All projects in this repo follow a common building (and updating) process. Make targets are standardized across the repo.
Projects can be built on a Mac or Linux host. By default when running go build
, and some of the other key targerts
such as gather_licenses
and attribution
, the builder-base docker image used in prow will be used.
This is to ensure checksums and attributions match what is generated in our CI and release systems.
To force running targets on the host: export FORCE_GO_BUILD_ON_HOST=true
.
- Docker
sudo yum install -y docker && sudo usermod -a -G docker ec2-user && id ec2-user && newgrp docker
sudo systemctl enable docker.service && sudo systemctl start docker.service
- Common utils required
sudo yum -y install bc jq git-core make lz4 rsync
yq
is required by a number of targetssudo wget -qO /usr/local/bin/yq https://github.com/mikefarah/yq/releases/latest/download/yq_linux_$([ "x86_64" = "$(uname -m)" ] && echo amd64 || echo arm64) && sudo chmod +x /usr/local/bin/yq
- Building helm charts requires
helm
andskopeo
- https://helm.sh/docs/intro/install/ -
curl https://raw.githubusercontent.com/helm/helm/main/scripts/get-helm-3 | bash
- https://github.com/containers/skopeo - There is no binary release of skopeo for linux see installing or
copy from builder-base image to host:
CONTAINER_ID=$(docker run -d -i public.ecr.aws/eks-distro-build-tooling/builder-base:standard-latest.al2 bash) && sudo docker cp $CONTAINER_ID:/usr/bin/skopeo /usr/local/bin && docker rm -vf $CONTAINER_ID
- https://helm.sh/docs/intro/install/ -
- To make pushing to ECR easier:
sudo yum install amazon-ecr-credential-helper -y
- (Skip for AL23) Upgrade to aws cli v2: https://docs.aws.amazon.com/cli/latest/userguide/getting-started-install.html
- To ensure string sorting matches our build pipelines -
export LANG=C.UTF-8
- Building CGO or other projects which require cross platform builds will
qemu
- NOTE: This will need to be ran after each reboot
docker run --privileged --rm public.ecr.aws/eks-distro-build-tooling/binfmt-misc:qemu-v6.1.0 --install aarch64,amd64
- (rare) Building image-builder
tuftool
to download Bottlerocket images - https://github.com/awslabs/tough - There is no binary release of tuftool for linux see Readme or copy from builder-base image to host:CONTAINER_ID=$(docker run -d -i public.ecr.aws/eks-distro-build-tooling/builder-base:standard-latest.al2 bash) && sudo docker cp $CONTAINER_ID:/usr/bin/tuftool /usr/local/bin && docker rm -vf $CONTAINER_ID
- (Skip for AL23) python 3.9 is required for the version of ansible required. AL2 does not ship a python 3.9 package so the easiest way to install it is building it with pyenv:
- https://github.com/pyenv/pyenv
curl https://pyenv.run | bash
sudo yum install gcc make patch zlib-devel bzip2 bzip2-devel readline-devel sqlite sqlite-devel openssl11-devel tk-devel libffi-devel xz-devel -y
pyenv install 3.9 && pyenv global 3.9
- Docker Desktop - https://docs.docker.com/desktop/install/mac-install/
- Common utils required -
brew install jq yq
- Bash 4.2+ is required -
brew install bash
- A number of targets which run on the host require the gnu variants of common tools
such as
date
find
sed
stat
tar
-brew install coreutils findutils gnu-sed gnu-tar
- Building helm charts requires
helm
andskopeo
- https://helm.sh/docs/intro/install/ -
curl https://raw.githubusercontent.com/helm/helm/main/scripts/get-helm-3 | bash
- https://github.com/containers/skopeo -
brew install skopeo
- https://helm.sh/docs/intro/install/ -
- To make pushing to ECR easier:
brew install docker-credential-helper-ecr
- aws cli v2: https://docs.aws.amazon.com/cli/latest/userguide/getting-started-install.html
- (rare) Building image-builder
tuftool
to download Bottlerocket images - https://github.com/awslabs/tough- python 3.9 is required for the version of ansible required.
brew install python@3.9
Each project folder contains a Makefile with the following build targets.
