chore(core): build nftables (#972)

Description
Build nftables package for virt-handler

Why do we need it, and what problem does it solve?
We want more control when building binary files, as well as making images more secure

What is the expected result?
All work as expected


---------

Signed-off-by: Daniil Antoshin <daniil.antoshin@flant.com>

Author: danilrwx

component_versions/version_map.yml

@@ -6,5 +6,6 @@ package:
   swtpm: 0.10.0
   xorriso: 1.5.6
   numactl: 2.0.19
+  nftables: 1.1.3
   openssl: openssl-3.4.1
   nbdkit: 1.39.5

images/packages/binaries/nftables/werf.inc.yaml

@@ -0,0 +1,77 @@
+---
+image: {{ $.ImageType }}/{{ $.ImageName }}
+final: false
+fromImage: builder/scratch
+import:
+- image: {{ $.ImageType }}/{{ $.ImageName }}-builder
+  add: /out
+  to: /nftables
+  before: setup
+
+---
+{{- $version := get $.Package $.ImageName }}
+{{- $gitRepoUrl := "nftables.git" }}
+
+{{- $name := print $.ImageName "-dependencies" -}}
+{{- define "$name" -}}
+packages:
+- gcc
+- git pkg-config trousers
+- automake autoconf make makeinfo libtool
+- musl-devel-static
+- flex bison asciidoc-a2x
+{{- end -}}
+
+{{ $builderDependencies := include "$name" . | fromYaml }}
+
+image: {{ $.ImageType }}/{{ $.ImageName }}-builder
+final: false
+fromImage: builder/alt
+secrets:
+- id: SOURCE_REPO
+  value: {{ $.SOURCE_REPO_GIT }}
+shell:
+  beforeInstall:
+    - |
+      apt-get update && apt-get install -y \
+        {{ $builderDependencies.packages | join " " }}
+
+      cat >/etc/apt/sources.list.d/alt-sisyphus.list<<EOF
+      rpm [alt] http://ftp.altlinux.org/pub/distributions/ALTLinux/Sisyphus x86_64 classic
+      rpm [alt] http://ftp.altlinux.org/pub/distributions/ALTLinux/Sisyphus noarch classic
+      EOF
+      apt-get update
+      apt-get install -y libmnl-devel libnftnl-devel libgmp-devel libreadline-devel libjansson-devel libedit-devel
+      rm -f /etc/apt/sources.list.d/alt-sisyphus.list
+
+      apt-get update
+      apt-get clean
+      rm --recursive --force /var/lib/apt/lists/ftp.altlinux.org* /var/cache/apt/*.bin
+
+  install:
+    - |
+      OUTDIR=/out
+      mkdir -p ~/.ssh && echo "StrictHostKeyChecking accept-new" > ~/.ssh/config
+
+      git clone --depth=1 $(cat /run/secrets/SOURCE_REPO)/{{ $gitRepoUrl }} --branch v{{ $version }} /src
+      cd /src
+
+      ./autogen.sh
+
+      ./configure \
+        --prefix=/usr \
+        --libdir=/usr/lib64 \
+        --with-json \
+        --with-cli=readline
+
+      make -j$(nproc)
+
+      make DESTDIR=$OUTDIR install
+
+      strip $OUTDIR/usr/sbin/nft
+      ldd $OUTDIR/usr/sbin/nft
+
+      # We don't need man, test and samples files
+      rm -rf $OUTDIR/usr/include
+      rm -rf $OUTDIR/usr/share
+      rm -rf $OUTDIR/usr/lib64/pkgconfig

images/virt-handler/werf.inc.yaml

@@ -52,7 +52,8 @@ imageSpec:
 {{- define "$name" -}}
 packages:
 - acl
-- nftables
+- libnftnl
+- libjansson4
 binaries:
 - /usr/bin/mount
 - /usr/bin/umount
@@ -76,6 +77,10 @@ import:
   add: /xorriso
   to: /xorriso
   before: install
+- image: packages/binaries/nftables
+  add: /nftables
+  to: /nftables
+  before: install
 - image: qemu
   add: /qemu-img
   to: /relocate
@@ -88,6 +93,7 @@ shell:
   - apt-get clean
   - rm --recursive --force /var/lib/apt/lists/ftp.altlinux.org* /var/cache/apt/*.bin
   - cp -a /xorriso/. /
+  - cp -a /nftables/. /
   setup:
   - |
     /relocate_binaries.sh -i "{{ $virtHandlerDependencies.binaries | join " " }}" -o /relocate

images/virt-launcher/werf.inc.yaml

@@ -126,7 +126,6 @@ packages:
   - hwclock
   - iptables
   - libffi8
-  - nftables
   - passt
   - pcre
   - procps
@@ -243,7 +242,6 @@ import:
   to: /numactl
   before: install
 
-
 - image: packages/binaries/xorriso
   add: /xorriso
   to: /xorriso
@@ -256,6 +254,7 @@ import:
   after: setup
   includePaths:
   - usr/bin/openssl
+
 - image: tools/coreutils
   add: /
   to: /relocate