build: use libpathrs by default#5103
Conversation
d8dd6b0 to
11671a9
Compare
2e26652 to
c21dc79
Compare
This comment was marked as resolved.
This comment was marked as resolved.
af83d54 to
d25c6d6
Compare
rata
left a comment
There was a problem hiding this comment.
This mostly LGTM. I like that it is basically contained on the CI/release files. Ping me when you want another review.
I left some comments. I think I'd nto try to figure out the "correct" location for a library on each distro, if something like /usr/local works on all. I'd let the right destdir to when we have an OBS package for each distro or so. But I feel usr/local probably doesn't work?
Left some other comments too, mostly nits.
d25c6d6 to
dbdd4c2
Compare
Ever since v0.6.0 of github.com/cyphar/filepath-securejoin, pathrs-lite has been able to transparently switch to using libpathrs as the backend for safe path resolution (at compile-time, using a build tag). Note that because build-tags apply globally, this allows for us to easily opt pure-Go dependencies into all using libpathrs as well for our binaries. In a future patch this will likely be enabled by default, but document that this is an option for downstreams that want to opt-in to using libpathrs. Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
This includes a few fixes for 32-bit builds. Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
pathrs-lite supports transparently switching to libpathrs.so as the backend with the "libpathrs" build tag. In order to make this work properly with our CI and release build scripts, we we need to have a similar setup as with we do with libseccomp. Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
libpathrs will be opt-out in a future patch so we need to test with it in our CI. Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
libpathrs has better hardening against certain attacks (most notably on older kernels) so we should use it by default. This opens the door to us using cyphar.com/go-pathrs in the future in order to remove some of our internal/pathrs wrappers (that reimplement bits of libpathrs). Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
We do plan to make libpathrs required in the future, but in the meantime we should test both with and without libpathrs in our CI to catch regressions for users that will not use libpathrs initially. Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
b87e9c2 to
0e1fe36
Compare
|
I believe this constitutes a breaking change when building
|
|
@lifubang install automatically? That seems wrong, we don't do that with seccomp either, right? |
The key difference here is that libseccomp is widely available in the default package repositories of most Linux distributions, making it straightforward for users to install via standard package managers. However, libpathrs has not yet been included in these distribution repositories, meaning users cannot easily install it through common package management commands. This distinction justifies the need for automated installation support for libpathrs . While seccomp relies on existing distribution packages (and our documentation already covers its installation), libpathrs requires a more proactive approach to ensure users can build runc without manual, error-prone steps to locate and compile the dependency. Automating this process would address the accessibility gap and maintain consistency with the default-enabled build tag for libpathrs . |
| local tar="libpathrs-${ver}.tar.xz" | ||
|
|
||
| # Download, check, and extract. | ||
| wget "https://github.com/cyphar/libpathrs/releases/download/v${ver}/${tar}"{,.asc} |
There was a problem hiding this comment.
Once we suggest users to use ./script/build-libpathrs.sh to build libpathrs in the future, could you also download these files to a temporary directory—outside the runc source code directory?
|
I'm fine with adding some more details to the README, but I'm really not in favour of installing libpathrs automatically as part of our build process. For one thing, it violates user expectations and would break within a fair few build systems (which disable network access to avoid build scripts downloading stuff from the internet). At the moment libpathrs is only packaged for openSUSE but once runc has a soft requirement on it (in 1.5.0) every distribution will fairly create packages for it (it is a fairly low-dependency Rust project -- Debian already has all of the necessary dependencies packaged so even they shouldn't have too much trouble packaging it) and so the problem will resolve itself quite quickly IMHO. If we really want to provide a simple way to install libpathrs ourselves, (as discussed earlier in this thread) I plan to get OBS package builds for most distributions working soon and so we could point people to that repo until their distro provides packages for libpathrs. Either solution is better than running |
|
If |
|
@lifubang What if we move libpathrs to EXTRABUILDTAGS? |
|
It's not perfect, not sure I like it now that I think about it more... The other option is to do the filter-out makefile thing. I think I've seen it in some PR already? IMHO, having to specify seccomp doesn't seem too bad, though. |
|
@kolyshkin suggested making modifying build-tags easier above, I opened #5165 to track that. I think putting it in |
|
I was able to use the script added in this PR and build runc for cri-o: cri-o/cri-o#9813 |
This comment was marked as spam.
This comment was marked as spam.
Sorry, something went wrong.
Draft until these PRs / issues are resolved and libpathrs has a new release:
pathrs-litesupports transparently switching tolibpathrs.soas a backendwith the
libpathrsbuild tag. In order to permit us to eventually requirelibpathrs.so(and get rid of some of the duplicated wrappers ininternal/pathrs), we need to makelibpathrsopt-out for at least onerelease before making it mandatory.
Signed-off-by: Aleksa Sarai cyphar@cyphar.com