Move Windows compilation test to GHA and enable tests

.drone.yml

@@ -47,14 +47,6 @@ steps:
   - name: docker
     path: /var/run/docker.sock
 
-- name: validate-cross-compilation
-  image: rancher/dapper:v0.6.0
-  commands:
-  - dapper validate-cross-compilation
-  volumes:
-  - name: docker
-    path: /var/run/docker.sock
-
 - name: fossa
   image: rancher/drone-fossa:latest
   failure: ignore

.github/workflows/build-k3s.yaml

@@ -7,10 +7,6 @@ on:
       type: string
       description: 'Architecture to build'
       default: 'ubuntu-latest'
-    upload-repo:
-      type: boolean
-      required: false
-      default: false
     upload-image:
       type: boolean
       required: false
@@ -23,33 +19,27 @@ jobs:
   build:
     name: Build
     runs-on: ${{ inputs.arch }} # defaults to ubuntu-latest, for arm64 use ubuntu-24.04-arm
-    timeout-minutes: 20
+    timeout-minutes: 30
     steps:
     - name: Checkout K3s
       uses: actions/checkout@v4
     - name: Build K3s binary
       run: |
         DOCKER_BUILDKIT=1 SKIP_IMAGE=1 SKIP_AIRGAP=1 SKIP_VALIDATE=1 GOCOVER=1 make
         sha256sum dist/artifacts/k3s | sed 's|dist/artifacts/||' > dist/artifacts/k3s.sha256sum
+    - name: Build K3s binary (windows)
+      if: inputs.arch == 'ubuntu-latest'
+      run: |
+        DOCKER_BUILDKIT=1 SKIP_IMAGE=1 SKIP_AIRGAP=1 SKIP_VALIDATE=1 GOCOVER=1 GOOS=windows make
+        sha256sum dist/artifacts/k3s.exe | sed 's|dist/artifacts/||' > dist/artifacts/k3s.exe.sha256sum
     - name: Build K3s image
       if: inputs.upload-image == true
       run: make package-image
-    - name: bundle repo
-      if: inputs.upload-repo == true
-      run: |
-        tar -czvf ../k3s-repo.tar.gz .
-        mv ../k3s-repo.tar.gz .
-    - name: "Upload K3s directory"
-      if: inputs.upload-repo == true
-      uses: actions/upload-artifact@v4
-      with:
-        name: k3s-repo.tar.gz
-        path: k3s-repo.tar.gz
     - name: "Save K3s image"
       if: inputs.upload-image == true
       run: docker image save rancher/k3s -o ./dist/artifacts/k3s-image.tar
     - name: "Upload K3s Artifacts"
-      if: inputs.upload-repo == false && inputs.arch == 'ubuntu-latest'
+      if: inputs.arch == 'ubuntu-latest'
       uses: actions/upload-artifact@v4
       with:
         name: k3s
@@ -59,4 +49,4 @@ jobs:
       uses: actions/upload-artifact@v4
       with:
         name: k3s-arm64
-        path: dist/artifacts/k3s*
+        path: dist/artifacts/k3s*

.github/workflows/install.yaml

@@ -105,3 +105,29 @@ jobs:
         with:
           ## If no one connects after 5 minutes, shut down server.
           wait-timeout-minutes: 5
+  test-windows:
+    name: "Smoke Test (windows)"
+    needs: build
+    runs-on: windows-2022
+    timeout-minutes: 10
+    steps:
+      - name: "Checkout"
+        uses: actions/checkout@v4
+        with: {fetch-depth: 1}
+      - name: "Download k3s binary"
+        uses: actions/download-artifact@v4
+        with:
+          name: k3s
+          path: dist/artifacts/
+      - name: "Run K3s"
+        timeout-minutes: 5
+        run: |
+          $ErrorActionPreference = "Continue"
+          $PSNativeCommandUseErrorActionPreference = $true
+          $Server = Start-Job -ScriptBlock { ./dist/artifacts/k3s.exe server --token=token --embedded-registry --disable=metrics-server }
+          Start-Sleep -Seconds 15
+          D:/var/lib/rancher/k3s/data/current/bin/k3s.exe kubectl get node -o wide
+          D:/var/lib/rancher/k3s/data/current/bin/k3s.exe kubectl get pod -A -o wide
+          Stop-Job -Job $Server
+          Receive-Job -Wait -Job $Server
+          Remove-Job -Job $Server

