Install container runtime packages as assets #10048
Conversation
k8s-ci-robot
added
cncf-cla: yes
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: hakman The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
k8s-ci-robot
added
area/nodeup
approved
hakman
force-pushed
the
container-runtime-assets
branch
5 times, most recently
from
e54e4ea
to
ee427c9
Compare
hakman
force-pushed
the
container-runtime-assets
branch
from
ee427c9
to
e44037f
Compare
upup/pkg/fi/cloudup/containerd.go
Outdated
| containerdFallbackVersion = "1.2.13" | ||
| ) | ||
|
|
||
| func findContainerdAssets(c *kops.Cluster, assetBuilder *assets.AssetBuilder, arch architectures.Architecture) (*url.URL, *hashing.Hash, error) { |
There was a problem hiding this comment.
Shouldn't this be singular: findContainerdAsset()?
There was a problem hiding this comment.
Wanted to keep the same naming convention as for findCNIAssets and findLyftVPCAssets.
I also think the singular is the better solution. Will change.
| } | ||
|
|
||
| func findAllContainerdDockerMappings() map[string]string { | ||
| versions := map[string]string{ |
There was a problem hiding this comment.
So:
- drops 1.2.4
- adds 1.2.6 and 1.2.12
- changes 1.2.10 from containerd to docker
- changes 1.2.13 from docker 19.03.11 to 19.03.12
Shouldn't at least the dropping of 1.2.4 be mentioned in release notes?
There was a problem hiding this comment.
Containerd support is a bit of a puzzle here. Will have to think about it.
There was a problem hiding this comment.
I would be okay with only moving the newer versions of containerd to assets phase.
There was a problem hiding this comment.
The problem comes mostly from packaging bugs in containerd and package URL changes and lack of ARM builds...
So, to the point:
- drops 1.2.4 - adding back pretty easy to do
- adds 1.2.6 and 1.2.12 - it is not a big deal, added them just because it was easy to map to Docker packages
- changes 1.2.10 from containerd to docker - intended, shouldn't make any difference
- changes 1.2.13 from docker 19.03.11 to 19.03.12 - reverted this
upup/pkg/fi/cloudup/docker.go
Outdated
| dockerFallbackVersion = "17.09.0" | ||
| ) | ||
|
|
||
| func findDockerAssets(c *kops.Cluster, assetBuilder *assets.AssetBuilder, arch architectures.Architecture) (*url.URL, *hashing.Hash, error) { |
There was a problem hiding this comment.
Wanted to keep the same naming convention as for findCNIAssets and findLyftVPCAssets.
I also think the singular is the better solution. Will change.
| hashes := map[string]string{ | ||
| "17.03.0": "aac08524db82d3fdc8fc092f495e1174f5e1dd774b95a6d081544997d34b4855", | ||
| "17.03.1": "3e070e7b34e99cf631f44d0ff5cf9a127c0b8af5c53dfc3e1fce4f9615fbf603", | ||
| "17.03.2": "183b31b001e7480f3c691080486401aa519101a5cfe6e05ad01b9f5521c4112d", |
There was a problem hiding this comment.
So moving all distributions to the "static" variant. Is the removal of the docker-ce-selinux package on RHEL-7 and derived distributions not a problem?
(This is a change for 18.06.3 and earlier, with the exception of 17.03.2 on Ubuntu 18.04.)
There was a problem hiding this comment.
@justinsb also noticed this, so will try to explain below.
Kops support for SELinux was added in 1.19 (mostly experimental from my point of view) and could not be enabled in docker config in the past. Contents of the packages show that it contains only the SELinux profiles:
> rpm -qlp ./docker-ce-selinux-17.03.2.ce-1.el7.centos.noarch.rpm
/usr/share/doc/docker-ce-selinux-17.03.2.ce
/usr/share/doc/docker-ce-selinux-17.03.2.ce/LICENSE
/usr/share/selinux/devel/include/services/docker.if
/usr/share/selinux/packages/docker.pp.bz2The docker-ce-selinux package is distributed only for 17.03.x and later versions switch to the container-selinux dependency, distributed with RHEL/CentOS.
Considering that SELinux could not be used in the past and we already install by default a replacement package, I don't think this is an issue.
| Mode: "+i", | ||
| Deps: []fi.Task{packageTask}, | ||
| }) | ||
| } |
There was a problem hiding this comment.
Do we not need this mitigation anymore?
There was a problem hiding this comment.
I saw this done only for 17.03.x and didn't seem like something that important anymore considering the number of security issues with that version. Anyone interested in security should really use a newer Docker version.
Do you think it has any value for newer versions?
There was a problem hiding this comment.
It doesn't have value for newer versions, but I don't think we should reintroduce a significant security vulnerability for 17.03.
Perhaps we should work on our deprecation policy for container runtimes.
There was a problem hiding this comment.
Good call on digging a bit more. Seems that this is wider than initially thought and affects about anything < 18.09.2.
Re-added the mitigation and updated the tests output.
Perhaps we should work on our deprecation policy for container runtimes.
+1 from me 😄
nodeup/pkg/model/context.go
Outdated
| @@ -598,29 +599,31 @@ func (c *NodeupModelContext) GetPrivateKey(name string) ([]byte, error) { | |||
|
|
|||
| func (b *NodeupModelContext) AddCNIBinAssets(c *fi.ModelBuilderContext, assetNames []string) error { | |||
| for _, assetName := range assetNames { | |||
| if err := b.addCNIBinAsset(c, assetName); err != nil { | |||
| re, err := regexp.Compile(fmt.Sprintf("^%s$", assetName)) | |||
There was a problem hiding this comment.
I'm a little worried about regexp metacharacters, such as ".", in the assetName.
Perhaps use regexp.Compile(fmt.Sprintf("^%s$", regexp.QuoteMeta(assetName))) instead?
There was a problem hiding this comment.
Sounds reasonable. Thanks for the suggestion.
nodeup/pkg/model/context.go
Outdated
| func (b *NodeupModelContext) addCNIBinAsset(c *fi.ModelBuilderContext, assetPath *regexp.Regexp) error { | ||
| a := b.Assets.FindMatches(assetPath) | ||
| if len(a) != 1 { | ||
| return fmt.Errorf("unable to locate asset %q", assetPath.String()) |
There was a problem hiding this comment.
"unable to locate" is misleading if len(a) > 1.
hakman
force-pushed
the
container-runtime-assets
branch
from
4f5826b
to
9046e32
Compare
hakman
force-pushed
the
container-runtime-assets
branch
from
9046e32
to
c362620
Compare
|
@johngmyers I think I addressed all the review comments in my latest commit. |
|
/lgtm |
k8s-ci-robot
added
the
lgtm
|
Extracted out the package scripts for a few representative packages, the only thing I saw was adding the docker group and some apparmor (and we didn't support apparmor for these older versions). Thanks for doing this @hakman ! |
|
Thanks for checking @justinsb 😄 |
…-upstream-release-1.19 Automated cherry pick of #10048: Install container runtime packages as assets
The main purpose for this PR is to move the logic of choosing the container runtime (Docker or containerd) package from noddup to the assets building phase, when running
kops update cluster. An additional benefit is that it's easy to add new versions and added all existing Docker packages to the supported list.Feature related changes are quite small and limited to the "Main" and "Misc" commits.
Tests changes are more extensive to be able to do changes with confidence and are separated in the "Tests" commit.
Integration tests changes are about adding the new asset to
conf/kube_env.yaml, but touches all these tests. Fortunately changes are separated in the "Integration" commit.