Migrate to Enterprise Linux 8 (#65)

Images: * Fix building OpenSSL * Install CMake, Git and ccache from distribution - ccache is from epel, and needs to be installed after it * Document EL8 migration * fix pushing images by getting the labels right * use multiple targets rather than env vars in makefile CI: * enable multi-arch docker * don’t truncate docker logs * parallelize GHA CI * drop schedule * merge edge & pr jobs * upload artifacts rather than publish to ghcr --------- Co-authored-by: Hongli Lai <[email protected]>
phusion · Jul 18, 2024 · 6de0615 · 6de0615
1 parent 05f458d
commit 6de0615
Show file tree

Hide file tree

Showing 5 changed files with 153 additions and 173 deletions.
diff --git a/.github/workflows/dockerimage-ci.yml b/.github/workflows/dockerimage-ci.yml
@@ -3,8 +3,6 @@ name: Docker Image CI
 on:
   create:
   workflow_dispatch:
-  schedule:
-    - cron: '15 05 * * 1' # Late night for the Americas, early morning for Europe
   pull_request:
     paths-ignore:
       - '**.md'
@@ -24,8 +22,8 @@ jobs:
     name: Code checks
     runs-on: ubuntu-20.04
     steps:
-      - uses: actions/checkout@v2
-      - uses: ludeeus/action-shellcheck@94e0aab03ca135d11a35e5bfc14e6746dc56e7e9
+      - uses: actions/checkout@v4
+      - uses: ludeeus/action-shellcheck@2.0.0
         env:
           SHELLCHECK_OPTS: -x
       - name: Install eclint
@@ -35,68 +33,84 @@ jobs:
 
   build_pr:
     name: "Test Build Docker images"
-    if: github.event_name == 'pull_request' || github.event_name == 'schedule' || github.event_name == 'workflow_dispatch'
+    if: github.event_name == 'pull_request' || github.event_name == 'workflow_dispatch' || ( github.event_name != 'create' && github.event_name != 'pull_request' && github.event_name != 'schedule' )
     runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        arch:
+          - 'amd64'
+          - 'arm64'
+    env:
+      OWNER: '${{ github.repository_owner }}'
     steps:
-    - uses: actions/checkout@v2
+    - uses: actions/checkout@v4
     - name: Set lower case repository owner name
-      run: |
-        echo "OWNER_LC=${OWNER,,}" >>"$GITHUB_ENV"
-      env:
-        OWNER: '${{ github.repository_owner }}'
-    - name: Build the Docker images
-      run: make DISABLE_OPTIMIZATIONS=1 "OWNER=$OWNER_LC"
-
-  build_edge:
-    name: "Build edge Docker images"
-    if: github.event_name != 'create' && github.event_name != 'pull_request' && github.event_name != 'schedule'
-    runs-on: ubuntu-latest
-    steps:
-    - uses: actions/checkout@v2
-    - name: Set lower case repository owner name
-      run: |
-        echo "OWNER_LC=${OWNER,,}" >>"$GITHUB_ENV"
-      env:
-        OWNER: '${{ github.repository_owner }}'
+      run: echo "OWNER_LC=${OWNER,,}" >> "$GITHUB_ENV"
     - name: Log in to the Container registry
-      uses: docker/login-action@f054a8b539a109f9f41c372932f1ae047eff08c9
+      uses: docker/login-action@v3
       with:
         registry: ghcr.io
         username: ${{ github.actor }}
         password: ${{ secrets.GITHUB_TOKEN }}
+    - name: Enable docker multiarch
+      uses: docker/setup-qemu-action@v3
+    - name: Fix docker logs
+      uses: docker/setup-buildx-action@v3
+      with:
+        driver-opts: |
+          env.BUILDKIT_STEP_LOG_MAX_SIZE=-1
+          env.BUILDKIT_STEP_LOG_MAX_SPEED=-1
+          default-load=true
     - name: Build the Docker images
-      run: make "OWNER=$OWNER_LC" VERSION=edge
-    - name: Push the Docker images
-      run: docker push "ghcr.io/$OWNER_LC/holy-build-box:edge"
+      run: make DISABLE_OPTIMIZATIONS=1 "OWNER=$OWNER_LC" build_${{matrix.arch}}
+    - name: Export image
+      run: make "OWNER=$OWNER_LC" export_${{matrix.arch}}
+    - name: Upload artifact
+      uses: actions/upload-artifact@v4
+      with:
+        name: docker_image_${{matrix.arch}}
+        path: hbb_*.tar
 
