diff --git a/.github/workflows/verify.yml b/.github/workflows/verify.yml index 4f23b33d43d..d00a7cbc30e 100644 --- a/.github/workflows/verify.yml +++ b/.github/workflows/verify.yml @@ -103,31 +103,6 @@ jobs: go-version: ${{ env.GO_VERSION }} - run: make check-config-template - get-script: - if: ${{ github.base_ref == 'main' }} - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v4 - - run: sudo scripts/get - - run: crio version - - get-script-with-verification: - if: ${{ github.base_ref == 'main' }} - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v4 - - uses: actions/setup-go@v4 - with: - go-version: ${{ env.GO_VERSION }} - - uses: sigstore/cosign-installer@v3 - - run: | - BOM_VERSION=v0.5.1 - curl -sSfL --retry 5 --retry-delay 3 https://github.com/kubernetes-sigs/bom/releases/download/$BOM_VERSION/bom-amd64-linux -o bom - chmod +x bom - sudo cp bom /usr/bin - - run: sudo -E PATH=$PATH scripts/get - - run: crio version - dependencies: runs-on: ubuntu-latest steps: diff --git a/README.md b/README.md index 7225ff41fb9..766738e562a 100644 --- a/README.md +++ b/README.md @@ -150,7 +150,8 @@ To install `CRI-O`, you can follow our [installation guide](install.md). Alternatively, if you'd rather build `CRI-O` from source, checkout our [setup guide](install.md#build-and-install-cri-o-from-source). We also provide a way in building -[static binaries of `CRI-O`](install.md#static-builds) via nix. +[static binaries of `CRI-O`](install.md#static-builds) via nix as part of the +[cri-o/packaging repository](https://github.com/cri-o/packaging). Those binaries are available for every successfully built commit on our [Google Cloud Storage Bucket][bucket]. This means that the latest commit can be installed via our convenience script: @@ -158,7 +159,7 @@ This means that the latest commit can be installed via our convenience script: [bucket]: https://console.cloud.google.com/storage/browser/cri-o/artifacts ```console -> curl https://raw.githubusercontent.com/cri-o/cri-o/main/scripts/get | bash +> curl https://raw.githubusercontent.com/cri-o/packaging/main/get | bash ``` The script automatically verifies the uploaded sigstore signatures as well, if @@ -172,13 +173,13 @@ This can be selected via the script, too: ```shell -curl https://raw.githubusercontent.com/cri-o/cri-o/main/scripts/get | bash -s -- -a arm64 +curl https://raw.githubusercontent.com/cri-o/packaging/main/get | bash -s -- -a arm64 ``` It is also possible to select a specific git SHA or tag by: ```shell -curl https://raw.githubusercontent.com/cri-o/cri-o/main/scripts/get | bash -s -- -t v1.21.0 +curl https://raw.githubusercontent.com/cri-o/packaging/main/get | bash -s -- -t v1.21.0 ``` diff --git a/dependencies.yaml b/dependencies.yaml index 7317966594a..a2d2bfc1419 100644 --- a/dependencies.yaml +++ b/dependencies.yaml @@ -99,12 +99,6 @@ dependencies: - path: .github/workflows/nixpkgs.yml match: NIX_VERSION - - name: bom - version: 0.5.1 - refPaths: - - path: .github/workflows/verify.yml - match: BOM_VERSION - - name: release-notes version: 0.16.1 refPaths: diff --git a/scripts/get b/scripts/get deleted file mode 100755 index a313c4d0c89..00000000000 --- a/scripts/get +++ /dev/null @@ -1,298 +0,0 @@ -#!