Unable to build 1.34.0 #39148
Description
If you are reporting any crash or any potential security issue, do not
open an issue in this repo. Please report the issue via emailing
[email protected] where the issue will be triaged appropriately.
Title: Unable to build 1.34.0 using official tools
Description:
I'm trying to build Envoy in FIPS mode using the envoyproxy/envoy-build-ubuntu image but since 1.34.0 upgrade, the build fails.
Repro steps and Config:
My Dockerfile:
ARG BRANCH
ARG HTTP_PROXY
ARG HTTPS_PROXY
ARG NO_PROXY
ARG BUILD_TYPE=release
ARG EXPIRY=12w
# Hack - adding TARGETPLATFORM so regular build too. TARGETPLATFORM is present with buildx
ARG TARGETPLATFORM=linux/amd64
# Build enovy from source code
# Tag comes from https://github.com/envoyproxy/envoy/blob/v1.34.0/.github/config.yml
FROM envoyproxy/envoy-build-ubuntu:cb86d91cf406995012e330ab58830e6ee10240cb AS envoybuild
ARG HTTP_PROXY
ARG HTTPS_PROXY
ARG NO_PROXY
ARG BUILD_TYPE
ARG BRANCH
RUN git clone --single-branch --branch=${BRANCH} https://github.com/envoyproxy/envoy.git /source
RUN useradd -m -d /build -u 1000 -s /bin/bash envoy
ENV HOME=/build
RUN chown -R 1000:1000 /source/
USER 1000
RUN echo "build --define boringssl=fips" >> /source/user.bazelrc
WORKDIR /source
RUN ./ci/do_ci.sh release.server_only
Logs:
Build fails fairly shortly after start:
#5 [envoybuild 2/11] RUN git clone --single-branch --branch=v1.34.0 https://github.com/envoyproxy/envoy.git /source
#5 0.703 Cloning into '/source'...
#5 9.907 Note: switching to 'd7809ba2b07fd869d49bfb122b27f6a7977b4d94'.
#5 9.907
#5 9.907 You are in 'detached HEAD' state. You can look around, make experimental
#5 9.907 changes and commit them, and you can discard any commits you make in this
#5 9.907 state without impacting any branches by switching back to a branch.
#5 9.907
#5 9.907 If you want to create a new branch to retain commits you create, you may
#5 9.907 do so (now or later) by using -c with the switch command. Example:
#5 9.907
#5 9.907 git switch -c <new-branch-name>
#5 9.907
#5 9.907 Or undo this operation with:
#5 9.907
#5 9.907 git switch -
#5 9.907
#5 9.907 Turn off this advice by setting config variable advice.detachedHead to false
#5 9.907
#5 DONE 31.3s
#6 [envoybuild 3/11] RUN useradd -m -d /build -u 1000 -s /bin/bash envoy
#6 DONE 0.5s
#7 [envoybuild 4/11] RUN chown -R 1000:1000 /source/
#7 DONE 23.1s
#8 [envoybuild 5/11] RUN echo "build --define boringssl=fips" >> /source/user.bazelrc
#8 DONE 0.2s
#9 [envoybuild 6/11] WORKDIR /source
#9 DONE 0.0s
#10 [envoybuild 7/11] RUN ./ci/do_ci.sh release.server_only
#10 0.278 ENVOY_SRCDIR=/source
#10 0.278 ENVOY_BUILD_TARGET=//source/exe:envoy-static
#10 0.278 ENVOY_BUILD_ARCH=x86_64
#10 0.278 BUILD_DIR not set - defaulting to ~/.cache/envoy-bazel
#10 0.278 /build/.cache/envoy-bazel missing - Creating.
#10 0.281 Setting test_tmpdir to /build/.cache/envoy-bazel/tmp.
#10 0.294 building using 32 CPUs
#10 0.294 building for x86_64
#10 0.297 clang toolchain with libc++ configured: clang-libc++
#10 0.298 Building with:
#10 0.298 build options: --repository_cache=/build/.cache/envoy-bazel/repository_cache --experimental_repository_cache_hardlinks --verbose_failures --experimental_generate_json_trace_profile --test_tmpdir=/build/.cache/envoy-bazel/tmp --config=clang-libc++
#10 0.298 release options: --stripopt=--strip-all -c opt
#10 0.298 binary dir: /build/.cache/envoy-bazel/envoy/x64/bin
#10 0.300 2025/04/16 21:21:40 Downloading https://releases.bazel.build/7.6.0/release/bazel-7.6.0-linux-x86_64...
#10 0.855 Extracting Bazel installation...
#10 2.203 Starting local Bazel server and connecting to it...
