Multi-arch, multi-distro matrix build

Author: rpardini

Diff for: .dockerignore

@@ -0,0 +1,3 @@
+.git
+.github
+out

Diff for: .github/workflows/main-latest.yml

@@ -0,0 +1,138 @@
+name: main-latest
+
+on:
+  push:
+    branches: [ main ]
+
+jobs:
+
+  prepare:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Prepare release ID
+        id: prep
+        run: |
+          echo ::set-output name=created::$(date -u +'%Y%m%d-%H%M')
+    outputs:
+      created: ${{ steps.prep.outputs.created }} # refer to as ${{needs.prepare.outputs.created}}
+
+
+  build:
+    needs: [ prepare ]
+    runs-on: ubuntu-latest # soon to support hosted runners for arm64
+    strategy:
+      fail-fast: false # let other jobs try to complete if one fails
+      matrix:
+        arch: [ 'amd64' , 'arm64' ]
+        distro: [ 'ubuntu:impish', 'ubuntu:hirsute', 'golang:1.16-bullseye', 'debian:sid' ]
+        # FIXME: if you know of an updated multiarch Ubuntu Focal image with 1.16 golang please PR
+    steps:
+
+      - name: Checkout
+        uses: actions/checkout@v2
+
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v1
+
+      - name: Set up Docker Buildx
+        id: buildx
+        uses: docker/setup-buildx-action@v1
+
+      - name: Cache Docker layers ${{ matrix.arch }} ${{ matrix.distro }}
+        uses: actions/cache@v2
+        with:
+          path: /tmp/.buildx-cache
+          key: ${{ runner.os }}-buildx-${{ matrix.arch }}-${{ matrix.distro }}-${{ github.sha }}
+          restore-keys: |
+            ${{ runner.os }}-buildx-${{ matrix.arch }}-${{ matrix.distro }}
+
+      - name: Build ${{ matrix.arch }} ${{ matrix.distro }}
+        uses: docker/build-push-action@v2
+        with:
+          context: .
+          file: ./Dockerfile
+          platforms: linux/${{ matrix.arch }}
+          load: true
+          pull: true # bring in updated versions of preexisting GH images
+          push: false
+          tags: k8s-worker-containerd:${{ matrix.arch }}
+          cache-from: type=local,src=/tmp/.buildx-cache
+          cache-to: type=local,dest=/tmp/.buildx-cache-new,mode=max
+          build-args: |
+            PACKAGE_VERSION=${{needs.prepare.outputs.created}}
+            BASE_IMAGE=${{ matrix.distro }}
+            OS_ARCH=${{ matrix.arch }}
+
+      - name: Extract artifacts from docker ${{ matrix.arch }} ${{ matrix.distro }}
+        run: docker cp $(docker create --rm k8s-worker-containerd:${{ matrix.arch }}):/out ./
+
+      - name: Upload deb as artifact ${{ matrix.arch }} ${{ matrix.distro }}
+        uses: actions/upload-artifact@v2
+        with:
+          name: deb
+          path: out/*.deb
+
+      - name: Upload tarball as artifact ${{ matrix.arch }} ${{ matrix.distro }}
+        uses: actions/upload-artifact@v2
+        with:
+          name: tarball
+          path: out/*.tar.gz
+
+      # Temp fix: https://github.com/docker/build-push-action/issues/252
+      - name: Move caches ${{ matrix.arch }} ${{ matrix.distro }}
+        run: |
+          echo "Old ${{ matrix.arch }} ${{ matrix.distro }} cache..."
+          ls -lahtR /tmp/.buildx-cache || true
+          if [[ -d /tmp/.buildx-cache-new ]]; then
+            echo "New  ${{ matrix.arch }} ${{ matrix.distro }} cache..."
+            ls -lahtR /tmp/.buildx-cache-new
+            echo "Flipping  ${{ matrix.arch }} ${{ matrix.distro }} cache..."
+            rm -rf /tmp/.buildx-cache
+            mv /tmp/.buildx-cache-new /tmp/.buildx-cache
+          fi
+
+  release:
+    needs: [ prepare, build ] # depend on the previous jobs...
+    if: "${{ always() }}" # ... but run even if (some of) them failed.
+    runs-on: ubuntu-latest
+    steps:
+      # Download the built artifacts from GH artifacts.  
+      - uses: actions/download-artifact@v2
+        name: Download deb artifacts
+        with:
+          name: deb
+          path: out
+
+      - uses: actions/download-artifact@v2
+        name: Download tarball artifacts
+        with:
+          name: tarball
+          path: out
+
+      - name: List artifacts downloaded
+        run: |
+          ls -lahtR
+
+      # Release the artifacts into GitHub Releases
+      - name: "GH specific release"
+        uses: "marvinpinto/action-automatic-releases@latest"
+        with:
+          repo_token: "${{ secrets.GITHUB_TOKEN }}"
+          automatic_release_tag: "${{needs.prepare.outputs.created}}"
+          prerelease: false
+          title: "${{needs.prepare.outputs.created}}"
+          files: |
+            out/*.deb
+            out/*.tar.gz
+
+      #- name: "GH latest release"
+      #  uses: "marvinpinto/action-automatic-releases@latest"
+      #  with:
+      #    repo_token: "${{ secrets.GITHUB_TOKEN }}"
+      #    automatic_release_tag: "latest"
+      #    prerelease: false
+      #    title: "Latest: ${{needs.prepare.outputs.created}}"
+      #    files: |
+      #      out/*.deb
+      #      out/*.tar.gz
+

