[v0.21.0] release build fix (#4146)

* chore(ci): use dev tag for docker image building (#4138)

When SNAPSHOT=1, the local docker image will be tagged with dev tag to
differentiate it from the official release which is tagged with the
latest tag.

commit: 1085fc5 (main), cherry-pick

* chore: install last version of golang

commit: 6c111b4 (main), cherry-pick

* chore: golang binary move to tmp

commit: 221b0ac (main), cherry-pick

* fix: arm64 clang issue

commit: 6cc06b2 (main), cherry-pick

* fix(ci): make release rule to have prerequisites (#4141)

These changes ensure that the 'release' rule will require the other
rules to be executed (splitting the commands into different rules). This
way, if any some of the rules fail, the build will be aborted right away.

commit: 86c2c16 (main), cherry-pick

* fix(build): extract OPA 0.66 from OPA dev image

This workaround is required since OPA 0.65.0 (latest published release)
has cve-2024-24790.

After solved we can rollback to the previouw installation method.

commit: ef7d74e (main), cherry-pick

* fix(build): mv gh release logic to release rule (#4145)

Continuation of #4141.

commit: 6f94719 (main), cherry-pick

---------

Co-authored-by: Raphael Campos <[email protected]>

Author: geyslan

builder/Dockerfile.alpine-tracee-container

@@ -5,6 +5,20 @@
 ARG BTFHUB=0
 ARG FLAVOR=tracee-ebpf-core
 
+#
+# Version
+#
+
+ARG GO_VERSION=1.22.0
+ARG OPA_VERSION=v0.63.0
+
+
+# This workaround is required since OPA 0.65.0 (latest published release) has cve-2024-24790.
+# After solved we can rollback to the commented installation lines below.
+#
+# Stage 1: Set the base image to get the OPA binary
+FROM openpolicyagent/opa:0.66.0-dev-static as opa-extractor
+
 #
 # tracee-base
 #
@@ -23,9 +37,13 @@ RUN apk --no-cache update && \
 
 # install OPA
 
-RUN altarch=$(uname -m | sed 's:x86_64:amd64:g' | sed 's:aarch64:arm64:g') && \
-    curl -L -o /usr/bin/opa https://github.com/open-policy-agent/opa/releases/download/v0.63.0/opa_linux_${altarch}_static && \
-    chmod 755 /usr/bin/opa
+# ARG OPA_VERSION
+# RUN altarch=$(uname -m | sed 's:x86_64:amd64:g' | sed 's:aarch64:arm64:g') && \
+# curl -L -o /usr/bin/opa https://github.com/open-policy-agent/opa/releases/download/${OPA_VERSION}/opa_linux_${altarch}_static && \
+# chmod 755 /usr/bin/opa
+
+# Stage 2: Copy the OPA binary from the OPA extractor
+COPY --from=opa-extractor /opa /usr/bin/opa
 
 #
 # tracee-make-base
@@ -41,13 +59,14 @@ RUN apk --no-cache update && \
     apk --no-cache add bash git rsync && \
     apk --no-cache add coreutils findutils && \
     apk --no-cache add llvm14 clang14 && \
-    apk --no-cache add go make gcc && \
+    apk --no-cache add make gcc && \
     apk --no-cache add musl-dev && \
     apk --no-cache add linux-headers && \
     apk --no-cache add elfutils-dev && \
     apk --no-cache add libelf-static && \
     apk --no-cache add zlib-static && \
     apk --no-cache add zstd-static && \
+    apk --no-cache add binutils-gold && \
     rm -f /usr/bin/cc && \
     rm -f /usr/bin/clang && \
     rm -f /usr/bin/clang++ && \
@@ -81,6 +100,17 @@ RUN apk --no-cache update && \
     ln -s /usr/lib/llvm14/bin/llvm-readelf /usr/bin/llvm-readelf && \
     ln -s /usr/lib/llvm14/bin/opt /usr/bin/opt
 
