Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

distroless: move to apko/wolfi images #50925

Merged
merged 2 commits into from
May 9, 2024
Merged

distroless: move to apko/wolfi images #50925

merged 2 commits into from
May 9, 2024

Conversation

howardjohn
Copy link
Member

Fixes #44510

This moves our images over to the new images added in #50545.

This has 2 commits: 1 replaces just our iptables one, the second replaces the other static ones.

The main value is on the iptables one, since that is our fork and has maintenance benefits. I changed static as well to align there (why depend on 2 things when we can depend on 1).

@istio-testing istio-testing added the size/M Denotes a PR that changes 30-99 lines, ignoring generated files. label May 8, 2024
bleggett
bleggett reviewed May 8, 2024
View reviewed changes
Copy link
Contributor

@bleggett bleggett left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM - one comment:

https://github.com/istio/istio/pull/50545/files#diff-ada3f527bf2549ffcd9ab5ea58b0443f53f72fd0ebbd2ac977a26bfd8b2de841R10

if we do not ship both iptables and iptables-legacy in our iptables image, we effectively will never put our CNI rules into legacy tables, even if the host node primarily uses legacy tables, and this would not work on any boxes that only have legacy support.

IDK if we care about that, though.

@bleggett
Copy link
Contributor

bleggett commented May 8, 2024

LGTM - one comment:

https://github.com/istio/istio/pull/50545/files#diff-ada3f527bf2549ffcd9ab5ea58b0443f53f72fd0ebbd2ac977a26bfd8b2de841R10

if we do not ship both iptables and iptables-legacy in our iptables image, we effectively will never put our CNI rules into legacy tables, even if the host node primarily uses legacy tables, and this would not work on any boxes that only have legacy support.

IDK if we care about that, though.

... the alpine iptables APK includes legacy, if the wolfi one also does (not sure how to check), then disregard this.

@howardjohn
Copy link
Member Author

@bleggett I am not sure I fully grok the question but

old one:

lr-xr-xr-x 0/0               0 1999-12-31 16:00 usr/sbin/iptables -> /usr/sbin/iptables-legacy
lr-xr-xr-x 0/0               0 1999-12-31 16:00 usr/sbin/iptables-restore -> /usr/sbin/iptables-legacy-restore
lr-xr-xr-x 0/0               0 1999-12-31 16:00 usr/sbin/iptables-save -> /usr/sbin/iptables-legacy-save
-rwxr-xr-x 0/0            7037 2023-01-12 02:27 usr/sbin/iptables-apply
lrwxrwxrwx 0/0               0 2023-01-16 05:44 usr/bin/iptables-xml -> ../sbin/xtables-legacy-multi
lrwxrwxrwx 0/0               0 2023-01-16 05:44 usr/sbin/ip6tables-apply -> iptables-apply
lrwxrwxrwx 0/0               0 2023-01-16 05:44 usr/sbin/iptables-legacy -> xtables-legacy-multi
lrwxrwxrwx 0/0               0 2023-01-16 05:44 usr/sbin/iptables-legacy-restore -> xtables-legacy-multi
lrwxrwxrwx 0/0               0 2023-01-16 05:44 usr/sbin/iptables-legacy-save -> xtables-legacy-multi
lrwxrwxrwx 0/0               0 2023-01-16 05:44 usr/sbin/iptables-nft -> xtables-nft-multi
lrwxrwxrwx 0/0               0 2023-01-16 05:44 usr/sbin/iptables-nft-restore -> xtables-nft-multi
lrwxrwxrwx 0/0               0 2023-01-16 05:44 usr/sbin/iptables-nft-save -> xtables-nft-multi
lrwxrwxrwx 0/0               0 2023-01-16 05:44 usr/sbin/iptables-restore-translate -> xtables-nft-multi
lrwxrwxrwx 0/0               0 2023-01-16 05:44 usr/sbin/iptables-translate -> xtables-nft-multi

new one:

