Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

build all non-distro-packaged go binaries ourselves and respect .go-version #3201

Merged
merged 4 commits into from
May 10, 2023
Merged

build all non-distro-packaged go binaries ourselves and respect .go-version #3201

merged 4 commits into from
May 10, 2023

Conversation

BenTheElder
Copy link
Member

@BenTheElder BenTheElder commented May 9, 2023
edited
Loading

Pros:

  • streamlines patching go version related CVEs
  • ensures binaries with CGO are linked to the library version we'll be using
  • allows controlling runc version independent of containerd version
  • allows retiring https://github.com/kind-ci/containerd-nightlies, we can leave it as-is but we don't need to keep maintaining this vestigial hack and any contributor can PR changes to the containerd build as normal now
  • allows us to control build-tags and compile out unused containerd snapshotters for some binary size savings
  • ensures we can easily include LICENSE / notice info for binaries not coming from ubuntu packages

Cons:

  • building the node image is more expensive, however we don't have to do this super often and we have automated builds now so we can throw cores at it and still have quick builds. The buildx multi-stage build is a DAG that can execute steps in parallel so with enough cores this runs pretty quickly.
  • we had to put another copy of gimme in the image directory ... you can't use symlinks outside of the build context with docker build and we don't want the whole repo as a build context ... this is the path of least resistance for now. gimme doesn't really need updating for the forseeable future though so this is fine.
  • dockerfile is somewhat more complex with more multi-stage steps, however, on the other hand these steps are typically actually simpler than the "fetch and check shasum" inline scripts, basically just clone and then make

TODO:

When those are complete, go CVEs can be addressed in two PRs:

  1. bump .go-version
  2. bump references to images built as a result of merging 1)

@k8s-ci-robot k8s-ci-robot added do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. labels May 9, 2023
@k8s-ci-robot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: BenTheElder

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added approved Indicates a PR has been approved by an approver from all required OWNERS files. size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files. labels May 9, 2023
BenTheElder
BenTheElder commented May 9, 2023
View reviewed changes
images/base/Dockerfile Outdated Show resolved Hide resolved
@aojea
Copy link
Contributor

aojea commented May 9, 2023

cool

@BenTheElder
Copy link
Member Author

I've run make -C images/base quick locally and the image checks out, I haven't used it for a node image yet, but I don't have any reason to suspect issues there.

aojea
aojea reviewed May 9, 2023
View reviewed changes
images/base/Dockerfile Outdated Show resolved Hide resolved
BenTheElder
BenTheElder commented May 9, 2023
View reviewed changes
images/base/Dockerfile Outdated Show resolved Hide resolved
@BenTheElder BenTheElder force-pushed the go-build branch 2 times, most recently from 2cf344a to c385c0c Compare May 9, 2023 20:45
@BenTheElder
Copy link
Member Author

I've updated this to also include LICENSE and notice files via https://github.com/google/go-license

Some other Kubernetes projects are doing this and we haven't been, this is easier to do now that we're cloning and building these packages.

debian packages that we're just installing the usual way already include comparable info in a standard way.

@BenTheElder
build external go binaries from source
2c2b553 
- streamlines patching go version related CVEs
- ensures binaries with CGO are linked to the library version we'll be using
@BenTheElder BenTheElder changed the title [WIP] build external go binaries from source build external go binaries from source May 9, 2023
@k8s-ci-robot k8s-ci-robot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label May 9, 2023
@BenTheElder BenTheElder force-pushed the go-build branch 2 times, most recently from 110cc1f to 5c8ec48 Compare May 9, 2023 21:20
@BenTheElder BenTheElder mentioned this pull request May 9, 2023
Merged
@BenTheElder BenTheElder force-pushed the go-build branch 3 times, most recently from 2fa880f to 68dfb5b Compare May 9, 2023 21:36
@BenTheElder
Copy link
Member Author

I've tested all of these builds locally in quick mode (single-architecture only w/o pushing).

@BenTheElder BenTheElder changed the title build external go binaries from source build all non-distro-packaged go binaries ourselves and respect .go-version May 9, 2023
aojea
aojea reviewed May 9, 2023
View reviewed changes
images/base/Dockerfile
# set by makefile to .go-version
ARG GO_VERSION
RUN eval "$(gimme "${GO_VERSION}")" \
&& GOBIN=/usr/local/bin go install github.com/google/go-licenses@latest
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Latest?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

yes, the most recent tagged release. the API surface of this tool is small

aojea
aojea reviewed May 9, 2023
View reviewed changes
images/base/Dockerfile
# stage for building runc
FROM go-build as build-runc
ARG GO_VERSION
ARG RUNC_VERSION="v1.1.7"
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Didn't containerd have a specific version for runc that we obtained from one of the files on the repo?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We did do that, but that version is just a recommendation / what they're using in CI in containerd*, we want to be able to control the pace of upgrading runc.

* their own integration tests, maybe not k8s e2e ...

We may even have to split this up and use multiple versions depending on k8s version, see kubernetes/kubernetes#117691 (comment)

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

https://github.com/containerd/containerd/blob/c6d7e45c14896addf3b1e06db3f7999026b0191f/docs/RUNC.md#runc-version-requirements-for-containerd

It's recommended to use a version >= https://github.com/containerd/containerd/blob/main/script/setup/runc-version, but that may actually be broken with Kubernetes or we may want to be ahead.

runc versions will need more thought following the thread I linked above, but for now sticking to the current stable tag.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

should add: 1.1.7 is the version used by containerd 1.6.21 https://github.com/containerd/containerd/releases/tag/v1.6.21

semi-related: they're no longer including runc with containerd releases containerd/containerd#6541

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

turns out we actually need to be able to stick to an older version at times. #3220

older is fine, newer binary may not be. at least as long as we have to support cgroups v1

@aojea
Copy link
Contributor

aojea commented May 10, 2023

/lgtm

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label May 10, 2023
@k8s-ci-robot k8s-ci-robot merged commit 486859a into kubernetes-sigs:main May 10, 2023
@BenTheElder BenTheElder deleted the go-build branch May 10, 2023 14:13
This was referenced May 10, 2023
Merged
Merged
@BenTheElder
Copy link
Member Author

This has serious perf issues in the arm64 cross-build. Working on a fix

@BenTheElder
Copy link
Member Author

follow-up in #3214

@BenTheElder BenTheElder mentioned this pull request May 11, 2023
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@aojea aojea aojea left review comments

@neolit123 neolit123 Awaiting requested review from neolit123

Assignees

@aojea aojea

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. lgtm "Looks good to me", indicates that a PR is ready to be merged. size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@BenTheElder @k8s-ci-robot @aojea