Statically build libgit2 and its dependencies using musl toolchain.

This removes the dependency to glibc and allows the project to be less dependent to configurations picked by official OS packages.

Signed-off-by: Paulo Gomes <[email protected]>

Author: Paulo Gomes

.gitignore

@@ -1 +1,2 @@
 build/
+vendor/

Dockerfile

@@ -1,3 +1,4 @@
 FROM scratch
 
-COPY ./hack/Makefile Makefile
+COPY ./hack/Makefile /Makefile
+COPY ./hack/static.sh /static.sh

Dockerfile.test

@@ -1,53 +1,126 @@
 # This Dockerfile tests the hack/Makefile output against git2go.
-ARG BASE_VARIANT=bullseye
+ARG BASE_VARIANT=alpine
 ARG GO_VERSION=1.17.6
 ARG XX_VERSION=1.1.0
 
 FROM --platform=$BUILDPLATFORM tonistiigi/xx:${XX_VERSION} AS xx
 
-FROM --platform=$BUILDPLATFORM golang:${GO_VERSION}-${BASE_VARIANT} as gostable
+FROM golang:${GO_VERSION}-${BASE_VARIANT} as gostable
 
 FROM gostable AS go-linux
 
-FROM go-${TARGETOS} AS build-base-bullseye
+FROM --platform=$BUILDPLATFORM ${BASE_VARIANT} AS build-deps
+
+RUN apk add --no-cache \
+        bash \
+        curl \
+        build-base \
+        linux-headers \
+        perl \
+        cmake \
+        pkgconfig \
+        gcc \
+        musl-dev \
+        clang \
+        lld
 
 COPY --from=xx / /
 
-# Align golang base image with bookworm. 
-# TODO: Replace this with a golang bookworm variant, once it is released.
-RUN echo "deb http://deb.debian.org/debian bookworm main" > /etc/apt/sources.list.d/bookworm.list \
-	&& echo "deb-src http://deb.debian.org/debian bookworm main" /etc/apt/sources.list.d/bookworm.list \
-	&& xx-apt update \
-	&& xx-apt -t bookworm upgrade -y
+ARG TARGETPLATFORM
 
-COPY ./hack/Makefile /libgit2/Makefile
+RUN xx-apk add --no-cache \
+        xx-c-essentials 
 
-RUN make -C /libgit2/ cmake
+RUN xx-apk add --no-cache \
+        xx-cxx-essentials 
 
 ARG TARGETPLATFORM
-RUN make -C /libgit2/ dependencies
+RUN xx-apk add --no-cache \
+        build-base \
+        pkgconfig \
+        gcc \
+        musl-dev \
+        clang \
+        lld \
+        llvm \
+        linux-headers
 
-FROM build-base-${BASE_VARIANT} as libgit2-bullseye
+WORKDIR /build
+COPY hack/static.sh .
 
 ARG TARGETPLATFORM
-RUN FLAGS=$(xx-clang --print-cmake-defines) make -C /libgit2/ libgit2
+ENV CC=xx-clang
+ENV CXX=xx-clang++
+
+RUN CHOST=$(xx-clang --print-target-triple) \
+    ./static.sh build_libz
+
+RUN CHOST=$(xx-clang --print-target-triple) \
+    ./static.sh build_openssl
+
+RUN export LIBRARY_PATH="/usr/local/$(xx-info triple)/lib:/usr/local/$(xx-info triple)/lib64:${LIBRARY_PATH}" && \
+    export PKG_CONFIG_PATH="/usr/local/$(xx-info triple)/lib/pkgconfig:/usr/local/$(xx-info triple)/lib64/pkgconfig" && \
+    export OPENSSL_ROOT_DIR="/usr/local/$(xx-info triple)" && \
+    export OPENSSL_CRYPTO_LIBRARY="/usr/local/$(xx-info triple)/lib64" && \
+    export OPENSSL_INCLUDE_DIR="/usr/local/$(xx-info triple)/include/openssl"
+
+RUN ./static.sh build_libssh2
+RUN ./static.sh build_libgit2
+
+
+FROM go-${TARGETOS} AS build
+
+# Copy cross-compilation tools
+COPY --from=xx / /
+# Copy compiled libraries
+COPY --from=build-deps /usr/local/ /usr/local/
 
-FROM libgit2-${BASE_VARIANT} as test-bullseye
+RUN apk add clang lld pkgconfig
 
-# Cache clone
-ARG GIT2GO_TAG
-RUN git config --global advice.detachedHead false \
-    && git clone --depth=1 --branch=${GIT2GO_TAG} https://github.com/libgit2/git2go /git2go \
-    && cd /git2go \
-    && go mod tidy
+WORKDIR /root/smoketest
+COPY tests/smoketest/go.mod .
+COPY tests/smoketest/go.sum .
+RUN go mod download
 
-# Set workdir
-WORKDIR /git2go
+COPY tests/smoketest/main.go .
 
