Container plugin meeting notes

November 23rd

• 2.8.2 and 2.9.1 releases are going to be released this week
  • 2.8.2 - Container Support - Pulp
  • 2.9.1 - Container Support - Pulp
  • ipanova will do the releases
• Signing work, who can contribute?
  • Tanya, Ina, Lubos?
  • Container signing/verification support - HackMD
• Roles work, needs review/testing for the 3.17 release
  • https://github.com/pulp/pulp_container/pull/403
    • Tanya, Ina

November 29

• 2.9.1 and 2.8.2 releases are out
• we have community contribution that fixes an S3 bug, should we backport this into earlier release?https://github.com/pulp/pulp_container/pull/437
  • ask galaxy
• signing work
  • separate branch for development: “signing”
  • signature model/viewset/serializer PR is ready https://github.com/pulp/pulp_container/pull/439
  • sync signatures WIP
    • downloaders question https://github.com/pulp/pulp_container/pull/436#discussion_r757065877
  • sign content from within registry WIP
    • add-signing-service pulpcore command needs adjustments so script field is optional
• roles work
  • PR needs review, it is ready? https://github.com/pulp/pulp_container/pull/403
  • CI is broken, need to fix
  • migrate groups into roles Task #9572: Port the RBAC implementation to the pulpcore roles framework - Container Support - Pulp
• any blockers?
  • docker hub pull limit rate - look into Team plan pricing

December 6

• Container Registry signing service WIP
  • https://github.com/pulp/pulp_container/pull/441
• Sync of signatures from a sigstore WIP
  • https://github.com/pulp/pulp_container/pull/436
  • how should we test this? we need a rtesting egistry with the sigstore
• 2026277 – null value in column "manifest_id" violates not-null constraint error while syncing RHOSP container images we should switch to use content.resolution() in the sync pipeline
  • Refactor #9424: Remove the interrelate stage from the sync pipeline - Container Support - Pulp Need to meet and brainstorm approach to get this story groomed
• 3 backport requests from galaxy, we need to release before shutdown
  • Backport #9601: Backport 9586 to pulp_container 2.8 - Container Support - Pulp
  • Backport #9600: Backport 9586 to pulp_container 2.5 - Container Support - Pulp
  • Backport #9610: backport to 2.8: Enable rate_limit option during container sync from remote registry - Container Support - Pulp
• Redis caching PR, close to be done and ready for review
  • https://github.com/pulp/pulp_container/pull/444

January 10

• need to prioritize sync pipeline refactor 2026277 – null value in column "manifest_id" violates not-null constraint error while syncing RHOSP container images
• Signing epic
  • Signature serve/pull PR is up. Let’s merge the branch after this PR?
  • we can switch to write tests soon. How to test integration with sigstore will an opened question.
• Redis caching PR needs review
  • Ina started to look into it

January 17

• refactor of sync pipeline discussions https://github.com/pulp/pulp_container/issues/495
• roles RBAC PR
  • look into tests and ensure that they use roles
  • CI is green, needs review - Tanya will take a look
    • (DATA-)Migrations for permissions to roles are missing, TBD
• redis caching PR - needs re-review
• signing epic
  • sync from extensions API PR ready for review
  • push of signature from the client - in progress
  • still figuring out how to test proper integration with sigstore
• “Bringing pulp_ansible and pulp_container together for all the things”
• BZ solved with a hotfix patch 2026277 – null value in column "manifest_id" violates not-null constraint error while syncing RHOSP container images

January 24

• https://github.com/pulp/pulp_container/pull/546#issuecomment-1016795721 ci reaches limit on docker pull

  • tests need changes, pulp-smash needs a setting to account for user/pass
    • [dkliban] this might not be possible for PRs because secrets are not available there for security issues. will investigate.
    • [matthias] will look into tests whether it is possible to download content less frequently
  • [ipanova] look whether it is possible to have a robot account or re-purpose one of our accounts

• roles RBAC migration

  • translating the auto-generated groups may not be sufficient
  • add-permission needs to be translated to creator role
  • I’d like to have a review on the role layout before continuing writing the migration [tanya]
  • what to do with directly assigned permissions? maybe ask on pulpcore meeting for more insight

January 31

Regrets: ipanova, x9c4.