   build_release:
     name: "Build release Docker images"
     if: github.event_name == 'create' && github.event.ref_type == 'tag'
     runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        arch:
+          - 'amd64'
+          - 'arm64'
+    env:
+      TAG: ${{ github.event.ref }}
+      OWNER: '${{ github.repository_owner }}'
     steps:
-    - uses: actions/checkout@v2
+    - uses: actions/checkout@v4
     - name: Set lower case repository owner name
+      run: echo "OWNER_LC=${OWNER,,}" >> "$GITHUB_ENV"
+    - name: Check versions match (Makefile & git-tag)
       run: |
-        echo "OWNER_LC=${OWNER,,}" >>"$GITHUB_ENV"
-      env:
-        OWNER: '${{ github.repository_owner }}'
-    - name: Check tag
-      run: |
-        VERSION1=$(grep '^VERSION = ' Makefile | sed 's|.*= *||')
-        VERSION2=$(sed 's|^rel-||' <<< "$TAG")
-        if [[ "$VERSION1" != "$VERSION2" ]]; then
-          echo "ERROR: version in Makefile ($VERSION1) doesn't match Git tag ($VERSION2)"
+        MAKEFILE_VERSION=$(grep '^VERSION = ' Makefile | sed 's|.*= *||')
+        GIT_TAG_VERSION=$(sed 's|^rel-||' <<< "$TAG")
+        if [[ "MAKEFILE_$VERSION" != "$GIT_TAG_VERSION" ]]; then
+          echo "ERROR: version in Makefile ($MAKEFILE_VERSION) doesn't match Git tag ($GIT_TAG_VERSION)"
           exit 1
         fi
-      env:
-        TAG: ${{ github.event.ref }}
     - name: Log in to the Container registry
-      uses: docker/login-action@f054a8b539a109f9f41c372932f1ae047eff08c9
+      uses: docker/login-action@v3
       with:
         registry: ghcr.io
         username: ${{ github.actor }}
         password: ${{ secrets.GITHUB_TOKEN }}
+    - name: Enable docker multiarch
+      uses: docker/setup-qemu-action@v3
+    - name: Fix docker logs
+      uses: docker/setup-buildx-action@v3
+      with:
+        driver-opts: |
+          env.BUILDKIT_STEP_LOG_MAX_SIZE=-1
+          env.BUILDKIT_STEP_LOG_MAX_SPEED=-1
+          default-load=true
     - name: Build the Docker images
-      run: make build "OWNER=$OWNER_LC"
+      run: make "OWNER=$OWNER_LC" build_${{matrix.arch}}
     - name: Tag and push the Docker images
-      run: make release "OWNER=$OWNER_LC"
+      run: make "OWNER=$OWNER_LC" release
diff --git a/Changelog.md b/Changelog.md
@@ -1,3 +1,19 @@
+## Version 4.0.0 (not yet released)
+
+ * Moves to Enterprise Linux 8 now that CentOS 7 is EOL. This makes binaries compatible with Linux distributions that have glibc >= 2.28. This means compatibility with Linux distributions released around 2020, such as:
+
+    - Ubuntu 20.04
+    - Debian 10
+
+ * Upgrades tools and libraries:
+
+    - zlib 1.2.12 -> 1.3.1
+    - libcurl 7.81.0 -> 8.7.1
+    - SQLite 3.37.2 -> 3.45.3
+    - OpenSSL 1.1.1m -> 3.3.0
+
+   Note: we now use CMake, Git and ccache from Enterprise Linux 8's repositories. We no longer install our own versions.
+
 ## Version 3.0.5 (release date 2022-04-12)
 
  * Upgrades zlib 1.2.11 -> 1.2.12. Fixes [CVE-2018-25032](https://github.com/advisories/GHSA-jc36-42cf-vqwj), closes #55.

