meson: optionally build seccomp if it supports notify #339
Conversation
|
theoretically this fixes #337 |
meson.build
Outdated
| endif | ||
| if sd_journal.found() | ||
| add_project_arguments('-DUSE_JOURNALD=1', language : 'c') | ||
| endif | ||
|
|
||
| if run_command('./hack/seccomp-notify.sh', check: false).returncode() == 0 |
There was a problem hiding this comment.
This relies on a shell script to do compile checks, which doesn't respect $CC (there may not necessarily be a cc on $PATH, though there likely is) or $PKG_CONFIG (which may point to pkgconf).
Maybe it should be ported to something Meson understands natively?
There was a problem hiding this comment.
I have attempted to make the script respect those variables, PTAL
There was a problem hiding this comment.
That's not something Meson understands natively. Also that doesn't help if someone configures Meson using a machine file (e.g. cross-compilation).
meson.build
Outdated
| endif | ||
| if sd_journal.found() | ||
| add_project_arguments('-DUSE_JOURNALD=1', language : 'c') | ||
| endif | ||
|
|
||
| if run_command('./hack/seccomp-notify.sh', check: false).returncode() == 0 | ||
| seccomp = dependency('libseccomp', required : false) |
There was a problem hiding this comment.
You don't seem to ever add this dependency anywhere?
There was a problem hiding this comment.
fun fact: I've never used meson before! thanks for the heads up :-)
|
IMO that is not correct solution. Using some additional script to check availability of the |
|
Just checked and it is not possible to build libseccomp without that |
|
the only reason we link with libseccomp is to use seccomp notify, which requires that structure |
haircommander
force-pushed
the
meson-seccmop
branch
from
7c53053 to
a2fa046
Compare
|
I've updated with some suggestions, thanks for the reviews y'all
the problem is we need to know if seccomp notify is supported, but I believe packaged libseccomps don't necessarily correctly reflect that with pkg-config (for instance if support was backported) hence the additional check by compiling |
Just checked last libseccomp 2.5.4 and in last version I see
If it is about that bit all what woud be good to do is require libseccomps >= 2.5.4 and looks like that script can be dropped. Yet another small thing which I fould looking on patch of that PR . |
|
Maybe it would be cleaner to use the built-in test features of meson? See https://mesonbuild.com/Compiler-properties.html - there's a brute force "does snippet compile" function and a separate helper for sizeof: https://mesonbuild.com/Compiler-properties.html#expression-size. Should do the trick for structure presence detection. Bonus: since it uses the same C compiler meson is setup to use, there shouldn't be any issues with the check being done with one compiler and the build performed by another. |
|
To be honest I've not been looking on that aspect closer. |
Yes, that's what I suggested above too. |
haircommander
force-pushed
the
meson-seccmop
branch
from
a2fa046 to
ef619b8
Compare
|
thanks for the help everyone, I have attempted with the sizeof function |
That's completely insane, which distro is going around willy-nilly breaking ABI by backporting something that isn't a bugfix into a different version? Also, even if some distro is insane enough to do this, there's zero downside of simply not recognizing the unannounced breaking change. Simply don't compile with that feature, and conmon still works. Anyone who wants to use the notify functionality has to use a system that isn't a Frankensystem. Also, the current script requires the right version anyway, so that wouldn't actually work. The script quote clearly requires at least 2.5.0, and then additionally does a compile check. |
meson.build
Outdated
| endif | ||
| if sd_journal.found() | ||
| add_project_arguments('-DUSE_JOURNALD=1', language : 'c') | ||
| endif | ||
|
|
||
| seccomp = dependency('libseccomp', required : false) |
There was a problem hiding this comment.
| seccomp = dependency('libseccomp', required : false) | |
| seccomp = dependency('libseccomp', version: '>=2.5.0', required : false) |
The previous build system enforced this restriction.
|
I think that frankensystem was ubuntu: #275 since 16.04 is out of service, and ubuntu 18.04 is on its way, maybe we won't need it much longer For now, risk seems low to keep it |
haircommander
force-pushed
the
meson-seccmop
branch
from
ef619b8 to
aa372fc
Compare
I took a look at this, the actual problem is that those definitions come from Linux not seccomp, and seccomp will simply define them locally if you don't have a new enough kernel. This allows seccomp to build even on systems too old to support this feature, on the theory that you can later upgrade the kernel and use said feature. There's no backport of anything. Again: seccomp doesn't provide the struct you're testing in the first place, the only test here is if you have a 5.0 kernel (Ubuntu 16.04 does not). So the test is fine. But of course it should be done directly in Meson... Which it now does. Yay. :) |
|
@haircommander What is going on with this? |
|
IM that PR soes not make any sense because notify is supported since exact version of the libseccomp so checking dependencies usimg only --- a/meson.build
+++ b/meson.build
@@ -33,6 +33,10 @@
language : 'c')
glib = dependency('glib-2.0')
+seccomp = dependency('libseccomp', version : '>= 2.5.2')
+if seccomp.found()
+ add_project_arguments('-DUSE_SECCOMP=1', language : 'c')
+endif
cc = meson.get_compiler('c')
null_dep = dependency('', required : false)
@@ -85,7 +86,7 @@
'src/utils.h',
'src/seccomp_notify.c',
'src/seccomp_notify.h'],
- dependencies : [glib, libdl, sd_journal],
+ dependencies : [glib, libdl, sd_journal, seccomp]
install : true,
install_dir : join_paths(get_option('libexecdir'), 'podman'),
)With that patch hack/seccomp-notify.sh can be deleted. |
Signed-off-by: Peter Hunt <[email protected]>
haircommander
force-pushed
the
meson-seccmop
branch
from
aa372fc to
a627951
Compare
|
adapted as suggested. @rhatdan PTAL and I'll cut v2.1.3 |
|
With that this shell backed sritpt can be removed as well 😋 (as no longer needed) |
|
I'd prefer to keep it for now as it's still used in the makefile :) |
|
/lgtm |
Signed-off-by: Peter Hunt [email protected]