pre-install-payload: Handle an official version of containerd

We rely on the node having containerd v1.7.0 or higher for the work we're doing. With this in mind, let's also ship the minimum containerd required by us, so users can decide whether or not to use it instead of upgrading their clusters. Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
confidential-containers · Aug 31, 2023 · aa02bfe · aa02bfe
1 parent d070983
commit aa02bfe
Show file tree

Hide file tree

Showing 6 changed files with 55 additions and 2 deletions.
diff --git a/config/samples/ccruntime/base/ccruntime.yaml b/config/samples/ccruntime/base/ccruntime.yaml
@@ -69,6 +69,10 @@ spec:
         # default: true
         - name: "INSTALL_COCO_CONTAINERD"
           value: "true"
+        # If set to true, this will install the v1.7.0 release of containerd on the node.
+        # default: false
+        - name: "INSTALL_OFFICIAL_CONTAINERD"
+          value: "false"
     preInstall:
       image: quay.io/confidential-containers/reqs-payload
       volumeMounts:
@@ -90,6 +94,10 @@ spec:
         # default: true
         - name: "INSTALL_COCO_CONTAINERD"
           value: "true"
+        # If set to true, this will install the v1.7.0 release of containerd on the node.
+        # default: false
+        - name: "INSTALL_OFFICIAL_CONTAINERD"
+          value: "false"
     environmentVariables:
       - name: NODE_NAME
         valueFrom:

diff --git a/config/samples/enclave-cc/base/ccruntime-enclave-cc.yaml b/config/samples/enclave-cc/base/ccruntime-enclave-cc.yaml
@@ -67,6 +67,10 @@ spec:
         # default: true
         - name: "INSTALL_COCO_CONTAINERD"
           value: "true"
+        # If set to true, this will install the v1.7.0 release of containerd on the node.
+        # default: false
+        - name: "INSTALL_OFFICIAL_CONTAINERD"
+          value: "false"
     preInstall:
       image: quay.io/confidential-containers/reqs-payload
       volumeMounts:
@@ -88,6 +92,10 @@ spec:
         # default: true
         - name: "INSTALL_COCO_CONTAINERD"
           value: "true"
+        # If set to true, this will install the v1.7.0 release of containerd on the node.
+        # default: false
+        - name: "INSTALL_OFFICIAL_CONTAINERD"
+          value: "false"
     environmentVariables:
       - name: NODE_NAME
         valueFrom:

diff --git a/install/pre-install-payload/Dockerfile b/install/pre-install-payload/Dockerfile
@@ -6,17 +6,36 @@ FROM base as coco-containerd-binary-downloader
 
 ARG ARCH
 ARG COCO_CONTAINERD_VERSION
+ARG COCO_CONTAINERD_REPO
 
 ARG DESTINATION=/opt/confidential-containers-pre-install-artifacts
 ARG NODE_DESTINATION=${DESTINATION}/opt/confidential-containers
 
 RUN \
 	mkdir -p ${NODE_DESTINATION} && \
 	apk --no-cache add curl && \
-	curl -fOL --progress-bar https://github.com/confidential-containers/containerd/releases/download/v${COCO_CONTAINERD_VERSION}/containerd-${COCO_CONTAINERD_VERSION}-linux-${ARCH}.tar.gz && \
+	curl -fOL --progress-bar ${COCO_CONTAINERD_REPO}/releases/download/v${COCO_CONTAINERD_VERSION}/containerd-${COCO_CONTAINERD_VERSION}-linux-${ARCH}.tar.gz && \
 	tar xvzpf containerd-${COCO_CONTAINERD_VERSION}-linux-${ARCH}.tar.gz -C ${NODE_DESTINATION} && \
 	rm containerd-${COCO_CONTAINERD_VERSION}-linux-${ARCH}.tar.gz
 
+#### Official containerd
+
+FROM base as official-containerd-binary-downloader
+
+ARG ARCH
+ARG OFFICIAL_CONTAINERD_VERSION
+ARG OFFICIAL_CONTAINERD_REPO
+
+ARG DESTINATION=/opt/confidential-containers-pre-install-artifacts
+ARG NODE_DESTINATION=${DESTINATION}/opt/confidential-containers
+
+RUN \
+	mkdir -p ${NODE_DESTINATION} && \
+	apk --no-cache add curl && \
+	curl -fOL --progress-bar ${OFFICIAL_CONTAINERD_REPO}/releases/download/v${OFFICIAL_CONTAINERD_VERSION}/containerd-${OFFICIAL_CONTAINERD_VERSION}-linux-${ARCH}.tar.gz && \
+	tar xvzpf containerd-${OFFICIAL_CONTAINERD_VERSION}-linux-${ARCH}.tar.gz -C ${NODE_DESTINATION} && \
+	rm containerd-${OFFICIAL_CONTAINERD_VERSION}-linux-${ARCH}.tar.gz
+
 #### kubectl
 
