github/kubernetes
1
0
Fork 0
mirror of https://github.com/k3s-io/kubernetes.git synced 2025-07-22 03:11:40 +00:00
Code Issues Projects Releases Wiki Activity

base-images: Migrate Debian base images to k/release

Browse Source 
Signed-off-by: Stephen Augustus <saugustus@vmware.com>
This commit is contained in:
Stephen Augustus 2020-02-26 22:37:01 -05:00
parent 30ee970640
commit 1ccc8e3ac4
14 changed files with 0 additions and 505 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

19
build/debian-base/Dockerfile
View File

@ -1,19 +0,0 @@
# Copyright 2017 The Kubernetes Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
FROM scratch
ADD rootfs.tar /
CMD ["/bin/sh"]

88
build/debian-base/Dockerfile.build
View File

@ -1,88 +0,0 @@
# Copyright 2017 The Kubernetes Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
FROM BASEIMAGE
# If we're building for another architecture than amd64, the CROSS_BUILD_ placeholder is removed so
# e.g. CROSS_BUILD_COPY turns into COPY
# If we're building normally, for amd64, CROSS_BUILD lines are removed
CROSS_BUILD_COPY qemu-ARCH-static /usr/bin/
ENV DEBIAN_FRONTEND=noninteractive
# Smaller package install size.
COPY excludes /etc/dpkg/dpkg.cfg.d/excludes
# Convenience script for building on this base image.
COPY clean-install /usr/local/bin/clean-install
# Update system packages.
RUN apt-get update \
&& apt-get dist-upgrade -y
# Hold required packages to avoid breaking the installation of packages
RUN apt-mark hold apt gnupg adduser passwd libsemanage1 libcap2
# Remove unnecessary packages.
# This list was generated manually by listing the installed packages (`apt list --installed`),
# then running `apt-cache rdepends --installed --no-recommends` to find the "root" packages.
# The root packages were evaluated based on whether they were needed in the container image.
# Several utilities (e.g. ping) were kept for usefulness, but may be removed in later versions.
RUN echo "Yes, do as I say!" | apt-get purge \
bash \
e2fsprogs \
libcap2-bin \
libmount1 \
libsmartcols1 \
libblkid1 \
libss2 \
ncurses-base \
ncurses-bin \
tzdata
# No-op stubs replace some unnecessary binaries that may be depended on in the install process (in
# particular we don't run an init process).
WORKDIR /usr/local/bin
RUN touch noop && \
chmod 555 noop && \
ln -s noop runlevel && \
ln -s noop invoke-rc.d && \
ln -s noop update-rc.d
WORKDIR /
# Cleanup cached and unnecessary files.
RUN apt-get autoremove -y && \
apt-get clean -y && \
tar -czf /usr/share/copyrights.tar.gz /usr/share/common-licenses /usr/share/doc/*/copyright && \
rm -rf \
/usr/share/doc \
/usr/share/man \
/usr/share/info \
/usr/share/locale \
/var/lib/apt/lists/* \
/var/log/* \
/var/cache/debconf/* \
/usr/share/common-licenses* \
/usr/share/bash-completion \
~/.bashrc \
~/.profile \
/etc/systemd \
/lib/lsb \
/lib/udev \
/usr/lib/x86_64-linux-gnu/gconv/IBM* \
/usr/lib/x86_64-linux-gnu/gconv/EBC* && \
mkdir -p /usr/share/man/man1 /usr/share/man/man2 \
/usr/share/man/man3 /usr/share/man/man4 \
/usr/share/man/man5 /usr/share/man/man6 \
/usr/share/man/man7 /usr/share/man/man8

