-
Notifications
You must be signed in to change notification settings - Fork 32
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
NO-JIRA: Issue #362: feat(nbcs): build containers to be fips-ready #406
base: main
Are you sure you want to change the base?
NO-JIRA: Issue #362: feat(nbcs): build containers to be fips-ready #406
Conversation
/retest Looks like a flake, let's retrigger without thinking. |
First check, see that the expected fips-related symbols are in the binary
check that the binary is dynamically linked with libc
|
There are no suspicious messages in the logs. |
For further improvements, we maybe should have /healthz endpoint that has some diagnostics, or just dump these into the log at startup
|
And the notebook is spawned just fine, so, let's consider this tested. I used fips-enabled https://console-openshift-console.apps.ods-qe-psi-06 I had to change oauth-proxy image digest to 4f8d66597feeb32bb18699326029f9a71a5aca4a57679d636b876377c2e95695. |
34e06b6
to
f45a06e
Compare
/hold |
This takes inspiration from: * The Notebooks 2.0 Dockerfile, which comes from a default recent Kubebuilder template, at https://github.com/kubeflow/notebooks/blob/notebooks-v2/workspaces/controller/Dockerfile * The Red Hat build Dockerfile (that's the Cachito part) in an internal repository. This change brings multiple improvements: 1. Dockerfiles are brought closer together, especially to the Red Hat build; previously, sourcing things in a stand-alone RUN command had no effect 2. The openssl fips-compatible library is linked into the manager binaries, to proactively address fips concerns
f45a06e
to
0400fc3
Compare
@jiridanek: once the present PR merges, I will cherry-pick it on top of v1.9-branch in a new PR and assign it to you. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
@jiridanek , please dont use cherrypick anymore for this repo, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
/lgtm in general
Two questions:
- Why TARGETARCH doesn't have a default value similarly as TARGETOS?
- Should we have the TARGETARCH defined in our Makefile?
# the docker BUILDPLATFORM arg will be linux/arm64 when for Apple x86 it will be linux/amd64. Therefore, | ||
# by leaving it empty we can ensure that the container and binary shipped on it will have the same platform. | ||
RUN if [ -z ${CACHITO_ENV_FILE} ]; then go mod download; else source ${CACHITO_ENV_FILE}; fi && \ | ||
CGO_ENABLED=1 GOOS=${TARGETOS:-linux} GOARCH=${TARGETARCH} go build -tags strictfipsruntime -a -o ./bin/manager main.go |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Why TARGETARCH doesn't have a default value similarly as TARGETOS?
That's explained in the comment above. No default means default to the arch of the container.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
thanks, I didn't pay enough attention to the comment
ARG TARGETOS | ||
ARG TARGETARCH |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Should we have the TARGETARCH defined in our Makefile?
In general, I think not, or not yet. These variables are there mostly when somebody wants to mess with it from the outside (do amd64 build on
we can do something with it.
The way kubebuilder does it is something like https://github.com/kubeflow/notebooks/blob/notebooks-v2/workspaces/controller/Makefile#L106-L115 We'd have to do this with podman instead of docker buildx, but the approach is not very different. And we'd have to take into account osbs/konflux, which (I guess) builds every arch natively and then does the manifest in a separate step.
This is not intended to fully resolve https://issues.redhat.com/browse/RHOAISTRAT-214, but it's just a sensible first step done as a code improvement initiative, by following public advice in https://developers.redhat.com/articles/2022/05/31/your-go-application-fips-compliant
Description
As a next step, cpaas Dockerfiles will need to be updated in turn with the new things here.
How Has This Been Tested?
GHA
run this on fips cluster when I get PR images built
Merge criteria: