build: New runtime image with multi-platform support

Signed-off-by: Ilya Dmitrichenko <errordeveloper@gmail.com>

contrib/packaging/docker/Dockerfile.runtime

@@ -30,6 +30,7 @@ RUN update-alternatives \
 #
 FROM docker.io/library/golang:1.14.4 as gops
 WORKDIR /tmp
+# when updating this version, also update images/runtime/build-gops.sh
 RUN go get -d github.com/google/gops && \
     cd /go/src/github.com/google/gops && \
     git checkout -b v0.3.10 v0.3.10 && \
@@ -44,6 +45,8 @@ RUN go get -d github.com/google/gops && \
 FROM runtime-base as tools
 ARG ARCH=amd64
 WORKDIR /tmp
+# when updating this version, also run `images/scripts/update-cni-version.sh <v>`
+# to update images/runtime/cni-version.sh
 RUN apt-get update && \
     apt-get install -y --no-install-recommends \
       curl ca-certificates xz-utils binutils && \

images/runtime/Dockerfile

@@ -0,0 +1,58 @@
+# syntax=docker/dockerfile:1.1-experimental
+
+# Copyright 2020 Authors of Cilium
+# SPDX-License-Identifier: Apache-2.0
+
+ARG COMPILERS_IMAGE=docker.io/cilium/image-compilers:57f235db9a07e81c5b60c536498ecbf2501dd267@sha256:080245ac0d7d061e05613e6bf887dc3c8bb07392cd2ce265b8a4aaaad17f2125
+ARG TESTER_IMAGE=docker.io/cilium/image-tester:70724309b859786e0a347605e407c5261f316eb0@sha256:89cc1f577d995021387871d3dbeb771b75ab4d70073d9bcbc42e532792719781
+ARG GOLANG_IMAGE=docker.io/library/golang:1.14.4@sha256:d39a459086c75920390c9b9d42bbc7c52fef1fe7666e7633a02508c607c889d4
+ARG UBUNTU_IMAGE=docker.io/library/ubuntu:20.04@sha256:8bce67040cd0ae39e0beb55bcb976a824d9966d2ac8d2e4bf6119b45505cee64
+
+ARG CILIUM_LLVM_IMAGE=docker.io/cilium/cilium-llvm:3355296c86c669ca92077e37bd5901d41c8142b9
+ARG CILIUM_BPFTOOL_IMAGE=docker.io/cilium/cilium-bpftool:fbb2e86339609f6755f53fcefd2257e4beea4423
+ARG CILIUM_IPROUTE2_IMAGE=docker.io/cilium/cilium-iproute2:44d4c6ebc57b78af0f1080ef52da2bae2605a439
+
+FROM ${CILIUM_LLVM_IMAGE} as llvm-dist
+FROM ${CILIUM_BPFTOOL_IMAGE} as bpftool-dist
+FROM ${CILIUM_IPROUTE2_IMAGE} as iproute2-dist
+
+FROM --platform=linux/amd64 ${COMPILERS_IMAGE} as builder
+
+COPY cni-version.sh /tmp/cni-version.sh
+COPY download-cni.sh /tmp/download-cni.sh
+RUN /tmp/download-cni.sh
+
+FROM --platform=linux/amd64 ${GOLANG_IMAGE} as go-builder
+
+COPY build-gops.sh /tmp/build-gops.sh
+RUN --mount=target=/root/.cache,type=cache --mount=target=/go/pkg/mod,type=cache /tmp/build-gops.sh
+
+FROM ${UBUNTU_IMAGE} as rootfs
+
+COPY install-runtime-deps.sh /tmp/install-runtime-deps.sh 
+RUN /tmp/install-runtime-deps.sh
+
+COPY iptables-wrapper /usr/sbin/iptables-wrapper
+COPY configure-iptables-wrapper.sh /tmp/configure-iptables-wrapper.sh
+RUN /tmp/configure-iptables-wrapper.sh
+
+COPY --from=llvm-dist /usr/local /usr/local
+COPY --from=bpftool-dist /usr/local /usr/local
+COPY --from=iproute2-dist /usr/local /usr/local
+
+ARG TARGETPLATFORM
+COPY --from=builder /out/${TARGETPLATFORM}/bin /bin
+COPY --from=go-builder /out/${TARGETPLATFORM}/bin /bin
+
+FROM ${TESTER_IMAGE} as test
+COPY --from=rootfs / /
+COPY --from=llvm-dist /test /test
+COPY --from=bpftool-dist /test /test
+COPY --from=iproute2-dist /test /test
+RUN /test/bin/cst -C /test/llvm
+RUN /test/bin/cst -C /test/bpftool
+RUN /test/bin/cst -C /test/iproute2
+
+FROM scratch
+LABEL maintainer="maintainer@cilium.io"
+COPY --from=rootfs / /

