mirror of
https://github.com/NixOS/nixpkgs.git
synced 2024-12-02 11:53:27 +00:00
62b0017f86
Attempts to update `envoy` have not been successful. Nobody with enough Bazel skills has stepped up to untangle the build issues with the latest version.
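# Envoy proxy, built from source with Bazel 5 via buildBazelPackage.
#
# NOTE(security): this expression pins an Envoy release that is listed in
# `meta.knownVulnerabilities` below. nixpkgs treats a package with a non-empty
# `knownVulnerabilities` as insecure and refuses to evaluate it unless the
# user explicitly permits it (for example through
# `nixpkgs.config.permittedInsecurePackages`).
{ lib
, bazel_5
, bazel-gazelle
, buildBazelPackage
, fetchFromGitHub
, stdenv
, cmake
, gn
, go
, jdk
, ninja
, patchelf
, python3
, linuxHeaders
, nixosTests

  # v8 (upstream default), wavm, wamr, wasmtime, disabled
, wasmRuntime ? "wamr"
}:

let
  srcVer = {
    # We need the commit hash, since Bazel stamps the build with it.
    # However, the version string is more useful for end-users.
    # These are contained in an attrset of their own to make it obvious that
    # people should update both.
    version = "1.25.1";
    rev = "bae2e9d642a6a8ae6c5d3810f77f3e888f0d97da";
  };
in
buildBazelPackage rec {
  pname = "envoy";
  inherit (srcVer) version;
  bazel = bazel_5;
  src = fetchFromGitHub {
    owner = "envoyproxy";
    repo = "envoy";
    inherit (srcVer) rev;
    # The pinned hash covers the source tree *after* postFetch has run, so any
    # change to postFetch requires refreshing this value.
    sha256 = "sha256-qA3+bta2vXGtAYX3mg+CmSIEitk4576JQB/QLPsj9Vc=";

    postFetch = ''
      chmod -R +w $out
      # presumably dropped so that the nixpkgs-provided Bazel is accepted
      # instead of the version upstream pins; confirm before changing
      rm $out/.bazelversion
      # Record the commit hash Bazel stamps into the binary.
      echo ${srcVer.rev} > $out/SOURCE_VERSION
    '';
  };

  postPatch = ''
    sed -i 's,#!/usr/bin/env python3,#!${python3}/bin/python,' bazel/foreign_cc/luajit.patch
    sed -i '/javabase=/d' .bazelrc
    # Warnings no longer fail the build once -Werror is removed here (see also
    # --cxxopt=-Wno-error below); compiler diagnostics are then advisory only.
    sed -i '/"-Werror"/d' bazel/envoy_internal.bzl

    cp ${./protobuf.patch} bazel/protobuf.patch
  '';

  patches = [
    # use system Python, not bazel-fetched binary Python
    ./0001-nixpkgs-use-system-Python.patch

    # use system Go, not bazel-fetched binary Go
    ./0002-nixpkgs-use-system-Go.patch
  ];

  nativeBuildInputs = [
    cmake
    python3
    gn
    go
    jdk
    ninja
    patchelf
  ];

  buildInputs = [
    linuxHeaders
  ];

  # external/com_github_grpc_grpc/src/core/ext/transport/binder/transport/binder_transport.cc:756:29: error: format not a string literal and no format arguments [-Werror=format-security]
  #
  # NOTE(review): this switches off the "format" hardening flag
  # (-Wformat -Wformat-security -Werror=format-security) for the whole build,
  # not only for the gRPC file named above. Re-enable it once the offending
  # call is patched or the dependency is updated.
  hardeningDisable = [ "format" ];

  fetchAttrs = {
    # Per-platform hash of the vendored Bazel dependencies (fixed-output).
    # The preInstall steps below exist to keep that output reproducible.
    sha256 = {
      x86_64-linux = "sha256-H2s8sTbmKF+yRfSzLsZAT2ckFuunFwh/FMSKj+GYyPM=";
      aarch64-linux = "sha256-1/z7sZYMiuB4Re2itDZydsFVEel2NOYmi6vRmBGVO/4=";
    }.${stdenv.system} or (throw "unsupported system ${stdenv.system}");
    dontUseCmakeConfigure = true;
    dontUseGnConfigure = true;
    preInstall = ''
      # Strip out the path to the build location (by deleting the comment line).
      # IFS= and -r keep file names intact (no backslash processing, no
      # whitespace trimming).
      find $bazelOut/external -name requirements.bzl | while IFS= read -r requirements; do
        sed -i '/# Generated from /d' "$requirements"
      done

      # Remove references to paths in the Nix store.
      sed -i \
        -e 's,${python3},__NIXPYTHON__,' \
        -e 's,${stdenv.shellPackage},__NIXSHELL__,' \
        $bazelOut/external/com_github_luajit_luajit/build.py \
        $bazelOut/external/local_config_sh/BUILD \
        $bazelOut/external/base_pip3/BUILD.bazel

      rm -r $bazelOut/external/go_sdk
      rm -r $bazelOut/external/local_jdk
      rm -r $bazelOut/external/bazel_gazelle_go_repository_tools/bin

      # Remove Unix timestamps from go cache.
      rm -rf $bazelOut/external/bazel_gazelle_go_repository_cache/{gocache,pkg/mod/cache,pkg/sumdb}
    '';
  };

  buildAttrs = {
    dontUseCmakeConfigure = true;
    dontUseGnConfigure = true;
    dontUseNinjaInstall = true;
    preConfigure = ''
      # Make executables work, for the most part.
      # These are dynamically linked ELF files from the fetched dependency
      # tree; only their interpreter is rewritten.
      find $bazelOut/external -type f -executable | while IFS= read -r execbin; do
        file "$execbin" | grep -q ': ELF .*, dynamically linked,' || continue
        patchelf \
          --set-interpreter $(cat ${stdenv.cc}/nix-support/dynamic-linker) \
          "$execbin"
      done

      ln -s ${bazel-gazelle}/bin $bazelOut/external/bazel_gazelle_go_repository_tools/bin

      sed -i 's,#!/usr/bin/env bash,#!${stdenv.shell},' $bazelOut/external/rules_foreign_cc/foreign_cc/private/framework/toolchains/linux_commands.bzl

      # Add paths to Nix store back.
      sed -i \
        -e 's,__NIXPYTHON__,${python3},' \
        -e 's,__NIXSHELL__,${stdenv.shellPackage},' \
        $bazelOut/external/com_github_luajit_luajit/build.py \
        $bazelOut/external/local_config_sh/BUILD \
        $bazelOut/external/base_pip3/BUILD.bazel
    '';
    installPhase = ''
      install -Dm0755 bazel-bin/source/exe/envoy-static $out/bin/envoy
    '';
  };

  removeRulesCC = false;
  removeLocalConfigCc = true;
  removeLocal = false;
  bazelTargets = [ "//source/exe:envoy-static" ];
  bazelBuildFlags = [
    "-c opt"
    # Bazel actions run with the local (non-sandboxed) spawn strategy.
    "--spawn_strategy=standalone"
    "--noexperimental_strict_action_env"
    "--cxxopt=-Wno-error"
    # Link with a non-executable stack.
    "--linkopt=-Wl,-z,noexecstack"

    # Force use of system Java.
    "--extra_toolchains=@local_jdk//:all"
    "--java_runtime_version=local_jdk"
    "--tool_java_runtime_version=local_jdk"

    "--define=wasm=${wasmRuntime}"
  ] ++ (lib.optionals stdenv.isAarch64 [
    # external/com_github_google_tcmalloc/tcmalloc/internal/percpu_tcmalloc.h:611:9: error: expected ':' or '::' before '[' token
    # 611 | : [end_ptr] "=&r"(end_ptr), [cpu_id] "=&r"(cpu_id),
    # | ^
    "--define=tcmalloc=disabled"
  ]);
  # Must carry the same wasm define as bazelBuildFlags so the fetch phase
  # resolves the same dependency set that the build phase uses.
  bazelFetchFlags = [
    "--define=wasm=${wasmRuntime}"
  ];

  passthru.tests = {
    envoy = nixosTests.envoy;
    # tested as a core component of Pomerium
    pomerium = nixosTests.pomerium;
  };

  meta = with lib; {
    homepage = "https://envoyproxy.io";
    description = "Cloud-native edge and service proxy";
    license = licenses.asl20;
    maintainers = with maintainers; [ lukegb ];
    platforms = [ "x86_64-linux" "aarch64-linux" ];
    # Advisories recorded against the pinned version. A non-empty list marks
    # the package as insecure: evaluation fails unless the consumer opts in,
    # so deployments that do so should track these CVEs themselves. Remove
    # entries only when the pinned version is updated to one that fixes them.
    knownVulnerabilities = [
      "CVE-2023-27487"
      "CVE-2023-27488"
      "CVE-2023-27491"
      "CVE-2023-27492"
      "CVE-2023-27493"
      "CVE-2023-27496"
    ];
  };
}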