Libreswan on Debian Wheezy: Difference between revisions
No edit summary |
Tuomo Soini (talk | contribs) No edit summary |
||
(33 intermediate revisions by 3 users not shown) | |||
Line 1: | Line 1: | ||
= Executive Summary = | |||
You need 3 workarounds on Wheezy | <pre> | ||
# enable workarounds and compile: | |||
echo USE_GLIBC_KERN_FLIP_HEADERS=true >> Makefile.inc.local | |||
echo "USE_SYSTEMD_WATCHDOG=false" >> Makefile.inc.local | |||
echo "USE_DNSSEC=false" >> Makefile.inc.local | |||
echo "USE_NIC_OFFLOAD=false" >> Makefile.inc.local | |||
make deb | |||
</pre> | |||
= Details about the issues of libreswan on Debian Wheezy = | |||
You need 3 workarounds to compile on Debian Wheezy. The workaround #1 is very specific to Wheezy (libc < 2.19 and kernel < 3.12). Later distributions fixed issues #1 and #2. #3 is because libunbound is too old. | |||
== conflict between netinet/in.h and linux/in6.h == | == conflict between netinet/in.h and linux/in6.h == | ||
It got worse by commit 07a01d3 to xfrm.in in libreswan. The issue has a long history. It is partly due to UAPI ABI out of sync and partly due to updating local copy of xfrm.h with commit 07a01d3 while supporting nic-offload for | It got worse by commit 07a01d3 to xfrm.in in libreswan. The issue has a long history. It is partly due to UAPI ABI out of sync and partly due to updating local copy of xfrm.h with commit 07a01d3 while supporting nic-offload for Mellanox cards. We could have worked around 07a01d3, however, it was easy to keep xfrm.h in sync with kernel UAPI copy 4.12 which seemed to work in most cases(glibc 2.19+ kernel 3.12+); except Wheezy! | ||
<pre> | <pre> | ||
Line 34: | Line 44: | ||
</pre> | </pre> | ||
=== Workaround : | === Workaround : enable header files workaround === | ||
<pre> | <pre> | ||
echo USE_GLIBC_KERN_FLIP_HEADERS=true >> Makefile.inc.local | |||
</pre> | </pre> | ||
=== Details about the conflict === | === Details about the conflict === | ||
Line 49: | Line 57: | ||
</pre> | </pre> | ||
===== Why not commit this | ===== Why not commit this ===== | ||
We default to ensure newer systems compile properly. If there is a conflict with older systems, we write workarounds for the older code. Ideally, we get to remove ancient workarounds after a long long time without the need to keep old version workarounds forever. | |||
===== How does this work on RHEL/CentOS 7.3 or even 6.8 ===== | |||
Most likely they have backports to fix this. 7.3 has kernel 3.10 and glibc 2.17 | |||
==== With kernel 3.12 and libc-dev 2.19+ ===== | ==== With kernel 3.12 and libc-dev 2.19+ ===== | ||
Kernel made more efforts fix this issue | Kernel made more efforts fix this issue | ||
https://github.com/torvalds/linux/commit/cfd280c91253cc28e4919e349fa7a813b63e71e8 | https://github.com/torvalds/linux/commit/cfd280c91253cc28e4919e349fa7a813b63e71e8 | ||
== Can't link with libsystemd == | == Can't link with libsystemd == | ||
This error is with | This error is with debian. | ||
<pre> | <pre> | ||
/usr/bin/ld: cannot find -lsystemd | /usr/bin/ld: cannot find -lsystemd | ||
Line 90: | Line 97: | ||
Source: unbound | Source: unbound | ||
Version: 1.4.17-3+deb7u2 | Version: 1.4.17-3+deb7u2 | ||
</pre> | |||
