Updates: (#217)

## Description

<!--- Please describe what this PR is going to change -->
- Use latest v1.0.0 linuxkit images.
- Add images dir with runc and containerd to be able to better control
the version.
- Use latest upstream init as it has cgroups v2 as the default.
- Add dhcp to the linuxkit services so that interfaces stay configured
after lease times expire.
- Update to latest Docker in Docker version and update linuxkit spec to
handle cgroups v2.
- Increase the kernel command line parameter size to 4096 bytes to allow
for longer things to be passed like certs, etc.
- Default to linuxkit 1.2.0 binary as the containerd issues are resolved
with the ccgroup v2 changes.

## Why is this needed

<!--- Link to issue you have raised -->

Fixes: #

## How Has This Been Tested?
<!--- Please describe in detail how you tested your changes. -->
<!--- Include details of your testing environment, and the tests you ran
to -->
<!--- see how your change affects other areas of the code, etc. -->


## How are existing users impacted? What migration steps/scripts do we
need?

<!--- Fixes a bug, unblocks installation, removes a component of the
stack etc -->
<!--- Requires a DB migration script, etc. -->


## Checklist:

I have:

- [ ] updated the documentation and/or roadmap (if required)
- [ ] added unit or e2e tests
- [ ] provided instructions on how to upgrade

.github/mergify.yml

@@ -3,6 +3,8 @@ queue_rules:
     conditions:
       # Conditions to get out of the queue (= merged)
       - check-success=DCO
+      - check-success~="^Hook .*"
+      - check-success~="^Kernel .*"
 
 pull_request_rules:
   - name: Automatic merge on approval
@@ -12,7 +14,8 @@ pull_request_rules:
       - "#changes-requested-reviews-by=0"
       - "#review-requested=0"
       - check-success=DCO
-      - check-success~=validation$
+      - check-success~="^Hook .*"
+      - check-success~="^Kernel .*"
       - label!=do-not-merge
       - label=ready-to-merge
     actions:

.github/workflows/build-all-matrix.yaml

@@ -4,6 +4,8 @@ on:
   #  # every day at 5am UTC
   #  - cron: '0 5 * * *'
   workflow_dispatch:
+  pull_request:
+  push:
 
 env: # Global environment, passed to all jobs & all steps
   # Default to quay.io, which is also the default for the CLI. 
@@ -24,6 +26,12 @@ env: # Global environment, passed to all jobs & all steps
 
   # GHA runner configuration. See bash/json-matrix.sh for more details.
   CI_RUNNER_LK_CONTAINERS_ARM64: "ARM64" # Use a self-hosted runner with the "ARM64" tag for the ARM64 builds of LK containers
+  CI_RUNNER_LK_CONTAINERS_AMD64: "X64" # Use a self-hosted runner with the "X86" tag for the AMD64 builds of LK containers
+  CI_RUNNER_LK_ARM64: "ARM64" # Use a self-hosted runner with the "ARM64" tag for the ARM64 linuxkit builds
+  CI_RUNNER_LK_AMD64: "X64" # Use a self-hosted runner with the "X86" tag for the AMD64 linuxkit builds
+  CI_RUNNER_KERNEL_AMD64: "X64" # Use a self-hosted runner with the "X86" tag for the AMD64 kernel builds
+  CI_RUNNER_KERNEL_ARM64: "ARM64" # Use a self-hosted runner with the "ARM64" tag for the ARM64 kernel builds
+
 
 jobs:
 
@@ -66,7 +74,7 @@ jobs:
         uses: docker/setup-buildx-action@v3
 
       - name: Docker Login to quay.io
-        if: ${{ env.REGISTRY == 'quay.io' }}
+        if: ${{ env.REGISTRY == 'quay.io' && github.ref == 'refs/heads/main' }}
         uses: docker/login-action@v3
         with: { registry: "quay.io", username: "${{ secrets.QUAY_USERNAME }}", password: "${{ secrets.QUAY_PASSWORD }}" }
 
