Install container runtime packages as assets - Code Review 1

2020-10-23 08:02:41 +03:00 · 2020-10-23 08:02:41 +03:00 · ed3f3a7493
parent 022f4a4158
commit ed3f3a7493
14 changed files with 238 additions and 170 deletions
--- a/nodeup/pkg/model/containerd.go
+++ b/nodeup/pkg/model/containerd.go
@ -99,12 +99,13 @@ func (b *ContainerdBuilder) Build(c *fi.ModelBuilderContext) error {
 			return fmt.Errorf("unable to find any containerd binaries in assets")
 		}
 		for k, v := range f {
-			c.AddTask(&nodetasks.File{
+			fileTask := &nodetasks.File{
 				Path:     filepath.Join("/usr/bin", k),
 				Contents: v,
 				Type:     nodetasks.FileType_File,
 				Mode:     fi.String("0755"),
-			})
+			}
+			c.AddTask(fileTask)
 		}
 	}

--- a/nodeup/pkg/model/context.go
+++ b/nodeup/pkg/model/context.go
@ -599,7 +599,7 @@ func (c *NodeupModelContext) GetPrivateKey(name string) ([]byte, error) {

 func (b *NodeupModelContext) AddCNIBinAssets(c *fi.ModelBuilderContext, assetNames []string) error {
 	for _, assetName := range assetNames {
-		re, err := regexp.Compile(fmt.Sprintf("^%s$", assetName))
+		re, err := regexp.Compile(fmt.Sprintf("^%s$", regexp.QuoteMeta(assetName)))
 		if err != nil {
 			return err
 		}
@ -611,19 +611,17 @@ func (b *NodeupModelContext) AddCNIBinAssets(c *fi.ModelBuilderContext, assetNam
 }

 func (b *NodeupModelContext) addCNIBinAsset(c *fi.ModelBuilderContext, assetPath *regexp.Regexp) error {
-	a := b.Assets.FindMatches(assetPath)
-	if len(a) != 1 {
-		return fmt.Errorf("unable to locate asset %q", assetPath.String())
+	name, res, err := b.Assets.FindMatch(assetPath)
+	if err != nil {
+		return err
 	}

-	for k, v := range a {
-		c.AddTask(&nodetasks.File{
-			Path:     filepath.Join(b.CNIBinDir(), k),
-			Contents: v,
-			Type:     nodetasks.FileType_File,
-			Mode:     fi.String("0755"),
-		})
-	}
+	c.AddTask(&nodetasks.File{
+		Path:     filepath.Join(b.CNIBinDir(), name),
+		Contents: res,
+		Type:     nodetasks.FileType_File,
+		Mode:     fi.String("0755"),
+	})

 	return nil
 }
--- a/nodeup/pkg/model/docker.go
+++ b/nodeup/pkg/model/docker.go
@ -79,6 +79,15 @@ func (b *DockerBuilder) Build(c *fi.ModelBuilderContext) error {
 		return nil
 	}

+	dockerVersion, err := b.dockerVersion()
+	if err != nil {
+		return err
+	}
+	sv, err := semver.ParseTolerant(dockerVersion)
+	if err != nil {
+		return fmt.Errorf("error parsing docker version %q: %v", dockerVersion, err)
+	}
+
 	c.AddTask(b.buildDockerGroup())
 	c.AddTask(b.buildSystemdSocket())

@ -89,13 +98,23 @@ func (b *DockerBuilder) Build(c *fi.ModelBuilderContext) error {
 			return fmt.Errorf("unable to find any Docker binaries in assets")
 		}
 		for k, v := range f {
-			klog.V(4).Infof("Found matching Docker asset: %q", k)
-			c.AddTask(&nodetasks.File{
+			fileTask := &nodetasks.File{
 				Path:     filepath.Join("/usr/bin", k),
 				Contents: v,
 				Type:     nodetasks.FileType_File,
 				Mode:     fi.String("0755"),
-			})
+			}
+			c.AddTask(fileTask)
+
+			// As a mitigation for CVE-2019-5736 we chattr docker-runc to be immutable
+			// https://github.com/kubernetes/kops/blob/master/docs/advisories/cve_2019_5736.md
+			if strings.HasSuffix(k, "runc") && sv.LT(semver.MustParse("18.9.2")) {
+				c.AddTask(&nodetasks.Chattr{
+					File: filepath.Join("/usr/bin", k),
+					Mode: "+i",
+					Deps: []fi.Task{fileTask},
+				})
+			}
 		}
 	}