.github/workflows/unitcoverage.yaml

@@ -26,8 +26,8 @@ permissions:
   contents: read
 
 jobs:
-  test:
-    name: Unit Tests
+  test-unit-linux:
+    name: Unit Tests (linux)
     runs-on: ubuntu-24.04
     timeout-minutes: 20
     steps:
@@ -38,8 +38,8 @@ jobs:
     - name: Install Go
       uses: ./.github/actions/setup-go
     - name: Run Unit Tests
-      run: | 
-        go test -coverpkg=./... -coverprofile=coverage.out ./pkg/... -run Unit
+      run: |
+        go test -coverpkg ./pkg/... -coverprofile coverage.out ./pkg/... -run Unit
         go tool cover -func coverage.out
     - name: On Failure, Launch Debug Session
       if: ${{ failure() }}
@@ -53,3 +53,25 @@ jobs:
         files: ./coverage.out
         flags: unittests # optional
         verbose: true # optional (default = false)
+  test-unit-windows:
+    name: Unit Tests (windows)
+    runs-on: windows-2022
+    timeout-minutes: 20
+    steps:
+    - name: Checkout
+      uses: actions/checkout@v4
+      with:
+        fetch-depth: 1
+    - name: Install Go
+      uses: actions/setup-go@v5
+    - name: Run Unit Tests
+      run: |
+        go test -coverpkg ./pkg/... -coverprofile coverage.out ./pkg/... -run Unit
+        go tool cover -func coverage.out
+    - name: Upload Results To Codecov
+      uses: codecov/codecov-action@v5
+      with:
+        token: ${{ secrets.CODECOV_TOKEN }}
+        files: ./coverage.out
+        flags: unittests # optional
+        verbose: true # optional (default = false)

.gitignore

@@ -21,7 +21,7 @@
 /image/go_build_agent
 /image/main.squashfs
 /package/k3s
-/package/data.tar.zst
+/package/data-*
 /pkg/data/zz_generated_bindata.go
 __pycache__
 /tests/.pytest_cache/

Dockerfile.dapper

@@ -52,7 +52,7 @@ ENV SELINUX=${SELINUX}
 
 # Set Dapper configuration variables
 ENV DAPPER_RUN_ARGS="--privileged -v k3s-cache:/go/src/github.com/k3s-io/k3s/.cache -v trivy-cache:/root/.cache/trivy" \
-    DAPPER_ENV="REPO TAG DRONE_TAG IMAGE_NAME SKIP_VALIDATE SKIP_IMAGE SKIP_AIRGAP AWS_SECRET_ACCESS_KEY AWS_ACCESS_KEY_ID GITHUB_TOKEN GOLANG GOCOVER DEBUG" \
+    DAPPER_ENV="REPO TAG DRONE_TAG IMAGE_NAME SKIP_VALIDATE SKIP_IMAGE SKIP_AIRGAP AWS_SECRET_ACCESS_KEY AWS_ACCESS_KEY_ID GITHUB_TOKEN GOLANG GOCOVER GOOS DEBUG" \
     DAPPER_SOURCE="/go/src/github.com/k3s-io/k3s/" \
     DAPPER_OUTPUT="./bin ./dist ./build/out ./build/static ./pkg/static ./pkg/deploy" \
     DAPPER_DOCKER_SOCKET=true \

Makefile

@@ -1,5 +1,6 @@
 TARGETS := $(shell ls scripts | grep -v \\.sh)
 GO_FILES ?= $$(find . -name '*.go' | grep -v generated)
+SHELL := /bin/bash
 
 
 .dapper:
@@ -9,7 +10,11 @@ GO_FILES ?= $$(find . -name '*.go' | grep -v generated)
 	@./.dapper.tmp -v
 	@mv .dapper.tmp .dapper
 
-$(TARGETS): .dapper
+.PHONY: docker.sock
+docker.sock:
+	while ! docker version 1>/dev/null; do sleep 1; done
+
+$(TARGETS): .dapper docker.sock
 	./.dapper $@
 
