[WIP] Manylinux2010

.travis.yml

@@ -19,11 +19,10 @@ env:
 
 matrix:
   include:
-    - env: PLATFORM="i686"
     - env: PLATFORM="x86_64"
 
 script:
-  - PLATFORM=$PLATFORM TRAVIS_COMMIT=$TRAVIS_COMMIT ./build.sh
+  - PLATFORM=$PLATFORM TRAVIS_COMMIT=$TRAVIS_COMMIT travis_wait 60 ./build.sh
 
 
 deploy:

build.sh

@@ -4,4 +4,7 @@
 set -ex
 
 docker/build_scripts/prefetch.sh openssl curl
-docker build --rm -t quay.io/pypa/manylinux1_$PLATFORM:$TRAVIS_COMMIT -f docker/Dockerfile-$PLATFORM docker/
+if [ $PLATFORM == x86_64 ]; then
+    docker build --rm -t quay.io/pypa/manylinux2010_centos-6-no-vsyscall -f docker/glibc/Dockerfile docker/glibc/
+fi
+docker build --rm -t quay.io/pypa/manylinux2010_$PLATFORM:$TRAVIS_COMMIT -f docker/Dockerfile-$PLATFORM docker/

docker/Dockerfile-x86_64

@@ -1,12 +1,13 @@
-FROM centos:5
-MAINTAINER The ManyLinux project
+# See docker/glibc/
+FROM quay.io/pypa/manylinux2010_centos-6-no-vsyscall
+LABEL maintainer="The ManyLinux project"
 
 ENV LC_ALL en_US.UTF-8
 ENV LANG en_US.UTF-8
 ENV LANGUAGE en_US.UTF-8
-ENV PATH /opt/rh/devtoolset-2/root/usr/bin:$PATH
-ENV LD_LIBRARY_PATH /opt/rh/devtoolset-2/root/usr/lib64:/opt/rh/devtoolset-2/root/usr/lib:/usr/local/lib64:/usr/local/lib
-ENV PKG_CONFIG_PATH=/usr/local/lib/pkgconfig
+ENV PATH /opt/rh/devtoolset-7/root/usr/bin:$PATH
+ENV LD_LIBRARY_PATH /opt/rh/devtoolset-7/root/usr/lib64:/opt/rh/devtoolset-7/root/usr/lib:/opt/rh/devtoolset-7/root/usr/lib64/dyninst:/opt/rh/devtoolset-7/root/usr/lib/dyninst:/usr/local/lib64:/usr/local/lib
+ENV PKG_CONFIG_PATH /usr/local/lib/pkgconfig
 
 COPY build_scripts /build_scripts
 COPY sources /

docker/build_scripts/build.sh

@@ -10,20 +10,10 @@ MY_DIR=$(dirname "${BASH_SOURCE[0]}")
 
 # Dependencies for compiling Python that we want to remove from
 # the final image after compiling Python
-# GPG installed to verify signatures on Python source tarballs.
-PYTHON_COMPILE_DEPS="zlib-devel bzip2-devel ncurses-devel sqlite-devel readline-devel tk-devel gdbm-devel db4-devel libpcap-devel xz-devel gpg libffi-devel"
+PYTHON_COMPILE_DEPS="zlib-devel bzip2-devel ncurses-devel sqlite-devel readline-devel tk-devel gdbm-devel db4-devel libpcap-devel xz-devel"
 
-# Libraries that are allowed as part of the manylinux1 profile
-MANYLINUX1_DEPS="glibc-devel libstdc++-devel glib2-devel libX11-devel libXext-devel libXrender-devel  mesa-libGL-devel libICE-devel libSM-devel ncurses-devel"
-
-# Centos 5 is EOL and is no longer available from the usual mirrors, so switch
-# to http://vault.centos.org
-# From: https://github.com/rust-lang/rust/pull/41045
-# The location for version 5 was also removed, so now only the specific release
-# (5.11) can be referenced.
-sed -i 's/enabled=1/enabled=0/' /etc/yum/pluginconf.d/fastestmirror.conf
-sed -i 's/mirrorlist/#mirrorlist/' /etc/yum.repos.d/*.repo
-sed -i 's/#\(baseurl.*\)mirror.centos.org\/centos\/$releasever/\1vault.centos.org\/5.11/' /etc/yum.repos.d/*.repo
+# Libraries that are allowed as part of the manylinux2010 profile
+MANYLINUX2010_DEPS="glibc-devel libstdc++-devel glib2-devel libX11-devel libXext-devel libXrender-devel mesa-libGL-devel libICE-devel libSM-devel"
 
 # Get build utilities
 source $MY_DIR/build_utils.sh
@@ -41,39 +31,28 @@ echo "multilib_policy=best" >> /etc/yum.conf
 # Decided not to clean at this point: https://github.com/pypa/manylinux/pull/129
 yum -y update
 
-# EPEL support
-yum -y install wget
-# https://dl.fedoraproject.org/pub/epel/5/x86_64/epel-release-5-4.noarch.rpm
-cp $MY_DIR/epel-release-5-4.noarch.rpm .
-check_sha256sum epel-release-5-4.noarch.rpm $EPEL_RPM_HASH
-
-# Dev toolset (for LLVM and other projects requiring C++11 support)
-wget -q http://people.centos.org/tru/devtools-2/devtools-2.repo
-check_sha256sum devtools-2.repo $DEVTOOLS_HASH
-mv devtools-2.repo /etc/yum.repos.d/devtools-2.repo
-rpm -Uvh --replacepkgs epel-release-5*.rpm
-rm -f epel-release-5*.rpm
-
-# from now on, we shall only use curl to retrieve files
-yum -y erase wget
+# Software collection and EPEL support
+yum -y install centos-release-scl https://dl.fedoraproject.org/pub/epel/epel-release-latest-6.noarch.rpm
 
 # Development tools and libraries
 yum -y install \
     automake \
     bison \
     bzip2 \
     cmake28 \
-    devtoolset-2-binutils \
-    devtoolset-2-gcc \
-    devtoolset-2-gcc-c++ \
-    devtoolset-2-gcc-gfortran \
+    devtoolset-7-binutils \
+    devtoolset-7-gcc \
+    devtoolset-7-gcc-c++ \
+    devtoolset-7-gcc-gfortran \
     diffutils \
     expat-devel \
     gettext \
-    kernel-devel-`uname -r` \
     file \
+    kernel-devel-`uname -r` \
+    libffi-devel \
     make \
     patch \
+    perl-devel \
     unzip \
     which \
     yasm \
@@ -147,18 +126,40 @@ rm -rf patchelf.tar.gz patchelf-$PATCHELF_VERSION
 
 ln -s $PY36_BIN/auditwheel /usr/local/bin/auditwheel
 
+# HACK: The newly compiled and installed curl messes with the system's
+# py2.6 installation, on which yum depends.  Work around it by
+# rewiring libcurl.so specifically for yum.  /usr/local/bin/ has higher
+# priority on the PATH than /usr/bin/
+cat <<'EOF' > /usr/local/bin/yum && chmod +x /usr/local/bin/yum
+#!/bin/bash
+if [ "x$(arch)" != xi686 ]; then
+  LD_PRELOAD=/usr/lib64/libcurl.so.4
+else
+  LD_PRELOAD=/usr/lib/libcurl.so.4
+fi
+export LD_PRELOAD
+/usr/bin/yum "$@"
+EOF
+# the above might not shadow the real yum just yet, so call hash to be
+# sure:
+type yum
+hash yum
+
+
 # Clean up development headers and other unnecessary stuff for
 # final image
 yum -y erase \
     avahi \
     bitstream-vera-fonts \
+    expat-devel \
     freetype \
+    gettext \
     gtk2 \
     hicolor-icon-theme \
     libX11 \
     wireless-tools \
-    ${PYTHON_COMPILE_DEPS}  > /dev/null 2>&1
-yum -y install ${MANYLINUX1_DEPS}
+    ${PYTHON_COMPILE_DEPS} > /dev/null 2>&1
+yum -y install ${MANYLINUX2010_DEPS}
 yum -y clean all > /dev/null 2>&1
 yum list installed
 
@@ -180,7 +181,7 @@ find /opt/_internal -depth \
 for PYTHON in /opt/python/*/bin/python; do
     # Smoke test to make sure that our Pythons work, and do indeed detect as
     # being manylinux compatible:
-    $PYTHON $MY_DIR/manylinux1-check.py
+    $PYTHON $MY_DIR/manylinux-check.py
     # Make sure that SSL cert checking works
     $PYTHON $MY_DIR/ssl-check.py
 done

docker/build_scripts/build_env.sh

@@ -37,5 +37,5 @@ GIT_HASH=ba2fed9d02e424b735e035c4f2b0bdb168ef0df7e35156b5051d900dc7247787
 GIT_DOWNLOAD_URL=https://github.com/git/git/archive
 
