Build manylinux wheels with Zuul

This adds the Zuul playbooks and role to build manylinux wheels for aarch64 and x86_64 (while aarch64 is the primary goal; it's good for the overall code to keep it flexible). It first builds an sdist from the checkout and then builds the wheels in the appropriate containers. Note this adds the jobs in the gate pipeline, which currently responds to Pull Requests, and the release pipeline, which responds to pushes to refs/tags/.* (see [1]). Note for results of jobs run against tags you will need to find the job directly from https://zuul.opendev.org/t/pyca/builds because there is nowhere to report the results as such (it could be configured to send an email). The wheels are published to the wheelhouse/ directory in the Zuul logs, which is also listed as an artifact on the build results page. [1] https://review.opendev.org/748323
pyca · Aug 27, 2020 · d968c3e · d968c3e
1 parent 0b24359
commit d968c3e
Show file tree

Hide file tree

Showing 7 changed files with 245 additions and 1 deletion.
diff --git a/.zuul.d/jobs.yaml b/.zuul.d/jobs.yaml
@@ -2,7 +2,7 @@
     name: pyca-cryptography-base
     abstract: true
     description: Run pyca/cryptography unit testing
-    run: .zuul.playbooks/playbooks/main.yaml
+    run: .zuul.playbooks/playbooks/tox/main.yaml
 
