Merge pull request #121 from self-five/qemu

Use QEMU and "arch-test" to avoid bad binaries in the future
tianon · Dec 20, 2022 · bb69d2a · bb69d2a
2 parents 50e26df + 8eb1914
commit bb69d2a
Show file tree

Hide file tree

Showing 2 changed files with 44 additions and 51 deletions.
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -16,6 +16,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v3
+      - run: sudo apt-get update && sudo apt-get install -y --no-install-recommends binfmt-support qemu-user-static
       - run: ./build.sh
       - run: ./test.sh gosu-amd64
       - run: ./test.sh gosu-i386

diff --git a/Dockerfile b/Dockerfile
@@ -1,6 +1,37 @@
-FROM golang:1.18.2-alpine3.14
+FROM golang:1.18.2-bullseye
 
-RUN apk add --no-cache file
+RUN set -eux; \
+	apt-get update; \
+	apt-get install -y --no-install-recommends \
+		arch-test \
+		file \
+		patch \
+	; \
+	rm -rf /var/lib/apt/lists/*
+
+# https://github.com/golang/go/issues/56426
+RUN set -eux; \
+	wget -O /tmp/go-mips.patch 'https://github.com/golang/go/commit/2c7c98c3ad719aa9d6d2594827a6894ff9950042.patch'; \
+	patch --strip=1 --directory=/usr/local/go --input=/tmp/go-mips.patch
+
+# note: we cannot add "-s" here because then "govulncheck" does not work (see SECURITY.md); the ~0.2MiB increase (as of 2022-12-16, Go 1.18) is worth it
+ENV BUILD_FLAGS="-v -ldflags '-d -w'"
+
+RUN set -eux; \
+	{ \
+		echo '#!/usr/bin/env bash'; \
+		echo 'set -Eeuo pipefail -x'; \
+		echo 'eval "go build $BUILD_FLAGS -o /go/bin/gosu-$ARCH"'; \
+		echo 'file "/go/bin/gosu-$ARCH"'; \
+		echo 'if arch-test "$ARCH"; then'; \
+# there's a fun QEMU + Go 1.18+ bug that causes our binaries (especially on ARM arches) to hang indefinitely *sometimes*, hence the "timeout" and looping here
+		echo '  try() { for (( i = 0; i < 30; i++ )); do if timeout 1s "$@"; then return 0; fi; done; return 1; }'; \
+		echo '  try "/go/bin/gosu-$ARCH" --version'; \
+		echo '  try "/go/bin/gosu-$ARCH" nobody id'; \
+		echo '  try "/go/bin/gosu-$ARCH" nobody ls -l /proc/self/fd'; \
+		echo 'fi'; \
+	} > /usr/local/bin/gosu-build-and-test.sh; \
+	chmod +x /usr/local/bin/gosu-build-and-test.sh
 
 # disable CGO for ALL THE THINGS (to help ensure no libc)
 ENV CGO_ENABLED 0
@@ -12,57 +43,18 @@ RUN set -eux; \
 	go mod download; \
 	go mod verify
 
-# note: we cannot add "-s" here because then "govulncheck" does not work (see SECURITY.md); the ~0.2MiB increase (as of 2022-12-16, Go 1.18) is worth it
-ENV BUILD_FLAGS="-v -ldflags '-d -w'"
-
 COPY *.go ./
 
 # gosu-$(dpkg --print-architecture)
-RUN set -eux; \
-	eval "GOARCH=amd64 go build $BUILD_FLAGS -o /go/bin/gosu-amd64"; \
-	file /go/bin/gosu-amd64; \
-	/go/bin/gosu-amd64 --version; \
-	/go/bin/gosu-amd64 nobody id; \
-	/go/bin/gosu-amd64 nobody ls -l /proc/self/fd
-
-RUN set -eux; \
-	eval "GOARCH=386 go build $BUILD_FLAGS -o /go/bin/gosu-i386"; \
-	file /go/bin/gosu-i386; \
-	/go/bin/gosu-i386 --version; \
-	/go/bin/gosu-i386 nobody id; \
-	/go/bin/gosu-i386 nobody ls -l /proc/self/fd
-
-RUN set -eux; \
-	eval "GOARCH=arm GOARM=5 go build $BUILD_FLAGS -o /go/bin/gosu-armel"; \
-	file /go/bin/gosu-armel
-
-RUN set -eux; \
-	eval "GOARCH=arm GOARM=6 go build $BUILD_FLAGS -o /go/bin/gosu-armhf"; \
-	file /go/bin/gosu-armhf
-
-# boo Raspberry Pi, making life hard (armhf-is-v7 vs armhf-is-v6 ...)
-#RUN set -eux; \
-#	eval "GOARCH=arm GOARM=7 go build $BUILD_FLAGS -o /go/bin/gosu-armhf"; \
-#	file /go/bin/gosu-armhf
-
-RUN set -eux; \
-	eval "GOARCH=arm64 go build $BUILD_FLAGS -o /go/bin/gosu-arm64"; \
-	file /go/bin/gosu-arm64
-
-RUN set -eux; \
-	eval "GOARCH=mips64le go build $BUILD_FLAGS -o /go/bin/gosu-mips64el"; \
-	file /go/bin/gosu-mips64el
-
-RUN set -eux; \
-	eval "GOARCH=ppc64le go build $BUILD_FLAGS -o /go/bin/gosu-ppc64el"; \
-	file /go/bin/gosu-ppc64el
-
-RUN set -eux; \
-	eval "GOARCH=riscv64 go build $BUILD_FLAGS -o /go/bin/gosu-riscv64"; \
-	file /go/bin/gosu-riscv64
-
-RUN set -eux; \
-	eval "GOARCH=s390x go build $BUILD_FLAGS -o /go/bin/gosu-s390x"; \
-	file /go/bin/gosu-s390x
+RUN ARCH=amd64    GOARCH=amd64       gosu-build-and-test.sh
+RUN ARCH=i386     GOARCH=386         gosu-build-and-test.sh
+RUN ARCH=armel    GOARCH=arm GOARM=5 gosu-build-and-test.sh
+RUN ARCH=armhf    GOARCH=arm GOARM=6 gosu-build-and-test.sh
+#RUN ARCH=armhf    GOARCH=arm GOARM=7 gosu-build-and-test.sh # boo Raspberry Pi, making life hard (armhf-is-v7 vs armhf-is-v6 ...)
+RUN ARCH=arm64    GOARCH=arm64       gosu-build-and-test.sh
+RUN ARCH=mips64el GOARCH=mips64le    gosu-build-and-test.sh
+RUN ARCH=ppc64el  GOARCH=ppc64le     gosu-build-and-test.sh
+RUN ARCH=riscv64  GOARCH=riscv64     gosu-build-and-test.sh
+RUN ARCH=s390x    GOARCH=s390x       gosu-build-and-test.sh
 
 RUN set -eux; ls -lAFh /go/bin/gosu-*; file /go/bin/gosu-*