(PA-6383) Enable PIE for Ubuntu and Debian

[skyamgarp]

Enable PIE for Ubuntu 22, Debian 10 and up

agent-runtime-main: https://jenkins-platform.delivery.puppetlabs.net/view/vanagon-generic-builder/job/platform_vanagon-generic-builder_vanagon-packaging_generic-builder/3168/

agent-runtime-7.x: https://jenkins-platform.delivery.puppetlabs.net/view/vanagon-generic-builder/job/platform_vanagon-generic-builder_vanagon-packaging_generic-builder/3167/

pdk-runtime: https://jenkins-platform.delivery.puppetlabs.net/view/vanagon-generic-builder/job/platform_vanagon-generic-builder_vanagon-packaging_generic-builder/3170/

bolt-runtime: https://jenkins-platform.delivery.puppetlabs.net/view/vanagon-generic-builder/job/platform_vanagon-generic-builder_vanagon-packaging_generic-builder/3171/

pe-installer-runtime-2021.7.x: https://jenkins-platform.delivery.puppetlabs.net/view/vanagon-generic-builder/job/platform_vanagon-generic-builder_vanagon-packaging_generic-builder/3172/

pe-installer-runtime-main: https://jenkins-platform.delivery.puppetlabs.net/view/vanagon-generic-builder/job/platform_vanagon-generic-builder_vanagon-packaging_generic-builder/3173/

[joshcooper]

Thanks @skyamgarp I had a few comments:

1. Could you add a _shared-compiler-settings.rb like @h0tw1r3 did in https://github.com/puppetlabs/puppet-runtime/pull/831/files#diff-c682e6498bfc9db6945b066a648384113b3f91de927edac5e67f3b31c6336b96 containing:

# Define default CFLAGS and LDFLAGS for most platforms, and then
# tweak or adjust them as needed.
proj.setting(:cppflags, "-I#{proj.includedir} -I/opt/pl-build-tools/include")
proj.setting(:cflags, "-frecord-gcc-switches #{proj.cppflags}")
proj.setting(:ldflags, "-L#{proj.libdir} -L/opt/pl-build-tools/lib -Wl,-rpath=#{proj.libdir}")

if (platform.is_sles? && platform.os_version.to_i >= 15) ||
      (platform.is_el? && platform.os_version.to_i >= 8 && platform.architecture !~ /ppc64/) ||
      (platform.is_debian? && platform.os_version.to_i >= 10) ||
      (platform.is_ubuntu? && platform.os_version.to_i >= 20) ||
      platform.is_fedora?
  proj.setting(:supports_pie, true)
end

Then refactor all of the projects to include the shared compiler settings. For example, in configs/projects/_shared-agent-settings.rb

-proj.setting(:cppflags, "-I#{proj.includedir} -I/opt/pl-build-tools/include")
-proj.setting(:cflags, "#{proj.cppflags}")
-proj.setting(:ldflags, "-L#{proj.libdir} -L/opt/pl-build-tools/lib -Wl,-rpath=#{proj.libdir}")
+# Load default compiler settings
+instance_eval File.read('configs/projects/_shared-compiler-settings.rb')

Then in each project/component, you can test for settings[:supports_pie] instead of copying the conditional. For example, in augeas.rb:

-  if((platform.is_sles? && platform.os_version.to_i >= 15) ||
-      (platform.is_el? && platform.os_version.to_i >= 8 && platform.architecture !~ /ppc64/) ||
-      (platform.is_debian? && platform.os_version.to_i >= 10) ||
-      (platform.is_ubuntu? && platform.os_version.to_i >= 20) ||
-      platform.is_fedora?
-    )
+ if proj.settings[:supports_pie]

2. I think it's fine to skip power architecture for now, but please make a ticket so we come back to it.

3. IIUC, your PR enables PIE for projects that include configs/projects/_shared-agent-settings.rb because that's where we define FORTIFY_SOURCE, etc More work is needed to enable PIE for other projects. For example, we'd need to move these settings into the shared-compiler-settings component and do this for each project. Could you add another commit to your PR or file a separate ticket?

4. Could you verify that all of the executables built during agent-runtime-* have PIE enabled and can be executed/loaded? Gems with native extensions are likely to be problematic, for example ffi. Running /opt/puppetlabs/puppet/bin/ruby -e 'puts "require \"ffi\""' is a good test.