 .PHONY: deps
@@ -42,4 +47,4 @@ format:
 local:
 	DOCKER_BUILDKIT=1 docker build \
 		--build-arg="REPO TAG GITHUB_TOKEN GOLANG GOCOVER DEBUG" \
-		-t k3s-local -f Dockerfile.local --output=. .
+		-t k3s-local -f Dockerfile.local --output=. .

go.mod

@@ -109,7 +109,7 @@ require (
 	github.com/joho/godotenv v1.5.1
 	github.com/json-iterator/go v1.1.12
 	github.com/k3s-io/helm-controller v0.16.6
-	github.com/k3s-io/kine v0.13.8
+	github.com/k3s-io/kine v0.13.9
 	github.com/klauspost/compress v1.17.11
 	github.com/libp2p/go-libp2p v0.38.2
 	github.com/minio/minio-go/v7 v7.0.83

go.sum

@@ -965,8 +965,8 @@ github.com/k3s-io/etcd/server/v3 v3.5.18-k3s1 h1:YHhvwef4h6F53c3BeVSROhXrka/CdFS
 github.com/k3s-io/etcd/server/v3 v3.5.18-k3s1/go.mod h1:waeL2uw6TdXniXaus105tiK1aSbblIBi21uk8y7D6Ng=
 github.com/k3s-io/helm-controller v0.16.6 h1:w/cdunYPTmatAMrYlf/qbmuatrKjfpC122ISn5QfIpA=
 github.com/k3s-io/helm-controller v0.16.6/go.mod h1:Zy6dK6PIepVPOH2wM3sg00RsJLAk3FkXIJl+rWeHC3Y=
-github.com/k3s-io/kine v0.13.8 h1:/dO49uLw8M6HULNmVvXH7k3VK6WerqCN0A3lm4C3Qrs=
-github.com/k3s-io/kine v0.13.8/go.mod h1:eBfR4kXgSkB4yIL+S3bF1+z5cvgYz8wbXrwANeL/Qok=
+github.com/k3s-io/kine v0.13.9 h1:Dcobn5rXfl0tGCTPJzLRsowxAnK/4hhLzRGuPXhRJVQ=
+github.com/k3s-io/kine v0.13.9/go.mod h1:eBfR4kXgSkB4yIL+S3bF1+z5cvgYz8wbXrwANeL/Qok=
 github.com/k3s-io/klog/v2 v2.120.1-k3s1 h1:7twAHPFpZA21KdMnMNnj68STQMPldAxF2Zsaol57dxw=
 github.com/k3s-io/klog/v2 v2.120.1-k3s1/go.mod h1:3Jpz1GvMt720eyJH1ckRHK1EDfpxISzJ7I9OYgaDtPE=
 github.com/k3s-io/kube-router/v2 v2.2.1 h1:LrU6l4khFt67+QCIvgok9B/C9JY/U2/TaF9TCVUw0vw=

manifests/local-storage.yaml

@@ -65,6 +65,8 @@ spec:
           - key: "node-role.kubernetes.io/master"
             operator: "Exists"
             effect: "NoSchedule"
+      nodeSelector:
+        kubernetes.io/os: linux
       containers:
       - name: local-path-provisioner
         image: "%{SYSTEM_DEFAULT_REGISTRY}%rancher/local-path-provisioner:v0.0.31"

manifests/metrics-server/metrics-server-deployment.yaml

@@ -38,6 +38,8 @@ spec:
         - key: "node-role.kubernetes.io/master"
           operator: "Exists"
           effect: "NoSchedule"
+      nodeSelector:
+        kubernetes.io/os: linux
       volumes:
       # mount in tmp so we can safely use from-scratch images and/or read-only containers
       - name: tmp-dir

package/Dockerfile

@@ -1,8 +1,8 @@
 FROM alpine:3.21 as base
 RUN apk add -U ca-certificates zstd tzdata
-COPY build/out/data.tar.zst /
+COPY build/out/data-linux.tar.zst /
 RUN mkdir -p /image/etc/ssl/certs /image/run /image/var/run /image/tmp /image/lib/modules /image/lib/firmware && \
-    zstdcat -d /data.tar.zst | tar -xa -C /image && \
+    zstdcat -d /data-linux.tar.zst | tar -xa -C /image && \
     echo "root:x:0:0:root:/:/bin/sh" > /image/etc/passwd && \
     echo "root:x:0:" > /image/etc/group && \
     cp /etc/ssl/certs/ca-certificates.crt /image/etc/ssl/certs/ca-certificates.crt

pkg/agent/containerd/config.go

@@ -53,7 +53,7 @@ func writeContainerdHosts(cfg *config.Node, containerdConfig templates.Container
 
