From 1f4e37cf4bd2f73dc5257d791cc4dba294ddd156 Mon Sep 17 00:00:00 2001 From: Aleksa Sarai Date: Wed, 2 Aug 2017 23:07:36 +1000 Subject: [PATCH] *: switch to -buildmode=pie Go has supported PIC builds for a while now, and given the security benefits of using PIC binaries we should really enable them. There also appears to be some indication that non-PIC builds have been interacting oddly on ppc64le (the linker cannot load some shared libraries), and using PIC builds appears to solve this problem. Signed-off-by: Aleksa Sarai --- Dockerfile | 8 ++++---- Dockerfile.aarch64 | 6 +++--- Dockerfile.armhf | 8 ++++---- Dockerfile.e2e | 2 +- Dockerfile.ppc64le | 8 ++++---- Dockerfile.s390x | 8 ++++---- Makefile | 4 ++-- hack/dockerfile/install-binaries.sh | 10 +++++----- hack/integration-cli-on-swarm/agent/Dockerfile | 2 +- hack/make/.binary | 5 +++++ 10 files changed, 33 insertions(+), 28 deletions(-) diff --git a/Dockerfile b/Dockerfile index 146f3d901b..b49dff2f1e 100644 --- a/Dockerfile +++ b/Dockerfile @@ -114,10 +114,10 @@ RUN set -x \ && git clone https://github.com/docker/distribution.git "$GOPATH/src/github.com/docker/distribution" \ && (cd "$GOPATH/src/github.com/docker/distribution" && git checkout -q "$REGISTRY_COMMIT") \ && GOPATH="$GOPATH/src/github.com/docker/distribution/Godeps/_workspace:$GOPATH" \ - go build -o /usr/local/bin/registry-v2 github.com/docker/distribution/cmd/registry \ + go build -buildmode=pie -o /usr/local/bin/registry-v2 github.com/docker/distribution/cmd/registry \ && (cd "$GOPATH/src/github.com/docker/distribution" && git checkout -q "$REGISTRY_COMMIT_SCHEMA1") \ && GOPATH="$GOPATH/src/github.com/docker/distribution/Godeps/_workspace:$GOPATH" \ - go build -o /usr/local/bin/registry-v2-schema1 github.com/docker/distribution/cmd/registry \ + go build -buildmode=pie -o /usr/local/bin/registry-v2-schema1 github.com/docker/distribution/cmd/registry \ && rm -rf "$GOPATH" # Install notary and notary-server @@ -127,9 +127,9 @@ RUN set -x \ && git clone https://github.com/docker/notary.git "$GOPATH/src/github.com/docker/notary" \ && (cd "$GOPATH/src/github.com/docker/notary" && git checkout -q "$NOTARY_VERSION") \ && GOPATH="$GOPATH/src/github.com/docker/notary/vendor:$GOPATH" \ - go build -o /usr/local/bin/notary-server github.com/docker/notary/cmd/notary-server \ + go build -buildmode=pie -o /usr/local/bin/notary-server github.com/docker/notary/cmd/notary-server \ && GOPATH="$GOPATH/src/github.com/docker/notary/vendor:$GOPATH" \ - go build -o /usr/local/bin/notary github.com/docker/notary/cmd/notary \ + go build -buildmode=pie -o /usr/local/bin/notary github.com/docker/notary/cmd/notary \ && rm -rf "$GOPATH" # Get the "docker-py" source so we can run their integration tests diff --git a/Dockerfile.aarch64 b/Dockerfile.aarch64 index e6a12fe370..bf5f261c7d 100644 --- a/Dockerfile.aarch64 +++ b/Dockerfile.aarch64 @@ -89,7 +89,7 @@ RUN set -x \ && git clone https://github.com/docker/distribution.git "$GOPATH/src/github.com/docker/distribution" \ && (cd "$GOPATH/src/github.com/docker/distribution" && git checkout -q "$REGISTRY_COMMIT") \ && GOPATH="$GOPATH/src/github.com/docker/distribution/Godeps/_workspace:$GOPATH" \ - go build -o /usr/local/bin/registry-v2 github.com/docker/distribution/cmd/registry \ + go build -buildmode=pie -o /usr/local/bin/registry-v2 github.com/docker/distribution/cmd/registry \ && rm -rf "$GOPATH" # Install notary and notary-server @@ -99,9 +99,9 @@ RUN set -x \ && git clone https://github.com/docker/notary.git "$GOPATH/src/github.com/docker/notary" \ && (cd "$GOPATH/src/github.com/docker/notary" && git checkout -q "$NOTARY_VERSION") \ && GOPATH="$GOPATH/src/github.com/docker/notary/vendor:$GOPATH" \ - go build -o /usr/local/bin/notary-server github.com/docker/notary/cmd/notary-server \ + go build -buildmode=pie -o /usr/local/bin/notary-server github.com/docker/notary/cmd/notary-server \ && GOPATH="$GOPATH/src/github.com/docker/notary/vendor:$GOPATH" \ - go build -o /usr/local/bin/notary github.com/docker/notary/cmd/notary \ + go build -buildmode=pie -o /usr/local/bin/notary github.com/docker/notary/cmd/notary \ && rm -rf "$GOPATH" # Get the "docker-py" source so we can run their integration tests diff --git a/Dockerfile.armhf b/Dockerfile.armhf index d67bdd0658..dfba8e7e5c 100644 --- a/Dockerfile.armhf +++ b/Dockerfile.armhf @@ -84,10 +84,10 @@ RUN set -x \ && git clone https://github.com/docker/distribution.git "$GOPATH/src/github.com/docker/distribution" \ && (cd "$GOPATH/src/github.com/docker/distribution" && git checkout -q "$REGISTRY_COMMIT") \ && GOPATH="$GOPATH/src/github.com/docker/distribution/Godeps/_workspace:$GOPATH" \ - go build -o /usr/local/bin/registry-v2 github.com/docker/distribution/cmd/registry \ + go build -buildmode=pie -o /usr/local/bin/registry-v2 github.com/docker/distribution/cmd/registry \ && (cd "$GOPATH/src/github.com/docker/distribution" && git checkout -q "$REGISTRY_COMMIT_SCHEMA1") \ && GOPATH="$GOPATH/src/github.com/docker/distribution/Godeps/_workspace:$GOPATH" \ - go build -o /usr/local/bin/registry-v2-schema1 github.com/docker/distribution/cmd/registry \ + go build -buildmode=pie -o /usr/local/bin/registry-v2-schema1 github.com/docker/distribution/cmd/registry \ && rm -rf "$GOPATH" # Install notary and notary-server @@ -97,9 +97,9 @@ RUN set -x \ && git clone https://github.com/docker/notary.git "$GOPATH/src/github.com/docker/notary" \ && (cd "$GOPATH/src/github.com/docker/notary" && git checkout -q "$NOTARY_VERSION") \ && GOPATH="$GOPATH/src/github.com/docker/notary/vendor:$GOPATH" \ - go build -o /usr/local/bin/notary-server github.com/docker/notary/cmd/notary-server \ + go build -buildmode=pie -o /usr/local/bin/notary-server github.com/docker/notary/cmd/notary-server \ && GOPATH="$GOPATH/src/github.com/docker/notary/vendor:$GOPATH" \ - go build -o /usr/local/bin/notary github.com/docker/notary/cmd/notary \ + go build -buildmode=pie -o /usr/local/bin/notary github.com/docker/notary/cmd/notary \ && rm -rf "$GOPATH" # Get the "docker-py" source so we can run their integration tests diff --git a/Dockerfile.e2e b/Dockerfile.e2e index c57d7d3217..559d3f36f7 100644 --- a/Dockerfile.e2e +++ b/Dockerfile.e2e @@ -31,7 +31,7 @@ ENV DOCKER_GITCOMMIT=$DOCKER_GITCOMMIT ADD . . # Build DockerSuite.TestBuild* dependency -RUN CGO_ENABLED=0 go build -o /output/httpserver github.com/docker/docker/contrib/httpserver +RUN CGO_ENABLED=0 go build -buildmode=pie -o /output/httpserver github.com/docker/docker/contrib/httpserver # Build the integration tests and copy the resulting binaries to /output/tests RUN hack/make.sh build-integration-test-binary diff --git a/Dockerfile.ppc64le b/Dockerfile.ppc64le index 709a6e6241..fe963f1336 100644 --- a/Dockerfile.ppc64le +++ b/Dockerfile.ppc64le @@ -82,10 +82,10 @@ RUN set -x \ && git clone https://github.com/docker/distribution.git "$GOPATH/src/github.com/docker/distribution" \ && (cd "$GOPATH/src/github.com/docker/distribution" && git checkout -q "$REGISTRY_COMMIT") \ && GOPATH="$GOPATH/src/github.com/docker/distribution/Godeps/_workspace:$GOPATH" \ - go build -o /usr/local/bin/registry-v2 github.com/docker/distribution/cmd/registry \ + go build -buildmode=pie -o /usr/local/bin/registry-v2 github.com/docker/distribution/cmd/registry \ && (cd "$GOPATH/src/github.com/docker/distribution" && git checkout -q "$REGISTRY_COMMIT_SCHEMA1") \ && GOPATH="$GOPATH/src/github.com/docker/distribution/Godeps/_workspace:$GOPATH" \ - go build -o /usr/local/bin/registry-v2-schema1 github.com/docker/distribution/cmd/registry \ + go build -buildmode=pie -o /usr/local/bin/registry-v2-schema1 github.com/docker/distribution/cmd/registry \ && rm -rf "$GOPATH" # Install notary and notary-server @@ -95,9 +95,9 @@ RUN set -x \ && git clone https://github.com/docker/notary.git "$GOPATH/src/github.com/docker/notary" \ && (cd "$GOPATH/src/github.com/docker/notary" && git checkout -q "$NOTARY_VERSION") \ && GOPATH="$GOPATH/src/github.com/docker/notary/vendor:$GOPATH" \ - go build -o /usr/local/bin/notary-server github.com/docker/notary/cmd/notary-server \ + go build -buildmode=pie -o /usr/local/bin/notary-server github.com/docker/notary/cmd/notary-server \ && GOPATH="$GOPATH/src/github.com/docker/notary/vendor:$GOPATH" \ - go build -o /usr/local/bin/notary github.com/docker/notary/cmd/notary \ + go build -buildmode=pie -o /usr/local/bin/notary github.com/docker/notary/cmd/notary \ && rm -rf "$GOPATH" # Get the "docker-py" source so we can run their integration tests diff --git a/Dockerfile.s390x b/Dockerfile.s390x index 752d052c62..eb2eec4032 100644 --- a/Dockerfile.s390x +++ b/Dockerfile.s390x @@ -76,10 +76,10 @@ RUN set -x \ && git clone https://github.com/docker/distribution.git "$GOPATH/src/github.com/docker/distribution" \ && (cd "$GOPATH/src/github.com/docker/distribution" && git checkout -q "$REGISTRY_COMMIT") \ && GOPATH="$GOPATH/src/github.com/docker/distribution/Godeps/_workspace:$GOPATH" \ - go build -o /usr/local/bin/registry-v2 github.com/docker/distribution/cmd/registry \ + go build -buildmode=pie -o /usr/local/bin/registry-v2 github.com/docker/distribution/cmd/registry \ && (cd "$GOPATH/src/github.com/docker/distribution" && git checkout -q "$REGISTRY_COMMIT_SCHEMA1") \ && GOPATH="$GOPATH/src/github.com/docker/distribution/Godeps/_workspace:$GOPATH" \ - go build -o /usr/local/bin/registry-v2-schema1 github.com/docker/distribution/cmd/registry \ + go build -buildmode=pie -o /usr/local/bin/registry-v2-schema1 github.com/docker/distribution/cmd/registry \ && rm -rf "$GOPATH" # Install notary and notary-server @@ -89,9 +89,9 @@ RUN set -x \ && git clone https://github.com/docker/notary.git "$GOPATH/src/github.com/docker/notary" \ && (cd "$GOPATH/src/github.com/docker/notary" && git checkout -q "$NOTARY_VERSION") \ && GOPATH="$GOPATH/src/github.com/docker/notary/vendor:$GOPATH" \ - go build -o /usr/local/bin/notary-server github.com/docker/notary/cmd/notary-server \ + go build -buildmode=pie -o /usr/local/bin/notary-server github.com/docker/notary/cmd/notary-server \ && GOPATH="$GOPATH/src/github.com/docker/notary/vendor:$GOPATH" \ - go build -o /usr/local/bin/notary github.com/docker/notary/cmd/notary \ + go build -buildmode=pie -o /usr/local/bin/notary github.com/docker/notary/cmd/notary \ && rm -rf "$GOPATH" # Get the "docker-py" source so we can run their integration tests diff --git a/Makefile b/Makefile index 7d50afa7d4..c2c611e6db 100644 --- a/Makefile +++ b/Makefile @@ -188,7 +188,7 @@ swagger-docs: ## preview the API documentation build-integration-cli-on-swarm: build ## build images and binary for running integration-cli on Swarm in parallel @echo "Building hack/integration-cli-on-swarm (if build fails, please refer to hack/integration-cli-on-swarm/README.md)" - go build -o ./hack/integration-cli-on-swarm/integration-cli-on-swarm ./hack/integration-cli-on-swarm/host + go build -buildmode=pie -o ./hack/integration-cli-on-swarm/integration-cli-on-swarm ./hack/integration-cli-on-swarm/host @echo "Building $(INTEGRATION_CLI_MASTER_IMAGE)" docker build -t $(INTEGRATION_CLI_MASTER_IMAGE) hack/integration-cli-on-swarm/agent # For worker, we don't use `docker build` so as to enable DOCKER_INCREMENTAL_BINARY and so on @@ -198,6 +198,6 @@ build-integration-cli-on-swarm: build ## build images and binary for running int # For avoiding bakings DOCKER_GRAPHDRIVER and so on to image, we