- Use -buildmode=pie for tests and binary build. bsc#1048046 bsc#1051429

This also includes some various improvements to the packaging of runc,
containerd and docker-runc.

OBS-URL: https://build.opensuse.org/package/show/Virtualization:containers/runc?expand=0&rev=53

runc.changes

@@ -1,3 +1,10 @@
+-------------------------------------------------------------------
+Wed Aug  2 13:51:43 UTC 2017 - asarai@suse.com
+
+- Use -buildmode=pie for tests and binary build. bsc#1048046 bsc#1051429
+- Cleanup seccomp builds similar to bsc#1028638
+- Remove the usage of 'cp -r' to reduce noise in the build logs.
+
 -------------------------------------------------------------------
 Thu Jul  6 17:14:17 UTC 2017 - thipp@suse.de
 

runc.spec

@@ -18,6 +18,20 @@
 
 %define go_tool go
 %define _version 1.0.0rc3+r133
+%define project github.com/opencontainers/runc
+
+# enable libseccomp for sle >= sle12sp2
+%if 0%{?sle_version} >= 120200
+%define with_libseccomp 1
+%endif
+# enable libseccomp for leap >= 42.2
+%if 0%{?leap_version} >= 420200
+%define with_libseccomp 1
+%endif
+# enable libseccomp for Factory
+%if 0%{?suse_version} > 1320
+%define with_libseccomp 1
+%endif
 
 Name:           runc
 Version:        1.0.0~rc3+r133
@@ -32,8 +46,7 @@ BuildRequires:  fdupes
 BuildRequires:  go-go-md2man
 BuildRequires:  libapparmor-devel
 BuildRequires:  golang(API) = 1.7
-# Seccomp isn't supported on aarch64.
+%if 0%{?with_libseccomp}
-%ifnarch aarch64
 BuildRequires:  libseccomp-devel
 %endif
 BuildRequires:  libselinux-devel
@@ -53,9 +66,8 @@ Group:          System/Management
 BuildRequires:  golang(API) = 1.7
 Requires:       go-go-md2man
 Requires:       libapparmor-devel
-# Seccomp isn't supported on aarch64.
+%if 0%{?with_libseccomp}
-%ifnarch aarch64
+BuildRequires:  libseccomp-devel
-Requires:       libseccomp-devel
 %endif
 Requires:       libselinux-devel
 Recommends:     criu
@@ -71,51 +83,66 @@ Test package for runc. It contains the source code and the tests.
 # Do not use symlinks. If you want to run the unit tests for this package at
 # some point during the build and you need to directly use go list directly it
 # will get confused by symlinks.
-export GOPATH=${HOME}/go:${HOME}/go/src/github.com/opencontainers/runc/Godeps/_workspace
+export GOPATH=${HOME}/go:${HOME}/go/src/%project/Godeps/_workspace
-mkdir -pv $HOME/go/src/github.com/opencontainers/runc
+mkdir -pv $HOME/go/src/%project
-rm -rf $HOME/go/src/github.com/opencontainers/runc/*
+rm -rf $HOME/go/src/%project/*
-cp -avr * $HOME/go/src/github.com/opencontainers/runc
+cp -av * $HOME/go/src/%project
 
-export BUILDFLAGS="-gccgoflags=-Wl,--add-needed -Wl,--no-as-needed -static-libgo -ldl -lselinux -lapparmor"
 # Build all features.
 export BUILDTAGS="apparmor selinux"
+export BUILDFLAGS="-gccgoflags=-Wl,--add-needed -Wl,--no-as-needed -static-libgo -ldl -lselinux -lapparmor"
 
-# Seccomp isn't supported on aarch64.
+# Additionally enable seccomp.
-%ifnarch aarch64
+%if 0%{?with_libseccomp}
 export BUILDTAGS="$BUILDTAGS seccomp"
 export BUILDFLAGS="$BUILDFLAGS -lseccomp"
 %endif
 
+(cat <<EOF
+export GOPATH="$GOPATH"
+export BUILDTAGS="$BUILDTAGS"
+export BUILDFLAGS="$BUILDFLAGS"
+EOF
+) >./.runc_build_env
+source ./.runc_build_env
+
 # Build runc.
-%go_tool build "$BUILDFLAGS" -tags "$BUILDTAGS" -x -o %{name}-%{version} github.com/opencontainers/%{name}
+%go_tool build -buildmode=pie "$BUILDFLAGS" -tags "$BUILDTAGS" -x -o %{name}-%{version} %{project}
 
 # Build man pages, this can only be done on arches where we can build go-md2man.
 man/md2man-all.sh
 
 %check
-export GOPATH=$HOME/go/src/github.com/opencontainers/runc/Godeps/_workspace:$GOPATH
+source ./.runc_build_env
-cd $HOME/go/src/github.com/opencontainers/runc
+cd $HOME/go/src/%project
+
 PKG_LIST=$(go list ./... \
-		| grep -v 'github.com/opencontainers/runc/libcontainer/cgroups/fs$' \
+		| grep -v '%{project}/libcontainer/cgroups/fs$' \
-		| grep -v 'github.com/opencontainers/runc/libcontainer$' \
+		| grep -v '%{project}/libcontainer$' \
-		| grep -v 'github.com/opencontainers/runc/libcontainer/integration$' \
+		| grep -v '%{project}/libcontainer/integration$' \
-		| grep -v 'github.com/opencontainers/runc/libcontainer/nsenter$' \
+		| grep -v '%{project}/libcontainer/nsenter$' \
-		| grep -v 'github.com/opencontainers/runc/libcontainer/user$' \
+		| grep -v '%{project}/libcontainer/user$' \
-		| grep -v 'github.com/opencontainers/runc/libcontainer/xattr$')
+		| grep -v '%{project}/libcontainer/xattr$' \
-go test -timeout 3m -tags "$BUILDTAGS" -v $PKG_LIST
+%if ! 0%{?with_libseccomp}
+		| grep -v '%{project}/libcontainer/seccomp$' \
+		| grep -v 'github.com/seccomp/libseccomp-golang$' \
+%endif
+		)
+%go_tool test -buildmode=pie "$BUILDFLAGS" -tags "$BUILDTAGS" -timeout 3m -v $PKG_LIST
 
 %install
+source ./.runc_build_env
+
+# We install to /usr/sbin/runc as per upstream.
 install -D -m755 %{name}-%{version} %{buildroot}%{_sbindir}/%{name}
-install -d -m755 %{buildroot}/usr/src/runc/
+install -d -m755 %{buildroot}/usr/src/%{name}/
-cp -avr $HOME/go/src/github.com/opencontainers/runc/* %{buildroot}/usr/src/runc/
+cp -av $HOME/go/src/%{project}/* %{buildroot}/usr/src/%{name}/
-
-# symlink runc as docker-runc. bsc#1015661
-install -d -m755 %{buildroot}/%{_bindir}
 
+# Man pages.
 install -d -m755 %{buildroot}%{_mandir}/man8
 install -m644 man/man8/runc*.8 %{buildroot}%{_mandir}/man8
 
-%fdupes %{buildroot}/%{_prefix}
+%fdupes %{buildroot}
 
 %post
 
@@ -123,7 +150,6 @@ install -m644 man/man8/runc*.8 %{buildroot}%{_mandir}/man8
 %defattr(-,root,root)
 %doc README.md LICENSE
 %{_sbindir}/%{name}
-
 %{_mandir}/man8/runc*.8.gz
 
 %files test