Merge pull request #10 from pjbgf/static

Author: hiddeco

.gitignore

@@ -1 +1,2 @@
 build/
+vendor/

Dockerfile

@@ -1,3 +1,4 @@
 FROM scratch
 
-COPY ./hack/Makefile Makefile
+COPY ./hack/Makefile /Makefile
+COPY ./hack/static.sh /static.sh

Dockerfile.test

@@ -1,53 +1,126 @@
 # This Dockerfile tests the hack/Makefile output against git2go.
-ARG BASE_VARIANT=bullseye
+ARG BASE_VARIANT=alpine
 ARG GO_VERSION=1.17.6
 ARG XX_VERSION=1.1.0
 
 FROM --platform=$BUILDPLATFORM tonistiigi/xx:${XX_VERSION} AS xx
 
-FROM --platform=$BUILDPLATFORM golang:${GO_VERSION}-${BASE_VARIANT} as gostable
+FROM golang:${GO_VERSION}-${BASE_VARIANT} as gostable
 
 FROM gostable AS go-linux
 
-FROM go-${TARGETOS} AS build-base-bullseye
+FROM --platform=$BUILDPLATFORM ${BASE_VARIANT} AS build-deps
+
+RUN apk add --no-cache \
+        bash \
+        curl \
+        build-base \
+        linux-headers \
+        perl \
+        cmake \
+        pkgconfig \
+        gcc \
+        musl-dev \
+        clang \
+        lld
 
 COPY --from=xx / /
 
-# Align golang base image with bookworm. 
-# TODO: Replace this with a golang bookworm variant, once it is released.
-RUN echo "deb http://deb.debian.org/debian bookworm main" > /etc/apt/sources.list.d/bookworm.list \
-	&& echo "deb-src http://deb.debian.org/debian bookworm main" /etc/apt/sources.list.d/bookworm.list \
-	&& xx-apt update \
-	&& xx-apt -t bookworm upgrade -y
+ARG TARGETPLATFORM
 
-COPY ./hack/Makefile /libgit2/Makefile
+RUN xx-apk add --no-cache \
+        xx-c-essentials 
 
-RUN make -C /libgit2/ cmake
+RUN xx-apk add --no-cache \
+        xx-cxx-essentials 
 
 ARG TARGETPLATFORM
-RUN make -C /libgit2/ dependencies
+RUN xx-apk add --no-cache \
+        build-base \
+        pkgconfig \
+        gcc \
+        musl-dev \
+        clang \
+        lld \
+        llvm \
+        linux-headers
 
-FROM build-base-${BASE_VARIANT} as libgit2-bullseye
+WORKDIR /build
+COPY hack/static.sh .
 
 ARG TARGETPLATFORM
-RUN FLAGS=$(xx-clang --print-cmake-defines) make -C /libgit2/ libgit2
+ENV CC=xx-clang
+ENV CXX=xx-clang++
+
+RUN CHOST=$(xx-clang --print-target-triple) \
+    ./static.sh build_libz
+
+RUN CHOST=$(xx-clang --print-target-triple) \
+    ./static.sh build_openssl
+
+RUN export LIBRARY_PATH="/usr/local/$(xx-info triple)/lib:/usr/local/$(xx-info triple)/lib64:${LIBRARY_PATH}" && \
+    export PKG_CONFIG_PATH="/usr/local/$(xx-info triple)/lib/pkgconfig:/usr/local/$(xx-info triple)/lib64/pkgconfig" && \
+    export OPENSSL_ROOT_DIR="/usr/local/$(xx-info triple)" && \
+    export OPENSSL_CRYPTO_LIBRARY="/usr/local/$(xx-info triple)/lib64" && \
+    export OPENSSL_INCLUDE_DIR="/usr/local/$(xx-info triple)/include/openssl"
+
+RUN ./static.sh build_libssh2
+RUN ./static.sh build_libgit2
+
+
+FROM go-${TARGETOS} AS build
+
+# Copy cross-compilation tools
+COPY --from=xx / /
+# Copy compiled libraries
+COPY --from=build-deps /usr/local/ /usr/local/
 
-FROM libgit2-${BASE_VARIANT} as test-bullseye
+RUN apk add clang lld pkgconfig
 
-# Cache clone
-ARG GIT2GO_TAG
-RUN git config --global advice.detachedHead false \
-    && git clone --depth=1 --branch=${GIT2GO_TAG} https://github.com/libgit2/git2go /git2go \
-    && cd /git2go \
-    && go mod tidy
+WORKDIR /root/smoketest
+COPY tests/smoketest/go.mod .
+COPY tests/smoketest/go.sum .
+RUN go mod download
 
-# Set workdir
-WORKDIR /git2go
+COPY tests/smoketest/main.go .
 
