From 0153c15fa207a6cd1b883886b8a8436327e170db Mon Sep 17 00:00:00 2001 From: istio-testing Date: Wed, 3 Dec 2025 03:00:59 +0000 Subject: [PATCH 1/9] Automator: update envoy@ in istio/proxy@master --- WORKSPACE | 6 +++--- envoy.bazelrc | 18 +++++++----------- 2 files changed, 10 insertions(+), 14 deletions(-) diff --git a/WORKSPACE b/WORKSPACE index 5668d248e92..064ba47048a 100644 --- a/WORKSPACE +++ b/WORKSPACE @@ -22,10 +22,10 @@ load("@bazel_tools//tools/build_defs/repo:http.bzl", "http_archive") # 1. Determine SHA256 `wget https://github.com/envoyproxy/envoy/archive/$COMMIT.tar.gz && sha256sum $COMMIT.tar.gz` # 2. Update .bazelversion, envoy.bazelrc and .bazelrc if needed. # -# Commit date: 2025-12-02 -ENVOY_SHA = "44b00e0264cfcdbbc593998a407b3f957ec28c77" +# Commit date: 2025-12-03 +ENVOY_SHA = "1caf0d7396786bac7f4fcf7b9d291ed761191b68" -ENVOY_SHA256 = "1c8bc33cf9b758604042212d69d8bc37f41991facc43ed139d070b6b94aeddb0" +ENVOY_SHA256 = "10df99872f4f4c24c456970fdbedae1a25ecf2de4d4db57a34cd271f46fc7ac0" ENVOY_ORG = "envoyproxy" diff --git a/envoy.bazelrc b/envoy.bazelrc index bced9359e23..65d2fc272e7 100644 --- a/envoy.bazelrc +++ b/envoy.bazelrc @@ -45,12 +45,6 @@ build --incompatible_merge_fixed_and_default_shell_env # A workaround for slow ICU download. build --http_timeout_scaling=6.0 -# Pass CC, CXX and LLVM_CONFIG variables from the environment. -# We assume they have stable values, so this won't cause action cache misses. -build --action_env=CC --host_action_env=CC -build --action_env=CXX --host_action_env=CXX -build --action_env=LLVM_CONFIG --host_action_env=LLVM_CONFIG - # Allow stamped caches to bust when local filesystem changes. # Requires setting `BAZEL_VOLATILE_DIRTY` in the env. build --action_env=BAZEL_VOLATILE_DIRTY --host_action_env=BAZEL_VOLATILE_DIRTY @@ -99,13 +93,14 @@ build:linux --cxxopt=-fsized-deallocation --host_cxxopt=-fsized-deallocation build:linux --conlyopt=-fexceptions build:linux --fission=dbg,opt build:linux --features=per_object_debug_info -build:linux --action_env=BAZEL_LINKOPTS=-lm:-fuse-ld=gold # macOS build:macos --action_env=PATH=/opt/homebrew/bin:/opt/local/bin:/usr/local/bin:/usr/bin:/bin build:macos --host_action_env=PATH=/opt/homebrew/bin:/opt/local/bin:/usr/local/bin:/usr/bin:/bin build:macos --define tcmalloc=disabled build:macos --cxxopt=-Wno-nullability-completeness +build:macos --@toolchains_llvm//toolchain/config:compiler-rt=false +build:macos --@toolchains_llvm//toolchain/config:libunwind=false ############################################################################# @@ -114,15 +109,14 @@ build:macos --cxxopt=-Wno-nullability-completeness # Common flags for Clang (shared between all clang variants) common:clang-common --linkopt=-fuse-ld=lld -common:clang-common --action_env=BAZEL_COMPILER=clang -common:clang-common --action_env=LDFLAGS="-fuse-ld=lld" -common:clang-common --action_env=CC=clang --host_action_env=CC=clang -common:clang-common --action_env=CXX=clang++ --host_action_env=CXX=clang++ +common:clang-common --@toolchains_llvm//toolchain/config:compiler-rt=false +common:clang-common --@toolchains_llvm//toolchain/config:libunwind=false # Clang