containerd: Add support for tar.gz package

[hakman]

Each containerd release comes with a tar.gz that can be used to install it with minimal effort.
Ref: #7986 (comment)

Summary of changes:

• Archive task will extract each required file to the desired location - easier to control what goes where, but may need versioning in the future
• the package contains static binaries, so no need to provide a distro like with each rpm/deb
• having a single package means dependencies need to go to Packages
• support for CentOS should be much simpler now that container-selinux is installed from repo and not vault (vault package is still needed for RHEL and Amazon Linux)

PS1: Docker could get some similar upgrade by moving the deps to Packages and would open the way to multi-arch.

PS2: Amazon Linux 2 doesn't have the packages required to run the latest containerd (and Docker). At least the deps for container-selinux from CentOS are missing. I suspect this distro will need special care if support for it is desired.

[k8s-ci-robot]

Hi @hakman. Thanks for your PR.

I'm waiting for a kubernetes member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[hakman]

/cc @justinsb

[tanjunchen]

/ok-to-test

[johngmyers]

/test pull-kops-verify-packages

[tanjunchen]

/test pull-kops-e2e-kubernetes-aws

[johngmyers]

/test pull-kops-verify-generated

[hakman]

/assign @justinsb

[justinsb]

I'm wondering if we should map directories, as this likely makes it harder to support new tar.gz bundles we don't yet know about (they may have added a file)...

[hakman]

Very good point. Updated and works perfectly.

[justinsb]

We might actually need these to prevent systemd marking the unit as failed and not always restarting e.g. https://serverfault.com/questions/736624/systemd-service-automatic-restart-after-startlimitinterval

However, I think with RestartSec = 5 we're OK with the default values, but it is possible that systemd is not running with the default values.

Also annoying is that the field was renamed from StartLimitInterval to StartLimitIntervalSec at some stage; I don't know if any of our OSes uses StartLimitInterval.

We might need a helper function - so we can probably leave this as-is for now :-)

[hakman]

I also saw that Kops doesn't use StartLimitInterval anywhere. Besides the name, it was also moved from [Service] to [Unit] at some point.
https://lists.freedesktop.org/archives/systemd-devel/2017-July/039255.html

Unless someone will complain, I also think we can skip it for now.

[justinsb]

These are the ones we're moving into packages.go?

[hakman]

Yes. Moving to packages.go.

[justinsb]

This is going to be slow I think, because we have to read the whole tar file every time (tar files aren't indexed, unlike zip files).

[hakman]

In theory, yes. In practice it's faster than yum install containerd:

I0112 04:43:20.381756     652 files.go:100] Hash matched for "/var/cache/nodeup/archives/containerd.io": sha1:f451d46280104588f236bee277bca1da8babc0e8
I0112 04:43:20.381805     652 archive.go:189] running command [tar xf /var/cache/nodeup/archives/containerd.io -C /usr --strip-components=3 ./usr/local/bin]
I0112 04:43:22.038539     652 archive.go:189] running command [tar xf /var/cache/nodeup/archives/containerd.io -C /usr --strip-components=3 ./usr/local/sbin]
I0112 04:43:23.601597     652 executor.go:103] Tasks: 2 done / 60 total; 45 can run
``

[justinsb]

I guess the problem here is that container-selinux might be tied to the behaviour of a particular version of containerd. i.e. a new version of containerd introduces a new required permission (?)

[hakman]

My assumption was that newer container-selinux will only add permissions, which would make it backwards compatible with any containerd or docker version. In a regular install. where one has a valid subscription, any package upgrade would grab the latest version.

[justinsb]

Thanks @hakman ... generally looks good but I have some questions!

[hakman]

Thanks @justinsb. I think this will make it simpler to support multi-arch. I see that the guys working on containerd are improving their support for multi-arch and hopefully will release official builds soon.
containerd/containerd#3758

Would it make sense to try and move Docker deps to Packages and add a tar.gz package there also?

[justinsb]

Thanks for the tweaks - looks great!

/approve
/lgtm

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: hakman, justinsb

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [justinsb]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[justinsb]

For docker, my inclination would be to leave it as-is, and gradually let it age-out out of our code, as I think people will switch to pure containerd. But if there's an advantage to refactoring it, we can do that!

[hakman]

/retest

[hakman]

/retest

[hakman]

/test pull-kops-e2e-kubernetes-aws

[johngmyers]

/test pull-kops-e2e-kubernetes-aws

[hakman]

/retest