-# Run tests
 ARG TARGETPLATFORM
-ARG CACHE_BUST
-RUN set -eux; \
-    echo "=> Dynamic test at $CACHE_BUST for $TARGETPLATFORM" \
-    && CGO_ENABLED=1 xx-go run script/check-MakeGitError-thread-lock.go \
-    && CGO_ENABLED=1 xx-go test ./...
+# Some dependencies have to installed 
+# for the target platform: https://github.com/tonistiigi/xx#go--cgo
+RUN xx-apk add --no-cache \
+        musl-dev \
+        gcc
+
+ENV CGO_ENABLED=1
+RUN export LIBRARY_PATH="/usr/local/$(xx-info triple)/lib:/usr/local/$(xx-info triple)/lib64:${LIBRARY_PATH}" && \
+    export PKG_CONFIG_PATH="/usr/local/$(xx-info triple)/lib/pkgconfig:/usr/local/$(xx-info triple)/lib64/pkgconfig" && \
+	export FLAGS="$(pkg-config --static --libs --cflags libssh2 openssl libgit2)" && \
+    CGO_LDFLAGS="${FLAGS} -static" \
+	xx-go build \
+        -ldflags "-s -w" \
+        -tags 'netgo,osusergo,static_build' \
+        -o static-test-runner -trimpath main.go;
+
+# Ensure that the generated binary is valid for the target platform
+RUN xx-verify --static static-test-runner
+
+# This can be deployed into a gcr.io/distroless/static, however
+# the alpine has been chosen so it can run the static application
+# using the `RUN` statement.
+FROM ${BASE_VARIANT}
+
+WORKDIR /root/smoketest
+COPY tests/smoketest/keys /root/smoketest/keys
+COPY --from=build \
+    /root/smoketest/static-test-runner .
+
+ENV SSL_CERT_FILE=/etc/ssl/certs/ca-certificates.crt
+
+# To do docker run instead, replace the RUN statement with:
+# ENTRYPOINT [ "/root/smoketest/static-test-runner" ]
+
+# The approach below was preferred as it provides a way to 
+# assert the functionality across the supported architectures 
+# without any extra steps.
+
+RUN /root/smoketest/static-test-runner

Makefile

@@ -5,8 +5,6 @@ STATIC_TEST_TAG := test
 PLATFORMS ?= linux/amd64,linux/arm/v7,linux/arm64
 BUILD_ARGS ?=
 
-GIT2GO_TAG ?= v31.6.1
-
 .PHONY: build
 build:
 	docker buildx build \
@@ -20,18 +18,18 @@ test:
 	docker buildx build \
 		--platform=$(PLATFORMS) \
 		--tag $(IMG):$(TAG) \
-		--build-arg IMG=$(IMG) \
-		--build-arg TAG=$(TAG) \
-		--build-arg GIT2GO_TAG=$(GIT2GO_TAG) \
-		--build-arg CACHE_BUST="$(shell date --rfc-3339=ns --utc)" \
-		--file Dockerfile.test .
+		--file Dockerfile.test \
+		$(BUILD_ARGS) .
 
 .PHONY: builder
 builder:
+# create local builder
 	docker buildx create --name local-builder \
 		--platform $(PLATFORMS) \
 		--driver-opt network=host \
 		--driver-opt env.BUILDKIT_STEP_LOG_MAX_SIZE=1073741274 \
 		--driver-opt env.BUILDKIT_STEP_LOG_MAX_SPEED=5000000000000 \
 		--buildkitd-flags '--allow-insecure-entitlement security.insecure' \
 		--use
+# install qemu emulators
+	docker run -it --rm --privileged tonistiigi/binfmt --install all

README.md

@@ -1,7 +1,12 @@
 # golang-with-libgit2
 
-This repository contains a `Dockerfile` which `Makefile` content can be used to build the [libgit2][] dependency
-chain for **AMD64, ARM64 and ARMv7** binaries of Go projects that depend on [git2go][]. 
+This repository contains a `Dockerfile` with two files: `Makefile` and `static.sh`. 
+Both of which can be used to build the [libgit2][] dependency chain for **AMD64, ARM64 and ARMv7** binaries 
+of Go projects that depend on [git2go][]. 
+
+The `Makefile` is useful for development environments and will leverage OS specific packages to build `libgit2`.
+The `static.sh` will build all `libgit2` dependencies from source using `musl` toolchain. This enables for a full
+static binary with the freedom of configuring each of the dependencies in chain.
 
 ### :warning: **Public usage discouraged**
 
@@ -42,86 +47,20 @@ while testing these against the git2go code before releasing the image.
   - [ ] [libgit2/git2go#836](https://github.com/libgit2/git2go/issues/836)
   - [ ] [libgit2/git2go#837](https://github.com/libgit2/git2go/issues/837)
 
