-
Notifications
You must be signed in to change notification settings - Fork 4.6k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Install container runtime packages as assets #10048
Install container runtime packages as assets #10048
Conversation
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: hakman The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
e54e4ea
to
ee427c9
Compare
ee427c9
to
e44037f
Compare
upup/pkg/fi/cloudup/containerd.go
Outdated
containerdFallbackVersion = "1.2.13" | ||
) | ||
|
||
func findContainerdAssets(c *kops.Cluster, assetBuilder *assets.AssetBuilder, arch architectures.Architecture) (*url.URL, *hashing.Hash, error) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Shouldn't this be singular: findContainerdAsset()
?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Wanted to keep the same naming convention as for findCNIAssets
and findLyftVPCAssets
.
I also think the singular is the better solution. Will change.
} | ||
|
||
func findAllContainerdDockerMappings() map[string]string { | ||
versions := map[string]string{ |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
So:
- drops 1.2.4
- adds 1.2.6 and 1.2.12
- changes 1.2.10 from containerd to docker
- changes 1.2.13 from docker 19.03.11 to 19.03.12
Shouldn't at least the dropping of 1.2.4 be mentioned in release notes?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Containerd support is a bit of a puzzle here. Will have to think about it.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I would be okay with only moving the newer versions of containerd to assets phase.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The problem comes mostly from packaging bugs in containerd and package URL changes and lack of ARM builds...
So, to the point:
- drops 1.2.4 - adding back pretty easy to do
- adds 1.2.6 and 1.2.12 - it is not a big deal, added them just because it was easy to map to Docker packages
- changes 1.2.10 from containerd to docker - intended, shouldn't make any difference
- changes 1.2.13 from docker 19.03.11 to 19.03.12 - reverted this
upup/pkg/fi/cloudup/docker.go
Outdated
dockerFallbackVersion = "17.09.0" | ||
) | ||
|
||
func findDockerAssets(c *kops.Cluster, assetBuilder *assets.AssetBuilder, arch architectures.Architecture) (*url.URL, *hashing.Hash, error) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
findDockerAsset()
?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Wanted to keep the same naming convention as for findCNIAssets and findLyftVPCAssets.
I also think the singular is the better solution. Will change.
hashes := map[string]string{ | ||
"17.03.0": "aac08524db82d3fdc8fc092f495e1174f5e1dd774b95a6d081544997d34b4855", | ||
"17.03.1": "3e070e7b34e99cf631f44d0ff5cf9a127c0b8af5c53dfc3e1fce4f9615fbf603", | ||
"17.03.2": "183b31b001e7480f3c691080486401aa519101a5cfe6e05ad01b9f5521c4112d", |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
So moving all distributions to the "static" variant. Is the removal of the docker-ce-selinux package on RHEL-7 and derived distributions not a problem?
(This is a change for 18.06.3 and earlier, with the exception of 17.03.2 on Ubuntu 18.04.)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@justinsb also noticed this, so will try to explain below.
Kops support for SELinux was added in 1.19 (mostly experimental from my point of view) and could not be enabled in docker config in the past. Contents of the packages show that it contains only the SELinux profiles:
> rpm -qlp ./docker-ce-selinux-17.03.2.ce-1.el7.centos.noarch.rpm
/usr/share/doc/docker-ce-selinux-17.03.2.ce
/usr/share/doc/docker-ce-selinux-17.03.2.ce/LICENSE
/usr/share/selinux/devel/include/services/docker.if
/usr/share/selinux/packages/docker.pp.bz2
The docker-ce-selinux
package is distributed only for 17.03.x and later versions switch to the container-selinux
dependency, distributed with RHEL/CentOS.
Considering that SELinux could not be used in the past and we already install by default a replacement package, I don't think this is an issue.
Mode: "+i", | ||
Deps: []fi.Task{packageTask}, | ||
}) | ||
} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Do we not need this mitigation anymore?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I saw this done only for 17.03.x and didn't seem like something that important anymore considering the number of security issues with that version. Anyone interested in security should really use a newer Docker version.
Do you think it has any value for newer versions?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It doesn't have value for newer versions, but I don't think we should reintroduce a significant security vulnerability for 17.03.
Perhaps we should work on our deprecation policy for container runtimes.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Good call on digging a bit more. Seems that this is wider than initially thought and affects about anything < 18.09.2.
Re-added the mitigation and updated the tests output.
Perhaps we should work on our deprecation policy for container runtimes.
+1 from me 😄
nodeup/pkg/model/context.go
Outdated
@@ -598,29 +599,31 @@ func (c *NodeupModelContext) GetPrivateKey(name string) ([]byte, error) { | |||
|
|||
func (b *NodeupModelContext) AddCNIBinAssets(c *fi.ModelBuilderContext, assetNames []string) error { | |||
for _, assetName := range assetNames { | |||
if err := b.addCNIBinAsset(c, assetName); err != nil { | |||
re, err := regexp.Compile(fmt.Sprintf("^%s$", assetName)) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm a little worried about regexp metacharacters, such as ".", in the assetName.
Perhaps use regexp.Compile(fmt.Sprintf("^%s$", regexp.QuoteMeta(assetName)))
instead?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Sounds reasonable. Thanks for the suggestion.
nodeup/pkg/model/context.go
Outdated
func (b *NodeupModelContext) addCNIBinAsset(c *fi.ModelBuilderContext, assetPath *regexp.Regexp) error { | ||
a := b.Assets.FindMatches(assetPath) | ||
if len(a) != 1 { | ||
return fmt.Errorf("unable to locate asset %q", assetPath.String()) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
"unable to locate" is misleading if len(a) > 1
.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Agreed. Will change.
4f5826b
to
9046e32
Compare
9046e32
to
c362620
Compare
@johngmyers I think I addressed all the review comments in my latest commit. |
/lgtm |
Extracted out the package scripts for a few representative packages, the only thing I saw was adding the docker group and some apparmor (and we didn't support apparmor for these older versions). Thanks for doing this @hakman ! |
Thanks for checking @justinsb 😄 |
…-upstream-release-1.19 Automated cherry pick of #10048: Install container runtime packages as assets
The main purpose for this PR is to move the logic of choosing the container runtime (Docker or containerd) package from noddup to the assets building phase, when running
kops update cluster
. An additional benefit is that it's easy to add new versions and added all existing Docker packages to the supported list.Feature related changes are quite small and limited to the "Main" and "Misc" commits.
Tests changes are more extensive to be able to do changes with confidence and are separated in the "Tests" commit.
Integration tests changes are about adding the new asset to
conf/kube_env.yaml
, but touches all these tests. Fortunately changes are separated in the "Integration" commit.