From 91abc3917fa847ce1fea0273bc2d523534aee70c Mon Sep 17 00:00:00 2001
From: Vanient
Date: Thu, 8 Sep 2022 21:52:50 +0800
Subject: [PATCH] kata:optimize compile options

1. add CGO compile options for kata-runtime/kata-netmon/containerd-shim-kata-v2, including open BIND_NOW, SP, FS compile options.
2. use pie mode to build kata-monitor
Signed-off-by: Vanient
---
 kata-containers.spec | 8 ++-
 patches/0033-optimize-compile-options.patch | 57 +++++++++++++++++++++
 series.conf | 1 +
 3 files changed, 65 insertions(+), 1 deletion(-)
 create mode 100644 patches/0033-optimize-compile-options.patch

diff --git a/kata-containers.spec b/kata-containers.spec
index 63c9a26..9725900 100644
--- a/kata-containers.spec
+++ b/kata-containers.spec
@@ -2,7 +2,7 @@
 %global debug_package %{nil}
 %define VERSION 2.1.0
-%define RELEASE 29
+%define RELEASE 30
 Name: kata-containers
 Version: %{VERSION}
@@ -108,6 +108,12 @@ strip %{buildroot}/usr/bin/containerd-shim-kata-v2
 %doc
 %changelog
+* Thu Sep 8 2022 xiadanni - 2.1.0-30
+- Type:enhancement
+- ID:NA
+- SUG:NA
+- DESC:optimize compile options
+
 * Fri Sep 2 2022 chengzeruizhi - 2.1.0-29
 - Type:bugfix
 - ID:NA
diff --git a/patches/0033-optimize-compile-options.patch b/patches/0033-optimize-compile-options.patch
new file mode 100644
index 0000000..397901e
--- /dev/null
+++ b/patches/0033-optimize-compile-options.patch
@@ -0,0 +1,57 @@
+From 443e65326eeccb3a4ad8170670d56c32931215f9 Mon Sep 17 00:00:00 2001
+From: Vanient
+Date: Thu, 8 Sep 2022 21:44:13 +0800
+Subject: [PATCH] optimize compile options
+
+Signed-off-by: Vanient
+---
+ src/runtime/Makefile | 20 ++++++++++++++++----
+ 1 file changed, 16 insertions(+), 4 deletions(-)
+
+diff --git a/src/runtime/Makefile b/src/runtime/Makefile
+index bade196..ad421d9 100644
+--- a/src/runtime/Makefile
++++ b/src/runtime/Makefile
+@@ -566,7 +566,11 @@ monitor: $(MONITOR_OUTPUT)
+ netmon: $(NETMON_TARGET_OUTPUT)
+
+ $(NETMON_TARGET_OUTPUT): $(SOURCES) VERSION
+- $(QUIET_BUILD)(cd $(NETMON_DIR) && go build $(BUILDFLAGS) -o $@ -ldflags "-X main.version=$(VERSION)" $(KATA_LDFLAGS))
++ $(QUIET_BUILD)(cd $(NETMON_DIR) && \
++ CGO_CFLAGS="-fstack-protector-strong -fPIE -D_FORTIFY_SOURCE=2 -O2" \
++ CGO_LDFLAGS_ALLOW="-Wl,-z,relro,-z,now" \
++ CGO_LDFLAGS="-Wl,-z,relro,-z,now -Wl,-z,noexecstack" \
++ go build $(BUILDFLAGS) -o $@ -ldflags "-linkmode=external -X main.version=$(VERSION)" $(KATA_LDFLAGS))
+
+ runtime: $(TARGET_OUTPUT) $(CONFIGS)
+ .DEFAULT: default
+@@ -605,15 +609,23 @@ GENERATED_FILES += $(GENERATED_CONFIG)
+ GENERATED_FILES += pkg/katautils/config-settings.go
+
+ $(TARGET_OUTPUT): $(SOURCES) $(GENERATED_FILES) $(MAKEFILE_LIST) | show-summary
+- $(QUIET_BUILD)(cd $(CLI_DIR) && go build $(KATA_LDFLAGS) $(BUILDFLAGS) -o $@ .)
++ $(QUIET_BUILD)(cd $(CLI_DIR) && \
++ CGO_CFLAGS="-fstack-protector-strong -fPIE -D_FORTIFY_SOURCE=2 -O2" \
++ CGO_LDFLAGS_ALLOW="-Wl,-z,relro,-z,now" \
++ CGO_LDFLAGS="-Wl,-z,relro,-z,now -Wl,-z,noexecstack" \
++ go build -ldflags "-linkmode=external" $(KATA_LDFLAGS) $(BUILDFLAGS) -o $@ .)
+
+ $(SHIMV2_OUTPUT): $(SOURCES) $(GENERATED_FILES) $(MAKEFILE_LIST)
+ $(QUIET_BUILD)(cd $(SHIMV2_DIR)/ && ln -fs $(GENERATED_CONFIG))
+- $(QUIET_BUILD)(cd $(SHIMV2_DIR)/ && go build $(KATA_LDFLAGS) $(BUILDFLAGS) -o $@ .)
++ $(QUIET_BUILD)(cd $(SHIMV2_DIR)/ && \
++ CGO_CFLAGS="-fstack-protector-strong -fPIE -D_FORTIFY_SOURCE=2 -O2" \
++ CGO_LDFLAGS_ALLOW="-Wl,-z,relro,-z,now" \
++ CGO_LDFLAGS="-Wl,-z,relro,-z,now -Wl,-z,noexecstack" \
++ go build -ldflags "-linkmode=external" $(KATA_LDFLAGS) $(BUILDFLAGS) -o $@ .)
+
+ $(MONITOR_OUTPUT): $(SOURCES) $(GENERATED_FILES) $(MAKEFILE_LIST) .git-commit
+ $(QUIET_BUILD)(cd $(MONITOR_DIR)/ && CGO_ENABLED=0 go build \
+- --ldflags "-X main.GitCommit=$(shell cat .git-commit)" $(BUILDFLAGS) -buildmode=exe -o $@ .)
++ --ldflags "-linkmode=external -X main.GitCommit=$(shell cat .git-commit)" $(BUILDFLAGS) -o $@ .)
+
+ .PHONY: \
+ check \
+--
+2.27.0
+
diff --git a/series.conf b/series.conf
index d4e49ed..45bf63e 100644
--- a/series.conf
+++ b/series.conf
@@ -30,3 +30,4 @@
 0030-use-host_device-blockdev-adding.patch
 0031-add-explicit-on-after-kernel_irqchip.patch
 0032-qmp-Don-t-use-deprecated-props-field-for-object-add.patch
+0033-optimize-compile-options.patch
--
Gitee
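Review bot: None of the four rewritten `go build` lines in the new patch file passes `-buildmode=pie`, so neither the three cgo targets nor kata-monitor actually come out as position-independent executables: `-fPIE` in CGO_CFLAGS only affects the cgo objects, switching to `-linkmode=external` does not change the build mode, and the monitor recipe merely drops `-buildmode=exe` (already the default on linux) — in exe mode the Go linker asks the host linker for a non-PIE link (it passes `-no-pie` where the compiler accepts it), so the "use pie mode to build kata-monitor" in the commit message is not realised and RELRO/BIND_NOW end up on fixed-address binaries. Add `-buildmode=pie` to all four invocations; for kata-monitor, which stays `CGO_ENABLED=0`, the internal linker can emit a PIE on linux/amd64 and arm64, so `-linkmode=external` there is unnecessary and should be verified to even link without `runtime/cgo` on the target toolchain. The same three environment lines are pasted verbatim into three recipes; one variable keeps the hardening flags from drifting apart. `CGO_LDFLAGS_ALLOW` is documented as widening the allow-list for `#cgo LDFLAGS` source directives; confirm it is needed for the environment-supplied flags here and drop it otherwise.
```make
# Hardening for the cgo-built binaries, shared by every target below so the
# flags cannot drift apart between recipes. CGO_LDFLAGS_ALLOW is kept only
# until a build without it has been verified on the target toolchain.
CGO_HARDEN_ENV := CGO_CFLAGS="-fstack-protector-strong -fPIE -D_FORTIFY_SOURCE=2 -O2" \
                  CGO_LDFLAGS_ALLOW="-Wl,-z,relro,-z,now" \
                  CGO_LDFLAGS="-Wl,-z,relro,-z,now -Wl,-z,noexecstack"
# Requested explicitly: in the default exe mode the Go linker links non-PIE.
GO_PIE_FLAGS := -buildmode=pie

$(NETMON_TARGET_OUTPUT): $(SOURCES) VERSION
	$(QUIET_BUILD)(cd $(NETMON_DIR) && $(CGO_HARDEN_ENV) \
		go build $(GO_PIE_FLAGS) $(BUILDFLAGS) -o $@ -ldflags "-linkmode=external -X main.version=$(VERSION)" $(KATA_LDFLAGS))

# … unchanged: runtime, .DEFAULT, GENERATED_FILES …

$(TARGET_OUTPUT): $(SOURCES) $(GENERATED_FILES) $(MAKEFILE_LIST) | show-summary
	$(QUIET_BUILD)(cd $(CLI_DIR) && $(CGO_HARDEN_ENV) \
		go build $(GO_PIE_FLAGS) -ldflags "-linkmode=external" $(KATA_LDFLAGS) $(BUILDFLAGS) -o $@ .)

$(SHIMV2_OUTPUT): $(SOURCES) $(GENERATED_FILES) $(MAKEFILE_LIST)
# … unchanged: ln -fs $(GENERATED_CONFIG) …
	$(QUIET_BUILD)(cd $(SHIMV2_DIR)/ && $(CGO_HARDEN_ENV) \
		go build $(GO_PIE_FLAGS) -ldflags "-linkmode=external" $(KATA_LDFLAGS) $(BUILDFLAGS) -o $@ .)

$(MONITOR_OUTPUT): $(SOURCES) $(GENERATED_FILES) $(MAKEFILE_LIST) .git-commit
	$(QUIET_BUILD)(cd $(MONITOR_DIR)/ && CGO_ENABLED=0 go build $(GO_PIE_FLAGS) \
		--ldflags "-X main.GitCommit=$(shell cat .git-commit)" $(BUILDFLAGS) -o $@ .)
```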