2025-11-25T11:25:34+0800 (#952)

* 2025-11-25T11:25:34+0800

* 2025-11-25T11:25:34+0800

* 2025-11-25T11:25:34+0800

* 2025-11-25T11:25:34+0800

* 2025-11-25T11:25:34+0800

* 2025-11-25T11:25:34+0800

Author: gaoyonglong

.VERSION

@@ -1,2 +1,2 @@
-KUSCIA_VERSION = 1.0.0b0
+KUSCIA_VERSION = 1.1.0b0
 SECRETFLOW_VERSION = 1.11.0b1

.github/workflows/dependency-review.yml

@@ -39,3 +39,6 @@ jobs:
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       - name: 'Dependency Review'
         uses: actions/dependency-review-action@67d4f4bd7a9b17a0db54d2a7519187c65e339de8 # v4
+        with:
+          warn-only: true
+          fail-on-severity: critical

.github/workflows/golangci-lint.yml

@@ -52,7 +52,7 @@ jobs:
           cache: true
       - name: Install specific version of golangci-lint
         run: |
-          curl -sSfL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh | sh -s -- -b $(go env GOPATH)/bin v1.61.0
+          curl -sSfL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh | sh -s -- -b $(go env GOPATH)/bin v2.5.0
           golangci-lint --version
       - name: Install codespell
         run: |
@@ -64,5 +64,5 @@ jobs:
           else
             LAST_COMMIT_SHA=${{ github.event.pull_request.base.sha }}
           fi
-          golangci-lint run --new-from-rev=${LAST_COMMIT_SHA} --out-format=colored-line-number --timeout=5m
+          golangci-lint run --new-from-rev=${LAST_COMMIT_SHA} --timeout=5m
           make codespell-check

.golangci.yml

@@ -17,6 +17,7 @@
 # This file contains all available configuration options
 # with their default values.
 
+version: 2
 # options for analysis running
 run:
   # default concurrency is a available CPU number
@@ -36,8 +37,6 @@ run:
 
 # output configuration options
 output:
-  # sort linter result
-  sort-results: true
   # sort order
   sort-order:
     - linter
@@ -46,111 +45,22 @@ output:
 
   # colored-line-number|line-number|json|tab|checkstyle|code-climate, default is "colored-line-number"
   formats:
-    - format: json
+    json:
       path: stderr
 
-  # print lines of code with issue, default is true
-  print-issued-lines: true
-
-  # print linter name in the end of issue text, default is true
-  print-linter-name: true
-
 issues:
   max-same-issues: 0
   max-issues-per-linter: 0
-  exclude-files:
-    - _test\.go
-    - cmd/example
-    - webdemo/
-
-# all available settings of specific linters
-linters-settings:
-  revive:
-    rules:
-      - name: unused-parameter # disable unused-parameter rule
-        disabled: true
-  errcheck:
-    # report about not checking of errors in type assetions: `a := b.(MyStruct)`;
-    # default is false: such cases aren't reported by default.
-    check-type-assertions: false
-
-    # report about assignment of errors to blank identifier: `num, _ := strconv.Atoi(numStr)`;
-    # default is false: such cases aren't reported by default.
-    check-blank: false
-  govet:
-    # report about shadowed variables
-    enable:
-      - shadow
-  gofmt:
-    # simplify code: gofmt with `-s` option, true by default
-    simplify: true
-  goimports:
-    # put imports beginning with prefix after 3rd-party packages;
-    # it's a comma-separated list of prefixes
-    local-prefixes: github.com/secretflow/kuscia
-  gocyclo:
-    # minimal code complexity to report, 30 by default (but we recommend 10-20)
-    min-complexity: 10
-  dupl:
-    # tokens count to trigger issue, 150 by default
-    threshold: 150
-  goconst:
-    # minimal length of string constant, 3 by default
-    min-len: 3
-    # minimal occurrences count to trigger, 3 by default
-    min-occurrences: 3
-  depguard:
-    rules:
-      main:
-        deny:
-          - pkg: "github.com/davecgh/go-spew/spew"
-  misspell:
-    # Correct spellings using locale preferences for US or UK.
-    # Default is to use a neutral variety of English.
-    # Setting locale to US will correct the British spelling of 'colour' to 'color'.
-    locale: US
-    ignore-words:
-      - someword
-  lll:
-    # max line length, lines longer will be reported. Default is 120.
-    # '\t' is counted as 1 character by default, and can be changed with the tab-width option
-    line-length: 120
-    # tab width in spaces. Default to 1.
-    tab-width: 1
-  unused:
-    parameters-are-used: true
-    exported-fields-are-used: true
-  unparam:
-    # Inspect exported functions, default is false. Set to true if no external program/library imports your code.
-    # XXX: if you enable this setting, unparam will report a lot of false-positives in text editors:
-    # if it's called for subdir of a project it can't find external interfaces. All text editor integrations
-    # with golangci-lint call it on a directory with the changed file.
-    check-exported: false
-  nakedret:
-    # make an issue if func has more lines of code than this setting and it has naked returns; default is 30
-    max-func-lines: 30
-  prealloc:
-    # XXX: we don't recommend using this linter before doing performance profiling.
-    # For most programs usage of prealloc will be a premature optimization.
-
-    # Report preallocation suggestions only on simple loops that have no returns/breaks/continues/gotos in them.
-    # True by default.
-    simple: true
-    range-loops: true # Report preallocation suggestions on range loops, true by default
-    for-loops: false # Report preallocation suggestions on for loops, false by default
-  gocritic:
-    # Which checks should be disabled; can't be combined with 'enabled-checks'; default is empty
-    disabled-checks:
-      - regexpMust
-
-    # Enable multiple checks by tags, run `GL_DEBUG=gocritic golangci-lint` run to see all tags and checks.
-    # Empty list by default. See https://github.com/go-critic/go-critic#usage -> section "Tags".
-    enabled-tags:
-      - performance
-
-    settings: # settings passed to gocritic
-      captLocal: # must be valid enabled check name
-        paramsOnly: true
+
+formatters:
+  settings:
+    gofmt:
+      # simplify code: gofmt with `-s` option, true by default
+      simplify: true
+    goimports:
+      # put imports beginning with prefix after 3rd-party packages;
+      # it's a comma-separated list of prefixes
+      local-prefixes: github.com/secretflow/kuscia
 
