Makefile: add selinux and apparmor build tags

Both selinux and apparmor subsystems can detect whether they are enabled,
and act accordingly. Compiling them in by default should help avoid
some frustration caused by missing build tags.

This should not change anything in case BUILDTAGS is already set.

README.md is amended to clarify what BUILDTAGS are enabled by
default.

[v2: add apparmor]
[v3: add it unconditionally, fix README]

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
Kir Kolyshkin 2020-03-11 11:39:13 -07:00
parent 69f6f32f6b
commit 89c108b1be
2 changed files with 12 additions and 11 deletions


@ -13,7 +13,7 @@ GIT_BRANCH := $(shell git rev-parse --abbrev-ref HEAD 2>/dev/null)
GIT_BRANCH_CLEAN := $(shell echo $(GIT_BRANCH) | sed -e "s/[^[:alnum:]]/-/g") GIT_BRANCH_CLEAN := $(shell echo $(GIT_BRANCH) | sed -e "s/[^[:alnum:]]/-/g")
RUNC_IMAGE := runc_dev$(if $(GIT_BRANCH_CLEAN),:$(GIT_BRANCH_CLEAN)) RUNC_IMAGE := runc_dev$(if $(GIT_BRANCH_CLEAN),:$(GIT_BRANCH_CLEAN))
PROJECT := github.com/opencontainers/runc PROJECT := github.com/opencontainers/runc
BUILDTAGS ?= seccomp BUILDTAGS ?= seccomp selinux apparmor
COMMIT_NO := $(shell git rev-parse HEAD 2> /dev/null || true) COMMIT_NO := $(shell git rev-parse HEAD 2> /dev/null || true)
COMMIT ?= $(if $(shell git status --porcelain --untracked-files=no),"${COMMIT_NO}-dirty","${COMMIT_NO}") COMMIT ?= $(if $(shell git status --porcelain --untracked-files=no),"${COMMIT_NO}-dirty","${COMMIT_NO}")
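Review bot: Because the `BUILDTAGS` assignment uses `?=`, any build that already sets the variable, on the make command line or in the environment, replaces the whole list, so a packaging script that passes `BUILDTAGS=seccomp` keeps producing a binary without selinux and apparmor support and gets no hint that the defaults grew. The commit message says this is intended, but a comment directly above the assignment stating that an override replaces rather than extends the default list would make that visible to whoever edits or overrides it next.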


@ -34,8 +34,6 @@ It must be built with Go version 1.6 or higher in order for some features to fun
In order to enable seccomp support you will need to install `libseccomp` on your platform. In order to enable seccomp support you will need to install `libseccomp` on your platform.
> e.g. `libseccomp-devel` for CentOS, or `libseccomp-dev` for Ubuntu > e.g. `libseccomp-devel` for CentOS, or `libseccomp-dev` for Ubuntu
Otherwise, if you do not want to build `runc` with seccomp support you can add `BUILDTAGS=""` when running make.
```bash ```bash
# create a 'github.com/opencontainers' in your GOPATH/src # create a 'github.com/opencontainers' in your GOPATH/src
cd github.com/opencontainers cd github.com/opencontainers
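Review bot: Deleting the `BUILDTAGS=""` sentence leaves this section with no instruction for building when `libseccomp` is not installed, while the context lines just above still say it is required for seccomp support. Suggest replacing the sentence rather than removing it, with an example that drops only seccomp, such as `make BUILDTAGS='selinux apparmor'`, since with the new default an empty `BUILDTAGS` would also strip selinux and apparmor from the build.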
@ -60,19 +58,22 @@ sudo make install
#### Build Tags #### Build Tags
`runc` supports optional build tags for compiling support of various features. `runc` supports optional build tags for compiling support of various features,
To add build tags to the make option the `BUILDTAGS` variable must be set. with some of them enabled by default (see `BUILDTAGS` in top-level `Makefile`).
To change build tags from the default, set the `BUILDTAGS` variable for make,
e.g.
```bash ```bash
make BUILDTAGS='seccomp apparmor' make BUILDTAGS='seccomp apparmor'
``` ```
| Build Tag | Feature | Dependency | | Build Tag | Feature | Enabled by default | Dependency |
|-----------|------------------------------------|-------------| |-----------|------------------------------------|--------------------|------------|
| seccomp | Syscall filtering | libseccomp | | seccomp | Syscall filtering | yes | libseccomp |
| selinux | selinux process and mount labeling | <none> | | selinux | selinux process and mount labeling | yes | <none> |
| apparmor | apparmor profile support | <none> | | apparmor | apparmor profile support | yes | <none> |
| nokmem | disable kernel memory account | <none> | | nokmem | disable kernel memory accounting | no | <none> |
### Running the test suite ### Running the test suite
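Review bot: The unchanged example `make BUILDTAGS='seccomp apparmor'` reads differently next to the new "Enabled by default" column: with all three tags on by default, running it removes selinux rather than adding anything. The new wording "To change build tags from the default" does not say that the variable replaces the default list, so suggest stating that explicitly and switching the example to one that keeps the defaults and adds a tag, e.g. `make BUILDTAGS='seccomp selinux apparmor nokmem'`. The "yes" entries also duplicate the Makefile default, so they need updating whenever that line changes.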