Omnibus produces RHEL builds that don't work on Fedora unless libxcrypt-compat is installed
michel-slm opened this issue · 3 comments
Description
Omnibus produces RPMs with incomplete dependencies; the whitelisted dependencies do not show up as library requirements, e.g.:
❯ rpm -q --requires chef
/bin/sh
/bin/sh
rpmlib(PayloadFilesHavePrefix) <= 4.0-1
rpmlib(CompressedFileNames) <= 3.0.4-1
rpmlib(PayloadIsXz) <= 5.2-1
❯ rpm -q chef
chef-13.9.1-1.el7.x86_64
But Fedora 28 and above ship libcrypt.so.2 by default (from libxcrypt) instead of libcrypt.so.1 (from glibc) as in RHEL 7, so we can't assume that libcrypt.so.1 is available without either embedding it or listing it as a required library in the RPM spec (it's still available, but provided by libxcrypt-compat).
Omnibus Version
N/A (didn't build myself)
Platform Version
RHEL 7 x86_64
Replication Case
- Install Fedora Workstation with the default package set
- Download chef-13.9.1-1.el7.x86_64.rpm and chef-15.0.300-1.el7.x86_64.rpm
- Check the dependencies for the embedded Ruby (either unpack the RPM with rpm2cpio or install it)
- Notice that libcrypt.so.1 is not found, but the RPM does not pull it in
❯ ldd /opt/chef/embedded/bin/ruby
linux-vdso.so.1 (0x00007fff72a8d000)
libruby.so.2.4 => /opt/chef/embedded/lib/libruby.so.2.4 (0x00007f62c927f000)
libpthread.so.0 => /lib64/libpthread.so.0 (0x00007f62c923f000)
libdl.so.2 => /lib64/libdl.so.2 (0x00007f62c9239000)
libcrypt.so.1 => not found
libm.so.6 => /lib64/libm.so.6 (0x00007f62c90f3000)
libc.so.6 => /lib64/libc.so.6 (0x00007f62c8f2d000)
/lib64/ld-linux-x86-64.so.2 (0x00007f62c9797000)
libcrypt.so.1 => not found
❯ sudo chef-client -s
[sudo] password for michel:
/opt/chef/embedded/bin/ruby: error while loading shared libraries: libcrypt.so.1: cannot open shared object file: No such file or directory
The same is still true for the latest chef-15.0.300-1.el7.x86_64.rpm:
/tmp/chef15
❯ rpm -qp --requires ~/Downloads/chef-15.0.300-1.el7.x86_64.rpm
warning: /home/michel/Downloads/chef-15.0.300-1.el7.x86_64.rpm: Header V4 DSA/SHA1 Signature, key ID 83ef826a: NOKEY
/bin/sh
/bin/sh
/bin/sh
rpmlib(PayloadFilesHavePrefix) <= 4.0-1
rpmlib(CompressedFileNames) <= 3.0.4-1
rpmlib(PayloadIsXz) <= 5.2-1
/tmp/chef15
❯ rpm2cpio ~/Downloads/chef-15.0.300-1.el7.x86_64.rpm| cpio -vid 2>/dev/null
/tmp/chef15
❯ ldd opt/chef/embedded/bin/ruby
linux-vdso.so.1 (0x00007ffcfa6fb000)
libruby.so.2.6 => /lib64/libruby.so.2.6 (0x00007f00923b0000)
libpthread.so.0 => /lib64/libpthread.so.0 (0x00007f009238f000)
librt.so.1 => /lib64/librt.so.1 (0x00007f0092385000)
libdl.so.2 => /lib64/libdl.so.2 (0x00007f009237f000)
libcrypt.so.1 => not found
libm.so.6 => /lib64/libm.so.6 (0x00007f0092239000)
libc.so.6 => /lib64/libc.so.6 (0x00007f0092071000)
libgmp.so.10 => /lib64/libgmp.so.10 (0x00007f0091ff4000)
libcrypt.so.2 => /lib64/libcrypt.so.2 (0x00007f0091fb9000)
/lib64/ld-linux-x86-64.so.2 (0x00007f00926e5000)
/tmp/chef15
❯ ls opt/chef/embedded/lib/libcrypt*
opt/chef/embedded/lib/libcrypto.a opt/chef/embedded/lib/libcrypto.so.1.0.0
opt/chef/embedded/lib/libcrypto.so
Build Output
N/A (bug with official build)
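Added example (not part of the original issue, and not Omnibus or Chef code): the replication steps above as a POSIX shell check that lists sonames ldd reports as "not found" and that the package's Requires list does not declare. The sample input is constructed from the output quoted in the issue, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: report sonames that ldd cannot resolve and that the RPM's
# Requires list does not declare. Function names are hypothetical.

# Constructed sample input, abridged from the output quoted in the issue.
SAMPLE_LDD='	linux-vdso.so.1 (0x00007fff72a8d000)
	libruby.so.2.4 => /opt/chef/embedded/lib/libruby.so.2.4 (0x00007f62c927f000)
	libcrypt.so.1 => not found
	libc.so.6 => /lib64/libc.so.6 (0x00007f62c8f2d000)
	libcrypt.so.1 => not found'
SAMPLE_REQUIRES='/bin/sh
rpmlib(PayloadFilesHavePrefix) <= 4.0-1
rpmlib(CompressedFileNames) <= 3.0.4-1
rpmlib(PayloadIsXz) <= 5.2-1'

# Read ldd output on stdin; print each unresolved soname once.
missing_sonames() {
    awk '$2 == "=>" && $3 == "not" && $4 == "found" { print $1 }' | sort -u
}

# is_declared SONAME REQUIRES_TEXT
# rpm records ELF dependencies as "libfoo.so.N()(64bit)" or
# "libfoo.so.N(VERSION)(64bit)", so compare the text before the first "(".
is_declared() {
    printf '%s\n' "$2" | awk -v want="$1" '
        { split($1, part, "("); if (part[1] == want) found = 1 }
        END { exit (found ? 0 : 1) }'
}

# undeclared_sonames LDD_TEXT REQUIRES_TEXT
# Print every unresolved soname that the Requires list does not cover.
undeclared_sonames() {
    printf '%s\n' "$1" | missing_sonames | while IFS= read -r soname; do
        is_declared "$soname" "$2" || printf '%s\n' "$soname"
    done
}

# On the sample this prints: libcrypt.so.1
undeclared_sonames "$SAMPLE_LDD" "$SAMPLE_REQUIRES"

# Against a real install (path and package name as in the issue):
#   undeclared_sonames "$(ldd /opt/chef/embedded/bin/ruby)" "$(rpm -q --requires chef)"
```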
Just as reference, got the same issue with Fedora 30.
Workaround: "dnf install libxcrypt-compat"
Root Cause: https://fedoraproject.org/wiki/Changes/FullyRemoveDeprecatedAndUnsafeFunctionsFromLibcrypt
@tpowell-progress This is now a problem in Fedora ELN, since the -compat package got removed https://src.fedoraproject.org/rpms/libxcrypt/pull-request/16
@tpowell-progress not just ELN (which will become RHEL 11) - it's already dropped in the c10s branch which will become RHEL 10 in a few months too