mbox series

[XEN,v3,0/4] automation: Update containers to allow HTTPS access to xenbits

Message ID 20230224172915.39675-1-anthony.perard@citrix.com (mailing list archive)
Headers show
Series automation: Update containers to allow HTTPS access to xenbits | expand

Message

Anthony PERARD Feb. 24, 2023, 5:29 p.m. UTC
Patch series available in this git branch:
https://xenbits.xen.org/git-http/people/aperard/xen-unstable.git br.gitlab-containers-update-v3

v3:
- new patch which remove non-debug x86_32 builds
- don't fix root certificates in jessie containers as those won't be used
  anymore on the main branch.

v2:
- Remove CentOS 7.2
- Remove Debian Jessie test, but update container recipe for the benefit of
  older branches.
- Fix CentOS 7 containner recipe to update all packages. (Fix missing update of
  HTTPS root certificates)

There is work in progress [1] to update urls in our repo to use https, but
those https urls to xenbits don't work in our containers, due to an expired
root certificate. So we need to update those containers.

This series update the dockerfile where just rebuilding the container isn't enough.

Cheers,

Anthony PERARD (4):
  automation: Use EOL tag for Jessie container
  automation: Remove testing on Debian Jessie
  automation: Remove expired root certificates used to be used by let's
    encrypt
  automation: Remove non-debug x86_32 build jobs

 .../build/debian/jessie-i386.dockerfile       |  2 +-
 automation/build/debian/jessie.dockerfile     |  2 +-
 automation/build/ubuntu/trusty.dockerfile     |  5 ++
 automation/gitlab-ci/build.yaml               | 60 -------------------
 4 files changed, 7 insertions(+), 62 deletions(-)

Comments

Andrew Cooper Feb. 24, 2023, 5:37 p.m. UTC | #1
On 24/02/2023 5:29 pm, Anthony PERARD wrote:
> Patch series available in this git branch:
> https://xenbits.xen.org/git-http/people/aperard/xen-unstable.git br.gitlab-containers-update-v3
>
> v3:
> - new patch which remove non-debug x86_32 builds
> - don't fix root certificates in jessie containers as those won't be used
>   anymore on the main branch.
>
> v2:
> - Remove CentOS 7.2
> - Remove Debian Jessie test, but update container recipe for the benefit of
>   older branches.
> - Fix CentOS 7 containner recipe to update all packages. (Fix missing update of
>   HTTPS root certificates)
>
> There is work in progress [1] to update urls in our repo to use https, but
> those https urls to xenbits don't work in our containers, due to an expired
> root certificate. So we need to update those containers.
>
> This series update the dockerfile where just rebuilding the container isn't enough.

LGTM.

Acked-by: Andrew Cooper <andrew.cooper3@citrix.com>

I'll add this to my commit sweep, and rebuild the remaining containers.

But on that note, I noticed that the debian unstable container was 2.3G
when I last rebuilt it.  Which I think is obscenely large for what we're
doing.

Can we see about switching to slim/tiny container bases?

~Andrew
Anthony PERARD Feb. 24, 2023, 6:12 p.m. UTC | #2
On Fri, Feb 24, 2023 at 05:37:44PM +0000, Andrew Cooper wrote:
> On 24/02/2023 5:29 pm, Anthony PERARD wrote:
> > Patch series available in this git branch:
> > https://xenbits.xen.org/git-http/people/aperard/xen-unstable.git br.gitlab-containers-update-v3
> >
> > v3:
> > - new patch which remove non-debug x86_32 builds
> > - don't fix root certificates in jessie containers as those won't be used
> >   anymore on the main branch.
> >
> > v2:
> > - Remove CentOS 7.2
> > - Remove Debian Jessie test, but update container recipe for the benefit of
> >   older branches.
> > - Fix CentOS 7 containner recipe to update all packages. (Fix missing update of
> >   HTTPS root certificates)
> >
> > There is work in progress [1] to update urls in our repo to use https, but
> > those https urls to xenbits don't work in our containers, due to an expired
> > root certificate. So we need to update those containers.
> >
> > This series update the dockerfile where just rebuilding the container isn't enough.
> 
> LGTM.
> 
> Acked-by: Andrew Cooper <andrew.cooper3@citrix.com>
> 
> I'll add this to my commit sweep, and rebuild the remaining containers.
> 
> But on that note, I noticed that the debian unstable container was 2.3G
> when I last rebuilt it.  Which I think is obscenely large for what we're
> doing.
> 
> Can we see about switching to slim/tiny container bases?

