CI: build images

.circleci/config.yml

@@ -22,13 +22,15 @@ linuxkit_pkg_build: &linuxkit_pkg_build
         name: Building package
         command: |
           PKG=${CIRCLE_JOB#pkg-}
-          mkdir /workspace/images
+          mkdir /workspace/packages
           linuxkit pkg build pkg/$PKG
-          linuxkit pkg show-tag pkg/$PKG > /workspace/images/$PKG.tag
-          docker save -o /workspace/images/$PKG.tar $(cat /workspace/images/$PKG.tag)
+          linuxkit pkg show-tag pkg/$PKG > /workspace/packages/$PKG.tag
+          echo
+          docker image ls --all
+          docker image save -o /workspace/packages/$PKG.tar linuxkit/$PKG
     - persist_to_workspace:
         root: /workspace
-        paths: images
+        paths: packages
 
 image_cache_build: &image_cache_build
   docker:
@@ -55,13 +57,60 @@ image_cache_build: &image_cache_build
         command: |
           CACHE=${CIRCLE_JOB#pkg-image-cache-}
           PKG=kubernetes-docker-image-cache-$CACHE
-          mkdir /workspace/images
+          mkdir /workspace/packages
           make --no-print-directory -C pkg/image-cache build-$CACHE
-          make --no-print-directory -C pkg/image-cache show-tag-$CACHE > /workspace/images/$PKG.tag
-          docker save -o /workspace/images/$PKG.tar $(cat /workspace/images/$PKG.tag)
+          make --no-print-directory -C pkg/image-cache show-tag-$CACHE > /workspace/packages/$PKG.tag
+          echo
+          docker image ls --all
+          docker image save -o /workspace/packages/$PKG.tar linuxkit/$PKG
     - persist_to_workspace:
         root: /workspace
-        paths: images
+        paths: packages
+
+image_build: &image_build
+  docker:
+    - image: debian:stretch
+  steps:
+    - run:
+        name: Configure $PATH
+        command: echo 'export PATH=/workspace/bin:$PATH' >> $BASH_ENV
+    - run:
+        name: Install packages
+        # ca-certificates are needed for attach_workspace (and git over https)
+        command: apt-get update && apt-get install -y ca-certificates curl git make openssh-client
+    - attach_workspace:
+        at: /workspace
+    - checkout
+    - setup_remote_docker:
+        version: 17.06.1-ce
+    - run:
+        name: Importing packages from workspace
+        command: |
+          docker image load --input /workspace/packages/kubelet.tar
+          case "$KUBE_RUNTIME" in
+          docker)
+              docker image load --input /workspace/packages/kubernetes-docker-image-cache-common.tar
+              docker image load --input /workspace/packages/kubernetes-docker-image-cache-control-plane.tar
+              ;;
+          cri-containerd)
+              docker image load --input /workspace/packages/cri-containerd.tar
+              ;;
+          *)
+              echo "Unknown $KUBE_RUNTIME"
+              exit 1
+              ;;
+          esac
+          echo
+          docker image ls --all
+    - run:
+        name: Build images
+        command: |
+          mkdir -p /workspace/images/kube-$KUBE_RUNTIME-$KUBE_NETWORK
+          df -h .
+          # KUBE_FORMATS="iso-efi iso-bios" times out or fails for larger docker images.
+          # Just do tar for now.
+          make KUBE_FORMATS="tar" kube-master.iso kube-node.iso
+          #mv kube-master*.iso kube-node*.iso /workspace/images/kube-$KUBE_RUNTIME-$KUBE_NETWORK
 
