From a391d4467d288d1b8844c62ba71e65c0026ca49b Mon Sep 17 00:00:00 2001
From: Arvind Bright
Date: Thu, 2 Apr 2026 14:25:21 -0700
Subject: [PATCH 1/8] metis: add glibc floor qualification test and makefile target
Adds a GitHub Actions workflow to qualify glibc floor compatibility on ubuntu-22.04 runners for the metis CNI.
Adds a new test-glibc-floor make target to run the verification locally inside a container, ensuring safety for the glibc 2.35 floor.
---
 .github/workflows/metis-glibc-floor-test.yml | 30 ++++++++++++++++++++
 metis/Makefile | 16 +++++++++++
 2 files changed, 46 insertions(+)
 create mode 100644 .github/workflows/metis-glibc-floor-test.yml
diff --git a/.github/workflows/metis-glibc-floor-test.yml b/.github/workflows/metis-glibc-floor-test.yml
new file mode 100644
index 0000000000..ceebb566f3
--- /dev/null
+++ b/.github/workflows/metis-glibc-floor-test.yml
@@ -0,0 +1,30 @@
+name: Metis GLIBC Floor Test
+
+on:
+ pull_request:
+ paths:
+ - 'metis/**/*.go'
+ - 'metis/Dockerfile'
+
+jobs:
+ native-execution-test:
+ runs-on: ubuntu-22.04
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v4
+
+ - name: Build Docker image
+ run: |
+ cd metis
+ docker build -t metis-candidate .
+
+ - name: Extract binary
+ run: |
+ docker create --name temp-metis metis-candidate
+ docker cp temp-metis:/metis ./metis-candidate
+ docker rm temp-metis
+ chmod +x ./metis-candidate
+
+ - name: Execute binary natively
+ run: |
+ ./metis-candidate --help
diff --git a/metis/Makefile b/metis/Makefile
index a43784ce59..2215f7b796 100644
--- a/metis/Makefile
+++ b/metis/Makefile
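Review bot: `uses: actions/checkout@v4` resolves a mutable tag, while the job's purpose is to qualify a binary that will later run natively on fleet nodes; pin the action to a full commit SHA and keep the tag as a comment, `uses: actions/checkout@<full-commit-sha>  # v4` (placeholder), so that a moved tag cannot change what the job executes. The `Extract binary` step also skips `docker rm temp-metis` when `docker cp` fails, which on an ephemeral runner only leaves a stale container behind, so the fixed `temp-metis` name matters more in the Makefile target that mirrors these steps.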
@@ -61,6 +61,22 @@ push-image: ## Build and push the multi-arch image independently.
 --build-arg BUILD_DATE=$(BUILD_DATE) \
 -t $(IMAGE_REGISTRY)/$(IMAGE_NAME):$(TAG) --push .
+.PHONY: test-glibc-floor
+test-glibc-floor: ## Build image and test glibc floor locally in container
+ docker build \
+ --build-arg GIT_VERSION=v1.0.0 \
+ --build-arg GIT_COMMIT=$(GIT_COMMIT) \
+ --build-arg BUILD_DATE=$(BUILD_DATE) \
+ -t metis-candidate .
+ @mkdir -p bin
+ -docker rm -f temp-metis 2>/dev/null
+ docker create --name temp-metis metis-candidate
+ docker cp temp-metis:/metis bin/metis-candidate
+ docker rm temp-metis
+ chmod +x bin/metis-candidate
+ docker run --rm -v $(CURDIR)/bin/metis-candidate:/metis ubuntu:22.04 /metis --help
+ rm bin/metis-candidate
+
 ##@ Help
 .PHONY: help
From 07ff035da186f011bbcf15ed60847eba30be0af8 Mon Sep 17 00:00:00 2001
From: Arvind Bright
Date: Fri, 3 Apr 2026 12:30:21 -0700
Subject: [PATCH 2/8] update makefile to use GIT_VERSION
---
 metis/Makefile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/metis/Makefile b/metis/Makefile
index 2215f7b796..f6fe89196a 100644
--- a/metis/Makefile
+++ b/metis/Makefile
@@ -64,7 +64,7 @@ push-image: ## Build and push the multi-arch image independently.
 .PHONY: test-glibc-floor
 test-glibc-floor: ## Build image and test glibc floor locally in container
 docker build \
- --build-arg GIT_VERSION=v1.0.0 \
+ --build-arg GIT_VERSION=$(GIT_VERSION) \
 --build-arg GIT_COMMIT=$(GIT_COMMIT) \
 --build-arg BUILD_DATE=$(BUILD_DATE) \
 -t metis-candidate .
From 70361a9c0b8acc9fb81da80c7be87a17697b3039 Mon Sep 17 00:00:00 2001
From: Arvind Bright
Date: Fri, 3 Apr 2026 15:43:39 -0700
Subject: [PATCH 3/8] metis: refactor glibc floor test per PR review comments
---
 .github/workflows/metis-glibc-floor-test.yml | 18 ++-----
 metis/Makefile | 53 +++++++++++++-------
 2 files changed, 38 insertions(+), 33 deletions(-)
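Review bot: The recipe hard-codes the container name `temp-metis`, so two concurrent invocations race on `docker create --name temp-metis`, and the preceding `-docker rm -f temp-metis 2>/dev/null` silently deletes any unrelated container that happens to carry that name. Capturing the id that `docker create` prints avoids both and also removes the container when the copy fails, which the current create/cp/rm sequence does not: `cid=$$(docker create metis-candidate) && \` followed by `{ docker cp $$cid:/metis bin/metis-candidate; rc=$$?; docker rm $$cid >/dev/null; exit $$rc; }` as one logical recipe line. The same fixed name is carried into the refactored `_tmp/metis-candidate` rule in patch 3. Separately, `rm bin/metis-candidate` only runs when the `docker run` check succeeds, so a failing floor test leaves the extracted binary behind in `bin/`.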
diff --git a/.github/workflows/metis-glibc-floor-test.yml b/.github/workflows/metis-glibc-floor-test.yml
index ceebb566f3..9cd498333c 100644
--- a/.github/workflows/metis-glibc-floor-test.yml
+++ b/.github/workflows/metis-glibc-floor-test.yml
@@ -3,8 +3,7 @@ name: Metis GLIBC Floor Test
 on:
 pull_request:
 paths:
- - 'metis/**/*.go'
- - 'metis/Dockerfile'
+ - 'metis/**'
 jobs:
 native-execution-test:
@@ -13,18 +12,7 @@ jobs:
 - name: Checkout code
 uses: actions/checkout@v4
- - name: Build Docker image
+ - name: Test GLIBC compatibility
 run: |
 cd metis
- docker build -t metis-candidate .
-
- - name: Extract binary
- run: |
- docker create --name temp-metis metis-candidate
- docker cp temp-metis:/metis ./metis-candidate
- docker rm temp-metis
- chmod +x ./metis-candidate
-
- - name: Execute binary natively
- run: |
- ./metis-candidate --help
+ make test-glibc-floor
diff --git a/metis/Makefile b/metis/Makefile
index f6fe89196a..5dfe69496a 100644
--- a/metis/Makefile
+++ b/metis/Makefile
@@ -3,10 +3,10 @@
 # Variables for local development
 IMAGE_REGISTRY ?= gcr.io/$(USER)-gke-dev
 IMAGE_NAME ?= metis
-TAG ?= $(shell git describe --tags --match "metis-v*" --always --dirty | sed 's|.*/||')
+TAG ?= $(shell git describe --tags --always --dirty | sed 's|.*/||')
 # Get version metadata from git for version injection
-GIT_VERSION ?= $(shell git describe --tags --match "metis-v*" --always --dirty)
+GIT_VERSION ?= $(shell git describe --tags --always --dirty)
 GIT_COMMIT ?= $(shell git rev-parse HEAD)
 BUILD_DATE ?= $(shell date -u +'%Y-%m-%dT%H:%M:%SZ')
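Review bot: Dropping `--match "metis-v*"` from both `git describe` calls makes `TAG` and `GIT_VERSION` resolve to the nearest tag of any kind; the old pattern suggests the repository carries tags for other components, in which case metis images and the injected version string would be labelled with another component's release. Patch 7 later adds `| sed 's|.*/||'` to `GIT_VERSION`, which strips a slash-separated prefix but does not restore the filter. If the tag scheme has changed rather than the filter being unwanted, keep a match for the metis namespace, e.g. `TAG ?= $(shell git describe --tags --match "<metis-tag-pattern>" --always --dirty | sed 's|.*/||')` (pattern is a placeholder), or add a line to the comment above saying why any tag is acceptable.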
@@ -19,6 +19,20 @@ VERSION_LDFLAGS := \
 # Platforms for multi-arch container builds
 PLATFORMS ?= linux/amd64,linux/arm64
+# GLIBC Compatibility Test Image
+#
+# Context: Across GKE fleet nodes, the CGO Metis CNI binary executes natively
+inside the host OS space (via the Kubelet) rather than within a container.
+This rigidly binds its link constraints to the host's C standard library.
+#
+# Baseline: During the GKE release baseline of 1.30.14-gke.2250000, the
+lowest available GLIBC version across the active fleet OS footprints
+(Ubuntu 22.04 LTS and COS Milestone 117) was precisely GLIBC 2.35.
+#
+# WARNING: Do not link this binary against newer GLIBC symbols. Doing so
+will cause immediate runtime panics when scheduled on baseline fleet nodes.
+GLIBC_FLOOR_IMAGE := ubuntu:22.04
+
 ##@ Development
 .PHONY: tidy
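Review bot: `GLIBC_FLOOR_IMAGE := ubuntu:22.04` is a floating tag, so the environment `make test-glibc-floor` checks against moves whenever the registry re-points `22.04`; pinning it to a digest, `GLIBC_FLOOR_IMAGE := ubuntu:22.04@sha256:<digest-of-the-qualified-image>` (placeholder), makes the check reproducible and ties it to the glibc build the baseline was measured on. The WARNING wording is also imprecise: a binary that needs a newer versioned symbol does not start and then panic, the dynamic loader refuses to exec it with an error of the form `version 'GLIBC_2.NN' not found (required by …)`, and since that is the text operators will meet in kubelet/CNI logs the comment should say so. As rendered here the continuation lines `+inside the host OS space …`, `+This rigidly binds …`, `+lowest available …`, `+(Ubuntu 22.04 LTS …` and `+will cause …` carry no leading `#`; if that is not an artifact of this listing, make rejects them with "missing separator", so each needs the `# ` prefix.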
@@ -52,30 +66,33 @@ clean: ## Clean up build artifacts.
 ##@ Docker
+DOCKER_BUILD_ARGS := \
+ --build-arg GIT_VERSION=$(GIT_VERSION) \
+ --build-arg GIT_COMMIT=$(GIT_COMMIT) \
+ --build-arg BUILD_DATE=$(BUILD_DATE)
+
 .PHONY: push-image
 push-image: ## Build and push the multi-arch image independently.
 @echo "Building and Pushing multi-arch image: $(IMAGE_REGISTRY)/$(IMAGE_NAME):$(TAG)..."
- docker buildx build --platform $(PLATFORMS) \
- --build-arg GIT_VERSION=$(GIT_VERSION) \
- --build-arg GIT_COMMIT=$(GIT_COMMIT) \
- --build-arg BUILD_DATE=$(BUILD_DATE) \
+ docker buildx build --platform $(PLATFORMS) $(DOCKER_BUILD_ARGS) \
 -t $(IMAGE_REGISTRY)/$(IMAGE_NAME):$(TAG) --push .
-.PHONY: test-glibc-floor
-test-glibc-floor: ## Build image and test glibc floor locally in container
- docker build \
- --build-arg GIT_VERSION=$(GIT_VERSION) \
- --build-arg GIT_COMMIT=$(GIT_COMMIT) \
- --build-arg BUILD_DATE=$(BUILD_DATE) \
- -t metis-candidate .
- @mkdir -p bin
+.PHONY: build-image-local
+build-image-local:
+ docker build $(DOCKER_BUILD_ARGS) -t metis-candidate .
+
+_tmp/metis-candidate: build-image-local
+ @mkdir -p _tmp
 -docker rm -f temp-metis 2>/dev/null
 docker create --name temp-metis metis-candidate
- docker cp temp-metis:/metis bin/metis-candidate
+ docker cp temp-metis:/metis _tmp/metis-candidate
 docker rm temp-metis
- chmod +x bin/metis-candidate
- docker run --rm -v $(CURDIR)/bin/metis-candidate:/metis ubuntu:22.04 /metis --help
- rm bin/metis-candidate
+
+.ONESHELL:
+.PHONY: test-glibc-floor
+test-glibc-floor: _tmp/metis-candidate ## Build image and test glibc floor locally in container
+ # Verify compatibility against glibc 2.35 by running in the floor environment.
+ docker run --rm -v $(CURDIR)/_tmp/metis-candidate:/metis $(GLIBC_FLOOR_IMAGE) /metis --help
 ##@ Help
From 696d8f2da5aa704c38c6974e526f332dd21c67c2 Mon Sep 17 00:00:00 2001
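Review bot: The `# Verify compatibility …` line inside the `test-glibc-floor` recipe is tab-indented, so make hands it to the shell as a command line (and echoes it) rather than treating it as a make comment; move it above the rule header, or write it as `@# Verify …` if it must stay in the recipe, so the target's output is just the `docker run` check. `_tmp/metis-candidate` is a new build artefact, and `clean`, whose header is this hunk's context but whose body lies outside it, presumably does not know about `_tmp/`; it should gain `$(RM) -r _tmp`, or the rule should delete the file after the check, so a stale candidate binary is not left on disk. Because `build-image-local` is phony, `_tmp/metis-candidate` is rebuilt on every run, which is the intended behaviour here but deserves a one-line comment on the rule. The fixed `temp-metis` container name raised on patch 1 still applies to the `docker create` / `docker cp` / `docker rm` lines here.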
From: Arvind Bright
Date: Fri, 3 Apr 2026 15:49:39 -0700
Subject: [PATCH 4/8] metis: perfectly generalize glibc version strings in recipe comment
---
 metis/Makefile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/metis/Makefile b/metis/Makefile
index 5dfe69496a..0362e0299b 100644
--- a/metis/Makefile
+++ b/metis/Makefile
@@ -91,7 +91,7 @@ _tmp/metis-candidate: build-image-local
 .ONESHELL:
 .PHONY: test-glibc-floor
 test-glibc-floor: _tmp/metis-candidate ## Build image and test glibc floor locally in container
- # Verify compatibility against glibc 2.35 by running in the floor environment.
+ # Verify symbol compatibility by running natively within the configured floor environment.
 docker run --rm -v $(CURDIR)/_tmp/metis-candidate:/metis $(GLIBC_FLOOR_IMAGE) /metis --help
 ##@ Help
From deaa1f3649ceabef5f626b149f70501ad7551d76 Mon Sep 17 00:00:00 2001
From: Arvind Bright
Date: Mon, 6 Apr 2026 09:28:59 -0700
Subject: [PATCH 5/8] remove ONESHELL
---
 metis/Makefile | 1 -
 1 file changed, 1 deletion(-)
diff --git a/metis/Makefile b/metis/Makefile
index 160403e693..86172a7c2e 100644
--- a/metis/Makefile
+++ b/metis/Makefile
@@ -92,7 +92,6 @@ _tmp/metis-candidate: build-image-local
 docker cp temp-metis:/metis _tmp/metis-candidate
 docker rm temp-metis
-.ONESHELL:
 .PHONY: test-glibc-floor
 test-glibc-floor: _tmp/metis-candidate ## Build image and test glibc floor locally in container
 # Verify symbol compatibility by running natively within the configured floor environment.
From bfdaad5dcb75c74bf119b5586294ab17d08a0dbe Mon Sep 17 00:00:00 2001
From: Arvind Bright
Date: Mon, 6 Apr 2026 10:01:29 -0700
Subject: [PATCH 6/8] remove github actions, moving it to prow
---
 .github/workflows/metis-glibc-floor-test.yml | 18 ------------------
 1 file changed, 18 deletions(-)
 delete mode 100644 .github/workflows/metis-glibc-floor-test.yml
diff --git a/.github/workflows/metis-glibc-floor-test.yml b/.github/workflows/metis-glibc-floor-test.yml
deleted file mode 100644
index 9cd498333c..0000000000
--- a/.github/workflows/metis-glibc-floor-test.yml
+++ /dev/null
@@ -1,18 +0,0 @@
-name: Metis GLIBC Floor Test
-
-on:
- pull_request:
- paths:
- - 'metis/**'
-
-jobs:
- native-execution-test:
- runs-on: ubuntu-22.04
- steps:
- - name: Checkout code
- uses: actions/checkout@v4
-
- - name: Test GLIBC compatibility
- run: |
- cd metis
- make test-glibc-floor
From 040f6389b56aca23cf1cfeccb0948d99c16aa512 Mon Sep 17 00:00:00 2001
From: Arvind Bright
Date: Mon, 6 Apr 2026 14:16:43 -0700
Subject: [PATCH 7/8] fix(metis): sanitize GIT_VERSION to remove prefix for k8s compatibility
---
 metis/Makefile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/metis/Makefile b/metis/Makefile
index 86172a7c2e..97b5e6c9ea 100644
--- a/metis/Makefile
+++ b/metis/Makefile
@@ -6,7 +6,7 @@ IMAGE_NAME ?= metis
 TAG ?= $(shell git describe --tags --always --dirty | sed 's|.*/||')
 # Get version metadata from git for version injection
-GIT_VERSION ?= $(shell git describe --tags --always --dirty)
+GIT_VERSION ?= $(shell git describe --tags --always --dirty | sed 's|.*/||')
 GIT_COMMIT ?= $(shell git rev-parse HEAD)
 BUILD_DATE ?= $(shell date -u +'%Y-%m-%dT%H:%M:%SZ')
From d7402496fb6ee0316d9ad9c0e976f6623dceeb01 Mon Sep 17 00:00:00 2001
From: Arvind Bright
Date: Mon, 6 Apr 2026 15:55:28 -0700
Subject: [PATCH 8/8] docs(metis): add warning comment in Dockerfile regarding GLIBC floor
---
 metis/Dockerfile | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/metis/Dockerfile b/metis/Dockerfile
index feeb213234..5c469a0b02 100644
--- a/metis/Dockerfile
+++ b/metis/Dockerfile
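Review bot: `GIT_VERSION ?= $(shell … | sed 's|.*/||')` keeps the recursive flavour that `?=` implies, so the `git describe | sed` pipeline is run again on every expansion of `GIT_VERSION` rather than once; the same holds for `TAG`, `GIT_COMMIT` and `BUILD_DATE` on the context lines, and `TAG` is visibly expanded twice in the `push-image` recipe alone. Freezing each value once after the default is chosen keeps the override semantics and forks the command a single time: `GIT_VERSION ?= $(shell git describe --tags --always --dirty | sed 's|.*/||')` followed by `GIT_VERSION := $(GIT_VERSION)` (likewise for the other three). With this change `GIT_VERSION` is byte-for-byte the same expression as `TAG`, so `GIT_VERSION ?= $(TAG)` would make that relationship explicit if the two are meant to track each other.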
@@ -38,7 +38,13 @@ RUN if [ "${TARGETARCH}" = "amd64" ]; then \
 -X 'k8s.io/component-base/version.buildDate=${BUILD_DATE}'" \
 ./cmd
-# Use ubuntu as base image to package the binary
+# CAUTION: The Metis binary leverages CGO and links against the host's C library.
+# To prevent runtime panics on baseline GKE fleet nodes, this image must remain
+# compatible with the active GLIBC floor constraint defined in the Makefile.
+#
+# Always verify any base image upgrades by running `make test-glibc-floor`.
+#
+# See metis/Makefile for the full historical context and version baseline.
 FROM ubuntu:22.04
 RUN apt-get update && apt-get install -y \
 sqlite3 \
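Review bot: The new comment sits above the runtime `FROM ubuntu:22.04` and says "this image must remain compatible", but the symbol versions the binary requires are fixed where it is linked, in the builder stage whose `go build … ./cmd` tail is the context at the top of this hunk, not by the runtime base image; bumping the builder's base (not visible here) is what would raise the required `GLIBC_2.NN` versions, while bumping this `FROM` only changes what the in-image copy runs against. A line such as `# The GLIBC floor is set by this stage's libc, not by the runtime image below; keep its glibc at or below GLIBC_FLOOR_IMAGE (see metis/Makefile).` placed above the builder stage, outside this hunk, would point maintainers at the right `FROM`. The existing text can stay as a pointer, but "runtime panics" should be replaced by the loader's actual failure mode, a `version 'GLIBC_2.NN' not found` error at exec.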