I don't think that would help much, the non-slim container is only 116MB
vs 74.6MB for the slim (amd64 containers). But maybe we could try to use
"--no-install-recommends", that might save a few bytes in our containers.

Cheers,
Andrew Cooper Feb. 24, 2023, 6:22 p.m. UTC | #3
On 24/02/2023 6:12 pm, Anthony PERARD wrote:
> On Fri, Feb 24, 2023 at 05:37:44PM +0000, Andrew Cooper wrote:
>> On 24/02/2023 5:29 pm, Anthony PERARD wrote:
>>> Patch series available in this git branch:
>>> https://xenbits.xen.org/git-http/people/aperard/xen-unstable.git br.gitlab-containers-update-v3
>>>
>>> v3:
>>> - new patch which remove non-debug x86_32 builds
>>> - don't fix root certificates in jessie containers as those won't be used
>>>   anymore on the main branch.
>>>
>>> v2:
>>> - Remove CentOS 7.2
>>> - Remove Debian Jessie test, but update container recipe for the benefit of
>>>   older branches.
>>> - Fix CentOS 7 containner recipe to update all packages. (Fix missing update of
>>>   HTTPS root certificates)
>>>
>>> There is work in progress [1] to update urls in our repo to use https, but
>>> those https urls to xenbits don't work in our containers, due to an expired
>>> root certificate. So we need to update those containers.
>>>
>>> This series update the dockerfile where just rebuilding the container isn't enough.
>> LGTM.
>>
>> Acked-by: Andrew Cooper <andrew.cooper3@citrix.com>
>>
>> I'll add this to my commit sweep, and rebuild the remaining containers.
>>
>> But on that note, I noticed that the debian unstable container was 2.3G
>> when I last rebuilt it.  Which I think is obscenely large for what we're
>> doing.
>>
>> Can we see about switching to slim/tiny container bases?
> I don't think that would help much, the non-slim container is only 116MB
> vs 74.6MB

That's 64% smaller to start with...

>  for the slim (amd64 containers). But maybe we could try to use
> "--no-install-recommends", that might save a few bytes in our containers.

Oh wow - yeah.  For buster-gcc-ibt (which is already slim), we're getting:

Suggested packages:
  binutils-doc bison-doc bzip2-doc cpp-doc gcc-8-locales dbus-user-session
  libpam-systemd pinentry-gnome3 tor debian-keyring flex-doc g++-multilib
  g++-8-multilib gcc-8-doc libstdc++6-8-dbg autoconf automake libtool gdb
  gcc-doc libgcc1-dbg libgomp1-dbg libitm1-dbg libatomic1-dbg libasan5-dbg
  liblsan0-dbg libtsan0-dbg libubsan1-dbg libmpx2-dbg libquadmath0-dbg
  parcimonie xloadimage scdaemon glibc-doc sensible-utils git bzr gdbm-l10n
  gmp-doc libgmp10-doc libmpfr-doc libsasl2-modules-gssapi-mit
  | libsasl2-modules-gssapi-heimdal libsasl2-modules-ldap
libsasl2-modules-otp
  libsasl2-modules-sql libstdc++-8-doc m4-doc make-doc man-browser ed
  diffutils-doc perl-doc libterm-readline-gnu-perl
  | libterm-readline-perl-perl libb-debug-perl liblocale-codes-perl
  pinentry-doc readline-doc


which is a whole bunch of junk we absolutely do not need.

~Andrew