[GR-34422] Use toolchains for musl cross-compilation and improve docs for building static native-images.

PullRequest: graal/10047

Author: Aleksandar Gradinac

docs/reference-manual/embedding/embed-languages.md

@@ -19,7 +19,7 @@ permalink: /reference-manual/embed-languages/
 * [Embed languages in Guest Languages](#embed-languages-in-guest-languages)
 * [Build a Shell for Many Languages](#build-a-shell-for-many-languages)
 * [Step Through with Execution Listeners](#step-through-with-execution-listeners)
-* [Configure Sandbox Resource Limits](#configure-sandbox-resource-limits)
+* [Enterprise Sandbox Resource Limits](#enterprise-sandbox-resource-limits)
 
 The GraalVM Polyglot API lets you embed and run code from guest languages in JVM-based host applications.
 
@@ -632,5 +632,5 @@ In this code:
 - The `context.eval()` call evaluates a specified snippet of guest language code.
 - The `listener.close()` closes a listener earlier, however execution listeners are automatically closed with the engine.
 
-<!-- Configure Sandbox Resource Limits -->
+<!-- Enterprise Sandbox Resource Limits -->
 {% include_relative sandbox-options.md %}

docs/reference-manual/native-image/CertificateManagement.md

@@ -6,60 +6,40 @@ permalink: /reference-manual/native-image/CertificateManagement/
 ---
 # Certificate Management in Native Image
 
-Native-image provides multiple ways to specify the certificate file used to
-define the default TrustStore. In the following sections we describe the
-available buildtime and runtime options. Note the default behavior for
-native-image is to capture and use the default TrustStore from the buildtime
-host environment.
+Native Image provides multiple ways to specify the certificate file used to define the default TrustStore.
+In the following sections we describe the available build-time and run-time options.
+Note: The default behavior for `native-image` is to capture and use the default TrustStore from the build-time host environment.
 
-## Buildtime Options
+## Build-time Options
 
-During the image building process, native-image captures the host environment's
-default TrustStore and embeds it into the native image. This TrustStore is
-by default created from the root certificate file provided within the JDK, but
-can be changed to use a different certificate file by setting the buildtime
-system property "javax.net.ssl.trustStore" (see [Properties](Properties.md) for
-how to do so).
+During the image building process, the `native-image` builder captures the host environment's default TrustStore and embeds it into the native executable.
+This TrustStore is by default created from the root certificate file provided within the JDK, but can be changed to use a different certificate file by setting the build-time system property `javax.net.ssl.trustStore` (see [Properties](Properties.md) for how to do it).
 
-Since the contents of the buildtime certificate file is embedded into the image
-executable, the file itself does not need to present in the target environment.
+Since the contents of the build-time certificate file is embedded into the native executable, the file itself does not need to be present in the target environment.
 
-## Runtime Options
+## Run-time Options
 
-The certificate file can also be changed dynamically at runtime via setting
-the "javax.net.ssl.trustStore\*" system properties.
+The certificate file can also be changed dynamically at run time via setting the `javax.net.ssl.trustStore\*` system properties.
 
-If any of the following system properties are set during image execution,
-native-image also requires "javax.net.ssl.trustStore" to be set and for it
-to point to an accessible certificate file:
-- javax.net.ssl.trustStore
-- javax.net.ssl.trustStoreType
-- javax.net.ssl.trustStoreProvider
-- javax.net.ssl.trustStorePassword
+If any of the following system properties are set during the image execution, `native-image` also requires `javax.net.ssl.trustStore` to be set, and for it to point to an accessible certificate file:
+- `javax.net.ssl.trustStore`
+- `javax.net.ssl.trustStoreType`
+- `javax.net.ssl.trustStoreProvider`
+- `javax.net.ssl.trustStorePassword`
 
-If any of these properties are set and "javax.net.ssl.trustStore" does not point
-to an accessible file, then an UnsupportedFeatureError will be thrown.
+If any of these properties are set and `javax.net.ssl.trustStore` does not point to an accessible file, then an `UnsupportedFeatureError` will be thrown.
 
