From 3c55c9e2dfbd31a1f0e4c92db01728d076f08086 Mon Sep 17 00:00:00 2001
From: Jackson West <jgw@amazon.com>
Date: Sat, 2 Apr 2022 22:00:37 -0500
Subject: [PATCH 1/2] Switch to AL2 base image for node image

Signed-off-by: Jackson West <jgw@amazon.com>
---
 images/base/Dockerfile                        | 146 ++++++++----------
 images/base/files/usr/local/bin/clean-install |  10 +-
 2 files changed, 69 insertions(+), 87 deletions(-)

diff --git a/images/base/Dockerfile b/images/base/Dockerfile
index f6abfa3b..e4c13a47 100644
--- a/images/base/Dockerfile
+++ b/images/base/Dockerfile
@@ -19,43 +19,25 @@
 
 # start from ubuntu, this image is reasonably small as a starting point
 # for a kubernetes node image, it doesn't contain much we don't need
-ARG BASE_IMAGE=ubuntu:22.04
-FROM $BASE_IMAGE as build
+ARG BASE_IMAGE
+ARG BUILDER_IMAGE
+FROM $BASE_IMAGE as base-amd64
+
+ARG CRICTL_AMD64_URL
+ARG CRICTL_AMD64_SHA256SUM_URL
+ARG CRICTL_URL=${CRICTL_AMD64_URL}
+ARG CRICTL_SHA256SUM_URL=${CRICTL_AMD64_SHA256SUM_URL}
 
-# `docker buildx` automatically sets this arg value
-ARG TARGETARCH
 
-# Configure containerd and runc binaries from kind-ci/containerd-nightlies repository
-# The repository contains latest stable releases and nightlies built for multiple architectures
-ARG CONTAINERD_VERSION="1.6.19-46-g941215f49"
-ARG CONTAINERD_BASE_URL="https://github.com/kind-ci/containerd-nightlies/releases/download"
-ARG CONTAINERD_URL="${CONTAINERD_BASE_URL}/containerd-${CONTAINERD_VERSION}/containerd-${CONTAINERD_VERSION}-linux-${TARGETARCH}.tar.gz"
-ARG CONTAINERD_AMD64_SHA256SUM="df182a12d9108042df7dc449506be43f2fed8b3babde5bb9a72e5554e055a085"
-ARG CONTAINERD_ARM64_SHA256SUM="2c76703c81ddaee5295911b8d8816dc84bcd8c5f78e48ea6f03b00a86148694e"
-
-ARG RUNC_URL="${CONTAINERD_BASE_URL}/containerd-${CONTAINERD_VERSION}/runc.${TARGETARCH}"
-ARG RUNC_AMD64_SHA256SUM="76acadf30309b3e36aeb1bdb69238e52be2dd12e7a3557641e6f25415c1cb29b"
-ARG RUNC_ARM64_SHA256SUM="2216c944455b4664113ce0af8b4a6ddc3beb7bacecc06b45b03b004995c822c1"
-
-# Configure crictl binary from upstream
-ARG CRICTL_VERSION="v1.26.1"
-ARG CRICTL_URL="https://github.com/kubernetes-sigs/cri-tools/releases/download/${CRICTL_VERSION}/crictl-${CRICTL_VERSION}-linux-${TARGETARCH}.tar.gz"
-ARG CRICTL_AMD64_SHA256SUM="0c1a0f9900c15ee7a55e757bcdc220faca5dd2e1cfc120459ad1f04f08598127"
-ARG CRICTL_ARM64_SHA256SUM="cfa28be524b5da1a6dded455bb497dfead27b1fd089e1161eb008909509be585"
-
-# Configure CNI binaries from upstream
-ARG CNI_PLUGINS_VERSION="v1.2.0"
-ARG CNI_PLUGINS_TARBALL="${CNI_PLUGINS_VERSION}/cni-plugins-linux-${TARGETARCH}-${CNI_PLUGINS_VERSION}.tgz"
-ARG CNI_PLUGINS_URL="https://github.com/containernetworking/plugins/releases/download/${CNI_PLUGINS_TARBALL}"
-ARG CNI_PLUGINS_AMD64_SHA256SUM="f3a841324845ca6bf0d4091b4fc7f97e18a623172158b72fc3fdcdb9d42d2d37"
-ARG CNI_PLUGINS_ARM64_SHA256SUM="525e2b62ba92a1b6f3dc9612449a84aa61652e680f7ebf4eff579795fe464b57"
-
-# Configure containerd-fuse-overlayfs snapshotter binary from upstream
-ARG CONTAINERD_FUSE_OVERLAYFS_VERSION="1.0.5"
-ARG CONTAINERD_FUSE_OVERLAYFS_TARBALL="v${CONTAINERD_FUSE_OVERLAYFS_VERSION}/containerd-fuse-overlayfs-${CONTAINERD_FUSE_OVERLAYFS_VERSION}-linux-${TARGETARCH}.tar.gz"
-ARG CONTAINERD_FUSE_OVERLAYFS_URL="https://github.com/containerd/fuse-overlayfs-snapshotter/releases/download/${CONTAINERD_FUSE_OVERLAYFS_TARBALL}"
-ARG CONTAINERD_FUSE_OVERLAYFS_AMD64_SHA256SUM="1f4b12322cc1b044dfbbeaec30fc42295cedc8b6f0642146ba518333f9d5ddca"
-ARG CONTAINERD_FUSE_OVERLAYFS_ARM64_SHA256SUM="073e83196a7a73bd130fe44085bd65303c7e6cfc8c53ba46d90a16cbb8e5a112"
+FROM $BASE_IMAGE as base-arm64
+
+ARG CRICTL_ARM64_URL
+ARG CRICTL_ARM64_SHA256SUM_URL
+ARG CRICTL_URL=${CRICTL_ARM64_URL}
+ARG CRICTL_SHA256SUM_URL=${CRICTL_ARM64_SHA256SUM_URL}
+
+ARG TARGETARCH
+FROM base-$TARGETARCH as base
 
