Merge pull request #411 from pjbgf/musl-free

Remove MUSL and enable threadless libgit2 support

Author: stefanprodan

Dockerfile

@@ -1,9 +1,9 @@
 ARG BASE_VARIANT=alpine
 ARG GO_VERSION=1.18
-ARG XX_VERSION=1.1.0
+ARG XX_VERSION=1.1.2
 
-ARG LIBGIT2_IMG=ghcr.io/fluxcd/golang-with-libgit2-all
-ARG LIBGIT2_TAG=v0.1.2
+ARG LIBGIT2_IMG=ghcr.io/fluxcd/golang-with-libgit2-only
+ARG LIBGIT2_TAG=v0.2.0
 
 FROM ${LIBGIT2_IMG}:${LIBGIT2_TAG} AS libgit2-libs
 
@@ -17,7 +17,7 @@ FROM gostable AS go-linux
 # These will be used at current arch to yield execute the cross compilations.
 FROM go-${TARGETOS} AS build-base
 
-RUN apk add --no-cache clang lld pkgconfig
+RUN apk add clang lld pkgconfig
 
 COPY --from=xx / /
 
@@ -37,23 +37,6 @@ COPY go.sum go.sum
 # Cache modules
 RUN go mod download
 
-# The musl-tool-chain layer is an adhoc solution
-# for the problem in which xx gets confused during compilation
-# and a) looks for gold linker and then b) cannot find musl's dynamic linker.
-FROM --platform=$BUILDPLATFORM alpine as musl-tool-chain
-
-COPY --from=xx / /
-
-RUN apk add bash curl tar
-
-WORKDIR /workspace
-COPY hack/download-musl.sh .
-
-ARG TARGETPLATFORM
-ARG TARGETARCH
-RUN ROOT_DIR="$(pwd)" TARGET_ARCH="$(xx-info alpine-arch)" ENV_FILE=true \
-        ./download-musl.sh
-
 # Build stage install per target platform
 # dependency and effectively cross compile the application.
 FROM build-go-mod as build
@@ -64,7 +47,7 @@ COPY --from=libgit2-libs /usr/local/ /usr/local/
 
 # Some dependencies have to installed
 # for the target platform: https://github.com/tonistiigi/xx#go--cgo
-RUN xx-apk add musl-dev gcc lld
+RUN xx-apk add musl-dev gcc clang lld
 
 WORKDIR /workspace
 
@@ -74,20 +57,14 @@ COPY controllers/ controllers/
 COPY pkg/ pkg/
 COPY internal/ internal/
 
-COPY --from=musl-tool-chain /workspace/build /workspace/build
-
 ARG TARGETPLATFORM
 ARG TARGETARCH
 ENV CGO_ENABLED=1
 
-# Performance related changes:
-# - Use read-only bind instead of copying go source files.
-# - Cache go packages.
-RUN export $(cat build/musl/$(xx-info alpine-arch).env | xargs) && \
-    export LIBRARY_PATH="/usr/local/$(xx-info triple):/usr/local/$(xx-info triple)/lib64" && \
-    export PKG_CONFIG_PATH="/usr/local/$(xx-info triple)/lib/pkgconfig:/usr/local/$(xx-info triple)/lib64/pkgconfig" && \
-    export CGO_LDFLAGS="$(pkg-config --static --libs --cflags libssh2 openssl libgit2) -static" && \
-    GOARCH=$TARGETARCH go build  \
+RUN export LIBRARY_PATH="/usr/local/$(xx-info triple)" && \
+    export PKG_CONFIG_PATH="/usr/local/$(xx-info triple)/lib/pkgconfig" && \
+    export CGO_LDFLAGS="$(pkg-config --static --libs --cflags libgit2) -static -fuse-ld=lld" && \
+    xx-go build  \
         -ldflags "-s -w" \
         -tags 'netgo,osusergo,static_build' \
         -o /image-automation-controller -trimpath main.go;

