From cfa0866972dc12aaf9700f22fc6f30c4d8976589 Mon Sep 17 00:00:00 2001 From: Tristan Date: Tue, 7 Jun 2022 01:44:23 +0100 Subject: [PATCH] Change build image to Debian Buster as reasonable glibc base (2.28) Update README with note on that matter --- .editorconfig | 16 ++++++++++++ .gitlab-ci.yml | 2 +- README.md | 63 +++++++++++++++++++++++++++++++++++++++++------- haproxy/Makefile | 6 ++++- 4 files changed, 76 insertions(+), 11 deletions(-) create mode 100644 .editorconfig diff --git a/.editorconfig b/.editorconfig new file mode 100644 index 0000000..da13a9e --- /dev/null +++ b/.editorconfig @@ -0,0 +1,16 @@ +[*] +charset = utf-8 +end_of_line = lf +indent_size = 4 +indent_style = space +insert_final_newline = true +max_line_length = 120 +tab_width = 4 +trim_trailing_whitespace = true + +[*.{md, yaml, yml}] +indent_size = 2 +tab_width = 2 + +[*.md] +max_line_length = 80 diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index 2d71411..bc5bda8 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -8,7 +8,7 @@ variables: GIT_DEPTH: "1" .build-job: &build-job - image: docker.io/library/debian:bullseye + image: docker.io/library/debian:buster needs: [ ] before_script: - apt -qq update diff --git a/README.md b/README.md index f429819..dbe30b8 100644 --- a/README.md +++ b/README.md @@ -6,7 +6,8 @@ Build scripts for HAProxy with QUIC ## Quickstart -**NOTE FOR QUIC:** docker and docker-compose require explicit UDP protocol port mapping, otherwise they assume only-TCP. See below. +**NOTE FOR QUIC:** docker and docker-compose require explicit UDP protocol port +mapping, otherwise they assume only-TCP. See below. ```shell docker run -it \ 
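Review bot: In the new `.editorconfig`, the `[*]` section applies `indent_style = space` to every file, including `haproxy/Makefile`, where recipe lines must begin with a tab; an editor that honours this file can break the recipes on save. Add an override such as `[Makefile]` followed by `indent_style = tab`. The header `[*.{md, yaml, yml}]` also has spaces after the commas, which EditorConfig takes literally as far as I know, so the 2-space settings probably do not reach `.yaml`/`.yml` files; `[*.{md,yaml,yml}]` removes the doubt.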
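Review bot: In `.gitlab-ci.yml`, the new `image: docker.io/library/debian:buster` line references the build image by a mutable tag, so the toolchain and glibc that the released tarballs link against can change between pipeline runs without any commit in this repository. The README in this same patch now tells users which glibc the artifacts target, so pin the image by digest and bump it deliberately, e.g. `image: docker.io/library/debian:buster@sha256:<DIGEST_PLACEHOLDER>`. Buster is also an older release than the bullseye it replaces, so it is worth confirming that it still receives security updates for the packages installed in `before_script`. The `.build-job` template continues past the hunk.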
@@ -17,24 +18,28 @@ docker run -it \ registry.gitlab.com/mangadex-pub/haproxy:2.6-bullseye ``` -Here's a sample configuration (requires you to figure out the certificate) to test HTTP/3.0 support. The first connection should be over HTTP/1.1 or HTTP/2, and +Here's a sample configuration (requires you to figure out the certificate) to +test HTTP/3.0 support. The first connection should be over HTTP/1.1 or HTTP/2, +and after a few refreshes it should be over HTTP/3. -See [Announcing HAProxy 2.6](https://www.haproxy.com/blog/announcing-haproxy-2-6/) for more info. +See [Announcing HAProxy 2.6](https://www.haproxy.com/blog/announcing-haproxy-2-6/) +for more info. ```haproxy ... frontend https bind :443 ssl crt /usr/local/etc/haproxy/cert.pem alpn h2,http/1.1 bind quic4@:443 ssl crt /usr/local/etc/haproxy/cert.pem alpn h3 - + http-after-response set-header alt-svc 'h3=":443"; ma=86400' http-request return status 200 content-type text/plain lf-string "Connected via %HV" ``` ## Build it -You will need the following dependencies (Debian/Ubuntu packages given as example): +You will need the following dependencies (Debian/Ubuntu packages given as +example): - Development tools (`build-essential`) - curl and ssl support for it (`curl` and `ca-certificates`) 
@@ -45,14 +50,44 @@ You will need the following dependencies (Debian/Ubuntu packages given as exampl Then just run `make` and the build should pass. -First, `deps/quictls/quictls-dist.tar.gz` should be expanded so it matches the host's +First, `deps/quictls/quictls-dist.tar.gz` should be expanded so it matches the +host's `/opt/quictls` when expanding, as it is where HAProxy will look for OpenSSL. And finally `haproxy/haproxy-dist.tar.gz` can be expanded anywhere. +## Compatibility of binaries + +You may acquire binaries for non-docker usage in 2 ways: + +- We distribute binary tarballs for this repo in + the [project's packages](https://gitlab.com/mangadex-pub/haproxy/-/packages) +- You can build it locally, which results in `deps/quictls/quictls-dist.tar.gz` + and `haproxy/haproxy-dist.tar.gz` + +Please note that neither QuicTLS/OpenSSL nor HAProxy are fully statically +compiled. They are still linking to glibc. You see that +with `readelf -d /path/to/binary`. + +As a result, you may be unable to run a binary linked using a more recent glibc. + +Our CI uses the most recent Debian Buster image for compilation. You can find +out the exact libc version this links against with `ldd --version` like so: + +```shell +$ docker run -it debian:buster ldd --version | head -n1 +ldd (Debian GLIBC 2.28-10+deb10u1) 2.28 +``` + +Particular care should thus be put in what host you use for compilation. + +Similarly, if you generally enjoy running abandonware you will not be able to +use any of our non-docker artifacts. + ## Should I use this repo? This is an: + - unofficial build of HAProxy - which enables an experimental feature of HAProxy - which relies on an unofficial build of OpenSSL 
@@ -60,14 +95,24 @@ This is an: Generally speaking, you shouldn't. -That said, please PR improvements back if you do. We'll be using it ourselves too. +That said, please PR improvements back if you do. We'll be using it ourselves +too. ## What's in there First, we want to statically build things where possible, which is done for: + - LUA - PCRE2 -- QuicTLS +- QuicTLS (*partially*, still links to host glibc) -Then we want HAProxy to not use the system's OpenSSL but rather our QuicTLS build, which +Then we want HAProxy to not use the system's OpenSSL but rather our QuicTLS +build, which it will look for at the `/opt/quictls` prefix. + +## Notes + +Since we're building our own binaries, we also increase MAX_SESS_STKCTR to 5 +instead of the default of 3. If you don't know what that is, it's irrelevant to +you. You can read some +more [here](https://github.com/haproxy/haproxy/issues/1565). diff --git a/haproxy/Makefile b/haproxy/Makefile index d122381..7683965 100644 --- a/haproxy/Makefile +++ b/haproxy/Makefile @@ -10,10 +10,13 @@ DEP_ROOT_LUA = ../deps/lua DEP_ROOT_PCRE2 = ../deps/pcre2 DEP_ROOT_QUICTLS = ../deps/quictls +BUILD_VERSION_REPOSHA = $(shell git rev-parse --short HEAD) + HAPROXY_MAKE_ARGS := DEBUG="-DDEBUG_STRICT -DDEBUG_MEMORY_POOLS" \ + DEFINE="-DMAX_SESS_STKCTR=5" \ LDFLAGS="-Wl,-rpath,/opt/quictls/lib" \ TARGET="linux-glibc" \ - EXTRAVERSION="+mangadex" \ + EXTRAVERSION="+mangadex/$(BUILD_VERSION_REPOSHA)" \ VERDATE="$$(date -u -I'minutes')" \ USE_DL=1 \ USE_GETADDRINFO=1 \ @@ -45,6 +48,7 @@ $(HAPROXY_BUILDIR): git -C "$(HAPROXY_BUILDIR)" checkout "master" build: $(HAPROXY_BUILDIR) + make -C "$(HAPROXY_BUILDIR)" -j "$(shell nproc)" clean make -C "$(HAPROXY_BUILDIR)" -j "$(shell nproc)" $(HAPROXY_MAKE_ARGS) opts make -C "$(HAPROXY_BUILDIR)" -j "$(shell nproc)" $(HAPROXY_MAKE_ARGS)
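Review bot: In `haproxy/Makefile`, `BUILD_VERSION_REPOSHA` is filled from `git rev-parse --short HEAD` with no fallback, so a build run outside a git work tree silently produces `EXTRAVERSION="+mangadex/"` and the binary loses the provenance marker this change adds. A simple assignment with a fallback avoids that, e.g. `BUILD_VERSION_REPOSHA := $(shell git rev-parse --short HEAD 2>/dev/null || echo unknown)`; `:=` also stops the shell call from re-running on each expansion. The SHA identifies this build-scripts repository only: the HAProxy sources come from `checkout "master"` (visible in the next hunk), so the version string does not record which HAProxy commit was compiled. Recording that commit as well would make a shipped binary traceable to its exact source. The `HAPROXY_MAKE_ARGS` definition continues past the hunk.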
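Review bot: The `clean` step added to the `build` recipe calls a literal `make`, so the sub-make does not inherit the parent's jobserver or its `-n` handling; the conventional form is `$(MAKE) -C "$(HAPROXY_BUILDIR)" clean`, and `clean` gains nothing from `-j`. The two context lines after it follow the same pattern and could be switched at the same time. If the intent is to force a full rebuild so that objects compiled with an earlier `DEFINE`/`EXTRAVERSION` are not reused, a one-line comment above the step saying so would help. The end of the `build` recipe may lie outside the hunk.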