Channels
doorman
infrastructure
random
zercurity
community-feeds
fleet-dev
code-review
queryhub
apple-silicon
carving
tls
fim
goquery
zentral
aws
querycon
golang
zeek
file-carving
fuzzing
auditing-warroom
linen-dev
fleetosquery
plugins
jobs
arm-architecture
darkbytes
process-auditing
uptycs
android_tests
selfgroup
vendor-feeds
fleet
eclecticiq-polylogyx-extension
ebpf
website
core
general
macos
kolide
osctrl
extensions
foundation
sql
officehours
linux
windows
Title
d
defensivedepth
08/18/2022, 1:51 AMTrying to dig back into the history of when the linux osqueryd binary increased in size....
Anyone recall why it increased so dramatically from
4.95.0s
sharvil
08/18/2022, 1:57 AM5.0 was a major effort to redo packaging and releasing, and get us closer to reproduce-able builds, perhaps we now include debug symbols by default..? Or forgot to strip them
I will have to check this later when I am at a computer
And @Stefano Bonicatti might also have a clue
s
seph
08/18/2022, 2:05 AMThat's the tarball? It's not stripped.
IMO it's a packaging bug.
You can strip it, or extract from the rpm or Deb
s
Stefano Bonicatti
08/18/2022, 9:34 AMhttps://github.com/osquery/osquery/issues/7169 This was the issue you’ve opened. I wouldn’t call it a bug? Providing the debug symbols so that one can split them and keep them it’s useful. That been said we can do that job, creating 2 archives, one with the stripped binary, and the other just with the debug symbols.
They also can be merged back with a tool called
eu-unstripd
defensivedepth
08/18/2022, 11:41 AMOk so the osqueryd binary in the tarball is being generated with debug symbols but the one in the rpm isnt?
200mb in the tarball vs. 49mb in the rpm
This came up because there is a group I am working with that is deploying osquery and their deployment package is massive. Looks like they are using the tarball as the source.
s
Stefano Bonicatti
08/18/2022, 1:10 PMyeah the rpm isn’t because it splits the debug symbols in a different package.
s
seph
08/18/2022, 1:18 PMI consider this a bug, because I think most use cases do not want the debug symbols. So the easy paths should be the stripped versions.
m
Mike Myers
08/18/2022, 5:11 PMWell this requires a change in
osquery-codesigns
seph
08/18/2022, 5:44 PMDoes it? I think it’s mostly something in the cpack code. Which is in osquery repo
s
Stefano Bonicatti
08/18/2022, 6:21 PMThere should be no problem on the codesign side, since Linux binaries are not signed
there’s should also be minimal logic to upload the debug symbols separately in the codesign repo, but again that should be straightforward
m
Mike Myers
08/18/2022, 6:31 PMah, okay, then anyone who has time to make the PR to
osquery/osqueryd
defensivedepth
04/14/2023, 12:38 AMIf someone gives me a few pointers, I can take a crack at this. It's become much more important for a project Im working on to get this file size reduced 🙂
s
seph
04/14/2023, 1:40 AMI’d certainly appreciate it.
I don’t really understand cpack. But whereever cpack does stuff, the binary should be stripped. I suspect we also need to extract the debugging symbols for distribution seperately.
But this is all deep in the cpack code. And I don’t know who other than the ToB folk really understand it
s
Stefano Bonicatti
04/14/2023, 9:04 AMSo CPack is just something mainly automatic that you can control via options that you set in a CMakeLists.txt.
There are global options and per package options, and they are all documented https://cmake.org/cmake/help/latest/module/CPack.html
It takes control of the CMake install phase (it runs the
installFor osquery specifically though we have split things. We first install via CMake only into a folder, whose files are used to create the packages in a second step and with a different CMake/CPack project (osquery-packaging)
Now the last tidbit is that CPack can only create one package per target defined in CMake. I don’t think it’s worth making all the changes to duplicate the targets or components inside
osquery-packagingThe logic that drives the packaging via CI is here: https://github.com/osquery/osquery/blob/e29abce93789f718aeb56fd5da3e94c6fee08073/.github/workflows/hosted_runners.yml#L433
As far as telling CPack to strip files, there’s the
CPACK_STRIP_FILESI gave a long explanation just to give more insight in how things work, it seems complicated but it’s not that much and CPack is documented and behaves much like CMake (it’s automatic and you can control it via flags; no ones remember them by heart the options, so the manual is there to help), and now that I’m writing this, I think you could even not touch the
osquery-packagingCPACK_STRIP_FILESFrom there the work is just letting the CI know where this new tgz is and upload it where necessary; the logic would be all in the
osqueryFrom there we have to take over in the codesign repo, to copy the new tgz coming from the
osqueryhttps://osquery.slack.com/archives/CBLGAN1HD/p1681463866643789?thread_ts=1660787519.172489&cid=CBLGAN1HD
Forgot the aarch64 workflow too (the logic there is a copy basically) https://github.com/osquery/osquery/blob/master/.github/workflows/self_hosted_runners.yml#L351
Another thing you will encounter is that the name of the archive generated is parametric but the parameters are given via the CMakeLists.txt, so unless you change them it’s “hardcoded”. This means that a second run of the tgz packaging will overwrite the previous tgz. Here, depending on if we want to have this logic be usable outside of the CI, you can just rename the first archive in the workflow, after you generate it, and then call the second tgz generation with the stripping. Or if we want to have this logic easily available just by passing an option to the
osquery-packagingifosquery-packaging