+# install GO
+ARG GO_VERSION
+RUN altarch=$(uname -m | sed 's:x86_64:amd64:g' | sed 's:aarch64:arm64:g') && \
+    curl -L -o go${GO_VERSION}.linux-${altarch}.tar.gz https://go.dev/dl/go${GO_VERSION}.linux-${altarch}.tar.gz && \
+    tar -C /usr/local -xzf go${GO_VERSION}.linux-${altarch}.tar.gz && \
+    echo 'export PATH=$PATH:/usr/local/go/bin' >> /etc/profile && \
+    echo 'export GOROOT=/usr/local/go' >> /etc/profile && \
+    echo 'export GOPATH=$HOME/go' >> /etc/profile && \
+    echo 'export GOTOOLCHAIN=auto' >> /etc/profile && \
+    echo 'export PATH=$PATH:$GOPATH/bin' >> /etc/profile
+
 # install bpftool from btfhub
 
 RUN cd /tmp && \
@@ -101,7 +131,8 @@ WORKDIR /tracee
 
 COPY . /tracee
 
-RUN make clean && \
+RUN source /etc/profile && \
+    make clean && \
     BTFHUB=$BTFHUB make tracee && \
     BTFHUB=$BTFHUB make tracee-ebpf && \
     make tracee-rules && \

builder/Dockerfile.ubuntu-tracee-make

@@ -7,6 +7,13 @@ FROM ubuntu:jammy
 ARG uid=1000
 ARG gid=1000
 
+#
+# Version
+#
+
+ARG GO_VERSION=1.22.0
+ARG OPA_VERSION=v0.63.0
+
 # install needed environment
 
 RUN export DEBIAN_FRONTEND=noninteractive && \
@@ -30,9 +37,8 @@ RUN cd /tmp && \
     ./3rdparty/bpftool.sh
 
 # install OPA
-
 RUN altarch=$(uname -m | sed 's:x86_64:amd64:g' | sed 's:aarch64:arm64:g') && \
-    curl -L -o /usr/bin/opa https://github.com/open-policy-agent/opa/releases/download/v0.63.0/opa_linux_${altarch}_static && \
+    curl -L -o /usr/bin/opa https://github.com/open-policy-agent/opa/releases/download/${OPA_VERSION}/opa_linux_${altarch}_static && \
     chmod 755 /usr/bin/opa
 
 # extra tools for testing things
@@ -66,12 +72,11 @@ RUN export uid=$uid gid=$gid && \
     ln -s /home/tracee/.bashrc /home/tracee/.profile
 
 # install extra packages (if needed)
-
 RUN export DEBIAN_FRONTEND=noninteractive && \
     altarch=$(uname -m | sed 's:x86_64:amd64:g' | sed 's:aarch64:arm64:g') && \
     apt-get update && \
-    curl -L -o /tmp/golang.tar.xz https://go.dev/dl/go1.21.5.linux-${altarch}.tar.gz && \
-    tar -C /usr/local -xzf /tmp/golang.tar.xz && \
+    curl -L -o /tmp/golang.tar.gz https://go.dev/dl/go${GO_VERSION}.linux-${altarch}.tar.gz && \
+    tar -C /usr/local -xzf /tmp/golang.tar.gz && \
     update-alternatives --install /usr/bin/go go /usr/local/go/bin/go 1 && \
     update-alternatives --install /usr/bin/gofmt gofmt /usr/local/go/bin/gofmt 1
 

