The --log-file parameter will be deprecated as of Kubernetes 1.23 and should be
avoided. The replacement for distroless images is the image with go-runner, a
tool that handles output redirection.
For kubemark to run in that image it must be built as static binary.
kube-log-runner was formerly known as go-runner when it was originally introduced
in 393e0952e9
It was moved to kubernetes/release/images/build/go-runner later but is now
needed again in Kubernetes itself as replacement for the deprecated --log-file
klog feature: when bringing up a Windows node, kube-proxy.exe and kubelet.exe must be wrapped
with the helper binary to redirect output.
It got renamed to avoid a naming conflict with
test/conformance/image/go-runner and because the name was too vague.
Other downstream Kubernetes users may have a similar need, therefore it makes
sense to provide a prebuilt binary also in the release archives.
On a ppc64le host, fast build was failing:
# make KUBE_FASTBUILD=true quick-release
+++ [0908 15:56:36] Verifying Prerequisites....
+++ [0908 15:56:36] Building Docker image kube-build:build-fd009aaa81-5-v1.23.0-go1.17-buster.0
+++ [0908 15:56:44] Syncing sources to container
+++ [0908 15:56:48] Running build command...
+++ [0908 15:56:56] Building go targets for linux/ppc64le:
./vendor/k8s.io/code-generator/cmd/prerelease-lifecycle-gen
> non-static build: k8s.io/kubernetes/./vendor/k8s.io/code-generator/cmd/prerelease-lifecycle-gen
touch: cannot touch '_output/bin/prerelease-lifecycle-gen': No such file or directory
make[2]: *** [Makefile.generated_files:209: _output/bin/prerelease-lifecycle-gen] Error 1
make[1]: *** [Makefile:552: generated_files] Error 2
make: *** [Makefile:512: cross] Error 1
!!! [0908 15:56:58] Call tree:
!!! [0908 15:56:58] 1: build/../build/common.sh:476 kube::build::run_build_command_ex(...)
!!! [0908 15:56:58] 2: build/release.sh:36 kube::build::run_build_command(...)
make: *** [Makefile:454: quick-release] Error 1
This error happened because the _output/bin/ directory didn't exist at
the moment the file _output/bin/prerelease-lifecycle-gen was touched, so
the path didn't exist.
The _output/bin symlink was not created by kube::golang::place_bins()
because kube::golang::setup_platforms() assumed
KUBE_CLIENT_PLATFORMS=linux/amd64 despite being on a ppc64le host.
Fix build error by not assuming host_arch=amd64 when on ppc64le in
kube::golang::setup_platforms().
Signed-off-by: Murilo Opsfelder Araujo <muriloo@linux.ibm.com>
The tag extraction from GOFLAGS doesn't do anything if -tags is not
present in GOFLAGS. Not only does that mean non-sensical tags are
passed, but because GOFLAGS is a space-separated variable, the build
will fail because the build flags because -tags must be comma-separated.
Signed-off-by: Yaakov Selkowitz <yselkowi@redhat.com>
When building inside a docker container, we fail to pass along enough
information for KUBE_CGO_OVERRIDES. The original PR was geared towards
building the binary from the command line
- dca376a03e
- e4ded2b3ec
Signed-off-by: Davanum Srinivas <davanum@gmail.com>
We now add the `-buildmode pie` flag when building non-static binaries,
which enables the ASLR security mechanism.
Signed-off-by: Sascha Grunert <sgrunert@redhat.com>
Golang fixed the issue with the non-reproducible buildid already in
v1.15.3:
c5f6920212a3e965ce8a
This means we can now use the internal buildid instead of the unset one.
Signed-off-by: Sascha Grunert <sgrunert@redhat.com>
* Removes discovery v1alpha1 API
* Replaces per Endpoint Topology with a read only DeprecatedTopology
in GA API
* Adds per Endpoint Zone field in GA API
A benchmark with go1.16 on amd64 resulted in an overall maximum memory
usage of 15GiB. This means we now lower the `KUBE_PARALLEL_BUILD_MEMORY`
to `20` to still have some room left.