@ -109,16 +128,7 @@ func (b *DockerBuilder) Build(c *fi.ModelBuilderContext) error {
 		c.AddTask(t)
 	}

-	dockerVersion, err := b.dockerVersion()
-	if err != nil {
-		return err
-	}
-
-	v, err := semver.ParseTolerant(dockerVersion)
-	if err != nil {
-		return fmt.Errorf("error parsing docker version %q: %v", dockerVersion, err)
-	}
-	c.AddTask(b.buildSystemdService(v))
+	c.AddTask(b.buildSystemdService(sv))

 	if err := b.buildSysconfig(c); err != nil {
 		return err
--- a/nodeup/pkg/model/docker_test.go
+++ b/nodeup/pkg/model/docker_test.go
@ -21,6 +21,8 @@ import (
 	"path/filepath"
 	"testing"

+	"github.com/blang/semver/v4"
+
 	"k8s.io/kops/pkg/apis/kops"
 	"k8s.io/kops/pkg/flagbuilder"
 	"k8s.io/kops/pkg/testutils"
@ -120,15 +122,38 @@ func runDockerBuilderTest(t *testing.T, key string) {

 	nodeUpModelContext.Distribution = distributions.DistributionUbuntu1604

-	nodeUpModelContext.Assets = fi.NewAssetStore("")
-	nodeUpModelContext.Assets.AddForTest("containerd", "docker/containerd", "testing Docker content")
-	nodeUpModelContext.Assets.AddForTest("containerd-shim", "docker/containerd-shim", "testing Docker content")
-	nodeUpModelContext.Assets.AddForTest("ctr", "docker/ctr", "testing Docker content")
-	nodeUpModelContext.Assets.AddForTest("docker", "docker/docker", "testing Docker content")
-	nodeUpModelContext.Assets.AddForTest("docker-init", "docker/docker-init", "testing Docker content")
-	nodeUpModelContext.Assets.AddForTest("docker-proxy", "docker/docker-proxy", "testing Docker content")
-	nodeUpModelContext.Assets.AddForTest("dockerd", "docker/dockerd", "testing Docker content")
-	nodeUpModelContext.Assets.AddForTest("runc", "docker/runc", "testing Docker content")
+	if nodeUpModelContext.Cluster.Spec.Docker.SkipInstall == false {
+		if nodeUpModelContext.Cluster == nil || nodeUpModelContext.Cluster.Spec.Docker == nil || nodeUpModelContext.Cluster.Spec.Docker.Version == nil {
+			t.Fatalf("error finding Docker version")
+			return
+		}
+		dv := fi.StringValue(nodeUpModelContext.Cluster.Spec.Docker.Version)
+		sv, err := semver.ParseTolerant(dv)
+		if err != nil {
+			t.Fatalf("error parsing Docker version %q: %v", dv, err)
+			return
+		}
+		nodeUpModelContext.Assets = fi.NewAssetStore("")
+		if sv.GTE(semver.MustParse("19.3.0")) {
+			nodeUpModelContext.Assets.AddForTest("containerd", "docker/containerd", "testing Docker content")
+			nodeUpModelContext.Assets.AddForTest("containerd-shim", "docker/containerd-shim", "testing Docker content")
+			nodeUpModelContext.Assets.AddForTest("ctr", "docker/ctr", "testing Docker content")
+			nodeUpModelContext.Assets.AddForTest("docker", "docker/docker", "testing Docker content")
+			nodeUpModelContext.Assets.AddForTest("docker-init", "docker/docker-init", "testing Docker content")
+			nodeUpModelContext.Assets.AddForTest("docker-proxy", "docker/docker-proxy", "testing Docker content")
+			nodeUpModelContext.Assets.AddForTest("dockerd", "docker/dockerd", "testing Docker content")
+			nodeUpModelContext.Assets.AddForTest("runc", "docker/runc", "testing Docker content")
+		} else {
+			nodeUpModelContext.Assets.AddForTest("docker", "docker/docker", "testing Docker content")
+			nodeUpModelContext.Assets.AddForTest("docker-containerd", "docker/docker-containerd", "testing Docker content")
+			nodeUpModelContext.Assets.AddForTest("docker-containerd-ctr", "docker/docker-containerd-ctr", "testing Docker content")
+			nodeUpModelContext.Assets.AddForTest("docker-containerd-shim", "docker/docker-containerd-shim", "testing Docker content")
+			nodeUpModelContext.Assets.AddForTest("docker-init", "docker/docker-init", "testing Docker content")
+			nodeUpModelContext.Assets.AddForTest("docker-proxy", "docker/docker-proxy", "testing Docker content")
+			nodeUpModelContext.Assets.AddForTest("docker-runc", "docker/docker-runc", "testing Docker content")
+			nodeUpModelContext.Assets.AddForTest("dockerd", "docker/dockerd", "testing Docker content")
+		}
+	}

