ci: add ebpf diff check

This adds a GitHub action to build the eBPF programs and check for a diff since this can easily be forgotten e.g. when updating cilium/ebpf.
ctrox · Apr 28, 2024 · f321b69 · f321b69
1 parent 15e6806
commit f321b69
Show file tree

Hide file tree

Showing 7 changed files with 41 additions and 6 deletions.
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -31,6 +31,30 @@ jobs:
       - name: test
         run: sudo --preserve-env make test
 
+  build:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v2
+        with:
+          install: true
+
+      - name: Set up Go
+        uses: actions/setup-go@v4
+        with:
+          go-version: "1.22"
+
+      - name: build ebpf image
+        run: make build-ebpf
+
+      - name: generate ebpf
+        run: make generate
+
+      - name: check for diff
+        run: git diff --exit-code
+
   e2e:
     runs-on: ubuntu-latest
     steps:

diff --git a/Makefile b/Makefile
@@ -62,15 +62,15 @@ test:
 # of the host into the container. For now this is the only way to run the e2e
 # tests on Mac OS with apple silicon as the shim requires GOOS=linux.
 docker-test-e2e: build-test
-	docker run --rm -ti --privileged --network=host --rm -v $(DOCKER_SOCK):$(DOCKER_SOCK) -v $(PWD):/app $(TEST_IMAGE) make test-e2e
+	docker run --rm --privileged --network=host --rm -v $(DOCKER_SOCK):$(DOCKER_SOCK) -v $(PWD):/app $(TEST_IMAGE) make test-e2e
 
 docker-bench: build-test
-	docker run --rm -ti --privileged --network=host --rm -v $(DOCKER_SOCK):$(DOCKER_SOCK) -v $(PWD):/app $(TEST_IMAGE) make bench
+	docker run --rm --privileged --network=host --rm -v $(DOCKER_SOCK):$(DOCKER_SOCK) -v $(PWD):/app $(TEST_IMAGE) make bench
 
 # has to have SYS_ADMIN because the test tries to set netns and mount bpffs
 # we use --pid=host to make the ebpf tracker work without a pid resolver
 docker-test:
-	docker run --rm -ti --cap-add=SYS_ADMIN --cap-add=NET_ADMIN --pid=host -v $(PWD):/app $(TEST_IMAGE) make test
+	docker run --rm --cap-add=SYS_ADMIN --cap-add=NET_ADMIN --pid=host -v $(PWD):/app $(TEST_IMAGE) make test
 
 CLANG ?= clang
 CFLAGS := -O2 -g -Wall -Werror
@@ -81,4 +81,10 @@ CFLAGS := -O2 -g -Wall -Werror
 generate: export BPF_CLANG := $(CLANG)
 generate: export BPF_CFLAGS := $(CFLAGS)
 generate:
-	docker run --rm -ti -v $(PWD):/app --env=BPF_CLANG="$(CLANG)" --env=BPF_CFLAGS="$(CFLAGS)" $(EBPF_IMAGE) go generate ./...
+	docker run --rm -v $(PWD):/app:Z --user $(shell id -u):$(shell id -g) --env=BPF_CLANG="$(CLANG)" --env=BPF_CFLAGS="$(CFLAGS)" $(EBPF_IMAGE)
+
+# to improve reproducibility of the bpf builds, we dump the vmlinux.h and
+# store it compressed in git instead of dumping it during the build.
+update-vmlinux:
+	docker run --rm -v $(PWD):/app:Z --entrypoint /bin/sh --user $(shell id -u):$(shell id -g) $(EBPF_IMAGE) \
+		-c "bpftool btf dump file /sys/kernel/btf/vmlinux format c" | gzip > socket/vmlinux.h.gz
diff --git a/activator/bpf_bpfel.o b/activator/bpf_bpfel.o
diff --git a/socket/Dockerfile b/socket/Dockerfile
@@ -12,9 +12,14 @@ RUN dnf install -y llvm clang bpftool libbpf-devel golang
 
 RUN mkdir /headers
 RUN cp /usr/include/bpf/bpf_* /headers
-RUN bpftool btf dump file /sys/kernel/btf/vmlinux format c > /headers/vmlinux.h
+COPY socket/vmlinux.h.gz /headers
+RUN gunzip /headers/vmlinux.h.gz
 
-COPY --from=gomod /go /root/go
+COPY --from=gomod /go /tmp
+ENV GOCACHE=/tmp
+ENV GOMODCACHE=/tmp/pkg/mod
+
+RUN mkdir -m 777 /app
 WORKDIR /app
 
 ENTRYPOINT ["go", "generate", "./..."]
diff --git a/socket/bpf_bpfeb.o b/socket/bpf_bpfeb.o
diff --git a/socket/bpf_bpfel.o b/socket/bpf_bpfel.o
diff --git a/socket/vmlinux.h.gz b/socket/vmlinux.h.gz