latchbio · maximsmol · Aug 7, 2023 · Aug 7, 2023 · Aug 7, 2023 · Aug 8, 2023
diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
@@ -0,0 +1,153 @@
+name: Packer Build
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+    branches:
+      - main
+jobs:
+  prepare:
+    name: Build EKS AMI
+    runs-on: ubuntu-latest
+    permissions:
+      contents: 'read'
+      id-token: 'write'
+    env:
+      # renovate: datasource=github-tags depName=nestybox/sysbox
+      SYSBOX_VERSION: v0.6.2
+    outputs:
+      new_release_version: ${{ steps.semantic_release.outputs.new_release_version }}
+      new_release_published: ${{ steps.semantic_release.outputs.new_release_published }}
+      sysbox_version: ${{ env.SYSBOX_VERSION }}
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+          token: ${{ secrets.PLURAL_BOT_PAT }}
+      - name: 'Setup Node'
+        uses: actions/setup-node@v3
+        if: github.event_name != 'pull_request'
+        with:
+          node-version: 18.12.1
+      - name: Semantic Release
+        uses: cycjimmy/semantic-release-action@v3
+        id: semantic_release
+        with:
+          dry_run: true
+        env:
+          GITHUB_TOKEN: ${{ secrets.PLURAL_BOT_PAT }}
+          NODE_AUTH_TOKEN: ${{ secrets.PLURAL_BOT_NPM_TOKEN }}
+      - name: Cache sysbox and cri-o files
+        id: sysbox_cache
+        uses: actions/cache@v3
+        with:
+          path: tmp
+          key: ${{ runner.os }}-build-${{ env.SYSBOX_VERSION }}
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v3
+        if: steps.sysbox_cache.outputs.cache-hit != 'true'
+      - name: Get sysbox and cri-o files
+        if: steps.sysbox_cache.outputs.cache-hit != 'true'
+        run: make get-files
+  packer_build_eks:
+    name: Build EKS AMI
+    runs-on: ubuntu-latest
+    needs: prepare
+    permissions:
+      contents: 'read'
+      id-token: 'write'
+    strategy:
+      fail-fast: false
+      matrix:
+        k8s_version: ["1.23", "1.24", "1.25", "1.26"]
+        ubuntu_version: ["focal-20.04"]
+        architecture: ["amd64", "arm64"]
+        sysbox_version: ["${{ needs.prepare.outputs.sysbox_version }}"]
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+      - name: Configure AWS Credentials
+        uses: aws-actions/configure-aws-credentials@v4
+        if: github.event_name != 'pull_request'
+        with:
+          aws-region: us-east-2
+          role-to-assume: arn:aws:iam::654897662046:role/github-actions/plural-sysbox-amis-packer
+          role-session-name: SysboxAmisPacker
+      - name: Setup `packer`
+        uses: hashicorp/setup-packer@main
+        id: setup
+        with:
+          version: 1.9.2
+      - name: Restore downloaded files
+        uses: actions/cache/restore@v3
+        with:
+          path: tmp
+          key: ${{ runner.os }}-build-${{ matrix.sysbox_version }}
+      - name: Run `packer init`
+        id: init
+        run: "packer init ."
+      - name: Run `packer validate`
+        id: validate
+        run: "packer validate ."
+      - name: Run `packer build`
+        id: build
+        # always is used here to ensure the builds can't get cancelled and leave dangling resources
+        if: always() && (github.event_name != 'pull_request' && needs.prepare.outputs.new_release_published == 'true')
+        env:
+          PKR_VAR_k8s_version: ${{ matrix.k8s_version }}
+          PKR_VAR_ubuntu_version: ${{ matrix.ubuntu_version }}
+          PKR_VAR_architecture: ${{ matrix.architecture }}
+          PKR_VAR_sysbox_version: ${{ matrix.sysbox_version }}
+          PKR_VAR_img_version: ${{ needs.prepare.outputs.new_release_version }}
+        run: "packer build ."
+  release:
+    runs-on: ubuntu-latest
+    needs: packer_build_eks
+    permissions:
+      contents: 'read'
+      id-token: 'write'
+    if: github.event_name != 'pull_request'
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+          token: ${{ secrets.PLURAL_BOT_PAT }}
+      - name: 'Setup Node'
+        uses: actions/setup-node@v3
+        if: github.event_name != 'pull_request'
+        with:
+          node-version: 18.12.1
+      - name: Semantic Release
+        uses: cycjimmy/semantic-release-action@v3
+        id: semantic_release
+        if: github.event_name != 'pull_request'
+        env:
+          GITHUB_TOKEN: ${{ secrets.PLURAL_BOT_PAT }}
+          NODE_AUTH_TOKEN: ${{ secrets.PLURAL_BOT_NPM_TOKEN }}
+  # trivy-scan:
+  #   name: Trivy fs scan
+  #   runs-on: ubuntu-latest
+  #   permissions:
+  #     contents: read # for actions/checkout to fetch code
+  #     security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
+  #     actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
