Use init process #367
Merged
Use init process #367
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
squaremo
force-pushed
the
use-init-process
branch
3 times, most recently
from
e1f9024 to
35f3065
Compare
The operator runs as PID 1, which is expected to reap zombie processes; since it doesn't, they get left around to take up room. This commit installs `tini` and uses it as PID 1, instead. This removes the use of ssh-agent in the `build/bin/entrypoint` script, which serves only to prevent go-git from complaining about not finding an ssh-agent socket -- and doesn't help with authentication (if no SSH key is supplied, it will simply fail the SSH handshake). Signed-off-by: Michael Bridgen <[email protected]>
These are relics of old operator-sdk boilerplate. In particular, - the entrypoint script is not needed because the entrypoint can be given in the Dockerfile (and doesn't need to do anything fancy) - the user_setup script isn't needed when `useradd` is run. `useradd` would not normally be available, since the base image used for controllers is often some variation of minimal, distro-less image; but, this image uses the maximalist pulumi/pulumi base image. Signed-off-by: Michael Bridgen <[email protected]>
Signed-off-by: Michael Bridgen <[email protected]>
When using SSH, a key must be obtained from somewhere. On the command line, git would either use the ssh-agent socket, or try to use a key in ~/.ssh. go-git mirrors this, by resorting to ssh-agent if it is not given any other choices. But in the operator container, it doesn't make sense too try to use ssh-agent, because there's no chance to add keys to it -- its only purpose would be to stop go-git from complaining. So: treat it as an error if someone uses an SSH git URL, but doesn't supply a private SSH key. Signed-off-by: Michael Bridgen <[email protected]>
squaremo
force-pushed
the
use-init-process
branch
from
e9ee5ab to
dd3e453
Compare
lblackstone
approved these changes
Nov 8, 2022
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
The operator runs as PID 1, which is expected to reap zombie processes; since it doesn't, they get left around to take up room. This PR installs
tiniand uses it as PID 1, instead.I've removed the build/bin/{entrypoint,user_setup} scripts, which aren't necessary. The entry point can be given in the Dockerfile, and
useraddalready does the necessary setup. It is still necessary to create $HOME/.ssh, since git uses SSH and SSH expects that directory to exist.This also removes the extra ceremony around using ssh-agent. Very little explanation is given in #92 where it was added, so I did some investigation. It turns out that go-git will use SSH agent if not given any other auth. The automation API will supply auth to go-git as long as it's given something, but will otherwise let go-git fall back to using the ssh-agent.
The problem with falling back to ssh-agent is that it won't work inside the operator container -- even if you run ssh-agent, that will avoid go-git complaining about not finding its socket (which seems to have been the impetus for #92), but will then fail to authenticate because ssh-agent doesn't have any keys to offer. A better alternative is to explicitly require a secret key in
.spec.gitAuth.