 	context := &fi.ModelBuilderContext{
 		Tasks: make(map[string]fi.Task),
--- a/nodeup/pkg/model/tests/dockerbuilder/docker_18.06.3/tasks.yaml
+++ b/nodeup/pkg/model/tests/dockerbuilder/docker_18.06.3/tasks.yaml
@ -1,3 +1,6 @@
+file: /usr/bin/docker-runc
+mode: +i
+---
 contents: |-
  DOCKER_OPTS=
  DOCKER_NOFILE=1000000
@ -72,30 +75,6 @@ mode: "0755"
 path: /opt/kops/bin/docker-healthcheck
 type: file
 ---
-contents:
-  Asset:
-    AssetPath: docker/containerd
-    Key: containerd
-mode: "0755"
-path: /usr/bin/containerd
-type: file
---
-contents:
-  Asset:
-    AssetPath: docker/containerd-shim
-    Key: containerd-shim
-mode: "0755"
-path: /usr/bin/containerd-shim
-type: file
---
-contents:
-  Asset:
-    AssetPath: docker/ctr
-    Key: ctr
-mode: "0755"
-path: /usr/bin/ctr
-type: file
---
 contents:
  Asset:
    AssetPath: docker/docker
@ -104,6 +83,30 @@ mode: "0755"
 path: /usr/bin/docker
 type: file
 ---
+contents:
+  Asset:
+    AssetPath: docker/docker-containerd
+    Key: docker-containerd
+mode: "0755"
+path: /usr/bin/docker-containerd
+type: file
+---
+contents:
+  Asset:
+    AssetPath: docker/docker-containerd-ctr
+    Key: docker-containerd-ctr
+mode: "0755"
+path: /usr/bin/docker-containerd-ctr
+type: file
+---
+contents:
+  Asset:
+    AssetPath: docker/docker-containerd-shim
+    Key: docker-containerd-shim
+mode: "0755"
+path: /usr/bin/docker-containerd-shim
+type: file
+---
 contents:
  Asset:
    AssetPath: docker/docker-init
@ -122,18 +125,18 @@ type: file
 ---
 contents:
  Asset:
-    AssetPath: docker/dockerd
-    Key: dockerd
+    AssetPath: docker/docker-runc
+    Key: docker-runc
 mode: "0755"
-path: /usr/bin/dockerd
+path: /usr/bin/docker-runc
 type: file
 ---
 contents:
  Asset:
-    AssetPath: docker/runc
-    Key: runc
+    AssetPath: docker/dockerd
+    Key: dockerd
 mode: "0755"
-path: /usr/bin/runc
+path: /usr/bin/dockerd
 type: file
 ---
 contents: |2
--- a/nodeup/pkg/model/tests/dockerbuilder/healthcheck/tasks.yaml
+++ b/nodeup/pkg/model/tests/dockerbuilder/healthcheck/tasks.yaml
@ -1,3 +1,6 @@
+file: /usr/bin/docker-runc
+mode: +i
+---
 contents: |-
  DOCKER_OPTS=
  DOCKER_NOFILE=1000000
@ -72,30 +75,6 @@ mode: "0755"
 path: /opt/kops/bin/docker-healthcheck
 type: file
 ---
-contents:
-  Asset:
-    AssetPath: docker/containerd
-    Key: containerd
-mode: "0755"
-path: /usr/bin/containerd
-type: file
---
-contents:
-  Asset:
-    AssetPath: docker/containerd-shim
-    Key: containerd-shim
-mode: "0755"
-path: /usr/bin/containerd-shim
-type: file
---
-contents:
-  Asset:
-    AssetPath: docker/ctr
-    Key: ctr
-mode: "0755"
-path: /usr/bin/ctr
-type: file
---
 contents:
  Asset:
    AssetPath: docker/docker
@ -104,6 +83,30 @@ mode: "0755"
 path: /usr/bin/docker
