UBI Upgrade & Python39 & Add locks for Teems Data (#2693)

azure-pipelines.yaml

@@ -0,0 +1,114 @@
+# Starter pipeline
+# Start with a minimal pipeline that you can customize to build and deploy your code.
+# Add steps that build, run tests, deploy, and more:
+# https://aka.ms/yaml
+
+trigger:
+  branches:
+    include:
+      - master
+  tags:
+    include:
+      - v*
+
+pool:
+  vmImage: 'ubuntu-latest'
+
+variables:
+  imageName: 'f5networks/k8s-bigip-ctlr-devel'
+  quayConnection: 'quay-bot'
+  redhatConnection: 'redhat-bot'
+  dockerConnection: 'docker-bot'
+  scanConnection: 'cis-scan-bot'
+  quay_path: 'quay.io/f5networks/k8s-bigip-ctlr-devel'
+  redhat_prj_name: 'cntr-ingress-svcs'
+  docker_repo: 'f5networks/k8s-bigip-ctlr'
+  chartPath: 'incubator'
+  chartRepoName: 'charts'
+  chartOrganization: F5Networks
+  helmVersion: 'v3.5.4'
+  chartsUpdated: False
+  operatorUpdated: False
+  operatorImageName: 'f5networks/f5-cis-operator-devel'
+  operatorBundleImageName: 'f5networks/f5-cis-operator-bundle-devel'
+  operatorIndexImage: 'f5networks/f5-cis-operator-index-devel'
+
+stages:
+  - stage: PreCheck
+    jobs:
+      - job: Preverification
+        steps:
+          - task: CmdLine@2
+            displayName: Check Go format and Suspicious constructs
+            inputs:
+              script: 'make verify'
+  - stage: ContainerImage
+    dependsOn: PreCheck
+    jobs:
+      - job: BuildContainerImage
+        steps:
+          - script: |
+              echo "##vso[task.setvariable variable=BUILD_VERSION]$(cat next-version.txt)"
+            displayName: Set CIS Version
+          - task: Docker@2
+            displayName: Login to redhat registry
+            inputs:
+              command: login
+              containerRegistry: $(redhatConnection)
+          - task: Docker@2
+            displayName: Login to quay registry
+            inputs:
+              command: login
+              containerRegistry: $(quayConnection)
+          - task: Docker@2
+            displayName: Login to docker registry
+            condition: startsWith(variables['build.sourceBranch'], 'refs/tags/')
+            inputs:
+              command: login
+              containerRegistry: $(dockerConnection)
+          - task: Docker@2
+            displayName: Login to scan registry
+            condition: startsWith(variables['build.sourceBranch'], 'refs/tags/')
+            inputs:
+              command: login
+              containerRegistry: $(scanConnection)
+          - task: Docker@2
+            displayName: Build from Red Hat Universal Base Image
+            inputs:
+              command: build
+              containerRegistry: $(quayConnection)
+              repository: $(imageName)
+              Dockerfile: build-tools/Dockerfile.ubi
+              buildContext: .
+              tags: $(Build.SourceVersion)
+              arguments: "--build-arg BUILD_INFO=azure-$(Build.BuildId)-$(Build.SourceVersion) --build-arg BUILD_VERSION=$(BUILD_VERSION) --build-arg RUN_TESTS=$(RUN_TESTS) --build-arg COVERALLS_TOKEN=$(COVERALLS_TOKEN)"
+          - task: Docker@2
+            displayName: Push image to Quay
+            inputs:
+              command: push
+              containerRegistry: $(quayConnection)
+              repository: $(imageName)
+              tags: $(Build.SourceVersion)
+          - script: |
+              set -ex
+              podman pull --authfile $(DOCKER_CONFIG)/config.json $(quay_path):$(Build.SourceVersion)
+              podman tag $(quay_path):$(Build.SourceVersion) scan.connect.redhat.com/$(REDHAT_PRJ_ID)/$(redhat_prj_name):$(BUILD_VERSION)-ubi8
+              podman push --authfile $(DOCKER_CONFIG)/config.json scan.connect.redhat.com/$(REDHAT_PRJ_ID)/$(redhat_prj_name):$(BUILD_VERSION)-ubi8
+            condition: and(succeeded(), startsWith(variables['build.sourceBranch'], 'refs/tags/'))
+            displayName: 'Push image to Redhat'
+            continueOnError: true
+          - script: |
+              set -ex
+              docker pull $(quay_path):$(Build.SourceVersion)
+              docker tag $(quay_path):$(Build.SourceVersion) $(docker_repo):latest
+              docker tag $(quay_path):$(Build.SourceVersion) $(docker_repo):$(BUILD_VERSION)
+              patch_version=`echo $(BUILD_VERSION) | awk -F '.'  '{print $3}'`
+              if [ "${patch_version}" == "0" ] ; then
+                stripped_version=`echo $(BUILD_VERSION) | rev | cut -c3- | rev`
+                docker tag $(quay_path):$(Build.SourceVersion) $(docker_repo):${stripped_version}
+                docker push $(docker_repo):${stripped_version}
+              fi
+              docker push $(docker_repo):latest
+              docker push $(docker_repo):$(BUILD_VERSION)
+            displayName: 'Push image to DockerHub'
+            condition: startsWith(variables['build.sourceBranch'], 'refs/tags/')

