Tuesday, May 29, 2018

How to generate CentOS 7 sysroot on Ubuntu 18.04

There was some delay since the previous post... So might be there will be more posts soon.

Ok, I want to compile 32-bit C application with clang 6 for CentOS 7 on my 64-bit Ubuntu 18.04. glibc on Ubuntu is 2.27, very custom 2.17 on CentOS 7 (full version - 2.17-222.el7), and some other potential dependencies.

Prerequisites

Installed clang and lld (to compile and link), yum and rpm.

Sysroot 

  • wget -c http://mirror.centos.org/altarch/7/os/i386/Packages/centos-release-7-5.1804.el7.centos.i.i686.rpm
    • for 64-bit: http://mirror.centos.org/centos/7/os/x86_64/Packages/centos-release-7-5.1804.el7.centos.x86_64.rpm
  • mkdir centos7sysroot
  • cd centos7sysroot
  • sudo rpm -i --root=$PWD --nodeps ../centos-release-7-5.1804.el7.centos.i.i686.rpm
    • Output:
      rpm: RPM should not be used directly install RPM packages, use Alien instead!
      rpm: However assuming you know what you are doing...
      warning: ../centos-release-7-5.1804.el7.centos.i.i686.rpm: Header V3 RSA/SHA256 Signature, key ID f4a80eb5: NOKEY
      warning: %post(centos-release-7-5.1804.el7.centos.i.i686) scriptlet failed, exit status 127
      
  • sudo sed -i "s/\$basearch/i386/g" etc/yum.repos.d/CentOS-Base.repo
    • for 32 bits, as otherwise host yum will use x86_64
  •  sudo sed -i "s/gpgcheck=1/gpgcheck=0/g" etc/yum.repos.d/CentOS-Base.repo
  •  sudo yum --installroot=$PWD install -y glibc-devel glibc-headers
    • Output:
      ...
      Running Transaction
      ** Found 3 pre-existing rpmdb problem(s), 'yum check' output follows:
      centos-release-7-5.1804.el7.centos.i.i686 has missing requires of /bin/sh
      centos-release-7-5.1804.el7.centos.i.i686 has missing requires of coreutils
      centos-release-7-5.1804.el7.centos.i.i686 has missing requires of grep
      
      ...
      
      Installed:
        glibc-devel.i686 0:2.17-222.el7                                                                   glibc-headers.i686 0:2.17-222.el7                                                                  
      
      Dependency Installed:
        basesystem.noarch 0:10.0-7.el7.centos            bash.i686 0:4.2.46-30.el7          filesystem.i686 0:3.2-25.el7                                glibc.i686 0:2.17-222.el7                         
        glibc-common.i686 0:2.17-222.el7                 info.i686 0:5.1-5.el7              kernel-headers.i686 0:3.10.0-862.3.2.el7.centos.plus        libgcc.i686 0:4.8.5-28.el7_5.1                    
        libselinux.i686 0:2.5-12.el7                     libsepol.i686 0:2.5-8.1.el7        libstdc++.i686 0:4.8.5-28.el7_5.1                           ncurses-base.noarch 0:5.9-14.20130511.el7_4       
        ncurses-libs.i686 0:5.9-14.20130511.el7_4        nspr.i686 0:4.19.0-1.el7_5         nss-softokn-freebl.i686 0:3.36.0-5.el7_5                    nss-util.i686 0:3.36.0-1.el7_5                    
        pcre.i686 0:8.32-17.el7                          setup.noarch 0:2.8.71-9.el7        tzdata.noarch 0:2018e-3.el7                                 zlib.i686 0:1.2.7-17.el7                          
      
      Complete! 
Sysroot is created.

Compiler settings

CC = clang-6.0 -m32 --sysroot=sysroot_path
LD = $(CC) -fuse-ld=lld
or
LD = clang-6.0 -m32 --sysroot=sysroot_path -fuse-ld=lld

Some hardening clang options:
CHARDENING = -D_FORTIFY_SOURCE=2 -D_GLIBCXX_ASSERTIONS -fasynchronous-unwind-tables -fexceptions  -fPIC \
                -grecord-gcc-switches -g -O2 -pipe -Wall -Werror=format-security -Werror=implicit-function-declaration \
                -fstack-protector-strong -fsanitize=safe-stack -fsanitize=cfi -fvisibility=hidden -flto
LHARDENING = $(CHARDENING) -Wl,-z,defs -Wl,-z,now -Wl,-z,relro 
 
(-Wall and so on are enabled by default)
 
That's all.