1543790 – ipvsadm: Does not use Fedora build flags

Note: This is a public test instance of Red Hat Bugzilla. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback at bugzilla.redhat.com.

Bug 1543790 - ipvsadm: Does not use Fedora build flags

Summary: ipvsadm: Does not use Fedora build flags

Keywords:
Status:	CLOSED NEXTRELEASE
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	ipvsadm
Sub Component:
Version:	28
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	unspecified
Target Milestone:	---
Assignee:	Ryan O'Hara
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	Fedora28BuildFlags
TreeView+	depends on / blocked

Reported:	2018-02-09 10:35 UTC by Florian Weimer
Modified:	2018-02-28 11:23 UTC (History)
CC List:	4 users (show)
Fixed In Version:	ipvsadm-1.29-8.fc28
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2018-02-28 11:23:09 UTC
Type:	Bug
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Description Florian Weimer 2018-02-09 10:35:23 UTC

/usr/sbin/ipvsadm in ipvsadm-1.29-5.fc28 is built without the Fedora build flags, as defined in redhat-rpm-config.  CFLAGS and LDFLAGS injection is not performed.

More information about the build flags provided by redhat-rpm-config is available here:

https://src.fedoraproject.org/rpms/redhat-rpm-config/blob/master/f/buildflags.md

Comment 1 Fedora End Of Life 2018-02-20 15:31:08 UTC

This bug appears to have been reported against 'rawhide' during the Fedora 28 development cycle.
Changing version to '28'.

Comment 2 Ryan O'Hara 2018-02-23 16:23:27 UTC

Since ipvsadm does not use autoconf, I went ahead and put %set_build_flags in the %build section, per instructions in the link provided above. This did not work, caused build to fail. Have not been able to find documentation on this macro.

Comment 3 Florian Weimer 2018-02-23 16:31:42 UTC

(In reply to Ryan O'Hara from comment #2)
> Since ipvsadm does not use autoconf, I went ahead and put %set_build_flags
> in the %build section, per instructions in the link provided above. This did
> not work, caused build to fail. Have not been able to find documentation on
> this macro.

When talking about build failures, please be more specific.  Do you have a link to a scratch build?  You do not a fairly recent Fedora 28 or rawhide installation inside the buildroot.

The macro is documented in the file I linked to in comment 0.

Please let me know if you have further questions.

Comment 5 Ryan O'Hara 2018-02-26 17:04:47 UTC

Fixed in rawhide and F28.

Comment 6 Florian Weimer 2018-02-26 19:04:15 UTC

Sorry, according to the ipvsadm-1.29-7.fc28 build log, LDFLAGS still aren't being used:

gcc -Wall -Wunused -Wstrict-prototypes -g -o ipvsadm ipvsadm.o config_stream.o dynamic_array.o libipvs/libipvs.a -lpopt -lnl-genl-3 -lnl-3

Comment 7 Ryan O'Hara 2018-02-26 19:32:05 UTC

Right. I forgot to add the patch that adds LDFLAGS to the Makefile. I'll try to add this soon.

Comment 8 Ryan O'Hara 2018-02-27 15:13:43 UTC

I have a patch that adds LDFLAGS to both the top-level Makefile and libipvs/Makefile, but that has caused some problems. The libipvs code is compiled with -fPIC (set in CFLAGS of libipvs/Makefile), but the ipvsadm utility itself is not. We end up with this:

/usr/bin/ld: ipvsadm.o: relocation R_X86_64_32 against `.rodata' can not be used when making a shared object; recompile with -fPIC
/usr/bin/ld: config_stream.o: relocation R_X86_64_32 against `.rodata' can not be used when making a shared object; recompile with -fPIC
/usr/bin/ld: dynamic_array.o: relocation R_X86_64_32 against symbol `strdup@@GLIBC_2.2.5' can not be used when making a shared object; recompile with -fPIC
/usr/bin/ld: final link failed: Nonrepresentable section on output

It was my understanding that, by default, all builds were hardened and it was also my understanding that this was defined in redhat-hardened-cc1. I'm not seeing any indication that redhat-hardened-cc1 rules are being used. Is that normal or am I missing something? Thoughts?

Comment 9 Florian Weimer 2018-02-27 15:28:20 UTC

(In reply to Ryan O'Hara from comment #8)
> I have a patch that adds LDFLAGS to both the top-level Makefile and
> libipvs/Makefile, but that has caused some problems. The libipvs code is
> compiled with -fPIC (set in CFLAGS of libipvs/Makefile), but the ipvsadm
> utility itself is not. We end up with this:
> 
> /usr/bin/ld: ipvsadm.o: relocation R_X86_64_32 against `.rodata' can not be
> used when making a shared object; recompile with -fPIC
> /usr/bin/ld: config_stream.o: relocation R_X86_64_32 against `.rodata' can
> not be used when making a shared object; recompile with -fPIC
> /usr/bin/ld: dynamic_array.o: relocation R_X86_64_32 against symbol
> `strdup@@GLIBC_2.2.5' can not be used when making a shared object; recompile
> with -fPIC
> /usr/bin/ld: final link failed: Nonrepresentable section on output

This means that these object files were not built as PIE (or PIC).

> It was my understanding that, by default, all builds were hardened and it
> was also my understanding that this was defined in redhat-hardened-cc1. I'm
> not seeing any indication that redhat-hardened-cc1 rules are being used. Is
> that normal or am I missing something? Thoughts?

With a successful CFLAGs injection, the -specs=…/redhat-hardened-cc1 option ensures that PIE is used for the build, unless -fpic or -fPIC is specified as well, in which case PIC is used.  This almost always does the right thing, producing code which is position-independent and optimized for PIE relocation if possible.

I do not know what is going wrong in your case.  Maybe you can post a link to a scratch build in Koji?  Then I can look at the RPM spec file, and also which flags, exactly, were used to build dynamic_array.o etc.

Comment 10 Ryan O'Hara 2018-02-27 16:01:00 UTC

(In reply to Florian Weimer from comment #9)
> With a successful CFLAGs injection, the -specs=…/redhat-hardened-cc1 option
> ensures that PIE is used for the build, unless -fpic or -fPIC is specified
> as well, in which case PIC is used.  This almost always does the right
> thing, producing code which is position-independent and optimized for PIE
> relocation if possible.

Right. I think I found the problem. The Makefile in ipvsadm is setting CFLAGS directly, not appending, so the CFLAGS set as environment variable is not being used. I thought upstream had fixed this years ago but I must be mistaken.

> I do not know what is going wrong in your case.  Maybe you can post a link
> to a scratch build in Koji?  Then I can look at the RPM spec file, and also
> which flags, exactly, were used to build dynamic_array.o etc.

I was just doing a local 'fedpkg mockbuild' and have not done a commit yet because I wanted to make sure it worked this time. If this CFLAGS change does not work as I hope, I will do a quick scratch build from srpm and provide a link. Thanks.

Comment 11 Ryan O'Hara 2018-02-27 18:19:45 UTC

Fixed (again) in F28 and rawhide. The F28 build can be found here:

https://koji.fedoraproject.org/koji/taskinfo?taskID=25350348

AFAICT the build.log looks correct, with proper LDFLAGS and CFLAGS. Feel free to verify.

Comment 12 Florian Weimer 2018-02-28 11:23:09 UTC

Thanks, I can confirm that is fixed!

Note You need to log in before you can comment on or make changes to this bug.