Update AMI

Author: aledbf

README.md

@@ -20,13 +20,13 @@ Please update the `ami` field in the [eks-cluster.yaml](eks-cluster.yaml) file w
 
 | Region       | AMI                   |
 | ------------ | --------------------- |
-| us-west-1    | ami-06c84b5625f8b9604 |
-| us-west-2    | ami-0a9aa973650d0c831 |
-| eu-west-1    | ami-0de99790cc9326e71 |
-| eu-west-2    | ami-0fea47c0b713f556a |
-| eu-central-1 | ami-037f1d445b7fce6d9 |
-| us-east-1    | ami-0cb54c9245b490884 |
-| us-east-2    | ami-0648e811b79d1c89a |
+| us-west-1    | ami-0f3e6671ef1ede777 |
+| us-west-2    | ami-04a6d2a3b0d131841 |
+| eu-west-1    | ami-0542a7d18c5df4e79 |
+| eu-west-2    | ami-060cb8be1976f9dd5 |
+| eu-central-1 | ami-0d58b84ef791d4348 |
+| us-east-1    | ami-0efd7bb7f07150aa3 |
+| us-east-2    | ami-08b5bc88b0131552f |
 
 
 **To start the installation, execute:**
@@ -41,12 +41,12 @@ The whole process takes around forty minutes. In the end, the following resource
 
 - an EKS cluster running Kubernetes v1.21
 - Kubernetes nodes using a custom [AMI image](https://github.com/gitpod-io/amazon-eks-custom-amis/tree/gitpod):
-  - Ubuntu 20.04
+  - Ubuntu 21.10
   - Linux kernel v5.13
-  - containerd v1.5.5
+  - containerd v1.5.8
   - runc: v1.0.1
   - CNI plugins: v0.9.1
-  - Stargz Snapshotter: v0.7.0
+  - Stargz Snapshotter: v0.10.0
 
 - ALB load balancer with TLS termination and re-encryption
 - RDS Mysql database

ami/Makefile

@@ -1,5 +1,5 @@
 
-PACKER_VARIABLES := binary_bucket_name binary_bucket_region eks_version eks_build_date cni_plugin_version root_volume_size data_volume_size hardening_flag http_proxy https_proxy no_proxy
+PACKER_VARIABLES := binary_bucket_name binary_bucket_region eks_version eks_build_date root_volume_size data_volume_size hardening_flag http_proxy https_proxy no_proxy
 VPC_ID := vpc-0e8cf1ce122b1b059
 SUBNET_ID := subnet-0eddf1d7d0f9f9772
 AWS_REGION := us-west-2
@@ -15,12 +15,12 @@ build:
 		$(foreach packerVar,$(PACKER_VARIABLES), $(if $($(packerVar)),--var $(packerVar)='$($(packerVar))',)) \
 		$(PACKER_FILE)
 
-# Ubuntu 20.04
+# Ubuntu 21.10
 #-----------------------------------------------------
 # https://docs.aws.amazon.com/eks/latest/userguide/eks-optimized-ami.html
 
-build-ubuntu2004-1.20:
-	$(MAKE) build PACKER_FILE=amazon-eks-node-ubuntu2004.json eks_version=$(EKS_120_VERSION) eks_build_date=2021-04-12
+build-ubuntu2110-1.20:
+	$(MAKE) build PACKER_FILE=amazon-eks-node-ubuntu2110.json eks_version=$(EKS_120_VERSION) eks_build_date=2021-04-12
 
-build-ubuntu2004-1.21:
-	$(MAKE) build PACKER_FILE=amazon-eks-node-ubuntu2004.json eks_version=$(EKS_121_VERSION) eks_build_date=2021-07-05
+build-ubuntu2110-1.21:
+	$(MAKE) build PACKER_FILE=amazon-eks-node-ubuntu2110.json eks_version=$(EKS_121_VERSION) eks_build_date=2021-07-05

ami/amazon-eks-node-ubuntu2004.json renamed to ami/amazon-eks-node-ubuntu2110.json