/usr/bin/env bash -set -euo pipefail - -ARCH_AMD64=amd64 -ARCH_ARM64=arm64 -ARCH_PPC64LE=ppc64le -ARCH= -VERSION= -GITHUB_TOKEN=${GITHUB_TOKEN:-} -GCB_URL=https://storage.googleapis.com/cri-o - -usage() { - printf "Usage: %s [-a ARCH] [ -t TAG|SHA ] [ -b BUCKET ] [ -h ]\n\n" "$(basename "$0")" - echo "Possible arguments:" - printf " -a\tArchitecture to retrieve (defaults to the local system)\n" - printf " -t\tVersion tag or full length SHA to be used (defaults to the latest available main)\n" - printf " -b\tName of the GCS bucket for downloading artifacts (defaults to 'cri-o')\n" - printf " -h\tShow this help message\n" -} - -parse_args() { - echo "Welcome to the CRI-O install script!" - - while getopts 'a:b:t:h' OPTION; do - case "$OPTION" in - a) - ARCH="$OPTARG" - echo "Using architecture: $ARCH" - ;; - t) - VERSION="$OPTARG" - echo "Using version: $VERSION" - ;; - b) - GCB_URL="https://storage.googleapis.com/$OPTARG" - echo "Using GCS bucket: gs://$OPTARG" - ;; - h) - usage - exit 0 - ;; - ?) - usage - exit 1 - ;; - esac - done - - if [[ $ARCH == "" ]]; then - LOCAL_ARCH=$(uname -m) - if [[ "$LOCAL_ARCH" == x86_64 ]]; then - ARCH=$ARCH_AMD64 - elif [[ "$LOCAL_ARCH" == aarch64 ]]; then - ARCH=$ARCH_ARM64 - elif [[ "$LOCAL_ARCH" == "$ARCH_PPC64LE" ]]; then - ARCH=$ARCH_PPC64LE - else - echo "Unsupported local architecture: $LOCAL_ARCH" - exit 1 - fi - echo "No architecture provided, using: $ARCH" - fi -} - -verify_requirements() { - CMDS=(curl jq tar) - echo "Checking if all commands are available: ${CMDS[*]}" - for CMD in "${CMDS[@]}"; do - if ! command -v "$CMD" >/dev/null; then - echo "Command $CMD not available but required" - exit 1 - fi - done -} - -curl_retry() { - curl -sSfL --retry 5 --retry-delay 3 "$@" -} - -latest_version() { - GH_API_URL="https://api.github.com/repos/cri-o/cri-o/actions/runs?per_page=100" - - GH_HEADERS=(-H "Accept: application/vnd.github.v3+json") - if [[ $GITHUB_TOKEN != "" ]]; then - GH_HEADERS+=(-H "Authorization: token $GITHUB_TOKEN") - fi - - if [[ $VERSION == "" ]]; then - echo Searching for latest version via marker file - COMMIT=$(curl_retry "$GCB_URL/latest-main.txt") - if [[ "$COMMIT" != "" ]]; then - VERSION=$COMMIT - echo "Found latest version $VERSION" - return - fi - - echo No version marker found, trying latest successful GitHub actions run - echo Export a GITHUB_TOKEN environment variable to avoid GitHub API rate limits - PAGE=0 - while true; do - PAGE=$((PAGE + 1)) - echo Searching GitHub actions page $PAGE - - URL="${GH_API_URL}&page=$PAGE" - JSON=$(curl_retry "${GH_HEADERS[@]}" "$URL") - - if echo "$JSON" | jq -e '.workflow_runs | length == 0' >/dev/null; then - echo No more GitHub action runs available to search - exit 1 - fi - - FOUND=$(echo "$JSON" | - jq -r '.workflow_runs | map(select(.name == "test" and .head_branch == "main" and .conclusion == "success")) | first | .head_sha') - - if [[ $FOUND == null ]]; then - continue - fi - - VERSION=$FOUND - echo "Using latest successful GitHub action main: $VERSION" - break - done - - if [[ $VERSION == "" ]]; then - echo "Unable to find successful GitHub action" - exit 1 - fi - fi -} - -prepare() { - parse_args "$@" - verify_requirements - latest_version -} - -prepare "$@" - -TARBALL=cri-o.