Merge pull request #13244 from hakman/automated-cherry-pick-of-#13240-upstream-release-1.23

Automated cherry pick of #13240: Install runc from opencontainers/runc
2022-02-13 03:05:48 -08:00 · 2022-02-13 03:05:48 -08:00 · 48d539e2f6
parent 5214407a0f 0ec5971bd1
commit 48d539e2f6
23 changed files with 274 additions and 13 deletions
--- a/nodeup/pkg/model/containerd.go
+++ b/nodeup/pkg/model/containerd.go
@ -106,9 +106,12 @@ func (b *ContainerdBuilder) installContainerd(c *fi.ModelBuilderContext) error {

 	// Add binaries from assets
 	if b.Cluster.Spec.ContainerRuntime == "containerd" {
-		f := b.Assets.FindMatches(regexp.MustCompile(`^(\./)?usr/local/(bin/containerd|bin/crictl|bin/ctr|sbin/runc)`))
+		// Add containerd binaries from containerd package
+		f := b.Assets.FindMatches(regexp.MustCompile(`^(\./)?usr/local/bin/(containerd|crictl|ctr)`))
 		if len(f) == 0 {
-			f = b.Assets.FindMatches(regexp.MustCompile(`^docker/(containerd|ctr|runc)`))
+			// Add containerd binaries from Docker package (for ARM64 builds < v1.6.0)
+			// https://github.com/containerd/containerd/pull/6196
+			f = b.Assets.FindMatches(regexp.MustCompile(`^docker/(containerd|ctr)`))
 		}
 		if len(f) == 0 {
 			return fmt.Errorf("unable to find any containerd binaries in assets")
@ -123,6 +126,31 @@ func (b *ContainerdBuilder) installContainerd(c *fi.ModelBuilderContext) error {
 			c.AddTask(fileTask)
 		}

+		// Add runc binary from https://github.com/opencontainers/runc
+		// https://github.com/containerd/containerd/issues/6541
+		f = b.Assets.FindMatches(regexp.MustCompile(`/runc\.(amd64|arm64)$`))
+		if len(f) == 0 {
+			// Add runc binary from containerd package (for builds < v1.6.0)
+			f = b.Assets.FindMatches(regexp.MustCompile(`^(\./)?usr/local/sbin/runc$`))
+		}
+		if len(f) == 0 {
+			// Add runc binary from Docker package (for ARM64 builds < v1.6.0)
+			// https://github.com/containerd/containerd/pull/6196
+			f = b.Assets.FindMatches(regexp.MustCompile(`^docker/runc$`))
+		}
+		if len(f) != 1 {
+			return fmt.Errorf("error finding runc asset")
+		}
+		for _, v := range f {
+			fileTask := &nodetasks.File{
+				Path:     "/usr/bin/runc",
+				Contents: v,
+				Type:     nodetasks.FileType_File,
+				Mode:     fi.String("0755"),
+			}
+			c.AddTask(fileTask)
+		}
+
 		// Add configuration file for easier use of crictl
 		b.addCrictlConfig(c)
 	}
--- a/nodeup/pkg/model/containerd_test.go
+++ b/nodeup/pkg/model/containerd_test.go
@ -162,6 +162,7 @@ func runContainerdBuilderTest(t *testing.T, key string, distro distributions.Dis
 	nodeUpModelContext.Assets.AddForTest("critest", "usr/local/bin/critest", "testing containerd content")
 	nodeUpModelContext.Assets.AddForTest("ctr", "usr/local/bin/ctr", "testing containerd content")
 	nodeUpModelContext.Assets.AddForTest("runc", "usr/local/sbin/runc", "testing containerd content")
+	nodeUpModelContext.Assets.AddForTest("runc.amd64", "https://github.com/opencontainers/runc/releases/download/v1.1.0/runc.amd64", "testing runc content")

 	if err := nodeUpModelContext.Init(); err != nil {
 		t.Fatalf("error from nodeupModelContext.Init(): %v", err)
--- a/nodeup/pkg/model/tests/containerdbuilder/simple/tasks.yaml
+++ b/nodeup/pkg/model/tests/containerdbuilder/simple/tasks.yaml
@ -115,8 +115,8 @@ type: file
 ---
 contents:
  Asset:
-    AssetPath: usr/local/sbin/runc
-    Key: runc
+    AssetPath: https://github.com/opencontainers/runc/releases/download/v1.1.0/runc.amd64
+    Key: runc.amd64
 mode: "0755"
 path: /usr/bin/runc
 type: file
--- a/tests/integration/update_cluster/many-addons-ccm-irsa23/data/aws_launch_template_master-us-test-1a.masters.minimal.example.com_user_data
+++ b/tests/integration/update_cluster/many-addons-ccm-irsa23/data/aws_launch_template_master-us-test-1a.masters.minimal.example.com_user_data
@ -261,7 +261,7 @@ CloudProvider: aws
 ConfigBase: memfs://clusters.example.com/minimal.example.com
 InstanceGroupName: master-us-test-1a
 InstanceGroupRole: Master
-NodeupConfigHash: fFeMP5JIrK3qetB2vAHSq3++zGw3qwu9FnhaLhp6V2g=
+NodeupConfigHash: jFiN4zHvDJVVfGP4JlYSxpbxyXRQ/wblkvP0hw7zwLE=