@@ -1,10 +1,9 @@
 {
   "variables":{
-    "aws_region":"us-east-2",
-    "ami_description":"EKS Kubernetes Worker AMI on Ubuntu 20.04 (k8s: {{user `eks_version`}})",
+    "aws_region":"us-west-2",
+    "ami_description":"EKS Kubernetes Worker AMI on Ubuntu 21.10 (k8s: {{user `eks_version`}})",
     "eks_version":"",
     "eks_build_date":"",
-    "cni_plugin_version": "v0.9.1",
     "binary_bucket_name": "amazon-eks",
     "binary_bucket_region": "us-west-2",
     "hardening_flag": "false",
@@ -20,8 +19,8 @@
     "source_ami_owner_govcloud": "513442679011",
     "source_ami_ssh_user": "ubuntu",
     "source_ami_arch":"x86_64",
-    "source_ami_name":"ubuntu/images/hvm-ssd/ubuntu-focal-20.04-amd64-server-*",
-    "target_ami_name": "amazon-eks-node-{{user `eks_version`}}-ubuntu-20.04-{{ timestamp }}"
+    "source_ami_name":"ubuntu/images/hvm-ssd/ubuntu-impish-21.10-amd64-server-*",
+    "target_ami_name": "amazon-eks-node-{{user `eks_version`}}-ubuntu-21.10-{{ timestamp }}"
   },
   "builders":[
     {
@@ -41,7 +40,7 @@
         ],
         "most_recent":true
       },
-      "instance_type":"m5.xlarge",
+      "instance_type":"m6i.xlarge",
       "ssh_username":"{{user `source_ami_ssh_user`}}",
       "ssh_pty":true,
       "subnet_id":"{{user `subnet_id`}}",
@@ -63,7 +62,7 @@
         {
           "device_name":"/dev/sdb",
           "volume_size":"{{user `data_volume_size`}}",
-          "volume_type":"gp2",
+          "volume_type":"gp3",
           "delete_on_termination":true
         }
       ],
@@ -106,7 +105,6 @@
         "KUBERNETES_BUILD_DATE={{user `eks_build_date`}}",
         "BINARY_BUCKET_NAME={{user `binary_bucket_name`}}",
         "BINARY_BUCKET_REGION={{user `binary_bucket_region`}}",
-        "CNI_PLUGIN_VERSION={{user `cni_plugin_version`}}",
         "HARDENING_FLAG={{user `hardening_flag`}}"
       ],
       "execute_command":"echo 'packer' | {{.Vars}} sudo -S -E bash -eux '{{.Path}}'",
@@ -128,13 +126,21 @@
         "KUBERNETES_BUILD_DATE={{user `eks_build_date`}}",
         "BINARY_BUCKET_NAME={{user `binary_bucket_name`}}",
         "BINARY_BUCKET_REGION={{user `binary_bucket_region`}}",
-        "CNI_PLUGIN_VERSION={{user `cni_plugin_version`}}",
         "HARDENING_FLAG={{user `hardening_flag`}}"
       ],
       "execute_command":"echo 'packer' | {{.Vars}} sudo -S -E bash -eux '{{.Path}}'",
       "expect_disconnect":true,
       "pause_after":"30s"
     },
+    {
+      "type":"shell",
+      "scripts":[
+        "./scripts/ubuntu2004/shiftfs.sh"
+      ],
+      "execute_command":"echo 'packer' | {{.Vars}} sudo -S -E bash -eux '{{.Path}}'",
+      "expect_disconnect":true,
+      "pause_after":"30s"
+    },
     {
       "type":"shell",
       "scripts": [
@@ -149,7 +155,6 @@
         "KUBERNETES_BUILD_DATE={{user `eks_build_date`}}",
         "BINARY_BUCKET_NAME={{user `binary_bucket_name`}}",
         "BINARY_BUCKET_REGION={{user `binary_bucket_region`}}",
-        "CNI_PLUGIN_VERSION={{user `cni_plugin_version`}}",
         "HARDENING_FLAG={{user `hardening_flag`}}"
       ],
       "execute_command":"echo 'packer' | {{.Vars}} sudo -S -E bash -eux '{{.Path}}'"

ami/files/gitpod/containerd-stargz-grpc.toml

@@ -0,0 +1,3 @@
+[cri_keychain]
+enable_keychain = true
+image_service_path = "/run/containerd/containerd.sock"