 version: 2
 jobs:
@@ -80,7 +129,9 @@ jobs:
           command: |
             curl -fsSL -o /tmp/docker.tgz https://download.docker.com/linux/static/stable/x86_64/docker-17.06.2-ce.tgz
             tar xfO /tmp/docker.tgz docker/docker > /workspace/bin/docker
-            curl -fsSL -o /workspace/bin/linuxkit https://188-46932243-gh.circle-artifacts.com/0/linuxkit-linux-amd64
+            curl -fsSL -o /workspace/bin/linuxkit https://206-46932243-gh.circle-artifacts.com/0/linuxkit-linux-amd64
+            curl -fsSL -o /workspace/bin/manifest-tool https://github.com/estesp/manifest-tool/releases/download/v0.7.0/manifest-tool-linux-amd64
+            curl -fsSL -o /workspace/bin/notary https://github.com/theupdateframework/notary/releases/download/v0.4.3/notary-Linux-amd64
 
             echo "Downloaded:"
             sha256sum /workspace/bin/*
@@ -89,13 +140,17 @@ jobs:
             echo "Checking checksums"
             sha256sum -c <<EOF
             6af40e74b2dbb2927882acab52d50bfc72551779d541957fc70b6adc325ee5ef  /workspace/bin/docker
-            841425e37f713fcb19cb84a60e42df8a6e09066616eee0f4a00ee87bab7cb6dc  /workspace/bin/linuxkit
+            4561e6a19d126d5a4827d7cfff2c6fae2634d9564910df7ef9ff1e89c7e1c4d4  /workspace/bin/linuxkit
+            e4ca2ef0015a4be8597d31d9e3e70d88da33924ae72b0999e9f3b79304d4710d  /workspace/bin/manifest-tool
+            06cd02c4c2e7a3b1ad9899b03b3d4dde5392d964c675247d32f604a24661f839  /workspace/bin/notary
             EOF
       - run:
           name: Versions
           command: |
              chmod +x /workspace/bin/docker # docker version deferred until daemon configured in relevant jobs
              chmod +x /workspace/bin/linuxkit && /workspace/bin/linuxkit version
+             chmod +x /workspace/bin/manifest-tool && /workspace/bin/manifest-tool --version
+             chmod +x /workspace/bin/notary && /workspace/bin/notary version
       - persist_to_workspace:
           root: /workspace
           paths: bin
@@ -134,7 +189,33 @@ jobs:
   pkg-image-cache-control-plane:
     <<: *image_cache_build
 
