From bad6fcc3b2dfd07fc949f78f2d9ab5f3e3e108f9 Mon Sep 17 00:00:00 2001 From: Jiawei Huang Date: Tue, 10 Oct 2023 16:26:42 -0700 Subject: [PATCH 01/20] Migrate go-build base to UBI This change is for amd64 for now. --- Dockerfile.amd64 | 201 ++++++++++++++++++------------- Dockerfile.arm64 | 85 ++++++------- Dockerfile.armv7 | 66 ++++------ Dockerfile.ppc64le | 66 ++++------ Dockerfile.s390x | 66 ++++------ Makefile | 4 +- Makefile.common | 27 ++--- README.md | 41 ++++--- entrypoint.sh | 36 ------ rockylinux/Rocky-BaseOS.repo | 18 +++ rockylinux/Rocky-PowerTools.repo | 18 +++ 11 files changed, 300 insertions(+), 328 deletions(-) delete mode 100755 entrypoint.sh create mode 100644 rockylinux/Rocky-BaseOS.repo create mode 100644 rockylinux/Rocky-PowerTools.repo diff --git a/Dockerfile.amd64 b/Dockerfile.amd64 index 3999b490..544da39c 100644 --- a/Dockerfile.amd64 +++ b/Dockerfile.amd64 
@@ -1,111 +1,143 @@ FROM calico/bpftool:v5.3-amd64 as bpftool -FROM golang:1.21.4-bullseye +FROM registry.access.redhat.com/ubi8/ubi:latest LABEL maintainer="Shaun Crampton " +ARG GOLANG_VERSION=1.21.3 +ARG GOLANG_SHA256=1241381b2843fae5a9707eec1f8fb2ef94d827990582c7c7c32f5bdfbfd420c8 + +ARG CONTAINERREGISTRY_VERSION=v0.16.1 ARG GO_LINT_VERSION=v1.54.2 -ARG K8S_VERSION=v1.26.3 -ARG LLVM_VERSION=15 -ARG MANIFEST_TOOL_VERSION=v1.0.2 -ARG MOCKERY_VER=2.27.1 +ARG K8S_VERSION=v1.27.6 +ARG MANIFEST_TOOL_VERSION=v1.0.3 +ARG MOCKERY_VERSION=2.35.3 ARG MODSEC_VERSION=v3.0.10 ARG QEMU_ARCHS="arm aarch64 ppc64le s390x" ARG QEMU_VERSION=7.2.0-1 -ARG SU_EXEC_VER=212b75144bbc06722fbd7661f651390dc47a43d1 - -# Install su-exec for use in the entrypoint.sh (so processes run as the right user) -# Install bash for the entry script (and because it's generally useful) -# Install curl -# Install git for fetching Go dependencies -# Install ssh for fetching Go dependencies -# Install wget since it's useful for fetching -# Install make for building things -# Install util-linux for column command (used for output formatting). -# Install grep, sed, zip, and jq for use in some Makefiles -# Install gcc for cgo. -# Install lsb-release software-properties-common for llvm upgrade script -# Install clang, libbpf and newer kernel headers for building BPF binaries. -# Install libpcre++-dev and libraries for ModSecurity dependencies. 
-RUN apt-get -y update && apt-get -y upgrade && \ - apt-get install --no-install-recommends -y \ - libbpf-dev linux-headers-amd64 \ - curl git openssh-client make wget util-linux file grep sed jq zip \ - lsb-release software-properties-common binutils inetutils-ping iproute2 \ - ca-certificates gcc mingw-w64 libc-dev bsdmainutils strace libpcap-dev \ - autoconf automake build-essential \ - libcurl4-openssl-dev libgeoip-dev liblmdb-dev \ - libpcre++-dev libtool libxml2-dev libyajl-dev \ - pkgconf zlib1g-dev - -RUN curl -sfL https://apt.llvm.org/llvm.sh | bash -s -- ${LLVM_VERSION} && \ - apt-get install clang-${LLVM_VERSION} - -RUN apt-get autoclean && apt-get clean - -# su-exec is used by the entrypoint script to execute the user's command with the right UID/GID. -# (sudo doesn't work easily in a container.) The version was current master at the time of writing. -RUN set -ex; \ - curl -o /sbin/su-exec.c https://raw.githubusercontent.com/ncopa/su-exec/${SU_EXEC_VER}/su-exec.c; \ - gcc -Wall /sbin/su-exec.c -o/sbin/su-exec; \ - chown root:root /sbin/su-exec; \ - chmod 0755 /sbin/su-exec; \ - rm /sbin/su-exec.c - -RUN curl -sfL https://github.com/vektra/mockery/releases/download/v${MOCKERY_VER}/mockery_${MOCKERY_VER}_Linux_x86_64.tar.gz | tar xz -C /usr/local/bin --extract mockery -# Disable ssh host key checking -RUN echo 'Host *' >> /etc/ssh/ssh_config \ - && echo ' StrictHostKeyChecking no' >> /etc/ssh/ssh_config +ENV PATH /usr/local/go/bin:$PATH + +# Install system dependencies +RUN dnf upgrade -y && dnf install -y \ + autoconf \ + automake \ + clang \ + gcc \ + gcc-c++ \ + git \ + glibc-static \ + iputils \ + jq \ + libcurl-devel \ + libpcap-devel \ + libtool \ + libxml2-devel \ + llvm \ + make \ + openssh-clients \ + pcre-devel \ + pkg-config \ + wget \ + yajl \ + zip + +COPY rockylinux/Rocky*.repo /etc/yum.repos.d/ +RUN dnf --enablerepo=baseos --enablerepo=powertools install -y \ + elfutils-libelf-devel \ + iproute-devel \ + libbpf-devel \ + lmdb-devel \ + 
mingw64-gcc + +RUN dnf clean all + +# Install Go official release +RUN set -eux; \ + wget -O go.tgz.asc https://dl.google.com/go/go${GOLANG_VERSION}.linux-amd64.tar.gz.asc; \ + wget -O go.tgz https://dl.google.com/go/go${GOLANG_VERSION}.linux-amd64.tar.gz --progress=dot:giga; \ + echo "${GOLANG_SHA256} *go.tgz" | sha256sum -c -; \ + \ + # https://github.com/golang/go/issues/14739#issuecomment-324767697 + GNUPGHOME="$(mktemp -d)"; export GNUPGHOME; \ + # https://www.google.com/linuxrepositories/ + gpg --batch --keyserver keyserver.ubuntu.com --recv-keys 'EB4C 1BFD 4F04 2F6D DDCC EC91 7721 F63B D38B 4796'; \ + # let's also fetch the specific subkey of that key explicitly that we expect "go.tgz.asc" to be signed by, just to make sure we definitely have it + gpg --batch --keyserver keyserver.ubuntu.com --recv-keys '2F52 8D36 D67B 69ED F998 D857 78BD 6547 3CB3 BD13'; \ + gpg --batch --verify go.tgz.asc go.tgz; \ + gpgconf --kill all; \ + rm -rf "$GNUPGHOME" go.tgz.asc; \ + \ + tar -C /usr/local -xzf go.tgz; \ + rm -f go.tgz*; \ + \ + go version + +# don't auto-upgrade the gotoolchain +# https://github.com/docker-library/golang/issues/472 +ENV GOTOOLCHAIN=local + +ENV GOPATH /go +ENV PATH $GOPATH/bin:$PATH +RUN mkdir -p "$GOPATH/src" "$GOPATH/bin" && chmod -R 1777 "$GOPATH" + +# Install Go utilities + +# Used for generating CRD files. +# Download a version of controller-gen that has been hacked to support additional types (e.g., float). +# We can remove this once we update the Calico v3 APIs to use only types which are supported by the upstream controller-gen +# tooling. Example: float, all the types in the numorstring package, etc. +RUN wget -O /usr/local/bin/controller-gen https://github.com/projectcalico/controller-tools/releases/download/calico-0.1/controller-gen && chmod +x /usr/local/bin/controller-gen + +# crane is needed for our release targets to copy images from the dev registries to the release registries. 
+RUN curl -sfL https://github.com/google/go-containerregistry/releases/download/${CONTAINERREGISTRY_VERSION}/go-containerregistry_Linux_x86_64.tar.gz | tar xz -C /usr/local/bin crane + +RUN curl -sfL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh | sh -s -- -b /usr/local/bin $GO_LINT_VERSION + +# Install necessary Kubernetes binaries used in tests. +RUN wget https://dl.k8s.io/${K8S_VERSION}/bin/linux/amd64/kube-apiserver -O /usr/local/bin/kube-apiserver && chmod +x /usr/local/bin/kube-apiserver && \ + wget https://dl.k8s.io/release/${K8S_VERSION}/bin/linux/amd64/kubectl -O /usr/local/bin/kubectl && chmod +x /usr/local/bin/kubectl && \ + wget https://dl.k8s.io/${K8S_VERSION}/bin/linux/amd64/kube-controller-manager -O /usr/local/bin/kube-controller-manager && chmod +x /usr/local/bin/kube-controller-manager + +RUN curl -sfL https://github.com/vektra/mockery/releases/download/v${MOCKERY_VERSION}/mockery_${MOCKERY_VERSION}_Linux_x86_64.tar.gz | tar xz -C /usr/local/bin --extract mockery + +RUN curl -sfL https://github.com/estesp/manifest-tool/releases/download/${MANIFEST_TOOL_VERSION}/manifest-tool-linux-amd64 -o /usr/local/bin/manifest-tool && \ + chmod +x /usr/local/bin/manifest-tool # Install go programs that we rely on # Install ginkgo v2 as ginkgo2 and keep ginkgo v1 as ginkgo -RUN \ - go install github.com/onsi/ginkgo/v2/ginkgo@v2.11.0 && \ - mv /go/bin/ginkgo /go/bin/ginkgo2 && \ +RUN go install github.com/onsi/ginkgo/v2/ginkgo@v2.13.0 && mv /go/bin/ginkgo /go/bin/ginkgo2 && \ go install github.com/onsi/ginkgo/ginkgo@v1.16.5 && \ - go install golang.org/x/tools/cmd/goimports@v0.8.0 && \ - curl -sfL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh | sh -s -- -b $(go env GOPATH)/bin $GO_LINT_VERSION && \ + go install github.com/jstemmer/go-junit-report@v1.0.0 && \ + go install github.com/mikefarah/yq/v3@3.4.1 && \ go install github.com/pmezard/licenses@master && \ + go install 
github.com/swaggo/swag/cmd/swag@v1.16.2 && \ go install github.com/wadey/gocovmerge@master && \ - go install github.com/mikefarah/yq/v3@3.4.1 && \ - go install github.com/jstemmer/go-junit-report@v1.0.0 && \ - go install golang.org/x/tools/cmd/stringer@v0.8.0 && \ - go install k8s.io/code-generator/cmd/openapi-gen@v0.26.3 && \ - go install k8s.io/code-generator/cmd/deepcopy-gen@v0.26.3 && \ - go install k8s.io/code-generator/cmd/client-gen@v0.26.3 && \ - go install k8s.io/code-generator/cmd/lister-gen@v0.26.3 && \ - go install k8s.io/code-generator/cmd/informer-gen@v0.26.3 && \ - go install k8s.io/code-generator/cmd/defaulter-gen@v0.26.3 && \ - go install k8s.io/code-generator/cmd/conversion-gen@v0.26.3 && \ - go install github.com/swaggo/swag/cmd/swag@v1.8.7 && \ + go install golang.org/x/tools/cmd/goimports@v0.14.0 && \ + go install golang.org/x/tools/cmd/stringer@v0.14.0 && \ go install gotest.tools/gotestsum@latest && \ + go install k8s.io/code-generator/cmd/client-gen@v0.27.6 && \ + go install k8s.io/code-generator/cmd/conversion-gen@v0.27.6 && \ + go install k8s.io/code-generator/cmd/deepcopy-gen@v0.27.6 && \ + go install k8s.io/code-generator/cmd/defaulter-gen@v0.27.6 && \ + go install k8s.io/code-generator/cmd/informer-gen@v0.27.6 && \ + go install k8s.io/code-generator/cmd/lister-gen@v0.27.6 && \ + go install k8s.io/code-generator/cmd/openapi-gen@v0.27.6 && \ go clean -modcache && go clean -cache -# Install necessary Kubernetes binaries used in tests. -RUN wget https://dl.k8s.io/${K8S_VERSION}/bin/linux/amd64/kube-apiserver -O /usr/local/bin/kube-apiserver && chmod +x /usr/local/bin/kube-apiserver && \ - wget https://dl.k8s.io/release/${K8S_VERSION}/bin/linux/amd64/kubectl -O /usr/local/bin/kubectl && chmod +x /usr/local/bin/kubectl && \ - wget https://dl.k8s.io/${K8S_VERSION}/bin/linux/amd64/kube-controller-manager -O /usr/local/bin/kube-controller-manager && chmod +x /usr/local/bin/kube-controller-manager -# Used for generating CRD files. 
-# Download a version of controller-gen that has been hacked to support additional types (e.g., float). -# We can remove this once we update the Calico v3 APIs to use only types which are supported by the upstream controller-gen -# tooling. Example: float, all the types in the numorstring package, etc. -RUN wget -O ${GOPATH}/bin/controller-gen https://github.com/projectcalico/controller-tools/releases/download/calico-0.1/controller-gen && chmod +x ${GOPATH}/bin/controller-gen - -# Enable non-native runs on amd64 architecture hosts -RUN for i in ${QEMU_ARCHS}; do curl -sfL https://github.com/multiarch/qemu-user-static/releases/download/v${QEMU_VERSION}/qemu-${i}-static.tar.gz | tar xz -C /usr/bin; done - # Ensure that everything under the GOPATH is writable by everyone RUN chmod -R 777 $GOPATH +ENV HOME $GOPATH -RUN curl -sfL https://github.com/estesp/manifest-tool/releases/download/${MANIFEST_TOOL_VERSION}/manifest-tool-linux-amd64 -o /usr/bin/manifest-tool && \ - chmod +x /usr/bin/manifest-tool +# Disable ssh host key checking +RUN echo $'Host *\n StrictHostKeyChecking no' >> /etc/ssh/ssh_config.d/10-stricthostkey.conf -# crane is needed for our release targets to copy images from the dev registries to the release registries. -RUN curl -sfL https://github.com/google/go-containerregistry/releases/download/v0.4.1/go-containerregistry_Linux_x86_64.tar.gz | tar xz -C /usr/bin crane +# Enable non-native runs on amd64 architecture hosts +RUN for i in ${QEMU_ARCHS}; \ + do curl -sfL https://github.com/multiarch/qemu-user-static/releases/download/v${QEMU_VERSION}/qemu-${i}-static.tar.gz | tar xz -C /usr/bin; done # Add bpftool for Felix UT/FV. -COPY --from=bpftool /bpftool /usr/bin +COPY --from=bpftool /bpftool /usr/local/bin # Build ModSecurity for Dikastes. RUN git clone -b ${MODSEC_VERSION} --depth 1 --recurse-submodules --shallow-submodules https://github.com/SpiderLabs/ModSecurity.git /build && \ 
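Review bot: `FROM registry.access.redhat.com/ubi8/ubi:latest` is the one floating input in a hunk that otherwise pins and verifies the Go toolchain by SHA256 and GPG signature, so two builds of the same commit can yield different images and a base-image change cannot be traced back; pin a tag and digest, e.g. `FROM registry.access.redhat.com/ubi8/ubi:<pinned-tag>@sha256:<digest>` (placeholder values). The same gap applies to controller-gen, crane, golangci-lint's `install.sh` fetched from `master`, mockery, manifest-tool and the qemu tarballs, which are piped from curl/wget straight into /usr/local/bin or /usr/bin with no integrity check, while dl.k8s.io and most of these GitHub releases publish checksum files that could be verified the same way `go.tgz` is. `RUN mkdir -p "$GOPATH/src" "$GOPATH/bin" && chmod -R 1777 "$GOPATH"` makes `$GOPATH/bin`, which `ENV PATH $GOPATH/bin:$PATH` puts first on PATH, writable by every UID in the container, so any later process can replace the installed Go tools; consider leaving `/go/bin` root-owned and opening only `/go/src` and the caches. `ENV PATH /usr/local/go/bin:$PATH`, `ENV GOPATH /go`, `ENV PATH $GOPATH/bin:$PATH` and `ENV HOME $GOPATH` use the deprecated space-separated form that BuildKit's LegacyKeyValueFormat check flags; `ENV PATH=/usr/local/go/bin:$PATH` is the current syntax. The ModSecurity `RUN git clone …` instruction at the end of the hunk continues past it.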
@@ -113,5 +145,4 @@ RUN git clone -b ${MODSEC_VERSION} --depth 1 --recurse-submodules --shallow-subm make && make install && \ rm -fr /build -COPY entrypoint.sh /usr/local/bin/entrypoint.sh -ENTRYPOINT ["/usr/local/bin/entrypoint.sh"] +WORKDIR $GOPATH diff --git a/Dockerfile.arm64 b/Dockerfile.arm64 index 2a785411..6a70489e 100644 --- a/Dockerfile.arm64 +++ b/Dockerfile.arm64 @@ -1,9 +1,7 @@ -FROM calico/bpftool:v5.0-arm64 as bpftool +FROM calico/bpftool:v5.3-arm64 as bpftool FROM debian:bullseye as qemu -LABEL maintainer="Reza Ramezanpour " - ARG QEMU_VERSION=7.2.0-1 RUN apt update && apt install -y curl @@ -13,12 +11,14 @@ RUN curl -sfL https://github.com/multiarch/qemu-user-static/releases/download/v$ FROM arm64v8/golang:1.21.4-bullseye +LABEL maintainer="Reza Ramezanpour " + +ARG CONTAINERREGISTRY_VERSION=v0.16.1 ARG GO_LINT_VERSION=v1.54.2 -ARG K8S_VERSION=v1.26.3 +ARG K8S_VERSION=v1.27.6 ARG LLVM_VERSION=15 -ARG MANIFEST_TOOL_VERSION=v1.0.2 -ARG MOCKERY_VER=2.14.0 -ARG SU_EXEC_VER=212b75144bbc06722fbd7661f651390dc47a43d1 +ARG MANIFEST_TOOL_VERSION=v1.0.3 +ARG MOCKERY_VERSION=2.35.3 # Enable non-native builds of this image on an amd64 hosts. # This must be the first RUN command in this file! 
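Review bot: With `COPY entrypoint.sh` and the `ENTRYPOINT` removed, the amd64 image now ends at `WORKDIR $GOPATH` with no `USER` directive, so a plain `docker run` of it executes as root, and the UID/GID switch that `entrypoint.sh`/su-exec used to perform now lives only in callers that remember to pass `--user` (the Makefile changes in this patch do; external users of the image will not know that). Add a comment above `WORKDIR $GOPATH` such as `# No ENTRYPOINT/USER: run with --user=<uid>:<gid>; GOPATH is world-writable for that reason`, or set a non-root default `USER` that the Makefiles can override. `WORKDIR $GOPATH` depends on the `ENV GOPATH /go` defined earlier in the file, which is outside this hunk.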
@@ -37,66 +37,57 @@ COPY --from=qemu /usr/bin/qemu-*-static /usr/bin/ # Install clang, libbpf and newer kernel headers for building BPF binaries. RUN apt-get update && apt-get -y upgrade && \ apt-get install --no-install-recommends -y \ - libbpf-dev linux-headers-arm64 \ - curl git openssh-client make wget util-linux file grep sed jq zip \ - lsb-release software-properties-common binutils inetutils-ping iproute2 \ - ca-certificates gcc libc-dev bsdmainutils strace libpcap-dev + libbpf-dev linux-headers-arm64 \ + curl git openssh-client make wget util-linux file grep sed jq zip \ + lsb-release software-properties-common binutils inetutils-ping iproute2 \ + ca-certificates gcc libc-dev bsdmainutils strace libpcap-dev RUN curl -sfL https://apt.llvm.org/llvm.sh | bash -s -- ${LLVM_VERSION} && \ apt-get install clang-${LLVM_VERSION} RUN apt-get autoclean && apt-get clean -# su-exec is used by the entrypoint script to execute the user's command with the right UID/GID. -# (sudo doesn't work easily in a container.) The version was current master at the time of writing. -RUN set -ex; \ - curl -o /sbin/su-exec.c https://raw.githubusercontent.com/ncopa/su-exec/${SU_EXEC_VER}/su-exec.c; \ - gcc -Wall /sbin/su-exec.c -o/sbin/su-exec; \ - chown root:root /sbin/su-exec; \ - chmod 0755 /sbin/su-exec; \ - rm /sbin/su-exec.c +# Install Go utilities -RUN curl -sfL https://github.com/vektra/mockery/releases/download/v${MOCKERY_VER}/mockery_${MOCKERY_VER}_Linux_x86_64.tar.gz | tar xz -C /usr/local/bin --extract mockery +# crane is needed for our release targets to copy images from the dev registries to the release registries. 
+RUN curl -sfL https://github.com/google/go-containerregistry/releases/download/${CONTAINERREGISTRY_VERSION}/go-containerregistry_Linux_arm64.tar.gz | tar xz -C /usr/local/bin crane -# Disable ssh host key checking -RUN echo 'Host *' >> /etc/ssh/ssh_config \ - && echo ' StrictHostKeyChecking no' >> /etc/ssh/ssh_config +RUN curl -sfL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh | sh -s -- -b /usr/local/bin $GO_LINT_VERSION + +# Install necessary Kubernetes binaries used in tests. +RUN wget https://dl.k8s.io/${K8S_VERSION}/bin/linux/arm64/kube-apiserver -O /usr/local/bin/kube-apiserver && chmod +x /usr/local/bin/kube-apiserver && \ + wget https://dl.k8s.io/release/${K8S_VERSION}/bin/linux/arm64/kubectl -O /usr/local/bin/kubectl && chmod +x /usr/local/bin/kubectl && \ + wget https://dl.k8s.io/${K8S_VERSION}/bin/linux/arm64/kube-controller-manager -O /usr/local/bin/kube-controller-manager && chmod +x /usr/local/bin/kube-controller-manager + +RUN curl -sfL https://github.com/vektra/mockery/releases/download/v${MOCKERY_VERSION}/mockery_${MOCKERY_VERSION}_Linux_x86_64.tar.gz | tar xz -C /usr/local/bin --extract mockery + +RUN curl -sfL https://github.com/estesp/manifest-tool/releases/download/${MANIFEST_TOOL_VERSION}/manifest-tool-linux-arm64 -o /usr/local/bin/manifest-tool && \ + chmod +x /usr/local/bin/manifest-tool # Install go programs that we rely on # Install ginkgo v2 as ginkgo2 and keep ginkgo v1 as ginkgo RUN \ - go install github.com/onsi/ginkgo/v2/ginkgo@v2.11.0 && \ - mv /go/bin/ginkgo /go/bin/ginkgo2 && \ + go install github.com/onsi/ginkgo/v2/ginkgo@v2.13.0 && mv /go/bin/ginkgo /go/bin/ginkgo2 && \ go install github.com/onsi/ginkgo/ginkgo@v1.16.5 && \ - go install golang.org/x/tools/cmd/goimports@v0.8.0 && \ - curl -sfL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh | sh -s -- -b $(go env GOPATH)/bin $GO_LINT_VERSION && \ + go install github.com/jstemmer/go-junit-report@v1.0.0 && \ + go install 
github.com/mikefarah/yq/v3@3.4.1 && \ go install github.com/pmezard/licenses@master && \ + go install github.com/swaggo/swag/cmd/swag@v1.16.2 && \ go install github.com/wadey/gocovmerge@master && \ - go install github.com/mikefarah/yq/v3@3.4.1 && \ - go install github.com/jstemmer/go-junit-report@v1.0.0 && \ - go install golang.org/x/tools/cmd/stringer@v0.8.0 && \ - go install k8s.io/code-generator/cmd/openapi-gen@v0.26.3 && \ - go install k8s.io/code-generator/cmd/deepcopy-gen@v0.26.3 && \ - go install github.com/swaggo/swag/cmd/swag@v1.8.7 && \ + go install golang.org/x/tools/cmd/goimports@v0.14.0 && \ + go install golang.org/x/tools/cmd/stringer@v0.14.0 && \ go install gotest.tools/gotestsum@latest && \ + go install k8s.io/code-generator/cmd/deepcopy-gen@v0.27.6 && \ + go install k8s.io/code-generator/cmd/openapi-gen@v0.27.6 && \ go clean -modcache && go clean -cache # Ensure that everything under the GOPATH is writable by everyone RUN chmod -R 777 $GOPATH +ENV HOME $GOPATH -RUN curl -sfL https://github.com/estesp/manifest-tool/releases/download/${MANIFEST_TOOL_VERSION}/manifest-tool-linux-arm64 -o /usr/bin/manifest-tool && \ - chmod +x /usr/bin/manifest-tool - -# crane is needed for our release targets to copy images from the dev registries to the release registries. -RUN curl -sfL https://github.com/google/go-containerregistry/releases/download/v0.4.1/go-containerregistry_Linux_arm64.tar.gz | tar xz -C /usr/bin crane - -# Install necessary Kubernetes binaries used in tests. 
-RUN wget https://dl.k8s.io/${K8S_VERSION}/bin/linux/arm64/kube-apiserver -O /usr/local/bin/kube-apiserver && chmod +x /usr/local/bin/kube-apiserver && \ - wget https://dl.k8s.io/release/${K8S_VERSION}/bin/linux/arm64/kubectl -O /usr/local/bin/kubectl && chmod +x /usr/local/bin/kubectl && \ - wget https://dl.k8s.io/${K8S_VERSION}/bin/linux/arm64/kube-controller-manager -O /usr/local/bin/kube-controller-manager && chmod +x /usr/local/bin/kube-controller-manager +# Disable ssh host key checking +RUN echo 'Host *' >> /etc/ssh/ssh_config \ + && echo ' StrictHostKeyChecking no' >> /etc/ssh/ssh_config # Add bpftool for Felix UT/FV. -COPY --from=bpftool /bpftool /usr/bin - -COPY entrypoint.sh /usr/local/bin/entrypoint.sh -ENTRYPOINT ["/usr/local/bin/entrypoint.sh"] +COPY --from=bpftool /bpftool /usr/local/bin diff --git a/Dockerfile.armv7 b/Dockerfile.armv7 index 18209776..d66e8c19 100644 --- a/Dockerfile.armv7 +++ b/Dockerfile.armv7 @@ -12,14 +12,13 @@ FROM arm32v7/golang:1.21.4-alpine3.18 LABEL maintainer="Marc Crebassa " ARG GO_LINT_VERSION=v1.54.2 -ARG K8S_VERSION=v1.26.3 -ARG MANIFEST_TOOL_VERSION=v1.0.2 +ARG K8S_VERSION=v1.27.6 +ARG MANIFEST_TOOL_VERSION=v1.0.3 # Enable non-native builds of this image on an amd64 hosts. # This must be the first RUN command in this file! COPY --from=qemu /usr/bin/qemu-*-static /usr/bin/ -# Install su-exec for use in the entrypoint.sh (so processes run as the right user) # Install bash for the entry script (and because it's generally useful) # Install curl # Install git for fetching Go dependencies 
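Review bot: The re-added `RUN curl -sfL https://github.com/vektra/mockery/releases/download/v${MOCKERY_VERSION}/mockery_${MOCKERY_VERSION}_Linux_x86_64.tar.gz …` in Dockerfile.arm64 installs an x86_64 binary into the arm64 image; the line was wrong before the move as well, but it is new on this side and the crane line just above it already uses `Linux_arm64`, so `mockery_${MOCKERY_VERSION}_Linux_arm64.tar.gz` is the asset name to expect (verify it exists for 2.35.3). `RUN echo 'Host *' >> /etc/ssh/ssh_config && echo ' StrictHostKeyChecking no' >> /etc/ssh/ssh_config`, re-added here and in the armv7, ppc64le and s390x hunks, disables host-key verification for every SSH destination, which is exactly what protects the private-module fetches the mapped SSH_AUTH_SOCK exists for; `StrictHostKeyChecking accept-new` (OpenSSH 7.6+) keeps the first-contact convenience while still rejecting a changed key, and the amd64 variant could use the same value. `ENV HOME $GOPATH` directly after `RUN chmod -R 777 $GOPATH` makes the home directory, and with it `~/.ssh/known_hosts` and `~/.gitconfig`, world-writable, which deserves a comment if it is intended.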
@@ -29,51 +28,38 @@ COPY --from=qemu /usr/bin/qemu-*-static /usr/bin/ # Install util-linux for column command (used for output formatting). # Install grep, sed, zip, and jq for use in some Makefiles # Install shadow for useradd (it allows to use big UID) -RUN apk update && apk add --no-cache su-exec curl bash git openssh make wget util-linux tini file grep sed jq zip shadow libpcap-dev clang clang-dev linux-headers libbpf-dev musl-dev llvm +RUN apk update && apk add --no-cache curl bash git openssh make wget util-linux tini file grep sed jq zip shadow libpcap-dev clang clang-dev linux-headers libbpf-dev musl-dev llvm RUN apk upgrade --no-cache -# Disable ssh host key checking -RUN echo 'Host *' >> /etc/ssh/ssh_config \ - && echo ' StrictHostKeyChecking no' >> /etc/ssh/ssh_config - -# Install ginkgo CLI tool for running tests -# Install ginkgo v2 as ginkgo2 and keep ginkgo v1 as ginkgo -RUN go install github.com/onsi/ginkgo/v2/ginkgo@v2.9.2 && \ - mv /go/bin/ginkgo /go/bin/ginkgo2 && \ - go install github.com/onsi/ginkgo/ginkgo@v1.16.5 +# Install Go utilities # Install linting tools -RUN curl -sfL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh | sh -s -- -b $(go env GOPATH)/bin $GO_LINT_VERSION - -# Install license checking tool. -RUN go install github.com/pmezard/licenses@master - -# Install tool to merge coverage reports. -RUN go install github.com/wadey/gocovmerge@master - -# Install CLI tool for working with yaml files -RUN go install github.com/mikefarah/yq/v3@3.4.1 - -# Delete all the Go sources that were downloaded, we only rely on the binaries -RUN rm -rf /go/src/* - -# Install generation tools. 
-RUN go install k8s.io/code-generator/cmd/openapi-gen@master -RUN go install k8s.io/code-generator/cmd/deepcopy-gen@master - -# Install Swaggo -RUN go install github.com/swaggo/swag/cmd/swag@v1.8.7 +RUN curl -sfL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh | sh -s -- -b /usr/local/bin $GO_LINT_VERSION # Install necessary Kubernetes binaries used in tests. RUN wget https://dl.k8s.io/${K8S_VERSION}/bin/linux/ppc64le/kube-apiserver -O /usr/local/bin/kube-apiserver && chmod +x /usr/local/bin/kube-apiserver && \ - wget https://dl.k8s.io/release/${K8S_VERSION}/bin/linux/ppc64le/kubectl -O /usr/local/bin/kubectl && chmod +x /usr/local/bin/kubectl && \ - wget https://dl.k8s.io/${K8S_VERSION}/bin/linux/ppc64le/kube-controller-manager -O /usr/local/bin/kube-controller-manager && chmod +x /usr/local/bin/kube-controller-manager + wget https://dl.k8s.io/release/${K8S_VERSION}/bin/linux/ppc64le/kubectl -O /usr/local/bin/kubectl && chmod +x /usr/local/bin/kubectl && \ + wget https://dl.k8s.io/${K8S_VERSION}/bin/linux/ppc64le/kube-controller-manager -O /usr/local/bin/kube-controller-manager && chmod +x /usr/local/bin/kube-controller-manager + +RUN curl -sfL https://github.com/estesp/manifest-tool/releases/download/${MANIFEST_TOOL_VERSION}/manifest-tool-linux-armv7 -o /usr/local/bin/manifest-tool && \ + chmod +x /usr/local/bin/manifest-tool + +# Install ginkgo CLI tool for running tests +# Install ginkgo v2 as ginkgo2 and keep ginkgo v1 as ginkgo +RUN go install github.com/onsi/ginkgo/v2/ginkgo@v2.13.0 && mv /go/bin/ginkgo /go/bin/ginkgo2 && \ + go install github.com/onsi/ginkgo/ginkgo@v1.16.5 && \ + go install github.com/mikefarah/yq/v3@3.4.1 && \ + go install github.com/pmezard/licenses@master && \ + go install github.com/swaggo/swag/cmd/swag@v1.16.2 && \ + go install github.com/wadey/gocovmerge@master && \ + go install k8s.io/code-generator/cmd/deepcopy-gen@v0.27.6 && \ + go install k8s.io/code-generator/cmd/openapi-gen@v0.27.6 && \ + go clean 
-modcache && go clean -cache # Ensure that everything under the GOPATH is writable by everyone RUN chmod -R 777 $GOPATH +ENV HOME $GOPATH -RUN curl -sfL https://github.com/estesp/manifest-tool/releases/download/${MANIFEST_TOOL_VERSION}/manifest-tool-linux-armv7 -o /usr/bin/manifest-tool && \ - chmod +x /usr/bin/manifest-tool - -COPY entrypoint.sh /usr/local/bin/entrypoint.sh -ENTRYPOINT ["/sbin/tini", "--", "/usr/local/bin/entrypoint.sh"] +# Disable ssh host key checking +RUN echo 'Host *' >> /etc/ssh/ssh_config \ + && echo ' StrictHostKeyChecking no' >> /etc/ssh/ssh_config diff --git a/Dockerfile.ppc64le b/Dockerfile.ppc64le index a746def0..770367fc 100644 --- a/Dockerfile.ppc64le +++ b/Dockerfile.ppc64le @@ -12,14 +12,13 @@ FROM ppc64le/golang:1.21.4-alpine3.18 LABEL maintainer="David Wilder " ARG GO_LINT_VERSION=v1.54.2 -ARG K8S_VERSION=v1.26.3 -ARG MANIFEST_TOOL_VERSION=v1.0.2 +ARG K8S_VERSION=v1.27.6 +ARG MANIFEST_TOOL_VERSION=v1.0.3 # Enable non-native builds of this image on an amd64 hosts. # This must be the first RUN command in this file! COPY --from=qemu /usr/bin/qemu-*-static /usr/bin/ -# Install su-exec for use in the entrypoint.sh (so processes run as the right user) # Install bash for the entry script (and because it's generally useful) # Install curl # Install git for fetching Go dependencies 
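Review bot: The re-indented lines `wget https://dl.k8s.io/release/${K8S_VERSION}/bin/linux/ppc64le/kubectl …` and `… /bin/linux/ppc64le/kube-controller-manager …` in Dockerfile.armv7 (together with the unchanged kube-apiserver line above them) fetch ppc64le binaries into the 32-bit ARM image; only whitespace changed on these lines, so this looks like a copy from Dockerfile.ppc64le that the move did not catch. The platform string dl.k8s.io uses for 32-bit ARM is `linux/arm`; confirm each of the three binaries is actually published for it at v1.27.6 before switching, since server components may not be. The manifest-tool line two instructions below correctly selects the `linux-armv7` asset, which is the per-architecture convention these lines should follow.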
@@ -29,51 +28,38 @@ COPY --from=qemu /usr/bin/qemu-*-static /usr/bin/ # Install util-linux for column command (used for output formatting). # Install grep, sed, zip, and jq for use in some Makefiles # Install shadow for useradd (it allows to use big UID) -RUN apk update && apk add --no-cache su-exec curl bash git openssh make wget util-linux tini file grep sed jq zip shadow libpcap-dev +RUN apk update && apk add --no-cache curl bash git openssh make wget util-linux tini file grep sed jq zip shadow libpcap-dev RUN apk upgrade --no-cache -# Disable ssh host key checking -RUN echo 'Host *' >> /etc/ssh/ssh_config \ - && echo ' StrictHostKeyChecking no' >> /etc/ssh/ssh_config - -# Install ginkgo CLI tool for running tests -# Install ginkgo v2 as ginkgo2 and keep ginkgo v1 as ginkgo -RUN go install github.com/onsi/ginkgo/v2/ginkgo@v2.9.2 && \ - mv /go/bin/ginkgo /go/bin/ginkgo2 && \ - go install github.com/onsi/ginkgo/ginkgo@v1.16.5 +# Install Go utilities # Install linting tools -RUN curl -sfL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh | sh -s -- -b $(go env GOPATH)/bin $GO_LINT_VERSION - -# Install license checking tool. -RUN go install github.com/pmezard/licenses@master - -# Install tool to merge coverage reports. -RUN go install github.com/wadey/gocovmerge@master - -# Install CLI tool for working with yaml files -RUN go install github.com/mikefarah/yq/v3@3.4.1 - -# Delete all the Go sources that were downloaded, we only rely on the binaries -RUN rm -rf /go/src/* - -# Install generation tools. -RUN go install k8s.io/code-generator/cmd/openapi-gen@master -RUN go install k8s.io/code-generator/cmd/deepcopy-gen@master - -# Install Swaggo -RUN go install github.com/swaggo/swag/cmd/swag@v1.8.7 +RUN curl -sfL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh | sh -s -- -b /usr/local/bin $GO_LINT_VERSION # Install necessary Kubernetes binaries used in tests. 
RUN wget https://dl.k8s.io/${K8S_VERSION}/bin/linux/ppc64le/kube-apiserver -O /usr/local/bin/kube-apiserver && chmod +x /usr/local/bin/kube-apiserver && \ - wget https://dl.k8s.io/release/${K8S_VERSION}/bin/linux/ppc64le/kubectl -O /usr/local/bin/kubectl && chmod +x /usr/local/bin/kubectl && \ - wget https://dl.k8s.io/${K8S_VERSION}/bin/linux/ppc64le/kube-controller-manager -O /usr/local/bin/kube-controller-manager && chmod +x /usr/local/bin/kube-controller-manager + wget https://dl.k8s.io/release/${K8S_VERSION}/bin/linux/ppc64le/kubectl -O /usr/local/bin/kubectl && chmod +x /usr/local/bin/kubectl && \ + wget https://dl.k8s.io/${K8S_VERSION}/bin/linux/ppc64le/kube-controller-manager -O /usr/local/bin/kube-controller-manager && chmod +x /usr/local/bin/kube-controller-manager + +RUN curl -sfL https://github.com/estesp/manifest-tool/releases/download/${MANIFEST_TOOL_VERSION}/manifest-tool-linux-ppc64le -o /usr/local/bin/manifest-tool && \ + chmod +x /usr/local/bin/manifest-tool + +# Install ginkgo CLI tool for running tests +# Install ginkgo v2 as ginkgo2 and keep ginkgo v1 as ginkgo +RUN go install github.com/onsi/ginkgo/v2/ginkgo@v2.13.0 && mv /go/bin/ginkgo /go/bin/ginkgo2 && \ + go install github.com/onsi/ginkgo/ginkgo@v1.16.5 && \ + go install github.com/mikefarah/yq/v3@3.4.1 && \ + go install github.com/pmezard/licenses@master && \ + go install github.com/swaggo/swag/cmd/swag@v1.16.2 && \ + go install github.com/wadey/gocovmerge@master && \ + go install k8s.io/code-generator/cmd/deepcopy-gen@v0.27.6 && \ + go install k8s.io/code-generator/cmd/openapi-gen@v0.27.6 && \ + go clean -modcache && go clean -cache # Ensure that everything under the GOPATH is writable by everyone RUN chmod -R 777 $GOPATH +ENV HOME $GOPATH -RUN curl -sfL https://github.com/estesp/manifest-tool/releases/download/${MANIFEST_TOOL_VERSION}/manifest-tool-linux-ppc64le -o /usr/bin/manifest-tool && \ - chmod +x /usr/bin/manifest-tool - -COPY entrypoint.sh /usr/local/bin/entrypoint.sh -ENTRYPOINT 
["/sbin/tini", "--", "/usr/local/bin/entrypoint.sh"] +# Disable ssh host key checking +RUN echo 'Host *' >> /etc/ssh/ssh_config \ + && echo ' StrictHostKeyChecking no' >> /etc/ssh/ssh_config diff --git a/Dockerfile.s390x b/Dockerfile.s390x index 50c279a4..f360c365 100644 --- a/Dockerfile.s390x +++ b/Dockerfile.s390x @@ -12,14 +12,13 @@ FROM s390x/golang:1.21.4-alpine3.18 LABEL maintainer="LoZ Open SourceEcosystem (https://www.ibm.com/developerworks/community/groups/community/lozopensource)" ARG GO_LINT_VERSION=v1.54.2 -ARG K8S_VERSION=v1.26.3 -ARG MANIFEST_TOOL_VERSION=v1.0.2 +ARG K8S_VERSION=v1.27.6 +ARG MANIFEST_TOOL_VERSION=v1.0.3 # Enable non-native builds of this image on an amd64 hosts. # This must be the first RUN command in this file! COPY --from=qemu /usr/bin/qemu-*-static /usr/bin/ -# Install su-exec for use in the entrypoint.sh (so processes run as the right user) # Install bash for the entry script (and because it's generally useful) # Install curl # Install git for fetching Go dependencies 
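Review bot: `go install github.com/pmezard/licenses@master` and `go install github.com/wadey/gocovmerge@master` in the consolidated RUN block resolve `master` at build time, so these tools change without any change to this file and a force-pushed or compromised branch lands in the image unnoticed; the same two lines appear in the s390x, armv7, arm64 and amd64 hunks, and amd64/arm64 additionally use `gotest.tools/gotestsum@latest`. Pin them to a tag or commit hash the way ginkgo, yq and swag are pinned (`go install github.com/pmezard/licenses@<commit-hash>`, real hash to be filled in), which also lets the Go checksum database vouch for the module content. `ENV HOME $GOPATH` after `RUN chmod -R 777 $GOPATH` would also benefit from a comment stating that the whole home tree is deliberately world-writable because the image is run under an arbitrary `--user`.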
@@ -29,51 +28,38 @@ COPY --from=qemu /usr/bin/qemu-*-static /usr/bin/ # Install util-linux for column command (used for output formatting). # Install grep, sed, zip, and jq for use in some Makefiles # Install shadow for useradd (it allows to use big UID) -RUN apk update && apk add --no-cache su-exec curl bash git openssh make wget util-linux tini file grep sed jq zip shadow libpcap-dev +RUN apk update && apk add --no-cache curl bash git openssh make wget util-linux tini file grep sed jq zip shadow libpcap-dev RUN apk upgrade --no-cache -# Disable ssh host key checking -RUN echo 'Host *' >> /etc/ssh/ssh_config \ - && echo ' StrictHostKeyChecking no' >> /etc/ssh/ssh_config - -# Install ginkgo CLI tool for running tests -# Install ginkgo v2 as ginkgo2 and keep ginkgo v1 as ginkgo -RUN go install github.com/onsi/ginkgo/v2/ginkgo@v2.9.2 && \ - mv /go/bin/ginkgo /go/bin/ginkgo2 && \ - go install github.com/onsi/ginkgo/ginkgo@v1.16.5 +# Install Go utilities # Install linting tools -RUN curl -sfL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh | sh -s -- -b $(go env GOPATH)/bin $GO_LINT_VERSION - -# Install license checking tool. -RUN go install github.com/pmezard/licenses@master - -# Install tool to merge coverage reports. -RUN go install github.com/wadey/gocovmerge@master - -# Install CLI tool for working with yaml files -RUN go install github.com/mikefarah/yq/v3@3.4.1 - -# Delete all the Go sources that were downloaded, we only rely on the binaries -RUN rm -rf /go/src/* - -# Install generation tools. -RUN go install k8s.io/code-generator/cmd/openapi-gen@master -RUN go install k8s.io/code-generator/cmd/deepcopy-gen@master - -# Install Swaggo -RUN go install github.com/swaggo/swag/cmd/swag@v1.8.7 +RUN curl -sfL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh | sh -s -- -b /usr/local/bin $GO_LINT_VERSION # Install necessary Kubernetes binaries used in tests. 
RUN wget https://dl.k8s.io/${K8S_VERSION}/bin/linux/s390x/kube-apiserver -O /usr/local/bin/kube-apiserver && chmod +x /usr/local/bin/kube-apiserver && \ - wget https://dl.k8s.io/release/${K8S_VERSION}/bin/linux/s390x/kubectl -O /usr/local/bin/kubectl && chmod +x /usr/local/bin/kubectl && \ - wget https://dl.k8s.io/${K8S_VERSION}/bin/linux/s390x/kube-controller-manager -O /usr/local/bin/kube-controller-manager && chmod +x /usr/local/bin/kube-controller-manager + wget https://dl.k8s.io/release/${K8S_VERSION}/bin/linux/s390x/kubectl -O /usr/local/bin/kubectl && chmod +x /usr/local/bin/kubectl && \ + wget https://dl.k8s.io/${K8S_VERSION}/bin/linux/s390x/kube-controller-manager -O /usr/local/bin/kube-controller-manager && chmod +x /usr/local/bin/kube-controller-manager + +RUN curl -sfL https://github.com/estesp/manifest-tool/releases/download/${MANIFEST_TOOL_VERSION}/manifest-tool-linux-s390x -o /usr/local/bin/manifest-tool && \ + chmod +x /usr/local/bin/manifest-tool + +# Install ginkgo CLI tool for running tests +# Install ginkgo v2 as ginkgo2 and keep ginkgo v1 as ginkgo +RUN go install github.com/onsi/ginkgo/v2/ginkgo@v2.13.0 && mv /go/bin/ginkgo /go/bin/ginkgo2 && \ + go install github.com/onsi/ginkgo/ginkgo@v1.16.5 && \ + go install github.com/mikefarah/yq/v3@3.4.1 && \ + go install github.com/pmezard/licenses@master && \ + go install github.com/swaggo/swag/cmd/swag@v1.16.2 && \ + go install github.com/wadey/gocovmerge@master && \ + go install k8s.io/code-generator/cmd/deepcopy-gen@v0.27.6 && \ + go install k8s.io/code-generator/cmd/openapi-gen@v0.27.6 && \ + go clean -modcache && go clean -cache # Ensure that everything under the GOPATH is writable by everyone RUN chmod -R 777 $GOPATH +ENV HOME $GOPATH -RUN curl -sfL https://github.com/estesp/manifest-tool/releases/download/${MANIFEST_TOOL_VERSION}/manifest-tool-linux-s390x -o /usr/bin/manifest-tool && \ - chmod +x /usr/bin/manifest-tool - -COPY entrypoint.sh /usr/local/bin/entrypoint.sh -ENTRYPOINT 
["/sbin/tini", "--", "/usr/local/bin/entrypoint.sh"] +# Disable ssh host key checking +RUN echo 'Host *' >> /etc/ssh/ssh_config \ + && echo ' StrictHostKeyChecking no' >> /etc/ssh/ssh_config diff --git a/Makefile b/Makefile index 940cb8e0..e5d2525c 100644 --- a/Makefile +++ b/Makefile @@ -101,7 +101,7 @@ sub-push-%: push-manifest: # Docker login to hub.docker.com required before running this target as we are using $(HOME)/.docker/config.json holds the docker login credentials - docker run -t --entrypoint /bin/sh -v $(HOME)/.docker/config.json:/root/.docker/config.json $(ARCHIMAGE) -c "/usr/bin/manifest-tool push from-args --platforms $(call join_platforms,$(ARCHES)) --template $(DEFAULTIMAGE)-ARCHVARIANT --target $(DEFAULTIMAGE)" + docker run -t --entrypoint /bin/sh -v $(HOME)/.docker/config.json:/go/.docker/config.json $(ARCHIMAGE) -c "manifest-tool push from-args --platforms $(call join_platforms,$(ARCHES)) --template $(DEFAULTIMAGE)-ARCHVARIANT --target $(DEFAULTIMAGE)" ############################################################################### # UTs @@ -110,7 +110,7 @@ test: register for arch in $(ARCHES) ; do ARCH=$$arch $(MAKE) testcompile; done testcompile: - docker run --rm -e LOCAL_USER_ID=$(shell id -u) -e GOARCH=$(ARCH) -w /code -v ${PWD}:/code $(BUILDIMAGE) go build -o hello-$(ARCH) hello.go + docker run --rm --user=$(shell id -u) -e GOARCH=$(ARCH) -w /code -v ${PWD}:/code $(BUILDIMAGE) go build -o hello-$(ARCH) hello.go docker run --rm -v ${PWD}:/code $(BUILDIMAGE) /code/hello-$(ARCH) | grep -q "hello world" @echo "success" diff --git a/Makefile.common b/Makefile.common index 12cebf9b..22b2a5c5 100644 --- a/Makefile.common +++ b/Makefile.common 
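Review bot: In the `testcompile` hunk, `--user=$(shell id -u)` passes only a UID, so the container process runs with primary GID 0 and `hello-$(ARCH)` is written into the bind-mounted `/code` owned by uid:root, whereas `DOCKER_RUN` in Makefile.common in this same patch uses `--user=$(shell id -u):$(shell id -g)`; use the same form here: `docker run --rm --user=$(shell id -u):$(shell id -g) -e GOARCH=$(ARCH) -w /code -v ${PWD}:/code $(BUILDIMAGE) go build -o hello-$(ARCH) hello.go`. In the `push-manifest` hunk, the new mount target `/go/.docker/config.json` is only correct because the Dockerfiles now set `ENV HOME $GOPATH`, and nothing on the line says so; a comment such as `# /go is $HOME inside calico/go-build, so docker tooling reads /go/.docker/config.json` keeps the coupling visible. That `docker run` still executes as root with the Hub credentials mounted, as the removed line did, so no privilege is gained or lost by the path change alone.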
@@ -185,19 +185,6 @@ ifneq ($(OS),Windows_NT) DATE:=$(shell date -u +'%FT%T%z') endif -# Figure out the users UID/GID. These are needed to run docker containers -# as the current user and ensure that files built inside containers are -# owned by the current user. -ifneq ($(OS),Windows_NT) -LOCAL_USER_ID:=$(shell id -u) -LOCAL_GROUP_ID:=$(shell id -g) -endif - -ifeq ("$(LOCAL_USER_ID)", "0") -# The build needs to run as root. -EXTRA_DOCKER_ARGS+=-e RUN_AS_ROOT='true' -endif - # Allow the ssh auth sock to be mapped into the build container. ifdef SSH_AUTH_SOCK EXTRA_DOCKER_ARGS += -v $(SSH_AUTH_SOCK):/ssh-agent --env SSH_AUTH_SOCK=/ssh-agent @@ -231,10 +218,10 @@ endif DOCKER_RUN := mkdir -p .go-pkg-cache bin $(GOMOD_CACHE) && \ docker run --rm \ - --net=host \ --init \ + --net=host \ + --user=$(shell id -u):$(shell id -g) \ $(EXTRA_DOCKER_ARGS) \ - -e LOCAL_USER_ID=$(LOCAL_USER_ID) \ -e GOCACHE=/go-cache \ $(GOARCH_FLAGS) \ -e GOPATH=/go \ @@ -247,10 +234,10 @@ DOCKER_RUN := mkdir -p .go-pkg-cache bin $(GOMOD_CACHE) && \ DOCKER_RUN_RO := mkdir -p .go-pkg-cache bin $(GOMOD_CACHE) && \ docker run --rm \ - --net=host \ --init \ + --net=host \ + --user=$(shell id -u):$(shell id -g) \ $(EXTRA_DOCKER_ARGS) \ - -e LOCAL_USER_ID=$(LOCAL_USER_ID) \ -e GOCACHE=/go-cache \ $(GOARCH_FLAGS) \ -e GOPATH=/go \ 
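Review bot: `--user=$(shell id -u):$(shell id -g)` in `DOCKER_RUN` (and identically in `DOCKER_RUN_RO` below it) now starts the build container as a uid with no `/etc/passwd` entry inside the image, because the `useradd` that `entrypoint.sh` used to perform is removed in this patch; the OpenSSH client refuses to run for such a uid (`No user exists for uid N`), so the `SSH_AUTH_SOCK` forwarding kept in the `@@ -185` hunk will not help `go mod download` of ssh-hosted private modules. `ENV HOME $GOPATH` in the Dockerfiles covers Go and git, but not ssh. Either create a fixed-uid user in the image and document that host uids are mapped onto it, or bind-mount a generated passwd line, e.g. `-v $(CURDIR)/.passwd:/etc/passwd:ro` with the file containing `user:x:$(shell id -u):$(shell id -g)::/go:/bin/bash`. This is inferred from the removed entrypoint rather than from a failing build, so please verify against a private-module fetch before merging.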
@@ -417,15 +404,15 @@ git-commit: # different implementation. ############################################################################### -CRANE_CMD = docker run -t --entrypoint /bin/sh -v $(DOCKER_CONFIG):/root/.docker/config.json $(CALICO_BUILD) -c \ +CRANE_CMD = docker run -t --entrypoint /bin/sh -v $(DOCKER_CONFIG):/go/.docker/config.json $(CALICO_BUILD) -c \ $(double_quote)crane GIT_CMD = git DOCKER_CMD = docker MANIFEST_TOOL_EXTRA_DOCKER_ARGS ?= # note that when using the MANIFEST_TOOL command you need to close the command with $(double_quote). -MANIFEST_TOOL_CMD = docker run -t --entrypoint /bin/sh -v $(DOCKER_CONFIG):/root/.docker/config.json $(MANIFEST_TOOL_EXTRA_DOCKER_ARGS) $(CALICO_BUILD) -c \ - $(double_quote)/usr/bin/manifest-tool +MANIFEST_TOOL_CMD = docker run -t --entrypoint /bin/sh -v $(DOCKER_CONFIG):/go/.docker/config.json $(MANIFEST_TOOL_EXTRA_DOCKER_ARGS) $(CALICO_BUILD) -c \ + $(double_quote)manifest-tool ifdef CONFIRM CRANE = $(CRANE_CMD) diff --git a/README.md b/README.md index b13ce750..f038cd78 100644 --- a/README.md +++ b/README.md 
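Review bot: `CRANE_CMD` now bind-mounts the registry credentials at `/go/.docker/config.json`, which only works because the image sets `HOME=/go`, and the mount is read-write, so anything run inside `$(CALICO_BUILD)` can rewrite the host's `config.json`. Decouple it from the image's HOME and make it read-only: `-e DOCKER_CONFIG=/docker-config -v $(DOCKER_CONFIG):/docker-config/config.json:ro`; crane loads credentials through the Docker CLI config code, which honours `DOCKER_CONFIG` (confirm for the pinned `CONTAINERREGISTRY_VERSION`). The same applies to `MANIFEST_TOOL_CMD` in this hunk, although that variable is removed later in this series.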
@@ -1,47 +1,51 @@ [![Build Status](https://semaphoreci.com/api/v1/calico/go-build/branches/master/badge.svg)](https://semaphoreci.com/calico/go-build) # Calico go-build -Base image for doing golang builds for the various [project calico](https://projectcalico.org) builds. +Base image for doing golang builds for the various [project calico](https://projectcalico.org) builds. ## Building the image + To build the image: -``` +```bash make image ``` The above will build for whatever architecture you are running on. To force a different architecture: -``` +```bash ARCH= make image ``` ## Tagging + The image is tagged the version, e.g. `v0.9` or `latest`. In addition, the given architecture is appended to the end. Thus, for example, the latest version on `amd64` will be `calico/go-build:latest-amd64`. -The above tagging scheme keeps everything in a single image repository `calico/go-build` and prepares for using milti-architecture image manifests. +The above tagging scheme keeps everything in a single image repository `calico/go-build` and prepares for using multi-architecture image manifests. As of this writing, the only way to create such manifests is using the [manifest-tool](https://github.com/estesp/manifest-tool), which involves multiple steps. This can be incorporated into the build process, or we can wait until `docker manifest` is rolled into the docker CLI, see [this PR](https://github.com/docker/cli/pull/138). Until such time as the `docker manifest` is ready, or we decide to use `manifest-tool`, the default image name will point to `amd64`. Thus, `calico/go-build:latest` refers to `calico/go-build:latest-amd64`. -## Cross building using go-build: +## Cross building using go-build + Any supported platform can be built natively from its own platform, i.e.g `amd64` from `amd64`, `arm64` from `arm64` and `ppc64le` from `ppc64le`. In addition, `ppc64le` and `arm64` are supported for cross-building from `amd64` only. 
We do not (yet) support cross-building from `arm64` and `ppc64le`. -The cross-build itself will function normally on any platform, since golang supports cross-compiling using `GOARCH= go build `. +The cross-build itself will function normally on any platform, since golang supports cross-compiling using `GOARCH= go build`. -``` +```bash docker run -e GOARCH= calico/go-build:latest-amd64 sh -c 'go build hello.go || ./hello' ``` The above will output a binary `hello` built for the architecture ``. -## Cross-runnning Binaries binfmt +## Cross-running Binaries binfmt + The Linux kernel has the ability to run binaries built for one arch on another, e.g. `arm64` binaries on an `amd64` architecture. Support requires two things: -1. Registering an interpeter that can run the binary for the other architecture along with configuration information on how to identify which binaries are for which platform and which emulator will handle them. +1. Registering an interpreter that can run the binary for the other architecture along with configuration information on how to identify which binaries are for which platform and which emulator will handle them. 2. Making the interpreter binary available. The interpreter must exist in one of two places: @@ -53,19 +57,20 @@ For example, if you registered the `s390x` emulator at `/usr/bin/qemu-s390x-stat To register emulators, we run: -``` +```bash docker run -it --rm --privileged multiarch/qemu-user-static:register ``` or simply -``` +```bash make register ``` After the above registration, your system can handle other-architecture binaries. The above registration uses the first method, since _all_ kernels that support `binfmt` support this method, while only kernels from version 4.8+ support the latter. While docker-for-mac and docker-for-windows both use supporting kernels, almost every CI-as-a-service does not. ## Using binfmt in other Calico projects + To use `binfmt` in other projects: 1. Ensure you have run registration as above. 
@@ -87,34 +92,34 @@ RUN apk --update add curl ``` ## Running a Binary -To *run* a binary from a different architecture, you need to use `binfmt` and `qemu` static. + +To _run_ a binary from a different architecture, you need to use `binfmt` and `qemu` static. Register `qemu-*-static` for all supported processors except the current one using the following command: -``` +```bash docker run --rm --privileged multiarch/qemu-user-static:register ``` - If a cross built binary is executed in the go-build container qemu-static will automatically be used. - ### Testing Cross-Run + There is a `Makefile` target that cross-builds and runs a binary. To run it on your own architecture: -``` +```bash make testcompile ``` or -``` +```bash make testcompile ARCH=$(uname -m) ``` To test on a different architecture, for example `arm64` when you are running on `amd64`, pass it an alternate architecture: -``` +```bash make testcompile ARCH=arm64 ``` diff --git a/entrypoint.sh b/entrypoint.sh deleted file mode 100755 index 1d67c1b9..00000000 --- a/entrypoint.sh +++ /dev/null 
@@ -1,36 +0,0 @@ -#!/bin/bash - -# Add local user -# Either use the LOCAL_USER_ID if passed in at runtime or -# fallback - -USER_ID=${LOCAL_USER_ID:-9001} - -if [ "${RUN_AS_ROOT}" = "true" ]; then - exec "$@" -fi - -echo "Starting with UID : $USER_ID" 1>&2 -# Do not create mail box. -/bin/sed -i 's/^CREATE_MAIL_SPOOL=yes/CREATE_MAIL_SPOOL=no/' /etc/default/useradd -# Don't pass "-m" to useradd if the home directory already exists (which can occur if it was volume mounted in) otherwise it will fail. -if [[ ! -d "/home/user" ]]; then - /usr/sbin/useradd -m -U -s /bin/bash -u $USER_ID user -else - /usr/sbin/useradd -U -s /bin/bash -u $USER_ID user -fi - -export HOME=/home/user - -if [ -n "$EXTRA_GROUP_ID" ]; then - echo "Adding user to additional GID : $EXTRA_GROUP_ID" 1>&2 - # Adding the group can fail if it already exists. - if addgroup --gid $EXTRA_GROUP_ID group; then - adduser user group - else - echo "Adding user to existing group instead" 1>&2 - adduser user `getent group $EXTRA_GROUP_ID | cut -d: -f1` - fi -fi - -exec /sbin/su-exec user "$@" diff --git a/rockylinux/Rocky-BaseOS.repo b/rockylinux/Rocky-BaseOS.repo new file mode 100644 index 00000000..8612021c --- /dev/null +++ b/rockylinux/Rocky-BaseOS.repo @@ -0,0 +1,18 @@ +# Rocky-BaseOS.repo +# +# The mirrorlist system uses the connecting IP address of the client and the +# update status of each mirror to pick current mirrors that are geographically +# close to the client. You should use this for Rocky updates unless you are +# manually picking other mirrors. +# +# If the mirrorlist does not work for you, you can try the commented out +# baseurl line instead. + +[baseos] +name=Rocky Linux $releasever - BaseOS +mirrorlist=https://mirrors.rockylinux.org/mirrorlist?arch=$basearch&repo=BaseOS-$releasever +#baseurl=http://dl.rockylinux.org/$contentdir/$releasever/BaseOS/$basearch/os/ +gpgcheck=0 +enabled=1 +countme=1 +#gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-rockyofficial 
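Review bot: `gpgcheck=0` with `gpgkey` commented out in the new `Rocky-BaseOS.repo` means every package the Dockerfiles pull through `dnf --enablerepo=baseos` from the Rocky mirror network is installed without signature verification, and with `enabled=1` this repository also takes part in every later `dnf install` on the UBI base, not only the explicit `--enablerepo` call. Ship the Rocky signing key next to the repo file (e.g. `COPY rockylinux/RPM-GPG-KEY-rockyofficial /etc/pki/rpm-gpg/` in the Dockerfiles) and set `gpgcheck=1` with `gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-rockyofficial` uncommented. Set `enabled=0` here as `Rocky-PowerTools.repo` does, so the Dockerfile's `--enablerepo=baseos` is the only thing that turns it on and UBI packages are not silently replaced by Rocky builds. The commented `baseurl` fallback is plain `http://`; if it is ever uncommented it should be `https://` too.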
diff --git a/rockylinux/Rocky-PowerTools.repo b/rockylinux/Rocky-PowerTools.repo new file mode 100644 index 00000000..0ad6aef1 --- /dev/null +++ b/rockylinux/Rocky-PowerTools.repo @@ -0,0 +1,18 @@ +# Rocky-PowerTools.repo +# +# The mirrorlist system uses the connecting IP address of the client and the +# update status of each mirror to pick current mirrors that are geographically +# close to the client. You should use this for Rocky updates unless you are +# manually picking other mirrors. +# +# If the mirrorlist does not work for you, you can try the commented out +# baseurl line instead. + +[powertools] +name=Rocky Linux $releasever - PowerTools +mirrorlist=https://mirrors.rockylinux.org/mirrorlist?arch=$basearch&repo=PowerTools-$releasever +#baseurl=http://dl.rockylinux.org/$contentdir/$releasever/PowerTools/$basearch/os/ +gpgcheck=0 +enabled=0 +countme=1 +#gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-rockyofficial From 48438c578df8769454dc9e3b954a1417edf8bc81 Mon Sep 17 00:00:00 2001 From: Jiawei Huang Date: Fri, 13 Oct 2023 11:52:10 -0700 Subject: [PATCH 02/20] Make arm64 go-build feature parity with amd64 --- .gitignore | 1 + Dockerfile.amd64 | 12 ++--- Dockerfile.arm64 | 129 +++++++++++++++++++++++++++++---------------- Dockerfile.armv7 | 16 +----- Dockerfile.ppc64le | 16 +----- Dockerfile.s390x | 16 +----- Makefile | 16 +++--- 7 files changed, 105 insertions(+), 101 deletions(-) diff --git a/.gitignore b/.gitignore index 450c3260..96012bd8 100644 --- a/.gitignore +++ b/.gitignore @@ -1,3 +1,4 @@ .idea .vscode/ hello-* +qemu-*-static diff --git a/Dockerfile.amd64 b/Dockerfile.amd64 index 544da39c..dc94cf5e 100644 --- a/Dockerfile.amd64 +++ b/Dockerfile.amd64 @@ -2,8 +2,6 @@ FROM calico/bpftool:v5.3-amd64 as bpftool FROM registry.access.redhat.com/ubi8/ubi:latest -LABEL maintainer="Shaun Crampton " - ARG GOLANG_VERSION=1.21.3 ARG GOLANG_SHA256=1241381b2843fae5a9707eec1f8fb2ef94d827990582c7c7c32f5bdfbfd420c8 
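Review bot: `gpgcheck=0` in `Rocky-PowerTools.repo` disables signature verification for whatever the Dockerfiles install while this repo is enabled (`elfutils-libelf-devel`, `iproute-devel`, `libbpf-devel`, `lmdb-devel`), the same gap as in `Rocky-BaseOS.repo`; once the Rocky key is copied into `/etc/pki/rpm-gpg/` this should become `gpgcheck=1` with the `gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-rockyofficial` line uncommented. `enabled=0` here combined with the Dockerfile's explicit `--enablerepo=powertools` is the right pattern; the BaseOS file should follow it.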
@@ -13,11 +11,13 @@ ARG K8S_VERSION=v1.27.6 ARG MANIFEST_TOOL_VERSION=v1.0.3 ARG MOCKERY_VERSION=2.35.3 ARG MODSEC_VERSION=v3.0.10 -ARG QEMU_ARCHS="arm aarch64 ppc64le s390x" -ARG QEMU_VERSION=7.2.0-1 ENV PATH /usr/local/go/bin:$PATH +# Enable non-native runs on amd64 architecture hosts +# Supported qemu-user-static arch files are copied in Makefile `download-qemu` target +COPY qemu-*-static /usr/bin + # Install system dependencies RUN dnf upgrade -y && dnf install -y \ autoconf \ @@ -132,10 +132,6 @@ ENV HOME $GOPATH # Disable ssh host key checking RUN echo $'Host *\n StrictHostKeyChecking no' >> /etc/ssh/ssh_config.d/10-stricthostkey.conf -# Enable non-native runs on amd64 architecture hosts -RUN for i in ${QEMU_ARCHS}; \ - do curl -sfL https://github.com/multiarch/qemu-user-static/releases/download/v${QEMU_VERSION}/qemu-${i}-static.tar.gz | tar xz -C /usr/bin; done - # Add bpftool for Felix UT/FV. COPY --from=bpftool /bpftool /usr/local/bin diff --git a/Dockerfile.arm64 b/Dockerfile.arm64 index 6a70489e..3222de6c 100644 --- a/Dockerfile.arm64 +++ b/Dockerfile.arm64 
@@ -1,57 +1,85 @@ FROM calico/bpftool:v5.3-arm64 as bpftool -FROM debian:bullseye as qemu +FROM registry.access.redhat.com/ubi8/ubi:latest -ARG QEMU_VERSION=7.2.0-1 +ARG GOLANG_VERSION=1.21.3 +ARG GOLANG_SHA256=fc90fa48ae97ba6368eecb914343590bbb61b388089510d0c56c2dde52987ef3 -RUN apt update && apt install -y curl - -# Enable non-native runs on amd64 architecture hosts -RUN curl -sfL https://github.com/multiarch/qemu-user-static/releases/download/v${QEMU_VERSION}/qemu-aarch64-static.tar.gz | tar xz -C /usr/bin - -FROM arm64v8/golang:1.21.4-bullseye - -LABEL maintainer="Reza Ramezanpour " - -ARG CONTAINERREGISTRY_VERSION=v0.16.1 ARG GO_LINT_VERSION=v1.54.2 ARG K8S_VERSION=v1.27.6 -ARG LLVM_VERSION=15 ARG MANIFEST_TOOL_VERSION=v1.0.3 ARG MOCKERY_VERSION=2.35.3 +ARG MODSEC_VERSION=v3.0.10 + +ENV PATH /usr/local/go/bin:$PATH # Enable non-native builds of this image on an amd64 hosts. -# This must be the first RUN command in this file! -COPY --from=qemu /usr/bin/qemu-*-static /usr/bin/ - -# Install bash for the entry script (and because it's generally useful) -# Install curl -# Install git for fetching Go dependencies -# Install ssh for fetching Go dependencies -# Install wget since it's useful for fetching -# Install make for building things -# Install util-linux for column command (used for output formatting). -# Install grep, sed, zip, and jq for use in some Makefiles -# Install gcc for cgo. -# Install lsb-release software-properties-common for llvm upgrade script -# Install clang, libbpf and newer kernel headers for building BPF binaries. 
-RUN apt-get update && apt-get -y upgrade && \ - apt-get install --no-install-recommends -y \ - libbpf-dev linux-headers-arm64 \ - curl git openssh-client make wget util-linux file grep sed jq zip \ - lsb-release software-properties-common binutils inetutils-ping iproute2 \ - ca-certificates gcc libc-dev bsdmainutils strace libpcap-dev - -RUN curl -sfL https://apt.llvm.org/llvm.sh | bash -s -- ${LLVM_VERSION} && \ - apt-get install clang-${LLVM_VERSION} - -RUN apt-get autoclean && apt-get clean +COPY qemu-aarch64-static /usr/bin/ + +# Install system dependencies +RUN dnf upgrade -y && dnf install -y \ + autoconf \ + automake \ + clang \ + gcc \ + gcc-c++ \ + git \ + glibc-static \ + iputils \ + jq \ + libcurl-devel \ + libpcap-devel \ + libtool \ + libxml2-devel \ + llvm \ + make \ + openssh-clients \ + pcre-devel \ + pkg-config \ + wget \ + yajl \ + zip + +COPY rockylinux/Rocky*.repo /etc/yum.repos.d/ +RUN dnf --enablerepo=baseos --enablerepo=powertools install -y \ + elfutils-libelf-devel \ + iproute-devel \ + libbpf-devel \ + lmdb-devel + +RUN dnf clean all + +# Install Go official release +RUN set -eux; \ + wget -O go.tgz.asc https://dl.google.com/go/go${GOLANG_VERSION}.linux-arm64.tar.gz.asc; \ + wget -O go.tgz https://dl.google.com/go/go${GOLANG_VERSION}.linux-arm64.tar.gz --progress=dot:giga; \ + echo "${GOLANG_SHA256} *go.tgz" | sha256sum -c -; \ + \ + # https://github.com/golang/go/issues/14739#issuecomment-324767697 + GNUPGHOME="$(mktemp -d)"; export GNUPGHOME; \ + # https://www.google.com/linuxrepositories/ + gpg --batch --keyserver keyserver.ubuntu.com --recv-keys 'EB4C 1BFD 4F04 2F6D DDCC EC91 7721 F63B D38B 4796'; \ + # let's also fetch the specific subkey of that key explicitly that we expect "go.tgz.asc" to be signed by, just to make sure we definitely have it + gpg --batch --keyserver keyserver.ubuntu.com --recv-keys '2F52 8D36 D67B 69ED F998 D857 78BD 6547 3CB3 BD13'; \ + gpg --batch --verify go.tgz.asc go.tgz; \ + gpgconf --kill all; \ + rm -rf 
"$GNUPGHOME" go.tgz.asc; \ + \ + tar -C /usr/local -xzf go.tgz; \ + rm -f go.tgz*; \ + \ + go version + +# don't auto-upgrade the gotoolchain +# https://github.com/docker-library/golang/issues/472 +ENV GOTOOLCHAIN=local + +ENV GOPATH /go +ENV PATH $GOPATH/bin:$PATH +RUN mkdir -p "$GOPATH/src" "$GOPATH/bin" && chmod -R 1777 "$GOPATH" # Install Go utilities -# crane is needed for our release targets to copy images from the dev registries to the release registries. -RUN curl -sfL https://github.com/google/go-containerregistry/releases/download/${CONTAINERREGISTRY_VERSION}/go-containerregistry_Linux_arm64.tar.gz | tar xz -C /usr/local/bin crane - RUN curl -sfL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh | sh -s -- -b /usr/local/bin $GO_LINT_VERSION # Install necessary Kubernetes binaries used in tests. @@ -66,8 +94,7 @@ RUN curl -sfL https://github.com/estesp/manifest-tool/releases/download/${MANIFE # Install go programs that we rely on # Install ginkgo v2 as ginkgo2 and keep ginkgo v1 as ginkgo -RUN \ - go install github.com/onsi/ginkgo/v2/ginkgo@v2.13.0 && mv /go/bin/ginkgo /go/bin/ginkgo2 && \ +RUN go install github.com/onsi/ginkgo/v2/ginkgo@v2.13.0 && mv /go/bin/ginkgo /go/bin/ginkgo2 && \ go install github.com/onsi/ginkgo/ginkgo@v1.16.5 && \ go install github.com/jstemmer/go-junit-report@v1.0.0 && \ go install github.com/mikefarah/yq/v3@3.4.1 && \ 
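Review bot: The new `FROM registry.access.redhat.com/ubi8/ubi:latest` followed by `dnf upgrade -y` leaves the arm64 base unpinned, while the Go tarball a few lines below is pinned by `GOLANG_SHA256` and GPG-verified; pin the base to a minor-version tag or a digest so a rebuild of the same commit yields the same OS layer, and let `--pull` in the Makefile handle refreshes. The added `chmod -R 1777 "$GOPATH"` sets a sticky bit that the later `RUN chmod -R 777 $GOPATH` in this file strips again; keep only one of them, preferably the `1777` form so `/go/bin` tools cannot be deleted by other uids. The `-` lines drop the crane install from arm64 although the commit title claims parity with amd64, which still declares `CONTAINERREGISTRY_VERSION`; if `CRANE_CMD` is ever run in an arm64 build image it will fail, so either keep crane here or state that crane is amd64-only. Separately, the golangci-lint installer is still fetched from the `master` branch and piped to `sh`; `https://raw.githubusercontent.com/golangci/golangci-lint/${GO_LINT_VERSION}/install.sh` pins the script to the same release as the binary. Patch 03 in this series also shows, as context in this file, a mockery download of the `Linux_x86_64` tarball, which cannot run in an arm64 image.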
@@ -77,7 +104,12 @@ RUN \ go install golang.org/x/tools/cmd/goimports@v0.14.0 && \ go install golang.org/x/tools/cmd/stringer@v0.14.0 && \ go install gotest.tools/gotestsum@latest && \ + go install k8s.io/code-generator/cmd/client-gen@v0.27.6 && \ + go install k8s.io/code-generator/cmd/conversion-gen@v0.27.6 && \ go install k8s.io/code-generator/cmd/deepcopy-gen@v0.27.6 && \ + go install k8s.io/code-generator/cmd/defaulter-gen@v0.27.6 && \ + go install k8s.io/code-generator/cmd/informer-gen@v0.27.6 && \ + go install k8s.io/code-generator/cmd/lister-gen@v0.27.6 && \ go install k8s.io/code-generator/cmd/openapi-gen@v0.27.6 && \ go clean -modcache && go clean -cache @@ -86,8 +118,15 @@ RUN chmod -R 777 $GOPATH ENV HOME $GOPATH # Disable ssh host key checking -RUN echo 'Host *' >> /etc/ssh/ssh_config \ - && echo ' StrictHostKeyChecking no' >> /etc/ssh/ssh_config +RUN echo $'Host *\n StrictHostKeyChecking no' >> /etc/ssh/ssh_config.d/10-stricthostkey.conf # Add bpftool for Felix UT/FV. COPY --from=bpftool /bpftool /usr/local/bin + +# Build ModSecurity for Dikastes. +RUN git clone -b ${MODSEC_VERSION} --depth 1 --recurse-submodules --shallow-submodules https://github.com/SpiderLabs/ModSecurity.git /build && \ + cd /build && ./build.sh && ./configure && \ + make && make install && \ + rm -fr /build + +WORKDIR $GOPATH diff --git a/Dockerfile.armv7 b/Dockerfile.armv7 index d66e8c19..47090718 100644 --- a/Dockerfile.armv7 +++ b/Dockerfile.armv7 
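Review bot: The new `StrictHostKeyChecking no` drop-in turns off host-key verification for every host, so an attacker on the network path to a git-over-ssh module host can serve arbitrary source into the build; `StrictHostKeyChecking accept-new` keeps the no-prompt first-contact behaviour but still fails closed when a known host's key changes (available since OpenSSH 7.6, which UBI 8's `openssh-clients` should satisfy — please confirm). The drop-in only takes effect if the stock `/etc/ssh/ssh_config` contains `Include /etc/ssh/ssh_config.d/*.conf`, which is worth a comment on the `RUN` line since the amd64 file relies on the same assumption. The ModSecurity step pins a tag via `-b ${MODSEC_VERSION}`, and tags can be force-moved upstream; recording the expected commit in an ARG and checking `git rev-parse HEAD` against it after the clone would close that gap.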
@@ -1,23 +1,11 @@ -FROM alpine:3.17 as qemu - -ARG QEMU_VERSION=7.2.0-1 - -RUN apk --update add curl - -# Enable non-native runs on amd64 architecture hosts -RUN curl -sfL https://github.com/multiarch/qemu-user-static/releases/download/v${QEMU_VERSION}/qemu-arm-static.tar.gz | tar xz -C /usr/bin - -FROM arm32v7/golang:1.21.4-alpine3.18 - -LABEL maintainer="Marc Crebassa " +FROM arm32v7/golang:1.21.3-alpine3.18 ARG GO_LINT_VERSION=v1.54.2 ARG K8S_VERSION=v1.27.6 ARG MANIFEST_TOOL_VERSION=v1.0.3 # Enable non-native builds of this image on an amd64 hosts. -# This must be the first RUN command in this file! -COPY --from=qemu /usr/bin/qemu-*-static /usr/bin/ +COPY qemu-arm-static /usr/bin/ # Install bash for the entry script (and because it's generally useful) # Install curl diff --git a/Dockerfile.ppc64le b/Dockerfile.ppc64le index 770367fc..002ab618 100644 --- a/Dockerfile.ppc64le +++ b/Dockerfile.ppc64le @@ -1,23 +1,11 @@ -FROM alpine:3.17 as qemu - -ARG QEMU_VERSION=7.2.0-1 - -RUN apk --update add curl - -# Enable non-native runs on amd64 architecture hosts -RUN curl -sfL https://github.com/multiarch/qemu-user-static/releases/download/v${QEMU_VERSION}/qemu-ppc64le-static.tar.gz | tar xz -C /usr/bin - -FROM ppc64le/golang:1.21.4-alpine3.18 - -LABEL maintainer="David Wilder " +FROM ppc64le/golang:1.21.3-alpine3.18 ARG GO_LINT_VERSION=v1.54.2 ARG K8S_VERSION=v1.27.6 ARG MANIFEST_TOOL_VERSION=v1.0.3 # Enable non-native builds of this image on an amd64 hosts. -# This must be the first RUN command in this file! -COPY --from=qemu /usr/bin/qemu-*-static /usr/bin/ +COPY qemu-ppc64le-static /usr/bin/ # Install bash for the entry script (and because it's generally useful) # Install curl diff --git a/Dockerfile.s390x b/Dockerfile.s390x index f360c365..00172afe 100644 --- a/Dockerfile.s390x +++ b/Dockerfile.s390x 
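Review bot: The `FROM` line moves ppc64le from `golang:1.21.4-alpine3.18` down to `golang:1.21.3-alpine3.18`, and the armv7 hunk above and the s390x hunk in the next file do the same; Go patch releases routinely carry security fixes, so a downgrade should not ride along with a refactor unless the commit message explains it. Whatever version is chosen, the `GOLANG_VERSION`/`GOLANG_SHA256` pair used by the amd64 and arm64 files must be bumped in lockstep. A single top-level Go version fed to every Dockerfile (as a build-arg declared before `FROM`) would stop the five files drifting apart again.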
@@ -1,23 +1,11 @@ -FROM alpine:3.17 as qemu - -ARG QEMU_VERSION=7.2.0-1 - -RUN apk --update add curl - -# Enable non-native runs on amd64 architecture hosts -RUN curl -sfL https://github.com/multiarch/qemu-user-static/releases/download/v${QEMU_VERSION}/qemu-s390x-static.tar.gz | tar xz -C /usr/bin - -FROM s390x/golang:1.21.4-alpine3.18 - -LABEL maintainer="LoZ Open SourceEcosystem (https://www.ibm.com/developerworks/community/groups/community/lozopensource)" +FROM s390x/golang:1.21.3-alpine3.18 ARG GO_LINT_VERSION=v1.54.2 ARG K8S_VERSION=v1.27.6 ARG MANIFEST_TOOL_VERSION=v1.0.3 # Enable non-native builds of this image on an amd64 hosts. -# This must be the first RUN command in this file! -COPY --from=qemu /usr/bin/qemu-*-static /usr/bin/ +COPY qemu-s390x-static /usr/bin/ # Install bash for the entry script (and because it's generally useful) # Install curl diff --git a/Makefile b/Makefile index e5d2525c..071b2e64 100644 --- a/Makefile +++ b/Makefile 
@@ -63,18 +63,22 @@ DOCKER_BUILD_ARGS?= ifeq ($(DOCKER_EXPERIMENTAL),true) DOCKER_BUILD_ARGS+=--squash endif -ifneq ($(ARCH),amd64) -DOCKER_BUILD_ARGS+=--cpuset-cpus 0 -endif ############################################################################### # Building the image ############################################################################### +QEMU_VERSION=v7.2.0-1 + +.PHONY: download-qemu +download-qemu: + curl --remote-name-all -sfL https://github.com/multiarch/qemu-user-static/releases/download/${QEMU_VERSION}/qemu-{arm,aarch64,ppc64le,s390x}-static && \ + chmod 755 qemu-*-static + +.PHONY: image image: calico/go-build -calico/go-build: register +calico/go-build: register download-qemu # Make sure we re-pull the base image to pick up security fixes. - # Limit the build to use only one CPU, This helps to work around qemu bugs such as https://bugs.launchpad.net/qemu/+bug/1098729 - docker build $(DOCKER_BUILD_ARGS) --pull -t $(ARCHIMAGE) -f $(DOCKERFILE) . + docker build $(DOCKER_BUILD_ARGS) --platform=linux/${ARCH} --pull -t $(ARCHIMAGE) -f $(DOCKERFILE) . image-all: $(addprefix sub-image-,$(ARCHES)) sub-image-%: From 20eeeedd68f826da8a8742d685c3d334fb2e3e44 Mon Sep 17 00:00:00 2001 From: Jiawei Huang Date: Fri, 13 Oct 2023 13:59:16 -0700 Subject: [PATCH 03/20] Use docker manifest to replace manifest-tool --- Dockerfile.amd64 | 4 ---- Dockerfile.arm64 | 4 ---- Dockerfile.armv7 | 4 ---- Dockerfile.ppc64le | 4 ---- Dockerfile.s390x | 4 ---- Makefile | 18 +++++++----------- Makefile.common | 22 ---------------------- README.md | 4 ---- 8 files changed, 7 insertions(+), 57 deletions(-) diff --git a/Dockerfile.amd64 b/Dockerfile.amd64 index dc94cf5e..1e93d882 100644 --- a/Dockerfile.amd64 +++ b/Dockerfile.amd64 
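Review bot: The new `download-qemu` target fetches four emulator binaries from GitHub with no integrity check, and every Dockerfile then `COPY`s them into `/usr/bin` where binfmt executes them for each cross-arch binary run in the image; pinning `QEMU_VERSION` does not protect against a replaced release asset or a tampered download. Check in the expected digests and verify before `chmod`: `sha256sum -c qemu-user-static-${QEMU_VERSION}.sha256 && chmod 755 qemu-*-static` (capture the digests from the release once, then keep them fixed in the repo). The target has no file prerequisites, so `make image` re-downloads on every run; declaring the four files as targets would make it idempotent. Separately, `--platform=linux/${ARCH}` yields `linux/armv7` for the armv7 build, whereas the `prefix_linux` helper that patch 03 removes mapped `armv7` to `arm/v7`; that becomes moot once patch 05 drops armv7, but is worth noting if the variant ever returns.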
@@ -8,7 +8,6 @@ ARG GOLANG_SHA256=1241381b2843fae5a9707eec1f8fb2ef94d827990582c7c7c32f5bdfbfd420 ARG CONTAINERREGISTRY_VERSION=v0.16.1 ARG GO_LINT_VERSION=v1.54.2 ARG K8S_VERSION=v1.27.6 -ARG MANIFEST_TOOL_VERSION=v1.0.3 ARG MOCKERY_VERSION=2.35.3 ARG MODSEC_VERSION=v3.0.10 @@ -101,9 +100,6 @@ RUN wget https://dl.k8s.io/${K8S_VERSION}/bin/linux/amd64/kube-apiserver -O /usr RUN curl -sfL https://github.com/vektra/mockery/releases/download/v${MOCKERY_VERSION}/mockery_${MOCKERY_VERSION}_Linux_x86_64.tar.gz | tar xz -C /usr/local/bin --extract mockery -RUN curl -sfL https://github.com/estesp/manifest-tool/releases/download/${MANIFEST_TOOL_VERSION}/manifest-tool-linux-amd64 -o /usr/local/bin/manifest-tool && \ - chmod +x /usr/local/bin/manifest-tool - # Install go programs that we rely on # Install ginkgo v2 as ginkgo2 and keep ginkgo v1 as ginkgo RUN go install github.com/onsi/ginkgo/v2/ginkgo@v2.13.0 && mv /go/bin/ginkgo /go/bin/ginkgo2 && \ diff --git a/Dockerfile.arm64 b/Dockerfile.arm64 index 3222de6c..9ffd1219 100644 --- a/Dockerfile.arm64 +++ b/Dockerfile.arm64 @@ -7,7 +7,6 @@ ARG GOLANG_SHA256=fc90fa48ae97ba6368eecb914343590bbb61b388089510d0c56c2dde52987e ARG GO_LINT_VERSION=v1.54.2 ARG K8S_VERSION=v1.27.6 -ARG MANIFEST_TOOL_VERSION=v1.0.3 ARG MOCKERY_VERSION=2.35.3 ARG MODSEC_VERSION=v3.0.10 @@ -89,9 +88,6 @@ RUN wget https://dl.k8s.io/${K8S_VERSION}/bin/linux/arm64/kube-apiserver -O /usr RUN curl -sfL https://github.com/vektra/mockery/releases/download/v${MOCKERY_VERSION}/mockery_${MOCKERY_VERSION}_Linux_x86_64.tar.gz | tar xz -C /usr/local/bin --extract mockery -RUN curl -sfL https://github.com/estesp/manifest-tool/releases/download/${MANIFEST_TOOL_VERSION}/manifest-tool-linux-arm64 -o /usr/local/bin/manifest-tool && \ - chmod +x /usr/local/bin/manifest-tool - # Install go programs that we rely on # Install ginkgo v2 as ginkgo2 and keep ginkgo v1 as ginkgo RUN go install github.com/onsi/ginkgo/v2/ginkgo@v2.13.0 && mv /go/bin/ginkgo /go/bin/ginkgo2 && \ 
diff --git a/Dockerfile.armv7 b/Dockerfile.armv7 index 47090718..47740713 100644 --- a/Dockerfile.armv7 +++ b/Dockerfile.armv7 @@ -2,7 +2,6 @@ FROM arm32v7/golang:1.21.3-alpine3.18 ARG GO_LINT_VERSION=v1.54.2 ARG K8S_VERSION=v1.27.6 -ARG MANIFEST_TOOL_VERSION=v1.0.3 # Enable non-native builds of this image on an amd64 hosts. COPY qemu-arm-static /usr/bin/ @@ -29,9 +28,6 @@ RUN wget https://dl.k8s.io/${K8S_VERSION}/bin/linux/ppc64le/kube-apiserver -O /u wget https://dl.k8s.io/release/${K8S_VERSION}/bin/linux/ppc64le/kubectl -O /usr/local/bin/kubectl && chmod +x /usr/local/bin/kubectl && \ wget https://dl.k8s.io/${K8S_VERSION}/bin/linux/ppc64le/kube-controller-manager -O /usr/local/bin/kube-controller-manager && chmod +x /usr/local/bin/kube-controller-manager -RUN curl -sfL https://github.com/estesp/manifest-tool/releases/download/${MANIFEST_TOOL_VERSION}/manifest-tool-linux-armv7 -o /usr/local/bin/manifest-tool && \ - chmod +x /usr/local/bin/manifest-tool - # Install ginkgo CLI tool for running tests # Install ginkgo v2 as ginkgo2 and keep ginkgo v1 as ginkgo RUN go install github.com/onsi/ginkgo/v2/ginkgo@v2.13.0 && mv /go/bin/ginkgo /go/bin/ginkgo2 && \ diff --git a/Dockerfile.ppc64le b/Dockerfile.ppc64le index 002ab618..b7a697c9 100644 --- a/Dockerfile.ppc64le +++ b/Dockerfile.ppc64le @@ -2,7 +2,6 @@ FROM ppc64le/golang:1.21.3-alpine3.18 ARG GO_LINT_VERSION=v1.54.2 ARG K8S_VERSION=v1.27.6 -ARG MANIFEST_TOOL_VERSION=v1.0.3 # Enable non-native builds of this image on an amd64 hosts. COPY qemu-ppc64le-static /usr/bin/ 
@@ -29,9 +28,6 @@ RUN wget https://dl.k8s.io/${K8S_VERSION}/bin/linux/ppc64le/kube-apiserver -O /u wget https://dl.k8s.io/release/${K8S_VERSION}/bin/linux/ppc64le/kubectl -O /usr/local/bin/kubectl && chmod +x /usr/local/bin/kubectl && \ wget https://dl.k8s.io/${K8S_VERSION}/bin/linux/ppc64le/kube-controller-manager -O /usr/local/bin/kube-controller-manager && chmod +x /usr/local/bin/kube-controller-manager -RUN curl -sfL https://github.com/estesp/manifest-tool/releases/download/${MANIFEST_TOOL_VERSION}/manifest-tool-linux-ppc64le -o /usr/local/bin/manifest-tool && \ - chmod +x /usr/local/bin/manifest-tool - # Install ginkgo CLI tool for running tests # Install ginkgo v2 as ginkgo2 and keep ginkgo v1 as ginkgo RUN go install github.com/onsi/ginkgo/v2/ginkgo@v2.13.0 && mv /go/bin/ginkgo /go/bin/ginkgo2 && \ diff --git a/Dockerfile.s390x b/Dockerfile.s390x index 00172afe..62886262 100644 --- a/Dockerfile.s390x +++ b/Dockerfile.s390x @@ -2,7 +2,6 @@ FROM s390x/golang:1.21.3-alpine3.18 ARG GO_LINT_VERSION=v1.54.2 ARG K8S_VERSION=v1.27.6 -ARG MANIFEST_TOOL_VERSION=v1.0.3 # Enable non-native builds of this image on an amd64 hosts. COPY qemu-s390x-static /usr/bin/ @@ -29,9 +28,6 @@ RUN wget https://dl.k8s.io/${K8S_VERSION}/bin/linux/s390x/kube-apiserver -O /usr wget https://dl.k8s.io/release/${K8S_VERSION}/bin/linux/s390x/kubectl -O /usr/local/bin/kubectl && chmod +x /usr/local/bin/kubectl && \ wget https://dl.k8s.io/${K8S_VERSION}/bin/linux/s390x/kube-controller-manager -O /usr/local/bin/kube-controller-manager && chmod +x /usr/local/bin/kube-controller-manager -RUN curl -sfL https://github.com/estesp/manifest-tool/releases/download/${MANIFEST_TOOL_VERSION}/manifest-tool-linux-s390x -o /usr/local/bin/manifest-tool && \ - chmod +x /usr/local/bin/manifest-tool - # Install ginkgo CLI tool for running tests # Install ginkgo v2 as ginkgo2 and keep ginkgo v1 as ginkgo RUN go install github.com/onsi/ginkgo/v2/ginkgo@v2.13.0 && mv /go/bin/ginkgo /go/bin/ginkgo2 && \ 
diff --git a/Makefile b/Makefile index 071b2e64..33d58e71 100644 --- a/Makefile +++ b/Makefile @@ -47,16 +47,6 @@ DEFAULTIMAGE ?= calico/go-build:$(VERSION) ARCHIMAGE ?= $(DEFAULTIMAGE)-$(ARCH) BUILDIMAGE ?= $(DEFAULTIMAGE)-$(BUILDARCH) -MANIFEST_TOOL_VERSION := v1.0.2 -MANIFEST_TOOL_DIR := $(shell mktemp -d) -export PATH := $(MANIFEST_TOOL_DIR):$(PATH) - -space := -space += -comma := , -prefix_linux = $(addprefix linux/,$(strip $(subst armv,arm/v,$1))) -join_platforms = $(subst $(space),$(comma),$(call prefix_linux,$(strip $1))) - # Check if the docker daemon is running in experimental mode (to get the --squash flag) DOCKER_EXPERIMENTAL=$(shell docker version -f '{{ .Server.Experimental }}') DOCKER_BUILD_ARGS?= @@ -105,7 +95,13 @@ sub-push-%: push-manifest: # Docker login to hub.docker.com required before running this target as we are using $(HOME)/.docker/config.json holds the docker login credentials - docker run -t --entrypoint /bin/sh -v $(HOME)/.docker/config.json:/go/.docker/config.json $(ARCHIMAGE) -c "manifest-tool push from-args --platforms $(call join_platforms,$(ARCHES)) --template $(DEFAULTIMAGE)-ARCHVARIANT --target $(DEFAULTIMAGE)" + docker manifest create $(DEFAULTIMAGE) \ + --amend $(DEFAULTIMAGE)-amd64 \ + --amend $(DEFAULTIMAGE)-armv7 \ + --amend $(DEFAULTIMAGE)-arm64 \ + --amend $(DEFAULTIMAGE)-ppc64le \ + --amend $(DEFAULTIMAGE)-s390x + docker manifest push $(DEFAULTIMAGE) ############################################################################### # UTs diff --git a/Makefile.common b/Makefile.common index 22b2a5c5..32d40be9 100644 --- a/Makefile.common +++ b/Makefile.common 
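Review bot: The rewritten `push-manifest` hard-codes the five per-arch tags instead of deriving them from `$(ARCHES)`, so the list silently diverges from what `image-all` actually built; patch 05 in this series drops armv7, after which `--amend $(DEFAULTIMAGE)-armv7` points at an image that is never pushed. Generate it instead: `docker manifest create $(DEFAULTIMAGE) $(foreach arch,$(ARCHES),--amend $(DEFAULTIMAGE)-$(arch))`. The comment above the recipe still says the target mounts `$(HOME)/.docker/config.json` into a container, which is no longer true now that `docker manifest` runs on the host CLI; reword it to say a host-side `docker login` is required.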
@@ -409,21 +409,14 @@ CRANE_CMD = docker run -t --entrypoint /bin/sh -v $(DOCKER_CONFIG):/go/. GIT_CMD = git DOCKER_CMD = docker -MANIFEST_TOOL_EXTRA_DOCKER_ARGS ?= -# note that when using the MANIFEST_TOOL command you need to close the command with $(double_quote). -MANIFEST_TOOL_CMD = docker run -t --entrypoint /bin/sh -v $(DOCKER_CONFIG):/go/.docker/config.json $(MANIFEST_TOOL_EXTRA_DOCKER_ARGS) $(CALICO_BUILD) -c \ - $(double_quote)manifest-tool - ifdef CONFIRM CRANE = $(CRANE_CMD) GIT = $(GIT_CMD) DOCKER = $(DOCKER_CMD) -MANIFEST_TOOL = $(MANIFEST_TOOL_CMD) else CRANE = echo [DRY RUN] $(CRANE_CMD) GIT = echo [DRY RUN] $(GIT_CMD) DOCKER = echo [DRY RUN] $(DOCKER_CMD) -MANIFEST_TOOL = echo [DRY RUN] $(MANIFEST_TOOL_CMD) endif commit-and-push-pr: 
@@ -855,21 +848,6 @@ push-image-arch-to-registry-%: $(NOECHO) $(NOOP)\ ) -manifest-tool-generate-spec: var-require-all-BUILD_IMAGE-IMAGETAG-MANIFEST_TOOL_SPEC_TEMPLATE-OUTPUT_FILE - bash $(MANIFEST_TOOL_SPEC_TEMPLATE) $(OUTPUT_FILE) $(BUILD_IMAGE) $(IMAGETAG) - -## push multi-arch manifest where supported. If the MANIFEST_TOOL_SPEC_TEMPLATE variable is specified this will include -## the `from-spec` version of the tool. -push-manifests: var-require-all-IMAGETAG $(addprefix sub-manifest-,$(call escapefs,$(PUSH_MANIFEST_IMAGES))) -ifdef MANIFEST_TOOL_SPEC_TEMPLATE -sub-manifest-%: var-require-all-OUTPUT_DIR - $(MAKE) manifest-tool-generate-spec BUILD_IMAGE=$(call unescapefs,$*) OUTPUT_FILE=$(OUTPUT_DIR)$*.yaml - $(MANIFEST_TOOL) push from-spec $(OUTPUT_DIR)$*.yaml$(double_quote) -else -sub-manifest-%: - $(MANIFEST_TOOL) push from-args --platforms $(call join_platforms,$(VALIDARCHES)) --template $(call unescapefs,$*):$(IMAGETAG)-ARCHVARIANT --target $(call unescapefs,$*):$(IMAGETAG)$(double_quote) -endif - # cd-common tags and pushes images with the branch name and git version. This target uses PUSH_IMAGES, BUILD_IMAGE, # and BRANCH_NAME env variables to figure out what to tag and where to push it to. cd-common: var-require-one-of-CONFIRM-DRYRUN var-require-all-BRANCH_NAME diff --git a/README.md b/README.md index f038cd78..61570887 100644 --- a/README.md +++ b/README.md 
@@ -24,10 +24,6 @@ The image is tagged the version, e.g. `v0.9` or `latest`. In addition, the given The above tagging scheme keeps everything in a single image repository `calico/go-build` and prepares for using multi-architecture image manifests. -As of this writing, the only way to create such manifests is using the [manifest-tool](https://github.com/estesp/manifest-tool), which involves multiple steps. This can be incorporated into the build process, or we can wait until `docker manifest` is rolled into the docker CLI, see [this PR](https://github.com/docker/cli/pull/138). - -Until such time as the `docker manifest` is ready, or we decide to use `manifest-tool`, the default image name will point to `amd64`. Thus, `calico/go-build:latest` refers to `calico/go-build:latest-amd64`. - ## Cross building using go-build Any supported platform can be built natively from its own platform, i.e.g `amd64` from `amd64`, `arm64` from `arm64` and `ppc64le` from `ppc64le`. In addition, From 3f10dffef149e58bea2d0b4047f4ced64d1e74d2 Mon Sep 17 00:00:00 2001 From: Jiawei Huang Date: Fri, 13 Oct 2023 12:35:20 -0700 Subject: [PATCH 04/20] Bump semaphore build VM and time limit --- .semaphore/semaphore.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.semaphore/semaphore.yml b/.semaphore/semaphore.yml index 3ebc0f6e..895b3697 100644 --- a/.semaphore/semaphore.yml +++ b/.semaphore/semaphore.yml @@ -2,11 +2,11 @@ version: v1.0 name: go-build agent: machine: - type: e1-standard-2 - os_image: ubuntu1804 + type: e1-standard-4 + os_image: ubuntu2004 execution_time_limit: - minutes: 60 + minutes: 120 global_job_config: secrets: From bdf73ce058b8ea110c5d3dc752c0b1f9dfea3c08 Mon Sep 17 00:00:00 2001 
From: Jiawei Huang Date: Fri, 13 Oct 2023 17:12:44 -0700 Subject: [PATCH 05/20] Drop 32 bit linux/arm support k8s dropped 32 bit linux/arm support from v1.27+ [1]. [1] https://github.com/kubernetes/kubernetes/pull/115742 --- .semaphore/semaphore.yml | 2 +- Dockerfile.armv7 | 49 ---------------------------------------- Makefile | 13 +++-------- Makefile.common | 21 ----------------- 4 files changed, 4 insertions(+), 81 deletions(-) delete mode 100644 Dockerfile.armv7 diff --git a/.semaphore/semaphore.yml b/.semaphore/semaphore.yml index 895b3697..8f4d7c9e 100644 --- a/.semaphore/semaphore.yml +++ b/.semaphore/semaphore.yml @@ -46,7 +46,7 @@ blocks: - if [ "${TARGET_ARCH}" == "amd64" ]; then cd felix && make ut && cd ../calicoctl && make ut && cd ../libcalico-go && make ut; fi matrix: - env_var: TARGET_ARCH - values: ["amd64", "arm64","armv7", "ppc64le", "s390x"] + values: ["amd64", "arm64", "ppc64le", "s390x"] - name: "Push manifest" skip: diff --git a/Dockerfile.armv7 b/Dockerfile.armv7 deleted file mode 100644 index 47740713..00000000 --- a/Dockerfile.armv7 +++ /dev/null 
@@ -1,49 +0,0 @@ -FROM arm32v7/golang:1.21.3-alpine3.18 - -ARG GO_LINT_VERSION=v1.54.2 -ARG K8S_VERSION=v1.27.6 - -# Enable non-native builds of this image on an amd64 hosts. -COPY qemu-arm-static /usr/bin/ - -# Install bash for the entry script (and because it's generally useful) -# Install curl -# Install git for fetching Go dependencies -# Install ssh for fetching Go dependencies -# Install wget since it's useful for fetching -# Install make for building things -# Install util-linux for column command (used for output formatting). -# Install grep, sed, zip, and jq for use in some Makefiles -# Install shadow for useradd (it allows to use big UID) -RUN apk update && apk add --no-cache curl bash git openssh make wget util-linux tini file grep sed jq zip shadow libpcap-dev clang clang-dev linux-headers libbpf-dev musl-dev llvm -RUN apk upgrade --no-cache - -# Install Go utilities - -# Install linting tools -RUN curl -sfL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh | sh -s -- -b /usr/local/bin $GO_LINT_VERSION - -# Install necessary Kubernetes binaries used in tests. 
-RUN wget https://dl.k8s.io/${K8S_VERSION}/bin/linux/ppc64le/kube-apiserver -O /usr/local/bin/kube-apiserver && chmod +x /usr/local/bin/kube-apiserver && \ - wget https://dl.k8s.io/release/${K8S_VERSION}/bin/linux/ppc64le/kubectl -O /usr/local/bin/kubectl && chmod +x /usr/local/bin/kubectl && \ - wget https://dl.k8s.io/${K8S_VERSION}/bin/linux/ppc64le/kube-controller-manager -O /usr/local/bin/kube-controller-manager && chmod +x /usr/local/bin/kube-controller-manager - -# Install ginkgo CLI tool for running tests -# Install ginkgo v2 as ginkgo2 and keep ginkgo v1 as ginkgo -RUN go install github.com/onsi/ginkgo/v2/ginkgo@v2.13.0 && mv /go/bin/ginkgo /go/bin/ginkgo2 && \ - go install github.com/onsi/ginkgo/ginkgo@v1.16.5 && \ - go install github.com/mikefarah/yq/v3@3.4.1 && \ - go install github.com/pmezard/licenses@master && \ - go install github.com/swaggo/swag/cmd/swag@v1.16.2 && \ - go install github.com/wadey/gocovmerge@master && \ - go install k8s.io/code-generator/cmd/deepcopy-gen@v0.27.6 && \ - go install k8s.io/code-generator/cmd/openapi-gen@v0.27.6 && \ - go clean -modcache && go clean -cache - -# Ensure that everything under the GOPATH is writable by everyone -RUN chmod -R 777 $GOPATH -ENV HOME $GOPATH - -# Disable ssh host key checking -RUN echo 'Host *' >> /etc/ssh/ssh_config \ - && echo ' StrictHostKeyChecking no' >> /etc/ssh/ssh_config diff --git a/Makefile b/Makefile index 33d58e71..f4944e86 100644 --- a/Makefile +++ b/Makefile @@ -8,7 +8,7 @@ all: image-all # The target architecture is select by setting the ARCH variable. # When ARCH is undefined it is set to the detected host architecture. # When ARCH differs from the host architecture a crossbuild will be performed. -ARCHES = amd64 armv7 arm64 ppc64le s390x +ARCHES = amd64 arm64 ppc64le s390x # BUILDARCH is the host architecture # ARCH is the target architecture 
@@ -22,9 +22,6 @@ endif ifeq ($(BUILDARCH),x86_64) BUILDARCH=amd64 endif -ifeq ($(BUILDARCH),armv7l) - BUILDARCH=armv7 -endif # unless otherwise set, I am building for my own architecture, i.e. not cross-compiling ARCH ?= $(BUILDARCH) @@ -33,9 +30,6 @@ ARCH ?= $(BUILDARCH) ifeq ($(ARCH),aarch64) override ARCH=arm64 endif -ifeq ($(ARCH),armv7l) - override ARCH=armv7 -endif ifeq ($(ARCH),x86_64) override ARCH=amd64 endif @@ -61,14 +55,14 @@ QEMU_VERSION=v7.2.0-1 .PHONY: download-qemu download-qemu: - curl --remote-name-all -sfL https://github.com/multiarch/qemu-user-static/releases/download/${QEMU_VERSION}/qemu-{arm,aarch64,ppc64le,s390x}-static && \ + curl --remote-name-all -sfL https://github.com/multiarch/qemu-user-static/releases/download/${QEMU_VERSION}/qemu-{aarch64,ppc64le,s390x}-static && \ chmod 755 qemu-*-static .PHONY: image image: calico/go-build calico/go-build: register download-qemu # Make sure we re-pull the base image to pick up security fixes. - docker build $(DOCKER_BUILD_ARGS) --platform=linux/${ARCH} --pull -t $(ARCHIMAGE) -f $(DOCKERFILE) . + docker buildx build $(DOCKER_BUILD_ARGS) --platform=linux/${ARCH} --pull -t $(ARCHIMAGE) -f $(DOCKERFILE) . image-all: $(addprefix sub-image-,$(ARCHES)) sub-image-%: @@ -97,7 +91,6 @@ push-manifest: # Docker login to hub.docker.com required before running this target as we are using $(HOME)/.docker/config.json holds the docker login credentials docker manifest create $(DEFAULTIMAGE) \ --amend $(DEFAULTIMAGE)-amd64 \ - --amend $(DEFAULTIMAGE)-armv7 \ --amend $(DEFAULTIMAGE)-arm64 \ --amend $(DEFAULTIMAGE)-ppc64le \ --amend $(DEFAULTIMAGE)-s390x diff --git a/Makefile.common b/Makefile.common index 32d40be9..a1fa02bc 100644 --- a/Makefile.common +++ b/Makefile.common @@ -47,9 +47,6 @@ endif ifeq ($(BUILDARCH),x86_64) BUILDARCH=amd64 endif -ifeq ($(BUILDARCH),armv7l) - BUILDARCH=armv7 -endif # unless otherwise set, I am building for my own architecture, i.e. not cross-compiling ARCH ?= $(BUILDARCH) 
@@ -61,27 +58,12 @@ endif ifeq ($(ARCH),x86_64) override ARCH=amd64 endif -ifeq ($(ARCH),armv7l) - override ARCH=armv7 -endif -ifeq ($(ARCH),armhfv7) - override ARCH=armv7 -endif - -# If ARCH is arm based, find the requested version/variant -ifeq ($(word 1,$(subst v, ,$(ARCH))),arm) -ARM_VERSION := $(word 2,$(subst v, ,$(ARCH))) -endif LATEST_IMAGE_TAG?=latest # these macros create a list of valid architectures for pushing manifests -space := -space += comma := , double_quote := $(shell echo '"') -prefix_linux = $(addprefix linux/,$(strip $(subst armv,arm/v,$1))) -join_platforms = $(subst $(space),$(comma),$(call prefix_linux,$(strip $1))) ## Targets used when cross building. .PHONY: native register @@ -211,9 +193,6 @@ GIT_DESCRIPTION = $(shell git describe --tags --dirty --always --abbrev=12 || ec endif # Define go architecture flags to support arm variants GOARCH_FLAGS :=-e GOARCH=$(ARCH) -ifdef ARM_VERSION -GOARCH_FLAGS :=-e GOARCH=arm -e GOARM=$(ARM_VERSION) -endif DOCKER_RUN := mkdir -p .go-pkg-cache bin $(GOMOD_CACHE) && \ From 18e7ff3924bdc3241c9992922b16c0a3d80bebb9 Mon Sep 17 00:00:00 2001 From: Jiawei Huang Date: Fri, 13 Oct 2023 20:17:54 -0700 Subject: [PATCH 06/20] Retry curl download --- Makefile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Makefile b/Makefile index f4944e86..31286c58 100644 --- a/Makefile +++ b/Makefile @@ -55,7 +55,7 @@ QEMU_VERSION=v7.2.0-1 .PHONY: download-qemu download-qemu: - curl --remote-name-all -sfL https://github.com/multiarch/qemu-user-static/releases/download/${QEMU_VERSION}/qemu-{aarch64,ppc64le,s390x}-static && \ + curl --remote-name-all -sfL --retry 3 https://github.com/multiarch/qemu-user-static/releases/download/${QEMU_VERSION}/qemu-{aarch64,ppc64le,s390x}-static && \ chmod 755 qemu-*-static .PHONY: image From 4c43270fcbeafc52b97761141ffcaa418937e3fd Mon Sep 17 00:00:00 2001 
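Review bot: The rewritten `curl` line in `download-qemu` still fetches the `qemu-*-static` binaries with no integrity check, and the Dockerfile later does `COPY qemu-*-static /usr/bin`, so a tampered or truncated download that happens to succeed after a retry is accepted silently and becomes the emulator for every cross-arch build. `--retry 3` is a sensible addition; consider also keeping the expected digests for the pinned `QEMU_VERSION` in a small checksum file next to the Makefile (name and values to be filled in from the release you pin) and running `sha256sum -c` on it right after the `curl` and before the `chmod`. The same line is reworked once more in the later `$(QEMU_DOWNLOADED)` rule of this series, so the check belongs there in its final form.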
From: Jiawei Huang Date: Sat, 14 Oct 2023 13:55:13 -0700 Subject: [PATCH 07/20] Unify Dockerfile for all arches --- .gitignore | 3 +- Dockerfile.amd64 => Dockerfile | 96 ++++++++++++++++++------- Dockerfile.arm64 | 128 --------------------------------- Dockerfile.ppc64le | 49 ------------- Dockerfile.s390x | 49 ------------- Makefile | 22 ++++-- 6 files changed, 89 insertions(+), 258 deletions(-) rename Dockerfile.amd64 => Dockerfile (52%) delete mode 100644 Dockerfile.arm64 delete mode 100644 Dockerfile.ppc64le delete mode 100644 Dockerfile.s390x diff --git a/.gitignore b/.gitignore index 96012bd8..ce0c3ce5 100644 --- a/.gitignore +++ b/.gitignore @@ -1,4 +1,3 @@ -.idea -.vscode/ +.qemu.downloaded hello-* qemu-*-static diff --git a/Dockerfile.amd64 b/Dockerfile similarity index 52% rename from Dockerfile.amd64 rename to Dockerfile index 1e93d882..68c7ef64 100644 --- a/Dockerfile.amd64 +++ b/Dockerfile @@ -1,11 +1,12 @@ -FROM calico/bpftool:v5.3-amd64 as bpftool +ARG TARGETARCH=${TARGETARCH} +FROM calico/bpftool:v5.3-${TARGETARCH} as bpftool FROM registry.access.redhat.com/ubi8/ubi:latest -ARG GOLANG_VERSION=1.21.3 -ARG GOLANG_SHA256=1241381b2843fae5a9707eec1f8fb2ef94d827990582c7c7c32f5bdfbfd420c8 +ARG TARGETARCH ARG CONTAINERREGISTRY_VERSION=v0.16.1 +ARG GOLANG_VERSION=1.21.3 ARG GO_LINT_VERSION=v1.54.2 ARG K8S_VERSION=v1.27.6 ARG MOCKERY_VERSION=2.35.3 
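Review bot: `ARG TARGETARCH=${TARGETARCH}` on the first line of the unified Dockerfile gives the argument a default that refers to itself; BuildKit predefines `TARGETARCH` for use in `FROM`, so `ARG TARGETARCH` with no default states the intent without leaving a reader to work out what the self-expansion yields. Under a builder that does not predefine it, the stage reference degrades to `calico/bpftool:v5.3-` and only fails at pull time; the switch to `docker buildx build` in this patch's Makefile hunk is presumably what guarantees the value, and a comment saying so would help, e.g. `# TARGETARCH is supplied by buildx from --platform; this file does not build with the legacy builder`. The context line still pulls `registry.access.redhat.com/ubi8/ubi:latest`, which is worth pinning to a tag or digest now that one Dockerfile feeds all four architectures.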
@@ -41,21 +42,50 @@ RUN dnf upgrade -y && dnf install -y \ yajl \ zip +# Install system dependencies that are not in UBI repos COPY rockylinux/Rocky*.repo /etc/yum.repos.d/ -RUN dnf --enablerepo=baseos --enablerepo=powertools install -y \ - elfutils-libelf-devel \ - iproute-devel \ - libbpf-devel \ - lmdb-devel \ - mingw64-gcc + +RUN set -eux; \ + if [ "${TARGETARCH}" = "amd64" ] || [ "${TARGETARCH}" = "arm64" ]; then \ + dnf --enablerepo=baseos --enablerepo=powertools install -y \ + elfutils-libelf-devel \ + iproute-devel \ + libbpf-devel \ + lmdb-devel; \ + fi; \ + if [ "${TARGETARCH}" = "amd64" ]; then \ + dnf --enablerepo=powertools install -y \ + mingw64-gcc; \ + fi RUN dnf clean all # Install Go official release RUN set -eux; \ - wget -O go.tgz.asc https://dl.google.com/go/go${GOLANG_VERSION}.linux-amd64.tar.gz.asc; \ - wget -O go.tgz https://dl.google.com/go/go${GOLANG_VERSION}.linux-amd64.tar.gz --progress=dot:giga; \ - echo "${GOLANG_SHA256} *go.tgz" | sha256sum -c -; \ + url=; \ + case "${TARGETARCH}" in \ + 'amd64') \ + url="https://dl.google.com/go/go${GOLANG_VERSION}.linux-amd64.tar.gz"; \ + sha256='1241381b2843fae5a9707eec1f8fb2ef94d827990582c7c7c32f5bdfbfd420c8'; \ + ;; \ + 'arm64') \ + url="https://dl.google.com/go/go${GOLANG_VERSION}.linux-arm64.tar.gz"; \ + sha256='fc90fa48ae97ba6368eecb914343590bbb61b388089510d0c56c2dde52987ef3'; \ + ;; \ + 'ppc64le') \ + url="https://dl.google.com/go/go${GOLANG_VERSION}.linux-ppc64le.tar.gz"; \ + sha256='3b0e10a3704f164a6e85e0377728ec5fd21524fabe4c925610e34076586d5826'; \ + ;; \ + 's390x') \ + url="https://dl.google.com/go/go${GOLANG_VERSION}.linux-s390x.tar.gz"; \ + sha256='4c78e2e6f4c684a3d5a9bdc97202729053f44eb7be188206f0627ef3e18716b6'; \ + ;; \ + *) echo >&2 "error: unsupported architecture '${TARGETARCH}'"; exit 1 ;; \ + esac; \ + \ + wget -O go.tgz.asc "$url.asc"; \ + wget -O go.tgz "$url" --progress=dot:giga; \ + echo "$sha256 *go.tgz" | sha256sum -c -; \ \ # 
https://github.com/golang/go/issues/14739#issuecomment-324767697 GNUPGHOME="$(mktemp -d)"; export GNUPGHOME; \ 
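Review bot: The new conditional `dnf ... install` step creates its own layer while the following `RUN dnf clean all` (a context line) runs in a later one, so the repository metadata and package cache written by the new step stay in the image; end the same `RUN` with the cleanup instead, e.g. after the last `fi; \` add `dnf clean all`. In the Go download step the four `sha256=` values are tied to `GOLANG_VERSION=1.21.3` but nothing says so; a comment at the top of the `case`, such as `# the sha256 values below are for GOLANG_VERSION and must be updated together with it`, guards against a bump that keeps stale digests and is then "fixed" by removing the check. The `*)` branch failing with `exit 1` is the right choice for a toolchain download. The Go download `RUN` continues past the end of this hunk.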
@@ -82,23 +112,38 @@ RUN mkdir -p "$GOPATH/src" "$GOPATH/bin" && chmod -R 1777 "$GOPATH" # Install Go utilities -# Used for generating CRD files. +# coltroller-gen is used for generating CRD files. # Download a version of controller-gen that has been hacked to support additional types (e.g., float). # We can remove this once we update the Calico v3 APIs to use only types which are supported by the upstream controller-gen # tooling. Example: float, all the types in the numorstring package, etc. -RUN wget -O /usr/local/bin/controller-gen https://github.com/projectcalico/controller-tools/releases/download/calico-0.1/controller-gen && chmod +x /usr/local/bin/controller-gen +RUN set -eux; \ + if [ "${TARGETARCH}" = "amd64" ]; then \ + wget -O /usr/local/bin/controller-gen https://github.com/projectcalico/controller-tools/releases/download/calico-0.1/controller-gen && chmod +x /usr/local/bin/controller-gen; \ + fi # crane is needed for our release targets to copy images from the dev registries to the release registries. -RUN curl -sfL https://github.com/google/go-containerregistry/releases/download/${CONTAINERREGISTRY_VERSION}/go-containerregistry_Linux_x86_64.tar.gz | tar xz -C /usr/local/bin crane +RUN set -eux; \ + if [ "${TARGETARCH}" = "amd64" ]; then \ + curl -sfL https://github.com/google/go-containerregistry/releases/download/${CONTAINERREGISTRY_VERSION}/go-containerregistry_Linux_x86_64.tar.gz | tar xz -C /usr/local/bin crane; \ + fi RUN curl -sfL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh | sh -s -- -b /usr/local/bin $GO_LINT_VERSION # Install necessary Kubernetes binaries used in tests. 
-RUN wget https://dl.k8s.io/${K8S_VERSION}/bin/linux/amd64/kube-apiserver -O /usr/local/bin/kube-apiserver && chmod +x /usr/local/bin/kube-apiserver && \ - wget https://dl.k8s.io/release/${K8S_VERSION}/bin/linux/amd64/kubectl -O /usr/local/bin/kubectl && chmod +x /usr/local/bin/kubectl && \ - wget https://dl.k8s.io/${K8S_VERSION}/bin/linux/amd64/kube-controller-manager -O /usr/local/bin/kube-controller-manager && chmod +x /usr/local/bin/kube-controller-manager +RUN wget https://dl.k8s.io/${K8S_VERSION}/bin/linux/${TARGETARCH}/kube-apiserver -O /usr/local/bin/kube-apiserver && chmod +x /usr/local/bin/kube-apiserver && \ + wget https://dl.k8s.io/release/${K8S_VERSION}/bin/linux/${TARGETARCH}/kubectl -O /usr/local/bin/kubectl && chmod +x /usr/local/bin/kubectl && \ + wget https://dl.k8s.io/${K8S_VERSION}/bin/linux/${TARGETARCH}/kube-controller-manager -O /usr/local/bin/kube-controller-manager && chmod +x /usr/local/bin/kube-controller-manager -RUN curl -sfL https://github.com/vektra/mockery/releases/download/v${MOCKERY_VERSION}/mockery_${MOCKERY_VERSION}_Linux_x86_64.tar.gz | tar xz -C /usr/local/bin --extract mockery +RUN set -eux; \ + case "${TARGETARCH}" in \ + 'amd64') \ + curl -sfL https://github.com/vektra/mockery/releases/download/v${MOCKERY_VERSION}/mockery_${MOCKERY_VERSION}_Linux_x86_64.tar.gz | tar xz -C /usr/local/bin --extract mockery; \ + ;; \ + 'arm64') \ + curl -sfL https://github.com/vektra/mockery/releases/download/v${MOCKERY_VERSION}/mockery_${MOCKERY_VERSION}_Linux_arm64.tar.gz | tar xz -C /usr/local/bin --extract mockery; \ + ;; \ + *) echo >&2 "warning: unsupported architecture '${TARGETARCH}'" ;; \ + esac # Install go programs that we rely on # Install ginkgo v2 as ginkgo2 and keep ginkgo v1 as ginkgo 
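Review bot: The rewritten Kubernetes download lines place `kube-apiserver`, `kubectl` and `kube-controller-manager` in `/usr/local/bin` with no integrity check, unlike the Go tarball earlier in this file, which is verified by both sha256 and signature; the release site publishes a `.sha256` file next to each binary (this is documented for `kubectl` at least), so each `wget` can be followed by fetching `<url>.sha256` and running `sha256sum -c`, or the expected digests for `K8S_VERSION` can be kept in the Dockerfile like the Go ones. The three URLs also mix two path forms — `https://dl.k8s.io/${K8S_VERSION}/...` for the two server binaries and `https://dl.k8s.io/release/${K8S_VERSION}/...` for `kubectl`; both presumably resolve, but one form for all three is easier to audit. The added comment line has a typo: `# coltroller-gen is used for generating CRD files.` should read `# controller-gen is used for generating CRD files.`. The mockery `case` only warns on unsupported architectures while the Go download exits with an error; if leaving mockery absent on ppc64le/s390x is intended, a comment saying so next to the `*)` branch would stop the next reader from "fixing" it.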
@@ -129,12 +174,15 @@ ENV HOME $GOPATH RUN echo $'Host *\n StrictHostKeyChecking no' >> /etc/ssh/ssh_config.d/10-stricthostkey.conf # Add bpftool for Felix UT/FV. -COPY --from=bpftool /bpftool /usr/local/bin +COPY --from=bpftool /bpftool /usr/bin # Build ModSecurity for Dikastes. -RUN git clone -b ${MODSEC_VERSION} --depth 1 --recurse-submodules --shallow-submodules https://github.com/SpiderLabs/ModSecurity.git /build && \ - cd /build && ./build.sh && ./configure && \ - make && make install && \ - rm -fr /build +RUN set -eux; \ + if [ "${TARGETARCH}" = "amd64" ] || [ "${TARGETARCH}" = "arm64" ]; then \ + git clone -b ${MODSEC_VERSION} --depth 1 --recurse-submodules --shallow-submodules https://github.com/SpiderLabs/ModSecurity.git /build && \ + cd /build && ./build.sh && ./configure && \ + make -j4 && make install && \ + rm -fr /build; \ + fi WORKDIR $GOPATH diff --git a/Dockerfile.arm64 b/Dockerfile.arm64 deleted file mode 100644 index 9ffd1219..00000000 --- a/Dockerfile.arm64 +++ /dev/null 
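Review bot: `make -j4` in the ModSecurity step hard-codes the parallelism regardless of the builder's CPU count, which this image now shares across four architectures through qemu; `make -j"$(nproc)"` adapts to the host. The clone still checks out `${MODSEC_VERSION}` as a git tag, and tags can be moved, so recording the commit the tag resolved to when it was pinned (e.g. `# v3.0.10 resolved to <commit-sha> when pinned` next to the `ARG`, or cloning by that commit) keeps the build reproducible and tamper-evident in a way the tag alone does not. The `cd /build && ...` chain inside the `RUN` is carried over from the old line; with `set -eux` already in place, a failure in `./configure` or `make` now aborts the step, which is an improvement worth keeping.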
@@ -1,128 +0,0 @@ -FROM calico/bpftool:v5.3-arm64 as bpftool - -FROM registry.access.redhat.com/ubi8/ubi:latest - -ARG GOLANG_VERSION=1.21.3 -ARG GOLANG_SHA256=fc90fa48ae97ba6368eecb914343590bbb61b388089510d0c56c2dde52987ef3 - -ARG GO_LINT_VERSION=v1.54.2 -ARG K8S_VERSION=v1.27.6 -ARG MOCKERY_VERSION=2.35.3 -ARG MODSEC_VERSION=v3.0.10 - -ENV PATH /usr/local/go/bin:$PATH - -# Enable non-native builds of this image on an amd64 hosts. -COPY qemu-aarch64-static /usr/bin/ - -# Install system dependencies -RUN dnf upgrade -y && dnf install -y \ - autoconf \ - automake \ - clang \ - gcc \ - gcc-c++ \ - git \ - glibc-static \ - iputils \ - jq \ - libcurl-devel \ - libpcap-devel \ - libtool \ - libxml2-devel \ - llvm \ - make \ - openssh-clients \ - pcre-devel \ - pkg-config \ - wget \ - yajl \ - zip - -COPY rockylinux/Rocky*.repo /etc/yum.repos.d/ -RUN dnf --enablerepo=baseos --enablerepo=powertools install -y \ - elfutils-libelf-devel \ - iproute-devel \ - libbpf-devel \ - lmdb-devel - -RUN dnf clean all - -# Install Go official release -RUN set -eux; \ - wget -O go.tgz.asc https://dl.google.com/go/go${GOLANG_VERSION}.linux-arm64.tar.gz.asc; \ - wget -O go.tgz https://dl.google.com/go/go${GOLANG_VERSION}.linux-arm64.tar.gz --progress=dot:giga; \ - echo "${GOLANG_SHA256} *go.tgz" | sha256sum -c -; \ - \ - # https://github.com/golang/go/issues/14739#issuecomment-324767697 - GNUPGHOME="$(mktemp -d)"; export GNUPGHOME; \ - # https://www.google.com/linuxrepositories/ - gpg --batch --keyserver keyserver.ubuntu.com --recv-keys 'EB4C 1BFD 4F04 2F6D DDCC EC91 7721 F63B D38B 4796'; \ - # let's also fetch the specific subkey of that key explicitly that we expect "go.tgz.asc" to be signed by, just to make sure we definitely have it - gpg --batch --keyserver keyserver.ubuntu.com --recv-keys '2F52 8D36 D67B 69ED F998 D857 78BD 6547 3CB3 BD13'; \ - gpg --batch --verify go.tgz.asc go.tgz; \ - gpgconf --kill all; \ - rm -rf "$GNUPGHOME" go.tgz.asc; \ - \ - tar -C /usr/local -xzf go.tgz; \ 
- rm -f go.tgz*; \ - \ - go version - -# don't auto-upgrade the gotoolchain -# https://github.com/docker-library/golang/issues/472 -ENV GOTOOLCHAIN=local - -ENV GOPATH /go -ENV PATH $GOPATH/bin:$PATH -RUN mkdir -p "$GOPATH/src" "$GOPATH/bin" && chmod -R 1777 "$GOPATH" - -# Install Go utilities - -RUN curl -sfL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh | sh -s -- -b /usr/local/bin $GO_LINT_VERSION - -# Install necessary Kubernetes binaries used in tests. -RUN wget https://dl.k8s.io/${K8S_VERSION}/bin/linux/arm64/kube-apiserver -O /usr/local/bin/kube-apiserver && chmod +x /usr/local/bin/kube-apiserver && \ - wget https://dl.k8s.io/release/${K8S_VERSION}/bin/linux/arm64/kubectl -O /usr/local/bin/kubectl && chmod +x /usr/local/bin/kubectl && \ - wget https://dl.k8s.io/${K8S_VERSION}/bin/linux/arm64/kube-controller-manager -O /usr/local/bin/kube-controller-manager && chmod +x /usr/local/bin/kube-controller-manager - -RUN curl -sfL https://github.com/vektra/mockery/releases/download/v${MOCKERY_VERSION}/mockery_${MOCKERY_VERSION}_Linux_x86_64.tar.gz | tar xz -C /usr/local/bin --extract mockery - -# Install go programs that we rely on -# Install ginkgo v2 as ginkgo2 and keep ginkgo v1 as ginkgo -RUN go install github.com/onsi/ginkgo/v2/ginkgo@v2.13.0 && mv /go/bin/ginkgo /go/bin/ginkgo2 && \ - go install github.com/onsi/ginkgo/ginkgo@v1.16.5 && \ - go install github.com/jstemmer/go-junit-report@v1.0.0 && \ - go install github.com/mikefarah/yq/v3@3.4.1 && \ - go install github.com/pmezard/licenses@master && \ - go install github.com/swaggo/swag/cmd/swag@v1.16.2 && \ - go install github.com/wadey/gocovmerge@master && \ - go install golang.org/x/tools/cmd/goimports@v0.14.0 && \ - go install golang.org/x/tools/cmd/stringer@v0.14.0 && \ - go install gotest.tools/gotestsum@latest && \ - go install k8s.io/code-generator/cmd/client-gen@v0.27.6 && \ - go install k8s.io/code-generator/cmd/conversion-gen@v0.27.6 && \ - go install 
k8s.io/code-generator/cmd/deepcopy-gen@v0.27.6 && \ - go install k8s.io/code-generator/cmd/defaulter-gen@v0.27.6 && \ - go install k8s.io/code-generator/cmd/informer-gen@v0.27.6 && \ - go install k8s.io/code-generator/cmd/lister-gen@v0.27.6 && \ - go install k8s.io/code-generator/cmd/openapi-gen@v0.27.6 && \ - go clean -modcache && go clean -cache - -# Ensure that everything under the GOPATH is writable by everyone -RUN chmod -R 777 $GOPATH -ENV HOME $GOPATH - -# Disable ssh host key checking -RUN echo $'Host *\n StrictHostKeyChecking no' >> /etc/ssh/ssh_config.d/10-stricthostkey.conf - -# Add bpftool for Felix UT/FV. -COPY --from=bpftool /bpftool /usr/local/bin - -# Build ModSecurity for Dikastes. -RUN git clone -b ${MODSEC_VERSION} --depth 1 --recurse-submodules --shallow-submodules https://github.com/SpiderLabs/ModSecurity.git /build && \ - cd /build && ./build.sh && ./configure && \ - make && make install && \ - rm -fr /build - -WORKDIR $GOPATH diff --git a/Dockerfile.ppc64le b/Dockerfile.ppc64le deleted file mode 100644 index b7a697c9..00000000 --- a/Dockerfile.ppc64le +++ /dev/null 
@@ -1,49 +0,0 @@ -FROM ppc64le/golang:1.21.3-alpine3.18 - -ARG GO_LINT_VERSION=v1.54.2 -ARG K8S_VERSION=v1.27.6 - -# Enable non-native builds of this image on an amd64 hosts. -COPY qemu-ppc64le-static /usr/bin/ - -# Install bash for the entry script (and because it's generally useful) -# Install curl -# Install git for fetching Go dependencies -# Install ssh for fetching Go dependencies -# Install wget since it's useful for fetching -# Install make for building things -# Install util-linux for column command (used for output formatting). -# Install grep, sed, zip, and jq for use in some Makefiles -# Install shadow for useradd (it allows to use big UID) -RUN apk update && apk add --no-cache curl bash git openssh make wget util-linux tini file grep sed jq zip shadow libpcap-dev -RUN apk upgrade --no-cache - -# Install Go utilities - -# Install linting tools -RUN curl -sfL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh | sh -s -- -b /usr/local/bin $GO_LINT_VERSION - -# Install necessary Kubernetes binaries used in tests. 
-RUN wget https://dl.k8s.io/${K8S_VERSION}/bin/linux/ppc64le/kube-apiserver -O /usr/local/bin/kube-apiserver && chmod +x /usr/local/bin/kube-apiserver && \ - wget https://dl.k8s.io/release/${K8S_VERSION}/bin/linux/ppc64le/kubectl -O /usr/local/bin/kubectl && chmod +x /usr/local/bin/kubectl && \ - wget https://dl.k8s.io/${K8S_VERSION}/bin/linux/ppc64le/kube-controller-manager -O /usr/local/bin/kube-controller-manager && chmod +x /usr/local/bin/kube-controller-manager - -# Install ginkgo CLI tool for running tests -# Install ginkgo v2 as ginkgo2 and keep ginkgo v1 as ginkgo -RUN go install github.com/onsi/ginkgo/v2/ginkgo@v2.13.0 && mv /go/bin/ginkgo /go/bin/ginkgo2 && \ - go install github.com/onsi/ginkgo/ginkgo@v1.16.5 && \ - go install github.com/mikefarah/yq/v3@3.4.1 && \ - go install github.com/pmezard/licenses@master && \ - go install github.com/swaggo/swag/cmd/swag@v1.16.2 && \ - go install github.com/wadey/gocovmerge@master && \ - go install k8s.io/code-generator/cmd/deepcopy-gen@v0.27.6 && \ - go install k8s.io/code-generator/cmd/openapi-gen@v0.27.6 && \ - go clean -modcache && go clean -cache - -# Ensure that everything under the GOPATH is writable by everyone -RUN chmod -R 777 $GOPATH -ENV HOME $GOPATH - -# Disable ssh host key checking -RUN echo 'Host *' >> /etc/ssh/ssh_config \ - && echo ' StrictHostKeyChecking no' >> /etc/ssh/ssh_config diff --git a/Dockerfile.s390x b/Dockerfile.s390x deleted file mode 100644 index 62886262..00000000 --- a/Dockerfile.s390x +++ /dev/null 
@@ -1,49 +0,0 @@ -FROM s390x/golang:1.21.3-alpine3.18 - -ARG GO_LINT_VERSION=v1.54.2 -ARG K8S_VERSION=v1.27.6 - -# Enable non-native builds of this image on an amd64 hosts. -COPY qemu-s390x-static /usr/bin/ - -# Install bash for the entry script (and because it's generally useful) -# Install curl -# Install git for fetching Go dependencies -# Install ssh for fetching Go dependencies -# Install wget since it's useful for fetching -# Install make for building things -# Install util-linux for column command (used for output formatting). -# Install grep, sed, zip, and jq for use in some Makefiles -# Install shadow for useradd (it allows to use big UID) -RUN apk update && apk add --no-cache curl bash git openssh make wget util-linux tini file grep sed jq zip shadow libpcap-dev -RUN apk upgrade --no-cache - -# Install Go utilities - -# Install linting tools -RUN curl -sfL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh | sh -s -- -b /usr/local/bin $GO_LINT_VERSION - -# Install necessary Kubernetes binaries used in tests. 
-RUN wget https://dl.k8s.io/${K8S_VERSION}/bin/linux/s390x/kube-apiserver -O /usr/local/bin/kube-apiserver && chmod +x /usr/local/bin/kube-apiserver && \ - wget https://dl.k8s.io/release/${K8S_VERSION}/bin/linux/s390x/kubectl -O /usr/local/bin/kubectl && chmod +x /usr/local/bin/kubectl && \ - wget https://dl.k8s.io/${K8S_VERSION}/bin/linux/s390x/kube-controller-manager -O /usr/local/bin/kube-controller-manager && chmod +x /usr/local/bin/kube-controller-manager - -# Install ginkgo CLI tool for running tests -# Install ginkgo v2 as ginkgo2 and keep ginkgo v1 as ginkgo -RUN go install github.com/onsi/ginkgo/v2/ginkgo@v2.13.0 && mv /go/bin/ginkgo /go/bin/ginkgo2 && \ - go install github.com/onsi/ginkgo/ginkgo@v1.16.5 && \ - go install github.com/mikefarah/yq/v3@3.4.1 && \ - go install github.com/pmezard/licenses@master && \ - go install github.com/swaggo/swag/cmd/swag@v1.16.2 && \ - go install github.com/wadey/gocovmerge@master && \ - go install k8s.io/code-generator/cmd/deepcopy-gen@v0.27.6 && \ - go install k8s.io/code-generator/cmd/openapi-gen@v0.27.6 && \ - go clean -modcache && go clean -cache - -# Ensure that everything under the GOPATH is writable by everyone -RUN chmod -R 777 $GOPATH -ENV HOME $GOPATH - -# Disable ssh host key checking -RUN echo 'Host *' >> /etc/ssh/ssh_config \ - && echo ' StrictHostKeyChecking no' >> /etc/ssh/ssh_config diff --git a/Makefile b/Makefile index 31286c58..b653b3ee 100644 --- a/Makefile +++ b/Makefile @@ -35,9 +35,9 @@ ifeq ($(ARCH),x86_64) endif ############################################################################### -DOCKERFILE ?= Dockerfile.$(ARCH) +GOBUILD_IMAGE ?= calico/go-build VERSION ?= latest -DEFAULTIMAGE ?= calico/go-build:$(VERSION) +DEFAULTIMAGE ?= $(GOBUILD_IMAGE):$(VERSION) ARCHIMAGE ?= $(DEFAULTIMAGE)-$(ARCH) BUILDIMAGE ?= $(DEFAULTIMAGE)-$(BUILDARCH) 
@@ -51,18 +51,20 @@ endif ############################################################################### # Building the image ############################################################################### +QEMU_DOWNLOADED=.qemu.downloaded QEMU_VERSION=v7.2.0-1 .PHONY: download-qemu -download-qemu: - curl --remote-name-all -sfL --retry 3 https://github.com/multiarch/qemu-user-static/releases/download/${QEMU_VERSION}/qemu-{aarch64,ppc64le,s390x}-static && \ +download-qemu: $(QEMU_DOWNLOADED) +$(QEMU_DOWNLOADED): + curl --remote-name-all -sfL --retry 3 https://github.com/multiarch/qemu-user-static/releases/download/${QEMU_VERSION}/qemu-{aarch64,ppc64le,s390x}-static chmod 755 qemu-*-static + touch $@ .PHONY: image image: calico/go-build calico/go-build: register download-qemu - # Make sure we re-pull the base image to pick up security fixes. - docker buildx build $(DOCKER_BUILD_ARGS) --platform=linux/${ARCH} --pull -t $(ARCHIMAGE) -f $(DOCKERFILE) . + docker buildx build --pull $(DOCKER_BUILD_ARGS) --platform=linux/$(ARCH) -t $(ARCHIMAGE) -f Dockerfile . --load image-all: $(addprefix sub-image-,$(ARCHES)) sub-image-%: @@ -75,6 +77,7 @@ ifeq ($(BUILDARCH),amd64) docker run --rm --privileged multiarch/qemu-user-static:register --reset endif +.PHONY: push push: image docker push $(ARCHIMAGE) # to handle default case, because quay.io does not support manifest yet @@ -87,6 +90,7 @@ push-all: $(addprefix sub-push-,$(ARCHES)) sub-push-%: $(MAKE) push ARCH=$* +.PHONY: push-manifest push-manifest: # Docker login to hub.docker.com required before running this target as we are using $(HOME)/.docker/config.json holds the docker login credentials docker manifest create $(DEFAULTIMAGE) \ 
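Review bot: The new `$(QEMU_DOWNLOADED)` marker has no relation to `QEMU_VERSION`, so bumping the version leaves the stale `qemu-*-static` binaries in place on every checkout that has already run the target, and only `make clean` reveals it; encoding the version in the marker name, e.g. `QEMU_DOWNLOADED=.qemu.$(QEMU_VERSION).downloaded`, makes a bump re-download automatically. The download in this rule is still unverified (see the earlier note on the `--retry` change), which matters more now that a single marker file gates it. `--load` on the `docker buildx build` line is right for a single-platform build but may fail if `$(DOCKER_BUILD_ARGS)` ever carries a multi-platform `--platform`, which is worth a one-line comment on the rule.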
@@ -96,6 +100,12 @@ push-manifest: --amend $(DEFAULTIMAGE)-s390x docker manifest push $(DEFAULTIMAGE) +.PHONY: clean +clean: + rm -f qemu-*-static + rm -f $(QEMU_DOWNLOADED) + -docker image rm -f $$(docker images $(GOBUILD_IMAGE) -a -q) + ############################################################################### # UTs ############################################################################### From ccaa2e0f72692bccaaf91900632b3390f7728008 Mon Sep 17 00:00:00 2001 From: Jiawei Huang Date: Sat, 14 Oct 2023 15:56:02 -0700 Subject: [PATCH 08/20] Remove docker manifest in clean target --- Makefile | 1 + 1 file changed, 1 insertion(+) diff --git a/Makefile b/Makefile index b653b3ee..4e1db534 100644 --- a/Makefile +++ b/Makefile @@ -105,6 +105,7 @@ clean: rm -f qemu-*-static rm -f $(QEMU_DOWNLOADED) -docker image rm -f $$(docker images $(GOBUILD_IMAGE) -a -q) + -docker manifest rm $(DEFAULTIMAGE) ############################################################################### # UTs From bd3073ec933e1e64eb9d7c77619d65722356f730 Mon Sep 17 00:00:00 2001 From: Jiawei Huang Date: Sat, 14 Oct 2023 17:36:56 -0700 Subject: [PATCH 09/20] Add iproute-tc package --- Dockerfile | 1 + 1 file changed, 1 insertion(+) diff --git a/Dockerfile b/Dockerfile index 68c7ef64..84038550 100644 --- a/Dockerfile +++ b/Dockerfile @@ -50,6 +50,7 @@ RUN set -eux; \ dnf --enablerepo=baseos --enablerepo=powertools install -y \ elfutils-libelf-devel \ iproute-devel \ + iproute-tc \ libbpf-devel \ lmdb-devel; \ fi; \ From fa0bb72d46f454735c33d6b8981771d93617089d Mon Sep 17 00:00:00 2001 From: Jiawei Huang Date: Sat, 14 Oct 2023 21:52:16 -0700 Subject: [PATCH 10/20] Add GeoIP-devel package for modsecurity build --- Dockerfile | 8 ++++++-- rockylinux/Rocky-BaseOS.repo | 2 +- rockylinux/Rocky-Extras.repo | 18 ++++++++++++++++++ 3 files changed, 25 insertions(+), 3 deletions(-) create mode 100644 rockylinux/Rocky-Extras.repo diff --git a/Dockerfile b/Dockerfile index 84038550..a9adb699 100644 
--- a/Dockerfile +++ b/Dockerfile @@ -18,7 +18,7 @@ ENV PATH /usr/local/go/bin:$PATH # Supported qemu-user-static arch files are copied in Makefile `download-qemu` target COPY qemu-*-static /usr/bin -# Install system dependencies +# Install system dependencies and enable epel RUN dnf upgrade -y && dnf install -y \ autoconf \ automake \ @@ -47,12 +47,16 @@ COPY rockylinux/Rocky*.repo /etc/yum.repos.d/ RUN set -eux; \ if [ "${TARGETARCH}" = "amd64" ] || [ "${TARGETARCH}" = "arm64" ]; then \ - dnf --enablerepo=baseos --enablerepo=powertools install -y \ + dnf --enablerepo=baseos,extras,powertools install -y \ elfutils-libelf-devel \ + epel-release \ iproute-devel \ iproute-tc \ libbpf-devel \ lmdb-devel; \ + # requires epel-release package to be installed first + dnf install -y \ + GeoIP-devel; \ fi; \ if [ "${TARGETARCH}" = "amd64" ]; then \ dnf --enablerepo=powertools install -y \ diff --git a/rockylinux/Rocky-BaseOS.repo b/rockylinux/Rocky-BaseOS.repo index 8612021c..b32722d5 100644 --- a/rockylinux/Rocky-BaseOS.repo +++ b/rockylinux/Rocky-BaseOS.repo @@ -13,6 +13,6 @@ name=Rocky Linux $releasever - BaseOS mirrorlist=https://mirrors.rockylinux.org/mirrorlist?arch=$basearch&repo=BaseOS-$releasever #baseurl=http://dl.rockylinux.org/$contentdir/$releasever/BaseOS/$basearch/os/ gpgcheck=0 -enabled=1 +enabled=0 countme=1 #gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-rockyofficial diff --git a/rockylinux/Rocky-Extras.repo b/rockylinux/Rocky-Extras.repo new file mode 100644 index 00000000..a6713c53 --- /dev/null +++ b/rockylinux/Rocky-Extras.repo 
@@ -0,0 +1,18 @@
+# Rocky-Extras.repo
+#
+# The mirrorlist system uses the connecting IP address of the client and the
+# update status of each mirror to pick current mirrors that are geographically
+# close to the client. You should use this for Rocky updates unless you are
+# manually picking other mirrors.
+#
+# If the mirrorlist does not work for you, you can try the commented out
+# baseurl line instead.
+
+[extras]
+name=Rocky Linux $releasever - Extras
+mirrorlist=https://mirrors.rockylinux.org/mirrorlist?arch=$basearch&repo=extras-$releasever
+#baseurl=http://dl.rockylinux.org/$contentdir/$releasever/extras/$basearch/os/
+gpgcheck=0
+enabled=0
+countme=1
+#gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-rockyofficial
From 9f7268c4d93c969024ab0f16722d16062c8d923b Mon Sep 17 00:00:00 2001
From: Jiawei Huang
Date: Mon, 16 Oct 2023 11:04:39 -0700
Subject: [PATCH 11/20] Bring back su-exec and entrypoint
---
 Dockerfile | 11 +++++++++--
 Makefile | 2 +-
 Makefile.common | 23 ++++++++++++++++++-----
 entrypoint.sh | 35 +++++++++++++++++++++++++++++++++++
 4 files changed, 63 insertions(+), 8 deletions(-)
 create mode 100755 entrypoint.sh
diff --git a/Dockerfile b/Dockerfile
index a9adb699..a3c037b0 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,4 +1,5 @@
 ARG TARGETARCH=${TARGETARCH}
+
 FROM calico/bpftool:v5.3-${TARGETARCH} as bpftool
 FROM registry.access.redhat.com/ubi8/ubi:latest
@@ -115,6 +116,12 @@ ENV GOPATH /go
 ENV PATH $GOPATH/bin:$PATH
 RUN mkdir -p "$GOPATH/src" "$GOPATH/bin" && chmod -R 1777 "$GOPATH"
+# su-exec is used by the entrypoint script to execute the user's command with the right UID/GID.
+RUN set -eux; \
+ curl -sfL https://raw.githubusercontent.com/ncopa/su-exec/master/su-exec.c -o /tmp/su-exec.c; \
+ gcc -Wall -O2 /tmp/su-exec.c -o /usr/bin/su-exec; \
+ rm -f /tmp/su-exec.c
+
 # Install Go utilities
 # coltroller-gen is used for generating CRD files.
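Review bot: Rocky-Extras.repo is added with `gpgcheck=0` and its `gpgkey` line commented out, and the committed Rocky-BaseOS.repo shown in the previous hunk carries the same setting, so every package pulled through `--enablerepo=baseos,extras,powertools` in the Dockerfile hunk of this commit — including `epel-release`, which then vouches for the EPEL repo that later commits install from — comes from a mirrorlist-selected mirror with no signature verification. Ship the Rocky signing key in the build context and turn the check on in each of these repo files: `gpgcheck=1` and `gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-rockyofficial`, with a `COPY` of the key file placed next to the existing `COPY rockylinux/Rocky*.repo /etc/yum.repos.d/`. Keeping the repos `enabled=0` and opting in per `dnf` invocation is fine; the missing piece is the signature check, not the scoping.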
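Review bot: The su-exec source is fetched from the `master` branch of raw.githubusercontent.com with `curl -sfL` and compiled straight into `/usr/bin/su-exec`, with no pinned revision and no checksum, so the build is not reproducible and the binary the entrypoint runs as root to drop privileges is whatever that branch serves at build time. Pin it the way the Go tarball's sha256 is carried in ARGs elsewhere in this Dockerfile: add `ARG SU_EXEC_COMMIT=<pinned commit sha>` and `ARG SU_EXEC_SHA256=<sha256 of su-exec.c at that commit>`, fetch `https://raw.githubusercontent.com/ncopa/su-exec/${SU_EXEC_COMMIT}/su-exec.c`, and verify with `echo "${SU_EXEC_SHA256}  /tmp/su-exec.c" | sha256sum -c -` before the gcc step. The `-s` flag also hides curl's error text; `-sS` keeps the silence but still reports a failed fetch.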
@@ -173,7 +180,6 @@ RUN go install github.com/onsi/ginkgo/v2/ginkgo@v2.13.0 && mv /go/bin/ginkgo /go
 # Ensure that everything under the GOPATH is writable by everyone
 RUN chmod -R 777 $GOPATH
-ENV HOME $GOPATH
 # Disable ssh host key checking
 RUN echo $'Host *\n StrictHostKeyChecking no' >> /etc/ssh/ssh_config.d/10-stricthostkey.conf
@@ -190,4 +196,5 @@ RUN set -eux; \
 rm -fr /build; \
 fi
-WORKDIR $GOPATH
+COPY entrypoint.sh /usr/local/bin/entrypoint.sh
+ENTRYPOINT ["/usr/local/bin/entrypoint.sh"]
diff --git a/Makefile b/Makefile
index 4e1db534..bb5b1e1d 100644
--- a/Makefile
+++ b/Makefile
@@ -114,7 +114,7 @@ test: register
 for arch in $(ARCHES) ; do ARCH=$$arch $(MAKE) testcompile; done
 testcompile:
- docker run --rm --user=$(shell id -u) -e GOARCH=$(ARCH) -w /code -v ${PWD}:/code $(BUILDIMAGE) go build -o hello-$(ARCH) hello.go
+ docker run --rm -e LOCAL_USER_ID=$(shell id -u) -e GOARCH=$(ARCH) -w /code -v ${PWD}:/code $(BUILDIMAGE) go build -o hello-$(ARCH) hello.go
 docker run --rm -v ${PWD}:/code $(BUILDIMAGE) /code/hello-$(ARCH) | grep -q "hello world"
 @echo "success"
diff --git a/Makefile.common b/Makefile.common
index a1fa02bc..aa590ab3 100644
--- a/Makefile.common
+++ b/Makefile.common
@@ -167,6 +167,19 @@ ifneq ($(OS),Windows_NT)
 DATE:=$(shell date -u +'%FT%T%z')
 endif
+# Figure out the users UID/GID. These are needed to run docker containers
+# as the current user and ensure that files built inside containers are
+# owned by the current user.
+ifneq ($(OS),Windows_NT)
+LOCAL_USER_ID:=$(shell id -u)
+LOCAL_GROUP_ID:=$(shell id -g)
+endif
+
+ifeq ("$(LOCAL_USER_ID)", "0")
+# The build needs to run as root.
+EXTRA_DOCKER_ARGS+=-e RUN_AS_ROOT='true'
+endif
+
 # Allow the ssh auth sock to be mapped into the build container.
 ifdef SSH_AUTH_SOCK
 EXTRA_DOCKER_ARGS += -v $(SSH_AUTH_SOCK):/ssh-agent --env SSH_AUTH_SOCK=/ssh-agent
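Review bot: The -190 hunk drops `WORKDIR $GOPATH` without a replacement and the -173 hunk drops `ENV HOME $GOPATH`, so a container started without `-w` now lands in `/`, and `HOME` is only set by entrypoint.sh on its non-root path (`export HOME=/home/user`) while a `RUN_AS_ROOT=true` run inherits the image default. The Makefile hunk in this commit passes `-w /code`, so this looks intended, but nothing says so; a comment next to the new `ENTRYPOINT` would make it explicit, e.g. `# No WORKDIR/HOME here: callers pass -w, and entrypoint.sh sets HOME when it drops to LOCAL_USER_ID.` The second `docker run` in the `testcompile` hunk passes no `LOCAL_USER_ID`, so it runs under the entrypoint's fallback UID (9001 in entrypoint.sh), which is fine for executing a built binary but also worth a one-line comment there.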
@@ -197,10 +210,10 @@ GOARCH_FLAGS :=-e GOARCH=$(ARCH)
 DOCKER_RUN := mkdir -p .go-pkg-cache bin $(GOMOD_CACHE) && \
 docker run --rm \
- --init \
 --net=host \
- --user=$(shell id -u):$(shell id -g) \
+ --init \
 $(EXTRA_DOCKER_ARGS) \
+ -e LOCAL_USER_ID=$(LOCAL_USER_ID) \
 -e GOCACHE=/go-cache \
 $(GOARCH_FLAGS) \
 -e GOPATH=/go \
@@ -213,10 +226,10 @@ DOCKER_RUN := mkdir -p .go-pkg-cache bin $(GOMOD_CACHE) && \
 DOCKER_RUN_RO := mkdir -p .go-pkg-cache bin $(GOMOD_CACHE) && \
 docker run --rm \
- --init \
 --net=host \
- --user=$(shell id -u):$(shell id -g) \
+ --init \
 $(EXTRA_DOCKER_ARGS) \
+ -e LOCAL_USER_ID=$(LOCAL_USER_ID) \
 -e GOCACHE=/go-cache \
 $(GOARCH_FLAGS) \
 -e GOPATH=/go \
@@ -383,7 +396,7 @@ git-commit:
 # different implementation.
 ###############################################################################
-CRANE_CMD = docker run -t --entrypoint /bin/sh -v $(DOCKER_CONFIG):/go/.docker/config.json $(CALICO_BUILD) -c \
+CRANE_CMD = docker run -t --entrypoint /bin/sh -v $(DOCKER_CONFIG):/home/user/.docker/config.json $(CALICO_BUILD) -c \
 $(double_quote)crane
 GIT_CMD = git
 DOCKER_CMD = docker
diff --git a/entrypoint.sh b/entrypoint.sh
new file mode 100755
index 00000000..09237300
--- /dev/null
+++ b/entrypoint.sh
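Review bot: In the -383 hunk `CRANE_CMD` still overrides the entrypoint (`--entrypoint /bin/sh`), so entrypoint.sh never runs for it: no `user` account is created and `HOME` is not set to `/home/user`, which means the config now mounted at `/home/user/.docker/config.json` is not under the running process's `$HOME/.docker` (root's home is normally `/root`) unless something outside this diff sets it. Pin the location explicitly rather than depending on the entrypoint, e.g. `CRANE_CMD = docker run -t --entrypoint /bin/sh -e DOCKER_CONFIG=/home/user/.docker -v $(DOCKER_CONFIG):/home/user/.docker/config.json $(CALICO_BUILD) -c \`. The two `DOCKER_RUN` hunks above now start the container as root and rely on the entrypoint to drop to `LOCAL_USER_ID`; a one-line comment above `DOCKER_RUN` saying that `--user` was removed on purpose would stop the next reader from re-adding it, which would bypass the entrypoint's user setup.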
@@ -0,0 +1,35 @@
+#!/bin/bash
+
+# Add local user
+# Either use the LOCAL_USER_ID if passed in at runtime or fallback
+
+USER_ID=${LOCAL_USER_ID:-9001}
+
+if [ "${RUN_AS_ROOT}" = "true" ]; then
+ exec "$@"
+fi
+
+echo "Starting with UID : $USER_ID" 1>&2
+# Do not create mail box.
+/bin/sed -i 's/^CREATE_MAIL_SPOOL=yes/CREATE_MAIL_SPOOL=no/' /etc/default/useradd
+# Don't pass "-m" to useradd if the home directory already exists (which can occur if it was volume mounted in) otherwise it will fail.
+if [[ ! -d "/home/user" ]]; then
+ /usr/sbin/useradd -m -U -s /bin/bash -u "$USER_ID" user
+else
+ /usr/sbin/useradd -U -s /bin/bash -u "$USER_ID" user
+fi
+
+export HOME=/home/user
+
+if [ -n "$EXTRA_GROUP_ID" ]; then
+ echo "Adding user to additional GID : $EXTRA_GROUP_ID" 1>&2
+ # Adding the group can fail if it already exists.
+ if addgroup --gid "$EXTRA_GROUP_ID" group; then
+ adduser user group
+ else
+ echo "Adding user to existing group instead" 1>&2
+ adduser user "$(getent group "$EXTRA_GROUP_ID" | cut -d: -f1)"
+ fi
+fi
+
+exec /usr/bin/su-exec user "$@"
From 9693f5e884da3cf54696be97c9a49f54341b5194 Mon Sep 17 00:00:00 2001
From: Jiawei Huang
Date: Tue, 24 Oct 2023 15:14:26 -0700
Subject: [PATCH 12/20] Install libmodsecurity-devel from epel
---
 Dockerfile | 17 +++--------------
 1 file changed, 3 insertions(+), 14 deletions(-)
diff --git a/Dockerfile b/Dockerfile
index a3c037b0..d4c9a6af 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -11,7 +11,6 @@ ARG GOLANG_VERSION=1.21.3
 ARG GO_LINT_VERSION=v1.54.2
 ARG K8S_VERSION=v1.27.6
 ARG MOCKERY_VERSION=2.35.3
-ARG MODSEC_VERSION=v3.0.10
 ENV PATH /usr/local/go/bin:$PATH
@@ -33,14 +32,12 @@ RUN dnf upgrade -y && dnf install -y \
 libcurl-devel \
 libpcap-devel \
 libtool \
- libxml2-devel \
 llvm \
 make \
 openssh-clients \
 pcre-devel \
 pkg-config \
 wget \
- yajl \
 zip
 # Install system dependencies that are not in UBI repos
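Review bot: The `EXTRA_GROUP_ID` branch of entrypoint.sh uses the Debian `addgroup`/`adduser` front-ends, but this image is now built from UBI8 (see the Dockerfile `FROM registry.access.redhat.com/ubi8/ubi:latest` earlier in the series), where `addgroup` is not shipped and `adduser` is the shadow-utils `useradd` with different arguments, so `addgroup --gid …` fails, and the fallback `adduser user <group>` then fails as well rather than adding the membership; please confirm this against the built image. The rest of the script already uses `/usr/sbin/useradd`, so switch this block to the matching shadow-utils commands, `groupadd -g` and `usermod -aG`. The script also has no `set -e`, so a failed `useradd` still falls through to `exec /usr/bin/su-exec user "$@"`, which then fails with a less useful error; a `set -e` after the shebang, plus the `|| …` the group step already needs, keeps failures at the line that caused them.

```bash
set -e
# … unchanged: USER_ID default, RUN_AS_ROOT short-circuit, useradd, HOME export …
if [ -n "$EXTRA_GROUP_ID" ]; then
  echo "Adding user to additional GID : $EXTRA_GROUP_ID" 1>&2
  # groupadd fails if the GID already exists; join the existing group by name instead.
  if /usr/sbin/groupadd -g "$EXTRA_GROUP_ID" group; then
    /usr/sbin/usermod -aG group user
  else
    echo "Adding user to existing group instead" 1>&2
    /usr/sbin/usermod -aG "$(getent group "$EXTRA_GROUP_ID" | cut -d: -f1)" user
  fi
fi
# … unchanged: exec su-exec …
```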
@@ -54,10 +51,11 @@ RUN set -eux; \
 iproute-devel \
 iproute-tc \
 libbpf-devel \
- lmdb-devel; \
+ lmdb-libs; \
 # requires epel-release package to be installed first
 dnf install -y \
- GeoIP-devel; \
+ GeoIP-devel \
+ libmodsecurity-devel; \
 fi; \
 if [ "${TARGETARCH}" = "amd64" ]; then \
 dnf --enablerepo=powertools install -y \
@@ -187,14 +185,5 @@ RUN echo $'Host *\n StrictHostKeyChecking no' >> /etc/ssh/ssh_config.d/10-str
 # Add bpftool for Felix UT/FV.
 COPY --from=bpftool /bpftool /usr/bin
-# Build ModSecurity for Dikastes.
-RUN set -eux; \
- if [ "${TARGETARCH}" = "amd64" ] || [ "${TARGETARCH}" = "arm64" ]; then \
- git clone -b ${MODSEC_VERSION} --depth 1 --recurse-submodules --shallow-submodules https://github.com/SpiderLabs/ModSecurity.git /build && \
- cd /build && ./build.sh && ./configure && \
- make -j4 && make install && \
- rm -fr /build; \
- fi
-
 COPY entrypoint.sh /usr/local/bin/entrypoint.sh
 ENTRYPOINT ["/usr/local/bin/entrypoint.sh"]
From 6350cddcaa4fc4d581a654f5d46a827e064c7571 Mon Sep 17 00:00:00 2001
From: Jiawei Huang
Date: Mon, 30 Oct 2023 15:25:47 -0700
Subject: [PATCH 13/20] Set golang sha256 checksum as args
---
 Dockerfile | 15 ++++++++++-----
 1 file changed, 10 insertions(+), 5 deletions(-)
diff --git a/Dockerfile b/Dockerfile
index d4c9a6af..3ae3fbe3 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -6,8 +6,13 @@ FROM registry.access.redhat.com/ubi8/ubi:latest
 ARG TARGETARCH
-ARG CONTAINERREGISTRY_VERSION=v0.16.1
 ARG GOLANG_VERSION=1.21.3
+ARG GOLANG_SHA256_AMD64=1241381b2843fae5a9707eec1f8fb2ef94d827990582c7c7c32f5bdfbfd420c8
+ARG GOLANG_SHA256_ARM64=fc90fa48ae97ba6368eecb914343590bbb61b388089510d0c56c2dde52987ef3
+ARG GOLANG_SHA256_PPC64LE=3b0e10a3704f164a6e85e0377728ec5fd21524fabe4c925610e34076586d5826
+ARG GOLANG_SHA256_S390X=4c78e2e6f4c684a3d5a9bdc97202729053f44eb7be188206f0627ef3e18716b6
+
+ARG CONTAINERREGISTRY_VERSION=v0.16.1
 ARG GO_LINT_VERSION=v1.54.2
 ARG K8S_VERSION=v1.27.6
 ARG MOCKERY_VERSION=2.35.3
@@ -70,19 +75,19 @@ RUN set -eux; \
 case "${TARGETARCH}" in \
 'amd64') \
 url="https://dl.google.com/go/go${GOLANG_VERSION}.linux-amd64.tar.gz"; \
- sha256='1241381b2843fae5a9707eec1f8fb2ef94d827990582c7c7c32f5bdfbfd420c8'; \
+ sha256="${GOLANG_SHA256_AMD64}"; \
 ;; \
 'arm64') \
 url="https://dl.google.com/go/go${GOLANG_VERSION}.linux-arm64.tar.gz"; \
- sha256='fc90fa48ae97ba6368eecb914343590bbb61b388089510d0c56c2dde52987ef3'; \
+ sha256="${GOLANG_SHA256_ARM64}"; \
 ;; \
 'ppc64le') \
 url="https://dl.google.com/go/go${GOLANG_VERSION}.linux-ppc64le.tar.gz"; \
- sha256='3b0e10a3704f164a6e85e0377728ec5fd21524fabe4c925610e34076586d5826'; \
+ sha256="${GOLANG_SHA256_PPC64LE}"; \
 ;; \
 's390x') \
 url="https://dl.google.com/go/go${GOLANG_VERSION}.linux-s390x.tar.gz"; \
- sha256='4c78e2e6f4c684a3d5a9bdc97202729053f44eb7be188206f0627ef3e18716b6'; \
+ sha256="${GOLANG_SHA256_S390X}"; \
 ;; \
 *) echo >&2 "error: unsupported architecture '${TARGETARCH}'"; exit 1 ;; \
 esac; \
From e32db9822254d154a749dad5906649c444246132 Mon Sep 17 00:00:00 2001
From: Jiawei Huang
Date: Mon, 30 Oct 2023 15:27:31 -0700
Subject: [PATCH 14/20] Remove mingw64-gcc packages as not needed
---
 Dockerfile | 4 ----
 1 file changed, 4 deletions(-)
diff --git a/Dockerfile b/Dockerfile
index 3ae3fbe3..f572cef5 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -61,10 +61,6 @@ RUN set -eux; \
 dnf install -y \
 GeoIP-devel \
 libmodsecurity-devel; \
- fi; \
- if [ "${TARGETARCH}" = "amd64" ]; then \
- dnf --enablerepo=powertools install -y \
- mingw64-gcc; \
 fi
 RUN dnf clean all
From 1aadd320a8cc50d73b78d8abf2dd29e27b4aa29b Mon Sep 17 00:00:00 2001
From: Jiawei Huang
Date: Tue, 7 Nov 2023 23:24:19 -0800
Subject: [PATCH 15/20] Update golang and k8s dependencies
---
 Dockerfile | 30 +++++++++++++++---------------
 1 file changed, 15 insertions(+), 15 deletions(-)
diff --git a/Dockerfile b/Dockerfile
index f572cef5..bf4a9394 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -6,16 +6,16 @@ FROM registry.access.redhat.com/ubi8/ubi:latest
 ARG TARGETARCH
-ARG GOLANG_VERSION=1.21.3
-ARG GOLANG_SHA256_AMD64=1241381b2843fae5a9707eec1f8fb2ef94d827990582c7c7c32f5bdfbfd420c8
-ARG GOLANG_SHA256_ARM64=fc90fa48ae97ba6368eecb914343590bbb61b388089510d0c56c2dde52987ef3
-ARG GOLANG_SHA256_PPC64LE=3b0e10a3704f164a6e85e0377728ec5fd21524fabe4c925610e34076586d5826
-ARG GOLANG_SHA256_S390X=4c78e2e6f4c684a3d5a9bdc97202729053f44eb7be188206f0627ef3e18716b6
+ARG GOLANG_VERSION=1.21.4
+ARG GOLANG_SHA256_AMD64=73cac0215254d0c7d1241fa40837851f3b9a8a742d0b54714cbdfb3feaf8f0af
+ARG GOLANG_SHA256_ARM64=ce1983a7289856c3a918e1fd26d41e072cc39f928adfb11ba1896440849b95da
+ARG GOLANG_SHA256_PPC64LE=2c63b36d2adcfb22013102a2ee730f058ec2f93b9f27479793c80b2e3641783f
+ARG GOLANG_SHA256_S390X=7a75ba4afc7a96058ca65903d994cd862381825d7dca12b2183f087c757c26c0
 ARG CONTAINERREGISTRY_VERSION=v0.16.1
-ARG GO_LINT_VERSION=v1.54.2
-ARG K8S_VERSION=v1.27.6
-ARG MOCKERY_VERSION=2.35.3
+ARG GO_LINT_VERSION=v1.55.2
+ARG K8S_VERSION=v1.27.7
+ARG MOCKERY_VERSION=2.36.1
 ENV PATH /usr/local/go/bin:$PATH
@@ -168,13 +168,13 @@ RUN go install github.com/onsi/ginkgo/v2/ginkgo@v2.13.0 && mv /go/bin/ginkgo /go
 go install golang.org/x/tools/cmd/goimports@v0.14.0 && \
 go install golang.org/x/tools/cmd/stringer@v0.14.0 && \
 go install gotest.tools/gotestsum@latest && \
- go install k8s.io/code-generator/cmd/client-gen@v0.27.6 && \
- go install k8s.io/code-generator/cmd/conversion-gen@v0.27.6 && \
- go install k8s.io/code-generator/cmd/deepcopy-gen@v0.27.6 && \
- go install k8s.io/code-generator/cmd/defaulter-gen@v0.27.6 && \
- go install k8s.io/code-generator/cmd/informer-gen@v0.27.6 && \
- go install k8s.io/code-generator/cmd/lister-gen@v0.27.6 && \
- go install k8s.io/code-generator/cmd/openapi-gen@v0.27.6 && \
+ go install k8s.io/code-generator/cmd/client-gen@v0.27.7 && \
+ go install k8s.io/code-generator/cmd/conversion-gen@v0.27.7 && \
+ go install k8s.io/code-generator/cmd/deepcopy-gen@v0.27.7 && \
+ go install k8s.io/code-generator/cmd/defaulter-gen@v0.27.7 && \
+ go install k8s.io/code-generator/cmd/informer-gen@v0.27.7 && \
+ go install k8s.io/code-generator/cmd/lister-gen@v0.27.7 && \
+ go install k8s.io/code-generator/cmd/openapi-gen@v0.27.7 && \
 go clean -modcache && go clean -cache
 # Ensure that everything under the GOPATH is writable by everyone
From 112384f7297985f09d8c5868ef7da154f1f11963 Mon Sep 17 00:00:00 2001
From: Jiawei Huang
Date: Mon, 13 Nov 2023 11:10:06 -0800
Subject: [PATCH 16/20] Apply suggestions from code review
Co-authored-by: Shaun Crampton
---
 Dockerfile | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/Dockerfile b/Dockerfile
index bf4a9394..511a2310 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -123,8 +123,8 @@ RUN set -eux; \
 # Install Go utilities
-# coltroller-gen is used for generating CRD files.
-# Download a version of controller-gen that has been hacked to support additional types (e.g., float).
+# controller-gen is used for generating CRD files.
+# Download a version of controller-gen that has been updated to support additional types (e.g., float).
 # We can remove this once we update the Calico v3 APIs to use only types which are supported by the upstream controller-gen
 # tooling. Example: float, all the types in the numorstring package, etc.
 RUN set -eux; \
From 25271861488a3b39b8ef594699189b4cef174cf0 Mon Sep 17 00:00:00 2001
From: Jiawei Huang
Date: Mon, 13 Nov 2023 11:24:44 -0800
Subject: [PATCH 17/20] Pin go dep to commit hash when release is unavailable
---
 Dockerfile | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/Dockerfile b/Dockerfile
index 511a2310..030d265d 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -162,12 +162,12 @@ RUN go install github.com/onsi/ginkgo/v2/ginkgo@v2.13.0 && mv /go/bin/ginkgo /go
 go install github.com/onsi/ginkgo/ginkgo@v1.16.5 && \
 go install github.com/jstemmer/go-junit-report@v1.0.0 && \
 go install github.com/mikefarah/yq/v3@3.4.1 && \
- go install github.com/pmezard/licenses@master && \
+ go install github.com/pmezard/licenses@v0.0.0-20160314180953-1117911df3df && \
 go install github.com/swaggo/swag/cmd/swag@v1.16.2 && \
- go install github.com/wadey/gocovmerge@master && \
+ go install github.com/wadey/gocovmer@v0.0.0-20160331181800-b5bfa59ec0ad && \
 go install golang.org/x/tools/cmd/goimports@v0.14.0 && \
 go install golang.org/x/tools/cmd/stringer@v0.14.0 && \
- go install gotest.tools/gotestsum@latest && \
+ go install gotest.tools/gotestsum@v1.11.0 && \
 go install k8s.io/code-generator/cmd/client-gen@v0.27.7 && \
 go install k8s.io/code-generator/cmd/conversion-gen@v0.27.7 && \
 go install k8s.io/code-generator/cmd/deepcopy-gen@v0.27.7 && \
From e5eef709491f5d03d5588fdcac37ba80b9f446ad Mon Sep 17 00:00:00 2001
From: Jiawei Huang
Date: Mon, 13 Nov 2023 11:27:54 -0800
Subject: [PATCH 18/20] Parameterize Calico controller-gen version
---
 Dockerfile | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/Dockerfile b/Dockerfile
index 030d265d..f7e73229 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -17,6 +17,8 @@ ARG GO_LINT_VERSION=v1.55.2
 ARG K8S_VERSION=v1.27.7
 ARG MOCKERY_VERSION=2.36.1
+ARG CALICO_CONTROLLER_TOOLS_VERSION=calico-0.1
+
 ENV PATH /usr/local/go/bin:$PATH
 # Enable non-native runs on amd64 architecture hosts
@@ -129,7 +131,7 @@ RUN set -eux; \
 # tooling. Example: float, all the types in the numorstring package, etc.
 RUN set -eux; \
 if [ "${TARGETARCH}" = "amd64" ]; then \
- wget -O /usr/local/bin/controller-gen https://github.com/projectcalico/controller-tools/releases/download/calico-0.1/controller-gen && chmod +x /usr/local/bin/controller-gen; \
+ wget -O /usr/local/bin/controller-gen https://github.com/projectcalico/controller-tools/releases/download/${CALICO_CONTROLLER_TOOLS_VERSION}/controller-gen && chmod +x /usr/local/bin/controller-gen; \
 fi
 # crane is needed for our release targets to copy images from the dev registries to the release registries.
From 63a6f9a80531914f61e40de43e336d3a45bc47e6 Mon Sep 17 00:00:00 2001
From: Jiawei Huang
Date: Tue, 14 Nov 2023 12:17:29 -0800
Subject: [PATCH 19/20] SSH allow only validated remote servers
---
 Dockerfile | 4 ++--
 ssh_known_hosts | 3 +++
 2 files changed, 5 insertions(+), 2 deletions(-)
 create mode 100644 ssh_known_hosts
diff --git a/Dockerfile b/Dockerfile
index f7e73229..b6e14b13 100644
--- a/Dockerfile
+++ b/Dockerfile
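Review bot: The -129 hunk parameterizes the controller-gen release tag, but the binary fetched with `wget -O /usr/local/bin/controller-gen` is still installed and marked executable with no integrity check, unlike the Go tarball in this Dockerfile, whose sha256 is carried in per-arch ARGs. Add a companion `ARG CALICO_CONTROLLER_TOOLS_SHA256=<sha256 of the controller-gen binary for that tag>` next to the new version ARG and verify before `chmod +x`: `echo "${CALICO_CONTROLLER_TOOLS_SHA256}  /usr/local/bin/controller-gen" | sha256sum -c -`. That keeps a tag that is re-pointed upstream from silently changing what the image ships.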
@@ -182,8 +182,8 @@ RUN go install github.com/onsi/ginkgo/v2/ginkgo@v2.13.0 && mv /go/bin/ginkgo /go
 # Ensure that everything under the GOPATH is writable by everyone
 RUN chmod -R 777 $GOPATH
-# Disable ssh host key checking
-RUN echo $'Host *\n StrictHostKeyChecking no' >> /etc/ssh/ssh_config.d/10-stricthostkey.conf
+# Allow validated remote servers
+COPY ssh_known_hosts /etc/ssh/ssh_known_hosts
 # Add bpftool for Felix UT/FV.
 COPY --from=bpftool /bpftool /usr/bin
diff --git a/ssh_known_hosts b/ssh_known_hosts
new file mode 100644
index 00000000..9666bc8e
--- /dev/null
+++ b/ssh_known_hosts
@@ -0,0 +1,3 @@
+github.com ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEmKSENjQEezOmxkZMy7opKgwFB9nkt5YRrYMjNuG5N87uRgg6CLrbo5wAdT/y6v0mKV0U2w0WZ2YB/++Tpockg=
+github.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOMqqnkVzrm0SdG6UOoqKLsabgH5C9okWi0dh2l9GKJl
+github.com ssh-rsa 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
From d931d0efc5354b8d890f7c402d986779836d6246 Mon Sep 17 00:00:00 2001
From: Jiawei Huang
Date: Fri, 17 Nov 2023 13:16:48 -0800
Subject: [PATCH 20/20] Bump k8s release to v1.27.8
---
 Dockerfile | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)
diff --git a/Dockerfile b/Dockerfile
index b6e14b13..4207aa8d 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -14,7 +14,7 @@ ARG GOLANG_SHA256_S390X=7a75ba4afc7a96058ca65903d994cd862381825d7dca12b2183f087c
 ARG CONTAINERREGISTRY_VERSION=v0.16.1
 ARG GO_LINT_VERSION=v1.55.2
-ARG K8S_VERSION=v1.27.7
+ARG K8S_VERSION=v1.27.8
 ARG MOCKERY_VERSION=2.36.1
 ARG CALICO_CONTROLLER_TOOLS_VERSION=calico-0.1
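Review bot: The -182 hunk removes the `StrictHostKeyChecking no` drop-in and relies on ssh's default (`ask`) to reject hosts that are not in the copied `ssh_known_hosts`; with no tty that fails closed, but the policy is clearer and no longer default-dependent if the drop-in is kept with the opposite value, e.g. `RUN echo $'Host *\n StrictHostKeyChecking yes' > /etc/ssh/ssh_config.d/10-stricthostkey.conf` right after the `COPY`. The pinned keys must also be refreshed whenever GitHub rotates a host key, which deserves a comment above the `COPY` line, e.g. `# Pinned GitHub host keys: ssh fails closed for any host/key not listed here; refresh on rotation.`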
@@ -170,13 +170,13 @@ RUN go install github.com/onsi/ginkgo/v2/ginkgo@v2.13.0 && mv /go/bin/ginkgo /go
 go install golang.org/x/tools/cmd/goimports@v0.14.0 && \
 go install golang.org/x/tools/cmd/stringer@v0.14.0 && \
 go install gotest.tools/gotestsum@v1.11.0 && \
- go install k8s.io/code-generator/cmd/client-gen@v0.27.7 && \
- go install k8s.io/code-generator/cmd/conversion-gen@v0.27.7 && \
- go install k8s.io/code-generator/cmd/deepcopy-gen@v0.27.7 && \
- go install k8s.io/code-generator/cmd/defaulter-gen@v0.27.7 && \
- go install k8s.io/code-generator/cmd/informer-gen@v0.27.7 && \
- go install k8s.io/code-generator/cmd/lister-gen@v0.27.7 && \
- go install k8s.io/code-generator/cmd/openapi-gen@v0.27.7 && \
+ go install k8s.io/code-generator/cmd/client-gen@v0.27.8 && \
+ go install k8s.io/code-generator/cmd/conversion-gen@v0.27.8 && \
+ go install k8s.io/code-generator/cmd/deepcopy-gen@v0.27.8 && \
+ go install k8s.io/code-generator/cmd/defaulter-gen@v0.27.8 && \
+ go install k8s.io/code-generator/cmd/informer-gen@v0.27.8 && \
+ go install k8s.io/code-generator/cmd/lister-gen@v0.27.8 && \
+ go install k8s.io/code-generator/cmd/openapi-gen@v0.27.8 && \
 go clean -modcache && go clean -cache
 # Ensure that everything under the GOPATH is writable by everyone