+  #   steps:
+  #     - name: Checkout code
+  #       uses: actions/checkout@v3
+  #     - name: Run Trivy vulnerability scanner in fs mode
+  #       uses: aquasecurity/trivy-action@master
+  #       with:
+  #         scan-type: 'fs'
+  #         hide-progress: false
+  #         format: 'sarif'
+  #         output: 'trivy-results.sarif'
+  #         scanners: 'vuln,secret'
+  #         ignore-unfixed: true
+  #         #severity: 'CRITICAL,HIGH'
+  #     - name: Upload Trivy scan results to GitHub Security tab
+  #       uses: github/codeql-action/upload-sarif@v2
+  #       with:
+  #         sarif_file: 'trivy-results.sarif'
diff --git a/.github/workflows/linting.yaml b/.github/workflows/linting.yaml
diff --git a/.github/workflows/semantic-pr.yaml b/.github/workflows/semantic-pr.yaml
@@ -0,0 +1,18 @@
+name: "Semantic PR"
+
+on:
+  workflow_dispatch:
+  pull_request_target:
+    types:
+      - opened
+      - edited
+      - synchronize
+
+jobs:
+  main:
+    name: Validate PR title
+    runs-on: ubuntu-latest
+    steps:
+      - uses: amannn/action-semantic-pull-request@v5
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.gitignore b/.gitignore
@@ -1,4 +1,4 @@
 .DS_Store
 
 /scratch
-/crio
+/tmp
diff --git a/.releaserc b/.releaserc
@@ -0,0 +1,5 @@
+branches: ["main"]
+plugins:
+- "@semantic-release/commit-analyzer"
+- "@semantic-release/release-notes-generator"
+- "@semantic-release/github"
diff --git a/Makefile b/Makefile
@@ -0,0 +1,19 @@
+SYSBOX_VERSION ?= v0.6.2
+
+get-files:
+	rm -rf ./tmp
+	mkdir -p ./tmp/sysbox/amd64/bin
+	mkdir -p ./tmp/sysbox/arm64/bin
+	mkdir -p ./tmp/crio/amd64
+	mkdir -p ./tmp/crio/arm64
+	docker run --rm --platform linux/amd64 -v ./tmp:/host registry.nestybox.com/nestybox/sysbox-deploy-k8s:${SYSBOX_VERSION} /bin/bash -c "cp /opt/sysbox/bin/generic/* /host/sysbox/amd64/bin/ && cp -r /opt/sysbox/systemd/ /host/sysbox/systemd/ && cp -r /opt/crio-deploy/bin/* /host/crio/amd64/ && cp -r /opt/crio-deploy/config/ /host/crio/config/ && cp -r /opt/crio-deploy/scripts/ /host/crio/scripts/"
+	docker run --rm --platform linux/arm64 -v ./tmp:/host registry.nestybox.com/nestybox/sysbox-deploy-k8s:${SYSBOX_VERSION} /bin/bash -c "cp /opt/sysbox/bin/generic/* /host/sysbox/arm64/bin/ && cp -r /opt/crio-deploy/bin/* /host/crio/arm64/"
+
+packer-init:
+	packer init .
+
+packer-validate: get-files
+	packer validate .
+
+packer-build: packer-init packer-validate
+	packer build .
diff --git a/bootstrap.sh.patch b/bootstrap.sh.patch
@@ -1,35 +1,32 @@
---- new_bootstrap.sh	2023-06-20 10:39:32.000000000 -0700
-+++ new_bootstrap.patched.sh	2023-06-20 10:42:53.000000000 -0700
+--- current_bootstrap.sh	2023-08-07 21:28:54
++++ patched_bootstrap.sh	2023-08-07 21:29:11
 @@ -146,7 +146,7 @@
  API_RETRY_ATTEMPTS="${API_RETRY_ATTEMPTS:-3}"
  DOCKER_CONFIG_JSON="${DOCKER_CONFIG_JSON:-}"
  PAUSE_CONTAINER_VERSION="${PAUSE_CONTAINER_VERSION:-3.5}"
 -DEFAULT_CONTAINER_RUNTIME="containerd"
 +DEFAULT_CONTAINER_RUNTIME="cri-o"
  CONTAINER_RUNTIME="${CONTAINER_RUNTIME:-$DEFAULT_CONTAINER_RUNTIME}"
- IP_FAMILY="${IP_FAMILY:-}"
- SERVICE_IPV6_CIDR="${SERVICE_IPV6_CIDR:-}"
-@@ -420,9 +420,21 @@
-     systemctl restart docker
-     snap set kubelet-eks \
- 	container-runtime=docker
+ # from >= 1.27, the cloud-provider will be external
+ CLOUD_PROVIDER="aws"
+@@ -429,6 +429,20 @@
+     # see https://github.com/NVIDIA/k8s-device-plugin
+     cp /usr/local/share/eks/nvidia-runtime-config.toml /etc/containerd/config.toml
+     systemctl restart containerd
++
 +elif [[ "$CONTAINER_RUNTIME" = "cri-o" ]]; then
-+  echo "Container runtime is CRI-O"
-+  snap set kubelet-eks \
-+      container-runtime=remote \
-+      container-runtime-endpoint=unix:///var/run/crio/crio.sock
-+  dasel put \
-+    string \
-+    --parser toml \
-+    --file /etc/crio/crio.conf \
-+    --selector 'crio.image.pause_image' \
-+    "${PAUSE_CONTAINER}"
-+  rm --force /run/dockershim.sock
-+  ln -sf /run/crio/crio.sock /run/dockershim.sock
++    echo "Container runtime is CRI-O"
++    snap set kubelet-eks \
++        container-runtime=remote \
++        container-runtime-endpoint=unix:///var/run/crio/crio.sock
++    dasel put \
++        string \
++        --parser toml \
++        --file /etc/crio/crio.conf \
++        --selector 'crio.image.pause_image' \
++        "${PAUSE_CONTAINER}"
++    rm --force /run/dockershim.sock
++    ln -sf /run/crio/crio.sock /run/dockershim.sock
+
  else
--    echo "Container runtime ${CONTAINER_RUNTIME} is not supported."
--    exit 1
-+  echo "Custom container runtime."
- fi
-
- echo "Configuring kubelet snap"
+     echo "Container runtime ${CONTAINER_RUNTIME} is not supported."