-rw-r--r-- root/root       351 1969-12-31 16:00 etc/conf.d/iptables
drwxr-xr-x root/root         0 1969-12-31 16:00 etc/iptables
lrwxrwxrwx root/root         0 1969-12-31 16:00 sbin/ip6tables-apply -> iptables-apply
lrwxrwxrwx root/root         0 1969-12-31 16:00 sbin/iptables -> xtables-legacy-multi
-rwxr-xr-x root/root      7052 1969-12-31 16:00 sbin/iptables-apply
lrwxrwxrwx root/root         0 1969-12-31 16:00 sbin/iptables-legacy -> xtables-legacy-multi
lrwxrwxrwx root/root         0 1969-12-31 16:00 sbin/iptables-legacy-restore -> xtables-legacy-multi
lrwxrwxrwx root/root         0 1969-12-31 16:00 sbin/iptables-legacy-save -> xtables-legacy-multi
lrwxrwxrwx root/root         0 1969-12-31 16:00 sbin/iptables-nft -> xtables-nft-multi
lrwxrwxrwx root/root         0 1969-12-31 16:00 sbin/iptables-nft-restore -> xtables-nft-multi
lrwxrwxrwx root/root         0 1969-12-31 16:00 sbin/iptables-nft-save -> xtables-nft-multi
lrwxrwxrwx root/root         0 1969-12-31 16:00 sbin/iptables-restore -> xtables-legacy-multi
lrwxrwxrwx root/root         0 1969-12-31 16:00 sbin/iptables-restore-translate -> xtables-nft-multi
lrwxrwxrwx root/root         0 1969-12-31 16:00 sbin/iptables-save -> xtables-legacy-multi
lrwxrwxrwx root/root         0 1969-12-31 16:00 sbin/iptables-translate -> xtables-nft-multi
lrwxrwxrwx root/root         0 1969-12-31 16:00 usr/bin/iptables-xml -> /sbin/xtables-legacy-multi

@bleggett
Copy link
Contributor

bleggett commented May 8, 2024

@bleggett I am not sure I fully grok the question but

old one:

lr-xr-xr-x 0/0               0 1999-12-31 16:00 usr/sbin/iptables -> /usr/sbin/iptables-legacy
lr-xr-xr-x 0/0               0 1999-12-31 16:00 usr/sbin/iptables-restore -> /usr/sbin/iptables-legacy-restore
lr-xr-xr-x 0/0               0 1999-12-31 16:00 usr/sbin/iptables-save -> /usr/sbin/iptables-legacy-save
-rwxr-xr-x 0/0            7037 2023-01-12 02:27 usr/sbin/iptables-apply
lrwxrwxrwx 0/0               0 2023-01-16 05:44 usr/bin/iptables-xml -> ../sbin/xtables-legacy-multi
lrwxrwxrwx 0/0               0 2023-01-16 05:44 usr/sbin/ip6tables-apply -> iptables-apply
lrwxrwxrwx 0/0               0 2023-01-16 05:44 usr/sbin/iptables-legacy -> xtables-legacy-multi
lrwxrwxrwx 0/0               0 2023-01-16 05:44 usr/sbin/iptables-legacy-restore -> xtables-legacy-multi
lrwxrwxrwx 0/0               0 2023-01-16 05:44 usr/sbin/iptables-legacy-save -> xtables-legacy-multi
lrwxrwxrwx 0/0               0 2023-01-16 05:44 usr/sbin/iptables-nft -> xtables-nft-multi
lrwxrwxrwx 0/0               0 2023-01-16 05:44 usr/sbin/iptables-nft-restore -> xtables-nft-multi
lrwxrwxrwx 0/0               0 2023-01-16 05:44 usr/sbin/iptables-nft-save -> xtables-nft-multi
lrwxrwxrwx 0/0               0 2023-01-16 05:44 usr/sbin/iptables-restore-translate -> xtables-nft-multi
lrwxrwxrwx 0/0               0 2023-01-16 05:44 usr/sbin/iptables-translate -> xtables-nft-multi

new one:

-rw-r--r-- root/root       351 1969-12-31 16:00 etc/conf.d/iptables
drwxr-xr-x root/root         0 1969-12-31 16:00 etc/iptables
lrwxrwxrwx root/root         0 1969-12-31 16:00 sbin/ip6tables-apply -> iptables-apply
lrwxrwxrwx root/root         0 1969-12-31 16:00 sbin/iptables -> xtables-legacy-multi
-rwxr-xr-x root/root      7052 1969-12-31 16:00 sbin/iptables-apply
lrwxrwxrwx root/root         0 1969-12-31 16:00 sbin/iptables-legacy -> xtables-legacy-multi
lrwxrwxrwx root/root         0 1969-12-31 16:00 sbin/iptables-legacy-restore -> xtables-legacy-multi
lrwxrwxrwx root/root         0 1969-12-31 16:00 sbin/iptables-legacy-save -> xtables-legacy-multi
lrwxrwxrwx root/root         0 1969-12-31 16:00 sbin/iptables-nft -> xtables-nft-multi
lrwxrwxrwx root/root         0 1969-12-31 16:00 sbin/iptables-nft-restore -> xtables-nft-multi
lrwxrwxrwx root/root         0 1969-12-31 16:00 sbin/iptables-nft-save -> xtables-nft-multi
lrwxrwxrwx root/root         0 1969-12-31 16:00 sbin/iptables-restore -> xtables-legacy-multi
lrwxrwxrwx root/root         0 1969-12-31 16:00 sbin/iptables-restore-translate -> xtables-nft-multi
lrwxrwxrwx root/root         0 1969-12-31 16:00 sbin/iptables-save -> xtables-legacy-multi
lrwxrwxrwx root/root         0 1969-12-31 16:00 sbin/iptables-translate -> xtables-nft-multi
lrwxrwxrwx root/root         0 1969-12-31 16:00 usr/bin/iptables-xml -> /sbin/xtables-legacy-multi

That's good enough yep.

I was looking at https://github.com/wolfi-dev/os/blob/main/iptables.yaml and it wasn't clear if they were packaging the -legacy binaries as well, they are.

@howardjohn
Copy link
Member Author 

crane-ls-files () {
        crane export $1 - | tar -tvf -
}

for future reference on how to get the contents

howardjohn added a commit to istio/common-files that referenced this pull request May 8, 2024
@howardjohn
Common: trust cgr.dev as an image source
2c1f291 
See istio/istio#50925
@howardjohn howardjohn mentioned this pull request May 8, 2024
Merged
istio-testing pushed a commit to istio/common-files that referenced this pull request May 8, 2024
@howardjohn
Common: trust cgr.dev as an image source (#1036)
1c39095 
See istio/istio#50925
@howardjohn
Copy link
Member Author

/retest

@howardjohn
Copy link
Member Author

/retest

@istio-testing istio-testing merged commit 1b0a19a into istio:master May 9, 2024
28 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@bleggett bleggett bleggett approved these changes

@dhawton dhawton dhawton approved these changes

@ericvn ericvn ericvn approved these changes

@costinm costinm Awaiting requested review from costinm costinm is a code owner

@linsun linsun Awaiting requested review from linsun linsun is a code owner

@stevenctl stevenctl Awaiting requested review from stevenctl stevenctl is a code owner

@hzxuzhonghu hzxuzhonghu Awaiting requested review from hzxuzhonghu hzxuzhonghu is a code owner

Assignees
No one assigned
Labels
size/M Denotes a PR that changes 30-99 lines, ignoring generated files.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Consider replacing distroless fork with apko
5 participants
@howardjohn @bleggett @dhawton @ericvn @istio-testing