fix: ensure -zlazy for systems that default to -znow by xandris · Pull Request #1729 · containers/toolbox

xandris · 2025-11-10T01:08:56Z

I see #1706 and #1722. this is more minimal change for systems that default to znow

Adds -zlazy to the go build wrapper and the 'go run' command for generating completions. Some systems like Gentoo default to znow if it is left unset. See: containers#1729 Signed-off-by: Alexandra Parker <alex.iris.parker@gmail.com>

softwarefactory-project-zuul · 2025-11-10T01:18:36Z

Build failed.
https://softwarefactory-project.io/zuul/t/local/buildset/ed68c8790364412a8cd4f6d1837084e3

silverhadch · 2025-12-19T08:01:56Z

Ping.

debarshiray

Thanks for looking into this, @xandris , and my apologies for the delay! I always shudder at this linker hackery. :)

debarshiray · 2026-06-04T22:23:34Z

recheck

debarshiray

It looks like this fixes #1706 Could you please link to the issue instead of the PR in the commit message?

centosinfra-prod-github-app · 2026-06-04T22:29:36Z

Build failed.
https://gateway-cloud-softwarefactory.apps.ocp.cloud.ci.centos.org/zuul/t/local/buildset/3c49960b8e7c4bf2967623ab1160d65b

centosinfra-prod-github-app · 2026-06-05T04:47:13Z

Build failed.
https://gateway-cloud-softwarefactory.apps.ocp.cloud.ci.centos.org/zuul/t/local/buildset/a1f27a2b43a7433bbf971100e2160db6

It's not necessary to prefix each external linker flag with its own -Wl option. One -Wl option can carry everything because the commas will be used to split the string. containers#1706

debarshiray · 2026-06-09T00:36:23Z

Thanks for updating this PR, @xandris ! Let me try to rebase this against main. I am temporarily marking this as a draft while I do so.

centosinfra-prod-github-app · 2026-06-09T02:40:16Z

Build failed.
https://gateway-cloud-softwarefactory.apps.ocp.cloud.ci.centos.org/zuul/t/local/buildset/cc7ce3d8e25d437d95ad5a88714fca53

Many operating systems default to '-z now' in their linker flags to harden binaries using Relocation Read-Only (or RELRO) [1]. Such as, Fedora [2,3] and Gentoo [4,5,6,7,8,9]. Some, like Fedora, pass it through the LDFLAGS environment variable that's usually injected into the clang(1) and gcc(1) compiler drivers' command line by build systems like Meson. Some, like Gentoo, use a Clang configuration file or GCC specs instead. The reference Go toolchain (ie., gc, not gccgo) in its external linking mode always uses the clang(1) or gcc(1) compiler drivers [10], and whether '-z now' gets used or not depends on which of the above mechanisms are in use. The Meson adapter scripts in Toolbx to connect Meson to 'go build' and 'go run', since Meson doesn't natively support Go [11], don't respect the LDFLAGS environment variable. So, anything passed through it gets filtered out from the linker flags. However, the default Clang configuration files or the built-in GCC specs can't be avoided. So, if '-z now' is specified there, then it gets used. This leads to a broken toolbox(1) binary and fails to generate the shell completions. [1] https://www.redhat.com/en/blog/hardening-elf-binaries-using-relocation-read-only-relro [2] Fedora redhat-rpm-config commit 796b80f2f49f2301 https://src.fedoraproject.org/rpms/redhat-rpm-config/c/796b80f2f49f2301 [3] Fedora redhat-rpm-config commit d9235d2d90873ff6 https://src.fedoraproject.org/rpms/redhat-rpm-config/c/d9235d2d90873ff6 https://bugzilla.redhat.com/show_bug.cgi?id=1192183 https://fedoraproject.org/wiki/Changes/Harden_All_Packages [4] Gentoo ebuild commit 8bfd8afef6dd8c66 https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=8bfd8afef6dd8c66 https://bugs.gentoo.org/876923 [5] Gentoo gcc-patches commit 8ffd428773f8e1e6 gentoo/gcc-patches@8ffd428773f8e1e6 [6] Gentoo ebuild commit 718448f923ae9302 https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=718448f923ae9302 [7] Gentoo gcc-patches commit 98c1d96dbf03d704 gentoo/gcc-patches@98c1d96dbf03d704 https://bugs.gentoo.org/876923 [8] Gentoo ebuild commit adf44514cf590a86 https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=adf44514cf590a86 https://bugs.gentoo.org/876923 [9] Gentoo ebuild commit 975678507aa3cebb https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=975678507aa3cebb https://bugs.gentoo.org/876923 [10] https://pkg.go.dev/cmd/link [11] mesonbuild/meson#123 containers#1706 Signed-off-by: Alexandra Parker <alex.iris.parker@gmail.com>

debarshiray · 2026-06-09T18:59:02Z

I took the liberty to dump all the references you dug up for me in #1706 in the commit message for the sake of my future self.

