[Pkg-ganeti-devel] [ganeti] 09/10: Fix Python daemons with GnuTLS >= 3.3
Apollon Oikonomopoulos
apoikos at moszumanska.debian.org
Mon Oct 6 07:17:23 UTC 2014
This is an automated email from the git hooks/post-receive script.
apoikos pushed a commit to branch master
in repository ganeti.
commit 5376ad12d821dbe85e067b3b5b6775b5debc6513
Author: Apollon Oikonomopoulos <apoikos at debian.org>
Date: Mon Oct 6 09:51:45 2014 +0300
Fix Python daemons with GnuTLS >= 3.3
GnuTLS >= 3.3 opens /dev/urandom in an ELF ctor and causes the process
to abort(3) if /dev/urandom is closed and subsequently accessed. We work
our way around this by keeping all FDs referring to /dev/urandom open
during fork().
---
debian/patches/fix-daemon-with-gnutls-3.3 | 59 +++++++++++++++++++++++++++++++
debian/patches/series | 1 +
2 files changed, 60 insertions(+)
diff --git a/debian/patches/fix-daemon-with-gnutls-3.3 b/debian/patches/fix-daemon-with-gnutls-3.3
new file mode 100644
index 0000000..d5d8f5d
--- /dev/null
+++ b/debian/patches/fix-daemon-with-gnutls-3.3
@@ -0,0 +1,59 @@
+commit 49ff7848e8b2f9acda9f231c388fbf06ce9a2bb5
+Author: Apollon Oikonomopoulos <apoikos at gmail.com>
+Date: Sat Oct 4 20:32:21 2014 +0300
+
+ ganeti.daemon: fix daemon mode with GnuTLS >= 3.3
+
+ Newer GnuTLS versions (>= 3.3.0) use a library constructor for
+ initialization and open /dev/urandom on library load time, way before we
+ fork(). Closing /dev/urandom on fork causes subsequent
+ ganeti.http.client requests to cause a failure to re-seed GnuTLS's
+ random number generator, which causes the process to silently abort(3).
+
+ For more background on this behavior, see the thread at the GnuTLS
+ mailing list:
+
+ http://lists.gnupg.org/pipermail/gnutls-help/2014-April/003429.html
+
+ Note that calling pycurl.global_init() at the correct place (as we do)
+ does not cause a re-initialization of the GnuTLS library and does not
+ mitigate the isssue.
+
+ As we cannot reliably detect GnuTLS's socket, we work our way around
+ this by keeping all fds referring to /dev/urandom open. Note that we are
+ using the /proc/self/fd interface, as we need to actually find out where
+ the fd points to.
+
+ This fixes issues #961 and #964.
+
+ Signed-off-by: Apollon Oikonomopoulos <apoikos at gmail.com>
+
+diff --git a/lib/daemon.py b/lib/daemon.py
+index 6cc00a4..a276c52 100644
+--- a/lib/daemon.py
++++ b/lib/daemon.py
+@@ -810,7 +810,23 @@ def GenericMain(daemon_name, optionparser,
+ log_filename = constants.DAEMONS_LOGFILES[daemon_name]
+
+ if options.fork:
+- utils.CloseFDs()
++ # Newer GnuTLS versions (>= 3.3.0) use a library constructor for
++ # initialization and open /dev/urandom on library load time, way before we
++ # fork(). Closing /dev/urandom causes subsequent ganeti.http.client
++ # requests to fail and the process to receive a SIGABRT. As we cannot
++ # reliably detect GnuTLS's socket, we work our way around this by keeping
++ # all fds referring to /dev/urandom open.
++ noclose_fds = []
++ for fd in os.listdir("/proc/self/fd"):
++ try:
++ if os.readlink(os.path.join("/proc/self/fd", fd)) == "/dev/urandom":
++ noclose_fds.append(int(fd))
++ except EnvironmentError:
++ # The fd might have disappeared (although it shouldn't as we're running
++ # single-threaded).
++ continue
++
++ utils.CloseFDs(noclose_fds=noclose_fds)
+ (wpipe, stdio_reopen_fn) = utils.Daemonize(logfile=log_filename)
+ else:
+ (wpipe, stdio_reopen_fn) = (None, None)
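Review bot: the `os.listdir("/proc/self/fd")` call in the `for` header sits outside the `try`, so on a host where procfs is not mounted or /proc is hidden (some chroots and containers) the daemon now dies with an uncaught OSError at startup instead of falling back to the previous `utils.CloseFDs()` behaviour; wrap the listing in its own `try`/`except EnvironmentError` and fall back to an empty `noclose_fds` list so the worst case is the old close-everything path. The comparison `== "/dev/urandom"` is exact, which is fine for the device itself but worth a comment: readlink on a /proc/self/fd entry returns "socket:[...]"/"pipe:[...]" for non-file fds and appends " (deleted)" to unlinked targets. On wording, the comment's "GnuTLS's socket" (and the same phrase in the patch description) should read "GnuTLS's file descriptor", since what is opened is a character device, not a socket, and "isssue" in the description is a typo. Since the file is a backport of upstream commit 49ff7848, a DEP-3 header (Origin: upstream with the commit URL, Bug: for #961/#964) alongside the raw git header would document that for the next maintainer.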
diff --git a/debian/patches/series b/debian/patches/series
index 69cc170..da516cf 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -3,3 +3,4 @@ cfgupgrade12-remove-old-ssconf.patch
0003-Disable-local-checks-during-build.patch
do-not-backup-export-dir.patch
backport-psutil-for-cpu-pinning.patch
+fix-daemon-with-gnutls-3.3
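Review bot: the new entry `fix-daemon-with-gnutls-3.3` is the only one in series without a `.patch` suffix; the neighbouring entries `do-not-backup-export-dir.patch` and `backport-psutil-for-cpu-pinning.patch` (and `cfgupgrade12-remove-old-ssconf.patch` in the hunk header) all carry it. Renaming the file to `fix-daemon-with-gnutls-3.3.patch` keeps debian/patches consistent and lets editors and tooling that key on the extension recognise it as a patch.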
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-ganeti/ganeti.git
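As an added example (not code from ganeti, Debian or GnuTLS), the fd-preserving scan described in the commit message, generalised into a small testable helper. The `/proc/self/fd` walk takes injectable `listdir`/`readlink` so it can be exercised against a constructed fd table; an unreadable procfs degrades to "keep nothing", i.e. the pre-patch close-everything behaviour, instead of raising; and the `" (deleted)"` suffix that Linux appends to the link target of an unlinked file is stripped before comparison. The function names, the log path and the sample fd table are assumptions for illustration, and Linux procfs layout is assumed.

```python
import errno
import os
import resource

PROC_FD_DIR = "/proc/self/fd"      # Linux procfs layout (assumption: Linux)
DELETED_SUFFIX = " (deleted)"      # appended by the kernel to unlinked targets


def find_fds_pointing_to(targets, proc_fd_dir=PROC_FD_DIR,
                         listdir=os.listdir, readlink=os.readlink):
    """Return the sorted fd numbers whose proc_fd_dir/N link resolves to one
    of `targets`, or None when the procfs directory cannot be listed."""
    wanted = set(targets)
    try:
        names = listdir(proc_fd_dir)
    except EnvironmentError:
        return None                 # no procfs: let the caller decide
    found = []
    for name in names:
        try:
            fd = int(name)
        except ValueError:
            continue                # not an fd entry
        try:
            link = readlink(os.path.join(proc_fd_dir, name))
        except EnvironmentError:
            continue                # fd vanished between listdir and readlink
        if link.endswith(DELETED_SUFFIX):
            link = link[:-len(DELETED_SUFFIX)]
        if link in wanted:
            found.append(fd)
    return sorted(found)


def close_fds_except(keep, max_fd, close=os.close):
    """Close every fd in [3, max_fd) that is not in `keep`; return the fds
    actually closed. EBADF (fd not open) is expected and ignored, any other
    error is propagated."""
    keep = set(keep)
    closed = []
    for fd in range(3, max_fd):
        if fd in keep:
            continue
        try:
            close(fd)
        except EnvironmentError as err:
            if err.errno != errno.EBADF:
                raise
            continue
        closed.append(fd)
    return closed


def close_fds_before_fork(protected_paths=("/dev/urandom",)):
    """Pre-fork step a daemon would call: scan once, then close everything
    else. Returns (kept, closed) so the caller can log what happened."""
    kept = find_fds_pointing_to(protected_paths)
    if kept is None:
        kept = []                   # procfs unavailable: plain close-everything
    soft, _hard = resource.getrlimit(resource.RLIMIT_NOFILE)
    max_fd = 1024 if soft == resource.RLIM_INFINITY else soft
    return kept, close_fds_except(kept, max_fd)


# Constructed fd table standing in for a freshly started daemon: a library
# constructor has opened /dev/urandom twice (fds 4 and 5) and a scratch file
# was unlinked while still open (fd 7). Not captured from a real process.
SAMPLE_FD_TABLE = {
    "0": "/dev/null",
    "1": "/var/log/daemon.log",     # hypothetical log path
    "2": "/var/log/daemon.log",
    "3": "socket:[48211]",
    "4": "/dev/urandom",
    "5": "/dev/urandom",
    "6": "pipe:[48290]",
    "7": "/tmp/scratch" + DELETED_SUFFIX,
}


def sample_listdir(_path):
    return list(SAMPLE_FD_TABLE)


def sample_readlink(path):
    return SAMPLE_FD_TABLE[os.path.basename(path)]


def no_procfs_listdir(_path):
    raise OSError(errno.ENOENT, "procfs not mounted")


if __name__ == "__main__":
    # Live check on Linux: an fd we open ourselves must show up in the scan.
    fd = os.open("/dev/urandom", os.O_RDONLY)
    live = find_fds_pointing_to(["/dev/urandom"])
    print("fds on /dev/urandom:", live if live is not None else "no procfs")
    os.close(fd)
```

The order is what matters in a daemon: scan while the process is still single-threaded and before any fd is closed, then close everything not on the keep list, then fork. A read-only fd on /dev/urandom leaks nothing sensitive into the child, so keeping every such fd open is a safe default even when the library that owns it cannot be identified.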