kata.genpolicy: use pause image from ghcr.io

sespiros · sespiros · commit 2ada1331d422 · 2026-01-12T13:15:13.000+02:00
* dev-docs/e2e: remove pause error from well-known-errors.md
* nodeinstaller: use pause image from ghcr
* e2e/proxy/proxy_test.go: change detection url to ghcr.io

Signed-off-by: Spyros Seimenis &lt;sse@edgeless.systems&gt;
diff --git a/dev-docs/e2e/well-known-errors.md b/dev-docs/e2e/well-known-errors.md
@@ -111,47 +111,6 @@ time=2025-12-06T01:06:56.511Z level=DEBUG msg="pod status" namespace=testmemdump
         	Test:       	TestMemDump/memory_dump_does_not_contain_canary_string
 ```
 
-## 005 - mcr.microsoft.com: connection reset by peer
-
-Likely a transient network issue while pulling from the Microsoft Container Registry.
-
-Not much we can do about it except retrying the image pull or using another pause image.
-
-```
-time=2025-12-06T00:52:31.267Z level=DEBUG msg="Pulling manifest and config for mcr.microsoft.com/oss/kubernetes/pause:3.6" position=genpolicy::registry
-time=2025-12-06T00:52:32.530Z level=DEBUG msg=""
-time=2025-12-06T00:52:32.530Z level=ERROR msg="thread 'main' panicked at src/registry.rs:150:17:"
-time=2025-12-06T00:52:32.530Z level=ERROR msg="Failed to pull container image manifest and config - error: RequestError("
-time=2025-12-06T00:52:32.530Z level=ERROR msg="    reqwest::Error {"
-time=2025-12-06T00:52:32.530Z level=ERROR msg="        kind: Request,"
-time=2025-12-06T00:52:32.530Z level=ERROR msg="        url: \"https://mcr.microsoft.com/v2/oss/kubernetes/pause/manifests/3.6\","
-time=2025-12-06T00:52:32.530Z level=ERROR msg="        source: hyper_util::client::legacy::Error("
-time=2025-12-06T00:52:32.530Z level=ERROR msg="            SendRequest,"
-time=2025-12-06T00:52:32.530Z level=ERROR msg="            hyper::Error("
-time=2025-12-06T00:52:32.530Z level=ERROR msg="                Io,"
-time=2025-12-06T00:52:32.530Z level=ERROR msg="                Os {"
-time=2025-12-06T00:52:32.530Z level=ERROR msg="                    code: 104,"
-time=2025-12-06T00:52:32.530Z level=ERROR msg="                    kind: ConnectionReset,"
-time=2025-12-06T00:52:32.530Z level=ERROR msg="                    message: \"Connection reset by peer\","
-time=2025-12-06T00:52:32.530Z level=ERROR msg="                },"
-time=2025-12-06T00:52:32.530Z level=ERROR msg="            ),"
-time=2025-12-06T00:52:32.530Z level=ERROR msg="        ),"
-time=2025-12-06T00:52:32.530Z level=ERROR msg="    },"
-time=2025-12-06T00:52:32.530Z level=ERROR msg=)
-time=2025-12-06T00:52:32.530Z level=ERROR msg="stack backtrace:"
-time=2025-12-06T00:52:32.536Z level=ERROR msg="   0: __rustc::rust_begin_unwind"
-time=2025-12-06T00:52:32.536Z level=ERROR msg="   1: core::panicking::panic_fmt"
-time=2025-12-06T00:52:32.536Z level=ERROR msg="   2: genpolicy::pod::Container::init::{{closure}}"
-time=2025-12-06T00:52:32.536Z level=ERROR msg="   3: <genpolicy::deployment::Deployment as genpolicy::yaml::K8sResource>::init::{{closure}}"
-time=2025-12-06T00:52:32.536Z level=ERROR msg="   4: genpolicy::policy::AgentPolicy::from_files::{{closure}}"
-time=2025-12-06T00:52:32.536Z level=ERROR msg="   5: genpolicy::main::{{closure}}"
-time=2025-12-06T00:52:32.536Z level=ERROR msg="   6: genpolicy::main"
-time=2025-12-06T00:52:32.537Z level=ERROR msg="note: Some details are omitted, run with `RUST_BACKTRACE=full` for a verbose backtrace."
