Who Modified My Program in Bottlerocket?

There are a few programs we install in Bottlerocket that cannot be built from source. For these programs, we download the binary from S3 and install it using an RPM spec like this:

    # foo.spec
    Name: %{_cross_os}foo

    Source0: foo

    %install
    install -d %{buildroot}%{_cross_sbindir}
    install -D -p -m 0755 %{S:0} %{buildroot}%{_cross_sbindir}

A teammate discovered that the foo binary downloaded from S3 differs from the /sbin/foo installed in the built Bottlerocket AMI:

    # The file downloaded from S3
    % ls -lh build/packages/foo/foo
    -rwxr-xr-x 1 peng peng 71M Sep  9 21:50 build/packages/foo/foo

    % md5sum build/packages/foo/foo
    275a077ff7a81225e050ae3c4ff17a6e  build/packages/foo/foo

    # The file installed in the AMI
    bash-5.2# ls -lh /sbin/foo
    -rwxr-xr-x. 1 root root 56M Sep 12 00:42 /sbin/foo

    bash-5.2# md5sum /sbin/foo
    ba790c4aaf58b1364745043d18c83537  /sbin/foo

So who modified foo?

RPM Build Strip Process

In Bottlerocket, the %__strip macro is defined as:

    %__strip %{_bindir}/%{_cross_target}-strip

The RPM build runs the program named by this macro to strip debug symbols from the installed binary, which explains the size difference (71M → 56M). We can disable stripping by adding this line at the beginning of the .spec file:

    %global __strip /bin/true

With stripping disabled, the foo binary in the AMI matches the one from S3. We can also confirm this by extracting foo directly from the RPM file:

    % RPM_FILE=/home/peng/BottlerocketVariants/build/rpms/foo/foo-0.0-0.1755731416.9333e95b.br1.x86_64.rpm
    % IMAGE=public.ecr.aws/amazonlinux/amazonlinux:2023
    % docker run --rm -it -v ${RPM_FILE}:/tmp/foo.rpm $IMAGE /bin/sh

    # Inside the container
    sh-5.2# rpm2cpio /tmp/foo.rpm | cpio -t
    sh-5.2# mkdir data && cd data
    sh-5.2# rpm2cpio /tmp/foo.rpm | cpio -idmv
    sh-5.2# ls -lh ./x86_64-bottlerocket-linux-gnu/sys-root/usr/sbin/foo
    -rwxr-xr-x 1 root root 71M Sep  9 22:18 ./x86_64-bottlerocket-linux-gnu/sys-root/usr/sbin/foo
    sh-5.2# md5sum ./x86_64-bottlerocket-linux-gnu/sys-root/usr/sbin/foo
    275a077ff7a81225e050ae3c4ff17a6e  ./x86_64-bottlerocket-linux-gnu/sys-root/usr/sbin/foo
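
An added example (not from the original post or the Bottlerocket project): a triage check for whether a size and checksum mismatch like the one above is consistent with symbol stripping alone. It hashes every ELF section with SHA-256 and reports which sections were removed or changed; the function names, the little-endian ELF64 restriction and the constructed sample images are assumptions of this example.

```python
import hashlib, pathlib, struct, sys

def section_digests(data):
    """Map section name -> SHA-256 of its file bytes (little-endian ELF64 only)."""
    if data[:6] != b"\x7fELF\x02\x01":
        raise ValueError("not a little-endian ELF64 image")
    shoff, = struct.unpack_from("<Q", data, 0x28)
    entsize, shnum, shstrndx = struct.unpack_from("<HHH", data, 0x3A)
    def shdr(i):  # (sh_name, sh_type, sh_flags, sh_addr, sh_offset, sh_size)
        return struct.unpack_from("<IIQQQQ", data, shoff + i * entsize)
    _, _, _, _, str_off, str_size = shdr(shstrndx)
    names = data[str_off:str_off + str_size]
    out = {}
    for i in range(1, shnum):  # index 0 is the reserved null section
        name_off, sh_type, _, _, off, size = shdr(i)
        name = names[name_off:names.index(b"\0", name_off)].decode()
        body = b"" if sh_type == 8 else data[off:off + size]  # 8 = SHT_NOBITS
        out[name] = hashlib.sha256(body).hexdigest()
    return out

def strip_report(upstream, installed):
    """Return (removed, changed, consistent_with_strip) for two ELF images."""
    up, inst = section_digests(upstream), section_digests(installed)
    removed = sorted(set(up) - set(inst))
    # .shstrtab is rewritten when names are dropped; added sections count as changed.
    changed = sorted(n for n in inst if n != ".shstrtab" and up.get(n) != inst[n])
    symbolic = all(n in (".symtab", ".strtab") or n.startswith(".debug_") for n in removed)
    return removed, changed, symbolic and not changed

def make_elf(sections):
    """Constructed sample input: a minimal ELF64 image built from {name: bytes}."""
    blobs = dict(sections)
    blobs[".shstrtab"] = b"\0" + b"".join(n.encode() + b"\0" for n in sections) + b".shstrtab\0"
    names, body, hdrs = blobs[".shstrtab"], b"", b"\0" * 64
    for name, blob in blobs.items():
        hdrs += struct.pack("<IIQQQQIIQQ", names.index(name.encode() + b"\0"), 1, 0, 0,
                            64 + len(body), len(blob), 0, 0, 1, 0)
        body += blob
    ehdr = b"\x7fELF\x02\x01\x01" + b"\0" * 9 + struct.pack(
        "<HHIQQQIHHHHHH", 1, 62, 1, 0, 0, 64 + len(body), 0, 64, 0, 0, 64, len(blobs) + 1, len(blobs))
    return ehdr + body + hdrs

if __name__ == "__main__":
    if len(sys.argv) == 3:  # e.g. build/packages/foo/foo and a copy of /sbin/foo
        a, b = (pathlib.Path(p).read_bytes() for p in sys.argv[1:])
    else:  # constructed stand-ins for the upstream and the stripped binary
        a = make_elf({".text": b"\x90" * 32, ".symtab": b"S" * 24, ".debug_info": b"D" * 40})
        b = make_elf({".text": b"\x90" * 32})
    print(strip_report(a, b))
```

A result ending in False means a retained section's bytes differ, a section was added, or a non-symbol section disappeared, so the difference is not explained by stripping alone. True is a heuristic, not proof of provenance.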