forked from kubeovn/kube-ovn
-
Notifications
You must be signed in to change notification settings - Fork 1
Expand file tree
/
Copy pathDockerfile.base
More file actions
302 lines (265 loc) · 14.8 KB
/
Dockerfile.base
File metadata and controls
302 lines (265 loc) · 14.8 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
# syntax = docker/dockerfile:experimental
# renovate: datasource=golang-version depName=go
ARG GO_VERSION=1.26.0
FROM ubuntu:24.04 AS openssl-builder
ARG DEBIAN_FRONTEND=noninteractive
RUN --mount=type=cache,target=/var/cache/apt,sharing=locked \
--mount=type=cache,target=/var/lib/apt,sharing=locked \
sed -i 's/^Types: deb$/Types: deb deb-src/g' /etc/apt/sources.list.d/ubuntu.sources && \
apt update && \
apt install -y apt-src && \
apt-src update && \
apt-src install openssl
RUN cd openssl-* && \
sed -i '/^CONFARGS/a CONFARGS += enable-fips no-unit-test' debian/rules && \
echo >> debian/control && \
echo 'Package: libssl3t64-fips' >> debian/control && \
echo 'Section: libs' >> debian/control && \
echo 'Architecture: any' >> debian/control && \
echo 'Multi-Arch: same' >> debian/control && \
echo 'Depends: libssl3t64 (= ${binary:Version}), ${misc:Depends}' >> debian/control && \
echo 'Description: OpenSSL fips module' >> debian/control && \
echo 'usr/lib/ssl/fipsmodule.cnf' >> debian/libssl3t64-fips.install && \
echo 'usr/lib/*/ossl-modules/fips.so' >> debian/libssl3t64-fips.install && \
DEB_BUILD_OPTIONS='parallel=8 nocheck' fakeroot debian/rules binary
RUN mkdir /packages/ && \
cp *fips*.deb /packages
FROM ubuntu:24.04 AS ovs-builder
ARG ARCH
ARG LEGACY
ARG DEBIAN_FRONTEND=noninteractive
ARG SRC_DIR='/usr/src'
ADD patches/4228eab1d722087ba795e310eadc9e25c4513ec1.patch $SRC_DIR
ADD patches/5e52d4373a819ea739ace68219b771445e2813bd.patch $SRC_DIR
ADD patches/54056ea65dc28aa1c4c721a2a34d7913f79f8376.patch $SRC_DIR
ADD patches/6b4dcb311f171d81a5d40ea51a273fc356c123db.patch $SRC_DIR
ADD patches/f627b7721ec282f2edaf798913b1559b939687f0.patch $SRC_DIR
ADD patches/3f3e3a436ff5eb2eaafbeeae8ea9dc0c514fe8a3.patch $SRC_DIR
ADD patches/a6cb8215a80635129e4fada4c0d25c25fb746bf7.patch $SRC_DIR
ADD patches/d4d76ddb2e12cdd9e73bb5e008ebb9fd1b4d6ca6.patch $SRC_DIR
ADD patches/53b9837f7fe89cd63af735b039b8c26107d6579d.patch $SRC_DIR
ADD patches/ffd2328d4a55271569e2b89e54a2c18f4e186af8.patch $SRC_DIR
ADD patches/d088c5d8c263552c5a31d87813991aee30ab74de.patch $SRC_DIR
ADD patches/1b31f07dc60c016153fa35d936cdda0e02e58492.patch $SRC_DIR
ADD patches/54b767822916606dbb78335a3197983f435b5b8a.patch $SRC_DIR
ADD patches/e490f5ac0b644101913c2a3db8e03d85e859deff.patch $SRC_DIR
ADD patches/b973ec477b43df1c3ef3cdb69f8646948fcf94ae.patch $SRC_DIR
ADD patches/5593e614e51a5dce28941e5bf760f9ee5397cede.patch $SRC_DIR
ADD patches/f9e97031b56ab5747b5d73629198331a6daacdfd.patch $SRC_DIR
ADD patches/53d961492036f1d41d9d1b04bab628375a9c6eb5.patch $SRC_DIR
ADD patches/44229317de74d1e97f7499b371a86c015be6b7a6.patch $SRC_DIR
