Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Missing build id, Generating build-id links failed #367

Closed
seemethere opened this issue Dec 7, 2017 · 6 comments
Closed

Missing build id, Generating build-id links failed #367

seemethere opened this issue Dec 7, 2017 · 6 comments

Comments

@seemethere
Copy link

seemethere commented Dec 7, 2017

Overview

I'm experiencing a consistent issue with the latest rpm version 4.14.0 with the output:

error: Missing build-id in /root/rpmbuild/BUILDROOT/docker-ce-17.12.0.ce-0.1.rc1.fc27.x86_64/usr/bin/docker-containerd-shim
error: Generating build-id links failed
    Missing build-id in /root/rpmbuild/BUILDROOT/docker-ce-17.12.0.ce-0.1.rc1.fc27.x86_64/usr/bin/docker-containerd-shim
    Generating build-id links failed

This is not experienced in rpm version 4.13.0.2.

I believe it may have something to do with either of these commits:

Steps to reproduce:

git clone -b 17.12 [email protected]:docker/docker-ce
make -C components/packaging/rpm VERSION=$(cat VERSION) fedora-27

Link to spec file: https://github.com/docker/docker-ce/blob/17.12/components/packaging/rpm/fedora-27/docker-ce.spec

@rpm-maint
Copy link

rpm-maint commented Dec 7, 2017 via email

@seemethere
Copy link
Author

seemethere commented Dec 7, 2017

@mark it's the only reference I could find to the error message, and it was included in 14.4.0 which is where we first experienced the issue.

So I think the problem lies with docker-containerd-shim being compiled with CGO_ENABLED=0.

When compiled without CGO the binary does not have a build-id but is still considered an executable.

Our current workaround is to set:

%global _missing_build_ids_terminate_build 0

@kolyshkin
Copy link
Contributor

Here is a simple reproducer for the case, on a clean fresh Fedora 27 install:

# Name this gotst.spec
Name:		gotst
Version:	1.0
Release:	1%{?dist}
Summary:	Go binary to demonstrate build-id problem

Group:		Applications
License:	GPL

BuildRequires:	golang

%description
Lalala.


%prep
%setup -Tc

cat > gotst.go << EOF
package main
import "fmt"

func main() {
	fmt.Println("Hello, world!")
}
EOF

%build
go build -v -o gotst .

%install
install -d %{buildroot}/%{_bindir}
install gotst %{buildroot}/%{_bindir}

%files
%{_bindir}/gotst

%changelog
* Fri Dec  8 2017 Kir Kolyshkin <kolyshkin@gmail.com> - 1.0-1
- created

Save the above file to gotst.spec and run the following:

dnf -y install golang rpm-build
rpmbuild -bb gotst.spec

The error you'll see is
*** ERROR: No build ID note found in /root/rpmbuild/BUILDROOT/gotst-1.0-1.fc27.x86_64/usr/bin/gotst

Can you please suggest how to use go build to build a binary which can be packaged for Fedora 27?

Some analysis:

  • go build adds its own build-id into the binary, named .note.go.build-id.
  • Fedora 27 rpm wants to have .note.gnu.build-id which is not created as no GNU tools are used to create the binary

Here's how I checked the resulting binary:

# cat > gotst.go << EOF
package main
import "fmt"

func main() {
fmt.Println("Hello, world!")
}
EOF

# go build -o gotst gotst.go

# eu-readelf -n gotst

Note section [20] '.note.go.buildid' of 56 bytes at offset 0xfc8:
  Owner          Data size  Type
  Go                    40  BUILDID

@kolyshkin
Copy link
Contributor

OK one way is to use gccgo instead of go build, and the other way is to add -ldflags=-linkmode=external flag to go build.

Still, by default (i.e. using go build) it doesn't do that and it's a problem.

@pmatilai
Copy link
Member

I looked a bit into this yesterday, just to see what sort of effort we'd be talking about to have rpm understand the buildid from go (as opposed to gnu):

  • The go-buildid appears to be ASCII SHA1(based on its length), this would require modifications to debugedit and librpmbuild side as both assume the digest is stored in binary format
  • There's partial support for the Go buildid in elfutils, added via https://bugzilla.redhat.com/show_bug.cgi?id=1295951 (which is what you see with eu-readelf) but as noted in the bug, more is needed. For example dwelf_elf_gnu_build_id() only knows about GNU buildid as the name implies and there's no Go buildid counterpart.

For now I think we just need to state that only GNU toolchain buildids are supported, for others there's the simple workaround of disabling buildid requirement in the package that you're already using.
If/when elfutils adds full support for other variants we can reconsider it in rpm, but I'll leave that up to Mark who's the maintainer of both elfutils and debugedit/buildid stuff in rpm.

paulkatsoulakis pushed a commit to paulkatsoulakis/go.d.plugin that referenced this issue Aug 16, 2019
thaJeztah added a commit to thaJeztah/docker-ce-packaging that referenced this issue Mar 23, 2021
…arning

I noticed this warning during a build in CI:

    warning: Missing build-id in /root/rpmbuild/BUILDROOT/docker-ce-cli-0.0.0.20210311145359.d3c36a2-0.el8.x86_64/usr/libexec/docker/cli-plugins/docker-buildx

And looks looks like we had that issue before at some point; rpm-software-management/rpm#367 (comment)

From that thread:

> OK one way is to use gccgo instead of go build, and the other way is to add -ldflags=-linkmode=external flag to go build.
>
> Still, by default (i.e. using go build) it doesn't do that and it's a problem.

