cilium, docker: switch to {clang,llvm}-10.0 and externalize build deps

Dockerfile

@@ -15,7 +15,7 @@ LABEL cilium-sha=${CILIUM_SHA}
 # versions to be built while allowing the new versions to make changes
 # that are not backwards compatible.
 #
-FROM quay.io/cilium/cilium-builder:2020-04-29 as builder
+FROM quay.io/cilium/cilium-builder:2020-05-05 as builder
 ARG CILIUM_SHA=""
 LABEL cilium-sha=${CILIUM_SHA}
 LABEL maintainer="maintainer@cilium.io"
@@ -41,7 +41,7 @@ RUN make LOCKDEBUG=$LOCKDEBUG PKG_BUILD=1 V=$V LIBNETWORK_PLUGIN=$LIBNETWORK_PLU
 # built while allowing the new versions to make changes that are not
 # backwards compatible.
 #
-FROM quay.io/cilium/cilium-runtime:2020-04-29
+FROM quay.io/cilium/cilium-runtime:2020-05-05
 ARG CILIUM_SHA=""
 LABEL cilium-sha=${CILIUM_SHA}
 LABEL maintainer="maintainer@cilium.io"

Dockerfile.builder

@@ -1,13 +1,9 @@
 #
-# Cilium build-time dependencies.
-# Image created from this file is used to build Cilium.
+# Cilium build-time base image (image created from this file is used to build Cilium)
 #
-FROM docker.io/library/ubuntu:20.04
-
+FROM quay.io/cilium/cilium-runtime:2020-05-05
 LABEL maintainer="maintainer@cilium.io"
-
 ARG ARCH=amd64
-
 WORKDIR /go/src/github.com/cilium/cilium
 
 #
@@ -21,38 +17,29 @@ ENV GO_VERSION 1.14.2
 #
 # Build dependencies
 #
-RUN apt-get update \
-    && DEBIAN_FRONTEND=noninteractive apt-get upgrade -y --no-install-recommends \
-    && DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends \
-		apt-utils \
-		binutils \
-		ca-certificates \
-		clang-7 \
-		coreutils \
-		curl \
-		gcc \
-		git \
-		iproute2 \
-		libc6-dev \
-		libelf-dev \
-		llvm-7 \
-		m4 \
-		make \
-		pkg-config \
-		python \
-		rsync \
-		unzip \
-		wget \
-		zip \
-		zlib1g-dev \
-	&& apt-get clean \
-	&& rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/* \
-	&& update-alternatives --install /usr/bin/clang clang /usr/bin/clang-7 100 \
-	&& update-alternatives --install /usr/bin/llc llc /usr/bin/llc-7 100
+RUN apt-get update && \
+    apt-get upgrade -y --no-install-recommends && \
+    apt-get install -y --no-install-recommends \
+      # Base Cilium-build dependencies
+      binutils \
+      coreutils \
+      curl \
+      gcc \
+      git \
+      libc6-dev \
+      libelf-dev \
+      make \
+      rsync \
+      unzip \
+      wget \
+      zip && \
+    apt-get purge --auto-remove && \
+    apt-get clean && \
+    rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/*
 
 #
 # Install Go
 #
 RUN curl -sfL https://dl.google.com/go/go${GO_VERSION}.linux-${ARCH}.tar.gz | tar -xzC /usr/local && \
-        GO111MODULE=on go get github.com/gordonklaus/ineffassign@1003c8bd00dc2869cb5ca5282e6ce33834fed514 && \
-        go clean -cache -modcache
+    GO111MODULE=on go get github.com/gordonklaus/ineffassign@1003c8bd00dc2869cb5ca5282e6ce33834fed514 && \
+    go clean -cache -modcache

bpf/Makefile

@@ -197,7 +197,8 @@ endif
 $(TARGET): $(TARGET).c
 	@$(ECHO_CC)
 	@# Due to gcc bug, -lelf needs to be at the end.
-	$(QUIET) ${HOSTCC} -Wall -O2 -Wno-format-truncation -I include/ $@.c -lelf -o $@
+	$(QUIET) ${HOST_CC} -Wall -O2 -Wno-format-truncation -I include/ $@.c -lelf -o $@
+	$(QUIET) ${HOST_STRIP} $@
 
 install:
 	$(QUIET)$(INSTALL) -m 0755 $(TARGET) $(DESTDIR)$(BINDIR)

bpf/Makefile.bpf

@@ -20,9 +20,11 @@ LIB := $(shell find $(ROOT_DIR)/bpf -name '*.h') $(BUILD_PERMUTATIONS_DEP)
 BPF_C := $(patsubst %.o,%.c,$(BPF))
 BPF_ASM := $(patsubst %.o,%.s,$(BPF))
 