 __EOF_KUBE_ENV

--- a/tests/integration/update_cluster/many-addons-ccm-irsa23/data/aws_s3_bucket_object_nodeupconfig-master-us-test-1a_content
+++ b/tests/integration/update_cluster/many-addons-ccm-irsa23/data/aws_s3_bucket_object_nodeupconfig-master-us-test-1a_content
@ -59,6 +59,7 @@ Assets:
  - 2d0f5ba6faa787878b642c151ccb2c3390ce4c1e6c8e2b59568b3869ba407c4f@https://storage.googleapis.com/kubernetes-release/release/v1.23.0/bin/linux/amd64/kubectl
  - 962100bbc4baeaaa5748cdbfce941f756b1531c2eadb290129401498bfac21e7@https://storage.googleapis.com/k8s-artifacts-cni/release/v0.9.1/cni-plugins-linux-amd64-v0.9.1.tgz
  - ead57ce46ebb92979dfdb35c1a9eac70a3a68086508da693ce75c7d8b7b2e790@https://github.com/containerd/containerd/releases/download/v1.6.0-rc.3/cri-containerd-cni-1.6.0-rc.3-linux-amd64.tar.gz
+  - ab1c67fbcbdddbe481e48a55cf0ef9a86b38b166b5079e0010737fd87d7454bb@https://github.com/opencontainers/runc/releases/download/v1.1.0/runc.amd64
  - f90ed6dcef534e6d1ae17907dc7eb40614b8945ad4af7f0e98d2be7cde8165c6@https://artifacts.k8s.io/binaries/kops/1.21.0-alpha.1/linux/amd64/protokube,https://github.com/kubernetes/kops/releases/download/v1.21.0-alpha.1/protokube-linux-amd64
  - 9992e7eb2a2e93f799e5a9e98eb718637433524bc65f630357201a79f49b13d0@https://artifacts.k8s.io/binaries/kops/1.21.0-alpha.1/linux/amd64/channels,https://github.com/kubernetes/kops/releases/download/v1.21.0-alpha.1/channels-linux-amd64
  arm64:
@ -66,6 +67,7 @@ Assets:
  - 1d77d6027fc8dfed772609ad9bd68f611b7e4ce73afa949f27084ad3a92b15fe@https://storage.googleapis.com/kubernetes-release/release/v1.23.0/bin/linux/arm64/kubectl
  - ef17764ffd6cdcb16d76401bac1db6acc050c9b088f1be5efa0e094ea3b01df0@https://storage.googleapis.com/k8s-artifacts-cni/release/v0.9.1/cni-plugins-linux-arm64-v0.9.1.tgz
  - 09fdff397546466f3ee76535aad5236192700f65727cd3068193ae204cd8fda9@https://github.com/containerd/containerd/releases/download/v1.6.0-rc.3/cri-containerd-cni-1.6.0-rc.3-linux-arm64.tar.gz
+  - 9ec8e68feabc4e7083a4cfa45ebe4d529467391e0b03ee7de7ddda5770b05e68@https://github.com/opencontainers/runc/releases/download/v1.1.0/runc.arm64
  - 2f599c3d54f4c4bdbcc95aaf0c7b513a845d8f9503ec5b34c9f86aa1bc34fc0c@https://artifacts.k8s.io/binaries/kops/1.21.0-alpha.1/linux/arm64/protokube,https://github.com/kubernetes/kops/releases/download/v1.21.0-alpha.1/protokube-linux-arm64
  - 9d842e3636a95de2315cdea2be7a282355aac0658ef0b86d5dc2449066538f13@https://artifacts.k8s.io/binaries/kops/1.21.0-alpha.1/linux/arm64/channels,https://github.com/kubernetes/kops/releases/download/v1.21.0-alpha.1/channels-linux-arm64
 CAs:
--- a/tests/integration/update_cluster/many-addons-ccm-irsa23/data/aws_s3_bucket_object_nodeupconfig-nodes_content
+++ b/tests/integration/update_cluster/many-addons-ccm-irsa23/data/aws_s3_bucket_object_nodeupconfig-nodes_content
@ -4,11 +4,13 @@ Assets:
  - 2d0f5ba6faa787878b642c151ccb2c3390ce4c1e6c8e2b59568b3869ba407c4f@https://storage.googleapis.com/kubernetes-release/release/v1.23.0/bin/linux/amd64/kubectl
  - 962100bbc4baeaaa5748cdbfce941f756b1531c2eadb290129401498bfac21e7@https://storage.googleapis.com/k8s-artifacts-cni/release/v0.9.1/cni-plugins-linux-amd64-v0.9.1.tgz
  - ead57ce46ebb92979dfdb35c1a9eac70a3a68086508da693ce75c7d8b7b2e790@https://github.com/containerd/containerd/releases/download/v1.6.0-rc.3/cri-containerd-cni-1.6.0-rc.3-linux-amd64.tar.gz
+  - ab1c67fbcbdddbe481e48a55cf0ef9a86b38b166b5079e0010737fd87d7454bb@https://github.com/opencontainers/runc/releases/download/v1.1.0/runc.amd64
  arm64:
  - a546fb7ccce69c4163e4a0b19a31f30ea039b4e4560c23fd6e3016e2b2dfd0d9@https://storage.googleapis.com/kubernetes-release/release/v1.23.0/bin/linux/arm64/kubelet
  - 1d77d6027fc8dfed772609ad9bd68f611b7e4ce73afa949f27084ad3a92b15fe@https://storage.googleapis.com/kubernetes-release/release/v1.23.0/bin/linux/arm64/kubectl
  - ef17764ffd6cdcb16d76401bac1db6acc050c9b088f1be5efa0e094ea3b01df0@https://storage.googleapis.com/k8s-artifacts-cni/release/v0.9.1/cni-plugins-linux-arm64-v0.9.1.tgz
  - 09fdff397546466f3ee76535aad5236192700f65727cd3068193ae204cd8fda9@https://github.com/containerd/containerd/releases/download/v1.6.0-rc.3/cri-containerd-cni-1.6.0-rc.3-linux-arm64.tar.gz
+  - 9ec8e68feabc4e7083a4cfa45ebe4d529467391e0b03ee7de7ddda5770b05e68@https://github.com/opencontainers/runc/releases/download/v1.1.0/runc.arm64
 CAs:
  kubernetes-ca: |
    -----BEGIN CERTIFICATE-----
--- a/tests/integration/update_cluster/minimal-1.23/data/aws_launch_template_master-us-test-1a.masters.minimal.example.com_user_data
+++ b/tests/integration/update_cluster/minimal-1.23/data/aws_launch_template_master-us-test-1a.masters.minimal.example.com_user_data
@ -269,7 +269,7 @@ CloudProvider: aws
 ConfigBase: memfs://tests/minimal.example.com
 InstanceGroupName: master-us-test-1a
 InstanceGroupRole: Master
-NodeupConfigHash: C1z4iXH/CHiuAY5SvilUFE2lPzN5p6PHtSLxuulQTGA=
+NodeupConfigHash: p1pC4k8WMvFCnHQ5jGiG2/6l3iq4jerMFdlWo87xIoo=

 __EOF_KUBE_ENV

--- a/tests/integration/update_cluster/minimal-1.23/data/aws_launch_template_nodes.minimal.example.com_user_data
+++ b/tests/integration/update_cluster/minimal-1.23/data/aws_launch_template_nodes.minimal.example.com_user_data
@ -168,7 +168,7 @@ CloudProvider: aws
 ConfigBase: memfs://tests/minimal.example.com
 InstanceGroupName: nodes
 InstanceGroupRole: Node
-NodeupConfigHash: q0NRuaSMwed2XXWNb3/XApTi0I9KmedDde2qJcVzdOk=
+NodeupConfigHash: vFW0sgIK2CFJYVLlWYYd4+mfOwCgDTEwjxbkwrc4AEU=

 __EOF_KUBE_ENV

--- a/tests/integration/update_cluster/minimal-1.23/data/aws_s3_bucket_object_nodeupconfig-master-us-test-1a_content
+++ b/tests/integration/update_cluster/minimal-1.23/data/aws_s3_bucket_object_nodeupconfig-master-us-test-1a_content
@ -59,6 +59,7 @@ Assets:
  - 2d0f5ba6faa787878b642c151ccb2c3390ce4c1e6c8e2b59568b3869ba407c4f@https://storage.googleapis.com/kubernetes-release/release/v1.23.0/bin/linux/amd64/kubectl
  - 962100bbc4baeaaa5748cdbfce941f756b1531c2eadb290129401498bfac21e7@https://storage.googleapis.com/k8s-artifacts-cni/release/v0.9.1/cni-plugins-linux-amd64-v0.9.1.tgz
  - ead57ce46ebb92979dfdb35c1a9eac70a3a68086508da693ce75c7d8b7b2e790@https://github.com/containerd/containerd/releases/download/v1.6.0-rc.3/cri-containerd-cni-1.6.0-rc.3-linux-amd64.tar.gz
+  - ab1c67fbcbdddbe481e48a55cf0ef9a86b38b166b5079e0010737fd87d7454bb@https://github.com/opencontainers/runc/releases/download/v1.1.0/runc.amd64
  - f90ed6dcef534e6d1ae17907dc7eb40614b8945ad4af7f0e98d2be7cde8165c6@https://artifacts.k8s.io/binaries/kops/1.21.0-alpha.1/linux/amd64/protokube,https://github.com/kubernetes/kops/releases/download/v1.21.0-alpha.1/protokube-linux-amd64
  - 9992e7eb2a2e93f799e5a9e98eb718637433524bc65f630357201a79f49b13d0@https://artifacts.k8s.io/binaries/kops/1.21.0-alpha.1/linux/amd64/channels,https://github.com/kubernetes/kops/releases/download/v1.21.0-alpha.1/channels-linux-amd64
  arm64:
@ -66,6 +67,7 @@ Assets:
  - 1d77d6027fc8dfed772609ad9bd68f611b7e4ce73afa949f27084ad3a92b15fe@https://storage.googleapis.com/kubernetes-release/release/v1.23.0/bin/linux/arm64/kubectl
  - ef17764ffd6cdcb16d76401bac1db6acc050c9b088f1be5efa0e094ea3b01df0@https://storage.googleapis.com/k8s-artifacts-cni/release/v0.9.1/cni-plugins-linux-arm64-v0.9.1.tgz
  - 09fdff397546466f3ee76535aad5236192700f65727cd3068193ae204cd8fda9@https://github.com/containerd/containerd/releases/download/v1.6.0-rc.3/cri-containerd-cni-1.6.0-rc.3-linux-arm64.tar.gz
+  - 9ec8e68feabc4e7083a4cfa45ebe4d529467391e0b03ee7de7ddda5770b05e68@https://github.com/opencontainers/runc/releases/download/v1.1.0/runc.arm64
  - 2f599c3d54f4c4bdbcc95aaf0c7b513a845d8f9503ec5b34c9f86aa1bc34fc0c@https://artifacts.k8s.io/binaries/kops/1.21.0-alpha.1/linux/arm64/protokube,https://github.com/kubernetes/kops/releases/download/v1.21.0-alpha.1/protokube-linux-arm64
  - 9d842e3636a95de2315cdea2be7a282355aac0658ef0b86d5dc2449066538f13@https://artifacts.k8s.io/binaries/kops/1.21.0-alpha.1/linux/arm64/channels,https://github.com/kubernetes/kops/releases/download/v1.21.0-alpha.1/channels-linux-arm64
 CAs:
--- a/tests/integration/update_cluster/minimal-1.23/data/aws_s3_bucket_object_nodeupconfig-nodes_content
+++ b/tests/integration/update_cluster/minimal-1.23/data/aws_s3_bucket_object_nodeupconfig-nodes_content
@ -4,11 +4,13 @@ Assets:
  - 2d0f5ba6faa787878b642c151ccb2c3390ce4c1e6c8e2b59568b3869ba407c4f@https://storage.googleapis.com/kubernetes-release/release/v1.23.0/bin/linux/amd64/kubectl
  - 962100bbc4baeaaa5748cdbfce941f756b1531c2eadb290129401498bfac21e7@https://storage.googleapis.com/k8s-artifacts-cni/release/v0.9.1/cni-plugins-linux-amd64-v0.9.1.tgz
  - ead57ce46ebb92979dfdb35c1a9eac70a3a68086508da693ce75c7d8b7b2e790@https://github.com/containerd/containerd/releases/download/v1.6.0-rc.3/cri-containerd-cni-1.6.0-rc.3-linux-amd64.tar.gz
+  - ab1c67fbcbdddbe481e48a55cf0ef9a86b38b166b5079e0010737fd87d7454bb@https://github.com/opencontainers/runc/releases/download/v1.1.0/runc.amd64
  arm64:
  - a546fb7ccce69c4163e4a0b19a31f30ea039b4e4560c23fd6e3016e2b2dfd0d9@https://storage.googleapis.com/kubernetes-release/release/v1.23.0/bin/linux/arm64/kubelet
  - 1d77d6027fc8dfed772609ad9bd68f611b7e4ce73afa949f27084ad3a92b15fe@https://storage.googleapis.com/kubernetes-release/release/v1.23.0/bin/linux/arm64/kubectl
  - ef17764ffd6cdcb16d76401bac1db6acc050c9b088f1be5efa0e094ea3b01df0@https://storage.googleapis.com/k8s-artifacts-cni/release/v0.9.1/cni-plugins-linux-arm64-v0.9.1.tgz
  - 09fdff397546466f3ee76535aad5236192700f65727cd3068193ae204cd8fda9@https://github.com/containerd/containerd/releases/download/v1.6.0-rc.3/cri-containerd-cni-1.6.0-rc.3-linux-arm64.tar.gz
+  - 9ec8e68feabc4e7083a4cfa45ebe4d529467391e0b03ee7de7ddda5770b05e68@https://github.com/opencontainers/runc/releases/download/v1.1.0/runc.arm64
 CAs:
  kubernetes-ca: |
    -----BEGIN CERTIFICATE-----
--- a/tests/integration/update_cluster/minimal-1.24/data/aws_launch_template_master-us-test-1a.masters.minimal.example.com_user_data
+++ b/tests/integration/update_cluster/minimal-1.24/data/aws_launch_template_master-us-test-1a.masters.minimal.example.com_user_data
@ -265,7 +265,7 @@ CloudProvider: aws
 ConfigBase: memfs://tests/minimal.example.com
 InstanceGroupName: master-us-test-1a
 InstanceGroupRole: Master
-NodeupConfigHash: jF4WNBDFH3LgC9n+hTv8Wl16Pi9GrhG84864dSFICjU=
+NodeupConfigHash: mZ7xZC9B41kOW3PsK5tY+L7Z+ko3CvTBXTMef1uu8sE=

