Skip to content

Inherit LDFLAGS for TLS and RDMA modules#3344

Merged
zuiderkwast merged 1 commit into
valkey-io:unstablefrom
remicollet:issue-bindnow
Mar 11, 2026
Merged

Inherit LDFLAGS for TLS and RDMA modules#3344
zuiderkwast merged 1 commit into
valkey-io:unstablefrom
remicollet:issue-bindnow

Conversation

@remicollet

Copy link
Copy Markdown
Contributor

With current build system, LDFLAGS are not used for modules

This results in security options not applied

$ annocheck /usr/lib64/valkey/modules/rdma.so 
annocheck: Version 12.99.
Hardened: rdma.so: FAIL: bind-now test because not linked with -Wl,-z,now 
Hardened: Rerun annocheck with --verbose to see more information on the tests.
Hardened: rdma.so: Overall: FAIL.

With this patch

$ annocheck /usr/lib64/valkey/modules/rdma.so 
annocheck: Version 12.99.
Hardened: rdma.so: PASS.

@codecov

codecov Bot commented Mar 10, 2026

Copy link
Copy Markdown

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 75.07%. Comparing base (6fee1aa) to head (0db1a79).
⚠️ Report is 7 commits behind head on unstable.

Additional details and impacted files
@@             Coverage Diff              @@
##           unstable    #3344      +/-   ##
============================================
+ Coverage     75.05%   75.07%   +0.02%     
============================================
  Files           129      129              
  Lines         71633    71633              
============================================
+ Hits          53763    53781      +18     
+ Misses        17870    17852      -18     

see 20 files with indirect coverage changes

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

@enjoy-binbin enjoy-binbin left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks, please sign the DCO

@remicollet

Copy link
Copy Markdown
Contributor Author

Thanks, please sign the DCO

Commit signed

Signed-off-by: Remi Collet <remi@remirepo.net>
Comment thread src/Makefile
# valkey-tls.so
$(TLS_MODULE_NAME): $(SERVER_NAME)
$(QUIET_CC)$(CC) -o $@ tls.c -shared -fPIC $(TLS_MODULE_CFLAGS) $(TLS_CLIENT_LIBS)
$(QUIET_CC)$(CC) $(LDFLAGS) -o $@ tls.c -shared -fPIC $(TLS_MODULE_CFLAGS) $(TLS_CLIENT_LIBS)

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

have a small question! is there a reason we used LDFLAGS and not FINAL_LDFLAGS?

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

have a small question! is there a reason we used LDFLAGS and not FINAL_LDFLAGS?

Sorry, I'm not an expert of the very strange valkey build system
I just want to point an issue and propose a minimal fix.

Only LDFLAGS and SERVER_LDFLAGS are documented in the headers

@zuiderkwast zuiderkwast Mar 11, 2026

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

FINAL_LDFLAGS can include additional optimization and debug flags that are added from other variables:

FINAL_CFLAGS=$(STD) $(WARN) $(OPT) $(DEBUG) $(CFLAGS) $(SERVER_CFLAGS)
FINAL_LDFLAGS=$(LDFLAGS) $(OPT) $(SERVER_LDFLAGS) $(DEBUG)

For compiling, the flags are built up from FINAL_CLFLAGS with some extra defines:

TLS_MODULE_CFLAGS:=$(FINAL_CFLAGS)
...
TLS_MODULE_CFLAGS+=-DUSE_OPENSSL=$(BUILD_MODULE) $(OPENSSL_CFLAGS) -DBUILD_TLS_MODULE=$(BUILD_MODULE)

Maybe we should do the same for link flags, but I don't think any of the debug and optimization flags make any difference for linking, except the -flto flag for link-time-optimization, which needs to be used for compilation and linking to be effective. But the TLS module is built from a single .c file tls.c so there is no link-time-optimization across compilation units anyway.

Bottom line: AFAICT, it doesn't matter if we use LDFLAGS or FINAL_LDFLAGS.

@zuiderkwast zuiderkwast changed the title inherit LDFLAGS for modules Inherit LDFLAGS for TLS and RDMA modules Mar 11, 2026
@zuiderkwast zuiderkwast merged commit 8051de7 into valkey-io:unstable Mar 11, 2026
58 checks passed
@zuiderkwast

Copy link
Copy Markdown
Contributor

@remicollet Do you want this to be backported or is it enough that it will be in 9.1 and later?

@remicollet

Copy link
Copy Markdown
Contributor Author

@remicollet Do you want this to be backported or is it enough that it will be in 9.1 and later?

Nice to have in 9.0.x, but we can live without it (and apply it manually in Fedora RPM)

@remicollet remicollet deleted the issue-bindnow branch March 11, 2026 11:04
JimB123 pushed a commit that referenced this pull request Mar 19, 2026
With current Makefile, `LDFLAGS` are not used for modules.

This results in security options not applied.

```
$ annocheck /usr/lib64/valkey/modules/rdma.so 
annocheck: Version 12.99.
Hardened: rdma.so: FAIL: bind-now test because not linked with -Wl,-z,now 
Hardened: Rerun annocheck with --verbose to see more information on the tests.
Hardened: rdma.so: Overall: FAIL.
```

With this patch

```
$ annocheck /usr/lib64/valkey/modules/rdma.so 
annocheck: Version 12.99.
Hardened: rdma.so: PASS.
```

Signed-off-by: Remi Collet <remi@remirepo.net>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

4 participants