Kicbase/ISO: Update buildroot from 2023.02.9 to 2025.2

[ComradeProgrammer]

No description provided.

[ComradeProgrammer]

/ok-to-build-image

[ComradeProgrammer]

/ok-to-build-iso

[ComradeProgrammer]

/ok-to-test

[ComradeProgrammer]

It works locally on my own machine. Let's see if it can build ISO successfully on CI

[minikube-bot]

Hi @ComradeProgrammer, we have updated your PR with the reference to newly built ISO. Pull the changes locally if you want to test with them or update your PR further.

[nirs]

Why 1.23.4? Latest is 1.23.8.

[prezha]

we currently use GO_VERSION 1.24.0 in this Makefile (set above), what is the reason for overriding it here?

i also noticed that our go.mod still uses 1.23.4 though, not sure if we're blocked on bumping it as well and then have all go versions in sync

[nirs]

Why the new options are needed?

[ComradeProgrammer]

For newer version of go, if we don't set those options, the build will fail.
E.g. after go 1.21 GOPROXY no longer tolerates an empty string when GOMOD111 is turned on
See golang/go#61928 (comment)

[prezha]

based on Mills' comment in the linked issue, looks like if we're building go v1.21.0+ from source we also need to create the $GOROOT/go.env that sets GOPROXY and GOSUMDB, and we probably do not need to implicitly set the GOARCH and GOOS (those should be automatically inferred) so these additional changes would not be needed - here and in few other places/files below?

the additional reason to avoid setting these manually in several places would be easier maintenance - we'd avoid failing because we have not manually added it to all other places that might need it and the relevant default values should be taken from the go release itself

[nirs]

Unify indent?

[ComradeProgrammer]

I think the intents here are already the same with other go envs?

[prezha]

i think that Nir meant that we should have same alignment (ie, same number of blanks before these last three lines as lines above), but see my previous comment about avoiding adding it altogether

[nirs]

The path was changed?

[ComradeProgrammer]

Yes. New buildroot includes conmon by default, and the new path is this

[prezha]

nit: we could also update the TestDockerSystemInfo to reflect the new conmon path

[ComradeProgrammer]

/ok-to-test

[ComradeProgrammer]

/ok-to-test

[nirs]

Can we change the service configuration instead? It will avoid the fake ResetFailed interface we add here.

[ComradeProgrammer]

Good idea. I guess it is possible, but perhaps we can do this in next PR. Currently buildroot issues are blocking us from building ISO and we cannot update crio, containerd or anything else which involves go>=1.22. It is a rather urgent one

The .service file from cir-dockerd is this cri-docker.service
where it declares StartLimitBurst=3 StartLimitInterval=60s . I am not sure but I guess this is the problem, because journalctl -u cri-docker.service always shows cri-docker.service: Start request repeated too quickly..

I guess it may also work if we remove these two lines from cri-containerd via go code

[nirs]

Why do we have a burst of start requests?

If the systemd unit is defined properly, system will start the service when dependent service are ready and we should not see such issue.

I guess we install the services dynamically when creating the machine (since we don't know at build time which container runtime will be used). And we probably start them manually without considering the dependencies between services, and then retry failed services?

[ComradeProgrammer]

And we probably start them manually without considering the dependencies between services, and then retry failed services?

I agree. For this issue specifically, accroding to the log here my guessing is that: somehow when we try to start cri-dockerd, the docker daemon/socket is not ready.

However I did tried to wait for docker service/socket with r.Init.Active("docker") before restarting cri-containerd, but it doesn't work at all. r.Init.Active("docker") return true while cri-containerd continue to complain that Cannot connect to the Docker daemon at unix:///var/run/....

So I just came up with this temporary brute-force solution, forcing restart of all those services, and it works. This is definitely not a good idea, I think we should continue to investigate it and see what we can do to actually solve this.

[nirs]

However I did tried to wait for docker service/socket with r.Init.Active("docker") before restarting cri-containerd, but it doesn't work at all. r.Init.Active("docker") return true while cri-containerd continue to complain that Cannot connect to the Docker daemon at unix:///var/run/....

is-active is not documented to return true when the service is ready:

   is-active PATTERN...
       Check whether any of the specified units are active (i.e. running).
       Returns an exit code 0 if at least one is active, or non-zero
       otherwise. Unless --quiet is specified, this will also print the
       current unit state to standard output.

[nirs]

For this issue specifically, accroding to the log here my guessing is that: somehow when we try to start cri-dockerd, the docker daemon/socket is not ready.

This happens here?

minikube/pkg/minikube/cruntime/docker.go

Line 174 in 8575bee

// restart cri-docker

[ComradeProgrammer]

yes, this is exactly the place where it happened.

[prezha]

this behaviour is strange/unexpected i think: we have Type=notify set and NotifyAccess not set, which should mean that the service (ie, its main process) will send the READY=1 signal only when actually "ready", and that should be picked up by the is-active - not sure why it would not work in our setup

ref: https://www.freedesktop.org/software/systemd/man/latest/systemd.service.html

[ComradeProgrammer]

/ok-to-test

[ComradeProgrammer]

/ok-to-build-iso

[ComradeProgrammer]

/ok-to-build-image

[nirs]

I tested this on Fedora 42 with kvm driver and containerd runtime. My test creates 3 single node clusters, deploy ocm, olm, rook-ceph, submariner, velero, volsync, minio, and ramen and run end to end disaster recovery tests.

Looking at the first failures in KVM_linux_containerd - we have many of these:

	  Warning  Failed     5m14s (x3 over 8m6s)    kubelet            Failed to pull image "busybox:stable": failed to pull and unpack image "docker.io/library/busybox:stable": failed to copy: httpReadSeeker: failed open: unexpected status code https://registry-1.docker.io/v2/library/busybox/manifests/sha256:e246aa22ad2cbdfbd19e2a6ca2b275e26245a21920e2b2d0666324cee3f15549: 429 Too Many Requests - Server message: toomanyrequests: You have reached your unauthenticated pull rate limit. https://www.docker.com/increase-rate-limit

We don't pull any image from docker.io to avoid these failures.

[nirs]

Why 2024.11.2 (what we used for other parts) is not right here?

[ComradeProgrammer]

Well it is still about falco-modules(but it is not working, as you can see)

It seems that after we update the buildroot, buildroot will append the FALCO_MODULE_INSTALL_STAGING_OPTS and the FALCO_MODULE_INSTALL_TARGET_OPTS to cmake command, which causes an iso build failure. I don't know why this happens, so I tried some other versions. But it still cannot work. All those weird changes about falco-modules (for which I didn't give any reason why I made them) are basically all for falco-modules

I guess I will remove falco-modules for now, which should work, I guess

BTW I think we should still keep using 2025.02 because i found that in buildroot, 20xx.xx are version numbers for long term supports, while 20xx.xx.xx is not. If we want to update the buildroot, I think maybe LTS version is better

[nirs]

LTS sounds good but we don't have to do this change now.

[ComradeProgrammer]

uhh probably you misunderstood this change? The current buildroot version in main branch is BUILDROOT_BRANCH ?= 2023.02.9. In this PR I chosen 2024.11.2 at the beginning but then I submitted another commit which change it to 2025.2

Since we have to update this buildroot in this PR, why should't we update it to the latest LTS version?

[nirs]

The pr message says "Update buildroot from 2023.02.9 to 2024.11.2"

[nirs]

I guess I was also confused by the commit message: "fix falco-modules" - I assumed you update falco version. I see now that this updates BUILDROOT_BRANCH.

