From dda0ff8b31b88a7adcb8899bf39ee2e71c919561 Mon Sep 17 00:00:00 2001 From: Matt Witherspoon <32485495+spoonincode@users.noreply.github.com> Date: Sun, 24 Sep 2023 22:00:25 -0400 Subject: [PATCH 1/5] reproducible pinned builds --- .github/workflows/pinned_build.yaml | 51 --------- README.md | 21 +--- scripts/install_deps.sh | 26 ----- scripts/pinned_build.sh | 166 ---------------------------- scripts/pinned_toolchain.cmake | 19 ---- tools/Dockerfile.reproducible | 105 ++++++++++++++++++ tools/tweak-deb.sh | 37 +++++++ 7 files changed, 148 insertions(+), 277 deletions(-) delete mode 100644 .github/workflows/pinned_build.yaml delete mode 100755 scripts/install_deps.sh delete mode 100755 scripts/pinned_build.sh delete mode 100644 scripts/pinned_toolchain.cmake create mode 100644 tools/Dockerfile.reproducible create mode 100755 tools/tweak-deb.sh diff --git a/.github/workflows/pinned_build.yaml b/.github/workflows/pinned_build.yaml deleted file mode 100644 index 54b87ee93e..0000000000 --- a/.github/workflows/pinned_build.yaml +++ /dev/null @@ -1,51 +0,0 @@ -name: "Pinned Build" - -on: - workflow_dispatch: - -permissions: - packages: read - contents: read - -defaults: - run: - shell: bash - -jobs: - Build: - name: Build - strategy: - fail-fast: false - matrix: - platform: [ubuntu20, ubuntu22] - runs-on: ["self-hosted", "enf-x86-beefy-long"] - container: ${{ matrix.platform == 'ubuntu20' && 'ubuntu:focal' || 'ubuntu:jammy' }} - steps: - - name: Update and Install git - run: | - apt-get update - apt-get install -y git - git --version - - name: Clone leap - uses: actions/checkout@v3 - with: - submodules: recursive - - name: Install dependencies - run: | - # https://github.com/actions/runner/issues/2033 - chown -R $(id -u):$(id -g) $PWD - ./scripts/install_deps.sh - - name: Build Pinned Build - env: - LEAP_PINNED_INSTALL_PREFIX: /usr - run: | - ./scripts/pinned_build.sh deps build "$(nproc)" - - name: Upload package - uses: actions/upload-artifact@v3 - with: - name: leap-${{matrix.platform}}-pinned-amd64 - path: build/leap_*.deb - - name: Run Parallel Tests - run: | - cd build - ctest --output-on-failure -j $(nproc) -LE "(nonparallelizable_tests|long_running_tests)" --timeout 420 diff --git a/README.md b/README.md index a34e91893f..e95a82f731 100644 --- a/README.md +++ b/README.md @@ -93,7 +93,7 @@ git submodule update --init --recursive Select build instructions below for a [pinned build](#pinned-build) (preferred) or an [unpinned build](#unpinned-build). > ℹ️ **Pinned vs. Unpinned Build** ℹ️ -We have two types of builds for Leap: "pinned" and "unpinned." The only difference is that pinned builds use specific versions for some dependencies hand-picked by the Leap engineers - they are "pinned" to those versions. In contrast, unpinned builds use the default dependency versions available on the build system at the time. We recommend performing a "pinned" build to ensure the compiler remains the same between builds of different Leap versions. Leap requires these versions to remain the same, otherwise its state