ADD patches/786756870f12ac69a5d7bc498693574c6591c5e9.patch $SRC_DIR
ADD patches/505dc82f54d4ce54e0378fd3bac1052ee644ac59.patch $SRC_DIR
ADD patches/f4b1f5fbf0f5aff68299efaa2d0577c90cb2568e.patch $SRC_DIR
ADD patches/b3af07690e7b2328c02318b1bd812c5665c0632b.patch $SRC_DIR
ADD patches/4a8e051f2fde25ea558e0c4ccb9f5d2f1ea3c018.patch $SRC_DIR
ADD patches/03e35ed9c5b4de0fa8acbc2c057cdd5957a8d605.patch $SRC_DIR
ADD patches/b5e2975eb65f37315545300254fc0f58a9df52b1.patch $SRC_DIR
ADD patches/e7d3ba53cdcbc524bb29c54ddb07b83cc4258ed7.patch $SRC_DIR
ADD patches/a9e009136a42cf6d985f97e2bf1ec41df6b5ca29.patch $SRC_DIR
ADD patches/fb0108d8fc29c1bd29666f1eb2a27bf34628fa11.patch $SRC_DIR
RUN --mount=type=cache,target=/var/cache/apt,sharing=locked \
--mount=type=cache,target=/var/lib/apt,sharing=locked \
apt update && apt install -y git curl
RUN cd /usr/src/ && \
git clone -b branch-3.3 --depth=1 https://github.com/openvswitch/ovs.git && \
cd ovs && \
# fix memory leak by ofport_usage and trim memory periodically
git apply $SRC_DIR/4228eab1d722087ba795e310eadc9e25c4513ec1.patch && \
# increase election timer
git apply $SRC_DIR/54056ea65dc28aa1c4c721a2a34d7913f79f8376.patch && \
# add fdb update logging
git apply $SRC_DIR/6b4dcb311f171d81a5d40ea51a273fc356c123db.patch && \
# fdb: fix mac learning in environments with hairpin enabled
git apply $SRC_DIR/f627b7721ec282f2edaf798913b1559b939687f0.patch && \
# ovsdb-tool: add optional server id parameter for "join-cluster" command
git apply $SRC_DIR/3f3e3a436ff5eb2eaafbeeae8ea9dc0c514fe8a3.patch && \
# fix memory leak in qos
git apply $SRC_DIR/a6cb8215a80635129e4fada4c0d25c25fb746bf7.patch && \
# ovsdb-tool: add command fix-cluster
git apply $SRC_DIR/d4d76ddb2e12cdd9e73bb5e008ebb9fd1b4d6ca6.patch && \
# ovsdb-tool: add commands db-raft-header/rejoin-cluster
git apply $SRC_DIR/53b9837f7fe89cd63af735b039b8c26107d6579d.patch && \
# netdev: reduce cpu utilization for getting device addresses
git apply $SRC_DIR/ffd2328d4a55271569e2b89e54a2c18f4e186af8.patch && \
# ovs-router: skip getting source address for kube-ipvs0
git apply $SRC_DIR/d088c5d8c263552c5a31d87813991aee30ab74de.patch && \
# increase the default probe interval for large cluster
git apply $SRC_DIR/1b31f07dc60c016153fa35d936cdda0e02e58492.patch && \
# update ovs-sandbox for docker run
git apply $SRC_DIR/54b767822916606dbb78335a3197983f435b5b8a.patch
RUN cd /usr/src/ && git clone -b branch-24.03 --depth=10 https://github.com/ovn-org/ovn.git && \
cd ovn && \
git checkout ef8f5c1ac63e8094eaf13507013e310991db45a2 && \
# change hash type from dp_hash to hash with field src_ip
git apply $SRC_DIR/e490f5ac0b644101913c2a3db8e03d85e859deff.patch && \
# modify route offset
git apply $SRC_DIR/5e52d4373a819ea739ace68219b771445e2813bd.patch && \
# modify src route priority
git apply $SRC_DIR/b973ec477b43df1c3ef3cdb69f8646948fcf94ae.patch && \
