Cleanup after #8855

[hakman]

The repo containing the binaries for Docker 1.11, 1.12 and 1.13 was shut down on March 31. This means support for older docker versions cannot be maintained.
https://www.docker.com/blog/changes-dockerproject-org-apt-yum-repositories/

On the 31st of March 2020, we will be shutting down the legacy APT and YUM repositories hosted at dockerproject.org and dockerproject.com. These repositories haven’t been updated with the latest releases of Docker and so the packages hosted there contain security vulnerabilities. Removing these repositories will make sure that people download the latest version of Docker ensuring their security and providing the best experience possible

This PR will need to be cherry-picked to 1.16+.

[hakman]

/assign @justinsb
/cc @rifelpet

[rifelpet]

With this PR what exactly will happen if a user specifies one of the impacted docker versions in the cluster manifest? Will nodeup fallback to the new default docker version of 17.03.2?

Should we add some api-level validation, so that a kops update cluster on a cluster that specifies one of these docker versions will fail with a useful error message?

[hakman]

@rifelpet I think it will install 17.03.2, this is what I saw happening in the past when the Docker version was not found by NodeUp.
Api-level validation on the docker version would be nice to have. As long as we keep the list of supported Docker versions there, should be a big improvement.

[hakman]

Validation for Docker versions is now added. Thanks for the idea @rifelpet.

[hakman]

/retest

[johngmyers]

Might be better to instead require a value in the manifest.

[hakman]

This is used as a fallback when the dirstro or arch is not listed. For example, if anyone chooses to use a Debian Jessie based image with latest Docker, NodeUp will not find it and use this.

[johngmyers]

How does that work? I only see this referenced from the dockerVersion() receiver of DockerBuilder, when Cluster.Spec.Docker.Version is not specified.

It seems odd to be updating a field to the oldest version we can. The comment suggests it's a backwards-compatibility strategy that is never supposed to be updated.

[hakman]

I looked at the code and I also don't see any other reference. It is used just if the version doesn't exist as you also noticed.

This is a very old piece of code that exists since the beginnings. No idea why it was needed then and why we still keep it. At this point there should always be a Docker version.

kops/pkg/model/components/docker.go

Lines 50 to 62 in 62c5100

	if fi.StringValue(clusterSpec.Docker.Version) == "" {
	if b.IsKubernetesGTE("1.18") {
	docker.Version = fi.String("19.03.8")
	} else if b.IsKubernetesGTE("1.17") {
	docker.Version = fi.String("19.03.4")
	} else if b.IsKubernetesGTE("1.16") {
	docker.Version = fi.String("18.09.9")
	} else if b.IsKubernetesGTE("1.12") {
	docker.Version = fi.String("18.06.3")
	} else {
	docker.Version = fi.String("17.03.2")
	}
	}

The only explanation I have is this, since containerd support was added: #7986 (comment).

[johngmyers]

Yeah, the components/docker.go code that presumably ensures the field is set was added in the same commit that adds DefaultDockerVersion. @justinsb would have the context.

[justinsb]

This is indeed very very old. The kops CLI is supposed to populate the docker version in the "expanded" form of the cluster spec (the one you can see with --full). When it was first introduced, we didn't lock nodeup to the kops version, and so there was the risk of skew. To tolerate that, we introduced a default docker version that nodeup would use, when kops didn't populate it.

At this point, it's probably easier to remove the nodeup defaulting entirely - just skip installing docker if isn't populated, I would suggest (with a warning so we can figure out what happened!).

[justinsb]

This is indeed very very old. The kops CLI is supposed to populate the docker version in the "expanded" form of the cluster spec (the one you can see with --full). When it was first introduced, we didn't lock nodeup to the kops version, and so there was the risk of skew. To tolerate that, we introduced a default docker version that nodeup would use, when kops didn't populate it.

At this point, it's probably easier to remove the nodeup defaulting entirely - just skip installing docker if isn't populated, I would suggest (with a warning so we can figure out what happened!).

[justinsb]

This validation is the critical thing to backport, I believe. (I think the others might have a higher risk of collisions).

Should we split this out into its own commit that we cherry-pick back? And I'm wondering whether it's easier just to exclude the known-bad versions (1.11, 1.12 etc) with an explicit "docker removed these versions" message... Technically I guess it doesn't really matter if we let through 19.03.8 on an older version that doesn't support it - we're no worse off than we are today.

[justinsb]

Thanks for doing this @hakman . On the cherry-pick, I think the critical thing to cherry pick is a warning/error about the no-longer available docker versions; so I suggested splitting that into its own PR. Removal of the mappings to URLs is internal machinery and so less important to cherry-pick I suggest, and I worry that there has been some changes there that might make it harder to cherry-pick.

[hakman]

Thanks @justinsb. I create a new PR that can be easily cherry-picked and will update this to remove default Docker version.

[justinsb]

Thanks for splitting this out - looks great @hakman

/approve
/lgtm

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: hakman, justinsb

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [justinsb]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[hakman]

Thanks @justinsb. Will take care of the cherry-picks for Kops 1.16 and 1.17.