Add support for ubuntu noble (#188)

Update the ci and test suites to run against noble in parallel.

Compatability fixes:

- Ported xdp-root-shim to libbpf 1.x that ships with noble, while preserving libbpf 0.5 that's included on focal.
- Changed the xdp test to only compiles the CLI tool (which has no DPDK deps) instead of also pulling in glb-config-check / glb-director-pcap / glb-director-stub-server (which need the DPDK headers, which are absent on noble).
- Added -I .../arch/x86/include/generated flag to support noble's newer 6.8 kernel headers. They require auto-generated asm/* headers that live only in that directory. Without it, the BPF clang compile fails with a missing-header error.
- Added $(EXTRA_BPF_INCLUDES) flag. The is an empty-by-default extension hook that lets the Dockerfile/CI inject extra include paths without editing the Makefile.
- Converted all 7 BPF maps from the legacy struct bpf_map_def SEC("maps") syntax (rejected by libbpf 1.0+) to the modern BTF-style anonymous-struct SEC(".maps") syntax
- Added -g to clang in the BPF Makefile so the resulting ELF actually contains the .BTF section that BTF-style maps require.
- Convert the various tentative definitions of debug (from log.h) to proper declarations to avoid linking issues.

Author: mpenny-github

.github/workflows/ci.yml

@@ -11,7 +11,7 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        distro: [focal]
+        distro: [focal, noble]
     steps:
     - uses: actions/checkout@v6
     - name: Run package build ${{ matrix.distro }}

.github/workflows/test.yml

@@ -20,7 +20,7 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        distro: [focal]
+        distro: [focal, noble]
     steps:
       - name: Checkout code
         uses: actions/checkout@v6
@@ -49,7 +49,14 @@ jobs:
       fail-fast: false
       matrix:
         test-suite: [director, director-xdp, healthcheck, redirect]
-        distro: [focal]
+        distro: [focal, noble]
+        exclude:
+          # The DPDK-based glb-director only builds on focal (DPDK 17 / KNI).
+          # On other distros the supported forwarder is glb-director-xdp, so
+          # skip the director suite there. This mirrors the same exclusion in
+          # script/test-local.
+          - distro: noble
+            test-suite: director
     steps:
       - name: Checkout code
         uses: actions/checkout@v6

Makefile

@@ -1,11 +1,23 @@
+# Set GLB_SKIP_DPDK_DIRECTOR=1 to skip building the DPDK glb-director package.
+# In that mode we still build glb-director-cli (a runtime dep of glb-director-xdp)
+# via GLB_CLI_ONLY=1. This is used on distros where DPDK 17 / KNI is unavailable
+# (e.g. Ubuntu noble).
+GLB_SKIP_DPDK_DIRECTOR ?=
+
 mkdeb:
 	make -C src/glb-redirect mkdeb
 	make -C src/glb-healthcheck mkdeb
 	cd src/glb-director-xdp && script/create-packages
+ifeq ($(GLB_SKIP_DPDK_DIRECTOR),1)
+	cd src/glb-director && GLB_CLI_ONLY=1 script/create-packages
+else
 	cd src/glb-director && script/create-packages
+endif
 
 clean:
 	make -C src/glb-redirect clean
 	make -C src/glb-healthcheck clean
+ifneq ($(GLB_SKIP_DPDK_DIRECTOR),1)
 	make -C src/glb-director clean
+endif
 	make -C src/glb-director/cli clean

