Check on GLIBC requirements

.github/workflows/commit.yaml

@@ -23,7 +23,7 @@ jobs:
   check:
     name: check
     timeout-minutes: 90 # instead of 360 by default.
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-18.04
     steps:
       - name: Cancel when duplicated
         uses: styfle/[email protected]
@@ -57,7 +57,7 @@ jobs:
       matrix:
         os:
           - "macos-11"
-          - "ubuntu-20.04"
+          - "ubuntu-18.04"
         mode:
           - "default"
           # On CI, by default, we use libc++.
@@ -119,3 +119,10 @@ jobs:
         if: runner.os == 'Linux' && matrix.mode == 'clang'
         run: |
           make requirestatic
+
+      # Upload the binary as an artifact.
+      - uses: actions/upload-artifact@v3
+        if: runner.os == 'Linux' && matrix.mode == 'clang'
+        with:
+          name: auth_server
+          path: bazel-bin/src/main/auth_server.stripped

.github/workflows/release.yaml

@@ -19,7 +19,7 @@ jobs:
       matrix:
         os:
           - "macos-11"
-          - "ubuntu-20.04"
+          - "ubuntu-18.04"
         mode:
           - "default"
           # By default we use libc++.
@@ -102,7 +102,7 @@ jobs:
 
   release:
     name: release
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-18.04
     needs: dist
     timeout-minutes: 90 # instead of 360 by default.
     steps:

Makefile

@@ -202,7 +202,7 @@ endef
 
 # Install clang from https://github.com/llvm/llvm-project. We don't support win32 yet as this script
 # will fail.
-clang-os                          = $(if $(findstring $(goos),darwin),apple-darwin,linux-gnu-ubuntu-20.04)
+clang-os                          = $(if $(findstring $(goos),darwin),apple-darwin,linux-gnu-ubuntu-16.04)
 clang-download-archive-url-prefix = https://$(subst llvmorg/clang+llvm@,releases/download/llvmorg-,$($(notdir $1)@v))
 $(clang):
 	@mkdir -p $(dir $@)

Tools.mk

@@ -1,5 +1,5 @@
 bazelisk@v     := github.com/bazelbuild/[email protected]
-buildifier@v   := github.com/bazelbuild/buildtools/buildifier@4.2.5
+buildifier@v   := github.com/bazelbuild/buildtools/buildifier@5.0.1
 clang@v        := github.com/llvm/llvm-project/llvmorg/[email protected]
 clang-format@v := github.com/angular/[email protected]
 envsubst@v     := github.com/a8m/envsubst/cmd/[email protected]

go.mod

@@ -0,0 +1,5 @@
+module github.com/istio-ecosystem/authservice
+
+go 1.17
+
+require github.com/hashicorp/go-version v1.4.0

go.sum

@@ -0,0 +1,2 @@
+github.com/hashicorp/go-version v1.4.0 h1:aAQzgqIrRKRa7w75CKpbBxYsmUoPjzVm1W59ca1L0J4=
+github.com/hashicorp/go-version v1.4.0/go.mod h1:fltr4n8CU8Ke44wwGCBoEymUuxUHl09ZGVZPK5anwXA=

test/exe/require_glibc.go

@@ -0,0 +1,68 @@
+// This script checks (via objdump) whether the ELF file is linked to a newer GLIBC version than the
+// one required by the runtime environment constraint (currently it is 2.27).
+//
+// To use: go run test/exe/require_glibc.go <path-to-an-elf-binary>
+package main
+
+import (
+	"bufio"
+	"bytes"
+	"log"
+	"os"
+	"os/exec"
+	"strings"
+
+	version "github.com/hashicorp/go-version"
+)
+
+const glibCPrefix = "GLIBC_"
+const requiredGlibCVersion = "2.27" // This is chosen arbitrarily, but older than the one in ubi8.
+
+var glibCPrefixLength = len(glibCPrefix)
+var requiredGlibC, _ = version.NewVersion(requiredGlibCVersion)
+
+func main() {
+	args := os.Args[1:]
+	if len(args) < 1 {
+		log.Fatal("Usage: go run test/exe/require_glibc.go <path-to-an-elf-binary>")
+	}
+
+	// Check for dynamic symbols: Reference: https://man7.org/linux/man-pages/man1/objdump.1.html.
+	cmd := exec.Command("objdump", "-T", args[0])
+	var out bytes.Buffer
+	cmd.Stdout = &out
+	err := cmd.Run()
+	if err != nil {
+		log.Fatal("Failed to check GLIBC version:", err)
+	}
+	// The following scans the objdump output for the GLIBC version.
+	//
+	// The objdump output is in the form similar to:
+	// 0000000000000000      DF *UND*  0000000000000000  GLIBC_2.2.5 __libc_start_main
+	// 0000000000000000  w   DF *UND*  0000000000000000  GLIBC_2.2.5 __cxa_finalize
+	// 0000000000000000      DF *UND*  0000000000000000  GLIBC_2.2.5 ceilf
+	// 0000000000000000      DF *UND*  0000000000000000  GLIBC_2.2.5 frexp
+	// ...
+	scanner := bufio.NewScanner(strings.NewReader(out.String()))
+	for scanner.Scan() {
+		entry := scanner.Text()
+		if strings.Contains(entry, glibCPrefix) {
+			line := bufio.NewScanner(strings.NewReader(entry[strings.Index(entry, glibCPrefix)+glibCPrefixLength:]))
+			// Here we have "line" value something like: "2.2.5 __libc_start_main" or "2.3   __ctype_b_loc".
+			line.Split(bufio.ScanWords)
+			for line.Scan() {
+				v, err := version.NewVersion(line.Text())
+				if err != nil {
+					// This is improbable, but when it is failed, we surely want to fail the test, since
+					// by then the objdump has bugs.
+					log.Fatal("Failed to parse GLIBC version:", err)
+				}
+				// We require the linked GLIBC is NOT newer than the one required by the runtime environment.
+				if requiredGlibC.LessThan(v) {
+					log.Fatal("Linked to a newer GLIBC: ", line.Text())
+				}
+				break
+			}
+		}
+	}
+}

test/exe/require_static.sh

@@ -25,3 +25,6 @@ elif [[ "${DYNLIBS}" =~ libstdc\+\+ || "${DYNLIBS}" =~ libgcc ]]; then
   echo "${DYNLIBS}"
   exit 1
 fi
+
+# Check for GLIBC dynamic symbols in the binary, see if it matches the version we expect.
+go run test/exe/require_glibc.go $1