[1.28] Disable static PIE runc builds on arm64#4426
Merged
ktsakalozos merged 1 commit into1.28from Feb 20, 2024
Merged
Conversation
neoaggelos
force-pushed
the
KU-398/runc-builds-1.28
branch
from
8e0c107 to
7eca928
Compare
kp-mariappan-ramasamy
added a commit
to expressvpn/lightway
that referenced
this pull request
Dec 3, 2025
Revert from -static-pie back to -static for musl static linking. Issue: - Commit pqqxpkzx changed to -static-pie to remove interpreter section - While -static-pie builds successfully, it causes SIGSEGV crashes on aarch64 - Attempted --no-dynamic-linker as alternative, but also causes SIGSEGV Root Cause: Both -static-pie and --no-dynamic-linker are incompatible with aarch64 at runtime: - -static-pie: Newer linker feature with limited kernel support on ARM - --no-dynamic-linker: Removes PT_INTERP but breaks dynamic loader initialization - Static PIE on aarch64 has historical toolchain gaps and ongoing compatibility issues - Some projects (microk8s, runc) explicitly disable static-pie on arm64 Research References: - https://bugs.debian.org/973430 - ARM64 missing --enable-static-pie - rust-lang/rust#97117 - Rust static-PIE linking issues ARM64 - canonical/microk8s#4426 - Disable static PIE on arm64 - https://stackoverflow.com/questions/10465875 - --no-dynamic-linker flag usage Solution: - Use plain -static for maximum compatibility across architectures - Accept cosmetic "dynamically linked, interpreter..." in file output on aarch64 - What matters: no NEEDED entries (external dependencies) Verification: - aarch64-musl: Builds successfully, no NEEDED entries, runs without SIGSEGV ✓ - x86_64-musl: Works as before ✓ - Binary is functionally static despite interpreter section presence on aarch64 Trade-off: - aarch64: file shows "interpreter /lib/ld-musl-aarch64.so.1" (cosmetic only) - x86_64: file shows "static-pie linked" (clean) - Both have no NEEDED entries and are truly static - Runtime compatibility more important than cosmetic output
kp-mariappan-ramasamy
added a commit
to expressvpn/lightway
that referenced
this pull request
Dec 3, 2025
Revert from -static-pie back to -static for musl static linking. Issue: - Commit pqqxpkzx changed to -static-pie to remove interpreter section - While -static-pie builds successfully, it causes SIGSEGV crashes on aarch64 - Attempted alternatives also fail: * --no-dynamic-linker: Removes PT_INTERP but causes SIGSEGV on aarch64 * -no-pie flag: Ignored by musl linker, still produces PIE binary * -C relocation-model=static: Also produces PIE binary on aarch64 Root Cause: Modern musl toolchain on aarch64 always produces PIE (Position Independent Executable) binaries with PT_INTERP section for ASLR security benefits. Both -static-pie and --no-dynamic-linker break runtime loader initialization: - -static-pie: Newer feature with limited kernel support on ARM architectures - --no-dynamic-linker: Removes PT_INTERP but breaks dynamic loader startup - Historical toolchain gaps in ARM64 static-PIE support - Real-world projects (microk8s, runc) explicitly disable static-PIE on arm64 Research References: - https://bugs.debian.org/973430 - ARM64 missing --enable-static-pie - rust-lang/rust#97117 - Rust static-PIE ARM64 issues - canonical/microk8s#4426 - Disable static PIE on arm64 - https://stackoverflow.com/questions/10465875 - --no-dynamic-linker usage - rust-lang/rust#94364 - Rust 1.59 musl PIE behavior Investigation: Compared with bat binary (https://github.com/sharkdp/bat): - bat uses 'cross' tool in Docker with custom toolchain - Produces EXEC-type binary (not PIE/DYN) - We attempted: -no-pie, -C relocation-model=static - Result: musl aarch64 linker ignores these, always produces PIE Understanding NEEDED Entries: The key metric for static binaries is NEEDED entries in ELF dynamic section: - Dynamic