View previous topic :: View next topic |
Author |
Message |
depontius Advocate
Joined: 05 May 2004 Posts: 3522
|
Posted: Sun Sep 13, 2020 11:07 pm Post subject: Moving to no-multilib |
|
|
This is more on my ongoing game of musical motherboards...
I'm converting a deskside into a server. First I did a full update. Then I looked at @world and started removing stuff, doing a --depclean every so often. At some point I remembered that this is supposed to be a server, and switched the profile to "default/linux/amd64/17.1/hardened (stable)". The next emerge gave me some problems, but between some more removals, some USE flag adjustments, etc, I again got clean updates. (including --depclean) So I also started installing server-related code, and so far all is going well.
Then I remembered that a lot of people don't like multilib. I can certainly see that it increases the attack surface, at the very least. So I started looking into getting rid of it. Some time back I had some ABI_X86 issues while doing updates, so in /etc/portage/make.conf I have ABI_X86="32 64". Looks like multilib to me. I know that there's a separate no-multilib profile - "default/linux/amd64/17.1/no-multilib/hardened (stable)", but figured I'd first see what it looked like if I tried just using ABI_X86="64" on a pretend emerge. Many packages would install, but then I start getting all sorts of conflicts, all focused around ABI_X86.
A few of those packages were mesa and llvm, along with things involved with them. (I have USE="X" so that I can have GUI code, but I don't run an X server on this machine.) When I start trying to focus on a few individual things, like just mesa and perhaps a few other programs with ABI_X86="64" I get hate-mail, but it indicates that they will be rebuilt that way.
MAYBE I could just walk through the process this way. First do the easy stuff, then start doing sets of packages. But I have a bad feeling that it could leave me halfway up the creek without a paddle. By the way, "--backtrack=100" didn't help.
Does switching to a no-multilib profile make a difference beyond ABI_X86? I figured I'd look at the "easy part" first. _________________ .sigs waste space and bandwidth |
|
Back to top |
|
|
NeddySeagoon Administrator
Joined: 05 Jul 2003 Posts: 54577 Location: 56N 3W
|
Posted: Sun Sep 13, 2020 11:27 pm Post subject: |
|
|
depontius,
If you don't actually install any 32 bit only code, only your toolchain will remain 32 bit capable.
/no-multilib/ has a different on disk layout to mulltlib. Multilib has to keep the 64 bit and 32 bit files of the same name apart.
As the 32 bit code won't be used, is it worth the work to convert? _________________ Regards,
NeddySeagoon
Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail. |
|
Back to top |
|
|
depontius Advocate
Joined: 05 May 2004 Posts: 3522
|
Posted: Sun Sep 13, 2020 11:59 pm Post subject: |
|
|
Thank you for that view.
I presume that the difference for no-multilib is just a reduced attack surface, so I don't see the disk layout as being a big issue.
This makes me think that I can get rid of the 32-bit code in an iterative fashion, largely as I've been describing. _________________ .sigs waste space and bandwidth |
|
Back to top |
|
|
Ionen Developer
Joined: 06 Dec 2018 Posts: 2852
|
Posted: Mon Sep 14, 2020 1:09 am Post subject: |
|
|
Nowadays, for 17.1, layout is pretty much identical actually. 17.1 no-multilib amd64 will still have a separate lib64 and a non-symlink lib, only difference is that lib will almost only be populated by python stuff, some gcc stuff, kernel modules, etc... rather than 32bit libraries.
I guess this is to make it "possible" to switch to back&forth, although if have any reason to think may want to, don't do no-multilib anyway I only use it for servers myself where I also disabled support in the kernel (or if low flash storage + no build deps binpkg-using box). But only real difference I see is that no-multilib allows you to lack 32bit glibc, while you're forced to keep it on multilib regardless of ABI_X86= |
|
Back to top |
|
|
figueroa Advocate
Joined: 14 Aug 2005 Posts: 3005 Location: Edge of marsh USA
|
Posted: Mon Sep 14, 2020 3:12 am Post subject: |
|
|
I don't think your make.conf ABI_X86="32 64" is doing what you think. I am running multilib, I don't have ABI_X86= in make.conf and emerge --info shows ABI_X86="64". _________________ Andy Figueroa
hp pavilion hpe h8-1260t/2AB5; spinning rust x3
i7-2600 @ 3.40GHz; 16 gb; Radeon HD 7570
amd64/23.0/split-usr/desktop (stable), OpenRC, -systemd -pulseaudio -uefi |
|
Back to top |
|
|
Anon-E-moose Watchman
Joined: 23 May 2008 Posts: 6146 Location: Dallas area
|
Posted: Mon Sep 14, 2020 9:53 am Post subject: |
|
|
ABI_X86 affects some things, and changing the profile (which sets multilib on gcc and glibc, apart from the ABI flag), and there's a multilib flag.