-Error: generate policies: failed to generate policy for "openssl-frontend" in "/tmp/nix-shell.K1AGUb/TestDeterminsticPolicyGeneration3638285464/001/resources.yml": running genpolicy: exit status 101
-```
-
-- https://github.com/edgelesssys/contrast/actions/runs/19978992654/job/57301706373
-
 ## 006 - genpolicy: failed to lookup address information
 
 Likely a transient network issue.
diff --git a/e2e/proxy/proxy_test.go b/e2e/proxy/proxy_test.go
@@ -68,9 +68,9 @@ func TestHTTPProxy(t *testing.T) {
 			coordinatorConnectionProxied.Store(true)
 		}
 		// While we could parse the expected registries from the ImageReplacementsFile, we know
-		// that the pause container image will come from MCR, so we use that as an indicator for
+		// that the pause container image will come from ghcr.io, so we use that as an indicator for
 		// registry requests being proxied.
-		if addr == "mcr.microsoft.com:443" {
+		if addr == "ghcr.io:443" {
 			registryConnectionProxied.Store(true)
 		}
 		ctx, cancel := context.WithTimeout(t.Context(), 2*time.Second)
diff --git a/nodeinstaller/internal/containerdconfig/testdata/containerd-config.toml b/nodeinstaller/internal/containerdconfig/testdata/containerd-config.toml
@@ -2,7 +2,7 @@
 version = 2
 oom_score = 0
 [plugins."io.containerd.grpc.v1.cri"]
-  sandbox_image = "mcr.microsoft.com/oss/kubernetes/pause:3.6"
+  sandbox_image = "ghcr.io/edgelesssys/kubernetes/pause:3.6"
   [plugins."io.containerd.grpc.v1.cri".containerd]
       disable_snapshot_annotations = false
     default_runtime_name = "runc"
diff --git a/nodeinstaller/internal/containerdconfig/testdata/expected-bare-metal-qemu-snp-gpu.toml b/nodeinstaller/internal/containerdconfig/testdata/expected-bare-metal-qemu-snp-gpu.toml
@@ -8,7 +8,7 @@ address = '0.0.0.0:10257'
 
 [plugins]
 [plugins.'io.containerd.grpc.v1.cri']
-sandbox_image = 'mcr.microsoft.com/oss/kubernetes/pause:3.6'
+sandbox_image = 'ghcr.io/edgelesssys/kubernetes/pause:3.6'
 
 [plugins.'io.containerd.grpc.v1.cri'.cni]
 bin_dir = '/opt/cni/bin'
diff --git a/nodeinstaller/internal/containerdconfig/testdata/expected-bare-metal-qemu-snp.toml b/nodeinstaller/internal/containerdconfig/testdata/expected-bare-metal-qemu-snp.toml
@@ -8,7 +8,7 @@ address = '0.0.0.0:10257'
 
 [plugins]
 [plugins.'io.containerd.grpc.v1.cri']
-sandbox_image = 'mcr.microsoft.com/oss/kubernetes/pause:3.6'
+sandbox_image = 'ghcr.io/edgelesssys/kubernetes/pause:3.6'
 
 [plugins.'io.containerd.grpc.v1.cri'.cni]
 bin_dir = '/opt/cni/bin'
diff --git a/nodeinstaller/internal/containerdconfig/testdata/expected-bare-metal-qemu-tdx.toml b/nodeinstaller/internal/containerdconfig/testdata/expected-bare-metal-qemu-tdx.toml
@@ -8,7 +8,7 @@ address = '0.0.0.0:10257'
 
 [plugins]
 [plugins.'io.containerd.grpc.v1.cri']
-sandbox_image = 'mcr.microsoft.com/oss/kubernetes/pause:3.6'
+sandbox_image = 'ghcr.io/edgelesssys/kubernetes/pause:3.6'
 
 [plugins.'io.containerd.grpc.v1.cri'.cni]
 bin_dir = '/opt/cni/bin'
diff --git a/packages/by-name/kata/genpolicy/genpolicy_settings_dev.patch b/packages/by-name/kata/genpolicy/genpolicy_settings_dev.patch
@@ -2,7 +2,16 @@ diff --git a/genpolicy-settings.json b/genpolicy-settings.json
 index b5c1c1968..06c02f098 100644
