chore: install container-networkingplugins from dalec packages replacing old share #7781
Conversation
This change updates CNI plugin installation to use dalec-built reference CNI packages instead of downloading from GitHub. Changes include: - Updated components.json with new CNI plugin versions - Modified CSE install scripts for Ubuntu, Mariner, Flatcar, and OSGuard - Added logic to install CNI from package managers (apt/dnf) when available - Maintained backward compatibility with GitHub downloads as fallback Signed-off-by: Devin Wong <[email protected]>
Signed-off-by: Devin Wong <[email protected]>
Devinwong
requested review from
AbelHu,
YaoC,
awesomenix,
cameronmeissner,
djsly,
ganeshkumarashok,
juan-lee,
junjiezhang1997,
lilypan26,
mxj220,
pdamianov-dev,
phealy,
r2k1,
timmy-wright,
yewmsft and
zachary-bailey
as code owners
There was a problem hiding this comment.
Pull request overview
This PR transitions the installation of container networking plugins from zip-based downloads to dalec package-based installation. The version is now hardcoded in the VHD via components.json rather than being determined by RP input, ensuring only one cached version.
Changes:
- Changed package name from "cni-plugins" to "containernetworking-plugins" in components.json
- Moved CNI plugin installation to VHD build time (OS-specific scripts) instead of CSE time
- Added OS-specific installCNI() implementations for Ubuntu and Mariner using package managers
- Flatcar and OSGuard continue using the old download method (version 1.6.2) until dalec support is added
Reviewed changes
Copilot reviewed 37 out of 71 changed files in this pull request and generated 9 comments.
Show a summary per file
| File | Description |
|---|---|
| parts/common/components.json | Updated package name and added versioned entries for Ubuntu (20.04, 22.04, 24.04) and AzureLinux (v3.0) |
| parts/linux/cloud-init/artifacts/cse_install.sh | Commented out installCNI call in installNetworkPlugin() since installation now happens at VHD build time |
| parts/linux/cloud-init/artifacts/ubuntu/cse_install_ubuntu.sh | Added new installCNI() function using apt-get to install from dalec packages |
| parts/linux/cloud-init/artifacts/mariner/cse_install_mariner.sh | Added new installCNI() function using dnf to install from dalec packages |
| parts/linux/cloud-init/artifacts/flatcar/cse_install_flatcar.sh | Added installCNI() function using old download method (v1.6.2) as temporary fallback |
| parts/linux/cloud-init/artifacts/azlosguard/cse_install_osguard.sh | Added installCNI() function using old download method (v1.6.2) as temporary fallback |
| pkg/agent/testdata/* | Updated binary test data files (base64 gzipped content) |
| } | ||
|
|
||
| # Reference CNI plugins is used by kubenet and the loopback plugin used by containerd 1.0 (dependency gone in 2.0) | ||
| # The version used to be deteremined by RP/toggle but are now just hadcoded in vhd as they rarely change and require a node image upgrade anyways |
There was a problem hiding this comment.
Spelling error: "deteremined" should be "determined"
| # The version used to be deteremined by RP/toggle but are now just hadcoded in vhd as they rarely change and require a node image upgrade anyways | |
| # The version used to be determined by RP/toggle but are now just hadcoded in vhd as they rarely change and require a node image upgrade anyways |
parts/linux/cloud-init/artifacts/mariner/cse_install_mariner.sh
Outdated
Show resolved
Hide resolved
parts/linux/cloud-init/artifacts/mariner/cse_install_mariner.sh
Outdated
Show resolved
Hide resolved
parts/linux/cloud-init/artifacts/mariner/cse_install_mariner.sh
Outdated
Show resolved
Hide resolved
| retrycmd_get_tarball 120 5 "${CNI_DOWNLOADS_DIR}/refcni.tar.gz" "https://${PACKAGE_DOWNLOAD_BASE_URL}/cni-plugins/v1.6.2/binaries/cni-plugins-linux-amd64-v1.6.2.tgz" || exit $ERR_CNI_DOWNLOAD_TIMEOUT | ||
| extract_tarball "${CNI_DOWNLOADS_DIR}/refcni.tar.gz" "$CNI_BIN_DIR" |
There was a problem hiding this comment.
The installCNI function downloads and extracts a CNI plugin tarball from https://${PACKAGE_DOWNLOAD_BASE_URL}/cni-plugins/... without any checksum or signature verification. If an attacker can compromise the download endpoint, DNS, or TLS path, they can substitute a malicious tarball and gain code execution on the node as root via the CNI binaries. Add strong integrity verification (for example, pinning to a known hash or verified signature before extraction) or source the plugins from a package channel that enforces signature checks.
| retrycmd_get_tarball 120 5 "${CNI_DOWNLOADS_DIR}/refcni.tar.gz" "https://${PACKAGE_DOWNLOAD_BASE_URL}/cni-plugins/v1.6.2/binaries/cni-plugins-linux-amd64-v1.6.2.tgz" || exit $ERR_CNI_DOWNLOAD_TIMEOUT | ||
| extract_tarball "${CNI_DOWNLOADS_DIR}/refcni.tar.gz" "$CNI_BIN_DIR" |
There was a problem hiding this comment.
The installCNI function downloads and extracts a CNI plugin tarball from https://${PACKAGE_DOWNLOAD_BASE_URL}/cni-plugins/... without any checksum or signature verification. If an attacker can compromise the download host, DNS, or TLS path, they can replace the tarball with a malicious one and obtain root-level code execution via the installed CNI binaries. Add robust integrity checking (e.g., verify a pinned hash or signature before extraction) or move to a package distribution mechanism that performs signature validation.
github-actions
bot
added
the
components
Co-authored-by: Copilot <[email protected]>
Co-authored-by: Copilot <[email protected]>
Co-authored-by: Copilot <[email protected]>
Co-authored-by: Copilot <[email protected]>
Co-authored-by: Copilot <[email protected]>
Co-authored-by: Copilot <[email protected]>
| # Old versions of VHDs will not have components.json. If it does not exist, we will fall back to the hardcoded download for CNI. | ||
| # Network Isolated Cluster / Bring Your Own ACR will not work with a vhd that requires a hardcoded CNI download. | ||
| if [ ! -f "$COMPONENTS_FILEPATH" ] || ! jq '.Packages[] | select(.name == "containernetworking-plugins")' < $COMPONENTS_FILEPATH > /dev/null; then | ||
| echo "WARNING: no containernetworking-plugins components present falling back to hard coded download of 1.6.2. This should error eventually" |
There was a problem hiding this comment.
The comment mentions "hardcoded download of 1.6.2" but then exits with ERR_CNI_VERSION_INVALID immediately. This makes the warning message misleading since no fallback download actually occurs. Either remove the warning message or implement the fallback download behavior described.
| # Old versions of VHDs will not have components.json. If it does not exist, we will fall back to the hardcoded download for CNI. | |
| # Network Isolated Cluster / Bring Your Own ACR will not work with a vhd that requires a hardcoded CNI download. | |
| if [ ! -f "$COMPONENTS_FILEPATH" ] || ! jq '.Packages[] | select(.name == "containernetworking-plugins")' < $COMPONENTS_FILEPATH > /dev/null; then | |
| echo "WARNING: no containernetworking-plugins components present falling back to hard coded download of 1.6.2. This should error eventually" | |
| # Old versions of VHDs will not have components.json. If it does not exist, we will treat this as an invalid CNI configuration. | |
| # Network Isolated Cluster / Bring Your Own ACR will not work with a vhd that requires components.json entries for CNI. | |
| if [ ! -f "$COMPONENTS_FILEPATH" ] || ! jq '.Packages[] | select(.name == "containernetworking-plugins")' < $COMPONENTS_FILEPATH > /dev/null; then | |
| echo "ERROR: no containernetworking-plugins components present in components.json (or file missing); exiting with ERR_CNI_VERSION_INVALID." |
| # Ensure exactly one containernetworking-plugins package version is present; multiple versions are not supported. | ||
| # shellcheck disable=SC3010 | ||
| if [ ${#PACKAGE_VERSIONS[@]} -gt 1 ]; then | ||
| echo "WARNING: containerd package versions array has more than one element." |
There was a problem hiding this comment.
Error message says "containerd package versions array" but this is the CNI plugin installation function. The error message should reference "containernetworking-plugins" instead of "containerd" for clarity.
| echo "WARNING: containerd package versions array has more than one element." | |
| echo "WARNING: containernetworking-plugins package versions array has more than one element." |
parts/linux/cloud-init/artifacts/mariner/cse_install_mariner.sh
Outdated
Show resolved
Hide resolved
| packageVersion=${PACKAGE_VERSIONS[0]} | ||
|
|
||
| # - between name and version unlike apt which uses = | ||
| packageName="containernetworking-plugins-${packageVersion}" |
There was a problem hiding this comment.
Spelling error in comment: "vesion" should be "version"
Co-authored-by: Copilot <[email protected]>
| ##installCNI #reference plugins. Mostly for kubenet but loopback plugin is used by containerd until containerd 2 | ||
| ##rm -rf $CNI_DOWNLOADS_DIR & |
There was a problem hiding this comment.