@@ -78,7 +86,7 @@ jobs:
       - name: Build and Push LinuxKit containers for ${{matrix.docker_arch}}
         env:
           DOCKER_ARCH: "${{ matrix.docker_arch }}"
-          DO_PUSH: "yes"
+          DO_PUSH: "${{ github.ref == 'refs/heads/main' && 'yes' || 'no' }}"
         run: bash build.sh linuxkit-containers
 
   build-kernels:
@@ -97,7 +105,7 @@ jobs:
         uses: docker/setup-buildx-action@v3
 
       - name: Docker Login to quay.io
-        if: ${{ env.REGISTRY == 'quay.io' }}
+        if: ${{ env.REGISTRY == 'quay.io' && github.ref == 'refs/heads/main' }}
         uses: docker/login-action@v3
         with: { registry: "quay.io", username: "${{ secrets.QUAY_USERNAME }}", password: "${{ secrets.QUAY_PASSWORD }}" }
 
@@ -108,7 +116,7 @@ jobs:
 
       - name: Build and push Kernel ${{matrix.kernel}} (${{ matrix.arch }})
         env:
-          DO_PUSH: "yes"
+          DO_PUSH: "${{ github.ref == 'refs/heads/main' && 'yes' || 'no' }}"
         run: bash build.sh build-kernel "${{ matrix.kernel }}"
 
   build-hook-ensemble:
@@ -127,12 +135,12 @@ jobs:
         uses: docker/setup-buildx-action@v3
 
       - name: Docker Login to DockerHub # read-only token, required to be able to pull all the linuxkit pkgs without getting rate limited.
-        if: ${{ env.LOGIN_TO_DOCKERHUB == 'yes' }}
+        if: ${{ env.LOGIN_TO_DOCKERHUB == 'yes' && github.ref == 'refs/heads/main' }}
         uses: docker/login-action@v3
         with: { registry: "docker.io", username: "${{ secrets.DOCKERHUB_USERNAME }}", password: "${{ secrets.DOCKERHUB_PASSWORD }}" }
 
       - name: Docker Login to quay.io
-        if: ${{ env.REGISTRY == 'quay.io' }}
+        if: ${{ env.REGISTRY == 'quay.io' && github.ref == 'refs/heads/main' }}
         uses: docker/login-action@v3
         with: { registry: "quay.io", username: "${{ secrets.QUAY_USERNAME }}", password: "${{ secrets.QUAY_PASSWORD }}" }
 
@@ -178,7 +186,6 @@ jobs:
         with:
           pattern: "hook-tarball-*"
           merge-multiple: true
-          path: out
 
       - name: Figure Out Commit Short ID
         id: commitid
@@ -219,15 +226,15 @@ jobs:
         uses: jmgilman/actions-generate-checksum@v1
         with:
           method: sha512
-          patterns: out/*.tar.gz
+          patterns: "*.tar.gz"
 
       - name: Update latest release
         uses: softprops/action-gh-release@v2
         with:
           name: Hook Latest Development Build
           body: ${{env.RELEASE_NOTES}}
           files: |
-            out/*.tar.gz
+            *.tar.gz
             checksum.txt
           prerelease: true
           tag_name: latest

bash/hook-lk-containers.sh

@@ -4,9 +4,13 @@ function build_all_hook_linuxkit_containers() {
 	log info "Building all LinuxKit containers..."
 	: "${DOCKER_ARCH:?"ERROR: DOCKER_ARCH is not defined"}"
 
