Pin dependency library versions

[2uasimojo]

To make image builds more predictable, this commit pins the versions of
the two libraries pulled in by the docker build:

• util-linux
• amazon-efs-utils

This way we don't get surprised by changes in the underlying libs -- we
move along explicitly and deliberately.

Is this a bug fix or adding new feature?
Neither, just hardening the image build process.

What is this PR about? / Why do we need it?

Recently when trying to debug a problem mounting access points (see #152) one of our wild goose chases involved figuring out what version of amazon-efs-utils was built into the driver image at various times during our testing. Having the version pinned in the dockerfile for a given driver release would have removed the guesswork.

And in general this is just a good idea.

What testing is done?
Local make image-release, run (overriding entrypoint with a shell), verify installed versions with yum.

[k8s-ci-robot]

Hi @2uasimojo. Thanks for your PR.

I'm waiting for a kubernetes-sigs member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[jharrington22]

Moving forward these versions may be dropped from the repository. Do we need to pin the FROM image too? Assuming the repo source URLs are specific for minor releases otherwise it wouldn't help.

[wongma7]

Right, it doesn't seem to help, for example try base image 20200207 released prior to 1.24 and it still needs to get updates from the amzn2-core repository where only 1 version is available:

sh-4.2# yum list available amazon-efs-utils
Loaded plugins: ovl, priorities
Available Packages
amazon-efs-utils.noarch                   1.24-4.amzn2                    amzn2-core

So any time a new package of amazon-efs-utils replaces the old, builds will fail (like as part of PR CI)? That will be painful for contributors.

Alternatively, we could log the amazon-efs-utils version with mount.efs --version

aws-efs-csi-driver/pkg/driver/version.go

Line 46 in be96b1d

func GetVersionJSON() (string, error) {

to help with the debugging/guesswork part of this issue.

[2uasimojo]

It sounds like there's not a perfect answer here; we're going to have to choose the lesser evil.

I think we really only need to worry about the dep versions being removed (do they really do that?) during the lifecycle of latest. Once we tag a driver release, we're effectively freezing at whatever's available at that time; the bits stick to the image even if the repo is changed. If something happens where we need to update a tagged version (backporting a bugfix, for example), we can bump the lib versions at the same time if necessary -- the point being that we're always using a specific known working version.

And yes, developers working on latest could be inconvenienced if a lib version goes away, but IMO that's a good thing. As it stands, if something breaks while I'm developing, I don't know whether it's my code or because the anonymous lib version moved underneath me, and that's hard to discover. If the library version is pinned, that source of error is eliminated. If that version disappears, the failure (in CI or locally) is easy to understand. Yes, it requires a new/separate PR to fix, but IMO that's worth the trouble.

[wongma7]

I forgot to set --show-duplicates:

$ yum --showduplicates list amazon-efs-utils
Loaded plugins: priorities, update-motd
Installed Packages
amazon-efs-utils.noarch                         1.25-2.amzn2                         @amzn2-core
Available Packages
amazon-efs-utils.noarch                         1.0-1.amzn2                          amzn2-core 
amazon-efs-utils.noarch                         1.1-1.amzn2                          amzn2-core 
amazon-efs-utils.noarch                         1.2-1.amzn2                          amzn2-core 
amazon-efs-utils.noarch                         1.3-1.amzn2                          amzn2-core 
amazon-efs-utils.noarch                         1.4-1.amzn2                          amzn2-core 
amazon-efs-utils.noarch                         1.5-1.amzn2                          amzn2-core 
amazon-efs-utils.noarch                         1.6-1.amzn2                          amzn2-core 
amazon-efs-utils.noarch                         1.7-1.amzn2                          amzn2-core 
amazon-efs-utils.noarch                         1.10-1.amzn2                         amzn2-core 
amazon-efs-utils.noarch                         1.18-1.amzn2                         amzn2-core 
amazon-efs-utils.noarch                         1.21-2.amzn2                         amzn2-core 
amazon-efs-utils.noarch                         1.23-2.amzn2                         amzn2-core 
amazon-efs-utils.noarch                         1.24-2.amzn2                         amzn2-core 
amazon-efs-utils.noarch                         1.24-3.amzn2                         amzn2-core 
amazon-efs-utils.noarch                         1.24-4.amzn2                         amzn2-core 
amazon-efs-utils.noarch                         1.25-1.amzn2                         amzn2-core 
amazon-efs-utils.noarch                         1.25-2.amzn2                         amzn2-core 
amazon-efs-utils.noarch                         1.25-3.amzn2                         amzn2-core

So my point is moot. They don't seem to remove old versions.

[leakingtapan]

/ok-to-test

[2uasimojo]

/retest

[2uasimojo]

Sorry for my ignorance @leakingtapan: I can't tell if this build failure is spurious, or if it's happening because the checksum of the driver image has changed. The latter would be expected -- but I could use some help identifying where the expected checksum would need to be updated. (And I might also submit a PR to put that explanation into the text for this build failure to help future me.)

[2uasimojo]

/test pull-aws-efs-csi-driver-e2e
...to see if this is for real.

[2uasimojo]

Sorry for my ignorance @leakingtapan: I can't tell if this build failure is spurious, or if it's happening because the checksum of the driver image has changed.

Spurious. It passed on a retest. Disregard.

[2uasimojo]

/test pull-aws-efs-csi-driver-e2e

[2uasimojo]

I've rebased and added a commit to pin the amazonlinux image as well. Can we continue this discussion?

[2uasimojo]

/test pull-aws-efs-csi-driver-e2e

[2uasimojo]

The pull-aws-efs-csi-driver-e2e job seems unhappy, but I don't think it's my PR. I'll wait a bit before retesting.

[wongma7]

/lgtm
/approve

I'm going to create a follow up PR to bump to 1.25-3 as that's the latest and I want to get that tested ASAP.

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: 2uasimojo, wongma7

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [wongma7]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[2uasimojo]

Thanks @wongma7

I'm going to create a follow up PR to bump to 1.25-3 as that's the latest and I want to get that tested ASAP.

Cool, would you please @ me when you do? I'd like to watch that and test with it as well.