From c7eb28aed94270a0051d01a26e55c19821183f0f Mon Sep 17 00:00:00 2001 From: Scott Dodson Date: Tue, 28 Apr 2026 15:25:32 -0400 Subject: [PATCH 1/3] Dockerfile: remove rhel8 build stage and use rhel9 as base RHEL 8 is end-of-life. Remove the rhel8 build stage, switch the windows builder to the rhel-9 image, and use rhel9-built binaries as the default in /usr/src/plugins/bin/. Co-Authored-By: Claude Opus 4.6 rh-pre-commit.version: 2.3.2 rh-pre-commit.check-secrets: ENABLED --- Dockerfile | 15 ++------------- 1 file changed, 2 insertions(+), 13 deletions(-) diff --git a/Dockerfile b/Dockerfile index 66d975c1..92904f2a 100644 --- a/Dockerfile +++ b/Dockerfile @@ -7,15 +7,7 @@ RUN ./build_linux.sh && \ cd /usr/src/plugins/bin WORKDIR / -FROM registry.ci.openshift.org/ocp/builder:rhel-8-golang-1.25-openshift-4.22 AS rhel8 -COPY . /usr/src/plugins -WORKDIR /usr/src/plugins -ENV CGO_ENABLED=0 -RUN ./build_linux.sh && \ - cd /usr/src/plugins/bin -WORKDIR / - -FROM registry.ci.openshift.org/ocp/builder:rhel-8-golang-1.25-openshift-4.22 AS windows +FROM registry.ci.openshift.org/ocp/builder:rhel-9-golang-1.25-openshift-4.22 AS windows COPY . /usr/src/plugins WORKDIR /usr/src/plugins ENV CGO_ENABLED=0 @@ -25,12 +17,9 @@ WORKDIR / FROM registry.ci.openshift.org/ocp/4.22:base-rhel9 RUN mkdir -p /usr/src/plugins/bin && \ - mkdir -p /usr/src/plugins/rhel8/bin && \ mkdir -p /usr/src/plugins/rhel9/bin && \ mkdir -p /usr/src/plugins/windows/bin -COPY --from=rhel8 /usr/src/plugins/bin/* /usr/src/plugins/rhel8/bin/ -# pod container image is RHEL8 based, so use rhel8 -COPY --from=rhel8 /usr/src/plugins/bin/* /usr/src/plugins/bin/ +COPY --from=rhel9 /usr/src/plugins/bin/* /usr/src/plugins/bin/ COPY --from=rhel9 /usr/src/plugins/bin/* /usr/src/plugins/rhel9/bin/ COPY --from=windows /usr/src/plugins/bin/* /usr/src/plugins/windows/bin/ From 0ab1d696a1b99097e20c7e547976671945a1891c Mon Sep 17 00:00:00 2001 From: Scott Dodson Date: Tue, 28 Apr 2026 15:25:53 -0400 Subject: [PATCH 2/3] Dockerfile: use hardlinks for rhel9/bin/ instead of a separate COPY The rhel9/bin/ directory contains the same binaries as bin/. Use hardlinks to avoid duplicating them in the image layer. Co-Authored-By: Claude Opus 4.6 rh-pre-commit.version: 2.3.2 rh-pre-commit.check-secrets: ENABLED --- Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Dockerfile b/Dockerfile index 92904f2a..355eef9d 100644 --- a/Dockerfile +++ b/Dockerfile @@ -20,7 +20,7 @@ RUN mkdir -p /usr/src/plugins/bin && \ mkdir -p /usr/src/plugins/rhel9/bin && \ mkdir -p /usr/src/plugins/windows/bin COPY --from=rhel9 /usr/src/plugins/bin/* /usr/src/plugins/bin/ -COPY --from=rhel9 /usr/src/plugins/bin/* /usr/src/plugins/rhel9/bin/ +RUN ln /usr/src/plugins/bin/* /usr/src/plugins/rhel9/bin/ COPY --from=windows /usr/src/plugins/bin/* /usr/src/plugins/windows/bin/ LABEL io.k8s.display-name="Container Networking Plugins" \ From 25477afa2553edb98bfeb34b4a8327ca7e669dc0 Mon Sep 17 00:00:00 2001 From: Scott Dodson Date: Tue, 28 Apr 2026 15:46:44 -0400 Subject: [PATCH 3/3] build_linux.sh: strip symbols and debug info from binaries Pass -ldflags "-s -w" to go build to reduce binary size by stripping the symbol table and DWARF debug information. Co-Authored-By: Claude Opus 4.6 rh-pre-commit.version: 2.4.0 rh-pre-commit.check-secrets: ENABLED --- build_linux.sh | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/build_linux.sh b/build_linux.sh index b6d054e7..99ee3340 100755 --- a/build_linux.sh +++ b/build_linux.sh @@ -10,6 +10,9 @@ export GOFLAGS="${GOFLAGS} -mod=vendor" mkdir -p "${PWD}/bin" +# Prepend -s -w to any caller-supplied ldflags so strip flags are always present. +LDFLAGS="-s -w ${LDFLAGS:-}" + echo "Building plugins ${GOOS}" PLUGINS="plugins/meta/* plugins/main/* plugins/ipam/*" for d in $PLUGINS; do @@ -17,7 +20,7 @@ for d in $PLUGINS; do plugin="$(basename "$d")" if [ "${plugin}" != "windows" ]; then echo " $plugin" - ${GO:-go} build -o "${PWD}/bin/$plugin" "$@" ./"$d" + ${GO:-go} build -o "${PWD}/bin/$plugin" -ldflags "$LDFLAGS" "$@" ./"$d" fi fi done