Bug #1382

Unable to successfully build ./make-testing due to dependency errors for: libssl1.0.0:amd64

Added by Phil Levin over 4 years ago. Updated about 4 years ago.

Status: Closed
Priority: Normal
Category: testing
Target version:
Start date: 05.04.2016
Due date:
Estimated time:
Affected version: 5.4.0
Resolution: Fixed

Description

Hello,

I've seen libssl dependency failures when trying to build the test environment for 5.4.0 after
invoking the following script:

./make-testing

Please see the "issue.txt" attachment for details.

Thanks in advance.

/Phil

issue.txt (18.1 KB) issue.txt Phil Levin, 05.04.2016 15:43

Associated revisions

Revision 76397efa (diff)
Added by Tobias Brunner over 4 years ago

testing: Disable leak detective when generating CRLs

GnuTLS, which can get loaded by the curl plugin, does not properly cleanup
some allocated memory when deinitializing. This causes invalid frees if
leak detective is active. Other invalid frees are related to time
conversions (tzset).

References #1382.

Revision aa65b8c1 (diff)
Added by Tobias Brunner over 4 years ago

testing: Version bump to 5.4.0

References #1382.

Revision 1e71eb84
Added by Tobias Brunner about 4 years ago

Merge branch 'testing-jessie'

Updates the default Debian image used for the test environment from wheezy
to jessie. Also adds a script that allows chrooting to an image (base,
root or one of the guests). In pretty much all test scenarios
expect-connection is used to make test runs more reliable.

Fixes #1382.

History

#1 Updated by Tobias Brunner over 4 years ago

  • Tracker changed from Issue to Bug
  • Subject changed from unable to successfully build ./make-testing due to dependency errors for: libssl1.0.0:amd64 to Unable to successfully build ./make-testing due to dependency errors for: libssl1.0.0:amd64
  • Category set to testing
  • Status changed from New to Feedback
  • Target version set to 5.5.0

First, there are reports of multiple copies of libssl unpacked.

As you noticed, that's due to calling wget with -r on a URL that has subdirectories with other versions of the package.

A while ago I started porting the testing environment to Debian jessie (testing-jessie* branches) which required additional packages. I guess I misinterpreted wget's --no-directories argument and assumed no files in subdirs would get fetched by the existing Makefile. And since I rarely rebuild the base image I haven't noticed it didn't work anymore (I also expected to complete the port to jessie a lot sooner).

For now, as a workaround, you could perhaps change the URL in source:testing/scripts/recipes/012_openssl.mk#L5 to https://download.strongswan.org/testing/openssl-fips/wheezy/1.0.1e-2+deb7u17/ (https://download.strongswan.org/testing/openssl-fips/wheezy/ might work too).

Second, at least one of those versions eventually fails because it finds a dependency issue. See "error log" below.

That's related to the issue above. Since the jessie versions of the packages are newer (in regards to the version numbers) dpkg probably tries to install these, which obviously won't work on wheezy.

#2 Updated by Phil Levin over 4 years ago

Hello Tobias,

The following seems to work:

SRC = http://download.strongswan.org/testing/openssl-fips/wheezy

$(PKG):
	wget $(SRC) -r --level=1 --no-directories --directory-prefix $(PKG) --accept deb --no-parent

Question: for wheezy, Should wget be pulling-down the debians at this level?:

http://download.strongswan.org/testing/openssl-fips/wheezy

[ ] libssl-dev_1.0.1e-strongswan1~2+deb7u17_amd64.deb 08-Dec-2015 11:40 1.9M
[ ] libssl1.0.0-dbg_1.0.1e-strongswan1~2+deb7u17_amd64.deb 08-Dec-2015 11:40 2.9M
[ ] libssl1.0.0_1.0.1e-strongswan1~2+deb7u17_amd64.deb 08-Dec-2015 11:40 1.4M
[ ] openssl_1.0.1e-strongswan1~2+deb7u17_amd64.deb 08-Dec-2015 11:40 665K

or this level?:

http://download.strongswan.org/testing/openssl-fips/wheezy/1.0.1e-2+deb7u17

[ ] libssl-dev_1.0.1e-2+deb7u17_amd64.deb 27-Nov-2015 17:20 1.9M
[ ] libssl1.0.0-dbg_1.0.1e-2+deb7u17_amd64.deb 27-Nov-2015 17:20 2.9M
[ ] libssl1.0.0_1.0.1e-2+deb7u17_amd64.deb 27-Nov-2015 17:20 1.4M
[ ] openssl_1.0.1e-2+deb7u17_amd64.deb 27-Nov-2015 17:20 665K

However, the build now fails (with strongswan.deb debians):

qemu-img create -b /srv/strongswan-testing/build/images/root.qcow2 -f qcow2 /srv/strongswan-testing/build/images/winnetou.qcow2
Formatting '/srv/strongswan-testing/build/images/winnetou.qcow2', fmt=qcow2 size=1468006400 backing_file='/srv/strongswan-testing/build/images/root.qcow2' encryption=off cluster_size=65536 lazy_refcounts=off 
qemu-nbd -c /dev/nbd0 /srv/strongswan-testing/build/images/winnetou.qcow2
mount /dev/nbd0p1 /srv/strongswan-testing/build/loop
cp -rf /home/phlevin/strongswan-5.4.0/testing/scripts/../hosts/winnetou/etc /srv/strongswan-testing/build/loop
cp -rf /home/phlevin/strongswan-5.4.0/testing/scripts/../hosts/default/etc /home/phlevin/strongswan-5.4.0/testing/scripts/../hosts/default/root /home/phlevin/strongswan-5.4.0/testing/scripts/../hosts/default/usr /srv/strongswan-testing/build/loop
chroot /srv/strongswan-testing/build/loop ldconfig
mkdir /srv/strongswan-testing/build/loop/var/log/apache2/ocsp
cp -rf /home/phlevin/strongswan-5.4.0/testing/scripts/../images /srv/strongswan-testing/build/loop/var/www/
chroot /srv/strongswan-testing/build/loop ln -s /etc/openssl/certs /var/www/certs
chroot /srv/strongswan-testing/build/loop /etc/openssl/generate-crl
Using configuration from /etc/openssl/openssl.cnf
freeing invalid memory (0x1ad3430)
 dumping 7 stack frame addresses:
  /lib/x86_64-linux-gnu/libc.so.6 @ 0x7fa115fcd000 [0x7fa11606cf2d]
    -> ??:0
  /lib/x86_64-linux-gnu/libc.so.6 @ 0x7fa115fcd000 (tzset+0x40) [0x7fa11606d1c0]
    -> ??:0
  /lib/x86_64-linux-gnu/libc.so.6 @ 0x7fa115fcd000 (timelocal+0x9) [0x7fa11606c009]
    -> ??:0
  pki @ 0x400000 [0x403f4c]
addr2line: 'pki': No such file
    -> 
  pki @ 0x400000 [0x40afe5]
addr2line: 'pki': No such file
    -> 
  /lib/x86_64-linux-gnu/libc.so.6 @ 0x7fa115fcd000 (__libc_start_main+0xfd) [0x7fa115febead]
    -> ??:0
  pki @ 0x400000 [0x403add]
addr2line: 'pki': No such file
    -> 
No leaks detected, 603 suppressed by whitelist
Using configuration from /etc/openssl/research/openssl.cnf
Using configuration from /etc/openssl/sales/openssl.cnf
Using configuration from /etc/openssl/ecdsa/openssl.cnf
Using configuration from /etc/openssl/monster/openssl.cnf
Using configuration from /etc/openssl/rfc3779/openssl.cnf
Error: invalid --digest type
strongSwan 5.3.3 PKI tool
usage:
  pki --signcrl --cacert file --cakey file|--cakeyid hex [--lifetime days]
                [--lastcrl crl] [--basecrl crl] [--crluri uri]+
                [[--reason key-compromise|ca-compromise|affiliation-changed|
                           superseded|cessation-of-operation|certificate-hold]
                 [--date timestamp] --cert file|--serial hex]*
                [--digest md5|sha1|sha224|sha256|sha384|sha512]
                [--outform der|pem]
        --help            (-h)  show usage information
        --cacert          (-c)  CA certificate file
        --cakey           (-k)  CA private key file
        --cakeyid         (-x)  keyid on smartcard of CA private key
        --lifetime        (-l)  days the CRL gets a nextUpdate, default: 15
        --this-update     (-F)  date/time the validity of the CRL starts
        --next-update     (-T)  date/time the validity of the CRL ends
        --dateform        (-D)  strptime(3) input format, default: %d.%m.%y %T
        --lastcrl         (-a)  CRL of lastUpdate to copy revocations from
        --basecrl         (-b)  base CRL to create a delta CRL for
        --crluri          (-u)  freshest delta CRL URI to include
        --cert            (-z)  certificate file to revoke
        --serial          (-s)  hex encoded certificate serial number to revoke
        --reason          (-r)  reason for certificate revocation
        --date            (-d)  revocation date as unix timestamp, default: now
        --digest          (-g)  digest for signature creation, default: key-specific
        --outform         (-f)  encoding of generated crl, default: der
        --debug           (-v)  set debug level, default: 1
        --options         (-+)  read command line options from file
No leaks detected, 602 suppressed by whitelist
chroot /srv/strongswan-testing/build/loop update-rc.d apache2 defaults
perl: warning: Setting locale failed.
perl: warning: Please check that your locale settings:
    LANGUAGE = "en_US:",
    LC_ALL = (unset),
    LANG = "en_US" 
    are supported and installed on your system.
perl: warning: Falling back to the standard locale ("C").
update-rc.d: using dependency based boot sequencing
chroot /srv/strongswan-testing/build/loop update-rc.d slapd defaults
perl: warning: Setting locale failed.
perl: warning: Please check that your locale settings:
    LANGUAGE = "en_US:",
    LC_ALL = (unset),
    LANG = "en_US" 
    are supported and installed on your system.
perl: warning: Falling back to the standard locale ("C").
update-rc.d: using dependency based boot sequencing
chroot /srv/strongswan-testing/build/loop rm -rf /var/lib/ldap/*
chroot /srv/strongswan-testing/build/loop slapadd -l /etc/ldap/ldif.txt -f /etc/ldap/slapd.conf
chroot /srv/strongswan-testing/build/loop chown -R openldap:openldap /var/lib/ldap
chroot /srv/strongswan-testing/build/loop dnssec-signzone -K /etc/bind -o strongswan.org. /etc/bind/db.strongswan.org
Verifying the zone using the following algorithms: RSASHA256.

Should I open another issue for the above?

Thanks in advance.

/Phil
Philip Levin

#3 Updated by Tobias Brunner over 4 years ago

Question: for wheezy, Should wget be pulling-down the debians at this level?:

http://download.strongswan.org/testing/openssl-fips/wheezy

or this level?:

http://download.strongswan.org/testing/openssl-fips/wheezy/1.0.1e-2+deb7u17

Doesn't really matter, if both are fetched those with *strongswan* in the name will get used.

However, the build now fails (with strongswan.deb debians)

This seems to happen during the guest image build (last step in the make-testing script, which can also be done manually by executing the testing/scripts/build-guestimages script).

This here

freeing invalid memory (0x1ad3430)

is a known issue and there is even a fix for it in the testing-jessie branches (I pulled that fix to master now). It's not really an issue though, it just looks scary.

The error here

Error: invalid --digest type
strongSwan 5.3.3 PKI tool

is due to the default strongSwan version listed in source:testing/testing.conf#L34 being too old (5.3.3). Since SHA-3 support was added with 5.3.4, the call at source:testing/hosts/winnetou/etc/openssl/generate-crl#L51 fails when 5.3.3 is used. Please change the strongSwan version in the config file or define SWANVERSION in testing.conf.local. You may also use the source:testing/scripts/build-strongswan script to build the strongSwan code in the current source tree.
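
Comments #1 to #3 trace the dependency failure to a recursive wget leaving more than one version of the same package in the download directory. The following added example (not part of the thread or of strongSwan's testing scripts) flags that condition before installation and orders the versions by Debian's comparison rules; the function names are illustrative and epochs are not handled.

```python
import re
from collections import defaultdict
from functools import cmp_to_key

# <package>_<version>_<arch>.deb, as in the listings quoted in this thread
DEB_NAME = re.compile(r"^([a-z0-9][a-z0-9+.-]+)_([^_]+)_([a-z0-9-]+)\.deb$")
# File names copied from those two listings (wheezy/ and wheezy/1.0.1e-2+deb7u17/)
FETCHED = [
    "libssl1.0.0_1.0.1e-2+deb7u17_amd64.deb",
    "libssl1.0.0_1.0.1e-strongswan1~2+deb7u17_amd64.deb",
    "openssl_1.0.1e-strongswan1~2+deb7u17_amd64.deb",
]

def _order(c):
    # Debian ordering: '~' sorts lowest, letters sort before other symbols
    return -1 if c == "~" else ord(c) if c.isalpha() else ord(c) + 256

def _cmp_fragment(a, b):
    """Compare two upstream-version or revision strings by Debian's rules."""
    while a or b:
        na, nb = re.match(r"[^0-9]*", a).group(), re.match(r"[^0-9]*", b).group()
        for i in range(max(len(na), len(nb))):  # non-digit run, char by char
            ca = _order(na[i]) if i < len(na) else 0
            cb = _order(nb[i]) if i < len(nb) else 0
            if ca != cb:
                return -1 if ca < cb else 1
        a, b = a[len(na):], b[len(nb):]
        da, db = re.match(r"[0-9]*", a).group(), re.match(r"[0-9]*", b).group()
        if int(da or 0) != int(db or 0):        # digit run, numerically
            return -1 if int(da or 0) < int(db or 0) else 1
        a, b = a[len(da):], b[len(db):]
    return 0

def compare_versions(v1, v2):
    """Return -1, 0 or 1 for upstream[-revision] strings (epochs not handled)."""
    u1, _, r1 = v1.rpartition("-") if "-" in v1 else (v1, "", "")
    u2, _, r2 = v2.rpartition("-") if "-" in v2 else (v2, "", "")
    return _cmp_fragment(u1, u2) or _cmp_fragment(r1, r2)

def find_conflicts(filenames):
    """Map (package, arch) to its versions, lowest first, if more than one was fetched."""
    seen = defaultdict(set)
    for name in filenames:
        m = DEB_NAME.match(name)
        if m:
            seen[m.group(1), m.group(3)].add(m.group(2))
    order = cmp_to_key(compare_versions)
    return {k: sorted(v, key=order) for k, v in seen.items() if len(v) > 1}
```

For the sample list, `find_conflicts(FETCHED)` reports only libssl1.0.0, with the *strongswan* build sorting above the stock 1.0.1e-2+deb7u17.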

#4 Updated by Phil Levin over 4 years ago

Hello Tobias,

Thank you for your time and assistance with this - I'm almost there...

I made the changes you described (changed test version to 5.4.0) and rebuilt
the test strongswan:

phlevin@XXXXX:~/strongswan-5.4.0/testing/scripts$ sudo ./build-strongswan
Preparing root image
[....] Connecting root image to NBD device /dev/nbd0 [ ok
[....] Mounting /dev/nbd0p1 to /srv/strongswan-testing/build/loop [ ok
[....] Mounting proc filesystem to /srv/strongswan-testing/build/loop/proc [ ok
[....] Mounting /srv/strongswan-testing/build/shared as /root/shared [ ok
[....] Mounting /home/phlevin/strongswan-5.4.0 as /root/strongswan [ ok
[....] Remove SWID tags of previous versions [ ok
Building and installing strongSwan
[....] Determine strongSwan version ./build-strongswan: line 58: git: command not found
[ ok
[....] Preparing source tree [ ok
[....] Installing from recipe 013_strongswan.mk [ ok
Creating guest images
[....] Creating guest image for alice [ ok
[....] Creating guest image for bob [ ok
[....] Creating guest image for carol [ ok
[....] Creating guest image for dave [ ok
[....] Creating guest image for moon [ ok
[....] Creating guest image for sun [ ok
[....] Creating guest image for venus [ ok
[....] Creating guest image for winnetou [ ok

However, now when I run 'sudo ./start-test' (as root), I see the following in testing.log:

ln -fs /srv/strongswan-testing/build/linux-4.2/arch/x86/boot/bzImage /var/run/kvm-swan-kernel
chown -R libvirt-qemu:kvm /srv/strongswan-testing/build/shared
ln -Tfs /srv/strongswan-testing/build/shared /var/run/kvm-swan-hostfs
virsh net-create /home/phlevin/strongswan-5.4.0/testing/config/kvm/vnet1.xml
Network vnet1 created from /home/phlevin/strongswan-5.4.0/testing/config/kvm/vnet1.xml

virsh net-create /home/phlevin/strongswan-5.4.0/testing/config/kvm/vnet2.xml
Network vnet2 created from /home/phlevin/strongswan-5.4.0/testing/config/kvm/vnet2.xml

virsh net-create /home/phlevin/strongswan-5.4.0/testing/config/kvm/vnet3.xml
Network vnet3 created from /home/phlevin/strongswan-5.4.0/testing/config/kvm/vnet3.xml

virsh create /home/phlevin/strongswan-5.4.0/testing/config/kvm/alice.xml
error: Failed to create domain from /home/phlevin/strongswan-5.4.0/testing/config/kvm/alice.xml
error: internal error: process exited while connecting to monitor: qemu-system-x86_64: -drive file=/var/lib/libvirt/images/alice.qcow2,if=none,id=drive-virtio-disk0,format=qcow2,cache=writethrough: could not open disk image /var/lib/libvirt/images/alice.qcow2: Could not open backing file: Could not open backing file: Could not open '/srv/strongswan-testing/build/images/debian-wheezy-amd64.qcow2': Permission denied

Yet the file permissions seem OK for root:

ls -atl
total 1585748
-rw-r--r-- 1 root root 9502720 Apr 6 09:41 winnetou.qcow2
drwxr-xr-x 2 root root 4096 Apr 6 09:41 .
-rw-r--r-- 1 root root 3342336 Apr 6 09:41 venus.qcow2
-rw-r--r-- 1 root root 3276800 Apr 6 09:41 sun.qcow2
-rw-r--r-- 1 root root 3276800 Apr 6 09:40 moon.qcow2
-rw-r--r-- 1 root root 3538944 Apr 6 09:40 dave.qcow2
-rw-r--r-- 1 root root 3276800 Apr 6 09:40 carol.qcow2
-rw-r--r-- 1 root root 3342336 Apr 6 09:40 bob.qcow2
-rw-r--r-- 1 root root 3735552 Apr 6 09:40 alice.qcow2
drwxr-xr-x 7 root root 4096 Apr 6 09:39 ..
-rw-r--r-- 1 libvirt-qemu kvm 404750336 Apr 6 09:38 root.qcow2
-rw-r--r-- 1 root root 1186332672 Apr 6 09:23 debian-wheezy-amd64.qcow2

Any pointers on this?

Thanks in advance.
/Phil
Philip Levin

#5 Updated by Tobias Brunner over 4 years ago

virsh create /home/phlevin/strongswan-5.4.0/testing/config/kvm/alice.xml
error: Failed to create domain from /home/phlevin/strongswan-5.4.0/testing/config/kvm/alice.xml
error: internal error: process exited while connecting to monitor: qemu-system-x86_64: -drive file=/var/lib/libvirt/images/alice.qcow2,if=none,id=drive-virtio-disk0,format=qcow2,cache=writethrough: could not open disk image /var/lib/libvirt/images/alice.qcow2: Could not open backing file: Could not open backing file: Could not open '/srv/strongswan-testing/build/images/debian-wheezy-amd64.qcow2': Permission denied

Please see the notes regarding AppArmor on TestingEnvironment.

#6 Updated by Phil Levin over 4 years ago

Tobias,

Got it, thanks. It's working now.

Thanks again for your assistance.

Regards.

/Phil

#7 Updated by Tobias Brunner about 4 years ago

  • Status changed from Feedback to Closed
  • Assignee set to Tobias Brunner
  • Resolution set to Fixed

The testing environment is now updated to jessie.
