Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Use krane to fetch the project's SDK #411

Merged
merged 6 commits into from
Dec 3, 2024
Merged

Use krane to fetch the project's SDK #411

merged 6 commits into from
Dec 3, 2024

Conversation

cbgbt
Copy link
Contributor

@cbgbt cbgbt commented Dec 3, 2024
edited
Loading

Description of changes:
This PR resolves two issues:

  • The fetch-sdk task used docker pull to pull the SDK image. We use krane for authenticated OCI registry interactions elsewhere in twoliter, so using it for fetch-sdk allows us to avoid needing to configure additional credentials for the docker daemon.
  • krane uses a dated version of the ecr-login package from awslabs/amazon-ecr-credential-helper. This pulls in the latest version, which should have support for the latest AWS endpoints.

Testing done:
These tests were conducted on an EC2 instance with a role that allows pulling from the given private ECR repository.

Using the old twoliter, I removed all docker credential configurations and then attempted to use a build with an SDK overridden to a private ECR repository:

[cargo-make] INFO - Running Task: fetch-sdk
Error response from daemon: Head "https://109276217309.dkr.ecr.us-west-2.amazonaws.com/v2/bottlerocket/bottlerocket-sdk/manifests/v0.47.0": no basic auth credentials
failed to pull '$ACCOUNT.dkr.ecr.us-west-2.amazonaws.com/bottlerocket/bottlerocket-sdk:v0.47.0'
[cargo-make] ERROR - Error while executing command, exit code: 1

Using the new twoliter:

[cargo-make] INFO - Running Task: fetch-sdk
Pulling SDK '109276217309.dkr.ecr.us-west-2.amazonaws.com/bottlerocket/bottlerocket-sdk:v0.47.0'
Loaded image: 109276217309.dkr.ecr.us-west-2.amazonaws.com/bottlerocket/bottlerocket-sdk:v0.47.0
[cargo-make] INFO - Running Task: fetch-sources

Logs from krane are also verbose with debug logs enabled:

[2024-12-03T21:35:24Z DEBUG oci_cli_wrapper::cli] [/tmp/.tmpEW7xjl/krane,
'-v', 'manifest', '109276217309.dkr.ecr.us-west-2.amazonaws.com/bottlerocket/bottlerocket-sdk:v0.47.0'] stderr: 2024/12/03 21:35:24 --> GET https://109276217309.dkr.ecr.us-west-2.amazonaws.com/v2/
    2024/12/03 21:35:24 GET /v2/ HTTP/1.1
    Host: 109276217309.dkr.ecr.us-west-2.amazonaws.com
    User-Agent: krane/(devel) go-containerregistry/v0.15.2
    Accept-Encoding: gzip

...

Terms of contribution:

By submitting this pull request, I agree that this contribution is dual-licensed under the terms of both the Apache License, version 2.0, and the MIT license.

cbgbt added 2 commits December 3, 2024 00:03
@cbgbt
twoliter: refactor env vars to use slices
53a2f20 
This drops the requirement to manually keep track of the env var count
for the static array.
@cbgbt
krane: enable verbose mode if debug logging is enabled
5e4cd58
@cbgbt cbgbt force-pushed the twoliter-0.5.2-rc1 branch from 2659352 to 6cb224c Compare December 3, 2024 21:27
@cbgbt cbgbt force-pushed the twoliter-0.5.2-rc1 branch from 6cb224c to 74b99eb Compare December 3, 2024 21:50
@cbgbt cbgbt marked this pull request as ready for review December 3, 2024 21:57
bcressey
bcressey approved these changes Dec 3, 2024
View reviewed changes
twoliter/embedded/Makefile.toml
Comment on lines +327 to +328
${KRANE} pull "${TLPRIVATE_SDK_IMAGE}" /dev/stdout --platform "${SDK_PLATFORM}" \
| docker load
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Not sure if it applies here, but there's potential for a performance hit writing to a pipe vs. a seekable file, if krane would otherwise be able to transfer parts in parallel.

This is fine, but I would probably write it to a temp file under the build directory, and register a cleanup function, vs. relying on /dev/stdout. Then there'd be clearer separation between "failed to pull" and "failed to load".

twoliter/embedded/Makefile.toml
echo "Pulling SDK '${TLPRIVATE_SDK_IMAGE}'"
${KRANE} pull "${TLPRIVATE_SDK_IMAGE}" /dev/stdout --platform "${SDK_PLATFORM}" \
| docker load
if [[ ${PIPESTATUS[0]} -ne 0 ]]; then
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nit:

Suggested change
if [[ ${PIPESTATUS[0]} -ne 0 ]]; then
if [[ "${PIPESTATUS[0]}" -ne 0 ]]; then

tools/krane/build.rs
patches.sort();

for patch in patches {
println!("Executing `patch -p1 -i '{}'`", patch.display());
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do we need to arrange to install patch on the image used for GitHub actions, or is it already there?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hmm, we may need to make sure that the cross build containers have patch. It seems that the GitHub actions succeeded, but I can explicitly install the dependency as well.

tools/krane/build.rs
fn main() {
let script_dir = env::current_dir().unwrap();
let out_dir = PathBuf::from(env::var("OUT_DIR").unwrap());

println!("cargo::rerun-if-changed=../build-cache-fetch");
println!("cargo::rerun-if-changed=hashes/crane");
println!("cargo::rerun-if-changed=patches");
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Interesting, I didn't realize cargo could watch an entire directory like this!

@cbgbt cbgbt force-pushed the twoliter-0.5.2-rc1 branch from 74b99eb to fbf3bbb Compare December 3, 2024 23:09
@cbgbt
Copy link
Contributor Author

cbgbt commented Dec 3, 2024

Added patch to the cross build environment per feedback from @bcressey.

Will resolve the rest of the feedback in an RC2 commit.

@cbgbt cbgbt merged commit 37945a6 into bottlerocket-os:develop Dec 3, 2024
1 check passed
@cbgbt cbgbt deleted the twoliter-0.5.2-rc1 branch December 3, 2024 23:11
@cbgbt cbgbt mentioned this pull request Dec 5, 2024
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@mgsharm mgsharm mgsharm approved these changes

@sam-berning sam-berning sam-berning approved these changes

@jmt-lab jmt-lab jmt-lab approved these changes

@yeazelm yeazelm yeazelm approved these changes

@arnaldo2792 arnaldo2792 arnaldo2792 approved these changes

@bcressey bcressey bcressey approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
7 participants
@cbgbt @bcressey @arnaldo2792 @yeazelm @jmt-lab @sam-berning @mgsharm