Merge pull request #10396 from hakman/fix-protokube-lib-arm64

Mount /lib64 for Protokube only on AMD64

nodeup/pkg/model/protokube.go

@@ -33,6 +33,7 @@ import (
 	"k8s.io/kops/pkg/systemd"
 	"k8s.io/kops/upup/pkg/fi"
 	"k8s.io/kops/upup/pkg/fi/nodeup/nodetasks"
+	"k8s.io/kops/util/pkg/architectures"
 	"k8s.io/kops/util/pkg/proxy"
 
 	"github.com/blang/semver/v4"
@@ -214,13 +215,18 @@ func (t *ProtokubeBuilder) ProtokubeContainerRunCommand() (string, error) {
 		containerRunArgs = append(containerRunArgs, []string{
 			"--volume /bin:/bin:ro",
 			"--volume /lib:/lib:ro",
-			"--volume /lib64:/lib64:ro",
 			"--volume /sbin:/sbin:ro",
 			"--volume /usr/bin:/usr/bin:ro",
 			"--volume /var/run/dbus:/var/run/dbus",
 			"--volume /run/systemd:/run/systemd",
 		}...)
 
+		if t.Architecture == architectures.ArchitectureAmd64 {
+			containerRunArgs = append(containerRunArgs, []string{
+				"--volume /lib64:/lib64:ro",
+			}...)
+		}
+
 		if fi.BoolValue(t.Cluster.Spec.UseHostCertificates) {
 			containerRunArgs = append(containerRunArgs, []string{
 				"--volume /etc/ssl/certs:/etc/ssl/certs",
@@ -264,13 +270,18 @@ func (t *ProtokubeBuilder) ProtokubeContainerRunCommand() (string, error) {
 		containerRunArgs = append(containerRunArgs, []string{
 			"--mount type=bind,src=/bin,dst=/bin,options=rbind:ro:rprivate",
 			"--mount type=bind,src=/lib,dst=/lib,options=rbind:ro:rprivate",
-			"--mount type=bind,src=/lib64,dst=/lib64,options=rbind:ro:rprivate",
 			"--mount type=bind,src=/sbin,dst=/sbin,options=rbind:ro:rprivate",
 			"--mount type=bind,src=/usr/bin,dst=/usr/bin,options=rbind:ro:rprivate",
 			"--mount type=bind,src=/var/run/dbus,dst=/var/run/dbus,options=rbind:rprivate",
 			"--mount type=bind,src=/run/systemd,dst=/run/systemd,options=rbind:rprivate",
 		}...)
 
+		if t.Architecture == architectures.ArchitectureAmd64 {
+			containerRunArgs = append(containerRunArgs, []string{
+				"--mount type=bind,src=/lib64,dst=/lib64,options=rbind:ro:rprivate",
+			}...)
+		}
+
 		if fi.BoolValue(t.Cluster.Spec.UseHostCertificates) {
 			containerRunArgs = append(containerRunArgs, []string{
 				"--mount type=bind,src=/etc/ssl/certs,dst=/etc/ssl/certs,options=rbind:ro:rprivate",

nodeup/pkg/model/tests/protokube/containerd/tasks-protokube.yaml

@@ -85,7 +85,7 @@ definition: |
   [Service]
   ExecStartPre=/bin/true
   ExecStartPre=-/usr/bin/ctr --namespace k8s.io container rm protokube
-  ExecStart=/usr/bin/ctr --namespace k8s.io run --net-host --with-ns pid:/proc/1/ns/pid --privileged --mount type=bind,src=/,dst=/rootfs,options=rbind:rslave --env KUBECONFIG=/rootfs/var/lib/kops/kubeconfig --mount type=bind,src=/bin,dst=/bin,options=rbind:ro:rprivate --mount type=bind,src=/lib,dst=/lib,options=rbind:ro:rprivate --mount type=bind,src=/lib64,dst=/lib64,options=rbind:ro:rprivate --mount type=bind,src=/sbin,dst=/sbin,options=rbind:ro:rprivate --mount type=bind,src=/usr/bin,dst=/usr/bin,options=rbind:ro:rprivate --mount type=bind,src=/var/run/dbus,dst=/var/run/dbus,options=rbind:rprivate --mount type=bind,src=/run/systemd,dst=/run/systemd,options=rbind:rprivate --mount type=bind,src=/usr/local/bin,dst=/opt/kops/bin,options=rbind:ro:rprivate --env PATH=/opt/kops/bin:/usr/bin:/sbin:/bin docker.io/library/protokube image name protokube /protokube --bootstrap-master-node-labels=true --cloud=aws --containerized=true --dns-internal-suffix=.internal.minimal.example.com --dns=aws-route53 --etcd-backup-store=memfs://clusters.example.com/minimal.example.com/backups/etcd/main --etcd-image=k8s.gcr.io/etcd:3.4.3 --initialize-rbac=true --manage-etcd=true --master=true --node-name=master.hostname.invalid --peer-ca=/srv/kubernetes/ca.crt --peer-cert=/srv/kubernetes/etcd-peer.pem --peer-key=/srv/kubernetes/etcd-peer-key.pem --tls-auth=true --tls-ca=/srv/kubernetes/ca.crt --tls-cert=/srv/kubernetes/etcd.pem --tls-key=/srv/kubernetes/etcd-key.pem --v=4 --zone=*/Z1AFAKE1ZON3YO
+  ExecStart=/usr/bin/ctr --namespace k8s.io run --net-host --with-ns pid:/proc/1/ns/pid --privileged --mount type=bind,src=/,dst=/rootfs,options=rbind:rslave --env KUBECONFIG=/rootfs/var/lib/kops/kubeconfig --mount type=bind,src=/bin,dst=/bin,options=rbind:ro:rprivate --mount type=bind,src=/lib,dst=/lib,options=rbind:ro:rprivate --mount type=bind,src=/sbin,dst=/sbin,options=rbind:ro:rprivate --mount type=bind,src=/usr/bin,dst=/usr/bin,options=rbind:ro:rprivate --mount type=bind,src=/var/run/dbus,dst=/var/run/dbus,options=rbind:rprivate --mount type=bind,src=/run/systemd,dst=/run/systemd,options=rbind:rprivate --mount type=bind,src=/lib64,dst=/lib64,options=rbind:ro:rprivate --mount type=bind,src=/usr/local/bin,dst=/opt/kops/bin,options=rbind:ro:rprivate --env PATH=/opt/kops/bin:/usr/bin:/sbin:/bin docker.io/library/protokube image name protokube /protokube --bootstrap-master-node-labels=true --cloud=aws --containerized=true --dns-internal-suffix=.internal.minimal.example.com --dns=aws-route53 --etcd-backup-store=memfs://clusters.example.com/minimal.example.com/backups/etcd/main --etcd-image=k8s.gcr.io/etcd:3.4.3 --initialize-rbac=true --manage-etcd=true --master=true --node-name=master.hostname.invalid --peer-ca=/srv/kubernetes/ca.crt --peer-cert=/srv/kubernetes/etcd-peer.pem --peer-key=/srv/kubernetes/etcd-peer-key.pem --tls-auth=true --tls-ca=/srv/kubernetes/ca.crt --tls-cert=/srv/kubernetes/etcd.pem --tls-key=/srv/kubernetes/etcd-key.pem --v=4 --zone=*/Z1AFAKE1ZON3YO
   Restart=always
   RestartSec=3s
   StartLimitInterval=0

