From c4ef6a94b329d09da8962fb720b4bce814eecb9e Mon Sep 17 00:00:00 2001 From: Davanum Srinivas Date: Fri, 7 Feb 2020 11:03:53 -0500 Subject: [PATCH 1/3] Add gid to config.toml only when docker group is present If we don't install docker and install just containerd apt packages, there is no docker group. In this scenario, we should not add the gid to config.toml --- cluster/gce/gci/configure-helper.sh | 15 ++++++++++----- 1 file changed, 10 insertions(+), 5 deletions(-) diff --git a/cluster/gce/gci/configure-helper.sh b/cluster/gce/gci/configure-helper.sh index d486eb1f555..ef639727537 100644 --- a/cluster/gce/gci/configure-helper.sh +++ b/cluster/gce/gci/configure-helper.sh @@ -2668,8 +2668,6 @@ EOF cni_template_path="" fi fi - # Reuse docker group for containerd. - local containerd_gid="$(cat /etc/group | grep ^docker: | cut -d: -f 3)" cat > "${config_path}" <> "${config_path}" < Date: Fri, 7 Feb 2020 14:49:31 -0500 Subject: [PATCH 2/3] Install containerd package depending on CONTAINER_RUNTIME --- cluster/gce/gci/configure.sh | 45 +++++++++++++++++++++++++++++++++--- 1 file changed, 42 insertions(+), 3 deletions(-) diff --git a/cluster/gce/gci/configure.sh b/cluster/gce/gci/configure.sh index 3529944b676..12b16a43cdb 100644 --- a/cluster/gce/gci/configure.sh +++ b/cluster/gce/gci/configure.sh 
@@ -436,6 +436,39 @@ function install-docker {
 rm -rf /var/lib/apt/lists/*
 }
 
+# If we are on ubuntu we can try to install containerd
+function install-containerd {
+ # bailout if we are not on ubuntu
+ if ! command -v apt-get >/dev/null 2>&1; then
+ echo "Unable to install automatically install docker. Bailing out..."
+ return
+ fi
+ # Install dependencies, some of these are already installed in the image but
+ # that's fine since they won't re-install and we can reuse the code below
+ # for another image someday.
+ apt-get update
+ apt-get install -y --no-install-recommends \
+ apt-transport-https \
+ ca-certificates \
+ socat \
+ curl \
+ gnupg2 \
+ software-properties-common \
+ lsb-release
+
+ # Add the Docker apt-repository (as we install containerd from there)
+ curl -fsSL https://download.docker.com/linux/$(. /etc/os-release; echo "$ID")/gpg \
+ | apt-key add -
+ add-apt-repository \
+ "deb [arch=amd64] https://download.docker.com/linux/$(. /etc/os-release; echo "$ID") \
+ $(lsb_release -cs) stable"
+
+ # Install containerd from Docker repo
+ apt-get update && \
+ apt-get install -y --no-install-recommends containerd
+ rm -rf /var/lib/apt/lists/*
+}
+
 function ensure-container-runtime {
 container_runtime="${CONTAINER_RUNTIME:-docker}"
 if [[ "${container_runtime}" == "docker" ]]; then
@@ -448,11 +481,17 @@ function ensure-container-runtime {
 fi
 docker version
 elif [[ "${container_runtime}" == "containerd" ]]; then
+ set -x
 if ! command -v ctr >/dev/null 2>&1; then
- echo "ERROR ctr not found. Aborting."
- exit 2
+ install-containerd
+ if ! command -v containerd >/dev/null 2>&1; then
+ echo "ERROR containerd not found. Aborting."
+ exit 2
+ fi
 fi
- ctr version
+ ctr --version
+ containerd --version
+ runc --version
 fi
 }
 
From da024f9a577f291e6e083e89f0db0384027a9ed2 Mon Sep 17 00:00:00 2001
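Review bot: In install-containerd the Docker repository key is piped from curl straight into `apt-key add -`, so whatever that download returns becomes a trusted signer for every apt source on the node, and its fingerprint is never compared with a known value. Store the key in a dedicated keyring file instead and scope it to this one repository by adding `signed-by=<keyring path>` inside the `deb [arch=amd64 ...]` entry, after checking the key's fingerprint against a pinned value. The same pattern may already exist in install-docker, whose body is outside this hunk; if so, both would benefit from one shared helper.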
From: Davanum Srinivas
Date: Fri, 7 Feb 2020 15:49:19 -0500
Subject: [PATCH 3/3] Ability to override versions of containerd/runc
---
 cluster/gce/config-default.sh | 7 +++++
 cluster/gce/config-test.sh | 7 +++++
 cluster/gce/gci/configure.sh | 49 +++++++++++++++++++++++++++--------
 cluster/gce/util.sh | 2 ++
 4 files changed, 54 insertions(+), 11 deletions(-)
diff --git a/cluster/gce/config-default.sh b/cluster/gce/config-default.sh
index 85f00f7724d..02cf7480880 100755
--- a/cluster/gce/config-default.sh
+++ b/cluster/gce/config-default.sh
@@ -101,6 +101,13 @@ if [[ "${CONTAINER_RUNTIME}" == "containerd" ]]; then
 LOAD_IMAGE_COMMAND=${KUBE_LOAD_IMAGE_COMMAND:-ctr -n=k8s.io images import}
 fi
 
+# Ability to inject custom versions (Ubuntu OS images ONLY)
+# if KUBE_UBUNTU_INSTALL_CONTAINERD_VERSION or KUBE_UBUNTU_INSTALL_RUNC_VERSION
+# is set to empty then we do not override the version(s) and just
+# use whatever is in the default installation of containerd package
+UBUNTU_INSTALL_CONTAINERD_VERSION=${KUBE_UBUNTU_INSTALL_CONTAINERD_VERSION:-}
+UBUNTU_INSTALL_RUNC_VERSION=${KUBE_UBUNTU_INSTALL_RUNC_VERSION:-}
+
 # MASTER_EXTRA_METADATA is the extra instance metadata on master instance separated by commas.
 MASTER_EXTRA_METADATA=${KUBE_MASTER_EXTRA_METADATA:-${KUBE_EXTRA_METADATA:-}}
 # MASTER_EXTRA_METADATA is the extra instance metadata on node instance separated by commas.
diff --git a/cluster/gce/config-test.sh b/cluster/gce/config-test.sh
index 098dcc35cde..75b039b7c3e 100755
--- a/cluster/gce/config-test.sh
+++ b/cluster/gce/config-test.sh
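Review bot: The new comment does not say what form the two version values must take, yet install-containerd-ubuntu in cluster/gce/gci/configure.sh (later in this patch) uses the containerd value both verbatim as the release tag and with its first character stripped (`${UBUNTU_INSTALL_CONTAINERD_VERSION:1}`) for the tarball name. Add a comment line such as `# Values are upstream release tags including the leading "v" (constructed example: v1.2.3)`. Because the strings end up inside download URLs for binaries that are installed under /usr, consider rejecting anything that does not match a strict tag pattern before use, for instance `[[ "${UBUNTU_INSTALL_CONTAINERD_VERSION}" =~ ^v[0-9][0-9A-Za-z.+-]*$ ]]`. The identical hunk in cluster/gce/config-test.sh has the same gap.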
@@ -107,6 +107,13 @@ if [[ "${CONTAINER_RUNTIME}" == "containerd" ]]; then
 LOAD_IMAGE_COMMAND=${KUBE_LOAD_IMAGE_COMMAND:-ctr -n=k8s.io images import}
 fi
 
+# Ability to inject custom versions (Ubuntu OS images ONLY)
+# if KUBE_UBUNTU_INSTALL_CONTAINERD_VERSION or KUBE_UBUNTU_INSTALL_RUNC_VERSION
+# is set to empty then we do not override the version(s) and just
+# use whatever is in the default installation of containerd package
+UBUNTU_INSTALL_CONTAINERD_VERSION=${KUBE_UBUNTU_INSTALL_CONTAINERD_VERSION:-}
+UBUNTU_INSTALL_RUNC_VERSION=${KUBE_UBUNTU_INSTALL_RUNC_VERSION:-}
+
 # MASTER_EXTRA_METADATA is the extra instance metadata on master instance separated by commas.
 MASTER_EXTRA_METADATA=${KUBE_MASTER_EXTRA_METADATA:-${KUBE_EXTRA_METADATA:-}}
 # MASTER_EXTRA_METADATA is the extra instance metadata on node instance separated by commas.
diff --git a/cluster/gce/gci/configure.sh b/cluster/gce/gci/configure.sh
index 12b16a43cdb..e8891e4e049 100644
--- a/cluster/gce/gci/configure.sh
+++ b/cluster/gce/gci/configure.sh
@@ -407,7 +407,7 @@ function load-docker-images {
 function install-docker {
 # bailout if we are not on ubuntu
 if ! command -v apt-get >/dev/null 2>&1; then
- echo "Unable to install automatically install docker. Bailing out..."
+ echo "Unable to automatically install docker. Bailing out..."
 return
 fi
 # Install Docker deps, some of these are already installed in the image but
@@ -437,12 +437,18 @@ function install-docker {
 }
 
 # If we are on ubuntu we can try to install containerd
-function install-containerd {
+function install-containerd-ubuntu {
 # bailout if we are not on ubuntu
- if ! command -v apt-get >/dev/null 2>&1; then
- echo "Unable to install automatically install docker. Bailing out..."
- return
+ if [[ -z "$(command -v lsb_release)" || $(lsb_release -si) != "Ubuntu" ]]; then
+ echo "Unable to automatically install containerd in non-ubuntu image. Bailing out..."
+ exit 2
 fi
+
+ if [[ $(dpkg --print-architecture) != "amd64" ]]; then
+ echo "Unable to automatically install containerd in non-amd64 image. Bailing out..."
+ exit 2
+ fi
+
 # Install dependencies, some of these are already installed in the image but
 # that's fine since they won't re-install and we can reuse the code below
 # for another image someday.
@@ -467,6 +473,16 @@ function install-containerd {
 apt-get update && \
 apt-get install -y --no-install-recommends containerd
 rm -rf /var/lib/apt/lists/*
+
+ # Override to latest versions of containerd and runc
+ systemctl stop containerd
+ if [[ ! -z "${UBUNTU_INSTALL_CONTAINERD_VERSION:-}" ]]; then
+ curl -fsSL "https://github.com/containerd/containerd/releases/download/${UBUNTU_INSTALL_CONTAINERD_VERSION}/containerd-${UBUNTU_INSTALL_CONTAINERD_VERSION:1}.linux-amd64.tar.gz" | tar --overwrite -xzv -C /usr/
+ fi
+ if [[ ! -z "${UBUNTU_INSTALL_RUNC_VERSION:-}" ]]; then
+ curl -fsSL "https://github.com/opencontainers/runc/releases/download/${UBUNTU_INSTALL_RUNC_VERSION}/runc.amd64" --output /usr/sbin/runc && chmod 755 /usr/sbin/runc
+ fi
+ sudo systemctl start containerd
 }
 
 function ensure-container-runtime {
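Review bot: The containerd tarball and the runc binary in the second hunk are fetched from GitHub releases and installed with no integrity check: the tarball is streamed straight into `tar --overwrite -C /usr/` and runc is written directly to /usr/sbin/runc. HTTPS protects only the transfer, and a truncated or substituted artifact would be unpacked over the packaged runtime while containerd is stopped. Download each artifact to a temporary file, compare it with a pinned SHA-256 supplied alongside the version (the two `*_SHA256` variables below are a proposed addition, not part of this patch), and install only after the check passes. `systemctl stop` also runs without sudo while `systemctl start` uses it; both calls should use the same form. The function begins in the previous hunk and its body is only partly visible here.

```shell
  # … unchanged: apt-get install of containerd, systemctl stop containerd …
  local artifact
  artifact="$(mktemp)"
  if [[ -n "${UBUNTU_INSTALL_CONTAINERD_VERSION:-}" ]]; then
    curl -fsSL --output "${artifact}" \
      "https://github.com/containerd/containerd/releases/download/${UBUNTU_INSTALL_CONTAINERD_VERSION}/containerd-${UBUNTU_INSTALL_CONTAINERD_VERSION:1}.linux-amd64.tar.gz"
    # UBUNTU_INSTALL_CONTAINERD_SHA256: proposed setting holding the expected digest.
    echo "${UBUNTU_INSTALL_CONTAINERD_SHA256:?}  ${artifact}" | sha256sum --check --status \
      || { echo "ERROR containerd checksum mismatch. Aborting."; exit 2; }
    tar --overwrite -xzv -C /usr/ -f "${artifact}"
  fi
  if [[ -n "${UBUNTU_INSTALL_RUNC_VERSION:-}" ]]; then
    curl -fsSL --output "${artifact}" \
      "https://github.com/opencontainers/runc/releases/download/${UBUNTU_INSTALL_RUNC_VERSION}/runc.amd64"
    # UBUNTU_INSTALL_RUNC_SHA256: proposed setting holding the expected digest.
    echo "${UBUNTU_INSTALL_RUNC_SHA256:?}  ${artifact}" | sha256sum --check --status \
      || { echo "ERROR runc checksum mismatch. Aborting."; exit 2; }
    install -m 755 "${artifact}" /usr/sbin/runc
  fi
  rm -f "${artifact}"
  # … unchanged: start containerd …
```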
@@ -481,16 +497,27 @@ function ensure-container-runtime {
 fi
 docker version
 elif [[ "${container_runtime}" == "containerd" ]]; then
- set -x
+ # Install containerd/runc if requested
+ if [[ ! -z "${UBUNTU_INSTALL_CONTAINERD_VERSION:-}" || ! -z "${UBUNTU_INSTALL_RUNC_VERSION}" ]]; then
+ install-containerd-ubuntu
+ fi
+ # Verify presence and print versions of ctr, containerd, runc
 if ! command -v ctr >/dev/null 2>&1; then
- install-containerd
- if ! command -v containerd >/dev/null 2>&1; then
- echo "ERROR containerd not found. Aborting."
- exit 2
- fi
+ echo "ERROR ctr not found. Aborting."
+ exit 2
 fi
 ctr --version
+
+ if ! command -v containerd >/dev/null 2>&1; then
+ echo "ERROR containerd not found. Aborting."
+ exit 2
+ fi
 containerd --version
+
+ if ! command -v runc >/dev/null 2>&1; then
+ echo "ERROR runc not found. Aborting."
+ exit 2
+ fi
 runc --version
 fi
 }
diff --git a/cluster/gce/util.sh b/cluster/gce/util.sh
index 8a96237248e..43654795046 100755
--- a/cluster/gce/util.sh
+++ b/cluster/gce/util.sh
@@ -1224,6 +1224,8 @@ DISABLE_PROMETHEUS_TO_SD_IN_DS: $(yaml-quote ${DISABLE_PROMETHEUS_TO_SD_IN_DS:-f
 CONTAINER_RUNTIME: $(yaml-quote ${CONTAINER_RUNTIME:-})
 CONTAINER_RUNTIME_ENDPOINT: $(yaml-quote ${CONTAINER_RUNTIME_ENDPOINT:-})
 CONTAINER_RUNTIME_NAME: $(yaml-quote ${CONTAINER_RUNTIME_NAME:-})
+UBUNTU_INSTALL_CONTAINERD_VERSION: $(yaml-quote ${UBUNTU_INSTALL_CONTAINERD_VERSION:-})
+UBUNTU_INSTALL_RUNC_VERSION: $(yaml-quote ${UBUNTU_INSTALL_RUNC_VERSION:-})
 NODE_LOCAL_SSDS_EXT: $(yaml-quote ${NODE_LOCAL_SSDS_EXT:-})
 LOAD_IMAGE_COMMAND: $(yaml-quote ${LOAD_IMAGE_COMMAND:-})
 ZONE: $(yaml-quote ${ZONE})
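Review bot: The second test in the new install condition of ensure-container-runtime expands `${UBUNTU_INSTALL_RUNC_VERSION}` without the `:-` default that the first operand has, so if the script runs with nounset enabled (not visible in this hunk) and the variable is absent, the expansion aborts before any runtime check is reached. Write both operands the same way, e.g. `if [[ -n "${UBUNTU_INSTALL_CONTAINERD_VERSION:-}" || -n "${UBUNTU_INSTALL_RUNC_VERSION:-}" ]]; then`. Setting either variable also triggers the full apt installation in install-containerd-ubuntu even when containerd is already present on the image; a one-line comment stating that this is intended would help the next reader.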