Static build with musl and alpline linux headers.

staex-io · May 11, 2024 · 565a73b · 565a73b
1 parent 96f108f
commit 565a73b
Show file tree

Hide file tree

Showing 12 changed files with 116 additions and 111 deletions.
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/Cargo.toml b/Cargo.toml
@@ -1,6 +1,6 @@
 [package]
 name = "cijail"
-version = "0.6.3"
+version = "0.6.4"
 edition = "2021"
 publish = false
 

diff --git a/ci/Dockerfile b/ci/Dockerfile
@@ -1,7 +1,14 @@
-FROM rust:1.76.0-bullseye
+FROM alpine:latest AS alpine
+
+RUN apk add linux-headers
+
+FROM rust:1.76.0
 # NB: We need debian stable to have the oldest possible glibc
 # otherwise cijail may not work on old distributions.
 
+# Get proper linux headers for libseccomp.
+COPY --from=alpine /usr/include /usr/include/alpine
+
 RUN apt-get -qq update \
     && apt-get -qq install --no-install-recommends \
     pre-commit \
@@ -15,9 +22,11 @@ RUN apt-get -qq update \
     dnsutils \
     bind9-utils \
     docker.io \
+    musl-tools \
+    gperf \
     && rm -rf /var/lib/apt/lists/*
 
-RUN pip3 install --quiet --no-cache-dir --no-input lcov_cobertura==2.0.*
+RUN pip3 install --quiet --no-cache-dir --no-input --break-system-packages lcov_cobertura==2.0.*
 
 ENV CARGO_HOME=/usr/local/cargo \
     RUSTUP_HOME=/usr/local/rustup \
@@ -38,9 +47,11 @@ RUN cargo install --quiet cargo-deny
 RUN curl --location --silent --fail --output /usr/bin/shfmt https://github.com/mvdan/sh/releases/download/v3.8.0/shfmt_v3.8.0_linux_amd64 && \
     chmod +x /usr/bin/shfmt
 
-COPY cijail-glibc-2.31.tar.gz /tmp/cijail-glibc-2.31.tar.gz
+COPY build-dependencies.sh /tmp/build-dependencies.sh
+RUN /tmp/build-dependencies.sh
 
-RUN tar -C /usr/local -xvf /tmp/cijail-glibc-2.31.tar.gz
+COPY cijail.tar.gz /tmp/cijail.tar.gz
+RUN tar -C /usr/local -xvf /tmp/cijail.tar.gz
 
 LABEL org.opencontainers.image.source=https://github.com/staex-io/cijail
 LABEL org.opencontainers.image.description="CI image"

diff --git a/ci/Makefile b/ci/Makefile
@@ -2,5 +2,6 @@ CI := ghcr.io/staex-io/cijail-ci:latest
 
 .PHONY: ci
 ci:
-	docker build --tag $(CI) -f Dockerfile ../packages/cijail-glibc-2.31
+	@cp build-dependencies.sh ../packages/
+	docker build --tag $(CI) -f Dockerfile ../packages
 	docker push $(CI)
diff --git a/ci/binaries.sh b/ci/binaries.sh
@@ -2,21 +2,20 @@
 
