release: build riscv64 binary, build static PIE if supported #3446
Conversation
kolyshkin
requested review from
cyphar,
thaJeztah and
AkihiroSuda
and removed request for
thaJeztah
|
@cyphar @thaJeztah PTAL 🙏🏻 |
seccomp stuffs has to be updated too. |
Slightly confused now; can these be merged independently, or should they be merged in a specific order? 😅 |
In arbitrary order, but merging one will need rebasing another one. |
|
Let me try to pick your changes @AkihiroSuda |
|
Picked the libseccomp-golang bump commit from #3463 PTAL @AkihiroSuda @thaJeztah |
|
Needs rebase |
|
Rebased; PTAL @AkihiroSuda @thaJeztah @mrunalp |
There was a problem hiding this comment.
This seems needed as well
diff --git a/libcontainer/seccomp/patchbpf/enosys_linux.go b/libcontainer/seccomp/patchbpf/enosys_linux.go
index dfb8a0a8..d1ee0c2b 100644
--- a/libcontainer/seccomp/patchbpf/enosys_linux.go
+++ b/libcontainer/seccomp/patchbpf/enosys_linux.go
@@ -67,6 +67,7 @@ const uint32_t C_AUDIT_ARCH_PPC64 = AUDIT_ARCH_PPC64;
const uint32_t C_AUDIT_ARCH_PPC64LE = AUDIT_ARCH_PPC64LE;
const uint32_t C_AUDIT_ARCH_S390 = AUDIT_ARCH_S390;
const uint32_t C_AUDIT_ARCH_S390X = AUDIT_ARCH_S390X;
+const uint32_t C_AUDIT_ARCH_RISCV64 = AUDIT_ARCH_RISCV64;
*/
import "C"
@@ -197,6 +198,8 @@ func archToNative(arch libseccomp.ScmpArch) (nativeArch, error) {
return nativeArch(C.C_AUDIT_ARCH_S390), nil
case libseccomp.ArchS390X:
return nativeArch(C.C_AUDIT_ARCH_S390X), nil
+ case libseccomp.ArchRISCV64:
+ return nativeArch(C.C_AUDIT_ARCH_RISCV64), nil
default:
return invalidArch, fmt.Errorf("unknown architecture: %v", arch)
}
|
@kolyshkin Could you update the PR? ↑ |
Alas this breaks the compilation on centos 7; I have added a workaround. |
We do not use all the files from scripts, only seccomp.sh and lib.sh. This prevents unneeded rebuild of the image if e.g. scripts/release_build.sh has changed. Signed-off-by: Kir Kolyshkin <[email protected]>
Dockerfile used to install libseccomp-dev packages for different architectures. This is no longer true since commit f30244e, which changed to cross-compiling libseccomp (so we can get a static library to link against). Thus, adding extra architectures is no longer needed. Signed-off-by: Kir Kolyshkin <[email protected]>
All we need is gcc, libc-dev, and binutils. In addition to that, crossbuild-essential installs g++, libstdc++-dev, and a bunch of perl packages and libraries which we do not need. This should speed up image building, as well as make it smaller. Signed-off-by: Kir Kolyshkin <[email protected]>
LDFLAGS_COMMON are used from two places, so it makes sense to dedup. LDFLAGS_STATIC is a preparation for the next commit. Signed-off-by: Kir Kolyshkin <[email protected]>
1. Set to empty value by default. 2. Assume Linux (remove GOOS check, since we do not support other OSes). 3. Instead of using a "not-supported" list, use a "supported" list (as Go release notes usually say which platforms are supported). As of today, -buildmode=pie is supported for: * linux/386, linux/amd64, linux/arm, linux/arm64, and linux/ppc64le (since Go 1.6, see https://tip.golang.org/doc/go1.6#compiler) * linux/s390x (since Go 1.7, which adds the initial port) * linux/riscv64 (since Go 1.16, see https://tip.golang.org/doc/go1.16#riscv) NOTE this does not mean we support these architectures; it is merely a way to see if -buildmode=pie can be used. Signed-off-by: Kir Kolyshkin <[email protected]>
Signed-off-by: Kir Kolyshkin <[email protected]>
It doesn't matter whether static or dynamic linking is used, runc always needs libcontainer/nsenter, which is written in C and thus requires cgo. Same is true for libcontainer/integration. In addition, contrib/pkg/seccompagent also needs cgo (if seccomp build tag is set), as it need to be linked against libseccomp C library. By default, cgo is disabled when cross-compiling, meaning that CGO_ENABLED=1 has to be set explicitly in such cases. In all other cases (e.g. other contrib binaries) we do not need cgo. Remove CGO_ENABLED=1 from GO_BUILD_STATIC (as it does not have anything to do with static linking), and add it to all targets that require it. Signed-off-by: Kir Kolyshkin <[email protected]>
Co-authored-by: Kir Kolyshkin <[email protected]> Signed-off-by: Akihiro Suda <[email protected]> Signed-off-by: Kir Kolyshkin <[email protected]>
Signed-off-by: Kir Kolyshkin <[email protected]>
|
Do we need another check from @crazy-max on this PR? (#3463 (comment)) |
| endif | ||
| GO_BUILDMODE := | ||
| # Enable dynamic PIE executables on supported platforms. | ||
| ifneq (,$(filter $(GOARCH),386 amd64 arm arm64 ppc64le riscv64 s390x)) |
There was a problem hiding this comment.
afaik -buildmode=pie is not supported only on windows arm64 and linux mips*, ppc64be. should work on riscv64. see https://github.com/golang/go/blob/4aa1efed4853ea067d665a952eee77c52faac774/src/cmd/internal/sys/supported.go#L125-L131
There was a problem hiding this comment.
So, this is a list of supported platforms. Meaning, we do enable -buildmode=pie for riscv64.
There was a problem hiding this comment.
See commit description at ab5c60d
There was a problem hiding this comment.
@crazy-max PTAL ^^^
|
Is there any particular reason that this hasn't been made available in a 1.x release yet? Trying to get k3s running on riscv64 and this looks like one of the last blockers. |
This will be in v1.2. |
This is a new feature, and we don't want to backport new features into an old release unless it's absolutely necessary. If you need a binary, you can get one from any recent PR "Actions" tab. In there, click on "validate" in the left column, scroll all the way down to see "Artifacts", and in the zip will you will find a binary. |
lifubang
added
the
backport/1.1-done
This can be split into a few groups:
See individual commits for details.