├── images ├── bpftool │ ├── .dockerignore │ ├── version.sh │ ├── test │ │ └── spec.yaml │ └── Dockerfile ├── llvm │ ├── .dockerignore │ ├── test │ │ ├── test.c │ │ └── spec.yaml │ ├── version.sh │ ├── build-llvm.sh │ └── Dockerfile ├── maker │ ├── .dockerignore │ ├── Dockerfile.dockerginore │ ├── build-go-deps.sh │ └── Dockerfile ├── tester │ ├── .dockerignore │ ├── test │ │ └── spec.yaml │ ├── Dockerfile │ └── cst │ │ ├── main.go │ │ ├── go.mod │ │ └── go.sum ├── compilers │ ├── .dockerignore │ ├── test │ │ ├── arm64 │ │ │ └── spec.yaml │ │ └── amd64 │ │ │ └── spec.yaml │ ├── Dockerfile │ └── install-deps.sh ├── startup-script │ ├── .dockerignore │ ├── Dockerfile │ └── manage-startup-script.sh ├── checkpatch │ ├── deprecated_terms.txt │ ├── version.sh │ ├── fixes │ │ ├── recognize-co-authored-by.diff │ │ ├── ignore-C99-comments-for-SPDX-tags.diff │ │ └── ignore-_Static_assert.diff │ ├── Dockerfile │ ├── README.md │ └── checkpatch.sh ├── iptables │ ├── version.sh │ └── Dockerfile └── network-perf │ ├── version.sh │ └── Dockerfile ├── .gitignore ├── .hadolint.yaml ├── LICENSE ├── .github ├── workflows │ ├── pr-checks.yaml │ └── images.yaml └── renovate.json5 ├── scripts ├── lint.sh ├── get-image-digest.sh ├── find-commit-for-tree-hash.sh ├── make-image-tag.sh └── build-image.sh ├── CODEOWNERS ├── Makefile └── README.md /images/bpftool/.dockerignore: -------------------------------------------------------------------------------- 1 | Dockerfile 2 | -------------------------------------------------------------------------------- /images/llvm/.dockerignore: -------------------------------------------------------------------------------- 1 | Dockerfile 2 | -------------------------------------------------------------------------------- /images/maker/.dockerignore: -------------------------------------------------------------------------------- 1 | Dockerfile 2 | -------------------------------------------------------------------------------- 
/images/tester/.dockerignore: -------------------------------------------------------------------------------- 1 | Dockerfile 2 | -------------------------------------------------------------------------------- /images/compilers/.dockerignore: -------------------------------------------------------------------------------- 1 | Dockerfile 2 | -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | .buildx_builder 2 | .buildx 3 | *.oci 4 | -------------------------------------------------------------------------------- /images/llvm/test/test.c: -------------------------------------------------------------------------------- 1 | int main() { return 0; } 2 | -------------------------------------------------------------------------------- /images/maker/Dockerfile.dockerginore: -------------------------------------------------------------------------------- 1 | Dockerfile 2 | -------------------------------------------------------------------------------- /images/startup-script/.dockerignore: -------------------------------------------------------------------------------- 1 | Dockerfile 2 | -------------------------------------------------------------------------------- /images/checkpatch/deprecated_terms.txt: -------------------------------------------------------------------------------- 1 | master||frontend 2 | slave||backend 3 | -------------------------------------------------------------------------------- /images/bpftool/version.sh: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | 3 | # Copyright Authors of Cilium 4 | # SPDX-License-Identifier: Apache-2.0 5 | 6 | set -o errexit 7 | set -o pipefail 8 | set -o nounset 9 | 10 | DOCKERFILE=$(dirname "$0")/Dockerfile 11 | VERSION=$(sed -n 's/ARG BPFTOOL_VERSION="v\([^"]*\)"/\1/p' "$DOCKERFILE") 12 | echo "${VERSION}" 13 | 
-------------------------------------------------------------------------------- /images/iptables/version.sh: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | 3 | # Copyright Authors of Cilium 4 | # SPDX-License-Identifier: Apache-2.0 5 | 6 | set -o errexit 7 | set -o pipefail 8 | set -o nounset 9 | 10 | DOCKERFILE=$(dirname "$0")/Dockerfile 11 | VERSION=$(sed -n 's/ARG IPTABLES_VERSION="\([^"]*\)"/\1/p' "$DOCKERFILE") 12 | echo "${VERSION}" 13 | -------------------------------------------------------------------------------- /images/llvm/version.sh: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | 3 | # Copyright Authors of Cilium 4 | # SPDX-License-Identifier: Apache-2.0 5 | 6 | set -o errexit 7 | set -o pipefail 8 | set -o nounset 9 | 10 | DOCKERFILE=$(dirname "$0")/Dockerfile 11 | VERSION=$(sed -n 's/ARG LLVM_VERSION="llvmorg-\([^"]*\)"/\1/p' "$DOCKERFILE") 12 | echo "${VERSION}" 13 | -------------------------------------------------------------------------------- /images/network-perf/version.sh: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | 3 | # Copyright Authors of Cilium 4 | # SPDX-License-Identifier: Apache-2.0 5 | 6 | set -o errexit 7 | set -o pipefail 8 | set -o nounset 9 | 10 | DOCKERFILE=$(dirname "$0")/Dockerfile 11 | VERSION=$(sed -n 's/ARG IPERF_VERSION="\([^"]*\)"/\1/p' "$DOCKERFILE") 12 | echo "${VERSION}" 13 | -------------------------------------------------------------------------------- /images/checkpatch/version.sh: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | 3 | # Copyright Authors of Cilium 4 | # SPDX-License-Identifier: Apache-2.0 5 | 6 | set -o errexit 7 | set -o pipefail 8 | set -o nounset 9 | 10 | DOCKERFILE=$(dirname "$0")/Dockerfile 11 | VERSION=$(sed -n 's/ARG 
CHECKPATCH_VERSION="v\([^"]*\)"/\1/p' "$DOCKERFILE") 12 | echo "${VERSION}" 13 | -------------------------------------------------------------------------------- /images/compilers/test/arm64/spec.yaml: -------------------------------------------------------------------------------- 1 | schemaVersion: "2.0.0" 2 | 3 | commandTests: 4 | - name: "gcc command is in path" 5 | command: "which" 6 | args: ["gcc"] 7 | expectedOutput: ["/usr/bin/gcc"] 8 | - name: "gcc version" 9 | command: "gcc" 10 | args: ["-v"] 11 | expectedError: 12 | - 'Target:\ aarch64-linux-gnu' 13 | - 'gcc\ version\ 9\.5\.0' 14 | -------------------------------------------------------------------------------- /images/checkpatch/fixes/recognize-co-authored-by.diff: -------------------------------------------------------------------------------- 1 | diff --git a/script/checkpatch.pl b/script/checkpatch.pl 2 | index 3cacc12..21244d4 100755 3 | --- a/checkpatch.pl 4 | +++ b/checkpatch.pl 5 | 
@@ -498,6 +498,7 @@ our $allocFunctions = qr{(?x: 6 | our $signature_tags = qr{(?xi: 7 | Signed-off-by:| 8 | Co-developed-by:| 9 | + Co-authored-by:| 10 | Acked-by:| 11 | Tested-by:| 12 | Reviewed-by:| 13 | -------------------------------------------------------------------------------- /images/maker/build-go-deps.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | # Copyright Authors of Cilium 4 | # SPDX-License-Identifier: Apache-2.0 5 | 6 | set -o xtrace 7 | set -o errexit 8 | set -o pipefail 9 | set -o nounset 10 | 11 | cd /src 12 | 13 | unset GOPATH 14 | export CGO_ENABLED=0 15 | export GOBIN=/out/usr/local/bin 16 | mkdir -p $GOBIN 17 | 18 | go install -ldflags '-s -w' github.com/errordeveloper/docker-credential-env@v0.1.5 19 | go install -ldflags '-s -w' github.com/docker/buildx/cmd/buildx@v0.13.1 20 | mv $GOBIN/buildx $GOBIN/docker-buildx 21 | -------------------------------------------------------------------------------- /.hadolint.yaml: -------------------------------------------------------------------------------- 1 | ignored: 2 | # it cannot parse `FROM ${BASE_IMAGE}` 3 | - DL3006 4 | # alpine doesn't keep old versions around, so we cannot rely on package pinning, 5 | # which is also very tedious and is deemed uncessary 6 | - DL3018 7 | # also disable pining checks for ubuntu, as it currently deemed uncessary and, 8 | # in most cases, packages are installed via scripts and those don't get checked 9 | # (albeit, ubuntu repos tend to keep old versions around) 10 | - DL3008 11 | # similar as the two above, disable package version pinning for dnf 12 | - DL3041 13 | -------------------------------------------------------------------------------- /images/checkpatch/fixes/ignore-C99-comments-for-SPDX-tags.diff: -------------------------------------------------------------------------------- 1 | diff --git a/scripts/checkpatch.pl b/scripts/checkpatch.pl 2 | index 3cacc122c528..67f350c580ea 100755 3 | 
--- a/checkpatch.pl 4 | +++ b/checkpatch.pl 5 | 
@@ -4308,7 +4308,10 @@ sub process { 6 | } 7 | 8 | # no C99 // comments 9 | - if ($line =~ m{//}) { 10 | + if ($line =~ m{//} && 11 | + !($rawline =~ m{// SPDX-License-Identifier:} && 12 | + $realfile =~ /\.c$/ && 13 | + $realline == $checklicenseline)) { 14 | if (ERROR("C99_COMMENTS", 15 | "do not use C99 // comments\n" . $herecurr) && 16 | $fix) { 17 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | Copyright Authors of Cilium. All rights reserved. 2 | 3 | Licensed under the Apache License, Version 2.0 (the "License"); 4 | you may not use this file except in compliance with the License. 5 | You may obtain a copy of the License at 6 | 7 | http://www.apache.org/licenses/LICENSE-2.0 8 | 9 | Unless required by applicable law or agreed to in writing, software 10 | distributed under the License is distributed on an "AS IS" BASIS, 11 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | See the License for the specific language governing permissions and 13 | limitations under the License. 
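Review bot: In ignore-C99-comments-for-SPDX-tags.diff, the context comment `# no C99 // comments` no longer describes the check beneath it, because the rewritten condition lets `// SPDX-License-Identifier:` through on the license line of `.c` files. Extending it to `# no C99 // comments, except the SPDX tag on the license line of .c files` would keep the exemption visible to whoever rebases this patch onto a newer checkpatch.pl. The SPDX pattern is also unanchored, so any other `//` on that one line passes as long as the tag text appears somewhere in it; anchoring the match to the start of the comment would narrow the exemption to the tag alone. The enclosing `sub process` starts and ends outside the hunk.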
14 | -------------------------------------------------------------------------------- /.github/workflows/pr-checks.yaml: -------------------------------------------------------------------------------- 1 | name: PR Check 2 | on: 3 | pull_request: {} 4 | push: 5 | branches: 6 | - master 7 | 8 | jobs: 9 | lint: 10 | name: Run static checks 11 | runs-on: ubuntu-24.04 12 | steps: 13 | - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 14 | - uses: docker://quay.io/cilium/image-maker:1755027480-74de989@sha256:be90a4b1ccb7553e54f8eb8224a82a5f886cdbd6057dafc9d36205615f46d696 15 | name: Run make lint 16 | with: 17 | entrypoint: sh 18 | args: -c "git config --global --add safe.directory /github/workspace && make lint" 19 | -------------------------------------------------------------------------------- /images/tester/test/spec.yaml: -------------------------------------------------------------------------------- 1 | schemaVersion: "2.0.0" 2 | 3 | fileExistenceTests: 4 | - name: 'root' 5 | path: '/' 6 | shouldExist: true 7 | permissions: 'drwxr-xr-x' 8 | - name: 'test' 9 | path: '/test' 10 | shouldExist: true 11 | permissions: 'drwxr-xr-x' 12 | - name: 'test bin' 13 | path: '/test/bin' 14 | shouldExist: true 15 | permissions: 'drwxr-xr-x' 16 | - name: 'test bin cst' 17 | path: '/test/bin/cst' 18 | shouldExist: true 19 | permissions: '-rwxr-xr-x' 20 | 21 | commandTests: 22 | - name: '/test/bin/cst -V' 23 | command: '/test/bin/cst' 24 | args: ['-V'] 25 | expectedOutput: 26 | - 'go1\..*\ linux/(amd64|arm64)' 27 | -------------------------------------------------------------------------------- /images/checkpatch/fixes/ignore-_Static_assert.diff: -------------------------------------------------------------------------------- 1 | diff --git a/scripts/checkpatch.pl b/scripts/checkpatch.pl 2 | index df8b23d..b8fc887 100755 3 | --- a/checkpatch.pl 4 | +++ b/checkpatch.pl 5 | 
@@ -5558,6 +5558,8 @@ sub process { 6 | $var !~ /^(?:[A-Z]+_){1,5}[A-Z]{1,3}[a-z]/ && 7 | #Ignore Page variants 8 | $var !~ /^(?:Clear|Set|TestClear|TestSet|)Page[A-Z]/ && 9 | +# Ignore _Static_assert 10 | + $var !~ /^_Static_assert/ && 11 | #Ignore SI style variants like nS, mV and dB 12 | #(ie: max_uV, regulator_min_uA_show, RANGE_mA_VALUE) 13 | $var !~ /^(?:[a-z0-9_]*|[A-Z0-9_]*)?_?[a-z][A-Z](?:_[a-z0-9_]+|_[A-Z0-9_]+)?$/ && 14 | -------------------------------------------------------------------------------- /images/bpftool/test/spec.yaml: -------------------------------------------------------------------------------- 1 | schemaVersion: "2.0.0" 2 | 3 | fileExistenceTests: 4 | - name: '/usr/local/bin/bpftool' 5 | path: '/usr/local/bin/bpftool' 6 | shouldExist: true 7 | permissions: '-rwxr-xr-x' 8 | 9 | commandTests: 10 | - name: "bpftool command is in path" 11 | command: "which" 12 | args: ["bpftool"] 13 | expectedOutput: ["/usr/local/bin/bpftool"] 14 | - name: "bpftool version" 15 | command: "bpftool" 16 | args: ["version"] 17 | expectedOutput: 18 | - 'bpftool\ v7\.4\.0' 19 | - name: "bpftool is statically linked" 20 | command: "ldd" 21 | args: ["/usr/local/bin/bpftool"] 22 | expectedError: ["not a dynamic executable"] 23 | exitCode: 1 24 | -------------------------------------------------------------------------------- /images/compilers/test/amd64/spec.yaml: -------------------------------------------------------------------------------- 1 | schemaVersion: "2.0.0" 2 | 3 | commandTests: 4 | - name: "gcc command is in path" 5 | command: "which" 6 | args: ["gcc"] 7 | expectedOutput: ["/usr/bin/gcc"] 8 | - name: "gcc version" 9 | command: "gcc" 10 | args: ["-v"] 11 | expectedError: 12 | - 'Target:\ x86_64-linux-gnu' 13 | - 'gcc\ version\ 9\.5\.0' 14 | - name: "aarch64-linux-gnu-gcc command is in path" 15 | command: "which" 16 | args: ["aarch64-linux-gnu-gcc"] 17 | expectedOutput: ["/usr/bin/aarch64-linux-gnu-gcc"] 18 | - name: "aarch64-linux-gnu-gcc version" 19 | 
command: "aarch64-linux-gnu-gcc" 20 | args: ["-v"] 21 | expectedError: 22 | - 'Target:\ aarch64-linux-gnu' 23 | - 'gcc\ version\ 9\.5\.0' 24 | -------------------------------------------------------------------------------- /images/compilers/Dockerfile: -------------------------------------------------------------------------------- 1 | # Copyright Authors of Cilium 2 | # SPDX-License-Identifier: Apache-2.0 3 | 4 | ARG UBUNTU_IMAGE=docker.io/library/ubuntu:24.04@sha256:c35e29c9450151419d9448b0fd75374fec4fff364a27f176fb458d472dfc9e54 5 | ARG TESTER_IMAGE=quay.io/cilium/image-tester:1755027438-ef4e849@sha256:ff0eb08901053e72afcfadc58e9d1736c6d1b257ffdf0779966d44e4872bfae5 6 | 7 | FROM ${UBUNTU_IMAGE} as builder 8 | 9 | COPY install-deps.sh /tmp/install-deps.sh 10 | RUN /tmp/install-deps.sh 11 | 12 | FROM ${TESTER_IMAGE} as test 13 | COPY --from=builder / / 14 | COPY test /test 15 | ARG TARGETARCH 16 | RUN /test/bin/cst -C /test/${TARGETARCH} 17 | 18 | FROM scratch 19 | LABEL maintainer="maintainer@cilium.io" 20 | COPY --from=builder / / 21 | -------------------------------------------------------------------------------- /scripts/lint.sh: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | 3 | # Copyright Authors of Cilium 4 | # SPDX-License-Identifier: Apache-2.0 5 | 6 | set -o errexit 7 | set -o pipefail 8 | set -o nounset 9 | 10 | MAKER_IMAGE="${MAKER_IMAGE:-quay.io/cilium/image-maker:1755027480-74de989@sha256:be90a4b1ccb7553e54f8eb8224a82a5f886cdbd6057dafc9d36205615f46d696}" 11 | 12 | root_dir="$(git rev-parse --show-toplevel)" 13 | 14 | if [ -z "${MAKER_CONTAINER+x}" ] ; then 15 | exec docker run --rm --volume "${root_dir}:/src" --workdir /src "${MAKER_IMAGE}" \ 16 | sh -c "git config --global --add safe.directory /src && /src/scripts/$(basename "${0}")" 17 | fi 18 | 19 | cd "${root_dir}" 20 | find . -name '*.sh' -exec shellcheck {} + 21 | find . 
-name Dockerfile -exec hadolint {} + 22 | -------------------------------------------------------------------------------- /images/llvm/build-llvm.sh: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | 3 | # Copyright Authors of Cilium 4 | # SPDX-License-Identifier: Apache-2.0 5 | 6 | set -o xtrace 7 | set -o errexit 8 | set -o pipefail 9 | set -o nounset 10 | 11 | cmake .. -G "Ninja" \ 12 | -DLLVM_TARGETS_TO_BUILD="BPF" \ 13 | -DLLVM_ENABLE_PROJECTS="clang" \ 14 | -DBUILD_SHARED_LIBS="OFF" \ 15 | -DLLVM_BUILD_STATIC="ON" \ 16 | -DCMAKE_CXX_FLAGS="-s -flto" \ 17 | -DCMAKE_BUILD_TYPE="Release" \ 18 | -DLLVM_BUILD_RUNTIME="OFF" \ 19 | -DCMAKE_INSTALL_PREFIX="/usr/local" 20 | 21 | ninja clang llc llvm-objcopy llvm-strip 22 | 23 | strip bin/clang 24 | strip bin/llc 25 | strip bin/llvm-objcopy 26 | strip bin/llvm-strip 27 | 28 | mkdir -p /out/bin 29 | cp bin/clang bin/llc bin/llvm-objcopy bin/llvm-strip /out/bin 30 | -------------------------------------------------------------------------------- /images/startup-script/Dockerfile: -------------------------------------------------------------------------------- 1 | # Copyright Authors of Cilium 2 | # SPDX-License-Identifier: Apache-2.0 3 | 4 | ARG ALPINE_BASE_IMAGE=docker.io/library/alpine:3.22.2@sha256:4b7ce07002c69e8f3d704a9c5d6fd3053be500b7f1c69fc0d80990c2ad8dd412 5 | 6 | FROM ${ALPINE_BASE_IMAGE} as builder 7 | 8 | RUN mkdir -p /out/etc/apk && cp -r /etc/apk/* /out/etc/apk/ 9 | 10 | RUN apk add --initdb --no-cache --root /out \ 11 | bash \ 12 | util-linux \ 13 | && true 14 | 15 | COPY manage-startup-script.sh /out/usr/bin/manage-startup-script.sh 16 | 17 | FROM ${ALPINE_BASE_IMAGE} as certs 18 | RUN apk --no-cache add ca-certificates 19 | 20 | FROM scratch 21 | COPY --from=builder /out / 22 | COPY --from=certs /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ca-certificates.crt 23 | CMD [ "/usr/bin/manage-startup-script.sh" ] 24 | 
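-------------------------------------------------------------------------------- /scripts/get-image-digest.sh: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | 3 | # Copyright Authors of Cilium 4 | # SPDX-License-Identifier: Apache-2.0 5 | 6 | set -o errexit 7 | set -o pipefail 8 | set -o nounset 9 | 10 | MAKER_IMAGE="${MAKER_IMAGE:-quay.io/cilium/image-maker:1755027480-74de989@sha256:be90a4b1ccb7553e54f8eb8224a82a5f886cdbd6057dafc9d36205615f46d696}" 11 | 12 | if [ "$#" -ne 1 ] ; then 13 | echo "$0 supports exactly 1 argument" 14 | exit 1 15 | fi 16 | 17 | root_dir="$(git rev-parse --show-toplevel)" 18 | # NOTE(review): "${1}" is expanded into the sh -c string below, so the inner shell re-parses its contents; pass it as a positional argument if the image reference can come from an untrusted caller 19 | if [ -z "${MAKER_CONTAINER+x}" ] ; then 20 | exec docker run --env DOCKER_HUB_PUBLIC_ACCESS_ONLY=true --env QUAY_PUBLIC_ACCESS_ONLY=true --rm --volume "${root_dir}:/src" --workdir /src "${MAKER_IMAGE}" \ 21 | sh -c "git config --global --add safe.directory /src && /src/scripts/$(basename "${0}") \"${1}\"" 22 | fi 23 | 24 | crane digest "${1}" 2> /dev/null 25 | -------------------------------------------------------------------------------- /scripts/find-commit-for-tree-hash.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | # Copyright Authors of Cilium 4 | # SPDX-License-Identifier: Apache-2.0 5 | 6 | set -o errexit 7 | set -o pipefail 8 | set -o nounset 9 | 10 | # This script finds the commit hash for a given subdir tree hash. 11 | # It can be used to find what commit in the subdir was used to build a given image tag. 12 | 13 | # TODO: allow different modes, e.g. 14 | # - show last revision of top-level tree for the given subdir hash, which would encompass 15 | # top-level changes since e.g. 
`.github` and `scripts` etc 16 | # Both arguments are required: under nounset a missing one would otherwise abort at the assignments below instead of printing this usage message 17 | if [ "$#" -ne 2 ] ; then 18 | echo "$0 supports exactly 2 arguments - tree hash & subdir" 19 | exit 1 20 | fi 21 | 22 | tree_hash="${1}" 23 | dir="${2}" 24 | 25 | for i in $(git rev-list @ -- "${dir}") ; do 26 | if git ls-tree --full-tree "${i}" -- "${dir}" | grep -q "${tree_hash}" ; then 27 | echo "${i}" 28 | exit 0 29 | fi 30 | done 31 | 32 | exit 1 33 | -------------------------------------------------------------------------------- /CODEOWNERS: -------------------------------------------------------------------------------- 1 | # Code owners groups assigned to this repository and a brief description of their areas: 2 | # @cilium/build Building and packaging 3 | # @cilium/ci-structure Continuous integration, testing 4 | # @cilium/contributing Developer documentation & tools 5 | # @cilium/github-sec GitHub security (handling of secrets, consequences of pull_request_target, etc.) 6 | # @cilium/loader All related to LLVM, bpftool, Cilium loader, templating, etc. 7 | # @cilium/sig-datapath BPF Data Path 8 | 9 | # The following filepaths should be sorted so that more specific paths occur 10 | # after the less specific paths, otherwise the ownership for the specific paths 11 | # is not properly picked up in Github. 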
12 | * @cilium/build 13 | /.github/workflows/ @cilium/github-sec @cilium/ci-structure @cilium/build 14 | /CODEOWNERS @cilium/contributing 15 | /images/bpftool @cilium/loader 16 | /images/checkpatch @cilium/sig-datapath 17 | /images/llvm @cilium/loader 18 | -------------------------------------------------------------------------------- /images/tester/Dockerfile: -------------------------------------------------------------------------------- 1 | # Copyright Authors of Cilium 2 | # SPDX-License-Identifier: Apache-2.0 3 | 4 | ARG GOLANG_IMAGE=docker.io/library/golang:1.25.4@sha256:698183780de28062f4ef46f82a79ec0ae69d2d22f7b160cf69f71ea8d98bf25d 5 | ARG ALPINE_BASE_IMAGE=docker.io/library/alpine:3.22.2@sha256:4b7ce07002c69e8f3d704a9c5d6fd3053be500b7f1c69fc0d80990c2ad8dd412 6 | 7 | FROM ${GOLANG_IMAGE} AS go-builder 8 | 9 | WORKDIR /go/src/github.com/cilium/image-tools/images/tester/cst 10 | 11 | # hadolint ignore=SC2215 12 | RUN --mount=type=bind,readwrite,target=/go/src/github.com/cilium/image-tools/images/tester \ 13 | --mount=type=cache,target=/root/.cache \ 14 | --mount=type=cache,target=/go/pkg \ 15 | mkdir -p /out/bin && \ 16 | CGO_ENABLED=0 go build -tags netgo -ldflags '-s -w -extldflags "-static"' -o /out/bin/cst 17 | 18 | FROM ${ALPINE_BASE_IMAGE} AS test 19 | 20 | COPY --from=go-builder /out/bin /test/bin 21 | COPY test /test 22 | RUN /test/bin/cst -C /test 23 | 24 | FROM scratch 25 | LABEL maintainer="maintainer@cilium.io" 26 | 27 | COPY --from=go-builder /out/bin /test/bin 28 | -------------------------------------------------------------------------------- /images/iptables/Dockerfile: -------------------------------------------------------------------------------- 1 | # Copyright Authors of Cilium 2 | # SPDX-License-Identifier: Apache-2.0 3 | 4 | # This file builds iptables 1.8.8-1 from source using Ubuntu 24.04 5 | # The source code comes from Debian Bookworm snapshots 6 | # To upgrade to a new iptables version, change also the snapshot date. 
7 | 8 | ARG IPTABLES_VERSION="1.8.8-1" 9 | ARG SNAPSHOT_DATE="20230116T212610Z" 10 | 11 | FROM docker.io/library/ubuntu:24.04@sha256:c35e29c9450151419d9448b0fd75374fec4fff364a27f176fb458d472dfc9e54 12 | 13 | RUN mkdir /iptables 14 | WORKDIR /iptables 15 | 16 | ARG IPTABLES_VERSION 17 | ARG SNAPSHOT_DATE 18 | 19 | RUN apt-get update && \ 20 | apt-get install -y --no-install-recommends debian-archive-keyring apt-src ca-certificates && \ 21 | echo "deb-src [check-valid-until=no signed-by=/usr/share/keyrings/debian-archive-bullseye-automatic.gpg] https://snapshot.debian.org/archive/debian/${SNAPSHOT_DATE}/ bookworm main" > /etc/apt/sources.list.d/iptables-snapshot.list && \ 22 | apt-get update && \ 23 | apt-src -b install iptables="${IPTABLES_VERSION}" && \ 24 | apt-get clean && \ 25 | rm -rf /var/lib/apt/lists/* 26 | -------------------------------------------------------------------------------- /images/checkpatch/Dockerfile: -------------------------------------------------------------------------------- 1 | # syntax=docker/dockerfile:1.1-experimental@sha256:de85b2f3a3e8a2f7fe48e8e84a65f6fdd5cd5183afa6412fff9caa6871649c44 2 | # SPDX-License-Identifier: Apache-2.0 3 | # Copyright Authors of Cilium 4 | 5 | ARG ALPINE_BASE_IMAGE=docker.io/library/alpine:3.22.2@sha256:4b7ce07002c69e8f3d704a9c5d6fd3053be500b7f1c69fc0d80990c2ad8dd412 6 | 7 | FROM ${ALPINE_BASE_IMAGE} as builder 8 | LABEL maintainer="maintainer@cilium.io" 9 | 10 | ARG CHECKPATCH_VERSION="v5.12" 11 | 12 | COPY . 
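/checkpatch 13 | 14 | RUN apk add --no-cache bash curl git jq moreutils patch perl 15 | # --fail makes an HTTP error abort the build instead of saving the error page as the script or word list. NOTE(review): both files are fetched by ref name (?h=${CHECKPATCH_VERSION}) with no checksum; verifying a pinned digest before patching would tie the image to known content 16 | RUN \ 17 | curl -fsSL --output /checkpatch/checkpatch.pl \ 18 | "https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/plain/scripts/checkpatch.pl?h=${CHECKPATCH_VERSION}" && \ 19 | chmod a+x /checkpatch/checkpatch.pl && \ 20 | curl -fsSL --output /checkpatch/spelling.txt \ 21 | "https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/plain/scripts/spelling.txt?h=${CHECKPATCH_VERSION}" 22 | 23 | RUN for i in /checkpatch/fixes/*.diff; do \ 24 | patch -p1 /checkpatch/checkpatch.pl < "$i"; \ 25 | done 26 | 27 | ENTRYPOINT ["/checkpatch/checkpatch.sh"] 28 | -------------------------------------------------------------------------------- /images/llvm/Dockerfile: -------------------------------------------------------------------------------- 1 | # Copyright Authors of Cilium 2 | # SPDX-License-Identifier: Apache-2.0 3 | 4 | ARG COMPILERS_IMAGE=quay.io/cilium/image-compilers:1732033829-330cbaf@sha256:5c54f614fb8ee7939492aa4b7d74b37922d98199f5993f6d957a1637ce30eb9e 5 | ARG UBUNTU_IMAGE=docker.io/library/ubuntu:24.04@sha256:c35e29c9450151419d9448b0fd75374fec4fff364a27f176fb458d472dfc9e54 6 | ARG TESTER_IMAGE=quay.io/cilium/image-tester:1755027438-ef4e849@sha256:ff0eb08901053e72afcfadc58e9d1736c6d1b257ffdf0779966d44e4872bfae5 7 | ARG BASE_IMAGE=scratch 8 | 9 | FROM ${TESTER_IMAGE} AS tester 10 | FROM ${COMPILERS_IMAGE} AS builder 11 | 12 | ARG LLVM_VERSION="llvmorg-19.1.7" 13 | ADD https://github.com/llvm/llvm-project/archive/${LLVM_VERSION}.tar.gz /tmp/llvm.tar.gz 14 | WORKDIR /src/llvm 15 | RUN tar -xf /tmp/llvm.tar.gz --strip-components=1 --directory /src/llvm 16 | 17 | WORKDIR /src/llvm/llvm/build 18 | COPY build-llvm.sh /tmp/build-llvm.sh 19 | RUN /tmp/build-llvm.sh 20 | 21 | FROM ${UBUNTU_IMAGE} AS test 22 | COPY --from=builder /out/bin /usr/local/bin 23 | COPY test /test 24 | COPY --from=tester /test/bin /test/bin 25 | RUN /test/bin/cst -C /test 26 | 27 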
| FROM ${BASE_IMAGE} AS release 28 | LABEL maintainer="maintainer@cilium.io" 29 | COPY --from=builder /out/bin /usr/local/bin 30 | -------------------------------------------------------------------------------- /images/network-perf/Dockerfile: -------------------------------------------------------------------------------- 1 | ARG BASE_IMAGE=registry.access.redhat.com/ubi8/ubi@sha256:a444712276a635c9312d83a4ff7c6ee7f2ce08eeb5bd9ca291b5fdba257a5e63 2 | 3 | FROM ${BASE_IMAGE} AS builder 4 | 5 | # We can ignore this warning here because we run `dnf clean all` later and then squash all layers in the final image 6 | # hadolint ignore=DL3040 7 | RUN dnf install -y --nodocs gcc make 8 | 9 | # Install and configure iperf 10 | ARG IPERF_VERSION="3.19" 11 | WORKDIR /iperf 12 | RUN curl -L -o iperf.tar.gz https://github.com/esnet/iperf/archive/refs/tags/${IPERF_VERSION}.tar.gz && \ 13 | tar xzf iperf.tar.gz --strip-components=1 -C /iperf && \ 14 | ./configure && \ 15 | make && \ 16 | make install && \ 17 | rm -rf /iperf 18 | 19 | # Install and configure netperf 20 | ARG NETPERF_VERSION=80bf19d563eebd1eca23f4092f96819296020fa5 21 | WORKDIR /netperf 22 | RUN curl -L -o netperf.tar.gz https://github.com/HewlettPackard/netperf/archive/${NETPERF_VERSION}.tar.gz && \ 23 | tar xzf netperf.tar.gz --strip-components=1 -C /netperf && \ 24 | ./configure && \ 25 | make && \ 26 | make install && \ 27 | rm -rf /netperf 28 | 29 | # Remove build dependencies 30 | RUN dnf remove -y gcc make && \ 31 | dnf clean all 32 | 33 | FROM scratch 34 | LABEL maintainer="maintainer@cilium.io" 35 | COPY --from=builder / / 36 | -------------------------------------------------------------------------------- /images/bpftool/Dockerfile: -------------------------------------------------------------------------------- 1 | # Copyright Authors of Cilium 2 | # SPDX-License-Identifier: Apache-2.0 3 | 4 | ARG 
COMPILERS_IMAGE=quay.io/cilium/image-compilers:1732033829-330cbaf@sha256:5c54f614fb8ee7939492aa4b7d74b37922d98199f5993f6d957a1637ce30eb9e 5 | ARG UBUNTU_IMAGE=docker.io/library/ubuntu:24.04@sha256:c35e29c9450151419d9448b0fd75374fec4fff364a27f176fb458d472dfc9e54 6 | ARG TESTER_IMAGE=quay.io/cilium/image-tester:1755027438-ef4e849@sha256:ff0eb08901053e72afcfadc58e9d1736c6d1b257ffdf0779966d44e4872bfae5 7 | ARG BASE_IMAGE=scratch 8 | 9 | FROM ${TESTER_IMAGE} AS tester 10 | FROM ${COMPILERS_IMAGE} AS builder 11 | 12 | # renovate: datasource=github-releases depName=libbpf/bpftool 13 | ARG BPFTOOL_VERSION="v7.4.0" 14 | WORKDIR /bpftool 15 | RUN git clone --recurse-submodules --branch "${BPFTOOL_VERSION}" https://github.com/libbpf/bpftool.git /bpftool 16 | 17 | RUN \ 18 | # From Ubuntu 24.04 builder image, libzstd must be added at the end of LIBS and LIBS_BOOTSTRAP to compile statically 19 | # See https://github.com/libbpf/bpftool/issues/152 20 | sed -i "s/\(LIBS = \$(LIBBPF) -lelf -lz\)/\1 -lzstd/; s/\(LIBS_BOOTSTRAP = \$(LIBBPF_BOOTSTRAP) -lelf -lz\)/\1 -lzstd/" /bpftool/src/Makefile \ 21 | && make -C src EXTRA_CFLAGS=--static BPFTOOL_VERSION="${BPFTOOL_VERSION#v}" -j "$(nproc)" \ 22 | && strip /bpftool/src/bpftool \ 23 | && mkdir -p /out/bin \ 24 | && mv /bpftool/src/bpftool /out/bin/ 25 | 26 | FROM ${UBUNTU_IMAGE} AS test 27 | COPY --from=builder /out/bin/bpftool /usr/local/bin/bpftool 28 | COPY test /test 29 | COPY --from=tester /test/bin /test/bin 30 | RUN /test/bin/cst -C /test 31 | 32 | FROM ${BASE_IMAGE} AS release 33 | LABEL maintainer="maintainer@cilium.io" 34 | COPY --from=builder /out/bin/bpftool /usr/local/bin/bpftool 35 | -------------------------------------------------------------------------------- /Makefile: -------------------------------------------------------------------------------- 1 | # Copyright Authors of Cilium 2 | # SPDX-License-Identifier: Apache-2.0 3 | 4 | REGISTRIES ?= quay.io/cilium 5 | 6 | PUSH ?= false 7 | EXPORT ?= false 8 | PLATFORMS 
?= linux/amd64,linux/arm64 9 | 10 | all-images: lint maker-image tester-image compilers-image bpftool-image llvm-image network-perf-image startup-script-image checkpatch-image iptables-image 11 | 12 | 13 | lint: 14 | scripts/lint.sh 15 | 16 | .buildx_builder: 17 | docker buildx create --platform $(PLATFORMS) --buildkitd-flags '--debug' > $@ 18 | 19 | maker-image: .buildx_builder 20 | PUSH=$(PUSH) EXPORT=$(EXPORT) scripts/build-image.sh image-maker images/maker $(PLATFORMS) "$$(cat .buildx_builder)" $(REGISTRIES) 21 | 22 | tester-image: .buildx_builder 23 | PUSH=$(PUSH) EXPORT=$(EXPORT) TEST=true scripts/build-image.sh image-tester images/tester $(PLATFORMS) "$$(cat .buildx_builder)" $(REGISTRIES) 24 | 25 | compilers-image: .buildx_builder 26 | PUSH=$(PUSH) EXPORT=$(EXPORT) TEST=true scripts/build-image.sh image-compilers images/compilers $(PLATFORMS) "$$(cat .buildx_builder)" $(REGISTRIES) 27 | 28 | bpftool-image: .buildx_builder 29 | PUSH=$(PUSH) EXPORT=$(EXPORT) TEST=true scripts/build-image.sh cilium-bpftool images/bpftool $(PLATFORMS) "$$(cat .buildx_builder)" $(REGISTRIES) 30 | 31 | llvm-image: .buildx_builder 32 | PUSH=$(PUSH) EXPORT=$(EXPORT) TEST=true scripts/build-image.sh cilium-llvm images/llvm $(PLATFORMS) "$$(cat .buildx_builder)" $(REGISTRIES) 33 | 34 | startup-script-image: .buildx_builder 35 | PUSH=$(PUSH) EXPORT=$(EXPORT) scripts/build-image.sh startup-script images/startup-script $(PLATFORMS) "$$(cat .buildx_builder)" $(REGISTRIES) 36 | 37 | checkpatch-image: .buildx_builder 38 | PUSH=$(PUSH) EXPORT=$(EXPORT) scripts/build-image.sh cilium-checkpatch images/checkpatch $(PLATFORMS) "$$(cat .buildx_builder)" $(REGISTRIES) 39 | 40 | network-perf-image: .buildx_builder 41 | PUSH=$(PUSH) EXPORT=$(EXPORT) scripts/build-image.sh network-perf images/network-perf $(PLATFORMS) "$$(cat .buildx_builder)" $(REGISTRIES) 42 | 43 | iptables-image: .buildx_builder 44 | PUSH=$(PUSH) EXPORT=$(EXPORT) scripts/build-image.sh iptables images/iptables $(PLATFORMS) 
"$$(cat .buildx_builder)" $(REGISTRIES) 45 | -------------------------------------------------------------------------------- /images/compilers/install-deps.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | # Copyright Authors of Cilium 4 | # SPDX-License-Identifier: Apache-2.0 5 | 6 | set -o xtrace 7 | set -o errexit 8 | set -o pipefail 9 | set -o nounset 10 | 11 | packages=( 12 | automake 13 | binutils 14 | bison 15 | build-essential 16 | ca-certificates 17 | cmake 18 | curl 19 | flex 20 | g++ 21 | gcc-9 22 | git 23 | libelf-dev 24 | libmnl-dev 25 | libtool 26 | make 27 | ninja-build 28 | pkg-config 29 | python3 30 | python3-pip 31 | unzip 32 | ) 33 | 34 | packages_amd64=( 35 | binutils-aarch64-linux-gnu 36 | crossbuild-essential-arm64 37 | g++-aarch64-linux-gnu 38 | gcc-9-aarch64-linux-gnu 39 | libelf-dev:arm64 40 | ) 41 | 42 | export DEBIAN_FRONTEND=noninteractive 43 | 44 | cat > /etc/apt/sources.list.d/ubuntu.sources << EOF 45 | Types: deb 46 | URIs: http://archive.ubuntu.com/ubuntu/ 47 | Suites: noble noble-updates noble-backports 48 | Components: main universe restricted multiverse 49 | Signed-By: /usr/share/keyrings/ubuntu-archive-keyring.gpg 50 | Architectures: amd64 51 | 52 | ## Ubuntu security updates. Aside from URIs and Suites, 53 | ## this should mirror your choices in the previous section. 
54 | Types: deb 55 | URIs: http://security.ubuntu.com/ubuntu/ 56 | Suites: noble-security 57 | Components: main universe restricted multiverse 58 | Signed-By: /usr/share/keyrings/ubuntu-archive-keyring.gpg 59 | Architectures: amd64 60 | 61 | Types: deb 62 | URIs: http://ports.ubuntu.com/ 63 | Suites: noble noble-updates noble-backports 64 | Components: main restricted universe multiverse 65 | Signed-By: /usr/share/keyrings/ubuntu-archive-keyring.gpg 66 | Architectures: arm64 67 | 68 | Types: deb 69 | URIs: http://ports.ubuntu.com/ubuntu-ports/ 70 | Suites: noble-security 71 | Components: main universe restricted multiverse 72 | Signed-By: /usr/share/keyrings/ubuntu-archive-keyring.gpg 73 | Architectures: arm64 74 | EOF 75 | 76 | if [ "$(uname -m)" == "x86_64" ] ; then 77 | dpkg --add-architecture arm64 78 | fi 79 | 80 | apt-get update 81 | 82 | ln -fs /usr/share/zoneinfo/UTC /etc/localtime 83 | 84 | apt-get install -y --no-install-recommends "${packages[@]}" 85 | if [ "$(uname -m)" == "x86_64" ] ; then 86 | apt-get install -y --no-install-recommends "${packages_amd64[@]}" 87 | fi 88 | 89 | update-alternatives --install /usr/bin/gcc gcc /usr/bin/gcc-9 2 90 | if [ "$(uname -m)" == "x86_64" ] ; then 91 | update-alternatives --install /usr/bin/aarch64-linux-gnu-gcc aarch64-linux-gnu-gcc /usr/bin/aarch64-linux-gnu-gcc-9 3 92 | fi 93 | -------------------------------------------------------------------------------- /images/startup-script/manage-startup-script.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | # Copyright 2016 The Kubernetes Authors. 3 | # 4 | # Licensed under the Apache License, Version 2.0 (the "License"); 5 | # you may not use this file except in compliance with the License. 
6 | # You may obtain a copy of the License at 7 | # 8 | # http://www.apache.org/licenses/LICENSE-2.0 9 | # 10 | # Unless required by applicable law or agreed to in writing, software 11 | # distributed under the License is distributed on an "AS IS" BASIS, 12 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | # See the License for the specific language governing permissions and 14 | # limitations under the License. 15 | 16 | set -o errexit 17 | set -o nounset 18 | set -o pipefail 19 | 20 | # This image enables calling a simple script inlined in a pod spec as 21 | # an environment variable `STARTUP_SCRIPT`. It will normally only call it 22 | # once. It can be used as a container, not an init container (although 23 | # that may change). If the pod gets restarted with a new version of 24 | # `STARTUP_SCRIPT`, the script will re-run, otherwise it won't (see 25 | # `CHECKPOINT_PATH` below). The script is executed through `nsenter` in the namespaces of PID 1 (see `EXEC` below), so with `hostPID` and `privileged` set as in the example it runs on the node itself; restrict who can set `STARTUP_SCRIPT` accordingly. 26 | # 27 | # Example usage: 28 | # 29 | # kind: DaemonSet 30 | # apiVersion: extensions/v1beta1 31 | # metadata: 32 | # name: startup-script 33 | # labels: 34 | # app: startup-script 35 | # spec: 36 | # template: 37 | # metadata: 38 | # labels: 39 | # app: startup-script 40 | # spec: 41 | # hostPID: true 42 | # containers: 43 | # - name: startup-script 44 | # image: quay.io/cilium/startup-script: 45 | # imagePullPolicy: Always 46 | # securityContext: 47 | # privileged: true 48 | # env: 49 | # - name: STARTUP_SCRIPT 50 | # value: | 51 | # #! /bin/bash 52 | # set -o errexit 53 | # set -o pipefail 54 | # set -o nounset 55 | # touch /tmp/foo 56 | # echo done 57 | 58 | CHECKPOINT_PATH="${CHECKPOINT_PATH:-/tmp/startup-script.kubernetes.io_$(md5sum <<<"${STARTUP_SCRIPT}" | cut -c-32)}" 59 | CHECK_INTERVAL_SECONDS="30" 60 | EXEC=(nsenter -t 1 -m -u -i -n -p --) 61 | 62 | do_startup_script() { 63 | local err=0; 64 | 65 | "${EXEC[@]}" bash -c "${STARTUP_SCRIPT}" && err=0 || err=$? 66 | if [[ ${err} != 0 ]]; then 67 | echo "!!! startup-script failed!
exit code '${err}'" 1>&2 68 | return 1 69 | fi 70 | 71 | "${EXEC[@]}" touch "${CHECKPOINT_PATH}" 72 | echo "!!! startup-script succeeded!" 1>&2 73 | return 0 74 | } 75 | 76 | while :; do 77 | "${EXEC[@]}" stat "${CHECKPOINT_PATH}" > /dev/null 2>&1 && err=0 || err=$? 78 | if [[ ${err} != 0 ]]; then 79 | do_startup_script 80 | fi 81 | 82 | sleep "${CHECK_INTERVAL_SECONDS}" 83 | done 84 | -------------------------------------------------------------------------------- /images/llvm/test/spec.yaml: -------------------------------------------------------------------------------- 1 | schemaVersion: "2.0.0" 2 | 3 | commandTests: 4 | # clang tests 5 | - name: "clang command is in path" 6 | command: "which" 7 | args: ["clang"] 8 | expectedOutput: ["/usr/local/bin/clang"] 9 | 10 | - name: "clang is statically linked" 11 | command: "ldd" 12 | args: ["/usr/local/bin/clang"] 13 | expectedError: ["not a dynamic executable"] 14 | exitCode: 1 15 | 16 | - name: "clang --version" 17 | command: "clang" 18 | args: ["--version"] 19 | expectedOutput: 20 | - 'clang\ version\ 19\.1\.7' 21 | - 'InstalledDir:\ /usr/local/bin' 22 | 23 | - name: "clang can compile a simple BPF program" 24 | command: "clang" 25 | args: [ "-O2", "-target", "bpf", "-c", "test.c", "-o", "/tmp/test.o" ] 26 | 27 | # llc tests 28 | - name: "llc command is in path" 29 | command: "which" 30 | args: ["llc"] 31 | expectedOutput: ["/usr/local/bin/llc"] 32 | 33 | - name: "llc is statically linked" 34 | command: "ldd" 35 | args: ["/usr/local/bin/llc"] 36 | expectedError: ["not a dynamic executable"] 37 | exitCode: 1 38 | 39 | - name: "llc --version" 40 | command: "llc" 41 | args: ["--version"] 42 | expectedOutput: 43 | - 'LLVM\ \(http://llvm\.org/\):' 44 | - 'LLVM\ version\ 19\.1\.7' 45 | - 'Optimized\ build\.' 
46 | - 'Registered\ Targets:' 47 | - '(bpf|bpfeb|bpfel)[\ ]+-\ BPF\ \((host|big|little)\ endian\)' 48 | excludedOutput: 49 | - '(aarch64|arm|misp|ppc|risc|sparc|thumb|wasm|x86).*\[\ ]+-\ .*' 50 | 51 | # llvm-objcopy tests 52 | - name: "llvm-objcopy command is in path" 53 | command: "which" 54 | args: ["llvm-objcopy"] 55 | expectedOutput: ["/usr/local/bin/llvm-objcopy"] 56 | 57 | - name: "llvm-objcopy is statically linked" 58 | command: "ldd" 59 | args: ["/usr/local/bin/llvm-objcopy"] 60 | expectedError: ["not a dynamic executable"] 61 | exitCode: 1 62 | 63 | - name: "llvm-objcopy --version" 64 | command: "llvm-objcopy" 65 | args: ["--version"] 66 | expectedOutput: 67 | - 'llvm-objcopy,\ compatible\ with\ GNU\ objcopy' 68 | - 'LLVM\ \(http://llvm\.org/\):' 69 | - 'LLVM\ version\ 19\.1\.7' 70 | - 'Optimized\ build\.' 71 | 72 | # llvm-strip tests 73 | - name: "llvm-strip command is in path" 74 | command: "which" 75 | args: ["llvm-strip"] 76 | expectedOutput: ["/usr/local/bin/llvm-strip"] 77 | 78 | - name: "llvm-strip is statically linked" 79 | command: "ldd" 80 | args: ["/usr/local/bin/llvm-strip"] 81 | expectedError: ["not a dynamic executable"] 82 | exitCode: 1 83 | 84 | - name: "llvm-strip --version" 85 | command: "llvm-strip" 86 | args: ["--version"] 87 | expectedOutput: 88 | - 'llvm-strip,\ compatible\ with\ GNU\ strip' 89 | - 'LLVM\ \(http://llvm\.org/\):' 90 | - 'LLVM\ version\ 19\.1\.7' 91 | - 'Optimized\ build\.' 92 | -------------------------------------------------------------------------------- /images/checkpatch/README.md: -------------------------------------------------------------------------------- 1 | # Checkpatch Image 2 | 3 | This directory contains the files necessary to package a custom version of 4 | checkpatch as a Docker image. 5 | 6 | ## Checkpatch.pl Script 7 | 8 | The `checkpatch.pl` script and the `spelling.txt` file from the Linux 9 | repository are no longer included in this directory, but is required to run the 10 | checks. 
11 | 12 | The latest version of the script should be available at 13 | . 14 | 15 | The latest version for the accompanying spelling file can be downloaded from 16 | . 17 | 18 | ## Bash Script and Other Additions 19 | 20 | The bash wrapper is used to call the `checkpatch.pl` script with the relevant 21 | options and arguments for working on Cilium's code base. It makes sure 22 | `checkpatch.pl` is run on the latest commits or, if the `-a` option is passed, 23 | on the source files under the `bpf/` directory. It should be executed from the 24 | root of Cilium's repository: 25 | 26 | ``` 27 | docker run --rm --user $(id -u):$(id -g) -it --workdir /workspace -v $PWD:/workspace <checkpatch-image> 28 | ``` 29 | 30 | The list of deprecated terms was specifically added for Cilium. 31 | 32 | ## Custom Patches 33 | 34 | When building the Docker image, several patches are applied to the script. 35 | 36 | * `fixes/ignore-C99-comments-for-SPDX-tags.diff`: Cilium follows the kernel 37 | coding style, and avoids the use of C99-style comments in its eBPF programs. 38 | The script `checkpatch.pl` is instructed to report such comments, but it is 39 | not able to distinguish when they are used for SPDX license tags, which is a 40 | legitimate use. This patch fixes `checkpatch.pl` accordingly. Note that it 41 | was [submitted for upstream inclusion](https://lore.kernel.org/patchwork/patch/1265784/), 42 | but rejected by the maintainer. 43 | 44 | * `fixes/recognize-co-authored-by.diff`: Cilium developers sometimes use the 45 | `Co-authored-by:` tag in commit logs, to indicate that several authors 46 | contributed to the patch. Checkpatch understands this is some kind of tag, 47 | but not one it knows of, and it complains with a warning. This patch teaches 48 | it about the tag. 49 | 50 | * `fixes/ignore-_Static_assert.diff`: Allow Cilium and Tetragon developers to use `_Static_assert`, 51 | even though it is camel-cased.
52 | 53 | The patches should apply cleanly to the version of ``checkpatch.pl`` used for 54 | Cilium's CI. Refer to the Dockerfile in this directory to find the version in 55 | use. 56 | 57 | ## Custom Checks 58 | 59 | In addition to running `checkpatch.pl`, the bash script runs a few checks of 60 | its own on all commits (whether or not they touch the code under `bpf`). 61 | 62 | * Ensure that the width of the subject for the commit message is lower or equal 63 | to 75 characters. 64 | -------------------------------------------------------------------------------- /images/maker/Dockerfile: -------------------------------------------------------------------------------- 1 | # Copyright Authors of Cilium 2 | # SPDX-License-Identifier: Apache-2.0 3 | 4 | ARG DOCKER_IMAGE=docker.io/library/docker:29.1.1-dind@sha256:9b20eb23e1f0443655673efb9db76c4b18cc1b45de1fcf82b3c1b749b9647bdf 5 | ARG CRANE_IMAGE=gcr.io/go-containerregistry/crane:latest@sha256:004539de370c46a99e976c1ca9570716b6096dc6ad4987c57f8c4f1a4763a819 6 | ARG ALPINE_BASE_IMAGE=docker.io/library/alpine:3.22.2@sha256:4b7ce07002c69e8f3d704a9c5d6fd3053be500b7f1c69fc0d80990c2ad8dd412 7 | ARG GOLANG_IMAGE=docker.io/library/golang:1.25.4@sha256:698183780de28062f4ef46f82a79ec0ae69d2d22f7b160cf69f71ea8d98bf25d 8 | 9 | FROM ${DOCKER_IMAGE} AS docker-dist 10 | FROM ${CRANE_IMAGE} AS crane-dist 11 | 12 | FROM ${GOLANG_IMAGE} AS go-builder 13 | 14 | # hadolint ignore=SC2215 15 | RUN --mount=type=bind,readwrite,target=/src \ 16 | --mount=type=cache,target=/root/.cache \ 17 | --mount=type=cache,target=/go/pkg/mod \ 18 | /src/build-go-deps.sh 19 | 20 | FROM ${ALPINE_BASE_IMAGE} AS builder 21 | ARG TARGETARCH 22 | 23 | RUN apk add --no-cache \ 24 | curl \ 25 | && true 26 | 27 | RUN mkdir -p /out/etc/apk && cp -r /etc/apk/* /out/etc/apk/ 28 | 29 | RUN apk add --initdb --no-cache --root /out \ 30 | alpine-baselayout \ 31 | bash \ 32 | ca-certificates \ 33 | coreutils \ 34 | git \ 35 | make \ 36 | shellcheck \ 37 | jq \ 38 | yq \ 
39 | && true 40 | 41 | COPY --from=docker-dist /usr/local/bin /out/usr/local/bin 42 | COPY --from=crane-dist /ko-app/crane /out/usr/local/bin/crane 43 | COPY --from=go-builder /out /out 44 | 45 | ARG HADOLINT_VERSION=2.12.0 46 | 47 | RUN case "${TARGETARCH}" in \ 48 | 'amd64') export ARCH='x86_64' ;; \ 49 | 'arm64') export ARCH='arm64' ;; \ 50 | esac && \ 51 | curl --fail --show-error --silent --location \ 52 | "https://github.com/hadolint/hadolint/releases/download/v${HADOLINT_VERSION}/hadolint-Linux-${ARCH}" \ 53 | --output /out/usr/local/bin/hadolint \ 54 | && chmod +x /out/usr/local/bin/hadolint 55 | 56 | RUN mkdir -p /out/etc/docker/cli-plugins \ 57 | && echo '{ "experimental": "enabled", "credsStore" : "env" }' > /out/etc/docker/config.json \ 58 | && ln -fs /usr/local/bin/docker-buildx /out/etc/docker/cli-plugins 59 | 60 | FROM scratch 61 | ENV DOCKER_CONFIG=/etc/docker 62 | # when `buildx create` is used, by default it stores configs of builder instances in 63 | # $BUILDX_CONFIG/buildx (or custom path set with $BUILDX_CONFIG); 64 | # default location works as long as home directory is persisted across invocations, 65 | # but when invoked from inside a container the $DOCKER_CONFIG/buildx directory is not 66 | # persistent unless it's mounted from the host; 67 | # in GitHub Actions it is relatively safe to assume that $PWD/.buildx is where the 68 | # builder instance of a single job needs to be stored, which can be achieved by using 69 | # a relative path here (see also https://github.com/docker/buildx/issues/308) 70 | ENV BUILDX_CONFIG=.buildx 71 | ENV MAKER_CONTAINER=true 72 | COPY --from=builder /out / 73 | -------------------------------------------------------------------------------- /images/tester/cst/main.go: -------------------------------------------------------------------------------- 1 | // Copyright Authors of Cilium 2 | // SPDX-License-Identifier: Apache-2.0 3 | 4 | package main 5 | 6 | import ( 7 | "flag" 8 | "fmt" 9 | "os" 10 | "runtime" 11 | 12 |
"github.com/GoogleContainerTools/container-structure-test/cmd/container-structure-test/app/cmd/test" 13 | "github.com/GoogleContainerTools/container-structure-test/pkg/color" 14 | "github.com/GoogleContainerTools/container-structure-test/pkg/drivers" 15 | "github.com/GoogleContainerTools/container-structure-test/pkg/types/unversioned" 16 | ) 17 | 18 | const ( 19 | configFile = "spec.yaml" 20 | ) 21 | 22 | /* container-structure-test can be used inside a container, however multiple flags have to be set and 23 | metadata file has to be provided also, namely: 24 | 25 | /usr/local/bin/container-structure-test --force --driver host --metadata /tmp/metadata.json --config /test/spec.yaml 26 | 27 | this version eliminates all of the flags, stubs out metadata and expects to find test specs at 28 | /test/spec.yaml, so the invocation is as simple as: 29 | 30 | /test/bin/cst 31 | */ 32 | 33 | func main() { 34 | version := flag.Bool("V", false, "print version and exit") 35 | testDir := flag.String("C", "/test", "directory to chdir, and read `spec.yaml`") 36 | 37 | flag.Parse() 38 | 39 | if *version { 40 | fmt.Printf("%s %s/%s", runtime.Version(), runtime.GOOS, runtime.GOARCH) 41 | os.Exit(0) 42 | } 43 | 44 | color.NoColor = true 45 | 46 | if err := os.Chdir(*testDir); err != nil { 47 | fmt.Printf("unable to run tests: %s\n", err) 48 | os.Exit(5) 49 | } 50 | 51 | fakeMetadataPath, err := fakeMetadata() 52 | if err != nil { 53 | fmt.Printf("unable to write fake metadata: %s\n", err) 54 | os.Exit(4) 55 | } 56 | defer os.Remove(fakeMetadataPath) 57 | 58 | driverConfig := &drivers.DriverConfig{ 59 | Metadata: fakeMetadataPath, 60 | } 61 | 62 | channel := make(chan interface{}, 1) 63 | 64 | go func() { 65 | tests, err := test.Parse(configFile, driverConfig, drivers.InitDriverImpl(drivers.Host)) 66 | if err != nil { 67 | channel <- &unversioned.TestResult{ 68 | Errors: []string{ 69 | fmt.Sprintf("error parsing config file: %s", err), 70 | }, 71 | } 72 | fmt.Printf("failed to load test 
spec: %s\n", err) 73 | os.Exit(3) 74 | } 75 | if tests == nil { 76 | fmt.Printf("failed to test: no tests\n") 77 | os.Exit(2) 78 | } 79 | 80 | tests.RunAll(channel, configFile) 81 | close(channel) 82 | }() 83 | 84 | if err := test.ProcessResults(os.Stdout, unversioned.Text, "", channel); err != nil { 85 | os.Exit(1) 86 | } 87 | } 88 | 89 | func fakeMetadata() (string, error) { 90 | content := []byte(`{ "config": {} }`) 91 | file, err := os.CreateTemp("", "metadata") 92 | if err != nil { 93 | return "", err 94 | } 95 | if _, err := file.Write(content); err != nil { 96 | return "", err 97 | } 98 | if err := file.Close(); err != nil { 99 | return "", err 100 | } 101 | return file.Name(), nil 102 | } 103 | -------------------------------------------------------------------------------- /images/tester/cst/go.mod: -------------------------------------------------------------------------------- 1 | module github.com/cilium/image-tools/images/tester/cst 2 | 3 | go 1.25 4 | 5 | require github.com/GoogleContainerTools/container-structure-test v1.22.0 6 | 7 | require ( 8 | github.com/Azure/go-ansiterm v0.0.0-20230124172434-306776ec8161 // indirect 9 | github.com/Microsoft/go-winio v0.6.2 // indirect 10 | github.com/cenkalti/backoff/v4 v4.3.0 // indirect 11 | github.com/containerd/errdefs v1.0.0 // indirect 12 | github.com/containerd/errdefs/pkg v0.3.0 // indirect 13 | github.com/containerd/log v0.1.0 // indirect 14 | github.com/containerd/stargz-snapshotter/estargz v0.16.3 // indirect 15 | github.com/distribution/reference v0.6.0 // indirect 16 | github.com/docker/cli v28.2.2+incompatible // indirect 17 | github.com/docker/distribution v2.8.3+incompatible // indirect 18 | github.com/docker/docker v28.3.3+incompatible // indirect 19 | github.com/docker/docker-credential-helpers v0.9.3 // indirect 20 | github.com/docker/go-connections v0.5.0 // indirect 21 | github.com/docker/go-units v0.5.0 // indirect 22 | github.com/felixge/httpsnoop v1.0.4 // indirect 23 | 
github.com/fsouza/go-dockerclient v1.11.2 // indirect 24 | github.com/go-logr/logr v1.4.3 // indirect 25 | github.com/go-logr/stdr v1.2.2 // indirect 26 | github.com/gogo/protobuf v1.3.2 // indirect 27 | github.com/google/go-containerregistry v0.20.6 // indirect 28 | github.com/joho/godotenv v1.5.1 // indirect 29 | github.com/klauspost/compress v1.18.0 // indirect 30 | github.com/mitchellh/go-homedir v1.1.0 // indirect 31 | github.com/moby/docker-image-spec v1.3.1 // indirect 32 | github.com/moby/go-archive v0.1.0 // indirect 33 | github.com/moby/patternmatcher v0.6.0 // indirect 34 | github.com/moby/sys/sequential v0.6.0 // indirect 35 | github.com/moby/sys/user v0.4.0 // indirect 36 | github.com/moby/sys/userns v0.1.0 // indirect 37 | github.com/moby/term v0.5.0 // indirect 38 | github.com/morikuni/aec v1.0.0 // indirect 39 | github.com/opencontainers/go-digest v1.0.0 // indirect 40 | github.com/opencontainers/image-spec v1.1.1 // indirect 41 | github.com/pkg/errors v0.9.1 // indirect 42 | github.com/sirupsen/logrus v1.9.3 // indirect 43 | github.com/vbatts/tar-split v0.12.1 // indirect 44 | go.opentelemetry.io/auto/sdk v1.1.0 // indirect 45 | go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.61.0 // indirect 46 | go.opentelemetry.io/otel v1.37.0 // indirect 47 | go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.33.0 // indirect 48 | go.opentelemetry.io/otel/metric v1.37.0 // indirect 49 | go.opentelemetry.io/otel/trace v1.37.0 // indirect 50 | go.opentelemetry.io/proto/otlp v1.4.0 // indirect 51 | golang.org/x/crypto v0.45.0 // indirect 52 | golang.org/x/sync v0.15.0 // indirect 53 | golang.org/x/sys v0.38.0 // indirect 54 | golang.org/x/term v0.37.0 // indirect 55 | golang.org/x/time v0.0.0-20220210224613-90d013bbcef8 // indirect 56 | google.golang.org/genproto/googleapis/api v0.0.0-20241209162323-e6fa225c2576 // indirect 57 | google.golang.org/genproto/googleapis/rpc v0.0.0-20241209162323-e6fa225c2576 // indirect 58 | google.golang.org/grpc 
v1.68.1 // indirect 59 | gopkg.in/yaml.v2 v2.4.0 // indirect 60 | ) 61 | -------------------------------------------------------------------------------- /scripts/make-image-tag.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | # Copyright Authors of Cilium 4 | # SPDX-License-Identifier: Apache-2.0 5 | 6 | set -o errexit 7 | set -o pipefail 8 | set -o nounset 9 | 10 | # This script provides two image tagging mechanisms. 11 | # 12 | # For general images that use most of the tree as input, it's most sensible to 13 | # use git commit hash as a tag, or git version tag. Any tags that do not match 14 | # a simple 2-dot version pattern are ignored, and commit hash is used. 15 | # 16 | # For images that use contents of a subdirectory as input, it's convenient to use 17 | # a git tree hash. Running `git show` with tree hash based tag will display the 18 | # contents of the subdirectory that was used as build input, mitigating any doubts 19 | # in what was used to build this image. Note that the code below currently derives this tag from the committer timestamp and abbreviated hash of the last commit that touched the directory (prefixed with the output of the directory's `version.sh`, if any), not from a tree hash. 20 | # 21 | # For both types of tags, to differentiate any non-authoritative builds, i.e. 22 | # builds from development branches, `-dev` suffix is added. Any builds that may 23 | # include uncommitted changes will have `-wip` tag. 24 | 25 | if [ "$#" -gt 1 ] ; then 26 | echo "$0 supports exactly 1 or no arguments" 27 | exit 1 28 | fi 29 | 30 | root_dir="$(git rev-parse --show-toplevel)" 31 | 32 | cd "${root_dir}" 33 | 34 | if [ "$#" -eq 1 ] ; then 35 | # if one argument was given, assume it's a directory and retrieve its last commit to generate a tag 36 | image_dir="${1}" 37 | if !
[ -d "${image_dir}" ] ; then 38 | echo "${image_dir} is not a directory (path is relative to git root)" 39 | exit 1 40 | fi 41 | timestamp="$(git log -1 --pretty=format:"%ct" "${image_dir}")" 42 | short_commit="$(git log -1 --pretty=format:"%h" "${image_dir}")" 43 | 44 | # If the image has a version script, use it as version prefix 45 | version_prefix="" 46 | if [ -f "${image_dir}/version.sh" ] ; then 47 | version_prefix="$("./${image_dir}/version.sh")" 48 | if [ -n "${version_prefix}" ] ; then 49 | version_prefix="${version_prefix}-" 50 | fi 51 | fi 52 | 53 | image_tag="${version_prefix}${timestamp}-${short_commit}" 54 | else 55 | # if no arguments are given, attempt detecting if version tag is present, 56 | # otherwise use the a short commit hash 57 | image_dir="${root_dir}" 58 | git_tag="$(git name-rev --name-only --tags HEAD)" 59 | if printf "%s" "${git_tag}" | grep -q -E '^[v]?[0-9]+\.[0-9]+\.[0-9]+.*$' ; then 60 | # get tag in conventional format, since name-rev use the format with ^0 suffix, 61 | # however name-rev is required to determine presence of a tag 62 | git_tag="$(git tag --sort tag --points-at "${git_tag}")" 63 | # ensure version tag always has the v prefix and drop duplicates 64 | image_tag="$(printf "%s" "${git_tag}" | sed 's/^[v]*/v/' | uniq)" 65 | else 66 | # if no version tag is given, use commit hash 67 | image_tag="$(git rev-parse --short HEAD)" 68 | # only append -dev suffix when no version tag is used, since tags 69 | # can be set on release branches 70 | if [ -z "${WITHOUT_SUFFIX+x}" ] ; then 71 | if ! 
git merge-base --is-ancestor "$(git rev-parse HEAD)" origin/master ; then 72 | image_tag="${image_tag}-dev" 73 | fi 74 | fi 75 | fi 76 | fi 77 | 78 | if [ -z "${WITHOUT_SUFFIX+x}" ] ; then 79 | if [ "$(git status --porcelain "${image_dir}" | wc -l)" -gt 0 ] ; then 80 | image_tag="${image_tag}-wip" 81 | fi 82 | fi 83 | 84 | printf "%s" "${image_tag}" 85 | -------------------------------------------------------------------------------- /.github/renovate.json5: -------------------------------------------------------------------------------- 1 | { 2 | "$schema": "https://docs.renovatebot.com/renovate-schema.json", 3 | "extends": [ 4 | "config:base", 5 | ":gitSignOff", 6 | "helpers:pinGitHubActionDigests" 7 | ], 8 | // This ensures that the gitAuthor and gitSignOff fields match 9 | "gitAuthor": "renovate[bot] ", 10 | "includePaths": [ 11 | ".github/workflows/**", 12 | "images/**/go.mod", 13 | "images/**/go.sum", 14 | "images/**/Dockerfile" 15 | ], 16 | postUpdateOptions: [ 17 | "gomodTidy" 18 | ], 19 | "pinDigests": true, 20 | "ignorePresets": [":prHourlyLimit2"], 21 | "separateMajorMinor": true, 22 | "separateMultipleMajor": true, 23 | "separateMinorPatch": true, 24 | "pruneStaleBranches": true, 25 | "baseBranches": [ 26 | "master" 27 | ], 28 | "vulnerabilityAlerts": { 29 | "enabled": true 30 | }, 31 | "labels": [ 32 | "renovate/stop-updating", 33 | ], 34 | "stopUpdatingLabel": "renovate/stop-updating", 35 | "packageRules": [ 36 | { 37 | "groupName": "all github action dependencies", 38 | "groupSlug": "all-github-action", 39 | "matchPaths": [ 40 | ".github/workflows/**", 41 | ], 42 | "matchUpdateTypes": [ 43 | "major", 44 | "minor", 45 | "digest", 46 | "patch", 47 | "pin", 48 | "pinDigest" 49 | ] 50 | }, 51 | { 52 | "groupName": "all go dependencies", 53 | "groupSlug": "all-go-deps", 54 | "matchFiles": [ 55 | "go.mod", 56 | "go.sum" 57 | ], 58 | "postUpdateOptions": [ 59 | // update source import paths on major updates 60 | "gomodUpdateImportPaths", 61 | ], 62 | 
"matchUpdateTypes": [ 63 | "major", 64 | "minor", 65 | "digest", 66 | "patch", 67 | "pin", 68 | "pinDigest" 69 | ], 70 | matchBaseBranches: [ 71 | "master" 72 | ], 73 | }, 74 | { 75 | // Avoid updating patch releases of golang in go.mod 76 | "enabled": "false", 77 | "matchFiles": [ 78 | "go.mod", 79 | ], 80 | "matchDepNames": [ 81 | "go" 82 | ], 83 | "matchDatasources": [ 84 | "golang-version" 85 | ], 86 | "matchUpdateTypes": [ 87 | "patch" 88 | ], 89 | matchBaseBranches: [ 90 | "master", 91 | ] 92 | }, 93 | // Group base images updates 94 | { 95 | "matchDatasources": ["docker"], 96 | "matchPackageNames": [ 97 | "docker.io/library/alpine", 98 | "docker.io/library/docker", 99 | "docker.io/library/golang", 100 | "docker.io/library/ubuntu", 101 | "gcr.io/go-containerregistry/crane", 102 | "registry.access.redhat.com/ubi8/ubi" 103 | ], 104 | "schedule": ["on the first day of the month"] 105 | }, 106 | ], 107 | "regexManagers": [ 108 | { 109 | "managerFilePatterns": [ 110 | "^\\.github/workflows/[^/]+\\.yaml$" 111 | ], 112 | // This regex manages version strings in GitHub actions workflow files, 113 | // similar to the examples shown here: 114 | // https://docs.renovatebot.com/modules/manager/regex/#advanced-capture 115 | "matchStrings": [ 116 | "# renovate: datasource=(?.*?) depName=(?.*?)\\s+.+version: (?.*)" 117 | ] 118 | }, 119 | { 120 | "managerFilePatterns": [ 121 | "^go\\.mod$" 122 | ], 123 | "matchStrings": [ 124 | "// renovate: datasource=(?.*?) depName=(?.*?)\\s+go (?.*)" 125 | ] 126 | }, 127 | { 128 | "managerFilePatterns": [ 129 | "images/**/Dockerfile" 130 | ], 131 | "matchStrings": [ 132 | '# renovate: datasource=(?.*?) depName=(?.*?)\\s+ARG .*_VERSION="(?.*)"', 133 | "# renovate: datasource=(?.*?) 
depName=(?.*?)\\s+ARG .*_VERSION=(?.*)" 134 | ] 135 | }, 136 | ] 137 | } 138 | -------------------------------------------------------------------------------- /scripts/build-image.sh: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | 3 | # Copyright Authors of Cilium 4 | # SPDX-License-Identifier: Apache-2.0 5 | 6 | set -o errexit 7 | set -o pipefail 8 | set -o nounset 9 | 10 | MAKER_IMAGE="${MAKER_IMAGE:-quay.io/cilium/image-maker:1755027480-74de989@sha256:be90a4b1ccb7553e54f8eb8224a82a5f886cdbd6057dafc9d36205615f46d696}" 11 | 12 | with_root_context="${ROOT_CONTEXT:-false}" 13 | 14 | if [ "$#" -lt 5 ] ; then 15 | echo "$0 supports minimum 5 argument" 16 | exit 1 17 | fi 18 | 19 | script_dir="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)" 20 | 21 | root_dir="$(git rev-parse --show-toplevel)" 22 | 23 | cd "${root_dir}" 24 | 25 | image_name="${1}" 26 | image_dir="${2}" 27 | 28 | platform="${3}" 29 | builder="${4}" 30 | 31 | shift 4 32 | 33 | registries=("${@}") 34 | 35 | do_build="${FORCE:-false}" 36 | 37 | do_push="${PUSH:-false}" 38 | output="type=image,push=${do_push}" 39 | 40 | if [ "${do_push}" == "false" ]; then 41 | export DOCKER_HUB_PUBLIC_ACCESS_ONLY=true 42 | export QUAY_PUBLIC_ACCESS_ONLY=true 43 | fi 44 | 45 | do_export="${EXPORT:-false}" 46 | 47 | if [ "${with_root_context}" = "false" ] ; then 48 | image_tag="$("${script_dir}/make-image-tag.sh" "${image_dir}")" 49 | else 50 | image_tag="$("${script_dir}/make-image-tag.sh")" 51 | fi 52 | 53 | if [ "${registries[*]}" = "local" ] ; then 54 | echo "will build ${image_name}:${image_tag} due to local mode" 55 | output="type=docker" 56 | do_build="true" 57 | fi 58 | 59 | if [ "${do_export}" = "true" ] ; then 60 | output="type=docker,dest=${image_name}.oci" 61 | fi 62 | 63 | tag_args=() 64 | for registry in "${registries[@]}" ; do 65 | tag_args+=(--tag "${registry}/${image_name}:${image_tag}") 66 | done 67 | 68 | check_image_tag() { 69 | if [ -n 
"${MAKER_CONTAINER+x}" ] || [ "${image_name}" == "image-maker" ] ; then 70 | which crane || (echo "WARNING: crane expected but not found, unable to check if image tag exists" ; return 1) 71 | crane digest "${1}" || (echo "error: crane returned $?" ; return 1) 72 | else 73 | # unlike with other utility scripts we don't want to self-re-exec inside the container, as native `docker buildx` is preferred 74 | docker run --env DOCKER_HUB_PUBLIC_ACCESS_ONLY=true --env QUAY_PUBLIC_ACCESS_ONLY=true --rm --volume "${root_dir}:/src" --workdir /src "${MAKER_IMAGE}" crane digest "${1}" || (echo "error: crane returned $?" ; return 1) 75 | fi 76 | } 77 | 78 | check_registries() { 79 | for registry in "${registries[@]}" ; do 80 | if [ "${registry}" = "local" ] ; then 81 | continue 82 | fi 83 | i="${registry}/${image_name}:${image_tag}" 84 | if ! check_image_tag "${i}" ; then 85 | echo "${i} doesn't exist" 86 | return 1 87 | fi 88 | done 89 | } 90 | 91 | 92 | if [ "${do_build}" = "true" ] ; then 93 | echo "will force-build ${image_name}:${image_tag} without checking the registries" 94 | fi 95 | 96 | if [ "${do_build}" = "false" ] ; then 97 | case "${image_tag}" in 98 | *-dev) 99 | echo "will build ${image_name}:${image_tag} as it has dev suffix" 100 | do_build="true" 101 | ;; 102 | *-wip) 103 | echo "will build ${image_name}:${image_tag} as it has wip suffix" 104 | do_build="true" 105 | ;; 106 | *) 107 | if check_registries ; then 108 | echo "image ${image_name}:${image_tag} is already present in all of the registries" 109 | exit 0 110 | else 111 | echo "will build ${image_name}:${image_tag} as it's either a new version or not present in all of the registries" 112 | do_build="true" 113 | fi 114 | ;; 115 | esac 116 | fi 117 | 118 | do_test="${TEST:-false}" 119 | 120 | run_buildx() { 121 | build_args=( 122 | "--platform=${platform}" 123 | "--builder=${builder}" 124 | "--file=${image_dir}/Dockerfile" 125 | ) 126 | if [ "${with_root_context}" = "false" ] ; then 127 | 
build_args+=("${image_dir}") 128 | else 129 | build_args+=("${root_dir}") 130 | fi 131 | if [ "${do_test}" = "true" ] ; then 132 | if ! docker buildx build --target=test "${build_args[@]}" ; then 133 | exit 1 134 | fi 135 | fi 136 | docker buildx build --output="${output}" "${tag_args[@]}" "${build_args[@]}" 137 | } 138 | 139 | if [ "${do_build}" = "true" ] ; then 140 | echo "building ${image_name}:${image_tag}" 141 | set -o xtrace 142 | if ! run_buildx ; then 143 | if [ -n "${DEBUG+x}" ] ; then 144 | buildkitd_container="$(docker ps --filter "ancestor=moby/buildkit:buildx-stable-1" --filter "name=${builder}" --format "{{.ID}}")" 145 | docker logs "${buildkitd_container}" 146 | fi 147 | exit 1 148 | fi 149 | fi 150 | -------------------------------------------------------------------------------- /.github/workflows/images.yaml: -------------------------------------------------------------------------------- 1 | name: Images 2 | on: 3 | pull_request: {} 4 | push: 5 | branches: [master] 6 | 7 | jobs: 8 | generate-images-matrix: 9 | runs-on: ubuntu-24.04 10 | outputs: 11 | matrix: ${{ steps.generate-images-matrix.outputs.matrix }} 12 | steps: 13 | - name: Checkout repository 14 | uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 15 | - name: Generate images matrix 16 | id: generate-images-matrix 17 | run: echo "matrix=$(ls images | jq -R . 
| jq -sc '{images:.}')" | tee $GITHUB_OUTPUT 18 | 19 | build-and-push: 20 | name: ${{ github.event_name == 'push' && 'Build and push' || 'Build' }} ${{ matrix.image }} image 21 | runs-on: oracle-vm-32cpu-128gb-x86-64 22 | needs: generate-images-matrix 23 | strategy: 24 | fail-fast: false 25 | matrix: 26 | image: ${{ fromJSON(needs.generate-images-matrix.outputs.matrix).images }} 27 | timeout-minutes: 720 28 | steps: 29 | - name: Checkout repository 30 | uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 31 | with: 32 | fetch-depth: 0 33 | 34 | - name: Set up QEMU 35 | uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # v3.7.0 36 | 37 | - name: Set up Docker Buildx 38 | uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1 39 | 40 | - name: Set up job variables 41 | id: vars 42 | run: | 43 | if [ ${{ github.event.issue.pull_request || github.event.pull_request }} ]; then 44 | echo "push=false" >> $GITHUB_OUTPUT 45 | else 46 | echo "push=true" >> $GITHUB_OUTPUT 47 | fi 48 | 49 | if [[ -d images/${{ matrix.image }}/test ]]; then 50 | echo "test=true" >> $GITHUB_OUTPUT 51 | else 52 | echo "test=false" >> $GITHUB_OUTPUT 53 | fi 54 | 55 | IMAGE_TAG=$(scripts/make-image-tag.sh images/${{ matrix.image }}) 56 | echo "image_tag=${IMAGE_TAG}" >> $GITHUB_OUTPUT 57 | 58 | # Map image directory name to image name 59 | case "${{ matrix.image }}" in 60 | bpftool) IMAGE_NAME="cilium-bpftool" ;; 61 | checkpatch) IMAGE_NAME="cilium-checkpatch" ;; 62 | compilers) IMAGE_NAME="image-compilers" ;; 63 | iptables) IMAGE_NAME="iptables" ;; 64 | llvm) IMAGE_NAME="cilium-llvm" ;; 65 | maker) IMAGE_NAME="image-maker" ;; 66 | network-perf) IMAGE_NAME="network-perf" ;; 67 | startup-script) IMAGE_NAME="startup-script" ;; 68 | tester) IMAGE_NAME="image-tester" ;; 69 | *) IMAGE_NAME="${{ matrix.image }}" ;; 70 | esac 71 | echo "image_name=${IMAGE_NAME}" >> $GITHUB_OUTPUT 72 | 73 | # Check if image exists in registry 74 | if 
docker buildx imagetools inspect "quay.io/cilium/${IMAGE_NAME}:${IMAGE_TAG}" >/dev/null 2>&1; then 75 | echo "Image ${IMAGE_NAME}:${IMAGE_TAG} already exists in registry" 76 | echo "build=false" >> $GITHUB_OUTPUT 77 | else 78 | echo "Will build ${IMAGE_NAME}:${IMAGE_TAG} as it's not present in registry" 79 | echo "build=true" >> $GITHUB_OUTPUT 80 | fi 81 | 82 | cat $GITHUB_OUTPUT 83 | 84 | - name: Login to quay.io 85 | if: steps.vars.outputs.build == 'true' && steps.vars.outputs.push == 'true' 86 | uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0 87 | with: 88 | registry: quay.io 89 | username: ${{ secrets.QUAY_USERNAME_IMAGE_TOOLS }} 90 | password: ${{ secrets.QUAY_PASSWORD_IMAGE_TOOLS }} 91 | 92 | - name: ${{ steps.vars.outputs.push == 'true' && 'Build and push' || 'Build' }} image 93 | if: steps.vars.outputs.build == 'true' 94 | uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0 95 | with: 96 | context: images/${{ matrix.image }} 97 | file: images/${{ matrix.image }}/Dockerfile 98 | platforms: linux/amd64,linux/arm64 99 | provenance: false 100 | push: ${{ steps.vars.outputs.push }} 101 | tags: quay.io/cilium/${{ steps.vars.outputs.image_name }}:${{ steps.vars.outputs.image_tag }} 102 | 103 | - name: Test image 104 | if: steps.vars.outputs.build == 'true' && steps.vars.outputs.test == 'true' 105 | uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0 106 | with: 107 | context: images/${{ matrix.image }} 108 | file: images/${{ matrix.image }}/Dockerfile 109 | platforms: linux/amd64,linux/arm64 110 | provenance: false 111 | target: test 112 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # Cilium Dependency Packaging 2 | 3 | This repository contains build definitions for a number of images that are components of the official and development images of 
Cilium. 4 | 5 | The builds are currently hosted in GitHub Actions, but can be ported to any other container-based CI system. 6 | 7 | Portability between CI systems and the ability to run locally are critical, which is why some of these images are preferred over pre-packaged GitHub Actions. 8 | Also, pre-packaged actions often download dependencies on-the-fly, potentially increasing build times and causing flakiness. A registry is a network 9 | resource, which could be unreliable at times; however, it can be mirrored easily, unlike GitHub releases. 10 | Some of the images do depend on GitHub releases or other HTTP blob storage providers, but there is no easy way around that, as the only alternative 11 | would be to build all of the dependencies from source, which is not feasible. 12 | 13 | All images are [multi-platform](https://docs.docker.com/build/building/multi-platform/) images supporting the following platforms: 14 | * `linux/amd64` 15 | * `linux/arm64` 16 | 17 | ## Images 18 | 19 | ### [`images/maker`](images/maker/Dockerfile) 20 | 21 | This image consists of core tools used for building all other images, which include `bash`, `make` and `docker` (with [`buildx`](https://github.com/docker/buildx)) 22 | and [`crane`](https://github.com/google/go-containerregistry/blob/master/cmd/crane). 23 | This image enables using the latest BuildKit features without depending on whatever Docker daemon/client the CI host provides. 24 | Since `buildx` runs a BuildKit daemon inside a container, it's largely independent of what version of Docker daemon it runs on. 25 | 26 | This image also includes a secure credentials helper - [`docker-credential-env`](http://github.com/errordeveloper/docker-credential-env), 27 | which avoids having to use `docker login`, which stores a plain-text token in `${DOCKER_CONFIG}/config.json`. 28 | 29 | ### [`images/compilers`](images/compilers/Dockerfile) 30 | 31 | This image consists of compilers and libraries needed to build other images for `amd64` and `arm64`. 
32 | 33 | ### [`images/bpftool`](images/bpftool/Dockerfile) 34 | 35 | This image consists of the `bpftool` binary statically linked and built from [`libbpf/bpftool`](https://github.com/libbpf/bpftool). 36 | 37 | ### [`images/llvm`](images/llvm/Dockerfile) 38 | 39 | This image consists of the `llc`, `clang`, `llvm-objcopy` and `llvm-strip` binaries statically linked and built from [`llvm/llvm-project`](https://github.com/llvm/llvm-project). 40 | 41 | This image is a custom BPF-only distribution of LLVM. 42 | 43 | ### [`images/checkpatch`](images/checkpatch/Dockerfile) 44 | 45 | This image packages the [checkpatch.pl](images/checkpatch/checkpatch.pl) script used to check format and consistency for the patches submitted for inclusion in the Linux kernel, along with related files and a wrapper script. 46 | 47 | While the script itself is directly copied from [the upstream version in the kernel repository](https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/scripts/checkpatch.pl), a number of patches are applied before the script is run. These patches mostly address a number of false positives for Cilium's code base. 48 | 49 | ### [`images/tester`](images/tester/Dockerfile) 50 | 51 | This image contains a [simple Go program](images/tester/cst/main.go), which is a minimal version of [`container-structure-test`](https://github.com/GoogleContainerTools/container-structure-test). 52 | It's adapted to run inside a container build context more easily than the original `container-structure-test`. 
53 | 54 | Here is how testing is accomplished in the `llvm` image: 55 | - [`images/llvm/Dockerfile`](https://github.com/cilium/image-tools/blob/3686e2885e854242f8835d6edfc7413dd7c4c476/images/llvm/Dockerfile#L25-L27) 56 | - [`images/llvm/test/spec.yaml`](https://github.com/cilium/image-tools/blob/3686e2885e854242f8835d6edfc7413dd7c4c476/images/llvm/test/spec.yaml) 57 | 58 | 59 | ## Usage 60 | 61 | ### Making changes 62 | 63 | All images get automatic tags based on the latest commit of the image directory. Tags used to be based on unique [git tree object hash](https://git-scm.com/book/en/v2/Git-Internals-Git-Objects), but due to setting up renovate to automatically update images, and the inability to order sha1 values by time, the new tagging system uses a combination of the timestamp and the short sha1 of the latest commit for the image directory, using the [git log command with the image directory as a path parameter](https://git-scm.com/book/en/v2/Git-Basics-Viewing-the-Commit-History). 
64 | 65 | As a result of this, the following holds: 66 | 67 | - image build definitions can be obtained with `git show ` 68 | - image build is defined by the last commit that modified the image directory 69 | - when changes are committed to an image directory, a new tag is generated 70 | - if there is a new tag, the image is rebuilt and pushed with that new tag 71 | 72 | This does not cater for reproducible builds; however, it serves as a basis for reliable builds, especially when the following rules 73 | are also applied to any build definitions: 74 | 75 | - all `FROM` statements use digests (use `scripts/get-image-digest.sh`) 76 | - any system packages are installed in a separate image that is referenced by a digest (that's how `images/compilers` is designed) 77 | - pinning system packages can be quite laborious, especially because most of the time what you want is newer than what the distribution offers, 78 | so it's much easier to let the package manager get the latest and then pin down the result by digest, so every time there is a change 79 | in underlying system packages, that is explicitly recorded by a change of digest in each image that uses the base image 80 | 81 | Be sure to use `make lint`, which will run [`shellcheck`](https://github.com/koalaman/shellcheck) and [`hadolint`](https://github.com/hadolint/hadolint). 82 | 83 | For details of how this works, see the following: 84 | 85 | - [`Makefile`](Makefile) 86 | - [`scripts/build-image.sh`](scripts/build-image.sh) 87 | - [`scripts/make-image-tag.sh`](scripts/make-image-tag.sh) 88 | - [`images/maker`](images/maker/Dockerfile) 89 | - [`images/compilers`](images/compilers/Dockerfile) 90 | 91 | ### Building Locally 92 | 93 | One should be able to build images locally as long as they have Docker installed with [`buildx` plug-in](https://docs.docker.com/buildx/working-with-buildx/). 
94 | 95 | ### Updating `images/{maker,compilers}` 96 | 97 | When you have dependencies that need to be added to these images before using them in one of the other images, e.g. if you need to add a system 98 | library in `compilers` image that will be used for compiling something else, you should make a PR to update `compilers` first. 99 | However, that's only required for full integration, and you can build images locally if you prefer, you can also push them to your own Docker Hub 100 | account or any other registry. 101 | 102 | When changes to these images are merged into master, builds should run and push new images to each of the registries. 103 | Once new images are out, renovatebot will open a PR to update all dependent images. 104 | -------------------------------------------------------------------------------- /images/checkpatch/checkpatch.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | # SPDX-License-Identifier: Apache-2.0 3 | # Copyright Authors of Cilium 4 | 5 | set -eu -o pipefail 6 | 7 | # Default options for checkpatch 8 | options=( 9 | --no-tree 10 | --strict 11 | --no-summary 12 | --show-types 13 | "--color=always" 14 | ) 15 | 16 | # Report types to ignore 17 | ignore_list=( 18 | # Errors 19 | COMPLEX_MACRO 20 | GIT_COMMIT_ID 21 | MULTISTATEMENT_MACRO_USE_DO_WHILE 22 | NOT_UNIFIED_DIFF 23 | # Warnings 24 | COMMIT_LOG_LONG_LINE 25 | COMMIT_MESSAGE 26 | CONSTANT_CONVERSION 27 | CONST_STRUCT 28 | EMAIL_SUBJECT 29 | FILE_PATH_CHANGES 30 | FROM_SIGN_OFF_MISMATCH 31 | JIFFIES_COMPARISON 32 | LEADING_SPACE 33 | MACRO_WITH_FLOW_CONTROL 34 | PRINTK_WITHOUT_KERN_LEVEL 35 | TRAILING_SEMICOLON 36 | TRAILING_STATEMENTS 37 | VOLATILE 38 | # Checks 39 | BIT_MACRO 40 | LONG_LINE_COMMENT 41 | # Ignore tolerance that comes by default 42 | C99_COMMENT_TOLERANCE 43 | ) 44 | ignores=$(IFS=,; echo "${ignore_list[*]}") 45 | 46 | # Report types that checkpatch downgrades from warning to checks for --file 47 | 
type_list=( 48 | AVOID_BUG 49 | DEPRECATED_TERM 50 | FSF_MAILING_ADDRESS 51 | LONG_LINE 52 | #LONG_LINE_COMMENT # Not desired 53 | LONG_LINE_STRING 54 | #PREFER_FALLTHROUGH # fallthrough; not implemented 55 | #SPDX_LICENSE_TAG # Downgraded for a specific case, not relevant here 56 | TYPO_SPELLING 57 | ) 58 | types=$(IFS=,; echo "${type_list[*]}") 59 | 60 | script_dir="$(dirname "$(realpath "$0")")" 61 | 62 | # Script checkpatch.pl comes from the Linux repository. It is available at: 63 | # https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/plain/scripts/checkpatch.pl 64 | # The accompanying spelling file can be downloaded from: 65 | # https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/plain/scripts/spelling.txt 66 | checkpatch="$script_dir/checkpatch.pl" 67 | 68 | HL_START="\e[1;34m" 69 | HL_END="\e[0m" 70 | 71 | GH_ERROR_PREFIX="::error::" 72 | GH_WARN_PREFIX="::warning::" 73 | 74 | usage() { 75 | echo "Usage: $0 [options] [-- checkpatch.pl options]" 76 | echo " Run checkpatch on BPF code. By default, run checkpatch on:" 77 | echo " - All commits from a PR, if run as a GitHub action" 78 | echo " - All commits since parent ref, and diff from HEAD otherwise" 79 | echo "Options:" 80 | echo " -a (all code) Run checkpatch on all BPF files instead of Git commits" 81 | echo " -i (indulgent) Do not pass '--strict' to checkpatch" 82 | echo " -q (quiet) Pass '--quiet' to checkpatch" 83 | echo " -h Display this help" 84 | echo " Options passed after a ' -- ' delimiter are directly passed to" 85 | echo " checkpatch.pl (e.g. '$0 -- --fix-inplace')" 86 | exit "$1" 87 | } 88 | 89 | check_cmd() { 90 | for cmd in "$@"; do 91 | if ! (command -v "$cmd" >/dev/null); then 92 | echo "Error: $cmd not found." 93 | exit 1 94 | fi 95 | done 96 | } 97 | 98 | update_sources() { 99 | readarray -d '' sources < <(find bpf -name "*.[ch]" ! -path "bpf/include/elf/*" ! 
-path "bpf/include/linux/*" -print0) 100 | if [ "${#sources[@]}" -eq 0 ]; then 101 | echo "Please run this script from the root of Cilium's repository." 102 | exit 1 103 | fi 104 | } 105 | 106 | check_commit_subject_width() { 107 | # Skip check for renovate commits 108 | author_email=$(git show -s --pretty=format:%ae "$1") 109 | if [[ "$author_email" == *"cilium-renovate"* ]]; then 110 | return 0 111 | fi 112 | 113 | subject=$(git show -s --pretty=format:%s "$1") 114 | width="${#2}" 115 | if [ "$width" -gt 75 ]; then 116 | echo -e "${gh_action:+$GH_ERROR_PREFIX}\e[;31mERROR:\e[34mCUSTOM:${HL_END} Please avoid long commit subjects (max: 75, found: $width)" 117 | ret=1 118 | fi 119 | } 120 | 121 | custom_checks() { 122 | # If the list of custom tests grows, consider moving it to another file. 123 | check_commit_subject_width "$@" 124 | } 125 | 126 | prepend_gh_action_commands() { 127 | gh_action="$1" 128 | if [ -n "$gh_action" ]; then 129 | sed -e "s/^\x1b\[31mERROR:/$GH_ERROR_PREFIX&/" -e "s/^\x1b\[\(33mWARNING\|34mCHECK\):/$GH_WARN_PREFIX&/" 130 | else 131 | cat 132 | fi 133 | } 134 | 135 | check_commit() { 136 | local i nb_commits sha subject gh_action 137 | i="$1" 138 | nb_commits="$2" 139 | sha="$3" 140 | subject="$4" 141 | gh_action="$5" 142 | 143 | echo "=========================================================" 144 | echo "[$i/$nb_commits] Running on $sha" 145 | echo -e "$HL_START$subject$HL_END" 146 | echo "=========================================================" 147 | # Recompute list of source files each time in case commit changes it 148 | update_sources 149 | ( 150 | # Show diff for patches touching bpf/, show log otherwise 151 | # If we show log, fake some content, because checkpatch.pl checks the 152 | # length of the commit object only once it's out of the headers. 
153 | git show --format=email "$sha" -- "${sources[@]}" | 154 | ifne -n cat \ 155 | <(git log --format=email "$sha"~.."$sha") \ 156 | <(echo 'diff --git a/dev/null b/dev/null') \ 157 | <(echo 'index 000000000000..000000000001 100644') \ 158 | <(echo '--- a/dev/null') \ 159 | <(echo '+++ b/dev/null') \ 160 | <(echo '@@ -1,1 +1,1 @@') \ 161 | <(echo '-') \ 162 | <(echo '+.') | 163 | "$checkpatch" "${options[@]}" --ignore "$ignores" "${cli_options[@]}" | 164 | prepend_gh_action_commands "$gh_action" 165 | # prepend_gh_action_commands() does not preserve the return code from 166 | # checkpatch. Make sure the subshell returns with the status from the 167 | # second-to-last command of the pipeline. 168 | test "${PIPESTATUS[${#PIPESTATUS[@]}-2]}" -eq 0 169 | ) || ret=1 170 | # Apply custom checks on all commits, whether or not they touch bpf/ 171 | custom_checks "$sha" "$subject" "$gh_action" 172 | } 173 | 174 | all_code=0 175 | indulgent=0 176 | OPTIND=1 177 | while getopts "haiq" opt; do 178 | case "$opt" in 179 | h) 180 | usage 0 181 | ;; 182 | a) 183 | all_code=1 184 | ;; 185 | i) 186 | indulgent=1 187 | for i in "${!options[@]}"; do 188 | if [[ "${options[i]}" = "--strict" ]]; then 189 | unset 'options[i]' 190 | break 191 | fi 192 | done 193 | ;; 194 | q) 195 | options+=(--quiet) 196 | ;; 197 | *) 198 | usage 1 199 | ;; 200 | esac 201 | done 202 | shift $((OPTIND-1)) 203 | [[ "${1:-}" = "--" ]] && shift 204 | cli_options=( "$@" ) 205 | 206 | # If -a option provided, simply run checkpatch on all *.c *.h code and exit 207 | if [ $all_code -eq 1 ]; then 208 | update_sources 209 | echo -e "${HL_START}Checking files:$HL_END $(echo "${sources[@]}" | tr '\n' ' ')" 210 | ret=0 211 | "$checkpatch" "${options[@]}" --ignore "$ignores" "${cli_options[@]}" -f "${sources[@]}" || ret=1 212 | if [ $indulgent -eq 1 ]; then 213 | echo -e "${HL_START}Second run, to report 'checks' that should normally be 'warnings'...$HL_END" 214 | # Re-run to cover types downgraded to checks by 
checkpatch when running 215 | # on files, to be on par with what we do for commits. 216 | "$checkpatch" "${options[@]}" --strict --types "$types" "${cli_options[@]}" -f "${sources[@]}" || ret=1 217 | fi 218 | echo -e "${HL_START}All done$HL_END" 219 | exit $ret 220 | fi 221 | 222 | check_cmd git ifne jq 223 | 224 | if [ -n "${GITHUB_REF-}" ]; then 225 | # Running as GitHub action 226 | # We'll run checkpatch on each commit from the PR 227 | check_cmd curl 228 | pr=${GITHUB_REF#"refs/pull/"} 229 | prnum=${pr%"/merge"} 230 | commits_url="https://api.github.com/repos/${GITHUB_REPOSITORY}/pulls/${prnum}/commits?per_page=100" 231 | list_commits=$(curl --fail --show-error --silent \ 232 | -H "Accept: application/vnd.github+json" \ 233 | -H "Authorization: Bearer ${GITHUB_TOKEN}" \ 234 | -H "X-GitHub-Api-Version: 2022-11-28" \ 235 | "$commits_url" | \ 236 | jq '[.[]|{sha: .sha, subject: (.commit.message | sub("\n\n.*"; ""; "m"))}]') 237 | pr_info="from PR #$prnum" 238 | else 239 | # Running locally 240 | # We'll run checkpatch on each commit since newest parent ref 241 | parent_ref=$(git log --simplify-by-decoration --pretty=format:'%D' -n 2 | sed -n '2{s/,.*//;s/^tag: //;p}') 242 | list_commits=$(git log --pretty=format:"%H %s" "$parent_ref".. 
| awk ' 243 | BEGIN {print "["} 244 | { 245 | if (NR>1) 246 | print ","; 247 | sha=$1; 248 | sub(/[^ ]* /, ""); 249 | gsub(/"/, "\\\""); 250 | print "{\"sha\":\"" sha "\", \"subject\":\"" $0 "\"}" 251 | } 252 | END {print "]"}') 253 | pr_info="on top of ref $parent_ref" 254 | fi 255 | nb_commits=$(echo "$list_commits" | jq length) 256 | 257 | echo "Retrieved $nb_commits commits $pr_info" 258 | echo 259 | 260 | ret=0 261 | # Run checkpatch for BPF changes on all selected commits 262 | for ((i=0; i/dev/null; then 270 | echo "=========================================================" 271 | echo -e "${HL_START}Running on changes from local HEAD$HL_END" 272 | echo "=========================================================" 273 | update_sources 274 | (git diff HEAD -- "${sources[@]}" | "$checkpatch" "${options[@]}" --ignore "$ignores" "${cli_options[@]}") || ret=1 275 | fi 276 | 277 | echo -e "${HL_START}All done$HL_END" 278 | 279 | exit $ret 280 | -------------------------------------------------------------------------------- /images/tester/cst/go.sum: -------------------------------------------------------------------------------- 1 | github.com/AdaLogics/go-fuzz-headers v0.0.0-20240806141605-e8a1dd7889d6 h1:He8afgbRMd7mFxO99hRNu+6tazq8nFF9lIwo9JFroBk= 2 | github.com/AdaLogics/go-fuzz-headers v0.0.0-20240806141605-e8a1dd7889d6/go.mod h1:8o94RPi1/7XTJvwPpRSzSUedZrtlirdB3r9Z20bi2f8= 3 | github.com/Azure/go-ansiterm v0.0.0-20230124172434-306776ec8161 h1:L/gRVlceqvL25UVaW/CKtUDjefjrs0SPonmDGUVOYP0= 4 | github.com/Azure/go-ansiterm v0.0.0-20230124172434-306776ec8161/go.mod h1:xomTg63KZ2rFqZQzSB4Vz2SUXa1BpHTVz9L5PTmPC4E= 5 | github.com/GoogleContainerTools/container-structure-test v1.22.0 h1:hbM/12QOt0gnWzXDLo6HevLRdXWbjrkDPzHfsOOtAto= 6 | github.com/GoogleContainerTools/container-structure-test v1.22.0/go.mod h1:w5z7D64oqetKtZp7iMXUe1gj+i38ypPAHW7FXETg4QA= 7 | github.com/Microsoft/go-winio v0.6.2 h1:F2VQgta7ecxGYO8k3ZZz3RS8fVIXVxONVUPlNERoyfY= 8 | 
github.com/Microsoft/go-winio v0.6.2/go.mod h1:yd8OoFMLzJbo9gZq8j5qaps8bJ9aShtEA8Ipt1oGCvU= 9 | github.com/cenkalti/backoff/v4 v4.3.0 h1:MyRJ/UdXutAwSAT+s3wNd7MfTIcy71VQueUuFK343L8= 10 | github.com/cenkalti/backoff/v4 v4.3.0/go.mod h1:Y3VNntkOUPxTVeUxJ/G5vcM//AlwfmyYozVcomhLiZE= 11 | github.com/containerd/errdefs v1.0.0 h1:tg5yIfIlQIrxYtu9ajqY42W3lpS19XqdxRQeEwYG8PI= 12 | github.com/containerd/errdefs v1.0.0/go.mod h1:+YBYIdtsnF4Iw6nWZhJcqGSg/dwvV7tyJ/kCkyJ2k+M= 13 | github.com/containerd/errdefs/pkg v0.3.0 h1:9IKJ06FvyNlexW690DXuQNx2KA2cUJXx151Xdx3ZPPE= 14 | github.com/containerd/errdefs/pkg v0.3.0/go.mod h1:NJw6s9HwNuRhnjJhM7pylWwMyAkmCQvQ4GpJHEqRLVk= 15 | github.com/containerd/log v0.1.0 h1:TCJt7ioM2cr/tfR8GPbGf9/VRAX8D2B4PjzCpfX540I= 16 | github.com/containerd/log v0.1.0/go.mod h1:VRRf09a7mHDIRezVKTRCrOq78v577GXq3bSa3EhrzVo= 17 | github.com/containerd/stargz-snapshotter/estargz v0.16.3 h1:7evrXtoh1mSbGj/pfRccTampEyKpjpOnS3CyiV1Ebr8= 18 | github.com/containerd/stargz-snapshotter/estargz v0.16.3/go.mod h1:uyr4BfYfOj3G9WBVE8cOlQmXAbPN9VEQpBBeJIuOipU= 19 | github.com/creack/pty v1.1.18 h1:n56/Zwd5o6whRC5PMGretI4IdRLlmBXYNjScPaBgsbY= 20 | github.com/creack/pty v1.1.18/go.mod h1:MOBLtS5ELjhRRrroQr9kyvTxUAFNvYEK993ew/Vr4O4= 21 | github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= 22 | github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c= 23 | github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= 24 | github.com/distribution/reference v0.6.0 h1:0IXCQ5g4/QMHHkarYzh5l+u8T3t73zM5QvfrDyIgxBk= 25 | github.com/distribution/reference v0.6.0/go.mod h1:BbU0aIcezP1/5jX/8MP0YiH4SdvB5Y4f/wlDRiLyi3E= 26 | github.com/docker/cli v28.2.2+incompatible h1:qzx5BNUDFqlvyq4AHzdNB7gSyVTmU4cgsyN9SdInc1A= 27 | github.com/docker/cli v28.2.2+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8= 28 | github.com/docker/distribution v2.8.3+incompatible 
h1:AtKxIZ36LoNK51+Z6RpzLpddBirtxJnzDrHLEKxTAYk= 29 | github.com/docker/distribution v2.8.3+incompatible/go.mod h1:J2gT2udsDAN96Uj4KfcMRqY0/ypR+oyYUYmja8H+y+w= 30 | github.com/docker/docker v28.3.3+incompatible h1:Dypm25kh4rmk49v1eiVbsAtpAsYURjYkaKubwuBdxEI= 31 | github.com/docker/docker v28.3.3+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk= 32 | github.com/docker/docker-credential-helpers v0.9.3 h1:gAm/VtF9wgqJMoxzT3Gj5p4AqIjCBS4wrsOh9yRqcz8= 33 | github.com/docker/docker-credential-helpers v0.9.3/go.mod h1:x+4Gbw9aGmChi3qTLZj8Dfn0TD20M/fuWy0E5+WDeCo= 34 | github.com/docker/go-connections v0.5.0 h1:USnMq7hx7gwdVZq1L49hLXaFtUdTADjXGp+uj1Br63c= 35 | github.com/docker/go-connections v0.5.0/go.mod h1:ov60Kzw0kKElRwhNs9UlUHAE/F9Fe6GLaXnqyDdmEXc= 36 | github.com/docker/go-units v0.5.0 h1:69rxXcBk27SvSaaxTtLh/8llcHD8vYHT7WSdRZ/jvr4= 37 | github.com/docker/go-units v0.5.0/go.mod h1:fgPhTUdO+D/Jk86RDLlptpiXQzgHJF7gydDDbaIK4Dk= 38 | github.com/felixge/httpsnoop v1.0.4 h1:NFTV2Zj1bL4mc9sqWACXbQFVBBg2W3GPvqp8/ESS2Wg= 39 | github.com/felixge/httpsnoop v1.0.4/go.mod h1:m8KPJKqk1gH5J9DgRY2ASl2lWCfGKXixSwevea8zH2U= 40 | github.com/fsouza/go-dockerclient v1.11.2 h1:Wos4OMUwIjOW2rt8Z10TZSJHxgQH0KcYyf3O86dqFII= 41 | github.com/fsouza/go-dockerclient v1.11.2/go.mod h1:HZN6ky2Mg5mfZO/WZBFDe6XCricqTnDJntfXHZTYnQQ= 42 | github.com/go-logr/logr v1.2.2/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A= 43 | github.com/go-logr/logr v1.4.3 h1:CjnDlHq8ikf6E492q6eKboGOC0T8CDaOvkHCIg8idEI= 44 | github.com/go-logr/logr v1.4.3/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY= 45 | github.com/go-logr/stdr v1.2.2 h1:hSWxHoqTgW2S2qGc0LTAI563KZ5YKYRhT3MFKZMbjag= 46 | github.com/go-logr/stdr v1.2.2/go.mod h1:mMo/vtBO5dYbehREoey6XUKy/eSumjCCveDpRre4VKE= 47 | github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q= 48 | github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q= 49 | github.com/google/go-cmp v0.7.0 
h1:wk8382ETsv4JYUZwIsn6YpYiWiBsYLSJiTsyBybVuN8= 50 | github.com/google/go-cmp v0.7.0/go.mod h1:pXiqmnSA92OHEEa9HXL2W4E7lf9JzCmGVUdgjX3N/iU= 51 | github.com/google/go-containerregistry v0.20.6 h1:cvWX87UxxLgaH76b4hIvya6Dzz9qHB31qAwjAohdSTU= 52 | github.com/google/go-containerregistry v0.20.6/go.mod h1:T0x8MuoAoKX/873bkeSfLD2FAkwCDf9/HZgsFJ02E2Y= 53 | github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0= 54 | github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= 55 | github.com/grpc-ecosystem/grpc-gateway/v2 v2.24.0 h1:TmHmbvxPmaegwhDubVz0lICL0J5Ka2vwTzhoePEXsGE= 56 | github.com/grpc-ecosystem/grpc-gateway/v2 v2.24.0/go.mod h1:qztMSjm835F2bXf+5HKAPIS5qsmQDqZna/PgVt4rWtI= 57 | github.com/joho/godotenv v1.5.1 h1:7eLL/+HRGLY0ldzfGMeQkb7vMd0as4CfYvUVzLqw0N0= 58 | github.com/joho/godotenv v1.5.1/go.mod h1:f4LDr5Voq0i2e/R5DDNOoa2zzDfwtkZa6DnEwAbqwq4= 59 | github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8= 60 | github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck= 61 | github.com/klauspost/compress v1.18.0 h1:c/Cqfb0r+Yi+JtIEq73FWXVkRonBlf0CRNYc8Zttxdo= 62 | github.com/klauspost/compress v1.18.0/go.mod h1:2Pp+KzxcywXVXMr50+X0Q/Lsb43OQHYWRCY2AiWywWQ= 63 | github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE= 64 | github.com/kr/pretty v0.3.1/go.mod h1:hoEshYVHaxMs3cyo3Yncou5ZscifuDolrwPKZanG3xk= 65 | github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY= 66 | github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE= 67 | github.com/mitchellh/go-homedir v1.1.0 h1:lukF9ziXFxDFPkA1vsr5zpc1XuPDn/wFntq5mG+4E0Y= 68 | github.com/mitchellh/go-homedir v1.1.0/go.mod h1:SfyaCUpYCn1Vlf4IUYiD9fPX4A5wJrkLzIz1N1q0pr0= 69 | github.com/moby/docker-image-spec v1.3.1 h1:jMKff3w6PgbfSa69GfNg+zN/XLhfXJGnEx3Nl2EsFP0= 70 | github.com/moby/docker-image-spec v1.3.1/go.mod 
h1:eKmb5VW8vQEh/BAr2yvVNvuiJuY6UIocYsFu/DxxRpo= 71 | github.com/moby/go-archive v0.1.0 h1:Kk/5rdW/g+H8NHdJW2gsXyZ7UnzvJNOy6VKJqueWdcQ= 72 | github.com/moby/go-archive v0.1.0/go.mod h1:G9B+YoujNohJmrIYFBpSd54GTUB4lt9S+xVQvsJyFuo= 73 | github.com/moby/patternmatcher v0.6.0 h1:GmP9lR19aU5GqSSFko+5pRqHi+Ohk1O69aFiKkVGiPk= 74 | github.com/moby/patternmatcher v0.6.0/go.mod h1:hDPoyOpDY7OrrMDLaYoY3hf52gNCR/YOUYxkhApJIxc= 75 | github.com/moby/sys/atomicwriter v0.1.0 h1:kw5D/EqkBwsBFi0ss9v1VG3wIkVhzGvLklJ+w3A14Sw= 76 | github.com/moby/sys/atomicwriter v0.1.0/go.mod h1:Ul8oqv2ZMNHOceF643P6FKPXeCmYtlQMvpizfsSoaWs= 77 | github.com/moby/sys/sequential v0.6.0 h1:qrx7XFUd/5DxtqcoH1h438hF5TmOvzC/lspjy7zgvCU= 78 | github.com/moby/sys/sequential v0.6.0/go.mod h1:uyv8EUTrca5PnDsdMGXhZe6CCe8U/UiTWd+lL+7b/Ko= 79 | github.com/moby/sys/user v0.4.0 h1:jhcMKit7SA80hivmFJcbB1vqmw//wU61Zdui2eQXuMs= 80 | github.com/moby/sys/user v0.4.0/go.mod h1:bG+tYYYJgaMtRKgEmuueC0hJEAZWwtIbZTB+85uoHjs= 81 | github.com/moby/sys/userns v0.1.0 h1:tVLXkFOxVu9A64/yh59slHVv9ahO9UIev4JZusOLG/g= 82 | github.com/moby/sys/userns v0.1.0/go.mod h1:IHUYgu/kao6N8YZlp9Cf444ySSvCmDlmzUcYfDHOl28= 83 | github.com/moby/term v0.5.0 h1:xt8Q1nalod/v7BqbG21f8mQPqH+xAaC9C3N3wfWbVP0= 84 | github.com/moby/term v0.5.0/go.mod h1:8FzsFHVUBGZdbDsJw/ot+X+d5HLUbvklYLJ9uGfcI3Y= 85 | github.com/morikuni/aec v1.0.0 h1:nP9CBfwrvYnBRgY6qfDQkygYDmYwOilePFkwzv4dU8A= 86 | github.com/morikuni/aec v1.0.0/go.mod h1:BbKIizmSmc5MMPqRYbxO4ZU0S0+P200+tUnFx7PXmsc= 87 | github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U= 88 | github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM= 89 | github.com/opencontainers/image-spec v1.1.1 h1:y0fUlFfIZhPF1W537XOLg0/fcx6zcHCJwooC2xJA040= 90 | github.com/opencontainers/image-spec v1.1.1/go.mod h1:qpqAh3Dmcf36wStyyWU+kCeDgrGnAve2nCC8+7h8Q0M= 91 | github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4= 92 | 
github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= 93 | github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM= 94 | github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= 95 | github.com/rogpeppe/go-internal v1.13.1 h1:KvO1DLK/DRN07sQ1LQKScxyZJuNnedQ5/wKSR38lUII= 96 | github.com/rogpeppe/go-internal v1.13.1/go.mod h1:uMEvuHeurkdAXX61udpOXGD/AzZDWNMNyH2VO9fmH0o= 97 | github.com/sirupsen/logrus v1.9.3 h1:dueUQJ1C2q9oE3F7wvmSGAaVtTmUizReu6fjN8uqzbQ= 98 | github.com/sirupsen/logrus v1.9.3/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ= 99 | github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= 100 | github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= 101 | github.com/stretchr/testify v1.10.0 h1:Xv5erBjTwe/5IxqUQTdXv5kgmIvbHo3QQyRwhJsOfJA= 102 | github.com/stretchr/testify v1.10.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY= 103 | github.com/vbatts/tar-split v0.12.1 h1:CqKoORW7BUWBe7UL/iqTVvkTBOF8UvOMKOIZykxnnbo= 104 | github.com/vbatts/tar-split v0.12.1/go.mod h1:eF6B6i6ftWQcDqEn3/iGFRFRo8cBIMSJVOpnNdfTMFA= 105 | github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= 106 | github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= 107 | go.opentelemetry.io/auto/sdk v1.1.0 h1:cH53jehLUN6UFLY71z+NDOiNJqDdPRaXzTel0sJySYA= 108 | go.opentelemetry.io/auto/sdk v1.1.0/go.mod h1:3wSPjt5PWp2RhlCcmmOial7AvC4DQqZb7a7wCow3W8A= 109 | go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.61.0 h1:F7Jx+6hwnZ41NSFTO5q4LYDtJRXBf2PD0rNBkeB/lus= 110 | go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.61.0/go.mod h1:UHB22Z8QsdRDrnAtX4PntOl36ajSxcdUMt1sF7Y6E7Q= 111 | go.opentelemetry.io/otel v1.37.0 h1:9zhNfelUvx0KBfu/gb+ZgeAfAgtWrfHJZcAqFC228wQ= 112 | go.opentelemetry.io/otel v1.37.0/go.mod 
h1:ehE/umFRLnuLa/vSccNq9oS1ErUlkkK71gMcN34UG8I= 113 | go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.33.0 h1:Vh5HayB/0HHfOQA7Ctx69E/Y/DcQSMPpKANYVMQ7fBA= 114 | go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.33.0/go.mod h1:cpgtDBaqD/6ok/UG0jT15/uKjAY8mRA53diogHBg3UI= 115 | go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.33.0 h1:wpMfgF8E1rkrT1Z6meFh1NDtownE9Ii3n3X2GJYjsaU= 116 | go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.33.0/go.mod h1:wAy0T/dUbs468uOlkT31xjvqQgEVXv58BRFWEgn5v/0= 117 | go.opentelemetry.io/otel/metric v1.37.0 h1:mvwbQS5m0tbmqML4NqK+e3aDiO02vsf/WgbsdpcPoZE= 118 | go.opentelemetry.io/otel/metric v1.37.0/go.mod h1:04wGrZurHYKOc+RKeye86GwKiTb9FKm1WHtO+4EVr2E= 119 | go.opentelemetry.io/otel/sdk v1.36.0 h1:b6SYIuLRs88ztox4EyrvRti80uXIFy+Sqzoh9kFULbs= 120 | go.opentelemetry.io/otel/sdk v1.36.0/go.mod h1:+lC+mTgD+MUWfjJubi2vvXWcVxyr9rmlshZni72pXeY= 121 | go.opentelemetry.io/otel/sdk/metric v1.36.0 h1:r0ntwwGosWGaa0CrSt8cuNuTcccMXERFwHX4dThiPis= 122 | go.opentelemetry.io/otel/sdk/metric v1.36.0/go.mod h1:qTNOhFDfKRwX0yXOqJYegL5WRaW376QbB7P4Pb0qva4= 123 | go.opentelemetry.io/otel/trace v1.37.0 h1:HLdcFNbRQBE2imdSEgm/kwqmQj1Or1l/7bW6mxVK7z4= 124 | go.opentelemetry.io/otel/trace v1.37.0/go.mod h1:TlgrlQ+PtQO5XFerSPUYG0JSgGyryXewPGyayAWSBS0= 125 | go.opentelemetry.io/proto/otlp v1.4.0 h1:TA9WRvW6zMwP+Ssb6fLoUIuirti1gGbP28GcKG1jgeg= 126 | go.opentelemetry.io/proto/otlp v1.4.0/go.mod h1:PPBWZIP98o2ElSqI35IHfu7hIhSwvc5N38Jw8pXuGFY= 127 | golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= 128 | golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= 129 | golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= 130 | golang.org/x/crypto v0.45.0 h1:jMBrvKuj23MTlT0bQEOBcAE0mjg8mK9RXFhRH6nyF3Q= 131 | golang.org/x/crypto v0.45.0/go.mod 
h1:XTGrrkGJve7CYK7J8PEww4aY7gM3qMCElcJQ8n8JdX4= 132 | golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= 133 | golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= 134 | golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= 135 | golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= 136 | golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= 137 | golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU= 138 | golang.org/x/net v0.47.0 h1:Mx+4dIFzqraBXUugkia1OOvlD6LemFo1ALMHjrXDOhY= 139 | golang.org/x/net v0.47.0/go.mod h1:/jNxtkgq5yWUGYkaZGqo27cfGZ1c5Nen03aYrrKpVRU= 140 | golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= 141 | golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= 142 | golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= 143 | golang.org/x/sync v0.15.0 h1:KWH3jNZsfyT6xfAfKiz6MRNmd46ByHDYaZ7KSkCtdW8= 144 | golang.org/x/sync v0.15.0/go.mod h1:1dzgHSNfp02xaA81J2MS99Qcpr2w7fw1gpm99rleRqA= 145 | golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= 146 | golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= 147 | golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= 148 | golang.org/x/sys v0.0.0-20210616094352-59db8d763f22/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= 149 | golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= 150 | golang.org/x/sys v0.38.0 h1:3yZWxaJjBmCWXqhN1qh02AkOnCQ1poK6oF+a7xWL6Gc= 151 | 
golang.org/x/sys v0.38.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks= 152 | golang.org/x/term v0.37.0 h1:8EGAD0qCmHYZg6J17DvsMy9/wJ7/D/4pV/wfnld5lTU= 153 | golang.org/x/term v0.37.0/go.mod h1:5pB4lxRNYYVZuTLmy8oR2BH8dflOR+IbTYFD8fi3254= 154 | golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= 155 | golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= 156 | golang.org/x/text v0.31.0 h1:aC8ghyu4JhP8VojJ2lEHBnochRno1sgL6nEi9WGFGMM= 157 | golang.org/x/text v0.31.0/go.mod h1:tKRAlv61yKIjGGHX/4tP1LTbc13YSec1pxVEWXzfoeM= 158 | golang.org/x/time v0.0.0-20220210224613-90d013bbcef8 h1:vVKdlvoWBphwdxWKrFZEuM0kGgGLxUOYcY4U/2Vjg44= 159 | golang.org/x/time v0.0.0-20220210224613-90d013bbcef8/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= 160 | golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= 161 | golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= 162 | golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= 163 | golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= 164 | golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= 165 | golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= 166 | golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= 167 | golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= 168 | google.golang.org/genproto/googleapis/api v0.0.0-20241209162323-e6fa225c2576 h1:CkkIfIt50+lT6NHAVoRYEyAvQGFM7xEwXUUywFvEb3Q= 169 | google.golang.org/genproto/googleapis/api v0.0.0-20241209162323-e6fa225c2576/go.mod 
h1:1R3kvZ1dtP3+4p4d3G8uJ8rFk/fWlScl38vanWACI08= 170 | google.golang.org/genproto/googleapis/rpc v0.0.0-20241209162323-e6fa225c2576 h1:8ZmaLZE4XWrtU3MyClkYqqtl6Oegr3235h7jxsDyqCY= 171 | google.golang.org/genproto/googleapis/rpc v0.0.0-20241209162323-e6fa225c2576/go.mod h1:5uTbfoYQed2U9p3KIj2/Zzm02PYhndfdmML0qC3q3FU= 172 | google.golang.org/grpc v1.68.1 h1:oI5oTa11+ng8r8XMMN7jAOmWfPZWbYpCFaMUTACxkM0= 173 | google.golang.org/grpc v1.68.1/go.mod h1:+q1XYFJjShcqn0QZHvCyeR4CXPA+llXIeUIfIe00waw= 174 | google.golang.org/protobuf v1.36.3 h1:82DV7MYdb8anAVi3qge1wSnMDrnKK7ebr+I0hHRN1BU= 175 | google.golang.org/protobuf v1.36.3/go.mod h1:9fA7Ob0pmnwhb644+1+CVWFRbNajQ6iRojtC/QF5bRE= 176 | gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= 177 | gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk= 178 | gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q= 179 | gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY= 180 | gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ= 181 | gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= 182 | gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA= 183 | gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= 184 | gotest.tools/v3 v3.5.2 h1:7koQfIKdy+I8UTetycgUqXWSDwpgv193Ka+qRsmBY8Q= 185 | gotest.tools/v3 v3.5.2/go.mod h1:LtdLGcnqToBH83WByAAi/wiwSFCArdFIUV/xxN4pcjA= 186 | --------------------------------------------------------------------------------