-	build_hook_linuxkit_container hook-bootkit HOOK_CONTAINER_BOOTKIT_IMAGE
-	build_hook_linuxkit_container hook-docker HOOK_CONTAINER_DOCKER_IMAGE
-	build_hook_linuxkit_container hook-mdev HOOK_CONTAINER_MDEV_IMAGE
+	# when adding new container builds here you'll also want to add them to the
+	# `linuxkit_build` function in the linuxkit.sh file.
+	build_hook_linuxkit_container images/hook-bootkit HOOK_CONTAINER_BOOTKIT_IMAGE
+	build_hook_linuxkit_container images/hook-docker HOOK_CONTAINER_DOCKER_IMAGE
+	build_hook_linuxkit_container images/hook-mdev HOOK_CONTAINER_MDEV_IMAGE
+	build_hook_linuxkit_container images/containerd HOOK_CONTAINER_CONTAINERD_IMAGE
+	build_hook_linuxkit_container images/runc HOOK_CONTAINER_RUNC_IMAGE
 }
 
 function build_hook_linuxkit_container() {

bash/json-matrix.sh

@@ -47,12 +47,12 @@ function output_gha_matrixes() {
 	prepare_json_matrix_lkcontainers "LK_CONTAINERS" # reads all_arches's keys and sets full_json
 	declare lkcontainers_json="${full_json}"
 
-	# If under GHA, set a GHA output variable, otherwise just log them
-	if [[ -z "${GITHUB_OUTPUT}" ]]; then
-		log info "Would have set GHA output kernels_json to: ${kernels_json}"
-		log info "Would have set GHA output lk_hooks_json to: ${lk_hooks_json}"
-		log info "Would have set GHA output lkcontainers_json to: ${lkcontainers_json}"
-	else
+	log info "kernels_json to: ${kernels_json}"
+	log info "lk_hooks_json to: ${lk_hooks_json}"
+	log info "lkcontainers_json to: ${lkcontainers_json}"
+
+	# If under GHA, set a GHA output variable.
+	if [[ -n "${GITHUB_OUTPUT}" ]]; then
 		# shellcheck disable=SC2129 # no, thanks, shellcheck.
 		echo "kernels_json=${kernels_json}" >> "${GITHUB_OUTPUT}"
 		echo "lk_hooks_json=${lk_hooks_json}" >> "${GITHUB_OUTPUT}"

bash/linuxkit.sh

@@ -50,7 +50,7 @@ function linuxkit_build() {
 	fi
 
 	# Build the containers in this repo used in the LinuxKit YAML;
-	build_all_hook_linuxkit_containers # sets HOOK_CONTAINER_BOOTKIT_IMAGE, HOOK_CONTAINER_DOCKER_IMAGE, HOOK_CONTAINER_MDEV_IMAGE
+	build_all_hook_linuxkit_containers # sets HOOK_CONTAINER_BOOTKIT_IMAGE, HOOK_CONTAINER_DOCKER_IMAGE, HOOK_CONTAINER_MDEV_IMAGE, HOOK_CONTAINER_CONTAINERD_IMAGE
 
 	# Template the linuxkit configuration file.
 	# - You'd think linuxkit would take --build-args or something by now, but no.
@@ -67,7 +67,9 @@ function linuxkit_build() {
 			HOOK_CONTAINER_BOOTKIT_IMAGE="${HOOK_CONTAINER_BOOTKIT_IMAGE}" \
 			HOOK_CONTAINER_DOCKER_IMAGE="${HOOK_CONTAINER_DOCKER_IMAGE}" \
 			HOOK_CONTAINER_MDEV_IMAGE="${HOOK_CONTAINER_MDEV_IMAGE}" \
-			envsubst '$HOOK_VERSION $HOOK_KERNEL_IMAGE $HOOK_KERNEL_ID $HOOK_KERNEL_VERSION $HOOK_CONTAINER_BOOTKIT_IMAGE $HOOK_CONTAINER_DOCKER_IMAGE $HOOK_CONTAINER_MDEV_IMAGE' \
+			HOOK_CONTAINER_CONTAINERD_IMAGE="${HOOK_CONTAINER_CONTAINERD_IMAGE}" \
+			HOOK_CONTAINER_RUNC_IMAGE="${HOOK_CONTAINER_RUNC_IMAGE}" \
+			envsubst '$HOOK_VERSION $HOOK_KERNEL_IMAGE $HOOK_KERNEL_ID $HOOK_KERNEL_VERSION $HOOK_CONTAINER_BOOTKIT_IMAGE $HOOK_CONTAINER_DOCKER_IMAGE $HOOK_CONTAINER_MDEV_IMAGE $HOOK_CONTAINER_CONTAINERD_IMAGE $HOOK_CONTAINER_RUNC_IMAGE' \
 			> "hook.${inventory_id}.yaml"
 
