From 622d9520eb57e887c6d27bec94aa9689b4f83d09 Mon Sep 17 00:00:00 2001 From: Daichi Sakaue Date: Thu, 5 Dec 2024 19:16:59 +0900 Subject: [PATCH] Fix cilium-agent image Signed-off-by: Daichi Sakaue --- .../actions/build_cilium-agent/action.yaml | 66 ---- .../actions/build_cilium-envoy/action.yaml | 75 ---- .../build_cilium-image-tools/action.yaml | 83 ---- .github/workflows/main.yaml | 26 +- cilium/.dockerignore | 3 + cilium/.gitignore | 2 + cilium/Dockerfile | 354 ++++++++++++++---- cilium/Makefile | 125 +++++++ cilium/TAG | 2 +- cilium/e2e/Makefile | 45 +++ cilium/e2e/values.yaml | 16 + maintenance.md | 33 +- 12 files changed, 503 insertions(+), 327 deletions(-) delete mode 100644 .github/actions/build_cilium-agent/action.yaml delete mode 100644 .github/actions/build_cilium-envoy/action.yaml delete mode 100644 .github/actions/build_cilium-image-tools/action.yaml create mode 100644 cilium/.gitignore create mode 100644 cilium/Makefile create mode 100644 cilium/e2e/Makefile create mode 100644 cilium/e2e/values.yaml diff --git a/.github/actions/build_cilium-agent/action.yaml b/.github/actions/build_cilium-agent/action.yaml deleted file mode 100644 index e234739b3..000000000 --- a/.github/actions/build_cilium-agent/action.yaml +++ /dev/null 
@@ -1,66 +0,0 @@ -name: "Build Cilium Agent" -description: "Building cilium-agent" -inputs: - github_token: - description: "GitHub Token" - required: true - yamory_token: - description: "Yamory Access Token" - required: true - cilium-proxy_version: - description: "cilium/proxy(envoy) version" - required: true - image-tools_version: - description: "cilium/image-tools version" - required: true -runs: - using: composite - steps: - - name: Setup build environment - uses: ./.github/actions/setup - with: - github_token: ${{ inputs.github_token }} - - - id: prepare - name: Prepare build parameters - uses: ./.github/actions/prepare_build_params - with: - dir: ./cilium - container-image: cilium - github_token: ${{ inputs.github_token }} - request-scan: "true" - - - name: Build Cilium Envoy - if: ${{ steps.prepare.outputs.build }} - uses: ./.github/actions/build_cilium-envoy - with: - github_token: ${{ inputs.github_token }} - cilium-proxy_version: ${{ inputs.cilium-proxy_version }} - - - name: Build Cilium image tools - if: ${{ steps.prepare.outputs.build }} - uses: ./.github/actions/build_cilium-image-tools - with: - github_token: ${{ inputs.github_token }} - image-tools_version: ${{ inputs.image-tools_version }} - - - name: Build cilium-agent image and push - if: ${{ steps.prepare.outputs.build }} - uses: docker/build-push-action@v5 - with: - context: cilium - platforms: "linux/amd64" - provenance: false - push: ${{ steps.prepare.outputs.docker_push }} - tags: | - ${{ steps.prepare.outputs.tag }} - ${{ steps.prepare.outputs.branch }} - - - name: Scan images - if: ${{ steps.prepare.outputs.scan }} - uses: ./.github/actions/trivy_scan - with: - dir: ./cilium - container-image: cilium - tag: ${{ steps.prepare.outputs.tag }} - yamory_token: ${{ inputs.yamory_token }} diff --git a/.github/actions/build_cilium-envoy/action.yaml b/.github/actions/build_cilium-envoy/action.yaml deleted file mode 100644 index 216bcead2..000000000 
--- a/.github/actions/build_cilium-envoy/action.yaml +++ /dev/null 
@@ -1,75 +0,0 @@ -name: "Build Cilium Envoy" -description: "Build Cilium Envoy" -inputs: - cilium-proxy_version: - description: "cilium-proxy(envoy) version" - required: true -runs: - using: composite - steps: - - name: Install dependencies - shell: bash - run: | - sudo apt-get update - sudo apt-get install -y --no-install-recommends \ - ca-certificates \ - autoconf \ - automake \ - cmake \ - coreutils \ - curl \ - git \ - libtool \ - make \ - ninja-build \ - patch \ - patchelf \ - python3 \ - python-is-python3 \ - unzip \ - virtualenv \ - wget \ - zip \ - software-properties-common - wget -qO- https://apt.llvm.org/llvm-snapshot.gpg.key | sudo tee /etc/apt/trusted.gpg.d/apt.llvm.org.asc > /dev/null - sudo apt-add-repository -y "deb http://apt.llvm.org/jammy/ llvm-toolchain-jammy-17 main" - sudo apt-get update - - - name: Download cilium/proxy - shell: bash - run: | - mkdir -p cilium/src/workspace/usr/bin cilium/src/cilium-proxy - curl -sSLf https://github.com/cilium/proxy/archive/${{ inputs.cilium-proxy_version }}.tar.gz | \ - tar zxf - --strip-components 1 -C cilium/src/cilium-proxy - - - name: Setup Clang - shell: bash - working-directory: cilium/src/cilium-proxy - run: | - make clang.bazelrc - - - name: Build libcilium.so - shell: bash - run: | - mkdir -p cilium/src/workspace/usr/lib - cd cilium/src/cilium-proxy - make -C proxylib all && mv proxylib/libcilium.so ../workspace/usr/lib - - - name: Build cilium-envoy - shell: bash - env: - # https://github.com/envoyproxy/envoy/issues/34368 - BAZEL_BUILD_OPTS: "--remote_upload_local_results=false --disk_cache=/tmp/bazel-cache --verbose_failures --copt=--gcc-install-dir=/usr/lib/gcc/x86_64-linux-gnu/11" - PKG_BUILD: 1 - DESTDIR: /tmp/install - run: | - rm -rf cilium/proxy/.cache/* - export PKG_BUILD=${{ env.PKG_BUILD }} - export DESTDIR=${{ env.DESTDIR }} - cd cilium/src/cilium-proxy - echo ${{ inputs.cilium-proxy_version }} > SOURCE_VERSION - make bazel-bin/cilium-envoy-starter bazel-bin/cilium-envoy 
BAZEL_BUILD_OPTS="${{ env.BAZEL_BUILD_OPTS }}" - ./bazel/get_workspace_status - make install - sudo mv /tmp/install/usr/bin/cilium-envoy ../workspace/usr/bin/ - sudo mv /tmp/install/usr/bin/cilium-envoy-starter ../workspace/usr/bin/ diff --git a/.github/actions/build_cilium-image-tools/action.yaml b/.github/actions/build_cilium-image-tools/action.yaml deleted file mode 100644 index 3c15365b8..000000000 --- a/.github/actions/build_cilium-image-tools/action.yaml +++ /dev/null 
@@ -1,83 +0,0 @@ -name: "Build Cilium Image Tools" -description: "Build tools which are used to build Cilium images" -inputs: - image-tools_version: - description: "cilium/image-tools version" - required: true -runs: - using: composite - steps: - - name: Install dependencies - shell: bash - env: - DEBIAN_FRONTEND: noninteractive - run: | - sudo apt-get update - sudo ln -fs /usr/share/zoneinfo/UTC /etc/localtime - sudo apt-get install -y --no-install-recommends \ - automake \ - binutils \ - bison \ - build-essential \ - ca-certificates \ - cmake \ - curl \ - flex \ - g++ \ - gcc-9 \ - git \ - libelf-dev \ - libmnl-dev \ - libtool \ - make \ - ninja-build \ - pkg-config \ - python2 \ - python3 \ - python3-pip \ - llvm \ - unzip - sudo update-alternatives --install /usr/bin/python python /usr/bin/python2 1 - sudo update-alternatives --install /usr/bin/gcc gcc /usr/bin/gcc-9 2 - - - name: Download cilium/image-tools - shell: bash - run: | - mkdir -p cilium/src/workspace/bin cilium/src/workspace/usr/local/bin cilium/src/workspace/usr/lib cilium/src/image-tools - curl -sSLf https://github.com/cilium/image-tools/archive/${{ inputs.image-tools_version }}.tar.gz | \ - tar zxf - --strip-components 1 -C cilium/src/image-tools - - - name: Build llvm - shell: bash - run: | - WORKSPACE=$(pwd)/cilium/src/workspace - cd cilium/src/image-tools - sudo images/llvm/checkout-llvm.sh - - # images/llvm/build-llvm-native.sh - sudo mkdir -p /src/llvm/llvm/build-native - cd /src/llvm/llvm/build-native - sudo cmake .. 
-G "Ninja" \
- -DLLVM_TARGETS_TO_BUILD="BPF" \
- -DLLVM_ENABLE_PROJECTS="clang" \
- -DBUILD_SHARED_LIBS="OFF" \
- -DCMAKE_BUILD_TYPE="Release" \
- -DLLVM_BUILD_RUNTIME="OFF" \
- -DCMAKE_INSTALL_PREFIX="/usr/local" \
- -DLLVM_ENABLE_Z3_SOLVER="OFF"
- sudo ninja clang llc llvm-objcopy
- sudo strip bin/clang
- sudo strip bin/llc
- sudo strip bin/llvm-objcopy
- sudo mkdir -p /out/linux/amd64/bin
- sudo cp bin/clang bin/llc bin/llvm-objcopy /out/linux/amd64/bin
-
- sudo mv /out/linux/amd64/bin/clang /out/linux/amd64/bin/llc /out/linux/amd64/bin/llvm-objcopy ${WORKSPACE}/bin/
-
- - name: Build bpftool
- shell: bash
- run: |
- cd cilium/src/image-tools
- sudo images/bpftool/checkout-linux.sh
- sudo images/bpftool/build-bpftool-native.sh
- sudo mv /out/linux/amd64/bin/bpftool ../workspace/usr/local/bin/
diff --git a/.github/workflows/main.yaml b/.github/workflows/main.yaml
index 11c162e50..badcf7bd7 100644
--- a/.github/workflows/main.yaml
+++ b/.github/workflows/main.yaml
@@ -302,12 +302,22 @@ jobs:
 build_cilium:
 runs-on: neco-containers-ubuntu-22.04
+ env:
+ go-version: "1.23.3"
 steps:
- - uses: actions/checkout@v4
- - name: Build cilium-agent image
- uses: ./.github/actions/build_cilium-agent
- with:
- github_token: ${{ secrets.GITHUB_TOKEN }}
- yamory_token: ${{ secrets.YAMORY_ACCESS_TOKEN }}
- cilium-proxy_version: 97edc2815e2c6a174d3d12e71731d54f5d32ea16
- image-tools_version: de666b61919632fb1e91fcf6259531f6bee467ee
+ - uses: actions/checkout@v4
+ - name: Setup build environment
+ uses: ./.github/actions/setup
+ with:
+ github_token: ${{ secrets.GITHUB_TOKEN }}
+ go-version: ${{ env.go-version }}
+ - name: Build container image
+ uses: ./.github/actions/build_push
+ with:
+ github_token: ${{ secrets.GITHUB_TOKEN }}
+ yamory_token: ${{ secrets.YAMORY_ACCESS_TOKEN }}
+ dir: cilium
+ container-image: cilium
+ make-targets: "checkout status test-e2e-setup test-e2e-upgrade-inotify"
+ make-post-targets: "test test-e2e"
+ request-scan: "true"
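Review bot: `make-targets` now runs `test-e2e-upgrade-inotify`, whose recipe in cilium/e2e/Makefile executes `sudo sysctl` on the runner host; on the self-hosted `neco-containers-ubuntu-22.04` runner that is a host-global, persistent change that nothing in `make-post-targets` reverts, so the step deserves a comment such as `# test-e2e-upgrade-inotify raises host inotify limits via sudo sysctl; the change persists on the runner`. The Go toolchain is now pinned in two places — `go-version: "1.23.3"` here and the `GOLANG_IMAGE` ARG in cilium/Dockerfile — so a comment pointing at the second location would help keep them from drifting. The upstream cilium/proxy and image-tools revisions removed from this step now live in cilium/Makefile, which is fine, but the `status` target's output in the job log is then the only record of what was built. The `jobs:` mapping continues outside the hunk.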
diff --git a/cilium/.dockerignore b/cilium/.dockerignore
index 0eb754e96..07b5be7f9 100644
--- a/cilium/.dockerignore
+++ b/cilium/.dockerignore
@@ -1,4 +1,7 @@
 *
 !TAG
+!src/cilium
+!src/image-tools
+!src/proxy
 !src/workspace
 !*.patch
diff --git a/cilium/.gitignore b/cilium/.gitignore
new file mode 100644
index 000000000..531a5c7e2
--- /dev/null
+++ b/cilium/.gitignore
@@ -0,0 +1,2 @@
+e2e/bin
+src
diff --git a/cilium/Dockerfile b/cilium/Dockerfile
index ece300607..81b751b91 100644
--- a/cilium/Dockerfile
+++ b/cilium/Dockerfile
@@ -1,98 +1,292 @@ -ARG GOLANG_IMAGE=ghcr.io/cybozu/golang:1.22-jammy +# Image Name Mapping: +# cilium-compiler: docker.io/cilium/image-compilers +# cilium-llvm: docker.io/cilium/cilium-llvm +# cilium-bpftool docker.io/cilium/cilium-bpftool +# cilium-iptables intermediate (https://github.com/cilium/image-tools/blob/main/images/iptables/Dockerfile) +# cilium-envoy-builder quay.io/cilium/cilium-envoy-builder +# cilium-proxylib intermediate (https://github.com/cilium/proxy/blob/main/Dockerfile) +# cilium-envoy-builder-fresh intermediate (https://github.com/cilium/proxy/blob/main/Dockerfile) +# cilium-envoy quay.io/cilium/cilium-envoy +# gops-cni-builder intermediate (https://github.com/cilium/cilium/blob/main/images/runtime/Dockerfile) +# cilium-runtime quay.io/cilium/cilium-runtime +# cilium-builder quay.io/cilium/cilium-builder +# cilium-hubble intermediate (https://github.com/cilium/cilium/blob/main/images/cilium/Dockerfile) +# cilium-agent-builder intermediate (https://github.com/cilium/cilium/blob/main/images/cilium/Dockerfile) +# +# ref: https://docs.cilium.io/en/stable/contributing/development/images/ + +ARG GOLANG_IMAGE=ghcr.io/cybozu/golang:1.23-jammy ARG UBUNTU_IMAGE=ghcr.io/cybozu/ubuntu:22.04 ARG DESTDIR=/tmp/install/linux/amd64 -# Stage1: build common -FROM ${GOLANG_IMAGE} as build-base -ARG DESTDIR -ENV DESTDIR=${DESTDIR} -COPY TAG / - -WORKDIR /go/src/github.com/cilium/ -RUN mkdir -p ${DESTDIR} \ - && VERSION=$(cut -d \. 
-f 1,2,3 < /TAG ) \ - && BRANCH=v${VERSION} \ - && git clone --depth 1 --branch ${BRANCH} https://github.com/cilium/cilium \ - && cd cilium \ - && make licenses-all \ - && mv LICENSE.all ${DESTDIR}/LICENSE \ - && apt-get update \ - && apt-get install -y --no-install-recommends binutils-aarch64-linux-gnu \ - libelf1 \ - libmnl0 \ - iptables \ - ipset \ - kmod \ - && images/runtime/build-gops.sh \ - && images/runtime/download-cni.sh \ - && mkdir -p ${DESTDIR}/usr/sbin \ - && cp images/runtime/iptables-wrapper-installer.sh \ - images/cilium/init-container.sh \ - plugins/cilium-cni/install-plugin.sh \ - plugins/cilium-cni/cni-uninstall.sh \ - ${DESTDIR} \ - && images/cilium/download-hubble.sh - - -FROM build-base as builder -COPY src/workspace/bin/llvm-objcopy /bin/ -COPY src/workspace/bin/clang src/workspace/bin/llc /bin/ -WORKDIR /go/src/github.com/cilium/cilium -ARG LIBNETWORK_PLUGIN -ARG DESTDIR -ENV PKG_BUILD=1 -ENV SKIP_DOCS=true -ENV DESTDIR=${DESTDIR} -ENV LIBNETWORK_PLUGIN=${LIBNETWORK_PLUGIN} -RUN apt-get install -y --no-install-recommends binutils \ +# ----------------------------------- +FROM ${GOLANG_IMAGE} AS cybozu-golang + +# ------------------------------------------------------------------------------------------ +# https://github.com/cilium/image-tools/blob/master/images/compilers/Dockerfile (AS builder) +FROM ${UBUNTU_IMAGE} AS cilium-compiler +COPY src/image-tools/images/compilers/install-deps.sh /tmp/install-deps.sh + +RUN /tmp/install-deps.sh + +# ------------------------------------------------------------------------------------- +# https://github.com/cilium/image-tools/blob/master/images/llvm/Dockerfile (AS builder) +FROM cilium-compiler AS cilium-llvm +COPY src/image-tools/images/llvm/checkout-llvm.sh /tmp/checkout-llvm.sh +COPY src/image-tools/images/llvm/build-llvm-native.sh /tmp/build-llvm-native.sh + +RUN /tmp/checkout-llvm.sh +RUN /tmp/build-llvm-native.sh +RUN cp /out/linux/amd64/bin/* /usr/local/bin/ + +# 
---------------------------------------------------------------------------------------- +# https://github.com/cilium/image-tools/blob/master/images/bpftool/Dockerfile (AS builder) +FROM cilium-compiler AS cilium-bpftool +COPY src/image-tools/images/bpftool/checkout-linux.sh /tmp/checkout-linux.sh +COPY src/image-tools/images/bpftool/build-bpftool-native.sh /tmp/build-bpftool-native.sh + +RUN /tmp/checkout-linux.sh +RUN /tmp/build-bpftool-native.sh + +RUN apt-get update \ + && apt-get install -y --no-install-recommends libelf1 \ + && apt-get purge --auto-remove -y + +# ----------------------------------------------------------------------------------- +# https://github.com/cilium/image-tools/blob/master/images/iptables/Dockerfile (AS .) +FROM ${UBUNTU_IMAGE} AS cilium-iptables +ENV IPTABLES_VERSION=1.8.8-1 +ENV SNAPSHOT_DATE=20230116T212610Z + +RUN mkdir /iptables +WORKDIR /iptables + +RUN apt-get update && \ + apt-get install -y --no-install-recommends debian-archive-keyring apt-src ca-certificates && \ + echo "deb-src [check-valid-until=no signed-by=/usr/share/keyrings/debian-archive-bullseye-automatic.gpg] https://snapshot.debian.org/archive/debian/${SNAPSHOT_DATE}/ bookworm main" > /etc/apt/sources.list.d/iptables-snapshot.list && \ + apt-get update && \ + apt-src -b install iptables=${IPTABLES_VERSION} && \ + apt-get clean && \ + rm -rf /var/lib/apt/lists/* + +# ---------------------------------------------------------------------- +# https://github.com/cilium/proxy/blob/main/Dockerfile.builder (AS base) +FROM ${GOLANG_IMAGE} AS cilium-envoy-builder +ARG GOLANG_IMAGE +ENV TZ=Etc/UTC +RUN ln -snf /usr/share/zoneinfo/$TZ /etc/localtime && echo $TZ > /etc/timezone + +RUN CODENAME=$(echo ${GOLANG_IMAGE} | cut -d- -f2); \ + apt-get update && \ + apt-get upgrade -y --no-install-recommends && \ + apt-get install -y --no-install-recommends \ + gcc-aarch64-linux-gnu g++-aarch64-linux-gnu libc6-dev-arm64-cross binutils-aarch64-linux-gnu \ + gcc-x86-64-linux-gnu 
g++-x86-64-linux-gnu libc6-dev-amd64-cross binutils-x86-64-linux-gnu \ + libc6-dev \ + autoconf automake cmake coreutils curl git libtool make ninja-build patch patchelf \ + python3 python-is-python3 unzip virtualenv wget zip \ + # Cilium-envoy build dependencies + software-properties-common && \ + wget -qO- https://apt.llvm.org/llvm-snapshot.gpg.key | tee /etc/apt/trusted.gpg.d/apt.llvm.org.asc && \ + apt-add-repository -y "deb http://apt.llvm.org/${CODENAME}/ llvm-toolchain-${CODENAME}-17 main" && \ + apt-get update && \ + apt-get install -y --no-install-recommends \ + clang-17 clang-tools-17 llvm-17-dev lldb-17 lld-17 clang-format-17 libc++-17-dev libc++abi-17-dev && \ + apt-get purge --auto-remove && \ + apt-get clean && \ + rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/* + +## https://github.com/bazelbuild/bazelisk?tab=readme-ov-file#installation +RUN curl -sfL https://github.com/bazelbuild/bazelisk/releases/latest/download/bazelisk-linux-amd64 -o /usr/bin/bazel && \ + chmod +x /usr/bin/bazel + +## Switch to non-root user for builds +RUN groupadd -f -g 1337 cilium && useradd -m -d /cilium/proxy -g cilium -u 1337 cilium +USER 1337:1337 +WORKDIR /cilium/proxy + +# ------------------------------------------------------------------ +# https://github.com/cilium/proxy/blob/main/Dockerfile (AS proxylib) +FROM cilium-envoy-builder AS cilium-proxylib +WORKDIR /cilium/proxy +COPY --chown=1337:1337 src/proxy ./ +ENV TARGETARCH=amd64 +RUN PATH=${PATH}:/usr/local/go/bin GOARCH=${TARGETARCH} make -C proxylib all && \ + mv proxylib/libcilium.so /tmp/libcilium.so + +# ----------------------------------------------------------------- +# https://github.com/cilium/proxy/blob/main/Dockerfile (AS builder) +FROM cilium-envoy-builder AS cilium-envoy-builder-fresh +ARG V +ARG BAZEL_BUILD_OPTS +ENV TARGETARCH=amd64 + +WORKDIR /cilium/proxy +COPY src/proxy ./ + +## https://github.com/cilium/proxy/blob/main/.github/workflows/build-envoy-images-release.yaml +## Without the next line, the 
program fails with "fatal: detected dubious ownership" +RUN git config --global --add safe.directory /cilium/proxy +RUN git rev-parse HEAD > SOURCE_VERSION +RUN ./bazel/get_workspace_status +RUN BAZEL_BUILD_OPTS="${BAZEL_BUILD_OPTS}" PKG_BUILD=1 V="$V" DESTDIR=/tmp/install make install + +## Copy proxylib after build to allow install as non-root to succeed +COPY --from=cilium-proxylib /tmp/libcilium.so /tmp/install/usr/lib/libcilium.so + +# ----------------------------------------------------------------- +# https://github.com/cilium/proxy/blob/main/Dockerfile (AS default) +FROM ${UBUNTU_IMAGE} AS cilium-envoy +RUN apt-get update && apt-get upgrade -y \ + && apt-get install --no-install-recommends -y ca-certificates \ + && apt-get autoremove -y && apt-get clean \ + && rm -rf /tmp/* /var/tmp/* \ + && rm -rf /var/lib/apt/lists/* +COPY --from=cilium-envoy-builder-fresh /tmp/install / + +# ------------------------------------------------------------------------------------------ +# https://github.com/cilium/cilium/blob/main/images/runtime/Dockerfile (AS gops-cni-builder) +FROM ${GOLANG_IMAGE} AS gops-cni-builder +RUN apt-get update && apt-get install -y binutils-aarch64-linux-gnu binutils-x86-64-linux-gnu + +COPY src/cilium/images/runtime/build-gops.sh build-gops.sh +COPY src/cilium/images/runtime/cni-version.sh cni-version.sh +COPY src/cilium/images/runtime/download-cni.sh download-cni.sh + +RUN ./build-gops.sh +RUN ./download-cni.sh + +# -------------------------------------------------------------------------------- +# https://github.com/cilium/cilium/blob/main/images/runtime/Dockerfile (AS rootfs) +# !! WARNING !! +# This is the base of the final image, do not leave anything unrelated to the final output. 
+FROM ${UBUNTU_IMAGE} AS cilium-runtime + +## Need investigation +RUN apt-get update && \ + apt-get upgrade -y && \ + apt-get install -y jq && \ + apt-get install -y libmnl0 libnetfilter-conntrack3 libnfnetlink0 libnftnl11 && \ + rm -rf /var/lib/apt/lists/* + +COPY --from=cilium-iptables /iptables /iptables +RUN dpkg -i /iptables/*\.deb && rm -rf /iptables + +WORKDIR /go/src/github.com/cilium/cilium/images/runtime +RUN --mount=type=bind,readwrite,source=src/cilium/images/runtime,target=/go/src/github.com/cilium/cilium/images/runtime \ + ./install-runtime-deps.sh && \ + ./iptables-wrapper-installer.sh --no-sanity-check + +COPY --from=cilium-llvm /usr/local/bin/clang /usr/local/bin/llc /usr/local/bin/ +COPY --from=cilium-bpftool /out/linux/amd64/bin/bpftool /usr/local/bin/ +COPY --from=gops-cni-builder /out/linux/amd64/bin/loopback /cni/loopback +COPY --from=gops-cni-builder /out/linux/amd64/bin/gops /bin/gops + +# -------------------------------------------------------------------------------- +# https://github.com/cilium/cilium/blob/main/images/builder/Dockerfile (AS rootfs) +FROM cilium-runtime AS cilium-builder + +# TARGETARCH is an automatic platform ARG enabled by Docker BuildKit. 
+ARG TARGETARCH +RUN apt-get update && \ + apt-get upgrade -y --no-install-recommends && \ + apt-get install -y --no-install-recommends \ + # Install cross tools for both arm64 on amd64 + gcc-aarch64-linux-gnu \ + g++-aarch64-linux-gnu \ + libc6-dev-arm64-cross \ + binutils-aarch64-linux-gnu \ + gcc-x86-64-linux-gnu \ + g++-x86-64-linux-gnu \ + libc6-dev-amd64-cross \ + binutils-x86-64-linux-gnu \ + # Dependencies to unzip protoc + unzip \ + # Base Cilium-build dependencies binutils \ coreutils \ curl \ gcc \ git \ libc6-dev \ - libelf-dev \ - make \ - unzip \ - libz3-dev \ - && images/builder/install-protoc.sh \ - && make build-container install-container-binary + make && \ + apt-get purge --auto-remove && \ + apt-get clean && \ + rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/* + +COPY --from=cilium-compiler /usr/lib/aarch64-linux-gnu /usr/lib/aarch64-linux-gnu +COPY --from=cybozu-golang /usr/local/go /usr/local/go + +RUN mkdir -p /go +ENV GOROOT /usr/local/go +ENV GOPATH /go +ENV PATH "${GOROOT}/bin:${GOPATH}/bin:${PATH}" + +RUN CGO_ENABLED=0 go install github.com/go-delve/delve/cmd/dlv@latest + +WORKDIR /go/src/github.com/cilium/cilium/images/builder +RUN --mount=type=bind,readwrite,source=src/cilium/images/builder,target=/go/src/github.com/cilium/cilium/images/builder \ + ./install-gitconfig.sh -FROM ${UBUNTU_IMAGE} +WORKDIR /go/src/github.com/cilium/cilium/images/builder +RUN --mount=type=bind,readwrite,source=src/cilium/images/builder,target=/go/src/github.com/cilium/cilium/images/builder \ + --mount=type=cache,target=/root/.cache \ + --mount=type=cache,target=/go/pkg \ + ./build-debug-wrapper.sh + +WORKDIR /go/src/github.com/cilium/cilium/images/builder +RUN --mount=type=bind,readwrite,source=src/cilium/images/builder,target=/go/src/github.com/cilium/cilium/images/builder \ + ./install-protoc.sh + +RUN --mount=type=bind,readwrite,source=src/cilium/images/builder,target=/go/src/github.com/cilium/cilium/images/builder \ + ./install-protoplugins.sh + +# used to 
facilitate the verifier tests +COPY --from=cilium-llvm /usr/local/bin/llvm-objcopy /bin/ + +# ------------------------------------------------------------------------------- +# https://github.com/cilium/cilium/blob/main/images/cilium/Dockerfile (AS hubble) +FROM cilium-builder AS cilium-hubble +COPY src/cilium/images/cilium/download-hubble.sh /tmp/download-hubble.sh + +RUN /tmp/download-hubble.sh +RUN /out/linux/amd64/bin/hubble completion bash > /out/linux/bash_completion + +# -------------------------------------------------------------------------------- +# https://github.com/cilium/cilium/blob/main/images/cilium/Dockerfile (AS builder) +FROM cilium-builder AS cilium-agent-builder +WORKDIR /go/src/github.com/cilium/cilium + +RUN --mount=type=bind,readwrite,source=src/cilium,target=/go/src/github.com/cilium/cilium \ + make GOARCH=amd64 DESTDIR=/tmp/install/linux/amd64 PKG_BUILD=1 \ + build-container install-container-binary + +RUN --mount=type=bind,readwrite,source=src/cilium,target=/go/src/github.com/cilium/cilium \ + make GOARCH=amd64 DESTDIR=/tmp/install/linux/amd64 PKG_BUILD=1 \ + install-bash-completion licenses-all && \ + mv LICENSE.all /tmp/install/linux/amd64/LICENSE.all + +COPY src/cilium/images/cilium/init-container.sh \ + src/cilium/plugins/cilium-cni/install-plugin.sh \ + src/cilium/plugins/cilium-cni/cni-uninstall.sh \ + /tmp/install/linux/amd64 + +# -------------------------------------------------------------------------------- +# https://github.com/cilium/cilium/blob/main/images/cilium/Dockerfile (AS release) +FROM cilium-runtime LABEL org.opencontainers.image.source="https://github.com/cybozu/neco-containers" -ARG DESTDIR -COPY src/workspace/bin/clang src/workspace/bin/llc /bin/ -COPY src/workspace/usr/local/bin /usr/local/bin -COPY src/workspace/usr/bin /usr/bin -COPY src/workspace/usr/lib /usr/lib -# When used within the Cilium container, Hubble CLI should target the -# local unix domain socket instead of Hubble Relay. 
+## When used within the Cilium container, Hubble CLI should target the +## local unix domain socket instead of Hubble Relay. ENV HUBBLE_SERVER=unix:///var/run/cilium/hubble.sock -# This version of Cilium originally shipped with an older verison of the -# Hubble CLI using legacy JSON output which we want to preserve. -ENV HUBBLE_COMPAT=legacy-json-output -COPY --from=build-base /out/linux/amd64/bin/loopback /cni/loopback -COPY --from=build-base /out/linux/amd64/bin/gops /bin/gops -COPY --from=build-base /out/linux/amd64/bin/hubble /usr/bin/hubble -COPY --from=builder ${DESTDIR} / -RUN apt-get update \ - && apt-get install -y --no-install-recommends \ - libelf1 \ - libmnl0 \ - bash-completion \ - iptables \ - ipset \ - kmod \ - ca-certificates \ - jq \ - && apt-get purge --auto-remove \ - && apt-get clean \ - && rm -rf /var/lib/apt/lists/* \ - && /iptables-wrapper-installer.sh --no-sanity-check +RUN echo ". /etc/profile.d/bash_completion.sh" >> /etc/bash.bashrc +COPY --from=cilium-envoy /usr/lib/libcilium.so /usr/lib/libcilium.so +COPY --from=cilium-envoy /usr/bin/cilium-envoy /usr/bin/cilium-envoy-starter /usr/bin/ +COPY --from=cilium-hubble /out/linux/amd64/bin/hubble /usr/bin/hubble +COPY --from=cilium-hubble /out/linux/bash_completion /etc/bash_completion.d/hubble +COPY --from=cilium-agent-builder /tmp/install/linux/amd64/ / WORKDIR /home/cilium - ENV INITSYSTEM="SYSTEMD" ENTRYPOINT ["/usr/bin/cilium-dbg"] diff --git a/cilium/Makefile b/cilium/Makefile new file mode 100644 index 000000000..0df638107 --- /dev/null +++ b/cilium/Makefile 
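Review bot: The `cilium-envoy-builder` stage fetches bazelisk from `releases/latest/download/` with no version pin and no digest check, so the toolchain that builds the `cilium-envoy` and `cilium-envoy-starter` binaries copied into the final image is whatever GitHub serves at build time; pin the release and verify it, e.g. `ARG BAZELISK_VERSION=<pinned release>` in the download URL followed by `echo "<sha256 of that release>  /usr/bin/bazel" | sha256sum -c`. The same stage pipes the apt.llvm.org key into `/etc/apt/trusted.gpg.d/`, which trusts that key for every configured apt source rather than only the LLVM repository; writing the repo line to `sources.list.d` with `signed-by=` — the pattern the `cilium-iptables` stage already uses for snapshot.debian.org — scopes the trust (the `go install ...dlv@latest` in `cilium-builder` is likewise unpinned, though it does not reach the final image). The `## Need investigation` comment left above the `cilium-runtime` apt step should say what is unresolved or be removed. `ENV GOROOT /usr/local/go` and `ENV GOPATH /go` use the legacy space-separated form that BuildKit warns about; `ENV GOROOT=/usr/local/go` is the current syntax.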
@@ -0,0 +1,125 @@ +CILIUM_REPO ?= https://github.com/cilium/cilium.git +CILIUM_TARGET ?= v$(shell cat TAG | cut -d'.' -f1-3) +CILIUM_IMAGE_TOOLS_REPO ?= https://github.com/cilium/image-tools.git +CILIUM_IMAGE_TOOLS_TARGET ?= ff8fb49706288a4b2346abc274e7a2f84d7dc02c +CILIUM_PROXY_REPO ?= https://github.com/cilium/proxy.git +CILIUM_PROXY_TARGET ?= 97edc2815e2c6a174d3d12e71731d54f5d32ea16 + +IMAGE_TAG ?= ghcr.io/cybozu/cilium:$(shell cat TAG) + +# ---- Development ---- + +.PHONY: checkout-repo +checkout-repo: + @if [ -z "$(CHECKOUT_DIR)" ]; then \ + echo "Please specify CHECKOUT_DIR."; \ + exit 1; \ + fi + @if [ -z "$(CHECKOUT_REPO)" ]; then \ + echo "Please specify CHECKOUT_REPO."; \ + exit 1; \ + fi + @if [ -z "$(CHECKOUT_TARGET)" ]; then \ + echo "Please specify CHECKOUT_TARGET."; \ + exit 1; \ + fi + if [ -d "$(CHECKOUT_DIR)" ]; then \ + echo "Skip: $(CHECKOUT_REPO) already checked out."; \ + else \ + mkdir -p $(CHECKOUT_DIR); \ + cd $(CHECKOUT_DIR); \ + git init 2>/dev/null; \ + git remote add origin $(CHECKOUT_REPO); \ + git fetch --depth 1 origin $(CHECKOUT_TARGET); \ + git checkout FETCH_HEAD 2>/dev/null; \ + fi + +.PHONY: checkout-cilium +checkout-cilium: + @CHECKOUT_DIR=src/cilium CHECKOUT_REPO=$(CILIUM_REPO) CHECKOUT_TARGET=$(CILIUM_TARGET) \ + $(MAKE) --no-print-directory checkout-repo + +.PHONY: checkout-image-tools +checkout-image-tools: + @CHECKOUT_DIR=src/image-tools CHECKOUT_REPO=$(CILIUM_IMAGE_TOOLS_REPO) CHECKOUT_TARGET=$(CILIUM_IMAGE_TOOLS_TARGET) \ + $(MAKE) --no-print-directory checkout-repo + +.PHONY: checkout-proxy +checkout-proxy: + @CHECKOUT_DIR=src/proxy CHECKOUT_REPO=$(CILIUM_PROXY_REPO) CHECKOUT_TARGET=$(CILIUM_PROXY_TARGET) \ + $(MAKE) --no-print-directory checkout-repo + +.PHONY: checkout +checkout: checkout-cilium checkout-image-tools checkout-proxy + +# The following command displays the HEAD of the locally-checkoued-out upstream repositories. 
+.PHONY: status +status: + @echo "cilium: $$(cd src/cilium; git log -n1 --decorate --pretty=oneline)" + @echo "image-tools: $$(cd src/image-tools; git log -n1 --decorate --pretty=oneline)" + @echo "proxy: $$(cd src/proxy; git log -n1 --decorate --pretty=oneline)" + +.PHONY: clean +clean: + rm -rf src + +.PHONY: build +build: checkout + docker build . --tag=$(IMAGE_TAG) + +# ---- Test & Investigation ---- + +# The following command shows tools version of the upstream image. +.PHONY: reference +reference: + @IMAGE_TAG=quay.io/cilium/cilium:$(CILIUM_TARGET) \ + $(MAKE) --no-print-directory test + +.PHONY: test +test: + docker run --rm --entrypoint bash $(IMAGE_TAG) -c 'cilium version' + docker run --rm --entrypoint bash $(IMAGE_TAG) -c 'bpftool version' + docker run --rm --entrypoint bash $(IMAGE_TAG) -c 'clang --version' + docker run --rm --entrypoint bash $(IMAGE_TAG) -c 'llc --version' + docker run --rm --entrypoint bash $(IMAGE_TAG) -c 'ip -V' + docker run --rm --entrypoint bash $(IMAGE_TAG) -c 'ss -V' + docker run --rm --entrypoint bash $(IMAGE_TAG) -c 'iptables -V' + +.PHONY: test-e2e-setup +test-e2e-setup: + @$(MAKE) --no-print-directory -C e2e setup + +.PHONY: test-e2e +test-e2e-upgrade-inotify: + @$(MAKE) --no-print-directory -C e2e upgrade-inotify + +.PHONY: test-e2e +test-e2e: + @$(MAKE) --no-print-directory -C e2e start + @$(MAKE) --no-print-directory -C e2e test + @$(MAKE) --no-print-directory -C e2e stop + +# The following command inspects the files of the final container image. +# You can inspect any intermediate image by running `docker build . --target --tag :dev`. +.PHONY: dive +dive: + @if ! which dive; then \ + echo '! Please install dive to inspect the container files.'; \ + echo ' https://github.com/wagoodman/dive'; \ + echo; \ + exit 1; \ + fi + dive $(IMAGE_TAG) + +# The following command displays the URLs of the upstream Dockerfiles to see. 
+.PHONY: urls +urls: + @echo "https://github.com/cilium/image-tools/blob/$(CILIUM_IMAGE_TOOLS_TARGET)/images/compilers/Dockerfile" + @echo "https://github.com/cilium/image-tools/blob/$(CILIUM_IMAGE_TOOLS_TARGET)/images/llvm/Dockerfile" + @echo "https://github.com/cilium/image-tools/blob/$(CILIUM_IMAGE_TOOLS_TARGET)/images/bpftool/Dockerfile" + @echo "https://github.com/cilium/image-tools/blob/$(CILIUM_IMAGE_TOOLS_TARGET)/images/iptables/Dockerfile" + @echo "https://github.com/cilium/proxy/blob/$(CILIUM_PROXY_TARGET)/Dockerfile.builder" + @echo "https://github.com/cilium/proxy/blob/$(CILIUM_PROXY_TARGET)/Dockerfile" + @echo "https://github.com/cilium/cilium/blob/$(CILIUM_TARGET)/images/runtime/Dockerfile" + @echo "https://github.com/cilium/cilium/blob/$(CILIUM_TARGET)/images/builder/Dockerfile" + @echo "https://github.com/cilium/cilium/blob/$(CILIUM_TARGET)/images/cilium/Dockerfile" diff --git a/cilium/TAG b/cilium/TAG index 1171808b7..c2848110f 100644 --- a/cilium/TAG +++ b/cilium/TAG @@ -1 +1 @@ -1.15.11.1-rc.1 +1.15.12.1-rc.1 diff --git a/cilium/e2e/Makefile b/cilium/e2e/Makefile new file mode 100644 index 000000000..6c3018e03 --- /dev/null +++ b/cilium/e2e/Makefile 
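Review bot: The `.PHONY` line above `test-e2e-upgrade-inotify:` names `test-e2e` (a copy of the declaration two stanzas below) instead of the target it precedes, so `test-e2e-upgrade-inotify` is never declared phony; change it to `.PHONY: test-e2e-upgrade-inotify`. In `checkout-repo` the clone steps are chained with `;`, so a failed `cd $(CHECKOUT_DIR)` or `git fetch` does not stop the recipe and the following `git init`/`git remote add` would run wherever the shell happens to be; chaining with `&&` (`mkdir -p $(CHECKOUT_DIR) && cd $(CHECKOUT_DIR) && git init 2>/dev/null && ...`) makes the checkout fail closed. `CILIUM_TARGET` resolves to a git tag while the image-tools and proxy targets are commit SHAs; tags can be re-pointed, so a comment such as `# CILIUM_TARGET is a tag; record the resolved SHA from 'make status' when cutting a release` would make the reproducibility caveat visible. The comment before `status` has a typo: "checkoued-out" → "checked-out".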
@@ -0,0 +1,45 @@
+SUDO ?= sudo
+IMAGE_TAG ?= ghcr.io/cybozu/cilium:$(shell cat ../TAG)
+CILIUM := bin/cilium
+CILIUM_DIR := ../src/cilium
+
+.PHONY: setup
+setup:
+ mkdir -p bin
+ curl -sL -o- https://github.com/cilium/cilium-cli/releases/latest/download/cilium-linux-amd64.tar.gz | tar -xz -C bin/
+ helm repo add cilium https://helm.cilium.io/
+ helm repo update
+
+.PHONY: format
+format:
+ yq -i values.yaml
+
+# If connectivity test fails with "too many open files", run the follwing command
+# https://kind.sigs.k8s.io/docs/user/known-issues/#pod-errors-due-to-too-many-open-files
+.PHONY: upgrade-inotify
+upgrade-inotify:
+ $(SUDO) sysctl fs.inotify.max_user_watches=524288
+ $(SUDO) sysctl fs.inotify.max_user_instances=512
+
+.PHONY: start
+start:
+ cd $(CILIUM_DIR); ./contrib/scripts/kind.sh --xdp "" 3 "" "" "none" "ipv4"
+ kind load docker-image $(IMAGE_TAG)
+ $(CILIUM) install --wait \
+ --chart-directory=$(CILIUM_DIR)/install/kubernetes/cilium \
+ --values values.yaml \
+ --set image.repository=$(shell echo $(IMAGE_TAG) | cut -d':' -f1) \
+ --set image.tag=$(shell echo $(IMAGE_TAG) | cut -d':' -f2) \
+
+# check-log-errors is disabled in CI to accomodate with the following issue:
+# https://github.com/cilium/image-tools/pull/267
+#
+# However, it ignores other valuable error messages, so please check them manually
+# when upgrading Cilium.
+.PHONY: test
+test:
+ $(CILIUM) connectivity test --test=!check-log-errors
+
+.PHONY: stop
+stop:
+ kind delete cluster
diff --git a/cilium/e2e/values.yaml b/cilium/e2e/values.yaml
new file mode 100644
index 000000000..34547d846
--- /dev/null
+++ b/cilium/e2e/values.yaml
@@ -0,0 +1,16 @@
+autoDirectNodeRoutes: true
+devices: eth+
+enableIPv6Masquerade: false
+image:
+ pullPolicy: Never
+ useDigest: false
+ipv4NativeRoutingCIDR: 10.244.0.0/16
+ipv6:
+ enabled: false
+kubeProxyReplacement: true
+loadBalancer:
+ acceleration: disabled
+ dsrDispatch: geneve
+ mode: dsr
+routingMode: native
+tunnelProtocol: geneve
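Review bot: The `setup` recipe installs cilium-cli from `releases/latest` piped straight into `tar`, with no pinned version and no checksum verification, so the e2e run picks up whatever GitHub serves at that moment and a truncated or tampered download is installed silently. Pin the CLI version in a variable and verify the `.sha256sum` file that every cilium-cli release publishes next to the tarball, as in the rewritten recipe below (the version value is a placeholder to fill in). Two smaller points in `start`: the last `--set image.tag=...` line ends with a `\` that continues onto the empty line after it, so drop that trailing backslash; and `cut -d':' -f1`/`-f2` mis-split `IMAGE_TAG` when the registry carries a port, so consider splitting on the last colon instead, e.g. `$(shell echo '$(IMAGE_TAG)' | sed 's/:[^:/]*$$//')` and `$(shell echo '$(IMAGE_TAG)' | sed 's/.*://')`.
```make
CILIUM_CLI_VERSION ?= vX.Y.Z  # placeholder: pin to a released cilium-cli tag
CILIUM_CLI_URL := https://github.com/cilium/cilium-cli/releases/download/$(CILIUM_CLI_VERSION)

.PHONY: setup
setup:
	mkdir -p bin
	curl -fsSL --remote-name-all $(CILIUM_CLI_URL)/cilium-linux-amd64.tar.gz{,.sha256sum}
	sha256sum --check cilium-linux-amd64.tar.gz.sha256sum
	tar -xzf cilium-linux-amd64.tar.gz -C bin/
	rm -f cilium-linux-amd64.tar.gz cilium-linux-amd64.tar.gz.sha256sum
	helm repo add cilium https://helm.cilium.io/
	helm repo update
# … unchanged: format, upgrade-inotify, start, test, stop …
```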
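Review bot: values.yaml has no header explaining that it is the profile for the kind e2e cluster, so a reader cannot tell why `image.pullPolicy: Never` and `image.useDigest: false` are acceptable here or what `ipv4NativeRoutingCIDR` must agree with. Add at the top `# Helm values for the kind-based e2e cluster driven by e2e/Makefile.` and `# The image is side-loaded with "kind load docker-image", so it is never pulled and no digest is pinned.`, and above the CIDR line `# Must match the pod CIDR of the kind cluster created by contrib/scripts/kind.sh.` (the 10.244.0.0/16 value is presumably kind's default; worth confirming). Because these values turn off digest pinning, they should stay confined to e2e and not be copied into a production values file.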
diff --git a/maintenance.md b/maintenance.md
index 4009c8fb6..b3562ca1e 100644
--- a/maintenance.md
+++ b/maintenance.md
@@ -337,20 +337,25 @@ follow these steps.
 ![Regular Update](./regular_update.svg)
 
 1. Check the [releases](https://github.com/cilium/cilium/releases) page for changes.
-2. If necessary, update `cilium-proxy_version` and `image-tools_version` parameters in the `.github/workflows/main.yaml`.
- 1. The `version` for envoy is referenced in the Dockerfile for `cilium` in the source repository and is a commit hash from [cilium/proxy](https://github.com/cilium/proxy)
- 2. Check the upstream Dockerfile and update the `.github/actions/build_cilium-envoy/action.yaml` as needed.
- - [Dockerfile.builder](https://github.com/cilium/proxy/blob/master/Dockerfile.builder) that includes installation of dependencies and Bazel.
- - [Dockerfile](https://github.com/cilium/proxy/blob/master/Dockerfile) that builds and installs cilium-envoy.
- 3. For `image-tools_version`, use the latest commit hash from [cilium/image-tools](https://github.com/cilium/image-tools)
- 4. Check the upstream Dockerfile and update the `.github/actions/build_cilium-image-tools/action.yaml` as needed.
- - [compilers/Dockerfile](https://github.com/cilium/image-tools/blob/master/images/compilers/Dockerfile) that includes installation of dependencies.
- - [bpftool/Dockerfile](https://github.com/cilium/image-tools/blob/master/images/bpftool/Dockerfile)
- - [llvm/Dockerfile](https://github.com/cilium/image-tools/blob/master/images/llvm/Dockerfile)
-3. Check the upstream Dockerfile. If there are any updates, update our `Dockerfile`.
- - `https://github.com/cilium/cilium/blob/vX.Y.Z/images/cilium/Dockerfile`
-4. Check whether manually applied patches have been included in the new release and remove them accordingly.
-5. Update the `BRANCH` and `TAG` files accordingly.
+2. Update `CILIUM_IMAGE_TOOLS_TARGET` and `CILIUM_PROXY_TARGET` in `neco-containers/cilium/Makefile`.
+ 1. `CILIUM_IMAGE_TOOLS_TARGET` is a commit SHA of https://github.com/cilium/image-tools .
+ Update to the latest one and go backward to find an appropriate SHA.
+ 2. `CILIUM_PROXY_TARGET` is a commit SHA of https://github.com/cilium/proxy . To find the appropriate one, do:
+ 1. Update `BRANCH` and `TAG` files.
+ 2. Run `make clean checkout-cilium`. It checks out `cilium/cilium` at `neco-containers/cilium/src/cilium`.
+ 3. Run `cat src/cilium/images/cilium/Dockerfile | grep cilium-envoy:`.
+3. Checkout `cilium/cilium`, `cilium/image-tools`, and `cilium/proxy` at the relevant SHA.
+ 1. Run `make checkout` and download them under `neco-containers/cilium/src`.
+4. Check the upstream `Dockerfile`s to make necessary changes for `neco-containers/cilium`.
+ 1. Run `make urls`. It displays all the URLs of the upstream `Dockerfile`s.
+ 2. All the build specification is written in `neco-containers/cilium/Dockerfile`. Please check the header comment of the file to find the mapping of our build targets and the upstream ones.
+5. Build `ghcr.io/cybozu/cilium` and see the result.
+ 1. Run `make build` to build.
+ 2. Run `make test` to make sanity check.
+ 3. Run `make test-e2e` to run the standard connectivity test.
+ 1. Remove `--test=!check-log-errors` in `e2e/Makefile` to confirm no important error is ignored.
+ 2. Restore the flag until we catch up with the upstream that solves the LLVM-17-related issue.
+ 4. If any problem found, `dive ghcr.io/cybozu/cilium:$(cat TAG)` will help.
 
 > [!Note]
 > The cilium-operator-generic and hubble-relay images should be updated at the same time as the cilium image for consistency.