• testing registry

  • outcome - use some deprecated repo from RH registry and add basic signature assertions in the tests
    • need to find one
    • deprecated repos
  • long term - stand up in CI a small sigstore proxy to variously pass through valid and invalid signatures?
    • no, work with the real registry, and just mock data for bad signatures

• CI reaches limit on docker pull

  • tests need changes, pulp-smash needs a setting to account for user/pass
    • [dkliban] this might not be possible for PRs because secrets are not available there for security issues. will investigate.
      • Not done yet, moving to the next week
    • [matthias] will look into tests whether it is possible to download content less frequently
  • [ipanova][done] look whether it is possible to have a robot account or re-purpose one of our accounts
    • service account does not seem to be different from regular account except for granting it read-only perms Service accounts | Docker Documentation TLDR; we can re-purpose one of the existing accounts
      • take Tanya’s
  • look into whether we can use GitHub registry so we’re not dependant on dockerhub?
    • AI: lmjachky

secrets can’t be used on PRs,
one solution would be migrating tests to use images from github,
and keep only a few tests with docker that only runs nightly

On pulp_ansible most of our tests run on galaxy, but we have few tests that run on AH:

February 7th

• think of what to do with directly assigned rbac perms
  • copy-pasta form pulpcore meeting notes:
    • Idea: manage command to report “unmigrated” permissions and let the admin assign the roles via api
    • Create the command in pulp_container codebase
  • Matthias has found a way how to identify directly assigned rbac perms and translate them into roles during the migration
  • PR is ready for review
• CI reaches limit on docker pull
  • tests need changes, pulp-smash needs a setting to account for user/pass
    • [dkliban] this might not be possible for PRs because secrets are not available there for security issues. will investigate.
    • [Matthias] will look into tests whether it is possible to download content less frequently
    • [Lubos] created PoC to move to Github Package Registry.
      • Does not support schema converstion, is it a concern?
      • Does not evaluate accept headers sent from the client
      • https://github.com/pulp/pulp_container/pull/563
      • No major concerns, let’s move
• needs a volunteer to enable docker push in katello https://github.com/pulp/pulp_container/issues/558
• can we create push repo ahead of push action?
  • need more info from katello

February 14

• Roles PR is ready for review
• moved away from Dockerhub on our CI, should we also propagate this change to other branches?
  • 2.5, 2.8, 2.9, 2.10 yes
• Enable docker push in katello https://github.com/pulp/pulp_container/issues/558 needs help with steps to reproduce
• merging signing branch into main, a lot of conflicts to solve
• doing various backports for the 2.5, 2.8, 2.9 and 2.10 branches + release

February 21

• PRs need review - repo blob mount and manifest list push
• [matthias] will look whether signature code path needs any adjustments for the roles work

February 28

• some customers still seem to have issue with manifest_id null during sync - ipanova is looking into this
• https://github.com/pulp/pulp_container/pull/605 we can remove some unnecessary db reset connection calls
• enable push with remote user auth - PR is up from Lubos
• what can we focus on next?
  • we should write some tests for the signing feature
  • sync of signatures is still in question how write tests → ask Tanya to re-fresh what has been decided/proposed

March 7th

• matthias is working on refactor sync pipeline
  • it’s failing in a strange way currently
  • https://github.com/pulp/pulp_container/pull/608 let’s take a look at the test failures
• i’d like to cut 2.11 release. Waiting on remote user and push of manifest list PRs
• ipanova will work on azure bug |https://bugzilla.redhat.com/show_bug.cgi?id=2026151

March 14th

• asked Tanya to re-fresh what has been decided/proposed w/r/t testing sync of signatures from a sigstore Container signing/verification support - HackMD
• Signing policy configuration - what workflow scenarios to document?
  • too many combinations, let’s have some discussion directly on the PR
• plan to release 2.11 this week
• refactor sync pipeline there is a bug only in one runner not sure it’s related
  • Refactor sync pipeline · pulp/pulp_container@d801f93 · GitHub
    • it seems like the order of list of blobs changed
• FYI Matthias is refactoring some rbac tests
  • https://github.com/pulp/pulp_container/pull/632

March 21

• sync pipeline refactor PR from Matthias is ready for review
• CI is failing due change in core. Investigation is ongoing - Matthias and Brian are on it
• ipanoved releaseed 2.11
• ipanova submitted PR for sig policy docs
• Lubos submitted PR for signature tests
• Matthias refactores sometests to use pytest
• Lubos is investigating CI intermittent failure related to tag
• we got some bugs reported from a user who upgrated to 2.11
  • ipanova is working on the gpg issue
  • we need to document Roles https://github.com/pulp/pulp_container/issues/641

This meeting was consolidated in favor of Pulp/Galaxy integration meeting