images/runtime/Dockerfile.dockerignore

@@ -0,0 +1,4 @@
+# Copyright 2020 Authors of Cilium
+# SPDX-License-Identifier: Apache-2.0
+
+Dockerfile

images/runtime/build-gops.sh

@@ -0,0 +1,26 @@
+#!/bin/bash
+
+# Copyright 2017-2020 Authors of Cilium
+# SPDX-License-Identifier: Apache-2.0
+
+set -o xtrace
+set -o errexit
+set -o pipefail
+set -o nounset
+
+mkdir /src
+
+cd /src
+
+unset GOPATH
+
+# when updating this version, also update contrib/packaging/docker/Dockerfile.runtime
+gops_version="0.3.10"
+
+go mod init github.com/cilium/cilium/images/runtime
+go get "github.com/google/gops@v${gops_version}"
+
+for arch in amd64 arm64 ; do
+  mkdir -p "/out/linux/${arch}/bin"
+  GOARCH="${arch}" go build -ldflags "-s -w" -o "/out/linux/${arch}/bin/gops" github.com/google/gops
+done

images/runtime/cni-version.sh

@@ -0,0 +1,4 @@
+cni_version="0.8.6"
+declare -A cni_sha512
+cni_sha512[amd64]="76b29cc629449723fef45db6a6999b0617e6c9084678a4a3361caf3fc5e935084bc0644e47839b1891395e3cec984f7bfe581dd9455c4991ddeee1c78392e538"
+cni_sha512[arm64]="a779f25e0cfeea18185664c59d3e6cd71c56b530f8ccb1df829288d90d52b6b117addcc2e3cae113077646a9b67a461fe3d30bbfafe80c96a50c2a9ad204b677"

images/runtime/configure-iptables-wrapper.sh

@@ -0,0 +1,19 @@
+#!/bin/bash
+
+# Copyright 2017-2020 Authors of Cilium
+# SPDX-License-Identifier: Apache-2.0
+
+set -o xtrace
+set -o errexit
+set -o pipefail
+set -o nounset
+
+update-alternatives \
+  --install /usr/sbin/iptables iptables /usr/sbin/iptables-wrapper 100 \
+  --slave /usr/sbin/iptables-restore iptables-restore /usr/sbin/iptables-wrapper \
+  --slave /usr/sbin/iptables-save iptables-save /usr/sbin/iptables-wrapper && \
+
+update-alternatives \
+  --install /usr/sbin/ip6tables ip6tables /usr/sbin/iptables-wrapper 100 \
+  --slave /usr/sbin/ip6tables-restore ip6tables-restore /usr/sbin/iptables-wrapper \
+  --slave /usr/sbin/ip6tables-save ip6tables-save /usr/sbin/iptables-wrapper

images/runtime/download-cni.sh

@@ -0,0 +1,21 @@
+#!/bin/bash
+
+# Copyright 2017-2020 Authors of Cilium
+# SPDX-License-Identifier: Apache-2.0
+
+set -o xtrace
+set -o errexit
+set -o pipefail
+set -o nounset
+
+source /tmp/cni-version.sh
+
+for arch in amd64 arm64 ; do
+  curl --fail --show-error --silent --location "https://github.com/containernetworking/plugins/releases/download/v${cni_version}/cni-plugins-linux-${arch}-v${cni_version}.tgz" --output "/tmp/cni-${arch}.tgz"
+  printf "%s %s" "${cni_sha512[${arch}]}" "/tmp/cni-${arch}.tgz" | sha512sum -c
+  mkdir -p "/out/linux/${arch}/bin"
+  tar -C "/out/linux/${arch}/bin" -xf "/tmp/cni-${arch}.tgz" ./loopback
+done
+
+strip /out/linux/amd64/bin/loopback
+aarch64-linux-gnu-strip /out/linux/arm64/bin/loopback

images/runtime/install-runtime-deps.sh

@@ -0,0 +1,30 @@
+#!/bin/bash
+
+# Copyright 2017-2020 Authors of Cilium
+# SPDX-License-Identifier: Apache-2.0
+
+set -o xtrace
+set -o errexit
+set -o pipefail
+set -o nounset
+
+packages=(
+  libelf1
+  libmnl0
+  bash-completion
+  iptables
+  kmod
+  ca-certificates
+)
+
+apt-get update
+
+# tzdata is one of the dependencies and a timezone must be set
+# to avoid interactive prompt when it is being installed
+ln -fs /usr/share/zoneinfo/UTC /etc/localtime
+
+apt-get install -y --no-install-recommends "${packages[@]}"
+
+apt-get purge --auto-remove
+apt-get clean
+rm -rf /var/lib/apt/lists/*

images/runtime/iptables-wrapper

@@ -0,0 +1,45 @@
+#!/bin/sh
+
+# Copyright 2019 The Kubernetes Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -e
+
+# Detect whether the base system is using iptables-legacy or
+# iptables-nft. This assumes that some non-containerized process (eg
+# kubelet) has already created some iptables rules.
+
+# Bugs in iptables-nft 1.8.3 may cause it to get stuck in a loop in
+# some circumstances, so we have to run the nft check in a timeout. To
+# avoid hitting that timeout, we only bother to even check nft if
+# legacy iptables was empty / mostly empty.
+
+num_legacy_lines=$( (iptables-legacy-save || true; ip6tables-legacy-save || true) 2>/dev/null | grep '^-' | wc -l)
+if [ "${num_legacy_lines}" -ge 10 ]; then
+    mode=legacy
+else
+    num_nft_lines=$( (timeout 5 sh -c "iptables-nft-save; ip6tables-nft-save" || true) 2>/dev/null | grep '^-' | wc -l)
+    if [ "${num_legacy_lines}" -ge "${num_nft_lines}" ]; then
+	mode=legacy
+    else
+	mode=nft
+    fi
+fi
+
+update-alternatives --set iptables "/usr/sbin/iptables-${mode}" > /dev/null
+update-alternatives --set ip6tables "/usr/sbin/ip6tables-${mode}" > /dev/null
+
+# Now re-exec the original command with the newly-selected alternative
+exec "$0" "$@"
+

images/scripts/update-cni-version.sh

@@ -0,0 +1,45 @@
+#!/bin/bash
+
+# Copyright 2017-2020 Authors of Cilium
+# SPDX-License-Identifier: Apache-2.0
+
+set -o errexit
+set -o pipefail
+set -o nounset
+
+script_dir="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+
+root_dir="$(git rev-parse --show-toplevel)"
+
+cd "${root_dir}"
+
+if [ "$#" -ne 1 ] ; then
+  echo "$0 supports exactly 1 argument - <cni_version>"
+  exit 1
+fi
+
+cni_version="${1}"
+
+# this is a simple array that assumes the order of the loop;
+# it's not an associative array because this script needs to
+# work on any version of bash, and (most notably) macOS ships
+# an old version that doesn't support associative arrays
+cni_sha512=()
+
+for arch in amd64 arm64 ; do
+  tmpout="$(mktemp)"
+  curl --fail --show-error --silent --location \
+    "https://github.com/containernetworking/plugins/releases/download/v${cni_version}/cni-plugins-linux-${arch}-v${cni_version}.tgz.sha512" \
+    --output "${tmpout}"
+  read -ra sha512 < "${tmpout}"
+  rm -f "${tmpout}"
+  cni_sha512+=("${sha512[0]}")
+done
+
+cat > "${root_dir}/images/runtime/cni-version.sh" << EOF
+# Code generated by images/scripts/update-cni-version.sh; DO NOT EDIT.
+cni_version="${cni_version}"
+declare -A cni_sha512
+cni_sha512[amd64]="${cni_sha512[0]}"
+cni_sha512[arm64]="${cni_sha512[1]}"
+EOF