From a4afdcb86af90aee1eb18d56980527fbc2ce8062 Mon Sep 17 00:00:00 2001 From: bobz965 Date: Wed, 14 Aug 2024 17:16:38 +0800 Subject: [PATCH] rollback setcap Signed-off-by: bobz965 --- Makefile | 4 ---- dist/images/Dockerfile | 11 ++++------- dist/images/Dockerfile.base | 23 +---------------------- 3 files changed, 5 insertions(+), 33 deletions(-) diff --git a/Makefile b/Makefile index cd626338264..ad35faa73e1 100644 --- a/Makefile +++ b/Makefile @@ -100,8 +100,6 @@ build-go: go mod tidy CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build $(GO_BUILD_FLAGS) -o $(CURDIR)/dist/images/kube-ovn -v ./cmd/cni CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build $(GO_BUILD_FLAGS) -buildmode=pie -o $(CURDIR)/dist/images/kube-ovn-cmd -v ./cmd - CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build $(GO_BUILD_FLAGS) -buildmode=pie -o $(CURDIR)/dist/images/kube-ovn-daemon -v ./cmd/daemon - CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build $(GO_BUILD_FLAGS) -buildmode=pie -o $(CURDIR)/dist/images/kube-ovn-pinger -v ./cmd/pinger CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build $(GO_BUILD_FLAGS) -o $(CURDIR)/dist/images/test-server -v ./test/server .PHONY: build-go-windows @@ -114,8 +112,6 @@ build-go-windows: build-go-arm: CGO_ENABLED=0 GOOS=linux GOARCH=arm64 go build $(GO_BUILD_FLAGS) -o $(CURDIR)/dist/images/kube-ovn -v ./cmd/cni CGO_ENABLED=0 GOOS=linux GOARCH=arm64 go build $(GO_BUILD_FLAGS) -buildmode=pie -o $(CURDIR)/dist/images/kube-ovn-cmd -v ./cmd - CGO_ENABLED=0 GOOS=linux GOARCH=arm64 go build $(GO_BUILD_FLAGS) -buildmode=pie -o $(CURDIR)/dist/images/kube-ovn-daemon -v ./cmd/daemon - CGO_ENABLED=0 GOOS=linux GOARCH=arm64 go build $(GO_BUILD_FLAGS) -buildmode=pie -o $(CURDIR)/dist/images/kube-ovn-pinger -v ./cmd/pinger .PHONY: build-kube-ovn build-kube-ovn: build-debug build-go diff --git a/dist/images/Dockerfile b/dist/images/Dockerfile index 9b37ddd5381..555869bd2f0 100644 --- a/dist/images/Dockerfile +++ b/dist/images/Dockerfile 
@@ -9,17 +9,14 @@ COPY 01-kube-ovn.conflist /kube-ovn/01-kube-ovn.conflist COPY kube-ovn /kube-ovn/kube-ovn COPY kube-ovn-cmd /kube-ovn/kube-ovn-cmd -COPY kube-ovn-daemon /kube-ovn/kube-ovn-daemon -COPY kube-ovn-pinger /kube-ovn/kube-ovn-pinger RUN ln -s /kube-ovn/kube-ovn-cmd /kube-ovn/kube-ovn-controller && \ + ln -s /kube-ovn/kube-ovn-cmd /kube-ovn/kube-ovn-daemon && \ ln -s /kube-ovn/kube-ovn-cmd /kube-ovn/kube-ovn-monitor && \ + ln -s /kube-ovn/kube-ovn-cmd /kube-ovn/kube-ovn-pinger && \ ln -s /kube-ovn/kube-ovn-cmd /kube-ovn/kube-ovn-speaker && \ ln -s /kube-ovn/kube-ovn-cmd /kube-ovn/kube-ovn-webhook && \ - ln -s /kube-ovn/kube-ovn-cmd /kube-ovn/kube-ovn-healthcheck && \ - ln -s /kube-ovn/kube-ovn-cmd /kube-ovn/kube-ovn-leader-checker && \ - setcap CAP_NET_BIND_SERVICE+eip /kube-ovn/kube-ovn-cmd && \ - setcap CAP_NET_RAW,CAP_NET_BIND_SERVICE+eip /kube-ovn/kube-ovn-pinger && \ - setcap CAP_NET_ADMIN,CAP_NET_RAW,CAP_NET_BIND_SERVICE,CAP_SYS_ADMIN+eip /kube-ovn/kube-ovn-daemon + ln -s /kube-ovn/kube-ovn-cmd /kube-ovn/kube-ovn-controller-healthcheck && \ + ln -s /kube-ovn/kube-ovn-cmd /kube-ovn/kube-ovn-leader-checker FROM kubeovn/kube-ovn-base:$BASE_TAG diff --git a/dist/images/Dockerfile.base b/dist/images/Dockerfile.base index 85a44f8870f..adc157f9e46 100644 --- a/dist/images/Dockerfile.base +++ b/dist/images/Dockerfile.base 
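Review bot: With the three `setcap` lines removed and `kube-ovn-daemon` / `kube-ovn-pinger` now plain symlinks to `kube-ovn-cmd`, no binary in `/kube-ovn` carries file capabilities, so the `RUN ln -s` chain should say where the privileges now come from. Without file capabilities these processes only work when the container runs as root or the pod spec grants the capabilities. I would add a comment above the chain such as `# no file capabilities here: NET_ADMIN/NET_RAW/SYS_ADMIN must be granted via the pod securityContext`, and confirm the manifests (not part of this patch) use an explicit `capabilities.add` list rather than `privileged: true`. Separately, the hunk renames the `kube-ovn-healthcheck` link to `kube-ovn-controller-healthcheck`, which the subject "rollback setcap" does not cover. If `kube-ovn-cmd` dispatches on the invoked name, as the symlink layout suggests, any probe still calling the old name will fail, so keep both links or mention the rename in the commit message.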
@@ -87,18 +87,6 @@ RUN apt update && apt upgrade -y && apt install ca-certificates python3 hostname tcpdump ipvsadm ipset curl uuid-runtime openssl inetutils-ping arping ndisc6 conntrack traceroute iputils-tracepath \ logrotate dnsutils net-tools strongswan strongswan-pki libcharon-extra-plugins libmnl0 \ libcharon-extauth-plugins libstrongswan-extra-plugins libstrongswan-standard-plugins -y --no-install-recommends && \ - setcap CAP_SYS_NICE+eip $(readlink -f $(which nice)) && \ - setcap CAP_NET_RAW+eip $(readlink -f $(which arping)) && \ - setcap CAP_NET_RAW+eip $(readlink -f $(which ndisc6)) && \ - setcap CAP_NET_RAW+eip $(readlink -f $(which tcpdump)) && \ - setcap CAP_NET_ADMIN+eip $(readlink -f $(which ethtool)) && \ - setcap CAP_SYS_ADMIN+eip $(readlink -f $(which nsenter)) && \ - setcap CAP_SYS_MODULE+eip $(readlink -f $(which modprobe)) && \ - setcap CAP_NET_ADMIN+eip $(readlink -f $(which conntrack)) && \ - setcap CAP_NET_RAW,CAP_NET_ADMIN,CAP_SYS_MODULE+eip $(readlink -f $(which ipset)) && \ - setcap CAP_NET_RAW,CAP_NET_ADMIN,CAP_SYS_MODULE+eip $(readlink -f $(which xtables-legacy-multi)) && \ - setcap CAP_NET_RAW,CAP_NET_ADMIN,CAP_SYS_MODULE+eip $(readlink -f $(which xtables-nft-multi)) && \ - setcap CAP_NET_RAW,CAP_NET_ADMIN,CAP_SYS_MODULE,CAP_SYS_ADMIN+eip $(readlink -f $(which ip)) && \ rm -rf /var/lib/apt/lists/* && \ rm -rf /etc/localtime && \ rm -f /usr/bin/nc && \ 
@@ -127,9 +115,7 @@ RUN curl -L https://dl.k8s.io/${KUBE_VERSION}/kubernetes-client-linux-${ARCH}.ta ARG BFDD_VERSION="v0.5.4" RUN curl -sSf -L --retry 3 -o /usr/local/bin/bfdd-control https://github.com/bobz965/bfd-binary-for-kube-ovn-cni/releases/download/${BFDD_VERSION}/bfdd-control && \ curl -sSf -L --retry 3 -o /usr/local/bin/bfdd-beacon https://github.com/bobz965/bfd-binary-for-kube-ovn-cni/releases/download/${BFDD_VERSION}/bfdd-beacon && \ - chmod +x /usr/local/bin/bfdd-control /usr/local/bin/bfdd-beacon && \ - setcap CAP_NET_BIND_SERVICE+eip $(readlink -f $(which bfdd-beacon)) - + chmod +x /usr/local/bin/bfdd-control /usr/local/bin/bfdd-beacon ARG DEBUG=false RUN curl -sSf -L --retry 3 -O https://launchpad.net/ubuntu/+archive/primary/+files/libipset13_7.17-1ubuntu1_${ARCH}.deb && \ @@ -144,13 +130,6 @@ RUN --mount=type=bind,target=/packages,from=ovs-builder,source=/packages \ dpkg -i --ignore-depends=openvswitch-switch,openvswitch-common /packages/ovn-*.deb && \ rm -rf /var/lib/openvswitch/pki/ && \ chown -R nobody: /var/lib/logrotate && \ - setcap CAP_NET_ADMIN+eip $(readlink -f $(which ovs-dpctl)) && \ - if [ "${DEBUG}" != "true" ]; then \ - setcap CAP_NET_BIND_SERVICE+eip $(readlink -f $(which ovsdb-server)) && \ - setcap CAP_NET_ADMIN,CAP_NET_BIND_SERVICE,CAP_SYS_MODULE,CAP_SYS_ADMIN+eip $(readlink -f $(which ovs-vswitchd)); \ - fi - -RUN --mount=type=bind,target=/packages,from=ovs-builder,source=/packages \ if [ "${DEBUG}" = "true" ]; then \ apt update && apt install -y --no-install-recommends gdb valgrind && \ rm -rf /var/lib/apt/lists/* && \
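Review bot: The re-added `chmod +x /usr/local/bin/bfdd-control /usr/local/bin/bfdd-beacon` in the `@@ -127,9 +115,7 @@` hunk marks two binaries executable that the preceding `curl` lines fetched from a GitHub release with no integrity check. `BFDD_VERSION` pins a tag, not content, and a release asset can be replaced under the same tag, so whatever the URL serves at build time ends up in the base image. I would verify a pinned digest before the `chmod`, e.g. `echo "<BFDD_CONTROL_SHA256>  /usr/local/bin/bfdd-control" | sha256sum -c - && \`, with a matching line for `bfdd-beacon`; the digests are placeholders to be filled in from a trusted build. The `RUN` instruction begins in the context lines, and the commit leaves its download commands unchanged.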