Some checks failed
ARM64 Build / Build generic ARM64 disk image (push) Failing after 5s
CI / Go Tests (push) Successful in 1m49s
CI / Shellcheck (push) Successful in 56s
CI / Build Go Binaries (amd64, linux, linux-amd64) (push) Successful in 1m43s
CI / Build Go Binaries (arm64, linux, linux-arm64) (push) Successful in 1m54s
Second nft crash report from QEMU virt:

    failed to set up pod masquerade
    nft add table ip kubesolo-masq:
    signal: aborted (output: *** stack smashing detected ***: terminated)
Root cause: two glibcs are visible to dynamically-linked binaries in the
rootfs. piCore64 ships glibc at /lib/libc.so.6; we copy the build host's
glibc (for the iptables-nft / nft / xtables-modules family) to
/lib/$LIB_ARCH/libc.so.6. The dynamic linker can resolve one binary's
NEEDED libc.so.6 to piCore's and another (via transitive load through
e.g. libnftables.so.1) to ours. Each libc has its own __stack_chk_guard
global; stack frames whose canary was written by code from libc-A and
checked by code from libc-B trip "stack smashing detected" → SIGABRT.
This didn't fire before nft was added because no host-installed dyn
binary actually got invoked before kubesolo crashed at first-boot
preflight.
Three layered fixes in inject-kubesolo.sh:
1. Bundle the full glibc family (was just libc.so.6 + ld). Now also
libpthread, libdl, libm, libresolv, librt, libanl, libgcc_s. Without
these, transitively-loaded host libs could pull them in from piCore's
/lib and re-introduce the split.
2. After bundling, delete piCore's duplicates from /lib/ where our copy
exists in /lib/$LIB_ARCH/. The dynamic linker's search now has
exactly one match per soname.
3. Write /etc/ld.so.conf giving /lib/$LIB_ARCH precedence over /lib, and
run `ldconfig -r "$ROOTFS"` to bake an explicit /etc/ld.so.cache.
The runtime linker uses the cache (when present) instead of falling
back to compiled-in default paths, making lookup order deterministic.
Also done (followups from previous commit):
- build/Dockerfile.builder gains nftables so docker-build picks up nft.
- .gitea/workflows/release.yaml's amd64 build job installs iptables +
nftables (previously only listed iptables-related libs but not the
CLIs themselves).
Verified by shellcheck. End-to-end QEMU verification on the Odroid next.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
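The "two glibcs visible to the linker" condition above is easy to reintroduce silently the next time a host binary is bundled, so it is worth checking mechanically. The POSIX sh below is an added example written for this page; it is not code from the kubesolo repository or from inject-kubesolo.sh. It lists every soname that resolves in more than one linker search directory of a rootfs, applies the commit's step 2 (drop the /lib copy wherever /lib/$LIB_ARCH has one) and step 3 (write /etc/ld.so.conf with the arch directory first), and re-audits. Assumptions: the /lib and /lib/$LIB_ARCH layout, the LIB_ARCH value aarch64-linux-gnu, and a constructed rootfs of empty placeholder files; `ldconfig -r` is deliberately not run because it needs real ELF objects.

```shell
#!/bin/sh
# Added example, not code from the kubesolo repo or inject-kubesolo.sh.
# Audits a rootfs for sonames reachable from more than one dynamic-linker
# search directory (the split-glibc condition) and applies the de-duplication.
# Hypothetical/assumed: rootfs layout, LIB_ARCH value, placeholder (empty) .so files.
set -u

# Print one line per soname present in more than one search dir: "soname: dir1 dir2".
# Prints nothing when every soname resolves to exactly one directory.
find_split_sonames() {
    rootfs=$1 lib_arch=$2
    for d in "lib/$lib_arch" lib "usr/lib/$lib_arch" usr/lib; do
        [ -d "$rootfs/$d" ] || continue
        for f in "$rootfs/$d"/*.so*; do
            [ -e "$f" ] || continue
            printf '%s %s\n' "${f##*/}" "$d"
        done
    done | sort | awk '
        { dirs[$1] = dirs[$1] " " $2; n[$1]++ }
        END { for (s in n) if (n[s] > 1) print s ":" dirs[s] }' | sort
}

# Fix step 2: where /lib/$LIB_ARCH carries a copy, delete the duplicate under /lib
# so the linker has exactly one match per soname.
dedupe_into_arch_dir() {
    rootfs=$1 lib_arch=$2
    for f in "$rootfs/lib/$lib_arch"/*.so*; do
        [ -e "$f" ] || continue
        dup="$rootfs/lib/${f##*/}"
        [ -e "$dup" ] && rm -f "$dup"
    done
    return 0
}

# Fix step 3 (conf only): give /lib/$LIB_ARCH precedence over /lib. Baking the cache
# with `ldconfig -r "$rootfs"` needs real ELF files, so it is left to the real build.
write_ld_so_conf() {
    rootfs=$1 lib_arch=$2
    mkdir -p "$rootfs/etc"
    printf '/lib/%s\n/lib\n' "$lib_arch" > "$rootfs/etc/ld.so.conf"
}

# 0 when no soname is split and ld.so.conf lists the arch dir first, else 1.
audit_rootfs() {
    rootfs=$1 lib_arch=$2
    [ -z "$(find_split_sonames "$rootfs" "$lib_arch")" ] || return 1
    head -n1 "$rootfs/etc/ld.so.conf" 2>/dev/null | grep -qxF "/lib/$lib_arch" || return 1
    return 0
}

# Constructed rootfs reproducing the broken state: piCore's libc directly under /lib,
# the bundled host glibc under /lib/$LIB_ARCH. Files are empty placeholders.
make_broken_rootfs() {
    rootfs=$(mktemp -d)
    mkdir -p "$rootfs/lib/$1"
    for so in libc.so.6 libm.so.6 libpthread.so.0; do
        : > "$rootfs/lib/$so"
    done
    for so in libc.so.6 ld-linux-aarch64.so.1 libnftables.so.1; do
        : > "$rootfs/lib/$1/$so"
    done
    printf '%s\n' "$rootfs"
}

demo() {
    arch=aarch64-linux-gnu
    r=$(make_broken_rootfs "$arch")
    echo "before:"; find_split_sonames "$r" "$arch"
    dedupe_into_arch_dir "$r" "$arch"
    write_ld_so_conf "$r" "$arch"
    echo "after:"; find_split_sonames "$r" "$arch"
    audit_rootfs "$r" "$arch" && echo "rootfs OK" || echo "rootfs still split"
    rm -rf "$r"
}
demo
```

Running `find_split_sonames "$ROOTFS" "$LIB_ARCH"` as a preflight in the image build (failing the build on any output) catches the split before first boot, which is cheaper than discovering it through a SIGABRT from nft.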
75 lines
1.8 KiB
Ruby
FROM --platform=linux/amd64 ubuntu:24.04

ENV DEBIAN_FRONTEND=noninteractive

# Install build tools + kernel build dependencies
RUN apt-get update && apt-get install -y --no-install-recommends \
    bash \
    bc \
    bison \
    build-essential \
    ca-certificates \
    cpio \
    curl \
    dosfstools \
    dwarves \
    e2fsprogs \
    fdisk \
    file \
    flex \
    genisoimage \
    grub-common \
    grub-efi-amd64-bin \
    grub-efi-arm64-bin \
    grub-pc-bin \
    grub2-common \
    gzip \
    isolinux \
    iptables \
    kmod \
    libarchive-tools \
    libelf-dev \
    libssl-dev \
    nftables \
    make \
    parted \
    squashfs-tools \
    syslinux \
    syslinux-common \
    syslinux-utils \
    apparmor \
    apparmor-utils \
    gcc-aarch64-linux-gnu \
    binutils-aarch64-linux-gnu \
    busybox-static \
    git \
    kpartx \
    unzip \
    wget \
    xorriso \
    xz-utils \
    && rm -rf /var/lib/apt/lists/*

# Install Go (for building cloud-init and update agent)
ARG GO_VERSION=1.25.5
RUN curl -fsSL "https://go.dev/dl/go${GO_VERSION}.linux-amd64.tar.gz" \
    | tar -C /usr/local -xzf -
ENV PATH="/usr/local/go/bin:${PATH}"

# Install oras (OCI artifact CLI) for push-oci-artifact.sh.
# Bump ORAS_VERSION when pushing breaks or when oras gains useful flags.
ARG ORAS_VERSION=1.2.3
RUN curl -fsSL "https://github.com/oras-project/oras/releases/download/v${ORAS_VERSION}/oras_${ORAS_VERSION}_linux_amd64.tar.gz" \
    | tar -C /usr/local/bin -xzf - oras \
    && chmod +x /usr/local/bin/oras

WORKDIR /build
COPY . /build

RUN chmod +x build/scripts/*.sh build/config/*.sh \
    && chmod +x hack/*.sh 2>/dev/null || true \
    && chmod +x test/qemu/*.sh test/integration/*.sh test/kernel/*.sh 2>/dev/null || true

ENTRYPOINT ["/usr/bin/make"]
CMD ["iso"]