Provide a container for building Envoy on Oracle Linux 8.

Also add instructions about how to run an Oracle Linux 8 Envoy binary on a CentOS 7 host.
envoyproxy · Mar 16, 2023 · c123b29 · c123b29
1 parent b0452fc
commit c123b29
Show file tree

Hide file tree

Showing 4 changed files with 123 additions and 1 deletion.
diff --git a/azure-pipelines.yml b/azure-pipelines.yml
@@ -12,6 +12,9 @@ jobs:
  centos:
  OS_DISTRO: centos
  PUSH_GCR_IMAGE: false
+ oraclelinux:
+ OS_DISTRO: oraclelinux
+ PUSH_GCR_IMAGE: false
  dependsOn: []
  timeoutInMinutes: 120
  pool:

diff --git a/build_container/CENTOS7_BUILD_STATUS.md b/build_container/CENTOS7_BUILD_STATUS.md
@@ -1,5 +1,35 @@
 You are strongly encouraged to test the produced Envoy binary on CentOS 7 yourselves to ensure that it satisfies your required functionality and operates as expected.
 
+## Version 1.25.x
+If you need to run this version of Envoy on CentOS 7, your best bet is to use an Envoy binary built on Oracle Linux 8 and an updated version of glibc. CentOS 7 only comes with glibc 2.17, but the Envoy binary built on Oracle Linux 8 depends on a newer version of glibc, so you have to install a newer version on your system. Be careful not to override the existing version of glibc. Here are the rough instructions for accomplishing this:
+1. Use the Oracle Linux 8 image in this repo to build envoy.
+2. Copy the resulting Envoy binary to a CentOS 7 host.
+3. Install glibc 2.28 on the CentOS 7 host. This is the only version of glibc that has been tested with Envoy 1.25.x on CentOS 7.
+ 1. One option is to compile it from source.
+ ```
+ wget https://ftp.gnu.org/gnu/glibc/glibc-2.28.tar.gz
+ tar zxvf glibc-2.28.tar.gz
+ cd glibc-2.28
+ mkdir build
+ cd build
+ ../configure --prefix=/opt/glibc-2.28
+ make -j4
+ sudo make install
+ ```
+ 2. Another option is to download a pre-built RPM and extract it to a specific directory.
+ ```
+ mkdir /opt/glibc-2.28
+ cd /opt/glibc-2.28
+ wget https://rpmfind.net/linux/centos/8-stream/BaseOS/x86_64/os/Packages/glibc-2.28-155.el8.x86_64.rpm
+ rpm2cpio glibc-2.28-155.el8.x86_64.rpm | cpio -idmv
+ rm glibc-2.28-155.el8.x86_64.rpm
+ ```
+4. Use [patchelf](https://github.com/NixOS/patchelf) to patch the Oracle Linux 8 Envoy binary to use the updated version of glibc ld-linux for its interpreter and set the rpath to include the libs from glibc. This allows you to start the binary using a newer glibc version that includes the features required by the Oracle Linux 8 binary. Without this, it will run the system ld-linux which is from glibc 2.17 on CentOS 7.
+```
+patchelf --set-interpreter '/opt/glibc-2.28/lib64/ld-linux-x86-64.so.2' --set-rpath '/opt/glibc-2.28/lib64/' ${path_to_envoy_binary}
+```
+5. You should now be able to run the Envoy binary on your CentOS 7 host.
+
 ## Version 1.21.x
 Envoy version 1.21 onwards cannot currently be compiled on CentOS 7.
 
@@ -48,4 +78,4 @@ Further investigation is needed to resolve this problem. Contributions are welco
 Envoy version 1.20 can be compiled on CentOS 7 using `clang and libc++`, but not `clang and libstdc++`, which throws an ambiguous function error. For more detail on this issue and a proposed fix see [here](https://github.com/envoyproxy/envoy/issues/19978).
 
