search

istio / ztunnel

The `ztunnel` component of ambient mesh
Apache License 2.0
295 stars 98 forks source link

Enable building on arm64 #35

Closed howardjohn closed 1 year ago

howardjohn commented 1 year ago

Currently, the build fails since we use the FIPS boringssl which only works on amd64.

Even with the FIPS disabled though, still getting issues around poly_rq_mul.S that we will need to resolve

ilrudie commented 1 year ago

I have an M2 Mac and could work on this

thesurlydev commented 1 year ago

Isn't this a dupe of #1 ?

ilrudie commented 1 year ago

Could be. I have an intel mac I can try to confirm if its MacOS or M1/ARM that's the issue.

ilrudie commented 1 year ago

ARM could also be for something like graviton support not just m1/macos as well

stevenctl commented 1 year ago

Allow developers using arm machines to contribute. May also be required in some production environments.

howardjohn commented 1 year ago

https://github.com/istio/ztunnel/pull/139

yuval-k commented 1 year ago

we can also consider an approach similar to github.com/cloudflare/quiche, where we embed boring in this crate, so we don't need to set env vars for dependant crates (so that users won't need to remove the env vars manually, as specified in the readme) https://github.com/cloudflare/quiche/blob/master/quiche/src/build.rs

bleggett commented 1 year ago

@yuval-k Thx for the hint - quiche's strategy unfortunately doesn't work with boring 2.1.0 - only with 2.0.0, due to changes in build.rs for boring-sys which seem to break the ability to conditionally vendor binaries: https://github.com/cloudflare/boring/blob/master/boring-sys/build.rs#L330

Additionally, the build.rs mechanism boring-sys is using to auto-build boringssl doesn't seem to work if you install boring-sys as a normal Cargo dep - only as a Gitref dep.

Seems as if realistically we either

Neither option is particularly compelling.

Third option is we write a build.sh wrapper, I guess.

bleggett commented 1 year ago

Adding this as a ref - https://github.com/cloudflare/boring/pull/97

A clang environmental dep in our build-tools might be a reasonable workaround once that is in upstream - our current build-tools image is too new for clang-7, which is what the pinned version of boringssl that boring-sys tries to autobuild (when installed as a Gitref dep via cargo) currently requires.

When that merges we should be good with

  1. Installing clang-12 in our build-tools image - clang 12 is available for both arm64 and amd64 in our current build image distro, at least.

  2. Adding boring-sys as a Gitref patch dep in cargo.toml:

    [patch.crates-io]
boring-sys = { git = "https://github.com/cloudflare/boring", tag = "v2.1.0"  }

  3. Letting boring-sys build the fips/non-fips binaries itself, respecting the host arch.

EDIT: Oh right, that's what this is: https://github.com/istio/ztunnel/blob/master/vendor/boringssl-fips/linux_x86_64/Dockerfile.v1 - because the Ubuntu clang is v12, but the minor version is different, so it's not a blessed FIPS version.