 type: file
 ---
+contents:
+  Asset:
+    AssetPath: docker/docker-containerd
+    Key: docker-containerd
+mode: "0755"
+path: /usr/bin/docker-containerd
+type: file
+---
+contents:
+  Asset:
+    AssetPath: docker/docker-containerd-ctr
+    Key: docker-containerd-ctr
+mode: "0755"
+path: /usr/bin/docker-containerd-ctr
+type: file
+---
+contents:
+  Asset:
+    AssetPath: docker/docker-containerd-shim
+    Key: docker-containerd-shim
+mode: "0755"
+path: /usr/bin/docker-containerd-shim
+type: file
+---
 contents:
  Asset:
    AssetPath: docker/docker-init
@ -122,18 +125,18 @@ type: file
 ---
 contents:
  Asset:
-    AssetPath: docker/dockerd
-    Key: dockerd
+    AssetPath: docker/docker-runc
+    Key: docker-runc
 mode: "0755"
-path: /usr/bin/dockerd
+path: /usr/bin/docker-runc
 type: file
 ---
 contents:
  Asset:
-    AssetPath: docker/runc
-    Key: runc
+    AssetPath: docker/dockerd
+    Key: dockerd
 mode: "0755"
-path: /usr/bin/runc
+path: /usr/bin/dockerd
 type: file
 ---
 contents: |2
--- a/nodeup/pkg/model/tests/dockerbuilder/logflags/tasks.yaml
+++ b/nodeup/pkg/model/tests/dockerbuilder/logflags/tasks.yaml
@ -1,3 +1,6 @@
+file: /usr/bin/docker-runc
+mode: +i
+---
 contents: |-
  DOCKER_OPTS=
  DOCKER_NOFILE=1000000
@ -72,30 +75,6 @@ mode: "0755"
 path: /opt/kops/bin/docker-healthcheck
 type: file
 ---
-contents:
-  Asset:
-    AssetPath: docker/containerd
-    Key: containerd
-mode: "0755"
-path: /usr/bin/containerd
-type: file
---
-contents:
-  Asset:
-    AssetPath: docker/containerd-shim
-    Key: containerd-shim
-mode: "0755"
-path: /usr/bin/containerd-shim
-type: file
---
-contents:
-  Asset:
-    AssetPath: docker/ctr
-    Key: ctr
-mode: "0755"
-path: /usr/bin/ctr
-type: file
---
 contents:
  Asset:
    AssetPath: docker/docker
@ -104,6 +83,30 @@ mode: "0755"
 path: /usr/bin/docker
 type: file
 ---
+contents:
+  Asset:
+    AssetPath: docker/docker-containerd
+    Key: docker-containerd
+mode: "0755"
+path: /usr/bin/docker-containerd
+type: file
+---
+contents:
+  Asset:
+    AssetPath: docker/docker-containerd-ctr
+    Key: docker-containerd-ctr
+mode: "0755"
+path: /usr/bin/docker-containerd-ctr
+type: file
+---
+contents:
+  Asset:
+    AssetPath: docker/docker-containerd-shim
+    Key: docker-containerd-shim
+mode: "0755"
+path: /usr/bin/docker-containerd-shim
+type: file
+---
 contents:
  Asset:
    AssetPath: docker/docker-init
@ -122,18 +125,18 @@ type: file
 ---
 contents:
  Asset:
-    AssetPath: docker/dockerd
-    Key: dockerd
+    AssetPath: docker/docker-runc
+    Key: docker-runc
 mode: "0755"
-path: /usr/bin/dockerd
+path: /usr/bin/docker-runc
 type: file
 ---
 contents:
  Asset:
-    AssetPath: docker/runc
-    Key: runc
+    AssetPath: docker/dockerd
