Skip to content
New issue

Have a question about this project? # for a free GitHub account to open an issue and contact its maintainers and the community.

#

By clicking “#”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? # to your account

Jump to bottom

Replace RHEL 7 with CBL-Mariner #1373

Merged
merged 12 commits into from
Mar 28, 2024
Merged

Replace RHEL 7 with CBL-Mariner #1373

merged 12 commits into from
Mar 28, 2024

Conversation

BillyONeal
Copy link
Member

@BillyONeal BillyONeal commented Mar 26, 2024
edited
Loading

Demonstration Build: https://devdiv.visualstudio.com/DevDiv/_build/results?buildId=9306853&view=results

We are being obligated to change our build environment for official releases to move away from RHEL 7.

  • RHEL 7 goes out of support entirely in June
  • RHEL 7 does not work with several of the centralized development tools to which '1 Engineering System' wants to be able to subject our official builds

This change replaces use of RHEL 7 with CBL-Mariner 2.0 ( https://github.com/microsoft/AzureLinux ), with a few dependent libraries from extremely old Ubuntu 16.04. This enables use of modern build tools and a modern host OS, consuming as little as possible from the ancient universe we must maintain to keep Linux binaries working for most of our customers.

This infrastructure is largely walking in the footsteps of the .NET team, see their write-ups https://github.com/dotnet/dotnet-buildtools-prereqs-docker and https://github.com/dotnet/runtime/blob/main/docs/workflow/building/coreclr/linux-instructions.md . However, we are not using their from-source clang implementation, instead using the gcc that comes with cbl-mariner.

The contents of the new Dockerfile are largely based on https://github.com/dotnet/arcade/blob/main/eng/common/cross/build-rootfs.sh , and the toolchain is largely based on https://github.com/dotnet/arcade/blob/main/eng/common/cross/toolchain.cmake .

I validated that the dependencies of vcpkg are the same before and after. From within the container:

root [ /build ]# curl -L -o before https://github.com/microsoft/vcpkg-tool/releases/download/2024-03-14/vcpkg-glibc
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
100 7005k  100 7005k    0     0  8620k      0 --:--:-- --:--:-- --:--:-- 47.5M
root [ /build ]# ldd before
ldd: warning: you do not have execution permission for `./before'
        linux-vdso.so.1 (0x00007ffd9155b000)
        libpthread.so.0 => /lib/libpthread.so.0 (0x00007faae0975000)
        libm.so.6 => /lib/libm.so.6 (0x00007faae088f000)
        libc.so.6 => /lib/libc.so.6 (0x00007faae068d000)
        /lib64/ld-linux-x86-64.so.2 (0x00007faae097f000)
root [ /build ]# ldd vcpkg
        linux-vdso.so.1 (0x00007ffe62b71000)
        libm.so.6 => /lib/libm.so.6 (0x00007fe75e236000)
        libpthread.so.0 => /lib/libpthread.so.0 (0x00007fe75e231000)
        libc.so.6 => /lib/libc.so.6 (0x00007fe75e02f000)
        /lib64/ld-linux-x86-64.so.2 (0x00007fe75e996000)
root [ /build ]#

This also uses docker a bit better than before. Rather than minting a whole new container image containing the sources, now we just mount the sources in the right place.

This makes all infrastructure changes necessary to onboard 1ES Pipeline Templates.

BillyONeal added 11 commits March 25, 2024 18:16
@BillyONeal
Remove RHEL from official builds.
80163b5 
RHEL 7 is going out of support entirely in June. Additionally, we are being required by internal partners to turn on a bunch of build system validation incapable of running on extremely old RHEL 7.

This change replaces use of RHEL 7 with CBL-Mariner 2.0 ( https://github.com/microsoft/AzureLinux ), with a few dependent libraries from extremely old Ubuntu 16.04. This enables use of modern build tools and a modern host OS, consuming as little as possible from the ancient universe we must maintain to keep Linux binaries working for most of our customers.

This infrastructure is largely walking in the footsteps of the .NET team, see their write-ups https://github.com/dotnet/dotnet-buildtools-prereqs-docker and https://github.com/dotnet/runtime/blob/main/docs/workflow/building/coreclr/linux-instructions.md . However, we are not using their from-source clang implementation, instead using the gcc that comes with cbl-mariner.

