Hello,
In my opinion I find this okay. Since official OpenSUSE cilium packages were slow to catch up to upstream I usually favored Cilium's official images instead. The biggest appeal with OBS images was that they were multi-arch. With that being a thing in Cilium 1.10.0 I don't see much of a reason for an offline container build?
One question though. I think kubbictl relies on deploying Cilium with I assume OBS's image of Cilium. Does that need to be swapped?
Thanks,
Anthony
On 6/9/21 2:44 PM, Michal Rostecki wrote:
> Hi,
>
> I would like to talk about packages related to Cilium and Envoy. As
> probably many of you know, Envoy-related packages in openSUSE:
>
> - envoy-proxy
> - cilium-proxy
>
> are quite hard to maintain. That's due to Envoy using Bazel build system
> and bundling a lot of dependencies (mostly C and C++ projects) through it.
>
> Some time ago, we agreed to pack the most of those dependencies into a
> tarball (vendor.tar.gz) while force dynamic linking of libraries which
> are anyhow cryptography- or security-related (boringssl, curl, nghttp2,
> zlib). Doing so automatically was achieved by this project:
>
> https://github.com/kubic-project/obs-service-bazel_repositories
>
> The problem is, that this project doesn't work for newest versions of
> Envoy anymore (at least >=1.17). Now Envoy also pulls some Python
> dependencies even for building the main binary and it requires concrete
> versions with concrete hashes through pip. For example:
>
> https://github.com/envoyproxy/envoy/blob/main/configs/requirements.txt
>
> Honestly speaking, I'm getting really frustrated by chasing over all the
> new Envoy/Bazel build features and trying to get them working with OBS
> offline builds.
>
> That's why I'm thinking about removing those packages (also Cilium,
> since it doesn't provide the whole functionality without Envoy) from Kubic.
>
> Since we already describe on the Kubic blog how to use rke2, Rancher is
> a SUSE product and rke2/rancher is based on mirrored (+ sometimes
> slightly patched) upstream container images, I think it's reasonable to
> stick to this approach. As well as, for example, we trust Flathub in
> openSUSE MicroOS Desktop.
>
> If curious about how Rancher does that:
>
> https://github.com/rancher/image-mirror
>
> I would be happy to keep Cilium in Kubic if there would be any
> possibility for using Dockerfiles (online when building), in that case I
> would be even happy to provide some set of patches to convert the base
> image layer to openSUSE TW and replace `apt` with `microdnf`/`zypper`.
> But if there is no such possibility of plan of supporting such workflow,
> I think I would rather remove Cilium from Kubic packaging and focus on
> maintaining it in rke2 and providing it to MicroOS users through Rancher
> tools.
>
> Please let me know what are your thoughts on that.
>
> Cheers,
> Michal
I take the lack of replies as lack of opposition towards removing cilium
packages and images from OBS.
Here are the requests:
https://build.opensuse.org/request/show/899929
https://build.opensuse.org/request/show/899930
https://build.opensuse.org/request/show/899931
https://build.opensuse.org/request/show/899932
https://build.opensuse.org/request/show/899933
I will write up some docs on openSUSE Wiki this week about using rke2 on
MicroOS to deploy Cilium.
Cheers,
Michal