+    Key: dockerd
 mode: "0755"
-path: /usr/bin/runc
+path: /usr/bin/dockerd
 type: file
 ---
 contents: |2
--- a/nodeup/pkg/model/tests/dockerbuilder/simple/tasks.yaml
+++ b/nodeup/pkg/model/tests/dockerbuilder/simple/tasks.yaml
@ -1,3 +1,6 @@
+file: /usr/bin/docker-runc
+mode: +i
+---
 contents: |-
  DOCKER_OPTS=
  DOCKER_NOFILE=1000000
@ -72,30 +75,6 @@ mode: "0755"
 path: /opt/kops/bin/docker-healthcheck
 type: file
 ---
-contents:
-  Asset:
-    AssetPath: docker/containerd
-    Key: containerd
-mode: "0755"
-path: /usr/bin/containerd
-type: file
---
-contents:
-  Asset:
-    AssetPath: docker/containerd-shim
-    Key: containerd-shim
-mode: "0755"
-path: /usr/bin/containerd-shim
-type: file
---
-contents:
-  Asset:
-    AssetPath: docker/ctr
-    Key: ctr
-mode: "0755"
-path: /usr/bin/ctr
-type: file
---
 contents:
  Asset:
    AssetPath: docker/docker
@ -104,6 +83,30 @@ mode: "0755"
 path: /usr/bin/docker
 type: file
 ---
+contents:
+  Asset:
+    AssetPath: docker/docker-containerd
+    Key: docker-containerd
+mode: "0755"
+path: /usr/bin/docker-containerd
+type: file
+---
+contents:
+  Asset:
+    AssetPath: docker/docker-containerd-ctr
+    Key: docker-containerd-ctr
+mode: "0755"
+path: /usr/bin/docker-containerd-ctr
+type: file
+---
+contents:
+  Asset:
+    AssetPath: docker/docker-containerd-shim
+    Key: docker-containerd-shim
+mode: "0755"
+path: /usr/bin/docker-containerd-shim
+type: file
+---
 contents:
  Asset:
    AssetPath: docker/docker-init
@ -122,18 +125,18 @@ type: file
 ---
 contents:
  Asset:
-    AssetPath: docker/dockerd
-    Key: dockerd
+    AssetPath: docker/docker-runc
+    Key: docker-runc
 mode: "0755"
-path: /usr/bin/dockerd
+path: /usr/bin/docker-runc
 type: file
 ---
 contents:
  Asset:
-    AssetPath: docker/runc
-    Key: runc
+    AssetPath: docker/dockerd
+    Key: dockerd
 mode: "0755"
-path: /usr/bin/runc
+path: /usr/bin/dockerd
 type: file
 ---
 contents: |2
--- a/pkg/apis/kops/validation/validation.go
+++ b/pkg/apis/kops/validation/validation.go
@ -1078,7 +1078,7 @@ func validateContainerdConfig(config *kops.ContainerdConfig, fldPath *field.Path
 			allErrs = append(allErrs, field.Invalid(fldPath.Child("version"), config.Version,
 				fmt.Sprintf("unable to parse version string: %s", err.Error())))
 		}
-		if sv.LT(semver.MustParse("1.2.6")) {
+		if sv.LT(semver.MustParse("1.2.4")) {
 			allErrs = append(allErrs, field.Invalid(fldPath.Child("version"), config.Version, "unsupported legacy version"))
 		}
 	}
--- a/upup/pkg/fi/assetstore.go
+++ b/upup/pkg/fi/assetstore.go
@ -103,7 +103,7 @@ func NewAssetStore(cacheDir string) *AssetStore {
 func (a *AssetStore) FindMatches(expr *regexp.Regexp) map[string]Resource {
 	matches := make(map[string]Resource)

