-
Notifications
You must be signed in to change notification settings - Fork 2.4k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
RHEL: Do not pull rootless CNI infra image, and instead request that user build it. #8671
RHEL: Do not pull rootless CNI infra image, and instead request that user build it. #8671
Conversation
The existing logic (Range > 0) always triggered, because range is guaranteed to be at least 1 (a single port has a range of 1, a two port range (e.g. 80-81) has a range of 2, and so on). As such this could cause ports that had a host port assigned to them by the user to randomly assign one instead. Fixes containers#8650 Fixes containers#8651 Signed-off-by: Matthew Heon <[email protected]>
@mheon Looks like you have a PR in here that is not supposed to be here on Ports. |
@rhatdan Deliberate cherry-pick - that's a pretty significant bugfix we should get into RHEL. We're not frozen yet, so I grabbed it. |
LGTM |
libpod/rootless_cni_linux.go
Outdated
if err != nil { | ||
if errors.Cause(err) == define.ErrNoSuchImage { | ||
return nil, errors.Errorf("rootless CNI infra image not present - please build image from https://github.com/containers/podman/blob/v2.2.1/contrib/rootless-cni-infra/Containerfile and tag as %q", imageName) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I know it's long already, but could we give them the command to use to build the image instead of just the Containerfile?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I don't think so - the actual build process is getting very complicated because we can't just do a podman build $URL
(you need to pull down not just the containerfile, but the directory containing it, and then do a podman build
on that)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We have a separate card to document this elsewhere, which is where I think that sort of documentation will need to land.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
What about letting Podman itself execute git clone ... && git checkout ... && podman build -t rootless-cni-infra .
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Problem is disconnected environments - we can't guarantee the system has a working connection to the internet.
0a596dd
to
fefb663
Compare
@AkihiroSuda PTAL. At some point we'd love to ship multi-arch images but the local build seems like the best way forward for now. |
Ah, that's a RHEL-only branch |
test/e2e/network_create_test.go
Outdated
@@ -74,6 +74,7 @@ var _ = Describe("Podman network create", func() { | |||
) | |||
|
|||
BeforeEach(func() { | |||
SkipIfRootless("rootless CNI is tech preview in 8.3.1") |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
8.3.1 -> RHEL 8.3.1
I don't have visibility in this URL, but I'm wondering Red Hat could build and upload the infra image by themselves if they have concern in the image built outside Red Hat. |
I think that's the long-term goal. Thanks for checking! |
fefb663
to
c2ad5a8
Compare
Re-pushed. Added some extra docs to the README on Github about building, which should help people get started. |
Instead, we want to advise users to manually build the image. We cannot distribute the existing image for RHEL 8.3.1, and the feature will be tech preview, so this degraded user experience will have to be sufficient until we can get a better solution in place. Ref: https://issues.redhat.com/browse/RUN-1127 Please note that this is a RHEL only change and should not be included in non-RHEL branches. Signed-off-by: Matthew Heon <[email protected]>
c2ad5a8
to
4007554
Compare
Good to merge |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM
@containers/podman-maintainers PTAL |
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: AkihiroSuda, mheon The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
/lgtm |
Instead, we want to advise users to manually build the image. We cannot distribute the existing image for RHEL 8.4.0, and the feature will be tech preview, so this degraded user experience will have to be sufficient until we can get a better solution in place. Ref: https://issues.redhat.com/browse/RUN-1127 Please note that this is a RHEL only change and should not be included in non-RHEL branches. This is a forward-port of the original changes in containers#8671 to the new v3.0.1-rhel branch. Signed-off-by: Matthew Heon <[email protected]>
Instead, we want to advise users to manually build the image. We cannot distribute the existing image for RHEL 8.3.1, and the feature will be tech preview, so this degraded user experience will have to be sufficient until we can get a better solution in place.
Ref: https://issues.redhat.com/browse/RUN-1127
Please note that this is a RHEL only change and should not be included in non-RHEL branches.
Also, cherry-pick #8652 into the RHEL tree.