build-tools/Dockerfile.ubi

@@ -12,7 +12,7 @@ COPY . .
 
 RUN $REPOPATH/build-tools/rel-build.sh
 
-FROM registry.redhat.io/ubi7/ubi-minimal
+FROM registry.redhat.io/ubi9/ubi-minimal
 
 LABEL name="f5networks/k8s-bigip-ctlr" \
       vendor="F5 Networks" \
@@ -38,30 +38,15 @@ COPY requirements.txt /tmp/requirements.txt
 RUN mkdir -p "$APPPATH/bin" "$APPPATH/vendor/src/f5/schemas/" \
  && touch $APPPATH/vendor/src/f5/VERSION_BUILD.json
 
-RUN microdnf update && \
-    microdnf \
-      --enablerepo=ubi-7-server-devtools-rpms --enablerepo=ubi-7-server-extras-rpms  \
-      --enablerepo=ubi-7-server-optional-rpms --enablerepo=ubi-server-rhscl-7-rpms \
-      install --nodocs \
-      rh-python38 git shadow-utils && \
-    microdnf \
-    --enablerepo=ubi-7-server-devtools-rpms --enablerepo=ubi-7-server-extras-rpms \
-    --enablerepo=ubi-7-server-optional-rpms --enablerepo=ubi-server-rhscl-7-rpms \
-    update nss-tools nss-softokn nss-util scl-utils && \
-    . scl_source enable rh-python38 && \
-    pip install --no-cache-dir --upgrade pip==20.0.2 && \
-    pip install --no-cache-dir -r /tmp/requirements.txt && \
-    python -m pip uninstall -y pip && \
+RUN microdnf update -y && \
+    microdnf --enablerepo=ubi-9-baseos-rpms install --nodocs python39 python3-pip git shadow-utils -y && \
+    microdnf --enablerepo=ubi-9-baseos-rpms --enablerepo=ubi-9-appstream-rpms update nss-tools nss-softokn nss-util scl-utils -y && \
+    pip3 install --no-cache-dir --upgrade pip==20.0.2 && \
+    pip3 install --no-cache-dir -r /tmp/requirements.txt && \
+    python3 -m pip uninstall -y pip && \
     adduser ctlr && \
-    microdnf remove  \
-    fipscheck fipscheck-lib    \
-    libgnome-keyring \
-    libedit openssh openssh-clients \
-    perl-Git  perl-TermReadKey  perl-macros git-core git-core-doc git less \
-    rsync shadow-utils  && \
-    microdnf clean all \
-    && echo "{\"version\": \"${BUILD_VERSION}\", \"build\": \"${BUILD_INFO}\"}" > $APPPATH/vendor/src/f5/VERSION_BUILD.json \
-    && chown -R ctlr "$APPPATH" && chmod -R 755 "$APPPATH"
+    microdnf remove libedit openssh openssh-clients perl-Git  perl-TermReadKey  perl-macros git-core git-core-doc git less shadow-utils -y && \
+    microdnf clean all && echo "{\"version\": \"${BUILD_VERSION}\", \"build\": \"${BUILD_INFO}\"}" > $APPPATH/vendor/src/f5/VERSION_BUILD.json && chown -R ctlr "$APPPATH" && chmod -R 755 "$APPPATH"
 
