Merge pull request #7193 from fidencio/topic/stable-3.1-stop-using-centos

stable-3.1: A bunch of kata-deploy fixes and a switch to using ubuntu as the base image
2025-09-03 01:44:29 +00:00 · 2023-06-30 10:09:41 +02:00
parent efd336eb40 956368e16a
commit 3cae94ea8a
4 changed files with 76 additions and 41 deletions
--- a/tools/packaging/kata-deploy/Dockerfile
+++ b/tools/packaging/kata-deploy/Dockerfile
@@ -3,27 +3,29 @@
 # SPDX-License-Identifier: Apache-2.0
 # Specify alternative base image, e.g. clefos for s390x
-ARG IMAGE
+ARG BASE_IMAGE_NAME=ubuntu
-FROM ${IMAGE:-registry.centos.org/centos}:7
+ARG BASE_IMAGE_TAG=20.04
 FROM $BASE_IMAGE_NAME:$BASE_IMAGE_TAG
 ENV DEBIAN_FRONTEND=noninteractive
 ARG KATA_ARTIFACTS=./kata-static.tar.xz
 ARG DESTINATION=/opt/kata-artifacts
 COPY ${KATA_ARTIFACTS} ${WORKDIR}
-RUN \
+SHELL ["/bin/bash", "-o", "pipefail", "-c"]
 yum -y update && \
 yum -y install xz && \
 yum clean all && \
 mkdir -p ${DESTINATION} && \
 tar xvf ${KATA_ARTIFACTS} -C ${DESTINATION}
 # hadolint will deny echo -e, heredocs don't work in Dockerfiles, shell substitution doesn't work with $'...'
 RUN \
-echo "[kubernetes]" >> /etc/yum.repos.d/kubernetes.repo && \
+apt-get update && \
-echo "name=Kubernetes" >> /etc/yum.repos.d/kubernetes.repo && \
+apt-get install -y --no-install-recommends apt-transport-https ca-certificates curl gpg xz-utils systemd && \
-echo "baseurl=https://packages.cloud.google.com/yum/repos/kubernetes-el7-$(uname -m)" >> /etc/yum.repos.d/kubernetes.repo && \
+mkdir -p /etc/apt/keyrings/ && \
-echo "gpgkey=https://packages.cloud.google.com/yum/doc/yum-key.gpg https://packages.cloud.google.com/yum/doc/rpm-package-key.gpg" >> /etc/yum.repos.d/kubernetes.repo && \
+curl -fsSL https://packages.cloud.google.com/apt/doc/apt-key.gpg | gpg --dearmor -o /etc/apt/keyrings/kubernetes-archive-keyring.gpg && \
-yum -y install kubectl && \
+echo "deb [signed-by=/etc/apt/keyrings/kubernetes-archive-keyring.gpg] https://apt.kubernetes.io/ kubernetes-xenial main" | tee /etc/apt/sources.list.d/kubernetes.list && \
-yum clean all
+apt-get update && \
 apt-get install -y --no-install-recommends kubectl && \
 apt-get clean && rm -rf /var/lib/apt/lists/ && \
 mkdir -p ${DESTINATION} && \
 tar xvf ${WORKDIR}/${KATA_ARTIFACTS} -C ${DESTINATION} && \
 rm -f ${WORKDIR}/${KATA_ARTIFACTS}
 COPY scripts ${DESTINATION}/scripts
--- a/tools/packaging/kata-deploy/kata-cleanup/base/kata-cleanup.yaml
+++ b/tools/packaging/kata-deploy/kata-cleanup/base/kata-cleanup.yaml
@@ -27,19 +27,19 @@ spec:
            fieldRef:
              fieldPath: spec.nodeName
        securityContext:
-          privileged: false
+          privileged: true
        volumeMounts:
        - name: dbus
-          mountPath: /var/run/dbus
+          mountPath: /var/run/dbus/system_bus_socket
        - name: systemd
-          mountPath: /run/systemd
+          mountPath: /run/systemd/system
      volumes:
        - name: dbus
          hostPath:
-            path: /var/run/dbus
+            path: /var/run/dbus/system_bus_socket
        - name: systemd
          hostPath:
-            path: /run/systemd
+            path: /run/systemd/system
  updateStrategy:
    rollingUpdate:
      maxUnavailable: 1
--- a/tools/packaging/kata-deploy/kata-deploy/base/kata-deploy.yaml
+++ b/tools/packaging/kata-deploy/kata-deploy/base/kata-deploy.yaml
@@ -29,7 +29,7 @@ spec:
            fieldRef:
              fieldPath: spec.nodeName
        securityContext:
-          privileged: false
+          privileged: true
        volumeMounts:
        - name: crio-conf
          mountPath: /etc/crio/
@@ -38,9 +38,9 @@ spec:
        - name: kata-artifacts
          mountPath: /opt/kata/
        - name: dbus
-          mountPath: /var/run/dbus
+          mountPath: /var/run/dbus/system_bus_socket
        - name: systemd
-          mountPath: /run/systemd
+          mountPath: /run/systemd/system
        - name: local-bin
          mountPath: /usr/local/bin/
      volumes:
@@ -56,10 +56,10 @@ spec:
            type: DirectoryOrCreate
        - name: dbus
          hostPath:
-            path: /var/run/dbus
+            path: /var/run/dbus/system_bus_socket
        - name: systemd
          hostPath:
-            path: /run/systemd
+            path: /run/systemd/system
        - name: local-bin
          hostPath:
            path: /usr/local/bin/
--- a/tools/packaging/kata-deploy/scripts/kata-deploy.sh
+++ b/tools/packaging/kata-deploy/scripts/kata-deploy.sh
@@ -58,7 +58,17 @@ function install_artifacts() {
 	echo "copying kata artifacts onto host"
 	cp -au /opt/kata-artifacts/opt/kata/* /opt/kata/
 	chmod +x /opt/kata/bin/*
-	chmod +x /opt/kata/runtime-rs/bin/*
+	[ -d /opt/kata/runtime-rs/bin ] && \
 		chmod +x /opt/kata/runtime-rs/bin/*
 }
 function wait_till_node_is_ready() {
 	local ready="False"
 	while ! [[ "${ready}" == "True" ]]; do
 		sleep 2s
 		ready=$(kubectl get node $NODE_NAME -o jsonpath='{.status.conditions[?(@.type=="Ready")].status}')
 	done
 }
 function configure_cri_runtime() {
@@ -74,6 +84,22 @@ function configure_cri_runtime() {
 	esac
 	systemctl daemon-reload
 	systemctl restart "$1"
 	wait_till_node_is_ready
 }
 function backup_shim() {
 	local shim_file="$1"
 	local shim_backup="${shim_file}.bak"
 	if [ -f "${shim_file}" ]; then
 		echo "warning: ${shim_file} already exists" >&2
 		if [ ! -f "${shim_backup}" ]; then
 			mv "${shim_file}" "${shim_backup}"
 		else
 			rm "${shim_file}"
 		fi
 	fi
 }
 function configure_different_shims_base() {
@@ -84,21 +110,15 @@ function configure_different_shims_base() {
 	#   https://github.com/containerd/containerd/issues/3073
 	#   https://github.com/containerd/containerd/issues/5006
 	local default_shim_file="/usr/local/bin/containerd-shim-kata-v2"
 	mkdir -p /usr/local/bin
 	for shim in "${shims[@]}"; do
 		local shim_binary="containerd-shim-kata-${shim}-v2"
 		local shim_file="/usr/local/bin/${shim_binary}"
 		local shim_backup="/usr/local/bin/${shim_binary}.bak"
-		if [ -f "${shim_file}" ]; then
+		backup_shim "${shim_file}"
 			echo "warning: ${shim_binary} already exists" >&2
 			if [ ! -f "${shim_backup}" ]; then
 				mv "${shim_file}" "${shim_backup}"
 			else
 				rm "${shim_file}"
 			fi
 		fi
 		if [[ "${shim}" == "dragonball" ]]; then
 			ln -sf /opt/kata/runtime-rs/bin/containerd-shim-kata-v2 "${shim_file}"
@@ -108,26 +128,37 @@ function configure_different_shims_base() {
 		chmod +x "$shim_file"
 		if [ "${shim}" == "${default_shim}" ]; then
 			backup_shim "${default_shim_file}"
 			echo "Creating the default shim-v2 binary"
-			ln -sf "${shim_file}" /usr/local/bin/containerd-shim-kata-v2
+			ln -sf "${shim_file}" "${default_shim_file}"
 		fi
 	done
 }
 function restore_shim() {
 	local shim_file="$1"
 	local shim_backup="${shim_file}.bak"
 	if [ -f "${shim_backup}" ]; then
 		mv "$shim_backup" "$shim_file"
 	fi
 }
 function cleanup_different_shims_base() {
 	local default_shim_file="/usr/local/bin/containerd-shim-kata-v2"
 	for shim in "${shims[@]}"; do
 		local shim_binary="containerd-shim-kata-${shim}-v2"
 		local shim_file="/usr/local/bin/${shim_binary}"
 		local shim_backup="/usr/local/bin/${shim_binary}.bak"
 		rm "${shim_file}" || true
-		if [ -f "${shim_backup}" ]; then
+		restore_shim "${shim_file}"
 			mv "$shim_backup" "$shim_file"
 		fi
 	done
-	rm /usr/local/bin/containerd-shim-kata-v2
+	rm "${default_shim_file}" || true
 	restore_shim "${default_shim_file}"
 }
 function configure_crio_runtime() {
@@ -264,6 +295,8 @@ function reset_runtime() {
 	if [ "$1" == "crio" ] || [ "$1" == "containerd" ]; then
 		systemctl restart kubelet
 	fi
 	wait_till_node_is_ready
 }
 function main() {