feat: glibc extension

The extension is mostly copied from the package that is in the nvidia
toolkit extensions, but with a few notable changes.

- A symbolic link to `ldconfig` is installed at `/sbin/ldconfig`. This
allows the nvidia gpu-operator to work without modification. A patch to
the extension validation logic is required to allow the new path.
- The `/usr/local/glibc` subtree is now structured as a [merged `/usr`
root](https://systemd.io/THE_CASE_FOR_THE_USR_MERGE/). This improves
compatbility with ld-linux.so.2 for library discovery.

Signed-off-by: Jean-Francois Roy <jf@devklog.net>

.kres.yaml

@@ -14,6 +14,7 @@ spec:
     - ecr-credential-provider
     - fuse3
     - gasket-driver
+    - glibc
     - gvisor
     - gvisor-debug
     - hello-world-service

Makefile

@@ -65,6 +65,7 @@ TARGETS += drbd
 TARGETS += ecr-credential-provider
 TARGETS += fuse3
 TARGETS += gasket-driver
+TARGETS += glibc
 TARGETS += gvisor
 TARGETS += gvisor-debug
 TARGETS += hello-world-service

README.md

@@ -79,9 +79,10 @@ cosign verify --certificate-identity-regexp '@siderolabs\.com$' --certificate-oi
 
 ### Miscellaneous
 
-| Name                            | Image                                                                                                 | Description                 | Version Format  |
-| ------------------------------- | ----------------------------------------------------------------------------------------------------- | --------------------------- | --------------- |
-| [binfmt-misc](misc/binfmt-misc) | [ghcr.io/siderolabs/binfmt-misc](https://github.com/siderolabs/extensions/pkgs/container/binfmt-misc) | Miscellaneous Binary Format | `talos version` |
+| Name                            | Image                                                                                                 | Description                 | Version Format     |
+| ------------------------------- | ----------------------------------------------------------------------------------------------------- | --------------------------- | ------------------ |
+| [binfmt-misc](misc/binfmt-misc) | [ghcr.io/siderolabs/binfmt-misc](https://github.com/siderolabs/extensions/pkgs/container/binfmt-misc) | Miscellaneous Binary Format | `talos version`    |
+| [glibc](misc/glibc)             | [ghcr.io/siderolabs/glibc](https://github.com/siderolabs/extensions/pkgs/container/glibc)             | glibc                       | `upstream version` |
 
 ### Network
 

misc/glibc/ld.so.conf

@@ -0,0 +1 @@
+/usr/local/glibc/usr/lib

misc/glibc/manifest.yaml

@@ -0,0 +1,10 @@
+version: v1alpha1
+metadata:
+  name: glibc
+  version: "$VERSION"
+  author: Jean-Francois Roy
+  description: |
+    This system extension provides glibc.
+  compatibility:
+    talos:
+      version: ">= v1.5.0"

nvidia-gpu/nvidia-container-toolkit/glibc/pkg.yaml → misc/glibc/pkg.yaml

@@ -11,11 +11,13 @@ dependencies:
   - image: cgr.dev/chainguard/wolfi-base@{{ .WOLFI_BASE_REF }}
 steps:
   - sources:
-      - url: https://src.fedoraproject.org/lookaside/pkgs/glibc/glibc-{{ .GLIBC_VERSION }}-9-g132a72f93c.tar.xz/sha512/f88ffb4ab47104640c88504ca2619cdca0795565173daf98a37d624333e14ab96699f662597fe51ba94a274c4cc7001bd2c8cc29fd5df012733298049e533bf4/glibc-{{ .GLIBC_VERSION }}-9-g132a72f93c.tar.xz
+      - url: https://src.fedoraproject.org/lookaside/pkgs/glibc/glibc-{{ .VERSION }}-9-g132a72f93c.tar.xz/sha512/f88ffb4ab47104640c88504ca2619cdca0795565173daf98a37d624333e14ab96699f662597fe51ba94a274c4cc7001bd2c8cc29fd5df012733298049e533bf4/glibc-{{ .VERSION }}-9-g132a72f93c.tar.xz
         destination: glibc.tar.xz
         sha256: 49cd4eed693ffa9010d81e1c75ab33a278a7cbb404a01564b2e287e04ec3d4d3
         sha512: f88ffb4ab47104640c88504ca2619cdca0795565173daf98a37d624333e14ab96699f662597fe51ba94a274c4cc7001bd2c8cc29fd5df012733298049e533bf4
     prepare:
+      - |
+        sed -i 's#$VERSION#{{ .VERSION }}#' /pkg/manifest.yaml
       - |
         tar -xf glibc.tar.xz --strip-components=1
 
@@ -24,8 +26,8 @@ steps:
 
         ../configure \
           --prefix=/usr/local/glibc \
-          --libdir=/usr/local/glibc/lib \
-          --libexecdir=/usr/local/glibc/lib \
+          --libdir=/usr/local/glibc/usr/lib \
+          --libexecdir=/usr/local/glibc/usr/lib \
           --enable-stack-protection=strong \
           --disable-werror
     build:
@@ -34,13 +36,25 @@ steps:
         make -j $(nproc)
     install:
       - |
-        mkdir -p /rootfs/lib64
+        mkdir -p \
+          /rootfs/usr/local/glibc/usr/bin \
+          /rootfs/usr/local/glibc/usr/lib \
+          /rootfs/usr/local/glibc/usr/lib32 \
+          /rootfs/usr/local/glibc/usr/sbin
+        ln -s usr/bin/ /rootfs/usr/local/glibc/bin
+        ln -s usr/lib/ /rootfs/usr/local/glibc/lib
+        ln -s usr/lib/ /rootfs/usr/local/glibc/lib64
+        ln -s usr/sbin/ /rootfs/usr/local/glibc/sbin
+        ln -s lib/ /rootfs/usr/local/glibc/usr/lib64
 
         cd build
         make install DESTDIR=/rootfs
 
         cp /pkg/ld.so.conf /rootfs/usr/local/glibc/etc/ld.so.conf
-        ln -s /usr/local/glibc/lib/ld-linux-x86-64.so.2 /rootfs/lib64/ld-linux-x86-64.so.2
+
+        mkdir -p /rootfs/lib64 /rootfs/sbin
+        ln -s /usr/local/glibc/usr/lib/ld-linux-x86-64.so.2 /rootfs/lib64/ld-linux-x86-64.so.2
+        ln -s /usr/local/glibc/usr/sbin/ldconfig /rootfs/sbin/ldconfig
 
         # cleanup
         rm -rf /rootfs/usr/local/glibc/include
@@ -49,3 +63,5 @@ steps:
 finalize:
   - from: /rootfs
     to: /rootfs
+  - from: /pkg/manifest.yaml
+    to: /

misc/glibc/vars.yaml

@@ -0,0 +1,2 @@
+VERSION: 2.40
+WOLFI_BASE_REF: sha256:72c8bfed3266b2780243b144dc5151150015baf5a739edbbde53d154574f1607

reproducibility/pkg.yaml

@@ -23,6 +23,8 @@ dependencies:
   - stage: fuse3
   # gasket-driver can be ignored from reproducibility test since it's kernel modules copied from pkgs
   # - stage: gasket-driver
+
+  - stage: glibc
   - stage: gvisor
   - stage: gvisor-debug
   - stage: hello-world-service