From 8dff164c1c80e707fee616c6116553044f8e0047 Mon Sep 17 00:00:00 2001 
From: jayaramsatya Date: Tue, 5 Jan 2021 16:29:58 -0800 Subject: [PATCH] ACI CNI base images We are introducing the following layered hierarchy for the ACI CNI images: aci-containers-base aci-containers--base aci-containers- with the goal of: a. Normalizing the ACI CNI common packages of the current images into a common base, and such additional packages can be added in one common image layer as opposed to being added independently in each component image (this goes into the aci-containers-base image) b. Identifying the static parts of the component-specific images such that they are not required to be pulled every time (this goes into the aci-containers--base image which builds on top of the aci-containers-base image) The ACI CNI compiled artifacts go into the final aci-containers- image which builds on top of the above two. The base images need to be built less frequently and can be cached, thus substantially reducing the final image build time in the CI setup. This approach is similar to what has already been adopted for the opflex container. In this PR only the Dockerfiles for images used in the on-prem deployment are being updated.
---
 docker/Dockerfile-aci-containers-base | 3 ++
 docker/Dockerfile-cnideploy | 11 ++++---
 docker/Dockerfile-cnideploy-base | 7 +++++
 docker/Dockerfile-controller | 11 ++-----
 docker/Dockerfile-controller-base | 9 ++++++
 docker/Dockerfile-host | 41 ++-------------------------
 docker/Dockerfile-host-base | 41 +++++++++++++++++++++++++++
 docker/Dockerfile-openvswitch | 7 ++---
 docker/Dockerfile-openvswitch-base | 7 +++++
 docker/Dockerfile-operator | 8 ++----
 docker/Dockerfile-operator-base | 8 ++++++
 11 files changed, 92 insertions(+), 61 deletions(-)
 create mode 100644 docker/Dockerfile-aci-containers-base
 create mode 100644 docker/Dockerfile-cnideploy-base
 create mode 100644 docker/Dockerfile-controller-base
 create mode 100644 docker/Dockerfile-host-base
 create mode 100644 docker/Dockerfile-openvswitch-base
 create mode 100644 docker/Dockerfile-operator-base
diff --git a/docker/Dockerfile-aci-containers-base b/docker/Dockerfile-aci-containers-base
new file mode 100644
index 0000000000..e4e045a2f2
--- /dev/null
+++ b/docker/Dockerfile-aci-containers-base
@@ -0,0 +1,3 @@
+FROM registry.access.redhat.com/ubi8/ubi:latest
+RUN yum --disablerepo=\*ubi\* install -y curl
+CMD ["/usr/bin/sh"]
diff --git a/docker/Dockerfile-cnideploy b/docker/Dockerfile-cnideploy
index c1f201a503..a5ca9bfa8b 100644
--- a/docker/Dockerfile-cnideploy
+++ b/docker/Dockerfile-cnideploy
@@ -1,7 +1,6 @@
-FROM registry.access.redhat.com/ubi8/ubi-minimal:latest
-RUN microdnf --disablerepo=\*ubi\* install wget ca-certificates tar gzip \
- && microdnf clean all \
- && mkdir -p /opt/cni/bin && wget -O- https://github.com/containernetworking/plugins/releases/download/v0.8.7/cni-plugins-linux-amd64-v0.8.7.tgz | tar xz -C /opt/cni/bin
+ARG basetag=latest
+ARG baserepo=quay.io/noirolabs
+FROM ${baserepo}/aci-containers-cnideploy-base:${basetag}
 # Required OpenShift Labels
 LABEL name="ACI CNI cnideploy" \
 vendor="Cisco" \
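Review bot: The `RUN yum --disablerepo=\*ubi\* install -y curl` line in Dockerfile-aci-containers-base leaves the yum metadata and package cache in the layer that every other image in the new hierarchy inherits, while each derived *-base file runs `yum clean all`; make it `RUN yum --disablerepo=\*ubi\* install -y curl && yum clean all`. The root `FROM registry.access.redhat.com/ubi8/ubi:latest` also floats, so two builds of the same aci-containers-base tag can differ in every package below it, which undercuts the caching described in the commit message. Pinning to a specific tag, or a tag plus digest such as `FROM registry.access.redhat.com/ubi8/ubi:<pinned-tag>@sha256:<digest>` (placeholders), is what makes the shared base reproducible.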
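Review bot: Dockerfile-cnideploy moves from `ubi8/ubi-minimal` with microdnf to the full `ubi8/ubi` image through aci-containers-cnideploy-base and aci-containers-base, so the published cnideploy image grows and carries the full yum stack it did not have before; if that trade-off for a shared base is intended, a one-line comment above `FROM` saying so would keep the next reader from reverting it. The `ARG basetag=latest` default also means a build that does not pass `--build-arg basetag=...` picks up whatever base was pushed last. The same default appears in Dockerfile-controller, -host, -openvswitch and -operator and in each *-base file, so either a pinned default or a comment that CI always overrides it would help.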
@@ -10,6 +9,6 @@ release="1" \
 summary="This is an ACI CNI cnideploy." \
 description="This operator will deploy a single instance of ACI CNI cnideploy."
 # Required Licenses
-COPY licenses /licenses
-COPY launch-cnideploy.sh /usr/local/bin/
+COPY docker/licenses /licenses
+COPY docker/launch-cnideploy.sh /usr/local/bin/
 CMD ["/usr/local/bin/launch-cnideploy.sh"]
diff --git a/docker/Dockerfile-cnideploy-base b/docker/Dockerfile-cnideploy-base
new file mode 100644
index 0000000000..18856e6fef
--- /dev/null
+++ b/docker/Dockerfile-cnideploy-base
@@ -0,0 +1,7 @@
+ARG basetag=latest
+ARG baserepo=quay.io/noirolabs
+FROM ${baserepo}/aci-containers-base:${basetag}
+RUN yum --disablerepo=\*ubi\* install -y wget ca-certificates tar gzip \
+ && yum clean all \
+ && mkdir -p /opt/cni/bin && wget -O- https://github.com/containernetworking/plugins/releases/download/v0.8.7/cni-plugins-linux-amd64-v0.8.7.tgz | tar xz -C /opt/cni/bin
+CMD ["/usr/bin/sh"]
diff --git a/docker/Dockerfile-controller b/docker/Dockerfile-controller
index 65d01e2dcd..30e16bd1db 100644
--- a/docker/Dockerfile-controller
+++ b/docker/Dockerfile-controller
@@ -1,11 +1,6 @@
-FROM registry.access.redhat.com/ubi8/ubi:latest
-RUN yum --disablerepo=\*ubi\* install -y curl \
- && yum clean all \
- && curl -LO https://storage.googleapis.com/kubernetes-release/release/`curl -s https://storage.googleapis.com/kubernetes-release/release/stable.txt`/bin/linux/amd64/kubectl \
- && chmod u+x kubectl && mv kubectl /usr/local/bin/kubectl \
- && curl -sL "https://github.com/istio/istio/releases/download/1.6.5/istioctl-1.6.5-linux-amd64.tar.gz" | tar xz \
- && chmod u+x istioctl && mv istioctl /usr/local/bin/istioctl \
- && mkdir -p /usr/local/var/lib/aci-cni
+ARG basetag=latest
+ARG baserepo=quay.io/noirolabs
+FROM ${baserepo}/aci-containers-controller-base:${basetag}
 # Required OpenShift Labels
 LABEL name="ACI CNI Containers Controller" \
 vendor="Cisco" \
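Review bot: The two COPY lines in Dockerfile-cnideploy now resolve `docker/licenses` and `docker/launch-cnideploy.sh` relative to the repository root, so the build context must be the repo root (as Dockerfile-host already assumes with `COPY docker/licenses`) and a build started from inside `docker/` fails at this step. A comment at the top of the file such as `# Build from the repository root: docker build -f docker/Dockerfile-cnideploy .` would document that contract; the top of the file is outside this hunk.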
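Review bot: The `wget -O- …cni-plugins-linux-amd64-v0.8.7.tgz | tar xz -C /opt/cni/bin` line in Dockerfile-cnideploy-base writes whatever the release server returns straight into the base image with no integrity check, and without `pipefail` a wget failure is only caught indirectly through tar's error. Downloading to a file, checking it against the expected sha256 and only then extracting makes the base layer verifiable and the failure mode explicit; the digest below is a labelled placeholder to be filled in from the upstream release. The install and `yum clean all` steps are kept as they are.
```dockerfile
# … unchanged: ARG basetag / ARG baserepo / FROM …
# Placeholder: replace with the sha256 published for cni-plugins-linux-amd64-v0.8.7.tgz
ARG CNI_PLUGINS_SHA256=<sha256-of-cni-plugins-linux-amd64-v0.8.7.tgz>
RUN yum --disablerepo=\*ubi\* install -y wget ca-certificates tar gzip \
    && yum clean all \
    && mkdir -p /opt/cni/bin \
    && wget -O /tmp/cni-plugins.tgz https://github.com/containernetworking/plugins/releases/download/v0.8.7/cni-plugins-linux-amd64-v0.8.7.tgz \
    && echo "${CNI_PLUGINS_SHA256}  /tmp/cni-plugins.tgz" | sha256sum -c - \
    && tar xzf /tmp/cni-plugins.tgz -C /opt/cni/bin \
    && rm -f /tmp/cni-plugins.tgz
# … unchanged: CMD …
```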
diff --git a/docker/Dockerfile-controller-base b/docker/Dockerfile-controller-base
new file mode 100644
index 0000000000..122a066824
--- /dev/null
+++ b/docker/Dockerfile-controller-base
@@ -0,0 +1,9 @@
+ARG basetag=latest
+ARG baserepo=quay.io/noirolabs
+FROM ${baserepo}/aci-containers-base:${basetag}
+RUN curl -LO https://storage.googleapis.com/kubernetes-release/release/`curl -s https://storage.googleapis.com/kubernetes-release/release/stable.txt`/bin/linux/amd64/kubectl \
+ && chmod u+x kubectl && mv kubectl /usr/local/bin/kubectl \
+ && curl -sL "https://github.com/istio/istio/releases/download/1.6.5/istioctl-1.6.5-linux-amd64.tar.gz" | tar xz \
+ && chmod u+x istioctl && mv istioctl /usr/local/bin/istioctl \
+ && mkdir -p /usr/local/var/lib/aci-cni
+CMD ["/usr/bin/sh"]
diff --git a/docker/Dockerfile-host b/docker/Dockerfile-host
index f07589b257..b23a0d4f13 100644
--- a/docker/Dockerfile-host
+++ b/docker/Dockerfile-host
@@ -1,7 +1,6 @@
-FROM registry.access.redhat.com/ubi8/ubi:latest
-RUN yum --disablerepo=\*ubi\* --enablerepo=openstack-15-for-rhel-8-x86_64-rpms \
- --enablerepo=fast-datapath-for-rhel-8-x86_64-rpms --enablerepo codeready-builder-for-rhel-8-x86_64-rpms install -y iproute nftables openvswitch libnetfilter_conntrack-devel \
- && yum clean all
+ARG basetag=latest
+ARG baserepo=quay.io/noirolabs
+FROM ${baserepo}/aci-containers-host-base:${basetag}
 # Required OpenShift Labels
 LABEL name="ACI CNI Host-Agent" \
 vendor="Cisco" \
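Review bot: In Dockerfile-controller-base the kubectl download is unpinned and unverified: the inner `curl -s …/stable.txt` has no `-f`, so an HTTP error turns into an error page spliced into the URL, and the outer `curl -LO` without `-f` saves a 404 body as `kubectl` and then `chmod`s it; the istioctl tarball is likewise piped into `tar xz` with no checksum. Two builds of the same base tag can therefore ship different kubectl versions, which works against the caching goal in the commit message, and Dockerfile-operator-base pins v1.14.6 so the two images already disagree. The `curl -LO` without `-f` and the missing checksum apply to Dockerfile-operator-base as well. Below, the version and digests are build args with labelled placeholder defaults to be filled in from the upstream release artifacts.
```dockerfile
# … unchanged: ARG basetag / ARG baserepo / FROM …
# Placeholders: pin the kubectl release and fill in the sha256 of each downloaded artifact
ARG KUBECTL_VERSION=<pinned-kubectl-version>
ARG KUBECTL_SHA256=<sha256-of-kubectl-binary>
ARG ISTIOCTL_SHA256=<sha256-of-istioctl-1.6.5-linux-amd64.tar.gz>
RUN curl -fsSL -o /usr/local/bin/kubectl "https://storage.googleapis.com/kubernetes-release/release/${KUBECTL_VERSION}/bin/linux/amd64/kubectl" \
    && echo "${KUBECTL_SHA256}  /usr/local/bin/kubectl" | sha256sum -c - \
    && chmod u+x /usr/local/bin/kubectl \
    && curl -fsSL -o /tmp/istioctl.tar.gz "https://github.com/istio/istio/releases/download/1.6.5/istioctl-1.6.5-linux-amd64.tar.gz" \
    && echo "${ISTIOCTL_SHA256}  /tmp/istioctl.tar.gz" | sha256sum -c - \
    && tar xzf /tmp/istioctl.tar.gz -C /usr/local/bin istioctl \
    && chmod u+x /usr/local/bin/istioctl \
    && rm -f /tmp/istioctl.tar.gz \
    && mkdir -p /usr/local/var/lib/aci-cni
# … unchanged: CMD …
```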
@@ -9,40 +8,6 @@ version="v1.0.0" \
 release="1" \
 summary="This is an ACI CNI Host-Agent." \
 description="This will deploy a single instance of ACI CNI Host-Agent."
-COPY dist-static/iptables-libs.tar.gz dist-static/iptables-bin.tar.gz dist-static/iptables-wrapper-installer.sh /tmp/
-RUN tar -zxf /tmp/iptables-bin.tar.gz -C /usr/sbin \
- && tar -zxf /tmp/iptables-libs.tar.gz -C /lib64
-RUN for i in iptables-legacy iptables-legacy-restore iptables-legacy-save iptables iptables-restore iptables-save; \
- do \
- ln -s -f xtables-legacy-multi "/sbin/$i"; \
- done;
-RUN for i in ip6tables-legacy ip6tables-legacy-restore ip6tables-legacy-save ip6tables ip6tables-restore ip6tables-save; \
- do \
- ln -s -f xtables-legacy-multi "/sbin/$i"; \
- done;
-RUN for i in iptables-nft iptables-nft-restore iptables-nft-save ip6tables-nft ip6tables-nft-restore ip6tables-nft-save \
- iptables-translate ip6tables-translate iptables-restore-translate ip6tables-restore-translate \
- arptables-nft arptables arptables-nft-restore arptables-restore arptables-nft-save arptables-save \
- ebtables-nft ebtables ebtables-nft-restore ebtables-restore ebtables-nft-save ebtables-save xtables-monitor; \
- do \
- ln -s -f xtables-nft-multi "/sbin/$i"; \
- done;
-# Add iptables alternatives at lowst priority before running wrappers
-RUN alternatives --install /usr/sbin/iptables iptables /usr/sbin/iptables-legacy 1 \
- --slave /usr/sbin/iptables-restore iptables-restore /usr/sbin/iptables-legacy-restore \
- --slave /usr/sbin/iptables-save iptables-save /usr/sbin/iptables-legacy-save \
- --slave /usr/sbin/ip6tables ip6tables /usr/sbin/ip6tables-legacy \
- --slave /usr/sbin/ip6tables-restore ip6tables-restore /usr/sbin/ip6tables-legacy-restore \
- --slave /usr/sbin/ip6tables-save ip6tables-save /usr/sbin/ip6tables-legacy-save \
- && alternatives --install /usr/sbin/iptables iptables /usr/sbin/iptables-nft 1 \
- --slave /usr/sbin/iptables-restore iptables-restore /usr/sbin/iptables-nft-restore \
- --slave /usr/sbin/iptables-save iptables-save /usr/sbin/iptables-nft-save \
- --slave /usr/sbin/ip6tables ip6tables /usr/sbin/ip6tables-nft \
- --slave /usr/sbin/ip6tables-restore ip6tables-restore /usr/sbin/ip6tables-nft-restore \
- --slave /usr/sbin/ip6tables-save ip6tables-save /usr/sbin/ip6tables-nft-save
-# Add iptables-wrapper alternative at prio 100 that would
-# at run time use one of the above alternatives installed
-RUN /tmp/iptables-wrapper-installer.sh
 # Required Licenses
 COPY docker/licenses /licenses
 COPY dist-static/aci-containers-host-agent dist-static/opflex-agent-cni docker/launch-hostagent.sh docker/enable-hostacc.sh docker/enable-droplog.sh /usr/local/bin/
diff --git a/docker/Dockerfile-host-base b/docker/Dockerfile-host-base
new file mode 100644
index 0000000000..33d073b365
--- /dev/null
+++ b/docker/Dockerfile-host-base
@@ -0,0 +1,41 @@
+ARG basetag=latest
+ARG baserepo=quay.io/noirolabs
+FROM ${baserepo}/aci-containers-base:${basetag}
+RUN yum --disablerepo=\*ubi\* --enablerepo=openstack-15-for-rhel-8-x86_64-rpms \
+ --enablerepo=fast-datapath-for-rhel-8-x86_64-rpms --enablerepo codeready-builder-for-rhel-8-x86_64-rpms install -y iproute nftables openvswitch libnetfilter_conntrack-devel \
+ && yum clean all
+COPY dist-static/iptables-libs.tar.gz dist-static/iptables-bin.tar.gz dist-static/iptables-wrapper-installer.sh /tmp/
+RUN tar -zxf /tmp/iptables-bin.tar.gz -C /usr/sbin \
+ && tar -zxf /tmp/iptables-libs.tar.gz -C /lib64
+RUN for i in iptables-legacy iptables-legacy-restore iptables-legacy-save iptables iptables-restore iptables-save; \
+ do \
+ ln -s -f xtables-legacy-multi "/sbin/$i"; \
+ done;
+RUN for i in ip6tables-legacy ip6tables-legacy-restore ip6tables-legacy-save ip6tables ip6tables-restore ip6tables-save; \
+ do \
+ ln -s -f xtables-legacy-multi "/sbin/$i"; \
+ done;
+RUN for i in iptables-nft iptables-nft-restore iptables-nft-save ip6tables-nft ip6tables-nft-restore ip6tables-nft-save \
+ iptables-translate ip6tables-translate iptables-restore-translate ip6tables-restore-translate \
+ arptables-nft arptables arptables-nft-restore arptables-restore arptables-nft-save arptables-save \
+ ebtables-nft ebtables ebtables-nft-restore ebtables-restore ebtables-nft-save ebtables-save xtables-monitor; \
+ do \
+ ln -s -f xtables-nft-multi "/sbin/$i"; \
+ done;
+# Add iptables alternatives at lowst priority before running wrappers
+RUN alternatives --install /usr/sbin/iptables iptables /usr/sbin/iptables-legacy 1 \
+ --slave /usr/sbin/iptables-restore iptables-restore /usr/sbin/iptables-legacy-restore \
+ --slave /usr/sbin/iptables-save iptables-save /usr/sbin/iptables-legacy-save \
+ --slave /usr/sbin/ip6tables ip6tables /usr/sbin/ip6tables-legacy \
+ --slave /usr/sbin/ip6tables-restore ip6tables-restore /usr/sbin/ip6tables-legacy-restore \
+ --slave /usr/sbin/ip6tables-save ip6tables-save /usr/sbin/ip6tables-legacy-save \
+ && alternatives --install /usr/sbin/iptables iptables /usr/sbin/iptables-nft 1 \
+ --slave /usr/sbin/iptables-restore iptables-restore /usr/sbin/iptables-nft-restore \
+ --slave /usr/sbin/iptables-save iptables-save /usr/sbin/iptables-nft-save \
+ --slave /usr/sbin/ip6tables ip6tables /usr/sbin/ip6tables-nft \
+ --slave /usr/sbin/ip6tables-restore ip6tables-restore /usr/sbin/ip6tables-nft-restore \
+ --slave /usr/sbin/ip6tables-save ip6tables-save /usr/sbin/ip6tables-nft-save
+# Add iptables-wrapper alternative at prio 100 that would
+# at run time use one of the above alternatives installed
+RUN /tmp/iptables-wrapper-installer.sh
+CMD ["/usr/bin/sh"]
diff --git a/docker/Dockerfile-openvswitch b/docker/Dockerfile-openvswitch
index addb009505..90e6b420db 100644
--- a/docker/Dockerfile-openvswitch
+++ b/docker/Dockerfile-openvswitch
@@ -1,7 +1,6 @@
-FROM registry.access.redhat.com/ubi8/ubi:latest
-RUN yum install -y --enablerepo=openstack-15-for-rhel-8-x86_64-rpms \
- --enablerepo=fast-datapath-for-rhel-8-x86_64-rpms openvswitch2.13 logrotate conntrack-tools \
- tcpdump curl strace ltrace iptables net-tools && yum clean all
+ARG basetag=latest
+ARG baserepo=quay.io/noirolabs
+FROM ${baserepo}/aci-containers-openvswitch-base:${basetag}
 # Required OpenShift Labels
 LABEL name="ACI CNI Openvswitch" \
 vendor="Cisco" \
diff --git a/docker/Dockerfile-openvswitch-base b/docker/Dockerfile-openvswitch-base
new file mode 100644
index 0000000000..7a9bb4cddc
--- /dev/null
+++ b/docker/Dockerfile-openvswitch-base
@@ -0,0 +1,7 @@
+ARG basetag=latest
+ARG baserepo=quay.io/noirolabs
+FROM ${baserepo}/aci-containers-base:${basetag}
+RUN yum install -y --enablerepo=openstack-15-for-rhel-8-x86_64-rpms \
+ --enablerepo=fast-datapath-for-rhel-8-x86_64-rpms openvswitch2.13 logrotate conntrack-tools \
+ tcpdump curl strace ltrace iptables net-tools && yum clean all
+CMD ["/usr/bin/sh"]
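Review bot: In Dockerfile-host-base the `COPY … /tmp/` of the two iptables tarballs and the wrapper installer persists them in their own layer, and nothing removes them from `/tmp` afterwards, so the base image carries the archives both as files and as their extracted content. Because the archives are local build-context files, `ADD dist-static/iptables-bin.tar.gz /usr/sbin/` and `ADD dist-static/iptables-libs.tar.gz /lib64/` extract them in place without a staging copy, and the installer can be dropped in the step that runs it: `RUN /tmp/iptables-wrapper-installer.sh && rm -f /tmp/iptables-wrapper-installer.sh`. The symlink loops write `/sbin/$i` while the binaries are extracted to `/usr/sbin` and the `alternatives` calls reference `/usr/sbin`; that presumably relies on `/sbin` being a symlink to `/usr/sbin` in this base, which is worth a comment so the assumption is confirmed rather than implicit. The comment `# Add iptables alternatives at lowst priority before running wrappers` should read `lowest`.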
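Review bot: Dockerfile-openvswitch-base installs `tcpdump strace ltrace net-tools` into a base that every openvswitch image inherits, which puts packet-capture and process-tracing tools into a production image and enlarges both its size and its attack surface; if they are needed for operational troubleshooting, a comment on the `RUN yum install` line saying so (or a separate debug variant) would make the choice explicit. This RUN also omits the `--disablerepo=\*ubi\*` that the other *-base files pass, and reinstalls `curl` although aci-containers-base already provides it; neither is clearly wrong, but a short comment would tell the next reader whether the difference is intentional. Package versions are unpinned, so two builds of the same base tag may differ.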
diff --git a/docker/Dockerfile-operator b/docker/Dockerfile-operator
index 23104ae01f..ccc299150b 100644
--- a/docker/Dockerfile-operator
+++ b/docker/Dockerfile-operator
@@ -1,8 +1,6 @@
-FROM registry.access.redhat.com/ubi8/ubi:latest
-RUN yum --disablerepo=\*ubi\* install -y curl git \
- && yum clean all \
- && curl -LO https://storage.googleapis.com/kubernetes-release/release/v1.14.6/bin/linux/amd64/kubectl \
- && chmod u+x kubectl && mv kubectl /usr/local/bin/kubectl
+ARG basetag=latest
+ARG baserepo=quay.io/noirolabs
+FROM ${baserepo}/aci-containers-operator-base:${basetag}
 # Required OpenShift Labels
 LABEL name="ACI CNI Operator" \
 vendor="Cisco" \
diff --git a/docker/Dockerfile-operator-base b/docker/Dockerfile-operator-base
new file mode 100644
index 0000000000..cbb2ef4918
--- /dev/null
+++ b/docker/Dockerfile-operator-base
@@ -0,0 +1,8 @@
+ARG basetag=latest
+ARG baserepo=quay.io/noirolabs
+FROM ${baserepo}/aci-containers-base:${basetag}
+RUN yum --disablerepo=\*ubi\* install -y curl git \
+ && yum clean all \
+ && curl -LO https://storage.googleapis.com/kubernetes-release/release/v1.14.6/bin/linux/amd64/kubectl \
+ && chmod u+x kubectl && mv kubectl /usr/local/bin/kubectl
+CMD ["/usr/bin/sh"]
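Review bot: Dockerfile-operator-base installs its own kubectl (v1.14.6) while Dockerfile-controller-base installs a second one resolved from stable.txt at build time, so the hierarchy this commit introduces ends up with two different kubectl versions in sibling images even though both build on aci-containers-base. Since the stated goal is to normalize common packages into the shared base, installing one pinned kubectl in Dockerfile-aci-containers-base (fetched with `curl -fsSL` and checked against its published sha256) and dropping the per-image downloads would leave a single version to keep current. The `curl -LO` here also lacks `-f`, so an HTTP error body would be saved as `kubectl` and made executable.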