Bug 1845345: Fix building multi-stage image that has a --from=X #166

Merged
openshift-merge-robot merged 1 commit into openshift:release-4.5 from adambkaplan:bump-buildah on Aug 5, 2020

@adambkaplan
Contributor

  • Bump github.com/openshift/source-to-image to v1.3.0 to address dependency
    skews which prove problematic for go.mod.
  • Pin github.com/containerd/containerd to v1.3.6 to resolve transitive
    dependencies on v0.y versions of containerd/containerd.
  • Switch github.com/docker/docker back to using an upstream pseudo-version that
    aligns better with containers/image.
  • Pin golang.org/x/crypto to ensure dependencies include fix for CVE-2020-9283.
  • Bump github.com/containers/buildah to v1.14.10 to include fix for Bug 1845345,
    along with its dependencies:
    • github.com/containers/conmon to v0.8.4
    • github.com/containers/image/v5 to v5.4.3
    • github.com/containers/storage to v1.18.2
    • github.com/openshift/imagebuilder to v1.1.4

@openshift-ci-robot openshift-ci-robot added bugzilla/severity-high Referenced Bugzilla bug's severity is high for the branch this PR is targeting. bugzilla/invalid-bug Indicates that a referenced Bugzilla bug is invalid for the branch this PR is targeting. labels Jul 22, 2020
@openshift-ci-robot
Contributor

@adambkaplan: This pull request references Bugzilla bug 1845345, which is invalid:

  • expected dependent Bugzilla bug 1843232 to be in one of the following states: VERIFIED, RELEASE_PENDING, CLOSED (ERRATA), but it is ASSIGNED instead

Comment /bugzilla refresh to re-evaluate validity if changes to the Bugzilla bug are made, or edit the title of this pull request to link to a different bug.

In response to this:

Bug 1845345: bump(*)

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@openshift-ci-robot openshift-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Jul 22, 2020
@adambkaplan
Contributor Author

/bugzilla refresh

@openshift-ci-robot openshift-ci-robot added bugzilla/valid-bug Indicates that a referenced Bugzilla bug is valid for the branch this PR is targeting. and removed bugzilla/invalid-bug Indicates that a referenced Bugzilla bug is invalid for the branch this PR is targeting. labels Jul 22, 2020
@openshift-ci-robot
Contributor

@adambkaplan: This pull request references Bugzilla bug 1845345, which is valid. The bug has been moved to the POST state. The bug has been updated to refer to the pull request using the external bug tracker.

6 validation(s) were run on this bug
  • bug is open, matching expected state (open)
  • bug target release (4.5.z) matches configured target release for branch (4.5.z)
  • bug is in the state ASSIGNED, which is one of the valid states (NEW, ASSIGNED, ON_DEV, POST, POST)
  • dependent bug Bugzilla bug 1844596 is in the state VERIFIED, which is one of the valid states (VERIFIED, RELEASE_PENDING, CLOSED (ERRATA))
  • dependent Bugzilla bug 1844596 targets the "4.6.0" release, which is one of the valid target releases: 4.6.0, 4.6.z
  • bug has dependents

In response to this:

/bugzilla refresh


@adambkaplan
Contributor Author

/assign @TomSweeneyRedHat

/cc @nalind @otaviof @coreydaley

Comment thread go.mod
github.com/containerd/containerd => github.com/containerd/containerd v0.2.10-0.20180716142608-408d13de2fbb
github.com/docker/docker => github.com/openshift/moby-moby v1.4.2-0.20190308215630-da810a85109d
github.com/containerd/containerd => github.com/containerd/containerd v1.3.6
github.com/docker/docker => github.com/docker/docker v0.0.0-20190404075923-dbe4a30928d4
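
Review bot: The two replace targets in this go.mod hunk, github.com/containerd/containerd v1.3.6 and github.com/docker/docker v0.0.0-20190404075923-dbe4a30928d4, have no inline comment saying why they are pinned, so a later bump has nothing to check against. Suggest a one-line comment above each: that containerd is pinned to reconcile conflicting transitive requirements, and that the docker/docker commit was chosen to align with containers/image, plus a note on when each replace can be dropped.
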
Contributor Author

containerd/containerd needs to be replaced because there are transitive dependencies which reference different versions that conflict. The 1.3.6 version is a more recent tag that resolves the conflicts.

docker/docker is moved to an upstream version with a pseudo-version that replace can resolve. We don't need the OpenShift fork any more as this has drifted from what buildah uses.

Comment thread go.mod
github.com/moby/buildkit => github.com/dmcgowan/buildkit v0.0.0-20170731200553-da2b9dc7dab9
github.com/opencontainers/runtime-tools => github.com/opencontainers/runtime-tools v0.8.0
// CVE-2020-9283 fix
golang.org/x/crypto => golang.org/x/crypto v0.0.0-20200220183623-bac4c82f6975
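
Review bot: The golang.org/x/crypto replace pins one exact pseudo-version, and a replace directive overrides whatever version the requirement graph would otherwise select, so the build stays at v0.0.0-20200220183623-bac4c82f6975 even after dependencies start requiring something newer. Suggest extending the `// CVE-2020-9283 fix` comment to say that this version is a minimum and that the replace should be removed once the required version is at or past it. The github.com/moby/buildkit line above it points at a fork under github.com/dmcgowan with a 2017 pseudo-version and has no comment either; it is worth recording why that fork is still needed.
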
Contributor Author

We pull in the vulnerable ssh code, therefore we need to bump this to a patched version.
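
One way to keep the pin described in this comment from silently regressing, as an added example that is not part of the PR or of the openshift/builder code: it parses the replace directives of a go.mod and checks that golang.org/x/crypto is replaced by upstream at or after the pseudo-version pinned here. The function names, `fixTime` and the sample go.mod fragment are assumptions made for the example, and ordering pseudo-versions by timestamp assumes commits from the module's single main branch.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Commit timestamp of v0.0.0-20200220183623-bac4c82f6975, the fix pinned in this PR.
const fixTime = "20200220183623"

// Constructed go.mod fragment that reuses the replace line quoted in this thread.
const sampleGoMod = `replace (
	// CVE-2020-9283 fix
	golang.org/x/crypto => golang.org/x/crypto v0.0.0-20200220183623-bac4c82f6975
)`

var replaceRe = regexp.MustCompile(`^(?:replace\s+)?(\S+)(?:\s+v\S+)?\s+=>\s+(\S+)(?:\s+(v\S+))?$`)
var pseudoRe = regexp.MustCompile(`^v0\.0\.0-(\d{14})-[0-9a-f]{12}$`)

// replaceTargets maps each replaced module path to {target path, target version}.
func replaceTargets(gomod string) map[string][2]string {
	out := map[string][2]string{}
	for _, line := range strings.Split(gomod, "\n") {
		line = strings.SplitN(line, "//", 2)[0] // drop comments
		if m := replaceRe.FindStringSubmatch(strings.TrimSpace(line)); m != nil {
			out[m[1]] = [2]string{m[2], m[3]}
		}
	}
	return out
}

// cryptoPinOK checks that golang.org/x/crypto is replaced by upstream at or after the fix.
func cryptoPinOK(gomod string) (bool, string) {
	t, found := replaceTargets(gomod)["golang.org/x/crypto"]
	if !found || t[0] != "golang.org/x/crypto" {
		return false, "golang.org/x/crypto is not replaced by an upstream version"
	}
	ts := pseudoRe.FindStringSubmatch(t[1])
	if ts == nil {
		return false, "not a v0.0.0 pseudo-version, review manually: " + t[1]
	}
	if ts[1] < fixTime { // 14-digit UTC timestamps order correctly as strings
		return false, "pinned commit predates the fix: " + t[1]
	}
	return true, "pinned at or after the fix: " + t[1]
}

func main() { fmt.Println(cryptoPinOK(sampleGoMod)) }
```

The check reads only the go.mod text; `go list -m golang.org/x/crypto` run in the repository reports the version the build actually resolves.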

@TomSweeneyRedHat
Contributor

TomSweeneyRedHat commented Jul 23, 2020

LGTM
Thanks so much for running this down @adambkaplan, I'd no hair left after my attempts.

@sdodson
Member

sdodson commented Aug 4, 2020

Still needs LGTM label.

@gabemontero
Contributor

/lgtm

@openshift-ci-robot openshift-ci-robot added the lgtm Indicates that a PR is ready to be merged. label Aug 4, 2020
@openshift-ci-robot
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: adambkaplan, gabemontero, otaviof

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@sdodson sdodson added the cherry-pick-approved Indicates a cherry-pick PR into a release branch has been approved by the release branch manager. label Aug 5, 2020
@sdodson
Member

sdodson commented Aug 5, 2020

/retitle Bug 1845345: Fix building multi-stage image that has a --from=X

@openshift-ci-robot openshift-ci-robot changed the title Bug 1845345: bump(*) Bug 1845345: Fix building multi-stage image that has a --from=X Aug 5, 2020
@openshift-merge-robot openshift-merge-robot merged commit aaa5f69 into openshift:release-4.5 Aug 5, 2020
@openshift-ci-robot
Contributor

@adambkaplan: All pull requests linked via external trackers have merged: openshift/builder#166. Bugzilla bug 1845345 has been moved to the MODIFIED state.

In response to this:

Bug 1845345: Fix building multi-stage image that has a --from=X