 	// Write out new templates
 	for host, config := range hosts {
-		hostDir := filepath.Join(cfg.Containerd.Registry, host)
+		hostDir := filepath.Join(cfg.Containerd.Registry, hostDirectory(host))
 		hostsFile := filepath.Join(hostDir, "hosts.toml")
 		hostsTemplate, err := templates.ParseHostsTemplateFromConfig(templates.HostsTomlTemplate, config)
 		if err != nil {

pkg/agent/containerd/config_linux.go

@@ -27,6 +27,12 @@ const (
 	runtimesPath = "/usr/local/nvidia/toolkit:/opt/kwasm/bin"
 )
 
+// hostDirectory returns the name of the host dir for a given registry.
+// This is a no-op on linux, as all possible host:port strings are valid paths.
+func hostDirectory(host string) string {
+	return host
+}
+
 func getContainerdArgs(cfg *config.Node) []string {
 	args := []string{
 		"containerd",

pkg/agent/containerd/config_test.go

@@ -1500,7 +1500,7 @@ func Test_UnitGetHostConfigs(t *testing.T) {
 			for host, config := range got {
 				hostsTemplate, err := templates.ParseHostsTemplateFromConfig(templates.HostsTomlTemplate, config)
 				assert.NoError(t, err, "ParseHostTemplateFromConfig for %s", host)
-				t.Logf("%s/hosts.d/%s/hosts.toml\n%s", tempDir, host, hostsTemplate)
+				t.Logf("%s/hosts.d/%s/hosts.toml\n%s", tempDir, hostDirectory(host), hostsTemplate)
 			}
 
 			// Confirm that the main containerd config.toml renders properly

pkg/agent/containerd/config_windows.go

@@ -4,6 +4,8 @@
 package containerd
 
 import (
+	"net"
+
 	"github.com/containerd/containerd"
 	"github.com/k3s-io/k3s/pkg/agent/templates"
 	"github.com/k3s-io/k3s/pkg/daemons/config"
@@ -13,6 +15,16 @@ import (
 	"k8s.io/cri-client/pkg/util"
 )
 
+// hostDirectory returns the name of the host dir for a given registry.
+// Colons are not allowed in windows paths, so convert `:port` to `_port_`.
+// Ref: https://github.com/containerd/containerd/blob/v1.7.25/remotes/docker/config/hosts.go#L291-L298
+func hostDirectory(host string) string {
+	if host, port, err := net.SplitHostPort(host); err == nil && port != "" {
+		return host + "_" + port + "_"
+	}
+	return host
+}
+
 func getContainerdArgs(cfg *config.Node) []string {
 	args := []string{
 		"containerd",

pkg/agent/netpol/netpol_windows.go

@@ -4,8 +4,10 @@ import (
 	"context"
 
 	daemonconfig "github.com/k3s-io/k3s/pkg/daemons/config"
+	"github.com/sirupsen/logrus"
 )
 
 func Run(ctx context.Context, nodeConfig *daemonconfig.Node) error {
-	panic("Netpol is not supported on windows ensure to pass --disable-network-policy")
+	logrus.Warnf("Skipping network policy controller start, netpol is not supported on windows")
+	return nil
 }

pkg/agent/templates/templates.go

@@ -86,7 +86,7 @@ enable_keychain = true
 {{end}}
 
 [plugins."io.containerd.snapshotter.v1.stargz".registry]
-  config_path = "{{ .NodeConfig.Containerd.Registry }}"
+  config_path = {{ printf "%q" .NodeConfig.Containerd.Registry }}
 