binary: Has NEEDED entries listing shared libraries (libc.so, etc) - Static binary: No NEEDED entries, all code embedded - Our binary: No NEEDED entries despite showing "dynamically linked" ✓ Solution: - Use plain -static for maximum compatibility across architectures - Accept cosmetic "dynamically linked, interpreter..." on aarch64 - Binary is functionally static: no NEEDED entries (external dependencies) - Runtime compatibility confirmed on aarch64 hardware Verification: - aarch64-musl: No NEEDED entries, runs without SIGSEGV ✓ - x86_64-musl: Shows "static-pie linked", no NEEDED entries ✓ - Both are truly static despite different file output cosmetics Trade-off: - aarch64: Shows "dynamically linked, interpreter /lib/ld-musl-aarch64.so.1" - x86_64: Shows "static-pie linked" - Both: Zero NEEDED entries, fully static, no external dependencies - PT_INTERP section on aarch64 is harmless (never used, no libs to load) - Runtime compatibility and correctness over cosmetic output
kp-mariappan-ramasamy
added a commit
to expressvpn/lightway
that referenced
this pull request
Dec 3, 2025
Revert from -static-pie back to -static for musl static linking. Issue: - Commit pqqxpkzx changed to -static-pie to remove interpreter section - While -static-pie builds successfully, it causes SIGSEGV crashes on aarch64 - Attempted --no-dynamic-linker as alternative, but also causes SIGSEGV Root Cause: Both -static-pie and --no-dynamic-linker are incompatible with aarch64 at runtime: - -static-pie: Newer linker feature with limited kernel support on ARM - --no-dynamic-linker: Removes PT_INTERP but breaks dynamic loader initialization - Static PIE on aarch64 has historical toolchain gaps and ongoing compatibility issues - Some projects (microk8s, runc) explicitly disable static-pie on arm64 Research References: - https://bugs.debian.org/973430 - ARM64 missing --enable-static-pie - rust-lang/rust#97117 - Rust static-PIE linking issues ARM64 - canonical/microk8s#4426 - Disable static PIE on arm64 - https://stackoverflow.com/questions/10465875 - --no-dynamic-linker flag usage Solution: - Use plain -static for maximum compatibility across architectures - Accept cosmetic "dynamically linked, interpreter..." in file output on aarch64 - What matters: no NEEDED entries (external dependencies) Verification: - aarch64-musl: Builds successfully, no NEEDED entries, runs without SIGSEGV ✓ - x86_64-musl: Works as before ✓ - Binary is functionally static despite interpreter section presence on aarch64 Trade-off: - aarch64: file shows "interpreter /lib/ld-musl-aarch64.so.1" (cosmetic only) - x86_64: file shows "static-pie linked" (clean) - Both have no NEEDED entries and are truly static - Runtime compatibility more important than cosmetic output nix: revert to -static flag for aarch64 compatibility Revert from -static-pie back to -static for musl static linking. Issue: - Commit pqqxpkzx changed to -static-pie to remove interpreter section - While -static-pie builds successfully, it causes SIGSEGV crashes on aarch64 - Attempted alternatives also fail: * --no-dynamic-linker: Removes PT_INTERP but causes SIGSEGV on aarch64 * -no-pie flag: Ignored by musl linker, still produces PIE binary * -C relocation-model=static: Also produces PIE binary on aarch64 Root Cause: Modern musl toolchain on aarch64 always produces PIE (Position Independent Executable) binaries with PT_INTERP section for ASLR security benefits. Both -static-pie and --no-dynamic-linker break runtime loader initialization: - -static-pie: Newer feature with limited kernel support on ARM architectures - --no-dynamic-linker: Removes PT_INTERP but breaks dynamic loader startup - Historical toolchain gaps in ARM64 static-PIE support - Real-world projects (microk8s, runc) explicitly disable static-PIE on arm64 Research References: - https://bugs.debian.org/973430 - ARM64 missing --enable-static-pie - rust-lang/rust#97117 - Rust static-PIE ARM64 issues - canonical/microk8s#4426 - Disable static PIE on arm64 - https://stackoverflow.com/questions/10465875 - --no-dynamic-linker usage - rust-lang/rust#94364 - Rust 1.59 musl PIE behavior Investigation: Compared with bat binary (https://github.com/sharkdp/bat): - bat uses 'cross' tool in Docker with custom toolchain - Produces EXEC-type binary (not PIE/DYN) - We attempted: -no-pie, -C relocation-model=static - Result: musl aarch64 linker ignores these, always produces PIE Understanding NEEDED Entries: The key metric for static binaries is NEEDED entries in ELF dynamic section: - Dynamic binary: Has NEEDED entries listing shared libraries (libc.so, etc) - Static binary: No NEEDED entries, all code embedded - Our binary: No NEEDED entries despite showing "dynamically linked" ✓ Solution: - Use plain -static for maximum compatibility across architectures - Accept cosmetic "dynamically linked, interpreter..." on aarch64 - Binary is functionally static: no NEEDED entries (external dependencies) - Runtime compatibility confirmed on aarch64 hardware Verification: - aarch64-musl: No NEEDED entries, runs without SIGSEGV ✓ - x86_64-musl: Shows "static-pie linked", no NEEDED entries ✓ - Both are truly static despite different file output cosmetics Trade-off: - aarch64: Shows "dynamically linked, interpreter /lib/ld-musl-aarch64.so.1" - x86_64: Shows "static-pie linked" - Both: Zero NEEDED entries, fully static, no external dependencies - PT_INTERP section on aarch64 is harmless (never used, no libs to load) - Runtime compatibility and correctness over cosmetic output
kp-mariappan-ramasamy
added a commit
to expressvpn/lightway
that referenced
this pull request
Dec 3, 2025
Revert from -static-pie back to -static for musl static linking. Issue: - Commit pqqxpkzx changed to -static-pie to remove interpreter section - While -static-pie builds successfully, it causes SIGSEGV crashes on aarch64 - Attempted --no-dynamic-linker as alternative, but also causes SIGSEGV Root Cause: Both -static-pie and --no-dynamic-linker are incompatible with aarch64 at runtime: - -static-pie: Newer linker feature with limited kernel support on ARM - --no-dynamic-linker: Removes PT_INTERP but breaks dynamic loader initialization - Static PIE on aarch64 has historical toolchain gaps and ongoing compatibility issues - Some projects (microk8s, runc) explicitly disable static-pie on arm64 Research References: - https://bugs.debian.org/973430 - ARM64 missing --enable-static-pie - rust-lang/rust#97117 - Rust static-PIE linking issues ARM64 - canonical/microk8s#4426 - Disable static PIE on arm64 - https://stackoverflow.com/questions/10465875 - --no-dynamic-linker flag usage Solution: - Use plain -static for maximum compatibility across architectures - Accept cosmetic "dynamically linked, interpreter..." in file output on aarch64 - What matters: no NEEDED entries (external dependencies) Verification: - aarch64-musl: Builds successfully, no NEEDED entries, runs without SIGSEGV ✓ - x86_64-musl: Works as before ✓ - Binary is functionally static despite interpreter section presence on aarch64 Trade-off: - aarch64: file shows "interpreter /lib/ld-musl-aarch64.so.1" (cosmetic only) - x86_64: file shows "static-pie linked" (clean) - Both have no NEEDED entries and are truly static - Runtime compatibility more important than cosmetic output nix: revert to -static flag for aarch64 compatibility Revert from -static-pie back to -static for musl static linking. Issue: - Commit pqqxpkzx changed to -static-pie to remove interpreter section - While -static-pie builds successfully, it causes SIGSEGV crashes on aarch64 - Attempted alternatives also fail: * --no-dynamic-linker: Removes