Browse code
*: switch to -buildmode=pie
Go has supported PIC builds for a while now, and given the security
benefits of using PIC binaries we should really enable them. There also
appears to be some indication that non-PIC builds have been interacting
oddly on ppc64le (the linker cannot load some shared libraries), and
using PIC builds appears to solve this problem.
Signed-off-by: Aleksa Sarai <asarai@suse.de>
Aleksa Sarai authored on 2017/08/02 22:07:36Showing 10 changed files
- Dockerfile
- Dockerfile.aarch64
- Dockerfile.armhf
- Dockerfile.e2e
- Dockerfile.ppc64le
- Dockerfile.s390x
- Makefile
- hack/dockerfile/install-binaries.sh
- hack/integration-cli-on-swarm/agent/Dockerfile
- hack/make/.binary
| ... | ... |
@@ -114,10 +114,10 @@ RUN set -x \ |
| 114 | 114 |
&& git clone https://github.com/docker/distribution.git "$GOPATH/src/github.com/docker/distribution" \ |
| 115 | 115 |
&& (cd "$GOPATH/src/github.com/docker/distribution" && git checkout -q "$REGISTRY_COMMIT") \ |
| 116 | 116 |
&& GOPATH="$GOPATH/src/github.com/docker/distribution/Godeps/_workspace:$GOPATH" \ |
| 117 |
- go build -o /usr/local/bin/registry-v2 github.com/docker/distribution/cmd/registry \ |
|
| 117 |
+ go build -buildmode=pie -o /usr/local/bin/registry-v2 github.com/docker/distribution/cmd/registry \ |
|
| 118 | 118 |
&& (cd "$GOPATH/src/github.com/docker/distribution" && git checkout -q "$REGISTRY_COMMIT_SCHEMA1") \ |
| 119 | 119 |
&& GOPATH="$GOPATH/src/github.com/docker/distribution/Godeps/_workspace:$GOPATH" \ |
| 120 |
- go build -o /usr/local/bin/registry-v2-schema1 github.com/docker/distribution/cmd/registry \ |
|
| 120 |
+ go build -buildmode=pie -o /usr/local/bin/registry-v2-schema1 github.com/docker/distribution/cmd/registry \ |
|
| 121 | 121 |
&& rm -rf "$GOPATH" |
| 122 | 122 |
|
| 123 | 123 |
# Install notary and notary-server |
| ... | ... |
@@ -127,9 +127,9 @@ RUN set -x \ |
| 127 | 127 |
&& git clone https://github.com/docker/notary.git "$GOPATH/src/github.com/docker/notary" \ |
| 128 | 128 |
&& (cd "$GOPATH/src/github.com/docker/notary" && git checkout -q "$NOTARY_VERSION") \ |
| 129 | 129 |
&& GOPATH="$GOPATH/src/github.com/docker/notary/vendor:$GOPATH" \ |
| 130 |
- go build -o /usr/local/bin/notary-server github.com/docker/notary/cmd/notary-server \ |
|
| 130 |
+ go build -buildmode=pie -o /usr/local/bin/notary-server github.com/docker/notary/cmd/notary-server \ |
|
| 131 | 131 |
&& GOPATH="$GOPATH/src/github.com/docker/notary/vendor:$GOPATH" \ |
| 132 |
- go build -o /usr/local/bin/notary github.com/docker/notary/cmd/notary \ |
|
| 132 |
+ go build -buildmode=pie -o /usr/local/bin/notary github.com/docker/notary/cmd/notary \ |
|
| 133 | 133 |
&& rm -rf "$GOPATH" |
| 134 | 134 |
|
| 135 | 135 |
# Get the "docker-py" source so we can run their integration tests |
| ... | ... |
@@ -89,7 +89,7 @@ RUN set -x \ |
| 89 | 89 |
&& git clone https://github.com/docker/distribution.git "$GOPATH/src/github.com/docker/distribution" \ |
| 90 | 90 |
&& (cd "$GOPATH/src/github.com/docker/distribution" && git checkout -q "$REGISTRY_COMMIT") \ |
| 91 | 91 |
&& GOPATH="$GOPATH/src/github.com/docker/distribution/Godeps/_workspace:$GOPATH" \ |
| 92 |
- go build -o /usr/local/bin/registry-v2 github.com/docker/distribution/cmd/registry \ |
|
| 92 |
