Provide official debian and RPM packages

[codefromthecrypt]

Title: Provide official debian and RPM packages

Description:
Right now, everything on the website mentioning "getenvoy" can be removed without breaking people.. except debian and RPM packages.

Can you please host official debian and RPM packages? Seems they can be built from the same binaries used to make docker images similar to #16830

Once this is done, hopefully there's no need for confusion anymore as getenvoy's build and packaging pipeline can quietly turn off.

Relevant Links:
#16830

[codefromthecrypt]

cc @phlax I did a recursive grep and basically this is the last thing people can't do properly upstream.

[phlax]

im very +1 to this - and ultimately would like to create a "request to package" with debian - it really feels like envoy would be incredibly useful to end users to just be able to apt-get install (or rh equiv)

in the interim i would be very happy to create the packaging for us to host these ourselves

...and the necessary deb repo

[phlax]

im wondering about using bazel for this - looks like a reasonable approach - although at least for debian its not clear if source packages are supoorted

in terms of prior art - tetrate's packaging is here https://github.com/tetratelabs/getenvoy-package/blob/master/envoy_pkg/packages/getenvoy_package.bzl

[snowp]

I think in the past there has been some resistance towards hosting/distributing binaries (c.f. #9006 (comment)), but we could always revisit that decision.

@envoyproxy/maintainers for visibility

[phlax]

I think in the past there has been some resistance towards hosting/distributing binaries (c.f. #9006 (comment)), but we could always revisit that decision.

i think that because getenvoy are no longer going to host binaries this role is shifting to CNCF

[snowp]

Talked offline, seems like we've got resources allocated for this so no more complaints from me :)

[jpeach]

FYI https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=987544

[cjonesdialpad]

Can we please get an update on this?

[phlax]

weird i thought i commented earlier - seems not

we currently publish debs to our release page

when i find some time i will add an apt repo to make those available via apt install

there are no current plans to publish rpms

[phlax]

as commented previously, these are statically compiled binaries - the same binaries that are available in the docker container and for direct download from the release page, just with deb packaging

[sivatarunp]

Why cant we use these packages from the github releases?
https://github.com/envoyproxy/envoy/releases/download/v1.30.1/envoy-1.30.1-linux-x86_64 ?

[phlax]

Why cant we use these packages from the github releases?

you can - but you cant install them with dpkg/apt

[codefromthecrypt]

@phlax maybe this issue can be closed with docs

• no plans to publish deb or rpm from canonical repos
• platforms supported on release page
• how to install deb from release page
• rpm will not be released

reason is that this issue will continue to accumulate comments otherwise and I dont see any resolution besides what has been commented.

what do you think?

[sivatarunp]

@phlax There are lot of dependency issues rising when we use the releases binary. wrt gnu library for various linux versions

./envoy: /lib64/libm.so.6: version `GLIBC_2.27' not found (required by ./envoy)
./envoy: /lib64/libm.so.6: version `GLIBC_2.29' not found (required by ./envoy)
./envoy: /lib64/libpthread.so.0: version `GLIBC_2.30' not found (required by ./envoy)
./envoy: /lib64/libc.so.6: version `GLIBC_2.28' not found (required by ./envoy)

[phlax]

@codefromthecrypt would be happy to review a docs PR

this bit is incorrect tho

no plans to publish deb or rpm from canonical repos

there is a plan to publish a deb/apt repo, its just not that high priority right now

[phlax]

@sivatarunp you need to use a sufficiently new enough distro that has a compatible glibc

[codefromthecrypt]

there is a plan to publish a deb/apt repo, its just not that high priority right now

@phlax so I guess we should keep this open then, as I don't expect much value in creating another issue as "official" sort of means canonical. Thanks for the input!

[phlax]

headsup that apt.envoyproxy.io is now live

we dont have rpm support atm, but if that was of interest to anyone i would be happy to assist/review

[matihost]

headsup that apt.envoyproxy.io is now live

please add support to the latest Ubuntu LTS (noble)

[phlax]

the main reason for not adding more distro/versions is that it takes quite a lot of CI time to test

that said i have a vague plan to only test the earliest supported version of each distro as this would still test the deb publishing architecture and would catch incompatible glibc versions

in the meantime @matihost you can almost certainly just use the latest ubuntu that we do currently support - atm, its the same statically compiled binaries in each

[GhostLyrics]

hey @phlax!

Which strategy did you have in mind for packages in the repo?

• one version of the binary in the repo or
• all versions (including historical ones that aren't latest)

I ask because this makes a difference for people who pin and request to install specific versions via configuration management (e.g. Ansible).

[phlax]

Which strategy did you have in mind for packages in the repo?

im not sure im following exactly

we dont keep any binaries in the (Envoy) repo - the binaries are produced as part of the release process, the apt repo requests a list of supported versions from Envoy main and then constructs the apt repo from that by pulling in the released packages

... i have a vague plan ...

as part of our normal push/pr CI we build and test the deb packages - atm we do it for all of the supported distros - this suggestion was more about just testing the earliest version of each distro rather than all (atm that would be bullseye and focal)

[GhostLyrics]

When maintaining a package repository for a Debian-like, you can generally use two approaches:

1. Only the latest version of a package stays in the repository. Debian itself does this. If other versions of a package are available, it will be because a user has configured multiple sources (e.g. a higher version of the same package may come in via the Debian Security repo)
2. All historical versions of a package stay available. Old ones are not purged when publishing a new one, allowing to request e.g. envoy=1.2.3 during installation and getting exactly that one, despite it not being the latest. (e.g. GitLab does this, see below)

apt-cache policy gitlab-ee
gitlab-ee:
  Installed: (none)
  Candidate: 17.3.2-ee.0
  Version table:
     17.3.2-ee.0 500
        500 https://packages.gitlab.com/gitlab/gitlab-ee/debian bullseye/main arm64 Packages
     17.3.1-ee.0 500
        500 https://packages.gitlab.com/gitlab/gitlab-ee/debian bullseye/main arm64 Packages
     17.3.0-ee.0 500
        500 https://packages.gitlab.com/gitlab/gitlab-ee/debian bullseye/main arm64 Packages
     17.2.5-ee.0 500
        500 https://packages.gitlab.com/gitlab/gitlab-ee/debian bullseye/main arm64 Packages
...

Given these, I was wondering what you had in mind for the envoy repo.

[phlax]

ah - i see - i did ponder this, but didnt come to any firm conclusion

atm - there is no cycling of old versions - all are present - see these:

• https://apt.envoyproxy.io/pool/main/e/envoy/
• https://apt.envoyproxy.io/pool/main/e/envoy-1.28/

relatedly im wondering whether to keep no longer supported branches around - ie whether to delete 1.28 when it goes EOL (in ~4 weeks)

open to suggestions on this - even better PRs (repo is here for ref https://github.com/envoyproxy/apt)

[matihost]

in the meantime @matihost you can almost certainly just use the latest ubuntu that we do currently support - atm, its the same statically compiled binaries in each

Yes, i can confirm that envoy package from jammy works on Ubuntu noble (24.04).

[psvmcc]

Hi, maybe use single repo like vector did? Without building for each distro, only for package system.

[phlax]

... use single repo ...

not sure tbh

firstly i dont want to add a script-from-interwebs-that-needs-root.sh

then also i think the debian/ubuntu versions are significant - the currently statically compiled bin doesnt work with pre-bookworm (iirc) - so we do want to make these distro versions explicit

[GhostLyrics]

the currently statically compiled bin doesnt work with pre-bookworm
so we do want to make these distro versions explicit

In this case you already have exactly what's recommended.

---

I would, however, strongly advise against unpublishing packages. With a single exception - the content of the package being so broken that it doesn't start or destroys data - you should not unpublish software releases. In any other cases a SemVer patch-level release or similar should suffice.
Unpublishing often leads to immense breakage amongst your users.

For example:

• if someone installs a specific version in their CI → you just broke their builds
• if someone asks for a specific version in their configuration management (e.g. Ansible, Puppet) → you just broke their playbook

I strongly recommend to only ever unpublish if that specific release actively harms its users. If you are pressed for disk space, consider unpublishing things that are older than 3 years, but I hesitate to even suggest that.

