From 321aa20c49568ea2e2a3f708a50ccffb1bd67c79 Mon Sep 17 00:00:00 2001
From: Aleksa Sarai <cyphar@cyphar.com>
Date: Sat, 19 Aug 2023 12:18:08 +1000
Subject: [PATCH] scripts: add proper 386 and amd64 target triples and builds

We need these to match the Makefile detection of the right gcc for
runc-dmz, as well as making sure that everything builds properly for our
cross-i386 tests. While we're at it, add x86 to the list of build
targets for release builds (presumably nobody will use it, but since we
do test builds of this anyway it probably won't hurt).

In addition, clean up the handling of the native architecture build by
treating it the same as any other build (ensuring that building runc
from a different platform will work the same way regardless of the
native architecture). In practice, the build works the same way as
before.

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
---
 Dockerfile              | 20 ++++++++++-------
 Makefile                |  2 +-
 script/lib.sh           | 50 +++++++++++++++++++++++++++++++++--------
 script/release_build.sh | 42 +++++++++++++++++-----------------
 script/seccomp.sh       |  9 ++++++--
 5 files changed, 83 insertions(+), 40 deletions(-)

diff --git a/Dockerfile b/Dockerfile
index 9fd29a59371..6fa8752b5e3 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -9,19 +9,15 @@ ARG CRIU_REPO=https://download.opensuse.org/repositories/devel:/tools:/criu/Debi
 RUN KEYFILE=/usr/share/keyrings/criu-repo-keyring.gpg; \
     wget -nv $CRIU_REPO/Release.key -O- | gpg --dearmor > "$KEYFILE" \
     && echo "deb [signed-by=$KEYFILE] $CRIU_REPO/ /" > /etc/apt/sources.list.d/criu.list \
+    && dpkg --add-architecture i386 \
     && apt-get update \
     && apt-get install -y --no-install-recommends \
         build-essential \
         criu \
-        gcc-aarch64-linux-gnu libc-dev-arm64-cross \
-        gcc-arm-linux-gnueabi libc-dev-armel-cross \
-        gcc-arm-linux-gnueabihf libc-dev-armhf-cross \
-        gcc-powerpc64le-linux-gnu libc-dev-ppc64el-cross \
-        gcc-s390x-linux-gnu libc-dev-s390x-cross \
-        gcc-riscv64-linux-gnu libc-dev-riscv64-cross \
+        gcc \
+        gcc-multilib \
         curl \
         gawk \
-        gcc \
         gperf \
         iptables \
         jq \
@@ -32,6 +28,14 @@ RUN KEYFILE=/usr/share/keyrings/criu-repo-keyring.gpg; \
         sudo \
         uidmap \
         iproute2 \
+    && apt-get install -y --no-install-recommends \
+        libc-dev:i386 libgcc-s1:i386 \
+        gcc-aarch64-linux-gnu libc-dev-arm64-cross \
+        gcc-arm-linux-gnueabi libc-dev-armel-cross \
+        gcc-arm-linux-gnueabihf libc-dev-armhf-cross \
+        gcc-powerpc64le-linux-gnu libc-dev-ppc64el-cross \
+        gcc-s390x-linux-gnu libc-dev-s390x-cross \
+        gcc-riscv64-linux-gnu libc-dev-riscv64-cross \
     && apt-get clean \
     && rm -rf /var/cache/apt /var/lib/apt/lists/* /etc/apt/sources.list.d/*.list
 
@@ -54,7 +58,7 @@ RUN cd /tmp \
 ARG LIBSECCOMP_VERSION
 COPY script/seccomp.sh script/lib.sh /tmp/script/
 RUN mkdir -p /opt/libseccomp \
-    && /tmp/script/seccomp.sh "$LIBSECCOMP_VERSION" /opt/libseccomp arm64 armel armhf ppc64le riscv64 s390x
+    && /tmp/script/seccomp.sh "$LIBSECCOMP_VERSION" /opt/libseccomp 386 amd64 arm64 armel armhf ppc64le riscv64 s390x
 ENV LIBSECCOMP_VERSION=$LIBSECCOMP_VERSION
 ENV LD_LIBRARY_PATH=/opt/libseccomp/lib
 ENV PKG_CONFIG_PATH=/opt/libseccomp/lib/pkgconfig
diff --git a/Makefile b/Makefile
index 0d48fe8c521..4e90e1c7c4f 100644
--- a/Makefile
+++ b/Makefile
@@ -68,7 +68,7 @@ recvtty sd-helper seccompagent fs-idmap:
 static:
 	$(GO_BUILD_STATIC) -o runc .
 
