Fixed issue where rhel >8 packages would not have correct openssl dependency version #1570
Conversation
craigcomstock
force-pushed
the
ENT-12587/master
branch
from
e2f98b5 to
6fc4077
Compare
craigcomstock
requested review from
vpodzime
and removed request for
vpodzime
craigcomstock
force-pushed
the
ENT-12587/master
branch
from
6fc4077 to
dd97095
Compare
build-scripts/package
Outdated
| if [ "$OS" = "rhel" ]; then | ||
| SELINUX_POLICY_VERSION=$(rpm -q --qf '%{VERSION}\n' selinux-policy) | ||
| if [ -z "$SELINUX_POLICY_VERSION" ]; then | ||
| echo "error: unable to determine selinux-policy package version" | ||
| exit 1 | ||
| fi | ||
| OPENSSL_VERSION=$(rpm -q --qf '%{VERSION}\n' openssl | sed 's/\([0-9]*.[0-9]*.\)[0-9]*/\10/') |
There was a problem hiding this comment.
It's not always x.y.0, see this rpm -q --provides openssl-libs output on my system:
libcrypto.so.3()(64bit)
libcrypto.so.3(OPENSSL_3.0.0)(64bit)
libcrypto.so.3(OPENSSL_3.0.1)(64bit)
libcrypto.so.3(OPENSSL_3.0.3)(64bit)
libcrypto.so.3(OPENSSL_3.0.8)(64bit)
libcrypto.so.3(OPENSSL_3.0.9)(64bit)
libcrypto.so.3(OPENSSL_3.1.0)(64bit)
libcrypto.so.3(OPENSSL_3.2.0)(64bit)
libssl.so.3()(64bit)
libssl.so.3(OPENSSL_3.0.0)(64bit)
libssl.so.3(OPENSSL_3.2.0)(64bit)
openssl-libs = 1:3.2.2-3.fc40
openssl-libs(x86-64) = 1:3.2.2-3.fc40
config(openssl-libs) = 1:3.2.2-3.fc40
libcrypto.so.3
libcrypto.so.3(OPENSSL_3.0.0)
libcrypto.so.3(OPENSSL_3.0.1)
libcrypto.so.3(OPENSSL_3.0.3)
libcrypto.so.3(OPENSSL_3.0.8)
libcrypto.so.3(OPENSSL_3.0.9)
libcrypto.so.3(OPENSSL_3.1.0)
libcrypto.so.3(OPENSSL_3.2.0)
libssl.so.3
libssl.so.3(OPENSSL_3.0.0)
libssl.so.3(OPENSSL_3.2.0)
openssl-libs = 1:3.2.2-3.fc40
openssl-libs(x86-32) = 1:3.2.2-3.fc40
We should take the highest version from the above, I think.
There was a problem hiding this comment.
Yeah, I tried 3.2.2 aka latest first but that didn't work well. I'll have to remember/rediscover why.
I don't know that there is one answer that "just works" in this case.
There was a problem hiding this comment.
Probably a better strategy would be to know that libcurl has this dependency on openssl, among other packages, and to examine those binaries (.so files) and find the max symbol in there.
Ideally we would repeat that for other libraries we build against but don't vendor, in case they include references for a specific version of the library that folks could not have updated before installing/upgrading cfengine.
[root@rocky9 lib]# objdump -x libpromises.so.3 | grep " OPENSSL_[0-9]"
0x06702b20 0x00 04 OPENSSL_3.0.0
0x06702b20 0x00 03 OPENSSL_3.0.0
[root@rocky9 lib]# objdump -x libcurl.so.4 | grep " OPENSSL_[0-9]"
0x06702b20 0x00 04 OPENSSL_3.0.0
0x06702d20 0x00 11 OPENSSL_3.2.0
0x06702b20 0x00 03 OPENSSL_3.0.0
[root@rocky9 lib]# objdump -x libldap.so.2 | grep " OPENSSL_[0-9]"
0x06702b20 0x00 08 OPENSSL_3.0.0
0x06702b20 0x00 03 OPENSSL_3.0.0
e.g. libpromises.so has these dependencies, not all of which we vendor. Really just openssl, glibc and acl.
Version References:
required from libm.so.6:
0x06969189 0x00 13 GLIBC_2.29
0x09691a75 0x00 09 GLIBC_2.2.5
required from libacl.so.1:
0x05822450 0x00 07 ACL_1.0
required from libssl.so.3:
0x06702b20 0x00 04 OPENSSL_3.0.0
required from libcrypto.so.3:
0x06702b20 0x00 03 OPENSSL_3.0.0
required from libc.so.6:
0x06969187 0x00 17 GLIBC_2.27
0x0d696917 0x00 16 GLIBC_2.7
0x06969197 0x00 15 GLIBC_2.17
0x06969194 0x00 14 GLIBC_2.14
0x069691b3 0x00 12 GLIBC_2.33
0x069691b2 0x00 11 GLIBC_2.32
0x0d696914 0x00 10 GLIBC_2.4
0x0d696913 0x00 08 GLIBC_2.3
0x069691b4 0x00 06 GLIBC_2.34
0x09691a75 0x00 05 GLIBC_2.2.5
0x09691972 0x00 02 GLIBC_2.3.2
libldap.so has this unique entry:
required from liblber.so.2:
0x02881810 0x00 05 OPENLDAP_2.200
There was a problem hiding this comment.
Well, yeah, objdump -x is a mess. That's why I suggested we should query the installed openssl-libs package we built with and linked against. It's not perfect, but as good as we can go with a relatively simple approach. AFAIK, we don't want to accidentally rely on other things on the system except for OpenSSL for which we do it explicitly and on purpose.
There was a problem hiding this comment.
So you mean something like
rpm -q --provides openssl-libs | grep OPENSSL_ | cut -d'(' -f2 | cut -d')' -f1 | cut -d_ -f2 | sort | tail -1
or
rpm -q --provides openssl-libs | grep OPENSSL_ | sed 's/^.*_\([0-9.]*\).*$/\1/' | sort | tail -1
which on my rocky-9 un-upgraded system takes this initial output
[vagrant@rocky9 ~]$ rpm -q --provides openssl-libs
config(openssl-libs) = 1:3.0.7-24.el9
libcrypto.so.3()(64bit)
libcrypto.so.3(OPENSSL_3.0.0)(64bit)
libcrypto.so.3(OPENSSL_3.0.1)(64bit)
libcrypto.so.3(OPENSSL_3.0.3)(64bit)
libssl.so.3()(64bit)
libssl.so.3(OPENSSL_3.0.0)(64bit)
openssl-libs = 1:3.0.7-24.el9
openssl-libs(x86-64) = 1:3.0.7-24.el9
and results in 3.0.3.
There was a problem hiding this comment.
With sort -n, but yes. I think that's the best possible easy way.
craigcomstock
force-pushed
the
ENT-12587/master
branch
from
dd97095 to
80167af
Compare
…endency version libcurl will likely have a hard dependency on the exact version so include it in our Requires: entries. Ticket: ENT-12587 Changelog: title
craigcomstock
force-pushed
the
ENT-12587/master
branch
from
80167af to
9ff7f5e
Compare
libcurl will likely have a hard dependency on the exact version so include it in our Requires: entries.
Ticket: ENT-12587
Changelog: title