I changed (a while back) from multilib to straight 64 bit, when I gave up on wine. I just don't remember the whole process, not painful, but some things will require rebuilding, gcc, glibc, and any other program that creates 32 bit libs/progs. First thing I did was resolve the ABI stuff, which still leaves some packages there, gcc, glibc, etc, and then swapped out the profile (or maybe I turned off the multilib USE flag first then swapped profile, I don't remember). _________________ UM780, 6.1 zen kernel, gcc 13, profile 17.0 (custom bare multilib), openrc, wayland |
|
Back to top |
|
|
Anon-E-moose Watchman
Joined: 23 May 2008 Posts: 6146 Location: Dallas area
|
Posted: Mon Sep 14, 2020 9:54 am Post subject: |
|
|
figueroa wrote: | I don't think your make.conf ABI_X86="32 64" is doing what you think. I am running multilib, I don't have ABI_X86= in make.conf and emerge --info shows ABI_X86="64". |
If you don't set it, you get a base ABI_X86 from the the profile, but it can be overwritten, global or per package. _________________ UM780, 6.1 zen kernel, gcc 13, profile 17.0 (custom bare multilib), openrc, wayland |
|
Back to top |
|
|
NeddySeagoon Administrator
Joined: 05 Jul 2003 Posts: 54577 Location: 56N 3W
|
Posted: Mon Sep 14, 2020 10:37 am Post subject: |
|
|
Ionen,
Its not possible to switch from no-multilib to multilib as the no-multilib toolchain in the stage3 is built with (-no-multilib).
That means all the code to build 32 bit binaries is missing, so its not possible to build gcc, glibc and friends with 32 bit support.
The switch the other way has been done, I'm sure I saw it on the forums a long time ago.
For completeness, nothing is impossible on Gentoo.
The switch from no-multilib to multilib requires an atomic replacement of the toolchain. I think that's been done too. :) _________________ Regards,
NeddySeagoon
Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail. |
|
Back to top |
|
|
Ionen Developer
Joined: 06 Dec 2018 Posts: 2852
|
Posted: Mon Sep 14, 2020 11:06 am Post subject: |
|
|
Yeah that's why I used quotes around "possible", I didn't mean it's intended or straight forward. But the directory structure at least shouldn't need any migration as it is now if done anyway. |
|
Back to top |
|
|
ff11 l33t
Joined: 10 Mar 2014 Posts: 664
|
Posted: Mon Sep 14, 2020 11:17 am Post subject: |
|
|
NeddySeagoon wrote: | Ionen,
Its not possible to switch from no-multilib to multilib as the no-multilib toolchain in the stage3 is built with (-no-multilib).
That means all the code to build 32 bit binaries is missing, so its not possible to build gcc, glibc and friends with 32 bit support.
The switch the other way has been done, I'm sure I saw it on the forums a long time ago.
For completeness, nothing is impossible on Gentoo.
The switch from no-multilib to multilib requires an atomic replacement of the toolchain. I think that's been done too. |
Hi friends!
Around one month ago I migrated from no-multilib to multilib while developing a 64bit multilib AppImage, and I intend to go back to no-multilib after finishing this work.
Nowadays things are much easier, if no-multilib stage3 doesn't have 32bits, then just use multilib stage3 (it's not a problem).
The change to no-multilib is smooth, and doesn't need advanced procedures, just remove the ABI 32, change the profile and rebuild anything that ask to be rebuild.
To change from no-multilib to multilib, you have several options, which I will highlight 3:
* NOTE: the packages that need attention are just glibc and gcc.
1- The easiest is to use binary packages to install gcc and glibc after change the profile, but watch out for the version of glibc (don't install an older one).
