k3s/1.32.0.1 package update #39284

Merged
merged 6 commits into from
Jan 24, 2025

octo-sts[bot]
@octo-sts octo-sts bot commented Jan 10, 2025

Signed-off-by: wolfi-bot <121097084+wolfi-bot@users.noreply.github.com>
@octo-sts octo-sts bot added request-version-update request for a newer version of a package automated pr P1 This label indicates our scanning found High, Medium or Low CVEs for these packages. bincapz/pass bincapz/pass Bincapz (aka. malcontent) scan didn't detect any CRITICALs on the scanned packages. auto-approver-bot/initial-checks-failed labels Jan 10, 2025
@imjasonh imjasonh self-assigned this Jan 13, 2025
@debasishbsws
debasishbsws commented Jan 21, 2025

The test is failing on the following command:

```
strings $(which k3s) | grep -q "libseccomp"
```

Previously, this command produced the following output:

```
$ strings $(which k3s) | grep "libseccomp"
2025/01/21 17:11:29 INFO dep    github.com/seccomp/libseccomp-golang    v0.10.0    h1:aA4bp+/Zzi0BnWZ2F1wgNBs5gTpm+na2rWM6M9YjLpY=
github.com/seccomp/libseccomp-golang.init
github.com/seccomp/libseccomp-golang._Cfunc_get_major_version
github.com/seccomp/libseccomp-golang._Cfunc_get_micro_version
github.com/seccomp/libseccomp-golang._Cfunc_get_minor_version
github.com/seccomp/libseccomp-golang._Cfunc_seccomp_api_get
github.com/seccomp/libseccomp-golang.init.0
github.com/seccomp/libseccomp-golang.getAPI
/var/cache/melange/gomodcache/github.com/seccomp/libseccomp-golang@v0.10.0/seccomp_internal.go
/var/cache/melange/gomodcache/github.com/seccomp/libseccomp-golang@v0.10.0/seccomp.go
dep    github.com/seccomp/libseccomp-golang    v0.10.0    h1:aA4bp+/Zzi0BnWZ2F1wgNBs5gTpm+na2rWM6M9YjLpY=
```

Currently, we're setting STATIC_BUILD=true before running ./scripts/build, which should configure everything as per the script. However, it seems like the new version isn't building with the required libseccomp bindings.

```sh
...
if [ -n "${DEBUG}" ]; then
  GCFLAGS="-N -l"
else
  LDFLAGS="-w -s"
fi

STATIC="
    -extldflags '-static -lm -ldl -lz -lpthread'
"
TAGS="ctrd apparmor seccomp netcgo osusergo providerless urfave_cli_no_docs"
RUNC_TAGS="apparmor seccomp"
RUNC_STATIC="static"

if [ ${OS} = windows ]; then
    TAGS="ctrd netcgo osusergo providerless"
fi

if [ "$SELINUX" = "true" ]; then
    TAGS="$TAGS selinux"
    RUNC_TAGS="$RUNC_TAGS selinux"
fi

if [ "$STATIC_BUILD" != "true" ]; then
    STATIC="
"
    RUNC_STATIC=""
else
    TAGS="static_build libsqlite3 $TAGS"
fi

if [ -n "${GOCOVER}" ]; then
    BLDFLAGS="-cover"
    TAGS="cover $TAGS"
fi

mkdir -p bin
...
```

Signed-off-by: Jason Hall <jason@chainguard.dev>
@joshrwolf joshrwolf left a comment

I'm not convinced this bump didn't decouple libseccomp as a dependency, so simply checking the go build tags fixes the test, but we might just be able to remove the test entirely OR we're no longer building with libseccomp-static

checking this out now...


@joshrwolf joshrwolf left a comment

alright looks like the upstream binary no longer includes libseccomp, so I think these new tests are good and at least protect us from messing up the build flags!
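
One way to check the recorded Go build tags instead of grepping `strings` output for a dependency name, as an added example that is not the test from this PR. It assumes the text format printed by `go version -m <binary>`; the function names and the sample build info are constructed for illustration, and the tag names are taken from the build script excerpt quoted above.

```shell
#!/bin/sh
# Added example (not the PR's test): confirm that the build tags recorded in a
# Go binary's embedded build info include the ones the build script sets.

# Constructed sample of `go version -m` output; $1 is the comma-separated tag
# list to embed. Module path and Go version are placeholders, not real values.
sample_buildinfo() {
    printf '%s\n' '/usr/bin/k3s: go1.x'
    printf '\tpath\t%s\n' 'example.invalid/cmd/server'
    printf '\tbuild\t%s\n' '-buildmode=exe' "-tags=$1" 'CGO_ENABLED=1'
}

# Reads `go version -m` text on stdin and prints one build tag per line.
build_tags() {
    awk -F'\t' '$2 == "build" && index($3, "-tags=") == 1 { print substr($3, 7) }' |
        tr ',' '\n'
}

# Reads build info on stdin; prints the required tags ($@) that are absent.
# Returns 0 only when every required tag is recorded in the binary.
missing_tags() {
    have=$(build_tags)
    missing=""
    for want in "$@"; do
        # -x -F: literal whole-line match, so "seccomp" never matches "noseccomp".
        printf '%s\n' "$have" | grep -qxF -- "$want" || missing="$missing $want"
    done
    missing=${missing# }
    if [ -n "$missing" ]; then
        printf '%s\n' "$missing"
        return 1
    fi
    return 0
}

# Demo on the constructed sample, using the tags a static build is expected to set.
# Against a real binary (assumes the Go toolchain is installed):
#   go version -m "$(which k3s)" | missing_tags static_build seccomp apparmor
sample_buildinfo 'static_build,libsqlite3,ctrd,apparmor,seccomp,netcgo,osusergo' |
    missing_tags static_build seccomp apparmor &&
    echo "ok: required build tags are recorded"
```

Unlike a `strings | grep` on a module name, this check keeps passing when a dependency is dropped upstream, and it still fails if a required tag is lost from the build flags.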

@joshrwolf joshrwolf merged commit dbdbb84 into main Jan 24, 2025
15 checks passed
@joshrwolf joshrwolf deleted the wolfictl-3be59e4e-326c-4c1f-8b20-f373f22f78df branch January 24, 2025 17:35
Labels
auto-approver-bot/initial-checks-failed automated pr bincapz/pass bincapz/pass Bincapz (aka. malcontent) scan didn't detect any CRITICALs on the scanned packages. manual/review-needed P1 This label indicates our scanning found High, Medium or Low CVEs for these packages. request-version-update request for a newer version of a package