debian-iptables: Build bullseye-v1.0.0 images

Signed-off-by: Stephen Augustus <[email protected]>

Author: justaugustus

dependencies.yaml

@@ -445,7 +445,7 @@ dependencies:
     #  match: "DEBIAN_BASE_VERSION: '(bullseye|buster)-v((([0-9]+)\\.([0-9]+)\\.([0-9]+)(?:-([0-9a-zA-Z-]+(?:\\.[0-9a-zA-Z-]+)*))?)(?:\\+([0-9a-zA-Z-]+(?:\\.[0-9a-zA-Z-]+)*))?)'"
 
   - name: "k8s.gcr.io/build-image/debian-iptables (next candidate)"
-    version: buster-v1.6.7
+    version: bullseye-v1.0.0
     refPaths:
     - path: images/build/debian-iptables/variants.yaml
       match: "IMAGE_VERSION: '(bullseye|buster)-v((([0-9]+)\\.([0-9]+)\\.([0-9]+)(?:-([0-9a-zA-Z-]+(?:\\.[0-9a-zA-Z-]+)*))?)(?:\\+([0-9a-zA-Z-]+(?:\\.[0-9a-zA-Z-]+)*))?)'"

images/build/debian-iptables/bullseye/Dockerfile

@@ -0,0 +1,47 @@
+# Copyright 2021 The Kubernetes Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+ARG BASEIMAGE
+
+FROM ${BASEIMAGE} as build
+
+# Install iptables and ebtables packages from bullseye-backports
+RUN echo deb http://deb.debian.org/debian bullseye-backports main >> /etc/apt/sources.list \
+    && apt-get update \
+    && apt-get -t bullseye-backports -y --no-install-recommends install \
+        iptables \
+        ebtables
+
+# Install other dependencies and then clean up apt caches
+RUN clean-install \
+    conntrack \
+    ipset \
+    kmod \
+    netbase
+
+# Install iptables wrapper scripts to detect the correct iptables mode
+# the first time any of them is run
+COPY iptables-wrapper /usr/sbin/iptables-wrapper
+
+RUN update-alternatives \
+	--install /usr/sbin/iptables iptables /usr/sbin/iptables-wrapper 100 \
+	--slave /usr/sbin/iptables-restore iptables-restore /usr/sbin/iptables-wrapper \
+	--slave /usr/sbin/iptables-save iptables-save /usr/sbin/iptables-wrapper
+RUN update-alternatives \
+	--install /usr/sbin/ip6tables ip6tables /usr/sbin/iptables-wrapper 100 \
+	--slave /usr/sbin/ip6tables-restore ip6tables-restore /usr/sbin/iptables-wrapper \
+	--slave /usr/sbin/ip6tables-save ip6tables-save /usr/sbin/iptables-wrapper
+
+FROM scratch
+COPY --from=build / /

images/build/debian-iptables/bullseye/iptables-wrapper

@@ -0,0 +1,40 @@
+#!/bin/sh
+
+# Copyright 2021 The Kubernetes Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -e
+
+# Detect whether the base system is using iptables-legacy or
+# iptables-nft. This assumes that some non-containerized process (eg
+# kubelet) has already created some iptables rules.
+
+# Bugs in iptables-nft 1.8.3 may cause it to get stuck in a loop in
+# some circumstances, so we have to run the nft check in a timeout. To
+# avoid hitting that timeout, we only bother to even check nft if
+# legacy iptables was empty / mostly empty.
+
+num_legacy_lines=$( (iptables-legacy-save || true; ip6tables-legacy-save || true) 2>/dev/null | grep '^-' | wc -l || true)
+num_nft_lines=$( (timeout 5 sh -c "iptables-nft-save; ip6tables-nft-save" || true) 2>/dev/null | grep '^-' | wc -l || true)
+if [ "${num_legacy_lines}" -ge "${num_nft_lines}" ]; then
+    mode=legacy
+  else
+    mode=nft
+fi
+
+update-alternatives --set iptables "/usr/sbin/iptables-${mode}" > /dev/null
+update-alternatives --set ip6tables "/usr/sbin/ip6tables-${mode}" > /dev/null
+
+# Now re-exec the original command with the newly-selected alternative
+exec "$0" "$@"