On 6/9/21 2:44 PM, Michal Rostecki wrote:
Hi,
I would like to talk about packages related to Cilium and Envoy. As probably many of you know, Envoy-related packages in openSUSE:
- envoy-proxy - cilium-proxy
are quite hard to maintain. That's due to Envoy using Bazel build system and bundling a lot of dependencies (mostly C and C++ projects) through it.
Some time ago, we agreed to pack the most of those dependencies into a tarball (vendor.tar.gz) while force dynamic linking of libraries which are anyhow cryptography- or security-related (boringssl, curl, nghttp2, zlib). Doing so automatically was achieved by this project:
https://github.com/kubic-project/obs-service-bazel_repositories
The problem is, that this project doesn't work for newest versions of Envoy anymore (at least >=1.17). Now Envoy also pulls some Python dependencies even for building the main binary and it requires concrete versions with concrete hashes through pip. For example:
https://github.com/envoyproxy/envoy/blob/main/configs/requirements.txt
Honestly speaking, I'm getting really frustrated by chasing over all the new Envoy/Bazel build features and trying to get them working with OBS offline builds.
That's why I'm thinking about removing those packages (also Cilium, since it doesn't provide the whole functionality without Envoy) from Kubic.
Since we already describe on the Kubic blog how to use rke2, Rancher is a SUSE product and rke2/rancher is based on mirrored (+ sometimes slightly patched) upstream container images, I think it's reasonable to stick to this approach. As well as, for example, we trust Flathub in openSUSE MicroOS Desktop.
If curious about how Rancher does that:
https://github.com/rancher/image-mirror
I would be happy to keep Cilium in Kubic if there would be any possibility for using Dockerfiles (online when building), in that case I would be even happy to provide some set of patches to convert the base image layer to openSUSE TW and replace `apt` with `microdnf`/`zypper`. But if there is no such possibility of plan of supporting such workflow, I think I would rather remove Cilium from Kubic packaging and focus on maintaining it in rke2 and providing it to MicroOS users through Rancher tools.
Please let me know what are your thoughts on that.
Cheers, Michal
I take the lack of replies as lack of opposition towards removing cilium packages and images from OBS. Here are the requests: https://build.opensuse.org/request/show/899929 https://build.opensuse.org/request/show/899930 https://build.opensuse.org/request/show/899931 https://build.opensuse.org/request/show/899932 https://build.opensuse.org/request/show/899933 I will write up some docs on openSUSE Wiki this week about using rke2 on MicroOS to deploy Cilium. Cheers, Michal