Append -static-libgcc on Linux #215

Merged (7 commits), Mar 30, 2022
11 changes: 9 additions & 2 deletions .github/workflows/commit.yaml
Expand Up @@ -60,6 +60,7 @@ jobs:
- "ubuntu-20.04"
mode:
- "default"
# On CI, by default, we use libc++.
- "clang"
- "clang-fips"
steps:
Expand Down Expand Up @@ -103,12 +104,18 @@ jobs:
# This downloads the required clang tooling when it is not downloaded yet.
run: |
make clang.bazelrc
echo "BAZEL_FLAGS=--config=clang" >> $GITHUB_ENV
echo "BAZEL_FLAGS=--config=libc++" >> $GITHUB_ENV

# Set BAZEL_FLAGS to FIPS mode only when it is required.
- name: Setup FIPS mode
if: matrix.mode == 'clang-fips'
run: echo "BAZEL_FLAGS=--config=clang --define=boringssl=fips" >> $GITHUB_ENV
run: echo "BAZEL_FLAGS=--config=libc++ --define=boringssl=fips" >> $GITHUB_ENV

- name: Run all tests
run: make test

# Make sure we have static binary on Linux
- name: Require static binary
if: runner.os == 'Linux' && matrix.mode == 'clang'
run: |
make requirestatic
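Review bot: the new 'Require static binary' step is gated on `matrix.mode == 'clang'`, so the `clang-fips` build (same `--config=libc++` plus `--define=boringssl=fips`) never gets the static check, and neither does `default`, even though the bazel/bazel.bzl comment says `-static-libgcc` is appended on Linux for every binary. Suggest `if: runner.os == 'Linux' && matrix.mode != 'default'` at minimum, or dropping the mode condition entirely if the default toolchain is also expected to pass. Minor: the matrix value is still named `clang` while the flag it now sets is `--config=libc++`; the added comment explains it, but renaming the mode would remove the mismatch.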
23 changes: 21 additions & 2 deletions .github/workflows/release.yaml
Expand Up @@ -22,6 +22,7 @@ jobs:
- "ubuntu-20.04"
mode:
- "default"
# By default we use libc++.
- "clang"
- "clang-fips"
steps:
Expand Down Expand Up @@ -65,16 +66,34 @@ jobs:
# This downloads the required clang tooling when it is not downloaded yet.
run: |
make clang.bazelrc
echo "BAZEL_FLAGS=--config=clang" >> $GITHUB_ENV
echo "BAZEL_FLAGS=--config=libc++" >> $GITHUB_ENV

# Set BAZEL_FLAGS to FIPS mode only when it is required.
- name: Setup FIPS mode
if: matrix.mode == 'clang-fips'
run: echo "BAZEL_FLAGS=--config=clang --define=boringssl=fips" >> $GITHUB_ENV
run: echo "BAZEL_FLAGS=--config=libc++ --define=boringssl=fips" >> $GITHUB_ENV

- name: Create artifacts # We strip the "v"-prefix from the current tag.
run: VERSION=${GITHUB_REF#refs/tags/v} MODE=${{ matrix.mode }} make dist

- name: Require static binary
if: runner.os == 'Linux' && matrix.mode == 'clang'
run: |
make requirestatic

- name: Login to GitHub Container Registry
if: runner.os == 'Linux' && matrix.mode == 'clang'
uses: docker/login-action@v1
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.PAT }}
@dio (Collaborator, Author), Mar 30, 2022:
@incfly to make it work, we need your help to add this PAT to the secrets of this repo (make sure that PAT is allowed to push stuff to the registry). Thanks!

Cool. I created this secret using my personal access token for now, GH_REGISTRY_TOKEN_INCFLY. I named it this way to make the relationship clear.
Tried with the following and it works.

echo $TOKEN | docker login ghcr.io -u incfly --password-stdin
docker push ghcr.io/istio-ecosystem/authservice/authservice:0.5.0-9-g45535d3


Oops. I forgot that approving the PR makes it merge automatically. Let me send a fix to update the variable name used here.


- name: Build and push image
if: runner.os == 'Linux' && matrix.mode == 'clang'
run: |
make image push

- name: Upload artifacts
uses: actions/upload-artifact@v2
with:
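Review bot: `password: ${{ secrets.PAT }}` stores a person's long-lived personal access token as a repository secret, and the name it reads (`PAT`) does not match the secret the thread says was created (GH_REGISTRY_TOKEN_INCFLY), so the login step fails until the follow-up fix lands. Prefer `${{ secrets.GITHUB_TOKEN }}` with a `permissions: packages: write` block on the job: it is scoped to this run and to packages owned by this repository, needs no personal secret, and is accepted by ghcr.io once the package is linked to the repo. While here, pin `docker/login-action@v1` and `actions/upload-artifact@v2` to full commit SHAs rather than mutable major-version tags, since these steps handle the registry credential and the release artifacts. The 'Require static binary' step also has the same `matrix.mode == 'clang'` gap as in commit.yaml: the clang-fips artifacts produced by `make dist` are uploaded without the static check.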
6 changes: 4 additions & 2 deletions Dockerfile
@@ -1,8 +1,10 @@
# Copyright Istio Authors
# Licensed under the Apache License, Version 2.0 (the "License")

FROM gcr.io/distroless/cc:nonroot
FROM gcr.io/distroless/cc-debian11:nonroot

COPY ./build_release/auth_server /app/auth_server
USER nonroot:nonroot
# We can't use nonroot:nonroot here since in K8s:
# https://github.com/kubernetes/kubernetes/blob/98eff192802a87c613091223f774a6c789543e74/pkg/kubelet/kuberuntime/security_context_others.go#L49.
USER 65532:65532
ENTRYPOINT ["/app/auth_server"]
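Review bot: the comment above `USER 65532:65532` should say what the linked kubelet code actually does: when a pod sets `runAsNonRoot: true` without `runAsUser`, the kubelet has to verify the image's USER, and it rejects a non-numeric user name because it cannot resolve it, so `USER nonroot:nonroot` fails that check while the numeric UID/GID of the distroless nonroot user passes it. Suggest e.g. `# Numeric UID/GID: the kubelet cannot verify runAsNonRoot against a user *name* in the image (see link).` Separately, `FROM gcr.io/distroless/cc-debian11:nonroot` is a floating tag; pinning it with an `@sha256:` digest (and bumping it deliberately) keeps the release image reproducible and prevents a silently changed base layer from shipping under the same tag.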
7 changes: 6 additions & 1 deletion Makefile
Expand Up @@ -102,10 +102,11 @@ docs: $(protodoc) ## Build docs
@$(protodoc) --directories=config=message --title="Configuration Options" --output="docs/README.md"
@grep -v '(validate.required)' docs/README.md > /tmp/README.md && mv /tmp/README.md docs/README.md

PACKAGING ?= Dockerfile
image: $(stripped_binary) ## Build the docker image
@mkdir -p build_release
@cp -f $(stripped_binary) build_release/$(binary_name)
@docker build . -t $(IMAGE)
@docker build . -t $(IMAGE) -f $(PACKAGING)

push: image ## Push docker image to registry
@docker push $(IMAGE)
Expand Down Expand Up @@ -172,6 +173,10 @@ dep-graph.dot:
clang.bazelrc: bazel/clang.bazelrc.tmpl $(llvm-config) $(envsubst)
@$(envsubst) < $< > $@

# This builds the stripped binary, and checks if the binary is statically linked.
requirestatic: $(stripped_binary)
@test/exe/require_static.sh $(stripped_binary)

# Catch all rules for Go-based tools.
$(go_tools_dir)/%:
@printf "$(ansi_format_dark)" tools "installing $($(notdir $@)@v)..."
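Review bot: `requirestatic` is the only target added here without the `## help text` annotation that `image`, `push` and `docs` carry, so it is invisible to whatever consumes those markers; add something like `requirestatic: $(stripped_binary) ## Build the stripped binary and check for a dynamic C++ runtime`. The `# checks if the binary is statically linked` comment also overstates what test/exe/require_static.sh verifies: the script only fails on dynamically linked libc++, libstdc++ or libgcc and deliberately lets glibc stay shared, which is the intended policy per the discussion, so say that here to avoid a future 'why does ldd still list libc.so.6' report.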
6 changes: 5 additions & 1 deletion bazel/bazel.bzl
Expand Up @@ -2,13 +2,17 @@

load("@rules_cc//cc:defs.bzl", "cc_binary", "cc_library", "cc_test")

# envoy_stdlib_deps appends "-static-libgcc" on Linux.
load("@envoy//bazel:envoy_internal.bzl", "envoy_stdlib_deps")

_DEFAULT_COPTS = ["-Wall", "-Wextra"]

def authsvc_cc_library(name, deps = [], srcs = [], hdrs = [], copts = [], defines = [], includes = [], textual_hdrs = [], visibility = None):
cc_library(name = name, deps = deps, srcs = srcs, hdrs = hdrs, copts = _DEFAULT_COPTS + copts, defines = defines, includes = includes, textual_hdrs = textual_hdrs, visibility = visibility)

# By default, we always do linkstatic: https://docs.bazel.build/versions/main/be/c-cpp.html#cc_binary.linkstatic.
I am a bit confused by the comment here; trying to understand.

Bazel for cc by default always uses static linking, but for libgcc there might be an option (hence the glibc.so errors we saw before).
Adding envoy_stdlib_deps ensures we cover that, because by adding this we will have -static-libgcc in the compilation. This means that even when compiling with gcc we can ensure a static binary.

Is that correct?

Collaborator Author (@dio):
Ah yes, it seems that to force linking libgcc statically you need to ask for -static-libgcc. I haven't tried fully_static_link though, since it will do static linking for glibc as well, which is not recommended.

def authsvc_cc_binary(name, deps = [], srcs = [], copts = [], defines = []):
cc_binary(name = name, deps = deps, srcs = srcs, copts = _DEFAULT_COPTS + copts, defines = defines)
cc_binary(name = name, deps = deps + envoy_stdlib_deps(), srcs = srcs, copts = _DEFAULT_COPTS + copts, defines = defines)

def authsvc_cc_test(name, deps = [], srcs = [], data = []):
cc_test(
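Review bot: the comment `# By default, we always do linkstatic` is what confused the reviewer above and it should be reworded: `cc_binary`'s default `linkstatic = True` only makes Bazel link the libraries it builds in the workspace statically; the compiler runtime (libgcc_s and libstdc++ or libc++) still comes from the system's shared objects unless the linker is told otherwise, which is exactly what the `-static-libgcc` added by `envoy_stdlib_deps()` does. Something like `# linkstatic (the cc_binary default) covers Bazel-built deps only; envoy_stdlib_deps adds -static-libgcc so the compiler runtime is linked in too.` states the actual reason. Also note that `@envoy//bazel:envoy_internal.bzl` is Envoy's internal build helper rather than a supported API, so the Envoy commit this depends on should be recorded next to the load, and `authsvc_cc_test` does not receive these deps, which is fine for tests that only run on the build host.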
26 changes: 26 additions & 0 deletions test/exe/require_static.sh
@@ -0,0 +1,26 @@
#!/bin/bash

# Copied from https://github.com/envoyproxy/envoy/blob/a12869fa9e9add4301a700978d5489e6a0cc0526/test/exe/envoy_static_test.sh.

if [[ $(uname) == "Darwin" ]]; then
echo "macOS doesn't support statically linked binaries, skipping."
exit 0
fi

# We can't rely on the exit code alone, since ldd fails for statically linked binaries.
DYNLIBS=$(ldd "$1" 2>&1) || {
if [[ ! "${DYNLIBS}" =~ 'not a dynamic executable' ]]; then
echo "${DYNLIBS}"
exit 1
fi
}

if [[ "${DYNLIBS}" =~ libc\+\+ ]]; then
echo "libc++ is dynamically linked:"
echo "${DYNLIBS}"
exit 1
elif [[ "${DYNLIBS}" =~ libstdc\+\+ || "${DYNLIBS}" =~ libgcc ]]; then
echo "libstdc++ and/or libgcc are dynamically linked:"
echo "${DYNLIBS}"
exit 1
fi
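Review bot: `ldd "$1"` obtains its answer by running the binary's dynamic loader on it (glibc's ldd sets LD_TRACE_LOADED_OBJECTS and executes the program's interpreter, which is why its man page warns against using it on untrusted executables), and that is also the reason the script needs the `not a dynamic executable` exit-code special case. Since the input here is a freshly built artifact the risk is low, but `readelf -d "$1" | grep NEEDED` (or `objdump -p`) lists the DT_NEEDED entries without executing anything, returns nothing for a fully static binary, and does not depend on matching loader messages (a static-pie binary, for example, gets `statically linked` instead). Also document in the header that glibc libraries (libc.so.6, libm, libpthread) are intentionally allowed, so `requirestatic` means 'no dynamically linked C++ runtime', not 'fully static'.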
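The policy the discussion settles on (libgcc and the C++ standard library must be linked in, glibc may stay shared) can be checked without running the binary. The script below is an added example, not code from the authservice repository or from Envoy: it applies that policy to the `(NEEDED)` lines of `readelf -d` output instead of parsing `ldd`. The three `SAMPLE_*` strings are constructed readelf excerpts (a libstdc++/libgcc_s binary, a glibc-only binary, and a fully static one) so the check runs offline; on a real file you would feed it `readelf -d` output as shown in the trailing comment.

```shell
#!/bin/sh
# Added example, not code from the authservice repository.
# Applies the policy of test/exe/require_static.sh (libc++/libstdc++/libgcc
# must be linked in, glibc may stay shared) to the DT_NEEDED entries reported
# by `readelf -d`, which lists dependencies without executing the program.

# check_needed READELF_OUTPUT
# Prints a verdict per dependency; returns 0 when no C++ runtime library is
# dynamically linked, 1 otherwise. A fully static binary has no dynamic
# section at all and passes immediately.
check_needed() {
  dyn=$1
  case $dyn in
    *"There is no dynamic section in this file"*)
      echo "fully static: no dynamic section"
      return 0 ;;
  esac
  # Keep only the library name inside [...] on (NEEDED) lines.
  needed=$(printf '%s\n' "$dyn" | sed -n 's/.*(NEEDED).*\[\(.*\)\]/\1/p')
  bad=0
  for lib in $needed; do
    case $lib in
      libc++*|libstdc++*|libgcc*)
        echo "C++ runtime dynamically linked: $lib"
        bad=1 ;;
      *)
        echo "allowed: $lib" ;;
    esac
  done
  return $bad
}

# Constructed readelf -d excerpts for the three cases the check distinguishes.
SAMPLE_DYNAMIC_CXX='Dynamic section at offset 0x2d98 contains 27 entries:
  Tag        Type                         Name/Value
 0x0000000000000001 (NEEDED)             Shared library: [libstdc++.so.6]
 0x0000000000000001 (NEEDED)             Shared library: [libgcc_s.so.1]
 0x0000000000000001 (NEEDED)             Shared library: [libc.so.6]
 0x000000000000000c (INIT)               0x4000'

SAMPLE_GLIBC_ONLY='Dynamic section at offset 0x2d98 contains 24 entries:
  Tag        Type                         Name/Value
 0x0000000000000001 (NEEDED)             Shared library: [libpthread.so.0]
 0x0000000000000001 (NEEDED)             Shared library: [libm.so.6]
 0x0000000000000001 (NEEDED)             Shared library: [libc.so.6]
 0x000000000000000c (INIT)               0x4000'

SAMPLE_STATIC='
There is no dynamic section in this file.'

# On a real binary (needs binutils): check_needed "$(readelf -d "$1" 2>&1)"
```

The glibc-only sample passes and the libstdc++/libgcc_s sample fails, mirroring what the repository's ldd-based script accepts and rejects; the difference is that nothing here executes the binary under test.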