 set -ex
 rust_flags="-Ccodegen-units=1 -Cstrip=symbols -Copt-level=3 -Cincremental=false -Clto=yes -Cembed-bitcode=yes"
-target=x86_64-unknown-linux-gnu
+target=x86_64-unknown-linux-musl
 export LIBSECCOMP_LINK_TYPE=static
-export LIBSECCOMP_LIB_PATH=/usr/lib/x86_64-linux-gnu
+export LIBSECCOMP_LIB_PATH=/opt/libseccomp/lib
 export OPENSSL_STATIC=1
-export OPENSSL_DIR=/usr
-export OPENSSL_LIB_DIR=/usr/lib/x86_64-linux-gnu
+export OPENSSL_DIR=/opt/openssl
+export OPENSSL_LIB_DIR=/opt/openssl/lib64
 export OPENSSL_NO_VENDOR=1
-glibc_version="$(getconf GNU_LIBC_VERSION | sed 's/ /-/g')"
 env RUSTFLAGS="$rust_flags" \
     cargo build \
     --quiet \
     --release \
     --target "$target" \
     --no-default-features
 for name in cijail cijail-proxy; do
-    mkdir -p binaries/"$glibc_version"
-    mv target/"$target"/release/$name binaries/"$glibc_version"
+    mkdir -p binaries
+    mv target/"$target"/release/$name binaries
 done
diff --git a/ci/build-dependencies.sh b/ci/build-dependencies.sh
@@ -0,0 +1,52 @@
+#!/bin/sh
+
+cleanup() {
+    rm -rf "$workdir"
+}
+
+build_libseccomp() {
+    git clone \
+        --depth=1 \
+        --branch v$libseccomp_version \
+        https://github.com/seccomp/libseccomp \
+        "$workdir"/libseccomp
+    cd "$workdir"/libseccomp
+    # https://git.alpinelinux.org/aports/tree/main/libseccomp?id=bdeb5ac39445d803f7d97bb9b3cf9171d9a35f52
+    sed -i '/\#include <sys\/prctl.h>/d' src/system.c
+    grep prctl src/system.c || true
+    autoreconf -vif
+    ./configure \
+        --prefix=/opt/libseccomp \
+        --disable-shared \
+        --enable-static \
+        CC=musl-gcc \
+        LD=musl-gcc \
+        CPPFLAGS=-I/usr/include/alpine
+    make -j"$(nproc)"
+    make install
+}
+
+build_openssl() {
+    git clone \
+        --depth=1 \
+        --branch openssl-$openssl_version \
+        https://github.com/openssl/openssl \
+        "$workdir"/openssl
+    cd "$workdir"/openssl
+    openssl_dir=/usr/local/cijail/ssl
+    ./Configure \
+        --prefix=/opt/openssl \
+        --openssldir="$openssl_dir" \
+        -static
+    make -j"$(nproc)"
+    make install_sw install_ssldirs
+    cp /etc/ssl/certs/ca-certificates.crt "$openssl_dir"/certs/
+}
+
+libseccomp_version=2.5.5
+openssl_version=3.3.0
+set -ex
+trap cleanup EXIT
+workdir="$(mktemp -d)"
+build_libseccomp
+build_openssl
diff --git a/ci/containers.sh b/ci/containers.sh
@@ -7,15 +7,10 @@ cleanup() {
 
 build_docker_image() {
     mkdir "$workdir"/tar
-    tar -C "$workdir"/tar -xf "$root"/packages/cijail-glibc-2.31/cijail-glibc-2.31.tar.gz
-    cp "$root"/ci/docker.sh "$workdir"
+    tar -C "$workdir"/tar -xf "$root"/packages/cijail.tar.gz
     cat >"$workdir"/Dockerfile <<EOF
-FROM debian:bullseye AS builder
-COPY tar /usr/local
-COPY docker.sh /tmp/docker.sh
-RUN /tmp/docker.sh
 FROM scratch
-COPY --from=builder /usr/local /
+COPY tar /
 LABEL org.opencontainers.image.source=https://github.com/staex-io/cijail
 LABEL org.opencontainers.image.description="Cijail image"
 LABEL org.opencontainers.image.version=$cijail_version

diff --git a/ci/docker.sh b/ci/docker.sh
diff --git a/ci/packages.sh b/ci/packages.sh
@@ -11,25 +11,19 @@ workdir="$(mktemp -d)"
 tarfiles="$(mktemp)"
 root="$PWD"
 mkdir -p "$root"/packages
-for dir in "$root"/binaries/glibc-*; do
-    glibc_version="$(basename "$dir")"
-    rm -rf "$workdir"
-    mkdir -p "$workdir"
-    for name in cijail cijail-proxy; do
-        install -m755 -D "$dir"/$name "$workdir"/bin/$name
+for name in cijail cijail-proxy; do
+    install -m755 -D "$root"/binaries/$name "$workdir"/bin/$name
+    for file in openssl.cnf certs/ca-certificates.crt; do
+        install -m644 -D /usr/local/cijail/ssl/$file "$workdir"/cijail/ssl/$file
     done
-    install -m644 -D "$root"/LICENSE "$workdir"/share/cijail/LICENSE
-    cd "$workdir"
-    find . -type f -print0 >"$tarfiles"
-    tar_filename="$root"/packages/cijail-"$glibc_version"/cijail-"$glibc_version".tar.gz
-    mkdir -p "$(dirname "$tar_filename")"
-    tar -cz --null --files-from "$tarfiles" -f "$tar_filename"
-    cd "$dir"
 done
-
-for dir in "$root"/packages/*; do
-    cd "$dir"
-    for file in *.tar.gz; do
-        sha256sum "$file" >"$file"-sha256sum.txt
-    done
+install -m644 -D "$root"/LICENSE "$workdir"/share/cijail/LICENSE
+cd "$workdir"
+find . -type f -print0 >"$tarfiles"
+tar_filename="$root"/packages/cijail.tar.gz
+mkdir -p "$(dirname "$tar_filename")"
+tar -cz --null --files-from "$tarfiles" -f "$tar_filename"
+cd "$root"/packages
+for file in *.tar.gz; do
+    sha256sum "$file" >"$file"-sha256sum.txt
 done