anax icon indicating copy to clipboard operation
anax copied to clipboard

Published 20 hours ago verified publisher icon open-horizon

Clarify deploycheck message when allowPrivileged is missing

Open dabooz opened this issue 5 years ago • 12 comments

When deploycheck discovers that a node and deployment policy are not compatible, it would be helpful to add clarification to the incompatibility message when the allowPrivileged constraint has been implicitly applied to the compatibility calculation. This happens when a service deployment config requests use of a privileged feature. If the message could indicate that the missing requirement was implicitly generated, it would help, for example: Existing message: "reason": { "IBM/ibm.gps_2.0.9_arm": "Policy Incompatible: Compatibility Error: Node properties do not satisfy constraint requirements. The required properties openhorizon.allowPrivileged=true were not found in the available properties version=1.0.0, ram=926, cpus=4, arch=arm, owner=varatep, batch=1, openhorizon.hardwareId=00000000bde46796, openhorizon.cpu=4, openhorizon.arch=arm, openhorizon.memory=926, openhorizon.allowPrivileged=false" } A better message would be something like: "reason": { "IBM/ibm.gps_2.0.9_arm": "Policy Incompatible: Compatibility Error: Node properties do not satisfy constraint requirements. The required property openhorizon.allowPrivileged=true was implicitly added because the service requires privileged container function. The required properties openhorizon.allowPrivileged=true were not found in the available properties version=1.0.0, ram=926, cpus=4, arch=arm, owner=varatep, batch=1, openhorizon.hardwareId=00000000bde46796, openhorizon.cpu=4, openhorizon.arch=arm, openhorizon.memory=926, openhorizon.allowPrivileged=false" }

dabooz avatar Mar 06 '20 13:03 dabooz

Hi how can I assign this issue to me? (this is my first time contributing to opensource)

Brun0fl avatar Apr 08 '20 22:04 Brun0fl

@Brun0fl sorry, I did not see this until now. Yes, please assign it to yourself.

linggao avatar Jun 04 '20 12:06 linggao

@linggao It seems I can not assign it to myself. What permissions should I apply for? Thanks much.

xiuleiyy avatar Jul 07 '20 14:07 xiuleiyy

@Brun0fl and @acostry, once you comment on an issue, we can assign it to you. Bruno, let me know if you aren't able to get to this issue, and I can alternatively assign it to Xiulei Zhu instead.

joewxboy avatar Jul 07 '20 18:07 joewxboy

@joewxboy I can do it, just figuring out the process. Thanks

pyrobit avatar Jul 07 '20 19:07 pyrobit

Thanks. I'm not sure if the commit process will require a signoff, but please try to do so. The Technical Charter at section 7.b.ii states:

All new inbound code contributions must also be accompanied by a Developer Certificate of Origin (http://developercertificate.org) sign-off in the source code system that is submitted through a TSC-approved contribution process which will bind the authorized contributor and, if not self-employed, their employer to the applicable license;

We're still trying to determine if that process is enforced.

joewxboy avatar Jul 07 '20 19:07 joewxboy

Using git commit -s should be an automated way to do so:

The -s option used for both alternatives causes a committer signed-off-by line to be appended to the end of the commit message body. It certifies that committer has the rights to submit this work under the same license and agrees to our Developer Certificate of Origin

joewxboy avatar Jul 07 '20 19:07 joewxboy

Is this issue still active? If yes can I take it up?

sudo-panda avatar Feb 07 '21 20:02 sudo-panda

Folks please feel free to re-assign this problem to @acostry, a lot of things happened in since our last contact and right now I am not feeling confident enough to contribute on this project. Att., Bruno Fonseca De Lima E-mail: [email protected] IS - Cloud Infrastructure +55-51-995117649 ITIL V3 Lean Six Sigma Black Belt trained
Let's have conversations that count
            ----- Original message -----From: Baidyanath Kundu [email protected]To: open-horizon/anax [email protected]Cc: Bruno de Lima [email protected], Mention [email protected]Subject: [EXTERNAL] Re: [open-horizon/anax] Clarify deploycheck message when allowPrivileged is missing (#1575)Date: Sun, Feb 7, 2021 5:17 PM    Is this issue still active? If yes can I take it up? —You are receiving this because you were mentioned.Reply to this email directly, view it on GitHub, or unsubscribe.  

Brun0fl avatar Feb 08 '21 13:02 Brun0fl

@joewxboy ^^

linggao avatar Feb 08 '21 14:02 linggao

@sudo-panda Please go ahead. Reach out to @dabooz with any technical questions.

joewxboy avatar Feb 08 '21 15:02 joewxboy

@dabooz Is it necessary to maintain the order of the message?

I ask this because the message, Compatibility Error: Node properties do not satisfy constraint requirements. is generated is in policy/policy_file.go while the implicit addition of openhorizon.allowPrivileged=true is added much before in the pipeline in compcheck/policy_check.go.

So unless there is a way to differentiate between implicitly added and explicitly added openhorizon.allowPrivileged=true I don't think we can add that to policy/policy_file.go and we need to add it to the error returned at line 259 of compcheck/policy_check.go.

Also I am tracing it by starting from PolicyCompatible function in deploycheck/policy.go

sudo-panda avatar Feb 08 '21 20:02 sudo-panda