Conversation

@kolyshkin
Contributor

@kolyshkin kolyshkin commented Jul 19, 2021

Carries #3054 (thanks to @kailun-qin).

What it takes is adding an empty buildid, which, together with the previously
added strip invocation, results in a reproducible build!

NB: earlier versions of this patch also added the following:

  1. non-random libseccomp install $prefix;
  2. objcopy --enable-deterministic-archives $prefix/lib/libseccomp.a
    to strip ar dates and UIDs/GIDs;
  3. -B=0x00 to EXTRA_LDFLAGS to have non-variable NT_GNU_BUILD_ID.

Apparently, all this is not needed with strip in place.

Fixes: #2947.
Closes: #3054.

1.0 backport: #3142

@kolyshkin
Contributor Author

CI failure in centos 7 is a glitch (hope we'll merge #3088 soon and see less of those failures). CI restarted.

not ok 17 checkpoint --pre-dump and restore
# (from function `fail' in file tests/integration/helpers.bash, line 276,
#  from function `runc_run_with_pipes' in file tests/integration/checkpoint.bats, line 73,
#  in test file tests/integration/checkpoint.bats, line 166)
#   `runc_run_with_pipes test_busybox' failed
# runc spec (status=0):
# 
# runc run -d test_busybox (status: 1):
# time="2021-07-19T21:40:40Z" level=error msg="unable to start container process: error during container init: error setting cgroup config for procHooks process: Unit runc-test_busybox.scope is not loaded."
# runc run failed

@kolyshkin kolyshkin force-pushed the reproducible-build branch from a351a3c to b1f95ae July 20, 2021 01:25
@AkihiroSuda AkihiroSuda added this to the 1.1.0 milestone Jul 20, 2021
kailun-qin and others added 2 commits July 27, 2021 13:58
This patch
* drops the default `-w` flag for `make static`, which helps with
  debugging the static runc binary;
* adds `EXTRA_LDFLAGS="-w -s"` to `script/release.sh` to disable DWARF
  generation and symbol table for the release runc binary;
* adds strip in `script/release.sh` for a further size-optimized release
  runc binary.

Signed-off-by: Kailun Qin <kailun.qin@intel.com>
What it takes is adding an empty buildid, which, together with the previously
added strip invocation, results in a reproducible build!

NB: earlier versions of this patch also added the following:

1. non-random libseccomp install $prefix;

2. "objcopy --enable-deterministic-archives $prefix/lib/libseccomp.a"
   to strip ar dates and UIDs/GIDs;

3. "-B=0x00" to EXTRA_LDFLAGS to have non-variable NT_GNU_BUILD_ID.

Apparently, all this is not needed with strip.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
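The two commit messages above give the release recipe: link with `EXTRA_LDFLAGS="-w -s"` plus an empty buildid and run strip afterwards, and the PR description says that combination is what makes the build reproducible. As an added example, not part of the runc PR or of `script/release.sh`, here is a small Go checker a release engineer could run on two independently built binaries: it hashes both and lists the ELF sections that such a link plus strip should have removed. The section names it looks for (`.note.go.buildid` for the Go tool build ID, `.symtab`, and the `.debug_*` DWARF sections) are my assumptions about what `-buildid=`, `-s` and `-w`/strip remove, not something the page states, and the `makeELF` helper plus its section lists are constructed test input so the code runs without a toolchain or a real runc binary.

```go
package main

import (
	"bytes"
	"crypto/sha256"
	"debug/elf"
	"encoding/binary"
	"encoding/hex"
	"fmt"
	"os"
	"strings"
)

// isUnwanted reports whether a section should be gone from a binary linked with
// "-w -s -buildid=" and then stripped. Assumption, not taken from the runc scripts:
// "-buildid=" drops the Go build ID note, "-s" the symbol table, "-w"/strip DWARF.
func isUnwanted(name string) bool {
	return name == ".note.go.buildid" || name == ".symtab" || strings.HasPrefix(name, ".debug_")
}

// AuditSections parses an ELF image and returns, in file order, the leftover sections.
func AuditSections(data []byte) ([]string, error) {
	f, err := elf.NewFile(bytes.NewReader(data))
	if err != nil {
		return nil, err
	}
	var leftovers []string
	for _, s := range f.Sections {
		if isUnwanted(s.Name) {
			leftovers = append(leftovers, s.Name)
		}
	}
	return leftovers, nil
}

// CompareBuilds hashes two build outputs; reproducible means identical digests.
func CompareBuilds(a, b []byte) (identical bool, digestA, digestB string) {
	ha, hb := sha256.Sum256(a), sha256.Sum256(b)
	return ha == hb, hex.EncodeToString(ha[:]), hex.EncodeToString(hb[:])
}

// makeELF builds a minimal little-endian ELF64 image (no code, no program headers)
// carrying the given section names plus .shstrtab. Constructed test input: debug/elf
// only needs the headers and the name table, so the checks run without a real binary.
func makeELF(names []string) []byte {
	all := append(append([]string(nil), names...), ".shstrtab")
	strtab := []byte{0}
	nameIdx := make([]uint32, len(all))
	for i, n := range all {
		nameIdx[i] = uint32(len(strtab))
		strtab = append(append(strtab, n...), 0)
	}
	const ehsize = 64 // Elf64_Ehdr size; Elf64_Shdr is 64 bytes as well
	shoff := (ehsize + len(strtab) + 7) &^ 7
	shnum := len(all) + 1 // index 0 is the mandatory SHN_UNDEF entry
	var buf bytes.Buffer
	binary.Write(&buf, binary.LittleEndian, elf.Header64{
		Ident:   [elf.EI_NIDENT]byte{0x7f, 'E', 'L', 'F', byte(elf.ELFCLASS64), byte(elf.ELFDATA2LSB), byte(elf.EV_CURRENT)},
		Type:    uint16(elf.ET_EXEC), Machine: uint16(elf.EM_X86_64), Version: uint32(elf.EV_CURRENT),
		Shoff:   uint64(shoff), Ehsize: ehsize, Shentsize: 64, Shnum: uint16(shnum), Shstrndx: uint16(shnum - 1),
	})
	buf.Write(strtab)
	buf.Write(make([]byte, shoff-buf.Len()))                // pad up to the section header table
	binary.Write(&buf, binary.LittleEndian, elf.Section64{}) // SHN_UNDEF
	for i := range names {
		binary.Write(&buf, binary.LittleEndian, elf.Section64{Name: nameIdx[i], Type: uint32(elf.SHT_PROGBITS)})
	}
	binary.Write(&buf, binary.LittleEndian, elf.Section64{
		Name: nameIdx[len(names)], Type: uint32(elf.SHT_STRTAB), Off: ehsize, Size: uint64(len(strtab)),
	})
	return buf.Bytes()
}

// Usage: go run reprocheck.go runc-build-A runc-build-B
func main() {
	if len(os.Args) != 3 {
		fmt.Fprintln(os.Stderr, "usage: reprocheck BINARY_A BINARY_B")
		os.Exit(2)
	}
	var images [][]byte
	for _, path := range os.Args[1:] {
		data, err := os.ReadFile(path)
		if err != nil {
			fmt.Fprintln(os.Stderr, err)
			os.Exit(1)
		}
		leftovers, err := AuditSections(data)
		if err != nil {
			fmt.Fprintln(os.Stderr, path, err)
			os.Exit(1)
		}
		fmt.Printf("%s: leftover sections %v\n", path, leftovers)
		images = append(images, data)
	}
	same, da, db := CompareBuilds(images[0], images[1])
	fmt.Printf("%s\n%s\nidentical: %v\n", da, db, same)
	if !same {
		os.Exit(1)
	}
}
```

Run it against the outputs of two independent runs of the release script (for example the CI artifact and a local one): a non-empty leftover list means the `-w -s -buildid=` and strip steps were not applied, and a digest mismatch means something else still varies between builds. Confirm the assumed section names against your own toolchain with `readelf -S` before relying on the list.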
Member

@cyphar cyphar left a comment


LGTM. :D

@cyphar
Member

cyphar commented Jul 29, 2021

This might be nice to backport to 1.0.x if we plan to do another release, just to make sure all future releases are reproducible.

@cyphar cyphar closed this in d962bb0 Jul 29, 2021
@cyphar cyphar merged commit d962bb0 into opencontainers:master Jul 29, 2021
@cyphar cyphar added the backport/1.0-todo A PR in main branch which needs to be backported to release-1.0 label Jul 29, 2021
@kolyshkin
Contributor Author

This might be nice to backport to 1.0.x if we plan to do another release, just to make sure all future releases are reproducible.

Done: #3142

@kolyshkin kolyshkin mentioned this pull request Aug 12, 2021
@kolyshkin kolyshkin added backport/1.0-done A PR in main branch which has been backported to release-1.0 and removed backport/1.0-todo A PR in main branch which needs to be backported to release-1.0 labels Nov 30, 2021
Successfully merging this pull request may close these issues.

release builds no longer reproducible