FTBFS, possibly related to changes in libcap #6727

Closed
CameronNemo opened this issue Jan 18, 2020 · 7 comments · Fixed by #6730
@CameronNemo

  • Distribution: Void
  • Distribution version: libcap 2.30.0
  • LXD version: 3.19

Issue description

In November, libcap implemented some changes to support shared capability state across threads. The release notes specifically mention Go. Oddly enough, LXD 3.18 did not seem to take issue with these changes. But on 3.19 I am seeing a build error.

libcap release notes: https://sites.google.com/site/fullycapable/release-notes-for-libcap/releasenotesfor228pending

LXD build error:

cd /builddir/lxd-3.19/_build-lxd-xbps/src/github.com/lxc/lxd/lxd
pkg-config --cflags -- lxc libcap
pkg-config --libs -- lxc libcap
go build github.com/lxc/lxd/lxd: invalid flag in pkg-config --libs: -Wl,-wrap,pthread_create
@Foxboron
Contributor

Experiencing the same issue on Arch Linux.

@Foxboron
Contributor

Foxboron commented Jan 18, 2020

Turns out this is a security measure in the cgo compiler. It operates with a whitelist where only some flags are allowed in LDFLAGS, CFLAGS and so on.

It seems like -Wl is not allowed by default, so the flag has to be whitelisted before compilation with CGO_LDFLAGS_ALLOW='-Wl,-wrap,pthread_create'. I don't think this is something that lxd should be whitelisting upstream, but something downstream should be acting upon. However it could be mentioned in the Makefile as the other flags are.

libcap recently included this flag, which is probably why this issue is only limited to distros shipping the newer versions of the library.

@grawlinson

Hey @Foxboron, I ran into this issue while building 3.19 last night (I maintain my own pacman repository) so I’m interested in seeing this solved. Are you using the AUR package, or a private fork?

@Foxboron
Contributor

@grawlinson I'm preparing lxd for inclusion into Arch Linux. Current packaging files can be found here: https://github.com/Foxboron/lxd-repo

@stgraber
Member

Can one of you send a PR that tweaks our Makefile to export this?

Hopefully there's a way to just set the variable once in the Makefile and call it done :)
I'd do it but we haven't yet been hit by this on Ubuntu, so would be best if done with someone who can confirm the change works.

Foxboron added a commit to Foxboron/lxd that referenced this issue Jan 18, 2020
libcap 1.29 was extended to support go, in turn adding some extensions
to the distributed pkgconfig files [1]. By default for security reasons,
the cgo compiler only allows -D, -I, and -l however allows us to extend
this by adding a regex filter to CGO_ALLOW_LDFLAGS [2].

It should be noted that libcap implement the same in their build systems
[3], but use a more relaxed ALLOW regex. Restrict ours as it probably
shouldn't be too wide.

Fixes: lxc#6727

[1]: https://git.kernel.org/pub/scm/libs/libcap/libcap.git/commit/?id=1a61e6f395f2d2784365920872c14d9f69ff8cf1
[2]: https://golang.org/cmd/cgo/
[3]: https://git.kernel.org/pub/scm/libs/libcap/libcap.git/commit/?id=b2b267ef1c83f1f3d3105a4bb84f8bebbc130dec

Signed-off-by: Morten Linderud <morten@linderud.pw>
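
The commit message above argues for keeping the allow regex narrow. The following added example (not code from LXD, libcap or the Go toolchain) audits a candidate `CGO_LDFLAGS_ALLOW` value against a set of flags. It assumes the pattern must match a flag in full to admit it; the probe flags and the relaxed pattern `-Wl,.*` are constructed for illustration.

```go
package main

import (
	"fmt"
	"regexp"
)

// Constructed sample data: the flag from the build error on this page, plus
// made-up probe flags that a too-wide allow pattern would also let through.
var intended = []string{"-Wl,-wrap,pthread_create"}
var probes = []string{
	"-lcap",
	"-Wl,-wrap,pthread_create",
	"-Wl,-wrap,pthread_create_other",
	"-Wl,-rpath,/opt/constructed/lib",
}

// admits assumes whole-flag matching: the leftmost regex match must equal
// the entire flag, so a pattern that matches only a prefix does not count.
func admits(re *regexp.Regexp, flag string) bool {
	return flag != "" && re.FindString(flag) == flag
}

// audit checks a candidate CGO_LDFLAGS_ALLOW value. missing lists intended
// flags the pattern fails to admit; extra lists probe flags it admits that
// nobody asked for.
func audit(pattern string, intended, probes []string) (missing, extra []string, err error) {
	re, err := regexp.Compile(pattern)
	if err != nil {
		return nil, nil, fmt.Errorf("bad allow pattern %q: %w", pattern, err)
	}
	want := make(map[string]bool, len(intended))
	for _, f := range intended {
		want[f] = true
		if !admits(re, f) {
			missing = append(missing, f)
		}
	}
	for _, f := range probes {
		if admits(re, f) && !want[f] {
			extra = append(extra, f)
		}
	}
	return missing, extra, nil
}

func main() {
	for _, p := range []string{"-Wl,-wrap,pthread_create", "-Wl,.*", "-Wl,-wrap"} {
		missing, extra, err := audit(p, intended, probes)
		fmt.Printf("%-28q missing=%q extra=%q err=%v\n", p, missing, extra, err)
	}
}
```

A pattern that leaves both lists empty admits exactly the flag the build needs and nothing else from the probe set.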
@Foxboron
Contributor

Foxboron commented Jan 18, 2020

@stgraber Pushed and added some documentation to the commit :)

EDIT: Beer and rebase when you accidentally push stuff isn't ideal 🙃

@Foxboron
Contributor

I discovered that libcap has dropped the dependencies which would introduce the need for the ALLOW flag. I think they can be safely dropped these days, but it might be worth having them in case people encounter this.

https://git.kernel.org/pub/scm/libs/libcap/libcap.git/commit/?id=f9d1c5ee19c96547fad2c807270e82abc9426ff8
