From c7eb3771943eba55ec5fe61f7a31e6fce61d73d5 Mon Sep 17 00:00:00 2001
From: Jean-Francois Roy
Date: Thu, 5 Sep 2024 11:31:00 -0700
Subject: [PATCH] feat: glibc extension

The extension is mostly copied from the package that is in the nvidia toolkit extensions, but with a few notable changes.

- A symbolic link to `ldconfig` is installed at `/sbin/ldconfig`. This allows the nvidia gpu-operator to work without modification. A patch to the extension validation logic is required to allow the new path.
- The `/usr/local/glibc` subtree is now structured as a [merged `/usr` root](https://systemd.io/THE_CASE_FOR_THE_USR_MERGE/). This improves compatbility with ld-linux.so.2 for library discovery.

Signed-off-by: Jean-Francois Roy
Signed-off-by: Noel Georgi
---
 .kres.yaml | 1 +
 Makefile | 1 +
 README.md | 7 ++---
 internal/base/pkg.yaml | 2 +-
 misc/glibc/ld.so.conf | 1 +
 misc/glibc/manifest.yaml | 10 +++++++
 .../glibc/pkg.yaml | 26 +++++++++++++++----
 misc/glibc/vars.yaml | 4 +++
 misc/vars.yaml | 2 ++
 .../nvidia-container-toolkit/glibc/ld.so.conf | 1 -
 nvidia-gpu/vars.yaml | 2 --
 reproducibility/pkg.yaml | 2 ++
 12 files changed, 47 insertions(+), 12 deletions(-)
 create mode 100644 misc/glibc/ld.so.conf
 create mode 100644 misc/glibc/manifest.yaml
 rename {nvidia-gpu/nvidia-container-toolkit => misc}/glibc/pkg.yaml (60%)
 create mode 100644 misc/glibc/vars.yaml
 create mode 100644 misc/vars.yaml
 delete mode 100644 nvidia-gpu/nvidia-container-toolkit/glibc/ld.so.conf
diff --git a/.kres.yaml b/.kres.yaml
index 5132508a..1353be19 100644
--- a/.kres.yaml
+++ b/.kres.yaml
@@ -14,6 +14,7 @@ spec:
 - ecr-credential-provider
 - fuse3
 - gasket-driver
+ - glibc
 - gvisor
 - gvisor-debug
 - hello-world-service
diff --git a/Makefile b/Makefile
index 60ac6d8f..97feb77a 100644
--- a/Makefile
+++ b/Makefile
@@ -65,6 +65,7 @@ TARGETS += drbd
 TARGETS += ecr-credential-provider
 TARGETS += fuse3
 TARGETS += gasket-driver
+TARGETS += glibc
 TARGETS += gvisor
 TARGETS += gvisor-debug
 TARGETS += hello-world-service
diff --git a/README.md b/README.md
index f68a2f4b..72228f74 100644
--- a/README.md
+++ b/README.md
@@ -79,9 +79,10 @@ cosign verify --certificate-identity-regexp '@siderolabs\.com$' --certificate-oi
 ### Miscellaneous
-| Name | Image | Description | Version Format |
-| ------------------------------- | ----------------------------------------------------------------------------------------------------- | --------------------------- | --------------- |
-| [binfmt-misc](misc/binfmt-misc) | [ghcr.io/siderolabs/binfmt-misc](https://github.com/siderolabs/extensions/pkgs/container/binfmt-misc) | Miscellaneous Binary Format | `talos version` |
+| Name | Image | Description | Version Format |
+| ------------------------------- | ----------------------------------------------------------------------------------------------------- | --------------------------- | ------------------ |
+| [binfmt-misc](misc/binfmt-misc) | [ghcr.io/siderolabs/binfmt-misc](https://github.com/siderolabs/extensions/pkgs/container/binfmt-misc) | Miscellaneous Binary Format | `talos version` |
+| [glibc](misc/glibc) | [ghcr.io/siderolabs/glibc](https://github.com/siderolabs/extensions/pkgs/container/glibc) | glibc | `upstream version` |
 ### Network
diff --git a/internal/base/pkg.yaml b/internal/base/pkg.yaml
index 9c37c88b..518e3790 100644
--- a/internal/base/pkg.yaml
+++ b/internal/base/pkg.yaml
@@ -4,7 +4,7 @@ shell: /toolchain/bin/bash
 dependencies:
 - image: "{{ .BUILD_ARG_PKGS_PREFIX }}/base:{{ .BUILD_ARG_PKGS }}"
 - image: "{{ .BUILD_ARG_PKGS_PREFIX }}/ca-certificates:{{ .BUILD_ARG_PKGS }}"
- image: ghcr.io/siderolabs/extensions-validator:4313acf
+ - image: ghcr.io/siderolabs/extensions-validator:aa3b467
 finalize:
 - from: /
 to: /
diff --git a/misc/glibc/ld.so.conf b/misc/glibc/ld.so.conf
new file mode 100644
index 00000000..7b8c1c92
--- /dev/null
+++ b/misc/glibc/ld.so.conf
@@ -0,0 +1 @@
+/usr/local/glibc/usr/lib
diff --git a/misc/glibc/manifest.yaml b/misc/glibc/manifest.yaml
new file mode 100644
index 00000000..48428058
--- /dev/null
+++ b/misc/glibc/manifest.yaml
@@ -0,0 +1,10 @@
+version: v1alpha1
+metadata:
+ name: glibc
+ version: "$VERSION"
+ author: Jean-Francois Roy
+ description: |
+ This system extension provides glibc.
+ compatibility:
+ talos:
+ version: ">= v1.9.0"
diff --git a/nvidia-gpu/nvidia-container-toolkit/glibc/pkg.yaml b/misc/glibc/pkg.yaml
similarity index 60%
rename from nvidia-gpu/nvidia-container-toolkit/glibc/pkg.yaml
rename to misc/glibc/pkg.yaml
index 059b520b..65722d2e 100644
--- a/nvidia-gpu/nvidia-container-toolkit/glibc/pkg.yaml
+++ b/misc/glibc/pkg.yaml
@@ -11,11 +11,13 @@ dependencies:
 - image: cgr.dev/chainguard/wolfi-base@{{ .WOLFI_BASE_REF }}
 steps:
 - sources:
- url: https://src.fedoraproject.org/lookaside/pkgs/glibc/glibc-{{ .GLIBC_VERSION }}-9-g132a72f93c.tar.xz/sha512/f88ffb4ab47104640c88504ca2619cdca0795565173daf98a37d624333e14ab96699f662597fe51ba94a274c4cc7001bd2c8cc29fd5df012733298049e533bf4/glibc-{{ .GLIBC_VERSION }}-9-g132a72f93c.tar.xz
+ - url: https://src.fedoraproject.org/lookaside/pkgs/glibc/glibc-{{ .GLIBC_VERSION }}-9-g132a72f93c.tar.xz/sha512/f88ffb4ab47104640c88504ca2619cdca0795565173daf98a37d624333e14ab96699f662597fe51ba94a274c4cc7001bd2c8cc29fd5df012733298049e533bf4/glibc-{{ .VERSION }}-9-g132a72f93c.tar.xz
 destination: glibc.tar.xz
 sha256: 49cd4eed693ffa9010d81e1c75ab33a278a7cbb404a01564b2e287e04ec3d4d3
 sha512: f88ffb4ab47104640c88504ca2619cdca0795565173daf98a37d624333e14ab96699f662597fe51ba94a274c4cc7001bd2c8cc29fd5df012733298049e533bf4
 prepare:
+ - |
+ sed -i 's#$VERSION#{{ .VERSION }}#' /pkg/manifest.yaml
 - |
 tar -xf glibc.tar.xz --strip-components=1
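Review bot: The new `url` in the `sources` entry of misc/glibc/pkg.yaml mixes two template variables, `{{ .GLIBC_VERSION }}` in the directory segment and `{{ .VERSION }}` in the file name, while the snapshot suffix `-9-g132a72f93c` and both checksums stay hard-coded. The two variables resolve to the same value today, since misc/glibc/vars.yaml sets `VERSION` from `GLIBC_VERSION`, so this is a consistency point: use one variable in both places. Because `GLIBC_VERSION` carries a Renovate annotation, an automated bump would change the URL but not the suffix or digests; the `sha256`/`sha512` pins make that fail closed, which is the right outcome, but a comment above the `url` line such as `# snapshot suffix and checksums are tied to GLIBC_VERSION; update them together` would make the coupling explicit. The `steps` block continues outside the hunk.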
@@ -24,8 +26,8 @@ steps:
 ../configure \
 --prefix=/usr/local/glibc \
- --libdir=/usr/local/glibc/lib \
- --libexecdir=/usr/local/glibc/lib \
+ --libdir=/usr/local/glibc/usr/lib \
+ --libexecdir=/usr/local/glibc/usr/lib \
 --enable-stack-protection=strong \
 --disable-werror
 build:
@@ -34,13 +36,25 @@ steps:
 make -j $(nproc)
 install:
 - |
- mkdir -p /rootfs/lib64
+ mkdir -p \
+ /rootfs/usr/local/glibc/usr/bin \
+ /rootfs/usr/local/glibc/usr/lib \
+ /rootfs/usr/local/glibc/usr/lib32 \
+ /rootfs/usr/local/glibc/usr/sbin
+ ln -s usr/bin/ /rootfs/usr/local/glibc/bin
+ ln -s usr/lib/ /rootfs/usr/local/glibc/lib
+ ln -s usr/lib/ /rootfs/usr/local/glibc/lib64
+ ln -s usr/sbin/ /rootfs/usr/local/glibc/sbin
+ ln -s lib/ /rootfs/usr/local/glibc/usr/lib64
 cd build
 make install DESTDIR=/rootfs
 cp /pkg/ld.so.conf /rootfs/usr/local/glibc/etc/ld.so.conf
- ln -s /usr/local/glibc/lib/ld-linux-x86-64.so.2 /rootfs/lib64/ld-linux-x86-64.so.2
+
+ mkdir -p /rootfs/lib64 /rootfs/sbin
+ ln -s /usr/local/glibc/usr/lib/ld-linux-x86-64.so.2 /rootfs/lib64/ld-linux-x86-64.so.2
+ ln -s /usr/local/glibc/usr/sbin/ldconfig /rootfs/sbin/ldconfig
 # cleanup
 rm -rf /rootfs/usr/local/glibc/include
@@ -49,3 +63,5 @@ steps:
 finalize:
 - from: /rootfs
 to: /rootfs
+ - from: /pkg/manifest.yaml
+ to: /
diff --git a/misc/glibc/vars.yaml b/misc/glibc/vars.yaml
new file mode 100644
index 00000000..f70cb876
--- /dev/null
+++ b/misc/glibc/vars.yaml
@@ -0,0 +1,4 @@
+# renovate: datasource=docker versioning=docker depName=cgr.dev/chainguard/wolfi-base
+WOLFI_BASE_REF: sha256:72c8bfed3266b2780243b144dc5151150015baf5a739edbbde53d154574f1607
+
+VERSION: {{ .GLIBC_VERSION }}
diff --git a/misc/vars.yaml b/misc/vars.yaml
new file mode 100644
index 00000000..e99da6bf
--- /dev/null
+++ b/misc/vars.yaml
@@ -0,0 +1,2 @@
+# renovate: datasource=git-tags extractVersion=^glibc-(?.*)$ depName=https://sourceware.org/git/glibc.git
+GLIBC_VERSION: 2.40
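Review bot: The `../configure` call in misc/glibc/pkg.yaml keeps `--enable-stack-protection=strong` as its only hardening switch, even though this libc is now a standalone extension rather than a private dependency of the NVIDIA toolkit. glibc's configure also offers `--enable-bind-now`, which disables lazy binding for the installed shared objects and programs; consider adding it next to the stack-protection flag and confirming the GPU tooling still loads. A comment such as `# libdir must match misc/glibc/ld.so.conf and the ld-linux symlink target in the install step` above `--libdir` would document the coupling between the three places that now name `/usr/local/glibc/usr/lib`. The configure command starts above the hunk.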
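Review bot: The two host-visible links created at the end of the `install` step, `/rootfs/lib64/ld-linux-x86-64.so.2` and `/rootfs/sbin/ldconfig`, point at absolute targets, and nothing checks that `make install` actually produced those targets under the new `usr/lib` and `usr/sbin` layout. The loader file name is also specific to x86-64, so if this now-generic extension is ever built for another architecture (not visible from this hunk) the link would dangle silently. These are the paths that host tooling resolves implicitly, so I would fail the build on a missing target by adding `test -e /rootfs/usr/local/glibc/usr/lib/ld-linux-x86-64.so.2` and `test -x /rootfs/usr/local/glibc/usr/sbin/ldconfig` before the two `ln -s` lines, assuming the step shell stops on a failing command. The step continues past the hunk with the cleanup commands.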
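Review bot: `GLIBC_VERSION: 2.40` in the new misc/vars.yaml is an unquoted scalar that a generic YAML loader types as the float 2.4, and this value now feeds the source URL, the `sed` substitution into manifest.yaml and `VERSION` in misc/glibc/vars.yaml. The line was moved as-is from nvidia-gpu/vars.yaml, so the build tool presumably keeps it as text, but quoting removes the dependency on that behaviour: `GLIBC_VERSION: "2.40"`. The same applies to `VERSION: {{ .GLIBC_VERSION }}` in misc/glibc/vars.yaml, which I would write as `VERSION: "{{ .GLIBC_VERSION }}"`. Check that the Renovate matcher for these files tolerates the quotes before merging.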
diff --git a/nvidia-gpu/nvidia-container-toolkit/glibc/ld.so.conf b/nvidia-gpu/nvidia-container-toolkit/glibc/ld.so.conf
deleted file mode 100644
index ef9ca6e6..00000000
--- a/nvidia-gpu/nvidia-container-toolkit/glibc/ld.so.conf
+++ /dev/null
@@ -1 +0,0 @@
-/usr/local/glibc/lib
diff --git a/nvidia-gpu/vars.yaml b/nvidia-gpu/vars.yaml
index 6b701c52..5d1fa1f1 100644
--- a/nvidia-gpu/vars.yaml
+++ b/nvidia-gpu/vars.yaml
@@ -11,8 +11,6 @@ LIBNVIDIA_CONTAINER_VERSION: v1.16.1
 LIBNVIDIA_CONTAINER_REF: 4c2494f16573b585788a42e9c7bee76ecd48c73d
 # renovate: datasource=docker versioning=docker depName=cgr.dev/chainguard/wolfi-base
 WOLFI_BASE_REF: sha256:72c8bfed3266b2780243b144dc5151150015baf5a739edbbde53d154574f1607
-# renovate: datasource=git-tags extractVersion=^glibc-(?.*)$ depName=https://sourceware.org/git/glibc.git
-GLIBC_VERSION: 2.40
 # renovate: datasource=github-tags extractVersion=^v(?.*)$ depName=seccomp/libseccomp
 LIBSECCOMP_VERSION: 2.5.5
 # renovate: datasource=git-tags extractVersion=^libcap-(?.*)$ depName=git://git.kernel.org/pub/scm/libs/libcap/libcap.git
diff --git a/reproducibility/pkg.yaml b/reproducibility/pkg.yaml
index fae29ee0..3584476a 100644
--- a/reproducibility/pkg.yaml
+++ b/reproducibility/pkg.yaml
@@ -23,6 +23,8 @@ dependencies:
 - stage: fuse3
 # gasket-driver can be ignored from reproducibility test since it's kernel modules copied from pkgs
 # - stage: gasket-driver
+
+ - stage: glibc
 - stage: gvisor
 - stage: gvisor-debug
 - stage: hello-world-service