kubernetes · medyagh · Oct 2, 2025 · Sep 26, 2025 · Sep 26, 2025 · Sep 26, 2025
diff --git a/.github/workflows/update-ubuntu-version.yml → .github/workflows/update-debian-version.yml b/.github/workflows/update-ubuntu-version.yml → .github/workflows/update-debian-version.yml
@@ -1,4 +1,4 @@
-name: "update-ubuntu-version"
+name: "update-debian-version"
 on:
   workflow_dispatch:
   schedule:
@@ -19,35 +19,35 @@ jobs:
         with:
           go-version: ${{env.GO_VERSION}}
       - name: Bump Ubuntu version
-        id: bumpUbuntu
+        id: bumpBaseOsImage
         run: |
           echo "OLD_VERSION=$(DEP=ubuntu make get-dependency-version)" >> "$GITHUB_OUTPUT"
-          make update-ubuntu-version
+          make update-debian-version
           echo "NEW_VERSION=$(DEP=ubuntu make get-dependency-version)" >> "$GITHUB_OUTPUT"
           # The following is to support multiline with GITHUB_OUTPUT, see https://docs.github.com/en/actions/using-workflows/workflow-commands-for-github-actions#multiline-strings
           echo "changes<<EOF" >> "$GITHUB_OUTPUT"
           echo "$(git status --porcelain)" >> "$GITHUB_OUTPUT"
           echo "EOF" >> "$GITHUB_OUTPUT"
       - name: Create PR
         id: createPR
-        if: ${{ steps.bumpUbuntu.outputs.changes != '' }}
+        if: ${{ steps.bumpBaseOsImage.outputs.changes != '' }}
         uses: peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e
         with:
           token: ${{ secrets.MINIKUBE_BOT_PAT }}
-          commit-message: 'Kicbase: Bump ubuntu:jammy from ${{ steps.bumpUbuntu.outputs.OLD_VERSION }} to ${{ steps.bumpUbuntu.outputs.NEW_VERSION }}'
+          commit-message: 'Kicbase: Bump debian:bookworm from ${{ steps.bumpBaseOsImage.outputs.OLD_VERSION }} to ${{ steps.bumpBaseOsImage.outputs.NEW_VERSION }}'
           committer: minikube-bot <minikube-bot@google.com>
           author: minikube-bot <minikube-bot@google.com>
-          branch: auto_bump_ubuntu_version
+          branch: auto_bump_debian_version
           push-to-fork: minikube-bot/minikube
           base: master
           delete-branch: true
-          title: 'Kicbase: Bump ubuntu:jammy from ${{ steps.bumpUbuntu.outputs.OLD_VERSION }} to ${{ steps.bumpUbuntu.outputs.NEW_VERSION }}'
+          title: 'Kicbase: Bump debian:bookworm from ${{ steps.bumpBaseOsImage.outputs.OLD_VERSION }} to ${{ steps.bumpBaseOsImage.outputs.NEW_VERSION }}'
           body: |
-            The ubuntu:jammy image released a new version
+            The debian:bookworm image released a new version
 
-            This PR was auto-generated by `make update-ubuntu-version` using [update-ubuntu-version.yml](https://github.com/kubernetes/minikube/tree/master/.github/workflows/update-ubuntu-version.yml) CI Workflow.
+            This PR was auto-generated by `make update-debian-version` using [update-debian-version.yml](https://github.com/kubernetes/minikube/tree/master/.github/workflows/update-debian-version.yml) CI Workflow.
       - uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd
-        if: ${{ steps.bumpUbuntu.outputs.changes != '' }}
+        if: ${{ steps.bumpBaseOsImage.outputs.changes != '' }}
         with:
           github-token: ${{ secrets.MINIKUBE_BOT_PAT }}
           script: |

diff --git a/.github/workflows/update-iso-image-versions.yml b/.github/workflows/update-iso-image-versions.yml
@@ -7,8 +7,8 @@ on:
         description: "Comma-separated list of make targets to run (e.g., update-buildkit-version,update-cni-plugins-version)"
         required: true
         # Uncomment after crictl/cri-o issue resolved: https://github.com/kubernetes/minikube/issues/18359
-        # default: "update-buildkit-version,update-cni-plugins-version,update-containerd-version,update-cri-o-version,update-crictl-version,update-crun-version,update-docker-version,update-docker-buildx-version,update-golang-version,update-nerdctl-version,update-nerdctld-version,update-runc-version,update-ubuntu-version"
-        default: "update-buildkit-version,update-cni-plugins-version,update-crun-version,update-docker-version,update-golang-version,update-runc-version,update-ubuntu-version"
+        # default: "update-buildkit-version,update-cni-plugins-version,update-containerd-version,update-cri-o-version,update-crictl-version,update-crun-version,update-docker-version,update-docker-buildx-version,update-golang-version,update-nerdctl-version,update-nerdctld-version,update-runc-version,update-debian-version"
+        default: "update-buildkit-version,update-cni-plugins-version,update-crun-version,update-docker-version,update-golang-version,update-runc-version,update-debian-version"
 env:
   GOPROXY: https://proxy.golang.org
   GO_VERSION: '1.24.6'

diff --git a/Makefile b/Makefile
@@ -1133,9 +1133,9 @@ update-runc-version:
 update-docker-version:
 	cd hack && go run update/docker_version/docker_version.go
 