 __EOF_KUBE_ENV

--- a/tests/integration/update_cluster/minimal-1.24/data/aws_launch_template_nodes.minimal.example.com_user_data
+++ b/tests/integration/update_cluster/minimal-1.24/data/aws_launch_template_nodes.minimal.example.com_user_data
@ -166,7 +166,7 @@ CloudProvider: aws
 ConfigBase: memfs://tests/minimal.example.com
 InstanceGroupName: nodes
 InstanceGroupRole: Node
-NodeupConfigHash: eDA0J+FYLsmvodng9/dWtd26yOpwkwM8hP3ffYMqjko=
+NodeupConfigHash: Kv2Ya62emhcl1YzpYi+KXjCAjMJuegoD8EXuT/PeaEQ=

 __EOF_KUBE_ENV

--- a/tests/integration/update_cluster/minimal-1.24/data/aws_s3_bucket_object_nodeupconfig-master-us-test-1a_content
+++ b/tests/integration/update_cluster/minimal-1.24/data/aws_s3_bucket_object_nodeupconfig-master-us-test-1a_content
@ -59,6 +59,7 @@ Assets:
  - d36c259706f15424c3b6afef38e724333fca0f1f5c44fcba5263a3b8da133ffd@https://storage.googleapis.com/kubernetes-release/release/v1.24.0-alpha.1/bin/linux/amd64/kubectl
  - 962100bbc4baeaaa5748cdbfce941f756b1531c2eadb290129401498bfac21e7@https://storage.googleapis.com/k8s-artifacts-cni/release/v0.9.1/cni-plugins-linux-amd64-v0.9.1.tgz
  - ead57ce46ebb92979dfdb35c1a9eac70a3a68086508da693ce75c7d8b7b2e790@https://github.com/containerd/containerd/releases/download/v1.6.0-rc.3/cri-containerd-cni-1.6.0-rc.3-linux-amd64.tar.gz
+  - ab1c67fbcbdddbe481e48a55cf0ef9a86b38b166b5079e0010737fd87d7454bb@https://github.com/opencontainers/runc/releases/download/v1.1.0/runc.amd64
  - f90ed6dcef534e6d1ae17907dc7eb40614b8945ad4af7f0e98d2be7cde8165c6@https://artifacts.k8s.io/binaries/kops/1.21.0-alpha.1/linux/amd64/protokube,https://github.com/kubernetes/kops/releases/download/v1.21.0-alpha.1/protokube-linux-amd64
  - 9992e7eb2a2e93f799e5a9e98eb718637433524bc65f630357201a79f49b13d0@https://artifacts.k8s.io/binaries/kops/1.21.0-alpha.1/linux/amd64/channels,https://github.com/kubernetes/kops/releases/download/v1.21.0-alpha.1/channels-linux-amd64
  arm64:
@ -66,6 +67,7 @@ Assets:
  - d57a24ecd03e56c13791549186669c5fc60e3e13faa3c08b7a12a02f42d9c646@https://storage.googleapis.com/kubernetes-release/release/v1.24.0-alpha.1/bin/linux/arm64/kubectl
  - ef17764ffd6cdcb16d76401bac1db6acc050c9b088f1be5efa0e094ea3b01df0@https://storage.googleapis.com/k8s-artifacts-cni/release/v0.9.1/cni-plugins-linux-arm64-v0.9.1.tgz
  - 09fdff397546466f3ee76535aad5236192700f65727cd3068193ae204cd8fda9@https://github.com/containerd/containerd/releases/download/v1.6.0-rc.3/cri-containerd-cni-1.6.0-rc.3-linux-arm64.tar.gz
+  - 9ec8e68feabc4e7083a4cfa45ebe4d529467391e0b03ee7de7ddda5770b05e68@https://github.com/opencontainers/runc/releases/download/v1.1.0/runc.arm64
  - 2f599c3d54f4c4bdbcc95aaf0c7b513a845d8f9503ec5b34c9f86aa1bc34fc0c@https://artifacts.k8s.io/binaries/kops/1.21.0-alpha.1/linux/arm64/protokube,https://github.com/kubernetes/kops/releases/download/v1.21.0-alpha.1/protokube-linux-arm64
  - 9d842e3636a95de2315cdea2be7a282355aac0658ef0b86d5dc2449066538f13@https://artifacts.k8s.io/binaries/kops/1.21.0-alpha.1/linux/arm64/channels,https://github.com/kubernetes/kops/releases/download/v1.21.0-alpha.1/channels-linux-arm64
 CAs:
--- a/tests/integration/update_cluster/minimal-1.24/data/aws_s3_bucket_object_nodeupconfig-nodes_content
+++ b/tests/integration/update_cluster/minimal-1.24/data/aws_s3_bucket_object_nodeupconfig-nodes_content
@ -4,11 +4,13 @@ Assets:
  - d36c259706f15424c3b6afef38e724333fca0f1f5c44fcba5263a3b8da133ffd@https://storage.googleapis.com/kubernetes-release/release/v1.24.0-alpha.1/bin/linux/amd64/kubectl
  - 962100bbc4baeaaa5748cdbfce941f756b1531c2eadb290129401498bfac21e7@https://storage.googleapis.com/k8s-artifacts-cni/release/v0.9.1/cni-plugins-linux-amd64-v0.9.1.tgz
  - ead57ce46ebb92979dfdb35c1a9eac70a3a68086508da693ce75c7d8b7b2e790@https://github.com/containerd/containerd/releases/download/v1.6.0-rc.3/cri-containerd-cni-1.6.0-rc.3-linux-amd64.tar.gz
+  - ab1c67fbcbdddbe481e48a55cf0ef9a86b38b166b5079e0010737fd87d7454bb@https://github.com/opencontainers/runc/releases/download/v1.1.0/runc.amd64
  arm64:
  - c0e578be05655e0ecb364fea3834809d9b940c9bcd6b6f99b319beed002cb4b2@https://storage.googleapis.com/kubernetes-release/release/v1.24.0-alpha.1/bin/linux/arm64/kubelet
  - d57a24ecd03e56c13791549186669c5fc60e3e13faa3c08b7a12a02f42d9c646@https://storage.googleapis.com/kubernetes-release/release/v1.24.0-alpha.1/bin/linux/arm64/kubectl
  - ef17764ffd6cdcb16d76401bac1db6acc050c9b088f1be5efa0e094ea3b01df0@https://storage.googleapis.com/k8s-artifacts-cni/release/v0.9.1/cni-plugins-linux-arm64-v0.9.1.tgz
  - 09fdff397546466f3ee76535aad5236192700f65727cd3068193ae204cd8fda9@https://github.com/containerd/containerd/releases/download/v1.6.0-rc.3/cri-containerd-cni-1.6.0-rc.3-linux-arm64.tar.gz
+  - 9ec8e68feabc4e7083a4cfa45ebe4d529467391e0b03ee7de7ddda5770b05e68@https://github.com/opencontainers/runc/releases/download/v1.1.0/runc.arm64
 CAs:
  kubernetes-ca: |
    -----BEGIN CERTIFICATE-----
--- a/tests/integration/update_cluster/minimal_gce/data/aws_s3_bucket_object_nodeupconfig-master-us-test1-a_content
+++ b/tests/integration/update_cluster/minimal_gce/data/aws_s3_bucket_object_nodeupconfig-master-us-test1-a_content
@ -57,6 +57,7 @@ Assets:
  - ab63ef67b254a2eae51782106593c266e0b054ac2248e2cb913f6d165afae83c@https://storage.googleapis.com/kubernetes-release/release/v1.23.0/bin/linux/amd64/mounter
  - 962100bbc4baeaaa5748cdbfce941f756b1531c2eadb290129401498bfac21e7@https://storage.googleapis.com/k8s-artifacts-cni/release/v0.9.1/cni-plugins-linux-amd64-v0.9.1.tgz
  - ead57ce46ebb92979dfdb35c1a9eac70a3a68086508da693ce75c7d8b7b2e790@https://github.com/containerd/containerd/releases/download/v1.6.0-rc.3/cri-containerd-cni-1.6.0-rc.3-linux-amd64.tar.gz
+  - ab1c67fbcbdddbe481e48a55cf0ef9a86b38b166b5079e0010737fd87d7454bb@https://github.com/opencontainers/runc/releases/download/v1.1.0/runc.amd64
  - f90ed6dcef534e6d1ae17907dc7eb40614b8945ad4af7f0e98d2be7cde8165c6@https://artifacts.k8s.io/binaries/kops/1.21.0-alpha.1/linux/amd64/protokube,https://github.com/kubernetes/kops/releases/download/v1.21.0-alpha.1/protokube-linux-amd64
  - 9992e7eb2a2e93f799e5a9e98eb718637433524bc65f630357201a79f49b13d0@https://artifacts.k8s.io/binaries/kops/1.21.0-alpha.1/linux/amd64/channels,https://github.com/kubernetes/kops/releases/download/v1.21.0-alpha.1/channels-linux-amd64
  arm64:
@ -65,6 +66,7 @@ Assets:
  - 6ef5620ad47035a168bf28335aa39a09f246e17f5d6e42f0d8daba7d90fc4e9f@https://storage.googleapis.com/kubernetes-release/release/v1.23.0/bin/linux/arm64/mounter
  - ef17764ffd6cdcb16d76401bac1db6acc050c9b088f1be5efa0e094ea3b01df0@https://storage.googleapis.com/k8s-artifacts-cni/release/v0.9.1/cni-plugins-linux-arm64-v0.9.1.tgz
