Ubuntu
gce-compute-image-packages package

Incomplete linking with boost_regex

Bug #1798706 reported by Daniel Axtens
18
This bug affects 2 people
Affects Status Importance Assigned to Milestone
gce-compute-image-packages (Ubuntu)
Fix Released
Critical
Daniel Axtens
Trusty
Fix Released
Undecided
Unassigned
Xenial
Fix Released
Undecided
Unassigned

Bug Description

SRU Justification
=================

[Impact]
oslogin fails on Xenial and Trusty.

In auth.log we see:

Oct 17 16:35:59 davecore-oslogin sshd[10073]: PAM unable to dlopen(pam_oslogin_login.so): /lib/security/pam_oslogin_login.so: cannot open shared object file: No such file or directory
Oct 17 16:35:59 davecore-oslogin sshd[10073]: PAM adding faulty module: pam_oslogin_login.so
Oct 17 16:35:59 davecore-oslogin sshd[10073]: PAM unable to dlopen(pam_oslogin_admin.so): /lib/security/pam_oslogin_admin.so: cannot open shared object file: No such file or directory
Oct 17 16:35:59 davecore-oslogin sshd[10073]: PAM adding faulty module: pam_oslogin_admin.so

The error message is a bit deceptive - PAM tries to load the module from the correct location, fails, and then tries the other location where it is missing. It then reports the missing error rather than the real error.

symlink the module into both paths leads to a much more useful error message:

Oct 18 06:45:12 dja-202158 sshd[16554]: PAM unable to dlopen(pam_oslogin_login.so): /lib/security/pam_oslogin_login.so: undefined symbol: _ZN5boost9re_detail12perl_matcherIN9__gnu_cxx17__normal_iteratorIPKcNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEEEESaINS_9sub_matchISC_EEENS_12regex_traitsIcNS_16cpp_regex_traitsIcEEEEE14construct_initERKNS_11basic_regexIcSJ_EENS_15regex_constants12_match_flagsE
Oct 18 06:45:12 dja-202158 sshd[16554]: PAM adding faulty module: pam_oslogin_login.so
Oct 18 06:45:12 dja-202158 sshd[16554]: PAM unable to dlopen(pam_oslogin_admin.so): /lib/security/pam_oslogin_admin.so: undefined symbol: _ZN5boost9re_detail12perl_matcherIN9__gnu_cxx17__normal_iteratorIPKcNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEEEESaINS_9sub_matchISC_EEENS_12regex_traitsIcNS_16cpp_regex_traitsIcEEEEE14construct_initERKNS_11basic_regexIcSJ_EENS_15regex_constants12_match_flagsE

[Test case]
 - set up GCE VM
 - turn on oslogin
 - attempt to log in

[Fix]
debian/patches/0002-Set-LDFLAGS-at-the-end-of-the-c-command-line-right-b.patch re-orders the link flags to link boost_regex for oslogin. However, this didn't change the flags for PAM module linking. So fix that too.

[Regression Potential]
- fixes a regression
- limited to oslogin, and how it is linked.