cannot use $(DOCKER_ENVS) here docker run -t -d --name $(tmp) -e DOCKER_GITCOMMIT -e BUILDFLAGS -e DOCKER_INCREMENTAL_BINARY --privileged $(DOCKER_MOUNT_PKGCACHE) $(DOCKER_IMAGE) top docker exec $(tmp) hack/make.sh build-integration-test-binary dynbinary - docker exec $(tmp) go build -o /worker github.com/docker/docker/hack/integration-cli-on-swarm/agent/worker + docker exec $(tmp) go build -buildmode=pie -o /worker github.com/docker/docker/hack/integration-cli-on-swarm/agent/worker docker commit -c 'ENTRYPOINT ["/worker"]' $(tmp) $(INTEGRATION_CLI_WORKER_IMAGE) docker rm -f $(tmp) diff --git a/hack/dockerfile/install-binaries.sh b/hack/dockerfile/install-binaries.sh index e97385ebcc..72165d48d4 100755 --- a/hack/dockerfile/install-binaries.sh +++ b/hack/dockerfile/install-binaries.sh @@ -60,7 +60,7 @@ install_proxy() { git clone https://github.com/docker/libnetwork.git "$GOPATH/src/github.com/docker/libnetwork" cd "$GOPATH/src/github.com/docker/libnetwork" git checkout -q "$LIBNETWORK_COMMIT" - go build -ldflags="$PROXY_LDFLAGS" -o /usr/local/bin/docker-proxy github.com/docker/libnetwork/cmd/proxy + go build -buildmode=pie -ldflags="$PROXY_LDFLAGS" -o /usr/local/bin/docker-proxy github.com/docker/libnetwork/cmd/proxy } install_dockercli() { @@ -89,7 +89,7 @@ build_dockercli() { git checkout -q "v$DOCKERCLI_VERSION" mkdir -p "$GOPATH/src/github.com/docker" mv components/cli "$GOPATH/src/github.com/docker/cli" - go build -o /usr/local/bin/docker github.com/docker/cli/cmd/docker + go build -buildmode=pie -o /usr/local/bin/docker github.com/docker/cli/cmd/docker } install_gometalinter() { @@ -97,7 +97,7 @@ install_gometalinter() { go get -d github.com/alecthomas/gometalinter cd "$GOPATH/src/github.com/alecthomas/gometalinter" git checkout -q "$GOMETALINTER_COMMIT" - go build -o /usr/local/bin/gometalinter github.com/alecthomas/gometalinter + go build -buildmode=pie -o /usr/local/bin/gometalinter github.com/alecthomas/gometalinter GOBIN=/usr/local/bin gometalinter --install } @@ -108,7 +108,7 @@ do echo "Install tomlv version $TOMLV_COMMIT" git clone https://github.com/BurntSushi/toml.git "$GOPATH/src/github.com/BurntSushi/toml" cd "$GOPATH/src/github.com/BurntSushi/toml" && git checkout -q "$TOMLV_COMMIT" - go build -v -o /usr/local/bin/tomlv github.com/BurntSushi/toml/cmd/tomlv + go build -buildmode=pie -v -o /usr/local/bin/tomlv github.com/BurntSushi/toml/cmd/tomlv ;; runc) @@ -157,7 +157,7 @@ do git clone https://github.com/LK4D4/vndr.git "$GOPATH/src/github.com/LK4D4/vndr" cd "$GOPATH/src/github.com/LK4D4/vndr" git checkout -q "$VNDR_COMMIT" - go build -v -o /usr/local/bin/vndr . + go build -buildmode=pie -v -o /usr/local/bin/vndr . ;; dockercli) diff --git a/hack/integration-cli-on-swarm/agent/Dockerfile b/hack/integration-cli-on-swarm/agent/Dockerfile index c2bc2f195f..1ae228f6ef 100644 --- a/hack/integration-cli-on-swarm/agent/Dockerfile +++ b/hack/integration-cli-on-swarm/agent/Dockerfile @@ -2,5 +2,5 @@ # Please refer to the top-level Makefile for the worker image. FROM golang:1.7 ADD . /go/src/github.com/docker/docker/hack/integration-cli-on-swarm/agent -RUN go build -o /master github.com/docker/docker/hack/integration-cli-on-swarm/agent/master +RUN go build -buildmode=pie -o /master github.com/docker/docker/hack/integration-cli-on-swarm/agent/master ENTRYPOINT ["/master"] diff --git a/hack/make/.binary b/hack/make/.binary index ff5cbff722..61421937c8 100644 --- a/hack/make/.binary +++ b/hack/make/.binary @@ -50,6 +50,11 @@ if [ "$(go env GOOS)/$(go env GOARCH)" != "$(go env GOHOSTOS)/$(go env GOHOSTARC esac fi +# -buildmode=pie is not supported on Windows. +if [ "$(go env GOOS)" != "windows" ]; then + BUILDFLAGS+=( "-buildmode=pie" ) +fi + echo "Building: $DEST/$BINARY_FULLNAME" go build \ -o "$DEST/$BINARY_FULLNAME" \