Haproxy 2.6.2 (LTS) and luaossl error - or it seems so

Question

Haproxy 2.6.2 (LTS) and luaossl error - or it seems so

CanadianHorseman opened this issue 3 years ago · 6 comments

Hello
I'm experiencing an issue after haproxy update to latest stable LTS version.
haproxy 2.6.2-16a3646 compiled with lua support

[ALERT] (20995) : config : parsing [/etc/haproxy//00-global.cfg:10] : Lua runtime error: error loading module '_openssl.pkey' from file '/usr/local/lib/lua/5.3/_openssl.so':
/usr/local/lib/lua/5.3/_openssl.so: undefined symbol: lua_setuservalue

I've tried to reinstall haproxy-lua-oauth using luaossl:rel-20220711 with no luck.

Is there something I can do? This is a latest LTS branch of Haproxy, so I'd think haproxy-lua-oauth should work fine...

Answer 1 · 2022-08-08T03:35:59.000Z

@CanadianHorseman I've updated the example Docker-Compose project to use HAProxy 2.6. When using the example, I do not get the error. This library has a dependency on https://github.com/wahern/luaossl and that is probably where the error is coming from. I suspect that it would be unrelated to the version of HAProxy, since this OAuth Lua library is what interacts with the OpenSSL library (to validate the JWT token signature).

A few follow-up questions for you:

Are you running the install.sh script in this library to install the library and its dependencies?
Do you get the error with HAProxy 2.5?
Which operating system are you using (Ubuntu, RHEL, etc.)?

Thanks

Answer 2 · 2022-09-07T18:20:34.000Z

I'm returning to luaoauth
It's now troubling me again (Centos7 as earlier)

[NOTICE] (29722) : haproxy version is 2.6.2-16a3646
[NOTICE] (29722) : path to executable is /usr/sbin/haproxy
[ALERT] (29722) : config : parsing [/etc/haproxy//00-global.cfg:11] : Lua runtime error: error loading module 'mime.core' from file '/usr/local/lib/lua/5.4/mime/core.so':
/usr/local/lib/lua/5.4/mime/core.so: undefined symbol: luaL_prepbuffer

I don't know why there is "lua 5.4" in logs
The recent luaossl update may be causing it.
Is there a way to fix it?

Answer 3 · 2022-09-11T21:06:25.000Z

@CanadianHorseman I am able to reproduce this, and also think I have the fix.

I think it relates to where the lua include and lib files were installed. For example, in the script below, I am installing Lua 5.3 and copying the lua files to /usr/local/include/ and /usr/local/lib. I set these paths when compiling HAProxy too.

# HAProxy 2.6 on CentOS 7

# Install HAProxy 1.8
sudo yum install -y haproxy

# Install dependencies
sudo yum install -y git ca-certificates gcc glibc-devel pcre-devel openssl-devel readline-devel systemd-devel make wget zlib-devel

# Build Lua
cd ~
LUA_VERSION=5.3.6
curl -sLO https://www.lua.org/ftp/lua-$LUA_VERSION.tar.gz
tar xf lua-$LUA_VERSION.tar.gz && rm lua-$LUA_VERSION.tar.gz
cd lua-$LUA_VERSION
sudo make linux local
sudo cp install/include/* /usr/local/include/
sudo cp -r install/lib/* /usr/local/lib/

# Fetch the latest HAProxy source code
cd ~
git clone https://github.com/haproxy/haproxy.git

# Build HAProxy 2.6
cd haproxy
git checkout v2.6.0
sudo make clean
sudo make -j $(nproc) \
  TARGET=linux-glibc \
  USE_LUA=1 \
  USE_OPENSSL=1 \
  USE_PCRE=1 \
  USE_ZLIB=1 \
  USE_SYSTEMD=1 \
  USE_PROMEX=1 \
  LUA_INC=/usr/local/include \
  LUA_LIB=/usr/local/lib/lua/5.3

sudo make install-bin

# Overwrite HAProxy 1.8 with HAProxy 2.6
sudo cp /usr/local/sbin/haproxy /usr/sbin/haproxy

# Enabe / start HAProxy
sudo systemctl enable haproxy
sudo systemctl start haproxy

The trouble seems to be that the install script hardcodes the include path to /usr/include when installing luasocket (which is the source of the "prepbuffer" function).

curl -sLO https://github.com/lunarmodules/luasocket/archive/refs/heads/master.zip
unzip -qo master.zip && rm master.zip
cd luasocket-master/
make clean all install-both LUAINC=/usr/include/ >/dev/null

Change that last line to:

make clean all install-both LUAINC=/usr/local/include/ >/dev/null

(or substitute LUAINC with where you installed the lua include files)

Then re-run the install script.

sudo ./install.sh luaoauth

Answer 4 · 2023-06-22T03:33:31.000Z

@CanadianHorseman Any luck with this solution?

Answer 5 · 2023-08-03T13:58:17.000Z

There is a very subtle balance here.
The version of Lua on the host and the version of Lua with which haproxy is built must match the versions used during the installation of this project. And it should be 5.3.x :)
For example, in Rocky 9, Lua is already version 5.4.5, and nothing works with it.
But Rocky 8 is okay.

So if you don't mess with versions of lua or your RH-derivative, it works fine.
Still it saddens me for Rocky 9 not working...

Answer 6 · 2023-08-14T03:25:19.000Z

Thanks for researching this @CanadianHorseman . I've updated the library to expect Lua 5.4.4, which should resolve this.