ami/files/gitpod/containerd.toml

@@ -1,30 +1,38 @@
+# explicitly use v2 config format
 version = 2
 
-[plugins]
-  [plugins."io.containerd.grpc.v1.cri"]
-    max_concurrent_downloads = 20
-    sandbox_image = "k8s.gcr.io/pause:3.5"
-
-    [plugins."io.containerd.grpc.v1.cri".containerd]
-      default_runtime_name = "runc"
-      #snapshotter = "overlayfs"
-
-      snapshotter = "stargz"
-      disable_snapshot_annotations = false
-
-      [plugins."io.containerd.grpc.v1.cri".containerd.runtimes]
-
-        [plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runc]
-          privileged_without_host_devices = false
-          runtime_type = "io.containerd.runc.v2"
-
-          [plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runc.options]
-            SystemdCgroup = true
-
-    [plugins."io.containerd.grpc.v1.cri".registry]
-      config_path = "/etc/containerd/certs.d"
-
 [proxy_plugins]
-  [proxy_plugins.stargz]
-    type = "snapshot"
-    address = "/run/containerd-stargz-grpc/containerd-stargz-grpc.sock"
+# stargz is used for lazy pulling
+[proxy_plugins.stargz]
+  type = "snapshot"
+  address = "/run/containerd-stargz-grpc/containerd-stargz-grpc.sock"
+
+[plugins."io.containerd.grpc.v1.cri".containerd]
+  # save disk space when using a single snapshotter
+  discard_unpacked_layers = true
+  # enable stargz snapshotter
+  snapshotter = "stargz"
+  # pass additional snapshotter labels to remote snapshotter
+  disable_snapshot_annotations = false
+  # explicit default here, as we're configuring it below
+  default_runtime_name = "runc"
+[plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runc]
+  # set default runtime handler to v2, which has a per-pod shim
+  runtime_type = "io.containerd.runc.v2"
+
+[plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runc.options]
+  SystemdCgroup = true
+
+# allow pulling from registries using self-signed SSL certificates
+[plugins."io.containerd.grpc.v1.cri".registry]
+  config_path = "/etc/containerd/certs.d"
+
+[plugins."io.containerd.grpc.v1.cri"]
+  max_concurrent_downloads = 20
+  # use fixed sandbox image
+  sandbox_image = "k8s.gcr.io/pause:3.6"
+  # allow hugepages controller to be missing
+  # see https://github.com/containerd/cri/pull/1501
+  tolerate_missing_hugepages_controller = true
+  # restrict_oom_score_adj needs to be true when running inside UserNS (rootless)
+  restrict_oom_score_adj = false

ami/files/gitpod/kubelet.service

@@ -12,6 +12,7 @@ ExecStart=/usr/bin/kubelet --cloud-provider aws \
     --resolv-conf=/run/systemd/resolve/resolv.conf \
     --container-runtime remote \
     --container-runtime-endpoint unix:///run/containerd/containerd.sock \
+    --image-service-endpoint=unix:///run/containerd-stargz-grpc/containerd-stargz-grpc.sock \
     $KUBELET_ARGS $KUBELET_EXTRA_ARGS
 
 Restart=on-failure

ami/scripts/shared/docker.sh

@@ -4,24 +4,21 @@ set -o pipefail
 set -o nounset
 set -o errexit
 
-# shellcheck disable=SC1091
-source /etc/packer/files/functions.sh
-
-apt-get install -y apt-transport-https ca-certificates curl gnupg-agent software-properties-common
-
-add-apt-repository -y ppa:tuxinvader/lts-mainline
-apt-get update
-apt-get install -y linux-generic-5.13
+# Update OS
+apt update
 
 # Install required packages
-apt-get install -y \
+apt --no-install-recommends install -y \
+  apt-transport-https ca-certificates curl gnupg2 software-properties-common \
   iptables libseccomp2 socat conntrack ipset \
   fuse3 \
   jq \
   iproute2 \
   auditd \
   ethtool \
-  net-tools
+  net-tools \
+  linux-aws \
+  dkms
 
 mkdir -p /etc/modules-load.d/
 
@@ -39,37 +36,37 @@ blacklist dccp
 blacklist sctp
 EOF
 
-# Configure grub
-# echo "GRUB_GFXPAYLOAD_LINUX=keep" >> /etc/default/grub
 # Enable cgroups2
-# sed -i 's/GRUB_CMDLINE_LINUX="\(.*\)"/GRUB_CMDLINE_LINUX="systemd.unified_cgroup_hierarchy=1 cgroup_no_v1=all \1"/g' /etc/default/grub
-# update-grub2
+# sed -i 's/GRUB_CMDLINE_LINUX="\(.*\)"/GRUB_CMDLINE_LINUX="systemd.unified_cgroup_hierarchy=1 \1"/g' /etc/default/grub
 
 # Install containerd
-curl -sSL https://github.com/containerd/nerdctl/releases/download/v0.11.1/nerdctl-full-0.11.1-linux-amd64.tar.gz -o - | tar -xz -C /usr/local
+curl -sSL https://github.com/containerd/nerdctl/releases/download/v0.14.0/nerdctl-full-0.14.0-linux-amd64.tar.gz -o - | tar -xz -C /usr/local
 
-mkdir -p /etc/containerd /etc/containerd/certs.d
-
-cp /etc/packer/files/gitpod/containerd.toml /etc/containerd/config.toml
+# copy the portmap plugin to support hostport
+mkdir -p /opt/cni/bin
+ln -s /usr/local/libexec/cni/portmap /opt/cni/bin
 
 cp /usr/local/lib/systemd/system/* /lib/systemd/system/
-sed -i 's/--log-level=debug//g' /lib/systemd/system/stargz-snapshotter.service
 