-Note that this behavior is different than OpenJDK. When the
-"javax.net.ssl.trustStore" system property is unset/invalid, OpenJDK will
-fallback to using a certificate file shipped within the JDK; however, such
-files will not be present alongside the image executable and hence cannot be
-used as a fallback.
+Note that this behavior is different than OpenJDK.
+When the `javax.net.ssl.trustStore` system property is unset or invalid, OpenJDK will fallback to using a certificate file shipped within the JDK.
+However, such files will not be present alongside the image executable and hence cannot be used as a fallback.
 
-During the execution, it also possible to dynamically change the
-"javax.net.ssl.trustStore\*" properties and for the default TrustStore to be
-updated accordingly.
+During the execution, it also possible to dynamically change the `javax.net.ssl.trustStore\*` properties and for the default TrustStore to be updated accordingly.
 
-Finally, whenever all of the "javax.net.ssl.trustStore\*" system properties
-listed above are unset, the default TrustStore will be the one captured during
-buildtime, as described in the [prior section](#buildtime-options).
+Finally, whenever all of the `javax.net.ssl.trustStore\*` system properties listed above are unset, the default TrustStore will be the one captured during the build time, as described in the [prior section](#build-time-options).
 
 ## Untrusted Certificates
 
-During the image building process, a list of untrusted certificates is loaded
-from the file <java.home>/lib/security/blacklisted.certs. This file is used
-when validating certificates at both buildtime and runtime.  In other words,
-when a new certificate file is specified at runtime via setting the
-"javax.net.ssl.trustStore\*" system properties, the new certificates will still
-be checked against the <java.home>/lib/security/blacklisted.certs loaded at
-image buildtime.
+During the image building process, a list of untrusted certificates is loaded from the file `<java.home>/lib/security/blacklisted.certs`.
+This file is used when validating certificates at both build time and run time.
+In other words, when a new certificate file is specified at run time via setting the `javax.net.ssl.trustStore\*` system properties, the new certificates will still be checked against the `<java.home>/lib/security/blacklisted.certs` loaded at
+image build time.

docs/reference-manual/native-image/Reflection.md

@@ -4,6 +4,12 @@ toc_group: native-image
 link_title: Reflection on Native Image
 permalink: /reference-manual/native-image/Reflection/
 ---
+
+* [Automatic Detection](#automatic-detection)
+* [Manual Configuration](#manual-configuration)
+* [Conditional Configuration](#conditional-configuration)
+* [Configuration with Features](#configuration-with-features)
+
 # Reflection Use in Native Images
 
 Java reflection support (the `java.lang.reflect.*` API) enables Java code to examine its own classes, methods, fields and their properties at run time.
@@ -128,7 +134,9 @@ Also, `-H:ReflectionConfigurationResources` can be specified to load one or seve
 
 ### Conditional Configuration
 
-With conditional configuraiton, a class configuration entry is applied only if a provided `condition` is satisfied. The only currently supported condition is `typeReachable`, which enables the configuration entry if the specified type is reachable through other code. For example, to support reflective access to `sun.misc.Unsafe.theUnsafe` only when `io.netty.util.internal.PlatformDependent0` is reachable, the configuration should look like:
+With conditional configuration, a class configuration entry is applied only if a provided `condition` is satisfied.
+The only currently supported condition is `typeReachable`, which enables the configuration entry if the specified type is reachable through other code.
+For example, to support reflective access to `sun.misc.Unsafe.theUnsafe` only when `io.netty.util.internal.PlatformDependent0` is reachable, the configuration should look like:
 
 ```json
 {
@@ -140,11 +148,14 @@ With conditional configuraiton, a class configuration entry is applied only if a
 }
 ```
 
-Conditional configuration is the *preferred* way to specify reflection configuration: if code doing a reflective access is not reachable, it is unnecessary to include its corresponding reflection entry. The consistent usage of `condition` results in *smaller binaries* and *better build times* as the image builder can selectively include reflectively accessed code.
+Conditional configuration is the **preferred** way to specify reflection configuration: if code doing a reflective access is not reachable, it is unnecessary to include its corresponding reflection entry.
+The consistent usage of `condition` results in *smaller binaries* and *better build times* as the image builder can selectively include reflectively accessed code.
 