[Other Notes]
We still see a scary list of warnings when building, but they don't seem to have an impact on the common path:
dpkg-shlibdeps: warning: symbol _ZN5boost9re_detail13put_mem_blockEPv used by debian/google-compute-engine-oslogin/lib/libnss_google-compute-engine-oslogin-1.3.1.so found in none of the libraries
dpkg-shlibdeps: warning: symbol _ZN5boost9re_detail14verify_optionsEjNS_15regex_constants12_match_flagsE used by debian/google-compute-engine-oslogin/lib/libnss_google-compute-engine-oslogin-1.3.1.so found in none of the libraries
dpkg-shlibdeps: warning: symbol _ZNK5boost9re_detail31cpp_regex_traits_implementationIcE17transform_primaryEPKcS4_ used by debian/google-compute-engine-oslogin/lib/libnss_google-compute-engine-oslogin-1.3.1.so found in none of the libraries
dpkg-shlibdeps: warning: symbol _ZN5boost13match_resultsIN9__gnu_cxx17__normal_iteratorIPKcNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEEEESaINS_9sub_matchISB_EEEE12maybe_assignERKSF_ used by debian/google-compute-engine-oslogin/lib/libnss_google-compute-engine-oslogin-1.3.1.so found in none of the libraries
dpkg-shlibdeps: warning: symbol _ZN5boost9re_detail12perl_matcherIN9__gnu_cxx17__normal_iteratorIPKcNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEEEESaINS_9sub_matchISC_EEENS_12regex_traitsIcNS_16cpp_regex_traitsIcEEEEE14construct_initERKNS_11basic_regexIcSJ_EENS_15regex_constants12_match_flagsE used by debian/google-compute-engine-oslogin/lib/libnss_google-compute-engine-oslogin-1.3.1.so found in none of the libraries
dpkg-shlibdeps: warning: symbol _ZN5boost11basic_regexIcNS_12regex_traitsIcNS_16cpp_regex_traitsIcEEEEE9do_assignEPKcS7_j used by debian/google-compute-engine-oslogin/lib/libnss_google-compute-engine-oslogin-1.3.1.so found in none of the libraries
dpkg-shlibdeps: warning: symbol _ZN5boost9re_detail19raise_runtime_errorERKSt13runtime_error used by debian/google-compute-engine-oslogin/lib/libnss_google-compute-engine-oslogin-1.3.1.so found in none of the libraries
dpkg-shlibdeps: warning: symbol _ZNK5boost9re_detail31cpp_regex_traits_implementationIcE9transformEPKcS4_ used by debian/google-compute-engine-oslogin/lib/libnss_google-compute-engine-oslogin-1.3.1.so found in none of the libraries
dpkg-shlibdeps: warning: symbol _ZN5boost9re_detail24get_default_error_stringENS_15regex_constants10error_typeE used by debian/google-compute-engine-oslogin/lib/libnss_google-compute-engine-oslogin-1.3.1.so found in none of the libraries
dpkg-shlibdeps: warning: symbol _ZN5boost9re_detail13get_mem_blockEv used by debian/google-compute-engine-oslogin/lib/libnss_google-compute-engine-oslogin-1.3.1.so found in none of the libraries

Related branches

~daxtens/ubuntu/+source/gce-compute-image-packages:trusty-pam-ldflags-1798706
Thomas Ward (community): Approve
Balint Reczey (community): Approve
Andreas Hasenack: Abstain
Diff: 51 lines (+29/-0)
3 files modified
debian/changelog (+8/-0)
debian/patches/series (+1/-0)
debian/patches/set-LDFLAGS-for-PAM.patch (+20/-0)
~daxtens/ubuntu/+source/gce-compute-image-packages:xenial-pam-ldflags-1798706
Thomas Ward (community): Approve
Andreas Hasenack: Abstain
Balint Reczey (community): Approve
Diff: 51 lines (+29/-0)
3 files modified
debian/changelog (+8/-0)
debian/patches/series (+1/-0)
debian/patches/set-LDFLAGS-for-PAM.patch (+20/-0)
Revision history for this message
Daniel Axtens (daxtens) wrote :
Changed in linux (Ubuntu):
status: Confirmed → In Progress
Daniel Axtens (daxtens)
tags: added: sts
Ubuntu Foundations Team Bug Bot (crichton)
tags: added: patch
Balint Reczey (rbalint)
affects: linux (Ubuntu) → gce-compute-image-packages (Ubuntu)
Revision history for this message
Timo Aaltonen (tjaalton) wrote : Please test proposed package

Hello Daniel, or anyone else affected,

Accepted gce-compute-image-packages into trusty-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/gce-compute-image-packages/20180905+dfsg1-0ubuntu1~14.04.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-trusty to verification-done-trusty. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-trusty. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in gce-compute-image-packages (Ubuntu Trusty):
status: New → Fix Committed
tags: added: verification-needed verification-needed-trusty
Changed in gce-compute-image-packages (Ubuntu Xenial):
status: New → Fix Committed
tags: added: verification-needed-xenial
Revision history for this message
Timo Aaltonen (tjaalton) wrote :

Hello Daniel, or anyone else affected,

Accepted gce-compute-image-packages into xenial-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/gce-compute-image-packages/20180905+dfsg1-0ubuntu1~16.04.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-xenial to verification-done-xenial. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-xenial. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Revision history for this message
Daniel Axtens (daxtens) wrote :

Hi,

For Xenial:

daniel_axtens_canonical_com@dja-202158:~$ sudo apt install google-compute-engine-oslogin=20180905+dfsg1-0ubuntu1~16.04.1
...
Get:1 http://au.archive.ubuntu.com/ubuntu xenial-proposed/universe amd64 google-compute-engine-oslogin amd64 20180905+dfsg1-0ubuntu1~16.04.1 [76.7 kB]
...
Unpacking google-compute-engine-oslogin (20180905+dfsg1-0ubuntu1~16.04.1) over (20180510+dfsg1-0ubuntu3~16.04.1) ...
Processing triggers for libc-bin (2.23-0ubuntu10) ...
Setting up google-compute-engine-oslogin (20180905+dfsg1-0ubuntu1~16.04.1) ...
Processing triggers for libc-bin (2.23-0ubuntu10) ...
daniel_axtens_canonical_com@dja-202158:~$ logout
Connection to 35.189.60.142 closed.

