Restructure the build so a minimal initial build is then used for the final build (with docs)

This reduces pressure on the system JDK and ensures the JDK being built can do a full build
This commit is contained in:
Andrew Hughes 2021-10-03 23:20:13 +01:00
parent 83375279df
commit ad715cbd7d

View File

@ -198,12 +198,12 @@
%global static_libs_target %{nil} %global static_libs_target %{nil}
%endif %endif
# RPM JDK builds keep the debug symbols internal, to be later stripped by RPM
%global debug_symbols internal
# unlike portables,the rpms have to use static_libs_target very dynamically # unlike portables,the rpms have to use static_libs_target very dynamically
%if %{bootstrap_build} %global bootstrap_targets images
%global release_targets bootcycle-images docs-zip
%else
%global release_targets images docs-zip %global release_targets images docs-zip
%endif
# No docs nor bootcycle for debug builds # No docs nor bootcycle for debug builds
%global debug_targets images %global debug_targets images
@ -343,7 +343,7 @@
%global top_level_dir_name %{origin} %global top_level_dir_name %{origin}
%global top_level_dir_name_backup %{top_level_dir_name}-backup %global top_level_dir_name_backup %{top_level_dir_name}-backup
%global buildver 7 %global buildver 7
%global rpmrelease 7 %global rpmrelease 8
#%%global tagsuffix %%{nil} #%%global tagsuffix %%{nil}
# Priority must be 8 digits in total; up to openjdk 1.8, we were using 18..... so when we moved to 11, we had to add another digit # Priority must be 8 digits in total; up to openjdk 1.8, we were using 18..... so when we moved to 11, we had to add another digit
%if %is_system_jdk %if %is_system_jdk
@ -1756,44 +1756,28 @@ EXTRA_CFLAGS="$EXTRA_CFLAGS -fno-strict-aliasing"
EXTRA_ASFLAGS="${EXTRA_CFLAGS} -Wa,--generate-missing-build-notes=yes" EXTRA_ASFLAGS="${EXTRA_CFLAGS} -Wa,--generate-missing-build-notes=yes"
export EXTRA_CFLAGS EXTRA_ASFLAGS export EXTRA_CFLAGS EXTRA_ASFLAGS
for suffix in %{build_loop} ; do function buildjdk() {
if [ "x$suffix" = "x" ] ; then local outputdir=${1}
debugbuild=release local buildjdk=${2}
debug_symbols=internal local maketargets="${3}"
else local debuglevel=${4}
# change --something to something local link_opt=${5}
debugbuild=`echo $suffix | sed "s/-//g"`
debug_symbols=internal
fi
for loop in %{main_suffix} %{staticlibs_loop} ; do local top_dir_abs_src_path=$(pwd)/%{top_level_dir_name}
local top_dir_abs_build_path=$(pwd)/${outputdir}
if test "x${loop}" = "x%{main_suffix}" ; then echo "Using output directory: ${outputdir}";
# Copy the source tree so we can remove all in-tree libraries echo "Checking build JDK ${buildjdk} is operational..."
cp -a %{top_level_dir_name} %{top_level_dir_name_backup} ${buildjdk}/bin/java -version
# Remove all libraries that are linked echo "Using make targets: ${maketargets}"
sh %{SOURCE12} %{top_level_dir_name} full echo "Using debuglevel: ${debuglevel}"
# Variable used by configure and hs_err hook on build failures echo "Using link_opt: ${link_opt}"
link_opt="system" echo "Building %{newjavaver}-%{buildver}, pre=%{ea_designator}, opt=%{lts_designator}"
# Debug builds don't need same targets as release for
# build speed-up
maketargets="%{release_targets}"
if echo $debugbuild | grep -q "debug" ; then
maketargets="%{debug_targets}"
fi
else
# Variable used by configure and hs_err hook on build failures
link_opt="bundled"
# Static library cycle only builds the static libraries
maketargets="%{static_libs_target}"
fi
top_dir_abs_src_path=$(pwd)/%{top_level_dir_name} mkdir -p ${outputdir}
top_dir_abs_build_path=$(pwd)/%{buildoutputdir -- ${suffix}${loop}} pushd ${outputdir}
mkdir -p ${top_dir_abs_build_path}
pushd ${top_dir_abs_build_path}
bash ${top_dir_abs_src_path}/configure \ bash ${top_dir_abs_src_path}/configure \
%ifnarch %{jit_arches} %ifnarch %{jit_arches}
--with-jvm-variants=zero \ --with-jvm-variants=zero \
%endif %endif
@ -1808,9 +1792,9 @@ bash ${top_dir_abs_src_path}/configure \
--with-vendor-url="%{oj_vendor_url}" \ --with-vendor-url="%{oj_vendor_url}" \
--with-vendor-bug-url="%{oj_vendor_bug_url}" \ --with-vendor-bug-url="%{oj_vendor_bug_url}" \
--with-vendor-vm-bug-url="%{oj_vendor_bug_url}" \ --with-vendor-vm-bug-url="%{oj_vendor_bug_url}" \
--with-boot-jdk=/usr/lib/jvm/java-%{buildjdkver}-openjdk \ --with-boot-jdk=${buildjdk} \
--with-debug-level=$debugbuild \ --with-debug-level=${debuglevel} \
--with-native-debug-symbols=$debug_symbols \ --with-native-debug-symbols="%{debug_symbols}" \
--enable-sysconf-nss \ --enable-sysconf-nss \
--enable-unlimited-crypto \ --enable-unlimited-crypto \
--with-zlib=system \ --with-zlib=system \
@ -1829,54 +1813,102 @@ bash ${top_dir_abs_src_path}/configure \
--with-jvm-features="%{shenandoah_feature},%{zgc_feature}" \ --with-jvm-features="%{shenandoah_feature},%{zgc_feature}" \
--disable-warnings-as-errors --disable-warnings-as-errors
make \ cat spec.gmk
make \
JAVAC_FLAGS=-g \ JAVAC_FLAGS=-g \
LOG=trace \ LOG=trace \
WARNINGS_ARE_ERRORS="-Wno-error" \ WARNINGS_ARE_ERRORS="-Wno-error" \
CFLAGS_WARNINGS_ARE_ERRORS="-Wno-error" \ CFLAGS_WARNINGS_ARE_ERRORS="-Wno-error" \
$maketargets || ( pwd; find ${top_dir_abs_src_path} ${top_dir_abs_build_path} -name "hs_err_pid*.log" | xargs cat && false ) $maketargets || ( pwd; find ${top_dir_abs_src_path} ${top_dir_abs_build_path} -name "hs_err_pid*.log" | xargs cat && false )
popd popd
}
# Restore original source tree if we modified it by removing full in-tree sources function installjdk() {
if [ -d %{top_level_dir_name_backup} ] ; then local imagepath=${1}
# the build (erroneously) removes read permissions from some jars
# this is a regression in OpenJDK 7 (our compiler):
# http://icedtea.classpath.org/bugzilla/show_bug.cgi?id=1437
find ${imagepath} -iname '*.jar' -exec chmod ugo+r {} \;
# Build screws up permissions on binaries
# https://bugs.openjdk.java.net/browse/JDK-8173610
find ${imagepath} -iname '*.so' -exec chmod +x {} \;
find ${imagepath}/bin/ -exec chmod +x {} \;
# Install nss.cfg right away as we will be using the JRE above
install -m 644 nss.cfg ${imagepath}/conf/security/
# Install nss.fips.cfg: NSS configuration for global FIPS mode (crypto-policies)
install -m 644 nss.fips.cfg ${imagepath}/conf/security/
# Use system-wide tzdata
rm ${imagepath}/lib/tzdb.dat
ln -s %{_datadir}/javazi-1.8/tzdb.dat ${imagepath}/lib/tzdb.dat
# Create fake alt-java as a placeholder for future alt-java
pushd ${imagepath}
# add alt-java man page
echo "Hardened java binary recommended for launching untrusted code from the Web e.g. javaws" > man/man1/%{alt_java_name}.1
cat man/man1/java.1 >> man/man1/%{alt_java_name}.1
popd
}
for suffix in %{build_loop} ; do
if [ "x$suffix" = "x" ] ; then
debugbuild=release
else
# change --something to something
debugbuild=`echo $suffix | sed "s/-//g"`
fi
systemjdk=/usr/lib/jvm/java-%{buildjdkver}-openjdk
for loop in %{main_suffix} %{staticlibs_loop} ; do
builddir=%{buildoutputdir -- ${suffix}${loop}}
bootbuilddir=boot${builddir}
if test "x${loop}" = "x%{main_suffix}" ; then
# Copy the source tree so we can remove all in-tree libraries
cp -a %{top_level_dir_name} %{top_level_dir_name_backup}
# Remove all libraries that are linked
sh %{SOURCE12} %{top_level_dir_name} full
# Use system libraries
link_opt="system"
