CASM-4669 Upgrade Nexus to 3.67.1 to support image signatures #25
Conversation
| @@ -50,13 +50,14 @@ Provides: pit-nexus | |||
| %define sonatype_nexus3_image artifactory.algol60.net/csm-docker/stable/docker.io/sonatype/nexus3:%{sonatype_nexus3_tag} | |||
| %define sonatype_nexus3_file sonatype-nexus3-%{sonatype_nexus3_tag}.tar | |||
|
|
|||
| %define cray_nexus_setup_tag 0.10.1 | |||
| %define cray_nexus_setup_tag 0.11.0 | |||
There was a problem hiding this comment.
Version 0.11.0 of cray-setup-nexus makes requests to /v1 Nexus API where previous /beta was accessed: Cray-HPE/nexus-setup#29. The /beta is not supported anymore by Nexus 3.67.1.
| skopeo --override-arch amd64 --override-os linux copy docker://%{skopeo_image} docker-archive:%{skopeo_file}:%{skopeo_image}:%{skopeo_tag} | ||
| skopeo --override-arch amd64 --override-os linux copy --src-creds=%(echo $ARTIFACTORY_USER:$ARTIFACTORY_TOKEN) docker://%{sonatype_nexus3_image} docker-archive:%{sonatype_nexus3_file}:%{sonatype_nexus3_image} | ||
| skopeo --override-arch amd64 --override-os linux copy --src-creds=%(echo $ARTIFACTORY_USER:$ARTIFACTORY_TOKEN) docker://%{cray_nexus_setup_image} docker-archive:%{cray_nexus_setup_file}:%{cray_nexus_setup_image} | ||
| skopeo --override-arch amd64 --override-os linux copy --src-creds=%(echo $ARTIFACTORY_USER:$ARTIFACTORY_TOKEN) docker://%{skopeo_source_image} docker-archive:%{skopeo_file}:%{skopeo_image}:%{skopeo_tag} |
There was a problem hiding this comment.
Still package skopeo as quay.io/skopeo/stable:latest for backwards compatibility, but use different image artifactory.algol60.net/csm-docker/stable/quay.io/skopeo/stable:v1 as a source. Tag v1 ensures backward compatibility between skopeo versions. Also, we ship our image with special configuration option, which enables copying of Sigstore attachments.
| skopeo --override-arch amd64 --override-os linux copy --src-creds=%(echo $ARTIFACTORY_USER:$ARTIFACTORY_TOKEN) docker://%{sonatype_nexus3_image} docker-archive:%{sonatype_nexus3_file} | ||
| skopeo --override-arch amd64 --override-os linux copy --src-creds=%(echo $ARTIFACTORY_USER:$ARTIFACTORY_TOKEN) docker://%{cray_nexus_setup_image} docker-archive:%{cray_nexus_setup_file} | ||
| skopeo --override-arch amd64 --override-os linux copy docker://%{skopeo_image} docker-archive:%{skopeo_file}:%{skopeo_image}:%{skopeo_tag} | ||
| skopeo --override-arch amd64 --override-os linux copy --src-creds=%(echo $ARTIFACTORY_USER:$ARTIFACTORY_TOKEN) docker://%{sonatype_nexus3_image} docker-archive:%{sonatype_nexus3_file}:%{sonatype_nexus3_image} |
There was a problem hiding this comment.
Setting image name here allows to avoid searching for image name/tag after podman load. Image already comes properly tagged after podman load.
| skopeo --override-arch amd64 --override-os linux copy --src-creds=%(echo $ARTIFACTORY_USER:$ARTIFACTORY_TOKEN) docker://%{cray_nexus_setup_image} docker-archive:%{cray_nexus_setup_file} | ||
| skopeo --override-arch amd64 --override-os linux copy docker://%{skopeo_image} docker-archive:%{skopeo_file}:%{skopeo_image}:%{skopeo_tag} | ||
| skopeo --override-arch amd64 --override-os linux copy --src-creds=%(echo $ARTIFACTORY_USER:$ARTIFACTORY_TOKEN) docker://%{sonatype_nexus3_image} docker-archive:%{sonatype_nexus3_file}:%{sonatype_nexus3_image} | ||
| skopeo --override-arch amd64 --override-os linux copy --src-creds=%(echo $ARTIFACTORY_USER:$ARTIFACTORY_TOKEN) docker://%{cray_nexus_setup_image} docker-archive:%{cray_nexus_setup_file}:%{cray_nexus_setup_image} |
There was a problem hiding this comment.
