Merge pull request #136726 from dims/fix-containerd-ubuntu-dual-install

Fix install-containerd-ubuntu to skip apt when both versions specified

cluster/gce/gci/configure.sh

@@ -510,70 +510,98 @@ function load-docker-images {
   fi
 }
 
-# If we are on ubuntu we can try to install containerd
+# Create containerd systemd service (needed when skipping apt install)
+function ensure-containerd-systemd-service {
+  local -r svc="/etc/systemd/system/containerd.service"
+  [[ -f "${svc}" ]] && return 0
+  cat > "${svc}" <<'EOF'
+[Unit]
+Description=containerd container runtime
+Documentation=https://containerd.io
+After=network.target local-fs.target
+[Service]
+ExecStartPre=-/sbin/modprobe overlay
+ExecStart=/usr/bin/containerd
+Type=notify
+Delegate=yes
+KillMode=process
+Restart=always
+RestartSec=5
+LimitNPROC=infinity
+LimitCORE=infinity
+LimitNOFILE=infinity
+TasksMax=infinity
+OOMScoreAdjust=-999
+[Install]
+WantedBy=multi-user.target
+EOF
+  systemctl daemon-reload && systemctl enable containerd
+}
+
+# Download and install containerd binary from GitHub
+function install-containerd-binary {
+  local -r version="$1" temp_dir="$(mktemp -d)"
+  local -r url="https://github.com/containerd/containerd/releases/download/${version}/containerd-${version#v}-${HOST_PLATFORM}-${HOST_ARCH}.tar.gz"
+  if download-robust "containerd ${version}" "${temp_dir}" "${url}"; then
+    tar --overwrite -xzf "${temp_dir}"/containerd-*.tar.gz -C /usr/
+    rm -rf "${temp_dir}"; return 0
+  fi
+  rm -rf "${temp_dir}"; return 1
+}
+
+# Download and install runc binary from GitHub
+function install-runc-binary {
+  local -r version="$1" temp_dir="$(mktemp -d)"
+  local -r url="https://github.com/opencontainers/runc/releases/download/${version}/runc.${HOST_ARCH}"
+  if download-robust "runc ${version}" "${temp_dir}" "${url}"; then
+    cp "${temp_dir}/runc.${HOST_ARCH}" /usr/sbin/runc && chmod 755 /usr/sbin/runc
+    rm -rf "${temp_dir}"; return 0
+  fi
+  rm -rf "${temp_dir}"; return 1
+}
+
+# Install containerd on Ubuntu. When both UBUNTU_INSTALL_CONTAINERD_VERSION and
+# UBUNTU_INSTALL_RUNC_VERSION are set, skips apt and downloads binaries directly.
 function install-containerd-ubuntu {
-  # bailout if we are not on ubuntu
   if [[ -z "$(command -v lsb_release)" || $(lsb_release -si) != "Ubuntu" ]]; then
-    echo "Unable to automatically install containerd in non-ubuntu image. Bailing out..."
+    echo "Unable to automatically install containerd in non-ubuntu image. Bailing out..."; exit 2
-    exit 2
   fi
 
-  # Install dependencies, some of these are already installed in the image but
+  local -r custom_containerd="${UBUNTU_INSTALL_CONTAINERD_VERSION:-}"
-  # that's fine since they won't re-install and we can reuse the code below
+  local -r custom_runc="${UBUNTU_INSTALL_RUNC_VERSION:-}"
-  # for another image someday.
+
   apt-get update
-  apt-get install -y --no-install-recommends \
+  apt-get install -y --no-install-recommends apt-transport-https ca-certificates \
-    apt-transport-https \
+    socat curl gnupg2 nfs-common software-properties-common lsb-release
-    ca-certificates \
-    socat \
-    curl \
-    gnupg2 \
-    nfs-common \
-    software-properties-common \
-    lsb-release
 
-  release=$(lsb_release -cs)
+  # Both versions specified: skip apt, install binaries directly
+  if [[ -n "${custom_containerd}" && -n "${custom_runc}" ]]; then
+    echo "Installing containerd ${custom_containerd} and runc ${custom_runc} (skipping apt)"
+    ensure-containerd-systemd-service
+    install-containerd-binary "${custom_containerd}" || { echo "ERROR: containerd download failed"; exit 1; }
+    install-runc-binary "${custom_runc}" || { echo "ERROR: runc download failed"; exit 1; }
+    systemctl start containerd
+    return
+  fi
 
