libct/dmz: Reduce the binary size using nolibc

[rata]

Linux repo has under tools/include/nolibc very simple include files that we can use to generate very small binaries that don't depend on libc.

To make things even better, since Linux 6.6 it supports all the architectures we support in runc, which is just beautiful.

The runc-dmz binary on x86_64 before this patch (on my debian host) was taking 636K, with this patch it takes only 8K.

---

Please review this table of arches with special attention.

Here is a list of arches we currently produce a binary for (took the list from here https://github.com/opencontainers/runc/releases/tag/v1.1.9), I tried to map them to the equivalent arch in nolibc, to make sure we still support all arches. Please review this

• amd64: yes, nolibc's arch-x86_64.h
• armel (aarch64): yes, nolibc's arch-arm.h/arch-aarch64.h
• armf: yes, nolibc's arch-arm.h
• ppc64le: yes, nolibc's arch-powerpc.h
• riscv64: yes, nolibc's arch-riscv.h
• s390x: yes, nolibc's arch-s390.h

If some arch is not supported, we should fallback to use stdlib for that arch. But I think all of them are supported.

What golang seems to support and nolibc doesn't is MIPS (mips, mipsle, mipsle64, mips64). So we might want to do the fallback anyways? :-( Yes, arch-mips.h is supported, but it seems not all those variants. It seems runc doesn't compile for mips, as shown here

cc @cyphar @lifubang

[cyphar]

Oops, misclicked. I'll review this tomorrow.

[fuweid]

Does it have license issue?
Not expert . Just thinking about how it lives with Apache 2.0.

[rata]

It says it can be MIT, which should be compatible with Apache-2.

See here: https://law.stackexchange.com/questions/6081/can-i-bundle-mit-licensed-components-in-a-apache-2-0-licensed-project

Am I missing something?

[fuweid]

Yes. I think we can just keep MIT and remove the LGPL-2.1. Just remove the confusion

[rata]

Idem as the other comment. I think I prefer to keep it if we can keep it. Otherwise, updating to a newer version of nolibc in the future would be more painful (or we need to make a script that nolibc, removes this, maybe something else, etc.).

I think there is value in the simplicity of just a simple c&p, no patches added.

[cyphar]

We cannot remove license headers. The code is dual-licensed but you need to keep the original copyright headers verbatim.

[fuweid]

@cyphar thanks for the comment!

[rata]

I think it is okay to include this file is GPLv2, but if someone can confirm it will be great.

Otherwise, we can remove it? We are not using this makefile anyways.

[AkihiroSuda]

Should be removed to avoid confusion (If we are going to merge this PR)

[rata]

I think I prefer to keep it if we can keep it. Otherwise, updating to a newer version of nolibc in the future would be more painful (or we need to make a script that takes that, removes this, maybe something else, etc.).

I think there is value in the simplicity of just a simple c&p.

[AkihiroSuda]

I think there is value in the simplicity of just a simple c&p.

The problem is that this is legally less simple.
It is not obvious (for non-maintainers) that the GPL-2.0 code is actually not linked with runc.

[rata]

Fixed, then! :)

[AkihiroSuda]

Alternative:

• libct/dmz: Reduce the binary size by removing libc dependency #4026

[eiffel-fl]

This nolibc is really interesting :D!
I have a comment on the xstat.h file:

[eiffel-fl]

I get your explanation regarding the problem.
But why do you have to include this file for dmz?
I mean, dmz only calls execve() which directly calls the syscall.
Moreover, statx() is defned in the nolibc.

[rata]

Because on centos-7, the <linux/stat.h> header doesn't include the struct statx that nolibc uses in sys.h, where execve() is defined.

[eiffel-fl]

I got it! Thank you!
So, the upstream patch would be about using the nolibc stat.h in sys.h rather than linux/stat.h?
In any case, please send it!

[rata]

Yes, that is the idea. But keeping nolibc unmodified here is way simpler that carrying out our patches to it. So, the xstat.h in runc seems way better than patching nolibc IMHO :)

[eiffel-fl]

Sure!
Once your patch would be accepted upstream, you could update the code here but at the moment this is fine.

[AkihiroSuda]

Please remove GPL-2.0 code
https://github.com/opencontainers/runc/pull/4024/files#r1337136436

[rata]

@AkihiroSuda sure, changed it. Removed that and put a note on the README about it. PTAL

[AkihiroSuda]

Could you add comments to explain these flags?
Why do we still need lgcc?

[rata]

I've added a comment to explain that, it is what it is suggested in nolibc/nolibc.h: https://github.com/opencontainers/runc/pull/4024/files#diff-bc183fb7b7c25ee341d9ef03b3bcb444301270a7ef72291bc025d96f1d7046f1R66-R68

It works without -lgcc, but in nolib.h they put it and the gcc manpage says that you need to add that if you use notstdlib to make sure the linking won't fail.

[lifubang]

@rata I think the source code of nolibc should not be part of runc, because we don't know nolibc's version, and very difficult to update its version. Maybe we can use git submodule or add a configure script to copy it from torvalds/linux?

[rata]

@lifubang I don't know a decent way to do that. Submodules seems painful, as we can't add a sub-folder (and adding the whole linux repo seems crazy), the configure script you mention seems complex too... I don't think we will need to update this often, if at all.

Would it be okay to add the script if we happen to update this often?

[lifubang]

the configure script you mention seems complex too

How about https://git-scm.com/docs/git-archive ?

<path>
Without an optional path parameter, all files and subdirectories of the current working directory are included in the archive. If one or more paths are specified, only these are included.

[lifubang]

Or https://www.git-scm.com/docs/git-sparse-checkout ?
If these are very complex, I think we can hear other people's opinion.

[rata]

@lifubang hmmm, git-archive is to create an archive like tar/zip/gzip. Am I missing something? We don't want that here.

IMHO trying to use submodules with sparse checkout is not worth it at this point. Not sure if it is possible (I'm not familiar with sparse checkout), but IMHO it doesn't seem worth the effort now. We can definitely change it if we do need to update this more than once per year.

[cyphar]

It seems very unlikely we will need to update this at all, let alone frequently -- given how minimal runc-dmz is and the fact that syscall numbers are fixed per-architecture. Once it works, it should just continue to work without any changes needed.

The alternatives (submodules and subtree merges) have their own issues. If you use submodules, nolibc will not be included in git archive which will mean our release tarballs won't compile and we will need to separately ship nolibc.tar (or do some hacks to add it to the release tarball). subtrees mean our git history will be needlessly polluted with stuff from Linux upstream that we don't care about. AFAIK git sparse-checkout doesn't help here either. The simplest solution is to just copy-paste the code. If we end up needing to update this often, we can reconsider our options (as @rata suggested).

[cyphar]

LGTM.

[AkihiroSuda]

Any reason for not supporting MIPS64? (Is it still alive?)

[rata]

Runc currently doesn't support mips:

runc/cc_platform.mk

Lines 17 to 53 in 1a8b558

	else ifeq ($(GOARCH),386)
	# Always use the 64-bit compiler to build the 386 binary, which works for
	# the more common cross-build method for x86 (namely, the equivalent of
	# dpkg --add-architecture).
	ifdef IS_SUSE
	# There is no x86_64-suse-linux-gcc, so use the native one.
	HOST :=
	CPU_TYPE := i586
	else
	HOST := x86_64-$(PLATFORM)-
	CPU_TYPE := i686
	endif
	CFLAGS := -m32 -march=$(CPU_TYPE) $(CFLAGS)
	else ifeq ($(GOARCH),amd64)
	ifdef IS_SUSE
	# There is no x86_64-suse-linux-gcc, so use the native one.
	HOST :=
	else
	HOST := x86_64-$(PLATFORM)-
	endif
	else ifeq ($(GOARCH),arm64)
	HOST := aarch64-$(PLATFORM)-
	else ifeq ($(GOARCH),arm)
	# HOST already configured by release_build.sh in this case.
	else ifeq ($(GOARCH),armel)
	HOST := arm-$(PLATFORM)eabi-
	else ifeq ($(GOARCH),armhf)
	HOST := arm-$(PLATFORM)eabihf-
	else ifeq ($(GOARCH),ppc64le)
	HOST := powerpc64le-$(PLATFORM)-
	else ifeq ($(GOARCH),riscv64)
	HOST := riscv64-$(PLATFORM)-
	else ifeq ($(GOARCH),s390x)
	HOST := s390x-$(PLATFORM)-
	else
	$(error Unsupported GOARCH $(GOARCH))
	endif

In a quick git blame on the linux kernel, I didn't find why

[rata]

@cyphar cool! I guess you checked the arches (what I said in the PR description) and looks good? :)

[cyphar]

Yeah, it supports all of the architectures we do releases for. If we want to add MIPS64 releases in the future we can cross that bridge when we get to it (or someone complains).

[rata]

Thanks, SGTM

[eiffel-fl]

Awesome contribution 🎉 🎉 🎉!

[lifubang]

Awesome contribution

Yes, exactly, I get a 4.8K runc-dmz in my machine.