Makefile

@@ -7,8 +7,8 @@ TAG ?= latest
 CRD_OPTIONS ?= crd:crdVersions=v1
 
 # Base image used to build the Go binary
-LIBGIT2_IMG ?= ghcr.io/fluxcd/golang-with-libgit2-all
-LIBGIT2_TAG ?= v0.1.2
+LIBGIT2_IMG ?= ghcr.io/fluxcd/golang-with-libgit2-only
+LIBGIT2_TAG ?= v0.2.0
 
 # Allows for defining additional Docker buildx arguments,
 # e.g. '--push'.
@@ -42,37 +42,20 @@ LIBGIT2_PATH := $(BUILD_DIR)/libgit2/$(LIBGIT2_TAG)
 LIBGIT2_LIB_PATH := $(LIBGIT2_PATH)/lib
 LIBGIT2_LIB64_PATH := $(LIBGIT2_PATH)/lib64
 LIBGIT2 := $(LIBGIT2_LIB_PATH)/libgit2.a
-MUSL-CC =
 
 export CGO_ENABLED=1
 export PKG_CONFIG_PATH=$(LIBGIT2_LIB_PATH)/pkgconfig
 export LIBRARY_PATH=$(LIBGIT2_LIB_PATH)
 export CGO_CFLAGS=-I$(LIBGIT2_PATH)/include -I$(LIBGIT2_PATH)/include/openssl
-
+export CGO_LDFLAGS=$(shell PKG_CONFIG_PATH=$(PKG_CONFIG_PATH) pkg-config --libs --static --cflags libgit2 2>/dev/null)
 
 # The pkg-config command will yield warning messages until libgit2 is downloaded.
 ifeq ($(shell uname -s),Darwin)
-export CGO_LDFLAGS=$(shell PKG_CONFIG_PATH=$(PKG_CONFIG_PATH) pkg-config --libs --static --cflags libssh2 openssl libgit2 2>/dev/null)
 GO_STATIC_FLAGS=-ldflags "-s -w" -tags 'netgo,osusergo,static_build'
-else
-export PKG_CONFIG_PATH:=$(PKG_CONFIG_PATH):$(LIBGIT2_LIB64_PATH)/pkgconfig
-export LIBRARY_PATH:=$(LIBRARY_PATH):$(LIBGIT2_LIB64_PATH)
-export CGO_LDFLAGS=$(shell PKG_CONFIG_PATH=$(PKG_CONFIG_PATH) pkg-config --libs --static --cflags libssh2 openssl libgit2 2>/dev/null)
 endif
 
 ifeq ($(shell uname -s),Linux)
-ifeq ($(shell uname -m),x86_64)
-# Linux x86_64 seem to be able to cope with the static libraries
-# by having only musl-dev installed, without the need of using musl toolchain.
 	GO_STATIC_FLAGS=-ldflags "-s -w" -tags 'netgo,osusergo,static_build'
-else
-	MUSL-PREFIX=$(BUILD_DIR)/musl/$(shell uname -m)-linux-musl-native/bin/$(shell uname -m)-linux-musl
-	MUSL-CC=$(MUSL-PREFIX)-gcc
-	export CC=$(MUSL-PREFIX)-gcc
-	export CXX=$(MUSL-PREFIX)-g++
-	export AR=$(MUSL-PREFIX)-ar
-	GO_STATIC_FLAGS=-ldflags "-s -w -extldflags \"-static\"" -tags 'netgo,osusergo,static_build'
-endif
 endif
 
 # API (doc) generation utilities
@@ -213,16 +196,11 @@ controller-gen: ## Download controller-gen locally if necessary.
 libgit2: $(LIBGIT2)  ## Detect or download libgit2 library
 
 COSIGN = $(GOBIN)/cosign
-$(LIBGIT2): $(MUSL-CC)
+$(LIBGIT2):
 	$(call go-install-tool,$(COSIGN),github.com/sigstore/cosign/cmd/cosign@latest)
 
 	IMG=$(LIBGIT2_IMG) TAG=$(LIBGIT2_TAG) PATH=$(PATH):$(GOBIN) ./hack/install-libraries.sh
 
-$(MUSL-CC):
-ifneq ($(shell uname -s),Darwin)
-	./hack/download-musl.sh
-endif
-
 # Find or download gen-crd-api-reference-docs
 GEN_CRD_API_REFERENCE_DOCS = $(GOBIN)/gen-crd-api-reference-docs
 .PHONY: gen-crd-api-reference-docs

controllers/suite_test.go

@@ -24,6 +24,7 @@ import (
 	"testing"
 	"time"
 
+	git2go "github.com/libgit2/git2go/v33"
 	utilruntime "k8s.io/apimachinery/pkg/util/runtime"
 	"k8s.io/client-go/kubernetes/scheme"
 	ctrl "sigs.k8s.io/controller-runtime"
@@ -53,6 +54,8 @@ func init() {
 }
 
 func TestMain(m *testing.M) {
+	mustHaveNoThreadSupport()
+
 	utilruntime.Must(imagev1_reflect.AddToScheme(scheme.Scheme))
 	utilruntime.Must(sourcev1.AddToScheme(scheme.Scheme))
 	utilruntime.Must(imagev1.AddToScheme(scheme.Scheme))
@@ -90,3 +93,22 @@ func TestMain(m *testing.M) {
 
 	os.Exit(code)
 }
+
+// This provides a regression assurance for image-automation-controller/#339.
+// Validates that:
+// - libgit2 was built with no support for threads.
+// - git2go accepts libgit2 built with no support for threads.
+//
+// The logic below does the validation of the former, whilst
+// referring to git2go forces its init() execution, which is
+// where any validation to that effect resides.
+//
+// git2go does not support threadless libgit2 by default,
+// hence a fork is being used which disables such validation.
+//
+// TODO: extract logic into pkg.
+func mustHaveNoThreadSupport() {
+	if git2go.Features()&git2go.FeatureThreads != 0 {
+		panic("libgit2 must not be build with thread support")
+	}
+}

go.mod

@@ -4,6 +4,16 @@ go 1.18
 
 replace github.com/fluxcd/image-automation-controller/api => ./api
 
+// A temporary fork of git2go was created to enable use
+// of libgit2 without thread support to fix:
+// fluxcd/image-automation-controller/#339.
+//
+// This can be removed once libgit2/git2go#918 is merged.
+//
+// The fork automatically releases new patches based on upstream:
+// https://github.com/pjbgf/git2go/commit/d72e39cdc20f7fe014ba73072b01ba7b569e9253
+replace github.com/libgit2/git2go/v33 => github.com/pjbgf/git2go/v33 v33.0.9-nothread-check
+
 require (
 	github.com/Masterminds/sprig/v3 v3.2.2
 	github.com/ProtonMail/go-crypto v0.0.0-20220714114130-e85cedf506cd

go.sum

@@ -449,8 +449,6 @@ github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=
 github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI=
 github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
 github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE=
-github.com/libgit2/git2go/v33 v33.0.9 h1:4ch2DJed6IhJO28BEohkUoGvxLsRzUjxljoNFJ6/O78=
-github.com/libgit2/git2go/v33 v33.0.9/go.mod h1:KdpqkU+6+++4oHna/MIOgx4GCQ92IPCdpVRMRI80J+4=
 github.com/magiconair/properties v1.8.1/go.mod h1:PppfXfuXeibc/6YijjN8zIbojt8czPbwD3XqdrwzmxQ=
 github.com/magiconair/properties v1.8.5/go.mod h1:y3VJvCyxH9uVvJTWEGAELF3aiYNyPKd5NZ3oSwXrF60=
 github.com/mailru/easyjson v0.0.0-20190614124828-94de47d64c63/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc=
@@ -536,6 +534,8 @@ github.com/pascaldekloe/goe v0.0.0-20180627143212-57f6aae5913c/go.mod h1:lzWF7FI
 github.com/pelletier/go-toml v1.2.0/go.mod h1:5z9KED0ma1S8pY6P1sdut58dfprrGBbd/94hg7ilaic=
 github.com/pelletier/go-toml v1.9.3/go.mod h1:u1nR/EPcESfeI/szUZKdtJ0xRNbUoANCkoOuaOx1Y+c=
 github.com/peterbourgon/diskv v2.0.1+incompatible/go.mod h1:uqqh8zWWbv1HBMNONnaR/tNboyR3/BZd58JJSHlUSCU=
+github.com/pjbgf/git2go/v33 v33.0.9-nothread-check h1:gSK7FaLECIM3VSuBOAsVZQtWd+51iTB5lv9RyxhOYMk=
+github.com/pjbgf/git2go/v33 v33.0.9-nothread-check/go.mod h1:KdpqkU+6+++4oHna/MIOgx4GCQ92IPCdpVRMRI80J+4=
 github.com/pkg/errors v0.8.0/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=

