Fix istio proxy build after moving Envoy to hermteic toolchain#6726
Conversation
Signed-off-by: Mikhail Krinkin <mkrinkin@microsoft.com>
|
Skipping CI for Draft Pull Request. |
istio-testing
added
the
do-not-merge/work-in-progress
|
😊 Welcome @krinkinmu! This is either your first contribution to the Istio proxy repo, or it's been You can learn more about the Istio working groups, Code of Conduct, and contribution guidelines Thanks for contributing! Courtesy of your friendly welcome wagon. |
istio-testing
added
the
size/M
|
/test all |
howardjohn
left a comment
howardjohn
left a comment
There was a problem hiding this comment.
Does this mean you can finally just run bazel build and it works??? amazing!!
Almost, but there are corner cases. E.g., llvm tools themselves are not built statically, so they still depend on some external libraries, but at the very least installing clang should not be necessary. And we still need to figure out if we want to go this way or rely on a local toolchain. |
Signed-off-by: Mikhail Krinkin <mkrinkin@microsoft.com>
|
/test all |
|
@krinkinmu can you update your PR base on envoyproxy/envoy#42572? |
|
@zirain will do that later today |
Signed-off-by: Mikhail Krinkin <mkrinkin@microsoft.com>
|
/test all |
|
Interesting... It works locally, but not on CI. I need to dig a bit more. |
Signed-off-by: Mikhail Krinkin <mkrinkin@microsoft.com>
|
/test all |
|
At least it's building now... |
|
@zirain it looks like it builds. I'd need to double check what it's actually building and that the version of GLIBC it needs is indeed 2.28, but on the surface it looks ok. |
|
Aha... I missed something in the configuration apparently - it didn't really use the hermetic sysroot and instead used host GLIBC, which is ok when building insider a container, but not what we actually wanted. |
Signed-off-by: Mikhail Krinkin <mkrinkin@microsoft.com>
|
/test all |
|
I tested it locally and it builds using the right sysroot with glibc 2.28 |
Signed-off-by: Mikhail Krinkin <mkrinkin@microsoft.com>
|
/test all |
Signed-off-by: Mikhail Krinkin <mkrinkin@microsoft.com>
|
/test all |
|
Regarding libncurses problem - we discussed in Slack a bit and it seems to be preferable to just ignore it for now. The issue only affects those who build proxy outside of the container and for folks advanced enough to go that path it shouldn't be too difficult to go through a few additional hoops to install libncurses5 if it's not available. Eventually we will move to a newer version of clang and newer versions shouldn't have that problem anymore, so eventually we wouldn't need to worry about it at all. |
|
/test release-test-arm64 |
3 similar comments
|
/test release-test-arm64 |
|
/test release-test-arm64 |
|
/test release-test-arm64 |
Signed-off-by: Mikhail Krinkin <mkrinkin@microsoft.com>
|
/test release-test-arm64 |
Signed-off-by: Mikhail Krinkin <mkrinkin@microsoft.com>
|
/test release-test-arm64 |
Signed-off-by: Mikhail Krinkin <mkrinkin@microsoft.com>
|
/test release-test-arm64 |
Signed-off-by: Mikhail Krinkin <mkrinkin@microsoft.com>
|
/test release-test-arm64 |
Signed-off-by: Mikhail Krinkin <mkrinkin@microsoft.com>
|
/test all |
istio-testing
removed
the
do-not-merge/work-in-progress
|
/test release-test |
|
/retest |
zirain
left a comment
zirain
left a comment
There was a problem hiding this comment.
Thanks for taking this forward.
this's fine for most of the cases. it would be better if you can add a hint(use clang-19+ when you're building proxy outside of devcontainer) in README. |
|
/retest |
I'm an Envoy maintainer and have made contributions in proxy repository and telemetry related changes in other repos: * istio/proxy#6726 - fix proxy build after Envoy move to hermetic toolchain (including debugging the OOM issue in our CI that broke tests) * istio/proxy#6793 (plus there are a few in flight PRs) * designed telemetry changes for ambient multi-network (see https://docs.google.com/document/d/1gyDsViXTHlozTbHFuggNmYFrL6P3om4ZvTMdy_-Ul74/edit?usp=sharing) There are a few other contributions in Istio that I made (particularly in ambient multi-cluster), but they are not directly related to telemetry. Signed-off-by: Mikhail Krinkin <mkrinkin@microsoft.com>
* Add krinkinmu as a telemetry maintainer I'm an Envoy maintainer and have made contributions in proxy repository and telemetry related changes in other repos: * istio/proxy#6726 - fix proxy build after Envoy move to hermetic toolchain (including debugging the OOM issue in our CI that broke tests) * istio/proxy#6793 (plus there are a few in flight PRs) * designed telemetry changes for ambient multi-network (see https://docs.google.com/document/d/1gyDsViXTHlozTbHFuggNmYFrL6P3om4ZvTMdy_-Ul74/edit?usp=sharing) There are a few other contributions in Istio that I made (particularly in ambient multi-cluster), but they are not directly related to telemetry. Signed-off-by: Mikhail Krinkin <mkrinkin@microsoft.com> * Fix test Signed-off-by: Mikhail Krinkin <mkrinkin@microsoft.com> --------- Signed-off-by: Mikhail Krinkin <mkrinkin@microsoft.com>
9 participants
What this PR does / why we need it:
It makes changes to the Istio proxy Bazel configs to migrate to using Envoy's hermetic LLVM toolchain for builds. The "hermetic" here means that as part of the build process Bazel will download the LLVM toolchain, including compiler, linker and libraries, and will use them to build.
One thing worth calling out specifically, is that Envoy will also download a sysroot that packages glibc vers 2.28, which is, I think, the same version of glibc that we are currently using, so we still should be able to run the resulting Envoy binary outside of the container environment on old OSes.
NOTE: llvm toolchain itself is not statically built, unfortunately, and not all required libraries come with the toolchain. One library specifically that I noticed might cause problems is libncurses. Clang in the hermetic llvm toolchain is built against libncurses version 5, while some major distributions (i.e., Ubuntu) moved towards version 6.
It does not matter when building inside a container - we use a pretty old base image that should have the required version of the libncurses library, however building things outside the container may require jumping through a few hoops to install the right libraries if the hermetic toolchain is used.
I don't think there is a sensible way to workaround this issue in the hermetic toolchain itself (I wish LLVM folks just released a static version of the toolchain, but alas they don't do that). So IMO the best path forward would be to just allow easy switching between hermetic toolchain and host toolchain, which this PR does not implement yet. However, if we ok in principle with this approach, I can probably add support for that.
Which issue this PR fixes (optional, in
fixes #<issue number>(, fixes #<issue_number>, ...)format, will close that issue when PR gets merged): fixes #Special notes for your reviewer: