cri-o Switch to libexecdir (#11584)

Signed-off-by: Kay Yan <kay.yan@daocloud.io>
1 month ago · fcbcf3c03b
9 changed files with 52 additions and 20 deletions
--- a/roles/container-engine/cri-o/defaults/main.yml
+++ b/roles/container-engine/cri-o/defaults/main.yml
@ -2,6 +2,7 @@

 crio_cgroup_manager: "{{ kubelet_cgroup_driver | default('systemd') }}"
 crio_conmon: "{{ bin_dir }}/conmon"
+crio_libexec_dir: "/usr/libexec/crio"
 crio_enable_metrics: false
 crio_log_level: "info"
 crio_metrics_port: "9090"
@ -40,7 +41,7 @@ crio_required_version: "{{ kube_version | regex_replace('^v(?P<major>\\d+).(?P<m
 # The crio_runtimes variable defines a list of OCI compatible runtimes.
 crio_runtimes:
  - name: runc
-    path: "{{ bin_dir }}/runc"
+    path: "{{ crio_runtime_bin_dir }}/runc"
    type: oci
    root: /run/runc

@ -58,7 +59,7 @@ kata_runtimes:
 # crun is a fast and low-memory footprint OCI Container Runtime fully written in C.
 crun_runtime:
  name: crun
-  path: "{{ bin_dir }}/crun"
+  path: "{{ crio_runtime_bin_dir }}/crun"
  type: oci
  root: /run/crun

--- a/roles/container-engine/cri-o/tasks/main.yaml
+++ b/roles/container-engine/cri-o/tasks/main.yaml
@ -82,6 +82,23 @@
    - "{{ crio_bin_files }}"
  notify: Restart crio

+- name: Cri-o | create directory for libexec
+  file:
+    path: "{{ crio_libexec_dir }}"
+    state: directory
+    owner: root
+    mode: "0755"
+
+- name: Cri-o | copy libexec
+  copy:
+    src: "{{ local_release_dir }}/cri-o/bin/{{ item }}"
+    dest: "{{ crio_libexec_dir }}/{{ item }}"
+    mode: "0755"
+    remote_src: true
+  with_items:
+    - "{{ crio_libexec_files }}"
+  notify: Restart crio
+
 - name: Cri-o | copy service file
  copy:
    src: "{{ local_release_dir }}/cri-o/contrib/crio.service"
--- a/roles/container-engine/cri-o/tasks/reset.yml
+++ b/roles/container-engine/cri-o/tasks/reset.yml
@ -88,3 +88,11 @@
  with_items: "{{ crio_bin_files }}"
  tags:
    - reset_crio
+
+- name: CRI-O | Remove CRI-O libexec
+  file:
+    name: "{{ item }}"
+    state: absent
+  with_items: "{{ crio_libexec_files }}"
+  tags:
+    - reset_crio
--- a/roles/container-engine/cri-o/vars/v1.28.yml
+++ b/roles/container-engine/cri-o/vars/v1.28.yml
@ -1,4 +1,6 @@
 ---
+crio_runtime_bin_dir: "{{ bin_dir }}"
+
 # cri-o binary files
 crio_bin_files:
  - conmon
--- a/roles/container-engine/cri-o/vars/v1.29.yml
+++ b/roles/container-engine/cri-o/vars/v1.29.yml
@ -1,5 +1,6 @@
 ---
 crio_conmon: "{{ bin_dir }}/crio-conmon"
+crio_runtime_bin_dir: "{{ bin_dir }}"

 # cri-o binary files
 crio_bin_files:
--- a/roles/container-engine/cri-o/vars/v1.31.yml
+++ b/roles/container-engine/cri-o/vars/v1.31.yml
@ -1,13 +1,16 @@
 ---
-crio_conmon: "{{ bin_dir }}/conmon"
+crio_conmon: "{{ crio_libexec_dir }}/conmon"
+crio_runtime_bin_dir: "{{ crio_libexec_dir }}"

 # cri-o binary files
 crio_bin_files:
+  - crio
+  - pinns
+
+crio_libexec_files:
  - conmon
  - conmonrs
  - crun
  - runc
-  - crio
-  - pinns

 crio_status_command: crio status
--- a/roles/container-engine/youki/tasks/main.yml
+++ b/roles/container-engine/youki/tasks/main.yml
@ -6,7 +6,7 @@