 # copy in static files
 # all scripts are 0755 (rwx r-x r-x)
@@ -102,11 +84,11 @@ COPY --chmod=0644 files/etc/systemd/system/kubelet.service.d/* /etc/systemd/syst
 RUN echo "Installing Packages ..." \
     && DEBIAN_FRONTEND=noninteractive clean-install \
       systemd \
-      conntrack iptables iproute2 ethtool socat util-linux mount ebtables kmod \
-      libseccomp2 pigz \
+      conntrack iptables iproute ethtool socat util-linux ebtables kmod \
+      libseccomp pigz \
       bash ca-certificates curl rsync \
-      nfs-common fuse-overlayfs open-iscsi \
-      jq \
+      nfs-utils \
+      containerd which tar procps hostname jq lockdev sudo \
     && find /lib/systemd/system/sysinit.target.wants/ -name "systemd-tmpfiles-setup.service" -delete \
     && rm -f /lib/systemd/system/multi-user.target.wants/* \
     && rm -f /etc/systemd/system/*.wants/* \
@@ -114,49 +96,65 @@ RUN echo "Installing Packages ..." \
     && rm -f /lib/systemd/system/sockets.target.wants/*udev* \
     && rm -f /lib/systemd/system/sockets.target.wants/*initctl* \
     && rm -f /lib/systemd/system/basic.target.wants/* \
-    && echo "ReadKMsg=no" >> /etc/systemd/journald.conf \
-    && ln -s "$(which systemd)" /sbin/init
+    # avoid runaway agetty processes most likely due to al2 being based on older centos 7
+    && systemctl mask getty@tty1.service \
+    && echo "ReadKMsg=no" >> /etc/systemd/journald.conf
 
