sgerrand / docker-glibc-builder Goto Github PK

A glibc binary package builder in Docker

Shell 60.91% Dockerfile 39.09%

glibc docker-glibc-builder hacktoberfest hacktoberfest-accepted

docker-glibc-builder's Introduction

docker-glibc-builder

A glibc binary package builder in Docker. Produces a glibc binary package that can be imported into a rootfs to run applications dynamically linked against glibc.

Usage

Build a glibc package based on version 2.39 with a prefix of /usr/glibc-compat:

docker run --rm --env STDOUT=1 sgerrand/glibc-builder 2.39 /usr/glibc-compat > glibc-bin.tar.gz

You can also keep the container around and copy out the resulting file:

docker run --name glibc-binary sgerrand/glibc-builder 2.39 /usr/glibc-compat
docker cp glibc-binary:/glibc-bin-2.39.tar.gz ./
docker rm glibc-binary

docker-glibc-builder's People

Contributors

Stargazers

Watchers

Forkers

njohns-grovo a75c6 aniketb1985 redshelled particle-iot orctom mgansler balena-io-experimental alanyih owlab-exp moggen sonecabr solidnerd akutz subinghong yangxuan8282 pipill nathane2005 plsamuel stevenaldinger alesasnouski codehz kopiro pikeszfish cyberdem0n jlesage mischnic gounthar starstruck0207 rijalati givimad cyounkins barryearles dayedepps satoshiportal shizonic ikaruswill hifiidev adamjm davidpesticcio foxromeo rjerk czhfe jojo921 jcxldn gravitational fr0ster celsosantos overhacked jvasileff chungjon davidholiday trxcllnt fouadsemaan ljfranklin jhamohneesh odidev alfonmga wwwwg adam-james-v pman0214 prantlf fangtangjing langerma myonlycat fixedbit meto4d cxiaolng bluepeople1 atthisaccount jaapterwoerds shism2 huangylqf raohuaming chainbase-labs chunhui2001 razer2015 tekintian imagegenius lolverae hanez drsensor locnnil mattclegg redstonewizard08 day112 cobliteam rory-z superbigfu b01 valentin-nasta mvkvl lucaslml0 harryzcy rafex ruaue opagolu-ebay

docker-glibc-builder's Issues

Release v2.36

The GNU C Library released version 2.36 on 2 August 2022. Update the relevant files and create a binary release for this version.

symbol not found error

Any idea why Im seeing these errors ? This is happening with all dynamic libs.

bash-4.3# ldd /usr/glibc-compat/lib/libc-2.23.so
    /usr/glibc-compat/lib/ld-linux-x86-64.so.2 (0x559ec0a0d000)
    ld-linux-x86-64.so.2 => /usr/glibc-compat/lib/ld-linux-x86-64.so.2 (0x7ffb6f7a3000)
Error relocating /usr/glibc-compat/lib/libc-2.23.so: unsupported relocation type 37
Error relocating /usr/glibc-compat/lib/libc-2.23.so: unsupported relocation type 37
Error relocating /usr/glibc-compat/lib/libc-2.23.so: unsupported relocation type 37
Error relocating /usr/glibc-compat/lib/libc-2.23.so: unsupported relocation type 37
Error relocating /usr/glibc-compat/lib/libc-2.23.so: unsupported relocation type 37
Error relocating /usr/glibc-compat/lib/libc-2.23.so: unsupported relocation type 37
Error relocating /usr/glibc-compat/lib/libc-2.23.so: unsupported relocation type 37
Error relocating /usr/glibc-compat/lib/libc-2.23.so: unsupported relocation type 37
Error relocating /usr/glibc-compat/lib/libc-2.23.so: _res: symbol not found
Error relocating /usr/glibc-compat/lib/libc-2.23.so: __ctype32_tolower: symbol not found
Error relocating /usr/glibc-compat/lib/libc-2.23.so: __ctype_tolower: symbol not found
Error relocating /usr/glibc-compat/lib/libc-2.23.so: __ctype_toupper: symbol not found
Error relocating /usr/glibc-compat/lib/libc-2.23.so: __ctype_b: symbol not found
Error relocating /usr/glibc-compat/lib/libc-2.23.so: __ctype32_b: symbol not found
Error relocating /usr/glibc-compat/lib/libc-2.23.so: __ctype32_toupper: symbol not found

Enable Multi-arch by docker buildx

Hi, All
Now, the buildx is tool which used for build multi-arch images tools. And it is very easy to use. Could we modify some script for building multi-arch images?

