From bdaf3b7f7de25cabe9cd7803af59a55b0809b4b7 Mon Sep 17 00:00:00 2001 From: Camryn Lee Date: Tue, 4 Jun 2024 20:49:17 +0000 Subject: [PATCH 1/9] build ipv6-hp-bpf img in pipeline --- .pipelines/pipeline.yaml | 11 + ...um-dualstackoverlay-e2e-step-template.yaml | 3 +- Makefile | 23 +- bpf-prog/ipv6-hp-bpf/{README => README.md} | 0 ...inux.Dockerfile => linux-amd64.Dockerfile} | 0 bpf-prog/ipv6-hp-bpf/linux-arm64.Dockerfile | 32 ++ .../templates/daemonset-dualstack.yaml | 456 ++++++++++++++++++ .../cilium-config-dualstack.yaml | 1 + 8 files changed, 522 insertions(+), 4 deletions(-) rename bpf-prog/ipv6-hp-bpf/{README => README.md} (100%) rename bpf-prog/ipv6-hp-bpf/{linux.Dockerfile => linux-amd64.Dockerfile} (100%) create mode 100644 bpf-prog/ipv6-hp-bpf/linux-arm64.Dockerfile create mode 100644 test/integration/manifests/cilium/v1.14/cilium-agent/templates/daemonset-dualstack.yaml diff --git a/.pipelines/pipeline.yaml b/.pipelines/pipeline.yaml index 2cb68aba4a..c720d0cd93 100644 --- a/.pipelines/pipeline.yaml +++ b/.pipelines/pipeline.yaml @@ -249,6 +249,10 @@ stages: name: cns os: windows os_version: ltsc2022 + ipv6_hp_bpf_linux_amd64: + arch: amd64 + name: ipv6-hp-bpf + os: linux npm_linux_amd64: arch: amd64 name: npm @@ -289,6 +293,10 @@ stages: arch: arm64 name: cns os: linux + ipv6_hp_bpf_linux_arm64: + arch: arm64 + name: ipv6-hp-bpf + os: linux npm_linux_arm64: arch: arm64 name: npm @@ -362,6 +370,9 @@ stages: name: cns os_versions: ltsc2019 ltsc2022 platforms: linux/amd64 linux/arm64 windows/amd64 + ipv6_hp_bpf: + name: ipv6-hp-bpf + platforms: linux/amd64 linux/arm64 npm: name: npm os_versions: ltsc2022 diff --git a/.pipelines/singletenancy/cilium-dualstack-overlay/cilium-dualstackoverlay-e2e-step-template.yaml b/.pipelines/singletenancy/cilium-dualstack-overlay/cilium-dualstackoverlay-e2e-step-template.yaml index b7c98ec214..d83135426c 100644 --- a/.pipelines/singletenancy/cilium-dualstack-overlay/cilium-dualstackoverlay-e2e-step-template.yaml 
+++ b/.pipelines/singletenancy/cilium-dualstack-overlay/cilium-dualstackoverlay-e2e-step-template.yaml @@ -42,8 +42,9 @@ steps: kubectl apply -f test/integration/manifests/cilium/v${DIR}/cilium-operator/files export CILIUM_VERSION_TAG=${CILIUM_DUALSTACK_VERSION} + export IPV6_HP_BPF_VERSION=$(make ipv6-hp-bpf-version) echo "install Cilium ${CILIUM_DUALSTACK_VERSION} onto Overlay Cluster" - envsubst '${CILIUM_VERSION_TAG},${CILIUM_IMAGE_REGISTRY}' < test/integration/manifests/cilium/v${DIR}/cilium-agent/templates/daemonset.yaml | kubectl apply -f - + envsubst '${CILIUM_VERSION_TAG},${CILIUM_IMAGE_REGISTRY},${IPV6_HP_BPF_VERSION}' < test/integration/manifests/cilium/v${DIR}/cilium-agent/templates/daemonset-dualstack.yaml | kubectl apply -f - envsubst '${CILIUM_VERSION_TAG},${CILIUM_IMAGE_REGISTRY}' < test/integration/manifests/cilium/v${DIR}/cilium-operator/templates/deployment.yaml | kubectl apply -f - kubectl get po -owide -A name: "installCilium" diff --git a/Makefile b/Makefile index e18e9a07d0..a25db04d9d 100644 --- a/Makefile +++ b/Makefile @@ -127,8 +127,8 @@ all-binaries-platforms: ## Make all platform binaries # OS specific binaries/images ifeq ($(GOOS),linux) -all-binaries: acncli azure-cni-plugin azure-cns azure-npm azure-ipam -all-images: npm-image cns-image cni-manager-image +all-binaries: acncli azure-cni-plugin azure-cns azure-npm azure-ipam ipv6-hp-bpf +all-images: npm-image cns-image cni-manager-image ipv6-hp-bpf-image else all-binaries: azure-cni-plugin azure-cns azure-npm all-images: @@ -392,7 +392,7 @@ ipv6-hp-bpf-image-name-and-tag: # util target to print the ipv6-hp-bpf image nam ipv6-hp-bpf-image: ## build ipv6-hp-bpf container image. $(MAKE) container \ - DOCKERFILE=bpf-prog/ipv6-hp-bpf/$(OS).Dockerfile \ + DOCKERFILE=bpf-prog/ipv6-hp-bpf/$(OS)-$(ARCH).Dockerfile \ IMAGE=$(IPV6_HP_BPF_IMAGE) \ EXTRA_BUILD_ARGS='--build-arg OS=$(OS) --build-arg ARCH=$(ARCH) --build-arg OS_VERSION=$(OS_VERSION) --build-arg DEBUG=$(DEBUG)'\ PLATFORM=$(PLATFORM) \ 
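Review bot: The added `export IPV6_HP_BPF_VERSION=$(make ipv6-hp-bpf-version)` puts whatever `make` prints straight into the image tag of a privileged init container, with no check that the value is a single non-empty tag. If the target prints nothing, or make adds its own output such as directory messages, `envsubst` renders `ipv6-hp-bpf:` or a malformed reference, and the failure only surfaces later as an image pull error on the nodes. Capture it with `make -s --no-print-directory ipv6-hp-bpf-version` and fail fast with `: "${IPV6_HP_BPF_VERSION:?ipv6-hp-bpf version is empty}"` before the `envsubst` line.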
@@ -623,6 +623,23 @@ azure-ipam-skopeo-archive: ## export tar archive of azure-ipam multiplat contain IMAGE=$(AZURE_IPAM_IMAGE) \ TAG=$(AZURE_IPAM_VERSION) +ipv6-hp-bpf-manifest-build: ## build ipv6-hp-bpf multiplat container manifest. + $(MAKE) manifest-build \ + PLATFORMS="$(PLATFORMS)" \ + IMAGE=$(IPV6_HP_BPF_IMAGE) \ + TAG=$(IPV6_HP_BPF_VERSION) \ + OS_VERSIONS="$(OS_VERSIONS)" + +ipv6-hp-bpf-manifest-push: ## push ipv6-hp-bpf multiplat container manifest + $(MAKE) manifest-push \ + IMAGE=$(IPV6_HP_BPF_IMAGE) \ + TAG=$(IPV6_HP_BPF_VERSION) + +ipv6-hp-bpf-skopeo-archive: ## export tar archive of ipv6-hp-bpf multiplat container manifest. + $(MAKE) manifest-skopeo-archive \ + IMAGE=$(IPV6_HP_BPF_IMAGE) \ + TAG=$(IPV6_HP_BPF_VERSION) + cni-manifest-build: ## build cni multiplat container manifest. $(MAKE) manifest-build \ PLATFORMS="$(PLATFORMS)" \ diff --git a/bpf-prog/ipv6-hp-bpf/README b/bpf-prog/ipv6-hp-bpf/README.md similarity index 100% rename from bpf-prog/ipv6-hp-bpf/README rename to bpf-prog/ipv6-hp-bpf/README.md diff --git a/bpf-prog/ipv6-hp-bpf/linux.Dockerfile b/bpf-prog/ipv6-hp-bpf/linux-amd64.Dockerfile similarity index 100% rename from bpf-prog/ipv6-hp-bpf/linux.Dockerfile rename to bpf-prog/ipv6-hp-bpf/linux-amd64.Dockerfile diff --git a/bpf-prog/ipv6-hp-bpf/linux-arm64.Dockerfile b/bpf-prog/ipv6-hp-bpf/linux-arm64.Dockerfile new file mode 100644 index 0000000000..db3d8c76d7 --- /dev/null +++ b/bpf-prog/ipv6-hp-bpf/linux-arm64.Dockerfile 
@@ -0,0 +1,32 @@ +FROM mcr.microsoft.com/oss/go/microsoft/golang:1.21 AS builder +ARG VERSION +ARG DEBUG +ARG OS +WORKDIR /bpf-prog/ipv6-hp-bpf +COPY ./bpf-prog/ipv6-hp-bpf . +COPY ./bpf-prog/ipv6-hp-bpf/cmd/ipv6-hp-bpf/*.go /bpf-prog/ipv6-hp-bpf/ +COPY ./bpf-prog/ipv6-hp-bpf/include/helper.h /bpf-prog/ipv6-hp-bpf/include/helper.h +RUN apt-get update && apt-get install -y llvm clang linux-libc-dev linux-headers-generic libbpf-dev libc6-dev nftables iproute2 gcc-aarch64-linux-gnu +RUN for dir in /usr/include/aarch64-linux-gnu/*; do ln -s "$dir" /usr/include/$(basename "$dir"); done; +ENV C_INCLUDE_PATH=/usr/include/bpf +RUN if [ "$DEBUG" = "true" ]; then echo "\n#define DEBUG" >> /bpf-prog/ipv6-hp-bpf/include/helper.h; fi +RUN GOOS=$OS CGO_ENABLED=0 go generate ./... +RUN GOOS=$OS CGO_ENABLED=0 go build -a -o /go/bin/ipv6-hp-bpf -trimpath -ldflags "-X main.version="$VERSION"" -gcflags="-dwarflocationlists=true" . + +FROM mcr.microsoft.com/cbl-mariner/distroless/minimal:2.0 AS final-arm64 +COPY --from=builder /go/bin/ipv6-hp-bpf /ipv6-hp-bpf +COPY --from=builder /usr/sbin/nft /usr/sbin/nft +COPY --from=builder /sbin/ip /sbin/ip +COPY --from=builder /lib/aarch64-linux-gnu/libnftables.so.1 /lib/aarch64-linux-gnu/ +COPY --from=builder /lib/aarch64-linux-gnu/libedit.so.2 /lib/aarch64-linux-gnu/ +COPY --from=builder /lib/aarch64-linux-gnu/libc.so.6 /lib/aarch64-linux-gnu/ +COPY --from=builder /lib/aarch64-linux-gnu/libmnl.so.0 /lib/aarch64-linux-gnu/ +COPY --from=builder /lib/aarch64-linux-gnu/libnftnl.so.11 /lib/aarch64-linux-gnu/ +COPY --from=builder /lib/aarch64-linux-gnu/libxtables.so.12 /lib/aarch64-linux-gnu/ +COPY --from=builder /lib/aarch64-linux-gnu/libjansson.so.4 /lib/aarch64-linux-gnu/ +COPY --from=builder /lib/aarch64-linux-gnu/libgmp.so.10 /lib/aarch64-linux-gnu/ +COPY --from=builder /lib/aarch64-linux-gnu/libtinfo.so.6 /lib/aarch64-linux-gnu/ +COPY --from=builder /lib/aarch64-linux-gnu/libbsd.so.0 /lib/aarch64-linux-gnu/ +COPY --from=builder 
/lib/aarch64-linux-gnu/libmd.so.0 /lib/aarch64-linux-gnu/ +COPY --from=builder /lib/aarch64-linux-gnu/ld-linux-aarch64.so.1 /lib/aarch64-linux-gnu/ +CMD ["/ipv6-hp-bpf"] diff --git a/test/integration/manifests/cilium/v1.14/cilium-agent/templates/daemonset-dualstack.yaml b/test/integration/manifests/cilium/v1.14/cilium-agent/templates/daemonset-dualstack.yaml new file mode 100644 index 0000000000..5fd28303be --- /dev/null +++ b/test/integration/manifests/cilium/v1.14/cilium-agent/templates/daemonset-dualstack.yaml 
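Review bot: Everything the final stage ships besides the Go binary (`nft`, `ip`, `libc.so.6`, the loader and the other shared objects) is copied out of a builder whose contents are not pinned. `golang:1.21` and `distroless/minimal:2.0` are mutable tags, and the `apt-get install -y ...` line takes whatever package versions the mirror serves on the day of the build, so two builds of the same commit can put different libraries into an image that the dualstack DaemonSet runs privileged. Pin both base images by digest, e.g. `FROM mcr.microsoft.com/oss/go/microsoft/golang:1.21@sha256:<digest>`, and add `--no-install-recommends` to the install line. Separately, in `-ldflags "-X main.version="$VERSION""` the inner quotes end the string so `$VERSION` is expanded unquoted; `-ldflags "-X main.version=$VERSION"` is what was meant.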
@@ -0,0 +1,456 @@ +apiVersion: apps/v1 +kind: DaemonSet +metadata: + annotations: + meta.helm.sh/release-name: cilium + meta.helm.sh/release-namespace: kube-system + labels: + app.kubernetes.io/managed-by: Helm + k8s-app: cilium + name: cilium + namespace: kube-system +spec: + selector: + matchLabels: + k8s-app: cilium + template: + metadata: + annotations: + container.apparmor.security.beta.kubernetes.io/apply-sysctl-overwrites: unconfined + container.apparmor.security.beta.kubernetes.io/cilium-agent: unconfined + container.apparmor.security.beta.kubernetes.io/clean-cilium-state: unconfined + container.apparmor.security.beta.kubernetes.io/mount-cgroup: unconfined + prometheus.io/port: "9962" + prometheus.io/scrape: "true" + creationTimestamp: null + labels: + k8s-app: cilium + kubernetes.azure.com/ebpf-dataplane: cilium + spec: + affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: kubernetes.azure.com/cluster + operator: Exists + - key: type + operator: NotIn + values: + - virtual-kubelet + - key: kubernetes.io/os + operator: In + values: + - linux + podAntiAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchLabels: + k8s-app: cilium + topologyKey: kubernetes.io/hostname + containers: + - args: + - --config-dir=/tmp/cilium/config-map + command: + - cilium-agent + env: + - name: K8S_NODE_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: spec.nodeName + - name: CILIUM_K8S_NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + - name: CILIUM_CLUSTERMESH_CONFIG + value: /var/lib/cilium/clustermesh/ + image: $CILIUM_IMAGE_REGISTRY/cilium/cilium:$CILIUM_VERSION_TAG + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 10 + httpGet: + host: 127.0.0.1 + httpHeaders: + - name: brief + value: "true" + path: /healthz + port: 9879 + scheme: HTTP + periodSeconds: 30 + successThreshold: 1 + timeoutSeconds: 5 + 
name: cilium-agent + ports: + - containerPort: 9962 + hostPort: 9962 + name: prometheus + protocol: TCP + readinessProbe: + failureThreshold: 3 + httpGet: + host: 127.0.0.1 + httpHeaders: + - name: brief + value: "true" + path: /healthz + port: 9879 + scheme: HTTP + periodSeconds: 30 + successThreshold: 1 + timeoutSeconds: 5 + resources: {} + securityContext: + capabilities: + add: + - CHOWN + - KILL + - NET_ADMIN + - NET_RAW + - IPC_LOCK + - SYS_MODULE + - SYS_ADMIN + - SYS_RESOURCE + - DAC_OVERRIDE + - FOWNER + - SETGID + - SETUID + drop: + - ALL + seLinuxOptions: + level: s0 + type: spc_t + startupProbe: + failureThreshold: 105 + httpGet: + host: 127.0.0.1 + httpHeaders: + - name: brief + value: "true" + path: /healthz + port: 9879 + scheme: HTTP + periodSeconds: 2 + successThreshold: 1 + timeoutSeconds: 1 + terminationMessagePath: /dev/termination-log + terminationMessagePolicy: File + volumeMounts: + - mountPath: /host/proc/sys/net + name: host-proc-sys-net + - mountPath: /host/proc/sys/kernel + name: host-proc-sys-kernel + - mountPath: /sys/fs/bpf + mountPropagation: HostToContainer + name: bpf-maps + - mountPath: /var/run/cilium + name: cilium-run + - mountPath: /host/etc/cni/net.d + name: etc-cni-netd + - mountPath: /var/lib/cilium/clustermesh + name: clustermesh-secrets + readOnly: true + - mountPath: /tmp/cilium/config-map + name: cilium-config-path + readOnly: true + - mountPath: /lib/modules + name: lib-modules + readOnly: true + - mountPath: /run/xtables.lock + name: xtables-lock + dnsPolicy: ClusterFirst + hostNetwork: true + initContainers: + - name: install-cni-binaries + image: $CILIUM_IMAGE_REGISTRY/cilium/cilium:$CILIUM_VERSION_TAG + imagePullPolicy: IfNotPresent + command: + - "/install-plugin.sh" + securityContext: + seLinuxOptions: + level: 's0' + # Running with spc_t since we have removed the privileged mode. + # Users can change it to a different type as long as they have the + # type available on the system. 
+ type: 'spc_t' + capabilities: + drop: + - ALL + volumeMounts: + - name: cni-path + mountPath: /host/opt/cni/bin + - command: + - sh + - -ec + - | + cp /usr/bin/cilium-mount /hostbin/cilium-mount; + nsenter --cgroup=/hostproc/1/ns/cgroup --mount=/hostproc/1/ns/mnt "${BIN_PATH}/cilium-mount" $CGROUP_ROOT; + rm /hostbin/cilium-mount + env: + - name: CGROUP_ROOT + value: /run/cilium/cgroupv2 + - name: BIN_PATH + value: /opt/cni/bin + image: $CILIUM_IMAGE_REGISTRY/cilium/cilium:$CILIUM_VERSION_TAG + imagePullPolicy: IfNotPresent + name: mount-cgroup + resources: {} + securityContext: + capabilities: + add: + - SYS_ADMIN + - SYS_CHROOT + - SYS_PTRACE + drop: + - ALL + seLinuxOptions: + level: s0 + type: spc_t + terminationMessagePath: /dev/termination-log + terminationMessagePolicy: File + volumeMounts: + - mountPath: /hostproc + name: hostproc + - mountPath: /hostbin + name: cni-path + - command: + - sh + - -ec + - | + cp /usr/bin/cilium-sysctlfix /hostbin/cilium-sysctlfix; + nsenter --mount=/hostproc/1/ns/mnt "${BIN_PATH}/cilium-sysctlfix"; + rm /hostbin/cilium-sysctlfix + env: + - name: BIN_PATH + value: /opt/cni/bin + image: $CILIUM_IMAGE_REGISTRY/cilium/cilium:$CILIUM_VERSION_TAG + imagePullPolicy: IfNotPresent + name: apply-sysctl-overwrites + resources: {} + securityContext: + capabilities: + add: + - SYS_ADMIN + - SYS_CHROOT + - SYS_PTRACE + drop: + - ALL + seLinuxOptions: + level: s0 + type: spc_t + terminationMessagePath: /dev/termination-log + terminationMessagePolicy: File + volumeMounts: + - mountPath: /hostproc + name: hostproc + - mountPath: /hostbin + name: cni-path + - args: + - mount | grep "/sys/fs/bpf type bpf" || mount -t bpf bpf /sys/fs/bpf + command: + - /bin/bash + - -c + - -- + image: $CILIUM_IMAGE_REGISTRY/cilium/cilium:$CILIUM_VERSION_TAG + imagePullPolicy: IfNotPresent + name: mount-bpf-fs + resources: {} + securityContext: + privileged: true + terminationMessagePath: /dev/termination-log + terminationMessagePolicy: File + volumeMounts: + - 
mountPath: /sys/fs/bpf + mountPropagation: Bidirectional + name: bpf-maps + - command: + - /init-container.sh + env: + - name: CILIUM_ALL_STATE + valueFrom: + configMapKeyRef: + key: clean-cilium-state + name: cilium-config + optional: true + - name: CILIUM_BPF_STATE + valueFrom: + configMapKeyRef: + key: clean-cilium-bpf-state + name: cilium-config + optional: true + image: $CILIUM_IMAGE_REGISTRY/cilium/cilium:$CILIUM_VERSION_TAG + imagePullPolicy: IfNotPresent + name: clean-cilium-state + resources: + requests: + cpu: 100m + memory: 100Mi + securityContext: + capabilities: + add: + - NET_ADMIN + - SYS_MODULE + - SYS_ADMIN + - SYS_RESOURCE + drop: + - ALL + seLinuxOptions: + level: s0 + type: spc_t + terminationMessagePath: /dev/termination-log + terminationMessagePolicy: File + volumeMounts: + - mountPath: /sys/fs/bpf + name: bpf-maps + - mountPath: /run/cilium/cgroupv2 + mountPropagation: HostToContainer + name: cilium-cgroup + - mountPath: /var/run/cilium + name: cilium-run + - command: + - bash + - -cex + - | + export LD_LIBRARY_PATH=/host/lib/systemd:/host/usr/lib/aarch64-linux-gnu:/host/usr/lib/x86_64-linux-gnu + export SYSTEMD_VERSION="$(/host/lib/systemd/systemd --version | head -n 1 | cut -d' ' -f2)" + [[ $SYSTEMD_VERSION -ge 249 ]] && { + mkdir -p /host/etc/systemd/networkd.conf.d + echo -e "[Network]\nManageForeignRoutes=no\nManageForeignRoutingPolicyRules=no\n" \ + >/host/etc/systemd/networkd.conf.d/99-cilium-foreign-routes.conf + chmod -R u+rwX,go+rX /host/etc/systemd/networkd.conf.d + } || exit 0 + image: mcr.microsoft.com/cbl-mariner/base/core:2.0 + imagePullPolicy: IfNotPresent + name: systemd-networkd-overrides + resources: {} + securityContext: + privileged: true + terminationMessagePath: /dev/termination-log + terminationMessagePolicy: File + volumeMounts: + - mountPath: /host/etc/systemd + name: host-etc-systemd + - mountPath: /host/lib/systemd + name: host-lib-systemd + readOnly: true + - mountPath: /host/usr/lib + name: host-usr-lib + 
readOnly: true + - name: start-ipv6-hp-bpf + image: acnpublic.azurecr.io/ipv6-hp-bpf:$IPV6_HP_BPF_VERSION + imagePullPolicy: IfNotPresent + command: [/ipv6-hp-bpf] + securityContext: + privileged: true + volumeMounts: + - mountPath: /var/log + name: ipv6-hp-bpf + - name: block-wireserver + image: $CILIUM_IMAGE_REGISTRY/cilium/cilium:$CILIUM_VERSION_TAG + imagePullPolicy: IfNotPresent + command: + - /bin/bash + - -cx + - | + iptables -t mangle -C FORWARD -d 168.63.129.16 -p tcp --dport 80 -j DROP + status=$? + set -e + if [ $status -eq 0 ]; then + echo "Skip adding iptables as it already exists" + else + iptables -t mangle -I FORWARD -d 168.63.129.16 -p tcp --dport 80 -j DROP + fi + securityContext: + capabilities: + add: + - NET_ADMIN + drop: + - ALL + nodeSelector: + kubernetes.io/os: linux + priorityClassName: system-node-critical + restartPolicy: Always + schedulerName: default-scheduler + securityContext: {} + serviceAccount: cilium + serviceAccountName: cilium + terminationGracePeriodSeconds: 1 + tolerations: + - key: CriticalAddonsOnly + operator: Exists + - effect: NoExecute + operator: Exists + - effect: NoSchedule + operator: Exists + volumes: + - hostPath: + path: /var/log + type: DirectoryOrCreate + name: ipv6-hp-bpf + - hostPath: + path: /etc/systemd + type: DirectoryOrCreate + name: host-etc-systemd + - hostPath: + path: /lib/systemd + type: DirectoryOrCreate + name: host-lib-systemd + - hostPath: + path: /usr/lib + type: DirectoryOrCreate + name: host-usr-lib + - hostPath: + path: /var/run/cilium + type: DirectoryOrCreate + name: cilium-run + - hostPath: + path: /sys/fs/bpf + type: DirectoryOrCreate + name: bpf-maps + - hostPath: + path: /proc + type: Directory + name: hostproc + - hostPath: + path: /run/cilium/cgroupv2 + type: DirectoryOrCreate + name: cilium-cgroup + - hostPath: + path: /opt/cni/bin + type: DirectoryOrCreate + name: cni-path + - hostPath: + path: /etc/cni/net.d + type: DirectoryOrCreate + name: etc-cni-netd + - hostPath: + path: 
/lib/modules + type: "" + name: lib-modules + - hostPath: + path: /run/xtables.lock + type: FileOrCreate + name: xtables-lock + - name: clustermesh-secrets + secret: + defaultMode: 256 + optional: true + secretName: cilium-clustermesh + - configMap: + defaultMode: 420 + name: cilium-config + name: cilium-config-path + - hostPath: + path: /proc/sys/net + type: Directory + name: host-proc-sys-net + - hostPath: + path: /proc/sys/kernel + type: Directory + name: host-proc-sys-kernel + updateStrategy: + rollingUpdate: + maxSurge: 0 + maxUnavailable: 2 + type: RollingUpdate diff --git a/test/integration/manifests/cilium/v1.14/cilium-config/cilium-config-dualstack.yaml b/test/integration/manifests/cilium/v1.14/cilium-config/cilium-config-dualstack.yaml index abff1b585c..acc4fa0f04 100644 --- a/test/integration/manifests/cilium/v1.14/cilium-config/cilium-config-dualstack.yaml +++ b/test/integration/manifests/cilium/v1.14/cilium-config/cilium-config-dualstack.yaml @@ -9,6 +9,7 @@ data: bpf-map-dynamic-size-ratio: "0.0025" bpf-policy-map-max: "16384" bpf-root: /sys/fs/bpf + bpf-filter-priority: "2" cgroup-root: /run/cilium/cgroupv2 cilium-endpoint-gc-interval: 5m0s cluster-id: "0" From 5cf7ffaecd5e18cc4e98593e09ee6354eb8befd1 Mon Sep 17 00:00:00 2001 From: Camryn Lee Date: Tue, 4 Jun 2024 21:03:51 +0000 Subject: [PATCH 2/9] test binary build --- Makefile | 1 + 1 file changed, 1 insertion(+) diff --git a/Makefile b/Makefile index a25db04d9d..7a7d23d626 100644 --- a/Makefile +++ b/Makefile @@ -184,6 +184,7 @@ azure-ipam-binary: # Build the ipv6-hp-bpf binary. ipv6-hp-bpf-binary: + sudo apt-get update && apt-get install -y llvm clang linux-libc-dev linux-headers-generic libbpf-dev libc6-dev nftables iproute2 cd $(IPV6_HP_BPF_DIR) && CGO_ENABLED=0 go generate ./... cd $(IPV6_HP_BPF_DIR)/cmd/ipv6-hp-bpf && CGO_ENABLED=0 go build -v -o $(IPV6_HP_BPF_BUILD_DIR)$(EXE_EXT) -ldflags "-X main.version=$(IPV6_HP_BPF_VERSION)" -gcflags="-dwarflocationlists=true" 
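Review bot: The new `start-ipv6-hp-bpf` init container is the one place in this manifest that combines `privileged: true`, a read-write hostPath mount of the whole of `/var/log`, and an image from outside `$CILIUM_IMAGE_REGISTRY` (`acnpublic.azurecr.io/ipv6-hp-bpf:$IPV6_HP_BPF_VERSION`, pulled `IfNotPresent` by tag). Several other init containers here list explicit capabilities under `add:` with `drop: ALL`; the same pattern may be enough for this one, but the set the program needs is not visible from this diff and has to be confirmed. Mounting a dedicated log subdirectory instead of `/var/log` would keep a buggy or tampered image from rewriting other node logs. Until the capability set is narrowed, add a comment above the container such as `# privileged: loads and attaches the ipv6-hp-bpf program on the host; narrow to explicit capabilities once the required set is known`.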
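Review bot: The added first recipe line makes `ipv6-hp-bpf-binary` install system packages as root on whatever machine runs the build, on every invocation and with no version pins. Since patch 1/9 put `ipv6-hp-bpf` into `all-binaries`, a developer running `make all-binaries` locally now gets a `sudo` escalation and a modified host, and the toolchain that compiles the BPF object can differ from run to run. Move the package installation into its own explicitly named setup target or a pipeline step, and leave this recipe with only the `go generate` and `go build` lines. The same applies to the `sudo apt-get` lines in the hunks of patches 3/9 and 4/9.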
From 999186350379dc53a5672aaa8480b0ce2713d83d Mon Sep 17 00:00:00 2001 From: Camryn Lee Date: Tue, 4 Jun 2024 22:25:11 +0000 Subject: [PATCH 3/9] use sudo --- Makefile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Makefile b/Makefile index 7a7d23d626..81b7edbbc4 100644 --- a/Makefile +++ b/Makefile @@ -184,7 +184,7 @@ azure-ipam-binary: # Build the ipv6-hp-bpf binary. ipv6-hp-bpf-binary: - sudo apt-get update && apt-get install -y llvm clang linux-libc-dev linux-headers-generic libbpf-dev libc6-dev nftables iproute2 + sudo apt-get update && sudo apt-get install -y llvm clang linux-libc-dev linux-headers-generic libbpf-dev libc6-dev nftables iproute2 cd $(IPV6_HP_BPF_DIR) && CGO_ENABLED=0 go generate ./... cd $(IPV6_HP_BPF_DIR)/cmd/ipv6-hp-bpf && CGO_ENABLED=0 go build -v -o $(IPV6_HP_BPF_BUILD_DIR)$(EXE_EXT) -ldflags "-X main.version=$(IPV6_HP_BPF_VERSION)" -gcflags="-dwarflocationlists=true" From 1390f1b1f0def7c2ceb52565e1228aa62250095b Mon Sep 17 00:00:00 2001 From: Camryn Lee Date: Tue, 4 Jun 2024 23:19:15 +0000 Subject: [PATCH 4/9] build separate binaries --- Makefile | 17 +++++++++++++---- 1 file changed, 13 insertions(+), 4 deletions(-) diff --git a/Makefile b/Makefile index 81b7edbbc4..ad7239bf92 100644 --- a/Makefile +++ b/Makefile @@ -142,7 +142,7 @@ azure-cns: azure-cns-binary cns-archive acncli: acncli-binary acncli-archive azure-npm: azure-npm-binary npm-archive azure-ipam: azure-ipam-binary azure-ipam-archive -ipv6-hp-bpf: ipv6-hp-bpf-binary ipv6-hp-bpf-archive +ipv6-hp-bpf: ipv6-hp-bpf-binary-amd64 ipv6-hp-bpf-binary-arm64 ipv6-hp-bpf-archive ##@ Versioning 
@@ -183,8 +183,17 @@ azure-ipam-binary: cd $(AZURE_IPAM_DIR) && CGO_ENABLED=0 go build -v -o $(AZURE_IPAM_BUILD_DIR)/azure-ipam$(EXE_EXT) -ldflags "-X github.com/Azure/azure-container-networking/azure-ipam/internal/buildinfo.Version=$(AZURE_IPAM_VERSION)" -gcflags="-dwarflocationlists=true" # Build the ipv6-hp-bpf binary. -ipv6-hp-bpf-binary: - sudo apt-get update && sudo apt-get install -y llvm clang linux-libc-dev linux-headers-generic libbpf-dev libc6-dev nftables iproute2 +ipv6-hp-bpf-binary-amd64: + sudo apt-get update && sudo apt-get install -y llvm clang linux-libc-dev linux-headers-generic libbpf-dev libc6-dev nftables iproute2 gcc-multilib + for dir in /usr/include/x86_64-linux-gnu/*; do sudo ln -sfn "$dir" /usr/include/$(basename "$dir"); done + cd $(IPV6_HP_BPF_DIR) && CGO_ENABLED=0 go generate ./... + cd $(IPV6_HP_BPF_DIR)/cmd/ipv6-hp-bpf && CGO_ENABLED=0 go build -v -o $(IPV6_HP_BPF_BUILD_DIR)$(EXE_EXT) -ldflags "-X main.version=$(IPV6_HP_BPF_VERSION)" -gcflags="-dwarflocationlists=true" + +# Build the ipv6-hp-bpf binary (arm64). +ipv6-hp-bpf-binary-arm64: + sudo apt-get update && sudo apt-get install -y llvm clang linux-libc-dev linux-headers-generic libbpf-dev libc6-dev nftables iproute2 gcc-aarch64-linux-gnu + for dir in /usr/include/aarch64-linux-gnu/*; do sudo ln -sfn "$dir" /usr/include/$(basename "$dir"); done + sudo ln -sfn /usr/include/x86_64-linux-gnu/asm /usr/include/asm cd $(IPV6_HP_BPF_DIR) && CGO_ENABLED=0 go generate ./... cd $(IPV6_HP_BPF_DIR)/cmd/ipv6-hp-bpf && CGO_ENABLED=0 go build -v -o $(IPV6_HP_BPF_BUILD_DIR)$(EXE_EXT) -ldflags "-X main.version=$(IPV6_HP_BPF_VERSION)" -gcflags="-dwarflocationlists=true" 
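Review bot: In both new recipes the loop `for dir in ...; do sudo ln -sfn "$dir" /usr/include/$(basename "$dir"); done` is expanded by make before the shell sees it. `$d` is read as a make variable (empty unless one named `d` is defined) and `$(basename ...)` is make's own function, so the shell receives the literal `"ir"` on every iteration and never links the real header directories. Inside a recipe the shell dollars must be doubled: `sudo ln -sfn "$$dir" /usr/include/$$(basename "$$dir")`. Also, neither recipe sets `GOARCH` and both write to the same `-o` path, so unless `GOARCH` is exported elsewhere in the Makefile the `-amd64` and `-arm64` targets build the same binary and overwrite each other. The arm64 recipe additionally repoints `/usr/include/asm` on the build host, a system-wide change that outlives the build.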
@@ -804,7 +813,7 @@ endif # Create a ipv6-hp-bpf archive for the target platform. .PHONY: ipv6-hp-bpf-archive -ipv6-hp-bpf-archive: ipv6-hp-bpf-binary +ipv6-hp-bpf-archive: ipv6-hp-bpf-binary-amd64 ipv6-hp-bpf-binary-arm64 ifeq ($(GOOS),linux) $(MKDIR) $(IPV6_HP_BPF_BUILD_DIR) cd $(IPV6_HP_BPF_BUILD_DIR) && $(ARCHIVE_CMD) $(IPV6_HP_BPF_ARCHIVE_NAME) ipv6-hp-bpf$(EXE_EXT) From d8deb1780644bd34555a3c49a4211ad93547e66e Mon Sep 17 00:00:00 2001 From: Camryn Lee Date: Wed, 5 Jun 2024 00:49:46 +0000 Subject: [PATCH 5/9] test archives --- Makefile | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/Makefile b/Makefile index ad7239bf92..98c0421b2d 100644 --- a/Makefile +++ b/Makefile @@ -106,6 +106,7 @@ CNM_ARCHIVE_NAME = azure-vnet-cnm-$(GOOS)-$(GOARCH)-$(ACN_VERSION).$(ARCHIVE_EXT CNS_ARCHIVE_NAME = azure-cns-$(GOOS)-$(GOARCH)-$(CNS_VERSION).$(ARCHIVE_EXT) NPM_ARCHIVE_NAME = azure-npm-$(GOOS)-$(GOARCH)-$(NPM_VERSION).$(ARCHIVE_EXT) AZURE_IPAM_ARCHIVE_NAME = azure-ipam-$(GOOS)-$(GOARCH)-$(AZURE_IPAM_VERSION).$(ARCHIVE_EXT) +IPV6_HP_BPF_ARCHIVE_NAME = ipv6-hp-bpf-$(GOOS)-$(GOARCH)-$(IPV6_HP_BPF_VERSION).$(ARCHIVE_EXT) # Image info file names. CNI_IMAGE_INFO_FILE = azure-cni-$(CNI_VERSION).txt 
@@ -187,7 +188,7 @@ ipv6-hp-bpf-binary-amd64: sudo apt-get update && sudo apt-get install -y llvm clang linux-libc-dev linux-headers-generic libbpf-dev libc6-dev nftables iproute2 gcc-multilib for dir in /usr/include/x86_64-linux-gnu/*; do sudo ln -sfn "$dir" /usr/include/$(basename "$dir"); done cd $(IPV6_HP_BPF_DIR) && CGO_ENABLED=0 go generate ./... - cd $(IPV6_HP_BPF_DIR)/cmd/ipv6-hp-bpf && CGO_ENABLED=0 go build -v -o $(IPV6_HP_BPF_BUILD_DIR)$(EXE_EXT) -ldflags "-X main.version=$(IPV6_HP_BPF_VERSION)" -gcflags="-dwarflocationlists=true" + cd $(IPV6_HP_BPF_DIR)/cmd/ipv6-hp-bpf && CGO_ENABLED=0 go build -v -o $(IPV6_HP_BPF_BUILD_DIR)/ipv6-hp-bpf$(EXE_EXT) -ldflags "-X main.version=$(IPV6_HP_BPF_VERSION)" -gcflags="-dwarflocationlists=true" # Build the ipv6-hp-bpf binary (arm64). ipv6-hp-bpf-binary-arm64: @@ -195,7 +196,7 @@ ipv6-hp-bpf-binary-arm64: for dir in /usr/include/aarch64-linux-gnu/*; do sudo ln -sfn "$dir" /usr/include/$(basename "$dir"); done sudo ln -sfn /usr/include/x86_64-linux-gnu/asm /usr/include/asm cd $(IPV6_HP_BPF_DIR) && CGO_ENABLED=0 go generate ./... - cd $(IPV6_HP_BPF_DIR)/cmd/ipv6-hp-bpf && CGO_ENABLED=0 go build -v -o $(IPV6_HP_BPF_BUILD_DIR)$(EXE_EXT) -ldflags "-X main.version=$(IPV6_HP_BPF_VERSION)" -gcflags="-dwarflocationlists=true" + cd $(IPV6_HP_BPF_DIR)/cmd/ipv6-hp-bpf && CGO_ENABLED=0 go build -v -o $(IPV6_HP_BPF_BUILD_DIR)/ipv6-hp-bpf$(EXE_EXT) -ldflags "-X main.version=$(IPV6_HP_BPF_VERSION)" -gcflags="-dwarflocationlists=true" # Build the Azure CNM binary. cnm-binary: From 9696ec521b770b5c3226af75a736ef1bfdb8d369 Mon Sep 17 00:00:00 2001 
From: Camryn Lee Date: Thu, 6 Jun 2024 00:25:43 +0000 Subject: [PATCH 6/9] combine dockerfiles and build cmds --- Makefile | 23 +++------ bpf-prog/ipv6-hp-bpf/linux-amd64.Dockerfile | 32 ------------ bpf-prog/ipv6-hp-bpf/linux-arm64.Dockerfile | 32 ------------ bpf-prog/ipv6-hp-bpf/linux.Dockerfile | 55 +++++++++++++++++++++ 4 files changed, 62 insertions(+), 80 deletions(-) delete mode 100644 bpf-prog/ipv6-hp-bpf/linux-amd64.Dockerfile delete mode 100644 bpf-prog/ipv6-hp-bpf/linux-arm64.Dockerfile create mode 100644 bpf-prog/ipv6-hp-bpf/linux.Dockerfile diff --git a/Makefile b/Makefile index 98c0421b2d..9b2ac0e934 100644 --- a/Makefile +++ b/Makefile @@ -143,7 +143,7 @@ azure-cns: azure-cns-binary cns-archive acncli: acncli-binary acncli-archive azure-npm: azure-npm-binary npm-archive azure-ipam: azure-ipam-binary azure-ipam-archive -ipv6-hp-bpf: ipv6-hp-bpf-binary-amd64 ipv6-hp-bpf-binary-arm64 ipv6-hp-bpf-archive +ipv6-hp-bpf: ipv6-hp-bpf-binary ipv6-hp-bpf-archive ##@ Versioning 
@@ -184,19 +184,10 @@ azure-ipam-binary: cd $(AZURE_IPAM_DIR) && CGO_ENABLED=0 go build -v -o $(AZURE_IPAM_BUILD_DIR)/azure-ipam$(EXE_EXT) -ldflags "-X github.com/Azure/azure-container-networking/azure-ipam/internal/buildinfo.Version=$(AZURE_IPAM_VERSION)" -gcflags="-dwarflocationlists=true" # Build the ipv6-hp-bpf binary. -ipv6-hp-bpf-binary-amd64: - sudo apt-get update && sudo apt-get install -y llvm clang linux-libc-dev linux-headers-generic libbpf-dev libc6-dev nftables iproute2 gcc-multilib - for dir in /usr/include/x86_64-linux-gnu/*; do sudo ln -sfn "$dir" /usr/include/$(basename "$dir"); done - cd $(IPV6_HP_BPF_DIR) && CGO_ENABLED=0 go generate ./... - cd $(IPV6_HP_BPF_DIR)/cmd/ipv6-hp-bpf && CGO_ENABLED=0 go build -v -o $(IPV6_HP_BPF_BUILD_DIR)/ipv6-hp-bpf$(EXE_EXT) -ldflags "-X main.version=$(IPV6_HP_BPF_VERSION)" -gcflags="-dwarflocationlists=true" - -# Build the ipv6-hp-bpf binary (arm64). -ipv6-hp-bpf-binary-arm64: - sudo apt-get update && sudo apt-get install -y llvm clang linux-libc-dev linux-headers-generic libbpf-dev libc6-dev nftables iproute2 gcc-aarch64-linux-gnu - for dir in /usr/include/aarch64-linux-gnu/*; do sudo ln -sfn "$dir" /usr/include/$(basename "$dir"); done - sudo ln -sfn /usr/include/x86_64-linux-gnu/asm /usr/include/asm - cd $(IPV6_HP_BPF_DIR) && CGO_ENABLED=0 go generate ./... - cd $(IPV6_HP_BPF_DIR)/cmd/ipv6-hp-bpf && CGO_ENABLED=0 go build -v -o $(IPV6_HP_BPF_BUILD_DIR)/ipv6-hp-bpf$(EXE_EXT) -ldflags "-X main.version=$(IPV6_HP_BPF_VERSION)" -gcflags="-dwarflocationlists=true" +ipv6-hp-bpf-binary: ipv6-hp-bpf-image + container=$$(docker create $(IMAGE_REGISTRY)/$(IPV6_HP_BPF_IMAGE):$(IPV6_HP_BPF_IMAGE_PLATFORM_TAG)) && \ + docker cp $$container:/ipv6-hp-bpf $(IPV6_HP_BPF_BUILD_DIR)/ipv6-hp-bpf && \ + docker rm $$container # Build the Azure CNM binary. cnm-binary: 
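Review bot: `docker create` resolves `$(IMAGE_REGISTRY)/$(IPV6_HP_BPF_IMAGE):$(IPV6_HP_BPF_IMAGE_PLATFORM_TAG)` by tag, so the binary that reaches the archive may be pulled from the registry rather than built from this checkout. That happens if the `ipv6-hp-bpf-image` prerequisite did not leave the image in the local docker store (a different builder, or a build that does not load its result; not visible from this hunk). Two smaller things in the same recipe: nothing here creates `$(IPV6_HP_BPF_BUILD_DIR)` before `docker cp` writes into it, and a failing `docker cp` skips `docker rm`, leaving the container behind. Adding `$(MKDIR) $(IPV6_HP_BPF_BUILD_DIR)` as the first recipe line and replacing the `&& docker rm $$container` tail with `; rc=$$?; docker rm $$container; exit $$rc` covers both.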
@@ -403,7 +394,7 @@ ipv6-hp-bpf-image-name-and-tag: # util target to print the ipv6-hp-bpf image nam ipv6-hp-bpf-image: ## build ipv6-hp-bpf container image. $(MAKE) container \ - DOCKERFILE=bpf-prog/ipv6-hp-bpf/$(OS)-$(ARCH).Dockerfile \ + DOCKERFILE=bpf-prog/ipv6-hp-bpf/$(OS).Dockerfile \ IMAGE=$(IPV6_HP_BPF_IMAGE) \ EXTRA_BUILD_ARGS='--build-arg OS=$(OS) --build-arg ARCH=$(ARCH) --build-arg OS_VERSION=$(OS_VERSION) --build-arg DEBUG=$(DEBUG)'\ PLATFORM=$(PLATFORM) \ @@ -814,7 +805,7 @@ endif # Create a ipv6-hp-bpf archive for the target platform. .PHONY: ipv6-hp-bpf-archive -ipv6-hp-bpf-archive: ipv6-hp-bpf-binary-amd64 ipv6-hp-bpf-binary-arm64 +ipv6-hp-bpf-archive: ipv6-hp-bpf-binary ifeq ($(GOOS),linux) $(MKDIR) $(IPV6_HP_BPF_BUILD_DIR) cd $(IPV6_HP_BPF_BUILD_DIR) && $(ARCHIVE_CMD) $(IPV6_HP_BPF_ARCHIVE_NAME) ipv6-hp-bpf$(EXE_EXT) diff --git a/bpf-prog/ipv6-hp-bpf/linux-amd64.Dockerfile b/bpf-prog/ipv6-hp-bpf/linux-amd64.Dockerfile deleted file mode 100644 index 3a21f8d05f..0000000000 --- a/bpf-prog/ipv6-hp-bpf/linux-amd64.Dockerfile +++ /dev/null 
@@ -1,32 +0,0 @@ -FROM mcr.microsoft.com/oss/go/microsoft/golang:1.21 AS builder -ARG VERSION -ARG DEBUG -ARG OS -WORKDIR /bpf-prog/ipv6-hp-bpf -COPY ./bpf-prog/ipv6-hp-bpf . -COPY ./bpf-prog/ipv6-hp-bpf/cmd/ipv6-hp-bpf/*.go /bpf-prog/ipv6-hp-bpf/ -COPY ./bpf-prog/ipv6-hp-bpf/include/helper.h /bpf-prog/ipv6-hp-bpf/include/helper.h -RUN apt-get update && apt-get install -y llvm clang linux-libc-dev linux-headers-generic libbpf-dev libc6-dev gcc-multilib nftables iproute2 -RUN for dir in /usr/include/x86_64-linux-gnu/*; do ln -s "$dir" /usr/include/$(basename "$dir"); done -ENV C_INCLUDE_PATH=/usr/include/bpf -RUN if [ "$DEBUG" = "true" ]; then echo "\n#define DEBUG" >> /bpf-prog/ipv6-hp-bpf/include/helper.h; fi -RUN GOOS=$OS CGO_ENABLED=0 go generate ./... -RUN GOOS=$OS CGO_ENABLED=0 go build -a -o /go/bin/ipv6-hp-bpf -trimpath -ldflags "-X main.version="$VERSION"" -gcflags="-dwarflocationlists=true" . - -FROM mcr.microsoft.com/cbl-mariner/distroless/minimal:2.0 -COPY --from=builder /go/bin/ipv6-hp-bpf /ipv6-hp-bpf -COPY --from=builder /usr/sbin/nft /usr/sbin/nft -COPY --from=builder /sbin/ip /sbin/ip -COPY --from=builder /lib/x86_64-linux-gnu/libnftables.so.1 /lib/x86_64-linux-gnu/ -COPY --from=builder /lib/x86_64-linux-gnu/libedit.so.2 /lib/x86_64-linux-gnu/ -COPY --from=builder /lib/x86_64-linux-gnu/libc.so.6 /lib/x86_64-linux-gnu/ -COPY --from=builder /lib/x86_64-linux-gnu/libmnl.so.0 /lib/x86_64-linux-gnu/ -COPY --from=builder /lib/x86_64-linux-gnu/libnftnl.so.11 /lib/x86_64-linux-gnu/ -COPY --from=builder /lib/x86_64-linux-gnu/libxtables.so.12 /lib/x86_64-linux-gnu/ -COPY --from=builder /lib/x86_64-linux-gnu/libjansson.so.4 /lib/x86_64-linux-gnu/ -COPY --from=builder /lib/x86_64-linux-gnu/libgmp.so.10 /lib/x86_64-linux-gnu/ -COPY --from=builder /lib/x86_64-linux-gnu/libtinfo.so.6 /lib/x86_64-linux-gnu/ -COPY --from=builder /lib/x86_64-linux-gnu/libbsd.so.0 /lib/x86_64-linux-gnu/ -COPY --from=builder /lib64/ld-linux-x86-64.so.2 /lib64/ -COPY --from=builder 
/lib/x86_64-linux-gnu/libmd.so.0 /lib/x86_64-linux-gnu/ -CMD ["/ipv6-hp-bpf"] \ No newline at end of file diff --git a/bpf-prog/ipv6-hp-bpf/linux-arm64.Dockerfile b/bpf-prog/ipv6-hp-bpf/linux-arm64.Dockerfile deleted file mode 100644 index db3d8c76d7..0000000000 --- a/bpf-prog/ipv6-hp-bpf/linux-arm64.Dockerfile +++ /dev/null 
@@ -1,32 +0,0 @@
-FROM mcr.microsoft.com/oss/go/microsoft/golang:1.21 AS builder
-ARG VERSION
-ARG DEBUG
-ARG OS
-WORKDIR /bpf-prog/ipv6-hp-bpf
-COPY ./bpf-prog/ipv6-hp-bpf .
-COPY ./bpf-prog/ipv6-hp-bpf/cmd/ipv6-hp-bpf/*.go /bpf-prog/ipv6-hp-bpf/
-COPY ./bpf-prog/ipv6-hp-bpf/include/helper.h /bpf-prog/ipv6-hp-bpf/include/helper.h
-RUN apt-get update && apt-get install -y llvm clang linux-libc-dev linux-headers-generic libbpf-dev libc6-dev nftables iproute2 gcc-aarch64-linux-gnu
-RUN for dir in /usr/include/aarch64-linux-gnu/*; do ln -s "$dir" /usr/include/$(basename "$dir"); done;
-ENV C_INCLUDE_PATH=/usr/include/bpf
-RUN if [ "$DEBUG" = "true" ]; then echo "\n#define DEBUG" >> /bpf-prog/ipv6-hp-bpf/include/helper.h; fi
-RUN GOOS=$OS CGO_ENABLED=0 go generate ./...
-RUN GOOS=$OS CGO_ENABLED=0 go build -a -o /go/bin/ipv6-hp-bpf -trimpath -ldflags "-X main.version="$VERSION"" -gcflags="-dwarflocationlists=true" .
-
-FROM mcr.microsoft.com/cbl-mariner/distroless/minimal:2.0 AS final-arm64
-COPY --from=builder /go/bin/ipv6-hp-bpf /ipv6-hp-bpf
-COPY --from=builder /usr/sbin/nft /usr/sbin/nft
-COPY --from=builder /sbin/ip /sbin/ip
-COPY --from=builder /lib/aarch64-linux-gnu/libnftables.so.1 /lib/aarch64-linux-gnu/
-COPY --from=builder /lib/aarch64-linux-gnu/libedit.so.2 /lib/aarch64-linux-gnu/
-COPY --from=builder /lib/aarch64-linux-gnu/libc.so.6 /lib/aarch64-linux-gnu/
-COPY --from=builder /lib/aarch64-linux-gnu/libmnl.so.0 /lib/aarch64-linux-gnu/
-COPY --from=builder /lib/aarch64-linux-gnu/libnftnl.so.11 /lib/aarch64-linux-gnu/
-COPY --from=builder /lib/aarch64-linux-gnu/libxtables.so.12 /lib/aarch64-linux-gnu/
-COPY --from=builder /lib/aarch64-linux-gnu/libjansson.so.4 /lib/aarch64-linux-gnu/
-COPY --from=builder /lib/aarch64-linux-gnu/libgmp.so.10 /lib/aarch64-linux-gnu/
-COPY --from=builder /lib/aarch64-linux-gnu/libtinfo.so.6 /lib/aarch64-linux-gnu/
-COPY --from=builder /lib/aarch64-linux-gnu/libbsd.so.0 /lib/aarch64-linux-gnu/
-COPY --from=builder /lib/aarch64-linux-gnu/libmd.so.0 /lib/aarch64-linux-gnu/
-COPY --from=builder /lib/aarch64-linux-gnu/ld-linux-aarch64.so.1 /lib/aarch64-linux-gnu/
-CMD ["/ipv6-hp-bpf"]
diff --git a/bpf-prog/ipv6-hp-bpf/linux.Dockerfile b/bpf-prog/ipv6-hp-bpf/linux.Dockerfile
new file mode 100644
index 0000000000..03d8e9e513
--- /dev/null
+++ b/bpf-prog/ipv6-hp-bpf/linux.Dockerfile
@@ -0,0 +1,55 @@ +FROM mcr.microsoft.com/oss/go/microsoft/golang:1.21 AS builder +ARG VERSION +ARG DEBUG +ARG OS +ARG ARCH +WORKDIR /bpf-prog/ipv6-hp-bpf +COPY ./bpf-prog/ipv6-hp-bpf . +COPY ./bpf-prog/ipv6-hp-bpf/cmd/ipv6-hp-bpf/*.go /bpf-prog/ipv6-hp-bpf/ +COPY ./bpf-prog/ipv6-hp-bpf/include/helper.h /bpf-prog/ipv6-hp-bpf/include/helper.h +RUN apt-get update && apt-get install -y llvm clang linux-libc-dev linux-headers-generic libbpf-dev libc6-dev nftables iproute2 +RUN mkdir -p /tmp/lib +RUN if [ "$ARCH" = "arm64" ]; then \ + apt-get install -y gcc-aarch64-linux-gnu && \ + for dir in /usr/include/aarch64-linux-gnu/*; do ln -s "$dir" /usr/include/$(basename "$dir"); done && \ + ln -sfn /usr/include/aarch64-linux-gnu/asm /usr/include/asm && \ + cp /lib/aarch64-linux-gnu/libnftables.so.1 /tmp/lib/ && \ + cp /lib/aarch64-linux-gnu/libedit.so.2 /tmp/lib/ && \ + cp /lib/aarch64-linux-gnu/libc.so.6 /tmp/lib/ && \ + cp /lib/aarch64-linux-gnu/libmnl.so.0 /tmp/lib/ && \ + cp /lib/aarch64-linux-gnu/libnftnl.so.11 /tmp/lib/ && \ + cp /lib/aarch64-linux-gnu/libxtables.so.12 /tmp/lib/ && \ + cp /lib/aarch64-linux-gnu/libjansson.so.4 /tmp/lib/ && \ + cp /lib/aarch64-linux-gnu/libgmp.so.10 /tmp/lib/ && \ + cp /lib/aarch64-linux-gnu/libtinfo.so.6 /tmp/lib/ && \ + cp /lib/aarch64-linux-gnu/libbsd.so.0 /tmp/lib/ && \ + cp /lib/aarch64-linux-gnu/libmd.so.0 /tmp/lib/ && \ + cp /lib/aarch64-linux-gnu/ld-linux-aarch64.so.1 /tmp/lib/; \ + fi; +RUN if [ "$ARCH" = "amd64" ]; then \ + apt-get install -y gcc-multilib && \ + for dir in /usr/include/x86_64-linux-gnu/*; do ln -s "$dir" /usr/include/$(basename "$dir"); done && \ + cp /lib/x86_64-linux-gnu/libnftables.so.1 /tmp/lib/ && \ + cp /lib/x86_64-linux-gnu/libedit.so.2 /tmp/lib/ && \ + cp /lib/x86_64-linux-gnu/libc.so.6 /tmp/lib/ && \ + cp /lib/x86_64-linux-gnu/libmnl.so.0 /tmp/lib/ && \ + cp /lib/x86_64-linux-gnu/libnftnl.so.11 /tmp/lib/ && \ + cp /lib/x86_64-linux-gnu/libxtables.so.12 /tmp/lib/ && \ + cp 
/lib/x86_64-linux-gnu/libjansson.so.4 /tmp/lib/ && \ + cp /lib/x86_64-linux-gnu/libgmp.so.10 /tmp/lib/ && \ + cp /lib/x86_64-linux-gnu/libtinfo.so.6 /tmp/lib/ && \ + cp /lib/x86_64-linux-gnu/libbsd.so.0 /tmp/lib/ && \ + cp /lib/x86_64-linux-gnu/libmd.so.0 /tmp/lib/ && \ + cp /lib/x86_64-linux-gnu/ld-linux-x86-64.so.2 /tmp/lib/; \ + fi; +ENV C_INCLUDE_PATH=/usr/include/bpf +RUN if [ "$DEBUG" = "true" ]; then echo "\n#define DEBUG" >> /bpf-prog/ipv6-hp-bpf/include/helper.h; fi +RUN GOOS=$OS CGO_ENABLED=0 go generate ./... +RUN GOOS=$OS CGO_ENABLED=0 go build -a -o /go/bin/ipv6-hp-bpf -trimpath -ldflags "-X main.version="$VERSION"" -gcflags="-dwarflocationlists=true" . + +FROM mcr.microsoft.com/cbl-mariner/distroless/minimal:2.0 AS final +COPY --from=builder /go/bin/ipv6-hp-bpf /ipv6-hp-bpf +COPY --from=builder /usr/sbin/nft /usr/sbin/nft +COPY --from=builder /sbin/ip /sbin/ip +COPY --from=builder /tmp/lib/* /lib +CMD ["/ipv6-hp-bpf"] From c7c800d8d88c1479790c704ab047a470c7054a5d Mon Sep 17 00:00:00 2001 From: Camryn Lee Date: Thu, 6 Jun 2024 16:37:00 +0000 Subject: [PATCH 7/9] setup binary builds --- .pipelines/pipeline.yaml | 2 ++ Makefile | 17 +++++++++++++---- 2 files changed, 15 insertions(+), 4 deletions(-) diff --git a/.pipelines/pipeline.yaml b/.pipelines/pipeline.yaml index c720d0cd93..18ce451fd5 100644 --- a/.pipelines/pipeline.yaml +++ b/.pipelines/pipeline.yaml @@ -155,6 +155,8 @@ stages: name: "$(BUILD_POOL_NAME_DEFAULT)" steps: - script: | + make ipv6-hp-bpf-lib-arm64 + make ipv6-hp-bpf-lib-amd64 make all-binaries-platforms name: "BuildAllPlatformBinaries" displayName: "Build all platform binaries" diff --git a/Makefile b/Makefile index 9b2ac0e934..7cccdaec34 100644 --- a/Makefile +++ b/Makefile 
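Review bot: Everything the final stage ships besides the Go binary (`nft`, `ip`, the dynamic loader and the shared libraries staged in `/tmp/lib`) is copied out of the builder after an unpinned `apt-get install`, and both `FROM` lines use mutable tags, so the runtime image content can change between builds with no change in the repository. Pinning the base images by digest, for example `FROM mcr.microsoft.com/oss/go/microsoft/golang:1.21@sha256:<digest-placeholder> AS builder`, would make rebuilds reproducible and auditable. `COPY --from=builder /tmp/lib/* /lib` also puts the builder's `libc.so.6` and loader directly in `/lib` instead of the multiarch directory and `/lib64` used by the two deleted Dockerfiles; it is worth confirming on amd64 that `nft` and `ip` still resolve their interpreter in the final image.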
@@ -184,10 +184,19 @@ azure-ipam-binary: cd $(AZURE_IPAM_DIR) && CGO_ENABLED=0 go build -v -o $(AZURE_IPAM_BUILD_DIR)/azure-ipam$(EXE_EXT) -ldflags "-X github.com/Azure/azure-container-networking/azure-ipam/internal/buildinfo.Version=$(AZURE_IPAM_VERSION)" -gcflags="-dwarflocationlists=true" # Build the ipv6-hp-bpf binary. -ipv6-hp-bpf-binary: ipv6-hp-bpf-image - container=$$(docker create $(IMAGE_REGISTRY)/$(IPV6_HP_BPF_IMAGE):$(IPV6_HP_BPF_IMAGE_PLATFORM_TAG)) && \ - docker cp $$container:/ipv6-hp-bpf $(IPV6_HP_BPF_BUILD_DIR)/ipv6-hp-bpf && \ - docker rm $$container +ipv6-hp-bpf-binary: + cd $(IPV6_HP_BPF_DIR) && CGO_ENABLED=0 go generate ./... + cd $(IPV6_HP_BPF_DIR)/cmd/ipv6-hp-bpf && CGO_ENABLED=0 go build -v -o $(IPV6_HP_BPF_BUILD_DIR)/ipv6-hp-bpf$(EXE_EXT) -ldflags "-X main.version=$(IPV6_HP_BPF_VERSION)" -gcflags="-dwarflocationlists=true" + +# Libarires for ipv6-hp-bpf amd64 +ipv6-hp-bpf-lib-amd64: + sudo apt-get update && sudo apt-get install -y llvm clang linux-libc-dev linux-headers-generic libbpf-dev libc6-dev nftables iproute2 gcc-multilib + for dir in /usr/include/x86_64-linux-gnu/*; do sudo ln -sfn "$dir" /usr/include/$(basename "$dir"); done + +# Libarires for ipv6-hp-bpf arm64 +ipv6-hp-bpf-lib-arm64: +sudo apt-get update && sudo apt-get install -y llvm clang linux-libc-dev linux-headers-generic libbpf-dev libc6-dev nftables iproute2 gcc-aarch64-linux-gnu + for dir in /usr/include/aarch64-linux-gnu/*; do sudo ln -sfn "$dir" /usr/include/$(basename "$dir"); done # Build the Azure CNM binary. cnm-binary: From e354309ffb7080c1ccd3e55d3b199e32b0e14ad0 Mon Sep 17 00:00:00 2001 From: Camryn Lee Date: Thu, 6 Jun 2024 16:55:34 +0000 Subject: [PATCH 8/9] fix makefile --- Makefile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Makefile b/Makefile index 7cccdaec34..db7f775e2c 100644 --- a/Makefile +++ b/Makefile 
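Review bot: The new `ipv6-hp-bpf-lib-amd64` and `ipv6-hp-bpf-lib-arm64` recipes run `sudo apt-get install` and `sudo ln -sfn ... /usr/include/...` on whatever machine invokes make, so the build now installs unpinned packages as root and force-replaces entries in the host's system include directory, which persists on a reused build agent. Because `ipv6-hp-bpf-binary` no longer depends on `ipv6-hp-bpf-image`, `go generate` runs with that host toolchain and the resulting binary depends on whatever compiler versions the agent has at build time. If the host setup has to stay in the Makefile, I would mark it explicitly with a comment such as `# Modifies the build host: installs packages and relinks /usr/include (requires sudo)` and keep it out of any target developers run by default. The same applies to the merged `ipv6-hp-bpf-lib` target in the later `@@ -188,15 +188,15 @@` hunk.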
@@ -195,7 +195,7 @@ ipv6-hp-bpf-lib-amd64: # Libarires for ipv6-hp-bpf arm64 ipv6-hp-bpf-lib-arm64: -sudo apt-get update && sudo apt-get install -y llvm clang linux-libc-dev linux-headers-generic libbpf-dev libc6-dev nftables iproute2 gcc-aarch64-linux-gnu + sudo apt-get update && sudo apt-get install -y llvm clang linux-libc-dev linux-headers-generic libbpf-dev libc6-dev nftables iproute2 gcc-aarch64-linux-gnu for dir in /usr/include/aarch64-linux-gnu/*; do sudo ln -sfn "$dir" /usr/include/$(basename "$dir"); done # Build the Azure CNM binary. From c981ed43851b05c6dbadbbef8c3888c363233a96 Mon Sep 17 00:00:00 2001 From: Camryn Lee Date: Fri, 7 Jun 2024 18:54:14 +0000 Subject: [PATCH 9/9] parameterize arch for dockerfile cp and library installation --- .pipelines/pipeline.yaml | 3 +- Makefile | 14 +++---- bpf-prog/ipv6-hp-bpf/linux.Dockerfile | 54 +++++++++++---------------- 3 files changed, 30 insertions(+), 41 deletions(-) diff --git a/.pipelines/pipeline.yaml b/.pipelines/pipeline.yaml index 18ce451fd5..8db588f8af 100644 --- a/.pipelines/pipeline.yaml +++ b/.pipelines/pipeline.yaml @@ -155,8 +155,7 @@ stages: name: "$(BUILD_POOL_NAME_DEFAULT)" steps: - script: | - make ipv6-hp-bpf-lib-arm64 - make ipv6-hp-bpf-lib-amd64 + make ipv6-hp-bpf-lib make all-binaries-platforms name: "BuildAllPlatformBinaries" displayName: "Build all platform binaries" diff --git a/Makefile b/Makefile index db7f775e2c..ad92ef0a03 100644 --- a/Makefile +++ b/Makefile 
@@ -188,15 +188,15 @@ ipv6-hp-bpf-binary: cd $(IPV6_HP_BPF_DIR) && CGO_ENABLED=0 go generate ./... cd $(IPV6_HP_BPF_DIR)/cmd/ipv6-hp-bpf && CGO_ENABLED=0 go build -v -o $(IPV6_HP_BPF_BUILD_DIR)/ipv6-hp-bpf$(EXE_EXT) -ldflags "-X main.version=$(IPV6_HP_BPF_VERSION)" -gcflags="-dwarflocationlists=true" -# Libarires for ipv6-hp-bpf amd64 -ipv6-hp-bpf-lib-amd64: +# Libraries for ipv6-hp-bpf +ipv6-hp-bpf-lib: +ifeq ($(GOARCH),amd64) sudo apt-get update && sudo apt-get install -y llvm clang linux-libc-dev linux-headers-generic libbpf-dev libc6-dev nftables iproute2 gcc-multilib - for dir in /usr/include/x86_64-linux-gnu/*; do sudo ln -sfn "$dir" /usr/include/$(basename "$dir"); done - -# Libarires for ipv6-hp-bpf arm64 -ipv6-hp-bpf-lib-arm64: + for dir in /usr/include/x86_64-linux-gnu/*; do sudo ln -sfn "$$dir" /usr/include/$$(basename "$$dir"); done +else ifeq ($(GOARCH),arm64) sudo apt-get update && sudo apt-get install -y llvm clang linux-libc-dev linux-headers-generic libbpf-dev libc6-dev nftables iproute2 gcc-aarch64-linux-gnu - for dir in /usr/include/aarch64-linux-gnu/*; do sudo ln -sfn "$dir" /usr/include/$(basename "$dir"); done + for dir in /usr/include/aarch64-linux-gnu/*; do sudo ln -sfn "$$dir" /usr/include/$$(basename "$$dir"); done +endif # Build the Azure CNM binary. cnm-binary: diff --git a/bpf-prog/ipv6-hp-bpf/linux.Dockerfile b/bpf-prog/ipv6-hp-bpf/linux.Dockerfile index 03d8e9e513..64cbbdadc3 100644 --- a/bpf-prog/ipv6-hp-bpf/linux.Dockerfile +++ b/bpf-prog/ipv6-hp-bpf/linux.Dockerfile 
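Review bot: With `ifeq ($(GOARCH),amd64)` / `else ifeq ($(GOARCH),arm64)` and no final `else`, `ipv6-hp-bpf-lib` has an empty recipe for any other `GOARCH`, so make exits successfully without installing anything and the missing toolchain presumably surfaces only later, when `go generate` runs. A closing branch, `else` followed by the recipe line `@echo "ipv6-hp-bpf-lib: unsupported GOARCH=$(GOARCH)" >&2; exit 1`, would fail at the cause. The target does not produce a file, so it should also be listed in `.PHONY`; that declaration is not visible in this hunk.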
@@ -10,38 +10,28 @@ COPY ./bpf-prog/ipv6-hp-bpf/include/helper.h /bpf-prog/ipv6-hp-bpf/include/helpe
 RUN apt-get update && apt-get install -y llvm clang linux-libc-dev linux-headers-generic libbpf-dev libc6-dev nftables iproute2
 RUN mkdir -p /tmp/lib
 RUN if [ "$ARCH" = "arm64" ]; then \
- apt-get install -y gcc-aarch64-linux-gnu && \
- for dir in /usr/include/aarch64-linux-gnu/*; do ln -s "$dir" /usr/include/$(basename "$dir"); done && \
- ln -sfn /usr/include/aarch64-linux-gnu/asm /usr/include/asm && \
- cp /lib/aarch64-linux-gnu/libnftables.so.1 /tmp/lib/ && \
- cp /lib/aarch64-linux-gnu/libedit.so.2 /tmp/lib/ && \
- cp /lib/aarch64-linux-gnu/libc.so.6 /tmp/lib/ && \
- cp /lib/aarch64-linux-gnu/libmnl.so.0 /tmp/lib/ && \
- cp /lib/aarch64-linux-gnu/libnftnl.so.11 /tmp/lib/ && \
- cp /lib/aarch64-linux-gnu/libxtables.so.12 /tmp/lib/ && \
- cp /lib/aarch64-linux-gnu/libjansson.so.4 /tmp/lib/ && \
- cp /lib/aarch64-linux-gnu/libgmp.so.10 /tmp/lib/ && \
- cp /lib/aarch64-linux-gnu/libtinfo.so.6 /tmp/lib/ && \
- cp /lib/aarch64-linux-gnu/libbsd.so.0 /tmp/lib/ && \
- cp /lib/aarch64-linux-gnu/libmd.so.0 /tmp/lib/ && \
- cp /lib/aarch64-linux-gnu/ld-linux-aarch64.so.1 /tmp/lib/; \
- fi;
-RUN if [ "$ARCH" = "amd64" ]; then \
- apt-get install -y gcc-multilib && \
- for dir in /usr/include/x86_64-linux-gnu/*; do ln -s "$dir" /usr/include/$(basename "$dir"); done && \
- cp /lib/x86_64-linux-gnu/libnftables.so.1 /tmp/lib/ && \
- cp /lib/x86_64-linux-gnu/libedit.so.2 /tmp/lib/ && \
- cp /lib/x86_64-linux-gnu/libc.so.6 /tmp/lib/ && \
- cp /lib/x86_64-linux-gnu/libmnl.so.0 /tmp/lib/ && \
- cp /lib/x86_64-linux-gnu/libnftnl.so.11 /tmp/lib/ && \
- cp /lib/x86_64-linux-gnu/libxtables.so.12 /tmp/lib/ && \
- cp /lib/x86_64-linux-gnu/libjansson.so.4 /tmp/lib/ && \
- cp /lib/x86_64-linux-gnu/libgmp.so.10 /tmp/lib/ && \
- cp /lib/x86_64-linux-gnu/libtinfo.so.6 /tmp/lib/ && \
- cp /lib/x86_64-linux-gnu/libbsd.so.0 /tmp/lib/ && \
- cp /lib/x86_64-linux-gnu/libmd.so.0 /tmp/lib/ && \
- cp /lib/x86_64-linux-gnu/ld-linux-x86-64.so.2 /tmp/lib/; \
- fi;
+ apt-get install -y gcc-aarch64-linux-gnu && \
+ ARCH=aarch64-linux-gnu && \
+ cp /lib/"$ARCH"/ld-linux-aarch64.so.1 /tmp/lib/ && \
+ for dir in /usr/include/"$ARCH"/*; do ln -s "$dir" /usr/include/$(basename "$dir"); done; \
+ elif [ "$ARCH" = "amd64" ]; then \
+ apt-get install -y gcc-multilib && \
+ ARCH=x86_64-linux-gnu && \
+ cp /lib/"$ARCH"/ld-linux-x86-64.so.2 /tmp/lib/ && \
+ for dir in /usr/include/"$ARCH"/*; do ln -s "$dir" /usr/include/$(basename "$dir"); done; \
+ fi && \
+ ln -sfn /usr/include/"$ARCH"/asm /usr/include/asm && \
+ cp /lib/"$ARCH"/libnftables.so.1 /tmp/lib/ && \
+ cp /lib/"$ARCH"/libedit.so.2 /tmp/lib/ && \
+ cp /lib/"$ARCH"/libc.so.6 /tmp/lib/ && \
+ cp /lib/"$ARCH"/libmnl.so.0 /tmp/lib/ && \
+ cp /lib/"$ARCH"/libnftnl.so.11 /tmp/lib/ && \
+ cp /lib/"$ARCH"/libxtables.so.12 /tmp/lib/ && \
+ cp /lib/"$ARCH"/libjansson.so.4 /tmp/lib/ && \
+ cp /lib/"$ARCH"/libgmp.so.10 /tmp/lib/ && \
+ cp /lib/"$ARCH"/libtinfo.so.6 /tmp/lib/ && \
+ cp /lib/"$ARCH"/libbsd.so.0 /tmp/lib/ && \
+ cp /lib/"$ARCH"/libmd.so.0 /tmp/lib/
 ENV C_INCLUDE_PATH=/usr/include/bpf
 RUN if [ "$DEBUG" = "true" ]; then echo "\n#define DEBUG" >> /bpf-prog/ipv6-hp-bpf/include/helper.h; fi
 RUN GOOS=$OS CGO_ENABLED=0 go generate ./...
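Review bot: The `if`/`elif` in this `RUN` has no `else`, so an `ARCH` build argument that is unset or anything other than `arm64`/`amd64` leaves the conditional with status 0 and the step presumably fails only at `cp /lib/"$ARCH"/libnftables.so.1`, with a path error that does not name the cause. Adding `else echo "unsupported ARCH: $ARCH" >&2; exit 1; \` before `fi` stops the build at the actual problem. Reassigning `ARCH` to the multiarch triplet also shadows the build argument for the rest of the command; a separate name such as `TRIPLET` would keep the two meanings apart. The `RUN` starts on the context line above the changed lines and the Dockerfile continues past the hunk.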