This should have been part of commit 83f28c5. containers#1706

centosinfra-prod-github-app · 2026-06-09T21:00:04Z

Build failed.
https://gateway-cloud-softwarefactory.apps.ocp.cloud.ci.centos.org/zuul/t/local/buildset/b6d2d57b119145889b81002a44c610bb

centosinfra-prod-github-app · 2026-06-09T23:47:08Z

Build failed.
https://gateway-cloud-softwarefactory.apps.ocp.cloud.ci.centos.org/zuul/t/local/buildset/2c9465a0661544b89f4c3822984dc1fe

xandris · 2026-06-11T06:47:45Z

👀

debarshiray · 2026-06-11T09:31:54Z

Build failed. https://gateway-cloud-softwarefactory.apps.ocp.cloud.ci.centos.org/zuul/t/local/buildset/2c9465a0661544b89f4c3822984dc1fe

❌ system-test-fedora-rawhide-commands-options TIMED_OUT in 2h 00m 26s
❌ system-test-fedora-44-commands-options TIMED_OUT in 1h 45m 29s

These are the same CI failures that showed up recently and is being debugged. See #1802 and #1805

So, let's ignore them here.

debarshiray · 2026-06-11T09:35:03Z

Thanks for all the insight and investigation, @xandris !

xandris requested a review from debarshiray as a code owner November 10, 2025 01:08

xandris force-pushed the bugfix/ensure-z-lazy branch from 59be97f to 73ed56e Compare November 10, 2025 01:11

dhirschfeld mentioned this pull request Mar 20, 2026

brev v0.6.318 conda-forge/brev-feedstock#12

Merged

3 tasks

debarshiray requested changes Jun 4, 2026

View reviewed changes

Comment thread src/go-build-wrapper Outdated

debarshiray reviewed Jun 4, 2026

View reviewed changes

xandris force-pushed the bugfix/ensure-z-lazy branch from 73ed56e to 8811838 Compare June 5, 2026 02:44

build: Tweak the external linker flags for brevity

ac96de9

It's not necessary to prefix each external linker flag with its own -Wl option. One -Wl option can carry everything because the commas will be used to split the string. containers#1706

debarshiray mentioned this pull request Jun 5, 2026

failing to compile when C compiler driver defaults to -z now #1706

Closed

debarshiray force-pushed the bugfix/ensure-z-lazy branch from 8811838 to ac96de9 Compare June 9, 2026 00:36

debarshiray marked this pull request as draft June 9, 2026 00:39

build: Notify distributors that the '-z now' linker flag is unsupported

5fd129b

This should have been part of commit 83f28c5. containers#1706

debarshiray marked this pull request as ready for review June 9, 2026 21:44

debarshiray merged commit 5fd129b into containers:main Jun 11, 2026
2 of 3 checks passed

Conversation

xandris commented Nov 10, 2025

Uh oh!

softwarefactory-project-zuul Bot commented Nov 10, 2025

Uh oh!

silverhadch commented Dec 19, 2025

Uh oh!

debarshiray left a comment

Choose a reason for hiding this comment

Uh oh!

Uh oh!

debarshiray commented Jun 4, 2026

Uh oh!

debarshiray left a comment

Choose a reason for hiding this comment

Uh oh!

centosinfra-prod-github-app Bot commented Jun 4, 2026

Uh oh!

centosinfra-prod-github-app Bot commented Jun 5, 2026

Uh oh!

debarshiray commented Jun 9, 2026

Uh oh!

centosinfra-prod-github-app Bot commented Jun 9, 2026

Uh oh!

debarshiray commented Jun 9, 2026

Uh oh!

centosinfra-prod-github-app Bot commented Jun 9, 2026

Uh oh!

centosinfra-prod-github-app Bot commented Jun 9, 2026

Uh oh!

xandris commented Jun 11, 2026

Uh oh!

debarshiray commented Jun 11, 2026

Uh oh!

Uh oh!

debarshiray commented Jun 11, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

3 participants