  - 09fdff397546466f3ee76535aad5236192700f65727cd3068193ae204cd8fda9@https://github.com/containerd/containerd/releases/download/v1.6.0-rc.3/cri-containerd-cni-1.6.0-rc.3-linux-arm64.tar.gz
+  - 9ec8e68feabc4e7083a4cfa45ebe4d529467391e0b03ee7de7ddda5770b05e68@https://github.com/opencontainers/runc/releases/download/v1.1.0/runc.arm64
  - 2f599c3d54f4c4bdbcc95aaf0c7b513a845d8f9503ec5b34c9f86aa1bc34fc0c@https://artifacts.k8s.io/binaries/kops/1.21.0-alpha.1/linux/arm64/protokube,https://github.com/kubernetes/kops/releases/download/v1.21.0-alpha.1/protokube-linux-arm64
  - 9d842e3636a95de2315cdea2be7a282355aac0658ef0b86d5dc2449066538f13@https://artifacts.k8s.io/binaries/kops/1.21.0-alpha.1/linux/arm64/channels,https://github.com/kubernetes/kops/releases/download/v1.21.0-alpha.1/channels-linux-arm64
 CAs:
--- a/tests/integration/update_cluster/minimal_gce/data/aws_s3_bucket_object_nodeupconfig-nodes_content
+++ b/tests/integration/update_cluster/minimal_gce/data/aws_s3_bucket_object_nodeupconfig-nodes_content
@ -5,12 +5,14 @@ Assets:
  - ab63ef67b254a2eae51782106593c266e0b054ac2248e2cb913f6d165afae83c@https://storage.googleapis.com/kubernetes-release/release/v1.23.0/bin/linux/amd64/mounter
  - 962100bbc4baeaaa5748cdbfce941f756b1531c2eadb290129401498bfac21e7@https://storage.googleapis.com/k8s-artifacts-cni/release/v0.9.1/cni-plugins-linux-amd64-v0.9.1.tgz
  - ead57ce46ebb92979dfdb35c1a9eac70a3a68086508da693ce75c7d8b7b2e790@https://github.com/containerd/containerd/releases/download/v1.6.0-rc.3/cri-containerd-cni-1.6.0-rc.3-linux-amd64.tar.gz
+  - ab1c67fbcbdddbe481e48a55cf0ef9a86b38b166b5079e0010737fd87d7454bb@https://github.com/opencontainers/runc/releases/download/v1.1.0/runc.amd64
  arm64:
  - a546fb7ccce69c4163e4a0b19a31f30ea039b4e4560c23fd6e3016e2b2dfd0d9@https://storage.googleapis.com/kubernetes-release/release/v1.23.0/bin/linux/arm64/kubelet
  - 1d77d6027fc8dfed772609ad9bd68f611b7e4ce73afa949f27084ad3a92b15fe@https://storage.googleapis.com/kubernetes-release/release/v1.23.0/bin/linux/arm64/kubectl
  - 6ef5620ad47035a168bf28335aa39a09f246e17f5d6e42f0d8daba7d90fc4e9f@https://storage.googleapis.com/kubernetes-release/release/v1.23.0/bin/linux/arm64/mounter
  - ef17764ffd6cdcb16d76401bac1db6acc050c9b088f1be5efa0e094ea3b01df0@https://storage.googleapis.com/k8s-artifacts-cni/release/v0.9.1/cni-plugins-linux-arm64-v0.9.1.tgz
  - 09fdff397546466f3ee76535aad5236192700f65727cd3068193ae204cd8fda9@https://github.com/containerd/containerd/releases/download/v1.6.0-rc.3/cri-containerd-cni-1.6.0-rc.3-linux-arm64.tar.gz
+  - 9ec8e68feabc4e7083a4cfa45ebe4d529467391e0b03ee7de7ddda5770b05e68@https://github.com/opencontainers/runc/releases/download/v1.1.0/runc.arm64
 CAs:
  kubernetes-ca: |
    -----BEGIN CERTIFICATE-----
--- a/tests/integration/update_cluster/minimal_gce/data/google_compute_instance_template_master-us-test1-a-minimal-gce-example-com_metadata_startup-script
+++ b/tests/integration/update_cluster/minimal_gce/data/google_compute_instance_template_master-us-test1-a-minimal-gce-example-com_metadata_startup-script
@ -253,7 +253,7 @@ CloudProvider: gce
 ConfigBase: memfs://tests/minimal-gce.example.com
 InstanceGroupName: master-us-test1-a
 InstanceGroupRole: Master
-NodeupConfigHash: zuyVTOFivedWkhcwOzOvByKzC1b/7yK+pbBAQ/mD9fo=
+NodeupConfigHash: eQ1jZqLlz+Su6l3xB/wKf1NjuanUt40yYALcbQjqLgg=

