[Buildroot] [RFC PATCH v1 0/2] Bump sysdig and falco libs

[Buildroot] [RFC PATCH v1 0/2] Bump sysdig and falco libs

[Francis Laniel]

Hi.


With this contribution, I bumped sysdig and falcosecurity-libs.
Sadly, I am not fully satisfied with the result, hence the fact I marked it as
RFC because I would like to get your feedback to make it better.

First of all, sysdig builds and runs:
Welcome to Buildroot
buildroot login: root
# sysdig --version
sysdig version 0.31.4
# sysdig | head
scap: loading out-of-tree module taints kernel.
scap: driver loading, scap
scap: adding new consumer (____ptrval____)
scap: initializing ring buffer for CPU 0
scap: CPU buffer initialized, size=8388608
26 15:12:28.226519423 0 sysdig (108) > switch next=0 pgft_maj=10 pgft_min=1348 vm_size=47288 vm_rss=19408 vm_swap=0
27 15:12:28.227409149 0 <NA> (0) > switch next=13 pgft_maj=0 pgft_min=0 vm_size=0 vm_rss=0 vm_swap=0
...

Nonetheless, I had to increase the minimal size of the image as libsinsp.a is
quite big:
# du -sh /sysdig/libsinsp.a
152.7M  /sysdig/libsinsp.a
I am not forcefully sure where this library is used, I will investigate and
maybe we can run everything without it.

Secondly, I had to tweak heavily the libscap CMakeLists.txt to install several
shared libraries.
Indeed, the libraries are compiled as static, but the sysdig binary is not
static, so it needs plenty of shared libraries to be run from the image.
I am not really sure what is the best solution here (either compiling sysdig as
static or not), but in any case my patch for CMakeLists.txt is not really clean.

Finally, I had to modify the magical number in falcosecurity-libs.mk for
API_VERSION and SCHEMA_VERSION.
While this is not really a big pain, I am wondering if this is not possible to
read the corresponding values from the corresponding files (i.e. API_VERSION and
SCHEMA_VERSION).
So, for future update we would not need to take care of it ourselves.

Francis Laniel (2):
  package/sysdig: bump to version 0.31.4
  package/falcosecurity-libs: bump to version 0.10.5

 .../0002-cmake-Install-shared-libraries.patch | 61 +++++++++++++++++++
 .../falcosecurity-libs.hash                   |  2 +-
 .../falcosecurity-libs/falcosecurity-libs.mk  | 12 ++--
 ...BUNDLED_DEPS-before-getting-nlohmann.patch | 52 ----------------
 package/sysdig/sysdig.hash                    |  2 +-
 package/sysdig/sysdig.mk                      |  8 ++-
 6 files changed, 77 insertions(+), 60 deletions(-)
 create mode 100644 package/falcosecurity-libs/0002-cmake-Install-shared-libraries.patch
 delete mode 100644 package/sysdig/0001-cmake-Check-USE_BUNDLED_DEPS-before-getting-nlohmann.patch


Best regards and thank you in advance for your advises.
--
2.34.1

_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

[Buildroot] [RFC PATCH v1 1/2] package/sysdig: bump to version 0.31.4

[Francis Laniel]

- Remove upstream patch as it is no more needed.

Signed-off-by: Francis Laniel <flaniel@linux.microsoft.com>
---
 ...BUNDLED_DEPS-before-getting-nlohmann.patch | 52 -------------------
 package/sysdig/sysdig.hash                    |  2 +-
 package/sysdig/sysdig.mk                      |  8 ++-
 3 files changed, 8 insertions(+), 54 deletions(-)
 delete mode 100644 package/sysdig/0001-cmake-Check-USE_BUNDLED_DEPS-before-getting-nlohmann.patch

diff --git a/package/sysdig/0001-cmake-Check-USE_BUNDLED_DEPS-before-getting-nlohmann.patch b/package/sysdig/0001-cmake-Check-USE_BUNDLED_DEPS-before-getting-nlohmann.patch
deleted file mode 100644
index 3521bd3f8d..0000000000
--- a/package/sysdig/0001-cmake-Check-USE_BUNDLED_DEPS-before-getting-nlohmann.patch
+++ /dev/null
@@ -1,52 +0,0 @@
-From 0dbebd008c04d266dc41c4bec8280a0744fd5130 Mon Sep 17 00:00:00 2001
-From: Francis Laniel <flaniel@linux.microsoft.com>
-Date: Wed, 13 Apr 2022 18:01:11 +0100
-Subject: [PATCH] cmake: Check USE_BUNDLED_DEPS before getting
- nlohmann-json.
-
-Upstream: https://github.com/draios/sysdig/pull/1869
-Signed-off-by: Francis Laniel <flaniel@linux.microsoft.com>
----
- cmake/modules/nlohmann-json.cmake | 29 +++++++++++++++++++----------
- 1 file changed, 19 insertions(+), 10 deletions(-)
-
-diff --git a/cmake/modules/nlohmann-json.cmake b/cmake/modules/nlohmann-json.cmake
-index bb1279d7..feb0f071 100644
---- a/cmake/modules/nlohmann-json.cmake
-+++ b/cmake/modules/nlohmann-json.cmake
-@@ -16,13 +16,22 @@
- # limitations under the License.
- #
- 
--set(NJSON_SRC "${PROJECT_BINARY_DIR}/njson-prefix/src/njson")
--message(STATUS "Using bundled nlohmann-json in '${NJSON_SRC}'")
--set(NJSON_INCLUDE_DIR "${NJSON_SRC}/single_include")
--ExternalProject_Add(
--  njson
--  URL "https://github.com/nlohmann/json/archive/v3.3.0.tar.gz"
--  URL_HASH "SHA256=2fd1d207b4669a7843296c41d3b6ac5b23d00dec48dba507ba051d14564aa801"
--  CONFIGURE_COMMAND ""
--  BUILD_COMMAND ""
--  INSTALL_COMMAND "")
-+if(NOT USE_BUNDLED_DEPS)
-+  find_path(NJSON_INCLUDE_DIR NAMES nlohmann/json.hpp)
-+  if(NJSON_INCLUDE_DIR)
-+    message(STATUS "Found njson: include: ${NJSON_INCLUDE_DIR}")
-+  else()
-+    message(FATAL_ERROR "Couldn't find system njson")
-+  endif()
-+else()
-+  set(NJSON_SRC "${PROJECT_BINARY_DIR}/njson-prefix/src/njson")
-+  message(STATUS "Using bundled nlohmann-json in '${NJSON_SRC}'")
-+  set(NJSON_INCLUDE_DIR "${NJSON_SRC}/single_include")
-+  ExternalProject_Add(
-+    njson
-+    URL "https://github.com/nlohmann/json/archive/v3.3.0.tar.gz"
-+    URL_HASH "SHA256=2fd1d207b4669a7843296c41d3b6ac5b23d00dec48dba507ba051d14564aa801"
-+    CONFIGURE_COMMAND ""
-+    BUILD_COMMAND ""
-+    INSTALL_COMMAND "")
-+endif()
--- 
-2.25.1
-
diff --git a/package/sysdig/sysdig.hash b/package/sysdig/sysdig.hash
index cda3de5e7c..902f6f2b82 100644
--- a/package/sysdig/sysdig.hash
+++ b/package/sysdig/sysdig.hash
@@ -1,3 +1,3 @@
 # sha256 locally computed
-sha256  6b96797859002ab69a2bed4fdba1c7fe8064ecf8661621ae7d8fbf8599ffa636  sysdig-0.29.3.tar.gz
+sha256  b8f43326506f85e99a3455f51b75ee79bf4db9dc12908ef43af672166274a795  sysdig-0.31.4.tar.gz
 sha256  a88fbf820b38b1c7fabc6efe291b8259e02ae21326f56fe31c6c9adf374b2702  COPYING
diff --git a/package/sysdig/sysdig.mk b/package/sysdig/sysdig.mk
index bafe534a16..aabd274557 100644
--- a/package/sysdig/sysdig.mk
+++ b/package/sysdig/sysdig.mk
@@ -4,7 +4,7 @@
 #
 ################################################################################
 
-SYSDIG_VERSION = 0.29.3
+SYSDIG_VERSION = 0.31.4
 SYSDIG_SITE = $(call github,draios,sysdig,$(SYSDIG_VERSION))
 SYSDIG_LICENSE = Apache-2.0
 SYSDIG_LICENSE_FILES = COPYING
@@ -26,11 +26,17 @@ SYSDIG_DEPENDENCIES = \
 # grpc_cpp_plugin is needed to build falcosecurity libs, so we give the host
 # one there.
 SYSDIG_CONF_OPTS += -DFALCOSECURITY_LIBS_SOURCE_DIR=$(FALCOSECURITY_LIBS_SRCDIR) \
+	-DDRIVER_SOURCE_DIR=$(FALCOSECURITY_LIBS_SRCDIR)/driver \
 	-DBUILD_DRIVER=OFF \
 	-DGRPC_CPP_PLUGIN=$(HOST_DIR)/bin/grpc_cpp_plugin \
 	-DDRIVER_NAME=$(FALCOSECURITY_LIBS_DRIVER_NAME) \
 	-DENABLE_DKMS=OFF \
 	-DUSE_BUNDLED_DEPS=OFF \
+	-DUSE_BUNDLED_TBB=OFF \
+	-DUSE_BUNDLED_B64=OFF \
+	-DUSE_BUNDLED_JSONCPP=OFF \
+	-DUSE_BUNDLED_VALIJSON=OFF \
+	-DUSE_BUNDLED_RE2=OFF \
 	-DWITH_CHISEL=ON \
 	-DVALIJSON_INCLUDE=$(BUILD_DIR)/valijson-0.6/include/valijson \
 	-DSYSDIG_VERSION=$(SYSDIG_VERSION)
-- 
2.34.1

_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

[Buildroot] [RFC PATCH v1 2/2] package/falcosecurity-libs: bump to version 0.10.5

[Francis Laniel]

Signed-off-by: Francis Laniel <flaniel@linux.microsoft.com>
---
 .../0002-cmake-Install-shared-libraries.patch | 61 +++++++++++++++++++
 .../falcosecurity-libs.hash                   |  2 +-
 .../falcosecurity-libs/falcosecurity-libs.mk  | 12 ++--
 3 files changed, 69 insertions(+), 6 deletions(-)
 create mode 100644 package/falcosecurity-libs/0002-cmake-Install-shared-libraries.patch

diff --git a/package/falcosecurity-libs/0002-cmake-Install-shared-libraries.patch b/package/falcosecurity-libs/0002-cmake-Install-shared-libraries.patch
new file mode 100644
index 0000000000..38a8bdd4f4
--- /dev/null
+++ b/package/falcosecurity-libs/0002-cmake-Install-shared-libraries.patch
@@ -0,0 +1,61 @@
+From b6d847fe8aa0513c6d19bd8187133699b9c4efd3 Mon Sep 17 00:00:00 2001
+From: Francis Laniel <flaniel@linux.microsoft.com>
+Date: Fri, 28 Apr 2023 15:14:27 +0100
+Subject: [PATCH] cmake: Install shared libraries.
+
+This is needed as sysdig is compiled as a non static binary which relies on
+these libraries.
+
+Signed-off-by: Francis Laniel <flaniel@linux.microsoft.com>
+---
+ cmake/modules/libelf.cmake       |  2 +-
+ userspace/libscap/CMakeLists.txt | 16 +++++++++++++++-
+ 2 files changed, 16 insertions(+), 2 deletions(-)
+
+diff --git a/cmake/modules/libelf.cmake b/cmake/modules/libelf.cmake
+index 8ca2f4f7..73d13d26 100644
+--- a/cmake/modules/libelf.cmake
++++ b/cmake/modules/libelf.cmake
+@@ -10,7 +10,7 @@ if(LIBELF_INCLUDE)
+     add_custom_target(libelf)
+ elseif(NOT USE_BUNDLED_LIBELF)
+     find_path(LIBELF_INCLUDE elf.h PATH_SUFFIXES elf)
+-    find_library(LIBELF_LIB NAMES libelf.a libelf.so)
++    find_library(LIBELF_LIB NAMES libelf.so)
+     if(LIBELF_LIB)
+         message(STATUS "Found LIBELF: include: ${LIBELF_INCLUDE}, lib: ${LIBELF_LIB}")
+     else()
+diff --git a/userspace/libscap/CMakeLists.txt b/userspace/libscap/CMakeLists.txt
+index ae4760df..59378fea 100644
+--- a/userspace/libscap/CMakeLists.txt
++++ b/userspace/libscap/CMakeLists.txt
+@@ -70,7 +70,7 @@ endif()
+ 
+ include_directories(${CMAKE_CURRENT_SOURCE_DIR})
+ 
+-add_library(scap STATIC
++add_library(scap SHARED
+ 	${targetfiles})
+ 
+ if (CMAKE_SYSTEM_NAME MATCHES "SunOS")
+@@ -212,3 +212,17 @@ if(CMAKE_SYSTEM_PROCESSOR STREQUAL "x86_64" AND CMAKE_SYSTEM_NAME MATCHES "Linux
+ 		target_link_libraries(scap scap_engine_gvisor)
+ 	endif()
+ endif()
++
++install(TARGETS scap)
++install(TARGETS scap_engine_udig)
++install(TARGETS scap_engine_savefile)
++install(TARGETS scap_engine_bpf)
++install(TARGETS scap_engine_noop)
++install(TARGETS scap_engine_source_plugin)
++install(TARGETS scap_engine_kmod)
++install(TARGETS scap_engine_nodriver)
++install(TARGETS scap_event_schema)
++install(TARGETS scap_platform)
++install(TARGETS scap_engine_util)
++install(TARGETS scap_error)
++install(TARGETS driver_event_schema)
+-- 
+2.34.1
+
diff --git a/package/falcosecurity-libs/falcosecurity-libs.hash b/package/falcosecurity-libs/falcosecurity-libs.hash
index 2e239ca2fe..ef805cbcf6 100644
--- a/package/falcosecurity-libs/falcosecurity-libs.hash
+++ b/package/falcosecurity-libs/falcosecurity-libs.hash
@@ -1,5 +1,5 @@
 # sha256 locally computed
-sha256  80903bc57b7f9c5f24298ecf1531cf66ef571681b4bd1e05f6e4db704ffb380b  falcosecurity-libs-e5c53d648f3c4694385bbe488e7d47eaa36c229a.tar.gz
+sha256  2a4b37c08bec4ba81326314831f341385aff267062e8d4483437958689662936  falcosecurity-libs-0.10.5.tar.gz
 sha256  21ec9433a87459b3477faf542bacec419dc03af841309eac35edeffe481cf10b  COPYING
 sha256  8177f97513213526df2cf6184d8ff986c675afb514d4e68a404010521b880643  driver/GPL2.txt
 sha256  f17d3f2c2d565a74a7d5bf96f880c43701e141897e8dff0c8aa13e5d07aaf226  driver/MIT.txt
diff --git a/package/falcosecurity-libs/falcosecurity-libs.mk b/package/falcosecurity-libs/falcosecurity-libs.mk
index 92d5c61832..acd46cf7a5 100644
--- a/package/falcosecurity-libs/falcosecurity-libs.mk
+++ b/package/falcosecurity-libs/falcosecurity-libs.mk
@@ -4,7 +4,7 @@
 #
 ################################################################################
 
-FALCOSECURITY_LIBS_VERSION = e5c53d648f3c4694385bbe488e7d47eaa36c229a
+FALCOSECURITY_LIBS_VERSION = 0.10.5
 FALCOSECURITY_LIBS_SITE = $(call github,falcosecurity,libs,$(FALCOSECURITY_LIBS_VERSION))
 FALCOSECURITY_LIBS_LICENSE = Apache-2.0 (userspace), MIT or GPL-2.0 (driver)
 FALCOSECURITY_LIBS_LICENSE_FILES = COPYING driver/MIT.txt driver/GPL2.txt
@@ -57,17 +57,19 @@ endef
 # For the others, it was taken by inspecting
 # falcosecurity-libs/*/CMakeLists.txt, which normally creates these
 # files, but doesn't work well with the kernel-module infrastructure.
+# The magical number for API_VERSION and SCHEMA_VERSION are taken from
+# corresponding files.
 define FALCOSECURITY_LIBS_MODULE_GEN_MAKEFILE
 	$(INSTALL) -m 0644 $(@D)/driver/Makefile.in $(@D)/driver/Makefile
 	$(SED) 's/@KBUILD_FLAGS@//;' $(@D)/driver/Makefile
 	$(SED) 's/@DRIVER_NAME@/$(FALCOSECURITY_LIBS_DRIVER_NAME)/;' $(@D)/driver/Makefile
 
 	$(INSTALL) -m 0644 $(@D)/driver/driver_config.h.in $(@D)/driver/driver_config.h
-	$(SED) 's/\$${PPM_API_CURRENT_VERSION_MAJOR}/1/;' $(@D)/driver/driver_config.h
+	$(SED) 's/\$${PPM_API_CURRENT_VERSION_MAJOR}/3/;' $(@D)/driver/driver_config.h
 	$(SED) 's/\$${PPM_API_CURRENT_VERSION_MINOR}/0/;' $(@D)/driver/driver_config.h
-	$(SED) 's/\$${PPM_API_CURRENT_VERSION_PATCH}/0/;' $(@D)/driver/driver_config.h
-	$(SED) 's/\$${PPM_SCHEMA_CURRENT_VERSION_MAJOR}/1/;' $(@D)/driver/driver_config.h
-	$(SED) 's/\$${PPM_SCHEMA_CURRENT_VERSION_MINOR}/0/;' $(@D)/driver/driver_config.h
+	$(SED) 's/\$${PPM_API_CURRENT_VERSION_PATCH}/1/;' $(@D)/driver/driver_config.h
+	$(SED) 's/\$${PPM_SCHEMA_CURRENT_VERSION_MAJOR}/2/;' $(@D)/driver/driver_config.h
+	$(SED) 's/\$${PPM_SCHEMA_CURRENT_VERSION_MINOR}/2/;' $(@D)/driver/driver_config.h
 	$(SED) 's/\$${PPM_SCHEMA_CURRENT_VERSION_PATCH}/0/;' $(@D)/driver/driver_config.h
 	$(SED) 's/\$${DRIVER_VERSION}//;' $(@D)/driver/driver_config.h
 	$(SED) 's/\$${DRIVER_NAME}/$(FALCOSECURITY_LIBS_DRIVER_NAME)/;' $(@D)/driver/driver_config.h
-- 
2.34.1

_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

Re: [Buildroot] [RFC PATCH v1 0/2] Bump sysdig and falco libs

[Francis Laniel]

Hi.

Le vendredi 28 avril 2023, 17:22:09 CEST Francis Laniel a écrit :
> Hi.
> 
> 
> With this contribution, I bumped sysdig and falcosecurity-libs.
> Sadly, I am not fully satisfied with the result, hence the fact I marked it
> as RFC because I would like to get your feedback to make it better.
> 
> First of all, sysdig builds and runs:
> Welcome to Buildroot
> buildroot login: root
> # sysdig --version
> sysdig version 0.31.4
> # sysdig | head
> scap: loading out-of-tree module taints kernel.
> scap: driver loading, scap
> scap: adding new consumer (____ptrval____)
> scap: initializing ring buffer for CPU 0
> scap: CPU buffer initialized, size=8388608
> 26 15:12:28.226519423 0 sysdig (108) > switch next=0 pgft_maj=10
> pgft_min=1348 vm_size=47288 vm_rss=19408 vm_swap=0 27 15:12:28.227409149 0
> <NA> (0) > switch next=13 pgft_maj=0 pgft_min=0 vm_size=0 vm_rss=0
> vm_swap=0 ...
> 
> Nonetheless, I had to increase the minimal size of the image as libsinsp.a
> is quite big:
> # du -sh /sysdig/libsinsp.a
> 152.7M  /sysdig/libsinsp.a
> I am not forcefully sure where this library is used, I will investigate and
> maybe we can run everything without it.
> 
> Secondly, I had to tweak heavily the libscap CMakeLists.txt to install
> several shared libraries.
> Indeed, the libraries are compiled as static, but the sysdig binary is not
> static, so it needs plenty of shared libraries to be run from the image.
> I am not really sure what is the best solution here (either compiling sysdig
> as static or not), but in any case my patch for CMakeLists.txt is not
> really clean.
> 
> Finally, I had to modify the magical number in falcosecurity-libs.mk for
> API_VERSION and SCHEMA_VERSION.
> While this is not really a big pain, I am wondering if this is not possible
> to read the corresponding values from the corresponding files (i.e.
> API_VERSION and SCHEMA_VERSION).
> So, for future update we would not need to take care of it ourselves.
> 
> Francis Laniel (2):
>   package/sysdig: bump to version 0.31.4
>   package/falcosecurity-libs: bump to version 0.10.5
> 
>  .../0002-cmake-Install-shared-libraries.patch | 61 +++++++++++++++++++
>  .../falcosecurity-libs.hash                   |  2 +-
>  .../falcosecurity-libs/falcosecurity-libs.mk  | 12 ++--
>  ...BUNDLED_DEPS-before-getting-nlohmann.patch | 52 ----------------
>  package/sysdig/sysdig.hash                    |  2 +-
>  package/sysdig/sysdig.mk                      |  8 ++-
>  6 files changed, 77 insertions(+), 60 deletions(-)
>  create mode 100644
> package/falcosecurity-libs/0002-cmake-Install-shared-libraries.patch delete
> mode 100644
> package/sysdig/0001-cmake-Check-USE_BUNDLED_DEPS-before-getting-nlohmann.pa
> tch
> 
> 
> Best regards and thank you in advance for your advises.
> --
> 2.34.1


Can someone please share some feedback on this contribution?


Best regards and thank you in advance.


_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

Re: [Buildroot] [RFC PATCH v1 1/2] package/sysdig: bump to version 0.31.4

[Thomas Petazzoni via buildroot]

Hello Francis (and perhaps Angelo who can help?),

On Fri, 28 Apr 2023 16:22:10 +0100
Francis Laniel <flaniel@linux.microsoft.com> wrote:

> - Remove upstream patch as it is no more needed.

Actually I had to remove it from current master, because sysdig was
bumped to 0.29.3 already, which includes the patch... and so the patch
in Buildroot doesn't apply anymore.

I tested your version bump, and it fails to build with:

CMake Error at /home/thomas/projets/buildroot/output/build/falcosecurity-libs-e5c53d648f3c4694385bbe488e7d47eaa36c229a/userspace/libscap/CMakeLists.txt:131 (add_subdirectory):
  The binary directory

    /home/thomas/projets/buildroot/output/build/sysdig-0.31.4/buildroot-build/driver

  is already used to build a source directory.  It cannot be used to build
  source directory

    /home/thomas/projets/buildroot/output/build/falcosecurity-libs-e5c53d648f3c4694385bbe488e7d47eaa36c229a/driver

  Specify a unique binary directory name.

during the configuration step of sysdig.

Configuration tested:

BR2_arm=y
BR2_cortex_a9=y
BR2_ARM_ENABLE_VFP=y
BR2_TOOLCHAIN_EXTERNAL=y
BR2_TOOLCHAIN_EXTERNAL_BOOTLIN=y
BR2_INIT_NONE=y
BR2_SYSTEM_BIN_SH_NONE=y
BR2_LINUX_KERNEL=y
BR2_LINUX_KERNEL_CUSTOM_VERSION=y
BR2_LINUX_KERNEL_CUSTOM_VERSION_VALUE="6.1"
BR2_LINUX_KERNEL_DEFCONFIG="vexpress"
# BR2_PACKAGE_BUSYBOX is not set
BR2_PACKAGE_SYSDIG=y
BR2_PACKAGE_LUA=y
BR2_PACKAGE_LUA_5_1=y
# BR2_TARGET_ROOTFS_TAR is not set

it would be good to have a runtime test for sysdig in support/testing/,
as it's not trivial to build, and the autobuilders never caught the
patching issue.

>  SYSDIG_CONF_OPTS += -DFALCOSECURITY_LIBS_SOURCE_DIR=$(FALCOSECURITY_LIBS_SRCDIR) \
> +	-DDRIVER_SOURCE_DIR=$(FALCOSECURITY_LIBS_SRCDIR)/driver \

So apparently something goes wrong with this. Perhaps because
falcosecurity-libs needs to be bumped first?

>  	-DVALIJSON_INCLUDE=$(BUILD_DIR)/valijson-0.6/include/valijson \

One thing that is a bit annoying with the packaging here is the fact
that sysdig needs to look into the source directory of
falcosecurity-libs and the source tree of valijson. Packages should
normally not need to access the source/build tree of other packages.
Not a strict requirement for this version bump, but would be good to
address on the long run.

By the way
-DVALIJSON_INCLUDE=$(BUILD_DIR)/valijson-0.6/include/valijson is truly
horrible, because if valijson gets updated to another version... like
it has:

VALIJSON_VERSION = 0.7

then this doesn't work anymore.

It needs to be VALIJSON_SRCDIR.

Curious that we can build sysdig today (I verified, it builds) with
this mistake. Probably means this option is irrelevant.

Could you have a look at all those issues?

Thanks!

Thomas
-- 
Thomas Petazzoni, co-owner and CEO, Bootlin
Embedded Linux and Kernel engineering and training
https://bootlin.com
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

Re: [Buildroot] [RFC PATCH v1 1/2] package/sysdig: bump to version 0.31.4

[Thomas Petazzoni via buildroot]

On Mon, 31 Jul 2023 22:18:43 +0200
Thomas Petazzoni <thomas.petazzoni@bootlin.com> wrote:

> By the way
> -DVALIJSON_INCLUDE=$(BUILD_DIR)/valijson-0.6/include/valijson is truly
> horrible, because if valijson gets updated to another version... like
> it has:
> 
> VALIJSON_VERSION = 0.7
> 
> then this doesn't work anymore.
> 
> It needs to be VALIJSON_SRCDIR.
> 
> Curious that we can build sysdig today (I verified, it builds) with
> this mistake. Probably means this option is irrelevant.

(1) There is no build dependency on valijson, so I don't see how it
    could be relevant anyway.

(2) There is no reference to VALIJSON_INCLUDE anywhere in the code
    base, as far as I can see

This really needs to be cleaned up. Very soon.

Thomas
-- 
Thomas Petazzoni, co-owner and CEO, Bootlin
Embedded Linux and Kernel engineering and training
https://bootlin.com
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

Re: [Buildroot] [RFC PATCH v1 2/2] package/falcosecurity-libs: bump to version 0.10.5

[Thomas Petazzoni via buildroot]

Hello Francis,

On Fri, 28 Apr 2023 16:22:11 +0100
Francis Laniel <flaniel@linux.microsoft.com> wrote:

> diff --git a/package/falcosecurity-libs/0002-cmake-Install-shared-libraries.patch b/package/falcosecurity-libs/0002-cmake-Install-shared-libraries.patch
> new file mode 100644
> index 0000000000..38a8bdd4f4
> --- /dev/null
> +++ b/package/falcosecurity-libs/0002-cmake-Install-shared-libraries.patch
> @@ -0,0 +1,61 @@
> +From b6d847fe8aa0513c6d19bd8187133699b9c4efd3 Mon Sep 17 00:00:00 2001
> +From: Francis Laniel <flaniel@linux.microsoft.com>
> +Date: Fri, 28 Apr 2023 15:14:27 +0100
> +Subject: [PATCH] cmake: Install shared libraries.
> +
> +This is needed as sysdig is compiled as a non static binary which relies on
> +these libraries.

Not clear. An executable can use a mix of shared and static libraries.

What is the upstream status of this? How is falcosecurity-libs supposed
to be used by sysdig according to upstream?

All patches now need to have an "Upstream: <link>" tag that indicates
where the patch has been submitted.

> +diff --git a/cmake/modules/libelf.cmake b/cmake/modules/libelf.cmake
> +index 8ca2f4f7..73d13d26 100644
> +--- a/cmake/modules/libelf.cmake
> ++++ b/cmake/modules/libelf.cmake
> +@@ -10,7 +10,7 @@ if(LIBELF_INCLUDE)
> +     add_custom_target(libelf)
> + elseif(NOT USE_BUNDLED_LIBELF)
> +     find_path(LIBELF_INCLUDE elf.h PATH_SUFFIXES elf)
> +-    find_library(LIBELF_LIB NAMES libelf.a libelf.so)
> ++    find_library(LIBELF_LIB NAMES libelf.so)

Is this really related?

> diff --git a/package/falcosecurity-libs/falcosecurity-libs.hash b/package/falcosecurity-libs/falcosecurity-libs.hash
> index 2e239ca2fe..ef805cbcf6 100644
> --- a/package/falcosecurity-libs/falcosecurity-libs.hash
> +++ b/package/falcosecurity-libs/falcosecurity-libs.hash
> @@ -1,5 +1,5 @@
>  # sha256 locally computed
> -sha256  80903bc57b7f9c5f24298ecf1531cf66ef571681b4bd1e05f6e4db704ffb380b  falcosecurity-libs-e5c53d648f3c4694385bbe488e7d47eaa36c229a.tar.gz
> +sha256  2a4b37c08bec4ba81326314831f341385aff267062e8d4483437958689662936  falcosecurity-libs-0.10.5.tar.gz
>  sha256  21ec9433a87459b3477faf542bacec419dc03af841309eac35edeffe481cf10b  COPYING
>  sha256  8177f97513213526df2cf6184d8ff986c675afb514d4e68a404010521b880643  driver/GPL2.txt
>  sha256  f17d3f2c2d565a74a7d5bf96f880c43701e141897e8dff0c8aa13e5d07aaf226  driver/MIT.txt
> diff --git a/package/falcosecurity-libs/falcosecurity-libs.mk b/package/falcosecurity-libs/falcosecurity-libs.mk
> index 92d5c61832..acd46cf7a5 100644
> --- a/package/falcosecurity-libs/falcosecurity-libs.mk
> +++ b/package/falcosecurity-libs/falcosecurity-libs.mk
> @@ -4,7 +4,7 @@
>  #
>  ################################################################################
>  
> -FALCOSECURITY_LIBS_VERSION = e5c53d648f3c4694385bbe488e7d47eaa36c229a
> +FALCOSECURITY_LIBS_VERSION = 0.10.5
>  FALCOSECURITY_LIBS_SITE = $(call github,falcosecurity,libs,$(FALCOSECURITY_LIBS_VERSION))
>  FALCOSECURITY_LIBS_LICENSE = Apache-2.0 (userspace), MIT or GPL-2.0 (driver)
>  FALCOSECURITY_LIBS_LICENSE_FILES = COPYING driver/MIT.txt driver/GPL2.txt
> @@ -57,17 +57,19 @@ endef
>  # For the others, it was taken by inspecting
>  # falcosecurity-libs/*/CMakeLists.txt, which normally creates these
>  # files, but doesn't work well with the kernel-module infrastructure.
> +# The magical number for API_VERSION and SCHEMA_VERSION are taken from
> +# corresponding files.

Which corresponding files? :-)

Thomas
-- 
Thomas Petazzoni, co-owner and CEO, Bootlin
Embedded Linux and Kernel engineering and training
https://bootlin.com
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

Re: [Buildroot] [RFC PATCH v1 1/2] package/sysdig: bump to version 0.31.4

[Francis Laniel]

Hi.

Le lundi 31 juillet 2023, 22:18:43 CEST Thomas Petazzoni a écrit :
> Hello Francis (and perhaps Angelo who can help?),
> 
> On Fri, 28 Apr 2023 16:22:10 +0100
> 
> Francis Laniel <flaniel@linux.microsoft.com> wrote:
> > - Remove upstream patch as it is no more needed.
> 
> Actually I had to remove it from current master, because sysdig was
> bumped to 0.29.3 already, which includes the patch... and so the patch
> in Buildroot doesn't apply anymore.
> 
> I tested your version bump, and it fails to build with:
> 
> CMake Error at
> /home/thomas/projets/buildroot/output/build/falcosecurity-libs-e5c53d648f3c
> 4694385bbe488e7d47eaa36c229a/userspace/libscap/CMakeLists.txt:131
> (add_subdirectory): The binary directory
> 
>    
> /home/thomas/projets/buildroot/output/build/sysdig-0.31.4/buildroot-build/d
> river
> 
>   is already used to build a source directory.  It cannot be used to build
>   source directory
> 
>    
> /home/thomas/projets/buildroot/output/build/falcosecurity-libs-e5c53d648f3c
> 4694385bbe488e7d47eaa36c229a/driver
> 
>   Specify a unique binary directory name.
> 
> during the configuration step of sysdig.
> 
> Configuration tested:
> 
> BR2_arm=y
> BR2_cortex_a9=y
> BR2_ARM_ENABLE_VFP=y
> BR2_TOOLCHAIN_EXTERNAL=y
> BR2_TOOLCHAIN_EXTERNAL_BOOTLIN=y
> BR2_INIT_NONE=y
> BR2_SYSTEM_BIN_SH_NONE=y
> BR2_LINUX_KERNEL=y
> BR2_LINUX_KERNEL_CUSTOM_VERSION=y
> BR2_LINUX_KERNEL_CUSTOM_VERSION_VALUE="6.1"
> BR2_LINUX_KERNEL_DEFCONFIG="vexpress"
> # BR2_PACKAGE_BUSYBOX is not set
> BR2_PACKAGE_SYSDIG=y
> BR2_PACKAGE_LUA=y
> BR2_PACKAGE_LUA_5_1=y
> # BR2_TARGET_ROOTFS_TAR is not set

> it would be good to have a runtime test for sysdig in support/testing/,
> as it's not trivial to build, and the autobuilders never caught the
> patching issue.

Good idea! I will check how I can do that!

> >  SYSDIG_CONF_OPTS +=
> >  -DFALCOSECURITY_LIBS_SOURCE_DIR=$(FALCOSECURITY_LIBS_SRCDIR) \> 
> > +	-DDRIVER_SOURCE_DIR=$(FALCOSECURITY_LIBS_SRCDIR)/driver \
> 
> So apparently something goes wrong with this. Perhaps because
> falcosecurity-libs needs to be bumped first?

As you advised, bumping first the libs then the binary removed the above 
problem, thank you!
Regarding this, I am wondering if I should bump both of them in the same 
commit, as they are tightly coupled. What do you think?

Note that, I had to make linux-menuconfig to add CONFIG_IPV6, to avoid some 
compile errors due to some missing IPv6 related fields while compiling the 
kernel module which is parts of the libs.

> >  	-DVALIJSON_INCLUDE=$(BUILD_DIR)/valijson-0.6/include/valijson \
> 
> One thing that is a bit annoying with the packaging here is the fact
> that sysdig needs to look into the source directory of
> falcosecurity-libs and the source tree of valijson. Packages should
> normally not need to access the source/build tree of other packages.
> Not a strict requirement for this version bump, but would be good to
> address on the long run.
> 
> By the way
> -DVALIJSON_INCLUDE=$(BUILD_DIR)/valijson-0.6/include/valijson is truly
> horrible, because if valijson gets updated to another version... like
> it has:
> 
> VALIJSON_VERSION = 0.7
> 
> then this doesn't work anymore.
> 
> It needs to be VALIJSON_SRCDIR.
> 
> Curious that we can build sysdig today (I verified, it builds) with
> this mistake. Probably means this option is irrelevant.
> 
> Could you have a look at all those issues?

I removed everything about VALIJSON and it builds fine.
Glad making it simpler permits to build it!

> Thanks!
> 
> Thomas




_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

Re: [Buildroot] [RFC PATCH v1 2/2] package/falcosecurity-libs: bump to version 0.10.5

[Francis Laniel]

Hi.

Le lundi 31 juillet 2023, 22:49:56 CEST Thomas Petazzoni a écrit :
> Hello Francis,
> 
> On Fri, 28 Apr 2023 16:22:11 +0100
> 
> Francis Laniel <flaniel@linux.microsoft.com> wrote:
> > diff --git
> > a/package/falcosecurity-libs/0002-cmake-Install-shared-libraries.patch
> > b/package/falcosecurity-libs/0002-cmake-Install-shared-libraries.patch
> > new file mode 100644
> > index 0000000000..38a8bdd4f4
> > --- /dev/null
> > +++ b/package/falcosecurity-libs/0002-cmake-Install-shared-libraries.patch
> > @@ -0,0 +1,61 @@
> > +From b6d847fe8aa0513c6d19bd8187133699b9c4efd3 Mon Sep 17 00:00:00 2001
> > +From: Francis Laniel <flaniel@linux.microsoft.com>
> > +Date: Fri, 28 Apr 2023 15:14:27 +0100
> > +Subject: [PATCH] cmake: Install shared libraries.
> > +
> > +This is needed as sysdig is compiled as a non static binary which relies
> > on +these libraries.
> 
> Not clear. An executable can use a mix of shared and static libraries.