-cp /usr/local/lib/systemd/system/* /lib/systemd/system/
-# Disable software irqbalance service
-systemctl stop irqbalance.service
-systemctl disable irqbalance.service
+# Configure containerd
+mkdir -p /etc/containerd/
+cp /etc/packer/files/gitpod/containerd.toml /etc/containerd/config.toml
+# Enable stargz-snapshotter plugin
+mkdir -p /etc/containerd-stargz-grpc
+cp /etc/packer/files/gitpod/containerd-stargz-grpc.toml /etc/containerd-stargz-grpc/config.toml
+cp /etc/packer/files/gitpod/stargz-snapshotter.service  /lib/systemd/system/stargz-snapshotter.service
 
 # Reload systemd
 systemctl daemon-reload
 
-mkdir -p /etc/containerd-stargz-grpc/
-
 # Start containerd and stargz
 systemctl enable containerd
 systemctl enable stargz-snapshotter
 
+echo "image-endpoint: unix:///run/containerd-stargz-grpc/containerd-stargz-grpc.sock" >> /etc/crictl.yaml
+
 systemctl start containerd
+systemctl start stargz-snapshotter
 
 # Prepare images airgap tgz
 chmod +x /etc/packer/files/gitpod/airgap.sh

ami/scripts/shared/eks.sh

@@ -71,20 +71,6 @@ for binary in ${BINARIES[*]} ; do
     mv $binary /usr/bin/
 done
 
-# Since CNI 0.7.0, all releases are done in the plugins repo.
-CNI_PLUGIN_FILENAME="cni-plugins-linux-${ARCH}-${CNI_PLUGIN_VERSION}"
-
-curl -sL -o "${CNI_PLUGIN_FILENAME}.tgz" "https://github.com/containernetworking/plugins/releases/download/${CNI_PLUGIN_VERSION}/${CNI_PLUGIN_FILENAME}.tgz"
-curl -sL -o "${CNI_PLUGIN_FILENAME}.tgz.sha512" "https://github.com/containernetworking/plugins/releases/download/${CNI_PLUGIN_VERSION}/${CNI_PLUGIN_FILENAME}.tgz.sha512"
-
-sha512sum -c "${CNI_PLUGIN_FILENAME}.tgz.sha512"
-rm "${CNI_PLUGIN_FILENAME}.tgz.sha512"
-
-tar -xvf "${CNI_PLUGIN_FILENAME}.tgz" -C /opt/cni/bin
-rm "${CNI_PLUGIN_FILENAME}.tgz"
-
-rm ./*.sha256
-
 mkdir -p /etc/kubernetes/kubelet
 mkdir -p /etc/systemd/system/kubelet.service.d
 
@@ -98,16 +84,12 @@ configure_kubelet_environment
 
 systemctl daemon-reload && systemctl disable kubelet
 
-mkdir -p /var/lib/containerd/io.containerd.snapshotter.v1.stargz
-
 ################################################################################
 ### EKS ########################################################################
 ################################################################################
 
 mkdir -p /etc/eks
-# Temporal https://github.com/awslabs/amazon-eks-ami/pull/735
-curl -sL -o /etc/eks/eni-max-pods.txt https://raw.githubusercontent.com/awslabs/amazon-eks-ami/e9b681acc4ea08d22a82eb4388734a225d153561/files/eni-max-pods.txt
-# https://raw.githubusercontent.com/awslabs/amazon-eks-ami/master/files/eni-max-pods.txt
+curl -sL -o /etc/eks/eni-max-pods.txt https://raw.githubusercontent.com/awslabs/amazon-eks-ami/master/files/eni-max-pods.txt
 
 cp /etc/packer/files/gitpod/bootstrap.sh /etc/eks/bootstrap.sh
 chown root:root /etc/eks/bootstrap.sh

ami/scripts/ubuntu2004/boilerplate.sh

@@ -4,14 +4,16 @@ set -o pipefail
 set -o nounset
 set -o errexit
 
+export DEBIAN_FRONTEND=noninteractive
+
 # shellcheck disable=SC1091
 source /etc/packer/files/functions.sh
 
 # wait for cloud-init to finish
 wait_for_cloudinit
 
 # upgrade the operating system
-apt-get update -y && apt-get upgrade -y
+apt update -y && apt dist-upgrade -y
 
 # install dependencies
 apt-get install -y \

ami/scripts/ubuntu2004/shiftfs.sh

@@ -0,0 +1,12 @@
+#!/usr/bin/env bash
+
+set -o pipefail
+set -o nounset
+set -o errexit
+
+git clone -b k5.13 https://github.com/toby63/shiftfs-dkms.git /tmp/shiftfs-k513
+cd /tmp/shiftfs-k513
+make -f Makefile.dkms
+modinfo shiftfs
+
+reboot