 linters:
   enable:
@@ -160,6 +70,101 @@ linters:
     - errcheck
     - goconst
     - dupl
-    - goimports
-  disable-all: true
-  fast: false
+  disable:
+    - ineffassign
+    - staticcheck
+  exclusions:
+    rules:
+      - source: Close
+        linters:
+          - errcheck
+    paths:
+      - _test\.go
+      - cmd/example
+      - webdemo/.*
+      - pkg/datamesh/dataserver/io/builtin/.*
+  # all available settings of specific linters
+  settings:
+    revive:
+      rules:
+        - name: unused-parameter # disable unused-parameter rule
+          disabled: true
+    errcheck:
+      # report about not checking of errors in type assetions: `a := b.(MyStruct)`;
+      # default is false: such cases aren't reported by default.
+      check-type-assertions: false
+
+      # report about assignment of errors to blank identifier: `num, _ := strconv.Atoi(numStr)`;
+      # default is false: such cases aren't reported by default.
+      check-blank: false
+      exclude-functions:
+        - os.Remove
+        - os.RemoveAll
+    govet:
+      # report about shadowed variables
+      enable:
+        - shadow
+    gocyclo:
+      # minimal code complexity to report, 30 by default (but we recommend 10-20)
+      min-complexity: 10
+    dupl:
+      # tokens count to trigger issue, 150 by default
+      threshold: 150
+    goconst:
+      # minimal length of string constant, 3 by default
+      min-len: 3
+      # minimal occurrences count to trigger, 3 by default
+      min-occurrences: 3
+    depguard:
+      rules:
+        main:
+          deny:
+            - pkg: "github.com/davecgh/go-spew/spew"
+    misspell:
+      # Correct spellings using locale preferences for US or UK.
+      # Default is to use a neutral variety of English.
+      # Setting locale to US will correct the British spelling of 'colour' to 'color'.
+      locale: US
+      ignore-rules:
+        - someword
+    lll:
+      # max line length, lines longer will be reported. Default is 120.
+      # '\t' is counted as 1 character by default, and can be changed with the tab-width option
+      line-length: 120
+      # tab width in spaces. Default to 1.
+      tab-width: 1
+    unused:
+      parameters-are-used: true
+      exported-fields-are-used: true
+    unparam:
+      # Inspect exported functions, default is false. Set to true if no external program/library imports your code.
+      # XXX: if you enable this setting, unparam will report a lot of false-positives in text editors:
+      # if it's called for subdir of a project it can't find external interfaces. All text editor integrations
+      # with golangci-lint call it on a directory with the changed file.
+      check-exported: false
+    nakedret:
+      # make an issue if func has more lines of code than this setting and it has naked returns; default is 30
+      max-func-lines: 30
+    prealloc:
+      # XXX: we don't recommend using this linter before doing performance profiling.
+      # For most programs usage of prealloc will be a premature optimization.
+
+      # Report preallocation suggestions only on simple loops that have no returns/breaks/continues/gotos in them.
+      # True by default.
+      simple: true
+      range-loops: true # Report preallocation suggestions on range loops, true by default
+      for-loops: false # Report preallocation suggestions on for loops, false by default
+    gocritic:
+      # Which checks should be disabled; can't be combined with 'enabled-checks'; default is empty
+      disabled-checks:
+        - regexpMust
+
+      # Enable multiple checks by tags, run `GL_DEBUG=gocritic golangci-lint` run to see all tags and checks.
+      # Empty list by default. See https://github.com/go-critic/go-critic#usage -> section "Tags".
+      enabled-tags:
+        - performance
+
+      settings: # settings passed to gocritic
+        captLocal: # must be valid enabled check name
+          paramsOnly: true
+

