Build non-static binaries with PIE buildmode #102323
Conversation
@saschagrunert: GitHub didn't allow me to request PR reviews from the following users: abhay-krishna. Note that only kubernetes members and repo collaborators can review this PR, and authors cannot review their own PRs. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
@saschagrunert: This issue is currently awaiting triage. If a SIG or subproject determines this is a relevant issue, they will accept it by applying the appropriate triage label.
/lgtm
Have we investigated fully e.g.:
I'm still not clear on whether we think this will realistically defend against anything or check a compliance checkbox. If it's only the latter, then I think the GOFLAGS support and custom builds should cover that angle. Edit: unless it proves to have no negative impacts, then 🤷♂️, but I haven't seen that addressed.
Binary size comparison
Only a few binaries are built with PIE if we run:
If we compare their binary sizes, then we indeed encounter a difference:
Platform support
We have PIE mode since:
Depending on how the compiler behaves and the output of
The issue (#90311) has some context about this. This comment from @tabbysable and the following comments provide some insights into why this would be useful: #90311 (comment) From @saschagrunert's table above, the binary size increase is about 10-20% depending on the binary. This might sound like a lot, but most of the binaries are somewhat small. I don't have experience with this concrete topic, so I can't weigh whether it's worth it or not, but in my opinion, I don't really see this as a problem.
I wouldn't call > 100 MB small, and I'm not sure many other people would either? Most of our binaries are sadly over 100 MB easily. They're not all in the table above. We can ignore the gen* as we don't distribute those. Making kubelet ~27% larger is not great :(
This broke the cross build |
/test pull-kubernetes-cross |
/test pull-kubernetes-e2e-kind-ipv6 |
de6e41a to 06b80e8
We now add the `-buildmode pie` flag when building non-static binaries, which enables the ASLR security mechanism. Signed-off-by: Sascha Grunert <sgrunert@redhat.com>
/test pull-kubernetes-cross |
The new kube-cross version makes
It seems that wasn't the case. https://prow.k8s.io/view/gs/kubernetes-jenkins/pr-logs/pull/102323/pull-kubernetes-cross/1397898981865951232 As an aside: I wonder how long the project should keep building for relatively obsolete platforms like i386 ... Still disappointed to see kubelet get bigger again, but oh well. https://groups.google.com/g/golang-nuts/c/cXhRsmNsMwo/m/VUZlLqo9AwAJ seems pretty clear that there's at least some benefit to programs using CGO (like kubelet, to an extent, indirectly). I also asked the GKE security team for more background on this since there's been pretty limited discussion on GitHub and I've already poked sig-security; they had a similar response to the effect of roughly "it's probably relatively minor / theoretical but perhaps useful with CGO". In either case, the build script changes look acceptable purely from a code POV without respect to "should we PIE or not", and PIE seems at least potentially useful for these non-static binaries. /approve and, since cross is green again:
Referring to: #102323 (comment)
@kubernetes/release-engineering @kubernetes/sig-security-pr-reviews please take a look for lgtm |
/lgtm |
[APPROVALNOTIFIER] This PR is APPROVED. This pull-request has been approved by: BenTheElder, justaugustus, saschagrunert, xmudrii.
/test pull-kubernetes-e2e-kind-ipv6 |
/test pull-kubernetes-unit |
What type of PR is this?
/kind cleanup
What this PR does / why we need it:
We now add the `-buildmode pie` flag when building non-static binaries, which enables the ASLR security mechanism.
Which issue(s) this PR fixes:
Fixes #90311
Special notes for your reviewer:
Supersedes #94448
For example, we now build the `kubelet` as `LSB pie executable`:
We do not apply the change to statically linked binaries, because if we add the `pie` buildmode to them we would end up with a dynamically linked binary without choosing an external linker. Ref: golang/go#40719
Does this PR introduce a user-facing change?
Additional documentation e.g., KEPs (Kubernetes Enhancement Proposals), usage docs, etc.:
/area release-eng
/sig release
/priority important-soon
/cc @kubernetes/release-managers @abhay-krishna
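The description above verifies the result with file(1), which reports `LSB pie executable` for a PIE and tells you whether the image is dynamically linked. The following is an added example, not code from this PR or from the kubernetes build scripts, that performs the same check in Go with the standard `debug/elf` package so it can run in a release pipeline without depending on `file`: `ET_EXEC` means a fixed-address executable, `ET_DYN` means position independent, and the `DF_1_PIE` bit of `DT_FLAGS_1` (with a `PT_INTERP` segment as a weaker fallback) tells a PIE apart from a plain shared library. A non-empty interpreter path is exactly the "dynamically linked" outcome the description warns about for static binaries built with `-buildmode pie`. The file name `pie_check.go`, the `_output/bin/kubelet` path in the usage comment, the `Classify`/`dynFlags1`/`buildImage` names and the hand-assembled ELF images produced by `buildImage` are assumptions for illustration; the images are constructed test data, not compiled binaries.

```go
package main

import (
	"bytes"
	"debug/elf"
	"encoding/binary"
	"fmt"
	"io"
	"os"
)

// Coarse classification of an ELF image, which is what matters for ASLR.
const (
	KindExec   = "executable"     // ET_EXEC: mapped at a fixed address, no ASLR for the image
	KindPIE    = "pie executable" // ET_DYN with a PIE marker
	KindShared = "shared object"  // ET_DYN without a PIE marker
)

// dfOnePIE is the DF_1_PIE bit of DT_FLAGS_1 (elf.DF_1_PIE only exists since Go 1.21).
const dfOnePIE = 0x08000000

// Classify inspects an in-memory ELF image and returns its kind plus the PT_INTERP path
// (empty for a statically linked image); DT_FLAGS_1 and PT_INTERP separate PIE from library.
func Classify(image []byte) (string, string, error) {
	f, err := elf.NewFile(bytes.NewReader(image))
	if err != nil {
		return "", "", err
	}
	interp, pieFlag := "", false
	for _, p := range f.Progs {
		if p.Type != elf.PT_INTERP && p.Type != elf.PT_DYNAMIC {
			continue // never pull PT_LOAD segments into memory
		}
		data, err := io.ReadAll(p.Open())
		if err != nil {
			return "", "", err
		}
		if p.Type == elf.PT_INTERP {
			interp = string(bytes.TrimRight(data, "\x00"))
		} else if f.Class == elf.ELFCLASS64 { // 32-bit images fall back to the PT_INTERP heuristic
			pieFlag = dynFlags1(f.ByteOrder, data)&dfOnePIE != 0
		}
	}
	switch {
	case f.Type == elf.ET_EXEC:
		return KindExec, interp, nil
	case f.Type != elf.ET_DYN:
		return "", interp, fmt.Errorf("not an executable image: e_type %v", f.Type)
	case pieFlag || interp != "": // glibc's libc.so also has PT_INTERP; the flag is the stronger signal
		return KindPIE, interp, nil
	}
	return KindShared, interp, nil
}

// dynFlags1 walks a 64-bit PT_DYNAMIC segment (16-byte tag/value entries) and
// returns DT_FLAGS_1, or 0 when the tag is absent.
func dynFlags1(bo binary.ByteOrder, dyn []byte) uint64 {
	for off := 0; off+16 <= len(dyn); off += 16 {
		switch elf.DynTag(bo.Uint64(dyn[off:])) {
		case elf.DT_NULL:
			return 0
		case elf.DT_FLAGS_1:
			return bo.Uint64(dyn[off+8:])
		}
	}
	return 0
}

// buildImage assembles a minimal, well-formed ELF64 LE x86-64 image (header, payloads, then the
// program header table, which ELF allows anywhere) as constructed test data, not a compiled binary.
func buildImage(typ elf.Type, withInterp bool, flags1 uint64) []byte {
	const hdrSize, phSize = 64, 56
	var dyn, payload bytes.Buffer
	binary.Write(&dyn, binary.LittleEndian, []uint64{uint64(elf.DT_FLAGS_1), flags1, uint64(elf.DT_NULL), 0})
	progs := []elf.Prog64{{Type: uint32(elf.PT_DYNAMIC), Flags: uint32(elf.PF_R | elf.PF_W),
		Off: hdrSize, Filesz: uint64(dyn.Len()), Memsz: uint64(dyn.Len()), Align: 8}}
	payload.Write(dyn.Bytes())
	if withInterp {
		s := []byte("/lib64/ld-linux-x86-64.so.2\x00")
		progs = append(progs, elf.Prog64{Type: uint32(elf.PT_INTERP), Flags: uint32(elf.PF_R),
			Off: hdrSize + uint64(payload.Len()), Filesz: uint64(len(s)), Memsz: uint64(len(s)), Align: 1})
		payload.Write(s)
	}
	hdr := elf.Header64{Type: uint16(typ), Machine: uint16(elf.EM_X86_64), Version: uint32(elf.EV_CURRENT),
		Phoff: hdrSize + uint64(payload.Len()), Ehsize: hdrSize, Phentsize: phSize, Phnum: uint16(len(progs))}
	copy(hdr.Ident[:], []byte{0x7f, 'E', 'L', 'F', byte(elf.ELFCLASS64), byte(elf.ELFDATA2LSB), byte(elf.EV_CURRENT)})
	var out bytes.Buffer
	binary.Write(&out, binary.LittleEndian, hdr)
	out.Write(payload.Bytes())
	binary.Write(&out, binary.LittleEndian, progs)
	return out.Bytes()
}

func main() { // usage: go run pie_check.go _output/bin/kubelet (both names are examples)
	image, err := os.ReadFile(os.Args[1])
	if err != nil {
		panic(err)
	}
	fmt.Println(Classify(image))
}
```

Run it against each binary in the release output: a non-static build done with `-buildmode pie` should come back as `pie executable` with an interpreter path, a static build without the flag as `executable` with an empty path, and a static build that accidentally picked up the flag would show up as `pie executable` with a non-empty interpreter, which is the dynamically linked outcome the description describes.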