containerd: improve reproducibility

We get the following QA warning on build: WARNING: containerd-opencontainers-v1.6.8+gitAUTOINC+579a6380ec-r0 do_package_qa: QA Issue: File /usr/bin/containerd-shim-runc-v2 in package containerd-opencontainers contains reference to TMPDIR File /usr/bin/containerd-ctr in package containerd-opencontainers contains reference to TMPDIR File /usr/bin/containerd-shim-runc-v1 in package containerd-opencontainers contains reference to TMPDIR File /usr/bin/containerd in package containerd-opencontainers contains reference to TMPDIR File /usr/bin/containerd-shim in package containerd-opencontainers contains reference to TMPDIR [buildpaths] This is the first step in fixing the QA warning, by dropping our debug patch, passing -trimpath and not defining GO_DEBUG. This leaves a final reference similar to: path _/opt/poky/build/tmp/work/core2-64-poky-linux/containerd-opencontainers/v1.6.8+gitAUTOINC+579a6380ec-r0/git/src/import/cmd/ctr That is being stored in the .rodata of the binaries. Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
2025-07-19 12:50:22 +02:00 · 2022-09-12 15:34:59 -04:00 · 2022-09-12 15:34:59 -04:00 · 9ef3fa52d0
commit 9ef3fa52d0
parent 08a59b4d93
3 changed files with 33 additions and 35 deletions
--- a/recipes-containers/containerd/containerd-opencontainers/0001-Add-build-option-GODEBUG-1.patch
+++ b/recipes-containers/containerd/containerd-opencontainers/0001-Add-build-option-GODEBUG-1.patch
@ -1,32 +0,0 @@
-From 84874e47aa2025b8e73df0286c44f3b8a1d9fdb2 Mon Sep 17 00:00:00 2001
-From: Hongxu Jia <hongxu.jia@windriver.com>
-Date: Mon, 2 Sep 2019 16:20:07 +0800
-Subject: [PATCH] Add build option "GODEBUG=1"
-
-Make will generate GDB friendly binary with this build option.
-
-Signed-off-by: Hui Zhu <teawater@hyper.sh>
-
-Upstream-Status: Backport [c5a0c7f491b435e4eb45972903b00e2d8ed46495]
-
-Partly backport and refresh to v1.2.7
-Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
---
- src/import/Makefile | 8 ++++++--
- 1 file changed, 6 insertions(+), 2 deletions(-)
-
-Index: git/src/import/Makefile
-===================================================================
--- git.orig/src/import/Makefile	2020-10-12 08:09:41.638977052 -0700
-+++ git/src/import/Makefile	2020-10-12 08:10:49.783074373 -0700
-@@ -72,6 +72,10 @@
- COMMANDS=ctr containerd containerd-stress
- MANPAGES=ctr.8 containerd.8 containerd-config.8 containerd-config.toml.5
- 
-+ifndef GODEBUG
-+   EXTRA_LDFLAGS += -s -w
-+endif
-+
- ifdef BUILDTAGS
-     GO_BUILDTAGS = ${BUILDTAGS}
- endif
--- a/recipes-containers/containerd/containerd-opencontainers/0001-build-don-t-use-gcflags-to-define-trimpath.patch
+++ b/recipes-containers/containerd/containerd-opencontainers/0001-build-don-t-use-gcflags-to-define-trimpath.patch
@ -0,0 +1,30 @@
+From 9174091fa1624dbb09ce812792a4102dff693541 Mon Sep 17 00:00:00 2001
+From: Bruce Ashfield <bruce.ashfield@gmail.com>
+Date: Mon, 12 Sep 2022 15:40:08 -0400
+Subject: [PATCH] build: don't use gcflags to define trimpath
+
+We can pass trimpath in via environment variables. The gcflags
+definition of trimpath is for older go versions and is using the
+complete path for trimming. If the variable is captured in the
+resulting binary, we have a reproducibility and QA issue.
+
+Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
+---
+ Makefile | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git git.orig/src/import/Makefile git.orig/src/import/Makefile
+index 4a6c13042..debb57925 100644
+--- git.orig/src/import/Makefile
+++ git.orig/src/import/Makefile
+@@ -130,7 +130,6 @@ TESTFLAGS_RACE=
+ # See Golang issue re: '-trimpath': https://github.com/golang/go/issues/13809
+ GO_GCFLAGS=$(shell				\
+ 	set -- ${GOPATHS};			\
+-	echo "-gcflags=-trimpath=$${1}/src";	\
+ 	)
+ 
+ BINARIES=$(addprefix bin/,$(COMMANDS))
+-- 
+2.19.1
+
--- a/recipes-containers/containerd/containerd-opencontainers_git.bb
+++ b/recipes-containers/containerd/containerd-opencontainers_git.bb
@ -7,8 +7,8 @@ DESCRIPTION = "containerd is a daemon to control runC, built for performance and

 SRCREV = "579a6380ec93ab92a6e7f26167fe4f18dfcf2a4b"
 SRC_URI = "git://github.com/containerd/containerd;branch=release/1.6;protocol=https \
-           file://0001-Add-build-option-GODEBUG-1.patch \
           file://0001-Makefile-allow-GO_BUILD_FLAGS-to-be-externally-speci.patch \
+           file://0001-build-don-t-use-gcflags-to-define-trimpath.patch \
          "

 # Apache-2.0 for containerd
@ -18,7 +18,7 @@ LIC_FILES_CHKSUM = "file://src/import/LICENSE;md5=1269f40c0d099c21a871163984590d
 CONTAINERD_VERSION = "v1.6.8"
 CVE_VERSION = "1.6.8"

-EXTRA_OEMAKE += "GODEBUG=1"
+# EXTRA_OEMAKE += "GODEBUG=1"

 PROVIDES += "virtual/containerd"
 RPROVIDES:${PN} = "virtual-containerd"
@ -84,7 +84,7 @@ do_compile() {
    # cannot find package runtime/cgo (using -importcfg)
    #        ... recipe-sysroot-native/usr/lib/aarch64-poky-linux/go/pkg/tool/linux_amd64/link:
    #        cannot open file : open : no such file or directory
-    export GO_BUILD_FLAGS="-a -pkgdir dontusecurrentpkgs"
+    export GO_BUILD_FLAGS="-trimpath -a -pkgdir dontusecurrentpkgs"
    export GO111MODULE=off

    cd ${S}/src/import