mirror of https://github.com/slackhq/nebula.git
Push Docker images as part of the release workflow (#1037)
This commit is contained in:
parent
f39bfbb7fa
commit
b5c3486796
|
@ -109,6 +109,52 @@ jobs:
|
||||||
name: darwin-latest
|
name: darwin-latest
|
||||||
path: ./release/*
|
path: ./release/*
|
||||||
|
|
||||||
|
build-docker:
|
||||||
|
name: Create and Upload Docker Images
|
||||||
|
# Technically we only need build-linux to succeed, but if any platforms fail we'll
|
||||||
|
# want to investigate and restart the build
|
||||||
|
needs: [build-linux, build-darwin, build-windows]
|
||||||
|
runs-on: ubuntu-latest
|
||||||
|
env:
|
||||||
|
HAS_DOCKER_CREDS: ${{ vars.DOCKERHUB_USERNAME != '' && secrets.DOCKERHUB_TOKEN != '' }}
|
||||||
|
# XXX It's not possible to write a conditional here, so instead we do it on every step
|
||||||
|
#if: ${{ env.HAS_DOCKER_CREDS == 'true' }}
|
||||||
|
steps:
|
||||||
|
# Be sure to checkout the code before downloading artifacts, or they will
|
||||||
|
# be overwritten
|
||||||
|
- name: Checkout code
|
||||||
|
if: ${{ env.HAS_DOCKER_CREDS == 'true' }}
|
||||||
|
uses: actions/checkout@v4
|
||||||
|
|
||||||
|
- name: Download artifacts
|
||||||
|
if: ${{ env.HAS_DOCKER_CREDS == 'true' }}
|
||||||
|
uses: actions/download-artifact@v3
|
||||||
|
with:
|
||||||
|
name: linux-latest
|
||||||
|
path: artifacts
|
||||||
|
|
||||||
|
- name: Login to Docker Hub
|
||||||
|
if: ${{ env.HAS_DOCKER_CREDS == 'true' }}
|
||||||
|
uses: docker/login-action@v3
|
||||||
|
with:
|
||||||
|
username: ${{ vars.DOCKERHUB_USERNAME }}
|
||||||
|
password: ${{ secrets.DOCKERHUB_TOKEN }}
|
||||||
|
|
||||||
|
- name: Set up Docker Buildx
|
||||||
|
if: ${{ env.HAS_DOCKER_CREDS == 'true' }}
|
||||||
|
uses: docker/setup-buildx-action@v3
|
||||||
|
|
||||||
|
- name: Build and push images
|
||||||
|
if: ${{ env.HAS_DOCKER_CREDS == 'true' }}
|
||||||
|
env:
|
||||||
|
DOCKER_IMAGE_REPO: ${{ vars.DOCKER_IMAGE_REPO || 'nebulaoss/nebula' }}
|
||||||
|
DOCKER_IMAGE_TAG: ${{ vars.DOCKER_IMAGE_TAG || 'latest' }}
|
||||||
|
run: |
|
||||||
|
mkdir -p build/linux-{amd64,arm64}
|
||||||
|
tar -zxvf artifacts/nebula-linux-amd64.tar.gz -C build/linux-amd64/
|
||||||
|
tar -zxvf artifacts/nebula-linux-arm64.tar.gz -C build/linux-arm64/
|
||||||
|
docker buildx build . --push -f docker/Dockerfile --platform linux/amd64,linux/arm64 --tag "${DOCKER_IMAGE_REPO}:${DOCKER_IMAGE_TAG}" --tag "${DOCKER_IMAGE_REPO}:${GITHUB_REF#refs/tags/v}"
|
||||||
|
|
||||||
release:
|
release:
|
||||||
name: Create and Upload Release
|
name: Create and Upload Release
|
||||||
needs: [build-linux, build-darwin, build-windows]
|
needs: [build-linux, build-darwin, build-windows]
|
||||||
|
|
8
Makefile
8
Makefile
|
@ -22,6 +22,9 @@ ifndef BUILD_NUMBER
|
||||||
endif
|
endif
|
||||||
endif
|
endif
|
||||||
|
|
||||||
|
DOCKER_IMAGE_REPO ?= nebulaoss/nebula
|
||||||
|
DOCKER_IMAGE_TAG ?= latest
|
||||||
|
|
||||||
LDFLAGS = -X main.Build=$(BUILD_NUMBER)
|
LDFLAGS = -X main.Build=$(BUILD_NUMBER)
|
||||||
|
|
||||||
ALL_LINUX = linux-amd64 \
|
ALL_LINUX = linux-amd64 \
|
||||||
|
@ -79,6 +82,8 @@ DOCKER_BIN = build/linux-amd64/nebula build/linux-amd64/nebula-cert
|
||||||
|
|
||||||
all: $(ALL:%=build/%/nebula) $(ALL:%=build/%/nebula-cert)
|
all: $(ALL:%=build/%/nebula) $(ALL:%=build/%/nebula-cert)
|
||||||
|
|
||||||
|
docker: docker/linux-$(shell go env GOARCH)
|
||||||
|
|
||||||
release: $(ALL:%=build/nebula-%.tar.gz)
|
release: $(ALL:%=build/nebula-%.tar.gz)
|
||||||
|
|
||||||
release-linux: $(ALL_LINUX:%=build/nebula-%.tar.gz)
|
release-linux: $(ALL_LINUX:%=build/nebula-%.tar.gz)
|
||||||
|
@ -151,6 +156,9 @@ build/nebula-%.tar.gz: build/%/nebula build/%/nebula-cert
|
||||||
build/nebula-%.zip: build/%/nebula.exe build/%/nebula-cert.exe
|
build/nebula-%.zip: build/%/nebula.exe build/%/nebula-cert.exe
|
||||||
cd build/$* && zip ../nebula-$*.zip nebula.exe nebula-cert.exe
|
cd build/$* && zip ../nebula-$*.zip nebula.exe nebula-cert.exe
|
||||||
|
|
||||||
|
docker/%: build/%/nebula build/%/nebula-cert
|
||||||
|
docker build . $(DOCKER_BUILD_ARGS) -f docker/Dockerfile --platform "$(subst -,/,$*)" --tag "${DOCKER_IMAGE_REPO}:${DOCKER_IMAGE_TAG}" --tag "${DOCKER_IMAGE_REPO}:$(BUILD_NUMBER)"
|
||||||
|
|
||||||
vet:
|
vet:
|
||||||
go vet $(VET_FLAGS) -v ./...
