Makefile,cmd/tidb-server: add tidb-server FIPS build target #47949
Conversation
Codecov Report
@@            Coverage Diff             @@
##           master     #47949       +/-   ##
================================================
+ Coverage   71.3984%   73.4729%   +2.0745%
================================================
  Files          1403       1430        +27
  Lines        406971     420028     +13057
================================================
+ Hits         290571     308607     +18036
+ Misses        96445      92575      -3870
+ Partials      19955      18846      -1109
@tiancaiamao does it need some special steps to build or test in make tasks which will run in CI jobs?
No, currently CI is not affected. If TLS is not used, this binary can be used just as a normal tidb binary. But if a TLS connection is used, or we want to add test cases for that situation, we need to adjust the CI pipeline. @wuhuizuo
Do we need to add the release note?
import "github.com/pingcap/tidb/pkg/parser/mysql" | ||
|
||
func init() { | ||
mysql.TiDBReleaseVersion += "-fips" |
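Review bot: the visible hunk starts at the import, so it does not show the build constraint that limits this file to the FIPS build; confirm the file carries a `//go:build` line matching the tag the Makefile target passes, otherwise every build would report a "-fips" version. A one-line comment above `mysql.TiDBReleaseVersion += "-fips"` would also help, stating that the base value is injected with `-ldflags -X` at link time and that this init() appends the suffix at startup, since the review question "where is this variable used?" shows the relation is not obvious from the code alone.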
where is this variable used?
When outputting TiDB information, for example with './bin/tidb-server -V'
./bin/tidb-server -V
Release Version: v7.6.0-alpha-4-g31ea0f1009-dirty-fips
...
@CabinfeverB
https://github.com/tiancaiamao/tidb/blob/server-fips/cmd/tidb-server/main.go#L877C18-L877C18
Used by './bin/tidb-server -V' to print the version information @coderplay
Makefile (comment on an outdated revision of the diff)
@@ -163,6 +163,14 @@ else | |||
CGO_ENABLED=1 $(GOBUILD) $(RACE_FLAG) -ldflags '$(LDFLAGS) $(CHECK_FLAG)' -o '$(TARGET)' ./cmd/tidb-server | |||
endif | |||
|
|||
server_fips: |
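Review bot: `server_fips` adds a parallel target next to `server`, so the recipe (the GOBUILD invocation with `-ldflags '$(LDFLAGS) $(CHECK_FLAG)'`) has to be duplicated and kept in sync, and every further binary would need its own *_fips target. A switch on the GOBUILD variable, e.g. `ifeq ($(ENABLE_FIPS),1)` prepending `GOEXPERIMENT=boringcrypto CGO_ENABLED=1` to the build command, keeps one recipe per binary; note that the existing else branch already sets `CGO_ENABLED=1`, so the FIPS variant must keep cgo enabled for the BoringCrypto linkage to happen.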
How about enabling the FIPS build via an env variable? Then we do not need to add new targets "server_fips", "br_fips", "build_tools_fips", "build_dumpling_fips", etc.
ifeq ($(ENABLE_FIPS),1)
GOBUILD := GOEXPERIMENT=boringcrypto CGO_ENABLED=1 $(GO) build $(BUILD_FLAG) -tags codes
else
GOBUILD := $(GO) build $(BUILD_FLAG) -tags codes
endif
➜ make server
CGO_ENABLED=1 GO111MODULE=on go build -tags codes -ldflags '-X "github.com/pingcap/tidb/parser/mysql.TiDBReleaseVersion=v6.5.5-dirty" -X "github.com/pingcap/tidb/util/versioninfo.TiDBBuildTS=2023-11-10 08:24:28" -X "github.com/pingcap/tidb/util/versioninfo.TiDBGitHash=71bcc44f77a37cfb0a6dc3660e092c78c1e46acb" -X "github.com/pingcap/tidb/util/versioninfo.TiDBGitBranch=HEAD" -X "github.com/pingcap/tidb/util/versioninfo.TiDBEdition=Community" ' -o bin/tidb-server ./tidb-server
➜ make server ENABLE_FIPS=1
CGO_ENABLED=1 GOEXPERIMENT=boringcrypto CGO_ENABLED=1 GO111MODULE=on go build -tags codes -ldflags '-X "github.com/pingcap/tidb/parser/mysql.TiDBReleaseVersion=v6.5.5-dirty" -X "github.com/pingcap/tidb/util/versioninfo.TiDBBuildTS=2023-11-10 08:24:47" -X "github.com/pingcap/tidb/util/versioninfo.TiDBGitHash=71bcc44f77a37cfb0a6dc3660e092c78c1e46acb" -X "github.com/pingcap/tidb/util/versioninfo.TiDBGitBranch=HEAD" -X "github.com/pingcap/tidb/util/versioninfo.TiDBEdition=Community" ' -o bin/tidb-server ./tidb-server
LGTM
[APPROVALNOTIFIER] This PR is APPROVED. This pull-request has been approved by: CabinfeverB, overvenus
What problem does this PR solve?
Issue Number: close #47948
Problem Summary:
What is changed and how it works?
After googling, this blog post is the most useful material I found on FIPS support for Go applications.
According to it, if we go the boringssl way, there are only two changes needed:
For the configuration part, we can just
import _ "crypto/tls/fipsonly"
and use a conditional build tag. FYI: how envoy implements FIPS is another good read and worth looking at.
Check List
Tests
Check that boringcrypto is linked via cgo; some of the function names look like:
I also added "-fips" to the tidb-server version information:
Side effects
Documentation
Release note