Diff for: .gitignore

@@ -0,0 +1,2 @@
+.idea
+out

Diff for: Dockerfile

@@ -0,0 +1,144 @@
+ARG BASE_IMAGE="ubuntu:hirsute"
+FROM ${BASE_IMAGE} as build
+
+ARG OS_ARCH="amd64"
+
+ENV DEBIAN_FRONTEND=noninteractive
+RUN apt-get -y update
+RUN apt-get -y dist-upgrade
+RUN apt-get -y install git bash wget curl build-essential devscripts debhelper libseccomp-dev libapparmor-dev libassuan-dev libbtrfs-dev libc6-dev libdevmapper-dev libglib2.0-dev libgpgme-dev libgpg-error-dev libprotobuf-dev libprotobuf-c-dev libseccomp-dev libselinux1-dev libsystemd-dev pkg-config
+SHELL ["/bin/bash", "-e", "-c"]
+RUN which go || apt-get -y install golang-go
+
+
+# See https://github.com/kelseyhightower/kubernetes-the-hard-way/blob/79a3f79b27bd28f82f071bb877a266c2e62ee506/docs/09-bootstrapping-kubernetes-workers.md#download-and-install-worker-binaries
+
+# Build runc from source
+FROM build as runc
+WORKDIR /src
+ARG RUNC_VERSION="v1.0.2"
+RUN git clone --depth=1 --single-branch --branch=${RUNC_VERSION} https://github.com/opencontainers/runc /src/runc
+WORKDIR /src/runc
+RUN make
+
+# Build conmon from source
+FROM build as conmon
+WORKDIR /src
+ARG CONMON_VERSION="v2.0.30"
+RUN git clone --depth=1 --single-branch --branch=${CONMON_VERSION} https://github.com/containers/conmon.git /src/conmon
+WORKDIR /src/conmon
+RUN make
+
+# Build podman from source.
+FROM build as podman
+WORKDIR /src
+ARG PODMAN_VERSION="v3.4.1"
+RUN git clone --depth=1 --single-branch --branch=${PODMAN_VERSION} https://github.com/containers/podman.git /src/podman
+WORKDIR /src/podman
+RUN make BUILDTAGS="selinux seccomp systemd"
+
+# Build containerd from source
+FROM build as containerd
+WORKDIR /src
+ARG CONTAINERD_VERSION="v1.5.7"
+RUN git clone --depth=1 --single-branch --branch=${CONTAINERD_VERSION} https://github.com/containerd/containerd /src/containerd
+WORKDIR /src/containerd
+RUN BUILDTAGS=no_btrfs make
+
+# Build cri-tools from source
+FROM build as cri-tools
+WORKDIR /src
+ARG CRI_TOOLS_VERSION="v1.22.0"
+RUN git clone --depth=1 --single-branch --branch=${CRI_TOOLS_VERSION} https://github.com/kubernetes-sigs/cri-tools /src/cri-tools
+WORKDIR /src/cri-tools
+RUN make
+
+# Build cfssl from source 
+FROM build as cfssl
+WORKDIR /src
+ARG CFSSL_VERSION="v1.6.1"
+RUN git clone --depth=1 --single-branch --branch=${CFSSL_VERSION} https://github.com/cloudflare/cfssl /src/cfssl
+WORKDIR /src/cfssl
+RUN make
+
+# Build nerdctl from source 
+FROM build as nerdctl
+WORKDIR /src
+ARG NERDCTL_VERSION="v0.12.1"
+RUN git clone --depth=1 --single-branch --branch=${NERDCTL_VERSION} https://github.com/containerd/nerdctl /src/nerdctl
+WORKDIR /src/nerdctl
+RUN make
+
+# Prepare the results in /out
+FROM build as packager
+WORKDIR /out/usr/sbin
+COPY --from=runc /src/runc/runc .
+