script/Dockerfile.noble

@@ -0,0 +1,107 @@
+FROM --platform=linux/amd64 ubuntu:noble@sha256:c4a8d5503dfb2a3eb8ab5f807da5bc69a85730fb49b5cfca2330194ebcc41c7b
+
+ARG DEBIAN_FRONTEND=noninteractive
+
+RUN apt-get update && apt-get -y install curl git
+
+# Build deps for glb-director-cli and glb-director-xdp.
+# Note: we do NOT install DPDK on noble. The DPDK-based glb-director is only
+# built on focal; on noble the supported forwarder is glb-director-xdp.
+RUN apt-get update && apt-get install --assume-yes \
+    build-essential \
+    wget \
+    pkg-config \
+    libjansson-dev \
+    libsystemd-dev
+
+# iptables / DKMS
+RUN apt-get update
+RUN apt-get install --assume-yes --fix-broken \
+    wget \
+    pkg-config \
+    libsystemd-dev \
+    dkms \
+    dh-dkms \
+    dpkg-dev \
+    fakeroot \
+    debhelper \
+    libxtables-dev
+
+# noble's dkms 3.x dropped `dkms mkdeb`, which the glb-redirect Makefile needs
+# (template-dkms-mkdeb + `dkms mkdeb --source-only`). Restore it by extracting
+# focal's dkms 2.x alongside 3.x and shimming `dkms mkdeb` to the legacy binary.
+#
+# We `apt-get download` the focal dkms from a GPG-verified focal source (full
+# apt chain of trust, no hardcoded/unverified URL). The focal pockets are
+# pinned below noble's so they're only used for this download, never installs.
+RUN set -eux; \
+    keyring=/usr/share/keyrings/ubuntu-archive-keyring.gpg; \
+    printf 'deb [signed-by=%s] http://archive.ubuntu.com/ubuntu focal main\ndeb [signed-by=%s] http://archive.ubuntu.com/ubuntu focal-updates main\n' "$keyring" "$keyring" > /etc/apt/sources.list.d/focal-dkms.list; \
+    printf 'Package: *\nPin: release n=focal\nPin-Priority: 100\n\nPackage: *\nPin: release n=focal-updates\nPin-Priority: 100\n' > /etc/apt/preferences.d/focal-dkms.pref; \
+    apt-get update; \
+    # Sanity check: the focal pin must not change the dkms candidate (stays 3.x).
+    case "$(apt-cache policy dkms | awk '/Candidate:/{print $2}')" in 3.*) : ;; *) echo "ERROR: dkms candidate changed by focal pin" >&2; exit 1 ;; esac; \
+    cd /tmp; \
+    apt-get download dkms/focal-updates; \
+    deb="$(ls dkms_*_all.deb)"; \
+    dpkg-deb -x "$deb" /tmp/dkms-focal; \
+    cp -r /tmp/dkms-focal/etc/dkms/template-dkms-mkdeb /etc/dkms/template-dkms-mkdeb; \
+    install -m 0755 /tmp/dkms-focal/usr/sbin/dkms /usr/sbin/dkms-legacy; \
+    rm -rf /tmp/dkms-focal "/tmp/$deb"; \
+    # Remove the temporary focal source + pin so they don't linger in the image.
+    rm -f /etc/apt/sources.list.d/focal-dkms.list /etc/apt/preferences.d/focal-dkms.pref; \
+    apt-get update; \
+    printf '#!/bin/sh\nif [ "$1" = "mkdeb" ]; then exec /usr/sbin/dkms-legacy "$@"; fi\nexec /usr/sbin/dkms.real "$@"\n' > /usr/local/bin/dkms; \
+    chmod 0755 /usr/local/bin/dkms; \
+    mv /usr/sbin/dkms /usr/sbin/dkms.real
+
+# golang
+RUN ARCH=$(dpkg --print-architecture) && wget --quiet https://golang.org/dl/go1.24.5.linux-${ARCH}.tar.gz -O- | tar -C /usr/local -zxvf -
+ENV GOROOT /usr/local/go
+ENV GOPATH /go
+ENV GOFLAGS=-buildvcs=false
+ENV PATH="${GOPATH}/bin:${GOROOT}/bin:${PATH}"
+
+
+# fpm for packaging
+RUN apt-get update && apt-get install -y ruby ruby-dev rubygems build-essential
+
+# See fpm dependency breakage issue: https://github.com/jordansissel/fpm/issues/1918
+RUN gem install --version 2.7.6 dotenv
+RUN gem install ffi -f
+RUN gem install rake fpm
+
+# XDP
+# linux-libc-dev must be upgraded to get a bpf.h that matches what we use. the rest match what we do in Vagrant for testing.
+RUN apt-get update && apt install -y apt-transport-https curl software-properties-common
+RUN apt-get update && apt install -y iproute2 libbpf-dev linux-libc-dev clang-20 clang-tools-20
+
+# The xdp bpf/Makefile defaults CLANG/LLC to clang-10/llc-10 (focal). On noble
+# we ship clang-20 instead, so steer the BPF build at it.
+ENV CLANG=clang-20
+ENV LLC=llc-20
+
+
+# Hack because the kernel headers are not installed in the right place (linuxkit vs generic)
+RUN ln -s /usr/src/$(ls /usr/src/ | grep generic) /usr/src/linux-headers-$(uname -r)
+
+# Hack for C99 math
+RUN sed -i '1s/^/#define __USE_C99_MATH\n/' /usr/src/$(ls /usr/src/ | grep generic)/include/linux/kasan-checks.h
+RUN sed -i '2s/^/#include <stdbool.h>\n/' /usr/src/$(ls /usr/src/ | grep generic)/include/linux/kasan-checks.h
+
+# Newer kernel headers (6.8 in noble) added linux/kcsan-checks.h which uses
+# `size_t` without pulling stddef.h, breaking the bpf clang build. Inject a
+# stddef.h up front, mirroring the kasan-checks.h hack above.
+RUN sed -i '1s|^|#include <stddef.h>\n|' /usr/src/$(ls /usr/src/ | grep generic)/include/linux/kcsan-checks.h
+
+
+# Python test dependencies (scapy/pytest etc.) used by the test suites.
+RUN apt-get update && apt-get install -y python3 python3-pip python3-dev
+COPY requirements.txt /tmp/requirements.txt
+RUN pip3 install --no-cache-dir --break-system-packages -r /tmp/requirements.txt
+
+# valgrind is required by the glb-director test suite
+RUN apt-get update && apt-get install -y valgrind
+
+# netcat and jq are required by the glb-healthcheck test suite
+RUN apt-get update && apt-get install -y netcat-openbsd jq tcpdump