+ go build -buildmode=pie -o /usr/local/bin/registry-v2 github.com/docker/distribution/cmd/registry \ |
|
| 93 | 93 |
&& rm -rf "$GOPATH" |
| 94 | 94 |
|
| 95 | 95 |
# Install notary and notary-server |
| ... | ... |
@@ -99,9 +99,9 @@ RUN set -x \ |
| 99 | 99 |
&& git clone https://github.com/docker/notary.git "$GOPATH/src/github.com/docker/notary" \ |
| 100 | 100 |
&& (cd "$GOPATH/src/github.com/docker/notary" && git checkout -q "$NOTARY_VERSION") \ |
| 101 | 101 |
&& GOPATH="$GOPATH/src/github.com/docker/notary/vendor:$GOPATH" \ |
| 102 |
- go build -o /usr/local/bin/notary-server github.com/docker/notary/cmd/notary-server \ |
|
| 102 |
+ go build -buildmode=pie -o /usr/local/bin/notary-server github.com/docker/notary/cmd/notary-server \ |
|
| 103 | 103 |
&& GOPATH="$GOPATH/src/github.com/docker/notary/vendor:$GOPATH" \ |
| 104 |
- go build -o /usr/local/bin/notary github.com/docker/notary/cmd/notary \ |
|
| 104 |
+ go build -buildmode=pie -o /usr/local/bin/notary github.com/docker/notary/cmd/notary \ |
|
| 105 | 105 |
&& rm -rf "$GOPATH" |
| 106 | 106 |
|
| 107 | 107 |
# Get the "docker-py" source so we can run their integration tests |
| ... | ... |
@@ -84,10 +84,10 @@ RUN set -x \ |
| 84 | 84 |
&& git clone https://github.com/docker/distribution.git "$GOPATH/src/github.com/docker/distribution" \ |
| 85 | 85 |
&& (cd "$GOPATH/src/github.com/docker/distribution" && git checkout -q "$REGISTRY_COMMIT") \ |
| 86 | 86 |
&& GOPATH="$GOPATH/src/github.com/docker/distribution/Godeps/_workspace:$GOPATH" \ |
| 87 |
- go build -o /usr/local/bin/registry-v2 github.com/docker/distribution/cmd/registry \ |
|
| 87 |
+ go build -buildmode=pie -o /usr/local/bin/registry-v2 github.com/docker/distribution/cmd/registry \ |
|
| 88 | 88 |
&& (cd "$GOPATH/src/github.com/docker/distribution" && git checkout -q "$REGISTRY_COMMIT_SCHEMA1") \ |
| 89 | 89 |
&& GOPATH="$GOPATH/src/github.com/docker/distribution/Godeps/_workspace:$GOPATH" \ |
| 90 |
- go build -o /usr/local/bin/registry-v2-schema1 github.com/docker/distribution/cmd/registry \ |
|
| 90 |
+ go build -buildmode=pie -o /usr/local/bin/registry-v2-schema1 github.com/docker/distribution/cmd/registry \ |
|
| 91 | 91 |
&& rm -rf "$GOPATH" |
| 92 | 92 |
|
| 93 | 93 |
# Install notary and notary-server |
| ... | ... |
@@ -97,9 +97,9 @@ RUN set -x \ |
| 97 | 97 |
&& git clone https://github.com/docker/notary.git "$GOPATH/src/github.com/docker/notary" \ |
| 98 | 98 |
&& (cd "$GOPATH/src/github.com/docker/notary" && git checkout -q "$NOTARY_VERSION") \ |
| 99 | 99 |
&& GOPATH="$GOPATH/src/github.com/docker/notary/vendor:$GOPATH" \ |
| 100 |
- go build -o /usr/local/bin/notary-server github.com/docker/notary/cmd/notary-server \ |
|
| 100 |
+ go build -buildmode=pie -o /usr/local/bin/notary-server github.com/docker/notary/cmd/notary-server \ |
|
| 101 | 101 |
&& GOPATH="$GOPATH/src/github.com/docker/notary/vendor:$GOPATH" \ |
| 102 |
- go build -o /usr/local/bin/notary github.com/docker/notary/cmd/notary \ |
|
| 102 |
+ go build -buildmode=pie -o /usr/local/bin/notary github.com/docker/notary/cmd/notary \ |
|
| 103 | 103 |
&& rm -rf "$GOPATH" |
| 104 | 104 |
|
| 105 | 105 |
# Get the "docker-py" source so we can run their integration tests |
| ... | ... |
@@ -31,7 +31,7 @@ ENV DOCKER_GITCOMMIT=$DOCKER_GITCOMMIT |
| 31 | 31 |
ADD . . |
| 32 | 32 |
|
| 33 | 33 |
# Build DockerSuite.TestBuild* dependency |
| 34 |
-RUN CGO_ENABLED=0 go build -o /output/httpserver github.com/docker/docker/contrib/httpserver |
|
| 34 |
+RUN CGO_ENABLED=0 go build -buildmode=pie -o /output/httpserver github.com/docker/docker/contrib/httpserver |
|
| 35 | 35 |
|
| 36 | 36 |
# Build the integration tests and copy the resulting binaries to /output/tests |
| 37 | 37 |
RUN hack/make.sh build-integration-test-binary |
| ... | ... |
@@ -82,10 +82,10 @@ RUN set -x \ |
| 82 | 82 |
&& git clone https://github.com/docker/distribution.git "$GOPATH/src/github.com/docker/distribution" \ |
| 83 | 83 |
&& (cd "$GOPATH/src/github.com/docker/distribution" && git checkout -q "$REGISTRY_COMMIT") \ |
| 84 | 84 |
&& GOPATH="$GOPATH/src/github.com/docker/distribution/Godeps/_workspace:$GOPATH" \ |
| 85 |
- go build -o /usr/local/bin/registry-v2 github.com/docker/distribution/cmd/registry \ |
|
| 85 |
+ go build -buildmode=pie -o /usr/local/bin/registry-v2 github.com/docker/distribution/cmd/registry \ |
|
| 86 | 86 |
&& (cd "$GOPATH/src/github.com/docker/distribution" && git checkout -q "$REGISTRY_COMMIT_SCHEMA1") \ |
| 87 | 87 |
&& GOPATH="$GOPATH/src/github.com/docker/distribution/Godeps/_workspace:$GOPATH" \ |
| 88 |
- go build -o /usr/local/bin/registry-v2-schema1 github.com/docker/distribution/cmd/registry \ |
|
| 88 |
+ go build -buildmode=pie -o /usr/local/bin/registry-v2-schema1 github.com/docker/distribution/cmd/registry \ |
|
| 89 | 89 |
&& rm -rf "$GOPATH" |
| 90 | 90 |
|
| 91 | 91 |
# Install notary and notary-server |
| ... | ... |
@@ -95,9 +95,9 @@ RUN set -x \ |
| 95 | 95 |
&& git clone https://github.com/docker/notary.git "$GOPATH/src/github.com/docker/notary" \ |
| 96 | 96 |
&& (cd "$GOPATH/src/github.com/docker/notary" && git checkout -q "$NOTARY_VERSION") \ |
| 97 | 97 |
&& GOPATH="$GOPATH/src/github.com/docker/notary/vendor:$GOPATH" \ |
| 98 |
- go build -o /usr/local/bin/notary-server github.com/docker/notary/cmd/notary-server \ |
|
| 98 |
+ go build -buildmode=pie -o /usr/local/bin/notary-server github.com/docker/notary/cmd/notary-server \ |
|
| 99 | 99 |
&& GOPATH="$GOPATH/src/github.com/docker/notary/vendor:$GOPATH" \ |
| 100 |
- go build -o /usr/local/bin/notary github.com/docker/notary/cmd/notary \ |
|
| 100 |
+ go build -buildmode=pie -o /usr/local/bin/notary github.com/docker/notary/cmd/notary \ |
|
| 101 | 101 |
&& rm -rf "$GOPATH" |
| 102 | 102 |
|
| 103 | 103 |
# Get the "docker-py" source so we can run their integration tests |
| ... | ... |
@@ -76,10 +76,10 @@ RUN set -x \ |
| 76 | 76 |
&& git clone https://github.com/docker/distribution.git "$GOPATH/src/github.com/docker/distribution" \ |
| 77 | 77 |
&& (cd "$GOPATH/src/github.com/docker/distribution" && git checkout -q "$REGISTRY_COMMIT") \ |
| 78 | 78 |
&& GOPATH="$GOPATH/src/github.com/docker/distribution/Godeps/_workspace:$GOPATH" \ |
| 79 |
- go build -o /usr/local/bin/registry-v2 github.com/docker/distribution/cmd/registry \ |
|
| 79 |
+ go build -buildmode=pie -o /usr/local/bin/registry-v2 github.com/docker/distribution/cmd/registry \ |
|
| 80 | 80 |
&& (cd "$GOPATH/src/github.com/docker/distribution" && git checkout -q "$REGISTRY_COMMIT_SCHEMA1") \ |
| 81 | 81 |
&& GOPATH="$GOPATH/src/github.com/docker/distribution/Godeps/_workspace:$GOPATH" \ |
| 82 |
- go build -o /usr/local/bin/registry-v2-schema1 github.com/docker/distribution/cmd/registry \ |
|
| 82 |
+ go build -buildmode=pie -o /usr/local/bin/registry-v2-schema1 github.com/docker/distribution/cmd/registry \ |
|
| 83 | 83 |
&& rm -rf "$GOPATH" |
| 84 | 84 |
|
| 85 | 85 |
# Install notary and notary-server |
| ... | ... |
@@ -89,9 +89,9 @@ RUN set -x \ |
| 89 | 89 |
&& git clone https://github.com/docker/notary.git "$GOPATH/src/github.com/docker/notary" \ |
| 90 | 90 |
&& (cd "$GOPATH/src/github.com/docker/notary" && git checkout -q "$NOTARY_VERSION") \ |
| 91 | 91 |
&& GOPATH="$GOPATH/src/github.com/docker/notary/vendor:$GOPATH" \ |
| 92 |
- go build -o /usr/local/bin/notary-server github.com/docker/notary/cmd/notary-server \ |
|
| 92 |
+ go build -buildmode=pie -o /usr/local/bin/notary-server github.com/docker/notary/cmd/notary-server \ |
|
| 93 | 93 |
&& GOPATH="$GOPATH/src/github.com/docker/notary/vendor:$GOPATH" \ |
| 94 |
- go build -o /usr/local/bin/notary github.com/docker/notary/cmd/notary \ |
|
| 94 |
+ go build -buildmode=pie -o /usr/local/bin/notary github.com/docker/notary/cmd/notary \ |
|
| 95 | 95 |
&& rm -rf "$GOPATH" |
| 96 | 96 |
|
| 97 | 97 |
# Get the "docker-py" source so we can run their integration tests |
| ... | ... |
@@ -188,7 +188,7 @@ swagger-docs: ## preview the API documentation |
| 188 | 188 |
|
| 189 | 189 |
build-integration-cli-on-swarm: build ## build images and binary for running integration-cli on Swarm in parallel |
| 190 | 190 |
@echo "Building hack/integration-cli-on-swarm (if build fails, please refer to hack/integration-cli-on-swarm/README.md)" |
| 191 |
- go build -o ./hack/integration-cli-on-swarm/integration-cli-on-swarm ./hack/integration-cli-on-swarm/host |
|
| 191 |
+ go build -buildmode=pie -o ./hack/integration-cli-on-swarm/integration-cli-on-swarm ./hack/integration-cli-on-swarm/host |
|
| 192 | 192 |
@echo "Building $(INTEGRATION_CLI_MASTER_IMAGE)" |
| 193 | 193 |
docker build -t $(INTEGRATION_CLI_MASTER_IMAGE) hack/integration-cli-on-swarm/agent |
| 194 | 194 |
# For worker, we don't use `docker build` so as to enable DOCKER_INCREMENTAL_BINARY and so on |
| ... | ... |
@@ -198,6 +198,6 @@ build-integration-cli-on-swarm: build ## build images and binary for running int |
| 198 | 198 |
# For avoiding bakings DOCKER_GRAPHDRIVER and so on to image, we cannot use $(DOCKER_ENVS) here |
| 199 | 199 |
docker run -t -d --name $(tmp) -e DOCKER_GITCOMMIT -e BUILDFLAGS -e DOCKER_INCREMENTAL_BINARY --privileged $(DOCKER_MOUNT_PKGCACHE) $(DOCKER_IMAGE) top |
| 200 | 200 |
docker exec $(tmp) hack/make.sh build-integration-test-binary dynbinary |
| 201 |
- docker exec $(tmp) go build -o /worker github.com/docker/docker/hack/integration-cli-on-swarm/agent/worker |
|
| 201 |
+ docker exec $(tmp) go build -buildmode=pie -o /worker github.com/docker/docker/hack/integration-cli-on-swarm/agent/worker |
|
| 202 | 202 |
docker commit -c 'ENTRYPOINT ["/worker"]' $(tmp) $(INTEGRATION_CLI_WORKER_IMAGE) |
| 203 | 203 |
docker rm -f $(tmp) |
| ... | ... |
@@ -60,7 +60,7 @@ install_proxy() {
|
| 60 | 60 |
git clone https://github.com/docker/libnetwork.git "$GOPATH/src/github.com/docker/libnetwork" |
| 61 | 61 |
cd "$GOPATH/src/github.com/docker/libnetwork" |
