Provide a container for building Envoy on Oracle Linux 8.

Also add instructions about how to run an Oracle Linux 8 Envoy binary on
a CentOS 7 host.

Author: michaelfinch

azure-pipelines.yml

@@ -12,6 +12,9 @@ jobs:
       centos:
         OS_DISTRO: centos
         PUSH_GCR_IMAGE: false
+      oraclelinux:
+        OS_DISTRO: oraclelinux
+        PUSH_GCR_IMAGE: false
   dependsOn: []
   timeoutInMinutes: 120
   pool:

build_container/CENTOS7_BUILD_STATUS.md

@@ -1,5 +1,35 @@
 You are strongly encouraged to test the produced Envoy binary on CentOS 7 yourselves to ensure that it satisfies your required functionality and operates as expected.
 
+## Version 1.25.x
+If you need to run this version of Envoy on CentOS 7, your best bet is to use an Envoy binary built on Oracle Linux 8 and an updated version of glibc. CentOS 7 only comes with glibc 2.17, but the Envoy binary built on Oracle Linux 8 depends on a newer version of glibc, so you have to install a newer version on your system. Be careful not to override the existing version of glibc. Here are the rough instructions for accomplishing this:
+1. Use the Oracle Linux 8 image in this repo to build envoy.
+2. Copy the resulting Envoy binary to a CentOS 7 host.
+3. Install glibc 2.28 on the CentOS 7 host. This is the only version of glibc that has been tested with Envoy 1.25.x on CentOS 7.
+    1. One option is to compile it from source.
+    ```
+    wget https://ftp.gnu.org/gnu/glibc/glibc-2.28.tar.gz
+    tar zxvf glibc-2.28.tar.gz
+    cd glibc-2.28
+    mkdir build
+    cd build
+    ../configure --prefix=/opt/glibc-2.28
+    make -j4
+    sudo make install
+    ```
+    2. Another option is to download a pre-built RPM and extract it to a specific directory.
+    ```
+    mkdir /opt/glibc-2.28
+    cd /opt/glibc-2.28
+    wget https://rpmfind.net/linux/centos/8-stream/BaseOS/x86_64/os/Packages/glibc-2.28-155.el8.x86_64.rpm
+    rpm2cpio glibc-2.28-155.el8.x86_64.rpm | cpio -idmv
+    rm glibc-2.28-155.el8.x86_64.rpm
+    ```
+4. Use [patchelf](https://github.com/NixOS/patchelf) to patch the Oracle Linux 8 Envoy binary to use the updated version of glibc ld-linux for its interpreter and set the rpath to include the libs from glibc. This allows you to start the binary using a newer glibc version that includes the features required by the Oracle Linux 8 binary. Without this, it will run the system ld-linux which is from glibc 2.17 on CentOS 7.
+```
+patchelf --set-interpreter '/opt/glibc-2.28/lib64/ld-linux-x86-64.so.2' --set-rpath '/opt/glibc-2.28/lib64/' ${path_to_envoy_binary}
+```
+5. You should now be able to run the Envoy binary on your CentOS 7 host.
+
 ## Version 1.21.x
 Envoy version 1.21 onwards cannot currently be compiled on CentOS 7.
 
@@ -48,4 +78,4 @@ Further investigation is needed to resolve this problem. Contributions are welco
 Envoy version 1.20 can be compiled on CentOS 7 using `clang and libc++`, but not `clang and libstdc++`, which throws an ambiguous function error. For more detail on this issue and a proposed fix see [here](https://github.com/envoyproxy/envoy/issues/19978).
 
 ## Version 1.19.x
-Envoy version 1.19 can be built using either `clang and libc++` or `clang and libstdc++` on CentOS 7.
+Envoy version 1.19 can be built using either `clang and libc++` or `clang and libstdc++` on CentOS 7.

build_container/Dockerfile-oraclelinux

@@ -0,0 +1,12 @@
+FROM oraclelinux:8 as base
+
+COPY ./build_container_common.sh /
+COPY ./build_container_centos.sh /
+
+ENV PATH /opt/rh/rh-git218/root/usr/bin:/opt/rh/devtoolset-7/root/usr/bin:/opt/llvm/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
+
+RUN mkdir /etc/sudoers.d
+RUN echo "Defaults    secure_path = $PATH" > /etc/sudoers.d/path
+
+RUN ./build_container_oraclelinux.sh
+ENV LC_ALL en_US.UTF-8

build_container/build_container_oraclelinux.sh

@@ -0,0 +1,77 @@
+#!/bin/bash
+
+set -e
+ARCH="$(uname -m)"
+
+yum-config-manager --enable ol8_codeready_builder
+yum update -y
+
+yum install -y \
+  binutils \
+  cmake \
+  gcc \
+  git \
+  glibc-langpack-en \
+  glibc-locale-source \
+  glibc-static \
+  libstdc++-static \
+  ncurses-compat-libs \
+  ninja-build \
+  perl \
+  python3 \
+  tcpdump \
+  unzip \
+  wget \
+  xz \
+  sudo
+
+# set locale
+localedef -c -f UTF-8 -i en_US en_US.UTF-8
+export LC_ALL=en_US.UTF-8
+
+# For LLVM to pick right libstdc++
+ln -s /opt/rh/devtoolset-9/root/usr/lib/gcc/x86_64-redhat-linux/9 /usr/lib/gcc/x86_64-redhat-linux
+
+LLVM_VERSION=15.0.0
+
+case $ARCH in
+    'x86_64' )
+        LLVM_DISTRO="x86_64-linux-gnu-rhel-8.4"
+        LLVM_SHA256SUM="20b17fabc97b93791098e771adf18013c50eae2e45407f8bfa772883b6027d30"
+        ;;
+    'aarch64' )
+        LLVM_DISTRO="aarch64-linux-gnu"
+        LLVM_SHA256SUM="527ed550784681f95ec7a1be8fbf5a24bd03d7da9bf31afb6523996f45670be3"
+        ;;
+esac
+
+# httpd24 is equired by rh-git218
+echo "/opt/rh/httpd24/root/usr/lib64" > /etc/ld.so.conf.d/httpd24.conf
+ldconfig
+
+# Setup tcpdump for non-root.
+groupadd -r pcap
+chgrp pcap /usr/sbin/tcpdump
+chmod 750 /usr/sbin/tcpdump
+setcap cap_net_raw,cap_net_admin=eip /usr/sbin/tcpdump
+
+source ./build_container_common.sh
+
+# compile proper version of gn, compatible with Oracle Linux's GLIBC version and
+# envoy wasm/v8 dependency
+# can be removed when the dependency will be updated
+git clone https://gn.googlesource.com/gn
+pushd gn
+# 45aa842fb41d79e149b46fac8ad71728856e15b9 is a hash of the version
+# before https://gn.googlesource.com/gn/+/46b572ce4ceedfe57f4f84051bd7da624c98bf01
+# as this commit expects envoy to rely on newer version of wasm/v8 with the fix
+# from https://github.com/v8/v8/commit/eac21d572e92a82f5656379bc90f8ecf1ff884fc
+# (versions 9.5.164 - 9.6.152)
+git checkout 45aa842fb41d79e149b46fac8ad71728856e15b9
+python3 build/gen.py
+ninja -C out
+mv -f out/gn /usr/local/bin/gn
+chmod +x /usr/local/bin/gn
+popd
+
+yum clean all