release: Produce static binaries #2057

Merged
merged 3 commits into from
Dec 13, 2022
Changes from 2 commits
4 changes: 1 addition & 3 deletions .checksec-expected.json → .checksec/amd64-gnu.json
@@ -1,10 +1,8 @@
{
"canary": "yes",
"fortify_source": "no",
"nx": "yes",
"pie": "yes",
"relro": "full",
"rpath": "no",
"runpath": "no",
"symbols": "no"
"runpath": "no"
}
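Review bot: The renamed expectation no longer lists "symbols" or "fortify_source", so this file stops asserting that the amd64-gnu binary is stripped. If the comparison against this JSON is an exact match, that only works when the checksec output also omits those keys; if it is a subset match, a build that starts shipping symbols would pass. State which it is in the PR description, or keep "symbols": "no" in the per-target files.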
8 changes: 8 additions & 0 deletions .checksec/amd64-musl.json
@@ -0,0 +1,8 @@
{
"canary": "yes",
"nx": "yes",
"pie": "yes",
"relro": "full",
"rpath": "no",
"runpath": "no"
}
8 changes: 8 additions & 0 deletions .checksec/arm-gnu.json
@@ -0,0 +1,8 @@
{
"canary": "yes",
"nx": "yes",
"pie": "yes",
"relro": "full",
"rpath": "no",
"runpath": "no"
}
8 changes: 8 additions & 0 deletions .checksec/arm-musl.json
@@ -0,0 +1,8 @@
{
"canary": "yes",
"nx": "yes",
"pie": "no",
"relro": "partial",
"rpath": "no",
"runpath": "no"
}
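Review bot: "pie": "no" and "relro": "partial" record a weaker baseline for this target than amd64-musl.json, which expects "pie": "yes" and "relro": "full" with the same libc. Because this file is what the check compares against, the weaker result will pass silently from now on. Record why the arm musl build cannot be position-independent with full RELRO (commit message or a tracking issue) so the expectation gets tightened once it can.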
8 changes: 8 additions & 0 deletions .checksec/arm64-gnu.json
@@ -0,0 +1,8 @@
{
"canary": "yes",
"nx": "yes",
"pie": "yes",
"relro": "full",
"rpath": "no",
"runpath": "no"
}
8 changes: 8 additions & 0 deletions .checksec/arm64-musl.json
@@ -0,0 +1,8 @@
{
"canary": "yes",
"nx": "yes",
"pie": "no",
"relro": "partial",
"rpath": "no",
"runpath": "no"
}
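Review bot: The "pie" and "relro" values here differ from arm64-gnu.json ("yes" and "full"), so on arm64 the static musl artifact is the less hardened of the two: a non-PIE executable loads at a fixed address and partial RELRO leaves part of the GOT writable. If both libc variants are published, say so where users choose between them, and keep the gnu expectation from being relaxed to match this file.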
2 changes: 1 addition & 1 deletion .devcontainer/devcontainer.json
@@ -1,6 +1,6 @@
{
"name": "linkerd2-proxy",
"image": "ghcr.io/linkerd/dev:v37",
"image": "ghcr.io/linkerd/dev:v38",
"extensions": [
"DavidAnson.vscode-markdownlint",
"kokakiwi.vscode-just",
2 changes: 1 addition & 1 deletion .github/actions/list-changed-crates/Dockerfile
@@ -1,4 +1,4 @@
FROM ghcr.io/linkerd/dev:v37-rust
FROM ghcr.io/linkerd/dev:v38-rust
RUN apt-get update && apt-get install -y --no-install-recommends jq \
&& rm -rf /var/lib/apt/lists/*
COPY entrypoint.sh /
4 changes: 2 additions & 2 deletions .github/workflows/actions.yml
Expand Up @@ -14,13 +14,13 @@ jobs:
runs-on: ubuntu-20.04
timeout-minutes: 10
steps:
- uses: linkerd/dev/actions/setup-tools@v37
- uses: linkerd/dev/actions/setup-tools@v38
- uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8
- run: just action-lint

devcontainer-versions:
runs-on: ubuntu-latest
steps:
- uses: linkerd/dev/actions/setup-tools@v37
- uses: linkerd/dev/actions/setup-tools@v38
- uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8
- run: just action-dev-check
2 changes: 1 addition & 1 deletion .github/workflows/beta.yml
Expand Up @@ -22,7 +22,7 @@ permissions:
jobs:
build:
runs-on: ubuntu-latest
container: ghcr.io/linkerd/dev:v37-rust
container: ghcr.io/linkerd/dev:v38-rust
timeout-minutes: 20
continue-on-error: true
steps:
2 changes: 1 addition & 1 deletion .github/workflows/check-all.yml
Expand Up @@ -22,7 +22,7 @@ jobs:
check-all:
timeout-minutes: 20
runs-on: ubuntu-latest
container: ghcr.io/linkerd/dev:v37-rust
container: ghcr.io/linkerd/dev:v38-rust
steps:
- uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8
- run: just fetch
2 changes: 1 addition & 1 deletion .github/workflows/check-each.yml
Expand Up @@ -49,7 +49,7 @@ jobs:
needs: list-changed-crates
timeout-minutes: 20
runs-on: ubuntu-latest
container: ghcr.io/linkerd/dev:v37-rust
container: ghcr.io/linkerd/dev:v38-rust
strategy:
matrix:
crate: ${{ fromJson(needs.list-changed-crates.outputs.crates) }}
2 changes: 1 addition & 1 deletion .github/workflows/coverage.yml
Expand Up @@ -23,7 +23,7 @@ jobs:
runs-on: ubuntu-latest
timeout-minutes: 30
container:
image: docker://ghcr.io/linkerd/dev:v37-rust
image: docker://ghcr.io/linkerd/dev:v38-rust
options: --security-opt seccomp=unconfined # 🤷
steps:
- uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8
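Review bot: The options line `--security-opt seccomp=unconfined # 🤷` carries no explanation, and this change moves the job to a new image tag without revisiting it. Replace the shrug with the reason the coverage run needs seccomp disabled, or drop the option if the v38-rust image no longer needs it, so the relaxation stays scoped to this job on purpose.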
2 changes: 1 addition & 1 deletion .github/workflows/deps.yml
Expand Up @@ -46,7 +46,7 @@ jobs:
deprecated:
timeout-minutes: 20
runs-on: ubuntu-latest
container: ghcr.io/linkerd/dev:v37-rust
container: ghcr.io/linkerd/dev:v38-rust
steps:
- uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8
- run: just fetch
4 changes: 1 addition & 3 deletions .github/workflows/docker.yml
Expand Up @@ -15,9 +15,7 @@ jobs:
build:
runs-on: ubuntu-latest
timeout-minutes: 20
env:
DOCKER_BUILDKIT: "1"
steps:
- uses: extractions/setup-just@95b912dc5d3ed106a72907f2f9b91e76d60bdb76
- uses: linkerd/dev/actions/setup-tools@v38
- uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8
- run: just docker
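Review bot: `linkerd/dev/actions/setup-tools@v38` is referenced by a tag, while the `extractions/setup-just` step it replaces and the `actions/checkout` step after it are pinned to full commit SHAs; pin this one to a SHA too if immutable references are the convention here. Also confirm that `just docker` still gets BuildKit without the `DOCKER_BUILDKIT: "1"` env, because the Dockerfile in this change keeps its `RUN --mount=type=cache` steps.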
2 changes: 1 addition & 1 deletion .github/workflows/integration.yml
Expand Up @@ -26,7 +26,7 @@ jobs:
test:
timeout-minutes: 20
runs-on: ubuntu-latest
container: ghcr.io/linkerd/dev:v37-rust
container: ghcr.io/linkerd/dev:v38-rust
steps:
- uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8
- run: just fetch
6 changes: 3 additions & 3 deletions .github/workflows/lint.yml
Expand Up @@ -21,7 +21,7 @@ jobs:
clippy:
timeout-minutes: 10
runs-on: ubuntu-latest
container: ghcr.io/linkerd/dev:v37-rust
container: ghcr.io/linkerd/dev:v38-rust
steps:
- uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8
- run: just fetch
Expand All @@ -30,15 +30,15 @@ jobs:
fmt:
timeout-minutes: 10
runs-on: ubuntu-latest
container: ghcr.io/linkerd/dev:v37-rust
container: ghcr.io/linkerd/dev:v38-rust
steps:
- uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8
- run: just check-fmt

docs:
timeout-minutes: 10
runs-on: ubuntu-latest
container: ghcr.io/linkerd/dev:v37-rust
container: ghcr.io/linkerd/dev:v38-rust
steps:
- uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8
- run: just fetch
2 changes: 1 addition & 1 deletion .github/workflows/nightly.yml
Expand Up @@ -22,7 +22,7 @@ permissions:
jobs:
build:
runs-on: ubuntu-latest
container: ghcr.io/linkerd/dev:v37-rust
container: ghcr.io/linkerd/dev:v38-rust
timeout-minutes: 20
continue-on-error: true
steps:
32 changes: 6 additions & 26 deletions .github/workflows/release.yml
Expand Up @@ -52,40 +52,20 @@ jobs:
strategy:
matrix:
arch: [amd64, arm64, arm]
libc: [gnu, musl]

# If we're not actually building on a release tag, don't short-circuit on
# errors. This helps us know whether a failure is platform-specific.
continue-on-error: ${{ !needs.meta.outputs.publish }}
name: Package (${{ matrix.arch }})
runs-on: ubuntu-latest
timeout-minutes: 40
container: docker://ghcr.io/linkerd/dev:v37-rust
container: docker://ghcr.io/linkerd/dev:v38-rust-musl
steps:
- if: matrix.arch == 'arm64'
run: |
rustup target add aarch64-unknown-linux-gnu
apt-get update
apt-get install -y --no-install-recommends \
binutils-aarch64-linux-gnu \
g++-aarch64-linux-gnu \
gcc-aarch64-linux-gnu \
libc6-dev-arm64-cross
echo CARGO_TARGET_AARCH64_UNKNOWN_LINUX_GNU_LINKER=aarch64-linux-gnu-gcc >> "$GITHUB_ENV"

- if: matrix.arch == 'arm'
run: |
rustup target add armv7-unknown-linux-gnueabihf
apt-get update
apt-get install -y --no-install-recommends \
binutils-arm-linux-gnueabihf \
g++-arm-linux-gnueabihf \
gcc-arm-linux-gnueabihf \
libc6-dev-armhf-cross
echo CARGO_TARGET_ARMV7_UNKNOWN_LINUX_GNUEABIHF_LINKER=arm-linux-gnueabihf-gcc >> "$GITHUB_ENV"

- uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8
- run: just fetch
- name: Run just package
run: just profile=release package_arch=${{ matrix.arch }} package_version=${{ needs.meta.outputs.version }} package
- run: just arch=${{ matrix.arch }} libc=${{ matrix.libc }} rustup
- run: just arch=${{ matrix.arch }} libc=${{ matrix.libc }} profile=release build
- run: just arch=${{ matrix.arch }} libc=${{ matrix.libc }} profile=release package_version=${{ needs.meta.outputs.version }} package
- uses: actions/upload-artifact@83fd05a356d7e2593de66fc9913b3002723633cb
with:
name: ${{ matrix.arch }}-artifacts
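Review bot: The matrix gains `libc: [gnu, musl]`, but `name: Package (${{ matrix.arch }})` and the upload's `name: ${{ matrix.arch }}-artifacts` are still keyed on arch alone, so the gnu and musl legs of one architecture share a job name and an artifact name. Include `${{ matrix.libc }}` in both. The job container is `v38-rust-musl` for every leg, including the gnu ones; confirm that is intended.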
2 changes: 1 addition & 1 deletion .github/workflows/shellcheck.yml
Expand Up @@ -15,6 +15,6 @@ jobs:
timeout-minutes: 5
runs-on: ubuntu-latest
steps:
- uses: linkerd/dev/actions/setup-tools@v37
- uses: linkerd/dev/actions/setup-tools@v38
- uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8
- run: just sh-lint
4 changes: 2 additions & 2 deletions .github/workflows/test.yml
Expand Up @@ -24,7 +24,7 @@ jobs:
meshtls:
timeout-minutes: 10
runs-on: ubuntu-latest
container: ghcr.io/linkerd/dev:v37-rust
container: ghcr.io/linkerd/dev:v38-rust
steps:
- uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8
- run: just fetch
Expand All @@ -42,7 +42,7 @@ jobs:
unit:
timeout-minutes: 10
runs-on: ubuntu-latest
container: ghcr.io/linkerd/dev:v37-rust
container: ghcr.io/linkerd/dev:v38-rust
steps:
- uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8
- run: just fetch
20 changes: 2 additions & 18 deletions .github/workflows/toolchain.yml
Expand Up @@ -14,7 +14,7 @@ permissions:
jobs:
devcontainer:
runs-on: ubuntu-latest
container: ghcr.io/linkerd/dev:v37-rust
container: ghcr.io/linkerd/dev:v38-rust
steps:
- uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8
- run: |
Expand All @@ -24,26 +24,10 @@ jobs:
exit 1
fi

dockerfiles:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8
- run: |
VERSION="$(cat rust-toolchain)"
ex=0
while IFS= read -r file ; do
versions=$(sed -nE 's/^ARG RUST_VERSION=([^ ]+)/\1/p' "$file")
for mismatch in $(echo "$versions" | grep -vF "$VERSION" || true) ; do
echo "::error file=$file::$file uses incorrect rust version(s): $mismatch"
ex=$((ex + 1))
done
done < <(find . -name Dockerfile)
exit $ex

workflows:
runs-on: ubuntu-latest
steps:
- uses: linkerd/dev/actions/setup-tools@v37
- uses: linkerd/dev/actions/setup-tools@v38
- uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8
- shell: bash
run: |
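Review bot: Dropping the `dockerfiles` job leaves no visible check tying the Dockerfile's compiler to `rust-toolchain`, since the Dockerfile now takes its toolchain from `RUST_IMAGE=ghcr.io/linkerd/dev:v38-rust` instead of `ARG RUST_VERSION`. Add a replacement step that fails when the `dev:` tag in the Dockerfile differs from the tag used by the workflows and the devcontainer, so the image build cannot drift to a different Rust version unnoticed.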
2 changes: 1 addition & 1 deletion Cargo.toml
Expand Up @@ -64,7 +64,7 @@ members = [
"linkerd/transport-metrics",
"linkerd2-proxy",
"opencensus-proto",
"tools"
"tools",
]

# Debug symbols end up chewing up several GB of disk space, so better to just
49 changes: 19 additions & 30 deletions Dockerfile
Expand Up @@ -16,50 +16,39 @@
#
# :; docker buildx build . --load

ARG RUST_VERSION=1.64.0
ARG RUST_IMAGE=rust:${RUST_VERSION}-bullseye
ARG RUST_IMAGE=ghcr.io/linkerd/dev:v38-rust

# Use an arbitrary ~recent edge release image to get the proxy
# identity-initializing and linkerd-await wrappers.
ARG RUNTIME_IMAGE=ghcr.io/linkerd/proxy:edge-22.2.1
ARG RUNTIME_IMAGE=ghcr.io/linkerd/proxy:edge-22.12.1

# Build the proxy, leveraging (new, experimental) cache mounting.
#
# See: https://github.com/moby/buildkit/blob/master/frontend/dockerfile/docs/experimental.md#run---mounttypecache
FROM $RUST_IMAGE as build
FROM --platform=$BUILDPLATFORM $RUST_IMAGE as build

# When set, causes the proxy to be compiled in development mode.
ARG PROXY_UNOPTIMIZED

# Controls what features are enabled in the proxy.
ARG PROXY_FEATURES="multicore,meshtls-rustls"

RUN --mount=type=cache,target=/var/lib/apt/lists \
--mount=type=cache,target=/var/tmp \
apt update && apt install -y time

RUN --mount=type=cache,target=/var/lib/apt/lists \
--mount=type=cache,target=/var/tmp \
if $(echo "$PROXY_FEATURES" | grep "meshtls-boring" >/dev/null); then \
apt install -y cmake clang golang ; \
fi
ARG PROXY_FEATURES=""
RUN apt-get update && \
apt-get install -y time && \
if [[ "$PROXY_FEATURES" =~ .*meshtls-boring.* ]] ; then \
apt-get install -y golang ; \
fi && \
rm -rf /var/lib/apt/lists/*

WORKDIR /usr/src/linkerd2-proxy
COPY . .
RUN --mount=type=cache,target=target \
--mount=type=cache,from=rust:1.64.0-bullseye,source=/usr/local/cargo,target=/usr/local/cargo \
mkdir -p /out && \
if [ -n "$PROXY_UNOPTIMIZED" ]; then \
(cd linkerd2-proxy && /usr/bin/time -v cargo build --locked --no-default-features --features="$PROXY_FEATURES") && \
mv target/debug/linkerd2-proxy /out/linkerd2-proxy ; \
else \
(cd linkerd2-proxy && /usr/bin/time -v cargo build --locked --no-default-features --features="$PROXY_FEATURES" --release) && \
mv target/release/linkerd2-proxy /out/linkerd2-proxy ; \
fi
RUN --mount=type=cache,id=cargo,target=/usr/local/cargo/registry \
just fetch
ARG TARGETARCH="amd64"
ARG PROFILE="release"
RUN --mount=type=cache,id=target,target=target \
--mount=type=cache,id=cargo,target=/usr/local/cargo/registry \
just arch=$TARGETARCH features=$PROXY_FEATURES profile=$PROFILE build && \
bin=$(just --evaluate profile="$PROFILE" _target_bin) ; \
mkdir -p /out && mv $bin /out/linkerd2-proxy

## Install the proxy binary into the base runtime image.
FROM $RUNTIME_IMAGE as runtime

WORKDIR /linkerd
COPY --from=build /out/linkerd2-proxy /usr/lib/linkerd/linkerd2-proxy
ENV LINKERD2_PROXY_LOG=warn,linkerd=info
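Review bot: `if [[ "$PROXY_FEATURES" =~ .*meshtls-boring.* ]]` in the apt-get RUN is a bash-only test, and RUN executes with `/bin/sh -c` unless a SHELL instruction here or in the base image selects bash; under a POSIX sh the test fails as a command, the branch is skipped, and golang is never installed for meshtls-boring builds. Add an explicit SHELL instruction for bash or keep a POSIX test such as the `grep` the previous version used. In the final RUN, `just --evaluate profile="$PROFILE" _target_bin` is called without the `arch=$TARGETARCH` that `build` receives, and `$bin` and `features=$PROXY_FEATURES` are unquoted; pass the same variables to both invocations and quote them.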