From 9ef3fa52d049d5c9ffebcbcbd9d2dd7598fd6685 Mon Sep 17 00:00:00 2001 From: Bruce Ashfield Date: Mon, 12 Sep 2022 15:34:59 -0400 Subject: containerd: improve reproducibility We get the following QA warning on build: WARNING: containerd-opencontainers-v1.6.8+gitAUTOINC+579a6380ec-r0 do_package_qa: QA Issue: File /usr/bin/containerd-shim-runc-v2 in package containerd-opencontainers contains reference to TMPDIR File /usr/bin/containerd-ctr in package containerd-opencontainers contains reference to TMPDIR File /usr/bin/containerd-shim-runc-v1 in package containerd-opencontainers contains reference to TMPDIR File /usr/bin/containerd in package containerd-opencontainers contains reference to TMPDIR File /usr/bin/containerd-shim in package containerd-opencontainers contains reference to TMPDIR [buildpaths] This is the first step in fixing the QA warning, by dropping our debug patch, passing -trimpath and not defining GO_DEBUG. This leaves a final reference similar to: path _/opt/poky/build/tmp/work/core2-64-poky-linux/containerd-opencontainers/v1.6.8+gitAUTOINC+579a6380ec-r0/git/src/import/cmd/ctr That is being stored in the .rodata of the binaries. Signed-off-by: Bruce Ashfield
---
 .../0001-Add-build-option-GODEBUG-1.patch | 32 ----------------------
 ...uild-don-t-use-gcflags-to-define-trimpath.patch | 30 ++++++++++++++++++++
 .../containerd/containerd-opencontainers_git.bb | 6 ++--
 3 files changed, 33 insertions(+), 35 deletions(-)
 delete mode 100644 recipes-containers/containerd/containerd-opencontainers/0001-Add-build-option-GODEBUG-1.patch
 create mode 100644 recipes-containers/containerd/containerd-opencontainers/0001-build-don-t-use-gcflags-to-define-trimpath.patch
diff --git a/recipes-containers/containerd/containerd-opencontainers/0001-Add-build-option-GODEBUG-1.patch b/recipes-containers/containerd/containerd-opencontainers/0001-Add-build-option-GODEBUG-1.patch
deleted file mode 100644
index 8b43c8a0..00000000
--- a/recipes-containers/containerd/containerd-opencontainers/0001-Add-build-option-GODEBUG-1.patch
+++ /dev/null
@@ -1,32 +0,0 @@
-From 84874e47aa2025b8e73df0286c44f3b8a1d9fdb2 Mon Sep 17 00:00:00 2001
-From: Hongxu Jia
-Date: Mon, 2 Sep 2019 16:20:07 +0800
-Subject: [PATCH] Add build option "GODEBUG=1"
-
-Make will generate GDB friendly binary with this build option.
-
-Signed-off-by: Hui Zhu
-
-Upstream-Status: Backport [c5a0c7f491b435e4eb45972903b00e2d8ed46495]
-
-Partly backport and refresh to v1.2.7
-Signed-off-by: Hongxu Jia
----
- src/import/Makefile | 8 ++++++--
- 1 file changed, 6 insertions(+), 2 deletions(-)
-
-Index: git/src/import/Makefile
-===================================================================
---- git.orig/src/import/Makefile 2020-10-12 08:09:41.638977052 -0700
-+++ git/src/import/Makefile 2020-10-12 08:10:49.783074373 -0700
-@@ -72,6 +72,10 @@
- COMMANDS=ctr containerd containerd-stress
- MANPAGES=ctr.8 containerd.8 containerd-config.8 containerd-config.toml.5
-
-+ifndef GODEBUG
-+ EXTRA_LDFLAGS += -s -w
-+endif
-+
- ifdef BUILDTAGS
- GO_BUILDTAGS = ${BUILDTAGS}
- endif
diff --git a/recipes-containers/containerd/containerd-opencontainers/0001-build-don-t-use-gcflags-to-define-trimpath.patch b/recipes-containers/containerd/containerd-opencontainers/0001-build-don-t-use-gcflags-to-define-trimpath.patch
new file mode 100644
index 00000000..f1dea5a4
--- /dev/null
+++ b/recipes-containers/containerd/containerd-opencontainers/0001-build-don-t-use-gcflags-to-define-trimpath.patch
@@ -0,0 +1,30 @@
+From 9174091fa1624dbb09ce812792a4102dff693541 Mon Sep 17 00:00:00 2001
+From: Bruce Ashfield
+Date: Mon, 12 Sep 2022 15:40:08 -0400
+Subject: [PATCH] build: don't use gcflags to define trimpath
+
+We can pass trimpath in via environment variables. The gcflags
+definition of trimpath is for older go versions and is using the
+complete path for trimming. If the variable is captured in the
+resulting binary, we have a reproducibility and QA issue.
+
+Signed-off-by: Bruce Ashfield
+---
+ Makefile | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git git.orig/src/import/Makefile git.orig/src/import/Makefile
+index 4a6c13042..debb57925 100644
+--- git.orig/src/import/Makefile
++++ git.orig/src/import/Makefile
+@@ -130,7 +130,6 @@ TESTFLAGS_RACE=
+ # See Golang issue re: '-trimpath': https://github.com/golang/go/issues/13809
+ GO_GCFLAGS=$(shell \
+ set -- ${GOPATHS}; \
+- echo "-gcflags=-trimpath=$${1}/src"; \
+ )
+
+ BINARIES=$(addprefix bin/,$(COMMANDS))
+--
+2.19.1
+
diff --git a/recipes-containers/containerd/containerd-opencontainers_git.bb b/recipes-containers/containerd/containerd-opencontainers_git.bb
index af91a22b..edc3a5cb 100644
--- a/recipes-containers/containerd/containerd-opencontainers_git.bb
+++ b/recipes-containers/containerd/containerd-opencontainers_git.bb
@@ -7,8 +7,8 @@ DESCRIPTION = "containerd is a daemon to control runC, built for performance and SRCREV = "579a6380ec93ab92a6e7f26167fe4f18dfcf2a4b" SRC_URI = "git://github.com/containerd/containerd;branch=release/1.6;protocol=https \
- file://0001-Add-build-option-GODEBUG-1.patch \
 file://0001-Makefile-allow-GO_BUILD_FLAGS-to-be-externally-speci.patch \
+ file://0001-build-don-t-use-gcflags-to-define-trimpath.patch \
 " # Apache-2.0 for containerd
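Review bot: The new 0001-build-don-t-use-gcflags-to-define-trimpath.patch has no `Upstream-Status:` line in its header, although the patch it replaces carried `Upstream-Status: Backport [...]`. Without that tag the recipe no longer records where this carried change stands relative to upstream, and OE patch-status checks may flag it. Add a line such as `Upstream-Status: Pending` (or whichever status actually applies) beside the Signed-off-by. Inside the patch, removing only the `echo` leaves `GO_GCFLAGS=$(shell set -- ${GOPATHS}; )` expanding to nothing under a comment that still points at the '-trimpath' Golang issue, so the patch description should say the variable is intentionally left empty.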
@@ -18,7 +18,7 @@ LIC_FILES_CHKSUM = "file://src/import/LICENSE;md5=1269f40c0d099c21a871163984590d CONTAINERD_VERSION = "v1.6.8" CVE_VERSION = "1.6.8"
-EXTRA_OEMAKE += "GODEBUG=1"
+# EXTRA_OEMAKE += "GODEBUG=1"
 PROVIDES += "virtual/containerd" RPROVIDES:${PN} = "virtual-containerd"
@@ -84,7 +84,7 @@ do_compile() { # cannot find package runtime/cgo (using -importcfg) # ... recipe-sysroot-native/usr/lib/aarch64-poky-linux/go/pkg/tool/linux_amd64/link: # cannot open file : open : no such file or directory
- export GO_BUILD_FLAGS="-a -pkgdir dontusecurrentpkgs"
+ export GO_BUILD_FLAGS="-trimpath -a -pkgdir dontusecurrentpkgs"
 export GO111MODULE=off cd ${S}/src/import
--
cgit v1.2.3-54-g00ecf
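Review bot: The `# EXTRA_OEMAKE += "GODEBUG=1"` line keeps the old setting as commented-out code and gives no reason for disabling it. The Makefile block shown in the removed GODEBUG patch adds `-s -w` to `EXTRA_LDFLAGS` when GODEBUG is undefined. If the upstream Makefile at this SRCREV carries the same block (likely, since that patch was marked as a backport, but not visible here), the binaries are now linked without symbol and DWARF tables, which affects debug packaging and later crash or incident analysis. Either delete the line or replace it with an explanatory comment such as `# GODEBUG is left unset for reproducibility; the Makefile then links with -s -w`.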
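Review bot: The `export GO_BUILD_FLAGS=` line in do_compile gains `-trimpath`, but the comment lines above it only describe the link errors behind the existing flags. The commit message records that a `_/<build path>/...` package path still ends up in .rodata, and that known gap is not noted anywhere in the recipe. A comment directly above the export would keep it visible, for example `# -trimpath: keep TMPDIR out of the binaries (buildpaths QA); a "_/<abs path>" package path still remains in .rodata`. The body of do_compile starts and ends outside this hunk.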