Merge pull request #1026 from pohly/ipmctl

Bundle ipmctl

Author: pohly

.dockerignore

@@ -1,16 +1,15 @@
 *
-! **/*.make
-! Dockerfile
-! LICENSE
-! Makefile
-! cmd/**
-! pkg/**
-! test/cmd/**
-! test/test-config.d/**
-! test/test-config.sh
-! third-party/**
-! hack/**
-! vendor/**
-! go.mod
-! go.sum
-! operator/
+!*/*.make
+!Dockerfile
+!LICENSE
+!Makefile
+!cmd/
+!pkg/
+!test/
+!third-party/
+!hack/
+!vendor/
+!go.mod
+!go.sum
+!operator/
+!deploy/

Dockerfile

@@ -1,3 +1,7 @@
+# Copyright 2021 Intel Coporation.
+#
+# SPDX-License-Identifier: Apache-2.0
+
 # Image builds are not reproducible because the base layer is changing over time.
 ARG LINUX_BASE=debian:buster-slim
 
@@ -18,7 +22,7 @@ RUN echo 'deb-src http://ftp.debian.org/debian buster-backports main' >> /etc/ap
 # tools and recommended packages. But this image gets pushed to a registry by the CI as a cache,
 # so it still makes sense to keep this layer small by removing /var/cache.
 RUN ${APT_GET} update && \
-    ${APT_GET} install -y gcc libndctl-dev/buster-backports make git curl iproute2 pkg-config xfsprogs e2fsprogs parted openssh-client python3 python3-venv equivs && \
+    ${APT_GET} install -y gcc libndctl-dev/buster-backports make git curl iproute2 pkg-config xfsprogs e2fsprogs parted openssh-client python3 python3-venv equivs debhelper cmake python asciidoctor pkg-config && \
     rm -rf /var/cache/*
 RUN curl -L https://dl.google.com/go/go${GO_VERSION}.linux-amd64.tar.gz | tar -zxf - -C / && \
     mkdir -p /usr/local/bin/ && \
@@ -29,6 +33,20 @@ ADD hack/python3-fake-debian-package .
 # Creates python3_100.0_all.deb
 RUN equivs-build python3-fake-debian-package
 
+# Build ipmctl from source.
+# We use the latest official release and determine that via
+# the HTML redirect page.
+RUN set -x && \
+    git clone https://github.com/intel/ipmctl.git && \
+    cd ipmctl && \
+    tag=$(curl --silent https://github.com/intel/ipmctl/releases/latest | sed -e 's;.*tag/\([^"]*\).*;\1;') && \
+    git checkout $tag && \
+    mkdir build && \
+    cd build && \
+    cmake -DRELEASE=ON -DCMAKE_INSTALL_PREFIX=/usr/local .. && \
+    make -j all && \
+    make install
+
 # Clean image for deploying PMEM-CSI.
 FROM ${LINUX_BASE} as runtime
 ARG APT_GET="env DEBIAN_FRONTEND=noninteractive apt-get"
@@ -158,14 +176,21 @@ RUN set -x && \
     ls -l /usr/local/share/package-sources; \
     du -h /usr/local/share/package-sources
 
+COPY --from=build /ipmctl/LICENSE /usr/local/share/package-licenses/ipmctl.LICENSE
+
 # The actual pmem-csi-driver image.
 FROM runtime as pmem
 
 # Move required binaries and libraries to clean container.
-COPY --from=binaries /usr/local/bin/pmem-* /usr/local/bin/
+COPY --from=binaries /usr/local/bin/pmem-* /usr/local/bin/ipmctl /usr/local/bin/
+COPY --from=binaries /usr/local/lib/libipmctl*.so.* /usr/local/lib/
+COPY --from=binaries /usr/local/man /usr/local/man
 COPY --from=binaries /usr/local/share/package-licenses /usr/local/share/package-licenses
 COPY --from=binaries /usr/local/share/package-sources /usr/local/share/package-sources
 
+# /usr/local/lib is not in the default library search path.
+RUN for i in /usr/local/lib/*.so.*; do ln -s $i /usr/lib; done
+
 # Don't rely on udevd, it isn't available (https://unix.stackexchange.com/questions/591724/how-to-add-a-block-to-udev-database-that-works-after-reboot).
 # Same with D-Bus.
 # Backup and archival of metadata inside the container is useless.

