-
Notifications
You must be signed in to change notification settings - Fork 2.1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
*: add cross-build, CI job, update to libseccomp 2.5.2 #3197
Conversation
d452794
to
b5301ec
Compare
16cf452
to
feb385f
Compare
59b302e
to
f1be556
Compare
OK I made it working... ...alas not for opensuse (or Fedora, for that matter). Problem is, only Debian (and Ubuntu, to some extent) provide good cross-compilation support. For opensuse in particular, this is nicely summarized by this statement (from https://software.opensuse.org/package/cross-aarch64-gcc11):
It's the same for Fedora (from
Ubuntu seems to fully support at least arm64 (as shown by validate/release CI job in this PR), but does not support some other architectures (so we have to use Docker for validate/cross CI job). To sum it up -- building runc.amd64 it's ready and working (in fact you can download it from this PR's CI -- go to Checks tab, choose validate, and scroll down looking for Artifacts, in there you can find a zip with the binaries), but only for Ubuntu/Debian. We can change the release process to use the binaries built in CI, but it's a big change. @cyphar @AkihiroSuda WDYT? |
@kolyshkin Since we only have one dependency (libseccomp) which we build ourselves, I think it might be possible for us to do it -- we should only require an architecture-appropriate compiler and glibc. But if that isn't possible (or is too fragile / annoying) we can switch to building cross-architecture binaries in CI. The only issue is that I wouldn't be able to automatically sign them as part of the release (I can obviously manually sign them afterwards but it'll be a bit more manual work than the release process currently uses). I wonder if we could just script the whole release process with the GitHub API (push the tag, wait for the CI to build the cross-arch artefacts, download, sign, then upload to the release). Then again, how much time would we be saving over the manual method? 😅 |
SGTM, but I don't think signing has to be automated. If we want to sign the binary on GHA, at least we will have to create a new GPG key, because I don't want you to leak your existing GPG key to GHA secrets 😄 |
f1be556
to
3508727
Compare
which, sadly, neither Fedora nor openSUSE has -- they only provide gcc and binutils. aarch64-glibc is available for both Debian and Ubuntu, though. Automating the release process in CI seems like a bigger project that I can take on at the moment. If anyone can help that'd be awesome. This PR can go through, though, once I'll add an option to |
Haha, I meant to say that we have a hypothetical "release.sh" script I run locally which:
For what it's worth we probably should have a shared runc maintainers key (or maybe a |
Damn. Yeah guess we'll need to figure out some other solution for signing -- but this PR should be enough for the moment (I can manually add the artefacts for the next few releases until we have a better release script). |
3508727
to
fe73ef9
Compare
This is no longer a draft and ready to go in. Used by CI, and can be used locally as well ( |
You and me both 😆 We already have a Debian-based image that can be used for testing and cross-compilation. It's easy to reuse it for building release binaries... let me see... |
(with nothing but deep respect for y'all's work) this is hilarious. 😄 |
0fbf1d6
to
831957a
Compare
a8deec7
to
eaec37f
Compare
OK, this is finally ready, you can use
locally. It takes 5 minutes on CI (with cache, or 10 minutes without), and about 1 minute on my laptop (using podman, with all layers already cached). You can still use script/release.sh directly as before (or Overall I think this is a big ugly now, and can be simplified and improved (I am pretty sure @thaJeztah can think of some Dockerfile improvements, for one thing), but I've already spent much more than I wanted on it. |
Note that I have removed |
@cyphar @AkihiroSuda PTAL |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM. Now to automate the rest of the release process. (I'll work on that sometime soon. 😉)
1. The seccompagent target it built in the same way as others in contrib, so there is no need to have a separate rule. 2. Mark seccompagent as phony, because it is (it rarely happens, but I actually just had an issue because this was absent). 3. Add seccompagent binary to clean target. Fixes: e21a9ee Signed-off-by: Kir Kolyshkin <[email protected]>
There is no need to have a static version of recvtty and/or sd-helper binary. This speeds up script/release.sh a bit. Signed-off-by: Kir Kolyshkin <[email protected]>
This implements cross-build for "make release", moving the build into a container. This way we can support arm, arm64, ppc, and whatnot. * script/seccomp.sh: separate out of script/release.sh, amend to support cross-compile and save needed environment variables to a file. * Dockerfile: add installing libseccomp from source, as this is needed for release builds. * script/release.sh: amend to support more architectures in addition to the native build. Additional arches can be added by specifying "-a <arch>" argument (can be specified multiple times), or "make RELEASE_ARGS="-a arm64" release" if called via make. All supported architectures can be enabled via "make releaseall". * Makefile: move "release" target to "localrelease", add "release" and "releaseall" targets to build via the Dockerfile. This is done because most distros (including Fedora and openSUSE) lack cross-glibc, which is needed to cross-compile libseccomp. * Makefile: remove 'cross' and 'localcross' targets, as this is now done by the release script. * .github/workflows/validate.yum: amend the release CI job to cross-build for supported architectures, remove cross job. Signed-off-by: Kir Kolyshkin <[email protected]>
Release notes: https://github.com/seccomp/libseccomp/releases/tag/v2.5.2 Signed-off-by: Kir Kolyshkin <[email protected]>
eaec37f
to
3c8db63
Compare
Addressed review comments from @cyphar; PTAL |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM -- thanks for working on this!
I removed |
This implements cross-build for
make release
, moving the build into acontainer. This way we can support arm, arm64, ppc64, and whatnot.
script/seccomp.sh
: separate out ofscript/release.sh
, amend to supportcross-compile and save needed environment variables to a file.
Dockerfile
: add installing libseccomp from source, as this is neededfor release builds.
script/release.sh
: amend to support more architectures in addition tothe native build. Additional arches can be added by specifying
-a <arch>
argument (can be specified multiple times), ormake RELEASE_ARGS="-a arm64 -a ppc64le" release
if called viamake
.Makefile
: moverelease
target tolocalrelease
, addrelease
target to build via the Dockerfile. This is done because most distros
(including Fedora and openSUSE) lack cross-glibc, which is needed to
cross-compile libseccomp.
Makefile
: removecross
andlocalcross
targets, as this is now doneby the release script.
.github/workflows/validate.yum
: amend the release CI job to cross-buildfor supported architectures, remove
cross
job.