diff --git a/metis/Dockerfile b/metis/Dockerfile
index feeb21323..5c469a0b0 100644
--- a/metis/Dockerfile
+++ b/metis/Dockerfile
@@ -38,7 +38,13 @@ RUN if [ "${TARGETARCH}" = "amd64" ]; then \
 -X 'k8s.io/component-base/version.buildDate=${BUILD_DATE}'" \
 ./cmd
-# Use ubuntu as base image to package the binary
+# CAUTION: The Metis binary leverages CGO and links against the host's C library.
+# To prevent runtime panics on baseline GKE fleet nodes, this image must remain
+# compatible with the active GLIBC floor constraint defined in the Makefile.
+#
+# Always verify any base image upgrades by running `make test-glibc-floor`.
+#
+# See metis/Makefile for the full historical context and version baseline.
 FROM ubuntu:22.04
 RUN apt-get update && apt-get install -y \
 sqlite3 \
diff --git a/metis/Makefile b/metis/Makefile
index 22d2dbb7f..97b5e6c9e 100644
--- a/metis/Makefile
+++ b/metis/Makefile
@@ -3,10 +3,10 @@
 # Variables for local development
 IMAGE_REGISTRY ?= gcr.io/$(USER)-gke-dev
 IMAGE_NAME ?= metis
-TAG ?= $(shell git describe --tags --match "metis-v*" --always --dirty | sed 's|.*/||')
+TAG ?= $(shell git describe --tags --always --dirty | sed 's|.*/||')
 # Get version metadata from git for version injection
-GIT_VERSION ?= $(shell git describe --tags --match "metis-v*" --always --dirty)
+GIT_VERSION ?= $(shell git describe --tags --always --dirty | sed 's|.*/||')
 GIT_COMMIT ?= $(shell git rev-parse HEAD)
 BUILD_DATE ?= $(shell date -u +'%Y-%m-%dT%H:%M:%SZ')
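Review bot: The new comment is placed above the packaging stage `FROM ubuntu:22.04`, but the glibc symbol versions the binary requires are fixed by the stage that runs the `go build` visible in the hunk header, which appears to be a separate earlier stage; if so, this stage's base image does not influence the link constraint at all, and the comment should direct the reader to the builder stage's base image as the thing that must stay at the 2.35 floor (`# NOTE: the link-time GLIBC floor is set by the builder stage above, not by this packaging stage`). Separately, a glibc symbol-version mismatch is reported by the dynamic loader at exec time (`version 'GLIBC_x.y' not found`) before any Go code runs, so "fails to start" is more accurate than "runtime panics". The enclosing `RUN` begins outside the hunk.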
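Review bot: Dropping `--match "metis-v*"` from both `TAG` and `GIT_VERSION` makes `git describe` pick the nearest tag of any name, so if the repository carries tags for other components (the old pattern suggests it does) the version injected into the binary and the image tag can silently name another component's release. If that is intentional, say so on the comment line above the definitions, e.g. `# No --match: tags in this repo are component-agnostic; sed strips any namespace prefix`; otherwise keep the pattern as an overridable knob, `TAG_MATCH ?= metis-v*` passed via `--match "$(TAG_MATCH)"`. Both variables also stay `?=`, which is recursive, so `$(shell git …)` re-runs on every expansion; this is pre-existing, but a `:=`-based evaluation would run git once per make invocation.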
@@ -19,6 +19,20 @@ VERSION_LDFLAGS := \
 # Platforms for multi-arch container builds
 PLATFORMS ?= linux/amd64,linux/arm64
+# GLIBC Compatibility Test Image
+#
+# Context: Across GKE fleet nodes, the CGO Metis CNI binary executes natively
+# inside the host OS space (via the Kubelet) rather than within a container.
+# This rigidly binds its link constraints to the host's C standard library.
+#
+# Baseline: During the GKE release baseline of 1.30.14-gke.2250000, the
+# lowest available GLIBC version across the active fleet OS footprints
+# (Ubuntu 22.04 LTS and COS Milestone 117) was precisely GLIBC 2.35.
+#
+# WARNING: Do not link this binary against newer GLIBC symbols. Doing so
+# will cause immediate runtime panics when scheduled on baseline fleet nodes.
+GLIBC_FLOOR_IMAGE := ubuntu:22.04
+
 ##@ Development
 .PHONY: tidy
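Review bot: `GLIBC_FLOOR_IMAGE := ubuntu:22.04` is a mutable registry tag, so the floor test runs against whatever that tag resolves to on the day, and nothing ties it to the image on which the 2.35 baseline was verified; pinning by digest, `GLIBC_FLOOR_IMAGE := ubuntu:22.04@sha256:<digest of the verified 2.35 image>`, makes `test-glibc-floor` reproducible and removes a pull-time substitution risk. The comment block would also be clearer if it named which Dockerfile stage sets the link-time constraint, since the binary is built in one stage and only packaged in another. The WARNING describes the failure as "runtime panics", but a missing `GLIBC_x.y` symbol version is rejected by the dynamic loader before the process starts; "the binary will fail to exec" is the precise statement.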
@@ -56,15 +70,33 @@ clean: ## Clean up build artifacts.
 ##@ Docker
+DOCKER_BUILD_ARGS := \
+	--build-arg GIT_VERSION=$(GIT_VERSION) \
+	--build-arg GIT_COMMIT=$(GIT_COMMIT) \
+	--build-arg BUILD_DATE=$(BUILD_DATE)
+
 .PHONY: push-image
 push-image: ## Build and push the multi-arch image independently.
 	@echo "Building and Pushing multi-arch image: $(IMAGE_REGISTRY)/$(IMAGE_NAME):$(TAG)..."
-	docker buildx build --platform $(PLATFORMS) \
-	--build-arg GIT_VERSION=$(GIT_VERSION) \
-	--build-arg GIT_COMMIT=$(GIT_COMMIT) \
-	--build-arg BUILD_DATE=$(BUILD_DATE) \
+	docker buildx build --platform $(PLATFORMS) $(DOCKER_BUILD_ARGS) \
 	-t $(IMAGE_REGISTRY)/$(IMAGE_NAME):$(TAG) --push .
+.PHONY: build-image-local
+build-image-local:
+	docker build $(DOCKER_BUILD_ARGS) -t metis-candidate .
+
+_tmp/metis-candidate: build-image-local
+	@mkdir -p _tmp
+	-docker rm -f temp-metis 2>/dev/null
+	docker create --name temp-metis metis-candidate
+	docker cp temp-metis:/metis _tmp/metis-candidate
+	docker rm temp-metis
+
+.PHONY: test-glibc-floor
+test-glibc-floor: _tmp/metis-candidate ## Build image and test glibc floor locally in container
+	# Verify symbol compatibility by running natively within the configured floor environment.
+	docker run --rm -v $(CURDIR)/_tmp/metis-candidate:/metis $(GLIBC_FLOOR_IMAGE) /metis --help
+
 ##@ Help
 .PHONY: help
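Review bot: The `_tmp/metis-candidate` rule uses a fixed container name `temp-metis` plus an unconditional `-docker rm -f`, so two builds on the same Docker host (a second checkout, a CI runner sharing the daemon) race on one container and the `-` prefix hides genuine failures; capturing the id returned by `docker create` and removing it from an EXIT trap needs no shared name, and copying to `$@.tmp` then `mv -f` means a failed `docker cp` cannot leave a truncated-but-newer target behind. The target also rebuilds on every run because its prerequisite `build-image-local` is phony, which is acceptable for a test helper but deserves a one-line comment. In `test-glibc-floor` the tab-indented `# Verify …` line is handed to the shell and echoed as if it were a command; move it above the rule header. Since the documented floor is GLIBC 2.35, printing the floor image's libc in the same target (`docker run --rm $(GLIBC_FLOOR_IMAGE) getconf GNU_LIBC_VERSION`) makes any drift of the tag visible in the log.
```make
_tmp/metis-candidate: build-image-local
	@mkdir -p $(@D)
	cid=$$(docker create metis-candidate) && \
	trap 'docker rm "$$cid" >/dev/null' EXIT && \
	docker cp "$$cid:/metis" $@.tmp && mv -f $@.tmp $@

# … unchanged: .PHONY: test-glibc-floor …
# Verify symbol compatibility by running natively within the configured floor environment.
test-glibc-floor: _tmp/metis-candidate ## Build image and test glibc floor locally in container
	docker run --rm $(GLIBC_FLOOR_IMAGE) getconf GNU_LIBC_VERSION
	docker run --rm -v $(CURDIR)/_tmp/metis-candidate:/metis $(GLIBC_FLOOR_IMAGE) /metis --help
```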