[Bug 2078244] Re: ceph: Does not respect compiler flags for Python extensions

Matthew Ruffell 2078244 at bugs.launchpad.net
Sat Nov 8 11:16:49 UTC 2025


** Description changed:

  [Impact]
- The packaging does not respect compiler flags when building the Python extensions, notably hardening flags like the stack protector, as well as frame-pointer.
  
- [Test plan]
- Look at the build log and see that the build flags have been passed, notably stuff like
+ Ceph packaging does not respect compiler flags when building Python
+ extensions, notably hardening flags like the stack protector, as well as
+ frame-pointer.
  
- -fno-strict-overflow -Wsign-compare -DNDEBUG -g -O2 -Wall -g -O2 -Werror=implicit-function-declaration -fno-omit-frame-pointer -mno-omit-leaf-frame-pointer -ffile-prefix-map=/<<PKGBUILDDIR>>=. -fstack-protector-strong -fstack-clash-protection -Wformat -Werror=for
- mat-security -fcf-protection
+ They were enabled and present in focal, but lost somewhere after impish.
+ Jammy is missing them, and noble is too.
  
- It can be seen that this is already the case for the shared libraries,
- it is only the Python extensions that are missing flags.
+ If we look at the buildlog for 19.2.1-0ubuntu0.24.04.2 on noble amd64,
+ we see CFLAGS="".
  
- [Where problems could occur]
- Hardening flags could surface existing (possibly security) bugs that have been asymptomatic so far; frame-pointers will incur some slow down.
+ [ 76%] Generating ../../../lib/cython_modules/lib.3/cephfs.cpython-312-x86_64-linux-gnu.so
+ cd /<<PKGBUILDDIR>>/src/pybind/cephfs && env CC="/usr/bin/cc" CFLAGS="" CPPFLAGS="-iquote/<<PKGBUILDDIR>>/src/include -w -D'void0=dead_function(void)' -D'__Pyx_check_single_interpreter(ARG)=ARG##0'" CXX="/usr/bin/c++" LDSHARED="/usr/bin/cc -shared" OPT="-DNDEBUG -g -fwrapv -O2 -w" LDFLAGS=-L/<<PKGBUILDDIR>>/obj-x86_64-linux-gnu/lib CYTHON_BUILD_DIR=/<<PKGBUILDDIR>>/obj-x86_64-linux-gnu/src/pybind/cephfs CEPH_LIBDIR=/<<PKGBUILDDIR>>/obj-x86_64-linux-gnu/lib /usr/bin/python3.12 /<<PKGBUILDDIR>>/src/pybind/cephfs/setup.py build --build-base /<<PKGBUILDDIR>>/obj-x86_64-linux-gnu/lib/cython_modules --build-platlib /<<PKGBUILDDIR>>/obj-x86_64-linux-gnu/lib/cython_modules/lib.3
+ 
+ This should be fixed to include the standard Ubuntu defined hardening
+ CFLAGS.
+ 
+ [Testcase]
+ 
+ Check the buildlog for CFLAGS on "cython_modules" binaries.
+ 
+ There are test packages available in the following ppa:
+ 
+ https://launchpad.net/~mruffell/+archive/ubuntu/lp2119024-updates
+ 
+ If you check the build log for noble amd64, you should see:
+ 
+ [ 77%] Generating ../../../lib/cython_modules/lib.3/cephfs.cpython-312-x86_64-linux-gnu.so
+ cd /<<PKGBUILDDIR>>/src/pybind/cephfs && env CC="/usr/bin/cc" CFLAGS=""\ -g\ -O2\ -fno-omit-frame-pointer\ -mno-omit-leaf-frame-pointer\ -ffile-prefix-map=/<<PKGBUILDDIR>>=.\ -fstack-protector-strong\ -fstack-clash-protection\ -Wformat\ -Werror=format-security\ -fcf-protection\ -fdebug-prefix-map=/<<PKGBUILDDIR>>=/usr/src/ceph-19.2.3-0ubuntu0.24.04.1~lp2119024v20251106b1\ -Wdate-time\ -D_FORTIFY_SOURCE=3 CPPFLAGS="-iquote/<<PKGBUILDDIR>>/src/include -w -D'void0=dead_function(void)' -D'__Pyx_check_single_interpreter(ARG)=ARG##0'" CXX="/usr/bin/c++" LDSHARED="/usr/bin/cc -shared" OPT="-DNDEBUG -g -fwrapv -O2 -w" LDFLAGS=-L/<<PKGBUILDDIR>>/obj-x86_64-linux-gnu/lib\ \ -Wl,-Bsymbolic-functions\ -Wl,-z,relro\ -Wl,-z,now\ -Wl,--as-needed\ -latomic CYTHON_BUILD_DIR=/<<PKGBUILDDIR>>/obj-x86_64-linux-gnu/src/pybind/cephfs CEPH_LIBDIR=/<<PKGBUILDDIR>>/obj-x86_64-linux-gnu/lib /usr/bin/python3.12 /<<PKGBUILDDIR>>/src/pybind/cephfs/setup.py build --build-base /<<PKGBUILDDIR>>/obj-x86_64-linux-gnu/lib/cython_modules --build-platlib /<<PKGBUILDDIR>>/obj-x86_64-linux-gnu/lib/cython_modules/lib.3
+ 
+ Where all CFLAGS are present.
+ 
+ [Where problems can occur]
+ 
+ We are enabling compiler hardening flags which tighten up execution and
+ security requirements as expected of any package in the Ubuntu archive.
+ 
+ This could potentially lead to these compiled python libraries
+ segmentation faulting if they happen to rely on faulty behaviour of
+ exceeding the stack boundary and overwriting the newly placed stack
+ canaries.
+ 
+ Ideally, all python modules should be exercised before release, but in
+ general, a certification pass of the ceph point release verification
+ should be enough to smoke test these modules.
+ 
+ [Other info]
+ 
+ Gentoo commit:
+ https://github.com/gentoo/gentoo/commit/c588d0c55a2facb7b98331abf3ccb2439cc34286
+ 
+ Gentoo bugs:
+ https://bugs.gentoo.org/866159
+ https://bugs.gentoo.org/866161

** Changed in: ceph (Ubuntu Noble)
       Status: Triaged => In Progress

** Changed in: ceph (Ubuntu Noble)
     Assignee: (unassigned) => Matthew Ruffell (mruffell)

https://bugs.launchpad.net/bugs/2078244

Title:
   ceph: Does not respect compiler flags for Python extensions

Status in ceph package in Ubuntu:
  Fix Released
Status in ceph source package in Noble:
  In Progress
Status in ceph source package in Oracular:
  Fix Released

Bug description:
  [Impact]

  Ceph packaging does not respect compiler flags when building Python
  extensions, notably hardening flags like the stack protector, as well
  as frame-pointer.

  They were enabled and present in focal, but lost somewhere after
  impish. Jammy is missing them, and noble is too.

  If we look at the buildlog for 19.2.1-0ubuntu0.24.04.2 on noble amd64,
  we see CFLAGS="".

  [ 76%] Generating ../../../lib/cython_modules/lib.3/cephfs.cpython-312-x86_64-linux-gnu.so
  cd /<<PKGBUILDDIR>>/src/pybind/cephfs && env CC="/usr/bin/cc" CFLAGS="" CPPFLAGS="-iquote/<<PKGBUILDDIR>>/src/include -w -D'void0=dead_function(void)' -D'__Pyx_check_single_interpreter(ARG)=ARG##0'" CXX="/usr/bin/c++" LDSHARED="/usr/bin/cc -shared" OPT="-DNDEBUG -g -fwrapv -O2 -w" LDFLAGS=-L/<<PKGBUILDDIR>>/obj-x86_64-linux-gnu/lib CYTHON_BUILD_DIR=/<<PKGBUILDDIR>>/obj-x86_64-linux-gnu/src/pybind/cephfs CEPH_LIBDIR=/<<PKGBUILDDIR>>/obj-x86_64-linux-gnu/lib /usr/bin/python3.12 /<<PKGBUILDDIR>>/src/pybind/cephfs/setup.py build --build-base /<<PKGBUILDDIR>>/obj-x86_64-linux-gnu/lib/cython_modules --build-platlib /<<PKGBUILDDIR>>/obj-x86_64-linux-gnu/lib/cython_modules/lib.3

  This should be fixed to include the standard Ubuntu defined hardening
  CFLAGS.

  [Testcase]

  Check the buildlog for CFLAGS on "cython_modules" binaries.

  There are test packages available in the following ppa:

  https://launchpad.net/~mruffell/+archive/ubuntu/lp2119024-updates

  If you check the build log for noble amd64, you should see:

  [ 77%] Generating ../../../lib/cython_modules/lib.3/cephfs.cpython-312-x86_64-linux-gnu.so
  cd /<<PKGBUILDDIR>>/src/pybind/cephfs && env CC="/usr/bin/cc" CFLAGS=""\ -g\ -O2\ -fno-omit-frame-pointer\ -mno-omit-leaf-frame-pointer\ -ffile-prefix-map=/<<PKGBUILDDIR>>=.\ -fstack-protector-strong\ -fstack-clash-protection\ -Wformat\ -Werror=format-security\ -fcf-protection\ -fdebug-prefix-map=/<<PKGBUILDDIR>>=/usr/src/ceph-19.2.3-0ubuntu0.24.04.1~lp2119024v20251106b1\ -Wdate-time\ -D_FORTIFY_SOURCE=3 CPPFLAGS="-iquote/<<PKGBUILDDIR>>/src/include -w -D'void0=dead_function(void)' -D'__Pyx_check_single_interpreter(ARG)=ARG##0'" CXX="/usr/bin/c++" LDSHARED="/usr/bin/cc -shared" OPT="-DNDEBUG -g -fwrapv -O2 -w" LDFLAGS=-L/<<PKGBUILDDIR>>/obj-x86_64-linux-gnu/lib\ \ -Wl,-Bsymbolic-functions\ -Wl,-z,relro\ -Wl,-z,now\ -Wl,--as-needed\ -latomic CYTHON_BUILD_DIR=/<<PKGBUILDDIR>>/obj-x86_64-linux-gnu/src/pybind/cephfs CEPH_LIBDIR=/<<PKGBUILDDIR>>/obj-x86_64-linux-gnu/lib /usr/bin/python3.12 /<<PKGBUILDDIR>>/src/pybind/cephfs/setup.py build --build-base /<<PKGBUILDDIR>>/obj-x86_64-linux-gnu/lib/cython_modules --build-platlib /<<PKGBUILDDIR>>/obj-x86_64-linux-gnu/lib/cython_modules/lib.3

  Where all CFLAGS are present.

  [Where problems can occur]

  We are enabling compiler hardening flags which tighten up execution
  and security requirements as expected of any package in the Ubuntu
  archive.

  This could potentially lead to these compiled python libraries
  segmentation faulting if they happen to rely on faulty behaviour of
  exceeding the stack boundary and overwriting the newly placed stack
  canaries.

  Ideally, all python modules should be exercised before release, but in
  general, a certification pass of the ceph point release verification
  should be enough to smoke test these modules.

  [Other info]

  Gentoo commit:
  https://github.com/gentoo/gentoo/commit/c588d0c55a2facb7b98331abf3ccb2439cc34286

  Gentoo bugs:
  https://bugs.gentoo.org/866159
  https://bugs.gentoo.org/866161

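The [Testcase] section above asks the verifier to read the build log and confirm that the "cython_modules" lines carry the hardening CFLAGS. The following checker automates that step; it is an added example, not code from the bug report or from the Ceph package. The two sample log lines are constructed and shortened from the ones quoted above (cephfs as the broken CFLAGS="" case, rados as the fixed case), and the required-flag set is an assumption based on Ubuntu's default dpkg-buildflags output rather than anything the report lists as a criterion.

```python
import re
import shlex

# Assumed set of flags every cython_modules build line should carry once the
# fix lands (taken from Ubuntu's default dpkg-buildflags output; adjust per release).
REQUIRED_CFLAGS = ("-fstack-protector-strong", "-fstack-clash-protection",
                   "-fcf-protection", "-Werror=format-security",
                   "-D_FORTIFY_SOURCE=3", "-fno-omit-frame-pointer")
REQUIRED_LDFLAGS = ("-Wl,-z,relro", "-Wl,-z,now")

# Constructed sample log, shortened from the lines quoted in the bug report:
# cephfs shows the broken CFLAGS="" case, rados the fixed (escaped-space) case.
SAMPLE_LOG = r"""
cd /<<PKGBUILDDIR>>/src/pybind/cephfs && env CC="/usr/bin/cc" CFLAGS="" CPPFLAGS="-iquote/<<PKGBUILDDIR>>/src/include -w -D'void0=dead_function(void)'" LDFLAGS=-L/<<PKGBUILDDIR>>/obj-x86_64-linux-gnu/lib /usr/bin/python3.12 /<<PKGBUILDDIR>>/src/pybind/cephfs/setup.py build --build-platlib /<<PKGBUILDDIR>>/obj-x86_64-linux-gnu/lib/cython_modules/lib.3
cd /<<PKGBUILDDIR>>/src/pybind/rados && env CC="/usr/bin/cc" CFLAGS=""\ -g\ -O2\ -fno-omit-frame-pointer\ -fstack-protector-strong\ -fstack-clash-protection\ -Wformat\ -Werror=format-security\ -fcf-protection\ -D_FORTIFY_SOURCE=3 CPPFLAGS="-iquote/<<PKGBUILDDIR>>/src/include -w" LDFLAGS=-L/<<PKGBUILDDIR>>/obj-x86_64-linux-gnu/lib\ \ -Wl,-z,relro\ -Wl,-z,now\ -Wl,--as-needed /usr/bin/python3.12 /<<PKGBUILDDIR>>/src/pybind/rados/setup.py build --build-platlib /<<PKGBUILDDIR>>/obj-x86_64-linux-gnu/lib/cython_modules/lib.3
"""


def env_assignments(cmd):
    """Map VAR -> value for the VAR=value words of an `env ...` command line.
    shlex undoes the backslash-escaped spaces cmake writes into the log."""
    out = {}
    for word in shlex.split(cmd):
        m = re.match(r"([A-Z_]+)=(.*)", word, re.S)
        if m:
            out[m.group(1)] = m.group(2)
    return out


def check_cython_build_log(log_text):
    """Return {module: [missing hardening flags]} for every cython_modules
    setup.py invocation in the log; an empty list means the module is clean."""
    report = {}
    for line in log_text.splitlines():
        if "setup.py build" not in line or "cython_modules" not in line:
            continue
        env = env_assignments(line)
        cflags = env.get("CFLAGS", "").split()
        ldflags = env.get("LDFLAGS", "").split()
        m = re.search(r"src/pybind/([^/ ]+)/setup\.py", line)
        module = m.group(1) if m else line[:40]
        report[module] = ([f for f in REQUIRED_CFLAGS if f not in cflags]
                          + [f for f in REQUIRED_LDFLAGS if f not in ldflags])
    return report


if __name__ == "__main__":
    for module, missing in check_cython_build_log(SAMPLE_LOG).items():
        print(module, "OK" if not missing else "missing: " + " ".join(missing))
```

Feed it a real buildlog from the PPA (`check_cython_build_log(open(path).read())`) and every module should come back with an empty list; the cephfs sample line reproduces the failure mode the report describes.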