| 62 | 62 |
git checkout -q "$LIBNETWORK_COMMIT" |
| 63 |
- go build -ldflags="$PROXY_LDFLAGS" -o /usr/local/bin/docker-proxy github.com/docker/libnetwork/cmd/proxy |
|
| 63 |
+ go build -buildmode=pie -ldflags="$PROXY_LDFLAGS" -o /usr/local/bin/docker-proxy github.com/docker/libnetwork/cmd/proxy |
|
| 64 | 64 |
} |
| 65 | 65 |
|
| 66 | 66 |
install_dockercli() {
|
| ... | ... |
@@ -89,7 +89,7 @@ build_dockercli() {
|
| 89 | 89 |
git checkout -q "v$DOCKERCLI_VERSION" |
| 90 | 90 |
mkdir -p "$GOPATH/src/github.com/docker" |
| 91 | 91 |
mv components/cli "$GOPATH/src/github.com/docker/cli" |
| 92 |
- go build -o /usr/local/bin/docker github.com/docker/cli/cmd/docker |
|
| 92 |
+ go build -buildmode=pie -o /usr/local/bin/docker github.com/docker/cli/cmd/docker |
|
| 93 | 93 |
} |
| 94 | 94 |
|
| 95 | 95 |
install_gometalinter() {
|
| ... | ... |
@@ -97,7 +97,7 @@ install_gometalinter() {
|
| 97 | 97 |
go get -d github.com/alecthomas/gometalinter |
| 98 | 98 |
cd "$GOPATH/src/github.com/alecthomas/gometalinter" |
| 99 | 99 |
git checkout -q "$GOMETALINTER_COMMIT" |
| 100 |
- go build -o /usr/local/bin/gometalinter github.com/alecthomas/gometalinter |
|
| 100 |
+ go build -buildmode=pie -o /usr/local/bin/gometalinter github.com/alecthomas/gometalinter |
|
| 101 | 101 |
GOBIN=/usr/local/bin gometalinter --install |
| 102 | 102 |
} |
| 103 | 103 |
|
| ... | ... |
@@ -108,7 +108,7 @@ do |
| 108 | 108 |
echo "Install tomlv version $TOMLV_COMMIT" |
| 109 | 109 |
git clone https://github.com/BurntSushi/toml.git "$GOPATH/src/github.com/BurntSushi/toml" |
| 110 | 110 |
cd "$GOPATH/src/github.com/BurntSushi/toml" && git checkout -q "$TOMLV_COMMIT" |
| 111 |
- go build -v -o /usr/local/bin/tomlv github.com/BurntSushi/toml/cmd/tomlv |
|
| 111 |
+ go build -buildmode=pie -v -o /usr/local/bin/tomlv github.com/BurntSushi/toml/cmd/tomlv |
|
| 112 | 112 |
;; |
| 113 | 113 |
|
| 114 | 114 |
runc) |
| ... | ... |
@@ -157,7 +157,7 @@ do |
| 157 | 157 |
git clone https://github.com/LK4D4/vndr.git "$GOPATH/src/github.com/LK4D4/vndr" |
| 158 | 158 |
cd "$GOPATH/src/github.com/LK4D4/vndr" |
| 159 | 159 |
git checkout -q "$VNDR_COMMIT" |
| 160 |
- go build -v -o /usr/local/bin/vndr . |
|
| 160 |
+ go build -buildmode=pie -v -o /usr/local/bin/vndr . |
|
| 161 | 161 |
;; |
| 162 | 162 |
|
| 163 | 163 |
dockercli) |
| ... | ... |
@@ -2,5 +2,5 @@ |
| 2 | 2 |
# Please refer to the top-level Makefile for the worker image. |
| 3 | 3 |
FROM golang:1.7 |
| 4 | 4 |
ADD . /go/src/github.com/docker/docker/hack/integration-cli-on-swarm/agent |
| 5 |
-RUN go build -o /master github.com/docker/docker/hack/integration-cli-on-swarm/agent/master |
|
| 5 |
+RUN go build -buildmode=pie -o /master github.com/docker/docker/hack/integration-cli-on-swarm/agent/master |
|
| 6 | 6 |
ENTRYPOINT ["/master"] |
| ... | ... |
@@ -50,6 +50,11 @@ if [ "$(go env GOOS)/$(go env GOARCH)" != "$(go env GOHOSTOS)/$(go env GOHOSTARC |
| 50 | 50 |
esac |
| 51 | 51 |
fi |
| 52 | 52 |
|
| 53 |
+# -buildmode=pie is not supported on Windows. |
|
| 54 |
+if [ "$(go env GOOS)" != "windows" ]; then |
|
| 55 |
+ BUILDFLAGS+=( "-buildmode=pie" ) |
|
| 56 |
+fi |
|
| 57 |
+ |
|
| 53 | 58 |
echo "Building: $DEST/$BINARY_FULLNAME" |
| 54 | 59 |
go build \ |
| 55 | 60 |
-o "$DEST/$BINARY_FULLNAME" \ |