tools/7z: Allow building on alpine

[oliv3r]

When using alpine as host, things start to fail. Lets pull in the upstream alpine patches to make things work. This should not affect other hosts.

Note, that Alpine has the '_GNU_SOURCE' define in the APKBUILD file, but here we add this flag to the needed fix flags patch, which does similar things too.

[Ansuel]

@oliv3r did you actually manage to build a full image? For me it was a total fail

[oliv3r]

Hey @Ansuel

It was the only way, as otherwise I was getting cpu_type_t or some such errors. So why did I go down this lane?

For some reason, my build environment was borked, spanning a faked process, consuming 100% and causing my build to be single threaded, taking 30 minutes. On top of that, the resulting image failed to actually work, when starting init, I was getting 'attempted to kill init' panic. Which was super weird. The kernel booted fine in itself (which is where I do most of my work).

Having tried many things (pulling newer openwrtorg docker containers, make distclean, manually rm -rf everything) something must have been kept somehere, causing this error.

So I figured, Lets try building with an alpine container.

Alpine docker container

FROM docker.io/alpine:latest

ENV GCC_COLORS='error=01;31:warning=01;35:note=01;36:caret=01;32:locus=01:quote=01'
WORKDIR /workdir

RUN apk add --no-cache \
    'argp-standalone' \
    'asciidoc' \
    'bash' \
    'bc' \
    'binutils' \
    'bzip2' \
    'cdrkit' \
    'coreutils' \
    'diffutils' \
    'elfutils-dev' \
    'findutils' \
    'flex' \
    'g++' \
    'gawk' \
    'gcc' \
    'gettext' \
    'git' \
    'grep' \
    'gzip' \
    'intltool' \
    'libxslt' \
    'linux-headers' \
    'make' \
    'musl-fts-dev' \
    'musl-libintl' \
    'musl-obstack-dev' \
    'ncurses-dev' \
    'openssl-dev' \
    'patch' \
    'perl' \
    'python3-dev' \
    'rsync' \
    'tar' \
    'unzip' \
    'util-linux' \
    'wget' \
    'zlib-dev' \
  && \
  ln -s '/usr/lib/libncurses.so' '/usr/lib/libtinfo.so' && \
  addgroup 'buildbot' && \
  adduser -s '/bin/bash' -G 'buildbot' -D 'buildbot'

USER buildbot

And a new git worktree (ergo, all any any files will be gone).
docker run --rm -it -v $(pwd):/workdir openwrt:dev make -j10 V=sc
is how i do my build (technically i start it with bash, and keep it open)

Without that 7z patch, 7zip refuses to build, for the same reasons that the alpine guys have added these patches.

It might not work on non-musl distro's of course (debian) which would suck :(

Also, since I'm on the realtec target, 7z is a hard dependency, as some images use it.
Btw, why can we not just use the hosts 7z package ... Guess that's a more fundamental openwrt choice I suppose :)

[hauke]

Did you test that it still works fine on systems with glibc?

[oliv3r]

Did you test that it still works fine on systems with glibc?

It seemed to work; but probably not then :) though the changes don't see to invasive? But yeah, we'd have to look at that.

But for whatever reason that I still don't understand (related to faked) I can't build glibc based systems reliably :S

[neheb]

make tools/7z/{clean,refresh}

[oliv3r]

So it's failing for me too; however, only because it cannot download the actual source code; which doesn't seem to relate to my changes?

fail log

/workdir/scripts/download.pl "/workdir/dl" "7z2201-src.tar.xz" "393098730c70042392af808917e765945dc2437dee7aae3cfcc4966eb920fbc5" "" "https://7-zip.org/a/"    
+ wget --tries=5 --timeout=20 --output-document=- https://7-zip.org/a/7z2201-src.tar.xz
--2023-02-20 13:04:55--  https://7-zip.org/a/7z2201-src.tar.xz
Resolving 7-zip.org (7-zip.org)... 49.12.202.237
Connecting to 7-zip.org (7-zip.org)|49.12.202.237|:443... connected.
ERROR: The certificate of '7-zip.org' is not trusted.
ERROR: The certificate of '7-zip.org' doesn't have a known issuer.
Download failed.
+ wget --tries=5 --timeout=20 --output-document=- https://sources.cdn.openwrt.org/7z2201-src.tar.xz
--2023-02-20 13:04:55--  https://sources.cdn.openwrt.org/7z2201-src.tar.xz
Resolving sources.cdn.openwrt.org (sources.cdn.openwrt.org)... 151.101.130.132, 151.101.66.132, 151.101.2.132, ...
Connecting to sources.cdn.openwrt.org (sources.cdn.openwrt.org)|151.101.130.132|:443... connected.
ERROR: The certificate of 'sources.cdn.openwrt.org' is not trusted.
ERROR: The certificate of 'sources.cdn.openwrt.org' doesn't have a known issuer.
Download failed.
+ wget --tries=5 --timeout=20 --output-document=- https://sources.openwrt.org/7z2201-src.tar.xz
--2023-02-20 13:04:55--  https://sources.openwrt.org/7z2201-src.tar.xz
Resolving sources.openwrt.org (sources.openwrt.org)... 148.251.151.136, 2a01:4f8:210:5087::2
Connecting to sources.openwrt.org (sources.openwrt.org)|148.251.151.136|:443... connected.
ERROR: The certificate of 'sources.openwrt.org' is not trusted.
ERROR: The certificate of 'sources.openwrt.org' doesn't have a known issuer.
Download failed.
+ wget --tries=5 --timeout=20 --output-document=- https://mirror2.openwrt.org/sources/7z2201-src.tar.xz
--2023-02-20 13:04:55--  https://mirror2.openwrt.org/sources/7z2201-src.tar.xz
Resolving mirror2.openwrt.org (mirror2.openwrt.org)... 46.4.11.11, 2a01:4f8:221:3d45::2
Connecting to mirror2.openwrt.org (mirror2.openwrt.org)|46.4.11.11|:443... connected.
ERROR: The certificate of 'mirror2.openwrt.org' is not trusted.
ERROR: The certificate of 'mirror2.openwrt.org' doesn't have a known issuer.
Download failed.
No more mirrors to try - giving up.