105
build/debian-base/Makefile
View File

@ -1,105 +0,0 @@
# Copyright 2017 The Kubernetes Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
all: all-build
REGISTRY ?= gcr.io/k8s-staging-build-image
IMAGE ?= $(REGISTRY)/debian-base
BUILD_IMAGE ?= debian-build
TAG ?= v2.1.1
TAR_FILE ?= rootfs.tar
ARCH?=amd64
ALL_ARCH = amd64 arm arm64 ppc64le s390x
TEMP_DIR:=$(shell mktemp -d)
QEMUVERSION=v4.2.0-6
SUDO=$(if $(filter 0,$(shell id -u)),,sudo)
# This option is for running docker manifest command
export DOCKER_CLI_EXPERIMENTAL := enabled
ifeq ($(ARCH),amd64)
BASEIMAGE?=debian:buster-slim
endif
ifeq ($(ARCH),arm)
BASEIMAGE?=arm32v7/debian:buster-slim
QEMUARCH=arm
endif
ifeq ($(ARCH),arm64)
BASEIMAGE?=arm64v8/debian:buster-slim
QEMUARCH=aarch64
endif
ifeq ($(ARCH),ppc64le)
BASEIMAGE?=ppc64le/debian:buster-slim
QEMUARCH=ppc64le
endif
ifeq ($(ARCH),s390x)
BASEIMAGE?=s390x/debian:buster-slim
QEMUARCH=s390x
endif
sub-build-%:
$(MAKE) ARCH=$* build
all-build: $(addprefix sub-build-,$(ALL_ARCH))
sub-push-image-%:
$(MAKE) ARCH=$* push
all-push-images: $(addprefix sub-push-image-,$(ALL_ARCH))
all-push: all-push-images push-manifest
push-manifest:
docker manifest create --amend $(IMAGE):$(TAG) $(shell echo $(ALL_ARCH) | sed -e "s~[^ ]*~$(IMAGE)\-&:$(TAG)~g")
@for arch in $(ALL_ARCH); do docker manifest annotate --arch $${arch} ${IMAGE}:${TAG} ${IMAGE}-$${arch}:${TAG}; done
docker manifest push --purge ${IMAGE}:${TAG}
build: clean
cp ./* $(TEMP_DIR)
cat Dockerfile.build \
| sed "s|BASEIMAGE|$(BASEIMAGE)|g" \
| sed "s|ARCH|$(QEMUARCH)|g" \
> $(TEMP_DIR)/Dockerfile.build
ifeq ($(ARCH),amd64)
# When building "normally" for amd64, remove the whole line, it has no part in the amd64 image
sed "/CROSS_BUILD_/d" $(TEMP_DIR)/Dockerfile.build > $(TEMP_DIR)/Dockerfile.build.tmp
else
# When cross-building, only the placeholder "CROSS_BUILD_" should be removed
# Register /usr/bin/qemu-ARCH-static as the handler for non-x86 binaries in the kernel
$(SUDO) ../../third_party/multiarch/qemu-user-static/register/register.sh --reset
curl -sSL https://github.com/multiarch/qemu-user-static/releases/download/$(QEMUVERSION)/x86_64_qemu-$(QEMUARCH)-static.tar.gz | tar -xz -C $(TEMP_DIR)
# Ensure we don't get surprised by umask settings
chmod 0755 $(TEMP_DIR)/qemu-$(QEMUARCH)-static
sed "s/CROSS_BUILD_//g" $(TEMP_DIR)/Dockerfile.build > $(TEMP_DIR)/Dockerfile.build.tmp
endif
mv $(TEMP_DIR)/Dockerfile.build.tmp $(TEMP_DIR)/Dockerfile.build
docker build --pull -t $(BUILD_IMAGE) -f $(TEMP_DIR)/Dockerfile.build $(TEMP_DIR)
docker create --name $(BUILD_IMAGE) $(BUILD_IMAGE)
docker export $(BUILD_IMAGE) > $(TEMP_DIR)/$(TAR_FILE)
docker build -t $(IMAGE)-$(ARCH):$(TAG) $(TEMP_DIR)
rm -rf $(TEMP_DIR)
push: build
docker push $(IMAGE)-$(ARCH):$(TAG)
clean:
docker rmi -f $(IMAGE)-$(ARCH):$(TAG) || true
docker rmi -f $(BUILD_IMAGE) || true
docker rm -f $(BUILD_IMAGE) || true

12
build/debian-base/OWNERS
View File

@ -1,12 +0,0 @@
# See the OWNERS docs at https://go.k8s.io/owners
reviewers:
- build-image-reviewers
- BenTheElder
- mkumatag
- tallclair
approvers:
- build-image-approvers
- BenTheElder
- mkumatag
- tallclair

12
build/debian-base/README.md
View File

@ -1,12 +0,0 @@
# Kubernetes Debian Base
The Kubernetes debian-base image provides a common base for Kubernetes system images that require
external dependencies (such as `iptables`, `sh`, or anything that is more than a static go-binary).
This image differs from the standard debian image by removing a lot of packages and files that are
generally not necessary in containers. The end result is an image that is just over 40 MB, down from
123 MB.
The image also provides a convenience script `/usr/local/bin/clean-install` that encapsulates the
process of updating apt repositories, installing the packages, and then cleaning up unnecessary
caches & logs.

