Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

ROX-27350: Fix task execution by removing dnf upgrade from tasks #9

Merged
merged 1 commit into from
Dec 18, 2024
Merged

ROX-27350: Fix task execution by removing dnf upgrade from tasks #9

merged 1 commit into from
Dec 18, 2024

Conversation

msugakov
Copy link
Contributor

@msugakov msugakov commented Dec 18, 2024
edited
Loading

Description

I was a bit too quick to switch images in task steps from UBI8 to UBI9 in #3. Where 8 felt ok, 9 started failing because of the dnf upgrade command.

E.g. in this run https://console.redhat.com/application-pipeline/workspaces/rh-acs/applications/acs/pipelineruns/scanner-db-on-push-9qsrm
image

From the task log:

step-determine-image-tag
Updating Subscription Management repositories.
[...]
================================================================================
 Package           Arch       Version               Repository             Size
================================================================================
Upgrading:
 libsemanage       x86_64     3.6-2.1.el9_5         ubi-9-baseos-rpms     120 k
 p11-kit           x86_64     0.25.3-3.el9_5        ubi-9-baseos-rpms     536 k
 p11-kit-trust     x86_64     0.25.3-3.el9_5        ubi-9-baseos-rpms     144 k
 python3           x86_64     3.9.21-1.el9_5        ubi-9-baseos-rpms      30 k
 python3-libs      x86_64     3.9.21-1.el9_5        ubi-9-baseos-rpms     8.1 M
 shadow-utils      x86_64     2:4.9-10.el9_5        ubi-9-baseos-rpms     1.2 M

[...]
Running transaction
  Preparing        :                                                        1/1 
  Upgrading        : python3-libs-3.9.21-1.el9_5.x86_64                    1/12 
  Upgrading        : python3-3.9.21-1.el9_5.x86_64                         2/12 
  Upgrading        : p11-kit-0.25.3-3.el9_5.x86_64                         3/12 
  Upgrading        : libsemanage-3.6-2.1.el9_5.x86_64                      4/12 
  Upgrading        : shadow-utils-2:4.9-10.el9_5.x86_64                    5/12Error unpacking rpm package shadow-utils-2:4.9-10.el9_5.x86_64
 
  Upgrading        : p11-kit-trust-0.25.3-3.el9_5.x86_64                   6/12 
error: unpacking of archive failed on file /usr/bin/newgidmap;6762b7fa: cpio: cap_set_file failed - Operation not permitted
error: shadow-utils-2:4.9-10.el9_5.x86_64: install failed

Here the upgrade of shadow-utils fails because it cannot overwrite /usr/bin/newgidmap (that's despite the container being executed as root). My scientific guess (guessing because the proper repro will take a couple hours I don't really want to invest in it) after reading this issue is that there's some special restriction on /usr/bin/newgidmap due to how Konflux/Tekton executes task steps. This restriction results in the error during the shadow-utils upgrade attempt. We've not seen this on 8 because likely there were just no shadow-utils upgrades there.

We don't actually need dnf upgrade for proper functioning of our tasks and the (relative) freshness of packages will be ensured by Renovate updating base images. Hence, my suggestion is to stop dnf upgrade-ing in tasks.

Testing

Used bundle from this PR in stackrox/scanner#1742 and our custom tasks succeeded there.

msugakov added a commit to stackrox/scanner that referenced this pull request Dec 18, 2024
@msugakov
Try fix custom task failures
02748af 
by using the bundle from
stackrox/konflux-tasks#9
@msugakov
Copy link
Contributor Author

#7 is required to address the failing pipeline here before merging. I can address it with a rebase once that PR gets merged. This shouldn't block reviewing this #9.

@msugakov msugakov marked this pull request as ready for review December 18, 2024 12:16
@msugakov msugakov requested a review from a team as a code owner December 18, 2024 12:16
@msugakov msugakov force-pushed the misha/fix-dnf-upgrade-failure branch from 31a6a3a to 64d9981 Compare December 18, 2024 13:09
@msugakov msugakov changed the title fix: Remove dnf upgrade from tasks ROX-27350: Fix failures by removin dnf upgrade from tasks Dec 18, 2024
@msugakov
Copy link
Contributor Author

/retest acs-konflux-tasks-on-push

@msugakov msugakov changed the title ROX-27350: Fix failures by removin dnf upgrade from tasks ROX-27350: Fix task execution by removing dnf upgrade from tasks Dec 18, 2024
@msugakov msugakov merged commit 510f1d7 into main Dec 18, 2024
1 check passed
@msugakov msugakov deleted the misha/fix-dnf-upgrade-failure branch December 18, 2024 13:15
msugakov added a commit to stackrox/collector that referenced this pull request Dec 18, 2024
@msugakov
Switch to the fixed latest
4b7418e 
After stackrox/konflux-tasks#9
msugakov added a commit to stackrox/stackrox that referenced this pull request Dec 18, 2024
@msugakov
Bump latest again
cf9e6d3 
After stackrox/konflux-tasks#9
msugakov added a commit to stackrox/stackrox that referenced this pull request Dec 20, 2024
@msugakov
Bump latest again
9ddf025 
After stackrox/konflux-tasks#9
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@tommartensen tommartensen tommartensen approved these changes

@kylape kylape Awaiting requested review from kylape

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@msugakov @tommartensen