*: add cross-build, CI job, update to libseccomp 2.5.2 #3197
Conversation
kolyshkin
force-pushed
the
release-arm64
branch
3 times, most recently
from
d452794
to
b5301ec
Compare
kolyshkin
force-pushed
the
release-arm64
branch
2 times, most recently
from
16cf452
to
feb385f
Compare
kolyshkin
force-pushed
the
release-arm64
branch
5 times, most recently
from
59b302e
to
f1be556
Compare
|
OK I made it working... ...alas not for opensuse (or Fedora, for that matter). Problem is, only Debian (and Ubuntu, to some extent) provide good cross-compilation support. For opensuse in particular, this is nicely summarized by this statement (from https://software.opensuse.org/package/cross-aarch64-gcc11):
It's the same for Fedora (from
Ubuntu seems to fully support at least arm64 (as shown by validate/release CI job in this PR), but does not support some other architectures (so we have to use Docker for validate/cross CI job). To sum it up -- building runc.amd64 it's ready and working (in fact you can download it from this PR's CI -- go to Checks tab, choose validate, and scroll down looking for Artifacts, in there you can find a zip with the binaries), but only for Ubuntu/Debian. We can change the release process to use the binaries built in CI, but it's a big change. @cyphar @AkihiroSuda WDYT? |
|
@kolyshkin Since we only have one dependency (libseccomp) which we build ourselves, I think it might be possible for us to do it -- we should only require an architecture-appropriate compiler and glibc. But if that isn't possible (or is too fragile / annoying) we can switch to building cross-architecture binaries in CI. The only issue is that I wouldn't be able to automatically sign them as part of the release (I can obviously manually sign them afterwards but it'll be a bit more manual work than the release process currently uses). I wonder if we could just script the whole release process with the GitHub API (push the tag, wait for the CI to build the cross-arch artefacts, download, sign, then upload to the release). Then again, how much time would we be saving over the manual method? 😅 |
SGTM, but I don't think signing has to be automated. If we want to sign the binary on GHA, at least we will have to create a new GPG key, because I don't want you to leak your existing GPG key to GHA secrets 😄 |
kolyshkin
force-pushed
the
release-arm64
branch
from
f1be556
to
3508727
Compare
which, sadly, neither Fedora nor openSUSE has -- they only provide gcc and binutils. aarch64-glibc is available for both Debian and Ubuntu, though. Automating the release process in CI seems like a bigger project that I can take on at the moment. If anyone can help that'd be awesome. This PR can go through, though, once I'll add an option to |
Haha, I meant to say that we have a hypothetical "release.sh" script I run locally which:
For what it's worth we probably should have a shared runc maintainers key (or maybe a |
Damn. Yeah guess we'll need to figure out some other solution for signing -- but this PR should be enough for the moment (I can manually add the artefacts for the next few releases until we have a better release script). |
kolyshkin
force-pushed
the
release-arm64
branch
from
3508727
to
fe73ef9
Compare
|
This is no longer a draft and ready to go in. Used by CI, and can be used locally as well ( |
kolyshkin
changed the title
You and me both 😆 We already have a Debian-based image that can be used for testing and cross-compilation. It's easy to reuse it for building release binaries... let me see... |
(with nothing but deep respect for y'all's work) this is hilarious. 😄 |
kolyshkin
force-pushed
the
release-arm64
branch
from
0fbf1d6
to
831957a
Compare
kolyshkin
changed the title
kolyshkin
force-pushed
the
release-arm64
branch
4 times, most recently
from
a8deec7
to
eaec37f
Compare
|
OK, this is finally ready, you can use locally. It takes 5 minutes on CI (with cache, or 10 minutes without), and about 1 minute on my laptop (using podman, with all layers already cached). You can still use script/release.sh directly as before (or Overall I think this is a big ugly now, and can be simplified and improved (I am pretty sure @thaJeztah can think of some Dockerfile improvements, for one thing), but I've already spent much more than I wanted on it. |
|
Note that I have removed |
|
@cyphar @AkihiroSuda PTAL |
1. The seccompagent target it built in the same way as others in contrib, so there is no need to have a separate rule. 2. Mark seccompagent as phony, because it is (it rarely happens, but I actually just had an issue because this was absent). 3. Add seccompagent binary to clean target. Fixes: e21a9ee Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
There is no need to have a static version of recvtty and/or sd-helper binary. This speeds up script/release.sh a bit. Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
This implements cross-build for "make release", moving the build into a container. This way we can support arm, arm64, ppc, and whatnot. * script/seccomp.sh: separate out of script/release.sh, amend to support cross-compile and save needed environment variables to a file. * Dockerfile: add installing libseccomp from source, as this is needed for release builds. * script/release.sh: amend to support more architectures in addition to the native build. Additional arches can be added by specifying "-a <arch>" argument (can be specified multiple times), or "make RELEASE_ARGS="-a arm64" release" if called via make. All supported architectures can be enabled via "make releaseall". * Makefile: move "release" target to "localrelease", add "release" and "releaseall" targets to build via the Dockerfile. This is done because most distros (including Fedora and openSUSE) lack cross-glibc, which is needed to cross-compile libseccomp. * Makefile: remove 'cross' and 'localcross' targets, as this is now done by the release script. * .github/workflows/validate.yum: amend the release CI job to cross-build for supported architectures, remove cross job. Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
Release notes: https://github.com/seccomp/libseccomp/releases/tag/v2.5.2 Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
kolyshkin
force-pushed
the
release-arm64
branch
from
eaec37f
to
3c8db63
Compare
|
Addressed review comments from @cyphar; PTAL |
|
I removed |
This implements cross-build for
make release, moving the build into acontainer. This way we can support arm, arm64, ppc64, and whatnot.
script/seccomp.sh: separate out ofscript/release.sh, amend to supportcross-compile and save needed environment variables to a file.
Dockerfile: add installing libseccomp from source, as this is neededfor release builds.
script/release.sh: amend to support more architectures in addition tothe native build. Additional arches can be added by specifying
-a <arch>argument (can be specified multiple times), ormake RELEASE_ARGS="-a arm64 -a ppc64le" releaseif called viamake.Makefile: movereleasetarget tolocalrelease, addreleasetarget to build via the Dockerfile. This is done because most distros
(including Fedora and openSUSE) lack cross-glibc, which is needed to
cross-compile libseccomp.
Makefile: removecrossandlocalcrosstargets, as this is now doneby the release script.
.github/workflows/validate.yum: amend the release CI job to cross-buildfor supported architectures, remove
crossjob.