-
-
Save jeesmon/00f479a896548aadc0b32ae184890b4e to your computer and use it in GitHub Desktop.
| #!/bin/bash -ex | |
| # yum install -y docker git patch jq | |
| # systemctl start docker | |
| # docker info | |
| ISTIO_VERSION=${ISTIO_VERSION:-1.19.3} | |
| MAJOR_ISTIO_VERSION=$(cut -f1-2 -d. <<< ${ISTIO_VERSION}) | |
| # Need a custom build-tools-proxy image for 1.18.3+ | |
| # https://istio.slack.com/archives/C6FCV6WN4/p1696463622534729 | |
| # https://github.com/istio/tools/pull/2566 | |
| git clone https://github.com/istio/tools.git --depth 1 | |
| cd tools | |
| git fetch --tags | |
| git checkout "${ISTIO_VERSION}" | |
| # Patch tools | |
| sed -i'' \ | |
| -e 's/FROM ubuntu:xenial AS clang_context_amd64/FROM ubuntu:jammy AS clang_context_amd64/' \ | |
| -e 's/FROM ubuntu:xenial AS build_env_proxy_amd64/FROM ubuntu:jammy AS build_env_proxy_amd64/' \ | |
| -e 's/ENV UBUNTU_RELEASE_CODE_NAME=xenial/ENV UBUNTU_RELEASE_CODE_NAME=jammy/' \ | |
| -e 's/ENV DOCKER_VERSION=5:20.10.7~3-0~ubuntu/ENV DOCKER_VERSION=5:20.10.14~3-0~ubuntu/' \ | |
| -e 's/ENV CONTAINERD_VERSION=1.4.6-1/ENV CONTAINERD_VERSION=1.6.12-1/' \ | |
| -e 's/python \\/#python \\/' \ | |
| docker/build-tools/Dockerfile | |
| # Build tools | |
| cd docker/build-tools/ | |
| DRY_RUN=true ./build-and-push.sh | |
| cd ../../.. | |
| git clone https://github.com/istio/proxy.git --depth 1 | |
| pushd proxy | |
| git fetch --tags | |
| git checkout "${ISTIO_VERSION}" | |
| export GOOS=linux | |
| # Patch Makefile for BAZEL_BIN_PATH in 1.19.3 | |
| # https://github.com/istio/proxy/pull/5087 | |
| sed -i '/exportcache:/i \ | |
| exportcache: BAZEL_BIN_PATH ?= $(shell bazel info $(BAZEL_BUILD_ARGS) $(BAZEL_CONFIG_CURRENT) bazel-bin)' \ | |
| Makefile.core.mk | |
| # Compile envoy with FIPS: https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/security/ssl#fips-140-2 | |
| echo "build --define boringssl=fips" >> .bazelrc | |
| IMG=gcr.io/istio-testing/build-tools-proxy:release-${MAJOR_ISTIO_VERSION}-latest-amd64 BUILD_WITH_CONTAINER=1 BAZEL_BUILD_ARGS=--config=release TARGET_OS=linux make build_wasm build build_envoy exportcache | |
| popd | |
| git clone https://github.com/istio/istio.git --depth 1 | |
| pushd istio | |
| git fetch --tags | |
| git checkout "${ISTIO_VERSION}" | |
| # Pre-built binaries need to copied with SHA in name, otherwise build process will download it from gc bucket | |
| # https://github.com/istio/istio/blob/1.18.1/bin/init.sh#L106 | |
| # Populate the git version for istio/proxy (i.e. Envoy) | |
| # PROXY_REPO_SHA="${PROXY_REPO_SHA:-$(grep PROXY_REPO_SHA istio.deps -A 4 | grep lastStableSHA | cut -f 4 -d '"')}" | |
| PROXY_REPO_SHA=$(jq -r '.[] | select(.name == "PROXY_REPO_SHA").lastStableSHA' istio.deps) | |
| # Copy locally built binaries | |
| mkdir -p out/linux_amd64/release | |
| cp -f ../proxy/out/linux_amd64/envoy out/linux_amd64/release/envoy-${PROXY_REPO_SHA} | |
| cp -f out/linux_amd64/release/envoy-${PROXY_REPO_SHA} out/linux_amd64/release/envoy | |
| # Patch Makefile to use BoringCrypto: https://github.com/tetratelabs/istio/blob/tetrate-workflow/tetrateci/docs/fips.md | |
| sed -i'' -e 's%GOOS=linux%CGO_ENABLED=1 GOEXPERIMENT=boringcrypto GOOS=linux%' Makefile.core.mk | |
| # Envoy built with BoringSSL requires libc++ installed in the docker image | |
| # Patch pilot/docker/Dockerfile.proxyv2 to install libc++ | |
| cat > Dockerfile.proxyv2.patch << EOF | |
| RUN apt-get update \ | |
| && apt-get upgrade -y \ | |
| && apt-get install -y libc++1 \ | |
| && apt-get autoremove -y \ | |
| && apt-get clean \ | |
| && rm -rf /tmp/* /var/tmp/* \ | |
| && rm -rf /var/lib/apt/lists/* | |
| EOF | |
| sed -i'' '/FROM ${BASE_DISTRIBUTION/r Dockerfile.proxyv2.patch' pilot/docker/Dockerfile.proxyv2 | |
| rm Dockerfile.proxyv2.patch | |
| # Build pilot and proxy | |
| TARGET_OS=linux make docker.pilot docker.proxyv2 | |
| # Confirm version | |
| docker run --rm --entrypoint="" localhost:5000/proxyv2 envoy --version | |
| docker run --rm --entrypoint="" localhost:5000/proxyv2 pilot-agent version | |
| docker run --rm --entrypoint="" localhost:5000/pilot pilot-discovery version | |
| # docker tag localhost:5000/proxyv2 quay.io/jeesmon/proxyv2:${ISTIO_VERSION} | |
| # docker tag localhost:5000/pilot:latest quay.io/jeesmon/pilot:${ISTIO_VERSION} | |
| # docker login quay.io | |
| # docker push quay.io/jeesmon/proxyv2:${ISTIO_VERSION} | |
| # docker push quay.io/jeesmon/pilot:${ISTIO_VERSION} | |
@sspaeth-r7 & whoever is facing the checksum issue : istio/istio#49561
Edit: Looks like @sspaeth-r7 was the one to report the issue in the istio slack :)
@vinodshoreline not sure if you managed to figure out the issue, but I found for the 1.20.2 tag the tools dockerfile had changed and the sed lines in the script were doing nothing so it was still using bionic which does not have libncurses6 available and it, at some point, became required by the envoy fips build.
Make the changes from this PR and it should build.
Hey folks. I am wondering if anyone has tried converting this script to work for
arm64?I know the Envoy docs say:
Currently, this option is only available on Linux-x86_64.But if you look at this issue and this PR, it seems
arm64support has been added.
@teddy-wahle / anyone else: did you ever have any luck with building Istio for ARM? I see you have a fork for it which is basically the same thing I tried and unfortunately I received a strange error:
gcc: error: unrecognized command-line option '-m64'
I'm currently trying to build with a couple architecture variables set but not sure it'll make a difference.
For anyone else who may be trying to solve the above issue, it looks like setting DOCKER_ARCHITECTURES=linux/arm64 before make build docker.pilot docker.proxyv2 did the trick:
DOCKER_ARCHITECTURES=linux/arm64 <other_vars> make build docker.pilot docker.proxyv2
@stanpalatnik are you able to build 1.20.3? We're getting a checksum mismatch error on that version using the same build script that works fine for 1.20.2.