2- Use the same update strategy as a very old installation to rebuild glibc and gcc after change the profile, using stage3 multilib (the method I used, because the glibc of the binary repository was with the old version):
https://wiki.gentoo.org/wiki/Upgrading_Gentoo#Updating_old_systems
3- Using only a few includes files from stage3 multilib to rebuild glibc and gcc after change the profile, as described by NTU:
https://forums.gentoo.org/viewtopic-t-1026944-start-0.html
In all these 3 options, the procedures are very simple and few for a Gentoo Linux user. So, I believe there is no need to worry about the switch. And we can be happy with the easily flexibility with which Gentoo Linux offers us _________________ | Proverbs 26:12 |
| There is more hope for a fool than for a wise man that are wise in his own eyes. |
* AlphaGo - The Movie - Full Documentary "I want to apologize for being so powerless" - Lee |
|
Back to top |
|
|
mv Watchman
Joined: 20 Apr 2005 Posts: 6780
|
Posted: Mon Sep 14, 2020 4:41 pm Post subject: |
|
|
depontius wrote: | I presume that the difference for no-multilib is just a reduced attack surface |
I would really be curious why 32 bit would have a larger attack surface. Do you really imagine that somebody is clever enough to execute arbitrary code on your system but then stupid enough to provide this arbitrary code only in 32 bit? 10 years ago, maybe, but nowadays?
And even to protect for this unlikely case, the crucial thing in reducing the attack surface is making the kernel execute only 64 bit code. I haven't tried, but maybe you can still compile a multilib toolchain with such a kernel. If the latter is true, there is absolutely no reason to change anything but the kernel. |
|
Back to top |
|
|
Anon-E-moose Watchman
Joined: 23 May 2008 Posts: 6146 Location: Dallas area
|
Posted: Mon Sep 14, 2020 5:30 pm Post subject: |
|
|
The reason for me going to no-multilib was just getting rid of the 32 bit libs (once I quit using wine) as they were of no use to me, saves space, save emerge time (on those multilib packages), and gets rid of the annoying (at times) cry of you need some ABI_X86 set a certain way when emerging.
As far as attack surface, 32bit libs are no more or less prone than the 64bit libs. _________________ UM780, 6.1 zen kernel, gcc 13, profile 17.0 (custom bare multilib), openrc, wayland |
|
Back to top |
|
|
mike155 Advocate
Joined: 17 Sep 2010 Posts: 4438 Location: Frankfurt, Germany
|
Posted: Mon Sep 14, 2020 7:15 pm Post subject: |
|
|
Anon-E-moose wrote: | The reason for me going to no-multilib was just getting rid of the 32 bit libs (once I quit using wine) as they were of no use to me, saves space, save emerge time (on those multilib packages), and gets rid of the annoying (at times) cry of you need some ABI_X86 set a certain way when emerging. |
Exactly!
One more reason: there are many threads where users report issues when emerge compiles the 32 bit version of packages. Every time I see such a thread, I think: how good that I switched to no-multilib!
Quote: | As far as attack surface, 32bit libs are no more or less prone than the 64bit libs. |
less code = smaller attack surface. For that reason, I try to keep the number of packages and the amount of installed code as small as possible. |
|
Back to top |
|
|
Hu Administrator
Joined: 06 Mar 2007 Posts: 22645
|
Posted: Mon Sep 14, 2020 7:50 pm Post subject: |
|
|
Anon-E-moose wrote: | As far as attack surface, 32bit libs are no more or less prone than the 64bit libs. | I agree in principle that attack surface is an odd argument for going to no-multilib, but I must disagree slightly with the quoted bit. Some exploits are viable on 32-bit, but not on 64-bit, due to the more limited address space, making it practical to fill up the address space, or guess a useful address in reasonable time. Code that processes potentially hostile data is safer in 64-bit mode because certain classes of attacks would take an unreasonably long time to guess their way to success. That said, if the administrator is not feeding maliciously crafted data to the program, then the bitness is irrelevant. For how Gentoo uses multilib, I would expect it to be very rare that 32-bit code is given malicious data, since routine system processes will be 64-bit. The biggest risk would be Wine running 32-bit Windows programs, and since everyone here considering no-multilib is excluding use of Wine, the greater exploitability of programs under Wine is a non-issue. (It's also harder to fix/avoid, since 64-bit Wine means a 64-bit Windows program, and most Windows programs do not provide source, so the user is stuck with whatever bitness the vendor provided.) |
|
Back to top |
|
|
depontius Advocate
Joined: 05 May 2004 Posts: 3522
|
Posted: Mon Sep 14, 2020 8:07 pm Post subject: |
|
|
I'll agree that the attack surface argument is a small one, but it's an increment.
As for progress, this morning I recompiled everything that would go simply to 64-bit only, and I'm stuck with (at least) these.
Code: | emerge -ptv \
app-arch/bzip2 \
app-arch/zstd \
dev-libs/expat \
dev-libs/libffi \
media-libs/libglvnd \
media-libs/mesa \
sys-devel/llvm \
sys-libs/zlib \
virtual/opengl \
x11-base/xcb-proto \
x11-libs/libX11 \
x11-libs/libXau \
x11-libs/libXdamage \
x11-libs/libXdmcp \
x11-libs/libXext \
x11-libs/libXfixes \
x11-libs/libXrandr \
x11-libs/libXrender \
x11-libs/libXxf86vm \
x11-libs/libxcb \
x11-libs/libxshmfence \
x11-libs/libva \
dev-libs/elfutils \
x11-libs/libvdpau \
media-libs/libglvnd
|
They all get tied in a circular knot, one can't go 64-bit-only because another needs 32-bit, but they're all in this list. I've tried adding "--backtrack=100" to no avail.
Simply removing X, if only temporarily, and going back to the console would certainly reduce the problem set, and maybe I could solve it with just elf and compression related problems.
Or I could go into package.use and leave the 32-bit there. _________________ .sigs waste space and bandwidth |
|
Back to top |
|
|
Hu Administrator
Joined: 06 Mar 2007 Posts: 22645
|
Posted: Mon Sep 14, 2020 9:09 pm Post subject: |
|
|
If they're all part of the same set, what happens if you tell Portage to rebuild all of them as pure 64-bit in a single call to emerge? Usually, circular requirements like this only cause a problem if you try to rebuild only part of the circle, and Portage gets stuck that the part you didn't allow it to rebuild would become unsatisfied. |
|
Back to top |
|
|
Etal Veteran
Joined: 15 Jul 2005 Posts: 1932
|
Posted: Mon Sep 14, 2020 9:32 pm Post subject: |
|
|
mv wrote: | depontius wrote: | I presume that the difference for no-multilib is just a reduced attack surface |
I would really be curious why 32 bit would have a larger attack surface. Do you really imagine that somebody is clever enough to execute arbitrary code on your system but then stupid enough to provide this arbitrary code only in 32 bit? 10 years ago, maybe, but nowadays? |
There have been some CVEs related to running 32-bit code on a 64-bit kernel: CVE-2007-4573, CVE-2008-0598, CVE-2010-3081, CVE-2010-3301 _________________ “And even in authoritarian countries, information networks are helping people discover new facts and making governments more accountable.”– Hillary Clinton, Jan. 21, 2010 |
|
Back to top |
|
|
Hu Administrator
Joined: 06 Mar 2007 Posts: 22645
|
Posted: Mon Sep 14, 2020 9:49 pm Post subject: |
|
|
The newest of those is around 10 years old, and all 4 of them are about kernel bugs in IA32 emulation. Switching to no-multilib is necessary before disabling kernel support for IA32 emulation, but switching to no-multilib, on its own, would not have protected against those. The administrator must take the additional step of rebuilding the kernel without IA32 emulation. |
|
Back to top |
|
|
Anon-E-moose Watchman
Joined: 23 May 2008 Posts: 6146 Location: Dallas area
|
Posted: Mon Sep 14, 2020 10:27 pm Post subject: |
|
|
depontius wrote: | I'll agree that the attack surface argument is a small one, but it's an increment.
As for progress, this morning I recompiled everything that would go simply to 64-bit only, and I'm stuck with (at least) these.
...
They all get tied in a circular knot, one can't go 64-bit-only because another needs 32-bit, but they're all in this list. I've tried adding "--backtrack=100" to no avail.
Simply removing X, if only temporarily, and going back to the console would certainly reduce the problem set, and maybe I could solve it with just elf and compression related problems.
Or I could go into package.use and leave the 32-bit there. |
With the few packages that you have left, what happens if you switch to a no-multilib profile and emerge with -U?