-## Usage
-
-To make use of the image published by the `Dockerfile`, copy over the `Makefile` from the image as a prerequisite to
-your Go build. Once copied over to the image, the set of targets can be used to compile `libgit2` for the
-`$BUILDPLATFORM` and/or `$TARGETPLATFORM` (see [example](#Dockerfile-example)).
-
-### Runtime dependencies
-
-The following dependencies should be present in the image running the application:
-
-- `libc6`
-- `ca-certificates`
-- `zlib1g/bookworm`
-- `libssl1.1/bookworm`
-- `libssh2-1/bookworm`
-
-**Note:** at present, all dependencies suffixed with `bookworm` must be installed from Debian's `bookworm` release,
-[due to a misconfiguration in `libssh2-1` in earlier versions][libssh2-1-misconfiguration].
-
-### `Dockerfile` example
-
-```Dockerfile
-FROM --platform=$BUILDPLATFORM tonistiigi/xx:${XX_VERSION} AS xx
-FROM fluxcd/golang-with-libgit2 as libgit2
-
-FROM --platform=$BUILDPLATFORM golang:1.17.6-bullseye as build
-
-# Copy the build utiltiies
-COPY --from=xx / /
-COPY --from=libgit2 /Makefile /libgit2/
-
-# Install the libgit2 build dependencies
-RUN make -C /libgit2 cmake
-
-ARG TARGETPLATFORM
-RUN make -C /libgit2 dependencies
-
-# Compile and install libgit2
-RUN FLAGS=$(xx-clang --print-cmake-defines) make -C /libgit2 libgit2 \
-    && mkdir -p /libgit2/lib/ \
-    && cp -d /usr/lib/$(xx-info triple)/libgit2.so* /libgit2/lib/
+---
+**NOTE**
 
-# Configure workspace
-WORKDIR /workspace
+The issues above do not affect libgit2 built with `static.sh` as all its
+dependencies have been configured to be optimal for its use, as the first supported version of libgit2 is `1.3.0`.
 
-# Copy modules manifests
-COPY go.mod go.mod
-COPY go.sum go.sum
+---
 
-# Cache modules
-RUN go mod download
-
-# Copy source code
-COPY main.go main.go
-
-# Build the binary
-ENV CGO_ENABLED=1
-ARG TARGETPLATFORM
-RUN xx-go build -o app \
-    main.go
-
-FROM debian:bookworm-slim as controller
-
-# Install runtime dependencies
-RUN apt update \
-    && apt install -y zlib1g/bookworm libssl1.1 libssh2-1 \
-    && apt install -y ca-certificates \
-    && apt clean \
-    && apt autoremove --purge -y \
-    && rm -rf /var/lib/apt/lists/*
-
-# Copy libgit2.so*
-COPY --from=build /libgit2/lib/ /usr/local/lib/
-RUN ldconfig
+## Usage
 
-# Copy over binary from build
-COPY --from=build /workspace/app /usr/local/bin/
+The [Dockerfile.test](./Dockerfile.test) file provides a working example on how to statically build a golang application that has a dependency to libgit2 and git2go.
 
-ENTRYPOINT [ "app" ]
-```
+The example will statically build all dependencies based on the versions specified on `static.sh`.
+Then statically build the golang application and deploy it into an image based off `gcr.io/distroless/static`.
 
 ## Contributing
 
@@ -162,6 +101,34 @@ In case changes happen to the `Dockerfile` while the `libgit2` version does not
 be suffixed with `-<seq num in range>`. For example, `libgit2-1.1.1-2` for the **third** container image
 with the same version.
 
+### Debugging cross-compilation
+
+Below are a few tips on how to overcome cross-compilation issues:
+
+1) Ensure all qemu emulators are installed:
+```sh
+docker run -it --rm --privileged tonistiigi/binfmt --install all
+```
+
+2) Check that the generated libraries are aligned with the target architecture:
+
+Leveraging `readelf` from `binutils` (i.e. `apk add binutils`), check the target machine
+architecture:
+
+```sh
+$ readelf -h /usr/local/aarch64-alpine-linux-musl/lib/libcrypto.a | grep Machine |sort -u
+  Machine:                           AArch64
+$ readelf -h /usr/local/aarch64-alpine-linux-musl/lib/libgit2.a | grep Machine | sort -u
+  Machine:                           AArch64
+$ readelf -h /usr/local/aarch64-alpine-linux-musl/lib/libssh2.a | grep Machine | sort -u
+  Machine:                           AArch64
+$ readelf -h /usr/local/aarch64-alpine-linux-musl/lib/libssl.a | grep Machine | sort -u
+  Machine:                           AArch64
+$ readelf -h /usr/local/aarch64-alpine-linux-musl/lib/libz.a | grep Machine | sort -u
+  Machine:                           AArch64
+```
+
+
 [xx]: https://github.com/tonistiigi/xx
 [Go container image]: https://hub.docker.com/_/golang
 [libgit2]: https://github.com/libgit2/libgit2

hack/Makefile

@@ -26,7 +26,7 @@ CMAKE_VERSION ?= 3.21.3
 # Libgit2 version to be compiled and installed.
 LIBGIT2_VERSION ?= 1.1.1
 # In some scenarios libgit2 needs to be checked out to a specific commit.
-# This takes presidence over LIBGIT_VERSION if defined.
+# This takes precedence over LIBGIT_VERSION if defined.
 # Ref: https://github.com/libgit2/git2go/issues/834
 LIBGIT2_REVISION ?=