Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add go buildinfo to velero to check toolchain version used. #8398

Closed
wants to merge 1 commit into from
Closed
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 1 addition & 0 deletions changelogs/unreleased/8398-kaovilai
Original file line number Diff line number Diff line change
@@ -0,0 +1 @@
Add go buildinfo to velero to identify toolchain used to build velero
6 changes: 6 additions & 0 deletions go.mod
Original file line number Diff line number Diff line change
@@ -1,5 +1,11 @@
module github.com/vmware-tanzu/velero

// Do not pin patch version here. Leave patch at X.Y.0
// Unset GOTOOLCHAIN to assume GOTOOLCHAIN=local where go cli version in path is used.
// Use env GOTOOLCHAIN=auto to allow go to decide whichever is newer from go.mod or cli in path.
// or GOTOOLCHAIN=goX.Y.Z to use a specific toolchain version
// See: https://go.dev/doc/toolchain#select and https://github.com/vmware-tanzu/velero/issues/8397
// To bump minor version, run `go get [email protected] toolchain@none` (ie. `go get [email protected] toolchain@none`)
go 1.22.0

require (
Expand Down
19 changes: 18 additions & 1 deletion pkg/buildinfo/buildinfo.go
Original file line number Diff line number Diff line change
Expand Up @@ -19,12 +19,18 @@
// worrying about introducing circular dependencies.
package buildinfo

import "fmt"
import (
"fmt"
"runtime/debug"
)

var (
// Version is the current version of Velero, set by the go linker's -X flag at build time.
Version string

// goVersion is the version of Go that was used to build Velero
goBuildInfo *debug.BuildInfo
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why is this necessary?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

To be able to tell which golang version was used to build the code which can have implications around CVEs verification. ie someone built from a certain velero branch but used a different golang version. ie. #8397

Copy link
Member Author

@kaovilai kaovilai Nov 22, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@reasonerjt just found
https://github.com/docker/cli/blob/6c76914532de7a39a202b3ef22519da319558560/cli/command/system/version.go#L93 have this :D

Just worth noting that it is a pattern out there that build includes both commit AND golang version that built it.

❯ docker version
Client: Docker Engine - Community
 Version:           27.1.1
 API version:       1.41 (downgraded from 1.46)
+Go version:        go1.22.5
 Git commit:        63125853e3
 Built:             Fri Jul 19 17:35:01 2024
 OS/Arch:           darwin/arm64
 Context:           default

Server: linux/arm64/rhcos-4.17
 Podman Engine:
  Version:          5.2.3
  APIVersion:       5.2.3
  Arch:             arm64
  BuildTime:        2024-10-07T07:47:17Z
  Experimental:     false
  GitCommit:        
+ GoVersion:        go1.22.5 (Red Hat 1.22.5-1.el9)
  KernelVersion:    5.14.0-427.40.1.el9_4.aarch64
  MinAPIVersion:    4.0.0
  Os:               linux
 Conmon:
  Version:          conmon version 2.1.12, commit: 9b3f2e7d010b1b512d88609d3a7b9a913bbaf1e0
  Package:          conmon-2.1.12-4.rhaos4.17.el9.aarch64
 OCI Runtime (crun):
  Version:          crun version 1.17
commit: 000fa0d4eeed8938301f3bcf8206405315bc1017
rundir: /run/crun
spec: 1.0.0
 +SYSTEMD +SELINUX +APPARMOR +CAP +SECCOMP +EBPF +CRIU +YAJL
  Package:          crun-1.17-1.rhaos4.17.el9.aarch64
 Engine:
  Version:          5.2.3
  API version:      1.41 (minimum version 1.24)
+ Go version:       go1.22.5 (Red Hat 1.22.5-1.el9)
  Git commit:       
  Built:            Mon Oct  7 07:47:17 2024
  OS/Arch:          linux/arm64
  Experimental:     false

Leaving this closed for now.


// GitSHA is the actual commit that is being built, set by the go linker's -X flag at build time.
GitSHA string

Expand All @@ -44,3 +50,14 @@
}
return GitSHA
}

func GoVersion() string {
if goBuildInfo == nil {
var ok bool
goBuildInfo, ok = debug.ReadBuildInfo()
if !ok {
return "cannot read Go BuildInfo"
}

Check warning on line 60 in pkg/buildinfo/buildinfo.go

View check run for this annotation

Codecov / codecov/patch

pkg/buildinfo/buildinfo.go#L54-L60

Added lines #L54 - L60 were not covered by tests
}
return goBuildInfo.GoVersion

Check warning on line 62 in pkg/buildinfo/buildinfo.go

View check run for this annotation

Codecov / codecov/patch

pkg/buildinfo/buildinfo.go#L62

Added line #L62 was not covered by tests
}
1 change: 1 addition & 0 deletions pkg/cmd/cli/version/version.go
Original file line number Diff line number Diff line change
Expand Up @@ -69,6 +69,7 @@ func printVersion(w io.Writer, clientOnly bool, kbClient kbclient.Client, server
fmt.Fprintln(w, "Client:")
fmt.Fprintf(w, "\tVersion: %s\n", buildinfo.Version)
fmt.Fprintf(w, "\tGit commit: %s\n", buildinfo.FormattedGitSHA())
fmt.Fprintf(w, "\tGo version: %s\n", buildinfo.GoVersion())
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is this clear enough that it is not user's local go? do we want to say Built by Go Version instead?


if clientOnly {
return
Expand Down
2 changes: 1 addition & 1 deletion pkg/cmd/cli/version/version_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -49,7 +49,7 @@ func TestPrintVersion(t *testing.T) {
buildinfo.GitSHA = "somegitsha"
buildinfo.GitTreeState = "dirty"

clientVersion := fmt.Sprintf("Client:\n\tVersion: %s\n\tGit commit: %s\n", buildinfo.Version, buildinfo.FormattedGitSHA())
clientVersion := fmt.Sprintf("Client:\n\tVersion: %s\n\tGit commit: %s\n\tGo version: %s\n", buildinfo.Version, buildinfo.FormattedGitSHA(), buildinfo.GoVersion())

tests := []struct {
name string
Expand Down
2 changes: 1 addition & 1 deletion pkg/cmd/server/server.go
Original file line number Diff line number Diff line change
Expand Up @@ -109,7 +109,7 @@

logger.Infof("setting log-level to %s", strings.ToUpper(logLevel.String()))

logger.Infof("Starting Velero server %s (%s)", buildinfo.Version, buildinfo.FormattedGitSHA())
logger.Infof("Starting Velero server %s (%s) go-version: %s", buildinfo.Version, buildinfo.FormattedGitSHA(), buildinfo.GoVersion())

Check warning on line 112 in pkg/cmd/server/server.go

View check run for this annotation

Codecov / codecov/patch

pkg/cmd/server/server.go#L112

Added line #L112 was not covered by tests
if len(features.All()) > 0 {
logger.Infof("%d feature flags enabled %s", len(features.All()), features.All())
} else {
Expand Down
Loading