Use a forked copy of multiarch/qemu-user-static scripts instead of a privileged container

[ixdy]

What this PR does / why we need it: in several of our Makefiles, we run docker run --privileged multiarch/qemu-user-static:register to register qemu in the host kernel, but this is roughly equivalent to curl | sudo sh.

As we have to run these operations as root, we should at least run copies of the script that we can maintain and audit.

Release note:

NONE

/assign @cblecker @dims @mkumatag @tallclair

[ixdy]

/assign @lavalamp
for third_party

[cblecker]

/lgtm
/approve

[tallclair]

Thanks, /lgtm

[dims]

Was this file really downloaded from here @ixdy ? (the one in the url looks different)

[cblecker]

In https://github.com/kubernetes/kubernetes/pull/69820/files#diff-411cd91074aad363eef8c602401707e0R1 he notes that it was downloaded at a specific commit

[dims]

ah thanks!

/hold cancel

[ixdy]

right, this file was actually copied from qemu/qemu into multiarch/qemu-user-static, where this comment was added (see https://github.com/multiarch/qemu-user-static/blob/22b0013668d2aed4a2cfd21650e85c664b1f21c6/register/qemu-binfmt-conf.sh#L5).

[dims]

/hold

one question on the script inline

[ixdy]

Of course our build image doesn't have sudo. Thinking about how to fix this.
/hold

[ixdy]

/hold cancel

I added some Makefile one-liners to fix the sudo issue, PTAL.

[ixdy]

To explain this: make doesn't let you do equality checks in variable assignment, so this is next best option. Basically, filter pattern,text returns whitespace-separated words from text that match the pattern, so here we're returning 0 when the user is root and empty string otherwise.

the if in variable assignment considers nonempty strings as true, empty strings as false. thus when the effective user id is 0 (i.e. you're root), filter returns 0, which evaluates to true, and so we don't use sudo. Otherwise we do.

[ixdy]

(this implementation was basically copied from https://stackoverflow.com/a/9008922/9723266.)

[ixdy]

(I pushed new changes to reverse the order of arguments to filter, since they were backwards before. No functionality change, though.)

[ixdy]

oh, this is failing because I think the cross job isn't running in a privileged container.

I guess we can switch that, but it's a little unfortunate... cc @BenTheElder

[ixdy]

I wonder if we can move symlink creation to the hyperkube base image, and then remove the need for the register call entirely.

[BenTheElder]

[FYI we discussed offline and Jeff is trying the route mentioned above]

[ixdy]

cross-linking: #69832 is the PR to move symlink creation to the hyperkube base image.

I think we still want this PR, since there are cases (like creation of the base images) where we need to register the qemu handlers, and I'd rather use a local script instead of a privileged container.

[ixdy]

I've rebased now that #69832 has merged. I believe this should be good to go now.

[dims]

/lgtm

[ixdy]

/assign @smarterclayton

can you review/approve the third_party change?

[dims]

@thockin @smarterclayton can you please approve the changes under third_party?

[ixdy]

/assign @lavalamp

Can someone please approve for third_party? :)

[ixdy]

ping?

[lavalamp]

/approve

sorry didn't see this in my email until now

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: cblecker, ixdy, lavalamp

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• build/OWNERS [cblecker,ixdy,lavalamp]
• test/images/OWNERS [cblecker,ixdy,lavalamp]
• third_party/OWNERS [lavalamp]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment