
script/release.sh: make builds reproducible #3099

Merged
merged 2 commits into from
Jul 29, 2021

Conversation

kolyshkin
Contributor

@kolyshkin kolyshkin commented Jul 19, 2021

Carries #3054 (thanks to @kailun-qin).

What it takes is adding an empty buildid, which, together with the previously
added strip invocation, results in a reproducible build!

NB: earlier versions of this patch also added the following:

  1. non-random libseccomp install $prefix;
  2. objcopy --enable-deterministic-archives $prefix/lib/libseccomp.a
    to strip ar dates and UIDs/GIDs;
  3. -B=0x00 to EXTRA_LDFLAGS to have non-variable NT_GNU_BUILD_ID.

Apparently, all this is not needed with strip in place.

Fixes: #2947.
Closes: #3054.

1.0 backport: #3142

@kolyshkin
Contributor Author

CI failure in centos 7 is a glitch (hope we'll merge #3088 soon and see less of those failures). CI restarted.

not ok 17 checkpoint --pre-dump and restore
# (from function `fail' in file tests/integration/helpers.bash, line 276,
#  from function `runc_run_with_pipes' in file tests/integration/checkpoint.bats, line 73,
#  in test file tests/integration/checkpoint.bats, line 166)
#   `runc_run_with_pipes test_busybox' failed
# runc spec (status=0):
# 
# runc run -d test_busybox (status: 1):
# time="2021-07-19T21:40:40Z" level=error msg="unable to start container process: error during container init: error setting cgroup config for procHooks process: Unit runc-test_busybox.scope is not loaded."
# runc run failed

@AkihiroSuda AkihiroSuda added this to the 1.1.0 milestone Jul 20, 2021
kailun-qin and others added 2 commits July 27, 2021 13:58
This patch
* drops the default `-w` flag for `make static`, which helps with
  debugging the static runc binary;
* adds `EXTRA_LDFLAGS="-w -s"` to `script/release.sh` to disable DWARF
  generation and symbol table for the release runc binary;
* adds strip in `script/release.sh` for a further size-optimized release
  runc binary.

Signed-off-by: Kailun Qin <kailun.qin@intel.com>
What it takes is adding an empty buildid, which, together with the previously
added strip invocation, results in a reproducible build!

NB: earlier versions of this patch also added the following:

1. non-random libseccomp install $prefix;

2. "objcopy --enable-deterministic-archives $prefix/lib/libseccomp.a"
   to strip ar dates and UIDs/GIDs;

3. "-B=0x00" to EXTRA_LDFLAGS to have non-variable NT_GNU_BUILD_ID.

Apparently, all this is not needed with strip.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
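The PR description and the second commit message above make the same point: a build ID that changes from run to run is enough to make two otherwise identical runc binaries differ byte for byte, and emptying that ID (plus strip) is what restores reproducibility. The following Python script is an added example, not code from runc or from this PR, that makes the effect visible: it walks the PT_NOTE segments of an ELF64 little-endian binary, reports any NT_GNU_BUILD_ID note (the note item 3 of the list refers to) and any Go linker build-ID note, and compares two binaries by SHA-256. The sample "binaries" are constructed in memory with a minimal ELF header so the script runs offline; the Go note layout (name "Go", note type 4) is stated from my understanding of the Go linker and is an assumption here, not something this page documents.

```python
"""Added example (not runc's code): show how a per-build ID note breaks
bit-for-bit reproducibility and how to check two binaries for it.

Assumptions: little-endian ELF64 only; the sample binaries below are
constructed in memory and are not real compiler output.
"""
import struct
from hashlib import sha256
from typing import Dict, Iterator, Optional, Tuple

PT_NOTE = 4
NT_GNU_BUILD_ID = 3   # "GNU" note carrying the linker build-id
NT_GO_BUILD_ID = 4    # "Go" note written by the Go linker (assumed layout)


def _pad4(b: bytes) -> bytes:
    return b + b"\0" * (-len(b) % 4)


def elf_note(name: bytes, ntype: int, desc: bytes) -> bytes:
    """Encode one ELF note: namesz, descsz, type, then 4-byte padded name and desc."""
    name = name + b"\0"
    return struct.pack("<III", len(name), len(desc), ntype) + _pad4(name) + _pad4(desc)


def iter_notes(blob: bytes) -> Iterator[Tuple[bytes, int, bytes]]:
    """Decode consecutive notes from a PT_NOTE segment."""
    off = 0
    while off + 12 <= len(blob):
        namesz, descsz, ntype = struct.unpack_from("<III", blob, off)
        off += 12
        name = blob[off:off + namesz].rstrip(b"\0")
        off += (namesz + 3) & ~3
        desc = blob[off:off + descsz]
        off += (descsz + 3) & ~3
        yield name, ntype, desc


def build_ids(data: bytes) -> Dict[str, Optional[str]]:
    """Walk the program headers and return the GNU and Go build IDs, if present."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("example handles little-endian ELF64 only")
    (e_phoff,) = struct.unpack_from("<Q", data, 32)
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)
    found: Dict[str, Optional[str]] = {"GNU": None, "Go": None}
    for i in range(e_phnum):
        p_type, _flags, p_off, _va, _pa, p_filesz = struct.unpack_from(
            "<IIQQQQ", data, e_phoff + i * e_phentsize)
        if p_type != PT_NOTE:
            continue
        for name, ntype, desc in iter_notes(data[p_off:p_off + p_filesz]):
            if name == b"GNU" and ntype == NT_GNU_BUILD_ID:
                found["GNU"] = desc.hex()
            elif name == b"Go" and ntype == NT_GO_BUILD_ID:
                found["Go"] = desc.decode("ascii", "replace")
    return found


def reproducibility_report(a: bytes, b: bytes) -> dict:
    """Compare two binaries: are they identical, and which build IDs do they carry?"""
    ha, hb = sha256(a).hexdigest(), sha256(b).hexdigest()
    return {"identical": ha == hb, "sha256": (ha, hb),
            "build_ids": (build_ids(a), build_ids(b))}


# --- constructed sample "binaries" (not real toolchain output) ---------------
def fake_elf(gnu_id: Optional[bytes], go_id: Optional[str], payload: bytes) -> bytes:
    """Minimal ELF64: header, one PT_NOTE program header, notes, then payload."""
    notes = b""
    if gnu_id is not None:
        notes += elf_note(b"GNU", NT_GNU_BUILD_ID, gnu_id)
    if go_id is not None:
        notes += elf_note(b"Go", NT_GO_BUILD_ID, go_id.encode())
    note_off = 64 + 56  # notes follow the ELF header (64) and one phdr (56)
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\0" * 8
    ehdr = struct.pack("<16sHHIQQQIHHHHHH", ident, 2, 0x3E, 1, 0, 64, 0, 0,
                       64, 56, 1, 64, 0, 0)
    phdr = struct.pack("<IIQQQQQQ", PT_NOTE, 4, note_off, 0, 0,
                       len(notes), len(notes), 4)
    return ehdr + phdr + notes + payload


PAYLOAD = b"\x90" * 32  # constructed stand-in for identical code and data

if __name__ == "__main__":
    varying = reproducibility_report(
        fake_elf(b"\xaa" * 20, "buildid-of-run-1", PAYLOAD),
        fake_elf(b"\xbb" * 20, "buildid-of-run-2", PAYLOAD))
    stripped = reproducibility_report(
        fake_elf(None, None, PAYLOAD), fake_elf(None, None, PAYLOAD))
    print("with per-build IDs: identical =", varying["identical"], varying["build_ids"])
    print("with IDs removed:   identical =", stripped["identical"])
```

On a real release the check is simply rebuilding with the release script and comparing checksums; the value of parsing the notes is in the failure case, where a build-ID mismatch points at the linker flags rather than at a difference in the code itself.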
Member

@cyphar cyphar left a comment


LGTM. :D

@cyphar
Member

cyphar commented Jul 29, 2021

This might be nice to backport to 1.0.x if we plan to do another release, just to make sure all future releases are reproducible.

@cyphar cyphar closed this in d962bb0 Jul 29, 2021
@cyphar cyphar merged commit d962bb0 into opencontainers:master Jul 29, 2021
@cyphar cyphar added the backport/todo/1.0 A PR in main branch which needs to be backported to release-1.0 label Jul 29, 2021
@kolyshkin
Contributor Author

> This might be nice to backport to 1.0.x if we plan to do another release, just to make sure all future releases are reproducible.

Done: #3142

@kolyshkin kolyshkin mentioned this pull request Aug 12, 2021
@kolyshkin kolyshkin added backport/done/1.0 A PR in main branch which was backported to release-1.0 and removed backport/todo/1.0 A PR in main branch which needs to be backported to release-1.0 labels Nov 30, 2021
Linked issue closed by this pull request: release builds no longer reproducible