kn Tekton Task Image Isn't Executable As Script

[danielhelfand]

Bug report

Trying to use the kn Tekton Task's image with a script in a step, such as below, fails with the error also shown below:

- name: ksvc-url
   image: "gcr.io/knative-releases/knative.dev/client/cmd/kn:latest"
   script: |
     kn service describe petclinic-ksvc -o url -n ns | tee $(results.url)

[ksvc-url] 2020/07/23 16:59:20 Error executing command: fork/exec /tekton/scripts/script-4-844l8: no such file or directory

Expected behavior

Able to execute kn in a Tekton step script.

Steps to reproduce the problem

Execute a simple Task with kn:

apiVersion: tekton.dev/v1beta1
kind: Task
metadata:
  name: print-version
  annotations:
    description: |
      A simple task that prints kn version
spec:
  results:
    - name: version
      description: kn version
  steps:
    - name: get-version
      image: "gcr.io/knative-releases/knative.dev/client/cmd/kn:latest"
      script: |
        kn version | tee /tekton/results/version
    - name: print-version
      image: bash:latest
      script: |
        #!/usr/bin/env bash
        result=$(cat "$(results.version.path)")
        echo $result

[navidshaikh]

/assign

[navidshaikh]

kn image gcr.io/knative-releases/knative.dev/client/cmd/kn:latest doesnt have shell in it, the image is built by ko which uses the default base image gcr.io/distroless/static:latest ref. And script in task expects shell being present in the image.

We'd need to override base image with a proper one to support such use cases OR generate two images, current one and another with proper base image and tag them accordingly? cc: @rhuss

[navidshaikh]

@danielhelfand : meanwhile you can use the latest kn image with shell from here, I've tested the mentioned scenario with this image and it works fine.

[imjasonh]

This should be resolveable by making the image's base something with sh, like gcr.io/distroless/base:debug.

If other users of gcr.io/knative-release/knative.dev/client/cmd/kn would find this surprising, we could have another image .../kn:debug that's based on gcr.io/distroless/base:debug, which the Tekton Task could use.

[danielhelfand]

@navidshaikh Thanks for looking into this and the alternative image

[rhuss]

tbh, I wouldn't mind to change to a base image with shell, as we are talking here about a short running client executables that does not have the same strong security constraints like long running server processes. So adding a shell makes definitely sense, also to allow the usage of shell based kn plugins that are mounted or added to a container.

So my proposal would be to switch to a richer base image, like alpine or ubi. Not so keen though to use a base image which is labeled with :debug as a regular base image.

[itsmurugappan]

for the distroless image can we please use non root, "gcr.io/distroless/static:nonroot"

[imjasonh]

for the distroless image can we please use non root, "gcr.io/distroless/static:nonroot"

gcr.io/distroless/base:debug-nonroot even 😄

[navidshaikh]

In #974 we've following config for test image(s) and kn image, PTAL

defaultBaseImage: gcr.io/distroless/base:debug-nonroot
baseImageOverrides:
  knative.dev/client/cmd/kn: docker.io/library/alpine:latest

cc: @imjasonh

[itsmurugappan]

@navidshaikh can you please close this, as it was fixed by #974

[navidshaikh]

Sure @itsmurugappan , let me verify quickly with nightly image.

[navidshaikh]

@danielhelfand : I was able to successfully run the mentioned task with nightly kn image : gcr.io/knative-nightly/knative.dev/client/cmd/kn:latest

$ tkn tr logs -f kn-update
[get-version] + tee /tekton/results/version
[get-version] + kn version
[get-version] Version:      
[get-version] Build Date:   
[get-version] Git Revision: 
[get-version] Supported APIs:
[get-version] * Serving
[get-version]   - serving.knative.dev/v1 (knative-serving v0.17.0)
[get-version] * Eventing
[get-version]   - sources.knative.dev/v1alpha2 (knative-eventing v0.17.0)
[get-version]   - eventing.knative.dev/v1beta1 (knative-eventing v0.17.0)

[print-version] Version: Build Date: Git Revision: Supported APIs: * Serving - serving.knative.dev/v1 (knative-serving v0.17.0) * Eventing - sources.knative.dev/v1alpha2 (knative-eventing v0.17.0) - eventing.knative.dev/v1beta1 (knative-eventing v0.17.0)

We're using docker.io/library/alpine:latest base image now for kn image, the next kn release 0.17.0 (due next Tuesday) will ship this kn image as well.
Closing the issue now, thanks!
/close

[knative-prow-robot]

@navidshaikh: Closing this issue.

In response to this:

@danielhelfand : I was able to run successfully the mentioned task with nightly kn image : gcr.io/knative-nightly/knative.dev/client/cmd/kn:latest

$ tkn tr logs -f kn-update
[get-version] + tee /tekton/results/version
[get-version] + kn version
[get-version] Version:      
[get-version] Build Date:   
[get-version] Git Revision: 
[get-version] Supported APIs:
[get-version] * Serving
[get-version]   - serving.knative.dev/v1 (knative-serving v0.17.0)
[get-version] * Eventing
[get-version]   - sources.knative.dev/v1alpha2 (knative-eventing v0.17.0)
[get-version]   - eventing.knative.dev/v1beta1 (knative-eventing v0.17.0)

[print-version] Version: Build Date: Git Revision: Supported APIs: * Serving - serving.knative.dev/v1 (knative-serving v0.17.0) * Eventing - sources.knative.dev/v1alpha2 (knative-eventing v0.17.0) - eventing.knative.dev/v1beta1 (knative-eventing v0.17.0)

We're using docker.io/library/alpine:latest base image now for kn image, the next kn release 0.17.0 (due next Tuesday) will ship this kn image as well.
Closing the issue now, thanks!
/close

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.