-  pkgs:
+  image-docker-weave:
+    <<: *image_build
+    # Needs to be configured/enabled by CircleCI person
+    #resource_class: large
+    environment:
+      - KUBE_RUNTIME: docker
+      - KUBE_NETWORK: weave
+  image-docker-bridge:
+    <<: *image_build
+    # Needs to be configured/enabled by CircleCI person
+    #resource_class: large
+    environment:
+      - KUBE_RUNTIME: docker
+      - KUBE_NETWORK: bridge
+
+  image-cri-containerd-weave:
+    <<: *image_build
+    environment:
+      - KUBE_RUNTIME: cri-containerd
+      - KUBE_NETWORK: weave
+  image-cri-containerd-bridge:
+    <<: *image_build
+    environment:
+      - KUBE_RUNTIME: cri-containerd
+      - KUBE_NETWORK: bridge
+
+  push-pkgs-to-hub:
     docker:
       - image: debian:stretch
     steps:
@@ -144,7 +225,7 @@ jobs:
       - run:
           name: Install packages
           # ca-certificates are needed for attach_workspace (and git over https)
-          command: apt-get update && apt-get install -y ca-certificates
+          command: apt-get update && apt-get install -y ca-certificates expect git jq openssh-client
       - attach_workspace:
           at: /workspace
       - checkout
@@ -155,12 +236,31 @@ jobs:
           command: |
             docker version
       - run:
-          name: Import images
+          name: Import packages from workspace
           command: |
-            for pkg in /workspace/images/*.tar ; do
+            for pkg in /workspace/packages/*.tar ; do
                docker image load --input $pkg
             done
+            echo
             docker image ls --all
+      - run:
+          name: Push packages
+          command: |
+            # PRs from forks do not have access to the necessary secrets to do the push.
+            if [ -z "$DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE" ] ; then
+                echo "DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE not set (likely this is a PR from a fork)."
+                echo "No credentials available, not pushing to hub."
+                exit 0
+            fi
+
+            docker login -u $DOCKER_USER -p $DOCKER_PASS
+            mkdir -p ~/.docker/trust/private
+            cp .circleci/content-trust.key ~/.docker/trust/private/b056f84873aa0be205dfe826afa6e7458120c9569dd19a2a84154498fb1165d5.key
+
+            linuxkit pkg push --nobuild pkg/cri-containerd
+            linuxkit pkg push --nobuild pkg/kubelet
+            # Omit kubernetes-docker-image-cache-{common,control-plane} until they support linuxkit pkg push.
+
 workflows:
   version: 2
   build:
@@ -182,9 +282,41 @@ workflows:
       - pkg-image-cache-control-plane:
           requires:
             - dependencies
-      - pkgs:
+
+      - image-docker-weave:
+          requires:
+            - dependencies
+            - pkg-kubelet
+            - pkg-image-cache-common
+            - pkg-image-cache-control-plane
+      - image-docker-bridge:
+          requires:
+            - dependencies
+            - pkg-kubelet
+            - pkg-image-cache-common
+            - pkg-image-cache-control-plane
+      - image-cri-containerd-weave:
+          requires:
+            - dependencies
+            - pkg-kubelet
+            - pkg-cri-containerd
+      - image-cri-containerd-bridge:
+          requires:
+            - dependencies
+            - pkg-kubelet
+            - pkg-cri-containerd
+
+      - push-pkgs-to-hub:
+          # We want everything to have passed, which is a bit
+          # tedious. Some of these are already covered transitively,
+          # but be more explicit.
           requires:
+            - check-hashes
             - pkg-kubelet
             - pkg-cri-containerd
             - pkg-image-cache-common
             - pkg-image-cache-control-plane
+            - image-docker-weave
+            - image-docker-bridge
+            - image-cri-containerd-weave
+            - image-cri-containerd-bridge