-.PHONY: update-ubuntu-version
-update-ubuntu-version:
-	cd hack && go run update/ubuntu_version/ubuntu_version.go
+.PHONY: update-debian-version
+update-debian-version:
+	cd hack && go run update/debian_version/debian_version.go
 
 .PHONY: update-cni-plugins-version
 update-cni-plugins-version:

diff --git a/deploy/kicbase/Dockerfile b/deploy/kicbase/Dockerfile
@@ -18,10 +18,10 @@
 # https://systemd.io/CONTAINER_INTERFACE/
 
 
-# this ARG needs to be global to use it in `FROM` & is updated for new versions of ubuntu:jammy-*
-ARG UBUNTU_JAMMY_IMAGE="ubuntu:jammy-20250819"
+# this ARG needs to be global to use it in `FROM` & is updated for new versions of debian:bookworm-slim-*
+ARG KICBASE_IMAGE="debian:bookworm-20250908-slim"
 # multi-stage docker build so we can build auto-pause for arm64
-FROM golang:1.24.6 as auto-pause
+FROM golang:1.24.6 AS auto-pause
 WORKDIR /src
 # auto-pause depends on core minikube code so we need to pass the whole source code as the context
 # copy in the minimal amount of source code possible
@@ -37,12 +37,13 @@ ENV GOARCH=${TARGETARCH}
 ARG PREBUILT_AUTO_PAUSE
 RUN if [ "$PREBUILT_AUTO_PAUSE" != "true" ]; then cd ./cmd/auto-pause/ && go build -o auto-pause-${TARGETARCH}; fi
 
-# start from ubuntu 22.04, this image is reasonably small as a starting point
+# start from debin 12, this image is reasonably small as a starting point
 # for a kubernetes node image, it doesn't contain much we don't need
-FROM ${UBUNTU_JAMMY_IMAGE} as kicbase
+FROM ${KICBASE_IMAGE} AS kicbase
 
 ARG BUILDKIT_VERSION="v0.18.1"
-ARG CRIO_VERSION="1.24"
+ARG CRIO_VERSION="v1.34"
+ARG CRICTL_VERSION="v1.34.0"
 ARG CRI_DOCKERD_VERSION="v0.4.0"
 ARG CRI_DOCKERD_COMMIT="b9b889355f3002c01db294427964e454dfbc3feb"
 ARG CNI_PLUGINS_VERSION="v1.4.0"
@@ -140,6 +141,16 @@ RUN clean-install \
     # libglib2.0-0 is required for conmon, which is required for podman
     libglib2.0-0
 
+# Add support for rsa1 in sshd
+# modern debian-based OSs dont support rsa1 by default, so we need to enable it to support older ssh clients
+# TODO: remove after https://github.com/kubernetes/minikube/issues/21543 is solved
+RUN cat <<EOF >> /etc/ssh/sshd_config
+PubkeyAcceptedAlgorithms +ssh-rsa
+HostkeyAlgorithms +ssh-rsa
+PubkeyAuthentication yes
+PasswordAuthentication no
+EOF
+
 # Install nerdctl and nerdctld
 RUN export ARCH=$(dpkg --print-architecture) \
     && if [ "$ARCH" = 'amd64' ] || [ "$ARCH" = 'arm64' ]; then \
@@ -153,10 +164,15 @@ RUN export ARCH=$(dpkg --print-architecture) \
     fi
 
 # install docker
-RUN sh -c "echo 'deb https://download.docker.com/linux/ubuntu jammy stable' > /etc/apt/sources.list.d/docker.list" && \
-    curl -L https://download.docker.com/linux/ubuntu/gpg -o docker.key && \
-    apt-key add - < docker.key && \
-    clean-install docker-ce docker-ce-cli containerd.io docker-buildx-plugin
+## ref: https://docs.docker.com/engine/install/debian/#install-using-the-repository
+RUN install -m 0755 -d /etc/apt/keyrings \
+    && curl -fsSL https://download.docker.com/linux/debian/gpg -o /etc/apt/keyrings/docker.asc \
+    && chmod a+r /etc/apt/keyrings/docker.asc \
+    && echo \
+    "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/debian \
+    $(. /etc/os-release && echo "$VERSION_CODENAME") stable" | \
+    tee /etc/apt/sources.list.d/docker.list > /dev/null \
+    && clean-install docker-ce docker-ce-cli containerd.io docker-buildx-plugin
 