 {{ if .PrivateRegistryConfig }}
 {{range $k, $v := .PrivateRegistryConfig.Configs }}
@@ -104,14 +104,14 @@ enable_keychain = true
 
 {{- if not .NodeConfig.NoFlannel }}
 [plugins."io.containerd.grpc.v1.cri".cni]
-  bin_dir = "{{ .NodeConfig.AgentConfig.CNIBinDir }}"
-  conf_dir = "{{ .NodeConfig.AgentConfig.CNIConfDir }}"
+  bin_dir = {{ printf "%q" .NodeConfig.AgentConfig.CNIBinDir }}
+  conf_dir = {{ printf "%q" .NodeConfig.AgentConfig.CNIConfDir }}
 {{end}}
 
 {{- if or .NodeConfig.Containerd.BlockIOConfig .NodeConfig.Containerd.RDTConfig }}
 [plugins."io.containerd.service.v1.tasks-service"]
-  {{ if .NodeConfig.Containerd.BlockIOConfig }}blockio_config_file = "{{ .NodeConfig.Containerd.BlockIOConfig }}"{{end}}
-  {{ if .NodeConfig.Containerd.RDTConfig }}rdt_config_file = "{{ .NodeConfig.Containerd.RDTConfig }}"{{end}}
+  {{ if .NodeConfig.Containerd.BlockIOConfig }}blockio_config_file = {{ printf "%q" .NodeConfig.Containerd.BlockIOConfig }}{{end}}
+  {{ if .NodeConfig.Containerd.RDTConfig }}rdt_config_file = {{ printf "%q" .NodeConfig.Containerd.RDTConfig }}{{end}}
 {{end}}
 
 [plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runc]
@@ -120,8 +120,11 @@ enable_keychain = true
 [plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runc.options]
   SystemdCgroup = {{ .SystemdCgroup }}
 
+[plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runhcs-wcow-process]
+  runtime_type = "io.containerd.runhcs.v1"
+
 [plugins."io.containerd.grpc.v1.cri".registry]
-  config_path = "{{ .NodeConfig.Containerd.Registry }}"
+  config_path = {{ printf "%q" .NodeConfig.Containerd.Registry }}
 
 {{ if .PrivateRegistryConfig }}
 {{range $k, $v := .PrivateRegistryConfig.Configs }}

pkg/cli/agent/agent.go

@@ -6,7 +6,6 @@ import (
 	"fmt"
 	"os"
 	"path/filepath"
-	"runtime"
 
 	"github.com/gorilla/mux"
 	"github.com/k3s-io/k3s/pkg/agent"
@@ -19,8 +18,10 @@ import (
 	"github.com/k3s-io/k3s/pkg/profile"
 	"github.com/k3s-io/k3s/pkg/spegel"
 	"github.com/k3s-io/k3s/pkg/util"
+	"github.com/k3s-io/k3s/pkg/util/permissions"
 	"github.com/k3s-io/k3s/pkg/version"
 	"github.com/k3s-io/k3s/pkg/vpn"
+	"github.com/pkg/errors"
 	"github.com/rancher/wrangler/v3/pkg/signals"
 	"github.com/sirupsen/logrus"
 	"github.com/urfave/cli"
@@ -45,8 +46,10 @@ func Run(ctx *cli.Context) error {
 		return err
 	}
 
-	if runtime.GOOS != "windows" && os.Getuid() != 0 && !cmds.AgentConfig.Rootless {
-		return fmt.Errorf("agent must be run as root, or with --rootless")
+	if !cmds.AgentConfig.Rootless {
+		if err := permissions.IsPrivileged(); err != nil {
+			return errors.Wrap(err, "agent requires additional privilege if not run with --rootless")
+		}
 	}
 
 	if cmds.AgentConfig.TokenFile != "" {

pkg/cli/cmds/agent.go

@@ -158,7 +158,7 @@ var (
 		Name:        "pause-image",
 		Usage:       "(agent/runtime) Customized pause image for containerd or docker sandbox",
 		Destination: &AgentConfig.PauseImage,
-		Value:       DefaultPauseImage,
+		Value:       "rancher/mirrored-pause:3.6",
 	}
 	SnapshotterFlag = &cli.StringFlag{
 		Name:        "snapshotter",