[REQ] Support RPM-based images with valid rpm status but missing tools
ashnamehrotra opened this issue · comments
What kind of request is this?
None
What is your request or suggestion?
Line 333 in d648155
Turning copacetic TODO comments into issues from https://docs.google.com/spreadsheets/d/1XwNj1J6e2FrUhlqaIsV10l8_tgov7WodlkvpNZXYZMU/edit#gid=1386834576.
Are you willing to submit PRs to contribute to this feature request?
- Yes, I am willing to implement it.
I've done some of the initial work required for this feature which is available in my fork of the repo available here.
There are two approaches we can take to this feature, both of which are documented below.
Approach 1 - Reusing The Approach Used For Distroless
This is the approach currently taken in my fork of the repo linked above. While it generally works, there are 2 roadblocks that prevent this from working flawlessly.
- Missing packages in the CBL mariner package manager repos
- If all packages do exist in the CBL mariner package manager repos, we will always get the following error after all packages have been downloaded:
Error: lstat /var/lib/docker/tmp/buildkit-mount2278373692/var/lib/rpmmanifest: no such file or directory
To fix the first issue, we could add 3rd party yum repos into the CBL mariner tooling image. Deciding on which one should be used and how to handle packages which exist in more than one repo could be a challenge.
The second issue will require further investigation for me to determine why that directory is missing.
Reproducing Above Issues
Clone my git branch (https://github.com/MiahaCybersec/copacetic/tree/valid-rpm-status-no-tools)
With no further changes, using the patch commands below will reproduce the first issue mentioned.
To skip over missing packages in the CBL mariner package manager repos, add --skip-broken to the yumdownloader commands on lines 482 and 490 in rpm.go. This will tell yum that if any packages are broken or missing, simply skip over them and continue executing anyway.
From here, choose an image that is missing RPM tools. There are two images I've been working with below as examples.
patch -r /calico-node-3.23.3-32.json -i docker.io/calico/node:v3.23.3-32-g2b86bba8df1f --debug
patch -r /ubi8-micro8.7.json -i docker.io/redhat/ubi8-micro:8.7 --debug
Once the above changes are made, we can reliably reproduce the second issue.
Approach 2 - Adding a New Function
This approach would allow us to handle images which have a valid RPM status but missing tools differently than a distroless image. While I have started initial work on this locally, I will likely need additional time and help learning LLB and BuildKit.
Due to this approach relying upon the CBL mariner tooling image, we'd still run into the first issue listed under the first approach. It is possible other issues may arise while taking this approach, but those issues are not currently known if they exist.
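Approach 2 hinges on telling apart the three cases an RPM-based image can fall into: package tools present, distroless with only an rpmmanifest, and a valid RPM database with no tools. The Go snippet below is an added example written for this page; it is not code from the copacetic repository or from the fork linked above. The rootfs paths it probes (rpmdb, tool binaries, /var/lib/rpmmanifest) and the sample layouts it constructs are assumptions. It deliberately treats a missing /var/lib/rpmmanifest as "absent" instead of failing on the lstat, which is the second issue approach 1 runs into.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
)

// RPMImageKind is how an unpacked image rootfs would need to be patched.
type RPMImageKind int

const (
	KindUnknown    RPMImageKind = iota // no RPM database and no manifest
	KindTooling                        // rpm/yum/dnf/tdnf available in the image
	KindDistroless                     // no database, only a CBL Mariner style rpmmanifest
	KindDBNoTools                      // valid RPM database, no package tools (this issue)
)

func (k RPMImageKind) String() string {
	return [...]string{"unknown", "tooling", "distroless", "rpmdb-without-tools"}[k]
}

// The paths below are assumptions for this example (common rpmdb, tool and
// manifest locations), not a list taken from copacetic.
var (
	rpmDBCandidates = []string{
		"var/lib/rpm/rpmdb.sqlite", "var/lib/rpm/Packages",
		"usr/lib/sysimage/rpm/rpmdb.sqlite", "usr/lib/sysimage/rpm/Packages",
	}
	toolCandidates = []string{
		"usr/bin/rpm", "usr/bin/yum", "usr/bin/dnf", "usr/bin/tdnf", "usr/bin/microdnf",
	}
	manifestDir = "var/lib/rpmmanifest"
)

func existsAny(root string, rels []string) bool {
	for _, rel := range rels {
		if _, err := os.Stat(filepath.Join(root, rel)); err == nil {
			return true
		}
	}
	return false
}

// ClassifyRootfs inspects an unpacked rootfs and reports which patching
// path applies. A missing manifest directory is reported as absent rather
// than returned as an error, so an image with an rpmdb but no
// /var/lib/rpmmanifest does not fail the way approach 1 does.
func ClassifyRootfs(root string) (RPMImageKind, error) {
	hasDB := existsAny(root, rpmDBCandidates)
	hasTools := existsAny(root, toolCandidates)

	info, err := os.Lstat(filepath.Join(root, manifestDir))
	if err != nil && !errors.Is(err, os.ErrNotExist) {
		return KindUnknown, fmt.Errorf("checking %s: %w", manifestDir, err)
	}
	hasManifest := err == nil && info.IsDir()

	switch {
	case hasTools:
		return KindTooling, nil
	case hasDB:
		return KindDBNoTools, nil
	case hasManifest:
		return KindDistroless, nil
	default:
		return KindUnknown, nil
	}
}

// MakeSampleRootfs builds a constructed rootfs layout (empty files and
// directories) under root; it stands in for an exported image filesystem.
func MakeSampleRootfs(root string, files, dirs []string) error {
	for _, d := range dirs {
		if err := os.MkdirAll(filepath.Join(root, d), 0o755); err != nil {
			return err
		}
	}
	for _, f := range files {
		p := filepath.Join(root, f)
		if err := os.MkdirAll(filepath.Dir(p), 0o755); err != nil {
			return err
		}
		if err := os.WriteFile(p, nil, 0o644); err != nil {
			return err
		}
	}
	return nil
}

func main() {
	// Constructed layouts, not real images.
	cases := map[string]struct{ files, dirs []string }{
		"rpmdb-only":    {files: []string{"var/lib/rpm/rpmdb.sqlite"}},
		"rpmdb-and-rpm": {files: []string{"var/lib/rpm/Packages", "usr/bin/rpm"}},
		"manifest-only": {dirs: []string{"var/lib/rpmmanifest"}},
	}
	for name, c := range cases {
		root, err := os.MkdirTemp("", "rootfs-")
		if err != nil {
			panic(err)
		}
		if err := MakeSampleRootfs(root, c.files, c.dirs); err != nil {
			panic(err)
		}
		kind, err := ClassifyRootfs(root)
		fmt.Printf("%-14s -> %v (err=%v)\n", name, kind, err)
		os.RemoveAll(root)
	}
}
```

The check order matters: an image that still ships rpm/yum/dnf/tdnf is patched in place regardless of the database, the rpmdb-without-tools case is only reached when no tool binary is found, and the rpmmanifest is consulted last so that a missing directory never turns into an error for images that have a real database.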