Uploaded image for project: 'Lustre'
  1. Lustre
  2. LU-17226

l_getsepol does not build due to not requiring openssl-devel

Details

    • Bug
    • Resolution: Fixed
    • Minor
    • Lustre 2.16.0, Lustre 2.15.5
    • Lustre 2.15.3
    • llnl build farm

      lustre 2.15.3_3.llnl
    • 3
    • 9223372036854775807

    Description

      The l_getsepol utility does not build in our buildfarm because openssl-devel is not installed. The only "BuildRequires: openssl-devel" is for "with gss" and we aren't using gss.

      Attachments

        Issue Links

          Activity

            [LU-17226] l_getsepol does not build due to not requiring openssl-devel

            "Oleg Drokin <green@whamcloud.com>" merged in patch https://review.whamcloud.com/c/fs/lustre-release/+/54190/
            Subject: LU-17226 build: create config option for l_getsepol
            Project: fs/lustre-release
            Branch: b2_15
            Current Patch Set:
            Commit: e12e831794cd172ba687567b7b50548740d83b49

            gerrit Gerrit Updater added a comment - "Oleg Drokin <green@whamcloud.com>" merged in patch https://review.whamcloud.com/c/fs/lustre-release/+/54190/ Subject: LU-17226 build: create config option for l_getsepol Project: fs/lustre-release Branch: b2_15 Current Patch Set: Commit: e12e831794cd172ba687567b7b50548740d83b49

            Can we get a second review on the b2_15 backport this week if possible? Thanks!

            defazio Gian-Carlo Defazio added a comment - Can we get a second review on the b2_15 backport this week if possible? Thanks!

            "Gian-Carlo DeFazio <defazio1@llnl.gov>" uploaded a new patch: https://review.whamcloud.com/c/fs/lustre-release/+/54190
            Subject: LU-17226 build: create config option for l_getsepol
            Project: fs/lustre-release
            Branch: b2_15
            Current Patch Set: 1
            Commit: 2c3e803bea474fc141702925e6c846e709fc2323

            gerrit Gerrit Updater added a comment - "Gian-Carlo DeFazio <defazio1@llnl.gov>" uploaded a new patch: https://review.whamcloud.com/c/fs/lustre-release/+/54190 Subject: LU-17226 build: create config option for l_getsepol Project: fs/lustre-release Branch: b2_15 Current Patch Set: 1 Commit: 2c3e803bea474fc141702925e6c846e709fc2323
            pjones Peter Jones added a comment -

            Landed for 2.16

            pjones Peter Jones added a comment - Landed for 2.16

            "Oleg Drokin <green@whamcloud.com>" merged in patch https://review.whamcloud.com/c/fs/lustre-release/+/52849/
            Subject: LU-17226 build: create config option for l_getsepol
            Project: fs/lustre-release
            Branch: master
            Current Patch Set:
            Commit: 2777adcabd1032ddb886f913fa04d82a292ab379

            gerrit Gerrit Updater added a comment - "Oleg Drokin <green@whamcloud.com>" merged in patch https://review.whamcloud.com/c/fs/lustre-release/+/52849/ Subject: LU-17226 build: create config option for l_getsepol Project: fs/lustre-release Branch: master Current Patch Set: Commit: 2777adcabd1032ddb886f913fa04d82a292ab379

            "Gian-Carlo DeFazio <defazio1@llnl.gov>" uploaded a new patch: https://review.whamcloud.com/c/fs/lustre-release/+/52849
            Subject: LU-17226 build: create config option for l_getsepol
            Project: fs/lustre-release
            Branch: master
            Current Patch Set: 1
            Commit: deddcb57ab27ba7fb4b961ce0aa51db7f1129612

            gerrit Gerrit Updater added a comment - "Gian-Carlo DeFazio <defazio1@llnl.gov>" uploaded a new patch: https://review.whamcloud.com/c/fs/lustre-release/+/52849 Subject: LU-17226 build: create config option for l_getsepol Project: fs/lustre-release Branch: master Current Patch Set: 1 Commit: deddcb57ab27ba7fb4b961ce0aa51db7f1129612

            Yes, good point Olaf.