 GET_PIP_URL=https://bootstrap.pypa.io/get-pip.py
-EPEL_RPM_HASH=0dcc89f9bf67a2a515bad64569b7a9615edc5e018f676a578d5fd0f17d3c81d4
+EPEL_RPM_HASH=e5ed9ecf22d0c4279e92075a64c757ad2b38049bcf5c16c4f2b75d5f6860dc0d
 DEVTOOLS_HASH=a8ebeb4bed624700f727179e6ef771dafe47651131a00a78b342251415646acc

docker/build_scripts/build_utils.sh

@@ -54,10 +54,7 @@ function do_cpython_build {
     if [ -e ${prefix}/bin/python3 ]; then
         ln -s python3 ${prefix}/bin/python
     fi
-    # --force-reinstall is to work around:
-    #   https://github.com/pypa/pip/issues/5220
-    #   https://github.com/pypa/get-pip/issues/19
-    ${prefix}/bin/python get-pip.py --force-reinstall
+    ${prefix}/bin/python get-pip.py
     if [ -e ${prefix}/bin/pip3 ] && [ ! -e ${prefix}/bin/pip ]; then
         ln -s pip3 ${prefix}/bin/pip
     fi

docker/build_scripts/manylinux1-check.py → docker/build_scripts/manylinux-check.py

@@ -1,6 +1,6 @@
 # Logic copied from PEP 513
 
-def is_manylinux1_compatible():
+def is_manylinux2010_compatible():
     # Only Linux, and only x86-64 / i686
     from distutils.util import get_platform
     if get_platform() not in ["linux-x86_64", "linux-i686"]:
@@ -14,8 +14,8 @@ def is_manylinux1_compatible():
         # Fall through to heuristic check below
         pass
 
-    # Check glibc version. CentOS 5 uses glibc 2.5.
-    return have_compatible_glibc(2, 5)
+    # Check glibc version. CentOS 6 uses glibc 2.12.
+    return have_compatible_glibc(2, 12)
 
 def have_compatible_glibc(major, minimum_minor):
     import ctypes
@@ -45,9 +45,9 @@ def have_compatible_glibc(major, minimum_minor):
     return True
 
 import sys
-if is_manylinux1_compatible():
-    print("%s is manylinux1 compatible" % (sys.executable,))
+if is_manylinux2010_compatible():
+    print("%s is manylinux2010 compatible" % (sys.executable,))
     sys.exit(0)
 else:
-    print("%s is NOT manylinux1 compatible" % (sys.executable,))
+    print("%s is NOT manylinux2010 compatible" % (sys.executable,))
     sys.exit(1)

docker/deploy.sh

@@ -1,5 +1,5 @@
 #!/bin/bash
 docker login -u $QUAY_USERNAME -p $QUAY_PASSWORD quay.io
-tag="quay.io/pypa/manylinux1_$PLATFORM"
+tag="quay.io/pypa/manylinux2010_$PLATFORM"
 docker tag ${tag}:${TRAVIS_COMMIT} ${tag}:latest
 docker push ${tag}:latest

docker/glibc/Dockerfile

@@ -0,0 +1,11 @@
+FROM centos:6 as centos-with-vsyscall
+
+COPY ./build_scripts /build_scripts
+RUN bash /build_scripts/rebuild-glibc-without-vsyscall.sh
+
+FROM centos:6
+LABEL maintainer="The Manylinux project"
+
+COPY --from=centos-with-vsyscall /rpms /rpms
+
+RUN yum -y install /rpms/* && rm -rf /rpms

