On 2019-09-09 19:24, Bruce Ashfield wrote:
> On Mon, Sep 9, 2019 at 6:34 AM Stefan Agner <[email protected]> wrote:
>>
>> On 2019-09-09 12:14, ChenQi wrote:
>> > On 09/09/2019 05:35 PM, Stefan Agner wrote:
>> >> Hi Chen,
>> >>
>> >> On 2019-08-07 03:14, Chen Qi wrote:
>> >>> Add a new PACKAGECONFIG, static, which when enabled will build
>> >>> runc as static. Default to enable it.
>> >>>
>> >>> We need this because we should allow users to build runc as not
>> >>> static so that when docker's cgroup driver is set to systemd,
>> >>> we don't get error.
>> >> Do you happen to know why we use statically linked runc by default? It
>> >> seems that distros nowadays use statically linked version of it.
>> >>
>> >> To some degree it seems that we overturn a distro decision here
>> >> (DISABLE_STATIC).
>> >>
>> >> --
>> >> Stefan
>> >>
>> >
>> > Please refer to
>> > https://lists.yoctoproject.org/pipermail/meta-virtualization/2019-August/004338.html
>> >
>>
>> Thanks for the link!
>>
>> > runc is one of those things that may need to be static in some
>> > configurations.
>> > Since it has security impact, updating runc (and the libc) should be done in
>> > parallel and this can cause problems otherwise.
>>
>> Hm, I don't completely get that argument, as in OE we normally do full
>> image updates. So libc will be updated with runc anyways.
>
> Some do .. many don't in the container based systems. In fact, for my
> meta-virt use cases, there's *never* a full image update.
>
>>
>> Also that argument you can make for every component, not sure why runc
>> is that special.
>
> runc is very much plumbing in a lot of the setups that I know about.
> It is used in some small systems (more 'small' in terms of
> functionality and runtime complexity, not disk space) for starting
> very early (but yet containerized) processes. And for the
> container-in-container use cases, it is used as a shared runtime (bind
> mounted, etc), which allows it to be atomically updated for a system
> .. etc, etc.

Ok, that of course is a good reason to use a statically linked binary.
Thanks for elaborating.

--
Stefan

>
>>
>> >
>> > Now, that doesn't mean it HAS to be static, but it should be a
>> > configuration and may be wise to have as the default to be static.
>>
>> ...
>>
>> > So PACKAGECONFIG is the right answer here. I'm not sure what the right
>> > default for the recipe is.... but in the end the user's configuration and
>> > distro can and should be able to select what they want.
>>
>> IMHO, default should be dynamically linked since this is the default in
>> OE in general. Also since OE images are commonly updated as a whole and
>> in embedded we often care more about space saving.
>>
>> Anyways, good there is a package config now, and now that I know the
>> reasons it is compiled statically by default I can safely flip that
>> switch for our distro.
>
> Indeed. That's why I wanted it to be a packageconfig, everyone can
> choose what best suits their distro.
>
> Cheers,
>
> Bruce
>
>>
>> --
>> Stefan
>>
>>
>> > Best Regards,
>> > Chen Qi
>> >
>> >>> Signed-off-by: Chen Qi <[email protected]> >> >>> --- >> >>> ...-GOBUILDFLAGS-for-runc-and-remove-re.patch | 35 +++++++++++++++++++ >> >>> ...ld-drop-recvtty-and-use-GOBUILDFLAGS.patch | 22 ------------ >> >>> recipes-containers/runc/runc-docker_git.bb | 2 +- >> >>> .../runc/runc-opencontainers_git.bb | 1 + >> >>> recipes-containers/runc/runc.inc | 10 ++++-- >> >>> 5 files changed, 45 insertions(+), 25 deletions(-) >> >>> create mode 100644 >> >>> recipes-containers/runc/files/0001-Makefile-respect-GOBUILDFLAGS-for-runc-and-remove-re.patch >> >>> delete mode 100644 >> >>> recipes-containers/runc/runc-docker/0001-build-drop-recvtty-and-use-GOBUILDFLAGS.patch 
>> >>> >> >>> diff --git >> >>> a/recipes-containers/runc/files/0001-Makefile-respect-GOBUILDFLAGS-for-runc-and-remove-re.patch >> >>> b/recipes-containers/runc/files/0001-Makefile-respect-GOBUILDFLAGS-for-runc-and-remove-re.patch >> >>> new file mode 100644 >> >>> index 0000000..94cbb4c >> >>> --- /dev/null >> >>> +++ >> >>> b/recipes-containers/runc/files/0001-Makefile-respect-GOBUILDFLAGS-for-runc-and-remove-re.patch 
>> >>> @@ -0,0 +1,35 @@ >> >>> +From d2c47a973f354ffd505bb4e809c59e57b543726d Mon Sep 17 00:00:00 2001 >> >>> +From: Chen Qi <[email protected]> >> >>> +Date: Tue, 6 Aug 2019 19:01:45 +0800 >> >>> +Subject: [PATCH] Makefile: respect GOBUILDFLAGS for runc and remove >> >>> recvtty >> >>> + from static >> >>> + >> >>> +Signed-off-by: Chen Qi <[email protected]> >> >>> +--- >> >>> + Makefile | 3 +-- >> >>> + 1 file changed, 1 insertion(+), 2 deletions(-) >> >>> + >> >>> +diff --git a/Makefile b/Makefile >> >>> +index 0f26a1c8..a0c6b40b 100644 >> >>> +--- a/src/import/Makefile >> >>> ++++ b/src/import/Makefile >> >>> +@@ -30,7 +30,7 @@ SHELL := $(shell command -v bash 2>/dev/null) >> >>> + .DEFAULT: runc >> >>> + >> >>> + runc: $(SOURCES) >> >>> +- $(GO) build -buildmode=pie $(EXTRA_FLAGS) -ldflags "-X >> >>> main.gitCommit=${COMMIT} -X main.version=${VERSION} $(EXTRA_LDFLAGS)" >> >>> -tags "$(BUILDTAGS)" -o runc . >> >>> ++ $(GO) build $(GOBUILDFLAGS) $(EXTRA_FLAGS) -ldflags "-X >> >>> main.gitCommit=${COMMIT} -X main.version=${VERSION} $(EXTRA_LDFLAGS)" >> >>> -tags "$(BUILDTAGS)" -o runc . >> >>> + >> >>> + all: runc recvtty >> >>> + >> >>> +@@ -41,7 +41,6 @@ contrib/cmd/recvtty/recvtty: $(SOURCES) >> >>> + >> >>> + static: $(SOURCES) >> >>> + CGO_ENABLED=1 $(GO) build $(EXTRA_FLAGS) -tags "$(BUILDTAGS) netgo >> >>> osusergo static_build" -installsuffix netgo -ldflags "-w -extldflags >> >>> -static -X main.gitCommit=${COMMIT} -X main.version=${VERSION} >> >>> $(EXTRA_LDFLAGS)" -o runc . >> >>> +- CGO_ENABLED=1 $(GO) build $(EXTRA_FLAGS) -tags "$(BUILDTAGS) netgo >> >>> osusergo static_build" -installsuffix netgo -ldflags "-w -extldflags >> >>> -static -X main.gitCommit=${COMMIT} -X main.version=${VERSION} >> >>> $(EXTRA_LDFLAGS)" -o contrib/cmd/recvtty/recvtty ./contrib/cmd/recvtty >> >>> + >> >>> + release: >> >>> + script/release.sh -r release/$(VERSION) -v $(VERSION) >> >>> +-- >> >>> +2.17.1 >> >>> + 
>> >>> diff --git >> >>> a/recipes-containers/runc/runc-docker/0001-build-drop-recvtty-and-use-GOBUILDFLAGS.patch >> >>> b/recipes-containers/runc/runc-docker/0001-build-drop-recvtty-and-use-GOBUILDFLAGS.patch >> >>> deleted file mode 100644 >> >>> index 9ba9957..0000000 >> >>> --- >> >>> a/recipes-containers/runc/runc-docker/0001-build-drop-recvtty-and-use-GOBUILDFLAGS.patch >> >>> +++ /dev/null >> >>> @@ -1,22 +0,0 @@ >> >>> -From a9a2b9e72027d0b2357f6dfe8b154762aaa8dd02 Mon Sep 17 00:00:00 2001 >> >>> -From: Bruce Ashfield <[email protected]> >> >>> -Date: Thu, 19 Apr 2018 16:39:41 -0400 >> >>> -Subject: [PATCH] build: drop recvtty and use GOBUILDFLAGS >> >>> - >> >>> -Signed-off-by: Bruce Ashfield <[email protected]> >> >>> ---- >> >>> - Makefile | 3 +-- >> >>> - 1 file changed, 1 insertion(+), 2 deletions(-) >> >>> - >> >>> -Index: git/src/import/Makefile >> >>> -=================================================================== >> >>> ---- git.orig/src/import/Makefile >> >>> -+++ git/src/import/Makefile >> >>> -@@ -41,7 +41,6 @@ >> >>> - >> >>> - static: $(SOURCES) >> >>> - CGO_ENABLED=1 $(GO) build $(EXTRA_FLAGS) -tags "$(BUILDTAGS) netgo >> >>> osusergo static_build" -installsuffix netgo -ldflags "-w -extldflags >> >>> -static -X main.gitCommit=${COMMIT} -X main.version=${VERSION} >> >>> $(EXTRA_LDFLAGS)" -o runc . >> >>> -- CGO_ENABLED=1 $(GO) build $(EXTRA_FLAGS) -tags "$(BUILDTAGS) netgo >> >>> osusergo static_build" -installsuffix netgo -ldflags "-w -extldflags >> >>> -static -X main.gitCommit=${COMMIT} -X main.version=${VERSION} >> >>> $(EXTRA_LDFLAGS)" -o contrib/cmd/recvtty/recvtty ./contrib/cmd/recvtty >> >>> - >> >>> - release: >> >>> - script/release.sh -r release/$(VERSION) -v $(VERSION) >> >>> diff --git a/recipes-containers/runc/runc-docker_git.bb >> >>> b/recipes-containers/runc/runc-docker_git.bb >> >>> index 2bf6222..c9f460b 100644 >> >>> --- a/recipes-containers/runc/runc-docker_git.bb 
>> >>> +++ b/recipes-containers/runc/runc-docker_git.bb >> >>> @@ -5,7 +5,7 @@ include runc.inc >> >>> SRCREV_runc-docker = "425e105d5a03fabd737a126ad93d62a9eeede87f" >> >>> SRC_URI = >> >>> "git://github.com/opencontainers/runc;nobranch=1;name=runc-docker \ >> >>> file://0001-runc-Add-console-socket-dev-null.patch \ >> >>> - file://0001-build-drop-recvtty-and-use-GOBUILDFLAGS.patch \ >> >>> + >> >>> file://0001-Makefile-respect-GOBUILDFLAGS-for-runc-and-remove-re.patch >> >>> \ >> >>> file://0001-runc-docker-SIGUSR1-daemonize.patch \ >> >>> " >> >>> diff --git a/recipes-containers/runc/runc-opencontainers_git.bb >> >>> b/recipes-containers/runc/runc-opencontainers_git.bb >> >>> index 76ab794..361bc94 100644 >> >>> --- a/recipes-containers/runc/runc-opencontainers_git.bb >> >>> +++ b/recipes-containers/runc/runc-opencontainers_git.bb >> >>> @@ -3,5 +3,6 @@ include runc.inc >> >>> SRCREV = "652297c7c7e6c94e8d064ad5916c32891a6fd388" >> >>> SRC_URI = " \ >> >>> git://github.com/opencontainers/runc;branch=master \ >> >>> + >> >>> file://0001-Makefile-respect-GOBUILDFLAGS-for-runc-and-remove-re.patch \ >> >>> " >> >>> RUNC_VERSION = "1.0.0-rc8" >> >>> diff --git a/recipes-containers/runc/runc.inc >> >>> b/recipes-containers/runc/runc.inc >> >>> index 46fd09d..41ea41b 100644 >> >>> --- a/recipes-containers/runc/runc.inc >> >>> +++ b/recipes-containers/runc/runc.inc >> >>> @@ -14,8 +14,10 @@ inherit go >> >>> inherit goarch >> >>> inherit pkgconfig >> >>> -PACKAGECONFIG ??= "" >> >>> +PACKAGECONFIG ??= "static" >> >>> PACKAGECONFIG[seccomp] = "seccomp,,libseccomp" >> >>> +# This PACKAGECONFIG serves the purpose of whether building runc as >> >>> static or not >> >>> +PACKAGECONFIG[static] = "" >> >>> PROVIDES += "virtual/runc" >> >>> RPROVIDES_${PN} = "virtual/runc" 
>> >>> @@ -54,7 +56,11 @@ do_compile() { >> >>> export CFLAGS="" >> >>> export LDFLAGS="" >> >>> - oe_runmake static >> >>> + if ${@bb.utils.contains('PACKAGECONFIG', 'static', 'true', 'false', >> >>> d)}; then >> >>> + oe_runmake static >> >>> + else >> >>> + oe_runmake runc >> >>> + fi >> >>> } >> >>> do_install() { >> >>> -- 2.17.1 >> -- >> _______________________________________________ >> meta-virtualization mailing list >> [email protected] >> https://lists.yoctoproject.org/listinfo/meta-virtualization -- _______________________________________________ meta-virtualization mailing list [email protected] https://lists.yoctoproject.org/listinfo/meta-virtualization
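
Review bot: In the `runc:` target of the embedded Makefile patch, `-buildmode=pie` is replaced by `$(GOBUILDFLAGS)`, so the dynamically linked binary is position-independent only if the recipe's GOBUILDFLAGS supplies that flag, and nothing in this patch shows that it does. Either keep `-buildmode=pie` alongside `$(GOBUILDFLAGS)` or say in the patch description where the flag now comes from. The `static:` target still does not take `$(GOBUILDFLAGS)`, so the two PACKAGECONFIG settings build with different flag sets, which deserves a sentence as well. The new patch file's header also carries no Upstream-Status line, which the OE patch guidelines ask for.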
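
Review bot: In the runc.inc hunk at `PACKAGECONFIG ??= "static"`, the default is weak, so any distro or local.conf that already assigns PACKAGECONFIG for runc (for instance to turn on `seccomp`) drops `static` and silently moves from `oe_runmake static` to `oe_runmake runc`. Please call out that behaviour change in the commit message. The comment above `PACKAGECONFIG[static] = ""` would also be more useful if it stated when to disable the option (the systemd cgroup driver case from the commit message) instead of restating the option name.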
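
Review bot: In the do_compile hunk, the new `else` branch runs `oe_runmake runc` under the `export CFLAGS=""` and `export LDFLAGS=""` lines just above it, so the dynamically linked build is also compiled and linked with both cleared. If the clearing was only needed for the static link, move it inside the `static` branch; if it is intended for both, a short comment saying so would make that explicit.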