$ARCH.$VERSION.tar.gz -SPDX=$TARBALL.spdx -BASE_URL=$GCB_URL/artifacts - -TMPDIR="$(mktemp -d)" -trap 'rm -rf -- "$TMPDIR"' EXIT - -if command -v cosign >/dev/null; then - echo "Found cosign, verifying signatures" - pushd "$TMPDIR" >/dev/null - - FILES=( - "$TARBALL" - "$TARBALL.sig" - "$TARBALL.cert" - "$SPDX" - "$SPDX.sig" - "$SPDX.cert" - ) - for FILE in "${FILES[@]}"; do - echo "Downloading $FILE" - curl_retry "$BASE_URL/$FILE" -o "$FILE" - done - - GIT_REF=refs/heads/main - if git ls-remote --exit-code --tags https://github.com/cri-o/cri-o "refs/tags/$VERSION" >/dev/null; then - GIT_REF="refs/tags/$VERSION" - fi - BLOBS=( - "$TARBALL" - "$SPDX" - ) - for BLOB in "${BLOBS[@]}"; do - echo "Verifying blob $BLOB" - COSIGN_EXPERIMENTAL=1 cosign verify-blob "$BLOB" \ - --certificate-identity "https://github.com/cri-o/packaging/.github/workflows/obs.yml@$GIT_REF" \ - --certificate-oidc-issuer https://token.actions.githubusercontent.com \ - --certificate-github-workflow-repository cri-o/packaging \ - --certificate-github-workflow-ref "$GIT_REF" \ - --signature "$BLOB.sig" \ - --certificate "$BLOB.cert" - done - - tar xfz "$TARBALL" - TARBALL_DIR=cri-o - - if command -v bom >/dev/null; then - echo "Found bom tool, verifying bill of materials" - bom validate -e "$SPDX" -d "$TARBALL_DIR" - fi - - pushd "$TARBALL_DIR" -else - TARBALL_URL=$BASE_URL/$TARBALL - echo "Downloading $TARBALL_URL to $TMPDIR" - curl_retry "$TARBALL_URL" | tar xfz - --strip-components=1 -C "$TMPDIR" - pushd "$TMPDIR" -fi - -echo Installing CRI-O - -# Sync with -# https://github.com/cri-o/packaging/blob/main/templates/latest/cri-o/bundle/install -# if the `get-script{-with-verification}` CI test fails. - -DESTDIR=${DESTDIR:-} -PREFIX=${PREFIX:-/usr/local} -ETCDIR=${ETCDIR:-/etc} -CONTAINERS_DIR=${CONTAINERS_DIR:-$ETCDIR/containers} -CONTAINERS_REGISTRIES_CONFD_DIR=${CONTAINERS_REGISTRIES_CONFD_DIR:-$CONTAINERS_DIR/registries.conf.d} -CNIDIR=${CNIDIR:-$ETCDIR/cni/net.d} -BINDIR=${BINDIR:-$PREFIX/bin} -MANDIR=${MANDIR:-$PREFIX/share/man} -OCIDIR=${OCIDIR:-$PREFIX/share/oci-umount/oci-umount.d} -BASHINSTALLDIR=${BASHINSTALLDIR:-$PREFIX/share/bash-completion/completions} -FISHINSTALLDIR=${FISHINSTALLDIR:-$PREFIX/share/fish/completions} -ZSHINSTALLDIR=${ZSHINSTALLDIR:-$PREFIX/share/zsh/site-functions} -OPT_CNI_BIN_DIR=${OPT_CNI_BIN_DIR:-/opt/cni/bin} - -# Update systemddir based on OS -source /etc/os-release -if { [[ "${ID}" == "fedora" ]] && [[ "${VARIANT_ID}" == "coreos" ]]; } || - [[ "${ID}" == "rhcos" ]]; then - SYSTEMDDIR=${SYSTEMDDIR:-/etc/systemd/system} -else - SYSTEMDDIR=${SYSTEMDDIR:-$PREFIX/lib/systemd/system} -fi - -SELINUX= -if selinuxenabled 2>/dev/null; then - SELINUX=-Z -fi -ARCH=${ARCH:-amd64} -set -x -install $SELINUX -d -m 755 "$DESTDIR$CNIDIR" -install $SELINUX -D -m 755 -t "$DESTDIR$OPT_CNI_BIN_DIR" cni-plugins/* -install $SELINUX -D -m 644 -t "$DESTDIR$CNIDIR" contrib/11-crio-ipv4-bridge.conflist -install $SELINUX -D -m 755 -t "$DESTDIR$BINDIR" bin/conmon -install $SELINUX -D -m 755 -t "$DESTDIR$BINDIR" bin/conmonrs -install $SELINUX -D -m 755 -t "$DESTDIR$BINDIR" bin/crictl -install $SELINUX -d -m 755 "$DESTDIR$BASHINSTALLDIR" -install $SELINUX -d -m 755 "$DESTDIR$FISHINSTALLDIR" -install $SELINUX -d -m 755 "$DESTDIR$ZSHINSTALLDIR" -install $SELINUX -d -m 755 "$DESTDIR$CONTAINERS_DIR" -install $SELINUX -d -m 755 "$DESTDIR$CONTAINERS_REGISTRIES_CONFD_DIR" -install $SELINUX -D -m 755 -t "$DESTDIR$BINDIR" bin/crio-status -install $SELINUX -D -m 755 -t "$DESTDIR$BINDIR" bin/crio -install $SELINUX -D -m 644 -t "$DESTDIR$ETCDIR" etc/crictl.yaml -install $SELINUX -D -m 644 -t "$DESTDIR$OCIDIR" etc/crio-umount.conf -install $SELINUX -D -m 644 -t "$DESTDIR$ETCDIR/crio/crio.conf.d" etc/10-crun.conf -install $SELINUX -D -m 644 -t "$DESTDIR$MANDIR/man5" man/crio.conf.5 -install $SELINUX -D -m 644 -t "$DESTDIR$MANDIR/man5" man/crio.conf.d.5 -install $SELINUX -D -m 644 -t "$DESTDIR$MANDIR/man8" man/crio-status.8 -install $SELINUX -D -m 644 -t "$DESTDIR$MANDIR/man8" man/crio.8 -install $SELINUX -D -m 644 -t "$DESTDIR$BASHINSTALLDIR" completions/bash/crio -install $SELINUX -D -m 644 -t "$DESTDIR$FISHINSTALLDIR" completions/fish/crio.fish -install $SELINUX -D -m 644 -t "$DESTDIR$ZSHINSTALLDIR" completions/zsh/_crio -install $SELINUX -D -m 644 -t "$DESTDIR$SYSTEMDDIR" contrib/crio.service -install $SELINUX -D -m 755 -t "$DESTDIR$BINDIR" bin/pinns -install $SELINUX -D -m 755 -t "$DESTDIR$BINDIR" bin/crun -install $SELINUX -D -m 644 -t "$DESTDIR$CONTAINERS_REGISTRIES_CONFD_DIR" contrib/registries.conf - -if [ ! -f "$DESTDIR$CONTAINERS_DIR/policy.json" ]; then - install $SELINUX -D -m 644 -t "$DESTDIR$CONTAINERS_DIR" contrib/policy.json -fi - -# only install runc if it's not already in the path -if ! command -v runc; then - install $SELINUX -D -m 755 -t "$DESTDIR$BINDIR" bin/runc -fi - -if [ -n "$SELINUX" ]; then - if command -v chcon >/dev/null; then - chcon -u system_u -r object_r -t container_runtime_exec_t \ - "$DESTDIR$BINDIR/crio" \ - "$DESTDIR$BINDIR/crio-status" \ - "$DESTDIR$BINDIR/crun" - - if [ "$ARCH" = amd64 ]; then - chcon -u system_u -r object_r -t container_runtime_exec_t \ - "$DESTDIR$BINDIR/runc" - fi - - chcon -u system_u -r object_r -t bin_t \ - "$DESTDIR$BINDIR/conmon" \ - "$DESTDIR$BINDIR/conmonrs" \ - "$DESTDIR$BINDIR/crictl" \ - "$DESTDIR$BINDIR/pinns" - - chcon -R -u system_u -r object_r -t bin_t \ - "$DESTDIR$OPT_CNI_BIN_DIR" - - chcon -R -u system_u -r object_r -t container_config_t \ - "$DESTDIR$ETCDIR/crio" \ - "$DESTDIR$OCIDIR/crio-umount.conf" - - chcon -R -u system_u -r object_r -t systemd_unit_file_t \ - "$DESTDIR$SYSTEMDDIR/crio.service" - fi -fi