-	klog.Infof("Matching assets:")
+	klog.Infof("Matching assets for %q:", expr.String())
 	for _, a := range a.assets {
 		if expr.MatchString(a.AssetPath) {
 			klog.Infof("    %s", a.AssetPath)
@ -114,6 +114,26 @@ func (a *AssetStore) FindMatches(expr *regexp.Regexp) map[string]Resource {
 	return matches
 }

+func (a *AssetStore) FindMatch(expr *regexp.Regexp) (name string, res Resource, err error) {
+	matches := a.FindMatches(expr)
+
+	switch len(matches) {
+	case 0:
+		return "", nil, fmt.Errorf("found no matching assets for expr: %q", expr.String())
+	case 1:
+		var n string
+		var r Resource
+		for k, v := range matches {
+			klog.Infof("Found single matching asset for expr %q: %q", expr.String(), k)
+			n = k
+			r = v
+		}
+		return n, r, nil
+	default:
+		return "", nil, fmt.Errorf("found multiple matching assets for expr: %q", expr.String())
+	}
+}
+
 func (a *AssetStore) Find(key string, assetPath string) (Resource, error) {
 	var matches []*asset
 	for _, asset := range a.assets {
--- a/upup/pkg/fi/cloudup/apply_cluster.go
+++ b/upup/pkg/fi/cloudup/apply_cluster.go
@ -1100,9 +1100,9 @@ func (c *ApplyClusterCmd) addFileAssets(assetBuilder *assets.AssetBuilder) error
 		var containerRuntimeAssetHash *hashing.Hash
 		switch c.Cluster.Spec.ContainerRuntime {
 		case "docker":
-			containerRuntimeAssetUrl, containerRuntimeAssetHash, err = findDockerAssets(c.Cluster, assetBuilder, arch)
+			containerRuntimeAssetUrl, containerRuntimeAssetHash, err = findDockerAsset(c.Cluster, assetBuilder, arch)
 		case "containerd":
-			containerRuntimeAssetUrl, containerRuntimeAssetHash, err = findContainerdAssets(c.Cluster, assetBuilder, arch)
+			containerRuntimeAssetUrl, containerRuntimeAssetHash, err = findContainerdAsset(c.Cluster, assetBuilder, arch)
 		default:
 			err = fmt.Errorf("unknown container runtime: %q", c.Cluster.Spec.ContainerRuntime)
 		}
--- a/upup/pkg/fi/cloudup/containerd.go
+++ b/upup/pkg/fi/cloudup/containerd.go
@ -38,7 +38,7 @@ const (
 	containerdFallbackVersion = "1.2.13"
 )