Dockerfile.UBI

@@ -0,0 +1,170 @@
+# Copyright 2021 Intel Coporation.
+#
+# SPDX-License-Identifier: Apache-2.0
+
+# Image for building PMEM-CSI for OpenShift.
+#
+# This need a subscription for the RHEL package feed.
+#
+# On a suitable host, run
+#   subscription-manager register --username <username> --auto-attach
+# to subscribe. Then build with
+#   buildah bud -f Dockerfile.UBI
+#
+# If such a host is not available, then the same can be done in a container.
+# The host then only needs buildah but doesn't need to be RHEL. In the following
+# example, /nvme is where the GOPATH and the current directory are located.
+#
+#   docker run --detach --privileged -v /var/lib/containers/:/var/lib/containers/:Z -v /nvme:/nvme --name rhel registry.access.redhat.com/rhel7:latest sleep infinity
+#   docker exec -ti rhel subscription-manager register --username <username> --auto-attach
+#   docker exec rhel subscription-manager repos --enable=rhel-7-server-rpms
+#   docker exec rhel subscription-manager repos --enable=rhel-7-server-extras-rpms
+#   docker exec rhel yum -y install buildah
+#   docker exec rhel buildah bud -f `pwd`/Dockerfile.UBI `pwd`
+#
+# Because /var/lib/containers/ is shared with the host, buildah on the host will
+# have access to the resulting image:
+#
+# $ sudo buildah images
+# REPOSITORY                                                                                 TAG      IMAGE ID       CREATED         SIZE
+# <none>                                                                                     <none>   d1767ba7457c   1 minutes ago   361 MB
+# $ container=$(sudo buildah from d1767ba7457c)
+# $ sudo buildah $container ls /licenses
+# PMEM-CSI.LICENSE  github.com  go-fibmap  go.LICENSE  go.uber.org  golang.org  gomodules.xyz  google.golang.org gopkg.in  ipmctl.LICENSE  k8s.io  sigs.k8s.io
+#
+# It can be tagged either as part of "buildah bud" with "-t <tag>" or later.
+
+# Image #0 as build
+FROM registry.access.redhat.com/ubi8
+
+WORKDIR /pmem-csi
+COPY . .
+
+ARG GO_VERSION="1.16.1"
+
+# CACHEBUST is set by the CI when building releases to ensure that apt-get really gets
+# run instead of just using some older, cached result.
+ARG CACHEBUST
+
+RUN dnf install -y gcc ndctl-devel make git pkg-config curl tar findutils xz cmake pkg-config gcc-c++ python36
+RUN curl -L https://dl.google.com/go/go${GO_VERSION}.linux-amd64.tar.gz | tar -zxf - -C / && \
+    mkdir -p /usr/local/bin/ && \
+    for i in /go/bin/*; do ln -s $i /usr/local/bin/; done
+
+# Build ipmctl from source.
+# We use the latest official release and determine that via
+# the HTML redirect page.
+RUN set -x && \
+    git clone https://github.com/intel/ipmctl.git && \
+    mkdir -p /usr/local/share/package-licenses && \
+    cp LICENSE /usr/local/share/package-licenses/ipmctl.LICENSE && \
+    cd ipmctl && \
+    tag=$(curl --silent https://github.com/intel/ipmctl/releases/latest | sed -e 's;.*tag/\([^"]*\).*;\1;') && \
+    git checkout $tag && \
+    mkdir build && \
+    cd build && \
+    cmake -DRELEASE=ON -DCMAKE_INSTALL_PREFIX=/usr/local .. && \
+    make -j all && \
+    make install
+
+# build pmem-csi-driver
+ARG VERSION="unknown"
+ENV PKG_CONFIG_PATH=/usr/lib/pkgconfig/
+
+# Here we choose explicitly which binaries we want in the image and in
+# which flavor (production or testing). The actual binary name in the
+# image is going to be the same, to avoid unnecessary deployment
+# differences.
+RUN set -x && \
+    make VERSION=${VERSION} pmem-csi-driver pmem-csi-operator && \
+    mkdir -p /usr/local/bin && \
+    mv _output/pmem-csi-driver /usr/local/bin/pmem-csi-driver && \
+    mv _output/pmem-csi-operator /usr/local/bin/pmem-csi-operator && \
+    go mod vendor && \
+    hack/copy-modules-license.sh /usr/local/share/package-licenses ./cmd/pmem-csi-driver ./cmd/pmem-csi-operator && \
+    cp /go/LICENSE /usr/local/share/package-licenses/go.LICENSE && \
+    cp LICENSE /usr/local/share/package-licenses/PMEM-CSI.LICENSE
+
+# Now also copy copyleft source code that was used during the build of our binaries.
+RUN set -x && \
+    mkdir -p /usr/local/share/package-sources && \
+    for license in $(grep -l -r -w -e MPL -e GPL -e LGPL /usr/local/share/package-licenses | sed -e 's;^/usr/local/share/package-licenses/;;'); do \
+        if ! (dir=$(dirname $license) && \
+              tar -Jvcf /usr/local/share/package-sources/$(echo $dir | tr / _).tar.xz vendor/$dir ); then \
+              exit 1; \
+        fi; \
+    done; \
+    ls -l /usr/local/share/package-sources; \
+    du -h /usr/local/share/package-sources
+
+# The actual pmem-csi-driver image.
+# Image #1 as runtime
+FROM registry.access.redhat.com/ubi8
+LABEL name="pmem-csi-driver"
+LABEL vendor="Intel"
+# updated by hack/set-version.sh when preparing a release
+LABEL version="v0.9.1"
+# Needs to be set by Red Hat build service.
+# LABEL release="1"
+LABEL summary="A CSI driver for managing PMEM."
+LABEL description="Intel(R) PMEM-CSI is a Container Storage Interface (CSI) driver for container orchestrators like Kubernetes. It makes local persistent memory (PMEM) available as a filesystem volume to container applications."
+
+# Update and install the minimal amount of additional packages that
+# are needed at runtime:
+# file - driver uses file utility to determine filesystem type
+# xfsprogs, e2fsprogs - formating filesystems
+# lvm2 - volume management
+# ndctl - pulls in the necessary library, useful by itself
+RUN dnf install -y file xfsprogs e2fsprogs lvm2 ndctl && \
+    mv /var/log/dnf.rpm.log /usr/local/share/package-install.log && \
+    rm -rf /var/cache /var/log/dnf*
+
+# Move required binaries and libraries to clean container.
+COPY --from=0 /usr/local/bin/pmem-* /usr/local/bin/ipmctl /usr/local/bin/
+COPY --from=0 /usr/local/lib64/libipmctl*.so.* /usr/local/lib64
+COPY --from=0 /usr/local/share/package-licenses /licenses
+COPY --from=0 /usr/local/share/package-sources /sources
+
+# /usr/local/lib is not in the default library search path.
+RUN for i in /usr/local/lib64/*.so.*; do ln -s $i /usr/lib64; done
+
+# Download source RPMs for those packages that were installed by us above.
+RUN echo "Extra packages installed as separate layer:" && grep Installed: /usr/local/share/package-install.log
+RUN set -xe && \
+    cd /sources && \
+    for package in $(grep Installed: /usr/local/share/package-install.log | sed -e 's/.*Installed: //' | sort -u); do \
+       base=${package%-*-*} && \
+       case $base in \
+           *) \
+               license=$(rpm -q --qf %{license} "$base") && \
+               case $license in \
+                   *MPL*|*GPL*) \
+                       echo "INFO: downloading source of $base because of the $license" && \
+                       dnf download --source $base \
+                       ;; \
+                   *) \
+                       echo "INFO: not shipping source of $base because not required by $license" \
+                       ;; \
+               esac \
+               ;; \
+       esac; \
+    done && \
+    rm -rf /var/cache /var/log/dnf*
+
+RUN ls -l /sources
+RUN du -h /sources
+
+# Don't rely on udevd, it isn't available (https://unix.stackexchange.com/questions/591724/how-to-add-a-block-to-udev-database-that-works-after-reboot).
+# Same with D-Bus.
+# Backup and archival of metadata inside the container is useless.
+RUN sed -i \
+        -e 's/udev_sync = 1/udev_sync = 0/' \
+        -e 's/udev_rules = 1/udev_rules = 0/' \
+        -e 's/obtain_device_list_from_udev = 1/obtain_device_list_from_udev = 0/' \
+        -e 's/multipath_component_detection = 1/multipath_component_detection = 0/' \
+        -e 's/md_component_detection = 1/md_component_detection = 0/' \
+        -e 's/notify_dbus = 1/notify_dbus = 0/' \
+        -e 's/backup = 1/backup = 0/' \
+        -e 's/archive = 1/archive = 0/' \
+        /etc/lvm/lvm.conf
+

