Mariner 3 upgrade

kubernetes/linux/Dockerfile.multiarch

@@ -1,7 +1,7 @@
 # Default base images. If you update them don't forgot to update variables in our build pipelines. Default values can be found in internal wiki. External can use ubuntu 18.04 and golang 1.18.3
 ARG GOLANG_BASE_IMAGE=
-ARG MARINER_BASE_IMAGE=mcr.microsoft.com/cbl-mariner/base/core:2.0
-ARG MARINER_DISTROLESS_IMAGE=mcr.microsoft.com/cbl-mariner/distroless/base:2.0
+ARG MARINER_BASE_IMAGE=mcr.microsoft.com/azurelinux/base/core:3.0
+ARG MARINER_DISTROLESS_IMAGE=mcr.microsoft.com/azurelinux/distroless/base:3.0
 
 FROM --platform=$BUILDPLATFORM ${GOLANG_BASE_IMAGE} AS golang-builder
 ARG TARGETOS TARGETARCH
@@ -11,7 +11,6 @@ COPY build /src/build
 COPY source /src/source
 RUN cd /src/build/linux && make arch=${TARGETARCH}
 
-
 FROM ${MARINER_BASE_IMAGE} AS builder
 ARG TARGETOS TARGETARCH
 LABEL maintainer="[email protected]"
@@ -43,7 +42,7 @@ RUN mkdir /busybin && busybox --install /busybin
 
 COPY --from=golang-builder /src/kubernetes/linux/Linux_ULINUX_1.0_*_64_Release/docker-cimprov-*.*.*-*.*.sh $tmpdir/
 COPY kubernetes/linux/setup.sh kubernetes/linux/main.sh kubernetes/linux/defaultpromenvvariables kubernetes/linux/defaultpromenvvariables-rs kubernetes/linux/defaultpromenvvariables-sidecar kubernetes/linux/mdsd.xml kubernetes/linux/envmdsd kubernetes/linux/logrotate.conf $tmpdir/
-COPY kubernetes/linux/mariner-official-extras.repo /etc/yum.repos.d/
+COPY kubernetes/linux/azure-official-extras.repo /etc/yum.repos.d/
 
 WORKDIR ${tmpdir}
 
@@ -65,7 +64,7 @@ ENV HOST_VAR /hostfs/var
 ENV AZMON_COLLECT_ENV False
 ENV KUBE_CLIENT_BACKOFF_BASE 1
 ENV KUBE_CLIENT_BACKOFF_DURATION 0
-ENV RUBY_GC_HEAP_OLDOBJECT_LIMIT_FACTOR 0.9
+ENV RUBY_GC_HEAP_OLDOBJECT_LIMIT_FACTOR 1.0
 
 # default value will be overwritten by pipeline
 ARG IMAGE_TAG=3.1.26
@@ -105,32 +104,28 @@ COPY --from=builder /usr/share/pki/ca-trust-source /usr/share/pki/ca-trust-sourc
 COPY --from=builder /usr/share/p11-kit/ /usr/share/p11-kit/
 
