From 1cbea9b599c9f1a40248c0e0087332e345d5e138 Mon Sep 17 00:00:00 2001 From: Austin Vazquez Date: Wed, 25 Dec 2024 00:35:33 -0800 Subject: [PATCH] feat: add container runtime archive configuration This change adds container runtime archive configuration as a tracked dependency with weekly update automation against upstream nerdctl full archives. Signed-off-by: Austin Vazquez --- .github/workflows/macos-ci.yaml | 1 + .github/workflows/update-dependencies.yaml | 82 +++++++++++++++++-- Makefile | 3 - Makefile.darwin | 22 +++-- Makefile.windows | 4 +- bin/update-container-runtime-full-archive.sh | 49 +++++++++++ ...{update-deps.sh => update-lima-bundles.sh} | 2 +- deps/README.md | 18 ++-- deps/container-runtime-full-archive.conf | 7 ++ lima-template/fedora.yaml | 10 +-- 10 files changed, 166 insertions(+), 32 deletions(-) create mode 100644 bin/update-container-runtime-full-archive.sh rename bin/{update-deps.sh => update-lima-bundles.sh} (97%) create mode 100644 deps/container-runtime-full-archive.conf diff --git a/.github/workflows/macos-ci.yaml b/.github/workflows/macos-ci.yaml index d688ff4..afa81aa 100644 --- a/.github/workflows/macos-ci.yaml +++ b/.github/workflows/macos-ci.yaml @@ -11,6 +11,7 @@ on: - main paths: - .github/workflows/macos-ci.yaml + - deps/container-runtime-full-archive.conf - deps/full-os.conf - deps/lima.conf - e2e/** diff --git a/.github/workflows/update-dependencies.yaml b/.github/workflows/update-dependencies.yaml index 5bc096f..92c06cb 100644 --- a/.github/workflows/update-dependencies.yaml +++ b/.github/workflows/update-dependencies.yaml 
@@ -3,17 +3,27 @@ on: schedule: - cron: '0 11 * * 2' workflow_dispatch: + inputs: + nerdctl_tag_override: + type: string + description: The tag of nerdctl full archive to update + required: false + default: 'latest' permissions: - # This is required for configure-aws-credentials to request an OIDC JWT ID token to access AWS resources later on. - # More info: https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect#adding-permissions-settings - id-token: write - contents: write - pull-requests: write + contents: read jobs: update-deps: runs-on: ubuntu-latest + + permissions: + # This is required for configure-aws-credentials to request an OIDC JWT ID token to access AWS resources later on. + # More info: https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect#adding-permissions-settings + id-token: write + contents: write + pull-requests: write + steps: - name: Checkout code uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 @@ -25,9 +35,9 @@ jobs: role-session-name: dependency-upload-session aws-region: ${{ secrets.REGION }} - - name: Update Lima dependencies archive for Finch on macOS - run: bash bin/update-deps.sh -d ${{ secrets.DEPENDENCY_BUCKET_NAME }} - + - name: Update Lima bundle archive for Finch on macOS + run: bash bin/update-lima-bundles.sh -d ${{ secrets.DEPENDENCY_BUCKET_NAME }} + - name: Update base OS for Finch on macOS run: bash bin/update-os-image.sh -d ${{ secrets.DEPENDENCY_BUCKET_NAME }} 
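Review bot: `default: 'latest'` for `nerdctl_tag_override` is a non-empty value, so on every manual dispatch the `[[ -n … ]]` override test in the fetch-nerdctl-latest-release step of the `@@ -45,3 +55,59 @@` hunk is true and `tag` becomes the literal string `latest`, which is not a nerdctl git tag and turns the download path into `.../releases/download/latest/SHA256SUMS`. Use an empty default so the newest tag is chosen unless a caller supplies one: `default: ''`, and make the description say that, e.g. `description: Optional nerdctl release tag (e.g. v1.7.7); empty selects the newest tag`. The permissions split itself looks right: workflow-level `contents: read` with elevation only on the jobs that need it.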
@@ -45,3 +55,59 @@ jobs: signoff: true title: 'build(deps): Bump finch dependencies' branch: create-pull-request/bump-finch-dependencies + + fetch-nerdctl-latest-release: + runs-on: ubuntu-latest + + outputs: + tag: ${{ steps.latest-nerdctl-release.outputs.NERDCTL_TAG }} + + steps: + - name: Checkout nerdctl + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + with: + repository: containerd/nerdctl + fetch-tags: true + - name: Fetch tag for latest release + id: nerdctl-latest-release + run: | + tag=$(git tag --sort=-version:refname | head -n 1) + if [[ -n ${{ github.event.inputs.nerdctl_tag_override }} ]]; then + tag=${{ github.event.inputs.nerdctl_tag_override }} + fi + echo "NERDCTL_TAG=$tag" >> $GITHUB_OUTPUT + + update-container-runtime-full-archive: + runs-on: ubuntu-latest + needs: [fetch-nerdctl-latest-release] + + permissions: + contents: write + pull-requests: write + + env: + NERDCTL_TAG: ${{ needs.fetch-nerdctl-latest-release.outputs.tag }} + + steps: + - name: Checkout code + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + + - name: Update container runtime dependencies + run: bash bin/update-container-runtime-deps.sh -t ${{ env.NERDCTL_TAG }} + + - name: Create PR + uses: peter-evans/create-pull-request@5e914681df9dc83aa4e4905692ca88beb2f9e91f # v7.0.5 + with: + token: ${{ secrets.GITHUB_TOKEN }} + signoff: true + branch: create-pull-request/update-container-runtime-full-archive-${{ env.NERDCTL_TAG }} + delete-branch: true + title: 'build(deps): update container runtime full archive to nerdctl-${{ env.NERDCTL_TAG }}' + add-paths: deps/container-runtime-full-archive.conf + body: | + Update the container runtime full archive to nerdctl ${{ env.NERDCTL_TAG }} for macOS and Window platforms. + + See https://github.com/containerd/nerdctl/releases/tag/${{ env.NERDCTL_TAG }} for more details. 
+ + This PR created by [create-pull-request](https://github.com/peter-evans/create-pull-request) must be closed + and reopened manually to trigger automated checks. diff --git a/Makefile b/Makefile index 295048d..7eeed5e 100644 --- a/Makefile +++ b/Makefile @@ -24,9 +24,6 @@ all: install.dependencies install.dependencies: $(FINCH_DAEMON_OUTDIR)/finch-daemon # Rootfs required for Windows, require full OS for Mac -FINCH_IMAGE_LOCATION ?= -FINCH_IMAGE_DIGEST ?= -FINCH_VM_TYPE ?= BUILD_OS ?= $(OS) ifeq ($(BUILD_OS), Windows_NT) include Makefile.windows diff --git a/Makefile.darwin b/Makefile.darwin index 9ff916c..879cd29 100644 --- a/Makefile.darwin +++ b/Makefile.darwin @@ -8,17 +8,23 @@ SOCKET_VMNET_TEMP_PREFIX ?= $(OUTDIR)/dependencies/lima-socket_vmnet/opt/finch include $(CURDIR)/deps/full-os.conf ifeq ($(ARCH),x86_64) -FINCH_OS_BASENAME ?= $(X86_64_ARTIFACT) -FINCH_OS_DIGEST ?= $(X86_64_512_DIGEST) +FINCH_OS_BASENAME := $(X86_64_ARTIFACT) +FINCH_OS_DIGEST := $(X86_64_512_DIGEST) LIMA_ARCH = x86_64 else -FINCH_OS_BASENAME ?= $(AARCH64_ARTIFACT) -FINCH_OS_DIGEST ?= $(AARCH64_512_DIGEST) +FINCH_OS_BASENAME := $(AARCH64_ARTIFACT) +FINCH_OS_DIGEST := $(AARCH64_512_DIGEST) LIMA_ARCH = aarch64 endif -FINCH_IMAGE_LOCATION := $(OS_OUTDIR)/$(FINCH_OS_BASENAME) -FINCH_IMAGE_DIGEST := "sha512:$(FINCH_OS_DIGEST)" +FINCH_IMAGE_LOCATION ?= $(OS_OUTDIR)/$(FINCH_OS_BASENAME) +FINCH_IMAGE_DIGEST ?= "sha512:$(FINCH_OS_DIGEST)" + +include $(CURDIR)/deps/container-runtime-full-archive.conf +CONTAINER_RUNTIME_ARCHIVE_AARCH64_LOCATION ?= "$(ARTIFACT_BASE_URL)/$(AARCH64_ARTIFACT)" +CONTAINER_RUNTIME_ARCHIVE_AARCH64_DIGEST ?= "sha256:$(AARCH64_256_DIGEST)" +CONTAINER_RUNTIME_ARCHIVE_X86_64_LOCATION ?= "$(ARTIFACT_BASE_URL)/$(X86_64_ARTIFACT)" +CONTAINER_RUNTIME_ARCHIVE_X86_64_DIGEST ?= "sha256:$(X86_64_256_DIGEST)" # Virtualization framework is the default virtual machine type on Finch on macOS # This is only used for testing of Finch core bundles. 
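Review bot: The `Update container runtime dependencies` step runs `bin/update-container-runtime-deps.sh`, but the script this commit creates is `bin/update-container-runtime-full-archive.sh`, so the job fails before a PR is opened; the line should read `run: bash bin/update-container-runtime-full-archive.sh -t "${NERDCTL_TAG}"`. The job output reads `steps.latest-nerdctl-release.outputs.NERDCTL_TAG`, while the step is declared `id: nerdctl-latest-release`, which leaves `NERDCTL_TAG` empty in the downstream job. The override value is expanded with `${{ github.event.inputs.nerdctl_tag_override }}` directly inside the `run:` script and, unquoted, into the branch name and PR title; the usual hardening is to pass it through `env:` and reference it as a quoted shell variable, as sketched below. `git tag --sort=-version:refname | head -n 1` may also pick a pre-release tag if upstream publishes any, so filtering to a release pattern is worth considering.
```yaml
    outputs:
      tag: ${{ steps.nerdctl-latest-release.outputs.NERDCTL_TAG }}
    # … unchanged: checkout of containerd/nerdctl …
      - name: Fetch tag for latest release
        id: nerdctl-latest-release
        env:
          TAG_OVERRIDE: ${{ github.event.inputs.nerdctl_tag_override }}
        run: |
          tag=$(git tag --sort=-version:refname | head -n 1)
          if [[ -n "$TAG_OVERRIDE" ]]; then
            tag="$TAG_OVERRIDE"
          fi
          echo "NERDCTL_TAG=$tag" >> "$GITHUB_OUTPUT"
    # … unchanged: update-container-runtime-full-archive job, except the run line …
      - name: Update container runtime dependencies
        run: bash bin/update-container-runtime-full-archive.sh -t "${NERDCTL_TAG}"
```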
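Review bot: `deps/full-os.conf` and the newly included `deps/container-runtime-full-archive.conf` define the same variable names (`AARCH64_ARTIFACT`, `X86_64_ARTIFACT` and a `*_DIGEST` each), so the second include overwrites the first; switching `FINCH_OS_BASENAME`/`FINCH_OS_DIGEST` to `:=` handles that, but the new `CONTAINER_RUNTIME_ARCHIVE_*` values are recursive (`?=`) and will reflect whatever `AARCH64_ARTIFACT`/`X86_64_ARTIFACT` hold when the fedora.yaml rule runs, so any later include of another `deps/*.conf` with the same keys would silently redirect the archive URLs. A comment should record the ordering constraint, e.g. `# NOTE: full-os.conf and container-runtime-full-archive.conf share variable names; FINCH_OS_* must be snapshotted with := above, and this must stay the last deps/*.conf included`. Wrapping each value in `ifndef CONTAINER_RUNTIME_ARCHIVE_AARCH64_LOCATION` / `:=` / `endif` would remove the dependency on include order while keeping the command-line override.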
@@ -55,6 +61,10 @@ $(LIMA_TEMPLATE_OUTDIR)/fedora.yaml: $(LIMA_TEMPLATE_OUTDIR) sed -i.bak -e "s||$(FINCH_IMAGE_LOCATION)|g" $@.template sed -i.bak -e "s//$(LIMA_ARCH)/g" $@.template sed -i.bak -e "s//$(FINCH_IMAGE_DIGEST)/g" $@.template + sed -i.bak -e "s||$(CONTAINER_RUNTIME_ARCHIVE_AARCH64_LOCATION)|g" $@.template + sed -i.bak -e "s//$(CONTAINER_RUNTIME_ARCHIVE_AARCH64_DIGEST)/g" $@.template + sed -i.bak -e "s||$(CONTAINER_RUNTIME_ARCHIVE_X86_64_LOCATION)|g" $@.template + sed -i.bak -e "s//$(CONTAINER_RUNTIME_ARCHIVE_X86_64_DIGEST)/g" $@.template # Replace was successful, so cleanup .bak files rm $(LIMA_TEMPLATE_OUTDIR)/*.yaml.template.bak diff --git a/Makefile.windows b/Makefile.windows index db045d2..a4906d6 100644 --- a/Makefile.windows +++ b/Makefile.windows @@ -7,8 +7,8 @@ OUTPUT_DIRECTORIES += $(ROOTFS_OUTPUT_DIR) include $(CURDIR)/deps/rootfs.conf ifeq ($(ARCH), x86_64) -FINCH_ROOTFS_BASENAME ?= $(X86_64_ARTIFACT) -FINCH_ROOTFS_DIGEST ?= $(X86_64_512_DIGEST) +FINCH_ROOTFS_BASENAME := $(X86_64_ARTIFACT) +FINCH_ROOTFS_DIGEST := $(X86_64_512_DIGEST) else $(error Finch on Windows ARM not supported) endif diff --git a/bin/update-container-runtime-full-archive.sh b/bin/update-container-runtime-full-archive.sh new file mode 100644 index 0000000..2e56542 --- /dev/null +++ b/bin/update-container-runtime-full-archive.sh 
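Review bot: The four new `sed` substitutions interpolate the `CONTAINER_RUNTIME_ARCHIVE_*` values verbatim into the replacement side, and those values are defined with surrounding double quotes (`?= "…"`); it appears the recipe shell's quote toggling strips them before `sed` sees the expression, so only the template's own YAML quoting survives, but that is easy to break and deserves a line, e.g. `# The quotes on CONTAINER_RUNTIME_ARCHIVE_* are consumed by the shell and never reach the YAML`. Nothing escapes `&`, `\` or the `|`/`/` delimiters in the replacement text, so a conf value containing one would corrupt the rendered template; since the digests are produced by the update script, validating them there (64 hex characters) is the cheaper guard. The placeholder tokens between the `s|` delimiters are not visible in this rendering, so the patterns themselves could not be checked.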
@@ -0,0 +1,49 @@
+#!/usr/bin/env bash
+
+# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+# SPDX-License-Identifier: Apache-2.0
+
+# A script to update the container runtime full archive used for Finch on macOS and Windows.
+#
+# Usage: bash update-container-runtime-full-archive.sh -t
+
+set -euxo pipefail
+
+CURRENT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+PROJECT_ROOT="$(cd -- "${CURRENT_DIR}/.." && pwd)"
+
+while getopts t: flag
+do
+ case "${flag}" in
+ t) tag=${OPTARG};;
+ *) echo "Error: unknown flag" && exit 1;;
+ esac
+done
+[[ -z "$tag" ]] && { echo "Error: Git tag not set"; exit 1; }
+
+DEPENDENCY_DOWNLOAD_BASE_URL="https://github.com/containerd/nerdctl/releases/download"
+dependency_download_url="${DEPENDENCY_DOWNLOAD_BASE_URL}/${tag}"
+
+# Pull upstream's published release shasums and save for later artifact verification.
+mkdir -p "${PROJECT_ROOT}/downloads"
+downloaded_shasums="${PROJECT_ROOT}/downloads/nerdctl-${tag}.sha256sums"
+curl -L --fail "${dependency_download_url}/SHA256SUMS" > "${downloaded_shasums}"
+
+version=${tag#v}
+aarch64_deps="nerdctl-full-${version}-linux-arm64.tar.gz"
+aarch64_deps_shasum=$(grep "${aarch64_deps}" "${downloaded_shasums}" | cut -d ' ' -f 1)
+amd64_deps="nerdctl-full-${version}-linux-amd64.tar.gz"
+amd64_deps_shasum=$(grep "${amd64_deps}" "${downloaded_shasums}" | cut -d ' ' -f 1)
+
+# Update archive file with latest artifacts and digests.
+ARCHIVE_FILE="${PROJECT_ROOT}/deps/container-runtime-full-archive.conf"
+truncate -s 0 "${ARCHIVE_FILE}"
+{
+ echo "ARTIFACT_BASE_URL=${dependency_download_url}"
+ echo ""
+ echo "AARCH64_ARTIFACT=${aarch64_deps}"
+ echo "AARCH64_256_DIGEST=${aarch64_deps_shasum}"
+ echo ""
+ echo "X86_64_ARTIFACT=${amd64_deps}"
+ echo "X86_64_256_DIGEST=${amd64_deps_shasum}"
+} >> "${ARCHIVE_FILE}"
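Review bot: With `set -u` in effect, running the script without `-t` fails on `[[ -z "$tag" ]]` with an unbound-variable error instead of the intended `Error: Git tag not set`; initialise `tag=""` before the `getopts` loop. The `grep "${aarch64_deps}"` and `grep "${amd64_deps}"` lookups are unanchored regexes (each `.` matches any character), so a second SHA256SUMS entry containing the filename as a substring would yield two digests joined by a newline, and nothing checks that what is written into `deps/container-runtime-full-archive.conf` is a 64-character hex digest. `tag` is caller-supplied and is spliced into a URL, two filenames and the conf file, so a shape check (`^v[0-9]+\.[0-9]+\.[0-9]+`) before use is cheap. `truncate -s 0` followed by `>>` can be a single `> "${ARCHIVE_FILE}"` redirection. The lookup and validation changes are sketched below; they assume the `hash  filename` column layout of upstream's SHA256SUMS, and an upstream signature for that file, if one is published, would be worth verifying here too.
```bash
tag=""
# … unchanged: getopts loop …
[[ -z "$tag" ]] && { echo "Error: Git tag not set"; exit 1; }
[[ "$tag" =~ ^v[0-9]+\.[0-9]+\.[0-9]+ ]] || { echo "Error: unexpected tag format: ${tag}"; exit 1; }
# … unchanged: SHA256SUMS download …
# Exact filename match on the second column; refuse anything that is not a sha256 hex digest.
digest_for() {
    local digest
    digest=$(awk -v name="$1" '$2 == name { print $1 }' "${downloaded_shasums}")
    [[ "$digest" =~ ^[0-9a-f]{64}$ ]] || { echo "Error: no valid digest for $1"; exit 1; }
    echo "$digest"
}
aarch64_deps_shasum=$(digest_for "${aarch64_deps}")
amd64_deps_shasum=$(digest_for "${amd64_deps}")
# … unchanged: conf file generation, written with a single > redirection …
```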
diff --git a/bin/update-deps.sh b/bin/update-lima-bundles.sh similarity index 97% rename from bin/update-deps.sh rename to bin/update-lima-bundles.sh index 582d840..fe3e070 100755 --- a/bin/update-deps.sh +++ b/bin/update-lima-bundles.sh @@ -5,7 +5,7 @@ # A script to update the lima dependency used for Finch on MacOS and Windows. # -# Usage: bash update-deps.sh -d +# Usage: bash update-lima-bundles.sh -d set -euxo pipefail diff --git a/deps/README.md b/deps/README.md index d5e9528..a28ee47 100644 --- a/deps/README.md +++ b/deps/README.md @@ -33,12 +33,16 @@ supported so the ARM configuration is not required in ## Updating artifact configuration -Artifact configuration for the Lima bundle for Finch on macOS and the rootfs -for Finch on Windows is updated via the +Artifact configuration for the Finch on macOS virtual machine image, +Lima bundles, rootfs for Finch on Windows, and +container runtime full archive is updated via the [update dependencies](../.github/workflows/update-dependencies.yaml) -GitHub Actions workflow. The workflow scans S3 for more up-to-date -versions of the required dependency and opens a pull request with -the configuration updates. +GitHub Actions workflow. -Artifact configuration for the Finch on macOS virtual machine image -is still manually updated. +For Finch on macOS virtual machine image, Lima bundles, and Finch on Windows rootfs, +the workflow scans S3 for more up-to-date versions of the required dependency and +opens a pull request with the configuration updates. + +For Finch on macOS and Windows container runtime full archive, the workflow checks +upstream for new upstream nerdctl releases and opens a pull request with the configuration +updates. diff --git a/deps/container-runtime-full-archive.conf b/deps/container-runtime-full-archive.conf new file mode 100644 index 0000000..552c0a6 --- /dev/null +++ b/deps/container-runtime-full-archive.conf 
@@ -0,0 +1,7 @@ +ARTIFACT_BASE_URL=https://github.com/containerd/nerdctl/releases/download/v1.7.7 + +AARCH64_ARTIFACT=nerdctl-full-1.7.7-linux-arm64.tar.gz +AARCH64_256_DIGEST=b161a20c0e41f9ad999e8411e23c58ece4b3e584ae90b4252b76a39eee4a0c31 + +X86_64_ARTIFACT=nerdctl-full-1.7.7-linux-amd64.tar.gz +X86_64_256_DIGEST=a731eac93e8e9dda1a0d76dc1606438deb0668ea7d6bd5c5af436353ed9f65c5 diff --git a/lima-template/fedora.yaml b/lima-template/fedora.yaml index a00c9fd..0ec416f 100644 --- a/lima-template/fedora.yaml +++ b/lima-template/fedora.yaml @@ -118,12 +118,12 @@ containerd: # # Override containerd archive # # 🟢 Builtin default: hard-coded URL with hard-coded digest (see the output of `limactl info | jq .defaultTemplate.containerd.archives`) archives: - - location: "https://github.com/containerd/nerdctl/releases/download/v1.7.7/nerdctl-full-1.7.7-linux-amd64.tar.gz" - arch: "x86_64" - digest: "sha256:a731eac93e8e9dda1a0d76dc1606438deb0668ea7d6bd5c5af436353ed9f65c5" - - location: "https://github.com/containerd/nerdctl/releases/download/v1.7.7/nerdctl-full-1.7.7-linux-arm64.tar.gz" + - location: "" arch: "aarch64" - digest: "sha256:b161a20c0e41f9ad999e8411e23c58ece4b3e584ae90b4252b76a39eee4a0c31" + digest: "" + - location: "" + arch: "x86_64" + digest: "" # Provisioning scripts need to be idempotent because they might be called # multiple times, e.g. when the host VM is being restarted.
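Review bot: The `location`/`digest` values under `archives:` are now placeholders instead of the previous hard-coded nerdctl 1.7.7 URLs and digests, so this template is no longer usable with `limactl` until the `$(LIMA_TEMPLATE_OUTDIR)/fedora.yaml` rule in Makefile.darwin has rendered it, yet the `# # Override containerd archive` comment above still reads as a hand-set override. A comment on the block should say so, e.g. `# location/digest placeholders are filled from deps/container-runtime-full-archive.conf by the fedora.yaml rule in Makefile.darwin`. The placeholder tokens are not visible in this rendering, so they could not be checked against the sed patterns in that rule.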