For Security

charts/kube-ovn/templates/ovncni-ds.yaml

@@ -35,7 +35,7 @@ spec:
         command:
           - sh
           - -xec
-          - iptables -V
+          - sysctl -w net.ipv4.conf.all.arp_filter=0; sysctl -w net.ipv4.conf.default.arp_filter=0; iptables -V
         securityContext:
           allowPrivilegeEscalation: true
           capabilities:

dist/images/Dockerfile

@@ -1,7 +1,7 @@
 # syntax = docker/dockerfile:experimental
 ARG VERSION
 ARG BASE_TAG=$VERSION
-FROM kubeovn/kube-ovn-base:$BASE_TAG AS setcap
+FROM yichanglu/kube-ovn-base:$BASE_TAG AS setcap
 
 COPY *.sh /kube-ovn/
 COPY kubectl-ko /kube-ovn/kubectl-ko
@@ -21,7 +21,7 @@ RUN ln -s /kube-ovn/kube-ovn-cmd /kube-ovn/kube-ovn-monitor && \
     setcap CAP_NET_RAW,CAP_NET_BIND_SERVICE+eip /kube-ovn/kube-ovn-controller && \
     setcap CAP_NET_ADMIN,CAP_NET_RAW,CAP_NET_BIND_SERVICE,CAP_SYS_ADMIN+eip /kube-ovn/kube-ovn-daemon
 
-FROM kubeovn/kube-ovn-base:$BASE_TAG
+FROM yichanglu/kube-ovn-base:$BASE_TAG
 
 COPY --chmod=0644 logrotate/* /etc/logrotate.d/
 COPY grace_stop_ovn_controller /usr/share/ovn/scripts/grace_stop_ovn_controller

dist/images/Dockerfile.base

@@ -6,95 +6,14 @@ FROM ubuntu:24.04 AS ovs-builder
 ARG ARCH
 ARG LEGACY
 ARG DEBIAN_FRONTEND=noninteractive
-ARG SRC_DIR='/usr/src'
-
-ADD patches/4228eab1d722087ba795e310eadc9e25c4513ec1.patch $SRC_DIR
-ADD patches/54056ea65dc28aa1c4c721a2a34d7913f79f8376.patch $SRC_DIR
-ADD patches/6b4dcb311f171d81a5d40ea51a273fc356c123db.patch $SRC_DIR
-ADD patches/f627b7721ec282f2edaf798913b1559b939687f0.patch $SRC_DIR
-ADD patches/3f3e3a436ff5eb2eaafbeeae8ea9dc0c514fe8a3.patch $SRC_DIR
-ADD patches/a6cb8215a80635129e4fada4c0d25c25fb746bf7.patch $SRC_DIR
-ADD patches/d4d76ddb2e12cdd9e73bb5e008ebb9fd1b4d6ca6.patch $SRC_DIR
-ADD patches/ffd2328d4a55271569e2b89e54a2c18f4e186af8.patch $SRC_DIR
-ADD patches/d088c5d8c263552c5a31d87813991aee30ab74de.patch $SRC_DIR
-ADD patches/1b31f07dc60c016153fa35d936cdda0e02e58492.patch $SRC_DIR
-ADD patches/54b767822916606dbb78335a3197983f435b5b8a.patch $SRC_DIR
-ADD patches/e490f5ac0b644101913c2a3db8e03d85e859deff.patch $SRC_DIR
-ADD patches/b973ec477b43df1c3ef3cdb69f8646948fcf94ae.patch $SRC_DIR
-ADD patches/5593e614e51a5dce28941e5bf760f9ee5397cede.patch $SRC_DIR
-ADD patches/f9e97031b56ab5747b5d73629198331a6daacdfd.patch $SRC_DIR
-ADD patches/53d961492036f1d41d9d1b04bab628375a9c6eb5.patch $SRC_DIR
-ADD patches/44229317de74d1e97f7499b371a86c015be6b7a6.patch $SRC_DIR
-ADD patches/786756870f12ac69a5d7bc498693574c6591c5e9.patch $SRC_DIR
-ADD patches/505dc82f54d4ce54e0378fd3bac1052ee644ac59.patch $SRC_DIR
-ADD patches/f4b1f5fbf0f5aff68299efaa2d0577c90cb2568e.patch $SRC_DIR
-ADD patches/b3af07690e7b2328c02318b1bd812c5665c0632b.patch $SRC_DIR
-ADD patches/49834fdd3fa3b066650bc8b7a8b05a773d217d95.patch $SRC_DIR
-ADD patches/03e35ed9c5b4de0fa8acbc2c057cdd5957a8d605.patch $SRC_DIR
-ADD patches/b5e2975eb65f37315545300254fc0f58a9df52b1.patch $SRC_DIR
-ADD patches/e7d3ba53cdcbc524bb29c54ddb07b83cc4258ed7.patch $SRC_DIR
-ADD patches/a9e009136a42cf6d985f97e2bf1ec41df6b5ca29.patch $SRC_DIR
+ENV SRC_DIR='/usr/src'
 
