Add fscrypt kernel options #14783

Merged
merged 2 commits into from
Aug 25, 2022


Contributor

@irq0 irq0 commented Aug 12, 2022

Enables filesystem encryption support in the minikube kernel. Allows
users to use file level encryption on ext4.

Signed-off-by: Marcel Lauhoff <marcel.lauhoff@suse.com>

@k8s-ci-robot k8s-ci-robot added cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. labels Aug 12, 2022
@k8s-ci-robot
Contributor

Hi @irq0. Thanks for your PR.

I'm waiting for a kubernetes member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@k8s-ci-robot k8s-ci-robot added the size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. label Aug 12, 2022
@minikube-bot
Collaborator

Can one of the admins verify this patch?

@nixpanic
Contributor

I don't think my review counts for much, but this looks good to me.

/lgtm

@k8s-ci-robot
Contributor

@nixpanic: changing LGTM is restricted to collaborators

In response to this:

I don't think my review counts for much, but this looks good to me.

/lgtm


@irq0
Contributor Author

irq0 commented Aug 23, 2022

Enabling fscrypt is unlikely to interfere with anything, as a user has to take extra steps to use it.

The current minikube kernel only has support for one of the fscrypt-enabled file systems, ext4 [0]. To use fscrypt on ext4, a filesystem must have the non-default 'encrypt' feature enabled.

So, there is no "stumbling" into this feature.

Why have it in minikube then? Minikube is used as a base for CI testing in many projects, and it is especially useful when testing storage-related projects like container storage interface (CSI) drivers.

Being able to test a CSI driver that uses fscrypt on minikube would be just awesome. The first project that would benefit is Ceph CSI, where fscrypt on ext4 on Rados Block Devices (RBD) is currently on the way [1] and the CI uses minikube.

[0] https://github.com/google/fscrypt#runtime-dependencies
[1] ceph/ceph-csi#3310
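
Added example, not part of the PR or of the comment above: a shell check for the two prerequisites that comment names, fscrypt support in the kernel and the non-default `encrypt` feature on the ext4 filesystem. The sample inputs and the function names are constructed for illustration; `CONFIG_FS_ENCRYPTION` is the upstream kernel symbol, and that this PR sets it is an assumption because the diff is not shown on this page.

```shell
#!/bin/sh
# Added example: the two prerequisites for fscrypt on ext4, checked offline
# against constructed sample text (not captured from a real minikube ISO).

# Constructed kernel config excerpt. CONFIG_FS_ENCRYPTION is the upstream
# symbol; that this PR sets it is an assumption (the diff is not on the page).
SAMPLE_KCONFIG='CONFIG_EXT4_FS=y
# CONFIG_F2FS_FS is not set
CONFIG_FS_ENCRYPTION=y'

# Constructed `tune2fs -l` excerpts: a filesystem without the feature, and
# the same filesystem after the non-default "encrypt" feature was turned on.
SAMPLE_FS_DEFAULT='Filesystem volume name:   <none>
Filesystem features:      has_journal ext_attr dir_index filetype extent 64bit
Block size:               4096'
SAMPLE_FS_ENCRYPT='Filesystem volume name:   <none>
Filesystem features:      has_journal ext_attr dir_index filetype extent 64bit encrypt
Block size:               4096'

# Succeeds if the kernel config text on stdin enables fscrypt (=y or =m).
# A "# CONFIG_FS_ENCRYPTION is not set" line does not match.
kernel_has_fscrypt() {
    grep -Eq '^CONFIG_FS_ENCRYPTION=[ym]$'
}

# Succeeds if the `tune2fs -l` output on stdin lists "encrypt" as a whole
# word in its feature list.
ext4_has_encrypt() {
    awk -F: '/^Filesystem features:/ {
                 n = split($2, f, " ")
                 for (i = 1; i <= n; i++) if (f[i] == "encrypt") found = 1
             }
             END { exit !found }'
}

# fscrypt_status KCONFIG_TEXT TUNE2FS_TEXT
# Prints one of: kernel-missing, feature-missing, ready
fscrypt_status() {
    if ! printf '%s\n' "$1" | kernel_has_fscrypt; then
        echo "kernel-missing"
    elif ! printf '%s\n' "$2" | ext4_has_encrypt; then
        echo "feature-missing"
    else
        echo "ready"
    fi
}

fscrypt_status "$SAMPLE_KCONFIG" "$SAMPLE_FS_DEFAULT"
fscrypt_status "$SAMPLE_KCONFIG" "$SAMPLE_FS_ENCRYPT"
```

On a live node the same functions can read `zcat /proc/config.gz` (present only when the kernel exposes its config there) and `tune2fs -l` run against the block device in question.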

@reylejano
Member

/ok-to-test

@k8s-ci-robot k8s-ci-robot added ok-to-test Indicates a non-member PR verified by an org member that is safe to test. and removed needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. labels Aug 24, 2022
@reylejano
Member

/lgtm

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Aug 24, 2022
@reylejano
Member

/assign @prezha

@spowelljr
Member

ok-to-build-iso

@minikube-bot
Collaborator

Hi @irq0, we have updated your PR with the reference to newly built ISO. Pull the changes locally if you want to test with them or update your PR further.

@k8s-ci-robot k8s-ci-robot added size/S Denotes a PR that changes 10-29 lines, ignoring generated files. and removed lgtm "Looks good to me", indicates that a PR is ready to be merged. size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. labels Aug 25, 2022
@reylejano
Member

re-applying lgtm
/lgtm

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Aug 25, 2022
@spowelljr
Member

/ok-to-test

@minikube-pr-bot

kvm2 driver with docker runtime

+----------------+----------+---------------------+
|    COMMAND     | MINIKUBE | MINIKUBE (PR 14783) |
+----------------+----------+---------------------+
| minikube start | 56.2s    | 56.9s               |
| enable ingress | 27.8s    | 27.7s               |
+----------------+----------+---------------------+

Times for minikube start: 56.6s 56.3s 56.5s 57.0s 54.7s
Times for minikube (PR 14783) start: 56.3s 56.9s 56.5s 57.5s 57.1s

Times for minikube ingress: 26.6s 28.6s 29.1s 28.7s 26.1s
Times for minikube (PR 14783) ingress: 25.7s 26.1s 29.1s 29.1s 28.6s

docker driver with docker runtime

+----------------+----------+---------------------+
|    COMMAND     | MINIKUBE | MINIKUBE (PR 14783) |
+----------------+----------+---------------------+
| minikube start | 28.3s    | 28.6s               |
| enable ingress | 35.6s    | 23.0s               |
+----------------+----------+---------------------+

Times for minikube start: 27.5s 27.6s 28.9s 28.8s 28.6s
Times for minikube (PR 14783) start: 28.2s 28.7s 29.2s 27.8s 29.1s

Times for minikube ingress: 83.5s 23.5s 22.0s 22.0s 27.0s
Times for minikube (PR 14783) ingress: 22.5s 22.4s 23.5s 24.5s 22.0s

docker driver with containerd runtime

+----------------+----------+---------------------+
|    COMMAND     | MINIKUBE | MINIKUBE (PR 14783) |
+----------------+----------+---------------------+
| minikube start | 24.0s    | 24.0s               |
| enable ingress | 27.4s    | 27.0s               |
+----------------+----------+---------------------+

Times for minikube start: 24.4s 24.1s 24.1s 24.6s 22.8s
Times for minikube (PR 14783) start: 23.8s 24.5s 23.9s 23.8s 23.9s

Times for minikube (PR 14783) ingress: 27.0s 27.0s 26.5s 27.5s 27.0s
Times for minikube ingress: 27.5s 27.4s 27.5s 27.0s 27.5s

@minikube-pr-bot

These are the flake rates of all failed tests.

Environment | Failed Tests | Flake Rate (%)
Docker_Cloud_Shell | TestStartStop/group/cloud-shell/serial/AddonExistsAfterStop | 11.59
Docker_Cloud_Shell | TestStartStop/group/cloud-shell/serial/EnableAddonAfterStop | 12.12
Docker_Cloud_Shell | TestStartStop/group/cloud-shell/serial/SecondStart | 12.12
Docker_Cloud_Shell | TestStartStop/group/cloud-shell/serial/Stop | 12.12
Docker_Cloud_Shell | TestStartStop/group/cloud-shell/serial/UserAppExistsAfterStop | 12.12
KVM_Linux | TestPause/serial/SecondStartNoReconfiguration | 28.14
Hyper-V_Windows | TestPause/serial/SecondStartNoReconfiguration | 49.30
KVM_Linux | TestMultiNode/serial/RestartMultiNode | 55.09
Docker_Windows | TestStartStop/group/newest-cni/serial/Pause | 72.61
Docker_Linux_containerd | TestNetworkPlugins/group/calico/Start | 74.80
Docker_Linux_containerd | TestNetworkPlugins/group/enable-default-cni/DNS | 76.15
Docker_Linux_containerd | TestNetworkPlugins/group/bridge/DNS | 81.62
Docker_Windows | TestNetworkPlugins/group/calico/Start | 95.54
Hyper-V_Windows | TestNoKubernetes/serial/StartWithStopK8s | 97.98
Docker_macOS | TestDownloadOnly/v1.16.0/preload-exists | 99.35
Docker_Linux_containerd | TestKubernetesUpgrade | 100.00
Docker_macOS | TestIngressAddonLegacy/serial/ValidateIngressAddonActivation | 100.00
Docker_macOS | TestIngressAddonLegacy/serial/ValidateIngressAddons | 100.00
Docker_macOS | TestIngressAddonLegacy/serial/ValidateIngressDNSAddonActivation | 100.00
Docker_macOS | TestIngressAddonLegacy/StartLegacyK8sCluster | 100.00
Docker_macOS | TestKubernetesUpgrade | 100.00
Docker_macOS | TestMissingContainerUpgrade | 100.00
Docker_macOS | TestNetworkPlugins/group/kubenet/HairPin | 100.00
Docker_macOS | TestPause/serial/VerifyStatus | 100.00
Docker_macOS | TestPreload | 100.00
Docker_macOS | TestRunningBinaryUpgrade | 100.00
Docker_macOS | TestStartStop/group/default-k8s-different-port/serial/Pause | 100.00
Docker_macOS | TestStartStop/group/embed-certs/serial/Pause | 100.00
Docker_macOS | TestStartStop/group/newest-cni/serial/Pause | 100.00
Docker_macOS | TestStartStop/group/no-preload/serial/Pause | 100.00
More tests... Continued...

Too many tests failed - See test logs for more details.

To see the flake rates of all tests by environment, click here.

Member

@spowelljr spowelljr left a comment


Thanks for the PR!

@spowelljr spowelljr merged commit 8d34afd into kubernetes:master Aug 25, 2022
@k8s-ci-robot
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: irq0, nixpanic, reylejano, spowelljr

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Aug 25, 2022
@irq0 irq0 deleted the linux-defconfig-add-fscrypt branch August 26, 2022 08:34
nixpanic added a commit to nixpanic/ceph-csi that referenced this pull request Sep 21, 2022
The fscrypt kernel module has been enabled, yay!

See-also: kubernetes/minikube#14783
Updates: ceph#3310
Signed-off-by: Niels de Vos <ndevos@redhat.com>
Madhu-1 pushed a commit to nixpanic/ceph-csi that referenced this pull request Sep 23, 2022
The fscrypt kernel module has been enabled, yay!

See-also: kubernetes/minikube#14783
Updates: ceph#3310
Signed-off-by: Niels de Vos <ndevos@redhat.com>
mergify bot pushed a commit to ceph/ceph-csi that referenced this pull request Sep 23, 2022
The fscrypt kernel module has been enabled, yay!

See-also: kubernetes/minikube#14783
Updates: #3310
Signed-off-by: Niels de Vos <ndevos@redhat.com>
openshift-cherrypick-robot pushed a commit to openshift-cherrypick-robot/ceph-csi that referenced this pull request Sep 29, 2022
The fscrypt kernel module has been enabled, yay!

See-also: kubernetes/minikube#14783
Updates: ceph#3310
Signed-off-by: Niels de Vos <ndevos@redhat.com>
Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. lgtm "Looks good to me", indicates that a PR is ready to be merged. ok-to-test Indicates a non-member PR verified by an org member that is safe to test. size/S Denotes a PR that changes 10-29 lines, ignoring generated files.