* Use channel.yaml instead of curling for stable for kubectl install
* Stop vex report from leaking out of make local-image
Signed-off-by: Derek Nola <derek.nola@suse.com>
Not currently used, but was useful in tracking down the specific call path for the empty token handling
Prints error as:
> `msg="Error: starting kubernetes: failed to start cluster: failed to normalize server token; must be in format K10<CA-HASH>::<USERNAME>:<PASSWORD> or <PASSWORD> at github.com/urfave/cli/v2.(*App).RunContext(app.go:333)->github.com/urfave/cli/v2.(*Command).Run(command.go:269)->github.com/urfave/cli/v2.(*Command).Run(command.go:276)->github.com/k3s-io/k3s/pkg/cli/server.Run(server.go:48)->github.com/k3s-io/k3s/pkg/cli/server.run(server.go:629)->github.com/k3s-io/k3s/pkg/server.StartServer(server.go:74)->github.com/k3s-io/k3s/pkg/daemons/control.Server(server.go:72)->github.com/k3s-io/k3s/pkg/cluster.(*Cluster).Start(cluster.go:75)->github.com/k3s-io/k3s/pkg/cluster.Save(storage.go:79)->github.com/k3s-io/k3s/pkg/util.NormalizeToken(token.go:51)"`
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
Fixes issue preventing containerd from accessing spegel on ipv6-primary agents. Only affects agents because only agents use the kubelet-serving cert for the supervisor listener.
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
* Update install tests with new images, add alma10
Signed-off-by: Derek Nola <derek.nola@suse.com>
* Stop running each provisioning step individually for install tests
Signed-off-by: Derek Nola <derek.nola@suse.com>
---------
Signed-off-by: Derek Nola <derek.nola@suse.com>
Upgrade docker/docker dependency from v25.0.8 to v25.0.13 to address
CVE-2025-54410 which affects Moby/Docker versions before 25.0.13.
This vulnerability could allow containers across different bridge networks
to access each other's ports when firewalld is reloaded, breaking network
isolation.
Signed-off-by: Rahul Rai <rahul.cncf@gmail.com>
* Move cleanup earlier, to prevent running out of space when restoring caches
* Consistently use local setup-go action to avoid saving cache on PR runs
* Update local setup-go action
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
Manifest from https://raw.githubusercontent.com/longhorn/longhorn/v1.10.1/deploy/longhorn.yaml - with modifications to use rancher-mirrored images to avoid image pull rate limits, and allow operation on a node with fewer resources.
Also adds more log dumping on integration test failure.
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
Spegel insists on checking containerd features when the store is created, so defer creating it until after containerd is up
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
Fixes HIGH CVE-2025-68156. This is an indirect dep from github.com/nats-io/jsm.go but it appears they have not yet bumped it either
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
- Use os.CreateTemp to avoid race conditions with fixed temp filename
- Add f.Sync() before close to ensure data durability
- Check all fmt.Fprintf errors instead of ignoring them
- Preserve original file permissions when overwriting
- Handle dir== edge case from filepath.Split
- Check os.MkdirAll error
- Proper cleanup on all error paths
Signed-off-by: luojiyin <luojiyin@hotmail.com>
Add documentation comments to WriteSubnetFile
Clarify the design choices for atomic file writing:
- Explain why CreateTemp is used (defense-in-depth, avoids pre-existing file issues)
- Document the single-instance assumption
- Note the permission preservation logic
Signed-off-by: luojiyin <luojiyin@hotmail.com>
Update WriteSubnetFile comment to clarify CreateTemp rationale
Remove misleading reference to concurrent writes (K3s is single-instance).
Focus on the actual benefits: avoiding stale temp files from crashes,
handling unexpected permissions/ownership, and O_EXCL guarantees.
Signed-off-by: luojiyin <luojiyin@hotmail.com>
Refactor cleanup to use merr.NewErrors for better error aggregation
Address review feedback from @brandond to improve error handling:
- Change cleanup function to accept error parameter
- Use merr.NewErrors to aggregate original error with Close/Remove errors
- Simplify error handling with consistent return cleanup(err) pattern
Signed-off-by: luojiyin <luojiyin@hotmail.com>
Fix Close error handling to preserve original error
Add cleanupNoClose helper to avoid double Close and preserve the
original Close error when file close fails.
Signed-off-by: luojiyin <luojiyin@hotmail.com>
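The atomic-write pattern the WriteSubnetFile commits above describe, as an added example that is not k3s's own code. `writeFileAtomic` and the sample path are hypothetical, and the standard library's `errors.Join` stands in for the `merr.NewErrors` the commits mention.

```go
package main

import (
	"errors"
	"os"
	"path/filepath"
)

// writeFileAtomic is a hypothetical helper: temp file in the target dir, then rename.
func writeFileAtomic(path string, data []byte, defaultMode os.FileMode) error {
	dir, name := filepath.Split(path)
	if dir == "" {
		dir = "." // filepath.Split returns an empty dir for a bare filename
	}
	if err := os.MkdirAll(dir, 0o755); err != nil {
		return err
	}
	mode := defaultMode
	if st, err := os.Stat(path); err == nil {
		mode = st.Mode().Perm() // keep the permissions of the file being replaced
	}
	// CreateTemp uses O_EXCL and a random suffix: a stale temp file is never reused.
	f, err := os.CreateTemp(dir, "."+name+".tmp-*")
	if err != nil {
		return err
	}
	// cleanup removes the temp file and keeps the original error alongside any new one.
	cleanup := func(err error) error {
		return errors.Join(err, os.Remove(f.Name()))
	}
	if _, err := f.Write(data); err != nil {
		return cleanup(errors.Join(err, f.Close()))
	}
	if err := errors.Join(f.Chmod(mode), f.Sync()); err != nil { // flush before publishing
		return cleanup(errors.Join(err, f.Close()))
	}
	if err := f.Close(); err != nil {
		return cleanup(err) // Close already ran: do not call it a second time
	}
	if err := os.Rename(f.Name(), path); err != nil {
		return cleanup(err)
	}
	return nil
}

func main() {
	if err := writeFileAtomic(filepath.Join(os.TempDir(), "subnet.env"), []byte("FLANNEL_MTU=1450\n"), 0o644); err != nil {
		panic(err)
	}
}
```

Because the rename happens within one directory, a reader sees either the old file or the complete new one, never a partial write.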
Reconcile against local etcd would short-circuit and skip reading from the datastore if the cert dirs were missing.
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
Fixes an issue where copying files out from under a currently-running etcd instance can cause startup reconcile to fail. Direct creation of a mvcc store without any of the raft stuff is faster, and gives us direct control over how the store handles snapshot recovery.
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
Need to check out one deeper than the number of commits in order to compare to the target branch
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>