#10 3.664 Computing main repo mapping:
#10 4.666 Computing main repo mapping:
#10 5.666 Computing main repo mapping:
#10 6.667 Computing main repo mapping:
#10 8.069 Computing main repo mapping:
#10 9.668 Computing main repo mapping:
#10 15.17 Computing main repo mapping:
#10 16.25 Computing main repo mapping:
#10 17.67 Computing main repo mapping:
#10 19.48 Computing main repo mapping:
#10 20.67 Computing main repo mapping:
#10 22.02 Computing main repo mapping:
#10 22.61 Loading:
#10 22.61 Loading: 2 packages loaded
#10 22.76 Analyzing: target //distribution/binary:release (3 packages loaded, 0 targets configured)
#10 22.78 Analyzing: target //distribution/binary:release (3 packages loaded, 0 targets configured)
#10 22.78
#10 23.84 Analyzing: target //distribution/binary:release (129 packages loaded, 18 targets configured)
#10 23.84
#10 24.91 Analyzing: target //distribution/binary:release (129 packages loaded, 18 targets configured)
#10 24.91
#10 25.63 DEBUG: Rule 'rules_buf_toolchains' indicated that a canonical reproducible form can be obtained by modifying arguments sha256 = "736e74d1697dcf253bc60b2f0fb4389c39dbc7be68472a7d564a953df8b19d12"
#10 25.63 DEBUG: Repository rules_buf_toolchains instantiated at:
#10 25.63 /source/WORKSPACE:29:25: in <toplevel>
#10 25.63 /source/bazel/dependency_imports.bzl:74:25: in envoy_dependency_imports
#10 25.63 /build/.cache/envoy-bazel/bazel_root/base/external/rules_buf/buf/internal/toolchain.bzl:197:26: in rules_buf_toolchains
#10 25.63 Repository rule buf_download_releases defined at:
#10 25.63 /build/.cache/envoy-bazel/bazel_root/base/external/rules_buf/buf/internal/toolchain.bzl:170:40: in <toplevel>
#10 25.97 Analyzing: target //distribution/binary:release (160 packages loaded, 1953 targets configured)
#10 25.97
#10 26.97 Analyzing: target //distribution/binary:release (679 packages loaded, 6593 targets configured)
#10 26.97
#10 27.97 Analyzing: target //distribution/binary:release (972 packages loaded, 17169 targets configured)
#10 27.97
#10 27.98 DEBUG: /build/.cache/envoy-bazel/bazel_root/base/external/com_google_protobuf/protobuf.bzl:654:10: The py_proto_library macro is deprecated and will be removed in the 30.x release. switch to the rule defined by rules_python or the one in bazel/py_proto_library.bzl.
#10 29.01 Analyzing: target //distribution/binary:release (1099 packages loaded, 26152 targets configured)
#10 29.01
#10 30.01 Analyzing: target //distribution/binary:release (1117 packages loaded, 42721 targets configured)
#10 30.01
#10 30.35 INFO: Repository com_github_intel_ipp_crypto_crypto_mb_fips instantiated at:
#10 30.35 /source/WORKSPACE:17:19: in <toplevel>
#10 30.35 /source/bazel/repositories.bzl:171:48: in envoy_dependencies
#10 30.35 /source/bazel/repositories.bzl:378:26: in _com_github_intel_ipp_crypto_crypto_mb_fips
#10 30.35 /source/bazel/repositories.bzl:55:23: in external_http_archive
#10 30.35 /build/.cache/envoy-bazel/bazel_root/base/external/envoy_api/bazel/envoy_http_archive.bzl:16:17: in envoy_http_archive
#10 30.35 Repository rule http_archive defined at:
#10 30.35 /build/.cache/envoy-bazel/bazel_root/base/external/bazel_tools/tools/build_defs/repo/http.bzl:387:31: in <toplevel>
#10 30.36 ERROR: /build/.cache/envoy-bazel/bazel_root/base/external/bazel_tools/tools/build_defs/repo/utils.bzl:202:22: An error occurred during the fetch of repository 'com_github_intel_ipp_crypto_crypto_mb_fips':
#10 30.36 Traceback (most recent call last):
#10 30.36 File "/build/.cache/envoy-bazel/bazel_root/base/external/bazel_tools/tools/build_defs/repo/http.bzl", line 149, column 10, in _http_archive_impl
#10 30.36 patch(ctx)
#10 30.36 File "/build/.cache/envoy-bazel/bazel_root/base/external/bazel_tools/tools/build_defs/repo/utils.bzl", line 202, column 22, in patch
#10 30.36 ctx.patch(patchfile, strip)