 	declare -g linuxkit_bin=""
@@ -139,7 +141,7 @@ function linuxkit_build() {
 
 	# tar the files into out/hook.tar in such a way that vmlinuz and initramfs are at the root of the tar; pigz it
 	# Those are the artifacts published to the GitHub release
-	tar -cvf- -C "out/hook" "${output_files[@]}" | pigz > "out/hook-${OUTPUT_ID}.tar.gz"
+	tar -cvf- -C "out/hook" "${output_files[@]}" | pigz > "out/hook_${OUTPUT_ID}.tar.gz"
 }
 
 function linuxkit_run_qemu() {

build.sh

@@ -29,7 +29,7 @@ declare -g HOOK_LK_CONTAINERS_OCI_BASE="${HOOK_LK_CONTAINERS_OCI_BASE:-"quay.io/
 declare -g SKOPEO_IMAGE="${SKOPEO_IMAGE:-"quay.io/skopeo/stable:latest"}"
 
 # See https://github.com/linuxkit/linuxkit/releases
-declare -g -r LINUXKIT_VERSION_DEFAULT="1.0.1" # LinuxKit version to use by default; each flavor can set its own too
+declare -g -r LINUXKIT_VERSION_DEFAULT="1.2.0" # LinuxKit version to use by default; each flavor can set its own too
 
 # Directory to use for storing downloaded artifacts: LinuxKit binary, shellcheck binary, etc.
 declare -g -r CACHE_DIR="${CACHE_DIR:-"cache"}"

images/containerd/Dockerfile

@@ -0,0 +1,46 @@
+FROM linuxkit/alpine:146f540f25cd92ec8ff0c5b0c98342a9a95e479e as builder
+
+
+# checkout and compile containerd
+# Update `FROM` in `pkg/containerd/Dockerfile`, `pkg/init/Dockerfile` and
+# `test/pkg/containerd/Dockerfile` when changing this.
+ENV CONTAINERD_REPO=https://github.com/containerd/containerd.git
+
+ENV CONTAINERD_COMMIT=v1.7.15
+ENV GOPATH=/go
+RUN apk add go git
+RUN mkdir -p $GOPATH/src/github.com/containerd && \
+  cd $GOPATH/src/github.com/containerd && \
+  git clone https://github.com/containerd/containerd.git && \
+  cd $GOPATH/src/github.com/containerd/containerd && \
+  git checkout $CONTAINERD_COMMIT
+RUN apk add --no-cache btrfs-progs-dev gcc libc-dev linux-headers make libseccomp-dev
+WORKDIR $GOPATH/src/github.com/containerd/containerd
+RUN make binaries EXTRA_FLAGS="-buildmode pie" EXTRA_LDFLAGS='-extldflags "-fno-PIC -static"' BUILDTAGS="static_build no_devmapper"
+
+RUN cp bin/containerd bin/ctr bin/containerd-shim bin/containerd-shim-runc-v2 /usr/bin/
+RUN strip /usr/bin/containerd /usr/bin/ctr /usr/bin/containerd-shim /usr/bin/containerd-shim-runc-v2
+
+FROM scratch as containerd-dev
+ENTRYPOINT []
+WORKDIR /
+COPY --from=builder /usr/bin/containerd /usr/bin/ctr /usr/bin/containerd-shim /usr/bin/containerd-shim-runc-v2 /usr/bin/
+COPY --from=builder /go/src/github.com/containerd/containerd /go/src/github.com/containerd/containerd
+
+# Dockerfile to build linuxkit/containerd for linuxkit
+FROM linuxkit/alpine:146f540f25cd92ec8ff0c5b0c98342a9a95e479e as alpine
+
+RUN apk add tzdata binutils
+RUN mkdir -p /etc/init.d && ln -s /usr/bin/service /etc/init.d/020-containerd
+
+FROM containerd-dev
+
+FROM scratch
+ENTRYPOINT []
+WORKDIR /
+COPY --from=containerd-dev /usr/bin/containerd /usr/bin/ctr /usr/bin/containerd-shim /usr/bin/containerd-shim-runc-v2 /usr/bin/
+COPY --from=alpine /usr/share/zoneinfo/UTC /etc/localtime
+COPY --from=alpine /etc/init.d/ /etc/init.d/
+COPY etc etc/
+COPY --from=alpine /etc/apk /etc/apk/
+COPY --from=alpine /lib/apk /lib/apk/

