[lxc-devel] No libcap.a on Fedora and derived distros

Dwight Engen dwight.engen at oracle.com
Thu Jun 19 13:00:16 UTC 2014


On Mon, 9 Jun 2014 18:51:53 +0000
Serge Hallyn <serge.hallyn at ubuntu.com> wrote:

> Quoting Stéphane Graber (stgraber at ubuntu.com):
> > On Mon, Jun 09, 2014 at 02:34:07PM -0400, Dwight Engen wrote:
> > > On Mon, 9 Jun 2014 14:14:31 -0400
> > > Stéphane Graber <stgraber at ubuntu.com> wrote:
> > > 
> > > > On Mon, Jun 09, 2014 at 02:10:36PM -0400, Dwight Engen wrote:
> > > > > Hi,
> > > > > 
> > > > > I ran into a bit of a problem building master:
> > > > > Fedora (and derived distros such as CentOS, Oracle, RHEL)
> > > > > don't ship with a static lib for libcap, which is needed to
> > > > > build init.lxc.static (commit 2d4b3e3d). Apparently [1]
> > > > > Fedora doesn't intend to ship one, thus there isn't a
> > > > > libcap-static. Any ideas of how we want to proceed here? I
> > > > > guess we can just not build it and it won't be available on
> > > > > these distros?
> > > > 
> > > > So I got into a similar problem with the Android port initially
> > > > though there I just changed the build process to retain the .a,
> > > > therefore fixing the issue.
> > > > 
> > > > But while debugging that, I think Serge told me that he doesn't
> > > > really see why libcap is even required for the static init as
> > > > it doesn't actually do any capability operation itself.
> > > > 
> > > > So maybe the right answer is to fix the code to no longer need
> > > > that dependency on libcap.a.
> > > 
> > > Well I quickly tried manually linking it without -lcap and
> > > caps.o, but lxc_init.c does call lxc_caps_init() and
> > > lxc_caps_reset(), are you saying these calls are not needed?
> > 
> > Serge? ^
> 
> Right - it's init, imo it shouldn't be dropping caps...

So the following two patches remove that from lxc-init, since it wasn't
really working anyway: since we were not dropping from the bounding set,
the child of lxc-init was gaining caps back anyway.

Unfortunately, this still doesn't make it so that I can link
init.lxc.static because it has an indirect undefined reference to cap.c
through log.c:lxc_unpriv(). Today, lxc-init only logs in the non-rootfs
case. I have a PoC that passes the log fd from lxc-execute to lxc-init
so it can call (a new routine) lxc_log_init_fd() and just continue to
log in both the have rootfs and not cases. Maybe we don't like
lxc-init having an open fd outside the container though?

This does make it so lxc-init wouldn't need to call any of the log.c
routines that have lxc_unpriv in them, but only solves the static link
if I add -flto so those routines don't get pulled in during the link.

The alternatives I've thought of are:
  - Split out the lxc_unpriv routines from log.c. Seems ugly.
  - Bundle what we need from libcap so we can compile it in static
  - Just don't build init.lxc.static on platforms that don't have libcap.a

Thoughts?
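
Added example, not part of the original message and not LXC code: a libcap-free C sketch of the bounding-set point above, applying the capabilities(7) execve rule for a uid 0 process to `/proc/<pid>/status` capability lines. The two status samples are constructed, CAP_SYS_BOOT (bit 22) is an arbitrary choice of dropped capability, and the rule assumes SECBIT_NOROOT is unset and no ambient capabilities.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Capability sets as printed in /proc/<pid>/status. */
struct capsets { uint64_t inh, prm, eff, bnd; };

/* Constructed samples: CAP_SYS_BOOT (bit 22) cleared from permitted and
 * effective; the second sample also clears it from the bounding set. */
static const char BSET_FULL[] =
    "CapInh:\t0000000000000000\nCapPrm:\t0000001fffbfffff\n"
    "CapEff:\t0000001fffbfffff\nCapBnd:\t0000001fffffffff\n";
static const char BSET_DROPPED[] =
    "CapInh:\t0000000000000000\nCapPrm:\t0000001fffbfffff\n"
    "CapEff:\t0000001fffbfffff\nCapBnd:\t0000001fffbfffff\n";

/* Parse the four Cap* lines; returns how many were found. */
static int parse_status(const char *text, struct capsets *cs)
{
    static const char *keys[] = { "CapInh:", "CapPrm:", "CapEff:", "CapBnd:" };
    uint64_t *dst[] = { &cs->inh, &cs->prm, &cs->eff, &cs->bnd };
    int found = 0;
    for (int i = 0; i < 4; i++) {
        const char *p = strstr(text, keys[i]);
        unsigned long long v;
        if (p && sscanf(p + strlen(keys[i]), "%llx", &v) == 1) {
            *dst[i] = v;
            found++;
        }
    }
    return found;
}

/* For uid 0 the file inheritable and permitted sets count as all-ones,
 * so after execve: P'(permitted) = P(inheritable) | P(bounding).
 * Returns the capabilities the child holds that the parent had cleared. */
static uint64_t regained_on_exec(const struct capsets *cs)
{
    return (cs->inh | cs->bnd) & ~cs->prm;
}

int main(void)
{
    struct capsets cs = {0};
    parse_status(BSET_FULL, &cs);
    printf("bounding set intact:  regained %#llx\n",
           (unsigned long long)regained_on_exec(&cs));
    parse_status(BSET_DROPPED, &cs);
    printf("bounding set dropped: regained %#llx\n",
           (unsigned long long)regained_on_exec(&cs));
    return 0;
}
```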