 --- a/genpolicy-settings.json
 +++ b/genpolicy-settings.json
-@@ -346,7 +346,8 @@
+@@ -291,7 +291,7 @@
+         "enable_configmap_secret_storages": false
+     },
+     "cluster_config": {
+-        "pause_container_image": "mcr.microsoft.com/oss/kubernetes/pause:3.6",
++        "pause_container_image": "ghcr.io/edgelesssys/kubernetes/pause:3.6",
+         "guest_pull": true,
+         "pause_container_id_policy": "v1"
+     },
+@@ -313,7 +313,8 @@
                  "^AZURE_FEDERATED_TOKEN_FILE=/var/run/secrets/azure/tokens/azure-identity-token$",
                  "^AZURE_AUTHORITY_HOST=https://login\\.microsoftonline\\.com/$",
                  "^TERM=xterm$",
@@ -12,7 +21,7 @@ index b5c1c1968..06c02f098 100644
              ]
          },
          "UpdateInterfaceRequest": {
-@@ -363,7 +364,9 @@
+@@ -330,7 +331,9 @@
          ],
          "ExecProcessRequest": {
              "allowed_commands": [],
@@ -23,7 +32,7 @@ index b5c1c1968..06c02f098 100644
          },
          "UpdateRoutesRequest": {
              "forbidden_device_names": [
-@@ -375,8 +378,8 @@
+@@ -350,8 +353,8 @@
              ]
          },
          "CloseStdinRequest": false,
diff --git a/packages/by-name/kata/genpolicy/genpolicy_settings_prod.patch b/packages/by-name/kata/genpolicy/genpolicy_settings_prod.patch
@@ -2,7 +2,16 @@ diff --git a/genpolicy-settings.json b/genpolicy-settings.json
 index bc1d3fc52..91126cf8c 100644
 --- a/genpolicy-settings.json
 +++ b/genpolicy-settings.json
-@@ -366,7 +366,7 @@
+@@ -291,7 +291,7 @@
+         "enable_configmap_secret_storages": false
+     },
+     "cluster_config": {
+-        "pause_container_image": "mcr.microsoft.com/oss/kubernetes/pause:3.6",
++        "pause_container_image": "ghcr.io/edgelesssys/kubernetes/pause:3.6",
+         "guest_pull": true,
+         "pause_container_id_policy": "v1"
+     },
+@@ -350,7 +350,7 @@
              ]
          },
          "CloseStdinRequest": false,
@@ -11,3 +20,4 @@ index bc1d3fc52..91126cf8c 100644
          "UpdateEphemeralMountsRequest": false,
          "WriteStreamRequest": false
      }
+
diff --git a/packages/by-name/kata/genpolicy/package.nix b/packages/by-name/kata/genpolicy/package.nix
@@ -69,6 +69,7 @@ rustPlatform.buildRustPackage rec {
       '';
     };
 
+    # These get applied on top of all the patches under the "runtime" folder
     settings = applyPatches {
       src = settings-base;
       patches = [ ./genpolicy_settings_prod.patch ];

Original file line number	Diff line number	Diff line change
`@@ -68,9 +68,9 @@ func TestHTTPProxy(t *testing.T) {`
`68`	`68`	`coordinatorConnectionProxied.Store(true)`
`69`	`69`	`}`
`70`	`70`	`// While we could parse the expected registries from the ImageReplacementsFile, we know`
`71`		`- // that the pause container image will come from MCR, so we use that as an indicator for`
	`71`	`+ // that the pause container image will come from ghcr.io, so we use that as an indicator for`
`72`	`72`	`// registry requests being proxied.`
`73`		`- if addr == "mcr.microsoft.com:443" {`
	`73`	`+ if addr == "ghcr.io:443" {`
`74`	`74`	`registryConnectionProxied.Store(true)`
`75`	`75`	`}`
`76`	`76`	`ctx, cancel := context.WithTimeout(t.Context(), 2*time.Second)`