might need to be recovered from a portable snapshot or the chain needs to be replayed. +We have two types of builds for Leap: "pinned" and "unpinned." A pinned build is a reproducible build with the build environment and dependency versions fixed by the development team. In contrast, unpinned builds use the dependency versions provided by the build platform. Unpinned builds tend to be quicker because the pinned build environment must be built from scratch. Pinned builds, in addition to being reproducible, ensure the compiler remains the same between builds of different Leap major versions. Leap requires the compiler version to remain the same, otherwise its state might need to be recovered from a portable snapshot or the chain needs to be replayed. > ⚠️ **A Warning On Parallel Compilation Jobs (`-j` flag)** ⚠️ When building C/C++ software, often the build is performed in parallel via a command such as `make -j "$(nproc)"` which uses all available CPU threads. However, be aware that some compilation units (`*.cpp` files) in Leap will consume nearly 4GB of memory. Failures due to memory exhaustion will typically, but not always, manifest as compiler crashes. Using all available CPU threads may also prevent you from doing other things on your computer during compilation. For these reasons, consider reducing this value. @@ -101,24 +101,15 @@ When building C/C++ software, often the build is performed in parallel via a com > 🐋 **Docker and `sudo`** 🐋 If you are in an Ubuntu docker container, omit `sudo` from all commands because you run as `root` by default. Most other docker containers also exclude `sudo`, especially Debian-family containers. If your shell prompt is a hash tag (`#`), omit `sudo`. -#### Pinned Build -Make sure you are in the root of the `leap` repo, then run the `install_depts.sh` script to install dependencies: +#### Pinned Reproducible Build +The pinned reproducible build requires Docker. Make sure you are in the root of the `leap` repo and then run ```bash -sudo scripts/install_deps.sh +DOCKER_BUILDKIT=1 docker build -f tools/Dockerfile.reproducible -o . . ``` - -Next, run the pinned build script. You have to give it three arguments in the following order: -1. A temporary folder, for all dependencies that need to be built from source. -1. A build folder, where the binaries you need to install will be built to. -1. The number of jobs or CPU cores/threads to use (note the [jobs flag](#step-3---build) warning above). - -> 🔒 You do not need to run this script with `sudo` or as root. - -For example, the following command runs the `pinned_build.sh` script, specifies a `deps` and `build` folder in the root of the Leap repo for the first two arguments, then builds the packages using all of your computer's CPU threads: +This command will take a substantial amount of time because a toolchain is built from scratch. Upon completion, the current directory will contain a built `.deb` and `.tar.gz` (you can change the `-o .