Signed-off-by: Sebastiaan van Stijn <[email protected]>
HuaxinLu pushed a commit to HuaxinLu/libcap that referenced this issue Sep 13, 2021
I've been looking at reasons packagers are not building the Go binaries
and found this with respect to RPMs:

  rpm-software-management/rpm#367

There has been no easy way to inject the otherwise unneeded workaround:
-ldflags=-linkmode=external for building (which, strangely, generates
some sort of warning and gratuitously links glibc to an otherwise
static build), but seems to work.

Until RPM supports Go's native '.note.go.buildid', and RPM requires
'.note.gnu.build-id' on binaries, I guess this can work around it:

   GO_BUILD_FLAGS='-ldflags=-linkmode=external'

Signed-off-by: Andrew G. Morgan <[email protected]>
mtremer pushed a commit to ipfire/ipfire-2.x that referenced this issue Jan 2, 2022
- Update from 2.50 to 2.61
- Update of rootfile
- Changelog
  Release notes for 2.61
    Better error handling of the numerical arguments for capsh and setcap.
        Reported by meitingli with some bug de-duping help from Artem S. Tashkinov (Bugs 214909, 214911)
    Fix executable mode for all of the .so files. There were two situations where this was failing (with a hard to debug SIGSEGV inside libc). Bugs reported by Sam James. Both the same solution related to stack alignment and use of SSE instructions:
        glibc and the 32-bit x86 mode (Gentoo bug 820071)
        musl runtime library for 64-bit x86 code (Bug 215009)
    Added an example of a shared library object with its own file capability.
        It demonstrates how to give a shared library a file capability and offer it as a linkable privileged API service to an otherwise unprivileged binary.
    Fix the top-level include for Make.Rules in the contrib/sucap example application
    Add support for running constructors at libcap.so start up time when running as stand alone binary.
        This enables the binary executable to print out some dynamically generated content when given the --summary argument.
  Release notes for 2.60
    Some build, code linting fixes, the addition of the cap_fill_flag() API and a memory latency optimization contributed by Google (Bugs: 214579 214601 214599)
    General improvement in thread safety for libcap and cap package (Bug: 214715)
    Minor API change replacing libcap:cap_launch_*() void returning functions with int + errno status returns.
        This should be backwardly compatible for code.
    Added a cap_iab_dup(), and (*cap.IAB).Dup() to API.
        Fixed (*cap.IAB).Fill() which was previously malfunctioning for certain Inh and Amb copies.
    New features for capsh
        --quiet can be used to suppress the start up check that the local libcap is modern enough to name all of the capabilities known to the hosting kernel
        Added -+ and =+ arguments. These are fork+exec equivalents to -- and == respectively (that use the cap_launch API).
  Release notes for 2.59
    libcap-2.55 ... 2.58 would SIGSEGV if an operation was attempted on a NULL value for cap_t or cap_iab_t. Restore the more tolerant error return behavior last seen with libcap-2.54. (Bug 214525)
    More make -j13 fixes (missing dependency for make -C progs sudotest).
    Various minor documentation fixes.
  Release notes for 2.58
    Fixed a potential libcap memory leak by adding a destructor (Bug 214373 reported by yan12125)
    Major improvement is that there is a path for Linux-PAM compliant applications to support setting Ambient vector Capabilities via pam_cap.so now (Bug 214377)
        In addition to the bug, related discussion is in two Github issues: shadow-maint/shadow#408 (comment) and rra/pam-krb5#21
    Added support for RPM builds that generate the build-id that RPM expects (see rpm-software-management/rpm#367 for discussion)
    Minor contrib/sucap/su.c cleanups
    Clean up kdebug build rules
    More documentation cleanup
  Release notes for 2.57
    capsh enhancements:
        --mode makes a guess at the libcap mode of the current process (Bug 214319)
        --strict makes capsh less permissive and expects the user to perform more deliberate capability transactions
            useful for learning all the steps; and helps this article be more pedagogical.
    Build system fixes
        Preserve $(WARNINGS) (Fix from David Seifert)
        Don't ever build test binaries unless make test etc is invoked (speeds builds on slower systems)
        Support make -j12 for all, test and sudotest targets
    getcap -r / now generates readable output (Bug 214317)
    Some documentation cleanup: more consistency.
  Release notes for 2.56
    Canonicalize the Makefile use (in collaboration with David Seifert)
        In the process fixed a bug in pam_cap/test_pam_cap (reported by David Seifert, Bug 214257)
    Doc fixes for cap_iab.3
    Added color support to captree, which helped make the following fix generate readable output:
        Fixed captree to not display duplicate copies of sub-trees if also exploring their ancestor (Bug 214269)
    Fixed contrib/sucap/su to correctly handle the Inheritable flag.
  Release notes for 2.55
    Two rounds of fixes for the results of some static analysis performed by Zoltan Fridrich
    Removed a clang compilation warning about memory allocation by rewriting the way cap_free() and the various libcap memory allocation mechanisms work. (Bug 214183)
        This generated a few broken builds until it was fixed.
    Cleanup of some man pages; some fixes and shorter URL to bugzilla link.
