Use Maistra proxy based on CentOS Stream 8 in integration tests

[jewertow]

Istio has been using its own tool to build container images for some time. This tool is docker-builder.
Unfortunately docker-builder does not support RUN command, so we cannot install iptables and openssl packages in proxyv2 with RUN dnf install ....

To work around this limitation, I built an image with necessary packages, pushed to my registry and used it as the base image for proxyv2.

Image quay.io/jewertow/base-maistra-proxyv2:2.3 was built from the following Dockerfile:

FROM quay.io/centos/centos:stream8

RUN dnf -y upgrade --refresh --nobest && \
    dnf -y install iptables iproute openssl && \
    dnf -y clean all

I think that it does not make sense to extend docker-builder to support RUN, because it's too complicated (if possible)
and we just have to build our official base image and use it as I did with my image.

Update:

I figured out that we can disable building container images with crane by setting ISTIO_DOCKER_BUILDER=docker, so I updated images to use CentOS Stream 8 as a base image and added image app_sidecar_centos_stream_8 to test VMs.

Signed-off-by: Jacek Ewertowski jewertow@redhat.com

[jwendell]

Not sure about this.

I have experimented with this a week ago: #604 and I think it worked...

Also, please align with @bmangoen and hisr PR: #606

[jewertow]

Your PR didn't work. Look at the log - everything failed. You can find there the following warnings:

2022-09-02T13:29:02.519537Z	warn	dockerfile	Skipping RUN: [dnf -y upgrade --refresh --nobest &&     dnf -y install iptables iproute openssl &&     dnf -y clean all]
2022-09-02T13:29:02.521035Z	warn	dockerfile	Skipping RUN: [dpkg -i /tmp/istio-sidecar.deb && rm /tmp/istio-sidecar.deb]

And as you can see in one of istio-init logs, iptables-restore did not exist in the proxy container.

[jwendell]

hmm, I see. Is it possible to install the libssl1 in the [upstream] base image? If yes, then we don't need a special Dockerfile based on centos. We can use the same upstream mechanism without any changes.

In the past we needed this image based on centos because the envoy binary built on centos was not compatible with the libc present on Ubuntu. It looks like it's not the case anymore. I was able to run our Envoy on this base image (which is derived from Ubuntu). The problem now is that our Envoy relies on the presence of the /lib64/libssl.so.1.1 library, which is provided by the Ubuntu package libssl1, which is not installed by default.

If there's no way to have this package installed in the base image (and since it's not possible to have RUN apt install anymore), I suggest you add a new target as a dependency for the make docker target .i.e, that will run first, that will create a new base image, let's say, maistra-base which is merely the Dockerfile you created this custom base image. Then, for every run, we first create this custom base image, and proxy is based on that. In other words, we would use your solution, but baking it at build-time instead of relying in a pre-built image hosted somewhere.

[jewertow]

/test gencheck

[jewertow]

/test integration-servicemesh

[jewertow]

/test integration-telemetry

[jewertow]

@jwendell thanks for your advice. I was trying to run tests on Ubuntu, but currently it provides libssl.so.3.0 by default. I was trying to find a workaround to install OpenSSL 1.1.1, e.g. using repositories from older releases, but I had some other issues, so I gave up in favor of bringing an image based on CentOS Stream 8.

[jwendell]

Is there any reason to have a centos8 image?

[jewertow]

Nope, it is not used, but we don't use other images as well. I didn't remove them to not increase the scope of this PR.

[jwendell]

I guess this is the change that allows you have have RUN commands in the proxy dockerfile?

[jewertow]

Yes, you're right. As you can see, I updated the PR description and mentioned about this variable.

[jwendell]

nit: Put a FIXME: prefix to those comments? Perhaps it makes it easier for us in the future to locate them?

[jewertow]

Done

[jwendell]

I think the format is https://github.com/istio/istio/issues/0

[jewertow]

Thanks, I fixed it.

[jewertow]

It turned out that we have to disable whole suite. It works on my local machine, but does not on prow. I was trying to find out what's wrong there, but it seems to be a more complicated issue. I will solve it later.

[yxun]

Do we need to install a specific versoin of openssl or just the latest one ?

[jewertow]

We need OpenSSL 1.1.1 and our istio-proxy expects to find libssl.so.1.1. In CentOS Stream 8 the package openssl is exactly this one that we expect. I don't think that this package will be replaced by another version, because the next one is 3.0.0 which provides breaking API and ABI and upgrading from 1.1.1 to 3.0.0 is a big challenge, so it will probably not happen.

[jewertow]

/retest

[jewertow]

/test unit