From 9fee7d27e7392ada890f533be78c5950f4d56c86 Mon Sep 17 00:00:00 2001 From: Antonin Bas Date: Tue, 20 Feb 2024 20:48:18 -0800 Subject: [PATCH] Disable cgo for all Antrea binaries (#5988) * Disable cgo for all Antrea binaries Instead of selectively disabling cgo for some binaries (e.g., release assets), we now unconditionally disable cgo for all binaries, even those that only run inside the container image for which they were built (e.g., antrea-controller). After some analysis, there seems to be no downside in doing this. We also get some benefits such as reduced build time for the default make command. Fixes #5724 * Revert "Add git to antrea-build image for UBI build (#5727)" This reverts commit 2f8441bdc780a3eedd82a578e3bbfde370bde77c. * Revert "Fix antrea-ubi image build (#5723)" This reverts commit 2afab060a789225e6c92d1e5f74822aefa500912. --------- Signed-off-by: Antonin Bas --- Makefile | 26 ++++++++------ build/images/Dockerfile.build.agent.coverage | 6 +--- build/images/Dockerfile.build.agent.ubi | 5 +-- build/images/Dockerfile.build.agent.ubuntu | 5 +-- .../Dockerfile.build.controller.coverage | 6 +--- build/images/Dockerfile.build.controller.ubi | 5 +-- .../images/Dockerfile.build.controller.ubuntu | 5 +-- build/images/Dockerfile.build.coverage | 10 +++--- build/images/Dockerfile.build.ubi | 34 ++++--------------- build/images/Dockerfile.build.ubuntu | 9 +++-- hack/release/prepare-assets.sh | 5 +-- 11 files changed, 38 insertions(+), 78 deletions(-) diff --git a/Makefile b/Makefile index 5a95d12ecad..62b9b3075f7 100644 --- a/Makefile +++ b/Makefile @@ -3,6 +3,10 @@ SHELL := /bin/bash GO ?= go LDFLAGS := GOFLAGS := +# By default, disable cgo for all Go binaries. +# For binaries meant to be published as release assets or copied to a different host, cgo should +# always be disabled. +CGO_ENABLED ?= 0 BINDIR ?= $(CURDIR)/bin GO_FILES := $(shell find . -type d -name '.cache' -prune -o -type f -name '*.go' -print) GOPATH ?= $$($(GO) env GOPATH) 
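Review bot: `CGO_ENABLED ?= 0` only sets a default, so it does not deliver the "should always be disabled" that the new comment promises for release assets: a `CGO_ENABLED=1` already present in the caller's environment is kept and then exported to every recipe. Before this change `antrea-agent-release`, `antrea-cni-release` and `antctl-release` (later Makefile hunks) forced `CGO_ENABLED=0` in the recipe itself. Now only hack/release/prepare-assets.sh forces it, and a direct `make antctl-release` inherits whatever the environment says. Consider pinning it for those targets with a target-specific assignment such as `antrea-agent-release antrea-cni-release antctl-release: export CGO_ENABLED := 0`, or reword the comment to say that 0 is only the default.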
@@ -33,6 +37,8 @@ WIN_BUILD_ARGS += --build-arg NANOSERVER_VERSION=$(NANOSERVER_VERSION) WIN_BUILD_ARGS += --build-arg WIN_BUILD_TAG=$(WIN_BUILD_TAG) WIN_BUILD_ARGS += --build-arg WIN_BUILD_OVS_TAG=$(WIN_BUILD_OVS_TAG) +export CGO_ENABLED + .PHONY: all all: build @@ -78,7 +84,7 @@ antrea-agent: .PHONY: antrea-agent-release antrea-agent-release: @mkdir -p $(BINDIR) - @CGO_ENABLED=0 $(GO) build -o $(BINDIR)/$(ANTREA_AGENT_BINARY_NAME) $(GOFLAGS) -ldflags '$(LDFLAGS)' antrea.io/antrea/cmd/antrea-agent + $(GO) build -o $(BINDIR)/$(ANTREA_AGENT_BINARY_NAME) $(GOFLAGS) -ldflags '$(LDFLAGS)' antrea.io/antrea/cmd/antrea-agent .PHONY: antrea-agent-simulator antrea-agent-simulator: 
@@ -104,29 +110,25 @@ antrea-controller-instr-binary: @mkdir -p $(BINDIR) GOOS=linux $(GO) test -tags testbincover -covermode count -coverpkg=antrea.io/antrea/pkg/... -c -o $(BINDIR)/antrea-controller-coverage $(GOFLAGS) -ldflags '$(LDFLAGS)' antrea.io/antrea/cmd/antrea-controller -# diable cgo for antrea-cni since it can be installed on some systems with -# incompatible or missing system libraries. .PHONY: antrea-cni antrea-cni: @mkdir -p $(BINDIR) - GOOS=linux CGO_ENABLED=0 $(GO) build -o $(BINDIR) $(GOFLAGS) -ldflags '$(LDFLAGS)' antrea.io/antrea/cmd/antrea-cni + GOOS=linux $(GO) build -o $(BINDIR) $(GOFLAGS) -ldflags '$(LDFLAGS)' antrea.io/antrea/cmd/antrea-cni .PHONY: antrea-cni antrea-cni-release: @mkdir -p $(BINDIR) - @CGO_ENABLED=0 $(GO) build -o $(BINDIR)/$(ANTREA_CNI_BINARY_NAME) $(GOFLAGS) -ldflags '$(LDFLAGS)' antrea.io/antrea/cmd/antrea-cni + $(GO) build -o $(BINDIR)/$(ANTREA_CNI_BINARY_NAME) $(GOFLAGS) -ldflags '$(LDFLAGS)' antrea.io/antrea/cmd/antrea-cni .PHONY: antctl-instr-binary antctl-instr-binary: @mkdir -p $(BINDIR) GOOS=linux $(GO) test -tags testbincover -covermode count -coverpkg=antrea.io/antrea/pkg/... -c -o $(BINDIR)/antctl-coverage $(GOFLAGS) -ldflags '$(LDFLAGS)' antrea.io/antrea/cmd/antctl -# diable cgo for antrea-cni and antrea-agent: antrea-cni is meant to be -# installed on the host and the antrea-agent is run as a process on Windows. .PHONY: windows-bin windows-bin: @mkdir -p $(BINDIR) - GOOS=windows CGO_ENABLED=0 $(GO) build -o $(BINDIR) $(GOFLAGS) -ldflags '$(LDFLAGS)' antrea.io/antrea/cmd/antrea-cni antrea.io/antrea/cmd/antrea-agent antrea.io/antrea/cmd/antctl + GOOS=windows $(GO) build -o $(BINDIR) $(GOFLAGS) -ldflags '$(LDFLAGS)' antrea.io/antrea/cmd/antrea-cni antrea.io/antrea/cmd/antrea-agent antrea.io/antrea/cmd/antctl .PHONY: flow-aggregator flow-aggregator: 
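Review bot: The `.PHONY: antrea-cni` line directly above `antrea-cni-release:` names the wrong target, so `antrea-cni-release` is never declared phony. It predates this commit but sits on the rule whose recipe is edited here. A file or directory named `antrea-cni-release` in the working tree would make the target look up to date and silently skip the release build. Change that line to `.PHONY: antrea-cni-release`.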
@@ -235,7 +237,7 @@ antctl: $(ANTCTL_BINARIES) .PHONY: antctl-release antctl-release: - @CGO_ENABLED=0 $(GO) build -o $(BINDIR)/$(ANTCTL_BINARY_NAME) $(GOFLAGS) -ldflags '-s -w $(LDFLAGS)' antrea.io/antrea/cmd/antctl + $(GO) build -o $(BINDIR)/$(ANTCTL_BINARY_NAME) $(GOFLAGS) -ldflags '-s -w $(LDFLAGS)' antrea.io/antrea/cmd/antctl .PHONY: check-copyright check-copyright: @@ -245,11 +247,13 @@ check-copyright: add-copyright: @GO=$(GO) $(CURDIR)/hack/add-license.sh --add +# Cgo is required to run the race detector. + .PHONY: .linux-test-unit .linux-test-unit: .coverage @echo @echo "==> Running unit tests <==" - $(GO) test -race -coverpkg=antrea.io/antrea/cmd/...,antrea.io/antrea/pkg/...,antrea.io/antrea/multicluster/cmd/...,antrea.io/antrea/multicluster/controllers/... \ + CGO_ENABLED=1 $(GO) test -race -coverpkg=antrea.io/antrea/cmd/...,antrea.io/antrea/pkg/...,antrea.io/antrea/multicluster/cmd/...,antrea.io/antrea/multicluster/controllers/... \ -coverprofile=.coverage/coverage-unit.txt -covermode=atomic \ antrea.io/antrea/cmd/... antrea.io/antrea/pkg/... antrea.io/antrea/multicluster/cmd/... antrea.io/antrea/multicluster/controllers/... @@ -257,7 +261,7 @@ add-copyright: .windows-test-unit: .coverage @echo @echo "==> Running unit tests <==" - $(GO) test -race -coverpkg=antrea.io/antrea/cmd/...,antrea.io/antrea/pkg/... \ + CGO_ENABLED=1 $(GO) test -race -coverpkg=antrea.io/antrea/cmd/...,antrea.io/antrea/pkg/... \ -coverprofile=.coverage/coverage-unit.txt -covermode=atomic \ antrea.io/antrea/cmd/... antrea.io/antrea/pkg/... diff --git a/build/images/Dockerfile.build.agent.coverage b/build/images/Dockerfile.build.agent.coverage index 389b247df57..e318b41f2a6 100644 --- a/build/images/Dockerfile.build.agent.coverage +++ b/build/images/Dockerfile.build.agent.coverage 
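Review bot: With `CGO_ENABLED` now exported as 0 by default, every `go test -race` invocation needs its own `CGO_ENABLED=1`, and this commit adds it only to `.linux-test-unit` and `.windows-test-unit`. Any other recipe or script run from make that passes `-race` (none is visible in these hunks) would now fail and should be checked. The comment `# Cgo is required to run the race detector.` is followed by a blank line and is attached to neither rule; put it directly above each rule that uses `CGO_ENABLED=1 $(GO) test -race`, or factor that prefix into one variable so the reason lives in one place. The unit tests also now run with cgo enabled while the shipped binaries are built without it, so standard-library code that has both cgo and pure-Go variants may be tested in a different configuration from the one released; a second, non-race run with the default setting would cover the shipped configuration.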
@@ -24,11 +24,7 @@ RUN go mod download COPY . /antrea -# Disable CGO for antctl in case it is copied outside of the container image. It -# also reduces the size of the binary and aligns with how we distribute antctl -# in release assets. -RUN CGO_ENABLED=0 make antctl-linux antctl-instr-binary -RUN mv bin/antctl-linux bin/antctl +RUN make antctl-linux antctl-instr-binary && mv bin/antctl-linux bin/antctl RUN make antrea-agent antrea-cni antrea-agent-instr-binary diff --git a/build/images/Dockerfile.build.agent.ubi b/build/images/Dockerfile.build.agent.ubi index 7bc48ea9b1f..634212d384f 100644 --- a/build/images/Dockerfile.build.agent.ubi +++ b/build/images/Dockerfile.build.agent.ubi @@ -46,12 +46,9 @@ RUN --mount=type=cache,target=/go/pkg/mod/ \ COPY . /antrea -# Disable CGO for antctl in case it is copied outside of the container image. It -# also reduces the size of the binary and aligns with how we distribute antctl -# in release assets. RUN --mount=type=cache,target=/go/pkg/mod/ \ --mount=type=cache,target=/root/.cache/go-build/ \ - CGO_ENABLED=0 make antctl-linux && mv bin/antctl-linux bin/antctl + make antctl-linux && mv bin/antctl-linux bin/antctl RUN --mount=type=cache,target=/go/pkg/mod/ \ --mount=type=cache,target=/root/.cache/go-build/ \ diff --git a/build/images/Dockerfile.build.agent.ubuntu b/build/images/Dockerfile.build.agent.ubuntu index c539f890e72..4d1168aff46 100644 --- a/build/images/Dockerfile.build.agent.ubuntu +++ b/build/images/Dockerfile.build.agent.ubuntu 
@@ -25,12 +25,9 @@ RUN --mount=type=cache,target=/go/pkg/mod/ \ COPY . /antrea -# Disable CGO for antctl in case it is copied outside of the container image. It -# also reduces the size of the binary and aligns with how we distribute antctl -# in release assets. RUN --mount=type=cache,target=/go/pkg/mod/ \ --mount=type=cache,target=/root/.cache/go-build/ \ - CGO_ENABLED=0 make antctl-linux && mv bin/antctl-linux bin/antctl + make antctl-linux && mv bin/antctl-linux bin/antctl RUN --mount=type=cache,target=/go/pkg/mod/ \ --mount=type=cache,target=/root/.cache/go-build/ \ diff --git a/build/images/Dockerfile.build.controller.coverage b/build/images/Dockerfile.build.controller.coverage index 085975116bc..6e3499f76d9 100644 --- a/build/images/Dockerfile.build.controller.coverage +++ b/build/images/Dockerfile.build.controller.coverage @@ -24,11 +24,7 @@ RUN go mod download COPY . /antrea -# Disable CGO for antctl in case it is copied outside of the container image. It -# also reduces the size of the binary and aligns with how we distribute antctl -# in release assets. -RUN CGO_ENABLED=0 make antctl-linux antctl-instr-binary -RUN mv bin/antctl-linux bin/antctl +RUN make antctl-linux antctl-instr-binary && mv bin/antctl-linux bin/antctl RUN make antrea-controller antrea-controller-instr-binary diff --git a/build/images/Dockerfile.build.controller.ubi b/build/images/Dockerfile.build.controller.ubi index 1631f6a0edd..5bb43b96c7b 100644 --- a/build/images/Dockerfile.build.controller.ubi +++ b/build/images/Dockerfile.build.controller.ubi 
@@ -46,12 +46,9 @@ RUN --mount=type=cache,target=/go/pkg/mod/ \ COPY . /antrea -# Disable CGO for antctl in case it is copied outside of the container image. It -# also reduces the size of the binary and aligns with how we distribute antctl -# in release assets. RUN --mount=type=cache,target=/go/pkg/mod/ \ --mount=type=cache,target=/root/.cache/go-build/ \ - CGO_ENABLED=0 make antctl-linux && mv bin/antctl-linux bin/antctl + make antctl-linux && mv bin/antctl-linux bin/antctl RUN --mount=type=cache,target=/go/pkg/mod/ \ --mount=type=cache,target=/root/.cache/go-build/ \ diff --git a/build/images/Dockerfile.build.controller.ubuntu b/build/images/Dockerfile.build.controller.ubuntu index 543c50c9859..9a2e03bfb21 100644 --- a/build/images/Dockerfile.build.controller.ubuntu +++ b/build/images/Dockerfile.build.controller.ubuntu @@ -25,12 +25,9 @@ RUN --mount=type=cache,target=/go/pkg/mod/ \ COPY . /antrea -# Disable CGO for antctl in case it is copied outside of the container image. It -# also reduces the size of the binary and aligns with how we distribute antctl -# in release assets. RUN --mount=type=cache,target=/go/pkg/mod/ \ --mount=type=cache,target=/root/.cache/go-build/ \ - CGO_ENABLED=0 make antctl-linux && mv bin/antctl-linux bin/antctl + make antctl-linux && mv bin/antctl-linux bin/antctl RUN --mount=type=cache,target=/go/pkg/mod/ \ --mount=type=cache,target=/root/.cache/go-build/ \ diff --git a/build/images/Dockerfile.build.coverage b/build/images/Dockerfile.build.coverage index 86c33688032..d54245db2c5 100644 --- a/build/images/Dockerfile.build.coverage +++ b/build/images/Dockerfile.build.coverage 
@@ -24,13 +24,11 @@ RUN go mod download COPY . /antrea -# Disable CGO for antctl in case it is copied outside of the container image. It -# also reduces the size of the binary and aligns with how we distribute antctl -# in release assets. -RUN CGO_ENABLED=0 make antctl-linux antctl-instr-binary -RUN mv bin/antctl-linux bin/antctl +# Build antctl first in order to share an extra layer with +# build/images/Dockerfile.build.agent.coverage and build/images/Dockerfile.build.controller.coverage. +RUN make antctl-linux antctl-instr-binary && mv bin/antctl-linux bin/antctl -# Build antrea-agent and antrea-cni first in order to share an extra layer with +# Then build antrea-agent and antrea-cni, in order to share an extra layer with # build/images/Dockerfile.build.agent.coverage. RUN make antrea-agent antrea-cni antrea-agent-instr-binary diff --git a/build/images/Dockerfile.build.ubi b/build/images/Dockerfile.build.ubi index 3ea6f847d9a..5f5f9488e9c 100644 --- a/build/images/Dockerfile.build.ubi +++ b/build/images/Dockerfile.build.ubi 
@@ -12,30 +12,9 @@ # See the License for the specific language governing permissions and # limitations under the License. -ARG BUILD_TAG -FROM registry.access.redhat.com/ubi8 as antrea-build - -ADD https://go.dev/dl/?mode=json&include=all go-versions.json - -RUN yum install ca-certificates gcc git jq make wget -y - ARG GO_VERSION - -# GO_VERSION is a Go minor version, we use the downloaded go-versions.json file -# to identify and install the latest patch release for this minor version. -RUN set -eux; \ - arch="$(uname -m)"; \ - case "${arch##*-}" in \ - x86_64) goArch='amd64' ;; \ - arm) goArch='armv6l' ;; \ - aarch64) goArch='arm64' ;; \ - *) goArch=''; echo >&2; echo >&2 "unsupported architecture '$arch'"; echo >&2 ; exit 1 ;; \ - esac; \ - GO_ARCHIVE=$(jq --arg version_prefix "go${GO_VERSION}." --arg arch "$goArch" -r '. | map(select(. | .version | startswith($version_prefix))) | first | .files[] | select(.os == "linux" and .arch == $arch and .kind == "archive").filename' go-versions.json); \ - wget -q -O - https://go.dev/dl/${GO_ARCHIVE} | tar xz -C /usr/local/ - -# Using ENV makes the change persistent, but this is just a builder image. -ENV PATH /usr/local/go/bin:$PATH +ARG BUILD_TAG +FROM golang:${GO_VERSION} as antrea-build WORKDIR /antrea 
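Review bot: Building the UBI image's binaries in `golang:${GO_VERSION}` instead of a UBI-based builder is only safe while every binary is built with cgo disabled, and nothing in this file says so. If `CGO_ENABLED=1` reaches `make` in this stage, the binaries would link against the builder image's C library and then, presumably, be copied into a UBI runtime image (the runtime stage is not in this hunk). Add a comment above the `FROM` line such as `# Binaries are built with CGO_ENABLED=0 (Makefile default), so the builder does not have to match the UBI runtime.`, and consider `ENV CGO_ENABLED=0` in this stage so the guarantee does not rest on the Makefile default alone. Separately, `golang:${GO_VERSION}` is a mutable tag with no registry prefix or digest; pinning it by digest would make the toolchain that produces the shipped binaries reproducible.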
@@ -46,14 +25,13 @@ RUN --mount=type=cache,target=/go/pkg/mod/ \ COPY . /antrea -# Disable CGO for antctl in case it is copied outside of the container image. It -# also reduces the size of the binary and aligns with how we distribute antctl -# in release assets. +# Build antctl first in order to share an extra layer with +# build/images/Dockerfile.build.agent.ubi and build/images/Dockerfile.build.controller.ubi. RUN --mount=type=cache,target=/go/pkg/mod/ \ --mount=type=cache,target=/root/.cache/go-build/ \ - CGO_ENABLED=0 make antctl-linux && mv bin/antctl-linux bin/antctl + make antctl-linux && mv bin/antctl-linux bin/antctl -# Build antrea-agent and antrea-cni first in order to share an extra layer with +# Then build antrea-agent and antrea-cni, in order to share an extra layer with # build/images/Dockerfile.build.agent.ubi. RUN --mount=type=cache,target=/go/pkg/mod/ \ --mount=type=cache,target=/root/.cache/go-build/ \ diff --git a/build/images/Dockerfile.build.ubuntu b/build/images/Dockerfile.build.ubuntu index 130f4cdeb2d..0e2c3e8dfd4 100644 --- a/build/images/Dockerfile.build.ubuntu +++ b/build/images/Dockerfile.build.ubuntu 
@@ -25,14 +25,13 @@ RUN --mount=type=cache,target=/go/pkg/mod/ \ COPY . /antrea -# Disable CGO for antctl in case it is copied outside of the container image. It -# also reduces the size of the binary and aligns with how we distribute antctl -# in release assets. +# Build antctl first in order to share an extra layer with +# build/images/Dockerfile.build.agent.ubuntu and build/images/Dockerfile.build.controller.ubuntu. RUN --mount=type=cache,target=/go/pkg/mod/ \ --mount=type=cache,target=/root/.cache/go-build/ \ - CGO_ENABLED=0 make antctl-linux && mv bin/antctl-linux bin/antctl + make antctl-linux && mv bin/antctl-linux bin/antctl -# Build antrea-agent and antrea-cni first in order to share an extra layer with +# Then build antrea-agent and antrea-cni, in order to share an extra layer with # build/images/Dockerfile.build.agent.ubuntu. RUN --mount=type=cache,target=/go/pkg/mod/ \ --mount=type=cache,target=/root/.cache/go-build/ \ diff --git a/hack/release/prepare-assets.sh b/hack/release/prepare-assets.sh index 81a8aee36c0..91d47506ce8 100755 --- a/hack/release/prepare-assets.sh +++ b/hack/release/prepare-assets.sh @@ -49,6 +49,9 @@ pushd $THIS_DIR/../.. > /dev/null mkdir -p "$1" OUTPUT_DIR=$(cd "$1" && pwd) +# Cgo should always be disabled for release assets. +export CGO_ENABLED=0 + ANTREA_BUILDS=( "linux amd64 linux-x86_64" "linux arm64 linux-arm64" @@ -63,8 +66,6 @@ for build in "${ANTREA_BUILDS[@]}"; do arch="${args[1]}" suffix="${args[2]}" - # all "*-release" targets disable cgo, which is appropriate when - # distributing release assets, for portability. GOOS=$os GOARCH=$arch ANTCTL_BINARY_NAME="antctl-$suffix" BINDIR="$OUTPUT_DIR" make antctl-release done