# fix reaching resubmit limit in underlay
git apply $SRC_DIR/5593e614e51a5dce28941e5bf760f9ee5397cede.patch && \
# ovn-controller: do not send GARP on localnet for Kube-OVN ports
git apply $SRC_DIR/f9e97031b56ab5747b5d73629198331a6daacdfd.patch && \
# northd: add nb option version_compatibility
git apply $SRC_DIR/53d961492036f1d41d9d1b04bab628375a9c6eb5.patch && \
# add support for conditionally skipping conntrack
git apply $SRC_DIR/44229317de74d1e97f7499b371a86c015be6b7a6.patch && \
# northd: skip conntrack when access node local dns ip
git apply $SRC_DIR/786756870f12ac69a5d7bc498693574c6591c5e9.patch && \
# lflow: do not send direct traffic between lports to conntrack
git apply $SRC_DIR/505dc82f54d4ce54e0378fd3bac1052ee644ac59.patch && \
# direct output to lsp for dnat packets in logical switch ingress pipelines
git apply $SRC_DIR/f4b1f5fbf0f5aff68299efaa2d0577c90cb2568e.patch && \
# fix lr-lb dnat with multiple distributed gateway ports
git apply $SRC_DIR/b3af07690e7b2328c02318b1bd812c5665c0632b.patch && \
# northd: skip arp/nd request for lrp addresses from localnet ports
git apply $SRC_DIR/4a8e051f2fde25ea558e0c4ccb9f5d2f1ea3c018.patch && \
# ovn-controller: make activation strategy work for single chassis
git apply $SRC_DIR/03e35ed9c5b4de0fa8acbc2c057cdd5957a8d605.patch && \
# support dedicated BFD LRP
git apply $SRC_DIR/b5e2975eb65f37315545300254fc0f58a9df52b1.patch && \
# skip node local dns ip conntrack when set acl
git apply $SRC_DIR/e7d3ba53cdcbc524bb29c54ddb07b83cc4258ed7.patch && \
# loadbalancer select local backend first
git apply $SRC_DIR/a9e009136a42cf6d985f97e2bf1ec41df6b5ca29.patch && \
# set dl_src for packets redirected by router port
git apply $SRC_DIR/fb0108d8fc29c1bd29666f1eb2a27bf34628fa11.patch
RUN --mount=type=cache,target=/var/cache/apt,sharing=locked \
--mount=type=cache,target=/var/lib/apt,sharing=locked \
apt update && \
apt install -y wget build-essential fakeroot && \
apt install -y autoconf automake bzip2 debhelper-compat dh-exec dh-python dh-sequence-python3 dh-sequence-sphinxdoc \
graphviz iproute2 libcap-ng-dev libdbus-1-dev libnuma-dev libpcap-dev libssl-dev libtool libunbound-dev \
pkg-config procps python3-all-dev python3-setuptools python3-sortedcontainers python3-sphinx
RUN cd /usr/src/ovs && \
./boot.sh && \
./configure && \
rm -rf .git && \
CONFIGURE_OPTS='CFLAGS="-fPIC"' && \
if [ "$ARCH" = "amd64" ] && [ "$LEGACY" != "true" ]; then CONFIGURE_OPTS='CFLAGS="-O2 -g -msse4.2 -mpopcnt -fPIC"'; fi && \
DATAPATH_CONFIGURE_OPTS='--prefix=/usr' EXTRA_CONFIGURE_OPTS=$CONFIGURE_OPTS make debian-deb
RUN cd /usr/src/ovn && \
sed -i 's/OVN/ovn/g' debian/changelog && \
rm -rf .git && \
./boot.sh && \
CONFIGURE_OPTS='--with-ovs-build=/usr/src/ovs/_debian CFLAGS="-fPIC"' && \
if [ "$ARCH" = "amd64" ] && [ "$LEGACY" != "true" ]; then CONFIGURE_OPTS="--with-ovs-build=/usr/src/ovs/_debian CFLAGS='-O2 -g -msse4.2 -mpopcnt -fPIC'"; fi && \
