Azure · AlisonB319 · Sep 12, 2024 · Sep 12, 2024 · Sep 12, 2024 · Sep 13, 2024
@@ -822,6 +822,48 @@
  }
  }
  }
+ },
+ {
+ "name": "containerd-wasm-shims",
+ "downloadLocation": "/usr/local/bin",
+ "downloadURIs": {
+ "default": {
+ "current": {
+ "versionsV2": [
+ {
+ "renovateTag": "<DO_NOT_UPDATE>",
+ "latestVersion": "0.3.0"
+ },
+ {
+ "renovateTag": "<DO_NOT_UPDATE>",
+ "latestVersion": "0.5.1"
+ },
+ {
+ "renovateTag": "<DO_NOT_UPDATE>",
+ "latestVersion": "0.8.0"
+ }
+ ],
+ "downloadURL": "https://acs-mirror.azureedge.net/containerd-wasm-shims/v${version}/linux/${CPU_ARCH}"
+ }
+ }
+ }
+ },
+ {
+ "name": "containerd-wasm-spinkube",
+ "downloadLocation": "/usr/local/bin",
+ "downloadURIs": {
+ "default": {
+ "current": {
+ "versionsV2": [
+ {
+ "renovateTag": "<DO_NOT_UPDATE>",
+ "latestVersion": "0.15.1"
+ }
+ ],
+ "downloadURL": "https://acs-mirror.azureedge.net/spinkube/v${version}/linux/${CPU_ARCH}"
+ }
+ }
+ }
  }
  ]
-}
+}
@@ -22,14 +22,14 @@ TELEPORTD_PLUGIN_DOWNLOAD_DIR="/opt/teleportd/downloads"
 CREDENTIAL_PROVIDER_DOWNLOAD_DIR="/opt/credentialprovider/downloads"
 CREDENTIAL_PROVIDER_BIN_DIR="/var/lib/kubelet/credential-provider"
 TELEPORTD_PLUGIN_BIN_DIR="/usr/local/bin"
-CONTAINERD_WASM_VERSIONS="v0.3.0 v0.5.1 v0.8.0 v0.15.1" # v0.15.1 is from SpinKube
 MANIFEST_FILEPATH="/opt/azure/manifest.json"
 COMPONENTS_FILEPATH="/opt/azure/components.json"
 MAN_DB_AUTO_UPDATE_FLAG_FILEPATH="/var/lib/man-db/auto-update"
 CURL_OUTPUT=/tmp/curl_verbose.out
 UBUNTU_OS_NAME="UBUNTU"
 MARINER_OS_NAME="MARINER"
 CPU_ARCH=""
+declare -a WASMSHIMPIDS=()
 
 setCPUArch() {
  CPU_ARCH=$(getCPUArch)
@@ -200,102 +200,122 @@ downloadSecureTLSBootstrapKubeletExecPlugin() {
  fi
 }
 