script/cibuild-create-packages

@@ -30,10 +30,18 @@ begin_fold "Building packages"
   rm -rf tmp/build/
   mkdir -p tmp/build/
 
+  # The DPDK glb-director sub-build only works on focal (DPDK 17 / KNI).
+  # On other distros we skip it but still produce glb-director-cli (a runtime
+  # dep of glb-director-xdp).
+  EXTRA_MAKE_ENV=""
+  if [ "$DISTRO" != "focal" ]; then
+    EXTRA_MAKE_ENV="GLB_SKIP_DPDK_DIRECTOR=1"
+  fi
+
   docker run --rm \
     --volume "$HOSTPATH":/glb-director \
     "glb-director-build-$DISTRO" \
     bash -c "cd /glb-director &&
-      make BUILDDIR=/glb-director/tmp/build clean mkdeb"
+      make BUILDDIR=/glb-director/tmp/build $EXTRA_MAKE_ENV clean mkdeb"
 )
 end_fold

script/test-local

@@ -25,7 +25,13 @@ cd "$HOSTPATH"
 echo "==> Building Docker image for ${DISTRO}..."
 docker build --platform linux/amd64 --file "${DOCKERFILE}" --tag "${IMAGE}" .
 
-TEST_SUITES=(director director-xdp healthcheck redirect)
+# The DPDK-based glb-director only builds on focal (DPDK 17 / KNI).
+# On other distros, skip that suite; XDP is the supported forwarder.
+if [[ "$DISTRO" == "focal" ]]; then
+  TEST_SUITES=(director director-xdp healthcheck redirect)
+else
+  TEST_SUITES=(director-xdp healthcheck redirect)
+fi
 
 for suite in "${TEST_SUITES[@]}"; do
   echo ""

src/glb-director-xdp/bpf/Makefile

@@ -1,14 +1,14 @@
 all: glb_encap.o glb_encap_trace.o passer.o tailcall.o
 
-CLANG=clang-10
-LLC=llc-10
+CLANG?=clang-10
+LLC?=llc-10
 
 ifeq ($(KVER),)
 KVER=$(shell uname -r)
 endif
 
 %.o: %.c
-	$(CLANG) -c -O2 -emit-llvm -o - -D__KERNEL__ \
+	$(CLANG) -c -O2 -emit-llvm -o - -D__KERNEL__ -g \
 		-Wall \
 		-Wno-gnu-variable-sized-type-not-at-end \
 		-Wno-address-of-packed-member \
@@ -23,6 +23,8 @@ endif
 		-I /usr/src/linux-headers-$(KVER:-amd64=-common)/include/uapi \
 		-I /usr/src/linux-headers-$(KVER:-amd64=-common)/include \
 		-I /usr/src/linux-headers-$(KVER)/include \
+		-I /usr/src/linux-headers-$(KVER)/arch/x86/include/generated \
+		$(EXTRA_BPF_INCLUDES) \
 		-I include/ \
 		-I ../.. \
 		$< > .tmp.ll

src/glb-director-xdp/bpf/glb_encap.c

@@ -52,7 +52,12 @@ typedef struct {
 
 /* xdpcap integration */
 #include "xdpcap_hook.h"
-struct bpf_map_def SEC("maps") xdpcap_hook = XDPCAP_HOOK();
+struct {
+	__uint(type, BPF_MAP_TYPE_PROG_ARRAY);
+	__uint(key_size, sizeof(int));
+	__uint(value_size, sizeof(int));
+	__uint(max_entries, 5);
+} xdpcap_hook SEC(".maps");
 
 typedef struct glb_bind {
 	uint32_t ipv4;
@@ -61,11 +66,11 @@ typedef struct glb_bind {
 	uint16_t port;
 } __attribute__((__packed__)) glb_bind_t;
 
-struct bpf_map_def SEC("maps") config_bits = {
-	.type = BPF_MAP_TYPE_ARRAY,
-	.key_size = sizeof(uint32_t),
-	.value_size = 6, // maximum size stored
-	.max_entries = 5,
+struct {
+	__uint(type, BPF_MAP_TYPE_ARRAY);
+	__uint(key_size, sizeof(uint32_t));
+	__uint(value_size, 6); // maximum size stored
+	__uint(max_entries, 5);
 
 	/*
 	0: 6 byes of gateway dst MAC
@@ -74,36 +79,36 @@ struct bpf_map_def SEC("maps") config_bits = {
 	3: 4 bytes of glb_director_hash_fields
 	4: 4 bytes of glb_director_hash_fields (alt)
 	*/
-};
-
-struct bpf_map_def SEC("maps") glb_binds = {
-	.type = BPF_MAP_TYPE_HASH,
-	.key_size = sizeof(struct glb_bind),
-	.value_size = sizeof(uint32_t),
-	.max_entries = BPF_MAX_BINDS,
-};
-
-struct bpf_map_def SEC("maps") glb_tables = {
-	.type = BPF_MAP_TYPE_ARRAY_OF_MAPS,
-	.key_size = sizeof(uint32_t),
-	.max_entries = 4096,
-};
-
-struct bpf_map_def SEC("maps") glb_table_secrets = {
-	.type = BPF_MAP_TYPE_ARRAY,
-	.key_size = sizeof(uint32_t),
+} config_bits SEC(".maps");
+
+struct {
+	__uint(type, BPF_MAP_TYPE_HASH);
+	__uint(key_size, sizeof(struct glb_bind));
+	__uint(value_size, sizeof(uint32_t));
+	__uint(max_entries, BPF_MAX_BINDS);
+} glb_binds SEC(".maps");
+
+struct {
+	__uint(type, BPF_MAP_TYPE_ARRAY_OF_MAPS);
+	__uint(key_size, sizeof(uint32_t));
+	__uint(max_entries, 4096);
+} glb_tables SEC(".maps");
+
+struct {
+	__uint(type, BPF_MAP_TYPE_ARRAY);
+	__uint(key_size, sizeof(uint32_t));
 #define GLB_FMT_SECURE_KEY_BYTES 16
-	.value_size = GLB_FMT_SECURE_KEY_BYTES,
-	.max_entries = 4096,
-};
-
-struct bpf_map_def SEC("maps") glb_global_packet_counters = {
-	.type = BPF_MAP_TYPE_PERCPU_ARRAY,
-	.key_size = sizeof(uint32_t),
-	.value_size = sizeof(struct glb_global_stats),
+	__uint(value_size, GLB_FMT_SECURE_KEY_BYTES);
+	__uint(max_entries, 4096);
+} glb_table_secrets SEC(".maps");
+
+struct {
+	__uint(type, BPF_MAP_TYPE_PERCPU_ARRAY);
+	__uint(key_size, sizeof(uint32_t));
+	__uint(value_size, sizeof(struct glb_global_stats));
 	/* we don't actually need an array, but PERCPU_* only has multi-element types */
-	.max_entries = 1,
-};
+	__uint(max_entries, 1);
+} glb_global_packet_counters SEC(".maps");
 
 static __always_inline uint16_t compute_ipv4_checksum(void *iph) {
 	uint16_t *iph16 = (uint16_t *)iph;

src/glb-director-xdp/bpf/tailcall.c

@@ -19,12 +19,12 @@
 
 #define ROOT_ARRAY_SIZE 3
 
-struct bpf_map_def SEC("maps") root_array = {
-  .type = BPF_MAP_TYPE_PROG_ARRAY,
-  .key_size = sizeof(__u32),
-  .value_size = sizeof(__u32),
-  .max_entries = ROOT_ARRAY_SIZE,
-};
+struct {
+  __uint(type, BPF_MAP_TYPE_PROG_ARRAY);
+  __uint(key_size, sizeof(__u32));
+  __uint(value_size, sizeof(__u32));
+  __uint(max_entries, ROOT_ARRAY_SIZE);
+} root_array SEC(".maps");
 
 SEC("xdp-root")
 int xdp_root(struct xdp_md *ctx) {

src/glb-director-xdp/bpf/xdpcap_hook.h

@@ -38,7 +38,16 @@
  * Create a bpf map suitable for use as an xdpcap hook point.
  *
  * For example:
- *   struct bpf_map_def xdpcap_hook = XDPCAP_HOOK();
+ *   struct {
+ *       __uint(type, BPF_MAP_TYPE_PROG_ARRAY);
+ *       __uint(key_size, sizeof(int));
+ *       __uint(value_size, sizeof(int));
+ *       __uint(max_entries, 5);
+ *   } xdpcap_hook SEC(".maps");
+ *
+ * The legacy XDPCAP_HOOK() initializer macro is kept for source compat with
+ * older callers but new code should declare the map directly using the BTF
+ * style above (libbpf 1.0+ rejects the legacy "maps" section).
  */
 #define XDPCAP_HOOK() { \
 	.type = BPF_MAP_TYPE_PROG_ARRAY, \