[ws-daemon] Force build of container image #14333

Merged: roboquat merged 1 commit into main from aledbf/wsdo on Nov 1, 2022
aledbf (Contributor) commented Nov 1, 2022

Description

Address openssl CVE issue

How to test

  • Check openssl version in ws-daemon is 3.0.2

Release Notes

NONE

Werft options:

  • /werft with-local-preview
    If enabled this will build install/preview
  • /werft with-preview
  • /werft with-large-vm
  • /werft with-integration-tests=workspace
    Valid options are all, workspace, webapp, ide

[ws-daemon] Force build of container image
@aledbf aledbf requested a review from a team November 1, 2022 18:49
@werft-gitpod-dev-com started the job as gitpod-build-aledbf-wsdo.1 because the annotations in the pull request description changed (with .werft/ from main)

@github-actions github-actions bot added the team: workspace Issue belongs to the Workspace team label Nov 1, 2022
kylos101 (Contributor) commented Nov 1, 2022

/hold till tests pass

kylos101 (Contributor) previously approved these changes Nov 1, 2022

👍

@kylos101 kylos101 dismissed their stale review November 1, 2022 20:31

Ran test in workspace-preview, still see # openssl version OpenSSL 3.0.2 15 Mar 2022 (Library: OpenSSL 3.0.2 15 Mar 2022)

kylos101 (Contributor) commented Nov 1, 2022

@aledbf tested in workspace-preview and did not see 3.0.7. 🤔

./new-vm.sh -v aledbf-wsdo.1
gcloud compute ssh --project=workspace-preview --zone=europe-west1-b --ssh-flag='-p 2222' g12c92def17f7f4cd0e059a
gitpod@g12c92def17f7f4cd0e059a:~$ sudo su
root@g12c92def17f7f4cd0e059a:/home/gitpod# kubectl get pods
NAME                                 READY   STATUS    RESTARTS        AGE
ide-metrics-7f7b9d45f6-xkq9n         2/2     Running   0               3m2s
dashboard-cb7459c8d-8cxhg            1/1     Running   0               3m2s
agent-smith-w8jgv                    2/2     Running   0               3m2s
content-service-7d7556b8dd-gdc68     2/2     Running   0               3m2s
ide-proxy-7bf6f9f984-7lssb           1/1     Running   0               3m2s
image-builder-mk3-78b6559b7-r4x9s    2/2     Running   0               3m1s
proxy-84f9547bdf-drh2r               2/2     Running   0               3m
openvsx-proxy-0                      3/3     Running   0               3m2s
registry-dbb76788b-vk5fw             1/1     Running   0               3m1s
ws-daemon-t89pv                      3/3     Running   0               3m2s
minio-557656fbfc-f454j               1/1     Running   0               3m1s
blobserve-5fc9d7cddc-wrbkd           2/2     Running   0               3m2s
ws-proxy-5dcf7b9465-zklxh            2/2     Running   0               3m
ide-service-6656584c58-59m9c         2/2     Running   0               3m2s
registry-facade-rfknj                3/3     Running   1 (2m42s ago)   3m2s
mysql-0                              1/1     Running   0               3m2s
messagebus-0                         1/1     Running   0               3m2s
ws-manager-bridge-59bdb887f9-nvxck   2/2     Running   0               3m
server-7855ffd44-4xvn2               2/2     Running   0               3m1s
ws-manager-7585cdcbc-gcz6f           2/2     Running   0               59s
root@g12c92def17f7f4cd0e059a:/home/gitpod# kubectl exec -it ws-daemon-t89pv -c ws-daemon -- sh -c "cd /mnt/workingarea;sh"
# openssl version
OpenSSL 3.0.2 15 Mar 2022 (Library: OpenSSL 3.0.2 15 Mar 2022)
# exit
root@g12c92def17f7f4cd0e059a:/home/gitpod# kubectl describe daemonset ws-daemon | grep -i Image
    Image:      docker.io/library/ubuntu:20.04
    Image:      eu.gcr.io/gitpod-core-dev/build/seccomp-profile-installer:commit-085a6821487030751ad39f235849993cad1ede11
    Image:      eu.gcr.io/gitpod-core-dev/build/ws-daemon:commit-3bec63c4f9dcf90686e28b3cc0b17b50e9a48ea7
    Image:        eu.gcr.io/gitpod-core-dev/build/shiftfs-module-loader:commit-313e75e99d5db6f5ac4eb71ecc25b8807fdd8366
    Image:      eu.gcr.io/gitpod-core-dev/build/ws-daemon:commit-3bec63c4f9dcf90686e28b3cc0b17b50e9a48ea7
    Image:      quay.io/brancz/kube-rbac-proxy:v0.12.0
    Image:      eu.gcr.io/gitpod-core-dev/build/ws-daemon:commit-3bec63c4f9dcf90686e28b3cc0b17b50e9a48ea7

aledbf (Contributor Author) commented Nov 1, 2022

@kylos101 sorry, the version is the same, just a minor change in the .deb package 🤦

from https://werft.gitpod-dev.com/job/gitpod-build-aledbf-wsdo.0/raw

[components/ws-daemon:docker] Get:1 http://archive.ubuntu.com/ubuntu jammy-updates/main amd64 libssl3 amd64 3.0.2-0ubuntu1.7 [1899 kB]
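
The exchange above turns on the fact that the change arrives as an Ubuntu package revision (3.0.2-0ubuntu1.7) while `openssl version` keeps reporting 3.0.2. As an added example, not part of the PR or of the project's tooling, this script reads the package revision from apt `Get:` lines in a build log and compares it to a required minimum; the function names, the second sample log line, and treating 3.0.2-0ubuntu1.7 as the minimum are assumptions.

```sh
#!/bin/sh
# Added example, not from the PR. Function names are assumptions.

# Print "<package> <version>" for each package fetched in an apt log (stdin).
# apt fetch lines look like:
#   Get:N <uri> <suite> <arch> <package> <arch> <version> [<size>]
# A CI prefix such as "[components/ws-daemon:docker]" may precede "Get:N".
apt_fetched_versions() {
    awk '{
        for (i = 1; i + 6 <= NF; i++)
            if ($i ~ /^Get:[0-9]+$/) { print $(i + 4), $(i + 6); break }
    }'
}

# True if Debian version $1 >= $2. Prefers dpkg's own comparison; the
# sort -V fallback agrees with it for simple revisions like the ones here.
version_ge() {
    if command -v dpkg >/dev/null 2>&1; then
        dpkg --compare-versions "$1" ge "$2"
    else
        [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$2" ]
    fi
}

# Check package $1 in the apt log on stdin against minimum version $2.
# Prints "ok <ver>", "old <ver>" or "missing"; returns 0 only for "ok".
check_pkg() {
    ver=$(apt_fetched_versions | awk -v p="$1" '$1 == p { v = $2 } END { print v }')
    if [ -z "$ver" ]; then echo "missing"; return 2; fi
    if version_ge "$ver" "$2"; then echo "ok $ver"; else echo "old $ver"; return 1; fi
}

# First line is the one quoted in the comment above; the second is constructed.
SAMPLE_LOG='[components/ws-daemon:docker] Get:1 http://archive.ubuntu.com/ubuntu jammy-updates/main amd64 libssl3 amd64 3.0.2-0ubuntu1.7 [1899 kB]
[components/ws-daemon:docker] Get:2 http://archive.ubuntu.com/ubuntu jammy/main amd64 example-pkg all 1.0-1 [10 kB]'

# Assumption: 3.0.2-0ubuntu1.7 is the revision the rebuild must reach.
printf '%s\n' "$SAMPLE_LOG" | check_pkg libssl3 3.0.2-0ubuntu1.7
```

Inside a running container, the installed revision for the same comparison can come from `dpkg-query -W -f='${Version}' libssl3` instead of the build log.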

kylos101 (Contributor) left a comment

Good call referring to the werft build to see the image build @aledbf ! Thank you.

kylos101 (Contributor) commented Nov 1, 2022

/unhold :)

@roboquat roboquat merged commit 6e71855 into main Nov 1, 2022
@roboquat roboquat deleted the aledbf/wsdo branch November 1, 2022 20:44
FROM ubuntu:22.04

# trigger manual rebuild increasing the value
ENV TRIGGER_REBUILD=1
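
Review bot: the comment above `ENV TRIGGER_REBUILD=1` does not say when the value should be bumped or what the rebuild is meant to pick up, so a later reader cannot tell a required bump from an unnecessary one. Consider expanding it to state the rule, for example that the value is bumped only to force a rebuild when nothing else in the image changed. `FROM ubuntu:22.04` is a mutable tag and nothing in these lines checks which package revisions end up in the image, so the forced rebuild does not by itself show that the intended update landed; a build-time check of the installed package version would make that explicit. Because this is an `ENV`, TRIGGER_REBUILD will also be set in the container's runtime environment.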
Contributor

Are there any guidelines on when we should bump this value?

Contributor Author

Only when there are no real changes in the images, but we need to force a rebuild

Contributor

FYI, we use a similar strategy in other repos, like workspace-images, to trigger rebuilds to update ca-certs.

jenting (Contributor) commented Nov 3, 2022

Address openssl CVE issue

@aledbf
Could you update which CVE issues we are going to address? It would be more precise.
Also, I think the release note is required since it's a security fix. Thank you.

@roboquat roboquat added deployed: workspace Workspace team change is running in production deployed Change is completely running in production labels Nov 3, 2022
Labels: deployed: workspace, deployed, release-note-none, size/XS, team: workspace