kata:optimize compile options

1. add CGO compile options for kata-runtime/kata-netmon/containerd-shim-kata-v2, including open BIND_NOW, SP, FS compile options. 2. use pie mode to build kata-monitor Signed-off-by: Vanient <xiadanni1@huawei.com> (cherry picked from commit 91abc3917fa847ce1fea0273bc2d523534aee70c)
2022-09-08 21:52:50 +08:00 · 2022-09-08 21:52:50 +08:00 · 0c47c835f8
commit 0c47c835f8
parent a40fe16a9f
3 changed files with 65 additions and 1 deletions
--- a/kata-containers.spec
+++ b/kata-containers.spec
@ -2,7 +2,7 @@
 %global debug_package %{nil}
 %define VERSION 2.1.0
-%define RELEASE 29
+%define RELEASE 30
 Name:           kata-containers
 Version:        %{VERSION}
@ -108,6 +108,12 @@ strip %{buildroot}/usr/bin/containerd-shim-kata-v2
 %doc
 %changelog
 * Thu Sep 8 2022 xiadanni <xiadanni1@huawei.com> - 2.1.0-30
 - Type:enhancement
 - ID:NA
 - SUG:NA
 - DESC:optimize compile options
 * Fri Sep 2 2022 chengzeruizhi <chengzeruizhi@huawei.com> - 2.1.0-29
 - Type:bugfix
 - ID:NA
--- a/patches/0033-optimize-compile-options.patch
+++ b/patches/0033-optimize-compile-options.patch
@ -0,0 +1,57 @@
 From 443e65326eeccb3a4ad8170670d56c32931215f9 Mon Sep 17 00:00:00 2001
 From: Vanient <xiadanni1@huawei.com>
 Date: Thu, 8 Sep 2022 21:44:13 +0800
 Subject: [PATCH] optimize compile options
 Signed-off-by: Vanient <xiadanni1@huawei.com>
 ---
 src/runtime/Makefile | 20 ++++++++++++++++----
 1 file changed, 16 insertions(+), 4 deletions(-)
 diff --git a/src/runtime/Makefile b/src/runtime/Makefile
 index bade196..ad421d9 100644
 --- a/src/runtime/Makefile
 +++ b/src/runtime/Makefile
@@ -566,7 +566,11 @@ monitor: $(MONITOR_OUTPUT)
 netmon: $(NETMON_TARGET_OUTPUT)
 $(NETMON_TARGET_OUTPUT): $(SOURCES) VERSION
 -	$(QUIET_BUILD)(cd $(NETMON_DIR) && go build $(BUILDFLAGS) -o $@ -ldflags "-X main.version=$(VERSION)" $(KATA_LDFLAGS))
 +	$(QUIET_BUILD)(cd $(NETMON_DIR) && \
 +	CGO_CFLAGS="-fstack-protector-strong -fPIE -D_FORTIFY_SOURCE=2 -O2" \
 +	CGO_LDFLAGS_ALLOW="-Wl,-z,relro,-z,now" \
 +	CGO_LDFLAGS="-Wl,-z,relro,-z,now -Wl,-z,noexecstack" \
 +	go build $(BUILDFLAGS) -o $@ -ldflags "-linkmode=external -X main.version=$(VERSION)" $(KATA_LDFLAGS))
 runtime: $(TARGET_OUTPUT) $(CONFIGS)
 .DEFAULT: default
@@ -605,15 +609,23 @@ GENERATED_FILES += $(GENERATED_CONFIG)
 GENERATED_FILES += pkg/katautils/config-settings.go
 $(TARGET_OUTPUT): $(SOURCES) $(GENERATED_FILES) $(MAKEFILE_LIST) | show-summary
 -	$(QUIET_BUILD)(cd $(CLI_DIR) && go build $(KATA_LDFLAGS) $(BUILDFLAGS) -o $@ .)
 +	$(QUIET_BUILD)(cd $(CLI_DIR) && \
 +	CGO_CFLAGS="-fstack-protector-strong -fPIE -D_FORTIFY_SOURCE=2 -O2" \
 +	CGO_LDFLAGS_ALLOW="-Wl,-z,relro,-z,now" \
 +	CGO_LDFLAGS="-Wl,-z,relro,-z,now -Wl,-z,noexecstack" \
 +	go build -ldflags "-linkmode=external" $(KATA_LDFLAGS) $(BUILDFLAGS) -o $@ .)
 $(SHIMV2_OUTPUT): $(SOURCES) $(GENERATED_FILES) $(MAKEFILE_LIST)
 	$(QUIET_BUILD)(cd $(SHIMV2_DIR)/ && ln -fs $(GENERATED_CONFIG))
 -	$(QUIET_BUILD)(cd $(SHIMV2_DIR)/ && go build $(KATA_LDFLAGS) $(BUILDFLAGS) -o $@ .)
 +	$(QUIET_BUILD)(cd $(SHIMV2_DIR)/ && \
 +	CGO_CFLAGS="-fstack-protector-strong -fPIE -D_FORTIFY_SOURCE=2 -O2" \
 +	CGO_LDFLAGS_ALLOW="-Wl,-z,relro,-z,now" \
 +	CGO_LDFLAGS="-Wl,-z,relro,-z,now -Wl,-z,noexecstack" \
 +	go build -ldflags "-linkmode=external" $(KATA_LDFLAGS) $(BUILDFLAGS) -o $@ .)
 $(MONITOR_OUTPUT): $(SOURCES) $(GENERATED_FILES) $(MAKEFILE_LIST) .git-commit
 	$(QUIET_BUILD)(cd $(MONITOR_DIR)/ && CGO_ENABLED=0 go build \
 -		--ldflags "-X main.GitCommit=$(shell cat .git-commit)" $(BUILDFLAGS) -buildmode=exe -o $@ .)
 +		--ldflags "-linkmode=external -X main.GitCommit=$(shell cat .git-commit)" $(BUILDFLAGS) -o $@ .)
 .PHONY: \
 	check \
 -- 
 2.27.0
--- a/series.conf
+++ b/series.conf
@ -30,3 +30,4 @@
 0030-use-host_device-blockdev-adding.patch
 0031-add-explicit-on-after-kernel_irqchip.patch
 0032-qmp-Don-t-use-deprecated-props-field-for-object-add.patch
 0033-optimize-compile-options.patch