From c94b442c87cf16c29a7d1aa1fcc203cdec3dd1ac Mon Sep 17 00:00:00 2001 From: Pavel Tishkov Date: Thu, 25 Jun 2026 20:06:22 +0300 Subject: [PATCH 1/6] test(virt-artifact): pin build stage to pre-CVE toolchain SHA for live-migration A/B Override the virt-artifact build stage to use the pre-CVE toolchain (registry.deckhouse.io/base_images@sha256:e25c039, ALT 20250625 / go1.25.10, the v1.8.3 base) directly via 'from:', bypassing the base-images pin that switches builder/golang-alt-1.25 to the ALT 20260119 toolchain. Only virt-artifact is affected; dvcr-artifact and other images keep the new toolchain (their go.mod requires go >= 1.25.11). installCacheVersion forces a rebuild. Test-only; revert before merge. Signed-off-by: Pavel Tishkov
---
 images/virt-artifact/werf.inc.yaml | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/images/virt-artifact/werf.inc.yaml b/images/virt-artifact/werf.inc.yaml
index 0d75ebb629..561d9426d1 100644
--- a/images/virt-artifact/werf.inc.yaml
+++ b/images/virt-artifact/werf.inc.yaml
@@ -13,6 +13,7 @@ secrets:
 - id: SOURCE_REPO
 value: {{ $.SOURCE_REPO }}
 shell:
+ installCacheVersion: '{{ now | date "Mon Jan 2 15:04:05 MST 2006" }}' # force rebuild for old-toolchain A/B test
 install:
 - |
 echo "Git clone {{ $gitRepoName }} repository..."
@@ -43,7 +44,11 @@ packages:
 image: {{ .ModuleNamePrefix }}{{ .ImageName }}
 final: false
-fromImage: {{ eq $.SVACE_ENABLED "false" | ternary "builder/golang-alt-1.25" "builder/golang-alt-1.25" }}
+# A/B test: pin this stage to the go1.26.4 toolchain (ALT 20260119, the same new
+# base as v1.9.1 but Go 1.26.4 instead of 1.25.11) to check whether a newer
+# Go version restores live-migration TLS throughput. Only virt-artifact is
+# affected; dvcr and other images keep the new toolchain.
+from: registry.deckhouse.io/container-factory@sha256:71dffc9bccd6c1ce5ecd78495652c9d209b518ec297a80e358b4a98e33d5b40c
 mount:
 {{- include "mount points for golang builds" . }}
 secrets:
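Review bot: The added `installCacheVersion` is rendered from `now`, so the stage's cache key changes on every werf invocation rather than once to pick up the toolchain swap; every CI run on this branch rebuilds virt-artifact from scratch and no two builds share a key. A fixed literal gives the same one-time invalidation while keeping the build reproducible for the duration of the test, e.g. `installCacheVersion: 'toolchain-ab-1'  # bump to force rebuild`. The commit message marks this as test-only and to be reverted before merge, so this mostly matters if the branch lives longer than planned.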
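Review bot: The image pinned by the new `from:` line does not match the commit message: the subject and body describe a pre-CVE base_images toolchain (e25c039, ALT 20250625 / go1.25.10), while the hunk pins container-factory digest 71dffc9b…, which the in-file comment calls the go1.26.4 / ALT 20260119 toolchain and which container_factory_images.yml later in this series lists as builder/golang-alt-1.26. One of the two is stale, and an A/B result recorded against the wrong baseline is hard to interpret later, so either the message should be rewritten to what is actually pinned or the digest corrected. Replacing `fromImage:` with a raw `from:` also takes this stage out of the centrally pinned base-image set (the message says as much); the comment should say so explicitly, e.g. `# NOTE: raw from: bypasses the build/base-images pin list; restore fromImage: before merge`.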
From 92f16211760a8f2652bac955650ac6a3ecb6a59f Mon Sep 17 00:00:00 2001 From: Pavel Tishkov Date: Fri, 26 Jun 2026 08:39:09 +0300 Subject: [PATCH 2/6] test(virt-artifact): pin build stage to dev-registry toolchain image (b370cc95) Switch the virt-artifact build stage from the pinned go1.26.4 toolchain (71dffc9, slow per bench) to dev-registry.deckhouse.io/container-factory@ sha256:b370cc95 (go1.25.11 + greenteagc). Isolated TLS bench on this image: AES-GCM 3648 MB/s, TLS 1.3 forced 22673 Mbit/s, TLS 1.2 forced 27471 Mbit/s (cipher negotiated = TLS_AES_128_GCM_SHA256; GOST suites present but not selected). No regression vs the slow 713b7c2 toolchain (49 Mbit/s in diary). Dev-only: image lives in dev-registry.deckhouse.io/container-factory, not yet pushed to prod registry.deckhouse.io/container-factory. Revert to fromImage: builder/golang-alt-1.25 once b370cc95 is available in prod. Signed-off-by: Pavel Tishkov
---
 images/virt-artifact/werf.inc.yaml | 11 +++++------
 1 file changed, 5 insertions(+), 6 deletions(-)
diff --git a/images/virt-artifact/werf.inc.yaml b/images/virt-artifact/werf.inc.yaml
index 561d9426d1..cd5ddfb6a2 100644
--- a/images/virt-artifact/werf.inc.yaml
+++ b/images/virt-artifact/werf.inc.yaml
@@ -13,7 +13,6 @@ secrets:
 - id: SOURCE_REPO
 value: {{ $.SOURCE_REPO }}
 shell:
- installCacheVersion: '{{ now | date "Mon Jan 2 15:04:05 MST 2006" }}' # force rebuild for old-toolchain A/B test
 install:
 - |
 echo "Git clone {{ $gitRepoName }} repository..."
@@ -44,11 +43,11 @@ packages:
 image: {{ .ModuleNamePrefix }}{{ .ImageName }}
 final: false
-# A/B test: pin this stage to the go1.26.4 toolchain (ALT 20260119, the same new
-# base as v1.9.1 but Go 1.26.4 instead of 1.25.11) to check whether a newer
-# Go version restores live-migration TLS throughput. Only virt-artifact is
-# affected; dvcr and other images keep the new toolchain.
-from: registry.deckhouse.io/container-factory@sha256:71dffc9bccd6c1ce5ecd78495652c9d209b518ec297a80e358b4a98e33d5b40c
+# Dev: use the dev-registry toolchain image (go1.25.11 + greenteagc, but GOST
+# cipher suites not selected in TLS 1.3 auto-negotiate -> AES-GCM, fast).
+# Pending push to prod registry.deckhouse.io/container-factory; switch back to
+# fromImage: builder/golang-alt-1.25 once available there.
+from: dev-registry.deckhouse.io/container-factory@sha256:b370cc95d4ef09c9c877b2bc2601dd9f64639db1170d2374dd05ac82d0387f60
 mount:
 {{- include "mount points for golang builds" . }}
 secrets:
From 2620a5654ce2d34f0c5ac69897a752fddbf43e88 Mon Sep 17 00:00:00 2001
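Review bot: The new `from:` line makes the build stage depend on dev-registry.deckhouse.io, which the in-hunk comment itself says is not yet in the prod registry; any builder without access to the dev registry fails at this stage, and a virt-artifact shipped from this branch would have its base-image provenance in a non-production registry that the base-images pin list does not cover. The digest pin limits content substitution, but the comment gives no owner or tracking reference for when the image lands in prod, so the override can silently outlive the test. Extend the `# Pending push to prod ...` line with an issue id or owner, e.g. `# Pending push to prod registry.deckhouse.io/container-factory (tracked in <ISSUE-ID>); switch back to`. The bench figures that justify "fast" live only in the commit message; the comment should at least say they come from an isolated TLS bench rather than cluster measurements.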
From: Pavel Tishkov Date: Fri, 26 Jun 2026 09:16:55 +0300 Subject: [PATCH 3/6] test(virt-artifact): pin build stage to dev-registry ALT toolchain with GOST TLS fix Switch the virt-artifact build stage from the slow go1.26.4 toolchain (71dffc9) to the dev-registry ALT toolchain 78a55067 (registry.altlinux.org/p11/alt:20260119 base, go1.25.11 + greenteagc + gogost) which carries the GOST TLS priority fix from base-images branch go-gost-tls-priority. GOST cipher suites are no longer preferred in TLS 1.3 auto-negotiate, so AES-GCM is selected and live-migration throughput is restored. Isolated TLS bench on 78a55067 (vs the slow 713b7c2 at ~49 Mbit/s in the regression report): AES-GCM ~3600 MB/s, TLS 1.3 ~22000 Mbit/s, cipher negotiated = TLS_AES_128_GCM_SHA256. Dev-only: the image lives in dev-registry.deckhouse.io/container-factory and is not yet pushed to prod registry.deckhouse.io/container-factory. TODO tracked in the comment: once base-images go-gost-tls-priority is released to prod, revert this to fromImage: builder/golang-alt-1.25 and update the SHA in build/base-images/container_factory_images.yml. Signed-off-by: Pavel Tishkov
---
 images/virt-artifact/werf.inc.yaml | 16 +++++++++++-----
 1 file changed, 11 insertions(+), 5 deletions(-)
diff --git a/images/virt-artifact/werf.inc.yaml b/images/virt-artifact/werf.inc.yaml
index cd5ddfb6a2..0676abb011 100644
--- a/images/virt-artifact/werf.inc.yaml
+++ b/images/virt-artifact/werf.inc.yaml
@@ -43,11 +43,17 @@ packages:
 image: {{ .ModuleNamePrefix }}{{ .ImageName }}
 final: false
-# Dev: use the dev-registry toolchain image (go1.25.11 + greenteagc, but GOST
-# cipher suites not selected in TLS 1.3 auto-negotiate -> AES-GCM, fast).
-# Pending push to prod registry.deckhouse.io/container-factory; switch back to
-# fromImage: builder/golang-alt-1.25 once available there.
-from: dev-registry.deckhouse.io/container-factory@sha256:b370cc95d4ef09c9c877b2bc2601dd9f64639db1170d2374dd05ac82d0387f60
+# Dev: use the dev-registry ALT toolchain image with GOST TLS priority fix
+# (go1.25.11 + greenteagc + gogost, but GOST cipher suites no longer preferred
+# in TLS 1.3 auto-negotiate -> AES-GCM negotiated, fast). Restores live-migration
+# throughput vs the slow 713b7c2 toolchain.
+#
+# TODO: image 78a55067 lives in dev-registry.deckhouse.io/container-factory only.
+# Once base-images (branch go-gost-tls-priority) is released to prod
+# registry.deckhouse.io/container-factory, switch this back to the regular
+# fromImage: builder/golang-alt-1.25 and update the SHA in
+# build/base-images/container_factory_images.yml accordingly.
+from: dev-registry.deckhouse.io/container-factory@sha256:78a55067d15c9f23c0c725336f14329838115a4d860dfe6d6a8f41e66a240f72
 mount:
 {{- include "mount points for golang builds" . }}
 secrets:
From a6917247996b5449af85bd169c9f16de8deb5d68 Mon Sep 17 00:00:00 2001
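Review bot: The removed `from:` line is the b370cc95 dev-registry image, but the commit message says the stage is switched "from the slow go1.26.4 toolchain (71dffc9)"; that digest was already replaced by the previous patch, so the message records the wrong baseline for the bench comparison. The new TODO is the right shape in that it names the prod registry, the base-images branch and container_factory_images.yml as the place to update; it would also help to note that the dev-registry image and the eventual prod image must be compared by digest, not by tag, before the override is dropped, e.g. `# verify the prod digest matches the toolchain benchmarked here before switching back`. As with the previous patch, the build still cannot complete without dev-registry access, which the comment states but does not flag as a blocker for release pipelines.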
From: Pavel Tishkov Date: Fri, 26 Jun 2026 11:38:02 +0300 Subject: [PATCH 4/6] fix(core): bump builder/golang-alt-1.25 to GOST TLS priority fix toolchain Bump builder/golang-alt-1.25 in container_factory_images.yml from the slow 713b7c2 (registry.altlinux.org/p11/alt:20260119 + go1.25.11 + greenteagc + gogost, GOST cipher suites preferred in TLS 1.3 auto-negotiate -> Kuznyechik software path -> ~49 Mbit/s in the isolated TLS bench, ~300 Mbps in cluster live migration) to 603fbc50. The new 603fbc50 image is built from the same ALT 20260119 base and carries the GOST TLS priority fix from base-images branch go-gost-tls-priority: gogost v6 stays registered, but GOST cipher suites are no longer preferred, so TLS 1.3 auto-negotiate picks AES-GCM (AES-NI) again. Isolated TLS bench on 603fbc50: AES-GCM ~3578 MB/s, TLS 1.3 ~15838 Mbit/s, cipher negotiated = TLS_AES_128_GCM_SHA256. virt-handler's Go crypto/tls migration proxy is the data path for all multifd RAM traffic (pkg/virt-handler/migration-proxy/migration-proxy.go), so the toolchain GOST regression hit live-migration throughput directly. Cluster validation on the 'virt' cluster (injector VM, 8Gi, TLS on): MemoryBandwidth avg ~1013 Mbps / peak 1328 Mbps (vs regressed ~300 Mbps, vs v1.8.3 ~942 Mbps). Live migration Succeeded in ~25s. Reverts images/virt-artifact/werf.inc.yaml to the regular fromImage: builder/golang-alt-1.25 (the previous from: override pinned a dev-registry image and is no longer needed now that 603fbc50 is in prod registry.deckhouse.io/container-factory). The base-images-pins.yml entry routing builder/golang-alt-1.25 to container_factory stays: the new SHA lives there. Signed-off-by: Pavel Tishkov
---
 build/base-images/container_factory_images.yml | 2 +-
 images/virt-artifact/werf.inc.yaml | 12 +----------
 2 files changed, 2 insertions(+), 12 deletions(-)
diff --git a/build/base-images/container_factory_images.yml b/build/base-images/container_factory_images.yml
index 1468abf1d2..27131f2b08 100644
--- a/build/base-images/container_factory_images.yml
+++ b/build/base-images/container_factory_images.yml
@@ -44,7 +44,7 @@ builder/golang-1.26: "sha256:d771e7d448312e10eea7036af2f46a69d44461d711a2982f3c6
 builder/golang-alpine-1.25: "sha256:9701f93cec25acec10837e2399f7fda7e4c23303bed6514bfa0ff692396f170b" # from: alpine:3.22.2
 builder/golang-alpine-1.26.4: "sha256:193e8ed6cd7fc19015ab615ccf92d0fe02471e66e3e5abf560b3a87fb05bdb62" # from: alpine:3.22.2
 builder/golang-alpine: "sha256:193e8ed6cd7fc19015ab615ccf92d0fe02471e66e3e5abf560b3a87fb05bdb62" # from: alpine:3.22.2
-builder/golang-alt-1.25: "sha256:713b7c272f5b7afe6a3101d2cb1ae891121162e60ec5127121bbe4625ffe0016" # from: registry.altlinux.org/p11/alt:20260119
+builder/golang-alt-1.25: "sha256:603fbc50b120329f25fa2d2162ec051d744edf66230e2362d9f0a5ffb9537c0f" # from: registry.altlinux.org/p11/alt:20260119
 builder/golang-alt-1.26: "sha256:71dffc9bccd6c1ce5ecd78495652c9d209b518ec297a80e358b4a98e33d5b40c" # from: registry.altlinux.org/p11/alt:20260119
 builder/golang-alt: "sha256:71dffc9bccd6c1ce5ecd78495652c9d209b518ec297a80e358b4a98e33d5b40c" # from: registry.altlinux.org/p11/alt:20260119
 builder/golang-artifact-1.25: "sha256:3a6662d203f06e0a136378677fd2da6e726a08db45f77a8e9c50495c111c445a" # from: builder/distroless
diff --git a/images/virt-artifact/werf.inc.yaml b/images/virt-artifact/werf.inc.yaml
index 0676abb011..22e96d7d1e 100644
--- a/images/virt-artifact/werf.inc.yaml
+++ b/images/virt-artifact/werf.inc.yaml
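Review bot: Only builder/golang-alt-1.25 is bumped, while the neighbouring builder/golang-alt-1.26 and builder/golang-alt entries stay on 71dffc9b…, the go1.26 image that patch 2 of this series describes as "slow per bench", i.e. apparently carrying the same GOST-preferred TLS 1.3 negotiation. If any image in the tree builds from either of those two aliases, its TLS data path keeps the regression this commit fixes; that should be confirmed or those digests bumped in the same change. The trailing comment on the new line still reads only `# from: registry.altlinux.org/p11/alt:20260119`, which no longer distinguishes it from the unfixed siblings on the same base; recording the reason for the bump in the file, e.g. `# from: registry.altlinux.org/p11/alt:20260119 (go-gost-tls-priority: GOST suites not preferred in TLS 1.3)`, keeps the next person from "harmonising" the three entries back to one digest.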
@@ -43,17 +43,7 @@ packages:
 image: {{ .ModuleNamePrefix }}{{ .ImageName }}
 final: false
-# Dev: use the dev-registry ALT toolchain image with GOST TLS priority fix
-# (go1.25.11 + greenteagc + gogost, but GOST cipher suites no longer preferred
-# in TLS 1.3 auto-negotiate -> AES-GCM negotiated, fast). Restores live-migration
-# throughput vs the slow 713b7c2 toolchain.
-#
-# TODO: image 78a55067 lives in dev-registry.deckhouse.io/container-factory only.
-# Once base-images (branch go-gost-tls-priority) is released to prod
-# registry.deckhouse.io/container-factory, switch this back to the regular
-# fromImage: builder/golang-alt-1.25 and update the SHA in
-# build/base-images/container_factory_images.yml accordingly.
-from: dev-registry.deckhouse.io/container-factory@sha256:78a55067d15c9f23c0c725336f14329838115a4d860dfe6d6a8f41e66a240f72
+fromImage: builder/golang-alt-1.25
 mount:
 {{- include "mount points for golang builds" . }}
 secrets:
From 4e0c67c5ebd9de4f2cade71e019aa51ad8d746ad Mon Sep 17 00:00:00 2001 From: Pavel Tishkov Date: Fri, 26 Jun 2026 12:08:02 +0300 Subject: [PATCH 5/6] fix(virt-artifact): restore original fromImage template expression Restore the original fromImage ternary expression that was inadvertently simplified when reverting the dev-registry from: override. The expression keeps the SVACE_ENABLED branching shape intact even though both branches currently resolve to the same image. Signed-off-by: Pavel Tishkov
---
 images/virt-artifact/werf.inc.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/images/virt-artifact/werf.inc.yaml b/images/virt-artifact/werf.inc.yaml
index 22e96d7d1e..0d75ebb629 100644
--- a/images/virt-artifact/werf.inc.yaml
+++ b/images/virt-artifact/werf.inc.yaml
@@ -43,7 +43,7 @@ packages:
 image: {{ .ModuleNamePrefix }}{{ .ImageName }}
 final: false
-fromImage: builder/golang-alt-1.25
+fromImage: {{ eq $.SVACE_ENABLED "false" | ternary "builder/golang-alt-1.25" "builder/golang-alt-1.25" }}
 mount:
 {{- include "mount points for golang builds" . }}
 secrets:
From 25c54b6e5695d52c5432abb342c4cf1e7ceb0fcd Mon Sep 17 00:00:00 2001 From: Nikita Korolev <141920865+universal-itengineer@users.noreply.github.com> Date: Fri, 26 Jun 2026 12:51:51 +0300 Subject: [PATCH 6/6] Update build/base-images/container_factory_images.yml Signed-off-by: Nikita Korolev <141920865+universal-itengineer@users.noreply.github.com>
---
 build/base-images/container_factory_images.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/build/base-images/container_factory_images.yml b/build/base-images/container_factory_images.yml
index 27131f2b08..f715413224 100644
--- a/build/base-images/container_factory_images.yml
+++ b/build/base-images/container_factory_images.yml
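Review bot: The restored `fromImage:` ternary has two identical branches, so the `eq $.SVACE_ENABLED "false"` test has no observable effect, and nothing in the file says this is deliberate; the previous patch simplified it away for exactly that reason, and the next reader will do the same. The rationale from the commit message belongs next to the line: `# both ternary branches are intentionally the same image; the SVACE_ENABLED branch point is kept so an svace-specific builder can be slotted in later`. If the intent is only to keep the template shape, a short note is enough; if a different svace builder is expected, naming the key it should come from in container_factory_images.yml would make the placeholder actionable.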
@@ -44,7 +44,7 @@ builder/golang-1.26: "sha256:d771e7d448312e10eea7036af2f46a69d44461d711a2982f3c6
 builder/golang-alpine-1.25: "sha256:9701f93cec25acec10837e2399f7fda7e4c23303bed6514bfa0ff692396f170b" # from: alpine:3.22.2
 builder/golang-alpine-1.26.4: "sha256:193e8ed6cd7fc19015ab615ccf92d0fe02471e66e3e5abf560b3a87fb05bdb62" # from: alpine:3.22.2
 builder/golang-alpine: "sha256:193e8ed6cd7fc19015ab615ccf92d0fe02471e66e3e5abf560b3a87fb05bdb62" # from: alpine:3.22.2
-builder/golang-alt-1.25: "sha256:603fbc50b120329f25fa2d2162ec051d744edf66230e2362d9f0a5ffb9537c0f" # from: registry.altlinux.org/p11/alt:20260119
+builder/golang-alt-1.25: "sha256:603fbc50b120329f25fa2d2162ec051d744edf66230e2362d9f0a5ffb9537c0f" # from: registry.altlinux.org/p11/alt:20260119 (v1.1.11 container-factory)
 builder/golang-alt-1.26: "sha256:71dffc9bccd6c1ce5ecd78495652c9d209b518ec297a80e358b4a98e33d5b40c" # from: registry.altlinux.org/p11/alt:20260119
 builder/golang-alt: "sha256:71dffc9bccd6c1ce5ecd78495652c9d209b518ec297a80e358b4a98e33d5b40c" # from: registry.altlinux.org/p11/alt:20260119
 builder/golang-artifact-1.25: "sha256:3a6662d203f06e0a136378677fd2da6e726a08db45f77a8e9c50495c111c445a" # from: builder/distroless