GNU bug report logs - #48959
icecat incomplete LD_LIBRARY_PATH affecting Kerberos authentication


Package: guix

Reported by: Ignacio Coterillo <ignacio.coterillo <at> gmail.com>

Date: Fri, 11 Jun 2021 14:58:02 UTC

Severity: normal

Done: Mark H Weaver <mhw <at> netris.org>

Bug is archived. No further changes may be made.


From: help-debbugs <at> gnu.org (GNU bug Tracking System)
To: Ignacio  Coterillo <ignacio.coterillo <at> gmail.com>
Subject: bug#48959: closed (Re: bug#48959: icecat incomplete
 LD_LIBRARY_PATH affecting Kerberos authentication)
Date: Tue, 15 Jun 2021 09:58:01 +0000
[Message part 1 (text/plain, inline)]
Your bug report

#48959: icecat incomplete LD_LIBRARY_PATH affecting Kerberos authentication

which was filed against the guix package, has been closed.

The explanation is attached below, along with your original report.
If you require more details, please reply to 48959 <at> debbugs.gnu.org.

-- 
48959: http://debbugs.gnu.org/cgi/bugreport.cgi?bug=48959
GNU Bug Tracking System
Contact help-debbugs <at> gnu.org with problems
[Message part 2 (message/rfc822, inline)]
From: Mark H Weaver <mhw <at> netris.org>
To: Ignacio  Coterillo <ignacio.coterillo <at> gmail.com>
Cc: 48959-done <at> debbugs.gnu.org
Subject: Re: bug#48959: icecat incomplete LD_LIBRARY_PATH affecting Kerberos
 authentication
Date: Tue, 15 Jun 2021 05:56:00 -0400
Hi Ignacio,

Ignacio  Coterillo <ignacio.coterillo <at> gmail.com> writes:

> First, I confirm that Kerberos authentication works when running 
> icecat as:
>
>   LD_LIBRARY_PATH=$(guix build mit-krb5)/lib icecat

Thanks.  I just pushed my proposed patch to the master branch, commit
61b904b744c1f16084c79e526837cc7fe73f9b92.  I'm also closing this bug
now, but feel free to reopen it if there are remaining problems.

> Regarding the patch, I actually tried to build the package with those
> exact changes myself before submitting the bug for further testing but
> didn't manage to complete the build.  The build process would go on
> for over a day (most of the time spent in bootstrapping the rust
> inputs) until failing because of lack of disk space.

Hmm.  If you built a recent commit from the 'master' branch of Guix, and
had substitutes enabled, then it should _not_ have tried to build Rust
locally.

My guess is that you didn't pass "--sysconfdir=/etc" to ./configure.
Consequently, the locally-built Guix is looking in /usr/local/etc/guix
for its authorized signing keys, whereas the default configuration of
Guix (as self-built by Guix itself and as installed by our distributed
installers) looks in /etc/guix.  That would explain why the
locally-built Guix is not using substitutes.

I suggest passing "--sysconfdir=/etc" (and "--localstatedir=/var") to
./configure, re-running "make" in your Git checkout, and trying again.
Alternatively, you could copy (using "cp -a") /etc/guix to
/usr/local/etc/guix.

> Is it possible to estimate a priori the amount of space a build would
> require to prevent failures?

No.  However, 80 GB is more than sufficient to build an entire
GNOME-based Guix system plus Rust and IceCat from source code.  I know
this because for several years I've been building my GNOME-based Guix
system locally (with substitutes disabled) on a Thinkpad X200 with 4 GB
of RAM, 8 GB of Swap, and only ~75 GB of disk available for Guix.

If you have a separate /tmp partition, perhaps it is too small.  When
building packages locally, the temporary build directories are put in
/tmp by default.  It's possible to configure 'guix-daemon' to put them
elsewhere, either by passing the TMPDIR environment variable to
'guix-daemon' (if running it by hand), or via the 'tmpdir' field of the
'guix-configuration' by putting something like the following code in the
'services' field of your OS configuration.

--8<---------------cut here---------------start------------->8---
  (services (cons* …
                   (modify-services %desktop-services
                     (guix-service-type config =>
                                        (guix-configuration
                                          (inherit config)
                                          (tmpdir "/var/tmp"))))))
--8<---------------cut here---------------end--------------->8---

Please let us know if you continue to have difficulties.

     Regards,
       Mark

-- 
Disinformation flourishes because many people care deeply about injustice
but very few check the facts.  Ask me about <https://stallmansupport.org>.

[Message part 3 (message/rfc822, inline)]
From: Ignacio  Coterillo <ignacio.coterillo <at> gmail.com>
To: bug-guix <at> gnu.org
Subject: icecat incomplete LD_LIBRARY_PATH affecting Kerberos authentication
Date: Fri, 11 Jun 2021 13:21:02 +0200
[Message part 4 (text/html, inline)]
[Message part 5 (text/plain, inline)]
Hello,

[Summary]
- The icecat package doesn't correctly set the LD_LIBRARY_PATH
variable during the wrap-program build stage to include mit-krb5 libraries,
so Kerberos authentication fails as the libraries are not found at runtime.

[Details]
Execution logs obtained by running icecat with the following setup:

$ export NSPR_LOG_FILE=icecat
$ export NSPR_LOG_MODULES=negotiateauth:5
$ icecat

icecat.moz_log:
------------------------------------------------------------------------
[Parent 30197: Main Thread]: D/negotiateauth entering nsAuthGSSAPI::nsAuthGSSAPI()
[Parent 30197: Main Thread]: D/negotiateauth Fail to load gssapi library
[Parent 30197: Main Thread]: D/negotiateauth entering nsAuthGSSAPI::Init()


Confirmed by running through strace:

$ strace -e "open,openat" icecat 2>&1 |grep -E "gssapi|krb5"

(See results in attachment)

Best regards,

Ignacio

[icecat-strace.log (application/octet-stream, attachment)]
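
The strace check described in the report can be summarised per library. The following is an added example, not part of the original report or of Guix: it reads `strace -e open,openat` output and reports, for each gssapi/krb5 library, whether any open attempt succeeded. The function names and the sample trace (with placeholder `HASH` store paths) are constructed for illustration and are not the contents of the attachment.

```shell
#!/bin/sh
# Added example: summarise strace open/openat attempts per gssapi/krb5 library.

# Constructed sample trace; HASH stands in for real store hashes, and the
# lines deliberately mix both outcomes to exercise the summary.
sample_trace() {
cat <<'EOF'
openat(AT_FDCWD, "/gnu/store/HASH-icecat/lib/icecat/libgssapi_krb5.so.2", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/gnu/store/HASH-glibc/lib/libgssapi_krb5.so.2", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/gnu/store/HASH-icecat/lib/icecat/libkrb5.so.3", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/gnu/store/HASH-mit-krb5/lib/libkrb5.so.3", O_RDONLY|O_CLOEXEC) = 7
EOF
}

# Read strace output on stdin. For each library whose file name contains
# "gssapi" or "krb5", print either
#   FOUND <lib> <first path opened successfully>
#   MISSING <lib> <number of failed attempts>
lib_status() {
  awk -F'"' '
    /^(\[pid +[0-9]+\] )?open(at)?\(/ {
      # $2 is the quoted path; keep only its last component.
      n = split($2, parts, "/"); lib = parts[n]
      if (lib !~ /gssapi|krb5/) next
      if (!(lib in tries)) order[++count] = lib
      tries[lib]++
      # $3 ends in the return value: "= 7" on success, "= -1 ENOENT (...)" on failure.
      if ($3 ~ /= [0-9]+$/ && !(lib in found)) found[lib] = $2
    }
    END {
      for (i = 1; i <= count; i++) {
        lib = order[i]
        if (lib in found) print "FOUND", lib, found[lib]
        else print "MISSING", lib, tries[lib]
      }
    }'
}

sample_trace | lib_status
```

On a real system the function takes the trace directly, for example `strace -e open,openat icecat 2>&1 | lib_status`; a `MISSING` line for a GSSAPI library is the condition behind the "Fail to load gssapi library" log entry.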

This bug report was last modified 3 years and 344 days ago.
