dist: Add debian packaging

Signed-off-by: Ryan Northey <ryan@synca.io>
envoyproxy · Sep 5, 2021 · 605cffe · 605cffe
1 parent 37620fa
commit 605cffe
Show file tree

Hide file tree

Showing 14 changed files with 531 additions and 4 deletions.
diff --git a/.azure-pipelines/pipelines.yml b/.azure-pipelines/pipelines.yml
@@ -203,7 +203,7 @@ stages:
         AZP_BRANCH: $(Build.SourceBranch)
 
 - stage: linux_x64
-  dependsOn: ["precheck"]
+  dependsOn: []  # "precheck"]
   # For post-submit builds, continue even if precheck fails
   condition: and(not(canceled()), or(succeeded(), eq(variables['PostSubmit'], true)))
   jobs:
@@ -215,9 +215,42 @@ stages:
     - template: bazel.yml
       parameters:
         ciTarget: bazel.release
+  - job: package
+    dependsOn: []
+    timeoutInMinutes: 120
+    pool:
+      vmImage: "ubuntu-18.04"
+    steps:
+    - template: bazel.yml
+      parameters:
+        ciTarget: bazel.packaging
+  - job: verify
+    # possibly move this job to verify at the end.
+    dependsOn: ["package"]
+    timeoutInMinutes: 120
+    pool:
+      vmImage: "ubuntu-18.04"
+
+    steps:
+    - task: DownloadBuildArtifacts@0
+      inputs:
+        buildType: current
+        artifactName: "bazel.packaging"
+        itemPattern: "bazel.packaging/source/exe/envoy/build.x64.tar.gz"
+        downloadType: single
+        targetPath: $(Build.StagingDirectory)
+    - script: ci/run_envoy_docker.sh 'ci/do_ci.sh verify_distro'
+      workingDirectory: $(Build.SourcesDirectory)
+      env:
+        AZP_BRANCH: $(Build.SourceBranch)
+        ENVOY_DOCKER_BUILD_DIR: $(Build.StagingDirectory)
+        BAZEL_REMOTE_CACHE: grpcs://remotebuildexecution.googleapis.com
+        BAZEL_REMOTE_INSTANCE: projects/envoy-ci/instances/default_instance
+        GCP_SERVICE_ACCOUNT_KEY: $(GcpServiceAccountKey)
+      displayName: "Verify packages"
 
 - stage: linux_arm64
-  dependsOn: ["precheck"]
+  dependsOn: []  # "precheck"]
   # For post-submit builds, continue even if precheck fails
   condition: and(not(canceled()), or(succeeded(), eq(variables['PostSubmit'], true)))
   jobs:
@@ -232,6 +265,40 @@ stages:
         rbe: false
         artifactSuffix: ".arm64"
         bazelBuildExtraOptions: "--sandbox_base=/tmp/sandbox_base"
+  - job: package
+    dependsOn: ["release"]
+    timeoutInMinutes: 120
+    pool: "arm-large"
+    steps:
+    - template: bazel.yml
+      parameters:
+        managedAgent: false
+        ciTarget: bazel.packaging
+        rbe: false
+        artifactSuffix: ".arm64"
+        bazelBuildExtraOptions: "--sandbox_base=/tmp/sandbox_base"
+  - job: verify
+    # possibly move this job to verify at the end.
+    dependsOn: ["package"]
+    timeoutInMinutes: 120
+    pool: "arm-large"
+    steps:
+    - task: DownloadBuildArtifacts@0
+      inputs:
+        buildType: current
+        artifactName: "bazel.packaging.arm64"
+        itemPattern: "bazel.packaging.arm64/source/exe/envoy/build.arm64.tar.gz"
+        downloadType: single
+        targetPath: $(Build.StagingDirectory)
+    - script: ci/run_envoy_docker.sh 'ci/do_ci.sh verify_distro'
+      workingDirectory: $(Build.SourcesDirectory)
+      env:
+        AZP_BRANCH: $(Build.SourceBranch)
+        ENVOY_DOCKER_BUILD_DIR: $(Build.StagingDirectory)
+        BAZEL_REMOTE_CACHE: grpcs://remotebuildexecution.googleapis.com
+        BAZEL_REMOTE_INSTANCE: projects/envoy-ci/instances/default_instance
+        GCP_SERVICE_ACCOUNT_KEY: $(GcpServiceAccountKey)
+      displayName: "Verify packages"
 
