feat: option to install containerd 1.7 from S3 (#2339)

* install containerd 1.7 from internal s3

* add containerd_rpm_url property to allow install containerd rpm from outside url

* fix nit

* install containerd binary with patches from s3

* fix lint

* Update templates/al2/provisioners/install-worker.sh

Co-authored-by: Carter <mckdev@amazon.com>

* install binary from s3 if INSTALL_CONTAINERD_FROM_S3

* update the s3 path

* Update templates/al2023/provisioners/install-worker.sh

Co-authored-by: Carter <mckdev@amazon.com>

* Update templates/al2/provisioners/install-worker.sh

Co-authored-by: Carter <mckdev@amazon.com>

* Update templates/al2/provisioners/install-worker.sh

Co-authored-by: Carter <mckdev@amazon.com>

* Update templates/al2023/provisioners/install-worker.sh

Co-authored-by: Nick Baker <ndbaker1@outlook.com>

* fix nit

* exclude the containerd from dnf and yum conf

* add pull bianry according to arch and update the generate-version-info script for containerd

* update the key in al2

* fix nit

* fix lint

* fix lint

* fix nit

* pin fully-format containerd version in variables file

---------

Co-authored-by: Carter <mckdev@amazon.com>
Co-authored-by: Nick Baker <ndbaker1@outlook.com>

Author: 3 people

doc/usage/al2.md

@@ -22,6 +22,7 @@
 | `cache_container_images` |  |
 | `cni_plugin_version` |  |
 | `containerd_version` |  |
+| `install_containerd_from_s3` |  |
 | `creator` |  |
 | `docker_version` | Docker is not installed on Kubernetes v1.25+ |
 | `enable_fips` | Install openssl and enable fips related kernel parameters |

doc/usage/al2023.md

@@ -19,6 +19,7 @@
 | `binary_bucket_name` |  |
 | `binary_bucket_region` |  |
 | `containerd_version` |  |
+| `install_containerd_from_s3` |  |
 | `creator` |  |
 | `enable_accelerator` | Vendor that provides the GPU or accelerator hardware. Currently we support Neuron and NVIDIA. |
 | `enable_efa` | Valid options are ```true``` or ```false```. Wheather or not to install the software needed to use AWS Elastic Fabric Adapter (EFA) network interfaces. |

templates/al2/provisioners/install-worker.sh

@@ -149,8 +149,27 @@ sudo yum install -y runc-${RUNC_VERSION}
 sudo yum versionlock runc-*
 
 # install containerd and lock version
-sudo yum install -y containerd-${CONTAINERD_VERSION}
-sudo yum versionlock containerd-*
+if [[ "$INSTALL_CONTAINERD_FROM_S3" == "true" ]]; then
+  CONTAINERD_BINARIES=(
+    containerd
+    containerd-shim-runc-v2
+    ctr
+  )
+  echo "Installing containerd from S3..."
+  for binary in "${CONTAINERD_BINARIES[@]}"; do
+    aws s3 cp --region ${BINARY_BUCKET_REGION} s3://${BINARY_BUCKET_NAME}/containerd/${CONTAINERD_VERSION}/${MACHINE}/${binary} .
+    sudo chmod +x $binary
+    sudo mv $binary /usr/bin/
+  done
+  sudo mkdir -p /var/lib/containerd
+  sudo mv $WORKING_DIR/containerd.service /etc/systemd/system/containerd.service
+  sudo chown root:root /etc/systemd/system/containerd.service
+  # exclude containerd from yum.conf as versionlock doesn't work in this case
+  echo "exclude=containerd*,docker*" | sudo tee -a /etc/yum.conf
+else
+  sudo yum install -y containerd-${CONTAINERD_VERSION}
+  sudo yum versionlock containerd-*
+fi
 
 # install cri-tools for crictl, needed to interact with containerd's CRI server
 sudo yum install -y cri-tools

templates/al2/runtime/containerd.service

@@ -0,0 +1,42 @@
+# Copyright The containerd Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+[Unit]
+Description=containerd container runtime
+Documentation=https://containerd.io
+After=network.target local-fs.target dbus.service
+
+[Service]
+#uncomment to enable the experimental sbservice (sandboxed) version of containerd/cri integration
+#Environment="ENABLE_CRI_SANDBOXES=sandboxed"
+ExecStartPre=-/sbin/modprobe overlay
+ExecStart=/usr/bin/containerd
+
+Type=notify
+Delegate=yes
+KillMode=process
+Restart=always
+RestartSec=5
+# Having non-zero Limit*s causes performance problems due to accounting overhead
+# in the kernel. We recommend using cgroups to do container-local accounting.
+LimitNPROC=infinity
+LimitCORE=infinity
+LimitNOFILE=infinity
+# Comment TasksMax if your systemd version does not supports it.
+# Only systemd 226 and above support this version.
+TasksMax=infinity
+OOMScoreAdjust=-999
+
+[Install]
+WantedBy=multi-user.target