 - job:
     name: pyca-cryptography-ubuntu-focal-py38-arm64
@@ -31,3 +31,38 @@
     nodeset: centos-8-arm64
     vars:
       tox_envlist: py27
+
+- job:
+    name: pyca-cryptography-build-wheel
+    abstract: true
+    run: .zuul.playbooks/playbooks/wheel/main.yaml
+
+- job:
+    name: pyca-cryptography-build-wheel-arm64
+    parent: pyca-cryptography-build-wheel
+    nodeset: ubuntu-bionic-arm64
+    vars:
+      wheel_builds:
+        - platform: manylinux2014_aarch64
+          image: pyca/cryptography-manylinux2014_aarch64
+          pythons:
+            - cp35-cp35m
+
+- job:
+    name: pyca-cryptography-build-wheel-x86_64
+    parent: pyca-cryptography-build-wheel
+    nodeset: ubuntu-bionic
+    vars:
+      wheel_builds:
+        - platform: manylinux1_x86_64
+          image: pyca/cryptography-manylinux1:x86_64
+          pythons:
+            - cp27-cp27m
+            - cp27-cp27mu
+            - cp35-cp35m
+        - platform: manylinux2010_x86_64
+          image: pyca/cryptography-manylinux2010:x86_64
+          pythons:
+            - cp27-cp27m
+            - cp27-cp27mu
+            - cp35-cp35m
diff --git a/.zuul.d/project.yaml b/.zuul.d/project.yaml
@@ -1,7 +1,13 @@
 - project:
     check:
       jobs:
+        - pyca-cryptography-build-wheel-arm64
+        - pyca-cryptography-build-wheel-x86_64
         - pyca-cryptography-ubuntu-focal-py38-arm64
         - pyca-cryptography-ubuntu-bionic-py36-arm64
         - pyca-cryptography-centos-8-py36-arm64
         - pyca-cryptography-centos-8-py27-arm64
+    release:
+      jobs:
+        - pyca-cryptography-build-wheel-arm64
+        - pyca-cryptography-build-wheel-x86_64
diff --git a/.zuul.playbooks/playbooks/main.yaml → .zuul.playbooks/playbooks/tox/main.yaml b/.zuul.playbooks/playbooks/main.yaml → .zuul.playbooks/playbooks/tox/main.yaml
diff --git a/.zuul.playbooks/playbooks/wheel/main.yaml b/.zuul.playbooks/playbooks/wheel/main.yaml
@@ -0,0 +1,6 @@
+- hosts: all
+  tasks:
+
+    - name: Build wheel
+      include_role:
+        name: build-wheel-manylinux
diff --git a/.zuul.playbooks/playbooks/wheel/roles/build-wheel-manylinux/README.rst b/.zuul.playbooks/playbooks/wheel/roles/build-wheel-manylinux/README.rst
@@ -0,0 +1 @@
+Build manylinux wheels for cryptography
diff --git a/.zuul.playbooks/playbooks/wheel/roles/build-wheel-manylinux/files/build-wheels.sh b/.zuul.playbooks/playbooks/wheel/roles/build-wheel-manylinux/files/build-wheels.sh
@@ -0,0 +1,51 @@
+#!/bin/bash -ex
+
+# Compile wheels
+cd /io
+
+mkdir -p wheelhouse.final
+
+for P in ${PYTHONS}; do
+
+    PYBIN=/opt/python/${P}/bin
+
+    "${PYBIN}"/python -m virtualenv .venv
+
+    .venv/bin/pip install cffi six ipaddress "enum34; python_version < '3'"
+
+    REGEX="cp3([0-9])*"
+    if [[ "${PYBIN}" =~ $REGEX ]]; then
+        PY_LIMITED_API="--py-limited-api=cp3${BASH_REMATCH[1]}"
+    fi
+
+    LDFLAGS="-L/opt/pyca/cryptography/openssl/lib" \
+           CFLAGS="-I/opt/pyca/cryptography/openssl/include -Wl,--exclude-libs,ALL" \
+           .venv/bin/python setup.py bdist_wheel $PY_LIMITED_API
+
+    auditwheel repair --plat ${PLAT} -w wheelhouse/ dist/cryptography*.whl
+
+    # Sanity checks
+    # NOTE(ianw) : no execstack on aarch64, comes from
+    # prelink, which was never supported.  CentOS 8 does
+    # have it separate, skip for now.
+    if [[ "${PLAT}" != "manylinux2014_aarch64" ]]; then
+        for f in wheelhouse/*.whl; do
+            unzip $f -d execstack.check
+
+            results=$(execstack execstack.check/cryptography/hazmat/bindings/*.so)
+            count=$(echo "$results" | grep -c '^X' || true)
+            if [ "$count" -ne 0 ]; then
+                exit 1
+            fi
+            rm -rf execstack.check
+        done
+    fi
+
+    .venv/bin/pip install cryptography --no-index -f wheelhouse/
+    .venv/bin/python -c "from cryptography.hazmat.backends.openssl.backend import backend;print('Loaded: ' + backend.openssl_version_text());print('Linked Against: ' + backend._ffi.string(backend._lib.OPENSSL_VERSION_TEXT).decode('ascii'))"
+
+    # Cleanup
+    mv wheelhouse/* wheelhouse.final
+    rm -rf .venv dist wheelhouse
+
+done
diff --git a/.zuul.playbooks/playbooks/wheel/roles/build-wheel-manylinux/tasks/main.yaml b/.zuul.playbooks/playbooks/wheel/roles/build-wheel-manylinux/tasks/main.yaml
@@ -0,0 +1,145 @@
+# Wheel builds is a list of dicts, with keys
+#
+#  platform: the manylinux platform name
+#  image: the docker image to build in
+#  pythons: list of pythons in the image to build wheels for
+- name: Sanity check build list
+  assert:
+    that: wheel_builds is defined
+
+- name: Ensure pip installed
+  include_role:
+    name: ensure-pip
+
+- name: Run ensure-docker
+  include_role:
+    name: ensure-docker
+
+- name: Workaround Linaro aarch64 cloud MTU issues
+  # NOTE(ianw) : Docker default networking, the Linaro NAT setup and
+  # *insert random things here* cause PMTU issues, resulting in hung
+  # connections, particularly to fastly CDN (particularly annoying
+  # because pypi and pythonhosted live behind that).  Can remove after
+  # upstream changes merge, or we otherwise find a solution in the
+  # upstream cloud.
+  #  https://review.opendev.org/747062
+  #  https://review.opendev.org/746833
+  #  https://review.opendev.org/747064
+  when: ansible_architecture == 'aarch64'
+  block:
+    - name: Install jq
+      package:
+        name: jq
+        state: present
+      become: yes
+
+    - name: Reset docker MTU
+      shell: |
+          jq --arg mtu 1400 '. + {mtu: $mtu|tonumber}' /etc/docker/daemon.json > /etc/docker/daemon.json.new
+          cat /etc/docker/daemon.json.new
+          mv /etc/docker/daemon.json.new /etc/docker/daemon.json
+          service docker restart
+      become: yes
+
+# We build an sdist of the checkout, and then build wheels from the
+# sdist.  This ensures that nothing is left out of the sdist.
+- name: Install sdist required packages
+  package:
+    name:
+      - build-essential
+      - libssl-dev
+      - libffi-dev
+      - python3-dev
+  become: yes
+  when: ansible_distribution in ['Debian', 'Ubuntu']
+
+- name: Create sdist
+  command: |
+    python3 setup.py sdist
+  args:
+    chdir: '{{ ansible_user_dir }}/{{ zuul.project.src_dir }}'
+
+- name: Find output file
+  find:
+    paths: '{{ ansible_user_dir }}/{{ zuul.project.src_dir }}/dist'
+    file_type: file
+    patterns: "*.tar.gz"
+  register: _sdist
+
+- assert:
+    that:
+      - _sdist.matched == 1
+
+- name: Create a build area
+  file:
+    path: '{{ ansible_user_dir }}/build'
+    state: directory
+
+- name: Create build area from sdist
+  unarchive:
+    src: '{{ _sdist.files[0].path }}'
+    dest: '{{ ansible_user_dir }}/build'
+    remote_src: yes
+
+- name: Find cryptography subdir from sdist build dir
+  set_fact:
+    _build_dir: "{{ ansible_user_dir }}/build/{{ _sdist.files[0].path | basename | replace('.tar.gz', '') }}"
+
+- name: Show _build_dir
+  debug:
+    var: _build_dir
+
+- name: Install build script
+  copy:
+    src: build-wheels.sh
+    dest: '{{ _build_dir }}'
+    mode: 0755
+
+- name: Pre-pull containers
+  command: >-
+    docker pull {{ item.image }}
+  become: yes
+  loop: '{{ wheel_builds }}'
+
+- name: Run builds
+  command: |
+    docker run --rm \
+      -e PLAT={{ item.platform }} \
+      -e PYTHONS="{{ item.pythons | join(' ') }}" \
+      -v {{ _build_dir }}:/io \
+      {{ item.image }} \
+      /io/build-wheels.sh
+  become: yes
+  loop: '{{ wheel_builds }}'
+
+- name: Copy sdist to output
+  synchronize:
+    src: '{{ _sdist.files[0].path }}'
+    dest: '{{ zuul.executor.log_root }}'
+    mode: pull
+
+- name: Return sdist artifact
+  zuul_return:
+    data:
+      zuul:
+        artifacts:
+          - name: '{{ _sdist.files[0].path | basename }}'
+            url: 'sdist/{{ _sdist.files[0].path }}'
+            metadata:
+              type: sdist
+
+- name: Copy wheels to output
+  synchronize:
+    src: '{{ _build_dir }}/wheelhouse.final/'
+    dest: '{{ zuul.executor.log_root }}/wheelhouse'
+    mode: pull
+
+- name: Return wheelhouse artifact
+  zuul_return:
+    data:
+      zuul:
+        artifacts:
+          - name: "Wheelhouse"
+            url: "wheelhouse"
+            metadata:
+              type: wheelhouse