-If a `condition` is omitted, the element is always included. When the same `condition` is used for two distinct elements in two configuration entries, both elements will be included when the condition is satisfied. When a configuration entry should be enabled if one of several types are reachable, it is necessary to add two configuration entries: one entry for each condition.
+If a `condition` is omitted, the element is always included.
+When the same `condition` is used for two distinct elements in two configuration entries, both elements will be included when the condition is satisfied.
+When a configuration entry should be enabled if one of several types are reachable, it is necessary to add two configuration entries: one entry for each condition.
 
-When used with [assisted configuration](BuildConfiguration.md#assisted-configuration-of-native-image-builds), conditional entries of existing configuration will not be fused with agent-collected entries as agent-collected entries.
+When used with [assisted configuration](BuildConfiguration.md#assisted-configuration-of-native-image-builds), conditional entries of existing configuration will not be fused with agent-collected entries.
 
 ### Configuration with Features
 
@@ -173,4 +184,6 @@ Reflection can be used without restrictions during a native image generation, fo
 At this point, code can collect information about methods and fields and store them in their own data structures, which are then reflection-free at run time.
 
 ### Unsafe Accesses
-The `Unsafe` class, although its use is discouraged, provides direct access to the memory of Java objects. The `Unsafe.objectFieldOffset()` method provides the offset of a field within a Java object. Note that the offsets that are queried during native image generation can be different from the offsets at run time.
+The `Unsafe` class, although its use is discouraged, provides direct access to the memory of Java objects.
+The `Unsafe.objectFieldOffset()` method provides the offset of a field within a Java object.
+Note that the offsets that are queried during native image generation can be different from the offsets at run time.

docs/reference-manual/native-image/StaticImages.md

@@ -4,58 +4,76 @@ toc_group: native-image
 link_title: Static Native Images
 permalink: /reference-manual/native-image/StaticImages/
 ---
-# Static Native Images
+# Static and Mostly Static Images
 
-Static native images are statically linked binaries which can be used without any additional library dependencies.
-This makes them suitable for use in a Docker container.
+With GraalVM Native Image you can create static or mostly static images, depending on the purposes.
+
+**Static native images** are statically linked binaries which can be used without any additional library dependencies.
+This makes them easier to distribute and to deploy on slim or distroless container images.
+They are created by statically linking against [musl-libc](https://musl.libc.org/), a lightweight, fast and simple `libc` implementation.
+
+**Mostly static native images** statically link against all libraries except `libc`.
+This approach is ideal for deploying such native images on distroless container images.
+Note that it currently only works when linking against `glibc`.
 
 ## Prerequisites
- - Right now, this only works on Linux AMD64 on Java 11.
- - You will need `gcc`, `make`, and `configure`.
- - Create a directory that will hold the libraries you build. You will refer to this directory as `${RESULT_DIR}`.
- - Download the latest `musl` release [here](https://musl.libc.org/). This document will use `musl-1.2.0`.
- - Download the latest `zlib` release [here](https://zlib.net/). This document will use `zlib-1.2.11`.
 
- ## Build a Static Native Image
+- Linux AMD64 operating system
+- GraalVM distribution for Java 11 with [Native Image support](README.md#install-native-image)
+- A 64-bit `musl` toolchain, `make`, and `configure`
+- The latest `zlib` library
 
-If you have `musl-gcc` on the path, you can build a native image statically linked against `muslc` with the following options: `--static --libc=musl`.
-To verify that `musl-gcc` is on the path, run `musl-gcc -v`.
+## Preparation
 
-To build a static native image, use:
-```shell
-native-image --static --libc=musl [other arguments] Class
-```
+You should get the `musl` toolchain first, and then compile and install `zlib` into the toolchain.
+
+1. Download the `musl` toolchain from [musl.cc](musl.cc). [This one](http://musl.cc/x86_64-linux-musl-native.tgz) is recommended. Extract the toolchain to a directory of your choice. This directory will be referred as `$TOOLCHAIN_DIR`.
+2. Download the latest `zlib` library sources from [here](https://zlib.net/) and extract them. This guide uses `zlib-1.2.11`.
+3. Set the following environment variable:
+    ```bash
+    CC=$TOOLCHAIN_DIR/bin/gcc
+    ```
+4. Change into the `zlib` directory, and then run the following commands to compile and install `zlib` into the toolchain:
+    ```bash
+    ./configure --prefix=$TOOLCHAIN_DIR --static
+    make
+    make install
+    ```
+
+## Build Static Native Image
 
-## Build a Mostly Static Native Image
+1. First, ensure `$TOOLCHAIN_DIR/bin` is present on your `PATH` variable.
+    To verify this, run:
+    ```bash
+    x86_64-linux-musl-gcc
+    ```
+    You should get a similar output printed:
+    ```bash
+    x86_64-linux-musl-gcc: fatal error: no input files
+    compilation terminated.
+    ```
 
-As of GraalVM version 20.2, you can build a “mostly static” native image which link statically everything except `libc`. Native images built this way are convenient to run in Docker containers, for example, based on
-[distroless minimal Linux, glibc-based systems](https://github.com/GoogleContainerTools/distroless/blob/master/base/README.md).
+2. Build a static native image by using this command:
+    ```shell
+    native-image --static --libc=musl [other arguments] Class
+    ```
 
-To build a mostly-static native image native image, use:
+## Build Mostly Static Native Image
+
+As of GraalVM version 20.2, you can build a “mostly static” native image which statically links everything except `libc`.
+Statically linking all your libraries except `glibc` ensures your application has all the libraries it needs to run on any Linux `glibc`-based distribution.
+
+To build a mostly-static native image native image, use this command:
 ```shell
 native-image -H:+StaticExecutableWithDynamicLibC [other arguments] Class
 ```
 
-#### Building musl
- - Extract the musl release `tarball` and `cd` into the extracted directory.
- - Run `./configure --disable-shared --prefix=${RESULT_DIR}`.
- - Run `make`.
- - Run `make install`.
-Other than building `musl` libraries, the build also creates a `gcc` wrapper called `musl-gcc` in the `${RESULT_DIR}/bin` directory.
-You should now put this wrapper on your `PATH` by running `export PATH=$PATH:${RESULT_DIR}/bin`.
-
-#### Building zlib
- - Extract the zlib release `tarball` and `cd` into the extracted directory.
- - You need to compile zlib and link it against musl so set `CC` to `musl-gcc`: `export CC=musl-gcc`.
- - Run `./configure --static --prefix=${RESULT_DIR}`.
- - Run `make`.
- - Run `make install`.
-
-#### Getting libstdc++
-`libstdc++` is obtained by building gcc. There are multiple approaches to obtaining it:
- 1. Build gcc with `musl-gcc`.
- 2. Use `libstdc++.a` from your distribution. If you choose this path, check the [FAQs](https://www.musl-libc.org/faq.html) page, "How do I use the musl-gcc wrapper?":
-  >  The existing libstdc++ is actually compatible with musl in most cases and could be used by copying it into the musl library path, but the C++ header files are usually not compatible.
-  > Since you do not need C++ header files, this approach should work. If you run into issues, make sure they are not caused by your ditribution's `libstdc++.a`.
- 3. Take `libstdc++.a` from Alpine.
-In each case, `libstdc++.a` must be placed in `${RESULT_DIR}/lib`.
+> Note: This currently only works for `glibc`.
+
+## Frequently Asked Questions
+
+### What is the recommended base Docker image for deploying a static or mostly static native image?
+
+A fully static native image gives you the most flexibility to choose a base image - it can run on anything including a `FROM scratch` image.
+A mostly static native image requires a container image that provides `glibc`, but has no additional requirements.
+In both cases, choosing the base image mostly depends on what your particular native image needs without having to worry about run-time library dependencies.