-# Run tests
 ARG TARGETPLATFORM
-ARG CACHE_BUST
-RUN set -eux; \
-    echo "=> Dynamic test at $CACHE_BUST for $TARGETPLATFORM" \
-    && CGO_ENABLED=1 xx-go run script/check-MakeGitError-thread-lock.go \
-    && CGO_ENABLED=1 xx-go test ./...
+# Some dependencies have to installed 
+# for the target platform: https://github.com/tonistiigi/xx#go--cgo
+RUN xx-apk add --no-cache \
+        musl-dev \
+        gcc
+
+ENV CGO_ENABLED=1
+RUN export LIBRARY_PATH="/usr/local/$(xx-info triple)/lib:/usr/local/$(xx-info triple)/lib64:${LIBRARY_PATH}" && \
+    export PKG_CONFIG_PATH="/usr/local/$(xx-info triple)/lib/pkgconfig:/usr/local/$(xx-info triple)/lib64/pkgconfig" && \
+	export FLAGS="$(pkg-config --static --libs --cflags libssh2 openssl libgit2)" && \
+    CGO_LDFLAGS="${FLAGS} -static" \
+	xx-go build \
+        -ldflags "-s -w" \
+        -tags 'netgo,osusergo,static_build' \
+        -o static-test-runner -trimpath main.go;
+
+# Ensure that the generated binary is valid for the target platform
+RUN xx-verify --static static-test-runner
+
+# This can be deployed into a gcr.io/distroless/static, however
+# the alpine has been chosen so it can run the static application
+# using the `RUN` statement.
+FROM ${BASE_VARIANT}
+
+WORKDIR /root/smoketest
+COPY tests/smoketest/keys /root/smoketest/keys
+COPY --from=build \
+    /root/smoketest/static-test-runner .
+
+ENV SSL_CERT_FILE=/etc/ssl/certs/ca-certificates.crt
+
+# To do docker run instead, replace the RUN statement with:
+# ENTRYPOINT [ "/root/smoketest/static-test-runner" ]
+
+# The approach below was preferred as it provides a way to 
+# assert the functionality across the supported architectures 
+# without any extra steps.
+
+RUN /root/smoketest/static-test-runner

Makefile

@@ -5,8 +5,6 @@ STATIC_TEST_TAG := test
 PLATFORMS ?= linux/amd64,linux/arm/v7,linux/arm64
 BUILD_ARGS ?=
 
-GIT2GO_TAG ?= v31.6.1
-
 .PHONY: build
 build:
 	docker buildx build \
@@ -20,18 +18,18 @@ test:
 	docker buildx build \
 		--platform=$(PLATFORMS) \
 		--tag $(IMG):$(TAG) \
-		--build-arg IMG=$(IMG) \
-		--build-arg TAG=$(TAG) \
-		--build-arg GIT2GO_TAG=$(GIT2GO_TAG) \
-		--build-arg CACHE_BUST="$(shell date --rfc-3339=ns --utc)" \
-		--file Dockerfile.test .
+		--file Dockerfile.test \
+		$(BUILD_ARGS) .
 
 .PHONY: builder
 builder:
+# create local builder
 	docker buildx create --name local-builder \
 		--platform $(PLATFORMS) \
 		--driver-opt network=host \
 		--driver-opt env.BUILDKIT_STEP_LOG_MAX_SIZE=1073741274 \
 		--driver-opt env.BUILDKIT_STEP_LOG_MAX_SPEED=5000000000000 \
 		--buildkitd-flags '--allow-insecure-entitlement security.insecure' \
 		--use
+# install qemu emulators
+	docker run -it --rm --privileged tonistiigi/binfmt --install all

README.md

@@ -1,7 +1,12 @@
 # golang-with-libgit2
 
-This repository contains a `Dockerfile` which `Makefile` content can be used to build the [libgit2][] dependency
-chain for **AMD64, ARM64 and ARMv7** binaries of Go projects that depend on [git2go][]. 
+This repository contains a `Dockerfile` with two files: `Makefile` and `static.sh`. 
+Both of which can be used to build the [libgit2][] dependency chain for **AMD64, ARM64 and ARMv7** binaries 
+of Go projects that depend on [git2go][]. 
+
+The `Makefile` is useful for development environments and will leverage OS specific packages to build `libgit2`.
+The `static.sh` will build all `libgit2` dependencies from source using `musl` toolchain. This enables for a full
+static binary with the freedom of configuring each of the dependencies in chain.
 
 ### :warning: **Public usage discouraged**
 
@@ -42,86 +47,20 @@ while testing these against the git2go code before releasing the image.
   - [ ] [libgit2/git2go#836](https://github.com/libgit2/git2go/issues/836)
   - [ ] [libgit2/git2go#837](https://github.com/libgit2/git2go/issues/837)
 