templates/al2/template.json

@@ -18,6 +18,7 @@
     "cache_container_images": null,
     "cni_plugin_version": null,
     "containerd_version": null,
+    "install_containerd_from_s3": null,
     "creator": null,
     "docker_version": null,
     "enable_fips": null,
@@ -205,6 +206,7 @@
         "CACHE_CONTAINER_IMAGES={{user `cache_container_images`}}",
         "CNI_PLUGIN_VERSION={{user `cni_plugin_version`}}",
         "CONTAINERD_VERSION={{user `containerd_version`}}",
+        "INSTALL_CONTAINERD_FROM_S3={{user `install_containerd_from_s3`}}",
         "DOCKER_VERSION={{user `docker_version`}}",
         "KUBERNETES_BUILD_DATE={{user `kubernetes_build_date`}}",
         "KUBERNETES_VERSION={{user `kubernetes_version`}}",

templates/al2/variables-default.json

@@ -13,7 +13,8 @@
     "binary_bucket_region": "us-west-2",
     "cache_container_images": "false",
     "cni_plugin_version": "v1.2.0",
-    "containerd_version": "1.7.*",
+    "containerd_version": "1.7.27",
+    "install_containerd_from_s3": "false",
     "creator": "{{env `USER`}}",
     "docker_version": "none",
     "enable_fips": "false",

templates/al2023/provisioners/install-worker.sh

@@ -146,10 +146,26 @@ fi
 ###############################################################################
 ### Containerd setup ##########################################################
 ###############################################################################
-
 sudo dnf install -y runc-${RUNC_VERSION}
-sudo dnf install -y containerd-${CONTAINERD_VERSION}
-sudo dnf versionlock containerd-*
+if [[ "$INSTALL_CONTAINERD_FROM_S3" == "true" ]]; then
+  CONTAINERD_BINARIES=(
+    containerd
+    containerd-shim-runc-v2
+    ctr
+  )
+  for binary in "${CONTAINERD_BINARIES[@]}"; do
+    echo "Installing containerd from S3..."
+    aws s3 cp --region ${BINARY_BUCKET_REGION} s3://${BINARY_BUCKET_NAME}/containerd/${CONTAINERD_VERSION}/${MACHINE}/${binary} .
+    sudo chmod +x $binary
+    sudo mv $binary /usr/bin/
+    # exclude containerd from yum.conf as versionlock doesn't work in this case
+    echo "exclude=containerd*" | sudo tee -a /etc/dnf/dnf.conf
+  done
+  sudo mkdir -p /var/lib/containerd
+else
+  sudo dnf install -y containerd-${CONTAINERD_VERSION}
+  sudo dnf versionlock containerd-*
+fi
 
 sudo systemctl enable ebs-initialize-bin@containerd
 

templates/al2023/runtime/rootfs/etc/systemd/system/containerd.service

@@ -0,0 +1,42 @@
+# Copyright The containerd Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+[Unit]
+Description=containerd container runtime
+Documentation=https://containerd.io
+After=network.target local-fs.target dbus.service
+
+[Service]
+#uncomment to enable the experimental sbservice (sandboxed) version of containerd/cri integration
+#Environment="ENABLE_CRI_SANDBOXES=sandboxed"
+ExecStartPre=-/sbin/modprobe overlay
+ExecStart=/usr/bin/containerd
+
+Type=notify
+Delegate=yes
+KillMode=process
+Restart=always
+RestartSec=5
+# Having non-zero Limit*s causes performance problems due to accounting overhead
+# in the kernel. We recommend using cgroups to do container-local accounting.
+LimitNPROC=infinity
+LimitCORE=infinity
+LimitNOFILE=infinity
+# Comment TasksMax if your systemd version does not supports it.
+# Only systemd 226 and above support this version.
+TasksMax=infinity
+OOMScoreAdjust=-999
+
+[Install]
+WantedBy=multi-user.target

templates/al2023/template.json

@@ -15,6 +15,7 @@
     "binary_bucket_name": null,
     "binary_bucket_region": null,
     "containerd_version": null,
+    "install_containerd_from_s3": null,
     "creator": null,
     "enable_accelerator": null,
     "enable_efa": null,
@@ -208,6 +209,7 @@
         "BINARY_BUCKET_NAME={{user `binary_bucket_name`}}",
         "BINARY_BUCKET_REGION={{user `binary_bucket_region`}}",
         "CONTAINERD_VERSION={{user `containerd_version`}}",
+        "INSTALL_CONTAINERD_FROM_S3={{user `install_containerd_from_s3`}}",
         "KUBERNETES_BUILD_DATE={{user `kubernetes_build_date`}}",
         "KUBERNETES_VERSION={{user `kubernetes_version`}}",
         "RUNC_VERSION={{user `runc_version`}}",

templates/al2023/variables-default.json

@@ -10,7 +10,8 @@
     "aws_session_token": "{{env `AWS_SESSION_TOKEN`}}",
     "binary_bucket_name": "amazon-eks",
     "binary_bucket_region": "us-west-2",
-    "containerd_version": "1.7.*",
+    "containerd_version": "1.7.27",
+    "install_containerd_from_s3": "false",
     "creator": "{{env `USER`}}",
     "enable_accelerator": "",
     "enable_efa": "false",