` argument to place the output in a different directory). If needing to reduce the number of parallel jobs as warned above, run the command as, ```bash -scripts/pinned_build.sh deps build "$(nproc)" +DOCKER_BUILDKIT=1 docker build --build-arg LEAP_BUILD_JOBS=4 -f tools/Dockerfile.reproducible -o . . ``` -Now you can optionally [test](#step-4---test) your build, or [install](#step-5---install) the `*.deb` binary packages, which will be in the root of your build directory. #### Unpinned Build The following instructions are valid for this branch. Other release branches may have different requirements, so ensure you follow the directions in the branch or release you intend to build. If you are in an Ubuntu docker container, omit `sudo` because you run as `root` by default. diff --git a/scripts/install_deps.sh b/scripts/install_deps.sh deleted file mode 100755 index cfe2a5cacd..0000000000 --- a/scripts/install_deps.sh +++ /dev/null @@ -1,26 +0,0 @@ -#!/bin/bash -apt-get update -apt-get update --fix-missing -export DEBIAN_FRONTEND='noninteractive' -export TZ='Etc/UTC' -apt-get install -y \ - build-essential \ - bzip2 \ - cmake \ - curl \ - file \ - git \ - libbz2-dev \ - libcurl4-openssl-dev \ - libgmp-dev \ - libncurses5 \ - libtinfo-dev \ - libzstd-dev \ - python3 \ - python3-numpy \ - time \ - tzdata \ - unzip \ - wget \ - zip \ - zlib1g-dev diff --git a/scripts/pinned_build.sh b/scripts/pinned_build.sh deleted file mode 100755 index ebf37d29d7..0000000000 --- a/scripts/pinned_build.sh +++ /dev/null @@ -1,166 +0,0 @@ -#!/bin/bash -set -eo pipefail - -echo "Leap Pinned Build" - -if [[ "$(uname)" == "Linux" ]]; then - if [[ -e /etc/os-release ]]; then - # obtain NAME and other information - . /etc/os-release - if [[ "${NAME}" != "Ubuntu" ]]; then - echo "Currently only supporting Ubuntu based builds. Proceed at your own risk." - fi - else - echo "Currently only supporting Ubuntu based builds. /etc/os-release not found. Your Linux distribution is not supported. Proceed at your own risk." - fi -else - echo "Currently only supporting Ubuntu based builds. Your architecture is not supported. Proceed at your own risk." -fi - -if [ $# -eq 0 ] || [ -z "$1" ]; then - echo "Please supply a directory for the build dependencies to be placed and a directory for leap build and a value for the number of jobs to use for building." - echo "The binary packages will be created and placed into the leap build directory." - echo "./pinned_build.sh <1-100>" - exit 255 -fi - -export CORE_SYM='EOS' -# CMAKE_C_COMPILER requires absolute path -DEP_DIR="$(realpath "$1")" -LEAP_DIR="$2" -JOBS="$3" -CLANG_VER=11.0.1 -LLVM_VER=11.0.1 -SCRIPT_DIR="$( cd -- "$( dirname -- "${BASH_SOURCE[0]:-$0}"; )" &> /dev/null && pwd 2> /dev/null; )"; -START_DIR="$(pwd)" - - -pushdir() { - DIR="$1" - mkdir -p "${DIR}" - pushd "${DIR}" &> /dev/null -} - -popdir() { - EXPECTED="$1" - D="$(popd)" - popd &> /dev/null - echo "${D}" - D="$(eval echo "$D" | head -n1 | cut -d " " -f1)" - - # -ef compares absolute paths - if ! [[ "${D}" -ef "${EXPECTED}" ]]; then - echo "Directory is not where expected EXPECTED=${EXPECTED} at ${D}" - exit 1 - fi -} - -try(){ - "$@" - res=$? - if [[ ${res} -ne 0 ]]; then - exit 255 - fi -} - -install_clang() { - CLANG_DIR="$1" - if [ ! -d "${CLANG_DIR}" ]; then - echo "Installing Clang ${CLANG_VER} @ ${CLANG_DIR}" - mkdir -p "${CLANG_DIR}" - CLANG_FN="clang+llvm-${CLANG_VER}-x86_64-linux-gnu-ubuntu-16.04.tar.xz" - try wget -O "${CLANG_FN}" "https://github.com/llvm/llvm-project/releases/download/llvmorg-${CLANG_VER}/${CLANG_FN}" - try tar -xvf "${CLANG_FN}" -C "${CLANG_DIR}" - pushdir "${CLANG_DIR}" - mv clang+*/* . - popdir "${DEP_DIR}" - rm "${CLANG_FN}" - fi - export PATH="${CLANG_DIR}/bin:$PATH" - export CLANG_DIR="${CLANG_DIR}" -} - -install_llvm() { - LLVM_DIR="$1" - if [ ! -d "${LLVM_DIR}" ]; then - echo "Installing LLVM ${LLVM_VER} @ ${LLVM_DIR}" - mkdir -p "${LLVM_DIR}" - try wget -O "llvm-${LLVM_VER}.src.tar.xz" "https://github.com/llvm/llvm-project/releases/download/llvmorg-${LLVM_VER}/llvm-${LLVM_VER}.src.tar.xz" - try tar -xvf "llvm-${LLVM_VER}.src.tar.xz" - pushdir "${LLVM_DIR}.src" - pushdir build - try cmake -DCMAKE_TOOLCHAIN_FILE="${SCRIPT_DIR}/pinned_toolchain.cmake" -DCMAKE_INSTALL_PREFIX="${LLVM_DIR}" -DCMAKE_BUILD_TYPE=Release -DLLVM_TARGETS_TO_BUILD=host -DLLVM_BUILD_TOOLS=Off -DLLVM_ENABLE_RTTI=On -DLLVM_ENABLE_TERMINFO=Off -DCMAKE_EXE_LINKER_FLAGS=-pthread -DCMAKE_SHARED_LINKER_FLAGS=-pthread -DLLVM_ENABLE_PIC=NO .. - try make -j "${JOBS}" - try make -j "${JOBS}" install - popdir "${LLVM_DIR}.src" - popdir "${DEP_DIR}" - rm -rf "${LLVM_DIR}.src" - rm "llvm-${LLVM_VER}.src.tar.xz" - fi - export LLVM_DIR="${LLVM_DIR}" -} - -pushdir "${DEP_DIR}" - -install_clang "${DEP_DIR}/clang-${CLANG_VER}" -install_llvm "${DEP_DIR}/llvm-${LLVM_VER}" - -# go back to the directory where the script starts -popdir "${START_DIR}" - -pushdir "${LEAP_DIR}" - -# build Leap -echo "Building Leap ${SCRIPT_DIR}" -try cmake -DCMAKE_TOOLCHAIN_FILE="${SCRIPT_DIR}/pinned_toolchain.cmake" -DCMAKE_INSTALL_PREFIX=${LEAP_PINNED_INSTALL_PREFIX:-/usr/local} -DCMAKE_BUILD_TYPE=Release -DCMAKE_PREFIX_PATH="${LLVM_DIR}/lib/cmake" "${SCRIPT_DIR}/.." - -try make -j "${JOBS}" -try cpack - -# art generated with DALL-E (https://openai.com/blog/dall-e), then fed through ASCIIart.club (https://asciiart.club) with permission -cat <<'TXT' # BASH interpolation must remain disabled for the ASCII art to print correctly - - ,▄▄A` - _╓▄██` - ╓▄▓▓▀▀` - ╓▓█▀╓▄▓ - ▓▌▓▓▓▀ - ,▄▓███▓H - _╨╫▀╚▀╠▌`╙¥, - ╓« _╟▄▄ `½, ╓▄▄╦▄≥_ - ╙▓╫╬▒R▀▀╙▀▀▓φ_ «_╙Y╥▄mmMM#╦▄,_ ,╓╦mM╩╨╙╙╙\`║═ - `` `▀▄__╫▓▓╨` _```"""*ⁿⁿ^`````Ω, `╟∩ - ╙▌▓▓"` ,«ñ` ╔╬▓▌⌂ ╔▌ - ╙█▌,,╔╗M╨,░ ` "╫▓m_ ╟H _ - _,,,,__,╠█▓▒` .╣▌µ _ _.╓╔▄▄▓█▓▓N_ ╙▀╩KKM╙╟▓N - ,▄▓█▓████▀▀▀╙▀╓╔φ»█▓▓Ñ╦«, :»»µ╦▓▓█▀└╙▀███▓╥__ _,╓▄▓▓▓M▓`, - __╓Φ▓█╫▓▓▓▓▓▓▓▓▓▓▓▓▓▀K▀▀███▓▓▓▓▓▓▀▀╙ `▀▀▀▓▄▄K╨╙└ `▀▌╙█▄*. - ,╓Φ▓▓▀▄▓▀` ╙▀╙ ╙▓╙╙▓▄* - .