Fix calico/apiserver /tmp folder permission

This change backports changes from [1] for `calico/apiserver` only to fix the `/tmp` folder permission. Currently, when `/tmp` folder is copied form ubi stage to scratch, the folder permission is 0755 so it isn't writable for non-root processes. With the changes in [2], apiserver won't be ready because `/tmp/ready` flag can't be written. [1] #8299 [2] tigera/operator#2906
projectcalico · Feb 28, 2024 · 3fb8e72 · 3fb8e72
1 parent 36413f2
commit 3fb8e72
Show file tree

Hide file tree

Showing 8 changed files with 29 additions and 154 deletions.
diff --git a/apiserver/.init b/apiserver/.init
diff --git a/apiserver/Dockerfile b/apiserver/Dockerfile
@@ -0,0 +1,15 @@
+FROM scratch as source
+
+ARG BIN_DIR
+ARG TARGETARCH
+
+COPY ${BIN_DIR}/apiserver-${TARGETARCH} /code/apiserver
+COPY ${BIN_DIR}/filecheck-${TARGETARCH} /code/filecheck
+
+FROM calico/base
+
+COPY --from=source / /
+
+WORKDIR /code
+
+ENTRYPOINT ["/code/apiserver"]
diff --git a/apiserver/Makefile b/apiserver/Makefile
@@ -67,9 +67,6 @@ CONTAINER_MARKER=$(CONTAINER_CREATED)
 BINDIR=bin
 endif
 
-# Use ARCH specific build image.
-CALICO_BUILD:=$(CALICO_BUILD)-$(ARCH)
-
 ###############################################################################
 # Static checks
 ###############################################################################
@@ -117,14 +114,14 @@ sub-image-%:
 sub-image-fips-%:
 	$(MAKE) image FIPS=true ARCH=$*
 
-$(API_SERVER_IMAGE): register $(CONTAINER_MARKER)
-$(CONTAINER_CREATED): docker-image/Dockerfile.$(ARCH) $(BINDIR)/apiserver-$(ARCH) $(BINDIR)/filecheck-$(ARCH)
-	$(DOCKER_BUILD) --build-arg BIN_DIR=$(BINDIR) -t $(API_SERVER_IMAGE):latest-$(ARCH) -f docker-image/Dockerfile.$(ARCH) . --load
+$(API_SERVER_IMAGE): $(CONTAINER_MARKER)
+$(CONTAINER_CREATED): Dockerfile $(BINDIR)/apiserver-$(ARCH) $(BINDIR)/filecheck-$(ARCH)
+	$(DOCKER_BUILD) --build-arg BIN_DIR=$(BINDIR) -t $(API_SERVER_IMAGE):latest-$(ARCH) -f Dockerfile .
 	$(MAKE) retag-build-images-with-registries VALIDARCHES=$(ARCH) IMAGETAG=latest
 	touch $@
 
-$(CONTAINER_FIPS_CREATED): docker-image/Dockerfile.$(ARCH) $(BINDIR)/apiserver-$(ARCH) $(BINDIR)/filecheck-$(ARCH)
-	$(DOCKER_BUILD) --build-arg BIN_DIR=$(BINDIR) -t $(API_SERVER_IMAGE):latest-fips-$(ARCH) -f docker-image/Dockerfile.$(ARCH) . --load
+$(CONTAINER_FIPS_CREATED): Dockerfile $(BINDIR)/apiserver-$(ARCH) $(BINDIR)/filecheck-$(ARCH)
+	$(DOCKER_BUILD) --build-arg BIN_DIR=$(BINDIR) -t $(API_SERVER_IMAGE):latest-fips-$(ARCH) -f Dockerfile .
 	$(MAKE) FIPS=true retag-build-images-with-registries VALIDARCHES=$(ARCH) IMAGETAG=latest-fips LATEST_IMAGE_TAG=latest-fips
 	touch $@
 
@@ -212,12 +209,10 @@ clean: clean-bin clean-hack-lib
 	find . -name '.*.created*' -type f -delete
 	find . -name '.*.published*' -type f -delete
 	rm -rf .lint-cache
-	docker rmi $(API_SERVER_IMAGE):latest-$(ARCH) || true
-	docker rmi $(API_SERVER_IMAGE):latest-fips-$(ARCH) || true
+	-docker image rm -f $$(docker images $(API_SERVER_IMAGE) -a -q)
 
 clean-bin:
-	rm -rf $(BINDIR) \
-	    docker-image/bin
+	rm -rf $(BINDIR)
 
 clean-hack-lib:
 	rm -rf hack/lib/

diff --git a/apiserver/docker-image/Dockerfile.amd64 b/apiserver/docker-image/Dockerfile.amd64
diff --git a/apiserver/docker-image/Dockerfile.arm64 b/apiserver/docker-image/Dockerfile.arm64
diff --git a/apiserver/docker-image/Dockerfile.ppc64le b/apiserver/docker-image/Dockerfile.ppc64le
diff --git a/apiserver/docker-image/Dockerfile.s390x b/apiserver/docker-image/Dockerfile.s390x
diff --git a/lib.Makefile b/lib.Makefile
@@ -24,6 +24,11 @@ ifeq ($(ARCHES),)
 	ARCHES=$(patsubst Dockerfile.%,%,$(wildcard Dockerfile.*))
 endif
 
+# If architectures cannot infer from Dockerfiles, set default supported architecture.
+ifeq ($(ARCHES),)
+	ARCHES=amd64 arm64 ppc64le s390x
+endif
+
 # list of arches *not* to build when doing *-all
 EXCLUDEARCH?=
 VALIDARCHES = $(filter-out $(EXCLUDEARCH),$(ARCHES))
@@ -278,26 +283,11 @@ endif
 REPO_ROOT := $(shell git rev-parse --show-toplevel)
 CERTS_PATH := $(REPO_ROOT)/hack/test/certs
 
-# Set the platform correctly for building docker images so that
-# cross-builds get the correct architecture set in the produced images.
-ifeq ($(ARCH),arm64)
-TARGET_PLATFORM=--platform=linux/arm64/v8
-endif
-ifeq ($(ARCH),armv7)
-TARGET_PLATFORM=--platform=linux/arm/v7
-endif
-ifeq ($(ARCH),ppc64le)
-TARGET_PLATFORM=--platform=linux/ppc64le
-endif
-ifeq ($(ARCH),s390x)
-TARGET_PLATFORM=--platform=linux/s390x
-endif
-
 # DOCKER_BUILD is the base build command used for building all images.
-DOCKER_BUILD=docker buildx build --pull \
+DOCKER_BUILD=docker buildx build --load --platform=linux/$(ARCH) --pull \
 	     --build-arg QEMU_IMAGE=$(CALICO_BUILD) \
 	     --build-arg UBI_IMAGE=$(UBI_IMAGE) \
-	     --build-arg GIT_VERSION=$(GIT_VERSION) $(TARGET_PLATFORM)
+	     --build-arg GIT_VERSION=$(GIT_VERSION)
 
 DOCKER_RUN := mkdir -p ../.go-pkg-cache bin $(GOMOD_CACHE) && \
 	docker run --rm \