 - stage: check
   dependsOn: ["linux_x64"]
@@ -263,6 +330,8 @@ stages:
     - template: bazel.yml
       parameters:
         ciTarget: $(CI_TARGET)
+    - script: echo "This step runs after the template's steps."
+      displayName: "Packaging the release..."
 
   - job: coverage
     displayName: "linux_x64"

diff --git a/ci/do_ci.sh b/ci/do_ci.sh
@@ -7,8 +7,9 @@ set -e
 
 build_setup_args=""
 if [[ "$1" == "format_pre" || "$1" == "fix_format" || "$1" == "check_format" || "$1" == "docs" ||  \
-          "$1" == "bazel.clang_tidy" || "$1" == "tooling" || "$1" == "deps" || "$1" == "verify_examples" || \
-          "$1" == "verify_build_examples" ]]; then
+          "$1" == "bazel.clang_tidy" || "$1" == "bazel.packaging" || "$1" == "tooling" \
+          || "$1" == "deps" || "$1" == "verify_examples" || "$1" == "verify_build_examples" \
+          || "$1" == "verify_distro" ]]; then
     build_setup_args="-nofetch"
 fi
 
@@ -214,6 +215,27 @@ if [[ "$CI_TARGET" == "bazel.release" ]]; then
   echo "bazel contrib release build..."
   bazel_contrib_binary_build release
 
+  exit 0
+elif [[ "$CI_TARGET" == "bazel.packaging" ]]; then
+  setup_clang_toolchain
+
+  gpg --import "${PWD}/snakeoil-maintainers.gpg"
+
+  echo "Building distro packages..."
+
+  BAZEL_BUILD_OPTIONS+=(
+      "--strategy=Genrule=sandboxed,local"
+      "--strategy=PackageTar=sandboxed,local")
+
+  bazel build "${BAZEL_BUILD_OPTIONS[@]}" -c opt //distribution:build
+
+  mkdir -p "${ENVOY_DELIVERY_DIR}/envoy"
+
+  if [[ "${ENVOY_BUILD_ARCH}" == "x86_64" ]]; then
+      cp -a bazel-bin/distribution/build.tar.gz "${ENVOY_DELIVERY_DIR}/envoy/build.x64.tar.gz"
+  else
+      cp -a bazel-bin/distribution/build.tar.gz "${ENVOY_DELIVERY_DIR}/envoy/build.arm64.tar.gz"
+  fi
   exit 0
 elif [[ "$CI_TARGET" == "bazel.release.server_only" ]]; then
   setup_clang_toolchain
@@ -499,6 +521,14 @@ elif [[ "$CI_TARGET" == "tooling" ]]; then
 elif [[ "$CI_TARGET" == "verify_examples" ]]; then
   run_ci_verify "*" "wasm-cc|win32-front-proxy"
   exit 0
+elif [[ "$CI_TARGET" == "verify_distro" ]]; then
+    if [[ "${ENVOY_BUILD_ARCH}" == "x86_64" ]]; then
+        export PACKAGE_BUILD=/build/bazel.packaging/source/exe/envoy/build.x64.tar.gz
+    else
+        export PACKAGE_BUILD=/build/bazel.packaging.arm64/source/exe/envoy/build.arm64.tar.gz
+    fi
+    bazel run "${BAZEL_BUILD_OPTIONS[@]}" //distribution:verify_packages "$PACKAGE_BUILD" --  -k "${PWD}/snakeoil-maintainers.public.gpg"
+    exit 0
 elif [[ "$CI_TARGET" == "verify_build_examples" ]]; then
   run_ci_verify wasm-cc
   exit 0