I used the following debian container

Docker debian

FROM docker.io/debian:stable-slim

ENV GCC_COLORS='error=01;31:warning=01;35:note=01;36:caret=01;32:locus=01:quote=01'
WORKDIR /workdir

RUN apt-get update && apt-get install --no-install-recommends --no-install-suggests --yes \
    'build-essential' \
    'ca-certificates' \
    'clang' \
    'flex' \
    'bison' \
    'g++' \
    'gawk' \
    'gcc-multilib' \
    'gettext' \
    'git' \
    'libncurses5-dev' \
    'libssl-dev' \
    'python3-distutils' \
    'rsync' \
    'unzip' \
    'zlib1g-dev' \
    'file' \
    'wget' \
  && \
  rm -f -r '/var/lib/apt/' && \
  rm -f -r '/var/cache/apt/' && \
  useradd -m -s '/bin/bash' -U 'buildbot'

USER buildbot

[Entropy512]

@oliv3r By any chance, are you on a corporate network with a MITM proxy/firewall such as a Fortigate?

If so, you'll likely find that Docker containers need your company's private CA certs injected into them or they'll do exactly this because they're choking on the Fortigate (or similar MITM monitoring proxy). I have yet to find any way to automagically have Docker containers use the host CA cert store.

[oliv3r]

@oliv3r By any chance, are you on a corporate network with a MITM proxy/firewall such as a Fortigate?

If so, you'll likely find that Docker containers need your company's private CA certs injected into them or they'll do exactly this because they're choking on the Fortigate (or similar MITM monitoring proxy). I have yet to find any way to automagically have Docker containers use the host CA cert store.

Huh what? nah, this is a plain old ISP fiber connection, with a very open ISP (Can even run mail servers on port 25) without any firewall. Besides, I've been building openwrt and deps for months now, and it worked a few days ago on my alpine container. I'll try again though :)

edit: So it's much more logical then that, I didn't have ca-certificates installed :) now I get @Ansuel 's build failure and can troubleshoot that.

[oliv3r]

@Ansuel how was it exploding for you? With the previously linked debian container (its updated with ca-certificates) :p it works 'just fine'?

touch /workdir/build_dir/host/7z-22.01/.built
install -d -m0755 /workdir/staging_dir/host/bin
install -m0755 /workdir/build_dir/host/7z-22.01/CPP/7zip/Bundles/Alone7z/_o/7zr /workdir/staging_dir/host/bin/7zr
mkdir -p /workdir/staging_dir/host/stamp
touch /workdir/build_dir/host/7z-22.01/.built
touch /workdir/staging_dir/host/stamp/.7z_installed
make[2]: Leaving directory '/workdir/tools/7z'
time: tools/7z/compile#19.22#4.20#23.58
make[1]: Leaving directory '/workdir'

@neheb so it took me a while to figure out that this 'quiltifies' the patch :p First it was just erroring out, with some quilt error, so I went through the quilt dance, just to find out it's not perfectly quilt formatted. Quilt needs to be improved a bit and be less 'special snowflake' and more like 'this is what diff generates and be happy with some of it' :p (though I understand some of the reasons ...).

@hauke as per log, builds just fine, seems to run just fine as well.

[oliv3r]

@Ansuel @hauke I just did a clean rebulid of the debian container, including a clean worktree, so basically, starting from 100% scratch. The tree I used is my own, which includes all the realtek changes, but rebased ontop of master.

Works fine, no problems (except for those pesky faked that keep ruining my day by taking hours :p)

[oliv3r]

@Ansuel @hauke ping :)

[hauke]

This change will deactivate the pthread_attr_setaffinity_np feature also on glibc builds.

I do not think this call is important.

[oliv3r]

but that's then still a performance aspect only? @hauke Do you happen to know a nice define we can throw in there? Something that would always be set on glibc?

Thinking a bit more about it, the impact should be tiny. It only affects the host. The CI is unlikely to use it, as those are restricted often on resources anyway. The scripts don't specify multiple thread usage, and we're talking about image generation, which is 4 - 16MiB files. So IF multi-threaded operation is requested, we miss out the option to set the affinity (which I'm not even sure how we'd do it from the openwrt build system.

Rectifying it can be easily done with a define (once someone has shared one :D but I'm not gonna try to find out, as the impact is likely negligible for our workloads I believe.

[oliv3r]

@hauke @Ansuel ping? Any thoughts/changes?