    Added libcap cap_proc_root() API function (to reach parity with the Go cap package).
        This is only potentially useful with the recently added cap_iab_get_pid() function
    Revamped what the GOLANG=yes builds install - used to install local copies of cap and psx, but these were effectively useless because of the Go module support in recent Go releases in favor of user controller GOPATH.
        Now make GOLANG=yes only installs the captree utility
        Added some features to captree and created a small article on it
        Added a man page for the captree utility
    Some small changes to the tests to account for the idiosyncrasies of some new testing environments I've accumulated.
        Included adding --has-b support to capsh
  Release notes for 2.54
    Fix for a corner case infinite loop handling long strings (patch provided by Samanta Navarro)
    Fixes to not ignore allocation failures (patch provided by Samanta Navarro)
    Evolving work from Samanta Navarro, found and fixed a memory leak in cap_iab_get_proc()
    More robust discovery of the name of the dynamic loader of the build target (patch provided by Arnout Vandecappelle)
    Revamped the Go capability comparison API for *cap.Set and *cap.IAB: (x).Cf(), and added cap.IABGetPID()
    Added libcap cap_iab_compare() and cap_iab_get_pid() APIs.
    Added a Go utility, captree, to display the process (and thread) graph along with the POSIX.1e and IAB capabilities of each PID{TID} tree.
        Extended getpcaps to support the --iab command line argument, which outputs a PID's IAB tuple too (if non-default).
    Install *.so files as executable now that they are executable as binaries
        A feature of 2.52 but not extended to install rules at that time.
    Absorbed a lot of wisdom from a number of downstream package workarounds including wisdom from (Zhi Li and Arnout Vandecappelle and unknown others... Bugs 214023#c16, 214085)
        Support make FORCELINKPAM=yes or make FORCELINKPAM=no for those packagers that feel strongly about not letting this be dynamically discovered at build time.
    Fixed a compiler warnings from the GitHub build tester (Bug 214143)
  Release notes for 2.53
    The (C) cap_launch functionality was previously broken when launches failed (found and fixed by Samanta Navarro)
        Added a test case for this too.
    Lots of tyops fixed in code and documentation (also by Samanta Navarro)
    Support distributions that aggressively link shared objects (reported by David Runge; Bug 214023)
        These distributions failed to observe a runnable pam_cap.so and various make options failed.
    Support clang builds (again). (Reported by Johan Herland 214047)
        This used to work, but by accident. It broke with the advent of a runnable libcap.so , libpsx.so and pam_cap.so support. Fixed now, and added a build target to validate it still works at release time.
    Minor documentation updates including one for Slavi Marinov who was trying to get cap.LaunchFunc() to work.
        Worked up a couple of example modifications to goapps/web to demonstrate a different user per web query and enabling a custom chroot per web query.
  Release notes for 2.52
    Revived -std=c89 compilation for make all etc. (Bug 213541 reported by Byron Stanoszek.)
    The shared library objects: pam_cap.so, libcap.so and libpsx.so, are all now runnable as standalone binaries!
        The support is used to display some description information.
        To activate it, these binaries need to be installed executable (chmod +x ...)
        We also provided a write-up of how to enable this sort of feature in other .so files here.
    The module pam_cap.so now contains support for a default=<IAB> module argument. (Bug 213611).
    Enhanced capsh --suggest to also compare against the capability value names and not just their descriptions.
    Added capsh --current support.
    Minor documentation updates.
    Added a contrib/sucap/su.c pure-capabilities PAM implementation of su.
        This is primarily to demonstrate that such a thing is possible, and to validate that the pam_cap.so module is capable of adding any IAB tuple of inheritables per group or user.
        At this time, it relies on features only present in this version of libcap and HEAD of the Linux-PAM sources for the pam_unix.so module.
  Release notes for 2.51
    Fix capsh installation (Bug 213261 - reported by Jan Palus)
    Add an autoauth module flag to pam_cap.so (Bug 213279 - noted a feature request hidden in StackExchange)
    Unified libcap/cap (Go) and libcap (C) default generation of external format binary data (Bug 213375 - addressing an issue raised by Mike Schilling)
        This standard binary format should be forwards/backwards compatible with earlier libcap2 builds and libcap/cap packages
    API enhancement cap_fill() and (*cap.Set).Fill() - to permit copying one capability flag to another.
        This can be used to raise all the Permitted capabilities in a Set with one API call.
    In tree build/run/test of Go packages now uses Go module vendoring (Bug 212453).
        This is with an eye to the imminent golang change removing support for GOPATH based building.
    Minor compilation warning fixes

Signed-off-by: Adolf Belka <[email protected]>
Reviewed-by: Michael Tremer <[email protected]>
@pprindeville
Copy link

Running into this issue on my fork of containerd-packaging

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

5 participants