feat: switch release runner to ubuntu-22.04 and build LLVM with FFI disabled

swananan · swananan · commit deab10405547 · 2025-10-15T08:05:31.000+08:00
diff --git a/.github/workflows/base-image.yml b/.github/workflows/base-image.yml
@@ -0,0 +1,53 @@
+name: Build Base Image
+
+on:
+  workflow_dispatch:
+  push:
+    paths:
+      - Dockerfile
+      - .github/workflows/base-image.yml
+
+permissions:
+  contents: read
+  packages: write
+
+jobs:
+  build-and-push:
+    runs-on: ubuntu-22.04
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v3
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Login to GHCR
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Docker metadata
+        id: meta
+        uses: docker/metadata-action@v5
+        with:
+          images: ghcr.io/swananan/ghostscope-build
+          tags: |
+            type=raw,value=ubuntu20.04-llvm18.1.8
+            type=sha
+
+      - name: Build and push
+        uses: docker/build-push-action@v6
+        with:
+          context: .
+          file: Dockerfile
+          push: true
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
+          platforms: linux/amd64
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
+
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -8,43 +8,57 @@ on:
 
 jobs:
   build:
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-22.04
 
     steps:
     - uses: actions/checkout@v4
 
-    - name: Install LLVM 18 and dependencies
+    - name: Select base image (GHCR or local fallback)
       run: |
-        wget -O - https://apt.llvm.org/llvm-snapshot.gpg.key | sudo apt-key add -
-        sudo add-apt-repository "deb http://apt.llvm.org/focal/ llvm-toolchain-focal-18 main"
-        sudo apt-get update
-        sudo apt-get install -y \
-          llvm-18 llvm-18-dev llvm-18-runtime \
-          clang-18 libclang-18-dev \
-          libpolly-18-dev \
-          libzstd-dev zlib1g-dev libtinfo-dev libxml2-dev
-
-    - name: Install Rust
-      uses: dtolnay/rust-toolchain@stable
-
-    - name: Set LLVM environment
+        set -euo pipefail
+        IMAGE="ghcr.io/swananan/ghostscope-build:ubuntu20.04-llvm18.1.8"
+        if docker pull "$IMAGE" >/dev/null 2>&1; then
+          echo "Using GHCR base image: $IMAGE"
+          echo "BASE_IMAGE=$IMAGE" >> "$GITHUB_ENV"
+          echo "BASE_IMAGE_FROM=ghcr" >> "$GITHUB_ENV"
+        else
+          echo "GHCR image not found; will build local image."
+          echo "BASE_IMAGE=ghostscope-build" >> "$GITHUB_ENV"
+          echo "BASE_IMAGE_FROM=local" >> "$GITHUB_ENV"
+        fi
+
+    - name: Build container image (Ubuntu 20.04)
+      if: ${{ env.BASE_IMAGE_FROM == 'local' }}
+      run: docker build -t ghostscope-build -f Dockerfile .
+
+    - name: Verify LLVM in container (no libffi)
       run: |
-        echo "LLVM_SYS_181_PREFIX=/usr/lib/llvm-18" >> $GITHUB_ENV
-        echo "/usr/lib/llvm-18/bin" >> $GITHUB_PATH
+        docker run --rm \
+          -v "${{ github.workspace }}:/workspace" \
+          -w /workspace \
+          "${BASE_IMAGE}" bash -lc '
+            echo "llvm-config version:" && llvm-config --version && \
+            echo "Checking libLLVM for libffi dependency (should be none)..." && \
+            (ldd "$(llvm-config --libdir)"/libLLVM* | grep -i ffi && exit 1 || echo "OK: no libffi referenced")
+          '
 
-    - name: Verify LLVM installation
+    - name: Build release inside container
       run: |
-        llvm-config-18 --version
-        llvm-config-18 --prefix
+        docker run --rm \
+          -v "${{ github.workspace }}:/workspace" \
+          -w /workspace \
+          "${BASE_IMAGE}" \
+          bash -lc 'export LLVM_SYS_181_PREFIX=/opt/llvm-18; export LLVM_CONFIG_PATH=/opt/llvm-18/bin/llvm-config; export RUSTFLAGS="-C link-arg=-Wl,--as-needed"; rustup show; llvm-config --version; echo "llvm-config system-libs:"; llvm-config --system-libs; cargo clean; cargo build --release'
 