The benchmark has been done with the following `Dockerfile`:
```dockerfile
FROM k8s.gcr.io/build-image/kube-cross:v1.16.0-1
RUN apt-get update && apt-get install -y time
WORKDIR /go/src/k8s.io/kubernetes
RUN git clone https://github.com/kubernetes/kubernetes
ENV KUBE_PARALLEL_BUILD_MEMORY=0
RUN /usr/bin/time -v make -C kubernetes cross-in-a-container
```
The value of interest from the output:
```
Maximum resident set size (kbytes): 1847108
```
The RSS is not the only value we have to consider. During the runtime I
measured the usage of the cached memory, which gets peaks up to 15GiB.
Test machine specs:
- CPU: 2 x Intel Scalable Gold 5120 28-Core Processor @ 2.2GHz
- RAM: 384GB
- Disk: 1 x 3.8TB NVME
- OS: Debian 10 (buster)
Signed-off-by: Sascha Grunert <sgrunert@redhat.com>
Since this invalid Semantic Version messages redirecting to stdout
will be captured by line 790 at hack/lib/golang.sh:
`goldflags="${GOLDFLAGS=-s -w -buildid=} $(kube::version::ldflags)"`
This happens when only no valid tag exists in repo
Currently target CC can only be set if the host platform
is linux/amd64 . If target is already set in the environment
it is always safe to use it and enable cgo.
Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
The amount of memory required to build binaries in parallel is right now
set to 40GiB. We now make this variable to be able to build artifacts in
parallel even with a lower amount of memory.
This enables SIG Release to speed-up the build time drastically in
Google Cloud Build (GCB).
Signed-off-by: Sascha Grunert <sgrunert@suse.com>
* switched one spot to use kube::logging
* make kube::util::find-binary return an error when it doesn't find
anything so that hack scripts fail fast instead of with '' binary not
found errors.
* this required deleting some genfeddoc stuff. the binary no longer
exists in k/k repo since we removed federation/, and I don't see it
in https://github.com/kubernetes-sigs/kubefed/ either. I'm assuming
that it's gone for good now.
If a bearer token is present in a request, the exec credential plugin should accept that as the chosen method of authentication. Judging by an [earlier comment in exec.go](c18bc7e9f7/staging/src/k8s.io/client-go/plugin/pkg/client/auth/exec/exec.go (L217)), this was already intended. This would however not work since UpdateTransportConfig would set the GetCert callback which would then get called by the transport, triggering the exec plugin action even with a token present in the request. See linked issue for further details.
See #87369 for further details.
Signed-off-by: Anders Eknert <anders.eknert@bisnode.com>
While the umask was previously set for builds (and in fact `docker run`
sets it to 0022 by default), the release pipeline `cp`'s files (with
`-a`) which respect the user's umask, and is outside of the build path.
This sets the umask in a common function called by all build tools,
which Stephen agreed was the simplest and most complete fix. The
`verify-prereqs` function is already poorly named for what it does, and
this only makes it epsilon worse.
Some binaries now run as non-root (kube-scheduler). When umask is 0027,
for example, the container image we build has the binary 0750, which is
not executable by the non-root UID.
We have been having issues with making builds reproducible, especially
with the `.note.go.buildid` ELF section. One tip from a golang issue was
to set `-ldflags=-buildid=` which seems to work well. You can confirm
that the buildid is set to empty by inspecting the binaries with the go
command example `go tool buildid _output/local/go/bin/kubectl`
Signed-off-by: Davanum Srinivas <davanum@gmail.com>
- On unstable arch like ARM, etcd needs the "ETCD_UNSUPPORTED_ARCH" to be set
`# etcd --version
etcd on unsupported platform without ETCD_UNSUPPORTED_ARCH=arm64 set`
- `tail -n +1 | head -n 1` is unnecessary, `head -n 1` is enough.
The image used by the Image Promoter (gcr.io/k8s-testimages/gcb-docker-gcloud:v20190906-745fed4)
is based on busybox, and thus, the sed binary is actually busybox. image-util.sh calls
kube::util::ensure-gnu-sed several times, which ensures that a GNU sed binary exists
(it checks by greping GNU in its --help output). Obviously, it won't match the busybox sed
binary. But the sed usage in image-util.sh is fairly simple, and the busybox sed is sufficient.
This was previously fixed in: #87188, but it was reverted by #87653 as it was failing
on Mac (sed does not exist). This commit fixes that issue as well.
