GNU bug report logs - #48959
icecat imcomplete LD_LIBRARY_PATH affecting Kerberos authentication

Previous Next

Full log

View this message in rfc822 format

From: help-debbugs <at> gnu.org (GNU bug Tracking System)
To: Mark H Weaver <mhw <at> netris.org>
Cc: tracker <at> debbugs.gnu.org
Subject: bug#48959: closed (icecat imcomplete LD_LIBRARY_PATH affecting
 Kerberos authentication)
Date: Tue, 15 Jun 2021 09:58:01 +0000

[Message part 1 (text/plain, inline)]

Your message dated Tue, 15 Jun 2021 05:56:00 -0400
with message-id <87pmwn30z8.fsf <at> netris.org>
and subject line Re: bug#48959: icecat imcomplete LD_LIBRARY_PATH affecting Kerberos authentication
has caused the debbugs.gnu.org bug report #48959,
regarding icecat imcomplete LD_LIBRARY_PATH affecting Kerberos authentication
to be marked as done.

(If you believe you have received this mail in error, please contact
help-debbugs <at> gnu.org.)


-- 
48959: http://debbugs.gnu.org/cgi/bugreport.cgi?bug=48959
GNU Bug Tracking System
Contact help-debbugs <at> gnu.org with problems

[Message part 2 (message/rfc822, inline)]

From: Ignacio  Coterillo <ignacio.coterillo <at> gmail.com>
To: bug-guix <at> gnu.org
Subject: icecat imcomplete LD_LIBRARY_PATH affecting Kerberos authentication
Date: Fri, 11 Jun 2021 13:21:02 +0200

[Message part 3 (text/html, inline)]

[Message part 4 (text/plain, inline)]

Hello,

[Summary]
- The icecat package doesn't correctly set the LD_LIBRARY_PATH
variable during the wrap-program build stage to include mit-krb5 libraries
so kerberos authentication fails as the libraries are not found at runtime:

[Details]
Execution logs obtained by running icecat with the following setup:

$ export NSPR_LOG_FILE=icecat
$ export NSPR_LOG_MODULES=negotiateauth:5
$ icecat

icecat.moz_log:
------------------------------------------------------------------------
[Parent 30197: Main Thread]: D/negotiateauth entering nsAuthGSSAPI::nsAuthGSSAPI()
[Parent 30197: Main Thread]: D/negotiateauth Fail to load gssapi library
[Parent 30197: Main Thread]: D/negotiateauth entering nsAuthGSSAPI::Init()


Confirmed by running through strace:

$ strace -e "open,openat" icecat 2>&1 |grep -E "gssapi|krb5"

(See results in attachment)

Best regards,

Ignacio

[icecat-strace.log (application/octet-stream, attachment)]

[Message part 6 (message/rfc822, inline)]

From: Mark H Weaver <mhw <at> netris.org>
To: Ignacio  Coterillo <ignacio.coterillo <at> gmail.com>
Cc: 48959-done <at> debbugs.gnu.org
Subject: Re: bug#48959: icecat imcomplete LD_LIBRARY_PATH affecting Kerberos
 authentication
Date: Tue, 15 Jun 2021 05:56:00 -0400

Hi Ignacio,

Ignacio  Coterillo <ignacio.coterillo <at> gmail.com> writes:

> First, I confirm that Kerberos authentication works when running 
> icecat as:
>
>   LD_LIBRARY_PATH=$(guix build mit-krb5)/lib icecat

Thanks.  I just pushed my proposed patch to the master branch, commit
61b904b744c1f16084c79e526837cc7fe73f9b92.  I'm also closing this bug
now, but feel free to reopen it if there are remaining problems.

> Regarding the patch, I actually tried to build the package with those
> exact changes myself before submitting the bug for further testing but
> didn't manage to complete the build.  The build process would go on
> for over a day (most of the time spent in bootstrapping the rust
> inputs) until failing because of lack of disk space.

Hmm.  If you built a recent commit from the 'master' branch of Guix, and
had substitutes enabled, then it should _not_ have tried to build Rust
locally.

My guess is that you didn't pass "--sysconfdir=/etc" to ./configure.
Consequently, the locally-built Guix is looking in /usr/local/etc/guix
for its authorized signing keys, whereas the default configuration of
Guix (as self-built by Guix itself and as installed by our distributed
installers) looks in /etc/guix.  That would explain why the
locally-built Guix is not using substitutes.

I suggest passing "--sysconfdir=/etc" (and "--localstatedir=/var") to
./configure, re-running "make" in your Git checkout, and trying again.
Alternatively, you could copy (using "cp -a") /etc/guix to
/usr/local/etc/guix.

> Is it possible to estimate a priori the amount of space a build would
> require to prevent failures?

No.  However, 80 GB is more than sufficient to build an entire
GNOME-based Guix system plus Rust and IceCat from source code.  I know
this because for several years I've been building my GNOME-based Guix
system locally (with substitutes disabled) on a Thinkpad X200 with 4 GB
of RAM, 8 GB of Swap, and only ~75 GB of disk available for Guix.

If you have a separate /tmp partition, perhaps it is too small.  When
building packages locally, the temporary build directories are put in
/tmp by default.  It's possible to configure 'guix-daemon' to put them
elsewhere, either by passing the TMPDIR environment variable to
'guix-daemon' (if running it by hand), or via the 'tmpdir' field of the
'guix-configuration' by putting something like the following code in the
'services' field of your OS configuration.

--8<---------------cut here---------------start------------->8---
_ (services (cons* …
__________________ (modify-services %desktop-services
____________________ (guix-service-type config =>
_______________________________________ (guix-configuration
_________________________________________ (inherit config)
_________________________________________ (tmpdir "/var/tmp"))))))
--8<---------------cut here---------------end--------------->8---

Please let us know if you continue to have difficulties.

     Regards,
       Mark

-- 
Disinformation flourishes because many people care deeply about injustice
but very few check the facts.  Ask me about <https://stallmansupport.org>.

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.