# Debug builds don't need same targets as release for
# build speed-up
maketargets="%{release_targets}"
if echo $debugbuild | grep -q "debug" ; then
maketargets="%{debug_targets}"
fi
%if %{bootstrap_build}
buildjdk ${bootbuilddir} ${systemjdk} "%{bootstrap_targets}" ${debugbuild} ${link_opt}
buildjdk ${builddir} $(pwd)/${bootbuilddir}/images/%{jdkimage} "${maketargets}" ${debugbuild} ${link_opt}
rm -rf ${bootbuilddir}
%else
buildjdk ${builddir} ${systemjdk} "${maketargets}" ${debugbuild} ${link_opt}
%endif
# Restore original source tree we modified by removing full in-tree sources
rm -rf %{top_level_dir_name} rm -rf %{top_level_dir_name}
mv %{top_level_dir_name_backup} %{top_level_dir_name} mv %{top_level_dir_name_backup} %{top_level_dir_name}
fi else
# Use bundled libraries for building statically
link_opt="bundled"
# Static library cycle only builds the static libraries
maketargets="%{static_libs_target}"
# Always just do the one build for the static libraries
buildjdk ${builddir} ${systemjdk} "${maketargets}" ${debugbuild} ${link_opt}
fi
done # end of main / staticlibs loop done # end of main / staticlibs loop
top_dir_abs_main_build_path=$(pwd)/%{buildoutputdir -- ${suffix}%{main_suffix}} # Final setup on the main image
top_dir_abs_main_build_path=$(pwd)/%{buildoutputdir -- ${suffix}%{main_suffix}}
# the build (erroneously) removes read permissions from some jars installjdk ${top_dir_abs_main_build_path}/images/%{jdkimage}
# this is a regression in OpenJDK 7 (our compiler):
# http://icedtea.classpath.org/bugzilla/show_bug.cgi?id=1437
find ${top_dir_abs_main_build_path}/images/%{jdkimage} -iname '*.jar' -exec chmod ugo+r {} \;
# Build screws up permissions on binaries
# https://bugs.openjdk.java.net/browse/JDK-8173610
find ${top_dir_abs_main_build_path}/images/%{jdkimage} -iname '*.so' -exec chmod +x {} \;
find ${top_dir_abs_main_build_path}/images/%{jdkimage}/bin/ -exec chmod +x {} \;
# Install nss.cfg right away as we will be using the JRE above
export JAVA_HOME=${top_dir_abs_main_build_path}/images/%{jdkimage}
# Install nss.cfg right away as we will be using the JRE above
install -m 644 nss.cfg $JAVA_HOME/conf/security/
# Install nss.fips.cfg: NSS configuration for global FIPS mode (crypto-policies)
install -m 644 nss.fips.cfg $JAVA_HOME/conf/security/
# Use system-wide tzdata
rm $JAVA_HOME/lib/tzdb.dat
ln -s %{_datadir}/javazi-1.8/tzdb.dat $JAVA_HOME/lib/tzdb.dat
# Create fake alt-java as a placeholder for future alt-java
pushd ${JAVA_HOME}
# add alt-java man page
echo "Hardened java binary recommended for launching untrusted code from the Web e.g. javaws" > man/man1/%{alt_java_name}.1
cat man/man1/java.1 >> man/man1/%{alt_java_name}.1
popd
# build cycles # build cycles
done # end of release / debug cycle loop done # end of release / debug cycle loop
@ -2405,6 +2437,10 @@ end
%endif %endif
%changelog %changelog
* Sun Oct 03 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:11.0.12.0.7-8
- Restructure the build so a minimal initial build is then used for the final build (with docs)
- This reduces pressure on the system JDK and ensures the JDK being built can do a full build
* Sun Sep 05 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:11.0.12.0.7-7 * Sun Sep 05 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:11.0.12.0.7-7
- Add patch to login to the NSS software token when in FIPS mode. - Add patch to login to the NSS software token when in FIPS mode.
- Extend the default security policy to accomodate PKCS11 accessing jdk.internal.misc. - Extend the default security policy to accomodate PKCS11 accessing jdk.internal.misc.