 # install buildkit
 RUN export ARCH=$(dpkg --print-architecture | sed 's/ppc64el/ppc64le/' | sed 's/armhf/arm-v7/') \
@@ -187,30 +203,57 @@ RUN clean-install podman && \
     echo "d /run/podman 0770 root podman" > /etc/tmpfiles.d/podman.conf && \
     systemd-tmpfiles --create
 
+ # install crictl
+RUN export ARCH=$(dpkg --print-architecture) && \
+    case "$ARCH" in \
+      amd64) CRICTL_ARCH="amd64" ;; \
+      arm64) CRICTL_ARCH="arm64" ;; \
+      armhf) CRICTL_ARCH="armhf" ;; \
+      ppc64el) CRICTL_ARCH="ppc64le" ;; \
+      s390x) CRICTL_ARCH="s390x" ;; \
+      *) echo "Unsupported architecture for crictl: $ARCH" && exit 1 ;; \
+    esac && \
+    if [ "$CRICTL_ARCH" != "armhf" ]; then \
+      curl -fsSL --retry 5 --output /tmp/crictl.tgz "https://github.com/kubernetes-sigs/cri-tools/releases/download/${CRICTL_VERSION}/crictl-${CRICTL_VERSION}-linux-${CRICTL_ARCH}.tar.gz" && \
+      tar -C /usr/local/bin -xzvf /tmp/crictl.tgz && \
+      rm -f /tmp/crictl.tgz && \
+      chmod +x /usr/local/bin/crictl && \
+      if [ -f /usr/local/bin/critest ]; then chmod +x /usr/local/bin/critest; fi; \
+    else \
+      echo "Skipping crictl install for armhf: No asset available in v1.34.0"; \
+    fi   
 # install cri-o dependencies:
 RUN export ARCH=$(dpkg --print-architecture | sed 's/ppc64el/ppc64le/') && \
-    sh -c "echo 'deb https://downloadcontent.opensuse.org/repositories/devel:/kubic:/libcontainers:/stable/xUbuntu_22.04/ /' > /etc/apt/sources.list.d/devel:kubic:libcontainers:stable.list" && \
-    curl -LO https://downloadcontent.opensuse.org/repositories/devel:kubic:libcontainers:stable/xUbuntu_22.04/Release.key && \
-    apt-key add - < Release.key && \
+    mkdir -p /etc/apt/keyrings && \
+    curl -fsSL https://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/stable/Debian_12/Release.key | \
+        gpg --dearmor --yes -o /etc/apt/keyrings/libcontainers-archive-keyring.gpg && \
+    sh -c "echo 'deb [signed-by=/etc/apt/keyrings/libcontainers-archive-keyring.gpg] https://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/stable/Debian_12/ /' > /etc/apt/sources.list.d/devel:kubic:libcontainers:stable.list" && \
     if [ "$ARCH" != "ppc64le" ]; then \
-        clean-install catatonit conmon cri-tools crun; \
+        clean-install catatonit crun; \
     else \
-        clean-install conmon crun; \
+        clean-install crun; \
     fi
-
 # install containernetworking-plugins
 RUN export ARCH=$(dpkg --print-architecture | sed 's/ppc64el/ppc64le/' | sed 's/armhf/arm/') && \
     curl -LO "https://github.com/containernetworking/plugins/releases/download/${CNI_PLUGINS_VERSION}/cni-plugins-linux-$ARCH-${CNI_PLUGINS_VERSION}.tgz" && \
     mkdir -p /opt/cni/bin && \
     tar -xf "cni-plugins-linux-$ARCH-${CNI_PLUGINS_VERSION}.tgz" -C /opt/cni/bin && \
     rm "cni-plugins-linux-$ARCH-${CNI_PLUGINS_VERSION}.tgz"
 