MODULE.bazel

@@ -14,7 +14,7 @@
 
 module(
     name = "kuscia",
-    version = "1.0.0b0",
+    version = "1.1.0b0",
     compatibility_level = 1,
 )
 

build/dockerfile/base/kuscia-deps.Dockerfile

@@ -14,28 +14,52 @@
 # limitations under the License.
 #
 
-ARG K3S_VER=v1.26.11-k3s2
+ARG K3S_VER=v1.33.5-k3s1
 ARG K3S_IMAGE=secretflow-registry.cn-hangzhou.cr.aliyuncs.com/secretflow/k3s:${K3S_VER}
 ARG PROOT_IMAGE=secretflow-registry.cn-hangzhou.cr.aliyuncs.com/secretflow/proot
 FROM ${PROOT_IMAGE} as proot-image
 FROM ${K3S_IMAGE} as k3s-image
 
 FROM secretflow-registry.cn-hangzhou.cr.aliyuncs.com/secretflow/anolisos:23
-ARG TARGETPLATFORM
 ARG TARGETARCH
+ARG TARGETOS
 RUN yum install -y git glibc-static wget gcc make && \
     yum clean all
 
 RUN mkdir -p /image/home/kuscia/bin && \
-    mkdir -p /image/bin/aux
+    mkdir -p /image/home/kuscia/libexec/cni
 
 WORKDIR /tmp
 
 COPY --from=proot-image /root/proot/src/proot /image/home/kuscia/bin/
-COPY --from=k3s-image /bin/k3s /bin/containerd /bin/containerd-shim-runc-v2 /bin/runc /bin/cni /image/home/kuscia/bin/
-COPY --from=k3s-image /bin/aux /image/bin/aux
-
-COPY build/${TARGETPLATFORM}/k3s/bin/k3s /image/home/kuscia/bin/
+COPY --from=k3s-image /bin/k3s /bin/runc /bin/cni /image/home/kuscia/bin/
+COPY --from=k3s-image /bin/aux /image/home/kuscia/bin/
 