diff --git a/ci/run_envoy_docker.sh b/ci/run_envoy_docker.sh
@@ -44,6 +44,8 @@ else
     && useradd -o --uid $(id -u) --gid $(id -g) --no-create-home --home-dir /build envoybuild \
     && usermod -a -G pcap envoybuild \
     && chown envoybuild:envoygroup /build \
+    && apt update \
+    && apt install -y -qq --no-install-recommends devscripts \
     && sudo -EHs -u envoybuild bash -c 'cd /source && $*'")
 fi
 

diff --git a/distribution/BUILD b/distribution/BUILD
@@ -0,0 +1,31 @@
+load("//bazel:envoy_build_system.bzl", "envoy_package")
+load(":packages.bzl", "envoy_pkg_distros")
+load("@envoy_repo//:version.bzl", "VERSION")
+
+envoy_package()
+
+MAINTAINER = "Envoy maintainers <envoy-maintainers@googlegroups.com>"
+
+genrule(
+    name = "envoy-bin",
+    srcs = ["//source/exe:envoy-static.stripped"],
+    outs = ["envoy"],
+    cmd = "cp -L $< $@",
+)
+
+envoy_pkg_distros(version = VERSION, maintainer = MAINTAINER)
+
+sh_binary(
+    name = "verify_packages",
+    data = [
+        "//tools/distribution:verify",
+        ":distros.yaml",
+        "//tools/distribution:distrotest.sh",
+    ],
+    srcs = [":verification.sh"],
+    args = [
+        "$(location //tools/distribution:verify)",
+        "$(location //tools/distribution:distrotest.sh)",
+        "$(location :distros.yaml)",
+    ],
+)
diff --git a/distribution/debian/BUILD b/distribution/debian/BUILD
@@ -0,0 +1,8 @@
+load("//bazel:envoy_build_system.bzl", "envoy_package")
+
+envoy_package()
+
+exports_files([
+    "copyright",
+    "preinst",
+])
diff --git a/distribution/debian/copyright b/distribution/debian/copyright
@@ -0,0 +1,8 @@
+Format: http://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
+Upstream-Name: Envoy
+Source: <https://github.com/envoyproxy/envoy>
+
+Files: *
+Copyright: Copyright 2016-2018 Envoy Project Authors
+License: Apache
+/usr/share/common-licenses/Apache-2.0
diff --git a/distribution/debian/packages.bzl b/distribution/debian/packages.bzl
@@ -0,0 +1,110 @@
+load("@rules_pkg//:pkg.bzl", "pkg_deb", "pkg_tar")
+
+GLIBC_MIN_VERSION = "2.27"
+
+def envoy_pkg_deb(name = "envoy", version = None, data = ":deb-data.tar.xz", maintainer = None, **kwargs):
+    arch = select({
+        "//bazel:x86": "amd64",
+        "//conditions:default": "arm64",
+    })
+    pkg_deb(
+        name = "%s.deb" % name,
+        architecture = arch,
+        data = data,
+        depends = [
+            "libc6 (>= %s)" % GLIBC_MIN_VERSION,
+        ],
+        description = "Envoy built for Debian/Ubuntu",
+        distribution = "buster bullseye impish hirstute",
+        homepage = "https://www.envoyproxy.io/",
+        maintainer = maintainer,
+        package = name,
+        version = version,
+        # d = "%s_%s_%s.changes" % (name, version, arch),
+        changes = "%s_%s.changes" % (name, version),
+        preinst = "//distribution/debian:preinst",
+        **kwargs,
+    )
+
+def envoy_deb_data(bin_src = None, suffix = ""):
+    remap_paths = {}
+    if suffix:
+        remap_paths["/envoy.%s" % suffix] =  "/envoy"
+        suffix = "-%s" % suffix
+
+    pkg_tar(
+        name = "bin%s" % suffix,
+        extension = "tar",
+        package_dir = "/usr/bin",
+        srcs = [bin_src],