builder/Makefile.release

@@ -145,38 +145,16 @@ PUSH_DOCKER_REPO ?= aquasec/tracee
 .PHONY: release
 release: \
 	$(OUTPUT_DIR) \
+	build-tracee-btfhub \
+	build-tracee-binary-static \
+	build-tracee-binary-shared \
+	archive \
 	| .check_tree \
 	.check_$(CMD_DOCKER) \
 	.check_$(CMD_TAR) \
 	.check_$(CMD_CHECKSUM) \
 	.check_$(CMD_GITHUB)
 #
-# SNAPSHOT
-#
-
-#
-# build official container image (CO-RE + BTFHUB).
-#
-	$(MAKE) -f builder/Makefile.tracee-make alpine-prepare
-	$(MAKE) -f builder/Makefile.tracee-make alpine-make ARG="clean"
-#
-	BTFHUB=1 $(MAKE) -f builder/Makefile.tracee-container build-tracee
-#
-# build binaries (tracee, tracee-ebpf, tracee-rules, rules)
-#
-	$(MAKE) -f builder/Makefile.tracee-make ubuntu-prepare
-	$(MAKE) -f builder/Makefile.tracee-make ubuntu-make ARG="clean"
-# static
-	BTFHUB=0 STATIC=1 $(MAKE) -f builder/Makefile.tracee-make ubuntu-make ARG="tracee-ebpf"
-	BTFHUB=0 STATIC=1 $(MAKE) -f builder/Makefile.tracee-make ubuntu-make ARG="tracee"
-	$(CMD_MV) dist/tracee-ebpf dist/tracee-ebpf-static
-	$(CMD_MV) dist/tracee dist/tracee-static
-# shared libs
-	BTFHUB=0 STATIC=0 $(MAKE) -f builder/Makefile.tracee-make ubuntu-make ARG="all"
-# tarball
-	$(CMD_TAR) -cvzf $(OUT_ARCHIVE) $(RELEASE_FILES)
-	$(CMD_CHECKSUM) $(OUT_ARCHIVE) > $(OUT_CHECKSUMS)
-#
 # note: TAGS created by release-snapshot workflow
 #
 
@@ -212,6 +190,48 @@ endif
 
 endif
 
+#
+# build tracee
+#
+
+.PHONY: alpine-prepare
+alpine-prepare:
+	$(MAKE) -f builder/Makefile.tracee-make alpine-prepare && \
+		$(MAKE) -f builder/Makefile.tracee-make alpine-prepare ARG="clean"
+
+.PHONY: build-tracee-btfhub
+build-tracee-btfhub: alpine-prepare
+# build official container image (CO-RE + BTFHUB)
+	BTFHUB=1 SNAPSHOT=$(SNAPSHOT) $(MAKE) -f builder/Makefile.tracee-container build-tracee
+
+#
+# build binaries (tracee, tracee-ebpf, tracee-rules, rules)
+#
+
+.PHONY: ubuntu-prepare
+ubuntu-prepare:
+	$(MAKE) -f builder/Makefile.tracee-make ubuntu-prepare && \
+		$(MAKE) -f builder/Makefile.tracee-make ubuntu-make ARG="clean"
+
+.PHONY: build-tracee-binary-static
+build-tracee-binary-static: ubuntu-prepare
+# static
+	BTFHUB=0 STATIC=1 $(MAKE) -f builder/Makefile.tracee-make ubuntu-make ARG="tracee-ebpf" && \
+		BTFHUB=0 STATIC=1 $(MAKE) -f builder/Makefile.tracee-make ubuntu-make ARG="tracee" && \
+		$(CMD_MV) dist/tracee-ebpf dist/tracee-ebpf-static
+		$(CMD_MV) dist/tracee dist/tracee-static
+
+.PHONY: build-tracee-binary-shared
+build-tracee-binary-shared: ubuntu-prepare
+# shared libs
+	BTFHUB=0 STATIC=0 $(MAKE) -f builder/Makefile.tracee-make ubuntu-make ARG="all"
+
+.PHONY: archive
+archive:
+# tarball
+	$(CMD_TAR) -cvzf $(OUT_ARCHIVE) $(RELEASE_FILES) && \
+		$(CMD_CHECKSUM) $(OUT_ARCHIVE) > $(OUT_CHECKSUMS)
+
 .PHONY: clean
 clean:
 #

builder/Makefile.tracee-container

@@ -101,7 +101,14 @@ ifeq ($(BTFHUB),)
 BTFHUB=0
 endif
 
-TRACEE_CONT_NAME = tracee:latest
+SNAPSHOT ?= 0
+TAG ?= latest
+
+ifeq ($(SNAPSHOT),1)
+	TAG=dev
+endif
+
+TRACEE_CONT_NAME = tracee:$(TAG)
 TRACEE_CONT_DOCKERFILE = builder/Dockerfile.alpine-tracee-container
 
 .PHONY: build-tracee