overhaul base image

.gitignore

@@ -1,10 +1,10 @@
 # build and test outputs
-bin/
+/bin/
-_output/
+/_output/
-_artifacts/
+/_artifacts/
 
 # used for the code generators only
-vendor/
+/vendor/
 
 # macOS
 .DS_Store

images/base/Dockerfile

@@ -12,51 +12,53 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-# kind cluster base image
+# kind node base image
 #
 # For systemd + docker configuration used below, see the following references:
 # https://www.freedesktop.org/wiki/Software/systemd/ContainerInterface/
-# https://developers.redhat.com/blog/2014/05/05/running-systemd-within-docker-container/
-# https://developers.redhat.com/blog/2016/09/13/running-systemd-in-a-non-privileged-container/
 
-ARG BASE_IMAGE="ubuntu:19.10"
+# start from ubuntu 19.10, this image is reasonably small as a starting point
-FROM ${BASE_IMAGE}
+# for a kubernetes node image, it doesn't contain much we don't need
+FROM ubuntu:19.10
 
-# setting DEBIAN_FRONTEND=noninteractive stops some apt warnings, this is not 
+# Configure containerd and runc binaries from kind-ci/containerd-nightlies repository
-# a real argument, we're (ab)using ARG to get a temporary ENV again.
+# The repository contains latest stable releases and nightlies built for multiple architectures
-ARG DEBIAN_FRONTEND=noninteractive
+ARG CONTAINERD_VERSION="v1.3.0-7-g0b43a311"
+# Configure CNI binaries from upstream
+ARG CNI_VERSION="v0.8.2"
+# Configure crictl binary from upstream
+ARG CRICTL_VERSION="v1.16.1"
 
-COPY clean-install /usr/local/bin/clean-install
+# copy in static files (configs, scripts)
-RUN chmod +x /usr/local/bin/clean-install
+COPY files/ /
 
