GNU bug report logs -
#48959
icecat imcomplete LD_LIBRARY_PATH affecting Kerberos authentication
Previous Next
To add a comment to this bug, you must first unarchive it, by sending
a message to control AT debbugs.gnu.org, with unarchive 48959 in the body.
You can then email your comments to 48959 AT debbugs.gnu.org in the normal way.
Toggle the display of automated, internal messages from the tracker.
Report forwarded
to
bug-guix <at> gnu.org
:
bug#48959
; Package
guix
.
(Fri, 11 Jun 2021 14:58:02 GMT)
Full text and
rfc822 format available.
Acknowledgement sent
to
Ignacio Coterillo <ignacio.coterillo <at> gmail.com>
:
New bug report received and forwarded. Copy sent to
bug-guix <at> gnu.org
.
(Fri, 11 Jun 2021 14:58:02 GMT)
Full text and
rfc822 format available.
Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):
[Message part 1 (text/html, inline)]
[Message part 2 (text/plain, inline)]
Hello,
[Summary]
- The icecat package doesn't correctly set the LD_LIBRARY_PATH
variable during the wrap-program build stage to include mit-krb5 libraries
so kerberos authentication fails as the libraries are not found at runtime:
[Details]
Execution logs obtained by running icecat with the following setup:
$ export NSPR_LOG_FILE=icecat
$ export NSPR_LOG_MODULES=negotiateauth:5
$ icecat
icecat.moz_log:
------------------------------------------------------------------------
[Parent 30197: Main Thread]: D/negotiateauth entering nsAuthGSSAPI::nsAuthGSSAPI()
[Parent 30197: Main Thread]: D/negotiateauth Fail to load gssapi library
[Parent 30197: Main Thread]: D/negotiateauth entering nsAuthGSSAPI::Init()
Confirmed by running through strace:
$ strace -e "open,openat" icecat 2>&1 |grep -E "gssapi|krb5"
(See results in attachment)
Best regards,
Ignacio
[icecat-strace.log (application/octet-stream, attachment)]
Information forwarded
to
bug-guix <at> gnu.org
:
bug#48959
; Package
guix
.
(Mon, 14 Jun 2021 18:51:01 GMT)
Full text and
rfc822 format available.
Message #8 received at 48959 <at> debbugs.gnu.org (full text, mbox):
[Message part 1 (text/plain, inline)]
Hi Ignacio,
Ignacio Coterillo <ignacio.coterillo <at> gmail.com> writes:
> [Summary]
> - The icecat package doesn't correctly set the LD_LIBRARY_PATH
> variable during the wrap-program build stage to include mit-krb5 libraries
> so kerberos authentication fails as the libraries are not found at runtime:
Thanks for this report. I've attached a proposed patch that might fix
the problem. I've verified that the modified IceCat package builds and
runs successfully, but I'm unable to test it properly because I don't
have access to any system that uses Kerberos authentication.
Are you able to test this patch? One way to do so is to clone the
master branch of our git repository, apply this patch to the Guix git
checkout and build it, and then run that modified copy of Guix (without
installing it) to build icecat. See sections 16.1 (Building from Git)
and 16.2 (Running Guix Before It Is Installed) of our manual for details
of how to do this.
If you encounter difficulties or have additional questions, please do
not hesitate to ask.
Regards,
Mark
[0001-UNTESTED-gnu-icecat-Fix-Kerberos-support.patch (text/x-patch, inline)]
From 857f829906e0f8d9583a32ad47c91149c7714171 Mon Sep 17 00:00:00 2001
From: Mark H Weaver <mhw <at> netris.org>
Date: Sun, 13 Jun 2021 19:11:15 -0400
Subject: [PATCH] UNTESTED: gnu: icecat: Fix Kerberos support.
Fixes <https://bugs.gnu.org/48959>.
* gnu/packages/gnuzilla.scm (icecat)[arguments]: In the 'wrap-program' phase,
add mit-krb5 to the LD_LIBRARY_PATH.
---
gnu/packages/gnuzilla.scm | 9 +++++++--
1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/gnu/packages/gnuzilla.scm b/gnu/packages/gnuzilla.scm
index c63809c20c..a997fc1c73 100644
--- a/gnu/packages/gnuzilla.scm
+++ b/gnu/packages/gnuzilla.scm
@@ -1276,14 +1276,19 @@ from forcing GEXP-PROMISE."
(pulseaudio (assoc-ref inputs "pulseaudio"))
(pulseaudio-lib (string-append pulseaudio "/lib"))
(libxscrnsaver (assoc-ref inputs "libxscrnsaver"))
- (libxscrnsaver-lib (string-append libxscrnsaver "/lib")))
+ (libxscrnsaver-lib (string-append libxscrnsaver "/lib"))
+ (mit-krb5 (assoc-ref inputs "mit-krb5"))
+ (mit-krb5-lib (string-append mit-krb5 "/lib")))
(wrap-program (car (find-files lib "^icecat$"))
`("XDG_DATA_DIRS" prefix (,gtk-share))
;; The following line is commented out because the icecat
;; package on guix has been observed to be unstable when
;; using wayland, and the bundled extensions stop working.
;; `("MOZ_ENABLE_WAYLAND" = ("1"))
- `("LD_LIBRARY_PATH" prefix (,pulseaudio-lib ,mesa-lib ,libxscrnsaver-lib)))
+ `("LD_LIBRARY_PATH" prefix (,pulseaudio-lib
+ ,mesa-lib
+ ,libxscrnsaver-lib
+ ,mit-krb5-lib)))
#t))))))
(home-page "https://www.gnu.org/software/gnuzilla/")
(synopsis "Entirely free browser derived from Mozilla Firefox")
--
2.31.1
[Message part 3 (text/plain, inline)]
--
Disinformation flourishes because many people care deeply about injustice
but very few check the facts. Ask me about <https://stallmansupport.org>.
Information forwarded
to
bug-guix <at> gnu.org
:
bug#48959
; Package
guix
.
(Mon, 14 Jun 2021 19:02:01 GMT)
Full text and
rfc822 format available.
Message #11 received at 48959 <at> debbugs.gnu.org (full text, mbox):
Hello again,
Earlier, I wrote:
> Are you able to test this patch? One way to do so is to clone the
> master branch of our git repository, apply this patch to the Guix git
> checkout and build it, and then run that modified copy of Guix (without
> installing it) to build icecat.
On second thought, it would be sufficient and *much* easier to simply
verify that Kerberos authentication works in IceCat if you launch it
with the following Bash shell command:
LD_LIBRARY_PATH=$(guix build mit-krb5)/lib icecat
Would you like to try it and report back?
Thanks,
Mark
--
Disinformation flourishes because many people care deeply about injustice
but very few check the facts. Ask me about <https://stallmansupport.org>.
Reply sent
to
Mark H Weaver <mhw <at> netris.org>
:
You have taken responsibility.
(Tue, 15 Jun 2021 09:58:01 GMT)
Full text and
rfc822 format available.
Notification sent
to
Ignacio Coterillo <ignacio.coterillo <at> gmail.com>
:
bug acknowledged by developer.
(Tue, 15 Jun 2021 09:58:01 GMT)
Full text and
rfc822 format available.
Message #16 received at 48959-done <at> debbugs.gnu.org (full text, mbox):
Hi Ignacio,
Ignacio Coterillo <ignacio.coterillo <at> gmail.com> writes:
> First, I confirm that Kerberos authentication works when running
> icecat as:
>
> LD_LIBRARY_PATH=$(guix build mit-krb5)/lib icecat
Thanks. I just pushed my proposed patch to the master branch, commit
61b904b744c1f16084c79e526837cc7fe73f9b92. I'm also closing this bug
now, but feel free to reopen it if there are remaining problems.
> Regarding the patch, I actually tried to build the package with those
> exact changes myself before submitting the bug for further testing but
> didn't manage to complete the build. The build process would go on
> for over a day (most of the time spent in bootstrapping the rust
> inputs) until failing because of lack of disk space.