The contents of the new Dockerfile are largely based on https://github.com/dotnet/arcade/blob/main/eng/common/cross/build-rootfs.sh , and the toolchain is largely based on https://github.com/dotnet/arcade/blob/main/eng/common/cross/toolchain.cmake .

I validated that the dependencies of vcpkg are the same before and after. From within the container:

```console
root [ /build ]# curl -L -o before https://github.com/microsoft/vcpkg-tool/releases/download/2024-03-14/vcpkg-glibc
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
100 7005k  100 7005k    0     0  8620k      0 --:--:-- --:--:-- --:--:-- 47.5M
root [ /build ]# ldd before
ldd: warning: you do not have execution permission for `./before'
        linux-vdso.so.1 (0x00007ffd9155b000)
        libpthread.so.0 => /lib/libpthread.so.0 (0x00007faae0975000)
        libm.so.6 => /lib/libm.so.6 (0x00007faae088f000)
        libc.so.6 => /lib/libc.so.6 (0x00007faae068d000)
        /lib64/ld-linux-x86-64.so.2 (0x00007faae097f000)
root [ /build ]# ldd vcpkg
        linux-vdso.so.1 (0x00007ffe62b71000)
        libm.so.6 => /lib/libm.so.6 (0x00007fe75e236000)
        libpthread.so.0 => /lib/libpthread.so.0 (0x00007fe75e231000)
        libc.so.6 => /lib/libc.so.6 (0x00007fe75e02f000)
        /lib64/ld-linux-x86-64.so.2 (0x00007fe75e996000)
root [ /build ]#
```

This also uses docker a bit better than before. Rather than minting a whole new container image containing the sources, now we just mount the sources in the right place.
@BillyONeal
WIP bindings
594d7ba
@BillyONeal
wip
2e0a02f
@BillyONeal
wip
4581a67
@BillyONeal
Remove no longer used managed image json files.
3cd359b
@BillyONeal
Remove RHEL references.
6377422
@BillyONeal
Name the managed identity.
d67ffa4
@BillyONeal
Supply VCPKG_VERSION from the pipeline rather than asking git to do it.
07373ce
@BillyONeal
Don't upload temporary build bits.
c5675bf
@BillyONeal
Add mkdir p
7bdf375
@BillyONeal
Reduce the using supplied SHA message to 'status'
7fb3830
@BillyONeal BillyONeal mentioned this pull request Mar 26, 2024
Merged
ras0219-msft
ras0219-msft approved these changes Mar 26, 2024
View reviewed changes
azure-pipelines/vcpkg-linux/Dockerfile Outdated
Comment on lines 33 to 37
# 3. Verify keyrings
pushd ubuntu-keyring-2021.03.26 && \
gpg --keyring /dimitri_john_ledkov.gpg --output SHA512SUMS.txt --decrypt SHA512SUMS.txt.asc && \
rm /dimitri_john_ledkov.gpg && \
sha512sum -c SHA512SUMS.txt && \
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This seems way excessive since we're SHA256-pinning the download above. Can we remove this and avoid checking in the .asc file?

azure-pipelines/vcpkg-linux/Dockerfile
# https://github.com/dotnet/runtime/blob/main/docs/workflow/building/coreclr/linux-instructions.md
FROM mcr.microsoft.com/cbl-mariner/base/core:2.0

RUN tdnf install -y \
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

[suggestion, not required]

When using apt, best practices are usually to:

  1. Fetch new indexes
  2. Install packages
  3. Delete cached indexes

This is all done in a single RUN step to minimize the size of the produced image.

Is something similar we should be doing for tdnf?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

yum (and dnf (and tdnf)), to my understanding, does not have separate fetch indexes / install commands

@BillyONeal BillyONeal merged commit c729404 into microsoft:main Mar 28, 2024
5 checks passed
@BillyONeal BillyONeal deleted the remove-rhel branch March 28, 2024 01:30
# for free to join this conversation on GitHub. Already have an account? # to comment
Reviewers

@ras0219-msft ras0219-msft ras0219-msft approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@BillyONeal @ras0219-msft