-
Notifications
You must be signed in to change notification settings - Fork 47
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
chore(Dockerfile): Refactor dockerfile to Debian Slim with no deps #613
base: master
Are you sure you want to change the base?
Conversation
@alfrunes, Let me know if you want to start the integration pipeline by mentioning me and the command "start pipeline". my commands and optionsYou can trigger a pipeline on multiple prs with:
You can start a fast pipeline, disabling full integration tests with:
You can trigger GitHub->GitLab branch sync with:
You can cherry pick to a given branch or branches with:
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Okey, so we are finally going to publish mender-artifact
on Docker too 👍
See below - we need to preserver the backwards compatibility build before merging this.
Dockerfile
Outdated
@@ -1,9 +1,10 @@ | |||
# Keep golang version aligned with latest yocto release |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We discussed this in the past. We cannot silently update the golang version.
However the intention now is to actually publish this image, so we cannot anymore lock to golang 1.17 here (obviously). So could you please extend your PR (scope creep coming!) with the following:
- Add a new Dockerfile (f.eks
Dockerfile.backcompat
or something like that) which still build the binary with golang 1.17 and keeps this comment - Add a new CI job to just do
docker build
on this new Dockerfile
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Having an extra Dockerfile for building for go1.17 seems a bit excessive. How about a simple gitlab job (build:yoctocompat
) that runs go build
in a golang:1.17
container?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Having an extra Dockerfile for building for go1.17 seems a bit excessive. How about a simple gitlab job (
build:yoctocompat
) that runsgo build
in agolang:1.17
container?
Actually I thought about that during this week of inactivity in this PR. It is not only better, but also aligned to other client repos when we had to do backwards compatibility jobs. Thanks
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thank you! I am very happy to see this coming up together 🚀
Pre-approving, but please see my comments below
.gitlab-ci.yml
Outdated
stage: build | ||
before_script: | ||
- docker login --username "$CI_REGISTRY_USER" --password "$CI_REGISTRY_PASSWORD" "$CI_REGISTRY" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
If the password is not masked, this line would leak it. It is better to use
- docker login --username "$CI_REGISTRY_USER" --password "$CI_REGISTRY_PASSWORD" "$CI_REGISTRY" | |
- echo ${CI_REGISTRY_PASSWORD} | docker login --username ${CI_REGISTRY_USER} --password-stdin ${CI_REGISTRY} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm not sure I get it. Isn't it the same with the echo command? The variable is expanded there as well.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It won't be logged into stdout - (iow the CI logs). I cannot link to an LFF - but search for "GitLab CI secrets leak" in the LFF archive :)
Signed-off-by: Alf-Rune Siqveland <alf.rune@northern.tech>
Signed-off-by: Alf-Rune Siqveland <alf.rune@northern.tech>
Signed-off-by: Alf-Rune Siqveland <alf.rune@northern.tech>
Needs to be overwritten in some circumstances, for example when building with coverage instrumentation. Signed-off-by: Alf-Rune Siqveland <alf.rune@northern.tech>
@lluiscampos I'm wondering if we should bump the |
Yes, there is no reason to keep As a rule of thumb, we should have use golang versions: one specific for the new |
Oops, sorry (apparently my future self was talking here). I meant
Agreed! I'll update the |
4ffe851
to
3818d08
Compare
Signed-off-by: Alf-Rune Siqveland <alf.rune@northern.tech>
Signed-off-by: Alf-Rune Siqveland <alf.rune@northern.tech>
Signed-off-by: Alf-Rune Siqveland <alf.rune@northern.tech>
reverts commit 634d64b Signed-off-by: Alf-Rune Siqveland <alf.rune@northern.tech>
@mender-test-bot start pipeline |
Hello 😺 I created a pipeline for you here: Pipeline-1327329596 Build Configuration Matrix
|
@@ -150,8 +150,6 @@ test:smoketests:linux: | |||
- ./mender-artifact-linux read test-rfs.mender | |||
- ./mender-artifact-linux validate test-rfs.mender | |||
- ./tests/test_compressions/test_supported_compressions.sh | |||
# QA-507: lock mender-artifact to OpenSSL 1.1 | |||
- ldd ./mender-artifact-linux | grep libssl.so.1.1 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We should not break compatibility this way. We need to plan it a bit. As discussed in person, we could offer two flavors in our Downloads page: one statically linked without pkcs11 and one dynamically linked for openssl3.
As this starts to be bigger than a nice to have PR, can we create a task for it? It involves the work here, plus having some sort of subdirs structure in the S3 bucket, and mender-docs
.
No description provided.