From 4449ce84860ce11c96a42d0f16bd083d1975efdb Mon Sep 17 00:00:00 2001
From: Kir Kolyshkin
Date: Thu, 31 Mar 2022 17:30:35 -0700
Subject: [PATCH 1/9] Dockerfile: nit
We do not use all the files from scripts, only seccomp.sh and lib.sh. This prevents unneeded rebuild of the image if e.g. scripts/release_build.sh has changed.
Signed-off-by: Kir Kolyshkin
(cherry picked from commit d542ad65ba3c3bb8487ffb074f113a5401993340)
---
 Dockerfile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Dockerfile b/Dockerfile
index 0c6b15bedd0..c994ea706cf 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -54,7 +54,7 @@ RUN cd /tmp \
 # install libseccomp
 ARG LIBSECCOMP_VERSION
-COPY script/* /tmp/script/
+COPY script/seccomp.sh script/lib.sh /tmp/script/
 RUN mkdir -p /opt/libseccomp \
 && /tmp/script/seccomp.sh "$LIBSECCOMP_VERSION" /opt/libseccomp arm64 armel armhf ppc64le s390x
 ENV LIBSECCOMP_VERSION=$LIBSECCOMP_VERSION
From 028fc57aaa8ef6ff581b1b34fced45eee31d8495 Mon Sep 17 00:00:00 2001
From: Kir Kolyshkin
Date: Fri, 1 Apr 2022 08:17:40 -0700
Subject: [PATCH 2/9] Dockerfile: rm dpkg --add-architecture lines
Dockerfile used to install libseccomp-dev packages for different architectures. This is no longer true since commit f30244ee1b222, which changed to cross-compiling libseccomp (so we can get a static library to link against). Thus, adding extra architectures is no longer needed.
Signed-off-by: Kir Kolyshkin
(cherry picked from commit 476aa18abe91586daa2822b9e49f6d2fd5c2a198)
---
 Dockerfile | 4 ----
 1 file changed, 4 deletions(-)
diff --git a/Dockerfile b/Dockerfile
index c994ea706cf..9ed816deea5 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -9,10 +9,6 @@ ARG CRIU_REPO=https://download.opensuse.org/repositories/devel:/tools:/criu/Debi
 RUN KEYFILE=/usr/share/keyrings/criu-repo-keyring.gpg; \
 wget -nv $CRIU_REPO/Release.key -O- | gpg --dearmor > "$KEYFILE" \
 && echo "deb [signed-by=$KEYFILE] $CRIU_REPO/ /" > /etc/apt/sources.list.d/criu.list \
- && dpkg --add-architecture armel \
- && dpkg --add-architecture armhf \
- && dpkg --add-architecture arm64 \
- && dpkg --add-architecture ppc64el \
 && apt-get update \
 && apt-get install -y --no-install-recommends \
 build-essential \
From b99401136952eb53c6517e74f02b91af1ba24ccf Mon Sep 17 00:00:00 2001
From: Kir Kolyshkin
Date: Fri, 1 Apr 2022 14:24:57 -0700
Subject: [PATCH 3/9] Dockerfile: don't use crossbuild-essential-*
All we need is gcc, libc-dev, and binutils. In addition to that, crossbuild-essential installs g++, libstdc++-dev, and a bunch of perl packages and libraries which we do not need. This should speed up image building, as well as make it smaller.
Signed-off-by: Kir Kolyshkin
(cherry picked from commit f0f1b5f9693b08e7c379db6214f29a74e204ff34)
---
 Dockerfile | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/Dockerfile b/Dockerfile
index 9ed816deea5..9b9502a8a45 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -13,11 +13,11 @@ RUN KEYFILE=/usr/share/keyrings/criu-repo-keyring.gpg; \
 && apt-get install -y --no-install-recommends \
 build-essential \
 criu \
- crossbuild-essential-arm64 \
- crossbuild-essential-armel \
- crossbuild-essential-armhf \
- crossbuild-essential-ppc64el \
- crossbuild-essential-s390x \
+ gcc-aarch64-linux-gnu libc-dev-arm64-cross \
+ gcc-arm-linux-gnueabi libc-dev-armel-cross \
+ gcc-arm-linux-gnueabihf libc-dev-armhf-cross \
+ gcc-powerpc64le-linux-gnu libc-dev-ppc64el-cross \
+ gcc-s390x-linux-gnu libc-dev-s390x-cross \
 curl \
 gawk \
 gcc \
From 120ec5bda318539d9364502e44c0813e13cfc425 Mon Sep 17 00:00:00 2001
From: Kir Kolyshkin
Date: Thu, 31 Mar 2022 15:56:14 -0700
Subject: [PATCH 4/9] Makefile: add LDFLAGS_COMMON and LDFLAGS_STATIC
LDFLAGS_COMMON are used from two places, so it makes sense to dedup. LDFLAGS_STATIC is a preparation for the next commit.
Signed-off-by: Kir Kolyshkin
(cherry picked from commit f2f6e59937486ee61b1ce6ac35caff37e76db177)
---
 Makefile | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/Makefile b/Makefile
index 845eebf43c5..bcdf5471ec5 100644
--- a/Makefile
+++ b/Makefile
@@ -10,8 +10,10 @@ GIT_BRANCH_CLEAN := $(shell echo $(GIT_BRANCH) | sed -e "s/[^[:alnum:]]/-/g")
 RUNC_IMAGE := runc_dev$(if $(GIT_BRANCH_CLEAN),:$(GIT_BRANCH_CLEAN))
 PROJECT := github.com/opencontainers/runc
 BUILDTAGS ?= seccomp
+
 COMMIT ?= $(shell git describe --dirty --long --always)
 VERSION := $(shell cat ./VERSION)
+LDFLAGS_COMMON := -X main.gitCommit=$(COMMIT) -X main.version=$(VERSION)
 ifeq ($(shell $(GO) env GOOS),linux)
 ifeq (,$(filter $(shell $(GO) env GOARCH),mips mipsle mips64 mips64le ppc64))
@@ -21,9 +23,11 @@ ifeq ($(shell $(GO) env GOOS),linux)
 endif
 endif
 GO_BUILD := $(GO) build -trimpath $(GO_BUILDMODE) $(EXTRA_FLAGS) -tags "$(BUILDTAGS)" \
- -ldflags "-X main.gitCommit=$(COMMIT) -X main.version=$(VERSION) $(EXTRA_LDFLAGS)"
+ -ldflags "$(LDFLAGS_COMMON) $(EXTRA_LDFLAGS)"
+
+LDFLAGS_STATIC := -extldflags -static
 GO_BUILD_STATIC := CGO_ENABLED=1 $(GO) build -trimpath $(EXTRA_FLAGS) -tags "$(BUILDTAGS) netgo osusergo" \
- -ldflags "-extldflags -static -X main.gitCommit=$(COMMIT) -X main.version=$(VERSION) $(EXTRA_LDFLAGS)"
+ -ldflags "$(LDFLAGS_COMMON) $(LDFLAGS_STATIC) $(EXTRA_LDFLAGS)"
 GPG_KEYID ?= asarai@suse.de
From 2abca872b17eced4c3546b4feeaeae18aae151b9 Mon Sep 17 00:00:00 2001
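Review bot: LDFLAGS_COMMON is introduced in the first hunk without a comment saying what it is for, even though the commit message explains it; a one-liner above the assignment, `# Linker flags shared by GO_BUILD and GO_BUILD_STATIC: embed commit and version.`, keeps that rationale in the file. The same applies to the new `LDFLAGS_STATIC := -extldflags -static` in the second hunk, e.g. `# Extra linker flags for the fully static build.` Note that COMMIT is assigned with `?=` (recursive flavour), so each expansion of it re-runs `git describe`; the `:=` on LDFLAGS_COMMON now freezes that value once at parse time instead of once per GO_BUILD/GO_BUILD_STATIC definition, which is worth remembering if the assignment is ever changed to `=`.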
From: Kir Kolyshkin
Date: Thu, 31 Mar 2022 17:51:11 -0700
Subject: [PATCH 5/9] Makefile: fix GO_BUILDMODE setting
1. Set to empty value by default.
2. Assume Linux (remove GOOS check, since we do not support other OSes).
3. Instead of using a "not-supported" list, use a "supported" list (as Go release notes usually say which platforms are supported).
As of today, -buildmode=pie is supported for:
* linux/386, linux/amd64, linux/arm, linux/arm64, and linux/ppc64le (since Go 1.6, see https://tip.golang.org/doc/go1.6#compiler)
* linux/s390x (since Go 1.7, which adds the initial port)
* linux/riscv64 (since Go 1.16, see https://tip.golang.org/doc/go1.16#riscv)
NOTE this does not mean we support these architectures; it is merely a way to see if -buildmode=pie can be used.
Signed-off-by: Kir Kolyshkin
(cherry picked from commit ab5c60d02fcd9a4b7e870bcd631c3673e5b7dd2a)
---
 Makefile | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/Makefile b/Makefile
index bcdf5471ec5..19d3c4ca868 100644
--- a/Makefile
+++ b/Makefile
@@ -15,11 +15,11 @@ COMMIT ?= $(shell git describe --dirty --long --always)
 VERSION := $(shell cat ./VERSION)
 LDFLAGS_COMMON := -X main.gitCommit=$(COMMIT) -X main.version=$(VERSION)
-ifeq ($(shell $(GO) env GOOS),linux)
- ifeq (,$(filter $(shell $(GO) env GOARCH),mips mipsle mips64 mips64le ppc64))
- ifeq (,$(findstring -race,$(EXTRA_FLAGS)))
- GO_BUILDMODE := "-buildmode=pie"
- endif
+GO_BUILDMODE :=
+# Enable dynamic PIE executables on supported platforms.
+ifneq (,$(filter $(shell $(GO) env GOARCH),386 amd64 arm arm64 ppc64le riscv64 s390x))
+ ifeq (,$(findstring -race,$(EXTRA_FLAGS)))
+ GO_BUILDMODE := "-buildmode=pie"
 endif
 endif
 GO_BUILD := $(GO) build -trimpath $(GO_BUILDMODE) $(EXTRA_FLAGS) -tags "$(BUILDTAGS)" \
From 923ae4da8c648e593d7d35f46949d9e75adcfb01 Mon Sep 17 00:00:00 2001
From: Kir Kolyshkin
Date: Thu, 31 Mar 2022 18:27:40 -0700
Subject: [PATCH 6/9] Makefile: add support for static PIE
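Review bot: `ifneq (,$(filter $(shell $(GO) env GOARCH),386 amd64 arm arm64 ppc64le riscv64 s390x))` passes the value under test as the pattern argument and the allow-list as the text; GNU make's `$(filter PATTERNS,TEXT)` treats its first argument as patterns, so this works only because a GOARCH value never contains `%`, and it reads backwards to anyone expecting `$(filter $(PIE_ARCHES),$(GOARCH))`. The same reversed form recurs in the `ifneq (,$(filter $(GOARCH),…))` lines of the static-PIE commit and in `$(filter $(BUILDTAGS),seccomp)` of the CGO_ENABLED commit, where BUILDTAGS is user-supplied and so the pattern side is less controlled. Hoisting the allow-list into a named variable, e.g. `PIE_ARCHES := 386 amd64 arm arm64 ppc64le riscv64 s390x`, and testing `$(filter $(PIE_ARCHES),$(GOARCH))` would fix the reading order and give the list from the commit message a single place to live. The `endif` lines that close the block are context here.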
Signed-off-by: Kir Kolyshkin
(cherry picked from commit 21e32d47d38ffe35972f845146c576461f6fb5a0)
---
 Makefile | 21 ++++++++++++++++++---
 1 file changed, 18 insertions(+), 3 deletions(-)
diff --git a/Makefile b/Makefile
index 19d3c4ca868..3bcb4f02381 100644
--- a/Makefile
+++ b/Makefile
@@ -15,18 +15,33 @@ COMMIT ?= $(shell git describe --dirty --long --always)
 VERSION := $(shell cat ./VERSION)
 LDFLAGS_COMMON := -X main.gitCommit=$(COMMIT) -X main.version=$(VERSION)
+GOARCH := $(shell $(GO) env GOARCH)
+
 GO_BUILDMODE :=
 # Enable dynamic PIE executables on supported platforms.
-ifneq (,$(filter $(shell $(GO) env GOARCH),386 amd64 arm arm64 ppc64le riscv64 s390x))
+ifneq (,$(filter $(GOARCH),386 amd64 arm arm64 ppc64le riscv64 s390x))
 ifeq (,$(findstring -race,$(EXTRA_FLAGS)))
 GO_BUILDMODE := "-buildmode=pie"
 endif
 endif
-GO_BUILD := $(GO) build -trimpath $(GO_BUILDMODE) $(EXTRA_FLAGS) -tags "$(BUILDTAGS)" \
+GO_BUILD := $(GO) build -trimpath $(GO_BUILDMODE) \
+ $(EXTRA_FLAGS) -tags "$(BUILDTAGS)" \
 -ldflags "$(LDFLAGS_COMMON) $(EXTRA_LDFLAGS)"
+GO_BUILDMODE_STATIC :=
 LDFLAGS_STATIC := -extldflags -static
-GO_BUILD_STATIC := CGO_ENABLED=1 $(GO) build -trimpath $(EXTRA_FLAGS) -tags "$(BUILDTAGS) netgo osusergo" \
+# Enable static PIE executables on supported platforms.
+# This (among the other things) requires libc support (rcrt1.o), which seems
+# to be available only for arm64 and amd64 (Debian Bullseye).
+ifneq (,$(filter $(GOARCH),arm64 amd64))
+ ifeq (,$(findstring -race,$(EXTRA_FLAGS)))
+ GO_BUILDMODE_STATIC := -buildmode=pie
+ LDFLAGS_STATIC := -linkmode external -extldflags --static-pie
+ endif
+endif
+# Enable static PIE binaries on supported platforms.
+GO_BUILD_STATIC := CGO_ENABLED=1 $(GO) build -trimpath $(GO_BUILDMODE_STATIC) \
+ $(EXTRA_FLAGS) -tags "$(BUILDTAGS) netgo osusergo" \
 -ldflags "$(LDFLAGS_COMMON) $(LDFLAGS_STATIC) $(EXTRA_LDFLAGS)"
 GPG_KEYID ?= asarai@suse.de
From ed47e31a059982b2e34199e4ecac9328e0d148f8 Mon Sep 17 00:00:00 2001
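Review bot: The added comment `# Enable static PIE binaries on supported platforms.` directly above `GO_BUILD_STATIC :=` is misleading: that variable is the static build command for every GOARCH, and PIE is only switched on by the `ifneq (,$(filter $(GOARCH),arm64 amd64))` block above it, which already carries the "Enable static PIE executables" comment. Suggest replacing it with `# Static build; PIE only when GO_BUILDMODE_STATIC was set above.` so the two comments do not read as duplicates. Also, the new `GO_BUILDMODE_STATIC := -buildmode=pie` is unquoted while the existing `GO_BUILDMODE := "-buildmode=pie"` a few lines up carries literal double quotes that the shell strips; both expand to the same argument, so dropping the quotes from GO_BUILDMODE (`GO_BUILDMODE := -buildmode=pie`) would make the pair consistent. It would also help to say in the ifneq block's comment that the point of static PIE is to keep address-space randomisation for the static binary, since the surrounding text only explains the libc constraint.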
From: Kir Kolyshkin
Date: Thu, 31 Mar 2022 18:32:36 -0700
Subject: [PATCH 7/9] Makefile: set CGO_ENABLED=1 when needed
It doesn't matter whether static or dynamic linking is used, runc always needs libcontainer/nsenter, which is written in C and thus requires cgo. Same is true for libcontainer/integration. In addition, contrib/pkg/seccompagent also needs cgo (if seccomp build tag is set), as it need to be linked against libseccomp C library. By default, cgo is disabled when cross-compiling, meaning that CGO_ENABLED=1 has to be set explicitly in such cases. In all other cases (e.g. other contrib binaries) we do not need cgo. Remove CGO_ENABLED=1 from GO_BUILD_STATIC (as it does not have anything to do with static linking), and add it to all targets that require it.
Signed-off-by: Kir Kolyshkin
(cherry picked from commit dafcacb5225a0668c06fbd0a6e002da1ef2f7d69)
---
 .github/workflows/test.yml | 3 +--
 Makefile | 11 ++++++++++-
 2 files changed, 11 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index 5b8356a7f33..c93167e94a1 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -124,5 +124,4 @@ jobs:
 go-version: 1.x # Latest stable
 - name: unit test
- # cgo is disabled by default when cross-compiling
- run: sudo -E PATH="$PATH" -- make GOARCH=386 CGO_ENABLED=1 CGO_CFLAGS=-fno-stack-protector localunittest
+ run: sudo -E PATH="$PATH" -- make GOARCH=386 localunittest
diff --git a/Makefile b/Makefile
index 3bcb4f02381..f0bc4b203eb 100644
--- a/Makefile
+++ b/Makefile
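Review bot: The new `run:` line drops `CGO_CFLAGS=-fno-stack-protector` together with `CGO_ENABLED=1`, but the commit message only accounts for the latter, and the Makefile hunk adds no replacement for the CFLAGS part. If that flag was needed for the GOARCH=386 cross build to link, its removal is an unrelated behaviour change that should either be justified in the message or kept, `run: sudo -E PATH="$PATH" -- make GOARCH=386 CGO_CFLAGS=-fno-stack-protector localunittest`. If it is known to be unnecessary now, a one-line comment in place of the removed `# cgo is disabled by default when cross-compiling` saying that the Makefile sets CGO_ENABLED for this target would spare the next reader the same question.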
@@ -40,12 +40,21 @@ ifneq (,$(filter $(GOARCH),arm64 amd64))
 endif
 endif
 # Enable static PIE binaries on supported platforms.
-GO_BUILD_STATIC := CGO_ENABLED=1 $(GO) build -trimpath $(GO_BUILDMODE_STATIC) \
+GO_BUILD_STATIC := $(GO) build -trimpath $(GO_BUILDMODE_STATIC) \
 $(EXTRA_FLAGS) -tags "$(BUILDTAGS) netgo osusergo" \
 -ldflags "$(LDFLAGS_COMMON) $(LDFLAGS_STATIC) $(EXTRA_LDFLAGS)"
 GPG_KEYID ?= asarai@suse.de
+# Some targets need cgo, which is disabled by default when cross compiling.
+# Enable cgo explicitly for those.
+# Both runc and libcontainer/integration need libcontainer/nsenter.
+runc static localunittest: export CGO_ENABLED=1
+# seccompagent needs libseccomp (when seccomp build tag is set).
+ifneq (,$(filter $(BUILDTAGS),seccomp))
+seccompagent: export CGO_ENABLED=1
+endif
+
 .DEFAULT: runc
 runc:
From 9164fe17a774d802c6ced945a86e9ad82ac3b4bb Mon Sep 17 00:00:00 2001
From: Akihiro Suda
Date: Thu, 28 Apr 2022 16:49:46 +0900
Subject: [PATCH 8/9] libct/seccomp: add riscv64
Co-authored-by: Kir Kolyshkin
Signed-off-by: Akihiro Suda
Signed-off-by: Kir Kolyshkin
(cherry picked from commit 1d7b297128d0d8914290b458333984625c4d1180)
---
 libcontainer/seccomp/config.go | 1 +
 libcontainer/seccomp/patchbpf/enosys_linux.go | 10 ++++++++++
 2 files changed, 11 insertions(+)
diff --git a/libcontainer/seccomp/config.go b/libcontainer/seccomp/config.go
index 98e08e8f0b6..2b15576ac90 100644
--- a/libcontainer/seccomp/config.go
+++ b/libcontainer/seccomp/config.go
@@ -66,6 +66,7 @@ var archs = map[string]string{
 "SCMP_ARCH_PPC": "ppc",
 "SCMP_ARCH_PPC64": "ppc64",
 "SCMP_ARCH_PPC64LE": "ppc64le",
+ "SCMP_ARCH_RISCV64": "riscv64",
 "SCMP_ARCH_S390": "s390",
 "SCMP_ARCH_S390X": "s390x",
 }
diff --git a/libcontainer/seccomp/patchbpf/enosys_linux.go b/libcontainer/seccomp/patchbpf/enosys_linux.go
index 7d4ec6a42e5..6376512b086 100644
--- a/libcontainer/seccomp/patchbpf/enosys_linux.go
+++ b/libcontainer/seccomp/patchbpf/enosys_linux.go
@@ -48,6 +48,13 @@ const uintptr_t C_FILTER_FLAG_LOG = SECCOMP_FILTER_FLAG_LOG;
 #endif
 const uintptr_t C_FILTER_FLAG_NEW_LISTENER = SECCOMP_FILTER_FLAG_NEW_LISTENER;
+#ifndef AUDIT_ARCH_RISCV64
+#ifndef EM_RISCV
+#define EM_RISCV 243
+#endif
+#define AUDIT_ARCH_RISCV64 (EM_RISCV|__AUDIT_ARCH_64BIT|__AUDIT_ARCH_LE)
+#endif
+
 // We use the AUDIT_ARCH_* values because those are the ones used by the kernel
 // and SCMP_ARCH_* sometimes has fake values (such as SCMP_ARCH_X32). But we
 // use so we get libseccomp's fallback definitions of AUDIT_ARCH_*.
@@ -67,6 +74,7 @@ const uint32_t C_AUDIT_ARCH_PPC64 = AUDIT_ARCH_PPC64;
 const uint32_t C_AUDIT_ARCH_PPC64LE = AUDIT_ARCH_PPC64LE;
 const uint32_t C_AUDIT_ARCH_S390 = AUDIT_ARCH_S390;
 const uint32_t C_AUDIT_ARCH_S390X = AUDIT_ARCH_S390X;
+const uint32_t C_AUDIT_ARCH_RISCV64 = AUDIT_ARCH_RISCV64;
 */
 import "C"
@@ -202,6 +210,8 @@ func archToNative(arch libseccomp.ScmpArch) (nativeArch, error) {
 return nativeArch(C.C_AUDIT_ARCH_S390), nil
 case libseccomp.ArchS390X:
 return nativeArch(C.C_AUDIT_ARCH_S390X), nil
+ case libseccomp.ArchRISCV64:
+ return nativeArch(C.C_AUDIT_ARCH_RISCV64), nil
 default:
 return invalidArch, fmt.Errorf("unknown architecture: %v", arch)
 }
From 0d93d7d13f0e5e017e3692a354215955de45faf7 Mon Sep 17 00:00:00 2001
From: Kir Kolyshkin
Date: Fri, 1 Apr 2022 14:28:38 -0700
Subject: [PATCH 9/9] release: add riscv64 binary
Signed-off-by: Kir Kolyshkin
(cherry picked from commit a14cc4059dfaec80537964bfad577fd5e102c947)
---
 Dockerfile | 3 ++-
 Makefile | 2 +-
 script/lib.sh | 3 +++
 3 files changed, 6 insertions(+), 2 deletions(-)
diff --git a/Dockerfile b/Dockerfile
index 9b9502a8a45..8c4138b6dae 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -18,6 +18,7 @@ RUN KEYFILE=/usr/share/keyrings/criu-repo-keyring.gpg; \
 gcc-arm-linux-gnueabihf libc-dev-armhf-cross \
 gcc-powerpc64le-linux-gnu libc-dev-ppc64el-cross \
 gcc-s390x-linux-gnu libc-dev-s390x-cross \
+ gcc-riscv64-linux-gnu libc-dev-riscv64-cross \
 curl \
 gawk \
 gcc \
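Review bot: The fallback block hardcodes `#define EM_RISCV 243` and composes AUDIT_ARCH_RISCV64 from it without a comment saying where the values come from, so a reader cannot tell whether 243 is authoritative or a guess; a line such as `// Fallback for headers that predate RISC-V; values mirror the kernel uapi <linux/elf-em.h> and <linux/audit.h>.` above `#ifndef AUDIT_ARCH_RISCV64` would settle that. Because this constant is what archToNative returns for riscv64 in the third hunk, a wrong value would presumably be compiled silently into the filter's architecture check rather than rejected, so provenance deserves stating more than for an ordinary constant. Consistency nit: the `C_AUDIT_ARCH_RISCV64` const in the second hunk and the new `case libseccomp.ArchRISCV64` are appended after the S390X entries, whereas config.go inserts riscv64 before the s390 entries; one ordering makes future arch additions easier to review. The `libseccomp.ArchRISCV64` identifier also requires a libseccomp-golang release that defines it, which this diff does not show being bumped.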
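Review bot: The new `gcc-riscv64-linux-gnu libc-dev-riscv64-cross \` line is appended after the s390x pair, breaking the alphabetical order the rest of the list follows, while the seccomp.sh argument list in the next hunk and the `-a` list in the Makefile hunk insert riscv64 before s390x; moving the line up one keeps the three lists consistent. Whether `libc-dev-riscv64-cross` exists in the image's base distribution cannot be checked from the diff (the static-PIE comment in the Makefile names Debian Bullseye), so that is worth confirming before the release image is rebuilt.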
@@ -52,7 +53,7 @@ RUN cd /tmp \
 ARG LIBSECCOMP_VERSION
 COPY script/seccomp.sh script/lib.sh /tmp/script/
 RUN mkdir -p /opt/libseccomp \
- && /tmp/script/seccomp.sh "$LIBSECCOMP_VERSION" /opt/libseccomp arm64 armel armhf ppc64le s390x
+ && /tmp/script/seccomp.sh "$LIBSECCOMP_VERSION" /opt/libseccomp arm64 armel armhf ppc64le riscv64 s390x
 ENV LIBSECCOMP_VERSION=$LIBSECCOMP_VERSION
 ENV LD_LIBRARY_PATH=/opt/libseccomp/lib
 ENV PKG_CONFIG_PATH=/opt/libseccomp/lib/pkgconfig
diff --git a/Makefile b/Makefile
index f0bc4b203eb..e3af9bc13cc 100644
--- a/Makefile
+++ b/Makefile
@@ -68,7 +68,7 @@ recvtty sd-helper seccompagent:
 static:
 $(GO_BUILD_STATIC) -o runc .
-releaseall: RELEASE_ARGS := "-a arm64 -a armel -a armhf -a ppc64le -a s390x"
+releaseall: RELEASE_ARGS := "-a arm64 -a armel -a armhf -a ppc64le -a riscv64 -a s390x"
 releaseall: release
 release: runcimage
diff --git a/script/lib.sh b/script/lib.sh
index 9afa0b4cba1..9fee8e29f38 100644
--- a/script/lib.sh
+++ b/script/lib.sh
@@ -23,6 +23,9 @@ function set_cross_vars() {
 ppc64le)
 HOST=powerpc64le-linux-gnu
 ;;
+ riscv64)
+ HOST=riscv64-linux-gnu
+ ;;
 s390x)
 HOST=s390x-linux-gnu
 ;;