From 356962b13835f3b8a44740d06e4f412c16ede708 Mon Sep 17 00:00:00 2001 From: kruskall <99559985+kruskall@users.noreply.github.com> Date: Fri, 5 Dec 2025 18:08:45 +0100 Subject: [PATCH] feat: use pebblegozstd tags everywhere MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The apm-server binary is built as a static Go binary with CGO disabled, so it relies on the pure Go zstd implementation. However, our test suite runs with CGO enabled (required for the race detector), which means it previously exercised a different code path. To align the test builds with the production binary, we now compile the tests with the pebblegozstd build tag. This forces Pebble to use the Go ZSTD library in both environments. The same tag also affects the FIPS build, which previously depended on the C-based zstd library due to Microsoft’s Go fork requiring CGO. Switching to the Go implementation brings the FIPS build in line with the standard binary and enhances security by eliminating the C-based zstd dependency. --- .github/workflows/ci.yml | 8 +++++--- Makefile | 10 +++++----- NOTICE-fips.txt | 37 ------------------------------------- 3 files changed, 10 insertions(+), 45 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index d0efc8b282..a9d05d648f 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -61,7 +61,7 @@ jobs: key: go-${{ hashFiles('go.mod') }} restore-keys: | go- - - run: go test -v -race ./... + - run: make test test-integration-server-internal: runs-on: ubuntu-latest @@ -105,10 +105,11 @@ jobs: restore-keys: | go- - env: + GOTAGS: "requirefips" GOFIPS140: "latest" # TODO: disable X25519MLKEM768 until upstream go issue is fixed https://github.com/golang/go/issues/74630#issuecomment-3224191006 GODEBUG: "fips140=only,tlsmlkem=0" - run: go test -v -race -tags=requirefips ./... + run: make test system-test: runs-on: ubuntu-latest @@ -162,7 +163,8 @@ jobs: make apm-server & wait - env: - GOTESTFLAGS: "-v -tags=requirefips" + GOTESTFLAGS: "-v" + GOTAGS: "requirefips" GOFIPS140: "latest" # TODO: disable X25519MLKEM768 until upstream go issue is fixed https://github.com/golang/go/issues/74630#issuecomment-3224191006 GODEBUG: "fips140=only,tlsmlkem=0" diff --git a/Makefile b/Makefile index 1d44922fac..d37e755684 100644 --- a/Makefile +++ b/Makefile @@ -81,7 +81,7 @@ $(APM_SERVER_BINARIES): .PHONY: apm-server-build apm-server-build: env CGO_ENABLED=$(CGO_ENABLED) GOOS=$(GOOS) GOARCH=$(GOARCH) MS_GOTOOLCHAIN_TELEMETRY_ENABLED=0 \ - go build -o "build/apm-server-$(GOOS)-$(GOARCH)$(SUFFIX)$(EXTENSION)" -trimpath $(GOFLAGS) -tags=grpcnotrace,$(GOTAGS) $(GOMODFLAG) -ldflags "$(LDFLAGS)" $(PKG) + go build -o "build/apm-server-$(GOOS)-$(GOARCH)$(SUFFIX)$(EXTENSION)" -trimpath $(GOFLAGS) -tags=grpcnotrace,pebblegozstd,$(GOTAGS) $(GOMODFLAG) -ldflags "$(LDFLAGS)" $(PKG) build/apm-server-linux-% build/apm-server-fips-linux-%: GOOS=linux build/apm-server-darwin-%: GOOS=darwin @@ -125,13 +125,13 @@ apm-server apm-server-oss apm-server-fips apm-server-fips-msft: .PHONY: test test: - @go test $(GOMODFLAG) $(GOTESTFLAGS) -race ./... + @go test $(GOMODFLAG) $(GOTESTFLAGS) -tags=grpcnotrace,pebblegozstd,$(GOTAGS) -race ./... .PHONY: system-test system-test: # CGO is disabled when building APM Server binary, so the race detector in this case # would only work on the parts that don't involve APM Server binary. - @(cd systemtest; go test $(GOMODFLAG) $(GOTESTFLAGS) -race -timeout=20m ./...) + @(cd systemtest; go test $(GOMODFLAG) $(GOTESTFLAGS) -tags=grpcnotrace,pebblegozstd,$(GOTAGS) -race -timeout=20m ./...) .PHONY: clean: @@ -278,10 +278,10 @@ gofmt: add-headers ############################################################################## MODULE_DEPS=$(sort $(shell \ - CGO_ENABLED=0 go list -deps -tags=darwin,linux,windows -f "{{with .Module}}{{if not .Main}}{{.Path}}{{end}}{{end}}" ./x-pack/apm-server)) + CGO_ENABLED=0 go list -deps -tags=darwin,linux,windows,grpcnotrace,pebblegozstd -f "{{with .Module}}{{if not .Main}}{{.Path}}{{end}}{{end}}" ./x-pack/apm-server)) MODULE_DEPS_FIPS=$(sort $(shell \ - CGO_ENABLED=1 go list -deps -tags=linux,requirefips -f "{{with .Module}}{{if not .Main}}{{.Path}}{{end}}{{end}}" ./x-pack/apm-server)) + CGO_ENABLED=1 go list -deps -tags=linux,requirefips,grpcnotrace,pebblegozstd -f "{{with .Module}}{{if not .Main}}{{.Path}}{{end}}{{end}}" ./x-pack/apm-server)) notice: NOTICE.txt NOTICE-fips.txt NOTICE.txt build/dependencies-$(APM_SERVER_VERSION).csv: go.mod diff --git a/NOTICE-fips.txt b/NOTICE-fips.txt index 4c7acc397f..9f8dc0c59e 100644 --- a/NOTICE-fips.txt +++ b/NOTICE-fips.txt @@ -5526,43 +5526,6 @@ Contents of probable licence file $GOMODCACHE/gopkg.in/yaml.v2@v2.4.0/LICENSE: Indirect dependencies --------------------------------------------------------------------------------- -Dependency : github.com/DataDog/zstd -Version: v1.5.7 -Licence type (autodetected): BSD-3-Clause --------------------------------------------------------------------------------- - -Contents of probable licence file $GOMODCACHE/github.com/!data!dog/zstd@v1.5.7/LICENSE: - -Simplified BSD License - -Copyright (c) 2016, Datadog -All rights reserved. - -Redistribution and use in source and binary forms, with or without -modification, are permitted provided that the following conditions are met: - - * Redistributions of source code must retain the above copyright notice, - this list of conditions and the following disclaimer. - * Redistributions in binary form must reproduce the above copyright notice, - this list of conditions and the following disclaimer in the documentation - and/or other materials provided with the distribution. - * Neither the name of the copyright holder nor the names of its contributors - may be used to endorse or promote products derived from this software - without specific prior written permission. - -THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" -AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE -DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE -FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL -DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR -SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER -CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, -OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE -OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. - - -------------------------------------------------------------------------------- Dependency : github.com/RaduBerinde/axisds Version: v0.0.0-20250419182453-5135a0650657