build: New runtime image with multi-platform support
Signed-off-by: Ilya Dmitrichenko <errordeveloper@gmail.com>
1 parent
3e6765c
commit e091612
Showing
10 changed files
with
255 additions
and
0 deletions.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,58 @@ | ||
# syntax=docker/dockerfile:1.1-experimental | ||
|
||
# Copyright 2020 Authors of Cilium | ||
# SPDX-License-Identifier: Apache-2.0 | ||
|
||
ARG COMPILERS_IMAGE=docker.io/cilium/image-compilers:57f235db9a07e81c5b60c536498ecbf2501dd267@sha256:080245ac0d7d061e05613e6bf887dc3c8bb07392cd2ce265b8a4aaaad17f2125 | ||
ARG TESTER_IMAGE=docker.io/cilium/image-tester:70724309b859786e0a347605e407c5261f316eb0@sha256:89cc1f577d995021387871d3dbeb771b75ab4d70073d9bcbc42e532792719781 | ||
ARG GOLANG_IMAGE=docker.io/library/golang:1.14.4@sha256:d39a459086c75920390c9b9d42bbc7c52fef1fe7666e7633a02508c607c889d4 | ||
ARG UBUNTU_IMAGE=docker.io/library/ubuntu:20.04@sha256:8bce67040cd0ae39e0beb55bcb976a824d9966d2ac8d2e4bf6119b45505cee64 | ||
|
||
ARG CILIUM_LLVM_IMAGE=docker.io/cilium/cilium-llvm:3355296c86c669ca92077e37bd5901d41c8142b9 | ||
ARG CILIUM_BPFTOOL_IMAGE=docker.io/cilium/cilium-bpftool:fbb2e86339609f6755f53fcefd2257e4beea4423 | ||
ARG CILIUM_IPROUTE2_IMAGE=docker.io/cilium/cilium-iproute2:44d4c6ebc57b78af0f1080ef52da2bae2605a439 | ||
|
||
FROM ${CILIUM_LLVM_IMAGE} as llvm-dist | ||
FROM ${CILIUM_BPFTOOL_IMAGE} as bpftool-dist | ||
FROM ${CILIUM_IPROUTE2_IMAGE} as iproute2-dist | ||
|
||
FROM --platform=linux/amd64 ${COMPILERS_IMAGE} as builder | ||
|
||
COPY cni-version.sh /tmp/cni-version.sh | ||
COPY download-cni.sh /tmp/download-cni.sh | ||
RUN /tmp/download-cni.sh | ||
|
||
FROM --platform=linux/amd64 ${GOLANG_IMAGE} as go-builder | ||
|
||
COPY build-gops.sh /tmp/build-gops.sh | ||
RUN --mount=target=/root/.cache,type=cache --mount=target=/go/pkg/mod,type=cache /tmp/build-gops.sh | ||
|
||
FROM ${UBUNTU_IMAGE} as rootfs | ||
|
||
COPY install-runtime-deps.sh /tmp/install-runtime-deps.sh | ||
RUN /tmp/install-runtime-deps.sh | ||
|
||
COPY iptables-wrapper /usr/sbin/iptables-wrapper | ||
COPY configure-iptables-wrapper.sh /tmp/configure-iptables-wrapper.sh | ||
RUN /tmp/configure-iptables-wrapper.sh | ||
|
||
COPY --from=llvm-dist /usr/local /usr/local | ||
COPY --from=bpftool-dist /usr/local /usr/local | ||
COPY --from=iproute2-dist /usr/local /usr/local | ||
|
||
ARG TARGETPLATFORM | ||
COPY --from=builder /out/${TARGETPLATFORM}/bin /bin | ||
COPY --from=go-builder /out/${TARGETPLATFORM}/bin /bin | ||
|
||
FROM ${TESTER_IMAGE} as test | ||
COPY --from=rootfs / / | ||
COPY --from=llvm-dist /test /test | ||
COPY --from=bpftool-dist /test /test | ||
COPY --from=iproute2-dist /test /test | ||
RUN /test/bin/cst -C /test/llvm | ||
RUN /test/bin/cst -C /test/bpftool | ||
RUN /test/bin/cst -C /test/iproute2 | ||
|
||
FROM scratch | ||
LABEL maintainer="maintainer@cilium.io" | ||
COPY --from=rootfs / / |
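Review bot: `CILIUM_LLVM_IMAGE`, `CILIUM_BPFTOOL_IMAGE` and `CILIUM_IPROUTE2_IMAGE` are referenced by tag only, while the four other base-image ARGs in the same block carry an `@sha256:` digest. Everything under `/usr/local` in those three images is copied into `rootfs` and from there into the final `scratch` image, so a re-pushed tag would change the shipped binaries without any change to this file. Pin them the same way, e.g. `ARG CILIUM_LLVM_IMAGE=docker.io/cilium/cilium-llvm:3355296c86c669ca92077e37bd5901d41c8142b9@sha256:<digest>` (placeholder; take the digest from the registry). Separately, the helper scripts copied to `/tmp` in the `rootfs` stage are never removed, so they reach the final image through `COPY --from=rootfs / /`.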
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,4 @@ | ||
# Copyright 2020 Authors of Cilium | ||
# SPDX-License-Identifier: Apache-2.0 | ||
|
||
Dockerfile |
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,26 @@ | ||
#!/bin/bash | ||
|
||
# Copyright 2017-2020 Authors of Cilium | ||
# SPDX-License-Identifier: Apache-2.0 | ||
|
||
set -o xtrace | ||
set -o errexit | ||
set -o pipefail | ||
set -o nounset | ||
|
||
mkdir /src | ||
|
||
cd /src | ||
|
||
unset GOPATH | ||
|
||
# when updating this version, also update contrib/packaging/docker/Dockerfile.runtime | ||
gops_version="0.3.10" | ||
|
||
go mod init github.com/cilium/cilium/images/runtime | ||
go get "github.com/google/gops@v${gops_version}" | ||
|
||
for arch in amd64 arm64 ; do | ||
mkdir -p "/out/linux/${arch}/bin" | ||
GOARCH="${arch}" go build -ldflags "-s -w" -o "/out/linux/${arch}/bin/gops" github.com/google/gops | ||
done |
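Review bot: Only `gops` itself is pinned here (`gops_version`); the module is created with `go mod init` inside the build, so there is no committed `go.sum` and the transitive dependencies of gops are resolved and trusted at build time. Integrity then depends on whatever GOPROXY/GOSUMDB settings the builder image has, unlike the CNI download in this commit, which is checked against a SHA-512 committed to the repository. Consider committing a small `go.mod`/`go.sum` pair next to this script, copying both into the stage and building with `-mod=readonly`, so a changed dependency fails the build instead of being picked up silently.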
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,4 @@ | ||
cni_version="0.8.6" | ||
declare -A cni_sha512 | ||
cni_sha512[amd64]="76b29cc629449723fef45db6a6999b0617e6c9084678a4a3361caf3fc5e935084bc0644e47839b1891395e3cec984f7bfe581dd9455c4991ddeee1c78392e538" | ||
cni_sha512[arm64]="a779f25e0cfeea18185664c59d3e6cd71c56b530f8ccb1df829288d90d52b6b117addcc2e3cae113077646a9b67a461fe3d30bbfafe80c96a50c2a9ad204b677" |
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,19 @@ | ||
#!/bin/bash | ||
|
||
# Copyright 2017-2020 Authors of Cilium | ||
# SPDX-License-Identifier: Apache-2.0 | ||
|
||
set -o xtrace | ||
set -o errexit | ||
set -o pipefail | ||
set -o nounset | ||
|
||
update-alternatives \ | ||
--install /usr/sbin/iptables iptables /usr/sbin/iptables-wrapper 100 \ | ||
--slave /usr/sbin/iptables-restore iptables-restore /usr/sbin/iptables-wrapper \ | ||
--slave /usr/sbin/iptables-save iptables-save /usr/sbin/iptables-wrapper && \ | ||
|
||
update-alternatives \ | ||
--install /usr/sbin/ip6tables ip6tables /usr/sbin/iptables-wrapper 100 \ | ||
--slave /usr/sbin/ip6tables-restore ip6tables-restore /usr/sbin/iptables-wrapper \ | ||
--slave /usr/sbin/ip6tables-save ip6tables-save /usr/sbin/iptables-wrapper |
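Review bot: The first `update-alternatives` call ends in `&& \` followed by a blank line, which joins the two calls into a single `&&` list. It works today because that list is the last command in the script, but under `set -o errexit` a failure on the left-hand side of `&&` does not abort the shell, so any command appended later would still run even if the iptables alternatives were never registered. Drop the trailing `&& \` so the line ends at `/usr/sbin/iptables-wrapper` and let errexit handle each call on its own.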
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,21 @@ | ||
#!/bin/bash | ||
|
||
# Copyright 2017-2020 Authors of Cilium | ||
# SPDX-License-Identifier: Apache-2.0 | ||
|
||
set -o xtrace | ||
set -o errexit | ||
set -o pipefail | ||
set -o nounset | ||
|
||
source /tmp/cni-version.sh | ||
|
||
for arch in amd64 arm64 ; do | ||
curl --fail --show-error --silent --location "https://github.com/containernetworking/plugins/releases/download/v${cni_version}/cni-plugins-linux-${arch}-v${cni_version}.tgz" --output "/tmp/cni-${arch}.tgz" | ||
printf "%s %s" "${cni_sha512[${arch}]}" "/tmp/cni-${arch}.tgz" | sha512sum -c | ||
mkdir -p "/out/linux/${arch}/bin" | ||
tar -C "/out/linux/${arch}/bin" -xf "/tmp/cni-${arch}.tgz" ./loopback | ||
done | ||
|
||
strip /out/linux/amd64/bin/loopback | ||
aarch64-linux-gnu-strip /out/linux/arm64/bin/loopback |
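Review bot: The checksum line fed to `sha512sum -c` is built with `printf "%s %s"`, i.e. one space between digest and path and no trailing newline, which is not the format `sha512sum` itself writes (digest, two spaces, path, newline). This is presumably tolerated by the coreutils in the compilers image, and a rejected line makes `sha512sum -c` exit non-zero so the check fails closed, but the canonical form avoids depending on that leniency: `printf "%s  %s\n" "${cni_sha512[${arch}]}" "/tmp/cni-${arch}.tgz" | sha512sum -c`. A one-line comment stating that the expected digests come from the committed `cni-version.sh`, and are deliberately not fetched at build time, would also help the next reader.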
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,30 @@ | ||
#!/bin/bash | ||
|
||
# Copyright 2017-2020 Authors of Cilium | ||
# SPDX-License-Identifier: Apache-2.0 | ||
|
||
set -o xtrace | ||
set -o errexit | ||
set -o pipefail | ||
set -o nounset | ||
|
||
packages=( | ||
libelf1 | ||
libmnl0 | ||
bash-completion | ||
iptables | ||
kmod | ||
ca-certificates | ||
) | ||
|
||
apt-get update | ||
|
||
# tzdata is one of the dependencies and a timezone must be set | ||
# to avoid interactive prompt when it is being installed | ||
ln -fs /usr/share/zoneinfo/UTC /etc/localtime | ||
|
||
apt-get install -y --no-install-recommends "${packages[@]}" | ||
|
||
apt-get purge --auto-remove | ||
apt-get clean | ||
rm -rf /var/lib/apt/lists/* |
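Review bot: `apt-get purge --auto-remove` is called without `-y` and without any package argument. If nothing is auto-removable it is a no-op; if something is, apt will presumably ask for confirmation, and with no terminal attached the build would abort under `errexit`. Either drop the line or make it explicit with `apt-get purge -y --auto-remove`. The entries in `packages=(...)` are also unversioned, so the installed set depends on the archive state at build time even though the Ubuntu base is pinned by digest; a comment acknowledging that would be enough.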
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,45 @@ | ||
#!/bin/sh | ||
|
||
# Copyright 2019 The Kubernetes Authors. | ||
# | ||
# Licensed under the Apache License, Version 2.0 (the "License"); | ||
# you may not use this file except in compliance with the License. | ||
# You may obtain a copy of the License at | ||
# | ||
# http://www.apache.org/licenses/LICENSE-2.0 | ||
# | ||
# Unless required by applicable law or agreed to in writing, software | ||
# distributed under the License is distributed on an "AS IS" BASIS, | ||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||
# See the License for the specific language governing permissions and | ||
# limitations under the License. | ||
|
||
set -e | ||
|
||
# Detect whether the base system is using iptables-legacy or | ||
# iptables-nft. This assumes that some non-containerized process (eg | ||
# kubelet) has already created some iptables rules. | ||
|
||
# Bugs in iptables-nft 1.8.3 may cause it to get stuck in a loop in | ||
# some circumstances, so we have to run the nft check in a timeout. To | ||
# avoid hitting that timeout, we only bother to even check nft if | ||
# legacy iptables was empty / mostly empty. | ||
|
||
num_legacy_lines=$( (iptables-legacy-save || true; ip6tables-legacy-save || true) 2>/dev/null | grep '^-' | wc -l) | ||
if [ "${num_legacy_lines}" -ge 10 ]; then | ||
mode=legacy | ||
else | ||
num_nft_lines=$( (timeout 5 sh -c "iptables-nft-save; ip6tables-nft-save" || true) 2>/dev/null | grep '^-' | wc -l) | ||
if [ "${num_legacy_lines}" -ge "${num_nft_lines}" ]; then | ||
mode=legacy | ||
else | ||
mode=nft | ||
fi | ||
fi | ||
|
||
update-alternatives --set iptables "/usr/sbin/iptables-${mode}" > /dev/null | ||
update-alternatives --set ip6tables "/usr/sbin/ip6tables-${mode}" > /dev/null | ||
|
||
# Now re-exec the original command with the newly-selected alternative | ||
exec "$0" "$@" | ||
|
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,45 @@ | ||
#!/bin/bash | ||
|
||
# Copyright 2017-2020 Authors of Cilium | ||
# SPDX-License-Identifier: Apache-2.0 | ||
|
||
set -o errexit | ||
set -o pipefail | ||
set -o nounset | ||
|
||
script_dir="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)" | ||
|
||
root_dir="$(git rev-parse --show-toplevel)" | ||
|
||
cd "${root_dir}" | ||
|
||
if [ "$#" -ne 1 ] ; then | ||
echo "$0 supports exactly 1 argument - <cni_version>" | ||
exit 1 | ||
fi | ||
|
||
cni_version="${1}" | ||
|
||
# this is a simple array that assumes the order of the loop; | ||
# it's not an associative array because this script needs to | ||
# work on any version of bash, and (most notably) macOS ships | ||
# an old version that doesn't support associative arrays | ||
cni_sha512=() | ||
|
||
for arch in amd64 arm64 ; do | ||
tmpout="$(mktemp)" | ||
curl --fail --show-error --silent --location \ | ||
"https://github.com/containernetworking/plugins/releases/download/v${cni_version}/cni-plugins-linux-${arch}-v${cni_version}.tgz.sha512" \ | ||
--output "${tmpout}" | ||
read -ra sha512 < "${tmpout}" | ||
rm -f "${tmpout}" | ||
cni_sha512+=("${sha512[0]}") | ||
done | ||
|
||
cat > "${root_dir}/images/runtime/cni-version.sh" << EOF | ||
# Code generated by images/scripts/update-cni-version.sh; DO NOT EDIT. | ||
cni_version="${cni_version}" | ||
declare -A cni_sha512 | ||
cni_sha512[amd64]="${cni_sha512[0]}" | ||
cni_sha512[arm64]="${cni_sha512[1]}" | ||
EOF |
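Review bot: The value read from the downloaded `.sha512` file is written into `cni-version.sh` without any check that it is a SHA-512 digest, so an unexpected or truncated response body that still yields a first field would be committed as the pin. Add a guard after the `read`, e.g. `[[ "${sha512[0]:-}" =~ ^[0-9a-f]{128}$ ]] || { echo "unexpected checksum for ${arch}" >&2; exit 1; }`. The digest is also fetched from the same release location as the tarball, so it pins the artifact from this point on but does not independently authenticate it; a comment saying so would set the right expectation. `script_dir` is assigned but never used in the visible lines.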