 ## Version 1.19.x
-Envoy version 1.19 can be built using either `clang and libc++` or `clang and libstdc++` on CentOS 7.
+Envoy version 1.19 can be built using either `clang and libc++` or `clang and libstdc++` on CentOS 7.
diff --git a/build_container/Dockerfile-oraclelinux b/build_container/Dockerfile-oraclelinux
@@ -0,0 +1,12 @@
+FROM oraclelinux:8 as base
+
+COPY ./build_container_common.sh /
+COPY ./build_container_centos.sh /
+
+ENV PATH /opt/rh/rh-git218/root/usr/bin:/opt/rh/devtoolset-7/root/usr/bin:/opt/llvm/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
+
+RUN mkdir /etc/sudoers.d
+RUN echo "Defaults secure_path = $PATH" > /etc/sudoers.d/path
+
+RUN ./build_container_oraclelinux.sh
+ENV LC_ALL en_US.UTF-8
diff --git a/build_container/build_container_oraclelinux.sh b/build_container/build_container_oraclelinux.sh
@@ -0,0 +1,77 @@
+#!/bin/bash
+
+set -e
+ARCH="$(uname -m)"
+
+yum-config-manager --enable ol8_codeready_builder
+yum update -y
+
+yum install -y \
+ binutils \
+ cmake \
+ gcc \
+ git \
+ glibc-langpack-en \
+ glibc-locale-source \
+ glibc-static \
+ libstdc++-static \
+ ncurses-compat-libs \
+ ninja-build \
+ perl \
+ python3 \
+ tcpdump \
+ unzip \
+ wget \
+ xz \
+ sudo
+
+# set locale
+localedef -c -f UTF-8 -i en_US en_US.UTF-8
+export LC_ALL=en_US.UTF-8
+
+# For LLVM to pick right libstdc++
+ln -s /opt/rh/devtoolset-9/root/usr/lib/gcc/x86_64-redhat-linux/9 /usr/lib/gcc/x86_64-redhat-linux
+
+LLVM_VERSION=15.0.0
+
+case $ARCH in
+ 'x86_64' )
+ LLVM_DISTRO="x86_64-linux-gnu-rhel-8.4"
+ LLVM_SHA256SUM="20b17fabc97b93791098e771adf18013c50eae2e45407f8bfa772883b6027d30"
+ ;;
+ 'aarch64' )
+ LLVM_DISTRO="aarch64-linux-gnu"
+ LLVM_SHA256SUM="527ed550784681f95ec7a1be8fbf5a24bd03d7da9bf31afb6523996f45670be3"
+ ;;
+esac
+
+# httpd24 is equired by rh-git218
+echo "/opt/rh/httpd24/root/usr/lib64" > /etc/ld.so.conf.d/httpd24.conf
+ldconfig
+
+# Setup tcpdump for non-root.
+groupadd -r pcap
+chgrp pcap /usr/sbin/tcpdump
+chmod 750 /usr/sbin/tcpdump
+setcap cap_net_raw,cap_net_admin=eip /usr/sbin/tcpdump
+
+source ./build_container_common.sh
+
+# compile proper version of gn, compatible with Oracle Linux's GLIBC version and
+# envoy wasm/v8 dependency
+# can be removed when the dependency will be updated
+git clone https://gn.googlesource.com/gn
+pushd gn
+# 45aa842fb41d79e149b46fac8ad71728856e15b9 is a hash of the version
+# before https://gn.googlesource.com/gn/+/46b572ce4ceedfe57f4f84051bd7da624c98bf01
+# as this commit expects envoy to rely on newer version of wasm/v8 with the fix
+# from https://github.com/v8/v8/commit/eac21d572e92a82f5656379bc90f8ecf1ff884fc
+# (versions 9.5.164 - 9.6.152)
+git checkout 45aa842fb41d79e149b46fac8ad71728856e15b9
+python3 build/gen.py
+ninja -C out
+mv -f out/gn /usr/local/bin/gn
+chmod +x /usr/local/bin/gn
+popd
+
+yum clean all