#10 30.36 Error in patch: Error applying patch /source/bazel/foreign_cc/ipp-crypto-bn2lebinpad.patch: in patch applied to /build/.cache/envoy-bazel/bazel_root/base/external/com_github_intel_ipp_crypto_crypto_mb_fips/sources/ippcp/crypto_mb/src/common/ifma_cvt52.c: could not apply patch due to CONTENT_DOES_NOT_MATCH_TARGET, error applying change near line 26
#10 30.77 ERROR: no such package '@@com_github_intel_ipp_crypto_crypto_mb_fips//': Error applying patch /source/bazel/foreign_cc/ipp-crypto-bn2lebinpad.patch: in patch applied to /build/.cache/envoy-bazel/bazel_root/base/external/com_github_intel_ipp_crypto_crypto_mb_fips/sources/ippcp/crypto_mb/src/common/ifma_cvt52.c: could not apply patch due to CONTENT_DOES_NOT_MATCH_TARGET, error applying change near line 26
#10 30.78 ERROR: /source/contrib/cryptomb/private_key_providers/source/BUILD:17:12: //contrib/cryptomb/private_key_providers/source:ipp-crypto depends on @@com_github_intel_ipp_crypto_crypto_mb_fips//:all in repository @@com_github_intel_ipp_crypto_crypto_mb_fips which failed to fetch. no such package '@@com_github_intel_ipp_crypto_crypto_mb_fips//': Error applying patch /source/bazel/foreign_cc/ipp-crypto-bn2lebinpad.patch: in patch applied to /build/.cache/envoy-bazel/bazel_root/base/external/com_github_intel_ipp_crypto_crypto_mb_fips/sources/ippcp/crypto_mb/src/common/ifma_cvt52.c: could not apply patch due to CONTENT_DOES_NOT_MATCH_TARGET, error applying change near line 26
#10 30.80 ERROR: Analysis of target '//distribution/binary:release' failed; build aborted: Analysis failed
#10 30.82 INFO: Elapsed time: 29.933s, Critical Path: 0.06s
#10 30.83 INFO: 1 process: 1 internal.
#10 30.83 ERROR: Build did NOT complete successfully
#10 30.83 FAILED:
#10 30.83
#10 ERROR: process "/bin/bash -ec ./ci/do_ci.sh release.server_only" did not complete successfully: exit code: 1
------
> [envoybuild 7/11] RUN ./ci/do_ci.sh release.server_only:
30.83
30.35 /build/.cache/envoy-bazel/bazel_root/base/external/bazel_tools/tools/build_defs/repo/http.bzl:387:31: in <toplevel>
30.36 ERROR: /build/.cache/envoy-bazel/bazel_root/base/external/bazel_tools/tools/build_defs/repo/utils.bzl:202:22: An error occurred during the fetch of repository 'com_github_intel_ipp_crypto_crypto_mb_fips':
30.36 Traceback (most recent call last):
30.36 File "/build/.cache/envoy-bazel/bazel_root/base/external/bazel_tools/tools/build_defs/repo/http.bzl", line 149, column 10, in _http_archive_impl
30.36 patch(ctx)
30.36 File "/build/.cache/envoy-bazel/bazel_root/base/external/bazel_tools/tools/build_defs/repo/utils.bzl", line 202, column 22, in patch
30.36 ctx.patch(patchfile, strip)
30.36 Error in patch: Error applying patch /source/bazel/foreign_cc/ipp-crypto-bn2lebinpad.patch: in patch applied to /build/.cache/envoy-bazel/bazel_root/base/external/com_github_intel_ipp_crypto_crypto_mb_fips/sources/ippcp/crypto_mb/src/common/ifma_cvt52.c: could not apply patch due to CONTENT_DOES_NOT_MATCH_TARGET, error applying change near line 26
30.77 ERROR: no such package '@@com_github_intel_ipp_crypto_crypto_mb_fips//': Error applying patch /source/bazel/foreign_cc/ipp-crypto-bn2lebinpad.patch: in patch applied to /build/.cache/envoy-bazel/bazel_root/base/external/com_github_intel_ipp_crypto_crypto_mb_fips/sources/ippcp/crypto_mb/src/common/ifma_cvt52.c: could not apply patch due to CONTENT_DOES_NOT_MATCH_TARGET, error applying change near line 26
------
envoy.Dockerfile:28
--------------------
26 | # RUN echo "build --disk_cache=/cache" >> /source/user.bazelrc
27 | WORKDIR /source
28 | >>> RUN ./ci/do_ci.sh release.server_only
29 |
30 | # Install zstd and extract the envoy from the release tarball
--------------------
ERROR: failed to solve: process "/bin/bash -ec ./ci/do_ci.sh release.server_only" did not complete successfully: exit code: 1