$ gcloud compute --project "ubuntu-os-support" ssh --zone "australia-southeast1-b" "dja-202158"
WARNING: Using OS Login user [daniel_axtens_canonical_com] instead of default user [dja]
Welcome to Ubuntu 16.04.5 LTS (GNU/Linux 4.15.0-1021-gcp x86_64)

---> Xenial verification succeeds.

For Trusty:

dja@dja-trusty:~$ sudo apt install google-compute-engine-oslogin/trusty-proposed
Reading package lists... Done
Building dependency tree
Reading state information... Done
Selected version '20180905+dfsg1-0ubuntu1~14.04.1' (Ubuntu:14.04/trusty-proposed [amd64]) for 'google-compute-engine-oslogin'
...

$ gcloud compute instances add-metadata --project "ubuntu-os-support" --zone "australia-southeast1-b" "dja-trusty" --metadata enable-oslogin=TRUE
Updated [https://www.googleapis.com/compute/v1/projects/ubuntu-os-support/zones/australia-southeast1-b/instances/dja-trusty].

$ gcloud compute --project "ubuntu-os-support" ssh --zone "australia-southeast1-b" "dja-trusty"
WARNING: Using OS Login user [daniel_axtens_canonical_com] instead of default user [dja]
Welcome to Ubuntu 14.04.5 LTS (GNU/Linux 4.4.0-137-generic x86_64)

---> Trusty verification succeeds.

Regards,
Daniel

tags: added: verification-done-trusty verification-done-xenial
removed: verification-needed-trusty verification-needed-xenial
Francis Ginther (fginther)
tags: added: id-5bc9b862a6ff8a053b9d2fce
Balint Reczey (rbalint)
tags: added: verification-done
removed: verification-needed
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package gce-compute-image-packages - 20180905+dfsg1-0ubuntu1~14.04.1

---------------
gce-compute-image-packages (20180905+dfsg1-0ubuntu1~14.04.1) trusty; urgency=medium

  * debian/patches/set-LDFLAGS-for-PAM.patch: Fix missing symbols
    when using oslogin due to misording of the boost regex library
    in linking the PAM modules. (LP: #1798706)

gce-compute-image-packages (20180905+dfsg1-0ubuntu1~14.04.0) trusty; urgency=medium

  * Backport to Trusty
    - Revert ordering shutdown scripts after snapd.service.
    - Revert adding /snap/bin to PATH for startup/shutdown scripts
    - Revert to using dh-systemd because Xenial does not have the debhelper
  * Revert "Build depend on debhelper (>= 9.20160709) instead of on dh-systemd"
    This reverts commit 1afdbde3f27ab4d1712b1a0d4cc14df3a0528bdc.
    Xenial does not have that debhelper version thus dh-systemd is needed there.
  * Build-depend on libboost-regex-dev for regex support
  * Choose std:: or boost:: regex based on support for C++11
  * Set LDFLAGS at the end of the the c++ command line right before libs.
    This fixes passig additional libs to make, namely -lboost_regex
  * Link with boost for regex support
  * Free tests from C++11 constructs to let them being compiled without C++11 support

gce-compute-image-packages (20180905+dfsg1-0ubuntu1) cosmic; urgency=medium

  [ Balint Reczey ]
  * New upstream version 20180905+dfsg1 (LP: #1792466)
    - Restart the network daemon if networking is restarted.
    - Prevent setup of the default ethernet interface.
    - Accounts daemon can now verify username is 32 characters or less.
    - Prevent IP forwarding daemon log spam.
    - Make default shell configurable when executing metadata scripts.
    - Rename distro directory to distro_lib.
  * debian/control: Update Vcs-* fields to point to the new packaging repository
  * Update shared library symlinks
  * Drop 0001-Adjust-tests-to-changed-LoadJsonArrayToCache-behavio.patch,
    it is integrated upstream
  * Build depend on debhelper (>= 9.20160709) instead of on dh-systemd
    to keep Lintian happy.