.circleci/content-trust.crt

@@ -0,0 +1,33 @@
+-----BEGIN CERTIFICATE-----
+MIIFxDCCA6wCCQDB3AGNjPBlEjANBgkqhkiG9w0BAQsFADCBozELMAkGA1UEBhMC
+VUsxFzAVBgNVBAgMDkNhbWJyaWRnZXNoaXJlMRIwEAYDVQQHDAlDYW1icmlkZ2Ux
+ETAPBgNVBAoMCExpbnV4S2l0MSswKQYDVQQLDCJMaW51eEtpdC9LdWJlcm5ldGVz
+IENJIHNpZ25pbmcga2V5MScwJQYDVQQDDB5naXRodWIuY29tL2xpbnV4a2l0L2t1
+YmVybmV0ZXMwHhcNMTcxMTIxMTY1ODQ0WhcNMTgxMTIxMTY1ODQ0WjCBozELMAkG
+A1UEBhMCVUsxFzAVBgNVBAgMDkNhbWJyaWRnZXNoaXJlMRIwEAYDVQQHDAlDYW1i
+cmlkZ2UxETAPBgNVBAoMCExpbnV4S2l0MSswKQYDVQQLDCJMaW51eEtpdC9LdWJl
+cm5ldGVzIENJIHNpZ25pbmcga2V5MScwJQYDVQQDDB5naXRodWIuY29tL2xpbnV4
+a2l0L2t1YmVybmV0ZXMwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQDF
+lc4gUNtWX8OUxCOD65NHnnIQNjbfF28IA4L20lfhfrnzhGY4a6eCN2IwTDtD1huJ
+6/2fg4QcUHiZdWj9PmnsGsblNrxUAjuJNSypyBhV24C9kk7se8pSt0N7/HlHAiIV
+whaRMqiiR5+SZKI5IMZFltcu3YuPzGWy+RbS/3o4f4WArfQVGXUPAxovfxqxOFhp
+onGi2zTm8bg307i3zzQ+3YkVeEoG7MyVrGHLSAmoCMnTP8NU5WFVJrlPe/Hea3+0
+3IdNp/+V4SVdM+ET/+mqf5fuRdJibT2R64u69t8rAOh5iaUGzPORoJmcXbG3fBQW
+uYe1MEezj953Xny85AGhRinAsJok6VHA/nYkTBpZQtRv82CVSj+rg7oyfvy9f3SG
+mLYw4JpMOMAGq0ywLvt4p/DNIey7RFurLhp5bnNh1Dprbc3I2dgb3TlPRZZ32OV8
+66JKxQg5aweS8efech7PqbBpuf4OHrprjhXZWgH9hHgfONNT3qnlqgigd5SI2S23
+1tIXdzcM4kjMQ+18KBvYOVwhmjJV5LQUfbE/+R+NN47gVIKm/NwPW891UXRxczKW
+uMHccyox5Xqhf/nW9wEEKQvq+JSlgtXczLFgMFCYrNUwALP6BX2Y/7Kfd5VrnTrD
+GPASh/AWn/RK/nxCbNcdWgIYU2ABoPs4MTCsO5GapQIDAQABMA0GCSqGSIb3DQEB
+CwUAA4ICAQBk+UAEtgFMnbTobO0zH3pxUrAAsqRT2GWeWNdVc8NOjj7zzkJyl6G1
+epUT1KyjyrfSNWF0l/cMgosTIJKQA7+gQDRivS/pp+4vWLq0/pjkCtGlJO9batuf
+ELALlWHeXKj4C7Adx5QAyDuvGqnH2JrCLX++GyZvcU76gv0Y/KRr+Ttj057ILenL
+/2xNyFuwXgb1/243m2DRWs8mILI0a731X+l2W/sp8LLnArKhiCcSZXaJNVHTrDqg
+a2YKR/edjRDG/GL2F/5F/8s27EgKhZfiEKtuCQz+Cl3yIMuE+lM/ObTHvYpU+qhO
+ypwka6Yfri2fwYIaPAHUHBGiyeVzJMANluifZd6mMzd8o8FWhFhKrUUOrhhuEAh6
+3fagymS2vqf4LvUqtvIp0BPwQ4L+RmiucHXSTprDIbTOHHidHJ2DeHGDM5XTfE/J
+U72Btj9a+VX3M1XY3IhOCUVUOTET92Ey4n1GJ497f4vOKZ34d3A79fDhXGr2cSAK
+1CW0M0v8obFrpMu6vd6NqeSazz5vthYMqJOTKhtpAFvt8lROqQLYNwZ5uBzEDphz
+Dv8kLuTHHjspl5Q2wQRt7iqB+cn+cH1BU/pOkNVa+MCZiwB9HnB/YyMspKf0S1QS
+wFMq67DIzyxhSEo9IorVGsg0LRByVjEY6uK8aBERFARLELug8k+xVg==
+-----END CERTIFICATE-----

