runc icon indicating copy to clipboard operation
runc copied to clipboard
verified publisher icon opencontainers

build: make runc binary 7.6% smaller

Open xnox opened this issue 3 weeks ago • 7 comments

In general runc does not do any cryptography or TLS networking.

go-systemd module has optional support for TLS. It is compiled by default, and pulls in all of crypto/tls stack into the binary. Despite being unused, it is not optimised out, as there is no sophisticated LTO-like functionality in go toolchain.

By removing this single file from the vendored modules, runc binary size is 7.6% smaller (both stripped and unstripped).

This also has a nice compliance side effect - the only other cryptography modules pulled in are crypto/rand and crypto/sha1 neither of which are used to protect information at rest or in-transit, meaning the same build of runc can be used in FIPS and non-FIPS contexts, as not using any cryptography make the binary out of scope for FIPS cryptographic module compliance.

If this is of interest, will also proposed to go-systemd project to add a build tag, to allow building go-systemd without tls-listeners.

xnox avatar Dec 05 '25 12:12 xnox

Fwiw, I would prefer a build tag...

cyphar avatar Dec 05 '25 15:12 cyphar

Fwiw, I would prefer a build tag...

Ack! Let me try to submit a build tag upstream.

xnox avatar Dec 05 '25 18:12 xnox

Perhaps we can just copy the activation.Files code to runc?

kolyshkin avatar Dec 05 '25 22:12 kolyshkin

Perhaps we can just copy the activation.Files code to runc?

Something like this: https://github.com/opencontainers/runc/pull/5057

kolyshkin avatar Dec 05 '25 22:12 kolyshkin

This also has a nice compliance side effect - the only other cryptography modules pulled in are crypto/rand and crypto/sha1 neither of which are used to protect information at rest or in-transit, meaning the same build of runc can be used in FIPS and non-FIPS contexts, as not using any cryptography make the binary out of scope for FIPS cryptographic module compliance.

sha1 is not allowed in the go fips 140-only mode. It will cause a panic at runtime. So I dont think unless crypto/sha1 usage is also removed, the runc binary will not be completely out of scope for FIPS compliance.

akhilerm avatar Dec 08 '25 04:12 akhilerm

But yeah, I think #5057 is an even better solution than a build tag.

cyphar avatar Dec 08 '25 05:12 cyphar

This also has a nice compliance side effect - the only other cryptography modules pulled in are crypto/rand and crypto/sha1 neither of which are used to protect information at rest or in-transit, meaning the same build of runc can be used in FIPS and non-FIPS contexts, as not using any cryptography make the binary out of scope for FIPS cryptographic module compliance.

sha1 is not allowed in the go fips 140-only mode. It will cause a panic at runtime. So I dont think unless crypto/sha1 usage is also removed, the runc binary will not be completely out of scope for FIPS compliance.

Correct, however the approach taken by golang toolchain doesn't match what I.G.2.4.A allows. The point is that one doesn't need to build runc using FIPS mode toolchain at all.

Also sha1 could be replaced with sha1cd.

xnox avatar Dec 08 '25 08:12 xnox

Also sha1 could be replaced with sha1cd.

Could you elaborate? runc does not use crypto/sha1 directly; I found two uses in the vendored libraries, those are:

  • in cilium/ebpf (the only user is (asm.Instructions).Tag method which afaics we don't use);
  • in godbus/dbus (the only user is _windows.go file so it is not included during compile time).

kolyshkin avatar Dec 15 '25 19:12 kolyshkin