Build with Nix #29
Build with Nix #29
Conversation
Currently, only running different versions of OpenSSL is implemented as PoC to see if it would work. You can either build it or run it directly with: ``` $ nix run '.?submodules=1#openssl_316' list-libs # uses OpenSSL 3.1.6 $ nix run '.?submodules=1#openssl_322' list-libs # uses OpenSSL 3.2.2 $ nix run '.?submodules=1' list-libs # uses OpenSSL 3.3.1 ``` Adding new versions is possible, check `packages` part of `flake.nix`. To see the supported versions run: ``` $ nix flake show ```
|
Oh and one more thing. Can you make the version of the library propagate as an environment variable to the build and run environment? Then in the Makefile we can pass it on as a define to the compiler and thus get it in the shim code so that we can do ifdefs based on it. |
Yes. Both should be somewhat simple and straightforward. |
Codecov ReportAll modified and coverable lines are covered by tests ✅
Additional details and impacted files@@ Coverage Diff @@
## master #29 +/- ##
============================================
- Coverage 69.74% 67.49% -2.26%
- Complexity 430 436 +6
============================================
Files 55 55
Lines 3064 3064
Branches 377 377
============================================
- Hits 2137 2068 -69
- Misses 753 827 +74
+ Partials 174 169 -5 ☔ View full report in Codecov by Sentry. |
In order to prevent problems with dynamic linking of OpenSSL, LibreSSL and BoringSSL -- that all have libcrypto.so -- we link statically into the providers.
| '' | ||
| cp $dev/lib/pkgconfig/libcrypto.pc $dev/lib/pkgconfig/libresslcrypto.pc | ||
| sed --in-place --expression 's/-lcrypto/-lresslcrypto/' $dev/lib/pkgconfig/libresslcrypto.pc | ||
| ln -s $out/lib/libcrypto.so $out/lib/libresslcrypto.so |
There was a problem hiding this comment.
patchelf necessary here. The library knows its soname, see:
readelf -d libresslcrypto.so | grep SONAME
Will print out libcrypto.so which is wrong.
flake.nix
Outdated
| # devLibPath = pkgs.lib.makeLibraryPath [ pkgs.libressl.dev ]; | ||
| # libressl = pkgs.libressl.overrideAttrs (_old: { | ||
| # fixupPhase = '' | ||
| # cp ${devLibPath}/openssl.pc ${devLibPath}/libressl.pc | ||
| # ''; | ||
| # }); |
There was a problem hiding this comment.
This can be removed right?
| # devLibPath = pkgs.lib.makeLibraryPath [ pkgs.libressl.dev ]; | |
| # libressl = pkgs.libressl.overrideAttrs (_old: { | |
| # fixupPhase = '' | |
| # cp ${devLibPath}/openssl.pc ${devLibPath}/libressl.pc | |
| # ''; | |
| # }); |
There was a problem hiding this comment.
As said below, there is still work to be done. Cleaning up and polishing is still down the pipeline.
| makeWrapper \ | ||
| ${jdk17_headless}/bin/java $out/bin/${pname} \ | ||
| --add-flags "-jar $out/build/libs/${pname}.jar" \ | ||
| --set LD_LIBRARY_PATH ${LD_LIBRARY_PATH}:$LD_LIBRARY_PATH |
There was a problem hiding this comment.
Messing with LD_LIBRARY_PATH should not be necessary if statically linked shims are to be used.
There was a problem hiding this comment.
Yes, this is still a WIP.
|
|
||
| boringssl.o: boringssl.c | ||
| $(CC) -I$(PROJECT_ROOT_PATH)/ext/boringssl/include/ $(CFLAGS) -c $< | ||
| NIX_CFLAGS_COMPILE= $(CC) -I$(BORINGSSL_CFLAGS) $(CFLAGS) -c $< |
There was a problem hiding this comment.
Ideally, this Makefile will still remain useful to a user that does not use nix. Can we keep that? Or back it up somewhere? Essentially I would like to keep a simple Makefile somewhere for someone that has the libraries installed system-wide (or locally) and just wants to build them.
The use case is also testing custom versions of the libraries and not having to fuff with nix.
There was a problem hiding this comment.
By custom I mean when someone is actively working on them/patching them.
Building with Nix is one way of allowing multiple versions of tested libs to be running at the same time. Currently, few versions of OpenSSL are possible, check the commit message for more details.
More work is needed before merging this.