lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Tue, 4 Feb 2020 11:29:24 -0800
From:   Andrii Nakryiko <andrii.nakryiko@...il.com>
To:     Toke Høiland-Jørgensen <toke@...hat.com>
Cc:     David Ahern <dsahern@...il.com>,
        Daniel Borkmann <daniel@...earbox.net>,
        Stephen Hemminger <stephen@...workplumber.org>,
        Alexei Starovoitov <ast@...nel.org>,
        Martin KaFai Lau <kafai@...com>,
        Song Liu <songliubraving@...com>, Yonghong Song <yhs@...com>,
        David Miller <davem@...emloft.net>,
        Jesper Dangaard Brouer <brouer@...hat.com>,
        Networking <netdev@...r.kernel.org>, bpf <bpf@...r.kernel.org>
Subject: Re: [RFC bpf-next 0/5] Convert iproute2 to use libbpf (WIP)

On Tue, Feb 4, 2020 at 11:19 AM Toke Høiland-Jørgensen <toke@...hat.com> wrote:
>
> Andrii Nakryiko <andrii.nakryiko@...il.com> writes:
>
> > On Tue, Feb 4, 2020 at 12:25 AM Toke Høiland-Jørgensen <toke@...hat.com> wrote:
> >>
> >> Andrii Nakryiko <andrii.nakryiko@...il.com> writes:
> >>
> >> > On Mon, Feb 3, 2020 at 8:53 PM David Ahern <dsahern@...il.com> wrote:
> >> >>
> >> >> On 2/3/20 8:41 PM, Andrii Nakryiko wrote:
> >> >> > On Mon, Feb 3, 2020 at 5:46 PM David Ahern <dsahern@...il.com> wrote:
> >> >> >>
> >> >> >> On 2/3/20 5:56 PM, Andrii Nakryiko wrote:
> >> >> >>> Great! Just to disambiguate and make sure we are in agreement, my hope
> >> >> >>> here is that iproute2 can completely delegate to libbpf all the ELF
> >> >> >>>
> >> >> >>
> >> >> >> iproute2 needs to compile and continue working as is when libbpf is not
> >> >> >> available. e.g., add check in configure to define HAVE_LIBBPF and move
> >> >> >> the existing code and move under else branch.
> >> >> >
> >> >> > Wouldn't it be better to statically compile against libbpf in this
> >> >> > case and get rid a lot of BPF-related code and simplify the rest of
> >> >> > it? This can be easily done by using libbpf through submodule, the
> >> >> > same way as BCC and pahole do it.
> >> >> >
> >> >>
> >> >> iproute2 compiles today and runs on older distributions and older
> >> >> distributions with newer kernels. That needs to hold true after the move
> >> >> to libbpf.
> >> >
> >> > And by statically compiling against libbpf, checked out as a
> >> > submodule, that will still hold true, wouldn't it? Or there is some
> >> > complications I'm missing? Libbpf is designed to handle old kernels
> >> > with no problems.
> >>
> >> My plan was to use the same configure test I'm using for xdp-tools
> >> (where I in turn copied the structure of the configure script from
> >> iproute2):
> >>
> >> https://github.com/xdp-project/xdp-tools/blob/master/configure#L59
> >>
> >> This will look for a system libbpf install and compile against it if it
> >> is compatible, and otherwise fall back to a statically linking against a
> >> git submodule.
> >
> > How will this work when build host has libbpf installed, but target
> > host doesn't? You'll get dynamic linker error when trying to run that
> > tool.
>
> That's called dependency tracking; distros have various ways of going
> about that :)

I'm confused, honestly. libbpf is either a dependency and thus can be
relied upon to be present in the target system, or it's not and this
whole dance with detecting libbpf presence needs to be performed.

If libbpf is optional, then I don't see how iproute2 BPF-related code
and complexity can be reduced at all, given it should still support
loading BPF programs even without libbpf. Furthermore, given libbpf
supports more features already and will probably be outpacing
iproute2's own BPF support in the future, some users will start
relying on BPF features supported only by libbpf "backend", so
iproute2's own BPF backend will just fail to load such programs,
bringing unpleasant surprises, potentially. So I still fail to see how
libbpf can be optional and what benefit does that bring. But shared or
static - whatever fits iproute2 best, no preferences.

>
> But yeah, if you're going to do you own cross-compilation, you'd
> probably want to just force using the static library.
>
> > If the goal is to have a reliable tool working everywhere, and you
> > already support having libbpf as a submodule, why not always use
> > submodule's libbpf? What's the concern? Libbpf is a small library, I
> > don't think a binary size argument is enough reason to not do this. On
> > the other hand, by using libbpf from submodule, your tool is built
> > *and tested* with a well-known libbpf version that tool-producer
> > controls.
>
> I thought we already had this discussion? :)

Yeah, I guess we did for bpftool :) No worries, I don't care that
much, just see my notes above about optional libbpf and consequences.

>
> libbpf is a library like any other. Distros that package the library
> want the tools that use it to be dynamically linked against it so
> library upgrades (especially of the CVE-fixing kind) get picked up by
> all users. Other distros have memory and space constraints (iproute2 is
> shipped on OpenWrt, for instance, which is *extremely*
> space-constrained). And yeah, other deployments don't care and will just
> statically compile in the vendored version. So we'll need to support all
> of those use cases.
>
> -Toke
>

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