-downloadContainerdWasmShims() {
- declare -a wasmShimPids=()
- local containerd_wasm_filepath="/usr/local/bin"
- BOOTSTRAP_PROFILE_CONTAINER_REGISTRY_SERVER="${BOOTSTRAP_PROFILE_CONTAINER_REGISTRY_SERVER:=}"
-
- for shim_version in $CONTAINERD_WASM_VERSIONS; do
- binary_version="$(echo "${shim_version}" | tr . -)"
-
- local version_suffix
- local shims_to_download=()
- local shim_prefix="containerd-shim-"
- local registry_path
- local base_path
- local shim_filename
-
- # figure out version suffix, shims to download, and paths
- if [ "$shim_version" == "v0.15.1" ]; then
- version_suffix="-v2"
- shims_to_download=("spin")
- registry_path="oss/binaries/spinkube/containerd-shim-spin"
- base_path="spinkube"
- shim_filename="containerd-shim-spin-v2"
- else
- version_suffix="-v1"
- shims_to_download=("spin" "slight")
- registry_path="oss/binaries/deislabs/containerd-wasm-shims"
- base_path="containerd-wasm-shims"
- shim_filename="containerd-wasm-shims-linux-${CPU_ARCH}.tar.gz"
- if [ "$shim_version" == "v0.8.0" ]; then
- shims_to_download+=("wws")
- fi
- fi
+# Install, download, update wasm must all be run from the same function call
+# in order to ensure WASMSHIMPIDS persists correctly since in bash a new
+# function call from install-dependnecies will create a new shell process.
+installContainerdWasmShims(){
+ local download_location=${1}
+ PACKAGE_DOWNLOAD_URL=${2}
+ shift 2 # shift past the first 2 arguments to capture the list of versions
+ local package_versions=("$@")
+
+ local shims_to_download=("spin" "slight")
+ local version_suffix="-v1"
+ local mcr_registry_path="deislabs/containerd-wasm-shims"
+ local shim_filename="containerd-wasm-shims-linux-${CPU_ARCH}.tar.gz"
+ if [ "$shim_version" == "0.15.1" ]; then
+ version_suffix="-v2"
+ shims_to_download=("spin")
+ mcr_registry_path="spinkube/containerd-shim-spin"
+ shim_filename="containerd-shim-spin-v2"
+ elif [ "$shim_version" == "0.8.0" ]; then
+ shims_to_download+=("wws")
+ fi
+
+ for version in "${package_versions[@]}"; do
+ containerd_wasm_url=$(evalPackageDownloadURL ${PACKAGE_DOWNLOAD_URL})
+ downloadContainerdWasmShims $download_location $containerd_wasm_url $version $shims_to_download $version_suffix $mcr_registry_path $shim_filename
+ done
+ wait ${WASMSHIMPIDS[@]}
+ for version in "${package_versions[@]}"; do
+ updateContainerdWasmShimsPermissions $download_location $version $shims_to_download $version_suffix
+ done
+}
 
- # check if shims are already downloaded
- shims_missing=false
- for shim in "${shims_to_download[@]}"; do
- if [ ! -f "${containerd_wasm_filepath}/${shim_prefix}${shim}-${binary_version}${version_suffix}" ]; then
- shims_missing=true
- break
- fi
- done
+wasmFilesExist() {
+ local containerd_wasm_filepath=${1}
+ local shim_version=${2}
+ local shims_to_download=${3}
+ local version_suffix=${4}
 
- if [ "$shims_missing" = false ]; then
- # all shims are already downloaded, skip downloading
- continue
+ local binary_version="$(echo "${shim_version}" | tr . -)"
+ for shim in "${shims_to_download[@]}"; do
+ if [ ! -f "${containerd_wasm_filepath}/containerd-shim-${shim}-v${binary_version}-${version_suffix}" ]; then
+ return 1 # file is missing
  fi
+ done
+ return 0 
+}
 
- if [[ -n ${BOOTSTRAP_PROFILE_CONTAINER_REGISTRY_SERVER} ]]; then
- # download shims from container registry
-
- local registry_url="${BOOTSTRAP_PROFILE_CONTAINER_REGISTRY_SERVER}/${registry_path}:${shim_version}-linux-${CPU_ARCH}"
- local wasm_shims_tgz_tmp="${containerd_wasm_filepath}/${shim_filename}"
-
- # if shim version is v0.15.1, the downloaded binary is already named correctly, so no need to extract
- # if shim version is not v0.15.1, extract the shims and rename them to match the binary version
- if [ "$shim_version" == "v0.15.1" ]; then
- retrycmd_get_binary_from_registry_with_oras 120 5 "${wasm_shims_tgz_tmp}" "${registry_url}" || exit $ERR_ORAS_PULL_CONTAINERD_WASM
- mv "${containerd_wasm_filepath}/containerd-shim-spin-v2" "${containerd_wasm_filepath}/containerd-shim-spin-${binary_version}-v2"
- else
- retrycmd_get_tarball_from_registry_with_oras 120 5 "${wasm_shims_tgz_tmp}" "${registry_url}" || exit $ERR_ORAS_PULL_CONTAINERD_WASM
- tar -zxf "$wasm_shims_tgz_tmp" -C "$containerd_wasm_filepath"
- for shim in "${shims_to_download[@]}"; do
- mv "${containerd_wasm_filepath}/${shim_prefix}${shim}-${shim_version}${version_suffix}" "${containerd_wasm_filepath}/${shim_prefix}${shim}-${binary_version}${version_suffix}"
- done
- fi
+downloadContainerdWasmShims() {
+ local containerd_wasm_filepath=${1}
+ local containerd_wasm_url=${2}
+ local shim_version=${3}
+ local shims_to_download=${4}
+ local version_suffix=${5}
+ local mcr_registry_path=${6}
+ local shim_filename=${7}
 
