Author: Matti Picus <[email protected]>
Branch:
Changeset: r1100:ad3301acbb64
Date: 2019-11-03 15:05 -0500
http://bitbucket.org/pypy/buildbot/changeset/ad3301acbb64/
Log: use the libffi and openssl from pyca/cryptography to avoid bugs in
centos6
diff --git a/docker/Dockerfile b/docker/Dockerfile
--- a/docker/Dockerfile
+++ b/docker/Dockerfile
@@ -2,7 +2,7 @@
# -t is the name of the image
# -f is this file
# the . is a random directory
-# docker build -t buildslave -f docker/Dockerfile .
+# docker build -t buildslave -f docker/Dockerfile docker
#
# To create the buildslave configuration, call
# docker run --rm --user $UID -v<abspath/to/builder/dir>:/build_dir> \
@@ -29,26 +29,39 @@
#
FROM centos:centos6
+WORKDIR /root
RUN yum -y update
RUN yum install -y wget bzip2-devel zlib-devel glibc-devel libX11-devel \
- libXt-devel patch expat-devel libXft-devel openssl-devel tk-devel
gdbm-devel \
- perl xz-devel libffi-devel ncurses-devel sqlite-devel
-RUN yum install -y centos-release-scl
+ libXt-devel patch expat-devel libXft-devel tk-devel gdbm-devel \
+ perl xz-devel ncurses-devel sqlite-devel prelink
+# get the gcc-8 devtools and pypy
RUN wget
https://github.com/squeaky-pl/centos-devtools/releases/download/8.2-s1/gcc-8.2.0-binutils-2.32-x86_64.tar.bz2
-O - | tar -C / -xj
RUN wget
https://bitbucket.org/squeaky/portable-pypy/downloads/pypy-7.0.0-linux_x86_64-portable.tar.bz2
-O - | tar -C /opt -xj
RUN ln -s /opt/pypy-7.0.0-linux_x86_64-portable/bin/pypy /usr/local/bin/pypy
+ENV PATH=/opt/devtools-8.2/bin:$PATH
+
+# Taken from pyca/infra/cryptography-manylinux
+# centos6 libffi is buggy, download and use a newer one
+# also use the version of openssl that latests pyca/cryptography uses
+ADD install_libffi.sh /root/install_libffi.sh
+ADD install_openssl.sh /root/install_openssl.sh
+RUN sh install_libffi.sh manylinux2010 2>&1 | tee /root/install_libffi.log
+RUN sh install_openssl.sh manylinux2010 2>&1 | tee /root/install_openssl.log
+
+RUN yum install -y centos-release-scl
RUN yum install -y python27 python27-python-virtualenv
-#yuck
+# build a python 2.7 virtualenv, use the scl-installed version of python2.7
+# since centos6 itself has python2.6
ENV LD_LIBRARY_PATH=/opt/rh/python27/root/usr/lib64
RUN /opt/rh/python27/root/usr/bin/python -mvirtualenv /python27_virt
ENV PATH=/python27_virt/bin:$PATH
-ENV PATH=/opt/devtools-8.2/bin:$PATH
RUN pip install --upgrade pip setuptools
RUN pip install buildbot-slave pytest hypothesis cffi vmprof mercurial
+ENV PKG_CONFIG_PATH=/usr/local/lib64/pkgconfig
CMD if [ -e /build_dir/buildbot.tac ]; then \
buildslave start --nodaemon /build_dir; \
diff --git a/docker/install_libffi.sh b/docker/install_libffi.sh
new file mode 100755
--- /dev/null
+++ b/docker/install_libffi.sh
@@ -0,0 +1,28 @@
+#!/bin/bash
+set -xe
+
+LIBFFI_SHA256="d06ebb8e1d9a22d19e38d63fdb83954253f39bedc5d46232a05645685722ca37"
+LIBFFI_VERSION="3.2.1"
+
+function check_sha256sum {
+ local fname=$1
+ local sha256=$2
+ echo "${sha256} ${fname}" > "${fname}.sha256"
+ sha256sum -c "${fname}.sha256"
+ rm "${fname}.sha256"
+}
+
+curl -#O
"https://mirrors.ocf.berkeley.edu/debian/pool/main/libf/libffi/libffi_${LIBFFI_VERSION}.orig.tar.gz";
+check_sha256sum "libffi_${LIBFFI_VERSION}.orig.tar.gz" ${LIBFFI_SHA256}
+tar zxf libffi*.orig.tar.gz
+PATH=/opt/perl/bin:$PATH
+pushd libffi*
+if [ "$1" == "manylinux1" ]; then
+ STACK_PROTECTOR_FLAGS="-fstack-protector --param=ssp-buffer-size=4"
+else
+ STACK_PROTECTOR_FLAGS="-fstack-protector-strong"
+fi
+./configure --prefix=/usr/local CFLAGS="-g -O2 $STACK_PROTECTOR_FLAGS -Wformat
-Werror=format-security"
+make install
+popd
+rm -rf libffi*
diff --git a/docker/install_openssl.sh b/docker/install_openssl.sh
new file mode 100755
--- /dev/null
+++ b/docker/install_openssl.sh
@@ -0,0 +1,28 @@
+#!/bin/bash
+set -xe
+
+OPENSSL_URL="https://www.openssl.org/source/";
+OPENSSL_NAME="openssl-1.1.1d"
+OPENSSL_SHA256="1e3a91bc1f9dfce01af26026f856e064eab4c8ee0a8f457b5ae30b40b8b711f2"
+
+function check_sha256sum {
+ local fname=$1
+ local sha256=$2
+ echo "${sha256} ${fname}" > "${fname}.sha256"
+ sha256sum -c "${fname}.sha256"
+ rm "${fname}.sha256"
+}
+
+curl -#O "${OPENSSL_URL}/${OPENSSL_NAME}.tar.gz"
+check_sha256sum ${OPENSSL_NAME}.tar.gz ${OPENSSL_SHA256}
+tar zxf ${OPENSSL_NAME}.tar.gz
+PATH=/opt/perl/bin:$PATH
+pushd ${OPENSSL_NAME}
+./config no-comp enable-ec_nistp_64_gcc_128 no-shared no-dynamic-engine
--prefix=/usr/local --openssldir=/usr/local
+make depend
+make -j4
+# avoid installing the docs
+# https://github.com/openssl/openssl/issues/6685#issuecomment-403838728
+make install_sw install_ssldirs
+popd
+rm -rf openssl*
_______________________________________________
pypy-commit mailing list
[email protected]
https://mail.python.org/mailman/listinfo/pypy-commit