+        mode = "0755",
+        remap_paths = remap_paths,
+    )
+
+    pkg_tar(
+        name = "deb-data%s" % suffix,
+        extension = "tar.xz",
+        deps = [
+            ":config.tar",
+            ":bin%s.tar" % suffix,
+            ":copyright.tar",
+        ],
+    )
+
+def envoy_pkg_debs(version = None, release_version = None, envoy_bin = None, maintainer = None):
+    pkg_tar(
+        name = "copyright",
+        extension = "tar",
+        srcs = ["//distribution/debian:copyright"],
+        package_dir = "/usr/share/doc/envoy",
+    )
+
+    # generate deb data for base and dbg builds
+    envoy_deb_data(bin_src = envoy_bin)
+
+    # generate packages for this patch version
+    envoy_pkg_deb(version = version, maintainer = maintainer)
+
+    # generate packages for this minor version
+    envoy_pkg_deb(
+        name = "envoy-%s" % release_version,
+        version = version,
+        conflicts = ["envoy"],
+        provides = ["envoy"],
+        maintainer = maintainer)
+
+    debs = (
+        "envoy.deb",
+        "envoy-%s.deb" % release_version)
+
+    changes = (
+        "envoy_%s.changes" % version,
+        "envoy-%s_%s.changes" % (release_version, version))
+
+    # package all debs and changes files
+    pkg_tar(
+        name = "base_debs",
+        extension = "tar",
+        package_dir = "deb",
+        srcs = [":%s" % deb for deb in debs + changes],
+    )
+
+    # select(arch) cant be used in the changes filepath so mangle it here
+    arch = select({
+        "//bazel:x86": "amd64",
+        "//conditions:default": "arm64",
+    })
+
+    deb_mangle_cmd = "rm -rf /tmp/debs && mkdir -p /tmp/debs && tar xf $< -C /tmp/debs "
+    for change in changes:
+        change_root = ".".join(change.split(".")[:-1])
+        deb_mangle_cmd += "&& mv /tmp/debs/deb/%s /tmp/debs/deb/%s_" % (change, change_root)
+        deb_mangle_cmd += arch + ".changes"
+    deb_mangle_cmd += "&& tar cf $@ -C /tmp/debs ."
+
+    native.genrule(
+        name = "debs",
+        srcs = [":base_debs"],
+        outs = [":debs.tar"],
+        cmd = deb_mangle_cmd,
+    )
diff --git a/distribution/debian/postinst b/distribution/debian/postinst
@@ -0,0 +1,13 @@
+#! /bin/sh
+
+# postinst script for envoy
+
+set -e
+
+if [ "$1" != "configure" ]; then
+    exit 0
+fi
+
+#DEBHELPER#
+
+exit 0
diff --git a/distribution/debian/preinst b/distribution/debian/preinst
@@ -0,0 +1,53 @@
+#! /bin/sh
+
+# preinst script for envoy
+
+set -e
+
+addenvoyuser() {
+    if ! getent group envoy >/dev/null; then
+        addgroup --system envoy >/dev/null
+    fi
+
+    if ! getent passwd envoy >/dev/null; then
+        adduser \
+          --system \
+          --disabled-login \
+          --ingroup envoy \
+          --no-create-home \
+          --home /nonexistent \
+          --gecos "envoy user" \
+          --shell /bin/false \
+          envoy  >/dev/null
+
+    fi
+}
+
+
+case "$1" in
+
+    install)
+        addenvoyuser
+        cat <<BANNER
+
+Envoy installed!!!
+
+BANNER
+        ;;
+
+    upgrade)
+        addenvoyuser
+        ;;
+
+    abort-upgrade)
+        ;;
+
+    *)
+        echo "preinst called with unknown argument \`$1'" >&2
+        exit 0
+        ;;
+esac
+
+#DEBHELPER#
+
+exit 0