-CLANG  ?= clang
-LLC    ?= llc
-HOSTCC ?= gcc
+CLANG ?= clang
+LLC   ?= llc
+
+HOST_CC    ?= gcc
+HOST_STRIP ?= strip
 
 # Define all at the top here so that Makefiles which include this one will hit
 # the 'all' target first (which we expect to be overridden by the includer).

contrib/packaging/docker/Dockerfile.runtime

@@ -3,148 +3,64 @@
 #
 FROM docker.io/library/ubuntu:20.04 as runtime-base
 RUN apt-get update && \
-apt-get upgrade -y && \
-#
-# Prepackaged Cilium runtime dependencies
-#
-apt-get install -y --no-install-recommends \
-# Additional iproute2 runtime dependencies
-    libelf1 libmnl0 \
-# Bash completion for Cilium
-    bash-completion \
-# Additional misc runtime dependencies
-    iptables kmod ca-certificates && \
-apt-get purge --auto-remove && \
-apt-get clean && \
-rm -rf /var/lib/apt/lists/*
+    apt-get upgrade -y && \
+    apt-get install -y --no-install-recommends \
+      # Additional iproute2 runtime dependencies
+      libelf1 libmnl0 \
+      # Bash completion for Cilium
+      bash-completion \
+      # Additional misc runtime dependencies
+      iptables kmod ca-certificates && \
+    apt-get purge --auto-remove && \
+    apt-get clean && \
+    rm -rf /var/lib/apt/lists/*
 # Add support for auto-detection of iptables mode
 COPY iptables-wrapper /usr/sbin/iptables-wrapper
 RUN update-alternatives \
-    --install /usr/sbin/iptables \
-        iptables \
-        /usr/sbin/iptables-wrapper \
-        100 \
-    --slave /usr/sbin/iptables-restore \
-        iptables-restore \
-        /usr/sbin/iptables-wrapper \
-    --slave /usr/sbin/iptables-save \
-        iptables-save \
-        /usr/sbin/iptables-wrapper
-RUN update-alternatives \
-    --install /usr/sbin/ip6tables \
-        ip6tables \
-        /usr/sbin/iptables-wrapper \
-        100 \
-    --slave /usr/sbin/ip6tables-restore \
-        ip6tables-restore \
-        /usr/sbin/iptables-wrapper \
-    --slave /usr/sbin/ip6tables-save \
-        ip6tables-save \
-        /usr/sbin/iptables-wrapper
+      --install /usr/sbin/iptables iptables /usr/sbin/iptables-wrapper 100 \
+      --slave /usr/sbin/iptables-restore iptables-restore /usr/sbin/iptables-wrapper \
+      --slave /usr/sbin/iptables-save iptables-save /usr/sbin/iptables-wrapper && \
+    update-alternatives \
+      --install /usr/sbin/ip6tables ip6tables /usr/sbin/iptables-wrapper 100 \
+      --slave /usr/sbin/ip6tables-restore ip6tables-restore /usr/sbin/iptables-wrapper \
+      --slave /usr/sbin/ip6tables-save ip6tables-save /usr/sbin/iptables-wrapper
 
 #
-# Build Cilium runtime dependencies.
+# Go-based tools for runtime image
 #
-FROM runtime-base as runtime-build
-ARG ARCH=amd64
+FROM docker.io/library/golang:1.14.2 as gops
 WORKDIR /tmp
-RUN \
-#
-# Build dependencies
-#
-apt-get update && \
-DEBIAN_FRONTEND="noninteractive" \
-apt-get install -y --no-install-recommends \
-# Base runtime-build dependencies
-  make curl ca-certificates xz-utils binutils \
-# Additional iproute2 build dependencies
-  gcc git pkg-config bison flex build-essential libelf-dev libmnl-dev \
-# Additional bpftool dependencies
-  python3 \
-# Additional clang/llvm dependencies
-  cmake ninja-build && \
-#
-# iproute2
-#
-git clone --depth 1 -b static-data https://github.com/cilium/iproute2.git iproute2 && \
-cd iproute2 && \
-git --no-pager remote -v && \
-git --no-pager log -1 && \
-./configure && \
-make -j `getconf _NPROCESSORS_ONLN` && \
-strip tc/tc && \
-strip ip/ip && \
-cd .. && \
-#
-# clang/llvm image with only BPF backend
-#
-git clone -b master https://github.com/llvm/llvm-project.git llvm && \
-mkdir -p llvm/llvm/build/install && \
-cd llvm/ && \
-git checkout -b d941df363d1cb621a3836b909c37d79f2a3e27e2 d941df363d1cb621a3836b909c37d79f2a3e27e2 && \
-git --no-pager remote -v && \
-git --no-pager log -1 && \
-cd llvm/build && \
-cmake .. -G "Ninja" -DLLVM_TARGETS_TO_BUILD="BPF" -DLLVM_ENABLE_PROJECTS="clang" -DBUILD_SHARED_LIBS=OFF -DCMAKE_BUILD_TYPE=Release -DLLVM_BUILD_RUNTIME=OFF && \
-ninja clang llc && \
-strip bin/clang && \
-strip bin/llc && \
-cp bin/clang /usr/bin/clang && \
-cp bin/llc /usr/bin/llc && \
-cd ../../../ && \
-#
-# bpftool
-#
-git clone --depth 1 -b master git://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf-next.git linux && \
-cd linux/tools/bpf/bpftool/ && \
-git --no-pager remote -v && \
-git --no-pager log -1 && \
-make -j `getconf _NPROCESSORS_ONLN` && \
-strip bpftool && \
-cd ../../../../ && \
-#
-# cni/loopback
-#
-curl -sS -L https://github.com/containernetworking/plugins/releases/download/v0.7.5/cni-plugins-${ARCH}-v0.7.5.tgz -o cni.tar.gz && \
-tar -xvf cni.tar.gz ./loopback && \
-strip -s ./loopback && \
-#
-# Cleanup
-#
-apt-get purge --auto-remove -y \
-# Base runtime-build dependencies
-  make curl ca-certificates xz-utils binutils \
-# Additional iproute2 build dependencies
-  gcc git pkg-config bison flex build-essential libelf-dev libmnl-dev \
-# Additional bpftool dependencies
-  python3 \
-# Additional clang/llvm dependencies
-  cmake ninja-build && \
-apt-get clean && \
-rm -rf /var/lib/apt/lists/*
+RUN go get -d github.com/google/gops && \
+    cd /go/src/github.com/google/gops && \
+    git checkout -b v0.3.6 v0.3.6 && \
+    git --no-pager remote -v && \
+    git --no-pager log -1 && \
+    go install && \
+    strip /go/bin/gops
 
 #
-# Go-based tools we need at runtime
+# LLVM, bpftool, iproute2 and loopback for runtime image (cilium/packaging repo)
 #
-FROM docker.io/library/golang:1.14.2 as runtime-gobuild
+FROM runtime-base as tools
+ARG ARCH=amd64
 WORKDIR /tmp
-RUN go get -d github.com/google/gops && \
-cd /go/src/github.com/google/gops && \
-git checkout -b v0.3.6 v0.3.6 && \
-git --no-pager remote -v && \
-git --no-pager log -1 && \
-go install && \
-strip /go/bin/gops
+RUN apt-get update && \
+    apt-get install -y --no-install-recommends \
+      curl ca-certificates xz-utils binutils && \
+    curl -sS -L https://github.com/containernetworking/plugins/releases/download/v0.7.5/cni-plugins-${ARCH}-v0.7.5.tgz -o cni.tar.gz && \
+    tar -xvf cni.tar.gz ./loopback && \
+    strip -s ./loopback
+COPY --from=quay.io/cilium/cilium-llvm:2020-05-05 /bin/clang /bin/llc /bin/
+COPY --from=quay.io/cilium/cilium-bpftool:2020-05-05 /bin/bpftool /bin/
+COPY --from=quay.io/cilium/cilium-iproute2:2020-05-05 /bin/tc /bin/ip /bin/
+COPY --from=gops /go/bin/gops /bin/
 
 #
 # Stripped cilium runtime base image
 #
 FROM runtime-base
 LABEL maintainer="maintainer@cilium.io"
 WORKDIR /bin
-COPY --from=runtime-build /tmp/iproute2/tc/tc /tmp/iproute2/ip/ip ./
-COPY --from=runtime-build /tmp/linux/tools/bpf/bpftool/bpftool ./
-COPY --from=runtime-build /tmp/llvm/llvm/build/bin/clang /tmp/llvm/llvm/build/bin/llc ./
-COPY --from=runtime-gobuild /go/bin/gops ./
+COPY --from=tools /bin/tc /bin/ip /bin/bpftool /bin/clang /bin/llc /bin/gops ./
 WORKDIR /cni
-COPY --from=runtime-build /tmp/loopback ./
+COPY --from=tools /tmp/loopback ./