diff --git a/.gitea/workflows/release.yaml b/.gitea/workflows/release.yaml
index 7cd45db..04efe07 100644
--- a/.gitea/workflows/release.yaml
+++ b/.gitea/workflows/release.yaml
@@ -90,7 +90,8 @@ jobs:
 cpio gzip genisoimage isolinux syslinux syslinux-common \
 syslinux-utils xorriso xz-utils wget squashfs-tools \
 dosfstools e2fsprogs fdisk parted libarchive-tools \
- grub-common grub-efi-amd64-bin grub-pc-bin kpartx busybox-static
+ grub-common grub-efi-amd64-bin grub-pc-bin kpartx \
+ busybox-static iptables nftables
 - name: Build kernel + ISO + disk-image
 run: |
 make kernel
diff --git a/build/Dockerfile.builder b/build/Dockerfile.builder
index 12541ce..0ab60b8 100644
--- a/build/Dockerfile.builder
+++ b/build/Dockerfile.builder
@@ -30,6 +30,7 @@ RUN apt-get update && apt-get install -y --no-install-recommends \
 libarchive-tools \
 libelf-dev \
 libssl-dev \
+ nftables \
 make \
 parted \
 squashfs-tools \
diff --git a/build/scripts/inject-kubesolo.sh b/build/scripts/inject-kubesolo.sh
index a86929f..19d8fda 100755
--- a/build/scripts/inject-kubesolo.sh
+++ b/build/scripts/inject-kubesolo.sh
@@ -397,7 +397,13 @@ if [ -f /usr/sbin/xtables-nft-multi ]; then
 ln -sf xtables-nft-multi "$ROOTFS/usr/sbin/$cmd"
 done
 
- # Copy required shared libraries (architecture-aware paths)
+ # Copy required shared libraries (architecture-aware paths).
+ # We deliberately bundle the *full* glibc family from the build host —
+ # not just libc.so.6 — so dynamically-linked binaries we ship (nft,
+ # xtables-nft-multi, etc.) load a consistent set of libraries. Mixing
+ # glibc components across versions causes __stack_chk_guard mismatches
+ # ("stack smashing detected" aborts) when stack frames cross between
+ # functions linked against different libcs.
 mkdir -p "$ROOTFS/usr/lib/$LIB_ARCH" "$ROOTFS/lib/$LIB_ARCH"
 [ "$INJECT_ARCH" != "arm64" ] && mkdir -p "$ROOTFS/lib64"
 for lib in \
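Review bot: Dockerfile.builder gains only `nftables`, while the release workflow in the same commit installs `iptables nftables`; unless `iptables` is already in the list above this hunk, the Docker builder will have no `/usr/sbin/xtables-nft-multi` (that binary ships in the iptables package on Debian), and the bundling branch in inject-kubesolo.sh (`if [ -f /usr/sbin/xtables-nft-multi ]`) appears to skip silently, so images built via the two paths would differ. Add `iptables \` next to `nftables \` here, or make the skip in the inject script a build failure. Neither path pins package versions, so the glibc and nft versions baked into the rootfs follow whatever the apt mirror serves at build time; logging the installed versions (e.g. `dpkg-query -W libc6 nftables iptables`) into the build output or a manifest would keep the image's CVE exposure traceable.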
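Review bot: The new comment explains the stack-guard crash but leaves out the operational consequence a maintainer needs: after this change the rootfs's libc is the builder image's glibc, so glibc security fixes reach the image only when the builder is rebuilt, and `$LD_SO` must be copied from the same host as `libc.so.6` (a loader/libc version mismatch is unsupported by glibc and typically fails at startup no matter how many companion libraries are bundled). Suggest appending `# NOTE: the rootfs libc is now the builder's glibc — rebuild the builder to pick up glibc CVE fixes; $LD_SO and libc.so.6 must come from the same host.` The enclosing `if [ -f /usr/sbin/xtables-nft-multi ]` block starts and ends outside this hunk.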
@@ -405,6 +411,13 @@ if [ -f /usr/sbin/xtables-nft-multi ]; then
 "/lib/$LIB_ARCH/libmnl.so.0"* \
 "/lib/$LIB_ARCH/libnftnl.so.11"* \
 "/lib/$LIB_ARCH/libc.so.6" \
+ "/lib/$LIB_ARCH/libpthread.so.0" \
+ "/lib/$LIB_ARCH/libdl.so.2" \
+ "/lib/$LIB_ARCH/libm.so.6" \
+ "/lib/$LIB_ARCH/libresolv.so.2" \
+ "/lib/$LIB_ARCH/librt.so.1" \
+ "/lib/$LIB_ARCH/libanl.so.1" \
+ "/lib/$LIB_ARCH/libgcc_s.so.1" \
 "$LD_SO"; do
 [ -e "$lib" ] && cp -aL "$lib" "$ROOTFS${lib}" 2>/dev/null || true
 done
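Review bot: The `[ -e "$lib" ] && cp ... 2>/dev/null || true` loop body just below the new entries swallows every copy failure, so a missing or unreadable host library — including `libc.so.6` and `$LD_SO`, which this change makes the whole rootfs depend on — yields a silently broken image instead of a failed build. After the loop, verify the essentials landed: `for req in "/lib/$LIB_ARCH/libc.so.6" "$LD_SO"; do [ -e "$ROOTFS$req" ] || { echo "ERROR: $req missing from rootfs" >&2; exit 1; }; done`. The list is hand-maintained; deriving it from the shipped binaries' NEEDED entries on the build host (`objdump -p /usr/sbin/nft /usr/sbin/xtables-nft-multi | awk '/NEEDED/{print $2}'`) would catch anything the new entries still miss, and the glibc version copied here is worth logging so image scans can attribute it. The enclosing `for lib in` list starts outside this hunk.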
@@ -541,6 +554,54 @@ nameserver 1.1.1.1
 EOF
 fi
 
+# --- Resolve dual-glibc ambiguity (ARM64) ---
+# piCore64's rootfs ships glibc at /lib/libc.so.6, and we've copied the
+# build host's glibc to /lib/$LIB_ARCH/libc.so.6. Two libc.so.6 in the
+# dynamic linker's search path can lead to a process loading both — one
+# directly, one transitively — and "stack smashing detected" aborts when
+# stack frames cross between them (each libc has its own
+# __stack_chk_guard). Remove piCore's copies so resolution is unambiguous
+# and write a proper /etc/ld.so.conf + cache pointing at our copies.
+if [ "$INJECT_ARCH" = "arm64" ] && [ -d "$ROOTFS/lib/$LIB_ARCH" ]; then
+ echo " Pruning duplicate glibc components in $ROOTFS/lib/..."
+ for lib in \
+ libc.so.6 \
+ libpthread.so.0 \
+ libdl.so.2 \
+ libm.so.6 \
+ libresolv.so.2 \
+ librt.so.1 \
+ libanl.so.1 \
+ libgcc_s.so.1; do
+ # Only delete piCore's copy when our version exists; otherwise
+ # we'd leave the binary unable to find any libc at all.
+ if [ -e "$ROOTFS/lib/$lib" ] && [ -e "$ROOTFS/lib/$LIB_ARCH/$lib" ]; then
+ rm -f "$ROOTFS/lib/$lib"
+ fi
+ done
+
+ # ld.so.conf gives our $LIB_ARCH paths precedence over piCore's /lib
+ # (defaults vary by glibc version; this makes the order explicit).
+ cat > "$ROOTFS/etc/ld.so.conf" </dev/null 2>&1; then
+ ldconfig -r "$ROOTFS" 2>/dev/null && \
+ echo " Generated /etc/ld.so.cache via ldconfig" || \
+ echo " WARN: ldconfig failed; falling back to default search order"
+ else
+ echo " WARN: ldconfig not on builder; cache not generated"
+ fi
+fi
+
 # --- Summary ---
 echo ""
 echo "==> Injection complete. Rootfs contents:"
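Review bot: After the `rm -f "$ROOTFS/lib/$lib"` pruning, `libc.so.6` exists only under `/lib/$LIB_ARCH`, a directory that piCore's own loader, as far as I can tell, reaches only through `/etc/ld.so.conf` and `ld.so.cache`, so both `WARN:` branches leave a rootfs in which every dynamically linked binary fails to find libc — those should be hard failures (`exit 1`), or better, replace the deletion with `ln -sf "$LIB_ARCH/$lib" "$ROOTFS/lib/$lib"` so resolution no longer depends on the cache at all. If the builder is not itself arm64, the host `ldconfig -r` skips foreign-arch objects ("is for unknown machine") yet exits 0, so the "Generated /etc/ld.so.cache" message can be printed for a cache that lists none of these libraries; `ldconfig -r "$ROOTFS" -p | grep -q "$LIB_ARCH/libc.so.6"` would catch that. The pruning also leaves piCore's loader in `/lib` unless `$LD_SO` (set outside this hunk) replaces it, which pairs the old loader with the newer libc for every piCore binary — a combination glibc does not support. The heredoc between `cat > "$ROOTFS/etc/ld.so.conf"` and the `ldconfig` check is missing from this page, so its contents could not be reviewed.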