Indeed, but it causes troubles without this modification (see below).
Moreover, this whole magic causes a big increase in the rootfs image, as the 
limit should be increased from 60 MB to 195 MB (more than 3 times).

> What is the upstream status of this? How is falcosecurity-libs supposed
> to be used by sysdig according to upstream?

Sadly, I do not have any clue on this.
I will reach someone upstream to understand how everything is built because 
their way of building is totally incompatible with how Buildroot builds.

> All patches now need to have an "Upstream: <link>" tag that indicates
> where the patch has been submitted.

I will ensure this once I would have deal with all the issues here.

> > +diff --git a/cmake/modules/libelf.cmake b/cmake/modules/libelf.cmake
> > +index 8ca2f4f7..73d13d26 100644
> > +--- a/cmake/modules/libelf.cmake
> > ++++ b/cmake/modules/libelf.cmake
> > +@@ -10,7 +10,7 @@ if(LIBELF_INCLUDE)
> > +     add_custom_target(libelf)
> > + elseif(NOT USE_BUNDLED_LIBELF)
> > +     find_path(LIBELF_INCLUDE elf.h PATH_SUFFIXES elf)
> > +-    find_library(LIBELF_LIB NAMES libelf.a libelf.so)
> > ++    find_library(LIBELF_LIB NAMES libelf.so)
> 
> Is this really related?

We need this patch, otherwise, building sysdig fails with the following:
[ 22%] Linking C shared library libscap_engine_bpf.so
/home/francis-buildroot/buildroot/output/host/lib/gcc/x86_64-buildroot-linux-
gnu/12.3.0/../../../../x86_64-buildroot-linux-gnu/bin/ld: /home/francis-
buildroot/buildroot/output/host/x86_64-buildroot-linux-gnu/sysroot/usr/lib/../
lib64/libelf.a(elf_error.o): relocation R_X86_64_TPOFF32 against 
`global_error' can not be used when making a shared object; recompile with -
fPIC
/home/francis-buildroot/buildroot/output/host/lib/gcc/x86_64-buildroot-linux-
gnu/12.3.0/../../../../x86_64-buildroot-linux-gnu/bin/ld: failed to set 
dynamic section sizes: bad value

> > diff --git a/package/falcosecurity-libs/falcosecurity-libs.hash
> > b/package/falcosecurity-libs/falcosecurity-libs.hash index
> > 2e239ca2fe..ef805cbcf6 100644
> > --- a/package/falcosecurity-libs/falcosecurity-libs.hash
> > +++ b/package/falcosecurity-libs/falcosecurity-libs.hash
> > @@ -1,5 +1,5 @@
> > 
> >  # sha256 locally computed
> > 
> > -sha256  80903bc57b7f9c5f24298ecf1531cf66ef571681b4bd1e05f6e4db704ffb380b 
> > falcosecurity-libs-e5c53d648f3c4694385bbe488e7d47eaa36c229a.tar.gz
> > +sha256  2a4b37c08bec4ba81326314831f341385aff267062e8d4483437958689662936
> >  falcosecurity-libs-0.10.5.tar.gz> 
> >  sha256  21ec9433a87459b3477faf542bacec419dc03af841309eac35edeffe481cf10b 
> >  COPYING sha256 
> >  8177f97513213526df2cf6184d8ff986c675afb514d4e68a404010521b880643 
> >  driver/GPL2.txt sha256 
> >  f17d3f2c2d565a74a7d5bf96f880c43701e141897e8dff0c8aa13e5d07aaf226 
> >  driver/MIT.txt> 
> > diff --git a/package/falcosecurity-libs/falcosecurity-libs.mk
> > b/package/falcosecurity-libs/falcosecurity-libs.mk index
> > 92d5c61832..acd46cf7a5 100644
> > --- a/package/falcosecurity-libs/falcosecurity-libs.mk
> > +++ b/package/falcosecurity-libs/falcosecurity-libs.mk
> > @@ -4,7 +4,7 @@
> > 
> >  #
> >  #########################################################################
> >  #######> 
> > -FALCOSECURITY_LIBS_VERSION = e5c53d648f3c4694385bbe488e7d47eaa36c229a
> > +FALCOSECURITY_LIBS_VERSION = 0.10.5
> > 
> >  FALCOSECURITY_LIBS_SITE = $(call
> >  github,falcosecurity,libs,$(FALCOSECURITY_LIBS_VERSION))
> >  FALCOSECURITY_LIBS_LICENSE = Apache-2.0 (userspace), MIT or GPL-2.0
> >  (driver) FALCOSECURITY_LIBS_LICENSE_FILES = COPYING driver/MIT.txt
> >  driver/GPL2.txt> 
> > @@ -57,17 +57,19 @@ endef
> > 
> >  # For the others, it was taken by inspecting
> >  # falcosecurity-libs/*/CMakeLists.txt, which normally creates these
> >  # files, but doesn't work well with the kernel-module infrastructure.
> > 
> > +# The magical number for API_VERSION and SCHEMA_VERSION are taken from
> > +# corresponding files.
> 
> Which corresponding files? :-)

I just removed this comment as the files were already mentioned above.

> 
> Thomas




_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot