Change build image to Debian Buster as reasonable glibc base (2.28)

Update README with note on that matter
2022-06-07 01:44:23 +01:00 · 2022-06-07 01:44:23 +01:00 · cfa0866972
commit cfa0866972
parent 4ba5d1ac21
4 changed files with 76 additions and 11 deletions
--- a/.editorconfig
+++ b/.editorconfig
@ -0,0 +1,16 @@
+[*]
+charset = utf-8
+end_of_line = lf
+indent_size = 4
+indent_style = space
+insert_final_newline = true
+max_line_length = 120
+tab_width = 4
+trim_trailing_whitespace = true
+
+[*.{md, yaml, yml}]
+indent_size = 2
+tab_width = 2
+
+[*.md]
+max_line_length = 80
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@ -8,7 +8,7 @@ variables:
  GIT_DEPTH: "1"

 .build-job: &build-job
-  image: docker.io/library/debian:bullseye
+  image: docker.io/library/debian:buster
  needs: [ ]
  before_script:
    - apt -qq update
--- a/README.md
+++ b/README.md
@ -6,7 +6,8 @@ Build scripts for HAProxy with QUIC

 ## Quickstart

-**NOTE FOR QUIC:** docker and docker-compose require explicit UDP protocol port mapping, otherwise they assume only-TCP. See below.
+**NOTE FOR QUIC:** docker and docker-compose require explicit UDP protocol port
+mapping, otherwise they assume only-TCP. See below.

 ```shell
 docker run -it \
@ -17,10 +18,13 @@ docker run -it \
    registry.gitlab.com/mangadex-pub/haproxy:2.6-bullseye
 ```

-Here's a sample configuration (requires you to figure out the certificate) to test HTTP/3.0 support. The first connection should be over HTTP/1.1 or HTTP/2, and
+Here's a sample configuration (requires you to figure out the certificate) to
+test HTTP/3.0 support. The first connection should be over HTTP/1.1 or HTTP/2,
+and
 after a few refreshes it should be over HTTP/3.

-See [Announcing HAProxy 2.6](https://www.haproxy.com/blog/announcing-haproxy-2-6/) for more info.
+See [Announcing HAProxy 2.6](https://www.haproxy.com/blog/announcing-haproxy-2-6/)
+for more info.

 ```haproxy
 ...
@ -34,7 +38,8 @@ frontend https

 ## Build it

-You will need the following dependencies (Debian/Ubuntu packages given as example):
+You will need the following dependencies (Debian/Ubuntu packages given as
+example):

 - Development tools (`build-essential`)
 - curl and ssl support for it (`curl` and `ca-certificates`)
@ -45,14 +50,44 @@ You will need the following dependencies (Debian/Ubuntu packages given as exampl

 Then just run `make` and the build should pass.

-First, `deps/quictls/quictls-dist.tar.gz` should be expanded so it matches the host's
+First, `deps/quictls/quictls-dist.tar.gz` should be expanded so it matches the
+host's
 `/opt/quictls` when expanding, as it is where HAProxy will look for OpenSSL.

 And finally `haproxy/haproxy-dist.tar.gz` can be expanded anywhere.

+## Compatibility of binaries
+
+You may acquire binaries for non-docker usage in 2 ways:
+
+- We distribute binary tarballs for this repo in
+  the [project's packages](https://gitlab.com/mangadex-pub/haproxy/-/packages)
+- You can build it locally, which results in `deps/quictls/quictls-dist.tar.gz`
+  and `haproxy/haproxy-dist.tar.gz`
+
+Please note that neither QuicTLS/OpenSSL nor HAProxy are fully statically
+compiled. They are still linking to glibc. You see that
+with `readelf -d /path/to/binary`.
+
+As a result, you may be unable to run a binary linked using a more recent glibc.
+
+Our CI uses the most recent Debian Buster image for compilation. You can find
+out the exact libc version this links against with `ldd --version` like so:
+
+```shell
+$ docker run -it debian:buster ldd --version | head -n1
+ldd (Debian GLIBC 2.28-10+deb10u1) 2.28
+```
+
+Particular care should thus be put in what host you use for compilation.
+
+Similarly, if you generally enjoy running abandonware you will not be able to
+use any of our non-docker artifacts.
+
 ## Should I use this repo?

 This is an:
+
 - unofficial build of HAProxy
 - which enables an experimental feature of HAProxy
 - which relies on an unofficial build of OpenSSL
@ -60,14 +95,24 @@ This is an:

 Generally speaking, you shouldn't.

-That said, please PR improvements back if you do. We'll be using it ourselves too.
+That said, please PR improvements back if you do. We'll be using it ourselves
+too.

 ## What's in there

 First, we want to statically build things where possible, which is done for:
+
 - LUA
 - PCRE2
- QuicTLS
+- QuicTLS (*partially*, still links to host glibc)

-Then we want HAProxy to not use the system's OpenSSL but rather our QuicTLS build, which
+Then we want HAProxy to not use the system's OpenSSL but rather our QuicTLS
+build, which
 it will look for at the `/opt/quictls` prefix.
+
+## Notes
+
+Since we're building our own binaries, we also increase MAX_SESS_STKCTR to 5
+instead of the default of 3. If you don't know what that is, it's irrelevant to
+you. You can read some
+more [here](https://github.com/haproxy/haproxy/issues/1565).
--- a/haproxy/Makefile
+++ b/haproxy/Makefile
@ -10,10 +10,13 @@ DEP_ROOT_LUA = ../deps/lua
 DEP_ROOT_PCRE2 = ../deps/pcre2
 DEP_ROOT_QUICTLS = ../deps/quictls

+BUILD_VERSION_REPOSHA = $(shell git rev-parse --short HEAD)
+
 HAPROXY_MAKE_ARGS := DEBUG="-DDEBUG_STRICT -DDEBUG_MEMORY_POOLS" \
+					 DEFINE="-DMAX_SESS_STKCTR=5" \
                     LDFLAGS="-Wl,-rpath,/opt/quictls/lib" \
                     TARGET="linux-glibc" \
-                     EXTRAVERSION="+mangadex" \
+                     EXTRAVERSION="+mangadex/$(BUILD_VERSION_REPOSHA)" \
                     VERDATE="$$(date -u -I'minutes')" \
                     USE_DL=1 \
                     USE_GETADDRINFO=1 \
@ -45,6 +48,7 @@ $(HAPROXY_BUILDIR):
 	git -C "$(HAPROXY_BUILDIR)" checkout "master"

 build: $(HAPROXY_BUILDIR)
+	make -C "$(HAPROXY_BUILDIR)" -j "$(shell nproc)" clean
 	make -C "$(HAPROXY_BUILDIR)" -j "$(shell nproc)" $(HAPROXY_MAKE_ARGS) opts
 	make -C "$(HAPROXY_BUILDIR)" -j "$(shell nproc)" $(HAPROXY_MAKE_ARGS)