From 850380ac8bcca7ac370a771fbafd003316d18e8e Mon Sep 17 00:00:00 2001 From: Sheyla Trudo Date: Fri, 9 May 2025 17:59:16 -0700 Subject: [PATCH 001/154] Add Explicit Binary Signing Task --- .pipelines/build/binaries.jobs.yaml | 26 ++++++++++++++++++++++++++ 1 file changed, 26 insertions(+) diff --git a/.pipelines/build/binaries.jobs.yaml b/.pipelines/build/binaries.jobs.yaml index 78baa7b981..10623f0eeb 100644 --- a/.pipelines/build/binaries.jobs.yaml +++ b/.pipelines/build/binaries.jobs.yaml @@ -43,3 +43,29 @@ jobs: target: $(name) os: $(OS) arch: $(ARCH) + + + - ${{ elseif and(eq(job_data.templateContext.action, 'sign'), eq(parameters.official, 'true')) }}: + - job: sign_${{ job_data.job }} + displayName: "Sign Binary - ${{ job_data.displayName }} -" + strategy: ${{ job_data.strategy }} + dependsOn: + - binaries_${{ job_data.job }} + pool: + type: linux + variables: + ob_outputDirectory: $(Build.SourcesDirectory) + ob_artifactSuffix: _$(artifact) + ob_git_checkout: false + steps: + - task: DownloadPipelineArtifact@2 + inputs: + targetPath: $(Build.SourcesDirectory)/${{ job_data.templateContext.repositoryArtifact }} + artifact: '${{ job_data.templateContext.repositoryArtifact }}' + + - task: onebranch.pipeline.signing@1 + inputs: + command: 'sign' + signing_profile: 'external_distribution' + files_to_sign: '**/*' + search_root: $(Build.SourcesDirectory)/${{ job_data.templateContext.repositoryArtifact }} From 1e5ce3815e0788fcab969e403101e74a1270a9f3 Mon Sep 17 00:00:00 2001 From: Sheyla Trudo Date: Fri, 9 May 2025 19:11:47 -0700 Subject: [PATCH 002/154] fixup! Add Explicit Binary Signing Task --- .pipelines/build/binaries.jobs.yaml | 7 ++-- .pipelines/run-pipeline.yaml | 52 +++++++++++++++++++++++++++++ 2 files changed, 56 insertions(+), 3 deletions(-) diff --git a/.pipelines/build/binaries.jobs.yaml b/.pipelines/build/binaries.jobs.yaml index 10623f0eeb..bb4d495e7a 100644 --- a/.pipelines/build/binaries.jobs.yaml +++ b/.pipelines/build/binaries.jobs.yaml 
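Review bot: `files_to_sign: '**/*'` hands every file under `search_root` to the `external_distribution` profile, so anything that happens to be in the downloaded artifact (scripts, configs, archives) is signed along with the binaries. A signature tells consumers the file is an intended release output, so the pattern should name the expected binaries, for example a new per-matrix variable set next to `artifact` and used as `files_to_sign: '$(signPattern)'`. A later commit in this series moves `search_root` up to `$(Build.SourcesDirectory)`, which widens the set further. The `${{ each }}` loop and the `if` branch that this `elseif` continues start above the hunk.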
@@ -49,10 +49,11 @@ jobs: - job: sign_${{ job_data.job }} displayName: "Sign Binary - ${{ job_data.displayName }} -" strategy: ${{ job_data.strategy }} - dependsOn: - - binaries_${{ job_data.job }} pool: - type: linux + ${{ if eq(job_data.job, 'windows_amd64') }}: + type: windows + ${{ else }}: + type: linux variables: ob_outputDirectory: $(Build.SourcesDirectory) ob_artifactSuffix: _$(artifact) diff --git a/.pipelines/run-pipeline.yaml b/.pipelines/run-pipeline.yaml index eac5f2a62c..c3b143bdd1 100644 --- a/.pipelines/run-pipeline.yaml +++ b/.pipelines/run-pipeline.yaml @@ -331,6 +331,58 @@ stages: NPM_LINUX_ARM64_REF: $(IMAGE_REPO_PATH)/linux-arm64/npm:$(Build.BuildNumber) NPM_WINDOWS_AMD64_REF: $(IMAGE_REPO_PATH)/windows-amd64/npm:$(Build.BuildNumber) jobs: + - template: build/binaries.jobs.yaml + parameters: + binaries: + - job: linux_amd64 + displayName: "Linux/AMD64" + templateContext: + action: sign + repositoryArtifact: drop_build_binaries_linux_amd64_$(artifact) + strategy: + matrix: + azure_ipam: + artifact: azure-ipam + cni: + artifact: cni + cns: + artifact: cns + ipv6_hp_bpf: + artifact: ipv6-hp-bpf + npm: + artifact: npm + - job: windows_amd64 + displayName: "Windows/AMD64" + templateContext: + action: sign + repositoryArtifact: drop_build_binaries_windows_amd64_$(artifact) + strategy: + matrix: + cni: + artifact: cni + cns: + artifact: cns + npm: + artifact: npm + - job: linux_arm64 + displayName: "Linux/ARM64" + templateContext: + action: sign + repositoryArtifact: drop_build_binaries_linux_arm64_$(artifact) + strategy: + matrix: + azure_ipam: + artifact: azure-ipam + cni: + artifact: cni + cns: + artifact: cns + ipv6_hp_bpf: + artifact: ipv6-hp-bpf + npm: + artifact: npm + + - template: build/manifests.jobs.yaml parameters: generate: From 0bfb59dc1245511cd118821350cb4249823ac522 Mon Sep 17 00:00:00 2001 
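Review bot: The three signing matrices added under `binaries:` list the artifact names by hand, and nothing in this hunk ties them to the matrices of the jobs that build those artifacts. If an artifact is later added on the build side only, it would be published without a sign job and no step would fail. Add a comment above the new `- template: build/binaries.jobs.yaml` entry, such as `# every artifact in the build matrices must also appear here, or it ships unsigned`, or derive both lists from one definition. The enclosing stage starts above the hunk.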
From: Sheyla Trudo Date: Mon, 12 May 2025 14:42:22 -0700 Subject: [PATCH 003/154] fixup! Add Explicit Binary Signing Task --- .pipelines/build/ob-prepare.steps.yaml | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/.pipelines/build/ob-prepare.steps.yaml b/.pipelines/build/ob-prepare.steps.yaml index 4726bd7c08..f1a6aab049 100644 --- a/.pipelines/build/ob-prepare.steps.yaml +++ b/.pipelines/build/ob-prepare.steps.yaml @@ -51,7 +51,7 @@ steps: echo "##vso[task.setvariable variable=Tag;isOutput=true]$TAG" echo "Tag: $TAG" - IMAGEREPOPATH="artifact/dd590928-4e04-48cb-9d3d-ee06c5f0e17f/buddy" + IMAGEREPOPATH="artifact/dd590928-4e04-48cb-9d3d-ee06c5f0e17f/$BUILD_TYPE" echo "##vso[task.setvariable variable=imageRepositoryPath;isOutput=true]$IMAGEREPOPATH" echo "imageRepositoryPath: $IMAGEREPOPATH" @@ -90,3 +90,8 @@ steps: displayName: "Set environmental variables" condition: always() workingDirectory: $(ACN_DIR) + env: + ${{ if parameters.official }}: + BUILD_TYPE: official + ${{ else }}: + BUILD_TYPE: buddy From 8e938dc55a81c90428f1fc9d0a1e91e65e122b98 Mon Sep 17 00:00:00 2001 From: Sheyla Trudo Date: Mon, 12 May 2025 16:42:59 -0700 Subject: [PATCH 004/154] fixup! Add Explicit Binary Signing Task --- .pipelines/build/binaries.jobs.yaml | 2 +- .pipelines/run-pipeline.yaml | 4 ++++ 2 files changed, 5 insertions(+), 1 deletion(-) diff --git a/.pipelines/build/binaries.jobs.yaml b/.pipelines/build/binaries.jobs.yaml index bb4d495e7a..e4ab94e3ca 100644 --- a/.pipelines/build/binaries.jobs.yaml +++ b/.pipelines/build/binaries.jobs.yaml @@ -45,7 +45,7 @@ jobs: arch: $(ARCH) - - ${{ elseif and(eq(job_data.templateContext.action, 'sign'), eq(parameters.official, 'true')) }}: + - ${{ elseif and(eq(job_data.templateContext.action, 'sign'), eq(parameters.isOfficial, 'true')) }}: - job: sign_${{ job_data.job }} displayName: "Sign Binary - ${{ job_data.displayName }} -" strategy: ${{ job_data.strategy }} 
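Review bot: `IMAGEREPOPATH` now depends on `$BUILD_TYPE`, and the script does not check that the variable is set; with an empty value the path ends in `.../` and the step still succeeds. Because this path decides whether images land in the buddy or the official repository, the script should fail when the value is missing: `IMAGEREPOPATH="artifact/dd590928-4e04-48cb-9d3d-ee06c5f0e17f/${BUILD_TYPE:?BUILD_TYPE is not set}"`. The script block starts above the hunk.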
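Review bot: `${{ if parameters.official }}` is a truthiness test, and in template expressions any non-empty string converts to true, including `'false'`. The first commit of this series compared the same parameter with `eq(parameters.official, 'true')`, which suggests it may be passed as a string; if so, every run gets `BUILD_TYPE: official`. Declare the parameter with `type: boolean`, or keep the explicit form `${{ if eq(parameters.official, 'true') }}:`. The same test appears in the later hunks that use `${{ if parameters.isOfficial }}` in run-pipeline.yaml and `and(..., parameters.isOfficial)` in binaries.jobs.yaml. The parameter declaration is outside the hunk.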
diff --git a/.pipelines/run-pipeline.yaml b/.pipelines/run-pipeline.yaml index c3b143bdd1..4ca0113305 100644 --- a/.pipelines/run-pipeline.yaml +++ b/.pipelines/run-pipeline.yaml @@ -13,6 +13,10 @@ stages: ob_artifactSuffix: _source ACR_DIR: $(Build.SourcesDirectory)/azure-container-networking + ${{ if parameters.isOfficial }}: + BUILD_TYPE: official + ${{ else }}: + BUILD_TYPE: buddy steps: - checkout: azure-container-networking - template: build/ob-prepare.steps.yaml From bb7195470bb09f3071ad84bf1e65e15880558a97 Mon Sep 17 00:00:00 2001 From: Sheyla Trudo Date: Mon, 12 May 2025 18:33:50 -0700 Subject: [PATCH 005/154] fixup! Add Explicit Binary Signing Task --- .pipelines/build/ob-prepare.steps.yaml | 5 ----- .pipelines/run-pipeline.yaml | 1 + 2 files changed, 1 insertion(+), 5 deletions(-) diff --git a/.pipelines/build/ob-prepare.steps.yaml b/.pipelines/build/ob-prepare.steps.yaml index f1a6aab049..eb58389f6d 100644 --- a/.pipelines/build/ob-prepare.steps.yaml +++ b/.pipelines/build/ob-prepare.steps.yaml @@ -90,8 +90,3 @@ steps: displayName: "Set environmental variables" condition: always() workingDirectory: $(ACN_DIR) - env: - ${{ if parameters.official }}: - BUILD_TYPE: official - ${{ else }}: - BUILD_TYPE: buddy diff --git a/.pipelines/run-pipeline.yaml b/.pipelines/run-pipeline.yaml index 4ca0113305..964f437780 100644 --- a/.pipelines/run-pipeline.yaml +++ b/.pipelines/run-pipeline.yaml @@ -337,6 +337,7 @@ stages: jobs: - template: build/binaries.jobs.yaml parameters: + isOfficial: ${{ parameters.isOfficial }} binaries: - job: linux_amd64 displayName: "Linux/AMD64" From 15631848caaec7ccbd4f7d5d727973d9e9b1ab18 Mon Sep 17 00:00:00 2001 From: Sheyla Trudo Date: Mon, 12 May 2025 18:41:47 -0700 Subject: [PATCH 006/154] fixup! Add Explicit Binary Signing Task --- .pipelines/build/binaries.jobs.yaml | 2 +- .pipelines/run-pipeline.yaml | 1 - 2 files changed, 1 insertion(+), 2 deletions(-) 
diff --git a/.pipelines/build/binaries.jobs.yaml b/.pipelines/build/binaries.jobs.yaml index e4ab94e3ca..bfd504e1d1 100644 --- a/.pipelines/build/binaries.jobs.yaml +++ b/.pipelines/build/binaries.jobs.yaml @@ -45,7 +45,7 @@ jobs: arch: $(ARCH) - - ${{ elseif and(eq(job_data.templateContext.action, 'sign'), eq(parameters.isOfficial, 'true')) }}: + - ${{ elseif and(eq(job_data.templateContext.action, 'sign'), parameters.isOfficial) }}: - job: sign_${{ job_data.job }} displayName: "Sign Binary - ${{ job_data.displayName }} -" strategy: ${{ job_data.strategy }} diff --git a/.pipelines/run-pipeline.yaml b/.pipelines/run-pipeline.yaml index 964f437780..4ca0113305 100644 --- a/.pipelines/run-pipeline.yaml +++ b/.pipelines/run-pipeline.yaml @@ -337,7 +337,6 @@ stages: jobs: - template: build/binaries.jobs.yaml parameters: - isOfficial: ${{ parameters.isOfficial }} binaries: - job: linux_amd64 displayName: "Linux/AMD64" From 8c7f0ccc3fe8c3c3bc767661fb8b223c88bdc992 Mon Sep 17 00:00:00 2001 From: Sheyla Trudo Date: Mon, 12 May 2025 18:50:15 -0700 Subject: [PATCH 007/154] fixup! Add Explicit Binary Signing Task --- .pipelines/build/binaries.jobs.yaml | 2 +- .pipelines/run-pipeline.yaml | 6 ++++++ 2 files changed, 7 insertions(+), 1 deletion(-) diff --git a/.pipelines/build/binaries.jobs.yaml b/.pipelines/build/binaries.jobs.yaml index bfd504e1d1..8bdaf2be0b 100644 --- a/.pipelines/build/binaries.jobs.yaml +++ b/.pipelines/build/binaries.jobs.yaml @@ -45,7 +45,7 @@ jobs: arch: $(ARCH) - - ${{ elseif and(eq(job_data.templateContext.action, 'sign'), parameters.isOfficial) }}: + - ${{ elseif and(eq(job_data.templateContext.action, 'sign'), job_data.templateContext.isOfficial) }}: - job: sign_${{ job_data.job }} displayName: "Sign Binary - ${{ job_data.displayName }} -" strategy: ${{ job_data.strategy }} diff --git a/.pipelines/run-pipeline.yaml b/.pipelines/run-pipeline.yaml index 4ca0113305..0b125f8ea5 100644 --- a/.pipelines/run-pipeline.yaml +++ b/.pipelines/run-pipeline.yaml 
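Review bot: The sign branch is now gated on `job_data.templateContext.isOfficial`, and a caller that omits that key passes an empty value, which evaluates to false, so the sign job is dropped without any error. For a release gate that default should at least be written down: add a comment above the `elseif`, such as `# sign jobs are emitted only when templateContext.isOfficial is true; a missing key means the binaries are not signed`. The `if` branch that this `elseif` continues is above the hunk.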
@@ -54,6 +54,7 @@ stages: displayName: "Linux/AMD64" templateContext: action: build + isOfficial: ${{ parameters.isOfficial }} repositoryArtifact: drop_setup_env_source strategy: maxParallel: 5 @@ -77,6 +78,7 @@ stages: displayName: "Windows/AMD64" templateContext: action: build + isOfficial: ${{ parameters.isOfficial }} repositoryArtifact: drop_setup_env_source strategy: maxParallel: 5 @@ -94,6 +96,7 @@ stages: displayName: "Linux/ARM64" templateContext: action: build + isOfficial: ${{ parameters.isOfficial }} repositoryArtifact: drop_setup_env_source strategy: maxParallel: 5 @@ -342,6 +345,7 @@ stages: displayName: "Linux/AMD64" templateContext: action: sign + isOfficial: ${{ parameters.isOfficial }} repositoryArtifact: drop_build_binaries_linux_amd64_$(artifact) strategy: matrix: @@ -359,6 +363,7 @@ stages: displayName: "Windows/AMD64" templateContext: action: sign + isOfficial: ${{ parameters.isOfficial }} repositoryArtifact: drop_build_binaries_windows_amd64_$(artifact) strategy: matrix: @@ -372,6 +377,7 @@ stages: displayName: "Linux/ARM64" templateContext: action: sign + isOfficial: ${{ parameters.isOfficial }} repositoryArtifact: drop_build_binaries_linux_arm64_$(artifact) strategy: matrix: From ce4ed329b8900d895648ad71f28c28ddafdab3e7 Mon Sep 17 00:00:00 2001 From: Sheyla Trudo Date: Mon, 12 May 2025 20:49:35 -0700 Subject: [PATCH 008/154] fixup! Add Explicit Binary Signing Task --- .pipelines/build/binaries.jobs.yaml | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/.pipelines/build/binaries.jobs.yaml b/.pipelines/build/binaries.jobs.yaml index 8bdaf2be0b..c4e64fe8c5 100644 --- a/.pipelines/build/binaries.jobs.yaml +++ b/.pipelines/build/binaries.jobs.yaml 
@@ -50,14 +50,16 @@ jobs: displayName: "Sign Binary - ${{ job_data.displayName }} -" strategy: ${{ job_data.strategy }} pool: + type: docker ${{ if eq(job_data.job, 'windows_amd64') }}: - type: windows + os: windows ${{ else }}: - type: linux + os: linux variables: ob_outputDirectory: $(Build.SourcesDirectory) ob_artifactSuffix: _$(artifact) ob_git_checkout: false + ob_extract_root_artifact: true steps: - task: DownloadPipelineArtifact@2 inputs: From 53305c1df09a4dde8a0b8298548e2b89c314dbfb Mon Sep 17 00:00:00 2001 From: Sheyla Trudo Date: Tue, 13 May 2025 11:02:39 -0700 Subject: [PATCH 009/154] fixup! Add Explicit Binary Signing Task --- .pipelines/build/binaries.jobs.yaml | 14 +++++++++----- 1 file changed, 9 insertions(+), 5 deletions(-) diff --git a/.pipelines/build/binaries.jobs.yaml b/.pipelines/build/binaries.jobs.yaml index c4e64fe8c5..aff8350dd0 100644 --- a/.pipelines/build/binaries.jobs.yaml +++ b/.pipelines/build/binaries.jobs.yaml @@ -50,22 +50,26 @@ jobs: displayName: "Sign Binary - ${{ job_data.displayName }} -" strategy: ${{ job_data.strategy }} pool: - type: docker ${{ if eq(job_data.job, 'windows_amd64') }}: - os: windows + type: windows ${{ else }}: - os: linux + type: linux variables: - ob_outputDirectory: $(Build.SourcesDirectory) + ob_outputDirectory: $(Build.SourcesDirectory)/${{ job_data.templateContext.repositoryArtifact }} ob_artifactSuffix: _$(artifact) ob_git_checkout: false - ob_extract_root_artifact: true steps: - task: DownloadPipelineArtifact@2 inputs: targetPath: $(Build.SourcesDirectory)/${{ job_data.templateContext.repositoryArtifact }} artifact: '${{ job_data.templateContext.repositoryArtifact }}' + - task: ExtractFiles@1 + inputs: + archiveFilePatterns: '**/*.tgz;**/*.tgz.gz;**/*.zip' + destinationFolder: $(Build.SourcesDirectory) + overwriteExistingFiles: true + - task: onebranch.pipeline.signing@1 inputs: command: 'sign' From 42180dd6dad26ef94317ed5f2367244733696496 Mon Sep 17 00:00:00 2001 
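Review bot: `ExtractFiles@1` unpacks into `destinationFolder: $(Build.SourcesDirectory)`, while the artifact is downloaded to, and `ob_outputDirectory` now points at, `$(Build.SourcesDirectory)/${{ job_data.templateContext.repositoryArtifact }}`. The signing task's `search_root` is outside this hunk; if it is still the artifact subfolder, the extracted binaries sit outside it and only the archives would be signed and published. Use the same folder for extraction, `destinationFolder: $(Build.SourcesDirectory)/${{ job_data.templateContext.repositoryArtifact }}`, so that `overwriteExistingFiles: true` cannot replace unrelated files in the sources directory.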
From: Sheyla Trudo Date: Tue, 13 May 2025 12:02:51 -0700 Subject: [PATCH 010/154] fixup! Add Explicit Binary Signing Task --- .pipelines/build/binaries.jobs.yaml | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/.pipelines/build/binaries.jobs.yaml b/.pipelines/build/binaries.jobs.yaml index aff8350dd0..67b5f3cb1f 100644 --- a/.pipelines/build/binaries.jobs.yaml +++ b/.pipelines/build/binaries.jobs.yaml @@ -55,19 +55,20 @@ jobs: ${{ else }}: type: linux variables: - ob_outputDirectory: $(Build.SourcesDirectory)/${{ job_data.templateContext.repositoryArtifact }} + ob_outputDirectory: $(Build.SourcesDirectory) ob_artifactSuffix: _$(artifact) ob_git_checkout: false steps: - task: DownloadPipelineArtifact@2 inputs: - targetPath: $(Build.SourcesDirectory)/${{ job_data.templateContext.repositoryArtifact }} + targetPath: $(Build.SourcesDirectory) artifact: '${{ job_data.templateContext.repositoryArtifact }}' - task: ExtractFiles@1 inputs: archiveFilePatterns: '**/*.tgz;**/*.tgz.gz;**/*.zip' destinationFolder: $(Build.SourcesDirectory) + cleanDestinationFolder: false overwriteExistingFiles: true - task: onebranch.pipeline.signing@1 @@ -75,4 +76,4 @@ jobs: command: 'sign' signing_profile: 'external_distribution' files_to_sign: '**/*' - search_root: $(Build.SourcesDirectory)/${{ job_data.templateContext.repositoryArtifact }} + search_root: $(Build.SourcesDirectory) From 69251e4827b799dfe83a4965812230046019f5c6 Mon Sep 17 00:00:00 2001 From: Sheyla Trudo Date: Tue, 13 May 2025 12:14:44 -0700 Subject: [PATCH 011/154] fixup! Add Explicit Binary Signing Task --- .pipelines/build/binaries.jobs.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.pipelines/build/binaries.jobs.yaml b/.pipelines/build/binaries.jobs.yaml index 67b5f3cb1f..1311f243d3 100644 --- a/.pipelines/build/binaries.jobs.yaml +++ b/.pipelines/build/binaries.jobs.yaml 
@@ -66,7 +66,7 @@ jobs: - task: ExtractFiles@1 inputs: - archiveFilePatterns: '**/*.tgz;**/*.tgz.gz;**/*.zip' + archiveFilePatterns: '**/*.?(tgz|tgz.gz|zip)' destinationFolder: $(Build.SourcesDirectory) cleanDestinationFolder: false overwriteExistingFiles: true From 48b7c0ff1824c386dd2568c02e54b62dffec4e87 Mon Sep 17 00:00:00 2001 From: Sheyla Trudo Date: Wed, 14 May 2025 01:07:05 -0700 Subject: [PATCH 012/154] Use Signed Binaries for Docker Build --- .../build/dockerfiles/azure-ipam.Dockerfile | 11 + .pipelines/build/dockerfiles/cni.Dockerfile | 16 + .pipelines/build/dockerfiles/cns.Dockerfile | 23 + .../build/dockerfiles/ipv6-hp-bpf.Dockerfile | 8 + .pipelines/build/dockerfiles/npm.Dockerfile | 20 + .pipelines/build/images.jobs.yaml | 114 ++++ .pipelines/build/scripts/azure-ipam.sh | 18 + .pipelines/build/scripts/cns.sh | 12 + .pipelines/build/scripts/ipv6-hp-bpf.sh | 58 +++ .pipelines/build/scripts/npm.sh | 13 + .pipelines/run-pipeline.yaml | 486 ++++++++---------- 11 files changed, 503 insertions(+), 276 deletions(-) create mode 100644 .pipelines/build/dockerfiles/azure-ipam.Dockerfile create mode 100644 .pipelines/build/dockerfiles/cni.Dockerfile create mode 100644 .pipelines/build/dockerfiles/cns.Dockerfile create mode 100644 .pipelines/build/dockerfiles/ipv6-hp-bpf.Dockerfile create mode 100644 .pipelines/build/dockerfiles/npm.Dockerfile create mode 100644 .pipelines/build/images.jobs.yaml create mode 100644 .pipelines/build/scripts/azure-ipam.sh create mode 100644 .pipelines/build/scripts/cns.sh create mode 100644 .pipelines/build/scripts/ipv6-hp-bpf.sh create mode 100644 .pipelines/build/scripts/npm.sh diff --git a/.pipelines/build/dockerfiles/azure-ipam.Dockerfile b/.pipelines/build/dockerfiles/azure-ipam.Dockerfile new file mode 100644 index 0000000000..eafca141f4 --- /dev/null +++ b/.pipelines/build/dockerfiles/azure-ipam.Dockerfile 
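Review bot: In `'**/*.?(tgz|tgz.gz|zip)'` the `?( )` group means zero or one occurrence under the usual extended-glob rules, so the pattern also matches any file whose name ends in a dot; `@( )` is the exactly-one form. Use `archiveFilePatterns: '**/*.@(tgz|tgz.gz|zip)'`. The same pattern is used again in images.jobs.yaml later in the series.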
@@ -0,0 +1,11 @@ +ARG ARTIFACT_DIR + +FROM scratch AS linux +COPY ${ARTIFACT_DIR}/bins/dropgz dropgz +ENTRYPOINT [ "/dropgz" ] + + +# skopeo inspect docker://mcr.microsoft.com/oss/kubernetes/windows-host-process-containers-base-image:v1.0.0 --format "{{.Name}}@{{.Digest}}" +FROM mcr.microsoft.com/oss/kubernetes/windows-host-process-containers-base-image@sha256:b4c9637e032f667c52d1eccfa31ad8c63f1b035e8639f3f48a510536bf34032b as windows +COPY ${ARTIFACT_DIR}/bins/dropgz dropgz.exe +ENTRYPOINT [ "/dropgz.exe" ] diff --git a/.pipelines/build/dockerfiles/cni.Dockerfile b/.pipelines/build/dockerfiles/cni.Dockerfile new file mode 100644 index 0000000000..11612c94b0 --- /dev/null +++ b/.pipelines/build/dockerfiles/cni.Dockerfile @@ -0,0 +1,16 @@ +ARG ARCH +ARG ARTIFACT_DIR + +FROM scratch AS linux +ADD ${ARTIFACT_DIR}/bins/dropgz dropgz +ENTRYPOINT [ "/dropgz" ] + + +# mcr.microsoft.com/oss/kubernetes/windows-host-process-containers-base-image:v1.0.0 +FROM --platform=windows/${ARCH} mcr.microsoft.com/oss/kubernetes/windows-host-process-containers-base-image@sha256:b4c9637e032f667c52d1eccfa31ad8c63f1b035e8639f3f48a510536bf34032b as hpc + +FROM hpc as windows +ADD ${ARTIFACT_DIR}/bins/dropgz dropgz.exe +ENTRYPOINT [ "/dropgz.exe" ] + + diff --git a/.pipelines/build/dockerfiles/cns.Dockerfile b/.pipelines/build/dockerfiles/cns.Dockerfile new file mode 100644 index 0000000000..1e448d0ad3 --- /dev/null +++ b/.pipelines/build/dockerfiles/cns.Dockerfile 
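Review bot: `ARG ARTIFACT_DIR` is declared before the first `FROM`, so it is in scope only for `FROM` lines; inside the `linux` and `windows` stages `${ARTIFACT_DIR}` expands to an empty string and both `COPY` lines read `/bins/dropgz` from the context root, whatever `--build-arg` was passed. Re-declare it in each stage by adding `ARG ARTIFACT_DIR` after the `FROM` line. The same applies to `ARTIFACT_DIR` in cni.Dockerfile and to `ARCHIVE_DIR` in cns.Dockerfile and ipv6-hp-bpf.Dockerfile. Both stages also copy the same `bins/dropgz`; if the build context is expected to hold the OS-specific binary under that name, a comment should say so.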
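Review bot: Both stages of cni.Dockerfile use `ADD ${ARTIFACT_DIR}/bins/dropgz ...` for a plain local file. `ADD` also unpacks recognised archives and accepts URLs, which is more than this step needs and makes the result depend on how the source is interpreted. `COPY ${ARTIFACT_DIR}/bins/dropgz dropgz` (and `dropgz.exe` in the `windows` stage) states the intent and matches azure-ipam.Dockerfile in the same commit.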
@@ -0,0 +1,23 @@ +ARG ARCH +ARG ARCHIVE_DIR + +# mcr.microsoft.com/cbl-mariner/base/core:2.0 +FROM mcr.microsoft.com/cbl-mariner/base/core@sha256:961bfedbbbdc0da51bc664f51d959da292eced1ad46c3bf674aba43b9be8c703 AS iptables +RUN tdnf install -y iptables + +# mcr.microsoft.com/cbl-mariner/distroless/minimal:2.0 +FROM mcr.microsoft.com/cbl-mariner/distroless/minimal@sha256:7778a86d86947d5f64c1280a7ee0cf36c6c6d76b5749dd782fbcc14f113961bf AS linux +COPY --from=iptables /usr/sbin/*tables* /usr/sbin/ +COPY --from=iptables /usr/lib /usr/lib +COPY ${ARCHIVE_DIR}/bins/azure-cns /usr/local/bin/azure-cns +ENTRYPOINT [ "/usr/local/bin/azure-cns" ] +EXPOSE 10090 + + +# mcr.microsoft.com/oss/kubernetes/windows-host-process-containers-base-image:v1.0.0 +FROM --platform=windows/${ARCH} mcr.microsoft.com/oss/kubernetes/windows-host-process-containers-base-image@sha256:b4c9637e032f667c52d1eccfa31ad8c63f1b035e8639f3f48a510536bf34032b AS windows +COPY ${ARCHIVE_DIR}/files/kubeconfigtemplate.yaml kubeconfigtemplate.yaml +COPY ${ARCHIVE_DIR}/files/setkubeconfigpath.ps1 setkubeconfigpath.ps1 +COPY ${ARCHIVE_DIR}/bins/azure-cns /azure-cns.exe +ENTRYPOINT ["azure-cns.exe"] +EXPOSE 10090 diff --git a/.pipelines/build/dockerfiles/ipv6-hp-bpf.Dockerfile b/.pipelines/build/dockerfiles/ipv6-hp-bpf.Dockerfile new file mode 100644 index 0000000000..8266effe5f --- /dev/null +++ b/.pipelines/build/dockerfiles/ipv6-hp-bpf.Dockerfile @@ -0,0 +1,8 @@ +ARG ARCHIVE_DIR + +FROM mcr.microsoft.com/cbl-mariner/distroless/minimal:2.0 AS linux +COPY ${ARCHIVE_DIR}/lib/* /lib +COPY ${ARCHIVE_DIR}/bins/ipv6-hp-bpf /ipv6-hp-bpf +COPY ${ARCHIVE_DIR}/bins/nft /usr/sbin/nft +COPY ${ARCHIVE_DIR}/bins/ip /sbin/ip +CMD ["/ipv6-hp-bpf"] diff --git a/.pipelines/build/dockerfiles/npm.Dockerfile b/.pipelines/build/dockerfiles/npm.Dockerfile new file mode 100644 index 0000000000..8c6baa4de6 --- /dev/null +++ b/.pipelines/build/dockerfiles/npm.Dockerfile 
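Review bot: `FROM mcr.microsoft.com/cbl-mariner/distroless/minimal:2.0` in ipv6-hp-bpf.Dockerfile references the base by tag alone, while cns.Dockerfile pins the same image by digest and keeps the tag in a comment. A tag can be re-pointed, so the signed binaries could end up layered on a base nobody reviewed. Follow the cns.Dockerfile form, `FROM mcr.microsoft.com/cbl-mariner/distroless/minimal@sha256:<digest> AS linux`, where `<digest>` is a placeholder for the value read from the registry. Separately, `COPY ${ARCHIVE_DIR}/lib/* /lib` should end in `/lib/`, since a copy with several sources needs a destination that ends in a slash.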
@@ -0,0 +1,20 @@ +FROM mcr.microsoft.com/mirror/docker/library/ubuntu:20.04 as linux + +RUN apt-get update && \ + apt-get install -y libc-bin=2.31-0ubuntu9.17 libc6=2.31-0ubuntu9.17 libtasn1-6=4.16.0-2ubuntu0.1 libgnutls30=3.6.13-2ubuntu1.12 iptables ipset ca-certificates && \ + apt-get autoremove -y && \ + apt-get clean + +RUN chmod +x /usr/bin/azure-npm +ENTRYPOINT ["/usr/bin/azure-npm", "start"] + + +# intermediate for win-ltsc2022 +FROM mcr.microsoft.com/windows/servercore@sha256:45952938708fbde6ec0b5b94de68bcdec3f8c838be018536b1e9e5bd95e6b943 as windows + +COPY ${ARTIFACT_DIR}/files/kubeconfigtemplate.yaml kubeconfigtemplate.yaml +COPY ${ARTIFACT_DIR}/files/setkubeconfigpath.ps1 setkubeconfigpath.ps1 +COPY ${ARTIFACT_DIR}/files/setkubeconfigpath-capz.ps1 setkubeconfigpath-capz.ps1 +COPY ${ARTIFACT_DIR}/bins/azure-npm.exe npm.exe + +CMD ["npm.exe", "start" "--kubeconfig=.\\kubeconfig"] diff --git a/.pipelines/build/images.jobs.yaml b/.pipelines/build/images.jobs.yaml new file mode 100644 index 0000000000..1570257dd6 --- /dev/null +++ b/.pipelines/build/images.jobs.yaml 
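Review bot: The `linux` stage runs `chmod +x /usr/bin/azure-npm`, but no `COPY` puts that file into the image, so the stage fails at that `RUN` and the `ENTRYPOINT` has nothing to start. In the `windows` stage `CMD ["npm.exe", "start" "--kubeconfig=.\\kubeconfig"]` is missing a comma, so it is not valid JSON and is treated as shell form; it should read `CMD ["npm.exe", "start", "--kubeconfig=.\\kubeconfig"]`. `${ARTIFACT_DIR}` is used without any `ARG ARTIFACT_DIR` in the file. The `ubuntu:20.04` base is referenced by tag, unlike the digest-pinned Windows base below it.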
@@ -0,0 +1,114 @@ +parameters: +- name: images + type: jobList + + +jobs: +- ${{ each job_data in parameters.images }}: + - job: pkg_${{ job_data.job }} + displayName: "Build Image Package - ${{ job_data.displayName }} -" + strategy: ${{ job_data.strategy }} + pool: + type: linux + ${{ if eq(job_data.job, 'linux_arm64') }}: + hostArchitecture: arm64 + + variables: + ob_outputDirectory: $(Build.ArtifactStagingDirectory) + ob_artifactSuffix: _$(artifact) + ob_git_checkout: false + ${{ if eq(job_data.job, 'linux_amd64') }}: + LinuxContainerImage: 'onebranch.azurecr.io/linux/ubuntu-2204:latest' + ARCH: amd64 + GOARCH: amd64 + OS: linux + GOOS: linux + ${{ elseif eq(job_data.job, 'windows_amd64') }}: + LinuxContainerImage: 'onebranch.azurecr.io/linux/ubuntu-2204:latest' + ARCH: amd64 + GOARCH: amd64 + OS: windows + GOOS: windows + ${{ elseif eq(job_data.job, 'linux_arm64') }}: + ob_enable_qemu: true + ARCH: arm64 + GOARCH: arm64 + OS: linux + GOOS: linux + # keep these variables concerned with instrumentation. 
+ ob_outputDirectory: $(Build.ArtifactStagingDirectory) + GEN_DIR: $(Build.SourcesDirectory)/temp + REPO_ROOT: $(Build.SourcesDirectory)/${{ job_data.templateContext.repositoryArtifact }} + OUT_DIR: $(Build.ArtifactStagingDirectory) + steps: + - task: DownloadPipelineArtifact@2 + inputs: + targetPath: $(REPO_ROOT) + artifact: '${{ job_data.templateContext.repositoryArtifact }}' + + - task: ShellScript@2 + inputs: + scriptPath: ${{ job_data.templateContext.buildScript }} + + - task: ExtractFiles@1 + inputs: + archiveFilePatterns: '**/*.?(tgz|tgz.gz|zip)' + destinationFolder: $(OUT_DIR) + cleanDestinationFolder: false + overwriteExistingFiles: true + + - shell: | + cp "$SOURCE" "$DEST" + env: + SOURCE: $(REPO_ROOT)/${{ job_data.templateContext.obDockerfile }} + DEST: $(OUT_DIR)/Dockerfile + + - task: onebranch.pipeline.signing@1 + inputs: + command: 'sign' + signing_profile: 'external_distribution' + files_to_sign: '**/*' + search_root: $(OUT_DIR) + + + - job: images_${{ job_data.job }} + displayName: "Build Images - ${{ job_data.displayName }} -" + dependsOn: + - pkg_${{ job_data.job }} + strategy: ${{ job_data.strategy }} + pool: + os: linux + type: docker + ${{ if eq(job_data.job, 'linux_arm64') }}: + hostArchitecture: arm64 + LinuxHostVersion: + distribution: mariner + architecture: arm64 + variables: + ob_outputDirectory: $(Build.SourcesDirectory)/out/images/$(os)_$(arch) + ob_artifactSuffix: _$(name) + ob_git_checkout: false + ${{ if eq(job_data.job, 'linux_amd64') }}: + LinuxContainerImage: 'onebranch.azurecr.io/linux/ubuntu-2204:latest' + ARCH: amd64 + OS: linux + ${{ elseif eq(job_data.job, 'windows_amd64') }}: + ob_enable_qemu: true + ARCH: amd64 + OS: windows + ${{ elseif eq(job_data.job, 'linux_arm64') }}: + ob_build_container: true + ARCH: arm64 + OS: linux + + steps: + - template: build/image.steps.yaml + parameters: + arch: $(ARCH) + os: $(OS) + name: $(name) + dockerfile_path: ${{ job_data.templateContext.pkgArtifact }} + build_tag: $(imageTag) + 
extra_args: $(extraArgs) + archive_file: $(archiveName)-$(OS)-$(ARCH)-$(archiveVersion) + source: ${{ job_data.templateContext.pkgArtifact }} diff --git a/.pipelines/build/scripts/azure-ipam.sh b/.pipelines/build/scripts/azure-ipam.sh new file mode 100644 index 0000000000..3f303ed9d3 --- /dev/null +++ b/.pipelines/build/scripts/azure-ipam.sh @@ -0,0 +1,18 @@ +#!/bin/bash +set -nex + +DROPGZ_VERSION="${DROPGZ_VERSION:-v0.0.12}" +IPAM_BUILD_DIR=$(mktemp -d -p "$GEN_DIR") + +pushd "$ROOT_DIR"/azure-ipam + GOOS=$OS CGO_ENABLED=0 go build -v -a -o "$IPAM_BUILD_DIR"/azure-ipam -trimpath -ldflags "-X github.com/Azure/azure-container-networking/azure-ipam/internal/buildinfo.Version="$AZURE_IPAM_VERSION" main.version="$VERSION"" -gcflags="-dwarflocationlists=true" + cp *.conflist "$IPAM_BUILD_DIR" + sha256sum * > sum.txt + gzip --verbose --best --recursive . && for f in *.gz; do mv -- "$f" "${f%%.gz}"; done +popd + +go mod download github.com/azure/azure-container-networking/dropgz@$DROPGZ_VERSION +pushd "$GOPATH"/pkg/mod/github.com/azure/azure-container-networking/dropgz\@$DROPGZ_VERSION + cp "$IPAM_BUILD_DIR"/* pkg/embed/fs/ + GOOS=$OS CGO_ENABLED=0 go build -a -o "$OUT_DIR"/bins/dropgz -trimpath -ldflags "-X github.com/Azure/azure-container-networking/dropgz/internal/buildinfo.Version="$VERSION"" -gcflags="-dwarflocationlists=true" main.go +popd diff --git a/.pipelines/build/scripts/cns.sh b/.pipelines/build/scripts/cns.sh new file mode 100644 index 0000000000..52536048c5 --- /dev/null +++ b/.pipelines/build/scripts/cns.sh 
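Review bot: The `pkg_` job builds and signs inside `LinuxContainerImage: 'onebranch.azurecr.io/linux/ubuntu-2204:latest'`, a floating tag, so the toolchain that produces the signed files can change between runs with no change in the repository; pin it to a digest or a dated tag. In the same `variables:` mapping `ob_outputDirectory` appears twice, once at the top and again under the instrumentation comment; duplicate keys are either rejected or resolved last-wins depending on the parser, so one of them should go. The signing step uses `files_to_sign: '**/*'` over `$(OUT_DIR)`, which also covers the `Dockerfile` copied there by the preceding step.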
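Review bot: `set -nex` in azure-ipam.sh includes `-n` (noexec), which makes bash read the remaining commands without running them, so the script exits successfully having built nothing and the job goes on to extract and sign whatever is already in the output directory. It was presumably meant to be `set -eux` or `set -euo pipefail`. npm.sh in this commit starts with the same line. Both scripts also change into `"$ROOT_DIR"/...`, while images.jobs.yaml defines `REPO_ROOT`. In the first `go build` the `-ldflags` value closes its quotes around `$AZURE_IPAM_VERSION` and has no second `-X` before `main.version=`.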
@@ -0,0 +1,12 @@ +#!/bin/bash +#ARG CNS_AI_ID +#ARG CNS_AI_PATH + +mkdir -p "$OUT_DIR"/files +mkdir -p "$OUT_DIR"/bins + +pushd "$REPO_ROOT" + GOOS=$OS CGO_ENABLED=0 go build -a -o "$OUT_DIR"/bins/azure-cns -ldflags "-X main.version="$VERSION" -X "$CNS_AI_PATH"="$CNS_AI_ID"" -gcflags="-dwarflocationlists=true" cns/service/*.go + cp cns/kubeconfigtemplate.yaml "$OUT_DIR"/files/kubeconfigtemplate.yaml + cp npm/examples/windows/setkubeconfigpath.ps1 "$OUT_DIR"/files/setkubeconfigpath.ps1 +popd diff --git a/.pipelines/build/scripts/ipv6-hp-bpf.sh b/.pipelines/build/scripts/ipv6-hp-bpf.sh new file mode 100644 index 0000000000..7f6b36092e --- /dev/null +++ b/.pipelines/build/scripts/ipv6-hp-bpf.sh 
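Review bot: cns.sh has no `set -e`, so a failed `go build` does not stop it: the two `cp` lines still run, the script returns the status of `popd`, and the pipeline moves on to the signing step. Add `set -euo pipefail` after the shebang. The `-ldflags` value is written as `"-X main.version="$VERSION" ..."`, which closes and reopens the double quotes so the variables expand unquoted; `-ldflags "-X main.version=$VERSION -X $CNS_AI_PATH=$CNS_AI_ID"` keeps it a single argument.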
@@ -0,0 +1,58 @@ +#!/bin/bash + +mkdir -p "$OUT_DIR"/bins +mkdir -p "$OUT_DIR"/lib + +apt-get update -y +apt-get install -y llvm clang linux-libc-dev linux-headers-generic libbpf-dev libc6-dev nftables iproute2 + +# Copy Needed Library Binaries +cp /usr/sbin/nft "$OUT_DIR"/bins/nft +cp /sbin/ip "$OUT_DIR"/bins/ip + +# Package up Needed C Files +if [ "$ARCH" = "arm64" ]; then + apt-get install -y gcc-aarch64-linux-gnu + ARCH=aarch64-linux-gnu + cp /lib/"$ARCH"/ld-linux-aarch64.so.1 "$OUT_DIR"/lib/ + + for dir in /usr/include/"$ARCH"/*; do + ln -s "$dir" /usr/include/$(basename "$dir") + done + +elif [ "$ARCH" = "amd64" ]; then + apt-get install -y gcc-multilib + ARCH=x86_64-linux-gnu + cp /lib/"$ARCH"/ld-linux-x86-64.so.2 "$OUT_DIR"/lib/ + + for dir in /usr/include/"$ARCH"/*; do + ln -s "$dir" /usr/include/$(basename "$dir") + done +fi + +ln -sfn /usr/include/"$ARCH"/asm /usr/include/asm +cp /lib/"$ARCH"/libnftables.so.1 "$OUT_DIR"/lib/ +cp /lib/"$ARCH"/libedit.so.2 "$OUT_DIR"/lib/ +cp /lib/"$ARCH"/libc.so.6 "$OUT_DIR"/lib/ +cp /lib/"$ARCH"/libmnl.so.0 "$OUT_DIR"/lib/ +cp /lib/"$ARCH"/libnftnl.so.11 "$OUT_DIR"/lib/ +cp /lib/"$ARCH"/libxtables.so.12 "$OUT_DIR"/lib/ +cp /lib/"$ARCH"/libjansson.so.4 "$OUT_DIR"/lib/ +cp /lib/"$ARCH"/libgmp.so.10 "$OUT_DIR"/lib/ +cp /lib/"$ARCH"/libtinfo.so.6 "$OUT_DIR"/lib/ +cp /lib/"$ARCH"/libbsd.so.0 "$OUT_DIR"/lib/ +cp /lib/"$ARCH"/libmd.so.0 "$OUT_DIR"/lib/ + + +# Build IPv6 HP BPF +export C_INCLUDE_PATH=/usr/include/bpf +pushd "$REPO_ROOT"/bpf-prog/ipv6-hp-bpf + cp ./cmd/ipv6-hp-bpf/*.go ./ + + if [ "$DEBUG" = "true" ]; then + echo "\n#define DEBUG" >> ./include/helper.h + fi + + GOOS=$OS CGO_ENABLED=0 go generate ./... + GOOS=$OS CGO_ENABLED=0 go build -a -o "$OUT_DIR"/bins/ipv6-hp-bpf -trimpath -ldflags "-X main.version="$VERSION"" -gcflags="-dwarflocationlists=true" . +popd diff --git a/.pipelines/build/scripts/npm.sh b/.pipelines/build/scripts/npm.sh new file mode 100644 index 0000000000..30381715f4 --- /dev/null 
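Review bot: `echo "\n#define DEBUG" >> ./include/helper.h` does not interpret `\n` with bash's default `echo`, so it appends the literal text `\n#define DEBUG` to the header; use `printf '\n#define DEBUG\n' >> ./include/helper.h`. The script also has no `set -e`, so a failed `apt-get install` or a `cp` of a missing library is ignored and the package is produced with an incomplete `lib/`. The copied `.so` files, `nft` and `ip` are whatever versions `apt-get` resolves at build time; a comment above the `cp` block should state that they come from the build container and which distribution release is expected.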
+++ b/.pipelines/build/scripts/npm.sh @@ -0,0 +1,13 @@ +#!/bin/bash +set -nex + +mkdir -p "$OUT_DIR"/files +mkdir -p "$OUT_DIR"/bins + +pushd "$ROOT_DIR"/npm + GOOS=$OS CGO_ENABLED=0 go build -v -o "$OUT_DIR"/bins/azure-npm -ldflags "-X main.version="$VERSION" -X "$NPM_AI_PATH"="$NPM_AI_ID"" -gcflags="-dwarflocationlists=true" ./cmd/*.go + + cp ./examples/windows/kubeconfigtemplate.yaml "$OUT_DIR"/files/kubeconfigtemplate.yaml + cp ./examples/windows/setkubeconfigpath.ps1 "$OUT_DIR"/files/setkubeconfigpath.ps1 + cp ./examples/windows/setkubeconfigpath-capz.ps1 "$OUT_DIR"/files/setkubeconfigpath-capz.ps1 +popd diff --git a/.pipelines/run-pipeline.yaml b/.pipelines/run-pipeline.yaml index 0b125f8ea5..1bd9dcd71c 100644 --- a/.pipelines/run-pipeline.yaml +++ b/.pipelines/run-pipeline.yaml 
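Review bot: npm.sh writes its output to `"$OUT_DIR"/bins/azure-npm` for every `$OS`, but the `windows` stage of npm.Dockerfile in this commit copies `bins/azure-npm.exe`, so the Windows image build would not find its input. Name the output by OS in the script, or change the `COPY` source to match. A short header comment listing the variables the script expects (`OS`, `OUT_DIR`, `VERSION`, `NPM_AI_PATH`, `NPM_AI_ID`) would make such mismatches easier to spot.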
@@ -47,262 +47,196 @@ stages: IPV6_HP_BPF_VERSION: $[ stageDependencies.setup.env.outputs['EnvironmentalVariables.ipv6HpBpfVersion'] ] NPM_VERSION: $[ stageDependencies.setup.env.outputs['EnvironmentalVariables.npmVersion'] ] jobs: - - template: build/binaries.jobs.yaml +# - template: build/binaries.jobs.yaml +# parameters: +# binaries: +# - job: linux_amd64 +# displayName: "Linux/AMD64" +# templateContext: +# action: build +# isOfficial: ${{ parameters.isOfficial }} +# repositoryArtifact: drop_setup_env_source +# strategy: +# maxParallel: 5 +# matrix: +# azure_ipam: +# name: azure-ipam-archive +# artifact: azure-ipam +# cni: +# name: cni-archive +# artifact: cni +# cns: +# name: cns-archive +# artifact: cns +# ipv6_hp_bpf: +# name: ipv6-hp-bpf-archive +# artifact: ipv6-hp-bpf +# npm: +# name: npm-archive +# artifact: npm +# - job: windows_amd64 +# displayName: "Windows/AMD64" +# templateContext: +# action: build +# isOfficial: ${{ parameters.isOfficial }} +# repositoryArtifact: drop_setup_env_source +# strategy: +# maxParallel: 5 +# matrix: +# cni: +# name: cni-archive +# artifact: cni +# cns: +# name: cns-archive +# artifact: cns +# npm: +# name: npm-archive +# artifact: npm +# - job: linux_arm64 +# displayName: "Linux/ARM64" +# templateContext: +# action: build +# isOfficial: ${{ parameters.isOfficial }} +# repositoryArtifact: drop_setup_env_source +# strategy: +# maxParallel: 5 +# matrix: +# azure_ipam: +# name: azure-ipam-archive +# artifact: azure-ipam +# cni: +# name: cni-archive +# artifact: cni +# cns: +# name: cns-archive +# artifact: cns +# ipv6_hp_bpf: +# name: ipv6-hp-bpf-archive +# artifact: ipv6-hp-bpf +# npm: +# name: npm-archive +# artifact: npm + + + - template: /.pipelines/build/images.jobs.yaml parameters: - binaries: + images: - job: linux_amd64 displayName: "Linux/AMD64" templateContext: - action: build - isOfficial: ${{ parameters.isOfficial }} repositoryArtifact: drop_setup_env_source + pkgArtifact: drop_pkg_linux_amd64_$(name) + 
buildScript: .pipelines/build/scripts/$(name).sh + obDockerfile: .pipelines/build/dockerfiles/$(name).Dockerfile strategy: maxParallel: 5 matrix: azure_ipam: - name: azure-ipam-archive - artifact: azure-ipam + name: azure-ipam + extraArgs: '' + archiveName: azure-ipam + archiveVersion: $(AZURE_IPAM_VERSION) + imageTag: $(Build.BuildNumber) cni: - name: cni-archive - artifact: cni + name: cni + extraArgs: '--build-arg CNI_AI_PATH=$(CNI_AI_PATH) --build-arg CNI_AI_ID=$(CNI_AI_ID)' + archiveName: azure-cni + archiveVersion: $(CNI_VERSION) + imageTag: $(Build.BuildNumber) cns: - name: cns-archive - artifact: cns + name: cns + extraArgs: '--build-arg CNS_AI_PATH=$(CNS_AI_PATH) --build-arg CNS_AI_ID=$(CNS_AI_ID)' + archiveName: azure-cns + archiveVersion: $(CNS_VERSION) + imageTag: $(Build.BuildNumber) ipv6_hp_bpf: - name: ipv6-hp-bpf-archive - artifact: ipv6-hp-bpf + name: ipv6-hp-bpf + extraArgs: "--build-arg DEBUG=$(System.Debug)" + archiveName: ipv6-hp-bpf + archiveVersion: $(IPV6_HP_BPF_VERSION) + imageTag: $(Build.BuildNumber) npm: - name: npm-archive - artifact: npm + name: npm + extraArgs: '--build-arg NPM_AI_PATH=$(NPM_AI_PATH) --build-arg NPM_AI_ID=$(NPM_AI_ID)' + archiveName: azure-npm + archiveVersion: $(NPM_VERSION) + imageTag: $(Build.BuildNumber) + - job: windows_amd64 - displayName: "Windows/AMD64" + displayName: "Windows" templateContext: - action: build - isOfficial: ${{ parameters.isOfficial }} repositoryArtifact: drop_setup_env_source + pkgArtifact: drop_pkg_windows_amd64_$(name) + buildScript: .pipelines/build/scripts/$(name).sh + obDockerfile: .pipelines/build/dockerfiles/$(name).Dockerfile strategy: maxParallel: 5 matrix: + azure_ipam: + name: azure-ipam + extraArgs: '' + archiveName: azure-ipam + archiveVersion: $(OS)-$(ARCH)-$(AZURE_IPAM_VERSION) + imageTag: $(Build.BuildNumber) cni: - name: cni-archive - artifact: cni + name: cni + extraArgs: '--build-arg CNI_AI_PATH=$(CNI_AI_PATH) --build-arg CNI_AI_ID=$(CNI_AI_ID)' + archiveName: azure-cni + 
archiveVersion: $(CNI_VERSION) + imageTag: $(Build.BuildNumber) cns: - name: cns-archive - artifact: cns + name: cns + extraArgs: '--build-arg CNS_AI_PATH=$(CNS_AI_PATH) --build-arg CNS_AI_ID=$(CNS_AI_ID)' + archiveName: azure-cns + archiveVersion: $(CNS_VERSION) + imageTag: $(Build.BuildNumber) npm: - name: npm-archive - artifact: npm + name: npm + extraArgs: '--build-arg NPM_AI_PATH=$(NPM_AI_PATH) --build-arg NPM_AI_ID=$(NPM_AI_ID)' + archiveName: azure-npm + archiveVersion: $(NPM_VERSION) + imageTag: $(Build.BuildNumber) + - job: linux_arm64 displayName: "Linux/ARM64" templateContext: - action: build - isOfficial: ${{ parameters.isOfficial }} repositoryArtifact: drop_setup_env_source + pkgArtifact: drop_pkg_linux_arm64_$(name) + buildScript: .pipelines/build/scripts/$(name).sh + obDockerfile: .pipelines/build/dockerfiles/$(name).Dockerfile strategy: - maxParallel: 5 + maxParallel: 3 matrix: azure_ipam: - name: azure-ipam-archive - artifact: azure-ipam + name: azure-ipam + archiveName: azure-ipam + archiveVersion: $(AZURE_IPAM_VERSION) + extraArgs: '' + imageTag: $(Build.BuildNumber) cni: - name: cni-archive - artifact: cni + name: cni + extraArgs: '--build-arg CNI_AI_PATH=$(CNI_AI_PATH) --build-arg CNI_AI_ID=$(CNI_AI_ID)' + archiveName: azure-cni + archiveVersion: $(CNI_VERSION) + imageTag: $(Build.BuildNumber) cns: - name: cns-archive - artifact: cns + name: cns + extraArgs: '--build-arg CNS_AI_PATH=$(CNS_AI_PATH) --build-arg CNS_AI_ID=$(CNS_AI_ID)' + archiveName: azure-cns + archiveVersion: $(CNS_VERSION) + imageTag: $(Build.BuildNumber) ipv6_hp_bpf: - name: ipv6-hp-bpf-archive - artifact: ipv6-hp-bpf + name: ipv6-hp-bpf + extraArgs: "--build-arg DEBUG=$(System.Debug)" + archiveName: ipv6-hp-bpf + archiveVersion: $(IPV6_HP_BPF_VERSION) + imageTag: $(Build.BuildNumber) npm: - name: npm-archive - artifact: npm - - - - job: images_linux_amd64 - displayName: "Build Linux/AMD64 Images" - pool: - os: linux - type: docker - variables: - LinuxContainerImage: 
'onebranch.azurecr.io/linux/ubuntu-2204:latest' - ob_outputDirectory: $(Build.SourcesDirectory)/out/images/$(os)_$(arch) - ob_artifactSuffix: _$(name) - - ARCH: amd64 - OS: linux - strategy: - maxParallel: 5 - matrix: - azure_ipam: - name: azure-ipam - dockerfilePath: $(ACN_DIR)/azure-ipam - extraArgs: '' - archiveName: azure-ipam - archiveVersion: $(AZURE_IPAM_VERSION) - imageTag: $(Build.BuildNumber) - cni: - name: cni - dockerfilePath: $(ACN_DIR)/cni - extraArgs: '--build-arg CNI_AI_PATH=$(CNI_AI_PATH) --build-arg CNI_AI_ID=$(CNI_AI_ID)' - archiveName: azure-cni - archiveVersion: $(CNI_VERSION) - imageTag: $(Build.BuildNumber) - cns: - name: cns - dockerfilePath: $(ACN_DIR)/cns - extraArgs: '--build-arg CNS_AI_PATH=$(CNS_AI_PATH) --build-arg CNS_AI_ID=$(CNS_AI_ID)' - archiveName: azure-cns - archiveVersion: $(CNS_VERSION) - imageTag: $(Build.BuildNumber) - ipv6_hp_bpf: - name: ipv6-hp-bpf - dockerfilePath: $(ACN_DIR)/bpf-prog/ipv6-hp-bpf - extraArgs: "--build-arg DEBUG=$(System.Debug)" - archiveName: ipv6-hp-bpf - archiveVersion: $(IPV6_HP_BPF_VERSION) - imageTag: $(Build.BuildNumber) - npm: - name: npm - dockerfilePath: $(ACN_DIR)/npm - extraArgs: '--build-arg NPM_AI_PATH=$(NPM_AI_PATH) --build-arg NPM_AI_ID=$(NPM_AI_ID)' - archiveName: azure-npm - archiveVersion: $(NPM_VERSION) - imageTag: $(Build.BuildNumber) - steps: - - template: build/image.steps.yaml - parameters: - arch: $(ARCH) - os: $(OS) - name: $(name) - dockerfile_path: $(dockerfilePath) - build_tag: $(imageTag) - extra_args: $(extraArgs) - archive_file: $(archiveName)-$(OS)-$(ARCH)-$(archiveVersion) - - - job: images_windows_amd64 - displayName: "Build Windows Images" - pool: - os: linux - type: docker - variables: - LinuxContainerImage: 'onebranch.azurecr.io/linux/ubuntu-2204:latest' - ob_outputDirectory: $(Build.SourcesDirectory)/out/images/$(os)_$(arch) - ob_artifactSuffix: _$(name) - ob_enable_qemu: true - - ARCH: amd64 - OS: windows - strategy: - maxParallel: 5 - matrix: - azure_ipam: - name: 
azure-ipam - dockerfilePath: $(ACN_DIR)/azure-ipam - extraArgs: '' - archiveName: azure-ipam - archiveVersion: $(OS)-$(ARCH)-$(AZURE_IPAM_VERSION) - imageTag: $(Build.BuildNumber) - cni: - name: cni - dockerfilePath: $(ACN_DIR)/cni - extraArgs: '--build-arg CNI_AI_PATH=$(CNI_AI_PATH) --build-arg CNI_AI_ID=$(CNI_AI_ID)' - archiveName: azure-cni - archiveVersion: $(CNI_VERSION) - imageTag: $(Build.BuildNumber) - cns: - name: cns - dockerfilePath: $(ACN_DIR)/cns - extraArgs: '--build-arg CNS_AI_PATH=$(CNS_AI_PATH) --build-arg CNS_AI_ID=$(CNS_AI_ID)' - archiveName: azure-cns - archiveVersion: $(CNS_VERSION) - imageTag: $(Build.BuildNumber) - npm: - name: npm - dockerfilePath: $(ACN_DIR)/npm-windows - extraArgs: '--build-arg NPM_AI_PATH=$(NPM_AI_PATH) --build-arg NPM_AI_ID=$(NPM_AI_ID)' - archiveName: azure-npm - archiveVersion: $(NPM_VERSION) - imageTag: $(Build.BuildNumber) - steps: - - template: build/image.steps.yaml - parameters: - arch: $(ARCH) - os: $(OS) - name: $(name) - dockerfile_path: $(dockerfilePath) - build_tag: $(imageTag) - extra_args: $(extraArgs) - archive_file: $(archiveName)-$(OS)-$(ARCH)-$(archiveVersion) - - - job: images_linux_arm64 - displayName: "Build Linux/ARM64 Images" - pool: - os: linux - type: docker - hostArchitecture: arm64 - LinuxHostVersion: - distribution: mariner - architecture: arm64 - variables: - ob_outputDirectory: $(Build.SourcesDirectory)/out/images/$(os)_$(arch) - ob_artifactSuffix: _$(name) - ob_build_container: true - - ARCH: arm64 - OS: linux - strategy: - maxParallel: 3 - matrix: - azure_ipam: - name: azure-ipam - os: linux - dockerfilePath: $(ACN_DIR)/azure-ipam - archiveName: azure-ipam - archiveVersion: $(AZURE_IPAM_VERSION) - extraArgs: '' - imageTag: $(Build.BuildNumber) - cni: - name: cni - os: linux - dockerfilePath: $(ACN_DIR)/cni - extraArgs: '--build-arg CNI_AI_PATH=$(CNI_AI_PATH) --build-arg CNI_AI_ID=$(CNI_AI_ID)' - archiveName: azure-cni - archiveVersion: $(CNI_VERSION) - imageTag: $(Build.BuildNumber) - cns: 
- name: cns - os: linux - dockerfilePath: $(ACN_DIR)/cns - extraArgs: '--build-arg CNS_AI_PATH=$(CNS_AI_PATH) --build-arg CNS_AI_ID=$(CNS_AI_ID)' - archiveName: azure-cns - archiveVersion: $(CNS_VERSION) - imageTag: $(Build.BuildNumber) - ipv6_hp_bpf: - name: ipv6-hp-bpf - os: linux - dockerfilePath: $(ACN_DIR)/bpf-prog/ipv6-hp-bpf - extraArgs: "--build-arg DEBUG=$(System.Debug)" - archiveName: ipv6-hp-bpf - archiveVersion: $(IPV6_HP_BPF_VERSION) - imageTag: $(Build.BuildNumber) - npm: - name: npm - os: linux - dockerfilePath: $(ACN_DIR)/npm - extraArgs: '--build-arg NPM_AI_PATH=$(NPM_AI_PATH) --build-arg NPM_AI_ID=$(NPM_AI_ID)' - archiveName: azure-npm - archiveVersion: $(NPM_VERSION) - imageTag: $(Build.BuildNumber) - steps: - - template: build/image.steps.yaml - parameters: - arch: $(ARCH) - os: $(OS) - name: $(name) - dockerfile_path: $(dockerfilePath) - build_tag: $(imageTag) - extra_args: $(extraArgs) - archive_file: $(archiveName)-$(OS)-$(ARCH)-$(archiveVersion) + name: npm + extraArgs: '--build-arg NPM_AI_PATH=$(NPM_AI_PATH) --build-arg NPM_AI_ID=$(NPM_AI_ID)' + archiveName: azure-npm + archiveVersion: $(NPM_VERSION) + imageTag: $(Build.BuildNumber) - stage: manifests 
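Review bot: The `windows_amd64` entry now takes `obDockerfile` from `.pipelines/build/dockerfiles/$(name).Dockerfile`, so its `npm` leg resolves to the same Dockerfile as the Linux legs, whereas the removed `images_windows_amd64` job used `dockerfilePath: $(ACN_DIR)/npm-windows`. Unless the new Dockerfile branches on the target OS (not visible in this patch), the Windows NPM image would be built from the Linux recipe; an OS-qualified name such as `$(name)-windows.Dockerfile` for that leg would keep the old separation. The roughly seventy lines of `build/binaries.jobs.yaml` parameters left as `#` comments at the top of the hunk are better deleted, since history already holds them.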
@@ -338,59 +272,59 @@ stages: NPM_LINUX_ARM64_REF: $(IMAGE_REPO_PATH)/linux-arm64/npm:$(Build.BuildNumber) NPM_WINDOWS_AMD64_REF: $(IMAGE_REPO_PATH)/windows-amd64/npm:$(Build.BuildNumber) jobs: - - template: build/binaries.jobs.yaml - parameters: - binaries: - - job: linux_amd64 - displayName: "Linux/AMD64" - templateContext: - action: sign - isOfficial: ${{ parameters.isOfficial }} - repositoryArtifact: drop_build_binaries_linux_amd64_$(artifact) - strategy: - matrix: - azure_ipam: - artifact: azure-ipam - cni: - artifact: cni - cns: - artifact: cns - ipv6_hp_bpf: - artifact: ipv6-hp-bpf - npm: - artifact: npm - - job: windows_amd64 - displayName: "Windows/AMD64" - templateContext: - action: sign - isOfficial: ${{ parameters.isOfficial }} - repositoryArtifact: drop_build_binaries_windows_amd64_$(artifact) - strategy: - matrix: - cni: - artifact: cni - cns: - artifact: cns - npm: - artifact: npm - - job: linux_arm64 - displayName: "Linux/ARM64" - templateContext: - action: sign - isOfficial: ${{ parameters.isOfficial }} - repositoryArtifact: drop_build_binaries_linux_arm64_$(artifact) - strategy: - matrix: - azure_ipam: - artifact: azure-ipam - cni: - artifact: cni - cns: - artifact: cns - ipv6_hp_bpf: - artifact: ipv6-hp-bpf - npm: - artifact: npm +# - template: build/binaries.jobs.yaml +# parameters: +# binaries: +# - job: linux_amd64 +# displayName: "Linux/AMD64" +# templateContext: +# action: sign +# isOfficial: ${{ parameters.isOfficial }} +# repositoryArtifact: drop_build_binaries_linux_amd64_$(artifact) +# strategy: +# matrix: +# azure_ipam: +# artifact: azure-ipam +# cni: +# artifact: cni +# cns: +# artifact: cns +# ipv6_hp_bpf: +# artifact: ipv6-hp-bpf +# npm: +# artifact: npm +# - job: windows_amd64 +# displayName: "Windows/AMD64" +# templateContext: +# action: sign +# isOfficial: ${{ parameters.isOfficial }} +# repositoryArtifact: drop_build_binaries_windows_amd64_$(artifact) +# strategy: +# matrix: +# cni: +# artifact: cni +# cns: +# artifact: cns +# 
npm: +# artifact: npm +# - job: linux_arm64 +# displayName: "Linux/ARM64" +# templateContext: +# action: sign +# isOfficial: ${{ parameters.isOfficial }} +# repositoryArtifact: drop_build_binaries_linux_arm64_$(artifact) +# strategy: +# matrix: +# azure_ipam: +# artifact: azure-ipam +# cni: +# artifact: cni +# cns: +# artifact: cns +# ipv6_hp_bpf: +# artifact: ipv6-hp-bpf +# npm: +# artifact: npm - template: build/manifests.jobs.yaml From 259ab4a8b9235fc3cb834eed80883440f6ac2806 Mon Sep 17 00:00:00 2001 From: Sheyla Trudo Date: Wed, 14 May 2025 01:10:43 -0700 Subject: [PATCH 013/154] fixup! Use Signed Binaries for Docker Build --- .pipelines/build/images.jobs.yaml | 1 - 1 file changed, 1 deletion(-) diff --git a/.pipelines/build/images.jobs.yaml b/.pipelines/build/images.jobs.yaml index 1570257dd6..b09a5f79c9 100644 --- a/.pipelines/build/images.jobs.yaml +++ b/.pipelines/build/images.jobs.yaml @@ -36,7 +36,6 @@ jobs: OS: linux GOOS: linux # keep these variables concerned with instrumentation. - ob_outputDirectory: $(Build.ArtifactStagingDirectory) GEN_DIR: $(Build.SourcesDirectory)/temp REPO_ROOT: $(Build.SourcesDirectory)/${{ job_data.templateContext.repositoryArtifact }} OUT_DIR: $(Build.ArtifactStagingDirectory) From 364b478fe9a7fe7a7e1c6b358bbd25e149a3f609 Mon Sep 17 00:00:00 2001 From: Sheyla Trudo Date: Wed, 14 May 2025 01:12:03 -0700 Subject: [PATCH 014/154] fixup! Use Signed Binaries for Docker Build --- .pipelines/build/images.jobs.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.pipelines/build/images.jobs.yaml b/.pipelines/build/images.jobs.yaml index b09a5f79c9..9c28f3b329 100644 --- a/.pipelines/build/images.jobs.yaml +++ b/.pipelines/build/images.jobs.yaml @@ -56,7 +56,7 @@ jobs: cleanDestinationFolder: false overwriteExistingFiles: true - - shell: | + - script: | cp "$SOURCE" "$DEST" env: SOURCE: $(REPO_ROOT)/${{ job_data.templateContext.obDockerfile }} From c868cbb12023e8ded8493707530105ada9f07b17 Mon Sep 17 00:00:00 2001 
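Review bot: Commenting out the whole `build/binaries.jobs.yaml` call with `action: sign` removes every signing job from this stage, and the first hunk of this file disables the `action: build` call too, so nothing visible in this patch signs the binaries that the new image jobs package. If signing has moved into `images.jobs.yaml`, a one-line comment here should say so; otherwise a sign step needs to run before the image build, with the image jobs depending on it. The block should be deleted or restored rather than kept as `#` comments, so that the state of signing in the stage is unambiguous to a reader.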
From: Sheyla Trudo Date: Wed, 14 May 2025 01:14:31 -0700 Subject: [PATCH 015/154] fixup! Use Signed Binaries for Docker Build --- .pipelines/build/images.jobs.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.pipelines/build/images.jobs.yaml b/.pipelines/build/images.jobs.yaml index 9c28f3b329..1745068b1f 100644 --- a/.pipelines/build/images.jobs.yaml +++ b/.pipelines/build/images.jobs.yaml @@ -101,7 +101,7 @@ jobs: OS: linux steps: - - template: build/image.steps.yaml + - template: image.steps.yaml parameters: arch: $(ARCH) os: $(OS) From 4aaedc35dc67ca6530144d91e081c171fe4471c4 Mon Sep 17 00:00:00 2001 From: Sheyla Trudo Date: Wed, 14 May 2025 01:40:34 -0700 Subject: [PATCH 016/154] fixup! Use Signed Binaries for Docker Build --- .pipelines/build/images.jobs.yaml | 6 +++++- .pipelines/build/scripts/ipv6-hp-bpf.sh | 28 +++++++++++++++++++++++-- 2 files changed, 31 insertions(+), 3 deletions(-) diff --git a/.pipelines/build/images.jobs.yaml b/.pipelines/build/images.jobs.yaml index 1745068b1f..248ef50e5c 100644 --- a/.pipelines/build/images.jobs.yaml +++ b/.pipelines/build/images.jobs.yaml @@ -45,9 +45,13 @@ jobs: targetPath: $(REPO_ROOT) artifact: '${{ job_data.templateContext.repositoryArtifact }}' + - task: GoTool@0 + inputs: + version: '$(GOVERSION)' + - task: ShellScript@2 inputs: - scriptPath: ${{ job_data.templateContext.buildScript }} + scriptPath: ${{ job_data.templateContext.repositoryArtifact }}/${{ job_data.templateContext.buildScript }} - task: ExtractFiles@1 inputs: diff --git a/.pipelines/build/scripts/ipv6-hp-bpf.sh b/.pipelines/build/scripts/ipv6-hp-bpf.sh index 7f6b36092e..6fe4afb568 100644 --- a/.pipelines/build/scripts/ipv6-hp-bpf.sh +++ b/.pipelines/build/scripts/ipv6-hp-bpf.sh 
@@ -3,8 +3,32 @@ mkdir -p "$OUT_DIR"/bins mkdir -p "$OUT_DIR"/lib -apt-get update -y -apt-get install -y llvm clang linux-libc-dev linux-headers-generic libbpf-dev libc6-dev nftables iproute2 +if [[ -f /etc/debian_version ]];then + sudo apt-get update -y + if [[ $GOARCH =~ amd64 ]]; then + apt-get install -y llvm clang linux-libc-dev linux-headers-generic libbpf-dev libc6-dev nftables iproute2 + #apt-get install -y llvm clang linux-libc-dev linux-headers-generic libbpf-dev libc6-dev nftables iproute2 gcc-multilib tree + for dir in /usr/include/x86_64-linux-gnu/*; do + sudo ln -sfn "$dir" /usr/include/$(basename "$dir") + done + + elif [[ $GOARCH =~ arm64 ]]; then + sudo apt-get install -y llvm clang linux-libc-dev linux-headers-generic libbpf-dev libc6-dev nftables iproute2 gcc-aarch64-linux-gnu tree + for dir in /usr/include/aarch64-linux-gnu/*; do + sudo ln -sfn "$dir" /usr/include/$(basename "$dir") + done + fi +# Mariner +else + sudo tdnf install -y llvm clang libbpf-devel nftables tree + for dir in /usr/include/aarch64-linux-gnu/*; do + if [[ -d $dir ]]; then + sudo ln -sfn "$dir" /usr/include/$(basename "$dir") + elif [[ -f "$dir" ]]; then + sudo ln -Tsfn "$dir" /usr/include/$(basename "$dir") + fi + done +fi # Copy Needed Library Binaries cp /usr/sbin/nft "$OUT_DIR"/bins/nft From 96b082df71fae30114ca56d42af2cf4dbade9e33 Mon Sep 17 00:00:00 2001 From: Sheyla Trudo Date: Wed, 14 May 2025 10:19:19 -0700 Subject: [PATCH 017/154] fixup! Use Signed Binaries for Docker Build --- .pipelines/build/ob-prepare.steps.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.pipelines/build/ob-prepare.steps.yaml b/.pipelines/build/ob-prepare.steps.yaml index eb58389f6d..8f866e25e9 100644 --- a/.pipelines/build/ob-prepare.steps.yaml +++ b/.pipelines/build/ob-prepare.steps.yaml 
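Review bot: The Mariner `else` branch loops over `/usr/include/aarch64-linux-gnu/*` regardless of `$GOARCH`, and that Debian multiarch directory presumably does not exist after `tdnf install`, in which case the glob stays unexpanded, both `[[ -d $dir ]]` and `[[ -f "$dir" ]]` are false, and the loop does nothing. Either guard it with `[[ -d /usr/include/aarch64-linux-gnu ]]` and document why it is needed, or drop it. `[[ $GOARCH =~ amd64 ]]` is a regex match that also accepts any value merely containing the string; `[[ $GOARCH == amd64 ]]` states the intent. The `$(basename "$dir")` targets of `ln -sfn` are unquoted and should be `"/usr/include/$(basename "$dir")"`.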
@@ -27,7 +27,7 @@ steps: source_dockerfile: linux.Dockerfile - bash: | - rm -rf .pipelines .hooks .github + rm -rf .hooks .github displayName: "Remove Unnecessary Dirs from Source" workingDirectory: $(Build.SourcesDirectory)/azure-container-networking From a35f48729b9e9ff399125fd04c0303c50a49d867 Mon Sep 17 00:00:00 2001 From: Sheyla Trudo Date: Wed, 14 May 2025 10:44:28 -0700 Subject: [PATCH 018/154] fixup! Use Signed Binaries for Docker Build --- .pipelines/build/images.jobs.yaml | 2 +- .pipelines/build/scripts/cni.sh | 29 +++++++++++++++++++++++++++++ 2 files changed, 30 insertions(+), 1 deletion(-) create mode 100644 .pipelines/build/scripts/cni.sh diff --git a/.pipelines/build/images.jobs.yaml b/.pipelines/build/images.jobs.yaml index 248ef50e5c..e5dd1a268f 100644 --- a/.pipelines/build/images.jobs.yaml +++ b/.pipelines/build/images.jobs.yaml @@ -15,7 +15,7 @@ jobs: variables: ob_outputDirectory: $(Build.ArtifactStagingDirectory) - ob_artifactSuffix: _$(artifact) + ob_artifactSuffix: _$(name) ob_git_checkout: false ${{ if eq(job_data.job, 'linux_amd64') }}: LinuxContainerImage: 'onebranch.azurecr.io/linux/ubuntu-2204:latest' diff --git a/.pipelines/build/scripts/cni.sh b/.pipelines/build/scripts/cni.sh new file mode 100644 index 0000000000..e3cc20c3ad --- /dev/null +++ b/.pipelines/build/scripts/cni.sh 
@@ -0,0 +1,29 @@ +#!/bin/bash + +#ARG CNI_AI_PATH +#ARG CNI_AI_ID +# WORKDIR /azure-container-networking + +CNI_BUILD_DIR=$(mktemp -d -p "$GEN_DIR") +pushd "$REPO_ROOT" + GOOS=$OS CGO_ENABLED=0 go build -a -o "$CNI_BUILD_DIR"/azure-vnet -trimpath -ldflags "-X main.version="$VERSION"" -gcflags="-dwarflocationlists=true" cni/network/plugin/main.go + GOOS=$OS CGO_ENABLED=0 go build -a -o "$CNI_BUILD_DIR"/azure-vnet-telemetry -trimpath -ldflags "-X main.version="$VERSION" -X "$CNI_AI_PATH"="$CNI_AI_ID"" -gcflags="-dwarflocationlists=true" cni/telemetry/service/telemetrymain.go + GOOS=$OS CGO_ENABLED=0 go build -a -o "$CNI_BUILD_DIR"/azure-vnet-ipam -trimpath -ldflags "-X main.version="$VERSION"" -gcflags="-dwarflocationlists=true" cni/ipam/plugin/main.go + GOOS=$OS CGO_ENABLED=0 go build -a -o "$CNI_BUILD_DIR"/azure-vnet-stateless -trimpath -ldflags "-X main.version="$VERSION"" -gcflags="-dwarflocationlists=true" cni/network/stateless/main.go + + cp cni/azure-$OS.conflist "$CNI_BUILD_DIR"/azure.conflist + cp cni/azure-$OS-swift.conflist "$CNI_BUILD_DIR"/azure-swift.conflist + cp cni/azure-linux-multitenancy-transparent-vlan.conflist "$CNI_BUILD_DIR"/azure-multitenancy-transparent-vlan.conflist + cp cni/azure-$OS-swift-overlay.conflist "$CNI_BUILD_DIR"/azure-swift-overlay.conflist + cp cni/azure-$OS-swift-overlay-dualstack.conflist "$CNI_BUILD_DIR"/azure-swift-overlay-dualstack.conflist + cp cni/azure-$OS-multitenancy.conflist "$CNI_BUILD_DIR"/azure-multitenancy.conflist + cp telemetry/azure-vnet-telemetry.config "$CNI_BUILD_DIR"/azure-vnet-telemetry.config + sha256sum * > sum.txt + gzip --verbose --best --recursive "$CNI_BUILD_DIR" && for f in *.gz; do mv -- "$f" "${f%%.gz}"; done +popd + +go mod download github.com/azure/azure-container-networking/dropgz@$DROPGZ_VERSION +pushd "$GOPATH"/pkg/mod/github.com/azure/azure-container-networking/dropgz\@$DROPGZ_VERSION + cp "$CNI_BUILD_DIR"/* pkg/embed/fs/ + GOOS=$OS CGO_ENABLED=0 go build -a -o "$OUT_DIR"/bins/dropgz 
-trimpath -ldflags "-X github.com/Azure/azure-container-networking/dropgz/internal/buildinfo.Version="$VERSION"" -gcflags="-dwarflocationlists=true" main.go +popd From 40ddd03423a54442d6ecbed87e14fc5573171a7c Mon Sep 17 00:00:00 2001 From: Sheyla Trudo Date: Wed, 14 May 2025 12:57:10 -0700 Subject: [PATCH 019/154] fixup! Use Signed Binaries for Docker Build --- .pipelines/build/scripts/azure-ipam.sh | 4 ++- .pipelines/build/scripts/cni.sh | 38 +++++++++++---------- .pipelines/build/scripts/cns.sh | 12 +++---- .pipelines/build/scripts/ipv6-hp-bpf.sh | 44 ++++++++----------------- 4 files changed, 42 insertions(+), 56 deletions(-) diff --git a/.pipelines/build/scripts/azure-ipam.sh b/.pipelines/build/scripts/azure-ipam.sh index 3f303ed9d3..dbd78b421e 100644 --- a/.pipelines/build/scripts/azure-ipam.sh +++ b/.pipelines/build/scripts/azure-ipam.sh @@ -1,6 +1,8 @@ #!/bin/bash set -nex +mkdir -p "$OUT_DIR"/bins + DROPGZ_VERSION="${DROPGZ_VERSION:-v0.0.12}" IPAM_BUILD_DIR=$(mktemp -d -p "$GEN_DIR") @@ -8,7 +10,7 @@ pushd "$ROOT_DIR"/azure-ipam GOOS=$OS CGO_ENABLED=0 go build -v -a -o "$IPAM_BUILD_DIR"/azure-ipam -trimpath -ldflags "-X github.com/Azure/azure-container-networking/azure-ipam/internal/buildinfo.Version="$AZURE_IPAM_VERSION" main.version="$VERSION"" -gcflags="-dwarflocationlists=true" cp *.conflist "$IPAM_BUILD_DIR" sha256sum * > sum.txt - gzip --verbose --best --recursive . && for f in *.gz; do mv -- "$f" "${f%%.gz}"; done + gzip --verbose --best --recursive "$IPAM_BUILD_DIR" && for f in *.gz; do mv -- "$f" "${f%%.gz}"; done popd go mod download github.com/azure/azure-container-networking/dropgz@$DROPGZ_VERSION diff --git a/.pipelines/build/scripts/cni.sh b/.pipelines/build/scripts/cni.sh index e3cc20c3ad..281d1be33e 100644 --- a/.pipelines/build/scripts/cni.sh +++ b/.pipelines/build/scripts/cni.sh 
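Review bot: `sha256sum * > sum.txt` in the new cni.sh runs in `"$REPO_ROOT"` (the `pushd` directory), not in `"$CNI_BUILD_DIR"`, so the manifest hashes whatever sits at the repository root and never covers the four `azure-vnet*` binaries or the conflists that are later embedded into dropgz. The `for f in *.gz` rename loop has the same problem: `gzip --recursive "$CNI_BUILD_DIR"` creates the `.gz` files in the build directory while the glob is evaluated in the repo root. Running both inside `pushd "$CNI_BUILD_DIR"` … `popd` makes the checksum file describe the artifacts that ship. `$DROPGZ_VERSION` is also used here without the `${DROPGZ_VERSION:-v0.0.12}` default that azure-ipam.sh sets.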
@@ -1,29 +1,31 @@ #!/bin/bash +set -nex -#ARG CNI_AI_PATH -#ARG CNI_AI_ID -# WORKDIR /azure-container-networking +mkdir -p "$OUT_DIR"/files +mkdir -p "$OUT_DIR"/bins -CNI_BUILD_DIR=$(mktemp -d -p "$GEN_DIR") -pushd "$REPO_ROOT" - GOOS=$OS CGO_ENABLED=0 go build -a -o "$CNI_BUILD_DIR"/azure-vnet -trimpath -ldflags "-X main.version="$VERSION"" -gcflags="-dwarflocationlists=true" cni/network/plugin/main.go - GOOS=$OS CGO_ENABLED=0 go build -a -o "$CNI_BUILD_DIR"/azure-vnet-telemetry -trimpath -ldflags "-X main.version="$VERSION" -X "$CNI_AI_PATH"="$CNI_AI_ID"" -gcflags="-dwarflocationlists=true" cni/telemetry/service/telemetrymain.go - GOOS=$OS CGO_ENABLED=0 go build -a -o "$CNI_BUILD_DIR"/azure-vnet-ipam -trimpath -ldflags "-X main.version="$VERSION"" -gcflags="-dwarflocationlists=true" cni/ipam/plugin/main.go - GOOS=$OS CGO_ENABLED=0 go build -a -o "$CNI_BUILD_DIR"/azure-vnet-stateless -trimpath -ldflags "-X main.version="$VERSION"" -gcflags="-dwarflocationlists=true" cni/network/stateless/main.go +#CNI_BUILD_DIR=$(mktemp -d -p "$GEN_DIR") - cp cni/azure-$OS.conflist "$CNI_BUILD_DIR"/azure.conflist - cp cni/azure-$OS-swift.conflist "$CNI_BUILD_DIR"/azure-swift.conflist - cp cni/azure-linux-multitenancy-transparent-vlan.conflist "$CNI_BUILD_DIR"/azure-multitenancy-transparent-vlan.conflist - cp cni/azure-$OS-swift-overlay.conflist "$CNI_BUILD_DIR"/azure-swift-overlay.conflist - cp cni/azure-$OS-swift-overlay-dualstack.conflist "$CNI_BUILD_DIR"/azure-swift-overlay-dualstack.conflist - cp cni/azure-$OS-multitenancy.conflist "$CNI_BUILD_DIR"/azure-multitenancy.conflist - cp telemetry/azure-vnet-telemetry.config "$CNI_BUILD_DIR"/azure-vnet-telemetry.config +pushd "$REPO_ROOT"/cni + GOOS=$OS CGO_ENABLED=0 go build -a -o "$OUT_DIR"/bins/azure-vnet -trimpath -ldflags "-X main.version="$VERSION"" -gcflags="-dwarflocationlists=true" network/plugin/main.go + GOOS=$OS CGO_ENABLED=0 go build -a -o "$OUT_DIR"/bins/azure-vnet-telemetry -trimpath -ldflags "-X 
main.version="$VERSION" -X "$CNI_AI_PATH"="$CNI_AI_ID"" -gcflags="-dwarflocationlists=true" ../telemetry/service/telemetrymain.go + GOOS=$OS CGO_ENABLED=0 go build -a -o "$OUT_DIR"/bins/azure-vnet-ipam -trimpath -ldflags "-X main.version="$VERSION"" -gcflags="-dwarflocationlists=true" ipam/plugin/main.go + GOOS=$OS CGO_ENABLED=0 go build -a -o "$OUT_DIR"/bins/azure-vnet-stateless -trimpath -ldflags "-X main.version="$VERSION"" -gcflags="-dwarflocationlists=true" network/stateless/main.go + + cp azure-$OS.conflist "$OUT_DIR"/files/azure.conflist + cp azure-$OS-swift.conflist "$OUT_DIR"/files/azure-swift.conflist + cp azure-linux-multitenancy-transparent-vlan.conflist "$OUT_DIR"/files/azure-multitenancy-transparent-vlan.conflist + cp azure-$OS-swift-overlay.conflist "$OUT_DIR"/files/azure-swift-overlay.conflist + cp azure-$OS-swift-overlay-dualstack.conflist "$OUT_DIR"/files/azure-swift-overlay-dualstack.conflist + cp azure-$OS-multitenancy.conflist "$OUT_DIR"/files/multitenancy.conflist + cp ../telemetry/azure-vnet-telemetry.config "$OUT_DIR"/files/azure-vnet-telemetry.config sha256sum * > sum.txt - gzip --verbose --best --recursive "$CNI_BUILD_DIR" && for f in *.gz; do mv -- "$f" "${f%%.gz}"; done + gzip --verbose --best --recursive "$OUT_DIR" && for f in *.gz; do mv -- "$f" "${f%%.gz}"; done popd go mod download github.com/azure/azure-container-networking/dropgz@$DROPGZ_VERSION pushd "$GOPATH"/pkg/mod/github.com/azure/azure-container-networking/dropgz\@$DROPGZ_VERSION - cp "$CNI_BUILD_DIR"/* pkg/embed/fs/ + cp "$OUT_DIR"/files/* pkg/embed/fs/ + cp "$OUT_DIR"/bins/* pkg/embed/fs/ GOOS=$OS CGO_ENABLED=0 go build -a -o "$OUT_DIR"/bins/dropgz -trimpath -ldflags "-X github.com/Azure/azure-container-networking/dropgz/internal/buildinfo.Version="$VERSION"" -gcflags="-dwarflocationlists=true" main.go popd diff --git a/.pipelines/build/scripts/cns.sh b/.pipelines/build/scripts/cns.sh index 52536048c5..7bc2e8b4ca 100644 --- a/.pipelines/build/scripts/cns.sh 
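Review bot: After the switch to `pushd "$REPO_ROOT"/cni`, the telemetry build target became `../telemetry/service/telemetrymain.go`, which resolves under `$REPO_ROOT/telemetry/`, while the previous revision built `cni/telemetry/service/telemetrymain.go`; the equivalent path from the new directory would be `telemetry/service/telemetrymain.go`. The multitenancy conflist destination also lost its prefix (`"$OUT_DIR"/files/multitenancy.conflist` instead of `azure-multitenancy.conflist`), which looks unintended. `gzip --verbose --best --recursive "$OUT_DIR"` now compresses everything under the artifact directory, including `bins/`, and the `*.gz` rename loop still globs the current directory, so the later `cp "$OUT_DIR"/bins/* pkg/embed/fs/` would presumably copy `.gz`-suffixed files.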
+++ b/.pipelines/build/scripts/cns.sh @@ -1,12 +1,12 @@ #!/bin/bash -#ARG CNS_AI_ID -#ARG CNS_AI_PATH +set -nex mkdir -p "$OUT_DIR"/files mkdir -p "$OUT_DIR"/bins -pushd "$REPO_ROOT" - GOOS=$OS CGO_ENABLED=0 go build -a -o "$OUT_DIR"/bins/azure-cns -ldflags "-X main.version="$VERSION" -X "$CNS_AI_PATH"="$CNS_AI_ID"" -gcflags="-dwarflocationlists=true" cns/service/*.go - cp cns/kubeconfigtemplate.yaml "$OUT_DIR"/files/kubeconfigtemplate.yaml - cp npm/examples/windows/setkubeconfigpath.ps1 "$OUT_DIR"/files/setkubeconfigpath.ps1 +pushd "$REPO_ROOT"/cns + GOOS=$OS CGO_ENABLED=0 go build -a -o "$OUT_DIR"/bins/azure-cns -ldflags "-X main.version="$VERSION" -X "$CNS_AI_PATH"="$CNS_AI_ID"" -gcflags="-dwarflocationlists=true" service/*.go + cp kubeconfigtemplate.yaml "$OUT_DIR"/files/kubeconfigtemplate.yaml + cp ../npm/examples/windows/setkubeconfigpath.ps1 "$OUT_DIR"/files/setkubeconfigpath.ps1 + cp configuration/cns_config.json "$BUILD_DIR"/files/cns_config.json popd diff --git a/.pipelines/build/scripts/ipv6-hp-bpf.sh b/.pipelines/build/scripts/ipv6-hp-bpf.sh index 6fe4afb568..a6bff3a057 100644 --- a/.pipelines/build/scripts/ipv6-hp-bpf.sh +++ b/.pipelines/build/scripts/ipv6-hp-bpf.sh 
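Review bot: The `go build -a -o "$OUT_DIR"/bins/azure-cns` line omits `-trimpath`, which the cni.sh and ipv6-hp-bpf.sh builds pass. Without it the build agent's absolute source paths are embedded in the shipped binary and the output differs between build hosts, which works against reproducing and verifying a signed artifact. Adding `-trimpath` after `-a` brings it in line with the other scripts; npm.sh has the same omission.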
@@ -1,59 +1,37 @@ #!/bin/bash +set -nex mkdir -p "$OUT_DIR"/bins mkdir -p "$OUT_DIR"/lib +# Package up Needed C Files if [[ -f /etc/debian_version ]];then - sudo apt-get update -y + apt-get update -y if [[ $GOARCH =~ amd64 ]]; then apt-get install -y llvm clang linux-libc-dev linux-headers-generic libbpf-dev libc6-dev nftables iproute2 #apt-get install -y llvm clang linux-libc-dev linux-headers-generic libbpf-dev libc6-dev nftables iproute2 gcc-multilib tree for dir in /usr/include/x86_64-linux-gnu/*; do - sudo ln -sfn "$dir" /usr/include/$(basename "$dir") + ln -sfn "$dir" /usr/include/$(basename "$dir") done elif [[ $GOARCH =~ arm64 ]]; then - sudo apt-get install -y llvm clang linux-libc-dev linux-headers-generic libbpf-dev libc6-dev nftables iproute2 gcc-aarch64-linux-gnu tree + apt-get install -y llvm clang linux-libc-dev linux-headers-generic libbpf-dev libc6-dev nftables iproute2 gcc-aarch64-linux-gnu tree for dir in /usr/include/aarch64-linux-gnu/*; do - sudo ln -sfn "$dir" /usr/include/$(basename "$dir") + ln -sfn "$dir" /usr/include/$(basename "$dir") done fi # Mariner else - sudo tdnf install -y llvm clang libbpf-devel nftables tree + tdnf install -y llvm clang libbpf-devel nftables tree for dir in /usr/include/aarch64-linux-gnu/*; do if [[ -d $dir ]]; then - sudo ln -sfn "$dir" /usr/include/$(basename "$dir") + ln -sfn "$dir" /usr/include/$(basename "$dir") elif [[ -f "$dir" ]]; then - sudo ln -Tsfn "$dir" /usr/include/$(basename "$dir") + ln -Tsfn "$dir" /usr/include/$(basename "$dir") fi done fi -# Copy Needed Library Binaries -cp /usr/sbin/nft "$OUT_DIR"/bins/nft -cp /sbin/ip "$OUT_DIR"/bins/ip - -# Package up Needed C Files -if [ "$ARCH" = "arm64" ]; then - apt-get install -y gcc-aarch64-linux-gnu - ARCH=aarch64-linux-gnu - cp /lib/"$ARCH"/ld-linux-aarch64.so.1 "$OUT_DIR"/lib/ - - for dir in /usr/include/"$ARCH"/*; do - ln -s "$dir" /usr/include/$(basename "$dir") - done - -elif [ "$ARCH" = "amd64" ]; then - apt-get install -y gcc-multilib - 
ARCH=x86_64-linux-gnu - cp /lib/"$ARCH"/ld-linux-x86-64.so.2 "$OUT_DIR"/lib/ - - for dir in /usr/include/"$ARCH"/*; do - ln -s "$dir" /usr/include/$(basename "$dir") - done -fi - ln -sfn /usr/include/"$ARCH"/asm /usr/include/asm cp /lib/"$ARCH"/libnftables.so.1 "$OUT_DIR"/lib/ cp /lib/"$ARCH"/libedit.so.2 "$OUT_DIR"/lib/ @@ -67,6 +45,10 @@ cp /lib/"$ARCH"/libtinfo.so.6 "$OUT_DIR"/lib/ cp /lib/"$ARCH"/libbsd.so.0 "$OUT_DIR"/lib/ cp /lib/"$ARCH"/libmd.so.0 "$OUT_DIR"/lib/ +# Add Needed Binararies +cp /usr/sbin/nft "$OUT_DIR"/bins/nft +cp /sbin/ip "$OUT_DIR"/bins/ip + # Build IPv6 HP BPF export C_INCLUDE_PATH=/usr/include/bpf From dbec50886171d05d6c22ecd46787cd302d4b52f4 Mon Sep 17 00:00:00 2001 From: Sheyla Trudo Date: Wed, 14 May 2025 13:48:29 -0700 Subject: [PATCH 020/154] fixup! Use Signed Binaries for Docker Build --- .pipelines/build/images.jobs.yaml | 13 ++++++++----- .pipelines/build/scripts/azure-ipam.sh | 4 ++++ .pipelines/build/scripts/cni.sh | 2 ++ .pipelines/build/scripts/cns.sh | 2 +- .pipelines/build/scripts/ipv6-hp-bpf.sh | 2 ++ .pipelines/build/scripts/npm.sh | 2 ++ 6 files changed, 19 insertions(+), 6 deletions(-) diff --git a/.pipelines/build/images.jobs.yaml b/.pipelines/build/images.jobs.yaml index e5dd1a268f..84b5e5bf51 100644 --- a/.pipelines/build/images.jobs.yaml +++ b/.pipelines/build/images.jobs.yaml @@ -14,9 +14,14 @@ jobs: hostArchitecture: arm64 variables: - ob_outputDirectory: $(Build.ArtifactStagingDirectory) ob_artifactSuffix: _$(name) ob_git_checkout: false + # keep these variables concerned with instrumentation. + GEN_DIR: $(Build.SourcesDirectory)/temp + REPO_ROOT: $(Build.SourcesDirectory)/${{ job_data.templateContext.repositoryArtifact }} + OUT_DIR: $(Build.ArtifactStagingDirectory) + DROPGZ_VERSION: v0.0.12 + ob_outputDirectory: $(Build.ArtifactStagingDirectory) ${{ if eq(job_data.job, 'linux_amd64') }}: LinuxContainerImage: 'onebranch.azurecr.io/linux/ubuntu-2204:latest' ARCH: amd64 
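Review bot: This hunk deletes the block that rewrote `ARCH` to the multiarch triplet (`aarch64-linux-gnu` / `x86_64-linux-gnu`), but the surviving `ln -sfn /usr/include/"$ARCH"/asm /usr/include/asm` and `cp /lib/"$ARCH"/lib*.so.*` lines still depend on it, so with `ARCH=amd64` or `arm64` they point at directories that presumably do not exist. The copy of the dynamic loader (`ld-linux-x86-64.so.2` / `ld-linux-aarch64.so.1`) is dropped as well, which the packaged `nft` and `ip` binaries would need if they are run against the bundled `lib/`. Setting a separate variable in each `$GOARCH` branch, e.g. `TRIPLET=x86_64-linux-gnu`, and using `/lib/"$TRIPLET"/` in the `cp` lines keeps the paths valid without overloading `ARCH`. The Mariner branch has no equivalent directory layout visible here, so the library list needs its own handling there.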
@@ -35,10 +40,6 @@ jobs: GOARCH: arm64 OS: linux GOOS: linux - # keep these variables concerned with instrumentation. - GEN_DIR: $(Build.SourcesDirectory)/temp - REPO_ROOT: $(Build.SourcesDirectory)/${{ job_data.templateContext.repositoryArtifact }} - OUT_DIR: $(Build.ArtifactStagingDirectory) steps: - task: DownloadPipelineArtifact@2 inputs: @@ -62,6 +63,8 @@ jobs: - script: | cp "$SOURCE" "$DEST" + ls -la "$DEST" + ls -la "$SOURCE" env: SOURCE: $(REPO_ROOT)/${{ job_data.templateContext.obDockerfile }} DEST: $(OUT_DIR)/Dockerfile diff --git a/.pipelines/build/scripts/azure-ipam.sh b/.pipelines/build/scripts/azure-ipam.sh index dbd78b421e..dfac21813a 100644 --- a/.pipelines/build/scripts/azure-ipam.sh +++ b/.pipelines/build/scripts/azure-ipam.sh @@ -1,7 +1,11 @@ #!/bin/bash set -nex +pwd +ls -la + mkdir -p "$OUT_DIR"/bins +mkdir -p "$GEN_DIR" DROPGZ_VERSION="${DROPGZ_VERSION:-v0.0.12}" IPAM_BUILD_DIR=$(mktemp -d -p "$GEN_DIR") diff --git a/.pipelines/build/scripts/cni.sh b/.pipelines/build/scripts/cni.sh index 281d1be33e..1bd3407277 100644 --- a/.pipelines/build/scripts/cni.sh +++ b/.pipelines/build/scripts/cni.sh @@ -1,5 +1,7 @@ #!/bin/bash set -nex +pwd +ls -la mkdir -p "$OUT_DIR"/files mkdir -p "$OUT_DIR"/bins diff --git a/.pipelines/build/scripts/cns.sh b/.pipelines/build/scripts/cns.sh index 7bc2e8b4ca..09bb3f0b11 100644 --- a/.pipelines/build/scripts/cns.sh +++ b/.pipelines/build/scripts/cns.sh @@ -8,5 +8,5 @@ pushd "$REPO_ROOT"/cns GOOS=$OS CGO_ENABLED=0 go build -a -o "$OUT_DIR"/bins/azure-cns -ldflags "-X main.version="$VERSION" -X "$CNS_AI_PATH"="$CNS_AI_ID"" -gcflags="-dwarflocationlists=true" service/*.go cp kubeconfigtemplate.yaml "$OUT_DIR"/files/kubeconfigtemplate.yaml cp ../npm/examples/windows/setkubeconfigpath.ps1 "$OUT_DIR"/files/setkubeconfigpath.ps1 - cp configuration/cns_config.json "$BUILD_DIR"/files/cns_config.json + cp configuration/cns_config.json "$OUT_DIR"/files/cns_config.json popd 
diff --git a/.pipelines/build/scripts/ipv6-hp-bpf.sh b/.pipelines/build/scripts/ipv6-hp-bpf.sh index a6bff3a057..04d9120f9c 100644 --- a/.pipelines/build/scripts/ipv6-hp-bpf.sh +++ b/.pipelines/build/scripts/ipv6-hp-bpf.sh @@ -1,5 +1,7 @@ #!/bin/bash set -nex +pwd +ls -la mkdir -p "$OUT_DIR"/bins mkdir -p "$OUT_DIR"/lib diff --git a/.pipelines/build/scripts/npm.sh b/.pipelines/build/scripts/npm.sh index 30381715f4..2264d1a81e 100644 --- a/.pipelines/build/scripts/npm.sh +++ b/.pipelines/build/scripts/npm.sh @@ -1,6 +1,8 @@ #!/bin/bash set -nex +pwd +ls -la mkdir -p "$OUT_DIR"/files mkdir -p "$OUT_DIR"/bins From cd243156571be231f40daa18eb648ca6f0a930e5 Mon Sep 17 00:00:00 2001 From: Sheyla Trudo Date: Wed, 14 May 2025 14:54:23 -0700 Subject: [PATCH 021/154] fixup! Use Signed Binaries for Docker Build --- .pipelines/build/images.jobs.yaml | 12 ++--- .pipelines/build/scripts/cni.sh | 80 +++++++++++++++++++++++++++---- .pipelines/run-pipeline.yaml | 6 +-- 3 files changed, 79 insertions(+), 19 deletions(-) diff --git a/.pipelines/build/images.jobs.yaml b/.pipelines/build/images.jobs.yaml index 84b5e5bf51..4957429115 100644 --- a/.pipelines/build/images.jobs.yaml +++ b/.pipelines/build/images.jobs.yaml @@ -54,12 +54,12 @@ jobs: inputs: scriptPath: ${{ job_data.templateContext.repositoryArtifact }}/${{ job_data.templateContext.buildScript }} - - task: ExtractFiles@1 - inputs: - archiveFilePatterns: '**/*.?(tgz|tgz.gz|zip)' - destinationFolder: $(OUT_DIR) - cleanDestinationFolder: false - overwriteExistingFiles: true +# - task: ExtractFiles@1 +# inputs: +# archiveFilePatterns: '**/*.?(tgz|tgz.gz|zip)' +# destinationFolder: $(OUT_DIR) +# cleanDestinationFolder: false +# overwriteExistingFiles: true - script: | cp "$SOURCE" "$DEST" diff --git a/.pipelines/build/scripts/cni.sh b/.pipelines/build/scripts/cni.sh index 1bd3407277..c6dde31617 100644 --- a/.pipelines/build/scripts/cni.sh +++ b/.pipelines/build/scripts/cni.sh 
@@ -6,14 +6,67 @@ ls -la mkdir -p "$OUT_DIR"/files mkdir -p "$OUT_DIR"/bins -#CNI_BUILD_DIR=$(mktemp -d -p "$GEN_DIR") +export GOOS=$OS +export GOARCH=$ARCH +export CGO_ENABLED=0 -pushd "$REPO_ROOT"/cni - GOOS=$OS CGO_ENABLED=0 go build -a -o "$OUT_DIR"/bins/azure-vnet -trimpath -ldflags "-X main.version="$VERSION"" -gcflags="-dwarflocationlists=true" network/plugin/main.go - GOOS=$OS CGO_ENABLED=0 go build -a -o "$OUT_DIR"/bins/azure-vnet-telemetry -trimpath -ldflags "-X main.version="$VERSION" -X "$CNI_AI_PATH"="$CNI_AI_ID"" -gcflags="-dwarflocationlists=true" ../telemetry/service/telemetrymain.go - GOOS=$OS CGO_ENABLED=0 go build -a -o "$OUT_DIR"/bins/azure-vnet-ipam -trimpath -ldflags "-X main.version="$VERSION"" -gcflags="-dwarflocationlists=true" ipam/plugin/main.go - GOOS=$OS CGO_ENABLED=0 go build -a -o "$OUT_DIR"/bins/azure-vnet-stateless -trimpath -ldflags "-X main.version="$VERSION"" -gcflags="-dwarflocationlists=true" network/stateless/main.go +CNI_BUILD_DIR="$BUILD_DIR"/cni +STATELESS_CNI_BUILD_DIR="$CNI_BUILD_DIR"/stateless +CNI_MULTITENANCY_BUILD_DIR="$BUILD_DIR"/cni-multitenancy +CNI_MULTITENANCY_TRANSPARENT_VLAN_BUILD_DIR="$BUILD_DIR"/cni-multitenancy-transparent-vlan +CNI_SWIFT_BUILD_DIR="$BUILD_DIR"/cni-swift +CNI_OVERLAY_BUILD_DIR="$BUILD_DIR"/cni-overlay +CNI_BAREMETAL_BUILD_DIR="$BUILD_DIR"/cni-baremetal +CNI_DUALSTACK_BUILD_DIR="$BUILD_DIR"/cni-dualstack + +CNI_TEMP_DIR=$(mktemp -d -p "$GEN_DIR") + +CNI_NET_DIR="$REPO_ROOT"/cni/network/plugin +pushd "$CNI_NET_DIR" + go build -v -a -trimpath \ + -o "$OUT_DIR"/bins/azure-vnet \ + -ldflags "-X main.version="$CNI_VERSION"" \ + -gcflags="-dwarflocationlists=true" \ + ./main.go +popd + +STATELESS_CNI_NET_DIR="$REPO_ROOT"/cni/network/stateless +pushd "$STATELESS_CNI_NET_DIR" + go build -v -a -trimpath \ + -o "$OUT_DIR"/bins/azure-vnet-stateless \ + -ldflags "-X main.version="$CNI_VERSION"" \ + -gcflags="-dwarflocationlists=true" \ + ./main.go +popd + +CNI_IPAM_DIR="$REPO_ROOT"/cni/ipam/plugin +pushd 
"$CNI_IPAM_DIR" + go build -v -a -trimpath \ + -o "$OUT_DIR"/bins/azure-vnet-ipam \ + -ldflags "-X main.version="$CNI_VERSION"" \ + -gcflags="-dwarflocationlists=true" \ + ./main.go +popd +CNI_IPAMV6_DIR="$REPO_ROOT"/cni/ipam/pluginv6 +pushd "$CNI_IPAMV6_DIR" + go build -v -a -trimpath \ + -o "$OUT_DIR"/bins/azure-vnet-ipamv6 + -ldflags "-X main.version="$CNI_VERSION"" \ + -gcflags="-dwarflocationlists=true" \ + ./main.go +popd + +CNI_TELEMETRY_DIR="$REPO_ROOT"/cni/telemetry/service +pushd "$CNI_TELEMETRY_DIR" + go build -v -a -trimpath \ + -o "$OUT_DIR"/bins/azure-vnet-telemetry \ + -ldflags "-X main.version="$CNI_VERSION" -X "$CNI_AI_PATH"="$CNI_AI_ID"" \ + -gcflags="-dwarflocationlists=true" \ + ./telemetrymain.go +popd + +pushd "$REPO_ROOT"/cni cp azure-$OS.conflist "$OUT_DIR"/files/azure.conflist cp azure-$OS-swift.conflist "$OUT_DIR"/files/azure-swift.conflist cp azure-linux-multitenancy-transparent-vlan.conflist "$OUT_DIR"/files/azure-multitenancy-transparent-vlan.conflist 
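Review bot: In the `azure-vnet-ipamv6` block the line `-o "$OUT_DIR"/bins/azure-vnet-ipamv6` has no trailing `\`, so `go build` ends there and the following `-ldflags …` line is parsed as a separate command. That binary would be built without the version stamp, `-gcflags` or the `./main.go` argument, unlike the four sibling blocks. Add the continuation: `-o "$OUT_DIR"/bins/azure-vnet-ipamv6 \`. The `*_BUILD_DIR` variables assigned from `$BUILD_DIR` at the top of the hunk are not read anywhere in the lines shown and could be dropped.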
@@ -22,12 +75,19 @@ pushd "$REPO_ROOT"/cni cp azure-$OS-multitenancy.conflist "$OUT_DIR"/files/multitenancy.conflist cp ../telemetry/azure-vnet-telemetry.config "$OUT_DIR"/files/azure-vnet-telemetry.config sha256sum * > sum.txt - gzip --verbose --best --recursive "$OUT_DIR" && for f in *.gz; do mv -- "$f" "${f%%.gz}"; done + #gzip --verbose --best --recursive "$OUT_DIR" && for f in *.gz; do mv -- "$f" "${f%%.gz}"; done popd -go mod download github.com/azure/azure-container-networking/dropgz@$DROPGZ_VERSION -pushd "$GOPATH"/pkg/mod/github.com/azure/azure-container-networking/dropgz\@$DROPGZ_VERSION + +mkdir -p "$CNI_TEMP_DIR" +GOPATH="$CNI_TEMP_DIR" go mod download github.com/azure/azure-container-networking/dropgz@$DROPGZ_VERSION + +pushd "$CNI_TEMP_DIR"/pkg/mod/github.com/azure/azure-container-networking/dropgz\@$DROPGZ_VERSION cp "$OUT_DIR"/files/* pkg/embed/fs/ cp "$OUT_DIR"/bins/* pkg/embed/fs/ - GOOS=$OS CGO_ENABLED=0 go build -a -o "$OUT_DIR"/bins/dropgz -trimpath -ldflags "-X github.com/Azure/azure-container-networking/dropgz/internal/buildinfo.Version="$VERSION"" -gcflags="-dwarflocationlists=true" main.go + go build -a \ + -o "$OUT_DIR"/bins/dropgz \ + -ldflags "-X github.com/Azure/azure-container-networking/dropgz/internal/buildinfo.Version="$VERSION"" \ + -gcflags="-dwarflocationlists=true" \ + ./main.go popd diff --git a/.pipelines/run-pipeline.yaml b/.pipelines/run-pipeline.yaml index 1bd9dcd71c..343b412547 100644 --- a/.pipelines/run-pipeline.yaml +++ b/.pipelines/run-pipeline.yaml @@ -125,7 +125,7 @@ stages: displayName: "Linux/AMD64" templateContext: repositoryArtifact: drop_setup_env_source - pkgArtifact: drop_pkg_linux_amd64_$(name) + pkgArtifact: drop_build_pkg_$(os)_$(arch)_$(name) buildScript: .pipelines/build/scripts/$(name).sh obDockerfile: .pipelines/build/dockerfiles/$(name).Dockerfile strategy: 
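Review bot: The rewritten dropgz build drops `-trimpath`, which the removed one-liner had, while the sources now live under a `mktemp -d` directory in `$GEN_DIR`. The random temp path would then be recorded in the binary, so two builds of the same source differ and the artifact that goes on to be signed is not reproducible. Keep the flag: `go build -a -trimpath \`. It also still stamps `$VERSION` where the CNI binaries in this commit moved to `$CNI_VERSION`; confirm which variable the pipeline actually sets.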
@@ -166,7 +166,7 @@ stages: displayName: "Windows" templateContext: repositoryArtifact: drop_setup_env_source - pkgArtifact: drop_pkg_windows_amd64_$(name) + pkgArtifact: drop_build_pkg_$(os)_$(arch)_$(name) buildScript: .pipelines/build/scripts/$(name).sh obDockerfile: .pipelines/build/dockerfiles/$(name).Dockerfile strategy: @@ -201,7 +201,7 @@ stages: displayName: "Linux/ARM64" templateContext: repositoryArtifact: drop_setup_env_source - pkgArtifact: drop_pkg_linux_arm64_$(name) + pkgArtifact: drop_build_pkg_$(os)_$(arch)_$(name) buildScript: .pipelines/build/scripts/$(name).sh obDockerfile: .pipelines/build/dockerfiles/$(name).Dockerfile strategy: From 0f643ebc5bf654795073503d83e75160a18732ad Mon Sep 17 00:00:00 2001 From: Sheyla Trudo Date: Wed, 14 May 2025 15:39:34 -0700 Subject: [PATCH 022/154] fixup! Use Signed Binaries for Docker Build --- .pipelines/build/dockerfiles/cns.Dockerfile | 10 +++++----- .../build/dockerfiles/ipv6-hp-bpf.Dockerfile | 10 +++++----- .pipelines/build/images.jobs.yaml | 2 +- .pipelines/build/scripts/cni.sh | 14 +++++++------- .pipelines/build/scripts/cns.sh | 10 +++++++++- 5 files changed, 27 insertions(+), 19 deletions(-) diff --git a/.pipelines/build/dockerfiles/cns.Dockerfile b/.pipelines/build/dockerfiles/cns.Dockerfile index 1e448d0ad3..72e0197151 100644 --- a/.pipelines/build/dockerfiles/cns.Dockerfile +++ b/.pipelines/build/dockerfiles/cns.Dockerfile @@ -1,5 +1,5 @@ ARG ARCH -ARG ARCHIVE_DIR +ARG ARTIFACT_DIR # mcr.microsoft.com/cbl-mariner/base/core:2.0 FROM mcr.microsoft.com/cbl-mariner/base/core@sha256:961bfedbbbdc0da51bc664f51d959da292eced1ad46c3bf674aba43b9be8c703 AS iptables 
@@ -9,15 +9,15 @@ RUN tdnf install -y iptables FROM mcr.microsoft.com/cbl-mariner/distroless/minimal@sha256:7778a86d86947d5f64c1280a7ee0cf36c6c6d76b5749dd782fbcc14f113961bf AS linux COPY --from=iptables /usr/sbin/*tables* /usr/sbin/ COPY --from=iptables /usr/lib /usr/lib -COPY ${ARCHIVE_DIR}/bins/azure-cns /usr/local/bin/azure-cns +COPY ${ARTIFACT_DIR}/bins/azure-cns /usr/local/bin/azure-cns ENTRYPOINT [ "/usr/local/bin/azure-cns" ] EXPOSE 10090 # mcr.microsoft.com/oss/kubernetes/windows-host-process-containers-base-image:v1.0.0 FROM --platform=windows/${ARCH} mcr.microsoft.com/oss/kubernetes/windows-host-process-containers-base-image@sha256:b4c9637e032f667c52d1eccfa31ad8c63f1b035e8639f3f48a510536bf34032b AS windows -COPY ${ARCHIVE_DIR}/files/kubeconfigtemplate.yaml kubeconfigtemplate.yaml -COPY ${ARCHIVE_DIR}/files/setkubeconfigpath.ps1 setkubeconfigpath.ps1 -COPY ${ARCHIVE_DIR}/bins/azure-cns /azure-cns.exe +COPY ${ARTIFACT_DIR}/files/kubeconfigtemplate.yaml kubeconfigtemplate.yaml +COPY ${ARTIFACT_DIR}/files/setkubeconfigpath.ps1 setkubeconfigpath.ps1 +COPY ${ARTIFACT_DIR}/bins/azure-cns /azure-cns.exe ENTRYPOINT ["azure-cns.exe"] EXPOSE 10090 diff --git a/.pipelines/build/dockerfiles/ipv6-hp-bpf.Dockerfile b/.pipelines/build/dockerfiles/ipv6-hp-bpf.Dockerfile index 8266effe5f..385c24da50 100644 --- a/.pipelines/build/dockerfiles/ipv6-hp-bpf.Dockerfile +++ b/.pipelines/build/dockerfiles/ipv6-hp-bpf.Dockerfile @@ -1,8 +1,8 @@ -ARG ARCHIVE_DIR +ARG ARTIFACT_DIR FROM mcr.microsoft.com/cbl-mariner/distroless/minimal:2.0 AS linux -COPY ${ARCHIVE_DIR}/lib/* /lib -COPY ${ARCHIVE_DIR}/bins/ipv6-hp-bpf /ipv6-hp-bpf -COPY ${ARCHIVE_DIR}/bins/nft /usr/sbin/nft -COPY ${ARCHIVE_DIR}/bins/ip /sbin/ip +COPY ${ARTIFACT_DIR}/lib/* /lib +COPY ${ARTIFACT_DIR}/bins/ipv6-hp-bpf /ipv6-hp-bpf +COPY ${ARTIFACT_DIR}/bins/nft /usr/sbin/nft +COPY ${ARTIFACT_DIR}/bins/ip /sbin/ip CMD ["/ipv6-hp-bpf"] 
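Review bot: `ARG ARTIFACT_DIR` in cns.Dockerfile is declared before the first `FROM`, and an ARG declared there is only usable in `FROM` lines; inside the `linux` and `windows` stages `${ARTIFACT_DIR}` expands to an empty string unless the stage re-declares it. As written, `COPY ${ARTIFACT_DIR}/bins/azure-cns …` resolves to `/bins/azure-cns` relative to the build context, so the `--build-arg` has no effect on which files end up in the image. Add a line `ARG ARTIFACT_DIR` directly after the `FROM … AS linux` and `FROM … AS windows` lines. ipv6-hp-bpf.Dockerfile in the same commit has the same pattern.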
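Review bot: ipv6-hp-bpf.Dockerfile still pulls `mcr.microsoft.com/cbl-mariner/distroless/minimal:2.0` by tag, while cns.Dockerfile in this same commit pins the same repository by `@sha256:` digest. A tag can be re-pointed, so the base layer under the signed binaries is not fixed by what is in the repository. Pin it the same way, `FROM mcr.microsoft.com/cbl-mariner/distroless/minimal@sha256:<digest> AS linux`, keeping the tag as a comment above the line as cns.Dockerfile does.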
diff --git a/.pipelines/build/images.jobs.yaml b/.pipelines/build/images.jobs.yaml index 4957429115..3438531414 100644 --- a/.pipelines/build/images.jobs.yaml +++ b/.pipelines/build/images.jobs.yaml @@ -115,6 +115,6 @@ jobs: name: $(name) dockerfile_path: ${{ job_data.templateContext.pkgArtifact }} build_tag: $(imageTag) - extra_args: $(extraArgs) + extra_args: $(extraArgs) --build-arg ARTIFACT_DIR="${{ job_data.templateContext.pkgArtifact }}" archive_file: $(archiveName)-$(OS)-$(ARCH)-$(archiveVersion) source: ${{ job_data.templateContext.pkgArtifact }} diff --git a/.pipelines/build/scripts/cni.sh b/.pipelines/build/scripts/cni.sh index c6dde31617..8bd693a6ac 100644 --- a/.pipelines/build/scripts/cni.sh +++ b/.pipelines/build/scripts/cni.sh @@ -10,14 +10,14 @@ export GOOS=$OS export GOARCH=$ARCH export CGO_ENABLED=0 -CNI_BUILD_DIR="$BUILD_DIR"/cni +CNI_BUILD_DIR="$REPO_ROOT"/cni STATELESS_CNI_BUILD_DIR="$CNI_BUILD_DIR"/stateless -CNI_MULTITENANCY_BUILD_DIR="$BUILD_DIR"/cni-multitenancy -CNI_MULTITENANCY_TRANSPARENT_VLAN_BUILD_DIR="$BUILD_DIR"/cni-multitenancy-transparent-vlan -CNI_SWIFT_BUILD_DIR="$BUILD_DIR"/cni-swift -CNI_OVERLAY_BUILD_DIR="$BUILD_DIR"/cni-overlay -CNI_BAREMETAL_BUILD_DIR="$BUILD_DIR"/cni-baremetal -CNI_DUALSTACK_BUILD_DIR="$BUILD_DIR"/cni-dualstack +CNI_MULTITENANCY_BUILD_DIR="$REPO_ROOT"/cni-multitenancy +CNI_MULTITENANCY_TRANSPARENT_VLAN_BUILD_DIR="$REPO_ROOT"/cni-multitenancy-transparent-vlan +CNI_SWIFT_BUILD_DIR="$REPO_ROOT"/cni-swift +CNI_OVERLAY_BUILD_DIR="$REPO_ROOT"/cni-overlay +CNI_BAREMETAL_BUILD_DIR="$REPO_ROOT"/cni-baremetal +CNI_DUALSTACK_BUILD_DIR="$REPO_ROOT"/cni-dualstack CNI_TEMP_DIR=$(mktemp -d -p "$GEN_DIR") diff --git a/.pipelines/build/scripts/cns.sh b/.pipelines/build/scripts/cns.sh index 09bb3f0b11..900a91677a 100644 --- a/.pipelines/build/scripts/cns.sh +++ b/.pipelines/build/scripts/cns.sh 
@@ -1,11 +1,19 @@ #!/bin/bash set -nex +export GOOS=$OS +export GOARCH=$ARCH +export CGO_ENABLED=0 + mkdir -p "$OUT_DIR"/files mkdir -p "$OUT_DIR"/bins pushd "$REPO_ROOT"/cns - GOOS=$OS CGO_ENABLED=0 go build -a -o "$OUT_DIR"/bins/azure-cns -ldflags "-X main.version="$VERSION" -X "$CNS_AI_PATH"="$CNS_AI_ID"" -gcflags="-dwarflocationlists=true" service/*.go + go build -v -a \ + -o "$OUT_DIR"/bins/azure-cns \ + -ldflags "-X main.version="$CNS_VERSION" -X "$CNS_AI_PATH"="$CNS_AI_ID"" \ + -gcflags="-dwarflocationlists=true" \ + service/*.go cp kubeconfigtemplate.yaml "$OUT_DIR"/files/kubeconfigtemplate.yaml cp ../npm/examples/windows/setkubeconfigpath.ps1 "$OUT_DIR"/files/setkubeconfigpath.ps1 cp configuration/cns_config.json "$OUT_DIR"/files/cns_config.json From f701af0acbacfa5ac625cec121c9dd2212d295ed Mon Sep 17 00:00:00 2001 From: Sheyla Trudo Date: Wed, 14 May 2025 17:02:10 -0700 Subject: [PATCH 023/154] fixup! Use Signed Binaries for Docker Build --- .../build/dockerfiles/azure-ipam.Dockerfile | 4 +- .pipelines/build/dockerfiles/cni.Dockerfile | 4 +- .pipelines/build/dockerfiles/cns.Dockerfile | 4 +- .../build/dockerfiles/ipv6-hp-bpf.Dockerfile | 6 +-- .pipelines/build/dockerfiles/npm.Dockerfile | 5 ++- .pipelines/build/scripts/azure-ipam.sh | 27 +++++------ .pipelines/build/scripts/cni.sh | 45 +++++-------------- .pipelines/build/scripts/cns.sh | 4 +- .pipelines/build/scripts/dropgz.sh | 23 ++++++++++ .pipelines/build/scripts/ipv6-hp-bpf.sh | 23 ++++++---- .pipelines/build/scripts/npm.sh | 14 ++++-- 11 files changed, 88 insertions(+), 71 deletions(-) create mode 100644 .pipelines/build/scripts/dropgz.sh diff --git a/.pipelines/build/dockerfiles/azure-ipam.Dockerfile b/.pipelines/build/dockerfiles/azure-ipam.Dockerfile index eafca141f4..5f50b96765 100644 --- a/.pipelines/build/dockerfiles/azure-ipam.Dockerfile +++ b/.pipelines/build/dockerfiles/azure-ipam.Dockerfile 
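Review bot: The `-ldflags` argument in cns.sh is quoted in pieces: `"-X main.version="$CNS_VERSION" -X "$CNS_AI_PATH"="$CNS_AI_ID""` closes and reopens the double quotes around every variable, so all three expansions are in fact unquoted and subject to word splitting and globbing. A value containing whitespace would split the flag into several arguments to `go build`. Quote the whole string once: `-ldflags "-X main.version=${CNS_VERSION} -X ${CNS_AI_PATH}=${CNS_AI_ID}"`. The cni.sh build blocks from the previous patch use the same pattern.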
@@ -1,11 +1,11 @@ ARG ARTIFACT_DIR FROM scratch AS linux -COPY ${ARTIFACT_DIR}/bins/dropgz dropgz +COPY ${ARTIFACT_DIR}/bin/dropgz dropgz ENTRYPOINT [ "/dropgz" ] # skopeo inspect docker://mcr.microsoft.com/oss/kubernetes/windows-host-process-containers-base-image:v1.0.0 --format "{{.Name}}@{{.Digest}}" FROM mcr.microsoft.com/oss/kubernetes/windows-host-process-containers-base-image@sha256:b4c9637e032f667c52d1eccfa31ad8c63f1b035e8639f3f48a510536bf34032b as windows -COPY ${ARTIFACT_DIR}/bins/dropgz dropgz.exe +COPY ${ARTIFACT_DIR}/bin/dropgz dropgz.exe ENTRYPOINT [ "/dropgz.exe" ] diff --git a/.pipelines/build/dockerfiles/cni.Dockerfile b/.pipelines/build/dockerfiles/cni.Dockerfile index 11612c94b0..b0533a7e51 100644 --- a/.pipelines/build/dockerfiles/cni.Dockerfile +++ b/.pipelines/build/dockerfiles/cni.Dockerfile @@ -2,7 +2,7 @@ ARG ARCH ARG ARTIFACT_DIR FROM scratch AS linux -ADD ${ARTIFACT_DIR}/bins/dropgz dropgz +ADD ${ARTIFACT_DIR}/bin/dropgz dropgz ENTRYPOINT [ "/dropgz" ] @@ -10,7 +10,7 @@ ENTRYPOINT [ "/dropgz" ] FROM --platform=windows/${ARCH} mcr.microsoft.com/oss/kubernetes/windows-host-process-containers-base-image@sha256:b4c9637e032f667c52d1eccfa31ad8c63f1b035e8639f3f48a510536bf34032b as hpc FROM hpc as windows -ADD ${ARTIFACT_DIR}/bins/dropgz dropgz.exe +ADD ${ARTIFACT_DIR}/bin/dropgz dropgz.exe ENTRYPOINT [ "/dropgz.exe" ] diff --git a/.pipelines/build/dockerfiles/cns.Dockerfile b/.pipelines/build/dockerfiles/cns.Dockerfile index 72e0197151..30c421baba 100644 --- a/.pipelines/build/dockerfiles/cns.Dockerfile +++ b/.pipelines/build/dockerfiles/cns.Dockerfile 
@@ -9,7 +9,7 @@ RUN tdnf install -y iptables FROM mcr.microsoft.com/cbl-mariner/distroless/minimal@sha256:7778a86d86947d5f64c1280a7ee0cf36c6c6d76b5749dd782fbcc14f113961bf AS linux COPY --from=iptables /usr/sbin/*tables* /usr/sbin/ COPY --from=iptables /usr/lib /usr/lib -COPY ${ARTIFACT_DIR}/bins/azure-cns /usr/local/bin/azure-cns +COPY ${ARTIFACT_DIR}/bin/azure-cns /usr/local/bin/azure-cns ENTRYPOINT [ "/usr/local/bin/azure-cns" ] EXPOSE 10090 @@ -18,6 +18,6 @@ EXPOSE 10090 FROM --platform=windows/${ARCH} mcr.microsoft.com/oss/kubernetes/windows-host-process-containers-base-image@sha256:b4c9637e032f667c52d1eccfa31ad8c63f1b035e8639f3f48a510536bf34032b AS windows COPY ${ARTIFACT_DIR}/files/kubeconfigtemplate.yaml kubeconfigtemplate.yaml COPY ${ARTIFACT_DIR}/files/setkubeconfigpath.ps1 setkubeconfigpath.ps1 -COPY ${ARTIFACT_DIR}/bins/azure-cns /azure-cns.exe +COPY ${ARTIFACT_DIR}/bin/azure-cns /azure-cns.exe ENTRYPOINT ["azure-cns.exe"] EXPOSE 10090 diff --git a/.pipelines/build/dockerfiles/ipv6-hp-bpf.Dockerfile b/.pipelines/build/dockerfiles/ipv6-hp-bpf.Dockerfile index 385c24da50..693b95c07c 100644 --- a/.pipelines/build/dockerfiles/ipv6-hp-bpf.Dockerfile +++ b/.pipelines/build/dockerfiles/ipv6-hp-bpf.Dockerfile @@ -2,7 +2,7 @@ ARG ARTIFACT_DIR FROM mcr.microsoft.com/cbl-mariner/distroless/minimal:2.0 AS linux COPY ${ARTIFACT_DIR}/lib/* /lib -COPY ${ARTIFACT_DIR}/bins/ipv6-hp-bpf /ipv6-hp-bpf -COPY ${ARTIFACT_DIR}/bins/nft /usr/sbin/nft -COPY ${ARTIFACT_DIR}/bins/ip /sbin/ip +COPY ${ARTIFACT_DIR}/bin/ipv6-hp-bpf /ipv6-hp-bpf +COPY ${ARTIFACT_DIR}/bin/nft /usr/sbin/nft +COPY ${ARTIFACT_DIR}/bin/ip /sbin/ip CMD ["/ipv6-hp-bpf"] diff --git a/.pipelines/build/dockerfiles/npm.Dockerfile b/.pipelines/build/dockerfiles/npm.Dockerfile index 8c6baa4de6..a55db18df7 100644 --- a/.pipelines/build/dockerfiles/npm.Dockerfile +++ b/.pipelines/build/dockerfiles/npm.Dockerfile 
@@ -1,3 +1,5 @@ +ARG ARTIFACT_DIR + FROM mcr.microsoft.com/mirror/docker/library/ubuntu:20.04 as linux RUN apt-get update && \ @@ -5,6 +7,7 @@ RUN apt-get update && \ apt-get autoremove -y && \ apt-get clean +COPY ${ARTIFACT_DIR}/bin/azure-npm /usr/bin/azure-npm RUN chmod +x /usr/bin/azure-npm ENTRYPOINT ["/usr/bin/azure-npm", "start"] @@ -15,6 +18,6 @@ FROM mcr.microsoft.com/windows/servercore@sha256:45952938708fbde6ec0b5b94de68bcd COPY ${ARTIFACT_DIR}/files/kubeconfigtemplate.yaml kubeconfigtemplate.yaml COPY ${ARTIFACT_DIR}/files/setkubeconfigpath.ps1 setkubeconfigpath.ps1 COPY ${ARTIFACT_DIR}/files/setkubeconfigpath-capz.ps1 setkubeconfigpath-capz.ps1 -COPY ${ARTIFACT_DIR}/bins/azure-npm.exe npm.exe +COPY ${ARTIFACT_DIR}/bin/azure-npm npm.exe CMD ["npm.exe", "start" "--kubeconfig=.\\kubeconfig"] diff --git a/.pipelines/build/scripts/azure-ipam.sh b/.pipelines/build/scripts/azure-ipam.sh index dfac21813a..51502301fc 100644 --- a/.pipelines/build/scripts/azure-ipam.sh +++ b/.pipelines/build/scripts/azure-ipam.sh 
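Review bot: In npm.Dockerfile the Windows stage's `CMD ["npm.exe", "start" "--kubeconfig=.\\kubeconfig"]` is missing a comma after `"start"`, so it is not valid JSON and Docker will treat it as a shell-form command rather than the intended exec form. Since this patch already edits the stage, fix it here: `CMD ["npm.exe", "start", "--kubeconfig=.\\kubeconfig"]`. The `ARG ARTIFACT_DIR` added at the top sits before the first `FROM`, so it is not visible inside the stages; each stage that uses `${ARTIFACT_DIR}` in `COPY` needs its own `ARG ARTIFACT_DIR` line after its `FROM`.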
@@ -4,21 +4,22 @@ set -nex pwd ls -la -mkdir -p "$OUT_DIR"/bins -mkdir -p "$GEN_DIR" +export GOOS=$OS +export GOARCH=$ARCH +export CGO_ENABLED=0 -DROPGZ_VERSION="${DROPGZ_VERSION:-v0.0.12}" -IPAM_BUILD_DIR=$(mktemp -d -p "$GEN_DIR") +mkdir -p "$OUT_DIR"/bin +mkdir -p "$OUT_DIR"/files pushd "$ROOT_DIR"/azure-ipam - GOOS=$OS CGO_ENABLED=0 go build -v -a -o "$IPAM_BUILD_DIR"/azure-ipam -trimpath -ldflags "-X github.com/Azure/azure-container-networking/azure-ipam/internal/buildinfo.Version="$AZURE_IPAM_VERSION" main.version="$VERSION"" -gcflags="-dwarflocationlists=true" - cp *.conflist "$IPAM_BUILD_DIR" - sha256sum * > sum.txt - gzip --verbose --best --recursive "$IPAM_BUILD_DIR" && for f in *.gz; do mv -- "$f" "${f%%.gz}"; done -popd + go build -v -a -trimpath \ + -o "$OUT_DIR"/bin/azure-ipam \ + -ldflags "-X github.com/Azure/azure-container-networking/azure-ipam/internal/buildinfo.Version="$AZURE_IPAM_VERSION" -X main.version="$AZURE_IPAM_VERSION"" \ + -gcflags="-dwarflocationlists=true" \ -go mod download github.com/azure/azure-container-networking/dropgz@$DROPGZ_VERSION -pushd "$GOPATH"/pkg/mod/github.com/azure/azure-container-networking/dropgz\@$DROPGZ_VERSION - cp "$IPAM_BUILD_DIR"/* pkg/embed/fs/ - GOOS=$OS CGO_ENABLED=0 go build -a -o "$OUT_DIR"/bins/dropgz -trimpath -ldflags "-X github.com/Azure/azure-container-networking/dropgz/internal/buildinfo.Version="$VERSION"" -gcflags="-dwarflocationlists=true" main.go + cp *.conflist "$OUT_DIR"/files/ popd + + +# Build with DropGZ +./dropgz.sh diff --git a/.pipelines/build/scripts/cni.sh b/.pipelines/build/scripts/cni.sh index 8bd693a6ac..2d4691ae0b 100644 --- a/.pipelines/build/scripts/cni.sh +++ b/.pipelines/build/scripts/cni.sh 
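Review bot: azure-ipam.sh does `pushd "$ROOT_DIR"/azure-ipam`, but the variables images.jobs.yaml defines for these scripts in this series are `GEN_DIR`, `REPO_ROOT` and `OUT_DIR`, and cni.sh and cns.sh use `$REPO_ROOT`. If `ROOT_DIR` is not exported elsewhere it expands to an empty string and the build runs from `/azure-ipam`; use `pushd "$REPO_ROOT"/azure-ipam`. npm.sh in this patch has the same `"$ROOT_DIR"/npm`. The new `./dropgz.sh` call is resolved against the caller's working directory, so it only works when the step starts in the scripts folder; `"$(dirname "${BASH_SOURCE[0]}")"/dropgz.sh` would not depend on that.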
@@ -4,36 +4,26 @@ pwd ls -la mkdir -p "$OUT_DIR"/files -mkdir -p "$OUT_DIR"/bins +mkdir -p "$OUT_DIR"/bin export GOOS=$OS export GOARCH=$ARCH export CGO_ENABLED=0 -CNI_BUILD_DIR="$REPO_ROOT"/cni -STATELESS_CNI_BUILD_DIR="$CNI_BUILD_DIR"/stateless -CNI_MULTITENANCY_BUILD_DIR="$REPO_ROOT"/cni-multitenancy -CNI_MULTITENANCY_TRANSPARENT_VLAN_BUILD_DIR="$REPO_ROOT"/cni-multitenancy-transparent-vlan -CNI_SWIFT_BUILD_DIR="$REPO_ROOT"/cni-swift -CNI_OVERLAY_BUILD_DIR="$REPO_ROOT"/cni-overlay -CNI_BAREMETAL_BUILD_DIR="$REPO_ROOT"/cni-baremetal -CNI_DUALSTACK_BUILD_DIR="$REPO_ROOT"/cni-dualstack - -CNI_TEMP_DIR=$(mktemp -d -p "$GEN_DIR") CNI_NET_DIR="$REPO_ROOT"/cni/network/plugin pushd "$CNI_NET_DIR" go build -v -a -trimpath \ - -o "$OUT_DIR"/bins/azure-vnet \ + -o "$OUT_DIR"/bin/azure-vnet \ -ldflags "-X main.version="$CNI_VERSION"" \ -gcflags="-dwarflocationlists=true" \ ./main.go popd -STATELESS_CNI_NET_DIR="$REPO_ROOT"/cni/network/stateless -pushd "$STATELESS_CNI_NET_DIR" +STATELESS_CNI_BUILD_DIR="$REPO_ROOT"/cni/network/stateless +pushd "$STATELESS_CNI_BUILD_DIR" go build -v -a -trimpath \ - -o "$OUT_DIR"/bins/azure-vnet-stateless \ + -o "$OUT_DIR"/bin/azure-vnet-stateless \ -ldflags "-X main.version="$CNI_VERSION"" \ -gcflags="-dwarflocationlists=true" \ ./main.go @@ -42,7 +32,7 @@ popd CNI_IPAM_DIR="$REPO_ROOT"/cni/ipam/plugin pushd "$CNI_IPAM_DIR" go build -v -a -trimpath \ - -o "$OUT_DIR"/bins/azure-vnet-ipam \ + -o "$OUT_DIR"/bin/azure-vnet-ipam \ -ldflags "-X main.version="$CNI_VERSION"" \ -gcflags="-dwarflocationlists=true" \ ./main.go @@ -51,7 +41,7 @@ popd CNI_IPAMV6_DIR="$REPO_ROOT"/cni/ipam/pluginv6 pushd "$CNI_IPAMV6_DIR" go build -v -a -trimpath \ - -o "$OUT_DIR"/bins/azure-vnet-ipamv6 + -o "$OUT_DIR"/bin/azure-vnet-ipamv6 -ldflags "-X main.version="$CNI_VERSION"" \ -gcflags="-dwarflocationlists=true" \ ./main.go 
@@ -60,7 +50,7 @@ popd CNI_TELEMETRY_DIR="$REPO_ROOT"/cni/telemetry/service pushd "$CNI_TELEMETRY_DIR" go build -v -a -trimpath \ - -o "$OUT_DIR"/bins/azure-vnet-telemetry \ + -o "$OUT_DIR"/bin/azure-vnet-telemetry \ -ldflags "-X main.version="$CNI_VERSION" -X "$CNI_AI_PATH"="$CNI_AI_ID"" \ -gcflags="-dwarflocationlists=true" \ ./telemetrymain.go @@ -73,21 +63,10 @@ pushd "$REPO_ROOT"/cni cp azure-$OS-swift-overlay.conflist "$OUT_DIR"/files/azure-swift-overlay.conflist cp azure-$OS-swift-overlay-dualstack.conflist "$OUT_DIR"/files/azure-swift-overlay-dualstack.conflist cp azure-$OS-multitenancy.conflist "$OUT_DIR"/files/multitenancy.conflist - cp ../telemetry/azure-vnet-telemetry.config "$OUT_DIR"/files/azure-vnet-telemetry.config - sha256sum * > sum.txt + cp "$REPO_ROOT"/telemetry/azure-vnet-telemetry.config "$OUT_DIR"/files/azure-vnet-telemetry.config + #sha256sum * > sum.txt #gzip --verbose --best --recursive "$OUT_DIR" && for f in *.gz; do mv -- "$f" "${f%%.gz}"; done popd - -mkdir -p "$CNI_TEMP_DIR" -GOPATH="$CNI_TEMP_DIR" go mod download github.com/azure/azure-container-networking/dropgz@$DROPGZ_VERSION - -pushd "$CNI_TEMP_DIR"/pkg/mod/github.com/azure/azure-container-networking/dropgz\@$DROPGZ_VERSION - cp "$OUT_DIR"/files/* pkg/embed/fs/ - cp "$OUT_DIR"/bins/* pkg/embed/fs/ - go build -a \ - -o "$OUT_DIR"/bins/dropgz \ - -ldflags "-X github.com/Azure/azure-container-networking/dropgz/internal/buildinfo.Version="$VERSION"" \ - -gcflags="-dwarflocationlists=true" \ - ./main.go -popd +# Build with DropGZ +./dropgz.sh diff --git a/.pipelines/build/scripts/cns.sh b/.pipelines/build/scripts/cns.sh index 900a91677a..e0b03a86f4 100644 --- a/.pipelines/build/scripts/cns.sh +++ b/.pipelines/build/scripts/cns.sh 
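Review bot: `#sha256sum * > sum.txt` in cni.sh turns off generation of the checksum file for the payload that dropgz embeds, and the gzip step next to it is already commented out. If dropgz still checks the embedded files against `sum.txt` when it deploys them (presumably, since the file used to be generated right before embedding; confirm), the image would either fail that check or ship with no integrity manifest. Either restore the line so it runs over the final contents of `$OUT_DIR`, or delete both commented lines and say in the commit message why the manifest is no longer needed.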
@@ -6,11 +6,11 @@ export GOARCH=$ARCH export CGO_ENABLED=0 mkdir -p "$OUT_DIR"/files -mkdir -p "$OUT_DIR"/bins +mkdir -p "$OUT_DIR"/bin pushd "$REPO_ROOT"/cns go build -v -a \ - -o "$OUT_DIR"/bins/azure-cns \ + -o "$OUT_DIR"/bin/azure-cns \ -ldflags "-X main.version="$CNS_VERSION" -X "$CNS_AI_PATH"="$CNS_AI_ID"" \ -gcflags="-dwarflocationlists=true" \ service/*.go diff --git a/.pipelines/build/scripts/dropgz.sh b/.pipelines/build/scripts/dropgz.sh new file mode 100644 index 0000000000..a8cb81dd8d --- /dev/null +++ b/.pipelines/build/scripts/dropgz.sh @@ -0,0 +1,23 @@ +export GOOS=$OS +export GOARCH=$ARCH +export CGO_ENABLED=0 + +DROPGZ_VERSION="${DROPGZ_VERSION:-v0.0.12}" +DROPGZ_BUILD_DIR=$(mktemp -d -p "$GEN_DIR") +DROPGZ_MOD_DOWNLOAD_PATH=""$ACN_PACKAGE_PATH"/dropgz@"$DROPGZ_VERSION"" + +mkdir -p "$OUT_DIR"/bin +mkdir -p "$DROPGZ_BUILD_DIR" + +GOPATH="$DROPGZ_BUILD_DIR" \ + go mod download "$DROPGZ_MOD_DOWNLOAD_PATH" + +pushd "$DROPGZ_BUILD_DIR"/pkg/mod/"$DROPGZ_MOD_DOWNLOAD_PATH" + [[ -n $(stat "$OUT_DIR"/files 2>/dev/null || true) ]] && cp "$OUT_DIR"/files/* pkg/embed/fs/ + [[ -n $(stat "$OUT_DIR"/bin 2>/dev/null || true) ]] && cp "$OUT_DIR"/bin/* pkg/embed/fs/ + go build -v -trimpath -a \ + -o "$OUT_DIR"/bin/dropgz \ + -ldflags "-X github.com/Azure/azure-container-networking/dropgz/internal/buildinfo.Version="$DROPGZ_VERSION"" \ + -gcflags="-dwarflocationlists=true" \ + main.go +popd diff --git a/.pipelines/build/scripts/ipv6-hp-bpf.sh b/.pipelines/build/scripts/ipv6-hp-bpf.sh index 04d9120f9c..103984bfec 100644 --- a/.pipelines/build/scripts/ipv6-hp-bpf.sh +++ b/.pipelines/build/scripts/ipv6-hp-bpf.sh @@ -1,9 +1,12 @@ #!/bin/bash set -nex -pwd -ls -la -mkdir -p "$OUT_DIR"/bins +export GOOS=$OS +export GOARCH=$ARCH +export CGO_ENABLED=0 +export C_INCLUDE_PATH=/usr/include/bpf + +mkdir -p "$OUT_DIR"/bin mkdir -p "$OUT_DIR"/lib # Package up Needed C Files 
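Review bot: dropgz.sh is added with mode 100644 and no `#!` line or `set -e`, yet azure-ipam.sh and cni.sh in this patch run it as `./dropgz.sh`. Without the execute bit that call fails with a permission error, and without `set -e` a failed `go mod download` or `cp` would not stop the script before `go build` packages whatever is in `pkg/embed/fs/`. Add `#!/bin/bash` and `set -euo pipefail` as the first lines and commit the file as 100755, or have the callers invoke it through `bash`. Copying into `"$DROPGZ_BUILD_DIR"/pkg/mod/…` also writes into the Go module cache, which Go marks read-only by default, so this likely only works when the step runs as root.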
@@ -48,19 +51,21 @@ cp /lib/"$ARCH"/libbsd.so.0 "$OUT_DIR"/lib/ cp /lib/"$ARCH"/libmd.so.0 "$OUT_DIR"/lib/ # Add Needed Binararies -cp /usr/sbin/nft "$OUT_DIR"/bins/nft -cp /sbin/ip "$OUT_DIR"/bins/ip +cp /usr/sbin/nft "$OUT_DIR"/bin/nft +cp /sbin/ip "$OUT_DIR"/bin/ip # Build IPv6 HP BPF -export C_INCLUDE_PATH=/usr/include/bpf pushd "$REPO_ROOT"/bpf-prog/ipv6-hp-bpf - cp ./cmd/ipv6-hp-bpf/*.go ./ + cp ./cmd/ipv6-hp-bpf/*.go . if [ "$DEBUG" = "true" ]; then echo "\n#define DEBUG" >> ./include/helper.h fi - GOOS=$OS CGO_ENABLED=0 go generate ./... - GOOS=$OS CGO_ENABLED=0 go build -a -o "$OUT_DIR"/bins/ipv6-hp-bpf -trimpath -ldflags "-X main.version="$VERSION"" -gcflags="-dwarflocationlists=true" . + go generate ./... + go build -v -a -trimpath \ + -o "$OUT_DIR"/bin/ipv6-hp-bpf \ + -ldflags "-X main.version="$IPV6_HP_BPF_VERSION"" \ + -gcflags="-dwarflocationlists=true" . popd diff --git a/.pipelines/build/scripts/npm.sh b/.pipelines/build/scripts/npm.sh index 2264d1a81e..d180bcf8a8 100644 --- a/.pipelines/build/scripts/npm.sh +++ b/.pipelines/build/scripts/npm.sh @@ -1,13 +1,19 @@ #!/bin/bash set -nex -pwd -ls -la +export GOOS=$OS +export GOARCH=$ARCH +export CGO_ENABLED=0 + mkdir -p "$OUT_DIR"/files -mkdir -p "$OUT_DIR"/bins +mkdir -p "$OUT_DIR"/bin pushd "$ROOT_DIR"/npm - GOOS=$OS CGO_ENABLED=0 go build -v -o "$OUT_DIR"/bins/azure-npm -ldflags "-X main.version="$VERSION" -X "$NPM_AI_PATH"="$NPM_AI_ID"" -gcflags="-dwarflocationlists=true" ./cmd/*.go + go build -a -v -trimpath \ + -o "$OUT_DIR"/bin/azure-npm \ + -ldflags "-X main.version="$NPM_VERSION" -X "$NPM_AI_PATH"="$NPM_AI_ID"" \ + -gcflags="-dwarflocationlists=true" \ + ./cmd/*.go cp ./examples/windows/kubeconfigtemplate.yaml "$OUT_DIR"/files/kubeconfigtemplate.yaml cp ./examples/windows/setkubeconfigpath.ps1 "$OUT_DIR"/files/setkubeconfigpath.ps1 From d86128c7eebd6700c02dd149b0ba1829ea250d5e Mon Sep 17 00:00:00 2001 
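Review bot: `echo "\n#define DEBUG" >> ./include/helper.h` in ipv6-hp-bpf.sh is left unchanged, and bash's builtin `echo` does not interpret `\n` without `-e`, so the header would receive a literal `\n#define DEBUG` line that the C compiler rejects. Use `printf '\n#define DEBUG\n' >> ./include/helper.h`. The line also appends to a tracked source file under `$REPO_ROOT`, so a debug build leaves the checkout modified for any later step that reuses it. The comment `# Add Needed Binararies` has a typo ("Binaries").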
From: Sheyla Trudo Date: Wed, 14 May 2025 17:20:48 -0700 Subject: [PATCH 024/154] fixup! Use Signed Binaries for Docker Build --- .pipelines/build/images.jobs.yaml | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/.pipelines/build/images.jobs.yaml b/.pipelines/build/images.jobs.yaml index 3438531414..4367976bbe 100644 --- a/.pipelines/build/images.jobs.yaml +++ b/.pipelines/build/images.jobs.yaml @@ -6,7 +6,7 @@ parameters: jobs: - ${{ each job_data in parameters.images }}: - job: pkg_${{ job_data.job }} - displayName: "Build Image Package - ${{ job_data.displayName }} -" + displayName: "Prepare Image Package - ${{ job_data.displayName }} -" strategy: ${{ job_data.strategy }} pool: type: linux @@ -50,9 +50,12 @@ jobs: inputs: version: '$(GOVERSION)' - - task: ShellScript@2 - inputs: - scriptPath: ${{ job_data.templateContext.repositoryArtifact }}/${{ job_data.templateContext.buildScript }} + - script: | + ./"$SCRIPT_SRC" + displayName: "Build Package" + workingDirectory: $(REPO_ROOT) + env: + SCRIPT_SRC: ${{ job_data.templateContext.buildScript }} # - task: ExtractFiles@1 # inputs: From ccc1e9105008f2471f086d4ec41cae917cfd681d Mon Sep 17 00:00:00 2001 From: Sheyla Trudo Date: Wed, 14 May 2025 18:13:41 -0700 Subject: [PATCH 025/154] fixup! Use Signed Binaries for Docker Build --- .pipelines/build/images.jobs.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/.pipelines/build/images.jobs.yaml b/.pipelines/build/images.jobs.yaml index 4367976bbe..4b73ead3ca 100644 --- a/.pipelines/build/images.jobs.yaml +++ b/.pipelines/build/images.jobs.yaml @@ -51,6 +51,7 @@ jobs: version: '$(GOVERSION)' - script: | + chmod +x "$SCRIPT_SRC" ./"$SCRIPT_SRC" displayName: "Build Package" workingDirectory: $(REPO_ROOT) From 91bc0cd39f353d9f7b7aa98dcb2d9d3d303c453b Mon Sep 17 00:00:00 2001 
From: Sheyla Trudo Date: Wed, 14 May 2025 18:52:04 -0700 Subject: [PATCH 026/154] fixup! Use Signed Binaries for Docker Build --- .pipelines/build/images.jobs.yaml | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) diff --git a/.pipelines/build/images.jobs.yaml b/.pipelines/build/images.jobs.yaml index 4b73ead3ca..efa7a5e797 100644 --- a/.pipelines/build/images.jobs.yaml +++ b/.pipelines/build/images.jobs.yaml @@ -50,8 +50,18 @@ jobs: inputs: version: '$(GOVERSION)' - - script: | + - bash: | + echo "Start" + set -x + echo "List" + ls -la + ls -la .pipelines + ls -la .pipelines/build + ls -la .pipelines/build/scripts + ls -la .pipelines/build/dockerfiles + echo "Chown" chmod +x "$SCRIPT_SRC" + echo "Execute" ./"$SCRIPT_SRC" displayName: "Build Package" workingDirectory: $(REPO_ROOT) From 7022b523b12f5dde8a4d6c5598eb27dfc78f8cb4 Mon Sep 17 00:00:00 2001 From: Sheyla Trudo Date: Wed, 14 May 2025 21:18:31 -0700 Subject: [PATCH 027/154] fixup! Use Signed Binaries for Docker Build --- .pipelines/build/image.steps.yaml | 6 +----- .pipelines/build/images.jobs.yaml | 24 +++++------------------- .pipelines/build/scripts/azure-ipam.sh | 5 +---- .pipelines/build/scripts/cni.sh | 4 +--- .pipelines/build/scripts/cns.sh | 2 +- .pipelines/build/scripts/ipv6-hp-bpf.sh | 2 +- .pipelines/build/scripts/npm.sh | 2 +- 7 files changed, 11 insertions(+), 34 deletions(-) diff --git a/.pipelines/build/image.steps.yaml b/.pipelines/build/image.steps.yaml index 989050f70e..1497326704 100644 --- a/.pipelines/build/image.steps.yaml +++ b/.pipelines/build/image.steps.yaml @@ -15,10 +15,6 @@ parameters: type: string default: "" -- name: dockerfile_path - type: string - default: "" - - name: archive_file type: string default: '$(name)-$(os)-$(platform)-$(Tag)' 
@@ -70,7 +66,7 @@ steps: repositoryName: $(os)-$(arch)/${{ parameters.name }} os: '${{ parameters.os }}' buildkit: 1 - dockerFileRelPath: ${{ parameters.dockerfile_path }}/Dockerfile + dockerFileRelPath: Dockerfile dockerFileContextPath: ${{ parameters.source }} enable_network: true enable_pull: true diff --git a/.pipelines/build/images.jobs.yaml b/.pipelines/build/images.jobs.yaml index efa7a5e797..674690472a 100644 --- a/.pipelines/build/images.jobs.yaml +++ b/.pipelines/build/images.jobs.yaml @@ -50,23 +50,10 @@ jobs: inputs: version: '$(GOVERSION)' - - bash: | - echo "Start" - set -x - echo "List" - ls -la - ls -la .pipelines - ls -la .pipelines/build - ls -la .pipelines/build/scripts - ls -la .pipelines/build/dockerfiles - echo "Chown" - chmod +x "$SCRIPT_SRC" - echo "Execute" - ./"$SCRIPT_SRC" - displayName: "Build Package" - workingDirectory: $(REPO_ROOT) - env: - SCRIPT_SRC: ${{ job_data.templateContext.buildScript }} + - task: ShellScript@2 + inputs: + scriptPath: '${{ job_data.templateContext.buildScript }}' + workingDirectory: $(REPO_ROOT) # - task: ExtractFiles@1 # inputs: @@ -76,9 +63,9 @@ jobs: # overwriteExistingFiles: true - script: | + ls -la "$SOURCE" cp "$SOURCE" "$DEST" ls -la "$DEST" - ls -la "$SOURCE" env: SOURCE: $(REPO_ROOT)/${{ job_data.templateContext.obDockerfile }} DEST: $(OUT_DIR)/Dockerfile @@ -127,7 +114,6 @@ jobs: arch: $(ARCH) os: $(OS) name: $(name) - dockerfile_path: ${{ job_data.templateContext.pkgArtifact }} build_tag: $(imageTag) extra_args: $(extraArgs) --build-arg ARTIFACT_DIR="${{ job_data.templateContext.pkgArtifact }}" archive_file: $(archiveName)-$(OS)-$(ARCH)-$(archiveVersion) diff --git a/.pipelines/build/scripts/azure-ipam.sh b/.pipelines/build/scripts/azure-ipam.sh index 51502301fc..7aac121faa 100644 --- a/.pipelines/build/scripts/azure-ipam.sh +++ b/.pipelines/build/scripts/azure-ipam.sh @@ -1,8 +1,5 @@ #!/bin/bash -set -nex - -pwd -ls -la +set -eux export GOOS=$OS export GOARCH=$ARCH 
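Review bot: The new `set -eux` at the top of azure-ipam.sh omits `pipefail`, and `-x` writes every expanded command to the pipeline log, including the `-ldflags` arguments these scripts build from variables such as `$CNI_AI_ID` and `$NPM_AI_ID` (visible in the go build lines elsewhere on this page). I would use `set -euo pipefail` and turn tracing on only for debug runs, so identifiers passed at link time do not end up in retained build logs if any of them are considered sensitive. The same line is added in cni.sh, cns.sh, ipv6-hp-bpf.sh and npm.sh. The script bodies continue outside these hunks.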
diff --git a/.pipelines/build/scripts/cni.sh b/.pipelines/build/scripts/cni.sh index 2d4691ae0b..8cbd044871 100644 --- a/.pipelines/build/scripts/cni.sh +++ b/.pipelines/build/scripts/cni.sh @@ -1,7 +1,5 @@ #!/bin/bash -set -nex -pwd -ls -la +set -eux mkdir -p "$OUT_DIR"/files mkdir -p "$OUT_DIR"/bin diff --git a/.pipelines/build/scripts/cns.sh b/.pipelines/build/scripts/cns.sh index e0b03a86f4..86bc9838ab 100644 --- a/.pipelines/build/scripts/cns.sh +++ b/.pipelines/build/scripts/cns.sh @@ -1,5 +1,5 @@ #!/bin/bash -set -nex +set -eux export GOOS=$OS export GOARCH=$ARCH diff --git a/.pipelines/build/scripts/ipv6-hp-bpf.sh b/.pipelines/build/scripts/ipv6-hp-bpf.sh index 103984bfec..9aab7228ca 100644 --- a/.pipelines/build/scripts/ipv6-hp-bpf.sh +++ b/.pipelines/build/scripts/ipv6-hp-bpf.sh @@ -1,5 +1,5 @@ #!/bin/bash -set -nex +set -eux export GOOS=$OS export GOARCH=$ARCH diff --git a/.pipelines/build/scripts/npm.sh b/.pipelines/build/scripts/npm.sh index d180bcf8a8..f62ad0db18 100644 --- a/.pipelines/build/scripts/npm.sh +++ b/.pipelines/build/scripts/npm.sh @@ -1,5 +1,5 @@ #!/bin/bash -set -nex +set -eux export GOOS=$OS export GOARCH=$ARCH From 060e2f93677eae62dabe44d735a210bf7fcc6e41 Mon Sep 17 00:00:00 2001 From: Sheyla Trudo Date: Wed, 14 May 2025 21:48:54 -0700 Subject: [PATCH 028/154] fixup! Use Signed Binaries for Docker Build --- .pipelines/build/images.jobs.yaml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/.pipelines/build/images.jobs.yaml b/.pipelines/build/images.jobs.yaml index 674690472a..1332f65e2b 100644 --- a/.pipelines/build/images.jobs.yaml +++ b/.pipelines/build/images.jobs.yaml @@ -52,8 +52,7 @@ jobs: - task: ShellScript@2 inputs: - scriptPath: '${{ job_data.templateContext.buildScript }}' - workingDirectory: $(REPO_ROOT) + scriptPath: $(REPO_ROOT)/${{ job_data.templateContext.buildScript }} # - task: ExtractFiles@1 # inputs: From 0e570025bd8ee2cfe4cf6e183214037e992e1fe2 Mon Sep 17 00:00:00 2001 
From: Sheyla Trudo Date: Wed, 14 May 2025 23:04:56 -0700 Subject: [PATCH 029/154] fixup! Use Signed Binaries for Docker Build --- .pipelines/build/images.jobs.yaml | 7 ------- .pipelines/build/scripts/azure-ipam.sh | 7 ++++--- .pipelines/build/scripts/dropgz.sh | 21 ++++++++++++++++++--- .pipelines/build/scripts/npm.sh | 2 +- 4 files changed, 23 insertions(+), 14 deletions(-) diff --git a/.pipelines/build/images.jobs.yaml b/.pipelines/build/images.jobs.yaml index 1332f65e2b..ef279e3a59 100644 --- a/.pipelines/build/images.jobs.yaml +++ b/.pipelines/build/images.jobs.yaml @@ -54,13 +54,6 @@ jobs: inputs: scriptPath: $(REPO_ROOT)/${{ job_data.templateContext.buildScript }} -# - task: ExtractFiles@1 -# inputs: -# archiveFilePatterns: '**/*.?(tgz|tgz.gz|zip)' -# destinationFolder: $(OUT_DIR) -# cleanDestinationFolder: false -# overwriteExistingFiles: true - - script: | ls -la "$SOURCE" cp "$SOURCE" "$DEST" diff --git a/.pipelines/build/scripts/azure-ipam.sh b/.pipelines/build/scripts/azure-ipam.sh index 7aac121faa..55a4061425 100644 --- a/.pipelines/build/scripts/azure-ipam.sh +++ b/.pipelines/build/scripts/azure-ipam.sh @@ -8,11 +8,12 @@ export CGO_ENABLED=0 mkdir -p "$OUT_DIR"/bin mkdir -p "$OUT_DIR"/files -pushd "$ROOT_DIR"/azure-ipam +pushd "$REPO_ROOT"/azure-ipam go build -v -a -trimpath \ -o "$OUT_DIR"/bin/azure-ipam \ - -ldflags "-X github.com/Azure/azure-container-networking/azure-ipam/internal/buildinfo.Version="$AZURE_IPAM_VERSION" -X main.version="$AZURE_IPAM_VERSION"" \ - -gcflags="-dwarflocationlists=true" \ + -ldflags "-X github.com/Azure/azure-container-networking/azure-ipam/internal/buildinfo.Version="$AZURE_IPAM_VERSION" -X main.version="$AZURE_IPAM_VERSION"" \ + -gcflags="-dwarflocationlists=true" \ + main.go cp *.conflist "$OUT_DIR"/files/ popd diff --git a/.pipelines/build/scripts/dropgz.sh b/.pipelines/build/scripts/dropgz.sh index a8cb81dd8d..8f9cd665cd 100644 --- a/.pipelines/build/scripts/dropgz.sh +++ b/.pipelines/build/scripts/dropgz.sh 
@@ -2,19 +2,34 @@ export GOOS=$OS export GOARCH=$ARCH export CGO_ENABLED=0 -DROPGZ_VERSION="${DROPGZ_VERSION:-v0.0.12}" DROPGZ_BUILD_DIR=$(mktemp -d -p "$GEN_DIR") +PAYLOAD_DIR=$(mktemp -d -p "$GEN_DIR") +DROPGZ_VERSION="${DROPGZ_VERSION:-v0.0.12}" DROPGZ_MOD_DOWNLOAD_PATH=""$ACN_PACKAGE_PATH"/dropgz@"$DROPGZ_VERSION"" mkdir -p "$OUT_DIR"/bin mkdir -p "$DROPGZ_BUILD_DIR" +echo >&2 "##[section]Construct DropGZ Embedded Payload" +pushd "$PAYLOAD_DIR" + [[ -n $(stat "$OUT_DIR"/files 2>/dev/null || true) ]] && cp "$OUT_DIR"/files/* . + [[ -n $(stat "$OUT_DIR"/bin 2>/dev/null || true) ]] && cp "$OUT_DIR"/bin/* . + + sha256sum * > sum.txt + gzip --verbose --best --recursive . + + for file in $(find . -name '*.gz'); do + mv "$file" "${file%%.gz}" + done +popd + +echo >&2 "##[section]Download DropGZ ($DROPGZ_VERSION)" GOPATH="$DROPGZ_BUILD_DIR" \ go mod download "$DROPGZ_MOD_DOWNLOAD_PATH" +echo >&2 "##[section]Build DropGZ with Embedded Payload" pushd "$DROPGZ_BUILD_DIR"/pkg/mod/"$DROPGZ_MOD_DOWNLOAD_PATH" - [[ -n $(stat "$OUT_DIR"/files 2>/dev/null || true) ]] && cp "$OUT_DIR"/files/* pkg/embed/fs/ - [[ -n $(stat "$OUT_DIR"/bin 2>/dev/null || true) ]] && cp "$OUT_DIR"/bin/* pkg/embed/fs/ + mv "$PAYLOAD_DIR"/* pkg/embed/fs/ go build -v -trimpath -a \ -o "$OUT_DIR"/bin/dropgz \ -ldflags "-X github.com/Azure/azure-container-networking/dropgz/internal/buildinfo.Version="$DROPGZ_VERSION"" \ diff --git a/.pipelines/build/scripts/npm.sh b/.pipelines/build/scripts/npm.sh index f62ad0db18..f0aef228b9 100644 --- a/.pipelines/build/scripts/npm.sh +++ b/.pipelines/build/scripts/npm.sh @@ -8,7 +8,7 @@ export CGO_ENABLED=0 mkdir -p "$OUT_DIR"/files mkdir -p "$OUT_DIR"/bin -pushd "$ROOT_DIR"/npm +pushd "$REPO_ROOT"/npm go build -a -v -trimpath \ -o "$OUT_DIR"/bin/azure-npm \ -ldflags "-X main.version="$NPM_VERSION" -X "$NPM_AI_PATH"="$NPM_AI_ID"" \ From 08c2a9c0d3fd431e9dc63b51cdcc4f62b85047ab Mon Sep 17 00:00:00 2001 
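Review bot: The dropgz source compiled here is not the checked-out tree but whatever `go mod download "$DROPGZ_MOD_DOWNLOAD_PATH"` returns for the `v0.0.12` tag, and the payload is moved into that module-cache copy before `go build`. For a binary that is later signed, integrity of that source rests on Go's checksum database, so the script should say so in a comment and the job should not run with `GOSUMDB=off`, `GONOSUMDB`, `GOPRIVATE` or `GOINSECURE` covering this path. The loop `for file in $(find . -name '*.gz')` also word-splits file names; `find . -name '*.gz' -exec sh -c 'mv "$1" "${1%.gz}"' _ {} \;` avoids that. The module cache is normally written read-only, so the `mv` into `pkg/embed/fs/` presumably works only because the job runs as root, which is worth a comment too.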
From: Sheyla Trudo Date: Wed, 14 May 2025 23:22:45 -0700 Subject: [PATCH 030/154] fixup! Use Signed Binaries for Docker Build --- .pipelines/build/scripts/cni.sh | 4 +--- .pipelines/build/scripts/ipv6-hp-bpf.sh | 8 +++++--- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/.pipelines/build/scripts/cni.sh b/.pipelines/build/scripts/cni.sh index 8cbd044871..39fbc109d7 100644 --- a/.pipelines/build/scripts/cni.sh +++ b/.pipelines/build/scripts/cni.sh @@ -39,7 +39,7 @@ popd CNI_IPAMV6_DIR="$REPO_ROOT"/cni/ipam/pluginv6 pushd "$CNI_IPAMV6_DIR" go build -v -a -trimpath \ - -o "$OUT_DIR"/bin/azure-vnet-ipamv6 + -o "$OUT_DIR"/bin/azure-vnet-ipamv6 \ -ldflags "-X main.version="$CNI_VERSION"" \ -gcflags="-dwarflocationlists=true" \ ./main.go @@ -62,8 +62,6 @@ pushd "$REPO_ROOT"/cni cp azure-$OS-swift-overlay-dualstack.conflist "$OUT_DIR"/files/azure-swift-overlay-dualstack.conflist cp azure-$OS-multitenancy.conflist "$OUT_DIR"/files/multitenancy.conflist cp "$REPO_ROOT"/telemetry/azure-vnet-telemetry.config "$OUT_DIR"/files/azure-vnet-telemetry.config - #sha256sum * > sum.txt - #gzip --verbose --best --recursive "$OUT_DIR" && for f in *.gz; do mv -- "$f" "${f%%.gz}"; done popd # Build with DropGZ diff --git a/.pipelines/build/scripts/ipv6-hp-bpf.sh b/.pipelines/build/scripts/ipv6-hp-bpf.sh index 9aab7228ca..b58048b21b 100644 --- a/.pipelines/build/scripts/ipv6-hp-bpf.sh +++ b/.pipelines/build/scripts/ipv6-hp-bpf.sh 
@@ -13,14 +13,15 @@ mkdir -p "$OUT_DIR"/lib if [[ -f /etc/debian_version ]];then apt-get update -y if [[ $GOARCH =~ amd64 ]]; then - apt-get install -y llvm clang linux-libc-dev linux-headers-generic libbpf-dev libc6-dev nftables iproute2 - #apt-get install -y llvm clang linux-libc-dev linux-headers-generic libbpf-dev libc6-dev nftables iproute2 gcc-multilib tree + apt-get install -y llvm clang linux-libc-dev linux-headers-generic libbpf-dev libc6-dev nftables iproute2 gcc-multilib tree + cp /lib/"$ARCH"/ld-linux-x86-64.so.2 "$OUT_DIR"/lib/ for dir in /usr/include/x86_64-linux-gnu/*; do ln -sfn "$dir" /usr/include/$(basename "$dir") done elif [[ $GOARCH =~ arm64 ]]; then apt-get install -y llvm clang linux-libc-dev linux-headers-generic libbpf-dev libc6-dev nftables iproute2 gcc-aarch64-linux-gnu tree + cp /lib/"$ARCH"/ld-linux-aarch64.so.1 "$OUT_DIR"/lib/ for dir in /usr/include/aarch64-linux-gnu/*; do ln -sfn "$dir" /usr/include/$(basename "$dir") done @@ -28,7 +29,8 @@ if [[ -f /etc/debian_version ]];then # Mariner else tdnf install -y llvm clang libbpf-devel nftables tree - for dir in /usr/include/aarch64-linux-gnu/*; do + cp /lib/"$ARCH"/ld-linux-x86-64.so.2 "$OUT_DIR"/lib/ + for dir in /usr/include/x86_64-linux-gnu/*; do if [[ -d $dir ]]; then ln -sfn "$dir" /usr/include/$(basename "$dir") elif [[ -f "$dir" ]]; then From 79e7db3c28babd2a0009aae72707a444a0265a02 Mon Sep 17 00:00:00 2001 From: Sheyla Trudo Date: Thu, 15 May 2025 01:46:02 -0700 Subject: [PATCH 031/154] fixup! Use Signed Binaries for Docker Build --- .pipelines/build/images.jobs.yaml | 15 +++++++++ .pipelines/build/scripts/azure-ipam.sh | 6 +--- .pipelines/build/scripts/cni.sh | 3 -- .pipelines/build/scripts/dropgz.sh | 3 ++ .pipelines/build/scripts/ipv6-hp-bpf.sh | 44 +++++++++++++++---------- .pipelines/run-pipeline.yaml | 6 ++++ 6 files changed, 51 insertions(+), 26 deletions(-) 
diff --git a/.pipelines/build/images.jobs.yaml b/.pipelines/build/images.jobs.yaml index ef279e3a59..aae38cf335 100644 --- a/.pipelines/build/images.jobs.yaml +++ b/.pipelines/build/images.jobs.yaml @@ -70,6 +70,21 @@ jobs: search_root: $(OUT_DIR) + - task: ShellScript@2 + displayName: "Package with DropGZ" + condition: and(succeeded(), eq('$(packageWithDropGZ)', 'True')) + inputs: + scriptPath: $(REPO_ROOT)/.pipelines/build/scripts/dropgz.sh + + - task: onebranch.pipeline.signing@1 + condition: and(succeeded(), eq('$(packageWithDropGZ)', 'True')) + inputs: + command: 'sign' + signing_profile: 'external_distribution' + files_to_sign: '**/dropgz' + search_root: $(OUT_DIR) + + - job: images_${{ job_data.job }} displayName: "Build Images - ${{ job_data.displayName }} -" dependsOn: diff --git a/.pipelines/build/scripts/azure-ipam.sh b/.pipelines/build/scripts/azure-ipam.sh index 55a4061425..5d250084a9 100644 --- a/.pipelines/build/scripts/azure-ipam.sh +++ b/.pipelines/build/scripts/azure-ipam.sh @@ -13,11 +13,7 @@ pushd "$REPO_ROOT"/azure-ipam -o "$OUT_DIR"/bin/azure-ipam \ -ldflags "-X github.com/Azure/azure-container-networking/azure-ipam/internal/buildinfo.Version="$AZURE_IPAM_VERSION" -X main.version="$AZURE_IPAM_VERSION"" \ -gcflags="-dwarflocationlists=true" \ - main.go + . cp *.conflist "$OUT_DIR"/files/ popd - - -# Build with DropGZ -./dropgz.sh diff --git a/.pipelines/build/scripts/cni.sh b/.pipelines/build/scripts/cni.sh index 39fbc109d7..c3f678e236 100644 --- a/.pipelines/build/scripts/cni.sh +++ b/.pipelines/build/scripts/cni.sh @@ -63,6 +63,3 @@ pushd "$REPO_ROOT"/cni cp azure-$OS-multitenancy.conflist "$OUT_DIR"/files/multitenancy.conflist cp "$REPO_ROOT"/telemetry/azure-vnet-telemetry.config "$OUT_DIR"/files/azure-vnet-telemetry.config popd - -# Build with DropGZ -./dropgz.sh diff --git a/.pipelines/build/scripts/dropgz.sh b/.pipelines/build/scripts/dropgz.sh index 8f9cd665cd..4bcc4387e6 100644 --- a/.pipelines/build/scripts/dropgz.sh 
+++ b/.pipelines/build/scripts/dropgz.sh @@ -1,3 +1,6 @@ +#!/bin/bash +set -eux + export GOOS=$OS export GOARCH=$ARCH export CGO_ENABLED=0 diff --git a/.pipelines/build/scripts/ipv6-hp-bpf.sh b/.pipelines/build/scripts/ipv6-hp-bpf.sh index b58048b21b..ff3b7181b7 100644 --- a/.pipelines/build/scripts/ipv6-hp-bpf.sh +++ b/.pipelines/build/scripts/ipv6-hp-bpf.sh 
@@ -12,25 +12,31 @@ mkdir -p "$OUT_DIR"/lib # Package up Needed C Files if [[ -f /etc/debian_version ]];then apt-get update -y - if [[ $GOARCH =~ amd64 ]]; then - apt-get install -y llvm clang linux-libc-dev linux-headers-generic libbpf-dev libc6-dev nftables iproute2 gcc-multilib tree - cp /lib/"$ARCH"/ld-linux-x86-64.so.2 "$OUT_DIR"/lib/ - for dir in /usr/include/x86_64-linux-gnu/*; do - ln -sfn "$dir" /usr/include/$(basename "$dir") - done + if [[ $ARCH =~ amd64 ]]; then + apt-get install -y llvm clang linux-libc-dev linux-headers-generic libbpf-dev libc6-dev nftables iproute2 gcc-multilib build-essential binutils + + ARCH=x86_64-linux-gnu + cp /usr/lib/"$ARCH"/ld-linux-x86-64.so.2 "$OUT_DIR"/lib/ - elif [[ $GOARCH =~ arm64 ]]; then - apt-get install -y llvm clang linux-libc-dev linux-headers-generic libbpf-dev libc6-dev nftables iproute2 gcc-aarch64-linux-gnu tree - cp /lib/"$ARCH"/ld-linux-aarch64.so.1 "$OUT_DIR"/lib/ - for dir in /usr/include/aarch64-linux-gnu/*; do - ln -sfn "$dir" /usr/include/$(basename "$dir") - done + elif [[ $ARCH =~ arm64 ]]; then + apt-get install -y llvm clang linux-libc-dev linux-headers-generic libbpf-dev libc6-dev nftables iproute2 gcc-aarch64-linux-gnu + + ARCH=aarch64-linux-gnu + PLAT=linux-aarch64 + cp /usr/lib/"$ARCH"/ld-linux-aarch64.so.1 "$OUT_DIR"/lib/ fi + + for dir in /usr/include/"$ARCH"/*; do + ln -sfn "$dir" /usr/include/$(basename "$dir") + done + + # Mariner else - tdnf install -y llvm clang libbpf-devel nftables tree - cp /lib/"$ARCH"/ld-linux-x86-64.so.2 "$OUT_DIR"/lib/ - for dir in /usr/include/x86_64-linux-gnu/*; do + tdnf install -y llvm clang libbpf-devel nftables gcc binutils iproute glibc-devel.i686 + ARCH=x86_64-linux-gnu + cp /usr/lib/"$ARCH"/ld-linux-x86-64.so.2 "$OUT_DIR"/lib/ + for dir in /usr/include/"$ARCH"/*; do if [[ -d $dir ]]; then ln -sfn "$dir" /usr/include/$(basename "$dir") elif [[ -f "$dir" ]]; then 
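Review bot: Both Debian branches install the toolchain with an unversioned `apt-get install -y ...` and then copy the build container's own `ld-linux-*.so` into `"$OUT_DIR"/lib`, so the loader that ships is whatever the base image and package mirror provide on the day of the build. I would log the resolved package versions (for example `dpkg-query -W libc6 nftables iproute2`) so a shipped image can be traced back to its inputs, and check that the signing step over `$(OUT_DIR)` does not put the product signature on these distro-provided files. When `$ARCH` matches neither `amd64` nor `arm64` the script falls through to the include loop with the unmapped value and only creates dangling links; an `else` branch that exits non-zero would make that failure explicit.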
@@ -39,6 +45,8 @@ else done fi + +# Copy Library Files ln -sfn /usr/include/"$ARCH"/asm /usr/include/asm cp /lib/"$ARCH"/libnftables.so.1 "$OUT_DIR"/lib/ cp /lib/"$ARCH"/libedit.so.2 "$OUT_DIR"/lib/ @@ -61,13 +69,13 @@ cp /sbin/ip "$OUT_DIR"/bin/ip pushd "$REPO_ROOT"/bpf-prog/ipv6-hp-bpf cp ./cmd/ipv6-hp-bpf/*.go . - if [ "$DEBUG" = "true" ]; then + if [[ "$DEBUG" =~ ^[T|t]rue$ ]]; then echo "\n#define DEBUG" >> ./include/helper.h fi go generate ./... go build -v -a -trimpath \ -o "$OUT_DIR"/bin/ipv6-hp-bpf \ - -ldflags "-X main.version="$IPV6_HP_BPF_VERSION"" \ - -gcflags="-dwarflocationlists=true" . + -ldflags "-X main.version="$IPV6_HP_BPF_VERSION"" \ + -gcflags="-dwarflocationlists=true" . popd diff --git a/.pipelines/run-pipeline.yaml b/.pipelines/run-pipeline.yaml index 343b412547..48edb6343f 100644 --- a/.pipelines/run-pipeline.yaml +++ b/.pipelines/run-pipeline.yaml @@ -137,12 +137,14 @@ stages: archiveName: azure-ipam archiveVersion: $(AZURE_IPAM_VERSION) imageTag: $(Build.BuildNumber) + packageWithDropGZ: True cni: name: cni extraArgs: '--build-arg CNI_AI_PATH=$(CNI_AI_PATH) --build-arg CNI_AI_ID=$(CNI_AI_ID)' archiveName: azure-cni archiveVersion: $(CNI_VERSION) imageTag: $(Build.BuildNumber) + packageWithDropGZ: True cns: name: cns extraArgs: '--build-arg CNS_AI_PATH=$(CNS_AI_PATH) --build-arg CNS_AI_ID=$(CNS_AI_ID)' @@ -178,12 +180,14 @@ stages: archiveName: azure-ipam archiveVersion: $(OS)-$(ARCH)-$(AZURE_IPAM_VERSION) imageTag: $(Build.BuildNumber) + packageWithDropGZ: True cni: name: cni extraArgs: '--build-arg CNI_AI_PATH=$(CNI_AI_PATH) --build-arg CNI_AI_ID=$(CNI_AI_ID)' archiveName: azure-cni archiveVersion: $(CNI_VERSION) imageTag: $(Build.BuildNumber) + packageWithDropGZ: True cns: name: cns extraArgs: '--build-arg CNS_AI_PATH=$(CNS_AI_PATH) --build-arg CNS_AI_ID=$(CNS_AI_ID)' 
@@ -213,12 +217,14 @@ stages: archiveVersion: $(AZURE_IPAM_VERSION) extraArgs: '' imageTag: $(Build.BuildNumber) + packageWithDropGZ: True cni: name: cni extraArgs: '--build-arg CNI_AI_PATH=$(CNI_AI_PATH) --build-arg CNI_AI_ID=$(CNI_AI_ID)' archiveName: azure-cni archiveVersion: $(CNI_VERSION) imageTag: $(Build.BuildNumber) + packageWithDropGZ: True cns: name: cns extraArgs: '--build-arg CNS_AI_PATH=$(CNS_AI_PATH) --build-arg CNS_AI_ID=$(CNS_AI_ID)' From b335d5f1b7f4afa5f92d706d061f1f3b2fb7613a Mon Sep 17 00:00:00 2001 From: Sheyla Trudo Date: Thu, 15 May 2025 09:30:59 -0700 Subject: [PATCH 032/154] fixup! Use Signed Binaries for Docker Build --- .pipelines/build/image.steps.yaml | 2 +- .pipelines/build/images.jobs.yaml | 1 + .pipelines/build/scripts/ipv6-hp-bpf.sh | 2 +- 3 files changed, 3 insertions(+), 2 deletions(-) diff --git a/.pipelines/build/image.steps.yaml b/.pipelines/build/image.steps.yaml index 1497326704..79cb95c3c2 100644 --- a/.pipelines/build/image.steps.yaml +++ b/.pipelines/build/image.steps.yaml @@ -66,7 +66,7 @@ steps: repositoryName: $(os)-$(arch)/${{ parameters.name }} os: '${{ parameters.os }}' buildkit: 1 - dockerFileRelPath: Dockerfile + dockerFileRelPath: ${{ parameters.source }}/Dockerfile dockerFileContextPath: ${{ parameters.source }} enable_network: true enable_pull: true diff --git a/.pipelines/build/images.jobs.yaml b/.pipelines/build/images.jobs.yaml index aae38cf335..ef89363535 100644 --- a/.pipelines/build/images.jobs.yaml +++ b/.pipelines/build/images.jobs.yaml @@ -21,6 +21,7 @@ jobs: REPO_ROOT: $(Build.SourcesDirectory)/${{ job_data.templateContext.repositoryArtifact }} OUT_DIR: $(Build.ArtifactStagingDirectory) DROPGZ_VERSION: v0.0.12 + DEBUG: $[ coalesce(variables['System.Debug'], 'False') ] ob_outputDirectory: $(Build.ArtifactStagingDirectory) ${{ if eq(job_data.job, 'linux_amd64') }}: LinuxContainerImage: 'onebranch.azurecr.io/linux/ubuntu-2204:latest' 
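Review bot: `DEBUG: $[ coalesce(variables['System.Debug'], 'False') ]` ties the content of the built artifact to the pipeline's diagnostics switch: ipv6-hp-bpf.sh appends `#define DEBUG` to `include/helper.h` when `$DEBUG` matches, so a run queued with system diagnostics enabled would compile, and presumably later sign, a debug variant of the program. I would drive this from a dedicated parameter that defaults to off, and reject it for official builds, rather than reuse `System.Debug`. Separately, the script's test `^[T|t]rue$` also accepts `|rue`, because `|` is literal inside a bracket expression; `^[Tt]rue$` is what is meant. The variables block continues outside this hunk.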
diff --git a/.pipelines/build/scripts/ipv6-hp-bpf.sh b/.pipelines/build/scripts/ipv6-hp-bpf.sh index ff3b7181b7..168c756598 100644 --- a/.pipelines/build/scripts/ipv6-hp-bpf.sh +++ b/.pipelines/build/scripts/ipv6-hp-bpf.sh @@ -33,7 +33,7 @@ if [[ -f /etc/debian_version ]];then # Mariner else - tdnf install -y llvm clang libbpf-devel nftables gcc binutils iproute glibc-devel.i686 + tdnf install -y llvm clang libbpf-devel nftables gcc binutils iproute glibc-devel ARCH=x86_64-linux-gnu cp /usr/lib/"$ARCH"/ld-linux-x86-64.so.2 "$OUT_DIR"/lib/ for dir in /usr/include/"$ARCH"/*; do From 62f666232a8ab69d4ea53a2060d194b7d98517ca Mon Sep 17 00:00:00 2001 From: Sheyla Trudo Date: Thu, 15 May 2025 09:45:48 -0700 Subject: [PATCH 033/154] fixup! Use Signed Binaries for Docker Build --- .pipelines/build/images.jobs.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.pipelines/build/images.jobs.yaml b/.pipelines/build/images.jobs.yaml index ef89363535..b49df61651 100644 --- a/.pipelines/build/images.jobs.yaml +++ b/.pipelines/build/images.jobs.yaml @@ -73,12 +73,12 @@ jobs: - task: ShellScript@2 displayName: "Package with DropGZ" - condition: and(succeeded(), eq('$(packageWithDropGZ)', 'True')) + condition: and(succeeded(), eq(variables.packageWithDropGZ, 'True')) inputs: scriptPath: $(REPO_ROOT)/.pipelines/build/scripts/dropgz.sh - task: onebranch.pipeline.signing@1 - condition: and(succeeded(), eq('$(packageWithDropGZ)', 'True')) + condition: and(succeeded(), eq(variables.packageWithDropGZ, 'True')) inputs: command: 'sign' signing_profile: 'external_distribution' From d6e8d426f53afd39667b391abf422c7a7dda6ff6 Mon Sep 17 00:00:00 2001 From: Sheyla Trudo Date: Thu, 15 May 2025 09:57:13 -0700 Subject: [PATCH 034/154] fixup! Use Signed Binaries for Docker Build --- .pipelines/build/scripts/ipv6-hp-bpf.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/.pipelines/build/scripts/ipv6-hp-bpf.sh b/.pipelines/build/scripts/ipv6-hp-bpf.sh index 168c756598..7a51dfec94 100644 --- a/.pipelines/build/scripts/ipv6-hp-bpf.sh +++ b/.pipelines/build/scripts/ipv6-hp-bpf.sh @@ -70,7 +70,7 @@ pushd "$REPO_ROOT"/bpf-prog/ipv6-hp-bpf cp ./cmd/ipv6-hp-bpf/*.go . if [[ "$DEBUG" =~ ^[T|t]rue$ ]]; then - echo "\n#define DEBUG" >> ./include/helper.h + echo "#define DEBUG" >> ./include/helper.h fi go generate ./... From 32cab91891fc8bd96e4b512693eaadf7dccbaad4 Mon Sep 17 00:00:00 2001 From: Sheyla Trudo Date: Thu, 15 May 2025 10:08:36 -0700 Subject: [PATCH 035/154] fixup! Use Signed Binaries for Docker Build --- .pipelines/build/scripts/dropgz.sh | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/.pipelines/build/scripts/dropgz.sh b/.pipelines/build/scripts/dropgz.sh index 4bcc4387e6..9c2431de55 100644 --- a/.pipelines/build/scripts/dropgz.sh +++ b/.pipelines/build/scripts/dropgz.sh @@ -5,12 +5,14 @@ export GOOS=$OS export GOARCH=$ARCH export CGO_ENABLED=0 +mkdir -p "$GEN_DIR" +mkdir -p "$OUT_DIR"/bin + DROPGZ_BUILD_DIR=$(mktemp -d -p "$GEN_DIR") PAYLOAD_DIR=$(mktemp -d -p "$GEN_DIR") DROPGZ_VERSION="${DROPGZ_VERSION:-v0.0.12}" DROPGZ_MOD_DOWNLOAD_PATH=""$ACN_PACKAGE_PATH"/dropgz@"$DROPGZ_VERSION"" -mkdir -p "$OUT_DIR"/bin mkdir -p "$DROPGZ_BUILD_DIR" echo >&2 "##[section]Construct DropGZ Embedded Payload" From 85fe83dd62fabc241c3d1d3fb9da2b8763de13c8 Mon Sep 17 00:00:00 2001 From: Sheyla Trudo Date: Thu, 15 May 2025 10:20:12 -0700 Subject: [PATCH 036/154] fixup! Use Signed Binaries for Docker Build --- .pipelines/build/scripts/ipv6-hp-bpf.sh | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/.pipelines/build/scripts/ipv6-hp-bpf.sh b/.pipelines/build/scripts/ipv6-hp-bpf.sh index 7a51dfec94..8b81dd659a 100644 --- a/.pipelines/build/scripts/ipv6-hp-bpf.sh +++ b/.pipelines/build/scripts/ipv6-hp-bpf.sh 
@@ -22,7 +22,6 @@ if [[ -f /etc/debian_version ]];then apt-get install -y llvm clang linux-libc-dev linux-headers-generic libbpf-dev libc6-dev nftables iproute2 gcc-aarch64-linux-gnu ARCH=aarch64-linux-gnu - PLAT=linux-aarch64 cp /usr/lib/"$ARCH"/ld-linux-aarch64.so.1 "$OUT_DIR"/lib/ fi @@ -34,8 +33,13 @@ if [[ -f /etc/debian_version ]];then # Mariner else tdnf install -y llvm clang libbpf-devel nftables gcc binutils iproute glibc-devel - ARCH=x86_64-linux-gnu - cp /usr/lib/"$ARCH"/ld-linux-x86-64.so.2 "$OUT_DIR"/lib/ + if [[ $ARCH =~ amd64 ]]; then + ARCH=x86_64-linux-gnu + cp /usr/lib/"$ARCH"/ld-linux-x86-64.so.2 "$OUT_DIR"/lib/ + elif [[ $ARCH =~ arm64 ]]; then + ARCH=aarch64-linux-gnu + cp /usr/lib/"$ARCH"/ld-linux-aarch64.so.1 "$OUT_DIR"/lib/ + fi for dir in /usr/include/"$ARCH"/*; do if [[ -d $dir ]]; then ln -sfn "$dir" /usr/include/$(basename "$dir") From 5f2bb306ef27822ff59ffe68b7beb86082a2caa2 Mon Sep 17 00:00:00 2001 From: Sheyla Trudo Date: Thu, 15 May 2025 10:46:10 -0700 Subject: [PATCH 037/154] fixup! Use Signed Binaries for Docker Build --- .pipelines/build/scripts/dropgz.sh | 5 +++++ .pipelines/build/scripts/ipv6-hp-bpf.sh | 2 +- 2 files changed, 6 insertions(+), 1 deletion(-) diff --git a/.pipelines/build/scripts/dropgz.sh b/.pipelines/build/scripts/dropgz.sh index 9c2431de55..e23c2383a8 100644 --- a/.pipelines/build/scripts/dropgz.sh +++ b/.pipelines/build/scripts/dropgz.sh @@ -32,6 +32,11 @@ echo >&2 "##[section]Download DropGZ ($DROPGZ_VERSION)" GOPATH="$DROPGZ_BUILD_DIR" \ go mod download "$DROPGZ_MOD_DOWNLOAD_PATH" +ls -la +ls -la "$GEN_DIR" +ls -la "$DROPGZ_BUILD_DIR" +apt-get install -y tree || tdnf install -y tree +tree "$GEN_DIR" echo >&2 "##[section]Build DropGZ with Embedded Payload" pushd "$DROPGZ_BUILD_DIR"/pkg/mod/"$DROPGZ_MOD_DOWNLOAD_PATH" mv "$PAYLOAD_DIR"/* pkg/embed/fs/ diff --git a/.pipelines/build/scripts/ipv6-hp-bpf.sh b/.pipelines/build/scripts/ipv6-hp-bpf.sh index 8b81dd659a..12d12acaa5 100644 
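Review bot: The added `apt-get install -y tree || tdnf install -y tree` and the three `ls -la` lines in dropgz.sh are debugging aids, yet they run in the script that produces the dropgz binary, between `go mod download` and `go build`. Pulling an extra, unversioned package over the network at that point adds an input the build does not need, and under `set -eux` a failure of both package managers aborts the packaging step. I would drop these lines before merge, or keep the listing with a tool already present, e.g. `find "$GEN_DIR" -maxdepth 3`, behind the debug flag.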
--- a/.pipelines/build/scripts/ipv6-hp-bpf.sh +++ b/.pipelines/build/scripts/ipv6-hp-bpf.sh @@ -74,7 +74,7 @@ pushd "$REPO_ROOT"/bpf-prog/ipv6-hp-bpf cp ./cmd/ipv6-hp-bpf/*.go . if [[ "$DEBUG" =~ ^[T|t]rue$ ]]; then - echo "#define DEBUG" >> ./include/helper.h + echo -e "\n#define DEBUG" >> ./include/helper.h fi go generate ./... From ee182d20954f8de4e43be507fdc424e5c8b51aba Mon Sep 17 00:00:00 2001 From: Sheyla Trudo Date: Thu, 15 May 2025 10:54:50 -0700 Subject: [PATCH 038/154] fixup! Use Signed Binaries for Docker Build --- .pipelines/build/scripts/dropgz.sh | 1 + 1 file changed, 1 insertion(+) diff --git a/.pipelines/build/scripts/dropgz.sh b/.pipelines/build/scripts/dropgz.sh index e23c2383a8..37f7430e50 100644 --- a/.pipelines/build/scripts/dropgz.sh +++ b/.pipelines/build/scripts/dropgz.sh @@ -12,6 +12,7 @@ DROPGZ_BUILD_DIR=$(mktemp -d -p "$GEN_DIR") PAYLOAD_DIR=$(mktemp -d -p "$GEN_DIR") DROPGZ_VERSION="${DROPGZ_VERSION:-v0.0.12}" DROPGZ_MOD_DOWNLOAD_PATH=""$ACN_PACKAGE_PATH"/dropgz@"$DROPGZ_VERSION"" +DROPGZ_MOD_DOWNLOAD_PATH=$(echo "$DROPGZ_MOD_DOWNLOAD_PATH" | tr '[:upper:]' '[:lower:]') mkdir -p "$DROPGZ_BUILD_DIR" From 828b3ab19654133afb62e1d86036b3000a66b9d5 Mon Sep 17 00:00:00 2001 From: Sheyla Trudo Date: Thu, 15 May 2025 12:22:29 -0700 Subject: [PATCH 039/154] fixup! Use Signed Binaries for Docker Build --- .../build/dockerfiles/azure-ipam.Dockerfile | 4 ++-- .pipelines/build/dockerfiles/cni.Dockerfile | 6 ++---- .pipelines/build/dockerfiles/cns.Dockerfile | 6 +++--- .../build/dockerfiles/ipv6-hp-bpf.Dockerfile | 6 +++--- .pipelines/build/dockerfiles/npm.Dockerfile | 8 ++++---- .pipelines/build/scripts/cni.sh | 10 +++++----- .pipelines/build/scripts/cns.sh | 5 +++-- .pipelines/build/scripts/dropgz.sh | 3 ++- .pipelines/build/scripts/ipv6-hp-bpf.sh | 19 +++++++++++-------- .pipelines/build/scripts/npm.sh | 7 ++++--- 10 files changed, 39 insertions(+), 35 deletions(-) 
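Review bot: Lower-casing `DROPGZ_MOD_DOWNLOAD_PATH` with `tr` in dropgz.sh changes the module path handed to `go mod download`, not only the directory later used for `pushd`. Go treats module paths as case-sensitive, so if `$ACN_PACKAGE_PATH` is `github.com/Azure/...` (as the `-ldflags` line in this script suggests) the download would request a differently named module than the one its `go.mod` declares, and checksum verification would be keyed on that other name. In the module cache an upper-case letter is stored escaped (`A` becomes `!a`), so the on-disk directory is likely `github.com/!azure/...` rather than the lower-cased form. I would keep the original path for the download and take the directory from the tool itself, e.g. the `Dir` field of `go mod download -json "$DROPGZ_MOD_DOWNLOAD_PATH"`.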
diff --git a/.pipelines/build/dockerfiles/azure-ipam.Dockerfile b/.pipelines/build/dockerfiles/azure-ipam.Dockerfile index 5f50b96765..be27a1978a 100644 --- a/.pipelines/build/dockerfiles/azure-ipam.Dockerfile +++ b/.pipelines/build/dockerfiles/azure-ipam.Dockerfile @@ -1,11 +1,11 @@ ARG ARTIFACT_DIR FROM scratch AS linux -COPY ${ARTIFACT_DIR}/bin/dropgz dropgz +COPY ${ARTIFACT_DIR}/bin/dropgz.exe dropgz ENTRYPOINT [ "/dropgz" ] # skopeo inspect docker://mcr.microsoft.com/oss/kubernetes/windows-host-process-containers-base-image:v1.0.0 --format "{{.Name}}@{{.Digest}}" FROM mcr.microsoft.com/oss/kubernetes/windows-host-process-containers-base-image@sha256:b4c9637e032f667c52d1eccfa31ad8c63f1b035e8639f3f48a510536bf34032b as windows -COPY ${ARTIFACT_DIR}/bin/dropgz dropgz.exe +COPY ${ARTIFACT_DIR}/bin/dropgz.exe dropgz.exe ENTRYPOINT [ "/dropgz.exe" ] diff --git a/.pipelines/build/dockerfiles/cni.Dockerfile b/.pipelines/build/dockerfiles/cni.Dockerfile index b0533a7e51..6232ae6497 100644 --- a/.pipelines/build/dockerfiles/cni.Dockerfile +++ b/.pipelines/build/dockerfiles/cni.Dockerfile @@ -2,7 +2,7 @@ ARG ARCH ARG ARTIFACT_DIR FROM scratch AS linux -ADD ${ARTIFACT_DIR}/bin/dropgz dropgz +ADD ${ARTIFACT_DIR}/bin/dropgz.exe dropgz ENTRYPOINT [ "/dropgz" ] @@ -10,7 +10,5 @@ ENTRYPOINT [ "/dropgz" ] FROM --platform=windows/${ARCH} mcr.microsoft.com/oss/kubernetes/windows-host-process-containers-base-image@sha256:b4c9637e032f667c52d1eccfa31ad8c63f1b035e8639f3f48a510536bf34032b as hpc FROM hpc as windows -ADD ${ARTIFACT_DIR}/bin/dropgz dropgz.exe +ADD ${ARTIFACT_DIR}/bin/dropgz.exe dropgz.exe ENTRYPOINT [ "/dropgz.exe" ] - - diff --git a/.pipelines/build/dockerfiles/cns.Dockerfile b/.pipelines/build/dockerfiles/cns.Dockerfile index 30c421baba..e08708d23a 100644 --- a/.pipelines/build/dockerfiles/cns.Dockerfile +++ b/.pipelines/build/dockerfiles/cns.Dockerfile 
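Review bot: `ARG ARTIFACT_DIR` is declared only before the first `FROM` in azure-ipam.Dockerfile, and an ARG declared there is not in scope inside a build stage, so `${ARTIFACT_DIR}` in the changed `COPY` lines expands to an empty string and the source becomes `/bin/dropgz.exe` relative to the context root. If the build relies on that, drop the variable so the path is explicit; otherwise add `ARG ARTIFACT_DIR` after each `FROM` so the `--build-arg ARTIFACT_DIR=...` value actually selects which artifact directory is copied into the image. The hunk shows the whole of this file, and cni.Dockerfile follows the same pattern; the cns, ipv6-hp-bpf and npm Dockerfiles may as well, but their stages are only partly visible.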
@@ -9,7 +9,7 @@ RUN tdnf install -y iptables FROM mcr.microsoft.com/cbl-mariner/distroless/minimal@sha256:7778a86d86947d5f64c1280a7ee0cf36c6c6d76b5749dd782fbcc14f113961bf AS linux COPY --from=iptables /usr/sbin/*tables* /usr/sbin/ COPY --from=iptables /usr/lib /usr/lib -COPY ${ARTIFACT_DIR}/bin/azure-cns /usr/local/bin/azure-cns +COPY ${ARTIFACT_DIR}/bin/azure-cns.exe /usr/local/bin/azure-cns ENTRYPOINT [ "/usr/local/bin/azure-cns" ] EXPOSE 10090 @@ -17,7 +17,7 @@ EXPOSE 10090 # mcr.microsoft.com/oss/kubernetes/windows-host-process-containers-base-image:v1.0.0 FROM --platform=windows/${ARCH} mcr.microsoft.com/oss/kubernetes/windows-host-process-containers-base-image@sha256:b4c9637e032f667c52d1eccfa31ad8c63f1b035e8639f3f48a510536bf34032b AS windows COPY ${ARTIFACT_DIR}/files/kubeconfigtemplate.yaml kubeconfigtemplate.yaml -COPY ${ARTIFACT_DIR}/files/setkubeconfigpath.ps1 setkubeconfigpath.ps1 -COPY ${ARTIFACT_DIR}/bin/azure-cns /azure-cns.exe +COPY ${ARTIFACT_DIR}/scripts/setkubeconfigpath.ps1 setkubeconfigpath.ps1 +COPY ${ARTIFACT_DIR}/bin/azure-cns.exe /azure-cns.exe ENTRYPOINT ["azure-cns.exe"] EXPOSE 10090 diff --git a/.pipelines/build/dockerfiles/ipv6-hp-bpf.Dockerfile b/.pipelines/build/dockerfiles/ipv6-hp-bpf.Dockerfile index 693b95c07c..1ae34ad146 100644 --- a/.pipelines/build/dockerfiles/ipv6-hp-bpf.Dockerfile +++ b/.pipelines/build/dockerfiles/ipv6-hp-bpf.Dockerfile @@ -2,7 +2,7 @@ ARG ARTIFACT_DIR FROM mcr.microsoft.com/cbl-mariner/distroless/minimal:2.0 AS linux COPY ${ARTIFACT_DIR}/lib/* /lib -COPY ${ARTIFACT_DIR}/bin/ipv6-hp-bpf /ipv6-hp-bpf -COPY ${ARTIFACT_DIR}/bin/nft /usr/sbin/nft -COPY ${ARTIFACT_DIR}/bin/ip /sbin/ip +COPY ${ARTIFACT_DIR}/bin/ipv6-hp-bpf.exe /ipv6-hp-bpf +COPY ${ARTIFACT_DIR}/bin/nft.exe /usr/sbin/nft +COPY ${ARTIFACT_DIR}/bin/ip.exe /sbin/ip CMD ["/ipv6-hp-bpf"] diff --git a/.pipelines/build/dockerfiles/npm.Dockerfile b/.pipelines/build/dockerfiles/npm.Dockerfile index a55db18df7..a061c2cb85 100644 
--- a/.pipelines/build/dockerfiles/npm.Dockerfile +++ b/.pipelines/build/dockerfiles/npm.Dockerfile @@ -7,7 +7,7 @@ RUN apt-get update && \ apt-get autoremove -y && \ apt-get clean -COPY ${ARTIFACT_DIR}/bin/azure-npm /usr/bin/azure-npm +COPY ${ARTIFACT_DIR}/bin/azure-npm.exe /usr/bin/azure-npm RUN chmod +x /usr/bin/azure-npm ENTRYPOINT ["/usr/bin/azure-npm", "start"] @@ -16,8 +16,8 @@ ENTRYPOINT ["/usr/bin/azure-npm", "start"] FROM mcr.microsoft.com/windows/servercore@sha256:45952938708fbde6ec0b5b94de68bcdec3f8c838be018536b1e9e5bd95e6b943 as windows COPY ${ARTIFACT_DIR}/files/kubeconfigtemplate.yaml kubeconfigtemplate.yaml -COPY ${ARTIFACT_DIR}/files/setkubeconfigpath.ps1 setkubeconfigpath.ps1 -COPY ${ARTIFACT_DIR}/files/setkubeconfigpath-capz.ps1 setkubeconfigpath-capz.ps1 -COPY ${ARTIFACT_DIR}/bin/azure-npm npm.exe +COPY ${ARTIFACT_DIR}/scripts/setkubeconfigpath.ps1 setkubeconfigpath.ps1 +COPY ${ARTIFACT_DIR}/scripts/setkubeconfigpath-capz.ps1 setkubeconfigpath-capz.ps1 +COPY ${ARTIFACT_DIR}/bin/azure-npm.exe npm.exe CMD ["npm.exe", "start" "--kubeconfig=.\\kubeconfig"] diff --git a/.pipelines/build/scripts/cni.sh b/.pipelines/build/scripts/cni.sh index c3f678e236..811948ca52 100644 --- a/.pipelines/build/scripts/cni.sh +++ b/.pipelines/build/scripts/cni.sh @@ -12,7 +12,7 @@ export CGO_ENABLED=0 CNI_NET_DIR="$REPO_ROOT"/cni/network/plugin pushd "$CNI_NET_DIR" go build -v -a -trimpath \ - -o "$OUT_DIR"/bin/azure-vnet \ + -o "$OUT_DIR"/bin/azure-vnet.exe \ -ldflags "-X main.version="$CNI_VERSION"" \ -gcflags="-dwarflocationlists=true" \ ./main.go @@ -21,7 +21,7 @@ popd STATELESS_CNI_BUILD_DIR="$REPO_ROOT"/cni/network/stateless pushd "$STATELESS_CNI_BUILD_DIR" go build -v -a -trimpath \ - -o "$OUT_DIR"/bin/azure-vnet-stateless \ + -o "$OUT_DIR"/bin/azure-vnet-stateless.exe \ -ldflags "-X main.version="$CNI_VERSION"" \ -gcflags="-dwarflocationlists=true" \ ./main.go 
@@ -30,7 +30,7 @@ popd CNI_IPAM_DIR="$REPO_ROOT"/cni/ipam/plugin pushd "$CNI_IPAM_DIR" go build -v -a -trimpath \ - -o "$OUT_DIR"/bin/azure-vnet-ipam \ + -o "$OUT_DIR"/bin/azure-vnet-ipam.exe \ -ldflags "-X main.version="$CNI_VERSION"" \ -gcflags="-dwarflocationlists=true" \ ./main.go @@ -39,7 +39,7 @@ popd CNI_IPAMV6_DIR="$REPO_ROOT"/cni/ipam/pluginv6 pushd "$CNI_IPAMV6_DIR" go build -v -a -trimpath \ - -o "$OUT_DIR"/bin/azure-vnet-ipamv6 \ + -o "$OUT_DIR"/bin/azure-vnet-ipamv6.exe \ -ldflags "-X main.version="$CNI_VERSION"" \ -gcflags="-dwarflocationlists=true" \ ./main.go @@ -48,7 +48,7 @@ popd CNI_TELEMETRY_DIR="$REPO_ROOT"/cni/telemetry/service pushd "$CNI_TELEMETRY_DIR" go build -v -a -trimpath \ - -o "$OUT_DIR"/bin/azure-vnet-telemetry \ + -o "$OUT_DIR"/bin/azure-vnet-telemetry.exe \ -ldflags "-X main.version="$CNI_VERSION" -X "$CNI_AI_PATH"="$CNI_AI_ID"" \ -gcflags="-dwarflocationlists=true" \ ./telemetrymain.go diff --git a/.pipelines/build/scripts/cns.sh b/.pipelines/build/scripts/cns.sh index 86bc9838ab..c3094666d5 100644 --- a/.pipelines/build/scripts/cns.sh +++ b/.pipelines/build/scripts/cns.sh @@ -7,14 +7,15 @@ export CGO_ENABLED=0 mkdir -p "$OUT_DIR"/files mkdir -p "$OUT_DIR"/bin +mkdir -p "$OUT_DIR"/scripts pushd "$REPO_ROOT"/cns go build -v -a \ - -o "$OUT_DIR"/bin/azure-cns \ + -o "$OUT_DIR"/bin/azure-cns.exe \ -ldflags "-X main.version="$CNS_VERSION" -X "$CNS_AI_PATH"="$CNS_AI_ID"" \ -gcflags="-dwarflocationlists=true" \ service/*.go cp kubeconfigtemplate.yaml "$OUT_DIR"/files/kubeconfigtemplate.yaml - cp ../npm/examples/windows/setkubeconfigpath.ps1 "$OUT_DIR"/files/setkubeconfigpath.ps1 cp configuration/cns_config.json "$OUT_DIR"/files/cns_config.json + cp ../npm/examples/windows/setkubeconfigpath.ps1 "$OUT_DIR"/scripts/setkubeconfigpath.ps1 popd diff --git a/.pipelines/build/scripts/dropgz.sh b/.pipelines/build/scripts/dropgz.sh index 37f7430e50..c9734dcb1e 100644 --- a/.pipelines/build/scripts/dropgz.sh 
+++ b/.pipelines/build/scripts/dropgz.sh @@ -19,6 +19,7 @@ mkdir -p "$DROPGZ_BUILD_DIR" echo >&2 "##[section]Construct DropGZ Embedded Payload" pushd "$PAYLOAD_DIR" [[ -n $(stat "$OUT_DIR"/files 2>/dev/null || true) ]] && cp "$OUT_DIR"/files/* . + [[ -n $(stat "$OUT_DIR"/scripts 2>/dev/null || true) ]] && cp "$OUT_DIR"/scripts/* . [[ -n $(stat "$OUT_DIR"/bin 2>/dev/null || true) ]] && cp "$OUT_DIR"/bin/* . sha256sum * > sum.txt @@ -42,7 +43,7 @@ echo >&2 "##[section]Build DropGZ with Embedded Payload" pushd "$DROPGZ_BUILD_DIR"/pkg/mod/"$DROPGZ_MOD_DOWNLOAD_PATH" mv "$PAYLOAD_DIR"/* pkg/embed/fs/ go build -v -trimpath -a \ - -o "$OUT_DIR"/bin/dropgz \ + -o "$OUT_DIR"/bin/dropgz.exe \ -ldflags "-X github.com/Azure/azure-container-networking/dropgz/internal/buildinfo.Version="$DROPGZ_VERSION"" \ -gcflags="-dwarflocationlists=true" \ main.go diff --git a/.pipelines/build/scripts/ipv6-hp-bpf.sh b/.pipelines/build/scripts/ipv6-hp-bpf.sh index 12d12acaa5..127030b374 100644 --- a/.pipelines/build/scripts/ipv6-hp-bpf.sh +++ b/.pipelines/build/scripts/ipv6-hp-bpf.sh @@ -12,14 +12,15 @@ mkdir -p "$OUT_DIR"/lib # Package up Needed C Files if [[ -f /etc/debian_version ]];then apt-get update -y + apt-get install -y llvm clang linux-libc-dev linux-headers-generic libbpf-dev libc6-dev nftables iproute2 if [[ $ARCH =~ amd64 ]]; then - apt-get install -y llvm clang linux-libc-dev linux-headers-generic libbpf-dev libc6-dev nftables iproute2 gcc-multilib build-essential binutils + apt-get install -y gcc-multilib build-essential binutils ARCH=x86_64-linux-gnu cp /usr/lib/"$ARCH"/ld-linux-x86-64.so.2 "$OUT_DIR"/lib/ elif [[ $ARCH =~ arm64 ]]; then - apt-get install -y llvm clang linux-libc-dev linux-headers-generic libbpf-dev libc6-dev nftables iproute2 gcc-aarch64-linux-gnu + apt-get install -y gcc-aarch64-linux-gnu ARCH=aarch64-linux-gnu cp /usr/lib/"$ARCH"/ld-linux-aarch64.so.1 "$OUT_DIR"/lib/ 
@@ -32,13 +33,15 @@ if [[ -f /etc/debian_version ]];then # Mariner else - tdnf install -y llvm clang libbpf-devel nftables gcc binutils iproute glibc-devel + tdnf install -y llvm clang libbpf-devel nftables gcc binutils iproute cross-gcc if [[ $ARCH =~ amd64 ]]; then ARCH=x86_64-linux-gnu - cp /usr/lib/"$ARCH"/ld-linux-x86-64.so.2 "$OUT_DIR"/lib/ + #tdnf install -y gcc-x86_64-linux-gnu + cp /usr/lib/"$ARCH"/ld-linux-x86-64.so.2 "$OUT_DIR"/lib/ || find /usr/lib/ -name 'ld-linux-x86-64.so.2' elif [[ $ARCH =~ arm64 ]]; then ARCH=aarch64-linux-gnu - cp /usr/lib/"$ARCH"/ld-linux-aarch64.so.1 "$OUT_DIR"/lib/ + #tdnf install -y gcc-aarch64-linux-gnu + cp /usr/lib/"$ARCH"/ld-linux-aarch64.so.1 "$OUT_DIR"/lib/ || find /usr/lib/ -name 'ld-linux-aarch64.so.1' fi for dir in /usr/include/"$ARCH"/*; do if [[ -d $dir ]]; then @@ -65,8 +68,8 @@ cp /lib/"$ARCH"/libbsd.so.0 "$OUT_DIR"/lib/ cp /lib/"$ARCH"/libmd.so.0 "$OUT_DIR"/lib/ # Add Needed Binararies -cp /usr/sbin/nft "$OUT_DIR"/bin/nft -cp /sbin/ip "$OUT_DIR"/bin/ip +cp /usr/sbin/nft "$OUT_DIR"/bin/nft.exe +cp /sbin/ip "$OUT_DIR"/bin/ip.exe # Build IPv6 HP BPF @@ -79,7 +82,7 @@ pushd "$REPO_ROOT"/bpf-prog/ipv6-hp-bpf go generate ./... go build -v -a -trimpath \ - -o "$OUT_DIR"/bin/ipv6-hp-bpf \ + -o "$OUT_DIR"/bin/ipv6-hp-bpf.exe \ -ldflags "-X main.version="$IPV6_HP_BPF_VERSION"" \ -gcflags="-dwarflocationlists=true" . popd diff --git a/.pipelines/build/scripts/npm.sh b/.pipelines/build/scripts/npm.sh index f0aef228b9..acb7533e7b 100644 --- a/.pipelines/build/scripts/npm.sh +++ b/.pipelines/build/scripts/npm.sh 
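Review bot: The new `cp … ld-linux-x86-64.so.2 "$OUT_DIR"/lib/ || find /usr/lib/ -name 'ld-linux-x86-64.so.2'` in the Mariner branch (and its aarch64 twin) hides a failed copy. The `||` exempts `cp` from the script's `set -e`, and `find` exits 0 even when it matches nothing. The build then carries on without the dynamic loader in `lib/`, and the gap only shows up when the image runs. If the `find` is wanted as a diagnostic, keep the failure: `cp … "$OUT_DIR"/lib/ || { find /usr/lib/ -name 'ld-linux-x86-64.so.2'; exit 1; }`. The same two lines remain as context in the later ipv6-hp-bpf.sh hunks of PATCH 042 and 043. The enclosing `if`/`else` starts and ends outside this hunk.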
@@ -7,15 +7,16 @@ export CGO_ENABLED=0 mkdir -p "$OUT_DIR"/files mkdir -p "$OUT_DIR"/bin +mkdir -p "$OUT_DIR"/scripts pushd "$REPO_ROOT"/npm go build -a -v -trimpath \ - -o "$OUT_DIR"/bin/azure-npm \ + -o "$OUT_DIR"/bin/azure-npm.exe \ -ldflags "-X main.version="$NPM_VERSION" -X "$NPM_AI_PATH"="$NPM_AI_ID"" \ -gcflags="-dwarflocationlists=true" \ ./cmd/*.go cp ./examples/windows/kubeconfigtemplate.yaml "$OUT_DIR"/files/kubeconfigtemplate.yaml - cp ./examples/windows/setkubeconfigpath.ps1 "$OUT_DIR"/files/setkubeconfigpath.ps1 - cp ./examples/windows/setkubeconfigpath-capz.ps1 "$OUT_DIR"/files/setkubeconfigpath-capz.ps1 + cp ./examples/windows/setkubeconfigpath.ps1 "$OUT_DIR"/scripts/setkubeconfigpath.ps1 + cp ./examples/windows/setkubeconfigpath-capz.ps1 "$OUT_DIR"/scripts/setkubeconfigpath-capz.ps1 popd From 3efb67abff787dac4111e9f5d1da1e8a490f89bb Mon Sep 17 00:00:00 2001 From: Sheyla Trudo Date: Thu, 15 May 2025 14:50:08 -0700 Subject: [PATCH 040/154] fixup! Use Signed Binaries for Docker Build --- .pipelines/build/dockerfiles/azure-ipam.Dockerfile | 2 +- .pipelines/build/dockerfiles/cni.Dockerfile | 2 +- .pipelines/build/dockerfiles/cns.Dockerfile | 2 +- .pipelines/build/dockerfiles/ipv6-hp-bpf.Dockerfile | 6 +++--- .pipelines/build/dockerfiles/npm.Dockerfile | 2 +- .pipelines/build/scripts/azure-ipam.sh | 4 +++- .pipelines/build/scripts/cni.sh | 12 +++++++----- .pipelines/build/scripts/cns.sh | 4 +++- .pipelines/build/scripts/dropgz.sh | 4 +++- .pipelines/build/scripts/ipv6-hp-bpf.sh | 8 +++++--- .pipelines/build/scripts/npm.sh | 4 +++- 11 files changed, 31 insertions(+), 19 deletions(-) diff --git a/.pipelines/build/dockerfiles/azure-ipam.Dockerfile b/.pipelines/build/dockerfiles/azure-ipam.Dockerfile index be27a1978a..d5010f13b0 100644 --- a/.pipelines/build/dockerfiles/azure-ipam.Dockerfile +++ b/.pipelines/build/dockerfiles/azure-ipam.Dockerfile 
@@ -1,7 +1,7 @@ ARG ARTIFACT_DIR FROM scratch AS linux -COPY ${ARTIFACT_DIR}/bin/dropgz.exe dropgz +COPY ${ARTIFACT_DIR}/bin/dropgz.bin dropgz ENTRYPOINT [ "/dropgz" ] diff --git a/.pipelines/build/dockerfiles/cni.Dockerfile b/.pipelines/build/dockerfiles/cni.Dockerfile index 6232ae6497..737902f6d8 100644 --- a/.pipelines/build/dockerfiles/cni.Dockerfile +++ b/.pipelines/build/dockerfiles/cni.Dockerfile @@ -2,7 +2,7 @@ ARG ARCH ARG ARTIFACT_DIR FROM scratch AS linux -ADD ${ARTIFACT_DIR}/bin/dropgz.exe dropgz +ADD ${ARTIFACT_DIR}/bin/dropgz.bin dropgz ENTRYPOINT [ "/dropgz" ] diff --git a/.pipelines/build/dockerfiles/cns.Dockerfile b/.pipelines/build/dockerfiles/cns.Dockerfile index e08708d23a..4136702b1c 100644 --- a/.pipelines/build/dockerfiles/cns.Dockerfile +++ b/.pipelines/build/dockerfiles/cns.Dockerfile @@ -9,7 +9,7 @@ RUN tdnf install -y iptables FROM mcr.microsoft.com/cbl-mariner/distroless/minimal@sha256:7778a86d86947d5f64c1280a7ee0cf36c6c6d76b5749dd782fbcc14f113961bf AS linux COPY --from=iptables /usr/sbin/*tables* /usr/sbin/ COPY --from=iptables /usr/lib /usr/lib -COPY ${ARTIFACT_DIR}/bin/azure-cns.exe /usr/local/bin/azure-cns +COPY ${ARTIFACT_DIR}/bin/azure-cns.bin /usr/local/bin/azure-cns ENTRYPOINT [ "/usr/local/bin/azure-cns" ] EXPOSE 10090 diff --git a/.pipelines/build/dockerfiles/ipv6-hp-bpf.Dockerfile b/.pipelines/build/dockerfiles/ipv6-hp-bpf.Dockerfile index 1ae34ad146..d021d0a048 100644 --- a/.pipelines/build/dockerfiles/ipv6-hp-bpf.Dockerfile +++ b/.pipelines/build/dockerfiles/ipv6-hp-bpf.Dockerfile @@ -2,7 +2,7 @@ ARG ARTIFACT_DIR FROM mcr.microsoft.com/cbl-mariner/distroless/minimal:2.0 AS linux COPY ${ARTIFACT_DIR}/lib/* /lib -COPY ${ARTIFACT_DIR}/bin/ipv6-hp-bpf.exe /ipv6-hp-bpf -COPY ${ARTIFACT_DIR}/bin/nft.exe /usr/sbin/nft -COPY ${ARTIFACT_DIR}/bin/ip.exe /sbin/ip +COPY ${ARTIFACT_DIR}/bin/ipv6-hp-bpf.bin /ipv6-hp-bpf +COPY ${ARTIFACT_DIR}/bin/nft.bin /usr/sbin/nft +COPY ${ARTIFACT_DIR}/bin/ip.bin /sbin/ip CMD ["/ipv6-hp-bpf"] 
diff --git a/.pipelines/build/dockerfiles/npm.Dockerfile b/.pipelines/build/dockerfiles/npm.Dockerfile index a061c2cb85..d4863c8d50 100644 --- a/.pipelines/build/dockerfiles/npm.Dockerfile +++ b/.pipelines/build/dockerfiles/npm.Dockerfile @@ -7,7 +7,7 @@ RUN apt-get update && \ apt-get autoremove -y && \ apt-get clean -COPY ${ARTIFACT_DIR}/bin/azure-npm.exe /usr/bin/azure-npm +COPY ${ARTIFACT_DIR}/bin/azure-npm.bin /usr/bin/azure-npm RUN chmod +x /usr/bin/azure-npm ENTRYPOINT ["/usr/bin/azure-npm", "start"] diff --git a/.pipelines/build/scripts/azure-ipam.sh b/.pipelines/build/scripts/azure-ipam.sh index 5d250084a9..14137a2d4d 100644 --- a/.pipelines/build/scripts/azure-ipam.sh +++ b/.pipelines/build/scripts/azure-ipam.sh @@ -1,6 +1,8 @@ #!/bin/bash set -eux +[[ $OS =~ windows ]] && FILE_EXT='exe' || FILE_EXT='bin' + export GOOS=$OS export GOARCH=$ARCH export CGO_ENABLED=0 @@ -10,7 +12,7 @@ mkdir -p "$OUT_DIR"/files pushd "$REPO_ROOT"/azure-ipam go build -v -a -trimpath \ - -o "$OUT_DIR"/bin/azure-ipam \ + -o "$OUT_DIR"/bin/azure-ipam."$FILE_EXT" \ -ldflags "-X github.com/Azure/azure-container-networking/azure-ipam/internal/buildinfo.Version="$AZURE_IPAM_VERSION" -X main.version="$AZURE_IPAM_VERSION"" \ -gcflags="-dwarflocationlists=true" \ . diff --git a/.pipelines/build/scripts/cni.sh b/.pipelines/build/scripts/cni.sh index 811948ca52..60630e9110 100644 --- a/.pipelines/build/scripts/cni.sh +++ b/.pipelines/build/scripts/cni.sh @@ -1,6 +1,8 @@ #!/bin/bash set -eux +[[ $OS =~ windows ]] && FILE_EXT='exe' || FILE_EXT='bin' + mkdir -p "$OUT_DIR"/files mkdir -p "$OUT_DIR"/bin @@ -12,7 +14,7 @@ export CGO_ENABLED=0 CNI_NET_DIR="$REPO_ROOT"/cni/network/plugin pushd "$CNI_NET_DIR" go build -v -a -trimpath \ - -o "$OUT_DIR"/bin/azure-vnet.exe \ + -o "$OUT_DIR"/bin/azure-vnet."$FILE_EXT" \ -ldflags "-X main.version="$CNI_VERSION"" \ -gcflags="-dwarflocationlists=true" \ ./main.go 
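Review bot: The added `[[ $OS =~ windows ]] && FILE_EXT='exe' || FILE_EXT='bin'` in azure-ipam.sh uses an unanchored regex, so any `OS` value that merely contains "windows" selects the Windows extension. An exact comparison written as a plain conditional is clearer: `if [[ $OS == windows ]]; then FILE_EXT='exe'; else FILE_EXT='bin'; fi`. The line is also missing a comment saying why Linux ELF outputs get a `.bin` suffix, for example `# extension lets the signing step's file pattern pick up the binary`, if that is the reason. The same line is added to cni.sh, cns.sh, dropgz.sh, ipv6-hp-bpf.sh and npm.sh in the following hunks.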
@@ -21,7 +23,7 @@ popd STATELESS_CNI_BUILD_DIR="$REPO_ROOT"/cni/network/stateless pushd "$STATELESS_CNI_BUILD_DIR" go build -v -a -trimpath \ - -o "$OUT_DIR"/bin/azure-vnet-stateless.exe \ + -o "$OUT_DIR"/bin/azure-vnet-stateless."$FILE_EXT" \ -ldflags "-X main.version="$CNI_VERSION"" \ -gcflags="-dwarflocationlists=true" \ ./main.go @@ -30,7 +32,7 @@ popd CNI_IPAM_DIR="$REPO_ROOT"/cni/ipam/plugin pushd "$CNI_IPAM_DIR" go build -v -a -trimpath \ - -o "$OUT_DIR"/bin/azure-vnet-ipam.exe \ + -o "$OUT_DIR"/bin/azure-vnet-ipam."$FILE_EXT" \ -ldflags "-X main.version="$CNI_VERSION"" \ -gcflags="-dwarflocationlists=true" \ ./main.go @@ -39,7 +41,7 @@ popd CNI_IPAMV6_DIR="$REPO_ROOT"/cni/ipam/pluginv6 pushd "$CNI_IPAMV6_DIR" go build -v -a -trimpath \ - -o "$OUT_DIR"/bin/azure-vnet-ipamv6.exe \ + -o "$OUT_DIR"/bin/azure-vnet-ipamv6."$FILE_EXT" \ -ldflags "-X main.version="$CNI_VERSION"" \ -gcflags="-dwarflocationlists=true" \ ./main.go @@ -48,7 +50,7 @@ popd CNI_TELEMETRY_DIR="$REPO_ROOT"/cni/telemetry/service pushd "$CNI_TELEMETRY_DIR" go build -v -a -trimpath \ - -o "$OUT_DIR"/bin/azure-vnet-telemetry.exe \ + -o "$OUT_DIR"/bin/azure-vnet-telemetry."$FILE_EXT" \ -ldflags "-X main.version="$CNI_VERSION" -X "$CNI_AI_PATH"="$CNI_AI_ID"" \ -gcflags="-dwarflocationlists=true" \ ./telemetrymain.go diff --git a/.pipelines/build/scripts/cns.sh b/.pipelines/build/scripts/cns.sh index c3094666d5..8011bca0ed 100644 --- a/.pipelines/build/scripts/cns.sh +++ b/.pipelines/build/scripts/cns.sh @@ -1,6 +1,8 @@ #!/bin/bash set -eux +[[ $OS =~ windows ]] && FILE_EXT='exe' || FILE_EXT='bin' + export GOOS=$OS export GOARCH=$ARCH export CGO_ENABLED=0 @@ -11,7 +13,7 @@ mkdir -p "$OUT_DIR"/scripts pushd "$REPO_ROOT"/cns go build -v -a \ - -o "$OUT_DIR"/bin/azure-cns.exe \ + -o "$OUT_DIR"/bin/azure-cns."$FILE_EXT" \ -ldflags "-X main.version="$CNS_VERSION" -X "$CNS_AI_PATH"="$CNS_AI_ID"" \ -gcflags="-dwarflocationlists=true" \ service/*.go 
diff --git a/.pipelines/build/scripts/dropgz.sh b/.pipelines/build/scripts/dropgz.sh index c9734dcb1e..55bd52ff25 100644 --- a/.pipelines/build/scripts/dropgz.sh +++ b/.pipelines/build/scripts/dropgz.sh @@ -1,6 +1,8 @@ #!/bin/bash set -eux +[[ $OS =~ windows ]] && FILE_EXT='exe' || FILE_EXT='bin' + export GOOS=$OS export GOARCH=$ARCH export CGO_ENABLED=0 @@ -43,7 +45,7 @@ echo >&2 "##[section]Build DropGZ with Embedded Payload" pushd "$DROPGZ_BUILD_DIR"/pkg/mod/"$DROPGZ_MOD_DOWNLOAD_PATH" mv "$PAYLOAD_DIR"/* pkg/embed/fs/ go build -v -trimpath -a \ - -o "$OUT_DIR"/bin/dropgz.exe \ + -o "$OUT_DIR"/bin/dropgz."$FILE_EXT" \ -ldflags "-X github.com/Azure/azure-container-networking/dropgz/internal/buildinfo.Version="$DROPGZ_VERSION"" \ -gcflags="-dwarflocationlists=true" \ main.go diff --git a/.pipelines/build/scripts/ipv6-hp-bpf.sh b/.pipelines/build/scripts/ipv6-hp-bpf.sh index 127030b374..34be32f989 100644 --- a/.pipelines/build/scripts/ipv6-hp-bpf.sh +++ b/.pipelines/build/scripts/ipv6-hp-bpf.sh @@ -1,6 +1,8 @@ #!/bin/bash set -eux +[[ $OS =~ windows ]] && FILE_EXT='exe' || FILE_EXT='bin' + export GOOS=$OS export GOARCH=$ARCH export CGO_ENABLED=0 @@ -68,8 +70,8 @@ cp /lib/"$ARCH"/libbsd.so.0 "$OUT_DIR"/lib/ cp /lib/"$ARCH"/libmd.so.0 "$OUT_DIR"/lib/ # Add Needed Binararies -cp /usr/sbin/nft "$OUT_DIR"/bin/nft.exe -cp /sbin/ip "$OUT_DIR"/bin/ip.exe +cp /usr/sbin/nft "$OUT_DIR"/bin/nft."$FILE_EXT" +cp /sbin/ip "$OUT_DIR"/bin/ip."$FILE_EXT" # Build IPv6 HP BPF @@ -82,7 +84,7 @@ pushd "$REPO_ROOT"/bpf-prog/ipv6-hp-bpf go generate ./... go build -v -a -trimpath \ - -o "$OUT_DIR"/bin/ipv6-hp-bpf.exe \ + -o "$OUT_DIR"/bin/ipv6-hp-bpf."$FILE_EXT" \ -ldflags "-X main.version="$IPV6_HP_BPF_VERSION"" \ -gcflags="-dwarflocationlists=true" . popd diff --git a/.pipelines/build/scripts/npm.sh b/.pipelines/build/scripts/npm.sh index acb7533e7b..6f090be06e 100644 --- a/.pipelines/build/scripts/npm.sh +++ b/.pipelines/build/scripts/npm.sh 
@@ -1,6 +1,8 @@ #!/bin/bash set -eux +[[ $OS =~ windows ]] && FILE_EXT='exe' || FILE_EXT='bin' + export GOOS=$OS export GOARCH=$ARCH export CGO_ENABLED=0 @@ -11,7 +13,7 @@ mkdir -p "$OUT_DIR"/scripts pushd "$REPO_ROOT"/npm go build -a -v -trimpath \ - -o "$OUT_DIR"/bin/azure-npm.exe \ + -o "$OUT_DIR"/bin/azure-npm."$FILE_EXT" \ -ldflags "-X main.version="$NPM_VERSION" -X "$NPM_AI_PATH"="$NPM_AI_ID"" \ -gcflags="-dwarflocationlists=true" \ ./cmd/*.go From 0dca5ea3f90e5d10e2d59b7031a77ca07671eaab Mon Sep 17 00:00:00 2001 From: Sheyla Trudo Date: Thu, 15 May 2025 15:49:43 -0700 Subject: [PATCH 041/154] fixup! Use Signed Binaries for Docker Build --- .../build/dockerfiles/azure-ipam.Dockerfile | 2 +- .pipelines/build/dockerfiles/cni.Dockerfile | 2 +- .pipelines/build/dockerfiles/cns.Dockerfile | 2 +- .../build/dockerfiles/ipv6-hp-bpf.Dockerfile | 6 +- .pipelines/build/dockerfiles/npm.Dockerfile | 2 +- .pipelines/build/images.jobs.yaml | 5 +- .pipelines/build/scripts/azure-ipam.sh | 4 +- .pipelines/build/scripts/cni.sh | 10 +- .pipelines/build/scripts/cns.sh | 4 +- .pipelines/build/scripts/dropgz.sh | 4 +- .pipelines/build/scripts/ipv6-hp-bpf.sh | 8 +- .pipelines/build/scripts/npm.sh | 4 +- .pipelines/run-pipeline.yaml | 125 ------------------ 13 files changed, 28 insertions(+), 150 deletions(-) diff --git a/.pipelines/build/dockerfiles/azure-ipam.Dockerfile b/.pipelines/build/dockerfiles/azure-ipam.Dockerfile index d5010f13b0..fd7bfa13a8 100644 --- a/.pipelines/build/dockerfiles/azure-ipam.Dockerfile +++ b/.pipelines/build/dockerfiles/azure-ipam.Dockerfile @@ -1,7 +1,7 @@ ARG ARTIFACT_DIR FROM scratch AS linux -COPY ${ARTIFACT_DIR}/bin/dropgz.bin dropgz +COPY ${ARTIFACT_DIR}/bin/dropgz dropgz ENTRYPOINT [ "/dropgz" ] diff --git a/.pipelines/build/dockerfiles/cni.Dockerfile b/.pipelines/build/dockerfiles/cni.Dockerfile index 737902f6d8..aa288d093b 100644 --- a/.pipelines/build/dockerfiles/cni.Dockerfile +++ b/.pipelines/build/dockerfiles/cni.Dockerfile 
@@ -2,7 +2,7 @@ ARG ARCH ARG ARTIFACT_DIR FROM scratch AS linux -ADD ${ARTIFACT_DIR}/bin/dropgz.bin dropgz +ADD ${ARTIFACT_DIR}/bin/dropgz dropgz ENTRYPOINT [ "/dropgz" ] diff --git a/.pipelines/build/dockerfiles/cns.Dockerfile b/.pipelines/build/dockerfiles/cns.Dockerfile index 4136702b1c..4f5629c56d 100644 --- a/.pipelines/build/dockerfiles/cns.Dockerfile +++ b/.pipelines/build/dockerfiles/cns.Dockerfile @@ -9,7 +9,7 @@ RUN tdnf install -y iptables FROM mcr.microsoft.com/cbl-mariner/distroless/minimal@sha256:7778a86d86947d5f64c1280a7ee0cf36c6c6d76b5749dd782fbcc14f113961bf AS linux COPY --from=iptables /usr/sbin/*tables* /usr/sbin/ COPY --from=iptables /usr/lib /usr/lib -COPY ${ARTIFACT_DIR}/bin/azure-cns.bin /usr/local/bin/azure-cns +COPY ${ARTIFACT_DIR}/bin/azure-cns /usr/local/bin/azure-cns ENTRYPOINT [ "/usr/local/bin/azure-cns" ] EXPOSE 10090 diff --git a/.pipelines/build/dockerfiles/ipv6-hp-bpf.Dockerfile b/.pipelines/build/dockerfiles/ipv6-hp-bpf.Dockerfile index d021d0a048..693b95c07c 100644 --- a/.pipelines/build/dockerfiles/ipv6-hp-bpf.Dockerfile +++ b/.pipelines/build/dockerfiles/ipv6-hp-bpf.Dockerfile @@ -2,7 +2,7 @@ ARG ARTIFACT_DIR FROM mcr.microsoft.com/cbl-mariner/distroless/minimal:2.0 AS linux COPY ${ARTIFACT_DIR}/lib/* /lib -COPY ${ARTIFACT_DIR}/bin/ipv6-hp-bpf.bin /ipv6-hp-bpf -COPY ${ARTIFACT_DIR}/bin/nft.bin /usr/sbin/nft -COPY ${ARTIFACT_DIR}/bin/ip.bin /sbin/ip +COPY ${ARTIFACT_DIR}/bin/ipv6-hp-bpf /ipv6-hp-bpf +COPY ${ARTIFACT_DIR}/bin/nft /usr/sbin/nft +COPY ${ARTIFACT_DIR}/bin/ip /sbin/ip CMD ["/ipv6-hp-bpf"] diff --git a/.pipelines/build/dockerfiles/npm.Dockerfile b/.pipelines/build/dockerfiles/npm.Dockerfile index d4863c8d50..ac24ce09c1 100644 --- a/.pipelines/build/dockerfiles/npm.Dockerfile +++ b/.pipelines/build/dockerfiles/npm.Dockerfile 
@@ -7,7 +7,7 @@ RUN apt-get update && \ apt-get autoremove -y && \ apt-get clean -COPY ${ARTIFACT_DIR}/bin/azure-npm.bin /usr/bin/azure-npm +COPY ${ARTIFACT_DIR}/bin/azure-npm /usr/bin/azure-npm RUN chmod +x /usr/bin/azure-npm ENTRYPOINT ["/usr/bin/azure-npm", "start"] diff --git a/.pipelines/build/images.jobs.yaml b/.pipelines/build/images.jobs.yaml index b49df61651..003b17f7d4 100644 --- a/.pipelines/build/images.jobs.yaml +++ b/.pipelines/build/images.jobs.yaml @@ -78,7 +78,10 @@ jobs: scriptPath: $(REPO_ROOT)/.pipelines/build/scripts/dropgz.sh - task: onebranch.pipeline.signing@1 - condition: and(succeeded(), eq(variables.packageWithDropGZ, 'True')) + condition: and( + succeeded(), + eq(variables.os, 'windows'), + eq(variables.packageWithDropGZ, 'True')) inputs: command: 'sign' signing_profile: 'external_distribution' diff --git a/.pipelines/build/scripts/azure-ipam.sh b/.pipelines/build/scripts/azure-ipam.sh index 14137a2d4d..64e6c9826f 100644 --- a/.pipelines/build/scripts/azure-ipam.sh +++ b/.pipelines/build/scripts/azure-ipam.sh @@ -1,7 +1,7 @@ #!/bin/bash set -eux -[[ $OS =~ windows ]] && FILE_EXT='exe' || FILE_EXT='bin' +[[ $OS =~ windows ]] && FILE_EXT='.exe' || FILE_EXT='' export GOOS=$OS export GOARCH=$ARCH @@ -12,7 +12,7 @@ mkdir -p "$OUT_DIR"/files pushd "$REPO_ROOT"/azure-ipam go build -v -a -trimpath \ - -o "$OUT_DIR"/bin/azure-ipam."$FILE_EXT" \ + -o "$OUT_DIR"/bin/azure-ipam"$FILE_EXT" \ -ldflags "-X github.com/Azure/azure-container-networking/azure-ipam/internal/buildinfo.Version="$AZURE_IPAM_VERSION" -X main.version="$AZURE_IPAM_VERSION"" \ -gcflags="-dwarflocationlists=true" \ . diff --git a/.pipelines/build/scripts/cni.sh b/.pipelines/build/scripts/cni.sh index 60630e9110..c7985037a1 100644 --- a/.pipelines/build/scripts/cni.sh +++ b/.pipelines/build/scripts/cni.sh 
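Review bot: The added `eq(variables.os, 'windows')` clause in the `onebranch.pipeline.signing@1` condition of images.jobs.yaml means Linux jobs with `packageWithDropGZ` now skip the signing task entirely. For a series titled "Use Signed Binaries for Docker Build" that is a notable reduction: the Linux dropgz binary and its embedded payload go into the image unsigned, and nothing in the job records that this is deliberate. If it is intended, state it above the condition, for example `# Only Windows PE binaries are signed here; Linux ELF outputs are not signed because <reason>`. Otherwise keep the original condition so both platforms go through the signing step. The task's `inputs:` continue past the end of this hunk.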
@@ -14,7 +14,7 @@ export CGO_ENABLED=0 CNI_NET_DIR="$REPO_ROOT"/cni/network/plugin pushd "$CNI_NET_DIR" go build -v -a -trimpath \ - -o "$OUT_DIR"/bin/azure-vnet."$FILE_EXT" \ + -o "$OUT_DIR"/bin/azure-vnet"$FILE_EXT" \ -ldflags "-X main.version="$CNI_VERSION"" \ -gcflags="-dwarflocationlists=true" \ ./main.go @@ -23,7 +23,7 @@ popd STATELESS_CNI_BUILD_DIR="$REPO_ROOT"/cni/network/stateless pushd "$STATELESS_CNI_BUILD_DIR" go build -v -a -trimpath \ - -o "$OUT_DIR"/bin/azure-vnet-stateless."$FILE_EXT" \ + -o "$OUT_DIR"/bin/azure-vnet-stateless"$FILE_EXT" \ -ldflags "-X main.version="$CNI_VERSION"" \ -gcflags="-dwarflocationlists=true" \ ./main.go @@ -32,7 +32,7 @@ popd CNI_IPAM_DIR="$REPO_ROOT"/cni/ipam/plugin pushd "$CNI_IPAM_DIR" go build -v -a -trimpath \ - -o "$OUT_DIR"/bin/azure-vnet-ipam."$FILE_EXT" \ + -o "$OUT_DIR"/bin/azure-vnet-ipam"$FILE_EXT" \ -ldflags "-X main.version="$CNI_VERSION"" \ -gcflags="-dwarflocationlists=true" \ ./main.go @@ -41,7 +41,7 @@ popd CNI_IPAMV6_DIR="$REPO_ROOT"/cni/ipam/pluginv6 pushd "$CNI_IPAMV6_DIR" go build -v -a -trimpath \ - -o "$OUT_DIR"/bin/azure-vnet-ipamv6."$FILE_EXT" \ + -o "$OUT_DIR"/bin/azure-vnet-ipamv6"$FILE_EXT" \ -ldflags "-X main.version="$CNI_VERSION"" \ -gcflags="-dwarflocationlists=true" \ ./main.go @@ -50,7 +50,7 @@ popd CNI_TELEMETRY_DIR="$REPO_ROOT"/cni/telemetry/service pushd "$CNI_TELEMETRY_DIR" go build -v -a -trimpath \ - -o "$OUT_DIR"/bin/azure-vnet-telemetry."$FILE_EXT" \ + -o "$OUT_DIR"/bin/azure-vnet-telemetry"$FILE_EXT" \ -ldflags "-X main.version="$CNI_VERSION" -X "$CNI_AI_PATH"="$CNI_AI_ID"" \ -gcflags="-dwarflocationlists=true" \ ./telemetrymain.go diff --git a/.pipelines/build/scripts/cns.sh b/.pipelines/build/scripts/cns.sh index 8011bca0ed..e7dde9a368 100644 --- a/.pipelines/build/scripts/cns.sh +++ b/.pipelines/build/scripts/cns.sh 
@@ -1,7 +1,7 @@ #!/bin/bash set -eux -[[ $OS =~ windows ]] && FILE_EXT='exe' || FILE_EXT='bin' +[[ $OS =~ windows ]] && FILE_EXT='.exe' || FILE_EXT='' export GOOS=$OS export GOARCH=$ARCH @@ -13,7 +13,7 @@ mkdir -p "$OUT_DIR"/scripts pushd "$REPO_ROOT"/cns go build -v -a \ - -o "$OUT_DIR"/bin/azure-cns."$FILE_EXT" \ + -o "$OUT_DIR"/bin/azure-cns"$FILE_EXT" \ -ldflags "-X main.version="$CNS_VERSION" -X "$CNS_AI_PATH"="$CNS_AI_ID"" \ -gcflags="-dwarflocationlists=true" \ service/*.go diff --git a/.pipelines/build/scripts/dropgz.sh b/.pipelines/build/scripts/dropgz.sh index 55bd52ff25..0f18687d00 100644 --- a/.pipelines/build/scripts/dropgz.sh +++ b/.pipelines/build/scripts/dropgz.sh @@ -1,7 +1,7 @@ #!/bin/bash set -eux -[[ $OS =~ windows ]] && FILE_EXT='exe' || FILE_EXT='bin' +[[ $OS =~ windows ]] && FILE_EXT='.exe' || FILE_EXT='' export GOOS=$OS export GOARCH=$ARCH @@ -45,7 +45,7 @@ echo >&2 "##[section]Build DropGZ with Embedded Payload" pushd "$DROPGZ_BUILD_DIR"/pkg/mod/"$DROPGZ_MOD_DOWNLOAD_PATH" mv "$PAYLOAD_DIR"/* pkg/embed/fs/ go build -v -trimpath -a \ - -o "$OUT_DIR"/bin/dropgz."$FILE_EXT" \ + -o "$OUT_DIR"/bin/dropgz"$FILE_EXT" \ -ldflags "-X github.com/Azure/azure-container-networking/dropgz/internal/buildinfo.Version="$DROPGZ_VERSION"" \ -gcflags="-dwarflocationlists=true" \ main.go diff --git a/.pipelines/build/scripts/ipv6-hp-bpf.sh b/.pipelines/build/scripts/ipv6-hp-bpf.sh index 34be32f989..844d694ab0 100644 --- a/.pipelines/build/scripts/ipv6-hp-bpf.sh +++ b/.pipelines/build/scripts/ipv6-hp-bpf.sh @@ -1,7 +1,7 @@ #!/bin/bash set -eux -[[ $OS =~ windows ]] && FILE_EXT='exe' || FILE_EXT='bin' +[[ $OS =~ windows ]] && FILE_EXT='.exe' || FILE_EXT='' export GOOS=$OS export GOARCH=$ARCH 
@@ -70,8 +70,8 @@ cp /lib/"$ARCH"/libbsd.so.0 "$OUT_DIR"/lib/ cp /lib/"$ARCH"/libmd.so.0 "$OUT_DIR"/lib/ # Add Needed Binararies -cp /usr/sbin/nft "$OUT_DIR"/bin/nft."$FILE_EXT" -cp /sbin/ip "$OUT_DIR"/bin/ip."$FILE_EXT" +cp /usr/sbin/nft "$OUT_DIR"/bin/nft"$FILE_EXT" +cp /sbin/ip "$OUT_DIR"/bin/ip"$FILE_EXT" # Build IPv6 HP BPF @@ -84,7 +84,7 @@ pushd "$REPO_ROOT"/bpf-prog/ipv6-hp-bpf go generate ./... go build -v -a -trimpath \ - -o "$OUT_DIR"/bin/ipv6-hp-bpf."$FILE_EXT" \ + -o "$OUT_DIR"/bin/ipv6-hp-bpf"$FILE_EXT" \ -ldflags "-X main.version="$IPV6_HP_BPF_VERSION"" \ -gcflags="-dwarflocationlists=true" . popd diff --git a/.pipelines/build/scripts/npm.sh b/.pipelines/build/scripts/npm.sh index 6f090be06e..83eac20b7d 100644 --- a/.pipelines/build/scripts/npm.sh +++ b/.pipelines/build/scripts/npm.sh @@ -1,7 +1,7 @@ #!/bin/bash set -eux -[[ $OS =~ windows ]] && FILE_EXT='exe' || FILE_EXT='bin' +[[ $OS =~ windows ]] && FILE_EXT='.exe' || FILE_EXT='' export GOOS=$OS export GOARCH=$ARCH @@ -13,7 +13,7 @@ mkdir -p "$OUT_DIR"/scripts pushd "$REPO_ROOT"/npm go build -a -v -trimpath \ - -o "$OUT_DIR"/bin/azure-npm."$FILE_EXT" \ + -o "$OUT_DIR"/bin/azure-npm"$FILE_EXT" \ -ldflags "-X main.version="$NPM_VERSION" -X "$NPM_AI_PATH"="$NPM_AI_ID"" \ -gcflags="-dwarflocationlists=true" \ ./cmd/*.go diff --git a/.pipelines/run-pipeline.yaml b/.pipelines/run-pipeline.yaml index 48edb6343f..f751e08e56 100644 --- a/.pipelines/run-pipeline.yaml +++ b/.pipelines/run-pipeline.yaml 
@@ -47,77 +47,6 @@ stages: IPV6_HP_BPF_VERSION: $[ stageDependencies.setup.env.outputs['EnvironmentalVariables.ipv6HpBpfVersion'] ] NPM_VERSION: $[ stageDependencies.setup.env.outputs['EnvironmentalVariables.npmVersion'] ] jobs: -# - template: build/binaries.jobs.yaml -# parameters: -# binaries: -# - job: linux_amd64 -# displayName: "Linux/AMD64" -# templateContext: -# action: build -# isOfficial: ${{ parameters.isOfficial }} -# repositoryArtifact: drop_setup_env_source -# strategy: -# maxParallel: 5 -# matrix: -# azure_ipam: -# name: azure-ipam-archive -# artifact: azure-ipam -# cni: -# name: cni-archive -# artifact: cni -# cns: -# name: cns-archive -# artifact: cns -# ipv6_hp_bpf: -# name: ipv6-hp-bpf-archive -# artifact: ipv6-hp-bpf -# npm: -# name: npm-archive -# artifact: npm -# - job: windows_amd64 -# displayName: "Windows/AMD64" -# templateContext: -# action: build -# isOfficial: ${{ parameters.isOfficial }} -# repositoryArtifact: drop_setup_env_source -# strategy: -# maxParallel: 5 -# matrix: -# cni: -# name: cni-archive -# artifact: cni -# cns: -# name: cns-archive -# artifact: cns -# npm: -# name: npm-archive -# artifact: npm -# - job: linux_arm64 -# displayName: "Linux/ARM64" -# templateContext: -# action: build -# isOfficial: ${{ parameters.isOfficial }} -# repositoryArtifact: drop_setup_env_source -# strategy: -# maxParallel: 5 -# matrix: -# azure_ipam: -# name: azure-ipam-archive -# artifact: azure-ipam -# cni: -# name: cni-archive -# artifact: cni -# cns: -# name: cns-archive -# artifact: cns -# ipv6_hp_bpf: -# name: ipv6-hp-bpf-archive -# artifact: ipv6-hp-bpf -# npm: -# name: npm-archive -# artifact: npm - - - template: /.pipelines/build/images.jobs.yaml parameters: images: 
@@ -278,60 +207,6 @@ stages: NPM_LINUX_ARM64_REF: $(IMAGE_REPO_PATH)/linux-arm64/npm:$(Build.BuildNumber) NPM_WINDOWS_AMD64_REF: $(IMAGE_REPO_PATH)/windows-amd64/npm:$(Build.BuildNumber) jobs: -# - template: build/binaries.jobs.yaml -# parameters: -# binaries: -# - job: linux_amd64 -# displayName: "Linux/AMD64" -# templateContext: -# action: sign -# isOfficial: ${{ parameters.isOfficial }} -# repositoryArtifact: drop_build_binaries_linux_amd64_$(artifact) -# strategy: -# matrix: -# azure_ipam: -# artifact: azure-ipam -# cni: -# artifact: cni -# cns: -# artifact: cns -# ipv6_hp_bpf: -# artifact: ipv6-hp-bpf -# npm: -# artifact: npm -# - job: windows_amd64 -# displayName: "Windows/AMD64" -# templateContext: -# action: sign -# isOfficial: ${{ parameters.isOfficial }} -# repositoryArtifact: drop_build_binaries_windows_amd64_$(artifact) -# strategy: -# matrix: -# cni: -# artifact: cni -# cns: -# artifact: cns -# npm: -# artifact: npm -# - job: linux_arm64 -# displayName: "Linux/ARM64" -# templateContext: -# action: sign -# isOfficial: ${{ parameters.isOfficial }} -# repositoryArtifact: drop_build_binaries_linux_arm64_$(artifact) -# strategy: -# matrix: -# azure_ipam: -# artifact: azure-ipam -# cni: -# artifact: cni -# cns: -# artifact: cns -# ipv6_hp_bpf: -# artifact: ipv6-hp-bpf -# npm: -# artifact: npm - - template: build/manifests.jobs.yaml parameters: From c62243568b007e3a734094c1681a36e33848cfde Mon Sep 17 00:00:00 2001 From: Sheyla Trudo Date: Thu, 15 May 2025 15:58:04 -0700 Subject: [PATCH 042/154] fixup! Use Signed Binaries for Docker Build --- .pipelines/build/scripts/ipv6-hp-bpf.sh | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.pipelines/build/scripts/ipv6-hp-bpf.sh b/.pipelines/build/scripts/ipv6-hp-bpf.sh index 844d694ab0..57e9a16646 100644 --- a/.pipelines/build/scripts/ipv6-hp-bpf.sh +++ b/.pipelines/build/scripts/ipv6-hp-bpf.sh 
@@ -35,14 +35,14 @@ if [[ -f /etc/debian_version ]];then # Mariner else - tdnf install -y llvm clang libbpf-devel nftables gcc binutils iproute cross-gcc + tdnf install -y llvm clang libbpf-devel nftables gcc binutils iproute if [[ $ARCH =~ amd64 ]]; then ARCH=x86_64-linux-gnu - #tdnf install -y gcc-x86_64-linux-gnu + tdnf install -y cross-gcc cp /usr/lib/"$ARCH"/ld-linux-x86-64.so.2 "$OUT_DIR"/lib/ || find /usr/lib/ -name 'ld-linux-x86-64.so.2' elif [[ $ARCH =~ arm64 ]]; then ARCH=aarch64-linux-gnu - #tdnf install -y gcc-aarch64-linux-gnu + tdnf install -y gcc-aarch64-linux-gnu cp /usr/lib/"$ARCH"/ld-linux-aarch64.so.1 "$OUT_DIR"/lib/ || find /usr/lib/ -name 'ld-linux-aarch64.so.1' fi for dir in /usr/include/"$ARCH"/*; do From ec48952a604dadee93bcb33fb322289841e7627a Mon Sep 17 00:00:00 2001 From: Sheyla Trudo Date: Thu, 15 May 2025 17:39:35 -0700 Subject: [PATCH 043/154] fixup! Use Signed Binaries for Docker Build --- .pipelines/build/images.jobs.yaml | 15 ++++++--------- .pipelines/build/scripts/ipv6-hp-bpf.sh | 9 ++++----- 2 files changed, 10 insertions(+), 14 deletions(-) diff --git a/.pipelines/build/images.jobs.yaml b/.pipelines/build/images.jobs.yaml index 003b17f7d4..706c1fa4f1 100644 --- a/.pipelines/build/images.jobs.yaml +++ b/.pipelines/build/images.jobs.yaml @@ -10,9 +10,6 @@ jobs: strategy: ${{ job_data.strategy }} pool: type: linux - ${{ if eq(job_data.job, 'linux_arm64') }}: - hostArchitecture: arm64 - variables: ob_artifactSuffix: _$(name) ob_git_checkout: false 
@@ -25,22 +22,22 @@ jobs: ob_outputDirectory: $(Build.ArtifactStagingDirectory) ${{ if eq(job_data.job, 'linux_amd64') }}: LinuxContainerImage: 'onebranch.azurecr.io/linux/ubuntu-2204:latest' - ARCH: amd64 - GOARCH: amd64 OS: linux + ARCH: amd64 GOOS: linux + GOARCH: amd64 ${{ elseif eq(job_data.job, 'windows_amd64') }}: LinuxContainerImage: 'onebranch.azurecr.io/linux/ubuntu-2204:latest' - ARCH: amd64 - GOARCH: amd64 OS: windows + ARCH: amd64 GOOS: windows + GOARCH: amd64 ${{ elseif eq(job_data.job, 'linux_arm64') }}: ob_enable_qemu: true - ARCH: arm64 - GOARCH: arm64 OS: linux + ARCH: amd64 GOOS: linux + GOARCH: arm64 steps: - task: DownloadPipelineArtifact@2 inputs: diff --git a/.pipelines/build/scripts/ipv6-hp-bpf.sh b/.pipelines/build/scripts/ipv6-hp-bpf.sh index 57e9a16646..3344f45517 100644 --- a/.pipelines/build/scripts/ipv6-hp-bpf.sh +++ b/.pipelines/build/scripts/ipv6-hp-bpf.sh @@ -34,15 +34,14 @@ if [[ -f /etc/debian_version ]];then # Mariner +# This is not set up to build on arm _hosts_ else - tdnf install -y llvm clang libbpf-devel nftables gcc binutils iproute - if [[ $ARCH =~ amd64 ]]; then + tdnf install -y llvm clang libbpf-devel nftables gcc binutils iproute cross-gcc + if [[ $GOARCH =~ amd64 ]]; then ARCH=x86_64-linux-gnu - tdnf install -y cross-gcc cp /usr/lib/"$ARCH"/ld-linux-x86-64.so.2 "$OUT_DIR"/lib/ || find /usr/lib/ -name 'ld-linux-x86-64.so.2' - elif [[ $ARCH =~ arm64 ]]; then + elif [[ $GOARCH =~ arm64 ]]; then ARCH=aarch64-linux-gnu - tdnf install -y gcc-aarch64-linux-gnu cp /usr/lib/"$ARCH"/ld-linux-aarch64.so.1 "$OUT_DIR"/lib/ || find /usr/lib/ -name 'ld-linux-aarch64.so.1' fi for dir in /usr/include/"$ARCH"/*; do From 18eb0190d2aa93c0d634dbb591e1e899e91aeb77 Mon Sep 17 00:00:00 2001 From: Sheyla Trudo Date: Thu, 15 May 2025 20:30:17 -0700 Subject: [PATCH 044/154] fixup! Use Signed Binaries for Docker Build --- .pipelines/build/scripts/ipv6-hp-bpf.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/.pipelines/build/scripts/ipv6-hp-bpf.sh b/.pipelines/build/scripts/ipv6-hp-bpf.sh index 3344f45517..325ceefec7 100644 --- a/.pipelines/build/scripts/ipv6-hp-bpf.sh +++ b/.pipelines/build/scripts/ipv6-hp-bpf.sh @@ -36,7 +36,7 @@ if [[ -f /etc/debian_version ]];then # Mariner # This is not set up to build on arm _hosts_ else - tdnf install -y llvm clang libbpf-devel nftables gcc binutils iproute cross-gcc + tdnf install -y llvm clang libbpf-devel nftables gcc binutils iproute glibc if [[ $GOARCH =~ amd64 ]]; then ARCH=x86_64-linux-gnu cp /usr/lib/"$ARCH"/ld-linux-x86-64.so.2 "$OUT_DIR"/lib/ || find /usr/lib/ -name 'ld-linux-x86-64.so.2' From c3eea8930220799a3040b5826c6f3b72af3f4c22 Mon Sep 17 00:00:00 2001 From: Sheyla Trudo Date: Thu, 15 May 2025 20:43:24 -0700 Subject: [PATCH 045/154] fixup! Use Signed Binaries for Docker Build --- .pipelines/build/images.jobs.yaml | 6 +++--- .pipelines/build/scripts/azure-ipam.sh | 4 +--- .pipelines/build/scripts/cni.sh | 4 +--- .pipelines/build/scripts/cns.sh | 4 +--- .pipelines/build/scripts/dropgz.sh | 4 +--- .pipelines/build/scripts/ipv6-hp-bpf.sh | 5 ++--- .pipelines/build/scripts/npm.sh | 4 +--- 7 files changed, 10 insertions(+), 21 deletions(-) diff --git a/.pipelines/build/images.jobs.yaml b/.pipelines/build/images.jobs.yaml index 706c1fa4f1..ab93d8c085 100644 --- a/.pipelines/build/images.jobs.yaml +++ b/.pipelines/build/images.jobs.yaml 
@@ -20,15 +20,15 @@ jobs: DROPGZ_VERSION: v0.0.12 DEBUG: $[ coalesce(variables['System.Debug'], 'False') ] ob_outputDirectory: $(Build.ArtifactStagingDirectory) + LinuxContainerImage: 'onebranch.azurecr.io/linux/ubuntu-2204:latest' ${{ if eq(job_data.job, 'linux_amd64') }}: - LinuxContainerImage: 'onebranch.azurecr.io/linux/ubuntu-2204:latest' OS: linux ARCH: amd64 GOOS: linux GOARCH: amd64 ${{ elseif eq(job_data.job, 'windows_amd64') }}: - LinuxContainerImage: 'onebranch.azurecr.io/linux/ubuntu-2204:latest' - OS: windows + ob_enable_qemu: true + OS: linux ARCH: amd64 GOOS: windows GOARCH: amd64 diff --git a/.pipelines/build/scripts/azure-ipam.sh b/.pipelines/build/scripts/azure-ipam.sh index 64e6c9826f..625d027a81 100644 --- a/.pipelines/build/scripts/azure-ipam.sh +++ b/.pipelines/build/scripts/azure-ipam.sh @@ -1,10 +1,8 @@ #!/bin/bash set -eux -[[ $OS =~ windows ]] && FILE_EXT='.exe' || FILE_EXT='' +[[ $GOOS =~ windows ]] && FILE_EXT='.exe' || FILE_EXT='' -export GOOS=$OS -export GOARCH=$ARCH export CGO_ENABLED=0 mkdir -p "$OUT_DIR"/bin diff --git a/.pipelines/build/scripts/cni.sh b/.pipelines/build/scripts/cni.sh index c7985037a1..f16ae5d116 100644 --- a/.pipelines/build/scripts/cni.sh +++ b/.pipelines/build/scripts/cni.sh @@ -1,13 +1,11 @@ #!/bin/bash set -eux -[[ $OS =~ windows ]] && FILE_EXT='exe' || FILE_EXT='bin' +[[ $GOOS =~ windows ]] && FILE_EXT='exe' || FILE_EXT='bin' mkdir -p "$OUT_DIR"/files mkdir -p "$OUT_DIR"/bin -export GOOS=$OS -export GOARCH=$ARCH export CGO_ENABLED=0 diff --git a/.pipelines/build/scripts/cns.sh b/.pipelines/build/scripts/cns.sh index e7dde9a368..2697f41387 100644 --- a/.pipelines/build/scripts/cns.sh +++ b/.pipelines/build/scripts/cns.sh @@ -1,10 +1,8 @@ #!/bin/bash set -eux -[[ $OS =~ windows ]] && FILE_EXT='.exe' || FILE_EXT='' +[[ $GOOS =~ windows ]] && FILE_EXT='.exe' || FILE_EXT='' -export GOOS=$OS -export GOARCH=$ARCH export CGO_ENABLED=0 mkdir -p "$OUT_DIR"/files 
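Review bot: The added `LinuxContainerImage: 'onebranch.azurecr.io/linux/ubuntu-2204:latest'` at the shared variables level makes every packaging job, including the ones that feed the signing task, run in whatever image the `latest` tag resolves to on the day of the build. Later images.jobs.yaml hunks in this series re-add the same value per job and change it to `ubuntu-2004:latest` for windows_amd64. If the pool accepts digest references, pin it the way azure-ipam.Dockerfile pins its Windows base image, e.g. `LinuxContainerImage: 'onebranch.azurecr.io/linux/ubuntu-2204@sha256:<digest>'`, and record the tag it was resolved from in a comment. The `windows_amd64` block in this hunk also ends up with `OS: linux` next to `GOOS: windows`, which needs a comment saying which of the two the build scripts are meant to read.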
diff --git a/.pipelines/build/scripts/dropgz.sh b/.pipelines/build/scripts/dropgz.sh index 0f18687d00..fb40143567 100644 --- a/.pipelines/build/scripts/dropgz.sh +++ b/.pipelines/build/scripts/dropgz.sh @@ -1,10 +1,8 @@ #!/bin/bash set -eux -[[ $OS =~ windows ]] && FILE_EXT='.exe' || FILE_EXT='' +[[ $GOOS =~ windows ]] && FILE_EXT='.exe' || FILE_EXT='' -export GOOS=$OS -export GOARCH=$ARCH export CGO_ENABLED=0 mkdir -p "$GEN_DIR" diff --git a/.pipelines/build/scripts/ipv6-hp-bpf.sh b/.pipelines/build/scripts/ipv6-hp-bpf.sh index 325ceefec7..40ecf4d666 100644 --- a/.pipelines/build/scripts/ipv6-hp-bpf.sh +++ b/.pipelines/build/scripts/ipv6-hp-bpf.sh @@ -1,10 +1,8 @@ #!/bin/bash set -eux -[[ $OS =~ windows ]] && FILE_EXT='.exe' || FILE_EXT='' +[[ $GOOS =~ windows ]] && FILE_EXT='.exe' || FILE_EXT='' -export GOOS=$OS -export GOARCH=$ARCH export CGO_ENABLED=0 export C_INCLUDE_PATH=/usr/include/bpf @@ -20,6 +18,7 @@ if [[ -f /etc/debian_version ]];then ARCH=x86_64-linux-gnu cp /usr/lib/"$ARCH"/ld-linux-x86-64.so.2 "$OUT_DIR"/lib/ + cp /usr/lib/aarch64-linux-gnu/ld-linux-aarch64.so.1 "$OUT_DIR"/lib/ || echo "Skipped." elif [[ $ARCH =~ arm64 ]]; then apt-get install -y gcc-aarch64-linux-gnu diff --git a/.pipelines/build/scripts/npm.sh b/.pipelines/build/scripts/npm.sh index 83eac20b7d..bbe1fb301e 100644 --- a/.pipelines/build/scripts/npm.sh +++ b/.pipelines/build/scripts/npm.sh @@ -1,10 +1,8 @@ #!/bin/bash set -eux -[[ $OS =~ windows ]] && FILE_EXT='.exe' || FILE_EXT='' +[[ $GOOS =~ windows ]] && FILE_EXT='.exe' || FILE_EXT='' -export GOOS=$OS -export GOARCH=$ARCH export CGO_ENABLED=0 mkdir -p "$OUT_DIR"/files From 6c6dbcd1ac5cd259c734193cae7a6262a51c3aa0 Mon Sep 17 00:00:00 2001 From: Sheyla Trudo Date: Thu, 15 May 2025 21:45:38 -0700 Subject: [PATCH 046/154] fixup! Use Signed Binaries for Docker Build --- .pipelines/build/scripts/ipv6-hp-bpf.sh | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) 
diff --git a/.pipelines/build/scripts/ipv6-hp-bpf.sh b/.pipelines/build/scripts/ipv6-hp-bpf.sh index 40ecf4d666..75c05f27b8 100644 --- a/.pipelines/build/scripts/ipv6-hp-bpf.sh +++ b/.pipelines/build/scripts/ipv6-hp-bpf.sh @@ -13,14 +13,13 @@ mkdir -p "$OUT_DIR"/lib if [[ -f /etc/debian_version ]];then apt-get update -y apt-get install -y llvm clang linux-libc-dev linux-headers-generic libbpf-dev libc6-dev nftables iproute2 - if [[ $ARCH =~ amd64 ]]; then + if [[ $GOARCH =~ amd64 ]]; then apt-get install -y gcc-multilib build-essential binutils ARCH=x86_64-linux-gnu cp /usr/lib/"$ARCH"/ld-linux-x86-64.so.2 "$OUT_DIR"/lib/ - cp /usr/lib/aarch64-linux-gnu/ld-linux-aarch64.so.1 "$OUT_DIR"/lib/ || echo "Skipped." - elif [[ $ARCH =~ arm64 ]]; then + elif [[ $GOARCH =~ arm64 ]]; then apt-get install -y gcc-aarch64-linux-gnu ARCH=aarch64-linux-gnu From fa4cf77a49fce0f94d8d0e0acab85b6167907086 Mon Sep 17 00:00:00 2001 From: Sheyla Trudo Date: Thu, 15 May 2025 23:54:51 -0700 Subject: [PATCH 047/154] fixup! Use Signed Binaries for Docker Build --- .pipelines/build/scripts/ipv6-hp-bpf.sh | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/.pipelines/build/scripts/ipv6-hp-bpf.sh b/.pipelines/build/scripts/ipv6-hp-bpf.sh index 75c05f27b8..9967100be5 100644 --- a/.pipelines/build/scripts/ipv6-hp-bpf.sh +++ b/.pipelines/build/scripts/ipv6-hp-bpf.sh @@ -23,7 +23,10 @@ if [[ -f /etc/debian_version ]];then apt-get install -y gcc-aarch64-linux-gnu ARCH=aarch64-linux-gnu - cp /usr/lib/"$ARCH"/ld-linux-aarch64.so.1 "$OUT_DIR"/lib/ + ls -la /usr/lib + ls -la /usr/lib/"$ARCH" || true + ls -la /usr/lib/"$GOARCH" || true + cp /usr/lib/"$ARCH"/ld-linux-aarch64.so.1 "$OUT_DIR"/lib/ || true fi for dir in /usr/include/"$ARCH"/*; do From 46c56e3c8179a0c5378c96e3e689d99dbaed643d Mon Sep 17 00:00:00 2001 
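Review bot: In the arm64 branch, `cp /usr/lib/"$ARCH"/ld-linux-aarch64.so.1 "$OUT_DIR"/lib/ || true` turns a missing dynamic loader into a successful build, so a package without the loader can reach the image stage and only fail when the container starts. Check for the file and stop with a message instead, e.g. `[[ -f /usr/lib/"$ARCH"/ld-linux-aarch64.so.1 ]] || { echo >&2 "ld-linux-aarch64.so.1 not found"; exit 1; }` before the `cp`. The three added `ls -la` lines look like temporary diagnostics; if they stay, a comment should say so. The Mariner branch repeats the pattern in later hunks of this series (`cp ... || find ... || true`). The enclosing `if` block starts and ends outside the hunk.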
From: Sheyla Trudo Date: Fri, 16 May 2025 11:06:49 -0700 Subject: [PATCH 048/154] fixup! Use Signed Binaries for Docker Build --- .pipelines/build/images.jobs.yaml | 5 ++++- .pipelines/build/scripts/ipv6-hp-bpf.sh | 7 +++---- 2 files changed, 7 insertions(+), 5 deletions(-) diff --git a/.pipelines/build/images.jobs.yaml b/.pipelines/build/images.jobs.yaml index ab93d8c085..9afe3a9777 100644 --- a/.pipelines/build/images.jobs.yaml +++ b/.pipelines/build/images.jobs.yaml @@ -10,6 +10,9 @@ jobs: strategy: ${{ job_data.strategy }} pool: type: linux + ${{ if eq(job_data.job, 'linux_arm64') }}: + hostArchitecture: arm64 + variables: ob_artifactSuffix: _$(name) ob_git_checkout: false @@ -35,7 +38,7 @@ jobs: ${{ elseif eq(job_data.job, 'linux_arm64') }}: ob_enable_qemu: true OS: linux - ARCH: amd64 + ARCH: arm64 GOOS: linux GOARCH: arm64 steps: diff --git a/.pipelines/build/scripts/ipv6-hp-bpf.sh b/.pipelines/build/scripts/ipv6-hp-bpf.sh index 9967100be5..581c30939d 100644 --- a/.pipelines/build/scripts/ipv6-hp-bpf.sh +++ b/.pipelines/build/scripts/ipv6-hp-bpf.sh @@ -13,13 +13,13 @@ mkdir -p "$OUT_DIR"/lib if [[ -f /etc/debian_version ]];then apt-get update -y apt-get install -y llvm clang linux-libc-dev linux-headers-generic libbpf-dev libc6-dev nftables iproute2 - if [[ $GOARCH =~ amd64 ]]; then - apt-get install -y gcc-multilib build-essential binutils + if [[ $ARCH =~ amd64 ]]; then + apt-get install -y gcc-multilib ARCH=x86_64-linux-gnu cp /usr/lib/"$ARCH"/ld-linux-x86-64.so.2 "$OUT_DIR"/lib/ - elif [[ $GOARCH =~ arm64 ]]; then + elif [[ $ARCH =~ arm64 ]]; then apt-get install -y gcc-aarch64-linux-gnu ARCH=aarch64-linux-gnu @@ -35,7 +35,6 @@ if [[ -f /etc/debian_version ]];then # Mariner -# This is not set up to build on arm _hosts_ else tdnf install -y llvm clang libbpf-devel nftables gcc binutils iproute glibc if [[ $GOARCH =~ amd64 ]]; then From 30ef1ac78e4effdd20cbc463651c53942206d7f7 Mon Sep 17 00:00:00 2001 
From: Sheyla Trudo Date: Fri, 16 May 2025 11:36:55 -0700 Subject: [PATCH 049/154] fixup! Use Signed Binaries for Docker Build --- .pipelines/build/images.jobs.yaml | 3 ++- .pipelines/build/scripts/ipv6-hp-bpf.sh | 6 +++--- 2 files changed, 5 insertions(+), 4 deletions(-) diff --git a/.pipelines/build/images.jobs.yaml b/.pipelines/build/images.jobs.yaml index 9afe3a9777..341590b4ec 100644 --- a/.pipelines/build/images.jobs.yaml +++ b/.pipelines/build/images.jobs.yaml @@ -23,13 +23,14 @@ jobs: DROPGZ_VERSION: v0.0.12 DEBUG: $[ coalesce(variables['System.Debug'], 'False') ] ob_outputDirectory: $(Build.ArtifactStagingDirectory) - LinuxContainerImage: 'onebranch.azurecr.io/linux/ubuntu-2204:latest' ${{ if eq(job_data.job, 'linux_amd64') }}: + LinuxContainerImage: 'onebranch.azurecr.io/linux/ubuntu-2204:latest' OS: linux ARCH: amd64 GOOS: linux GOARCH: amd64 ${{ elseif eq(job_data.job, 'windows_amd64') }}: + LinuxContainerImage: 'onebranch.azurecr.io/linux/ubuntu-2204:latest' ob_enable_qemu: true OS: linux ARCH: amd64 diff --git a/.pipelines/build/scripts/ipv6-hp-bpf.sh b/.pipelines/build/scripts/ipv6-hp-bpf.sh index 581c30939d..cff2a16e6b 100644 --- a/.pipelines/build/scripts/ipv6-hp-bpf.sh +++ b/.pipelines/build/scripts/ipv6-hp-bpf.sh @@ -40,9 +40,9 @@ else if [[ $GOARCH =~ amd64 ]]; then ARCH=x86_64-linux-gnu cp /usr/lib/"$ARCH"/ld-linux-x86-64.so.2 "$OUT_DIR"/lib/ || find /usr/lib/ -name 'ld-linux-x86-64.so.2' - elif [[ $GOARCH =~ arm64 ]]; then - ARCH=aarch64-linux-gnu - cp /usr/lib/"$ARCH"/ld-linux-aarch64.so.1 "$OUT_DIR"/lib/ || find /usr/lib/ -name 'ld-linux-aarch64.so.1' + #elif [[ $GOARCH =~ arm64 ]]; then + # ARCH=aarch64-linux-gnu + # cp /usr/lib/"$ARCH"/ld-linux-aarch64.so.1 "$OUT_DIR"/lib/ || find /usr/lib/ -name 'ld-linux-aarch64.so.1' fi for dir in /usr/include/"$ARCH"/*; do if [[ -d $dir ]]; then From 0efbbc79c2383ac48af23ee98823f59c5e5aeb73 Mon Sep 17 00:00:00 2001 
From: Sheyla Trudo Date: Fri, 16 May 2025 11:41:18 -0700 Subject: [PATCH 050/154] fixup! Use Signed Binaries for Docker Build --- .pipelines/run-pipeline.yaml | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/.pipelines/run-pipeline.yaml b/.pipelines/run-pipeline.yaml index f751e08e56..e2dcb5c81c 100644 --- a/.pipelines/run-pipeline.yaml +++ b/.pipelines/run-pipeline.yaml @@ -160,12 +160,12 @@ stages: archiveName: azure-cns archiveVersion: $(CNS_VERSION) imageTag: $(Build.BuildNumber) - ipv6_hp_bpf: - name: ipv6-hp-bpf - extraArgs: "--build-arg DEBUG=$(System.Debug)" - archiveName: ipv6-hp-bpf - archiveVersion: $(IPV6_HP_BPF_VERSION) - imageTag: $(Build.BuildNumber) + #ipv6_hp_bpf: + # name: ipv6-hp-bpf + # extraArgs: "--build-arg DEBUG=$(System.Debug)" + # archiveName: ipv6-hp-bpf + # archiveVersion: $(IPV6_HP_BPF_VERSION) + # imageTag: $(Build.BuildNumber) npm: name: npm extraArgs: '--build-arg NPM_AI_PATH=$(NPM_AI_PATH) --build-arg NPM_AI_ID=$(NPM_AI_ID)' @@ -189,7 +189,7 @@ stages: NPM_VERSION: $[ stageDependencies.setup.env.outputs['EnvironmentalVariables.npmVersion'] ] IPAM_LINUX_AMD64_REF: $(IMAGE_REPO_PATH)/linux-amd64/azure-ipam:$(Build.BuildNumber) - IPAM_LINUX_ARM64_REF: $(IMAGE_REPO_PATH)/linux-arm64/azure-ipam:$(Build.BuildNumber) + #IPAM_LINUX_ARM64_REF: $(IMAGE_REPO_PATH)/linux-arm64/azure-ipam:$(Build.BuildNumber) IPAM_WINDOWS_AMD64_REF: $(IMAGE_REPO_PATH)/windows-amd64/azure-ipam:$(Build.BuildNumber) CNI_LINUX_AMD64_REF: $(IMAGE_REPO_PATH)/linux-amd64/cni:$(Build.BuildNumber) @@ -251,8 +251,8 @@ stages: platforms: - platform: linux/amd64 imageReference: $(IPV6_LINUX_AMD64_REF) - - platform: linux/arm64 - imageReference: $(IPV6_LINUX_ARM64_REF) + #- platform: linux/arm64 + # imageReference: $(IPV6_LINUX_ARM64_REF) - job: npm templateContext: name: npm From f3dadea4c1a804ed1fc5b158b958085b19fac628 Mon Sep 17 00:00:00 2001 
From: Sheyla Trudo Date: Fri, 16 May 2025 12:33:34 -0700 Subject: [PATCH 051/154] fixup! Use Signed Binaries for Docker Build --- .pipelines/run-pipeline.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.pipelines/run-pipeline.yaml b/.pipelines/run-pipeline.yaml index e2dcb5c81c..5540b17b0f 100644 --- a/.pipelines/run-pipeline.yaml +++ b/.pipelines/run-pipeline.yaml @@ -189,7 +189,7 @@ stages: NPM_VERSION: $[ stageDependencies.setup.env.outputs['EnvironmentalVariables.npmVersion'] ] IPAM_LINUX_AMD64_REF: $(IMAGE_REPO_PATH)/linux-amd64/azure-ipam:$(Build.BuildNumber) - #IPAM_LINUX_ARM64_REF: $(IMAGE_REPO_PATH)/linux-arm64/azure-ipam:$(Build.BuildNumber) + IPAM_LINUX_ARM64_REF: $(IMAGE_REPO_PATH)/linux-arm64/azure-ipam:$(Build.BuildNumber) IPAM_WINDOWS_AMD64_REF: $(IMAGE_REPO_PATH)/windows-amd64/azure-ipam:$(Build.BuildNumber) CNI_LINUX_AMD64_REF: $(IMAGE_REPO_PATH)/linux-amd64/cni:$(Build.BuildNumber) @@ -201,7 +201,7 @@ stages: CNS_WINDOWS_AMD64_REF: $(IMAGE_REPO_PATH)/windows-amd64/cns:$(Build.BuildNumber) IPV6_LINUX_AMD64_REF: $(IMAGE_REPO_PATH)/linux-amd64/ipv6-hp-bpf:$(Build.BuildNumber) - IPV6_LINUX_ARM64_REF: $(IMAGE_REPO_PATH)/linux-arm64/ipv6-hp-bpf:$(Build.BuildNumber) + #IPV6_LINUX_ARM64_REF: $(IMAGE_REPO_PATH)/linux-arm64/ipv6-hp-bpf:$(Build.BuildNumber) NPM_LINUX_AMD64_REF: $(IMAGE_REPO_PATH)/linux-amd64/npm:$(Build.BuildNumber) NPM_LINUX_ARM64_REF: $(IMAGE_REPO_PATH)/linux-arm64/npm:$(Build.BuildNumber) From f025bcc5a657ec311c5cadb0874c75ecd2f3da6b Mon Sep 17 00:00:00 2001 From: Sheyla Trudo Date: Fri, 16 May 2025 15:13:49 -0700 Subject: [PATCH 052/154] fixup! Use Signed Binaries for Docker Build --- .pipelines/build/dockerfiles/azure-ipam.Dockerfile | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/.pipelines/build/dockerfiles/azure-ipam.Dockerfile b/.pipelines/build/dockerfiles/azure-ipam.Dockerfile index fd7bfa13a8..274a120377 100644 --- a/.pipelines/build/dockerfiles/azure-ipam.Dockerfile 
+++ b/.pipelines/build/dockerfiles/azure-ipam.Dockerfile @@ -1,11 +1,13 @@ ARG ARTIFACT_DIR FROM scratch AS linux -COPY ${ARTIFACT_DIR}/bin/dropgz dropgz +COPY ${ARTIFACT_DIR}/bin/dropgz /dropgz +RUN chmod +x /dropgz ENTRYPOINT [ "/dropgz" ] # skopeo inspect docker://mcr.microsoft.com/oss/kubernetes/windows-host-process-containers-base-image:v1.0.0 --format "{{.Name}}@{{.Digest}}" FROM mcr.microsoft.com/oss/kubernetes/windows-host-process-containers-base-image@sha256:b4c9637e032f667c52d1eccfa31ad8c63f1b035e8639f3f48a510536bf34032b as windows -COPY ${ARTIFACT_DIR}/bin/dropgz.exe dropgz.exe +COPY ${ARTIFACT_DIR}/bin/dropgz.exe /dropgz.exe +RUN chmod +x /dropgz.exe ENTRYPOINT [ "/dropgz.exe" ] From c1023e75b64d67cf68c8953178f16ccd95b9a027 Mon Sep 17 00:00:00 2001 From: Sheyla Trudo Date: Mon, 19 May 2025 22:51:23 -0700 Subject: [PATCH 053/154] fixup! fixup! Use Signed Binaries for Docker Build --- .pipelines/build/images.jobs.yaml | 12 +++++++++--- .pipelines/run-pipeline.yaml | 17 +++++++---------- 2 files changed, 16 insertions(+), 13 deletions(-) diff --git a/.pipelines/build/images.jobs.yaml b/.pipelines/build/images.jobs.yaml index 341590b4ec..27c8623cb4 100644 --- a/.pipelines/build/images.jobs.yaml +++ b/.pipelines/build/images.jobs.yaml @@ -7,7 +7,10 @@ jobs: - ${{ each job_data in parameters.images }}: - job: pkg_${{ job_data.job }} displayName: "Prepare Image Package - ${{ job_data.displayName }} -" - strategy: ${{ job_data.strategy }} + ${{ if job_data.strategy }}: + strategy: ${{ job_data.strategy }} + ${{ if job_data.dependsOn }}: + dependsOn: ${{ job_data.dependsOn }} pool: type: linux ${{ if eq(job_data.job, 'linux_arm64') }}: @@ -37,6 +40,7 @@ jobs: GOOS: windows GOARCH: amd64 ${{ elseif eq(job_data.job, 'linux_arm64') }}: + LinuxContainerImage: 'onebranch.azurecr.io/linux/ubuntu-2204:latest' ob_enable_qemu: true OS: linux ARCH: arm64 
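Review bot: `${ARTIFACT_DIR}` in the two new `COPY` lines is likely to expand to an empty string, because `ARG ARTIFACT_DIR` is declared before the first `FROM` and such an argument is only in scope for `FROM` lines unless it is declared again inside the stage; add `ARG ARTIFACT_DIR` after `FROM scratch AS linux` and after the Windows `FROM`. `RUN chmod +x /dropgz` cannot run in a `scratch` stage, which has no shell and no `chmod`, and the Windows host-process base image presumably has none either. If the executable bit has to be set at build time, `COPY --chmod=0755 ${ARTIFACT_DIR}/bin/dropgz /dropgz` does it without a `RUN` (BuildKit is required).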
@@ -107,6 +111,7 @@ jobs: ob_outputDirectory: $(Build.SourcesDirectory)/out/images/$(os)_$(arch) ob_artifactSuffix: _$(name) ob_git_checkout: false + ob_extract_root_artifact: true ${{ if eq(job_data.job, 'linux_amd64') }}: LinuxContainerImage: 'onebranch.azurecr.io/linux/ubuntu-2204:latest' ARCH: amd64 @@ -127,6 +132,7 @@ jobs: os: $(OS) name: $(name) build_tag: $(imageTag) - extra_args: $(extraArgs) --build-arg ARTIFACT_DIR="${{ job_data.templateContext.pkgArtifact }}" + # Artifact dir is added here since it is specific to the images this file was created for. + extra_args: $(extraArgs) --build-arg ARTIFACT_DIR="${{ job_data.job }}_$(name)" archive_file: $(archiveName)-$(OS)-$(ARCH)-$(archiveVersion) - source: ${{ job_data.templateContext.pkgArtifact }} + source: ${{ job_data.job }}_$(name) diff --git a/.pipelines/run-pipeline.yaml b/.pipelines/run-pipeline.yaml index 5540b17b0f..5ee77707b2 100644 --- a/.pipelines/run-pipeline.yaml +++ b/.pipelines/run-pipeline.yaml @@ -54,7 +54,6 @@ stages: displayName: "Linux/AMD64" templateContext: repositoryArtifact: drop_setup_env_source - pkgArtifact: drop_build_pkg_$(os)_$(arch)_$(name) buildScript: .pipelines/build/scripts/$(name).sh obDockerfile: .pipelines/build/dockerfiles/$(name).Dockerfile strategy: @@ -97,7 +96,6 @@ stages: displayName: "Windows" templateContext: repositoryArtifact: drop_setup_env_source - pkgArtifact: drop_build_pkg_$(os)_$(arch)_$(name) buildScript: .pipelines/build/scripts/$(name).sh obDockerfile: .pipelines/build/dockerfiles/$(name).Dockerfile strategy: @@ -134,7 +132,6 @@ stages: displayName: "Linux/ARM64" templateContext: repositoryArtifact: drop_setup_env_source - pkgArtifact: drop_build_pkg_$(os)_$(arch)_$(name) buildScript: .pipelines/build/scripts/$(name).sh obDockerfile: .pipelines/build/dockerfiles/$(name).Dockerfile strategy: 
@@ -160,12 +157,12 @@ stages: archiveName: azure-cns archiveVersion: $(CNS_VERSION) imageTag: $(Build.BuildNumber) - #ipv6_hp_bpf: - # name: ipv6-hp-bpf - # extraArgs: "--build-arg DEBUG=$(System.Debug)" - # archiveName: ipv6-hp-bpf - # archiveVersion: $(IPV6_HP_BPF_VERSION) - # imageTag: $(Build.BuildNumber) + ipv6_hp_bpf: + name: ipv6-hp-bpf + extraArgs: "--build-arg DEBUG=$(System.Debug)" + archiveName: ipv6-hp-bpf + archiveVersion: $(IPV6_HP_BPF_VERSION) + imageTag: $(Build.BuildNumber) npm: name: npm extraArgs: '--build-arg NPM_AI_PATH=$(NPM_AI_PATH) --build-arg NPM_AI_ID=$(NPM_AI_ID)' @@ -201,7 +198,7 @@ stages: CNS_WINDOWS_AMD64_REF: $(IMAGE_REPO_PATH)/windows-amd64/cns:$(Build.BuildNumber) IPV6_LINUX_AMD64_REF: $(IMAGE_REPO_PATH)/linux-amd64/ipv6-hp-bpf:$(Build.BuildNumber) - #IPV6_LINUX_ARM64_REF: $(IMAGE_REPO_PATH)/linux-arm64/ipv6-hp-bpf:$(Build.BuildNumber) + IPV6_LINUX_ARM64_REF: $(IMAGE_REPO_PATH)/linux-arm64/ipv6-hp-bpf:$(Build.BuildNumber) NPM_LINUX_AMD64_REF: $(IMAGE_REPO_PATH)/linux-amd64/npm:$(Build.BuildNumber) NPM_LINUX_ARM64_REF: $(IMAGE_REPO_PATH)/linux-arm64/npm:$(Build.BuildNumber) From 5d0bcea6606e4393a3b1ad33e19f4af8d88ef102 Mon Sep 17 00:00:00 2001 From: Sheyla Trudo Date: Mon, 19 May 2025 23:00:59 -0700 Subject: [PATCH 054/154] fixup! fixup! Use Signed Binaries for Docker Build --- .pipelines/build/dockerfiles/azure-ipam.Dockerfile | 2 -- .pipelines/build/images.jobs.yaml | 7 ++++++- 2 files changed, 6 insertions(+), 3 deletions(-) diff --git a/.pipelines/build/dockerfiles/azure-ipam.Dockerfile b/.pipelines/build/dockerfiles/azure-ipam.Dockerfile index 274a120377..49d8e227b1 100644 --- a/.pipelines/build/dockerfiles/azure-ipam.Dockerfile +++ b/.pipelines/build/dockerfiles/azure-ipam.Dockerfile 
@@ -2,12 +2,10 @@ ARG ARTIFACT_DIR FROM scratch AS linux COPY ${ARTIFACT_DIR}/bin/dropgz /dropgz -RUN chmod +x /dropgz ENTRYPOINT [ "/dropgz" ] # skopeo inspect docker://mcr.microsoft.com/oss/kubernetes/windows-host-process-containers-base-image:v1.0.0 --format "{{.Name}}@{{.Digest}}" FROM mcr.microsoft.com/oss/kubernetes/windows-host-process-containers-base-image@sha256:b4c9637e032f667c52d1eccfa31ad8c63f1b035e8639f3f48a510536bf34032b as windows COPY ${ARTIFACT_DIR}/bin/dropgz.exe /dropgz.exe -RUN chmod +x /dropgz.exe ENTRYPOINT [ "/dropgz.exe" ] diff --git a/.pipelines/build/images.jobs.yaml b/.pipelines/build/images.jobs.yaml index 27c8623cb4..a6733a5b46 100644 --- a/.pipelines/build/images.jobs.yaml +++ b/.pipelines/build/images.jobs.yaml @@ -40,7 +40,6 @@ jobs: GOOS: windows GOARCH: amd64 ${{ elseif eq(job_data.job, 'linux_arm64') }}: - LinuxContainerImage: 'onebranch.azurecr.io/linux/ubuntu-2204:latest' ob_enable_qemu: true OS: linux ARCH: arm64 @@ -93,6 +92,12 @@ jobs: files_to_sign: '**/dropgz' search_root: $(OUT_DIR) + - script: | + tar cvf "$OUT_DIR"/"$TAR_NAME".tar --exclude="$TAR_NAME".tar "$OUT_DIR"/. + displayName: "Zip to Preserve Linux File Permissions" + env: + TAR_NAME: $(archiveName)-$(OS)-$(ARCH)-$(archiveVersion) + - job: images_${{ job_data.job }} displayName: "Build Images - ${{ job_data.displayName }} -" From 0d4ba390fbc0dd242697769dc421e73a1f110243 Mon Sep 17 00:00:00 2001 From: Sheyla Trudo Date: Tue, 20 May 2025 01:05:11 -0700 Subject: [PATCH 055/154] fixup! fixup! Use Signed Binaries for Docker Build --- .pipelines/build/images.jobs.yaml | 5 ++--- .pipelines/build/scripts/ipv6-hp-bpf.sh | 8 ++++---- 2 files changed, 6 insertions(+), 7 deletions(-) diff --git a/.pipelines/build/images.jobs.yaml b/.pipelines/build/images.jobs.yaml index a6733a5b46..2404810b18 100644 --- a/.pipelines/build/images.jobs.yaml +++ b/.pipelines/build/images.jobs.yaml 
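Review bot: The new `tar cvf "$OUT_DIR"/"$TAR_NAME".tar ... "$OUT_DIR"/.` step archives by absolute path, so every member is stored under the agent's full `$OUT_DIR` path (tar strips only the leading `/`) and the layout after extraction depends on where the build ran. Change into the directory instead: `tar -C "$OUT_DIR" -cvf "$OUT_DIR/$TAR_NAME.tar" --exclude="$TAR_NAME.tar" .`. The step's `env:` passes only `TAR_NAME`, so a short comment that `OUT_DIR` comes from the job variables would help the next reader. The display name says "Zip" while the step writes an uncompressed tar.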
@@ -137,7 +137,6 @@ jobs: os: $(OS) name: $(name) build_tag: $(imageTag) - # Artifact dir is added here since it is specific to the images this file was created for. - extra_args: $(extraArgs) --build-arg ARTIFACT_DIR="${{ job_data.job }}_$(name)" + extra_args: $(extraArgs) --build-arg ARTIFACT_DIR="drop_pkg_${{ job_data.job }}_$(name)" archive_file: $(archiveName)-$(OS)-$(ARCH)-$(archiveVersion) - source: ${{ job_data.job }}_$(name) + source: drop_pkg_${{ job_data.job }}_$(name) diff --git a/.pipelines/build/scripts/ipv6-hp-bpf.sh b/.pipelines/build/scripts/ipv6-hp-bpf.sh index cff2a16e6b..b9643a6a8d 100644 --- a/.pipelines/build/scripts/ipv6-hp-bpf.sh +++ b/.pipelines/build/scripts/ipv6-hp-bpf.sh @@ -39,10 +39,10 @@ else tdnf install -y llvm clang libbpf-devel nftables gcc binutils iproute glibc if [[ $GOARCH =~ amd64 ]]; then ARCH=x86_64-linux-gnu - cp /usr/lib/"$ARCH"/ld-linux-x86-64.so.2 "$OUT_DIR"/lib/ || find /usr/lib/ -name 'ld-linux-x86-64.so.2' - #elif [[ $GOARCH =~ arm64 ]]; then - # ARCH=aarch64-linux-gnu - # cp /usr/lib/"$ARCH"/ld-linux-aarch64.so.1 "$OUT_DIR"/lib/ || find /usr/lib/ -name 'ld-linux-aarch64.so.1' + cp /usr/lib64/ld-linux-x86-64.so.2 "$OUT_DIR"/lib/ || find /usr/lib/ -name 'ld-linux-x86-64.so.2' || true + elif [[ $GOARCH =~ arm64 ]]; then + ARCH=aarch64-linux-gnu + cp /lib64/ld-linux-aarch64.so.1 "$OUT_DIR"/lib/ || find /usr/lib/ -name 'ld-linux-aarch64.so.1' || true fi for dir in /usr/include/"$ARCH"/*; do if [[ -d $dir ]]; then From 96e73d5ae0efaaf31e5a53927898254f8bfd6f6d Mon Sep 17 00:00:00 2001 From: Sheyla Trudo Date: Tue, 20 May 2025 10:00:05 -0700 Subject: [PATCH 056/154] fixup! fixup! Use Signed Binaries for Docker Build --- .pipelines/build/image.steps.yaml | 1 + .pipelines/build/scripts/ipv6-hp-bpf.sh | 14 ++++++++++++-- 2 files changed, 13 insertions(+), 2 deletions(-) diff --git a/.pipelines/build/image.steps.yaml b/.pipelines/build/image.steps.yaml index 79cb95c3c2..79e05a5299 100644 --- a/.pipelines/build/image.steps.yaml 
+++ b/.pipelines/build/image.steps.yaml @@ -48,6 +48,7 @@ steps: inputs: targetPath: $(Build.SourcesDirectory)/dst/${{ parameters.source }} artifact: '${{ parameters.source }}' + patterns: '*.tgz' - task: onebranch.pipeline.containercontrol@1 displayName: "Login to ACR" diff --git a/.pipelines/build/scripts/ipv6-hp-bpf.sh b/.pipelines/build/scripts/ipv6-hp-bpf.sh index b9643a6a8d..c903cd5797 100644 --- a/.pipelines/build/scripts/ipv6-hp-bpf.sh +++ b/.pipelines/build/scripts/ipv6-hp-bpf.sh @@ -39,10 +39,18 @@ else tdnf install -y llvm clang libbpf-devel nftables gcc binutils iproute glibc if [[ $GOARCH =~ amd64 ]]; then ARCH=x86_64-linux-gnu - cp /usr/lib64/ld-linux-x86-64.so.2 "$OUT_DIR"/lib/ || find /usr/lib/ -name 'ld-linux-x86-64.so.2' || true + if [[ -f '/usr/$ARCH/ld-linux-x86-64.so.2' ]]; then + cp /usr/$ARCH/ld-linux-x86-64.so.2 "$OUT_DIR"/lib/ + else + find /usr/$ARCH -name 'ld-linux-x86-64.so.2' || find /lib64 -name 'ld-linux-x86-64.so.2' || true + fi elif [[ $GOARCH =~ arm64 ]]; then ARCH=aarch64-linux-gnu - cp /lib64/ld-linux-aarch64.so.1 "$OUT_DIR"/lib/ || find /usr/lib/ -name 'ld-linux-aarch64.so.1' || true + if [[ -f '/usr/$ARCH/ld-linux-aarch64.so.1' ]]; then + cp /usr/$ARCH/ld-linux-aarch64.so.1 "$OUT_DIR"/lib/ + else + find /usr/lib -name 'ld-linux-aarch64.so.1' || find /lib64 -name 'ld-linux-aarch64.so.1' || true + fi fi for dir in /usr/include/"$ARCH"/*; do if [[ -d $dir ]]; then @@ -53,6 +61,8 @@ else done fi +ls -la /lib/$ARCH +ls -la /uar/lib # Copy Library Files ln -sfn /usr/include/"$ARCH"/asm /usr/include/asm From 3e08ca5179a5e33dbb6859f03f5fed1ac6049ea1 Mon Sep 17 00:00:00 2001 From: Sheyla Trudo Date: Tue, 20 May 2025 10:19:36 -0700 Subject: [PATCH 057/154] fixup! fixup! Use Signed Binaries for Docker Build --- .pipelines/build/images.jobs.yaml | 38 ++++++++++++++++--------------- 1 file changed, 20 insertions(+), 18 deletions(-) 
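Review bot: The added `patterns: '*.tgz'` filter does not match the archive that the packaging job in this series writes, which the tar step in images.jobs.yaml names `"$TAR_NAME".tar`. Unless the build scripts produce a `.tgz` elsewhere, the download would bring nothing into `dst/`. Either align the extension (`patterns: '*.tar'`) or add a comment naming the step that produces the `.tgz`. The surrounding task definition starts outside the hunk.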
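Review bot: The new tests `[[ -f '/usr/$ARCH/ld-linux-x86-64.so.2' ]]` and `[[ -f '/usr/$ARCH/ld-linux-aarch64.so.1' ]]` are single-quoted, so `$ARCH` is never expanded and both checks look for a literal path that does not exist. The `cp` is therefore unreachable and the script always falls through to `find ... || true`, which leaves `"$OUT_DIR"/lib/` without a loader and still exits 0. Use double quotes in the test and quote the `cp` source as well: `if [[ -f "/usr/$ARCH/ld-linux-x86-64.so.2" ]]; then` and `cp "/usr/$ARCH/ld-linux-x86-64.so.2" "$OUT_DIR"/lib/`. The `else` branch should fail the build rather than end in `|| true`.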
diff --git a/.pipelines/build/images.jobs.yaml b/.pipelines/build/images.jobs.yaml index 2404810b18..1fde696783 100644 --- a/.pipelines/build/images.jobs.yaml +++ b/.pipelines/build/images.jobs.yaml @@ -33,9 +33,9 @@ jobs: GOOS: linux GOARCH: amd64 ${{ elseif eq(job_data.job, 'windows_amd64') }}: - LinuxContainerImage: 'onebranch.azurecr.io/linux/ubuntu-2204:latest' + LinuxContainerImage: 'onebranch.azurecr.io/linux/ubuntu-2004:latest' ob_enable_qemu: true - OS: linux + OS: windows ARCH: amd64 GOOS: windows GOARCH: amd64 @@ -67,12 +67,13 @@ jobs: SOURCE: $(REPO_ROOT)/${{ job_data.templateContext.obDockerfile }} DEST: $(OUT_DIR)/Dockerfile - - task: onebranch.pipeline.signing@1 - inputs: - command: 'sign' - signing_profile: 'external_distribution' - files_to_sign: '**/*' - search_root: $(OUT_DIR) + - ${{ if not(job_data.job, 'linux_arm64') }}: + - task: onebranch.pipeline.signing@1 + inputs: + command: 'sign' + signing_profile: 'external_distribution' + files_to_sign: '**/*' + search_root: $(OUT_DIR) - task: ShellScript@2 @@ -81,16 +82,17 @@ jobs: inputs: scriptPath: $(REPO_ROOT)/.pipelines/build/scripts/dropgz.sh - - task: onebranch.pipeline.signing@1 - condition: and( - succeeded(), - eq(variables.os, 'windows'), - eq(variables.packageWithDropGZ, 'True')) - inputs: - command: 'sign' - signing_profile: 'external_distribution' - files_to_sign: '**/dropgz' - search_root: $(OUT_DIR) + - ${{ if not(job_data.job, 'linux_arm64') }}: + - task: onebranch.pipeline.signing@1 + condition: and( + succeeded(), + eq(variables.os, 'windows'), + eq(variables.packageWithDropGZ, 'True')) + inputs: + command: 'sign' + signing_profile: 'external_distribution' + files_to_sign: '**/dropgz' + search_root: $(OUT_DIR) - script: | tar cvf "$OUT_DIR"/"$TAR_NAME".tar --exclude="$TAR_NAME".tar "$OUT_DIR"/. From d3b14147abe57991edc25c9878af42cae714a0b8 Mon Sep 17 00:00:00 2001 
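Review bot: Wrapping the signing task in `${{ if not(job_data.job, 'linux_arm64') }}` means the linux_arm64 package goes to the image build with unsigned binaries, and nothing in the hunk says why. If arm64 cannot be signed on this pool, say so in a comment above the condition and name the follow-up; otherwise the arm64 job should go through the same signing task. The expression itself is malformed, since `not()` takes a single boolean: `${{ if not(eq(job_data.job, 'linux_arm64')) }}` or `${{ if ne(job_data.job, 'linux_arm64') }}`. The same condition is added around the dropgz signing task in the next hunk.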
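Review bot: The dropgz signing task that this hunk re-indents runs only when `variables.os` is `windows`, yet `files_to_sign: '**/dropgz'` names the binary without an extension. The Windows stage of azure-ipam.Dockerfile copies `bin/dropgz.exe`, so the pattern probably matches nothing on the only platform where the task runs. `files_to_sign: '**/dropgz*'` would cover both names; confirm against what dropgz.sh writes to `$OUT_DIR`.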
From: Sheyla Trudo Date: Tue, 20 May 2025 10:21:00 -0700 Subject: [PATCH 058/154] fixup! fixup! Use Signed Binaries for Docker Build --- .pipelines/build/images.jobs.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.pipelines/build/images.jobs.yaml b/.pipelines/build/images.jobs.yaml index 1fde696783..4f57624011 100644 --- a/.pipelines/build/images.jobs.yaml +++ b/.pipelines/build/images.jobs.yaml @@ -67,7 +67,7 @@ jobs: SOURCE: $(REPO_ROOT)/${{ job_data.templateContext.obDockerfile }} DEST: $(OUT_DIR)/Dockerfile - - ${{ if not(job_data.job, 'linux_arm64') }}: + - ${{ if not(eq(job_data.job, 'linux_arm64')) }}: - task: onebranch.pipeline.signing@1 inputs: command: 'sign' @@ -82,7 +82,7 @@ jobs: inputs: scriptPath: $(REPO_ROOT)/.pipelines/build/scripts/dropgz.sh - - ${{ if not(job_data.job, 'linux_arm64') }}: + - ${{ if not(eq(job_data.job, 'linux_arm64')) }}: - task: onebranch.pipeline.signing@1 condition: and( succeeded(), From 78d031cbd930b32474c5d710e4f93730bb34c8e8 Mon Sep 17 00:00:00 2001 From: Sheyla Trudo Date: Tue, 20 May 2025 10:27:00 -0700 Subject: [PATCH 059/154] fixup! fixup! Use Signed Binaries for Docker Build --- .pipelines/build/scripts/ipv6-hp-bpf.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.pipelines/build/scripts/ipv6-hp-bpf.sh b/.pipelines/build/scripts/ipv6-hp-bpf.sh index c903cd5797..0cd3354b44 100644 --- a/.pipelines/build/scripts/ipv6-hp-bpf.sh +++ b/.pipelines/build/scripts/ipv6-hp-bpf.sh @@ -62,7 +62,7 @@ else fi ls -la /lib/$ARCH -ls -la /uar/lib +ls -la /usr/lib # Copy Library Files ln -sfn /usr/include/"$ARCH"/asm /usr/include/asm From ec47d29ee1420ae2104088533c4e19ada0af8d72 Mon Sep 17 00:00:00 2001 From: Sheyla Trudo Date: Tue, 20 May 2025 10:28:21 -0700 Subject: [PATCH 060/154] fixup! fixup! Use Signed Binaries for Docker Build --- .pipelines/build/scripts/ipv6-hp-bpf.sh | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) 
diff --git a/.pipelines/build/scripts/ipv6-hp-bpf.sh b/.pipelines/build/scripts/ipv6-hp-bpf.sh index 0cd3354b44..82029135fc 100644 --- a/.pipelines/build/scripts/ipv6-hp-bpf.sh +++ b/.pipelines/build/scripts/ipv6-hp-bpf.sh @@ -61,8 +61,9 @@ else done fi -ls -la /lib/$ARCH -ls -la /usr/lib +ls -la /lib/$ARCH || true +ls -la /usr/lib || true +ls -la /usr/lib/ldscripts || true # Copy Library Files ln -sfn /usr/include/"$ARCH"/asm /usr/include/asm From 4c7a209af3cc89896e133e086bb808edd60dd7cf Mon Sep 17 00:00:00 2001 From: Sheyla Trudo Date: Tue, 20 May 2025 12:31:10 -0700 Subject: [PATCH 061/154] fixup! fixup! Use Signed Binaries for Docker Build --- .pipelines/build/images.jobs.yaml | 4 +- .pipelines/build/scripts/ipv6-hp-bpf.sh | 93 +++++++++++++++++++------ 2 files changed, 74 insertions(+), 23 deletions(-) diff --git a/.pipelines/build/images.jobs.yaml b/.pipelines/build/images.jobs.yaml index 4f57624011..09e6cef26b 100644 --- a/.pipelines/build/images.jobs.yaml +++ b/.pipelines/build/images.jobs.yaml @@ -139,6 +139,6 @@ jobs: os: $(OS) name: $(name) build_tag: $(imageTag) - extra_args: $(extraArgs) --build-arg ARTIFACT_DIR="drop_pkg_${{ job_data.job }}_$(name)" + extra_args: $(extraArgs) --build-arg ARTIFACT_DIR="drop_build_pkg_${{ job_data.job }}_$(name)" archive_file: $(archiveName)-$(OS)-$(ARCH)-$(archiveVersion) - source: drop_pkg_${{ job_data.job }}_$(name) + source: drop_build_pkg_${{ job_data.job }}_$(name) diff --git a/.pipelines/build/scripts/ipv6-hp-bpf.sh b/.pipelines/build/scripts/ipv6-hp-bpf.sh index 82029135fc..00d206b2cf 100644 --- a/.pipelines/build/scripts/ipv6-hp-bpf.sh +++ b/.pipelines/build/scripts/ipv6-hp-bpf.sh 
@@ -1,6 +1,36 @@ #!/bin/bash set -eux +function findcp::shared_library() { + local filename + filename="${1}" + local copy_to + copy_to="${2}" + local search_dirs + search_dirs="{@:3}" + + for dir in $search_dirs; do + if [[ -d "$dir" ]]; then + if [[ "$filename" =~ ^.*\.so.*$ ]]; then + found=$(find "$dir" -name "$filename") + else + found=$(find "$dir" -name ""$filename".so*") + fi + else + echo >&2 "##[debug]Not a directory. Skipping..." + echo >&2 "##[debug]Dir: "$dir"" + fi + done + + echo -e >&2 "##[debug]Found: \n$found" + select=$(echo "$found" | head -n1) + + echo -e >&2 "##[debug]Selected: \n$select" + echo >&2 "##[debug]cp "$select" "$copy_to"" + cp "$select" "$copy_to" +} + + [[ $GOOS =~ windows ]] && FILE_EXT='.exe' || FILE_EXT='' export CGO_ENABLED=0 
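Review bot: `findcp::shared_library` can reach `cp "$select" "$copy_to"` with nothing to copy: `found` is assigned only inside the `-d` branch, so it is unset when no search directory exists (fatal under the script's `set -eux`), and `select` is empty when `find` matches nothing. `search_dirs="{@:3}"` is also missing its `$`, so the loop iterates over the literal string `{@:3}` instead of the directories passed in. `found` and `select` are not declared `local`, and `head -n1` over unsorted `find` output makes the chosen file depend on directory order, which matters for a library that ends up in a packaged artifact. I would keep the directories in an array, initialise the result variables, stop at the first directory that yields a match, and return non-zero with an `##[error]` line when nothing is found.

```shell
function findcp::shared_library() {
  # … unchanged: filename and copy_to locals …
  local -a search_dirs=("${@:3}")
  local dir found='' selected=''

  for dir in "${search_dirs[@]}"; do
    if [[ ! -d "$dir" ]]; then
      echo >&2 "##[debug]Not a directory. Skipping: $dir"
      continue
    fi
    # … unchanged: choose the -name pattern and run find into found …
    if [[ -n "$found" ]]; then
      break
    fi
  done

  if [[ -z "$found" ]]; then
    echo >&2 "##[error]$filename not found in: ${search_dirs[*]}"
    return 1
  fi

  # Sort so the same file is selected on every build agent.
  selected=$(sort <<<"$found" | head -n1)
  echo >&2 "##[debug]cp $selected $copy_to"
  cp "$selected" "$copy_to"
}
```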
@@ -33,21 +63,37 @@ if [[ -f /etc/debian_version ]];then ln -sfn "$dir" /usr/include/$(basename "$dir") done +ls -la /lib/$ARCH || true +ls -la /usr/lib || true +ls -la /usr/lib/ldscripts || true + + # Copy Shared Library Files + ln -sfn /usr/include/"$ARCH"/asm /usr/include/asm + cp /lib/"$ARCH"/libnftables.so.1 "$OUT_DIR"/lib/ + cp /lib/"$ARCH"/libedit.so.2 "$OUT_DIR"/lib/ + cp /lib/"$ARCH"/libc.so.6 "$OUT_DIR"/lib/ + cp /lib/"$ARCH"/libmnl.so.0 "$OUT_DIR"/lib/ + cp /lib/"$ARCH"/libnftnl.so.11 "$OUT_DIR"/lib/ + cp /lib/"$ARCH"/libxtables.so.12 "$OUT_DIR"/lib/ + cp /lib/"$ARCH"/libjansson.so.4 "$OUT_DIR"/lib/ + cp /lib/"$ARCH"/libgmp.so.10 "$OUT_DIR"/lib/ + cp /lib/"$ARCH"/libtinfo.so.6 "$OUT_DIR"/lib/ + cp /lib/"$ARCH"/libbsd.so.0 "$OUT_DIR"/lib/ + cp /lib/"$ARCH"/libmd.so.0 "$OUT_DIR"/lib/ + # Mariner else tdnf install -y llvm clang libbpf-devel nftables gcc binutils iproute glibc if [[ $GOARCH =~ amd64 ]]; then ARCH=x86_64-linux-gnu - if [[ -f '/usr/$ARCH/ld-linux-x86-64.so.2' ]]; then - cp /usr/$ARCH/ld-linux-x86-64.so.2 "$OUT_DIR"/lib/ - else - find /usr/$ARCH -name 'ld-linux-x86-64.so.2' || find /lib64 -name 'ld-linux-x86-64.so.2' || true + if [[ -f '/usr/lib/ld-linux-x86-64.so.2' ]]; then + cp /usr/lib/ld-linux-x86-64.so.2 "$OUT_DIR"/lib/ fi elif [[ $GOARCH =~ arm64 ]]; then ARCH=aarch64-linux-gnu - if [[ -f '/usr/$ARCH/ld-linux-aarch64.so.1' ]]; then - cp /usr/$ARCH/ld-linux-aarch64.so.1 "$OUT_DIR"/lib/ + if [[ -f '/usr/lib/ld-linux-aarch64.so.1' ]]; then + cp /usr/lib/ld-linux-aarch64.so.1 "$OUT_DIR"/lib/ else find /usr/lib -name 'ld-linux-aarch64.so.1' || find /lib64 -name 'ld-linux-aarch64.so.1' || true fi 
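Review bot: In the Mariner branch the amd64 loader is copied only when `/usr/lib/ld-linux-x86-64.so.2` exists and the `if` has no `else`, so a build where the loader lives elsewhere carries on and produces an output directory without it. The arm64 branch has the same shape, except that its `else` only prints `find` results and then continues. A missing loader would then show up only when the packaged binary is run, so I would stop the build instead, e.g. `else echo >&2 "##[error]ld-linux-x86-64.so.2 not found in /usr/lib"; exit 1`, and likewise for aarch64. The enclosing `if [[ -f /etc/debian_version ]]` block starts before this hunk and ends after it.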
@@ -59,25 +105,30 @@ else ln -Tsfn "$dir" /usr/include/$(basename "$dir") fi done -fi -ls -la /lib/$ARCH || true + ls -la /usr/ +ls -la /usr/include || true ls -la /usr/lib || true ls -la /usr/lib/ldscripts || true -# Copy Library Files -ln -sfn /usr/include/"$ARCH"/asm /usr/include/asm -cp /lib/"$ARCH"/libnftables.so.1 "$OUT_DIR"/lib/ -cp /lib/"$ARCH"/libedit.so.2 "$OUT_DIR"/lib/ -cp /lib/"$ARCH"/libc.so.6 "$OUT_DIR"/lib/ -cp /lib/"$ARCH"/libmnl.so.0 "$OUT_DIR"/lib/ -cp /lib/"$ARCH"/libnftnl.so.11 "$OUT_DIR"/lib/ -cp /lib/"$ARCH"/libxtables.so.12 "$OUT_DIR"/lib/ -cp /lib/"$ARCH"/libjansson.so.4 "$OUT_DIR"/lib/ -cp /lib/"$ARCH"/libgmp.so.10 "$OUT_DIR"/lib/ -cp /lib/"$ARCH"/libtinfo.so.6 "$OUT_DIR"/lib/ -cp /lib/"$ARCH"/libbsd.so.0 "$OUT_DIR"/lib/ -cp /lib/"$ARCH"/libmd.so.0 "$OUT_DIR"/lib/ + # Copy Shared Library Files + ln -sfn /usr/include/"$ARCH"/asm /usr/include/asm + cp /usr/lib/libnftables.so.1 "$OUT_DIR"/lib/ + cp /usr/lib/libedit.so.2 "$OUT_DIR"/lib/ + cp /usr/lib/libc.so.6 "$OUT_DIR"/lib/ + cp /usr/lib/libmnl.so.0 "$OUT_DIR"/lib/ + cp /usr/lib/libnftnl.so.11 "$OUT_DIR"/lib/ + cp /usr/lib/libxtables.so.12 "$OUT_DIR"/lib/ + cp /usr/lib/libjansson.so.4 "$OUT_DIR"/lib/ + cp /usr/lib/libgmp.so.10 "$OUT_DIR"/lib/ + cp /usr/lib/libtinfo.so.6 "$OUT_DIR"/lib/ + + cp /usr/lib/libbsd.so.0 "$OUT_DIR"/lib/ || tdnf install -y libbsd-devel || true + findcp::shared_library libbsd.so.0 "$OUT_DIR"/lib /usr/lib /lib /lib32 /lib64 || true + cp /usr/lib/libmd.so.0 "$OUT_DIR"/lib/ || tdnf install -y libmd-devel || true + findcp::shared_library libmd.so.0 "$OUT_DIR"/lib /usr/lib /lib /lib32 /lib64 || true +fi + # Add Needed Binararies cp /usr/sbin/nft "$OUT_DIR"/bin/nft"$FILE_EXT" From 7c5288879abd4f1f8c821ef3e79bee790a08c5f2 Mon Sep 17 00:00:00 2001 From: Sheyla Trudo Date: Tue, 20 May 2025 13:03:19 -0700 Subject: [PATCH 062/154] fixup! fixup! Use Signed Binaries for Docker Build --- .pipelines/build/scripts/ipv6-hp-bpf.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
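Review bot: Every fallback for libbsd and libmd ends in `|| true` (`cp … || tdnf install -y libbsd-devel || true`, then `findcp::shared_library … || true`), so the script succeeds even when neither library reaches `"$OUT_DIR"/lib/`. The package install is also reached only as an error path of `cp`, which makes the contents of the output directory depend on the state of the build image. I would add the two packages to the `tdnf install -y …` line earlier in the Mariner branch (outside this hunk) and let a failed copy stop the build, e.g. `findcp::shared_library libbsd.so.0 "$OUT_DIR"/lib /usr/lib /lib /lib32 /lib64` without the trailing `|| true`. The `if`/`else` these lines now sit in starts outside the hunk.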
diff --git a/.pipelines/build/scripts/ipv6-hp-bpf.sh b/.pipelines/build/scripts/ipv6-hp-bpf.sh index 00d206b2cf..ad1871a73e 100644 --- a/.pipelines/build/scripts/ipv6-hp-bpf.sh +++ b/.pipelines/build/scripts/ipv6-hp-bpf.sh @@ -114,7 +114,7 @@ ls -la /usr/lib/ldscripts || true # Copy Shared Library Files ln -sfn /usr/include/"$ARCH"/asm /usr/include/asm cp /usr/lib/libnftables.so.1 "$OUT_DIR"/lib/ - cp /usr/lib/libedit.so.2 "$OUT_DIR"/lib/ + cp /usr/lib/libedit.so.0 "$OUT_DIR"/lib/ cp /usr/lib/libc.so.6 "$OUT_DIR"/lib/ cp /usr/lib/libmnl.so.0 "$OUT_DIR"/lib/ cp /usr/lib/libnftnl.so.11 "$OUT_DIR"/lib/ From 280f5f34235edb8c14771c0d4a35623f1c5ef6cc Mon Sep 17 00:00:00 2001 From: Sheyla Trudo Date: Tue, 20 May 2025 13:14:17 -0700 Subject: [PATCH 063/154] fixup! fixup! Use Signed Binaries for Docker Build --- .pipelines/build/images.jobs.yaml | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/.pipelines/build/images.jobs.yaml b/.pipelines/build/images.jobs.yaml index 09e6cef26b..993dec75c0 100644 --- a/.pipelines/build/images.jobs.yaml +++ b/.pipelines/build/images.jobs.yaml @@ -95,10 +95,8 @@ jobs: search_root: $(OUT_DIR) - script: | - tar cvf "$OUT_DIR"/"$TAR_NAME".tar --exclude="$TAR_NAME".tar "$OUT_DIR"/. + tar cvf "$OUT_DIR"/root_artifact.tar --exclude=root_artifact.tar "$OUT_DIR"/. displayName: "Zip to Preserve Linux File Permissions" - env: - TAR_NAME: $(archiveName)-$(OS)-$(ARCH)-$(archiveVersion) - job: images_${{ job_data.job }} From d1e7a2250d393554efd405f93483070d67f8923b Mon Sep 17 00:00:00 2001 From: Sheyla Trudo Date: Tue, 20 May 2025 13:41:58 -0700 Subject: [PATCH 064/154] fixup! fixup! Use Signed Binaries for Docker Build --- .pipelines/build/images.jobs.yaml | 7 +++++++ .pipelines/build/scripts/ipv6-hp-bpf.sh | 3 +-- 2 files changed, 8 insertions(+), 2 deletions(-) diff --git a/.pipelines/build/images.jobs.yaml b/.pipelines/build/images.jobs.yaml index 993dec75c0..5426e2700e 100644 --- a/.pipelines/build/images.jobs.yaml 
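Review bot: In the images.jobs.yaml hunk, `tar cvf "$OUT_DIR"/root_artifact.tar --exclude=root_artifact.tar "$OUT_DIR"/.` names the members by the path given on the command line, so every entry carries the `$OUT_DIR` path as a prefix and the extracted tree is nested under it. Changing into the directory first keeps member names relative and makes the location of `Dockerfile` after extraction predictable: `tar cvf "$OUT_DIR"/root_artifact.tar --exclude=root_artifact.tar -C "$OUT_DIR" .`. The display name says "Zip" although the step writes an uncompressed tar, which is worth correcting while the line is being touched. The step list this script belongs to starts outside the hunk.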
+++ b/.pipelines/build/images.jobs.yaml @@ -94,6 +94,13 @@ jobs: files_to_sign: '**/dropgz' search_root: $(OUT_DIR) + # OneBranch artifacts are stored on a Windows machine which obliterates + # Linux file permissions. + # This task is added (along with ob_extract_root_artifact in jobs that + # download the artifact) to protect those file permissions from changing + # during image build time. + # + # See: https://eng.ms/docs/products/onebranch/build/containerbasedworkflow/dockerimagesandacr/preservefilepermissionsfordockerbuild - script: | tar cvf "$OUT_DIR"/root_artifact.tar --exclude=root_artifact.tar "$OUT_DIR"/. displayName: "Zip to Preserve Linux File Permissions" diff --git a/.pipelines/build/scripts/ipv6-hp-bpf.sh b/.pipelines/build/scripts/ipv6-hp-bpf.sh index ad1871a73e..12e93bbb5c 100644 --- a/.pipelines/build/scripts/ipv6-hp-bpf.sh +++ b/.pipelines/build/scripts/ipv6-hp-bpf.sh @@ -7,7 +7,7 @@ function findcp::shared_library() { local copy_to copy_to="${2}" local search_dirs - search_dirs="{@:3}" + search_dirs="${@:3}" for dir in $search_dirs; do if [[ -d "$dir" ]]; then @@ -65,7 +65,6 @@ if [[ -f /etc/debian_version ]];then ls -la /lib/$ARCH || true ls -la /usr/lib || true -ls -la /usr/lib/ldscripts || true # Copy Shared Library Files ln -sfn /usr/include/"$ARCH"/asm /usr/include/asm From e0192dae0398325250e0e4028bf66652bf418379 Mon Sep 17 00:00:00 2001 From: Sheyla Trudo Date: Tue, 20 May 2025 14:45:04 -0700 Subject: [PATCH 065/154] fixup! fixup! Use Signed Binaries for Docker Build --- .pipelines/build/scripts/ipv6-hp-bpf.sh | 43 ++++++++++++++++--------- 1 file changed, 27 insertions(+), 16 deletions(-) diff --git a/.pipelines/build/scripts/ipv6-hp-bpf.sh b/.pipelines/build/scripts/ipv6-hp-bpf.sh index 12e93bbb5c..7e3a2ede2c 100644 --- a/.pipelines/build/scripts/ipv6-hp-bpf.sh +++ b/.pipelines/build/scripts/ipv6-hp-bpf.sh 
@@ -16,6 +16,10 @@ function findcp::shared_library() { else found=$(find "$dir" -name ""$filename".so*") fi + + if [[ -n $found ]]; then + break; + fi else echo >&2 "##[debug]Not a directory. Skipping..." echo >&2 "##[debug]Dir: "$dir"" @@ -53,18 +57,22 @@ if [[ -f /etc/debian_version ]];then apt-get install -y gcc-aarch64-linux-gnu ARCH=aarch64-linux-gnu - ls -la /usr/lib - ls -la /usr/lib/"$ARCH" || true - ls -la /usr/lib/"$GOARCH" || true - cp /usr/lib/"$ARCH"/ld-linux-aarch64.so.1 "$OUT_DIR"/lib/ || true + cp /usr/lib/"$ARCH"/ld-linux-aarch64.so.1 "$OUT_DIR"/lib/ fi for dir in /usr/include/"$ARCH"/*; do ln -sfn "$dir" /usr/include/$(basename "$dir") done -ls -la /lib/$ARCH || true -ls -la /usr/lib || true + echo >&2 "##[group]lib $ARCH directory list" + ls -la /lib/"$ARCH" || true + echo >&2 "##[endgroup]" + echo >&2 "##[group]usr lib directory list" + ls -la /usr/lib || true + echo >&2 "##[endgroup]" + echo >&2 "##[group]usr lib $ARCH directory list" + ls -la /usr/lib/"$ARCH" || true + echo >&2 "##[endgroup]" # Copy Shared Library Files ln -sfn /usr/include/"$ARCH"/asm /usr/include/asm @@ -93,8 +101,6 @@ else ARCH=aarch64-linux-gnu if [[ -f '/usr/lib/ld-linux-aarch64.so.1' ]]; then cp /usr/lib/ld-linux-aarch64.so.1 "$OUT_DIR"/lib/ - else - find /usr/lib -name 'ld-linux-aarch64.so.1' || find /lib64 -name 'ld-linux-aarch64.so.1' || true fi fi for dir in /usr/include/"$ARCH"/*; do @@ -105,10 +111,15 @@ else fi done - ls -la /usr/ -ls -la /usr/include || true -ls -la /usr/lib || true -ls -la /usr/lib/ldscripts || true + echo >&2 "##[group]usr include $ARCH directory list" + ls -la /usr/include/"$ARCH" || true + echo >&2 "##[endgroup]" + echo >&2 "##[group]usr lib directory list" + ls -la /usr/lib || true + echo >&2 "##[endgroup]" + echo >&2 "##[group]usr lib ldscripts directory list" + ls -la /usr/lib/ldscripts || true + echo >&2 "##[endgroup]" # Copy Shared Library Files ln -sfn /usr/include/"$ARCH"/asm /usr/include/asm 
@@ -122,10 +133,10 @@ ls -la /usr/lib/ldscripts || true cp /usr/lib/libgmp.so.10 "$OUT_DIR"/lib/ cp /usr/lib/libtinfo.so.6 "$OUT_DIR"/lib/ - cp /usr/lib/libbsd.so.0 "$OUT_DIR"/lib/ || tdnf install -y libbsd-devel || true - findcp::shared_library libbsd.so.0 "$OUT_DIR"/lib /usr/lib /lib /lib32 /lib64 || true - cp /usr/lib/libmd.so.0 "$OUT_DIR"/lib/ || tdnf install -y libmd-devel || true - findcp::shared_library libmd.so.0 "$OUT_DIR"/lib /usr/lib /lib /lib32 /lib64 || true + cp /usr/lib/libbsd.so.0 "$OUT_DIR"/lib/ || tdnf install -y libbsd-devel + findcp::shared_library libbsd.so "$OUT_DIR"/lib/ /usr/lib /lib /lib32 /lib64 + cp /usr/lib/libmd.so.0 "$OUT_DIR"/lib/ || tdnf install -y libmd-devel + findcp::shared_library libmd.so "$OUT_DIR"/lib/ /usr/lib /lib /lib32 /lib64 fi From b609f18d7287b76f091657ac7d47e9fd50fcace3 Mon Sep 17 00:00:00 2001 From: Sheyla Trudo Date: Tue, 20 May 2025 14:49:14 -0700 Subject: [PATCH 066/154] fixup! fixup! Use Signed Binaries for Docker Build --- .pipelines/build/image.steps.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.pipelines/build/image.steps.yaml b/.pipelines/build/image.steps.yaml index 79e05a5299..1061827e59 100644 --- a/.pipelines/build/image.steps.yaml +++ b/.pipelines/build/image.steps.yaml @@ -48,7 +48,7 @@ steps: inputs: targetPath: $(Build.SourcesDirectory)/dst/${{ parameters.source }} artifact: '${{ parameters.source }}' - patterns: '*.tgz' + patterns: '*.tar' - task: onebranch.pipeline.containercontrol@1 displayName: "Login to ACR" From 5cfcea60076cf363d9cc7309021f1a4bf95a15e2 Mon Sep 17 00:00:00 2001 From: Sheyla Trudo Date: Tue, 20 May 2025 16:24:20 -0700 Subject: [PATCH 067/154] fixup! fixup! Use Signed Binaries for Docker Build --- .pipelines/build/image.steps.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.pipelines/build/image.steps.yaml b/.pipelines/build/image.steps.yaml index 1061827e59..9d2929452b 100644 --- a/.pipelines/build/image.steps.yaml 
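Review bot: `findcp::shared_library libbsd.so …` now runs unconditionally and without `|| true`, so it also runs when the preceding `cp /usr/lib/libbsd.so.0 …` has already succeeded; if no file named exactly `libbsd.so` exists in the search directories, the function ends in a failing `cp` and the script stops under `set -e`. It also searches for `libbsd.so` while the direct copy ships `libbsd.so.0`, so the two paths can leave differently named files in `"$OUT_DIR"/lib/`; please confirm which name the packaged binary resolves. Grouping the fallback states the intent: `cp /usr/lib/libbsd.so.0 "$OUT_DIR"/lib/ || { tdnf install -y libbsd-devel && findcp::shared_library libbsd.so "$OUT_DIR"/lib/ /usr/lib /lib /lib32 /lib64; }`, and the same for libmd. The surrounding `else` branch starts outside this hunk.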
+++ b/.pipelines/build/image.steps.yaml @@ -48,7 +48,7 @@ steps: inputs: targetPath: $(Build.SourcesDirectory)/dst/${{ parameters.source }} artifact: '${{ parameters.source }}' - patterns: '*.tar' + patterns: '**/*.tar' - task: onebranch.pipeline.containercontrol@1 displayName: "Login to ACR" From d9c2a84392fec479797f0cffb41f832d70a5cc83 Mon Sep 17 00:00:00 2001 From: Sheyla Trudo Date: Tue, 20 May 2025 17:10:26 -0700 Subject: [PATCH 068/154] fixup! fixup! Use Signed Binaries for Docker Build --- .pipelines/build/image.steps.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.pipelines/build/image.steps.yaml b/.pipelines/build/image.steps.yaml index 9d2929452b..33355d6259 100644 --- a/.pipelines/build/image.steps.yaml +++ b/.pipelines/build/image.steps.yaml @@ -67,8 +67,8 @@ steps: repositoryName: $(os)-$(arch)/${{ parameters.name }} os: '${{ parameters.os }}' buildkit: 1 - dockerFileRelPath: ${{ parameters.source }}/Dockerfile - dockerFileContextPath: ${{ parameters.source }} + dockerFileRelPath: root_artifact/${{ parameters.source }}/Dockerfile + dockerFileContextPath: root_artifact/${{ parameters.source }} enable_network: true enable_pull: true build_tag: ${{ parameters.build_tag }} From f8207efa62c4bc85acd072adb70589015aa75b0c Mon Sep 17 00:00:00 2001 From: Sheyla Trudo Date: Tue, 20 May 2025 17:59:05 -0700 Subject: [PATCH 069/154] fixup! fixup! Use Signed Binaries for Docker Build --- .pipelines/build/image.steps.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.pipelines/build/image.steps.yaml b/.pipelines/build/image.steps.yaml index 33355d6259..04fd630b37 100644 --- a/.pipelines/build/image.steps.yaml +++ b/.pipelines/build/image.steps.yaml 
@@ -67,8 +67,8 @@ steps: repositoryName: $(os)-$(arch)/${{ parameters.name }} os: '${{ parameters.os }}' buildkit: 1 - dockerFileRelPath: root_artifact/${{ parameters.source }}/Dockerfile - dockerFileContextPath: root_artifact/${{ parameters.source }} + dockerFileRelPath: Dockerfile + dockerFileContextPath: . enable_network: true enable_pull: true build_tag: ${{ parameters.build_tag }} From 655584922e544fd14e65281f14c789a7b79288b4 Mon Sep 17 00:00:00 2001 From: Sheyla Trudo Date: Tue, 20 May 2025 18:00:15 -0700 Subject: [PATCH 070/154] fixup! fixup! Use Signed Binaries for Docker Build --- .pipelines/build/image.steps.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.pipelines/build/image.steps.yaml b/.pipelines/build/image.steps.yaml index 04fd630b37..7758107d37 100644 --- a/.pipelines/build/image.steps.yaml +++ b/.pipelines/build/image.steps.yaml @@ -67,8 +67,8 @@ steps: repositoryName: $(os)-$(arch)/${{ parameters.name }} os: '${{ parameters.os }}' buildkit: 1 - dockerFileRelPath: Dockerfile - dockerFileContextPath: . + dockerFileRelPath: artifacts/Dockerfile + dockerFileContextPath: artifacts/ enable_network: true enable_pull: true build_tag: ${{ parameters.build_tag }} From 750928434c2e9111f06ef5f9cba0af80d2065a15 Mon Sep 17 00:00:00 2001 From: Sheyla Trudo Date: Tue, 20 May 2025 18:04:15 -0700 Subject: [PATCH 071/154] fixup! fixup! Use Signed Binaries for Docker Build --- .pipelines/build/image.steps.yaml | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/.pipelines/build/image.steps.yaml b/.pipelines/build/image.steps.yaml index 7758107d37..4bf064b120 100644 --- a/.pipelines/build/image.steps.yaml +++ b/.pipelines/build/image.steps.yaml 
@@ -50,6 +50,13 @@ steps: artifact: '${{ parameters.source }}' patterns: '**/*.tar' +- task: ExtractFiles@1 + inputs: + archiveFilePatterns: '**/*.?(tar|tgz|gz|zip)' + destinationFolder: $(Build.SourcesDirectory)/dst/${{ parameters.source }} + cleanDestinationFolder: false + overwriteExistingFiles: true + - task: onebranch.pipeline.containercontrol@1 displayName: "Login to ACR" inputs: @@ -67,8 +74,8 @@ steps: repositoryName: $(os)-$(arch)/${{ parameters.name }} os: '${{ parameters.os }}' buildkit: 1 - dockerFileRelPath: artifacts/Dockerfile - dockerFileContextPath: artifacts/ + dockerFileRelPath: ${{ parameters.source }}/Dockerfile + dockerFileContextPath: ${{ parameters.source }} enable_network: true enable_pull: true build_tag: ${{ parameters.build_tag }} From 60a42c78cb143576533633e5a9008fe0eb5e80fe Mon Sep 17 00:00:00 2001 From: Sheyla Trudo Date: Tue, 20 May 2025 19:50:21 -0700 Subject: [PATCH 072/154] fixup! fixup! Use Signed Binaries for Docker Build --- .pipelines/build/image.steps.yaml | 12 ++---------- 1 file changed, 2 insertions(+), 10 deletions(-) diff --git a/.pipelines/build/image.steps.yaml b/.pipelines/build/image.steps.yaml index 4bf064b120..dcbe11c6d2 100644 --- a/.pipelines/build/image.steps.yaml +++ b/.pipelines/build/image.steps.yaml @@ -46,17 +46,9 @@ parameters: steps: - task: DownloadPipelineArtifact@2 inputs: - targetPath: $(Build.SourcesDirectory)/dst/${{ parameters.source }} artifact: '${{ parameters.source }}' patterns: '**/*.tar' -- task: ExtractFiles@1 - inputs: - archiveFilePatterns: '**/*.?(tar|tgz|gz|zip)' - destinationFolder: $(Build.SourcesDirectory)/dst/${{ parameters.source }} - cleanDestinationFolder: false - overwriteExistingFiles: true - - task: onebranch.pipeline.containercontrol@1 displayName: "Login to ACR" inputs: 
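Review bot: In the hunk that adds `ExtractFiles@1`, `archiveFilePatterns: '**/*.?(tar|tgz|gz|zip)'` is much wider than the single archive the download step fetches (`patterns: '**/*.tar'`), and with `overwriteExistingFiles: true` any other matching archive under the task's search root would be unpacked over the files that later form the Docker build context. Limiting the pattern to the downloaded file keeps the build input restricted to the artifact produced upstream, e.g. `archiveFilePatterns: '$(Build.SourcesDirectory)/dst/${{ parameters.source }}/**/root_artifact.tar'`. The `steps:` list continues outside the hunk.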
@@ -74,8 +66,8 @@ steps: repositoryName: $(os)-$(arch)/${{ parameters.name }} os: '${{ parameters.os }}' buildkit: 1 - dockerFileRelPath: ${{ parameters.source }}/Dockerfile - dockerFileContextPath: ${{ parameters.source }} + dockerFileRelPath: Dockerfile + dockerFileContextPath: '' enable_network: true enable_pull: true build_tag: ${{ parameters.build_tag }} From 64dd467f77231e5fdd60e69c0ed05a857147d588 Mon Sep 17 00:00:00 2001 From: Sheyla Trudo Date: Tue, 20 May 2025 20:21:57 -0700 Subject: [PATCH 073/154] fixup! fixup! Use Signed Binaries for Docker Build --- .pipelines/build/image.steps.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/.pipelines/build/image.steps.yaml b/.pipelines/build/image.steps.yaml index dcbe11c6d2..ddb8d031b5 100644 --- a/.pipelines/build/image.steps.yaml +++ b/.pipelines/build/image.steps.yaml @@ -46,6 +46,7 @@ parameters: steps: - task: DownloadPipelineArtifact@2 inputs: + targetPath: artifact/ artifact: '${{ parameters.source }}' patterns: '**/*.tar' From f7aae3e23dbcadb52aa454eb9cda3ee8521586ca Mon Sep 17 00:00:00 2001 From: Sheyla Trudo Date: Tue, 20 May 2025 20:44:50 -0700 Subject: [PATCH 074/154] fixup! fixup! Use Signed Binaries for Docker Build --- .pipelines/build/images.jobs.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.pipelines/build/images.jobs.yaml b/.pipelines/build/images.jobs.yaml index 5426e2700e..ab4c116277 100644 --- a/.pipelines/build/images.jobs.yaml +++ b/.pipelines/build/images.jobs.yaml @@ -144,6 +144,6 @@ jobs: os: $(OS) name: $(name) build_tag: $(imageTag) - extra_args: $(extraArgs) --build-arg ARTIFACT_DIR="drop_build_pkg_${{ job_data.job }}_$(name)" + extra_args: $(extraArgs) --build-arg ARTIFACT_DIR="root_artifact" archive_file: $(archiveName)-$(OS)-$(ARCH)-$(archiveVersion) source: drop_build_pkg_${{ job_data.job }}_$(name) From 8c9d05f2055325cd4884738878737b3d2d6fe481 Mon Sep 17 00:00:00 2001 
From: Sheyla Trudo Date: Tue, 20 May 2025 20:49:20 -0700 Subject: [PATCH 075/154] fixup! fixup! Use Signed Binaries for Docker Build --- .pipelines/build/images.jobs.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.pipelines/build/images.jobs.yaml b/.pipelines/build/images.jobs.yaml index ab4c116277..e632f3d216 100644 --- a/.pipelines/build/images.jobs.yaml +++ b/.pipelines/build/images.jobs.yaml @@ -144,6 +144,6 @@ jobs: os: $(OS) name: $(name) build_tag: $(imageTag) - extra_args: $(extraArgs) --build-arg ARTIFACT_DIR="root_artifact" + extra_args: $(extraArgs) --build-arg ARTIFACT_DIR="." archive_file: $(archiveName)-$(OS)-$(ARCH)-$(archiveVersion) source: drop_build_pkg_${{ job_data.job }}_$(name) From 4c65fe39154f42ecdce33c48bed18a56edf4cac4 Mon Sep 17 00:00:00 2001 From: Sheyla Trudo Date: Tue, 20 May 2025 22:21:59 -0700 Subject: [PATCH 076/154] fixup! fixup! Use Signed Binaries for Docker Build --- .pipelines/build/image.steps.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.pipelines/build/image.steps.yaml b/.pipelines/build/image.steps.yaml index ddb8d031b5..934f93e471 100644 --- a/.pipelines/build/image.steps.yaml +++ b/.pipelines/build/image.steps.yaml @@ -67,8 +67,8 @@ steps: repositoryName: $(os)-$(arch)/${{ parameters.name }} os: '${{ parameters.os }}' buildkit: 1 - dockerFileRelPath: Dockerfile - dockerFileContextPath: '' + dockerFileRelPath: artifact/Dockerfile + dockerFileContextPath: 'artifact/' enable_network: true enable_pull: true build_tag: ${{ parameters.build_tag }} From d9836f17581864da764b41a2c76290c67326f04d Mon Sep 17 00:00:00 2001 From: Sheyla Trudo Date: Tue, 20 May 2025 22:23:37 -0700 Subject: [PATCH 077/154] fixup! fixup! Use Signed Binaries for Docker Build --- .pipelines/build/images.jobs.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.pipelines/build/images.jobs.yaml b/.pipelines/build/images.jobs.yaml index e632f3d216..3c57aec222 100644 
--- a/.pipelines/build/images.jobs.yaml +++ b/.pipelines/build/images.jobs.yaml @@ -144,6 +144,6 @@ jobs: os: $(OS) name: $(name) build_tag: $(imageTag) - extra_args: $(extraArgs) --build-arg ARTIFACT_DIR="." + extra_args: $(extraArgs) --build-arg ARTIFACT_DIR="artifact/" archive_file: $(archiveName)-$(OS)-$(ARCH)-$(archiveVersion) source: drop_build_pkg_${{ job_data.job }}_$(name) From 7fc5d46817ec414bb42821d362f14691c1532274 Mon Sep 17 00:00:00 2001 From: Sheyla Trudo Date: Tue, 20 May 2025 23:34:52 -0700 Subject: [PATCH 078/154] fixup! fixup! Use Signed Binaries for Docker Build --- .pipelines/build/image.steps.yaml | 7 ++++--- .pipelines/build/images.jobs.yaml | 2 +- 2 files changed, 5 insertions(+), 4 deletions(-) diff --git a/.pipelines/build/image.steps.yaml b/.pipelines/build/image.steps.yaml index 934f93e471..7cf28c6ef9 100644 --- a/.pipelines/build/image.steps.yaml +++ b/.pipelines/build/image.steps.yaml @@ -46,7 +46,8 @@ parameters: steps: - task: DownloadPipelineArtifact@2 inputs: - targetPath: artifact/ + buildTYpe: current + targetPath: '$(Build.SourcesDirectory)/dst/${{ parameters.source }}' artifact: '${{ parameters.source }}' patterns: '**/*.tar' @@ -67,8 +68,8 @@ steps: repositoryName: $(os)-$(arch)/${{ parameters.name }} os: '${{ parameters.os }}' buildkit: 1 - dockerFileRelPath: artifact/Dockerfile - dockerFileContextPath: 'artifact/' + dockerFileRelPath: ${{ parameters.source }}/out/Dockerfile + # dockerFileContextPath: 'out/' enable_network: true enable_pull: true build_tag: ${{ parameters.build_tag }} diff --git a/.pipelines/build/images.jobs.yaml b/.pipelines/build/images.jobs.yaml index 3c57aec222..102d6b308c 100644 --- a/.pipelines/build/images.jobs.yaml +++ b/.pipelines/build/images.jobs.yaml 
@@ -144,6 +144,6 @@ jobs: os: $(OS) name: $(name) build_tag: $(imageTag) - extra_args: $(extraArgs) --build-arg ARTIFACT_DIR="artifact/" + extra_args: $(extraArgs) --build-arg ARTIFACT_DIR="drop_build_pkg_${{ job_data.job }}_$(name)/out" archive_file: $(archiveName)-$(OS)-$(ARCH)-$(archiveVersion) source: drop_build_pkg_${{ job_data.job }}_$(name) From 7c0300579aca04db9282b650b625166aaccb22ef Mon Sep 17 00:00:00 2001 From: Sheyla Trudo Date: Wed, 21 May 2025 01:45:56 -0700 Subject: [PATCH 079/154] fixup! fixup! Use Signed Binaries for Docker Build --- .pipelines/build/image.steps.yaml | 4 ++-- .pipelines/build/images.jobs.yaml | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/.pipelines/build/image.steps.yaml b/.pipelines/build/image.steps.yaml index 7cf28c6ef9..4051afc942 100644 --- a/.pipelines/build/image.steps.yaml +++ b/.pipelines/build/image.steps.yaml @@ -68,8 +68,8 @@ steps: repositoryName: $(os)-$(arch)/${{ parameters.name }} os: '${{ parameters.os }}' buildkit: 1 - dockerFileRelPath: ${{ parameters.source }}/out/Dockerfile - # dockerFileContextPath: 'out/' + dockerFileRelPath: ${{ parameters.source }}/Dockerfile + dockerFileContextPath: ${{ parameters.source }} enable_network: true enable_pull: true build_tag: ${{ parameters.build_tag }} diff --git a/.pipelines/build/images.jobs.yaml b/.pipelines/build/images.jobs.yaml index 102d6b308c..5426e2700e 100644 --- a/.pipelines/build/images.jobs.yaml +++ b/.pipelines/build/images.jobs.yaml @@ -144,6 +144,6 @@ jobs: os: $(OS) name: $(name) build_tag: $(imageTag) - extra_args: $(extraArgs) --build-arg ARTIFACT_DIR="drop_build_pkg_${{ job_data.job }}_$(name)/out" + extra_args: $(extraArgs) --build-arg ARTIFACT_DIR="drop_build_pkg_${{ job_data.job }}_$(name)" archive_file: $(archiveName)-$(OS)-$(ARCH)-$(archiveVersion) source: drop_build_pkg_${{ job_data.job }}_$(name) From 7948f3309f6118a63359db1d85f9a5b56d964730 Mon Sep 17 00:00:00 2001 
From: Sheyla Trudo Date: Wed, 21 May 2025 02:27:34 -0700 Subject: [PATCH 080/154] fixup! fixup! Use Signed Binaries for Docker Build --- .pipelines/build/images.jobs.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.pipelines/build/images.jobs.yaml b/.pipelines/build/images.jobs.yaml index 5426e2700e..c8e3a64e1e 100644 --- a/.pipelines/build/images.jobs.yaml +++ b/.pipelines/build/images.jobs.yaml @@ -102,7 +102,7 @@ jobs: # # See: https://eng.ms/docs/products/onebranch/build/containerbasedworkflow/dockerimagesandacr/preservefilepermissionsfordockerbuild - script: | - tar cvf "$OUT_DIR"/root_artifact.tar --exclude=root_artifact.tar "$OUT_DIR"/. + tar cvf "$OUT_DIR"/root_artifact.tar --exclude=root_artifact.tar "$OUT_DIR" displayName: "Zip to Preserve Linux File Permissions" From 748675b995295000a668f0bac8cf983a58cf88c4 Mon Sep 17 00:00:00 2001 From: Sheyla Trudo Date: Wed, 21 May 2025 10:29:34 -0700 Subject: [PATCH 081/154] fixup! fixup! Use Signed Binaries for Docker Build --- .pipelines/build/image.steps.yaml | 6 +++--- .pipelines/build/images.jobs.yaml | 2 +- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/.pipelines/build/image.steps.yaml b/.pipelines/build/image.steps.yaml index 4051afc942..8d9f63a472 100644 --- a/.pipelines/build/image.steps.yaml +++ b/.pipelines/build/image.steps.yaml @@ -46,7 +46,7 @@ parameters: steps: - task: DownloadPipelineArtifact@2 inputs: - buildTYpe: current + buildType: current targetPath: '$(Build.SourcesDirectory)/dst/${{ parameters.source }}' artifact: '${{ parameters.source }}' patterns: '**/*.tar' @@ -68,8 +68,8 @@ steps: repositoryName: $(os)-$(arch)/${{ parameters.name }} os: '${{ parameters.os }}' buildkit: 1 - dockerFileRelPath: ${{ parameters.source }}/Dockerfile - dockerFileContextPath: ${{ parameters.source }} + dockerFileRelPath: Dockerfile + #dockerFileContextPath: ${{ parameters.source }} enable_network: true enable_pull: true build_tag: ${{ parameters.build_tag }} 
diff --git a/.pipelines/build/images.jobs.yaml b/.pipelines/build/images.jobs.yaml index c8e3a64e1e..c2f828da7b 100644 --- a/.pipelines/build/images.jobs.yaml +++ b/.pipelines/build/images.jobs.yaml @@ -120,7 +120,7 @@ jobs: distribution: mariner architecture: arm64 variables: - ob_outputDirectory: $(Build.SourcesDirectory)/out/images/$(os)_$(arch) + ob_outputDirectory: $(Build.SourcesDirectory)/images/$(os)_$(arch) ob_artifactSuffix: _$(name) ob_git_checkout: false ob_extract_root_artifact: true From 45f09a1a1d6ac8144df17394bf4742df0ec0301c Mon Sep 17 00:00:00 2001 From: Sheyla Trudo Date: Wed, 21 May 2025 10:32:24 -0700 Subject: [PATCH 082/154] fixup! fixup! Use Signed Binaries for Docker Build --- .pipelines/build/image.steps.yaml | 5 +++-- .pipelines/build/images.jobs.yaml | 2 +- 2 files changed, 4 insertions(+), 3 deletions(-) diff --git a/.pipelines/build/image.steps.yaml b/.pipelines/build/image.steps.yaml index 8d9f63a472..17b46d9f46 100644 --- a/.pipelines/build/image.steps.yaml +++ b/.pipelines/build/image.steps.yaml @@ -68,8 +68,9 @@ steps: repositoryName: $(os)-$(arch)/${{ parameters.name }} os: '${{ parameters.os }}' buildkit: 1 - dockerFileRelPath: Dockerfile - #dockerFileContextPath: ${{ parameters.source }} + dockerFileRelPath: out/Dockerfile + dockerFileContextPath: out + # ${{ parameters.source }} enable_network: true enable_pull: true build_tag: ${{ parameters.build_tag }} diff --git a/.pipelines/build/images.jobs.yaml b/.pipelines/build/images.jobs.yaml index c2f828da7b..0c44c9b3c1 100644 --- a/.pipelines/build/images.jobs.yaml +++ b/.pipelines/build/images.jobs.yaml @@ -120,7 +120,7 @@ jobs: distribution: mariner architecture: arm64 variables: - ob_outputDirectory: $(Build.SourcesDirectory)/images/$(os)_$(arch) + ob_outputDirectory: out ob_artifactSuffix: _$(name) ob_git_checkout: false ob_extract_root_artifact: true From a3af40971e38ed535514beb2722a7d409615bb6a Mon Sep 17 00:00:00 2001 
From: Sheyla Trudo Date: Wed, 21 May 2025 10:34:23 -0700 Subject: [PATCH 083/154] fixup! fixup! Use Signed Binaries for Docker Build --- .pipelines/build/image.steps.yaml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.pipelines/build/image.steps.yaml b/.pipelines/build/image.steps.yaml index 17b46d9f46..16c2126a73 100644 --- a/.pipelines/build/image.steps.yaml +++ b/.pipelines/build/image.steps.yaml @@ -47,7 +47,7 @@ steps: - task: DownloadPipelineArtifact@2 inputs: buildType: current - targetPath: '$(Build.SourcesDirectory)/dst/${{ parameters.source }}' + targetPath: 'artifacts/${{ parameters.source }}' artifact: '${{ parameters.source }}' patterns: '**/*.tar' @@ -68,8 +68,8 @@ steps: repositoryName: $(os)-$(arch)/${{ parameters.name }} os: '${{ parameters.os }}' buildkit: 1 - dockerFileRelPath: out/Dockerfile - dockerFileContextPath: out + dockerFileRelPath: ${{ parameters.source }}/Dockerfile + dockerFileContextPath: ${{ parameters.source }} # ${{ parameters.source }} enable_network: true enable_pull: true From 024c0efcc5a26d3060a607de7ab8192910cc2068 Mon Sep 17 00:00:00 2001 From: Sheyla Trudo Date: Wed, 21 May 2025 11:04:22 -0700 Subject: [PATCH 084/154] fixup! fixup! Use Signed Binaries for Docker Build --- .pipelines/build/image.steps.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.pipelines/build/image.steps.yaml b/.pipelines/build/image.steps.yaml index 16c2126a73..5edf1c29b1 100644 --- a/.pipelines/build/image.steps.yaml +++ b/.pipelines/build/image.steps.yaml @@ -68,8 +68,8 @@ steps: repositoryName: $(os)-$(arch)/${{ parameters.name }} os: '${{ parameters.os }}' buildkit: 1 - dockerFileRelPath: ${{ parameters.source }}/Dockerfile - dockerFileContextPath: ${{ parameters.source }} + dockerFileRelPath: artifacts/${{ parameters.source }}/Dockerfile + dockerFileContextPath: artifacts/${{ parameters.source }} # ${{ parameters.source }} enable_network: true enable_pull: true 
From 5805044b74d2db273ebdf9b86af2369bcae803c1 Mon Sep 17 00:00:00 2001 From: Sheyla Trudo Date: Wed, 21 May 2025 11:05:56 -0700 Subject: [PATCH 085/154] fixup! fixup! Use Signed Binaries for Docker Build --- .pipelines/build/image.steps.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.pipelines/build/image.steps.yaml b/.pipelines/build/image.steps.yaml index 5edf1c29b1..cdc3ad1d11 100644 --- a/.pipelines/build/image.steps.yaml +++ b/.pipelines/build/image.steps.yaml @@ -47,7 +47,7 @@ steps: - task: DownloadPipelineArtifact@2 inputs: buildType: current - targetPath: 'artifacts/${{ parameters.source }}' + targetPath: '$(Build.SourcesDirectory)/dst/${{ parameters.source }}' artifact: '${{ parameters.source }}' patterns: '**/*.tar' From 9e179600c4f80238b77bf6324fb41a1e55448127 Mon Sep 17 00:00:00 2001 From: Sheyla Trudo Date: Wed, 21 May 2025 11:07:50 -0700 Subject: [PATCH 086/154] fixup! fixup! Use Signed Binaries for Docker Build --- .pipelines/build/image.steps.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.pipelines/build/image.steps.yaml b/.pipelines/build/image.steps.yaml index cdc3ad1d11..3a47fafac2 100644 --- a/.pipelines/build/image.steps.yaml +++ b/.pipelines/build/image.steps.yaml @@ -68,8 +68,8 @@ steps: repositoryName: $(os)-$(arch)/${{ parameters.name }} os: '${{ parameters.os }}' buildkit: 1 - dockerFileRelPath: artifacts/${{ parameters.source }}/Dockerfile - dockerFileContextPath: artifacts/${{ parameters.source }} + dockerFileRelPath: artifacts/Dockerfile + dockerFileContextPath: artifacts/ # ${{ parameters.source }} enable_network: true enable_pull: true From 10bf21c886f1ba714492ebeea24f6156bff3f108 Mon Sep 17 00:00:00 2001 From: Sheyla Trudo Date: Wed, 21 May 2025 11:08:57 -0700 Subject: [PATCH 087/154] fixup! fixup! Use Signed Binaries for Docker Build --- .pipelines/build/image.steps.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/.pipelines/build/image.steps.yaml b/.pipelines/build/image.steps.yaml index 3a47fafac2..f12f037304 100644 --- a/.pipelines/build/image.steps.yaml +++ b/.pipelines/build/image.steps.yaml @@ -68,7 +68,7 @@ steps: repositoryName: $(os)-$(arch)/${{ parameters.name }} os: '${{ parameters.os }}' buildkit: 1 - dockerFileRelPath: artifacts/Dockerfile + dockerFileRelPath: artifacts/${{ parameters.source }}/Dockerfile dockerFileContextPath: artifacts/ # ${{ parameters.source }} enable_network: true From 9c1234c584ed7e694a191d648fbb9ecf8d1ab246 Mon Sep 17 00:00:00 2001 From: Sheyla Trudo Date: Wed, 21 May 2025 11:09:55 -0700 Subject: [PATCH 088/154] fixup! fixup! Use Signed Binaries for Docker Build --- .pipelines/build/image.steps.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.pipelines/build/image.steps.yaml b/.pipelines/build/image.steps.yaml index f12f037304..bd9cd13683 100644 --- a/.pipelines/build/image.steps.yaml +++ b/.pipelines/build/image.steps.yaml @@ -68,7 +68,7 @@ steps: repositoryName: $(os)-$(arch)/${{ parameters.name }} os: '${{ parameters.os }}' buildkit: 1 - dockerFileRelPath: artifacts/${{ parameters.source }}/Dockerfile + dockerFileRelPath: ${{ parameters.source }}/Dockerfile dockerFileContextPath: artifacts/ # ${{ parameters.source }} enable_network: true From f1e6349e3cad12c91e035de2235dba0399d1541e Mon Sep 17 00:00:00 2001 From: Sheyla Trudo Date: Wed, 21 May 2025 11:38:06 -0700 Subject: [PATCH 089/154] fixup! fixup! Use Signed Binaries for Docker Build --- .pipelines/build/image.steps.yaml | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/.pipelines/build/image.steps.yaml b/.pipelines/build/image.steps.yaml index bd9cd13683..710e341493 100644 --- a/.pipelines/build/image.steps.yaml +++ b/.pipelines/build/image.steps.yaml 
@@ -47,9 +47,10 @@ steps: - task: DownloadPipelineArtifact@2 inputs: buildType: current - targetPath: '$(Build.SourcesDirectory)/dst/${{ parameters.source }}' + targetPath: '${{ parameters.source }}' artifact: '${{ parameters.source }}' patterns: '**/*.tar' + workingDirectory: $(Build.ArtifactStagingDirectory) - task: onebranch.pipeline.containercontrol@1 displayName: "Login to ACR" @@ -69,7 +70,7 @@ steps: os: '${{ parameters.os }}' buildkit: 1 dockerFileRelPath: ${{ parameters.source }}/Dockerfile - dockerFileContextPath: artifacts/ + dockerFileContextPath: $(Build.ArtifactStagingDirectory) # ${{ parameters.source }} enable_network: true enable_pull: true From 7266bc29612837b3a705905f9113d7ac9e1a2314 Mon Sep 17 00:00:00 2001 From: Sheyla Trudo Date: Wed, 21 May 2025 11:39:36 -0700 Subject: [PATCH 090/154] fixup! fixup! Use Signed Binaries for Docker Build --- .pipelines/build/image.steps.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.pipelines/build/image.steps.yaml b/.pipelines/build/image.steps.yaml index 710e341493..c0da3ee8cd 100644 --- a/.pipelines/build/image.steps.yaml +++ b/.pipelines/build/image.steps.yaml @@ -69,7 +69,7 @@ steps: repositoryName: $(os)-$(arch)/${{ parameters.name }} os: '${{ parameters.os }}' buildkit: 1 - dockerFileRelPath: ${{ parameters.source }}/Dockerfile + dockerFileRelPath: $(Build.ArtifactStagingDirectory)/${{ parameters.source }}/Dockerfile dockerFileContextPath: $(Build.ArtifactStagingDirectory) # ${{ parameters.source }} enable_network: true From de65ecabae87701632ba51c96ac494679b7a229a Mon Sep 17 00:00:00 2001 From: Sheyla Trudo Date: Wed, 21 May 2025 11:40:23 -0700 Subject: [PATCH 091/154] fixup! fixup! Use Signed Binaries for Docker Build --- .pipelines/build/image.steps.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.pipelines/build/image.steps.yaml b/.pipelines/build/image.steps.yaml index c0da3ee8cd..610a718152 100644 --- a/.pipelines/build/image.steps.yaml 
+++ b/.pipelines/build/image.steps.yaml @@ -69,7 +69,7 @@ steps: repositoryName: $(os)-$(arch)/${{ parameters.name }} os: '${{ parameters.os }}' buildkit: 1 - dockerFileRelPath: $(Build.ArtifactStagingDirectory)/${{ parameters.source }}/Dockerfile + dockerFileRelPath: $(Build.ArtifactStagingDirectory)/Dockerfile dockerFileContextPath: $(Build.ArtifactStagingDirectory) # ${{ parameters.source }} enable_network: true From 52a3bc93c52dcd3b115130c4e34d9603f4203928 Mon Sep 17 00:00:00 2001 From: Sheyla Trudo Date: Wed, 21 May 2025 11:41:25 -0700 Subject: [PATCH 092/154] fixup! fixup! Use Signed Binaries for Docker Build --- .pipelines/build/image.steps.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.pipelines/build/image.steps.yaml b/.pipelines/build/image.steps.yaml index 610a718152..3f829b24d2 100644 --- a/.pipelines/build/image.steps.yaml +++ b/.pipelines/build/image.steps.yaml @@ -69,7 +69,7 @@ steps: repositoryName: $(os)-$(arch)/${{ parameters.name }} os: '${{ parameters.os }}' buildkit: 1 - dockerFileRelPath: $(Build.ArtifactStagingDirectory)/Dockerfile + dockerFileRelPath: Dockerfile dockerFileContextPath: $(Build.ArtifactStagingDirectory) # ${{ parameters.source }} enable_network: true From b91d4600d2516a4738fb1115ec409edf7acbcb92 Mon Sep 17 00:00:00 2001 From: Sheyla Trudo Date: Wed, 21 May 2025 11:43:10 -0700 Subject: [PATCH 093/154] fixup! fixup! Use Signed Binaries for Docker Build --- .pipelines/build/image.steps.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.pipelines/build/image.steps.yaml b/.pipelines/build/image.steps.yaml index 3f829b24d2..710e341493 100644 --- a/.pipelines/build/image.steps.yaml +++ b/.pipelines/build/image.steps.yaml 
@@ -69,7 +69,7 @@ steps: repositoryName: $(os)-$(arch)/${{ parameters.name }} os: '${{ parameters.os }}' buildkit: 1 - dockerFileRelPath: Dockerfile + dockerFileRelPath: ${{ parameters.source }}/Dockerfile dockerFileContextPath: $(Build.ArtifactStagingDirectory) # ${{ parameters.source }} enable_network: true From b3845f326bd95680a7e9168c4876b180c52568d9 Mon Sep 17 00:00:00 2001 From: Sheyla Trudo Date: Wed, 21 May 2025 11:44:21 -0700 Subject: [PATCH 094/154] fixup! fixup! Use Signed Binaries for Docker Build --- .pipelines/build/image.steps.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.pipelines/build/image.steps.yaml b/.pipelines/build/image.steps.yaml index 710e341493..f33d486076 100644 --- a/.pipelines/build/image.steps.yaml +++ b/.pipelines/build/image.steps.yaml @@ -70,7 +70,7 @@ steps: os: '${{ parameters.os }}' buildkit: 1 dockerFileRelPath: ${{ parameters.source }}/Dockerfile - dockerFileContextPath: $(Build.ArtifactStagingDirectory) + dockerFileContextPath: $(Build.ArtifactStagingDirectory)/${{ parameters.source }} # ${{ parameters.source }} enable_network: true enable_pull: true From 7b81d4a82d8826400c660eff5546d78eea7f7be4 Mon Sep 17 00:00:00 2001 From: Sheyla Trudo Date: Wed, 21 May 2025 11:45:34 -0700 Subject: [PATCH 095/154] fixup! fixup! Use Signed Binaries for Docker Build --- .pipelines/build/image.steps.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.pipelines/build/image.steps.yaml b/.pipelines/build/image.steps.yaml index f33d486076..16c47df012 100644 --- a/.pipelines/build/image.steps.yaml +++ b/.pipelines/build/image.steps.yaml @@ -70,7 +70,7 @@ steps: os: '${{ parameters.os }}' buildkit: 1 dockerFileRelPath: ${{ parameters.source }}/Dockerfile - dockerFileContextPath: $(Build.ArtifactStagingDirectory)/${{ parameters.source }} + dockerFileContextPath: $(Build.ArtifactStagingDirectory)/out # ${{ parameters.source }} enable_network: true enable_pull: true 
From eb8be05b1b880c28790085767695f5d991a2798b Mon Sep 17 00:00:00 2001 From: Sheyla Trudo Date: Wed, 21 May 2025 11:50:50 -0700 Subject: [PATCH 096/154] fixup! fixup! Use Signed Binaries for Docker Build --- .pipelines/build/image.steps.yaml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.pipelines/build/image.steps.yaml b/.pipelines/build/image.steps.yaml index 16c47df012..ae0e65e698 100644 --- a/.pipelines/build/image.steps.yaml +++ b/.pipelines/build/image.steps.yaml @@ -47,7 +47,7 @@ steps: - task: DownloadPipelineArtifact@2 inputs: buildType: current - targetPath: '${{ parameters.source }}' + targetPath: '$(Build.SourcesDirectory)/dst/${{ parameters.source }}' artifact: '${{ parameters.source }}' patterns: '**/*.tar' workingDirectory: $(Build.ArtifactStagingDirectory) @@ -69,8 +69,8 @@ steps: repositoryName: $(os)-$(arch)/${{ parameters.name }} os: '${{ parameters.os }}' buildkit: 1 - dockerFileRelPath: ${{ parameters.source }}/Dockerfile - dockerFileContextPath: $(Build.ArtifactStagingDirectory)/out + dockerFileRelPath: root_artifact/${{ parameters.source }}/Dockerfile + dockerFileContextPath: root_artifact/${{ parameters.source }} # ${{ parameters.source }} enable_network: true enable_pull: true From c1b58c38b347912df11f33f55d103f9bbef76f1c Mon Sep 17 00:00:00 2001 From: Sheyla Trudo Date: Wed, 21 May 2025 11:51:59 -0700 Subject: [PATCH 097/154] fixup! fixup! Use Signed Binaries for Docker Build --- .pipelines/build/image.steps.yaml | 1 - 1 file changed, 1 deletion(-) diff --git a/.pipelines/build/image.steps.yaml b/.pipelines/build/image.steps.yaml index ae0e65e698..fb25c0588e 100644 --- a/.pipelines/build/image.steps.yaml +++ b/.pipelines/build/image.steps.yaml 
@@ -50,7 +50,6 @@ steps: targetPath: '$(Build.SourcesDirectory)/dst/${{ parameters.source }}' artifact: '${{ parameters.source }}' patterns: '**/*.tar' - workingDirectory: $(Build.ArtifactStagingDirectory) - task: onebranch.pipeline.containercontrol@1 displayName: "Login to ACR" From 3cb260286fe5cb0a1f7d51fa3f411b0d913e383f Mon Sep 17 00:00:00 2001 From: Sheyla Trudo Date: Wed, 21 May 2025 11:53:17 -0700 Subject: [PATCH 098/154] fixup! fixup! Use Signed Binaries for Docker Build --- .pipelines/build/image.steps.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.pipelines/build/image.steps.yaml b/.pipelines/build/image.steps.yaml index fb25c0588e..c66e27378c 100644 --- a/.pipelines/build/image.steps.yaml +++ b/.pipelines/build/image.steps.yaml @@ -68,8 +68,8 @@ steps: repositoryName: $(os)-$(arch)/${{ parameters.name }} os: '${{ parameters.os }}' buildkit: 1 - dockerFileRelPath: root_artifact/${{ parameters.source }}/Dockerfile - dockerFileContextPath: root_artifact/${{ parameters.source }} + dockerFileRelPath: root_artifacts/${{ parameters.source }}/Dockerfile + dockerFileContextPath: root_artifacts/${{ parameters.source }} # ${{ parameters.source }} enable_network: true enable_pull: true From 5054e6aee7d51d8ce47c8e6ee74cceaea4890460 Mon Sep 17 00:00:00 2001 From: Sheyla Trudo Date: Wed, 21 May 2025 11:57:17 -0700 Subject: [PATCH 099/154] fixup! fixup! Use Signed Binaries for Docker Build --- .pipelines/build/image.steps.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.pipelines/build/image.steps.yaml b/.pipelines/build/image.steps.yaml index c66e27378c..ceb36d157c 100644 --- a/.pipelines/build/image.steps.yaml +++ b/.pipelines/build/image.steps.yaml 
@@ -68,8 +68,8 @@ steps: repositoryName: $(os)-$(arch)/${{ parameters.name }} os: '${{ parameters.os }}' buildkit: 1 - dockerFileRelPath: root_artifacts/${{ parameters.source }}/Dockerfile - dockerFileContextPath: root_artifacts/${{ parameters.source }} + dockerFileRelPath: root_artifacts/Dockerfile + dockerFileContextPath: root_artifacts # ${{ parameters.source }} enable_network: true enable_pull: true From ae5bb5e4f326f70303bd086bcce9bf550a7d1a7d Mon Sep 17 00:00:00 2001 From: Sheyla Trudo Date: Wed, 21 May 2025 11:58:20 -0700 Subject: [PATCH 100/154] fixup! fixup! Use Signed Binaries for Docker Build --- .pipelines/build/image.steps.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.pipelines/build/image.steps.yaml b/.pipelines/build/image.steps.yaml index ceb36d157c..2096e3a779 100644 --- a/.pipelines/build/image.steps.yaml +++ b/.pipelines/build/image.steps.yaml @@ -68,8 +68,8 @@ steps: repositoryName: $(os)-$(arch)/${{ parameters.name }} os: '${{ parameters.os }}' buildkit: 1 - dockerFileRelPath: root_artifacts/Dockerfile - dockerFileContextPath: root_artifacts + dockerFileRelPath: root_artifact/Dockerfile + dockerFileContextPath: root_artifact # ${{ parameters.source }} enable_network: true enable_pull: true From 3b3c405db48ce4c7729503d9a2c28d0ff4ddb64a Mon Sep 17 00:00:00 2001 From: Sheyla Trudo Date: Wed, 21 May 2025 12:35:48 -0700 Subject: [PATCH 101/154] fixup! fixup! Use Signed Binaries for Docker Build --- .pipelines/build/image.steps.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.pipelines/build/image.steps.yaml b/.pipelines/build/image.steps.yaml index 2096e3a779..5148b1fe59 100644 --- a/.pipelines/build/image.steps.yaml +++ b/.pipelines/build/image.steps.yaml 
@@ -47,7 +47,7 @@ steps: - task: DownloadPipelineArtifact@2 inputs: buildType: current - targetPath: '$(Build.SourcesDirectory)/dst/${{ parameters.source }}' + targetPath: '$(Build.ArtifactStagingDirectory)/${{ parameters.source }}' artifact: '${{ parameters.source }}' patterns: '**/*.tar' From 0b8f10800fd6f33c175d861bf82a93239fd08f83 Mon Sep 17 00:00:00 2001 From: Sheyla Trudo Date: Wed, 21 May 2025 12:36:57 -0700 Subject: [PATCH 102/154] fixup! fixup! Use Signed Binaries for Docker Build --- .pipelines/build/image.steps.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.pipelines/build/image.steps.yaml b/.pipelines/build/image.steps.yaml index 5148b1fe59..79f86c76e1 100644 --- a/.pipelines/build/image.steps.yaml +++ b/.pipelines/build/image.steps.yaml @@ -68,8 +68,8 @@ steps: repositoryName: $(os)-$(arch)/${{ parameters.name }} os: '${{ parameters.os }}' buildkit: 1 - dockerFileRelPath: root_artifact/Dockerfile - dockerFileContextPath: root_artifact + dockerFileRelPath: root_artifacts/Dockerfile + dockerFileContextPath: root_artifacts # ${{ parameters.source }} enable_network: true enable_pull: true From 090846594152502b488aa4f1be0353d10898dcd5 Mon Sep 17 00:00:00 2001 From: Sheyla Trudo Date: Wed, 21 May 2025 12:50:29 -0700 Subject: [PATCH 103/154] fixup! fixup! Use Signed Binaries for Docker Build --- .pipelines/build/image.steps.yaml | 7 +++---- .pipelines/build/images.jobs.yaml | 2 +- 2 files changed, 4 insertions(+), 5 deletions(-) diff --git a/.pipelines/build/image.steps.yaml b/.pipelines/build/image.steps.yaml index 79f86c76e1..a4cbf07c30 100644 --- a/.pipelines/build/image.steps.yaml +++ b/.pipelines/build/image.steps.yaml @@ -46,8 +46,7 @@ parameters: steps: - task: DownloadPipelineArtifact@2 inputs: - buildType: current - targetPath: '$(Build.ArtifactStagingDirectory)/${{ parameters.source }}' + targetPath: '$(Build.SourcesDirectory)/dst/artifacts' artifact: '${{ parameters.source }}' patterns: '**/*.tar' 
@@ -68,8 +67,8 @@ steps: repositoryName: $(os)-$(arch)/${{ parameters.name }} os: '${{ parameters.os }}' buildkit: 1 - dockerFileRelPath: root_artifacts/Dockerfile - dockerFileContextPath: root_artifacts + dockerFileRelPath: artifacts/Dockerfile + dockerFileContextPath: artifacts # ${{ parameters.source }} enable_network: true enable_pull: true diff --git a/.pipelines/build/images.jobs.yaml b/.pipelines/build/images.jobs.yaml index 0c44c9b3c1..6ba7126322 100644 --- a/.pipelines/build/images.jobs.yaml +++ b/.pipelines/build/images.jobs.yaml @@ -120,7 +120,7 @@ jobs: distribution: mariner architecture: arm64 variables: - ob_outputDirectory: out + ob_outputDirectory: $(Build.ArtifactStagingDirectory) ob_artifactSuffix: _$(name) ob_git_checkout: false ob_extract_root_artifact: true From 09aa4b3317bb014e87599c0fd7e856fa424710fc Mon Sep 17 00:00:00 2001 From: Sheyla Trudo Date: Wed, 21 May 2025 12:54:42 -0700 Subject: [PATCH 104/154] fixup! fixup! Use Signed Binaries for Docker Build --- .pipelines/build/image.steps.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.pipelines/build/image.steps.yaml b/.pipelines/build/image.steps.yaml index a4cbf07c30..8a755f56ce 100644 --- a/.pipelines/build/image.steps.yaml +++ b/.pipelines/build/image.steps.yaml @@ -46,7 +46,7 @@ parameters: steps: - task: DownloadPipelineArtifact@2 inputs: - targetPath: '$(Build.SourcesDirectory)/dst/artifacts' + targetPath: '$(Build.ArtifactStagingDirectory)/artifacts' artifact: '${{ parameters.source }}' patterns: '**/*.tar' From 6b5e9cf64507881dd4f88d349f055bf8a6b0e45e Mon Sep 17 00:00:00 2001 From: Sheyla Trudo Date: Wed, 21 May 2025 13:41:55 -0700 Subject: [PATCH 105/154] fixup! fixup! Use Signed Binaries for Docker Build --- .pipelines/build/image.steps.yaml | 8 +++----- .pipelines/build/images.jobs.yaml | 2 +- 2 files changed, 4 insertions(+), 6 deletions(-) 
diff --git a/.pipelines/build/image.steps.yaml b/.pipelines/build/image.steps.yaml index 8a755f56ce..e29a5c3423 100644 --- a/.pipelines/build/image.steps.yaml +++ b/.pipelines/build/image.steps.yaml @@ -46,9 +46,8 @@ parameters: steps: - task: DownloadPipelineArtifact@2 inputs: - targetPath: '$(Build.ArtifactStagingDirectory)/artifacts' + targetPath: '$(Build.SourcesDirectory)/dst/${{ parameters.source }}' artifact: '${{ parameters.source }}' - patterns: '**/*.tar' - task: onebranch.pipeline.containercontrol@1 displayName: "Login to ACR" @@ -67,9 +66,8 @@ steps: repositoryName: $(os)-$(arch)/${{ parameters.name }} os: '${{ parameters.os }}' buildkit: 1 - dockerFileRelPath: artifacts/Dockerfile - dockerFileContextPath: artifacts - # ${{ parameters.source }} + dockerFileRelPath: ${{ parameters.source }}/Dockerfile + #dockerFileContextPath: ${{ parameters.source }}/root_artifacts enable_network: true enable_pull: true build_tag: ${{ parameters.build_tag }} diff --git a/.pipelines/build/images.jobs.yaml b/.pipelines/build/images.jobs.yaml index 6ba7126322..651faea1ae 100644 --- a/.pipelines/build/images.jobs.yaml +++ b/.pipelines/build/images.jobs.yaml @@ -144,6 +144,6 @@ jobs: os: $(OS) name: $(name) build_tag: $(imageTag) - extra_args: $(extraArgs) --build-arg ARTIFACT_DIR="drop_build_pkg_${{ job_data.job }}_$(name)" + extra_args: $(extraArgs) --build-arg ARTIFACT_DIR="$(Build.ArtifactStagingDirectory)" archive_file: $(archiveName)-$(OS)-$(ARCH)-$(archiveVersion) source: drop_build_pkg_${{ job_data.job }}_$(name) From 70df05ce8005e49531bca152746becade38dc6cb Mon Sep 17 00:00:00 2001 From: Sheyla Trudo Date: Wed, 21 May 2025 13:43:18 -0700 Subject: [PATCH 106/154] fixup! fixup! Use Signed Binaries for Docker Build --- .pipelines/build/image.steps.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.pipelines/build/image.steps.yaml b/.pipelines/build/image.steps.yaml index e29a5c3423..d675fce832 100644 --- a/.pipelines/build/image.steps.yaml 
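Review bot: The `extra_args` line in the images.jobs.yaml hunk now passes an absolute agent directory as `ARTIFACT_DIR`, but the Dockerfiles use that argument as a `COPY` source (`COPY ${ARTIFACT_DIR}/bin/...`), and `COPY` sources are resolved inside the build context, so a host path cannot be reached this way. A context-relative value keeps the copy meaningful, for example `--build-arg ARTIFACT_DIR="."` if the context root is the downloaded artifact, which this hunk does not confirm. Because the series is about building images from signed binaries, `source:` would also benefit from a comment such as `# artifact published by the signing job, not the raw build output`; the hunk does not show which job produces `drop_build_pkg_...`.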
+++ b/.pipelines/build/image.steps.yaml @@ -67,7 +67,7 @@ steps: os: '${{ parameters.os }}' buildkit: 1 dockerFileRelPath: ${{ parameters.source }}/Dockerfile - #dockerFileContextPath: ${{ parameters.source }}/root_artifacts + dockerFileContextPath: ${{ parameters.source }}/root_artifacts enable_network: true enable_pull: true build_tag: ${{ parameters.build_tag }} From 8d941a36e99b52b3ed339acde4d14f0b4a3df2c7 Mon Sep 17 00:00:00 2001 From: Sheyla Trudo Date: Wed, 21 May 2025 13:44:21 -0700 Subject: [PATCH 107/154] fixup! fixup! Use Signed Binaries for Docker Build --- .pipelines/build/image.steps.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.pipelines/build/image.steps.yaml b/.pipelines/build/image.steps.yaml index d675fce832..62177e33e5 100644 --- a/.pipelines/build/image.steps.yaml +++ b/.pipelines/build/image.steps.yaml @@ -67,7 +67,7 @@ steps: os: '${{ parameters.os }}' buildkit: 1 dockerFileRelPath: ${{ parameters.source }}/Dockerfile - dockerFileContextPath: ${{ parameters.source }}/root_artifacts + dockerFileContextPath: ${{ parameters.source }}/root_artifact enable_network: true enable_pull: true build_tag: ${{ parameters.build_tag }} From adef5d13f9f49ca25b42a2268c66194b6e5a70f3 Mon Sep 17 00:00:00 2001 From: Sheyla Trudo Date: Wed, 21 May 2025 13:47:49 -0700 Subject: [PATCH 108/154] fixup! fixup! Use Signed Binaries for Docker Build --- .pipelines/build/image.steps.yaml | 1 - 1 file changed, 1 deletion(-) diff --git a/.pipelines/build/image.steps.yaml b/.pipelines/build/image.steps.yaml index 62177e33e5..9c107ca30d 100644 --- a/.pipelines/build/image.steps.yaml +++ b/.pipelines/build/image.steps.yaml @@ -67,7 +67,6 @@ steps: os: '${{ parameters.os }}' buildkit: 1 dockerFileRelPath: ${{ parameters.source }}/Dockerfile - dockerFileContextPath: ${{ parameters.source }}/root_artifact enable_network: true enable_pull: true build_tag: ${{ parameters.build_tag }} From c8faca5662a736903c8ad0f8de9f99a934168ac3 Mon Sep 17 00:00:00 2001 
From: Sheyla Trudo Date: Wed, 21 May 2025 13:49:41 -0700 Subject: [PATCH 109/154] fixup! fixup! Use Signed Binaries for Docker Build --- .pipelines/build/image.steps.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/.pipelines/build/image.steps.yaml b/.pipelines/build/image.steps.yaml index 9c107ca30d..30388c2646 100644 --- a/.pipelines/build/image.steps.yaml +++ b/.pipelines/build/image.steps.yaml @@ -67,6 +67,7 @@ steps: os: '${{ parameters.os }}' buildkit: 1 dockerFileRelPath: ${{ parameters.source }}/Dockerfile + dockerFileContextPath: artifacts/ enable_network: true enable_pull: true build_tag: ${{ parameters.build_tag }} From 3fa3041757da388259728efd639b2075a1bf569e Mon Sep 17 00:00:00 2001 From: Sheyla Trudo Date: Wed, 21 May 2025 14:37:38 -0700 Subject: [PATCH 110/154] fixup! fixup! Use Signed Binaries for Docker Build --- .pipelines/build/image.steps.yaml | 2 +- .pipelines/build/scripts/cni.sh | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.pipelines/build/image.steps.yaml b/.pipelines/build/image.steps.yaml index 30388c2646..817d115084 100644 --- a/.pipelines/build/image.steps.yaml +++ b/.pipelines/build/image.steps.yaml @@ -67,7 +67,7 @@ steps: os: '${{ parameters.os }}' buildkit: 1 dockerFileRelPath: ${{ parameters.source }}/Dockerfile - dockerFileContextPath: artifacts/ + dockerFileContextPath: root_artifacts/ enable_network: true enable_pull: true build_tag: ${{ parameters.build_tag }} diff --git a/.pipelines/build/scripts/cni.sh b/.pipelines/build/scripts/cni.sh index f16ae5d116..a6d2d5f4a5 100644 --- a/.pipelines/build/scripts/cni.sh +++ b/.pipelines/build/scripts/cni.sh @@ -1,7 +1,7 @@ #!/bin/bash set -eux -[[ $GOOS =~ windows ]] && FILE_EXT='exe' || FILE_EXT='bin' +[[ $GOOS =~ windows ]] && FILE_EXT='exe' || FILE_EXT='' mkdir -p "$OUT_DIR"/files mkdir -p "$OUT_DIR"/bin From 8f858ec0c5e326a96242cbf3b8d52b6796112e53 Mon Sep 17 00:00:00 2001 
From: Sheyla Trudo Date: Wed, 21 May 2025 14:39:48 -0700 Subject: [PATCH 111/154] fixup! fixup! Use Signed Binaries for Docker Build --- .pipelines/build/image.steps.yaml | 1 - 1 file changed, 1 deletion(-) diff --git a/.pipelines/build/image.steps.yaml b/.pipelines/build/image.steps.yaml index 817d115084..f637ef7c62 100644 --- a/.pipelines/build/image.steps.yaml +++ b/.pipelines/build/image.steps.yaml @@ -46,7 +46,6 @@ parameters: steps: - task: DownloadPipelineArtifact@2 inputs: - targetPath: '$(Build.SourcesDirectory)/dst/${{ parameters.source }}' artifact: '${{ parameters.source }}' - task: onebranch.pipeline.containercontrol@1 From 6d4c0452e1dc276c43b7704ca67899cad10d36d0 Mon Sep 17 00:00:00 2001 From: Sheyla Trudo Date: Wed, 21 May 2025 14:42:38 -0700 Subject: [PATCH 112/154] fixup! fixup! Use Signed Binaries for Docker Build --- .pipelines/build/image.steps.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.pipelines/build/image.steps.yaml b/.pipelines/build/image.steps.yaml index f637ef7c62..8f52800d53 100644 --- a/.pipelines/build/image.steps.yaml +++ b/.pipelines/build/image.steps.yaml @@ -46,6 +46,7 @@ parameters: steps: - task: DownloadPipelineArtifact@2 inputs: + targetPath: artifacts artifact: '${{ parameters.source }}' - task: onebranch.pipeline.containercontrol@1 @@ -65,8 +66,7 @@ steps: repositoryName: $(os)-$(arch)/${{ parameters.name }} os: '${{ parameters.os }}' buildkit: 1 - dockerFileRelPath: ${{ parameters.source }}/Dockerfile - dockerFileContextPath: root_artifacts/ + dockerFileRelPath: artifacts/Dockerfile enable_network: true enable_pull: true build_tag: ${{ parameters.build_tag }} From 52e5ce10a5f8ef778a3a11a4949cdc0d99bf510e Mon Sep 17 00:00:00 2001 
From: Sheyla Trudo Date: Wed, 21 May 2025 20:11:11 -0700 Subject: [PATCH 113/154] fixup! fixup! Use Signed Binaries for Docker Build --- .../build/dockerfiles/azure-ipam.Dockerfile | 22 ++++++++--- .pipelines/build/dockerfiles/base.Dockerfile | 38 +++++++++++++++++++ .pipelines/build/dockerfiles/cni.Dockerfile | 25 +++++++----- .pipelines/build/dockerfiles/cns.Dockerfile | 34 ++++++++++------- .../build/dockerfiles/dropgz.Dockerfile | 25 ++++++++++++ .../build/dockerfiles/ipv6-hp-bpf.Dockerfile | 20 +++++++--- .pipelines/build/dockerfiles/npm.Dockerfile | 20 +++++++--- .pipelines/build/image.steps.yaml | 5 ++- 8 files changed, 148 insertions(+), 41 deletions(-) create mode 100644 .pipelines/build/dockerfiles/base.Dockerfile create mode 100644 .pipelines/build/dockerfiles/dropgz.Dockerfile diff --git a/.pipelines/build/dockerfiles/azure-ipam.Dockerfile b/.pipelines/build/dockerfiles/azure-ipam.Dockerfile index 49d8e227b1..6ecd9229c2 100644 --- a/.pipelines/build/dockerfiles/azure-ipam.Dockerfile +++ b/.pipelines/build/dockerfiles/azure-ipam.Dockerfile 
@@ -1,11 +1,21 @@ -ARG ARTIFACT_DIR - -FROM scratch AS linux -COPY ${ARTIFACT_DIR}/bin/dropgz /dropgz -ENTRYPOINT [ "/dropgz" ] +ARG ARCH # skopeo inspect docker://mcr.microsoft.com/oss/kubernetes/windows-host-process-containers-base-image:v1.0.0 --format "{{.Name}}@{{.Digest}}" -FROM mcr.microsoft.com/oss/kubernetes/windows-host-process-containers-base-image@sha256:b4c9637e032f667c52d1eccfa31ad8c63f1b035e8639f3f48a510536bf34032b as windows +FROM --platform=windows/${ARCH} mcr.microsoft.com/oss/kubernetes/windows-host-process-containers-base-image@sha256:b4c9637e032f667c52d1eccfa31ad8c63f1b035e8639f3f48a510536bf34032b as windows +ARG ARTIFACT_DIR . + COPY ${ARTIFACT_DIR}/bin/dropgz.exe /dropgz.exe ENTRYPOINT [ "/dropgz.exe" ] + + +# skopeo inspect docker://mcr.microsoft.com/cbl-mariner/base/core:2.0 --format "{{.Name}}@{{.Digest}}" +FROM --platform=linux/${ARCH} mcr.microsoft.com/cbl-mariner/base/core@sha256:a490e0b0869dc570ae29782c2bc17643aaaad1be102aca83ce0b96e0d0d2d328 AS archive-helper +ARG ARTIFACT_DIR . + +COPY ${ARTIFACT_DIR}/root_artifact.tar . +RUN tar xvf root_artifact.tar /artifacts/ + +FROM scratch AS linux +COPY --from=archive-helper /artifacts/bin/dropgz /dropgz +ENTRYPOINT [ "/dropgz" ] diff --git a/.pipelines/build/dockerfiles/base.Dockerfile b/.pipelines/build/dockerfiles/base.Dockerfile new file mode 100644 index 0000000000..428023689d --- /dev/null +++ b/.pipelines/build/dockerfiles/base.Dockerfile 
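Review bot: In the new `archive-helper` stage, `RUN tar xvf root_artifact.tar /artifacts/` passes `/artifacts/` as a member name to extract rather than as a destination. Unless the archive happens to contain a member with that name, nothing lands in `/artifacts` and the later `COPY --from=archive-helper /artifacts/bin/dropgz` has nothing to copy. The likely intent is `RUN mkdir -p /artifacts && tar -xf root_artifact.tar -C /artifacts --no-same-owner`, with the `-C` target checked against the archive's internal layout, which is not visible here. The same line is added in cni.Dockerfile, cns.Dockerfile and npm.Dockerfile. `ARG ARTIFACT_DIR .` also looks like a typo for `ARG ARTIFACT_DIR=.`, since as written `.` appears to be read as a second argument name and no default is set.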
@@ -0,0 +1,38 @@ +ARG ARCH + +# mcr.microsoft.com/oss/go/microsoft/golang:1.23-cbl-mariner2.0 +FROM --platform=linux/${ARCH} mcr.microsoft.com/oss/go/microsoft/golang@sha256:b06999cae63b9b6f43bcb16bd16bcbedae847684515317e15607a601ed108030 AS go + +# skopeo inspect docker://mcr.microsoft.com/oss/go/microsoft/golang:1.23.2 --format "{{.Name}}@{{.Digest}}" +FROM --platform=linux/${ARCH} mcr.microsoft.com/oss/go/microsoft/golang@sha256:86c5b00bbed2a6e7157052d78bf4b45c0bf26545ed6e8fd7dbad51ac9415f534 AS builder-ipv6-hp-bpf +ARG VERSION +ARG DEBUG +ARG OS +ARG ARCH + +RUN apt-get update && apt-get install -y llvm clang linux-libc-dev linux-headers-generic libbpf-dev libc6-dev nftables iproute2 +RUN mkdir -p /tmp/lib +RUN if [ "$ARCH" = "arm64" ]; then \ + apt-get install -y gcc-aarch64-linux-gnu && \ + ARCH=aarch64-linux-gnu && \ + cp /lib/"$ARCH"/ld-linux-aarch64.so.1 /tmp/lib/ && \ + for dir in /usr/include/"$ARCH"/*; do ln -s "$dir" /usr/include/$(basename "$dir"); done; \ + elif [ "$ARCH" = "amd64" ]; then \ + apt-get install -y gcc-multilib && \ + ARCH=x86_64-linux-gnu && \ + cp /lib/"$ARCH"/ld-linux-x86-64.so.2 /tmp/lib/ && \ + for dir in /usr/include/"$ARCH"/*; do ln -s "$dir" /usr/include/$(basename "$dir"); done; \ + fi && \ + ln -sfn /usr/include/"$ARCH"/asm /usr/include/asm && \ + cp /lib/"$ARCH"/libnftables.so.1 /tmp/lib/ && \ + cp /lib/"$ARCH"/libedit.so.2 /tmp/lib/ && \ + cp /lib/"$ARCH"/libc.so.6 /tmp/lib/ && \ + cp /lib/"$ARCH"/libmnl.so.0 /tmp/lib/ && \ + cp /lib/"$ARCH"/libnftnl.so.11 /tmp/lib/ && \ + cp /lib/"$ARCH"/libxtables.so.12 /tmp/lib/ && \ + cp /lib/"$ARCH"/libjansson.so.4 /tmp/lib/ && \ + cp /lib/"$ARCH"/libgmp.so.10 /tmp/lib/ && \ + cp /lib/"$ARCH"/libtinfo.so.6 /tmp/lib/ && \ + cp /lib/"$ARCH"/libbsd.so.0 /tmp/lib/ && \ + cp /lib/"$ARCH"/libmd.so.0 /tmp/lib/ +ENV C_INCLUDE_PATH=/usr/include/bpf diff --git a/.pipelines/build/dockerfiles/cni.Dockerfile b/.pipelines/build/dockerfiles/cni.Dockerfile index aa288d093b..6ecd9229c2 100644 
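Review bot: The `builder-ipv6-hp-bpf` stage pins its base image by digest but then installs the compiler toolchain with an unpinned `apt-get install -y llvm clang ...`, so the toolchain can differ between two builds of the same commit. That weakens traceability for binaries that are presumably signed later. Consider pinning package versions the way npm.Dockerfile does for `libc6`, or at least adding `--no-install-recommends` and a comment such as `# toolchain versions float with the base image's apt index; see DIGEST above`. The `go` stage at the top has no consumer in this file, and stage names are local to one Dockerfile, so `FROM go` in dropgz.Dockerfile cannot resolve to it unless the files are concatenated by a step not shown here.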
--- a/.pipelines/build/dockerfiles/cni.Dockerfile +++ b/.pipelines/build/dockerfiles/cni.Dockerfile @@ -1,14 +1,21 @@ ARG ARCH -ARG ARTIFACT_DIR - -FROM scratch AS linux -ADD ${ARTIFACT_DIR}/bin/dropgz dropgz -ENTRYPOINT [ "/dropgz" ] -# mcr.microsoft.com/oss/kubernetes/windows-host-process-containers-base-image:v1.0.0 -FROM --platform=windows/${ARCH} mcr.microsoft.com/oss/kubernetes/windows-host-process-containers-base-image@sha256:b4c9637e032f667c52d1eccfa31ad8c63f1b035e8639f3f48a510536bf34032b as hpc +# skopeo inspect docker://mcr.microsoft.com/oss/kubernetes/windows-host-process-containers-base-image:v1.0.0 --format "{{.Name}}@{{.Digest}}" +FROM --platform=windows/${ARCH} mcr.microsoft.com/oss/kubernetes/windows-host-process-containers-base-image@sha256:b4c9637e032f667c52d1eccfa31ad8c63f1b035e8639f3f48a510536bf34032b as windows +ARG ARTIFACT_DIR . -FROM hpc as windows -ADD ${ARTIFACT_DIR}/bin/dropgz.exe dropgz.exe +COPY ${ARTIFACT_DIR}/bin/dropgz.exe /dropgz.exe ENTRYPOINT [ "/dropgz.exe" ] + + +# skopeo inspect docker://mcr.microsoft.com/cbl-mariner/base/core:2.0 --format "{{.Name}}@{{.Digest}}" +FROM --platform=linux/${ARCH} mcr.microsoft.com/cbl-mariner/base/core@sha256:a490e0b0869dc570ae29782c2bc17643aaaad1be102aca83ce0b96e0d0d2d328 AS archive-helper +ARG ARTIFACT_DIR . + +COPY ${ARTIFACT_DIR}/root_artifact.tar . +RUN tar xvf root_artifact.tar /artifacts/ + +FROM scratch AS linux +COPY --from=archive-helper /artifacts/bin/dropgz /dropgz +ENTRYPOINT [ "/dropgz" ] diff --git a/.pipelines/build/dockerfiles/cns.Dockerfile b/.pipelines/build/dockerfiles/cns.Dockerfile index 4f5629c56d..4f05c3664f 100644 --- a/.pipelines/build/dockerfiles/cns.Dockerfile +++ b/.pipelines/build/dockerfiles/cns.Dockerfile 
@@ -1,23 +1,31 @@ ARG ARCH -ARG ARTIFACT_DIR - -# mcr.microsoft.com/cbl-mariner/base/core:2.0 -FROM mcr.microsoft.com/cbl-mariner/base/core@sha256:961bfedbbbdc0da51bc664f51d959da292eced1ad46c3bf674aba43b9be8c703 AS iptables -RUN tdnf install -y iptables - -# mcr.microsoft.com/cbl-mariner/distroless/minimal:2.0 -FROM mcr.microsoft.com/cbl-mariner/distroless/minimal@sha256:7778a86d86947d5f64c1280a7ee0cf36c6c6d76b5749dd782fbcc14f113961bf AS linux -COPY --from=iptables /usr/sbin/*tables* /usr/sbin/ -COPY --from=iptables /usr/lib /usr/lib -COPY ${ARTIFACT_DIR}/bin/azure-cns /usr/local/bin/azure-cns -ENTRYPOINT [ "/usr/local/bin/azure-cns" ] -EXPOSE 10090 # mcr.microsoft.com/oss/kubernetes/windows-host-process-containers-base-image:v1.0.0 FROM --platform=windows/${ARCH} mcr.microsoft.com/oss/kubernetes/windows-host-process-containers-base-image@sha256:b4c9637e032f667c52d1eccfa31ad8c63f1b035e8639f3f48a510536bf34032b AS windows +ARG ARTIFACT_DIR . + COPY ${ARTIFACT_DIR}/files/kubeconfigtemplate.yaml kubeconfigtemplate.yaml COPY ${ARTIFACT_DIR}/scripts/setkubeconfigpath.ps1 setkubeconfigpath.ps1 COPY ${ARTIFACT_DIR}/bin/azure-cns.exe /azure-cns.exe ENTRYPOINT ["azure-cns.exe"] EXPOSE 10090 + + +# mcr.microsoft.com/cbl-mariner/base/core:2.0 +# skopeo inspect docker://mcr.microsoft.com/cbl-mariner/base/core:2.0 --format "{{.Name}}@{{.Digest}}" +FROM --platform=linux/${ARCH} mcr.microsoft.com/cbl-mariner/base/core@sha256:961bfedbbbdc0da51bc664f51d959da292eced1ad46c3bf674aba43b9be8c703 AS build-helper +ARG ARTIFACT_DIR . + +COPY ${ARTIFACT_DIR}/root_artifact.tar . 
+RUN tar xvf root_artifact.tar /artifacts/ +RUN tdnf install -y iptables + +# mcr.microsoft.com/cbl-mariner/distroless/minimal:2.0 +FROM --platform=linux/${ARCH} mcr.microsoft.com/cbl-mariner/distroless/minimal@sha256:7778a86d86947d5f64c1280a7ee0cf36c6c6d76b5749dd782fbcc14f113961bf AS linux + +COPY --from=build-helper /usr/sbin/*tables* /usr/sbin/ +COPY --from=build-helper /usr/lib /usr/lib +COPY --from=build-helper /artifacts/bin/azure-cns /usr/local/bin/azure-cns +ENTRYPOINT [ "/usr/local/bin/azure-cns" ] +EXPOSE 10090 diff --git a/.pipelines/build/dockerfiles/dropgz.Dockerfile b/.pipelines/build/dockerfiles/dropgz.Dockerfile new file mode 100644 index 0000000000..9095a49d88 --- /dev/null +++ b/.pipelines/build/dockerfiles/dropgz.Dockerfile @@ -0,0 +1,25 @@ +ARG ARTIFACT_DIR + +FROM go AS dropgz +ARG DROPGZ_VERSION +ARG OS +ARG VERSION +ARG ARTIFACT_DIR + +RUN go mod download github.com/azure/azure-container-networking/dropgz@$DROPGZ_VERSION +WORKDIR /go/pkg/mod/github.com/azure/azure-container-networking/dropgz\@$DROPGZ_VERSION +ADD ${ARTIFACT_DIR}/ pkg/embed/fs/ +RUN GOOS=$OS CGO_ENABLED=0 go build -a -o /go/bin/dropgz -trimpath -ldflags "-X github.com/Azure/azure-container-networking/dropgz/internal/buildinfo.Version="$VERSION"" -gcflags="-dwarflocationlists=true" main.go + + +FROM scratch AS linux +COPY ${ARTIFACT_DIR}/bin/dropgz /dropgz +RUN chmod +x /dropgz +ENTRYPOINT [ "/dropgz" ] + + +# skopeo inspect docker://mcr.microsoft.com/oss/kubernetes/windows-host-process-containers-base-image:v1.0.0 --format "{{.Name}}@{{.Digest}}" +FROM mcr.microsoft.com/oss/kubernetes/windows-host-process-containers-base-image@sha256:b4c9637e032f667c52d1eccfa31ad8c63f1b035e8639f3f48a510536bf34032b as windows +COPY ${ARTIFACT_DIR}/bin/dropgz.exe /dropgz.exe +RUN chmod +x /dropgz.exe +ENTRYPOINT [ "/dropgz.exe" ] diff --git a/.pipelines/build/dockerfiles/ipv6-hp-bpf.Dockerfile b/.pipelines/build/dockerfiles/ipv6-hp-bpf.Dockerfile index 693b95c07c..e5a14677ff 100644 
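Review bot: The `build-helper` stage in cns.Dockerfile pins `cbl-mariner/base/core` to `sha256:961bfedb...`, while azure-ipam.Dockerfile and cni.Dockerfile in this same commit pin what their comments call the same `base/core:2.0` tag to `sha256:a490e0b0...`. At least one of the two is therefore a stale resolution of the tag, and the images end up built on different patch levels of the base. Align the digests and record when each was resolved, for example `# resolved YYYY-MM-DD: skopeo inspect docker://mcr.microsoft.com/cbl-mariner/base/core:2.0` (date is a placeholder). The stage now carries two `core:2.0` comment lines, one of which can go.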
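Review bot: Both final stages of dropgz.Dockerfile use `RUN chmod +x` where no shell can be assumed: `FROM scratch AS linux` has no `/bin/sh`, and the Windows host-process base is unlikely to provide `chmod`, so these two lines should fail the build. With BuildKit the mode can be set at copy time instead, `COPY --chmod=0755 ${ARTIFACT_DIR}/bin/dropgz /dropgz`. `ARTIFACT_DIR` is declared before the first `FROM` and re-declared only inside the `dropgz` stage, so it expands to an empty string in the `linux` and `windows` stages; each needs its own `ARG ARTIFACT_DIR`. The `go mod download` line spells the module `github.com/azure/...` while `-ldflags` uses `github.com/Azure/...`; module paths are case-sensitive, so one of them is probably wrong.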
--- a/.pipelines/build/dockerfiles/ipv6-hp-bpf.Dockerfile +++ b/.pipelines/build/dockerfiles/ipv6-hp-bpf.Dockerfile @@ -1,8 +1,16 @@ ARG ARTIFACT_DIR -FROM mcr.microsoft.com/cbl-mariner/distroless/minimal:2.0 AS linux -COPY ${ARTIFACT_DIR}/lib/* /lib -COPY ${ARTIFACT_DIR}/bin/ipv6-hp-bpf /ipv6-hp-bpf -COPY ${ARTIFACT_DIR}/bin/nft /usr/sbin/nft -COPY ${ARTIFACT_DIR}/bin/ip /sbin/ip -CMD ["/ipv6-hp-bpf"] +# skopeo inspect docker://mcr.microsoft.com/cbl-mariner/base/core:2.0 --format "{{.Name}}@{{.Digest}}" +FROM --platform=linux/${ARCH} mcr.microsoft.com/cbl-mariner/base/core@sha256:a490e0b0869dc570ae29782c2bc17643aaaad1be102aca83ce0b96e0d0d2d328 AS linux +ARG ARTIFACT_DIR . + +ADD . . +#COPY ${ARTIFACT_DIR}/root_artifact.tar . +#RUN tar xvf root_artifact.tar /artifacts/ + +#FROM --platform=linux/${ARCH} mcr.microsoft.com/cbl-mariner/distroless/minimal:2.0 AS linux +#COPY --from=archive-helper /artifacts/lib/* /lib +#COPY --from=archive-helper /artifacts/bin/ipv6-hp-bpf /ipv6-hp-bpf +#COPY --from=archive-helper /artifacts/bin/nft /usr/sbin/nft +#COPY --from=archive-helper /artifacts/bin/ip /sbin/ip +#CMD ["/ipv6-hp-bpf"] diff --git a/.pipelines/build/dockerfiles/npm.Dockerfile b/.pipelines/build/dockerfiles/npm.Dockerfile index ac24ce09c1..9cd794830b 100644 --- a/.pipelines/build/dockerfiles/npm.Dockerfile +++ b/.pipelines/build/dockerfiles/npm.Dockerfile 
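Review bot: The `linux` target now ends at `ADD . .` on a full `base/core` image, with the distroless stage and `CMD` commented out. The resulting image carries whatever is in the build context and has no entrypoint. If this is a debugging state it should not merge; restore the staged copy so that only `/lib`, `ipv6-hp-bpf`, `nft` and `ip` reach the final image. `FROM --platform=linux/${ARCH}` also uses `ARCH` without a global `ARG ARCH` in this file (only `ARG ARTIFACT_DIR` precedes the first `FROM`), so the platform would evaluate to `linux/`. The commented-out distroless `FROM` still references the mutable `:2.0` tag and should be pinned by digest when it is re-enabled.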
@@ -1,14 +1,24 @@ ARG ARTIFACT_DIR +FROM mcr.microsoft.com/mirror/docker/library/ubuntu:20.04 as archive-helper +ARG ARTIFACT_DIR . + +COPY ${ARTIFACT_DIR}/root_artifact.tar . +RUN tar xvf root_artifact.tar /artifacts/ + FROM mcr.microsoft.com/mirror/docker/library/ubuntu:20.04 as linux RUN apt-get update && \ - apt-get install -y libc-bin=2.31-0ubuntu9.17 libc6=2.31-0ubuntu9.17 libtasn1-6=4.16.0-2ubuntu0.1 libgnutls30=3.6.13-2ubuntu1.12 iptables ipset ca-certificates && \ - apt-get autoremove -y && \ - apt-get clean + apt-get install -y \ + libc-bin=2.31-0ubuntu9.17 \ + libc6=2.31-0ubuntu9.17 \ + libtasn1-6=4.16.0-2ubuntu0.1 \ + libgnutls30=3.6.13-2ubuntu1.12 \ + iptables ipset ca-certificates && \ + apt-get autoremove -y && \ + apt-get clean -COPY ${ARTIFACT_DIR}/bin/azure-npm /usr/bin/azure-npm -RUN chmod +x /usr/bin/azure-npm +COPY --from=archive-helper /artifacts/bin/azure-npm /usr/bin/azure-npm ENTRYPOINT ["/usr/bin/azure-npm", "start"] diff --git a/.pipelines/build/image.steps.yaml b/.pipelines/build/image.steps.yaml index 8f52800d53..3af90c0538 100644 --- a/.pipelines/build/image.steps.yaml +++ b/.pipelines/build/image.steps.yaml @@ -46,8 +46,8 @@ parameters: steps: - task: DownloadPipelineArtifact@2 inputs: - targetPath: artifacts - artifact: '${{ parameters.source }}' + targetPath: $(Build.SourcesDirectory)/dst/artifacts + artifact: ${{ parameters.source }} - task: onebranch.pipeline.containercontrol@1 displayName: "Login to ACR" @@ -67,6 +67,7 @@ steps: os: '${{ parameters.os }}' buildkit: 1 dockerFileRelPath: artifacts/Dockerfile + dockerFileContextPath: artifacts/ enable_network: true enable_pull: true build_tag: ${{ parameters.build_tag }} From 5b21b79eb987161cf4884762521161803452fdbf Mon Sep 17 00:00:00 2001 
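Review bot: In the new `archive-helper` stage of npm.Dockerfile, `RUN tar xvf root_artifact.tar /artifacts/` passes `/artifacts/` as a member name to select from the archive, not as the destination directory. The later `COPY --from=archive-helper /artifacts/bin/azure-npm` shows the files are expected under `/artifacts`, so the line should read `RUN mkdir -p /artifacts && tar xf root_artifact.tar -C /artifacts`. The same `tar` line appears in the cns.Dockerfile and azure-ipam.Dockerfile stages touched by this series. Whether the archive's members already carry an `artifacts/` prefix is not visible here; confirm the layout before choosing the `-C` target.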
From: Sheyla Trudo Date: Thu, 22 May 2025 11:19:21 -0700 Subject: [PATCH 114/154] fixup! fixup! Use Signed Binaries for Docker Build --- .pipelines/build/dockerfiles/azure-ipam.Dockerfile | 12 ++++++------ .pipelines/build/image.steps.yaml | 1 - 2 files changed, 6 insertions(+), 7 deletions(-) diff --git a/.pipelines/build/dockerfiles/azure-ipam.Dockerfile b/.pipelines/build/dockerfiles/azure-ipam.Dockerfile index 6ecd9229c2..78d619b94f 100644 --- a/.pipelines/build/dockerfiles/azure-ipam.Dockerfile +++ b/.pipelines/build/dockerfiles/azure-ipam.Dockerfile @@ -9,13 +9,13 @@ COPY ${ARTIFACT_DIR}/bin/dropgz.exe /dropgz.exe ENTRYPOINT [ "/dropgz.exe" ] -# skopeo inspect docker://mcr.microsoft.com/cbl-mariner/base/core:2.0 --format "{{.Name}}@{{.Digest}}" -FROM --platform=linux/${ARCH} mcr.microsoft.com/cbl-mariner/base/core@sha256:a490e0b0869dc570ae29782c2bc17643aaaad1be102aca83ce0b96e0d0d2d328 AS archive-helper +FROM scratch AS linux ARG ARTIFACT_DIR . -COPY ${ARTIFACT_DIR}/root_artifact.tar . -RUN tar xvf root_artifact.tar /artifacts/ +RUN ls -la / +RUN ls -la /artifacts +RUN ls -la /__w/1/a +RUN ls -la /${ARTIFACT_DIR} -FROM scratch AS linux -COPY --from=archive-helper /artifacts/bin/dropgz /dropgz +COPY ${ARTIFACT_DIR}/bin/dropgz /dropgz ENTRYPOINT [ "/dropgz" ] diff --git a/.pipelines/build/image.steps.yaml b/.pipelines/build/image.steps.yaml index 3af90c0538..cd31eb8f8b 100644 --- a/.pipelines/build/image.steps.yaml +++ b/.pipelines/build/image.steps.yaml @@ -67,7 +67,6 @@ steps: os: '${{ parameters.os }}' buildkit: 1 dockerFileRelPath: artifacts/Dockerfile - dockerFileContextPath: artifacts/ enable_network: true enable_pull: true build_tag: ${{ parameters.build_tag }} From a7a4f314d1044dbfc9eaf60265cb70b960e9914d Mon Sep 17 00:00:00 2001 
From: Sheyla Trudo Date: Thu, 22 May 2025 12:32:38 -0700 Subject: [PATCH 115/154] fixup! fixup! Use Signed Binaries for Docker Build --- .pipelines/build/dockerfiles/cns.Dockerfile | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/.pipelines/build/dockerfiles/cns.Dockerfile b/.pipelines/build/dockerfiles/cns.Dockerfile index 4f05c3664f..b8979a20ae 100644 --- a/.pipelines/build/dockerfiles/cns.Dockerfile +++ b/.pipelines/build/dockerfiles/cns.Dockerfile @@ -15,17 +15,19 @@ EXPOSE 10090 # mcr.microsoft.com/cbl-mariner/base/core:2.0 # skopeo inspect docker://mcr.microsoft.com/cbl-mariner/base/core:2.0 --format "{{.Name}}@{{.Digest}}" FROM --platform=linux/${ARCH} mcr.microsoft.com/cbl-mariner/base/core@sha256:961bfedbbbdc0da51bc664f51d959da292eced1ad46c3bf674aba43b9be8c703 AS build-helper -ARG ARTIFACT_DIR . - -COPY ${ARTIFACT_DIR}/root_artifact.tar . -RUN tar xvf root_artifact.tar /artifacts/ RUN tdnf install -y iptables # mcr.microsoft.com/cbl-mariner/distroless/minimal:2.0 FROM --platform=linux/${ARCH} mcr.microsoft.com/cbl-mariner/distroless/minimal@sha256:7778a86d86947d5f64c1280a7ee0cf36c6c6d76b5749dd782fbcc14f113961bf AS linux +ARG ARTIFACT_DIR . +RUN ls -la / +RUN ls -la /artifacts +RUN ls -la /__w/1/a +RUN ls -la /${ARTIFACT_DIR} COPY --from=build-helper /usr/sbin/*tables* /usr/sbin/ COPY --from=build-helper /usr/lib /usr/lib -COPY --from=build-helper /artifacts/bin/azure-cns /usr/local/bin/azure-cns +ADD ${ARTIFACT_DIR}/bin/azure-cns /usr/local/bin/azure-cns +COPY ${ARTIFACT_DIR}/bin/azure-cns /usr/local/bin/azure-cns ENTRYPOINT [ "/usr/local/bin/azure-cns" ] EXPOSE 10090 From 1ec9eea301f2d628375dcae7524e1fff5322fd46 Mon Sep 17 00:00:00 2001 From: Sheyla Trudo Date: Thu, 22 May 2025 13:03:36 -0700 Subject: [PATCH 116/154] fixup! fixup! Use Signed Binaries for Docker Build --- .pipelines/build/image.steps.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
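Review bot: The `linux` stage of cns.Dockerfile now writes `/usr/local/bin/azure-cns` twice, once with `ADD ${ARTIFACT_DIR}/bin/azure-cns …` and again with `COPY` of the same source. Keep only the `COPY` line: `ADD` brings archive auto-extraction and URL fetching that a signed single binary does not need, and the duplicate adds an extra layer. A short comment such as `# signed binary from the pipeline artifact; do not rebuild in-image` above the `COPY` would record why the binary no longer comes from a build stage. The duplicate is still present as context in PATCH 118.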
diff --git a/.pipelines/build/image.steps.yaml b/.pipelines/build/image.steps.yaml index cd31eb8f8b..28ec223990 100644 --- a/.pipelines/build/image.steps.yaml +++ b/.pipelines/build/image.steps.yaml @@ -71,8 +71,8 @@ steps: enable_pull: true build_tag: ${{ parameters.build_tag }} enable_acr_push: true - saveImageToPath: images/$(os)-$(arch)/${{ parameters.archive_file }}.tar.gz + enabled_cache: false #compress: true #saveMetadataToPath: images/$(os)-$(arch)/metadata/${{ parameters.archive_file }}-metadata.json #enable_isolated_acr_push: true From f6d05b5045bad5e45954fbcb990a09be7489fa65 Mon Sep 17 00:00:00 2001 From: Sheyla Trudo Date: Thu, 22 May 2025 13:05:02 -0700 Subject: [PATCH 117/154] fixup! fixup! Use Signed Binaries for Docker Build --- .pipelines/build/dockerfiles/cns.Dockerfile | 2 +- .pipelines/build/images.jobs.yaml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.pipelines/build/dockerfiles/cns.Dockerfile b/.pipelines/build/dockerfiles/cns.Dockerfile index b8979a20ae..56f152d5d9 100644 --- a/.pipelines/build/dockerfiles/cns.Dockerfile +++ b/.pipelines/build/dockerfiles/cns.Dockerfile @@ -24,7 +24,7 @@ ARG ARTIFACT_DIR . RUN ls -la / RUN ls -la /artifacts RUN ls -la /__w/1/a -RUN ls -la /${ARTIFACT_DIR} +RUN ls -la ${ARTIFACT_DIR} COPY --from=build-helper /usr/sbin/*tables* /usr/sbin/ COPY --from=build-helper /usr/lib /usr/lib ADD ${ARTIFACT_DIR}/bin/azure-cns /usr/local/bin/azure-cns diff --git a/.pipelines/build/images.jobs.yaml b/.pipelines/build/images.jobs.yaml index 651faea1ae..f68701a404 100644 --- a/.pipelines/build/images.jobs.yaml +++ b/.pipelines/build/images.jobs.yaml @@ -144,6 +144,6 @@ jobs: os: $(OS) name: $(name) build_tag: $(imageTag) - extra_args: $(extraArgs) --build-arg ARTIFACT_DIR="$(Build.ArtifactStagingDirectory)" + extra_args: $(extraArgs) --build-arg ARTIFACT_DIR="/__w/1/a" archive_file: $(archiveName)-$(OS)-$(ARCH)-$(archiveVersion) source: drop_build_pkg_${{ job_data.job }}_$(name) 
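Review bot: The added input in image.steps.yaml is spelled `enabled_cache`, while the other inputs of the same task use the `enable_` prefix (`enable_network`, `enable_pull`, `enable_acr_push`). If the task does not recognise the key it is probably ignored without error, and layer caching would stay at its default. Check the spelling against the task's documented inputs. A comment stating the intent would also help, for example `# no layer cache: always re-copy the freshly signed artifacts` (intent inferred from the series title).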
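Review bot: In images.jobs.yaml, `--build-arg ARTIFACT_DIR="/__w/1/a"` replaces `$(Build.ArtifactStagingDirectory)` with a literal agent workspace path. That path presumably matches the staging directory on the current container agents, but the build will silently look in the wrong place if the agent layout or job index changes. `COPY` sources are also resolved relative to the build context, so an absolute host path only works by accident of where the context root sits. Prefer a context-relative value or keep the pipeline variable, and document which directory the Dockerfiles expect.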
From b37637711e6c0ba952f902e407889b1fc9db435a Mon Sep 17 00:00:00 2001 From: Sheyla Trudo Date: Thu, 22 May 2025 15:58:08 -0700 Subject: [PATCH 118/154] fixup! fixup! Use Signed Binaries for Docker Build --- .pipelines/build/dockerfiles/cns.Dockerfile | 4 ---- .../build/dockerfiles/ipv6-hp-bpf.Dockerfile | 21 ++++++------------- .pipelines/build/dockerfiles/npm.Dockerfile | 5 +++++ 3 files changed, 11 insertions(+), 19 deletions(-) diff --git a/.pipelines/build/dockerfiles/cns.Dockerfile b/.pipelines/build/dockerfiles/cns.Dockerfile index 56f152d5d9..3e27843467 100644 --- a/.pipelines/build/dockerfiles/cns.Dockerfile +++ b/.pipelines/build/dockerfiles/cns.Dockerfile @@ -21,10 +21,6 @@ RUN tdnf install -y iptables FROM --platform=linux/${ARCH} mcr.microsoft.com/cbl-mariner/distroless/minimal@sha256:7778a86d86947d5f64c1280a7ee0cf36c6c6d76b5749dd782fbcc14f113961bf AS linux ARG ARTIFACT_DIR . -RUN ls -la / -RUN ls -la /artifacts -RUN ls -la /__w/1/a -RUN ls -la ${ARTIFACT_DIR} COPY --from=build-helper /usr/sbin/*tables* /usr/sbin/ COPY --from=build-helper /usr/lib /usr/lib ADD ${ARTIFACT_DIR}/bin/azure-cns /usr/local/bin/azure-cns diff --git a/.pipelines/build/dockerfiles/ipv6-hp-bpf.Dockerfile b/.pipelines/build/dockerfiles/ipv6-hp-bpf.Dockerfile index e5a14677ff..1b003d7acd 100644 --- a/.pipelines/build/dockerfiles/ipv6-hp-bpf.Dockerfile +++ b/.pipelines/build/dockerfiles/ipv6-hp-bpf.Dockerfile 
@@ -1,16 +1,7 @@ -ARG ARTIFACT_DIR -# skopeo inspect docker://mcr.microsoft.com/cbl-mariner/base/core:2.0 --format "{{.Name}}@{{.Digest}}" -FROM --platform=linux/${ARCH} mcr.microsoft.com/cbl-mariner/base/core@sha256:a490e0b0869dc570ae29782c2bc17643aaaad1be102aca83ce0b96e0d0d2d328 AS linux -ARG ARTIFACT_DIR . - -ADD . . -#COPY ${ARTIFACT_DIR}/root_artifact.tar . -#RUN tar xvf root_artifact.tar /artifacts/ - -#FROM --platform=linux/${ARCH} mcr.microsoft.com/cbl-mariner/distroless/minimal:2.0 AS linux -#COPY --from=archive-helper /artifacts/lib/* /lib -#COPY --from=archive-helper /artifacts/bin/ipv6-hp-bpf /ipv6-hp-bpf -#COPY --from=archive-helper /artifacts/bin/nft /usr/sbin/nft -#COPY --from=archive-helper /artifacts/bin/ip /sbin/ip -#CMD ["/ipv6-hp-bpf"] +FROM --platform=linux/${ARCH} mcr.microsoft.com/cbl-mariner/distroless/minimal:2.0 AS linux +COPY /artifacts/lib/* /lib +COPY /artifacts/bin/ipv6-hp-bpf /ipv6-hp-bpf +COPY /artifacts/bin/nft /usr/sbin/nft +COPY /artifacts/bin/ip /sbin/ip +CMD ["/ipv6-hp-bpf"] diff --git a/.pipelines/build/dockerfiles/npm.Dockerfile b/.pipelines/build/dockerfiles/npm.Dockerfile index 9cd794830b..da65c31687 100644 --- a/.pipelines/build/dockerfiles/npm.Dockerfile +++ b/.pipelines/build/dockerfiles/npm.Dockerfile @@ -3,6 +3,11 @@ ARG ARTIFACT_DIR FROM mcr.microsoft.com/mirror/docker/library/ubuntu:20.04 as archive-helper ARG ARTIFACT_DIR . +RUN ls -la +ADD . . +RUN ls -la +RUN ls -la / +RUN ls -la / COPY ${ARTIFACT_DIR}/root_artifact.tar . RUN tar xvf root_artifact.tar /artifacts/ From d653e4d335f2f25feb9287a466a8360a9e541d12 Mon Sep 17 00:00:00 2001 
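Review bot: The restored `FROM … cbl-mariner/distroless/minimal:2.0 AS linux` line in ipv6-hp-bpf.Dockerfile pulls the base image by mutable tag. cns.Dockerfile in this same series pins the same repository with `@sha256:` and a `# skopeo inspect …` comment showing how the digest was obtained. For an image that exists to carry signed binaries, the base should be equally fixed: `FROM --platform=linux/${ARCH} mcr.microsoft.com/cbl-mariner/distroless/minimal@sha256:<digest> AS linux`, with the skopeo comment above it. The same applies to the PATCH 135 hunks that switch this file to `azurelinux/distroless/minimal:3.0` and npm.Dockerfile to `ubuntu:22.04`.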
From: Sheyla Trudo Date: Thu, 22 May 2025 17:01:16 -0700 Subject: [PATCH 119/154] fixup! fixup! Use Signed Binaries for Docker Build --- .../build/dockerfiles/azure-ipam.Dockerfile | 5 ----- .pipelines/build/dockerfiles/cni.Dockerfile | 9 ++------- .../build/dockerfiles/ipv6-hp-bpf.Dockerfile | 9 +++++---- .pipelines/build/dockerfiles/npm.Dockerfile | 16 +++------------- 4 files changed, 10 insertions(+), 29 deletions(-) diff --git a/.pipelines/build/dockerfiles/azure-ipam.Dockerfile b/.pipelines/build/dockerfiles/azure-ipam.Dockerfile index 78d619b94f..dd4d32a4f2 100644 --- a/.pipelines/build/dockerfiles/azure-ipam.Dockerfile +++ b/.pipelines/build/dockerfiles/azure-ipam.Dockerfile @@ -12,10 +12,5 @@ ENTRYPOINT [ "/dropgz.exe" ] FROM scratch AS linux ARG ARTIFACT_DIR . -RUN ls -la / -RUN ls -la /artifacts -RUN ls -la /__w/1/a -RUN ls -la /${ARTIFACT_DIR} - COPY ${ARTIFACT_DIR}/bin/dropgz /dropgz ENTRYPOINT [ "/dropgz" ] diff --git a/.pipelines/build/dockerfiles/cni.Dockerfile b/.pipelines/build/dockerfiles/cni.Dockerfile index 6ecd9229c2..dd4d32a4f2 100644 --- a/.pipelines/build/dockerfiles/cni.Dockerfile +++ b/.pipelines/build/dockerfiles/cni.Dockerfile @@ -9,13 +9,8 @@ COPY ${ARTIFACT_DIR}/bin/dropgz.exe /dropgz.exe ENTRYPOINT [ "/dropgz.exe" ] -# skopeo inspect docker://mcr.microsoft.com/cbl-mariner/base/core:2.0 --format "{{.Name}}@{{.Digest}}" -FROM --platform=linux/${ARCH} mcr.microsoft.com/cbl-mariner/base/core@sha256:a490e0b0869dc570ae29782c2bc17643aaaad1be102aca83ce0b96e0d0d2d328 AS archive-helper +FROM scratch AS linux ARG ARTIFACT_DIR . -COPY ${ARTIFACT_DIR}/root_artifact.tar . -RUN tar xvf root_artifact.tar /artifacts/ - -FROM scratch AS linux -COPY --from=archive-helper /artifacts/bin/dropgz /dropgz +COPY ${ARTIFACT_DIR}/bin/dropgz /dropgz ENTRYPOINT [ "/dropgz" ] diff --git a/.pipelines/build/dockerfiles/ipv6-hp-bpf.Dockerfile b/.pipelines/build/dockerfiles/ipv6-hp-bpf.Dockerfile index 1b003d7acd..51c13a6605 100644 
--- a/.pipelines/build/dockerfiles/ipv6-hp-bpf.Dockerfile +++ b/.pipelines/build/dockerfiles/ipv6-hp-bpf.Dockerfile @@ -1,7 +1,8 @@ FROM --platform=linux/${ARCH} mcr.microsoft.com/cbl-mariner/distroless/minimal:2.0 AS linux -COPY /artifacts/lib/* /lib -COPY /artifacts/bin/ipv6-hp-bpf /ipv6-hp-bpf -COPY /artifacts/bin/nft /usr/sbin/nft -COPY /artifacts/bin/ip /sbin/ip +ARG ARTIFACT_DIR +COPY ${ARTIFACT_DIR}/lib/* /lib +COPY ${ARTIFACT_DIR}/bin/ipv6-hp-bpf /ipv6-hp-bpf +COPY ${ARTIFACT_DIR}/bin/nft /usr/sbin/nft +COPY ${ARTIFACT_DIR}/bin/ip /sbin/ip CMD ["/ipv6-hp-bpf"] diff --git a/.pipelines/build/dockerfiles/npm.Dockerfile b/.pipelines/build/dockerfiles/npm.Dockerfile index da65c31687..9ebf975bb7 100644 --- a/.pipelines/build/dockerfiles/npm.Dockerfile +++ b/.pipelines/build/dockerfiles/npm.Dockerfile @@ -1,17 +1,6 @@ -ARG ARTIFACT_DIR - -FROM mcr.microsoft.com/mirror/docker/library/ubuntu:20.04 as archive-helper -ARG ARTIFACT_DIR . - -RUN ls -la -ADD . . -RUN ls -la -RUN ls -la / -RUN ls -la / -COPY ${ARTIFACT_DIR}/root_artifact.tar . -RUN tar xvf root_artifact.tar /artifacts/ FROM mcr.microsoft.com/mirror/docker/library/ubuntu:20.04 as linux +ARG ARTIFACT_DIR RUN apt-get update && \ apt-get install -y \ @@ -23,12 +12,13 @@ RUN apt-get update && \ apt-get autoremove -y && \ apt-get clean -COPY --from=archive-helper /artifacts/bin/azure-npm /usr/bin/azure-npm +COPY ${ARTIFACT_DIR}/bin/azure-npm /usr/bin/azure-npm ENTRYPOINT ["/usr/bin/azure-npm", "start"] # intermediate for win-ltsc2022 FROM mcr.microsoft.com/windows/servercore@sha256:45952938708fbde6ec0b5b94de68bcdec3f8c838be018536b1e9e5bd95e6b943 as windows +ARG ARTIFACT_DIR COPY ${ARTIFACT_DIR}/files/kubeconfigtemplate.yaml kubeconfigtemplate.yaml COPY ${ARTIFACT_DIR}/scripts/setkubeconfigpath.ps1 setkubeconfigpath.ps1 From cc6f18e21c75dad485094a04f0f6d6a8057ae3d4 Mon Sep 17 00:00:00 2001 
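Review bot: Nothing sets the executable bit on `/usr/bin/azure-npm` any more. The second npm.Dockerfile hunk goes back to copying the binary straight from `${ARTIFACT_DIR}`, but the `RUN chmod +x /usr/bin/azure-npm` that used to follow that `COPY` was removed earlier in the series. The comment in images.jobs.yaml about artifacts being stored on a Windows machine suggests mode bits may not survive the artifact round-trip (inferred from the truncated comment). Setting the mode at copy time avoids depending on that: `COPY --chmod=0755 ${ARTIFACT_DIR}/bin/azure-npm /usr/bin/azure-npm`. The same form suits `/dropgz` in the scratch-based azure-ipam and cni Dockerfiles, where a `RUN chmod` is not possible.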
From: Sheyla Trudo Date: Thu, 22 May 2025 17:50:21 -0700 Subject: [PATCH 120/154] fixup! fixup! Use Signed Binaries for Docker Build --- .pipelines/build/dockerfiles/ipv6-hp-bpf.Dockerfile | 1 + 1 file changed, 1 insertion(+) diff --git a/.pipelines/build/dockerfiles/ipv6-hp-bpf.Dockerfile b/.pipelines/build/dockerfiles/ipv6-hp-bpf.Dockerfile index 51c13a6605..accd207afc 100644 --- a/.pipelines/build/dockerfiles/ipv6-hp-bpf.Dockerfile +++ b/.pipelines/build/dockerfiles/ipv6-hp-bpf.Dockerfile @@ -1,3 +1,4 @@ +ARG ARCH FROM --platform=linux/${ARCH} mcr.microsoft.com/cbl-mariner/distroless/minimal:2.0 AS linux ARG ARTIFACT_DIR From 0f6219f2a53f94ebbe540ff64e3de4765af4fed4 Mon Sep 17 00:00:00 2001 From: Sheyla Trudo Date: Fri, 23 May 2025 16:42:05 -0700 Subject: [PATCH 121/154] fixup! fixup! Use Signed Binaries for Docker Build --- .pipelines/build/images.jobs.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.pipelines/build/images.jobs.yaml b/.pipelines/build/images.jobs.yaml index f68701a404..a6ded9e826 100644 --- a/.pipelines/build/images.jobs.yaml +++ b/.pipelines/build/images.jobs.yaml @@ -91,7 +91,7 @@ jobs: inputs: command: 'sign' signing_profile: 'external_distribution' - files_to_sign: '**/dropgz' + files_to_sign: '**/dropgz*' search_root: $(OUT_DIR) # OneBranch artifacts are stored on a Windows machine which obliterates From 2d811df3d3c8cfba9359bc292b0d559c46acd2fb Mon Sep 17 00:00:00 2001 From: Sheyla Trudo Date: Fri, 23 May 2025 16:49:43 -0700 Subject: [PATCH 122/154] fixup! fixup! Use Signed Binaries for Docker Build --- .pipelines/build/images.jobs.yaml | 20 ++++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/.pipelines/build/images.jobs.yaml b/.pipelines/build/images.jobs.yaml index a6ded9e826..3ff11fd52d 100644 --- a/.pipelines/build/images.jobs.yaml +++ b/.pipelines/build/images.jobs.yaml 
@@ -67,26 +67,26 @@ jobs: SOURCE: $(REPO_ROOT)/${{ job_data.templateContext.obDockerfile }} DEST: $(OUT_DIR)/Dockerfile - - ${{ if not(eq(job_data.job, 'linux_arm64')) }}: - - task: onebranch.pipeline.signing@1 - inputs: - command: 'sign' - signing_profile: 'external_distribution' - files_to_sign: '**/*' - search_root: $(OUT_DIR) + - task: onebranch.pipeline.signing@1 + inputs: + command: 'sign' + signing_profile: 'external_distribution' + files_to_sign: '**/*' + search_root: $(OUT_DIR) - task: ShellScript@2 displayName: "Package with DropGZ" - condition: and(succeeded(), eq(variables.packageWithDropGZ, 'True')) + condition: and( + succeeded(), + eq(variables.packageWithDropGZ, 'True')) inputs: scriptPath: $(REPO_ROOT)/.pipelines/build/scripts/dropgz.sh - - ${{ if not(eq(job_data.job, 'linux_arm64')) }}: + - ${{ if not(contains(job_data.job, 'linux')) }}: - task: onebranch.pipeline.signing@1 condition: and( succeeded(), - eq(variables.os, 'windows'), eq(variables.packageWithDropGZ, 'True')) inputs: command: 'sign' From 9668101892d6c45f135a49476216cebcc718da55 Mon Sep 17 00:00:00 2001 From: Sheyla Trudo Date: Fri, 23 May 2025 16:50:53 -0700 Subject: [PATCH 123/154] fixup! fixup! Use Signed Binaries for Docker Build --- .pipelines/build/images.jobs.yaml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.pipelines/build/images.jobs.yaml b/.pipelines/build/images.jobs.yaml index 3ff11fd52d..8fa6b834fa 100644 --- a/.pipelines/build/images.jobs.yaml +++ b/.pipelines/build/images.jobs.yaml @@ -77,9 +77,9 @@ jobs: - task: ShellScript@2 displayName: "Package with DropGZ" - condition: and( - succeeded(), - eq(variables.packageWithDropGZ, 'True')) + condition: and( + succeeded(), + eq(variables.packageWithDropGZ, 'True')) inputs: scriptPath: $(REPO_ROOT)/.pipelines/build/scripts/dropgz.sh From 843ff202769eb86af56730ebfee0468d0c668f0c Mon Sep 17 00:00:00 2001 
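Review bot: With `${{ if not(contains(job_data.job, 'linux')) }}`, the signing step after "Package with DropGZ" is compiled out of every Linux job, so on those jobs the only signing pass runs before `dropgz.sh`. If that script produces a new `dropgz` binary that ends up in the image (the Dockerfiles copy `${ARTIFACT_DIR}/bin/dropgz`), the binary ships without having gone through `onebranch.pipeline.signing@1`. Either run the post-packaging signing step for all jobs, or add a comment stating why Linux output is exempt, e.g. `# dropgz re-sign is Windows-only: <reason>`. The step's remaining inputs sit outside this hunk.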
From: Sheyla Trudo Date: Fri, 23 May 2025 16:54:00 -0700 Subject: [PATCH 124/154] fixup! fixup! Use Signed Binaries for Docker Build --- .pipelines/build/dockerfiles/base.Dockerfile | 38 ------------------- .../build/dockerfiles/dropgz.Dockerfile | 25 ------------ 2 files changed, 63 deletions(-) delete mode 100644 .pipelines/build/dockerfiles/base.Dockerfile delete mode 100644 .pipelines/build/dockerfiles/dropgz.Dockerfile diff --git a/.pipelines/build/dockerfiles/base.Dockerfile b/.pipelines/build/dockerfiles/base.Dockerfile deleted file mode 100644 index 428023689d..0000000000 --- a/.pipelines/build/dockerfiles/base.Dockerfile +++ /dev/null 
@@ -1,38 +0,0 @@ -ARG ARCH - -# mcr.microsoft.com/oss/go/microsoft/golang:1.23-cbl-mariner2.0 -FROM --platform=linux/${ARCH} mcr.microsoft.com/oss/go/microsoft/golang@sha256:b06999cae63b9b6f43bcb16bd16bcbedae847684515317e15607a601ed108030 AS go - -# skopeo inspect docker://mcr.microsoft.com/oss/go/microsoft/golang:1.23.2 --format "{{.Name}}@{{.Digest}}" -FROM --platform=linux/${ARCH} mcr.microsoft.com/oss/go/microsoft/golang@sha256:86c5b00bbed2a6e7157052d78bf4b45c0bf26545ed6e8fd7dbad51ac9415f534 AS builder-ipv6-hp-bpf -ARG VERSION -ARG DEBUG -ARG OS -ARG ARCH - -RUN apt-get update && apt-get install -y llvm clang linux-libc-dev linux-headers-generic libbpf-dev libc6-dev nftables iproute2 -RUN mkdir -p /tmp/lib -RUN if [ "$ARCH" = "arm64" ]; then \ - apt-get install -y gcc-aarch64-linux-gnu && \ - ARCH=aarch64-linux-gnu && \ - cp /lib/"$ARCH"/ld-linux-aarch64.so.1 /tmp/lib/ && \ - for dir in /usr/include/"$ARCH"/*; do ln -s "$dir" /usr/include/$(basename "$dir"); done; \ - elif [ "$ARCH" = "amd64" ]; then \ - apt-get install -y gcc-multilib && \ - ARCH=x86_64-linux-gnu && \ - cp /lib/"$ARCH"/ld-linux-x86-64.so.2 /tmp/lib/ && \ - for dir in /usr/include/"$ARCH"/*; do ln -s "$dir" /usr/include/$(basename "$dir"); done; \ - fi && \ - ln -sfn /usr/include/"$ARCH"/asm /usr/include/asm && \ - cp /lib/"$ARCH"/libnftables.so.1 /tmp/lib/ && \ - cp /lib/"$ARCH"/libedit.so.2 /tmp/lib/ && \ - cp /lib/"$ARCH"/libc.so.6 /tmp/lib/ && \ - cp /lib/"$ARCH"/libmnl.so.0 /tmp/lib/ && \ - cp /lib/"$ARCH"/libnftnl.so.11 /tmp/lib/ && \ - cp /lib/"$ARCH"/libxtables.so.12 /tmp/lib/ && \ - cp /lib/"$ARCH"/libjansson.so.4 /tmp/lib/ && \ - cp /lib/"$ARCH"/libgmp.so.10 /tmp/lib/ && \ - cp /lib/"$ARCH"/libtinfo.so.6 /tmp/lib/ && \ - cp /lib/"$ARCH"/libbsd.so.0 /tmp/lib/ && \ - cp /lib/"$ARCH"/libmd.so.0 /tmp/lib/ -ENV C_INCLUDE_PATH=/usr/include/bpf 
diff --git a/.pipelines/build/dockerfiles/dropgz.Dockerfile b/.pipelines/build/dockerfiles/dropgz.Dockerfile deleted file mode 100644 index 9095a49d88..0000000000 --- a/.pipelines/build/dockerfiles/dropgz.Dockerfile +++ /dev/null @@ -1,25 +0,0 @@ -ARG ARTIFACT_DIR - -FROM go AS dropgz -ARG DROPGZ_VERSION -ARG OS -ARG VERSION -ARG ARTIFACT_DIR - -RUN go mod download github.com/azure/azure-container-networking/dropgz@$DROPGZ_VERSION -WORKDIR /go/pkg/mod/github.com/azure/azure-container-networking/dropgz\@$DROPGZ_VERSION -ADD ${ARTIFACT_DIR}/ pkg/embed/fs/ -RUN GOOS=$OS CGO_ENABLED=0 go build -a -o /go/bin/dropgz -trimpath -ldflags "-X github.com/Azure/azure-container-networking/dropgz/internal/buildinfo.Version="$VERSION"" -gcflags="-dwarflocationlists=true" main.go - - -FROM scratch AS linux -COPY ${ARTIFACT_DIR}/bin/dropgz /dropgz -RUN chmod +x /dropgz -ENTRYPOINT [ "/dropgz" ] - - -# skopeo inspect docker://mcr.microsoft.com/oss/kubernetes/windows-host-process-containers-base-image:v1.0.0 --format "{{.Name}}@{{.Digest}}" -FROM mcr.microsoft.com/oss/kubernetes/windows-host-process-containers-base-image@sha256:b4c9637e032f667c52d1eccfa31ad8c63f1b035e8639f3f48a510536bf34032b as windows -COPY ${ARTIFACT_DIR}/bin/dropgz.exe /dropgz.exe -RUN chmod +x /dropgz.exe -ENTRYPOINT [ "/dropgz.exe" ] From d7a78fb5f79dcdfe0d03ee99c2a40903e2a8aeee Mon Sep 17 00:00:00 2001 From: Sheyla Trudo Date: Sat, 24 May 2025 19:40:11 -0700 Subject: [PATCH 125/154] fixup! fixup! Use Signed Binaries for Docker Build --- .pipelines/build/images.jobs.yaml | 3 --- 1 file changed, 3 deletions(-) diff --git a/.pipelines/build/images.jobs.yaml b/.pipelines/build/images.jobs.yaml index 8fa6b834fa..3246d2c2f3 100644 --- a/.pipelines/build/images.jobs.yaml +++ b/.pipelines/build/images.jobs.yaml @@ -13,8 +13,6 @@ jobs: dependsOn: ${{ job_data.dependsOn }} pool: type: linux - ${{ if eq(job_data.job, 'linux_arm64') }}: - hostArchitecture: arm64 variables: ob_artifactSuffix: _$(name) 
@@ -33,7 +31,6 @@ jobs: GOOS: linux GOARCH: amd64 ${{ elseif eq(job_data.job, 'windows_amd64') }}: - LinuxContainerImage: 'onebranch.azurecr.io/linux/ubuntu-2004:latest' ob_enable_qemu: true OS: windows ARCH: amd64 From 66cc4f6d8e76bc2dc2c3f33f7b3dcfe843c615e0 Mon Sep 17 00:00:00 2001 From: Sheyla Trudo Date: Sat, 24 May 2025 19:55:10 -0700 Subject: [PATCH 126/154] fixup! fixup! Use Signed Binaries for Docker Build --- .pipelines/build/images.jobs.yaml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/.pipelines/build/images.jobs.yaml b/.pipelines/build/images.jobs.yaml index 3246d2c2f3..c83794c93f 100644 --- a/.pipelines/build/images.jobs.yaml +++ b/.pipelines/build/images.jobs.yaml @@ -116,6 +116,9 @@ jobs: LinuxHostVersion: distribution: mariner architecture: arm64 + ${{ else }}: + LinuxHostVersion: + distribution: mariner variables: ob_outputDirectory: $(Build.ArtifactStagingDirectory) ob_artifactSuffix: _$(name) @@ -126,6 +129,7 @@ jobs: ARCH: amd64 OS: linux ${{ elseif eq(job_data.job, 'windows_amd64') }}: + LinuxContainerImage: 'onebranch.azurecr.io/linux/ubuntu-2204:latest' ob_enable_qemu: true ARCH: amd64 OS: windows From ee719ceffeeb1c077d9cb1e2b71f93686634419a Mon Sep 17 00:00:00 2001 From: Sheyla Trudo Date: Sat, 24 May 2025 20:06:23 -0700 Subject: [PATCH 127/154] fixup! fixup! Use Signed Binaries for Docker Build --- .pipelines/build/images.jobs.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.pipelines/build/images.jobs.yaml b/.pipelines/build/images.jobs.yaml index c83794c93f..fd4dc88e3b 100644 --- a/.pipelines/build/images.jobs.yaml +++ b/.pipelines/build/images.jobs.yaml 
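Review bot: `LinuxContainerImage: 'onebranch.azurecr.io/linux/ubuntu-2204:latest'`, added for the windows_amd64 branch in the second PATCH 126 hunk, selects the build container by a floating tag. The environment that assembles the images from signed binaries can therefore change between runs without any change in this repository. If the platform accepts digest references, pin it as `'<image>@sha256:<digest>'` and record the tag in a comment, as the Dockerfiles do with their skopeo lines. The later hunks that move this key between `ubuntu-2404:latest`, `ubuntu:24.04` and `azurelinux/build:3.0` (PATCH 129, 131–133, 137) all use tags as well, and several leave the previous value behind as a commented-out line that should be removed once the choice is settled.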
@@ -125,11 +125,11 @@ jobs: ob_git_checkout: false ob_extract_root_artifact: true ${{ if eq(job_data.job, 'linux_amd64') }}: - LinuxContainerImage: 'onebranch.azurecr.io/linux/ubuntu-2204:latest' + #LinuxContainerImage: 'onebranch.azurecr.io/linux/ubuntu-2204:latest' ARCH: amd64 OS: linux ${{ elseif eq(job_data.job, 'windows_amd64') }}: - LinuxContainerImage: 'onebranch.azurecr.io/linux/ubuntu-2204:latest' + #LinuxContainerImage: 'onebranch.azurecr.io/linux/ubuntu-2204:latest' ob_enable_qemu: true ARCH: amd64 OS: windows From 3688939d3b60ccf19c50b9e03383b9c23219be82 Mon Sep 17 00:00:00 2001 From: Sheyla Trudo Date: Sat, 24 May 2025 20:20:26 -0700 Subject: [PATCH 128/154] fixup! fixup! Use Signed Binaries for Docker Build --- .pipelines/build/images.jobs.yaml | 8 ++------ 1 file changed, 2 insertions(+), 6 deletions(-) diff --git a/.pipelines/build/images.jobs.yaml b/.pipelines/build/images.jobs.yaml index fd4dc88e3b..fbae44f5de 100644 --- a/.pipelines/build/images.jobs.yaml +++ b/.pipelines/build/images.jobs.yaml @@ -112,13 +112,9 @@ jobs: os: linux type: docker ${{ if eq(job_data.job, 'linux_arm64') }}: - hostArchitecture: arm64 - LinuxHostVersion: - distribution: mariner - architecture: arm64 + LinuxHostVersion: 'AzLinux3.0ARM64' ${{ else }}: - LinuxHostVersion: - distribution: mariner + LinuxHostVersion: 'AzLinux3.0AMD64' variables: ob_outputDirectory: $(Build.ArtifactStagingDirectory) ob_artifactSuffix: _$(name) From 65cb53894c7c4039e2d4b89825c9252b63869f5a Mon Sep 17 00:00:00 2001 From: Sheyla Trudo Date: Sat, 24 May 2025 20:43:27 -0700 Subject: [PATCH 129/154] fixup! fixup! Use Signed Binaries for Docker Build --- .pipelines/build/generate-manifest.steps.yaml | 2 +- .pipelines/build/images.jobs.yaml | 13 ++++++++----- 2 files changed, 9 insertions(+), 6 deletions(-) diff --git a/.pipelines/build/generate-manifest.steps.yaml b/.pipelines/build/generate-manifest.steps.yaml index 0d6a10395e..5077e99a73 100644 --- a/.pipelines/build/generate-manifest.steps.yaml 
+++ b/.pipelines/build/generate-manifest.steps.yaml @@ -10,7 +10,7 @@ steps: MANIFEST_DATA=$(echo "$IMAGE_PLATFORM_DATA" | \ jq -r '.[] | .args = [ (.platform | split("/")[0]), (.platform | split("/")[1]) ] | - .args = [ ("--os " + .args[0] ), ("--arch " + .args[1] ) ] | + .args = [ ("--os " + .args[0] ), ("--arch " + .args[1] ) ] | if .osVersion then .args += ["--os-version " + .osVersion] else . end | { image: .imageReference, annotate: .args }' | \ jq -rcs) diff --git a/.pipelines/build/images.jobs.yaml b/.pipelines/build/images.jobs.yaml index fbae44f5de..221de902e4 100644 --- a/.pipelines/build/images.jobs.yaml +++ b/.pipelines/build/images.jobs.yaml @@ -111,25 +111,28 @@ jobs: pool: os: linux type: docker - ${{ if eq(job_data.job, 'linux_arm64') }}: - LinuxHostVersion: 'AzLinux3.0ARM64' - ${{ else }}: - LinuxHostVersion: 'AzLinux3.0AMD64' + ${{ if eq(job_data.job, 'linux_arm64') }}: + hostArchitecture: arm64 +# ${{ else }}: +# LinuxHostVersion: 'AzLinux3.0AMD64' variables: ob_outputDirectory: $(Build.ArtifactStagingDirectory) ob_artifactSuffix: _$(name) ob_git_checkout: false ob_extract_root_artifact: true ${{ if eq(job_data.job, 'linux_amd64') }}: - #LinuxContainerImage: 'onebranch.azurecr.io/linux/ubuntu-2204:latest' + #LinuxContainerImage: 'mcr.microsoft.com/onebranch/azurelinux/build:3.0' + LinuxContainerImage: 'onebranch.azurecr.io/linux/ubuntu-2404:latest' ARCH: amd64 OS: linux ${{ elseif eq(job_data.job, 'windows_amd64') }}: + LinuxContainerImage: 'mcr.microsoft.com/onebranch/azurelinux/build:3.0' #LinuxContainerImage: 'onebranch.azurecr.io/linux/ubuntu-2204:latest' ob_enable_qemu: true ARCH: amd64 OS: windows ${{ elseif eq(job_data.job, 'linux_arm64') }}: + LinuxContainerImage: 'mcr.microsoft.com/onebranch/azurelinux/build:3.0' ob_build_container: true ARCH: arm64 OS: linux From 8e690a6f971f325a2ec0c0afe51a872d71ce13f3 Mon Sep 17 00:00:00 2001 
From: Sheyla Trudo Date: Sat, 24 May 2025 20:47:01 -0700 Subject: [PATCH 130/154] fixup! fixup! Use Signed Binaries for Docker Build --- .pipelines/build/images.jobs.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.pipelines/build/images.jobs.yaml b/.pipelines/build/images.jobs.yaml index 221de902e4..c84d9fe2bd 100644 --- a/.pipelines/build/images.jobs.yaml +++ b/.pipelines/build/images.jobs.yaml @@ -111,8 +111,8 @@ jobs: pool: os: linux type: docker - ${{ if eq(job_data.job, 'linux_arm64') }}: - hostArchitecture: arm64 + ${{ if eq(job_data.job, 'linux_arm64') }}: + hostArchitecture: arm64 # ${{ else }}: # LinuxHostVersion: 'AzLinux3.0AMD64' variables: From 6854cecfdbdac92e27db2aa655404d893bf341fb Mon Sep 17 00:00:00 2001 From: Sheyla Trudo Date: Sat, 24 May 2025 21:03:21 -0700 Subject: [PATCH 131/154] fixup! fixup! Use Signed Binaries for Docker Build --- .pipelines/build/images.jobs.yaml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/.pipelines/build/images.jobs.yaml b/.pipelines/build/images.jobs.yaml index c84d9fe2bd..7c2f8b0831 100644 --- a/.pipelines/build/images.jobs.yaml +++ b/.pipelines/build/images.jobs.yaml @@ -25,7 +25,7 @@ jobs: DEBUG: $[ coalesce(variables['System.Debug'], 'False') ] ob_outputDirectory: $(Build.ArtifactStagingDirectory) ${{ if eq(job_data.job, 'linux_amd64') }}: - LinuxContainerImage: 'onebranch.azurecr.io/linux/ubuntu-2204:latest' + #LinuxContainerImage: 'mcr.microsoft.com/mirror/docker/library/ubuntu:24.04' OS: linux ARCH: amd64 GOOS: linux @@ -127,7 +127,6 @@ jobs: OS: linux ${{ elseif eq(job_data.job, 'windows_amd64') }}: LinuxContainerImage: 'mcr.microsoft.com/onebranch/azurelinux/build:3.0' - #LinuxContainerImage: 'onebranch.azurecr.io/linux/ubuntu-2204:latest' ob_enable_qemu: true ARCH: amd64 OS: windows From d20d048d46dc9a146f0b38db843e6cc8ac68bb1e Mon Sep 17 00:00:00 2001 
From: Sheyla Trudo Date: Sat, 24 May 2025 21:04:46 -0700 Subject: [PATCH 132/154] fixup! fixup! Use Signed Binaries for Docker Build --- .pipelines/build/images.jobs.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.pipelines/build/images.jobs.yaml b/.pipelines/build/images.jobs.yaml index 7c2f8b0831..50cf3a5f5e 100644 --- a/.pipelines/build/images.jobs.yaml +++ b/.pipelines/build/images.jobs.yaml @@ -25,7 +25,7 @@ jobs: DEBUG: $[ coalesce(variables['System.Debug'], 'False') ] ob_outputDirectory: $(Build.ArtifactStagingDirectory) ${{ if eq(job_data.job, 'linux_amd64') }}: - #LinuxContainerImage: 'mcr.microsoft.com/mirror/docker/library/ubuntu:24.04' + LinuxContainerImage: 'mcr.microsoft.com/mirror/docker/library/ubuntu:24.04' OS: linux ARCH: amd64 GOOS: linux @@ -122,7 +122,7 @@ jobs: ob_extract_root_artifact: true ${{ if eq(job_data.job, 'linux_amd64') }}: #LinuxContainerImage: 'mcr.microsoft.com/onebranch/azurelinux/build:3.0' - LinuxContainerImage: 'onebranch.azurecr.io/linux/ubuntu-2404:latest' + LinuxContainerImage: 'mcr.microsoft.com/mirror/docker/library/ubuntu:24.04' ARCH: amd64 OS: linux ${{ elseif eq(job_data.job, 'windows_amd64') }}: From 35d5bf9707fe0b83c9c1d01156b9f317fc14361d Mon Sep 17 00:00:00 2001 From: Sheyla Trudo Date: Sat, 24 May 2025 21:06:22 -0700 Subject: [PATCH 133/154] fixup! fixup! Use Signed Binaries for Docker Build --- .pipelines/build/images.jobs.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.pipelines/build/images.jobs.yaml b/.pipelines/build/images.jobs.yaml index 50cf3a5f5e..f87e4e1c27 100644 --- a/.pipelines/build/images.jobs.yaml +++ b/.pipelines/build/images.jobs.yaml @@ -26,6 +26,7 @@ jobs: ob_outputDirectory: $(Build.ArtifactStagingDirectory) ${{ if eq(job_data.job, 'linux_amd64') }}: LinuxContainerImage: 'mcr.microsoft.com/mirror/docker/library/ubuntu:24.04' + #LinuxContainerImage: 'mcr.microsoft.com/onebranch/azurelinux/build:3.0' OS: linux ARCH: amd64 GOOS: linux 
@@ -121,8 +122,7 @@ jobs: ob_git_checkout: false ob_extract_root_artifact: true ${{ if eq(job_data.job, 'linux_amd64') }}: - #LinuxContainerImage: 'mcr.microsoft.com/onebranch/azurelinux/build:3.0' - LinuxContainerImage: 'mcr.microsoft.com/mirror/docker/library/ubuntu:24.04' + LinuxContainerImage: 'mcr.microsoft.com/onebranch/azurelinux/build:3.0' ARCH: amd64 OS: linux ${{ elseif eq(job_data.job, 'windows_amd64') }}: From d8d935680a9781f87bd428b9299af0f1534f7527 Mon Sep 17 00:00:00 2001 From: Sheyla Trudo Date: Sun, 25 May 2025 15:52:48 -0700 Subject: [PATCH 134/154] fixup! fixup! Use Signed Binaries for Docker Build --- .pipelines/build/images.jobs.yaml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.pipelines/build/images.jobs.yaml b/.pipelines/build/images.jobs.yaml index f87e4e1c27..b704a48a13 100644 --- a/.pipelines/build/images.jobs.yaml +++ b/.pipelines/build/images.jobs.yaml @@ -13,6 +13,8 @@ jobs: dependsOn: ${{ job_data.dependsOn }} pool: type: linux + ${{ if eq(job_data.job, 'linux_arm64') }}: + hostArchitecture: arm64 variables: ob_artifactSuffix: _$(name) From a8c393da0ddbb49f51c70821c079dd5dc13d449b Mon Sep 17 00:00:00 2001 From: Sheyla Trudo Date: Sun, 25 May 2025 16:46:02 -0700 Subject: [PATCH 135/154] fixup! fixup! Use Signed Binaries for Docker Build --- .../build/dockerfiles/ipv6-hp-bpf.Dockerfile | 3 +- .pipelines/build/dockerfiles/npm.Dockerfile | 28 ++++++++++--------- 2 files changed, 17 insertions(+), 14 deletions(-) diff --git a/.pipelines/build/dockerfiles/ipv6-hp-bpf.Dockerfile b/.pipelines/build/dockerfiles/ipv6-hp-bpf.Dockerfile index accd207afc..045244f870 100644 --- a/.pipelines/build/dockerfiles/ipv6-hp-bpf.Dockerfile +++ b/.pipelines/build/dockerfiles/ipv6-hp-bpf.Dockerfile 
@@ -1,6 +1,7 @@ ARG ARCH -FROM --platform=linux/${ARCH} mcr.microsoft.com/cbl-mariner/distroless/minimal:2.0 AS linux + +FROM --platform=linux/${ARCH} mcr.microsoft.com/azurelinux/distroless/minimal:3.0 AS linux ARG ARTIFACT_DIR COPY ${ARTIFACT_DIR}/lib/* /lib COPY ${ARTIFACT_DIR}/bin/ipv6-hp-bpf /ipv6-hp-bpf diff --git a/.pipelines/build/dockerfiles/npm.Dockerfile b/.pipelines/build/dockerfiles/npm.Dockerfile index 9ebf975bb7..a969483958 100644 --- a/.pipelines/build/dockerfiles/npm.Dockerfile +++ b/.pipelines/build/dockerfiles/npm.Dockerfile @@ -1,5 +1,19 @@ +ARG ARCH -FROM mcr.microsoft.com/mirror/docker/library/ubuntu:20.04 as linux + +# intermediate for win-ltsc2022 +FROM --platform=windows/${ARCH} mcr.microsoft.com/windows/servercore@sha256:45952938708fbde6ec0b5b94de68bcdec3f8c838be018536b1e9e5bd95e6b943 as windows +ARG ARTIFACT_DIR + +COPY ${ARTIFACT_DIR}/files/kubeconfigtemplate.yaml kubeconfigtemplate.yaml +COPY ${ARTIFACT_DIR}/scripts/setkubeconfigpath.ps1 setkubeconfigpath.ps1 +COPY ${ARTIFACT_DIR}/scripts/setkubeconfigpath-capz.ps1 setkubeconfigpath-capz.ps1 +COPY ${ARTIFACT_DIR}/bin/azure-npm.exe npm.exe + +CMD ["npm.exe", "start" "--kubeconfig=.\\kubeconfig"] + + +FROM --platform=linux/${ARCH} mcr.microsoft.com/mirror/docker/library/ubuntu:22.04 as linux ARG ARTIFACT_DIR RUN apt-get update && \ @@ -14,15 +28,3 @@ RUN apt-get update && \ COPY ${ARTIFACT_DIR}/bin/azure-npm /usr/bin/azure-npm ENTRYPOINT ["/usr/bin/azure-npm", "start"] - - -# intermediate for win-ltsc2022 -FROM mcr.microsoft.com/windows/servercore@sha256:45952938708fbde6ec0b5b94de68bcdec3f8c838be018536b1e9e5bd95e6b943 as windows -ARG ARTIFACT_DIR - -COPY ${ARTIFACT_DIR}/files/kubeconfigtemplate.yaml kubeconfigtemplate.yaml -COPY ${ARTIFACT_DIR}/scripts/setkubeconfigpath.ps1 setkubeconfigpath.ps1 -COPY ${ARTIFACT_DIR}/scripts/setkubeconfigpath-capz.ps1 setkubeconfigpath-capz.ps1 -COPY ${ARTIFACT_DIR}/bin/azure-npm.exe npm.exe - -CMD ["npm.exe", "start" "--kubeconfig=.\\kubeconfig"] 
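Review bot: The Windows stage that this hunk moves to the top of npm.Dockerfile still carries `CMD ["npm.exe", "start" "--kubeconfig=.\\kubeconfig"]`, which has no comma between `"start"` and the kubeconfig argument, so the array is not valid JSON. Docker treats a CMD as exec form only when the array parses; otherwise the whole line is handed to the default shell as a string, which is probably not what was intended. The line should read `CMD ["npm.exe", "start", "--kubeconfig=.\\kubeconfig"]`. Separately, the Linux stage's `FROM ... ubuntu:22.04` is referenced by tag while the Windows stage is pinned with `@sha256:`; pinning both by digest keeps the base of the shipped image fixed.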
From 4bf3d887827416fe11212bb1aa5859b627b0a14c Mon Sep 17 00:00:00 2001 From: Sheyla Trudo Date: Sun, 25 May 2025 16:47:56 -0700 Subject: [PATCH 136/154] fixup! fixup! Use Signed Binaries for Docker Build --- .pipelines/build/images.jobs.yaml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.pipelines/build/images.jobs.yaml b/.pipelines/build/images.jobs.yaml index b704a48a13..55735f2a4a 100644 --- a/.pipelines/build/images.jobs.yaml +++ b/.pipelines/build/images.jobs.yaml @@ -37,14 +37,14 @@ jobs: ob_enable_qemu: true OS: windows ARCH: amd64 - GOOS: windows - GOARCH: amd64 + #GOOS: windows + #GOARCH: amd64 ${{ elseif eq(job_data.job, 'linux_arm64') }}: ob_enable_qemu: true OS: linux ARCH: arm64 - GOOS: linux - GOARCH: arm64 + #GOOS: linux + #GOARCH: arm64 steps: - task: DownloadPipelineArtifact@2 inputs: From 649349647acdd7f78aceca6dcf75382c225a0fe0 Mon Sep 17 00:00:00 2001 From: Sheyla Trudo Date: Sun, 25 May 2025 16:50:50 -0700 Subject: [PATCH 137/154] fixup! fixup! Use Signed Binaries for Docker Build --- .pipelines/build/images.jobs.yaml | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/.pipelines/build/images.jobs.yaml b/.pipelines/build/images.jobs.yaml index 55735f2a4a..905e205cc4 100644 --- a/.pipelines/build/images.jobs.yaml +++ b/.pipelines/build/images.jobs.yaml @@ -26,9 +26,10 @@ jobs: DROPGZ_VERSION: v0.0.12 DEBUG: $[ coalesce(variables['System.Debug'], 'False') ] ob_outputDirectory: $(Build.ArtifactStagingDirectory) + LinuxContainerImage: 'mcr.microsoft.com/onebranch/azurelinux/build:3.0' ${{ if eq(job_data.job, 'linux_amd64') }}: - LinuxContainerImage: 'mcr.microsoft.com/mirror/docker/library/ubuntu:24.04' - #LinuxContainerImage: 'mcr.microsoft.com/onebranch/azurelinux/build:3.0' + #LinuxContainerImage: 'mcr.microsoft.com/mirror/docker/library/ubuntu:24.04' + #LinuxContainerImage: 'mcr.microsoft.com/onebranch/azurelinux/build:3.0' OS: linux ARCH: amd64 GOOS: linux 
From 1d28d3e28ced2fee17b86a2d1f06df4a9214f894 Mon Sep 17 00:00:00 2001 From: Sheyla Trudo Date: Sun, 25 May 2025 16:56:14 -0700 Subject: [PATCH 138/154] fixup! fixup! Use Signed Binaries for Docker Build --- .pipelines/build/images.jobs.yaml | 3 ++- .pipelines/build/scripts/ipv6-hp-bpf.sh | 8 +++++--- 2 files changed, 7 insertions(+), 4 deletions(-) diff --git a/.pipelines/build/images.jobs.yaml b/.pipelines/build/images.jobs.yaml index 905e205cc4..7e0386f463 100644 --- a/.pipelines/build/images.jobs.yaml +++ b/.pipelines/build/images.jobs.yaml @@ -28,7 +28,8 @@ jobs: ob_outputDirectory: $(Build.ArtifactStagingDirectory) LinuxContainerImage: 'mcr.microsoft.com/onebranch/azurelinux/build:3.0' ${{ if eq(job_data.job, 'linux_amd64') }}: - #LinuxContainerImage: 'mcr.microsoft.com/mirror/docker/library/ubuntu:24.04' + DEBIAN_FRONTEND: noninteractive + LinuxContainerImage: 'mcr.microsoft.com/mirror/docker/library/ubuntu:24.04' #LinuxContainerImage: 'mcr.microsoft.com/onebranch/azurelinux/build:3.0' OS: linux ARCH: amd64 diff --git a/.pipelines/build/scripts/ipv6-hp-bpf.sh b/.pipelines/build/scripts/ipv6-hp-bpf.sh index 7e3a2ede2c..61dc10b487 100644 --- a/.pipelines/build/scripts/ipv6-hp-bpf.sh +++ b/.pipelines/build/scripts/ipv6-hp-bpf.sh 
@@ -46,15 +46,15 @@ mkdir -p "$OUT_DIR"/lib # Package up Needed C Files if [[ -f /etc/debian_version ]];then apt-get update -y - apt-get install -y llvm clang linux-libc-dev linux-headers-generic libbpf-dev libc6-dev nftables iproute2 + apt-get install -y --no-install-recommends llvm clang linux-libc-dev linux-headers-generic libbpf-dev libc6-dev nftables iproute2 if [[ $ARCH =~ amd64 ]]; then - apt-get install -y gcc-multilib + apt-get install -y --no-install-recommends gcc-multilib ARCH=x86_64-linux-gnu cp /usr/lib/"$ARCH"/ld-linux-x86-64.so.2 "$OUT_DIR"/lib/ elif [[ $ARCH =~ arm64 ]]; then - apt-get install -y gcc-aarch64-linux-gnu + apt-get install -y --no-install-recommends gcc-aarch64-linux-gnu ARCH=aarch64-linux-gnu cp /usr/lib/"$ARCH"/ld-linux-aarch64.so.1 "$OUT_DIR"/lib/ @@ -114,9 +114,11 @@ else echo >&2 "##[group]usr include $ARCH directory list" ls -la /usr/include/"$ARCH" || true echo >&2 "##[endgroup]" + echo >&2 "##[group]usr lib directory list" ls -la /usr/lib || true echo >&2 "##[endgroup]" + echo >&2 "##[group]usr lib ldscripts directory list" ls -la /usr/lib/ldscripts || true echo >&2 "##[endgroup]" From 393c86b89f8249f06dd8eb88dcc0bf92c4146f8e Mon Sep 17 00:00:00 2001 From: Sheyla Trudo Date: Sun, 25 May 2025 16:57:59 -0700 Subject: [PATCH 139/154] fixup! fixup! Use Signed Binaries for Docker Build --- .pipelines/build/images.jobs.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.pipelines/build/images.jobs.yaml b/.pipelines/build/images.jobs.yaml index 7e0386f463..ec106a92c9 100644 --- a/.pipelines/build/images.jobs.yaml +++ b/.pipelines/build/images.jobs.yaml 
@@ -26,7 +26,6 @@ jobs: DROPGZ_VERSION: v0.0.12 DEBUG: $[ coalesce(variables['System.Debug'], 'False') ] ob_outputDirectory: $(Build.ArtifactStagingDirectory) - LinuxContainerImage: 'mcr.microsoft.com/onebranch/azurelinux/build:3.0' ${{ if eq(job_data.job, 'linux_amd64') }}: DEBIAN_FRONTEND: noninteractive LinuxContainerImage: 'mcr.microsoft.com/mirror/docker/library/ubuntu:24.04' @@ -36,13 +35,14 @@ jobs: GOOS: linux GOARCH: amd64 ${{ elseif eq(job_data.job, 'windows_amd64') }}: + LinuxContainerImage: 'mcr.microsoft.com/onebranch/azurelinux/build:3.0' ob_enable_qemu: true OS: windows ARCH: amd64 #GOOS: windows #GOARCH: amd64 ${{ elseif eq(job_data.job, 'linux_arm64') }}: - ob_enable_qemu: true + LinuxContainerImage: 'mcr.microsoft.com/onebranch/azurelinux/build:3.0' OS: linux ARCH: arm64 #GOOS: linux From af4447b3d8b281dd9a9177ac8d9aebc2f98170ba Mon Sep 17 00:00:00 2001 From: Sheyla Trudo Date: Sun, 25 May 2025 17:05:29 -0700 Subject: [PATCH 140/154] fixup! fixup! Use Signed Binaries for Docker Build --- .pipelines/build/images.jobs.yaml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/.pipelines/build/images.jobs.yaml b/.pipelines/build/images.jobs.yaml index ec106a92c9..806523a844 100644 --- a/.pipelines/build/images.jobs.yaml +++ b/.pipelines/build/images.jobs.yaml @@ -28,7 +28,8 @@ jobs: ob_outputDirectory: $(Build.ArtifactStagingDirectory) ${{ if eq(job_data.job, 'linux_amd64') }}: DEBIAN_FRONTEND: noninteractive - LinuxContainerImage: 'mcr.microsoft.com/mirror/docker/library/ubuntu:24.04' + LinuxContainerImage: 'onebranch.azurecr.io/linux/ubuntu-2404:latest' + #mcr.microsoft.com/mirror/docker/library/ubuntu:24.04' #LinuxContainerImage: 'mcr.microsoft.com/onebranch/azurelinux/build:3.0' OS: linux ARCH: amd64 From e300638445c9fc0823d9ec9f3a8a74695a5d71c4 Mon Sep 17 00:00:00 2001 
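Review bot: The linux_amd64 branch in the last images.jobs.yaml hunk on this line sets `LinuxContainerImage: 'onebranch.azurecr.io/linux/ubuntu-2404:latest'`, a floating tag, for what by its name is the container the build job runs in. Whatever that tag resolves to on the day of the run becomes the toolchain for binaries this series goes on to sign, so two runs of the same commit can build in different environments and a change behind the tag never shows up in review. Reference the image by digest, e.g. `LinuxContainerImage: 'onebranch.azurecr.io/linux/ubuntu-2404@sha256:<digest>'` (placeholder digest); the same applies to the `azurelinux/build:3.0` entries in the other branches. The leftover `#mcr.microsoft.com/mirror/docker/library/ubuntu:24.04'` is a fragment of the previous value and can be deleted. The `variables:` block these keys belong to starts outside the hunk.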
From: Sheyla Trudo Date: Sun, 25 May 2025 17:09:31 -0700 Subject: [PATCH 141/154] fixup! fixup! Use Signed Binaries for Docker Build --- .pipelines/build/images.jobs.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.pipelines/build/images.jobs.yaml b/.pipelines/build/images.jobs.yaml index 806523a844..c565cb73bb 100644 --- a/.pipelines/build/images.jobs.yaml +++ b/.pipelines/build/images.jobs.yaml @@ -40,13 +40,13 @@ jobs: ob_enable_qemu: true OS: windows ARCH: amd64 - #GOOS: windows + GOOS: windows #GOARCH: amd64 ${{ elseif eq(job_data.job, 'linux_arm64') }}: LinuxContainerImage: 'mcr.microsoft.com/onebranch/azurelinux/build:3.0' OS: linux ARCH: arm64 - #GOOS: linux + GOOS: linux #GOARCH: arm64 steps: - task: DownloadPipelineArtifact@2 From 0e6fffd1824579fb36edbe4172857acc0a2816de Mon Sep 17 00:00:00 2001 From: Sheyla Trudo Date: Sun, 25 May 2025 17:29:49 -0700 Subject: [PATCH 142/154] fixup! fixup! Use Signed Binaries for Docker Build --- .pipelines/build/scripts/ipv6-hp-bpf.sh | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/.pipelines/build/scripts/ipv6-hp-bpf.sh b/.pipelines/build/scripts/ipv6-hp-bpf.sh index 61dc10b487..9d2ed1bf9e 100644 --- a/.pipelines/build/scripts/ipv6-hp-bpf.sh +++ b/.pipelines/build/scripts/ipv6-hp-bpf.sh @@ -92,13 +92,14 @@ if [[ -f /etc/debian_version ]];then # Mariner else tdnf install -y llvm clang libbpf-devel nftables gcc binutils iproute glibc - if [[ $GOARCH =~ amd64 ]]; then + if [[ $ARCH =~ amd64 ]]; then ARCH=x86_64-linux-gnu if [[ -f '/usr/lib/ld-linux-x86-64.so.2' ]]; then cp /usr/lib/ld-linux-x86-64.so.2 "$OUT_DIR"/lib/ fi - elif [[ $GOARCH =~ arm64 ]]; then + elif [[ $ARCH =~ arm64 ]]; then ARCH=aarch64-linux-gnu + tdnf install -y glibc-devel.i386 if [[ -f '/usr/lib/ld-linux-aarch64.so.1' ]]; then cp /usr/lib/ld-linux-aarch64.so.1 "$OUT_DIR"/lib/ fi From cbab609a2dea28c8fce7d182788f8e45a96c9e07 Mon Sep 17 00:00:00 2001 
From: Sheyla Trudo Date: Sun, 25 May 2025 17:49:52 -0700 Subject: [PATCH 143/154] fixup! fixup! Use Signed Binaries for Docker Build --- .pipelines/build/scripts/ipv6-hp-bpf.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.pipelines/build/scripts/ipv6-hp-bpf.sh b/.pipelines/build/scripts/ipv6-hp-bpf.sh index 9d2ed1bf9e..33ce5df098 100644 --- a/.pipelines/build/scripts/ipv6-hp-bpf.sh +++ b/.pipelines/build/scripts/ipv6-hp-bpf.sh @@ -99,7 +99,7 @@ else fi elif [[ $ARCH =~ arm64 ]]; then ARCH=aarch64-linux-gnu - tdnf install -y glibc-devel.i386 + #tdnf install -y glibc-devel.i386 if [[ -f '/usr/lib/ld-linux-aarch64.so.1' ]]; then cp /usr/lib/ld-linux-aarch64.so.1 "$OUT_DIR"/lib/ fi From 23e1faf469476ba35f7d2cad99dc2621086b41ad Mon Sep 17 00:00:00 2001 From: Sheyla Trudo Date: Sun, 25 May 2025 18:51:52 -0700 Subject: [PATCH 144/154] fixup! fixup! Use Signed Binaries for Docker Build --- .pipelines/build/dockerfiles/npm.Dockerfile | 19 +++++++++---------- 1 file changed, 9 insertions(+), 10 deletions(-) diff --git a/.pipelines/build/dockerfiles/npm.Dockerfile b/.pipelines/build/dockerfiles/npm.Dockerfile index a969483958..381d8862cb 100644 --- a/.pipelines/build/dockerfiles/npm.Dockerfile +++ b/.pipelines/build/dockerfiles/npm.Dockerfile 
@@ -13,18 +13,17 @@ COPY ${ARTIFACT_DIR}/bin/azure-npm.exe npm.exe CMD ["npm.exe", "start" "--kubeconfig=.\\kubeconfig"] -FROM --platform=linux/${ARCH} mcr.microsoft.com/mirror/docker/library/ubuntu:22.04 as linux +FROM --platform=linux/${ARCH} mcr.microsoft.com/mirror/docker/library/ubuntu:24.04 as linux ARG ARTIFACT_DIR -RUN apt-get update && \ - apt-get install -y \ - libc-bin=2.31-0ubuntu9.17 \ - libc6=2.31-0ubuntu9.17 \ - libtasn1-6=4.16.0-2ubuntu0.1 \ - libgnutls30=3.6.13-2ubuntu1.12 \ - iptables ipset ca-certificates && \ - apt-get autoremove -y && \ - apt-get clean +RUN apt-get update && apt-get install -y iptables ipset ca-certificates && apt-get autoremove -y && apt-get clean +#RUN apt-get update && \ +# apt-get install -y \ +# linux-libc-dev \ +# libc6-dev \ +# libtasn1-6 \ +# gnutls30 iptables ipset ca-certificates +#RUN apt-get autoremove -y && apt-get clean COPY ${ARTIFACT_DIR}/bin/azure-npm /usr/bin/azure-npm ENTRYPOINT ["/usr/bin/azure-npm", "start"] From 1d12e2868fbfeabcfae62262987a2b3bafbfd662 Mon Sep 17 00:00:00 2001 From: Sheyla Trudo Date: Sun, 25 May 2025 21:06:42 -0700 Subject: [PATCH 145/154] fixup! fixup! Use Signed Binaries for Docker Build --- .pipelines/build/images.jobs.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/.pipelines/build/images.jobs.yaml b/.pipelines/build/images.jobs.yaml index c565cb73bb..d02f23bbb6 100644 --- a/.pipelines/build/images.jobs.yaml +++ b/.pipelines/build/images.jobs.yaml @@ -26,6 +26,7 @@ jobs: DROPGZ_VERSION: v0.0.12 DEBUG: $[ coalesce(variables['System.Debug'], 'False') ] ob_outputDirectory: $(Build.ArtifactStagingDirectory) + ob_containers_signing_enabled: false ${{ if eq(job_data.job, 'linux_amd64') }}: DEBIAN_FRONTEND: noninteractive LinuxContainerImage: 'onebranch.azurecr.io/linux/ubuntu-2404:latest' From 61c10fe4ddee8f69ca8a1280d31af22337d39cad Mon Sep 17 00:00:00 2001 
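Review bot: The new `RUN apt-get update && apt-get install -y iptables ipset ca-certificates ...` line drops the explicit versions the old stage requested for `libc-bin`, `libc6`, `libtasn1-6` and `libgnutls30`. If those pins existed to guarantee patched library versions, the image now relies entirely on what the `ubuntu:24.04` tag carries at build time, and that should be stated in a comment or covered by an image scan. I would also keep the layer minimal and free of package indexes: `RUN apt-get update && apt-get install -y --no-install-recommends iptables ipset ca-certificates && apt-get autoremove -y && apt-get clean && rm -rf /var/lib/apt/lists/*` (check that no recommended package is relied on at runtime). The commented-out `#RUN` block should be removed rather than committed; it also names `gnutls30`, where the old pin was on `libgnutls30`.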
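Review bot: `ob_containers_signing_enabled: false` is added to the job's shared `variables:` block, above the per-platform `${{ if }}` branches, so it applies to every platform this template builds. Judging by its name it switches off container signing (its exact effect is defined by the OneBranch template, which is not visible here), which runs against the stated purpose of the series. A later fixup in this series removes it again; if it is ever needed as a workaround, it should carry a comment explaining why and be limited to non-official builds so it cannot survive a squash into the release path. The `variables:` block starts outside the hunk.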
From: Sheyla Trudo Date: Sun, 25 May 2025 22:22:12 -0700 Subject: [PATCH 146/154] fixup! fixup! Use Signed Binaries for Docker Build --- .pipelines/build/images.jobs.yaml | 15 +++++---------- 1 file changed, 5 insertions(+), 10 deletions(-) diff --git a/.pipelines/build/images.jobs.yaml b/.pipelines/build/images.jobs.yaml index d02f23bbb6..7589f20e9e 100644 --- a/.pipelines/build/images.jobs.yaml +++ b/.pipelines/build/images.jobs.yaml @@ -26,7 +26,6 @@ jobs: DROPGZ_VERSION: v0.0.12 DEBUG: $[ coalesce(variables['System.Debug'], 'False') ] ob_outputDirectory: $(Build.ArtifactStagingDirectory) - ob_containers_signing_enabled: false ${{ if eq(job_data.job, 'linux_amd64') }}: DEBIAN_FRONTEND: noninteractive LinuxContainerImage: 'onebranch.azurecr.io/linux/ubuntu-2404:latest' @@ -34,21 +33,16 @@ jobs: #LinuxContainerImage: 'mcr.microsoft.com/onebranch/azurelinux/build:3.0' OS: linux ARCH: amd64 - GOOS: linux - GOARCH: amd64 ${{ elseif eq(job_data.job, 'windows_amd64') }}: LinuxContainerImage: 'mcr.microsoft.com/onebranch/azurelinux/build:3.0' ob_enable_qemu: true OS: windows ARCH: amd64 - GOOS: windows - #GOARCH: amd64 ${{ elseif eq(job_data.job, 'linux_arm64') }}: LinuxContainerImage: 'mcr.microsoft.com/onebranch/azurelinux/build:3.0' OS: linux ARCH: arm64 - GOOS: linux - #GOARCH: arm64 + GOARCH: arm64 steps: - task: DownloadPipelineArtifact@2 inputs: @@ -118,8 +112,8 @@ jobs: pool: os: linux type: docker - ${{ if eq(job_data.job, 'linux_arm64') }}: - hostArchitecture: arm64 +# ${{ if eq(job_data.job, 'linux_arm64') }}: +# hostArchitecture: arm64 # ${{ else }}: # LinuxHostVersion: 'AzLinux3.0AMD64' variables: @@ -138,9 +132,10 @@ jobs: OS: windows ${{ elseif eq(job_data.job, 'linux_arm64') }}: LinuxContainerImage: 'mcr.microsoft.com/onebranch/azurelinux/build:3.0' - ob_build_container: true + ob_enable_qemu: true ARCH: arm64 OS: linux + GOARCH: arm64 steps: - template: image.steps.yaml From 93f2ec8ba25cccac1d387c4e216c89e1f2d89e1c Mon Sep 17 00:00:00 2001 
From: Sheyla Trudo Date: Sun, 25 May 2025 22:45:07 -0700 Subject: [PATCH 147/154] fixup! fixup! Use Signed Binaries for Docker Build --- .pipelines/build/scripts/azure-ipam.sh | 2 +- .pipelines/build/scripts/cni.sh | 12 ++++++------ .pipelines/build/scripts/cns.sh | 4 ++-- .pipelines/build/scripts/dropgz.sh | 9 ++------- .pipelines/build/scripts/ipv6-hp-bpf.sh | 4 ++-- .pipelines/build/scripts/npm.sh | 4 ++-- 6 files changed, 15 insertions(+), 20 deletions(-) diff --git a/.pipelines/build/scripts/azure-ipam.sh b/.pipelines/build/scripts/azure-ipam.sh index 625d027a81..bee0909ed2 100644 --- a/.pipelines/build/scripts/azure-ipam.sh +++ b/.pipelines/build/scripts/azure-ipam.sh @@ -1,7 +1,7 @@ #!/bin/bash set -eux -[[ $GOOS =~ windows ]] && FILE_EXT='.exe' || FILE_EXT='' +[[ $OS =~ windows ]] && FILE_EXT='.exe' || FILE_EXT='' export CGO_ENABLED=0 diff --git a/.pipelines/build/scripts/cni.sh b/.pipelines/build/scripts/cni.sh index a6d2d5f4a5..8741115cb1 100644 --- a/.pipelines/build/scripts/cni.sh +++ b/.pipelines/build/scripts/cni.sh @@ -1,7 +1,7 @@ #!/bin/bash set -eux -[[ $GOOS =~ windows ]] && FILE_EXT='exe' || FILE_EXT='' +[[ $OS =~ windows ]] && FILE_EXT='exe' || FILE_EXT='' mkdir -p "$OUT_DIR"/files mkdir -p "$OUT_DIR"/bin @@ -11,7 +11,7 @@ export CGO_ENABLED=0 CNI_NET_DIR="$REPO_ROOT"/cni/network/plugin pushd "$CNI_NET_DIR" - go build -v -a -trimpath \ + GOOS="$OS" go build -v -a -trimpath \ -o "$OUT_DIR"/bin/azure-vnet"$FILE_EXT" \ -ldflags "-X main.version="$CNI_VERSION"" \ -gcflags="-dwarflocationlists=true" \ @@ -20,7 +20,7 @@ popd STATELESS_CNI_BUILD_DIR="$REPO_ROOT"/cni/network/stateless pushd "$STATELESS_CNI_BUILD_DIR" - go build -v -a -trimpath \ + GOOS="$OS" go build -v -a -trimpath \ -o "$OUT_DIR"/bin/azure-vnet-stateless"$FILE_EXT" \ -ldflags "-X main.version="$CNI_VERSION"" \ -gcflags="-dwarflocationlists=true" \ 
@@ -29,7 +29,7 @@ popd CNI_IPAM_DIR="$REPO_ROOT"/cni/ipam/plugin pushd "$CNI_IPAM_DIR" - go build -v -a -trimpath \ + GOOS="$OS" go build -v -a -trimpath \ -o "$OUT_DIR"/bin/azure-vnet-ipam"$FILE_EXT" \ -ldflags "-X main.version="$CNI_VERSION"" \ -gcflags="-dwarflocationlists=true" \ @@ -38,7 +38,7 @@ popd CNI_IPAMV6_DIR="$REPO_ROOT"/cni/ipam/pluginv6 pushd "$CNI_IPAMV6_DIR" - go build -v -a -trimpath \ + GOOS="$OS" go build -v -a -trimpath \ -o "$OUT_DIR"/bin/azure-vnet-ipamv6"$FILE_EXT" \ -ldflags "-X main.version="$CNI_VERSION"" \ -gcflags="-dwarflocationlists=true" \ @@ -47,7 +47,7 @@ popd CNI_TELEMETRY_DIR="$REPO_ROOT"/cni/telemetry/service pushd "$CNI_TELEMETRY_DIR" - go build -v -a -trimpath \ + GOOS="$OS" go build -v -a -trimpath \ -o "$OUT_DIR"/bin/azure-vnet-telemetry"$FILE_EXT" \ -ldflags "-X main.version="$CNI_VERSION" -X "$CNI_AI_PATH"="$CNI_AI_ID"" \ -gcflags="-dwarflocationlists=true" \ diff --git a/.pipelines/build/scripts/cns.sh b/.pipelines/build/scripts/cns.sh index 2697f41387..fbb4c4a221 100644 --- a/.pipelines/build/scripts/cns.sh +++ b/.pipelines/build/scripts/cns.sh @@ -1,7 +1,7 @@ #!/bin/bash set -eux -[[ $GOOS =~ windows ]] && FILE_EXT='.exe' || FILE_EXT='' +[[ $OS =~ windows ]] && FILE_EXT='.exe' || FILE_EXT='' export CGO_ENABLED=0 @@ -10,7 +10,7 @@ mkdir -p "$OUT_DIR"/bin mkdir -p "$OUT_DIR"/scripts pushd "$REPO_ROOT"/cns - go build -v -a \ + GOOS="$OS" go build -v -a \ -o "$OUT_DIR"/bin/azure-cns"$FILE_EXT" \ -ldflags "-X main.version="$CNS_VERSION" -X "$CNS_AI_PATH"="$CNS_AI_ID"" \ -gcflags="-dwarflocationlists=true" \ diff --git a/.pipelines/build/scripts/dropgz.sh b/.pipelines/build/scripts/dropgz.sh index fb40143567..4258f11710 100644 --- a/.pipelines/build/scripts/dropgz.sh +++ b/.pipelines/build/scripts/dropgz.sh @@ -1,7 +1,7 @@ #!/bin/bash set -eux -[[ $GOOS =~ windows ]] && FILE_EXT='.exe' || FILE_EXT='' +[[ $OS =~ windows ]] && FILE_EXT='.exe' || FILE_EXT='' export CGO_ENABLED=0 
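Review bot: In the cns.sh hunk the rewritten build line is `GOOS="$OS" go build -v -a \` without `-trimpath`, while every other build script touched by this patch passes it. Without `-trimpath` the Go toolchain records absolute source paths from the build agent in the binary, which leaks agent layout into a signed artifact and makes the output depend on the checkout directory. Change the line to `GOOS="$OS" go build -v -a -trimpath \` so the cns binary is built like the others.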
@@ -34,15 +34,10 @@ echo >&2 "##[section]Download DropGZ ($DROPGZ_VERSION)" GOPATH="$DROPGZ_BUILD_DIR" \ go mod download "$DROPGZ_MOD_DOWNLOAD_PATH" -ls -la -ls -la "$GEN_DIR" -ls -la "$DROPGZ_BUILD_DIR" -apt-get install -y tree || tdnf install -y tree -tree "$GEN_DIR" echo >&2 "##[section]Build DropGZ with Embedded Payload" pushd "$DROPGZ_BUILD_DIR"/pkg/mod/"$DROPGZ_MOD_DOWNLOAD_PATH" mv "$PAYLOAD_DIR"/* pkg/embed/fs/ - go build -v -trimpath -a \ + GOOS="$OS" go build -v -trimpath -a \ -o "$OUT_DIR"/bin/dropgz"$FILE_EXT" \ -ldflags "-X github.com/Azure/azure-container-networking/dropgz/internal/buildinfo.Version="$DROPGZ_VERSION"" \ -gcflags="-dwarflocationlists=true" \ diff --git a/.pipelines/build/scripts/ipv6-hp-bpf.sh b/.pipelines/build/scripts/ipv6-hp-bpf.sh index 33ce5df098..121ad88399 100644 --- a/.pipelines/build/scripts/ipv6-hp-bpf.sh +++ b/.pipelines/build/scripts/ipv6-hp-bpf.sh @@ -35,7 +35,7 @@ function findcp::shared_library() { } -[[ $GOOS =~ windows ]] && FILE_EXT='.exe' || FILE_EXT='' +[[ $OS =~ windows ]] && FILE_EXT='.exe' || FILE_EXT='' export CGO_ENABLED=0 export C_INCLUDE_PATH=/usr/include/bpf @@ -157,7 +157,7 @@ pushd "$REPO_ROOT"/bpf-prog/ipv6-hp-bpf fi go generate ./... - go build -v -a -trimpath \ + GOOS="$OS" go build -v -a -trimpath \ -o "$OUT_DIR"/bin/ipv6-hp-bpf"$FILE_EXT" \ -ldflags "-X main.version="$IPV6_HP_BPF_VERSION"" \ -gcflags="-dwarflocationlists=true" . diff --git a/.pipelines/build/scripts/npm.sh b/.pipelines/build/scripts/npm.sh index bbe1fb301e..29e274b9f2 100644 --- a/.pipelines/build/scripts/npm.sh +++ b/.pipelines/build/scripts/npm.sh @@ -1,7 +1,7 @@ #!/bin/bash set -eux -[[ $GOOS =~ windows ]] && FILE_EXT='.exe' || FILE_EXT='' +[[ $OS =~ windows ]] && FILE_EXT='.exe' || FILE_EXT='' export CGO_ENABLED=0 
@@ -10,7 +10,7 @@ mkdir -p "$OUT_DIR"/bin mkdir -p "$OUT_DIR"/scripts pushd "$REPO_ROOT"/npm - go build -a -v -trimpath \ + GOOS="$OS" go build -a -v -trimpath \ -o "$OUT_DIR"/bin/azure-npm"$FILE_EXT" \ -ldflags "-X main.version="$NPM_VERSION" -X "$NPM_AI_PATH"="$NPM_AI_ID"" \ -gcflags="-dwarflocationlists=true" \ From dad6c6ee7b5176d703200415d96aef0a4dfef9ac Mon Sep 17 00:00:00 2001 From: Sheyla Trudo Date: Sun, 25 May 2025 23:08:36 -0700 Subject: [PATCH 148/154] fixup! fixup! Use Signed Binaries for Docker Build --- .pipelines/build/scripts/cni.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.pipelines/build/scripts/cni.sh b/.pipelines/build/scripts/cni.sh index 8741115cb1..8d9c210e46 100644 --- a/.pipelines/build/scripts/cni.sh +++ b/.pipelines/build/scripts/cni.sh @@ -1,7 +1,7 @@ #!/bin/bash set -eux -[[ $OS =~ windows ]] && FILE_EXT='exe' || FILE_EXT='' +[[ $OS =~ windows ]] && FILE_EXT='.exe' || FILE_EXT='' mkdir -p "$OUT_DIR"/files mkdir -p "$OUT_DIR"/bin From fb4caa0b490f6c7a9f6d9a8f8ae0dd88155472d9 Mon Sep 17 00:00:00 2001 From: Sheyla Trudo Date: Sun, 25 May 2025 23:33:03 -0700 Subject: [PATCH 149/154] fixup! fixup! Use Signed Binaries for Docker Build --- .pipelines/build/dockerfiles/cns.Dockerfile | 1 - 1 file changed, 1 deletion(-) diff --git a/.pipelines/build/dockerfiles/cns.Dockerfile b/.pipelines/build/dockerfiles/cns.Dockerfile index 3e27843467..97e3f36477 100644 --- a/.pipelines/build/dockerfiles/cns.Dockerfile +++ b/.pipelines/build/dockerfiles/cns.Dockerfile @@ -23,7 +23,6 @@ ARG ARTIFACT_DIR . COPY --from=build-helper /usr/sbin/*tables* /usr/sbin/ COPY --from=build-helper /usr/lib /usr/lib -ADD ${ARTIFACT_DIR}/bin/azure-cns /usr/local/bin/azure-cns COPY ${ARTIFACT_DIR}/bin/azure-cns /usr/local/bin/azure-cns ENTRYPOINT [ "/usr/local/bin/azure-cns" ] EXPOSE 10090 From f2b5e84ffb7ab91cf837a996796bd5eeef3a9de6 Mon Sep 17 00:00:00 2001 
From: Sheyla Trudo Date: Mon, 26 May 2025 23:48:20 -0700 Subject: [PATCH 150/154] fixup! fixup! Use Signed Binaries for Docker Build --- .pipelines/build/scripts/azure-ipam.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.pipelines/build/scripts/azure-ipam.sh b/.pipelines/build/scripts/azure-ipam.sh index bee0909ed2..6bf2dfd96d 100644 --- a/.pipelines/build/scripts/azure-ipam.sh +++ b/.pipelines/build/scripts/azure-ipam.sh @@ -9,7 +9,7 @@ mkdir -p "$OUT_DIR"/bin mkdir -p "$OUT_DIR"/files pushd "$REPO_ROOT"/azure-ipam - go build -v -a -trimpath \ + GOOS="$OS" go build -v -a -trimpath \ -o "$OUT_DIR"/bin/azure-ipam"$FILE_EXT" \ -ldflags "-X github.com/Azure/azure-container-networking/azure-ipam/internal/buildinfo.Version="$AZURE_IPAM_VERSION" -X main.version="$AZURE_IPAM_VERSION"" \ -gcflags="-dwarflocationlists=true" \ From 69082796e876df2247a96fcaa3ac4c1ef00af98b Mon Sep 17 00:00:00 2001 From: Sheyla Trudo Date: Tue, 27 May 2025 15:10:57 -0700 Subject: [PATCH 151/154] fixup! fixup! Use Signed Binaries for Docker Build --- .pipelines/build/scripts/dropgz.sh | 25 ++++++++++++++++++++++--- .pipelines/run-pipeline.yaml | 4 ++-- 2 files changed, 24 insertions(+), 5 deletions(-) diff --git a/.pipelines/build/scripts/dropgz.sh b/.pipelines/build/scripts/dropgz.sh index 4258f11710..711a0bbfc0 100644 --- a/.pipelines/build/scripts/dropgz.sh +++ b/.pipelines/build/scripts/dropgz.sh @@ -1,6 +1,23 @@ #!/bin/bash set -eux +function _remove_exe_extension() { + local file_path + file_path="${1}" + file_dir=$(dirname "$file_path") + file_dir=$(realpath "$file_dir") + file_basename=$(basename "$file_path" '.exe') + mv "$file_path" "$file_dir"/"$file_basename" +} +function files::remove_exe_extensions() { + local target_dir + target_dir="${1}" + + for file in $(find "$target_dir" -type f -name '*.exe'); do + _remove_exe_extension "$file" + done +} + [[ $OS =~ windows ]] && FILE_EXT='.exe' || FILE_EXT='' export CGO_ENABLED=0 
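Review bot: `files::remove_exe_extensions` in the dropgz.sh hunk iterates with `for file in $(find ...)`, which splits find's output on whitespace and glob-expands it, so an `.exe` whose path contains a space or glob character is renamed wrongly or makes `mv` fail under `set -eux`. `_remove_exe_extension` also declares only `file_path` as local, so `file_dir` and `file_basename` leak into the script's global scope, and `file` does the same in the loop. Reading NUL-delimited names from `find -print0` and declaring every local avoids both problems; the rewritten functions are below.

```shell
function _remove_exe_extension() {
  local file_path file_dir file_basename
  file_path="${1}"
  file_dir=$(realpath "$(dirname "$file_path")")
  file_basename=$(basename "$file_path" '.exe')
  mv -- "$file_path" "$file_dir"/"$file_basename"
}
function files::remove_exe_extensions() {
  local target_dir file
  target_dir="${1}"

  # NUL-delimited so paths with spaces or glob characters survive intact
  while IFS= read -r -d '' file; do
    _remove_exe_extension "$file"
  done < <(find "$target_dir" -type f -name '*.exe' -print0)
}
```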
@@ -18,9 +35,11 @@ mkdir -p "$DROPGZ_BUILD_DIR" echo >&2 "##[section]Construct DropGZ Embedded Payload" pushd "$PAYLOAD_DIR" - [[ -n $(stat "$OUT_DIR"/files 2>/dev/null || true) ]] && cp "$OUT_DIR"/files/* . - [[ -n $(stat "$OUT_DIR"/scripts 2>/dev/null || true) ]] && cp "$OUT_DIR"/scripts/* . - [[ -n $(stat "$OUT_DIR"/bin 2>/dev/null || true) ]] && cp "$OUT_DIR"/bin/* . + [[ -d "$OUT_DIR"/files ]] && cp "$OUT_DIR"/files/* . || true + [[ -d "$OUT_DIR"/scripts ]] && cp "$OUT_DIR"/scripts/* . || true + [[ -d "$OUT_DIR"/bin ]] && cp "$OUT_DIR"/bin/* . || true + + [[ $OS =~ windows ]] && files::remove_exe_extensions . sha256sum * > sum.txt gzip --verbose --best --recursive . diff --git a/.pipelines/run-pipeline.yaml b/.pipelines/run-pipeline.yaml index 5ee77707b2..ba2adc13c9 100644 --- a/.pipelines/run-pipeline.yaml +++ b/.pipelines/run-pipeline.yaml @@ -248,8 +248,8 @@ stages: platforms: - platform: linux/amd64 imageReference: $(IPV6_LINUX_AMD64_REF) - #- platform: linux/arm64 - # imageReference: $(IPV6_LINUX_ARM64_REF) + - platform: linux/arm64 + imageReference: $(IPV6_LINUX_ARM64_REF) - job: npm templateContext: name: npm From 10267d0d45f9d9c1756352cdb46c77a42d4adb63 Mon Sep 17 00:00:00 2001 From: Sheyla Trudo Date: Tue, 27 May 2025 18:00:02 -0700 Subject: [PATCH 152/154] fixup! fixup! Use Signed Binaries for Docker Build --- .pipelines/run-pipeline.yaml | 7 ++----- 1 file changed, 2 insertions(+), 5 deletions(-) diff --git a/.pipelines/run-pipeline.yaml b/.pipelines/run-pipeline.yaml index ba2adc13c9..50cf8fac58 100644 --- a/.pipelines/run-pipeline.yaml +++ b/.pipelines/run-pipeline.yaml @@ -13,10 +13,7 @@ stages: ob_artifactSuffix: _source ACR_DIR: $(Build.SourcesDirectory)/azure-container-networking - ${{ if parameters.isOfficial }}: - BUILD_TYPE: official - ${{ else }}: - BUILD_TYPE: buddy + BUILD_TYPE: $(BUILD_TYPE) steps: - checkout: azure-container-networking - template: build/ob-prepare.steps.yaml 
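Review bot: The three rewritten copy lines in the dropgz.sh hunk end in `|| true`, which hides a failing `cp` as well as a missing directory. Under `set -eux` the old `[[ ... ]] && cp ...` form aborted when the copy itself failed; the new form carries on, and the following `sha256sum * > sum.txt` then records a checksum list that is self-consistent but describes an incomplete payload. Use an explicit conditional so only the missing-directory case is tolerated, e.g. `if [[ -d "$OUT_DIR"/bin ]]; then cp "$OUT_DIR"/bin/* .; fi`, and likewise for `files` and `scripts`. If an existing but empty directory is expected, test for that case explicitly rather than ignoring every error.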
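Review bot: `BUILD_TYPE: $(BUILD_TYPE)` in the last run-pipeline.yaml hunk on this line defines the variable as a reference to itself, and it replaces a value fixed at template-expansion time by `parameters.isOfficial` with one resolved from a runtime variable. The next patch in the series changes the right-hand side to `$(IMAGE_ACR_TYPE)`, whose definition is not part of this diff. If that variable can be overridden when a run is queued, the official/buddy distinction becomes caller-controlled, so confirm it is set only by the pipeline definition or keep the `${{ if parameters.isOfficial }}` selection. The `variables:` block starts outside the hunk.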
@@ -105,7 +102,7 @@ stages: name: azure-ipam extraArgs: '' archiveName: azure-ipam - archiveVersion: $(OS)-$(ARCH)-$(AZURE_IPAM_VERSION) + archiveVersion: $(AZURE_IPAM_VERSION) imageTag: $(Build.BuildNumber) packageWithDropGZ: True cni: From 1bb2b163726c015738c2ac468b050ee67437f5a1 Mon Sep 17 00:00:00 2001 From: Sheyla Trudo Date: Tue, 27 May 2025 18:09:52 -0700 Subject: [PATCH 153/154] fixup! fixup! Use Signed Binaries for Docker Build --- .pipelines/run-pipeline.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.pipelines/run-pipeline.yaml b/.pipelines/run-pipeline.yaml index 50cf8fac58..edc81dc20f 100644 --- a/.pipelines/run-pipeline.yaml +++ b/.pipelines/run-pipeline.yaml @@ -13,7 +13,7 @@ stages: ob_artifactSuffix: _source ACR_DIR: $(Build.SourcesDirectory)/azure-container-networking - BUILD_TYPE: $(BUILD_TYPE) + BUILD_TYPE: $(IMAGE_ACR_TYPE) steps: - checkout: azure-container-networking - template: build/ob-prepare.steps.yaml From e550bbd9962e6160ebce60330190bfc11b41f8e1 Mon Sep 17 00:00:00 2001 From: jpayne3506 Date: Wed, 28 May 2025 15:32:18 -0700 Subject: [PATCH 154/154] chore: comment out NPM jobs/steps --- .pipelines/build/ob-prepare.steps.yaml | 34 +++++++-------- .pipelines/run-pipeline.yaml | 60 +++++++++++++------------- 2 files changed, 47 insertions(+), 47 deletions(-) diff --git a/.pipelines/build/ob-prepare.steps.yaml b/.pipelines/build/ob-prepare.steps.yaml index 8f866e25e9..bfd6f004b5 100644 --- a/.pipelines/build/ob-prepare.steps.yaml +++ b/.pipelines/build/ob-prepare.steps.yaml 
@@ -8,23 +8,23 @@ steps: target_path: bpf-prog/ipv6-hp-bpf source_dockerfile: linux.Dockerfile -- template: utils/rename-dockerfile-references.steps.yaml - parameters: - topic: "Windows - npm" - replace_references: true - working_directory: $(ACN_DIR) - source_path: npm - target_path: npm-windows - source_dockerfile: windows.Dockerfile +# - template: utils/rename-dockerfile-references.steps.yaml +# parameters: +# topic: "Windows - npm" +# replace_references: true +# working_directory: $(ACN_DIR) +# source_path: npm +# target_path: npm-windows +# source_dockerfile: windows.Dockerfile -- template: utils/rename-dockerfile-references.steps.yaml - parameters: - topic: "Linux - npm" - replace_references: true - working_directory: $(ACN_DIR) - source_path: npm - target_path: npm - source_dockerfile: linux.Dockerfile +# - template: utils/rename-dockerfile-references.steps.yaml +# parameters: +# topic: "Linux - npm" +# replace_references: true +# working_directory: $(ACN_DIR) +# source_path: npm +# target_path: npm +# source_dockerfile: linux.Dockerfile - bash: | rm -rf .hooks .github @@ -41,7 +41,7 @@ steps: STORAGE_ID=$(echo "${BUILD_BUILDNUMBER//./-}") echo "##vso[task.setvariable variable=StorageID;isOutput=true]$STORAGE_ID" echo "StorageID: $STORAGE_ID" - + COMMITID=$(git rev-parse --short HEAD) COMMITID="$COMMITID"-"$(date "+%d%H%M")" echo "##vso[task.setvariable variable=commitID;isOutput=true]$COMMITID" diff --git a/.pipelines/run-pipeline.yaml b/.pipelines/run-pipeline.yaml index edc81dc20f..851bf9289f 100644 --- a/.pipelines/run-pipeline.yaml +++ b/.pipelines/run-pipeline.yaml 
@@ -82,12 +82,12 @@ stages: archiveName: ipv6-hp-bpf archiveVersion: $(IPV6_HP_BPF_VERSION) imageTag: $(Build.BuildNumber) - npm: - name: npm - extraArgs: '--build-arg NPM_AI_PATH=$(NPM_AI_PATH) --build-arg NPM_AI_ID=$(NPM_AI_ID)' - archiveName: azure-npm - archiveVersion: $(NPM_VERSION) - imageTag: $(Build.BuildNumber) + # npm: + # name: npm + # extraArgs: '--build-arg NPM_AI_PATH=$(NPM_AI_PATH) --build-arg NPM_AI_ID=$(NPM_AI_ID)' + # archiveName: azure-npm + # archiveVersion: $(NPM_VERSION) + # imageTag: $(Build.BuildNumber) - job: windows_amd64 displayName: "Windows" @@ -118,13 +118,13 @@ stages: archiveName: azure-cns archiveVersion: $(CNS_VERSION) imageTag: $(Build.BuildNumber) - npm: - name: npm - extraArgs: '--build-arg NPM_AI_PATH=$(NPM_AI_PATH) --build-arg NPM_AI_ID=$(NPM_AI_ID)' - archiveName: azure-npm - archiveVersion: $(NPM_VERSION) - imageTag: $(Build.BuildNumber) - + # npm: + # name: npm + # extraArgs: '--build-arg NPM_AI_PATH=$(NPM_AI_PATH) --build-arg NPM_AI_ID=$(NPM_AI_ID)' + # archiveName: azure-npm + # archiveVersion: $(NPM_VERSION) + # imageTag: $(Build.BuildNumber) + - job: linux_arm64 displayName: "Linux/ARM64" templateContext: @@ -160,12 +160,12 @@ stages: archiveName: ipv6-hp-bpf archiveVersion: $(IPV6_HP_BPF_VERSION) imageTag: $(Build.BuildNumber) - npm: - name: npm - extraArgs: '--build-arg NPM_AI_PATH=$(NPM_AI_PATH) --build-arg NPM_AI_ID=$(NPM_AI_ID)' - archiveName: azure-npm - archiveVersion: $(NPM_VERSION) - imageTag: $(Build.BuildNumber) + # npm: + # name: npm + # extraArgs: '--build-arg NPM_AI_PATH=$(NPM_AI_PATH) --build-arg NPM_AI_ID=$(NPM_AI_ID)' + # archiveName: azure-npm + # archiveVersion: $(NPM_VERSION) + # imageTag: $(Build.BuildNumber) - stage: manifests 
@@ -247,17 +247,17 @@ stages: imageReference: $(IPV6_LINUX_AMD64_REF) - platform: linux/arm64 imageReference: $(IPV6_LINUX_ARM64_REF) - - job: npm - templateContext: - name: npm - image_tag: $(NPM_VERSION) - platforms: - - platform: linux/amd64 - imageReference: $(NPM_LINUX_AMD64_REF) - - platform: linux/arm64 - imageReference: $(NPM_LINUX_ARM64_REF) - - platform: windows/amd64 - imageReference: $(NPM_WINDOWS_AMD64_REF) + # - job: npm + # templateContext: + # name: npm + # image_tag: $(NPM_VERSION) + # platforms: + # - platform: linux/amd64 + # imageReference: $(NPM_LINUX_AMD64_REF) + # - platform: linux/arm64 + # imageReference: $(NPM_LINUX_ARM64_REF) + # - platform: windows/amd64 + # imageReference: $(NPM_WINDOWS_AMD64_REF) # Cilium Podsubnet E2E tests