diff --git a/.github/workflows/trivy_check.yaml b/.github/workflows/trivy_check.yaml
index 3538b808..f8692f1c 100644
--- a/.github/workflows/trivy_check.yaml
+++ b/.github/workflows/trivy_check.yaml
@@ -45,10 +45,10 @@ jobs:
 - name: Prepare sub repo
 run: |
- version=v`grep "version :=" images/agent/werf.inc.yaml | awk -F'"' '{ print $2}'`
+ version=v`grep "UTIL_LINUX_VERSION :=" images/agent/werf.inc.yaml | awk -F'"' '{ print $2}'`
 git clone --depth 1 --branch $version ${{ secrets.SOURCE_REPO }}/util-linux/util-linux.git ./util-linux
 git clone ${{ secrets.SOURCE_REPO }}/lvmteam/lvm2.git ./lvm2
- version=`grep "version :=" images/sds-utils-installer/werf.inc.yaml | awk -F'"' '{ print $2}'`
+ version=`grep "LVM2_VERSION :=" images/sds-utils-installer/werf.inc.yaml | awk -F'"' '{ print $2}'`
 cd ./lvm2
 git checkout $version
 cd ..
diff --git a/.werf/consts.yaml b/.werf/consts.yaml
new file mode 100644
index 00000000..b00cab8d
--- /dev/null
+++ b/.werf/consts.yaml
@@ -0,0 +1,11 @@
+# base images
+{{- $_ := set $ "BASE_ALT" "registry.deckhouse.io/base_images/alt:p10@sha256:f105773c682498700680d7cd61a702a4315c4235aee3622757591fd510fb8b4a" }}
+{{- $_ := set $ "BASE_ALT_P11" "registry.deckhouse.io/base_images/alt:p11@sha256:e47d84424485d3674240cb2f67d3a1801b37d327e6d1eb8cc8d01be8ed3b34f3" }}
+{{- $_ := set $ "BASE_GOLANG_1_23" "registry.deckhouse.io/base_images/golang:1.23.1-alpine3.20@sha256:716820a183116e643839611ff9eca9bd1c92d2bf8f7a5eda2f9fd16e8acbaa72" }}
+{{- $_ := set $ "BASE_SCRATCH" "registry.deckhouse.io/base_images/scratch@sha256:653ae76965c98c8cd1c8c9ff7725316d2983986f896655b30e0f44d2f8b2dd7e" }}
+{{- $_ := set $ "BASE_ALPINE" "registry.deckhouse.io/base_images/alpine:3.20.3@sha256:41628df7c9b935d248f64542634e7a843f9bc7f2252d7f878e77f7b79a947466" }}
+
+# component versions
+{{- $versions := dict }}
+
+{{- $_ := set $ "VERSIONS" $versions }}
diff --git a/.werf/images.yaml b/.werf/images.yaml
index 0908d90a..6aa9b902 100644
--- a/.werf/images.yaml
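Review bot: Both `version=` assignments in the `Prepare sub repo` step still have no guard: if the `UTIL_LINUX_VERSION :=` or `LVM2_VERSION :=` pattern stops matching (the grep is now coupled to the exact variable names in two werf.inc.yaml files), `version` becomes the bare string `v` or an empty string and the step fails only with an opaque git error a few lines later. Add a check directly after each assignment, e.g. `test -n "${version#v}" || { echo "UTIL_LINUX_VERSION not found in images/agent/werf.inc.yaml" >&2; exit 1; }`, and the equivalent for LVM2_VERSION. The backtick substitutions and the unquoted `$version` predate this change; `$(...)` with `"$version"` would be the conventional form if these lines are touched again. The `run:` block may continue past the end of the hunk.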
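Review bot: `VERSIONS` is exported as an empty dict (`{{- $versions := dict }}`) while the component versions that matter are still declared per image (`UTIL_LINUX_VERSION` in images/agent/werf.inc.yaml, `LVM2_VERSION` in images/sds-utils-installer/werf.inc.yaml) and grepped from those files by the CI workflow in this same commit. Either populate `$versions` here and have the images read `$.Versions`, or drop the `Versions` key from the image context in .werf/images.yaml until it carries something; an empty map passed through two template layers invites a silent lookup of a missing key. A comment such as `# component versions: add entries here and read them via $.Versions in images/*/werf.inc.yaml` would make the intended use explicit.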
+++ b/.werf/images.yaml
@@ -1,7 +1,7 @@
 {{- $ImagesBuildFiles := .Files.Glob "images/*/{Dockerfile,werf.inc.yaml}" }}
 {{- range $path, $content := $ImagesBuildFiles }}
- {{ $ctx := (dict "ImageName" ($path | split "/")._1) }}
+ {{ $ctx := (dict "ImageName" ($path | split "/")._1 "Root" $ "Versions" $.VERSIONS) }}
 ---
 {{- /* For Dockerfile just render it from the folder. */ -}}
 {{- if not (regexMatch "/werf.inc.yaml$" $path) }}
diff --git a/.werf/release.yaml b/.werf/release.yaml
index f1e18db7..adca3bb9 100644
--- a/.werf/release.yaml
+++ b/.werf/release.yaml
@@ -1,6 +1,6 @@
 # Release image, stored in your.registry.io/modules//release:
 ---
-artifact: release-channel-version-artifact
+image: release-channel-version-artifact
 from: registry.deckhouse.io/base_images/alpine:3.16.3
 shell:
 beforeInstall:
@@ -14,7 +14,7 @@ shell:
 image: release-channel-version
 from: registry.deckhouse.io/base_images/scratch@sha256:b054705fcc9f2205777d80a558d920c0b4209efdc3163c22b5bfcb5dda1db5fc
 import:
- - artifact: release-channel-version-artifact
+ - image: release-channel-version-artifact
 add: /
 to: /
 after: install
diff --git a/api/go.mod b/api/go.mod
index a6e247d1..05a0cf0b 100644
--- a/api/go.mod
+++ b/api/go.mod
@@ -13,8 +13,8 @@ require (
 github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
 github.com/modern-go/reflect2 v1.0.2 // indirect
 github.com/x448/float16 v0.8.4 // indirect
- golang.org/x/net v0.26.0 // indirect
- golang.org/x/text v0.16.0 // indirect
+ golang.org/x/net v0.33.0 // indirect
+ golang.org/x/text v0.21.0 // indirect
 gopkg.in/inf.v0 v0.9.1 // indirect
 gopkg.in/yaml.v2 v2.4.0 // indirect
 k8s.io/klog/v2 v2.130.1 // indirect
diff --git a/api/go.sum b/api/go.sum
index 1aff0b65..edd69b2a 100644
--- a/api/go.sum
+++ b/api/go.sum
@@ -45,8 +45,8 @@ golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU= -golang.org/x/net v0.26.0 h1:soB7SVo0PWrY4vPW/+ay0jKDNScG2X9wFeYlXIvJsOQ= -golang.org/x/net v0.26.0/go.mod h1:5YKkiSynbBIh3p6iOc/vibscux0x38BZDkn8sCUPxHE= +golang.org/x/net v0.33.0 h1:74SYHlV8BIgHIFC/LrYkOGIwL19eTYXQ5wc6TBuO36I= +golang.org/x/net v0.33.0/go.mod h1:HXLR5J+9DxmrqMwG9qjGCxZ+zKXxBru04zlTvWlWuN4= golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= 
@@ -55,8 +55,8 @@ golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7w golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= -golang.org/x/text v0.16.0 h1:a94ExnEXNtEwYLGJSIUxnWoxoRz/ZcCsV63ROupILh4= -golang.org/x/text v0.16.0/go.mod h1:GhwF1Be+LQoKShO3cGOHzqOgRrGaYc9AvblQOmPVHnI= +golang.org/x/text v0.21.0 h1:zyQAAkrwaneQ066sspRyJaG9VNi/YJ1NfzcGB3hZ/qo= +golang.org/x/text v0.21.0/go.mod h1:4IBbMaMmOPCJ8SecivzSH54+73PCFmPWxNTLm+vZkEQ= golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= diff --git a/charts/deckhouse_lib_helm-1.1.3.tgz b/charts/deckhouse_lib_helm-1.1.3.tgz deleted file mode 100644 index a3b597f9..00000000 Binary files a/charts/deckhouse_lib_helm-1.1.3.tgz and /dev/null differ diff --git a/charts/deckhouse_lib_helm-1.41.0.tgz b/charts/deckhouse_lib_helm-1.41.0.tgz new file mode 100644 index 00000000..ed78597f Binary files /dev/null and b/charts/deckhouse_lib_helm-1.41.0.tgz differ diff --git a/images/agent/src/go.mod b/images/agent/src/go.mod index 7418ee48..75fe8fc8 100644 --- a/images/agent/src/go.mod +++ b/images/agent/src/go.mod 
@@ -59,11 +59,11 @@ require ( github.com/spf13/pflag v1.0.5 // indirect github.com/x448/float16 v0.8.4 // indirect golang.org/x/exp v0.0.0-20231127185646-65229373498e // indirect - golang.org/x/net v0.26.0 // indirect + golang.org/x/net v0.33.0 // indirect golang.org/x/oauth2 v0.21.0 // indirect - golang.org/x/sys v0.21.0 // indirect - golang.org/x/term v0.21.0 // indirect - golang.org/x/text v0.16.0 // indirect + golang.org/x/sys v0.28.0 // indirect + golang.org/x/term v0.27.0 // indirect + golang.org/x/text v0.21.0 // indirect golang.org/x/time v0.5.0 // indirect golang.org/x/tools v0.21.1-0.20240508182429-e35e4ccd0d2d // indirect gomodules.xyz/jsonpatch/v2 v2.4.0 // indirect diff --git a/images/agent/src/go.sum b/images/agent/src/go.sum index b485677e..8c40072d 100644 --- a/images/agent/src/go.sum +++ b/images/agent/src/go.sum @@ -130,8 +130,8 @@ golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU= -golang.org/x/net v0.26.0 h1:soB7SVo0PWrY4vPW/+ay0jKDNScG2X9wFeYlXIvJsOQ= -golang.org/x/net v0.26.0/go.mod h1:5YKkiSynbBIh3p6iOc/vibscux0x38BZDkn8sCUPxHE= +golang.org/x/net v0.33.0 h1:74SYHlV8BIgHIFC/LrYkOGIwL19eTYXQ5wc6TBuO36I= +golang.org/x/net v0.33.0/go.mod h1:HXLR5J+9DxmrqMwG9qjGCxZ+zKXxBru04zlTvWlWuN4= golang.org/x/oauth2 v0.21.0 h1:tsimM75w1tF/uws5rbeHzIWxEqElMehnc+iW793zsZs= golang.org/x/oauth2 v0.21.0/go.mod h1:XYTD2NtWslqkgxebSiOHnXEap4TF09sJSc7H1sXbhtI= golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= 
@@ -140,14 +140,14 @@ golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJ golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.21.0 h1:rF+pYz3DAGSQAxAu1CbC7catZg4ebC4UIeIhKxBZvws= -golang.org/x/sys v0.21.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= -golang.org/x/term v0.21.0 h1:WVXCp+/EBEHOj53Rvu+7KiT/iElMrO8ACK16SMZ3jaA= -golang.org/x/term v0.21.0/go.mod h1:ooXLefLobQVslOqselCNF4SxFAaoS6KujMbsGzSDmX0= +golang.org/x/sys v0.28.0 h1:Fksou7UEQUWlKvIdsqzJmUmCX3cZuD2+P3XyyzwMhlA= +golang.org/x/sys v0.28.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= +golang.org/x/term v0.27.0 h1:WP60Sv1nlK1T6SupCHbXzSaN0b9wUmsPoRS9b61A23Q= +golang.org/x/term v0.27.0/go.mod h1:iMsnZpn0cago0GOrHO2+Y7u7JPn5AylBrcoWkElMTSM= golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= -golang.org/x/text v0.16.0 h1:a94ExnEXNtEwYLGJSIUxnWoxoRz/ZcCsV63ROupILh4= -golang.org/x/text v0.16.0/go.mod h1:GhwF1Be+LQoKShO3cGOHzqOgRrGaYc9AvblQOmPVHnI= +golang.org/x/text v0.21.0 h1:zyQAAkrwaneQ066sspRyJaG9VNi/YJ1NfzcGB3hZ/qo= +golang.org/x/text v0.21.0/go.mod h1:4IBbMaMmOPCJ8SecivzSH54+73PCFmPWxNTLm+vZkEQ= golang.org/x/time v0.5.0 h1:o7cqy6amK/52YcAKIPlM3a+Fpj35zvRj2TP+e1xFSfk= golang.org/x/time v0.5.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM= golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= diff --git a/images/agent/werf.inc.yaml b/images/agent/werf.inc.yaml index 0128eabe..fe6c8467 100644 --- a/images/agent/werf.inc.yaml +++ b/images/agent/werf.inc.yaml 
@@ -1,22 +1,56 @@ -{{- $_ := set . "BASE_GOLANG" "registry.deckhouse.io/base_images/golang:1.22.8-alpine@sha256:54bb7313917c733191a079ccae2e52bd3b80664e46c7879efa06513d4221d804" }} -{{- $_ := set . "BASE_SCRATCH" "registry.deckhouse.ru/base_images/scratch@sha256:b054705fcc9f2205777d80a558d920c0b4209efdc3163c22b5bfcb5dda1db5fc" }} -{{- $_ := set . "BASE_ALPINE_DEV" "registry.deckhouse.ru/base_images/dev-alpine:3.16.3@sha256:c706fa83cc129079e430480369a3f062b8178cac9ec89266ebab753a574aca8e" }} -{{- $_ := set . "BASE_ALT_DEV" "registry.deckhouse.ru/base_images/dev-alt:p10@sha256:76e6e163fa982f03468166203488b569e6d9fc10855d6a259c662706436cdcad" }} +{{ $binaries := "/opt/deckhouse/sds/lib/libblkid.so.1 /opt/deckhouse/sds/lib/libmount.so.1 /opt/deckhouse/sds/lib/libsmartcols.so.1 /opt/deckhouse/sds/bin/nsenter.static /opt/deckhouse/sds/lib/x86_64-linux-gnu/libudev.so.1 /opt/deckhouse/sds/lib/x86_64-linux-gnu/libcap.so.2 /opt/deckhouse/sds/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2 /opt/deckhouse/sds/bin/lsblk.dynamic" }} +{{ $UTIL_LINUX_VERSION := "2.39.3" }} + +# Do not remove. It's used in external tests. 
+--- +image: {{ $.ImageName }}-src-artifact +from: {{ $.Root.BASE_ALT }} +final: false + +git: + - add: /images/{{ $.ImageName }}/src + to: /src/images/{{ $.ImageName }}/src + stageDependencies: + install: + - "**/*" + - add: /api + to: /src/api + stageDependencies: + install: + - "**/*" + +shell: + install: + - apt-get update + - apt-get -y install git + - git clone --depth 1 --branch v{{ $UTIL_LINUX_VERSION }} {{ env "SOURCE_REPO" }}/util-linux/util-linux.git /src/util-linux + - rm -rf /src/util-linux/.git + -{{ $binaries := "/opt/deckhouse/sds/lib/libblkid.so.1 /opt/deckhouse/sds/lib/libmount.so.1 /opt/deckhouse/sds/lib/libsmartcols.so.1 /opt/deckhouse/sds/bin/nsenter.static /opt/deckhouse/sds/lib/x86_64-linux-gnu/libudev.so.1 /opt/deckhouse/sds/lib/x86_64-linux-gnu/libcap.so.2 ld-linux-x86-64.so.2 /opt/deckhouse/sds/bin/lsblk.dynamic" }} -{{ $version := "2.39.3" }} --- image: {{ $.ImageName }}-binaries-artifact -from: {{ $.BASE_ALT_DEV }} +from: {{ $.Root.BASE_ALT }} final: false +import: + - image: {{ $.ImageName }}-src-artifact + add: /src + to: /src + before: install + +git: + - add: /tools/dev_images/additional_tools/binary_replace.sh + to: /binary_replace.sh + stageDependencies: + install: + - "**/*" + shell: install: - apt-get update - | apt-get install -y \ build-essential \ - git \ pkg-config \ gettext \ autoconf \ 
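Review bot: The new src-artifact stage fetches util-linux by tag (`git clone --depth 1 --branch v{{ $UTIL_LINUX_VERSION }} {{ env "SOURCE_REPO" }}/util-linux/util-linux.git`) and then removes `.git` without recording which commit was built, so unlike the base images, which this commit pins by digest in .werf/consts.yaml, the source input remains a mutable ref on whatever `SOURCE_REPO` resolves to. Recording the expected commit next to the version and checking it before the cleanup would close that gap, e.g. `- test "$(git -C /src/util-linux rev-parse HEAD)" = "<expected util-linux commit — placeholder>"` placed before `- rm -rf /src/util-linux/.git`. The `# Do not remove. It's used in external tests.` comment sits under the `$UTIL_LINUX_VERSION` line but does not say what is used or by whom; `# Do not rename: .github/workflows/trivy_check.yaml greps UTIL_LINUX_VERSION from this file.` names the consumer visible in this commit. The binaries-artifact `install:` list continues past the end of the hunk.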
@@ -28,67 +62,68 @@ shell: libmount-devel-static \ automake \ gettext \ - flex - - cd / - - git clone {{ env "SOURCE_REPO" }}/util-linux/util-linux.git - - cd /util-linux - - git checkout v{{ $version }} + flex \ + glibc-core + - cd /src/util-linux - ./autogen.sh - ./configure LDFLAGS="-static" --enable-static-programs -disable-all-programs --enable-nsenter - make install-strip - ./configure --prefix /opt/deckhouse/sds --with-udev - make install-strip - mkdir -p /opt/deckhouse/sds/lib/x86_64-linux-gnu/ - - cp /util-linux/nsenter.static /opt/deckhouse/sds/bin/nsenter.static + - cp /src/util-linux/nsenter.static /opt/deckhouse/sds/bin/nsenter.static - cp /lib64/libudev.so.1 /opt/deckhouse/sds/lib/x86_64-linux-gnu/libudev.so.1 - cp /lib64/libc.so.6 /opt/deckhouse/sds/lib/x86_64-linux-gnu/libc.so.6 - cp /lib64/libcap.so.2 /opt/deckhouse/sds/lib/x86_64-linux-gnu/libcap.so.2 - cp /lib64/ld-2.32.so /opt/deckhouse/sds/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2 - cp /opt/deckhouse/sds/bin/lsblk /opt/deckhouse/sds/bin/lsblk.dynamic + - chmod +x /binary_replace.sh - /binary_replace.sh -i "{{ $binaries }}" -o /relocate --- image: {{ $.ImageName }}-golang-artifact -from: {{ $.BASE_GOLANG }} +from: {{ $.Root.BASE_GOLANG_1_23 }} final: false -git: - - add: / - to: / - includePaths: - - api - - images/agent/src - stageDependencies: - setup: - - "**/*" +import: + - image: {{ $.ImageName }}-src-artifact + add: /src + to: /src + before: install + +mount: + - fromPath: ~/go-pkg-cache + to: /go/pkg shell: setup: - - cd /images/agent/src/cmd - - GOOS=linux GOARCH=amd64 CGO_ENABLED=0 go build -ldflags="-s -w" -o /sds-node-configurator-agent - - chmod +x /sds-node-configurator-agent + - cd /src/images/{{ $.ImageName }}/src/cmd + - GOOS=linux GOARCH=amd64 CGO_ENABLED=0 go build -ldflags="-s -w" -o /{{ $.ImageName }} + - chmod +x /{{ $.ImageName }} --- image: {{ $.ImageName }}-distroless-artifact -from: {{ $.BASE_ALPINE_DEV }} +from: {{ $.Root.BASE_ALT }} final: false shell: install: + - 
apt-get update + - apt-get install ca-certificates tzdata -y - mkdir -p /relocate/bin /relocate/sbin /relocate/etc /relocate/etc/ssl /relocate/usr/bin /relocate/usr/sbin /relocate/usr/share - cp -pr /tmp /relocate - cp -pr /etc/passwd /etc/group /etc/hostname /etc/hosts /etc/shadow /etc/protocols /etc/services /etc/nsswitch.conf /relocate/etc - cp -pr /usr/share/ca-certificates /relocate/usr/share - cp -pr /usr/share/zoneinfo /relocate/usr/share - - cp -pr etc/ssl/cert.pem /relocate/etc/ssl - - cp -pr /etc/ssl/certs /relocate/etc/ssl + - cp -pr /etc/pki/tls/cert.pem /relocate/etc/ssl + - cp -pr /etc/pki/tls/certs /relocate/etc/ssl - echo "deckhouse:x:64535:64535:deckhouse:/:/sbin/nologin" >> /relocate/etc/passwd - echo "deckhouse:x:64535:" >> /relocate/etc/group - echo "deckhouse:!::0:::::" >> /relocate/etc/shadow --- image: {{ $.ImageName }}-distroless -from: {{ $.BASE_SCRATCH }} +from: {{ $.Root.BASE_SCRATCH }} final: false import: @@ -106,9 +141,10 @@ import: to: / before: setup - image: {{ $.ImageName }}-golang-artifact - add: /sds-node-configurator-agent - to: /sds-node-configurator-agent + add: /{{ $.ImageName }} + to: /{{ $.ImageName }} before: setup docker: - ENTRYPOINT: ["/sds-node-configurator-agent"] + ENTRYPOINT: ["/{{ $.ImageName }}"] + USER: deckhouse:deckhouse diff --git a/images/sds-health-watcher-controller/src/go.mod b/images/sds-health-watcher-controller/src/go.mod index ac624bbb..1bf9e924 100644 --- a/images/sds-health-watcher-controller/src/go.mod +++ b/images/sds-health-watcher-controller/src/go.mod 
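Review bot: The distroless-artifact stage now builds from `{{ $.Root.BASE_ALT }}` instead of the Alpine dev image, but the unchanged `cp -pr /etc/passwd /etc/group ... /etc/shadow ... /relocate/etc` line still copies the build image's whole account database, `/etc/shadow` included, into the scratch runtime image, so the final image now inherits whatever accounts and hashes the ALT base ships there. The only account the runtime image needs is the `deckhouse` user appended by the three `echo ... >> /relocate/etc/...` lines; writing minimal `passwd`/`group` files holding just `root` and `deckhouse`, and omitting `shadow` entirely, would keep the runtime root free of build-image artefacts (`shadow` is not consulted for `USER`/`runAsUser` resolution). The same copy block is added verbatim in images/sds-health-watcher-controller/werf.inc.yaml and images/sds-utils-installer/werf.inc.yaml, so the change belongs in all three.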
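Review bot: `USER: deckhouse:deckhouse` is added to the final image, but templates/agent/daemonset.yaml in this same commit sets a pod-level `securityContext` with `runAsUser: 0` and `runAsGroup: 0`, which overrides the image's `USER` for every container of that pod (the agent and the `sds-utils-installer` init container alike), so the directive changes nothing at runtime there. If it is meant as a safe default for other consumers of the image, say so next to it: `# Overridden by runAsUser: 0 in templates/agent/daemonset.yaml; the agent needs root on the node.`; otherwise it reads as hardening that is not in effect. images/sds-utils-installer/werf.inc.yaml and images/sds-health-watcher-controller/werf.inc.yaml add the same `USER` line; for the installer the daemonset override applies as well, while the health-watcher controller's workload manifest is not in this diff, so its effect there cannot be judged here.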
@@ -53,11 +53,11 @@ require ( github.com/spf13/pflag v1.0.5 // indirect github.com/x448/float16 v0.8.4 // indirect golang.org/x/exp v0.0.0-20230522175609-2e198f4a06a1 // indirect - golang.org/x/net v0.26.0 // indirect + golang.org/x/net v0.33.0 // indirect golang.org/x/oauth2 v0.21.0 // indirect - golang.org/x/sys v0.21.0 // indirect - golang.org/x/term v0.21.0 // indirect - golang.org/x/text v0.16.0 // indirect + golang.org/x/sys v0.28.0 // indirect + golang.org/x/term v0.27.0 // indirect + golang.org/x/text v0.21.0 // indirect golang.org/x/time v0.5.0 // indirect gomodules.xyz/jsonpatch/v2 v2.4.0 // indirect google.golang.org/protobuf v1.34.2 // indirect diff --git a/images/sds-health-watcher-controller/src/go.sum b/images/sds-health-watcher-controller/src/go.sum index 510a6998..6655aa8a 100644 --- a/images/sds-health-watcher-controller/src/go.sum +++ b/images/sds-health-watcher-controller/src/go.sum @@ -176,8 +176,8 @@ golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLL golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20201010224723-4f7140c49acb/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU= golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU= -golang.org/x/net v0.26.0 h1:soB7SVo0PWrY4vPW/+ay0jKDNScG2X9wFeYlXIvJsOQ= -golang.org/x/net v0.26.0/go.mod h1:5YKkiSynbBIh3p6iOc/vibscux0x38BZDkn8sCUPxHE= +golang.org/x/net v0.33.0 h1:74SYHlV8BIgHIFC/LrYkOGIwL19eTYXQ5wc6TBuO36I= +golang.org/x/net v0.33.0/go.mod h1:HXLR5J+9DxmrqMwG9qjGCxZ+zKXxBru04zlTvWlWuN4= golang.org/x/oauth2 v0.21.0 h1:tsimM75w1tF/uws5rbeHzIWxEqElMehnc+iW793zsZs= golang.org/x/oauth2 v0.21.0/go.mod h1:XYTD2NtWslqkgxebSiOHnXEap4TF09sJSc7H1sXbhtI= golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= 
@@ -187,15 +187,15 @@ golang.org/x/sys v0.0.0-20180905080454-ebe1bf3edb33/go.mod h1:STP8DvDyc/dI5b8T5h golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.21.0 h1:rF+pYz3DAGSQAxAu1CbC7catZg4ebC4UIeIhKxBZvws= -golang.org/x/sys v0.21.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= -golang.org/x/term v0.21.0 h1:WVXCp+/EBEHOj53Rvu+7KiT/iElMrO8ACK16SMZ3jaA= -golang.org/x/term v0.21.0/go.mod h1:ooXLefLobQVslOqselCNF4SxFAaoS6KujMbsGzSDmX0= +golang.org/x/sys v0.28.0 h1:Fksou7UEQUWlKvIdsqzJmUmCX3cZuD2+P3XyyzwMhlA= +golang.org/x/sys v0.28.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= +golang.org/x/term v0.27.0 h1:WP60Sv1nlK1T6SupCHbXzSaN0b9wUmsPoRS9b61A23Q= +golang.org/x/term v0.27.0/go.mod h1:iMsnZpn0cago0GOrHO2+Y7u7JPn5AylBrcoWkElMTSM= golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk= golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= -golang.org/x/text v0.16.0 h1:a94ExnEXNtEwYLGJSIUxnWoxoRz/ZcCsV63ROupILh4= -golang.org/x/text v0.16.0/go.mod h1:GhwF1Be+LQoKShO3cGOHzqOgRrGaYc9AvblQOmPVHnI= +golang.org/x/text v0.21.0 h1:zyQAAkrwaneQ066sspRyJaG9VNi/YJ1NfzcGB3hZ/qo= +golang.org/x/text v0.21.0/go.mod h1:4IBbMaMmOPCJ8SecivzSH54+73PCFmPWxNTLm+vZkEQ= golang.org/x/time v0.5.0 h1:o7cqy6amK/52YcAKIPlM3a+Fpj35zvRj2TP+e1xFSfk= golang.org/x/time v0.5.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM= golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= 
diff --git a/images/sds-health-watcher-controller/werf.inc.yaml b/images/sds-health-watcher-controller/werf.inc.yaml index bea9b7be..ee51d8f8 100644 --- a/images/sds-health-watcher-controller/werf.inc.yaml +++ b/images/sds-health-watcher-controller/werf.inc.yaml 
@@ -1,38 +1,90 @@ -{{- $_ := set . "BASE_GOLANG" "registry.deckhouse.io/base_images/golang:1.22.8-alpine@sha256:54bb7313917c733191a079ccae2e52bd3b80664e46c7879efa06513d4221d804" }} -{{- $_ := set . "BASE_SCRATCH" "registry.deckhouse.io/base_images/scratch@sha256:b054705fcc9f2205777d80a558d920c0b4209efdc3163c22b5bfcb5dda1db5fc" }} +{{ $binaries := "/sds-utils/bin/lvm.static" }} +# Do not remove. It's used in external tests. --- -image: {{ $.ImageName }}-golang-artifact -from: {{ $.BASE_GOLANG }} +image: {{ $.ImageName }}-src-artifact +from: {{ $.Root.BASE_ALT }} final: false git: - - add: / - to: / - includePaths: - - api - - images/sds-health-watcher-controller/src + - add: /images/{{ $.ImageName }}/src + to: /src/images/{{ $.ImageName }}/src + stageDependencies: + install: + - "**/*" + - add: /api + to: /src/api stageDependencies: - setup: + install: - "**/*" + +shell: + install: + - echo "src artifact" + +--- +image: {{ $.ImageName }}-golang-artifact +from: {{ $.Root.BASE_GOLANG_1_23 }} +final: false + +import: + - image: {{ $.ImageName }}-src-artifact + add: /src + to: /src + before: install + mount: - fromPath: ~/go-pkg-cache to: /go/pkg + shell: setup: - - cd images/sds-health-watcher-controller/src/cmd - - GOOS=linux GOARCH=amd64 CGO_ENABLED=0 go build -ldflags="-s -w" -o /sds-health-watcher-controller - - chmod +x /sds-health-watcher-controller + - cd /src/images/{{ $.ImageName }}/src/cmd + - GOOS=linux GOARCH=amd64 CGO_ENABLED=0 go build -ldflags="-s -w" -o /{{ $.ImageName }} + - chmod +x /{{ $.ImageName }} + + +--- +image: {{ $.ImageName }}-distroless-artifact +from: {{ $.Root.BASE_ALT }} +final: false + +shell: + install: + - apt-get update + - apt-get install ca-certificates tzdata -y + - mkdir -p /relocate/bin /relocate/sbin /relocate/etc /relocate/etc/ssl /relocate/usr/bin /relocate/usr/sbin /relocate/usr/share + - cp -pr /tmp /relocate + - cp -pr /etc/passwd /etc/group /etc/hostname /etc/hosts /etc/shadow /etc/protocols /etc/services 
/etc/nsswitch.conf /relocate/etc + - cp -pr /usr/share/ca-certificates /relocate/usr/share + - cp -pr /usr/share/zoneinfo /relocate/usr/share + - cp -pr /etc/pki/tls/cert.pem /relocate/etc/ssl + - cp -pr /etc/pki/tls/certs /relocate/etc/ssl + - echo "deckhouse:x:64535:64535:deckhouse:/:/sbin/nologin" >> /relocate/etc/passwd + - echo "deckhouse:x:64535:" >> /relocate/etc/group + - echo "deckhouse:!::0:::::" >> /relocate/etc/shadow + +--- +image: {{ $.ImageName }}-distroless +from: {{ $.Root.BASE_SCRATCH }} +final: false + +import: + - image: {{ $.ImageName }}-distroless-artifact + add: /relocate + to: / + before: setup --- image: {{ $.ImageName }} -from: {{ $.BASE_SCRATCH }} +fromImage: {{ $.ImageName }}-distroless import: - image: {{ $.ImageName }}-golang-artifact - add: /sds-health-watcher-controller - to: /sds-health-watcher-controller + add: /{{ $.ImageName }} + to: /{{ $.ImageName }} before: setup docker: - ENTRYPOINT: ["/sds-health-watcher-controller"] + ENTRYPOINT: ["/{{ $.ImageName }}"] + USER: deckhouse:deckhouse diff --git a/images/sds-utils-installer/werf.inc.yaml b/images/sds-utils-installer/werf.inc.yaml index fcf6039c..6a3b9729 100644 --- a/images/sds-utils-installer/werf.inc.yaml +++ b/images/sds-utils-installer/werf.inc.yaml 
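Review bot: `{{ $binaries := "/sds-utils/bin/lvm.static" }}` is defined at the top of this file but never referenced in it — this image has no binaries-artifact stage and no `binary_replace.sh` call — and the `# Do not remove. It's used in external tests.` comment under it has no version variable to refer to, so both look copied from images/sds-utils-installer/werf.inc.yaml. Drop the `$binaries` line and the comment, or state precisely what the external tests read from this file. The src-artifact `install:` step `- echo "src artifact"` is a no-op; if it exists only because the stage must not be empty, a comment such as `# placeholder: keeps the install stage non-empty` would stop the next reader from deleting it. The hunk covers the whole new file.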
@@ -1,15 +1,51 @@ -{{- $_ := set . "BASE_GOLANG" "registry.deckhouse.io/base_images/golang:1.22.8-alpine@sha256:54bb7313917c733191a079ccae2e52bd3b80664e46c7879efa06513d4221d804" }} -{{- $_ := set . "BASE_SCRATCH" "registry.deckhouse.ru/base_images/scratch@sha256:b054705fcc9f2205777d80a558d920c0b4209efdc3163c22b5bfcb5dda1db5fc" }} -{{- $_ := set . "BASE_ALPINE_DEV" "registry.deckhouse.ru/base_images/dev-alpine:3.16.3@sha256:c706fa83cc129079e430480369a3f062b8178cac9ec89266ebab753a574aca8e" }} -{{- $_ := set . "BASE_ALT_DEV" "registry.deckhouse.ru/base_images/dev-alt:p10@sha256:76e6e163fa982f03468166203488b569e6d9fc10855d6a259c662706436cdcad" }} - {{ $binaries := "/sds-utils/bin/lvm.static" }} -{{ $version := "d786a8f820d54ce87a919e6af5426c333c173b11" }} +{{ $LVM2_VERSION := "d786a8f820d54ce87a919e6af5426c333c173b11" }} + +# Do not remove. It's used in external tests. +--- +image: {{ $.ImageName }}-src-artifact +from: {{ $.Root.BASE_ALT }} +final: false + +git: + - add: /images/{{ $.ImageName }}/src + to: /src/images/{{ $.ImageName }}/src + stageDependencies: + install: + - "**/*" + - add: /api + to: /src/api + stageDependencies: + install: + - "**/*" + +shell: + install: + - apt-get update + - apt-get -y install git + - git clone --depth 1 {{ env "SOURCE_REPO" }}/lvmteam/lvm2.git /src/lvm2 + - cd /src/lvm2 + - git fetch --depth 1 origin {{ $LVM2_VERSION }} + - rm -rf /src/lvm2/.git + --- image: {{ $.ImageName }}-binaries-artifact -from: {{ $.BASE_ALT_DEV }} +from: {{ $.Root.BASE_ALT }} final: false +import: + - image: {{ $.ImageName }}-src-artifact + add: /src + to: /src + before: install + +git: + - add: /tools/dev_images/additional_tools/binary_replace.sh + to: /binary_replace.sh + stageDependencies: + install: + - "**/*" + shell: install: - apt-get update 
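Review bot: The lvm2 tree is never checked out at `{{ $LVM2_VERSION }}`: `git clone --depth 1 ...` leaves the working tree at the remote's default-branch HEAD, `git fetch --depth 1 origin {{ $LVM2_VERSION }}` only downloads that commit into `.git`, and the next step `rm -rf /src/lvm2/.git` discards it, so the binaries-artifact stage compiles an unpinned tree whereas the removed `git checkout {{ $version }}` did apply the pin. Insert a checkout between the fetch and the cleanup: `- git fetch --depth 1 origin {{ $LVM2_VERSION }}` / `- git checkout FETCH_HEAD` / `- rm -rf /src/lvm2/.git`. Note that .github/workflows/trivy_check.yaml in this commit does run `git checkout $version` on its own clone, so the scanned tree and the built tree currently differ. Fetching a bare commit id with `--depth 1` also depends on the mirror allowing unadvertised-object fetches, which is worth confirming for `SOURCE_REPO`.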
@@ -24,56 +60,61 @@ shell: libaio-devel-static \ libblkid-devel-static \ thin-provisioning-tools \ - git - - cd / - - git clone {{ env "SOURCE_REPO" }}/lvmteam/lvm2.git - - cd /lvm2 - - git checkout {{ $version }} + glibc-core + - cd /src/lvm2 - ./configure --enable-static_link --disable-silent-rules --disable-readline --enable-blkid_wiping --build=x86_64-linux-gnu - make - mkdir -p /sds-utils/bin/ - - mv /lvm2/tools/lvm.static /sds-utils/bin/lvm.static + - mv /src/lvm2/tools/lvm.static /sds-utils/bin/lvm.static + - chmod +x /binary_replace.sh - /binary_replace.sh -i "{{ $binaries }}" -o /relocate --- image: {{ $.ImageName }}-golang-artifact -from: {{ $.BASE_GOLANG }} +from: {{ $.Root.BASE_GOLANG_1_23 }} final: false -git: - - add: /images/sds-utils-installer/src +import: + - image: {{ $.ImageName }}-src-artifact + add: /src to: /src - stageDependencies: - setup: - - "**/*" + before: install + +mount: + - fromPath: ~/go-pkg-cache + to: /go/pkg shell: setup: - - cd /src/cmd - - GOOS=linux GOARCH=amd64 CGO_ENABLED=0 go build -ldflags="-s -w" -o /bin-copier - - chmod +x /bin-copier + - cd /src/images/{{ $.ImageName }}/src/cmd + - GOOS=linux GOARCH=amd64 CGO_ENABLED=0 go build -ldflags="-s -w" -o /{{ $.ImageName }} + - chmod +x /{{ $.ImageName }} + # - GOOS=linux GOARCH=amd64 CGO_ENABLED=0 go build -ldflags="-s -w" -o /bin-copier + # - chmod +x /bin-copier --- image: {{ $.ImageName }}-distroless-artifact -from: {{ $.BASE_ALPINE_DEV }} +from: {{ $.Root.BASE_ALT }} final: false shell: install: + - apt-get update + - apt-get install ca-certificates tzdata -y - mkdir -p /relocate/bin /relocate/sbin /relocate/etc /relocate/etc/ssl /relocate/usr/bin /relocate/usr/sbin /relocate/usr/share - cp -pr /tmp /relocate - cp -pr /etc/passwd /etc/group /etc/hostname /etc/hosts /etc/shadow /etc/protocols /etc/services /etc/nsswitch.conf /relocate/etc - cp -pr /usr/share/ca-certificates /relocate/usr/share - cp -pr /usr/share/zoneinfo /relocate/usr/share - - cp -pr etc/ssl/cert.pem 
/relocate/etc/ssl - - cp -pr /etc/ssl/certs /relocate/etc/ssl + - cp -pr /etc/pki/tls/cert.pem /relocate/etc/ssl + - cp -pr /etc/pki/tls/certs /relocate/etc/ssl - echo "deckhouse:x:64535:64535:deckhouse:/:/sbin/nologin" >> /relocate/etc/passwd - echo "deckhouse:x:64535:" >> /relocate/etc/group - echo "deckhouse:!::0:::::" >> /relocate/etc/shadow --- image: {{ $.ImageName }}-distroless -from: {{ $.BASE_SCRATCH }} +from: {{ $.Root.BASE_SCRATCH }} final: false import: @@ -91,10 +132,11 @@ import: to: / before: setup - image: {{ $.ImageName }}-golang-artifact - add: /bin-copier - to: /bin-copier + add: /{{ $.ImageName }} + to: /{{ $.ImageName }} before: setup docker: - ENTRYPOINT: ["/bin-copier"] + ENTRYPOINT: ["/{{ $.ImageName }}"] CMD: ["/sds-utils", "/opt/deckhouse/sds"] + USER: deckhouse:deckhouse diff --git a/templates/agent/daemonset.yaml b/templates/agent/daemonset.yaml index a3dcc0e6..aa634cfe 100644 --- a/templates/agent/daemonset.yaml +++ b/templates/agent/daemonset.yaml @@ -52,6 +52,14 @@ spec: serviceAccountName: sds-node-configurator hostPID: true hostNetwork: true + # We need root privileges to perform LVM operations on the node. + securityContext: + runAsUser: 0 + runAsNonRoot: false + runAsGroup: 0 + seLinuxOptions: + level: s0 + type: spc_t initContainers: - name: sds-utils-installer image: {{ include "helm_lib_module_image" (list . "sdsUtilsInstaller") }} @@ -81,11 +89,10 @@ spec: - -- - modprobe - dm_thin_pool + # Privileged mode is required to use nsenter and access the host's mount namespace. + # This is necessary to run modprobe and load the dm_thin_pool kernel module on the host. securityContext: privileged: true - seLinuxOptions: - level: s0 - type: spc_t volumeMounts: - mountPath: /dev/ name: host-device-dir @@ -123,11 +130,6 @@ spec: - name: metrics containerPort: 4202 protocol: TCP - securityContext: - privileged: true - seLinuxOptions: - level: s0 - type: spc_t env: - name: NODE_NAME valueFrom: 
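Review bot: The golang-artifact `setup:` list keeps two commented-out commands (`# - GOOS=... -o /bin-copier` and `# - chmod +x /bin-copier`) after the build output was renamed to `/{{ $.ImageName }}` and the ENTRYPOINT switched to it in the following hunk; dead commands in a build recipe tend to be resurrected by mistake. Delete both lines, or if something outside this repository still expects the `bin-copier` name, replace them with a one-line comment naming that dependency. `glibc-core` is appended to the apt-get package list without explanation; a short comment stating why it became necessary with the new base image would help, since the list starts before this hunk.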
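Review bot: Moving `seLinuxOptions: type: spc_t` from the two containers that carried it to the pod-level `securityContext` widens it to every container in the pod, including the `sds-utils-installer` init container, which on the old side had no `seLinuxOptions` at all; combined with the pod-wide `runAsUser: 0` every container now runs as an unconfined root process whether or not it needs to. If the installer genuinely needs the same label (presumably because it writes under the host path its `CMD` points at), the comment should say so; otherwise keep `seLinuxOptions` on the two privileged containers as before and leave only the `runAsUser`/`runAsGroup` block at pod level. `runAsNonRoot: false` is the default and is fine to keep as an explicit statement of intent. The pod spec continues outside the hunk in both directions.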
@@ -145,6 +147,9 @@ spec: {{- else if eq .Values.sdsNodeConfigurator.logLevel "TRACE" }} value: "4" {{- end }} + # Privileged mode is required to use nsenter and execute host-level commands like lvm and lsblk. + securityContext: + privileged: true volumeMounts: - mountPath: /dev/ name: host-device-dir diff --git a/tools/dev_images/additional_tools/binary_replace.sh b/tools/dev_images/additional_tools/binary_replace.sh new file mode 100644 index 00000000..5f2d0057 --- /dev/null +++ b/tools/dev_images/additional_tools/binary_replace.sh 
@@ -0,0 +1,129 @@
+#!/bin/bash
+
+# Copyright 2023 Flant JSC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -Eeuo pipefail
+shopt -s failglob
+
+FILE_TEMPLATE_BINS=""
+TEMPLATE_BINS=""
+RDIR=""
+
+tools=("ldd" "readlink" "awk" "dirname" "ls" "cat")
+for tool in "${tools[@]}"; do
+ if ! command -v "$tool" >/dev/null 2>&1; then
+ echo "$tool is not installed."
+ exit 1
+ fi
+done
+
+function Help() {
+ # Display Help
+ echo "Copy binaries and their libraries to a folder"
+ echo "Only one input parameter allowed (-f or -i) !!!"
+ echo
+ echo "Syntax: scriptTemplate [-h|f|i|o]"
+ echo "options:"
+ echo "f Files with paths to binaries; Support mask like /sbin/m*"
+ echo "i Paths to binaries separated by space; Support mask like /sbin/m*; Example: /bin/chmod /bin/mount /sbin/m*"
+ echo ' List of binaries should be in double quotes, -i "/bin/chmod /bin/mount" '
+ echo "o Output directory (Default value: '/relocate')"
+ echo "h Print this help"
+ echo
+ echo
+}
+
+while getopts ":h:i:f:o:" option; do
+ case $option in
+ h) # display Help
+ Help
+ exit;;
+ f)
+ FILE_TEMPLATE_BINS=$OPTARG
+ ;;
+ i)
+ TEMPLATE_BINS=$OPTARG
+ ;;
+ o)
+ RDIR=$OPTARG
+ ;;
+ \?)
+ echo "Error: Invalid option"
+ exit;;
+ esac
+done
+
+if [[ -z $RDIR ]];then
+ RDIR="/relocate"
+fi
+mkdir -p "${RDIR}"
+
+function relocate() {
+ local binary=$1
+ relocate_item ${binary}
+
+ for lib in $(ldd ${binary} 2>/dev/null | awk '/statically linked/ {next} {if ($2=="=>") print $3; else print $1}'); do
+ # don't try to relocate linux-vdso.so lib due to this lib is virtual
+ if [[ "${lib}" =~ "linux-vdso" ]]; then
+ continue
+ fi
+ relocate_item ${lib}
+ done
+}
+
+function relocate_item() {
+ local file=$1
+ local new_place="${RDIR}$(dirname ${file})"
+
+ mkdir -p ${new_place}
+ cp -a ${file} ${new_place}
+
+ # if symlink, copy original file too
+ local orig_file="$(readlink -f ${file})"
+ if [[ "${file}" != "${orig_file}" ]]; then
+ cp -a ${orig_file} ${new_place}
+ fi
+}
+
+function get_binary_path () {
+ local bin
+ BINARY_LIST=()
+
+ for bin in "$@"; do
+ if [[ ! -f $bin ]] || [ "${bin}" == "${RDIR}" ]; then
+ echo "Not found $bin"
+ exit 1
+ fi
+ BINARY_LIST+=$(ls -la $bin 2>/dev/null | awk '{print $9}')" "
+ done
+
+ if [[ -z $BINARY_LIST ]]; then echo "No binaryes for replace"; exit 1; fi;
+}
+
+# if get file with binaryes (-f)
+if [[ -n $FILE_TEMPLATE_BINS ]] && [[ -f $FILE_TEMPLATE_BINS ]] && [[ -z $TEMPLATE_BINS ]]; then
+ BIN_TEMPLATE=$(cat $FILE_TEMPLATE_BINS)
+ get_binary_path ${BIN_TEMPLATE}
+# Or get paths to bin via raw input (-i)
+elif [[ -n $TEMPLATE_BINS ]] && [[ -z $FILE_TEMPLATE_BINS ]]; then
+ get_binary_path ${TEMPLATE_BINS}
+else
+ Help
+ exit
+fi
+
+for binary in ${BINARY_LIST[@]}; do
+ relocate ${binary}
+done
diff --git a/werf.yaml b/werf.yaml
index 4fab11c4..07a34773 100644
--- a/werf.yaml
+++ b/werf.yaml
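Review bot: The `\?)` arm of the `getopts` loop prints `Error: Invalid option` and then runs a bare `exit`, i.e. exits with status 0, so a mistyped flag in the werf `binary_replace.sh -i ... -o /relocate` calls would not fail the build; it should read `echo "Error: Invalid option" >&2; exit 1;;`. The optstring `":h:i:f:o:"` declares `-h` as taking an argument, so a plain `-h` produces the unhandled `:` case and is silently ignored; `":hi:f:o:"` is what the `h)` arm expects. `get_binary_path` assembles the list with `BINARY_LIST+=$(ls -la $bin 2>/dev/null | awk '{print $9}')" "`, which appends to element 0 as one space-joined string and, like the unquoted `${binary}`, `${file}` and `${lib}` expansions in `relocate` and `relocate_item`, breaks on any path containing whitespace; for the fixed lists passed from the werf files this is harmless, but a `# paths passed via -i/-f must not contain whitespace` comment at the top of the script would record the constraint for the next caller.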
@@ -1,9 +1,11 @@
 project: sds-node-configurator
 configVersion: 1
 ---
+{{ tpl (.Files.Get ".werf/consts.yaml") $ }}
 {{ tpl (.Files.Get ".werf/images.yaml") $ }}
 {{ tpl (.Files.Get ".werf/images-digests.yaml") $ }}
 {{ tpl (.Files.Get ".werf/python-deps.yaml") $ }}
 {{ tpl (.Files.Get ".werf/bundle.yaml") $ }}
 {{ tpl (.Files.Get ".werf/release.yaml") $ }}
+