Setting image name here allows to avoid searching for image name/tag after podman load. Image already comes properly tagged after podman load.
| @@ -121,8 +122,8 @@ rm -f \ | |||
| %service_del_postun nexus.service | |||
| podman stop nexus || echo 'No nexus container was running, nothing to stop.' | |||
| podman rm nexus || echo 'No nexus container was created, nothing to delete.' | |||
| podman rmi %{sonatype_nexus3_image}:%{sonatype_nexus3_tag} || echo 'No nexus image was loaded, nothing to remove.' | |||
| podman rmi %{cray_nexus_setup_image}:%{cray_nexus_setup_tag} || echo 'No nexus image was loaded, nothing to remove.' | |||
| podman rmi %{sonatype_nexus3_image} || echo 'No nexus image was loaded, nothing to remove.' | |||
There was a problem hiding this comment.
Tag is already part of %{sonatype_nexus3_image} var.
| podman rmi %{sonatype_nexus3_image}:%{sonatype_nexus3_tag} || echo 'No nexus image was loaded, nothing to remove.' | ||
| podman rmi %{cray_nexus_setup_image}:%{cray_nexus_setup_tag} || echo 'No nexus image was loaded, nothing to remove.' | ||
| podman rmi %{sonatype_nexus3_image} || echo 'No nexus image was loaded, nothing to remove.' | ||
| podman rmi %{cray_nexus_setup_image} || echo 'No nexus image was loaded, nothing to remove.' |
There was a problem hiding this comment.
Tag is already part of %{scray_nexus_setup_image} var.
| podman load -i "$NEXUS_IMAGE_PATH" || exit | ||
| # get the tag | ||
| NEXUS_IMAGE_ID=$(podman images --noheading --format "{{.Id}}" --filter label="name=Nexus Repository Manager") |
There was a problem hiding this comment.
This may not work properly, if there are more then 1 nexus images in podman. Anyway it's not needed anymore, because image comes already tagged after change in packaging.
| podman load -i "$NEXUS_IMAGE_PATH" | ||
| # get the tag | ||
| NEXUS_IMAGE_ID=$(podman images --noheading --format "{{.Id}}" --filter label="name=Nexus Repository Manager") |
There was a problem hiding this comment.
This may not work properly, if there are more then 1 nexus images in podman. Anyway it's not needed anymore, because image comes already tagged after change in packaging.
| podman load -i "$NEXUS_SETUP_IMAGE_PATH" || exit | ||
| # get the image id | ||
| CRAY_NEXUS_SETUP_ID=$(podman images --noheading --format "{{.Id}}" --filter label="org.label-schema.name=cray-nexus-setup") |
There was a problem hiding this comment.
This may not work properly, if there are more then 1 cray-nexus-setup images in podman. Anyway it's not needed anymore, because image comes already tagged after change in packaging.
Summary and Scope
To support multi-platform container image uploads together with Sigstore attachments, we need to upgrade metal nexus to latest version 3.67.1. This also involves upgrade of
cray-nexus-setupto 0.11.0.Issue Type
Prerequisites
Testing
/srv/cray/metal-provision/scripts/nexus/setup-nexus.shscript to initialize repositories and pour new content in NexusOn the screenshot above, more then 1 manifest per tag denotes multi-platform images (aka "manifest lists"), and tag named
sha256-*.sigdenotes Sigstore attachment.Idempotency
For better idempotency, fixed couple of bugs related to package upgrade flow:
Risks and Mitigations
This introduces some risk since this change also brings in a newer version of Nexus, but otherwise a new functionality required by CSM 1.6 roadmap can not be achieved.