-    - name: Build release
-      run: cargo build --release
+    - name: glibc version in container
+      run: |
+        docker run --rm -w /workspace \
+          -v "${{ github.workspace }}:/workspace" \
+          "${BASE_IMAGE}" bash -lc 'ldd --version | head -1'
 
     - name: Check glibc dependency
       run: |
-        echo "=== glibc version on build system ==="
-        ldd --version | head -1
-        echo "=== Required glibc versions ==="
+        echo "=== Required glibc versions (from binary) ==="
         objdump -T ./target/release/ghostscope | grep GLIBC | sed 's/.*GLIBC_\([.0-9]*\).*/\1/g' | sort -Vu
         echo "=== Binary info ==="
         file ./target/release/ghostscope
diff --git a/Dockerfile b/Dockerfile
@@ -3,35 +3,102 @@ FROM ubuntu:20.04
 # Avoid interactive prompts during package installation
 ENV DEBIAN_FRONTEND=noninteractive
 
-# Install build dependencies
+# Base build/runtime dependencies
 RUN apt-get update && apt-get install -y \
-    wget \
+    ca-certificates \
     curl \
+    wget \
     git \
+    xz-utils \
+    tar \
+    pkg-config \
     build-essential \
-    software-properties-common \
-    gnupg \
-    lsb-release \
+    ninja-build \
+    python3 \
+    libzstd-dev zlib1g-dev libxml2-dev libffi-dev \
     && rm -rf /var/lib/apt/lists/*
 
