m/n/k/containerd: use preseeded pause container
To allow tests that run without network access, we need to bundle the pause container.
Change-Id: I1fa6bb70c10a16097d35d919941f501ddc5f784d
Reviewed-on: https://review.monogon.dev/c/monogon/+/2767
Tested-by: Jenkins CI
Reviewed-by: Lorenz Brun <lorenz@monogon.tech>
diff --git a/metropolis/node/BUILD.bazel b/metropolis/node/BUILD.bazel
index eb7e870..52c5d56 100644
--- a/metropolis/node/BUILD.bazel
+++ b/metropolis/node/BUILD.bazel
@@ -84,6 +84,7 @@
# Containerd preseed bundles
"//metropolis/test/e2e/preseedtest:preseedtest_tarball": "/containerd/preseed/k8s.io/preseedtest.tar",
+ "//metropolis/node/kubernetes/pause:pause_tarball": "/containerd/preseed/k8s.io/pause.tar",
# CNI Plugins
"@com_github_containernetworking_plugins//plugins/main/loopback": "/containerd/bin/cni/loopback",
diff --git a/metropolis/node/kubernetes/containerd/config.toml b/metropolis/node/kubernetes/containerd/config.toml
index f033b27..4f6e31c 100644
--- a/metropolis/node/kubernetes/containerd/config.toml
+++ b/metropolis/node/kubernetes/containerd/config.toml
@@ -53,7 +53,7 @@
stream_server_port = "0"
stream_idle_timeout = "4h0m0s"
enable_selinux = false
- sandbox_image = "k8s.gcr.io/pause:3.1"
+ sandbox_image = "preseed.metropolis.internal/node/kubernetes/pause:latest"
stats_collect_period = 10
systemd_cgroup = false
enable_tls_streaming = false
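Review bot: The new `sandbox_image` value is one of three copies of the same image reference (this line, the `--pod-infra-container-image` flag in kubelet.go and `repo_tags` of the `pause_tarball` target), and nothing ties them together, so a later change to the repo tag would silently break sandbox creation. A comment on this line would at least make the coupling visible: `# Must match repo_tags of //metropolis/node/kubernetes/pause:pause_tarball and the --pod-infra-container-image flag in kubelet.go.` The `preseed.metropolis.internal` host is presumably not resolvable, so if the preseed tarball is ever missing the failure will surface only as a pull error when the first pod sandbox is created; worth stating in the comment as well.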
diff --git a/metropolis/node/kubernetes/kubelet.go b/metropolis/node/kubernetes/kubelet.go
index 2d18b72..136bc28 100644
--- a/metropolis/node/kubernetes/kubelet.go
+++ b/metropolis/node/kubernetes/kubelet.go
@@ -29,6 +29,7 @@
kubeletconfig "k8s.io/kubelet/config/v1beta1"
ipb "source.monogon.dev/metropolis/node/core/curator/proto/api"
+
"source.monogon.dev/metropolis/node/core/localstorage"
"source.monogon.dev/metropolis/node/kubernetes/pki"
"source.monogon.dev/metropolis/node/kubernetes/reconciler"
@@ -135,6 +136,8 @@
cmd := exec.CommandContext(ctx, "/kubernetes/bin/kube", "kubelet",
fargs.FileOpt("--config", "config.json", configRaw),
fmt.Sprintf("--container-runtime-endpoint=unix://%s", s.EphemeralDirectory.Containerd.ClientSocket.FullPath()),
+ //TODO: Remove with k8s 1.29 (https://github.com/kubernetes/kubernetes/pull/118544)
+ "--pod-infra-container-image", "preseed.metropolis.internal/node/kubernetes/pause:latest",
fargs.FileOpt("--kubeconfig", "kubeconfig", s.kubeconfig),
fmt.Sprintf("--root-dir=%s", s.KubeletDirectory.FullPath()),
)
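Review bot: The new flag is passed as two argv entries while every neighbouring option uses the `--flag=value` form; `"--pod-infra-container-image=preseed.metropolis.internal/node/kubernetes/pause:latest",` keeps the argument list uniform. The comment should also be written `// TODO:` (space after the slashes) to match Go convention, and it says when the flag goes away but not why it is needed; as far as I recall the kubelet uses this value to exempt the sandbox image from image garbage collection, which is worth stating so the removal can be judged later, e.g. `// TODO: remove with k8s 1.29 (…/pull/118544); until then the kubelet needs the sandbox image name so image GC does not prune the preseeded pause image`. The enclosing function starts and ends outside the hunk.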
diff --git a/metropolis/node/kubernetes/pause/BUILD.bazel b/metropolis/node/kubernetes/pause/BUILD.bazel
new file mode 100644
index 0000000..b70d051
--- /dev/null
+++ b/metropolis/node/kubernetes/pause/BUILD.bazel
@@ -0,0 +1,45 @@
+cc_binary(
+ name = "pause",
+ srcs = [
+ "@io_k8s_kubernetes//build/pause/linux:pause.c",
+ ],
+ visibility = [
+ "//metropolis/node:__pkg__",
+ ],
+)
+
+load("@aspect_bazel_lib//lib:transitions.bzl", "platform_transition_binary")
+
+platform_transition_binary(
+ name = "pause_transitioned",
+ binary = ":pause",
+ target_platform = "//build/platforms:linux_amd64_static",
+ visibility = ["//visibility:private"],
+)
+
+load("@rules_pkg//pkg:tar.bzl", "pkg_tar")
+
+pkg_tar(
+ name = "pause_layer",
+ srcs = [":pause_transitioned"],
+ visibility = ["//visibility:private"],
+)
+
+load("@rules_oci//oci:defs.bzl", "oci_image", "oci_tarball")
+
+oci_image(
+ name = "pause_image",
+ architecture = "amd64",
+ entrypoint = ["/pause"],
+ os = "linux",
+ tars = [":pause_layer"],
+ visibility = ["//visibility:public"],
+ workdir = "/",
+)
+
+oci_tarball(
+ name = "pause_tarball",
+ image = ":pause_image",
+ repo_tags = ["preseed.metropolis.internal/node/kubernetes/pause:latest"],
+ visibility = ["//metropolis/node:__pkg__"],
+)
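Review bot: The `load` statements are interleaved between rules (before `platform_transition_binary`, `pkg_tar` and `oci_image`); Buildifier convention puts all `load`s at the top of the file, before the first rule. `oci_image` sets no `user`, so the sandbox process runs as root inside the container by default; the upstream pause image runs as an unprivileged user if I recall correctly, so `user = "65535:65535",` (or whatever uid upstream uses — confirm) would preserve that property. The visibility is also inconsistent: `pause_image` is public while its only consumer is `pause_tarball` in the same package, so `visibility = ["//visibility:private"],` matches the other intermediate targets.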
diff --git a/third_party/go/patches/k8s-add-pause-build-file.patch b/third_party/go/patches/k8s-add-pause-build-file.patch
new file mode 100644
index 0000000..a5b35fa
--- /dev/null
+++ b/third_party/go/patches/k8s-add-pause-build-file.patch
@@ -0,0 +1,20 @@
+From b524a63f818f74b7fbef0ca0016c61ea454a50bd Mon Sep 17 00:00:00 2001
+From: Tim Windelschmidt <tim@monogon.tech>
+Date: Tue, 13 Feb 2024 15:19:31 +0100
+Subject: [PATCH] add BUILD file for pause container
+
+---
+ build/pause/linux/BUILD.bazel | 1 +
+ 1 file changed, 1 insertion(+)
+ create mode 100644 build/pause/linux/BUILD.bazel
+
+diff --git a/build/pause/linux/BUILD.bazel b/build/pause/linux/BUILD.bazel
+new file mode 100644
+index 00000000000..8057dd4a859
+--- /dev/null
++++ b/build/pause/linux/BUILD.bazel
+@@ -0,0 +1 @@
++exports_files(["pause.c"])
+--
+2.42.0
+
diff --git a/third_party/go/repositories.bzl b/third_party/go/repositories.bzl
index a6b9685..98eadfd 100644
--- a/third_party/go/repositories.bzl
+++ b/third_party/go/repositories.bzl
@@ -6346,6 +6346,7 @@
patches = [
"//third_party/go/patches:k8s-native-metrics.patch",
"//third_party/go/patches:k8s-removed-block-device-pseudo-locks.patch",
+ "//third_party/go/patches:k8s-add-pause-build-file.patch",
],
pre_patches = [
"//third_party/go/patches:k8s-fix-logs-path.patch",