▄▓╫▀╦▄▀` ╙▓╙µ╙▀ - ▄▓▀╨▓▓╨_ `▀▄▄M - _█▌▄▌╙` `╙ - ╙└` - - - Ñ▓▓▓▓ ¢▄▄▄▄▄▄▄▄▄▄ , ,,,,,,,,,,,_ - _╫▓▓█▌ ╟▓████████▀ ╓╣▓▌_ ╠╫▓█▓▓▓▓█▓▓▓▓▄ - _▓▓▓█▌ ╟╫██▄,,,,_ æ▄███▓▄ ▐║████▀╨╨▀▓███▌ - :╫▓▓█▌ ╟╢████████▓ ,╬███████▓, ▐║████▓▄▄▓▓███▀ - :╫▓▓█▌_ _╟║███▀▀▀▀▀▀ ╓╫███╣╫╬███▓N_ j▐██▀▀▀▀▀▀▀▀▀` - ___________]╫▓▓█▓φ╓╓╓╓╓╓,__╟╣█▌▌,,,,,_ _╬▓████████████▓▄_ ▐M█▌ - _ _________]╫▌▓█████████▓▓▄╟╣████████▓▄╣██▓▀^ _ ╙▓██▓▓╗__M█▓ - ___ _ _ ▀╣▀╣╩╩╩╩╩╩╩▀▀▀▀╙▀▀▀▀▀▀▀▀▀▀▀▀▀▀` ╙▀▀▀▀╩═╩▀▀ - _ __ __ _____ ___ ____ _ __ _ ____ ___ - ____ ____ __ _ _ _ _ _ _ __ _ __ __ - __ _ ________ ___ ________ ___ _ _ _ _ - _ __ __ _ __ ____ _ _ ____ _ _ _ _ - _ _ _ ____ ____ _ _ _ __ _ _ _ __ - ---- -Leap has successfully built and constructed its packages. You should be able to -find the packages at: -TXT -echo "${LEAP_DIR}" -echo -echo 'Thank you, fam!!' -echo diff --git a/scripts/pinned_toolchain.cmake b/scripts/pinned_toolchain.cmake deleted file mode 100644 index ba791016ac..0000000000 --- a/scripts/pinned_toolchain.cmake +++ /dev/null @@ -1,19 +0,0 @@ -set(CLANG_DIR $ENV{CLANG_DIR}) -set(CMAKE_C_COMPILER_WORKS 1) -set(CMAKE_CXX_COMPILER_WORKS 1) -set(CMAKE_C_COMPILER ${CLANG_DIR}/bin/clang) -set(CMAKE_CXX_COMPILER ${CLANG_DIR}/bin/clang++) - -set(CMAKE_CXX_STANDARD_INCLUDE_DIRECTORIES ${CLANG_DIR}/include/c++/v1 /usr/local/include /usr/include) - -set(CMAKE_C_FLAGS_INIT "-D_FORTIFY_SOURCE=2 -fstack-protector-strong -fpie") -set(CMAKE_CXX_FLAGS_INIT "-nostdinc++ -D_FORTIFY_SOURCE=2 -fstack-protector-strong -fpie") - -set(CMAKE_EXE_LINKER_FLAGS_INIT "-stdlib=libc++ -nostdlib++ -pie") -if(NOT APPLE) - string(APPEND CMAKE_EXE_LINKER_FLAGS_INIT " -Wl,-z,relro,-z,now") -endif() - -set(CMAKE_SHARED_LINKER_FLAGS_INIT "-stdlib=libc++ -nostdlib++") -set(CMAKE_MODULE_LINKER_FLAGS_INIT "-stdlib=libc++ -nostdlib++") -set(CMAKE_CXX_STANDARD_LIBRARIES "${CLANG_DIR}/lib/libc++.a ${CLANG_DIR}/lib/libc++abi.a") diff --git a/tools/Dockerfile.reproducible b/tools/Dockerfile.reproducible new file mode 100644 index 0000000000..266d9f5c70 --- /dev/null +++ b/tools/Dockerfile.reproducible @@ -0,0 +1,105 @@ +# syntax=docker/dockerfile:1 +# debian:buster on Sep 20 2023 +FROM debian@sha256:d774a984460a74973e6ce4d1f87ab90f2818e41fcdd4802bcbdc4e0b67f9dadf AS builder + +# If enabling the snapshot repo below, this ought to be after the base image time from above. +# date -u -d @1695620708 = Mon Sep 25 05:45:08 AM UTC 2023 +ENV SOURCE_DATE_EPOCH=1695620708 + +# The snapshot repo is currently disabled due to poor performance. Re-eval in the future. +# When the package repo is signed, a message in the payload indicates the time when the repo becomes stale. This protection +# nominally exists to ensure older versions of the package repo which may contain defective packages aren't served in the far +# future. But in our case, we want this pinned package repo at any future date. So [check-valid-until=no] to disable this check. +##RUN < /etc/apt/sources.list +##deb [check-valid-until=no] http://snapshot.debian.org/archive/debian/$(date -d @${SOURCE_DATE_EPOCH} +%Y%m%dT%H%M%SZ)/ buster main +##deb [check-valid-until=no] http://snapshot.debian.org/archive/debian-security/$(date -d @${SOURCE_DATE_EPOCH} +%Y%m%dT%H%M%SZ)/ buster/updates main +##EOS +##EOF + +RUN apt-get update && apt-get -y upgrade && DEBIAN_FRONTEND=noninteractive apt-get -y install build-essential \ + file \ + git \ + libcurl4-openssl-dev \ + libgmp-dev \ + ninja-build \ + python3 \ + zlib1g-dev \ + ; + +ARG _LEAP_CLANG_VERSION=17.0.1 +ARG _LEAP_LLVM_VERSION=11.1.0 +ARG _LEAP_CMAKE_VERSION=3.27.6 + +ADD https://github.com/llvm/llvm-project/releases/download/llvmorg-${_LEAP_CLANG_VERSION}/llvm-project-${_LEAP_CLANG_VERSION}.src.tar.xz \ + https://github.com/llvm/llvm-project/releases/download/llvmorg-${_LEAP_CLANG_VERSION}/llvm-project-${_LEAP_CLANG_VERSION}.src.tar.xz.sig \ + https://github.com/llvm/llvm-project/releases/download/llvmorg-${_LEAP_LLVM_VERSION}/llvm-project-${_LEAP_LLVM_VERSION}.src.tar.xz \ + https://github.com/llvm/llvm-project/releases/download/llvmorg-${_LEAP_LLVM_VERSION}/llvm-project-${_LEAP_LLVM_VERSION}.src.tar.xz.sig \ + https://github.com/Kitware/CMake/releases/download/v${_LEAP_CMAKE_VERSION}/cmake-${_LEAP_CMAKE_VERSION}.tar.gz \ + https://github.com/Kitware/CMake/releases/download/v${_LEAP_CMAKE_VERSION}/cmake-${_LEAP_CMAKE_VERSION}-SHA-256.txt \ + https://github.com/Kitware/CMake/releases/download/v${_LEAP_CMAKE_VERSION}/cmake-${_LEAP_CMAKE_VERSION}-SHA-256.txt.asc \ + / + +# CBA23971357C2E6590D9EFD3EC8FEF3A7BFB4EDA - Brad King (cmake) +# 474E22316ABF4785A88C6E8EA2C794A986419D8A - Tom Stellard (llvm) +# D574BD5D1D0E98895E3BF90044F2485E45D59042 - Tobias Hieta (llvm) + +RUN gpg --keyserver hkps://keyserver.ubuntu.com --recv-keys CBA23971357C2E6590D9EFD3EC8FEF3A7BFB4EDA \ + 474E22316ABF4785A88C6E8EA2C794A986419D8A \ + D574BD5D1D0E98895E3BF90044F2485E45D59042 + +RUN ls *.sig *.asc | xargs -n 1 gpg --verify && \ + sha256sum -c --ignore-missing cmake-*-SHA-256.txt + +RUN tar xf cmake-*.tar.gz && \ + cd cmake*[0-9] && \ + echo 'set(CMAKE_USE_OPENSSL OFF CACHE BOOL "" FORCE)' > leap-init.cmake && \ + ./bootstrap --parallel=$(nproc) --init=leap-init.cmake --generator=Ninja && \ + ninja install + +RUN tar xf llvm-project-${_LEAP_CLANG_VERSION}.src.tar.xz && \ + cmake -S llvm-project-${_LEAP_CLANG_VERSION}.src/llvm -B build-toolchain -GNinja -DLLVM_INCLUDE_DOCS=Off -DLLVM_TARGETS_TO_BUILD=host -DCMAKE_BUILD_TYPE=Release \ + -DCMAKE_INSTALL_PREFIX=/pinnedtoolchain \ + -DCOMPILER_RT_BUILD_SANITIZERS=Off \ + -DLLVM_ENABLE_PROJECTS='lld;clang;clang-tools-extra' \ + -DLLVM_ENABLE_RUNTIMES='compiler-rt;libc;libcxx;libcxxabi;libunwind' && \ + cmake --build build-toolchain -t install + +COPY <<-"EOF" /pinnedtoolchain/pinnedtoolchain.cmake + set(CMAKE_C_COMPILER ${CMAKE_CURRENT_LIST_DIR}/bin/clang) + set(CMAKE_CXX_COMPILER ${CMAKE_CURRENT_LIST_DIR}/bin/clang++) + + set(CMAKE_CXX_STANDARD_INCLUDE_DIRECTORIES ${CMAKE_CURRENT_LIST_DIR}/include/c++/v1 ${CMAKE_CURRENT_LIST_DIR}/include/x86_64-unknown-linux-gnu/c++/v1 /usr/local/include /usr/include) + + set(CMAKE_C_FLAGS_INIT "-D_FORTIFY_SOURCE=2 -fstack-protector-strong -fpie -pthread") + set(CMAKE_CXX_FLAGS_INIT "-nostdinc++ -D_FORTIFY_SOURCE=2 -fstack-protector-strong -fpie -pthread") + + set(CMAKE_EXE_LINKER_FLAGS_INIT "-stdlib=libc++ -nostdlib++ -pie -pthread -Wl,-z,relro,-z,now") + set(CMAKE_SHARED_LINKER_FLAGS_INIT "-stdlib=libc++ -nostdlib++") + set(CMAKE_MODULE_LINKER_FLAGS_INIT "-stdlib=libc++ -nostdlib++") + + set(CMAKE_CXX_STANDARD_LIBRARIES "${CMAKE_CURRENT_LIST_DIR}/lib/x86_64-unknown-linux-gnu/libc++.a ${CMAKE_CURRENT_LIST_DIR}/lib/x86_64-unknown-linux-gnu/libc++abi.a") + + set(CMAKE_SYSTEM_PREFIX_PATH "${CMAKE_CURRENT_LIST_DIR}/pinllvm") +EOF +ENV CMAKE_TOOLCHAIN_FILE=/pinnedtoolchain/pinnedtoolchain.cmake + +RUN tar xf llvm-project-${_LEAP_LLVM_VERSION}.src.tar.xz && \ + cmake -S llvm-project-${_LEAP_LLVM_VERSION}.src/llvm -B build-pinllvm -GNinja -DCMAKE_BUILD_TYPE=Release -DLLVM_TARGETS_TO_BUILD=host -DLLVM_BUILD_TOOLS=Off \ + -DLLVM_ENABLE_RTTI=On -DLLVM_ENABLE_TERMINFO=Off -DLLVM_ENABLE_PIC=Off \ + -DCMAKE_INSTALL_PREFIX=/pinnedtoolchain/pinllvm && \ + cmake --build build-pinllvm -t install + +RUN rm -rf llvm* build* cmake* + +FROM builder AS build + +ARG LEAP_BUILD_JOBS + +COPY / /src +RUN cmake -S src -B build -DCMAKE_INSTALL_PREFIX=/usr -DCMAKE_BUILD_TYPE=Release -GNinja && \ + cmake --build build -t package -- ${LEAP_BUILD_JOBS:+-j$LEAP_BUILD_JOBS} && \ + src/tools/tweak-deb.sh build/leap_*.deb + +FROM scratch AS exporter +COPY --from=build /build/*.deb /build/*.tar.* / diff --git a/tools/tweak-deb.sh b/tools/tweak-deb.sh new file mode 100755 index 0000000000..e1dd6854c2 --- /dev/null +++ b/tools/tweak-deb.sh @@ -0,0 +1,37 @@ +#!/bin/bash +set -euo pipefail + +# Tweaks a couple aspects of the built .deb's control file: +# 1. Removes Installed-Size field; this isn't reproducible for some reason, possibly different filesystems +# reporting different sizes for directories? +# 2. Removes all but the first libc Depends rule as the rest are unnecessarily restrictive. The original was being +# generated as, +# libc6 (>= 2.27), libc6 (>> 2.28), libc6 (<< 2.29), libcurl4 (>= 7.16.2), libgcc1 (>= 1:3.3), libgmp10, zlib1g (>= 1:1.2.0) +# and the included sed rule within this script will reduce it to +# libc6 (>= 2.27), libcurl4 (>= 7.16.2), libgcc1 (>= 1:3.3), libgmp10, zlib1g (>= 1:1.2.0) +# This may need to be tweaked in the future further; clearly not ideal. + +WORKDIR="$(mktemp -d)" +trap 'rm -rf -- "${WORKDIR}"' EXIT + +if [ $# -lt 1 ]; then + echo "Must specify .deb file to tweak as argument to script" + exit 1 +fi + +if [ ! -f "$1" ]; then + echo "Argument passed is not a file" + exit 1 +fi + +DEB_PATH="$(realpath ${1})" +cd "${WORKDIR}" + +ar x "${DEB_PATH}" control.tar.gz +gzip -d control.tar.gz +tar xf control.tar ./control +tar --delete -f control.tar ./control +sed -i -E -e '/Installed-Size/d' -e 's/, libc6[^,]+//g' control +tar --update --mtime "@0" --owner=0 --group=0 --numeric-owner -f control.tar ./control +gzip -n control.tar +ar rD "${DEB_PATH}" control.tar.gz From cef0a4e255855def40435f0de97683c749d6bdfa Mon Sep 17 00:00:00 2001 From: Matt Witherspoon <32485495+spoonincode@users.noreply.github.com> Date: Tue, 3 Oct 2023 15:38:30 -0400 Subject: [PATCH 2/5] zstd will be needed during CI (to compress builddir before upload) --- tools/Dockerfile.reproducible | 1 + 1 file changed, 1 insertion(+) diff --git a/tools/Dockerfile.reproducible