=== Workaround : USE_DNSSEC=false ==== | ==== Workaround : USE_DNSSEC=false ==== | ||
<pre> | <pre> | ||
echo "USE_DNSSEC=false" >> Makefile.inc.local | echo "USE_DNSSEC=false" >> Makefile.inc.local | ||
Line 100: | Line 107: | ||
NOTE: to compile libunbound2 + libevent on Wheezy your best bet is upstream. unbound-1.6.0 from jessie-backports has unmet dependencies on Wheeezy. Strech package is not dowards compaitable. | NOTE: to compile libunbound2 + libevent on Wheezy your best bet is upstream. unbound-1.6.0 from jessie-backports has unmet dependencies on Wheeezy. Strech package is not dowards compaitable. | ||
= | = Fixed in.h/in6.h conflict in #master = | ||
If you have have master with commit a7d8a0bbb9cff171b9d0ba5ee36293f92a1b1eba on Debian Wheezy disable NIC Offload and use system's xfrm.h. Then you can compile. | |||
== nic-offload disable commit to v3.21 == | |||
<pre> | |||
git clone https://github.com/libreswan/libreswan | |||
cd libreswan | |||
git checkout v3.21 | |||
git cherry-pick a7d8a0bbb9cff171b9d0ba5ee36293f92a1b1eba | |||
echo USE_XFRM_HEADER_COPY=false >> Makefile.inc.local | |||
echo USE_NIC_OFFLOAD=false >> Makefile.inc.local | |||
echo USE_DNSSEC=false >> Makefile.inc.local | |||
echo USE_SYSTEMD_WATCHDOG=false >> Makefile.inc.local | |||
</pre> | |||
https://github.com/libreswan/libreswan/commit/a7d8a0bbb9cff171b9d0ba5ee36293f92a1b1eba | |||
https:// | |||
= Kernel headers 4.16 later : uapi/if_ether.h error: redefinition of 'struct in6_addr' struct in6_addr = | |||
Kernel 4.16 got a fix that could cause error: | |||
<pre> | |||
In file included from /<<PKGBUILDDIR>>/programs/pluto/linux-copy/linux/xfrm.h:4:0, | |||
from /<<PKGBUILDDIR>>/programs/pluto/kernel_netlink.c:55: | |||
/usr/include/linux/in6.h:33:8: error: redefinition of 'struct in6_addr' struct in6_addr { | |||
^~~~~~~~ | |||
In file included from /<<PKGBUILDDIR>>/linux/include/libreswan.h:76:0, | |||
from /<<PKGBUILDDIR>>/programs/pluto/kernel_netlink.c:54: | |||
/usr/include/netinet/in.h:211:8: note: originally defined here struct in6_addr | |||
^~~~~~~~ | |||
<pre> | |||
https://www.spinics.net/lists/stable/msg215023.html | |||
https:// |
Latest revision as of 17:49, 18 June 2018
Executive Summary
# enable workarounds and compile: echo USE_GLIBC_KERN_FLIP_HEADERS=true >> Makefile.inc.local echo "USE_SYSTEMD_WATCHDOG=false" >> Makefile.inc.local echo "USE_DNSSEC=false" >> Makefile.inc.local echo "USE_NIC_OFFLOAD=false" >> Makefile.inc.local make deb
Details about the issues of libreswan on Debian Wheezy
You need 3 workarounds to compile on Debian Wheezy. The workaround #1 is very specific to Wheezy (libc < 2.19 and kernel < 3.12). Later distributions fixed issues #1 and #2. #3 is because libunbound is too old.
conflict between netinet/in.h and linux/in6.h
It got worse by commit 07a01d3 to xfrm.in in libreswan. The issue has a long history. It is partly due to UAPI ABI out of sync and partly due to updating local copy of xfrm.h with commit 07a01d3 while supporting nic-offload for Mellanox cards. We could have worked around 07a01d3, however, it was easy to keep xfrm.h in sync with kernel UAPI copy 4.12 which seemed to work in most cases(glibc 2.19+ kernel 3.12+); except Wheezy!
-c /home/build/libreswan/programs/pluto/kernel_netlink.c /bin/bash: warning: setlocale: LC_ALL: cannot change locale (en_US.UTF-8) In file included from /home/build/libreswan/programs/pluto/linux-copy/linux/xfrm.h:4:0, from /home/build/libreswan/programs/pluto/kernel_netlink.c:52: /usr/include/linux/in6.h:30:8: error: redefinition of 'struct in6_addr' In file included from /home/build/libreswan/linux/include/libreswan.h:212:0, from /home/build/libreswan/programs/pluto/kernel_netlink.c:51: /usr/include/netinet/in.h:198:8: note: originally defined here dpkg -S linux/in6.h linux-libc-dev:amd64: /usr/include/linux/in.h dpkg -S netinet/in.h libc6-dev:amd64: /usr/include/netinet/in.h Package: libc6-dev Source: eglibc Version: 2.13-38+deb7u10 The local copy programs/pluto/linux-copy/linux/xfrm.h is updated linux kernel 4.12
Workaround : enable header files workaround
echo USE_GLIBC_KERN_FLIP_HEADERS=true >> Makefile.inc.local
Details about the conflict
glibc 2.19+
https://sourceware.org/bugzilla/show_bug.cgi?id=15850 If you have glibc 2.19+ you may have flip the two lines in programs/pluto/kernel_netlink.c
52 #include "linux/xfrm.h" /* local (if configured) or system copy */ 51 #include "libreswan.h" /* before xfrm.h otherwise break on F22 */
Why not commit this
We default to ensure newer systems compile properly. If there is a conflict with older systems, we write workarounds for the older code. Ideally, we get to remove ancient workarounds after a long long time without the need to keep old version workarounds forever.
How does this work on RHEL/CentOS 7.3 or even 6.8
Most likely they have backports to fix this. 7.3 has kernel 3.10 and glibc 2.17
With kernel 3.12 and libc-dev 2.19+ =
Kernel made more efforts fix this issue https://github.com/torvalds/linux/commit/cfd280c91253cc28e4919e349fa7a813b63e71e8
Can't link with libsystemd
This error is with debian.
/usr/bin/ld: cannot find -lsystemd collect2: error: ld returned 1 exit status Package: libsystemd-daemon-dev Source: systemd Version: 44-11+deb7u5
Workaround: USE_SYSTEMD_WATCHDOG=false
in libreswan src directory
echo "USE_SYSTEMD_WATCHDOG=false" >> Makefile.inc.local
FYI: debian stretch seems to have proper libsystemd-dev
Wheezy libunbound2 (1.4.17) do not support libevent
(NOTE: this is not re-compiling issue, you need > 1.5x)
/home/build/libreswan/lib/libswan/unbound.c:187: undefined reference to `ub_ctx_create_event' collect2: error: ld returned 1 exit status apt-cache show libunbound2 Package: libunbound2 Source: unbound Version: 1.4.17-3+deb7u2
Workaround : USE_DNSSEC=false
echo "USE_DNSSEC=false" >> Makefile.inc.local
If you have libunbound version less than 1.5.0 disable is the only way. libunbound2 1.5.0 above should be compiled with --with-libevent --enable-event-api
NOTE: to compile libunbound2 + libevent on Wheezy your best bet is upstream. unbound-1.6.0 from jessie-backports has unmet dependencies on Wheeezy. Strech package is not dowards compaitable.
Fixed in.h/in6.h conflict in #master
If you have have master with commit a7d8a0bbb9cff171b9d0ba5ee36293f92a1b1eba on Debian Wheezy disable NIC Offload and use system's xfrm.h. Then you can compile.
nic-offload disable commit to v3.21
git clone https://github.com/libreswan/libreswan cd libreswan git checkout v3.21 git cherry-pick a7d8a0bbb9cff171b9d0ba5ee36293f92a1b1eba echo USE_XFRM_HEADER_COPY=false >> Makefile.inc.local echo USE_NIC_OFFLOAD=false >> Makefile.inc.local echo USE_DNSSEC=false >> Makefile.inc.local echo USE_SYSTEMD_WATCHDOG=false >> Makefile.inc.local
https://github.com/libreswan/libreswan/commit/a7d8a0bbb9cff171b9d0ba5ee36293f92a1b1eba
Kernel headers 4.16 later : uapi/if_ether.h error: redefinition of 'struct in6_addr' struct in6_addr
Kernel 4.16 got a fix that could cause error:
In file included from /<<PKGBUILDDIR>>/programs/pluto/linux-copy/linux/xfrm.h:4:0, from /<<PKGBUILDDIR>>/programs/pluto/kernel_netlink.c:55: /usr/include/linux/in6.h:33:8: error: redefinition of 'struct in6_addr' struct in6_addr { ^~~~~~~~ In file included from /<<PKGBUILDDIR>>/linux/include/libreswan.h:76:0, from /<<PKGBUILDDIR>>/programs/pluto/kernel_netlink.c:54: /usr/include/netinet/in.h:211:8: note: originally defined here struct in6_addr ^~~~~~~~https://www.spinics.net/lists/stable/msg215023.html