From fb528fd05611d86efa60d7159b813dd17188fb5b Mon Sep 17 00:00:00 2001
From: Mahe Tardy
Date: Wed, 7 Aug 2024 19:37:40 +0200
Subject: [PATCH 1/4] clang: upgrade to use Clang 18
Signed-off-by: Mahe Tardy
---
 Dockerfile | 4 ++--
 Dockerfile.dev | 2 +-
 Dockerfile.test | 2 +-
 Makefile | 2 +-
 4 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/Dockerfile b/Dockerfile
index b0b1324a5ee..7ae25fa8990 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -10,7 +10,7 @@
 # https://www.docker.com/blog/faster-multi-platform-builds-dockerfile-cross-compilation-guide/
 # First builder (cross-)compile the BPF programs
-FROM --platform=$BUILDPLATFORM quay.io/cilium/clang:aeaada5cf60efe8d0e772d032fe3cc2bc613739c@sha256:b440ae7b3591a80ffef8120b2ac99e802bbd31dee10f5f15a48566832ae0866f AS bpf-builder
+FROM --platform=$BUILDPLATFORM quay.io/cilium/clang:b97f5b3d5c38da62fb009f21a53cd42aefd54a2f@sha256:e1c8ed0acd2e24ed05377f2861d8174af28e09bef3bbc79649c8eba165207df0 AS bpf-builder
 WORKDIR /go/src/github.com/cilium/tetragon
 RUN apt-get update && apt-get install -y linux-libc-dev
 COPY . ./
@@ -36,7 +36,7 @@ RUN apk add --no-cache git \
 # This builder (cross-)compile a stripped static version of bpftool.
 # This step was kept because the downloaded version includes LLVM libs with the
 # disassembler that makes the static binary grow from ~2Mo to ~30Mo.
-FROM --platform=$BUILDPLATFORM quay.io/cilium/clang:aeaada5cf60efe8d0e772d032fe3cc2bc613739c@sha256:b440ae7b3591a80ffef8120b2ac99e802bbd31dee10f5f15a48566832ae0866f AS bpftool-builder
+FROM --platform=$BUILDPLATFORM quay.io/cilium/clang:b97f5b3d5c38da62fb009f21a53cd42aefd54a2f@sha256:e1c8ed0acd2e24ed05377f2861d8174af28e09bef3bbc79649c8eba165207df0 AS bpftool-builder
 WORKDIR /bpftool
 ARG TARGETARCH BUILDARCH
 RUN if [ $BUILDARCH != $TARGETARCH ]; \
diff --git a/Dockerfile.dev b/Dockerfile.dev
index 06afb513292..629ccbd9732 100644
--- a/Dockerfile.dev
+++ b/Dockerfile.dev
@@ -1,4 +1,4 @@
-FROM quay.io/cilium/clang:aeaada5cf60efe8d0e772d032fe3cc2bc613739c@sha256:b440ae7b3591a80ffef8120b2ac99e802bbd31dee10f5f15a48566832ae0866f AS bpf-builder
+FROM quay.io/cilium/clang:b97f5b3d5c38da62fb009f21a53cd42aefd54a2f@sha256:e1c8ed0acd2e24ed05377f2861d8174af28e09bef3bbc79649c8eba165207df0 AS bpf-builder
 WORKDIR /go/src/github.com/cilium/tetragon
 RUN apt-get update
 RUN apt-get install -y linux-libc-dev
diff --git a/Dockerfile.test b/Dockerfile.test
index dbf18c5a486..30e8007bd5a 100644
--- a/Dockerfile.test
+++ b/Dockerfile.test
@@ -1,4 +1,4 @@
-FROM quay.io/cilium/clang:aeaada5cf60efe8d0e772d032fe3cc2bc613739c@sha256:b440ae7b3591a80ffef8120b2ac99e802bbd31dee10f5f15a48566832ae0866f AS bpf-builder
+FROM quay.io/cilium/clang:b97f5b3d5c38da62fb009f21a53cd42aefd54a2f@sha256:e1c8ed0acd2e24ed05377f2861d8174af28e09bef3bbc79649c8eba165207df0 AS bpf-builder
 WORKDIR /go/src/github.com/cilium/tetragon
 RUN apt-get update
 RUN apt-get install -y linux-libc-dev
diff --git a/Makefile b/Makefile
index dcc94a6df20..46ef2c0bd8f 100644
--- a/Makefile
+++ b/Makefile
@@ -12,7 +12,7 @@ LOCAL_CLANG ?= 0
 LOCAL_CLANG_FORMAT ?= 0
 FORMAT_FIND_FLAGS ?= -name '*.c' -o -name '*.h' -not -path 'bpf/include/vmlinux.h' -not -path 'bpf/include/api.h' -not -path 'bpf/libbpf/*'
 NOOPT ?= 0
-CLANG_IMAGE = quay.io/cilium/clang:aeaada5cf60efe8d0e772d032fe3cc2bc613739c@sha256:b440ae7b3591a80ffef8120b2ac99e802bbd31dee10f5f15a48566832ae0866f
+CLANG_IMAGE = quay.io/cilium/clang:b97f5b3d5c38da62fb009f21a53cd42aefd54a2f@sha256:e1c8ed0acd2e24ed05377f2861d8174af28e09bef3bbc79649c8eba165207df0
 TESTER_PROGS_DIR = "contrib/tester-progs"
 # Extra flags to pass to test binary
 EXTRA_TESTFLAGS ?=
From a02c8a813b2ba10e7ebf5df755aa154d9f1dd95d Mon Sep 17 00:00:00 2001
From: Mahe Tardy
Date: Wed, 14 Aug 2024 14:56:44 +0000
Subject: [PATCH 2/4] bpf: satisfy the verifier on v5.3 generic programs
Verifier complains with clang-18 compiling bpf_generic_kprobe_v53.o and loading it on 5.4.278.
Signed-off-by: Mahe Tardy
---
 bpf/process/pfilter.h | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/bpf/process/pfilter.h b/bpf/process/pfilter.h
index b1bf2d52784..4bd630d05a3 100644
--- a/bpf/process/pfilter.h
+++ b/bpf/process/pfilter.h
@@ -281,6 +281,13 @@ process_filter_capability_change(__u32 ty, __u32 op, __u32 ns, __u64 val,
 return PFILTER_REJECT;
 icaps = init->caps.c[ty];
+
+ // When compiling bpf_generic_kprobe_v53.o with clang-18 and loading it on
+ // 5.4.278, the verifier complains than ty could be negative while in this
+ // context it's just the capability set type (effective, inheritable, or
+ // permitted), let's blindly remind the verifier it's a u32.
+ asm volatile("%[ty] &= 0xffffffff;\n"
+ : [ty] "+r"(ty));
 ccaps = c->c[ty];
 /* we have a change in the capabilities that we care */
From 8e994cf0bc2ad2ccd88ba9a490913052a1b9a825 Mon Sep 17 00:00:00 2001
From: Mahe Tardy
Date: Fri, 16 Aug 2024 12:54:26 +0200
Subject: [PATCH 3/4] Dockerfile: fix a static linking issue with bpftool
When bumping the builder image to Ubuntu 24.04, the static build of bpftool started to fail. We cannot use EXTRA_LDFLAGS unfortunately and need to mofiy the LIBS and LIBS_BOOTSTRAP Makefile variables. Maybe we can upstream this fix later.
Signed-off-by: Mahe Tardy
---
 Dockerfile | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/Dockerfile b/Dockerfile
index 7ae25fa8990..0bfc0453578 100644
--- a/Dockerfile
+++ b/Dockerfile
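Review bot: The added `asm volatile("%[ty] &= 0xffffffff;\n" : [ty] "+r"(ty))` only narrows what the verifier tracks for `ty`; it does not bound `ty` against the length of the capability-set arrays that `init->caps.c[ty]` and the following `ccaps = c->c[ty]` index, so an explicit check such as `if (ty >= <number of capability sets>) return PFILTER_REJECT;` placed before the first lookup would state the invariant in C and give the verifier a real bound instead of an assembly hint. Whether the hint changes the tracked range presumably depends on whether clang emits the AND as a 32-bit or 64-bit ALU instruction for the target the v5.3 objects are built with, so it is worth confirming on the generated object rather than relying on the one kernel mentioned in the comment. The new comment also has a typo: `// 5.4.278, the verifier complains that ty could be negative while in this`. process_filter_capability_change starts before the hunk and continues after it.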
@@ -56,6 +56,8 @@ RUN if [ $BUILDARCH != $TARGETARCH ]; \
 # v7.3.0
 ENV BPFTOOL_REV="687e7f06f2ee104ed6515ec3a9816af77bfa7a17"
 RUN git clone https://github.com/libbpf/bpftool.git . && git checkout ${BPFTOOL_REV} && git submodule update --init --recursive
+# From Ubuntu 24.04 builder image, libzstd must be added at the end of LIBS and LIBS_BOOTSTRAP to compile statically
+RUN sed -i 's/\(LIBS = $(LIBBPF) -lelf -lz\)/\1 -lzstd/; s/\(LIBS_BOOTSTRAP = $(LIBBPF_BOOTSTRAP) -lelf -lz\)/\1 -lzstd/' src/Makefile
 RUN if [ $BUILDARCH != $TARGETARCH ]; \
 then make -C src EXTRA_CFLAGS=--static CC=aarch64-linux-gnu-gcc -j $(nproc) && aarch64-linux-gnu-strip src/bpftool; \
 else make -C src EXTRA_CFLAGS=--static -j $(nproc) && strip src/bpftool; fi
From 911d77429100205272d8c7e6f677b18b0dc9c82e Mon Sep 17 00:00:00 2001
From: Mahe Tardy
Date: Fri, 16 Aug 2024 11:56:10 +0000
Subject: [PATCH 4/4] Dockerfile: Ubuntu apt now uses the deb822 format
Things look different but they are fairly similar...
Signed-off-by: Mahe Tardy
---
 Dockerfile | 28 ++++++++++++++++++++--------
 1 file changed, 20 insertions(+), 8 deletions(-)
diff --git a/Dockerfile b/Dockerfile
index 0bfc0453578..5ed4f68422a 100644
--- a/Dockerfile
+++ b/Dockerfile
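Review bot: The new `RUN sed -i … src/Makefile` exits 0 even when neither pattern matches, so a later bump of `BPFTOOL_REV` that reshapes the `LIBS`/`LIBS_BOOTSTRAP` lines would silently drop `-lzstd` and the static link would fail again, but only at the `make -C src` step with a less obvious error. Asserting the substitution makes the build fail at the right place: `RUN sed -i '…' src/Makefile && grep -q -- '-lelf -lz -lzstd' src/Makefile`. It would also help to tie the comment to the revision the patterns were written against, e.g. `# Written against BPFTOOL_REV above (v7.3.0); re-check the sed patterns when bumping it`.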
@@ -40,14 +40,26 @@ FROM --platform=$BUILDPLATFORM quay.io/cilium/clang:b97f5b3d5c38da62fb009f21a53c
 WORKDIR /bpftool
 ARG TARGETARCH BUILDARCH
 RUN if [ $BUILDARCH != $TARGETARCH ]; \
- then apt-get update && echo "deb [arch=amd64] http://archive.ubuntu.com/ubuntu jammy main restricted universe multiverse\n\
-deb [arch=amd64] http://security.ubuntu.com/ubuntu jammy-updates main restricted universe multiverse\n\
-deb [arch=amd64] http://security.ubuntu.com/ubuntu jammy-security main restricted universe multiverse\n\
-deb [arch=amd64] http://archive.ubuntu.com/ubuntu jammy-backports main restricted universe multiverse\n\
-deb [arch=arm64] http://ports.ubuntu.com/ jammy main restricted universe multiverse\n\
-deb [arch=arm64] http://ports.ubuntu.com/ jammy-updates main restricted universe multiverse\n\
-deb [arch=arm64] http://ports.ubuntu.com/ jammy-security main restricted universe multiverse\n\
-deb [arch=arm64] http://ports.ubuntu.com/ jammy-backports main restricted universe multiverse" > /etc/apt/sources.list \
+ then apt-get update && echo "Types: deb\n\
+URIs: http://archive.ubuntu.com/ubuntu/\n\
+Suites: noble noble-updates noble-backports\n\
+Components: main universe restricted multiverse\n\
+Architectures: amd64\n\
+Signed-By: /usr/share/keyrings/ubuntu-archive-keyring.gpg\n\
+\n\
+Types: deb\n\
+URIs: http://archive.ubuntu.com/ubuntu/\n\
+Suites: noble-security\n\
+Components: main universe restricted multiverse\n\
+Architectures: amd64\n\
+Signed-By: /usr/share/keyrings/ubuntu-archive-keyring.gpg\n\
+\n\
+Types: deb\n\
+URIs: http://ports.ubuntu.com/\n\
+Suites: noble noble-updates noble-backports noble-security\n\
+Components: main universe restricted multiverse\n\
+Architectures: arm64\n\
+Signed-By: /usr/share/keyrings/ubuntu-archive-keyring.gpg" > /etc/apt/sources.list.d/ubuntu.sources \
 && dpkg --add-architecture arm64; fi
 RUN apt-get update
 RUN if [ $BUILDARCH != $TARGETARCH ]; \
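Review bot: The amd64 `noble-security` stanza points at `URIs: http://archive.ubuntu.com/ubuntu/`, whereas the removed lines (and, as far as I recall, Ubuntu's stock `ubuntu.sources`) take the security pocket from `security.ubuntu.com`; the archive does mirror that pocket, but the security host is where fixes are published first, so keeping `URIs: http://security.ubuntu.com/ubuntu/` on that stanza avoids a builder that can lag behind security updates. The `echo "…\n\…"` relies on the shell's builtin `echo` expanding `\n`, which dash does and bash does not by default, so `printf '%b'` or a heredoc redirected into `/etc/apt/sources.list.d/ubuntu.sources` would not depend on which shell the `RUN` executes under. Each stanza carrying `Signed-By: /usr/share/keyrings/ubuntu-archive-keyring.gpg` is the right way to bind these sources to the keyring and should be kept if the URIs change. The `RUN if` block is entirely inside the hunk.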