adding version lock on runc, containerd and docker #654

Merged
merged 3 commits into from
Apr 22, 2021

@vishalkg vishalkg commented Apr 22, 2021

Issue #, if available:
#648

Description of changes:
In the above-mentioned issue, we downgraded the runc version, but did not lock the version. So, it is possible that runc can be updated to the latest during patch installs. This PR puts a lock on containerd and runc versions.

By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.

Testing

  • Before making this change:
[ec2-user@ip-192-168-29-25 ~]$ containerd --version
containerd github.com/containerd/containerd 1.4.1 c623d1b36f09f8ef6536a057bd658b3aa8632828
[ec2-user@ip-192-168-29-25 ~]$
[ec2-user@ip-192-168-29-25 ~]$ runc --version
runc version 1.0.0-rc92
commit: ff819c7e9184c13b7c2607fe6c30ae19403a7aff
spec: 1.0.2-dev
[ec2-user@ip-192-168-29-25 ~]$
[ec2-user@ip-192-168-29-25 ~]$ sudo yum update containerd runc
Loaded plugins: priorities, update-motd, versionlock
Resolving Dependencies
--> Running transaction check
---> Package containerd.x86_64 0:1.4.1-2.amzn2 will be updated
---> Package containerd.x86_64 0:1.4.4-1.amzn2 will be an update
---> Package runc.x86_64 0:1.0.0-0.1.20200826.gitff819c7.amzn2 will be updated
---> Package runc.x86_64 0:1.0.0-0.1.20210225.git12644e6.amzn2 will be an update
--> Finished Dependency Resolution

Dependencies Resolved

===================================================================================================================================================================================================================
 Package                                     Arch                                    Version                                                              Repository                                          Size
===================================================================================================================================================================================================================
Updating:
 containerd                                  x86_64                                  1.4.4-1.amzn2                                                        amzn2extra-docker                                   24 M
 runc                                        x86_64                                  1.0.0-0.1.20210225.git12644e6.amzn2                                  amzn2extra-docker                                  3.2 M

Transaction Summary
===================================================================================================================================================================================================================
Upgrade  2 Packages

Total download size: 27 M
Is this ok [y/d/N]: N
Exiting on user command
Your transaction was saved, rerun it with:
 yum load-transaction /tmp/yum_save_tx.2021-04-22.18-31.jCPvGl.yumtx
  • During AMI build:
    ...
    amazon-ebs: Running transaction
    amazon-ebs:   Installing : yum-plugin-versionlock-1.1.31-46.amzn2.0.1.noarch            1/1
    amazon-ebs:   Verifying  : yum-plugin-versionlock-1.1.31-46.amzn2.0.1.noarch            1/1
    amazon-ebs:
    amazon-ebs: Installed:
    amazon-ebs:   yum-plugin-versionlock.noarch 0:1.1.31-46.amzn2.0.1
    amazon-ebs:
    amazon-ebs: Complete!
    amazon-ebs: Loaded plugins: priorities, update-motd, versionlock
    amazon-ebs: Adding versionlock on: 0:runc-1.0.0-0.1.20200826.gitff819c7.amzn2
    amazon-ebs: Adding versionlock on: 0:containerd-1.4.1-2.amzn2
    amazon-ebs: versionlock added: 2
    ...
  • After making this change, built a new AMI and launched a new instance with the new AMI:
[ec2-user@ip-172-31-5-130 ~]$ runc --version
runc version 1.0.0-rc92
commit: ff819c7e9184c13b7c2607fe6c30ae19403a7aff
spec: 1.0.2-dev
[ec2-user@ip-172-31-5-130 ~]$
[ec2-user@ip-172-31-5-130 ~]$ containerd --version
containerd github.com/containerd/containerd 1.4.1 c623d1b36f09f8ef6536a057bd658b3aa8632828
[ec2-user@ip-172-31-5-130 ~]$
[ec2-user@ip-172-31-5-130 ~]$ sudo yum versionlock list
Loaded plugins: priorities, update-motd, versionlock
0:runc-1.0.0-0.1.20200826.gitff819c7.amzn2.*
0:containerd-1.4.1-2.amzn2.*
versionlock list done
[ec2-user@ip-172-31-5-130 ~]$ sudo yum update containerd runc
Loaded plugins: priorities, update-motd, versionlock
No packages marked for update
[ec2-user@ip-172-31-5-130 ~]$

adding version lock on runc and containerd
@@ -129,6 +129,10 @@ if [[ "$INSTALL_DOCKER" == "true" ]]; then
# pinning it to `1.0.0-rc92`
sudo yum downgrade -y runc.${MACHINE} 1.0.0-0.1.20200826.gitff819c7.amzn2
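Review bot: on the `sudo yum downgrade -y runc.${MACHINE} 1.0.0-0.1.20200826.gitff819c7.amzn2` line, the version is a separate word after `runc.${MACHINE}`, so yum receives it as a second package argument rather than as the version of runc. Writing the target as a single spec of the form `runc-<version>-<release>.${MACHINE}` makes the pinned build explicit, and the comment above it should say why `1.0.0-rc92` is required (the linked issue) so the pin can be revisited later.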
Contributor

Let's move the runc version to a packer variable, like docker and containerd: https://github.com/awslabs/amazon-eks-ami/blob/master/eks-worker-al2.json#L17

Contributor Author

Makes sense, done

@@ -129,6 +129,10 @@ if [[ "$INSTALL_DOCKER" == "true" ]]; then
# pinning it to `1.0.0-rc92`
sudo yum downgrade -y runc.${MACHINE} 1.0.0-0.1.20200826.gitff819c7.amzn2

# install versionlock plugin and lock runc, containerd versions
sudo yum install -y yum-plugin-versionlock
sudo yum versionlock runc-* containerd-*
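Review bot: the patterns on the `sudo yum versionlock runc-* containerd-*` line are unquoted, so the shell expands them first if the build's working directory holds any file whose name starts with `runc-` or `containerd-`; quote them (`'runc-*' 'containerd-*'`). The wildcard also locks whichever build is installed at that moment rather than a stated version, so a check that the resulting lock list matches the intended versions belongs right after this line, together with a comment noting that locked packages receive no further updates until the lock is changed.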
Contributor

Should we also lock the docker version?

Contributor Author

Makes sense, done

@vishalkg
Contributor Author

[ec2-user@ip-172-31-10-146 ~]$ runc --version
runc version 1.0.0-rc92
commit: ff819c7e9184c13b7c2607fe6c30ae19403a7aff
spec: 1.0.2-dev
[ec2-user@ip-172-31-10-146 ~]$ 
[ec2-user@ip-172-31-10-146 ~]$ containerd --version
containerd github.com/containerd/containerd 1.4.1 c623d1b36f09f8ef6536a057bd658b3aa8632828
[ec2-user@ip-172-31-10-146 ~]$ docker --version
Docker version 19.03.13-ce, build 4484c46
[ec2-user@ip-172-31-10-146 ~]$ 
[ec2-user@ip-172-31-10-146 ~]$ sudo yum versionlock list
Loaded plugins: priorities, update-motd, versionlock
0:containerd-1.4.1-2.amzn2.*
0:docker-19.03.13ce-1.amzn2.*
0:runc-1.0.0-0.1.20200826.gitff819c7.amzn2.*
versionlock list done
[ec2-user@ip-172-31-10-146 ~]$
[ec2-user@ip-172-31-10-146 ~]$ sudo yum update docker containerd runc
Loaded plugins: priorities, update-motd, versionlock
No packages marked for update
[ec2-user@ip-172-31-10-146 ~]$
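
The by-hand check in the comment above (`yum versionlock list`, then a `yum update` that finds nothing to do) can be run as a build gate. This is an added example, not code from the PR or the amazon-eks-ami project; `check_locks`, `SAMPLE_LOCKS` and `RUNC_VERSION` are hypothetical names, and the lock list is a constructed sample in the shape of the output shown above.

```shell
#!/usr/bin/env bash
# Added example (not from the PR): confirm that every pinned package has a
# versionlock entry at exactly the expected version-release.
# check_locks, SAMPLE_LOCKS and RUNC_VERSION are hypothetical names.

# Constructed sample in the shape of `yum versionlock list` output.
SAMPLE_LOCKS='Loaded plugins: priorities, update-motd, versionlock
0:containerd-1.4.1-2.amzn2.*
0:docker-19.03.13ce-1.amzn2.*
0:runc-1.0.0-0.1.20200826.gitff819c7.amzn2.*
versionlock list done'

# Usage: check_locks "<lock list text>" name=version-release ...
# Prints one line per problem; returns 0 only when every pin is locked exactly.
check_locks() {
  local locks pin name want rc
  rc=0
  # Keep only lock entries and drop the "<epoch>:" prefix, leaving
  # "<name>-<version>-<release>.*"; plugin banner lines are discarded.
  locks="$(printf '%s\n' "$1" | sed -n 's/^[0-9][0-9]*://p')"
  shift
  for pin in "$@"; do
    name="${pin%%=*}"
    want="${pin#*=}"
    # -F: dots in versions are literal; -x: the whole entry must match.
    if printf '%s\n' "$locks" | grep -Fxq -- "${name}-${want}.*"; then
      continue
    fi
    if printf '%s\n' "$locks" | grep -q -- "^${name}-[0-9]"; then
      echo "MISMATCH ${name}: locked, but not at ${want}"
    else
      echo "MISSING ${name}: no versionlock entry"
    fi
    rc=1
  done
  return "$rc"
}

# On a built instance, feed it the live list instead of the sample:
#   check_locks "$(sudo yum versionlock list)" runc="$RUNC_VERSION" ...
check_locks "$SAMPLE_LOCKS" \
  containerd=1.4.1-2.amzn2 \
  docker=19.03.13ce-1.amzn2 \
  runc=1.0.0-0.1.20200826.gitff819c7.amzn2 && echo "all pins locked"
```

A non-zero return from `check_locks` is the signal to fail the image build before the AMI is published.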

@vishalkg vishalkg changed the title adding version lock on runc and containerd adding version lock on runc, containerd and docker Apr 22, 2021
@@ -15,6 +15,7 @@
"kernel_version": "",
"docker_version": "19.03.13ce-1.amzn2",
"containerd_version": "1.4.1-2.amzn2",
"runc_version": "1.0.0-0.1.20200826.gitff819c7.amzn2",
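Review bot: `runc_version` repeats the version-release string that the install script's `yum downgrade` line carries as a literal, and nothing in this hunk shows the script reading the variable. Confirm the script uses `runc_version` in place of the literal, and list the variable wherever `docker_version` and `containerd_version` are documented, with the reason this build is pinned, since the JSON itself cannot hold a comment.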
Contributor Author

Done

@heybronson heybronson merged commit 189baaa into awslabs:master Apr 22, 2021