 __EOF_KUBE_ENV

--- a/tests/integration/update_cluster/minimal_gce/data/google_compute_instance_template_nodes-minimal-gce-example-com_metadata_startup-script
+++ b/tests/integration/update_cluster/minimal_gce/data/google_compute_instance_template_nodes-minimal-gce-example-com_metadata_startup-script
@ -167,7 +167,7 @@ CloudProvider: gce
 ConfigBase: memfs://tests/minimal-gce.example.com
 InstanceGroupName: nodes
 InstanceGroupRole: Node
-NodeupConfigHash: gJSHakrXBy2pehI2Td/4wRfWavR5hGuE7ErSXPoWP98=
+NodeupConfigHash: X4LBKchPvdbp/TEirTqVaK6etqyBZ1CtIF6eiZjtG9s=

 __EOF_KUBE_ENV

--- a/upup/pkg/fi/cloudup/BUILD.bazel
+++ b/upup/pkg/fi/cloudup/BUILD.bazel
@ -14,6 +14,7 @@ go_library(
        "phase.go",
        "populate_cluster_spec.go",
        "populate_instancegroup_spec.go",
+        "runc.go",
        "spec_builder.go",
        "subnets.go",
        "target.go",
@ -107,6 +108,7 @@ go_test(
        "new_cluster_test.go",
        "populate_cluster_spec_test.go",
        "populate_instancegroup_spec_test.go",
+        "runc_test.go",
        "subnets_test.go",
        "template_functions_test.go",
        "urls_test.go",
--- a/upup/pkg/fi/cloudup/apply_cluster.go
+++ b/upup/pkg/fi/cloudup/apply_cluster.go
@ -1067,6 +1067,18 @@ func (c *ApplyClusterCmd) addFileAssets(assetBuilder *assets.AssetBuilder) error
 		}
 		c.Assets[arch] = append(c.Assets[arch], mirrors.BuildMirroredAsset(containerRuntimeAssetUrl, containerRuntimeAssetHash))

+		if c.Cluster.Spec.ContainerRuntime == "containerd" {
+			var runcAssetUrl *url.URL
+			var runcAssetHash *hashing.Hash
+			runcAssetUrl, runcAssetHash, err = findRuncAsset(c.Cluster, assetBuilder, arch)
+			if err != nil {
+				return err
+			}
+			if runcAssetUrl != nil && runcAssetHash != nil {
+				c.Assets[arch] = append(c.Assets[arch], mirrors.BuildMirroredAsset(runcAssetUrl, runcAssetHash))
+			}
+		}
+
 		asset, err := NodeUpAsset(assetBuilder, arch)
 		if err != nil {
 			return err
--- a/upup/pkg/fi/cloudup/containerd_test.go
+++ b/upup/pkg/fi/cloudup/containerd_test.go
@ -313,7 +313,7 @@ func TestContainerdVersionHash(t *testing.T) {

 func TestContainerdVersionsHashesAmd64(t *testing.T) {
 	if os.Getenv("VERIFY_HASHES") == "" {
-		t.Skip("VERIFY_HASHES not set, won't download & verify docker hashes")
+		t.Skip("VERIFY_HASHES not set, won't download & verify containerd hashes")
 	}

 	for version, hash := range findAllContainerdHashesAmd64() {
@ -328,7 +328,7 @@ func TestContainerdVersionsHashesAmd64(t *testing.T) {

 func TestContainerdVersionsHashesArm64(t *testing.T) {
 	if os.Getenv("VERIFY_HASHES") == "" {
-		t.Skip("VERIFY_HASHES not set, won't download & verify docker hashes")
+		t.Skip("VERIFY_HASHES not set, won't download & verify containerd hashes")
 	}

