Commit Graph

51 Commits (cc2db2aeb5f91730a6fa9c6253e683e856a4878f)

Author SHA1 Message Date
Clark Boylan 0937872119 Use bwrap --disable-userns if possible
Newer bwrap has added the ability to disable additional nested user
namespace creation from within the bwrap execution context. Take advantage
of this feature in Zuul if we are able to in order to fortify Zuul's
security position.

In particular we need two conditions to take advantage of this. 1) bwrap
must be new enough to support the feature (>=0.8.0) and 2) we must be
running with user namespaces enabled. We explicitly check for both
conditions and add the appropriate invocation flags to bwrap when the
conditions are met.

Change-Id: Idf933a0847cb8570b551892186ca9c0057be127f
2023-05-16 10:12:21 -07:00
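The two conditions the commit message above spells out (bwrap new enough, and the sandbox actually running with user namespaces) can be turned into a small, testable decision routine. The following POSIX sh snippet is an added example and is not the commit's own code nor Zuul's bwrap driver; `bwrap --version` printing `bubblewrap X.Y.Z` is real, while the `/proc/sys/user/max_user_namespaces` probe in `host_userns_available` is an assumption about the host and is only a convenience for the caller, which normally already knows whether it launched bwrap with `--unshare-user`.

```shell
#!/bin/sh
# Added example: decide whether to append --disable-userns to a bwrap
# invocation. Both conditions from the commit message are checked:
#   1) bwrap >= 0.8.0 (the version that introduced --disable-userns)
#   2) the sandbox is created with user namespaces enabled
# (This is illustrative code, not Zuul's implementation.)

# version_ge A B: succeed when dotted version A is >= B, comparing each
# numeric component in turn; missing components count as 0.
version_ge() {
    a="$1"; b="$2"
    i=1
    while :; do
        ca=$(printf '%s' "$a" | cut -d. -f"$i")
        cb=$(printf '%s' "$b" | cut -d. -f"$i")
        # Both strings exhausted with no difference found: equal.
        [ -z "$ca" ] && [ -z "$cb" ] && return 0
        ca=${ca:-0}; cb=${cb:-0}
        [ "$ca" -gt "$cb" ] && return 0
        [ "$ca" -lt "$cb" ] && return 1
        i=$((i + 1))
    done
}

# bwrap_extra_flags VERSION USERNS: print the extra flag(s) to add to the
# bwrap command line. VERSION is the bwrap version ("0.8.0"); USERNS is
# "yes" when the sandbox is launched with --unshare-user. Prints nothing
# when either condition is not met, so callers can always splice it in.
bwrap_extra_flags() {
    version="$1"; userns="$2"
    if version_ge "$version" "0.8.0" && [ "$userns" = "yes" ]; then
        printf '%s' "--disable-userns"
    else
        printf '%s' ""
    fi
}

# detect_bwrap_version: parse "bubblewrap X.Y.Z" from the installed bwrap.
# Prints nothing and fails if bwrap is not on PATH.
detect_bwrap_version() {
    command -v bwrap >/dev/null 2>&1 || return 1
    bwrap --version 2>/dev/null | awk '{print $2}'
}

# host_userns_available: ASSUMPTION about the host, used only as a
# fallback hint. Linux exposes the user namespace limit in procfs; a
# value of 0 means unprivileged user namespaces are disabled.
host_userns_available() {
    f=/proc/sys/user/max_user_namespaces
    [ -r "$f" ] || return 1
    n=$(cat "$f")
    [ "$n" -gt 0 ]
}

# Stand-alone usage: print the flag (if any) for this host. Harmless if
# bwrap is absent: the empty result simply means "add nothing".
if [ "${1:-}" = "--probe" ]; then
    ver=$(detect_bwrap_version || printf '')
    if host_userns_available; then userns=yes; else userns=no; fi
    printf 'bwrap version: %s, userns: %s, extra flags: "%s"\n' \
        "${ver:-none}" "$userns" "$(bwrap_extra_flags "${ver:-0}" "$userns")"
fi
```

Run it as `sh example.sh --probe` to see the decision for the current host; in a launcher the result of `bwrap_extra_flags` is spliced into the command line right after `bwrap --unshare-user`, and an empty result leaves the invocation unchanged on older bwrap releases.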
James E. Blair c3ea135eaa Add PBR_VERSION argument to Dockerfile
This allows the use of the PBR_VERSION environment variable when
building container images.  This facilitates custom version numbers
with builds.

Change-Id: Ib0156836285a798ebe184691d109301bdf751efb
2023-02-13 15:50:37 -08:00
James E. Blair c0985cff39 Pin sqlalchemy to <2.0 and revert "Update git"
2.0 has breaking api changes:

Revert "Update git"

This reverts commit 944b9852c9.

Upstream Debian has updated git to 2.30.2-1+deb11u1 which patches git
for the issues we manually patched to cover. We don't need the manual
patch anymore and can switch to the distro hence this revert.

Reviewers should double check that the image build process installs the
expected 2.30.2-1+deb11u1 version.

Change-Id: I02c4746a0f6651dfcd04ea88ccfd7d62e481d490
Co-Authored-By: Clark Boylan <>
2023-01-30 11:45:27 -08:00
Ian Wienand d071bfd221 Dockerfile: build later skopeo
skopeo has started failing with

  unsupported MIME type for compression: application/

since the buildx v.10.0 release [1].  The version in bullseye is a
long way behind upstream, and unfortunately there's no practical way
to backport the package (it would require also pulling in a lot of
exploded out go container dependencies).

Thus we take the alternative solution of just building it ourselves
for the executor image.  I couldn't figure out how to build this with
the Debian-packaged go (I think it has something to do with the
aforementioned libraries) but it works with the upstream monolith.  It
produces a binary that is linked to a few local libraries, which are
installed here.
Change-Id: Iab667a92a5b6e6f8591db2aa435a782913d9d34f
2023-01-24 13:26:42 +11:00
James E. Blair 944b9852c9 Update git
This updates git to address CVE-2022-23521.

Change-Id: Ib08ff1fc7b3c8623fa6b927f3010af72e1b946cf
Co-Authored-By: Jeremy Stanley <>
Co-Authored-By: Clark Boylan <>
2023-01-18 15:37:47 -08:00
Clark Boylan 939a7c0394 Update openshift client install version
This updates the openshift client install to use the latest stable
release. Hashes of the oc and kubectl command remain the same which
should continue to allow us to avoid copying both files.

Note we don't fetch the client from the stable-4.11/ path because the
versions of the client under this path are updated when the stable
version updates. Instead we fetch it from the permanent location for the
current stable release (4.11.20/).

Change-Id: Ie78ecd9108f8d6d100479910aa524f867020774f
2023-01-10 09:11:13 -08:00
Clark Boylan c3395915a9 Dedup the oc and kubectl commands in the docker images
These binaries are about 115MB each and we copy both of them.
Fortunately they are identical according to hashing routines so we can
save space by copying them once and using a symlink. We choose to make
`oc` the canonical file as these binaries come from openshift.

Change-Id: I3a34acf4ee20db935a471c4fa9ca5e2f7d297d39
2022-12-09 11:16:33 -08:00
Clark Boylan 9b2b8f82ff Add Python 3.11 testing
This adds python 3.11 testing and drops python3.10 in order to keep
testing only the bounds of what Zuul supports. Note that currently the
python 3.11 available for jammy is based on an RC release. This should
be fine as we do functional testing with a released python 3.11 and that
is what people will consume via the docker images.

Change-Id: Ic5ecf2e23b250d3dbf592983b17ec715d6e9722e
2022-10-27 16:47:14 -07:00
Ian Wienand f5cfb8a900 Revert "Use debian bookworm version of libc-bin"
This reverts commit 559602910f.

The fix to grantpt() required has been merged into bullseye with

To minimise our differences to a standard upstream we can revert to
this version of glibc.
Change-Id: I8580e15d4ea4c65154ba465462e6f38cb4363a5f
2022-09-13 19:40:59 +00:00
Albin Vass 559602910f Use debian bookworm version of libc-bin
Ansible can deadlock when using a libc version lower than 2.33
because of ansible using os.fork for starting new processes.

Change-Id: I76ba278d1ffecbd00886531b4554d7aed21c43df
2022-07-15 15:38:34 -07:00
Clark Boylan d665053fe9 Bump up to python3.10
This adds python3.10 testing on Jammy and switches the docker images to
python3.10 from 3.8.

We run sudo for postgres with -Hi to avoid non fatal errors when
postgres' client attempts to write command history to Zuul's homedir (it
is running as the postgres user which can't write to zuul's homedir). We
also need to update the libffi package version for jammy to 8 in
bindep.txt. Finally, python_version values need to be quoted as "3.10"
is different than 3.10 which is equivalent to 3.1 when serialized by
yaml as a float.

Force setuptools to use stdlib (shipped by the distro) distutils to
avoid problems with virtualenvs not actually being virtualenvs.

Finally we switch the bulk of jobs over to using nodeset: ubuntu-jammy
as the default python there is 3.10.

Change-Id: I97b90bb7a23c90f108f23dda9fdd0e89f9f4dbca
2022-07-01 15:59:48 -07:00
Clark Boylan bb52902303 Update nodejs runtime to version 16
We had been using version 14 which is the previous LTS. Now there are
problems running:

  npx browserslist@latest --update-db

running out of memory. Update to the current nodejs LTS version to
ensure we are running an up to date runtime that hopefully performs more
consistently with the browserslist command.

Change-Id: Ib20c1090ea0f30b7dac2780b6ed963dd6e4b6f77
2022-03-14 15:29:31 -07:00
James E. Blair b269e9e255 Rely on bullseye image for skopeo in container image
Debian bullseye includes skopeo, so we can drop the kubic repository
(which as I write this is having synchronization errors) in favor of
just using the version from the underlying OS.

Change-Id: Ifde147c8c690dd6a421b0133dbabcff7dd9b9649
2021-10-27 14:39:45 -07:00
Clark Boylan 4ebbcbdc27 Build Zuul's docker images on Bullseye
Bullseye is out and Buster is old news :) Bump up the base image that we
build Zuul on to Bullseye from Buster. The python version remains the
same but this gives us a more up to date userland. In particular git
goes from 2.20 to 2.30.

Change-Id: I2decbe805a4d0d1daa96de24e317339cee318850
2021-10-12 15:30:22 -07:00
Monty Taylor a4dcc8bc4b Use node image to build javascript
We can use more than one builder image. Use the node image for
the javascript build so we can avoid spending time installing
node in the python builder image.

Change-Id: I19b18dd419b98119f75a8c3a9f3978f37f329e58
2021-06-04 16:04:06 +00:00
Clark Boylan 4f897f8b9f Noop change to Dockerfile to trigger image builds
Base images have updated. Let's do a rebuild for latest.

Change-Id: I79b20c68a94dadb92fc975c4241782d6a26eef35
2021-02-19 13:09:18 -08:00
James E. Blair f42604a8d9 Squash some RUN layers in Dockerfile
This will reduce the number of layers in the final image.

Change-Id: I1102af5aa98df33d1454964955d0f2c13ee39907
2020-12-11 11:25:26 -08:00
James E. Blair f3e8c809dc Enable git protocol v2 in container images
Git versions between 2.18 and 2.26 have version 2 protocol support
but it's not enabled by default. Starting in 2.26, it is the
default.  V2 is more efficient at negotiating refs and can reduce
the time spent updating a repo by 50% on large repos.

This adds a setting to the container images to specify that v2
should be used.  The images are currently built with git 2.20, which
is in the range where this is needed.

Change-Id: Ifc471c5fde49c65137bc34e49734b3ac3d33e3e1
2020-12-11 09:23:46 -08:00
Tobias Henkel 02c3035837 Update kubic signature
The kubic repo has changed its signature key so update it to unbreak
container builds.

Change-Id: I3edc9bebfc6807fb2ed76e615fc9eeff48c03911
2020-10-12 12:46:14 +02:00
James E. Blair 14a86c4d89 Revert "Revert "Update images to use python 3.8""
This reverts commit fe58e85bb1.

We resolved the twine issue with

Change-Id: Iab73cf93dd7556609f7bddb13ab06ac7ab879d6b
2020-10-01 17:23:15 -06:00
Tobias Henkel fe58e85bb1 Revert "Update images to use python 3.8"
This breaks ensure-twine in opendev which is currently incompatible
with py38.

This reverts commit 429d73e93d.

Change-Id: I983b871d6b42b6d190bc055b57ba0a5f1a4618c0
2020-10-01 15:57:20 +02:00
Tobias Henkel 429d73e93d Update images to use python 3.8
After dropping support of Ansible 2.7 which has compatibility issues
with python 3.8 we now can finally upgrade to Python 3.8 which has
improvements regarding performance and memory usage.

Change-Id: I346c2fe22f8409c600a3ee2a229369778e3cabd6
2020-09-25 11:18:11 +02:00
Clark Boylan e64fd8fff8 Simplify dockerfile
There was a bug in opendevorg/python-builder that prevented extras from
being installed properly. Zuul worked around this with an explicit step
to install those extras. The depends on of this change fixes the
python-builder bug so we can remove the workaround from Zuul's

Change-Id: I28a783ca0582669c7fe9045aa912908f4229fd29
2020-08-03 10:38:57 -07:00
Zuul 141347e082 Merge "Revert "Revert "Create zuul/web/static on demand""" 2020-07-08 18:23:41 +00:00
Tobias Henkel b6f3167b9c
Revert "Revert "Create zuul/web/static on demand""
The js content tarball creation was broken. Instead of leaving the
symlink to a non-existing directory which gets created during python
setup we should just remove that symlink as well and create the
symlink and the static dir during the python setup. This way nothing
will be in the way of the javascript content generation.

This reverts commit eb7b18b38e.

Change-Id: I5f8bfa62cd2d4d9823b86dbcda14885230847a82
2020-07-07 19:53:33 +02:00
Sorin Sbarnea 5a1954eb7b Avoid interactive when building containers
Fixed error observed locally when trying to reproduce CI command failure:

debconf: (TERM is not set, so the dialog frontend is not usable.)
debconf: falling back to frontend: Readline
Configuring openafs-client

AFS filespace is organized into cells or administrative domains. Each
workstation belongs to one cell.  Usually the cell is the DNS domain name of
the site.

AFS cell this workstation belongs to: ^C

Change-Id: I5e818d1fcdac360b13947c750c536ed5d0811cb9
2020-07-07 09:58:35 +01:00
Monty Taylor cb5f4007a6 Remove noninteractive flag from Dockerfile
This has been incorporated into the upstream image now.

Change-Id: I9761bdf04c6e7b559e82ffd0d2c1accd62d86e46
2020-06-26 08:30:38 -05:00
Monty Taylor eec7b303fb Add krb5-user to bindep for the images
We added openafs-krb5 but we need krb5-user for kinit.

Add DEBIAN_FRONTEND=noninteractive to the Dockerfile
to prevent the krb5-user package from asking for our
default realm.

Change-Id: Ifbef43887e541a3edc259ffaf9a75d7343c97dca
2020-06-26 08:29:47 -05:00
Monty Taylor 1f7c6fef9c Create virtualenvs in series to avoid cache race
virtualenv 20.0.24 creates ~/.local/share/virtualenv with the
seed packages needed for making virtualenvs per-python version.
Creating empty virtualenvs is quick, so run those in sequence
to avoid race possibilities. Then, we can still run the
installs into the virtualenvs in parallel.

We also fix a bug in the console stream functional jobs and install pip
with the use of ensure-pip. This is necessary because the virtualenv
fix runs the stream functional jobs and the update to the stream
functional jobs relies on working docker images.

Change-Id: I3dec251d19dd7b3807848a54e6a20a8e89d30a4e
2020-06-23 10:08:06 -07:00
Clark Boylan 9220d41e9e Specifically use python 3.7 base images
We are consuming OpenDev's default python-builder and python-base images
which happen to be python3.7 today. Zuul specifically wants python3.7 so
we should explicitly use OpenDev's 3.7 tags of these images. This way if
OpenDev updates the default to 3.8 zuul can continue to assert its
dependency on 3.7.

Change-Id: I1f344eccfddff9bf1050c571604038371eec1a3f
2020-05-13 10:45:25 -07:00
Tobias Henkel 95d7ebb370 Switch back to python 3.7
Ansible 2.7 is known to be broken with python 3.8 so switch back to
python 3.7 for now until we drop support for Ansible 2.7.

Change-Id: Ibfe1b226630c8db202a294590c6435666afcb62d
2020-05-13 08:39:42 +02:00
Monty Taylor 02081b585b Build zuul images with python 3.8
We suspect a memory leak in python 3.7. BMW saw one and reverted
to 3.6 and has been better. OpenDev is seeing one which seems to
be improved by sending SIGUSR2 signals to the process, which makes
us think there may be an issue in the GC.

Try updating to 3.8. If it fixes it, we can just shrug and say
"3.7 lol". If it doesn't, we can follow BMW's lead and try 3.6.

Change-Id: Iaa53fa2b3125dd3a2c79ba25191b2b44ed473200
2020-05-01 13:38:21 -05:00
Monty Taylor 012eaa7fa1 Install skopeo in container images
The container roles in zuul jobs use skopeo to copy to and from
the intermediate registry. It is therefore helpful to have
skopeo in the images.

Change-Id: I1550b2eeca6cb1755976dd884e668bddf960f296
2020-04-30 19:12:10 -05:00
Monty Taylor 957cec37f3 Remove stretch-backports from docker build
python-base is buster now, so this is not necessary. We can
just install bubblewrap and socat from buster directly.

Change-Id: If65f3c2d6367a7c79cf9d6d8f788021ba72cccd4
2020-03-12 14:17:53 -05:00
Monty Taylor d606ac5151 Be explicit about source of base images
podman build can't build this Dockerfile if we use unprefixed

Change-Id: I6f3c21fe38bf446b22dbf09e6ceadb98d0f29212
2020-03-12 13:46:31 -05:00
James E. Blair bbe2d36495 Stream output from kubectl pods
When we get a pod from nodepool, this starts a kubectl port-forward
on the pod so that zuul-console and the normal method of streaming
command output will work.

Change-Id: Iae85347c3d8e0a74e330a7b62b513c7b41641383
Story: 2007321
Task: 38832
2020-02-27 07:49:40 -08:00
Tobias Henkel a13ec193c8 Add foreground option
The current option stated as 'do not run as a daemon' is actually
'run in debug mode in foreground'. When running in container we
actually want an option for running normally in foreground. Thus add a
new option -f for foreground operations and change the docker images
to use this accordingly.

Change-Id: I16173a73dbfb79dc2c2b05c2002ac41e20a48225
2020-02-22 17:59:24 +01:00
Zuul bc374f5a3e Merge "Fix kubectl/oc install in container image" 2020-02-11 22:40:38 +00:00
James E. Blair 821cff92e2 Fix kubectl/oc install in container image
The binaries were only installed on the builder image.  This change
installs them on the executor image.

Change-Id: I86f7102218a77908c02b7da8a913fd20d417794d
2020-02-11 13:09:31 -08:00
Monty Taylor a864a23cac Run yarn explicitly in Dockerfile
Rather than relying on the setup hook to build the javascript
on demand, we always want to build the javascript in the container
context, so just run yarn explicitly.

Change-Id: Iaf456a78b5f798d3b4d05aa3925beb920dc56258
2020-02-11 12:21:17 -06:00
James E. Blair b374954aa4 Install kubectl/oc into executor container image
This installs oc and kubectl (really oc masquerading as kubectl)
into the zuul-executor container image, so that Ansible kubectl
connections work as expected.

Change-Id: Ib40cacea6751674346154457db4187e8600788d5
2020-02-10 15:53:09 -08:00
Tristan Cacqueray c56250de36 Dockerfile: create a zuul user with uid 10001
This change creates an unprivileged user zuul (uid 10001) to run the
zuul service.

Change-Id: I8bd2cafbe9d2e7580407262c035e50e2e3be474e
2020-01-31 20:46:49 +00:00
Tobias Henkel 8e3d60567b Cleanup executor specific requirements
Ara and openstacksdk are installed into the ansible virtualenvs now so
there is no need to pull them as executor specific dependencies.

Change-Id: I3aeac278b8e1f4bb796e0f3a3f475b3c97208a85
2019-04-04 08:58:04 +02:00
Tobias Henkel cd9827e664 Manage ansible installations within zuul
As a first step towards supporting multiple ansible versions we need
tooling to manage ansible installations. This moves the installation
of ansible from the requirements.txt into zuul. This is called as a
setup hook to install the ansible versions into
<prefix>/lib/zuul/ansible. Further this tooling abstracts knowledge
that the executor must know in order to actually run the correct
version of ansible.

The actual usage of multiple ansible versions will be done in

For better maintainability the ansible plugins live in
zuul/ansible/base where plugins can be kept in different versions if
necessary. For each supported ansible version there is a specific
folder that symlinks the according plugins.

Change-Id: I5ce1385245c76818777aa34230786a9dbaf723e5
2019-03-15 09:09:16 +01:00
Mohammed Naser 2a36eea341 docker: add state folder
Most configuration options depend on storing state data inside
the /var/lib/zuul path which does not exist by default, causing
a lot of configurations to not work out of the box.

This patch creates the folder in the zuul base image, which will
reduce the number of options to be moved around to store state.

Change-Id: I22d05ca26324ffc02cd0b8d2a3059247a21ffdd9
2019-02-23 09:20:41 -05:00
Zuul d010bec30a Merge "Disable service workers by default" 2019-02-05 19:16:34 +00:00
Zuul 59be0ac518 Merge "Add react build env vars to Dockerfile" 2019-02-05 18:46:41 +00:00
Monty Taylor b4f6ef7b70 Disable service workers by default
The Service Workers seem to be consistently causing issues for people
that are strange, meaning many of our deployers are disabling them.

Since they aren't super necessary for the Zuul use case, change the
default behavior to be to disable them instead of enable them.

Change-Id: Iea8348a3b007badaae74fc1837b55bb0b076ac65
2019-02-05 17:23:24 +00:00
Monty Taylor 73feab3b13 Add react build env vars to Dockerfile
So that people can re-use the Dockerfiles to build zuul images
but with different flags set, plumb the env vars through here
as ARG entries.

Also, fix 2 doc references that were misspelled.

Change-Id: I320a496eadf4132fc0583dd48a87024a2ff61a07
2019-02-05 14:32:58 +00:00
Monty Taylor 489f295bf9 Stop building an explicit zuul-base image
We have a utility image that we use for running the zuul command
that doesn't have any additional software installed. Although it does
set a COMMAND of /usr/local/bin/zuul, it could still be useful as
a general base image for other people if they wanted such a thing.

Change-Id: I4f92d8707f478c73cd41678db4ed511e8dbfbb7e
2019-01-24 16:13:45 +00:00