[backport v1.7] feat: adding Dockerfile templates for ACN images that are missing it and bumping Go version to 1.24.13 #4341
Conversation
Pull request overview
Backport to release/v1.7 that extends the Dockerfile templating/rendering system to additional Go-based ACN images and updates pinned base image digests to pick up the Go 1.24.13 toolchain for CVE remediation, along with CI pipeline updates to source Go from the msft-go container image.
Changes:
- Add Dockerfile templates (and rendered Dockerfiles) for azure-ipam, azure-ip-masq-merger, azure-iptables-monitor, and cilium-log-collector; refresh pinned base image digests (including ipv6-hp-bpf).
- Extend Dockerfile rendering support in `build/images.mk` and wire the new images into `make dockerfiles`.
- Update OneBranch pipeline jobs to install Go via crane-based extraction from the pinned msft-go image, plus add new pipeline Dockerfile templates for the added images.
Reviewed changes
Copilot reviewed 23 out of 23 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| Makefile | Adds new image paths to make dockerfiles rendering. |
| build/images.mk | Adds render-simple / render-pipe targets for selective template rendering. |
| cilium-log-collector/Dockerfile.tmpl | New source-build Dockerfile template for cilium-log-collector. |
| cilium-log-collector/Dockerfile | Rendered Dockerfile updated to new pinned golang digest and autogen header. |
| azure-ipam/Dockerfile.tmpl | New source-build Dockerfile template for azure-ipam (linux + windows targets). |
| azure-ipam/Dockerfile | Rendered Dockerfile updated to new pinned golang/base image digests and autogen header. |
| azure-ip-masq-merger/Dockerfile.tmpl | New source-build Dockerfile template for azure-ip-masq-merger. |
| azure-ip-masq-merger/Dockerfile | Rendered Dockerfile updated to new pinned golang digest and autogen header. |
| azure-iptables-monitor/Dockerfile.tmpl | New source-build Dockerfile template for azure-iptables-monitor (includes azure-block-iptables build stage). |
| azure-iptables-monitor/Dockerfile | Rendered Dockerfile updated to new pinned golang/base image digests and autogen header. |
| bpf-prog/ipv6-hp-bpf/linux.Dockerfile | Updates pinned golang digest used to build ipv6-hp-bpf artifacts. |
| .pipelines/build/scripts/install-crane.sh | New helper to install crane for daemonless image extraction. |
| .pipelines/build/scripts/install-go.sh | New helper to install Go by extracting /usr/local/go from the msft-go container image. |
| .pipelines/build/images.jobs.yaml | Replaces GoTool with crane + msft-go installation steps for image packaging jobs. |
| .pipelines/build/binary.steps.yaml | Replaces GoTool with msft-go installation for binary build jobs. |
| .pipelines/build/dockerfiles/azure-ipam.Dockerfile.tmpl | New pipeline Dockerfile template for azure-ipam. |
| .pipelines/build/dockerfiles/azure-ipam.Dockerfile | Rendered pipeline Dockerfile for azure-ipam with autogen header. |
| .pipelines/build/dockerfiles/azure-ip-masq-merger.Dockerfile.tmpl | New pipeline Dockerfile template for azure-ip-masq-merger. |
| .pipelines/build/dockerfiles/azure-ip-masq-merger.Dockerfile | Rendered pipeline Dockerfile for azure-ip-masq-merger with autogen header. |
| .pipelines/build/dockerfiles/azure-iptables-monitor.Dockerfile.tmpl | New pipeline Dockerfile template for azure-iptables-monitor. |
| .pipelines/build/dockerfiles/azure-iptables-monitor.Dockerfile | Rendered pipeline Dockerfile for azure-iptables-monitor with autogen header and updated base image digests. |
| .pipelines/build/dockerfiles/cilium-log-collector.Dockerfile.tmpl | New pipeline Dockerfile template for cilium-log-collector. |
| .pipelines/build/dockerfiles/cilium-log-collector.Dockerfile | Rendered pipeline Dockerfile for cilium-log-collector with autogen header. |
Reviewed lines in .pipelines/build/dockerfiles/azure-iptables-monitor.Dockerfile:

```
# !! AUTOGENERATED - DO NOT EDIT !!
# SOURCE: .pipelines/build/dockerfiles/azure-iptables-monitor.Dockerfile.tmpl
```
This file is marked as autogenerated from .pipelines/build/dockerfiles/azure-iptables-monitor.Dockerfile.tmpl, but its contents don’t match the template (e.g., template stage name/installed packages and copied files differ). Please re-render this Dockerfile from the template (or update the template/header) so the rendered output and declared source stay consistent.
Suggested change:

```diff
-# !! AUTOGENERATED - DO NOT EDIT !!
-# SOURCE: .pipelines/build/dockerfiles/azure-iptables-monitor.Dockerfile.tmpl
+# Maintained in-place. This file is not declared as autogenerated from a template.
```
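The pipeline change replaces the GoTool task with "extract Go from the msft-go image referenced in each project's Dockerfile". The script below is an added example of that mechanism; it is not the repository's `.pipelines/build/scripts/install-go.sh` or `install-crane.sh`, whose contents are not shown on this page. It reads the digest-pinned Go image out of a Dockerfile, refuses tag-only references (a rolling tag such as `1.24-azurelinux3.0` can move between builds, a digest cannot), and exports `/usr/local/go` from the image with crane, daemonlessly. All registry names and digests in it are constructed, and the `crane export` step runs only when crane is on PATH.

```shell
#!/bin/sh
# Added example, not the repository's install-go.sh: given a Dockerfile whose
# builder stage is pinned to a Go image by digest, recover that image reference
# and (when crane is available) extract /usr/local/go from it without a daemon.
# Every image name and digest below is constructed for illustration.
set -eu

# Constructed Dockerfile fragment standing in for a rendered ACN Dockerfile.
# The digest is 0123456789abcdef repeated four times, i.e. not a real image.
SAMPLE_DOCKERFILE=$(cat <<'EOF'
# !! AUTOGENERATED - DO NOT EDIT !!
# SOURCE: example.Dockerfile.tmpl
FROM --platform=$BUILDPLATFORM registry.example.invalid/oss/go/golang@sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef AS builder
WORKDIR /src
RUN go build ./...
FROM registry.example.invalid/base@sha256:fedcba9876543210fedcba9876543210fedcba9876543210fedcba9876543210
COPY --from=builder /src/app /app
EOF
)

# Print the image reference of the first FROM line that names a golang image.
# Reads the file in $1, or stdin when no path is given. Skips --platform=...
# style options so the reference itself is returned.
go_image_from_dockerfile() {
  grep -iE '^[[:space:]]*FROM[[:space:]].*golang' "${1:-/dev/stdin}" \
    | head -n 1 \
    | awk '{ for (i = 2; i <= NF; i++) if ($i !~ /^--/) { print $i; exit } }'
}

# Succeed only when the reference is pinned by a full sha256 digest.
# A tag such as 1.24-azurelinux3.0 can move between builds; a digest cannot.
is_digest_pinned() {
  printf '%s\n' "$1" | grep -qE '@sha256:[0-9a-f]{64}$'
}

# Extract /usr/local/go from the image into "$2/go" using crane's filesystem
# export, so the toolchain matches the Dockerfile exactly. Returns 1 for an
# unpinned reference and 2 when crane is not installed (nothing is fetched).
install_go_from_image() {
  ref=$1
  dest=${2:-/usr/local}
  if ! is_digest_pinned "$ref"; then
    echo "refusing unpinned Go image reference: $ref" >&2
    return 1
  fi
  if ! command -v crane >/dev/null 2>&1; then
    echo "crane not found on PATH; skipping extraction" >&2
    return 2
  fi
  mkdir -p "$dest"
  # crane export writes the flattened image filesystem as a tar to stdout;
  # keep only usr/local/go and drop the leading usr/local path components.
  crane export "$ref" - | tar -C "$dest" -x --strip-components=2 usr/local/go
}

# Demo run over the constructed sample: resolve the reference and check pinning.
GO_IMAGE=$(printf '%s\n' "$SAMPLE_DOCKERFILE" | go_image_from_dockerfile)
echo "Go builder image: $GO_IMAGE"
if is_digest_pinned "$GO_IMAGE"; then
  echo "pinned by digest: yes"
else
  echo "pinned by digest: no"
fi
```

Pointing `go_image_from_dockerfile` at a real rendered Dockerfile (`go_image_from_dockerfile path/to/Dockerfile`) gives the single reference the pipeline should install from; because the rendered Dockerfile is the only place the digest lives, a digest bump in the template moves the signed pipeline's toolchain with it, which is the sync the commit message describes.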
/azp run Azure Container Networking PR

Azure Pipelines successfully started running 1 pipeline(s).
Rebase against release train to take in merge queue check |
…and bumping Go version to 1.24.13 (#4289)

* feat: add Dockerfile templates for ACN images and bump Go to 1.24.13

  This PR extends the Dockerfile template system (used by CNI/CNS) to all remaining Go-based images for consistent base image version management.

  Changes:
  - Added Dockerfile templates for azure-ipam, azure-ip-masq-merger, azure-iptables-monitor, and cilium-log-collector
  - Added corresponding pipeline Dockerfile templates
  - Updated build/images.mk with render-simple and render-pipe targets
  - Bumped Go version to 1.24.13 (via rolling tag 1.24-azurelinux3.0)
  - Bumped ipv6-hp-bpf Go version to 1.24.13 (Debian bookworm image)

  CVE Impact:
  - Fixes 5 stdlib CVEs including CRITICAL CVE-2025-68121 (crypto/tls)
  - Remaining: CVE-2026-25679 (requires Go 1.25.8+)

* fix: use msft-go in signed pipeline

  Cherry-picked from jpayne3506/msft-goSigned (0ffec35)

  This removes the dependency on the ADO GOVERSION variable and instead extracts Go directly from the msft-go container image referenced in each project's Dockerfile, keeping the signed pipeline in sync with the Dockerfile-based build.
1efb094 to 1a82dca
Cherry-pick of #4289 to release/v1.7
Original PR: #4289
Summary
This backports the Go version bump and Dockerfile template changes to fix critical CVEs in the Go stdlib.
Changes
CVE Impact
Verification