diff --git a/.gitignore b/.gitignore index 450c3260..ce0c3ce5 100644 --- a/.gitignore +++ b/.gitignore @@ -1,3 +1,3 @@ -.idea -.vscode/ +.qemu.downloaded hello-* +qemu-*-static diff --git a/.semaphore/semaphore.yml b/.semaphore/semaphore.yml index 3ebc0f6e..8f4d7c9e 100644 --- a/.semaphore/semaphore.yml +++ b/.semaphore/semaphore.yml @@ -2,11 +2,11 @@ version: v1.0 name: go-build agent: machine: - type: e1-standard-2 - os_image: ubuntu1804 + type: e1-standard-4 + os_image: ubuntu2004 execution_time_limit: - minutes: 60 + minutes: 120 global_job_config: secrets: @@ -46,7 +46,7 @@ blocks: - if [ "${TARGET_ARCH}" == "amd64" ]; then cd felix && make ut && cd ../calicoctl && make ut && cd ../libcalico-go && make ut; fi matrix: - env_var: TARGET_ARCH - values: ["amd64", "arm64","armv7", "ppc64le", "s390x"] + values: ["amd64", "arm64", "ppc64le", "s390x"] - name: "Push manifest" skip: diff --git a/Dockerfile b/Dockerfile new file mode 100644 index 00000000..4207aa8d --- /dev/null +++ b/Dockerfile 
@@ -0,0 +1,192 @@
+ARG TARGETARCH=${TARGETARCH}
+
+FROM calico/bpftool:v5.3-${TARGETARCH} as bpftool
+
+FROM registry.access.redhat.com/ubi8/ubi:latest
+
+ARG TARGETARCH
+
+ARG GOLANG_VERSION=1.21.4
+ARG GOLANG_SHA256_AMD64=73cac0215254d0c7d1241fa40837851f3b9a8a742d0b54714cbdfb3feaf8f0af
+ARG GOLANG_SHA256_ARM64=ce1983a7289856c3a918e1fd26d41e072cc39f928adfb11ba1896440849b95da
+ARG GOLANG_SHA256_PPC64LE=2c63b36d2adcfb22013102a2ee730f058ec2f93b9f27479793c80b2e3641783f
+ARG GOLANG_SHA256_S390X=7a75ba4afc7a96058ca65903d994cd862381825d7dca12b2183f087c757c26c0
+
+ARG CONTAINERREGISTRY_VERSION=v0.16.1
+ARG GO_LINT_VERSION=v1.55.2
+ARG K8S_VERSION=v1.27.8
+ARG MOCKERY_VERSION=2.36.1
+
+ARG CALICO_CONTROLLER_TOOLS_VERSION=calico-0.1
+
+ENV PATH /usr/local/go/bin:$PATH
+
+# Enable non-native runs on amd64 architecture hosts
+# Supported qemu-user-static arch files are copied in Makefile `download-qemu` target
+COPY qemu-*-static /usr/bin
+
+# Install system dependencies and enable epel
+RUN dnf upgrade -y && dnf install -y \
+ autoconf \
+ automake \
+ clang \
+ gcc \
+ gcc-c++ \
+ git \
+ glibc-static \
+ iputils \
+ jq \
+ libcurl-devel \
+ libpcap-devel \
+ libtool \
+ llvm \
+ make \
+ openssh-clients \
+ pcre-devel \
+ pkg-config \
+ wget \
+ zip
+
+# Install system dependencies that are not in UBI repos
+COPY rockylinux/Rocky*.repo /etc/yum.repos.d/
+
+RUN set -eux; \
+ if [ "${TARGETARCH}" = "amd64" ] || [ "${TARGETARCH}" = "arm64" ]; then \
+ dnf --enablerepo=baseos,extras,powertools install -y \
+ elfutils-libelf-devel \
+ epel-release \
+ iproute-devel \
+ iproute-tc \
+ libbpf-devel \
+ lmdb-libs; \
+ # requires epel-release package to be installed first
+ dnf install -y \
+ GeoIP-devel \
+ libmodsecurity-devel; \
+ fi
+
+RUN dnf clean all
+
+# Install Go official release
+RUN set -eux; \
+ url=; \
+ case "${TARGETARCH}" in \
+ 'amd64') \
+ url="https://dl.google.com/go/go${GOLANG_VERSION}.linux-amd64.tar.gz"; \
+ sha256="${GOLANG_SHA256_AMD64}"; \
+ ;; \
+ 'arm64') \
+ url="https://dl.google.com/go/go${GOLANG_VERSION}.linux-arm64.tar.gz"; \
+ sha256="${GOLANG_SHA256_ARM64}"; \
+ ;; \
+ 'ppc64le') \
+ url="https://dl.google.com/go/go${GOLANG_VERSION}.linux-ppc64le.tar.gz"; \
+ sha256="${GOLANG_SHA256_PPC64LE}"; \
+ ;; \
+ 's390x') \
+ url="https://dl.google.com/go/go${GOLANG_VERSION}.linux-s390x.tar.gz"; \
+ sha256="${GOLANG_SHA256_S390X}"; \
+ ;; \
+ *) echo >&2 "error: unsupported architecture '${TARGETARCH}'"; exit 1 ;; \
+ esac; \
+ \
+ wget -O go.tgz.asc "$url.asc"; \
+ wget -O go.tgz "$url" --progress=dot:giga; \
+ echo "$sha256 *go.tgz" | sha256sum -c -; \
+ \
+ # https://github.com/golang/go/issues/14739#issuecomment-324767697
+ GNUPGHOME="$(mktemp -d)"; export GNUPGHOME; \
+ # https://www.google.com/linuxrepositories/
+ gpg --batch --keyserver keyserver.ubuntu.com --recv-keys 'EB4C 1BFD 4F04 2F6D DDCC EC91 7721 F63B D38B 4796'; \
+ # let's also fetch the specific subkey of that key explicitly that we expect "go.tgz.asc" to be signed by, just to make sure we definitely have it
+ gpg --batch --keyserver keyserver.ubuntu.com --recv-keys '2F52 8D36 D67B 69ED F998 D857 78BD 6547 3CB3 BD13'; \
+ gpg --batch --verify go.tgz.asc go.tgz; \
+ gpgconf --kill all; \
+ rm -rf "$GNUPGHOME" go.tgz.asc; \
+ \
+ tar -C /usr/local -xzf go.tgz; \
+ rm -f go.tgz*; \
+ \
+ go version
+
+# don't auto-upgrade the gotoolchain
+# https://github.com/docker-library/golang/issues/472
+ENV GOTOOLCHAIN=local
+
+ENV GOPATH /go
+ENV PATH $GOPATH/bin:$PATH
+RUN mkdir -p "$GOPATH/src" "$GOPATH/bin" && chmod -R 1777 "$GOPATH"
+
+# su-exec is used by the entrypoint script to execute the user's command with the right UID/GID.
+RUN set -eux; \
+ curl -sfL https://raw.githubusercontent.com/ncopa/su-exec/master/su-exec.c -o /tmp/su-exec.c; \
+ gcc -Wall -O2 /tmp/su-exec.c -o /usr/bin/su-exec; \
+ rm -f /tmp/su-exec.c
+
+# Install Go utilities
+
+# controller-gen is used for generating CRD files.
+# Download a version of controller-gen that has been updated to support additional types (e.g., float).
+# We can remove this once we update the Calico v3 APIs to use only types which are supported by the upstream controller-gen
+# tooling. Example: float, all the types in the numorstring package, etc.
+RUN set -eux; \
+ if [ "${TARGETARCH}" = "amd64" ]; then \
+ wget -O /usr/local/bin/controller-gen https://github.com/projectcalico/controller-tools/releases/download/${CALICO_CONTROLLER_TOOLS_VERSION}/controller-gen && chmod +x /usr/local/bin/controller-gen; \
+ fi
+
+# crane is needed for our release targets to copy images from the dev registries to the release registries.
+RUN set -eux; \
+ if [ "${TARGETARCH}" = "amd64" ]; then \
+ curl -sfL https://github.com/google/go-containerregistry/releases/download/${CONTAINERREGISTRY_VERSION}/go-containerregistry_Linux_x86_64.tar.gz | tar xz -C /usr/local/bin crane; \
+ fi
+
+RUN curl -sfL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh | sh -s -- -b /usr/local/bin $GO_LINT_VERSION
+
+# Install necessary Kubernetes binaries used in tests.
+RUN wget https://dl.k8s.io/${K8S_VERSION}/bin/linux/${TARGETARCH}/kube-apiserver -O /usr/local/bin/kube-apiserver && chmod +x /usr/local/bin/kube-apiserver && \
+ wget https://dl.k8s.io/release/${K8S_VERSION}/bin/linux/${TARGETARCH}/kubectl -O /usr/local/bin/kubectl && chmod +x /usr/local/bin/kubectl && \
+ wget https://dl.k8s.io/${K8S_VERSION}/bin/linux/${TARGETARCH}/kube-controller-manager -O /usr/local/bin/kube-controller-manager && chmod +x /usr/local/bin/kube-controller-manager
+
+RUN set -eux; \
+ case "${TARGETARCH}" in \
+ 'amd64') \
+ curl -sfL https://github.com/vektra/mockery/releases/download/v${MOCKERY_VERSION}/mockery_${MOCKERY_VERSION}_Linux_x86_64.tar.gz | tar xz -C /usr/local/bin --extract mockery; \
+ ;; \
+ 'arm64') \
+ curl -sfL https://github.com/vektra/mockery/releases/download/v${MOCKERY_VERSION}/mockery_${MOCKERY_VERSION}_Linux_arm64.tar.gz | tar xz -C /usr/local/bin --extract mockery; \
+ ;; \
+ *) echo >&2 "warning: unsupported architecture '${TARGETARCH}'" ;; \
+ esac
+
+# Install go programs that we rely on
+# Install ginkgo v2 as ginkgo2 and keep ginkgo v1 as ginkgo
+RUN go install github.com/onsi/ginkgo/v2/ginkgo@v2.13.0 && mv /go/bin/ginkgo /go/bin/ginkgo2 && \
+ go install github.com/onsi/ginkgo/ginkgo@v1.16.5 && \
+ go install github.com/jstemmer/go-junit-report@v1.0.0 && \
+ go install github.com/mikefarah/yq/v3@3.4.1 && \
+ go install github.com/pmezard/licenses@v0.0.0-20160314180953-1117911df3df && \
+ go install github.com/swaggo/swag/cmd/swag@v1.16.2 && \
+ go install github.com/wadey/gocovmerge@v0.0.0-20160331181800-b5bfa59ec0ad && \
+ go install golang.org/x/tools/cmd/goimports@v0.14.0 && \
+ go install golang.org/x/tools/cmd/stringer@v0.14.0 && \
+ go install gotest.tools/gotestsum@v1.11.0 && \
+ go install k8s.io/code-generator/cmd/client-gen@v0.27.8 && \
+ go install k8s.io/code-generator/cmd/conversion-gen@v0.27.8 && \
+ go install k8s.io/code-generator/cmd/deepcopy-gen@v0.27.8 && \
+ go install k8s.io/code-generator/cmd/defaulter-gen@v0.27.8 && \
+ go install k8s.io/code-generator/cmd/informer-gen@v0.27.8 && \
+ go install k8s.io/code-generator/cmd/lister-gen@v0.27.8 && \
+ go install k8s.io/code-generator/cmd/openapi-gen@v0.27.8 && \
+ go clean -modcache && go clean -cache
+
+# Ensure that everything under the GOPATH is writable by everyone
+RUN chmod -R 777 $GOPATH
+
+# Allow validated remote servers
+COPY ssh_known_hosts /etc/ssh/ssh_known_hosts
+
+# Add bpftool for Felix UT/FV.
+COPY --from=bpftool /bpftool /usr/bin
+
+COPY entrypoint.sh /usr/local/bin/entrypoint.sh
+ENTRYPOINT ["/usr/local/bin/entrypoint.sh"]
diff --git a/Dockerfile.amd64 b/Dockerfile.amd64
deleted file mode 100644
index 3999b490..00000000
--- a/Dockerfile.amd64
+++ /dev/null
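Review bot: In the new Dockerfile, the su-exec step fetches `su-exec.c` from the `master` branch and compiles it into `/usr/bin/su-exec` with no integrity check, whereas the removed per-architecture Dockerfiles pinned it to a commit through `SU_EXEC_VER`. The comment above that step says the entrypoint uses this binary to run the user's command with the right UID/GID, so whatever is on that branch at build time lands in the image's privilege-switching path. I would restore `ARG SU_EXEC_VER=212b75144bbc06722fbd7661f651390dc47a43d1` and fetch `https://raw.githubusercontent.com/ncopa/su-exec/${SU_EXEC_VER}/su-exec.c`. The same floating-reference concern applies to `FROM registry.access.redhat.com/ubi8/ubi:latest` and to the golangci-lint `install.sh` taken from `master`. Unlike the Go tarball, which gets both a sha256 and a gpg check, the kube-apiserver, kubectl, kube-controller-manager, crane, mockery and controller-gen downloads are installed without any checksum.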
@@ -1,117 +0,0 @@ -FROM calico/bpftool:v5.3-amd64 as bpftool - -FROM golang:1.21.4-bullseye - -LABEL maintainer="Shaun Crampton " - -ARG GO_LINT_VERSION=v1.54.2 -ARG K8S_VERSION=v1.26.3 -ARG LLVM_VERSION=15 -ARG MANIFEST_TOOL_VERSION=v1.0.2 -ARG MOCKERY_VER=2.27.1 -ARG MODSEC_VERSION=v3.0.10 -ARG QEMU_ARCHS="arm aarch64 ppc64le s390x" -ARG QEMU_VERSION=7.2.0-1 -ARG SU_EXEC_VER=212b75144bbc06722fbd7661f651390dc47a43d1 - -# Install su-exec for use in the entrypoint.sh (so processes run as the right user) -# Install bash for the entry script (and because it's generally useful) -# Install curl -# Install git for fetching Go dependencies -# Install ssh for fetching Go dependencies -# Install wget since it's useful for fetching -# Install make for building things -# Install util-linux for column command (used for output formatting). -# Install grep, sed, zip, and jq for use in some Makefiles -# Install gcc for cgo. -# Install lsb-release software-properties-common for llvm upgrade script -# Install clang, libbpf and newer kernel headers for building BPF binaries. -# Install libpcre++-dev and libraries for ModSecurity dependencies. -RUN apt-get -y update && apt-get -y upgrade && \ - apt-get install --no-install-recommends -y \ - libbpf-dev linux-headers-amd64 \ - curl git openssh-client make wget util-linux file grep sed jq zip \ - lsb-release software-properties-common binutils inetutils-ping iproute2 \ - ca-certificates gcc mingw-w64 libc-dev bsdmainutils strace libpcap-dev \ - autoconf automake build-essential \ - libcurl4-openssl-dev libgeoip-dev liblmdb-dev \ - libpcre++-dev libtool libxml2-dev libyajl-dev \ - pkgconf zlib1g-dev - -RUN curl -sfL https://apt.llvm.org/llvm.sh | bash -s -- ${LLVM_VERSION} && \ - apt-get install clang-${LLVM_VERSION} - -RUN apt-get autoclean && apt-get clean - -# su-exec is used by the entrypoint script to execute the user's command with the right UID/GID. -# (sudo doesn't work easily in a container.) 
The version was current master at the time of writing. -RUN set -ex; \ - curl -o /sbin/su-exec.c https://raw.githubusercontent.com/ncopa/su-exec/${SU_EXEC_VER}/su-exec.c; \ - gcc -Wall /sbin/su-exec.c -o/sbin/su-exec; \ - chown root:root /sbin/su-exec; \ - chmod 0755 /sbin/su-exec; \ - rm /sbin/su-exec.c - -RUN curl -sfL https://github.com/vektra/mockery/releases/download/v${MOCKERY_VER}/mockery_${MOCKERY_VER}_Linux_x86_64.tar.gz | tar xz -C /usr/local/bin --extract mockery - -# Disable ssh host key checking -RUN echo 'Host *' >> /etc/ssh/ssh_config \ - && echo ' StrictHostKeyChecking no' >> /etc/ssh/ssh_config - -# Install go programs that we rely on -# Install ginkgo v2 as ginkgo2 and keep ginkgo v1 as ginkgo -RUN \ - go install github.com/onsi/ginkgo/v2/ginkgo@v2.11.0 && \ - mv /go/bin/ginkgo /go/bin/ginkgo2 && \ - go install github.com/onsi/ginkgo/ginkgo@v1.16.5 && \ - go install golang.org/x/tools/cmd/goimports@v0.8.0 && \ - curl -sfL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh | sh -s -- -b $(go env GOPATH)/bin $GO_LINT_VERSION && \ - go install github.com/pmezard/licenses@master && \ - go install github.com/wadey/gocovmerge@master && \ - go install github.com/mikefarah/yq/v3@3.4.1 && \ - go install github.com/jstemmer/go-junit-report@v1.0.0 && \ - go install golang.org/x/tools/cmd/stringer@v0.8.0 && \ - go install k8s.io/code-generator/cmd/openapi-gen@v0.26.3 && \ - go install k8s.io/code-generator/cmd/deepcopy-gen@v0.26.3 && \ - go install k8s.io/code-generator/cmd/client-gen@v0.26.3 && \ - go install k8s.io/code-generator/cmd/lister-gen@v0.26.3 && \ - go install k8s.io/code-generator/cmd/informer-gen@v0.26.3 && \ - go install k8s.io/code-generator/cmd/defaulter-gen@v0.26.3 && \ - go install k8s.io/code-generator/cmd/conversion-gen@v0.26.3 && \ - go install github.com/swaggo/swag/cmd/swag@v1.8.7 && \ - go install gotest.tools/gotestsum@latest && \ - go clean -modcache && go clean -cache - -# Install necessary Kubernetes 
binaries used in tests. -RUN wget https://dl.k8s.io/${K8S_VERSION}/bin/linux/amd64/kube-apiserver -O /usr/local/bin/kube-apiserver && chmod +x /usr/local/bin/kube-apiserver && \ - wget https://dl.k8s.io/release/${K8S_VERSION}/bin/linux/amd64/kubectl -O /usr/local/bin/kubectl && chmod +x /usr/local/bin/kubectl && \ - wget https://dl.k8s.io/${K8S_VERSION}/bin/linux/amd64/kube-controller-manager -O /usr/local/bin/kube-controller-manager && chmod +x /usr/local/bin/kube-controller-manager -# Used for generating CRD files. -# Download a version of controller-gen that has been hacked to support additional types (e.g., float). -# We can remove this once we update the Calico v3 APIs to use only types which are supported by the upstream controller-gen -# tooling. Example: float, all the types in the numorstring package, etc. -RUN wget -O ${GOPATH}/bin/controller-gen https://github.com/projectcalico/controller-tools/releases/download/calico-0.1/controller-gen && chmod +x ${GOPATH}/bin/controller-gen - -# Enable non-native runs on amd64 architecture hosts -RUN for i in ${QEMU_ARCHS}; do curl -sfL https://github.com/multiarch/qemu-user-static/releases/download/v${QEMU_VERSION}/qemu-${i}-static.tar.gz | tar xz -C /usr/bin; done - -# Ensure that everything under the GOPATH is writable by everyone -RUN chmod -R 777 $GOPATH - -RUN curl -sfL https://github.com/estesp/manifest-tool/releases/download/${MANIFEST_TOOL_VERSION}/manifest-tool-linux-amd64 -o /usr/bin/manifest-tool && \ - chmod +x /usr/bin/manifest-tool - -# crane is needed for our release targets to copy images from the dev registries to the release registries. -RUN curl -sfL https://github.com/google/go-containerregistry/releases/download/v0.4.1/go-containerregistry_Linux_x86_64.tar.gz | tar xz -C /usr/bin crane - -# Add bpftool for Felix UT/FV. -COPY --from=bpftool /bpftool /usr/bin - -# Build ModSecurity for Dikastes. 
-RUN git clone -b ${MODSEC_VERSION} --depth 1 --recurse-submodules --shallow-submodules https://github.com/SpiderLabs/ModSecurity.git /build && \ - cd /build && ./build.sh && ./configure && \ - make && make install && \ - rm -fr /build - -COPY entrypoint.sh /usr/local/bin/entrypoint.sh -ENTRYPOINT ["/usr/local/bin/entrypoint.sh"] diff --git a/Dockerfile.arm64 b/Dockerfile.arm64 deleted file mode 100644 index 2a785411..00000000 --- a/Dockerfile.arm64 +++ /dev/null 
@@ -1,102 +0,0 @@ -FROM calico/bpftool:v5.0-arm64 as bpftool - -FROM debian:bullseye as qemu - -LABEL maintainer="Reza Ramezanpour " - -ARG QEMU_VERSION=7.2.0-1 - -RUN apt update && apt install -y curl - -# Enable non-native runs on amd64 architecture hosts -RUN curl -sfL https://github.com/multiarch/qemu-user-static/releases/download/v${QEMU_VERSION}/qemu-aarch64-static.tar.gz | tar xz -C /usr/bin - -FROM arm64v8/golang:1.21.4-bullseye - -ARG GO_LINT_VERSION=v1.54.2 -ARG K8S_VERSION=v1.26.3 -ARG LLVM_VERSION=15 -ARG MANIFEST_TOOL_VERSION=v1.0.2 -ARG MOCKERY_VER=2.14.0 -ARG SU_EXEC_VER=212b75144bbc06722fbd7661f651390dc47a43d1 - -# Enable non-native builds of this image on an amd64 hosts. -# This must be the first RUN command in this file! -COPY --from=qemu /usr/bin/qemu-*-static /usr/bin/ - -# Install bash for the entry script (and because it's generally useful) -# Install curl -# Install git for fetching Go dependencies -# Install ssh for fetching Go dependencies -# Install wget since it's useful for fetching -# Install make for building things -# Install util-linux for column command (used for output formatting). -# Install grep, sed, zip, and jq for use in some Makefiles -# Install gcc for cgo. -# Install lsb-release software-properties-common for llvm upgrade script -# Install clang, libbpf and newer kernel headers for building BPF binaries. -RUN apt-get update && apt-get -y upgrade && \ - apt-get install --no-install-recommends -y \ - libbpf-dev linux-headers-arm64 \ - curl git openssh-client make wget util-linux file grep sed jq zip \ - lsb-release software-properties-common binutils inetutils-ping iproute2 \ - ca-certificates gcc libc-dev bsdmainutils strace libpcap-dev - -RUN curl -sfL https://apt.llvm.org/llvm.sh | bash -s -- ${LLVM_VERSION} && \ - apt-get install clang-${LLVM_VERSION} - -RUN apt-get autoclean && apt-get clean - -# su-exec is used by the entrypoint script to execute the user's command with the right UID/GID. 
-# (sudo doesn't work easily in a container.) The version was current master at the time of writing. -RUN set -ex; \ - curl -o /sbin/su-exec.c https://raw.githubusercontent.com/ncopa/su-exec/${SU_EXEC_VER}/su-exec.c; \ - gcc -Wall /sbin/su-exec.c -o/sbin/su-exec; \ - chown root:root /sbin/su-exec; \ - chmod 0755 /sbin/su-exec; \ - rm /sbin/su-exec.c - -RUN curl -sfL https://github.com/vektra/mockery/releases/download/v${MOCKERY_VER}/mockery_${MOCKERY_VER}_Linux_x86_64.tar.gz | tar xz -C /usr/local/bin --extract mockery - -# Disable ssh host key checking -RUN echo 'Host *' >> /etc/ssh/ssh_config \ - && echo ' StrictHostKeyChecking no' >> /etc/ssh/ssh_config - -# Install go programs that we rely on -# Install ginkgo v2 as ginkgo2 and keep ginkgo v1 as ginkgo -RUN \ - go install github.com/onsi/ginkgo/v2/ginkgo@v2.11.0 && \ - mv /go/bin/ginkgo /go/bin/ginkgo2 && \ - go install github.com/onsi/ginkgo/ginkgo@v1.16.5 && \ - go install golang.org/x/tools/cmd/goimports@v0.8.0 && \ - curl -sfL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh | sh -s -- -b $(go env GOPATH)/bin $GO_LINT_VERSION && \ - go install github.com/pmezard/licenses@master && \ - go install github.com/wadey/gocovmerge@master && \ - go install github.com/mikefarah/yq/v3@3.4.1 && \ - go install github.com/jstemmer/go-junit-report@v1.0.0 && \ - go install golang.org/x/tools/cmd/stringer@v0.8.0 && \ - go install k8s.io/code-generator/cmd/openapi-gen@v0.26.3 && \ - go install k8s.io/code-generator/cmd/deepcopy-gen@v0.26.3 && \ - go install github.com/swaggo/swag/cmd/swag@v1.8.7 && \ - go install gotest.tools/gotestsum@latest && \ - go clean -modcache && go clean -cache - -# Ensure that everything under the GOPATH is writable by everyone -RUN chmod -R 777 $GOPATH - -RUN curl -sfL https://github.com/estesp/manifest-tool/releases/download/${MANIFEST_TOOL_VERSION}/manifest-tool-linux-arm64 -o /usr/bin/manifest-tool && \ - chmod +x /usr/bin/manifest-tool - -# crane is needed for our 
release targets to copy images from the dev registries to the release registries. -RUN curl -sfL https://github.com/google/go-containerregistry/releases/download/v0.4.1/go-containerregistry_Linux_arm64.tar.gz | tar xz -C /usr/bin crane - -# Install necessary Kubernetes binaries used in tests. -RUN wget https://dl.k8s.io/${K8S_VERSION}/bin/linux/arm64/kube-apiserver -O /usr/local/bin/kube-apiserver && chmod +x /usr/local/bin/kube-apiserver && \ - wget https://dl.k8s.io/release/${K8S_VERSION}/bin/linux/arm64/kubectl -O /usr/local/bin/kubectl && chmod +x /usr/local/bin/kubectl && \ - wget https://dl.k8s.io/${K8S_VERSION}/bin/linux/arm64/kube-controller-manager -O /usr/local/bin/kube-controller-manager && chmod +x /usr/local/bin/kube-controller-manager - -# Add bpftool for Felix UT/FV. -COPY --from=bpftool /bpftool /usr/bin - -COPY entrypoint.sh /usr/local/bin/entrypoint.sh -ENTRYPOINT ["/usr/local/bin/entrypoint.sh"] diff --git a/Dockerfile.armv7 b/Dockerfile.armv7 deleted file mode 100644 index 18209776..00000000 --- a/Dockerfile.armv7 +++ /dev/null 
@@ -1,79 +0,0 @@ -FROM alpine:3.17 as qemu - -ARG QEMU_VERSION=7.2.0-1 - -RUN apk --update add curl - -# Enable non-native runs on amd64 architecture hosts -RUN curl -sfL https://github.com/multiarch/qemu-user-static/releases/download/v${QEMU_VERSION}/qemu-arm-static.tar.gz | tar xz -C /usr/bin - -FROM arm32v7/golang:1.21.4-alpine3.18 - -LABEL maintainer="Marc Crebassa " - -ARG GO_LINT_VERSION=v1.54.2 -ARG K8S_VERSION=v1.26.3 -ARG MANIFEST_TOOL_VERSION=v1.0.2 - -# Enable non-native builds of this image on an amd64 hosts. -# This must be the first RUN command in this file! -COPY --from=qemu /usr/bin/qemu-*-static /usr/bin/ - -# Install su-exec for use in the entrypoint.sh (so processes run as the right user) -# Install bash for the entry script (and because it's generally useful) -# Install curl -# Install git for fetching Go dependencies -# Install ssh for fetching Go dependencies -# Install wget since it's useful for fetching -# Install make for building things -# Install util-linux for column command (used for output formatting). -# Install grep, sed, zip, and jq for use in some Makefiles -# Install shadow for useradd (it allows to use big UID) -RUN apk update && apk add --no-cache su-exec curl bash git openssh make wget util-linux tini file grep sed jq zip shadow libpcap-dev clang clang-dev linux-headers libbpf-dev musl-dev llvm -RUN apk upgrade --no-cache - -# Disable ssh host key checking -RUN echo 'Host *' >> /etc/ssh/ssh_config \ - && echo ' StrictHostKeyChecking no' >> /etc/ssh/ssh_config - -# Install ginkgo CLI tool for running tests -# Install ginkgo v2 as ginkgo2 and keep ginkgo v1 as ginkgo -RUN go install github.com/onsi/ginkgo/v2/ginkgo@v2.9.2 && \ - mv /go/bin/ginkgo /go/bin/ginkgo2 && \ - go install github.com/onsi/ginkgo/ginkgo@v1.16.5 - -# Install linting tools -RUN curl -sfL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh | sh -s -- -b $(go env GOPATH)/bin $GO_LINT_VERSION - -# Install license checking tool. 
-RUN go install github.com/pmezard/licenses@master - -# Install tool to merge coverage reports. -RUN go install github.com/wadey/gocovmerge@master - -# Install CLI tool for working with yaml files -RUN go install github.com/mikefarah/yq/v3@3.4.1 - -# Delete all the Go sources that were downloaded, we only rely on the binaries -RUN rm -rf /go/src/* - -# Install generation tools. -RUN go install k8s.io/code-generator/cmd/openapi-gen@master -RUN go install k8s.io/code-generator/cmd/deepcopy-gen@master - -# Install Swaggo -RUN go install github.com/swaggo/swag/cmd/swag@v1.8.7 - -# Install necessary Kubernetes binaries used in tests. -RUN wget https://dl.k8s.io/${K8S_VERSION}/bin/linux/ppc64le/kube-apiserver -O /usr/local/bin/kube-apiserver && chmod +x /usr/local/bin/kube-apiserver && \ - wget https://dl.k8s.io/release/${K8S_VERSION}/bin/linux/ppc64le/kubectl -O /usr/local/bin/kubectl && chmod +x /usr/local/bin/kubectl && \ - wget https://dl.k8s.io/${K8S_VERSION}/bin/linux/ppc64le/kube-controller-manager -O /usr/local/bin/kube-controller-manager && chmod +x /usr/local/bin/kube-controller-manager - -# Ensure that everything under the GOPATH is writable by everyone -RUN chmod -R 777 $GOPATH - -RUN curl -sfL https://github.com/estesp/manifest-tool/releases/download/${MANIFEST_TOOL_VERSION}/manifest-tool-linux-armv7 -o /usr/bin/manifest-tool && \ - chmod +x /usr/bin/manifest-tool - -COPY entrypoint.sh /usr/local/bin/entrypoint.sh -ENTRYPOINT ["/sbin/tini", "--", "/usr/local/bin/entrypoint.sh"] diff --git a/Dockerfile.ppc64le b/Dockerfile.ppc64le deleted file mode 100644 index a746def0..00000000 --- a/Dockerfile.ppc64le +++ /dev/null 
@@ -1,79 +0,0 @@ -FROM alpine:3.17 as qemu - -ARG QEMU_VERSION=7.2.0-1 - -RUN apk --update add curl - -# Enable non-native runs on amd64 architecture hosts -RUN curl -sfL https://github.com/multiarch/qemu-user-static/releases/download/v${QEMU_VERSION}/qemu-ppc64le-static.tar.gz | tar xz -C /usr/bin - -FROM ppc64le/golang:1.21.4-alpine3.18 - -LABEL maintainer="David Wilder " - -ARG GO_LINT_VERSION=v1.54.2 -ARG K8S_VERSION=v1.26.3 -ARG MANIFEST_TOOL_VERSION=v1.0.2 - -# Enable non-native builds of this image on an amd64 hosts. -# This must be the first RUN command in this file! -COPY --from=qemu /usr/bin/qemu-*-static /usr/bin/ - -# Install su-exec for use in the entrypoint.sh (so processes run as the right user) -# Install bash for the entry script (and because it's generally useful) -# Install curl -# Install git for fetching Go dependencies -# Install ssh for fetching Go dependencies -# Install wget since it's useful for fetching -# Install make for building things -# Install util-linux for column command (used for output formatting). -# Install grep, sed, zip, and jq for use in some Makefiles -# Install shadow for useradd (it allows to use big UID) -RUN apk update && apk add --no-cache su-exec curl bash git openssh make wget util-linux tini file grep sed jq zip shadow libpcap-dev -RUN apk upgrade --no-cache - -# Disable ssh host key checking -RUN echo 'Host *' >> /etc/ssh/ssh_config \ - && echo ' StrictHostKeyChecking no' >> /etc/ssh/ssh_config - -# Install ginkgo CLI tool for running tests -# Install ginkgo v2 as ginkgo2 and keep ginkgo v1 as ginkgo -RUN go install github.com/onsi/ginkgo/v2/ginkgo@v2.9.2 && \ - mv /go/bin/ginkgo /go/bin/ginkgo2 && \ - go install github.com/onsi/ginkgo/ginkgo@v1.16.5 - -# Install linting tools -RUN curl -sfL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh | sh -s -- -b $(go env GOPATH)/bin $GO_LINT_VERSION - -# Install license checking tool. 
-RUN go install github.com/pmezard/licenses@master - -# Install tool to merge coverage reports. -RUN go install github.com/wadey/gocovmerge@master - -# Install CLI tool for working with yaml files -RUN go install github.com/mikefarah/yq/v3@3.4.1 - -# Delete all the Go sources that were downloaded, we only rely on the binaries -RUN rm -rf /go/src/* - -# Install generation tools. -RUN go install k8s.io/code-generator/cmd/openapi-gen@master -RUN go install k8s.io/code-generator/cmd/deepcopy-gen@master - -# Install Swaggo -RUN go install github.com/swaggo/swag/cmd/swag@v1.8.7 - -# Install necessary Kubernetes binaries used in tests. -RUN wget https://dl.k8s.io/${K8S_VERSION}/bin/linux/ppc64le/kube-apiserver -O /usr/local/bin/kube-apiserver && chmod +x /usr/local/bin/kube-apiserver && \ - wget https://dl.k8s.io/release/${K8S_VERSION}/bin/linux/ppc64le/kubectl -O /usr/local/bin/kubectl && chmod +x /usr/local/bin/kubectl && \ - wget https://dl.k8s.io/${K8S_VERSION}/bin/linux/ppc64le/kube-controller-manager -O /usr/local/bin/kube-controller-manager && chmod +x /usr/local/bin/kube-controller-manager - -# Ensure that everything under the GOPATH is writable by everyone -RUN chmod -R 777 $GOPATH - -RUN curl -sfL https://github.com/estesp/manifest-tool/releases/download/${MANIFEST_TOOL_VERSION}/manifest-tool-linux-ppc64le -o /usr/bin/manifest-tool && \ - chmod +x /usr/bin/manifest-tool - -COPY entrypoint.sh /usr/local/bin/entrypoint.sh -ENTRYPOINT ["/sbin/tini", "--", "/usr/local/bin/entrypoint.sh"] diff --git a/Dockerfile.s390x b/Dockerfile.s390x deleted file mode 100644 index 50c279a4..00000000 --- a/Dockerfile.s390x +++ /dev/null 
@@ -1,79 +0,0 @@ -FROM alpine:3.17 as qemu - -ARG QEMU_VERSION=7.2.0-1 - -RUN apk --update add curl - -# Enable non-native runs on amd64 architecture hosts -RUN curl -sfL https://github.com/multiarch/qemu-user-static/releases/download/v${QEMU_VERSION}/qemu-s390x-static.tar.gz | tar xz -C /usr/bin - -FROM s390x/golang:1.21.4-alpine3.18 - -LABEL maintainer="LoZ Open SourceEcosystem (https://www.ibm.com/developerworks/community/groups/community/lozopensource)" - -ARG GO_LINT_VERSION=v1.54.2 -ARG K8S_VERSION=v1.26.3 -ARG MANIFEST_TOOL_VERSION=v1.0.2 - -# Enable non-native builds of this image on an amd64 hosts. -# This must be the first RUN command in this file! -COPY --from=qemu /usr/bin/qemu-*-static /usr/bin/ - -# Install su-exec for use in the entrypoint.sh (so processes run as the right user) -# Install bash for the entry script (and because it's generally useful) -# Install curl -# Install git for fetching Go dependencies -# Install ssh for fetching Go dependencies -# Install wget since it's useful for fetching -# Install make for building things -# Install util-linux for column command (used for output formatting). 
-# Install grep, sed, zip, and jq for use in some Makefiles -# Install shadow for useradd (it allows to use big UID) -RUN apk update && apk add --no-cache su-exec curl bash git openssh make wget util-linux tini file grep sed jq zip shadow libpcap-dev -RUN apk upgrade --no-cache - -# Disable ssh host key checking -RUN echo 'Host *' >> /etc/ssh/ssh_config \ - && echo ' StrictHostKeyChecking no' >> /etc/ssh/ssh_config - -# Install ginkgo CLI tool for running tests -# Install ginkgo v2 as ginkgo2 and keep ginkgo v1 as ginkgo -RUN go install github.com/onsi/ginkgo/v2/ginkgo@v2.9.2 && \ - mv /go/bin/ginkgo /go/bin/ginkgo2 && \ - go install github.com/onsi/ginkgo/ginkgo@v1.16.5 - -# Install linting tools -RUN curl -sfL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh | sh -s -- -b $(go env GOPATH)/bin $GO_LINT_VERSION - -# Install license checking tool. -RUN go install github.com/pmezard/licenses@master - -# Install tool to merge coverage reports. -RUN go install github.com/wadey/gocovmerge@master - -# Install CLI tool for working with yaml files -RUN go install github.com/mikefarah/yq/v3@3.4.1 - -# Delete all the Go sources that were downloaded, we only rely on the binaries -RUN rm -rf /go/src/* - -# Install generation tools. -RUN go install k8s.io/code-generator/cmd/openapi-gen@master -RUN go install k8s.io/code-generator/cmd/deepcopy-gen@master - -# Install Swaggo -RUN go install github.com/swaggo/swag/cmd/swag@v1.8.7 - -# Install necessary Kubernetes binaries used in tests. 
-RUN wget https://dl.k8s.io/${K8S_VERSION}/bin/linux/s390x/kube-apiserver -O /usr/local/bin/kube-apiserver && chmod +x /usr/local/bin/kube-apiserver && \ - wget https://dl.k8s.io/release/${K8S_VERSION}/bin/linux/s390x/kubectl -O /usr/local/bin/kubectl && chmod +x /usr/local/bin/kubectl && \ - wget https://dl.k8s.io/${K8S_VERSION}/bin/linux/s390x/kube-controller-manager -O /usr/local/bin/kube-controller-manager && chmod +x /usr/local/bin/kube-controller-manager - -# Ensure that everything under the GOPATH is writable by everyone -RUN chmod -R 777 $GOPATH - -RUN curl -sfL https://github.com/estesp/manifest-tool/releases/download/${MANIFEST_TOOL_VERSION}/manifest-tool-linux-s390x -o /usr/bin/manifest-tool && \ - chmod +x /usr/bin/manifest-tool - -COPY entrypoint.sh /usr/local/bin/entrypoint.sh -ENTRYPOINT ["/sbin/tini", "--", "/usr/local/bin/entrypoint.sh"] diff --git a/Makefile b/Makefile index 940cb8e0..bb5b1e1d 100644 --- a/Makefile +++ b/Makefile @@ -8,7 +8,7 @@ all: image-all # The target architecture is select by setting the ARCH variable. # When ARCH is undefined it is set to the detected host architecture. # When ARCH differs from the host architecture a crossbuild will be performed. -ARCHES = amd64 armv7 arm64 ppc64le s390x +ARCHES = amd64 arm64 ppc64le s390x # BUILDARCH is the host architecture # ARCH is the target architecture @@ -22,9 +22,6 @@ endif ifeq ($(BUILDARCH),x86_64) BUILDARCH=amd64 endif -ifeq ($(BUILDARCH),armv7l) - BUILDARCH=armv7 -endif # unless otherwise set, I am building for my own architecture, i.e. not cross-compiling ARCH ?= $(BUILDARCH) 
@@ -33,48 +30,41 @@ ARCH ?= $(BUILDARCH) ifeq ($(ARCH),aarch64) override ARCH=arm64 endif -ifeq ($(ARCH),armv7l) - override ARCH=armv7 -endif ifeq ($(ARCH),x86_64) override ARCH=amd64 endif ############################################################################### -DOCKERFILE ?= Dockerfile.$(ARCH) +GOBUILD_IMAGE ?= calico/go-build VERSION ?= latest -DEFAULTIMAGE ?= calico/go-build:$(VERSION) +DEFAULTIMAGE ?= $(GOBUILD_IMAGE):$(VERSION) ARCHIMAGE ?= $(DEFAULTIMAGE)-$(ARCH) BUILDIMAGE ?= $(DEFAULTIMAGE)-$(BUILDARCH) -MANIFEST_TOOL_VERSION := v1.0.2 -MANIFEST_TOOL_DIR := $(shell mktemp -d) -export PATH := $(MANIFEST_TOOL_DIR):$(PATH) - -space := -space += -comma := , -prefix_linux = $(addprefix linux/,$(strip $(subst armv,arm/v,$1))) -join_platforms = $(subst $(space),$(comma),$(call prefix_linux,$(strip $1))) - # Check if the docker daemon is running in experimental mode (to get the --squash flag) DOCKER_EXPERIMENTAL=$(shell docker version -f '{{ .Server.Experimental }}') DOCKER_BUILD_ARGS?= ifeq ($(DOCKER_EXPERIMENTAL),true) DOCKER_BUILD_ARGS+=--squash endif -ifneq ($(ARCH),amd64) -DOCKER_BUILD_ARGS+=--cpuset-cpus 0 -endif ############################################################################### # Building the image ############################################################################### +QEMU_DOWNLOADED=.qemu.downloaded +QEMU_VERSION=v7.2.0-1 + +.PHONY: download-qemu +download-qemu: $(QEMU_DOWNLOADED) +$(QEMU_DOWNLOADED): + curl --remote-name-all -sfL --retry 3 https://github.com/multiarch/qemu-user-static/releases/download/${QEMU_VERSION}/qemu-{aarch64,ppc64le,s390x}-static + chmod 755 qemu-*-static + touch $@ + +.PHONY: image image: calico/go-build -calico/go-build: register - # Make sure we re-pull the base image to pick up security fixes. - # Limit the build to use only one CPU, This helps to work around qemu bugs such as https://bugs.launchpad.net/qemu/+bug/1098729 - docker build $(DOCKER_BUILD_ARGS) --pull -t $(ARCHIMAGE) -f $(DOCKERFILE) . 
+calico/go-build: register download-qemu + docker buildx build --pull $(DOCKER_BUILD_ARGS) --platform=linux/$(ARCH) -t $(ARCHIMAGE) -f Dockerfile . --load image-all: $(addprefix sub-image-,$(ARCHES)) sub-image-%: @@ -87,6 +77,7 @@ ifeq ($(BUILDARCH),amd64) docker run --rm --privileged multiarch/qemu-user-static:register --reset endif +.PHONY: push push: image docker push $(ARCHIMAGE) # to handle default case, because quay.io does not support manifest yet @@ -99,9 +90,22 @@ push-all: $(addprefix sub-push-,$(ARCHES)) sub-push-%: $(MAKE) push ARCH=$* +.PHONY: push-manifest push-manifest: # Docker login to hub.docker.com required before running this target as we are using $(HOME)/.docker/config.json holds the docker login credentials - docker run -t --entrypoint /bin/sh -v $(HOME)/.docker/config.json:/root/.docker/config.json $(ARCHIMAGE) -c "/usr/bin/manifest-tool push from-args --platforms $(call join_platforms,$(ARCHES)) --template $(DEFAULTIMAGE)-ARCHVARIANT --target $(DEFAULTIMAGE)" + docker manifest create $(DEFAULTIMAGE) \ + --amend $(DEFAULTIMAGE)-amd64 \ + --amend $(DEFAULTIMAGE)-arm64 \ + --amend $(DEFAULTIMAGE)-ppc64le \ + --amend $(DEFAULTIMAGE)-s390x + docker manifest push $(DEFAULTIMAGE) + +.PHONY: clean +clean: + rm -f qemu-*-static + rm -f $(QEMU_DOWNLOADED) + -docker image rm -f $$(docker images $(GOBUILD_IMAGE) -a -q) + -docker manifest rm $(DEFAULTIMAGE) ############################################################################### # UTs diff --git a/Makefile.common b/Makefile.common index 12cebf9b..aa590ab3 100644 --- a/Makefile.common +++ b/Makefile.common @@ -47,9 +47,6 @@ endif ifeq ($(BUILDARCH),x86_64) BUILDARCH=amd64 endif -ifeq ($(BUILDARCH),armv7l) - BUILDARCH=armv7 -endif # unless otherwise set, I am building for my own architecture, i.e. not cross-compiling ARCH ?= $(BUILDARCH) 
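Review bot: The new `download-qemu` recipe fetches the three `qemu-*-static` emulators with curl and makes them executable without verifying their content, and the new Dockerfile then copies them into `/usr/bin` of the build image. `QEMU_VERSION` pins the release tag, but the download is trusted on TLS and the tag alone, while the same commit declares SHA-256 values for the Go tarballs. I would verify the files before the `chmod`, for example with `sha256sum --check qemu-static.sha256` against a checksum file committed next to the Makefile (the file name is only a suggestion). The recipe should fail on a mismatch so that `touch $@` never records an unverified download.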
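Review bot: The `push-manifest` recipe spells out the four `--amend` images by hand, so it can drift from `ARCHES`, which this commit edits at the top of the same Makefile. Generating the arguments keeps the two in step: `docker manifest create $(DEFAULTIMAGE) $(foreach a,$(ARCHES),--amend $(DEFAULTIMAGE)-$(a))`. In `clean`, `docker image rm -f` runs with no arguments when no `$(GOBUILD_IMAGE)` image exists; the leading `-` hides that failure, and a short comment such as `# ignore errors: nothing to remove on a fresh checkout` would make the intent explicit.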
@@ -61,27 +58,12 @@ endif ifeq ($(ARCH),x86_64) override ARCH=amd64 endif -ifeq ($(ARCH),armv7l) - override ARCH=armv7 -endif -ifeq ($(ARCH),armhfv7) - override ARCH=armv7 -endif - -# If ARCH is arm based, find the requested version/variant -ifeq ($(word 1,$(subst v, ,$(ARCH))),arm) -ARM_VERSION := $(word 2,$(subst v, ,$(ARCH))) -endif LATEST_IMAGE_TAG?=latest # these macros create a list of valid architectures for pushing manifests -space := -space += comma := , double_quote := $(shell echo '"') -prefix_linux = $(addprefix linux/,$(strip $(subst armv,arm/v,$1))) -join_platforms = $(subst $(space),$(comma),$(call prefix_linux,$(strip $1))) ## Targets used when cross building. .PHONY: native register @@ -224,9 +206,6 @@ GIT_DESCRIPTION = $(shell git describe --tags --dirty --always --abbrev=12 || ec endif # Define go architecture flags to support arm variants GOARCH_FLAGS :=-e GOARCH=$(ARCH) -ifdef ARM_VERSION -GOARCH_FLAGS :=-e GOARCH=arm -e GOARM=$(ARM_VERSION) -endif DOCKER_RUN := mkdir -p .go-pkg-cache bin $(GOMOD_CACHE) && \ 
@@ -417,26 +396,19 @@ git-commit: # different implementation. ############################################################################### -CRANE_CMD = docker run -t --entrypoint /bin/sh -v $(DOCKER_CONFIG):/root/.docker/config.json $(CALICO_BUILD) -c \ +CRANE_CMD = docker run -t --entrypoint /bin/sh -v $(DOCKER_CONFIG):/home/user/.docker/config.json $(CALICO_BUILD) -c \ $(double_quote)crane GIT_CMD = git DOCKER_CMD = docker -MANIFEST_TOOL_EXTRA_DOCKER_ARGS ?= -# note that when using the MANIFEST_TOOL command you need to close the command with $(double_quote). -MANIFEST_TOOL_CMD = docker run -t --entrypoint /bin/sh -v $(DOCKER_CONFIG):/root/.docker/config.json $(MANIFEST_TOOL_EXTRA_DOCKER_ARGS) $(CALICO_BUILD) -c \ - $(double_quote)/usr/bin/manifest-tool - ifdef CONFIRM CRANE = $(CRANE_CMD) GIT = $(GIT_CMD) DOCKER = $(DOCKER_CMD) -MANIFEST_TOOL = $(MANIFEST_TOOL_CMD) else CRANE = echo [DRY RUN] $(CRANE_CMD) GIT = echo [DRY RUN] $(GIT_CMD) DOCKER = echo [DRY RUN] $(DOCKER_CMD) -MANIFEST_TOOL = echo [DRY RUN] $(MANIFEST_TOOL_CMD) endif commit-and-push-pr: 
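Review bot: `CRANE_CMD` bind-mounts the host's Docker credentials file into the container read-write, so anything running inside `$(CALICO_BUILD)` can modify or truncate the registry logins on the host. Unless a crane subcommand used here has to write that file (not visible in this hunk), mount it read-only: `-v $(DOCKER_CONFIG):/home/user/.docker/config.json:ro`. The command also overrides the entrypoint, and `entrypoint.sh` is where `user` is created and `HOME=/home/user` is exported, so a comment stating why crane looks under `/home/user` in this invocation would help the next reader.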
@@ -868,21 +840,6 @@ push-image-arch-to-registry-%: $(NOECHO) $(NOOP)\ ) -manifest-tool-generate-spec: var-require-all-BUILD_IMAGE-IMAGETAG-MANIFEST_TOOL_SPEC_TEMPLATE-OUTPUT_FILE - bash $(MANIFEST_TOOL_SPEC_TEMPLATE) $(OUTPUT_FILE) $(BUILD_IMAGE) $(IMAGETAG) - -## push multi-arch manifest where supported. If the MANIFEST_TOOL_SPEC_TEMPLATE variable is specified this will include -## the `from-spec` version of the tool. -push-manifests: var-require-all-IMAGETAG $(addprefix sub-manifest-,$(call escapefs,$(PUSH_MANIFEST_IMAGES))) -ifdef MANIFEST_TOOL_SPEC_TEMPLATE -sub-manifest-%: var-require-all-OUTPUT_DIR - $(MAKE) manifest-tool-generate-spec BUILD_IMAGE=$(call unescapefs,$*) OUTPUT_FILE=$(OUTPUT_DIR)$*.yaml - $(MANIFEST_TOOL) push from-spec $(OUTPUT_DIR)$*.yaml$(double_quote) -else -sub-manifest-%: - $(MANIFEST_TOOL) push from-args --platforms $(call join_platforms,$(VALIDARCHES)) --template $(call unescapefs,$*):$(IMAGETAG)-ARCHVARIANT --target $(call unescapefs,$*):$(IMAGETAG)$(double_quote) -endif - # cd-common tags and pushes images with the branch name and git version. This target uses PUSH_IMAGES, BUILD_IMAGE, # and BRANCH_NAME env variables to figure out what to tag and where to push it to. cd-common: var-require-one-of-CONFIRM-DRYRUN var-require-all-BRANCH_NAME diff --git a/README.md b/README.md index b13ce750..61570887 100644 --- a/README.md +++ b/README.md 
@@ -1,47 +1,47 @@ [![Build Status](https://semaphoreci.com/api/v1/calico/go-build/branches/master/badge.svg)](https://semaphoreci.com/calico/go-build) # Calico go-build -Base image for doing golang builds for the various [project calico](https://projectcalico.org) builds. +Base image for doing golang builds for the various [project calico](https://projectcalico.org) builds. ## Building the image + To build the image: -``` +```bash make image ``` The above will build for whatever architecture you are running on. To force a different architecture: -``` +```bash ARCH= make image ``` ## Tagging -The image is tagged the version, e.g. `v0.9` or `latest`. In addition, the given architecture is appended to the end. Thus, for example, the latest version on `amd64` will be `calico/go-build:latest-amd64`. -The above tagging scheme keeps everything in a single image repository `calico/go-build` and prepares for using milti-architecture image manifests. +The image is tagged the version, e.g. `v0.9` or `latest`. In addition, the given architecture is appended to the end. Thus, for example, the latest version on `amd64` will be `calico/go-build:latest-amd64`. -As of this writing, the only way to create such manifests is using the [manifest-tool](https://github.com/estesp/manifest-tool), which involves multiple steps. This can be incorporated into the build process, or we can wait until `docker manifest` is rolled into the docker CLI, see [this PR](https://github.com/docker/cli/pull/138). +The above tagging scheme keeps everything in a single image repository `calico/go-build` and prepares for using multi-architecture image manifests. -Until such time as the `docker manifest` is ready, or we decide to use `manifest-tool`, the default image name will point to `amd64`. Thus, `calico/go-build:latest` refers to `calico/go-build:latest-amd64`. 
+## Cross building using go-build -## Cross building using go-build: Any supported platform can be built natively from its own platform, i.e.g `amd64` from `amd64`, `arm64` from `arm64` and `ppc64le` from `ppc64le`. In addition, `ppc64le` and `arm64` are supported for cross-building from `amd64` only. We do not (yet) support cross-building from `arm64` and `ppc64le`. -The cross-build itself will function normally on any platform, since golang supports cross-compiling using `GOARCH= go build `. +The cross-build itself will function normally on any platform, since golang supports cross-compiling using `GOARCH= go build`. -``` +```bash docker run -e GOARCH= calico/go-build:latest-amd64 sh -c 'go build hello.go || ./hello' ``` The above will output a binary `hello` built for the architecture ``. -## Cross-runnning Binaries binfmt +## Cross-running Binaries binfmt + The Linux kernel has the ability to run binaries built for one arch on another, e.g. `arm64` binaries on an `amd64` architecture. Support requires two things: -1. Registering an interpeter that can run the binary for the other architecture along with configuration information on how to identify which binaries are for which platform and which emulator will handle them. +1. Registering an interpreter that can run the binary for the other architecture along with configuration information on how to identify which binaries are for which platform and which emulator will handle them. 2. Making the interpreter binary available. The interpreter must exist in one of two places: 
@@ -53,19 +53,20 @@ For example, if you registered the `s390x` emulator at `/usr/bin/qemu-s390x-stat To register emulators, we run: -``` +```bash docker run -it --rm --privileged multiarch/qemu-user-static:register ``` or simply -``` +```bash make register ``` After the above registration, your system can handle other-architecture binaries. The above registration uses the first method, since _all_ kernels that support `binfmt` support this method, while only kernels from version 4.8+ support the latter. While docker-for-mac and docker-for-windows both use supporting kernels, almost every CI-as-a-service does not. ## Using binfmt in other Calico projects + To use `binfmt` in other projects: 1. Ensure you have run registration as above. @@ -87,34 +88,34 @@ RUN apk --update add curl ``` ## Running a Binary -To *run* a binary from a different architecture, you need to use `binfmt` and `qemu` static. + +To _run_ a binary from a different architecture, you need to use `binfmt` and `qemu` static. Register `qemu-*-static` for all supported processors except the current one using the following command: -``` +```bash docker run --rm --privileged multiarch/qemu-user-static:register ``` - If a cross built binary is executed in the go-build container qemu-static will automatically be used. - ### Testing Cross-Run + There is a `Makefile` target that cross-builds and runs a binary. To run it on your own architecture: -``` +```bash make testcompile ``` or -``` +```bash make testcompile ARCH=$(uname -m) ``` To test on a different architecture, for example `arm64` when you are running on `amd64`, pass it an alternate architecture: -``` +```bash make testcompile ARCH=arm64 ``` diff --git a/entrypoint.sh b/entrypoint.sh index 1d67c1b9..09237300 100755 --- a/entrypoint.sh +++ b/entrypoint.sh 
@@ -1,8 +1,7 @@ #!/bin/bash # Add local user -# Either use the LOCAL_USER_ID if passed in at runtime or -# fallback +# Either use the LOCAL_USER_ID if passed in at runtime or fallback USER_ID=${LOCAL_USER_ID:-9001} @@ -15,22 +14,22 @@ echo "Starting with UID : $USER_ID" 1>&2 /bin/sed -i 's/^CREATE_MAIL_SPOOL=yes/CREATE_MAIL_SPOOL=no/' /etc/default/useradd # Don't pass "-m" to useradd if the home directory already exists (which can occur if it was volume mounted in) otherwise it will fail. if [[ ! -d "/home/user" ]]; then - /usr/sbin/useradd -m -U -s /bin/bash -u $USER_ID user + /usr/sbin/useradd -m -U -s /bin/bash -u "$USER_ID" user else - /usr/sbin/useradd -U -s /bin/bash -u $USER_ID user + /usr/sbin/useradd -U -s /bin/bash -u "$USER_ID" user fi export HOME=/home/user -if [ -n "$EXTRA_GROUP_ID" ]; then +if [ -n "$EXTRA_GROUP_ID" ]; then echo "Adding user to additional GID : $EXTRA_GROUP_ID" 1>&2 # Adding the group can fail if it already exists. - if addgroup --gid $EXTRA_GROUP_ID group; then + if addgroup --gid "$EXTRA_GROUP_ID" group; then adduser user group else echo "Adding user to existing group instead" 1>&2 - adduser user `getent group $EXTRA_GROUP_ID | cut -d: -f1` + adduser user "$(getent group "$EXTRA_GROUP_ID" | cut -d: -f1)" fi fi -exec /sbin/su-exec user "$@" +exec /usr/bin/su-exec user "$@" diff --git a/rockylinux/Rocky-BaseOS.repo b/rockylinux/Rocky-BaseOS.repo new file mode 100644 index 00000000..b32722d5 --- /dev/null +++ b/rockylinux/Rocky-BaseOS.repo 
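Review bot: In the second hunk the extra-group branch still calls `addgroup --gid` and `adduser user group`, which are the BusyBox forms from the Alpine image this commit removes. The new Dockerfile builds on UBI 8, where (unless the image adds wrappers not visible here) `addgroup` is presumably absent and `adduser` is an alias for `useradd`, which does not take a group as a second argument. The shadow-utils equivalents are `groupadd --gid "$EXTRA_GROUP_ID" group` followed by `usermod -aG group user`, and `usermod -aG "$(getent group "$EXTRA_GROUP_ID" | cut -d: -f1)" user` in the fallback branch. As written, a failing `addgroup` would always take the "existing group" path and the failing `adduser` would leave the user without the extra GID.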
@@ -0,0 +1,18 @@
+# Rocky-BaseOS.repo
+#
+# The mirrorlist system uses the connecting IP address of the client and the
+# update status of each mirror to pick current mirrors that are geographically
+# close to the client. You should use this for Rocky updates unless you are
+# manually picking other mirrors.
+#
+# If the mirrorlist does not work for you, you can try the commented out
+# baseurl line instead.
+
+[baseos]
+name=Rocky Linux $releasever - BaseOS
+mirrorlist=https://mirrors.rockylinux.org/mirrorlist?arch=$basearch&repo=BaseOS-$releasever
+#baseurl=http://dl.rockylinux.org/$contentdir/$releasever/BaseOS/$basearch/os/
+gpgcheck=0
+enabled=0
+countme=1
+#gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-rockyofficial
diff --git a/rockylinux/Rocky-Extras.repo b/rockylinux/Rocky-Extras.repo
new file mode 100644
index 00000000..a6713c53
--- /dev/null
+++ b/rockylinux/Rocky-Extras.repo
@@ -0,0 +1,18 @@
+# Rocky-Extras.repo
+#
+# The mirrorlist system uses the connecting IP address of the client and the
+# update status of each mirror to pick current mirrors that are geographically
+# close to the client. You should use this for Rocky updates unless you are
+# manually picking other mirrors.
+#
+# If the mirrorlist does not work for you, you can try the commented out
+# baseurl line instead.
+
+[extras]
+name=Rocky Linux $releasever - Extras
+mirrorlist=https://mirrors.rockylinux.org/mirrorlist?arch=$basearch&repo=extras-$releasever
+#baseurl=http://dl.rockylinux.org/$contentdir/$releasever/extras/$basearch/os/
+gpgcheck=0
+enabled=0
+countme=1
+#gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-rockyofficial
diff --git a/rockylinux/Rocky-PowerTools.repo b/rockylinux/Rocky-PowerTools.repo
new file mode 100644
index 00000000..0ad6aef1
--- /dev/null
+++ b/rockylinux/Rocky-PowerTools.repo
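Review bot: `gpgcheck=0` with the `gpgkey` line commented out means every package the Dockerfile installs through `--enablerepo=baseos,extras,powertools` is accepted without a signature check, so a stale or compromised mirror returned by the mirrorlist can place arbitrary RPMs in the build image. Set `gpgcheck=1` and uncomment `gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-rockyofficial`, and copy the Rocky signing key into the image at that path, since a UBI base presumably does not ship it; check the key's fingerprint against the publisher's when adding it. The same two lines appear in `Rocky-Extras.repo` and `Rocky-PowerTools.repo` and need the same change. The commented-out `baseurl` fallback is plain `http`; if it is ever enabled it should use `https`.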
@@ -0,0 +1,18 @@
+# Rocky-PowerTools.repo
+#
+# The mirrorlist system uses the connecting IP address of the client and the
+# update status of each mirror to pick current mirrors that are geographically
+# close to the client. You should use this for Rocky updates unless you are
+# manually picking other mirrors.
+#
+# If the mirrorlist does not work for you, you can try the commented out
+# baseurl line instead.
+
+[powertools]
+name=Rocky Linux $releasever - PowerTools
+mirrorlist=https://mirrors.rockylinux.org/mirrorlist?arch=$basearch&repo=PowerTools-$releasever
+#baseurl=http://dl.rockylinux.org/$contentdir/$releasever/PowerTools/$basearch/os/
+gpgcheck=0
+enabled=0
+countme=1
+#gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-rockyofficial
diff --git a/ssh_known_hosts b/ssh_known_hosts
new file mode 100644
index 00000000..9666bc8e
--- /dev/null
+++ b/ssh_known_hosts
@@ -0,0 +1,3 @@
+github.com ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEmKSENjQEezOmxkZMy7opKgwFB9nkt5YRrYMjNuG5N87uRgg6CLrbo5wAdT/y6v0mKV0U2w0WZ2YB/++Tpockg=
+github.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOMqqnkVzrm0SdG6UOoqKLsabgH5C9okWi0dh2l9GKJl
+github.com ssh-rsa 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