Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Update .NET Linux Build for .NET 10 #109939

Open
richlander opened this issue Nov 18, 2024 · 12 comments
Open

Update .NET Linux Build for .NET 10 #109939

richlander opened this issue Nov 18, 2024 · 12 comments
Labels
area-Infrastructure untriaged New issue has not been triaged by the area owner

Comments

@richlander
Copy link
Member

richlander commented Nov 18, 2024

The Microsoft distribution of .NET is built to be compatible with the broad Linux ecosystem. We decide and communicate minimum supported distro versions with each release, first to get feedback, and then to set expectations. Distro compatibility is an important property of each release.

Minimum compatible distros:

We model compatibility on Ubuntu for glibc distros and Alpine for musl distros.

This means that .NET 10 apps will run on Alpine 3.17 and Ubuntu 18.04 and later (and other compatible distro versions). They will not run on distros versions before that (like Ubuntu 16.04), while .NET 8 and 9 apps will.

If an app is run on a distro with an older libc than the .NET build targets, the app will fail to launch with errors related to missing libc exports.

We have communicated similar plans for .NET 8 and .NET 9.

Details

The Microsoft distribution for .NET 10 is built in an Azure Linux 3.0 container and targets the minimum supported distro using cross-compilation techniques. The approach we use is covered in more detail in Linux build methodology.

It is important that we continue to move the minimum supported versions forward so that we can securely build .NET and to take advantage of low-level capabilities that are present in newer libc versions. For example, we were forced to do that Arm32.

The versions listed in this document are a compatibility not support statement. Supported distros and versions are provided separately.

glibc compatibility

Ubuntu 18.04 includes glibc version 2.27.

The following distro versions (and higher) are compatible:

  • AlmaLinux 8: 2.28
  • Amazon Linux 2023: 2.34
  • Arch Linux 20241027.0.273886: 2.40
  • CentOS Stream 9: 2.34
  • Debian 11: 2.31
  • Fedora 38: 2.37
  • RHEL 8: 2.28

Recent Ubuntu glibc versions:

  • Ubuntu 24.04: 2.39
  • Ubuntu 22.04: 2.35
  • Ubuntu 20.04: 2.31
  • Ubuntu 18.04: 2.27
  • Ubuntu 16.04: 2.23

musl compatibility

Alpine 3.17 includes musl version 1.2.3.

The following distro versions (and higher) are compatible:

  • None listed; please contribute non-Alpine distros you use.

Recent Alpine musl versions:

  • Alpine 3.20: 1.2.5
  • Alpine 3.19: 1.2.4
  • Alpine 3.18: 1.2.4
  • Alpine 3.17: 1.2.3
  • Alpine 3.16: 1.2.3
  • Alpine 3.15: 1.2.2
  • Alpine 3.14: 1.2.2
  • Alpine 3.13: 1.2.2

Toolset

The Microsoft build uses a variety of tools. This choice is most relevant for distros that build .NET from source and want to use the same or similar tool versions to ensure compatible results. It can also be important for users that want to understand if an observed behavior is due to known issues with those tools.

Tools:

  • clang 20
  • cmake 3.26
@dotnet-policy-service dotnet-policy-service bot added the untriaged New issue has not been triaged by the area owner label Nov 18, 2024
Copy link
Contributor

Tagging subscribers to this area: @dotnet/area-infrastructure-libraries
See info in area-owners.md if you want to be subscribed.

@richlander
Copy link
Member Author

@dotnet/distro-maintainers @omajid @dviererbe @mateoatr @normj

Copy link
Contributor

Tagging subscribers to this area: @dotnet/runtime-infrastructure
See info in area-owners.md if you want to be subscribed.

@dviererbe
Copy link
Contributor

I talked today to Mateus and Samir about this issue and we think it is totally reasonable, that .NET 10 will not support the glibc version of Ubuntu 16.04. Thanks for keeping us in the loop :)

@richlander
Copy link
Member Author

Great! Thanks for the feedback.

For clarity, this plan only affects the Microsoft build. It would be possible for another party to build .NET targeting a different glibc or musl version, higher or lower. We have no expectation that others follow our approach.

@normj
Copy link

normj commented Nov 19, 2024

For clarity, this plan only affects the Microsoft build. It would be possible for another party to build .NET targeting a different glibc or musl version, higher or lower. We have no expectation that others follow our approach.

Doesn't your comment in the post "take advantage of low-level capabilities that are present in newer libc versions." imply that .NET will start calling APIs that are only available in newer versions of libc which would block users from building with older versions glibc? Not that I'm saying this shouldn't be done but it does seem the change raises the contract between .NET and the platform for everybody.

@richlander
Copy link
Member Author

richlander commented Nov 19, 2024

Great q. Those calls can always be made conditional. For example, .NET 9+ Arm32 is now built for Ubuntu 22.04+. It's possible to build it another way.

Example: #107989

sbomer added a commit to dotnet/dotnet-buildtools-prereqs-docker that referenced this issue Nov 25, 2024
Contributes to dotnet/runtime#109939. These
images have LLVM 19.1.0, but will be updated to LLVM 20 per the plan,
once that is released.
@am11
Copy link
Member

am11 commented Dec 3, 2024

If the reason for increasing the minimum libc version is that we are genuinely utilizing features from a modern version which simplifies runtime code (by removing fallback paths for older libc) or addressing a breaking change like time_t moving to 64-bit on 32-bit platforms in a past release, then this makes sense, and you can disregard the rest of this comment.

However, increasing the libc version doesn't seem ideal otherwise. Microsoft's builds use modern Azure Linux 3.0 containers with a cross-compiling toolchain for various targets (x64, arm64, etc.). The way these builds use the cross-toolchain on Linux is by importing some C/C++ headers and linking to libraries under the sysroot (ROOTFS_DIR).

Since these libraries are neither statically linked nor executed during the build, the cross-build process treats them merely as files providing symbols. When build artifacts are downloaded to a consumer machine, the only items carried over from the build machine are these symbols and their versions. There is no security risk here, even if ROOTFS_DIR contains libraries or headers from an out of support system like Ubuntu 16.04, because:

a) Nothing is executed from the ROOTFS_DIR on the build machines.
b) The only elements "copied" from the rootfs are symbols.

@richlander
Copy link
Member Author

See Security-related servicing for an analysis of which elements are "copied" from the rootfs.

@Raviuppa
Copy link

Raviuppa commented Dec 6, 2024

@richlander, Under glibc Compatibility section , remove the reference to Ubuntu 18.04 inclusion of glibc 2.27 as it confuses because immediately succeeding is Fedora distro and we do have a separate Ubuntu section which already listed Ubuntu 18.04 with glibc 2.7. Listing the required minimum glibc version at the beginning will help.

Same with musl too.

@richlander
Copy link
Member Author

I'm not quite following. My goal was to make the top section about distro versions not about libc versions (which most users don't know about). I don't grasp the point about Fedora.

Ubuntu 18.04 includes glibc version 2.27.

The reason I have the distro there is that I'm trying to make it clear where the glibc version is coming from. I'm trying to establish a strong association.

@richlander
Copy link
Member Author

richlander commented Dec 9, 2024

As promised, I added a link (in the initial text above) to the .NET 10 supported OSes file once it was available.

https://github.com/dotnet/core/blob/main/release-notes/10.0/supported-os.md

The OS/distro versions are subject to change. When in doubt, ask.

vcsjones added a commit to vcsjones/runtime that referenced this issue Jan 10, 2025
Since Linux 3.17, the syscall `getrandom` can be used to generate bytes from the same entropy source as `/dev/urandom`. This makes it suitable for cryptographic random number generation, something our Guid generator needs.

If `getrandom` is not available because the LibC provided is too old - or if the syscall itself is not available, it will fall back to the previous method of reading from `/dev/urandom`.

`EPERM` is treated like `ENOSYS` - some older Linux kernels returned this when the syscall is not available. The syscall can also be blocked by seccomp. That would be weird, and Docker permits it by default, but if anyone has explicitly gone out of their way to block it, it falls back to using the file descriptor mechanism.

The use of the syscall implementation instead of the file device offers some performance improvements. Anywhere from 10% to 15% in benchmarks.

This does require glibc 2.25. For non-portable builds, that's largely fine. For Microsoft builds, those are (currently) being done on Ubuntu Xenial, which has 2.23. However, it is expected that with .NET 10, the glibc floor is going to change to 2.27 with dotnet#109939. If that happens, then the Microsoft portable builds will pick this up as well.

This PR does _not_ change the user-facing `RandomNumberGenerator` that will continue to use `RAND_bytes` from OpenSSL.

| Method         | Toolchain | Mean     | Error   | StdDev  | Ratio |
|--------------- |---------- |---------:|--------:|--------:|------:|
| NewGuid        | branch    | 265.1 ns | 0.24 ns | 0.22 ns |  0.87 |
| NewGuid        | main      | 304.6 ns | 0.16 ns | 0.15 ns |  1.00 |
|                |           |          |         |         |       |
| CreateVersion7 | branch    | 293.2 ns | 0.20 ns | 0.18 ns |  0.88 |
| CreateVersion7 | main      | 335.0 ns | 0.27 ns | 0.23 ns |  1.00 |
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
area-Infrastructure untriaged New issue has not been triaged by the area owner
Projects
Status: No status
Development

No branches or pull requests

6 participants