 - name: Youki | Copy youki binary from download dir
  copy:
-    src: "{{ local_release_dir }}/youki_{{ youki_version | regex_replace('\\.', '_') }}_linux/youki-{{ youki_version }}/youki"
+    src: "{{ local_release_dir }}/youki"
    dest: "{{ youki_bin_dir }}/youki"
    mode: "0755"
    remote_src: true
--- a/roles/kubespray-defaults/defaults/main/checksums.yml
+++ b/roles/kubespray-defaults/defaults/main/checksums.yml
@ -900,37 +900,37 @@ crun_checksums:
    1.9.2: 0
 youki_checksums:
  arm:
+    0.4.1: 0
+    0.4.0: 0
    0.3.2: 0
    0.3.1: 0
    0.3.0: 0
    0.2.0: 0
    0.1.0: 0
-    0.0.5: 0
-    0.0.4: 0
  arm64:
+    0.4.1: 0
+    0.4.0: 0
    0.3.2: 0
    0.3.1: 0
    0.3.0: 0
    0.2.0: 0
    0.1.0: 0
-    0.0.5: 0
-    0.0.4: 0
  amd64:
-    0.3.2: 0
-    0.3.1: 0
+    0.4.1: 6504a43c28710d2cb3dd6535ae9222c0570e954a799a787ccf5e5d611996bf11
+    0.4.0: a9fb31c7388ed786a2a1b6361cf4aaa7c3e3b62be4c3d36dc15331416a3d6290
+    0.3.2: fe80475ad6e727a50f7c0b89e26e4632dd55e477c99bbca192ad1d5fee065377
+    0.3.1: 8a92304312982246d5ad9c00da367868dcc4d331fd992ca89dada8eff9cbdeaf
    0.3.0: 741ba3cd85d768bebba02598cedcf3b15a2160e4d6ce33a3d5c4e1b3080f9c1c
    0.2.0: b268689a91db07feebfd41d5806b10c7d051fbcbf7efb15076e2228763ac0762
    0.1.0: f00677e9674215b44f140f0c0f4b79b0001c72c073d2c5bb514b7a9dcb13bdbc
-    0.0.5: 8504f4c35a24b96782b9e0feb7813aba4e7262c55a39b8368e94c80c9a4ec564
-    0.0.4: c213376393cb16462ef56586e68fef9ec5b5dd80787e7152f911d7cfd72d952e
  ppc64le:
+    0.4.1: 0
+    0.4.0: 0
    0.3.2: 0
    0.3.1: 0
    0.3.0: 0
    0.2.0: 0
    0.1.0: 0
-    0.0.5: 0
-    0.0.4: 0
 kata_containers_binary_checksums:
  arm:
    3.2.0: 0
--- a/roles/kubespray-defaults/defaults/main/download.yml
+++ b/roles/kubespray-defaults/defaults/main/download.yml
@ -77,7 +77,7 @@ image_arch: "{{ host_architecture | default('amd64') }}"
 crun_version: 1.14.4
 runc_version: v1.1.14
 kata_containers_version: 3.1.3
-youki_version: 0.1.0
+youki_version: 0.4.1
 gvisor_version: 20240305
 containerd_version: 1.7.22
 cri_dockerd_version: 0.3.11
@ -188,7 +188,7 @@ crio_download_url: "{{ storage_googleapis_url }}/cri-o/artifacts/cri-o.{{ image_
 helm_download_url: "{{ get_helm_url }}/helm-{{ helm_version }}-linux-{{ image_arch }}.tar.gz"
 runc_download_url: "{{ github_url }}/opencontainers/runc/releases/download/{{ runc_version }}/runc.{{ image_arch }}"
 crun_download_url: "{{ github_url }}/containers/crun/releases/download/{{ crun_version }}/crun-{{ crun_version }}-linux-{{ image_arch }}"
-youki_download_url: "{{ github_url }}/containers/youki/releases/download/v{{ youki_version }}/youki_{{ youki_version | regex_replace('\\.', '_') }}_linux.tar.gz"
+youki_download_url: "{{ github_url }}/containers/youki/releases/download/v{{ youki_version }}/youki-{{ youki_version }}-{{ ansible_architecture }}-musl.tar.gz"
 kata_containers_download_url: "{{ github_url }}/kata-containers/kata-containers/releases/download/{{ kata_containers_version }}/kata-static-{{ kata_containers_version }}-{{ ansible_architecture }}.tar.xz"
 # gVisor only supports amd64 and uses x86_64 to in the download link
 gvisor_runsc_download_url: "{{ storage_googleapis_url }}/gvisor/releases/release/{{ gvisor_version }}/{{ ansible_architecture }}/runsc"
@ -524,7 +524,7 @@ downloads:
    file: true
    enabled: "{{ container_manager == 'crio' }}"
    version: "{{ crio_version }}"
-    dest: "{{ local_release_dir }}/cri-o.{{ image_arch }}.{{ crio_version }}tar.gz"
+    dest: "{{ local_release_dir }}/cri-o.{{ image_arch }}.{{ crio_version }}.tar.gz"
    sha256: "{{ crio_archive_checksum }}"
    url: "{{ crio_download_url }}"
    unarchive: true
@ -565,7 +565,7 @@ downloads:
    file: true
    enabled: "{{ youki_enabled }}"
    version: "{{ youki_version }}"
-    dest: "{{ local_release_dir }}/youki_{{ youki_version | regex_replace('\\.', '_') }}_linux.tar.gz"
+    dest: "{{ local_release_dir }}/youki-{{ youki_version }}-{{ ansible_architecture }}.tar.gz"
    sha256: "{{ youki_archive_checksum }}"
    url: "{{ youki_download_url }}"
    unarchive: true