diff --git a/Makefile b/Makefile
@@ -1,46 +1,69 @@
-VERSION = 3.0.7
+VERSION = 4.0.0
 ifneq ($VERSION, edge)
 MAJOR_VERSION := $(shell awk -v OFS=. -F. '{print $$1,$$2}' <<< $(VERSION))
 endif
+ifeq ($(GITHUB_ACTIONS),true)
+IMG_REPO = ghcr.io
+else
+IMG_REPO = docker.io
+endif
 OWNER = phusion
 DISABLE_OPTIMIZATIONS = 0
-IMAGE = $(OWNER)/holy-build-box
+IMAGE = $(IMG_REPO)/$(OWNER)/holy-build-box
+
+.PHONY: build_amd64 test_amd64 tags_amd64 push_amd64 build_arm64 test_arm64 tags_arm64 push_arm64 export_amd64 export_arm64 release
 
-.PHONY: build test tags push release
+build_amd64:
+	docker buildx build --load --platform "linux/amd64" --rm -t $(IMAGE):$(VERSION)-amd64 --pull --build-arg DISABLE_OPTIMIZATIONS=$(DISABLE_OPTIMIZATIONS) .
 
-build:
-	docker buildx build --platform "linux/amd64" --rm -t $(IMAGE)-amd64:$(VERSION) -f Dockerfile --pull --build-arg DISABLE_OPTIMIZATIONS=$(DISABLE_OPTIMIZATIONS) .
-	docker buildx build --platform "linux/arm64" --rm -t $(IMAGE)-arm64:$(VERSION) -f Dockerfile --pull --build-arg DISABLE_OPTIMIZATIONS=$(DISABLE_OPTIMIZATIONS) .
+build_arm64:
+	docker buildx build --load --platform "linux/arm64" --rm -t $(IMAGE):$(VERSION)-arm64 --pull --build-arg DISABLE_OPTIMIZATIONS=$(DISABLE_OPTIMIZATIONS) .
 
-test:
+test_amd64:
 	docker run -it --platform "linux/amd64" --rm -e SKIP_FINALIZE=1 -e DISABLE_OPTIMIZATIONS=1 -v $$(pwd)/image:/hbb_build:ro rockylinux:8 bash /hbb_build/build.sh
+
+test_arm64:
 	docker run -it --platform "linux/arm64" --rm -e SKIP_FINALIZE=1 -e DISABLE_OPTIMIZATIONS=1 -v $$(pwd)/image:/hbb_build:ro rockylinux:8 bash /hbb_build/build.sh
 
-tags:
+tags_amd64:
 ifdef MAJOR_VERSION
-	docker tag $(IMAGE):$(VERSION)-arm64 $(IMAGE):$(MAJOR_VERSION)-arm64
 	docker tag $(IMAGE):$(VERSION)-amd64 $(IMAGE):$(MAJOR_VERSION)-amd64
-	docker tag $(IMAGE):$(VERSION)-arm64 $(IMAGE):latest-arm64
 	docker tag $(IMAGE):$(VERSION)-amd64 $(IMAGE):latest-amd64
 endif
 
-push: tags
+tags_arm64:
+ifdef MAJOR_VERSION
+	docker tag $(IMAGE):$(VERSION)-arm64 $(IMAGE):$(MAJOR_VERSION)-arm64
+	docker tag $(IMAGE):$(VERSION)-arm64 $(IMAGE):latest-arm64
+endif
+
+push_amd64: tags_amd64
 	docker push $(IMAGE):$(VERSION)-amd64
-	docker push $(IMAGE):$(VERSION)-arm64
 ifdef MAJOR_VERSION
 	docker push $(IMAGE):$(MAJOR_VERSION)-amd64
-	docker push $(IMAGE):$(MAJOR_VERSION)-arm64
 	docker push $(IMAGE):latest-amd64
+endif
+
+push_arm64: tags_arm64
+	docker push $(IMAGE):$(VERSION)-arm64
+ifdef MAJOR_VERSION
+	docker push $(IMAGE):$(MAJOR_VERSION)-arm64
 	docker push $(IMAGE):latest-arm64
 endif
 