 RUN echo "Enabling kubelet ... " \
     && systemctl enable kubelet.service
 
-RUN echo "Installing containerd ..." \
-    && curl -sSL --retry 5 --output /tmp/containerd.${TARGETARCH}.tgz "${CONTAINERD_URL}" \
-    && echo "${CONTAINERD_AMD64_SHA256SUM}  /tmp/containerd.amd64.tgz" | tee /tmp/containerd.sha256 \
-    && echo "${CONTAINERD_ARM64_SHA256SUM}  /tmp/containerd.arm64.tgz" | tee -a /tmp/containerd.sha256 \
-    && sha256sum --ignore-missing -c /tmp/containerd.sha256 \
-    && rm -f /tmp/containerd.sha256 \
-    && tar -C /usr/local -xzvf /tmp/containerd.${TARGETARCH}.tgz \
-    && rm -rf /tmp/containerd.${TARGETARCH}.tgz \
-    && rm -f /usr/local/bin/containerd-stress /usr/local/bin/containerd-shim-runc-v1 \
-    && curl -sSL --retry 5 --output /tmp/runc.${TARGETARCH} "${RUNC_URL}" \
-    && echo "${RUNC_AMD64_SHA256SUM}  /tmp/runc.amd64" | tee /tmp/runc.sha256 \
-    && echo "${RUNC_ARM64_SHA256SUM}  /tmp/runc.arm64" | tee -a /tmp/runc.sha256 \
-    && sha256sum --ignore-missing -c /tmp/runc.sha256 \
-    && mv /tmp/runc.${TARGETARCH} /usr/local/sbin/runc \
-    && chmod 755 /usr/local/sbin/runc \
+RUN echo "Enabling containerd ..." \
     && ctr oci spec \
         | jq '.hooks.createContainer[.hooks.createContainer| length] |= . + {"path": "/usr/local/bin/mount-product-files"}' \
         | jq 'del(.process.rlimits)' \
         > /etc/containerd/cri-base.json \
     && containerd --version \
     && runc --version \
-    && systemctl enable containerd
+    && systemctl enable containerd.service \
+    && cp /usr/lib/systemd/system/containerd.service /etc/systemd/system/containerd.service
 
-RUN echo "Installing crictl ..." \
+RUN echo "Installing crictl ..." \   
     && curl -sSL --retry 5 --output /tmp/crictl.${TARGETARCH}.tgz "${CRICTL_URL}" \
-    && echo "${CRICTL_AMD64_SHA256SUM}  /tmp/crictl.amd64.tgz" | tee /tmp/crictl.sha256 \
-    && echo "${CRICTL_ARM64_SHA256SUM}  /tmp/crictl.arm64.tgz" | tee -a /tmp/crictl.sha256 \
-    && sha256sum --ignore-missing -c /tmp/crictl.sha256 \
+    && echo "$(curl $CRICTL_SHA256SUM_URL | cut -d ' ' -f1)  /tmp/crictl.${TARGETARCH}.tgz" | tee /tmp/crictl.sha256 \
+    && sha256sum -c /tmp/crictl.sha256 \
     && rm -f /tmp/crictl.sha256 \
     && tar -C /usr/local/bin -xzvf /tmp/crictl.${TARGETARCH}.tgz \
-    && rm -rf /tmp/crictl.${TARGETARCH}.tgz
+    && rm -rf /tmp/crictl.${TARGETARCH}.tgz 
+
+RUN echo "Ensuring /etc/kubernetes/manifests" \
+    && mkdir -p /etc/kubernetes/manifests
+
+RUN echo "Adjusting systemd-tmpfiles timer" \
+    && sed -i /usr/lib/systemd/system/systemd-tmpfiles-clean.timer -e 's#OnBootSec=.*#OnBootSec=1min#'
+
+# These targets are basing off the "pushed" verison of the image above which is BUILDER_IMAGE
+# the final base will be eks-distro-base, with the contents from the above copied
+# into it to simulate "scratch" but from one of standard bases
+
+FROM $BUILDER_IMAGE as base-versioned-amd64
+
+ARG CNI_PLUGINS_AMD64_URL
+ARG CNI_PLUGINS_AMD64_SHA256SUM
+ARG CNI_PLUGINS_URL=${CNI_PLUGINS_AMD64_URL}
+ARG CNI_PLUGINS_SHA256SUM=${CNI_PLUGINS_AMD64_SHA256SUM}
+
+
+FROM $BUILDER_IMAGE as base-versioned-arm64
+
+ARG CNI_PLUGINS_ARM64_URL
+ARG CNI_PLUGINS_ARM64_SHA256SUM
+ARG CNI_PLUGINS_URL=${CNI_PLUGINS_ARM64_URL}
+ARG CNI_PLUGINS_SHA256SUM=${CNI_PLUGINS_ARM64_SHA256SUM}
+
+FROM base-versioned-$TARGETARCH as base-versioned-intermediate
+
+COPY --chmod=0755 files/usr/local/bin/* /usr/local/bin/
+COPY --chmod=0644 files/etc/* /etc
 