with libc++ (default) common:clang --config=clang-common common:clang --config=libc++ common:clang --host_platform=@clang_platform +common:clang --repo_env=BAZEL_DO_NOT_DETECT_CPP_TOOLCHAIN=1 # Clang installed to non-standard location (ie not /opt/llvm/) common:clang-local --config=clang-common @@ -147,6 +141,8 @@ build:gcc --cxxopt=-Wno-dangling-reference build:gcc --cxxopt=-Wno-nonnull-compare build:gcc --linkopt=-fuse-ld=gold --host_linkopt=-fuse-ld=gold build:gcc --host_platform=@envoy//bazel/rbe/toolchains:rbe_linux_gcc_platform +build:gcc --linkopt=-fuse-ld=gold --host_linkopt=-fuse-ld=gold +build:gcc --action_env=BAZEL_LINKOPTS=-lm:-fuse-ld=gold # libc++ - default for clang common:libc++ --action_env=CXXFLAGS=-stdlib=libc++ From c0ab6af01b30980146bc10ee3e9a909ca745bfbb Mon Sep 17 00:00:00 2001 From: zirain Date: Wed, 3 Dec 2025 15:06:05 +0800 Subject: [PATCH 2/9] fix envoy build --- .bazelrc | 3 ++- WORKSPACE | 4 ---- 2 files changed, 2 insertions(+), 5 deletions(-) diff --git a/.bazelrc b/.bazelrc index 2c12247f25f..4d23f64d40f 100644 --- a/.bazelrc +++ b/.bazelrc @@ -14,7 +14,8 @@ build:remote --remote_timeout=7200 # ======================================== # Enable libc++ and C++20 by default. -build:linux --config=clang-local +build --repo_env=BAZEL_LLVM_PATH=/usr/lib/llvm +build:linux --config=clang # put /usr/local/bin before /usr/bin to avoid picking up wrong python3.6 when building envoy.tls.key_providers.cryptomb build:linux --action_env=PATH=/usr/lib/llvm/bin:/usr/local/bin:/bin:/usr/bin diff --git a/WORKSPACE b/WORKSPACE index 064ba47048a..054b78f2620 100644 --- a/WORKSPACE +++ b/WORKSPACE @@ -70,10 +70,6 @@ load("@envoy//bazel:python_dependencies.bzl", "envoy_python_dependencies") envoy_python_dependencies() -load("@base_pip3//:requirements.bzl", "install_deps") - -install_deps() - load("@envoy//bazel:dependency_imports.bzl", "envoy_dependency_imports") envoy_dependency_imports() From e63f48eeb2f59bb937cd1739782aaafca9631431 Mon Sep 17 00:00:00 2001 From: zirain Date: Wed, 3 Dec 2025 18:50:11 +0800 Subject: [PATCH 3/9] register llvm tool --- .bazelrc | 6 +++--- WORKSPACE | 5 +++++ 2 files changed, 8 insertions(+), 3 deletions(-) diff --git a/.bazelrc b/.bazelrc index 4d23f64d40f..ccd1bd8d78d 100644 --- a/.bazelrc +++ b/.bazelrc @@ -14,7 +14,7 @@ build:remote --remote_timeout=7200 # ======================================== # Enable libc++ and C++20 by default. -build --repo_env=BAZEL_LLVM_PATH=/usr/lib/llvm +# build --repo_env=BAZEL_LLVM_PATH=/usr/lib/llvm build:linux --config=clang # put /usr/local/bin before /usr/bin to avoid picking up wrong python3.6 when building envoy.tls.key_providers.cryptomb @@ -51,8 +51,8 @@ build:debug -c dbg build --cxxopt -Wformat build --cxxopt -Wformat-security -build:clang --host_action_env=CC= -build:clang --host_action_env=CXX= +# build:clang --host_action_env=CC= +# build:clang --host_action_env=CXX= # CI sanitizer configuration # diff --git a/WORKSPACE b/WORKSPACE index 054b78f2620..f574e1465a7 100644 --- a/WORKSPACE +++ b/WORKSPACE @@ -81,3 +81,8 @@ envoy_repo() load("@envoy//bazel:toolchains.bzl", "envoy_toolchains") envoy_toolchains() + +load("@llvm_toolchain//:toolchains.bzl", "llvm_register_toolchains") + +llvm_register_toolchains() + From 