diff --git a/pkgs/by-name/en/envoy/0001-nixpkgs-use-system-Python.patch b/pkgs/by-name/en/envoy/0001-nixpkgs-use-system-Python.patch index e9cb4d5526e9d..da29f34774c93 100644 --- a/pkgs/by-name/en/envoy/0001-nixpkgs-use-system-Python.patch +++ b/pkgs/by-name/en/envoy/0001-nixpkgs-use-system-Python.patch @@ -5,18 +5,15 @@ Subject: [PATCH] nixpkgs: use system Python Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com> --- - bazel/python_dependencies.bzl | 11 ++++------- + bazel/python_dependencies.bzl | 9 ++++----- bazel/repositories_extra.bzl | 17 +---------------- - 2 files changed, 5 insertions(+), 23 deletions(-) + 2 files changed, 5 insertions(+), 21 deletions(-) diff --git a/bazel/python_dependencies.bzl b/bazel/python_dependencies.bzl -index 9f2b336b1a36ca0d2f04a40ac1809b30ff21df27..53a2c93c59492a12ef4a6ecfc0c8a679f0df73f7 100644 +index 9867dc3a46dbe780eb3c02bad8f6a22a2c7fd97e..ff8685e0e437aee447218e912f1cf3e494755cf4 100644 --- a/bazel/python_dependencies.bzl +++ b/bazel/python_dependencies.bzl -@@ -1,28 +1,25 @@ - load("@com_google_protobuf//bazel:system_python.bzl", "system_python") --load("@envoy_toolshed//:packages.bzl", "load_packages") --load("@python3_12//:defs.bzl", "interpreter") +@@ -3,25 +3,24 @@ load("@envoy_toolshed//:packages.bzl", "load_packages") load("@rules_python//python:pip.bzl", "pip_parse") def envoy_python_dependencies(): 
@@ -28,30 +25,30 @@ index 9f2b336b1a36ca0d2f04a40ac1809b30ff21df27..53a2c93c59492a12ef4a6ecfc0c8a679 + ) pip_parse( name = "base_pip3", -- python_interpreter_target = interpreter, +- python_interpreter_target = "@python3_12_host//:python", requirements_lock = "@envoy//tools/base:requirements.txt", extra_pip_args = ["--require-hashes"], ) pip_parse( name = "dev_pip3", -- python_interpreter_target = interpreter, +- python_interpreter_target = "@python3_12_host//:python", requirements_lock = "@envoy//tools/dev:requirements.txt", extra_pip_args = ["--require-hashes"], ) pip_parse( name = "fuzzing_pip3", -- python_interpreter_target = interpreter, +- python_interpreter_target = "@python3_12_host//:python", requirements_lock = "@rules_fuzzing//fuzzing:requirements.txt", extra_pip_args = ["--require-hashes"], ) diff --git a/bazel/repositories_extra.bzl b/bazel/repositories_extra.bzl -index b92dd461ba7037d2f1c079f283ff2c466686f7a4..cef32b3140588cb7668d47d0c08528f131184fe4 100644 +index 7a9d3bbb53b567a8f398abaefe5ff044056d4d21..a5b75718de667883824e4320e2d563830b02f5d2 100644 --- a/bazel/repositories_extra.bzl +++ b/bazel/repositories_extra.bzl -@@ -2,19 +2,11 @@ load("@aspect_bazel_lib//lib:repositories.bzl", "aspect_bazel_lib_dependencies") - load("@bazel_features//:deps.bzl", "bazel_features_deps") +@@ -3,19 +3,11 @@ load("@bazel_features//:deps.bzl", "bazel_features_deps") + load("@com_google_protobuf//bazel/private:proto_bazel_features.bzl", "proto_bazel_features") load("@emsdk//:deps.bzl", emsdk_deps = "deps") load("@proxy_wasm_cpp_host//bazel/cargo/wasmtime/remote:crates.bzl", "crate_repositories") -load("@rules_python//python:repositories.bzl", "py_repositories", "python_register_toolchains") 
@@ -71,7 +68,7 @@ index b92dd461ba7037d2f1c079f283ff2c466686f7a4..cef32b3140588cb7668d47d0c08528f1 ignore_root_user_error = False): bazel_features_deps() emsdk_deps() -@@ -22,11 +14,4 @@ def envoy_dependencies_extra( +@@ -23,13 +15,6 @@ def envoy_dependencies_extra( crate_repositories() py_repositories() @@ -83,3 +80,5 @@ index b92dd461ba7037d2f1c079f283ff2c466686f7a4..cef32b3140588cb7668d47d0c08528f1 - ) - aspect_bazel_lib_dependencies() + + if not native.existing_rule("proto_bazel_features"): diff --git a/pkgs/by-name/en/envoy/0004-nixpkgs-patch-boringssl-for-gcc14.patch b/pkgs/by-name/en/envoy/0004-nixpkgs-patch-boringssl-for-gcc14.patch index 4c31f1e8a90ca..157ad5287120b 100644 --- a/pkgs/by-name/en/envoy/0004-nixpkgs-patch-boringssl-for-gcc14.patch +++ b/pkgs/by-name/en/envoy/0004-nixpkgs-patch-boringssl-for-gcc14.patch @@ -42,10 +42,10 @@ index 0000000000000000000000000000000000000000..8dcad4cc11f691eec93efa29075c1d35 + // FIPS functions. + diff --git a/bazel/repositories.bzl b/bazel/repositories.bzl -index 5cb573770f0aeac7b42d803673c8c520b5e35131..e864ef24db4bf837ef50d90c8eca316eba939d74 100644 +index cd15ec36f45f5958f4e65d314af78a0ef7c5dc78..935bf8a1ced67c094e4e900ba84bf39033bd3bbb 100644 --- a/bazel/repositories.bzl +++ b/bazel/repositories.bzl -@@ -264,6 +264,7 @@ def _boringssl(): +@@ -263,6 +263,7 @@ def _boringssl(): patch_args = ["-p1"], patches = [ "@envoy//bazel:boringssl_static.patch", diff --git a/pkgs/by-name/en/envoy/0005-deps-Bump-rules_rust-0.54.1-37056.patch b/pkgs/by-name/en/envoy/0005-deps-Bump-rules_rust-0.54.1-37056.patch deleted file mode 100644 index 5537128a45829..0000000000000 --- a/pkgs/by-name/en/envoy/0005-deps-Bump-rules_rust-0.54.1-37056.patch +++ /dev/null 
@@ -1,128 +0,0 @@ -From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 -From: "dependency-envoy[bot]" - <148525496+dependency-envoy[bot]@users.noreply.github.com> -Date: Fri, 8 Nov 2024 21:09:22 +0000 -Subject: [PATCH] deps: Bump `rules_rust` -> 0.54.1 (#37056) - -Fix #37054 - -Signed-off-by: dependency-envoy[bot] <148525496+dependency-envoy[bot]@users.noreply.github.com> -Signed-off-by: Ryan Northey ---- - bazel/repository_locations.bzl | 10 ++++++--- - .../dynamic_modules/sdk/rust/Cargo.Bazel.lock | 21 +++++++++++-------- - 2 files changed, 19 insertions(+), 12 deletions(-) - -diff --git a/bazel/repository_locations.bzl b/bazel/repository_locations.bzl -index 85a125d44ece6c655f94aab3d986d96ab837897f..cfe7d145b59b691f6455b58b1baaae48276b7e9f 100644 ---- a/bazel/repository_locations.bzl -+++ b/bazel/repository_locations.bzl -@@ -1465,12 +1465,16 @@ REPOSITORY_LOCATIONS_SPEC = dict( - license = "Emscripten SDK", - license_url = "https://github.com/emscripten-core/emsdk/blob/{version}/LICENSE", - ), -+ # After updating you may need to run: -+ # -+ # CARGO_BAZEL_REPIN=1 bazel sync --only=crate_index -+ # - rules_rust = dict( - project_name = "Bazel rust rules", - project_desc = "Bazel rust rules (used by Wasm)", - project_url = "https://github.com/bazelbuild/rules_rust", -- version = "0.51.0", -- sha256 = "042acfb73469b2d1848fe148d81c3422c61ea47a9e1900f1c9ec36f51e8e7193", -+ version = "0.54.1", -+ sha256 = "af4f56caae50a99a68bfce39b141b509dd68548c8204b98ab7a1cafc94d5bb02", - # Note: rules_rust should point to the releases, not archive to avoid the hassle of bootstrapping in crate_universe. - # This is described in https://bazelbuild.github.io/rules_rust/crate_universe.html#setup, otherwise bootstrap - # is required which in turn requires a system CC toolchains, not the bazel controlled ones. 
-@@ -1482,7 +1486,7 @@ REPOSITORY_LOCATIONS_SPEC = dict( - ], - implied_untracked_deps = ["rules_cc"], - extensions = ["envoy.wasm.runtime.wasmtime"], -- release_date = "2024-09-19", -+ release_date = "2024-11-07", - cpe = "N/A", - license = "Apache-2.0", - license_url = "https://github.com/bazelbuild/rules_rust/blob/{version}/LICENSE.txt", -diff --git a/source/extensions/dynamic_modules/sdk/rust/Cargo.Bazel.lock b/source/extensions/dynamic_modules/sdk/rust/Cargo.Bazel.lock -index fa6012f406464428b37d548eecd6cec3fdaf901b..6af752304b65af39aa621fa201a8c0108931dad0 100644 ---- a/source/extensions/dynamic_modules/sdk/rust/Cargo.Bazel.lock -+++ b/source/extensions/dynamic_modules/sdk/rust/Cargo.Bazel.lock -@@ -1,5 +1,5 @@ - { -- "checksum": "96b309ddded40cf6f46a62829d15a02d7253b4cc94af2ac1890e492f9c07e93f", -+ "checksum": "b550022ca979d6b55c6dbee950bbf18368e4b8da16973c4e88e292b4d6f28e81", - "crates": { - "aho-corasick 1.1.3": { - "name": "aho-corasick", -@@ -2149,9 +2149,6 @@ - "aarch64-apple-ios-sim": [ - "aarch64-apple-ios-sim" - ], -- "aarch64-fuchsia": [ -- "aarch64-fuchsia" -- ], - "aarch64-linux-android": [ - "aarch64-linux-android" - ], -@@ -2159,6 +2156,9 @@ - "aarch64-pc-windows-msvc": [ - "aarch64-pc-windows-msvc" - ], -+ "aarch64-unknown-fuchsia": [ -+ "aarch64-unknown-fuchsia" -+ ], - "aarch64-unknown-linux-gnu": [ - "aarch64-unknown-linux-gnu" - ], -@@ -2197,8 +2197,8 @@ - "aarch64-apple-darwin", - "aarch64-apple-ios", - "aarch64-apple-ios-sim", -- "aarch64-fuchsia", - "aarch64-linux-android", -+ "aarch64-unknown-fuchsia", - "aarch64-unknown-linux-gnu", - "aarch64-unknown-nixos-gnu", - "aarch64-unknown-nto-qnx710", -@@ -2213,9 +2213,9 @@ - "s390x-unknown-linux-gnu", - "x86_64-apple-darwin", - "x86_64-apple-ios", -- "x86_64-fuchsia", - "x86_64-linux-android", - "x86_64-unknown-freebsd", -+ "x86_64-unknown-fuchsia", - "x86_64-unknown-linux-gnu", - "x86_64-unknown-nixos-gnu" - ], -@@ -2264,15 +2264,15 @@ - "wasm32-wasi": [ - "wasm32-wasi" - ], -+ 
"wasm32-wasip1": [ -+ "wasm32-wasip1" -+ ], - "x86_64-apple-darwin": [ - "x86_64-apple-darwin" - ], - "x86_64-apple-ios": [ - "x86_64-apple-ios" - ], -- "x86_64-fuchsia": [ -- "x86_64-fuchsia" -- ], - "x86_64-linux-android": [ - "x86_64-linux-android" - ], -@@ -2283,6 +2283,9 @@ - "x86_64-unknown-freebsd": [ - "x86_64-unknown-freebsd" - ], -+ "x86_64-unknown-fuchsia": [ -+ "x86_64-unknown-fuchsia" -+ ], - "x86_64-unknown-linux-gnu": [ - "x86_64-unknown-linux-gnu" - ], diff --git a/pkgs/by-name/en/envoy/0006-gcc-warnings.patch b/pkgs/by-name/en/envoy/0006-gcc-warnings.patch deleted file mode 100644 index a0c7dd94a2633..0000000000000 --- a/pkgs/by-name/en/envoy/0006-gcc-warnings.patch +++ /dev/null 
@@ -1,127 +0,0 @@ -From 448e4e14f4f188687580362a861ae4a0dbb5b1fb Mon Sep 17 00:00:00 2001 -From: "Krinkin, Mike" -Date: Sat, 16 Nov 2024 00:40:40 +0000 -Subject: [PATCH] [contrib] Disable GCC warnings and broken features (#37131) - -Currently contrib does not build with GCC because of various false -positive compiler warnings turned to errors and a GCC compiler bug. - -Let's first start with the bug, in GCC apparently -using -gsplit-dwarf (debug fission) and -fdebug-types-section (used to -optimize the size of debug inforamtion), when used together, can result -in a linker failure. - -Refer to https://gcc.gnu.org/bugzilla/show_bug.cgi?id=110885 for the GCC -bug report of this issue. When it comes to Envoy, optimized builds with -GCC are affected on at least GCC 11 (used by --config=docker-gcc) and -GCC 12 (and I'm pretty sure the bug isn't fixed in any newer versions -either, though I didn't check each version). - -Given that we cannot have both debug fission and a debug types section, -we decided to abandon the debug types sections and keep the fission. - -That being said, apparently both of those options are unmaintained in -GCC which poses a question of long term viability of using those or GCC. - -Other changes in this commit disable GCC compiler errors for various -warnings that happen when building contrib. I checked those warnings and -didn't find any true -positive. - -And additionally, for warnings that exists in both Clang and GCC, Clang -warnings don't trigger, so Clang also disagrees with GCC here. - -Additionally missing-requires warning is new and does not exist in GCC -11, but exists in later versions of GCC, so to avoid breaking on this -warning for future versions of GCC I disabled it, but also tell GCC to -not complain if it sees a flag related to an unknwon diagnostic. 
- -This is the last change required to make GCC contrib builds work (you -can find more context and discussions in -https://github.com/envoyproxy/envoy/issues/31807) - -Risk Level: Low -Testing: building with --config=gcc and --config=docker-gcc -Docs Changes: N/A -Release Notes: N/A -Platform Specific Features: N/A -Fixes #31807 - -Signed-off-by: Mikhail Krinkin ---- - .bazelrc | 18 +++++++++++++++++- - bazel/envoy_internal.bzl | 16 +++++++++++++++- - 2 files changed, 32 insertions(+), 2 deletions(-) - -diff --git a/.bazelrc b/.bazelrc -index e0e4899cecf1..7df94c77944c 100644 ---- a/.bazelrc -+++ b/.bazelrc -@@ -57,9 +57,9 @@ test --experimental_ui_max_stdouterr_bytes=11712829 #default 1048576 - # Allow tags to influence execution requirements - common --experimental_allow_tags_propagation - -+build:linux --copt=-fdebug-types-section - # Enable position independent code (this is the default on macOS and Windows) - # (Workaround for https://github.com/bazelbuild/rules_foreign_cc/issues/421) --build:linux --copt=-fdebug-types-section - build:linux --copt=-fPIC - build:linux --copt=-Wno-deprecated-declarations - build:linux --cxxopt=-std=c++20 --host_cxxopt=-std=c++20 -@@ -95,6 +95,21 @@ build:gcc --linkopt=-fuse-ld=gold --host_linkopt=-fuse-ld=gold - build:gcc --test_env=HEAPCHECK= - build:gcc --action_env=BAZEL_COMPILER=gcc - build:gcc --action_env=CC=gcc --action_env=CXX=g++ -+# This is to work around a bug in GCC that makes debug-types-section -+# option not play well with fission: -+# https://gcc.gnu.org/bugzilla/show_bug.cgi?id=110885 -+build:gcc --copt=-fno-debug-types-section -+# These trigger errors in multiple places both in Envoy dependecies -+# and in Envoy code itself when using GCC. -+# And in all cases the reports appear to be clear false positives. 
-+build:gcc --copt=-Wno-error=restrict -+build:gcc --copt=-Wno-error=uninitialized -+build:gcc --cxxopt=-Wno-missing-requires -+# We need this because -Wno-missing-requires options is rather new -+# in GCC, so flags -Wno-missing-requires exists in GCC 12, but does -+# not in GCC 11 and GCC 11 is what is used in docker-gcc -+# configuration currently -+build:gcc --cxxopt=-Wno-unknown-warning - - # Clang-tidy - # TODO(phlax): enable this, its throwing some errors as well as finding more issues -@@ -375,6 +390,7 @@ build:docker-clang-libc++ --config=docker-sandbox - build:docker-clang-libc++ --config=rbe-toolchain-clang-libc++ - - build:docker-gcc --config=docker-sandbox -+build:docker-gcc --config=gcc - build:docker-gcc --config=rbe-toolchain-gcc - - build:docker-asan --config=docker-sandbox -diff --git a/bazel/envoy_internal.bzl b/bazel/envoy_internal.bzl -index 015659851c1b..27ecaa0bbf47 100644 ---- a/bazel/envoy_internal.bzl -+++ b/bazel/envoy_internal.bzl -@@ -68,7 +68,21 @@ def envoy_copts(repository, test = False): - "-Wc++2a-extensions", - "-Wrange-loop-analysis", - ], -- repository + "//bazel:gcc_build": ["-Wno-maybe-uninitialized"], -+ repository + "//bazel:gcc_build": [ -+ "-Wno-maybe-uninitialized", -+ # GCC implementation of this warning is too noisy. -+ # -+ # It generates warnings even in cases where there is no ambiguity -+ # between the overloaded version of a method and the hidden version -+ # from the base class. E.g., when the two have different number of -+ # arguments or incompatible types and therefore a wrong function -+ # cannot be called by mistake without triggering a compiler error. -+ # -+ # As a safeguard, this warning is only disabled for GCC builds, so -+ # if Clang catches a problem in the code we would get a warning -+ # anyways. 
-+ "-Wno-error=overloaded-virtual", -+ ], - # Allow 'nodiscard' function results values to be discarded for test code only - # TODO(envoyproxy/windows-dev): Replace /Zc:preprocessor with /experimental:preprocessor - # for msvc versions between 15.8 through 16.4.x. see diff --git a/pkgs/by-name/en/envoy/0007-protobuf-remove-Werror.patch b/pkgs/by-name/en/envoy/0007-protobuf-remove-Werror.patch deleted file mode 100644 index 196a499ec6510..0000000000000 --- a/pkgs/by-name/en/envoy/0007-protobuf-remove-Werror.patch +++ /dev/null @@ -1,19 +0,0 @@ -diff -Naur a/bazel/protobuf.patch b/bazel/protobuf.patch ---- a/bazel/protobuf.patch 2025-01-06 23:00:26.683972526 +0100 -+++ b/bazel/protobuf.patch 2025-01-07 00:53:33.997482569 +0100 -@@ -149,3 +149,15 @@ - #if PROTOBUF_ENABLE_DEBUG_LOGGING_MAY_LEAK_PII - #define PROTOBUF_DEBUG true - #else -+diff -Naur a/build_defs/cpp_opts.bzl b/build_defs/cpp_opts.bzl -+--- a/build_defs/cpp_opts.bzl 2025-01-06 23:02:56.356552216 +0100 -++++ b/build_defs/cpp_opts.bzl 2025-01-07 00:23:30.534047300 +0100 -+@@ -22,7 +22,7 @@ -+ "-Woverloaded-virtual", -+ "-Wno-sign-compare", -+ "-Wno-nonnull", -+- "-Werror", -++ "-Wno-maybe-uninitialized", -+ ], -+ }) -+ diff --git a/pkgs/by-name/en/envoy/package.nix b/pkgs/by-name/en/envoy/package.nix index 823e2c180b41d..757343e39f2d8 100644 --- a/pkgs/by-name/en/envoy/package.nix +++ b/pkgs/by-name/en/envoy/package.nix @@ -19,6 +19,10 @@ python3, linuxHeaders, nixosTests, + runCommandLocal, + gnutar, + gnugrep, + envoy, # v8 (upstream default), wavm, wamr, wasmtime, disabled wasmRuntime ? "wamr", 
@@ -30,16 +34,16 @@ let # However, the version string is more useful for end-users. # These are contained in a attrset of their own to make it obvious that # people should update both. - version = "1.32.3"; - rev = "58bd599ebd5918d4d005de60954fcd2cb00abd95"; - hash = "sha256-5HpxcsAPoyVOJ3Aem+ZjSLa8Zu6s76iCMiWJbp8RjHc="; + version = "1.33.0"; + rev = "b0f43d67aa25c1b03c97186a200cc187f4c22db3"; + hash = "sha256-zqekRpOlaA2IrwwFUEwASa1uokET98h5sr7EwzWgcbU="; }; # these need to be updated for any changes to fetchAttrs depsHash = { - x86_64-linux = "sha256-YFXNatolLM9DdwkMnc9SWsa6Z6/aGzqLmo/zKE7OFy0="; - aarch64-linux = "sha256-AjG1OBjPjiSwWCmIJgHevSQHx8+rzRgmLsw3JwwD0hk="; + x86_64-linux = "sha256-4CQkHlXbDpRiqzeyserVf9PpLx3ME7TtZ2H88ggog6U="; + aarch64-linux = "sha256-FxkfBWiG0NIInl28w+l4YvaV2VFuCtjn5VBAKvJoxM8="; } .${stdenv.system} or (throw "unsupported system ${stdenv.system}"); @@ -64,27 +68,6 @@ buildBazelPackage rec { # use system C/C++ tools ./0003-nixpkgs-use-system-C-C-toolchains.patch - - # patch boringssl to work with GCC 14 - # vendored patch from https://boringssl.googlesource.com/boringssl/+/c70190368c7040c37c1d655f0690bcde2b109a0d - ./0004-nixpkgs-patch-boringssl-for-gcc14.patch - - # update rust rules to work with rustc v1.83 - # cherry-pick of https://github.com/envoyproxy/envoy/commit/019f589da2cc8da7673edd077478a100b4d99436 - # drop with v1.33.x - ./0005-deps-Bump-rules_rust-0.54.1-37056.patch - - # patch gcc flags to work with GCC 14 - # (silences erroneus -Werror=maybe-uninitialized and others) - # cherry-pick of https://github.com/envoyproxy/envoy/commit/448e4e14f4f188687580362a861ae4a0dbb5b1fb - # drop with v1.33.x - ./0006-gcc-warnings.patch - - # Remove "-Werror" from protobuf build - # This is fixed in protobuf v28 and later: - # https://github.com/protocolbuffers/protobuf/commit/f5a1b178ad52c3e64da40caceaa4ca9e51045cb4 - # drop with v1.33.x - ./0007-protobuf-remove-Werror.patch ]; postPatch = '' chmod -R +w . 
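Review bot: The second hunk on this line (`@@ -64,27 +68,6 @@`) drops `./0004-nixpkgs-patch-boringssl-for-gcc14.patch` from `patches`, yet the same commit keeps that file and refreshes its index line and hunk offset instead of deleting it like 0005–0007. As written the refreshed patch is never applied. Either it is a leftover that should be deleted with the others, or the BoringSSL GCC 14 fix is still needed and the entry should stay together with its two comment lines. Unlike the three cherry-picks, its removed comment carries no "drop with v1.33.x" marker, which suggests the removal may be unintended. The `patches` list opens outside the hunk.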
@@ -152,7 +135,9 @@ buildBazelPackage rec { -e 's,${stdenv.shellPackage},__NIXSHELL__,' \ $bazelOut/external/com_github_luajit_luajit/build.py \ $bazelOut/external/local_config_sh/BUILD \ - $bazelOut/external/*_pip3/BUILD.bazel + $bazelOut/external/*_pip3/BUILD.bazel \ + $bazelOut/external/rules_rust/util/process_wrapper/private/process_wrapper.sh \ + $bazelOut/external/rules_rust/crate_universe/src/metadata/cargo_tree_rustc_wrapper.sh rm -r $bazelOut/external/go_sdk rm -r $bazelOut/external/local_jdk @@ -263,6 +248,38 @@ buildBazelPackage rec { envoy = nixosTests.envoy; # tested as a core component of Pomerium pomerium = nixosTests.pomerium; + + deps-store-free = + runCommandLocal "${envoy.name}-deps-store-free-test" + { + nativeBuildInputs = [ + gnutar + gnugrep + ]; + } + '' + touch $out + tar -xf ${envoy.deps} + grep -r /nix/store external && status=$? || status=$? + case $status in + 1) + echo "No match found." + ;; + 0) + echo + echo "Error: Found references to /nix/store in envoy.deps derivation" + echo "This is a reproducibility issue, as the hash of the fixed-output derivation" + echo "will change in case the store path of the input changes." + echo + echo "Replace the store path in fetcherAttrs.preInstall." + exit 1 + ;; + *) + echo "An unexpected error occurred." + exit $status + ;; + esac + ''; }; meta = with lib; {
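Review bot: In the new `deps-store-free` test (second hunk on this line) the failure message points the maintainer at `fetcherAttrs.preInstall`, while the comment above `depsHash` in this file spells the attribute `fetchAttrs`; the line should read `echo "Replace the store path in fetchAttrs.preInstall."`. The test reads `${envoy.deps}` from the top-level `envoy` argument added in the `@@ -19,6 +19,10 @@` hunk, so it presumably checks the stock package rather than an overridden one, and a one-line comment saying so would help. `grep -r /nix/store external` prints every matching line, which can be noisy for large or binary files. `grep -rlF /nix/store external` lists only the offending files, and the `case` still sees the same 0/1/other exit codes. The enclosing tests attrset opens outside the hunk.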