- rm -f "$wasm_shims_tgz_tmp"
- else
- # download shims from acs-mirro
- local base_url="https://acs-mirror.azureedge.net/${base_path}/${shim_version}/linux/${CPU_ARCH}"
+ local binary_version="$(echo "${shim_version}" | tr . -)" # replaces . with - == 1.2.3 -> 1-2-3
+
+ echo "containerd_wasm_filepath: $containerd_wasm_filepath, containerd_wasm_url: $containerd_wasm_url, shim_version: $shim_version, binary_version: $binary_version, shims_to_download: ${shims_to_download[@]}, version_suffix: $version_suffix, mcr_registry_path: $mcr_registry_path, shim_filename: $shim_filename"
+
+ if wasmFilesExist "$containerd_wasm_filepath" "$shim_version" "$shims_to_download" "$version_suffix"; then
+ return
+ fi
 
+ # Oras download for WASM for Network Isolated Clusters
+ BOOTSTRAP_PROFILE_CONTAINER_REGISTRY_SERVER="${BOOTSTRAP_PROFILE_CONTAINER_REGISTRY_SERVER:=}"
+ if [[ ! -z ${BOOTSTRAP_PROFILE_CONTAINER_REGISTRY_SERVER} ]]; then
+ local registry_url="${BOOTSTRAP_PROFILE_CONTAINER_REGISTRY_SERVER}/oss/binaries/${mcr_registry_path}:v${shim_version}-linux-${CPU_ARCH}"
+ local wasm_shims_tgz_tmp="${containerd_wasm_filepath}/${shim_filename}"
+
+ # if shim version is 0.15.1, the downloaded binary is already named correctly, so no need to extract
+ # if shim version is not 0.15.1, extract the shims and rename them to match the binary version
+ if [ "$shim_version" == "0.15.1" ]; then
+ retrycmd_get_binary_from_registry_with_oras 120 5 "${wasm_shims_tgz_tmp}" "${registry_url}" || exit $ERR_ORAS_PULL_CONTAINERD_WASM
+ mv "${containerd_wasm_filepath}/containerd-shim-spin-${version_suffix}" "${containerd_wasm_filepath}/containerd-shim-spin-v${binary_version}${version_suffix}"
+ else
+ retrycmd_get_tarball_from_registry_with_oras 120 5 "${wasm_shims_tgz_tmp}" "${registry_url}" || exit $ERR_ORAS_PULL_CONTAINERD_WASM
+ tar -zxf "$wasm_shims_tgz_tmp" -C "$containerd_wasm_filepath"
  for shim in "${shims_to_download[@]}"; do
- local shim_filename="${shim_prefix}${shim}${version_suffix}"
- retrycmd_if_failure 2 5 60 curl -fSLv -o "${containerd_wasm_filepath}/${shim_prefix}${shim}-${binary_version}${version_suffix}" "${base_url}/${shim_filename}" 2>&1 | tee "$CURL_OUTPUT" >/dev/null | grep -E "^(curl:.*)|([eE]rr.*)$" && (cat "$CURL_OUTPUT" && exit $ERR_KRUSTLET_DOWNLOAD_TIMEOUT) &
- wasmShimPids+=($!)
+ mv "${containerd_wasm_filepath}/containerd-shim-${shim}-v${shim_version}${version_suffix}" "${containerd_wasm_filepath}/containerd-shim-${shim}-v${binary_version}${version_suffix}"
  done
  fi
+
+ rm -f "$wasm_shims_tgz_tmp"
+ return
+ fi
+
+ # install from acs-mirror
+ for shim in "${shims_to_download[@]}"; do
+ retrycmd_if_failure 30 5 60 curl -fSLv -o "$containerd_wasm_filepath/containerd-shim-${shim}-v${binary_version}${version_suffix}" "$containerd_wasm_url/containerd-shim-${shim}-${version_suffix}" 2>&1 | tee $CURL_OUTPUT >/dev/null | grep -E "^(curl:.*)|([eE]rr.*)$" && (cat $CURL_OUTPUT && exit $ERR_KRUSTLET_DOWNLOAD_TIMEOUT) &
+ WASMSHIMPIDS+=($!)
  done
+}
 
