This issue was moved to a discussion.

[Question] libseccomp runtime dependency #4537

Closed
sipasing opened this issue Nov 18, 2024 Discussed in #4536 · 1 comment

@sipasing

Noob question, I see "Static Linking notices" on the releases page stating that libseccomp is a build-time dependency of runc, meaning that libseccomp-devel package should be installed on the system during runc build.

But what about runtime dependency? I notice in Openela repo, runc spec having both a buildtime (BuildRequires tag) and a runtime (Requires tag) dependency on libseccomp. Can someone point me to the docs or explain why a runtime dependency for libseccomp is present.

Also Ques2) diving into build time dependency, how does this static linking take place? Is there a library in libseccomp-devel package that runc is supposed to link against?

@cyphar
Member

cyphar commented Nov 23, 2024

(This probably would've been better left as a discussion thread, but I'll answer here anyway.)

The binaries we build and ship on the releases page are statically linked, in order to make sure they work on any Linux system. There is no runtime dependency on libseccomp for those binaries because libseccomp is already embedded inside the binary.

However, distributions usually prefer shared linking (aka dynamic linking) where the binary has a reference to libseccomp.so that the link loader will load when the binary is executed. They usually prefer this because it (in theory) allows you to update the shared library with patches without having to rebuild every dependency, and improves memory usage and disk space for very commonly used libraries. In that case, you need to have libseccomp.so installed at runtime, and this is a general property of shared libraries. You can see the list of shared libraries a dynamically linked binary depends on using ldd:

ldd examples
% ldd /usr/bin/runc
        linux-vdso.so.1 (0x00007faf37e3a000)
        libseccomp.so.2 => /lib64/libseccomp.so.2 (0x00007faf37dfd000)
        libc.so.6 => /lib64/libc.so.6 (0x00007faf36e00000)
        /lib64/ld-linux-x86-64.so.2 (0x00007faf37e3c000)
% ldd /opt/google/chrome/chrome
        linux-vdso.so.1 (0x00007f850b226000)
        libdl.so.2 => /lib64/libdl.so.2 (0x00007f850b204000)
        libpthread.so.0 => /lib64/libpthread.so.0 (0x00007f850b1ff000)
        libgobject-2.0.so.0 => /lib64/libgobject-2.0.so.0 (0x00007f850b19d000)
        libglib-2.0.so.0 => /lib64/libglib-2.0.so.0 (0x00007f84fbeb2000)
        libnss3.so => /lib64/libnss3.so (0x00007f84fbd71000)
        libnssutil3.so => /lib64/libnssutil3.so (0x00007f850b166000)
        libsmime3.so => /lib64/libsmime3.so (0x00007f850b139000)
        libnspr4.so => /lib64/libnspr4.so (0x00007f850b0f7000)
        libdbus-1.so.3 => /lib64/libdbus-1.so.3 (0x00007f84fbd1e000)
        libatk-1.0.so.0 => /lib64/libatk-1.0.so.0 (0x00007f850b0cc000)
        libatk-bridge-2.0.so.0 => /lib64/libatk-bridge-2.0.so.0 (0x00007f84fbcdf000)
        libcups.so.2 => /lib64/libcups.so.2 (0x00007f84fbc28000)
        libgio-2.0.so.0 => /lib64/libgio-2.0.so.0 (0x00007f84fba35000)
        libdrm.so.2 => /lib64/libdrm.so.2 (0x00007f84fba1d000)
        libexpat.so.1 => /lib64/libexpat.so.1 (0x00007f84fb9f1000)
        libm.so.6 => /lib64/libm.so.6 (0x00007f84fb906000)
        libX11.so.6 => /lib64/libX11.so.6 (0x00007f84fb7bf000)
        libXcomposite.so.1 => /lib64/libXcomposite.so.1 (0x00007f84fb7ba000)
        libXdamage.so.1 => /lib64/libXdamage.so.1 (0x00007f84fb7b5000)
        libXext.so.6 => /lib64/libXext.so.6 (0x00007f84fb7a0000)
        libXfixes.so.3 => /lib64/libXfixes.so.3 (0x00007f84fb798000)
        libXrandr.so.2 => /lib64/libXrandr.so.2 (0x00007f84fb78b000)
        libgbm.so.1 => /lib64/libgbm.so.1 (0x00007f84fb767000)
        libxcb.so.1 => /lib64/libxcb.so.1 (0x00007f84fb73b000)
        libxkbcommon.so.0 => /lib64/libxkbcommon.so.0 (0x00007f84fb6f1000)
        libpango-1.0.so.0 => /lib64/libpango-1.0.so.0 (0x00007f84fb686000)
        libcairo.so.2 => /lib64/libcairo.so.2 (0x00007f84fb548000)
        libudev.so.1 => /lib64/libudev.so.1 (0x00007f84fb501000)
        libasound.so.2 => /lib64/libasound.so.2 (0x00007f84fb3f4000)
        libatspi.so.0 => /lib64/libatspi.so.0 (0x00007f84fb3b8000)
        libgcc_s.so.1 => /lib64/libgcc_s.so.1 (0x00007f84fb38a000)
        libc.so.6 => /lib64/libc.so.6 (0x00007f84fb000000)
        /lib64/ld-linux-x86-64.so.2 (0x00007f850b228000)
        libffi.so.8 => /lib64/libffi.so.8 (0x00007f84fb37f000)
        libpcre2-8.so.0 => /lib64/libpcre2-8.so.0 (0x00007f84fb2d2000)
        libplc4.so => /lib64/libplc4.so (0x00007f84fb2cb000)
        libplds4.so => /lib64/libplds4.so (0x00007f84fb2c6000)
        libsystemd.so.0 => /lib64/libsystemd.so.0 (0x00007f84faf16000)
        libgssapi_krb5.so.2 => /lib64/libgssapi_krb5.so.2 (0x00007f84fb272000)
        libavahi-common.so.3 => /lib64/libavahi-common.so.3 (0x00007f84fb261000)
        libavahi-client.so.3 => /lib64/libavahi-client.so.3 (0x00007f84fb24e000)
        libgnutls.so.30 => /lib64/libgnutls.so.30 (0x00007f84fac00000)
        libz.so.1 => /usr/lib64/zlib-ng-compat/libz.so.1 (0x00007f84fb22c000)
        libgmodule-2.0.so.0 => /lib64/libgmodule-2.0.so.0 (0x00007f84fb225000)
        libmount.so.1 => /lib64/libmount.so.1 (0x00007f84faec9000)
        libselinux.so.1 => /lib64/libselinux.so.1 (0x00007f84fae9a000)
        libXrender.so.1 => /lib64/libXrender.so.1 (0x00007f84fb216000)
        libgallium-24.2.7.so => /lib64/libgallium-24.2.7.so (0x00007f84f8400000)
        libwayland-server.so.0 => /lib64/libwayland-server.so.0 (0x00007f84fae84000)
        libxcb-randr.so.0 => /lib64/libxcb-randr.so.0 (0x00007f84fae72000)
        libXau.so.6 => /lib64/libXau.so.6 (0x00007f84fae6d000)
        libfribidi.so.0 => /lib64/libfribidi.so.0 (0x00007f84fae4d000)
        libthai.so.0 => /lib64/libthai.so.0 (0x00007f84fae41000)
        libharfbuzz.so.0 => /lib64/libharfbuzz.so.0 (0x00007f84f82e1000)
        libpng16.so.16 => /lib64/glibc-hwcaps/x86-64-v3/libpng16.so.16.44.0 (0x00007f84fabb2000)
        libfontconfig.so.1 => /lib64/libfontconfig.so.1 (0x00007f84fab63000)
        libfreetype.so.6 => /lib64/libfreetype.so.6 (0x00007f84f8223000)
        libxcb-render.so.0 => /lib64/libxcb-render.so.0 (0x00007f84fae32000)
        libxcb-shm.so.0 => /lib64/libxcb-shm.so.0 (0x00007f84fae2d000)
        libpixman-1.so.0 => /lib64/libpixman-1.so.0 (0x00007f84f81ab000)
        libcap.so.2 => /lib64/libcap.so.2 (0x00007f84fae21000)
        libXi.so.6 => /lib64/libXi.so.6 (0x00007f84f8197000)
        libkrb5.so.3 => /lib64/libkrb5.so.3 (0x00007f84f80c8000)
        libk5crypto.so.3 => /lib64/libk5crypto.so.3 (0x00007f84f80b0000)
        libcom_err.so.2 => /lib64/libcom_err.so.2 (0x00007f84fab5d000)
        libkrb5support.so.0 => /lib64/libkrb5support.so.0 (0x00007f84f80a1000)
        libjitterentropy.so.3 => /lib64/libjitterentropy.so.3 (0x00007f84f8097000)
        libp11-kit.so.0 => /lib64/libp11-kit.so.0 (0x00007f84f7f0f000)
        libidn2.so.0 => /lib64/libidn2.so.0 (0x00007f84f7eed000)
        libunistring.so.5 => /lib64/libunistring.so.5 (0x00007f84f7d04000)
        libtasn1.so.6 => /lib64/libtasn1.so.6 (0x00007f84f7ced000)
        libhogweed.so.6 => /lib64/glibc-hwcaps/x86-64-v3/libhogweed.so.6.9 (0x00007f84f7ca2000)
        libnettle.so.8 => /lib64/glibc-hwcaps/x86-64-v3/libnettle.so.8.9 (0x00007f84f7c49000)
        libgmp.so.10 => /lib64/libgmp.so.10 (0x00007f84f7ba2000)
        libblkid.so.1 => /lib64/libblkid.so.1 (0x00007f84f7b66000)
        libglapi.so.0 => /lib64/libglapi.so.0 (0x00007f84f7b32000)
        libLLVM.so.19.1 => /lib64/libLLVM.so.19.1 (0x00007f84f0200000)
        libX11-xcb.so.1 => /lib64/libX11-xcb.so.1 (0x00007f84f7b2d000)
        libxcb-dri3.so.0 => /lib64/libxcb-dri3.so.0 (0x00007f84f7b26000)
        libxcb-present.so.0 => /lib64/libxcb-present.so.0 (0x00007f84f7b20000)
        libxcb-xfixes.so.0 => /lib64/libxcb-xfixes.so.0 (0x00007f84f7b16000)
        libxcb-sync.so.1 => /lib64/libxcb-sync.so.1 (0x00007f84f7b0d000)
        libxshmfence.so.1 => /lib64/libxshmfence.so.1 (0x00007f84f7b08000)
        libdrm_radeon.so.1 => /lib64/libdrm_radeon.so.1 (0x00007f84f7af8000)
        libelf.so.1 => /lib64/libelf.so.1 (0x00007f84f7adc000)
        libdrm_amdgpu.so.1 => /lib64/libdrm_amdgpu.so.1 (0x00007f84f7acf000)
        libdrm_intel.so.1 => /lib64/libdrm_intel.so.1 (0x00007f84f7aa9000)
        libxcb-dri2.so.0 => /lib64/libxcb-dri2.so.0 (0x00007f84f7aa2000)
        libstdc++.so.6 => /lib64/libstdc++.so.6 (0x00007f84efe00000)
        libdatrie.so.1 => /lib64/libdatrie.so.1 (0x00007f84f7a97000)
        libgraphite2.so.3 => /lib64/libgraphite2.so.3 (0x00007f84f7a76000)
        libbz2.so.1 => /lib64/glibc-hwcaps/x86-64-v3/libbz2.so.1.0.6 (0x00007f84f7a5d000)
        libbrotlidec.so.1 => /lib64/glibc-hwcaps/x86-64-v3/libbrotlidec.so.1.1.0 (0x00007f84f7a4f000)
        libkeyutils.so.1 => /lib64/libkeyutils.so.1 (0x00007f84f7a48000)
        libresolv.so.2 => /lib64/libresolv.so.2 (0x00007f84f7a34000)
        libcrypto.so.3 => /lib64/glibc-hwcaps/x86-64-v3/libcrypto.so.3.2.3 (0x00007f84ef800000)
        libeconf.so.0 => /lib64/libeconf.so.0 (0x00007f84f7a25000)
        libedit.so.0 => /lib64/libedit.so.0 (0x00007f84f79e9000)
        libzstd.so.1 => /lib64/glibc-hwcaps/x86-64-v3/libzstd.so.1.5.6 (0x00007f84f014b000)
        libxml2.so.2 => /lib64/libxml2.so.2 (0x00007f84ef68d000)
        libpciaccess.so.0 => /lib64/libpciaccess.so.0 (0x00007f84f79db000)
        libbrotlicommon.so.1 => /lib64/glibc-hwcaps/x86-64-v3/libbrotlicommon.so.1.1.0 (0x00007f84f79b8000)
        libtinfo.so.6 => /lib64/libtinfo.so.6 (0x00007f84f010f000)
        liblzma.so.5 => /lib64/glibc-hwcaps/x86-64-v3/liblzma.so.5.6.3 (0x00007f84f00d4000)

It is a little odd that they need to put an explicit Requires for libseccomp though -- rpm will automatically find all dynamic library dependencies and generate Requires automatically. This is how the openSUSE runc specfile works. I guess the specfile comes from RHEL, where they have a different policy on defining Requires.

> How does this static linking take place? Is there a library in libseccomp-devel package that runc is supposed to link against?

Dynamic linking is done against libseccomp.so, static linking is done against libseccomp.a. Your distribution might not provide libseccomp.a (for instance, openSUSE only ships the .so for libseccomp).

For runc in particular, we build our own copy of libseccomp (see scripts/release_build.sh) and then do some hacks (see the static-bin rule in Makefile -- it's mainly -extldflags -static and -tags "netgo osusergo") to force Go to produce a static binary. Except in very specific circumstances, normally Go produces dynamically linked binaries.

@opencontainers opencontainers locked and limited conversation to collaborators Nov 23, 2024
@cyphar cyphar converted this issue into discussion #4540 Nov 23, 2024
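
The distinction drawn in the answer above can be checked by reading the ELF program headers directly instead of running ldd: a shared-linked runc carries libseccomp.so.2 as a DT_NEEDED entry, while a static build has no PT_INTERP segment and no DT_NEEDED entries. This is an added example, not code from runc or from the thread; `elf_runtime_deps` and `build_sample` are hypothetical names, and the sample image is constructed (little-endian ELF64 only).

```python
import struct
from itertools import takewhile
PT_LOAD, PT_DYNAMIC, PT_INTERP = 1, 2, 3
DT_NULL, DT_NEEDED, DT_STRTAB = 0, 1, 5

def cstr(data, off):
    return data[off:data.index(b"\0", off)].decode()

def elf_runtime_deps(data):
    """Return (interpreter or None, DT_NEEDED sonames) of a little-endian ELF64 image."""
    if data[:6] != b"\x7fELF\x02\x01":
        raise ValueError("not a little-endian ELF64 file")
    phoff, phentsize, phnum = struct.unpack_from("<Q14xHH", data, 0x20)
    segs = [struct.unpack_from("<I4xQQ8xQ", data, phoff + i * phentsize)
            for i in range(phnum)]  # (p_type, p_offset, p_vaddr, p_filesz)

    def file_off(addr):  # DT_STRTAB is a virtual address; map it through PT_LOAD
        for typ, off, va, size in segs:
            if typ == PT_LOAD and va <= addr < va + size:
                return off + addr - va
        raise ValueError("address not inside any PT_LOAD segment")

    interp, needed = None, []
    for typ, off, va, size in segs:
        if typ == PT_INTERP:
            interp = cstr(data, off)
        elif typ == PT_DYNAMIC:
            raw = data[off:off + size - size % 16]
            dyn = list(takewhile(lambda e: e[0] != DT_NULL, struct.iter_unpack("<qQ", raw)))
            strtab = next((file_off(v) for t, v in dyn if t == DT_STRTAB), 0)
            needed = [cstr(data, strtab + v) for t, v in dyn if t == DT_NEEDED]
    return interp, needed

def build_sample(needed=None, interp=b"/lib64/ld-linux-x86-64.so.2\0"):
    """Constructed header-only ELF64 image for the demo; needed=None models a static binary."""
    base, nph = 0x400000, 3 if needed is not None else 1
    names = [n.encode() + b"\0" for n in needed or []]
    strtab, i_off = b"\0" + b"".join(names), 64 + 56 * nph
    s_off = i_off + len(interp)
    d_off = s_off + len(strtab)
    dyn = b"".join(struct.pack("<qQ", t, v) for t, v in
                   [(DT_NEEDED, strtab.index(n)) for n in names] + [(DT_STRTAB, base + s_off), (DT_NULL, 0)])
    ph = lambda t, off, n: struct.pack("<IIQQQQQQ", t, 4, off, base + off, base + off, n, n, 8)
    hdr = b"\x7fELF\x02\x01\x01" + bytes(9) + struct.pack(
        "<HHIQQQIHHHHHH", 3, 62, 1, 0, 64, 0, 0, 64, 56, nph, 0, 0, 0)
    phs = ph(PT_LOAD, 0, d_off + len(dyn))
    if needed is not None:
        phs += ph(PT_INTERP, i_off, len(interp)) + ph(PT_DYNAMIC, d_off, len(dyn))
    return hdr + phs + interp + strtab + dyn
```

To inspect a real binary, pass the file's bytes, for example `elf_runtime_deps(open("/usr/bin/runc", "rb").read())`.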
