While glibc's highly configurable name resolution and character set handling features offer an advantage when it comes to system configuration and installed content, there are limitations when it comes to statically linked applications. This article summarizes the current state, recent improvements, and plans for moving toward truly statically linked applications.
Although dynamic linking has advantages, making it the default choice for situations where binary compatibility is guaranteed (i.e., many Red Hat Enterprise Linux components), static linking is still useful in many situations such as:
- Application developers wanting to ensure that their binaries run on a wide range of operating system vendors and versions.
- Container introspection tools injected via oc-inject might bring their own dependencies into the system via static linking to avoid depending on in-container libraries.
- Languages such as Go might produce statically linked binaries by default.
Statically linking against glibc
Regardless of the use case, when you statically link an application, the reasonable expectation is that all dependencies are linked statically. When it comes to glibc, this is currently not the case due to several glibc features, such as:
- Name service switch (nsswitch)
- Character set handling and conversion (iconv)
- Thread cancellation (unwinder)
- Internationalized domain names (libidn2)
- Dynamic library loading from static code (dlopen)
The first two features allow glibc to be highly configurable when it comes to name resolution and character set handling. There are several non-glibc name resolution services implemented in the form of NSS modules. For example, systemd provides a caching DNS resolver installed by default on Fedora. Along the same lines, while vendor plugins for character set handling are less common, glibc's fairly exhaustive list of character set converters can be shipped and installed separately, reducing system footprint.
These features also come with a limitation related to statically linked applications. The application can potentially dynamically load (dlopen) NSS or iconv modules during execution, depending on system configuration and module availability. A documented fact which still goes against the principle of least surprise. In the case of Go, while it tries to generate statically linked binaries by default, linking against glibc for NSS ends up making "many Go programmes dynamically-linked, to the point that a lot of people think Go dynamically links by default / preference."
Recent changes
The GNU C library offers an --enable-static-nss configure time option that builds libc.a (i.e., statically linked glibc) in a way that NSS modules are statically linked. However, a relatively recent refactor of NSS code removed this feature. It was never enabled for Fedora’s or RHEL’s glibc-static package. Since the refactor, the DNS and files back-ends (the most frequently used) have been moved into glibc instead of being shipped as separate modules. This means that doing name lookups from /etc/hosts or /etc/passwd does not lead to an NSS module load as long as /etc/nsswitch.conf only lists the files and DNS database providers. This has left the --enable-static-nss configure option redundant. However, there is more to be done here.
Iterating toward a solution
While there are five subsystems in this problem area, I have picked two to begin the process of iterating toward a solution: NSS and iconv.
The next step toward avoiding surprising NSS module loads in statically linked applications is to either bring back the functionality that --enable-static-nss provides or do even better by allowing configuring behavior at application build-time instead of distribution build-time and providing a way to completely suppress all dynamic loading, regardless of the contents of nsswitch.conf requiring it.
I'm currently in the process of trying to solve this. I did some initial experimentation by trying to build a new statically linked library that contains copies of glibc internal functions involved in NSS module loading, but with the module loading disabled. The idea being that with the appropriate linker command line, this can be used to link the alternative (non module loading) versions of the NSS component instead of the default versions that call dlopen. Once I had an idea of the changes we are looking at, I started a conversation upstream.
I am now working through the implementation details, starting with collecting NSS code scattered across the glibc source tree into one place. Once I am finished with that, I will start posting patches upstream and working toward consensus.
Please stay tuned for my future article describing glibc's progress on supporting truly statically linked applications.