-  # Add the Docker apt-repository (as we install containerd from there)
+  # Install from Docker apt repo, optionally override binaries
+  local -r release="$(lsb_release -cs)"
+  local -r keyring="/etc/apt/keyrings/docker.gpg"
+  mkdir -p "$(dirname "${keyring}")"
   # shellcheck disable=SC2086
-  curl ${CURL_FLAGS} \
+  curl ${CURL_FLAGS} -fsSL "https://download.docker.com/${HOST_PLATFORM}/$(. /etc/os-release; echo "$ID")/gpg" \
-    --location \
+    | gpg --batch --dearmor -o "${keyring}"
-    "https://download.docker.com/${HOST_PLATFORM}/$(. /etc/os-release; echo "$ID")/gpg" \
+  chmod a+r "${keyring}"
-  | apt-key add -
+  echo "deb [arch=${HOST_ARCH} signed-by=${keyring}] https://download.docker.com/${HOST_PLATFORM}/$(. /etc/os-release; echo "$ID") ${release} stable" \
-  add-apt-repository \
+    > /etc/apt/sources.list.d/docker.list
-    "deb [arch=${HOST_ARCH}] https://download.docker.com/${HOST_PLATFORM}/$(. /etc/os-release; echo "$ID") \
-    $release stable"
 
-  # Install containerd from Docker repo
+  apt-get update && apt-get install -y --no-install-recommends containerd.io
-  apt-get update && \
-    apt-get install -y --no-install-recommends containerd
   rm -rf /var/lib/apt/lists/*
 
-  # Override to latest versions of containerd and runc
   systemctl stop containerd
-  if [[ -n "${UBUNTU_INSTALL_CONTAINERD_VERSION:-}" ]]; then
+  [[ -n "${custom_containerd}" ]] && install-containerd-binary "${custom_containerd}"
-    local temp_dir
+  [[ -n "${custom_runc}" ]] && install-runc-binary "${custom_runc}"
-    temp_dir=$(mktemp -d)
+  systemctl start containerd
-    
-    # Download containerd
-    if download-robust "containerd ${UBUNTU_INSTALL_CONTAINERD_VERSION}" "${temp_dir}" \
-       "https://github.com/containerd/containerd/releases/download/${UBUNTU_INSTALL_CONTAINERD_VERSION}/containerd-${UBUNTU_INSTALL_CONTAINERD_VERSION:1}-${HOST_PLATFORM}-${HOST_ARCH}.tar.gz"; then
-      tar --overwrite -xzv -C /usr/ -f "${temp_dir}"/containerd-*.tar.gz
-    fi
-    rm -rf "${temp_dir}"
-  fi
-  if [[ -n "${UBUNTU_INSTALL_RUNC_VERSION:-}" ]]; then
-    local temp_dir
-    temp_dir=$(mktemp -d)
-    
-    # Download and install runc
-    if download-robust "runc ${UBUNTU_INSTALL_RUNC_VERSION}" "${temp_dir}" \
-       "https://github.com/opencontainers/runc/releases/download/${UBUNTU_INSTALL_RUNC_VERSION}/runc.${HOST_ARCH}"; then
-      cp "${temp_dir}/runc.${HOST_ARCH}" /usr/sbin/runc && chmod 755 /usr/sbin/runc
-    fi
-    rm -rf "${temp_dir}"
-  fi
-  sudo systemctl start containerd
 }
 
 # If we are on cos we can try to install containerd

cluster/gce/gci/master.yaml

@@ -129,6 +129,8 @@ write_files:
       WantedBy=multi-user.target
 
 runcmd:
+ - systemctl mask apt-news.service apt-news.timer esm-cache.service snapd.service snapd.socket lxd-installer.socket ubuntu-advantage.service unattended-upgrades.service motd-news.timer update-notifier-motd.timer update-notifier-download.timer || true
+ - systemctl stop unattended-upgrades.service || true
  - systemctl daemon-reload
  - systemctl enable kube-bootstrap-logs-forwarder.service
  - systemctl enable kube-master-installation.service

cluster/gce/gci/node.yaml

@@ -87,6 +87,8 @@ write_files:
       options sunrpc max_resvport=986
 
 runcmd:
+ - systemctl mask apt-news.service apt-news.timer esm-cache.service snapd.service snapd.socket lxd-installer.socket ubuntu-advantage.service unattended-upgrades.service motd-news.timer update-notifier-motd.timer update-notifier-download.timer || true
+ - systemctl stop unattended-upgrades.service || true
  - systemctl daemon-reload
  - systemctl enable kube-node-installation.service
  - systemctl enable kube-node-configuration.service