[meta-virtualization] [PATCH V2 2/2] runc: add PACKAGECONFIG to allow building as static or not

Stefan Agner stefan at agner.ch
Mon Sep 9 03:34:04 PDT 2019


On 2019-09-09 12:14, ChenQi wrote:
> On 09/09/2019 05:35 PM, Stefan Agner wrote:
>> Hi Chen,
>>
>> On 2019-08-07 03:14, Chen Qi wrote:
>>> Add a new PACKAGECONFIG, static, which when enabled will build
>>> runc as static. Default to enable it.
>>>
>>> We need this because we should allow users to build runc as not
>>> static so that when docker's cgroup driver is set to systemd,
>>> we don't get error.
>> Do you happen to know why we use statically linked runc by default? It
>> seems that distros nowadays use statically linked version of it.
>>
>> To some degree it seems that we overturn a distro decision here
>> (DISABLE_STATIC).
>>
>> --
>> Stefan
>>
> 
> Please refer to
> https://lists.yoctoproject.org/pipermail/meta-virtualization/2019-August/004338.html
> 

Thanks for the link!

> runc is one of those things that may need to be static in some configurations.
> Since it has security impact, updating runc (and the libc) should be done in
> parallel and this can cause problems otherwise.

Hm, I don't completely get that argument, as in OE we normally do full
image updates. So libc will be updated with runc anyways.

Also that argument you can make for every component, not sure why runc
is that special.

> 
> Now, that doesn't mean it HAS to be static, but it should be a configuration and
> may be wise to have as the default to be static.

...

> So PACKAGECONFIG is the right answer here.  I'm not sure what the right default
> for the recipe is.... but in the end the users configuration and distro can and
> should be able to select what they want.

IMHO, default should be dynamically linked since this is the default in
OE in general. Also since OE images are commonly updated as a whole and
in embedded we often care more about space saving.

Anyways, good there is a package config now, and now that I know the
reasons it is compiled statically by default I can safely flip that
switch for our distro.

--
Stefan


> Best Regards,
> Chen Qi
> 
>>> Signed-off-by: Chen Qi <Qi.Chen at windriver.com>
>>> ---
>>>   ...-GOBUILDFLAGS-for-runc-and-remove-re.patch | 35 +++++++++++++++++++
>>>   ...ld-drop-recvtty-and-use-GOBUILDFLAGS.patch | 22 ------------
>>>   recipes-containers/runc/runc-docker_git.bb    |  2 +-
>>>   .../runc/runc-opencontainers_git.bb           |  1 +
>>>   recipes-containers/runc/runc.inc              | 10 ++++--
>>>   5 files changed, 45 insertions(+), 25 deletions(-)
>>>   create mode 100644
>>> recipes-containers/runc/files/0001-Makefile-respect-GOBUILDFLAGS-for-runc-and-remove-re.patch
>>>   delete mode 100644
>>> recipes-containers/runc/runc-docker/0001-build-drop-recvtty-and-use-GOBUILDFLAGS.patch
>>>
>>> diff --git
>>> a/recipes-containers/runc/files/0001-Makefile-respect-GOBUILDFLAGS-for-runc-and-remove-re.patch
>>> b/recipes-containers/runc/files/0001-Makefile-respect-GOBUILDFLAGS-for-runc-and-remove-re.patch
>>> new file mode 100644
>>> index 0000000..94cbb4c
>>> --- /dev/null
>>> +++
>>> b/recipes-containers/runc/files/0001-Makefile-respect-GOBUILDFLAGS-for-runc-and-remove-re.patch
>>> @@ -0,0 +1,35 @@
>>> +From d2c47a973f354ffd505bb4e809c59e57b543726d Mon Sep 17 00:00:00 2001
>>> +From: Chen Qi <Qi.Chen at windriver.com>
>>> +Date: Tue, 6 Aug 2019 19:01:45 +0800
>>> +Subject: [PATCH] Makefile: respect GOBUILDFLAGS for runc and remove recvtty
>>> + from static
>>> +
>>> +Signed-off-by: Chen Qi <Qi.Chen at windriver.com>
>>> +---
>>> + Makefile | 3 +--
>>> + 1 file changed, 1 insertion(+), 2 deletions(-)
>>> +
>>> +diff --git a/Makefile b/Makefile
>>> +index 0f26a1c8..a0c6b40b 100644
>>> +--- a/src/import/Makefile
>>> ++++ b/src/import/Makefile
>>> +@@ -30,7 +30,7 @@ SHELL := $(shell command -v bash 2>/dev/null)
>>> + .DEFAULT: runc
>>> +
>>> + runc: $(SOURCES)
>>> +-	$(GO) build -buildmode=pie $(EXTRA_FLAGS) -ldflags "-X
>>> main.gitCommit=${COMMIT} -X main.version=${VERSION} $(EXTRA_LDFLAGS)"
>>> -tags "$(BUILDTAGS)" -o runc .
>>> ++	$(GO) build $(GOBUILDFLAGS) $(EXTRA_FLAGS) -ldflags "-X
>>> main.gitCommit=${COMMIT} -X main.version=${VERSION} $(EXTRA_LDFLAGS)"
>>> -tags "$(BUILDTAGS)" -o runc .
>>> +
>>> + all: runc recvtty
>>> +
>>> +@@ -41,7 +41,6 @@ contrib/cmd/recvtty/recvtty: $(SOURCES)
>>> +
>>> + static: $(SOURCES)
>>> + 	CGO_ENABLED=1 $(GO) build $(EXTRA_FLAGS) -tags "$(BUILDTAGS) netgo
>>> osusergo static_build" -installsuffix netgo -ldflags "-w -extldflags
>>> -static -X main.gitCommit=${COMMIT} -X main.version=${VERSION}
>>> $(EXTRA_LDFLAGS)" -o runc .
>>> +-	CGO_ENABLED=1 $(GO) build $(EXTRA_FLAGS) -tags "$(BUILDTAGS) netgo
>>> osusergo static_build" -installsuffix netgo -ldflags "-w -extldflags
>>> -static -X main.gitCommit=${COMMIT} -X main.version=${VERSION}
>>> $(EXTRA_LDFLAGS)" -o contrib/cmd/recvtty/recvtty ./contrib/cmd/recvtty
>>> +
>>> + release:
>>> + 	script/release.sh -r release/$(VERSION) -v $(VERSION)
>>> +--
>>> +2.17.1
>>> +
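
Review bot: In the `runc:` target, replacing `-buildmode=pie` with `$(GOBUILDFLAGS)` means the dynamically linked binary is position-independent only if GOBUILDFLAGS carries that flag, and nothing in this patch sets or documents the variable. Either keep `-buildmode=pie` next to `$(GOBUILDFLAGS)` or say in the commit message where GOBUILDFLAGS comes from and that it includes PIE. The embedded patch header also has no Upstream-Status line, and its `diff --git a/Makefile b/Makefile` line disagrees with the `src/import/Makefile` paths directly below it.
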
>>> diff --git
>>> a/recipes-containers/runc/runc-docker/0001-build-drop-recvtty-and-use-GOBUILDFLAGS.patch
>>> b/recipes-containers/runc/runc-docker/0001-build-drop-recvtty-and-use-GOBUILDFLAGS.patch
>>> deleted file mode 100644
>>> index 9ba9957..0000000
>>> ---
>>> a/recipes-containers/runc/runc-docker/0001-build-drop-recvtty-and-use-GOBUILDFLAGS.patch
>>> +++ /dev/null
>>> @@ -1,22 +0,0 @@
>>> -From a9a2b9e72027d0b2357f6dfe8b154762aaa8dd02 Mon Sep 17 00:00:00 2001
>>> -From: Bruce Ashfield <bruce.ashfield at windriver.com>
>>> -Date: Thu, 19 Apr 2018 16:39:41 -0400
>>> -Subject: [PATCH] build: drop recvtty and use GOBUILDFLAGS
>>> -
>>> -Signed-off-by: Bruce Ashfield <bruce.ashfield at windriver.com>
>>> ----
>>> - Makefile | 3 +--
>>> - 1 file changed, 1 insertion(+), 2 deletions(-)
>>> -
>>> -Index: git/src/import/Makefile
>>> -===================================================================
>>> ---- git.orig/src/import/Makefile
>>> -+++ git/src/import/Makefile
>>> -@@ -41,7 +41,6 @@
>>> -
>>> - static: $(SOURCES)
>>> - 	CGO_ENABLED=1 $(GO) build $(EXTRA_FLAGS) -tags "$(BUILDTAGS) netgo
>>> osusergo static_build" -installsuffix netgo -ldflags "-w -extldflags
>>> -static -X main.gitCommit=${COMMIT} -X main.version=${VERSION}
>>> $(EXTRA_LDFLAGS)" -o runc .
>>> --	CGO_ENABLED=1 $(GO) build $(EXTRA_FLAGS) -tags "$(BUILDTAGS) netgo
>>> osusergo static_build" -installsuffix netgo -ldflags "-w -extldflags
>>> -static -X main.gitCommit=${COMMIT} -X main.version=${VERSION}
>>> $(EXTRA_LDFLAGS)" -o contrib/cmd/recvtty/recvtty ./contrib/cmd/recvtty
>>> -
>>> - release:
>>> - 	script/release.sh -r release/$(VERSION) -v $(VERSION)
>>> diff --git a/recipes-containers/runc/runc-docker_git.bb
>>> b/recipes-containers/runc/runc-docker_git.bb
>>> index 2bf6222..c9f460b 100644
>>> --- a/recipes-containers/runc/runc-docker_git.bb
>>> +++ b/recipes-containers/runc/runc-docker_git.bb
>>> @@ -5,7 +5,7 @@ include runc.inc
>>>   SRCREV_runc-docker = "425e105d5a03fabd737a126ad93d62a9eeede87f"
>>>   SRC_URI = "git://github.com/opencontainers/runc;nobranch=1;name=runc-docker \
>>>              file://0001-runc-Add-console-socket-dev-null.patch \
>>> -           file://0001-build-drop-recvtty-and-use-GOBUILDFLAGS.patch \
>>> +
>>> file://0001-Makefile-respect-GOBUILDFLAGS-for-runc-and-remove-re.patch
>>> \
>>>              file://0001-runc-docker-SIGUSR1-daemonize.patch \
>>>             "
>>>   diff --git a/recipes-containers/runc/runc-opencontainers_git.bb
>>> b/recipes-containers/runc/runc-opencontainers_git.bb
>>> index 76ab794..361bc94 100644
>>> --- a/recipes-containers/runc/runc-opencontainers_git.bb
>>> +++ b/recipes-containers/runc/runc-opencontainers_git.bb
>>> @@ -3,5 +3,6 @@ include runc.inc
>>>   SRCREV = "652297c7c7e6c94e8d064ad5916c32891a6fd388"
>>>   SRC_URI = " \
>>>       git://github.com/opencontainers/runc;branch=master \
>>> +    file://0001-Makefile-respect-GOBUILDFLAGS-for-runc-and-remove-re.patch \
>>>       "
>>>   RUNC_VERSION = "1.0.0-rc8"
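
Review bot: Adding this patch to the runc-opencontainers SRC_URI changes more than the new option: its `static` target stops building recvtty, which so far only runc-docker dropped through the patch deleted above. The commit message describes only the PACKAGECONFIG and should mention this as well.
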
>>> diff --git a/recipes-containers/runc/runc.inc b/recipes-containers/runc/runc.inc
>>> index 46fd09d..41ea41b 100644
>>> --- a/recipes-containers/runc/runc.inc
>>> +++ b/recipes-containers/runc/runc.inc
>>> @@ -14,8 +14,10 @@ inherit go
>>>   inherit goarch
>>>   inherit pkgconfig
>>>   -PACKAGECONFIG ??= ""
>>> +PACKAGECONFIG ??= "static"
>>>   PACKAGECONFIG[seccomp] = "seccomp,,libseccomp"
>>> +# This PACKAGECONFIG serves the purpose of whether building runc as
>>> static or not
>>> +PACKAGECONFIG[static] = ""
>>>     PROVIDES += "virtual/runc"
>>>   RPROVIDES_${PN} = "virtual/runc"
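
Review bot: `PACKAGECONFIG ??= "static"` is only a weak default, so a distro or bbappend that assigns `PACKAGECONFIG = "seccomp"` drops `static` and silently switches runc to the dynamic build. The comment above `PACKAGECONFIG[static] = ""` should say that `static` has to be listed explicitly whenever PACKAGECONFIG is overridden, and could be reworded to something like "Build runc as a statically linked binary".
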
>>> @@ -54,7 +56,11 @@ do_compile() {
>>>   	export CFLAGS=""
>>>   	export LDFLAGS=""
>>>   -	oe_runmake static
>>> +	if ${@bb.utils.contains('PACKAGECONFIG', 'static', 'true', 'false', d)}; then
>>> +		oe_runmake static
>>> +	else
>>> +		oe_runmake runc
>>> +	fi
>>>   }
>>>     do_install() {
>>> -- 2.17.1
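
Review bot: The new `else` branch runs `oe_runmake runc` directly after `export CFLAGS=""` and `export LDFLAGS=""`, so the dynamically linked binary is built with the C and linker flags emptied. Those overrides were in place when only `oe_runmake static` ran here; please confirm they are still wanted for the dynamic build, or move them into the `static` branch.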