 RUN echo "Installing CNI plugin binaries ..." \
     && curl -sSL --retry 5 --output /tmp/cni.${TARGETARCH}.tgz "${CNI_PLUGINS_URL}" \
-    && echo "${CNI_PLUGINS_AMD64_SHA256SUM}  /tmp/cni.amd64.tgz" | tee /tmp/cni.sha256 \
-    && echo "${CNI_PLUGINS_ARM64_SHA256SUM}  /tmp/cni.arm64.tgz" | tee -a /tmp/cni.sha256 \
-    && sha256sum --ignore-missing -c /tmp/cni.sha256 \
+    && echo "${CNI_PLUGINS_SHA256SUM}  /tmp/cni.${TARGETARCH}.tgz" | tee /tmp/cni.sha256 \
+    && sha256sum -c /tmp/cni.sha256 \
     && rm -f /tmp/cni.sha256 \
     && mkdir -p /opt/cni/bin \
     && tar -C /opt/cni/bin -xzvf /tmp/cni.${TARGETARCH}.tgz \
@@ -169,24 +167,10 @@ RUN echo "Installing CNI plugin binaries ..." \
       \) \
       -delete
 
-RUN echo "Installing containerd-fuse-overlayfs ..." \
-    && curl -sSL --retry 5 --output /tmp/containerd-fuse-overlayfs.${TARGETARCH}.tgz "${CONTAINERD_FUSE_OVERLAYFS_URL}" \
-    && echo "${CONTAINERD_FUSE_OVERLAYFS_AMD64_SHA256SUM}  /tmp/containerd-fuse-overlayfs.amd64.tgz" | tee /tmp/containerd-fuse-overlayfs.sha256 \
-    && echo "${CONTAINERD_FUSE_OVERLAYFS_ARM64_SHA256SUM}  /tmp/containerd-fuse-overlayfs.arm64.tgz" | tee -a /tmp/containerd-fuse-overlayfs.sha256 \
-    && sha256sum --ignore-missing -c /tmp/containerd-fuse-overlayfs.sha256 \
-    && rm -f /tmp/containerd-fuse-overlayfs.sha256 \
-    && tar -C /usr/local/bin -xzvf /tmp/containerd-fuse-overlayfs.${TARGETARCH}.tgz \
-    && rm -rf /tmp/containerd-fuse-overlayfs.${TARGETARCH}.tgz
-
-RUN echo "Ensuring /etc/kubernetes/manifests" \
-    && mkdir -p /etc/kubernetes/manifests
 
-RUN echo "Adjusting systemd-tmpfiles timer" \
-    && sed -i /usr/lib/systemd/system/systemd-tmpfiles-clean.timer -e 's#OnBootSec=.*#OnBootSec=1min#'
+FROM $BASE_IMAGE as base-versioned
 
-# squash
-FROM scratch
-COPY --from=build / /
+COPY --from=base-versioned-intermediate / /
 
 # tell systemd that it is in docker (it will check for the container env)
 # https://systemd.io/CONTAINER_INTERFACE/
diff --git a/images/base/files/usr/local/bin/clean-install b/images/base/files/usr/local/bin/clean-install
index b0b861c3..f1d714a6 100755
--- a/images/base/files/usr/local/bin/clean-install
+++ b/images/base/files/usr/local/bin/clean-install
@@ -24,12 +24,10 @@ if [ $# = 0 ]; then
   echo >&2 "No packages specified"
   exit 1
 fi
-
-apt-get update
-apt-get upgrade -y
-apt-get install -y --no-install-recommends "$@"
-apt-get clean -y
+yum install -y "$@"
+yum clean all
 rm -rf \
+   /var/cache/yum/* \
    /var/cache/debconf/* \
    /var/lib/apt/lists/* \
    /var/log/* \
@@ -38,4 +36,4 @@ rm -rf \
    /usr/share/doc/* \
    /usr/share/doc-base/* \
    /usr/share/man/* \
-   /usr/share/local/*
+   /usr/share/local/* || true
-- 
2.39.2