 RUN apt update && apt install -y git curl
 
 RUN cd /usr/src/ && \
-    git clone -b branch-3.3 --depth=1 https://github.com/openvswitch/ovs.git && \
-    cd ovs && \
-    # fix memory leak by ofport_usage and trim memory periodically
-    git apply $SRC_DIR/4228eab1d722087ba795e310eadc9e25c4513ec1.patch && \
-    # increase election timer
-    git apply $SRC_DIR/54056ea65dc28aa1c4c721a2a34d7913f79f8376.patch && \
-    # add fdb update logging
-    git apply $SRC_DIR/6b4dcb311f171d81a5d40ea51a273fc356c123db.patch && \
-    # fdb: fix mac learning in environments with hairpin enabled
-    git apply $SRC_DIR/f627b7721ec282f2edaf798913b1559b939687f0.patch && \
-    # ovsdb-tool: add optional server id parameter for "join-cluster" command
-    git apply $SRC_DIR/3f3e3a436ff5eb2eaafbeeae8ea9dc0c514fe8a3.patch && \
-    # fix memory leak in qos
-    git apply $SRC_DIR/a6cb8215a80635129e4fada4c0d25c25fb746bf7.patch && \
-    # ovsdb-tool: add command fix-cluster
-    git apply $SRC_DIR/d4d76ddb2e12cdd9e73bb5e008ebb9fd1b4d6ca6.patch && \
-    # netdev: reduce cpu utilization for getting device addresses
-    git apply $SRC_DIR/ffd2328d4a55271569e2b89e54a2c18f4e186af8.patch && \
-    # ovs-router: skip getting source address for kube-ipvs0
-    git apply $SRC_DIR/d088c5d8c263552c5a31d87813991aee30ab74de.patch && \
-    # increase the default probe interval for large cluster
-    git apply $SRC_DIR/1b31f07dc60c016153fa35d936cdda0e02e58492.patch && \
-    # update ovs-sandbox for docker run
-    git apply $SRC_DIR/54b767822916606dbb78335a3197983f435b5b8a.patch
-
-RUN cd /usr/src/ && git clone -b branch-24.03 --depth=1 https://github.com/ovn-org/ovn.git && \
-    cd ovn && \
-    # change hash type from dp_hash to hash with field src_ip
-    git apply $SRC_DIR/e490f5ac0b644101913c2a3db8e03d85e859deff.patch && \
-    # modify src route priority
-    git apply $SRC_DIR/b973ec477b43df1c3ef3cdb69f8646948fcf94ae.patch && \
-    # fix reaching resubmit limit in underlay
-    git apply $SRC_DIR/5593e614e51a5dce28941e5bf760f9ee5397cede.patch && \
-    # ovn-controller: do not send GARP on localnet for Kube-OVN ports
-    git apply $SRC_DIR/f9e97031b56ab5747b5d73629198331a6daacdfd.patch && \
-    # northd: add nb option version_compatibility
-    git apply $SRC_DIR/53d961492036f1d41d9d1b04bab628375a9c6eb5.patch && \
-    # add support for conditionally skipping conntrack
-    git apply $SRC_DIR/44229317de74d1e97f7499b371a86c015be6b7a6.patch && \
-    # northd: skip conntrack when access node local dns ip
-    git apply $SRC_DIR/786756870f12ac69a5d7bc498693574c6591c5e9.patch && \
-    # lflow: do not send direct traffic between lports to conntrack
-    git apply $SRC_DIR/505dc82f54d4ce54e0378fd3bac1052ee644ac59.patch && \
-    # direct output to lsp for dnat packets in logical switch ingress pipelines
-    git apply $SRC_DIR/f4b1f5fbf0f5aff68299efaa2d0577c90cb2568e.patch && \
-    # fix lr-lb dnat with multiple distributed gateway ports
-    git apply $SRC_DIR/b3af07690e7b2328c02318b1bd812c5665c0632b.patch && \
-    # northd: skip arp/nd request for lrp addresses from localnet ports
-    git apply $SRC_DIR/49834fdd3fa3b066650bc8b7a8b05a773d217d95.patch && \
-    # ovn-controller: make activation strategy work for single chassis
-    git apply $SRC_DIR/03e35ed9c5b4de0fa8acbc2c057cdd5957a8d605.patch && \
-    # support dedicated BFD LRP
-    git apply $SRC_DIR/b5e2975eb65f37315545300254fc0f58a9df52b1.patch && \
-    # skip node local dns ip conntrack when set acl
-    git apply $SRC_DIR/e7d3ba53cdcbc524bb29c54ddb07b83cc4258ed7.patch && \
-    # select local backend first
-    git apply $SRC_DIR/a9e009136a42cf6d985f97e2bf1ec41df6b5ca29.patch
+    git clone -b clyi-3.3 --depth=1 https://github.com/changluyi/ovs.git
+
+RUN cd /usr/src/ && git clone -b clyi-24.03 --depth=1 https://github.com/kubeovn/ovn.git
 
