Revamp Calico images and enable RISC-V builds #233

Open
twz123 wants to merge 3 commits into k0sproject:main from twz123:calico-riscv
@twz123 twz123 commented Feb 1, 2026

  • Use Alpine 3.23.3 and Go 1.25.6
  • Build Calico BIRD from sources
  • Update the iptables-wrapper
  • Manage GOCACHE via build caches
  • Strip flannel and CNI plugin executables

* v3.29.7-0 -> v3.29.7-1

Signed-off-by: Tom Wieczorek <twieczorek@mirantis.com>
* Use Alpine 3.23.3 and Go 1.25.6
* Build Calico BIRD from sources
* Update the iptables-wrapper
* Manage GOCACHE via build caches
* Strip flannel and CNI plugin executables

Signed-off-by: Tom Wieczorek <twieczorek@mirantis.com>
Signed-off-by: Tom Wieczorek <twieczorek@mirantis.com>
+ # NOTE(k0s): iptables-nft will fail under QEMU with the below error
+ # message, hence use iptables-legacy for the version check
+ if ! version=$("${sbin}/iptables-nft" --version 2>&1); then
+ if [ "$version" != "iptables: Failed to initialize nft: Protocol not supported" ]; then
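Review bot: The exact-string comparison on the `[ "$version" != "iptables: Failed to initialize nft: Protocol not supported" ]` line is brittle: `2>&1` folds stderr into `$version`, so any additional warning line or a reworded message from a different iptables build makes the comparison fail and takes the other branch. Consider a substring match such as `case "$version" in *"Protocol not supported"*)` and print a message to stderr when the fallback is taken, so that a host kernel without nf_tables support is reported rather than silently treated as a legacy-backend host. The NOTE also says "use iptables-legacy for the version check" while the visible lines call `iptables-nft` first, and it attributes the error to QEMU although the tested condition is the error string itself; the comment should describe the condition that is actually checked.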

I think you are missing some kernel options in your QEMU riscv64 kernel. I had the same problem with my own kernel on real hardware. iptables-nft needs some kernel options enabled.

I added some CONFIG_NFT_* options in my .config and did a rebuild of the kernel. No idea which ones are needed, but I added all these options after 3 rebuilds with some options still missing:

CONFIG_NETFILTER_SKIP_EGRESS
CONFIG_NETFILTER_FAMILY_ARP
CONFIG_NETFILTER_NETLINK_HOOK
CONFIG_NETFILTER_CONNCOUNT
CONFIG_NETFILTER_SYNPROXY
CONFIG_NF_TABLES_INET
CONFIG_NF_TABLES_NETDEV
CONFIG_NFT_NUMGEN
CONFIG_NFT_CT
CONFIG_NFT_FLOW_OFFLOAD
CONFIG_NFT_CONNLIMIT
CONFIG_NFT_LOG
CONFIG_NFT_LIMIT
CONFIG_NFT_MASQ
CONFIG_NFT_REDIR
CONFIG_NFT_NAT
CONFIG_NFT_TUNNEL
CONFIG_NFT_QUOTA
CONFIG_NFT_REJECT
CONFIG_NFT_REJECT_INET
CONFIG_NFT_COMPAT
CONFIG_NFT_HASH
CONFIG_NFT_FIB
CONFIG_NFT_FIB_INET
CONFIG_NFT_XFRM
CONFIG_NFT_SOCKET
CONFIG_NFT_OSF
CONFIG_NFT_TPROXY
CONFIG_NFT_SYNPROXY
CONFIG_NF_DUP_NETDEV
CONFIG_NFT_DUP_NETDEV
CONFIG_NFT_FWD_NETDEV
CONFIG_NFT_FIB_NETDEV
CONFIG_NFT_REJECT_NETDEV
CONFIG_NF_FLOW_TABLE_INET
CONFIG_NF_FLOW_TABLE
CONFIG_NF_FLOW_TABLE_PROCFS
CONFIG_NETFILTER_XT_TARGET_CT
CONFIG_NF_SOCKET_IPV4
CONFIG_NF_TPROXY_IPV4
CONFIG_NF_TABLES_IPV4
CONFIG_NFT_REJECT_IPV4
CONFIG_NFT_DUP_IPV4
CONFIG_NFT_FIB_IPV4
CONFIG_NF_TABLES_ARP
CONFIG_NF_DUP_IPV4
CONFIG_NFT_COMPAT_ARP
CONFIG_IP_NF_ARP_MANGLE
CONFIG_NF_SOCKET_IPV6
CONFIG_NF_TPROXY_IPV6
CONFIG_NF_TABLES_IPV6
CONFIG_NFT_REJECT_IPV6
CONFIG_NFT_DUP_IPV6
CONFIG_NFT_FIB_IPV6
CONFIG_NF_DUP_IPV6
CONFIG_IP6_NF_TARGET_NPT
CONFIG_NF_TABLES_BRIDGE
CONFIG_NFT_BRIDGE_META
CONFIG_NFT_BRIDGE_REJECT
CONFIG_IFB

@ncopa ncopa left a comment

LGTM