  [ Google Cloud Team ]
  * Remove NTP dependency from packaging

gce-compute-image-packages (20180510+dfsg1-0ubuntu5) cosmic; urgency=medium

  * Depend on the same version of google-compute-engine-oslogin
  * Only Recommend rsyslog | system-log-daemon (LP: #1780109)

gce-compute-image-packages (20180510+dfsg1-0ubuntu4) cosmic; urgency=medium

  * debian/patches/0004-order-shutdown-scripts-after-snapd.patch: Order
    shutdown scripts after snapd.service.
  * debian/patches/0005-add-snap-bin-to-path.patch: Add /snap/bin to
    PATH for startup/shutdown scripts.

 -- Daniel Axtens <email address hidden> Fri, 19 Oct 2018 12:41:42 +1100

Changed in gce-compute-image-packages (Ubuntu Trusty):
status: Fix Committed → Fix Released
Revision history for this message
Adam Conrad (adconrad) wrote : Update Released

The verification of the Stable Release Update for gce-compute-image-packages has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package gce-compute-image-packages - 20180905+dfsg1-0ubuntu1~16.04.1

---------------
gce-compute-image-packages (20180905+dfsg1-0ubuntu1~16.04.1) xenial; urgency=medium

  * debian/patches/set-LDFLAGS-for-PAM.patch: Fix missing symbols
    when using oslogin due to misording of the boost regex library
    in linking the PAM modules. (LP: #1798706)

gce-compute-image-packages (20180905+dfsg1-0ubuntu1~16.04.0) xenial; urgency=medium

  * Backport to Xenial
    - Revert ordering shutdown scripts after snapd.service.
    - Revert adding /snap/bin to PATH for startup/shutdown scripts
    - Revert to using dh-systemd because Xenial does not have the debhelper
  * Build-depend on libboost-regex-dev for regex support
    version making dh-systemd obsolete
  * Choose std:: or boost:: regex based on support for C++11
  * Set LDFLAGS at the end of the the c++ command line right before libs.
    This fixes passig additional libs to make, namely -lboost_regex
  * Link with boost for regex support
  * Free tests from C++11 constructs to let them being compiled without
    C++11 support

gce-compute-image-packages (20180905+dfsg1-0ubuntu1) cosmic; urgency=medium

  [ Balint Reczey ]
  * New upstream version 20180905+dfsg1 (LP: #1792466)
    - Restart the network daemon if networking is restarted.
    - Prevent setup of the default ethernet interface.
    - Accounts daemon can now verify username is 32 characters or less.
    - Prevent IP forwarding daemon log spam.
    - Make default shell configurable when executing metadata scripts.
    - Rename distro directory to distro_lib.
  * debian/control: Update Vcs-* fields to point to the new packaging repository
  * Update shared library symlinks
  * Drop 0001-Adjust-tests-to-changed-LoadJsonArrayToCache-behavio.patch,
    it is integrated upstream
  * Build depend on debhelper (>= 9.20160709) instead of on dh-systemd
    to keep Lintian happy.

  [ Google Cloud Team ]
  * Remove NTP dependency from packaging

gce-compute-image-packages (20180510+dfsg1-0ubuntu5) cosmic; urgency=medium

  * Depend on the same version of google-compute-engine-oslogin
  * Only Recommend rsyslog | system-log-daemon (LP: #1780109)

gce-compute-image-packages (20180510+dfsg1-0ubuntu4) cosmic; urgency=medium

  * debian/patches/0004-order-shutdown-scripts-after-snapd.patch: Order
    shutdown scripts after snapd.service.
  * debian/patches/0005-add-snap-bin-to-path.patch: Add /snap/bin to
    PATH for startup/shutdown scripts.

 -- Daniel Axtens <email address hidden> Fri, 19 Oct 2018 12:35:45 +1100

Changed in gce-compute-image-packages (Ubuntu Xenial):
status: Fix Committed → Fix Released
Revision history for this message
Ubuntu Foundations Team Bug Bot (crichton) wrote :

The attachment "set-LDFLAGS-for-PAM.patch" seems to be a patch. If it isn't, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are a member of the ~ubuntu-reviewers, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issues please contact him.]

Francis Ginther (fginther)
tags: added: id-5bce0e6bdfc4204c892f4324
Revision history for this message
Balint Reczey (rbalint) wrote :

Bionic and later releases don't need the boost regex library thus this bug does not affect the latest releases.

Changed in gce-compute-image-packages (Ubuntu):
status: In Progress → Fix Released
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.