Build containderd, cni-plugins, and runc from source

pipelines/concourse.yml

@@ -331,14 +331,8 @@ jobs:
             - get: golang-builder-image
               trigger: true
               params: { format: oci-layout }
-            - get: containerd
-              trigger: true
-            - get: runc
-              trigger: true
             - get: gdn
               trigger: true
-            - get: cni
-              trigger: true
             - get: dumb-init
               trigger: true
             - get: resource-types-amd64
@@ -1495,22 +1489,6 @@ resources:
       repository: bosh-backup-and-restore
       access_token: ((concourse_github_dummy.access_token))
 
-  - name: containerd
-    type: github-release
-    icon: *release-icon
-    source:
-      owner: containerd
-      repository: containerd
-      access_token: ((concourse_github_dummy.access_token))
-
-  - name: runc
-    type: github-release
-    icon: *release-icon
-    source:
-      owner: opencontainers
-      repository: runc
-      access_token: ((concourse_github_dummy.access_token))
-
   - name: dumb-init
     type: github-release
     icon: *release-icon
@@ -1527,14 +1505,6 @@ resources:
       repository: garden-runc-release
       access_token: ((concourse_github_dummy.access_token))
 
-  - name: cni
-    type: github-release
-    icon: *release-icon
-    source:
-      owner: containernetworking
-      repository: plugins
-      access_token: ((concourse_github_dummy.access_token))
-
   - name: mock-resource
     type: registry-image
     icon: *release-icon

pipelines/release.yml

@@ -336,14 +336,8 @@ jobs:
             - get: golang-builder-image
               trigger: true
               params: { format: oci-layout }
-            - get: containerd
-              trigger: true
-            - get: runc
-              trigger: true
             - get: gdn
               trigger: true
-            - get: cni
-              trigger: true
             - get: dumb-init
               trigger: true
             - get: resource-types-amd64
@@ -1711,33 +1705,6 @@ resources:
       semver_constraint: ((dep_bin_versions.gdn))
       access_token: ((concourse_github_dummy.access_token))
 
-  - name: containerd
-    type: github-release
-    icon: *release-icon
-    source:
-      owner: containerd
-      repository: containerd
-      semver_constraint: ((dep_bin_versions.containerd))
-      access_token: ((concourse_github_dummy.access_token))
-
-  - name: runc
-    type: github-release
-    icon: *release-icon
-    source:
-      owner: opencontainers
-      repository: runc
-      semver_constraint: ((dep_bin_versions.runc))
-      access_token: ((concourse_github_dummy.access_token))
-
-  - name: cni
-    type: github-release
-    icon: *release-icon
-    source:
-      owner: containernetworking
-      repository: plugins
-      semver_constraint: ((dep_bin_versions.cni))
-      access_token: ((concourse_github_dummy.access_token))
-
   - name: postgres-release
     type: bosh-io-release
     icon: *release-icon

tasks/build-dev-image/Dockerfile

@@ -36,39 +36,57 @@ RUN apk --no-cache add \
     ca-certificates \
     dumb-init
 
-# Networking tools for container runtimes
-RUN apk --no-cache add \
-    iproute2 \
-    iptables \
-    ip6tables \
-    # guardian runtime runs some script on startup to create iptable rules and
-    # requires the real xargs, not busybox's impl (https://github.com/cloudfoundry/guardian/blob/main/kawasaki/iptables/global_chains.go)
-    cmd:xargs
-
-# for worker/runtime/integration tests
-RUN apk --no-cache add \
-    mount \
-    umount
+RUN mkdir -p /usr/local/concourse/bin
 
-# Add container runtime dependencies
-#
+# Container runtime, dependencies
 # For containerd backend:
 #   - containerd binaries
 #   - runc
 #   - cni plugins
-#   - iptables (needed by cni plugins)
+RUN apk --no-cache add \
+    cni-plugins \
+    runc \
+    containerd
+
+# Copy containerd binaries
+RUN cp /usr/bin/containerd* /usr/local/concourse/bin/ && \
+    cp /usr/bin/ctr /usr/local/concourse/bin/
+
+# Copy runc
+RUN cp /usr/bin/runc /usr/local/concourse/bin/
+
+# Copy CNI plugin binaries
+RUN cp /usr/bin/bandwidth /usr/bin/bridge /usr/bin/dhcp /usr/bin/dummy \
+       /usr/bin/firewall /usr/bin/host-device /usr/bin/host-local /usr/bin/ipvlan \
+       /usr/bin/loopback /usr/bin/macvlan /usr/bin/portmap /usr/bin/ptp \
+       /usr/bin/sbr /usr/bin/static /usr/bin/tap /usr/bin/tuning \
+       /usr/bin/vlan /usr/bin/vrf \
+       /usr/local/concourse/bin/
+
+# Remove container runtime packages after they've been copied to the concourse bin directory
+RUN apk --no-cache del \
+    cni-plugins \
+    runc \
+    containerd
+
+# Add networking tools
+RUN apk --no-cache add \
+       iproute2 \
+       iptables \
+       ip6tables \
+       # guardian runtime runs some script on startup to create iptable rules and
+       # requires the real xargs, not busybox's impl (https://github.com/cloudfoundry/guardian/blob/main/kawasaki/iptables/global_chains.go)
+       cmd:xargs
 
-# Copies files from the bin directory of the tarball to /usr/local/concourse/bin
-ADD containerd/containerd-*-linux-${TARGETARCH}.tar.gz /usr/local/concourse
+# for worker/runtime/integration tests
+RUN apk --no-cache add \
+    mount \
+    umount
 
 COPY gdn/gdn-linux-${TARGETARCH}-[0-9]*.*.* /usr/local/concourse/bin/gdn
 # wolfi does not have /var/run setup, which guardian depends on existing already
 RUN ln -sf /run /var/run
 
-COPY runc/runc.${TARGETARCH} /usr/local/concourse/bin/runc
-
-ADD cni/cni-plugins-linux-${TARGETARCH}-*.tgz /usr/local/concourse/bin
-
 RUN chmod -R +x /usr/local/concourse/bin
 
 # add fly executables

tasks/build-dev-image/task.yml

@@ -10,12 +10,6 @@ inputs:
   - name: ci
   - name: concourse
   - name: gdn
-  - name: containerd
-    optional: true
-  - name: runc
-    optional: true
-  - name: cni
-    optional: true
   - name: resource-types-amd64
   - name: resource-types-arm64
   - name: fly-linux