.circleci/content-trust.key

@@ -0,0 +1,54 @@
+-----BEGIN RSA PRIVATE KEY-----
+Proc-Type: 4,ENCRYPTED
+DEK-Info: AES-256-CBC,054D79A3BFFB818D6EA3FF54A0457C31
+
+XbdXsNS3FCb67KWRHukUHpkX3Do1D2Sittt+xnUcNWPFzoN9LEyjIDzcWLlGpmkv
+OmvPKDwtleHzk4TH3lkpEIq7AhzC9MCfHnfVD6/4iN13Aqg5B130lEBJCSqwiykK
+1AvlK4MiarIcV4G3iG40s9J7TpuADPy3WJeXVu7X7E3SFddyNEiEW4N97GUy0RdG
+32g6B7/MD2p+oGvbzyO74KegKjMdTptDjwIWgDIPWgBfmllBOWiHsG82B9khE1WS
+F+yuY3eeNY7cPESgvwd2EAc3+mybTEKFzC3RVdFHeHaafMjNSS2NM6FAncuqECmP
+zcztFQlyOjKrDESeCiQYged9fl7sXoIZFj0qPWhQBIlSmTAuEEwam6RT0b+J6S4o
+4OBJWsIYG+SWyHKFUkqPdkx3zh/ncs4LefDDWQ9domKMVieoKhTDdvdhYqmbiLiQ
+D2A4QqbDUfmZBbksfZqKj1SePm9t27sdApEactaD0uyF7x+OTcwJKdO1KxAwL01W
+n5RHxkWfOOaGTx/n+cuIPYKzajMZnBciU9JPavd+qRTmO9abVD81MmbrmBO7weVq
+g8fhhWL+ybI0QNon4DrnSpJRysmqIoi2MBzG/TYoO5AY40UiXgjvSLFHuxqyDlXg
+XjtM4+E2jUnMq6DAIqOhq1V9086ryzb3qiKGJWVoWhSogyzUabe+Emt4hUrM476B
+vukUiSW8Wd5y+feGbe1KTWfYq/kiLdr+B6hrA5YsCW5yMYjTL1uof/hjoBOcyoku
+CcBeBfmQOjurH4yylBdi1WOKWoxoS07LTYp4uZFemJXlff1nQ/5ofmav3BCa5A0A
+9gAXhU0JK8Qc3rhvfip7hkV5GjOuTQ79qMNYrbkN4brlvG9dTHrgwz6x0OfVhiAi
+xXO+A/J9spfaK5nWP9BB+EgzFXOQndcdlSZmePH58jMeUrCjm9yT/t3GOyJ1inpO
+aR1/t9ZIruouqI7/Brfxc03zwBUh1fqnqRUM893opq892Fxvr7Uw/QwbkoEMhWiI
+UC8d4D5KcA9yKp7Spx9x2FP1EAIY3QcIRgh3UaPLCv4lI5wwDU5QoB1aHGrKHxMD
+kok383wNVh1pB+wHjMLbZkzIK83eW6QYSaTlNn1thpoITi+WI8nHBA8QFGTt/jpd
+/rRr6XtStMlaFsEj6T41wia6p+pVzKdWnu5bndWa/9BsNQWpgtncMqnlxGiS2ufD
+zpPbspQ5LFSn22KL5qWHeBXawU+M3L6230LFpzdP0vDESSB12YOiLDnAMElVliTh
++95vJGtaVfGPo91jrsQ7JaTjwk1sgj0O/EDSvHbuf8HBrSB9ScAVO4i+bEH5t/aX
+potS8Gk+SFVtCnR2GYrawj+OqnG6N5SsrfaTOvP8rF7kNKz7v3P2ikC9jgTBihcF
+5wW3rU9jpOmGM8/Riv1E/567x23HAxPYR4az4HYncEOOHDVcWVPVkz2zjNK3EOHF
+vRZ4kaig6XurOW/SVWQxHPTF1BX/0CFLPT/tr1z5jwIeplnVd/Errwry2tNxoWfu
+c5OX+Iq/dcu//X1Ty+IjamqfejmK1RxLZOftO+Lmd2tHTohGy5jZiu+iyvUXXYtV
+YRnTdlbxNUU/DukuDbmiiB92bAiXlkho2w383+2ERlfCS3p9OeP2Mnvs034NE0Sg
+CG4UUA1bhn3rwgdf9S6aYqLsIlmuZL0TB5hns4B6d3sIpKlRwWbAth1zFXCajldc
