[bp/1.37] Don't use sysroot when building using non-hermetic toolchain (#43681)

[krinkinmu]

Commit Message:

Currently, even when using non-hermetic toolchain we in a few places use
Envoy sysroot. Depending on the environment you use when building it can
cause linking issues.

The problem is that sysroot contains a libc library, while libc++ comes
with the toolchain. If libc++ coming with the toolchain was built
against a different version of libc than the one we have in Envoy
sysroot, libc++ may contain references to the symbols that do not exist
in the libc that we have in Envoy sysroot - that results in linking
failures.

In practice it affects systems that use libc version much newere than
what we have in Envoy sysroot. The newer version of libc exposes more
functions and libc++, when linked againt it, takes advantage of those
newer symbols. As a result, when you combine libc++ linked against a
newer version of libc and older version of libc you get linking issues
due to a bunch of undefined symbols that libc++ uses.

Envoy sysroot currently supports libc version 2.31 (the default) and
2.28 (which seem to only exist for Istio, because Istio intentionally
wants to use as old version of libc as practical, because it needs to
distribute Envoy binaries that will run outside of container
environments and using a very old version of libc makes it easier).

glibc 2.31 is 6 years old at this point, so many distribution (both
popular like Ubuntu and more rare like Azure Linux) moved on to newer
versions of glibc.

There are a few ways we can handle this situation:

1. We can add more sysroot versions with newer versions of libc - given
   that we don't test non-hermetic toolchain builts and different versions
   of sysroot on CI, I think it's better to not place the burden of
   supporting different sysroots on the community.
2. We can add libc++ to the sysroot - I didn't test it, but I'd imagine
   it's possible to make it work, but because hermetic toolchain already
   comes with libc++ linked against an old enough version of libc to not
   cause problems, that will introduce some duplication (both sysroot and
   toolchain will have a version of libc++ libraries)
3. We can say that non-hermetic builds for Envoy just aren't supported
   at all - that's undesirable, because LLVM toolchains on GitHub are only
   available for a few operating systems (Ubuntu, RedHat) and if you're not
   using any of those, you are out of luck.
4. When not using hermetic toolchain, just don't provide sysroot and let
   the host toolchain figure out how and where to find the libraries in the
   host.

The option 4 makes most sense to me, so this PR implements that, but we
can discuss other options as well.

Additional Description:

This PR includes 3 PRs from the main branch:

• Don't use sysroot when building using non-hermetic toolchain #43681
• Declare BAZEL_USE_HOST_SYSROOT environment variable in the envoy repo… #43731
• Enforce that BAZEL_USE_HOST_SYSROOT can only be True or False #43800

Those were supposed to be a single PR originally, but I made a mistake of not pushing all the local changes and, in the end, had to send another PR. And I also had to address a deps check failure, so in the end I had 3 PRs.

Risk Level: low
Testing: Tested FIPS and non-FIPS build with and without hermetic toolchain.
Docs Changes: n/a
Release Notes: n/a
Platform Specific Features: n/a

[gemini-code-assist]

Summary of Changes

Hello, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request resolves persistent linking issues encountered when building Envoy with non-hermetic toolchains. Previously, the use of Envoy's hermetic sysroot, which contains an older libc, could conflict with newer libc++ versions from the host toolchain, leading to undefined symbol errors. The changes introduce a configurable option to bypass Envoy's hermetic sysroot and instead leverage the host system's libc, thereby ensuring compatibility and enabling successful builds in diverse environments without requiring updates to Envoy's sysroot.

Highlights

• Resolved non-hermetic build linking issues: Addressed problems arising from libc version mismatches when using non-hermetic toolchains with Envoy's hermetic sysroot, which could lead to linking failures due to undefined symbols.
• Introduced host sysroot option: Implemented a mechanism to allow builds to use the host system's libc instead of Envoy's hermetic sysroot, controlled by the BAZEL_USE_HOST_SYSROOT environment variable.
• Conditional sysroot application: Modified build scripts and Bazel configurations to dynamically include or exclude the --sysroot flag based on whether a hermetic or host sysroot is desired, ensuring compatibility across different build environments.

Changelog

• bazel/external/fips_build.bzl
  • Updated build commands (BUILD_COMMAND, NINJA_BUILD_COMMAND) to use a new SYSROOT_FLAG variable, which is conditionally set based on whether a sysroot is provided.
  • Modified _create_build_config, _create_boringssl_fips_build_command, and _create_ninja_build_command functions to accept a hermetic_sysroot boolean parameter.
  • Expanded the boringssl_fips_build_command and ninja_build_command functions to generate configurations for both hermetic and non-hermetic sysroot scenarios.
• bazel/repo.bzl
  • Introduced BAZEL_USE_HOST_SYSROOT environment variable to determine if the host's sysroot should be used.
  • Added a bool_flag named use_local_sysroot_flag and two config_setting rules (use_local_sysroot, use_hermetic_sysroot) to Bazel, allowing conditional compilation based on sysroot choice.
  • Updated the compiler.bzl file generation to include the USE_LOCAL_SYSROOT variable.
  • Added BAZEL_USE_HOST_SYSROOT to the list of environment variables passed to the _envoy_repo rule.
• bazel/toolchains.bzl
  • Imported the USE_LOCAL_SYSROOT variable from compiler.bzl.
  • Modified the llvm_toolchain definition to conditionally set the sysroot attribute to an empty dictionary if USE_LOCAL_SYSROOT is true, effectively disabling the hermetic sysroot.

Activity

• No human activity has been recorded on this pull request yet.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[repokitteh-read-only]

As a reminder, PRs marked as draft will not be automatically assigned reviewers,
or be handled by maintainer-oncall triage.

Please mark your PR as ready when you want it to be reviewed!

🐱

Caused by: #43768 was opened by krinkinmu.

see: more, trace.

[gemini-code-assist]

Code Review

This pull request introduces a mechanism to disable the hermetic sysroot when using a non-hermetic toolchain, to avoid linking issues, controlled by the BAZEL_USE_HOST_SYSROOT environment variable. However, it also introduces potential Starlark injection vulnerabilities in bazel/repo.bzl by directly formatting unsanitized environment variables into generated Bazel files, which could allow an attacker with control over the build environment to execute arbitrary code on the build machine.

[gemini-code-assist]

The environment variable BAZEL_USE_HOST_SYSROOT is read and directly formatted into the generated compiler.bzl and BUILD files without any sanitization or validation. This allows an attacker who can control the environment variables of the build process to inject arbitrary Starlark code into these files. Since these files are loaded and executed by Bazel, this can lead to arbitrary command execution on the build machine (e.g., by injecting a genrule with a malicious command).

To remediate this, ensure the input is validated to be a boolean value before using it in the template.

Suggested change

	local_sysroot = repository_ctx.os.environ.get("BAZEL_USE_HOST_SYSROOT", "False")
	local_sysroot = "True" if repository_ctx.os.environ.get("BAZEL_USE_HOST_SYSROOT", "False").lower() == "true" else "False"

[phlax]

lgtm, thanks @krinkinmu

[phlax]

please rebase when you land to keep the commits separate so its clear what was backported