<personal, subjective opinion here> It's really not your responsibility whether envoy users use a version that no longer officially receives any support. It's theirs - as long as you have documented what is supported at this moment and what isn't. </end of opinion>

[phlax]

I would, however, strongly advise against unpublishing packages. With a single exception - the content of the package being so broken that it doesn't start or destroys data - you should not unpublish software releases. In any other cases a SemVer patch-level release or similar should suffice.
Unpublishing often leads to immense breakage amongst your users.

in general i would agree - however - in this case my concern is that once these minor branches - eg 1.28 - go EOL they are no longer supported with patch updates

this usually means there are known/published vulnerabilities with these versions so im not entirely clear whether we want to distribute vulnerable warez

... only ever unpublish if that specific release actively harms its users ...

well, that is arguably the case

[GhostLyrics]

I see that you're trying to mix your security strategy into your availability here. I'm a bit conflicted about that, but if you insist there's also an already working example of solving that. Debian and Ubuntu do that for their outdated releases by moving them from the regular repository into a dedicated archival one (see example).

Both use slightly different terminology, like this:

- deb http://deb.debian.org/debian CODENAME main
+ deb http://archive.debian.org/debian CODENAME main

- deb http://archive.ubuntu.com/ubuntu/ CODENAME main
+ deb http://old-releases.ubuntu.com/ubuntu/ CODENAME main

That repository (likely) has less bandwidth and is not enabled by default anywhere. Users that manually choose to use it know they are getting outdated things and unsupported things but they know the releases stay there for archival reasons.

I you'd like to make things very explicit you could use unsupported-apt.envoyproxy.io or outdated-apt.envoyproxy.io, for example. Not as pretty as archive but certainly makes it very clear what you're getting.

[phlax]

yeah - i considered adding a unsupported apt repo/s

it would need to live under apt.envoyproxy.io tho as adding dns and/or maintaining a separate site would be non-trivial

im open to PRs to address this - the current setup wont delete anything as it stands

[GhostLyrics]

the current setup wont delete anything as it stands

Glad to hear it!

---

If you don't want to use a subdomain for the archive repo, you could use the components field of the spec.

cat debian.sources

Types: deb
# http://snapshot.debian.org/archive/debian/20240722T000000Z
URIs: http://deb.debian.org/debian
Suites: bookworm bookworm-updates
Components: main <================================================= this
Signed-By: /usr/share/keyrings/debian-archive-keyring.gpg

If users then want to activate it, they would change:

...
- deb[signed-by=/etc/apt/keyrings/envoy-keyring.gpg] https://apt.envoyproxy.io bookworm main
+ deb[signed-by=/etc/apt/keyrings/envoy-keyring.gpg] https://apt.envoyproxy.io bookworm main unsupported 
...

It would require some more configuration of your aptly repo.

[phlax]

would it not be possible to just add a directory unsupported and move everything under that - so users do

deb[signed-by=/etc/apt/keyrings/envoy-keyring.gpg] `https://apt.envoyproxy.io/unsupported bookworm main 

it might require some path mangling to work - not sure if it would at all

trying to think of a setup that requires minimal maintenance/complexity

i like the idea that users have to add unsupported somewhere to continue using the repo for old versions tho

[GhostLyrics]

would it not be possible to just add a directory unsupported and move everything under that

This has the same effect as what I suggested but it's less clean.

trying to think of a setup that requires minimal maintenance/complexity

If you tell me what you think will bring a maintenance burden, it's easier for me to suggest things. Specifically I think you could:

• publish to both repositories
• unpublish what you no longer want from the regular one

Is this super clean? No, because you'll also have supported packages in unsupported for some time, but the only manual task left here would be periodically unpublishing releases you no longer want from the main one.

[phlax]

by low maintenance im meaning

• doesnt require any intervention - ie automated
• doesnt add a lot of CI time - fs sizes are an issue here

tbh - the complexity issue is probs just as important, if not more

not really seeing why using a subdir is "less clean" - mho is that its more explicit - but as said above - open to PRs

on that note - we should probably be having conversations like this in the apt repo itself so future selves can see them

[phlax]

envoyproxy/apt#23