Check that compiled binaries are static + fix static compilation #344

Closed

quentin wants to merge 3 commits from bug/check_static into main

quentin commented

2022-07-23 15:15:02 +00:00

Owner

The problem

linux/arm + linux/arm64 binaries were dynamically compiled instead of statically compiled.
It is due to this commit b54a938724
that change the override from the garage crate to the garage_rpc crate.
The change was targeted at the GIT_VERSION variable but impacted the nix hardening configuration too.
After the patch, the PIE feature was not anymore deactivated during the linking of the garage binary,
which lead to a conflict: static pie is not supported on arm/arm64 and thus lead the compiler to ignore the static parameter in favor of the pie parameter.
We did not notice this bug until it was reported recently because we don't ensure that compiled binaries are static.

The fix

I rewrote the overrides to deactivate again the PIE hardening.
I also added a check to ensure that the compiled binary is static
- Example of a failed build due to a dynamic binary -> https://drone.deuxfleurs.fr/Deuxfleurs/garage/2299/3/3
- Example of a successful build once my patch has been applied -> https://drone.deuxfleurs.fr/Deuxfleurs/garage/2310/3/3
I have refactored the shell.nix file to be both simpler and more idiomatic. Now you can spawn a specific shell with:
- nix-shell -A rust to have a compilation shell
- nix-shell -A integration to have a shell with all binaries required by the "smoke test"
- nix-shell -A release to have a shell with kaniko and bash functions dedicated to binary/container publishing

Out of scope

Running functional+smoke tests with qemu-user is outside of this PR scope.

Note

We can not use ldd as it does not work with cross compiled binaries. file seems to work as intended.

## The problem linux/arm + linux/arm64 binaries were dynamically compiled instead of statically compiled. It is due to this commit https://git.deuxfleurs.fr/Deuxfleurs/garage/commit/b54a938724e5551f6436f551cafec3d1324a6260 that change the override from the `garage` crate to the `garage_rpc` crate. The change was targeted at the GIT_VERSION variable but impacted the nix hardening configuration too. After the patch, the PIE feature was not anymore deactivated during the linking of the `garage` binary, which lead to a conflict: static pie is not supported on arm/arm64 and thus lead the compiler to ignore the static parameter in favor of the pie parameter. We did not notice this bug until it was reported recently because we don't ensure that compiled binaries are static. ## The fix - I rewrote the overrides to deactivate again the PIE hardening. - I also added a check to ensure that the compiled binary is static - Example of a failed build due to a dynamic binary -> https://drone.deuxfleurs.fr/Deuxfleurs/garage/2299/3/3 - Example of a successful build once my patch has been applied -> https://drone.deuxfleurs.fr/Deuxfleurs/garage/2310/3/3 - I have refactored the `shell.nix` file to be both simpler and more idiomatic. Now you can spawn a specific shell with: - `nix-shell -A rust` to have a compilation shell - `nix-shell -A integration` to have a shell with all binaries required by the "smoke test" - `nix-shell -A release` to have a shell with kaniko and bash functions dedicated to binary/container publishing ## Out of scope Running functional+smoke tests with qemu-user is outside of this PR scope. ## Note We can not use `ldd` as it does not work with cross compiled binaries. `file` seems to work as intended.

quentin added 3 commits 2022-07-23 15:15:10 +00:00