-release: push
+export_amd64: tags_amd64
+	docker save -o hbb_amd64.tar $(IMAGE):$(VERSION)-amd64
+
+export_arm64: tags_arm64
+	docker save -o hbb_arm64.tar $(IMAGE):$(VERSION)-arm64
+
+release: push_amd64 push_arm64
 	docker manifest create $(IMAGE):$(VERSION) $(IMAGE):$(VERSION)-amd64 $(IMAGE):$(VERSION)-arm64
+	docker manifest push $(IMAGE):$(VERSION)
 ifdef MAJOR_VERSION
 	docker manifest create $(IMAGE):$(MAJOR_VERSION) $(IMAGE):$(MAJOR_VERSION)-amd64 $(IMAGE):$(MAJOR_VERSION)-arm64
 	docker manifest create $(IMAGE):latest $(IMAGE):latest-amd64 $(IMAGE):latest-arm64
 	docker manifest push $(IMAGE):$(MAJOR_VERSION)
-endif
-	docker manifest push $(IMAGE):$(VERSION)
 	docker manifest push $(IMAGE):latest
 	@echo "*** Don't forget to create a tag. git tag rel-$(VERSION) && git push origin rel-$(VERSION)"
+endif
diff --git a/README.md b/README.md
@@ -83,28 +83,28 @@ Holy Build Box partially solves problem #1 and #3 by providing static versions o
 
 ### Isolated build environment based on Docker and CentOS 7
 
-The Holy Build Box environment is built on CentOS 7. This allows it to produce binaries that work on pretty much any amd64 or arm64 Linux distribution released since 2015. The only currently-prominent Linux distribution that the produced binaries may not run on, is Alpine Linux. [See the FAQ entry.](#which-linux-distributions-do-binaries-compiled-with-holy-build-box-support)
+The Holy Build Box environment is built on Enterprise Linux 8. This allows it to produce binaries that work on pretty much any amd64 or arm64 Linux distribution released since 2020. The only currently-prominent Linux distribution that the produced binaries may not run on, is Alpine Linux. [See the FAQ entry.](#which-linux-distributions-do-binaries-compiled-with-holy-build-box-support)
 
-The environment is bare-bones with almost nothing installed. Besides the basics, only a compiler toolchain is provided. The toolchain is more recent than the one provided by CentOS 7.
+The environment is bare-bones with almost nothing installed. Besides the basics, only a compiler toolchain is provided. The toolchain is more recent than the one provided by Enterprise Linux 8.
 
- * GCC 9.3.1 (C and C++ support; in particular, C++14 is supported)
+ * GCC 9.2.1 (C and C++ support; in particular, C++14 is supported)
  * GNU make
- * autoconf 2.69
- * automake 1.13.4
- * libtool 2.4.2
- * pkg-config 0.29.2
- * ccache 3.7.12
- * CMake 3.19.3
- * Python 2.7.5 (+ setuptools and pip)
+ * autoconf
+ * automake
+ * libtool
+ * pkg-config
+ * ccache
+ * CMake
+ * Python 2.7 (+ setuptools and pip)
 
 ### Included static libraries
 
 Holy Build Box also includes static versions of certain libraries. These libraries are more recent than the ones shipped with CentOS 7.
 
- * zlib 1.2.11
- * OpenSSL 1.1.1i
- * curl and libcurl 7.74.0
- * SQLite 2020-3340000
+ * zlib 1.3.1
+ * OpenSSL 3.3.0
+ * curl and libcurl 8.7.1
+ * SQLite 2024-3450300
 
 These libraries are provided in multiple variants, each compiled with different compilation flags. The different variants will be covered with in [Tutorial 5: Using library variants](TUTORIAL-5-LIBRARY-VARIANTS.md) and in the [Library variants](LIBRARY-VARIANTS.md) guide.
 
@@ -213,12 +213,11 @@ macOS is not supported. Windows is not supported. Other Unices are not supported
 
 ### Which Linux distributions do binaries compiled with Holy Build Box support?
 
-Binaries work on pretty much any glibc-2.17-or-later-based amd64 or arm64 Linux distribution released since approx 2015. A non-exhaustive list:
+Binaries work on pretty much any glibc-2.28-or-later-based amd64 or arm64 Linux distribution released since approx 2015. A non-exhaustive list:
 
- * Debian >= 8
- * Ubuntu >= 14.06
- * Red Hat Enterprise Linux >= 7
- * CentOS >= 7
+ * Debian >= 10
+ * Ubuntu >= 20.04
+ * Red Hat Enterprise Linux >= 8
 
 Note the mention "glibc-based". Binaries may not be compatible with Linux distributions not based on glibc. For example, early versions of Alpine Linux were based on uclibc, which was not compatible with glibc at all. Later versions of Alpine Linux are based on musl, which is *somewhat* compatible with glibc. So produced binaries may or may not run on later versions of Alpine Linux.