Envoy commit integration (#1467)

ebyerly · phlax · web-flow · commit d1fdc2171fc0 · 2026-01-02T12:22:20.000-05:00
Move Envoy commit integration up to envoyproxy/envoy@e593c78 phlax@ has been making significant contributions to Envoy's CI process. What did we need to do to update Nighthawk's CI? Explicitly set config=gcc or config=clang for all tasks Bind mount spare disks - the runners have ~100GB hard drives but default to storing Bazel caches in /tmp with caps Update Bazel config name references - remote-envoy-engflow and bes-envoy-engflow no longer exist Incorporate RBE - a huge win! Nighthawk's CI process is down to ~30 minutes for build and test. Update our Envoy integration tooling to also copy over .github/config.yml and ci/envoy_build_sha.sh Statically link libatomic instead of relying on dynamic linking. Use Bazel's .stripped output instead of stripping inside the Docker container build process. Add the Docker container builder user to the docker group. Replace rsync with cp and find|rm. --------- Signed-off-by: Elizabeth Byerly <ebyerly@google.com> Co-authored-by: Ryan Northey <ryan@synca.io>
diff --git a/.bazelrc b/.bazelrc
diff --git a/.github/config.yml b/.github/config.yml
diff --git a/.github/workflows/_ci.yml b/.github/workflows/_ci.yml
@@ -15,6 +15,7 @@ on:
         type: string
         default: >-
           --config=remote-ci
+          --config=rbe
       docker-in-docker:
         description: "Enable Docker in Docker"
         required: false
@@ -37,17 +38,34 @@ jobs:
     runs-on: ubuntu-22.04
     steps:
     - uses: actions/checkout@v6.0.1
+    - name: Set gcc
+      run: |
+        if [[ "${{ inputs.task }}" == *"gcc"* ]]; then
+          echo "build --config=gcc" >> repo.bazelrc
+        else
+          echo "common --config=clang" >> repo.bazelrc
+        fi
     - name: Configure repo Bazel settings
       run: |
-        echo "build:remote-envoy-engflow --config=bes-envoy-engflow" > repo.bazelrc
+        echo "common --jobs=200" >> repo.bazelrc
+        echo "build --config=bes" >> repo.bazelrc
+    - name: Bind mount spare disk for build artifacts
+      uses: envoyproxy/toolshed/gh-actions/bind-mounts@actions-v0.3.35
+      with:
+        mounts: |
+          - src: /mnt/envoy-docker-build
+            target: /tmp/envoy-docker-build
+            chown: runner:runner
+          - src: /mnt/bazel-shared
+            target: /tmp/bazel-shared
+            chown: runner:runner
     - name: Run CI script
       run: |
         ./ci/run_envoy_docker.sh './ci/do_ci.sh ${{ inputs.task }}'
       env:
         GITHUB_TOKEN: ${{ github.token }}
         BAZEL_BUILD_EXTRA_OPTIONS: >-
           ${{ inputs.bazel-extra }}
-          --config=remote-envoy-engflow
         GH_BRANCH: ${{ github.ref }}
         GH_SHA1: ${{ github.sha }}
         ENVOY_DOCKER_IN_DOCKER: ${{ inputs.docker-in-docker && '1' || '' }}
diff --git a/BUILD b/BUILD
@@ -13,18 +13,18 @@ envoy_package()
 filegroup(
     name = "nighthawk",
     srcs = [
-        ":nighthawk_adaptive_load_client",
-        ":nighthawk_client",
-        ":nighthawk_output_transform",
-        ":nighthawk_service",
-        ":nighthawk_test_server",
+        ":nighthawk_adaptive_load_client.stripped",
+        ":nighthawk_client.stripped",
+        ":nighthawk_output_transform.stripped",
+        ":nighthawk_service.stripped",
+        ":nighthawk_test_server.stripped",
     ],
 )
 
