envoy: 1.32.3 -> 1.33.0 (#374003)

Paul Meyer 2025-01-17 11:46:57 +01:00 committed by GitHub
commit 041c867bad
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
6 changed files with 59 additions and 317 deletions


@ -5,18 +5,15 @@ Subject: [PATCH] nixpkgs: use system Python
Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
---
bazel/python_dependencies.bzl | 11 ++++-------
bazel/python_dependencies.bzl | 9 ++++-----
bazel/repositories_extra.bzl | 17 +----------------
2 files changed, 5 insertions(+), 23 deletions(-)
2 files changed, 5 insertions(+), 21 deletions(-)
diff --git a/bazel/python_dependencies.bzl b/bazel/python_dependencies.bzl
index 9f2b336b1a36ca0d2f04a40ac1809b30ff21df27..53a2c93c59492a12ef4a6ecfc0c8a679f0df73f7 100644
index 9867dc3a46dbe780eb3c02bad8f6a22a2c7fd97e..ff8685e0e437aee447218e912f1cf3e494755cf4 100644
--- a/bazel/python_dependencies.bzl
+++ b/bazel/python_dependencies.bzl
@@ -1,28 +1,25 @@
load("@com_google_protobuf//bazel:system_python.bzl", "system_python")
-load("@envoy_toolshed//:packages.bzl", "load_packages")
-load("@python3_12//:defs.bzl", "interpreter")
@@ -3,25 +3,24 @@ load("@envoy_toolshed//:packages.bzl", "load_packages")
load("@rules_python//python:pip.bzl", "pip_parse")
def envoy_python_dependencies():
@ -28,30 +25,30 @@ index 9f2b336b1a36ca0d2f04a40ac1809b30ff21df27..53a2c93c59492a12ef4a6ecfc0c8a679
+ )
pip_parse(
name = "base_pip3",
- python_interpreter_target = interpreter,
- python_interpreter_target = "@python3_12_host//:python",
requirements_lock = "@envoy//tools/base:requirements.txt",
extra_pip_args = ["--require-hashes"],
)
pip_parse(
name = "dev_pip3",
- python_interpreter_target = interpreter,
- python_interpreter_target = "@python3_12_host//:python",
requirements_lock = "@envoy//tools/dev:requirements.txt",
extra_pip_args = ["--require-hashes"],
)
pip_parse(
name = "fuzzing_pip3",
- python_interpreter_target = interpreter,
- python_interpreter_target = "@python3_12_host//:python",
requirements_lock = "@rules_fuzzing//fuzzing:requirements.txt",
extra_pip_args = ["--require-hashes"],
)
diff --git a/bazel/repositories_extra.bzl b/bazel/repositories_extra.bzl
index b92dd461ba7037d2f1c079f283ff2c466686f7a4..cef32b3140588cb7668d47d0c08528f131184fe4 100644
index 7a9d3bbb53b567a8f398abaefe5ff044056d4d21..a5b75718de667883824e4320e2d563830b02f5d2 100644
--- a/bazel/repositories_extra.bzl
+++ b/bazel/repositories_extra.bzl
@@ -2,19 +2,11 @@ load("@aspect_bazel_lib//lib:repositories.bzl", "aspect_bazel_lib_dependencies")
load("@bazel_features//:deps.bzl", "bazel_features_deps")
@@ -3,19 +3,11 @@ load("@bazel_features//:deps.bzl", "bazel_features_deps")
load("@com_google_protobuf//bazel/private:proto_bazel_features.bzl", "proto_bazel_features")
load("@emsdk//:deps.bzl", emsdk_deps = "deps")
load("@proxy_wasm_cpp_host//bazel/cargo/wasmtime/remote:crates.bzl", "crate_repositories")
-load("@rules_python//python:repositories.bzl", "py_repositories", "python_register_toolchains")
@ -71,7 +68,7 @@ index b92dd461ba7037d2f1c079f283ff2c466686f7a4..cef32b3140588cb7668d47d0c08528f1
ignore_root_user_error = False):
bazel_features_deps()
emsdk_deps()
@@ -22,11 +14,4 @@ def envoy_dependencies_extra(
@@ -23,13 +15,6 @@ def envoy_dependencies_extra(
crate_repositories()
py_repositories()
@ -83,3 +80,5 @@ index b92dd461ba7037d2f1c079f283ff2c466686f7a4..cef32b3140588cb7668d47d0c08528f1
- )
-
aspect_bazel_lib_dependencies()
if not native.existing_rule("proto_bazel_features"):
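Review bot: Nothing in the refreshed patch records which interpreter `pip_parse` uses once `python_interpreter_target` is dropped from `base_pip3`, `dev_pip3` and `fuzzing_pip3`. As far as I know, rules_python then falls back to a `python3` looked up on the host PATH. `extra_pip_args = ["--require-hashes"]` is kept on all three, so the requirements stay hash-pinned, but the interpreter resolving them becomes an input of the build environment rather than of the Bazel workspace. I would add a sentence to the patch description, for example `pip_parse resolves python3 from PATH (supplied by the Nix build inputs); --require-hashes is kept on every pip_parse call.`, so a later refresh does not change this unnoticed. This section interleaves the old and new revision of the patch, so the note relies only on lines present in both.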


@ -42,10 +42,10 @@ index 0000000000000000000000000000000000000000..8dcad4cc11f691eec93efa29075c1d35
+ // FIPS functions.
+
diff --git a/bazel/repositories.bzl b/bazel/repositories.bzl
index 5cb573770f0aeac7b42d803673c8c520b5e35131..e864ef24db4bf837ef50d90c8eca316eba939d74 100644
index cd15ec36f45f5958f4e65d314af78a0ef7c5dc78..935bf8a1ced67c094e4e900ba84bf39033bd3bbb 100644
--- a/bazel/repositories.bzl
+++ b/bazel/repositories.bzl
@@ -264,6 +264,7 @@ def _boringssl():
@@ -263,6 +263,7 @@ def _boringssl():
patch_args = ["-p1"],
patches = [
"@envoy//bazel:boringssl_static.patch",


@ -1,128 +0,0 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: "dependency-envoy[bot]"
<148525496+dependency-envoy[bot]@users.noreply.github.com>
Date: Fri, 8 Nov 2024 21:09:22 +0000
Subject: [PATCH] deps: Bump `rules_rust` -> 0.54.1 (#37056)
Fix #37054
Signed-off-by: dependency-envoy[bot] <148525496+dependency-envoy[bot]@users.noreply.github.com>
Signed-off-by: Ryan Northey <ryan@synca.io>
---
bazel/repository_locations.bzl | 10 ++++++---
.../dynamic_modules/sdk/rust/Cargo.Bazel.lock | 21 +++++++++++--------
2 files changed, 19 insertions(+), 12 deletions(-)
diff --git a/bazel/repository_locations.bzl b/bazel/repository_locations.bzl
index 85a125d44ece6c655f94aab3d986d96ab837897f..cfe7d145b59b691f6455b58b1baaae48276b7e9f 100644
--- a/bazel/repository_locations.bzl
+++ b/bazel/repository_locations.bzl
@@ -1465,12 +1465,16 @@ REPOSITORY_LOCATIONS_SPEC = dict(
license = "Emscripten SDK",
license_url = "https://github.com/emscripten-core/emsdk/blob/{version}/LICENSE",
),
+ # After updating you may need to run:
+ #
+ # CARGO_BAZEL_REPIN=1 bazel sync --only=crate_index
+ #
rules_rust = dict(
project_name = "Bazel rust rules",
project_desc = "Bazel rust rules (used by Wasm)",
project_url = "https://github.com/bazelbuild/rules_rust",
- version = "0.51.0",
- sha256 = "042acfb73469b2d1848fe148d81c3422c61ea47a9e1900f1c9ec36f51e8e7193",
+ version = "0.54.1",
+ sha256 = "af4f56caae50a99a68bfce39b141b509dd68548c8204b98ab7a1cafc94d5bb02",
# Note: rules_rust should point to the releases, not archive to avoid the hassle of bootstrapping in crate_universe.
# This is described in https://bazelbuild.github.io/rules_rust/crate_universe.html#setup, otherwise bootstrap
# is required which in turn requires a system CC toolchains, not the bazel controlled ones.
@@ -1482,7 +1486,7 @@ REPOSITORY_LOCATIONS_SPEC = dict(
],
implied_untracked_deps = ["rules_cc"],
extensions = ["envoy.wasm.runtime.wasmtime"],
- release_date = "2024-09-19",
+ release_date = "2024-11-07",
cpe = "N/A",
license = "Apache-2.0",
license_url = "https://github.com/bazelbuild/rules_rust/blob/{version}/LICENSE.txt",
diff --git a/source/extensions/dynamic_modules/sdk/rust/Cargo.Bazel.lock b/source/extensions/dynamic_modules/sdk/rust/Cargo.Bazel.lock
index fa6012f406464428b37d548eecd6cec3fdaf901b..6af752304b65af39aa621fa201a8c0108931dad0 100644
--- a/source/extensions/dynamic_modules/sdk/rust/Cargo.Bazel.lock
+++ b/source/extensions/dynamic_modules/sdk/rust/Cargo.Bazel.lock
@@ -1,5 +1,5 @@
{
- "checksum": "96b309ddded40cf6f46a62829d15a02d7253b4cc94af2ac1890e492f9c07e93f",
+ "checksum": "b550022ca979d6b55c6dbee950bbf18368e4b8da16973c4e88e292b4d6f28e81",
"crates": {
"aho-corasick 1.1.3": {
"name": "aho-corasick",
@@ -2149,9 +2149,6 @@
"aarch64-apple-ios-sim": [
"aarch64-apple-ios-sim"
],
- "aarch64-fuchsia": [
- "aarch64-fuchsia"
- ],
"aarch64-linux-android": [
"aarch64-linux-android"
],
@@ -2159,6 +2156,9 @@
"aarch64-pc-windows-msvc": [
"aarch64-pc-windows-msvc"
],
+ "aarch64-unknown-fuchsia": [
+ "aarch64-unknown-fuchsia"
+ ],
"aarch64-unknown-linux-gnu": [
"aarch64-unknown-linux-gnu"
],
@@ -2197,8 +2197,8 @@
"aarch64-apple-darwin",
"aarch64-apple-ios",
"aarch64-apple-ios-sim",
- "aarch64-fuchsia",
"aarch64-linux-android",
+ "aarch64-unknown-fuchsia",
"aarch64-unknown-linux-gnu",
"aarch64-unknown-nixos-gnu",
"aarch64-unknown-nto-qnx710",
@@ -2213,9 +2213,9 @@
"s390x-unknown-linux-gnu",
"x86_64-apple-darwin",
"x86_64-apple-ios",
- "x86_64-fuchsia",
"x86_64-linux-android",
"x86_64-unknown-freebsd",
+ "x86_64-unknown-fuchsia",
"x86_64-unknown-linux-gnu",
"x86_64-unknown-nixos-gnu"
],
@@ -2264,15 +2264,15 @@
"wasm32-wasi": [
"wasm32-wasi"
],
+ "wasm32-wasip1": [
+ "wasm32-wasip1"
+ ],
"x86_64-apple-darwin": [
"x86_64-apple-darwin"
],
"x86_64-apple-ios": [
"x86_64-apple-ios"
],
- "x86_64-fuchsia": [
- "x86_64-fuchsia"
- ],
"x86_64-linux-android": [
"x86_64-linux-android"
],
@@ -2283,6 +2283,9 @@
"x86_64-unknown-freebsd": [
"x86_64-unknown-freebsd"
],
+ "x86_64-unknown-fuchsia": [
+ "x86_64-unknown-fuchsia"
+ ],
"x86_64-unknown-linux-gnu": [
"x86_64-unknown-linux-gnu"
],


@ -1,127 +0,0 @@
From 448e4e14f4f188687580362a861ae4a0dbb5b1fb Mon Sep 17 00:00:00 2001
From: "Krinkin, Mike" <krinkin.m.u@gmail.com>
Date: Sat, 16 Nov 2024 00:40:40 +0000
Subject: [PATCH] [contrib] Disable GCC warnings and broken features (#37131)
Currently contrib does not build with GCC because of various false
positive compiler warnings turned to errors and a GCC compiler bug.
Let's first start with the bug, in GCC apparently
using -gsplit-dwarf (debug fission) and -fdebug-types-section (used to
optimize the size of debug inforamtion), when used together, can result
in a linker failure.
Refer to https://gcc.gnu.org/bugzilla/show_bug.cgi?id=110885 for the GCC
bug report of this issue. When it comes to Envoy, optimized builds with
GCC are affected on at least GCC 11 (used by --config=docker-gcc) and
GCC 12 (and I'm pretty sure the bug isn't fixed in any newer versions
either, though I didn't check each version).
Given that we cannot have both debug fission and a debug types section,
we decided to abandon the debug types sections and keep the fission.
That being said, apparently both of those options are unmaintained in
GCC which poses a question of long term viability of using those or GCC.
Other changes in this commit disable GCC compiler errors for various
warnings that happen when building contrib. I checked those warnings and
didn't find any true
positive.
And additionally, for warnings that exists in both Clang and GCC, Clang
warnings don't trigger, so Clang also disagrees with GCC here.
Additionally missing-requires warning is new and does not exist in GCC
11, but exists in later versions of GCC, so to avoid breaking on this
warning for future versions of GCC I disabled it, but also tell GCC to
not complain if it sees a flag related to an unknwon diagnostic.
This is the last change required to make GCC contrib builds work (you
can find more context and discussions in
https://github.com/envoyproxy/envoy/issues/31807)
Risk Level: Low
Testing: building with --config=gcc and --config=docker-gcc
Docs Changes: N/A
Release Notes: N/A
Platform Specific Features: N/A
Fixes #31807
Signed-off-by: Mikhail Krinkin <krinkin.m.u@gmail.com>
---
.bazelrc | 18 +++++++++++++++++-
bazel/envoy_internal.bzl | 16 +++++++++++++++-
2 files changed, 32 insertions(+), 2 deletions(-)
diff --git a/.bazelrc b/.bazelrc
index e0e4899cecf1..7df94c77944c 100644
--- a/.bazelrc
+++ b/.bazelrc
@@ -57,9 +57,9 @@ test --experimental_ui_max_stdouterr_bytes=11712829 #default 1048576
# Allow tags to influence execution requirements
common --experimental_allow_tags_propagation
+build:linux --copt=-fdebug-types-section
# Enable position independent code (this is the default on macOS and Windows)
# (Workaround for https://github.com/bazelbuild/rules_foreign_cc/issues/421)
-build:linux --copt=-fdebug-types-section
build:linux --copt=-fPIC
build:linux --copt=-Wno-deprecated-declarations
build:linux --cxxopt=-std=c++20 --host_cxxopt=-std=c++20
@@ -95,6 +95,21 @@ build:gcc --linkopt=-fuse-ld=gold --host_linkopt=-fuse-ld=gold
build:gcc --test_env=HEAPCHECK=
build:gcc --action_env=BAZEL_COMPILER=gcc
build:gcc --action_env=CC=gcc --action_env=CXX=g++
+# This is to work around a bug in GCC that makes debug-types-section
+# option not play well with fission:
+# https://gcc.gnu.org/bugzilla/show_bug.cgi?id=110885
+build:gcc --copt=-fno-debug-types-section
+# These trigger errors in multiple places both in Envoy dependecies
+# and in Envoy code itself when using GCC.
+# And in all cases the reports appear to be clear false positives.
+build:gcc --copt=-Wno-error=restrict
+build:gcc --copt=-Wno-error=uninitialized
+build:gcc --cxxopt=-Wno-missing-requires
+# We need this because -Wno-missing-requires options is rather new
+# in GCC, so flags -Wno-missing-requires exists in GCC 12, but does
+# not in GCC 11 and GCC 11 is what is used in docker-gcc
+# configuration currently
+build:gcc --cxxopt=-Wno-unknown-warning
# Clang-tidy
# TODO(phlax): enable this, its throwing some errors as well as finding more issues
@@ -375,6 +390,7 @@ build:docker-clang-libc++ --config=docker-sandbox
build:docker-clang-libc++ --config=rbe-toolchain-clang-libc++
build:docker-gcc --config=docker-sandbox
+build:docker-gcc --config=gcc
build:docker-gcc --config=rbe-toolchain-gcc
build:docker-asan --config=docker-sandbox
diff --git a/bazel/envoy_internal.bzl b/bazel/envoy_internal.bzl
index 015659851c1b..27ecaa0bbf47 100644
--- a/bazel/envoy_internal.bzl
+++ b/bazel/envoy_internal.bzl
@@ -68,7 +68,21 @@ def envoy_copts(repository, test = False):
"-Wc++2a-extensions",
"-Wrange-loop-analysis",
],
- repository + "//bazel:gcc_build": ["-Wno-maybe-uninitialized"],
+ repository + "//bazel:gcc_build": [
+ "-Wno-maybe-uninitialized",
+ # GCC implementation of this warning is too noisy.
+ #
+ # It generates warnings even in cases where there is no ambiguity
+ # between the overloaded version of a method and the hidden version
+ # from the base class. E.g., when the two have different number of
+ # arguments or incompatible types and therefore a wrong function
+ # cannot be called by mistake without triggering a compiler error.
+ #
+ # As a safeguard, this warning is only disabled for GCC builds, so
+ # if Clang catches a problem in the code we would get a warning
+ # anyways.
+ "-Wno-error=overloaded-virtual",
+ ],
# Allow 'nodiscard' function results values to be discarded for test code only
# TODO(envoyproxy/windows-dev): Replace /Zc:preprocessor with /experimental:preprocessor
# for msvc versions between 15.8 through 16.4.x. see


@ -1,19 +0,0 @@
diff -Naur a/bazel/protobuf.patch b/bazel/protobuf.patch
--- a/bazel/protobuf.patch 2025-01-06 23:00:26.683972526 +0100
+++ b/bazel/protobuf.patch 2025-01-07 00:53:33.997482569 +0100
@@ -149,3 +149,15 @@
#if PROTOBUF_ENABLE_DEBUG_LOGGING_MAY_LEAK_PII
#define PROTOBUF_DEBUG true
#else
+diff -Naur a/build_defs/cpp_opts.bzl b/build_defs/cpp_opts.bzl
+--- a/build_defs/cpp_opts.bzl 2025-01-06 23:02:56.356552216 +0100
++++ b/build_defs/cpp_opts.bzl 2025-01-07 00:23:30.534047300 +0100
+@@ -22,7 +22,7 @@
+ "-Woverloaded-virtual",
+ "-Wno-sign-compare",
+ "-Wno-nonnull",
+- "-Werror",
++ "-Wno-maybe-uninitialized",
+ ],
+ })
+


@ -19,6 +19,10 @@
python3,
linuxHeaders,
nixosTests,
runCommandLocal,
gnutar,
gnugrep,
envoy,
# v8 (upstream default), wavm, wamr, wasmtime, disabled
wasmRuntime ? "wamr",
@ -30,16 +34,16 @@ let
# However, the version string is more useful for end-users.
# These are contained in a attrset of their own to make it obvious that
# people should update both.
version = "1.32.3";
rev = "58bd599ebd5918d4d005de60954fcd2cb00abd95";
hash = "sha256-5HpxcsAPoyVOJ3Aem+ZjSLa8Zu6s76iCMiWJbp8RjHc=";
version = "1.33.0";
rev = "b0f43d67aa25c1b03c97186a200cc187f4c22db3";
hash = "sha256-zqekRpOlaA2IrwwFUEwASa1uokET98h5sr7EwzWgcbU=";
};
# these need to be updated for any changes to fetchAttrs
depsHash =
{
x86_64-linux = "sha256-YFXNatolLM9DdwkMnc9SWsa6Z6/aGzqLmo/zKE7OFy0=";
aarch64-linux = "sha256-AjG1OBjPjiSwWCmIJgHevSQHx8+rzRgmLsw3JwwD0hk=";
x86_64-linux = "sha256-4CQkHlXbDpRiqzeyserVf9PpLx3ME7TtZ2H88ggog6U=";
aarch64-linux = "sha256-FxkfBWiG0NIInl28w+l4YvaV2VFuCtjn5VBAKvJoxM8=";
}
.${stdenv.system} or (throw "unsupported system ${stdenv.system}");
@ -64,27 +68,6 @@ buildBazelPackage rec {
# use system C/C++ tools
./0003-nixpkgs-use-system-C-C-toolchains.patch
# patch boringssl to work with GCC 14
# vendored patch from https://boringssl.googlesource.com/boringssl/+/c70190368c7040c37c1d655f0690bcde2b109a0d
./0004-nixpkgs-patch-boringssl-for-gcc14.patch
# update rust rules to work with rustc v1.83
# cherry-pick of https://github.com/envoyproxy/envoy/commit/019f589da2cc8da7673edd077478a100b4d99436
# drop with v1.33.x
./0005-deps-Bump-rules_rust-0.54.1-37056.patch
# patch gcc flags to work with GCC 14
# (silences erroneus -Werror=maybe-uninitialized and others)
# cherry-pick of https://github.com/envoyproxy/envoy/commit/448e4e14f4f188687580362a861ae4a0dbb5b1fb
# drop with v1.33.x
./0006-gcc-warnings.patch
# Remove "-Werror" from protobuf build
# This is fixed in protobuf v28 and later:
# https://github.com/protocolbuffers/protobuf/commit/f5a1b178ad52c3e64da40caceaa4ca9e51045cb4
# drop with v1.33.x
./0007-protobuf-remove-Werror.patch
];
postPatch = ''
chmod -R +w .
@ -152,7 +135,9 @@ buildBazelPackage rec {
-e 's,${stdenv.shellPackage},__NIXSHELL__,' \
$bazelOut/external/com_github_luajit_luajit/build.py \
$bazelOut/external/local_config_sh/BUILD \
$bazelOut/external/*_pip3/BUILD.bazel
$bazelOut/external/*_pip3/BUILD.bazel \
$bazelOut/external/rules_rust/util/process_wrapper/private/process_wrapper.sh \
$bazelOut/external/rules_rust/crate_universe/src/metadata/cargo_tree_rustc_wrapper.sh
rm -r $bazelOut/external/go_sdk
rm -r $bazelOut/external/local_jdk
@ -263,6 +248,38 @@ buildBazelPackage rec {
envoy = nixosTests.envoy;
# tested as a core component of Pomerium
pomerium = nixosTests.pomerium;
deps-store-free =
runCommandLocal "${envoy.name}-deps-store-free-test"
{
nativeBuildInputs = [
gnutar
gnugrep
];
}
''
touch $out
tar -xf ${envoy.deps}
grep -r /nix/store external && status=$? || status=$?
case $status in
1)
echo "No match found."
;;
0)
echo
echo "Error: Found references to /nix/store in envoy.deps derivation"
echo "This is a reproducibility issue, as the hash of the fixed-output derivation"
echo "will change in case the store path of the input changes."
echo
echo "Replace the store path in fetcherAttrs.preInstall."
exit 1
;;
*)
echo "An unexpected error occurred."
exit $status
;;
esac
'';
};
meta = with lib; {
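Review bot: The failure message of the new `deps-store-free` test sends maintainers to `fetcherAttrs.preInstall`, but the only attribute of that kind named in this file is `fetchAttrs` (see the comment above `depsHash`), so the hint appears to name something that does not exist; it should probably read `echo "Replace the store path in fetchAttrs.preInstall."`. The check runs `grep -r /nix/store external`, which prints every matching line into the build log; `grep -rlF /nix/store external` would list only the offending files and treat the path as a fixed string. The literal `/nix/store` is hard-coded, so on a non-default store directory the test would presumably pass without checking anything; a short comment saying this is intentional would help. The attrset this test is added to opens outside the hunk.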