GNU bug report logs - #20145
(guix build download) leaks file descriptor on TLS connections

Package: guix;

Reported by: ludo <at> gnu.org (Ludovic Courtès)

Date: Thu, 19 Mar 2015 18:17:01 UTC

Severity: normal

Merged with 38836, 38857

Done: Ludovic Courtès <ludo <at> gnu.org>

Bug is archived. No further changes may be made.


From: help-debbugs <at> gnu.org (GNU bug Tracking System)
To: Ludovic Courtès <ludo <at> gnu.org>
Cc: tracker <at> debbugs.gnu.org
Subject: bug#38857: closed (X.509 certificate of 'crates.io' could not be
 verified during a recursive import from crates.io)
Date: Fri, 03 Jan 2020 15:13:02 +0000
[Message part 1 (text/plain, inline)]
Your message dated Fri, 03 Jan 2020 16:12:11 +0100
with message-id <87png0poac.fsf <at> gnu.org>
and subject line Re: bug#20145: (guix build download) leaks file descriptor on TLS connections
has caused the debbugs.gnu.org bug report #20145,
regarding X.509 certificate of 'crates.io' could not be verified during a recursive import from crates.io
to be marked as done.

(If you believe you have received this mail in error, please contact
help-debbugs <at> gnu.org.)


-- 
20145: http://debbugs.gnu.org/cgi/bugreport.cgi?bug=20145
GNU Bug Tracking System
Contact help-debbugs <at> gnu.org with problems
[Message part 2 (message/rfc822, inline)]
From: Valentin Ignatev <valentignatev <at> gmail.com>
To: bug-guix <at> gnu.org
Subject: X.509 certificate of 'crates.io' could not be verified during a
 recursive import from crates.io
Date: Thu, 2 Jan 2020 01:45:35 +0300
[Message part 3 (text/plain, inline)]
Hi! I'm trying to recursively import a package from crates.io like this:

guix import crate notify@4.0.14 --recursive

It follows redirections for a while until at some point it throws this:

Backtrace:
          12 (primitive-load "/home/vj/.config/guix/current/bin/guix")
In guix/ui.scm:
  1806:12 11 (run-guix-command _ . _)
In guix/scripts/import.scm:
   116:11 10 (guix-import . _)
In guix/scripts/import/crate.scm:
   103:16  9 (guix-import-crate . _)
In guix/import/utils.scm:
    425:7  8 (recursive-import _ _ #:repo->guix-package _ #:guix-name …)
   397:31  7 (topological-sort _ #<procedure 7f9a59729630 at guix/i…> …)
In srfi/srfi-1.scm:
   592:17  6 (map1 ("tempfile"))
In guix/import/utils.scm:
   421:36  5 (lookup-node "tempfile")
In guix/import/crate.scm:
   222:10  4 (crate->guix-package "tempfile" _)
   150:15  3 (make-crate-sexp #:name _ #:version _ #:cargo-inputs _ # …)
In guix/http-client.scm:
    88:25  2 (http-fetch _ #:port _ #:text? _ #:buffered? _ # _ # _ # …)
In guix/build/download.scm:
    419:4  1 (open-connection-for-uri _ #:timeout _ # _)
    306:6  0 (tls-wrap #<closed: file 7f9a564b3a10> _ # _)

guix/build/download.scm:306:6: In procedure tls-wrap:
X.509 certificate of 'crates.io' could not be verified:
  signer-not-found
  invalid

I suspect that it happens after the importer hits
"wasm-bindgen-webidl" and starts going in circles. Maybe there's some
circular dependencies going on, but I'm not sure. I'm attaching a
full log for convenience.

For additional info: I'm running Guix on Arch Linux. I've also
installed the nss-certs package, exported all needed variables
(SSL_CERT_DIR, SSL_CERT_FILE and GIT_SSL_CAINFO) before running guix
import and also made sure nscd.service is running.

Regards,
Valentin Ignatev
[crates_recursive_importer.log (text/x-log, attachment)]
[Message part 5 (message/rfc822, inline)]
From: Ludovic Courtès <ludo <at> gnu.org>
To: 20145-done <at> debbugs.gnu.org
Cc: Ricardo Wurmus <rekado <at> elephly.net>,
 Valentin Ignatev <valentignatev <at> gmail.com>
Subject: Re: bug#20145: (guix build download) leaks file descriptor on TLS
 connections
Date: Fri, 03 Jan 2020 16:12:11 +0100
Hello again!

Ludovic Courtès <ludo <at> gnu.org> skribis:

> Back in 2015, I closed <https://issues.guix.gnu.org/issue/20145> saying:
>
>> ludo <at> gnu.org (Ludovic Courtès) skribis:
>>
>>> When opening an HTTPS connection, the file descriptor beneath the port
>>> returned by ‘tls-wrap’ is leaked.
>>>
>>> This is not a problem in most cases (downloads) because the process is
>>> left as soon as the download is over.
>>>
>>> This is more problematic for ‘guix lint’, which may open a large number
>>> of HTTPS connections for the ‘source’ and ‘home-page’ checkers when
>>> working on all the packages.
>>
>> This is essentially solved by commits
>> 14d6ca3e4dd23ee92adb5e2fcf58546e67534631 and
>> 097a951e96718a037dbfa6d579e2d26f7dab3e82.
>>
>> One still needs to be careful, though, for instance because closing a
>> chunked encoding port (which is a custom binary input port wrapped
>> around the real socket port) still fails to close the raw socket port
>> that’s behind the TLS session record port.
>
> Unfortunately, the bugs just reported by Valentin and by Ricardo are
> instances of this problem (at least I checked with crates.io and it
> uses chunked encoding, leading to a file descriptor leak):
>
>   https://issues.guix.gnu.org/issue/38857
>   https://issues.guix.gnu.org/issue/38836

Commit f4cde9ac4aedb516c050a30fd999673da434bfa0 fixes it for good it
seems!  (You can monitor /proc/PID/fd while ‘guix refresh’ or ‘guix
import crate -r’ is running.  :-))

There was also a CRAN-specific FD leak fixed in
af0aefd8c10701fa32341506e36297e5105f6143.

Let me know if anything is amiss!

Ludo’.
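
The /proc/PID/fd check suggested in the message above, written out as a small POSIX sh helper (an added example, not part of the original thread or of Guix): it counts a process's open descriptors and sockets and reports a leak when the socket count never drops and keeps growing across samples. The function names and the growth threshold of 5 are assumptions of this example.

```shell
#!/bin/sh
# Added example: sample /proc/PID/fd and flag steady descriptor growth.
# Usage (after sourcing this file):  watch_fds PID [INTERVAL] [COUNT]

# Print "TOTAL SOCKETS" for the open descriptors of process $1.
fd_counts() {
    total=0 sockets=0
    for fd in /proc/"$1"/fd/*; do
        # Entries can vanish between the glob and readlink; skip those.
        target=$(readlink "$fd" 2>/dev/null) || continue
        total=$((total + 1))
        case $target in socket:*) sockets=$((sockets + 1)) ;; esac
    done
    echo "$total $sockets"
}

# classify_series THRESHOLD N1 N2 ...  (counts oldest first)
# Prints "leak" when the count never drops and grows by at least THRESHOLD
# overall, otherwise "ok". A healthy client closes sockets, so its count
# goes back down between requests.
classify_series() {
    threshold=$1; shift
    [ "$#" -ge 2 ] || { echo ok; return; }
    first=$1 prev=$1
    for n in "$@"; do
        [ "$n" -ge "$prev" ] || { echo ok; return; }
        prev=$n
    done
    if [ $((prev - first)) -ge "$threshold" ]; then echo leak; else echo ok; fi
}

# Sample PID every INTERVAL seconds, COUNT times, log each sample to stderr,
# then classify the socket counts (threshold 5 is an assumed value).
watch_fds() {
    pid=$1 interval=${2:-2} count=${3:-10} series=
    i=0
    while [ "$i" -lt "$count" ] && [ -d /proc/"$pid" ]; do
        set -- $(fd_counts "$pid")
        echo "$(date +%T) total=$1 sockets=$2" >&2
        series="$series $2"
        i=$((i + 1))
        sleep "$interval"
    done
    classify_series 5 $series
}
```

Run `watch_fds` against the PID of a running `guix import crate -r` or `guix refresh`; the per-sample lines go to stderr and the final verdict to stdout.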


This bug report was last modified 5 years and 135 days ago.
