[meta-virtualization] [PATCH V2 2/2] runc: add PACKAGECONFIG to allow building as static or not

Stefan Agner stefan at agner.ch
Mon Sep 9 12:59:06 PDT 2019


On 2019-09-09 19:24, Bruce Ashfield wrote:
> On Mon, Sep 9, 2019 at 6:34 AM Stefan Agner <stefan at agner.ch> wrote:
>>
>> On 2019-09-09 12:14, ChenQi wrote:
>> > On 09/09/2019 05:35 PM, Stefan Agner wrote:
>> >> Hi Chen,
>> >>
>> >> On 2019-08-07 03:14, Chen Qi wrote:
>> >>> Add a new PACKAGECONFIG, static, which when enabled will build
>> >>> runc as static. Default to enable it.
>> >>>
>> >>> We need this because we should allow users to build runc as not
>> >>> static so that when docker's cgroup driver is set to systemd,
>> >>> we don't get an error.
>> >> Do you happen to know why we use statically linked runc by default? It
>> >> seems that distros nowadays use a statically linked version of it.
>> >>
>> >> To some degree it seems that we overturn a distro decision here
>> >> (DISABLE_STATIC).
>> >>
>> >> --
>> >> Stefan
>> >>
>> >
>> > Please refer to
>> > https://lists.yoctoproject.org/pipermail/meta-virtualization/2019-August/004338.html
>> >
>>
>> Thanks for the link!
>>
>> > runc is one of those things that may need to be static in some configurations.
>> > Since it has security impact, updating runc (and the libc) should be done in
>> > parallel and this can cause problems otherwise.
>>
>> Hm, I don't completely get that argument, as in OE we normally do full
>> image updates. So libc will be updated with runc anyways.
> 
> Some do .. many don't in the container based systems. In fact, for my
> meta-virt use cases, there's *never* a full image update.
> 
>>
>> Also that argument you can make for every component, not sure why runc
>> is that special.
> 
> runc is very much plumbing in a lot of the setups that I know about.
> It is used in some small systems (more 'small' in terms of
> functionality and runtime complexity, not disk space) for starting
> very early (but yet containerized) processes. And for the
> container-in-container use cases, it is used as a shared runtime (bind
> mounted, etc), which allows it to be atomically updated for a system
> .. etc, etc.

Ok, that of course is a good reason to use a statically linked binary.


Thanks for elaborating.

--
Stefan

> 
>>
>> >
>> > Now, that doesn't mean it HAS to be static, but it should be a configuration and
>> > may be wise to have as the default to be static.
>>
>> ...
>>
>> > So PACKAGECONFIG is the right answer here.  I'm not sure what the right default
>> > for the recipe is.... but in the end the users configuration and distro can and
>> > should be able to select what they want.
>>
>> IMHO, default should be dynamically linked since this is the default in
>> OE in general. Also since OE images are commonly updated as a whole and
>> in embedded we often care more about space saving.
>>
>> Anyways, good there is a package config now, and now that I know the
>> reasons it is compiled statically by default I can safely flip that
>> switch for our distro.
> 
> Indeed. That's why I wanted it to be a packageconfig, everyone can
> choose what best suits their distro.
> 
> Cheers,
> 
> Bruce
> 
>>
>> --
>> Stefan
>>
>>
>> > Best Regards,
>> > Chen Qi
>> >
>> >>> Signed-off-by: Chen Qi <Qi.Chen at windriver.com>
>> >>> ---
>> >>>   ...-GOBUILDFLAGS-for-runc-and-remove-re.patch | 35 +++++++++++++++++++
>> >>>   ...ld-drop-recvtty-and-use-GOBUILDFLAGS.patch | 22 ------------
>> >>>   recipes-containers/runc/runc-docker_git.bb    |  2 +-
>> >>>   .../runc/runc-opencontainers_git.bb           |  1 +
>> >>>   recipes-containers/runc/runc.inc              | 10 ++++--
>> >>>   5 files changed, 45 insertions(+), 25 deletions(-)
>> >>>   create mode 100644
>> >>> recipes-containers/runc/files/0001-Makefile-respect-GOBUILDFLAGS-for-runc-and-remove-re.patch
>> >>>   delete mode 100644
>> >>> recipes-containers/runc/runc-docker/0001-build-drop-recvtty-and-use-GOBUILDFLAGS.patch
>> >>>
>> >>> diff --git
>> >>> a/recipes-containers/runc/files/0001-Makefile-respect-GOBUILDFLAGS-for-runc-and-remove-re.patch
>> >>> b/recipes-containers/runc/files/0001-Makefile-respect-GOBUILDFLAGS-for-runc-and-remove-re.patch
>> >>> new file mode 100644
>> >>> index 0000000..94cbb4c
>> >>> --- /dev/null
>> >>> +++
>> >>> b/recipes-containers/runc/files/0001-Makefile-respect-GOBUILDFLAGS-for-runc-and-remove-re.patch
>> >>> @@ -0,0 +1,35 @@
>> >>> +From d2c47a973f354ffd505bb4e809c59e57b543726d Mon Sep 17 00:00:00 2001
>> >>> +From: Chen Qi <Qi.Chen at windriver.com>
>> >>> +Date: Tue, 6 Aug 2019 19:01:45 +0800
>> >>> +Subject: [PATCH] Makefile: respect GOBUILDFLAGS for runc and remove recvtty
>> >>> + from static
>> >>> +
>> >>> +Signed-off-by: Chen Qi <Qi.Chen at windriver.com>
>> >>> +---
>> >>> + Makefile | 3 +--
>> >>> + 1 file changed, 1 insertion(+), 2 deletions(-)
>> >>> +
>> >>> +diff --git a/Makefile b/Makefile
>> >>> +index 0f26a1c8..a0c6b40b 100644
>> >>> +--- a/src/import/Makefile
>> >>> ++++ b/src/import/Makefile
>> >>> +@@ -30,7 +30,7 @@ SHELL := $(shell command -v bash 2>/dev/null)
>> >>> + .DEFAULT: runc
>> >>> +
>> >>> + runc: $(SOURCES)
>> >>> +-  $(GO) build -buildmode=pie $(EXTRA_FLAGS) -ldflags "-X
>> >>> main.gitCommit=${COMMIT} -X main.version=${VERSION} $(EXTRA_LDFLAGS)"
>> >>> -tags "$(BUILDTAGS)" -o runc .
>> >>> ++  $(GO) build $(GOBUILDFLAGS) $(EXTRA_FLAGS) -ldflags "-X
>> >>> main.gitCommit=${COMMIT} -X main.version=${VERSION} $(EXTRA_LDFLAGS)"
>> >>> -tags "$(BUILDTAGS)" -o runc .
>> >>> +
>> >>> + all: runc recvtty
>> >>> +
>> >>> +@@ -41,7 +41,6 @@ contrib/cmd/recvtty/recvtty: $(SOURCES)
>> >>> +
>> >>> + static: $(SOURCES)
>> >>> +   CGO_ENABLED=1 $(GO) build $(EXTRA_FLAGS) -tags "$(BUILDTAGS) netgo
>> >>> osusergo static_build" -installsuffix netgo -ldflags "-w -extldflags
>> >>> -static -X main.gitCommit=${COMMIT} -X main.version=${VERSION}
>> >>> $(EXTRA_LDFLAGS)" -o runc .
>> >>> +-  CGO_ENABLED=1 $(GO) build $(EXTRA_FLAGS) -tags "$(BUILDTAGS) netgo
>> >>> osusergo static_build" -installsuffix netgo -ldflags "-w -extldflags
>> >>> -static -X main.gitCommit=${COMMIT} -X main.version=${VERSION}
>> >>> $(EXTRA_LDFLAGS)" -o contrib/cmd/recvtty/recvtty ./contrib/cmd/recvtty
>> >>> +
>> >>> + release:
>> >>> +   script/release.sh -r release/$(VERSION) -v $(VERSION)
>> >>> +--
>> >>> +2.17.1
>> >>> +
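Review bot: the new patch file has no Upstream-Status: line and its description does not say that the `runc` target gives up `-buildmode=pie` (`-  $(GO) build -buildmode=pie $(EXTRA_FLAGS)` becomes `+  $(GO) build $(GOBUILDFLAGS) $(EXTRA_FLAGS)`). Unless GOBUILDFLAGS supplies `-buildmode=pie`, a dynamically linked runc built without the `static` PACKAGECONFIG loses the PIE that upstream turns on by default, which matters for a root-run binary; either keep the flag alongside $(GOBUILDFLAGS) or state in the description that dropping it is intended. The header lines also disagree with each other (`diff --git a/Makefile b/Makefile` versus `--- a/src/import/Makefile`); make both use the src/import path, and add `Upstream-Status: Inappropriate [OE specific]` since a patch against src/import/Makefile will not be sent upstream.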
>> >>> diff --git
>> >>> a/recipes-containers/runc/runc-docker/0001-build-drop-recvtty-and-use-GOBUILDFLAGS.patch
>> >>> b/recipes-containers/runc/runc-docker/0001-build-drop-recvtty-and-use-GOBUILDFLAGS.patch
>> >>> deleted file mode 100644
>> >>> index 9ba9957..0000000
>> >>> ---
>> >>> a/recipes-containers/runc/runc-docker/0001-build-drop-recvtty-and-use-GOBUILDFLAGS.patch
>> >>> +++ /dev/null
>> >>> @@ -1,22 +0,0 @@
>> >>> -From a9a2b9e72027d0b2357f6dfe8b154762aaa8dd02 Mon Sep 17 00:00:00 2001
>> >>> -From: Bruce Ashfield <bruce.ashfield at windriver.com>
>> >>> -Date: Thu, 19 Apr 2018 16:39:41 -0400
>> >>> -Subject: [PATCH] build: drop recvtty and use GOBUILDFLAGS
>> >>> -
>> >>> -Signed-off-by: Bruce Ashfield <bruce.ashfield at windriver.com>
>> >>> ----
>> >>> - Makefile | 3 +--
>> >>> - 1 file changed, 1 insertion(+), 2 deletions(-)
>> >>> -
>> >>> -Index: git/src/import/Makefile
>> >>> -===================================================================
>> >>> ---- git.orig/src/import/Makefile
>> >>> -+++ git/src/import/Makefile
>> >>> -@@ -41,7 +41,6 @@
>> >>> -
>> >>> - static: $(SOURCES)
>> >>> -   CGO_ENABLED=1 $(GO) build $(EXTRA_FLAGS) -tags "$(BUILDTAGS) netgo
>> >>> osusergo static_build" -installsuffix netgo -ldflags "-w -extldflags
>> >>> -static -X main.gitCommit=${COMMIT} -X main.version=${VERSION}
>> >>> $(EXTRA_LDFLAGS)" -o runc .
>> >>> --  CGO_ENABLED=1 $(GO) build $(EXTRA_FLAGS) -tags "$(BUILDTAGS) netgo
>> >>> osusergo static_build" -installsuffix netgo -ldflags "-w -extldflags
>> >>> -static -X main.gitCommit=${COMMIT} -X main.version=${VERSION}
>> >>> $(EXTRA_LDFLAGS)" -o contrib/cmd/recvtty/recvtty ./contrib/cmd/recvtty
>> >>> -
>> >>> - release:
>> >>> -   script/release.sh -r release/$(VERSION) -v $(VERSION)
>> >>> diff --git a/recipes-containers/runc/runc-docker_git.bb
>> >>> b/recipes-containers/runc/runc-docker_git.bb
>> >>> index 2bf6222..c9f460b 100644
>> >>> --- a/recipes-containers/runc/runc-docker_git.bb
>> >>> +++ b/recipes-containers/runc/runc-docker_git.bb
>> >>> @@ -5,7 +5,7 @@ include runc.inc
>> >>>   SRCREV_runc-docker = "425e105d5a03fabd737a126ad93d62a9eeede87f"
>> >>>   SRC_URI = "git://github.com/opencontainers/runc;nobranch=1;name=runc-docker \
>> >>>              file://0001-runc-Add-console-socket-dev-null.patch \
>> >>> -           file://0001-build-drop-recvtty-and-use-GOBUILDFLAGS.patch \
>> >>> +
>> >>> file://0001-Makefile-respect-GOBUILDFLAGS-for-runc-and-remove-re.patch
>> >>> \
>> >>>              file://0001-runc-docker-SIGUSR1-daemonize.patch \
>> >>>             "
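Review bot: the added SRC_URI entry is split over three lines here (`+`, `file://0001-Makefile-respect-GOBUILDFLAGS-for-runc-and-remove-re.patch`, `\`); if that is not just mail wrapping, it should be a single line indented like the neighbouring `file://0001-runc-Add-console-socket-dev-null.patch \` entry so the backslash continuation stays valid. Moving the patch from the recipe's runc-docker/ directory to files/ is fine because both are on the default FILESPATH, but it does mean runc-docker and runc-opencontainers now share one Makefile patch, so both recipes need to be built with and without `static` before this is merged.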
>> >>>   diff --git a/recipes-containers/runc/runc-opencontainers_git.bb
>> >>> b/recipes-containers/runc/runc-opencontainers_git.bb
>> >>> index 76ab794..361bc94 100644
>> >>> --- a/recipes-containers/runc/runc-opencontainers_git.bb
>> >>> +++ b/recipes-containers/runc/runc-opencontainers_git.bb
>> >>> @@ -3,5 +3,6 @@ include runc.inc
>> >>>   SRCREV = "652297c7c7e6c94e8d064ad5916c32891a6fd388"
>> >>>   SRC_URI = " \
>> >>>       git://github.com/opencontainers/runc;branch=master \
>> >>> +    file://0001-Makefile-respect-GOBUILDFLAGS-for-runc-and-remove-re.patch \
>> >>>       "
>> >>>   RUNC_VERSION = "1.0.0-rc8"
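Review bot: the same Makefile patch is now applied to two different source trees (SRCREV 425e105d5a03fabd737a126ad93d62a9eeede87f for runc-docker and 652297c7c7e6c94e8d064ad5916c32891a6fd388 on branch=master here), so the `@@ -30,7 +30,7 @@` and `@@ -41,7 +41,6 @@` contexts must match both; the old runc-docker-only patch presumably existed because the Makefiles drifted. Please state in the commit message that both recipes were verified to build in both configurations, and be aware that branch=master with a pinned SRCREV will need this patch refreshed when the revision moves.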
>> >>> diff --git a/recipes-containers/runc/runc.inc b/recipes-containers/runc/runc.inc
>> >>> index 46fd09d..41ea41b 100644
>> >>> --- a/recipes-containers/runc/runc.inc
>> >>> +++ b/recipes-containers/runc/runc.inc
>> >>> @@ -14,8 +14,10 @@ inherit go
>> >>>   inherit goarch
>> >>>   inherit pkgconfig
>> >>>   -PACKAGECONFIG ??= ""
>> >>> +PACKAGECONFIG ??= "static"
>> >>>   PACKAGECONFIG[seccomp] = "seccomp,,libseccomp"
>> >>> +# This PACKAGECONFIG serves the purpose of whether building runc as
>> >>> static or not
>> >>> +PACKAGECONFIG[static] = ""
>> >>>     PROVIDES += "virtual/runc"
>> >>>   RPROVIDES_${PN} = "virtual/runc"
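Review bot: `PACKAGECONFIG[static] = ""` declares no dependency, but when `static` and `seccomp` are both enabled the `-extldflags -static` link needs libseccomp's static archive, which a distro that sets DISABLE_STATIC (raised earlier in this thread) will not provide, so the build fails only in that combination. At minimum extend the comment to say so; something like `# Link runc statically; with seccomp enabled this needs libseccomp's static archive` is clearer than the current "serves the purpose of whether building runc as static or not", which also appears to be wrapped across two lines in the recipe.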
>> >>> @@ -54,7 +56,11 @@ do_compile() {
>> >>>     export CFLAGS=""
>> >>>     export LDFLAGS=""
>> >>>   - oe_runmake static
>> >>> +   if ${@bb.utils.contains('PACKAGECONFIG', 'static', 'true', 'false', d)}; then
>> >>> +           oe_runmake static
>> >>> +   else
>> >>> +           oe_runmake runc
>> >>> +   fi
>> >>>   }
>> >>>     do_install() {
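Review bot: the `if ${@bb.utils.contains('PACKAGECONFIG', 'static', 'true', 'false', d)}; then` construct works only because the expansion lands on the shell builtins true/false; selecting the make target directly is simpler and avoids the shell-in-python-in-shell nesting: `oe_runmake ${@bb.utils.contains('PACKAGECONFIG', 'static', 'static', 'runc', d)}`. Whichever form is kept, a comment should note that only the `runc` target honours GOBUILDFLAGS (the `static` target in the Makefile patch does not pass it), so flags from go.bbclass differ between the two configurations and the two builds are not otherwise equivalent.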
>> >>> -- 2.17.1

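A check the practitioner who flips this switch will want: confirming which kind of binary do_compile actually produced. The script below is an added example for this thread, not code from meta-virtualization or from runc. It classifies an ELF file by its program headers alone (a dynamically linked runc carries PT_INTERP naming the loader plus PT_DYNAMIC; a `go build` with `-extldflags -static` has neither), so it needs no binutils and works on cross-built targets. The `make_elf64()` helper constructs minimal sample images for the self-test and is an assumption of this example only.

```python
"""Report whether an ELF binary is statically linked.

Added example for the static-vs-dynamic runc discussion; it is not code
from the meta-virtualization layer or from runc. A dynamically linked
binary carries a PT_INTERP program header naming the loader (plus a
PT_DYNAMIC segment); a `go build ... -ldflags "-extldflags -static"`
binary has neither. Only the ELF header and program header table are
parsed, so no binutils are needed and cross-built targets work.
"""
import struct
import sys

ELF_MAGIC = b"\x7fELF"
PT_DYNAMIC = 2
PT_INTERP = 3


def inspect_elf(data):
    """Return (linkage, interpreter) for the ELF image in `data`.

    linkage is 'dynamic', 'static-pie' or 'static'; interpreter is the
    PT_INTERP path or None. Raises ValueError for non-ELF input.
    """
    if data[:4] != ELF_MAGIC:
        raise ValueError("not an ELF file")
    ei_class, ei_data = data[4], data[5]
    if ei_class not in (1, 2) or ei_data not in (1, 2):
        raise ValueError("unsupported ELF class or byte order")
    end = "<" if ei_data == 1 else ">"
    # Fields after the 16-byte e_ident: e_type, e_machine, e_version, e_entry,
    # e_phoff, e_shoff, e_flags, e_ehsize, e_phentsize, e_phnum, e_shentsize,
    # e_shnum, e_shstrndx (64-bit layout first, 32-bit second).
    if ei_class == 2:
        hdr = struct.unpack_from(end + "HHIQQQIHHHHHH", data, 16)
    else:
        hdr = struct.unpack_from(end + "HHIIIIIHHHHHH", data, 16)
    e_phoff, e_phentsize, e_phnum = hdr[4], hdr[8], hdr[9]

    has_interp = has_dynamic = False
    interp = None
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        (p_type,) = struct.unpack_from(end + "I", data, off)
        if p_type == PT_DYNAMIC:
            has_dynamic = True
        elif p_type == PT_INTERP:
            has_interp = True
            # p_offset and p_filesz locate the NUL-terminated loader path.
            if ei_class == 2:  # p_flags sits between p_type and p_offset on ELF64
                p_offset, _, _, p_filesz = struct.unpack_from(end + "QQQQ", data, off + 8)
            else:
                p_offset, _, _, p_filesz = struct.unpack_from(end + "IIII", data, off + 4)
            raw = data[p_offset:p_offset + p_filesz].split(b"\0", 1)[0]
            interp = raw.decode("ascii", "replace")

    if has_interp:
        return "dynamic", interp
    if has_dynamic:
        return "static-pie", None   # no loader, but self-relocated at startup
    return "static", None


def make_elf64(p_types, interp=b"/lib/ld-linux-x86-64.so.2"):
    """Constructed sample input: a minimal little-endian x86-64 ELF64 image
    with the requested program header types. Not loadable, just enough for
    inspect_elf() to parse; used by the self-test and the demo below."""
    ehsize, phentsize = 64, 56
    phoff = ehsize
    interp_off = phoff + phentsize * len(p_types)
    ident = ELF_MAGIC + bytes([2, 1, 1, 0]) + b"\0" * 8   # ELF64, LE, version 1
    ehdr = ident + struct.pack("<HHIQQQIHHHHHH", 2, 62, 1, 0, phoff, 0, 0,
                               ehsize, phentsize, len(p_types), 0, 0, 0)
    phdrs = b""
    for t in p_types:
        if t == PT_INTERP:
            size = len(interp) + 1
            phdrs += struct.pack("<IIQQQQQQ", t, 4, interp_off, 0, 0, size, size, 1)
        else:
            phdrs += struct.pack("<IIQQQQQQ", t, 6, 0, 0, 0, 0, 0, 8)
    return ehdr + phdrs + interp + b"\0"


if __name__ == "__main__":
    paths = sys.argv[1:]
    if paths:  # e.g. python3 elfcheck.py tmp/work/.../image/usr/bin/runc
        for path in paths:
            with open(path, "rb") as f:
                linkage, interp = inspect_elf(f.read())
            print(f"{path}: {linkage}" + (f" ({interp})" if interp else ""))
    else:      # no arguments: demonstrate on the constructed images
        print("dynamic   :", inspect_elf(make_elf64([PT_INTERP, PT_DYNAMIC, 1])))
        print("static-pie:", inspect_elf(make_elf64([PT_DYNAMIC, 1])))
        print("static    :", inspect_elf(make_elf64([1, 1])))
```

Point it at the runc under the recipe's image/ directory or at a deployed host's /usr/bin/runc. A "dynamic" result for a build that was meant to be static is the case the thread warns about: that binary will break when bind-mounted into, or updated separately from, a system whose libc differs. On a 2019-era layer the switch itself is flipped from distro or local configuration with the pre-Honister override syntax, for instance `PACKAGECONFIG_remove_pn-runc-opencontainers = "static"` (assumption: the recipe name as it appears in this patch).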