Chapter 5. Additional toolsets for development
Additional toolsets for C and C++ development provide capabilities for building, analyzing, and optimizing applications. By using these toolsets, you can define development workflows and improve application quality.
5.1. Using the GCC Toolset
The GCC Toolset provides updated development tools on Red Hat Enterprise Linux. Install, enable, and manage the toolset to build and debug C and C++ applications.
5.1.1. What is the GCC Toolset
Red Hat Enterprise Linux 10 introduces the GCC Toolset, which is an Application Stream that contains updated versions of development and performance analysis tools. The GCC Toolset is similar in role to Red Hat Developer Toolset.
GCC Toolset is available as an Application Stream in the form of a Software Collection in the AppStream repository. The GCC Toolset is fully supported under Red Hat Enterprise Linux Subscription Level Agreements, is functionally complete, and is intended for production use. Applications and libraries provided by the GCC Toolset do not replace the Red Hat Enterprise Linux system versions, do not override them, and do not automatically become default or preferred choices. By using a framework called Software Collections, an additional set of developer tools is installed into the /opt/ directory and is explicitly enabled by the user on-demand by using the scl utility. Unless noted otherwise for specific tools or features, the GCC Toolset is available for all architectures supported by Red Hat Enterprise Linux.
5.1.2. Installing the GCC Toolset
Installing the GCC Toolset on a system installs the main tools and all necessary dependencies. Note that some parts of the toolset are not installed by default and must be installed separately.
Procedure
To install the GCC Toolset version N:
# dnf install gcc-toolset-N
5.1.3. Installing individual packages from the GCC Toolset
To install only certain tools from the GCC Toolset instead of the whole toolset, list the available packages and install the selected ones with the dnf package management tool. Use selective installation to access packages not installed by default with the full toolset.
Procedure
List the packages available in the GCC Toolset version N:
$ dnf list available gcc-toolset-N-\*
To install any of these packages:
# dnf install package_name
Replace package_name with a space-separated list of packages to install. For example, to install the gcc-toolset-15-annobin-annocheck and gcc-toolset-15-binutils-devel packages:
# dnf install gcc-toolset-15-annobin-annocheck gcc-toolset-15-binutils-devel
5.1.4. Uninstalling the GCC Toolset
Remove the GCC Toolset from your system by uninstalling it using the dnf package management tool.
Procedure
To uninstall the GCC Toolset version N:
# dnf remove gcc-toolset-N\*
5.1.5. Accessing the GCC Toolset
To access the GCC Toolset, you can run a specific tool using the scl utility, or start a shell session where the toolset versions override the system versions.
Procedure
To run a single tool from the GCC Toolset version N:
$ gcc-toolset-N-env tool
Replace tool with the command provided by the tool you want to run.
To run a shell session where tool versions from the GCC Toolset version N override system versions of these tools:
$ gcc-toolset-N-env bash
Note
The scl utility is not used for the GCC Toolset in Red Hat Enterprise Linux 10. The scl enable command does not work with the GCC Toolset.
5.2. GCC Toolset 15
GCC Toolset 15 in Red Hat Enterprise Linux offers updated compilers and debuggers for C, C++, and Fortran. It enables building, testing, and optimizing applications with current features while maintaining system stability and support.
5.2.1. The GCC Toolset 15 tools and versions
The GCC Toolset 15 offers updated versions of development tools for building and debugging applications on RHEL.
| Name | Version | Description |
| GCC | 15.1.0 | A portable compiler suite with support for C, C++, and Fortran. |
| binutils | 2.44 | A collection of binary tools and other utilities to inspect and manipulate object files and binaries. |
| dwz | 0.16 | A tool to optimize DWARF debugging information contained in ELF shared libraries and ELF executables for size. |
5.2.2. C++ compatibility in the GCC Toolset 15
GCC Toolset 15 supports a range of C++ language standards. The default standard is C++17, but you can choose C++98, C++11, C++14, or experimental versions including C++20, C++23, and C++26. Select a different standard with the appropriate compiler flag when building your code.
This compatibility information applies only to GCC from the GCC Toolset 15.
The GCC compiler in the GCC Toolset 15 can use the following C++ standards:
- C++98
This language standard is available in the GCC Toolset 15. Binaries, shared libraries, and objects built using this standard can be freely mixed regardless of being built with GCC from the GCC Toolset 15, Red Hat Developer Toolset, and RHEL 5, 6, 7, and 8.
- C++11
This language standard is available in the GCC Toolset 15.
Using the C++11 language version is supported when all C++ objects compiled with the corresponding flag have been built using GCC version 5 or later.
- C++14
This language standard is available in the GCC Toolset 15.
Using the C++14 language version is supported when all C++ objects compiled with the corresponding flag have been built using GCC version 6 or later.
- C++17
This language standard is available in the GCC Toolset 15.
This is the default language standard setting for the GCC Toolset 15, with GNU extensions, equivalent to explicitly using option -std=gnu++17.
Using the C++17 language version is supported when all C++ objects compiled with the corresponding flag have been built using GCC version 10 or later.
- C++20, C++23, and C++26
These language standards are available in the GCC Toolset 15 only as experimental, unstable, and unsupported capabilities. Additionally, the compatibility of objects, binary files, and libraries built using these standards cannot be guaranteed.
To enable the C++20 standard, add the command-line option -std=c++20 to your g++ command line.
To enable the C++23 standard, add the command-line option -std=c++23 to your g++ command line.
To enable the C++26 standard, add the command-line option -std=c++26 to your g++ command line.
All of the language standards are available in both the standard-compliant variant and with GNU extensions.
Use the GCC Toolset 15 for linking when you combine objects built with the GCC Toolset 15 and objects built with the system toolchain, particularly .o or .a files. This ensures any newer library features provided only by the GCC Toolset 15 are resolved at link time.
5.2.3. Specifics of GCC in the GCC Toolset 15
Certain behaviors and requirements of binutils in the GCC Toolset 15 differ from the base Red Hat Enterprise Linux binutils. These include automatic static linking of certain library features and the requirement to specify libraries after object files during linking.
- Static linking of libraries
Certain more recent library features are statically linked into applications built with the GCC Toolset 15 to support execution on multiple versions of Red Hat Enterprise Linux. This creates an additional minor security risk because standard Red Hat Enterprise Linux errata do not change this code. If the need arises for developers to rebuild their applications due to this risk, Red Hat will communicate this using a security erratum.
Because of this additional security risk, developers are strongly advised not to statically link their entire application for the same reasons.
- Specify libraries after object files when linking
In the GCC Toolset 15, libraries are linked by using linker scripts, which might specify some symbols through static archives. This is required to ensure compatibility with multiple versions of Red Hat Enterprise Linux. However, the linker scripts use the names of the corresponding shared object files. As a consequence, the linker uses different symbol handling rules than expected, and does not recognize symbols required by object files when the option adding the library is specified before options specifying the object files:
$ gcc-toolset-15-env gcc -lsomelib objfile.o
Using a library from the GCC Toolset 15 in this manner results in the linker error message undefined reference to symbol. To prevent this problem, follow the standard linking practice and specify the option adding the library after the options specifying the object files:
$ gcc-toolset-15-env gcc objfile.o -lsomelib
Note that this recommendation also applies when using the base Red Hat Enterprise Linux version of GCC.
5.2.4. Specifics of binutils in the GCC Toolset 15
Certain behaviors and requirements of binutils in the GCC Toolset 15 differ from the base Red Hat Enterprise Linux binutils. These include automatic static linking of certain library features and the requirement to specify libraries after object files during linking.
- Static linking of libraries
GCC Toolset 15 statically links newer library features into applications to ensure compatibility across multiple Red Hat Enterprise Linux versions. Statically linked code can introduce minor security risks, because security updates require applications to be rebuilt. If a security vulnerability is discovered, Red Hat will notify developers to rebuild affected applications through a security advisory.
Because of this additional security risk, developers are strongly advised not to statically link their entire application for the same reasons.
- Specify libraries after object files when linking
In the GCC Toolset 15, libraries are linked by using linker scripts which might specify some symbols through static archives. This is required to ensure compatibility with multiple versions of Red Hat Enterprise Linux. However, the linker scripts use the names of the corresponding shared object files. As a consequence, the linker uses different symbol handling rules than expected, and does not recognize symbols required by object files when the option adding the library is specified before options specifying the object files:
$ gcc-toolset-15-env ld -lsomelib objfile.o
Using a library from the GCC Toolset 15 in this manner results in the linker error message undefined reference to symbol. To prevent this problem, follow the standard linking practice, and specify the option adding the library after the options specifying the object files:
$ gcc-toolset-15-env ld objfile.o -lsomelib
Note that this recommendation also applies when using the base Red Hat Enterprise Linux version of binutils.
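Added example (not part of the Red Hat documentation): a shell function that applies the link-order rule from sections 5.2.3 and 5.2.4 to a link command, warning when a -l option precedes an object file or archive and printing the command with the libraries moved to the end. The name fix_link_order is hypothetical, and the function assumes libraries are given in the single-word -lNAME form and that no argument contains spaces.

```shell
#!/bin/sh
# fix_link_order ARG...
# Prints ARG... with every -lNAME option moved after all other arguments,
# keeping the relative order within each group. Returns 1 (and warns on
# stderr) if a -lNAME option was listed before an object file or archive,
# which is the ordering that produces "undefined reference to symbol".
# Hypothetical helper written for this example.
fix_link_order() {
    libs= rest= last_lib= bad=0
    for arg in "$@"; do
        case $arg in
            -l?*)
                libs="$libs $arg"; last_lib=$arg ;;
            *.o|*.a)
                if [ -n "$last_lib" ]; then
                    echo "warning: $last_lib is listed before $arg" >&2
                    bad=1
                fi
                rest="$rest $arg" ;;
            *)
                rest="$rest $arg" ;;
        esac
    done
    echo "${rest# }$libs"
    return "$bad"
}

# The failing command line from the text above, used as sample input.
fix_link_order gcc-toolset-15-env gcc -lsomelib objfile.o || true
```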
5.3. Compiler toolsets
RHEL 10 provides several compiler toolsets as Application Streams, including the LLVM Toolset, Rust Toolset, and Go Toolset. These toolsets provide compilers, debuggers, dependency managers, and other related tools and libraries for C, C++, Rust, and Go development.
The following compiler toolsets are available:
- LLVM Toolset provides the LLVM compiler infrastructure framework, the Clang compiler for the C and C++ languages, the LLDB debugger, and related tools for code analysis.
- Rust Toolset provides the Rust programming language compiler rustc, the cargo build tool and dependency manager, the cargo-vendor plug-in, and required libraries.
- Go Toolset provides the Go programming language tools and libraries. Go is alternatively known as golang.
For more details and information about usage, see the compiler toolsets user guides on the Red Hat Developer Tools page.
5.4. The Annobin project
Use the Annobin project to add markers to Executable and Linkable Format (ELF) objects. With the Annobin project, you can track build properties and perform security hardening checks on your binaries by using the annobin plugin and the annocheck programs.
The annobin plugin scans the GNU Compiler Collection (GCC) command line, the compilation state, and the compilation process, and generates the ELF notes. The ELF notes record how the binary was built and provide information for the annocheck program to perform security hardening checks.
The security hardening checker is part of the annocheck program and is enabled by default. It checks the binary files to determine whether the program was built with necessary security hardening options and compiled correctly. annocheck is able to recursively scan directories, archives, and RPM packages for ELF object files.
The files must be in ELF format. annocheck does not handle any other binary file types.
You can perform the following tasks:
- Use the annobin plugin
- Use the annocheck program
- Remove redundant annobin notes
5.4.1. Using the annobin plugin
You can use the annobin plugin to annotate binary files. You can enable the annobin plugin and pass options to it.
5.4.1.1. Enabling the annobin plug-in
To add build security notes to binaries, enable the annobin plug-in by using command-line options with gcc or clang utilities.
Procedure
To enable the annobin plug-in with gcc, use:
$ gcc -fplugin=annobin
If gcc does not find the annobin plug-in, use:
$ gcc -iplugindir=/path/to/directory/containing/annobin/
Replace /path/to/directory/containing/annobin/ with the absolute path to the directory that contains annobin.
To find the directory containing the annobin plug-in, use:
$ gcc --print-file-name=plugin
To enable the annobin plug-in with clang, use:
$ clang -fplugin=/path/to/directory/containing/annobin/
Replace /path/to/directory/containing/annobin/ with the absolute path to the directory that contains annobin.
Optional: To remove the redundant annobin notes, use the objcopy utility:
$ objcopy --merge-notes file-name
5.4.1.2. Passing options to the annobin plug-in
To pass options to the annobin plug-in, use the appropriate command-line arguments with gcc or clang.
Procedure
To pass options to the annobin plug-in with gcc, use:
$ gcc -fplugin=annobin -fplugin-arg-annobin-option file-name
Replace option with the annobin command line arguments and replace file-name with the name of the file.
For example, to display additional details about what annobin is doing, use:
$ gcc -fplugin=annobin -fplugin-arg-annobin-verbose file-name
Replace file-name with the name of the file.
To pass options to the annobin plug-in with clang, use:
$ clang -fplugin=/path/to/directory/containing/annobin/ -Xclang -plugin-arg-annobin -Xclang option file-name
Replace option with the annobin command line arguments and replace /path/to/directory/containing/annobin/ with the absolute path to the directory containing annobin.
For example, to display additional details about what annobin is doing, use:
$ clang -fplugin=/usr/lib64/clang/10/lib/annobin.so -Xclang -plugin-arg-annobin -Xclang verbose file-name
Replace file-name with the name of the file.
5.4.2. Using the annocheck program
You can use annocheck to examine files, directories, RPM packages, and extra tools.
annocheck recursively scans directories, archives, and RPM packages for ELF object files. The files have to be in the ELF format. annocheck does not handle any other binary file types.
5.4.2.1. Using annocheck to examine files
To verify hardening options and build security notes of ELF files, examine the files by using the annocheck tool.
Procedure
To examine a file, use:
$ annocheck file-name
Replace file-name with the name of a file.
Note
The files must be in ELF format. annocheck does not handle any other binary file types. annocheck processes static libraries that contain ELF object files.
5.4.2.2. Using annocheck to examine directories
To examine ELF files in a directory, use the annocheck tool, which recursively scans directories, subdirectories, and archives.
Procedure
To scan a directory, use:
$ annocheck directory-name
Replace directory-name with the name of a directory. annocheck automatically examines the contents of the directory, its sub-directories, and any archives and RPM packages within the directory.
Note
annocheck only looks for ELF files. Other file types are ignored.
5.4.2.3. Using annocheck to examine RPM packages
To examine ELF files in an RPM package, use the annocheck tool, which recursively scans all ELF files inside the package.
Procedure
To scan an RPM package, use:
$ annocheck rpm-package-name
Replace rpm-package-name with the name of an RPM package. annocheck recursively scans all the ELF files inside the RPM package.
Note
annocheck only looks for ELF files. Other file types are ignored.
To scan an RPM package with provided debug info RPM, use:
$ annocheck rpm-package-name --debug-rpm debuginfo-rpm
Replace rpm-package-name with the name of an RPM package, and debuginfo-rpm with the name of a debug info RPM associated with the binary RPM.
5.4.2.4. Using annocheck extra tools
The annocheck utility includes multiple tools for examining binary files, which you can enable by using command-line options.
The following section describes how to enable the:
- built-by tool
- notes tool
- section-size tool
You can enable multiple tools at the same time.
The hardening checker is enabled by default.
5.4.2.4.1. Enabling the built-by tool
To find the name of the compiler that built a specific binary file, you can use the annocheck built-by tool.
Procedure
To enable the built-by tool, use:
$ annocheck --enable-built-by
For more information about the built-by tool, see the --help command-line option.
5.4.2.4.2. Enabling the notes tool
To display the notes stored inside a binary file created by the annobin plug-in, you can use the annocheck notes tool.
Procedure
To enable the notes tool, use:
$ annocheck --enable-notes
The notes are displayed in a sequence sorted by the address range. For more information about the notes tool, see the --help command-line option.
5.4.2.4.3. Enabling the section-size tool
To display the size of named sections, you can use the annocheck section-size tool.
Procedure
To enable the section-size tool, use:
$ annocheck --section-size=name
Replace name with the name of the named section. The output is restricted to specific sections. A cumulative result is produced at the end. For more information about the section-size tool, see the --help command-line option.
5.4.2.4.4. Hardening checker basics
The hardening checker is enabled by default. You can disable the hardening checker by using the --disable-hardened command-line option.
5.4.2.4.4.1. Hardening checker options
The annocheck tool verifies binaries for various hardening options, such as stack protection, PIC/PIE usage, and secure linker settings.
The following options are checked:
- Lazy binding is disabled using the -z now linker option.
- The program does not have a stack in an executable region of memory.
- The relocations for the GOT table are set to read only.
- No program segment has all three of the read, write and execute permission bits set.
- There are no relocations against executable code.
- The runpath information for locating shared libraries at runtime includes only directories rooted at /usr.
- The program was compiled with annobin notes enabled.
- The program was compiled with the -fstack-protector-strong option enabled.
- The program was compiled with -D_FORTIFY_SOURCE=2.
- The program was compiled with -D_GLIBCXX_ASSERTIONS.
- The program was compiled with -fexceptions enabled.
- The program was compiled with -fstack-clash-protection enabled.
- The program was compiled at -O2 or higher.
- The program does not have any relocations held in a writeable.
- Dynamic executables have a dynamic segment.
- Shared libraries were compiled with -fPIC or -fPIE.
- Dynamic executables were compiled with -fPIE and linked with -pie.
- If available, the -fcf-protection=full option was used.
- If available, the -mbranch-protection option was used.
- If available, the -mstackrealign option was used.
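Added example (not part of the Red Hat documentation or the annobin project): a shell function that compares a set of compiler and linker flags with the compile-time and link-time options in the list above, so that gaps are visible before the build and before annocheck examines the result. The name check_hardening_flags, the -Wl,-z,now spelling of -z now, and treating _FORTIFY_SOURCE level 3 as sufficient are assumptions of this example; the three "if available" options depend on the architecture and are not checked.

```shell
#!/bin/sh
# check_hardening_flags KIND FLAG...
#   KIND is "exe" (dynamic executable) or "lib" (shared library).
# Prints one "missing: ..." line for each compile- or link-time option from
# the list above that FLAG... does not provide. Returns 0 when nothing is
# missing and 1 otherwise. Hypothetical helper, not part of annobin.
check_hardening_flags() {
    kind=$1; shift
    notes=0 opt=0 ssp=0 fortify=0 assertions=0 exceptions=0 clash=0
    now=0 pic=0 fpie=0 pie=0 prev=
    for arg in "$@"; do
        case $arg in
            -fplugin=*annobin*)       notes=1 ;;
            -O2|-O3)                  opt=1 ;;
            -O*)                      opt=0 ;;   # the last -O option wins
            -fstack-protector-strong) ssp=1 ;;
            # Assumption: level 3 also satisfies the _FORTIFY_SOURCE check.
            -D_FORTIFY_SOURCE=[23])   fortify=1 ;;
            -D_GLIBCXX_ASSERTIONS)    assertions=1 ;;
            -fexceptions)             exceptions=1 ;;
            -fstack-clash-protection) clash=1 ;;
            -Wl,-z,now)               now=1 ;;
            now)                      if [ "$prev" = "-z" ]; then now=1; fi ;;
            -fPIC)                    pic=1 ;;
            -fPIE)                    pic=1; fpie=1 ;;
            -pie)                     pie=1 ;;
        esac
        prev=$arg
    done
    missing=0
    need() {    # need VALUE DESCRIPTION
        if [ "$1" -eq 0 ]; then echo "missing: $2"; missing=1; fi
    }
    need "$notes"      "annobin notes (-fplugin=annobin)"
    need "$opt"        "-O2 or higher"
    need "$ssp"        "-fstack-protector-strong"
    need "$fortify"    "-D_FORTIFY_SOURCE=2"
    need "$assertions" "-D_GLIBCXX_ASSERTIONS"
    need "$exceptions" "-fexceptions"
    need "$clash"      "-fstack-clash-protection"
    need "$now"        "-z now"
    if [ "$kind" = "lib" ]; then
        need "$pic"  "-fPIC or -fPIE"
    else
        need "$fpie" "-fPIE"
        need "$pie"  "-pie"
    fi
    return "$missing"
}

# Constructed sample: a build that sets only optimization and PIE options.
check_hardening_flags exe -O2 -g -fPIE -pie || echo "flags need attention"
```

The properties in the list that describe the finished binary, such as the executable stack, GOT relocations, segment permissions, and runpath, can only be confirmed by running annocheck on the built file.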
5.4.2.4.4.2. Disabling the hardening checker
To skip security checks during binary analysis, disable the hardening checker by using the annocheck utility.
Procedure
To scan the notes in a file without the hardening checker, use:
$ annocheck --enable-notes --disable-hardened file-name
Replace file-name with the name of a file.
5.4.3. Removing redundant annobin notes
Using annobin increases the size of binaries. To reduce the size of the binaries compiled with annobin, use the objcopy program, which is a part of the binutils package.
Procedure
To remove the redundant annobin notes, use:
$ objcopy --merge-notes file-name
Replace file-name with the name of the file.