36
build/debian-base/clean-install
View File

@ -1,36 +0,0 @@
#!/bin/sh
# Copyright 2017 The Kubernetes Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# A script encapsulating a common Dockerimage pattern for installing packages
# and then cleaning up the unnecessary install artifacts.
# e.g. clean-install iptables ebtables conntrack
set -o errexit
if [ $# = 0 ]; then
echo >&2 "No packages specified"
exit 1
fi
apt-get update
apt-get install -y --no-install-recommends $@
apt-get clean -y
rm -rf \
/var/cache/debconf/* \
/var/lib/apt/lists/* \
/var/log/* \
/tmp/* \
/var/tmp/*

16
build/debian-base/cloudbuild.yaml
View File

@ -1,16 +0,0 @@
# See https://cloud.google.com/cloud-build/docs/build-config
timeout: 1200s
options:
substitution_option: ALLOW_LOOSE
machineType: 'N1_HIGHCPU_8'
steps:
- name: 'gcr.io/k8s-testimages/gcb-docker-gcloud:v20200422-b25d964'
entrypoint: make
dir: ./build/debian-base
env:
- DOCKER_CLI_EXPERIMENTAL=enabled
- REGISTRY=gcr.io/$PROJECT_ID
- IMAGE=gcr.io/$PROJECT_ID/debian-base
- BUILD_IMAGE=debian-build
args:
- all-push

10
build/debian-base/excludes
View File

@ -1,10 +0,0 @@
path-exclude /usr/share/doc/*
path-include /usr/share/doc/*/copyright
path-exclude /usr/share/groff/*
path-exclude /usr/share/i18n/locales/*
path-include /usr/share/i18n/locales/en_US*
path-exclude /usr/share/info/*
path-exclude /usr/share/locale/*
path-include /usr/share/locale/en_US*
path-include /usr/share/locale/locale.alias
path-exclude /usr/share/man/*

41
build/debian-iptables/Dockerfile
View File

@ -1,41 +0,0 @@
# Copyright 2016 The Kubernetes Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
FROM BASEIMAGE
# Install latest iptables package from buster-backports
RUN echo deb http://deb.debian.org/debian buster-backports main >> /etc/apt/sources.list; \
apt-get update; \
apt-get -t buster-backports -y --no-install-recommends install iptables
# Install other dependencies and then clean up apt caches
RUN clean-install \
conntrack \
ebtables \
ipset \
kmod \
netbase
# Install iptables wrapper scripts to detect the correct iptables mode
# the first time any of them is run
COPY iptables-wrapper /usr/sbin/iptables-wrapper
RUN update-alternatives \
--install /usr/sbin/iptables iptables /usr/sbin/iptables-wrapper 100 \
--slave /usr/sbin/iptables-restore iptables-restore /usr/sbin/iptables-wrapper \
--slave /usr/sbin/iptables-save iptables-save /usr/sbin/iptables-wrapper
RUN update-alternatives \
--install /usr/sbin/ip6tables ip6tables /usr/sbin/iptables-wrapper 100 \
--slave /usr/sbin/ip6tables-restore ip6tables-restore /usr/sbin/iptables-wrapper \
--slave /usr/sbin/ip6tables-save ip6tables-save /usr/sbin/iptables-wrapper

63
build/debian-iptables/Makefile
View File

@ -1,63 +0,0 @@
# Copyright 2016 The Kubernetes Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
.PHONY: build push all all-build all-push-images all-push push-manifest
REGISTRY?="gcr.io/k8s-staging-build-image"
IMAGE=$(REGISTRY)/debian-iptables
TAG?=v12.1.0
ARCH?=amd64
ALL_ARCH = amd64 arm arm64 ppc64le s390x
TEMP_DIR:=$(shell mktemp -d)
BASE_REGISTRY?=k8s.gcr.io/build-image
BASEIMAGE?=$(BASE_REGISTRY)/debian-base-$(ARCH):v2.1.0
# This option is for running docker manifest command
export DOCKER_CLI_EXPERIMENTAL := enabled
SUDO=$(if $(filter 0,$(shell id -u)),,sudo)
build:
cp ./* $(TEMP_DIR)
cd $(TEMP_DIR) && sed -i "s|BASEIMAGE|$(BASEIMAGE)|g" Dockerfile
ifneq ($(ARCH),amd64)
# Register /usr/bin/qemu-ARCH-static as the handler for non-x86 binaries in the kernel
$(SUDO) ../../third_party/multiarch/qemu-user-static/register/register.sh --reset
endif
docker build --pull -t $(IMAGE)-$(ARCH):$(TAG) $(TEMP_DIR)
push: build
docker push $(IMAGE)-$(ARCH):$(TAG)
sub-build-%:
$(MAKE) ARCH=$* build
all-build: $(addprefix sub-build-,$(ALL_ARCH))
sub-push-image-%:
$(MAKE) ARCH=$* push
all-push-images: $(addprefix sub-push-image-,$(ALL_ARCH))
all-push: all-push-images push-manifest
push-manifest:
docker manifest create --amend $(IMAGE):$(TAG) $(shell echo $(ALL_ARCH) | sed -e "s~[^ ]*~$(IMAGE)\-&:$(TAG)~g")
@for arch in $(ALL_ARCH); do docker manifest annotate --arch $${arch} ${IMAGE}:${TAG} ${IMAGE}-$${arch}:${TAG}; done
docker manifest push --purge ${IMAGE}:${TAG}
all: all-push