 # bash dependencies
-COPY --from=builder /lib/libreadline.so.8 /lib/
-COPY --from=builder /usr/lib/libncursesw.so.6 /usr/lib/libtinfo.so.6 /usr/lib/
-# inotifywait dependencies
-COPY --from=builder /lib/libinotifytools.so.0 /lib/
-COPY --from=builder /lib/libc.so.6 /lib/
-# crond dependencies
-COPY --from=builder /lib/libselinux.so.1 /lib/libpam.so.0 /lib/libc.so.6 /lib/libpcre.so.1 /lib/libaudit.so.1 /lib/libcap-ng.so.0/ /lib/
+COPY --from=builder /usr/lib/libreadline.so.8  /usr/lib/libc.so.6 /usr/lib/libncursesw.so.6 /usr/lib/libtinfo.so.6 /usr/lib/
+# inotifywait dependencies 
+COPY --from=builder /usr/lib/libinotifytools.so.0 /usr/lib/libstdc++.so.6 /usr/lib/libgcc_s.so.1 /usr/lib/libc.so.6 /usr/lib/libm.so.6 /usr/lib/
+# crond dependencies 
+COPY --from=builder /usr/lib/libselinux.so.1 /usr/lib/libpam.so.0 /usr/lib/libc.so.6 /usr/lib/
 # ruby dependencies
-COPY --from=builder /usr/lib/libruby.so.3.1 /usr/lib/libz.so.1 /usr/lib/libgmp.so.10 /usr/lib/libcrypt.so.1 /usr/lib/libm.so.6 /usr/lib/libc.so.6 /usr/lib/
+COPY --from=builder /usr/lib/libruby.so.3.3 /usr/lib/libc.so.6 /usr/lib/libz.so.1 /usr/lib/libgmp.so.10 /usr/lib/libcrypt.so.1 /usr/lib/libm.so.6 /usr/lib/
 # fluent-bit dependencies
-# libssl.so.1.1 & libcrypto.so.1.1 are already available with openssl in distroless and copying them over causes FIPS HMAC verification failures
-COPY --from=builder /lib/libyaml-0.so.2 /lib/libsystemd.so.0 /lib/libm.so.6 /lib/libgcc_s.so.1 /lib/libc.so.6 /lib/liblzma.so.5 /lib/liblz4.so.1 /lib/libcap.so.2 /lib/libgcrypt.so.20 /lib/libgpg-error.so.0 /lib/libsasl2.so.3 /lib/
+# libssl.so.3 & libcrypto.so.3 are already available with openssl in distroless and copying them over causes FIPS HMAC verification failures
+COPY --from=builder /usr/lib/libluajit-5.1.so.2 /usr/lib/libyaml-0.so.2 /usr/lib/libsystemd.so.0 /usr/lib/libcurl.so.4 /usr/lib/libz.so.1 /usr/lib/libzstd.so.1 /usr/lib/libsasl2.so.3 /usr/lib/libm.so.6 /usr/lib/libgcc_s.so.1 /usr/lib/libc.so.6 /usr/lib/libcap.so.2 /usr/lib/liblz4.so.1 /usr/lib/liblzma.so.5 /usr/lib/libnghttp2.so.14 /usr/lib/libssh2.so.1 /usr/lib/libgssapi_krb5.so.2 /usr/lib/libresolv.so.2 /usr/lib/libkrb5.so.3 /usr/lib/libk5crypto.so.3 /usr/lib/libcom_err.so.2 /usr/lib/libkrb5support.so.0 /usr/lib/
 # telegraf dependencies
-COPY --from=builder /lib/libresolv.so.2 /lib/libc.so.6 /lib/
+COPY --from=builder /usr/lib/libresolv.so.2 /usr/lib/libc.so.6 /usr/lib/
 # mdsd dependencies
-COPY --from=builder /usr/lib/libdl.so.2 /usr/lib/librt.so.1 /usr/lib/libpthread.so.0 /usr/lib/libm.so.6 /usr/lib/libstdc++.so.6 /usr/lib/libgcc_s.so.1 /usr/lib/
+COPY --from=builder /usr/sbin/../lib/libpthread.so.0 /usr/sbin/../lib/libdl.so.2 /usr/sbin/../lib/libsymcrypt.so.103 /usr/sbin/../lib/librt.so.1 /usr/sbin/../lib/libm.so.6 /usr/sbin/../lib/libc.so.6 /usr/sbin/../lib/libstdc++.so.6 /usr/sbin/../lib/libgcc_s.so.1 /usr/sbin/../lib/
 COPY --from=builder /opt/microsoft/azure-mdsd/lib/libtcmalloc_minimal.so.4 /opt/microsoft/azure-mdsd/lib/
-COPY --from=builder /opt/microsoft/azure-mdsd/lib/libsymcrypt.so.103 /opt/microsoft/azure-mdsd/lib/
-# logrotate dependencies
-COPY --from=builder /lib/libselinux.so.1 /lib/libpopt.so.0 /lib/libc.so.6 /lib/libpcre.so.1 /lib/
+# logrotate dependencies 
+COPY --from=builder /usr/lib/libpopt.so.0 /usr/lib/libc.so.6 /usr/lib/
 # curl dependencies
 # libssl.so.1.1 & libcrypto.so.1.1 are already available with openssl in distroless and copying them over causes FIPS HMAC verification failures
-COPY --from=builder /lib/libcurl.so.4 /lib/libz.so.1 /lib/libc.so.6 /lib/libnghttp2.so.14 /lib/libssh2.so.1 /lib/libgssapi_krb5.so.2 /lib/libzstd.so.1 /lib/
-COPY --from=builder /usr/lib/libkrb5.so.3 /usr/lib/libk5crypto.so.3 /usr/lib/libcom_err.so.2 /usr/lib/libkrb5support.so.0 /usr/lib/libresolv.so.2 /usr/lib/
+COPY --from=builder /usr/lib/libcurl.so.4 /usr/lib/libz.so.1 /usr/lib/libc.so.6 /usr/lib/libnghttp2.so.14 /usr/lib/libssh2.so.1 /usr/lib/libgssapi_krb5.so.2 /usr/lib/libzstd.so.1 /usr/lib/libkrb5.so.3 /usr/lib/libk5crypto.so.3 /usr/lib/libcom_err.so.2 /usr/lib/libkrb5support.so.0 /usr/lib/libresolv.so.2 /usr/lib/
 # jq dependencies
-COPY --from=builder /lib/libjq.so.1 /lib/libc.so.6 /lib/libm.so.6 /lib/libonig.so.5 /lib/
+COPY --from=builder /usr/lib/libjq.so.1 /usr/lib/libc.so.6 /usr/lib/libm.so.6 /usr/lib/libonig.so.5 /usr/lib/
 # update-ca-trust dependencies
 COPY --from=builder /lib/libp11-kit.so.0 /lib/libffi.so.8 /lib/libtasn1.so.6 /lib/
 COPY --from=builder /lib/pkcs11/p11-kit-trust.so /lib/pkcs11/