Makefile

@@ -38,9 +38,9 @@ MAJOR_MINOR_VERSION:=$(shell echo $(MAJOR_MINOR_PATCH_VERSION) | sed -e 's/\([0-
 # case) and add local machine to no_proxy because some tests may use a
 # local Docker registry. Also exclude 0.0.0.0 because otherwise Go
 # tests using that address try to go through the proxy.
-HTTP_PROXY=$(shell echo "$${HTTP_PROXY:-$${http_proxy}}")
-HTTPS_PROXY=$(shell echo "$${HTTPS_PROXY:-$${https_proxy}}")
-NO_PROXY=$(shell echo "$${NO_PROXY:-$${no_proxy}},$$(ip addr | grep inet6 | grep /64 | sed -e 's;.*inet6 \(.*\)/64 .*;\1;' | tr '\n' ','; ip addr | grep -w inet | grep -e '/\(24\|16\|8\)' | sed -e 's;.*inet \(.*\)/\(24\|16\|8\) .*;\1;' | tr '\n' ',')",0.0.0.0)
+HTTP_PROXY:=$(shell echo "$${HTTP_PROXY:-$${http_proxy}}")
+HTTPS_PROXY:=$(shell echo "$${HTTPS_PROXY:-$${https_proxy}}")
+NO_PROXY:=$(shell echo "$${NO_PROXY:-$${no_proxy}},$$(if command -v ip &>/dev/null; then ip addr | grep inet6 | grep /64 | sed -e 's;.*inet6 \(.*\)/64 .*;\1;' | tr '\n' ','; ip addr | grep -w inet | grep -e '/\(24\|16\|8\)' | sed -e 's;.*inet \(.*\)/\(24\|16\|8\) .*;\1;' | tr '\n' ','; fi)",0.0.0.0)
 export HTTP_PROXY HTTPS_PROXY NO_PROXY
 