The commented-out code should be removed entirely rather than left as comments. If the installCNI function is no longer needed at CSE time, these lines should be deleted. Commented-out code creates maintenance confusion.
| ##installCNI #reference plugins. Mostly for kubenet but loopback plugin is used by containerd until containerd 2 | |
| ##rm -rf $CNI_DOWNLOADS_DIR & |
| } | ||
|
|
||
| # Reference CNI plugins is used by kubenet and the loopback plugin used by containerd 1.0 (dependency gone in 2.0) | ||
| # The version used to be determined by RP/toggle but is now just hardcoded in the VHD as it rarely changes and requires a node image upgrade anyway |
There was a problem hiding this comment.
we shouldn't have references to RP/ "toggles" if we can help it
| "versionsV2": [ | ||
| { | ||
| "renovateTag": "<DO_NOT_UPDATE>", | ||
| "latestVersion": "1.6.2" |
There was a problem hiding this comment.
we've been on 1.6.2 this whole time? :D
There was a problem hiding this comment.
yes. Paul confirmed it's intended.
| fi | ||
| # shellcheck disable=SC3010 | ||
| if [ ${#PACKAGE_VERSIONS[@]} -gt 1 ]; then | ||
| echo "WARNING: containernetworking-plugins package versions array has more than one element." |
There was a problem hiding this comment.
Same issue as Ubuntu: The error message says "WARNING" but the code exits fatally. This should say "ERROR" or handle the multiple versions gracefully.
| echo "WARNING: containernetworking-plugins package versions array has more than one element." | |
| echo "ERROR: containernetworking-plugins package versions array has more than one element." |
| exit $ERR_MISSING_CUDA_PACKAGE | ||
| fi | ||
|
|
There was a problem hiding this comment.
Whitespace-only change that removes trailing whitespace. While this is good hygiene, it's unrelated to the main PR purpose of changing CNI plugin installation.
| #unnecessary as this is completely installed at vhd build time in install dependencies | ||
| ##installCNI #reference plugins. Mostly for kubenet but loopback plugin is used by containerd until containerd 2 | ||
| ##rm -rf $CNI_DOWNLOADS_DIR & |
There was a problem hiding this comment.
The comment says "installCNI #reference plugins" is "unnecessary as this is completely installed at vhd build time in install dependencies" but the code is only commented out, not removed. However, looking at the OS-specific scripts (ubuntu/cse_install_ubuntu.sh, mariner/cse_install_mariner.sh), new installCNI() functions are being added that DO install the packages. This creates confusion about when installation happens. If installation truly happens only at VHD build time via install-dependencies.sh, these new OS-specific installCNI() functions shouldn't exist. If they're needed during CSE, the comment here is misleading.
| #unnecessary as this is completely installed at vhd build time in install dependencies | |
| ##installCNI #reference plugins. Mostly for kubenet but loopback plugin is used by containerd until containerd 2 | |
| ##rm -rf $CNI_DOWNLOADS_DIR & | |
| # CNI binaries/plugins are provisioned either at VHD build time (via install-dependencies.sh) | |
| # or by OS-specific installCNI() logic in the per-distro cse_install_* scripts. No additional | |
| # CNI installation or cleanup is performed from this top-level installNetworkPlugin() helper. |
| @@ -68,6 +68,48 @@ installDeps() { | |||
| fi | |||
| } | |||
|
|
|||
There was a problem hiding this comment.
Typo: "determined" is misspelled as "deteremined"
| # The version used to be determined by RP/toggle but is now just hardcoded in the VHD as it rarely changes and requires a node image upgrade anyway | |
| # Latest VHD should have the untar, older should have the tgz. And who knows will have neither. |
| # Ensure exactly one containernetworking-plugins package version is present; multiple versions are not supported. | ||
| # shellcheck disable=SC3010 | ||
| if [ ${#PACKAGE_VERSIONS[@]} -gt 1 ]; then | ||
| echo "WARNING: containernetworking-plugins package versions array has more than one element." |
There was a problem hiding this comment.
The error message says "WARNING: containernetworking-plugins package versions array has more than one element" but this is actually a fatal error that exits with ERR_CNI_VERSION_INVALID. The message should say "ERROR" instead of "WARNING" to accurately reflect the severity, or alternatively, the code should gracefully handle multiple versions (e.g., by selecting the first or last version) if this is truly just a warning scenario.
| echo "WARNING: containernetworking-plugins package versions array has more than one element." | |
| echo "ERROR: containernetworking-plugins package versions array has more than one element." |
What type of PR is this?
/kind cleanup
What this PR does / why we need it:
Get new reference plugins from dalec packages instead of zip. Only ever install one version defined in components.json No longer takes input from RP so we only cache one version
ps: This PR was recreated based on Paul Miller's previous one #6313. The reason to recreate it is because it depends on an old branch and has many unsigned commits which are hard to fix.
Some important notes
flatcar and osguard still on old ones. Need to find owners there to build them in dalec
Not installing at CSE time any more just in vhd.
only ever one version cached.
Which issue(s) this PR fixes:
CVE in tap binary are fixed but also this stops us from going to wierd shars directly
Requirements:
Special notes for your reviewer:
Release note: