Using ipa-client-install with version 4.5.90.dev201708161122+git799551892-0 results in this error:
Configured /etc/krb5.conf for IPA realm MINE.DOM
sk_num: "function 'sk_num' not found in library 'libcrypto.so.1.1': /lib64/libcrypto.so.1.1: undefined symbol: sk_num"
The ipa-client-install command failed. See /var/log/ipaclient-install.log for more information
After installing compat-openssl10 (and calling ldconfig) it is working. The manual ldconfig call is needed because of a missing ldconfig call in the post-install of compat-openssl10 (https://bugzilla.redhat.com/show_bug.cgi?id=1483011).
The code in FreeIPA's csr generator loads sk_num via FFI, but openssl did change sk_num to be OPENSSL_sk_num in the 1.1.0 series.
$ rpm -qf /usr/include/openssl/stack.h
openssl-devel-1.1.0f-7.fc26.x86_64
$ fgrep -r sk_num /usr/include/openssl/stack.h
int OPENSSL_sk_num(const OPENSSL_STACK *);
# define sk_num OPENSSL_sk_num
So the change would be to prepend our symbol usage with OPENSSL_.
Not so simple, actually!
I was playing with this for a while today and had some fun WTF moments because of ldconfig caching (ctypes.util.find_library() uses ldconfig internally to resolve the library you require).
If we just add the OPENSSL_ prefix to certain spots, it will break machines that have compat-openssl installed. If we don't add it, however, we break the machines that don't have it installed (typically the "Cloud" Fedora machines).
I've fixed this by catching an exception and re-trying without the OPENSSL_ prefix. Should work because accessing symbols from dynamically loaded libraries in FFI is like accessing attributes. If a symbol doesn't exist, AttributeError is generated.
See https://github.com/abbra/freeipa/pull/2/commits/40d09fafe9ef42efa70ec933782007a9d4650296 for details.
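The fallback described in the comment above, as an added example that is not the code from the linked commit or from FreeIPA. It uses ctypes rather than FreeIPA's FFI binding; resolve_symbol, load_libcrypto and the two Fake* classes are hypothetical names, and the Fake* classes are constructed stand-ins so the lookup can be exercised without a particular OpenSSL installed.

```python
import ctypes
import ctypes.util

# Names to try, newest first: OpenSSL 1.1.0 exports OPENSSL_sk_num,
# while 1.0.x (compat-openssl10) exports plain sk_num.
PREFIXES = ("OPENSSL_", "")


def resolve_symbol(lib, name, prefixes=PREFIXES):
    """Return (exported_name, function) for the first variant lib exports."""
    tried = []
    for prefix in prefixes:
        candidate = prefix + name
        try:
            # A missing symbol surfaces as AttributeError on attribute access.
            return candidate, getattr(lib, candidate)
        except AttributeError:
            tried.append(candidate)
    # Fail loudly instead of carrying on with an unresolved function.
    raise AttributeError("none of %s found in %r" % (", ".join(tried), lib))


def load_libcrypto():
    """Load whichever libcrypto the ldconfig cache resolves, or None."""
    path = ctypes.util.find_library("crypto")
    if path is None:
        return None
    try:
        return ctypes.CDLL(path)
    except OSError:
        return None


class FakeOpenSSL10:
    """Constructed stand-in for a 1.0.x library: exports only sk_num."""
    sk_num = staticmethod(lambda stack: len(stack))


class FakeOpenSSL11:
    """Constructed stand-in for a 1.1.x library: exports only OPENSSL_sk_num."""
    OPENSSL_sk_num = staticmethod(lambda stack: len(stack))


if __name__ == "__main__":
    for lib in (FakeOpenSSL10(), FakeOpenSSL11(), load_libcrypto()):
        if lib is None:
            print("libcrypto not found via ldconfig")
            continue
        print(type(lib).__name__, "->", resolve_symbol(lib, "sk_num")[0])
```
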
A good fix, let's get it upstream.
Metadata Update from @pvoborni: - Issue priority set to: blocker - Issue set to the milestone: FreeIPA 4.6
I submitted https://github.com/freeipa/freeipa/pull/1012
master:
Metadata Update from @tkrizek: - Issue close_status updated to: fixed - Issue status updated to: Closed (was: Open)
This also has to be fixed in 4.5.
Metadata Update from @tkrizek: - Issue set to the milestone: FreeIPA 4.5.4 (was: FreeIPA 4.6) - Issue status updated to: Open (was: Closed)
Actually, csrgen_ffi.py is not in 4.5. It was introduced in e7588ab which is only in master (4.6).
Metadata Update from @tkrizek: - Issue close_status updated to: fixed - Issue set to the milestone: FreeIPA 4.6 (was: FreeIPA 4.5.4) - Issue status updated to: Closed (was: Open)