GLibc 2.24 has been released

https://www.sourceware.org/ml/libc-alpha/2016-08/msg00212.html

Update to Glibc 2.25

https://www.gnu.org/software/libc/

Enable multi stage builds

Any plan to use multistage builds, I personally use it:

ARG ENVIRONMENT

ARG ALPINE_VERSION

FROM alpine:${ALPINE_VERSION} AS glibc-base
ARG GLIBC_VERSION
ARG GLIBC_URL=https://ftp.gnu.org/gnu/glibc/glibc-${GLIBC_VERSION}.tar.gz
ARG CHECKSUM=881ca905e6b5eec724de7948f14d66a07d97bdee8013e1b2a7d021ff5d540522
ARG GLIBC_ASC_URL=https://ftp.gnu.org/gnu/glibc/glibc-${GLIBC_VERSION}.tar.gz.sig
ARG GPG_KEY_URL=https://ftp.gnu.org/gnu/gnu-keyring.gpg
RUN apk add --no-cache curl gnupg && \
    curl -sSL ${GLIBC_URL} -o $(basename ${GLIBC_URL}) && \
    curl -o $(basename ${GLIBC_ASC_URL}) ${GLIBC_ASC_URL} && \
    curl -fsSL ${GPG_KEY_URL} | gpg --import && \
    gpg --batch --verify $(basename ${GLIBC_ASC_URL}) $(basename ${GLIBC_URL}) && \
    echo "${CHECKSUM}  $(basename ${GLIBC_URL})" | sha256sum -c && \
    tar xzf $(basename ${GLIBC_URL})

FROM ubuntu:16.04 as glibc-compiler
ARG GLIBC_VERSION
ARG GLIBC_RELEASE
ARG PREFIX_DIR=/usr/glibc-compat
RUN apt-get update && \
    apt-get install -y build-essential openssl gawk bison
COPY --from=glibc-base /glibc-${GLIBC_VERSION} /glibc/
WORKDIR /glibc-build
RUN /glibc/configure \
    --prefix=${PREFIX_DIR} \
    --libdir=${PREFIX_DIR}/lib \
    --libexecdir=${PREFIX_DIR}/lib \
    --enable-multi-arch \
    --enable-stack-protector=strong && \
    make && \
    make install && \
    tar --hard-dereference -zcf /glibc-bin-${GLIBC_VERSION}.tar.gz ${PREFIX_DIR} && \
    sha512sum /glibc-bin-${GLIBC_VERSION}.tar.gz > /glibc-bin-${GLIBC_VERSION}.sha512sum

FROM alpine:${ALPINE_VERSION} AS glibc-alpine-builder
ARG MAINTAINER
ARG GLIBC_VERSION
ARG GLIBC_RELEASE
RUN apk --no-cache add alpine-sdk coreutils cmake libc6-compat && \
    adduser -G abuild -g "Alpine Package Builder" -s /bin/ash -D builder && \
    echo "builder ALL=(ALL) NOPASSWD:ALL" >> /etc/sudoers && \
    mkdir /packages && \
    chown builder:abuild /packages
USER builder
RUN mkdir /home/builder/package/
WORKDIR /home/builder/package/
COPY --from=glibc-compiler /glibc-bin-${GLIBC_VERSION}.tar.gz .
COPY --from=glibc-compiler /glibc-bin-${GLIBC_VERSION}.sha512sum .
COPY APKBUILD .
COPY glibc-bin.trigger .
COPY ld.so.conf .
COPY nsswitch.conf .
ENV REPODEST /packages
ENV ABUILD_KEY_DIR /home/builder/.abuild
RUN mkdir -p ${ABUILD_KEY_DIR} && \
    openssl genrsa -out ${ABUILD_KEY_DIR}/${MAINTAINER}-key.pem 2048 && \
    sudo openssl rsa -in ${ABUILD_KEY_DIR}/${MAINTAINER}-key.pem -pubout -out /etc/apk/keys/${MAINTAINER}.rsa.pub && \
    echo "PACKAGER_PRIVKEY=\"${ABUILD_KEY_DIR}/${MAINTAINER}-key.pem\"" > ${ABUILD_KEY_DIR}/abuild.conf && \
    sed -i "s/<\${GLIBC_VERSION}-checksum>/$(cat glibc-bin-${GLIBC_VERSION}.sha512sum | awk '{print $1}')/" APKBUILD && \
    abuild -r

FROM alpine:${ALPINE_VERSION}
ARG GLIBC_VERSION
ARG GLIBC_RELEASE
ARG BUILD_DATE
ARG GIT_SHA
ARG GIT_TAG
COPY --from=glibc-alpine-builder /packages/builder/x86_64/glibc-${GLIBC_VERSION}-${GLIBC_RELEASE}.apk /tmp/
COPY --from=glibc-alpine-builder /packages/builder/x86_64/glibc-bin-${GLIBC_VERSION}-${GLIBC_RELEASE}.apk /tmp/
COPY --from=glibc-alpine-builder /packages/builder/x86_64/glibc-i18n-${GLIBC_VERSION}-${GLIBC_RELEASE}.apk /tmp/
RUN apk upgrade --no-cache && \
    apk add --no-cache libstdc++ curl && \
    apk add --allow-untrusted /tmp/*.apk && \
    rm -rf /tmp/*.apk && \
    ( /usr/glibc-compat/bin/localedef --force --inputfile POSIX --charmap UTF-8 C.UTF-8 || true ) && \
    echo "export LANG=C.UTF-8" > /etc/profile.d/locale.sh && \
    /usr/glibc-compat/sbin/ldconfig /lib /usr/glibc-compat/lib

Create release using tags

Pushing a git tag to GitHub should:

trigger a build in CircleCI
produce a binary glibc artifact
create a release in GitHub for that tag; and
upload the binary to that release

Possibility of signing images?

Thank you for your work on this. It's pretty much the basis for any and every Alpine Linux container image that requires glibc :)

Would it be possible to get the resulting artifacts/packages signed in any way? What I usually see in a lot of Dockerfiles is

apk add --allow-untrusted <some-apk>

That really doesn't fit with my understanding of chain of trust, especially when it comes to something as vital as a C runtime library.

When will 1.37 be released ？

ld.so.conf: No such file or directory

/glibc-build/elf/ldconfig: Warning: ignoring configuration file that cannot be opened: /usr/glibc-compat/etc/ld.so.conf: No such file or directory
make[1]: Leaving directory '/glibc-2.23'
tar: Removing leading / from member names

Glibc needs ld.so.conf in the install destdir.

mkdir -p $prefix/etc
touch $prefix/etc/ld.so.conf

Create releases from tags

Releases are currently manually created from git tags. The most laborious part of this is adding the artifacts from the CircleCI build to the release. This can be improved through automation!

Use CircleCI and tcnksm/ghr to create GitHub releases from git tags.

LICENSE is missing in repo.

Hi @sgerrand I'd like fork the and consider multi arch builds.

I've noticed there's no LICENSE in the repo, I know this might be an annoying issue, but according to github No License, means on legal terms we cannot share and contribute.

Thanks

Use enable-stack-protector

The following is available since glibc 2.25:

* Most of glibc can now be built with the stack smashing protector enabled.
  It is recommended to build glibc with --enable-stack-protector=strong.
  Implemented by Nick Alcock (Oracle).

I would like to suggest that https://github.com/sgerrand/docker-glibc-builder/blob/master/builder is updated to include this parameter when running configure.

Build binary using CircleCI

The glibc binary should be built using CircleCI.

What are the actual steps to install the output tar.gz file into the OS?

Title