Merge pull request kubernetes#110379 from marosset/windows-pause-image-base

Updating base container image for pause image on Windows

Author: k8s-ci-robot

build/dependencies.yaml

@@ -146,7 +146,7 @@ dependencies:
       match: __default_go_runner_version=
 
   - name: "registry.k8s.io/pause"
-    version: 3.7
+    version: 3.8
     refPaths:
     - path: build/pause/Makefile
       match: TAG\s*\?=

build/pause/CHANGELOG.md

@@ -1,3 +1,8 @@
+# 3.8
+
+* Updating base image for Windows container images from nanoserver to `mcr.microsoft.com/oss/kubernetes/windows-pause-image-base` which gets built on a Windows machine.
+This addresses [Cannot modify registry keys during Windows pause image build process #109161](https://github.com/kubernetes/kubernetes/issues/109161)
+
 # 3.7
 
 * Unsupported Windows Semi-Annual container images removed (OS Versions removed: 1903, 1909, 2004) . ([#107056](https://github.com/kubernetes/kubernetes/pull/107056), [@jsturtevant](https://github.com/jsturtevant/))

build/pause/Dockerfile_windows

@@ -18,11 +18,6 @@ ARG ARCH
 ADD bin/pause-windows-${ARCH}.exe /pause.exe
 ADD bin/wincat-windows-amd64 /Windows/System32/wincat.exe
 
-# NOTE(claudiub): We're replacing the diagtrack.dll as a means to disable the
-# DiagTrack service (it cannot run without this DLL). We do not need this
-# service in the pause image and there's no reason for it to have any CPU usage.
-ADD windows/pause.c /Windows/System32/diagtrack.dll
-
 # NOTE(claudiub): docker buildx sets the PATH env variable to a Linux-like PATH,
 # which is not desirable. See: https://github.com/moby/buildkit/issues/1560
 # TODO(claudiub): remove this once the issue has been resolved.

build/pause/Makefile

@@ -17,7 +17,7 @@
 REGISTRY ?= staging-k8s.gcr.io
 IMAGE = $(REGISTRY)/pause
 
-TAG ?= 3.7
+TAG ?= 3.8
 REV = $(shell git describe --contains --always --match='v*')
 
 # Architectures supported: amd64, arm, arm64, ppc64le and s390x
@@ -68,7 +68,8 @@ TRIPLE.linux-ppc64le := powerpc64le-linux-gnu
 TRIPLE.linux-s390x := s390x-linux-gnu
 TRIPLE := ${TRIPLE.${OS}-${ARCH}}
 BASE.linux := scratch
-BASE.windows := mcr.microsoft.com/windows/nanoserver
+# Source for windows pause image base is located at https://github.com/microsoft/windows-pause-image-base
+BASE.windows := mcr.microsoft.com/oss/kubernetes/windows-pause-image-base:v0.2
 BASE := ${BASE.${OS}}
 
 # If you want to build AND push all containers, see the 'all-push' rule.
@@ -77,16 +78,21 @@ all: all-container-docker
 # NOTE(claudiub): A non-default builder instance is needed in order to build Windows images.
 all-push: all-container-registry push-manifest
 
+push-manifest: SHELL:=/bin/bash
 push-manifest:
 	docker manifest create --amend $(IMAGE):$(TAG) $(shell echo $(ALL_OS_ARCH) | sed -e "s~[^ ]*~$(IMAGE):$(TAG)\-&~g")
 	set -x; for arch in $(ALL_ARCH.linux); do docker manifest annotate --os linux --arch $${arch} ${IMAGE}:${TAG} ${IMAGE}:${TAG}-linux-$${arch}; done
 	# For Windows images, we also need to include the "os.version" in the manifest list, so the Windows node can pull the proper image it needs.
 	# we use awk to also trim the quotes around the OS version string.
 	set -x; \
+	# tagToKernelVersionMap maps the container images tags for different Windows Server releases (ex: ltsc2022 for Windows Server 2022)
+	# to the kernel version for that OS release (ex: 20348 for Windows Server 2022). This is needed to fetch the servicing revision from the
+	# pause base image manifest (which containers an entry for each Windows Server version) so we can add the approrite 'os.version'
+	# field to the pause image manifest.
+	declare -A tagToKernelVersionMap=( ['1809']='17763' ['20H2']='19042' ['ltsc2022']='20348' );\
 	for arch in $(ALL_ARCH.windows);  do \
 		for osversion in ${ALL_OSVERSIONS.windows}; do \
-			BASEIMAGE=${BASE.windows}:$${osversion}; \
-			full_version=`docker manifest inspect ${BASE.windows}:$${osversion} | grep "os.version" | head -n 1 | awk -F\" '{print $$4}'` || true; \
+			full_version=`docker manifest inspect ${BASE.windows} | grep "10.0.$${tagToKernelVersionMap[$$osversion]}" | head -n 1 | awk -F\" '{print $$4}'` || true; \
 			docker manifest annotate --os windows --arch $${arch} --os-version $${full_version} ${IMAGE}:${TAG} ${IMAGE}:${TAG}-windows-$${arch}-$${osversion}; \
 		done; \
 	done
@@ -122,7 +128,7 @@ container: .container-${OS}-$(ARCH)
 
 .container-windows-$(ARCH): $(foreach binary, ${BIN}, bin/${binary}-${OS}-${ARCH})
 	docker buildx build --pull --output=type=${OUTPUT_TYPE} --platform ${OS}/$(ARCH) \
-		-t $(IMAGE):$(TAG)-${OS}-$(ARCH)-${OSVERSION} --build-arg BASE=${BASE}:${OSVERSION} --build-arg ARCH=$(ARCH) -f Dockerfile_windows .
+		-t $(IMAGE):$(TAG)-${OS}-$(ARCH)-${OSVERSION} --build-arg BASE=${BASE}-windows-${OSVERSION}-${ARCH} --build-arg ARCH=$(ARCH) -f Dockerfile_windows .
 	touch $@
 
 # Useful for testing, not automatically included in container image