-func findContainerdAssets(c *kops.Cluster, assetBuilder *assets.AssetBuilder, arch architectures.Architecture) (*url.URL, *hashing.Hash, error) {
+func findContainerdAsset(c *kops.Cluster, assetBuilder *assets.AssetBuilder, arch architectures.Architecture) (*url.URL, *hashing.Hash, error) {
 	if c.Spec.Containerd == nil || fi.StringValue(c.Spec.Containerd.Version) == "" {
 		return nil, nil, fmt.Errorf("unable to find containerd version")
 	}
@ -162,10 +162,12 @@ func findAllContainerdHashesAmd64() map[string]string {

 func findAllContainerdDockerMappings() map[string]string {
 	versions := map[string]string{
+		"1.2.4":  "18.09.3",
+		"1.2.5":  "18.09.4",
 		"1.2.6":  "19.03.2",
 		"1.2.10": "19.03.5",
 		"1.2.12": "19.03.6",
-		"1.2.13": "19.03.12",
+		"1.2.13": "19.03.11",
 		"1.3.7":  "19.03.13",
 	}

--- a/upup/pkg/fi/cloudup/containerd_test.go
+++ b/upup/pkg/fi/cloudup/containerd_test.go
@ -43,8 +43,8 @@ func TestContainerdVersionUrlHash(t *testing.T) {
 		{
 			arch:    architectures.ArchitectureArm64,
 			version: "1.3.4",
-			url:     "https://download.docker.com/linux/static/stable/aarch64/docker-19.03.12.tgz",
-			hash:    "bc7810d58e32360652abfddc9cb43405feee4ed9592aedc1132fb35eede9fa9e",
+			url:     "https://download.docker.com/linux/static/stable/aarch64/docker-19.03.11.tgz",
+			hash:    "9cd49fe82f6b7ec413b04daef35bc0c87b01d6da67611e5beef36291538d3145",
 			err:     nil,
 		},
 		{
@ -71,8 +71,8 @@ func TestContainerdVersionUrlHash(t *testing.T) {
 		{
 			arch:    architectures.ArchitectureArm64,
 			version: "1.4.1",
-			url:     "https://download.docker.com/linux/static/stable/aarch64/docker-19.03.12.tgz",
-			hash:    "bc7810d58e32360652abfddc9cb43405feee4ed9592aedc1132fb35eede9fa9e",
+			url:     "https://download.docker.com/linux/static/stable/aarch64/docker-19.03.11.tgz",
+			hash:    "9cd49fe82f6b7ec413b04daef35bc0c87b01d6da67611e5beef36291538d3145",
 			err:     nil,
 		},
 	}
@ -159,7 +159,7 @@ func TestContainerdVersionUrl(t *testing.T) {
 		{
 			arch:    architectures.ArchitectureArm64,
 			version: "1.3.4",
-			url:     "https://download.docker.com/linux/static/stable/aarch64/docker-19.03.12.tgz",
+			url:     "https://download.docker.com/linux/static/stable/aarch64/docker-19.03.11.tgz",
 			err:     nil,
 		},
 		{
@ -171,7 +171,7 @@ func TestContainerdVersionUrl(t *testing.T) {
 		{
 			arch:    architectures.ArchitectureArm64,
 			version: "1.4.1",
-			url:     "https://download.docker.com/linux/static/stable/aarch64/docker-19.03.12.tgz",
+			url:     "https://download.docker.com/linux/static/stable/aarch64/docker-19.03.11.tgz",
 			err:     nil,
 		},
 	}
@ -254,7 +254,7 @@ func TestContainerdVersionHash(t *testing.T) {
 		{
 			arch:    architectures.ArchitectureArm64,
 			version: "1.4.1",
-			hash:    "bc7810d58e32360652abfddc9cb43405feee4ed9592aedc1132fb35eede9fa9e",
+			hash:    "9cd49fe82f6b7ec413b04daef35bc0c87b01d6da67611e5beef36291538d3145",
 			err:     nil,
 		},
 	}
--- a/upup/pkg/fi/cloudup/docker.go
+++ b/upup/pkg/fi/cloudup/docker.go
@ -41,7 +41,7 @@ const (
 	dockerFallbackVersion = "17.09.0"
 )

-func findDockerAssets(c *kops.Cluster, assetBuilder *assets.AssetBuilder, arch architectures.Architecture) (*url.URL, *hashing.Hash, error) {
+func findDockerAsset(c *kops.Cluster, assetBuilder *assets.AssetBuilder, arch architectures.Architecture) (*url.URL, *hashing.Hash, error) {
 	if c.Spec.Docker == nil || fi.StringValue(c.Spec.Docker.Version) == "" {
 		return nil, nil, fmt.Errorf("unable to find Docker version")
 	}