-## Usage
-
-To make use of the image published by the `Dockerfile`, copy over the `Makefile` from the image as a prerequisite to
-your Go build. Once copied over to the image, the set of targets can be used to compile `libgit2` for the
-`$BUILDPLATFORM` and/or `$TARGETPLATFORM` (see [example](#Dockerfile-example)).
-
-### Runtime dependencies
-
-The following dependencies should be present in the image running the application:
-
-- `libc6`
-- `ca-certificates`
-- `zlib1g/bookworm`
-- `libssl1.1/bookworm`
-- `libssh2-1/bookworm`
-
-**Note:** at present, all dependencies suffixed with `bookworm` must be installed from Debian's `bookworm` release,
-[due to a misconfiguration in `libssh2-1` in earlier versions][libssh2-1-misconfiguration].
-
-### `Dockerfile` example
-
-```Dockerfile
-FROM --platform=$BUILDPLATFORM tonistiigi/xx:${XX_VERSION} AS xx
-FROM fluxcd/golang-with-libgit2 as libgit2
-
-FROM --platform=$BUILDPLATFORM golang:1.17.6-bullseye as build
-
-# Copy the build utiltiies
-COPY --from=xx / /
-COPY --from=libgit2 /Makefile /libgit2/
-
-# Install the libgit2 build dependencies
-RUN make -C /libgit2 cmake
-
-ARG TARGETPLATFORM
-RUN make -C /libgit2 dependencies
-
-# Compile and install libgit2
-RUN FLAGS=$(xx-clang --print-cmake-defines) make -C /libgit2 libgit2 \
-    && mkdir -p /libgit2/lib/ \
-    && cp -d /usr/lib/$(xx-info triple)/libgit2.so* /libgit2/lib/
+---
+**NOTE**
 
-# Configure workspace
-WORKDIR /workspace
+The issues above do not affect libgit2 built with `static.sh` as all its
+dependencies have been configured to be optimal for its use, as the first supported version of libgit2 is `1.3.0`.
 
-# Copy modules manifests
-COPY go.mod go.mod
-COPY go.sum go.sum
+---
 
-# Cache modules
-RUN go mod download
-
-# Copy source code
-COPY main.go main.go
-
-# Build the binary
-ENV CGO_ENABLED=1
-ARG TARGETPLATFORM
-RUN xx-go build -o app \
-    main.go
-
-FROM debian:bookworm-slim as controller
-
-# Install runtime dependencies
-RUN apt update \
-    && apt install -y zlib1g/bookworm libssl1.1 libssh2-1 \
-    && apt install -y ca-certificates \
-    && apt clean \
-    && apt autoremove --purge -y \
-    && rm -rf /var/lib/apt/lists/*
-
-# Copy libgit2.so*
-COPY --from=build /libgit2/lib/ /usr/local/lib/
-RUN ldconfig
+## Usage
 
-# Copy over binary from build
-COPY --from=build /workspace/app /usr/local/bin/
+The [Dockerfile.test](./Dockerfile.test) file provides a working example on how to statically build a golang application that has a dependency to libgit2 and git2go.
 
-ENTRYPOINT [ "app" ]
-```
+The example will statically build all dependencies based on the versions specified on `static.sh`.
+Then statically build the golang application and deploy it into an image based off `gcr.io/distroless/static`.
 
 ## Contributing
 
@@ -162,6 +101,34 @@ In case changes happen to the `Dockerfile` while the `libgit2` version does not
 be suffixed with `-<seq num in range>`. For example, `libgit2-1.1.1-2` for the **third** container image
 with the same version.
 
+### Debugging cross-compilation
+
+Below are a few tips on how to overcome cross-compilation issues:
+
+1) Ensure all qemu emulators are installed:
+```sh
+docker run -it --rm --privileged tonistiigi/binfmt --install all
+```
+
+2) Check that the generated libraries are aligned with the target architecture:
+
+Leveraging `readelf` from `binutils` (i.e. `apk add binutils`), check the target machine
+architecture:
+
+```sh
+$ readelf -h /usr/local/aarch64-alpine-linux-musl/lib/libcrypto.a | grep Machine |sort -u
+  Machine:                           AArch64
+$ readelf -h /usr/local/aarch64-alpine-linux-musl/lib/libgit2.a | grep Machine | sort -u
+  Machine:                           AArch64
+$ readelf -h /usr/local/aarch64-alpine-linux-musl/lib/libssh2.a | grep Machine | sort -u
+  Machine:                           AArch64
+$ readelf -h /usr/local/aarch64-alpine-linux-musl/lib/libssl.a | grep Machine | sort -u
+  Machine:                           AArch64
+$ readelf -h /usr/local/aarch64-alpine-linux-musl/lib/libz.a | grep Machine | sort -u
+  Machine:                           AArch64
+```
+
+
 [xx]: https://github.com/tonistiigi/xx
 [Go container image]: https://hub.docker.com/_/golang
 [libgit2]: https://github.com/libgit2/libgit2

hack/Makefile

@@ -26,7 +26,7 @@ CMAKE_VERSION ?= 3.21.3
 # Libgit2 version to be compiled and installed.
 LIBGIT2_VERSION ?= 1.1.1
 # In some scenarios libgit2 needs to be checked out to a specific commit.
-# This takes presidence over LIBGIT_VERSION if defined.
+# This takes precedence over LIBGIT_VERSION if defined.
 # Ref: https://github.com/libgit2/git2go/issues/834
 LIBGIT2_REVISION ?=