diff --git a/pkgs/servers/http/envoy/default.nix b/pkgs/servers/http/envoy/default.nix index 9bcf573d06c4..b9342ccd4fac 100644 --- a/pkgs/servers/http/envoy/default.nix +++ b/pkgs/servers/http/envoy/default.nix @@ -1,14 +1,14 @@ { lib -, bazel_4 +, bazel_5 , buildBazelPackage , fetchFromGitHub -, fetchpatch , stdenv , cmake , gn , go , jdk , ninja +, patchelf , python3 , linuxHeaders , nixosTests @@ -23,19 +23,19 @@ let # However, the version string is more useful for end-users. # These are contained in a attrset of their own to make it obvious that # people should update both. - version = "1.21.5"; - rev = "0512f18b764828497febd0f6dcecc1861003d614"; + version = "1.23.1"; + rev = "edd69583372955fdfa0b8ca3820dd7312c094e46"; }; in buildBazelPackage rec { pname = "envoy"; inherit (srcVer) version; - bazel = bazel_4; + bazel = bazel_5; src = fetchFromGitHub { owner = "envoyproxy"; repo = "envoy"; inherit (srcVer) rev; - sha256 = "sha256-VWcfdoZ1wGkxaf0PZwfiSFg8D/QDIZs4u/iLUnsbjMo="; + sha256 = "sha256:157dbmp479xv5507n48yibvlgi2ac0l3sl9rzm28cm9lhzwva3k0"; postFetch = '' chmod -R +w $out 
@@ -48,26 +48,21 @@ buildBazelPackage rec { postPatch = '' sed -i 's,#!/usr/bin/env python3,#!${python3}/bin/python,' bazel/foreign_cc/luajit.patch sed -i '/javabase=/d' .bazelrc - # Patch paths to build tools, and disable gold because it just segfaults. - substituteInPlace bazel/external/wee8.genrule_cmd \ - --replace '"''$$gn"' '"''$$(command -v gn)"' \ - --replace '"''$$ninja"' '"''$$(command -v ninja)"' \ - --replace '"''$$WEE8_BUILD_ARGS"' '"''$$WEE8_BUILD_ARGS use_gold=false"' + + # Use system Python. + sed -i -e '/python_interpreter_target =/d' -e '/@python3_10/d' bazel/python_dependencies.bzl ''; patches = [ - # make linux/tcp.h relative. drop when upgrading to >1.21 - (fetchpatch { - url = "https://github.com/envoyproxy/envoy/commit/68448aae7a78a3123097b6ea96016b270457e7b8.patch"; - sha256 = "123kv3x37p8fgfp29jhw5xg5js5q5ipibs8hsm7gzfd5bcllnpfh"; - }) - # fix issues with brotli and GCC 11.2.0+ (-Werror=vla-parameter) ./bump-brotli.patch # fix linux-aarch64 WAMR builds # (upstream WAMR only detects aarch64 on Darwin, not Linux) ./fix-aarch64-wamr.patch + + # use system Python, not bazel-fetched binary Python + ./use-system-python.patch ]; nativeBuildInputs = [ @@ -77,6 +72,7 @@ buildBazelPackage rec { go jdk ninja + patchelf ]; buildInputs = [ @@ -85,8 +81,8 @@ buildBazelPackage rec { fetchAttrs = { sha256 = { - x86_64-linux = "sha256-bE28PBQjsOLkxjIoDk6HcELPP3XzvqKKVa7yUbXB1Qk="; - aarch64-linux = "sha256-Rf7kEBeH72vsvmzKy/7oKQf8cVNVzIcSuXMhrIhMFKM="; + x86_64-linux = "0y3gpvx148bnn6kljdvkg99m681vw39l0avrhvncbf62hvpifqkw"; + aarch64-linux = "0lln5mdlskahz5hb4w268ys2ksy3051drrwlhracmk4i7rpm7fq3"; }.${stdenv.system} or (throw "unsupported system ${stdenv.system}"); dontUseCmakeConfigure = true; dontUseGnConfigure = true; 
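Review bot: The added `sed -i -e '/python_interpreter_target =/d' -e '/@python3_10/d' bazel/python_dependencies.bzl` in postPatch appears to delete the same lines that the newly added `./use-system-python.patch` already removes from that file, so the interpreter pin is stripped by two mechanisms. Since postPatch normally runs after `patches` are applied, the sed would then match nothing and still exit 0, and nothing shows which of the two is load-bearing. I would keep only the patch, because it fails loudly when upstream changes the file. If the sed is needed for a phase where the patch is not applied, say so in the comment and follow it with a check such as `! grep -q python_interpreter_target bazel/python_dependencies.bzl`.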
@@ -95,6 +91,12 @@ buildBazelPackage rec { find $bazelOut/external -name requirements.bzl | while read requirements; do sed -i '/# Generated from /d' "$requirements" done + find $bazelOut/external -type f -executable | while read execbin; do + file "$execbin" | grep -q ': ELF .*, dynamically linked,' || continue + patchelf \ + --set-interpreter $(cat ${stdenv.cc}/nix-support/dynamic-linker) \ + "$execbin" + done # Remove references to paths in the Nix store. sed -i \ @@ -138,6 +140,12 @@ buildBazelPackage rec { "--cxxopt=-Wno-maybe-uninitialized" "--cxxopt=-Wno-uninitialized" "--cxxopt=-Wno-error=type-limits" + "--cxxopt=-Wno-error=range-loop-construct" + + # Force use of system Java. + "--extra_toolchains=@local_jdk//:all" + "--java_runtime_version=local_jdk" + "--tool_java_runtime_version=local_jdk" "--define=wasm=${wasmRuntime}" ]; diff --git a/pkgs/servers/http/envoy/use-system-python.patch b/pkgs/servers/http/envoy/use-system-python.patch new file mode 100644 index 000000000000..a2030cc75fd0 --- /dev/null +++ b/pkgs/servers/http/envoy/use-system-python.patch 
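Review bot: In the added `find … | while read execbin` loop, a failure of `file` itself is indistinguishable from "not an ELF binary". If `file` is missing from PATH or errors out, `grep -q` sees no input, `|| continue` fires, and every fetched executable is skipped without a message. Only `patchelf` is added to nativeBuildInputs in this diff, so it is worth confirming that `file` is provided there too (the list is only partly visible in the hunk). Using `while IFS= read -r execbin; do` and quoting `"$bazelOut"` and the `$(cat …/dynamic-linker)` substitution would also keep unusual file names in Bazel's external tree from being mangled. If this loop runs in the fixed-output dependency fetch, as the surrounding context suggests, writing the current dynamic-linker path into those binaries ties the pinned fetchAttrs hashes to the toolchain in use.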
@@ -0,0 +1,58 @@
+diff --git a/bazel/python_dependencies.bzl b/bazel/python_dependencies.bzl
+index d9dfb14a9b..b8e92452a7 100644
+--- a/bazel/python_dependencies.bzl
++++ b/bazel/python_dependencies.bzl
+@@ -1,10 +1,8 @@
+ load("@rules_python//python:pip.bzl", "pip_install", "pip_parse")
+-load("@python3_10//:defs.bzl", "interpreter")
+
+ def envoy_python_dependencies():
+ pip_parse(
+ name = "base_pip3",
+- python_interpreter_target = interpreter,
+ requirements_lock = "@envoy//tools/base:requirements.txt",
+ extra_pip_args = ["--require-hashes"],
+ )
+@@ -12,14 +10,12 @@ def envoy_python_dependencies():
+ # These need to use `pip_install`
+ pip_install(
+ # Note: dev requirements do *not* check hashes
+- python_interpreter_target = interpreter,
+ name = "dev_pip3",
+ requirements = "@envoy//tools/dev:requirements.txt",
+ )
+
+ pip_install(
+ name = "fuzzing_pip3",
+- python_interpreter_target = interpreter,
+ requirements = "@rules_fuzzing//fuzzing:requirements.txt",
+ extra_pip_args = ["--require-hashes"],
+ )
+diff --git a/bazel/repositories_extra.bzl b/bazel/repositories_extra.bzl
+index 885b41dec6..ac5605eb30 100644
+--- a/bazel/repositories_extra.bzl
++++ b/bazel/repositories_extra.bzl
+@@ -1,22 +1,12 @@
+ load("@emsdk//:deps.bzl", emsdk_deps = "deps")
+-load("@rules_python//python:repositories.bzl", "python_register_toolchains")
+ load("@proxy_wasm_cpp_host//bazel/cargo/wasmtime:crates.bzl", "wasmtime_fetch_remote_crates")
+ load("//bazel/external/cargo:crates.bzl", "raze_fetch_remote_crates")
+ load("@aspect_bazel_lib//lib:repositories.bzl", "aspect_bazel_lib_dependencies")
+
+-# Python version for `rules_python`
+-PYTHON_VERSION = "3.10.2"
+-
+ # Envoy deps that rely on a first stage of dependency loading in envoy_dependencies().
+-def envoy_dependencies_extra(python_version = PYTHON_VERSION):
++def envoy_dependencies_extra():
+ emsdk_deps()
+ raze_fetch_remote_crates()
+ wasmtime_fetch_remote_crates()
+
+- # Registers underscored Python minor version - eg `python3_10`
+- python_register_toolchains(
+- name = "python%s" % ("_".join(python_version.split(".")[:-1])),
+- python_version = python_version,
+- )
+-
+ aspect_bazel_lib_dependencies()
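Review bot: The new patch file starts directly at `diff --git`, with no header saying why it exists or whether it was sent upstream. A short preamble such as `Use the python3 from the build environment instead of the interpreter downloaded by rules_python (python3_10).` would help whoever rebases it on the next Envoy bump. With `python_interpreter_target` removed, `pip_parse` and `pip_install` presumably fall back to rules_python's default interpreter lookup, so the fetch now depends on `python3` being on PATH; the header is a good place to state that. Dropping the `python_version` parameter from `envoy_dependencies_extra` also changes its signature, so any caller passing that argument (none are visible here) would need the same patch.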