20
build/debian-iptables/OWNERS
View File

@ -1,20 +0,0 @@
# See the OWNERS docs at https://go.k8s.io/owners
reviewers:
- build-image-reviewers
- BenTheElder
- bowei
- freehan
- jingax10
- mkumatag
- mrhohn
- tallclair
approvers:
- build-image-approvers
- BenTheElder
- bowei
- freehan
- jingax10
- mkumatag
- mrhohn
- tallclair

24
build/debian-iptables/README.md
View File

@ -1,24 +0,0 @@
### debian-iptables
Serves as the base image for `k8s.gcr.io/kube-proxy-${ARCH}` and multiarch (not `amd64`) `k8s.gcr.io/flannel-${ARCH}` images.
This image is compiled for multiple architectures.
#### How to release
If you're editing the Dockerfile or some other thing, please bump the `TAG` in the Makefile.
```console
Build and push images for all the architectures
$ make all-push
# ---> staging-k8s.gcr.io/debian-iptables-amd64:TAG
# ---> staging-k8s.gcr.io/debian-iptables-arm:TAG
# ---> staging-k8s.gcr.io/debian-iptables-arm64:TAG
# ---> staging-k8s.gcr.io/debian-iptables-ppc64le:TAG
# ---> staging-k8s.gcr.io/debian-iptables-s390x:TAG
```
If you don't want to push the images, run `make build ARCH={target_arch}` or `make all-build` instead
[![Analytics](https://kubernetes-site.appspot.com/UA-36037335-10/GitHub/build/debian-iptables/README.md?pixel)]()

15
build/debian-iptables/cloudbuild.yaml
View File

@ -1,15 +0,0 @@
# See https://cloud.google.com/cloud-build/docs/build-config
timeout: 1200s
options:
substitution_option: ALLOW_LOOSE
machineType: 'N1_HIGHCPU_8'
steps:
- name: 'gcr.io/k8s-testimages/gcb-docker-gcloud:v20200422-b25d964'
entrypoint: make
dir: ./build/debian-iptables
env:
- DOCKER_CLI_EXPERIMENTAL=enabled
- REGISTRY=gcr.io/$PROJECT_ID
- IMAGE=gcr.io/$PROJECT_ID/debian-iptables
args:
- all-push

44
build/debian-iptables/iptables-wrapper
View File

@ -1,44 +0,0 @@
#!/bin/sh
# Copyright 2019 The Kubernetes Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
set -e
# Detect whether the base system is using iptables-legacy or
# iptables-nft. This assumes that some non-containerized process (eg
# kubelet) has already created some iptables rules.
# Bugs in iptables-nft 1.8.3 may cause it to get stuck in a loop in
# some circumstances, so we have to run the nft check in a timeout. To
# avoid hitting that timeout, we only bother to even check nft if
# legacy iptables was empty / mostly empty.
num_legacy_lines=$( (iptables-legacy-save || true; ip6tables-legacy-save || true) 2>/dev/null | grep '^-' | wc -l)
if [ "${num_legacy_lines}" -ge 10 ]; then
mode=legacy
else
num_nft_lines=$( (timeout 5 sh -c "iptables-nft-save; ip6tables-nft-save" || true) 2>/dev/null | grep '^-' | wc -l)
if [ "${num_legacy_lines}" -ge "${num_nft_lines}" ]; then
mode=legacy
else
mode=nft
fi
fi
update-alternatives --set iptables "/usr/sbin/iptables-${mode}" > /dev/null
update-alternatives --set ip6tables "/usr/sbin/ip6tables-${mode}" > /dev/null
# Now re-exec the original command with the newly-selected alternative
exec "$0" "$@"