Hacking NSS: Difference between revisions

From Libreswan
Jump to navigation Jump to search
(updates)
(working process on f32)
Line 13: Line 13:
Below are notes on building the latest Fedora RPM on the build machine.   
Below are notes on building the latest Fedora RPM on the build machine.   


=== Build Custom NSS RPM ===
=== Build Custom NSS RPM ... ===


==== ... using <tt>fedpkg local</tt> and the build machine ====
==== ... using <tt>fedpkg local</tt> and a KVM ====


on the build machine:
Here, we use the <tt>build</tt> machine (it has lots of memory and network access) and the 9p mounted directory <tt>/pool</tt> (aka <tt>$(KVM_POOLDIR)</tt>, but /testing and /root should also work).  Just remember that any changes to build aren't permanent, we'll get to that later.
 
First lets set things up:
  $ ./kvm sh build
  $ ./kvm sh build
pick somewhere to build (here I'm using /pool aka KVM_POOLDIR, but /testing and /root should all work), then get fedpkg and use that to download:
build# cd /pool
# cd /pool
  build# dnf install -y fedpkg
  # dnf install -y fedpkg
  build# cat /etc/fedora-release
  # fedpkg clone --anonymous nss
  Fedora release 32 (Thirty Two)
  # cd nss
build# fedpkg clone --branch f32 --anonymous nss
In theory, all that's left is install the dependencies and kick off the build.  Unfortunately, not so easy:
  build# cd nss
# disable tests (so --without tests isn't needed)
  build# dnf builddep nss
# fix %[expr] which seems to be new
 
# tone down optimization
Next is to hack <tt>xmlto</tt> so that it doesn't try to preserve permissions when copying files within the 9p file system (remember, <tt>./kvm uninstall install</tt> will wipe this):
# screw around with compiler flags
  build# sed -i -e 's/ -p / /' \
# ignore xmlto's exit code
    /usr/share/xmlto/format/docbook/man \
here's a diff:
    /usr/share/xmlto/format/docbook/html
diff --git a/nss.spec b/nss.spec
 
index e373644..230f794 100644
optionally, hobble tests during the build:
--- a/nss.spec
  build# sed -i -e 's/bcond_without tests/bcond_with tests/' nss.spec
  +++ b/nss.spec
  @@ -9,3 +9,3 @@
  # release number between nss and nspr are different.
-%global nspr_release %[%baserelease+2]
+%global nspr_release 3
  # only need to update this as we added new
@@ -19,3 +19,3 @@
 
-%bcond_without tests
+%bcond_with tests
  %bcond_with dbm
@@ -347,3 +347,3 @@ done
  for m in nspr-config.xml; do
  -  xmlto man ${m}
+  xmlto man ${m} || true
  done
@@ -370,7 +370,7 @@ export NSS_FORCE_FIPS=1
  # Enable compiler optimizations and disable debugging code
-export BUILD_OPT=1
+export BUILD_OPT=0
 
-# Uncomment to disable optimizations
-#RPM_OPT_FLAGS=`echo $RPM_OPT_FLAGS | sed -e 's/-O2/-O0/g'`
-#export RPM_OPT_FLAGS
  +# Tone down optimization to make debugging more meaningful
+RPM_OPT_FLAGS=`echo $RPM_OPT_FLAGS | sed -e 's/-O2/-O1/g'`
+export RPM_OPT_FLAGS
 
@@ -386,3 +386,3 @@ export XCFLAGS="$XCFLAGS -Wno-error=maybe-uninitialized"
  # Similarly, but for gcc-11
-export XCFLAGS="$XCFLAGS -Wno-array-parameter"
+# export XCFLAGS="$XCFLAGS -Wno-array-parameter"
 
@@ -528,3 +528,3 @@ done
  for m in %{configFiles}  %{dbfiles}; do
-  xmlto man ${m}.xml
+  xmlto man ${m}.xml || true
  done
@@ -552,3 +552,3 @@ export FREEBL_NO_DEPEND=1
 
-export BUILD_OPT=1
+export BUILD_OPT=0
  export NSS_DISABLE_PPC_GHASH=1


continuing, pull in the dependencies and build (something better?):
finally build (something better?):
  # dnf builddep nss
  build# fedpkg local --without tests:
# fedpkg local --without tests:
or:
(or <tt>fedpkg prep --without tests; fedpkg compile --short-circuit --without tests</tt>).
build# fedpkg prep --without tests
build# fedpkg compile --short-circuit --without tests


==== ... using <tt>fedpkg mock</tt> and the Fedora host ====
==== ... using <tt>fedpkg mock</tt> and the Fedora host ====

Revision as of 19:26, 27 October 2021

Using NSS from Pluto

use lsw_nss_error*() to report errors

It includes both the error symbol name and the error message (the former is really useful when reading the code^D^D^D^D documentation when tracking down why the error was returned).

Debugging NSS

Linking libreswan against a custom NSS build

Building and Installing a Custom NSS RPMs

Below are notes on building the latest Fedora RPM on the build machine.

Build Custom NSS RPM ...

... using fedpkg local and a KVM

Here, we use the build machine (it has lots of memory and network access) and the 9p mounted directory /pool (aka $(KVM_POOLDIR), but /testing and /root should also work). Just remember that any changes to build aren't permanent, we'll get to that later.

First lets set things up:

$ ./kvm sh build
build# cd /pool
build# dnf install -y fedpkg
build# cat /etc/fedora-release
Fedora release 32 (Thirty Two)
build# fedpkg clone --branch f32 --anonymous nss
build# cd nss
build# dnf builddep nss

Next is to hack xmlto so that it doesn't try to preserve permissions when copying files within the 9p file system (remember, ./kvm uninstall install will wipe this):

build# sed -i -e 's/ -p / /' \
   /usr/share/xmlto/format/docbook/man \
   /usr/share/xmlto/format/docbook/html

optionally, hobble tests during the build:

build# sed -i -e 's/bcond_without tests/bcond_with tests/' nss.spec

finally build (something better?):

build# fedpkg local --without tests:

or:

build# fedpkg prep --without tests
build# fedpkg compile --short-circuit --without tests

... using fedpkg mock and the Fedora host

Hmm, something goes here!

fedpkg mock-config
fedpkg mockbuild

Making the Custom NSS RPs Stick

Distribute Custom NSS RPMs

For legal reasons, tar up both the .rpm and .srpm files into a single archive and make that available - it forces whoever is using the RPMs to also download the sources.