Home
Contribute Contact Us Browse all meetings
Home Contribute Contact Us Browse all meetings
GitLab / Distribution Team Discussions / 12 Aug 2020
GitLab / Distribution Team Discussions / 12 Aug 2020
Previous Meeting Next Meeting
Add meeting Rate page Subscribe
youtube image
From YouTube: Distribution Team | UBI Images Discussion

Description

The Distribution team discusses UBI images, including why we build them and how.


https://gitlab.com/gitlab-org/build/CNG/-/tree/master
https://gitlab.com/gitlab-org/charts/gitlab/-/issues/1796

A

Perfect: okay, I'm going to show my screen and watch my fans ramp.

A

Up.

A

Okay,.

A

Okay, can everyone see my screen perfect yeah, so the uh ubi images uh we currently don't have them running on pipelines by default uh on merge, request or branch pipelines by default?

A

So, typically, when you look at a cng pipeline, it doesn't include them, um so the pipelines that do include them are tags on dev, um there's a if you have a dash uvi on the tag which we have the release tools do when we release it runs the vi specific pipeline uh and uh also we have basically how we how we have been testing ub, the ubi pipeline since we've been manually, triggering.

A

Pipelines with the uei pipeline flag. So if I run, if I go into the ui and hit run pipeline for master and I throw in ubi pipe line and spell it correctly and say true- and this is actually fine to do for master as well.

B

I think it might be spelled wrong.

A

It is spelled wrong. That's fine!

A

I will attempt to spell it correctly.

A

Does it look better.

B

Yeah.

A

Okay,.

A

Yeah that looks right uh and we can tell immediately because it's broken up by a lot more phases uh because there's build stages and then final image stages, so in the ubi pipeline, so the ubi images are are just images that are using um the red hat ubi containers as the base image but yeah, which is a hardened container that they provide. uh In addition, we also wanted this container to be uh kind of like offline buildable, um which is a requirement from the dod.

A

So we have them broken up into these build containers and final containers. So these build containers uh do all the work that has to like reach out to the uh internet, to grab sources for and stuff like that, and then they basically at the end of them. They, uh you know they have their builds compiled uh resources.

A

I really appreciate it uh and then only these ones.

B

Are what.

A

Users actually download from the registry or in the dod's case they actually build these. This set from the docker files and what these do is. Typically, they just copy in the compiled assets from these other containers and then add whatever build dependencies, because then, on the dod side for offline, build, they're only allowed to uh add dependencies that are in the default red hat repositories.

A

So absolutely anything, that's not in the default red hat repositories for the ubi images have to be built first or retrieved first in these build containers, uh and this whole idea of so that differs from our regular cng release and that we don't have these build containers.

A

This approach of having separate, build containers in separate final images, probably is due as one of the steps for our regular images as well, but we did it first as a kind of an experiment for the ubi build images. So, in terms of the repository, what it looks like is almost all of our images have, uh in addition to our regular docker file, have a dockerfile.ubi and if they need, if they need a bill, a separate, build container.

A

They have a dockerfile.build.ubi as well, so in the case of the container registry, for example, the build file is responsible for actually grabbing the.

A

Registry and compiling it so cloning cloning.

C

It and.

A

Making it and then copying those final assets into a location that then the build container will add in so this tar gz is actually the build output of the previous container.

A

So, just in terms of the uvi, that's that's kind of the the high level build case. There are some, so most of the images have both a build and a final image stage. Some of the images will only have a build stage because they never have a final image that users ever need to download they're only ever included as uh like dependencies is another example that is in python.

A

It only has a build stage, because we only have to compile.

C

It and then.

A

Include it in other images, we never have to just have someone download the python image and then, in this case, in the alpine certificates case, it might be the opposite.

A

um It might be, as far as I know, with all of our our images so far, um they either need the build or they need both the build and the final image. I think in the case of the alpine certificates- or in this case I guess they're not really alpine, um it probably will be a case as far as we know right now, because you're not gonna have to grab anything from anywhere other than the default repositories.

A

At this point, it's probably a case where you just need the final image, so it'd be a matter of adding in in terms of what it looks like in the ubi platform. It's a matter of adding the ubi darker file and then you don't add a new for for the uh for the regular case. You don't add a new uh build for it.

A

You just likely have to change the existing build to work, to be run with the ubi specific settings.

A

So if we look at.

A

One we look at the alpine certificates.

A

You may actually not need to do anything. There might be some tweaks, but you may not need to do anything to this, because just the fact that it has um you like once, you create the dockerfile.ubi8. The fact that it has it should cause the switch between.

A

um Between ubi and not- and I think that's the case, because if we go back to the pipeline, I triggered I think this will still have an alpine certificates.

A

Yeah, it still does have the alpine certificates, it just wasn't actually creating a ubi version of it. It was just recreating our normal one, based on debian, so yeah. I think I think, in this case, it'll just be a matter of creating that dockerfall.ubi.

A

So in terms of the ubi images, that's that's the case. Now these alpine certificates themselves uh have or just using the just getting the certificates to work, is kind of a separate, a separate issue. We very specifically have used uh alpine um both because of the command that was there by default for us to include other certificates in it, which I think for the ubi images.

A

Jason already has a comment on the issue regarding how that might look like for these images, but then the other thing is: is they end up in a different location by default, which might be fine for the image, but it means at least by default. Our chart won't be looking for them in the right place, so there might be there's going to be that's going to have to be handled as well. Jason might be able to speak to that, a little more go for it.

B

I, like your mic's.

A

Working.

A

I'm not hearing you at all.

C

Jason.

C

Now, thanks zoom, okay, yeah guess what this time, instead of my audio being at 10, my mic was at 10 all right, so the alpine certificates container essentially does nothing but rebuild, etc. Ssl um into a pre-made ca certificates that we can just kind of dump around that gets consumed by the ssl certificates, job, which actually combines everything. That's in that directory into a functional set.

C

That's still how it will behave in ubi. As far as I understand it's just that the original location of where this files come from is different. So the commands to generate that on the system where the sim link ends up pointing to that location is changed and the command to generate it has changed, but how the application operates is still outs out of et cetera, ssl certs.

B

Okay, that's helpful, so I think to do a quick recap. We build ubi images for most of the services in here if it requires reaching out to the internet to get dependencies. We do that in a separate, build image and then inherit from that in the final image. That's the one that will include any user or label configurations and then, in the case of alpine certificates, we shouldn't need a build image.

B

We should just need the final image and the existing bundle certificate script will need to be modified or it will use a separate script in the ubi, build.

C

I suspect there will be very little difference. um I have to go review the actual script, that's inside of alpine containers and exactly what it does for its rebuild patterns.

C

So there there's a fair chance that we'll actually have to have a different script. um I believe that's because we call update ca certs, which, outside of the update, ca trust patterns.

C

This is the same behavior, but we'll have to to have a different script. That's copied into the same location on the ubi, because the execution of the certificates container will expect it to be the same. So its intent. Is I'm going to pass you this in you're, going to run the thing and it'll update the stuff.

C

It's just knowing which things to update.

B

Got it that's helpful, okay, yeah that that covers my questions. I think for the context of why we do it and everything I might just write some this down and add it to the docs as well. Just for having those as well um from your from your quick look at this issue. Do you think it'd be just quick five minute thing for us to run through it together or.

C

It might be like a half hour, um but.

A

I.

C

Can't tell you for a fact: it's going to make it in in the next two days, just because we need to get through it and test it and verify everything. That's the biggest thing. um The amount of effort to actually make the change that is perceived should be relatively small. um We're not really pulling anything from the internet here dj unless I'm mistaken we're not pulling any sources. It's literally just the script. That's a part of this repository, that's my understanding.

A

As well, yeah.

C

Yeah, okay, so I don't expect this is going to be much of an issue um I kind of had scratch on. Do we need a dedicated image for this in ubi, or can we do something else.

C

But if we want to immediately replicate the existing pattern in the same way, it is yes build an image, except obviously wouldn't be called alpine certificates. Maybe it's time to reevaluate that in the future.

C

True yeah, so you should only need the the dockerfile.ubi8 and just we're going to have a replicate that script and then have it install that script into the same file, location and it should work.

C

This is big should based on a whole lot of background understanding that I can't explain right now,.

B

Fair do do you think it would be cleaner to modify the script to detect the platform, or would it be cleaner to have a separate script specifically for the.

C

Script would have no functionality to immediately detect whether it was a ubi or if it was just red hat. um We specifically care about like knowing which one is which.

C

I see what you're saying, though we could technically try and figure out. Okay is update, ca search, present or is update. Ca trusts present.

C

That's a different perspective. If you do that.

C

I don't see an immediate value in either direction.

C

Anything jump at you dj.

A

Sorry I was looking at some uh looking at a way to paralyze the ubi jobs with our regular ones. I didn't catch that last question.

C

Okay, so it basically is is duplicate the script or no. I think I just answered my own question, but I'll explain it so the question was originally: we said just dupe the script and install it to the same location which brings up. Can we make the script capable of detecting the platform? I think iteration one is literally just make changes, know it works. Iteration two is actually see if we can make it a single script.

C

If we can do that in a very fast turnaround, that's great, but let's get the minimum viable done. First,.

B

Because to your point, if we don't call it alpine certificates anymore, maybe we have a totally separate directory for this, in which case we would have two scripts anyway, one for ubi one for alpine effectively.

C

Yes, you'd have two different jobs: you'd have two yes, so.

B

But for now we'll just keep it in alpine, even though the name technically shouldn't match right: okay, iteration one.

C

Iteration one is make it work. Iteration two is make it better. Iteration three is make it sensible.

B

Sounds good yeah makes sense to me, so I can open up an mr and I'll take stab at it, and then we can async feedback on it.

C

Yeah sounds good.

B

And I can test that the image builds correctly in the pipeline by just adding that environment variable on my mr right or does it have to be a certain branch name.

C

You have to to manually run the pipeline against your branch name. You can't add the environment on the mr, yes, unfortunately, there's no way to do that.

B

But it doesn't have to be master or stable or anything like that.

C

Well, you couldn't run it against master staples because your changes aren't in there. So.

B

That's what I mean like when I, when I add the environment, variable to try to run the job, is it still going to skip it? If it's not, I saw that earlier. You ran it against masternode environment variable, but well that same environment variable on a different branch, like an mr branch, still triggered the job.

A

Yep yep cool it was.

C

Just this is how dj and I do this when we're like. Oh, we got to make sure this still works in ubi, because we're making a slightly odd functional change group.

A

Yeah the reason why the ebi pipelines don't run by default during your merge request is because they aren't different jobs, they're the same jobs, because we didn't want to make the ci even worse, like the ciam it already is, but I'm seeing now. So this is what I was looking at.

A

While I was distracted during your last question, I see now that we have like this idea of parallel matrix jobs in uh nci, where we could literally keep the same job, but just say that it has a different like to run two of them at the same time with a different environment variable. So there's probably a way we can start doing this a little better.

C

Yeah, that's a future iteration right up there with uh actually specifying needs. So, yes,.

A

Basically,.

C

Aggregate graphs work yeah.

A

Un unrelated to the work you got to do here mitch, but uh just for some context on why they don't automatically run is because we already have a mess of a ci file and we didn't want to duplicate the jobs.

B

Yeah yeah, we we, like our big pipelines.

B

Cool, I think that covers.

C

It.

B

Anything else for the recording.

A

No, that's it.

B

Cool I'll write up a little mr to add some more docs to that file and uh I'll open up nmr for this issue soon. Thank you.

B

Both.