-
Notifications
You must be signed in to change notification settings - Fork 4.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Fix krb5 library SO name in the gss api shim #59526
Conversation
The library name used in the shim is a name of the build time library which is usually installed only for development purposes. We should use libgssapi_krb5.so.2 which is the underlying runtime library.
Tagging subscribers to this area: @dotnet/ncl, @vcsjones Issue DetailsThe library name used in the shim is a name of the build time library which Close #59518
|
I assumed it is the purpose of libgssapi_krb5.so - to link to the actual underlying library, assuming there are different implementations of the api with different names, i.e. MIT vs. Heimdall. Do they both just install “so.2”? |
@@ -123,7 +123,7 @@ static void* volatile s_gssLib = NULL; | |||
#define GSS_C_NT_HOSTBASED_SERVICE (*GSS_C_NT_HOSTBASED_SERVICE_ptr) | |||
#define gss_mech_krb5 (*gss_mech_krb5_ptr) | |||
|
|||
#define gss_lib_name "libgssapi_krb5.so" | |||
#define gss_lib_name "libgssapi_krb5.so.2" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Can we align it with how it's done for numa/ssl?
try dlopen libgssapi_krb5.so.2
then try dlopen libgssapi_krb5.so.2.2
then try dlopen libgssapi_krb5.so
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
For SSL, it is different as there are several incompatible versions of the library we support. We always use a versioned one though. But adding fallback to libgssapi_krb5.so sounds probably fine, even though I am not aware of a distro where it would be named that way and usually a change in the major version of the library means a compatibility break. So loading just the .so if present might result in hard to debug crashes in case e.g. libgssapi_krb5.so.3 was released and had some subtle incompatible changes.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@am11, it actually seems that for the NUMA case, attempting to use the versionless .so is also something that we might not want to do for the same reason I've mentioned. And do you remember why you have also added the probe for libnuma.so.1.0.0? Have we found systems where the libnuma.so.1 was not present? The comment on the PR that added the libnuma probing is actually not right, there is also libnuma.so on Fedora, the package is numactl-devel.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@janvorli, good points, I think krb5's .2
and numa's .1
are undisputed, other two variants (version-less and .krb5 2.2 / numa .1.0.0) are probably not too great to probe.
The reason of probe for actual binary (1.0.0) was that at the time I was making a .NET example for nanos unikernel docs https://github.com/nanovms/ops-examples/tree/master/dotnet and trying to reduce extra files in that environment (which strives for minimalism). Now I am realizing we can update nanos' packaging tool (ops
) so it follows symlink and add both in the resultant image (which we can boot on azure/aws/google hypervisor).
No, in most cases, the .so without version is a dev time library. The linker then stores the actual library SONAME which includes the version to the target binary (when linking the library at build time). |
The only thing I am not sure about is FreeBSD. I have found I have two of the libraries installed there:
Might be just a result of my past experiments. I wonder if the libgssapi_krb5.so.10 is the one to use on FreeBSD and so we should add probing for it. |
It seems like in general the most consistent way would be to mimic the static linker behavior - resolve the link at build time and dlopen the actual versioned .so - not because it is strictly better, but just to match the common practice. However, since we have just one case like this, if we are sure it is always so.2, then current fix is good enough. |
The Seems like the packaging strategy is different on Linux. In bot cases for Heimdal and MIT the I'm wondering if we should scope this change to Linux only where the claim about development is probably true. |
BTW since this is regression, I would be ok if we proceed with this for 6.0. |
TL;DR: The ports version (aka MIT version, the one found in Long version: A specific example of this is that FreeBSD ships with a full LLVM suite. This is great until you want to use an Also, I think we currently list |
@Thefrank thank you a lot for your quick response! Then the current change is good for FreeBSD too. |
@janvorli I think this PR is getting bit by the "license/cla missing" bug |
@dotnet/dnceng why am I seeing the license/cla "waiting for status to be reported"? What is the way to fix it? Closing and reopening the PR? |
A close and re-open will probably fix it. This is the cla bot that the opensource team manages. Re-opening the PR would re-trigger the web hooks that make the cla thing go. I haven't heard of any current issues with the bot or github. |
/backport to release/6.0-rc2 |
Started backporting to release/6.0-rc2: https://github.com/dotnet/runtime/actions/runs/1269896275 |
The library name used in the shim is a name of the build time library which
is usually installed only for development purposes. We should use
libgssapi_krb5.so.2 which is the underlying runtime library.
Close #59518