1#!/bin/bash
2# Copyright (C) 2017 SUSE LLC.
3# Copyright (C) 2017-2021 Open Containers Authors
4#
5# Licensed under the Apache License, Version 2.0 (the "License");
6# you may not use this file except in compliance with the License.
7# You may obtain a copy of the License at
8#
9# http://www.apache.org/licenses/LICENSE-2.0
10#
11# Unless required by applicable law or agreed to in writing, software
12# distributed under the License is distributed on an "AS IS" BASIS,
13# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14# See the License for the specific language governing permissions and
15# limitations under the License.
16
17set -e
18
19## --->
20# Project-specific options and functions. In *theory* you shouldn't need to
21# touch anything else in this script in order to use this elsewhere.
22: "${LIBSECCOMP_VERSION:=2.5.4}"
23project="runc"
24root="$(readlink -f "$(dirname "${BASH_SOURCE[0]}")/..")"
25
26# shellcheck source=./script/lib.sh
27source "$root/script/lib.sh"
28
29# This function takes an output path as an argument, where the built
30# (preferably static) binary should be placed.
31# Parameters:
32# $1 -- destination directory to place build artefacts to.
33# $2 -- native architecture (a .suffix for a native binary file name).
34# $@ -- additional architectures to cross-build for.
35function build_project() {
36 local builddir
37 builddir="$(dirname "$1")"
38 shift
39 local native_arch="$1"
40 shift
41 local arches=("$@")
42
43 # Assume that if /opt/libseccomp exists, then we are run
44 # via Dockerfile, and seccomp is already built.
45 local seccompdir=/opt/libseccomp temp_dir
46 if [ ! -d "$seccompdir" ]; then
47 temp_dir="$(mktemp -d)"
48 seccompdir="$temp_dir"
49 # Download and build libseccomp.
50 "$root/script/seccomp.sh" "$LIBSECCOMP_VERSION" "$seccompdir" "${arches[@]}"
51 fi
52
53 # For reproducible builds, add these to EXTRA_LDFLAGS:
54 # -w to disable DWARF generation;
55 # -s to disable symbol table;
56 # -buildid= to remove variable build id.
57 local ldflags="-w -s -buildid="
58 # Add -a to go build flags to make sure it links against
59 # the provided libseccomp, not the system one (otherwise
60 # it can reuse cached pkg-config results).
61 local make_args=(COMMIT_NO= EXTRA_FLAGS="-a" EXTRA_LDFLAGS="${ldflags}" static)
62
63 # Build natively.
64 make -C "$root" \
65 PKG_CONFIG_PATH="$seccompdir/lib/pkgconfig" \
66 "${make_args[@]}"
67 strip "$root/$project"
68 # Sanity check: make sure libseccomp version is as expected.
69 local ver
70 ver=$("$root/$project" --version | awk '$1 == "libseccomp:" {print $2}')
71 if [ "$ver" != "$LIBSECCOMP_VERSION" ]; then
72 echo >&2 "libseccomp version mismatch: want $LIBSECCOMP_VERSION, got $ver"
73 exit 1
74 fi
75
76 mv "$root/$project" "$builddir/$project.$native_arch"
77
78 # Cross-build for for other architectures.
79 local arch
80 for arch in "${arches[@]}"; do
81 set_cross_vars "$arch"
82 make -C "$root" \
83 PKG_CONFIG_PATH="$seccompdir/$arch/lib/pkgconfig" \
84 "${make_args[@]}"
85 "$STRIP" "$root/$project"
86 mv "$root/$project" "$builddir/$project.$arch"
87 done
88
89 # Copy libseccomp source tarball.
90 cp "$seccompdir"/src/* "$builddir"
91
92 # Clean up.
93 if [ -n "$tempdir" ]; then
94 rm -rf "$tempdir"
95 fi
96}
97
98# End of the easy-to-configure portion.
99## <---
100
101# Print usage information.
102function usage() {
103 echo "usage: release_build.sh [-a <cross-arch>]... [-c <commit-ish>] [-H <hashcmd>]" >&2
104 echo " [-r <release-dir>] [-v <version>]" >&2
105 exit 1
106}
107
108# Log something to stderr.
109function log() {
110 echo "[*] $*" >&2
111}
112
113# Log something to stderr and then exit with 0.
114function bail() {
115 log "$@"
116 exit 0
117}
118
119# When creating releases we need to build static binaries, an archive of the
120# current commit, and generate detached signatures for both.
121commit="HEAD"
122version=""
123releasedir=""
124hashcmd=""
125declare -a add_arches
126
127while getopts "a:c:H:hr:v:" opt; do
128 case "$opt" in
129 a)
130 add_arches+=("$OPTARG")
131 ;;
132 c)
133 commit="$OPTARG"
134 ;;
135 H)
136 hashcmd="$OPTARG"
137 ;;
138 h)
139 usage
140 ;;
141 r)
142 releasedir="$OPTARG"
143 ;;
144 v)
145 version="$OPTARG"
146 ;;
147 :)
148 echo "Missing argument: -$OPTARG" >&2
149 usage
150 ;;
151 \?)
152 echo "Invalid option: -$OPTARG" >&2
153 usage
154 ;;
155 esac
156done
157
158version="${version:-$(<"$root/VERSION")}"
159releasedir="${releasedir:-release/$version}"
160hashcmd="${hashcmd:-sha256sum}"
161native_arch="$(go env GOARCH || echo "amd64")"
162# Suffixes of files to checksum/sign.
163suffixes=("$native_arch" "${add_arches[@]}" tar.xz)
164
165log "creating $project release in '$releasedir'"
166log " version: $version"
167log " commit: $commit"
168log " hash: $hashcmd"
169
170# Make explicit what we're doing.
171set -x
172
173# Make the release directory.
174rm -rf "$releasedir" && mkdir -p "$releasedir"
175
176# Build project.
177build_project "$releasedir/$project" "$native_arch" "${add_arches[@]}"
178
179# Generate new archive.
180git archive --format=tar --prefix="$project-$version/" "$commit" | xz >"$releasedir/$project.tar.xz"
181
182# Generate sha256 checksums for binaries and libseccomp tarball.
183(
184 cd "$releasedir"
185 # Add $project. prefix to all suffixes.
186 "$hashcmd" "${suffixes[@]/#/$project.}" >"$project.$hashcmd"
187)
View as plain text