make release: build/include libseccomp

libseccomp is LGPL, meaning if we statically link it, we have to include the source code of the library. Amend "make release" to download and build libseccomp, build runc against it, and include its sources into the release directory. The only caveat is I found no way to stop go build from using the stock (distro-provided) libseccomp.a, so the script checks that the stock libseccomp.a is not available, and aborts otherwise. While at it: - enable shellcheck for script/release.sh - remove libseccomp installation from the gha job - add dependecies needed for libseccomp build to the gha job [v2: also include libseccomp .asc file] [v3: rebase] Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-10-25 00:20:47 +08:00 · 2021-02-16 12:20:41 -08:00
parent aa6da82c4a
commit d748280aa9
3 changed files with 40 additions and 3 deletions
--- a/.github/workflows/validate.yml
+++ b/.github/workflows/validate.yml
@@ -153,7 +153,7 @@ jobs:
    - name: install deps
      run: |
        sudo apt -qq update
-        sudo apt -qq install libseccomp-dev
+        sudo apt -qq install gperf
    - name: make release
      run: make release
    - name: upload artifacts
--- a/2
+++ b/2
@@ -119,7 +119,7 @@ cfmt:
 	indent -linux -l120 -il0 -ppi2 -cp1 -T size_t -T jmp_buf $(C_SRC)

 shellcheck:
-	shellcheck tests/integration/*.bats tests/integration/*.sh tests/*.sh
+	shellcheck tests/integration/*.bats tests/integration/*.sh tests/*.sh script/release.sh
 	# TODO: add shellcheck for more sh files

 shfmt:
--- a/script/release.sh
+++ b/script/release.sh
@@ -24,9 +24,46 @@ root="$(readlink -f "$(dirname "${BASH_SOURCE[0]}")/..")"
 # This function takes an output path as an argument, where the built
 # (preferably static) binary should be placed.
 function build_project() {
+	local builddir
 	builddir="$(dirname "$1")"

-	make -C "$root" COMMIT_NO= static
+	# Due to libseccomp being LGPL we must include its sources,
+	# so download, install and build against it.
+
+	# Sanity check: check that the build won't use distro-provided
+	# libseccomp.a. If this is the case, explain and abort.
+	#
+	# Note go is not used here as it caches the build heavily,
+	# including, apparently, the results of pkg-config.
+	# shellcheck disable=SC2046
+	if read -ra flags < <(pkg-config --libs --cflags libseccomp 2>/dev/null) &&
+		cat <<EOF | gcc -static -x c -o /dev/null - "${flags[@]}"; then
+#include <seccomp.h>
+int main(void) { seccomp_version(); return 0; }
+EOF
+		set +x
+		echo >&2
+		echo "Distro-provided libseccomp static library is installed." >&2
+		echo "Unable to build a static binary against own libsecomp." >&2
+		echo "Please uninstall libseccomp-static to fix." >&2
+		exit 1
+	fi
+
+	local libseccomp_ver='2.5.1'
+	local tarball="libseccomp-${libseccomp_ver}.tar.gz"
+	local prefix
+	prefix="$(mktemp -d)"
+	wget "https://github.com/seccomp/libseccomp/releases/download/v${libseccomp_ver}/${tarball}"{,.asc}
+	tar xf "$tarball"
+	(
+		cd "libseccomp-${libseccomp_ver}"
+		./configure --prefix="$prefix" --enable-static --disable-shared
+		make install
+	)
+	mv "$tarball"{,.asc} "$builddir"
+
+	make -C "$root" PKG_CONFIG_PATH="${prefix}/lib/pkgconfig" COMMIT_NO= static
+	rm -rf "$prefix"
 	mv "$root/$project" "$1"
 }