GNU bug report logs - #20145
(guix build download) leaks file descriptor on TLS connections


Package: guix;

Reported by: ludo <at> gnu.org (Ludovic Courtès)

Date: Thu, 19 Mar 2015 18:17:01 UTC

Severity: normal

Merged with 38836, 38857

Done: Ludovic Courtès <ludo <at> gnu.org>

Bug is archived. No further changes may be made.


From: help-debbugs <at> gnu.org (GNU bug Tracking System)
To: Valentin Ignatev <valentignatev <at> gmail.com>
Subject: bug#38857: closed (Re: bug#20145: (guix build download) leaks
 file descriptor on TLS connections)
Date: Fri, 03 Jan 2020 15:13:02 +0000
[Message part 1 (text/plain, inline)]
Your bug report

#20145: X.509 certificate of 'crates.io' could not be verified during a recursive import from crates.io

which was filed against the guix package, has been closed.

The explanation is attached below, along with your original report.
If you require more details, please reply to 38857 <at> debbugs.gnu.org.

-- 
20145: http://debbugs.gnu.org/cgi/bugreport.cgi?bug=20145
GNU Bug Tracking System
Contact help-debbugs <at> gnu.org with problems
[Message part 2 (message/rfc822, inline)]
From: Ludovic Courtès <ludo <at> gnu.org>
To: 20145-done <at> debbugs.gnu.org
Cc: Ricardo Wurmus <rekado <at> elephly.net>,
 Valentin Ignatev <valentignatev <at> gmail.com>
Subject: Re: bug#20145: (guix build download) leaks file descriptor on TLS
 connections
Date: Fri, 03 Jan 2020 16:12:11 +0100
Hello again!

Ludovic Courtès <ludo <at> gnu.org> writes:

> Back in 2015, I closed <https://issues.guix.gnu.org/issue/20145> saying:
>
>> ludo <at> gnu.org (Ludovic Courtès) writes:
>>
>>> When opening an HTTPS connection, the file descriptor beneath the port
>>> returned by ‘tls-wrap’ is leaked.
>>>
>>> This is not a problem in most cases (downloads) because the process is
>>> left as soon as the download is over.
>>>
>>> This is more problematic for ‘guix lint’, which may open a large number
>>> of HTTPS connections for the ‘source’ and ‘home-page’ checkers when
>>> working on all the packages.
>>
>> This is essentially solved by commits
>> 14d6ca3e4dd23ee92adb5e2fcf58546e67534631 and
>> 097a951e96718a037dbfa6d579e2d26f7dab3e82.
>>
>> One still needs to be careful, though, for instance because closing a
>> chunked encoding port (which is a custom binary input port wrapped
>> around the real socket port) still fails to close the raw socket port
>> that’s behind the TLS session record port.
>
> Unfortunately, the bugs just reported by Valentin and by Ricardo are
> instances of this problem (at least I checked with crates.io and it
> uses chunked encoding, leading to a file descriptor leak):
>
>   https://issues.guix.gnu.org/issue/38857
>   https://issues.guix.gnu.org/issue/38836

Commit f4cde9ac4aedb516c050a30fd999673da434bfa0 fixes it for good it
seems!  (You can monitor /proc/PID/fd while ‘guix refresh’ or ‘guix
import crate -r’ is running.  :-))

There was also a CRAN-specific FD leak fixed in
af0aefd8c10701fa32341506e36297e5105f6143.

Let me know if anything is amiss!

Ludo’.
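
The /proc/PID/fd check suggested in the message above, written out as an added example (not part of the thread or of Guix): it counts the socket descriptors of a running process at intervals and flags sustained growth. The names count_sockets, leak_verdict, watch_fds and LEAK_THRESHOLD are hypothetical, and the default threshold of 8 is an assumption.

```shell
#!/bin/sh
# Added example. count_sockets, leak_verdict, watch_fds and LEAK_THRESHOLD
# are hypothetical names, not part of Guix.

# count_sockets DIR: print how many entries in DIR (normally /proc/PID/fd)
# are symlinks whose target is a socket, e.g. "socket:[48213]".
count_sockets() {
    dir=$1
    n=0
    for fd in "$dir"/*; do
        # Descriptors can close between the listing and readlink; skip those.
        target=$(readlink "$fd" 2>/dev/null) || continue
        case $target in
            socket:*) n=$((n + 1)) ;;
        esac
    done
    echo "$n"
}

# leak_verdict COUNT...: print "leak-suspected" when the last sample exceeds
# the first by at least LEAK_THRESHOLD (default 8) sockets, otherwise "ok".
leak_verdict() {
    threshold=${LEAK_THRESHOLD:-8}
    first=$1
    for last in "$@"; do :; done
    if [ $((last - first)) -ge "$threshold" ]; then
        echo leak-suspected
    else
        echo ok
    fi
}

# watch_fds PID [INTERVAL] [SAMPLES]: sample the socket count of a running
# process (same user or root required) and print a verdict at the end.
watch_fds() {
    pid=$1 interval=${2:-2} samples=${3:-10}
    counts=
    i=0
    while [ "$i" -lt "$samples" ] && [ -d "/proc/$pid/fd" ]; do
        c=$(count_sockets "/proc/$pid/fd")
        echo "$(date +%T) pid=$pid sockets=$c" >&2
        counts="$counts $c"
        i=$((i + 1))
        sleep "$interval"
    done
    [ -n "$counts" ] || { echo "no samples: is $pid running?" >&2; return 1; }
    leak_verdict $counts   # unquoted on purpose: one argument per sample
}

# Run only when a PID is given, e.g.: sh watch-fds.sh 12345 2 30
if [ "$#" -ge 1 ]; then watch_fds "$@"; fi
```

A socket count that keeps climbing for the whole length of a recursive import is what the leak looks like from outside the process; the per-sample lines go to stderr and the verdict to stdout.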

[Message part 3 (message/rfc822, inline)]
From: Valentin Ignatev <valentignatev <at> gmail.com>
To: bug-guix <at> gnu.org
Subject: X.509 certificate of 'crates.io' could not be verified during a
 recursive import from crates.io
Date: Thu, 2 Jan 2020 01:45:35 +0300
[Message part 4 (text/plain, inline)]
Hi! I'm trying to recursively import a package from crates.io like this:

guix import crate notify <at> 4.0.14 --recursive

It follows redirections for a while until at some point throws this:

Backtrace:
          12 (primitive-load "/home/vj/.config/guix/current/bin/guix")
In guix/ui.scm:
  1806:12 11 (run-guix-command _ . _)
In guix/scripts/import.scm:
   116:11 10 (guix-import . _)
In guix/scripts/import/crate.scm:
   103:16  9 (guix-import-crate . _)
In guix/import/utils.scm:
    425:7  8 (recursive-import _ _ #:repo->guix-package _ #:guix-name …)
   397:31  7 (topological-sort _ #<procedure 7f9a59729630 at guix/i…> …)
In srfi/srfi-1.scm:
   592:17  6 (map1 ("tempfile"))
In guix/import/utils.scm:
   421:36  5 (lookup-node "tempfile")
In guix/import/crate.scm:
   222:10  4 (crate->guix-package "tempfile" _)
   150:15  3 (make-crate-sexp #:name _ #:version _ #:cargo-inputs _ # …)
In guix/http-client.scm:
    88:25  2 (http-fetch _ #:port _ #:text? _ #:buffered? _ # _ # _ # …)
In guix/build/download.scm:
    419:4  1 (open-connection-for-uri _ #:timeout _ # _)
    306:6  0 (tls-wrap #<closed: file 7f9a564b3a10> _ # _)

guix/build/download.scm:306:6: In procedure tls-wrap:
X.509 certificate of 'crates.io' could not be verified:
  signer-not-found
  invalid

I suspect that it happens after the importer hits
"wasm-bindgen-webidl" and starts going in circles. Maybe there's some
circular dependencies going on, but I'm not sure. I'm attaching a
full log for convenience.

For additional info: I'm running Guix on Arch Linux. I've also
installed nss-certs package, exported all needed variables
(SSL_CERT_DIR, SSL_CERT_FILE and GIT_SSL_CAINFO) before running guix
import and also made sure nscd.service is running.

Regards,
Valentin Ignatev
[crates_recursive_importer.log (text/x-log, attachment)]

This bug report was last modified 5 years and 135 days ago.
