Posted to commits@mesos.apache.org by gi...@apache.org on 2019/01/28 07:52:33 UTC
[mesos] 02/11: Added libseccomp to the build.
This is an automated email from the ASF dual-hosted git repository.
gilbert pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/mesos.git
commit 99f3a5aaf31542576491ec72d07f36aba8e871f5
Author: Andrei Budnik <ab...@mesosphere.com>
AuthorDate: Sun Jan 27 23:51:55 2019 -0800
Added libseccomp to the build.
This library is needed to implement Seccomp syscall filtering in the
Mesos containerizer. This patch introduces `seccomp-isolator` build
flag, which is used to include or exclude sources related to Seccomp
from the build. Since Seccomp is a Linux-specific feature, the flag
is disabled by default. Enabling `seccomp-isolator` means either:
1. Compiling and linking against the bundled version of libseccomp from
sources (default).
2. Linking against the libseccomp installed in the OS,
if `--with-libseccomp` build flag is provided.
Review: https://reviews.apache.org/r/68016/
---
3rdparty/CMakeLists.txt | 40 ++++++++++++++++
3rdparty/Makefile.am | 19 ++++++++
3rdparty/cmake/FindLIBSECCOMP.cmake | 45 +++++++++++++++++
3rdparty/cmake/Versions.cmake | 2 +
3rdparty/versions.am | 1 +
cmake/CompilationConfigure.cmake | 18 +++++++
configure.ac | 77 ++++++++++++++++++++++++++++++
src/CMakeLists.txt | 7 ++-
src/Makefile.am | 11 +++++
src/python/native_common/ext_modules.py.in | 9 ++++
10 files changed, 228 insertions(+), 1 deletion(-)
diff --git a/3rdparty/CMakeLists.txt b/3rdparty/CMakeLists.txt
index b74772e..1999dd2 100644
--- a/3rdparty/CMakeLists.txt
+++ b/3rdparty/CMakeLists.txt
@@ -36,6 +36,7 @@ set(JEMALLOC_URL ${FETCH_URL}/jemalloc-${JEMALLOC_VERSION}.tar.gz)
set(LEVELDB_URL ${FETCH_URL}/leveldb-${LEVELDB_VERSION}.tar.gz)
set(LIBARCHIVE_URL ${FETCH_URL}/libarchive-${LIBARCHIVE_VERSION}.tar.gz)
set(LIBEV_URL ${FETCH_URL}/libev-${LIBEV_VERSION}.tar.gz)
+set(LIBSECCOMP_URL ${FETCH_URL}/libseccomp-${LIBSECCOMP_VERSION}.tar.gz)
set(NVML_URL ${FETCH_URL}/nvml-${NVML_VERSION}.tar.gz)
set(PICOJSON_URL ${FETCH_URL}/picojson-${PICOJSON_VERSION}.tar.gz)
set(PROTOBUF_URL ${FETCH_URL}/protobuf-${PROTOBUF_VERSION}.tar.gz)
@@ -630,6 +631,45 @@ elseif (NOT WIN32) # Windows defaults to `libwinio`, a native implementation.
endif ()
+# libseccomp: library, which provides a front-end for generating seccomp filters.
+# https://github.com/seccomp/libseccomp
+##################################################
+if (ENABLE_SECCOMP_ISOLATOR)
+ if (NOT UNBUNDLED_LIBSECCOMP)
+ EXTERNAL(libseccomp ${LIBSECCOMP_VERSION} ${CMAKE_CURRENT_BINARY_DIR})
+ add_library(libseccomp STATIC IMPORTED GLOBAL)
+ add_dependencies(libseccomp ${LIBSECCOMP_TARGET})
+
+ set_target_properties(
+ libseccomp PROPERTIES
+ IMPORTED_LOCATION ${LIBSECCOMP_ROOT}-build/src/.libs/libseccomp.a
+ INTERFACE_INCLUDE_DIRECTORIES "${LIBSECCOMP_ROOT}/include")
+
+ set(
+ LIBSECCOMP_CONFIGURE_COMMAND
+ ${LIBSECCOMP_ROOT}/configure --disable-shared --prefix=${LIBSECCOMP_ROOT}-build)
+
+ MAKE_INCLUDE_DIR(libseccomp)
+ GET_BYPRODUCTS(libseccomp)
+
+ ExternalProject_Add(
+ ${LIBSECCOMP_TARGET}
+ PREFIX ${LIBSECCOMP_CMAKE_ROOT}
+ BUILD_BYPRODUCTS ${LIBSECCOMP_BYPRODUCTS}
+ CONFIGURE_COMMAND ${LIBSECCOMP_CONFIGURE_COMMAND}
+ INSTALL_COMMAND ${CMAKE_NOOP}
+ URL ${LIBSECCOMP_URL}
+ URL_HASH ${LIBSECCOMP_HASH})
+ else ()
+ find_package(LIBSECCOMP REQUIRED)
+ add_library(libseccomp SHARED IMPORTED GLOBAL)
+ set_target_properties(libseccomp PROPERTIES
+ IMPORTED_LOCATION ${LIBSECCOMP_LIBS}
+ INTERFACE_INCLUDE_DIRECTORIES ${LIBSECCOMP_INCLUDE_DIR})
+ endif ()
+endif ()
+
+
# APR: The Apache Portable Runtime Project.
# https://apr.apache.org
###########################################
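Review bot: The unbundled branch declares the system library as `add_library(libseccomp SHARED IMPORTED GLOBAL)`, but `find_package(LIBSECCOMP REQUIRED)` may just as well return a static `libseccomp.a` from a user-supplied `LIBSECCOMP_ROOT_DIR`, and a static archive registered as SHARED is mislinked by CMake; `add_library(libseccomp UNKNOWN IMPORTED GLOBAL)` lets CMake decide from the file itself. In the bundled branch `INTERFACE_INCLUDE_DIRECTORIES` points at the extracted source tree while the archive is taken from `${LIBSECCOMP_ROOT}-build/src/.libs`; if this libseccomp release generates `seccomp.h` from `seccomp.h.in` during configure, as later releases do, the header will land in the build tree and the include path should be `${LIBSECCOMP_ROOT}-build/include` instead, which is worth checking against the extracted tarball. Neither branch pins a minimum libseccomp version, so an older system library lacking whatever API the isolator ends up using would only fail at compile time; a version argument to `find_package` (if the helper supports it) or a check on the `SCMP_VER_*` macros would move that failure to configure time.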
diff --git a/3rdparty/Makefile.am b/3rdparty/Makefile.am
index 99270f0..98a2623 100644
--- a/3rdparty/Makefile.am
+++ b/3rdparty/Makefile.am
@@ -64,6 +64,7 @@ LEVELDB = leveldb-$(LEVELDB_VERSION)
LIBARCHIVE = libarchive-$(LIBARCHIVE_VERSION)
LIBEV = libev-$(LIBEV_VERSION)
LIBEVENT = libevent-$(LIBEVENT_VERSION)
+LIBSECCOMP = libseccomp-$(LIBSECCOMP_VERSION)
NVML = nvml-$(NVML_VERSION)
PIP = pip-$(PIP_VERSION)
PICOJSON = picojson-$(PICOJSON_VERSION)
@@ -88,6 +89,7 @@ EXTRA_DIST = \
$(LIBARCHIVE).tar.gz \
$(LIBEV).tar.gz \
$(LIBEVENT).tar.gz \
+ $(LIBSECCOMP).tar.gz \
$(NVML).tar.gz \
$(PIP).tar.gz \
$(PROTOBUF).tar.gz \
@@ -149,6 +151,7 @@ CLEAN_EXTRACTED = \
$(LIBARCHIVE) \
$(LIBEV) \
$(LIBEVENT) \
+ $(LIBSECCOMP) \
$(NVML) \
$(PIP) \
$(PICOJSON) \
@@ -345,6 +348,22 @@ $(LIBEVENT)-build-stamp: $(LIBEVENT)-stamp
ALL_LOCAL += $(LIBEVENT)-build-stamp
endif
+if WITH_BUNDLED_LIBSECCOMP
+LIBSECCOMP_CONFIGURE_ARGS = --disable-shared
+
+LIB_LIBSECCOMP = $(LIBSECCOMP)/src/libseccomp.la
+
+$(LIB_LIBSECCOMP): $(LIBSECCOMP)-build-stamp
+
+$(LIBSECCOMP)-build-stamp: $(LIBSECCOMP)-stamp
+ cd $(LIBSECCOMP) && \
+ ./configure $(LIBSECCOMP_CONFIGURE_ARGS) $(CONFIGURE_ARGS) && \
+ $(MAKE) $(AM_MAKEFLAGS)
+ touch $@
+
+ALL_LOCAL += $(LIB_LIBSECCOMP)
+endif
+
if WITH_BUNDLED_NVML
$(NVML)/nvidia/gdk/nvml.h: $(NVML)-stamp
ALL_LOCAL += $(NVML)-stamp
diff --git a/3rdparty/cmake/FindLIBSECCOMP.cmake b/3rdparty/cmake/FindLIBSECCOMP.cmake
new file mode 100644
index 0000000..d04c19e
--- /dev/null
+++ b/3rdparty/cmake/FindLIBSECCOMP.cmake
@@ -0,0 +1,45 @@
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+include(FindPackageHelper)
+
+# TODO(tillt): Consider moving "_ROOT_DIR" logic into FindPackageHelper.
+if ("${LIBSECCOMP_ROOT_DIR}" STREQUAL "")
+ set(POSSIBLE_LIBSECCOMP_INCLUDE_DIRS "")
+ set(POSSIBLE_LIBSECCOMP_LIB_DIRS "")
+
+ if (NOT "${LIBSECCOMP_PREFIX}" STREQUAL "")
+ list(APPEND POSSIBLE_LIBSECCOMP_INCLUDE_DIRS ${LIBSECCOMP_PREFIX}/include)
+ list(APPEND POSSIBLE_LIBSECCOMP_LIB_DIRS ${LIBSECCOMP_PREFIX}/lib)
+ endif()
+
+ list(
+ APPEND POSSIBLE_LIBSECCOMP_INCLUDE_DIRS
+ /usr/include/
+ /usr/local/include/)
+
+ list(
+ APPEND POSSIBLE_LIBSECCOMP_LIB_DIRS
+ /usr/lib
+ /usr/local/lib)
+else()
+ set(POSSIBLE_LIBSECCOMP_INCLUDE_DIRS ${LIBSECCOMP_ROOT_DIR}/include)
+ set(POSSIBLE_LIBSECCOMP_LIB_DIRS ${LIBSECCOMP_ROOT_DIR}/lib)
+endif()
+
+set(LIBSECCOMP_LIBRARY_NAMES seccomp)
+
+FIND_PACKAGE_HELPER(LIBSECCOMP seccomp.h)
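Review bot: The system fallback appends only `/usr/lib` and `/usr/local/lib` to `POSSIBLE_LIBSECCOMP_LIB_DIRS`, which misses `/usr/lib64` (Fedora/RHEL) and Debian multiarch directories such as `/usr/lib/x86_64-linux-gnu`, where the distribution's libseccomp actually lives; unless `FIND_PACKAGE_HELPER` also consults CMake's default system search paths, an `UNBUNDLED_LIBSECCOMP` configure on those systems fails even though the package is installed. Extending the list to `/usr/lib /usr/lib64 /usr/lib/${CMAKE_LIBRARY_ARCHITECTURE} /usr/local/lib` covers both layouts. The module also has no header comment naming its inputs and outputs; judging from how `3rdparty/CMakeLists.txt` consumes it, something like `# Sets LIBSECCOMP_INCLUDE_DIR and LIBSECCOMP_LIBS; honours LIBSECCOMP_ROOT_DIR, then LIBSECCOMP_PREFIX, then system paths.` would let a reader use it without opening FindPackageHelper.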
diff --git a/3rdparty/cmake/Versions.cmake b/3rdparty/cmake/Versions.cmake
index 69fc594..972c706 100644
--- a/3rdparty/cmake/Versions.cmake
+++ b/3rdparty/cmake/Versions.cmake
@@ -25,6 +25,8 @@ set(LIBEV_HASH "SHA256=736079E8AC543C74D59AF73F9C52737B3BFEC9601F02
# TODO(hausdorff): (MESOS-3529) transition this back to a non-beta version.
set(LIBEVENT_VERSION "2.1.5-beta")
set(LIBEVENT_HASH "SHA256=9A410E24921F59F0AB2009E5E31B3B20932E4AA5A1CBAC6A53190DC86DADE806")
+set(LIBSECCOMP_VERSION "2.3.3")
+set(LIBSECCOMP_HASH "SHA256=7FC28F4294CC72E61C529BEDF97E705C3ACF9C479A8F1A3028D4CD2CA9F3B155")
set(NVML_VERSION "352.79")
set(NVML_HASH "SHA256=D0B2CC1742CBD7CC73DA13BFA6BF2DA3D92B545E8388E642D41977F4EAD8D3D0")
set(PICOJSON_VERSION "1.3.0")
diff --git a/3rdparty/versions.am b/3rdparty/versions.am
index 99ef920..2438107 100644
--- a/3rdparty/versions.am
+++ b/3rdparty/versions.am
@@ -33,6 +33,7 @@ LEVELDB_VERSION = 1.19
LIBARCHIVE_VERSION = 3.3.2
LIBEV_VERSION = 4.22
LIBEVENT_VERSION = 2.0.22-stable
+LIBSECCOMP_VERSION = 2.3.3
NVML_VERSION = 352.79
PICOJSON_VERSION = 1.3.0
PIP_VERSION = 7.1.2
diff --git a/cmake/CompilationConfigure.cmake b/cmake/CompilationConfigure.cmake
index 2485a8a..34d085b 100644
--- a/cmake/CompilationConfigure.cmake
+++ b/cmake/CompilationConfigure.cmake
@@ -114,6 +114,19 @@ set(
CACHE STRING
"Specify the path to leveldb, e.g. \"C:\\leveldb-Win64\".")
+if (ENABLE_SECCOMP_ISOLATOR)
+ option(
+ UNBUNDLED_LIBSECCOMP
+ "Build with an installed libseccomp version instead of the bundled."
+ FALSE)
+
+ set(
+ LIBSECCOMP_ROOT_DIR
+ ""
+ CACHE STRING
+ "Specify the path to libseccomp, e.g. \"C:\\libseccomp-Win64\".")
+endif ()
+
option(
ENABLE_SSL
"Build libprocess with SSL support."
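Review bot: The `if (ENABLE_SECCOMP_ISOLATOR)` guard around these two cache entries runs before `option(ENABLE_SECCOMP_ISOLATOR ...)` is declared further down in this same file, so it only sees a value when the user passed `-DENABLE_SECCOMP_ISOLATOR=ON` on the command line; a default of TRUE set later, or any future logic that derives the option, would leave `UNBUNDLED_LIBSECCOMP` and `LIBSECCOMP_ROOT_DIR` undeclared. Moving this block after the option inside the `if (LINUX)` section keeps declaration order consistent with the other isolator options. The help text `Specify the path to libseccomp, e.g. \"C:\\libseccomp-Win64\".` is copied from a Windows-oriented entry and is misleading for a Linux-only dependency; `"Specify the path to an installed libseccomp, e.g. \"/opt/libseccomp\"."` would fit.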
@@ -445,6 +458,11 @@ if (LINUX)
if (ENABLE_PORT_MAPPING_ISOLATOR OR ENABLE_NETWORK_PORTS_ISOLATOR)
set(ENABLE_LINUX_ROUTING TRUE)
endif ()
+
+ option(
+ ENABLE_SECCOMP_ISOLATOR
+ "Whether to enable `linux/seccomp` isolator."
+ FALSE)
endif ()
# FREEBSD CONFIGURATION.
diff --git a/configure.ac b/configure.ac
index 6778f11..21115e5 100644
--- a/configure.ac
+++ b/configure.ac
@@ -349,6 +349,14 @@ AC_ARG_ENABLE([python-dependency-install],
downloaded or installed]),
[], [enable_python_dependency_install=yes])
+AC_ARG_ENABLE([seccomp-isolator],
+ AS_HELP_STRING([--enable-seccomp-isolator],
+ [Builds the Seccomp isolator which depends on
+ libseccomp and requires Linux kernel 3.5+
+ This flag will be deprecated in the future when
+ we drop support for the outdated Linux kernels.]),
+ [], [enable_seccomp_isolator=no])
+
AC_ARG_ENABLE([ssl],
AS_HELP_STRING([--enable-ssl],
[use ssl for libprocess communication]),
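Review bot: The help string for `--enable-seccomp-isolator` runs two sentences together (`requires Linux kernel 3.5+ This flag will be deprecated ...`) and does not distinguish the build-time requirement (kernel headers providing `linux/seccomp.h`, which configure checks later) from the runtime requirement on the agent's kernel, which is what the version number refers to. Suggested wording: `[Builds the Seccomp isolator, which depends on libseccomp and on kernel headers providing linux/seccomp.h; the isolator needs Linux 3.5+ at runtime. This flag will be deprecated once support for older kernels is dropped.]`.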
@@ -473,6 +481,11 @@ AC_ARG_WITH([libprocess],
[specify where to locate the libprocess library]),
[], [])
+AC_ARG_WITH([libseccomp],
+ AS_HELP_STRING([--with-libseccomp=@<:@=DIR@:>@],
+ [specify where to locate the libseccomp library]),
+ [without_bundled_libseccomp=yes], [])
+
AC_ARG_WITH([network-isolator],
AS_HELP_STRING([--with-network-isolator],
[builds the network isolator]),
@@ -1569,6 +1582,70 @@ fi
AM_CONDITIONAL([WITH_BUNDLED_LIBPROCESS], [test "x$with_bundled_libprocess" = "xyes"])
+AC_MSG_CHECKING([whether to enable the Seccomp isolator])
+AS_IF([test "x$enable_seccomp_isolator" = "xyes"],
+ [AC_MSG_RESULT([yes])],
+ [AC_MSG_RESULT([no])])
+
+AS_IF([test "x$enable_seccomp_isolator" = "xyes"], [
+ # We only support Seccomp on Linux.
+ AS_IF([test "$OS_NAME" = "linux"],
+ [],
+ [AC_MSG_ERROR([no Seccomp support on $OS_NAME
+-------------------------------------------------------------------
+The Seccomp isolator is only supported on Linux.
+-------------------------------------------------------------------
+ ])])
+
+ AC_CHECK_HEADERS([linux/seccomp.h], [],
+ [AC_MSG_ERROR([Cannot find seccomp system headers
+-------------------------------------------------------------------
+Please install the Linux kernel headers and make sure that you have
+Linux kernel 3.5+ installed.
+-------------------------------------------------------------------
+ ])])
+
+ # Check if libseccomp prefix path was supplied and if so, add it to
+ # CPPFLAGS while extending it by /include and to LDFLAGS while
+ # extending it by /lib.
+ if test -n "`echo $with_libseccomp`"; then
+ CPPFLAGS="$CPPFLAGS -I${with_libseccomp}/include"
+ LDFLAGS="$LDFLAGS -L${with_libseccomp}/lib"
+ fi
+
+ # Check if user has asked us to use a bundled libseccomp, or if
+ # they asked us to ignore all bundled libraries while compiling and
+ # linking.
+ if test "x$without_bundled_libseccomp" = "xyes" || \
+ test "x$enable_bundled" != "xyes"; then
+ # Check if headers and library were located.
+ AC_CHECK_HEADERS([seccomp.h], [found_libseccomp=yes])
+
+ if test "x$found_libseccomp" = "xyes"; then
+ with_bundled_libseccomp=no
+ else
+ AC_MSG_ERROR([cannot find libseccomp
+-------------------------------------------------------------------
+You have requested the use of a non-bundled libseccomp but no suitable
+libseccomp could be found.
+
+You may want specify the location of libseccomp by providing a prefix
+path via --with-libseccomp=DIR, or check that the path you provided is
+correct if you're already doing this.
+-------------------------------------------------------------------
+])
+ fi
+ else
+ with_bundled_libseccomp=yes
+ fi
+
+ AC_DEFINE([ENABLE_SECCOMP_ISOLATOR])
+])
+
+AM_CONDITIONAL([ENABLE_SECCOMP_ISOLATOR], [test "x$enable_seccomp_isolator" = "xyes"])
+AM_CONDITIONAL([WITH_BUNDLED_LIBSECCOMP], [test "x$with_bundled_libseccomp" = "xyes"])
+
+
# Perform necessary configuration for port mapping isolator.
if test "x$enable_port_mapping_isolator" = "xyes"; then
# Check for OS support.
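Review bot: The non-bundled branch accepts a system libseccomp on the strength of `AC_CHECK_HEADERS([seccomp.h], [found_libseccomp=yes])` alone and never verifies that `-lseccomp` links, so a headers-only or wrong-architecture installation passes configure and fails at link time with a far less helpful message; an `AC_CHECK_LIB([seccomp], [seccomp_init], [found_libseccomp=yes], [found_libseccomp=no])` after the header check would catch that at configure time (with explicit actions it does not append to `LIBS`). The `test -n "`echo $with_libseccomp`"` guard also fires when `--with-libseccomp` is given without a directory, in which case `with_libseccomp` is `yes` and `-Iyes/include -Lyes/lib` are added; mirroring the other `--with-*` checks may be intentional, but `test -n "$with_libseccomp" && test "x$with_libseccomp" != "xyes"` would avoid the bogus paths. Finally, `AC_CHECK_HEADERS([linux/seccomp.h])` proves only that the build host's headers know about seccomp, not that the kernel the agent will run on supports filtering; a comment saying `# Build-time check only; runtime kernel support is verified by the isolator.` would avoid giving the impression that configure validates runtime support.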
diff --git a/src/CMakeLists.txt b/src/CMakeLists.txt
index a574d44..1748f8f 100644
--- a/src/CMakeLists.txt
+++ b/src/CMakeLists.txt
@@ -560,7 +560,8 @@ target_compile_definitions(
USE_CMAKE_BUILD_CONFIG
$<$<BOOL:${ENABLE_XFS_DISK_ISOLATOR}>:ENABLE_XFS_DISK_ISOLATOR>
$<$<BOOL:${ENABLE_PORT_MAPPING_ISOLATOR}>:ENABLE_PORT_MAPPING_ISOLATOR>
- $<$<BOOL:${ENABLE_NETWORK_PORTS_ISOLATOR}>:ENABLE_NETWORK_PORTS_ISOLATOR>)
+ $<$<BOOL:${ENABLE_NETWORK_PORTS_ISOLATOR}>:ENABLE_NETWORK_PORTS_ISOLATOR>
+ $<$<BOOL:${ENABLE_SECCOMP_ISOLATOR}>:ENABLE_SECCOMP_ISOLATOR>)
target_include_directories(
mesos PUBLIC
@@ -582,6 +583,10 @@ if (NOT WIN32)
target_link_libraries(mesos PUBLIC leveldb)
endif ()
+if (ENABLE_SECCOMP_ISOLATOR)
+ target_link_libraries(mesos PUBLIC libseccomp)
+endif ()
+
if (ENABLE_PRECOMPILED_HEADERS)
set_target_properties(
mesos PROPERTIES
diff --git a/src/Makefile.am b/src/Makefile.am
index cd78525..929d2d0 100644
--- a/src/Makefile.am
+++ b/src/Makefile.am
@@ -37,6 +37,7 @@ JEMALLOC = 3rdparty/jemalloc-$(JEMALLOC_VERSION)
LEVELDB = 3rdparty/leveldb-$(LEVELDB_VERSION)
LIBARCHIVE = 3rdparty/libarchive-$(LIBARCHIVE_VERSION)
LIBPROCESS = 3rdparty/libprocess
+LIBSECCOMP = 3rdparty/libseccomp-$(LIBSECCOMP_VERSION)
NVML = 3rdparty/nvml-$(NVML_VERSION)
PICOJSON = 3rdparty/picojson-$(PICOJSON_VERSION)
PIP = 3rdparty/pip-$(PIP_VERSION)
@@ -225,6 +226,15 @@ else
LIB_PROCESS = -lprocess
endif
+if ENABLE_SECCOMP_ISOLATOR
+if WITH_BUNDLED_LIBSECCOMP
+MESOS_CPPFLAGS += -I../$(LIBSECCOMP)/include
+LIB_LIBSECCOMP = ../$(LIBSECCOMP)/src/libseccomp.la
+else
+LIB_LIBSECCOMP = -lseccomp
+endif
+endif
+
if WITH_BUNDLED_NVML
MESOS_CPPFLAGS += -I../$(NVML)
endif
@@ -1645,6 +1655,7 @@ libmesos_la_LIBADD = \
$(LIB_LIBARCHIVE) \
$(LIB_PROCESS) \
$(LIB_PROTOBUF) \
+ $(LIB_LIBSECCOMP) \
$(LIB_ZOOKEEPER) \
-lsvn_subr-1 \
-lsvn_delta-1 \
diff --git a/src/python/native_common/ext_modules.py.in b/src/python/native_common/ext_modules.py.in
index 1f2e6c1..eee56a9 100644
--- a/src/python/native_common/ext_modules.py.in
+++ b/src/python/native_common/ext_modules.py.in
@@ -100,6 +100,15 @@ def _create_module(module_name):
else:
EXTRA_OBJECTS.append('-lprotobuf')
+ if '@ENABLE_SECCOMP_ISOLATOR_TRUE@' == '':
+ libseccomp = os.path.join('3rdparty', 'libseccomp-2.3.3')
+ libseccomp = os.path.join(
+ abs_top_builddir, libseccomp, 'src', '.libs', 'libseccomp.a')
+
+ if os.path.exists(libseccomp):
+ EXTRA_OBJECTS.append(libseccomp)
+ else:
+ EXTRA_OBJECTS.append('-lseccomp')
# libev is a special case because it needs to be enabled only when
# libevent *is not* enabled through the top level ./configure.
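Review bot: The directory name `libseccomp-2.3.3` is hard-coded here while the version is defined as `LIBSECCOMP_VERSION` in `3rdparty/versions.am` and `3rdparty/cmake/Versions.cmake`; when the bundled tarball is next bumped this path will no longer exist, `os.path.exists` will be false, and the Python extension will silently fall back to `-lseccomp`, linking the system library while libmesos carries the bundled one. If the other bundled libraries in this file follow the same hard-coded pattern, at least add `# Keep in sync with LIBSECCOMP_VERSION in 3rdparty/versions.am.` above the `os.path.join` line; better, substitute `@LIBSECCOMP_VERSION@` here if configure can be made to export it. `_create_module` begins outside this hunk.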