diff --git a/.gitignore b/.gitignore index e53642de..d46ced73 100644 --- a/.gitignore +++ b/.gitignore @@ -1,3 +1,2 @@ cmd/bin -images/.qemu-user-static.created images/calico-go-build/bin diff --git a/.semaphore/promotions/calico-base.yml b/.semaphore/promotions/calico-base.yml index 24135725..bf7ff436 100644 --- a/.semaphore/promotions/calico-base.yml +++ b/.semaphore/promotions/calico-base.yml @@ -27,7 +27,7 @@ blocks: task: env_vars: - name: BRANCH_NAME - value: latest + value: ${SEMAPHORE_JOB_CREATION_TIME} jobs: - name: Linux multi-arch commands: diff --git a/.semaphore/promotions/qemu-user-static.yml b/.semaphore/promotions/qemu-user-static.yml deleted file mode 100644 index 8f70ac83..00000000 --- a/.semaphore/promotions/qemu-user-static.yml +++ /dev/null @@ -1,34 +0,0 @@ -version: v1.0 -name: Publish calico/qemu-user-static image -agent: - machine: - type: f1-standard-2 - os_image: ubuntu2204 - -execution_time_limit: - minutes: 30 - -global_job_config: - env_vars: - - name: DEV_REGISTRIES - value: calico - secrets: - - name: docker - prologue: - commands: - - echo $DOCKER_TOKEN | docker login --username "$DOCKER_USER" --password-stdin - - checkout - -blocks: - - name: Publish calico/qemu-user-static amd64 image - dependencies: [] - run: - when: "branch = 'master' OR tag =~ '^1\\.\\d+\\.\\d-llvm\\d+\\.\\d\\.\\d-k8s1\\.\\d+\\.\\d'" - task: - env_vars: - - name: BRANCH_NAME - value: latest - jobs: - - name: Linux amd64 - commands: - - if [ -z "${SEMAPHORE_GIT_PR_NUMBER}" ]; then make -C images qemu-user-static-cd CONFIRM=true; fi diff --git a/.semaphore/semaphore.yml b/.semaphore/semaphore.yml index fe9ee9dd..5a3f30e9 100644 --- a/.semaphore/semaphore.yml +++ b/.semaphore/semaphore.yml 
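Review bot: With `BRANCH_NAME` set to `${SEMAPHORE_JOB_CREATION_TIME}` in the calico-base.yml hunk, the published calico/base tags carry only a job timestamp, so nothing in the tag ties an image back to the commit that produced it. For provenance I would either add the commit to the value or record the mapping elsewhere, and at least document the choice next to the variable, e.g. `# Unique per publish: job creation time (Unix epoch); see the job log for the source commit`. Whether Semaphore expands a variable reference inside an `env_vars` value, or passes it through literally for make to expand, is not visible in this hunk and is worth confirming on a dry run.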
@@ -23,12 +23,6 @@ global_job_config: # Semaphore is doing shallow clone on a commit without tags. # unshallow it for GIT_VERSION:=$(shell git describe --tags --dirty --always) @ Makefile.common - git fetch --unshallow - - | - if [ "${SEMAPHORE_GIT_REF_TYPE}" = "tag" ]; then - export VERSION_TAG=${SEMAPHORE_GIT_TAG_NAME} - else - export VERSION_TAG=${SEMAPHORE_GIT_WORKING_BRANCH} - fi promotions: # Publish images for master or release tags (example: 1.23.3-llvm18.1.8-k8s1.30.5). @@ -40,10 +34,6 @@ promotions: pipeline_file: promotions/calico-go-build.yml auto_promote: when: "branch = 'master' OR tag =~ '^1\\.\\d+\\.\\d-llvm\\d+\\.\\d\\.\\d-k8s1\\.\\d+\\.\\d'" - - name: Publish calico/qemu-user-static image - pipeline_file: promotions/qemu-user-static.yml - auto_promote: - when: "branch = 'master' OR tag =~ '^1\\.\\d+\\.\\d-llvm\\d+\\.\\d\\.\\d-k8s1\\.\\d+\\.\\d'" blocks: - name: calico/go-build image @@ -53,13 +43,21 @@ blocks: # The branch to test the current go-build against - name: CALICO_BRANCH value: master + prologue: + commands: + - | + if [ "${SEMAPHORE_GIT_REF_TYPE}" = "tag" ]; then + export CALICO_GO_BUILD_IMAGETAG=${SEMAPHORE_GIT_TAG_NAME} + else + export CALICO_GO_BUILD_IMAGETAG=${SEMAPHORE_GIT_WORKING_BRANCH} + fi jobs: - name: Build calico/go-build image commands: - make -C images calico-go-build-image ARCH=$ARCH - git clone -b "${CALICO_BRANCH}" --depth 1 git@github.com:projectcalico/calico.git calico - cd calico - - sed -i 's/^GO_BUILD_VER=.*$/GO_BUILD_VER=${VERSION_TAG}/' metadata.mk + - sed -i 's/^GO_BUILD_VER=.*$/GO_BUILD_VER=${CALICO_GO_BUILD_IMAGETAG}/' metadata.mk - if [ "${ARCH}" == "amd64" ]; then cd felix && make ut && cd ../calicoctl && make ut && cd ../libcalico-go && make ut; fi matrix: - env_var: ARCH diff --git a/Makefile.common b/Makefile.common index c0138586..b83be6f4 100644 --- a/Makefile.common +++ b/Makefile.common 
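Review bot: The new block prologue copies `${SEMAPHORE_GIT_TAG_NAME}` or `${SEMAPHORE_GIT_WORKING_BRANCH}` into `CALICO_GO_BUILD_IMAGETAG` unquoted and unvalidated. The images/Makefile hunk in this commit then expands that value unquoted inside a recipe (`IMAGETAG=$(CALICO_GO_BUILD_IMAGETAG)`), and the `sed` line makes `metadata.mk` refer to it. Git ref names may contain `/`, which is not valid in an image tag, and characters the shell treats specially, so the ref name should be handled as untrusted build input. I would quote the assignments (`export CALICO_GO_BUILD_IMAGETAG="${SEMAPHORE_GIT_TAG_NAME}"`) and reject anything outside the tag alphabet before the first `make` call, e.g. `case "${CALICO_GO_BUILD_IMAGETAG}" in ''|*[!A-Za-z0-9_.-]*) echo "invalid image tag" >&2; exit 1;; esac`. Whether pull requests from forks reach this block is not visible in the hunk.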
@@ -75,7 +75,7 @@ endif # This is only needed when running non-native binaries. register: ifneq ($(BUILDARCH),$(ARCH)) - docker run --rm --privileged multiarch/qemu-user-static:register || true + docker run --privileged --rm tonistiigi/binfmt --install all || true endif # If this is a release, also tag and push additional images. diff --git a/README.md b/README.md index 319185fc..f3666292 100644 --- a/README.md +++ b/README.md @@ -51,7 +51,7 @@ For example, if you registered the `s390x` emulator at `/usr/bin/qemu-s390x-stat To register emulators, we run: ```bash -docker run -it --rm --privileged multiarch/qemu-user-static:register +docker run --privileged --rm tonistiigi/binfmt --install all ``` or simply @@ -69,7 +69,7 @@ To _run_ a binary from a different architecture, you need to use `binfmt` and `q Register `qemu-*-static` for all supported processors except the current one using the following command: ```bash -docker run --rm --privileged multiarch/qemu-user-static:register +docker run --privileged --rm tonistiigi/binfmt --install all ``` If a cross built binary is executed in the go-build container qemu-static will automatically be used. diff --git a/images/Makefile b/images/Makefile index 29ed4055..1e9796ec 100644 --- a/images/Makefile +++ b/images/Makefile 
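Review bot: The `register` recipe now runs `tonistiigi/binfmt` with `--privileged` and no tag or digest, so every build host pulls whatever `latest` currently resolves to in a third-party namespace and runs it with full host privileges. Pin it to a digest that has been reviewed, `docker run --privileged --rm tonistiigi/binfmt@sha256:<reviewed-digest> --install all`, and consider narrowing `--install all` to the architectures the build actually targets. The trailing `|| true` also hides a failed pull or registration, so a cross-arch build would only fail later with a less obvious error. The same unpinned command is repeated in both README.md hunks and should be updated with it.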
@@ -1,33 +1,14 @@ include ../lib.Makefile include ../Makefile.common -VERSION_TAG ?= latest - CALICO_BASE ?= base CALICO_GO_BUILD ?= go-build -QEMU_USER_STATIC ?= $(DEV_REGISTRIES)/qemu-user-static -QEMU_USER_STATIC_IMAGE_CREATED = .qemu-user-static.created - .PHONY: image -image: qemu-user-static-image calico-base-image calico-go-build-image +image: calico-base-image calico-go-build-image .PHONY: image-all -image-all: qemu-user-static-image calico-base-image-all calico-go-build-image-all - -# Holder image for all qemu-*-static binaries Calico supports. -# It only builds for linux/amd64 platform. -.PHONY: qemu-user-static-image -qemu-user-static-image: $(QEMU_USER_STATIC_IMAGE_CREATED) -$(QEMU_USER_STATIC_IMAGE_CREATED): - docker buildx build $(DOCKER_PROGRESS) --load --platform=linux/amd64 --pull \ - -t $(QEMU_USER_STATIC):latest \ - -f qemu-user-static/Dockerfile qemu-user-static/ - touch $@ - -.PHONY: qemu-user-static-cd -qemu-user-static-cd: qemu-user-static-image - docker push $(QEMU_USER_STATIC):latest +image-all: calico-base-image-all calico-go-build-image-all # Base image for all calico components. 
@@ -44,9 +25,11 @@ else ifeq ($(ARCH),s390) endif .PHONY: calico-base-image -calico-base-image: register qemu-user-static-image - $(DOCKER_BUILD) --build-arg LDSONAME=$(LDSONAME) -t $(CALICO_BASE):latest-$(ARCH) -f calico-base/Dockerfile calico-base/ - $(MAKE) BUILD_IMAGES=$(CALICO_BASE) retag-build-images-with-registries VALIDARCHES=$(ARCH) IMAGETAG=latest +calico-base-image: register + $(DOCKER_BUILD) --build-arg LDSONAME=$(LDSONAME) -t $(CALICO_BASE):ubi8-latest-$(ARCH) -f calico-base/Dockerfile.ubi8 calico-base/ + $(MAKE) BUILD_IMAGES=$(CALICO_BASE) retag-build-images-with-registries VALIDARCHES=$(ARCH) LATEST_IMAGE_TAG=ubi8-latest IMAGETAG=ubi8-latest + $(DOCKER_BUILD) --build-arg LDSONAME=$(LDSONAME) -t $(CALICO_BASE):ubi9-latest-$(ARCH) -f calico-base/Dockerfile.ubi9 calico-base/ + $(MAKE) BUILD_IMAGES=$(CALICO_BASE) retag-build-images-with-registries VALIDARCHES=$(ARCH) LATEST_IMAGE_TAG=ubi9-latest IMAGETAG=ubi9-latest .PHONY: calico-base-image-all calico-base-image-all: $(addprefix sub-calico-base-image-,$(VALIDARCHES)) @@ -55,7 +38,8 @@ sub-calico-base-image-%: .PHONY: calico-base-cd calico-base-cd: calico-base-image-all var-require-one-of-CONFIRM-DRYRUN var-require-all-BRANCH_NAME - $(MAKE) BUILD_IMAGES=$(CALICO_BASE) retag-build-images-with-registries push-images-to-registries push-manifests IMAGETAG=$(if $(IMAGETAG_PREFIX),$(IMAGETAG_PREFIX)-)$(BRANCH_NAME) EXCLUDEARCH="$(EXCLUDEARCH)" + $(MAKE) BUILD_IMAGES=$(CALICO_BASE) retag-build-images-with-registries push-images-to-registries push-manifests LATEST_IMAGE_TAG=ubi8-latest IMAGETAG=ubi8-$(BRANCH_NAME) EXCLUDEARCH="$(EXCLUDEARCH)" + $(MAKE) BUILD_IMAGES=$(CALICO_BASE) retag-build-images-with-registries push-images-to-registries push-manifests LATEST_IMAGE_TAG=ubi9-latest IMAGETAG=ubi9-$(BRANCH_NAME) EXCLUDEARCH="$(EXCLUDEARCH)" # Calico builder which contains Go/Clang compilers and necessary utilities for UT/FVs. .PHONY: build 
@@ -64,10 +48,12 @@ build: mkdir -p calico-go-build/bin/ cp ../cmd/bin/semvalidator-$(ARCH) calico-go-build/bin/semvalidator-$(ARCH) +CALICO_GO_BUILD_IMAGETAG ?= latest + .PHONY: calico-go-build-image -calico-go-build-image: register qemu-user-static-image build +calico-go-build-image: register build $(DOCKER_BUILD) -t $(CALICO_GO_BUILD):latest-$(ARCH) -f calico-go-build/Dockerfile calico-go-build/ - $(MAKE) BUILD_IMAGES=$(CALICO_GO_BUILD) retag-build-images-with-registries VALIDARCHES=$(ARCH) IMAGETAG=$(VERSION_TAG) + $(MAKE) BUILD_IMAGES=$(CALICO_GO_BUILD) retag-build-images-with-registries VALIDARCHES=$(ARCH) IMAGETAG=$(CALICO_GO_BUILD_IMAGETAG) .PHONY: calico-go-build-image-all calico-go-build-image-all: $(addprefix sub-calico-go-build-image-,$(VALIDARCHES)) @@ -76,16 +62,14 @@ sub-calico-go-build-image-%: .PHONY: calico-go-build-cd calico-go-build-cd: calico-go-build-image var-require-one-of-CONFIRM-DRYRUN var-require-all-BRANCH_NAME - $(MAKE) BUILD_IMAGES=$(CALICO_GO_BUILD) retag-build-images-with-registries push-images-to-registries IMAGETAG=$(if $(IMAGETAG_PREFIX),$(IMAGETAG_PREFIX)-)$(BRANCH_NAME) EXCLUDEARCH="$(EXCLUDEARCH)" + $(MAKE) BUILD_IMAGES=$(CALICO_GO_BUILD) retag-build-images-with-registries push-images-to-registries IMAGETAG=$(BRANCH_NAME) EXCLUDEARCH="$(EXCLUDEARCH)" .PHONY: push-calico-go-build-manifests push-calico-go-build-manifests: var-require-one-of-CONFIRM-DRYRUN var-require-all-BRANCH_NAME - $(MAKE) BUILD_IMAGES=$(CALICO_GO_BUILD) push-manifests IMAGETAG=$(if $(IMAGETAG_PREFIX),$(IMAGETAG_PREFIX)-)$(BRANCH_NAME) EXCLUDEARCH="$(EXCLUDEARCH)" + $(MAKE) BUILD_IMAGES=$(CALICO_GO_BUILD) push-manifests IMAGETAG=$(BRANCH_NAME) EXCLUDEARCH="$(EXCLUDEARCH)" .PHONY: clean clean: - rm -f $(QEMU_USER_STATIC_IMAGE_CREATED) rm -fr calico-go-build/bin -docker image rm -f $$(docker images $(CALICO_BASE) -a -q) -docker image rm -f $$(docker images $(CALICO_GO_BUILD) -a -q) - -docker image rm -f $$(docker images $(QEMU_USER_STATIC) -a -q) 
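Review bot: `CALICO_GO_BUILD_IMAGETAG ?= latest` is introduced without a comment, although its value comes from the CI environment (the semaphore.yml hunk exports it from the git tag or working branch). I would document it where it is defined, e.g. `# Tag applied to the locally built go-build image; CI overrides this with the git tag or branch name.` The second hunk also drops the `$(if $(IMAGETAG_PREFIX),$(IMAGETAG_PREFIX)-)` prefix from `calico-go-build-cd` and `push-calico-go-build-manifests`, so a caller that still passes `IMAGETAG_PREFIX` is now silently ignored. That deserves a line in the commit description or a `$(warning ...)` while callers migrate.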
diff --git a/images/calico-base/Dockerfile b/images/calico-base/Dockerfile.ubi8 similarity index 86% rename from images/calico-base/Dockerfile rename to images/calico-base/Dockerfile.ubi8 index 7531a2b6..4dfaa3db 100644 --- a/images/calico-base/Dockerfile +++ b/images/calico-base/Dockerfile.ubi8 @@ -1,11 +1,7 @@ -FROM --platform=linux/amd64 calico/qemu-user-static:latest AS qemu - FROM registry.access.redhat.com/ubi8/ubi-minimal:latest AS ubi ARG LDSONAME -COPY --from=qemu /usr/bin/qemu-*-static /usr/bin/ - RUN microdnf upgrade -y # Prepare a rootfs for necessary files from UBI. @@ -13,7 +9,6 @@ RUN microdnf upgrade -y RUN mkdir -p /rootfs/lib64 /rootfs/etc # Copy dynamic loader and symbolic links. -# Note: The dynamic loader name and links might be different in a future release. RUN cp /lib64/ld-2.28.so /rootfs/lib64/ld-2.28.so RUN set -eux; \ cp -a /lib64/${LDSONAME} /rootfs/lib64/${LDSONAME}; \ diff --git a/images/calico-base/Dockerfile.ubi9 b/images/calico-base/Dockerfile.ubi9 new file mode 100644 index 00000000..2614fee8 --- /dev/null +++ b/images/calico-base/Dockerfile.ubi9 
@@ -0,0 +1,48 @@ +FROM registry.access.redhat.com/ubi9/ubi-minimal:latest AS ubi + +ARG LDSONAME + +RUN microdnf upgrade -y + +# Prepare a rootfs for necessary files from UBI. +# Symbolic links are preserved. +RUN mkdir -p /rootfs/lib64 /rootfs/etc + +# Copy dynamic loader and symbolic links. +RUN set -eux; \ + if [ -f /lib64/${LDSONAME} ]; then \ + cp -a /lib64/${LDSONAME} /rootfs/lib64/${LDSONAME}; \ + fi; \ + if [ -f /lib/${LDSONAME} ]; then \ + mkdir -p /rootfs/lib && cp -a /lib/${LDSONAME} /rootfs/lib/${LDSONAME}; \ + fi + +# Required external C dependencies for CGO builds. +RUN cp /lib64/libc.so.6 /rootfs/lib64/libc.so.6 +RUN cp /lib64/libpthread.so.0 /rootfs/lib64/libpthread.so.0 +RUN cp /lib64/libresolv.so.2 /rootfs/lib64/libresolv.so.2 + +# glibc NSS plugins and config files. +RUN cp /lib64/libnss_dns.so.2 /rootfs/lib64/libnss_dns.so.2 +RUN cp /lib64/libnss_files.so.2 /rootfs/lib64/libnss_files.so.2 + +RUN cp /etc/host.conf /rootfs/etc/host.conf +RUN cp /etc/hosts /rootfs/etc/hosts +RUN cp /etc/networks /rootfs/etc/networks +RUN cp /etc/nsswitch.conf /rootfs/etc/nsswitch.conf + +# Copy base image release info. +RUN cp /etc/os-release /rootfs/etc/os-release + +FROM scratch AS source + +COPY --from=ubi /rootfs / + +# tmp.tar has a /tmp with the correct permissions 01777. +ADD tmp.tar / + +COPY licenses /licenses/ + +FROM scratch + +COPY --from=source / / diff --git a/images/calico-go-build/Dockerfile b/images/calico-go-build/Dockerfile index c85bf417..7c86582d 100644 --- a/images/calico-go-build/Dockerfile +++ b/images/calico-go-build/Dockerfile @@ -2,8 +2,6 @@ ARG TARGETARCH=${TARGETARCH} FROM calico/bpftool:v7.4.0 AS bpftool -FROM --platform=amd64 calico/qemu-user-static:latest AS qemu - FROM registry.access.redhat.com/ubi8/ubi:latest AS ubi ARG TARGETARCH 
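Review bot: In the new Dockerfile.ubi9, the dynamic-loader copy is wrapped in two `if [ -f ... ]` guards with no fallback, so the step succeeds and ships a base image with no loader if `LDSONAME` is empty, misspelled, or matches neither `/lib64` nor `/lib`. Failing the build is safer than publishing an image that cannot start dynamically linked binaries; end the same `RUN` with `[ -f "/rootfs/lib64/${LDSONAME}" ] || [ -f "/rootfs/lib/${LDSONAME}" ]` and quote the `${LDSONAME}` expansions. Separately, `FROM registry.access.redhat.com/ubi9/ubi-minimal:latest` followed by `microdnf upgrade -y` makes the result depend on pull time. Pinning the base by digest (`ubi-minimal@sha256:<reviewed-digest>`) would make the published `ubi9-*` tags reproducible and auditable.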
@@ -16,10 +14,6 @@ ARG YQ_VERSION=v4.45.1 ENV PATH=/usr/local/go/bin:$PATH -# Enable non-native runs on amd64 architecture hosts -# Supported qemu-user-static arch files are copied in Makefile `download-qemu` target -COPY --from=qemu /usr/bin/qemu-*-static /usr/bin - # Install system dependencies RUN dnf upgrade -y && dnf install -y \ autoconf \ diff --git a/images/qemu-user-static/Dockerfile b/images/qemu-user-static/Dockerfile deleted file mode 100644 index 2f8dca26..00000000 --- a/images/qemu-user-static/Dockerfile +++ /dev/null @@ -1,14 +0,0 @@ -FROM fedora:latest AS qemu - -RUN dnf install -y qemu-user-static - -FROM scratch AS source - -COPY --from=qemu /usr/bin/qemu-aarch64-static /usr/bin/qemu-aarch64-static -COPY --from=qemu /usr/bin/qemu-ppc64le-static /usr/bin/qemu-ppc64le-static -COPY --from=qemu /usr/bin/qemu-s390x-static /usr/bin/qemu-s390x-static -COPY --from=qemu /usr/bin/qemu-x86_64-static /usr/bin/qemu-x86_64-static - -FROM scratch - -COPY --from=source / /