-# Get dependencies
+# Install dependencies, first from apt, then from release tarballs.
-# The base image already has: ssh, apt, snapd
+# NOTE: we use one RUN to minimize layers.
-# This is broken down into (each on a line):
+#
+# First we must ensure that our util scripts are executable.
+#
+# The base image already has: ssh, apt, snapd, but we need to install more packages.
+# Packages installed are broken down into (each on a line):
 # - packages needed to run services (systemd)
-# - CRI (containerd)
 # - packages needed for kubernetes components
 # - misc packages kind uses itself
-# Then we cleanup (removing unwanted systemd services)
+# After installing packages we cleanup by:
-# Then we disable kmsg in journald (these log entries would be confusing)
+# - removing unwanted systemd services)
+# - disabling kmsg in journald (these log entries would be confusing)
 #
-# ********************************<TEMPORARY>***********************************
+# Then we install containerd from our nightly build infrastructure, as this
+# build for multiple architectures and allows us to upgrade to patched releases
+# more quickly.
 #
-# We then download a ctr binary with a tiny additional feature
+# Next we download and extract crictl and CNI plugin binaries from upstream.
-# we use that is not yet merged / packaged.
 #
-# See: https://github.com/containerd/containerd/pull/3259
+# Finally we ensure the /etc/kubernetes/manifests directory exists. Normally
-#
+# a kubeadm debain / rpm package would ensure that this exists but we install
-# This binary is built with hack/build/ctr/run.sh
+# freshly built binaries directly when we build the node image.
-# Sources: https://github.com/BenTheElder/containerd/tree/kind
+RUN echo "Ensuring scripts are executable ..." \
-# Additional commit:
+    && chmod +x /usr/local/bin/clean-install /usr/local/bin/entrypoint \
-# https://github.com/BenTheElder/containerd/commit/cb7c780af2394ab08d5d8a3932ca7437074ae179
+ && echo "Installing Packages ..." \
-#
+    && DEBIAN_FRONTEND=noninteractive clean-install \
-# TODO(bentheelder): remove this once --no-unpack is packaged upstream.
-#
-# *******************************</TEMPORARY>***********************************
-#
-# https://developers.redhat.com/blog/2014/05/05/running-systemd-within-docker-container/
-RUN clean-install \
       systemd systemd-sysv libsystemd0 \
       conntrack iptables iproute2 ethtool socat util-linux mount ebtables udev kmod \
       bash ca-certificates curl rsync \
@@ -68,48 +70,28 @@ RUN clean-install \
     && rm -f /lib/systemd/system/sockets.target.wants/*initctl* \
     && rm -f /lib/systemd/system/basic.target.wants/* \
     && echo "ReadKMsg=no" >> /etc/systemd/journald.conf \
-    && echo "done installing packages"
+ && echo "Installing containerd ..." \
-
+    && export ARCH=$(dpkg --print-architecture | sed 's/ppc64el/ppc64le/' | sed 's/armhf/arm/') \
-# override the rp_filter settings to enable calico cni to "just work"
+    && export CONTAINERD_BASE_URL="https://github.com/kind-ci/containerd-nightlies/releases/download/containerd-${CONTAINERD_VERSION#v}" \
-COPY 10-network-security.conf /etc/sysctl.d/
+    && curl -sSL --retry 5 --output /tmp/containerd.tgz "${CONTAINERD_BASE_URL}/containerd-${CONTAINERD_VERSION#v}.linux-${ARCH}.tar.gz" \
-
-# Install containerd and runc binaries from kind-ci/containerd-nightlies repository
-# The repository contains latest stable releases and nightlies built for multiple architectures
-ARG CONTAINERD_VERSION="v1.3.0-7-g0b43a311"
-ARG CONTAINERD_BASE_URL="https://github.com/kind-ci/containerd-nightlies/releases/download"
-RUN export ARCH=$(dpkg --print-architecture | sed 's/ppc64el/ppc64le/' | sed 's/armhf/arm/') \
-    && export RELEASE_BASE_URL="${CONTAINERD_BASE_URL}/containerd-${CONTAINERD_VERSION#v}" \
-    && curl -sSL --retry 5 --output /tmp/containerd.tgz "${RELEASE_BASE_URL}/containerd-${CONTAINERD_VERSION#v}.linux-${ARCH}.tar.gz" \
     && tar -C /usr/local -xzf /tmp/containerd.tgz \
     && rm -rf /tmp/containerd.tgz \
-    && curl -sSL --retry 5 --output /usr/local/sbin/runc "${RELEASE_BASE_URL}/runc.${ARCH}" \
+    && curl -sSL --retry 5 --output /usr/local/sbin/runc "${CONTAINERD_BASE_URL}/runc.${ARCH}" \
     && chmod 755 /usr/local/sbin/runc \
-    && containerd --version
+    && containerd --version \
-
+    && systemctl enable containerd \
-# Install containerd systemd unit file
+ && echo "Installing crictl ..." \
-COPY containerd.service /etc/systemd/system
+    && curl -fSL "https://github.com/kubernetes-sigs/cri-tools/releases/download/${CRICTL_VERSION}/crictl-${CRICTL_VERSION}-linux-${ARCH}.tar.gz" | tar xzC /usr/local/bin \
-RUN systemctl enable containerd
+ && echo "Installing CNI binaries ..." \
-
+    && export ARCH=$(dpkg --print-architecture | sed 's/ppc64el/ppc64le/' | sed 's/armhf/arm/') \
-# configure containerd with some custom options
-COPY containerd-config.toml /etc/containerd/config.toml
-
-# Install CNI binaries to /opt/cni/bin
-# TODO(bentheelder): doc why / what here
-ARG CNI_VERSION="v0.8.2"
-ARG CNI_BASE_URL="https://github.com/containernetworking/plugins/releases/download/"
-RUN export ARCH=$(dpkg --print-architecture | sed 's/ppc64el/ppc64le/' | sed 's/armhf/arm/') \
     && export CNI_TARBALL="${CNI_VERSION}/cni-plugins-linux-${ARCH}-${CNI_VERSION}.tgz" \
-    && export CNI_URL="${CNI_BASE_URL}${CNI_TARBALL}" \
+    && export CNI_URL="https://github.com/containernetworking/plugins/releases/download/${CNI_TARBALL}" \
     && curl -sSL --retry 5 --output /tmp/cni.tgz "${CNI_URL}" \
     && mkdir -p /opt/cni/bin \
     && tar -C /opt/cni/bin -xzf /tmp/cni.tgz \
-    && rm -rf /tmp/cni.tgz
+    && rm -rf /tmp/cni.tgz \
-
+ && echo "Ensuring /etc/kubernetes/manifests" \
-# Install crictl to /usr/local/bin
+    && mkdir -p /etc/kubernetes/manifests
-ARG CRICTL_VERSION="v1.16.1"
-RUN export ARCH=$(dpkg --print-architecture | sed 's/ppc64el/ppc64le/' | sed 's/armhf/arm/') \
-    && curl -fSL "https://github.com/kubernetes-sigs/cri-tools/releases/download/${CRICTL_VERSION}/crictl-${CRICTL_VERSION}-linux-${ARCH}.tar.gz" | tar xzC /usr/local/bin \
-    && echo 'runtime-endpoint: unix:///var/run/containerd/containerd.sock' > /etc/crictl.yaml
 
 # tell systemd that it is in docker (it will check for the container env)
 # https://www.freedesktop.org/wiki/Software/systemd/ContainerInterface/
@@ -117,12 +99,5 @@ ENV container docker
 # systemd exits on SIGRTMIN+3, not SIGTERM (which re-executes it)
 # https://bugzilla.redhat.com/show_bug.cgi?id=1201657
 STOPSIGNAL SIGRTMIN+3
-
+# NOTE: this is *only* for documentation, the entrypoint is overridden later
-# wrap systemd with our special entrypoint, see pkg/build for how this is built
-# basically this just lets us set up some things before continuing on to systemd
-# while preserving that systemd is PID1
-# for how we leverage this, see pkg/cluster
-COPY [ "entrypoint", "/usr/local/bin/" ]
-# We need systemd to be PID1 to run the various services (docker, kubelet, etc.)
-# NOTE: this is *only* for documentation, the entrypoint is overridden by the node image
 ENTRYPOINT [ "/usr/local/bin/entrypoint", "/sbin/init" ]

images/base/files/etc/crictl.yaml

@@ -0,0 +1 @@
+runtime-endpoint: unix:///var/run/containerd/containerd.sock