b/tools/Dockerfile.reproducible index 266d9f5c70..bafb76eee9 100644 --- a/tools/Dockerfile.reproducible +++ b/tools/Dockerfile.reproducible @@ -25,6 +25,7 @@ RUN apt-get update && apt-get -y upgrade && DEBIAN_FRONTEND=noninteractive apt-g ninja-build \ python3 \ zlib1g-dev \ + zstd \ ; ARG _LEAP_CLANG_VERSION=17.0.1 From d015c626bee5acbefd27e9ce2db7d72ed672763b Mon Sep 17 00:00:00 2001 From: Matt Witherspoon <32485495+spoonincode@users.noreply.github.com> Date: Tue, 3 Oct 2023 15:39:07 -0400 Subject: [PATCH 3/5] rename Dockerfile.reproducible to reproducible.Dockerfile As needed by platform-cache-workflow change --- tools/{Dockerfile.reproducible => reproducible.Dockerfile} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename tools/{Dockerfile.reproducible => reproducible.Dockerfile} (100%) diff --git a/tools/Dockerfile.reproducible b/tools/reproducible.Dockerfile similarity index 100% rename from tools/Dockerfile.reproducible rename to tools/reproducible.Dockerfile From 2930e56ae58474289bfa7082525cecf0f577ab40 Mon Sep 17 00:00:00 2001 From: Matt Witherspoon <32485495+spoonincode@users.noreply.github.com> Date: Tue, 3 Oct 2023 15:40:27 -0400 Subject: [PATCH 4/5] upgrade from clang 17.0.1 to 17.0.2 --- tools/reproducible.Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tools/reproducible.Dockerfile b/tools/reproducible.Dockerfile index bafb76eee9..667913a892 100644 --- a/tools/reproducible.Dockerfile +++ b/tools/reproducible.Dockerfile @@ -28,7 +28,7 @@ RUN apt-get update && apt-get -y upgrade && DEBIAN_FRONTEND=noninteractive apt-g zstd \ ; -ARG _LEAP_CLANG_VERSION=17.0.1 +ARG _LEAP_CLANG_VERSION=17.0.2 ARG _LEAP_LLVM_VERSION=11.1.0 ARG _LEAP_CMAKE_VERSION=3.27.6 From a51ae8c40bdfb8bd2be6da3b37b2fb3cfdccc929 Mon Sep 17 00:00:00 2001 From: Matt Witherspoon <32485495+spoonincode@users.noreply.github.com> Date: Tue, 3 Oct 2023 23:58:27 -0400 Subject: [PATCH 5/5] rename reproducible.Dockerfile in the README too --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index e95a82f731..c5fc400c57 100644 --- a/README.md +++ b/README.md @@ -104,11 +104,11 @@ If you are in an Ubuntu docker container, omit `sudo` from all commands because #### Pinned Reproducible Build The pinned reproducible build requires Docker. Make sure you are in the root of the `leap` repo and then run ```bash -DOCKER_BUILDKIT=1 docker build -f tools/Dockerfile.reproducible -o . . +DOCKER_BUILDKIT=1 docker build -f tools/reproducible.Dockerfile -o . . ``` This command will take a substantial amount of time because a toolchain is built from scratch. Upon completion, the current directory will contain a built `.deb` and `.tar.gz` (you can change the `-o .` argument to place the output in a different directory). If needing to reduce the number of parallel jobs as warned above, run the command as, ```bash -DOCKER_BUILDKIT=1 docker build --build-arg LEAP_BUILD_JOBS=4 -f tools/Dockerfile.reproducible -o . . +DOCKER_BUILDKIT=1 docker build --build-arg LEAP_BUILD_JOBS=4 -f tools/reproducible.Dockerfile -o . . ``` #### Unpinned Build