-releaseall: RELEASE_ARGS := "-a arm64 -a armel -a armhf -a ppc64le -a riscv64 -a s390x"
+releaseall: RELEASE_ARGS := "-a 386 -a amd64 -a arm64 -a armel -a armhf -a ppc64le -a riscv64 -a s390x"
 releaseall: release
 
 release: runcimage
diff --git a/script/lib.sh b/script/lib.sh
index 9fee8e29f38..f79dc3c2335 100644
--- a/script/lib.sh
+++ b/script/lib.sh
@@ -1,33 +1,65 @@
 #!/bin/bash
 
+# NOTE: Make sure you keep this file in sync with cc_platform.mk.
+
 # set_cross_vars sets a few environment variables used for cross-compiling,
 # based on the architecture specified in $1.
 function set_cross_vars() {
 	GOARCH="$1" # default, may be overridden below
 	unset GOARM
 
+	PLATFORM=linux-gnu
+	# openSUSE has a custom PLATFORM
+	if grep -iq "ID_LIKE=.*suse" /etc/os-release; then
+		PLATFORM=suse-linux
+		is_suse=1
+	fi
+
 	case $1 in
+	386)
+		# Always use the 64-bit compiler to build the 386 binary, which works
+		# for the more common cross-build method for x86 (namely, the
+		# equivalent of dpkg --add-architecture).
+		local cpu_type
+		if [ -v is_suse ]; then
+			# There is no x86_64-suse-linux-gcc, so use the native one.
+			HOST=
+			cpu_type=i586
+		else
+			HOST=x86_64-${PLATFORM}
+			cpu_type=i686
+		fi
+		CFLAGS="-m32 -march=$cpu_type ${CFLAGS[*]}"
+		;;
+	amd64)
+		if [ -n "${is_suse:-}" ]; then
+			# There is no x86_64-suse-linux-gcc, so use the native one.
+			HOST=
+		else
+			HOST=x86_64-${PLATFORM}
+		fi
+		;;
 	arm64)
-		HOST=aarch64-linux-gnu
+		HOST=aarch64-${PLATFORM}
 		;;
 	armel)
-		HOST=arm-linux-gnueabi
+		HOST=arm-${PLATFORM}eabi
 		GOARCH=arm
 		GOARM=6
 		;;
 	armhf)
-		HOST=arm-linux-gnueabihf
+		HOST=arm-${PLATFORM}eabihf
 		GOARCH=arm
 		GOARM=7
 		;;
 	ppc64le)
-		HOST=powerpc64le-linux-gnu
+		HOST=powerpc64le-${PLATFORM}
 		;;
 	riscv64)
-		HOST=riscv64-linux-gnu
+		HOST=riscv64-${PLATFORM}
 		;;
 	s390x)
-		HOST=s390x-linux-gnu
+		HOST=s390x-${PLATFORM}
 		;;
 	*)
 		echo "set_cross_vars: unsupported architecture: $1" >&2
@@ -35,8 +67,8 @@ function set_cross_vars() {
 		;;
 	esac
 
-	CC=$HOST-gcc
-	STRIP=$HOST-strip
+	CC="${HOST:+$HOST-}gcc"
+	STRIP="${HOST:+$HOST-}strip"
 
-	export HOST GOARM GOARCH CC STRIP
+	export HOST CFLAGS GOARM GOARCH CC STRIP
 }
diff --git a/script/release_build.sh b/script/release_build.sh
index af238628cbd..6c7aee88b23 100755
--- a/script/release_build.sh
+++ b/script/release_build.sh
@@ -60,24 +60,14 @@ function build_project() {
 	# it can reuse cached pkg-config results).
 	local make_args=(COMMIT_NO= EXTRA_FLAGS="-a" EXTRA_LDFLAGS="${ldflags}" static)
 
-	# Build natively.
-	make -C "$root" \
-		PKG_CONFIG_PATH="$seccompdir/lib/pkgconfig" \
-		"${make_args[@]}"
-	strip "$root/$project"
-	# Sanity check: make sure libseccomp version is as expected.
-	local ver
-	ver=$("$root/$project" --version | awk '$1 == "libseccomp:" {print $2}')
-	if [ "$ver" != "$LIBSECCOMP_VERSION" ]; then
-		echo >&2 "libseccomp version mismatch: want $LIBSECCOMP_VERSION, got $ver"
-		exit 1
-	fi
+	# Save the original cflags.
+	local original_cflags="${CFLAGS:-}"
 
-	mv "$root/$project" "$builddir/$project.$native_arch"
-
-	# Cross-build for for other architectures.
+	# Build for all requested architectures.
 	local arch
 	for arch in "${arches[@]}"; do
+		# Reset CFLAGS.
+		CFLAGS="$original_cflags"
 		set_cross_vars "$arch"
 		make -C "$root" \
 			PKG_CONFIG_PATH="$seccompdir/$arch/lib/pkgconfig" \
@@ -86,6 +76,14 @@ function build_project() {
 		mv "$root/$project" "$builddir/$project.$arch"
 	done
 
+	# Sanity check: make sure libseccomp version is as expected.
+	local ver
+	ver=$("$builddir/$project.$native_arch" --version | awk '$1 == "libseccomp:" {print $2}')
+	if [ "$ver" != "$LIBSECCOMP_VERSION" ]; then
+		echo >&2 "libseccomp version mismatch: want $LIBSECCOMP_VERSION, got $ver"
+		exit 1
+	fi
+
 	# Copy libseccomp source tarball.
 	cp "$seccompdir"/src/* "$builddir"
 
@@ -122,12 +120,17 @@ commit="HEAD"
 version=""
 releasedir=""
 hashcmd=""
-declare -a add_arches
+# Always build a native binary.
+native_arch="$(go env GOARCH || echo "amd64")"
+arches=("$native_arch")
 
 while getopts "a:c:H:hr:v:" opt; do
 	case "$opt" in
 	a)
-		add_arches+=("$OPTARG")
+		# Add architecture if not already present in arches.
+		if ! (printf "%s\0" "${arches[@]}" | grep -zqxF "$OPTARG"); then
+			arches+=("$OPTARG")
+		fi
 		;;
 	c)
 		commit="$OPTARG"
@@ -158,9 +161,8 @@ done
 version="${version:-$(<"$root/VERSION")}"
 releasedir="${releasedir:-release/$version}"
 hashcmd="${hashcmd:-sha256sum}"
-native_arch="$(go env GOARCH || echo "amd64")"
 # Suffixes of files to checksum/sign.
-suffixes=("$native_arch" "${add_arches[@]}" tar.xz)
+suffixes=("${arches[@]}" tar.xz)
 
 log "creating $project release in '$releasedir'"
 log "  version: $version"
@@ -174,7 +176,7 @@ set -x
 rm -rf "$releasedir" && mkdir -p "$releasedir"
 
 # Build project.
-build_project "$releasedir/$project" "$native_arch" "${add_arches[@]}"
+build_project "$releasedir/$project" "$native_arch" "${arches[@]}"
 
 # Generate new archive.
 git archive --format=tar --prefix="$project-$version/" "$commit" | xz >"$releasedir/$project.tar.xz"
diff --git a/script/seccomp.sh b/script/seccomp.sh
index beea612ac83..955437c2fb4 100755
--- a/script/seccomp.sh
+++ b/script/seccomp.sh
@@ -33,16 +33,21 @@ function build_libseccomp() {
 	tar xf "$tar" -C "$srcdir"
 	pushd "$srcdir/libseccomp-$ver" || return
 
-	# Build natively and install to /usr/local.
+	# Install native version for Dockerfile builds.
 	./configure \
 		--prefix="$dest" --libdir="$dest/lib" \
 		--enable-static --enable-shared
 	make install
 	make clean
 
-	# Build and install for additional architectures.
+	# Save the original cflags.
+	local original_cflags="${CFLAGS:-}"
+
+	# Build and install for all requested architectures.
 	local arch
 	for arch in "${arches[@]}"; do
+		# Reset CFLAGS.
+		CFLAGS="$original_cflags"
 		set_cross_vars "$arch"
 		./configure --host "$HOST" \
 			--prefix="$dest/$arch" --libdir="$dest/$arch/lib" \