After bug 955127, and commit 43a3a234, trafficserver is built as follows:

  ./configure --enable-layout=Gentoo --libdir=%{_libdir}/trafficserver --with-tcl=%{_libdir} --with-user=ats --with-group=ats
  make %{?_smp_mflags} LDFLAGS="%{?__global_ldflags}" CFLAGS="$RPM_OPT_FLAGS" CXXFLAGS="$RPM_OPT_FLAGS"

The problem with this approach is that trafficserver must be compiled with -fno-strict-aliasing, otherwise several inline functions in proxy/hdrs/HTTP.h which violate strict aliasing (e.g. object_key_get, object_size_get and friends) will be miscompiled. (Actually, these functions should be rewritten in less fragile/undefined form, but that is a task for upstream.)

The configure script normally adds the -fno-strict-aliasing flag, but the way make is invoked here overrides any of those additions. In effect, all the sources are compiled with -O2 -g (at least, that seems to be the default on my testing machine).

Instead, please pass the flags as environment variables to the configure script, like so:

  LDFLAGS="%{?__global_ldflags}" CFLAGS="$RPM_OPT_FLAGS" CXXFLAGS="$RPM_OPT_FLAGS" ./configure --enable-layout=Gentoo --libdir=%{_libdir}/trafficserver --with-tcl=%{_libdir} --with-user=ats --with-group=ats
  make %{?_smp_mflags}

This way, you can be sure that 1) any hardening flags from $RPM_OPT_FLAGS are still passed, and 2) any other flags determined to be necessary by upstream, such as -fno-strict-aliasing, are also passed.
Created attachment 783473: Ensure the correct optimization flags are added for building trafficserver
Yeah, we really should fix this upstream :/. Fwiw, there's at least one bug filed on this in Apache TS: https://issues.apache.org/jira/browse/TS-302
OK, so this and the previously fixed bug all stem from the fact that trafficserver.spec doesn't use the %configure macro, and resorts to overrides in the 'make' command. Let me offer another approach, use %configure :) Inline proof-of-concept .spec patch I just tested: diff --git a/trafficserver.spec b/trafficserver.spec index d806fa3..b53c074 100644 --- a/trafficserver.spec +++ b/trafficserver.spec @@ -40,8 +40,16 @@ caching proxy server. %patch2 -p1 -b .patch2 %build -LDFLAGS="%{?__global_ldflags}" CFLAGS="$RPM_OPT_FLAGS" CXXFLAGS="$RPM_OPT_FLAGS" ./configure --enable-layout=Gentoo --libdir=%{_libdir}/trafficserver --with-tcl=%{_libdir} --with -make %{?_smp_mflags} LDFLAGS="%{?__global_ldflags}" CFLAGS="$RPM_OPT_FLAGS" CXXFLAGS="$RPM_OPT_FLAGS" +%configure \ + --enable-layout=Gentoo \ + --libdir=%{_libdir}/trafficserver \ + --libexecdir=%{_libdir}/trafficserver/plugins \ + --sysconfdir=%{_sysconfdir}/trafficserver \ + --with-tcl=%{_libdir} \ + --with-user=ats --with-group=ats \ + --disable-silent-rules + +make %{?_smp_mflags}
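Review bot: the new %configure block passes --libexecdir=%{_libdir}/trafficserver/plugins and --sysconfdir=%{_sysconfdir}/trafficserver, and neither option is visible on the removed ./configure line (which is cut off after "--with" as shown), so this change may alter install paths in addition to fixing how the flags are passed. Please confirm that %install and %files still match those directories, or move the path options into a separate change so the flag fix can be reviewed on its own. Dropping the LDFLAGS/CFLAGS/CXXFLAGS arguments from the make line is the part that addresses this bug, and --disable-silent-rules is worth keeping because it puts the full compiler command lines in the build log where the flags can be checked.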
Wasn't the suggested fix by Dimitry Andric OK? I.e.:

  LDFLAGS="%{?__global_ldflags}" \
  CFLAGS="$RPM_OPT_FLAGS" \
  CXXFLAGS="$RPM_OPT_FLAGS" \
  ./configure \
  --enable-layout=Gentoo \
  --libdir=%{_libdir}/trafficserver \
  --with-tcl=%{_libdir} \
  --with-user=ats \
  --with-group=ats
  make %{?_smp_mflags} \
  LDFLAGS="%{?__global_ldflags}" \
  CFLAGS="$RPM_OPT_FLAGS" \
  CXXFLAGS="$RPM_OPT_FLAGS"

It looks to me to be building with the exact same set of flags as using the %configure macro, but %configure looks cleaner in the .specfile..

Building with Dimitry Andric's fix:
-------------------------------------------------------
+ LDFLAGS='-Wl,-z,relro -specs=/usr/lib/rpm/redhat/redhat-hardened-ld'
+ CFLAGS='-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -m64 -mtune=generic'
+ CXXFLAGS='-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -m64 -mtune=generic'
+ ./configure --enable-layout=Gentoo --libdir=/usr/lib64/trafficserver --with-tcl=/usr/lib64 --with-user=ats --with-group=ats
<snip>
+ make -j4 'LDFLAGS=-Wl,-z,relro -specs=/usr/lib/rpm/redhat/redhat-hardened-ld' 'CFLAGS=-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -m64 -mtune=generic' 'CXXFLAGS=-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -m64 -mtune=generic'
-------------------------------------------------------

Using Rex Dieter's suggested %configure macro:
-------------------------------------------------------
+ CFLAGS='-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -m64 -mtune=generic'
+ export CFLAGS
+ CXXFLAGS='-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -m64 -mtune=generic'
+ export CXXFLAGS
+ FFLAGS='-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -m64 -mtune=generic -I/usr/lib64/gfortran/modules'
+ export FFLAGS
+ LDFLAGS='-Wl,-z,relro -specs=/usr/lib/rpm/redhat/redhat-hardened-ld'
+ export LDFLAGS
+ ./configure --build=x86_64-redhat-linux-gnu --host=x86_64-redhat-linux-gnu --program-prefix= --disable-dependency-tracking --prefix=/usr --exec-prefix=/usr --bindir=/usr/bin --sbindir=/usr/sbin --sysconfdir=/etc --datadir=/usr/share --includedir=/usr/include --libdir=/usr/lib64 --libexecdir=/usr/libexec --localstatedir=/var --sharedstatedir=/var/lib --mandir=/usr/share/man --infodir=/usr/share/info --enable-layout=Gentoo --libdir=/usr/lib64/trafficserver --libexecdir=/usr/lib64/trafficserver/plugins --sysconfdir=/etc/trafficserver --with-tcl=/usr/lib64 --with-user=ats --with-group=ats --disable-silent-rules
+ make -j4
g++ -DHAVE_CONFIG_H -I. -I../../lib/ts -I../../lib -I../../lib/records -I../../lib/ts -D_LARGEFILE64_SOURCE=1 -D_COMPILE64BIT_SOURCE=1 -D_GNU_SOURCE -D_REENTRANT -Dlinux -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -m64 -mtune=generic -Werror -feliminate-unused-debug-symbols -fno-strict-aliasing -Wno-invalid-offsetof -c -o EventSystem.o EventSystem.cc
<snip>
-------------------------------------------------------
(In reply to Jan-Frode Myklebust from comment #4)
> Wasn't the suggested fix by Dimitry Andric OK? I.e.:
>
>
> LDFLAGS="%{?__global_ldflags}" \
> CFLAGS="$RPM_OPT_FLAGS" \
> CXXFLAGS="$RPM_OPT_FLAGS" \
> ./configure \
> --enable-layout=Gentoo \
> --libdir=%{_libdir}/trafficserver \
> --with-tcl=%{_libdir} \
> --with-user=ats \
> --with-group=ats
> make %{?_smp_mflags} \
> LDFLAGS="%{?__global_ldflags}" \
> CFLAGS="$RPM_OPT_FLAGS" \
> CXXFLAGS="$RPM_OPT_FLAGS"

Please note, the important part was to *not* pass rpm-provided CFLAGS, LDFLAGS etc as arguments on the make command line. Otherwise, the command line arguments will override whatever the configure script has written to the makefile.

> It looks to me to be building with the exact same set of flags as using the
> %configure macro, but %configure looks cleaner in the .specfile..

Sure, I guess that is the goal of the %configure macro, to make sure that packages all get configured in a similar way? That seems to be the proper method then. (Though on my RHEL/CentOS 6.x boxes, the %configure macro does not seem to pass LDFLAGS to the configure script. It only passes CFLAGS, CXXFLAGS and FFLAGS.)
Could someone please have a look at http://kojipkgs.fedoraproject.org//packages/trafficserver/3.2.5/3.fc21/data/logs/x86_64/build.log and tell me if it has all the right flags?
Yes, this looks good:

+ make -j3
...
g++ -DHAVE_CONFIG_H -I. -I../../lib/ts -I../../lib -I../../lib/records -I../../lib/ts -D_LARGEFILE64_SOURCE=1 -D_COMPILE64BIT_SOURCE=1 -D_GNU_SOURCE -D_REENTRANT -Dlinux -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -m64 -mtune=generic -Werror -feliminate-unused-debug-symbols -fno-strict-aliasing -Wno-invalid-offsetof -c -o EventSystem.o EventSystem.cc

So both the hardening flags and -fno-strict-aliasing are there.
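Added example (not part of the bug thread or the package): the by-eye build.log check from the comment above, written as a Python script that reports compile lines lacking -fno-strict-aliasing or the hardening flags. The sample logs are abridged or constructed as labelled, and the function names are this example's own.

```python
import shlex

COMPILERS = {"gcc", "g++", "cc", "c++"}

def satisfied(argv):
    """Map each required property to whether this compiler argv ends up with it."""
    state = {"-fno-strict-aliasing": False, "-D_FORTIFY_SOURCE": False,
             "-fstack-protector": False}
    for arg in argv[1:]:
        for part in arg.split(","):          # unwrap -Wp,-D_FORTIFY_SOURCE=2
            if part in ("-fno-strict-aliasing", "-fstrict-aliasing"):
                # GCC honours the last of a -f/-fno- pair on the command line
                state["-fno-strict-aliasing"] = part.startswith("-fno-")
            elif part.startswith("-D_FORTIFY_SOURCE="):
                state["-D_FORTIFY_SOURCE"] = not part.endswith("=0")
            elif part.startswith("-fstack-protector"):   # also -strong, -all
                state["-fstack-protector"] = True
            elif part == "-fno-stack-protector":
                state["-fstack-protector"] = False
    return state

def audit(log_text):
    """Return (line number, source file, missing flags) for each deficient compile."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        try:
            argv = shlex.split(line)
        except ValueError:                   # unbalanced quotes: not a command line
            continue
        if not argv or argv[0].rsplit("/", 1)[-1] not in COMPILERS or "-c" not in argv:
            continue
        missing = [flag for flag, ok in satisfied(argv).items() if not ok]
        if missing:
            findings.append((lineno, argv[-1], missing))
    return findings

HARDENED = "-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong"
# Abridged from the compile line quoted in the thread for the fixed package.
FIXED_LOG = ("+ make -j3\n"
             "g++ -DHAVE_CONFIG_H -I. " + HARDENED + " -Werror -fno-strict-aliasing"
             " -Wno-invalid-offsetof -c -o EventSystem.o EventSystem.cc\n")
# Constructed: flags passed on the make command line replace what configure wrote
# to the makefile, so upstream's -fno-strict-aliasing never reaches the compiler.
BROKEN_LOG = ("+ make -j4 'CXXFLAGS=" + HARDENED + "'\n"
              "g++ -DHAVE_CONFIG_H -I. " + HARDENED + " -c -o EventSystem.o EventSystem.cc\n")

if __name__ == "__main__":
    for name, log in (("fixed", FIXED_LOG), ("broken", BROKEN_LOG)):
        print(name, audit(log) or "all required flags present")
```

The check needs the full compiler command lines in the log, which is what --disable-silent-rules provides.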
trafficserver-3.2.5-3.el6 has been submitted as an update for Fedora EPEL 6. https://admin.fedoraproject.org/updates/trafficserver-3.2.5-3.el6
trafficserver-3.2.5-3.fc19 has been submitted as an update for Fedora 19. https://admin.fedoraproject.org/updates/trafficserver-3.2.5-3.fc19
trafficserver-3.2.5-3.fc18 has been submitted as an update for Fedora 18. https://admin.fedoraproject.org/updates/trafficserver-3.2.5-3.fc18
Package trafficserver-3.2.5-3.el6:
* should fix your issue,
* was pushed to the Fedora EPEL 6 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=epel-testing trafficserver-3.2.5-3.el6'
as soon as you are able to.
Please go to the following url: https://admin.fedoraproject.org/updates/FEDORA-EPEL-2013-11337/trafficserver-3.2.5-3.el6 then log in and leave karma (feedback).
trafficserver-3.2.5-3.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.
trafficserver-3.2.5-3.fc18 has been pushed to the Fedora 18 stable repository. If problems still persist, please make note of it in this bug report.
trafficserver-5.3.0-1.el7 has been submitted as an update for Fedora EPEL 7. https://admin.fedoraproject.org/updates/trafficserver-5.3.0-1.el7
trafficserver-5.3.0-1.el6 has been submitted as an update for Fedora EPEL 6. https://admin.fedoraproject.org/updates/trafficserver-5.3.0-1.el6
trafficserver-5.3.0-1.fc22 has been submitted as an update for Fedora 22. https://admin.fedoraproject.org/updates/trafficserver-5.3.0-1.fc22
trafficserver-5.3.0-1.fc21 has been submitted as an update for Fedora 21. https://admin.fedoraproject.org/updates/trafficserver-5.3.0-1.fc21
Sweet! Just a heads up (not sure what / how we'd normally communicate such intent), but ATS v5.3.1 is scheduled to be released in the next week.
trafficserver-5.3.0-1.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.
trafficserver-5.3.0-1.fc21 has been pushed to the Fedora 21 stable repository. If problems still persist, please make note of it in this bug report.
trafficserver-5.3.0-1.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.
trafficserver-5.3.0-1.el7 has been pushed to the Fedora EPEL 7 stable repository. If problems still persist, please make note of it in this bug report.
FYI, ATS v5.3.1 was released a few days ago; this is purely a bug fix over 5.3.0. This includes a fix for CVE-2015-3249, which affects H2 (HTTP/2). We strongly recommend that everyone upgrades to 5.3.1.