 USER ctlr
 COPY schemas/*.json $APPPATH/vendor/src/f5/schemas/
@@ -74,8 +59,7 @@ ENV GODEBUG x509ignoreCN=0
 
 # entrypoint to enable scl python at runtime
 RUN echo $'#!/bin/sh\n\
-	  source scl_source enable rh-python38\n\
-	  exec $APPPATH/bin/k8s-bigip-ctlr.real "$@"' > $APPPATH/bin/k8s-bigip-ctlr && \
+    exec $APPPATH/bin/k8s-bigip-ctlr.real "$@"' > $APPPATH/bin/k8s-bigip-ctlr && \
     chmod +x $APPPATH/bin/k8s-bigip-ctlr
 
 CMD ["/app/bin/k8s-bigip-ctlr"]

docs/RELEASE-NOTES.rst

@@ -1,6 +1,16 @@
 Release Notes for BIG-IP Controller for Kubernetes
 ==================================================
 
+1.14.2
+------------
+Added Functionality
+`````````````````````
+* Upgrade Base OS to UBI 9
+
+Bug Fixes
+`````````
+* Teems Data Crash issue fixed
+
 1.14.1
 ------------
 
@@ -11,7 +21,7 @@ Added Functionality
 
 Vulnerability Fixes
 ```````````````````
-Release image is upgrade to UBI-7 and  following vulnerabilities are fixed:
+Release image is upgrade to UBI-7 and fixed the following vulnerabilities:
 
 +---------------------------------+----------------+
 | CVE                             | PACKAGE        |

next-version.txt

@@ -1 +1 @@
-1.14.1
+1.14.2

pkg/teem/teem.go

@@ -69,7 +69,7 @@ func (td *TeemsData) PostTeemsData() bool {
 	// Retry only once upon failure
 	var retryCount = 1
 	var accessEnabled = true
-
+	td.Lock()
 	assetInfo := f5teem.AssetInfo{
 		Name:    "CIS-Ecosystem",
 		Version: fmt.Sprintf("CIS/v%v", td.CisVersion),
@@ -80,9 +80,8 @@ func (td *TeemsData) PostTeemsData() bool {
 		td.ResourceType.Configmaps, td.ResourceType.VirtualServer, td.ResourceType.TransportServer,
 		td.ResourceType.ExternalDNS, td.ResourceType.IPAMVS, td.ResourceType.IPAMTS, td.ResourceType.IPAMSvcLB,
 		td.ResourceType.NativeRoutes, td.ResourceType.RouteGroups}
-	var sum int
 	for _, rscType := range types {
-		sum = 0
+		sum := 0
 		rscType[TOTAL] = 0 // Reset previous iteration sum
 		for _, count := range rscType {
 			sum += count
@@ -109,6 +108,7 @@ func (td *TeemsData) PostTeemsData() bool {
 		"NativeRoutesCount":        td.ResourceType.NativeRoutes[TOTAL],
 		"RouteGroupsCount":         td.ResourceType.RouteGroups[TOTAL],
 	}
+	td.Unlock()
 	for retryCount >= 0 {
 		err := teemDevice.Report(data, "CIS Telemetry Data", "1")
 		if err != nil && !strings.Contains(err.Error(), "request-limit") {