+Suw0Dq+1kG3N6gCaXEk+imyRAOx3SxJGJ9bJGcBia2vMmqs+UbX9zdbuBSz/6vI3
+F00XqKTQojXQfX3JnWusf98VgtF9N/33YQa5Y1rXRlBra+UBG8rmpeDvasCaIyef
+5LuDKqVZrDAt2QQRu6+R/r73x6Dv40E1wfYN2GggZVg+aCukam84V6NJkCVRYiUo
+oaX+SsYmoDnnzZRJMs60GoluhkNciqtrLRTSQeFqXMb/CRoe418zQQy099A/0lwh
+Y5yBKvZ4U5TFloEdpo4COM+UkP+XrmGPzln0XKr72fwJJU6vu2e1yuPId8bDX9Sf
+Y5Sn3ALW6vgKJwkvXfNpo4g1qdTFuWTGFLhDjURmz/bOg2Y9F0MdiDC3j5Qm859U
+ZATychGpuwsorNWFeCIEUYl4ApiqQgf/zES8CXk6p3xOxwE35Onlk5y1OrRfNJlI
+Zuc6QTORjRo+R7BGipSWHBV75BOfW/D3lR9kan6Qo9dCOGhDlFHddSzSDaJnICjq
+AITx0oKaXJNQILIohfzmupl+ZlX1eg3wIS0659YL5IELSqhkQ9xig613Nf5kL9tB
+o7CC+NiZGEvA6EVH5cUB4+94AZTIFNpIQh34kkUPCrDs8oz/0zFoGLAbS/ObbX4o
+Zd5g41WoiDSDNwKGcP3ZCKrvUWahiEuKJxHXas6H4YHsMpOPmXnsvtpIUWu7cPqn
+YALZCzy8ytFw/AFTPnw7ryj5urtDrf8qpNtPKo2MqftJBflLj2UoIdSWaU+vFS6p
+3/snFB4WaTFuK05DwNQoJ/IYmSJKAOz1kyjq3hq9fBXAFuM4wXcbLnIcK3zN6kaV
+ZgEGVh6H1O9Oq4ievJLousYa7A8AGlD8fCU+HfY0yzXFCXSPT8k9OZH07qJkbrSp
+mQ/vOgLB2tfzEx0f+7K8VWAZGQswo/OCp4v5uNT8d1DgGr0/VdIJzs+j+aORbFxE
+w0MNU/Bs3CgqrrBzmqIXMvBF4g+dO6Y5pmXfvbEDvzxZ8tSszXHau7g6uxNFYZ4J
+nqJT6yKKRVAhXyA5BwfZgUndCphGjAVMc57YhB9FyshU2Z0TWtWxqKEf6klpt2O7
+7Wb9Jl/a/subGmsBaKIgot8CpZYQDBpQDXonTuAQLFIKRRe9aHNnGkbeSTLvBCqO
+JZJtMrGLNSpnamywi4cDRMFWshkjYmExvkPmhLGkzBGeWMKAz7LIZ7mZUvm4DiU2
+m+FLsGi1d81J3b+1/Oe2zDlcl3i2wAfbZCuNKERZX3039yrEYVQnGm+Hjlom99Ia
+QmSSJfDA1pyygeo//wvNTtc6zx2cUYFTgRTOZByASPsQuxqoNF7wKSPqK8bzOKVy
+b392fHNptt9H2+9VUXV8dqvWKsYTRQn8LvsHsXFPDkN31IEkTYtD0pun83hHEg7q
+-----END RSA PRIVATE KEY-----

Makefile

@@ -31,7 +31,7 @@ update-hashes:
 	           $$(make --no-print-directory -C pkg/image-cache show-tag-common) \
 	           $$(make --no-print-directory -C pkg/image-cache show-tag-control-plane) ; do \
 	    image=$${tag%:*} ; \
-	    git grep -E -l "\b$$image:" | xargs --no-run-if-empty sed -i.bak -e "s,$$image:[[:xdigit:]]"'\{40\}'",$$tag,g" ; \
+	    git grep -E -l "\b$$image:" | xargs --no-run-if-empty sed -i.bak -e "s,$$image:[[:xdigit:]]\{40\}\(-dirty\)\?,$$tag,g" ; \
 	done
 
 .PHONY: clean