[work in progress] build manylinux2014_aarch64 wheels

Testing at this stage

.zuul.d/jobs.yaml

@@ -2,7 +2,7 @@
     name: pyca-cryptography-base
     abstract: true
     description: Run pyca/cryptography unit testing
-    run: .zuul.playbooks/playbooks/main.yaml
+    run: .zuul.playbooks/playbooks/tox/main.yaml
 
 - job:
     name: pyca-cryptography-ubuntu-focal-py38-arm64
@@ -31,3 +31,8 @@
     nodeset: centos-8-arm64
     vars:
       tox_envlist: py27
+
+- job:
+    name: pyca-cryptography-build-wheel
+    nodeset: ubuntu-bionic-arm64
+    run: .zuul.playbooks/playbooks/wheel/main.yaml

.zuul.d/project.yaml

@@ -1,6 +1,7 @@
 - project:
     check:
       jobs:
+        - pyca-cryptography-build-wheel
         - pyca-cryptography-ubuntu-focal-py38-arm64
         - pyca-cryptography-ubuntu-bionic-py36-arm64
         - pyca-cryptography-centos-8-py36-arm64

.zuul.playbooks/playbooks/wheel/main.yaml

@@ -0,0 +1,6 @@
+- hosts: all
+  tasks:
+
+    - name: Build wheel
+      include_role:
+        name: build-wheel-manylinux

.zuul.playbooks/playbooks/wheel/roles/build-wheel-manylinux/README.rst

@@ -0,0 +1,4 @@
+Build manylinux wheel for a project
+===================================
+
+Blah

.zuul.playbooks/playbooks/wheel/roles/build-wheel-manylinux/files/build-wheels.sh

@@ -0,0 +1,48 @@
+#!/bin/bash -ex
+# Compile wheels
+
+cd /io
+mkdir wheelhouse.final
+
+PYBINS="/opt/python/cp35-cp35m/bin"
+
+for PYBIN in $PYBINS; do
+
+    "${PYBIN}"/python -m virtualenv .venv
+
+    .venv/bin/pip install cffi six ipaddress "enum34; python_version < '3'"
+
+    REGEX="cp3([0-9])*"
+    if [[ "${PYBIN}" =~ $REGEX ]]; then
+        PY_LIMITED_API="--py-limited-api=cp3${BASH_REMATCH[1]}"
+    fi
+
+    LDFLAGS="-L/opt/pyca/cryptography/openssl/lib" \
+           CFLAGS="-I/opt/pyca/cryptography/openssl/include -Wl,--exclude-libs,ALL" \
+           .venv/bin/python setup.py bdist_wheel $PY_LIMITED_API
+
+    auditwheel repair --plat manylinux2014_aarch64 dist/cryptography*.whl -w wheelhouse/
+
+    # Sanity checks
+
+    # no execstack (comes from prelink, which was never supported) on aarch64
+
+    #unzip wheelhouse/*.whl -d execstack.check
+    #
+    #results=$(execstack execstack.check/cryptography/hazmat/bindings/*.so)
+    #count=$(echo "$results" | grep -c '^X' || true)
+    #if [ "$count" -ne 0 ]; then
+    #    exit 1
+    #else
+    #    exit 0
+    #fi
+
+    .venv/bin/pip install cyrptography --no-index -f wheelhouse/
+
+    .venv/bin/python -c "from cryptography.hazmat.backends.openssl.backend import backend;print('Loaded: ' + backend.openssl_version_text());print('Linked Against: ' + backend._ffi.string(backend._lib.OPENSSL_VERSION_TEXT).decode('ascii'))"
+
+    mv wheelhouse/* wheelhouse.final
+
+    rm -rf .venv execstack.check dist wheelhouse
+
+done

.zuul.playbooks/playbooks/wheel/roles/build-wheel-manylinux/tasks/main.yaml

@@ -0,0 +1,117 @@
+- name: Install jq
+  package:
+    name: jq
+    state: present
+  become: yes
+
+- name: Run ensure-docker
+  include_role:
+    name: ensure-docker
+
+- name: HACK for linaro MTU
+  shell: |
+      jq --arg mtu 1400 '. + {mtu: $mtu|tonumber}' /etc/docker/daemon.json > /etc/docker/daemon.json.new
+      cat /etc/docker/daemon.json.new
+      mv /etc/docker/daemon.json.new /etc/docker/daemon.json
+      service docker restart
+  become: yes
+
+- name: Pull manylinux container
+  command: >-
+    docker pull iwienand/pyca-cryptography-manylinux2014_aarch64
+  become: yes
+
+- name: Ensure pip installed
+  include_role:
+    name: ensure-pip
+
+# TODO(ianw) : move this into a common role
+- name: Install required packages
+  package:
+    name:
+      - build-essential
+      - libssl-dev
+      - libffi-dev
+      - python3-dev
+  become: yes
+  when: ansible_distribution in ['Debian', 'Ubuntu']
+
+# Build from sdist to avoid PEP517 issues
+- name: Create sdist
+  command: |
+    python3 setup.py sdist
+  args:
+    chdir: '{{ ansible_user_dir }}/{{ zuul.project.src_dir }}'
+
+- name: Find output file
+  find:
+    paths: '{{ ansible_user_dir }}/{{ zuul.project.src_dir }}/dist'
+    file_type: file
+    patterns: "*.tar.gz"
+  register: _sdist
+
+- assert:
+    that:
+      - _sdist.matched == 1
+
+- name: Create a build directory for sdist extract
+  file:
+    path: '{{ ansible_user_dir }}/build'
+    state: directory
+
+- name: Create build repo from sdist
+  unarchive:
+    src: '{{ _sdist.files[0].path }}'
+    dest: '{{ ansible_user_dir }}/build'
+    remote_src: yes
+
+- name: Find cryptography from sdist build dir
+  set_fact:
+    _build_dir: "{{ ansible_user_dir }}/build/{{ _sdist.files[0].path | basename | replace('.tar.gz', '') }}"
+
+- name: Show _build_dir
+  debug:
+    var: _build_dir
+
+- name: Install build script
+  copy:
+    src: build-wheels.sh
+    dest: '{{ _build_dir }}'
+    mode: 0755
+
+- name: Run build
+  command: >-
+    docker run --rm -e PLAT=manylinux2014_aarch64 -v {{ _build_dir }}:/io iwienand/pyca-cryptography-manylinux2014_aarch64  /io/build-wheels.sh
+  become: yes
+
+- name: Copy sdist
+  synchronize:
+    src: '{{ _sdist.files[0].path }}'
+    dest: '{{ zuul.executor.log_root }}'
+    mode: pull
+
+- name: Return wheelhouse artifact
+  zuul_return:
+    data:
+      zuul:
+        artifacts:
+          - name: '{{ _sdist.files[0].path | basename }}'
+            url: 'sdist/{{ _sdist.files[0].path }}'
+            metadata:
+              type: sdist
+
+- name: Copy wheels
+  synchronize:
+    src: '{{ _build_dir }}/wheelhouse.final/'
+    dest: '{{ zuul.executor.log_root }}/wheelhouse'
+    mode: pull
+
+- name: Return wheelhouse artifact
+  zuul_return:
+    data:
+      zuul:
+        artifacts:
+          - name: "Wheelhouse"
+            url: "wheelhouse"
+            metadata:
+              type: wheelhouse