Files
runc/script/release.sh
T
Kir Kolyshkin f95063ede4 Dockerfile: fix for seccomp
Commit f30244ee1b broke the scenario of using Dockefile for
anything but making a release. This happened because it installed
native libseccomp build to a temporary directory, and so linking against
libseccomp required setting a few environment variables.

Let's fix this, and simplify libseccomp installation. Instead of using
temporary directories, let's install native libseccomp to a specified
directory, all the cross-builds to its subdirectories, and set
PKG_CONFIG_PATH and LD_LIBRARY_PATH in Dockerfile so that the built
library will found by pkg-config and the dynamic linker (without setting
LD_LIBRARY_PATH, ld picks up distro-provided libseccomp.so).

While at it, fix some bugs introduced by the abovementioned commit.

This fixes building runc in  make targets like shell, dbuild,
integration, unittest -- i.e. those that depend on runcimage.

Fixes: f30244ee1b
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-10-01 10:20:56 -07:00

207 lines
5.5 KiB
Bash
Executable File

#!/bin/bash
# Copyright (C) 2017 SUSE LLC.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
set -e
## --->
# Project-specific options and functions. In *theory* you shouldn't need to
# touch anything else in this script in order to use this elsewhere.
: "${LIBSECCOMP_VERSION:=2.5.2}"
project="runc"
root="$(readlink -f "$(dirname "${BASH_SOURCE[0]}")/..")"
# shellcheck source=./script/lib.sh
source "$root/script/lib.sh"
# This function takes an output path as an argument, where the built
# (preferably static) binary should be placed.
# Parameters:
# $1 -- destination directory to place build artefacts to.
# $2 -- native architecture (a .suffix for a native binary file name).
# $@ -- additional architectures to cross-build for.
function build_project() {
local builddir
builddir="$(dirname "$1")"
shift
local native_arch="$1"
shift
local arches=("$@")
# Assume that if /opt/libseccomp exists, then we are run
# via Dockerfile, and seccomp is already built.
local seccompdir=/opt/libseccomp temp_dir
if [ ! -d "$seccompdir" ]; then
temp_dir="$(mktemp -d)"
seccompdir="$temp_dir"
# Download and build libseccomp.
"$root/script/seccomp.sh" "$LIBSECCOMP_VERSION" "$seccompdir" "${arches[@]}"
fi
# For reproducible builds, add these to EXTRA_LDFLAGS:
# -w to disable DWARF generation;
# -s to disable symbol table;
# -buildid= to remove variable build id.
local ldflags="-w -s -buildid="
# Add -a to go build flags to make sure it links against
# the provided libseccomp, not the system one (otherwise
# it can reuse cached pkg-config results).
local make_args=(COMMIT_NO= EXTRA_FLAGS="-a" EXTRA_LDFLAGS="${ldflags}" static)
# Build natively.
make -C "$root" \
PKG_CONFIG_PATH="$seccompdir/lib/pkgconfig" \
"${make_args[@]}"
strip "$root/$project"
# Sanity check: make sure libseccomp version is as expected.
local ver
ver=$("$root/$project" --version | awk '$1 == "libseccomp:" {print $2}')
if [ "$ver" != "$LIBSECCOMP_VERSION" ]; then
echo >&2 "libseccomp version mismatch: want $LIBSECCOMP_VERSION, got $ver"
exit 1
fi
mv "$root/$project" "$builddir/$project.$native_arch"
# Cross-build for for other architectures.
local arch
for arch in "${arches[@]}"; do
set_cross_vars "$arch"
make -C "$root" \
PKG_CONFIG_PATH="$seccompdir/$arch/lib/pkgconfig" \
"${make_args[@]}"
"$STRIP" "$root/$project"
mv "$root/$project" "$builddir/$project.$arch"
done
# Copy libseccomp source tarball.
cp "$seccompdir"/src/* "$builddir"
# Clean up.
if [ -n "$tempdir" ]; then
rm -rf "$tempdir"
fi
}
# End of the easy-to-configure portion.
## <---
# Print usage information.
function usage() {
echo "usage: release.sh [-S <gpg-key-id>] [-c <commit-ish>] [-r <release-dir>] [-v <version>] [-a <cross-arch>]" >&2
exit 1
}
# Log something to stderr.
function log() {
echo "[*] $*" >&2
}
# Log something to stderr and then exit with 0.
function bail() {
log "$@"
exit 0
}
# Conduct a sanity-check to make sure that GPG provided with the given
# arguments can sign something. Inability to sign things is not a fatal error.
function gpg_cansign() {
gpg "$@" --clear-sign </dev/null >/dev/null
}
# When creating releases we need to build static binaries, an archive of the
# current commit, and generate detached signatures for both.
keyid=""
commit="HEAD"
version=""
releasedir=""
hashcmd=""
declare -a add_arches
while getopts "S:c:r:v:h:a:" opt; do
case "$opt" in
S)
keyid="$OPTARG"
;;
c)
commit="$OPTARG"
;;
r)
releasedir="$OPTARG"
;;
v)
version="$OPTARG"
;;
h)
hashcmd="$OPTARG"
;;
a)
add_arches+=("$OPTARG")
;;
:)
echo "Missing argument: -$OPTARG" >&2
usage
;;
\?)
echo "Invalid option: -$OPTARG" >&2
usage
;;
esac
done
version="${version:-$(<"$root/VERSION")}"
releasedir="${releasedir:-release/$version}"
hashcmd="${hashcmd:-sha256sum}"
native_arch="$(go env GOARCH || echo "amd64")"
# Suffixes of files to checksum/sign.
suffixes=("$native_arch" "${add_arches[@]}" tar.xz)
log "creating $project release in '$releasedir'"
log " version: $version"
log " commit: $commit"
log " key: ${keyid:-DEFAULT}"
log " hash: $hashcmd"
# Make explicit what we're doing.
set -x
# Make the release directory.
rm -rf "$releasedir" && mkdir -p "$releasedir"
# Build project.
build_project "$releasedir/$project" "$native_arch" "${add_arches[@]}"
# Generate new archive.
git archive --format=tar --prefix="$project-$version/" "$commit" | xz >"$releasedir/$project.tar.xz"
# Generate sha256 checksums for binaries and libseccomp tarball.
(
cd "$releasedir"
# Add $project. prefix to all suffixes.
"$hashcmd" "${suffixes[@]/#/$project.}" >"$project.$hashcmd"
)
# Set up the gpgflags.
gpgflags=()
[[ "$keyid" ]] && gpgflags=(--default-key "$keyid")
gpg_cansign "${gpgflags[@]}" || bail "Could not find suitable GPG key, skipping signing step."
# Sign everything.
for sfx in "${suffixes[@]}"; do
gpg "${gpgflags[@]}" --detach-sign --armor "$releasedir/$project.$sfx"
done
gpg "${gpgflags[@]}" --clear-sign --armor \
--output "$releasedir/$project.$hashcmd"{.tmp,} &&
mv "$releasedir/$project.$hashcmd"{.tmp,}