OVSDIR=/usr/src/ovs EXTRA_CONFIGURE_OPTS=$CONFIGURE_OPTS DEB_BUILD_OPTIONS='parallel=8 nocheck' fakeroot debian/rules binary
RUN mkdir -p /usr/src/openbfdd && \
curl -sSf -L --retry 5 https://github.com/dyninc/OpenBFDD/archive/e35f43ad8d2b3f084e96a84c392528a90d05a287.tar.gz | \
tar -xz -C /usr/src/openbfdd --strip-components=1
ADD OpenBFDD-compile.patch /usr/src/
ADD OpenBFDD-allow-ttl-254.patch /usr/src/
RUN cd /usr/src/openbfdd && \
rm -vf missing && \
git apply --no-apply /usr/src/OpenBFDD-compile.patch && \
git apply --no-apply /usr/src/OpenBFDD-allow-ttl-254.patch && \
autoupdate && \
./autogen.sh && \
./configure --enable-silent-rules && \
make -j8
RUN mkdir /packages/ && \
mv /usr/src/openbfdd/bfdd-beacon /usr/src/openbfdd/bfdd-control /packages/ && \
cp /usr/src/openvswitch-*deb /packages && \
cp /usr/src/python3-openvswitch*deb /packages && \
cp /usr/src/ovn-*deb /packages && \
cp /usr/src/ovs/tutorial/ovs-sandbox /packages && \
cd /packages && rm -f *source* *doc* *datapath* *docker* *vtep* *test* *dev*
FROM ghcr.io/aquasecurity/trivy:latest AS trivy
ARG ARCH
# renovate: datasource=github-releases depName=cni-plugin packageName=containernetworking/plugins versioning=semver
ARG CNI_PLUGINS_VERSION=v1.9.0
# renovate: datasource=github-releases depName=kubectl packageName=kubernetes/kubernetes versioning=semver
ARG KUBECTL_VERSION=v1.32.13
# renovate: datasource=github-releases depName=gobgp packageName=osrg/gobgp versioning=semver
ARG GOBGP_VERSION=3.37.0
ARG TRIVY_DB_REPOSITORY="public.ecr.aws/aquasecurity/trivy-db:2"
RUN apk --no-cache add curl jq
ADD go-deps/download-go-deps.sh /
RUN sh -x /download-go-deps.sh
FROM golang:$GO_VERSION-alpine AS go-deps
RUN apk --no-cache add bash curl jq
ADD go-deps/rebuild-go-deps.sh /
RUN --mount=type=bind,target=/trivy,from=trivy,source=/godeps \
bash -x /rebuild-go-deps.sh
FROM ubuntu:24.04 AS ubuntu
RUN rm -rf /etc/localtime
RUN rm -f /usr/lib/apt/methods/mirror
RUN usermod -s /usr/sbin/nologin sync
RUN usermod -s /usr/sbin/nologin ubuntu
RUN apt remove -y --allow-remove-essential --auto-remove login
FROM scratch
LABEL "org.opencontainers.image.ref.name"="ubuntu"
LABEL "org.opencontainers.image.version"="24.04"
ENV PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
CMD ["/bin/bash"]
COPY --from=ubuntu / /
ARG ARCH
ARG DEBIAN_FRONTEND=noninteractive
RUN --mount=type=cache,target=/var/cache/apt,sharing=locked \
--mount=type=cache,target=/var/lib/apt,sharing=locked \
apt update && apt upgrade -y && \
apt install ca-certificates hostname netbase ethtool iproute2 ncat libunbound8 procps \
kmod iptables python3-netifaces python3-sortedcontainers tcpdump ipvsadm ipset curl \
uuid-runtime openssl inetutils-ping arping ndisc6 conntrack traceroute iputils-tracepath \
logrotate dnsutils net-tools strongswan strongswan-pki libcharon-extra-plugins \
libcharon-extauth-plugins libstrongswan-extra-plugins libstrongswan-standard-plugins \
-y --no-install-recommends --auto-remove && \
