From d2776a448e1eb4f881a3ec015b0c9221f3cf52c8 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E5=BC=A0=E7=A5=96=E5=BB=BA?= Date: Fri, 20 Sep 2024 13:34:26 +0800 Subject: [PATCH] base: rebuild go binary deps from source (#4524) Signed-off-by: zhangzujian --- .github/workflows/build-kube-ovn-base.yaml | 20 +++++ .github/workflows/build-x86-image.yaml | 98 ++++++++++++---------- Makefile | 12 +-- dist/images/Dockerfile.base | 37 +++++--- dist/images/Dockerfile.base-dpdk | 4 - dist/images/go-deps/download-go-deps.sh | 45 ++++++++++ dist/images/go-deps/rebuild-go-deps.sh | 66 +++++++++++++++ 7 files changed, 217 insertions(+), 65 deletions(-) create mode 100644 dist/images/go-deps/download-go-deps.sh create mode 100644 dist/images/go-deps/rebuild-go-deps.sh diff --git a/.github/workflows/build-kube-ovn-base.yaml b/.github/workflows/build-kube-ovn-base.yaml index 925bc91e1f3..28b48c953c5 100644 --- a/.github/workflows/build-kube-ovn-base.yaml +++ b/.github/workflows/build-kube-ovn-base.yaml @@ -9,7 +9,17 @@ jobs: - uses: actions/checkout@v4 - uses: docker/setup-buildx-action@v3 + - uses: actions/setup-go@v5 + if: (github.event.inputs.branch || matrix.branch) == matrix.branch + id: setup-go + with: + go-version-file: go.mod + check-latest: true + cache: false + - name: Build + env: + GO_VERSION: ${{ steps.setup-go.outputs.go-version }} run: | make base-amd64 make base-tar-amd64 @@ -30,7 +40,17 @@ jobs: with: platforms: arm64 + - uses: actions/setup-go@v5 + if: (github.event.inputs.branch || matrix.branch) == matrix.branch + id: setup-go + with: + go-version-file: go.mod + check-latest: true + cache: false + - name: Build + env: + GO_VERSION: ${{ steps.setup-go.outputs.go-version }} run: | make base-arm64 || make base-arm64 make base-tar-arm64 diff --git a/.github/workflows/build-x86-image.yaml b/.github/workflows/build-x86-image.yaml index 61c2a1fb839..4c66d4c2403 100644 --- a/.github/workflows/build-x86-image.yaml +++ b/.github/workflows/build-x86-image.yaml 
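Review bot: The new `actions/setup-go@v5` step in the first hunk is gated on `(github.event.inputs.branch || matrix.branch) == matrix.branch`, but the `Build` step that reads `steps.setup-go.outputs.go-version` is not, so whenever that condition is false the job passes `GO_VERSION` as an empty string and the Makefile's `$${GO_VERSION:-1.22.7}` silently substitutes the hard-coded default for whatever branch is being built; the second hunk of this file has the same shape. If the gating is intentional, make the fallback visible rather than silent, e.g. start the `Build` step's `run:` with `: "${GO_VERSION:?setup-go did not run for this branch}"`, or apply the same `if:` to the `Build` step so the skip is explicit.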
@@ -21,7 +21,6 @@ concurrency: cancel-in-progress: true env: - GO_VERSION: '' GOSEC_VERSION: '2.19.0' HELM_VERSION: v3.11.1 @@ -59,9 +58,19 @@ jobs: - uses: docker/setup-buildx-action@v3 if: steps.check.outputs.buildx == 1 - - name: Build + - uses: actions/setup-go@v5 + if: steps.check.outputs.buildx == 1 + id: setup-go + with: + go-version-file: go.mod + check-latest: true + cache: false + + - name: Build kube-ovn-base image id: build if: steps.check.outputs.buildx == 1 + env: + GO_VERSION: ${{ steps.setup-go.outputs.go-version }} run: | if git diff --name-only HEAD^ HEAD | grep -q ^dist/images/Dockerfile.base$; then make base-amd64 @@ -95,8 +104,8 @@ jobs: - uses: actions/checkout@v4 - uses: docker/setup-buildx-action@v3 - uses: actions/setup-go@v5 + id: setup-go with: - go-version: ${{ env.GO_VERSION || '' }} go-version-file: go.mod check-latest: true cache: false @@ -104,7 +113,7 @@ jobs: - name: Setup environment variables run: | echo "TAG=$(cat VERSION)" >> "$GITHUB_ENV" - echo "GO_FULL_VER=$(go env GOVERSION)" >> "$GITHUB_ENV" + echo "GO_VERSION=${{ steps.setup-go.outputs.go-version }}" >> "$GITHUB_ENV" - name: Go cache uses: actions/cache@v4 @@ -112,8 +121,8 @@ jobs: path: | ~/.cache/go-build ~/go/pkg/mod - key: ${{ runner.os }}-${{ env.GO_FULL_VER }}-x86-${{ hashFiles('**/go.sum') }} - restore-keys: ${{ runner.os }}-${{ env.GO_FULL_VER }}-x86- + key: ${{ runner.os }}-go-${{ env.GO_VERSION }}-x86-${{ hashFiles('**/go.sum') }} + restore-keys: ${{ runner.os }}-go-${{ env.GO_VERSION }}-x86- - name: Unit test run: | @@ -285,14 +294,14 @@ jobs: fi - uses: actions/setup-go@v5 + id: setup-go with: - go-version: ${{ env.GO_VERSION || '' }} go-version-file: ${{ env.E2E_DIR }}/go.mod check-latest: true cache: false - name: Export Go full version - run: echo "GO_FULL_VER=$(go env GOVERSION)" >> "$GITHUB_ENV" + run: echo "GO_VERSION=${{ steps.setup-go.outputs.go-version }}" >> "$GITHUB_ENV" - name: Lookup Go cache id: lookup-go-cache 
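Review bot: In the `@@ -59,9 +58,19 @@` hunk the `Build kube-ovn-base image` step still decides whether to rebuild with `git diff --name-only HEAD^ HEAD | grep -q ^dist/images/Dockerfile.base$`, but after this commit the base image also depends on `dist/images/go-deps/download-go-deps.sh`, `dist/images/go-deps/rebuild-go-deps.sh` and the resolved Go version, none of which that pattern matches. A change to either script would therefore ship without a base rebuild on this path; widening the trigger, e.g. `grep -qE '^dist/images/(Dockerfile\.base|go-deps/)'`, keeps the rebuild condition aligned with the Dockerfile's inputs. The enclosing `run:` block continues outside the hunk.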
@@ -301,8 +310,8 @@ jobs: path: | ~/.cache/go-build ~/go/pkg/mod - key: ${{ runner.os }}-e2e-${{ env.GO_FULL_VER }}-x86-${{ hashFiles(format('{0}/**/go.sum', env.E2E_DIR)) }} - restore-keys: ${{ runner.os }}-e2e-${{ env.GO_FULL_VER }}-x86- + key: ${{ runner.os }}-e2e-go-${{ env.GO_VERSION }}-x86-${{ hashFiles(format('{0}/**/go.sum', env.E2E_DIR)) }} + restore-keys: ${{ runner.os }}-e2e-go-${{ env.GO_VERSION }}-x86- lookup-only: true - uses: jlumbroso/free-disk-space@v1.3.1 @@ -323,8 +332,8 @@ jobs: path: | ~/.cache/go-build ~/go/pkg/mod - key: ${{ runner.os }}-e2e-${{ env.GO_FULL_VER }}-x86-${{ hashFiles(format('{0}/**/go.sum', env.E2E_DIR)) }} - restore-keys: ${{ runner.os }}-e2e-${{ env.GO_FULL_VER }}-x86- + key: ${{ runner.os }}-e2e-go-${{ env.GO_VERSION }}-x86-${{ hashFiles(format('{0}/**/go.sum', env.E2E_DIR)) }} + restore-keys: ${{ runner.os }}-e2e-go-${{ env.GO_VERSION }}-x86- - name: Install ginkgo if: steps.lookup-go-cache.outputs.cache-hit != 'true' @@ -344,8 +353,8 @@ jobs: steps: - uses: actions/checkout@v4 - uses: actions/setup-go@v5 + id: setup-go with: - go-version: ${{ env.GO_VERSION || '' }} go-version-file: go.mod check-latest: true cache: false @@ -426,14 +435,14 @@ jobs: sudo systemctl restart docker - uses: actions/setup-go@v5 + id: setup-go with: - go-version: ${{ env.GO_VERSION || '' }} go-version-file: ${{ env.E2E_DIR }}/go.mod check-latest: true cache: false - name: Export Go full version - run: echo "GO_FULL_VER=$(go env GOVERSION)" >> "$GITHUB_ENV" + run: echo "GO_VERSION=${{ steps.setup-go.outputs.go-version }}" >> "$GITHUB_ENV" - name: Go cache uses: actions/cache/restore@v4 
@@ -441,8 +450,8 @@ jobs: path: | ~/.cache/go-build ~/go/pkg/mod - key: ${{ runner.os }}-e2e-${{ env.GO_FULL_VER }}-${{ hashFiles(format('{0}/**/go.sum', env.E2E_DIR)) }} - restore-keys: ${{ runner.os }}-e2e-${{ env.GO_FULL_VER }}-x86- + key: ${{ runner.os }}-e2e-go-${{ env.GO_VERSION }}-${{ hashFiles(format('{0}/**/go.sum', env.E2E_DIR)) }} + restore-keys: ${{ runner.os }}-e2e-go-${{ env.GO_VERSION }}-x86- - name: Install kind uses: helm/kind-action@v1 @@ -574,14 +583,14 @@ jobs: sudo systemctl restart docker - uses: actions/setup-go@v5 + id: setup-go with: - go-version: ${{ env.GO_VERSION || '' }} go-version-file: ${{ env.E2E_DIR }}/go.mod check-latest: true cache: false - name: Export Go full version - run: echo "GO_FULL_VER=$(go env GOVERSION)" >> "$GITHUB_ENV" + run: echo "GO_VERSION=${{ steps.setup-go.outputs.go-version }}" >> "$GITHUB_ENV" - name: Go cache uses: actions/cache/restore@v4 @@ -589,8 +598,8 @@ jobs: path: | ~/.cache/go-build ~/go/pkg/mod - key: ${{ runner.os }}-e2e-${{ env.GO_FULL_VER }}-x86-${{ hashFiles(format('{0}/**/go.sum', env.E2E_DIR)) }} - restore-keys: ${{ runner.os }}-e2e-${{ env.GO_FULL_VER }}-x86- + key: ${{ runner.os }}-e2e-go-${{ env.GO_VERSION }}-x86-${{ hashFiles(format('{0}/**/go.sum', env.E2E_DIR)) }} + restore-keys: ${{ runner.os }}-e2e-go-${{ env.GO_VERSION }}-x86- - name: Install kind uses: helm/kind-action@v1 @@ -732,13 +741,12 @@ jobs: - uses: actions/setup-go@v5 with: - go-version: ${{ env.GO_VERSION || '' }} go-version-file: ${{ env.E2E_DIR }}/go.mod check-latest: true cache: false - name: Export Go full version - run: echo "GO_FULL_VER=$(go env GOVERSION)" >> "$GITHUB_ENV" + run: echo "GO_VERSION=${{ steps.setup-go.outputs.go-version }}" >> "$GITHUB_ENV" - name: Go cache uses: actions/cache/restore@v4 
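Review bot: In hunk `@@ -441,8 +450,8 @@` the rewritten `key:` has no `-x86-` segment while its `restore-keys:` prefix `${{ runner.os }}-e2e-go-${{ env.GO_VERSION }}-x86-` does, so the exact key can never equal what the e2e `Go cache` save step writes (its keys carry `-x86-`) and this job always falls back to the prefix restore. The mismatch predates the commit, but since the line is rewritten here it is the place to align it: `key: ${{ runner.os }}-e2e-go-${{ env.GO_VERSION }}-x86-${{ hashFiles(format('{0}/**/go.sum', env.E2E_DIR)) }}`.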
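Review bot: In hunk `@@ -732,13 +741,12 @@` the export line is switched to `${{ steps.setup-go.outputs.go-version }}`, but unlike every other hunk in this file no `id: setup-go` is added to the `actions/setup-go@v5` step directly above it (the step's `with:` block is fully visible and carries no id), so the expression evaluates to an empty string and `GO_VERSION=` is written to `$GITHUB_ENV`. The cache key in the following `@@ -746` hunk then becomes `…-e2e-go--x86-…` with no error at all. Add `id: setup-go` right after `- uses: actions/setup-go@v5`, as the other jobs do.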
@@ -746,8 +754,8 @@ jobs: path: | ~/.cache/go-build ~/go/pkg/mod - key: ${{ runner.os }}-e2e-${{ env.GO_FULL_VER }}-x86-${{ hashFiles(format('{0}/**/go.sum', env.E2E_DIR)) }} - restore-keys: ${{ runner.os }}-e2e-${{ env.GO_FULL_VER }}-x86- + key: ${{ runner.os }}-e2e-go-${{ env.GO_VERSION }}-x86-${{ hashFiles(format('{0}/**/go.sum', env.E2E_DIR)) }} + restore-keys: ${{ runner.os }}-e2e-go-${{ env.GO_VERSION }}-x86- - name: Install kind uses: helm/kind-action@v1 @@ -1013,14 +1021,14 @@ jobs: fi - uses: actions/setup-go@v5 + id: setup-go with: - go-version: ${{ env.GO_VERSION || '' }} go-version-file: ${{ env.E2E_DIR }}/go.mod check-latest: true cache: false - name: Export Go full version - run: echo "GO_FULL_VER=$(go env GOVERSION)" >> "$GITHUB_ENV" + run: echo "GO_VERSION=${{ steps.setup-go.outputs.go-version }}" >> "$GITHUB_ENV" - name: Go cache uses: actions/cache/restore@v4 @@ -1028,8 +1036,8 @@ jobs: path: | ~/.cache/go-build ~/go/pkg/mod - key: ${{ runner.os }}-e2e-${{ env.GO_FULL_VER }}-x86-${{ hashFiles(format('{0}/**/go.sum', env.E2E_DIR)) }} - restore-keys: ${{ runner.os }}-e2e-${{ env.GO_FULL_VER }}-x86- + key: ${{ runner.os }}-e2e-go-${{ env.GO_VERSION }}-x86-${{ hashFiles(format('{0}/**/go.sum', env.E2E_DIR)) }} + restore-keys: ${{ runner.os }}-e2e-go-${{ env.GO_VERSION }}-x86- - name: Install kind uses: helm/kind-action@v1 @@ -1151,14 +1159,14 @@ jobs: fi - uses: actions/setup-go@v5 + id: setup-go with: - go-version: ${{ env.GO_VERSION || '' }} go-version-file: ${{ env.E2E_DIR }}/go.mod check-latest: true cache: false - name: Export Go full version - run: echo "GO_FULL_VER=$(go env GOVERSION)" >> "$GITHUB_ENV" + run: echo "GO_VERSION=${{ steps.setup-go.outputs.go-version }}" >> "$GITHUB_ENV" - name: Go cache uses: actions/cache/restore@v4 
@@ -1166,8 +1174,8 @@ jobs: path: | ~/.cache/go-build ~/go/pkg/mod - key: ${{ runner.os }}-e2e-${{ env.GO_FULL_VER }}-x86-${{ hashFiles(format('{0}/**/go.sum', env.E2E_DIR)) }} - restore-keys: ${{ runner.os }}-e2e-${{ env.GO_FULL_VER }}-x86- + key: ${{ runner.os }}-e2e-go-${{ env.GO_VERSION }}-x86-${{ hashFiles(format('{0}/**/go.sum', env.E2E_DIR)) }} + restore-keys: ${{ runner.os }}-e2e-go-${{ env.GO_VERSION }}-x86- - name: Install kind uses: helm/kind-action@v1 @@ -1432,14 +1440,14 @@ jobs: fi - uses: actions/setup-go@v5 + id: setup-go with: - go-version: ${{ env.GO_VERSION || '' }} go-version-file: ${{ env.E2E_DIR }}/go.mod check-latest: true cache: false - name: Export Go full version - run: echo "GO_FULL_VER=$(go env GOVERSION)" >> "$GITHUB_ENV" + run: echo "GO_VERSION=${{ steps.setup-go.outputs.go-version }}" >> "$GITHUB_ENV" - name: Go cache uses: actions/cache/restore@v4 @@ -1447,8 +1455,8 @@ jobs: path: | ~/.cache/go-build ~/go/pkg/mod - key: ${{ runner.os }}-e2e-${{ env.GO_FULL_VER }}-x86-${{ hashFiles(format('{0}/**/go.sum', env.E2E_DIR)) }} - restore-keys: ${{ runner.os }}-e2e-${{ env.GO_FULL_VER }}-x86- + key: ${{ runner.os }}-e2e-go-${{ env.GO_VERSION }}-x86-${{ hashFiles(format('{0}/**/go.sum', env.E2E_DIR)) }} + restore-keys: ${{ runner.os }}-e2e-go-${{ env.GO_VERSION }}-x86- - name: Install kind uses: helm/kind-action@v1 @@ -1587,14 +1595,14 @@ jobs: sudo systemctl restart docker - uses: actions/setup-go@v5 + id: setup-go with: - go-version: ${{ env.GO_VERSION || '' }} go-version-file: ${{ env.E2E_DIR }}/go.mod check-latest: true cache: false - name: Export Go full version - run: echo "GO_FULL_VER=$(go env GOVERSION)" >> "$GITHUB_ENV" + run: echo "GO_VERSION=${{ steps.setup-go.outputs.go-version }}" >> "$GITHUB_ENV" - name: Go cache uses: actions/cache/restore@v4 
@@ -1602,8 +1610,8 @@ jobs: path: | ~/.cache/go-build ~/go/pkg/mod - key: ${{ runner.os }}-e2e-${{ env.GO_FULL_VER }}-x86-${{ hashFiles(format('{0}/**/go.sum', env.E2E_DIR)) }} - restore-keys: ${{ runner.os }}-e2e-${{ env.GO_FULL_VER }}-x86- + key: ${{ runner.os }}-e2e-go-${{ env.GO_VERSION }}-x86-${{ hashFiles(format('{0}/**/go.sum', env.E2E_DIR)) }} + restore-keys: ${{ runner.os }}-e2e-go-${{ env.GO_VERSION }}-x86- - name: Install kind uses: helm/kind-action@v1 @@ -1697,14 +1705,14 @@ jobs: fi - uses: actions/setup-go@v5 + id: setup-go with: - go-version: ${{ env.GO_VERSION || '' }} go-version-file: ${{ env.E2E_DIR }}/go.mod check-latest: true cache: false - name: Export Go full version - run: echo "GO_FULL_VER=$(go env GOVERSION)" >> "$GITHUB_ENV" + run: echo "GO_VERSION=${{ steps.setup-go.outputs.go-version }}" >> "$GITHUB_ENV" - name: Go cache uses: actions/cache/restore@v4 @@ -1712,8 +1720,8 @@ jobs: path: | ~/.cache/go-build ~/go/pkg/mod - key: ${{ runner.os }}-e2e-${{ env.GO_FULL_VER }}-x86-${{ hashFiles(format('{0}/**/go.sum', env.E2E_DIR)) }} - restore-keys: ${{ runner.os }}-e2e-${{ env.GO_FULL_VER }}-x86- + key: ${{ runner.os }}-e2e-go-${{ env.GO_VERSION }}-x86-${{ hashFiles(format('{0}/**/go.sum', env.E2E_DIR)) }} + restore-keys: ${{ runner.os }}-e2e-go-${{ env.GO_VERSION }}-x86- - name: Install kind uses: helm/kind-action@v1 diff --git a/Makefile b/Makefile index 5305b8a1fca..0132ade7a72 100644 --- a/Makefile +++ b/Makefile 
@@ -7,6 +7,8 @@ DEBUG_TAG = $(shell cat VERSION)-debug VERSION = $(shell echo $${VERSION:-$(RELEASE_TAG)}) COMMIT = git-$(shell git rev-parse --short HEAD) DATE = $(shell date +"%Y-%m-%d_%H:%M:%S") + +GO_VERSION = $(shell echo $${GO_VERSION:-1.22.7}) GOLDFLAGS = "-w -s -extldflags '-z now' -X github.com/kubeovn/kube-ovn/versions.COMMIT=$(COMMIT) -X github.com/kubeovn/kube-ovn/versions.VERSION=$(RELEASE_TAG) -X github.com/kubeovn/kube-ovn/versions.BUILDDATE=$(DATE)" CONTROL_PLANE_TAINTS = node-role.kubernetes.io/master node-role.kubernetes.io/control-plane @@ -67,9 +69,9 @@ build-dpdk: .PHONY: base-amd64 base-amd64: - docker buildx build --platform linux/amd64 --build-arg ARCH=amd64 -t $(REGISTRY)/kube-ovn-base:$(RELEASE_TAG)-amd64 -o type=docker -f dist/images/Dockerfile.base dist/images/ - docker buildx build --platform linux/amd64 --build-arg ARCH=amd64 --build-arg DEBUG=true -t $(REGISTRY)/kube-ovn-base:$(DEBUG_TAG)-amd64 -o type=docker -f dist/images/Dockerfile.base dist/images/ - docker buildx build --platform linux/amd64 --build-arg ARCH=amd64 --build-arg NO_AVX512=true -t $(REGISTRY)/kube-ovn-base:$(RELEASE_TAG)-amd64-no-avx512 -o type=docker -f dist/images/Dockerfile.base dist/images/ + docker buildx build --platform linux/amd64 --build-arg ARCH=amd64 --build-arg GO_VERSION=$(GO_VERSION) -t $(REGISTRY)/kube-ovn-base:$(RELEASE_TAG)-amd64 -o type=docker -f dist/images/Dockerfile.base dist/images/ + docker buildx build --platform linux/amd64 --build-arg ARCH=amd64 --build-arg GO_VERSION=$(GO_VERSION) --build-arg DEBUG=true -t $(REGISTRY)/kube-ovn-base:$(DEBUG_TAG)-amd64 -o type=docker -f dist/images/Dockerfile.base dist/images/ + docker buildx build --platform linux/amd64 --build-arg ARCH=amd64 --build-arg GO_VERSION=$(GO_VERSION) --build-arg NO_AVX512=true -t $(REGISTRY)/kube-ovn-base:$(RELEASE_TAG)-amd64-no-avx512 -o type=docker -f dist/images/Dockerfile.base dist/images/ .PHONY: base-amd64-dpdk base-amd64-dpdk: 
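Review bot: `GO_VERSION = $(shell echo $${GO_VERSION:-1.22.7})` introduces a second copy of the toolchain version beside the one in `go.mod` that every workflow already reads via `go-version-file`, so a Go bump in `go.mod` leaves local `make base-*` builds on the old compiler until someone remembers this line. Deriving the default from `go.mod` keeps a single source of truth, e.g. `GO_VERSION = $(shell echo $${GO_VERSION:-$$(sed -n 's/^go //p' go.mod)})`; if `go.mod` carries only `MAJOR.MINOR`, `golang:MAJOR.MINOR-alpine` is still a valid image tag, so the `FROM` line keeps working.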
@@ -77,8 +79,8 @@ base-amd64-dpdk: .PHONY: base-arm64 base-arm64: - docker buildx build --platform linux/arm64 --build-arg ARCH=arm64 -t $(REGISTRY)/kube-ovn-base:$(RELEASE_TAG)-arm64 -o type=docker -f dist/images/Dockerfile.base dist/images/ - docker buildx build --platform linux/arm64 --build-arg ARCH=arm64 --build-arg DEBUG=true -t $(REGISTRY)/kube-ovn-base:$(DEBUG_TAG)-arm64 -o type=docker -f dist/images/Dockerfile.base dist/images/ + docker buildx build --platform linux/arm64 --build-arg ARCH=arm64 --build-arg GO_VERSION=$(GO_VERSION) -t $(REGISTRY)/kube-ovn-base:$(RELEASE_TAG)-arm64 -o type=docker -f dist/images/Dockerfile.base dist/images/ + docker buildx build --platform linux/arm64 --build-arg ARCH=arm64 --build-arg GO_VERSION=$(GO_VERSION) --build-arg DEBUG=true -t $(REGISTRY)/kube-ovn-base:$(DEBUG_TAG)-arm64 -o type=docker -f dist/images/Dockerfile.base dist/images/ .PHONY: image-kube-ovn image-kube-ovn: build-go diff --git a/dist/images/Dockerfile.base b/dist/images/Dockerfile.base index 61b966eea66..57d46555587 100644 --- a/dist/images/Dockerfile.base +++ b/dist/images/Dockerfile.base @@ -1,5 +1,7 @@ # syntax = docker/dockerfile:experimental -FROM ubuntu:22.04 as ovs-builder +ARG GO_VERSION + +FROM ubuntu:22.04 AS ovs-builder ARG ARCH ARG NO_AVX512=false @@ -78,6 +80,23 @@ RUN mkdir /packages/ && \ cp /usr/src/ovn-*deb /packages && \ cd /packages && rm -f *datapath* *docker* *vtep* *test* *dev* +FROM ghcr.io/aquasecurity/trivy:latest AS trivy + +ARG ARCH +ENV CNI_VERSION="v1.5.1" +ENV KUBE_VERSION="v1.30.5" + +RUN apk --no-cache add curl jq +ADD go-deps/download-go-deps.sh / +RUN sh -x /download-go-deps.sh + +FROM golang:$GO_VERSION-alpine AS go-deps + +RUN apk --no-cache add bash curl jq +ADD go-deps/rebuild-go-deps.sh / +RUN --mount=type=bind,target=/trivy,from=trivy,source=/godeps \ + bash -x /rebuild-go-deps.sh + FROM ubuntu:22.04 ARG DEBIAN_FRONTEND=noninteractive 
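Review bot: In the `@@ -1,5 +1,7 @@` hunk `ARG GO_VERSION` is declared without a default, so a `docker build -f dist/images/Dockerfile.base` run outside `make` (which injects `--build-arg GO_VERSION=...`) resolves `FROM golang:$GO_VERSION-alpine` to the invalid reference `golang:-alpine`. Giving the ARG the default the Makefile already uses, `ARG GO_VERSION=1.22.7`, keeps both entry points consistent; the build-arg passed by make still overrides it.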
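Review bot: In the `@@ -78,6 +80,23 @@` hunk the `trivy` stage sets `ENV CNI_VERSION` and `ENV KUBE_VERSION`, but `download-go-deps.sh` reads `CNI_PLUGINS_VERSION` and `KUBECTL_VERSION` and falls back to its own defaults, so these two ENV lines are never consumed and bumping them in the Dockerfile changes nothing; rename them to `ENV CNI_PLUGINS_VERSION="v1.5.1"` and `ENV KUBECTL_VERSION="v1.30.5"` (or drop them and keep the versions in the script only). `FROM ghcr.io/aquasecurity/trivy:latest` also makes the base image depend on a floating scanner release, so two builds of the same commit can produce different `trivy-targets.txt` contents and hence different binaries; pinning to a version tag or `@sha256:<digest>` and bumping deliberately keeps the base image reproducible.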
@@ -94,15 +113,6 @@ RUN mkdir -p /var/run/openvswitch && \ mkdir -p /etc/cni/net.d && \ mkdir -p /opt/cni/bin -ARG ARCH -ENV CNI_VERSION=v1.5.1 -RUN curl -sSf -L --retry 5 https://github.com/containernetworking/plugins/releases/download/${CNI_VERSION}/cni-plugins-linux-${ARCH}-${CNI_VERSION}.tgz | tar -xz -C . ./loopback ./portmap ./macvlan - -ENV KUBE_VERSION="v1.30.5" - -RUN curl -L https://dl.k8s.io/${KUBE_VERSION}/kubernetes-client-linux-${ARCH}.tar.gz | tar -xz -C . && cp ./kubernetes/client/bin/kubectl /usr/bin/kubectl \ - && chmod +x /usr/bin/kubectl && rm -rf ./kubernetes - RUN --mount=type=bind,target=/packages,from=ovs-builder,source=/packages \ dpkg -i /packages/libopenvswitch*.deb && \ dpkg -i /packages/python3-openvswitch*.deb && \ @@ -111,12 +121,17 @@ RUN --mount=type=bind,target=/packages,from=ovs-builder,source=/packages \ mv /usr/lib/python3.7/dist-packages/ovs /usr/lib/python3/dist-packages/ && \ rm -rf /var/lib/openvswitch/pki/ -ENV DUMB_INIT_VERSION="1.2.5" +ARG ARCH +ARG DUMB_INIT_VERSION="1.2.5" RUN dump_arch="x86_64"; \ if [ "$ARCH" = "arm64" ]; then dump_arch="aarch64"; fi; \ curl -sSf -L --retry 5 -o /usr/bin/dumb-init https://github.com/Yelp/dumb-init/releases/download/v${DUMB_INIT_VERSION}/dumb-init_${DUMB_INIT_VERSION}_${dump_arch} && \ chmod +x /usr/bin/dumb-init +RUN --mount=type=bind,target=/godeps,from=go-deps,source=/godeps \ + cp /godeps/loopback /godeps/portmap /godeps/macvlan ./ && \ + cp /godeps/kubectl /godeps/gobgp /usr/bin/ + RUN --mount=type=bind,target=/packages,from=ovs-builder,source=/packages \ dpkg -i /packages/openvswitch-*.deb /packages/python3-openvswitch*.deb && \ dpkg -i --ignore-depends=openvswitch-switch,openvswitch-common /packages/ovn-*.deb && \ diff --git a/dist/images/Dockerfile.base-dpdk b/dist/images/Dockerfile.base-dpdk index ddcc5d89dff..3698a8cba26 100644 --- a/dist/images/Dockerfile.base-dpdk +++ b/dist/images/Dockerfile.base-dpdk 
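Review bot: In hunk `@@ -111,12 +121,17 @@` the line `cp /godeps/kubectl /godeps/gobgp /usr/bin/` expects a `gobgp` binary in the `go-deps` stage, but neither new script produces one (`download-go-deps.sh` fetches only the three CNI plugins and kubectl, and `rebuild-go-deps.sh` only copies what that stage already holds), so unless gobgp lands in `/godeps` from a part of this Dockerfile outside the hunk the `cp` fails at build time. If gobgp is meant to go through the same scan-and-rebuild path it needs an entry in the download script and a matching `case` arm in the rebuild script; if not, drop `/godeps/gobgp` from the `cp`. Separately, `ENV DUMB_INIT_VERSION` became `ARG DUMB_INIT_VERSION`, which removes the variable from the final image's environment — fine if nothing reads it at runtime, but worth a one-line comment so the change reads as intentional.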
@@ -85,10 +85,6 @@ RUN mkdir -p /var/run/openvswitch && \ mkdir -p /etc/cni/net.d && \ mkdir -p /opt/cni/bin -ARG ARCH -ENV CNI_VERSION=v1.5.1 -RUN curl -sSf -L --retry 5 https://github.com/containernetworking/plugins/releases/download/${CNI_VERSION}/cni-plugins-linux-${ARCH}-${CNI_VERSION}.tgz | tar -xz -C . ./loopback ./portmap ./macvlan - RUN --mount=type=bind,target=/packages,from=ovs-builder,source=/packages \ dpkg -i /packages/libopenvswitch*.deb && \ dpkg -i /packages/openvswitch-*.deb && \
diff --git a/dist/images/go-deps/download-go-deps.sh b/dist/images/go-deps/download-go-deps.sh
new file mode 100644
index 00000000000..9ea9549c971
--- /dev/null
+++ b/dist/images/go-deps/download-go-deps.sh
@@ -0,0 +1,45 @@
+#!/bin/sh
+
+set -e
+
+ARCH=${ARCH:-amd64}
+CNI_PLUGINS_VERSION=${CNI_PLUGINS_VERSION:-v1.5.1}
+KUBECTL_VERSION=${KUBECTL_VERSION:-v1.30.5}
+
+
+DEPS_DIR=/godeps
+
+mkdir -p "$DEPS_DIR"
+
+curl -sSf -L --retry 5 https://github.com/containernetworking/plugins/releases/download/${CNI_PLUGINS_VERSION}/cni-plugins-linux-${ARCH}-${CNI_PLUGINS_VERSION}.tgz | \
+ tar -xz -C "$DEPS_DIR" ./loopback ./portmap ./macvlan
+
+curl -L https://dl.k8s.io/${KUBECTL_VERSION}/kubernetes-client-linux-${ARCH}.tar.gz | \
+ tar -xz -C "$DEPS_DIR" --strip-components=3 kubernetes/client/bin/kubectl
+
+ls -lh "$DEPS_DIR"
+
+trivy rootfs --ignore-unfixed --scanners vuln --pkg-types library -f json --output trivy.json "$DEPS_DIR"
+
+cat trivy.json
+
+TARGETS_FILE="$DEPS_DIR/trivy-targets.txt"
+
+: > "$TARGETS_FILE"
+jq -r '.Results[] | select((.Type=="gobinary") and (.Vulnerabilities!=null)) | .Target' trivy.json | while read f; do
+ name=$(basename $f)
+ case $name in
+ loopback|macvlan|portmap)
+ echo "$name@$CNI_PLUGINS_VERSION" >> "$TARGETS_FILE"
+ ;;
+ kubectl)
+ echo "$name@$KUBECTL_VERSION" >> "$TARGETS_FILE"
+ ;;
+ *)
+ echo "Unknown go binary: $f"
+ exit 1
+ ;;
+ esac
+done
+
+cat "$TARGETS_FILE"
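Review bot: The kubectl download, `curl -L https://dl.k8s.io/${KUBECTL_VERSION}/kubernetes-client-linux-${ARCH}.tar.gz`, lacks the `-sSf --retry 5` used for the CNI tarball two lines earlier, so an HTTP error body is piped straight into `tar` instead of failing the build at the source; make it `curl -sSf -L --retry 5 ...`. Neither archive is integrity-checked before it is scanned and later copied into the base image; both upstream releases publish checksum files next to their tarballs, so saving the archive, verifying it with `sha256sum -c`, and only then extracting would close that gap for the binaries that trivy finds clean and therefore ships as downloaded. In the `jq ... | while read f` loop, use `read -r f` and quote `basename "$f"`, since the target path comes from trivy's JSON. The loop's `exit 1` does propagate under `set -e` because the `while` is the pipeline's last stage, but that is easy to misread — a short comment such as `# exit inside the loop ends the pipeline's last stage, so set -e aborts the script` would help the next reader.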
diff --git a/dist/images/go-deps/rebuild-go-deps.sh b/dist/images/go-deps/rebuild-go-deps.sh
new file mode 100644
index 00000000000..0f0d431654f
--- /dev/null
+++ b/dist/images/go-deps/rebuild-go-deps.sh
@@ -0,0 +1,66 @@
+#!/bin/bash
+
+set -e
+
+GO=${GO:-go}
+
+export CGO_ENABLED=${CGO_ENABLED:-0}
+
+TRIVY_DIR=/trivy
+DEPS_DIR=/godeps
+
+GO_INSTALL="$GO install -v -trimpath"
+
+export GOBIN="$DEPS_DIR"
+
+for t in $(cat "$TRIVY_DIR/trivy-targets.txt"); do
+ echo "Building $t from source..."
+ name=${t%@*}
+ version=${t#*@}
+ case $name in
+ loopback|macvlan)
+ build_flags="-ldflags '-extldflags -static -X github.com/containernetworking/plugins/pkg/utils/buildversion.BuildVersion=$version'"
+ eval $GO_INSTALL $build_flags github.com/containernetworking/plugins/plugins/main/$name@$version
+ ;;
+ portmap)
+ build_flags="-ldflags '-extldflags -static -X github.com/containernetworking/plugins/pkg/utils/buildversion.BuildVersion=$version'"
+ eval $GO_INSTALL $build_flags github.com/containernetworking/plugins/plugins/meta/$name@$version
+ ;;
+ kubectl)
+ mkdir k8s-$version
+ curl -sSf -L --retry 5 https://github.com/kubernetes/kubernetes/archive/refs/tags/$version.tar.gz | \
+ tar -xz --strip-components=1 -C k8s-$version
+ cd k8s-$version
+ source hack/lib/util.sh
+ source hack/lib/logging.sh
+ source hack/lib/version.sh
+ repo=kubernetes/kubernetes
+ commit=unknown
+ read type tag_sha < <(echo $(curl -s "https://api.github.com/repos/$repo/git/ref/tags/$version" | jq -r '.object.type,.object.sha'))
+ if [ $type = "commit" ]; then
+ commit=$tag_sha
+ else
+ commit=$(curl -s "https://api.github.com/repos/$repo/git/tags/$tag_sha" | jq -r '.object.sha')
+ fi
+ export KUBE_GIT_COMMIT="${commit}"
+ export KUBE_GIT_TREE_STATE='clean'
+ export KUBE_GIT_VERSION="${version}"
+ export KUBE_GIT_MAJOR=$(echo $KUBE_GIT_VERSION | cut -d. -f1 | sed 's/$v//')
+ export KUBE_GIT_MINOR=$(echo $KUBE_GIT_VERSION | cut -d. -f2)
+ goldflags="all=$(kube::version::ldflags) -s -w"
+ $GO_INSTALL -ldflags="${goldflags}" k8s.io/kubernetes/cmd/kubectl
+ cd -
+ ;;
+ *)
+ echo "Unknown go binary: $f"
+ exit 1
+ ;;
+ esac
+done
+
+for f in $(ls "$TRIVY_DIR"); do
+ f=$(basename $f)
+ if [ -x "$TRIVY_DIR/$f" -a ! -e "$DEPS_DIR/$f" ]; then
+ cp "$TRIVY_DIR/$f" "$DEPS_DIR"
+ fi
+done
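Review bot: `sed 's/$v//'` on the `KUBE_GIT_MAJOR` line never matches anything (`$` is the end-of-line anchor, so the pattern is "v after end of line"), so the major version is exported as `v1` instead of `1` and, via `kube::version::ldflags`, presumably stamped into the rebuilt kubectl's version info; the intended line is `export KUBE_GIT_MAJOR=$(echo $KUBE_GIT_VERSION | cut -d. -f1 | sed 's/^v//')`. The `*)` arm prints `echo "Unknown go binary: $f"`, but this loop's variable is `t` and `f` is only assigned in the later loop, so the message carries an empty name; use `echo "Unknown go binary: $t"`. The two GitHub API calls use `curl -s` without `-f` and nothing checks that `tag_sha` or `commit` is non-empty, so a rate-limited or failed response leaves `KUBE_GIT_COMMIT` as `null` and the build still succeeds with a misleading commit stamped in; add `-f` and fail when `commit` is empty or `null`. The `eval` in the CNI arms is avoidable, since the ldflags can be passed as one argument: `$GO_INSTALL -ldflags "-extldflags -static -X github.com/containernetworking/plugins/pkg/utils/buildversion.BuildVersion=$version" github.com/containernetworking/plugins/plugins/main/$name@$version`.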