diff options
| author | Thomas Watson <twatson52@icloud.com> | 2022-12-20 00:19:01 +0000 |
|---|---|---|
| committer | Rick van Schijndel <Mindavi@users.noreply.github.com> | 2022-12-20 08:24:19 +0100 |
| commit | af256922142285201e72f00b105f6cb6f5dcbde4 (patch) | |
| tree | 8ae1abb3f4e82aa31ecfeaf5ff39ab7602ac4b50 /nixos | |
| parent | f4137f3e93caa09a330f86cd17696fd961e90583 (diff) | |
nixos/stage-1: Examine binaries for libraries in a consistent order
To reduce size, stage 1 (the initrd) is populated by copying specific binaries in, then copying the libraries specifically needed by those binaries. `patchelf` is then used to make the binaries search in the directory where these libraries are copied to instead of their original store paths. Some filesystems (e.g. ZFS) do not guarantee that copying the same files in the same order into a given directory will result in `find` returning them in any particular order (though the order appears consistent so long as the directory is not modified). Therefore, when the binaries are scanned for libraries to copy in, they might be scanned in a different order each time the derivation is built. If two binaries need two different libraries with the same name, then a different instance of the library might be copied in first, changing the derivation contents and breaking reproducibility. This turns out to be the case with `libudev.so.1` from both `systemd` (needed by e.g. `mdadm`) and `systemdMinimal` (needed by e.g. `dmsetup`). This issue is fixed by sorting the list of binaries to be scanned instead of relying on filesystem order so that the same instance always gets seen and copied first. Both before this change (at least on ext4) and after this change (without any options that affect stage 1), this is the `libudev.so.1` from `systemdMinimal` by way of `dmsetup`. Whether this is appropriate and how much the two different systemd configurations and udev libraries need to be involved is a topic left for future work.
Diffstat (limited to 'nixos')
| -rw-r--r-- | nixos/modules/system/boot/stage-1.nix | 5 |
1 files changed, 3 insertions, 2 deletions
diff --git a/nixos/modules/system/boot/stage-1.nix b/nixos/modules/system/boot/stage-1.nix index 28c76fb169f11..95dcdfd7fbe16 100644 --- a/nixos/modules/system/boot/stage-1.nix +++ b/nixos/modules/system/boot/stage-1.nix @@ -205,8 +205,9 @@ let # Copy ld manually since it isn't detected correctly cp -pv ${pkgs.stdenv.cc.libc.out}/lib/ld*.so.? $out/lib - # Copy all of the needed libraries - find $out/bin $out/lib -type f | while read BIN; do + # Copy all of the needed libraries in a consistent order so + # duplicates are resolved the same way. + find $out/bin $out/lib -type f | sort | while read BIN; do echo "Copying libs for executable $BIN" for LIB in $(${findLibs}/bin/find-libs $BIN); do TGT="$out/lib/$(basename $LIB)" |