Use Docker to build Linux binaries statically

[ariya]

To ensure a consistent build for the static binaries for Linux, we shall use Docker and build PhantomJS inside the container.

[ariya]

For @zackw branch on this attempt: https://github.com/zackw/phantomjs/tree/docker

[ariya]

Another reference is from @bprodoehl: https://github.com/bprodoehl/phantomjs/commits/master

[bprodoehl]

This is a fantastic idea. Glad to see it embraced here!

[ariya]

For an alternative approach that I've been using extensively for many projects of mine, see my previous blog post: http://ariya.ofilabs.com/2014/12/docker-and-phoenix-how-to-make-your-continuous-integration-more-awesome.html.

Instead of a Dockerfile we are building, first we can construct a customized base image. Looking at the work from @zackw and @bprodoehl above, this customized base image can be based on Ubuntu 14.04 with additional packages, both for the usual building (e.g. build-essential meta-package) as well as the libraries needed by PhantomJS 2 (e.g. zlib, Freetype, etc).

Here's my attempt at producing the said customized base image: https://bitbucket.org/ariya/erik (it's named after Erik, the phantom character in Phantom of the Opera). I registered this as an automated build at Docker Hub (see https://hub.docker.com/r/ariya/erik) and hence this can be pulled by the usual Docker command, e.g.

$ docker run ariya/erik sh -c "gcc --version"
gcc (Ubuntu 4.8.4-2ubuntu1~14.04) 4.8.4
Copyright (C) 2013 Free Software Foundation, Inc.
This is free software; see the source for copying conditions.  There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

(To be continued)

[zackw]

FYI, the Docker scripts in my branch do indeed construct a customized base image which could be reused for many builds. They also have a custom entry point that runs the build, which may or may not be a good idea; I'm not super familiar with Docker.

I'm not going to be working on this any more until after Jan 10, because I'll be traveling and won't have the use of my Linux desktop.

[ariya]

@zackw The difference in the variant that I proposed above is that the customized base image is created once (even better, by Docker Hub so we don't need to waste our own CPU cycles and such) and it will be reused by any numbers of Linux static binary builds. Given that we may only need to update the system dependencies once a while, I believe we don't need to incur that time building all those libraries statically.

[ariya]

On the subject of the customized base image, I agree with the sentiment from @zackw that downloading source packages without a follow-up of package verification is rather risky (especially via http). An alternative that we can consider is using Debian's original source package. We can use apt-get source and get the benefit of built-in signature verification mechanism.

The drawback of using this apt-get source approach, which we may or may not be able to live with, is that the source package might be outdated. For example, Ubuntu 14.04 has the source package of libxml2 2.9.1 while the upstream project already released version 2.9.3.

My pragmatic view on this subject leans towards Debian source package. What do you think @zackw?

[ariya]

Here's my progress so far. I have the following file deploy/docker-build.sh in the source tree:

SOURCE_PATH=/src
BUILD_PATH=$HOME/build

echo "Recreating build directory $BUILD_PATH"
rm -rf $BUILD_PATH && mkdir -p $BUILD_PATH
echo

echo "Transferring the source: $SOURCE_PATH -> $BUILD_PATH"
cd $BUILD_PATH && cp -rp $SOURCE_PATH . && cd src
echo

echo "Executing make..."
python build.py --confirm --git-clean-qtbase --git-clean-qtwebkit
echo

And then I run

docker run -v $PWD:/src ariya/erik sh -c "/src/deploy/docker-build.sh"

That docker-build.sh does an explicity copy to its own working directory, $BUILD_PATH. It may not be unnecessary but this way I can experiment with things without clobbering the original source (since it's mapped as /src).

So far I got Qt Base built, however I stumbled upon the following error:

Encountered 5 configuration warning(s):

 ! QtQuick module not found, QML APIs will not be built
 ! Qt not configured to use system libjpeg, QImageDecoder will decode JPEG images
 ! Qt not configured to use system libpng, QImageDecoder will decode PNG images
 ! Missing GStreamer or QtMultimedia, disabling HTML5 media element support
 ! QtWebKitQml will not be build. It is not supported with static linking

The WebKit build was disabled for the following reasons: 
    * ICU is required.

It seems that some configuration script could not discover the ICU libraries on the system. I need to dig deeper but if you have an idea @bprodoehl or @zackw, let me know.

[zackw]

My pragmatic view on this subject leans towards Debian source package. What do you think @zackw?

In principle I prefer this - it's faster, it's signed, and it leverages a bunch of their infrastructure - but it does have two drawbacks: we have less control over exactly which version of each library we get, and it may be harder to persuade qmake to link the right set of things statically.

Maybe let's try to do it using Debian source packages (and a baseline of Debian 'stable'/'squeeze') and see how that goes?

It seems that some configuration script could not discover the ICU libraries on the system.

I hit the same problem. The issue is fundamentally that if you link ICU statically, you have to add -ldl to the link line, and the qmake fragments that are testing for ICU don't know to do this. I was able to fix this in qtbase (vitallium/qtbase@e48d070) and I tried to fix this in qtwebkit (vitallium/qtwebkit@5765f14) but it didn't work, and I have reached the limit of my (quite limited) understanding of qmake.

[ariya]

It turns out that the failing ICU detection is due to the use of pkg-config. Since the customized base image has its own built libicu, it should be detected directly instead of via pkg-config. The fix is rather easy, one line in that deploy/docker-build.sh file needs to look like this instead:

python build.py --confirm --qt-config="-no-pkg-config" --git-clean-qtbase --git-clean-qtwebkit

Now, on to building QtWebKit...

[ariya]

Now that I got QtBase, QtWebKit, and PhantomJS all built properly, the linker fails rather miserably:

g++ -Wl,-O1 -Wl,-rpath-link,/root/build/src/src/qt/qtbase/lib -o ../bin/phantomjs phantom.o callback.o webpage.o webserver.o main.o utils.o networkreplyproxy.o networkreplytracker.o networkaccessmanager.o cookiejar.o filesystem.o system.o env.o terminal.o encoding.o config.o childprocess.o repl.o crashdump.o mongoose.o linenoise.o utf8.o qcommandline.o phantomjs_plugin_import.o qrc_phantomjs.o qrc_ghostdriver.o moc_phantom.o moc_callback.o moc_webpage.o moc_webserver.o moc_networkreplyproxy.o moc_networkreplytracker.o moc_networkaccessmanager.o moc_cookiejar.o moc_filesystem.o moc_system.o moc_env.o moc_terminal.o moc_config.o moc_childprocess.o moc_repl.o moc_qcommandline.o   -L/root/build/src/src/qt/qtbase/lib -lQt5WebKitWidgets -Wl,-whole-archive -Wl,-no-whole-archive -L/root/build/src/src/qt/qtwebkit/Source/WebKit/ -Wl,-whole-archive -Wl,-no-whole-archive -L/root/build/src/src/qt/qtwebkit/Source/WebCore/ -Wl,-whole-archive -Wl,-no-whole-archive -L/root/build/src/src/qt/qtwebkit/Source/ThirdParty/leveldb/ -Wl,-whole-archive -Wl,-no-whole-archive -L/root/build/src/src/qt/qtwebkit/Source/JavaScriptCore/ -Wl,-whole-archive -Wl,-no-whole-archive -L/root/build/src/src/qt/qtwebkit/Source/WTF/ -lQt5PrintSupport -Wl,-whole-archive -Wl,-no-whole-archive -Wl,-whole-archive -Wl,-no-whole-archive -Wl,-whole-archive -Wl,-no-whole-archive -Wl,-whole-archive -Wl,-no-whole-archive -Wl,-whole-archive -Wl,-no-whole-archive -lQt5Widgets -lQt5WebKit -Wl,-whole-archive -lWebKit1 -Wl,-no-whole-archive -Wl,-whole-archive -lWebCore -Wl,-no-whole-archive -lz -Wl,-whole-archive -lleveldb -Wl,-no-whole-archive -Wl,-whole-archive -lJavaScriptCore -Wl,-no-whole-archive -Wl,-whole-archive -lWTF -Wl,-no-whole-archive -lQt5Sql -L/root/build/src/src/qt/qtbase/plugins/platforms -lqphantom -lQt5PlatformSupport -lfontconfig -lfreetype -L/root/build/src/src/qt/qtbase/plugins/imageformats -lqico -lQt5Gui -lqtharfbuzzng -L/root/build/src/src/qt/qtbase/plugins/bearer -lqgenericbearer -lQt5Network -lssl -lcrypto -lQt5Core -licui18n -licuuc -licudata -lqtpcre -lm -ldl -lrt -lpthread 
/usr/lib/gcc/x86_64-linux-gnu/4.8/../../../../lib/libfontconfig.a(fcxml.o): In function `FcConfigMessage':
/src/fontconfig-2.11.1/src/fcxml.c:555: undefined reference to `xmlSAX2GetLineNumber'
/src/fontconfig-2.11.1/src/fcxml.c:558: undefined reference to `xmlSAX2GetLineNumber'
/usr/lib/gcc/x86_64-linux-gnu/4.8/../../../../lib/libfontconfig.a(fcxml.o): In function `IA__FcConfigParseAndLoad':
/src/fontconfig-2.11.1/src/fcxml.c:3142: undefined reference to `xmlCreatePushParserCtxt'
/src/fontconfig-2.11.1/src/fcxml.c:3181: undefined reference to `xmlParseChunk'
/src/fontconfig-2.11.1/src/fcxml.c:3195: undefined reference to `xmlFreeParserCtxt'
/src/fontconfig-2.11.1/src/fcxml.c:3187: undefined reference to `xmlCtxtGetLastError'
collect2: error: ld returned 1 exit status