-# Install LLVM 18
-RUN wget -O - https://apt.llvm.org/llvm-snapshot.gpg.key | apt-key add - \
-    && add-apt-repository "deb http://apt.llvm.org/focal/ llvm-toolchain-focal-18 main" \
-    && apt-get update \
-    && apt-get install -y \
-        llvm-18 llvm-18-dev llvm-18-runtime \
-        clang-18 libclang-18-dev \
-        libpolly-18-dev \
-        libzstd-dev zlib1g-dev libtinfo-dev libxml2-dev \
-    && rm -rf /var/lib/apt/lists/*
+# Install a modern CMake (>=3.20) from official binary tarball to avoid slow APT mirrors
+ARG CMAKE_VER=3.29.6
+RUN set -eux; \
+    url1="https://cmake.org/files/v${CMAKE_VER%.*}/cmake-${CMAKE_VER}-linux-x86_64.tar.gz"; \
+    url2="https://github.com/Kitware/CMake/releases/download/v${CMAKE_VER}/cmake-${CMAKE_VER}-linux-x86_64.tar.gz"; \
+    echo "Downloading CMake ${CMAKE_VER}..."; \
+    ( \
+      curl -fL --retry 5 --retry-delay 3 --retry-all-errors -o /tmp/cmake.tar.gz "$url1" \
+      || wget -O /tmp/cmake.tar.gz --tries=5 --waitretry=3 --retry-connrefused "$url1" \
+      || curl -fL --retry 5 --retry-delay 3 --retry-all-errors -o /tmp/cmake.tar.gz "$url2" \
+      || wget -O /tmp/cmake.tar.gz --tries=5 --waitretry=3 --retry-connrefused "$url2" \
+    ); \
+    tar -C /opt -xzf /tmp/cmake.tar.gz; \
+    cmake_dir=$(tar -tzf /tmp/cmake.tar.gz | head -1 | cut -f1 -d'/'); \
+    mv "/opt/${cmake_dir}" /opt/cmake; \
+    ln -s /opt/cmake/bin/* /usr/local/bin/; \
+    cmake --version; \
+    rm -f /tmp/cmake.tar.gz
+
+# Build and install LLVM 18.1.x from source with FFI disabled
+# This removes the runtime dependency on libffi while keeping needed targets.
+ARG LLVM_VER=18.1.8
+RUN set -eux; \
+    base_url="https://github.com/llvm/llvm-project/releases/download/llvmorg-${LLVM_VER}"; \
+    tar_xz="llvm-project-${LLVM_VER}.src.tar.xz"; \
+    alt_url="https://codeload.github.com/llvm/llvm-project/tar.xz/refs/tags/llvmorg-${LLVM_VER}"; \
+    echo "Downloading LLVM ${LLVM_VER} source tarball..."; \
+    ( \
+      curl -fL --retry 5 --retry-delay 3 --retry-all-errors -o /tmp/llvm.tar.xz "$base_url/$tar_xz" \
+      || wget -O /tmp/llvm.tar.xz --tries=5 --waitretry=3 --retry-connrefused "$base_url/$tar_xz" \
+      || curl -fL --retry 5 --retry-delay 3 --retry-all-errors -o /tmp/llvm.tar.xz "$alt_url" \
+      || wget -O /tmp/llvm.tar.xz --tries=5 --waitretry=3 --retry-connrefused "$alt_url" \
+    ); \
+    test -s /tmp/llvm.tar.xz; \
+    mkdir -p /tmp/llvm && tar -C /tmp/llvm --strip-components=1 -xf /tmp/llvm.tar.xz; \
+    cmake -G Ninja -S /tmp/llvm/llvm -B /tmp/llvm-build \
+      -DCMAKE_BUILD_TYPE=Release \
+      -DLLVM_ENABLE_PROJECTS=clang \
+      -DLLVM_TARGETS_TO_BUILD="BPF;X86" \
+      -DLLVM_BUILD_LLVM_DYLIB=ON \
+      -DLLVM_LINK_LLVM_DYLIB=ON \
+      -DLLVM_ENABLE_FFI=OFF \
+      -DLLVM_ENABLE_TERMINFO=OFF \
+      -DLLVM_ENABLE_ZLIB=ON \
+      -DLLVM_ENABLE_ZSTD=ON \
+      -DCMAKE_INSTALL_PREFIX=/opt/llvm-18; \
+    ninja -C /tmp/llvm-build install; \
+    # Wrap llvm-config to filter out any stray -lffi from system-libs output
+    if [ -x /opt/llvm-18/bin/llvm-config ]; then \
+      mv /opt/llvm-18/bin/llvm-config /opt/llvm-18/bin/llvm-config.real; \
+      cat > /opt/llvm-18/bin/llvm-config <<'WRAP' ; \
+#!/bin/sh
+REAL="/opt/llvm-18/bin/llvm-config.real"
+# Capture stdout+stderr and original exit status
+OUT="$($REAL "$@" 2>&1)"; RC=$?
+if [ $RC -ne 0 ]; then
+  printf '%s\n' "$OUT" >&2
+  exit $RC
+fi
+# Filter only library flag queries; pass-through otherwise
+case " $* " in
+  *" --system-libs "*|*" --libs "*|*" --ldflags "*)
+    printf '%s\n' "$OUT" | sed -E 's/(^|[[:space:]])-lffi([[:space:]]|$)/\1\2/g'
+    ;;
+  *)
+    printf '%s\n' "$OUT"
+    ;;
+esac
+exit 0
+WRAP
+      chmod +x /opt/llvm-18/bin/llvm-config; \
+    fi; \
+    rm -rf /tmp/llvm /tmp/llvm-build /tmp/llvm.tar.xz
 
 # Install Rust (version specified in rust-toolchain.toml will be used)
 RUN curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y --default-toolchain none
 ENV PATH="/root/.cargo/bin:$PATH"
 
-# Set LLVM environment variable
-ENV LLVM_SYS_181_PREFIX=/usr/lib/llvm-18
-ENV PATH="/usr/lib/llvm-18/bin:$PATH"
+# Expose LLVM to llvm-sys/inkwell
+ENV LLVM_SYS_181_PREFIX=/opt/llvm-18
+ENV PATH="/opt/llvm-18/bin:$PATH"
 
 # Set working directory
 WORKDIR /workspace