- wait ${wasmShimPids[@]}
-
- # set permissions for the shims
- for shim_version in $CONTAINERD_WASM_VERSIONS; do
- binary_version="$(echo "${shim_version}" | tr . -)"
- if [ "$shim_version" == "v0.15.1" ]; then
- chmod 755 "$containerd_wasm_filepath/containerd-shim-spin-${binary_version}-v2"
- # spin shim v0.15.1 cannot be renamed: https://github.com/spinkube/containerd-shim-spin/issues/190
- # so we rename the shim back to containerd-shim-spin-v2
- mv "$containerd_wasm_filepath/containerd-shim-spin-${binary_version}-v2" "$containerd_wasm_filepath/containerd-shim-spin-v2"
- else 
- chmod 755 "$containerd_wasm_filepath/containerd-shim-spin-${binary_version}-v1"
- chmod 755 "$containerd_wasm_filepath/containerd-shim-slight-${binary_version}-v1"
- if [ "$shim_version" == "v0.8.0" ]; then
- chmod 755 "$containerd_wasm_filepath/containerd-shim-wws-${binary_version}-v1"
- fi
- fi
+updateContainerdWasmShimsPermissions() {
+ local containerd_wasm_filepath=${1}
+ local shim_version=${2}
+ local shims_to_download=${3}
+ local version_suffix=${4}
+
+ local binary_version="$(echo "${shim_version}" | tr . -)"
+
+ echo "Updating permissions containerd_wasm_filepath: $containerd_wasm_filepath, shim_version: $shim_version, binary_version: $binary_version, shims_to_download: ${shims_to_download[@]}, version_suffix: $version_suffix"
+
+ if [ "$shim_version" == "0.15.1" ]; then
+ echo "inside the 0.15.1: $shim_version"
+ chmod 755 "$containerd_wasm_filepath/containerd-shim-spin-v${binary_version}-${version_suffix}"
+ # spin shim v0.15.1 cannot be renamed: https://github.com/spinkube/containerd-shim-spin/issues/190
+ # so we rename the shim back to containerd-shim-spin-v2
+ mv "$containerd_wasm_filepath/containerd-shim-spin-v${binary_version}-${version_suffix}" "$containerd_wasm_filepath/containerd-shim-spin-${version_suffix}"
+ return
+ fi
+
+ for shim in "${shims_to_download[@]}"; do
+ echo "updating for shil: $shim ----> $containerd_wasm_filepath/containerd-shim-${shim}-v${binary_version}-${version_suffix}"
+ chmod 755 "$containerd_wasm_filepath/containerd-shim-${shim}-v${binary_version}-${version_suffix}"
  done
 }
 
@@ -321,7 +341,6 @@ installOras() {
  sudo tar -zxf "$ORAS_DOWNLOAD_DIR/${ORAS_TMP}" -C $ORAS_EXTRACTED_DIR/
  rm -r "$ORAS_DOWNLOAD_DIR"
  echo "Oras version $ORAS_VERSION installed successfully."
-
 }
 
 evalPackageDownloadURL() {

@@ -132,9 +132,15 @@ setupCNIDirs
 logs_to_events "AKS.CSE.installNetworkPlugin" installNetworkPlugin
 
 if [ "${IS_KRUSTLET}" == "true" ]; then
- logs_to_events "AKS.CSE.downloadKrustlet" downloadContainerdWasmShims
+ components_filepath="/opt/azure/components.json"
+ versions=$(jq -r '.Packages[] | select(.name == "containerd-wasm-shims") | .downloadURIs.default.current.versionsV2[].latestVersion' "$components_filepath")
+ downloadLocation=$(jq -r '.Packages[] | select(.name == "containerd-wasm-shims") | .downloadLocation' "$components_filepath")
+ downloadURL=$(jq -r '.Packages[] | select(.name == "containerd-wasm-shims") | .downloadURIs.default.current.downloadURL' "$components_filepath")
+
+ logs_to_events "AKS.CSE.downloadKrustlet" installContainerdWasmShims "$downloadLocation" "$downloadURL" "$versions"
 fi
 
+
 if [ "${ENABLE_SECURE_TLS_BOOTSTRAPPING}" == "true" ]; then
  logs_to_events "AKS.CSE.downloadSecureTLSBootstrapKubeletExecPlugin" downloadSecureTLSBootstrapKubeletExecPlugin
 fi