ci: add iptables block signed image (#4049)

QxBytes · web-flow · commit d09fdf0efde3 · 2025-09-29T16:16:33.000Z
* add iptables block to signed image

* fix syntax

* mariner version
diff --git a/.pipelines/build/dockerfiles/azure-iptables-monitor.Dockerfile b/.pipelines/build/dockerfiles/azure-iptables-monitor.Dockerfile
@@ -14,5 +14,6 @@ ARG ARTIFACT_DIR
 COPY --from=iptables /usr/sbin/*tables* /usr/sbin/
 COPY --from=iptables /usr/lib /usr/lib
 COPY ${ARTIFACT_DIR}/bin/azure-iptables-monitor /azure-iptables-monitor
+COPY ${ARTIFACT_DIR}/bin/azure-block-iptables /azure-block-iptables
 
 ENTRYPOINT ["/azure-iptables-monitor"]
diff --git a/.pipelines/build/ob-prepare.steps.yaml b/.pipelines/build/ob-prepare.steps.yaml
@@ -66,6 +66,10 @@ steps:
     echo "##vso[task.setvariable variable=azureIptablesMonitorVersion;isOutput=true]$AZUREIPTABLESMONITORVERSION"
     echo "azureIptablesMonitorVersion: $AZUREIPTABLESMONITORVERSION"
 
+    AZUREBLOCKIPTABLESVERSION=$(make azure-block-iptables-version)
+    echo "##vso[task.setvariable variable=azureBlockIptablesVersion;isOutput=true]$AZUREBLOCKIPTABLESVERSION"
+    echo "azureBlockIptablesVersion: $AZUREBLOCKIPTABLESVERSION"
+
     CNIVERSION=$(make cni-version)
     echo "##vso[task.setvariable variable=cniVersion;isOutput=true]$CNIVERSION"
     echo "cniVersion: $CNIVERSION"
diff --git a/.pipelines/build/scripts/azure-iptables-monitor.sh b/.pipelines/build/scripts/azure-iptables-monitor.sh
@@ -5,6 +5,7 @@ set -eux
 FILE_EXT=''
 
 export CGO_ENABLED=0
+export C_INCLUDE_PATH=/usr/include/bpf
 
 mkdir -p "$OUT_DIR"/bin
 mkdir -p "$OUT_DIR"/files
@@ -16,3 +17,57 @@ pushd "$REPO_ROOT"/azure-iptables-monitor
     -gcflags="-dwarflocationlists=true" \
     .
 popd
+
+echo "Building azure-block-iptables binary..."
+
+# Debian/Ubuntu
+if [[ -f /etc/debian_version ]]; then
+
+  apt-get update -y
+  apt-get install -y --no-install-recommends llvm clang linux-libc-dev linux-headers-generic libbpf-dev libc6-dev nftables iproute2
+  
+  if [[ $ARCH =~ amd64 ]]; then
+    apt-get install -y --no-install-recommends gcc-multilib
+    ARCH_GNU=x86_64-linux-gnu
+  elif [[ $ARCH =~ arm64 ]]; then
+    apt-get install -y --no-install-recommends gcc-aarch64-linux-gnu
+    ARCH_GNU=aarch64-linux-gnu
+  fi
+
+  # Create symlinks for architecture-specific includes
+  for dir in /usr/include/"$ARCH_GNU"/*; do
+    if [[ -d "$dir" || -f "$dir" ]]; then
+      ln -sfn "$dir" /usr/include/$(basename "$dir")
+    fi
+  done
+
+# Mariner
+else
+  tdnf install -y llvm clang libbpf-devel nftables gcc binutils iproute glibc
+  
+  if [[ $ARCH =~ amd64 ]]; then
+    ARCH_GNU=x86_64-linux-gnu
+  elif [[ $ARCH =~ arm64 ]]; then
+    ARCH_GNU=aarch64-linux-gnu
+  fi
+
+  # Create symlinks for architecture-specific includes
+  for dir in /usr/include/"$ARCH_GNU"/*; do
+    if [[ -d "$dir" || -f "$dir" ]]; then
+      ln -sfn "$dir" /usr/include/$(basename "$dir")
+    fi
+  done
+fi
+
+pushd "$REPO_ROOT"
+  # Generate BPF objects
+  GOOS="$OS" CGO_ENABLED=0 go generate ./bpf-prog/azure-block-iptables/...
+  
+  # Build the binary
+  GOOS="$OS" CGO_ENABLED=0 go build -a \
+    -o "$OUT_DIR"/bin/azure-block-iptables"$FILE_EXT" \
+    -trimpath \
+    -ldflags "-s -w -X main.version=$AZURE_BLOCK_IPTABLES_VERSION" \
+    -gcflags="-dwarflocationlists=true" \
+    ./bpf-prog/azure-block-iptables/cmd/azure-block-iptables
+popd
diff --git a/.pipelines/run-pipeline.yaml b/.pipelines/run-pipeline.yaml
@@ -39,6 +39,7 @@ stages:
     AZURE_IPAM_VERSION: $[ stageDependencies.setup.env.outputs['EnvironmentalVariables.azureIpamVersion'] ]
     AZURE_IP_MASQ_MERGER_VERSION: $[ stageDependencies.setup.env.outputs['EnvironmentalVariables.azureIpMasqMergerVersion'] ]
     AZURE_IPTABLES_MONITOR_VERSION: $[ stageDependencies.setup.env.outputs['EnvironmentalVariables.azureIptablesMonitorVersion'] ]
+    AZURE_BLOCK_IPTABLES_VERSION: $[ stageDependencies.setup.env.outputs['EnvironmentalVariables.azureBlockIptablesVersion'] ]
     CNI_VERSION: $[ stageDependencies.setup.env.outputs['EnvironmentalVariables.cniVersion'] ]
     CNS_VERSION: $[ stageDependencies.setup.env.outputs['EnvironmentalVariables.cnsVersion'] ]
     IPV6_HP_BPF_VERSION: $[ stageDependencies.setup.env.outputs['EnvironmentalVariables.ipv6HpBpfVersion'] ]
@@ -204,6 +205,7 @@ stages:
       AZURE_IPAM_VERSION: $[ stageDependencies.setup.env.outputs['EnvironmentalVariables.azureIpamVersion'] ]
       AZURE_IP_MASQ_MERGER_VERSION: $[ stageDependencies.setup.env.outputs['EnvironmentalVariables.azureIpMasqMergerVersion'] ]
       AZURE_IPTABLES_MONITOR_VERSION: $[ stageDependencies.setup.env.outputs['EnvironmentalVariables.azureIptablesMonitorVersion'] ]
+      AZURE_BLOCK_IPTABLES_VERSION: $[ stageDependencies.setup.env.outputs['EnvironmentalVariables.azureBlockIptablesVersion'] ]
       CNI_VERSION: $[ stageDependencies.setup.env.outputs['EnvironmentalVariables.cniVersion'] ]
       CNS_VERSION: $[ stageDependencies.setup.env.outputs['EnvironmentalVariables.cnsVersion'] ]
       IPV6_HP_BPF_VERSION: $[ stageDependencies.setup.env.outputs['EnvironmentalVariables.ipv6HpBpfVersion'] ]
