From de8d58491de9d6fc5dc7ccc1bca0acb532d01c50 Mon Sep 17 00:00:00 2001
From: Lizan Zhou
Date: Thu, 7 May 2020 17:37:21 -0700
Subject: [PATCH 1/5] backport: various build fixes for 1.14.x (#11056)

Commit Message: Cherry-picks:
dc197e5b0c4e95493c1b026c34bbb3f168a79fbf
53065633219c8d1b473469e487943985e75dc48e
bc2d1d383b87e26e1a6ac8042a1dc880b00624a3
df0c09754c622c40a2de6ec0de0ed5b70d116c8b
Risk Level: Low
Testing: CI
Docs Changes:
Release Notes:
Part of #10741

Signed-off-by: Lizan Zhou
Co-authored-by: Matt Klein
Co-authored-by: Stephan Zuercher
---
 .azure-pipelines/bazel.yml | 3 ++
 .azure-pipelines/cleanup.sh | 9 ++++
 .azure-pipelines/pipelines.yml | 7 ++-
 VERSION | 2 +-
 ...ockerfile-envoy-image => Dockerfile-envoy} | 0
 ci/docker_build.sh | 9 ----
 ci/docker_ci.sh | 52 +++++++++++++++++++
 ci/docker_push.sh | 32 ------------
 ci/docker_tag.sh | 25 ---------
 ci/mac_ci_steps.sh | 4 +-
 10 files changed, 70 insertions(+), 73 deletions(-)
 create mode 100755 .azure-pipelines/cleanup.sh
 rename ci/{Dockerfile-envoy-image => Dockerfile-envoy} (100%)
 delete mode 100755 ci/docker_build.sh
 create mode 100755 ci/docker_ci.sh
 delete mode 100755 ci/docker_push.sh
 delete mode 100755 ci/docker_tag.sh

diff --git a/.azure-pipelines/bazel.yml b/.azure-pipelines/bazel.yml
index bba3dcd3ada2f..e0b05ad07a983 100644
--- a/.azure-pipelines/bazel.yml
+++ b/.azure-pipelines/bazel.yml
@@ -10,6 +10,9 @@ steps:
 key: '"${{ parameters.ciTarget }}" | ./WORKSPACE | **/*.bzl'
 path: $(Build.StagingDirectory)/repository_cache
+ - bash: .azure-pipelines/cleanup.sh
+ displayName: "Removing tools from agent"
+
 - bash: |
 echo "disk space at beginning of build:"
 df -h
diff --git a/.azure-pipelines/cleanup.sh b/.azure-pipelines/cleanup.sh
new file mode 100755
index 0000000000000..72a9bbf9fa185
--- /dev/null
+++ b/.azure-pipelines/cleanup.sh
@@ -0,0 +1,9 @@
+#!/bin/bash
+
+set -e
+
+# Temporary script to remove tools from Azure pipelines agent to create more disk space room.
+sudo apt-get -y update
+sudo apt-get purge -y 'ghc-*' 'zulu-*-azure-jdk' 'libllvm*' 'mysql-*' 'dotnet-*' 'cpp-*'
+
+dpkg-query -Wf '${Installed-Size}\t${Package}\n' | sort -rn
diff --git a/.azure-pipelines/pipelines.yml b/.azure-pipelines/pipelines.yml
index 69338021a0850..fa34a3190fc2a 100644
--- a/.azure-pipelines/pipelines.yml
+++ b/.azure-pipelines/pipelines.yml
@@ -2,6 +2,7 @@ trigger:
 branches:
 include:
 - "master"
+ - "release/v*"
 tags:
 include:
 - "v*"
@@ -92,13 +93,11 @@ jobs:
 - bash: |
 set -e
 tar zxf $(Build.StagingDirectory)/bazel.release/envoy_binary.tar.gz
- ci/docker_build.sh
- ci/docker_push.sh
- ci/docker_tag.sh
+ ci/docker_ci.sh
 workingDirectory: $(Build.SourcesDirectory)
 env:
 AZP_BRANCH: $(Build.SourceBranch)
- CIRCLE_SHA1: $(Build.SourceVersion)
+ AZP_SHA1: $(Build.SourceVersion)
 DOCKERHUB_USERNAME: $(DockerUsername)
 DOCKERHUB_PASSWORD: $(DockerPassword)
diff --git a/VERSION b/VERSION
index 63e799cf451bc..33539c3c1623c 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-1.14.1
+1.14.2-dev
diff --git a/ci/Dockerfile-envoy-image b/ci/Dockerfile-envoy
similarity index 100%
rename from ci/Dockerfile-envoy-image
rename to ci/Dockerfile-envoy
diff --git a/ci/docker_build.sh b/ci/docker_build.sh
deleted file mode 100755
index 84b4056a7d4ee..0000000000000
--- a/ci/docker_build.sh
+++ /dev/null
@@ -1,9 +0,0 @@
-#!/bin/bash
-
-set -ex
-
-DOCKER_IMAGE_PREFIX="${DOCKER_IMAGE_PREFIX:-envoyproxy/envoy}"
-
-docker build -f ci/Dockerfile-envoy-image -t "${DOCKER_IMAGE_PREFIX}-dev:${CIRCLE_SHA1}" .
-docker build -f ci/Dockerfile-envoy-alpine -t "${DOCKER_IMAGE_PREFIX}-alpine-dev:${CIRCLE_SHA1}" .
-docker build -f ci/Dockerfile-envoy-alpine-debug -t "${DOCKER_IMAGE_PREFIX}-alpine-debug-dev:${CIRCLE_SHA1}" .
diff --git a/ci/docker_ci.sh b/ci/docker_ci.sh
new file mode 100755
index 0000000000000..d4594df2ffca5
--- /dev/null
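Review bot: The patterns on the `sudo apt-get purge -y 'ghc-*' ... 'cpp-*'` line are wider than they read: apt treats an argument containing `*` as a pattern matched against every known package name (a POSIX regex, and on newer apt also a glob), so `'cpp-*'` or `'mysql-*'` can remove any package whose name merely contains that text rather than the intended family. Since this runs with sudo on the build agent, listing the package names explicitly or anchoring the patterns (e.g. `'^ghc-'`) is safer, and the `dpkg-query` listing that follows should be compared against what apt reports removing. The `# Temporary script` comment would also be easier to retire if it named the issue or agent change that makes the cleanup unnecessary.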
+++ b/ci/docker_ci.sh 
@@ -0,0 +1,52 @@
+#!/bin/bash
+
+# Do not ever set -x here, it is a security hazard as it will place the credentials below in the
+# CI logs.
+set -e
+
+# This prefix is altered for the private security images on setec builds.
+DOCKER_IMAGE_PREFIX="${DOCKER_IMAGE_PREFIX:-envoyproxy/envoy}"
+
+# Test the docker build in all cases, but use a local tag that we will overwrite before push in the
+# cases where we do push.
+for BUILD_TYPE in "" "-alpine" "-alpine-debug"; do
+ docker build -f ci/Dockerfile-envoy"${BUILD_TYPE}" -t "${DOCKER_IMAGE_PREFIX}${BUILD_TYPE}:local" .
+done
+
+MASTER_BRANCH="refs/heads/master"
+RELEASE_BRANCH_REGEX="^refs/heads/release/v.*"
+RELEASE_TAG_REGEX="^refs/tags/v.*"
+
+# Only push images for master builds, release branch builds, and tag builds.
+if [[ "${AZP_BRANCH}" != "${MASTER_BRANCH}" ]] && \
+ ! [[ "${AZP_BRANCH}" =~ ${RELEASE_BRANCH_REGEX} ]] && \
+ ! [[ "${AZP_BRANCH}" =~ ${RELEASE_TAG_REGEX} ]]; then
+ echo 'Ignoring non-master branch or tag for docker push.'
+ exit 0
+fi
+
+# For master builds and release branch builds use the dev repo. Otherwise we assume it's a tag and
+# we push to the primary repo.
+if [[ "${AZP_BRANCH}" == "${MASTER_BRANCH}" ]] || \
+ [[ "${AZP_BRANCH}" =~ ${RELEASE_BRANCH_REGEX} ]]; then
+ IMAGE_POSTFIX="-dev"
+ IMAGE_NAME="$AZP_SHA1"
+else
+ IMAGE_POSTFIX=""
+ IMAGE_NAME="${AZP_BRANCH/refs\/tags\//}"
+fi
+
+docker login -u "$DOCKERHUB_USERNAME" -p "$DOCKERHUB_PASSWORD"
+
+for BUILD_TYPE in "" "-alpine" "-alpine-debug"; do
+ docker tag "${DOCKER_IMAGE_PREFIX}${BUILD_TYPE}:local" "${DOCKER_IMAGE_PREFIX}${BUILD_TYPE}${IMAGE_POSTFIX}:${IMAGE_NAME}"
+ docker push "${DOCKER_IMAGE_PREFIX}${BUILD_TYPE}${IMAGE_POSTFIX}:${IMAGE_NAME}"
+
+ # Only push latest on master builds.
+ if [[ "${AZP_BRANCH}" == "${MASTER_BRANCH}" ]]; then
+ docker tag "${DOCKER_IMAGE_PREFIX}${BUILD_TYPE}:local" "${DOCKER_IMAGE_PREFIX}${BUILD_TYPE}${IMAGE_POSTFIX}:latest"
+ docker push "${DOCKER_IMAGE_PREFIX}${BUILD_TYPE}${IMAGE_POSTFIX}:latest"
+ fi
+done
+
+
diff --git a/ci/docker_push.sh b/ci/docker_push.sh
deleted file mode 100755
index fa621a663b802..0000000000000
--- a/ci/docker_push.sh
+++ /dev/null
@@ -1,32 +0,0 @@
-#!/bin/bash
-
-# Do not ever set -x here, it is a security hazard as it will place the credentials below in the
-# CircleCI logs.
-set -e
-
-if [[ -n "$CIRCLE_PULL_REQUEST" ]]; then
- echo 'Ignoring PR branch for docker push.'
- exit 0
-fi
-
-DOCKER_IMAGE_PREFIX="${DOCKER_IMAGE_PREFIX:-envoyproxy/envoy}"
-
-# push the envoy image on tags or merge to master
-if [[ "${AZP_BRANCH}" == 'refs/heads/master' ]] || [[ "${AZP_BRANCH}" =~ ^refs/heads/release/v.* ]]; then
- docker login -u "$DOCKERHUB_USERNAME" -p "$DOCKERHUB_PASSWORD"
-
- for BUILD_TYPE in "" "-alpine" "-alpine-debug"; do
- docker push "${DOCKER_IMAGE_PREFIX}${BUILD_TYPE}-dev:${CIRCLE_SHA1}"
- if [[ "$AZP_BRANCH" == 'refs/heads/master' ]]; then
- docker tag "${DOCKER_IMAGE_PREFIX}${BUILD_TYPE}-dev:${CIRCLE_SHA1}" "${DOCKER_IMAGE_PREFIX}${BUILD_TYPE}-dev:latest"
- docker push "${DOCKER_IMAGE_PREFIX}${BUILD_TYPE}-dev:latest"
- fi
- done
-
- # This script tests the docker examples.
- # TODO(mattklein123): This almost always times out on CircleCI. Do not run for now until we
- # have a better CI setup.
- #./ci/verify_examples.sh
-else
- echo 'Ignoring non-master branch for docker push.'
-fi
diff --git a/ci/docker_tag.sh b/ci/docker_tag.sh
deleted file mode 100755
index f3a4a205ae625..0000000000000
--- a/ci/docker_tag.sh
+++ /dev/null
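Review bot: `docker login -u "$DOCKERHUB_USERNAME" -p "$DOCKERHUB_PASSWORD"` hands the registry password over as a process argument, where any other process on the agent can read it from the process table for the lifetime of the login call; the header comment only guards against `set -x` echoing it into the log. Feed it over stdin instead: `echo "$DOCKERHUB_PASSWORD" | docker login -u "$DOCKERHUB_USERNAME" --password-stdin`. The script also never calls `docker logout`, so the credential stays in the agent's docker config after the push loop; if the agents are not discarded after every job, add `docker logout` (or a `trap 'docker logout' EXIT` right after the login) so it does not outlive the job.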
@@ -1,25 +0,0 @@
-#!/bin/bash
-
-# Do not ever set -x here, it is a security hazard as it will place the credentials below in the
-# CircleCI logs.
-set -e
-
-DOCKER_IMAGE_PREFIX="${DOCKER_IMAGE_PREFIX:-envoyproxy/envoy}"
-
-if [[ "${AZP_BRANCH}" =~ ^refs/tags/v.* ]]; then
- CIRCLE_TAG="${AZP_BRANCH/refs\/tags\//}"
-fi
-
-if [[ -n "$CIRCLE_TAG" ]]; then
- docker login -u "$DOCKERHUB_USERNAME" -p "$DOCKERHUB_PASSWORD"
-
- for BUILD_TYPE in "" "-alpine" "-alpine-debug"; do
- docker pull "${DOCKER_IMAGE_PREFIX}${BUILD_TYPE}"-dev:"$CIRCLE_SHA1"
- docker tag "${DOCKER_IMAGE_PREFIX}${BUILD_TYPE}"-dev:"$CIRCLE_SHA1" "${DOCKER_IMAGE_PREFIX}${BUILD_TYPE}":"$CIRCLE_TAG"
- docker push "${DOCKER_IMAGE_PREFIX}${BUILD_TYPE}":"$CIRCLE_TAG"
- docker tag "${DOCKER_IMAGE_PREFIX}${BUILD_TYPE}"-dev:"$CIRCLE_SHA1" "${DOCKER_IMAGE_PREFIX}${BUILD_TYPE}":latest
- docker push "${DOCKER_IMAGE_PREFIX}${BUILD_TYPE}":latest
- done
-else
- echo 'Ignoring non-tag event for docker tag.'
-fi
diff --git a/ci/mac_ci_steps.sh b/ci/mac_ci_steps.sh
index 552f9d7957ad4..41e01d0fd134f 100755
--- a/ci/mac_ci_steps.sh
+++ b/ci/mac_ci_steps.sh
@@ -26,10 +26,10 @@ BAZEL_BUILD_OPTIONS="--curses=no --show_task_finish --verbose_failures \
 if [[ $# -gt 0 ]]; then
 TEST_TARGETS=$*
 else
- TEST_TARGETS=//test/...
+ TEST_TARGETS=//test/integration/...
 fi
-if [[ "$TEST_TARGETS" == "//test/..." ]]; then
+if [[ "$TEST_TARGETS" == "//test/..." || "$TEST_TARGETS" == "//test/integration/..." ]]; then
 bazel build ${BAZEL_BUILD_OPTIONS} //source/exe:envoy-static
 fi
 bazel test ${BAZEL_BUILD_OPTIONS} ${TEST_TARGETS}

From ef90e9a2e67b7cd0e06bc717ea378cf8472bb8d7 Mon Sep 17 00:00:00 2001
From: Piotr Sikora
Date: Sat, 6 Jun 2020 03:14:12 -0700
Subject: [PATCH 2/5] ci: fix mac bazelisk (#11444) (#11484)

Signed-off-by: Lizan Zhou
Signed-off-by: Piotr Sikora
---
 ci/mac_ci_setup.sh | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/ci/mac_ci_setup.sh b/ci/mac_ci_setup.sh
index b58c3a3eeed44..832aecaf869b1 100755
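Review bot: The new default `TEST_TARGETS=//test/integration/...` silently drops everything outside `//test/integration` from the macOS run, and neither the hunk nor the commit message records why or whether the reduction is meant to be temporary. A one-line comment above the assignment, e.g. `# macOS CI runs only //test/integration/... by default; <reason and tracking issue>` with the real reason filled in, would keep the narrower scope from being mistaken for an oversight and would tell whoever widens it later what to check. The rest of the script lies outside the hunk.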
--- a/ci/mac_ci_setup.sh
+++ b/ci/mac_ci_setup.sh
@@ -38,7 +38,8 @@ fi
 # Required as bazel and a foreign bazelisk are installed in the latest macos vm image, we have
 # to unlink/overwrite them to install bazelisk
 echo "Installing bazelbuild/tap/bazelisk"
-brew install --force bazelbuild/tap/bazelisk
+brew tap bazelbuild/tap
+brew reinstall --force bazelbuild/tap/bazelisk
 if ! brew link --overwrite bazelbuild/tap/bazelisk; then
 echo "Failed to install and link bazelbuild/tap/bazelisk"
 exit 1

From 20dfb38063d5e0489a885bd9366999311b69d914 Mon Sep 17 00:00:00 2001
From: Piotr Sikora
Date: Sat, 6 Jun 2020 08:22:00 -0700
Subject: [PATCH 3/5] Push vX.Y-latest when a release is cut (#11405) (#11463)

Enables users of tagged releases to stay on the latest release of a major/minor combination

Resolves https://github.com/envoyproxy/envoy/issues/11091

Signed-off-by: Sunjay Bhatia
Signed-off-by: Piotr Sikora
---
 ci/docker_ci.sh | 7 +++++++
 docs/root/install/building.rst | 6 +-----
 2 files changed, 8 insertions(+), 5 deletions(-)

diff --git a/ci/docker_ci.sh b/ci/docker_ci.sh
index d4594df2ffca5..fb2d575bd31db 100755
--- a/ci/docker_ci.sh
+++ b/ci/docker_ci.sh
@@ -47,6 +47,13 @@ for BUILD_TYPE in "" "-alpine" "-alpine-debug"; do
 docker tag "${DOCKER_IMAGE_PREFIX}${BUILD_TYPE}:local" "${DOCKER_IMAGE_PREFIX}${BUILD_TYPE}${IMAGE_POSTFIX}:latest"
 docker push "${DOCKER_IMAGE_PREFIX}${BUILD_TYPE}${IMAGE_POSTFIX}:latest"
 fi
+
+ # Push vX.Y-latest to tag the latest image in a release line
+ if [[ "${AZP_BRANCH}" =~ ${RELEASE_TAG_REGEX} ]]; then
+ RELEASE_LINE=$(echo "$IMAGE_NAME" | sed -E 's/(v[0-9]+\.[0-9]+)\.[0-9]+/\1-latest/')
+ docker tag "${DOCKER_IMAGE_PREFIX}${BUILD_TYPE}:local" "${DOCKER_IMAGE_PREFIX}${BUILD_TYPE}${IMAGE_POSTFIX}:${RELEASE_LINE}"
+ docker push "${DOCKER_IMAGE_PREFIX}${BUILD_TYPE}${IMAGE_POSTFIX}:${RELEASE_LINE}"
+ fi
 done
diff --git a/docs/root/install/building.rst b/docs/root/install/building.rst
index 9541bc6316bda..a475a6958607a 100644
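Review bot: Nothing in the new `if [[ "${AZP_BRANCH}" =~ ${RELEASE_TAG_REGEX} ]]` block checks that the tag being built is the newest in its line, so an out-of-order or re-cut tag push (a `v1.14.1` built after `v1.14.2`) moves `vX.Y-latest` back to an older image. The `sed` expression is also unanchored: a pre-release tag such as `v1.15.0-rc1` still matches and yields `v1.15-latest-rc1`, and a tag that does not match at all leaves `RELEASE_LINE` equal to `IMAGE_NAME`, so the same image is pushed twice under one tag. Anchoring the pattern, `sed -E 's/^(v[0-9]+\.[0-9]+)\.[0-9]+$/\1-latest/'`, and guarding the tag/push pair with `[[ "$RELEASE_LINE" != "$IMAGE_NAME" ]]` closes the last two cases; the first needs either a comparison against the tags already published or a sentence in the comment stating that the moving tag follows the most recently pushed tag, not the highest version. The enclosing `for BUILD_TYPE` loop starts outside the hunk.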
--- a/docs/root/install/building.rst
+++ b/docs/root/install/building.rst
@@ -41,13 +41,9 @@ be found in the following repositories:
 * `envoyproxy/envoy-alpine-debug `_: Release binary with debug symbols on top of a **glibc** alpine base.
-In the above repositories, the *latest* tag points to the latest official release.
-
 .. note::
- The above repositories used to contain the dev images described below. They remain to avoid
- breaking existing users. New dev images are added to the repositories described in the following
- section.
+ In the above repositories, we tag a *vX.Y-latest* image for each security/stable release line.
 On every master commit we additionally create a set of development Docker images. These images can be found in the following repositories:

From d4c0a82caf5fa1bb44759008e8d38310e9793c2e Mon Sep 17 00:00:00 2001
From: Piotr Sikora
Date: Sat, 6 Jun 2020 13:31:53 -0700
Subject: [PATCH 4/5] build: bump nghttp2 to 1.41.0. (#11412) (#11470)

See release notes at https://github.com/nghttp2/nghttp2/releases/tag/v1.41.0. This addresses https://github.com/nghttp2/nghttp2/security/advisories/GHSA-q5wr-xfw9-q7xr.

Signed-off-by: Harvey Tuch
Signed-off-by: Piotr Sikora
---
 bazel/foreign_cc/BUILD | 4 ++--
 bazel/repository_locations.bzl | 6 +++---
 2 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/bazel/foreign_cc/BUILD b/bazel/foreign_cc/BUILD
index 24910612adf22..3104e4f1101d1 100644
--- a/bazel/foreign_cc/BUILD
+++ b/bazel/foreign_cc/BUILD
@@ -190,8 +190,8 @@ envoy_cmake_external(
 defines = ["NGHTTP2_STATICLIB"],
 lib_source = "@com_github_nghttp2_nghttp2//:all",
 static_libraries = select({
- "//bazel:windows_x86_64": ["nghttp2_static.lib"],
- "//conditions:default": ["libnghttp2_static.a"],
+ "//bazel:windows_x86_64": ["nghttp2.lib"],
+ "//conditions:default": ["libnghttp2.a"],
 }),
 )
diff --git a/bazel/repository_locations.bzl b/bazel/repository_locations.bzl
index d89b139ee5f8a..3f24f410b0f30 100644
--- a/bazel/repository_locations.bzl
+++ b/bazel/repository_locations.bzl
@@ -126,9 +126,9 @@ REPOSITORY_LOCATIONS = dict(
 urls = ["https://github.com/moonjit/moonjit/archive/2.2.0.tar.gz"],
 ),
 com_github_nghttp2_nghttp2 = dict(
- sha256 = "eb9d9046495a49dd40c7ef5d6c9907b51e5a6b320ea6e2add11eb8b52c982c47",
- strip_prefix = "nghttp2-1.40.0",
- urls = ["https://github.com/nghttp2/nghttp2/releases/download/v1.40.0/nghttp2-1.40.0.tar.gz"],
+ sha256 = "eacc6f0f8543583ecd659faf0a3f906ed03826f1d4157b536b4b385fe47c5bb8",
+ strip_prefix = "nghttp2-1.41.0",
+ urls = ["https://github.com/nghttp2/nghttp2/releases/download/v1.41.0/nghttp2-1.41.0.tar.gz"],
 ),
 io_opentracing_cpp = dict(
 sha256 = "015c4187f7a6426a2b5196f0ccd982aa87f010cf61f507ae3ce5c90523f92301",

From 1a0363c885c2dbb1e48b03847dbd706d1ba43eba Mon Sep 17 00:00:00 2001
From: Piotr Sikora
Date: Mon, 8 Jun 2020 13:15:11 -0700
Subject: [PATCH 5/5] docs: 1.14.2 release notes. (#11491)

Signed-off-by: Piotr Sikora
---
 VERSION | 2 +-
 docs/root/intro/version_history.rst | 4 ++++
 2 files changed, 5 insertions(+), 1 deletion(-)

diff --git a/VERSION b/VERSION
index 33539c3c1623c..a4cc55716f5d9 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-1.14.2-dev
+1.14.2
diff --git a/docs/root/intro/version_history.rst b/docs/root/intro/version_history.rst
index c67693bd7fe79..b9eb04b2cb493 100644
--- a/docs/root/intro/version_history.rst
+++ b/docs/root/intro/version_history.rst
@@ -1,6 +1,10 @@
 Version history
 ---------------
+1.14.2 (June 8, 2020)
+=====================
+* http: fixed CVE-2020-11080 by rejecting HTTP/2 SETTINGS frames with too many parameters.
+
 1.14.1 (April 8, 2020)
 ======================
 * request_id_extension: fixed static initialization for noop request id extension.
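Review bot: The new `sha256` on the `com_github_nghttp2_nghttp2` entry is the only integrity check on the downloaded tarball and cannot be confirmed from the diff; before merging, recompute it from the v1.41.0 release asset (`sha256sum nghttp2-1.41.0.tar.gz`) rather than accepting the pasted value, since the `urls` entry points at a mutable GitHub release and the digest is what pins the build to one archive. A short comment on the entry naming the advisory the commit message cites, e.g. `# 1.41.0 picks up the fix for GHSA-q5wr-xfw9-q7xr`, would keep the reason for the pin next to the version rather than only in git history, which matters on a backport branch where the next bump may come from someone else.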