Hmm. If you built a recent commit from the 'master' branch of Guix, and
had substitutes enabled, then it should _not_ have tried to build Rust
locally.
My guess is that you didn't pass "--sysconfdir=/etc" to ./configure.
Consequently, the locally-built Guix is looking in /usr/local/etc/guix
for its authorized signing keys, whereas the default configuration of
Guix (as self-built by Guix itself and as installed by our distributed
installers) looks in /etc/guix. That would explain why the
locally-built Guix is not using substitutes.
I suggest passing "--sysconfdir=/etc" (and "--localstatedir=/var") to
./configure, re-running "make" in your Git checkout, and trying again.
Alternatively, you could copy (using "cp -a") /etc/guix to
/usr/local/etc/guix.
> Is it possible to estimate a priori the amount of space a build would
> require to prevent failures?
No. However, 80 GB is more than sufficient to build an entire
GNOME-based Guix system plus Rust and IceCat from source code. I know
this because for several years I've been building my GNOME-based Guix
system locally (with substitutes disabled) on a Thinkpad X200 with 4 GB
of RAM, 8 GB of Swap, and only ~75 GB of disk available for Guix.
If you have a separate /tmp partition, perhaps it is too small. When
building packages locally, the temporary build directories are put in
/tmp by default. It's possible to configure 'guix-daemon' to put them
elsewhere, either by passing the TMPDIR environment variable to
'guix-daemon' (if running it by hand), or via the 'tmpdir' field of the
'guix-configuration' by putting something like the following code in the
'services' field of your OS configuration.
--8<---------------cut here---------------start------------->8---
_ (services (cons* …
__________________ (modify-services %desktop-services
____________________ (guix-service-type config =>
_______________________________________ (guix-configuration
_________________________________________ (inherit config)
_________________________________________ (tmpdir "/var/tmp"))))))
--8<---------------cut here---------------end--------------->8---
Please let us know if you continue to have difficulties.
Regards,
Mark
--
Disinformation flourishes because many people care deeply about injustice
but very few check the facts. Ask me about <https://stallmansupport.org>.
Information forwarded
to
bug-guix <at> gnu.org
:
bug#48959
; Package
guix
.
(Tue, 15 Jun 2021 14:13:04 GMT)
Full text and
rfc822 format available.
Message #19 received at 48959 <at> debbugs.gnu.org (full text, mbox):
Hi Mark,
Thank you for looking at his.
First, I confirm that Kerberos authentication works when running
icecat as:
LD_LIBRARY_PATH=$(guix build mit-krb5)/lib icecat
Regarding the patch, I actually tried to build the package with
those
exact changes myself before submitting the bug for further testing
but didn't manage to complete the build.
The build process would go on for over a day (most of the time
spent in
bootstrapping the rust inputs) until failing because of lack of
disk space.
I've been reading through the different mailing list archives and
the rust
bootstrapping process seems to be a known problem.
Is there a way of improve the behaviour to work on these kind of
big packages?
Is it possible to estimate a priori the amount of space a build
would
require to prevent failures?
Best regards,
Ignacio
Mark H Weaver <mhw <at> netris.org> writes:
> Hello again,
>
> Earlier, I wrote:
>> Are you able to test this patch? One way to do so is to clone
>> the
>> master branch of our git repository, apply this patch to the
>> Guix git
>> checkout and build it, and then run that modified copy of Guix
>> (without
>> installing it) to build icecat.
>
> On second thought, it would be sufficient and *much* easier to
> simply
> verify that Kerberos authentication works in IceCat if you
> launch it
> with the following Bash shell command:
>
> LD_LIBRARY_PATH=$(guix build mit-krb5)/lib icecat
>
> Would you like to try it and report back?
>
> Thanks,
> Mark
bug archived.
Request was from
Debbugs Internal Request <help-debbugs <at> gnu.org>
to
internal_control <at> debbugs.gnu.org
.
(Wed, 14 Jul 2021 11:24:09 GMT)
Full text and
rfc822 format available.
This bug report was last modified 2 years and 286 days ago.
Previous Next
GNU bug tracking system
Copyright (C) 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson.