build: support native architecture builds on ARM hosts (#8547)

Allows make-deb.sh to produce either amd64 or arm64 debian packages.
Adds plumbing to the build scripts upstream of that one (namely container-build.sh
and the Containerfile) to plumb the architecture through.

Author: sheurich

.dockerignore

@@ -8,3 +8,4 @@ test/certs/webpki
 test/certs/.softhsm-tokens
 .git
 .gocache
+.github

.gitignore

@@ -3,6 +3,8 @@
 *.a
 *.so
 *.pyc
+boulder-*.deb
+boulder-*.tar.gz
 
 # Folders
 _obj

Containerfile

@@ -6,6 +6,7 @@ FROM docker.io/ubuntu:24.04 AS builder
 ARG COMMIT_ID
 ARG COMMIT_TIMESTAMP
 ARG GO_VERSION
+ARG TARGETPLATFORM
 ARG VERSION
 
 ENV DEBIAN_FRONTEND=noninteractive
@@ -14,7 +15,12 @@ RUN apt-get --assume-yes --no-install-recommends --update install \
     ca-certificates curl gcc git gnupg2 libc6-dev
 
 COPY tools/fetch-and-verify-go.sh /tmp
-RUN /tmp/fetch-and-verify-go.sh ${GO_VERSION}
+RUN case "${TARGETPLATFORM}" in \
+        "linux/amd64"|"") PLATFORM="linux-amd64" ;; \
+        "linux/arm64") PLATFORM="linux-arm64" ;; \
+        *) echo "Unsupported platform: ${TARGETPLATFORM}" && exit 1 ;; \
+    esac && \
+    /tmp/fetch-and-verify-go.sh ${GO_VERSION} ${PLATFORM}
 RUN tar -C /opt -xzf go.tar.gz
 ENV PATH="/opt/go/bin:${PATH}"
 

tools/container-build.sh

@@ -7,25 +7,34 @@
 
 set -ex
 
-# Without this, `go install` produces:
-# # runtime/cgo
-# gcc: error: unrecognized command-line option '-m64'
-if [ "$(uname -m)" = "arm64" ]; then
-  export DOCKER_DEFAULT_PLATFORM=linux/amd64
-fi
-
 if [ -z "${GO_VERSION}" ] ; then
   echo "GO_VERSION not set"
   exit 1
 fi
 
-ARCH="$(uname -m)"
+# Determine what architecture to build for
+if [ -n "${DOCKER_DEFAULT_PLATFORM:-}" ]; then
+    PLATFORM="${DOCKER_DEFAULT_PLATFORM}"
+else
+    case "$(uname -m)" in
+        x86_64)          PLATFORM="linux/amd64" ;;
+        aarch64|arm64)   PLATFORM="linux/arm64" ;;
+        *) echo "Unsupported architecture: $(uname -m)" && exit 1 ;;
+    esac
+fi
+
+case "${PLATFORM}" in
+    linux/amd64) ARCH="amd64" ;;
+    linux/arm64) ARCH="arm64" ;;
+    *) echo "Unsupported platform: ${PLATFORM}" && exit 1 ;;
+esac
 COMMIT_ID="$(git rev-parse --short=8 HEAD)"
 COMMIT_TIMESTAMP="$(git show -s --format=%ct HEAD)"
 COMMIT_DATE_ISO8601="$(TZ=UTC0 git show -s --format=%cd --date=format:%Y-%m-%dT%H:%M:%SZ HEAD)"
 VERSION="${GO_VERSION}.${COMMIT_TIMESTAMP}"
 
 docker buildx build \
+    --platform "$PLATFORM" \
     --file Containerfile \
     --build-arg "COMMIT_ID=${COMMIT_ID}" \
     --build-arg "COMMIT_TIMESTAMP=${COMMIT_TIMESTAMP}" \
@@ -40,6 +49,7 @@ docker buildx build \
 docker run boulder tar -C /opt/boulder --mtime="@${COMMIT_TIMESTAMP}" --owner=0 --group=0 --numeric-owner --sort=name -cp . | gzip -n > "./boulder-${VERSION}-${COMMIT_ID}.${ARCH}.tar.gz"
 # Produces e.g. boulder-1.25.0.1754519595-591c0545.x86_64.deb
 docker run -v .:/boulderrepo \
+  -e "ARCH=${ARCH}" \
   -e "COMMIT_ID=${COMMIT_ID}" \
   -e "VERSION=${VERSION}" \
   -e "SOURCE_DATE_EPOCH=${COMMIT_TIMESTAMP}" \

tools/make-deb.sh

@@ -10,6 +10,10 @@
 set -eu
 cd "$(realpath -- "$(dirname -- "$0")")/.."
 
+if [ -z "${ARCH:-}" ]; then echo "ARCH not set"; exit 1; fi
+if [ -z "${VERSION:-}" ]; then echo "VERSION not set"; exit 1; fi
+if [ -z "${COMMIT_ID:-}" ]; then echo "COMMIT_ID not set"; exit 1; fi
+
 BUILD="$(mktemp -d)"
 
 mkdir -p "${BUILD}/opt"
@@ -21,7 +25,7 @@ Package: boulder
 Version: 1:${VERSION}
 License: Mozilla Public License v2.0
 Vendor: ISRG
-Architecture: amd64
+Architecture: ${ARCH}
 Maintainer: Community
 Section: default
 Priority: extra
@@ -33,4 +37,4 @@ EOF
 find "${BUILD}" ! -type l -exec touch -d "@${SOURCE_DATE_EPOCH}" {} \;
 find "${BUILD}" -type l -exec touch -h -d "@${SOURCE_DATE_EPOCH}" {} \;
 
-dpkg-deb -Zgzip -b "${BUILD}" "boulder-${VERSION}-${COMMIT_ID}.x86_64.deb"
+dpkg-deb -Zgzip -b "${BUILD}" "boulder-${VERSION}-${COMMIT_ID}.${ARCH}.deb"