45a103c691db0a170c279f5786212e10ab1bb19f Mon Sep 17 00:00:00 2001 From: zirain Date: Fri, 5 Dec 2025 13:48:31 +0800 Subject: [PATCH 4/9] fix --- .bazelrc | 2 +- WORKSPACE | 30 ++++++++++++++++++++++++------ envoy.bazelrc | 3 +++ 3 files changed, 28 insertions(+), 7 deletions(-) diff --git a/.bazelrc b/.bazelrc index ccd1bd8d78d..db7a98f986e 100644 --- a/.bazelrc +++ b/.bazelrc @@ -14,7 +14,7 @@ build:remote --remote_timeout=7200 # ======================================== # Enable libc++ and C++20 by default. -# build --repo_env=BAZEL_LLVM_PATH=/usr/lib/llvm +build --repo_env=BAZEL_LLVM_PATH=/usr/lib/llvm build:linux --config=clang # put /usr/local/bin before /usr/bin to avoid picking up wrong python3.6 when building envoy.tls.key_providers.cryptomb diff --git a/WORKSPACE b/WORKSPACE index f574e1465a7..f78cd83e68c 100644 --- a/WORKSPACE +++ b/WORKSPACE @@ -22,10 +22,10 @@ load("@bazel_tools//tools/build_defs/repo:http.bzl", "http_archive") # 1. Determine SHA256 `wget https://github.com/envoyproxy/envoy/archive/$COMMIT.tar.gz && sha256sum $COMMIT.tar.gz` # 2. Update .bazelversion, envoy.bazelrc and .bazelrc if needed. # -# Commit date: 2025-12-03 -ENVOY_SHA = "1caf0d7396786bac7f4fcf7b9d291ed761191b68" +# Commit date: 2025-12-05 +ENVOY_SHA = "df7ddf53f997efd9e080f5940bd996ee9827405b" -ENVOY_SHA256 = "10df99872f4f4c24c456970fdbedae1a25ecf2de4d4db57a34cd271f46fc7ac0" +ENVOY_SHA256 = "481954044392c767e58b5971f3f0e53baa1707b62f20fca63794fefd279b9c90" ENVOY_ORG = "envoyproxy" @@ -78,11 +78,29 @@ load("@envoy//bazel:repo.bzl", "envoy_repo") envoy_repo() -load("@envoy//bazel:toolchains.bzl", "envoy_toolchains") -envoy_toolchains() +# this's workaround for use local LLVM toolchain +load("@envoy_repo//:compiler.bzl", "LLVM_PATH") +load("@envoy_toolshed//repository:utils.bzl", "arch_alias") +load("@toolchains_llvm//toolchain:rules.bzl", "llvm_toolchain") + +register_toolchains("@envoy//bazel/rbe/toolchains/configs/linux/gcc/config:cc-toolchain") + +arch_alias( + name = "clang_platform", + aliases = { + "amd64": "@envoy//bazel/platforms/rbe:linux_x64", + "aarch64": "@envoy//bazel/platforms/rbe:linux_arm64", + }, +) + +llvm_toolchain( + name = "llvm_toolchain", + cxx_standard = {"": "c++20"}, + llvm_version = "18.1.8", + toolchain_roots = {"": LLVM_PATH} if LLVM_PATH else {}, +) load("@llvm_toolchain//:toolchains.bzl", "llvm_register_toolchains") llvm_register_toolchains() - diff --git a/envoy.bazelrc b/envoy.bazelrc index 65d2fc272e7..4fa35b1474a 100644 --- a/envoy.bazelrc +++ b/envoy.bazelrc @@ -391,6 +391,9 @@ build:remote --strategy=Javac=remote,sandboxed,local build:remote --strategy=Closure=remote,sandboxed,local build:remote --strategy=Genrule=remote,sandboxed,local build:remote --action_env=BAZEL_DO_NOT_DETECT_CPP_TOOLCHAIN=1 +# This flag may be more generally useful - it sets foreign_cc builds -jauto. +# It is only set here because if it were the default it risks OOMing on local builds. +build:remote --@envoy//bazel/foreign_cc:parallel_builds ## RBE (Engflow Envoy) From e968ff39b7faa8b6adb36761a30090b079fee2ef