 RUN apt install -y build-essential fakeroot \
     autoconf automake bzip2 debhelper-compat dh-exec dh-python dh-sequence-python3 dh-sequence-sphinxdoc \
@@ -103,10 +22,10 @@ RUN apt install -y build-essential fakeroot \
 
 RUN cd /usr/src/ovs && \
     ./boot.sh && \
-    ./configure && \
+    ./configure --disable-ssl && \
     rm -rf .git && \
-    CONFIGURE_OPTS='CFLAGS="-fPIC"' && \
-    if [ "$ARCH" = "amd64" ] && [ "$LEGACY" != "true" ]; then CONFIGURE_OPTS='CFLAGS="-O2 -g -msse4.2 -mpopcnt -fPIC"'; fi && \
+    CONFIGURE_OPTS='--disable-ssl CFLAGS="-fPIC"' && \
+    if [ "$ARCH" = "amd64" ] && [ "$LEGACY" != "true" ]; then CONFIGURE_OPTS='--disable-ssl CFLAGS="-O2 -g -msse4.2 -mpopcnt -fPIC"'; fi && \
     DATAPATH_CONFIGURE_OPTS='--prefix=/usr' EXTRA_CONFIGURE_OPTS=$CONFIGURE_OPTS make debian-deb
 
 RUN cd /usr/src/ovn && \

dist/images/install.sh

@@ -4681,7 +4681,7 @@ spec:
         command:
           - sh
           - -xec
-          - iptables -V
+          - sysctl -w net.ipv4.conf.all.arp_filter=0; sysctl -w net.ipv4.conf.default.arp_filter=0; iptables -V
         securityContext:
           allowPrivilegeEscalation: true
           capabilities: