Re-add `tini-static` package (#2283)

* Re-add tini-static package * Switch docker-init to tini-static * Enable static-pie support in glibc * Build tini-static as a static-PIE * Make moby-engine depend on docker-init * Fix up toolchain package lists to match new glibc version * RELRO,NOW is already set in default LDFLAGS
2022-03-02 20:50:31 +00:00 · 2022-03-02 20:50:31 +00:00 · cdf471d927
--- a/SPECS/glibc/glibc.spec
+++ b/SPECS/glibc/glibc.spec
@ -7,7 +7,7 @@
 Summary:        Main C library
 Name:           glibc
 Version:        2.34
-Release:        2%{?dist}
+Release:        3%{?dist}
 License:        BSD AND GPLv2+ AND Inner-Net AND ISC AND LGPLv2+ AND MIT
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
@ -41,7 +41,10 @@ Patch11:        CVE-2018-20796.nopatch
 #Patch16:        CVE-2020-27618.patch
 Patch17:        glibc-2.34_pthread_cond_wait.patch

-BuildRequires:  perl(File::Find)
+BuildRequires:  bison
+BuildRequires:  kernel-headers
+BuildRequires:  gettext
+BuildRequires:  texinfo

 Requires:       filesystem

@ -153,6 +156,7 @@ cd %{_builddir}/%{name}-build
        --disable-werror \
        --enable-kernel=3.2 \
        --enable-bind-now \
+        --enable-static-pie \
        --disable-experimental-malloc \
 %ifarch x86_64
        --enable-cet \
@ -308,6 +312,10 @@ grep "^FAIL: nptl/tst-eintr1" tests.sum >/dev/null && n=$((n+1)) ||:
 %defattr(-,root,root)

 %changelog
+* Wed Mar 02 2022 Andy Caldwell <andycaldwell@microsoft.com> - 2.34-3
+- Add support for building `-static-pie` binaries against `glibc`
+- Add additional BuildRequires
+
 * Thu Nov 04 2021 Pawel Winogrodzki <pawel.winogrodzki@microsoft.com> - 2.34-2
 - Adding missing BR on "perl(File::Find)".
 - Fixing licensing information.
--- a/SPECS/moby-engine/moby-engine.spec
+++ b/SPECS/moby-engine/moby-engine.spec
@ -4,15 +4,13 @@
 Summary: The open-source application container engine
 Name:    %{upstream_name}-engine
 Version: 20.10.12
-Release: 1%{?dist}
+Release: 2%{?dist}
 License: ASL 2.0
 Group:   Tools/Container
 URL: https://mobyproject.org
 Vendor: Microsoft Corporation
 Distribution: Mariner

-# Note that docker-init is provided by Tini
-
 Source0: https://github.com/moby/moby/archive/v%{version}.tar.gz#/%{name}-%{version}.tar.gz
 # docker-proxy binary comes from libnetwork
 # - The libnetwork version (more accurately commit hash) 
@ -44,12 +42,12 @@ BuildRequires: git
 Requires: audit
 Requires: /bin/sh
 Requires: device-mapper-libs >= 1.02.90-1
+Requires: docker-init
 Requires: iptables
 Requires: libcgroup
 Requires: libseccomp >= 2.3
 Requires: moby-containerd >= 1.2
 Requires: tar
-Requires: tini
 Requires: xz

 Conflicts: docker
@ -127,7 +125,10 @@ fi
 %{_unitdir}/*

 %changelog
-* Fri Feb 4 2022 Nicolas Guibourge <nicolasg@microsoft.com> - 20.10.12-1
+* Wed Mar 02 2022 Andy Caldwell <andycaldwell@microsoft.com> - 20.10.12-2
+- Relax dependency from `tini` to `docker-init`
+
+* Fri Feb 04 2022 Nicolas Guibourge <nicolasg@microsoft.com> - 20.10.12-1
 - Update to version 20.10.12
 - Use code from upstream instead of Azure fork.

--- a/SPECS/tini/tini.spec
+++ b/SPECS/tini/tini.spec
@ -1,19 +1,22 @@
 Summary:        A tiny but valid init for containers
 Name:           tini
 Version:        0.19.0
-Release:        6%{?dist}
+Release:        7%{?dist}
 License:        MIT
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
 URL:            https://github.com/krallin/tini
 Source0:        https://github.com/krallin/tini/archive/v%{version}.tar.gz#/%{name}-%{version}.tar.gz
+BuildRequires:  binutils
 BuildRequires:  cmake
+BuildRequires:  diffutils
+BuildRequires:  file
 BuildRequires:  gcc
-BuildRequires:  glibc-devel
+BuildRequires:  glibc-devel >= 2.34-3
+BuildRequires:  kernel-headers
+BuildRequires:  make
 BuildRequires:  sed

-Provides:       docker-init = %{version}-%{release}
-
 %description
 Tini is the simplest init you could think of.

@ -21,10 +24,24 @@ All Tini does is spawn a single child (Tini is meant to be run in a container),
 and wait for it to exit all the while reaping zombies and performing signal
 forwarding.

+%package static
+Summary:        Standalone static build of tini
+# `docker-init` used to be provided by `tini` it's now provided by `tini-static`
+# `tini` and `tini-static` are co-installable so long as both are newer than
+# that change.
+Conflicts:      %{name} <= 0.19.0-6
+Provides:       docker-init = %{version}-%{release}
+
+%description static
+This package contains a standalone static build of tini, meant to be used
+inside a container.
+
 %prep
 %autosetup
 # Do not strip binaries
 sed -i CMakeLists.txt -e 's/ -Wl,-s//'
+# Enable static-pie (ASLR) support for tini-static
+sed -i CMakeLists.txt -e 's/ -static/ -static-pie/'

 %build
 mkdir build && cd build
@ -33,17 +50,25 @@ mkdir build && cd build

 %install
 %make_install -C build
-pushd %{buildroot}%{_bindir}
-rm -f tini-static
-ln -s tini docker-init
-popd
+# Ensure we're providing a static `docker-init`
+ln -s %{_bindir}/tini-static %{buildroot}%{_bindir}/docker-init

 %files
 %license LICENSE
 %doc README.md
-%{_bindir}/*
+%{_bindir}/tini
+
+%files static
+%license LICENSE
+%doc README.md
+%{_bindir}/tini-static
+%{_bindir}/docker-init

 %changelog
+* Mon Feb 21 2022 Andy Caldwell <andycaldwell@microsoft.com> - 0.19.0-7
+- Re-enable `tini-static` package
+- Enable binary hardening flag (`-static-pie`)
+
 * Mon Feb 07 2022 Nicolas Guibourge <nicolasg@microsoft.com> - 0.19.0-6
 - Makes moby-engine spec relying on tini to provide docker-init

--- a/toolkit/resources/manifests/package/pkggen_core_aarch64.txt
+++ b/toolkit/resources/manifests/package/pkggen_core_aarch64.txt
@ -1,12 +1,12 @@
 filesystem-1.1-8.cm2.aarch64.rpm
 kernel-headers-5.15.18.1-2.cm2.noarch.rpm
-glibc-2.34-2.cm2.aarch64.rpm
-glibc-devel-2.34-2.cm2.aarch64.rpm
-glibc-i18n-2.34-2.cm2.aarch64.rpm
-glibc-iconv-2.34-2.cm2.aarch64.rpm
-glibc-lang-2.34-2.cm2.aarch64.rpm
-glibc-nscd-2.34-2.cm2.aarch64.rpm
-glibc-tools-2.34-2.cm2.aarch64.rpm
+glibc-2.34-3.cm2.aarch64.rpm
+glibc-devel-2.34-3.cm2.aarch64.rpm
+glibc-i18n-2.34-3.cm2.aarch64.rpm
+glibc-iconv-2.34-3.cm2.aarch64.rpm
+glibc-lang-2.34-3.cm2.aarch64.rpm
+glibc-nscd-2.34-3.cm2.aarch64.rpm
+glibc-tools-2.34-3.cm2.aarch64.rpm
 zlib-1.2.11-5.cm2.aarch64.rpm
 zlib-devel-1.2.11-5.cm2.aarch64.rpm
 file-5.40-1.cm2.aarch64.rpm
--- a/toolkit/resources/manifests/package/pkggen_core_x86_64.txt
+++ b/toolkit/resources/manifests/package/pkggen_core_x86_64.txt
@ -1,12 +1,12 @@
 filesystem-1.1-8.cm2.x86_64.rpm
 kernel-headers-5.15.18.1-2.cm2.noarch.rpm
-glibc-2.34-2.cm2.x86_64.rpm
-glibc-devel-2.34-2.cm2.x86_64.rpm
-glibc-i18n-2.34-2.cm2.x86_64.rpm
-glibc-iconv-2.34-2.cm2.x86_64.rpm
-glibc-lang-2.34-2.cm2.x86_64.rpm
-glibc-nscd-2.34-2.cm2.x86_64.rpm
-glibc-tools-2.34-2.cm2.x86_64.rpm
+glibc-2.34-3.cm2.x86_64.rpm
+glibc-devel-2.34-3.cm2.x86_64.rpm
+glibc-i18n-2.34-3.cm2.x86_64.rpm
+glibc-iconv-2.34-3.cm2.x86_64.rpm
+glibc-lang-2.34-3.cm2.x86_64.rpm
+glibc-nscd-2.34-3.cm2.x86_64.rpm
+glibc-tools-2.34-3.cm2.x86_64.rpm
 zlib-1.2.11-5.cm2.x86_64.rpm
 zlib-devel-1.2.11-5.cm2.x86_64.rpm
 file-5.40-1.cm2.x86_64.rpm
--- a/toolkit/resources/manifests/package/toolchain_aarch64.txt
+++ b/toolkit/resources/manifests/package/toolchain_aarch64.txt
@ -99,13 +99,13 @@ glib-debuginfo-2.71.0-1.cm2.aarch64.rpm
 glib-devel-2.71.0-1.cm2.aarch64.rpm
 glib-doc-2.71.0-1.cm2.noarch.rpm
 glib-schemas-2.71.0-1.cm2.aarch64.rpm
-glibc-2.34-2.cm2.aarch64.rpm
-glibc-devel-2.34-2.cm2.aarch64.rpm
-glibc-i18n-2.34-2.cm2.aarch64.rpm
-glibc-iconv-2.34-2.cm2.aarch64.rpm
-glibc-lang-2.34-2.cm2.aarch64.rpm
-glibc-nscd-2.34-2.cm2.aarch64.rpm
-glibc-tools-2.34-2.cm2.aarch64.rpm
+glibc-2.34-3.cm2.aarch64.rpm
+glibc-devel-2.34-3.cm2.aarch64.rpm
+glibc-i18n-2.34-3.cm2.aarch64.rpm
+glibc-iconv-2.34-3.cm2.aarch64.rpm
+glibc-lang-2.34-3.cm2.aarch64.rpm
+glibc-nscd-2.34-3.cm2.aarch64.rpm
+glibc-tools-2.34-3.cm2.aarch64.rpm
 gmock-1.11.0-1.cm2.aarch64.rpm
 gmock-devel-1.11.0-1.cm2.aarch64.rpm
 gmp-6.2.1-2.cm2.aarch64.rpm
--- a/toolkit/resources/manifests/package/toolchain_x86_64.txt
+++ b/toolkit/resources/manifests/package/toolchain_x86_64.txt
@ -99,13 +99,13 @@ glib-debuginfo-2.71.0-1.cm2.x86_64.rpm
 glib-devel-2.71.0-1.cm2.x86_64.rpm
 glib-doc-2.71.0-1.cm2.noarch.rpm
 glib-schemas-2.71.0-1.cm2.x86_64.rpm
-glibc-2.34-2.cm2.x86_64.rpm
-glibc-devel-2.34-2.cm2.x86_64.rpm
-glibc-i18n-2.34-2.cm2.x86_64.rpm
-glibc-iconv-2.34-2.cm2.x86_64.rpm
-glibc-lang-2.34-2.cm2.x86_64.rpm
-glibc-nscd-2.34-2.cm2.x86_64.rpm
-glibc-tools-2.34-2.cm2.x86_64.rpm
+glibc-2.34-3.cm2.x86_64.rpm
+glibc-devel-2.34-3.cm2.x86_64.rpm
+glibc-i18n-2.34-3.cm2.x86_64.rpm
+glibc-iconv-2.34-3.cm2.x86_64.rpm
+glibc-lang-2.34-3.cm2.x86_64.rpm
+glibc-nscd-2.34-3.cm2.x86_64.rpm
+glibc-tools-2.34-3.cm2.x86_64.rpm
 gmock-1.11.0-1.cm2.x86_64.rpm
 gmock-devel-1.11.0-1.cm2.x86_64.rpm
 gmp-6.2.1-2.cm2.x86_64.rpm