|
go vet $(VET_FLAGS) -v ./...
|
||||||
|
|
||||||
|
|
|
@ -0,0 +1,11 @@
|
||||||
|
FROM gcr.io/distroless/static:latest
|
||||||
|
|
||||||
|
ARG TARGETOS TARGETARCH
|
||||||
|
COPY build/$TARGETOS-$TARGETARCH/nebula /nebula
|
||||||
|
COPY build/$TARGETOS-$TARGETARCH/nebula-cert /nebula-cert
|
||||||
|
|
||||||
|
VOLUME ["/config"]
|
||||||
|
|
||||||
|
ENTRYPOINT ["/nebula"]
|
||||||
|
# Allow users to override the args passed to nebula
|
||||||
|
CMD ["-config", "/config/config.yml"]
|
|
@ -0,0 +1,24 @@
|
||||||
|
# NebulaOSS/nebula Docker Image
|
||||||
|
|
||||||
|
## Building
|
||||||
|
|
||||||
|
From the root of the repository, run `make docker`.
|
||||||
|
|
||||||
|
## Running
|
||||||
|
|
||||||
|
To run the built image, use the following command:
|
||||||
|
|
||||||
|
```
|
||||||
|
docker run \
|
||||||
|
--name nebula \
|
||||||
|
--network host \
|
||||||
|
--cap-add NET_ADMIN \
|
||||||
|
--volume ./config:/config \
|
||||||
|
--rm \
|
||||||
|
nebulaoss/nebula
|
||||||
|
```
|
||||||
|
|
||||||
|
A few notes:
|
||||||
|
|
||||||
|
- The `NET_ADMIN` capability is necessary to create the tun adapter on the host (this is unnecessary if the tun device is disabled.)
|
||||||
|
- `--volume ./config:/config` should point to a directory that contains your `config.yml` and any other necessary files.
|
|
@ -81,8 +81,25 @@ func newTunFromFd(c *config.C, l *logrus.Logger, deviceFd int, cidr *net.IPNet)
|
||||||
func newTun(c *config.C, l *logrus.Logger, cidr *net.IPNet, multiqueue bool) (*tun, error) {
|
func newTun(c *config.C, l *logrus.Logger, cidr *net.IPNet, multiqueue bool) (*tun, error) {
|
||||||
fd, err := unix.Open("/dev/net/tun", os.O_RDWR, 0)
|
fd, err := unix.Open("/dev/net/tun", os.O_RDWR, 0)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
|
// If /dev/net/tun doesn't exist, try to create it (will happen in docker)
|
||||||
|
if os.IsNotExist(err) {
|
||||||
|
err = os.MkdirAll("/dev/net", 0755)
|
||||||
|
if err != nil {
|
||||||
|
return nil, fmt.Errorf("/dev/net/tun doesn't exist, failed to mkdir -p /dev/net: %w", err)
|
||||||
|
}
|
||||||
|
err = unix.Mknod("/dev/net/tun", unix.S_IFCHR|0600, int(unix.Mkdev(10, 200)))
|
||||||
|
if err != nil {
|
||||||
|
return nil, fmt.Errorf("failed to create /dev/net/tun: %w", err)
|
||||||
|
}
|
||||||
|
|
||||||
|
fd, err = unix.Open("/dev/net/tun", os.O_RDWR, 0)
|
||||||
|
if err != nil {
|
||||||
|
return nil, fmt.Errorf("created /dev/net/tun, but still failed: %w", err)
|
||||||
|
}
|
||||||
|
} else {
|
||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
|
}
|
||||||
|
|
||||||
var req ifReq
|
var req ifReq
|
||||||
req.Flags = uint16(unix.IFF_TUN | unix.IFF_NO_PI)
|
req.Flags = uint16(unix.IFF_TUN | unix.IFF_NO_PI)
|
||||||
|
|
Loading…
Reference in New Issue