I am suspicious of the interplay between Fontconfig 2.11.1 and libxml2 2.9.3. Will keep digging.

[ariya]

Without custom built Fontconfig, I finally got PhantomJS compiled and linked!

ldd phantomjs   
    linux-vdso.so.1 =>  (0x00007fffcc9c5000)
    libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007fe98eb27000)
    librt.so.1 => /lib/x86_64-linux-gnu/librt.so.1 (0x00007fe98e91f000)
    libpthread.so.0 => /lib/x86_64-linux-gnu/libpthread.so.0 (0x00007fe98e700000)
    libstdc++.so.6 => /usr/lib/x86_64-linux-gnu/libstdc++.so.6 (0x00007fe98e3fc000)
    libm.so.6 => /lib/x86_64-linux-gnu/libm.so.6 (0x00007fe98e0f6000)
    libgcc_s.so.1 => /lib/x86_64-linux-gnu/libgcc_s.so.1 (0x00007fe98dedf000)
    libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007fe98db1a000)
    /lib64/ld-linux-x86-64.so.2 (0x0000561405eb5000)

[ariya]

File size information:

# ls -l bin/phantomjs
-rwxr-xr-x 1 root root 88799525 Dec 24 04:48 bin/phantomjs
# strip bin/phantomjs
# ls -l bin/phantomjs
-rwxr-xr-x 1 root root 76760872 Dec 24 20:57 bin/phantomjs

[ariya]

Quick test on CentOS indicates that this can run only on CentOS >= 7.

CentOS 6:

# cat /etc/redhat-release
CentOS release 6.7 (Final)
# ldd phantomjs
./phantomjs: /lib64/libc.so.6: version `GLIBC_2.15' not found (required by ./phantomjs)
./phantomjs: /lib64/libc.so.6: version `GLIBC_2.14' not found (required by ./phantomjs)
    linux-vdso.so.1 =>  (0x00007ffcbed83000)
    libdl.so.2 => /lib64/libdl.so.2 (0x00007feb6dd90000)
    librt.so.1 => /lib64/librt.so.1 (0x00007feb6db88000)
    libpthread.so.0 => /lib64/libpthread.so.0 (0x00007feb6d96a000)
    libstdc++.so.6 => /usr/lib64/libstdc++.so.6 (0x00007feb6d664000)
    libm.so.6 => /lib64/libm.so.6 (0x00007feb6d3e0000)
    libgcc_s.so.1 => /lib64/libgcc_s.so.1 (0x00007feb6d1c9000)
    libc.so.6 => /lib64/libc.so.6 (0x00007feb6ce35000)
    /lib64/ld-linux-x86-64.so.2 (0x000055c206482000)

CentOS 7

# cat /etc/redhat-release
CentOS Linux release 7.2.1511 (Core) 
# ldd phantomjs
    linux-vdso.so.1 =>  (0x00007ffe8373a000)
    libdl.so.2 => /lib64/libdl.so.2 (0x00007fa77e7a2000)
    librt.so.1 => /lib64/librt.so.1 (0x00007fa77e59a000)
    libpthread.so.0 => /lib64/libpthread.so.0 (0x00007fa77e37d000)
    libstdc++.so.6 => /lib64/libstdc++.so.6 (0x00007fa77e075000)
    libm.so.6 => /lib64/libm.so.6 (0x00007fa77dd73000)
    libgcc_s.so.1 => /lib64/libgcc_s.so.1 (0x00007fa77db5c000)
    libc.so.6 => /lib64/libc.so.6 (0x00007fa77d79b000)
    /lib64/ld-linux-x86-64.so.2 (0x000056125dbb9000)

[ariya]

Quick test on Debian gives a similar result, the executable is only usable for Debian >= 8.

jessie:

# cat /etc/os-release
PRETTY_NAME="Debian GNU/Linux 8 (jessie)"
NAME="Debian GNU/Linux"
VERSION_ID="8"
VERSION="8 (jessie)"
ID=debian
HOME_URL="http://www.debian.org/"
SUPPORT_URL="http://www.debian.org/support/"
BUG_REPORT_URL="https://bugs.debian.org/"
# ldd /src/phantomjs
    linux-vdso.so.1 (0x00007ffc8139f000)
    libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007f96e6d24000)
    librt.so.1 => /lib/x86_64-linux-gnu/librt.so.1 (0x00007f96e6b1c000)
    libpthread.so.0 => /lib/x86_64-linux-gnu/libpthread.so.0 (0x00007f96e68fe000)
    libstdc++.so.6 => /usr/lib/x86_64-linux-gnu/libstdc++.so.6 (0x00007f96e65f3000)
    libm.so.6 => /lib/x86_64-linux-gnu/libm.so.6 (0x00007f96e62f2000)
    libgcc_s.so.1 => /lib/x86_64-linux-gnu/libgcc_s.so.1 (0x00007f96e60db000)
    libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f96e5d32000)
    /lib64/ld-linux-x86-64.so.2 (0x000055f4dba00000)

wheezy:

# cat /etc/os-release
PRETTY_NAME="Debian GNU/Linux 7 (wheezy)"
NAME="Debian GNU/Linux"
VERSION_ID="7"
VERSION="7 (wheezy)"
ID=debian
ANSI_COLOR="1;31"
HOME_URL="http://www.debian.org/"
SUPPORT_URL="http://www.debian.org/support/"
BUG_REPORT_URL="http://bugs.debian.org/"
ldd /src/phantomjs
/src/phantomjs: /lib/x86_64-linux-gnu/libc.so.6: version `GLIBC_2.15' not found (required by /src/phantomjs)
/src/phantomjs: /lib/x86_64-linux-gnu/libc.so.6: version `GLIBC_2.14' not found (required by /src/phantomjs)
    linux-vdso.so.1 =>  (0x00007ffe08b37000)
    libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007fc40f600000)
    librt.so.1 => /lib/x86_64-linux-gnu/librt.so.1 (0x00007fc40f3f8000)
    libpthread.so.0 => /lib/x86_64-linux-gnu/libpthread.so.0 (0x00007fc40f1db000)
    libstdc++.so.6 => /usr/lib/x86_64-linux-gnu/libstdc++.so.6 (0x00007fc40eed4000)
    libm.so.6 => /lib/x86_64-linux-gnu/libm.so.6 (0x00007fc40ec52000)
    libgcc_s.so.1 => /lib/x86_64-linux-gnu/libgcc_s.so.1 (0x00007fc40ea3b000)
    libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007fc40e6b0000)
    /lib64/ld-linux-x86-64.so.2 (0x000055c93d4d5000)

[ariya]

In principle I prefer this - it's faster, it's signed, and it leverages a bunch of their infrastructure - but it does have two drawbacks: we have less control over exactly which version of each library we get, and it may be harder to persuade qmake to link the right set of things statically.

It may not be so bad. So far I have luck building everything using e.g. ICU 4.8.1.1, available as the source package for wheezy, instead of using the latest ICU 56.1. The problem with qmake might be overtaken by event, as the whole build process eventually completed and I got a usable executable.

[ariya]

BTW, another bonus of using apt-get source is getting the additional patches, including security-related ones (e.g. offending CAs removal).

[ariya]

I finally got something that works in most distribution! So far I've tested it on Fedora >= 22, CentOS 6.7 and 7.2, Debian 7 (wheezy) and 8 (jessie), as well as Ubuntu 12.04 LTS and 14.04 LTS.

The workflow is still similar, take a look at deploy/docker-build.sh at https://gist.github.com/ariya/82a8690a504780582611. From the main PhantomJS source tree, trigger the build:

docker run -v $PWD:/src debian:wheezy /src/deploy/docker-build.sh

The trick here is to base it off wheezy and only to custom compile only OpenSSL and ICU (both using the earlier proposed apt-get source).

I think it does make sense anyway to limit the rebuilt libraries. PhantomJS 1.x already requires Fontconfig (and thereby also FreeType) hence making it the same requirement in 2.1 should not cause a lot of grief. I can't imagine a usable basic system without zlib, libxml2, and friends. Meanwhile, the graphics system libraries (libpng, libjpeg, libwebp) are not being utilized since we configure Qt to use its own copy. Originally, I even tried to skip OpenSSL but the resulting executable has a problem on Fedora-based systems (likely due to build configuration differences). That leaves us with OpenSSL and ICU, but that seems to work quite well!

[ariya]

I just realize that this is so far only for producing 64-bit executable. I will give it a try with a 32-bit Docker image to see if the same workflow would work.

[Vanuan]

Awesome progress!
Can we get some beta via npm?

[ariya]

Can we get some beta via npm?

We don't really handle that npm module, please propose a concrete step that I could do. Otherwise, be patient and bear with us as I'm focusing on this task.

[Vanuan]

Ok, found this:

if ICU was built for static libraries only, then icu-config should output the arguments for static libs. There's no option to select static libraries if both are available.
http://stackoverflow.com/questions/6830560/icu-config-getting-static-library-flags

So, the solution is to apt-get remove shared versions of those libraries.

[ariya]

So, the solution is to apt-get remove shared versions of those libraries.

That is not necessary at all. Pay attention to my docker-build.sh as I've already linked before in #13822 (comment), particularly the way it invokes build.py.

[Vanuan]

@ariya
build.by options are the same. I used this file:
https://gist.githubusercontent.com/Vanuan/5300108d40af6a28ee57/raw/e62577a66fed738bd814604124cd5b2225ca4fe8/docker-build.sh

And here are results:
https://semaphoreci.com/vanuan/phantomjs/branches/master/builds/24

Resulting phantomjs binary is linked to shared ssl and icu.

[Vanuan]

Unfortunately, uninstalling openssl isn't possible, since a whole lot of packages depend on that.

I think openssl is somehow not installed in that debian docker image, so it builds against static version.

[Vanuan]

Ok, I removed openssl-dev package and it now links to a static version that is built in docker-build.sh.

sudo apt-get remove -y libssl-dev

Still having glibc problem:

./phantomjs: /lib64/libc.so.6: version `GLIBC_2.15' not found (required by ./phantomjs)
./phantomjs: /lib64/libc.so.6: version `GLIBC_2.14' not found (required by ./phantomjs)

@ariya could you remind what was a fix for this?

[piranna]

The linker takes precedence on the dynamic libraries, to force to use the
static ones you can be able to use the -static flag or add splicitly the
static libraries by using their path.
El 01/01/2016 21:16, "John Yani" notifications@github.com escribió:

Ok, I removed openssl-dev package and it now links to a static version
that is built in docker-build.sh.

sudo apt-get remove -y libssl-dev

Still having glibc problem:

./phantomjs: /lib64/libc.so.6: version GLIBC_2.15' not found (required by ./phantomjs) ./phantomjs: /lib64/libc.so.6: versionGLIBC_2.14' not found (required by ./phantomjs)

@ariya https://github.com/ariya could you remind what was a fix for
this?

—
Reply to this email directly or view it on GitHub
#13822 (comment).

[Vanuan]

Yeah, I know that, but I don't want to modify phantomjs sources since I'm not sure if @ariya would be fine with that approach.

[piranna]

Maybe there's already an option to generate an static build, or you could send a pull-request with it.

[Vanuan]

@piranna obviously, you didn't follow this issue: #12948

[Vanuan]

Ok, I did a little research. It seems like there's no way to install libc6 2.13 on Ubuntu 14.04. So using other distributions (or Docker images) is the only option to provide binaries for corresponding distributions.

[ariya]

I'm going to commit the Docker-based solution to master and then we will close this issue as largely the issue is resolved.

@Vanuan We need to continue your problem in a new spawn issue, otherwise it's just creating some additional confusion.

[ariya]

This is resolved now. For 32-bit build improvement, we track it at #13849.

[diwu1989]

Congrats, great way to start the new year, been waiting for a ready to go PhantomJS linux binary for a long time.

[Vanuan]

@diwu1989 there's no linux binary yet.

[mikesherov]

@Vanuan @ariya what blockers are left for there to be a Linux binary? I know medium has been waiting on a Linux binary to update their node-phantomjs to 2.0, which unblocks karma and a whole slew of test runners to be able to use 2.0, which kills the ES5 shim for a lot of folks who carry it around solely for its function.prototype.bind shim...

[Vanuan]

@mikesherov there are no blockers. You can build 64-bit Linux binary from master yourself. But that still wouldn't be "official". Unfortunately, there's no build machine to produce statically linked binaries for each commit. So that's it. We're just waiting for smb to provide CPU power for free.

[ariya]

32-bit build is still problematic, see #13849.
For the forthcoming release (version 2.1), follow #12970.

This issue should be resolved already, i.e. we have identified the optimal Docker workflow to build a static binary. If it's still necessary, please continue the discussion on a different place (e.g. one the above two issue), let's keep this issue to focus on the Docker methodology itself and other tangential topics.

[Nunna09]

Hi, Can someone help me how to run a phantomJS tests in docker...?

[Nunna09]

ERROR: 'phantomjs' executable needs to be in PATH.
getting the above error

Though the path is set in syetem env variable