docker/glibc/README.rst

@@ -0,0 +1,79 @@
+centos-6-no-vsyscall
+====================
+
+*Summary*: Because of
+https://mail.python.org/pipermail/wheel-builders/2016-December/000239.html,
+this a CentOS 6.10 Docker image that rebuilds ``glibc`` without
+*vsyscall* is necessary to reliably run ``manylinux2010`` on 64-bit
+hosts.  This requires building the image on a system with
+``vsyscall=emulate`` but allows the resulting container to run on
+systems with ``vsyscall=none`` or ``vsyscall=emulate``.
+
+*vsyscall* is an antiquated optimization for a small number of
+frequently-used system calls.  A vsyscall-enabled Linux kernel maps a
+read-only page of data and system calls into a process' memory at a
+fixed address.  These system calls can then be invoked by
+dereferencing a function pointers to fixed offsets in that page,
+saving a relatively expensive context switch. [1]_
+
+Unfortunately, because the code and its location in memory are fixed
+and well-known, the vsyscall mechanism has become a source of gadgets
+for ROP attacks (specifically, Sigreturn-Oriented Programs). [2]_
+Linux 3.1 introduced vsyscall emulation that prevents attackers from
+jumping into the middle of the system calls' code at the expense of
+speed, as well as the ability to disable it entirely.  [3]_ [4]_ The
+vsyscall mechanism could not be eliminated at the time because
+``glibc`` versions earlier than 2.14 contained hard-coded references
+to the fixed memory address, specifically in ``time(2)``. [5]_ These
+segfault when attempting to issue a vsyscall-optimized system call
+against a kernel that has disabled it.
+
+Linux introduced a "virtual dynamic shared object" (vDSO) that
+achieves the same high-speed, in-process system call mechanism via
+shared objects sometime before the kernel's migration to git.  While
+old itself, vDSO 's presentation as a shared library allows it to
+benefit from ASLR on modern systems, making it no more amenable to ROP
+gadgets than any other shared library.  ``glibc`` only switched over
+completely to vDSO as of glibc 2.25, so until recently vsyscall
+emulation has remained on for most kernels. [6]_ Furthermore, i686
+does not use vsyscall at all, so no version of ``glibc`` requires
+patching on that architecture.
+
+At the same time, vsyscall emulation still exposed values useful to
+ROP attacks, so Linux 4.4 added a compilation option to disable
+it. [7]_ [8]_ Distributions are beginning to ship kernels configured
+without vsyscall, and running CentOS 5 (``glibc`` 2.5) or 6 (``glibc``
+2.12) Docker containers on these distributions indeed causes segfaults
+without ``vsyscall=emulate`` [9]_ [10]_.  CentOS 6, however, is
+supported until 2020.  It is likely that more and more distributions
+will ship with ``CONFIG_LEGACY_VSYSCALL_NONE``; if managed CI services
+like Travis make this switch, developers will be unable to build
+``manylinux2010`` wheels with our Docker image.
+
+Fortunately, vsyscall is merely an optimization, and patches that
+remove it can be backported to glibc 2.12 and the library recompiled.
+The result is this Docker image.  It can be run on kernels regardless
+of their vsyscall configuration because executable and libraries on
+CentOS are dynamically linked against glibc.  Libraries built on this
+image are unaffected because:
+
+a) the kernel only maps vsyscall pages into processes;
+b) only glibc used the vsyscall interface directly, and it's
+   included in manylinux2010's whitelist policy.
+
+Developers who build this vsyscall-less Docker image itself, however,
+must do so on a system with ``vsyscall=emulate``.
+
+References:
+===========
+
+.. [1] https://lwn.net/Articles/446528/
+.. [2] http://www.cs.vu.nl/~herbertb/papers/srop_sp14.pdf
+.. [3] https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=5cec93c216db77c45f7ce970d46283bcb1933884
+.. [4] https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.1
+.. [5] https://sourceware.org/git/?p=glibc.git;a=blob;f=ChangeLog;h=3a6abda7d07fdaa367c48a9274cc1c08498964dc;hb=356f8bc660a154a07b03da7c536831da5c8f74fe
+.. [6] https://sourceware.org/git/?p=glibc.git;a=blob;f=ChangeLog;h=6037fef737f0338a84c6fb564b3b8dc1b1221087;hb=58557c229319a3b8d2eefdb62e7df95089eabe37
+.. [7] https://googleprojectzero.blogspot.fr/2015/08/three-bypasses-and-fix-for-one-of.html
+.. [8] https://outflux.net/blog/archives/2016/09/27/security-things-in-linux-v4-4/
+.. [9] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=852620#20
+.. [10] https://github.com/CentOS/sig-cloud-instance-images/issues/62

docker/glibc/build_scripts/CentOS-source.repo

@@ -0,0 +1,7 @@
+[base-source]
+name=CentOS-6.10 - Base SRPMS
+baseurl=http://vault.centos.org/6.10/os/Source/
+gpgcheck=1
+gpgkey=http://mirror.centos.org/centos/RPM-GPG-KEY-CentOS-6
+priority=1
+enabled=1

docker/glibc/build_scripts/glibc.spec.patch

@@ -0,0 +1,29 @@
+diff --git a/SPECS/glibc.spec b/SPECS/glibc.spec
+index 9bd07c9..c389711 100644
+--- a/SPECS/glibc.spec
++++ b/SPECS/glibc.spec
+@@ -1,6 +1,6 @@
+ %define glibcsrcdir glibc-2.12-2-gc4ccff1
+ %define glibcversion 2.12
+-%define glibcrelease 1.212%{?dist}
++%define glibcrelease 1.212.1%{?dist}
+ %define run_glibc_tests 1
+ %define auxarches athlon sparcv9v sparc64v alphaev6
+ %define xenarches i686 athlon
+@@ -279,6 +279,7 @@ 
+ Patch247: glibc-rh1452717-4.patch
+ Patch248: glibc-rh1504810-1.patch
+ Patch249: glibc-rh1504810-2.patch
++Patch250: remove-vsyscall.patch
+
+ Buildroot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
+ Obsoletes: glibc-profile < 2.4
+@@ -731,6 +732,7 @@
+ %patch247 -p1
+ %patch248 -p1
+ %patch249 -p1
++%patch250 -E -p3
+
+ # A lot of programs still misuse memcpy when they have to use
+ # memmove. The memcpy implementation below is not tolerant at
+