
Set buildmode to pie and drop pie and debuginfo patches for kubernetes #1103

Merged
merged 1 commit into from
Sep 15, 2020

Conversation

bnrjee
Contributor

@bnrjee bnrjee commented Sep 2, 2020

Issue number:
#1102

Description of changes:
Removed the patches 0002-do-not-omit-debug-info.patch and 0003-enable-PIE-for-platform-binaries.patch and exported GOLDFLAGS as "-buildmode=pie" in the spec files of the different kubernetes versions. Also renumbered the bottlerocket patches that were created for kubernetes.

Testing done:
1. Built bottlerocket successfully.
2. Verified using checksec that the kubelet binaries are all still built as PIE.
3. Made sure that this goldflag along with the SOURCE_DATE_EPOCH flag can build reproducible binaries for upstream kubernetes.
4. Created an AMI and ran a busybox pod with it.

Terms of contribution:

By submitting this pull request, I agree that this contribution is dual-licensed under the terms of both the Apache License, version 2.0, and the MIT license.

@bnrjee bnrjee changed the title Myfeature Zero out buildid to create reproducible builds of kubernetes targets Sep 2, 2020
@bnrjee bnrjee force-pushed the myfeature branch 2 times, most recently from b743dd7 to e1315ea on September 3, 2020 13:45
@bcressey
Contributor

bcressey commented Sep 4, 2020

Can you verify using checksec that the kubelet binaries are all still built as PIE?

You can extract the RPMs in build/rpm and check the binaries using a command like this:

rpm2cpio bottlerocket-x86_64-kubelet-1.15-*.x86_64.rpm | cpio -idmv
checksec -f x86_64-bottlerocket-linux-gnu/sys-root/usr/bin/kubelet
rm -r x86_64-bottlerocket-linux-gnu

(This needs to be integrated as a check during package builds, but hasn't been automated yet.)
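An automated form of that check, added here as an example that is not part of this PR or of Bottlerocket: it parses the ELF header and program headers with Go's debug/elf and reports whether a binary is PIE and has a non-executable stack, which is what the reviewer is asking to see for each kubelet. The PIE rule (ET_DYN plus a PT_INTERP segment) is an assumed simplification of what checksec reports, and FakeELF is a constructed stand-in image so the check can be exercised without an RPM at hand.

```go
package main

import (
	"bytes"
	"debug/elf"
	"encoding/binary"
	"io"
)

// Hardening mirrors the checksec columns the reviewer asked about: PIE means ET_DYN with a
// PT_INTERP entry (an executable, not a bare shared object); NX a non-executable PT_GNU_STACK.
type Hardening struct{ PIE, NX bool }

// Inspect parses only the ELF header and program headers, so it is cheap even on a large kubelet.
func Inspect(r io.ReaderAt) (Hardening, error) {
	f, err := elf.NewFile(r)
	if err != nil {
		return Hardening{}, err
	}
	h, hasInterp := Hardening{}, false
	for _, p := range f.Progs {
		switch p.Type {
		case elf.PT_INTERP:
			hasInterp = true
		case elf.PT_GNU_STACK:
			h.NX = p.Flags&elf.PF_X == 0
		}
	}
	h.PIE = f.Type == elf.ET_DYN && hasInterp
	return h, nil
}

// FakeELF builds a constructed, minimal ELF64 image (header and program headers only, no
// code) so the check can run offline; it stands in for a real kubelet extracted from the RPM.
func FakeELF(pie, nxStack bool) io.ReaderAt {
	hdr := elf.Header64{Type: uint16(elf.ET_EXEC), Machine: uint16(elf.EM_X86_64), Version: 1, Phoff: 64, Ehsize: 64, Phentsize: 56, Phnum: 1}
	copy(hdr.Ident[:], []byte{0x7f, 'E', 'L', 'F', byte(elf.ELFCLASS64), byte(elf.ELFDATA2LSB), byte(elf.EV_CURRENT)})
	progs := []elf.Prog64{{Type: uint32(elf.PT_GNU_STACK), Flags: uint32(elf.PF_R | elf.PF_W)}}
	if !nxStack {
		progs[0].Flags |= uint32(elf.PF_X) // RWE stack, what checksec reports as "NX disabled"
	}
	if pie { // a PIE is an ET_DYN image that still carries a PT_INTERP for the loader
		hdr.Type, hdr.Phnum = uint16(elf.ET_DYN), 2
		progs = append(progs, elf.Prog64{Type: uint32(elf.PT_INTERP), Flags: uint32(elf.PF_R)})
	}
	var buf bytes.Buffer
	binary.Write(&buf, binary.LittleEndian, hdr)
	binary.Write(&buf, binary.LittleEndian, progs)
	return bytes.NewReader(buf.Bytes())
}
```

To gate a package build, open the extracted kubelet with os.Open (an *os.File is an io.ReaderAt), pass it to Inspect and fail the build when PIE or NX is false.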

@bnrjee
Contributor Author

bnrjee commented Sep 4, 2020

> Can you verify using checksec that the kubelet binaries are all still built as PIE?

It says PIE enabled for all 3 versions of kubernetes. Please find the output below.

[ec2-user@ip-172-31-13-77 test]$ ls
bottlerocket-x86_64-kubelet-1.15-1.15.12-1.x86_64.rpm  checksec.sh  x86_64-bottlerocket-linux-gnu
[ec2-user@ip-172-31-13-77 test]$ sh checksec.sh --file x86_64-bottlerocket-linux-gnu/sys-root/usr/bin/kubelet
RELRO           STACK CANARY      NX            PIE             RPATH      RUNPATH      FILE
Full RELRO      Canary found      NX enabled    PIE enabled     No RPATH   No RUNPATH   x86_64-bottlerocket-linux-gnu/sys-root/usr/bin/kubelet
[ec2-user@ip-172-31-13-77 test]$ ls
bottlerocket-x86_64-kubelet-1.16-1.16.13-1.x86_64.rpm  checksec.sh  x86_64-bottlerocket-linux-gnu
[ec2-user@ip-172-31-13-77 test]$ sh checksec.sh --file x86_64-bottlerocket-linux-gnu/sys-root/usr/bin/kubelet
RELRO           STACK CANARY      NX            PIE             RPATH      RUNPATH      FILE
Full RELRO      Canary found      NX enabled    PIE enabled     No RPATH   No RUNPATH   x86_64-bottlerocket-linux-gnu/sys-root/usr/bin/kubelet
[ec2-user@ip-172-31-13-77 test]$ ls
bottlerocket-x86_64-kubelet-1.17-1.17.9-1.x86_64.rpm  checksec.sh  x86_64-bottlerocket-linux-gnu
[ec2-user@ip-172-31-13-77 test]$ sh checksec.sh --file x86_64-bottlerocket-linux-gnu/sys-root/usr/bin/kubelet
RELRO           STACK CANARY      NX            PIE             RPATH      RUNPATH      FILE
Full RELRO      Canary found      NX enabled    PIE enabled     No RPATH   No RUNPATH   x86_64-bottlerocket-linux-gnu/sys-root/usr/bin/kubelet

@bcressey
Contributor

bcressey commented Sep 6, 2020

Can you update the title, description, and testing done? LGTM otherwise.

@bnrjee bnrjee changed the title Zero out buildid to create reproducible builds of kubernetes targets Set GOLDFLAGS to "-buildmode=pie" for kubernetes to create reproducible builds and remove 0002-do-not-omit-debug-info.patch and 0003-enable-PIE-for-platform-binaries.patch patches Sep 8, 2020
@bnrjee bnrjee force-pushed the myfeature branch 2 times, most recently from 23f3f95 to 622966c on September 10, 2020 16:52
@bnrjee bnrjee changed the title Set GOLDFLAGS to "-buildmode=pie" for kubernetes to create reproducible builds and remove 0002-do-not-omit-debug-info.patch and 0003-enable-PIE-for-platform-binaries.patch patches Set buildmode to pie and drop pie and debuginfo patches for kubernetes Sep 10, 2020
@bcressey bcressey merged commit 04d2e71 into bottlerocket-os:develop Sep 15, 2020