Merge branch 'develop' into main
clemlesne committed Aug 26, 2023
2 parents 841ca9b + 538ca02 commit 35a81ed
Showing 8 changed files with 80 additions and 34 deletions.
32 changes: 16 additions & 16 deletions .github/workflows/pipeline.yaml
Expand Up @@ -71,15 +71,15 @@ jobs:
runs-on: ubuntu-22.04
steps:
- name: Checkout
uses: actions/checkout@v3.5.3
uses: actions/checkout@v3.6.0
with:
# We need all Git history for testing credentials
fetch-depth: 0
# Ensure all submodules up-to-date
submodules: recursive

- name: SAST - Credentials
uses: trufflesecurity/trufflehog@v3.47.0
uses: trufflesecurity/trufflehog@v3.53.0
with:
base: ${{ github.event.repository.default_branch }}
head: HEAD
Expand All @@ -94,7 +94,7 @@ jobs:
runs-on: ubuntu-22.04
steps:
- name: Checkout
uses: actions/checkout@v3.5.3
uses: actions/checkout@v3.6.0
with:
# We need all Git history for "version.sh"
fetch-depth: 0
Expand All @@ -114,7 +114,7 @@ jobs:

# Required for running "npx" CLI
- name: Setup Node
uses: actions/setup-node@v3.7.0
uses: actions/setup-node@v3.8.1
with:
node-version: ${{ env.NODE_VERSION }}

Expand Down Expand Up @@ -170,7 +170,7 @@ jobs:
snyk.sarif
- name: Upload results to GitHub Security
uses: github/codeql-action/[email protected].3
uses: github/codeql-action/[email protected].4
with:
sarif_file: merged.sarif

Expand All @@ -185,7 +185,7 @@ jobs:
runs-on: ubuntu-22.04
steps:
- name: Checkout
uses: actions/checkout@v3.5.3
uses: actions/checkout@v3.6.0
with:
# Chart Releaser needs to have local access to "gh-pages" plus current branch
fetch-depth: 0
Expand Down Expand Up @@ -214,11 +214,11 @@ jobs:
runs-on: ubuntu-22.04
steps:
- name: Checkout
uses: actions/checkout@v3.5.3
uses: actions/checkout@v3.6.0

# Required for running "npx" CLI
- name: Setup Node
uses: actions/setup-node@v3.7.0
uses: actions/setup-node@v3.8.1
with:
node-version: ${{ env.NODE_VERSION }}

Expand Down Expand Up @@ -255,7 +255,7 @@ jobs:
arch: linux/amd64,linux/arm64
steps:
- name: Checkout
uses: actions/checkout@v3.5.3
uses: actions/checkout@v3.6.0
with:
# We need all Git history for "version.sh"
fetch-depth: 0
Expand Down Expand Up @@ -288,7 +288,7 @@ jobs:
# Required for running "npx" CLI
- name: Setup Node
uses: actions/setup-node@v3.7.0
uses: actions/setup-node@v3.8.1
with:
node-version: ${{ env.NODE_VERSION }}

Expand Down Expand Up @@ -405,7 +405,7 @@ jobs:
snyk-*.sarif
- name: Upload results to GitHub Security
uses: github/codeql-action/[email protected].3
uses: github/codeql-action/[email protected].4
with:
sarif_file: merged.sarif

Expand All @@ -426,7 +426,7 @@ jobs:
runs-on: windows-2019
steps:
- name: Checkout
uses: actions/checkout@v3.5.3
uses: actions/checkout@v3.6.0
with:
# We need all Git history for "version.sh"
fetch-depth: 0
Expand Down Expand Up @@ -579,7 +579,7 @@ jobs:
${{ steps.tag.outputs.tag }}
- name: Upload results to GitHub Security
uses: github/codeql-action/[email protected].3
uses: github/codeql-action/[email protected].4
with:
sarif_file: snyk.sarif

Expand All @@ -590,7 +590,7 @@ jobs:
image: returntocorp/semgrep
steps:
- name: Checkout
uses: actions/checkout@v3.5.3
uses: actions/checkout@v3.6.0

- name: Run tests
# Semgrep can be used to break the build when it detects security issues. In this case we want to upload the issues to GitHub Security
Expand All @@ -600,7 +600,7 @@ jobs:
run: semgrep ci --sarif --output=semgrep.sarif

- name: Upload results to GitHub Security
uses: github/codeql-action/[email protected].3
uses: github/codeql-action/[email protected].4
with:
sarif_file: semgrep.sarif

Expand All @@ -611,7 +611,7 @@ jobs:
runs-on: ubuntu-22.04
steps:
- name: Checkout
uses: actions/checkout@v3.5.3
uses: actions/checkout@v3.6.0

- name: Setup ORAS
uses: oras-project/[email protected]
18 changes: 8 additions & 10 deletions README.md
Expand Up @@ -94,15 +94,8 @@ pipelines:
capabilities:
- arch_arm64

affinity:
nodeAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
nodeSelectorTerms:
- matchExpressions:
- key: kubernetes.io/arch
operator: In
values:
- arm64
extraNodeSelectors:
kubernetes.io/arch: arm64
```
Deploy the Helm instance:
Expand Down Expand Up @@ -392,7 +385,7 @@ extraVolumeMounts:
| `pipelines.tmpdir.volumeEnabled` | Enabled by default, can be disabled if your CSI driver doesn't support ephemeral storage ([exhaustive list](https://kubernetes-csi.github.io/docs/drivers.html)). If disabled, it is advised to allow >= 10Gi of ephemeral storage usage (see `resources`). | `true` |
| `podSecurityContext` | Security rules applied to the Pod ([more details](https://kubernetes.io/docs/concepts/security/pod-security-standards)). | `{}` |
| `replicaCount` | Default fixed amount of agents deployed. Those are not auto-scaled. | `3` |
| `resources` | Resource limits | `{ "resources": { "limits": { "cpu": 2, "memory": "4Gi", "ephemeral-storage": "4Gi" }, "requests": { "cpu": 1, "memory": "2Gi", "ephemeral-storage": "2Gi" }}}` |
| `resources` | Resource limits | `{ "resources": { "limits": { "cpu": 2, "memory": "4Gi", "ephemeral-storage": "8Gi" }, "requests": { "cpu": 1, "memory": "2Gi", "ephemeral-storage": "2Gi" }}}` |
| `secret.create` | Create Secret, must contains `personalAccessToken` and `organizationURL` variables. | `true` |
| `secret.name` | Secret name | _Release name_ |
| `securityContext` | Security rules applied to the container ([more details](https://kubernetes.io/docs/concepts/security/pod-security-standards)). | `{}` |
Expand All @@ -410,6 +403,11 @@ These actions can enhance your system performance:
- SSD volumes are used for both cache (see `pipelines.cache`) and system temporary directory (see `pipelines.tmpdir`). For exemple, in Azure, the `managed-csi-premium` volume type is a high-performance SSD.
- The network bewteen Azure DevOps server and agents has a low latency.

BuikdKit specifics:

- Choose an ephemeral disk for the cache in `/app-root/.local/share/buildkit`, instead of an emptyDir.
- Use an high-performance disk for the cache, exemple `managed-csi-premium` in Azure.

### Proxy

If you need to use a proxy, you can set the following environment variables. See [this documentation](https://github.com/microsoft/azure-pipelines-agent/blob/master/docs/start/proxyconfig.md) for more details.
40 changes: 39 additions & 1 deletion TROUBLESHOOTING.md
@@ -1,11 +1,49 @@
# Troubleshooting

## Pods are evicted by Kubernetes with the message `Pod ephemeral local storage usage exceeds the total limit of containers`

This error is due to the fact that the default ephemeral storage limit is set to a lower value than the one used by the pipeline. You can fix it by setting the value to more than default value in `resources.limits.ephemeral-storage`.

This error notably happens when using BuildKit with an `emptyDir` and a large number of layers.

```yaml
# values.yaml (extract)
resources:
limits:
ephemeral-storage: 16Gi
```
## Pods are started but never selected by Azure DevOps when using multiple architectures
Prefer hardcoding the architecture in both the pipeline and the Helm values. As this, KEDA will be able to select the right pods matching the architecture. Otherwise, there is a possibility that the deployment selected by KEDA is not matching the requested architecture.
```yaml
# azure-pipelines.yaml (extract)
stages:
- stage: test
jobs:
- job: test
pool:
demands:
- arch_x64
```
```yaml
# values.yaml (extract)
extraNodeSelectors:
kubernetes.io/arch: arm64

pipelines:
capabilities:
- arch_arm64
```
## Container fails to a `ContainerStatusUnknown` state

Error is often due to two things:

- Kubernetes is not able to pull the image: check the image name and the credentials, if you are using the public registry, mind the domain whitelist
- Pod has been ecivted by Kubernetes due to the excessive local storage usage: parameter `ephemeral-storage` in `resources` Helm values is set to 4Gi by default, you can increase it to 10Gi for example
- Pod has been ecivted by Kubernetes due to the excessive local storage usage: parameter `ephemeral-storage` in `resources` Helm values is set to `8Gi` by default, you can increase it to `16Gi` for example

## Namespaces must be set to a non-zero value

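--- a/example/helm/container-build.yaml
+++ b/example/helm/container-build.yaml
@@ -6,8 +6,16 @@ extraVolumeMounts:
 name: buildkitd
 
 extraVolumes:
-- emptyDir: {}
-name: buildkitd
+- name: buildkitd
+# emptyDir: {}
+ephemeral:
+volumeClaimTemplate:
+spec:
+accessModes: ["ReadWriteOnce"]
+storageClassName: "managed-csi-premium"
+resources:
+requests:
+storage: 16Gi
 
 securityContext:
 seccompProfile:
@@ -29,7 +37,11 @@ resources:
 
 pipelines:
 capabilities:
+- arch_x64
 - buildkit
 personalAccessToken: your-pat
 poolName: private_kube
 organizationURL: https://dev.azure.com/shopping-cart-devops-demo
+
+extraNodeSelectors:
+kubernetes.io/arch: amd64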
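Review bot: The new `buildkitd` volume keeps the replaced `emptyDir` around as the dead line `# emptyDir: {}` and hardcodes the Azure-specific storage class `"managed-csi-premium"` together with a fixed `storage: 16Gi` request, with nothing in the example saying that either value is cluster-specific. Anyone copying this example onto a cluster without that storage class will get a PVC that never binds and agent pods stuck in Pending. I would drop the commented-out line and put the caveat above the volume entry: `# Generic ephemeral volume for the BuildKit cache (deleted with the pod); "managed-csi-premium" is an Azure SSD class - replace it with a fast storage class available on your cluster and size it for the number of layers you build`. The same `kubernetes.io/arch` hardcoding now appears in `extraNodeSelectors` at the bottom of the hunk, which is consistent with the `arch_x64` capability added in the same hunk.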
2 changes: 0 additions & 2 deletions example/helm/windows.yaml
@@ -1,6 +1,4 @@
pipelines:
capabilities:
- arch_x64
personalAccessToken: your-pat
poolName: private_kube
organizationURL: https://dev.azure.com/shopping-cart-devops-demo
2 changes: 1 addition & 1 deletion src/docker/Dockerfile-bookworm
@@ -1,4 +1,4 @@
FROM mcr.microsoft.com/dotnet/aspnet:6.0-bookworm-slim@sha256:85f215d6225222ed9c6350787c7b65fdb05bf98c48f116ce70ba7261736581cd as base
FROM mcr.microsoft.com/dotnet/aspnet:6.0-bookworm-slim@sha256:d9c46e7265ab5dacd41ab10253da89639afe63db10265912bfd779395ea5ad02 as base

# Force apt-get to not use TTY
ENV DEBIAN_FRONTEND noninteractive
2 changes: 1 addition & 1 deletion src/docker/Dockerfile-bullseye
@@ -1,4 +1,4 @@
FROM mcr.microsoft.com/dotnet/aspnet:6.0-bullseye-slim@sha256:03aae52deb58521b0368987571f85872af90e7e04496f7927fe84968d2bd3d49 as base
FROM mcr.microsoft.com/dotnet/aspnet:6.0-bullseye-slim@sha256:39f2c3efb84d744c63f43ee1c206d560d67444858e9622a9c5db93d5ef221dc8 as base

# Force apt-get to not use TTY
ENV DEBIAN_FRONTEND noninteractive
2 changes: 1 addition & 1 deletion src/helm/azure-pipelines-agent/values.yaml
Expand Up @@ -63,7 +63,7 @@ securityContext: {}
resources:
limits:
cpu: 2
ephemeral-storage: 4Gi
ephemeral-storage: 8Gi
memory: 4Gi
requests:
cpu: 1