PT_INTERP but causes SIGSEGV on aarch64 * -no-pie flag: Ignored by musl linker, still produces PIE binary * -C relocation-model=static: Also produces PIE binary on aarch64 Root Cause: Modern musl toolchain on aarch64 always produces PIE (Position Independent Executable) binaries with PT_INTERP section for ASLR security benefits. Both -static-pie and --no-dynamic-linker break runtime loader initialization: - -static-pie: Newer feature with limited kernel support on ARM architectures - --no-dynamic-linker: Removes PT_INTERP but breaks dynamic loader startup - Historical toolchain gaps in ARM64 static-PIE support - Real-world projects (microk8s, runc) explicitly disable static-PIE on arm64 Research References: - https://bugs.debian.org/973430 - ARM64 missing --enable-static-pie - rust-lang/rust#97117 - Rust static-PIE ARM64 issues - canonical/microk8s#4426 - Disable static PIE on arm64 - https://stackoverflow.com/questions/10465875 - --no-dynamic-linker usage - rust-lang/rust#94364 - Rust 1.59 musl PIE behavior Investigation: Compared with bat binary (https://github.com/sharkdp/bat): - bat uses 'cross' tool in Docker with custom toolchain - Produces EXEC-type binary (not PIE/DYN) - We attempted: -no-pie, -C relocation-model=static - Result: musl aarch64 linker ignores these, always produces PIE Understanding NEEDED Entries: The key metric for static binaries is NEEDED entries in ELF dynamic section: - Dynamic binary: Has NEEDED entries listing shared libraries (libc.so, etc) - Static binary: No NEEDED entries, all code embedded - Our binary: No NEEDED entries despite showing "dynamically linked" ✓ Solution: - Use plain -static for maximum compatibility across architectures - Accept cosmetic "dynamically linked, interpreter..." on aarch64 - Binary is functionally static: no NEEDED entries (external dependencies) - Runtime compatibility confirmed on aarch64 hardware Verification: - aarch64-musl: No NEEDED entries, runs without SIGSEGV ✓ - x86_64-musl: Shows "static-pie linked", no NEEDED entries ✓ - Both are truly static despite different file output cosmetics Trade-off: - aarch64: Shows "dynamically linked, interpreter /lib/ld-musl-aarch64.so.1" - x86_64: Shows "static-pie linked" - Both: Zero NEEDED entries, fully static, no external dependencies - PT_INTERP section on aarch64 is harmless (never used, no libs to load) - Runtime compatibility and correctness over cosmetic output
kp-mariappan-ramasamy
added a commit
to expressvpn/lightway
that referenced
this pull request
Dec 9, 2025
I tried the following: - Use -static-pie to remove interpreter section * While -static-pie builds successfully, it causes SIGSEGV crashes on aarch64 - --no-dynamic-linker: Removes PT_INTERP but causes SIGSEGV on aarch64 - -no-pie flag: Ignored by musl linker, still produces PIE binary - -C relocation-model=static: Also produces PIE binary on aarch64 Modern musl toolchain on aarch64 always produces PIE (Position Independent Executable) binaries with PT_INTERP section for ASLR security benefits. Both -static-pie and --no-dynamic-linker break runtime loader initialization: - -static-pie: Newer feature with limited kernel support on ARM architectures - --no-dynamic-linker: Removes PT_INTERP but breaks dynamic loader startup - Historical toolchain gaps in ARM64 static-PIE support - Real-world projects (microk8s, runc) explicitly disable static-PIE on arm64 Research References: - https://bugs.debian.org/973430 - ARM64 missing --enable-static-pie - rust-lang/rust#97117 - Rust static-PIE linking issues ARM64 - rust-lang/rust#94364 - Rust 1.59 musl PIE behavior - canonical/microk8s#4426 - Disable static PIE on arm64 - https://stackoverflow.com/questions/10465875 - --no-dynamic-linker flag usage
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Fix runc builds on arm64