Project

General

Profile

Actions

Support #7463

open

Can I compile suricata into statically build file?

Added by QianKai Lin about 1 month ago. Updated 26 days ago.

Status:
New
Priority:
Normal
Assignee:
-
Affected Versions:
Label:
Actions #1

Updated by Victor Julien about 1 month ago

  • Tracker changed from Feature to Support
  • Assignee deleted (OISF Dev)
  • Target version deleted (TBD)

I've heard some ppl have done it, but we have no guide to do it. If you manage to do it, it would be great if you can share the steps.

Actions #2

Updated by Jason Ish about 1 month ago

Basic steps, but I haven't tried myself, have only thought about it:

- build static versions of all the C dependencies, most modern Linux distributions as far as I know don't provide static versions for everything needed
- point Suricata at these static versions instead of shared ones, it can probably all be done with ./configure flags, but I wouldn't be surprised if some patching required
- the last bit, static libc - I'm not so sure, final build with MUSL maybe

Actions #3

Updated by Hans Vermeer about 1 month ago · Edited

We've managed to do this successfully, however, the plugin loading has a dlopen, patching this out (Its sadly not a configuration option) gave a fully static build of suricata.
Most dependencies (In (docker) ubuntu at least) came with a static library. We only had to rebuild libpcap without some dependencies, for example:

CFLAGS="-static" ./configure --disable-rdma --disable-shared --disable-usb --disable-netmap --disable-bluetooth --disable-dbus --without-libnl --with-pcap=linux

A command like

CFLAGS="-static" LDFLAGS="-static-libgcc -static -L/path/to/libpcap -L/lib/x86_64-linux-gnu/ -L/usr/lib/gcc/x86_64-linux-gnu/11/ -l:libgcc.a -l:libjansson.a -l:libm.a -l:liblz4.a -l:libyaml.a -l:libcap-ng.a -l:libyaml.a -l:libpcre2-8.a -l:libc.a -l:libz.a" CPPFLAGS="-I/path/to/libpcap" ./configure --disable-shared --enable-static --disable-gccmarch-native

Is probably enough to build suricata statically

Actions #4

Updated by QianKai Lin 26 days ago · Edited

I tried to build it in alpine linux 3.21 but when I compiled it with hyperscan, it will produce a problem, i don't know how to fix, this is my steps.

Build steps

apk add git clang llvm make automake autoconf pkgconfig libtool linux-headers bash vim
apk add zlib zlib-dev zlib-static 
apk add lz4 lz4-dev lz4-static
apk add pcre2-dev
apk add jansson-dev jansson-static
apk add yaml yaml-dev yaml-static
apk add libpcap-dev
apk add libcap-ng-dev libcap-ng-static
apk add file file libmagic
apk add libunwind-dev libunwind-static
apk add libelf libbpf-dev libxdp-dev libxdp-static
apk add rust cargo
apk add ragel boost-dev cmake

echo 'export PATH=/root/.cargo/bin:$PATH' >> /etc/profile
source /etc/profile
cargo install --force cbindgen

git clone https://github.com/Intel/hyperscan
cd hyperscan
cmake -DBUILD_STATIC_AND_SHARED=1 -DCMAKE_INSTALL_PREFIX:PATH=/usr -DCMAKE_C_FLAGS="-march=core-avx2" -DCMAKE_CXX_FLAGS="-march=core-avx2" 
cmake --build ./
cmake --install ./
cd ..

git clone https://github.com/OISF/suricata
cd suricata
git clone https://github.com/OISF/libhtp
./autogen.sh
# don't know why hyperscan can't configure
ln -s /usr/lib/gcc/x86_64-alpine-linux-musl/14.2.0/libgcc.a /usr/lib/gcc/x86_64-alpine-linux-musl/14.2.0/libgcc_s.a
LDFLAGS="-static" PKG_CONFIG="pkg-config --static" ./configure --disable-shared --enable-static --prefix=/usr --localstatedir=/var --sysconfdir=/etc
# compile rust failed
rm -f /usr/lib/gcc/x86_64-alpine-linux-musl/14.2.0/libgcc_s.a
make -j4 V=1 LDFLAGS="-static -all-static" 
ln -s /usr/lib/gcc/x86_64-alpine-linux-musl/14.2.0/libgcc.a /usr/lib/gcc/x86_64-alpine-linux-musl/14.2.0/libgcc_s.a
make -j4 V=1 LDFLAGS="-static -all-static" 

Error

/usr/lib/gcc/x86_64-alpine-linux-musl/14.2.0/../../../../x86_64-alpine-linux-musl/bin/ld: cannot find -lgcc_s: No such file or directory
Actions #5

Updated by QianKai Lin 26 days ago

Hans Vermeer wrote in #note-3:

We've managed to do this successfully, however, the plugin loading has a dlopen, patching this out (Its sadly not a configuration option) gave a fully static build of suricata.
Most dependencies (In (docker) ubuntu at least) came with a static library. We only had to rebuild libpcap without some dependencies, for example:

[...]

A command like
[...]

Is probably enough to build suricata statically

Thank you so much!!! I will try it.

Actions

Also available in: Atom PDF