apt remove -y --allow-remove-essential --auto-remove login && \
setcap CAP_NET_ADMIN+eip $(readlink -f $(which conntrack)) && \
setcap CAP_NET_ADMIN+eip $(readlink -f $(which ethtool)) && \
setcap CAP_NET_ADMIN+eip $(readlink -f $(which ip)) && \
setcap CAP_NET_ADMIN+eip $(readlink -f $(which ipset)) && \
setcap CAP_NET_ADMIN+eip $(readlink -f $(which traceroute)) && \
setcap CAP_NET_ADMIN,CAP_NET_RAW+eip $(readlink -f $(which xtables-legacy-multi)) && \
setcap CAP_NET_ADMIN,CAP_NET_RAW+eip $(readlink -f $(which xtables-nft-multi)) && \
setcap CAP_NET_RAW+eip $(readlink -f $(which arping)) && \
setcap CAP_NET_RAW+eip $(readlink -f $(which ndisc6)) && \
setcap CAP_NET_RAW+eip $(readlink -f $(which tcpdump)) && \
setcap CAP_SYS_ADMIN+eip $(readlink -f $(which nsenter)) && \
setcap CAP_SYS_ADMIN+eip $(readlink -f $(which sysctl)) && \
setcap CAP_SYS_MODULE+eip $(readlink -f $(which modprobe)) && \
setcap CAP_SYS_NICE+eip $(readlink -f $(which nice)) && \
rm -rf /var/lib/apt/lists/* && \
rm -rf /etc/localtime && \
rm -f /usr/bin/nc && \
rm -f /usr/bin/netcat && \
rm -f /usr/lib/apt/methods/mirror
RUN mkdir -p /var/run/openvswitch && \
mkdir -p /var/run/ovn && \
mkdir -p /etc/cni/net.d && \
mkdir -p /opt/cni/bin
ARG DUMB_INIT_VERSION="1.2.5"
RUN curl -sSf -L --retry 5 -o /usr/bin/dumb-init https://github.com/Yelp/dumb-init/releases/download/v${DUMB_INIT_VERSION}/dumb-init_${DUMB_INIT_VERSION}_$(arch) && \
chmod +x /usr/bin/dumb-init
RUN --mount=type=bind,target=/godeps,from=go-deps,source=/godeps \
cp /godeps/loopback /godeps/portmap /godeps/macvlan ./ && \
cp /godeps/kubectl /godeps/gobgp /usr/bin/
ARG DEBUG=false
RUN --mount=type=bind,target=/packages,from=ovs-builder,source=/packages \
cp /packages/bfdd-beacon /packages/bfdd-control /usr/bin/ && \
cp /packages/ovs-sandbox /usr/bin/ && chmod +x /usr/bin/ovs-sandbox && \
setcap CAP_NET_BIND_SERVICE+eip /usr/bin/bfdd-beacon && \
dpkg -i /packages/openvswitch-*.deb /packages/python3-openvswitch*.deb /packages/ovn-*.deb && \
rm -rf /var/lib/openvswitch/pki/ && \
chown -R nobody: /var/lib/logrotate && \
setcap CAP_NET_ADMIN+eip $(readlink -f $(which ovs-dpctl)) && \
if [ "${DEBUG}" != "true" ]; then \
setcap CAP_NET_BIND_SERVICE+eip $(readlink -f $(which ovsdb-server)) && \
setcap CAP_NET_ADMIN,CAP_NET_BIND_SERVICE,CAP_SYS_ADMIN+eip $(readlink -f $(which ovs-vswitchd)) && \
dpkg --purge gpgv apt; \
else \
apt update && apt install -y --no-install-recommends gdb valgrind && \
rm -rf /var/lib/apt/lists/* && \
dpkg -i /packages/*.ddeb; \
fi
RUN --mount=type=bind,target=/packages,from=openssl-builder,source=/packages \
dpkg -i /packages/*.deb && \
openssl fipsinstall -out /usr/lib/ssl/fipsmodule.cnf -module $(find / -name fips.so) && \
sed -i --follow-symlinks \
-e '/^\[provider_sect\]/a fips = fips_sect' \
-e '/^\[default_sect\]/a activate = 1' \
-e '$a \\n.include /usr/lib/ssl/fipsmodule.cnf' \
/usr/lib/ssl/openssl.cnf
ENTRYPOINT ["/usr/bin/dumb-init", "--"]