diff --git a/tools/packaging/kata-deploy/Dockerfile b/tools/packaging/kata-deploy/Dockerfile index 94533a906d..cc14ff2dea 100644 --- a/tools/packaging/kata-deploy/Dockerfile +++ b/tools/packaging/kata-deploy/Dockerfile @@ -3,27 +3,29 @@ # SPDX-License-Identifier: Apache-2.0 # Specify alternative base image, e.g. clefos for s390x -ARG IMAGE -FROM ${IMAGE:-registry.centos.org/centos}:7 +ARG BASE_IMAGE_NAME=ubuntu +ARG BASE_IMAGE_TAG=20.04 +FROM $BASE_IMAGE_NAME:$BASE_IMAGE_TAG +ENV DEBIAN_FRONTEND=noninteractive + ARG KATA_ARTIFACTS=./kata-static.tar.xz ARG DESTINATION=/opt/kata-artifacts COPY ${KATA_ARTIFACTS} ${WORKDIR} -RUN \ -yum -y update && \ -yum -y install xz && \ -yum clean all && \ -mkdir -p ${DESTINATION} && \ -tar xvf ${KATA_ARTIFACTS} -C ${DESTINATION} +SHELL ["/bin/bash", "-o", "pipefail", "-c"] -# hadolint will deny echo -e, heredocs don't work in Dockerfiles, shell substitution doesn't work with $'...' RUN \ -echo "[kubernetes]" >> /etc/yum.repos.d/kubernetes.repo && \ -echo "name=Kubernetes" >> /etc/yum.repos.d/kubernetes.repo && \ -echo "baseurl=https://packages.cloud.google.com/yum/repos/kubernetes-el7-$(uname -m)" >> /etc/yum.repos.d/kubernetes.repo && \ -echo "gpgkey=https://packages.cloud.google.com/yum/doc/yum-key.gpg https://packages.cloud.google.com/yum/doc/rpm-package-key.gpg" >> /etc/yum.repos.d/kubernetes.repo && \ -yum -y install kubectl && \ -yum clean all +apt-get update && \ +apt-get install -y --no-install-recommends apt-transport-https ca-certificates curl gpg xz-utils systemd && \ +mkdir -p /etc/apt/keyrings/ && \ +curl -fsSL https://packages.cloud.google.com/apt/doc/apt-key.gpg | gpg --dearmor -o /etc/apt/keyrings/kubernetes-archive-keyring.gpg && \ +echo "deb [signed-by=/etc/apt/keyrings/kubernetes-archive-keyring.gpg] https://apt.kubernetes.io/ kubernetes-xenial main" | tee /etc/apt/sources.list.d/kubernetes.list && \ +apt-get update && \ +apt-get install -y --no-install-recommends kubectl && \ +apt-get clean && rm -rf /var/lib/apt/lists/ && \ +mkdir -p ${DESTINATION} && \ +tar xvf ${WORKDIR}/${KATA_ARTIFACTS} -C ${DESTINATION} && \ +rm -f ${WORKDIR}/${KATA_ARTIFACTS} COPY scripts ${DESTINATION}/scripts diff --git a/tools/packaging/kata-deploy/kata-cleanup/base/kata-cleanup.yaml b/tools/packaging/kata-deploy/kata-cleanup/base/kata-cleanup.yaml index be640ae584..c0220b89be 100644 --- a/tools/packaging/kata-deploy/kata-cleanup/base/kata-cleanup.yaml +++ b/tools/packaging/kata-deploy/kata-cleanup/base/kata-cleanup.yaml @@ -27,19 +27,19 @@ spec: fieldRef: fieldPath: spec.nodeName securityContext: - privileged: false + privileged: true volumeMounts: - name: dbus - mountPath: /var/run/dbus + mountPath: /var/run/dbus/system_bus_socket - name: systemd - mountPath: /run/systemd + mountPath: /run/systemd/system volumes: - name: dbus hostPath: - path: /var/run/dbus + path: /var/run/dbus/system_bus_socket - name: systemd hostPath: - path: /run/systemd + path: /run/systemd/system updateStrategy: rollingUpdate: maxUnavailable: 1 diff --git a/tools/packaging/kata-deploy/kata-deploy/base/kata-deploy.yaml b/tools/packaging/kata-deploy/kata-deploy/base/kata-deploy.yaml index a6616fe672..1bfc73530e 100644 --- a/tools/packaging/kata-deploy/kata-deploy/base/kata-deploy.yaml +++ b/tools/packaging/kata-deploy/kata-deploy/base/kata-deploy.yaml @@ -29,7 +29,7 @@ spec: fieldRef: fieldPath: spec.nodeName securityContext: - privileged: false + privileged: true volumeMounts: - name: crio-conf mountPath: /etc/crio/ @@ -38,9 +38,9 @@ spec: - name: kata-artifacts mountPath: /opt/kata/ - name: dbus - mountPath: /var/run/dbus + mountPath: /var/run/dbus/system_bus_socket - name: systemd - mountPath: /run/systemd + mountPath: /run/systemd/system - name: local-bin mountPath: /usr/local/bin/ volumes: @@ -56,10 +56,10 @@ spec: type: DirectoryOrCreate - name: dbus hostPath: - path: /var/run/dbus + path: /var/run/dbus/system_bus_socket - name: systemd hostPath: - path: /run/systemd + path: /run/systemd/system - name: local-bin hostPath: path: /usr/local/bin/ diff --git a/tools/packaging/kata-deploy/scripts/kata-deploy.sh b/tools/packaging/kata-deploy/scripts/kata-deploy.sh index a4a4f9d5cd..76fd8792bc 100755 --- a/tools/packaging/kata-deploy/scripts/kata-deploy.sh +++ b/tools/packaging/kata-deploy/scripts/kata-deploy.sh @@ -58,7 +58,17 @@ function install_artifacts() { echo "copying kata artifacts onto host" cp -au /opt/kata-artifacts/opt/kata/* /opt/kata/ chmod +x /opt/kata/bin/* - chmod +x /opt/kata/runtime-rs/bin/* + [ -d /opt/kata/runtime-rs/bin ] && \ + chmod +x /opt/kata/runtime-rs/bin/* +} + +function wait_till_node_is_ready() { + local ready="False" + + while ! [[ "${ready}" == "True" ]]; do + sleep 2s + ready=$(kubectl get node $NODE_NAME -o jsonpath='{.status.conditions[?(@.type=="Ready")].status}') + done } function configure_cri_runtime() { @@ -74,6 +84,22 @@ function configure_cri_runtime() { esac systemctl daemon-reload systemctl restart "$1" + + wait_till_node_is_ready +} + +function backup_shim() { + local shim_file="$1" + local shim_backup="${shim_file}.bak" + + if [ -f "${shim_file}" ]; then + echo "warning: ${shim_file} already exists" >&2 + if [ ! -f "${shim_backup}" ]; then + mv "${shim_file}" "${shim_backup}" + else + rm "${shim_file}" + fi + fi } function configure_different_shims_base() { @@ -84,21 +110,15 @@ function configure_different_shims_base() { # https://github.com/containerd/containerd/issues/3073 # https://github.com/containerd/containerd/issues/5006 + local default_shim_file="/usr/local/bin/containerd-shim-kata-v2" + mkdir -p /usr/local/bin for shim in "${shims[@]}"; do local shim_binary="containerd-shim-kata-${shim}-v2" local shim_file="/usr/local/bin/${shim_binary}" - local shim_backup="/usr/local/bin/${shim_binary}.bak" - if [ -f "${shim_file}" ]; then - echo "warning: ${shim_binary} already exists" >&2 - if [ ! -f "${shim_backup}" ]; then - mv "${shim_file}" "${shim_backup}" - else - rm "${shim_file}" - fi - fi + backup_shim "${shim_file}" if [[ "${shim}" == "dragonball" ]]; then ln -sf /opt/kata/runtime-rs/bin/containerd-shim-kata-v2 "${shim_file}" @@ -108,26 +128,37 @@ function configure_different_shims_base() { chmod +x "$shim_file" if [ "${shim}" == "${default_shim}" ]; then + backup_shim "${default_shim_file}" + echo "Creating the default shim-v2 binary" - ln -sf "${shim_file}" /usr/local/bin/containerd-shim-kata-v2 + ln -sf "${shim_file}" "${default_shim_file}" fi done } +function restore_shim() { + local shim_file="$1" + local shim_backup="${shim_file}.bak" + + if [ -f "${shim_backup}" ]; then + mv "$shim_backup" "$shim_file" + fi +} + function cleanup_different_shims_base() { + local default_shim_file="/usr/local/bin/containerd-shim-kata-v2" + for shim in "${shims[@]}"; do local shim_binary="containerd-shim-kata-${shim}-v2" local shim_file="/usr/local/bin/${shim_binary}" - local shim_backup="/usr/local/bin/${shim_binary}.bak" rm "${shim_file}" || true - if [ -f "${shim_backup}" ]; then - mv "$shim_backup" "$shim_file" - fi + restore_shim "${shim_file}" done - rm /usr/local/bin/containerd-shim-kata-v2 + rm "${default_shim_file}" || true + restore_shim "${default_shim_file}" } function configure_crio_runtime() { @@ -264,6 +295,8 @@ function reset_runtime() { if [ "$1" == "crio" ] || [ "$1" == "containerd" ]; then systemctl restart kubelet fi + + wait_till_node_is_ready } function main() {