containerd: compile option compliance

Signed-off-by: xiadanni <xiadanni1@huawei.com>

containerd.spec

@@ -2,7 +2,7 @@
 %global debug_package %{nil}
 Version:        1.2.0
 Name:           containerd
-Release:        107
+Release:        108
 Summary:        An industry-standard container runtime
 License:        ASL 2.0
 URL:            https://containerd.io
@@ -39,6 +39,7 @@ cd $GO_BUILD_PATH/src/%{goipath}
 export GOPATH=$GO_BUILD_PATH:%{gopath}
 export BUILDTAGS="no_btrfs no_cri"
 make
+strip ./bin/containerd ./bin/containerd-shim
 
 %install
 install -d $RPM_BUILD_ROOT/%{_bindir}
@@ -50,6 +51,12 @@ install -p -m 755 bin/containerd-shim $RPM_BUILD_ROOT/%{_bindir}/containerd-shim
 %{_bindir}/containerd-shim
 
 %changelog
+* Thu Mar 18 2021 xiadanni<xiadanni1@huawei.com> - 1.2.0-108
+- Type:bugfix
+- ID:NA
+- SUG:NA
+- DESC:compile option compliance
+
 * Thu Mar 18 2021 xiadanni<xiadanni1@huawei.com> - 1.2.0-107
 - Type:bugfix
 - ID:NA

git-commit

@@ -1 +1 @@
-04eb93cb4ae835a46fbd7df3dbd29f78d2a082c8
+aec25f8e033c265f30268f7170d83095404adcef

patch/0068-containerd-compile-option-compliance.patch

@@ -0,0 +1,49 @@
+From 0cda15b8d0241f9c15c0efe12d19877761f7b387 Mon Sep 17 00:00:00 2001
+From: xiadanni <xiadanni1@huawei.com>
+Date: Thu, 18 Mar 2021 10:29:02 +0800
+Subject: [PATCH] containerd: compile option compliance
+
+Signed-off-by: xiadanni <xiadanni1@huawei.com>
+---
+ Makefile | 14 ++++++++++++--
+ 1 file changed, 12 insertions(+), 2 deletions(-)
+
+diff --git a/Makefile b/Makefile
+index f69559b..102db9f 100644
+--- a/Makefile
++++ b/Makefile
+@@ -82,7 +82,7 @@ BEP_DIR=/tmp/containerd-build-bep
+ BEP_FLAGS=-tmpdir=/tmp/containerd-build-bep
+ 
+ GO_LDFLAGS=-ldflags ' -buildid=IdByIsula -extldflags=-zrelro -extldflags=-znow $(BEP_FLAGS) -X $(PKG)/version.Version=$(VERSION) -X $(PKG)/version.Revision=$(REVISION) $(EXTRA_LDFLAGS)'
+-SHIM_GO_LDFLAGS=-ldflags ' -buildid=IdByIsula $(BEP_FLAGS) -X $(PKG)/version.Version=$(VERSION) -X $(PKG)/version.Revision=$(REVISION) -extldflags "-static"'
++SHIM_GO_LDFLAGS=-ldflags '-extldflags=-static' -ldflags '-buildid=IdByIsula $(BEP_FLAGS) -X $(PKG)/version.Version=$(VERSION) -X $(PKG)/version.Revision=$(REVISION) -linkmode=external -extldflags=-Wl,-z,relro,-z,now'
+ 
+ #Replaces ":" (*nix), ";" (windows) with newline for easy parsing
+ GOPATHS=$(shell echo ${GOPATH} | tr ":" "\n" | tr ";" "\n")
+@@ -171,11 +171,21 @@ FORCE:
+ bin/%: cmd/% FORCE
+ 	mkdir -p $(BEP_DIR)
+ 	@echo "$(WHALE) $@${BINARY_SUFFIX}"
++	CGO_ENABLED=1 \
++	CGO_CFLAGS="-fstack-protector-strong -fPIE" \
++	CGO_CPPFLAGS="-fstack-protector-strong -fPIE" \
++	CGO_LDFLAGS_ALLOW='-Wl,-z,relro,-z,now' \
++	CGO_LDFLAGS="-Wl,-z,relro,-z,now -Wl,-z,noexecstack" \
+ 	go build ${GO_GCFLAGS} ${GO_BUILD_FLAGS} -o $@${BINARY_SUFFIX} ${GO_LDFLAGS} ${GO_TAGS}  ./$<
+ 
+ bin/containerd-shim: cmd/containerd-shim FORCE # set !cgo and omit pie for a static shim build: https://github.com/golang/go/issues/17789#issuecomment-258542220
+ 	@echo "$(WHALE) bin/containerd-shim"
+-	go build ${GO_BUILD_FLAGS} -o bin/containerd-shim ${SHIM_GO_LDFLAGS} ${GO_TAGS} ./cmd/containerd-shim
++	CGO_ENABLED=1 \
++	CGO_CFLAGS="-fstack-protector-strong -fPIE" \
++	CGO_CPPFLAGS="-fstack-protector-strong -fPIE" \
++	CGO_LDFLAGS_ALLOW='-Wl,-z,relro,-z,now' \
++	CGO_LDFLAGS="-Wl,-z,relro,-z,now -Wl,-z,noexecstack" \
++	go build -buildmode=pie ${GO_BUILD_FLAGS} -o bin/containerd-shim ${SHIM_GO_LDFLAGS} ${GO_TAGS} ./cmd/containerd-shim
+ 
+ bin/containerd-shim-runc-v1: cmd/containerd-shim-runc-v1 FORCE # set !cgo and omit pie for a static shim build: https://github.com/golang/go/issues/17789#issuecomment-258542220
+ 	@echo "$(WHALE) bin/containerd-shim-runc-v1"
+-- 
+1.8.3.1
+

series.conf

@@ -72,4 +72,5 @@ patch/0064-containerd-check-task-list-to-avoid-unnecessary-clea.patch
 patch/0065-containerd-fix-dead-loop.patch
 patch/0066-containerd-cleanup-dangling-shim-by-brand-new-context.patch
 patch/0067-containerd-fix-potential-panic-for-task-in-unknown-state.patch
+patch/0068-containerd-compile-option-compliance.patch
 # end