+WORKDIR /out/usr/bin
+COPY --from=cri-tools /src/cri-tools/build/bin/crictl crictl-latest
+COPY --from=cri-tools /src/cri-tools/build/bin/critest .
+COPY --from=containerd /src/containerd/bin/* .
+COPY --from=podman /src/podman/bin/podman .
+COPY --from=conmon /src/conmon/bin/conmon .
+COPY --from=cfssl /src/cfssl/bin/cfssl .
+COPY --from=cfssl /src/cfssl/bin/cfssljson .
+COPY --from=nerdctl /src/nerdctl/_output/nerdctl .
+
+# add podman default configs
+WORKDIR /out/etc/containers
+RUN curl -L -o /out/etc/containers/registries.conf https://src.fedoraproject.org/rpms/containers-common/raw/main/f/registries.conf
+RUN curl -L -o /out/etc/containers/policy.json https://src.fedoraproject.org/rpms/containers-common/raw/main/f/default-policy.json
+
+# Prepare debian binary package
+WORKDIR /pkg/src
+ADD debian /pkg/src/debian
+RUN cp -rvp /out/* /pkg/src/
+# Create the .install file with the binaries to be installed, without leading slash
+RUN find /out -type f | sed -e 's/^\/out\///g' > debian/k8s-worker-containerd.install
+
+# Create the "Architecture: amd64" field in control
+RUN echo "Architecture: ${OS_ARCH}" >> /pkg/src/debian/control
+RUN cat /pkg/src/debian/control
+
+# Create the Changelog, fake. The atrocities we do in dockerfiles.
+ARG PACKAGE_VERSION="20210928"
+RUN echo "k8s-worker-containerd (${PACKAGE_VERSION}) stable; urgency=medium" >> /pkg/src/debian/changelog
+RUN echo "" >> /pkg/src/debian/changelog
+RUN echo "  * Not a real changelog. Sorry." >> /pkg/src/debian/changelog
+RUN echo "" >> /pkg/src/debian/changelog
+RUN echo " -- Ricardo Pardini <[email protected]>  Wed, 15 Sep 2021 14:18:33 +0200" >> /pkg/src/debian/changelog
+RUN cat /pkg/src/debian/changelog
+
+
+# Build the package, don't sign it, don't lint it, compress fast with xz
+WORKDIR /pkg/src
+RUN debuild --no-lintian --build=binary -us -uc -Zxz -z1 
+RUN file /pkg/*.deb
+
+# Show package info
+RUN dpkg-deb -I /pkg/*.deb || true
+RUN dpkg-deb -f /pkg/*.deb || true
+
+# Install it to make sure it works
+RUN dpkg -i /pkg/*.deb
+RUN runc --version
+RUN containerd --version
+RUN crictl-latest --version # Real bin
+RUN crictl --version # symlink in usr/local/bin
+RUN podman --version
+RUN conmon --version
+RUN cfssl version
+RUN cfssljson --version
+RUN nerdctl --version
+RUN dpkg -L k8s-worker-containerd
+
+# Now prepare the real output: a tarball of /out, and the .deb for this arch.
+WORKDIR /artifacts
+RUN cp -v /pkg/*.deb k8s-worker-containerd_${OS_ARCH}_$(lsb_release -c -s).deb
+WORKDIR /out
+RUN tar czvf /artifacts/k8s-worker-containerd_${OS_ARCH}_$(lsb_release -c -s).tar.gz *
+
+# Final stage is just alpine so we can start a fake container just to get at its contents using docker in GHA
+FROM alpine:3.14.2
+COPY --from=packager /artifacts/* /out/
+