nodeup/pkg/model/tests/protokube/docker/tasks-protokube.yaml

@@ -85,7 +85,7 @@ definition: |
   [Service]
   ExecStartPre=-/usr/bin/docker stop protokube
   ExecStartPre=-/usr/bin/docker rm protokube
-  ExecStart=/usr/bin/docker run --net=host --pid=host --privileged --volume /:/rootfs --env KUBECONFIG=/rootfs/var/lib/kops/kubeconfig --volume /bin:/bin:ro --volume /lib:/lib:ro --volume /lib64:/lib64:ro --volume /sbin:/sbin:ro --volume /usr/bin:/usr/bin:ro --volume /var/run/dbus:/var/run/dbus --volume /run/systemd:/run/systemd --volume /usr/local/bin:/opt/kops/bin:ro --env PATH=/opt/kops/bin:/usr/bin:/sbin:/bin --name protokube protokube image name /protokube --bootstrap-master-node-labels=true --cloud=aws --containerized=true --dns-internal-suffix=internal.minimal.k8s.local --dns=gossip --etcd-backup-store=memfs://clusters.example.com/minimal.example.com/backups/etcd/main --etcd-image=k8s.gcr.io/etcd:3.4.3 --initialize-rbac=true --manage-etcd=true --master=true --node-name=master.override.invalid --peer-ca=/srv/kubernetes/ca.crt --peer-cert=/srv/kubernetes/etcd-peer.pem --peer-key=/srv/kubernetes/etcd-peer-key.pem --tls-auth=true --tls-ca=/srv/kubernetes/ca.crt --tls-cert=/srv/kubernetes/etcd.pem --tls-key=/srv/kubernetes/etcd-key.pem --v=4 --zone=*/Z1AFAKE1ZON3YO
+  ExecStart=/usr/bin/docker run --net=host --pid=host --privileged --volume /:/rootfs --env KUBECONFIG=/rootfs/var/lib/kops/kubeconfig --volume /bin:/bin:ro --volume /lib:/lib:ro --volume /sbin:/sbin:ro --volume /usr/bin:/usr/bin:ro --volume /var/run/dbus:/var/run/dbus --volume /run/systemd:/run/systemd --volume /lib64:/lib64:ro --volume /usr/local/bin:/opt/kops/bin:ro --env PATH=/opt/kops/bin:/usr/bin:/sbin:/bin --name protokube protokube image name /protokube --bootstrap-master-node-labels=true --cloud=aws --containerized=true --dns-internal-suffix=internal.minimal.k8s.local --dns=gossip --etcd-backup-store=memfs://clusters.example.com/minimal.example.com/backups/etcd/main --etcd-image=k8s.gcr.io/etcd:3.4.3 --initialize-rbac=true --manage-etcd=true --master=true --node-name=master.override.invalid --peer-ca=/srv/kubernetes/ca.crt --peer-cert=/srv/kubernetes/etcd-peer.pem --peer-key=/srv/kubernetes/etcd-peer-key.pem --tls-auth=true --tls-ca=/srv/kubernetes/ca.crt --tls-cert=/srv/kubernetes/etcd.pem --tls-key=/srv/kubernetes/etcd-key.pem --v=4 --zone=*/Z1AFAKE1ZON3YO
   Restart=always
   RestartSec=3s
   StartLimitInterval=0