Kong
make failing when building test image
Am using Pongo for the first time, trying to do a basic “pongo lint” test on some plugin code after installing it. However, I ran into an error when pongo.sh is trying to build the test Docker image, specifically when it tried to use apk:
Step 15/18 : RUN apk update && apk add zip unzip make g++ py-pip jq git bsd-compat-headers m4 openssl-dev curl wget python3-dev shadow && curl -k -s -S -L https://github.com/fullstorydev/grpcurl/releases/download/v1.7.0/grpcurl_1.7.0_linux_x86_64.tar.gz | tar xz -C /kong/bin && pip install httpie ; cd /kong && git config --global url.https://github.com/.insteadOf git://github.com/ && make dependencies && luarocks install busted-htest && luarocks install luacov
---> Running in 68896cd57602
fetch https://dl-cdn.alpinelinux.org/alpine/v3.16/main/x86_64/APKINDEX.tar.gz
140548989598536:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:ssl/statem/statem_clnt.c:1919:
ERROR: https://dl-cdn.alpinelinux.org/alpine/v3.16/main: Permission denied
WARNING: Ignoring https://dl-cdn.alpinelinux.org/alpine/v3.16/main: No such file or directory
I figured that it was failing reaching the external repo because of self-signed certs on the corporate web proxy. So I modified the ./assets/Dockerfile to include the corporate intermediate and root CAs and ensure they were used by apk:
COPY assets/CAs.pem /root/trusted-certs.pem
RUN SSL_CERT_FILE=~/trusted-certs.pem apk update \
&& SSL_CERT_FILE=~/trusted-certs.pem apk add zip unzip ...
That got me past the errors above, and it looks like all the packages are successfully installed/updated. However when it gets to the make command:
starting make in kong
make: /bin/sh: Operation not permitted
make: uname: Operation not permitted
make: dirname: Operation not permitted
make: /bin/sh: Operation not permitted
make: /bin/sh: Operation not permitted
make: *** [Makefile:118: dependencies] Error 127
Is this related to the same issue apk was having (being able to pull something externally), or is it likely something else?
OS: macOS 12.6 Docker: version 20.10.18, build b40c2f6b5d
I would add that I've been doing a fair bit of Googling for the error messages, and it seems this issue was common when Alpine 3.14 was released. Some of the threads talked about an upgrade to Docker 20.10.x as a fix, but given the base Kong image being pulled by pongo.sh is Alpine 3.16.2, that would seem to indicate this is different.
That was my first thought as well, but indeed doesn't seem the case.
What is the Kong version you're testing? (building the image for)
I'm trying to test Kong 3.0.0, which I think would be this folder in the Pongo repo.
And the way I verified the Alpine version was to just spin up the image that Pongo had pulled and check it:
$ docker run --rm -it kong /bin/sh
/ $ cat /etc/alpine-release
3.16.2
/ $ kong version
3.0.0
unsatifactory, but maybe working asnwer; can you try the branch pongo2 ?
we'll be releasing it in the next week(s) and it will change the base image to Ubuntu
unsatifactory, but maybe working asnwer; can you try the branch
pongo2?we'll be releasing it in the next week(s) and it will change the base image to Ubuntu
I replaced my local copy with the pongo2 branch, cleaned up any remaining images locally, and tried KONG_VERSION=3.0.0 pongo lint again. It pulled the image "kong:latest" (which is actually another question, that defining the KONG_VERSION env var doesn't seem to make any difference as it always pulls the 'latest' tag). However, the docker build step failed:
Step 16/23 : RUN apt update && apt install -y zip make jq m4 curl build-essential wget git libssl-dev zlib1g-dev
---> Running in 89ccdc37df9f
/bin/sh: apt: not found
The command '/bin/sh -c apt update && apt install -y zip make jq m4 curl build-essential wget git libssl-dev zlib1g-dev' returned a non-zero code: 127
[pongo-ERROR] Error: failed to build test environment
I spun up a container with the image it pulled, and sure enough, it was the Alpine one again rather than Ubuntu:
$ docker run --rm -it kong /bin/sh
/ $ which apt
/ $ cat /etc/alpine-release
3.16.2
I didn't see in the README whether I needed to do something different.
if you drop all Kong images (check docker images | grep kong), then it should pull the ubuntu based ones if you use the Pongo 2 branch. I just updated the version number on that branch, so if you update, you can check with "pongo help" if you did use the proper version.
I thought I had pulled the pongo2 branch, but as a sanity check, I deleted my local copy and pulled it again, and confirmed that pongo help shows v2 and running it pulls an Ubuntu image for Kong.
The build is still failing but I think that's due to the problem I had before, where it is being blocked by the corporate proxy when trying to access external resources:
luacheck 0.26.1 not found, installing via luarocks...
Warning: Failed downloading. Attempting mirror at https://raw.githubusercontent.com/rocks-moonscript-org/moonrocks-mirror/master//luacheck-0.26.1-1.src.rock
Warning: Failed downloading. Attempting mirror at https://luafr.org/luarocks//luacheck-0.26.1-1.src.rock
Error: Could not fetch rock file: Error fetching file: Failed downloading https://luarocks.org/luacheck-0.26.1-1.src.rock -
I'll do what I did with the Alpine version (add our intermediate and root CAs to the process) and see if that gets around it. But perhaps something to consider for a future Pongo feature, to support including private CAs.
I'll do what I did with the Alpine version (add our intermediate and root CAs to the process) and see if that gets around it. But perhaps something to consider for a future Pongo feature, to support including private CAs.
I don't have an environment to test this. So if you could create a PR for that, that would be most welcome.
recently new changes were added, that will add the proxy env vars during the build and when running. ALso a new option "insecure" is available to the build. Which will disable cert verification, which could help getting around the proxy issues.