source: trunk/misc/build_helpers/build-manylinux-wheels.sh

Last change on this file was b24e36b, checked in by Jean-Paul Calderone <exarkun@…>, at 2017-03-01T13:19:45Z

Fetch dependencies outside the container

Disable networking for the container.

The container images run very old, vulnerability-filled software.
(The former is intentional, the latter is somewhat difficult to avoid.)

This allows the containers to do the wheel builds without talking to the
network. This reduces the attack surface somewhat.

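#!/bin/bash
# Build manylinux (x86_64 and i686) wheels for pycryptopp.
#
# Run from the root of the pycryptopp source tree.  Everything that needs the
# network (virtualenv/pip, docker pull) happens here on the host; the manylinux
# containers themselves are started with --network none because those images
# ship very old software.
#
# Shell options are set here rather than in the shebang so they survive being
# invoked as `bash build-manylinux-wheels.sh`.  -u and pipefail are added to
# the original -e/-x so unset variables and failed pipeline stages abort too.
set -eux -o pipefail

# This runs in the container to actually build the wheels.
readonly BUILDER="/io/misc/build_helpers/_build-wheels.sh"

# Create a scratch path where a bunch of intermediate build state can be
# dumped.  Declaration and assignment are split so mktemp's exit status is
# not masked by readonly.
BASE="$(mktemp -d)"
readonly BASE

#######################################
# Remove the scratch directory on any exit path.
# Globals:   BASE (read)
# Returns:   always 0
#######################################
cleanup() {
  # Best-effort: the container may have written root-owned files into the
  # wheelhouse mount, so removal can fail for an unprivileged host user and
  # that must not alter the script's exit status.
  rm -rf -- "${BASE:?}" || true
}
trap cleanup EXIT

# Put a virtualenv in there
readonly ENV="${BASE}/env"
virtualenv "${ENV}"

# Create a directory where we can dump wheels that the build depends on.
readonly WHEELHOUSE="${BASE}/wheelhouse"
mkdir -p "${WHEELHOUSE}"

# Helpers to run programs from the virtualenv - instead of "activating" it and
# changing what "pip" and "python" mean for everything in the script.
readonly PYTHON="${ENV}/bin/python"
readonly PIP="${ENV}/bin/pip"

# Get a new, good version of pip (who knows what version came with the
# virtualenv on the system?)
"${PIP}" install --upgrade pip

# Dump the requirements into a pip-readable format.
"${PYTHON}" setup.py egg_info

# Get wheels for all of the requirements and dump them into the directory we
# created for that purpose.  This is the only place dependencies are fetched;
# the containers below cannot reach the network.
"${PIP}" wheel \
  --requirement pycryptopp.egg-info/requires.txt \
  --wheel-dir "${WHEELHOUSE}"

#######################################
# Pull a manylinux image and run the in-container builder in it.
#
# The container gets our working directory (the root of the pycryptopp source
# tree) and the wheelhouse we populated above, and no network access at all:
# the image is (intentionally) full of super old software that's riddled with
# vulnerabilities, and cutting it off from the network limits the attack
# surface to something a bit less terrifying.
#
# Globals:   WHEELHOUSE (read), PWD (read)
# Arguments: $1 - docker image to pull and run
#            $@ - command to run inside the container
# Returns:   status of docker pull / docker run
#######################################
run_builder() {
  local image=$1
  shift
  # NOTE(review): the image reference carries no tag or digest, so this
  # resolves to whatever :latest is at pull time; pinning a digest would make
  # the build reproducible and the pulled content verifiable.
  docker pull "${image}"
  # Both mounts are read-write (no :ro); the builder is expected to write its
  # output wheels into /io/wheelhouse, and presumably build state under /io.
  docker run \
    --rm \
    --network none \
    --volume "${PWD}:/io" \
    --volume "${WHEELHOUSE}:/io/wheelhouse" \
    "${image}" \
    "$@"
}

# Build all the x86_64 (64 bit) manylinux wheels.
run_builder "quay.io/pypa/manylinux1_x86_64" "${BUILDER}"

# As above, but for the i686 (32 bit) builds.
run_builder "quay.io/pypa/manylinux1_i686" linux32 "${BUILDER}"

# Get the pycryptopp wheels from the place they were dumped.  If the glob
# matches nothing, cp fails on the literal pattern and -e aborts the script,
# which is the desired outcome for a build that produced no wheels.
mkdir -p wheelhouse
cp -v -- "${WHEELHOUSE}"/pycryptopp-*.whl wheelhouse/
sha256sum wheelhouse/*.whl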