Add multi-architecture (amd64 & arm64) builds #8389
Conversation
- Added TARGETPLATFORM argument to Containerfile for architecture-specific builds. - Updated container-build.sh to detect architecture and set appropriate platform. - Modified make-deb.sh to dynamically set the architecture in the .deb package.
|
This PR introduces a breaking change in artifact naming that we should discuss: Current Change:
The Question:Should we maintain backward compatibility by keeping Considerations:Arguments for standardized naming (
Arguments for backward compatibility (
Potential Impact:
Implementation Options:
What's your preference? Will any existing systems be impacted by this naming change? |
There was a problem hiding this comment.
This looks great to me.
I slightly favour moving to standardized naming (amd64). We'll probably need to change a few things internally, but just a few. I think that's worth it.
Between this and #8386, whichever merges last should be modified to (ideally) handle uploading both architectures' images when tagging a release, or at least make sure builds are in amd64 as a temporary quick fix.
tools/container-build.sh
Outdated
| --tag "boulder:${VERSION}-${ARCH}" \ | ||
| --tag "boulder:${VERSION}" \ | ||
| --tag "boulder:${COMMIT_ID}" \ | ||
| --tag boulder \ |
There was a problem hiding this comment.
I didn't give a ton of thought to these tags when we first wrote container-build.sh. Looking at them now it seems that there will be collisions if we start uploading multiple architectures from this script. For instance, for any given version boulder:${VERSION} could be one arch or another.
Probably a single --tag "boulder:${VERSION}-${ARCH}" would suffice and keep things simple. What do you think @jprenken ?
@sheurich I see that you repeat the string "boulder:${VERSION}-${ARCH}" here and on the two docker run commands below. Let's put that into a single TAG env var and use that in each location for consistency.
There was a problem hiding this comment.
Updated this. A follow-on step involving docker buildx imagetools create -t letsencrypt/boulder:${VERSION} letsencrypt/boulder:${VERSION}-amd64 letsencrypt/boulder:${VERSION}-arm64 will be needed to glue the images into a single multi-arch.
tools/make-deb.sh
Outdated
| # Determine architecture - use ARCH env var if set, otherwise detect from uname | ||
| if [ -n "${ARCH:-}" ]; then | ||
| DEB_ARCH="${ARCH}" | ||
| else | ||
| case "$(uname -m)" in | ||
| "x86_64") DEB_ARCH="amd64" ;; | ||
| "aarch64"|"arm64") DEB_ARCH="arm64" ;; | ||
| *) echo "Unsupported architecture: $(uname -m)" && exit 1 ;; | ||
| esac | ||
| fi | ||
|
|
There was a problem hiding this comment.
make-deb.sh is a transitional tool to keep building .debs until we transition to running containers.
I think it's okay to assume $ARCH will always be set, because the only place we call it from is container-build.sh, which sets it.
#8386 just merged, so if possible, let's get that into this PR. Sorry about the hassle! |
|
@jprenken et al I think this last set of changes should address the feedback and adds full multi-arch image builds in ghcr.io. |
|
The comments in the try-release and release workflows indicate a single Go version is used for release and multiple versions are possible for try-release. Is this still correct? I would like to externalize the GO_VERSION to simplify the workflows. If both release and try-release will only need one version, either:
If one or both of the workflows depend on having multiple versions:
The release workflow can enforce a single version by choosing only the first entry if desired. |
This improves the local development experience by providing stable, predictable tags to use for testing, without affecting the architecture-specific tags required by the CI/release process.
Summary
This PR modifies the Boulder build system to support both amd64 and arm64 architectures while defaulting to building only the current host architecture. This enables efficient local development and provides parallel multi-architecture CI builds.
Changes Made
tools/container-build.shuname -mDOCKER_DEFAULT_PLATFORMenvironment variable for manual overridesContainerfileTARGETPLATFORMbuild arg to pass correct platform tofetch-and-verify-go.shlinux/amd64andlinux/arm64platformstools/make-deb.shamd64/arm64for.debpackagesGitHub Actions Workflow Changes
This PR also implements the multi-architecture support in the CI/CD pipelines:
release.yml:build-artifacts,create-release, andpush-images.amd64andarm64architectures on corresponding runners.push-imagesjob now pushes multi-platform container images toghcr.iowith a manifest list.try-release.yml:amd64andarm64architectures..dockerignoreand.gitignore:.githubdirectory in docker builds and build artifacts from git.Testing
GO_VERSION=1.24.6 ./tools/container-build.shDOCKER_DEFAULT_PLATFORM=linux/amd64 GO_VERSION=1.24.6 ./tools/container-build.sh.amd64.tar.gz/.arm64.tar.gzand.amd64.deb/.arm64.debfilesUsage Examples
This change implements the parallel multi-architecture CI builds described above, while improving local development efficiency.
Fixes #8388