 REGISTRY_NAME?=$(shell . test/test-config.sh && echo $${TEST_BUILD_PMEM_REGISTRY})

README.md

@@ -30,7 +30,7 @@ versions:
 
 | Kubernetes version | Required alpha feature gates   | Support status
 |--------------------|--------------------------------|----------------
-| 1.13               | CSINodeInfo, CSIDriverRegistry,<br>CSIBlockVolume</br>| unsupported <sup>1</sup>
+| 1.13               | CSINodeInfo, CSIDriverRegistry, CSIBlockVolume | unsupported <sup>1</sup>
 | 1.14               |                                | unsupported <sup>2</sup>
 | 1.15               | CSIInlineVolume                | unsupported <sup>3</sup>
 | 1.16               |                                | unsupported <sup>4</sup>

conf.json

@@ -19,11 +19,15 @@
         "sphinx_md",
         "sphinx_copybutton"
     ],
+    "linkcheck_ignore": [
+        ".*cloudnative-k8sci.southcentralus.cloudapp.azure.com.*"
+    ],
     "linkcheck_anchors_ignore": [
         "^!",
         "^L[0-9]+-L[0-9]+$",
         "^discussion_r[0-9]+$"
     ],
+    "tls_verify": false,
     "copybutton_prompt_text": "$ ",
     "html_theme": "sphinx_rtd_theme",
     "project": "PMEM-CSI",

deploy/crd/pmem-csi.intel.com_pmemcsideployments.yaml

@@ -55,6 +55,12 @@ spec:
           spec:
             description: DeploymentSpec defines the desired state of Deployment
             properties:
+              controllReplicas:
+                description: ControllerReplicas determines how many copys of the controller
+                  Pod run concurrently. Zero (= unset) selects the builtin default,
+                  which is currently 1.
+                minimum: 0
+                type: integer
               controllerDriverResources:
                 description: ControllerDriverResources Compute resources required
                   by central driver container
@@ -86,7 +92,9 @@ spec:
                 description: ControllerTLSSecret is the name of a secret which contains
                   ca.crt, tls.crt and tls.key data for the scheduler extender and
                   pod mutation webhook. A controller is started if (and only if) this
-                  secret is specified.
+                  secret is specified. The special string "-openshift-" enables the
+                  usage of https://docs.openshift.com/container-platform/4.6/security/certificates/service-serving-certificate.html
+                  to create certificates.
                 type: string
               deviceMode:
                 description: DeviceMode to use to manage PMEM devices.

deploy/kubernetes-1.19/direct/pmem-csi.yaml

@@ -325,24 +325,8 @@ subjects:
   name: pmem-csi-intel-com-webhooks
   namespace: pmem-csi
 ---
-apiVersion: v1
-kind: Service
-metadata:
-  labels:
-    pmem-csi.intel.com/deployment: direct-production
-  name: pmem-csi-intel-com-controller
-  namespace: pmem-csi
-spec:
-  ports:
-  - port: 10000
-    targetPort: 10000
-  selector:
-    app.kubernetes.io/instance: pmem-csi.intel.com
-    app.kubernetes.io/name: pmem-csi-controller
-    pmem-csi.intel.com/deployment: direct-production
----
 apiVersion: apps/v1
-kind: StatefulSet
+kind: Deployment
 metadata:
   labels:
     app.kubernetes.io/component: controller
@@ -359,7 +343,6 @@ spec:
       app.kubernetes.io/instance: pmem-csi.intel.com
       app.kubernetes.io/name: pmem-csi-controller
       pmem-csi.intel.com/deployment: direct-production
-  serviceName: pmem-csi-intel-com-controller
   template:
     metadata:
       annotations:
@@ -380,7 +363,7 @@ spec:
         - -mode=webhooks
         - -drivername=$(PMEM_CSI_DRIVER_NAME)
         - -nodeSelector={"storage":"pmem"}
-        - -caFile=/certs/ca.crt
+        - -caFile=
         - -certFile=/certs/tls.crt
         - -keyFile=/certs/tls.key
         - -schedulerListen=:8000