 FROM base as kubectl-binary-downloader
@@ -42,6 +61,7 @@ ARG NODE_CONTAINERD_SYSTEMD_DESTINATION=${DESTINATION}/etc/systemd/system/contai
 ARG CONTAINERD_SYSTEMD_ARTIFACTS=./containerd/containerd-for-cc-override.conf
 
 COPY --from=coco-containerd-binary-downloader ${NODE_DESTINATION}/bin/containerd ${NODE_DESTINATION}/bin/coco-containerd
+COPY --from=official-containerd-binary-downloader ${NODE_DESTINATION}/bin/containerd ${NODE_DESTINATION}/bin/official-containerd
 COPY --from=kubectl-binary-downloader /usr/bin/kubectl /usr/bin/kubectl
 COPY ${CONTAINERD_SYSTEMD_ARTIFACTS} ${NODE_CONTAINERD_SYSTEMD_DESTINATION}
 

diff --git a/install/pre-install-payload/Makefile b/install/pre-install-payload/Makefile
@@ -1,6 +1,9 @@
 COCO_CONTAINERD_VERSION = 1.6.8.2
+OFFICIAL_CONTAINERD_VERSION = 1.7.0
 
 BASH = bash
 
 reqs-image:
-	coco_containerd_version=$(COCO_CONTAINERD_VERSION) $(BASH) -x payload.sh
+	coco_containerd_version=$(COCO_CONTAINERD_VERSION) \
+	official_containerd_version=$(OFFICIAL_CONTAINERD_VERSION) \
+	$(BASH) -x payload.sh
diff --git a/install/pre-install-payload/payload.sh b/install/pre-install-payload/payload.sh
@@ -8,6 +8,8 @@ script_dir=$(dirname "$(readlink -f "$0")")
 
 coco_containerd_repo=${coco_containerd_repo:-"https://github.com/confidential-containers/containerd"}
 coco_containerd_version=${coco_containerd_version:-"v1.6.6.0"}
+official_containerd_repo=${official_containerd_repo:-"https://github.com/containerd/containerd"}
+official_containerd_version=${official_containerd_version:-"1.7.0"}
 containerd_dir="$(mktemp -d -t containerd-XXXXXXXXXX)/containerd"
 extra_docker_manifest_flags="${extra_docker_manifest_flags:-}"
 
@@ -57,6 +59,9 @@ function build_payload() {
 		docker buildx build \
 			--build-arg ARCH="${golang_arch}" \
 			--build-arg COCO_CONTAINERD_VERSION="${coco_containerd_version}" \
+			--build-arg COCO_CONTAINERD_REPO="${coco_containerd_repo}" \
+			--build-arg OFFICIAL_CONTAINERD_VERSION="${official_containerd_version}" \
+			--build-arg OFFICIAL_CONTAINERD_REPO="${official_containerd_repo}" \
 			-t "${registry}:${kernel_arch}-${tag}" \
 			--platform="${arch}" \
 			--load \

diff --git a/install/pre-install-payload/scripts/reqs-deploy.sh b/install/pre-install-payload/scripts/reqs-deploy.sh
@@ -45,10 +45,18 @@ function install_coco_containerd_artefacts() {
 	install_containerd_artefacts "coco"
 }
 
+function install_official_containerd_artefacts() {
+	install_containerd_artefacts "official"
+}
+
 function install_artifacts() {
 	if [ "${INSTALL_COCO_CONTAINERD}" = "true" ]; then
 		install_coco_containerd_artefacts
 	fi
+
+	if [ "${INSTALL_OFFICIAL_CONTAINERD}" = "true" ]; then
+		install_coco_containerd_artefacts
+	fi
 }
 
 function uninstall_containerd_artefacts() {
@@ -102,6 +110,7 @@ function print_help() {
 
 function main() {
 	echo "INSTALL_COCO_CONTAINERD: ${INSTALL_COCO_CONTAINERD}"
+	echo "INSTALL_OFFICIAL_CONTAINERD: ${INSTALL_OFFICIAL_CONTAINERD}"
 
 	# script requires that user is root
 	local euid=$(id -u)