hack/download-musl.sh

@@ -136,11 +136,11 @@ install_libraries(){
         fi
     fi
 
-    FILE_NAME="linux-$(uname -m)-all-libs.tar.gz"
-    DIR="libgit2-linux-all-libs"
+    FILE_NAME="linux-$(uname -m)-libgit2-only.tar.gz"
+    DIR="linux-libgit2-only"
     if [[ $OSTYPE == 'darwin'* ]]; then
-        FILE_NAME="darwin-all-libs.tar.gz"
-        DIR="darwin-all-libs"
+        FILE_NAME="darwin-libgit2-only.tar.gz"
+        DIR="darwin-libgit2-only"
     fi
 
     download_files "${FILE_NAME}"

hack/install-libraries.sh

@@ -16,7 +16,7 @@
 
 set -euxo pipefail
 
-LIBGIT2_TAG="${LIBGIT2_TAG:-v0.1.2}"
+LIBGIT2_TAG="${LIBGIT2_TAG:-v0.2.0}"
 GOPATH="${GOPATH:-/root/go}"
 GO_SRC="${GOPATH}/src"
 PROJECT_PATH="github.com/fluxcd/image-automation-controller"
@@ -28,9 +28,9 @@ export TARGET_DIR="$(/bin/pwd)/build/libgit2/${LIBGIT2_TAG}"
 # For most cases, libgit2 will already be present.
 # The exception being at the oss-fuzz integration.
 if [ ! -d "${TARGET_DIR}" ]; then
-    curl -o output.tar.gz -LO "https://github.com/fluxcd/golang-with-libgit2/releases/download/${LIBGIT2_TAG}/linux-$(uname -m)-all-libs.tar.gz"
+    curl -o output.tar.gz -LO "https://github.com/fluxcd/golang-with-libgit2/releases/download/${LIBGIT2_TAG}/linux-$(uname -m)-libgit2-only.tar.gz"
 
-    DIR=libgit2-linux-all-libs
+    DIR=linux-libgit2-only
     NEW_DIR="$(/bin/pwd)/build/libgit2/${LIBGIT2_TAG}"
     INSTALLED_DIR="/home/runner/work/golang-with-libgit2/golang-with-libgit2/build/${DIR}"
 
@@ -77,7 +77,6 @@ SOURCE_VER=$(go list -m github.com/fluxcd/source-controller/api | awk '{print $2
 REFLECTOR_VER=$(go list -m github.com/fluxcd/image-reflector-controller/api | awk '{print $2}')
 
 go mod download
-go mod tidy -go=1.18
 go get -d github.com/fluxcd/image-automation-controller
 go get -d github.com/AdaLogics/go-fuzz-headers
 
@@ -103,9 +102,7 @@ function go_compile(){
         go-fuzz -tags gofuzz -func="${function}" -o "${fuzzer}.a" .
         ${CXX} ${CXXFLAGS} ${LIB_FUZZING_ENGINE} -o "${OUT}/${fuzzer}" \
             "${fuzzer}.a" \
-            "${TARGET_DIR}/lib/libgit2.a" "${TARGET_DIR}/lib/libssh2.a" \
-            "${TARGET_DIR}/lib/libz.a" "${TARGET_DIR}/lib64/libssl.a" \
-            "${TARGET_DIR}/lib64/libcrypto.a" \
+            "${TARGET_DIR}/lib/libgit2.a" \
             -fsanitize="${SANITIZER}"
     fi
 }