Removing the initial node from the cluster would previously cause etcd to panic on startup. Fixes to etcd reconcile have stopped that from happening, but now the node will successfully come up and start a new cluster - which is not right either. Require either manual removal of DB files to create a new cluster, or setting server address to join an existing cluster.
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
* Use channel.yaml instead of curling for stable for kubectl install
* Stop vex report from leaking out of make local-image
Signed-off-by: Derek Nola <derek.nola@suse.com>
Not currently used, but was useful in tracking down the specific call path for the empty token handling
Prints error as:
> `msg="Error: starting kubernetes: failed to start cluster: failed to normalize server token; must be in format K10<CA-HASH>::<USERNAME>:<PASSWORD> or <PASSWORD> at github.com/urfave/cli/v2.(*App).RunContext(app.go:333)->github.com/urfave/cli/v2.(*Command).Run(command.go:269)->github.com/urfave/cli/v2.(*Command).Run(command.go:276)->github.com/k3s-io/k3s/pkg/cli/server.Run(server.go:48)->github.com/k3s-io/k3s/pkg/cli/server.run(server.go:629)->github.com/k3s-io/k3s/pkg/server.StartServer(server.go:74)->github.com/k3s-io/k3s/pkg/daemons/control.Server(server.go:72)->github.com/k3s-io/k3s/pkg/cluster.(*Cluster).Start(cluster.go:75)->github.com/k3s-io/k3s/pkg/cluster.Save(storage.go:79)->github.com/k3s-io/k3s/pkg/util.NormalizeToken(token.go:51)"`
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
Fixes issue preventing containerd from accessing spegel on ipv6-primary agents. Only affects agents because only agents use the kubelet-serving cert for the supervisor listener.
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
* Update install tests with new images, add alma10
Signed-off-by: Derek Nola <derek.nola@suse.com>
* Stop running each provisioning step individually for install tests
Signed-off-by: Derek Nola <derek.nola@suse.com>
---------
Signed-off-by: Derek Nola <derek.nola@suse.com>
Upgrade docker/docker dependency from v25.0.8 to v25.0.13 to address
CVE-2025-54410 which affects Moby/Docker versions before 25.0.13.
This vulnerability could allow containers across different bridge networks
to access each other's ports when firewalld is reloaded, breaking network
isolation.
Signed-off-by: Rahul Rai <rahul.cncf@gmail.com>
* Move cleanup earlier, to prevent running out of space when restoring caches
* Consistently use local setup-go action to avoid saving cache on PR runs
* Update local setup-go action
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
Manifest from https://raw.githubusercontent.com/longhorn/longhorn/v1.10.1/deploy/longhorn.yaml - with modifications to use rancher-mirrored images to avoid image pull rate limits, and allow operation on a node with fewer resources.
Also adds more log dumping on integration test failure.
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
Spegel insists on checking containerd features when the store is created, so defer creating it until after containerd is up
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
Fixes HIGH CVE-2025-68156. This is an indirect dep from github.com/nats-io/jsm.go but it appears they have not yet bumped it either
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
- Use os.CreateTemp to avoid race conditions with fixed temp filename
- Add f.Sync() before close to ensure data durability
- Check all fmt.Fprintf errors instead of ignoring them
- Preserve original file permissions when overwriting
- Handle dir== edge case from filepath.Split
- Check os.MkdirAll error
- Proper cleanup on all error paths
Signed-off-by: luojiyin <luojiyin@hotmail.com>
Add documentation comments to WriteSubnetFile
Clarify the design choices for atomic file writing:
- Explain why CreateTemp is used (defense-in-depth, avoids pre-existing file issues)
- Document the single-instance assumption
- Note the permission preservation logic
Signed-off-by: luojiyin <luojiyin@hotmail.com>
Update WriteSubnetFile comment to clarify CreateTemp rationale
Remove misleading reference to concurrent writes (K3s is single-instance).
Focus on the actual benefits: avoiding stale temp files from crashes,
handling unexpected permissions/ownership, and O_EXCL guarantees.
Signed-off-by: luojiyin <luojiyin@hotmail.com>
Refactor cleanup to use merr.NewErrors for better error aggregation
Address review feedback from @brandond to improve error handling:
- Change cleanup function to accept error parameter
- Use merr.NewErrors to aggregate original error with Close/Remove errors
- Simplify error handling with consistent return cleanup(err) pattern
Signed-off-by: luojiyin <luojiyin@hotmail.com>
Fix Close error handling to preserve original error
Add cleanupNoClose helper to avoid double Close and preserve the
original Close error when file close fails.
Signed-off-by: luojiyin <luojiyin@hotmail.com>
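The atomic write pattern that the WriteSubnetFile commits above describe, as an added example that is not the k3s code or the commit author's: `writeFileAtomic`, its parameters and the demo file name are hypothetical, and the standard library's `errors.Join` stands in for `merr.NewErrors`.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
)

// writeFileAtomic (hypothetical helper) replaces path with content via a temp file and rename.
func writeFileAtomic(path, content string, defaultMode os.FileMode) (err error) {
	dir := filepath.Dir(path) // yields "." rather than "" for a bare file name
	if err := os.MkdirAll(dir, 0o755); err != nil {
		return err
	}
	mode := defaultMode
	if st, statErr := os.Stat(path); statErr == nil {
		mode = st.Mode().Perm() // keep the permissions of the file being replaced
	}
	// CreateTemp opens with O_EXCL and a random suffix, so a stale or pre-existing temp file is never reused.
	f, err := os.CreateTemp(dir, "."+filepath.Base(path)+".*")
	if err != nil {
		return err
	}
	closed := false
	defer func() {
		if err != nil { // on any failure: remove the temp file, original error stays first
			if !closed {
				err = errors.Join(err, f.Close())
			}
			err = errors.Join(err, os.Remove(f.Name()))
		}
	}()
	if _, err = fmt.Fprint(f, content); err != nil {
		return err
	}
	if err = errors.Join(f.Chmod(mode), f.Sync()); err != nil { // set mode, flush before rename
		return err
	}
	closed = true // Close is attempted exactly once; cleanup must not close again
	if err = f.Close(); err != nil {
		return err
	}
	return os.Rename(f.Name(), path)
}

func main() { // constructed demo: placeholder file name under the OS temp dir
	fmt.Println(writeFileAtomic(filepath.Join(os.TempDir(), "example-subnet.env"), "EXAMPLE_KEY=value\n", 0o644))
}
```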