Unable to successfully build ./make-testing due to dependancy errors for: libssl1.0.0:amd64
I've seen libssl dependency failures when trying to build the test environment for 5.4.0 after
invoking the following script:
Please see the "issue.txt" attachment for details.
Thanks in advance.
testing: Disable leak detective when generating CRLs
GnuTLS, which can get loaded by the curl plugin, does not properly cleanup
some allocated memory when deinitializing. This causes invalid frees if
leak detective is active. Other invalid frees are related to time
Merge branch 'testing-jessie'
Updates the default Debian image used for the test environment from wheezy
to jessie. Also adds a script that allows chrooting to an image (base,
root or one of the guests). In pretty much all test scenarios
expect-connection is used to make test runs more reliable.
#1 Updated by Tobias Brunner over 4 years ago
- Tracker changed from Issue to Bug
- Subject changed from unable to successfully build ./make-testing due to dependancy errors for: libssl1.0.0:amd64 to Unable to successfully build ./make-testing due to dependancy errors for: libssl1.0.0:amd64
- Category set to testing
- Status changed from New to Feedback
- Target version set to 5.5.0
First, there are reports of multiple copies of libssl unpacked.
As you noticed, that's due to calling
-r on an URL that has subdirectories with other versions of the package.
A while ago I started porting the testing environment to Debian jessie (testing-jessie* branches) which required additional packages. I guess I misinterpreted wget's
--no-directories argument and assumed no files in subdirs would get fetched by the existing Makefile. And since I rarely rebuild the base image I haven't noticed it didn't work anymore (I also expected to complete the port to jessie a lot sooner).
For now, as a workaround, you could perhaps change the URL in source:testing/scripts/recipes/012_openssl.mk#L5 to
https://download.strongswan.org/testing/openssl-fips/wheezy/ might work too).
Second, at least one of those version eventually fails because it finds a dependency issue. See "error log" below.
That's related to the issue above. Since the jessie versions of the packages are newer (in regards to the version numbers)
dpkg probably tries to install these, which obviously won't work on wheezy.
#2 Updated by Phil Levin over 4 years ago
The following seems to work:
wget $(SRC) -r --level=1 --no-directories --directory-prefix $(PKG) --accept deb --no-parent
Question: for wheezy, Should wget be pulling-down the debians at this level?:
[ ] libssl-dev_1.0.1e-strongswan1~2+deb7u17_amd64.deb 08-Dec-2015 11:40 1.9M
[ ] libssl1.0.0-dbg_1.0.1e-strongswan1~2+deb7u17_amd64.deb 08-Dec-2015 11:40 2.9M
[ ] libssl1.0.0_1.0.1e-strongswan1~2+deb7u17_amd64.deb 08-Dec-2015 11:40 1.4M
[ ] openssl_1.0.1e-strongswan1~2+deb7u17_amd64.deb 08-Dec-2015 11:40 665K
or this level?:
[ ] libssl-dev_1.0.1e-2+deb7u17_amd64.deb 27-Nov-2015 17:20 1.9M
[ ] libssl1.0.0-dbg_1.0.1e-2+deb7u17_amd64.deb 27-Nov-2015 17:20 2.9M
[ ] libssl1.0.0_1.0.1e-2+deb7u17_amd64.deb 27-Nov-2015 17:20 1.4M
[ ] openssl_1.0.1e-2+deb7u17_amd64.deb 27-Nov-2015 17:20 665K
However, the build now fails (with strongswan.deb debians):
qemu-img create -b /srv/strongswan-testing/build/images/root.qcow2 -f qcow2 /srv/strongswan-testing/build/images/winnetou.qcow2 Formatting '/srv/strongswan-testing/build/images/winnetou.qcow2', fmt=qcow2 size=1468006400 backing_file='/srv/strongswan-testing/build/images/root.qcow2' encryption=off cluster_size=65536 lazy_refcounts=off qemu-nbd -c /dev/nbd0 /srv/strongswan-testing/build/images/winnetou.qcow2 mount /dev/nbd0p1 /srv/strongswan-testing/build/loop cp -rf /home/phlevin/strongswan-5.4.0/testing/scripts/../hosts/winnetou/etc /srv/strongswan-testing/build/loop cp -rf /home/phlevin/strongswan-5.4.0/testing/scripts/../hosts/default/etc /home/phlevin/strongswan-5.4.0/testing/scripts/../hosts/default/root /home/phlevin/strongswan-5.4.0/testing/scripts/../hosts/default/usr /srv/strongswan-testing/build/loop chroot /srv/strongswan-testing/build/loop ldconfig mkdir /srv/strongswan-testing/build/loop/var/log/apache2/ocsp cp -rf /home/phlevin/strongswan-5.4.0/testing/scripts/../images /srv/strongswan-testing/build/loop/var/www/ chroot /srv/strongswan-testing/build/loop ln -s /etc/openssl/certs /var/www/certs chroot /srv/strongswan-testing/build/loop /etc/openssl/generate-crl Using configuration from /etc/openssl/openssl.cnf freeing invalid memory (0x1ad3430) dumping 7 stack frame addresses: /lib/x86_64-linux-gnu/libc.so.6 @ 0x7fa115fcd000 [0x7fa11606cf2d] -> ??:0 /lib/x86_64-linux-gnu/libc.so.6 @ 0x7fa115fcd000 (tzset+0x40) [0x7fa11606d1c0] -> ??:0 /lib/x86_64-linux-gnu/libc.so.6 @ 0x7fa115fcd000 (timelocal+0x9) [0x7fa11606c009] -> ??:0 pki @ 0x400000 [0x403f4c] addr2line: 'pki': No such file -> pki @ 0x400000 [0x40afe5] addr2line: 'pki': No such file -> /lib/x86_64-linux-gnu/libc.so.6 @ 0x7fa115fcd000 (__libc_start_main+0xfd) [0x7fa115febead] -> ??:0 pki @ 0x400000 [0x403add] addr2line: 'pki': No such file -> No leaks detected, 603 suppressed by whitelist Using configuration from /etc/openssl/research/openssl.cnf Using configuration from /etc/openssl/sales/openssl.cnf Using configuration from /etc/openssl/ecdsa/openssl.cnf Using configuration from /etc/openssl/monster/openssl.cnf Using configuration from /etc/openssl/rfc3779/openssl.cnf Error: invalid --digest type strongSwan 5.3.3 PKI tool usage: pki --signcrl --cacert file --cakey file|--cakeyid hex [--lifetime days] [--lastcrl crl] [--basecrl crl] [--crluri uri]+ [[--reason key-compromise|ca-compromise|affiliation-changed| superseded|cessation-of-operation|certificate-hold] [--date timestamp] --cert file|--serial hex]* [--digest md5|sha1|sha224|sha256|sha384|sha512] [--outform der|pem] --help (-h) show usage information --cacert (-c) CA certificate file --cakey (-k) CA private key file --cakeyid (-x) keyid on smartcard of CA private key --lifetime (-l) days the CRL gets a nextUpdate, default: 15 --this-update (-F) date/time the validity of the CRL starts --next-update (-T) date/time the validity of the CRL ends --dateform (-D) strptime(3) input format, default: %d.%m.%y %T --lastcrl (-a) CRL of lastUpdate to copy revocations from --basecrl (-b) base CRL to create a delta CRL for --crluri (-u) freshest delta CRL URI to include --cert (-z) certificate file to revoke --serial (-s) hex encoded certificate serial number to revoke --reason (-r) reason for certificate revocation --date (-d) revocation date as unix timestamp, default: now --digest (-g) digest for signature creation, default: key-specific --outform (-f) encoding of generated crl, default: der --debug (-v) set debug level, default: 1 --options (-+) read command line options from file No leaks detected, 602 suppressed by whitelist chroot /srv/strongswan-testing/build/loop update-rc.d apache2 defaults perl: warning: Setting locale failed. perl: warning: Please check that your locale settings: LANGUAGE = "en_US:", LC_ALL = (unset), LANG = "en_US" are supported and installed on your system. perl: warning: Falling back to the standard locale ("C"). update-rc.d: using dependency based boot sequencing chroot /srv/strongswan-testing/build/loop update-rc.d slapd defaults perl: warning: Setting locale failed. perl: warning: Please check that your locale settings: LANGUAGE = "en_US:", LC_ALL = (unset), LANG = "en_US" are supported and installed on your system. perl: warning: Falling back to the standard locale ("C"). update-rc.d: using dependency based boot sequencing chroot /srv/strongswan-testing/build/loop rm -rf /var/lib/ldap/* chroot /srv/strongswan-testing/build/loop slapadd -l /etc/ldap/ldif.txt -f /etc/ldap/slapd.conf chroot /srv/strongswan-testing/build/loop chown -R openldap:openldap /var/lib/ldap chroot /srv/strongswan-testing/build/loop dnssec-signzone -K /etc/bind -o strongswan.org. /etc/bind/db.strongswan.org Verifying the zone using the following algorithms: RSASHA256.
Should I open another issue for the above?
Thanks in advance.
#3 Updated by Tobias Brunner over 4 years ago
Question: for wheezy, Should wget be pulling-down the debians at this level?:
or this level?:
Doesn't really matter, if both are fetched those with
*strongswan* in the name will get used.
However, the build now fails (with strongswan.deb debians)
This seems to happen during the guest image build (last step in the
make-testing script, which can also be done manually by executing the
freeing invalid memory (0x1ad3430)
is a known issue and there is even a fix for it in the testing-jessie branches (I pulled that fixed to master now). It's not really an issue though, it just looks scary.
The error here
Error: invalid --digest type strongSwan 5.3.3 PKI tool
is due to the default strongSwan version listed in source:testing/testing.conf#L34 is too old (5.3.3). Since SHA-3 support was added with 5.3.4 the call at source:testing/hosts/winnetou/etc/openssl/generate-crl#L51 fails when 5.3.3 is used. Please change the strongSwan version in the config file or define SWANVERSION in
testing.conf.local. You may also use the source:testing/scripts/build-strongswan script to build the strongSwan code in the current source tree.
#4 Updated by Phil Levin over 4 years ago
Thank you for your time and assistance with this - I'm almost there...
I made the changes you described (changed test version to 5.4.0) and rebuilt
the test strongswan:
phlevin@XXXXX:~/strongswan-5.4.0/testing/scripts$ sudo ./build-strongswan
Preparing root image
[....] Connecting root image to NBD device /dev/nbd0 [1G[ ok
[....] Mounting /dev/nbd0p1 to /srv/strongswan-testing/build/loop [1G[ ok
[....] Mounting proc filesystem to /srv/strongswan-testing/build/loop/proc [1G[ ok
[....] Mounting /srv/strongswan-testing/build/shared as /root/shared [1G[ ok
[....] Mounting /home/phlevin/strongswan-5.4.0 as /root/strongswan [1G[ ok
[....] Remove SWID tags of previous versions [1G[ ok
Building and installing strongSwan
[....] Determine strongSwan version ./build-strongswan: line 58: git: command not found
[....] Preparing source tree [1G[ ok
[....] Installing from recipe 013_strongswan.mk [1G[ ok
Creating guest images
[....] Creating guest image for alice [1G[ ok
[....] Creating guest image for bob [1G[ ok
[....] Creating guest image for carol [1G[ ok
[....] Creating guest image for dave [1G[ ok
[....] Creating guest image for moon [1G[ ok
[....] Creating guest image for sun [1G[ ok
[....] Creating guest image for venus [1G[ ok
[....] Creating guest image for winnetou [1G[ ok
However, now when I run 'sudo ./start-test' (as root), I see the following in testing.log:
ln -fs /srv/strongswan-testing/build/linux-4.2/arch/x86/boot/bzImage /var/run/kvm-swan-kernel
chown -R libvirt-qemu:kvm /srv/strongswan-testing/build/shared
ln -Tfs /srv/strongswan-testing/build/shared /var/run/kvm-swan-hostfs
virsh net-create /home/phlevin/strongswan-5.4.0/testing/config/kvm/vnet1.xml
Network vnet1 created from /home/phlevin/strongswan-5.4.0/testing/config/kvm/vnet1.xml
virsh net-create /home/phlevin/strongswan-5.4.0/testing/config/kvm/vnet2.xml
Network vnet2 created from /home/phlevin/strongswan-5.4.0/testing/config/kvm/vnet2.xml
virsh net-create /home/phlevin/strongswan-5.4.0/testing/config/kvm/vnet3.xml
Network vnet3 created from /home/phlevin/strongswan-5.4.0/testing/config/kvm/vnet3.xml
virsh create /home/phlevin/strongswan-5.4.0/testing/config/kvm/alice.xml
error: Failed to create domain from /home/phlevin/strongswan-5.4.0/testing/config/kvm/alice.xml
error: internal error: process exited while connecting to monitor: qemu-system-x86_64: -drive file=/var/lib/libvirt/images/alice.qcow2,if=none,id=drive-virtio-disk0,format=qcow2,cache=writethrough: could not open disk image /var/lib/libvirt/images/alice.qcow2: Could not open backing file: Could not open backing file: Could not open '/srv/strongswan-testing/build/images/debian-wheezy-amd64.qcow2': Permission denied
Yet the file permissions seem OK for root:
atl1 root root 9502720 Apr 6 09:41 winnetou.qcow2
drwxr-xr-x 2 root root 4096 Apr 6 09:41 .
rw-r--r-1 root root 3342336 Apr 6 09:41 venus.qcow2 rw-r--r-1 root root 3276800 Apr 6 09:41 sun.qcow2 rw-r--r-1 root root 3276800 Apr 6 09:40 moon.qcow2 rw-r--r-1 root root 3538944 Apr 6 09:40 dave.qcow2 rw-r--r-1 root root 3276800 Apr 6 09:40 carol.qcow2 rw-r--r-1 root root 3342336 Apr 6 09:40 bob.qcow2 rw-r--r-1 root root 3735552 Apr 6 09:40 alice.qcow2
drwxr-xr-x 7 root root 4096 Apr 6 09:39 ..
rw-r--r-1 libvirt-qemu kvm 404750336 Apr 6 09:38 root.qcow2 rw-r--r-1 root root 1186332672 Apr 6 09:23 debian-wheezy-amd64.qcow2
Any pointers on this?
Thanks in advance.
#5 Updated by Tobias Brunner over 4 years ago
virsh create /home/phlevin/strongswan-5.4.0/testing/config/kvm/alice.xml error: Failed to create domain from /home/phlevin/strongswan-5.4.0/testing/config/kvm/alice.xml error: internal error: process exited while connecting to monitor: qemu-system-x86_64: -drive file=/var/lib/libvirt/images/alice.qcow2,if=none,id=drive-virtio-disk0,format=qcow2,cache=writethrough: could not open disk image /var/lib/libvirt/images/alice.qcow2: Could not open backing file: Could not open backing file: Could not open '/srv/strongswan-testing/build/images/debian-wheezy-amd64.qcow2': Permission denied
Please see the notes regarding AppArmor on TestingEnvironment.