Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[BUG] Ohai passwd - segmentation fault at 0x0000000000000000 #1773

Open
fibd opened this issue Oct 28, 2022 · 1 comment
Open

[BUG] Ohai passwd - segmentation fault at 0x0000000000000000 #1773

fibd opened this issue Oct 28, 2022 · 1 comment
Labels
Status: Untriaged An issue that has yet to be triaged. Type: Bug Does not work as expected.

Comments

@fibd
Copy link

fibd commented Oct 28, 2022

Description

Starting Chef Client, version 18.0.161 / 17.10.3 and ohai-cli yields a stacktrace.
This happens only when Passwd ohai module is in use with libnss-mysql.

Steps to Reproduce

Clean AlmaLinux 8.6 with uptodate packages.
Additionally libnss-mysql installed from EPEL (libnss-mysql 1.5-35.el8), configured with default settings:

/usr/share/doc/libnss-mysql/sample/linux/libnss-mysql-root.cfg
/usr/share/doc/libnss-mysql/sample/linux/libnss-mysql.cfg
/usr/share/doc/libnss-mysql/sample/linux/sample_database.sql

/etc/nsswitch.conf:

passwd:       files mysql
shadow:      files mysql
group:        files mysql
mariadb.x86_64                           3:10.3.35-1.module_el8.6.0+3265+230ed96b @almalinux-appstream
mariadb-backup.x86_64                    3:10.3.35-1.module_el8.6.0+3265+230ed96b @almalinux-appstream
mariadb-common.x86_64                    3:10.3.35-1.module_el8.6.0+3265+230ed96b @almalinux-appstream
mariadb-connector-c.x86_64               3.1.11-2.el8_3                           @almalinux-appstream
mariadb-connector-c-config.noarch        3.1.11-2.el8_3                           @almalinux-appstream
mariadb-connector-c-devel.x86_64         3.1.11-2.el8_3                           @almalinux-appstream
mariadb-errmsg.x86_64                    3:10.3.35-1.module_el8.6.0+3265+230ed96b @almalinux-appstream
mariadb-gssapi-server.x86_64             3:10.3.35-1.module_el8.6.0+3265+230ed96b @almalinux-appstream
mariadb-server.x86_64                    3:10.3.35-1.module_el8.6.0+3265+230ed96b @almalinux-appstream
mariadb-server-utils.x86_64              3:10.3.35-1.module_el8.6.0+3265+230ed96b @almalinux-appstream

Additional informations

Creating test script based of: /opt/chef/embedded/lib/ruby/gems/3.1.0/gems/ohai-18.0.20/lib/ohai/plugins/passwd.rb:

test.rb:

require "etc" unless defined?(Etc)
require "chef-utils/mash"

Mash = ChefUtils::Mash unless defined?(Mash)

etc = Mash.new

etc[:passwd] = Mash.new
etc[:group] = Mash.new

def fix_encoding(str)
  str.force_encoding(Encoding.default_external) if str.respond_to?(:force_encoding)
  str
end

etc[:passwd] = Mash.new
etc[:group] = Mash.new

Etc.passwd do |entry|
  user_passwd_entry = Mash.new(dir: entry.dir, gid: entry.gid, uid: entry.uid, shell: entry.shell, gecos: entry.gecos)
  user_passwd_entry.each_value { |v| fix_encoding(v) }
  entry_name = fix_encoding(entry.name)
  etc[:passwd][entry_name] = user_passwd_entry unless etc[:passwd].key?(entry_name)
end

print etc[:passwd]

Executing it directly using: /opt/chef/embedded/bin/ruby test.rb works as expected, all users are returned.

Ohai Version

ohai-18.0.20 / ohai-17.9.0

Platform Version

NAME="AlmaLinux"
VERSION="8.6 (Sky Tiger)"
ID="almalinux"
ID_LIKE="rhel centos fedora"
NAME="CloudLinux"
VERSION="8.6 (Leonid Kadenyuk)"
ID="cloudlinux"

Ohai Output

ohai -c /etc/chef/client.rb -l debug
https://gist.github.com/fibd/385c2fc855a3983bfc5bce775017cab9
@fibd fibd added Status: Untriaged An issue that has yet to be triaged. Type: Bug Does not work as expected. labels Oct 28, 2022
@fibd
Copy link
Author

fibd commented Nov 2, 2022

AlmaLinux 8.6 use different OpenSSL version than ruby included in chef:

/opt/chef/embedded/bin/ruby -ropenssl -e 'puts OpenSSL::OPENSSL_VERSION'
OpenSSL 1.0.2zb  23 Sep 2021

System:

- **ruby**:
/usr/bin/ruby -ropenssl -e 'puts OpenSSL::OPENSSL_VERSION'
OpenSSL 1.1.1k  FIPS 25 Mar 2021
- openssl version:
OpenSSL 1.1.1k  FIPS 25 Mar 2021

libnss_mysql.so is linked with /lib64/libmariadb.so.3 which is linked with system SSL - cause in default AlmaLinux is building mariadb-connector-c with SSL enabled thus it causes conflict with libraries, cause chef loads different libssl (/opt/chef/embedded/lib/libssl.so.1.0.0) and libnss_mysql.so load different one (/lib64/libssl.so.1.1) so result is segfault.

In my opinion provided ruby should be linked with system OpenSSL thus the problem wont exist.
To fix this issue I compiled mariadb-connector-c without SSL and linked it to libnss_mysql, so had to make two packages. Cause I dont use libnss_mysql everywhere I picked this solution as easiest one.

Regards

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Status: Untriaged An issue that has yet to be triaged. Type: Bug Does not work as expected.
Projects
None yet
Development

No branches or pull requests

1 participant