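# syntax=docker/dockerfile:1
# Pinned to the stable "1" frontend channel. Everything this file relies on
# (ARG before FROM, RUN --mount=type=bind,from=<stage>) is supported there; the
# old "experimental" tag is a legacy alias and not the supported way to get it.
ARG GO_VERSION=1.24.2

# --- Stage 1: build OVS, OVN and OpenBFDD from source into /packages ----------
FROM ubuntu:24.04 AS ovs-builder
# ARCH/LEGACY select the compiler tuning for the OVS/OVN builds (see below).
ARG ARCH
ARG LEGACY
ARG DEBIAN_FRONTEND=noninteractive
ENV SRC_DIR='/usr/src'
# Make a failing producer fail the pipeline: without pipefail the
# `curl | tar` below would only report tar's exit status.
SHELL ["/bin/bash", "-o", "pipefail", "-c"]
# All build dependencies in one layer, with the list refresh in the same layer
# so a cached `update` can never be paired with a newer `install` list.
# Recommends are left on on purpose: the Debian packaging run below is only
# known to work with them installed, so do not add --no-install-recommends here.
RUN apt-get update && apt-get install -y \
        git curl build-essential fakeroot \
        autoconf automake bzip2 debhelper-compat dh-exec dh-python dh-sequence-python3 dh-sequence-sphinxdoc \
        graphviz iproute2 libcap-ng-dev libdbus-1-dev libnuma-dev libpcap-dev libssl-dev libtool libunbound-dev \
        openssl pkg-config procps python3-all-dev python3-setuptools python3-sortedcontainers python3-sphinx
# NOTE(review): both clones track a branch head (clyi-3.3 on a personal fork,
# clyi-24.03 on kubeovn/ovn). Branches are mutable, so the build is not
# reproducible and a force-push upstream silently changes what ships. Pin each
# to a commit hash once the intended ones are known (clone, then
# `git checkout <sha>`; or fetch a commit archive the way OpenBFDD is below).
RUN cd /usr/src/ && \
    git clone -b clyi-3.3 --depth=1 https://github.com/changluyi/ovs.git && \
    git clone -b clyi-24.03 --depth=1 https://github.com/kubeovn/ovn.git
# Build OVS as Debian packages. `--disable-ssl` (OVS's "disable OpenSSL
# support" switch) is given both to the bootstrap configure and through
# EXTRA_CONFIGURE_OPTS, so the resulting openvswitch packages have no SSL.
# NOTE(review): that means ovsdb-server / ovs-vswitchd in the final image cannot
# dial or serve `ssl:` targets; confirm nothing deployed from this image relies
# on TLS-protected OVSDB or OpenFlow connections.
# On amd64 with LEGACY != "true" the code is tuned for SSE4.2/POPCNT; LEGACY=true
# keeps a baseline build for CPUs without those extensions.
RUN cd /usr/src/ovs && \
    ./boot.sh && \
    ./configure --disable-ssl && \
    rm -rf .git && \
    CONFIGURE_OPTS='--disable-ssl CFLAGS="-fPIC"' && \
    if [ "$ARCH" = "amd64" ] && [ "$LEGACY" != "true" ]; then CONFIGURE_OPTS='--disable-ssl CFLAGS="-O2 -g -msse4.2 -mpopcnt -fPIC"'; fi && \
    DATAPATH_CONFIGURE_OPTS='--prefix=/usr' EXTRA_CONFIGURE_OPTS=$CONFIGURE_OPTS make debian-deb
# Build OVN against the OVS tree just built (_debian is where `make debian-deb`
# configured it). The changelog rename lower-cases the source package name.
# `nocheck` skips the test suite; `parallel=8` is a fixed build parallelism.
RUN cd /usr/src/ovn && \
    sed -i 's/OVN/ovn/g' debian/changelog && \
    rm -rf .git && \
    ./boot.sh && \
    CONFIGURE_OPTS='--with-ovs-build=/usr/src/ovs/_debian CFLAGS="-fPIC"' && \
    if [ "$ARCH" = "amd64" ] && [ "$LEGACY" != "true" ]; then CONFIGURE_OPTS="--with-ovs-build=/usr/src/ovs/_debian CFLAGS='-O2 -g -msse4.2 -mpopcnt -fPIC'"; fi && \
    OVSDIR=/usr/src/ovs EXTRA_CONFIGURE_OPTS=$CONFIGURE_OPTS DEB_BUILD_OPTIONS='parallel=8 nocheck' fakeroot debian/rules binary
# OpenBFDD is fetched by commit hash, so the source is content-addressed.
# NOTE(review): the download itself is still not integrity-checked; the commit
# pin is the only anchor. If a checksum pin is added, keep in mind that
# GitHub-generated archive tarballs are not guaranteed to stay byte-identical.
RUN mkdir -p /usr/src/openbfdd && \
    curl -sSf -L --retry 5 https://github.com/dyninc/OpenBFDD/archive/e35f43ad8d2b3f084e96a84c392528a90d05a287.tar.gz | \
    tar -xz -C /usr/src/openbfdd --strip-components=1
# Plain local files: COPY, not ADD (no archive extraction or URL fetch wanted).
COPY OpenBFDD-compile.patch OpenBFDD-allow-ttl-254.patch /usr/src/
# Patch and build OpenBFDD. The stale automake `missing` helper is removed so
# autogen regenerates it (presumably; the tree is not a git checkout here, so
# git apply runs in plain patch mode).
# NOTE(review): `git apply --no-apply` looks like a no-op — the flag only
# matters alongside --check/--stat style options. Confirm the intent; plain
# `git apply` would read more clearly.
RUN cd /usr/src/openbfdd && \
    rm -vf missing && \
    git apply --no-apply /usr/src/OpenBFDD-compile.patch && \
    git apply --no-apply /usr/src/OpenBFDD-allow-ttl-254.patch && \
    autoupdate && \
    ./autogen.sh && \
    ./configure --enable-silent-rules && \
    make
# Collect what the runtime stage consumes into /packages, then drop the
# source/doc/datapath/docker/vtep/test/dev packages it does not need.
RUN mkdir /packages/ && \
    mv /usr/src/openbfdd/bfdd-beacon /usr/src/openbfdd/bfdd-control /packages/ && \
    cp /usr/src/openvswitch-*deb /packages && \
    cp /usr/src/python3-openvswitch*deb /packages && \
    cp /usr/src/ovn-*deb /packages && \
    cp /usr/src/ovs/tutorial/ovs-sandbox /packages && \
    cd /packages && rm -f *source* *doc* *datapath* *docker* *vtep* *test* *dev*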
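# --- Stage 2: fetch the Go-based tools (CNI plugins, kubectl, gobgp) ---------
# Runs inside the Trivy image; download-go-deps.sh (not shown here) presumably
# scans what it fetches before the next stage rebuilds it.
# NOTE(review): `trivy:latest` is an unpinned moving tag (hadolint DL3007), so
# the scanner version differs from build to build. Pin a release tag — ideally
# with an @sha256 digest — so scan results are reproducible.
FROM ghcr.io/aquasecurity/trivy:latest AS trivy
ARG ARCH
ARG CNI_PLUGINS_VERSION="v1.7.1"
ARG KUBECTL_VERSION="v1.32.4"
ARG GOBGP_VERSION="3.36.0"
# ARGs are exported into the RUN environment, so trivy picks this up as the
# vulnerability DB location for the duration of this stage.
ARG TRIVY_DB_REPOSITORY="public.ecr.aws/aquasecurity/trivy-db:2"
RUN apk --no-cache add curl jq
# Plain local file: COPY, not ADD (no archive extraction or URL fetch wanted).
COPY go-deps/download-go-deps.sh /
RUN sh -x /download-go-deps.sh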
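# --- Stage 3: rebuild the Go tools with the pinned Go toolchain ---------------
# GO_VERSION comes from the ARG declared before the first FROM.
FROM golang:$GO_VERSION-alpine AS go-deps
RUN apk --no-cache add bash curl jq
# Plain local file: COPY, not ADD (no archive extraction or URL fetch wanted).
COPY go-deps/rebuild-go-deps.sh /
# The downloads from the trivy stage are bind-mounted (read-only by default) at
# /trivy; only what rebuild-go-deps.sh writes to /godeps persists in this stage.
RUN --mount=type=bind,target=/trivy,from=trivy,source=/godeps \
    bash -x /rebuild-go-deps.sh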
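# --- Final stage: the runtime image -------------------------------------------
FROM ubuntu:24.04
ARG DEBIAN_FRONTEND=noninteractive
# Runtime packages, installed in the same layer as the list refresh.
# `apt-get upgrade` is intentional: it pulls in security fixes published after
# the ubuntu:24.04 tag was built (hadolint DL3005 would rather bump a base digest).
#
# File capabilities (setcap) let the networking tools run under a non-root uid
# without setuid-root binaries. NOTE(review): a file capability is still bounded
# by the container's capability bounding set, but inside a pod that grants them,
# CAP_SYS_ADMIN on nsenter/sysctl and CAP_SYS_MODULE on modprobe are effectively
# root-equivalent for any uid that can exec those binaries. Confirm that is the
# intended trust boundary, or limit their execute bit to a dedicated group.
#
# Surface reduction at the end of the layer: apt lists dropped; /etc/localtime
# removed (presumably so the host's zone is mounted in — confirm); the nc/netcat
# alternative names removed while ncat itself stays; apt's mirror transport
# method deleted (unused at runtime); the legacy `sync` account removed.
RUN apt-get update && apt-get upgrade -y && \
    apt-get install -y --no-install-recommends \
        ca-certificates python3 hostname libunwind8 netbase \
        ethtool iproute2 ncat libunbound8 procps libatomic1 kmod iptables python3-netifaces python3-sortedcontainers \
        tcpdump ipvsadm ipset curl uuid-runtime openssl inetutils-ping arping ndisc6 conntrack traceroute iputils-tracepath \
        logrotate dnsutils net-tools strongswan strongswan-pki libcharon-extra-plugins libmnl0 \
        libcharon-extauth-plugins libstrongswan-extra-plugins libstrongswan-standard-plugins && \
    setcap CAP_NET_ADMIN+eip "$(readlink -f "$(which conntrack)")" && \
    setcap CAP_NET_ADMIN+eip "$(readlink -f "$(which ethtool)")" && \
    setcap CAP_NET_ADMIN+eip "$(readlink -f "$(which ip)")" && \
    setcap CAP_NET_ADMIN+eip "$(readlink -f "$(which ipset)")" && \
    setcap CAP_NET_ADMIN,CAP_NET_RAW+eip "$(readlink -f "$(which xtables-legacy-multi)")" && \
    setcap CAP_NET_ADMIN,CAP_NET_RAW+eip "$(readlink -f "$(which xtables-nft-multi)")" && \
    setcap CAP_NET_RAW+eip "$(readlink -f "$(which arping)")" && \
    setcap CAP_NET_RAW+eip "$(readlink -f "$(which ndisc6)")" && \
    setcap CAP_NET_RAW+eip "$(readlink -f "$(which tcpdump)")" && \
    setcap CAP_SYS_ADMIN+eip "$(readlink -f "$(which nsenter)")" && \
    setcap CAP_SYS_ADMIN+eip "$(readlink -f "$(which sysctl)")" && \
    setcap CAP_SYS_MODULE+eip "$(readlink -f "$(which modprobe)")" && \
    setcap CAP_SYS_NICE+eip "$(readlink -f "$(which nice)")" && \
    rm -rf /var/lib/apt/lists/* && \
    rm -rf /etc/localtime && \
    rm -f /usr/bin/nc && \
    rm -f /usr/bin/netcat && \
    rm -f /usr/lib/apt/methods/mirror && \
    deluser sync
# Runtime directories for OVS/OVN sockets and the CNI config/binary locations.
RUN mkdir -p /var/run/openvswitch /var/run/ovn /etc/cni/net.d /opt/cni/bin
ARG DUMB_INIT_VERSION="1.2.5"
# Optional sha256 of the dumb-init binary for this version and architecture.
# Empty by default so existing builds are unchanged; when supplied, the download
# is verified before it is made executable, which makes the build tamper-evident
# instead of trusting whatever the release URL serves.
ARG DUMB_INIT_SHA256=""
RUN curl -sSf -L --retry 5 -o /usr/bin/dumb-init https://github.com/Yelp/dumb-init/releases/download/v${DUMB_INIT_VERSION}/dumb-init_${DUMB_INIT_VERSION}_$(arch) && \
    if [ -n "${DUMB_INIT_SHA256}" ]; then echo "${DUMB_INIT_SHA256}  /usr/bin/dumb-init" | sha256sum -c -; fi && \
    chmod +x /usr/bin/dumb-init
# Go-built tools from the go-deps stage. The CNI plugins go to the filesystem
# root: no WORKDIR is set in this stage, so the previous `./` meant `/`; the
# destination is spelled out so a future WORKDIR cannot silently move them.
RUN --mount=type=bind,target=/godeps,from=go-deps,source=/godeps \
    cp /godeps/loopback /godeps/portmap /godeps/macvlan / && \
    cp /godeps/kubectl /godeps/gobgp /usr/bin/
ARG DEBUG=false
# Install the OVS/OVN packages and BFD daemons built in ovs-builder.
# - ovn-* is installed with --ignore-depends for openvswitch-switch/common,
#   presumably because the locally built openvswitch packages do not satisfy
#   the dependency by name — confirm.
# - /var/lib/openvswitch/pki/ is removed so nothing the package may have placed
#   there ships in the image.
# - The logrotate state directory is handed to `nobody` (presumably so rotation
#   can run unprivileged — confirm).
# - DEBUG=false (default): ovsdb-server and ovs-vswitchd get file capabilities
#   so they can run non-root. DEBUG=true: gdb, valgrind and the .ddeb symbol
#   packages are installed instead and no capabilities are set on the daemons
#   (presumably because debuggers cannot attach to a capability-elevated,
#   non-dumpable process — confirm).
RUN --mount=type=bind,target=/packages,from=ovs-builder,source=/packages \
    cp /packages/bfdd-beacon /packages/bfdd-control /usr/bin/ && \
    cp /packages/ovs-sandbox /usr/bin/ && chmod +x /usr/bin/ovs-sandbox && \
    setcap CAP_NET_BIND_SERVICE+eip /usr/bin/bfdd-beacon && \
    dpkg -i /packages/openvswitch-*.deb /packages/python3-openvswitch*.deb && \
    dpkg -i --ignore-depends=openvswitch-switch,openvswitch-common /packages/ovn-*.deb && \
    rm -rf /var/lib/openvswitch/pki/ && \
    chown -R nobody: /var/lib/logrotate && \
    setcap CAP_NET_ADMIN+eip "$(readlink -f "$(which ovs-dpctl)")" && \
    if [ "${DEBUG}" != "true" ]; then \
        setcap CAP_NET_BIND_SERVICE+eip "$(readlink -f "$(which ovsdb-server)")" && \
        setcap CAP_NET_ADMIN,CAP_NET_BIND_SERVICE,CAP_SYS_ADMIN+eip "$(readlink -f "$(which ovs-vswitchd)")"; \
    else \
        apt-get update && apt-get install -y --no-install-recommends gdb valgrind && \
        rm -rf /var/lib/apt/lists/* && \
        dpkg -i --ignore-depends=openvswitch-switch,openvswitch-common /packages/*.ddeb; \
    fi
# NOTE(review): no USER is set, so the image runs as root unless the pod spec
# overrides runAsUser; the setcap lines above are what make a non-root uid
# workable for the networking tools.
# dumb-init as PID 1 reaps zombies and forwards signals to whatever command the
# deployment passes at run time.
ENTRYPOINT ["/usr/bin/dumb-init", "--"]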