From bafd61f331b24e38d11d7ad861840fe82e63d2ca Mon Sep 17 00:00:00 2001 From: Antonin Bas Date: Tue, 2 Apr 2024 14:27:53 -0700 Subject: [PATCH] Remove unified image From now on, we will only publish the new "split" images (e.g., antrea/antrea-agent-ubuntu and antrea/antrea-controller-ubuntu). For #4832 Signed-off-by: Antonin Bas --- .github/workflows/build.yml | 3 -- .github/workflows/build_tag.yml | 3 -- .github/workflows/conformance.yml | 2 + .github/workflows/trivy_scan.yml | 42 ++++++++++++++----- .../workflows/trivy_scan_before_release.yml | 8 +--- Makefile | 32 +++++++------- build/images/Dockerfile.ubuntu | 24 ----------- ci/jenkins/test-vmc.sh | 26 +++++++++--- docs/antctl.md | 9 ++-- docs/getting-started.md | 5 ++- docs/maintainers/antrea-docker-image.md | 21 ++++++---- hack/build-antrea-linux-all.sh | 3 -- 12 files changed, 91 insertions(+), 87 deletions(-) delete mode 100644 build/images/Dockerfile.ubuntu diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 44edb90ab71..4a9aa86d0fd 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -50,10 +50,8 @@ jobs: run: | echo "$DOCKER_PASSWORD" | docker login -u "$DOCKER_USERNAME" --password-stdin ./hack/build-antrea-linux-all.sh --pull --push-base-images - docker tag antrea/antrea-ubuntu:latest antrea/antrea-ubuntu-amd64:latest docker tag antrea/antrea-controller-ubuntu:latest antrea/antrea-controller-ubuntu-amd64:latest docker tag antrea/antrea-agent-ubuntu:latest antrea/antrea-agent-ubuntu-amd64:latest - docker push antrea/antrea-ubuntu-amd64:latest docker push antrea/antrea-controller-ubuntu-amd64:latest docker push antrea/antrea-agent-ubuntu-amd64:latest - name: Trigger Antrea arm builds and multi-arch manifest update 
@@ -96,7 +94,6 @@ jobs: run: | echo "$DOCKER_PASSWORD" | docker login -u "$DOCKER_USERNAME" --password-stdin ./hack/build-antrea-linux-all.sh --pull --push-base-images --distro ubi - docker push antrea/antrea-ubi:latest docker push antrea/antrea-agent-ubi:latest docker push antrea/antrea-controller-ubi:latest diff --git a/.github/workflows/build_tag.yml b/.github/workflows/build_tag.yml index bc31d7bf311..4beca35eac7 100644 --- a/.github/workflows/build_tag.yml +++ b/.github/workflows/build_tag.yml @@ -34,10 +34,8 @@ jobs: run: | ./hack/build-antrea-linux-all.sh --pull echo "$DOCKER_PASSWORD" | docker login -u "$DOCKER_USERNAME" --password-stdin - docker tag antrea/antrea-ubuntu:"${VERSION}" antrea/antrea-ubuntu-amd64:"${VERSION}" docker tag antrea/antrea-agent-ubuntu:"${VERSION}" antrea/antrea-agent-ubuntu-amd64:"${VERSION}" docker tag antrea/antrea-controller-ubuntu:"${VERSION}" antrea/antrea-controller-ubuntu-amd64:"${VERSION}" - docker push antrea/antrea-ubuntu-amd64:"${VERSION}" docker push antrea/antrea-agent-ubuntu-amd64:"${VERSION}" docker push antrea/antrea-controller-ubuntu-amd64:"${VERSION}" - name: Trigger Antrea arm builds and multi-arch manifest update @@ -64,7 +62,6 @@ jobs: run: | ./hack/build-antrea-linux-all.sh --pull --distro ubi echo "$DOCKER_PASSWORD" | docker login -u "$DOCKER_USERNAME" --password-stdin - docker push antrea/antrea-ubi:"${VERSION}" docker push antrea/antrea-agent-ubi:"${VERSION}" docker push antrea/antrea-controller-ubi:"${VERSION}" diff --git a/.github/workflows/conformance.yml b/.github/workflows/conformance.yml index 00d507a9ca3..ca675c8eb62 100644 --- a/.github/workflows/conformance.yml +++ b/.github/workflows/conformance.yml 
@@ -74,6 +74,8 @@ jobs: sudo mv kind /usr/local/bin - name: Create K8s cluster run: | + # If an image does not exist (unified vs split), a warning will be printed, but the script + # execution will not fail. images=() images+=(antrea/antrea-controller-${{ inputs.antrea-image-distro }}:${{ steps.check-release.outputs.image-tag }}) images+=(antrea/antrea-agent-${{ inputs.antrea-image-distro }}:${{ steps.check-release.outputs.image-tag }}) diff --git a/.github/workflows/trivy_scan.yml b/.github/workflows/trivy_scan.yml index 7d3e1bce4f9..0710e6aa0e9 100644 --- a/.github/workflows/trivy_scan.yml +++ b/.github/workflows/trivy_scan.yml @@ -18,7 +18,6 @@ jobs: if: github.repository == 'antrea-io/antrea' runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 - name: Find greatest Antrea version id: find-antrea-greatest-version env: 
@@ -32,33 +31,56 @@ jobs: - name: Pull Antrea Docker images id: pull run: | - docker pull antrea/antrea-ubuntu:latest - docker pull antrea/antrea-ubuntu:${{ steps.find-antrea-greatest-version.outputs.antrea_version }} - - name: Run Trivy vulnerability scanner on latest Antrea Docker image + docker pull antrea/antrea-agent-ubuntu:latest + docker pull antrea/antrea-agent-ubuntu:${{ steps.find-antrea-greatest-version.outputs.antrea_version }} + docker pull antrea/antrea-controller-ubuntu:latest + docker pull antrea/antrea-controller-ubuntu:${{ steps.find-antrea-greatest-version.outputs.antrea_version }} + - name: Run Trivy vulnerability scanner on latest antrea-agent Docker image if: ${{ always() && steps.pull.conclusion == 'success' }} uses: aquasecurity/trivy-action@0.19.0 # we cannot use .trivy.yml as we need to override some config parameters # and that is not supported by aquasecurity/trivy-action with: scan-type: 'image' - image-ref: 'antrea/antrea-ubuntu:latest' + image-ref: 'antrea/antrea-agent-ubuntu:latest' exit-code: '1' ignore-unfixed: true severity: 'CRITICAL,HIGH' - # whereabouts project doesn't upgrade dependencies frequently - skip-files: '/opt/cni/bin/whereabouts' format: 'table' output: 'trivy.latest.txt' - - name: Run Trivy vulnerability scanner on Antrea Docker image for latest released version + - name: Run Trivy vulnerability scanner on latest antrea-controller Docker image + if: ${{ always() && steps.pull.conclusion == 'success' }} + uses: aquasecurity/trivy-action@0.19.0 + # we cannot use .trivy.yml as we need to override some config parameters + # and that is not supported by aquasecurity/trivy-action + with: + scan-type: 'image' + image-ref: 'antrea/antrea-controller-ubuntu:latest' + exit-code: '1' + ignore-unfixed: true + severity: 'CRITICAL,HIGH' + format: 'table' + output: 'trivy.latest.txt' + - name: Run Trivy vulnerability scanner on antrea-agent Docker image for latest released version + if: ${{ always() && steps.pull.conclusion == 
'success' }} + uses: aquasecurity/trivy-action@0.19.0 + with: + scan-type: 'image' + image-ref: 'antrea/antrea-agent-ubuntu:${{ steps.find-antrea-greatest-version.outputs.antrea_version }}' + exit-code: '1' + ignore-unfixed: true + severity: 'CRITICAL,HIGH' + format: 'table' + output: 'trivy.${{ steps.find-antrea-greatest-version.outputs.antrea_version }}.txt' + - name: Run Trivy vulnerability scanner on antrea-controller Docker image for latest released version if: ${{ always() && steps.pull.conclusion == 'success' }} uses: aquasecurity/trivy-action@0.19.0 with: scan-type: 'image' - image-ref: 'antrea/antrea-ubuntu:${{ steps.find-antrea-greatest-version.outputs.antrea_version }}' + image-ref: 'antrea/antrea-controller-ubuntu:${{ steps.find-antrea-greatest-version.outputs.antrea_version }}' exit-code: '1' ignore-unfixed: true severity: 'CRITICAL,HIGH' - skip-files: '/opt/cni/bin/whereabouts' format: 'table' output: 'trivy.${{ steps.find-antrea-greatest-version.outputs.antrea_version }}.txt' - name: Upload Trivy scan reports diff --git a/.github/workflows/trivy_scan_before_release.yml b/.github/workflows/trivy_scan_before_release.yml index 3b0cdae3ef5..b68f179b74b 100644 --- a/.github/workflows/trivy_scan_before_release.yml +++ b/.github/workflows/trivy_scan_before_release.yml @@ -1,4 +1,4 @@ -name: Scan Antrea Docker image for vulnerabilities before release +name: Scan Antrea Docker images for vulnerabilities before release on: pull_request: @@ -14,12 +14,6 @@ jobs: - name: Build Antrea Docker image run: | ./hack/build-antrea-linux-all.sh --pull - - name: Run Trivy vulnerability scanner on Antrea unified Docker image - uses: aquasecurity/trivy-action@0.19.0 - with: - scan-type: 'image' - image-ref: 'antrea/antrea-ubuntu:latest' - trivy-config: '.trivy.yml' - name: Run Trivy vulnerability scanner on the antrea-agent Docker image uses: aquasecurity/trivy-action@0.19.0 with: diff --git a/Makefile b/Makefile index 9dc908dd652..e6c3946c1cf 100644 --- a/Makefile 
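Review bot: The two scans of the `:latest` images both write `output: 'trivy.latest.txt'`, and the two scans of the released version both write `output: 'trivy.${{ steps.find-antrea-greatest-version.outputs.antrea_version }}.txt'`; since every scan step runs under `if: ${{ always() && steps.pull.conclusion == 'success' }}`, the controller scan overwrites the agent report before the "Upload Trivy scan reports" step (outside this hunk) collects it, so an agent finding that fails the job leaves no report in the artifact. Give each image its own file, e.g. `output: 'trivy.agent.latest.txt'` and `output: 'trivy.controller.latest.txt'`, and likewise `trivy.agent.<version>.txt` / `trivy.controller.<version>.txt` for the two released-version steps. The upload step's path list will need the new names as well.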
+++ b/Makefile @@ -335,11 +335,17 @@ mockgen: ### Docker images ### +# This target is for development only. It assumes that "make bin" has been run previously and will +# copy the local binaries to the Docker image, instead of building the binaries inside the image as +# part of the Docker build. + .PHONY: ubuntu ubuntu: - @echo "===> Building antrea/antrea-ubuntu Docker image <===" - docker build -t antrea/antrea-ubuntu:$(DOCKER_IMG_VERSION) -f build/images/Dockerfile.ubuntu $(DOCKER_BUILD_ARGS) . - docker tag antrea/antrea-ubuntu:$(DOCKER_IMG_VERSION) antrea/antrea-ubuntu + @echo "===> Building antrea/antrea-agent-ubuntu and antrea/antrea-controller-ubuntu development Docker images <===" + docker build -t antrea/antrea-agent-ubuntu:$(DOCKER_IMG_VERSION) -f build/images/Dockerfile.agent.ubuntu $(DOCKER_BUILD_ARGS) . + docker tag antrea/antrea-agent-ubuntu:$(DOCKER_IMG_VERSION) antrea/antrea-agent-ubuntu + docker build -t antrea/antrea-controller-ubuntu:$(DOCKER_IMG_VERSION) -f build/images/Dockerfile.controller.ubuntu $(DOCKER_BUILD_ARGS) . + docker tag antrea/antrea-controller-ubuntu:$(DOCKER_IMG_VERSION) antrea/antrea-controller-ubuntu .PHONY: build-controller-ubuntu build-controller-ubuntu: 
@@ -353,19 +359,14 @@ build-agent-ubuntu: docker build -t antrea/antrea-agent-ubuntu:$(DOCKER_IMG_VERSION) -f build/images/Dockerfile.build.agent.ubuntu $(DOCKER_BUILD_ARGS) . docker tag antrea/antrea-agent-ubuntu:$(DOCKER_IMG_VERSION) antrea/antrea-agent-ubuntu -# Build bins in a golang container, and build the antrea-ubuntu Docker image. +# These 2 targets are here for "backwards-compatibility". They will build the agent and controller +# images for the requested distribution. + .PHONY: build-ubuntu -build-ubuntu: - @echo "===> Building Antrea bins and antrea/antrea-ubuntu Docker image <===" - docker build -t antrea/antrea-ubuntu:$(DOCKER_IMG_VERSION) -f build/images/Dockerfile.build.ubuntu $(DOCKER_BUILD_ARGS) . - docker tag antrea/antrea-ubuntu:$(DOCKER_IMG_VERSION) antrea/antrea-ubuntu +build-ubuntu: build-agent-ubuntu build-controller-ubuntu -# Build bins in a golang container, and build the antrea-ubi Docker image. .PHONY: build-ubi -build-ubi: - @echo "===> Building Antrea bins and antrea/antrea-ubi Docker image <===" - docker build -t antrea/antrea-ubi:$(DOCKER_IMG_VERSION) -f build/images/Dockerfile.build.ubi $(DOCKER_BUILD_ARGS) . - docker tag antrea/antrea-ubi:$(DOCKER_IMG_VERSION) antrea/antrea-ubi +build-ubi: build-agent-ubi build-controller-ubi .PHONY: build-agent-ubi build-agent-ubi: @@ -386,10 +387,7 @@ build-windows: docker tag antrea/antrea-windows:$(DOCKER_IMG_VERSION) antrea/antrea-windows .PHONY: build-ubuntu-coverage -build-ubuntu-coverage: - @echo "===> Building Antrea bins and antrea/antrea-ubuntu-coverage Docker image <===" - docker build -t antrea/antrea-ubuntu-coverage:$(DOCKER_IMG_VERSION) -f build/images/Dockerfile.build.coverage $(DOCKER_BUILD_ARGS) . - docker tag antrea/antrea-ubuntu-coverage:$(DOCKER_IMG_VERSION) antrea/antrea-ubuntu-coverage +build-ubuntu-coverage: build-controller-ubuntu-coverage build-agent-ubuntu-coverage .PHONY: build-controller-ubuntu-coverage build-controller-ubuntu-coverage: 
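Review bot: `build-ubuntu` lists its prerequisites as `build-agent-ubuntu build-controller-ubuntu`, while `build-ubuntu-coverage` in the @@ -386 hunk lists `build-controller-ubuntu-coverage build-agent-ubuntu-coverage`; the order is cosmetic (and not guaranteed under `make -j` anyway), but using agent-then-controller in both alias targets reads more consistently. The new "backwards-compatibility" comment sits above `build-ubuntu` and `build-ubi` only; since `build-ubuntu-coverage` is now the same kind of alias, a matching one-line comment there, e.g. `# Alias kept for backwards-compatibility; builds both coverage images.`, would tell readers who land on that target why it has no recipe.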
diff --git a/build/images/Dockerfile.ubuntu b/build/images/Dockerfile.ubuntu
deleted file mode 100644
index 05db9e4ab77..00000000000
--- a/build/images/Dockerfile.ubuntu
+++ /dev/null
@@ -1,24 +0,0 @@
-# Copyright 2022 Antrea Authors
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-ARG BUILD_TAG
-FROM antrea/base-ubuntu:${BUILD_TAG}
-
-LABEL maintainer="Antrea "
-LABEL description="The Docker image to deploy the Antrea CNI."
-
-USER root
-
-COPY build/images/scripts/* /usr/local/bin/
-COPY bin/* /usr/local/bin/
diff --git a/ci/jenkins/test-vmc.sh b/ci/jenkins/test-vmc.sh
index e736360faee..ed79a96ad89 100755
--- a/ci/jenkins/test-vmc.sh
+++ b/ci/jenkins/test-vmc.sh
@@ -457,22 +457,36 @@ function deliver_antrea { fi echo "====== Pulling old Antrea images ======" - if [[ ${DOCKER_REGISTRY} != "" ]]; then - docker pull ${DOCKER_REGISTRY}/antrea/antrea-ubuntu:$OLD_ANTREA_VERSION + # Old Antrea versions can either use a unified image (pre v1.15) or split images. + local old_agent_image="" + if version_lt "$OLD_ANTREA_VERSION" v1.15; then + if [[ ${DOCKER_REGISTRY} != "" ]]; then + docker pull ${DOCKER_REGISTRY}/antrea/antrea-ubuntu:$OLD_ANTREA_VERSION + docker tag ${DOCKER_REGISTRY}/antrea/antrea-ubuntu:$OLD_ANTREA_VERSION antrea/antrea-ubuntu:$OLD_ANTREA_VERSION + else + docker pull antrea/antrea-ubuntu:$OLD_ANTREA_VERSION + fi + old_agent_image="antrea/antrea-ubuntu:$OLD_ANTREA_VERSION" + agent_image="docker.io/antrea/antrea-ubuntu" else - docker pull antrea/antrea-ubuntu:$OLD_ANTREA_VERSION + if [[ ${DOCKER_REGISTRY} != "" ]]; then + docker pull ${DOCKER_REGISTRY}/antrea/antrea-agent-ubuntu:$OLD_ANTREA_VERSION + docker tag ${DOCKER_REGISTRY}/antrea/antrea-agent-ubuntu:$OLD_ANTREA_VERSION antrea/antrea-ubuntu:$OLD_ANTREA_VERSION + else + docker pull antrea/antrea-agent-ubuntu:$OLD_ANTREA_VERSION + fi + old_agent_image="antrea/antrea-agent-ubuntu:$OLD_ANTREA_VERSION" fi echo "====== Delivering old Antrea images to all the Nodes ======" - docker save -o antrea-ubuntu-old.tar antrea/antrea-ubuntu:$OLD_ANTREA_VERSION + docker save -o antrea-ubuntu-old.tar $old_agent_image node_num=$(kubectl get nodes --no-headers=true | wc -l) - antrea_image="antrea-ubuntu" for i in "${!IPs[@]}" do # We want old-versioned Antrea agents to be more than half in cluster if [[ $i -ge $((${node_num}/2)) ]]; then # Tag old image to latest if we want Antrea agent to be old-versioned - copy_image antrea-ubuntu-old.tar docker.io/antrea/antrea-ubuntu ${IPs[$i]} $OLD_ANTREA_VERSION false + copy_image antrea-ubuntu-old.tar docker.io/antrea/antrea-agent-ubuntu ${IPs[$i]} $OLD_ANTREA_VERSION false fi done } 
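Review bot: In the split-image branch (the `else` of the `version_lt` check), when `DOCKER_REGISTRY` is set the pulled image is re-tagged as `antrea/antrea-ubuntu:$OLD_ANTREA_VERSION`, but `old_agent_image` is then set to `antrea/antrea-agent-ubuntu:$OLD_ANTREA_VERSION`, a tag that only exists in the no-registry path, so the later `docker save -o antrea-ubuntu-old.tar $old_agent_image` would fail whenever a registry is configured. The tag target should match the variable: `docker tag ${DOCKER_REGISTRY}/antrea/antrea-agent-ubuntu:$OLD_ANTREA_VERSION antrea/antrea-agent-ubuntu:$OLD_ANTREA_VERSION`. Separately, the unified branch sets `agent_image="docker.io/antrea/antrea-ubuntu"` (not declared `local`, so presumably read after this hunk), yet the `copy_image` call below hard-codes `docker.io/antrea/antrea-agent-ubuntu` for both cases, which looks like it delivers a pre-v1.15 tar under the wrong image name; worth confirming against `copy_image`. `version_lt` and `copy_image` are defined outside this hunk.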
diff --git a/docs/antctl.md b/docs/antctl.md index 5b42efc28b7..fe1ac232fd4 100644 --- a/docs/antctl.md +++ b/docs/antctl.md @@ -42,10 +42,11 @@ running in three different modes: ## Installation -The antctl binary is included in the Antrea Docker image -(`antrea/antrea-ubuntu`) which means that there is no need to install anything -to connect to the Antrea Agent. Simply exec into the antrea-agent container for -the appropriate antrea-agent Pod and run `antctl`: +The antctl binary is included in the Antrea Docker images +(`antrea/antrea-agent-ubuntu`, `antrea/antrea-controller-ubuntu`) which means +that there is no need to install anything to connect to the Antrea Agent. Simply +exec into the antrea-agent container for the appropriate antrea-agent Pod and +run `antctl`: ```bash kubectl exec -it ANTREA-AGENT_POD_NAME -n kube-system -c antrea-agent -- bash diff --git a/docs/getting-started.md b/docs/getting-started.md index 154cb8b9c0e..30fa7d6313d 100644 --- a/docs/getting-started.md +++ b/docs/getting-started.md @@ -103,8 +103,9 @@ If you want to add Windows Nodes to your cluster, please refer to these Starting with v1.0, Antrea supports arm64 and arm/v7 Nodes. The installation instructions do not change when some (or all) Linux Nodes in a cluster use an ARM architecture: the same deployment YAML can be used, as the -`antrea/antrea-ubuntu` Docker image is actually a manifest list with support for -the amd64, arm64 and arm/v7 architectures. +`antrea/antrea-agent-ubuntu` and `antrea/antrea-controller-ubuntu` Docker images +are actually manifest lists with support for the amd64, arm64 and arm/v7 +architectures. Note that while we do run a subset of the Kubernetes conformance tests on both the arm/v7 and arm64 Docker images (using [k3s](https://k3s.io/) as the diff --git a/docs/maintainers/antrea-docker-image.md b/docs/maintainers/antrea-docker-image.md index 0d7747ccb6f..d6ceac6574c 100644 --- a/docs/maintainers/antrea-docker-image.md 
+++ b/docs/maintainers/antrea-docker-image.md @@ -1,18 +1,20 @@ # Antrea Docker image -The main Antrea Docker image, `antrea/antrea-ubuntu`, is a multi-arch image. The -`antrea/antrea-ubuntu` manifest is a list of three manifests: -`antrea/antrea-ubuntu-amd64`, `antrea/antrea-ubuntu-arm64` and -`antrea/antrea-ubuntu-arm`. Of these three manifests, only the first one is -built and uploaded to Dockerhub by Github workflows defined in the +The main Antrea Docker images (`antrea/antrea-agent-ubuntu` and +`antrea/antrea-controller-ubuntu`) are multi-arch images. For example, the +`antrea/antrea-agent-ubuntu` manifest is a list of three manifests: +`antrea/antrea-agent-ubuntu-amd64`, `antrea/antrea-agent-ubuntu-arm64` and +`antrea/antrea-agent-ubuntu-arm`. Of these three manifests, only the first one +is built and uploaded to Dockerhub by Github workflows defined in the `antrea-io/antrea` repositories. The other two are built and uploaded by Github workflows defined in a private repository (`vmware-tanzu/antrea-build-infra`), to which only the project maintainers have access. These workflows are triggered every time the `main` branch of `antrea-io/antrea` is updated, as well as every time a new Antrea Github release is created. They build the -`antrea/antrea-ubuntu-arm64` and `antrea/antrea-ubuntu-arm` Docker images on -native arm64 workers, then create the `antrea/antrea-ubuntu` multi-arch manifest -and push it to Dockerhub. They are also in charge of testing the images in a +`antrea/antrea-agent-ubuntu-arm64` and `antrea/antrea-agent-ubuntu-arm` Docker +images on native arm64 workers, then create the `antrea/antrea-agent-ubuntu` +multi-arch manifest and push it to Dockerhub. The same goes for the controller +images. They are also in charge of testing the images in a [K3s](https://github.com/k3s-io/k3s) cluster. ## Why do we use a private repository? 
@@ -37,3 +39,6 @@ for a public repository. We believe Github will address the issue eventually and provide safeguards to enable using self-hosted runners with public repositories, at which point we will migrate workflows from this repository to the main Antrea repository. + +In the future, we may switch over to ARM hosted Github runners provided by the +CNCF. diff --git a/hack/build-antrea-linux-all.sh b/hack/build-antrea-linux-all.sh index 24894912adb..cfc5cfa4fd6 100755 --- a/hack/build-antrea-linux-all.sh +++ b/hack/build-antrea-linux-all.sh @@ -161,16 +161,13 @@ if [ "$DISTRO" == "ubuntu" ]; then if $COVERAGE; then make build-controller-ubuntu-coverage make build-agent-ubuntu-coverage - make build-ubuntu-coverage else make build-controller-ubuntu make build-agent-ubuntu - make build-ubuntu fi elif [ "$DISTRO" == "ubi" ]; then make build-controller-ubi make build-agent-ubi - make build-ubi fi popd > /dev/null