-# install cri-o based on https://github.com/cri-o/cri-o/blob/release-1.24/README.md#installing-cri-o
+# install cri-o from the OBS repositories
 RUN export ARCH=$(dpkg --print-architecture | sed 's/ppc64el/ppc64le/' | sed 's/armhf/arm-v7/') && \
-    if [ "$ARCH" != "ppc64le" ] && [ "$ARCH" != "arm-v7" ]; then sh -c "echo 'deb https://downloadcontent.opensuse.org/repositories/devel:/kubic:/libcontainers:/stable:/cri-o:/${CRIO_VERSION}/xUbuntu_22.04/ /' > /etc/apt/sources.list.d/devel:kubic:libcontainers:stable:cri-o:${CRIO_VERSION}.list" && \
-    curl -LO https://downloadcontent.opensuse.org/repositories/devel:/kubic:/libcontainers:/stable:/cri-o:/${CRIO_VERSION}/xUbuntu_22.04/Release.key && \
-    apt-key add - < Release.key && \
-    clean-install cri-o cri-o-runc; fi
+    if [ "$ARCH" != "ppc64le" ] && [ "$ARCH" != "arm-v7" ]; then \
+        mkdir -p /etc/apt/sources.list.d /etc/apt/trusted.gpg.d && \
+        echo 'deb http://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/stable/Debian_12/ /' \
+            > /etc/apt/sources.list.d/devel:kubic:libcontainers:stable.list && \
+        curl -fsSL https://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/stable/Debian_12/Release.key \
+            | gpg --dearmor --yes -o /etc/apt/trusted.gpg.d/devel_kubic_libcontainers_stable.gpg && \
+        echo "deb http://download.opensuse.org/repositories/isv:/cri-o:/stable:/${CRIO_VERSION}:/build/deb/ /" \
+            > "/etc/apt/sources.list.d/isv:cri-o:stable:${CRIO_VERSION}:build.list" && \
+        curl -fsSL "https://download.opensuse.org/repositories/isv:cri-o:stable:${CRIO_VERSION}:build/deb/Release.key" \
+            | gpg --dearmor --yes -o "/etc/apt/trusted.gpg.d/isv_cri-o_stable_${CRIO_VERSION}_build.gpg" && \
+        clean-install cri-o; \
+    fi
 
 # install NVIDIA container toolkit
 RUN export ARCH=$(dpkg --print-architecture) && \
@@ -236,29 +279,30 @@ COPY deploy/kicbase/scheduled-stop/minikube-scheduled-stop /var/lib/minikube/sch
 COPY deploy/kicbase/scheduled-stop/minikube-scheduled-stop.service /usr/lib/systemd/system/minikube-scheduled-stop.service
 RUN  chmod +x /var/lib/minikube/scheduled-stop/minikube-scheduled-stop
 
-# disable non-docker runtimes by default
+# disable non-docker runtimes by default (since cri-dockerd is default in minikube)
 RUN systemctl disable containerd
 # disable crio for archs that support it
 RUN export ARCH=$(dpkg --print-architecture | sed 's/ppc64el/ppc64le/' | sed 's/armhf/arm-v7/') && \
-    if [ "$ARCH" != "ppc64le" ] && [ "$ARCH" != "arm-v7" ]; then systemctl disable crio && rm /etc/crictl.yaml; fi
+    if [ "$ARCH" != "ppc64le" ] && [ "$ARCH" != "arm-v7" ]; then systemctl disable crio && rm -f /etc/crictl.yaml; fi
 # enable podman socket on archs that support it
 RUN export ARCH=$(dpkg --print-architecture | sed 's/ppc64el/ppc64le/') && if [ "$ARCH" != "ppc64le" ]; then systemctl enable podman.socket; fi
 # enable docker which is default
 RUN systemctl enable docker.service
-# making SSH work for docker container
-# based on https://github.com/rastasheep/ubuntu-sshd/blob/master/18.04/Dockerfile
-RUN mkdir /var/run/sshd
-RUN sed -ri 's/UsePAM yes/#UsePAM yes/g' /etc/ssh/sshd_config
 # minikube relies on /etc/hosts for control-plane discovery. This prevents nefarious DNS servers from breaking it.
 RUN sed -ri 's/dns files/files dns/g' /etc/nsswitch.conf
 
 EXPOSE 22
 # create docker user for minikube ssh. to match VM using "docker" as username
-RUN adduser --ingroup docker --disabled-password --gecos '' docker
-RUN adduser docker sudo
+# Ensure 'docker' group exists; create a 'docker' user with a shell
+## ref: https://docs.docker.com/engine/install/linux-postinstall/
+RUN groupadd -f docker \
+    && useradd -m -s /bin/bash -g docker -G sudo docker
+# Ensure the account is usable for key-only SSH - unlock the account, and disable password
+RUN usermod -p '*' docker && passwd -u docker && passwd -d docker
+RUN echo '%sudo ALL=(ALL) NOPASSWD:ALL' > /etc/sudoers.d/20-passwordless-sudo \
+    && chmod 0440 /etc/sudoers.d/20-passwordless-sudo
 RUN export ARCH=$(dpkg --print-architecture | sed 's/ppc64el/ppc64le/') && if [ "$ARCH" != "ppc64le" ]; then adduser docker podman; fi
 RUN adduser docker buildkit
-RUN echo '%sudo ALL=(ALL) NOPASSWD:ALL' >> /etc/sudoers
 USER docker
 RUN mkdir /home/docker/.ssh
 USER root