[ComradeProgrammer]

/ok-to-build-iso

/ok-to-test

[prezha]

thanks for the efforts you've put into this @ComradeProgrammer!
please have a look at few comments i left

[prezha]

we currently use GO_VERSION 1.24.0 in this Makefile (set above), what is the reason for overriding it here?

i also noticed that our go.mod still uses 1.23.4 though, not sure if we're blocked on bumping it as well and then have all go versions in sync

[prezha]

i think that the go.hash file should not be updated manually - should be managed by the updateGoHashFile func in hack/update/golang_version/update_golang_version.go

[prezha]

based on Mills' comment in the linked issue, looks like if we're building go v1.21.0+ from source we also need to create the $GOROOT/go.env that sets GOPROXY and GOSUMDB, and we probably do not need to implicitly set the GOARCH and GOOS (those should be automatically inferred) so these additional changes would not be needed - here and in few other places/files below?

the additional reason to avoid setting these manually in several places would be easier maintenance - we'd avoid failing because we have not manually added it to all other places that might need it and the relevant default values should be taken from the go release itself

[prezha]

i think that Nir meant that we should have same alignment (ie, same number of blanks before these last three lines as lines above), but see my previous comment about avoiding adding it altogether

[prezha]

nit: we could also update the TestDockerSystemInfo to reflect the new conmon path

[prezha]

this behaviour is strange/unexpected i think: we have Type=notify set and NotifyAccess not set, which should mean that the service (ie, its main process) will send the READY=1 signal only when actually "ready", and that should be picked up by the is-active - not sure why it would not work in our setup

ref: https://www.freedesktop.org/software/systemd/man/latest/systemd.service.html

[ComradeProgrammer]

/ok-to-test

[medyagh]

/ok-to-test

[minikube-pr-bot]

kvm2 driver with docker runtime

+----------------+----------+---------------------+
|    COMMAND     | MINIKUBE | MINIKUBE (PR 20720) |
+----------------+----------+---------------------+
| minikube start | 54.5s    | 54.0s               |
| enable ingress | 18.8s    | 17.8s               |
+----------------+----------+---------------------+

Times for minikube start: 52.5s 53.9s 52.9s 56.8s 56.7s
Times for minikube (PR 20720) start: 57.5s 54.6s 52.5s 52.2s 53.3s

Times for minikube ingress: 19.2s 20.1s 15.6s 20.1s 19.1s
Times for minikube (PR 20720) ingress: 18.6s 15.6s 16.2s 20.1s 18.6s

docker driver with docker runtime

+----------------+----------+---------------------+
|    COMMAND     | MINIKUBE | MINIKUBE (PR 20720) |
+----------------+----------+---------------------+
| minikube start | 25.8s    | 24.9s               |
| enable ingress | 13.3s    | 13.0s               |
+----------------+----------+---------------------+

Times for minikube start: 26.7s 25.4s 26.8s 24.8s 25.3s
Times for minikube (PR 20720) start: 24.0s 23.5s 26.4s 23.6s 27.2s

Times for minikube (PR 20720) ingress: 12.4s 12.9s 13.4s 13.9s 12.4s
Times for minikube ingress: 13.4s 13.4s 13.4s 12.9s 13.4s

docker driver with containerd runtime

+----------------+----------+---------------------+
|    COMMAND     | MINIKUBE | MINIKUBE (PR 20720) |
+----------------+----------+---------------------+
| minikube start | 24.2s    | 22.5s               |
| enable ingress | 30.5s    | 29.5s               |
+----------------+----------+---------------------+

Times for minikube start: 25.8s 23.1s 24.8s 23.4s 23.5s
Times for minikube (PR 20720) start: 22.2s 22.6s 23.9s 21.5s 22.2s

Times for minikube ingress: 22.9s 22.9s 28.9s 38.9s 38.9s
Times for minikube (PR 20720) ingress: 38.9s 39.9s 22.9s 22.9s 22.9s

[medyagh]

/lgtm

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: ComradeProgrammer, medyagh

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [ComradeProgrammer,medyagh]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[medyagh]

thank you @ComradeProgrammer for fixing this ISO issue, this was a blocker for minikube release and you did an amazing work thanks