From d32e56891842dd64dc756083415ef7cf85d4ab08 Mon Sep 17 00:00:00 2001 From: Sourav Moitra Date: Fri, 1 May 2026 23:05:24 +0530 Subject: [PATCH] 2064: Use system libblake if available Signed-off-by: Sourav Moitra --- .github/workflows/codeql-analysis.yml | 2 +- .github/workflows/test.yaml | 36 ++++++++++++++++++++++----- Makefile.am | 8 ++++-- build-aux/release.sh | 2 +- configure.ac | 23 +++++++++++++++++ nix/derivation.nix | 2 +- rpm/crun.spec | 3 ++- src/libcrun/seccomp.c | 7 +++++- tests/alpine-build/run-tests.sh | 2 +- tests/centos10-build/run-tests.sh | 8 +++--- tests/centos8-build/run-tests.sh | 4 +-- tests/centos9-build/run-tests.sh | 4 +-- tests/clang-check/run-tests.sh | 2 +- tests/clang-format/run-tests.sh | 2 +- tests/containerd/run-tests.sh | 2 +- tests/cri-o/run-tests.sh | 2 +- tests/fuzzing/run-tests.sh | 2 +- tests/oci-validation/run-tests.sh | 2 +- tests/podman/run-tests.sh | 2 +- tests/wasmedge-build/run-tests.sh | 2 +- 20 files changed, 87 insertions(+), 30 deletions(-) diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index 8cc153e473..6164195140 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml @@ -37,7 +37,7 @@ jobs: sudo apt-get update sudo apt-get install -y make git gcc build-essential pkgconf libtool libsystemd-dev libcap-dev libseccomp-dev libyajl-dev go-md2man libtool autoconf python3 automake libprotobuf-c-dev ./autogen.sh - ./configure + ./configure --enable-embedded-blake3 make -j $(nproc) - name: Perform CodeQL Analysis diff --git a/.github/workflows/test.yaml b/.github/workflows/test.yaml index 32a27d615c..b47bfbb8f9 100644 --- a/.github/workflows/test.yaml +++ b/.github/workflows/test.yaml 
@@ -45,7 +45,7 @@ jobs: run: | find $(pwd) -name '.git' -exec bash -c 'git config --global --add safe.directory ${0%/.git}' {} \; ./autogen.sh - ./configure CFLAGS='-Wall -Werror' || cat config.log + ./configure --enable-embedded-blake3 CFLAGS='-Wall -Werror' || cat config.log make -j $(nproc) -C libocispec libocispec.la make git-version.h make -j $(nproc) libcrun.la @@ -53,7 +53,7 @@ jobs: make -j $(nproc) clean - if ./configure CFLAGS='-Wall -Werror --enable-shared'; then + if ./configure --enable-embedded-blake3 CFLAGS='-Wall -Werror --enable-shared'; then make -j $(nproc) -C libocispec libocispec.la make git-version.h make -j $(nproc) libcrun.la @@ -68,6 +68,8 @@ jobs: include: - test: disable-systemd - test: check + - test: embedded-blake3 + - test: system-blake3 - test: podman #- test: cri-o - test: containerd @@ -109,12 +111,12 @@ jobs: run: | case "${{ matrix.test }}" in disable-systemd) - ./configure --disable-systemd + ./configure --enable-embedded-blake3 --disable-systemd make -j $(nproc) ;; check) sudo sysctl -w kernel.apparmor_restrict_unprivileged_userns=0 - ./configure --disable-dl + ./configure --enable-embedded-blake3 --disable-dl make # Check that autogenerated files that are in git has not changed. git diff --exit-code 
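Review bot: In the `@@ -45,7 +45,7 @@` hunk of `.github/workflows/test.yaml`, the edited line `./configure --enable-embedded-blake3 CFLAGS='-Wall -Werror' || cat config.log` still turns a configure failure into a success, because `cat` exits 0 and the step carries on to `make`. The log dump should keep the failing status, for example `./configure --enable-embedded-blake3 CFLAGS='-Wall -Werror' || { cat config.log; exit 1; }`, so the job stops at the real cause instead of a later, less informative `make` error. The `run:` block starts above the hunk.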
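Review bot: In the `@@ -53,7 +53,7 @@` hunk of `.github/workflows/test.yaml`, `--enable-shared` sits inside the quoted `CFLAGS` value, so it is handed to the compiler as a flag instead of to configure as an option. The compiler will most likely reject it, configure then fails, and the `if` quietly skips the branch, which appears intended to exercise the shared-library build. The commit edits this line without moving the option; it should read `if ./configure --enable-embedded-blake3 --enable-shared CFLAGS='-Wall -Werror'; then`. The `if` body continues past the end of the hunk.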
@@ -170,8 +172,30 @@ jobs: sudo docker build -t crun-clang-check tests/clang-check sudo docker run --privileged --rm -w /crun -v ${PWD}:/crun crun-clang-check ;; + embedded-blake3) + ./configure --enable-embedded-blake3 + make -j $(nproc) + ;; + system-blake3) + # Build blake3 as a local "system" library since libblake3-dev + # is not yet available on ubuntu-latest (24.04). + mkdir -p /tmp/blake3-inst/{lib/pkgconfig,include} + gcc -O2 -shared -fPIC \ + -o /tmp/blake3-inst/lib/libblake3.so \ + src/libcrun/blake3/blake3.c \ + src/libcrun/blake3/blake3_portable.c + cp src/libcrun/blake3/blake3.h /tmp/blake3-inst/include/ + printf 'prefix=/tmp/blake3-inst\nexec_prefix=${prefix}\nlibdir=${exec_prefix}/lib\nincludedir=${prefix}/include\n\nName: libblake3\nDescription: BLAKE3\nVersion: 0\nLibs: -L${libdir} -lblake3\nCflags: -I${includedir}\n' \ + > /tmp/blake3-inst/lib/pkgconfig/libblake3.pc + PKG_CONFIG_PATH=/tmp/blake3-inst/lib/pkgconfig \ + LD_LIBRARY_PATH=/tmp/blake3-inst/lib \ + ./configure + PKG_CONFIG_PATH=/tmp/blake3-inst/lib/pkgconfig \ + LD_LIBRARY_PATH=/tmp/blake3-inst/lib \ + make -j $(nproc) + ;; checkpoint-restore) - ./configure + ./configure --enable-embedded-blake3 make -j $(nproc) sudo python3 tests/test_checkpoint_restore.py ;; @@ -214,5 +238,5 @@ jobs: run: | find $(pwd) -name '.git' -exec bash -c 'git config --global --add safe.directory ${0%/.git}' {} \; ./autogen.sh - ./configure + ./configure --enable-embedded-blake3 make shellcheck diff --git a/Makefile.am b/Makefile.am index 57fca706af..5e380a4a68 100644 --- a/Makefile.am +++ b/Makefile.am @@ -39,8 +39,6 @@ endif libcrun_SOURCES = src/libcrun/utils.c \ src/libcrun/string_map.c \ src/libcrun/ring_buffer.c \ - src/libcrun/blake3/blake3.c \ - src/libcrun/blake3/blake3_portable.c \ src/libcrun/cgroup-cgroupfs.c \ src/libcrun/cgroup-resources.c \ src/libcrun/cgroup-setup.c \ 
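Review bot: The new `system-blake3` case in `.github/workflows/test.yaml` stops at `make`, so nothing ever runs a binary linked against the external library. The library is also compiled from the vendored `src/libcrun/blake3` sources, so a mismatch with a distribution's libblake3 would not show up here. A smoke run after the build, for example `LD_LIBRARY_PATH=/tmp/blake3-inst/lib ./crun --version`, would at least prove that the loader resolves the library. The fixed `/tmp/blake3-inst` prefix is predictable, and on a shared or self-hosted runner its contents could be planted before the job runs and then linked into the build; a directory from `mktemp -d` or under `$RUNNER_TEMP` is safer for the install path and the generated `.pc` file. A short comment stating that this job only verifies configure-time detection would set the right expectation for readers.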
@@ -84,6 +82,11 @@ endif libocispec/libocispec.la: $(MAKE) $(AM_MAKEFLAGS) -C libocispec libocispec.la +if HAVE_EMBEDDED_BLAKE3 +libcrun_SOURCES += src/libcrun/blake3/blake3.c \ + src/libcrun/blake3/blake3_portable.c +endif + libcrun_la_SOURCES = $(libcrun_SOURCES) libcrun_la_CFLAGS = -I $(abs_top_builddir)/libocispec/src -I $(abs_top_srcdir)/libocispec/src -fvisibility=hidden if ENABLE_COVERAGE @@ -170,6 +173,7 @@ endif EXTRA_DIST = COPYING COPYING.libcrun README.md NEWS SECURITY.md rpm/crun.spec autogen.sh \ src/libcrun/blake3/blake3_impl.h src/libcrun/blake3/blake3.h \ + src/libcrun/blake3/blake3.c src/libcrun/blake3/blake3_portable.c \ src/crun.h src/list.h src/run.h src/run_create.h src/delete.h src/kill.h src/pause.h src/unpause.h \ src/create.h src/start.h src/state.h src/exec.h src/oci_features.h src/spec.h src/update.h src/ps.h src/mounts.h \ src/checkpoint.h src/restore.h src/libcrun/seccomp_notify.h src/libcrun/seccomp_notify_plugin.h \ diff --git a/build-aux/release.sh b/build-aux/release.sh index a970715e82..7542aeaed3 100755 --- a/build-aux/release.sh +++ b/build-aux/release.sh @@ -11,7 +11,7 @@ test -e Makefile && make distclean ./autogen.sh -./configure +./configure --enable-embedded-blake3 make -j "$(nproc)" diff --git a/configure.ac b/configure.ac index f89a71fb6d..20a2112815 100644 --- a/configure.ac +++ b/configure.ac 
@@ -93,6 +93,29 @@ AC_SEARCH_LIBS(yajl_tree_get, [yajl], [AC_DEFINE([HAVE_YAJL], 1, [Define if liby PKG_CHECK_MODULES([YAJL], [yajl >= 2.0.0]) ]) +dnl embedded blake3 +AC_ARG_ENABLE(embedded-blake3, +AS_HELP_STRING([--enable-embedded-blake3], [Statically link a modified blake3 version]), +[ +case "${enableval}" in + yes) embedded_blake3=true ;; + no) embedded_blake3=false ;; + *) AC_MSG_ERROR(bad value ${enableval} for --enable-embedded-blake3) ;; +esac],[embedded_blake3=false]) + +AM_CONDITIONAL([HAVE_EMBEDDED_BLAKE3], [test x"$embedded_blake3" = xtrue]) +AM_COND_IF([HAVE_EMBEDDED_BLAKE3], [], [ +PKG_CHECK_MODULES([BLAKE3], [libblake3], [ + AC_DEFINE([HAVE_BLAKE3], 1, [Define if libblake3 is available]) + LIBS="$LIBS $BLAKE3_LIBS" + CPPFLAGS="$CPPFLAGS $BLAKE3_CFLAGS" +], [ + AC_SEARCH_LIBS(blake3_hasher_init, [blake3], [AC_DEFINE([HAVE_BLAKE3], 1, [Define if libblake3 is available])], [ + AC_MSG_ERROR([*** libblake3 not found; install libblake3 or use --enable-embedded-blake3]) + ]) +]) +]) + dnl libcap AC_ARG_ENABLE([caps], AS_HELP_STRING([--disable-caps], [Ignore libcap and disable support])) diff --git a/nix/derivation.nix b/nix/derivation.nix index 83822be5fd..1772c05c02 100644 --- a/nix/derivation.nix +++ b/nix/derivation.nix @@ -36,7 +36,7 @@ with pkgs; stdenv.mkDerivation { libsystemd yajl ] ++ lib.optionals enableCriu [ criu ]; - configureFlags = [ "--enable-static" ] ++ lib.optional (!enableSystemd) [ "--disable-systemd" ]; + configureFlags = [ "--enable-static" "--enable-embedded-blake3" ] ++ lib.optional (!enableSystemd) [ "--disable-systemd" ]; prePatch = let staticLibs = lib.optional enableCriu "${criu}/lib/libcriu.a" diff --git a/rpm/crun.spec b/rpm/crun.spec index 7881bb8954..e260048a05 100644 --- a/rpm/crun.spec +++ b/rpm/crun.spec @@ -1,6 +1,7 @@ %global krun_opts %{nil} %global wasmedge_opts %{nil} %global yajl_opts %{nil} +%global blake3_opts --enable-embedded-blake3 %if %{defined copr_username} %define copr_build 1 
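Review bot: In the `configure.ac` hunk, the `AC_SEARCH_LIBS(blake3_hasher_init, [blake3], ...)` fallback defines `HAVE_BLAKE3` as soon as the symbol links, without checking that the system header is present. A host with the shared object but no development header therefore passes configure and only fails later, when `src/libcrun/seccomp.c` is compiled. Adding `AC_CHECK_HEADER([blake3.h], [], [AC_MSG_ERROR([*** blake3.h not found; install the libblake3 headers or use --enable-embedded-blake3])])` inside that branch keeps the failure at configure time. The `PKG_CHECK_MODULES([BLAKE3], [libblake3], ...)` call also accepts any version, unlike the `yajl >= 2.0.0` check just above it. Since the default now moves from the pinned vendored copy to whatever the system provides, a floor such as `[libblake3 >= MIN_VERSION]` (placeholder, to be chosen by the maintainers) is worth adding, and the help text `Statically link a modified blake3 version` should say how the bundled copy differs, if it does.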
@@ -110,7 +111,7 @@ Recommends: wasmedge %build ./autogen.sh -./configure --disable-silent-rules %{krun_opts} %{wasmedge_opts} %{yajl_opts} +./configure --disable-silent-rules %{krun_opts} %{wasmedge_opts} %{yajl_opts} %{blake3_opts} %make_build %install diff --git a/src/libcrun/seccomp.c b/src/libcrun/seccomp.c index 4511cbf56a..be293a39f4 100644 --- a/src/libcrun/seccomp.c +++ b/src/libcrun/seccomp.c @@ -19,7 +19,6 @@ #define _GNU_SOURCE #include -#include "blake3/blake3.h" #include "seccomp.h" #include "linux.h" #include "utils.h" @@ -38,6 +37,12 @@ #include #include +#ifdef HAVE_BLAKE3 +# include +#else +# include "blake3/blake3.h" +#endif + #if HAVE_STDATOMIC_H # include # ifndef HAVE_ATOMIC_INT diff --git a/tests/alpine-build/run-tests.sh b/tests/alpine-build/run-tests.sh index 1f3e99107c..b5bea6562d 100755 --- a/tests/alpine-build/run-tests.sh +++ b/tests/alpine-build/run-tests.sh @@ -3,5 +3,5 @@ set -e cd /crun ./autogen.sh -./configure CFLAGS='-Wall -Wextra -Werror' --disable-systemd +./configure --enable-embedded-blake3 CFLAGS='-Wall -Wextra -Werror' --disable-systemd make -j "$(nproc)" diff --git a/tests/centos10-build/run-tests.sh b/tests/centos10-build/run-tests.sh index 7cdc3423cc..7a9d593402 100755 --- a/tests/centos10-build/run-tests.sh +++ b/tests/centos10-build/run-tests.sh 
@@ -7,14 +7,14 @@ git config --global --add safe.directory /crun git clean -fdx ./autogen.sh -./configure --enable-embedded-yajl CFLAGS='-Wall -Wextra -Werror' +./configure --enable-embedded-yajl --enable-embedded-blake3 CFLAGS='-Wall -Wextra -Werror' make -j "$(nproc)" -make -j "$(nproc)" distcheck DISTCHECK_CONFIGURE_FLAGS="--enable-embedded-yajl" +make -j "$(nproc)" distcheck DISTCHECK_CONFIGURE_FLAGS="--enable-embedded-yajl --enable-embedded-blake3" git clean -fdx ./autogen.sh -./configure --enable-embedded-yajl CFLAGS='-Wall -Wextra -Werror' --disable-systemd +./configure --enable-embedded-yajl --enable-embedded-blake3 CFLAGS='-Wall -Wextra -Werror' --disable-systemd make -j "$(nproc)" -make -j "$(nproc)" distcheck DISTCHECK_CONFIGURE_FLAGS="--enable-embedded-yajl" +make -j "$(nproc)" distcheck DISTCHECK_CONFIGURE_FLAGS="--enable-embedded-yajl --enable-embedded-blake3" diff --git a/tests/centos8-build/run-tests.sh b/tests/centos8-build/run-tests.sh index 0628451eac..6f5f6abcc8 100755 --- a/tests/centos8-build/run-tests.sh +++ b/tests/centos8-build/run-tests.sh @@ -7,10 +7,10 @@ git config --global --add safe.directory /crun git clean -fdx ./autogen.sh -./configure CFLAGS='-Wall -Wextra -Werror' +./configure --enable-embedded-blake3 CFLAGS='-Wall -Wextra -Werror' make -j "$(nproc)" git clean -fdx ./autogen.sh -./configure CFLAGS='-Wall -Wextra -Werror' --disable-systemd +./configure --enable-embedded-blake3 CFLAGS='-Wall -Wextra -Werror' --disable-systemd make -j "$(nproc)" diff --git a/tests/centos9-build/run-tests.sh b/tests/centos9-build/run-tests.sh index 0628451eac..6f5f6abcc8 100755 --- a/tests/centos9-build/run-tests.sh +++ b/tests/centos9-build/run-tests.sh 
@@ -7,10 +7,10 @@ git config --global --add safe.directory /crun git clean -fdx ./autogen.sh -./configure CFLAGS='-Wall -Wextra -Werror' +./configure --enable-embedded-blake3 CFLAGS='-Wall -Wextra -Werror' make -j "$(nproc)" git clean -fdx ./autogen.sh -./configure CFLAGS='-Wall -Wextra -Werror' --disable-systemd +./configure --enable-embedded-blake3 CFLAGS='-Wall -Wextra -Werror' --disable-systemd make -j "$(nproc)" diff --git a/tests/clang-check/run-tests.sh b/tests/clang-check/run-tests.sh index 7889a52d17..fa14552948 100755 --- a/tests/clang-check/run-tests.sh +++ b/tests/clang-check/run-tests.sh @@ -6,7 +6,7 @@ cd /crun git config --global --add safe.directory /crun git clean -fdx ./autogen.sh -./configure CFLAGS='-Wall -Wextra -Werror' CC=clang +./configure --enable-embedded-blake3 CFLAGS='-Wall -Wextra -Werror' CC=clang intercept-build make echo -e "\n\n----------------------------- clang-check -------------------------------\n\n" diff --git a/tests/clang-format/run-tests.sh b/tests/clang-format/run-tests.sh index 88a2cd0107..789ae03be6 100755 --- a/tests/clang-format/run-tests.sh +++ b/tests/clang-format/run-tests.sh @@ -8,6 +8,6 @@ cd /crun # which happens if we run it via a Dockerfile with a volume mounted. git config --global --add safe.directory "$(pwd)" -./configure +./configure --enable-embedded-blake3 make clang-format git diff --ignore-submodules --exit-code diff --git a/tests/containerd/run-tests.sh b/tests/containerd/run-tests.sh index 210fd64017..201391739d 100755 --- a/tests/containerd/run-tests.sh +++ b/tests/containerd/run-tests.sh @@ -9,7 +9,7 @@ set -e ( cd /crun ./autogen.sh -./configure CFLAGS='-Wall -Wextra -Werror' +./configure --enable-embedded-blake3 CFLAGS='-Wall -Wextra -Werror' make -j "$(nproc)" cp crun /usr/bin/runc ) diff --git a/tests/cri-o/run-tests.sh b/tests/cri-o/run-tests.sh index b81c1d52ff..71091c739e 100755 --- a/tests/cri-o/run-tests.sh +++ b/tests/cri-o/run-tests.sh 
@@ -11,7 +11,7 @@ cd /crun git config --global --add safe.directory /crun git clean -fdx ./autogen.sh -./configure CFLAGS='-Wall -Wextra -Werror' --prefix=/usr +./configure --enable-embedded-blake3 CFLAGS='-Wall -Wextra -Werror' --prefix=/usr make -j "$(nproc)" make install ) diff --git a/tests/fuzzing/run-tests.sh b/tests/fuzzing/run-tests.sh index bd4859c030..b75b28ff4b 100755 --- a/tests/fuzzing/run-tests.sh +++ b/tests/fuzzing/run-tests.sh @@ -15,7 +15,7 @@ CORPUS=${CORPUS:=/testcases} git config --global --add safe.directory /crun git clean -fdx ./autogen.sh -./configure --enable-embedded-yajl HFUZZ_CC_UBSAN=1 HFUZZ_CC_ASAN=1 CC=hfuzz-clang CPPFLAGS="-D FUZZER" CFLAGS="-ggdb3 -fsanitize-coverage=trace-pc-guard,trace-cmp,trace-div,indirect-calls" +./configure --enable-embedded-blake3 --enable-embedded-yajl HFUZZ_CC_UBSAN=1 HFUZZ_CC_ASAN=1 CC=hfuzz-clang CPPFLAGS="-D FUZZER" CFLAGS="-ggdb3 -fsanitize-coverage=trace-pc-guard,trace-cmp,trace-div,indirect-calls" make -j "$(nproc)" make -j "$(nproc)" tests/tests_libcrun_fuzzer diff --git a/tests/oci-validation/run-tests.sh b/tests/oci-validation/run-tests.sh index bde767102d..05fd8d0454 100755 --- a/tests/oci-validation/run-tests.sh +++ b/tests/oci-validation/run-tests.sh @@ -13,7 +13,7 @@ cd /crun git config --global --add safe.directory /crun git clean -fdx ./autogen.sh -./configure +./configure --enable-embedded-blake3 make -j "$(nproc)" ) diff --git a/tests/podman/run-tests.sh b/tests/podman/run-tests.sh index 043a96745d..728c20934c 100755 --- a/tests/podman/run-tests.sh +++ b/tests/podman/run-tests.sh @@ -12,7 +12,7 @@ cd /crun git config --global --add safe.directory /crun git clean -fdx ./autogen.sh -./configure CFLAGS='-Wall -Wextra -Werror' --prefix=/usr +./configure --enable-embedded-blake3 CFLAGS='-Wall -Wextra -Werror' --prefix=/usr make -j "$(nproc)" make install ) diff --git a/tests/wasmedge-build/run-tests.sh b/tests/wasmedge-build/run-tests.sh index ff3dec4f24..6bad0a204f 100755 
--- a/tests/wasmedge-build/run-tests.sh +++ b/tests/wasmedge-build/run-tests.sh @@ -11,7 +11,7 @@ rm -rf /usr/bin/crun /usr/local/bin/crun-wasm /usr/bin/crun-wasm git config --global --add safe.directory /crun git clean -fdx ./autogen.sh -./configure CFLAGS='-Wall -Wextra -Werror' --with-wasmedge --prefix=/usr +./configure --enable-embedded-blake3 CFLAGS='-Wall -Wextra -Werror' --with-wasmedge --prefix=/usr make -j "$(nproc)" make install