checkout-repo
- clones project repo, checkouts GIT_TAG and patches ifpatches
directory exists for current project.- (Runs in Docker)
binaries
- builds binaries for current project. - (Runs in Docker)
gather-licenses
- copies licenses from all project dependencies and puts in_output/LICENSES
to be included in tarballs and container images. - (Runs in Docker)
attribution
- regenerate the ATTRIBUTION.txt file. checksums
- update CHECKSUMS file based on currently built binaries. This should be run when bumping GIT_TAG, changing patches or changing build flags, otherwise should not be changed. Builds will fail if these do not match, but the correct checksums will be outputted to make updating easier.local-images
- builds container images, for the current host architecture, and exports to/tmp/{project}.tar
.images
- builds container images, for bothlinux/amd64
andlinux/arm64
and pushes to configured (IMAGE_REPO
) registry.build
- run via presubmit, clones repo, build binary(s), gather licenses, build container images, build tarballs and generate attribution file. Useslocal-images
to build images which does not push to a registry.release
- run via postsubmit, same asbuild
except runsimages
to push to a remote registry and to push tars/binaries to s3.clean
- removes source and _output directory.clean-repo
- removes source directory.clean-go-cache
- removes theGOMODCACHE
ANDGOCACHE
folders.
- There are two options for building container images
- (Experimental)
docker buildx
can be used which may be easier to setup since docker now ships with the buildx plugin. docker buildx also uses buildkit behind the scenes so it should result in creating an image which is the same as usingbuildctl
directly as prow does.- You need to create a builder using either the
docker-container
orremote
driver. For example:docker buildx create --name multiarch --driver docker-container --use
- You need to create a builder using either the
buildctl
can be used instead of docker to match our prow builds. Runninglocal-images
targets will export images to a tar, but if runningimages
targets which push images, a registry is required. By default, an ECR repo in the currently logged in AWS account will be used. A common alternative is to run docker registry locally and override this default behavior. This can be done withIMAGE_REPO=localhost:5000 make images
. To run buildkit and the docker registry run from the repo root (or a specific project folder):curl -L https://github.com/moby/buildkit/releases/download/v0.12.2/buildkit-v0.12.2.linux-$([ "x86_64" = "$(uname -m)" ] && echo amd64 || echo arm64).tar.gz -o /tmp/buildkit.tgz && sudo tar -xf /tmp/buildkit.tgz -C /usr/local bin/buildctl
make run-buildkit-and-registry
export BUILDKIT_HOST=docker-container://buildkitd
make stop-buildkit-and-registry
to cleanup
- (Experimental)
- See docker-auth.md for helpful tips for configuring, securing, and using your AWS credentials with the targets in this project.
- The following is a basic docker config for ecr-helper:
~/.docker/config.json
{ "auths": {}, "credsStore": "ecr-login" }
- If building packages with helm charts, skopeo auth has to be setup. The following is a basic skopeo config for ecr-helper:
~/.config/containers/registries.conf
credential-helpers = ["ecr-login"]
~/.config/containers/policy.json
{ "default": [ { "type": "insecureAcceptAnything" } ] }
- The following is a basic docker config for ecr-helper:
- By default,
IMAGE_REPO
will be set to your AWS account's private ECR registry based on your AWS_REGION. If you want to create the neccessary registeries for the current project:make create-ecr-repos
- If you would like to create these repos in your ECR public registry set
IMAGE_REPO=public.ecr.aws/<id> create-ecr-repos
- Some projects download built artifacts from our dev pipelines. To pull these from the EKS-Anywere dev bucket
export ARTIFACTS_BUCKET=s3://projectbuildpipeline-857-pipelineoutputartifactsb-10ajmk30khe3f
- Multiple versions of golang are required to build the various projects. There is a helper
script modeled from the builder-base to install all golang versions locally.
Note Our build and release pipelines use EKS Go which the helper script does not install from. If building on the host, checksums will almost certainly mismatch with what is checked into this repo. - If testing gathering licenses and generating attribution files on the host, please follow these instructions to setup.
By default targets are run in a short-lived container using the builder-base image. If you would like to create a long lived container for testing:
make start-docker-builder
- The container will be named
eks-a-builder
and can be accessed to manually run targets or cleanup:docker exec -it eks-a-builder bash
- To stop the container:
make stop-docker-builder
- If you use a private
GOPROXY
, addexport GOPROXY=<custom proxy>
to your ~/.bashrc or ~/.zshrc- If your private proxy requires authentication, consider creating
~/.netrc
, ex:machine <machine> login <basic auth name> password <basic auth password>
chmod og-rw ~/.netrc
- If your private proxy requires authentication, consider creating