Append -static-libgcc on Linux (#215)

* Append -static-libgcc on Linux Signed-off-by: Dhi Aurrahman <[email protected]> * Test on CI Signed-off-by: Dhi Aurrahman <[email protected]> * Newline Signed-off-by: Dhi Aurrahman <[email protected]> * Add ref Signed-off-by: Dhi Aurrahman <[email protected]> * Add comment Signed-off-by: Dhi Aurrahman <[email protected]> * Fix Signed-off-by: Dhi Aurrahman <[email protected]> * Update to use gcr.io/distroless/cc-debian11 Signed-off-by: Dhi Aurrahman <[email protected]>
istio-ecosystem · Mar 30, 2022 · f78db6a · f78db6a
1 parent 771d406
commit f78db6a
Show file tree

Hide file tree

Showing 6 changed files with 71 additions and 8 deletions.
diff --git a/.github/workflows/commit.yaml b/.github/workflows/commit.yaml
@@ -60,6 +60,7 @@ jobs:
           - "ubuntu-20.04"
         mode:
           - "default"
+          # On CI, by default, we use libc++.
           - "clang"
           - "clang-fips"
     steps:
@@ -103,12 +104,18 @@ jobs:
         # This downloads the required clang tooling when it is not downloaded yet.
         run: |
           make clang.bazelrc
-          echo "BAZEL_FLAGS=--config=clang" >> $GITHUB_ENV
+          echo "BAZEL_FLAGS=--config=libc++" >> $GITHUB_ENV
 
       # Set BAZEL_FLAGS to FIPS mode only when it is required.
       - name: Setup FIPS mode
         if: matrix.mode == 'clang-fips'
-        run: echo "BAZEL_FLAGS=--config=clang --define=boringssl=fips" >> $GITHUB_ENV
+        run: echo "BAZEL_FLAGS=--config=libc++ --define=boringssl=fips" >> $GITHUB_ENV
 
       - name: Run all tests
         run: make test
+
+      # Make sure we have static binary on Linux
+      - name: Require static binary
+        if: runner.os == 'Linux' && matrix.mode == 'clang'
+        run: |
+          make requirestatic
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
@@ -22,6 +22,7 @@ jobs:
           - "ubuntu-20.04"
         mode:
           - "default"
+          # By default we use libc++.
           - "clang"
           - "clang-fips"
     steps:
@@ -65,16 +66,34 @@ jobs:
         # This downloads the required clang tooling when it is not downloaded yet.
         run: |
           make clang.bazelrc
-          echo "BAZEL_FLAGS=--config=clang" >> $GITHUB_ENV
+          echo "BAZEL_FLAGS=--config=libc++" >> $GITHUB_ENV
 
       # Set BAZEL_FLAGS to FIPS mode only when it is required.
       - name: Setup FIPS mode
         if: matrix.mode == 'clang-fips'
-        run: echo "BAZEL_FLAGS=--config=clang --define=boringssl=fips" >> $GITHUB_ENV
+        run: echo "BAZEL_FLAGS=--config=libc++ --define=boringssl=fips" >> $GITHUB_ENV
 
       - name: Create artifacts # We strip the "v"-prefix from the current tag.
         run: VERSION=${GITHUB_REF#refs/tags/v} MODE=${{ matrix.mode }} make dist
 
+      - name: Require static binary
+        if: runner.os == 'Linux' && matrix.mode == 'clang'
+        run: |
+          make requirestatic
+
+      - name: Login to GitHub Container Registry
+        if: runner.os == 'Linux' && matrix.mode == 'clang'
+        uses: docker/login-action@v1
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.PAT }}
+
+      - name: Build and push image
+        if: runner.os == 'Linux' && matrix.mode == 'clang'
+        run: |
+          make image push
+
       - name: Upload artifacts
         uses: actions/upload-artifact@v2
         with:

diff --git a/Dockerfile b/Dockerfile
@@ -1,8 +1,10 @@
 # Copyright Istio Authors
 # Licensed under the Apache License, Version 2.0 (the "License")
 
-FROM gcr.io/distroless/cc:nonroot
+FROM gcr.io/distroless/cc-debian11:nonroot
 
 COPY ./build_release/auth_server /app/auth_server
-USER nonroot:nonroot
+# We can't use nonroot:nonroot here since in K8s:
+# https://github.com/kubernetes/kubernetes/blob/98eff192802a87c613091223f774a6c789543e74/pkg/kubelet/kuberuntime/security_context_others.go#L49.
+USER 65532:65532
 ENTRYPOINT ["/app/auth_server"]
diff --git a/Makefile b/Makefile
@@ -102,10 +102,11 @@ docs: $(protodoc) ## Build docs
 	@$(protodoc) --directories=config=message --title="Configuration Options" --output="docs/README.md"
 	@grep -v '(validate.required)' docs/README.md > /tmp/README.md && mv /tmp/README.md docs/README.md
 
+PACKAGING ?= Dockerfile
 image: $(stripped_binary) ## Build the docker image
 	@mkdir -p build_release
 	@cp -f $(stripped_binary) build_release/$(binary_name)
-	@docker build . -t $(IMAGE)
+	@docker build . -t $(IMAGE) -f $(PACKAGING)
 
 push: image ## Push docker image to registry
 	@docker push $(IMAGE)
@@ -172,6 +173,10 @@ dep-graph.dot:
 clang.bazelrc: bazel/clang.bazelrc.tmpl $(llvm-config) $(envsubst)
 	@$(envsubst) < $< > $@
 
+# This builds the stripped binary, and checks if the binary is statically linked.
+requirestatic: $(stripped_binary)
+	@test/exe/require_static.sh $(stripped_binary)
+
 # Catch all rules for Go-based tools.
 $(go_tools_dir)/%:
 	@printf "$(ansi_format_dark)" tools "installing $($(notdir $@)@v)..."

diff --git a/bazel/bazel.bzl b/bazel/bazel.bzl
@@ -2,13 +2,17 @@
 
 load("@rules_cc//cc:defs.bzl", "cc_binary", "cc_library", "cc_test")
 
+# envoy_stdlib_deps appends "-static-libgcc" on Linux.
+load("@envoy//bazel:envoy_internal.bzl", "envoy_stdlib_deps")
+
 _DEFAULT_COPTS = ["-Wall", "-Wextra"]
 
 def authsvc_cc_library(name, deps = [], srcs = [], hdrs = [], copts = [], defines = [], includes = [], textual_hdrs = [], visibility = None):
     cc_library(name = name, deps = deps, srcs = srcs, hdrs = hdrs, copts = _DEFAULT_COPTS + copts, defines = defines, includes = includes, textual_hdrs = textual_hdrs, visibility = visibility)
 
+# By default, we always do linkstatic: https://docs.bazel.build/versions/main/be/c-cpp.html#cc_binary.linkstatic.
 def authsvc_cc_binary(name, deps = [], srcs = [], copts = [], defines = []):
-    cc_binary(name = name, deps = deps, srcs = srcs, copts = _DEFAULT_COPTS + copts, defines = defines)
+    cc_binary(name = name, deps = deps + envoy_stdlib_deps(), srcs = srcs, copts = _DEFAULT_COPTS + copts, defines = defines)
 
 def authsvc_cc_test(name, deps = [], srcs = [], data = []):
     cc_test(

diff --git a/test/exe/require_static.sh b/test/exe/require_static.sh
@@ -0,0 +1,26 @@
+#!/bin/bash
+
+# Copied from https://github.com/envoyproxy/envoy/blob/a12869fa9e9add4301a700978d5489e6a0cc0526/test/exe/envoy_static_test.sh.
+
+if [[ $(uname) == "Darwin" ]]; then
+  echo "macOS doesn't support statically linked binaries, skipping."
+  exit 0
+fi
+
+# We can't rely on the exit code alone, since ldd fails for statically linked binaries.
+DYNLIBS=$(ldd "$1" 2>&1) || {
+  if [[ ! "${DYNLIBS}" =~ 'not a dynamic executable' ]]; then
+      echo "${DYNLIBS}"
+      exit 1
+  fi
+}
+
+if [[ "${DYNLIBS}" =~ libc\+\+ ]]; then
+  echo "libc++ is dynamically linked:"
+  echo "${DYNLIBS}"
+  exit 1
+elif [[ "${DYNLIBS}" =~ libstdc\+\+ || "${DYNLIBS}" =~ libgcc ]]; then
+  echo "libstdc++ and/or libgcc are dynamically linked:"
+  echo "${DYNLIBS}"
+  exit 1
+fi