
linuxPackages.opensnitch-ebpf: remove linux.dev references #391352

Merged: K900 merged 1 commit into NixOS:master from eclairevoyant:os-ebpf-closure on Jun 8, 2025

Conversation

@eclairevoyant (Contributor) commented Mar 19, 2025

Fixes #391351 (closure size bloated from 643 KiB to 2.48 GiB)

Things done

  • Built on platform(s)
    • x86_64-linux
    • aarch64-linux
    • x86_64-darwin
    • aarch64-darwin
  • For non-Linux: Is sandboxing enabled in nix.conf? (See Nix manual)
    • sandbox = relaxed
    • sandbox = true
  • Tested, as applicable:
  • Tested compilation of all packages that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review rev HEAD". Note: all changes have to be committed, also see nixpkgs-review usage
  • Tested basic functionality of all binary files (usually in ./result/bin/)
  • 25.05 Release Notes (or backporting 24.11 and 25.05 Release notes)
    • (Package updates) Added a release notes entry if the change is major or breaking
    • (Module updates) Added a release notes entry if the change is significant
    • (Module addition) Added a release notes entry if adding a new NixOS module
  • Fits CONTRIBUTING.md.


@github-actions bot added labels 10.rebuild-darwin: 0 (This PR does not cause any packages to rebuild on Darwin) and 10.rebuild-linux: 11-100 (This PR causes between 11 and 100 packages to rebuild on Linux) on Mar 19, 2025
@nix-owners nix-owners bot requested a review from onny March 19, 2025 18:40
@JohnRTitor JohnRTitor requested a review from K900 March 19, 2025 19:00
@K900 (Contributor) commented Mar 20, 2025

Is there really no better way to avoid the reference?

@eclairevoyant (Contributor Author):

If you have any suggestions, I'm open to them.

@K900 (Contributor) commented Mar 20, 2025

Well do you know why the reference is there in the first place?

@eclairevoyant (Contributor Author):

Not really, this is as much as I could tell:

```console
$ rg -uuu /nix/store/4mgx6rlcnvmzmy44dd9dhgqjg2m79ws2-linux-6.13.7-dev /nix/store/x8307bqr07qzqvdnfh8zfsm910yf9g0f-opensnitch_ebpf-1.6.7-6.13.7/etc/opensnitchd/opensnitch*.o 
/nix/store/x8307bqr07qzqvdnfh8zfsm910yf9g0f-opensnitch_ebpf-1.6.7-6.13.7/etc/opensnitchd/opensnitch-dns.o: binary file matches (found "\0" byte around offset 7)
/nix/store/x8307bqr07qzqvdnfh8zfsm910yf9g0f-opensnitch_ebpf-1.6.7-6.13.7/etc/opensnitchd/opensnitch-procs.o: binary file matches (found "\0" byte around offset 7)
/nix/store/x8307bqr07qzqvdnfh8zfsm910yf9g0f-opensnitch_ebpf-1.6.7-6.13.7/etc/opensnitchd/opensnitch.o: binary file matches (found "\0" byte around offset 7)
$ strings /nix/store/x8307bqr07qzqvdnfh8zfsm910yf9g0f-opensnitch_ebpf-1.6.7-6.13.7/etc/opensnitchd/opensnitch*.o | rg /nix/store/4mgx6rlcnvmzmy44dd9dhgqjg2m79ws2-linux-6.13.7-dev
/nix/store/4mgx6rlcnvmzmy44dd9dhgqjg2m79ws2-linux-6.13.7-dev/lib/modules/6.13.7/source/include/uapi/asm-generic
/nix/store/4mgx6rlcnvmzmy44dd9dhgqjg2m79ws2-linux-6.13.7-dev/lib/modules/6.13.7/source/include/asm-generic
/nix/store/4mgx6rlcnvmzmy44dd9dhgqjg2m79ws2-linux-6.13.7-dev/lib/modules/6.13.7/source/include/uapi/linux
/nix/store/4mgx6rlcnvmzmy44dd9dhgqjg2m79ws2-linux-6.13.7-dev/lib/modules/6.13.7/source/include/linux
/nix/store/4mgx6rlcnvmzmy44dd9dhgqjg2m79ws2-linux-6.13.7-dev/lib/modules/6.13.7/source/arch/x86/include/asm
/nix/store/4mgx6rlcnvmzmy44dd9dhgqjg2m79ws2-linux-6.13.7-dev/lib/modules/6.13.7/source/include/uapi/asm-generic
/nix/store/4mgx6rlcnvmzmy44dd9dhgqjg2m79ws2-linux-6.13.7-dev/lib/modules/6.13.7/source/include/asm-generic
/nix/store/4mgx6rlcnvmzmy44dd9dhgqjg2m79ws2-linux-6.13.7-dev/lib/modules/6.13.7/source/include/linux
/nix/store/4mgx6rlcnvmzmy44dd9dhgqjg2m79ws2-linux-6.13.7-dev/lib/modules/6.13.7/source/include/uapi/linux
/nix/store/4mgx6rlcnvmzmy44dd9dhgqjg2m79ws2-linux-6.13.7-dev/lib/modules/6.13.7/source/include/net
/nix/store/4mgx6rlcnvmzmy44dd9dhgqjg2m79ws2-linux-6.13.7-dev/lib/modules/6.13.7/source/arch/x86/include/asm
/nix/store/4mgx6rlcnvmzmy44dd9dhgqjg2m79ws2-linux-6.13.7-dev/lib/modules/6.13.7/source/include/linux/atomic
/nix/store/4mgx6rlcnvmzmy44dd9dhgqjg2m79ws2-linux-6.13.7-dev/lib/modules/6.13.7/source/include/linux/sched
/nix/store/4mgx6rlcnvmzmy44dd9dhgqjg2m79ws2-linux-6.13.7-dev/lib/modules/6.13.7/source/include/vdso
/nix/store/4mgx6rlcnvmzmy44dd9dhgqjg2m79ws2-linux-6.13.7-dev/lib/modules/6.13.7/source/include/net/netns
/nix/store/4mgx6rlcnvmzmy44dd9dhgqjg2m79ws2-linux-6.13.7-dev/lib/modules/6.13.7/source/include/linux/netfilter
/nix/store/4mgx6rlcnvmzmy44dd9dhgqjg2m79ws2-linux-6.13.7-dev/lib/modules/6.13.7/source/include/linux/device
/nix/store/4mgx6rlcnvmzmy44dd9dhgqjg2m79ws2-linux-6.13.7-dev/lib/modules/6.13.7/source/arch/x86/include/asm/fpu
/nix/store/4mgx6rlcnvmzmy44dd9dhgqjg2m79ws2-linux-6.13.7-dev/lib/modules/6.13.7/source/include/uapi/linux/hdlc
/nix/store/4mgx6rlcnvmzmy44dd9dhgqjg2m79ws2-linux-6.13.7-dev/lib/modules/6.13.7/source/include/uapi/asm-generic
/nix/store/4mgx6rlcnvmzmy44dd9dhgqjg2m79ws2-linux-6.13.7-dev/lib/modules/6.13.7/source/include/asm-generic
/nix/store/4mgx6rlcnvmzmy44dd9dhgqjg2m79ws2-linux-6.13.7-dev/lib/modules/6.13.7/source/include/uapi/linux
/nix/store/4mgx6rlcnvmzmy44dd9dhgqjg2m79ws2-linux-6.13.7-dev/lib/modules/6.13.7/source/include/linux
/nix/store/4mgx6rlcnvmzmy44dd9dhgqjg2m79ws2-linux-6.13.7-dev/lib/modules/6.13.7/source/arch/x86/include/asm
/nix/store/4mgx6rlcnvmzmy44dd9dhgqjg2m79ws2-linux-6.13.7-dev/lib/modules/6.13.7/source/include/linux/sched
/nix/store/4mgx6rlcnvmzmy44dd9dhgqjg2m79ws2-linux-6.13.7-dev/lib/modules/6.13.7/source/include/linux/atomic
/nix/store/4mgx6rlcnvmzmy44dd9dhgqjg2m79ws2-linux-6.13.7-dev/lib/modules/6.13.7/source/include/vdso
/nix/store/4mgx6rlcnvmzmy44dd9dhgqjg2m79ws2-linux-6.13.7-dev/lib/modules/6.13.7/source/arch/x86/include/asm/fpu
```

@eclairevoyant (Contributor Author):

Any thoughts?

@eclairevoyant force-pushed the os-ebpf-closure branch 2 times, most recently from edf4e33 to 14308db, on May 12, 2025 17:30
@eclairevoyant (Contributor Author):

@onny @K900 any further feedback?

@K900 (Contributor) commented May 21, 2025

We should really figure out why it's leaking there before we just nukeReferences it and hope for the best.

@eclairevoyant (Contributor Author):

Okay, and that's just what you said 2 months ago, so how do you propose doing so? I'm not a C programmer; I gave a best effort to at least list out what those references are.

By the way, I just want to remind you that this is a 4000x closure size decrease over a dependency on some header files that I hope you can agree would never make sense to be there at runtime.

@eclairevoyant (Contributor Author) commented May 22, 2025

Also it's a fairly small codebase: https://github.com/evilsocket/opensnitch/tree/master/ebpf_prog

If you know what you're looking for (which I don't) it's probably easy to find. All I noticed were the extra includes in the Makefile which haven't changed in 2 years.

@K900 (Contributor) commented May 22, 2025

It's just debug info. You can remove it with llvm-strip.
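
The investigation earlier in the thread and the one-line answer above together describe the whole diagnosis loop: find which output files carry the linux.dev store path, confirm the matches are compiler-recorded include directories (debug metadata rather than anything the BPF program uses), strip that metadata, and re-scan. The script below is an added example, not code from this PR or from opensnitch. It reproduces the loop against a constructed fixture in a temporary directory (a made-up store hash of 32 'a's and a fake .o file that embeds a kernel-header path; neither exists in any real store) and keeps the llvm-strip step guarded so it only runs where the tool is installed. Two caveats a packager wants: Nix decides that an output references an input when the input's bare 32-character hash appears anywhere in the output, so grepping for the full /nix/store/<hash>-<name> prefix as done here is a slightly stricter heuristic that is enough for diagnosis; and stdenv's default strip hook only visits the directories listed in stripDebugList (bin, lib and friends), which is one reason an object installed under etc/opensnitchd survives fixupPhase untouched.

```shell
#!/bin/sh
# Added example, not from the PR or from opensnitch: find which files in a
# build output drag an unwanted store path into the closure, then strip the
# debug info that carries it. Every path and hash in the fixture is made up.
set -eu

# Print every /nix/store/<hash>-<name> mentioned in any file under $1,
# one per line, deduplicated. -a treats binaries as text, -o prints only the
# match, -h drops the filename. (Nix's own scanner looks for the bare hash.)
find_store_refs() {
  grep -rahoE "/nix/store/[0-9a-z]{32}-[^/[:space:]\"']+" "$1" | sort -u
}

# List the files under $1 that contain the store-path basename $2.
files_referencing() {
  grep -rlF "$2" "$1" | sort
}

# Drop debug sections from every .o under $1, as suggested in the thread.
# --strip-debug removes DWARF (and the include paths recorded in it) but
# keeps code, maps and symbols the loader needs. Skipped if llvm-strip is absent.
strip_debug_objects() {
  command -v llvm-strip >/dev/null 2>&1 || { echo "llvm-strip not installed" >&2; return 1; }
  find "$1" -name '*.o' -exec llvm-strip --strip-debug {} +
}

# Constructed stand-in for an opensnitch-ebpf output: one object that embeds
# a kernel-header directory (the way DWARF line tables do) and one that does
# not. Prints the fixture root.
make_fixture() {
  root=$(mktemp -d)
  mkdir -p "$root/etc/opensnitchd"
  dev="/nix/store/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa-linux-6.13.7-dev"   # fake hash
  printf '\177ELF\0\0\0code\0%s/lib/modules/6.13.7/source/include/linux\0' "$dev" \
    > "$root/etc/opensnitchd/opensnitch.o"
  printf '\177ELF\0\0\0code\0' > "$root/etc/opensnitchd/opensnitch-procs.o"
  printf '%s\n' "$root"
}

# Usage: run the diagnosis against the fixture, then clean up.
main() {
  out=$(make_fixture)
  echo "store paths referenced from $out:"
  find_store_refs "$out"
  echo "files carrying the linux-dev reference:"
  files_referencing "$out" "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa-linux-6.13.7-dev"
  rm -rf "$out"
}
main "$@"
```

On a real build the same two functions run against ./result (or the store path from nix build); after strip_debug_objects the first scan should no longer list the -dev path, and nix-store -q --references on the output confirms the closure change.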

@eclairevoyant (Contributor Author):

Why wouldn't fixupPhase take care of this? And why llvm strip specifically?

@eclairevoyant (Contributor Author):

Anyway, review addressed, seems to work.

@eclairevoyant (Contributor Author):

@K900 any remaining feedback?

@K900 (Contributor) commented Jun 8, 2025

Sorry, thought I merged this.

@K900 merged commit dbcc20e into NixOS:master on Jun 8, 2025
16 of 17 checks passed
@eclairevoyant deleted the os-ebpf-closure branch on June 8, 2025 11:59
Development

Successfully merging this pull request may close these issues.

linuxPackages.opensnitch-ebpf: depends on linux.dev (closure size)

3 participants