Skip to content

controllers: Validates kata version aginst the Kata RPM version present in the extension image. #1514

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
ANJANA-A-R-K wants to merge 1 commit into
base: devel
Choose a base branch
from
Open

controllers: Validates kata version aginst the Kata RPM version present in the extension image. #1514

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 3 additions & 1 deletion controllers/daemonset_reconcile.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -415,7 +415,9 @@ func (r *KataConfigOpenShiftReconciler) processKataConfigInstallRequestDaemonSet
}
}

return ctrl.Result{}, nil
return ctrl.Result{
RequeueAfter: 10 * time.Minute,
Copy link
Contributor

@Pacho20 Pacho20 Jan 30, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@ANJANA-A-R-K Could you explain why do you need this?

}, nil
}

func (r *KataConfigOpenShiftReconciler) addPeerPodsConfigDaemonSet() error {
Expand Down
52 changes: 16 additions & 36 deletions scripts/kata-install/osc-kata-addons-install.sh
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -47,51 +47,31 @@ update_config() {
# 0 on success
#######################################
install_addons() {
local addon_image="${ADDON_IMAGE:?}"

echo "Installing addon artifacts from: $addon_image"

local kernel_src="${ADDON_KERNEL_PATH:?}"
local kernel_file
kernel_file="$(basename "$kernel_src")"

if [ -z "$kernel_src" ]; then
echo "ERROR: ADDON_KERNEL_PATH is mandatory but was not provided." >&2
local staged_dir="/host/var/lib/kata/addons"
Copy link
Contributor

@Pacho20 Pacho20 Jan 30, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This path is used in multiple functions so I think it should be a global variable.

Copy link
Member

@gkurz gkurz Jan 30, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The other function is extract_kata_addon_image(), the code of which was moved away from here to osc-kata-install.sh... the duplication of the path seems to be the consequence of that. It is a sign that this refactoring isn't good : the main script shouldn't contain addon specific code.

local staged_kernel="${staged_dir}/${kernel_src}"

if [[ ! -f "$staged_kernel" ]]; then
echo "ERROR: Staged kernel not found: $staged_kernel" >&2
exit 1
fi

# Standard installation directory
local install_dir="/host/etc/kata-containers"
local temp_dir="/tmp/kata-addons-$$"
local auth_file="/tmp/regauth/auth.json"

mkdir -p "$install_dir"
mkdir -p "$temp_dir"

local kernel_installed=""
local kernel_path=""

# Extract and install kernel
echo "Extracting kernel from: $kernel_src"

# Reuse extract_container_image from lib.sh
if extract_container_image "$addon_image" "$kernel_src" "$temp_dir" "$auth_file"; then
local kernel_file=$(basename "$kernel_src")
if [ -f "$temp_dir/$kernel_file" ]; then
kernel_installed="$install_dir/$kernel_file"
kernel_path="/etc/kata-containers/$kernel_file"
cp "$temp_dir/$kernel_file" "$kernel_installed"
chmod 644 "$kernel_installed"
echo "Kernel installed: $kernel_installed"
local kernel_installed="${install_dir}/${kernel_file}"
local kernel_path="/etc/kata-containers/${kernel_file}"

# Print checksum of the installed kernel
echo "Kernel image $kernel_file checksum (sha256):"
sha256sum "$kernel_installed"
fi
fi
cp "$staged_kernel" "$kernel_installed"

rm -rf $staged_dir

echo "Kernel installed: $kernel_installed"
echo "Kernel image $kernel_file checksum (sha256):"
sha256sum "$kernel_installed"

# Cleanup
rm -rf "$temp_dir"

# Update kata configuration
update_config "$kernel_path"

echo "Addon installation completed"
Expand Down
50 changes: 50 additions & 0 deletions scripts/kata-install/osc-kata-install.sh
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -83,6 +83,42 @@ set_status_uninstalled() {
label_node "uninstalled"
}

extract_kata_version_from_rpm() {
local rpm="$1"
basename "$rpm" | sed -E 's/^kata-containers-([0-9]+\.[0-9]+(\.[0-9]+)?).*/\1/'
Copy link
Contributor

@Pacho20 Pacho20 Jan 30, 2026
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

You can use rpm to retrieve the package version. This avoids relying on the file name or sed. Although the file name is unlikely to change, doing so prevents potential failures if it ever does.

rpm -q --qf "%{VERSION}\n" "$rpm"

}

extract_kata_addon_image() {
Copy link
Contributor

@Pacho20 Pacho20 Jan 30, 2026
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think this should be two functions. One to extract the addon and one to get the version. It would be easier to understand what it does imo.

local addon_image="$1"
local addon_stage_dir="/host/var/lib/kata/addons"

mkdir -p $addon_stage_dir

extract_container_image \
"$addon_image" \
"/artifacts" \
"$addon_stage_dir" \
"/tmp/regauth/auth.json" >/dev/null


if [[ ! -f "$addon_stage_dir/artifacts/version.json" ]]; then
echo "ERROR: version.json not found in addon image"
exit 1
fi

dnf install -y jq >/dev/null 2>&1
Copy link
Contributor

@Pacho20 Pacho20 Jan 30, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The jq installation should be moved in the Dockerfile imo.


local kata_version
kata_version=$(jq -r '.kata_version' "$addon_stage_dir/artifacts/version.json")

if [[ -z "$kata_version" || "$kata_version" == "null" ]]; then
echo "ERROR: kata_version missing in version.json"
exit 1
fi

echo "$kata_version"
}

install() {
# Initial wait: avoid doing anything if a previous staged update is pending
wait_for_reboot_clear
Expand All @@ -104,6 +140,20 @@ install() {
continue
fi

if [[ "$package" == "kata-containers" && -n "${ADDON_IMAGE:-}" ]]; then
rpm_kata_version=$(extract_kata_version_from_rpm "$rpm_path")
addon_kata_version=$(extract_kata_addon_image "$ADDON_IMAGE")

if [[ "$addon_kata_version" != "$rpm_kata_version" ]]; then
echo "ERROR: Kata version mismatch between addon image and host RPM"
echo "Addon image kata version: $addon_kata_version"
echo "Host kata RPM version: $rpm_kata_version"
exit 1
fi

echo "Addon image kata version validated: $addon_kata_version"
fi

# Get available version
available_version=$(rpm -qp "$rpm_path")

Expand Down