 	for version, hash := range findAllContainerdHashesArm64() {
--- a/upup/pkg/fi/cloudup/runc.go
+++ b/upup/pkg/fi/cloudup/runc.go
@ -0,0 +1,148 @@
+/*
+Copyright 2020 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package cloudup
+
+import (
+	"fmt"
+	"net/url"
+
+	"github.com/blang/semver/v4"
+
+	"k8s.io/kops/pkg/apis/kops"
+	"k8s.io/kops/pkg/assets"
+	"k8s.io/kops/upup/pkg/fi"
+	"k8s.io/kops/util/pkg/architectures"
+	"k8s.io/kops/util/pkg/hashing"
+)
+
+const (
+	runcVersion         = "1.1.0"
+	runcVersionUrlAmd64 = "https://github.com/opencontainers/runc/releases/download/v%s/runc.amd64"
+	runcVersionUrlArm64 = "https://github.com/opencontainers/runc/releases/download/v%s/runc.arm64"
+)
+
+func findRuncAsset(c *kops.Cluster, assetBuilder *assets.AssetBuilder, arch architectures.Architecture) (*url.URL, *hashing.Hash, error) {
+	if c.Spec.Containerd == nil || c.Spec.Containerd.Version == nil {
+		return nil, nil, fmt.Errorf("unable to find containerd version, used to determine runc version")
+	}
+
+	containerdVersion, err := semver.ParseTolerant(fi.StringValue(c.Spec.Containerd.Version))
+	if err != nil {
+		return nil, nil, fmt.Errorf("unable to parse version string: %q", fi.StringValue(c.Spec.Containerd.Version))
+	}
+	// The a compatible runc binary is bundled with containerd builds < v1.6.0
+	// https://github.com/containerd/containerd/issues/6541
+	if containerdVersion.LT(semver.MustParse("1.6.0-beta.2")) {
+		return nil, nil, nil
+	}
+
+	version := runcVersion
+	assetUrl, assetHash, err := findRuncVersionUrlHash(arch, version)
+	if err != nil {
+		return nil, nil, err
+	}
+
+	return findAssetsUrlHash(assetBuilder, assetUrl, assetHash)
+}
+
+func findRuncVersionUrlHash(arch architectures.Architecture, version string) (u string, h string, e error) {
+	var runcAssetUrl, runcAssetHash string
+
+	if findAllRuncHashesAmd64()[version] != "" {
+		var err error
+		runcAssetUrl, err = findRuncVersionUrl(arch, version)
+		if err != nil {
+			return "", "", err
+		}
+		runcAssetHash, err = findRuncVersionHash(arch, version)
+		if err != nil {
+			return "", "", err
+		}
+	} else {
+		return "", "", fmt.Errorf("unknown url and hash for runc version: %s - %s", arch, version)
+	}
+
+	return runcAssetUrl, runcAssetHash, nil
+}
+
+func findRuncVersionUrl(arch architectures.Architecture, version string) (string, error) {
+	sv, err := semver.ParseTolerant(version)
+	if err != nil {
+		return "", fmt.Errorf("unable to parse version string: %q", version)
+	}
+	if sv.LT(semver.MustParse("1.1.0")) {
+		return "", fmt.Errorf("unsupported runc version: %q", version)
+	}
+
+	var u string
+	switch arch {
+	case architectures.ArchitectureAmd64:
+		u = fmt.Sprintf(runcVersionUrlAmd64, version)
+	case architectures.ArchitectureArm64:
+		u = fmt.Sprintf(runcVersionUrlArm64, version)
+	default:
+		return "", fmt.Errorf("unknown arch: %q", arch)
+	}
+
+	if u == "" {
+		return "", fmt.Errorf("unknown url for runc version: %s - %s", arch, version)
+	}
+
+	return u, nil
+}
+
+func findRuncVersionHash(arch architectures.Architecture, version string) (string, error) {
+	sv, err := semver.ParseTolerant(version)
+	if err != nil {
+		return "", fmt.Errorf("unable to parse version string: %q", version)
+	}
+	if sv.LT(semver.MustParse("1.1.0")) {
+		return "", fmt.Errorf("unsupported runc version: %q", version)
+	}
+
+	var h string
+	switch arch {
+	case architectures.ArchitectureAmd64:
+		h = findAllRuncHashesAmd64()[version]
+	case architectures.ArchitectureArm64:
+		h = findAllRuncHashesArm64()[version]
+	default:
+		return "", fmt.Errorf("unknown arch: %q", arch)
+	}
+
+	if h == "" {
+		return "", fmt.Errorf("unknown hash for runc version: %s - %s", arch, version)
+	}
+
+	return h, nil
+}
+
+func findAllRuncHashesAmd64() map[string]string {
+	hashes := map[string]string{
+		"1.1.0": "ab1c67fbcbdddbe481e48a55cf0ef9a86b38b166b5079e0010737fd87d7454bb",
+	}
+
+	return hashes
+}
+
+func findAllRuncHashesArm64() map[string]string {
+	hashes := map[string]string{
+		"1.1.0": "9ec8e68feabc4e7083a4cfa45ebe4d529467391e0b03ee7de7ddda5770b05e68",
+	}
+
+	return hashes
+}
--- a/upup/pkg/fi/cloudup/runc_test.go
+++ b/upup/pkg/fi/cloudup/runc_test.go
@ -0,0 +1,54 @@
+/*
+Copyright 2022 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package cloudup
+
+import (
+	"os"
+	"testing"
+
+	"k8s.io/kops/util/pkg/architectures"
+)
+
+func TestRuncVersionsHashesAmd64(t *testing.T) {
+	if os.Getenv("VERIFY_HASHES") == "" {
+		t.Skip("VERIFY_HASHES not set, won't download & verify runc hashes")
+	}
+
+	for version, hash := range findAllRuncHashesAmd64() {
+		t.Run(version+"-amd64", func(t *testing.T) {
+			url, _ := findRuncVersionUrl(architectures.ArchitectureAmd64, version)
+			if err := verifyPackageHash(url, hash); err != nil {
+				t.Errorf("error verifying package %q: %v", url, err)
+			}
+		})
+	}
+}
+
+func TestRuncVersionsHashesArm64(t *testing.T) {
+	if os.Getenv("VERIFY_HASHES") == "" {
+		t.Skip("VERIFY_HASHES not set, won't download & verify runc hashes")
+	}
+
+	for version, hash := range findAllRuncHashesArm64() {
+		t.Run(version+"-arm64", func(t *testing.T) {
+			url, _ := findRuncVersionUrl(architectures.ArchitectureArm64, version)
+			if err := verifyPackageHash(url, hash); err != nil {
+				t.Errorf("error verifying package %q: %v", url, err)
+			}
+		})
+	}
+}