Docker Patch Library to support Docker re-release Automation #268
Conversation
Divyaasm
requested review from
peterzhuamazon,
prudhvigodithi,
gaiksaya and
rishabh6788
as code owners
Codecov Report
@@ Coverage Diff @@
## main #268 +/- ##
============================================
+ Coverage 86.63% 86.69% +0.06%
Complexity 27 27
============================================
Files 77 78 +1
Lines 202 203 +1
Branches 11 11
============================================
+ Hits 175 176 +1
Misses 19 19
Partials 8 8
|
Divyaasm
force-pushed
the
dockerpatch
branch
2 times, most recently
from
c8c6f6e
to
9aa11ae
Compare
Signed-off-by: Divya Madala <[email protected]>
vars/patchDockerImage.groovy
Outdated
| sh """docker inspect --format '{{ index .Config.Labels "org.label-schema.version"}}' ${docker_image} > versionnumber""" | ||
|
|
||
| sh """docker inspect --format '{{ index .Config.Labels "org.label-schema.build-date"}}' ${docker_image} > time""" | ||
|
|
||
| sh """docker inspect --format '{{ index .Config.Labels "org.label-schema.description"}}' ${docker_image} > number""" |
There was a problem hiding this comment.
Does it make sense to combine these shell commands into above sh""" block.
Also avoid using time as variable name. Can mess up actual clock sometimes.
There was a problem hiding this comment.
Yeah but having all these statements in a single block isn't storing the output value in a variable. That's technically resulting an error. I'll change time variable name. Thanks
There was a problem hiding this comment.
That doesn't sound right! This might be the culprit https://github.com/opensearch-project/opensearch-build-libraries/pull/268/files#diff-d42288632ebcbc435313fa808e87e49f58461165639396b6ec30cbb928596336R15-R17
I believe by default the shell is zsh and here we are running bash. Also those lines apply only to one command docker pull ${docker_image}. Try removing those and put it under default shell
vars/patchDockerImage.groovy
Outdated
|
|
||
| docker pull ${docker_image} | ||
| """ | ||
| sh """docker inspect --format '{{ index .Config.Labels "org.label-schema.version"}}' ${docker_image} > versionnumber""" |
There was a problem hiding this comment.
| sh """docker inspect --format '{{ index .Config.Labels "org.label-schema.version"}}' ${docker_image} > versionnumber""" | |
| sh """docker inspect --format '{{ index .Config.Labels "org.label-schema.version"}}' ${docker_image} > versionNumber""" |
There was a problem hiding this comment.
Use sh("") if you are trying to do one liner unless you have other reasons.
vars/patchDockerImage.groovy
Outdated
|
|
||
| sh """docker inspect --format '{{ index .Config.Labels "org.label-schema.build-date"}}' ${docker_image} > time""" | ||
|
|
||
| sh """docker inspect --format '{{ index .Config.Labels "org.label-schema.description"}}' ${docker_image} > number""" |
There was a problem hiding this comment.
| sh """docker inspect --format '{{ index .Config.Labels "org.label-schema.description"}}' ${docker_image} > number""" | |
| sh """docker inspect --format '{{ index .Config.Labels "org.label-schema.description"}}' ${docker_image} > buildNumber""" |
vars/patchDockerImage.groovy
Outdated
| if (artifactUrlX64 == null || artifactUrlARM64 == null) { | ||
| echo 'Skipping docker build, one of x64 or arm64 artifacts was not built.' | ||
| } else { |
There was a problem hiding this comment.
Please format the document for proper alignment.
vars/patchDockerImage.groovy
Outdated
| if (artifactUrlX64 == null || artifactUrlARM64 == null) { | ||
| echo 'Skipping docker build, one of x64 or arm64 artifacts was not built.' | ||
| } else { | ||
| echo 'Trigger docker-build' |
There was a problem hiding this comment.
| echo 'Trigger docker-build' | |
| echo 'Triggering docker-build' |
vars/patchDockerImage.groovy
Outdated
| ] | ||
| } | ||
|
|
||
| echo 'Trigger docker-copy with tag build date ' |
There was a problem hiding this comment.
| echo 'Trigger docker-copy with tag build date ' | |
| echo 'Triggering docker-copy with tag build date ' |
vars/patchDockerImage.groovy
Outdated
| } | ||
| } | ||
|
|
||
| echo "Trigger docker-scan for ${args.product} version ${inputManifest.build.version}${build_qualifier}" |
There was a problem hiding this comment.
| echo "Trigger docker-scan for ${args.product} version ${inputManifest.build.version}${build_qualifier}" | |
| echo "Triggering docker-scan for ${args.product} version ${inputManifest.build.version}${build_qualifier}" |
vars/patchDockerImage.groovy
Outdated
| ] | ||
| } | ||
|
|
||
| echo 'Trigger docker-promote' |
There was a problem hiding this comment.
| echo 'Trigger docker-promote' | |
| echo 'Triggering docker-promote' |
vars/patchDockerImage.groovy
Outdated
| } | ||
|
|
||
| echo 'Trigger docker-promote' | ||
| if(args.rerelease){ |
There was a problem hiding this comment.