 RUN wget "https://github.com/krallin/tini/releases/download/v0.19.0/tini-${TARGETARCH}" -O /image/home/kuscia/bin/tini && \
     chmod +x /image/home/kuscia/bin/tini
+
+ARG CONTAINERD_VERSION=1.7.28
+RUN fname="containerd-${CONTAINERD_VERSION}-${TARGETOS:-linux}-${TARGETARCH:-amd64}.tar.gz" && \
+   wget --progress=bar:force:noscroll "https://github.com/containerd/containerd/releases/download/v${CONTAINERD_VERSION}/${fname}" -O "${fname}" && \
+   tar xzf "${fname}" -C /tmp && \
+   cp -rf /tmp/bin/* /image/home/kuscia/bin && \
+   rm -f "${fname}" && rm -rf /tmp/bin
+
+RUN echo "${TARGETARCH:-amd64}" | sed -e s/amd64/x86_64/ -e s/arm64/aarch64/ | tee /target_uname_m
+ARG CNI_PLUGINS_VERSION=v1.7.1
+RUN fname="cni-plugins-${TARGETOS:-linux}-${TARGETARCH:-amd64}-${CNI_PLUGINS_VERSION}.tgz" && \
+   wget --progress=bar:force:noscroll "https://github.com/containernetworking/plugins/releases/download/${CNI_PLUGINS_VERSION}/${fname}" -O "${fname}" && \
+   tar xzf "${fname}" -C /image/home/kuscia/libexec/cni && \
+   rm -f "${fname}"
+
+ARG ROOTLESSKIT_VERSION=v2.3.5
+RUN fname="rootlesskit-$(cat /target_uname_m).tar.gz" && \
+  wget --progress=bar:force:noscroll "https://github.com/rootless-containers/rootlesskit/releases/download/${ROOTLESSKIT_VERSION}/${fname}" -O "${fname}" && \
+  tar xzf "${fname}" -C /image/home/kuscia/bin && \
+  rm -f "${fname}" /image/home/kuscia/bin/rootlesskit-docker-proxy
+
+ARG SLIRP4NETNS_VERSION=v1.3.1
+RUN fname="slirp4netns-$(cat /target_uname_m)" && \
+  wget --progress=bar:force:noscroll "https://github.com/rootless-containers/slirp4netns/releases/download/${SLIRP4NETNS_VERSION}/${fname}" -O "${fname}" && \
+  mv "${fname}" /image/home/kuscia/bin/slirp4netns && \
+  chmod +x /image/home/kuscia/bin/slirp4netns

build/dockerfile/kuscia-anolis.Dockerfile

@@ -14,15 +14,15 @@
 # limitations under the License.
 #
 
-ARG DEPS_IMAGE="secretflow-registry.cn-hangzhou.cr.aliyuncs.com/secretflow/kuscia-deps:0.6.1b0"
+ARG DEPS_IMAGE="secretflow-registry.cn-hangzhou.cr.aliyuncs.com/secretflow/kuscia-deps:0.7.0b0"
 ARG KUSCIA_ENVOY_IMAGE="secretflow-registry.cn-hangzhou.cr.aliyuncs.com/secretflow/kuscia-envoy:0.6.2b0"
-ARG PROM_NODE_EXPORTER="secretflow-registry.cn-hangzhou.cr.aliyuncs.com/secretflow/node-exporter:v1.7.0"
+ARG PROM_NODE_EXPORTER="secretflow-registry.cn-hangzhou.cr.aliyuncs.com/secretflow/node-exporter:v1.9.1"
 ARG BASE_IMAGE="secretflow-registry.cn-hangzhou.cr.aliyuncs.com/secretflow/anolisos:23"
 
-FROM ${DEPS_IMAGE} as deps
+FROM ${DEPS_IMAGE} AS deps
 
-FROM ${PROM_NODE_EXPORTER} as node_exporter
-FROM ${KUSCIA_ENVOY_IMAGE} as kuscia_envoy
+FROM ${PROM_NODE_EXPORTER} AS node_exporter
+FROM ${KUSCIA_ENVOY_IMAGE} AS kuscia_envoy
 
 FROM ${BASE_IMAGE}
 
@@ -52,12 +52,10 @@ RUN useradd -ms /bin/bash kuscia && \
     chmod -R g+rwxs /home/kuscia
 
 COPY --chown=kuscia:kuscia --from=deps /image/home/kuscia/bin ${HOME_DIR}/bin
-COPY --chown=kuscia:kuscia --from=deps /image/bin/aux /bin/aux
 COPY --chown=kuscia:kuscia --from=node_exporter /bin/node_exporter ${HOME_DIR}/bin
 
 RUN pushd ${HOME_DIR}/bin && \
     ln -s k3s crictl && \
-    ln -s k3s ctr && \
     ln -s k3s kubectl && \
     ln -s cni bridge && \
     ln -s cni flannel && \

changelog/v1.0.0_CHANGELOG.md

@@ -42,6 +42,7 @@
 - **[问题修复]** Kuscia 使用 PostgreSQL 作为元数据存储时连接异常问题
 
 **注**：
+
 - Alpha功能还在完善中，未经质量测试，不适合在实际的生产环境中使用。
 
 ---
@@ -90,4 +91,5 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - **[Bugfix]** Kuscia connection exception when using PostgreSQL as metadata storage
 
 **Note**
+
 - Alpha features are still under development and have not been quality tested, so they are not suitable for use in actual production environments.