Diff for: build-docker.sh

@@ -0,0 +1,6 @@
+#!/usr/bin/env bash
+
+rm -rf ./out
+docker buildx build --progress=plain --platform=linux/amd64 --build-arg BASE_IMAGE=golang:1.16-bullseye -t containerd:amd64 .
+docker cp $(docker create --rm containerd:amd64):/out ./
+ls -lah ./out/

Diff for: debian/compat

@@ -0,0 +1 @@
+14

Diff for: debian/control

@@ -0,0 +1,17 @@
+Maintainer: Ricardo Pardini <[email protected]>
+Source: k8s-worker-containerd
+Section: admin
+Priority: optional
+Build-Depends: debhelper (>=9.2), lsb-release, bash (>= 4.0)
+Standards-Version: 3.9.6
+Homepage: https://containerd.io/
+
+Package: k8s-worker-containerd
+Provides: golang-cfssl, containerd, runc, podman, conman, golang-github-containers-image, golang-github-containers-common, cri-tools
+Conflicts: golang-cfssl, containerd, runc, podman, conman, golang-github-containers-image, golang-github-containers-common
+Description: containerd/run/cri-tools/podman/conman for k8s
+ containerd/run/cri-tools/podman/conman
+ Built from source. Docker-free stuff.
+Section: admin
+Pre-Depends: bash (>= 4.0)
+Depends: ${misc:Depends}, ${shlibs:Depends}

Diff for: debian/copyright

@@ -0,0 +1,3 @@
+Files: debian/*
+Copyright: 2021-2021 Ricardo Pardini <[email protected]>
+License: Apache

Diff for: debian/k8s-worker-containerd.containerd.service

@@ -0,0 +1,40 @@
+# Copyright The containerd Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+[Unit]
+Description=containerd container runtime
+Documentation=https://containerd.io
+After=network.target local-fs.target
+
+[Service]
+ExecStartPre=-/sbin/modprobe overlay
+ExecStart=/usr/bin/containerd
+
+Type=notify
+Delegate=yes
+KillMode=process
+Restart=always
+RestartSec=5
+# Having non-zero Limit*s causes performance problems due to accounting overhead
+# in the kernel. We recommend using cgroups to do container-local accounting.
+LimitNPROC=infinity
+LimitCORE=infinity
+LimitNOFILE=infinity
+# Comment TasksMax if your systemd version does not supports it.
+# Only systemd 226 and above support this version.
+TasksMax=infinity
+OOMScoreAdjust=-999
+
+[Install]
+WantedBy=multi-user.target

Diff for: debian/k8s-worker-containerd.postinst

@@ -0,0 +1,11 @@
+#!/bin/sh
+set -e
+
+#DEBHELPER#
+
+echo "k8s-worker-containerd: cri-tools: Installink symlink to /usr/bin/crictl-latest as /usr/local/bin/crictl"
+rm -f /usr/local/bin/crictl
+ln -s /usr/bin/crictl-latest /usr/local/bin/crictl
+/usr/local/bin/crictl --version
+
+exit 0

Diff for: debian/rules

@@ -0,0 +1,14 @@
+#!/usr/bin/make -f
+# -*- makefile -*-
+
+# Uncomment this to turn on verbose mode.
+#export DH_VERBOSE=1
+export DEB_BUILD_OPTIONS=nostrip
+
+%:
+	dh $@
+
+
+override_dh_installsystemd:
+	dh_installsystemd --name=containerd --no-enable --no-start
+

Diff for: debian/source/format

@@ -0,0 +1 @@
+3.0 (native)