[11.0-stable] Update github workflows: perform login on docker, self-hosted runners and linuxkit update #5043

Draft
wants to merge 3 commits into
base: 11.0-stable
from

rene
Contributor

@rene rene commented Jul 2, 2025

Description

This PR brings several new features and changes from the current workflows to the 11.0-stable branch:

  • Provide Docker login action on the build workflows.
  • Switch to Zededa's self hosted runners
  • Update linuxkit to version 1.7.0
  • Port Makefile changes to support linuxkit 1.7.0

How to test and validate this PR

Run GH workflows.

Changelog notes

None.

Checklist

  • I've provided a proper description
  • I've added the proper documentation
  • I've tested my PR on amd64 device
  • I've tested my PR on arm64 device
  • I've written the test verification instructions
  • I've set the proper labels to this PR
  • I've checked the boxes above, or I've provided a good reason why I didn't
    check them.

@rene rene requested a review from eriknordmark as a code owner July 2, 2025 12:44
@rene rene marked this pull request as draft July 2, 2025 12:47
@rene rene force-pushed the add-dockerlogin-11.0 branch 3 times, most recently from 37c449c to bffc2ee Compare July 2, 2025 13:52
@OhmSpectator
Member

A new LinuxKit should implement part of it... I prefer to get 1.7.0 working (or 1.8.0?). Previous fixes were more workarounds.

@rene rene force-pushed the add-dockerlogin-11.0 branch 4 times, most recently from 76c99c9 to 516f3be Compare July 2, 2025 18:51
@rene rene marked this pull request as ready for review July 2, 2025 19:15
@rene
Contributor Author

rene commented Jul 2, 2025

rucoder and others added 3 commits July 3, 2025 12:20
This commit ports (adapted) the following commits:

Upgrade Linuxkit to 1.7.0

This version has many important fixes
1. Import of Docker credentials
2. --builder-config can pass a buildkitd.toml to a builder container

So we do not need an ensure-builder target anymore. It was very useful
for debugging Docker login / mirror related issues but I hope it is gone
for good.

Signed-off-by: Mikhail Malyshev <[email protected]>

Create linuxkit-builder manually to support parallel build

Linuxkit tries to create docker builder container if it doesn't exist.
It works fine for -j 1 but fails for parallel build. LK tries to create or update the
builder concurrently and fails. To avoid a race we create builder manually

- the builder name is hard-coded and is linuxkit-builder
- override context name for `linuxkit pkg build` so it doesn't try
to create a builder by itself
- ensure-builder target checks if the container exists and is of the required version
- docker prune operation cannot be executed concurrently, use flock to handle that
this is especially important for CI build with PRUNE=1 set

Signed-off-by: Mikhail Malyshev <[email protected]>

Fix 'unauthenticated pull rate limit reached' problem

- action/docker-login stores credential in ~/.docker/config.json. In theory this file should be mounted
into linuxkit-builder container but I did not know about it. Due to that fact buildkit was running unauthenticated
- upgrade to linuxkit 1.6.5 that has fixes for a race in builder creation and cache access
- mount /etc/buildkit/buildkitd.toml that MAY define a mirror to speedup the build. LK doesn't do it
otherwise we could remove the whole block for manual creation of buildkit runner

Signed-off-by: Mikhail Malyshev <[email protected]>

Makefile: Bump linuxkit to version 1.5.3

Bump linuxkit to version 1.5.3 in order to get a new feature that supports
--tag in build.yml. This version also introduces some changes that
require some adjustments in the Makefile:

1. Introduces different verbose levels (this commit sets to level 2 to keep
   the same amount of information provided by the current version)
2. Remove --arch parameter from cache command (in favor of a --platform
   docker style parameter)

Signed-off-by: Renê de Souza Pinto <[email protected]>

Signed-off-by: Renê de Souza Pinto <[email protected]>
Provide docker login for build.yml workflow.

Signed-off-by: Renê de Souza Pinto <[email protected]>
Switch to Zededa's self hosted runners on build and publish workflows.

Signed-off-by: Renê de Souza Pinto <[email protected]>
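
The ported commit message above notes that the login action stores credentials in ~/.docker/config.json and that buildkit ran unauthenticated when that file did not reach the builder. A preflight check for that condition, as an added example (not code from this PR or from linuxkit): the function name, the sample files and the `ci-bot` account are constructed, and it assumes the standard Docker CLI config layout (`auths`, `credsStore`, `credHelpers`).

```python
import base64
import json

# Registry keys under which Docker Hub credentials appear in config.json.
HUB_KEYS = ("https://index.docker.io/v1/", "index.docker.io", "docker.io")


def hub_credential_state(config_text):
    """Return (state, username); state is 'inline', 'helper' or 'none'."""
    try:
        cfg = json.loads(config_text)
    except json.JSONDecodeError:
        return ("none", None)
    if not isinstance(cfg, dict):
        return ("none", None)
    auths = cfg.get("auths")
    if not isinstance(auths, dict):
        auths = {}
    for key in HUB_KEYS:
        entry = auths.get(key)
        if not (isinstance(entry, dict) and entry.get("auth")):
            continue
        try:
            decoded = base64.b64decode(entry["auth"], validate=True).decode()
        except (ValueError, UnicodeDecodeError):
            continue  # malformed entry: treat it as absent
        user, sep, secret = decoded.partition(":")
        if sep and user and secret:
            return ("inline", user)  # never return or log the secret itself
    helpers = cfg.get("credHelpers")
    has_helper = isinstance(helpers, dict) and any(k in helpers for k in HUB_KEYS)
    if cfg.get("credsStore") or has_helper:
        # The secret lives in an external helper; this file holds no secret,
        # so mounting it alone gives a builder container nothing to use.
        return ("helper", None)
    return ("none", None)


# Constructed sample files (no real credentials).
_TOKEN = base64.b64encode(b"ci-bot:not-a-real-token").decode()
LOGGED_IN = json.dumps({"auths": {HUB_KEYS[0]: {"auth": _TOKEN}}})
HELPER_ONLY = json.dumps({"auths": {HUB_KEYS[0]: {}}, "credsStore": "desktop"})
LOGGED_OUT = json.dumps({"auths": {}})

if __name__ == "__main__":
    for name, text in [("logged in", LOGGED_IN), ("helper", HELPER_ONLY),
                       ("logged out", LOGGED_OUT), ("corrupt", "{not json")]:
        state, user = hub_credential_state(text)
        print(f"{name:10} -> {state} (user={user})")
```

Failing the build when the state is not `inline` surfaces a missing login before the first pull instead of as a 429 partway through.
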
@rene rene force-pushed the add-dockerlogin-11.0 branch from 516f3be to 6c0b2c9 Compare July 3, 2025 10:21
Member

@OhmSpectator OhmSpectator left a comment

Error: Username and password required

@@ -18,11 +18,11 @@ jobs:
fail-fast: false
matrix:
include:
- os: buildjet-4vcpu-ubuntu-2204-arm
- os: zededa-ubuntu-2204
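
Review bot: In the `include:` entry, the `-arm` suffix of `buildjet-4vcpu-ubuntu-2204-arm` has no counterpart in `zededa-ubuntu-2204`, so the label no longer says which architecture the job lands on. If this entry is the arm64 leg, use a label that names the architecture or add an explicit architecture key to the entry, so the job cannot be scheduled on an amd64 machine unnoticed. Since the new label refers to the self-hosted runners named in the PR description, it is also worth stating whether those machines are reset between jobs if this workflow runs on pull requests.
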
Member

I think it was the reason why I had zero problems building and publishing for 11:
We did not hit any 429 error on that branch because we use virtual runners there. Our runners all share the same IP.
FYI, @rene, @rucoder, @uncleDecart

Member

On the other hand, I see that Eden tests are starting to experience the same issue, and they run on virtual runners. And they have nothing to do with parallel build as well. I really think it's some new changes on Dockerhub. The policy officially changed on April 1st, but we are now starting to see the consequences.

Contributor Author

https://www.docker.com/blog/revisiting-docker-hub-policies-prioritizing-developer-experience/
Do we have updated information? In this link it says:

We did not enforce the Docker Hub rate limit changes previously scheduled for April 1, 2025. The current limits—100 pulls per 6 hours for unauthenticated users and 200 pulls per 6 hours for Docker Personal users—will remain in place as we continue to evaluate developer feedback and identify appropriate long-term limits.

We will announce any future enforcement at least 6 months in advance.

But they might have changed their minds... or they are doing some tests...

Btw, it also says:

Unlimited Pull rates for Paid Users (As Announced Earlier) – Starting April 1, 2025, all paid Docker subscribers will have unlimited image pulls (with fair use limits) to ensure a seamless experience.

For us the pull rate limits shouldn't be a problem at all by doing login....

@rene
Contributor Author

rene commented Jul 3, 2025

@OhmSpectator
Member

Just a note: The issue with accessing secrets in the workflow file arises because it uses the pull_request trigger. In this scenario, the workflow cannot access secrets. To enable access to these secrets, the trigger should be changed to pull_request_target.
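
The trigger behaviour discussed in the comment above can be checked mechanically. This added example (not code from this PR or the project) scans workflow text for the two cases that matter once a Docker login step is introduced: a `pull_request` workflow, whose secrets are empty on fork PRs, and a `pull_request_target` workflow, which does receive secrets and therefore must not check out the PR head. The workflow texts, secret names and function names are constructed.

```python
import re

# Heuristic text patterns; a YAML parser would be stricter.
HEAD_CHECKOUT = re.compile(
    r"ref\s*:\s*\$\{\{\s*github\.(?:event\.pull_request\.head\.(?:sha|ref)|head_ref)\b")
SECRET_REF = re.compile(r"\$\{\{\s*secrets\.(\w+)")


def has_trigger(body, name):
    """True if `name` is a key under `on:` or listed in an inline `on:` value."""
    pat = r"(?m)^\s*(?:on[ \t]*:[ \t]*\[?[\w \t,]*)?\b%s\b[ \t]*(?::|,|\]|$)" % name
    return re.search(pat, body) is not None


def audit_workflow(text):
    """Return findings about secret exposure for PR-triggered workflows."""
    body = re.sub(r"(?m)(^|\s)#.*$", "", text)  # drop YAML comments
    secrets = sorted(set(SECRET_REF.findall(body)))
    findings = []
    if has_trigger(body, "pull_request_target") and HEAD_CHECKOUT.search(body):
        findings.append("HIGH: pull_request_target job checks out the PR head, "
                        "so untrusted code runs with repository secrets")
    if has_trigger(body, "pull_request") and secrets:
        findings.append("WARN: fork PRs receive empty secrets; guard steps using "
                        + ", ".join(secrets))
    return findings


# Constructed workflow texts (secret names are placeholders).
FORK_PR = """\
on:
  pull_request:
    branches: ["11.0-stable"]
jobs:
  build:
    runs-on: ${{ matrix.os }}
    steps:
      - uses: actions/checkout@v4
      - uses: docker/login-action@v3
        with:
          username: ${{ secrets.DOCKERHUB_USER }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}
"""
RISKY = FORK_PR.replace("pull_request:", "pull_request_target:").replace(
    "checkout@v4", "checkout@v4\n        with:\n          "
    "ref: ${{ github.event.pull_request.head.sha }}")

if __name__ == "__main__":
    for label, wf in (("pull_request", FORK_PR), ("pull_request_target", RISKY)):
        print(label, audit_workflow(wf))
```
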

@rene rene changed the title [11.0-stable] Perform login on docker [11.0-stable] Update github workflows: perform login on docker, self-hosted runners and linuxkit update Jul 3, 2025
@OhmSpectator OhmSpectator added the side-quest A worthy adventure, but not essential for victory. Tackle when the main quest is safe! label Jul 7, 2025
@europaul
Contributor

Is this PR stalled because we still see 429's on the zededa runners? Or can we proceed?

@rene rene marked this pull request as draft August 12, 2025 09:32
@rene
Contributor Author

rene commented Aug 12, 2025

Is this PR stalled because we still see 429's on the zededa runners? Or can we proceed?

We've got more updates on the workflows @europaul, I will need to rebase this PR, so just moved to Draft for now....
