rocky-linux/rocky-tools

Failure when converting Oracle Linux 9.4 to Rocky 9.4

Closed this issue · 11 comments

The script fails with this error:

Error: Transaction test error:
  file /usr/lib64/ossl-modules/fips.so from install of openssl-libs-1:3.0.7-27.el9.0.1.x86_64 conflicts with file from package openssl-fips-provider-3.0.7-2.0.1.el9.x86_64

Hi, can you please share your full migrate2rocky.log file?

Here's the complete log file. Note that it's an OL9 VM running under VirtualBox.
migrate2rocky.log

openssl-fips-provider is conflicting with openssl-libs. You don't need openssl-fips-provider and cannot legitimately have both that and openssl-libs installed at the same time. You should remove openssl-fips-provider and reinstall openssl-libs before attempting to run migrate2rocky9:

dnf shell
remove openssl-fips-provider
reinstall openssl-libs
run
> remove openssl-fips-provider
> reinstall openssl-libs
> run

 Problem: package openssl-libs-1:3.0.7-27.0.3.el9.x86_64 from ol9_baseos_latest requires openssl-fips-provider, but none of the providers can be installed
  - openssl-fips-provider-3.0.7-2.0.1.el9.i686 from ol9_baseos_latest  does not belong to a distupgrade repository
  - conflicting requests

On Oracle Linux, openssl-libs depends on openssl-fips-provider. I cannot remove it.

Yuk, Oracle deviated from RHEL on that one. RHEL stuck that file into openssl-libs and got rid of the other package. I'm not sure off the top of my head what could be a good solution for it.

It might work to manually swap out the openssl* packages for the Rocky Linux ones before running migrate2rocky9.

It's likely the opposite.

In openssl-fips-provider (from rhel):

%define __spec_install_post \
    %{?__debug_package:%{__debug_install_post}} \
    %{__arch_install_post} \
    %{__os_install_post} \
    cp fips_module/fips.so.%{_arch} $RPM_BUILD_ROOT%{_libdir}/ossl-modules/fips.so \
%{nil}

In openssl (from rhel):

%if ( %{defined rhel} && (! %{defined centos}) )
%define __spec_install_post \
    rm -rf $RPM_BUILD_ROOT/%{_libdir}/ossl-modules/fips.so \
    %{?__debug_package:%{__debug_install_post}} \
    %{__arch_install_post} \
    %{__os_install_post} \
%{nil}
%else
%define __spec_install_post \
    %{?__debug_package:%{__debug_install_post}} \
    %{__arch_install_post} \
    %{__os_install_post} \
    LD_LIBRARY_PATH=. apps/openssl dgst -binary -sha256 -mac HMAC -macopt hexkey:f4556650ac31d35461610bac4ed81b1a181b2d8a43ea2854cbae22ca74560813 < $RPM_BUILD_ROOT%{_libdir}/ossl-modules/fips.so > $RPM_BUILD_ROOT%{_libdir}/ossl-modules/fips.so.hmac \
    objcopy --update-section .rodata1=$RPM_BUILD_ROOT%{_libdir}/ossl-modules/fips.so.hmac $RPM_BUILD_ROOT%{_libdir}/ossl-modules/fips.so $RPM_BUILD_ROOT%{_libdir}/ossl-modules/fips.so.mac \
    mv $RPM_BUILD_ROOT%{_libdir}/ossl-modules/fips.so.mac $RPM_BUILD_ROOT%{_libdir}/ossl-modules/fips.so \
    rm $RPM_BUILD_ROOT%{_libdir}/ossl-modules/fips.so.hmac \
%{nil}
%endif

In Rocky Linux, we had both packages where fips.so was provided in both spots. As a result, we removed openssl-fips-provider (due to the logic above). This issue isn't just Oracle Linux conversions. The migration script could be modified to deal with this sort of edge case or we can maybe look into changing the provides/conflicts/obsoletes of openssl-libs to deal with this particular scenario. However I don't know if the latter is actually worth it.

As it stands now, conversions from CentOS Stream 9 and AlmaLinux 9 should work, as they don't have openssl-fips-provider. RHEL 9 and Oracle Linux 9 have it, and since openssl-fips-provider is involved, it does not work from those.

Perhaps ensuring openssl-fips-provider is removed via --nodeps, through addl_pkg_removes, is the closest to the right approach here.
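The following added example, which is not part of the thread or of migrate2rocky9.sh, extracts file conflicts from a dnf transaction-test error like the one reported above and names the installed package that holds the contested file. The function names and the sample log are constructed for illustration.

```shell
#!/bin/sh
# Added example: find which installed packages block a dnf transaction
# because they own a file that an incoming package also ships.

# Constructed sample input, modelled on the error quoted in this issue.
sample_log() {
cat <<'EOF'
Error: Transaction test error:
  file /usr/lib64/ossl-modules/fips.so from install of openssl-libs-1:3.0.7-27.el9.0.1.x86_64 conflicts with file from package openssl-fips-provider-3.0.7-2.0.1.el9.x86_64
EOF
}

# Reduce a NEVRA string (name-[epoch:]version-release.arch) to the package
# name by dropping the last two hyphen-separated fields.
nevra_name() {
    printf '%s\n' "$1" | sed 's/-[^-]*-[^-]*$//'
}

# Read a log on stdin and print "path|incoming-name|installed-name" for each
# file conflict. Assumes paths contain no '|' character.
file_conflicts() {
    sed -n 's/^ *file \(.*\) from install of \([^ ]*\) conflicts with file from package \([^ ]*\) *$/\1|\2|\3/p' |
    while IFS='|' read -r path incoming installed; do
        printf '%s|%s|%s\n' "$path" \
            "$(nevra_name "$incoming")" "$(nevra_name "$installed")"
    done
}

# Print the unique installed package names that block the transaction.
# These are the packages to examine before retrying the conversion.
blocking_packages() {
    file_conflicts | cut -d'|' -f3 | sort -u
}

# Demonstration on the constructed sample.
sample_log | blocking_packages
```

Against a real run, the same functions can read the log directly, for example `file_conflicts < migrate2rocky.log`.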

I did try rpm -e --nodeps openssl-fips-provider before trying the conversion, but then the script complained that my system was broken, and required me to fix the dependencies before proceeding.

@pajamian

diff --git a/migrate2rocky/migrate2rocky9.sh b/migrate2rocky/migrate2rocky9.sh
index 60de33c..1d2be16 100644
--- a/migrate2rocky/migrate2rocky9.sh
+++ b/migrate2rocky/migrate2rocky9.sh
@@ -718,6 +718,9 @@ collect_system_info () {
         redhat-release
         redhat-release-eula
     )
+    addl_pkg_removes=(
+      openssl-fips-provider
+    )

     # Check to make sure that we don't already have a full or partial
     # RockyLinux install.
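
Review bot: the new `addl_pkg_removes=( ... )` assignment after the `redhat-release-eula` list has no comment saying why openssl-fips-provider is removed; add one noting that it owns /usr/lib64/ossl-modules/fips.so, which the incoming openssl-libs also ships. The entry is indented by six spaces while the entries of the preceding array use eight, and the plain `=` would discard any value given to addl_pkg_removes earlier in collect_system_info, so `+=` is safer if that can happen. Because the dnf output earlier in the thread shows the source system's openssl-libs requiring this package, it is worth confirming where in the script the removal actually takes place relative to the step that installs the Rocky openssl-libs.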

After doing this, the conversion completes successfully on Oracle Linux (a minimal installation anyway). I have tried this twice so far and it seems to work. I do not have a RHEL system to test this, however.


I also submitted #219 to try to address this. If this fix isn't it and there's additional changes, we can just change the branch before merge.

Does the package end up being removed from the dnf shell command or does it have to later force the removal with one of the rpm commands a bit further down?

The addl_pkg_removes was originally created to remove extra system packages in RHEL that were a bit stubborn, so they did have to sometimes be forcibly removed with rpm when dnf couldn't do it. openssl-libs isn't considered (in this context) a system package, though, and as such is updated later in the distro-sync stage. Since openssl-fips-provider is a dependency of openssl-libs, I'm a bit worried about removing it early: can it cause breakage in later commands that might use openssl? I'm not opposed to this solution, just a bit concerned.

migrate2rocky9 has now been updated to fix this issue with PR #219. Please test to make sure that the fix works for you. I'm closing this ticket but if there's any further issues we can reopen it.