Hermekton Beta Tracking Issue #3965

Open
3 of 7 tasks
priyawadhwa opened this issue May 20, 2021 · 4 comments
Labels
area/roadmap Issues that are part of the project (or organization) roadmap (usually an epic) kind/feature Categorizes issue or PR as related to a new feature. lifecycle/frozen Indicates that an issue or PR should not be auto-closed due to staleness.

Comments


priyawadhwa commented May 20, 2021

This is an overarching issue we can use to track the different things we'll need to do for hermekton beta:

  • Figure out how we want to handle sidecar containers. We can either just document that they aren't supported or actually fail if hermetic execution mode is applied on a Task with sidecar containers
  • Add sample working tasks & pipelines
  • Should they be enabled for pipelines as well?
  • Make sure hermekton works if the user isn't running as root (more details in Add support for experimental hermetic execution mode to TaskRuns #3956 (comment)) (added test for this in Add hermetic test running as non-root user #3973)
  • Check if this will work across most major kernel versions (namespaces introduced in 2013, so we should be good here)
  • Documentation on limitations/generally make sure docs are up to date
  • Remove the alpha feature flag requirement for hermekton

Relevant Links:
TEP: https://github.com/tektoncd/community/blob/main/teps/0025-hermekton.md
Hermekton alpha PR: #3956

@vdemeester vdemeester added area/roadmap Issues that are part of the project (or organization) roadmap (usually an epic) kind/feature Categorizes issue or PR as related to a new feature. labels May 21, 2021
@imjasonh
Member

Figure out how we want to handle sidecar containers. We can either just document that they aren't supported or actually fail if hermetic execution mode is applied on a Task with sidecar containers

One option, at least for declared sidecars, would be to inject the entrypoint even if we don't otherwise use it to start the container. That wouldn't help with injected sidecars, but then we could just detect/block injected sidecars, instead of blocking all sidecars.

@priyawadhwa
Author

@imjasonh wouldn't we have to use the entrypointer to start the container as well? Right now hermekton basically takes the command the entrypointer would run and runs it in a namespace without network access, so I think we'd need the entrypointer to start sidecars as well for this to work--

dropNetworking(cmd)
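
The mechanism described in the comment above (running the step's command in a namespace without network access), extended to the non-root case from the task list, as an added example that is not Tekton's code. `isolateNetwork` and its parameters are hypothetical names; the non-root path assumes a Linux host with unprivileged user namespaces enabled.

```go
package main

import (
	"fmt"
	"os"
	"os/exec"
	"syscall"
)

// isolateNetwork (hypothetical helper, Linux only) arranges for cmd to be
// started in a fresh network namespace. A new network namespace contains
// only a loopback device that is down, so the child has no route anywhere.
func isolateNetwork(cmd *exec.Cmd, uid, gid int) {
	if cmd.SysProcAttr == nil {
		cmd.SysProcAttr = &syscall.SysProcAttr{}
	}
	attr := cmd.SysProcAttr
	attr.Cloneflags |= syscall.CLONE_NEWNET
	if uid != 0 {
		// A non-root caller may not create a network namespace directly.
		// Creating a user namespace in the same clone call grants the
		// needed capability inside it; map the caller to the same IDs so
		// file ownership looks unchanged to the step.
		attr.Cloneflags |= syscall.CLONE_NEWUSER
		attr.UidMappings = []syscall.SysProcIDMap{{ContainerID: uid, HostID: uid, Size: 1}}
		attr.GidMappings = []syscall.SysProcIDMap{{ContainerID: gid, HostID: gid, Size: 1}}
	}
}

func main() {
	// /proc/net resolves per process, so the child lists the interfaces of
	// its own namespace: only "lo" should appear when isolation worked.
	cmd := exec.Command("cat", "/proc/net/dev")
	isolateNetwork(cmd, os.Getuid(), os.Getgid())
	out, err := cmd.CombinedOutput()
	if err != nil {
		fmt.Fprintln(os.Stderr, "could not start isolated child:", err)
		os.Exit(1)
	}
	fmt.Print(string(out))
}
```

Only a process launched through such a wrapper is isolated, which is why a sidecar started by the container runtime rather than by the entrypoint keeps its network access.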

@tekton-robot
Collaborator

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale with a justification.
Stale issues rot after an additional 30d of inactivity and eventually close.
If this issue is safe to close now please do so with /close with a justification.
If this issue should be exempted, mark the issue as frozen with /lifecycle frozen with a justification.

/lifecycle stale

Send feedback to tektoncd/plumbing.

@tekton-robot tekton-robot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Oct 15, 2021
@vdemeester
Member

/lifecycle frozen

@tekton-robot tekton-robot added lifecycle/frozen Indicates that an issue or PR should not be auto-closed due to staleness. and removed lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. labels Nov 12, 2021