substratevm/ci_includes/gate.hocon

@@ -28,17 +28,19 @@ builds += [
   ${labsjdk-ce-11} ${svm-common-linux-gate} ${linux-deploy} {
     name: "gate-svm-build-ce-11"
     downloads: {
-      "MUSL_LIBS": {
-        "name": "musl-libs",
+      "MUSL_TOOLCHAIN": {
+        "name": "musl-toolchain",
         "version": "1.0",
         "platformspecific": true
       }
     }
     environment : {
-      PATH : "$MUSL_LIBS/bin:$PATH"
+      # Note that we must add the toolchain to the end of the PATH so that the system gcc still remains the first choice
+      # for building the rest of GraalVM. The musl toolchain also provides a gcc executable that would shadow the system one
+      # if it were added at the start of the PATH.
+      PATH : "$PATH:$MUSL_TOOLCHAIN/bin"
     }
     run: [
-      ["$MUSL_LIBS/fix_paths.sh"]
       ${svm-cmd-gate} ["build,helloworld,test,nativeimagehelp,muslcbuild"]
     ]
   }

substratevm/mx.substratevm/mx_substratevm.py

@@ -116,16 +116,6 @@ def svmbuild_dir(suite=None):
     return join(suite.dir, 'svmbuild')
 
 
-def is_musl_gcc_wrapper_on_path():
-    mx.logv('Probing if musl-gcc exists on path.')
-    throwaway_capture = mx.LinesOutputCapture()
-    try:
-        ret_code = mx.run(['musl-gcc', '-v'], nonZeroIsFatal=False, out=throwaway_capture, err=throwaway_capture)
-        return ret_code == 0
-    except OSError as _:
-        return False
-
-
 def is_musl_supported():
     jdk = mx.get_jdk(tag='default')
     if mx.is_linux() and mx.get_arch() == "amd64" and mx.get_jdk(tag='default').javaCompliance == '11':
@@ -243,10 +233,7 @@ def vm_executable_path(executable, config=None):
 
 def run_musl_basic_tests():
     if is_musl_supported():
-        if is_musl_gcc_wrapper_on_path():
-            helloworld(['--output-path', svmbuild_dir(), '--static', '--libc=musl'])
-        else:
-            mx.abort('Attempted to run musl tests without a musl-gcc wrapper.')
+        helloworld(['--output-path', svmbuild_dir(), '--static', '--libc=musl'])
 
 
 @contextmanager
@@ -1578,7 +1565,5 @@ def javac_image(args):
     doc_string = "Runs a musl based Hello World static native-image with custom build arguments."
     @mx.command(suite.name, command_name='muslhelloworld', usage_msg='[options]', doc_function=lambda: doc_string)
     def musl_helloworld(args, config=None):
-        if not is_musl_gcc_wrapper_on_path():
-            mx.abort('musl-gcc wrapper not detected on path. Cannot run musl helloworld. Please consult substratevm/StaticImages.md')
         final_args = ['--static', '--libc=musl'] + args
         run_helloworld_command(final_args, config, 'muslhelloworld')

substratevm/src/com.oracle.svm.core.posix/src/com/oracle/svm/core/posix/linux/libc/MuslLibC.java

@@ -49,7 +49,7 @@ public List<String> getAdditionalQueryCodeCompilerOptions() {
 
     @Override
     public String getTargetCompiler() {
-        return "musl-gcc";
+        return "x86_64-linux-musl-gcc";
     }
 
     @Override