0.13 rootless containers #4273
* docs: add migration guide from 0.12 to bonsai
* docs: migrating-to-bonsai: address review comments
* docs: migrating-to-bonsai: fix in-cluster build doc link
  Co-authored-by: Orzelius <[email protected]>
* docs: migrating-to-bonsai: address review comments
---------
Co-authored-by: Orzelius <[email protected]>

* test: allow all vms
* chore: update runner machine
* chore: disable microk8s tests
Locally set your default environment for a project. Simple quality of life improvement, that I'm sure many will enjoy (I for sure will).
1 minute might not be enough if the deployment takes too long
Otherwise, manual revert is necessary if the test script has to be executed again after a failure.
The failures were caused by #3997 as the container validation handler actually modifies the deployment's ingress hostname to the project default hostname if it's not specified on the deploy itself.
* perf: got rid of unnecessary HTTP requests
  This improves performance by avoiding unnecessary target version searches when the version is specified explicitly. Also, this removes the unnecessary local variable `targetVersion` which has been semantically equal to `desiredVersion`.
* refactor: utility function to find a release by a predicate
  The new method `findReleaseVersion` contains machinery to traverse GitHub releases in a pagination mode and get the first one matching a given predicate.
* refactor: move GH helpers to a dedicated namespace
  To reduce the semantic load of the `SelfUpdateCommand` class. Those helpers are generic and not tightly related to the semantics of the `self-update` command.
* refactor: inline `targetVersionMatches` method
  That method was tightly connected to the caller's logic, and was used by the only caller.
* refactor: helper function to get release artifact details
  To isolate the artifacts details collection and return the details as a structured object. The artifacts details can differ depending on the `desiredVersion` type (edge/pre-release/release). This change will support pre-release versions in `self-update` command.
* refactor: helper function to identify pre-release versions
* feat: support pre-release versions in `self-update` command
* chore: remove unnecessary log line
  An empty message on the `error` level gets rendered as `✖ undefined`. That might not be very clear.
* fix: fix version comparing logic
  To correctly handle `0.x` -> `0.y` updates as major ones.
---------
Co-authored-by: Orzelius <[email protected]>
When the `deploy` command is called with options that would put it into persistent operation, we now run it from inside the `dev` command. This brings a more full-featured interactive experience, and makes the UX more consistent.
This fixes an issue where some sync-related log lines would be duplicated (since they were rendered when the task for the relevant deploy action emitted a `ready` event).
We now stop any syncs started during a `dev` command session when exiting the command with CTRL-D or the `exit` command.
`BoundedCache` is a simple "FIFO key-value cache" that prunes older keys when the configured maximum entry count is exceeded. This is useful where the number of cached keys can be expected to potentially grow unboundedly.
These are generated when providers are instantiated from config, and can be used by plugins e.g. for caching logic (e.g. when cache entries should be scoped to a given provider instance and not be maintained across reloads).
Because the `delete namespace` command can be called interactively (which deletes the default app namespace), and because of the `reload` command, we needed a different approach to caching namespace statuses in the Kubernetes plugin. The new approach scopes the cache by provider UID, and clears the cache for a given provider UID if the `delete namespace` command is called. We also introduced an async lock to the `ensureNamespace` helper, since the first `deploy` command after a `delete namespace` command can result in more than one concurrent `ensureNamespace` call for the same namespace. Fixes #4223.
* ci(dockerhub): secure sha256 references and multi-layer caching
  - Use sha256 references that can be automatically updated by dependabot
  - Use buildkit's cacheFrom and cacheTo to increase difficulty of supply chain attacks
  Co-authored-by: Tim Beyer <[email protected]>
If one or more Garden configs is changed during a `dev` command, we lazily reload the project when the next command is run. This approach avoids multiple reloads when the user is modifying their Garden configs. The old Watcher class was reduced down to its bare essentials for this purpose (up to this point, it had been unused in 0.13).
Closes #4186. Before this fix, we weren't removing event listeners registered by the plugin event brokers (mostly for the `_exit` and `_restart` control events). This is now done in a simple way via the new `onKey` and `clearKey` methods on the event bus, which facilitates removing all listeners matching a given key. We use `garden.sessionId` as the key now, which is not quite ideal when running concurrent commands in `garden dev`, but we'll be assigning a command-unique `sessionId` in an upcoming PR (which gives us precisely the semantics we want here).
Before this, server logs would be emitted twice over ws. Once via the 'commandOutput' event which a request would subscribe to and once as a 'logEntry' event. By setting the logger instance to the VoidLogger for the logs when executed by the server, we eliminate the latter and only emit the log once. Note that this is a bit hacky and means that other log entries that the logs command creates are also ignored.
This commit adds a command for getting the current status of all configured syncs. In this first iteration the command is not persistent but we may decide to add a "--follow" or "--monitor" flag later. The main reason I'm not doing it here is because even if we're monitoring the sync statuses, we don't get the "sync stop" events from Mutagen which is one of the main events we'd want to follow in the first place. So since sync monitoring would be incomplete and you'd need to re-run the command to get the latest status I decided to leave it out for now.
Before this fix, the dev command would appear to hang indefinitely after typing "exit" or killing the process with ctrl+c because the websocket connection wasn't closed properly.
It does not work with the docker driver, unfortunately. Co-authored-by: Tim Beyer <[email protected]>
Co-authored-by: Orzelius <[email protected]>
#4268)
* improvement: delete unused images
  docker-dind and socat are not being used anymore in our code base as far as I can tell.
* improvement: remove parametrization from buildkit image
  This is to facilitate auto-updating e.g. using dependabot in the future.
* ci: fix test-docker-gcloud
  The test only runs on main after edge releases from now on.
* improvement: emphasize we do not publish alpine-builder
* docs: use recent gcloud image tag
  This tag will exist after the first bonsai production release.
* improvement(security): reference all builtin images using sha256 digest
  This prevents changing code in images after a Garden release has been cut. Improves security by preventing this supply chain attack vector.
* improvement(security): add sha256 hashes to gardendev images
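The digest-pinning commits above replace mutable tags with `@sha256:` references. As an added example (not part of this PR or of Garden's code base), here is one way to audit Dockerfile `FROM` lines and YAML `image:` keys for references that are still not pinned by digest; the image names and the digest in `SAMPLE` are constructed.

```python
import re
DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")
FROM_RE = re.compile(r"^\s*FROM\s+(?:--platform=\S+\s+)?(\S+)(?:\s+AS\s+(\S+))?", re.I)
IMAGE_RE = re.compile(r"^\s*-?\s*image:\s*[\"']?([^\s\"'#]+)")  # YAML `image:` key

def classify(ref):
    """Classify one image reference by how strongly it is pinned."""
    if "$" in ref:
        return "variable"      # build-time substitution, cannot be judged statically
    if DIGEST_RE.search(ref):
        return "pinned"        # content-addressed: the referenced bytes cannot change
    if "@" in ref:
        return "malformed"     # has a digest part that is not sha256 + 64 hex chars
    name = ref.rsplit("/", 1)[-1]   # a ':' before the last '/' is a registry port
    return "tag-only" if ":" in name else "untagged"

def audit(text):
    """Return (line_no, ref, verdict) for every reference not pinned by digest."""
    stages, findings = set(), []
    for no, line in enumerate(text.splitlines(), 1):
        m = FROM_RE.match(line)
        if m:
            ref, alias = m.group(1), m.group(2)
            local = ref.lower() == "scratch" or ref.lower() in stages
            if alias:
                stages.add(alias.lower())
            if local:
                continue       # earlier build stage or empty base, nothing is pulled
        else:
            m = IMAGE_RE.match(line)
            if not m:
                continue
            ref = m.group(1)
        verdict = classify(ref)
        if verdict != "pinned":
            findings.append((no, ref, verdict))
    return findings

DIGEST = "sha256:" + "ab" * 32   # constructed placeholder, not a real image digest
SAMPLE = f"""\
FROM node:18-alpine AS builder
FROM builder AS test
FROM --platform=linux/amd64 registry.example:5000/tools/base
FROM alpine:3.17@{DIGEST}
image: example/util:1.0.0
FROM $BASE_IMAGE
"""
if __name__ == "__main__":
    print("\n".join("line %d: %s (%s)" % f for f in audit(SAMPLE)))
```

References reported as `variable` need a manual look at where the value is set, since the pin (or lack of one) lives in the build argument rather than in the file.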
Add rootless container variant for use in environments where using the root user is not possible, for example GitLab's Runner Operator Supersedes #3865