diff --git a/.drone.yml b/.drone.yml
new file mode 100644
index 0000000..ae379f4
--- /dev/null
+++ b/.drone.yml
@@ -0,0 +1,176 @@
+---
+kind: pipeline
+name: k3s-root-linux-amd64
+platform:
+ os: linux
+ arch: amd64
+
+workspace:
+ path: /workdir
+
+steps:
+ - name: build-amd64
+ image: rancher/dapper:v0.5.0
+ environment:
+ BUILDARCH: amd64
+ commands:
+ - dapper ci
+ volumes:
+ - name: docker
+ path: /var/run/docker.sock
+ - name: github-amd64-binary-release
+ image: plugins/github-release
+ settings:
+ api_key:
+ from_secret: github_token
+ checksum:
+ - sha256
+ checksum_file: CHECKSUMsum-amd64.txt
+ checksum_flatten: true
+ prerelease: true
+ files:
+ - "/workdir/dist/k3s-*amd64.tar"
+ when:
+ instance:
+ - drone-publish.rancher.io
+ ref:
+ - refs/head/master
+ - refs/tags/*
+ event:
+ - tag
+volumes:
+- name: docker
+ host:
+ path: /var/run/docker.sock
+---
+kind: pipeline
+name: k3s-root-linux-arm64
+platform:
+ os: linux
+ arch: amd64
+
+workspace:
+ path: /workdir
+
+steps:
+ - name: build-arm64
+ image: rancher/dapper:v0.5.0
+ environment:
+ BUILDARCH: arm64
+ commands:
+ - dapper ci
+ volumes:
+ - name: docker
+ path: /var/run/docker.sock
+ - name: github-arm64-binary-release
+ image: plugins/github-release
+ settings:
+ api_key:
+ from_secret: github_token
+ checksum:
+ - sha256
+ checksum_file: CHECKSUMsum-arm64.txt
+ checksum_flatten: true
+ prerelease: true
+ files:
+ - "/workdir/dist/k3s-*arm64.tar"
+ when:
+ instance:
+ - drone-publish.rancher.io
+ ref:
+ - refs/head/master
+ - refs/tags/*
+ event:
+ - tag
+volumes:
+- name: docker
+ host:
+ path: /var/run/docker.sock
+---
+kind: pipeline
+name: k3s-root-linux-arm
+platform:
+ os: linux
+ arch: amd64
+
+workspace:
+ path: /workdir
+
+steps:
+ - name: build-arm
+ image: rancher/dapper:v0.5.0
+ environment:
+ BUILDARCH: arm
+ commands:
+ - dapper ci
+ volumes:
+ - name: docker
+ path: /var/run/docker.sock
+ - name: github-arm-binary-release
+ image: plugins/github-release
+ settings:
+ api_key:
+ from_secret: github_token
+ checksum:
+ - sha256
+ checksum_file: CHECKSUMsum-arm.txt
+ checksum_flatten: true
+ prerelease: true
+ files:
+ - "/workdir/dist/k3s-*arm.tar"
+ when:
+ instance:
+ - drone-publish.rancher.io
+ ref:
+ - refs/head/master
+ - refs/tags/*
+ event:
+ - tag
+volumes:
+- name: docker
+ host:
+ path: /var/run/docker.sock
+---
+kind: pipeline
+name: k3s-root-linux-ppc64le
+platform:
+ os: linux
+ arch: amd64
+
+workspace:
+ path: /workdir
+
+steps:
+ - name: build-ppc64le
+ image: rancher/dapper:v0.5.0
+ environment:
+ BUILDARCH: ppc64le
+ commands:
+ - dapper ci
+ volumes:
+ - name: docker
+ path: /var/run/docker.sock
+ - name: github-ppc64le-binary-release
+ image: plugins/github-release
+ settings:
+ api_key:
+ from_secret: github_token
+ checksum:
+ - sha256
+ checksum_file: CHECKSUMsum-ppc64le.txt
+ checksum_flatten: true
+ prerelease: true
+ files:
+ - "/workdir/dist/k3s-*ppc64le.tar"
+ when:
+ instance:
+ - drone-publish.rancher.io
+ ref:
+ - refs/head/master
+ - refs/tags/*
+ event:
+ - tag
+volumes:
+- name: docker
+ host:
+ path: /var/run/docker.sock
\ No newline at end of file
diff --git a/.gitignore b/.gitignore
index ddc7384..313abcd 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,2 +1,4 @@
 /dist
+/artifacts
 /build
+/.dapper
\ No newline at end of file
diff --git a/Dockerfile b/Dockerfile
deleted file mode 100644
index ce6edad..0000000
--- a/Dockerfile
+++ /dev/null
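Review bot: The `ref:` filter in every `when:` block lists `refs/head/master`, which is not a Git ref namespace; branch refs live under `refs/heads/`, so that entry never matches and only `refs/tags/*` does any work. It should read `- refs/heads/master`, or be dropped entirely since `event:` is already restricted to `tag` and a branch ref cannot satisfy that trigger. The same entry is repeated in the arm64, arm and ppc64le pipelines of this file.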
@@ -1,74 +0,0 @@
-FROM ubuntu:18.04 AS ubuntu
-RUN yes | unminimize
-
-# setup prereqs
-RUN apt-get update
-RUN apt-get install -y \
- build-essential \
- ccache \
- gcc \
- git \
- g++ \
- rsync \
- bc \
- wget \
- curl \
- ca-certificates \
- ncurses-dev \
- python \
- unzip
-
-# download buildroot
-ARG BUILDROOT_VERSION=2020.02.2
-RUN mkdir /usr/src/buildroot
-RUN curl -fL https://buildroot.org/downloads/buildroot-${BUILDROOT_VERSION}.tar.bz2 | tar xvjf - -C /usr/src/buildroot --strip-components=1
-
-# build
-ARG ARCH=amd64
-WORKDIR /usr/src/buildroot
-COPY ./package/. ./package/
-COPY buildroot/config /usr/src/buildroot/.config
-COPY buildroot/${ARCH}config /usr/src/buildroot/.config-arch
-RUN cat .config-arch >> .config
-
-COPY patches patches
-RUN set -e -x; for p in patches/*.patch; do patch -p1 -i $p; done
-
-RUN make oldconfig
-RUN make
-
-# save build
-WORKDIR /usr/src
-
-# copy binaries
-RUN mkdir bin && \
- cp -d buildroot/output/target/usr/sbin/*tables* bin/ && \
- cp buildroot/output/target/usr/sbin/conntrack bin/ && \
- cp buildroot/output/target/usr/sbin/ethtool bin/ && \
- cp buildroot/output/target/usr/sbin/ipset bin/ && \
- cp buildroot/output/target/usr/bin/find bin/ && \
- cp buildroot/output/target/usr/bin/nsenter bin/ && \
- cp buildroot/output/target/usr/bin/pigz bin/ && \
- cp buildroot/output/target/usr/bin/slirp4netns bin/ && \
- cp buildroot/output/target/usr/bin/socat bin/ && \
- cp buildroot/output/target/usr/bin/coreutils bin/ && \
- cp buildroot/output/target/sbin/ip bin/ && \
- cp buildroot/output/target/sbin/blkid bin/ && \
- cp buildroot/output/target/sbin/losetup bin/ && \
- cp buildroot/output/target/bin/busybox bin/ && \
- cp buildroot/output/target/usr/sbin/swanctl bin/ && \
- cp buildroot/output/target/usr/libexec/ipsec/charon bin/
-
-# save etc
-RUN mkdir etc && \
- cp -rp buildroot/output/target/var/lib/rancher/k3s/agent/* etc/
-
-# setup links
-RUN set -e -x; \
- link() { \
- for l in $(find -L buildroot/output/target/ -samefile buildroot/output/target/$1/$2 | xargs -n 1 basename | sort -u | grep -v "^$2\$"); do \
- ln -s $2 bin/$l; \
- done; \
- }; \
- link bin busybox; \
- link usr/bin coreutils;
diff --git a/Dockerfile.dapper b/Dockerfile.dapper
new file mode 100644
index 0000000..726b106
--- /dev/null
+++ b/Dockerfile.dapper
@@ -0,0 +1,28 @@
+FROM ubuntu:18.04 AS ubuntu
+RUN yes | unminimize
+
+# setup prereqs
+RUN apt-get update
+RUN apt-get install -y \
+ build-essential \
+ ccache \
+ gcc \
+ git \
+ g++ \
+ rsync \
+ bc \
+ wget \
+ curl \
+ ca-certificates \
+ ncurses-dev \
+ python \
+ unzip
+
+ENV DAPPER_SOURCE /source
+ENV DAPPER_OUTPUT ./artifacts ./dist
+ENV DAPPER_ENV BUILDARCH
+ENV HOME ${DAPPER_SOURCE}
+WORKDIR ${DAPPER_SOURCE}
+
+ENTRYPOINT ["./scripts/entry"]
+CMD ["ci"]
\ No newline at end of file
diff --git a/Makefile b/Makefile
new file mode 100644
index 0000000..c48fec9
--- /dev/null
+++ b/Makefile
@@ -0,0 +1,25 @@
+ARCH ?= amd64
+ALL_ARCH = amd64 arm64 arm ppc64le
+
+export BUILDARCH = $(ARCH)
+
+TARGETS := $(shell ls scripts)
+
+.dapper:
+ @echo Downloading dapper
+ @curl -sL https://releases.rancher.com/dapper/latest/dapper-$$(uname -s)-$$(uname -m) > .dapper.tmp
+ @@chmod +x .dapper.tmp
+ @./.dapper.tmp -v
+ @mv .dapper.tmp .dapper
+
+$(TARGETS): .dapper
+ ./.dapper $@
+
+all-build: $(addprefix sub-build-,$(ALL_ARCH))
+
+sub-build-%:
+ $(MAKE) ARCH=$* ci
+
+.DEFAULT_GOAL := ci
+
+.PHONY: $(TARGETS)
\ No newline at end of file
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..d68f04d
--- /dev/null
+++ b/README.md
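Review bot: In Dockerfile.dapper, `RUN apt-get update` is its own layer ahead of `RUN apt-get install -y …`, so a cached `update` layer can be reused with a later, changed `install` that then resolves against stale package lists and fails or pulls outdated packages. Fold them into one instruction and clean up in the same layer: `RUN apt-get update && apt-get install -y --no-install-recommends … && rm -rf /var/lib/apt/lists/*`. The four `ENV` lines use the legacy space-separated form (`ENV DAPPER_SOURCE /source`); the current form is `ENV DAPPER_SOURCE=/source`, and for the list-valued `DAPPER_OUTPUT` that becomes `ENV DAPPER_OUTPUT="./artifacts ./dist"`.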
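Review bot: The `.dapper` target in the Makefile fetches `https://releases.rancher.com/dapper/latest/dapper-…` with `curl -sL`, marks whatever came back executable and runs it, with no pinned version and no integrity check, so every developer machine and CI runner executes unverified content from a moving `latest` URL. Pin a release (a `DAPPER_VERSION` variable substituted into the URL) and compare the download with a recorded `sha256sum` before the `chmod +x`. Add `-f` to the `curl` invocation as well, so an HTTP error body is not saved as `.dapper.tmp` and then executed.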
@@ -0,0 +1,15 @@
+# k3s-root
+
+`k3s-root` is based on https://github.com/buildroot/buildroot and provides the userspace binaries for `rancher/k3s`
+
+## Building
+
+`k3s-root` is dapper powered, which means you should be able to simply `make` on your machine to compile. By default, `make` will compile for `amd64`. If you want to compile for other architectures, you can run commands like:
+```
+make ARCH=arm64
+```
+
+or alternatively, if you want to compile all architectures at once, you can run:
+```
+make all-build
+```
diff --git a/build.sh b/build.sh
deleted file mode 100755
index 54d910f..0000000
--- a/build.sh
+++ /dev/null
@@ -1,11 +0,0 @@
-#!/bin/bash
-set -x -e
-
-BUILD_ARCHS=${BUILD_ARCHS:-amd64 arm64 arm ppc64le}
-
-mkdir -p dist
-for arch in ${BUILD_ARCHS}; do
- docker build --build-arg ARCH=${arch} --tag k3s-root .
- docker run --rm k3s-root \
- tar cf - -C /usr/src ./bin ./etc > dist/k3s-root-${arch}.tar
-done
diff --git a/iptables-detect/README.md b/iptables-detect/README.md
new file mode 100644
index 0000000..bef75ad
--- /dev/null
+++ b/iptables-detect/README.md
@@ -0,0 +1,13 @@
+# iptables-detect
+
+This is a set of scripts designed to interoperate with the upstream netfilter/iptables 1.8.3 project. The intention of using these scripts is the following:
+
+### Requirements:
+1. `xtables-nft-multi` and `xtables-legacy-multi` binaries exist and are in the same folder as the `.sh` scripts
+2. Initially, symlinks are set up for `iptables-detect.sh` from `iptables` `ip6tables` `iptables-restore` `ip6tables-restore` `iptables-save` `ip6tables-save`
+
+### Expectations:
+When `iptables-detect.sh` is invoked without a symlink in place, it will simply spit out what it detects via what mode. This can be useful for debugging.
+
+### More Info
+The `iptables-detect.sh` script started out as the base `debian-iptables` script from https://github.com/kubernetes/kubernetes/blob/master/build/debian-iptables/iptables-wrapper but was modified to call a designated script called `xtables-set-mode.sh`. This is due to the fact that the original intention of usage of this script was for `k3s-root`, and we should not be updating system level alternatives. In addition, due to the multi-platform nature of K3s, there was no guarantee that `update-alternatives` would even exist on the underlying host system (let alone `/etc/alternatives`) and as such, we only use system-level alternatives to attempt to detect version.
\ No newline at end of file
diff --git a/iptables-detect/iptables-detect.sh b/iptables-detect/iptables-detect.sh
new file mode 100755
index 0000000..32be8d9
--- /dev/null
+++ b/iptables-detect/iptables-detect.sh
@@ -0,0 +1,242 @@
+#!/bin/sh
+
+# Copyright 2019 The Kubernetes Authors.
+# Copyright 2020 Rancher Labs
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# This script is only meant for use when operating in a non-containerized
+# environment but using non-host binaries (i.e. K3s with k3s-root), but
+# will fall back to operating in a containerized environment if necessary.
+# It relies on the underlying host system not having cgroups set up for PID
+# 1, as this is how it detects whether it is operating in a containerized
+# environment or not.
+
+# Four step process to inspect for which version of iptables we're operating
+# with.
+# 1. Detect whether we are operating in a containerized environment by inspecting cgroups for PID 1.
+# 2. Run iptables-nft-save and iptables-legacy-save to inspect for rules. If
+# no rules are found from either binaries, then
+# 3. Check /etc/alternatives/iptables on the host to see if there is a symlink
+# pointing towards the iptables binary we are using, if there is, run the
+# binary and grep it's output for version higher than 1.8 and "legacy" to see
+# if we are operating in legacy
+# 4. Last chance is to do a rough check of the operating system, to make an
+# educated guess at which mode we can operate in.
+
+# Bugs in iptables-nft 1.8.3 may cause it to get stuck in a loop in
+# some circumstances, so we have to run the nft check in a timeout. To
+# avoid hitting that timeout, we only bother to even check nft if
+# legacy iptables was empty / mostly empty.
+
+mode=unknown
+
+detected_via=unknown
+
+containerized=false
+
+# Check to see if the nf_tables kernel module is loaded, if it is, we should operate in nft mode, else just fall back to legacy. This should only be run when in a container, ideally the klipper-lb container.
+
+nft_module_check() {
+ lsmod | grep "nf_tables" 2> /dev/null
+ if [ $? = 0 ]; then
+ detected_via=modules
+ mode=nft
+ else
+ detected_via=modules
+ mode=legacy
+ fi
+}
+
+# Check to see if we are containerized -- essentially look at the cgroup for PID 1 and check for things at the end of the "/" which indicates we are in a container (PID 1 shouldn't necessarily have a cgroup)
+
+# there are two cases when we are containerized -- k3d and things that aren't k3s
+is_containerized() {
+ CGT=$(cat /proc/1/cgroup | grep "cpuset" | awk -F: '{print $3}' | sed 's/\///g');
+ if [ -z $CGT ]; then
+ containerized=false
+ else
+ containerized=true
+ fi
+}
+
+rule_check() {
+ num_legacy_lines=$( (
+ iptables-legacy-save || true
+ ip6tables-legacy-save || true
+ ) 2>/dev/null | grep '^-' | wc -l)
+ if [ "${num_legacy_lines}" -ge 10 ]; then
+ detected_via=rules
+ mode=legacy
+ else
+ num_nft_lines=$( (timeout 5 sh -c "iptables-nft-save; ip6tables-nft-save" || true) 2>/dev/null | grep '^-' | wc -l)
+ if [ "${num_legacy_lines}" -gt "${num_nft_lines}" ]; then
+ detected_via=rules
+ mode=legacy
+ elif [ "${num_nft_lines}" = 0 ]; then
+ mode=unknown
+ else
+ detected_via=rules
+ mode=nft
+ fi
+ fi
+}
+
+alternatives_check() {
+ readlink /etc/alternatives/iptables >/dev/null
+
+ if [ $? = 0 ]; then
+ readlink /etc/alternatives/iptables | grep -q "nft"
+ if [ $? = 0 ]; then
+ detected_via=alternatives
+ mode=nft
+ else
+ detected_via=alternatives
+ mode=legacy
+ fi
+ fi
+}
+
+# we should not run os-detect if we're being run inside of a container
+os_detect() {
+ # perform some very rudimentary platform detection
+ lsb_dist=''
+ dist_version=''
+ if [ -z "$lsb_dist" ] && [ -r /etc/lsb-release ]; then
+ lsb_dist="$(. /etc/lsb-release && echo "$DISTRIB_ID")"
+ fi
+ if [ -z "$lsb_dist" ] && [ -r /etc/debian_version ]; then
+ lsb_dist='debian'
+ fi
+ if [ -z "$lsb_dist" ] && [ -r /etc/fedora-release ]; then
+ lsb_dist='fedora'
+ fi
+ if [ -z "$lsb_dist" ] && [ -r /etc/oracle-release ]; then
+ lsb_dist='oracleserver'
+ fi
+ if [ -z "$lsb_dist" ] && [ -r /etc/centos-release ]; then
+ lsb_dist='centos'
+ fi
+ if [ -z "$lsb_dist" ] && [ -r /etc/redhat-release ]; then
+ lsb_dist='redhat'
+ fi
+ if [ -z "$lsb_dist" ] && [ -r /etc/os-release ]; then
+ lsb_dist="$(. /etc/os-release && echo "$ID")"
+ fi
+
+ lsb_dist="$(echo "$lsb_dist" | tr '[:upper:]' '[:lower:]')"
+
+ # Special case redhatenterpriseserver
+ if [ "${lsb_dist}" = "redhatenterpriseserver" ]; then
+ # Set it to redhat, it will be changed to centos below anyways
+ lsb_dist='redhat'
+ fi
+
+ case "$lsb_dist" in
+
+ ubuntu)
+ # By default, Ubuntu is using iptables in legacy mode. Ideally, this should have been already caught by the alternatives check.
+ detected_via=os
+ mode=legacy
+ ;;
+
+ debian | raspbian)
+ dist_version="$(cat /etc/debian_version | sed 's/\/.*//' | sed 's/\..*//')"
+ # If Debian >= 10 (Buster is 10), then NFT. otherwise, assume it is legacy
+ if [ "$dist_version" -ge 10 ]; then
+ detected_via=os
+ mode=nft
+ else
+ detected_via=os
+ mode=legacy
+ fi
+ ;;
+
+ oracleserver)
+ dist_version="$(. /etc/os-release && echo "$VERSION_ID")"
+ if [ "$dist_version" -ge 8 ]; then
+ detected_via=os
+ mode=nft
+ else
+ detected_via=os
+ mode=legacy
+ fi
+ ;;
+
+ fedora)
+ # As of 05/15/2020, all Fedora packages appeared to be still `legacy` by default although there is a `iptables-nft` package that installs the nft iptables, so look for that package.
+ rpm -qa | grep -q "iptables-nft"
+ if [ $? = 0 ]; then
+ detected_via=os
+ mode=nft
+ else
+ detected_via=os
+ mode=legacy
+ fi
+ ;;
+
+ centos | redhat)
+ dist_version="$(. /etc/os-release && echo "$VERSION_ID")"
+ if [ "$dist_version" -ge 8 ]; then
+ detected_via=os
+ mode=nft
+ else
+ detected_via=os
+ mode=legacy
+ fi
+ ;;
+
+ # We are running an operating system we don't know, default to nf_tables.
+ *)
+ detected_via=os
+ mode=nft
+ ;;
+
+ esac
+
+}
+
+if [ ! -z "$IPTABLES_MODE" ]; then
+ mode=${IPTABLES_MODE}
+else
+ rule_check
+ if [ "${mode}" = "unknown" ]; then
+ is_containerized
+ # If we're containerized, then just fall back to legacy, in hopes `ip_tables` is loaded.
+ if [ "${containerized}" = "true" ]; then
+ mode=legacy
+ else
+ alternatives_check
+ if [ "${mode}" = "unknown" ]; then
+ os_detect
+ fi
+ fi
+ fi
+fi
+
+if [ "${mode}" = "unknown" ]; then
+ exit 1
+fi
+
+if [ "$(basename $0)" = "iptables-detect.sh" ]; then
+ echo mode is $mode detected via $detected_via and containerized is $containerized
+ exit 0
+fi
+
+xtables-set-mode.sh -m ${mode} >/dev/null
+
+if [ $? = 0 ]; then
+ exec "$0" "$@"
+else
+ exit 1
+fi
\ No newline at end of file
diff --git a/iptables-detect/xtables-set-mode.sh b/iptables-detect/xtables-set-mode.sh
new file mode 100755
index 0000000..5156bd3
--- /dev/null
+++ b/iptables-detect/xtables-set-mode.sh
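Review bot: In `os_detect`, the `oracleserver` and `centos | redhat` branches compare `$VERSION_ID` from `/etc/os-release` with `-ge 8`, but on RHEL and Oracle Linux that field carries a minor version such as `8.2`; `[ "8.2" -ge 8 ]` is not an integer test in `sh`, so it fails with an error and the `else` branch selects `legacy` on an nft-default host. Strip the minor part before comparing, `dist_version="$(. /etc/os-release && echo "${VERSION_ID%%.*}")"`, in both branches. Separately, `is_containerized` tests `[ -z $CGT ]` unquoted, so a cgroup path containing whitespace turns into extra test operands and the test errors; `if [ -z "$CGT" ]; then` fixes it. The closing `xtables-set-mode.sh -m ${mode}` / `exec "$0" "$@"` pair appears to assume the relink changed what `$0` resolves to; if it did not, the script re-execs itself without bound, so a guard (for example an environment marker set before the `exec`) would be worth adding.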
@@ -0,0 +1,105 @@
+#!/bin/sh
+
+# Copyright 2020 Rancher Labs
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# --- helper functions for logs ---
+info() {
+ echo '[INFO] ' "$@"
+}
+warn() {
+ echo '[WARN] ' "$@" >&2
+}
+fatal() {
+ echo '[ERROR] ' "$@" >&2
+ exit 1
+}
+
+script_name=xtables-set-mode.sh
+
+# Validate that we are in the correct k3s-root path
+validate() {
+ # The existence of the iptables-set-mode.sh in the path indicates the directory we should be calling from.
+ # Don't put this script in your path unless you want this script to overwrite your iptables links.
+ if [ "${force}" = 0 ]; then
+ if ! which $script_name >/dev/null; then
+ fatal "$script_name was not found in PATH"
+ fi
+ fi
+}
+
+set_nft() {
+ base_path=$(dirname $(which $script_name))
+
+ for i in iptables iptables-save iptables-restore ip6tables; do ln -sf "xtables-nft-multi" "$base_path/$i"; done
+
+ exit
+}
+
+set_legacy() {
+ base_path=$(dirname $(which $script_name))
+
+ for i in iptables iptables-save iptables-restore ip6tables; do ln -sf "xtables-legacy-multi" "$base_path/$i"; done
+
+ exit
+}
+
+usage() {
+ echo "usage: $script_name [[--mode nft|legacy] [--force] | [--help]]"
+}
+
+force=0
+
+if [ -z "$1" ]; then
+ usage
+ exit 1
+fi
+
+while [ "$1" != "" ]; do
+ case $1 in
+ -m | --mode)
+ shift
+ mode=$1
+ ;;
+ -f | --force)
+ force=1
+ ;;
+ -h | --help)
+ usage
+ exit
+ ;;
+ *)
+ usage
+ exit 1
+ ;;
+ esac
+ shift
+done
+
+validate
+
+case $mode in
+nft)
+ set_nft
+ exit
+ ;;
+legacy)
+ set_legacy
+ exit
+ ;;
+*)
+ usage
+ exit 1
+ ;;
+esac
diff --git a/package/iptables/iptables.hash b/package/iptables/iptables.hash
index 3600e57..20c7d3d 100644
--- a/package/iptables/iptables.hash
+++ b/package/iptables/iptables.hash
@@ -1,4 +1,4 @@
 # From https://netfilter.org/projects/iptables/downloads.html
-sha256 993a3a5490a544c2cbf2ef15cf7e7ed21af1845baf228318d5c36ef8827e157c iptables-1.8.4.tar.bz2
+sha256 a23cac034181206b4545f4e7e730e76e08b5f3dd78771ba9645a6756de9cdd80 iptables-1.8.3.tar.bz2
 # Locally calculated
-sha256 8177f97513213526df2cf6184d8ff986c675afb514d4e68a404010521b880643 COPYING
+sha256 8177f97513213526df2cf6184d8ff986c675afb514d4e68a404010521b880643 COPYING
\ No newline at end of file
diff --git a/package/iptables/iptables.mk b/package/iptables/iptables.mk
index 40db763..ae5cf4d 100644
--- a/package/iptables/iptables.mk
+++ b/package/iptables/iptables.mk
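Review bot: `set_nft` and `set_legacy` relink only `iptables iptables-save iptables-restore ip6tables`, while `scripts/package` in this same commit points six names (adding `ip6tables-save` and `ip6tables-restore`) at `iptables-detect.sh`; after the first mode switch those two still resolve to the detect script, which re-runs detection, calls this script again and then `exec "$0"`s the unchanged link, so invoking `ip6tables-save` from the shipped tree loops. Add `ip6tables-save ip6tables-restore` to both `for` lists. Also, `--force` skips the PATH check in `validate`, but `set_nft`/`set_legacy` still compute `base_path=$(dirname $(which $script_name))`; when the script is not on PATH the unquoted `$(which …)` expands to nothing, `dirname` gets no operand, `base_path` is empty and `"$base_path/$i"` becomes `/iptables`, so the links are written at the filesystem root. Deriving `base_path` from `$(dirname "$0")` instead of from PATH, or refusing to proceed when `which` finds nothing regardless of `--force`, closes that hole.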
@@ -4,7 +4,7 @@
 #
 ################################################################################
 
-IPTABLES_VERSION = 1.8.4
+IPTABLES_VERSION = 1.8.3
 IPTABLES_SOURCE = iptables-$(IPTABLES_VERSION).tar.bz2
 IPTABLES_SITE = https://netfilter.org/projects/iptables/files
 IPTABLES_INSTALL_STAGING = YES
diff --git a/scripts/build b/scripts/build
new file mode 100755
index 0000000..b4c001e
--- /dev/null
+++ b/scripts/build
@@ -0,0 +1,19 @@
+#!/bin/bash
+
+pushd /usr/src/buildroot
+
+cp -rfv /source/package/* package/
+cp /source/buildroot/config /usr/src/buildroot/.config
+cp /source/buildroot/${BUILDARCH}config /usr/src/buildroot/.config-arch
+cat .config-arch >> .config
+
+mkdir -p patches
+
+cp -rfv /source/patches/* patches/
+
+for p in patches/*.patch; do patch -p1 -i $p; done
+
+make oldconfig
+make
+
+popd
\ No newline at end of file
diff --git a/scripts/ci b/scripts/ci
new file mode 100755
index 0000000..7486fe0
--- /dev/null
+++ b/scripts/ci
@@ -0,0 +1,10 @@
+#!/bin/sh
+set -ex
+
+cd "$(dirname $0)"
+
+echo "Buildarch is $BUILDARCH"
+
+./download
+./build
+./package
\ No newline at end of file
diff --git a/scripts/download b/scripts/download
new file mode 100755
index 0000000..87b752b
--- /dev/null
+++ b/scripts/download
@@ -0,0 +1,7 @@
+#!/bin/bash
+
+export BUILDROOT_VERSION=2020.02.2
+
+mkdir -p /usr/src/buildroot
+
+curl -fL https://buildroot.org/downloads/buildroot-${BUILDROOT_VERSION}.tar.bz2 | tar xvjf - -C /usr/src/buildroot --strip-components=1
\ No newline at end of file
diff --git a/scripts/entry b/scripts/entry
new file mode 100755
index 0000000..6c3dd2c
--- /dev/null
+++ b/scripts/entry
@@ -0,0 +1,12 @@
+#!/bin/sh
+set -ex
+
+if [ -e ./scripts/"$1" ]; then
+ ./scripts/"$@"
+else
+ exec "$@"
+fi
+
+if [ "$DAPPER_UID" -ne "-1" ]; then
+ chown -R $DAPPER_UID:$DAPPER_GID .
+fi
\ No newline at end of file
diff --git a/scripts/package b/scripts/package
new file mode 100755
index 0000000..bd2802c
--- /dev/null
+++ b/scripts/package
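Review bot: `scripts/build` has no `set -e` (nor `pipefail`), so a failing `cp`, `patch` or `make oldconfig` is ignored, and because the script ends with `popd` even a failed `make` is masked by `popd`'s zero status; the caller `scripts/ci` runs under `set -ex` but only sees the exit code of `./build`, so CI goes green on a broken build. Add `set -euo pipefail` directly after the shebang (`scripts/package` has the same gap and also ends with `popd`). With that in place the `for p in patches/*.patch` loop needs a guard for an empty directory, since the unmatched glob is passed literally to `patch`: `for p in patches/*.patch; do [ -e "$p" ] || continue; patch -p1 -i "$p"; done`.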
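Review bot: `scripts/download` pins `BUILDROOT_VERSION=2020.02.2` but pipes the tarball from `https://buildroot.org/downloads/…` straight into `tar`, so nothing verifies that the bytes received are the expected release, and every userspace binary k3s ships is built from whatever that download returned. Save to a file first, check it against a recorded digest in the same way the repository already does for packages in `package/*/*.hash`, and extract only on success, e.g. `echo "<sha256 of buildroot-2020.02.2, constructed placeholder>  buildroot-${BUILDROOT_VERSION}.tar.bz2" | sha256sum -c -` before the `tar xvjf`. This also gives the script a non-zero exit when the mirror serves something unexpected, which `scripts/ci` will then stop on.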
@@ -0,0 +1,53 @@
+#!/bin/bash
+
+mkdir -p /source/artifacts/${BUILDARCH}/bin /source/artifacts/${BUILDARCH}/xtables-bin /source/artifacts/${BUILDARCH}/etc /source/dist
+
+pushd /usr/src
+
+# copy binaries
+cp -d buildroot/output/target/usr/sbin/*tables* /source/artifacts/${BUILDARCH}/bin/
+cp buildroot/output/target/usr/sbin/conntrack /source/artifacts/${BUILDARCH}/bin/
+cp buildroot/output/target/usr/sbin/ethtool /source/artifacts/${BUILDARCH}/bin/
+cp buildroot/output/target/usr/sbin/ipset /source/artifacts/${BUILDARCH}/bin/
+cp buildroot/output/target/usr/bin/find /source/artifacts/${BUILDARCH}/bin/
+cp buildroot/output/target/usr/bin/nsenter /source/artifacts/${BUILDARCH}/bin/
+cp buildroot/output/target/usr/bin/pigz /source/artifacts/${BUILDARCH}/bin/
+cp buildroot/output/target/usr/bin/slirp4netns /source/artifacts/${BUILDARCH}/bin/
+cp buildroot/output/target/usr/bin/socat /source/artifacts/${BUILDARCH}/bin/
+cp buildroot/output/target/usr/bin/coreutils /source/artifacts/${BUILDARCH}/bin/
+cp buildroot/output/target/sbin/ip /source/artifacts/${BUILDARCH}/bin/
+cp buildroot/output/target/sbin/blkid /source/artifacts/${BUILDARCH}/bin/
+cp buildroot/output/target/sbin/losetup /source/artifacts/${BUILDARCH}/bin/
+cp buildroot/output/target/bin/busybox /source/artifacts/${BUILDARCH}/bin/
+cp buildroot/output/target/usr/sbin/swanctl /source/artifacts/${BUILDARCH}/bin/
+cp buildroot/output/target/usr/libexec/ipsec/charon /source/artifacts/${BUILDARCH}/bin/
+
+# save etc
+cp -rp buildroot/output/target/var/lib/rancher/k3s/agent/* /source/artifacts/${BUILDARCH}/etc/
+
+cp -r /source/iptables-detect/*.sh /source/artifacts/${BUILDARCH}/xtables-bin/
+
+# setup links
+link() { \
+ for l in $(find -L buildroot/output/target/ -samefile buildroot/output/target/$1/$2 | xargs -n 1 basename | sort -u | grep -v "^$2\$"); do \
+ ln -s $2 /source/artifacts/${BUILDARCH}/bin/$l; \
+ done; \
+};
+
+link bin busybox;
+link usr/bin coreutils;
+ln -sf pigz /source/artifacts/${BUILDARCH}/bin/unpigz;
+mkdir -p /source/artifacts/${BUILDARCH}/bin/aux;
+rm -f /source/artifacts/${BUILDARCH}/bin/mount;
+rm -f /source/artifacts/${BUILDARCH}/bin/modprobe;
+ln -sf ../busybox /source/artifacts/${BUILDARCH}/bin/aux/mount;
+ln -sf ../busybox /source/artifacts/${BUILDARCH}/bin/aux/modprobe;
+mv /source/artifacts/${BUILDARCH}/bin/*tables* /source/artifacts/${BUILDARCH}/xtables-bin/;
+for target in iptables iptables-save iptables-restore ip6tables ip6tables-save ip6tables-restore; do
+ ln -sf iptables-detect.sh /source/artifacts/${BUILDARCH}/xtables-bin/$target;
+done;
+cp -rp /source/artifacts/${BUILDARCH}/xtables-bin/* /source/artifacts/${BUILDARCH}/bin/aux;
+
+tar cf - -C /source/artifacts/${BUILDARCH} ./bin ./etc > /source/dist/k3s-root-${BUILDARCH}.tar
+tar cf - -C /source/artifacts/${BUILDARCH} --transform s/xtables-bin/bin/ ./xtables-bin > /source/dist/k3s-root-xtables-${BUILDARCH}.tar
+popd
\ No newline at end of file
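Review bot: The `link()` body in `scripts/package` keeps the `\` line continuations and trailing `;` that were needed inside the old Dockerfile `RUN` instruction; in a standalone bash script they are noise (a `\` inside `{ … }` merely joins lines, and the `};`/`done;` terminators do nothing), and the same stray `;` ends every `ln`, `rm`, `mkdir` and `mv` line that follows. Drop them so the function reads as ordinary shell. The unquoted `$(find … | grep -v "^$2\$")` in the `for` header depends on word splitting to yield one link name per iteration, which works for `basename` output but deserves a one-line comment such as `# unquoted on purpose: one link name per word`.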