 envoy_cc_binary(
     name = "nighthawk_adaptive_load_client",
     linkopts = [
-        "-latomic",
+        "-l:libatomic.a",
         "-lrt",
     ],
     repository = "@envoy",
@@ -36,7 +36,7 @@ envoy_cc_binary(
 envoy_cc_binary(
     name = "nighthawk_client",
     linkopts = [
-        "-latomic",
+        "-l:libatomic.a",
         "-lrt",
     ],
     repository = "@envoy",
@@ -50,7 +50,7 @@ envoy_cc_binary(
 envoy_cc_binary(
     name = "nighthawk_client_testonly",
     linkopts = [
-        "-latomic",
+        "-l:libatomic.a",
         "-lrt",
     ],
     repository = "@envoy",
@@ -64,7 +64,7 @@ envoy_cc_binary(
 envoy_cc_binary(
     name = "nighthawk_test_server",
     linkopts = [
-        "-latomic",
+        "-l:libatomic.a",
         "-lrt",
     ],
     repository = "@envoy",
@@ -79,7 +79,7 @@ envoy_cc_binary(
 envoy_cc_binary(
     name = "nighthawk_service",
     linkopts = [
-        "-latomic",
+        "-l:libatomic.a",
         "-lrt",
     ],
     repository = "@envoy",
@@ -91,7 +91,7 @@ envoy_cc_binary(
 envoy_cc_binary(
     name = "nighthawk_output_transform",
     linkopts = [
-        "-latomic",
+        "-l:libatomic.a",
         "-lrt",
     ],
     repository = "@envoy",
diff --git a/WORKSPACE b/WORKSPACE
@@ -17,10 +17,6 @@ load("@envoy//bazel:api_repositories.bzl", "envoy_api_dependencies")
 
 envoy_api_dependencies()
 
-load("@envoy//bazel:repo.bzl", "envoy_repo")
-
-envoy_repo()
-
 load("@envoy//bazel:repositories.bzl", "envoy_dependencies")
 
 envoy_dependencies()
@@ -41,6 +37,18 @@ load("@envoy//bazel:dependency_imports.bzl", "envoy_dependency_imports")
 
 envoy_dependency_imports()
 
+load("@envoy//bazel:repo.bzl", "envoy_repo")
+
+envoy_repo()
+
+load("@envoy//bazel:toolchains.bzl", "envoy_toolchains")
+
+envoy_toolchains()
+
+load("@envoy//bazel:dependency_imports_extra.bzl", "envoy_dependency_imports_extra")
+
+envoy_dependency_imports_extra()
+
 load("//bazel:python_dependencies.bzl", "nighthawk_python_dependencies")
 
 nighthawk_python_dependencies()
diff --git a/bazel/repositories.bzl b/bazel/repositories.bzl
@@ -1,7 +1,7 @@
 load("@bazel_tools//tools/build_defs/repo:http.bzl", "http_archive")
 
-ENVOY_COMMIT = "ee9df7b308de9f7e998619d1c86bc87b9058d0c9"
-ENVOY_SHA = "583d91fb5c87e1c92b1a75ad1e259fe9e1164515cd714e887eed01c6cb5ec953"
+ENVOY_COMMIT = "e593c7820b15aab315ddc2b615bd639012288469"
+ENVOY_SHA = "6f5614477880fc392844e2b63efb9b55774e908e1bc5f18e6ee57068f76addf8"
 
 HDR_HISTOGRAM_C_VERSION = "0.11.8"  # June 18th, 2025
 HDR_HISTOGRAM_C_SHA = "bb95351a6a8b242dc9be1f28562761a84d4cf0a874ffc90a9b630770a6468e94"
@@ -48,7 +48,7 @@ cc_library(
         "-Wno-implicit-function-declaration",
         "-Wno-error",
     ],
-    deps = ["@envoy//bazel/foreign_cc:zlib",],
+    deps = ["@zlib",],
     visibility = ["//visibility:public"],
 )
   """,
diff --git a/ci/do_ci.sh b/ci/do_ci.sh
@@ -310,6 +310,8 @@ export BAZEL_TEST_OPTIONS="${BAZEL_BUILD_OPTIONS} \
 --test_env=UBSAN_OPTIONS=print_stacktrace=1 \
 --cache_test_results=no --test_output=errors ${BAZEL_EXTRA_TEST_OPTIONS}"
 
+export CARGO_BAZEL_REPIN=true
+
 case "$1" in
     build)
         setup_clang_toolchain
diff --git a/ci/docker-compose.yml b/ci/docker-compose.yml
@@ -1,6 +1,6 @@
 x-envoy-build-base: &envoy-build-base
   image: >-
-    ${ENVOY_BUILD_IMAGE:-docker.io/envoyproxy/envoy-build-ubuntu:4ce0cb04f941fb89d475597a640176ae64070bb1@sha256:de54e91a8d27623ffbd3fb9bd1aba8241567e41c0fb82b167128e3629c2ede18}
+    ${ENVOY_BUILD_IMAGE:?ERROR: ENVOY_BUILD_IMAGE is not set! either set it in your environment or use ci/run_envoy_docker.sh to set it}
   cpus: ${ENVOY_DOCKER_CPUS:-0}
   user: root:root
   working_dir: ${ENVOY_DOCKER_SOURCE_DIR:-/source}
@@ -81,26 +81,40 @@ x-envoy-build-base: &envoy-build-base
   - "/bin/bash"
   - "-c"
   - |
-    groupadd --gid ${DOCKER_GID:-${USER_GID:-$(id -g)}} -f envoygroup
-    useradd -o \
-        --uid ${USER_UID:-$(id -u)} \
-        --gid ${DOCKER_GID:-${USER_GID:-$(id -g)}} \
-        --no-create-home \
-        -s /bin/bash \
-        --home-dir /build envoybuild
-    usermod -a -G pcap envoybuild
-    chown envoybuild:envoygroup /build
+    set -e
+
+    if [[ -n "${USER_GID:-}" ]]; then
+        groupmod -g "$USER_GID" envoybuild >/dev/null
+    fi
+    if [[ -n "${USER_UID:-}" ]]; then
+        usermod -u "$USER_UID" envoybuild >/dev/null
+    fi
+    usermod -d /build envoybuild >/dev/null
+    if [[ -f /.build-id ]]; then
+        build_id="$(cat /.build-id)"
+        echo "Envoy build image: $${build_id}"
+    fi
+    chown envoybuild:envoybuild /build
     chown envoybuild /proc/self/fd/2 2>/dev/null || true
     [[ -e /entrypoint-extra.sh ]] && /entrypoint-extra.sh
+
+    if [ -S /var/run/docker.sock ]; then
+        DOCKER_GID=$(stat -c '%g' /var/run/docker.sock)
+        if ! getent group "$DOCKER_GID" >/dev/null; then
+            groupadd -g "$DOCKER_GID" docker_sock
+        fi
+        usermod -a -G "$(getent group "$DOCKER_GID" | cut -d: -f1)" envoybuild
+    fi
+
     sudo -EHs -u envoybuild bash -c 'cd ${ENVOY_DOCKER_SOURCE_DIR:-/source} && exec ${DOCKER_COMMAND:-bash}'
 
 services:
   envoy-build:
     <<: *envoy-build-base
     volumes:
-    - ${ENVOY_DOCKER_BUILD_DIR:-/tmp/envoy-docker-build}:/build
-    - ${SOURCE_DIR:-..}:/source
-    - ${SHARED_TMP_DIR:-/tmp/bazel-shared}:${SHARED_TMP_DIR:-/tmp/bazel-shared}
+    - ${ENVOY_DOCKER_BUILD_DIR:-/tmp/envoy-docker-build}:/build${MOUNT_ACCESS_MODE:-}
+    - ${SOURCE_DIR:-..}:/source${MOUNT_ACCESS_MODE:-}
+    - ${SHARED_TMP_DIR:-/tmp/bazel-shared}:${SHARED_TMP_DIR:-/tmp/bazel-shared}${MOUNT_ACCESS_MODE:-}
 
   envoy-build-gpg:
     <<: *envoy-build-base
@@ -117,4 +131,4 @@ services:
     - ${ENVOY_DOCKER_BUILD_DIR:-/tmp/envoy-docker-build}:/build
     - ${SOURCE_DIR:-..}:/source
     - /var/run/docker.sock:/var/run/docker.sock
-    - ${SHARED_TMP_DIR:-/tmp/bazel-shared}:${SHARED_TMP_DIR:-/tmp/bazel-shared}
+    - ${SHARED_TMP_DIR:-/tmp/bazel-shared}:${SHARED_TMP_DIR:-/tmp/bazel-shared}    - ${ENVOY_ENTRYPOINT_EXTRA:-./docker-entrypoint-extra.sh}:/entrypoint-extra.sh
diff --git a/ci/docker/benchmark_build.sh b/ci/docker/benchmark_build.sh
@@ -22,7 +22,8 @@ TMP_DIR="$(mktemp -d ${WORKSPACE}/tmp-docker-build-context-XXXXXXXX)"
 echo "Preparing docker build context in ${TMP_DIR}"
 cp -r "${WORKSPACE}/ci/docker/" "${TMP_DIR}/"
 # Exclude any venv files since they aren't necessary and docker can't handle symlinks.
-rsync -a --exclude='*.venv/' "${BAZEL_BIN}/benchmarks" "${TMP_DIR}"
+cp -r "${BAZEL_BIN}/benchmarks" "${TMP_DIR}"
+find "${TMP_DIR}/benchmarks" -name "*.venv" -type d -exec rm -rf {} +
 