            There is currently no config flag to disable l_getsepol build. Would that help with "mock", if we build l_getsepol by default but give the ability to disable via --disable-l_getsepol or something?

            Otherwise we can add openssl-devel to the BuildRequires as default, if it is not a too strong requirement.

            Thanks!

            sebastien Sebastien Buisson added a comment - Yes, good point Olaf. There is currently no config flag to disable l_getsepol build. Would that help with "mock", if we build l_getsepol by default but give the ability to disable via --disable-l_getsepol or something? Otherwise we can add openssl-devel to the BuildRequires as default, if it is not a too strong requirement. Thanks!
            ofaaland Olaf Faaland added a comment -

            > So maybe the most suitable fix could be to improve the config check so that we simply do not build l_getsepol if openssl-devel is not available.

            I believe this is what is currently implemented. But this contradicts the way "mock" (the build tool used by fedora, redhat, and others) work. It extracts BuildRequires from the spec file and installs the named packages in the build environment, and then performs the build. This then provides verification that the actual build requirements and the advertised build requirements are consistent.

            > This binary is not strictly required to be able to run a Lustre client with SELinux enabled, it is only needed if 'send_sepol' is explicitly activated (it is off by default).

            If there is a config flag to enable the builder to separately decide whether or not to build l_getsepol (I'm guessing not)? If not, then shouldn't we always require openssm to be consistent with that?

            ofaaland Olaf Faaland added a comment - > So maybe the most suitable fix could be to improve the config check so that we simply do not build l_getsepol if openssl-devel is not available. I believe this is what is currently implemented. But this contradicts the way "mock" (the build tool used by fedora, redhat, and others) work. It extracts BuildRequires from the spec file and installs the named packages in the build environment, and then performs the build. This then provides verification that the actual build requirements and the advertised build requirements are consistent. > This binary is not strictly required to be able to run a Lustre client with SELinux enabled, it is only needed if 'send_sepol' is explicitly activated (it is off by default). If there is a config flag to enable the builder to separately decide whether or not to build l_getsepol (I'm guessing not)? If not, then shouldn't we always require openssm to be consistent with that?

            Today we have this in the .spec file for the lustre (or lustre-client) package:

            %if %{with gss}
            BuildRequires: krb5-devel openssl-devel
            %endif
            %if "%{_vendor}" == "redhat" || "%{_vendor}" == "fedora" || "%{_vendor}" == "openEuler"
            #suse don't support selinux
            BuildRequires: pkgconfig(libselinux)
            %endif
            

            So we already have a require on libselinux, but indeed a require on openssl-devel only for "with gss".

            I think it could be too strong to require openssl-devel in all cases.
            So maybe the most suitable fix could be to improve the config check so that we simply do not build l_getsepol if openssl-devel is not available. This binary is not strictly required to be able to run a Lustre client with SELinux enabled, it is only needed if 'send_sepol' is explicitly activated (it is off by default).

            sebastien Sebastien Buisson added a comment - Today we have this in the .spec file for the lustre (or lustre-client ) package: %if %{with gss} BuildRequires: krb5-devel openssl-devel %endif %if "%{_vendor}" == "redhat" || "%{_vendor}" == "fedora" || "%{_vendor}" == "openEuler" #suse don't support selinux BuildRequires: pkgconfig(libselinux) %endif So we already have a require on libselinux, but indeed a require on openssl-devel only for "with gss". I think it could be too strong to require openssl-devel in all cases. So maybe the most suitable fix could be to improve the config check so that we simply do not build l_getsepol if openssl-devel is not available. This binary is not strictly required to be able to run a Lustre client with SELinux enabled, it is only needed if 'send_sepol' is explicitly activated (it is off by default).
            pjones Peter Jones added a comment -

            Sébastien

            What do you advise here?

            Peter

            pjones Peter Jones added a comment - Sébastien What do you advise here? Peter

            People

              sebastien Sebastien Buisson
              defazio Gian-Carlo Defazio
              Votes:
              0 Vote for this issue
              Watchers:
              6 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: