Better go pipelines #1086
Add microarchitecture level settings for AMD64 and ARM64. Set defaults to the current golang built-in upstream defaults. Signed-off-by: Dimitri John Ledkov <dimitri.ledkov@chainguard.dev>
Bump GOAMD64 from upstream default v1 to v2, which matches wolfi C binaries baseline ISA -march=x86-64-v2. Signed-off-by: Dimitri John Ledkov <dimitri.ledkov@chainguard.dev>
Roughly half of go packages pass in `-s -w` already. Signed-off-by: Dimitri John Ledkov <dimitri.ledkov@chainguard.dev>
Pass -trimpath that strips prefixes from source filenames embedded in go binaries. This reduces binary size, improves privacy, and improves reproducibility. Fixes 4b8ab55 Signed-off-by: Dimitri John Ledkov <dimitri.ledkov@chainguard.dev>
All builds in wolfi-dev/os are good for all packages using go/build or go/install pipelines. See test build-results in wolfi-dev/os#15071 and all the related mentioned pull requests.
Melange Pull Request Template
Improve go pipelines:
This reduces go binary sizes significantly for those that have not already employed the above techniques. Only about half of go packages strip the dwarf & symbols table.
Separately this reduces friction/differences when projects have optional cgo-dependent features, or when packages are rebuilt with go-fips toolchain.
Also test cases need adding.
Behavior Changes and remediation
"Binary cannot be executed" because VM doesn't expose x86-64-v2 CPU flags. Resolution option 1) ensure VMs expose that, note that most clouds now offer x86-64-v3 and x86-64-v4. And the rest of Wolfi has always required x86-64-v2 like any machine from this century. Resolution option 2) set
amd64: v1
Symbols table only needed back. Resolution: set
strip: "-w"
Symbols table & Debug symbols needed back. Resolution: set
strip: ""
Cgo based net or osuser is desired, instead of the go version. Resolution: set
toolchaintags: ""
Example of binary diff of caddy package:
Despite enabling CGO the binary remains the same size. The win here is that this package can now be built as-is with go-fips to gain a FIPS version of the binary.
Next we look at calico:
Switching to this scheme of "cgo enabled, but unused unless needed, with symbols stripped" halves the compressed apk size. The new build settings for this binary are
Despite cgo being enabled.