Skip to content

iso: support building the arm64 ISO on an arm64 host#22862

Open
abedegno wants to merge 2 commits intokubernetes:masterfrom
abedegno:iso-aarch64-host-build
Open

iso: support building the arm64 ISO on an arm64 host#22862
abedegno wants to merge 2 commits intokubernetes:masterfrom
abedegno:iso-aarch64-host-build

Conversation

@abedegno
Copy link
Copy Markdown

@abedegno abedegno commented Apr 19, 2026

Fix for arm64-host buildroot builds of the minikube arm64 ISO.

Problem

On an arm64 Linux host (e.g. Colima on Apple Silicon), make minikube-iso-aarch64 completes with exit 0 but silently produces a ~319 MB ISO instead of the expected ~403 MB. The ISO boots fine, but minikube start fails during provisioning:

diff: can't stat '/lib/systemd/system/docker.service': No such file or directory
Created symlink '/etc/systemd/system/multi-user.target.wants/docker.service' -> '/usr/lib/systemd/system/docker.service'.
Job for docker.service failed because the control process exited with error code.

Same failure mode on vfkit, qemu2, and virtualbox (so it isn't driver-specific).

Root cause

buildroot's BR2_PACKAGE_HOST_GO_BOOTSTRAP_STAGE1_ARCH_SUPPORTS only default-y's for x86, x86_64 and arm hosts. When the buildroot host is aarch64 the symbol stays unset, which leaves BR2_PACKAGE_HOST_GO_TARGET_ARCH_SUPPORTS unset, which silently drops every Go-target package: cri-dockerd-aarch64, cni-plugins-latest-aarch64, podman, crio-bin, plus transitive deps. docker-bin-aarch64 has no host-go dependency and still installs, which is why the docker binary ends up in the ISO but none of the CRI service glue does.

The gate is the right shape for host-go-src (source bootstrap of Go has real host arch restrictions), but minikube resolves host-go via host-go-bin which has a prebuilt Go binary for aarch64 and works fine. The stage1 gate is overly strict for the host-go-bin case.

Fix

Adds a buildroot patch at deploy/iso/minikube-iso/patches/buildroot/0001-host-go-aarch64-stage1.patch:

--- a/package/go/go-bootstrap-stage1/Config.in.host
+++ b/package/go/go-bootstrap-stage1/Config.in.host
@@ -4,3 +4,4 @@ config BR2_PACKAGE_HOST_GO_BOOTSTRAP_STAGE1_ARCH_SUPPORTS
 	default y if BR2_HOSTARCH = "x86"
 	default y if BR2_HOSTARCH = "x86_64"
 	default y if BR2_HOSTARCH = "arm"
+	default y if BR2_HOSTARCH = "aarch64"

Extends the buildroot: target in the top-level Makefile to apply any *.patch files dropped into that directory right after the initial git clone. Any future per-host fixes can be added there without further Makefile work.

The proper long-term fix belongs upstream in buildroot; this is a pragmatic near-term workaround so local arm64-host builds produce the same artifact as CI.

Test

On darwin/arm64 (M-series Mac, Colima --vm-type vz --arch aarch64):

  • Before this PR: ISO 319 MB, provisioning fails on all drivers at docker.service restart.
  • After this PR: ISO 403 MB (size-matches the published minikube-v1.38.0-arm64.iso), cri-docker.service, crio.service, podman.service, cri-dockerd/crio/podman binaries all present.
  • minikube start --driver=vfkit|qemu2|virtualbox all produce a Ready control-plane node on the newly-built ISO.
  • make minikube-iso-x86_64 unaffected (patch only activates on aarch64 hosts).

Upstream CI (x86_64 builders) is unaffected.

Related

Add a buildroot patch applied during the 'buildroot' target after
clone. The patch extends BR2_PACKAGE_HOST_GO_BOOTSTRAP_STAGE1_ARCH_SUPPORTS's
default-y list to include aarch64, matching the arches that host-go-bin
actually supports.

Without it, on an arm64 host BR2_PACKAGE_HOST_GO_TARGET_ARCH_SUPPORTS
is unset and every Go-target package (cri-dockerd, cni-plugins,
podman, crio-bin, ...) silently drops out of the arm64 minikube ISO,
producing a 319 MB image that fails provisioning at the docker.service
restart step. With the patch the ISO is back to the expected ~403 MB
and boots cleanly under vfkit, qemu2, and virtualbox.

The proper fix belongs upstream in buildroot; this is a pragmatic
near-term workaround for local arm64-host builds (e.g. Colima on
Apple Silicon). The new patches/buildroot/ directory is wired into
the existing 'buildroot' target so any future per-host fixes can be
dropped there without further Makefile changes.
@k8s-ci-robot k8s-ci-robot added cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. size/M Denotes a PR that changes 30-99 lines, ignoring generated files. labels Apr 19, 2026
@k8s-ci-robot
Copy link
Copy Markdown
Contributor

Hi @abedegno. Thanks for your PR.

I'm waiting for a kubernetes member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work.

Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@minikube-bot
Copy link
Copy Markdown
Collaborator

Can one of the admins verify this patch?

@nirs
Copy link
Copy Markdown
Contributor

nirs commented Apr 19, 2026

/ok-to-build-iso

@nirs
Copy link
Copy Markdown
Contributor

nirs commented Apr 19, 2026

/cc @afbjorklund

@nirs
Copy link
Copy Markdown
Contributor

nirs commented Apr 19, 2026

/cc @medyagh

@k8s-ci-robot k8s-ci-robot requested a review from medyagh April 19, 2026 19:09
Copy link
Copy Markdown
Contributor

@nirs nirs left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Changes looks good to me, but the best way to validate the change is to post a patch to buildroot. The fix is like much simpler if we don't have to keep a patch file.

@nirs
Copy link
Copy Markdown
Contributor

nirs commented Apr 19, 2026

@abedegno maybe open an issue for building on macOS? the existing issue is about building on Fedora - but the issue fixed here is not related to Fedora.

@minikube-bot
Copy link
Copy Markdown
Collaborator

Hi @abedegno, we have updated your PR with the reference to newly built ISO. Pull the changes locally if you want to test with them or update your PR further.

@nirs
Copy link
Copy Markdown
Contributor

nirs commented Apr 20, 2026

/ok-to-test

@k8s-ci-robot k8s-ci-robot added ok-to-test Indicates a non-member PR verified by an org member that is safe to test. and removed needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. labels Apr 20, 2026
@minikube-pr-bot
Copy link
Copy Markdown

kvm2 driver with docker runtime

┌────────────────┬──────────┬────────────────────────┐
│    COMMAND     │ MINIKUBE │ MINIKUBE  ( PR 22862 ) │
├────────────────┼──────────┼────────────────────────┤
│ minikube start │ 36.1s    │ 36.1s                  │
│ enable ingress │ 15.5s    │ 15.6s                  │
└────────────────┴──────────┴────────────────────────┘
Details

Times for minikube (PR 22862) start: 37.3s 35.5s 36.5s 35.7s 35.3s
Times for minikube start: 34.9s 34.4s 35.3s 38.8s 37.0s

Times for minikube (PR 22862) ingress: 16.2s 15.2s 15.7s 15.7s 15.2s
Times for minikube ingress: 15.2s 15.7s 15.2s 15.2s 16.2s

docker driver with docker runtime

┌────────────────┬──────────┬────────────────────────┐
│    COMMAND     │ MINIKUBE │ MINIKUBE  ( PR 22862 ) │
├────────────────┼──────────┼────────────────────────┤
│ minikube start │ 21.3s    │ 19.3s                  │
│ enable ingress │ 16.6s    │ 16.6s                  │
└────────────────┴──────────┴────────────────────────┘
Details

Times for minikube (PR 22862) start: 20.6s 18.1s 21.6s 18.4s 17.9s
Times for minikube start: 20.7s 21.2s 21.5s 21.5s 21.5s

Times for minikube ingress: 10.6s 10.6s 40.6s 10.6s 10.6s
Times for minikube (PR 22862) ingress: 10.6s 10.6s 10.6s 10.6s 40.6s

docker driver with containerd runtime

┌────────────────┬──────────┬────────────────────────┐
│    COMMAND     │ MINIKUBE │ MINIKUBE  ( PR 22862 ) │
├────────────────┼──────────┼────────────────────────┤
│ minikube start │ 17.4s    │ 18.1s                  │
│ enable ingress │ 23.1s    │ 23.3s                  │
└────────────────┴──────────┴────────────────────────┘
Details

Times for minikube start: 16.7s 16.2s 16.0s 18.8s 19.3s
Times for minikube (PR 22862) start: 16.8s 20.3s 19.3s 18.6s 15.6s

Times for minikube ingress: 23.1s 23.1s 23.1s 23.1s 23.1s
Times for minikube (PR 22862) ingress: 23.1s 23.1s 24.1s 23.1s 23.1s

@abedegno
Copy link
Copy Markdown
Author

Quick triage of the failed lanes - they all look environmental to me, and I don't think anything this PR changes can affect them. Flagging so we can kick a retest rather than chase them.

@abedegno
Copy link
Copy Markdown
Author

/retest

afbjorklund

This comment was marked as resolved.

@k8s-ci-robot
Copy link
Copy Markdown
Contributor

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: abedegno, afbjorklund
Once this PR has been reviewed and has the lgtm label, please assign medyagh for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@afbjorklund
Copy link
Copy Markdown
Collaborator

afbjorklund commented Apr 20, 2026

It will be hard to get patches from upstream, if never updating the operating system...

(this bug is on master too, though. buildroot doesn't really try to build on non-x86)

@abedegno
Copy link
Copy Markdown
Author

Two failed lanes from the previous retest - appear to be environmental again.

Retesting both lanes individually:

/test pull-minikube-kvm-docker-linux-x86
/test pull-minikube-docker-crio-linux-x86

@abedegno
Copy link
Copy Markdown
Author

@abedegno maybe open an issue for building on macOS? the existing issue is about building on Fedora - but the issue fixed here is not related to Fedora.

@nirs Done #22866

@nirs
Copy link
Copy Markdown
Contributor

nirs commented Apr 20, 2026

It will be hard to get patches from upstream, if never updating the operating system...

Sure, this is another gap we need to close.

(this bug is on master too, though. buildroot doesn't really try to build on non-x86)

We also build on x86_64 in CI, but we want to build on aarch64 in GitHub actions for faster build.

@k8s-ci-robot
Copy link
Copy Markdown
Contributor

k8s-ci-robot commented Apr 20, 2026

@abedegno: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name Commit Details Required Rerun command
pull-minikube-docker-crio-linux-x86 ee198bd link false /test pull-minikube-docker-crio-linux-x86

Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

@abedegno
Copy link
Copy Markdown
Author

All required checks green:

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. ok-to-test Indicates a non-member PR verified by an org member that is safe to test. size/M Denotes a PR that changes 30-99 lines, ignoring generated files.

Projects

None yet

Development

Successfully merging this pull request may close these issues.

iso: building arm64 ISO on an aarch64 host drops Go-target packages

6 participants