images/containerd/etc/containerd/config.toml

@@ -0,0 +1,15 @@
+state = "/run/containerd"
+root = "/var/lib/containerd"
+disabled_plugins = ["cri"]
+
+[grpc]
+  address = "/run/containerd/containerd.sock"
+  uid = 0
+  gid = 0
+
+[debug]
+  address = "/run/containerd/debug.sock"
+  level = "info"
+
+[metrics]
+  address = ""

hook-bootkit/Dockerfile → images/hook-bootkit/Dockerfile

@@ -1,4 +1,4 @@
-FROM golang:1.20-alpine as dev
+FROM golang:1.21-alpine as dev
 COPY . /src/
 WORKDIR /src
 RUN go mod download

hook-bootkit/go.mod → images/hook-bootkit/go.mod

@@ -3,30 +3,39 @@ module github.com/tinkerbell/hook/hook-bootkit
 go 1.17
 
 require (
-	github.com/cenkalti/backoff/v4 v4.2.1
-	github.com/docker/docker v24.0.4+incompatible
-	github.com/go-logr/logr v1.2.4
+	github.com/cenkalti/backoff/v4 v4.3.0
+	github.com/docker/docker v26.1.0+incompatible
+	github.com/go-logr/logr v1.4.1
 	github.com/go-logr/zerologr v1.2.3
 	github.com/rs/zerolog v1.30.0
 )
 
 require (
 	github.com/Microsoft/go-winio v0.6.1 // indirect
-	github.com/docker/distribution v2.8.2+incompatible // indirect
+	github.com/containerd/log v0.1.0 // indirect
+	github.com/distribution/reference v0.6.0 // indirect
 	github.com/docker/go-connections v0.4.0 // indirect
 	github.com/docker/go-units v0.5.0 // indirect
+	github.com/felixge/httpsnoop v1.0.4 // indirect
+	github.com/go-logr/stdr v1.2.2 // indirect
 	github.com/gogo/protobuf v1.3.2 // indirect
 	github.com/mattn/go-colorable v0.1.12 // indirect
 	github.com/mattn/go-isatty v0.0.14 // indirect
+	github.com/moby/docker-image-spec v1.3.1 // indirect
 	github.com/moby/term v0.5.0 // indirect
 	github.com/morikuni/aec v1.0.0 // indirect
 	github.com/opencontainers/go-digest v1.0.0 // indirect
 	github.com/opencontainers/image-spec v1.0.2 // indirect
 	github.com/pkg/errors v0.9.1 // indirect
-	github.com/stretchr/testify v1.8.4 // indirect
+	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.51.0 // indirect
+	go.opentelemetry.io/otel v1.26.0 // indirect
+	go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.26.0 // indirect
+	go.opentelemetry.io/otel/metric v1.26.0 // indirect
+	go.opentelemetry.io/otel/sdk v1.26.0 // indirect
+	go.opentelemetry.io/otel/trace v1.26.0 // indirect
 	golang.org/x/mod v0.8.0 // indirect
-	golang.org/x/net v0.12.0 // indirect
-	golang.org/x/sys v0.10.0 // indirect
+	golang.org/x/net v0.23.0 // indirect
+	golang.org/x/sys v0.19.0 // indirect
 	golang.org/x/time v0.3.0 // indirect
 	golang.org/x/tools v0.6.0 // indirect
 	gotest.tools/v3 v3.5.0 // indirect