Build the ring rust crate with a stable build path

kpcyrd kpcyrd at archlinux.org
Mon May 8 00:08:09 UTC 2023


Hello!

I was using github actions to compile my project but had trouble 
matching the binary, even when using podman with a ubuntu:22.04 
container to match the ubuntu used by my github actions.

I was attempting to use --remap-path-prefix with RUSTFLAGS to prevent 
rustc from recording build paths, but using diffoscope I discovered the 
binary still contains paths like 
"/home/runner/.cargo/registry/src/github.com-1ecc6299db9ec823/ring-0.16.20/pregenerated" 
from the github environment or 
"/root/.cargo/registry/src/github.com-1ecc6299db9ec823/ring-0.16.20/pregenerated/aesni-gcm-x86_64-elf.S" 
from my build container.

After some research I discovered this is a known issue[1] in the ring 
crate with a pending patch[2], but also found a workaround I want to 
share with this list.

[1]: https://github.com/briansmith/ring/issues/715
[2]: https://github.com/briansmith/ring/pull/802

I set up a script called build.sh that looks like this:

```
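#!/bin/sh
# Fall back to the default cargo home if CARGO_HOME is not set
CARGO_HOME="${CARGO_HOME:-$HOME/.cargo}"
mkdir -p -- "$CARGO_HOME"
# New user and mount namespace, with the current user mapped to root inside it
unshare -Umr sh -xe <<EOF
mount -t tmpfs tmpfs /mnt
mkdir /mnt/src /mnt/cargo
# Bind the project and cargo home to stable paths (expanded by the outer shell)
mount --bind "$PWD" /mnt/src
mount --bind "$CARGO_HOME" /mnt/cargo
cd /mnt/src/
CARGO_HOME=/mnt/cargo cargo build --release --verbose --target=x86_64-unknown-linux-musl
EOF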
```

This can be run without root privileges if user namespaces are enabled. 
The script sets up two directories in /mnt to provide the source code, 
build directory and $CARGO_HOME folder at stable locations.

This view on the file system is exclusive to the compiler process and 
doesn't interfere with any other processes making use of the /mnt 
directory, but this approach obviously only works if the input 
directories are located in e.g. /home and not /mnt itself. You may need 
to delete the target/ directory to get rid of any embedded build paths 
in your build cache that aren't /mnt/src or /mnt/cargo.

This allowed me to match the binary built by github actions with one 
built in my ubuntu:22.04 container. You still need to match all 
compilers used or you may run into "GNU AS 2.38" vs "GNU AS 2.40.0" or 
"GCC: (Ubuntu 11.3.0-1ubuntu1~22.04) 11.3.0" vs "GCC: (GNU) 13.1.1 
20230429". And obviously to change the binary output is the whole point 
of releasing a new compiler version. Linux distributions are using 
buildinfo files for this; I'm not aware of any github native solutions 
for this.

I hope somebody considers this useful.

Cheers,
kpcyrd
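
A way to check a built binary for the registry paths described in the message above, as an added example that is not part of the original post. The function names and the default stable prefix (/mnt/cargo, taken from build.sh) are assumptions of this example, and the sample bytes written by write_sample are constructed.

```shell
#!/bin/sh
# Added example: report cargo registry paths embedded in a binary that do not
# sit under the stable prefix used by the build.sh workaround (/mnt/cargo).

# unstable_registry_paths FILE [STABLE_PREFIX]
# Prints each distinct embedded ".../registry/src/..." path outside the prefix.
unstable_registry_paths() {
    file=$1
    stable=${2:-/mnt/cargo}
    # -a treats the binary as text, -o prints only the matching bytes.
    LC_ALL=C grep -a -o -E '/[[:alnum:]_./+-]*/registry/src/[[:alnum:]_./+-]*' "$file" \
        | sort -u \
        | while IFS= read -r path; do
            case $path in
                "$stable"/*) ;;                # expected stable location
                *) printf '%s\n' "$path" ;;    # build-environment specific
            esac
        done
}

# check_binary FILE [STABLE_PREFIX]
# Returns 0 when every embedded registry path is under the stable prefix.
check_binary() {
    leaks=$(unstable_registry_paths "$@")
    if [ -n "$leaks" ]; then
        printf 'registry paths outside the stable prefix:\n%s\n' "$leaks" >&2
        return 1
    fi
    return 0
}

# write_sample FILE
# Constructed stand-in for a binary: NUL-separated strings, one path as
# recorded on a GitHub runner and one as recorded under /mnt/cargo.
write_sample() {
    printf 'ELF\0\0/home/runner/.cargo/registry/src/github.com-1ecc6299db9ec823/ring-0.16.20/pregenerated\0junk\0/mnt/cargo/registry/src/github.com-1ecc6299db9ec823/ring-0.16.20/src/lib.rs\0' > "$1"
}

# Used as a script: ./check.sh target/x86_64-unknown-linux-musl/release/BINARY
if [ -n "${1:-}" ]; then
    check_binary "$@"
fi
```

A non-zero exit after a build through build.sh usually means stale objects in target/ that were compiled before the paths were remapped.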