Do we want to do few more tests before pushing to Prod? For example we do not want to push to prod if high CVEs are detected in above docker scan. @bbarani @peterzhuamazon
Also @Divyaasm please add https://github.com/opensearch-project/opensearch-build/blob/main/jenkins/opensearch/distribution-build.jenkinsfile#L440 wait:true for each job that is being triggered. I think default is true by default but better to mention it.
There was a problem hiding this comment.
Think we have ignored CVE's presence in this implementation promote the image when Docker-Scan and Docker-Validation(enhancement) are successful . The idea is to re-run the Job every week to align with Base OS Image. @bbarani Correct me if I'm wrong.
There was a problem hiding this comment.
I don't think we can do anything about any CVE at this point in time if it didn't get remediated as part of yum update as the fix needs to come from base OS team. My recommendation is to move forward with available fixes and patch the Docker images on regular basis.
There was a problem hiding this comment.
Hi @Divyaasm please read the comment here and considering not copy pasting the entire dockerbuild lib if possible.
I would suggest to re-use the lib or modify with new functions as we discussed before.
https://github.com/opensearch-project/opensearch-build-libraries/blob/main/vars/buildDockerImage.groovy
Thanks.
vars/patchDockerImage.groovy
Outdated
| sh""" | ||
| #!/bin/bash |
There was a problem hiding this comment.
Use this:
sh """#!/bin/bash
Your original implementation will not force bash and will default back to sh.
vars/patchDockerImage.groovy
Outdated
|
|
||
| docker pull ${docker_image} | ||
| """ | ||
| sh """docker inspect --format '{{ index .Config.Labels "org.label-schema.version"}}' ${docker_image} > versionnumber""" |
There was a problem hiding this comment.
Use sh("") if you are trying to do one liner unless you have other reasons.
vars/patchDockerImage.groovy
Outdated
| sh """docker inspect --format '{{ index .Config.Labels "org.label-schema.build-date"}}' ${docker_image} > time""" | ||
|
|
||
| sh """docker inspect --format '{{ index .Config.Labels "org.label-schema.description"}}' ${docker_image} > number""" |
There was a problem hiding this comment.
Why are we keep doing one liners here?
vars/patchDockerImage.groovy
Outdated
|
|
||
| artifactUrlARM64 = "https://ci.opensearch.org/ci/dbc/distribution-build-${args.product}/${version}/${build_number}/linux/arm64/tar/dist/${args.product}/${args.product}-${version}-linux-arm64.tar.gz" | ||
|
|
||
| /*slice the time to get date value*/ |
Signed-off-by: Divya Madala <[email protected]>
There was a problem hiding this comment.
Hi @Divyaasm this is much better and I add some comments on this.
Please take a look when you have time.
Thanks.
Signed-off-by: Divya Madala <[email protected]>
vars/buildDockerImage.groovy
Outdated
| @@ -6,11 +6,24 @@ | |||
| * this file be licensed under the Apache-2.0 license or a | |||
| * compatible open source license. | |||
| */ | |||
| /** | |||
| @param Map[inputManifest] <Required> - path to Input Manifest. | |||
vars/patchDockerImage.groovy
Outdated
| docker inspect --format '{{ index .Config.Labels "org.label-schema.version"}}' ${docker_image} > versionNumber | ||
| docker inspect --format '{{ index .Config.Labels "org.label-schema.build-date"}}' ${docker_image} > time | ||
| docker inspect --format '{{ index .Config.Labels "org.label-schema.description"}}' ${docker_image} > buildNumber | ||
| docker inspect --format '{{ index .Config.Labels "org.label-schema.version"}}' ${latest_docker_image} > latestVersionNumber |
There was a problem hiding this comment.
I didnt realize you are creating files here.
You can simply use this to save all the values?
GIT_COMMIT_EMAIL = sh (
script: 'git --no-pager show -s --format=\'%ae\'',
returnStdout: true
).trim()
Possibly I miss it in the initial review?
Thanks.
Signed-off-by: Divya Madala <[email protected]>
Signed-off-by: Divya Madala <[email protected]>
Signed-off-by: Divya Madala <[email protected]>
Signed-off-by: Divya Madala <[email protected]> Signed-off-by: Divya Madala <[email protected]> (cherry picked from commit be4e5cd) Signed-off-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
Signed-off-by: Divya Madala <[email protected]> Signed-off-by: Divya Madala <[email protected]> (cherry picked from commit be4e5cd) Signed-off-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
Description
Addressing the Issue
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.