Mon Sep 17 00:00:00 2001 From: zirain Date: Fri, 5 Dec 2025 17:38:24 +0800 Subject: [PATCH 5/9] fix lint --- .bazelrc | 2 +- WORKSPACE | 51 +++++++++++++++++++++++++++------------------------ 2 files changed, 28 insertions(+), 25 deletions(-) diff --git a/.bazelrc b/.bazelrc index db7a98f986e..5f99f4d2f90 100644 --- a/.bazelrc +++ b/.bazelrc @@ -59,7 +59,7 @@ build --cxxopt -Wformat-security build:clang-asan-ci --config=asan build:clang-asan-ci --linkopt='-L/usr/lib/llvm/lib/x86_64-unknown-linux-gnu' build:clang-asan-ci --linkopt='-Wl,-rpath,/usr/lib/llvm/lib/x86_64-unknown-linux-gnu' -build:clang-asan-ci --linkopt='-L/usr/lib/llvm/lib/clang/14.0.0/lib/x86_64-unknown-linux-gnu' +build:clang-asan-ci --linkopt='-L/usr/lib/llvm/lib/clang/18/lib/x86_64-unknown-linux-gnu' build:clang-tsan-ci --config=tsan build:clang-tsan-ci --linkopt=-L/opt/libcxx_tsan/lib diff --git a/WORKSPACE b/WORKSPACE index f78cd83e68c..f928d977bdb 100644 --- a/WORKSPACE +++ b/WORKSPACE @@ -78,29 +78,32 @@ load("@envoy//bazel:repo.bzl", "envoy_repo") envoy_repo() +load("@envoy//bazel:toolchains.bzl", "envoy_toolchains") -# this's workaround for use local LLVM toolchain -load("@envoy_repo//:compiler.bzl", "LLVM_PATH") -load("@envoy_toolshed//repository:utils.bzl", "arch_alias") -load("@toolchains_llvm//toolchain:rules.bzl", "llvm_toolchain") - -register_toolchains("@envoy//bazel/rbe/toolchains/configs/linux/gcc/config:cc-toolchain") - -arch_alias( - name = "clang_platform", - aliases = { - "amd64": "@envoy//bazel/platforms/rbe:linux_x64", - "aarch64": "@envoy//bazel/platforms/rbe:linux_arm64", - }, -) - -llvm_toolchain( - name = "llvm_toolchain", - cxx_standard = {"": "c++20"}, - llvm_version = "18.1.8", - toolchain_roots = {"": LLVM_PATH} if LLVM_PATH else {}, -) - -load("@llvm_toolchain//:toolchains.bzl", "llvm_register_toolchains") +envoy_toolchains() -llvm_register_toolchains() +# this's workaround for use local LLVM toolchain +# load("@envoy_repo//:compiler.bzl", "LLVM_PATH") +# load("@envoy_toolshed//repository:utils.bzl", "arch_alias") +# load("@toolchains_llvm//toolchain:rules.bzl", "llvm_toolchain") + +# register_toolchains("@envoy//bazel/rbe/toolchains/configs/linux/gcc/config:cc-toolchain") + +# arch_alias( +# name = "clang_platform", +# aliases = { +# "amd64": "@envoy//bazel/platforms/rbe:linux_x64", +# "aarch64": "@envoy//bazel/platforms/rbe:linux_arm64", +# }, +# ) + +# llvm_toolchain( +# name = "llvm_toolchain", +# cxx_standard = {"": "c++20"}, +# llvm_version = "18.1.8", +# toolchain_roots = {"": LLVM_PATH} if LLVM_PATH else {}, +# ) + +# load("@llvm_toolchain//:toolchains.bzl", "llvm_register_toolchains") + +# llvm_register_toolchains() From 6c982d9e3479bf100b5651201d37a3a007577c47 Mon Sep 17 00:00:00 2001 From: zirain Date: Fri, 5 Dec 2025 18:30:00 +0800 Subject: [PATCH 6/9] revert --- WORKSPACE | 56 +++++++++++++++++++++++++++++-------------------------- 1 file changed, 30 insertions(+), 26 deletions(-) diff --git a/WORKSPACE b/WORKSPACE index f928d977bdb..1e7e0fb5958 100644 --- a/WORKSPACE +++ b/WORKSPACE @@ -78,32 +78,36 @@ load("@envoy//bazel:repo.bzl", "envoy_repo") envoy_repo() -load("@envoy//bazel:toolchains.bzl", "envoy_toolchains") +# load("@envoy//bazel:toolchains.bzl", "envoy_toolchains") -envoy_toolchains() +# envoy_toolchains() # this's workaround for use local LLVM toolchain -# load("@envoy_repo//:compiler.bzl", "LLVM_PATH") -# load("@envoy_toolshed//repository:utils.bzl", "arch_alias") -# load("@toolchains_llvm//toolchain:rules.bzl", "llvm_toolchain") - -# register_toolchains("@envoy//bazel/rbe/toolchains/configs/linux/gcc/config:cc-toolchain") - -# arch_alias( -# name = "clang_platform", -# aliases = { -# "amd64": "@envoy//bazel/platforms/rbe:linux_x64", -# "aarch64": "@envoy//bazel/platforms/rbe:linux_arm64", -# }, -# ) - -# llvm_toolchain( -# name = "llvm_toolchain", -# cxx_standard = {"": "c++20"}, -# llvm_version = "18.1.8", -# toolchain_roots = {"": LLVM_PATH} if LLVM_PATH else {}, -# ) - -# load("@llvm_toolchain//:toolchains.bzl", "llvm_register_toolchains") - -# llvm_register_toolchains() +load("@envoy_repo//:compiler.bzl", "LLVM_PATH") +load("@envoy_toolshed//repository:utils.bzl", "arch_alias") +load("@toolchains_llvm//toolchain:rules.bzl", "llvm_toolchain") + +register_toolchains("@envoy//bazel/rbe/toolchains/configs/linux/gcc/config:cc-toolchain") + +arch_alias( + name = "clang_platform", + aliases = { + "amd64": "@envoy//bazel/platforms/rbe:linux_x64", + "aarch64": "@envoy//bazel/platforms/rbe:linux_arm64", + }, +) + +llvm_toolchain( + name = "llvm_toolchain", + cxx_standard = {"": "c++20"}, + llvm_version = "18.1.8", + # sysroot = { + # "linux-x86_64": "@sysroot_linux_amd64//:sysroot", + # "linux-aarch64": "@sysroot_linux_arm64//:sysroot", + # }, + toolchain_roots = {"": LLVM_PATH} if LLVM_PATH else {}, +) + +load("@llvm_toolchain//:toolchains.bzl", "llvm_register_toolchains") + +llvm_register_toolchains() From 6efa653a8e8ca5390f0dd382c141ab0c367cbc27 Mon Sep 17 00:00:00 2001 From: zirain Date: Fri, 12 Dec 2025 12:29:55 +0800 Subject: [PATCH 7/9] update --- .devcontainer/devcontainer.json | 8 ++++---- WORKSPACE | 20 +++++++------------- 2 files changed, 11 insertions(+), 17 deletions(-) diff --git a/.devcontainer/devcontainer.json b/.devcontainer/devcontainer.json index b58643373a6..76d4cd7646c 100644 --- a/.devcontainer/devcontainer.json +++ b/.devcontainer/devcontainer.json @@ -8,10 +8,10 @@ "CARGO_HOME": "/home/.cargo", "RUSTUP_HOME": "/home/.rustup" }, - "features": { - "ghcr.io/devcontainers/features/docker-outside-of-docker:1": {}, - "ghcr.io/mpriscella/features/kind:1": {} - }, + // "features": { + // "ghcr.io/devcontainers/features/docker-outside-of-docker:1": {}, + // "ghcr.io/mpriscella/features/kind:1": {} + // }, "customizations": { "vscode": { "extensions": [ diff --git a/WORKSPACE b/WORKSPACE index 1e7e0fb5958..440cf8245fc 100644 --- a/WORKSPACE +++ b/WORKSPACE @@ -22,10 +22,10 @@ load("@bazel_tools//tools/build_defs/repo:http.bzl", "http_archive") # 1. Determine SHA256 `wget https://github.com/envoyproxy/envoy/archive/$COMMIT.tar.gz && sha256sum $COMMIT.tar.gz` # 2. Update .bazelversion, envoy.bazelrc and .bazelrc if needed. # -# Commit date: 2025-12-05 -ENVOY_SHA = "df7ddf53f997efd9e080f5940bd996ee9827405b" +# Commit date: 2025-12-12 +ENVOY_SHA = "1f29f29b6ff37aa7cb87135cc28bc058a623b629" -ENVOY_SHA256 = "481954044392c767e58b5971f3f0e53baa1707b62f20fca63794fefd279b9c90" +ENVOY_SHA256 = "cc634a5541c5b39ebd1b9d3538f4c8f897cab77ac04033ebd361d72e2f35021a" ENVOY_ORG = "envoyproxy" @@ -64,7 +64,10 @@ envoy_bazel_dependencies() load("@envoy//bazel:repositories_extra.bzl", "envoy_dependencies_extra") -envoy_dependencies_extra(ignore_root_user_error = True) +envoy_dependencies_extra( + glibc_version = "2.28", + ignore_root_user_error = True, +) load("@envoy//bazel:python_dependencies.bzl", "envoy_python_dependencies") @@ -78,11 +81,6 @@ load("@envoy//bazel:repo.bzl", "envoy_repo") envoy_repo() -# load("@envoy//bazel:toolchains.bzl", "envoy_toolchains") - -# envoy_toolchains() - -# this's workaround for use local LLVM toolchain load("@envoy_repo//:compiler.bzl", "LLVM_PATH") load("@envoy_toolshed//repository:utils.bzl", "arch_alias") load("@toolchains_llvm//toolchain:rules.bzl", "llvm_toolchain") @@ -101,10 +99,6 @@ llvm_toolchain( name = "llvm_toolchain", cxx_standard = {"": "c++20"}, llvm_version = "18.1.8", - # sysroot = { - # "linux-x86_64": "@sysroot_linux_amd64//:sysroot", - # "linux-aarch64": "@sysroot_linux_arm64//:sysroot", - # }, toolchain_roots = {"": LLVM_PATH} if LLVM_PATH else {}, ) From 91d76deadf6ea44537c0fab62b6a68abd58832b6 Mon Sep 17 00:00:00 2001 From: zirain Date: Fri, 12 Dec 2025 12:40:59 +0800 Subject: [PATCH 8/9] revert --- .devcontainer/devcontainer.json | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.devcontainer/devcontainer.json b/.devcontainer/devcontainer.json index 76d4cd7646c..b58643373a6 100644 --- a/.devcontainer/devcontainer.json +++ b/.devcontainer/devcontainer.json @@ -8,10 +8,10 @@ "CARGO_HOME": "/home/.cargo", "RUSTUP_HOME": "/home/.rustup" }, - // "features": { - // "ghcr.io/devcontainers/features/docker-outside-of-docker:1": {}, - // "ghcr.io/mpriscella/features/kind:1": {} - // }, + "features": { + "ghcr.io/devcontainers/features/docker-outside-of-docker:1": {}, + "ghcr.io/mpriscella/features/kind:1": {} + }, "customizations": { "vscode": { "extensions": [ From bbd23534b38c57f972d9a065f7e0e2cda83191a3 Mon Sep 17 00:00:00 2001 From: zirain Date: Fri, 12 Dec 2025 12:58:01 +0800 Subject: [PATCH 9/9] update --- .bazelrc | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/.bazelrc b/.bazelrc index 5f99f4d2f90..ccd1bbaad29 100644 --- a/.bazelrc +++ b/.bazelrc @@ -18,7 +18,7 @@ build --repo_env=BAZEL_LLVM_PATH=/usr/lib/llvm build:linux --config=clang # put /usr/local/bin before /usr/bin to avoid picking up wrong python3.6 when building envoy.tls.key_providers.cryptomb -build:linux --action_env=PATH=/usr/lib/llvm/bin:/usr/local/bin:/bin:/usr/bin +build:linux --action_env=PATH=/usr/local/bin:/bin:/usr/bin # Need for CI image to pickup docker-credential-gcloud, PATH is fixed in rbe-toolchain-* configs. build:remote-ci --action_env=PATH=/usr/local/google-cloud-sdk/bin:/usr/sbin:/usr/bin:/sbin:/bin:/opt/llvm/bin @@ -51,9 +51,6 @@ build:debug -c dbg build --cxxopt -Wformat build --cxxopt -Wformat-security -# build:clang --host_action_env=CC= -# build:clang --host_action_env=CXX= - # CI sanitizer configuration # build:clang-asan-ci --config=asan