kubernetes/linux/azure-official-extras.repo

@@ -0,0 +1,9 @@
+[azurelinux-official-extras]
+name=Azure-Linux Official extras
+baseurl=https://packages.microsoft.com/azurelinux/3.0/prod/ms-non-oss/x86_64/ https://packages.microsoft.com/azurelinux/3.0/prod/ms-oss/x86_64/
+gpgkey=file:///etc/pki/rpm-gpg/MICROSOFT-RPM-GPG-KEY file:///etc/pki/rpm-gpg/MICROSOFT-METADATA-GPG-KEY
+gpgcheck=1
+repo_gpgcheck=1
+enabled=1
+skip_if_unavailable=True
+sslverify=1

kubernetes/linux/setup.sh

@@ -12,47 +12,43 @@ fi
 sudo tdnf install ca-certificates-microsoft -y
 sudo update-ca-trust
 
-# sudo tdnf install ruby-3.1.3 -y
 if [ "$ARCH" == "arm64" ]; then
-    sudo tdnf install ruby-3.1.3-1.cm2.aarch64 -y
+    sudo tdnf install ruby-3.3.5-1.azl3.aarch64 -y
 else
     tdnf install -y gcc patch bzip2 openssl-devel libyaml-devel libffi-devel readline-devel zlib-devel gdbm-devel ncurses-devel
-    wget https://github.com/rbenv/ruby-build/archive/refs/tags/v20230330.tar.gz -O ruby-build.tar.gz
+    wget https://github.com/rbenv/ruby-build/archive/refs/tags/v20250409.tar.gz -O ruby-build.tar.gz
     tar -xzf ruby-build.tar.gz
     PREFIX=/usr/local ./ruby-build-*/install.sh
-    ruby-build 3.1.3 /usr
+    ruby-build 3.3.8 /usr -v
+
+    rm ruby-build.tar.gz
 fi
 
 # clean up the ruby-build files
-rm ruby-build.tar.gz
 rm -rf ruby-build-*
 
 # remove unused default gem openssl, find as they have some known vulns
-rm /usr/lib/ruby/gems/3.1.0/specifications/default/openssl-3.0.1.gemspec
-rm -rf /usr/lib/ruby/gems/3.1.0/gems/openssl-3.0.1
-rm /usr/lib/ruby/gems/3.1.0/specifications/default/find-0.1.1.gemspec
-rm -rf /usr/lib/ruby/gems/3.1.0/gems/find-0.1.1
-rm /usr/lib/ruby/gems/3.1.0/specifications/default/rdoc-6.4.0.gemspec
-rm -rf /usr/lib/ruby/gems/3.1.0/gems/rdoc-6.4.0
+rm /usr/lib/ruby/gems/3.3.0/specifications/default/openssl-3.2.0.gemspec
+rm -rf /usr/lib/ruby/gems/3.3.0/gems/openssl-3.2.0
+rm /usr/lib/ruby/gems/3.3.0/specifications/default/find-0.2.0.gemspec
+rm -rf /usr/lib/ruby/gems/3.3.0/gems/find-0.2.0
+rm /usr/lib/ruby/gems/3.3.0/specifications/default/rdoc-6.6.3.1.gemspec
+rm -rf /usr/lib/ruby/gems/3.3.0/gems/rdoc-6.6.3.1
 
 # update the time and uri package to tackle the vulnerabilities in these gems
-gem update time --default
-gem update uri --default
-gem update stringio --default
-gem update rexml --default
-gem update webrick --default
-mv /usr/lib/ruby/gems/3.1.0/specifications/default/time-0.2.0.gemspec /usr/lib/ruby/gems/3.1.0/specifications/default/..
-mv /usr/lib/ruby/gems/3.1.0/specifications/default/uri-0.11.0.gemspec /usr/lib/ruby/gems/3.1.0/specifications/default/..
-mv /usr/lib/ruby/gems/3.1.0/specifications/default/stringio-3.0.1.gemspec /usr/lib/ruby/gems/3.1.0/specifications/default/..
-mv /usr/lib/ruby/gems/3.1.0/specifications/default/rexml-3.2.5.gemspec /usr/lib/ruby/gems/3.1.0/specifications/default/..
-mv /usr/lib/ruby/gems/3.1.0/specifications/webrick-1.8.1.gemspec /usr/lib/ruby/gems/3.1.0/specifications/..
-gem uninstall time --version 0.2.0
-gem uninstall uri --version 0.11.0
-gem uninstall stringio --version 3.0.1
-gem uninstall rexml --version 3.2.5
-gem uninstall webrick --version 1.8.1
-
-sudo tdnf install -y azure-mdsd-1.31.4
+gem update time --default --no-document
+gem update uri --default --no-document
+gem update stringio --default --no-document
+
+mv /usr/lib/ruby/gems/3.3.0/specifications/default/time-0.3.0.gemspec /usr/lib/ruby/gems/3.3.0/specifications/default/..
+mv /usr/lib/ruby/gems/3.3.0/specifications/default/uri-0.13.2.gemspec /usr/lib/ruby/gems/3.3.0/specifications/default/..
+mv /usr/lib/ruby/gems/3.3.0/specifications/default/stringio-3.1.1.gemspec /usr/lib/ruby/gems/3.3.0/specifications/default/..
+
+gem uninstall time --version 0.3.0
+gem uninstall uri --version 0.13.2
+gem uninstall stringio --version 3.1.1
+
+sudo tdnf install -y azure-mdsd-1.33.3
 cp -f $TMPDIR/mdsd.xml /etc/mdsd.d
 cp -f $TMPDIR/envmdsd /etc/mdsd.d
 rm /usr/sbin/telegraf
@@ -69,12 +65,12 @@ sudo tdnf install inotify-tools -y
 
 #used to parse response of kubelet apis
 #ref: https://packages.ubuntu.com/search?keywords=jq
-sudo tdnf install jq-1.6-1.cm2 -y
+sudo tdnf install jq-1.7.1-1.azl3 -y
 
 #used to setcaps for ruby process to read /proc/env
 sudo tdnf install libcap -y
 
-sudo tdnf install telegraf-1.29.4 -y
+sudo tdnf install telegraf-1.31.0 -y
 telegraf_version=$(sudo tdnf list installed | grep telegraf | awk '{print $2}')
 echo "telegraf $telegraf_version" >> packages_version.txt
 mv /usr/bin/telegraf /opt/telegraf
@@ -85,16 +81,16 @@ docker_cimprov_version=$(sudo tdnf list installed | grep docker-cimprov | awk '{
 echo "DOCKER_CIMPROV_VERSION=$docker_cimprov_version" >> packages_version.txt
 
 #install fluent-bit
-sudo tdnf install fluent-bit-3.0.6 -y
+sudo tdnf install fluent-bit-3.1.9 -y
 echo "$(fluent-bit --version)" >> packages_version.txt
 
 # install fluentd using the mariner package
-# sudo tdnf install rubygem-fluentd-1.14.6 -y
-fluentd_version="1.16.3"
+# sudo tdnf install rubygem-fluentd -y
+fluentd_version="1.18.0"
 gem install fluentd -v $fluentd_version --no-document
 
 # remove the test directory from fluentd
-rm -rf /usr/lib/ruby/gems/3.1.0/gems/fluentd-$fluentd_version/test/
+rm -rf /usr/lib/ruby/gems/3.3.0/gems/fluentd-$fluentd_version/test/
 
 echo "$(fluentd --version)" >> packages_version.txt
 fluentd --setup ./fluent
@@ -103,6 +99,7 @@ gem install gyoku iso8601 bigdecimal --no-doc
 gem install tomlrb -v "2.0.1" --no-document
 gem install ipaddress --no-document
 gem install jwt -v "2.7.1" --no-document
+gem install racc --no-document
 
 rm -f $TMPDIR/docker-cimprov*.sh
 rm -f $TMPDIR/mdsd.xml