Note: If switching from another profile, especially a desktop one, where many use flags are set, you'll have to add many of them to your USE= line in make.conf, as the no-multilib doesn't provide much in the way of preset USE flags (or at least they didn't when I changed) _________________ UM780, 6.1 zen kernel, gcc 13, profile 17.0 (custom bare multilib), openrc, wayland |
|
Back to top |
|
|
depontius Advocate
Joined: 05 May 2004 Posts: 3522
|
Posted: Mon Sep 14, 2020 10:44 pm Post subject: |
|
|
Hu wrote: | If they're all part of the same set, what happens if you tell Portage to rebuild all of them as pure 64-bit in a single call to emerge? Usually, circular requirements like this only cause a problem if you try to rebuild only part of the circle, and Portage gets stuck that the part you didn't allow it to rebuild would become unsatisfied. |
Got it, finally. It turns out that the problem list emitted by portage is a bit irregular. It seems to emit stanzas, the first line of which is the package having problems. I'd been simply collecting stanza names using that to build my set of packages for the emerge command. However looking inside the stanzas, the "required by" includes a few extras that don't have their own stanza. Picking up these extra packages, it only took me a few more iterations to come up with an emerge list that works.
This was my problem interpreting the emerge listing, though perhaps when it hits cycles like this is could be clearer and/or more helpful.
Thanks to all of you. "emerge" running now. _________________ .sigs waste space and bandwidth |
|
Back to top |
|
|
pietinger Moderator
Joined: 17 Oct 2006 Posts: 5099 Location: Bavaria
|
Posted: Tue Sep 15, 2020 8:52 am Post subject: |
|
|
Anon-E-moose wrote: | Note: If switching from another profile, especially a desktop one, where many use flags are set, you'll have to add [...] |
this =>
Last post of this thread: https://forums.gentoo.org/viewtopic-t-1110124-highlight-.html
(I have running no-multilib even on my desktops since many years.) |
|
Back to top |
|
|
ff11 l33t
Joined: 10 Mar 2014 Posts: 664
|
Posted: Tue Sep 15, 2020 4:37 pm Post subject: |
|
|
depontius wrote: |
...
Thanks to all of you. "emerge" running now. |
Very good.
Remember that multilib isn't the only option for 32bits multiarch, nor the easiest. I will highlight more two:
* Flatpak can be a good alternative, as it has the entire 32-bit environment ready to run applications on a no-multilib installation (and can have everything installed on the user's home).
* Some AppImages also have 32-bit dependencies for no-multilib (I use AppImage for wine 32-bit, as a single file solves everything). _________________ | Proverbs 26:12 |
| There is more hope for a fool than for a wise man that are wise in his own eyes. |
* AlphaGo - The Movie - Full Documentary "I want to apologize for being so powerless" - Lee |
|
Back to top |
|
|
Hu Administrator
Joined: 06 Mar 2007 Posts: 22645
|
Posted: Tue Sep 15, 2020 4:51 pm Post subject: |
|
|
Note that both Flatpak and AppImage achieve their "ease" by failing to integrate with the system, and instead bundling everything the wrapped application will need. This means redundant, and potentially outdated / unmaintained / insecure, copies of libraries will be present and used by the wrapped application. |
|
Back to top |
|
|
ff11 l33t
Joined: 10 Mar 2014 Posts: 664
|
Posted: Tue Sep 15, 2020 4:58 pm Post subject: |
|
|
Hu wrote: | Note that both Flatpak and AppImage achieve their "ease" by failing to integrate with the system, and instead bundling everything the wrapped application will need. This means redundant, and potentially outdated / unmaintained / insecure, copies of libraries will be present and used by the wrapped application. |
Flatpak has its own update mechanism, so it's not a bigger problem than an Linux distribution installation.
AppImage keeps everything inside a file, and the content only appears when used, in randomly mounted directories, in addition to other security measures.
There are security measures in place, and more can be implemented over time, but not maintained by Gentoo Linux, as they are alternative solutions. _________________ | Proverbs 26:12 |
| There is more hope for a fool than for a wise man that are wise in his own eyes. |
* AlphaGo - The Movie - Full Documentary "I want to apologize for being so powerless" - Lee |
|
Back to top |
|
|
depontius Advocate
Joined: 05 May 2004 Posts: 3522
|
Posted: Tue Sep 15, 2020 5:12 pm Post subject: |
|
|
In the current case, it's all pure Gentoo. No flatpak or appimage or anything else like that. Oh, a couple of overlays, but I think they may be hangovers from deskside days. I need to root them out and see about getting rid of them.
After making sure I was up to date this morning, I did another emerge with "-multilib" and nothing changed.
I may try the no-multilib/hardened profile, if only temporarily, to see if it calls for changes. _________________ .sigs waste space and bandwidth |
|
Back to top |
|
|
|
|
You cannot post new topics in this forum You cannot reply to topics in this forum You cannot edit your posts in this forum You cannot delete your posts in this forum You cannot vote in polls in this forum
|
|