 cd "${TMP_DIR}"
 echo "running docker build ... "
diff --git a/ci/docker/docker_build.sh b/ci/docker/docker_build.sh
@@ -23,12 +23,11 @@ echo "Preparing docker build context in ${TMP_DIR}"
 cp -r "${WORKSPACE}/ci/docker/" "${TMP_DIR}/"
 
 for BINARY in "${BINARIES[@]}"; do
-    echo "Copy and strip ${BINARY}"
+    echo "Copy ${BINARY}"
     TARGET="${TMP_DIR}/${BINARY}"
     # Docker won't follow symlinks
-    cp "${BAZEL_BIN}/${BINARY}" "${TARGET}"
+    cp "${BAZEL_BIN}/${BINARY}.stripped" "${TARGET}"
     chmod +w "${TARGET}"
-    strip --strip-debug "${TARGET}"
 done
 
 cd "${TMP_DIR}"
diff --git a/ci/envoy_build_sha.sh b/ci/envoy_build_sha.sh
@@ -1,2 +1,46 @@
-ENVOY_BUILD_SHA=$(grep envoyproxy/envoy-build-ubuntu $(dirname $0)/../.bazelrc | sed -e 's#.*envoyproxy/envoy-build-ubuntu:\(.*\)#\1#' | uniq)
-[[ $(wc -l <<< "${ENVOY_BUILD_SHA}" | awk '{$1=$1};1') == 1 ]] || (echo ".bazelrc envoyproxy/envoy-build-ubuntu hashes are inconsistent!" && exit 1)
+#!/usr/bin/env bash
+
+CONFIG_FILE="$(realpath "$(dirname "${BASH_SOURCE[0]}")")/../.github/config.yml"
+
+# Parse values from .github/config.yml
+BUILD_REPO=$(awk '/^[ ]*repo: /{print $2}' "$CONFIG_FILE")
+BUILD_SHA=$(awk '/^[ ]*sha: /{print $2}' "$CONFIG_FILE")
+BUILD_SHA_CI=$(awk '/^[ ]*sha-ci: /{print $2}' "$CONFIG_FILE")
+BUILD_SHA_DEVTOOLS=$(awk '/^[ ]*sha-devtools: /{print $2}' "$CONFIG_FILE")
+BUILD_SHA_DOCKER=$(awk '/^[ ]*sha-docker: /{print $2}' "$CONFIG_FILE")
+BUILD_SHA_GCC=$(awk '/^[ ]*sha-gcc: /{print $2}' "$CONFIG_FILE")
+BUILD_SHA_MOBILE=$(awk '/^[ ]*sha-mobile: /{print $2}' "$CONFIG_FILE")
+BUILD_SHA_WORKER=$(awk '/^[ ]*sha-worker: /{print $2}' "$CONFIG_FILE")
+
+BUILD_TAG=$(awk '/^[ ]*tag: /{print $2}' "$CONFIG_FILE")
+
+
+case $ENVOY_BUILD_VARIANT in
+    ci)
+        BUILD_SHA="$BUILD_SHA_CI"
+        ;;
+    devtools)
+        BUILD_SHA="$BUILD_SHA_DEVTOOLS"
+        ;;
+    docker)
+        BUILD_SHA="$BUILD_SHA_DOCKER"
+        ;;
+    gcc)
+        BUILD_SHA="$BUILD_SHA_GCC"
+        ;;
+    mobile)
+        BUILD_SHA="$BUILD_SHA_MOBILE"
+        ;;
+    worker)
+        BUILD_SHA="$BUILD_SHA_WORKER"
+        ;;
+esac
+
+# shellcheck disable=SC2034
+BUILD_CONTAINER="${BUILD_REPO}@sha256:${BUILD_SHA}"
+
+
+if [[ -z "$BUILD_REPO" || -z "$BUILD_SHA" || -z "$BUILD_TAG" ]]; then
+    echo "Error: Missing repo, sha, or tag values in .github/config.yml"
+    exit 1
+fi
diff --git a/test/integration/BUILD b/test/integration/BUILD
@@ -33,7 +33,7 @@ py_library(
 envoy_cc_binary(
     name = "envoy-static-testonly",
     linkopts = [
-        "-latomic",
+        "-l:libatomic.a",
         "-lrt",
     ],
     repository = "@envoy",
diff --git a/tools/nighthawk_envoy_updater.py b/tools/nighthawk_envoy_updater.py
@@ -26,6 +26,8 @@
 # Files Nighthawk re-uses verbatim from its Envoy dependency.
 copied_files: list[str] = [
     ".bazelversion",
+    ".github/config.yml",
+    "ci/envoy_build_sha.sh"
     "ci/run_envoy_docker.sh",
 ]
 
