SCC: add {AllowedUnsafe,Forbidden}Sysctls

[stlaz]

This is a part of syncing with upstream which moved from {AllowedUnsafe,Forbidden}Sysctls annotations to their respective fields.

PTAL @php-coder @ingvagabund
CC @simo5

edit: openshift/origin#20151

[simo5]

Please add a link in the commit and PR description to the upstream PR if you can (helps reviewing as well as gives reference). Other than that..
/lgtm

[php-coder]

@openshift/api-review Should we modify the privileged SCC to allow all unsafe sysctls by default (like we did for allowedCapabilities: openshift/origin#12741)? In this case, we won't have a confusion when a cluster admin didn't have permissions for using usafe sysctls.

[liggitt]

that's what I would expect

[php-coder]

@stlaz Thank you!

/lgtm

[php-coder]

@stlaz 😉

[stlaz]

@php-coder oh you monster!
Regenerated on top of the current current repo.

[deads2k]

/hold

At this point the rebase is 6 tests from success and I think we've got all of them addressed (running CI now). When these are added into origin, you need to revert disable sysctl tests that don't support SCC. Needs to be reverted from openshift/origin#20033

[simo5]

@deads2k is it ok to get this one in now ?

[liggitt]

let's resolve the current 3 API changes not synced up in origin first (c.f. openshift/origin#19624 (comment))

[liggitt]

1.11.0 rebase is landed, origin is synced up

is the origin PR ready to go once this is merged?

/hold cancel

[stlaz]

Hopefully it should be. We'll only need a openshift/client-go update prior to that, right?

[liggitt]

To ensure the origin PR is ready to merge as soon as this is merged:

1. ensure this PR is based on latest openshift/api#master
2. In your openshift/origin PR:
   1. ensure it is based on latest openshift/origin#master
   2. add a TMP commit that points glide.yaml at your fork/branch:

      - package: github.com/openshift/api
        repo:    https://github.com/<your fork, e.g. "stlaz">/api.git
        version: <branch of this PR, e.g. "unsafe_sysctls">
      

   3. update your bump(*) commit to include the result of running hack/update-deps.sh, which will pull in these changes
3. make sure CI is green on your origin PR
4. get LGTM on your origin PR

We will then merge this PR, and you will do the following:

1. drop the TMP commit from your origin PR, pointing glide back at openshift/api#master
2. rerun hack/update-deps.sh and update your bump(*) commit
3. we'll then tag your origin PR for merge, and it can merge on green CI

[stlaz]

Many thanks for clarifying the proper way of doing this 🙂 I'll try to rebase the PRs now plus do the changes, although if something fails, I'll probably only be able to get back to them at the beginning of the next week.

[stlaz]

@liggitt When I follow your advice, a number (I'd say an unreasonable number) of dependencies get pulled at step 2, one of which corrupts the build, as seen in the origin PR. Am I doing something wrong?

[liggitt]

@liggitt When I follow your advice, a number (I'd say an unreasonable number) of dependencies get pulled at step 2, one of which corrupts the build, as seen in the origin PR. Am I doing something wrong?

I checked out your origin branch, and ran

glide cc
hack/update-deps.sh

it included far fewer dependency changes than were in your PR... I updated the bump(*) commit and pushed the results to https://github.com/liggitt/origin/commits/stlaz-sysctl_promotion if you want to take a look

what version of glide are you running?

[stlaz]

I tried doing the same (took a while), but the number of packages still seems to be the same. I'm running that in a clean repo (git clean -dfx), glide version is 0.13.1.

[stlaz]

After a rebase on the current origin master, I am even getting errors when running ./hack/update-deps.sh after glide cc:

[ERROR]	Error scanning github.com/openshift/origin/pkg/oc/admin/policy: cannot find package "." in:
	/home/slaznick/go/src/github.com/openshift/origin/pkg/oc/admin/policy
...
[ERROR]	Failed to retrieve a list of dependencies: Error resolving imports
[ERROR] PID 21310: hack/update-deps.sh:37: `glide update --strip-vendor` exited with status 1.

That's both on Fedora with the upstream glide, and on Arch with its distribution specific glide (0.13.1-2).

I have both origin and kubernetes repositories git clone $URL to GOPATH being set to /home/<me>/go, in $GOPATH/src/github.com/openshift/origin and $GOPATH/src/k8s.io/kubernetes/ respectively.

I am pretty sure I must have forgotten something very crucial, I have no idea what that could be, though.

[deads2k]

[ERROR] Error scanning github.com/openshift/origin/pkg/oc/admin/policy: cannot find package "." in:
/home/slaznick/go/src/github.com/openshift/origin/pkg/oc/admin/policy

That package doesn't exist. Try rebasing your pull on origin master and removing package refs that aren't present.

[simo5]

git clean -f -x -d -f
then try again

[stlaz]

Thanks. The actual workaround that helped me resolve my original issue with the great number of dependencies was to rm -rf $ORIGIN_GIT_ROOT/vendor/ and run ./hack/update-deps.sh afterwards (all credits for this go to Michal Fojtik). This did not work after the rebase, though.

Anyway, I fixed a wrong package reference in tools/testdebug/cmd/load_etcd.go, removed all of the vendor/ directory and finally got what I expected. Will update the origin PR once make update is done.

[stlaz]

@liggitt I believe the requirements from your post #60 (comment) were now met by getting the LGTM label at the origin PR.

[liggitt]

yes, thanks

/lgtm