Build calico/base from UBI 8 and 9 and tag with timestamp

.gitignore

@@ -1,3 +1,2 @@
 cmd/bin
-images/.qemu-user-static.created
 images/calico-go-build/bin

.semaphore/promotions/calico-base.yml

@@ -27,7 +27,7 @@ blocks:
     task:
       env_vars:
         - name: BRANCH_NAME
-          value: latest
+          value: ${SEMAPHORE_JOB_CREATION_TIME}
       jobs:
         - name: Linux multi-arch
           commands:

.semaphore/semaphore.yml

@@ -23,12 +23,6 @@ global_job_config:
       # Semaphore is doing shallow clone on a commit without tags.
       # unshallow it for GIT_VERSION:=$(shell git describe --tags --dirty --always) @ Makefile.common
       - git fetch --unshallow
-      - |
-        if [ "${SEMAPHORE_GIT_REF_TYPE}" = "tag" ]; then
-          export VERSION_TAG=${SEMAPHORE_GIT_TAG_NAME}
-        else
-          export VERSION_TAG=${SEMAPHORE_GIT_WORKING_BRANCH}
-        fi
 
 promotions:
   # Publish images for master or release tags (example: 1.23.3-llvm18.1.8-k8s1.30.5).
@@ -40,10 +34,6 @@ promotions:
     pipeline_file: promotions/calico-go-build.yml
     auto_promote:
       when: "branch = 'master' OR tag =~ '^1\\.\\d+\\.\\d-llvm\\d+\\.\\d\\.\\d-k8s1\\.\\d+\\.\\d'"
-  - name: Publish calico/qemu-user-static image
-    pipeline_file: promotions/qemu-user-static.yml
-    auto_promote:
-      when: "branch = 'master' OR tag =~ '^1\\.\\d+\\.\\d-llvm\\d+\\.\\d\\.\\d-k8s1\\.\\d+\\.\\d'"
 
 blocks:
   - name: calico/go-build image
@@ -53,13 +43,21 @@ blocks:
         # The branch to test the current go-build against
         - name: CALICO_BRANCH
           value: master
+      prologue:
+        commands:
+          - |
+            if [ "${SEMAPHORE_GIT_REF_TYPE}" = "tag" ]; then
+              export CALICO_GO_BUILD_IMAGETAG=${SEMAPHORE_GIT_TAG_NAME}
+            else
+              export CALICO_GO_BUILD_IMAGETAG=${SEMAPHORE_GIT_WORKING_BRANCH}
+            fi
       jobs:
         - name: Build calico/go-build image
           commands:
             - make -C images calico-go-build-image ARCH=$ARCH
             - git clone -b "${CALICO_BRANCH}" --depth 1 git@github.com:projectcalico/calico.git calico
             - cd calico
-            - sed -i 's/^GO_BUILD_VER=.*$/GO_BUILD_VER=${VERSION_TAG}/' metadata.mk
+            - sed -i 's/^GO_BUILD_VER=.*$/GO_BUILD_VER=${CALICO_GO_BUILD_IMAGETAG}/' metadata.mk
             - if [ "${ARCH}" == "amd64" ]; then cd felix && make ut && cd ../calicoctl && make ut && cd ../libcalico-go && make ut; fi
           matrix:
             - env_var: ARCH

Makefile.common

@@ -75,7 +75,7 @@ endif
 # This is only needed when running non-native binaries.
 register:
 ifneq ($(BUILDARCH),$(ARCH))
-	docker run --rm --privileged multiarch/qemu-user-static:register || true
+	docker run --privileged --rm tonistiigi/binfmt --install all || true
 endif
 
 # If this is a release, also tag and push additional images.

README.md

@@ -51,7 +51,7 @@ For example, if you registered the `s390x` emulator at `/usr/bin/qemu-s390x-stat
 To register emulators, we run:
 
 ```bash
-docker run -it --rm --privileged multiarch/qemu-user-static:register
+docker run --privileged --rm tonistiigi/binfmt --install all
 ```
 
 or simply
@@ -69,7 +69,7 @@ To _run_ a binary from a different architecture, you need to use `binfmt` and `q
 Register `qemu-*-static` for all supported processors except the current one using the following command:
 
 ```bash
-docker run --rm --privileged multiarch/qemu-user-static:register
+docker run --privileged --rm tonistiigi/binfmt --install all
 ```
 
 If a cross built binary is executed in the go-build container qemu-static will automatically be used.

images/Makefile

@@ -1,33 +1,14 @@
 include ../lib.Makefile
 include ../Makefile.common
 
-VERSION_TAG ?= latest
-
 CALICO_BASE ?= base
 CALICO_GO_BUILD ?= go-build
 
-QEMU_USER_STATIC ?= $(DEV_REGISTRIES)/qemu-user-static
-QEMU_USER_STATIC_IMAGE_CREATED = .qemu-user-static.created
-
 .PHONY: image
-image: qemu-user-static-image calico-base-image calico-go-build-image
+image: calico-base-image calico-go-build-image
 
 .PHONY: image-all
-image-all: qemu-user-static-image calico-base-image-all calico-go-build-image-all
-
-# Holder image for all qemu-*-static binaries Calico supports.
-# It only builds for linux/amd64 platform.
-.PHONY: qemu-user-static-image
-qemu-user-static-image: $(QEMU_USER_STATIC_IMAGE_CREATED)
-$(QEMU_USER_STATIC_IMAGE_CREATED):
-	docker buildx build $(DOCKER_PROGRESS) --load --platform=linux/amd64 --pull \
-		-t $(QEMU_USER_STATIC):latest \
-		-f qemu-user-static/Dockerfile qemu-user-static/
-	touch $@
-
-.PHONY: qemu-user-static-cd
-qemu-user-static-cd: qemu-user-static-image
-	docker push $(QEMU_USER_STATIC):latest
+image-all: calico-base-image-all calico-go-build-image-all
 
 # Base image for all calico components.
 
@@ -44,9 +25,11 @@ else ifeq ($(ARCH),s390)
 endif
 
 .PHONY: calico-base-image
-calico-base-image: register qemu-user-static-image
-	$(DOCKER_BUILD) --build-arg LDSONAME=$(LDSONAME) -t $(CALICO_BASE):latest-$(ARCH) -f calico-base/Dockerfile calico-base/
-	$(MAKE) BUILD_IMAGES=$(CALICO_BASE) retag-build-images-with-registries VALIDARCHES=$(ARCH) IMAGETAG=latest
+calico-base-image: register
+	$(DOCKER_BUILD) --build-arg LDSONAME=$(LDSONAME) -t $(CALICO_BASE):ubi8-latest-$(ARCH) -f calico-base/Dockerfile.ubi8 calico-base/
+	$(MAKE) BUILD_IMAGES=$(CALICO_BASE) retag-build-images-with-registries VALIDARCHES=$(ARCH) LATEST_IMAGE_TAG=ubi8-latest IMAGETAG=ubi8-latest
+	$(DOCKER_BUILD) --build-arg LDSONAME=$(LDSONAME) -t $(CALICO_BASE):ubi9-latest-$(ARCH) -f calico-base/Dockerfile.ubi9 calico-base/
+	$(MAKE) BUILD_IMAGES=$(CALICO_BASE) retag-build-images-with-registries VALIDARCHES=$(ARCH) LATEST_IMAGE_TAG=ubi9-latest IMAGETAG=ubi9-latest
 
 .PHONY: calico-base-image-all
 calico-base-image-all: $(addprefix sub-calico-base-image-,$(VALIDARCHES))
@@ -55,7 +38,8 @@ sub-calico-base-image-%:
 
 .PHONY: calico-base-cd
 calico-base-cd: calico-base-image-all var-require-one-of-CONFIRM-DRYRUN var-require-all-BRANCH_NAME
-	$(MAKE) BUILD_IMAGES=$(CALICO_BASE) retag-build-images-with-registries push-images-to-registries push-manifests IMAGETAG=$(if $(IMAGETAG_PREFIX),$(IMAGETAG_PREFIX)-)$(BRANCH_NAME) EXCLUDEARCH="$(EXCLUDEARCH)"
+	$(MAKE) BUILD_IMAGES=$(CALICO_BASE) retag-build-images-with-registries push-images-to-registries push-manifests LATEST_IMAGE_TAG=ubi8-latest IMAGETAG=ubi8-$(BRANCH_NAME) EXCLUDEARCH="$(EXCLUDEARCH)"
+	$(MAKE) BUILD_IMAGES=$(CALICO_BASE) retag-build-images-with-registries push-images-to-registries push-manifests LATEST_IMAGE_TAG=ubi9-latest IMAGETAG=ubi9-$(BRANCH_NAME) EXCLUDEARCH="$(EXCLUDEARCH)"
 
 # Calico builder which contains Go/Clang compilers and necessary utilities for UT/FVs.
 .PHONY: build
@@ -64,10 +48,12 @@ build:
 	mkdir -p calico-go-build/bin/
 	cp ../cmd/bin/semvalidator-$(ARCH) calico-go-build/bin/semvalidator-$(ARCH)
 
+CALICO_GO_BUILD_IMAGETAG ?= latest
+
 .PHONY: calico-go-build-image
-calico-go-build-image: register qemu-user-static-image build
+calico-go-build-image: register build
 	$(DOCKER_BUILD) -t $(CALICO_GO_BUILD):latest-$(ARCH) -f calico-go-build/Dockerfile calico-go-build/
-	$(MAKE) BUILD_IMAGES=$(CALICO_GO_BUILD) retag-build-images-with-registries VALIDARCHES=$(ARCH) IMAGETAG=$(VERSION_TAG)
+	$(MAKE) BUILD_IMAGES=$(CALICO_GO_BUILD) retag-build-images-with-registries VALIDARCHES=$(ARCH) IMAGETAG=$(CALICO_GO_BUILD_IMAGETAG)
 
 .PHONY: calico-go-build-image-all
 calico-go-build-image-all: $(addprefix sub-calico-go-build-image-,$(VALIDARCHES))
@@ -76,16 +62,14 @@ sub-calico-go-build-image-%:
 
 .PHONY: calico-go-build-cd
 calico-go-build-cd: calico-go-build-image var-require-one-of-CONFIRM-DRYRUN var-require-all-BRANCH_NAME
-	$(MAKE) BUILD_IMAGES=$(CALICO_GO_BUILD) retag-build-images-with-registries push-images-to-registries IMAGETAG=$(if $(IMAGETAG_PREFIX),$(IMAGETAG_PREFIX)-)$(BRANCH_NAME) EXCLUDEARCH="$(EXCLUDEARCH)"
+	$(MAKE) BUILD_IMAGES=$(CALICO_GO_BUILD) retag-build-images-with-registries push-images-to-registries IMAGETAG=$(BRANCH_NAME) EXCLUDEARCH="$(EXCLUDEARCH)"
 
 .PHONY: push-calico-go-build-manifests
 push-calico-go-build-manifests: var-require-one-of-CONFIRM-DRYRUN var-require-all-BRANCH_NAME
-	$(MAKE) BUILD_IMAGES=$(CALICO_GO_BUILD) push-manifests IMAGETAG=$(if $(IMAGETAG_PREFIX),$(IMAGETAG_PREFIX)-)$(BRANCH_NAME) EXCLUDEARCH="$(EXCLUDEARCH)"
+	$(MAKE) BUILD_IMAGES=$(CALICO_GO_BUILD) push-manifests IMAGETAG=$(BRANCH_NAME) EXCLUDEARCH="$(EXCLUDEARCH)"
 
 .PHONY: clean
 clean:
-	rm -f $(QEMU_USER_STATIC_IMAGE_CREATED)
 	rm -fr calico-go-build/bin
 	-docker image rm -f $$(docker images $(CALICO_BASE) -a -q)
 	-docker image rm -f $$(docker images $(CALICO_GO_BUILD) -a -q)
-	-docker image rm -f $$(docker images $(QEMU_USER_STATIC) -a -q)

images/calico-base/Dockerfile → images/calico-base/Dockerfile.ubi8

@@ -1,19 +1,14 @@
-FROM --platform=linux/amd64 calico/qemu-user-static:latest AS qemu
-
 FROM registry.access.redhat.com/ubi8/ubi-minimal:latest AS ubi
 
 ARG LDSONAME
 
-COPY --from=qemu /usr/bin/qemu-*-static /usr/bin/
-
 RUN microdnf upgrade -y
 
 # Prepare a rootfs for necessary files from UBI.
 # Symbolic links are preserved.
 RUN mkdir -p /rootfs/lib64 /rootfs/etc
 
 # Copy dynamic loader and symbolic links.
-# Note: The dynamic loader name and links might be different in a future release.
 RUN cp /lib64/ld-2.28.so /rootfs/lib64/ld-2.28.so
 RUN set -eux; \
     cp -a /lib64/${LDSONAME} /rootfs/lib64/${LDSONAME}; \

images/calico-base/Dockerfile.ubi9

@@ -0,0 +1,48 @@
+FROM registry.access.redhat.com/ubi9/ubi-minimal:latest AS ubi
+
+ARG LDSONAME
+
+RUN microdnf upgrade -y
+
+# Prepare a rootfs for necessary files from UBI.
+# Symbolic links are preserved.
+RUN mkdir -p /rootfs/lib64 /rootfs/etc
+
+# Copy dynamic loader and symbolic links.
+RUN set -eux; \
+    if [ -f /lib64/${LDSONAME} ]; then \
+        cp -a /lib64/${LDSONAME} /rootfs/lib64/${LDSONAME}; \
+    fi; \
+    if [ -f /lib/${LDSONAME} ]; then \
+        mkdir -p /rootfs/lib && cp -a /lib/${LDSONAME} /rootfs/lib/${LDSONAME}; \
+    fi
+
+# Required external C dependencies for CGO builds.
+RUN cp /lib64/libc.so.6 /rootfs/lib64/libc.so.6
+RUN cp /lib64/libpthread.so.0 /rootfs/lib64/libpthread.so.0
+RUN cp /lib64/libresolv.so.2 /rootfs/lib64/libresolv.so.2
+
+# glibc NSS plugins and config files.
+RUN cp /lib64/libnss_dns.so.2 /rootfs/lib64/libnss_dns.so.2
+RUN cp /lib64/libnss_files.so.2 /rootfs/lib64/libnss_files.so.2
+
+RUN cp /etc/host.conf /rootfs/etc/host.conf
+RUN cp /etc/hosts /rootfs/etc/hosts
+RUN cp /etc/networks /rootfs/etc/networks
+RUN cp /etc/nsswitch.conf /rootfs/etc/nsswitch.conf
+
+# Copy base image release info.
+RUN cp /etc/os-release /rootfs/etc/os-release
+
+FROM scratch AS source
+
+COPY --from=ubi /rootfs /
+
+# tmp.tar has a /tmp with the correct permissions 01777.
+ADD tmp.tar /
+
+COPY licenses /licenses/
+
+FROM scratch
+
+COPY --from=source / /

images/calico-go-build/Dockerfile

@@ -2,8 +2,6 @@ ARG TARGETARCH=${TARGETARCH}
 
 FROM calico/bpftool:v7.4.0 AS bpftool
 
-FROM --platform=amd64 calico/qemu-user-static:latest AS qemu
-
 FROM registry.access.redhat.com/ubi8/ubi:latest AS ubi
 
 ARG TARGETARCH
@@ -16,10 +14,6 @@ ARG YQ_VERSION=v4.45.1
 
 ENV PATH=/usr/local/go/bin:$PATH
 
-# Enable non-native runs on amd64 architecture hosts
-# Supported qemu-user-static arch files are copied in Makefile `download-qemu` target
-COPY --from=qemu /usr/bin/qemu-*-static /usr/bin
-
 # Install system dependencies
 RUN dnf upgrade -y && dnf install -y \
     autoconf \