You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: docs-internal/arch/glibc-portability.md
+23-18Lines changed: 23 additions & 18 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -3,35 +3,38 @@
3
3
## Summary
4
4
5
5
The `secure-exec-v8` binary (Rust + V8 engine) is dynamically linked against glibc.
6
-
The minimum glibc version on target systems is determined by two factors:
6
+
The minimum glibc version on target systems is determined by the build environment's glibc version, because the linker stamps versioned symbol requirements into the binary at link time.
7
7
8
-
1.**rusty_v8 prebuilt static libraries** require **glibc >= 2.32** (due to `sem_clockwait` in V8's `sem_waiter.o`)
9
-
2.**Rust standard library** links against pthread symbols that were re-versioned in **glibc 2.34** when `libpthread.so` was merged into `libc.so.6`
8
+
The two key factors:
10
9
11
-
If we build on a system with glibc >= 2.34, the resulting binary requires glibc >= 2.34 at runtime because all pthread symbols (`pthread_create`, `sem_wait`, `dlsym`, etc.) get stamped with `GLIBC_2.34` version tags.
12
-
13
-
If we build on a system with glibc 2.32–2.33, pthread symbols resolve against the older separate `libpthread.so` version tags, and the effective floor drops to 2.32 (set by V8).
10
+
1.**Rust standard library** links against pthread symbols. In glibc 2.34, `libpthread.so` was merged into `libc.so.6`, so all pthread symbols got re-versioned to `GLIBC_2.34`. Building on glibc < 2.34 avoids this jump.
11
+
2.**rusty_v8 prebuilt static libraries** reference `sem_clockwait` (`GLIBC_2.30`) and other symbols. On Bullseye (glibc 2.31), `sem_clockwait` is available in the separate `libpthread.so`.
14
12
15
13
## Build base image policy
16
14
17
-
All Linux build environments (Dockerfiles, CI runners) must use **Ubuntu 22.04 (Jammy)** as the base, which ships glibc 2.35. This:
15
+
All Linux build environments (Dockerfiles, CI runners) must use **Debian Bullseye (glibc 2.31)**.
16
+
17
+
This produces binaries requiring only **glibc >= 2.29**, verified empirically:
18
18
19
-
- Satisfies V8's hard floor of glibc 2.32
20
-
- Produces binaries compatible with glibc 2.35+ systems
- Dockerfiles: `FROM rust:1.85.0-jammy` (not bookworm, not bullseye)
25
-
- GitHub Actions: `ubuntu-22.04` (not `ubuntu-latest`, which floats)
25
+
- Dockerfiles: `FROM rust:1.85.0-bullseye`
26
+
- GitHub Actions: `ubuntu-22.04` (the oldest available runner; glibc 2.35, but still better than `ubuntu-latest` which floats to newer versions)
27
+
28
+
Note: GitHub Actions doesn't offer a Bullseye runner, so CI builds will have a higher glibc floor (~2.29 from Bullseye Docker, ~2.34 from ubuntu-22.04 runner). For maximum portability, prefer Docker-based builds.
26
29
27
30
## Why not older?
28
31
29
-
-**Bullseye (glibc 2.31)**: V8's `sem_clockwait`symbol requires 2.32. Linking would fail.
30
-
-**CentOS 7 (glibc 2.17)**: Same problem, plus ancient toolchain.
-**Buster (glibc 2.28)**: `sem_clockwait` (GLIBC_2.30) is missing from libpthread.
31
34
32
35
## Why not musl?
33
36
34
-
The rusty_v8 crate only ships prebuilt `.a` files for `*-linux-gnu` targets. Building V8 from source against musl would require patching V8's build system and takes 30–60 minutes per platform. Not worth it given the glibc 2.35 floor is adequate.
37
+
The rusty_v8 crate only ships prebuilt `.a` files for `*-linux-gnu` targets. Building V8 from source against musl would require patching V8's build system and takes 30–60 minutes per platform. Not worth it given the glibc 2.29 floor covers virtually all active Linux distributions.
35
38
36
39
## How to verify
37
40
@@ -47,12 +50,14 @@ The highest version in the output is the minimum glibc required at runtime.
0 commit comments