Difference between revisions of "Libreswan on Debian Wheezy"

From Libreswan
 
(39 intermediate revisions by 3 users not shown)
Line 1: Line 1:
 +
= Executive Summary =
 +
 
<pre>
 
<pre>
I am sharing how to compile libreswan 3.21 on Debian Wheezy and the details.
+
# enable workarounds and compile:
 +
echo USE_GLIBC_KERN_FLIP_HEADERS=true >> Makefile.inc.local
 +
echo "USE_SYSTEMD_WATCHDOG=false" >> Makefile.inc.local
 +
echo "USE_DNSSEC=false" >> Makefile.inc.local
 +
echo "USE_NIC_OFFLOAD=false" >>  Makefile.inc.local
 +
make deb
 +
</pre>
  
You need 3 workarounds on Wheezy to compile. The workaround for #1 is very
+
= Details about the issues of libreswan on Debian Wheezy =
specific to Wheezy (libc < 2.19 and kernel < 3.12). Later distributions
 
fixed issues #1 and #2. #3 has different workarounds depending on your
 
libunbound2 version.
 
  
1. Debian Wheezy has a conflict between netinet/in.h and linux/in6.h It got
+
You need 3 workarounds to compile on Debian Wheezy. The workaround #1 is very specific to Wheezy (libc < 2.19 and kernel < 3.12). Later distributions fixed issues #1 and #2. #3 is because libunbound is too old.
worse by commit 07a01d3 to xfrm.in in libreswan. The issue has a long
 
history.  It is partly due to UAPI ABI out of sync and partly due to
 
updating local copy of xfrm.h with commit 07a01d3 while supporting
 
nic-offload for mellonex cards. We could have worked around 07a01d3,
 
however, it was easy to keep xfrm.h in sync with kernel UAPI copy 4.12
 
which seemed to work in most cases(glibc 2.19+ kernel 3.12+); except Wheezy!
 
  
 +
== conflict between netinet/in.h and linux/in6.h ==
 +
It got worse by commit 07a01d3 to xfrm.in in libreswan. The issue has a long  history.  It is partly due to UAPI ABI out of sync and partly due to updating local copy of xfrm.h with commit 07a01d3 while supporting nic-offload for Mellanox cards. We could have worked around 07a01d3, however, it was easy to keep xfrm.h in sync with kernel UAPI copy 4.12 which seemed to work in most cases(glibc 2.19+ kernel 3.12+); except Wheezy!
 +
 +
<pre>
 
                 -c /home/build/libreswan/programs/pluto/kernel_netlink.c
 
                 -c /home/build/libreswan/programs/pluto/kernel_netlink.c
 
/bin/bash: warning: setlocale: LC_ALL: cannot change locale (en_US.UTF-8)
 
/bin/bash: warning: setlocale: LC_ALL: cannot change locale (en_US.UTF-8)
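Review bot: the new Executive Summary block appends four settings, including USE_NIC_OFFLOAD=false, while the rewritten paragraph under "Details about the issues" still says "You need 3 workarounds" and none of the three listed issues covers NIC offload. Either explain in the details why USE_NIC_OFFLOAD=false is needed, or drop it from the summary so the two agree. The first echo is also unquoted while the other three are quoted; pick one style.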
Line 39: Line 42:
 
The local copy
 
The local copy
 
programs/pluto/linux-copy/linux/xfrm.h is updated linux kernel 4.12
 
programs/pluto/linux-copy/linux/xfrm.h is updated linux kernel 4.12
 +
</pre>
  
Workaround : remove the following line from
+
=== Workaround : enable header files workaround ===
programs/pluto/linux-copy/linux/xfrm.h
+
<pre>
 
+
echo USE_GLIBC_KERN_FLIP_HEADERS=true >> Makefile.inc.local
#include <linux/in6.h>
+
</pre>
 
+
=== Details about the conflict ===
more details about this issue:
+
==== glibc 2.19+ ====
https://sourceware.org/bugzilla/show_bug.cgi?id=15850
+
https://sourceware.org/bugzilla/show_bug.cgi?id=15850 If you have glibc 2.19+ you may have flip the two lines in
If you have glibc 2.19+ you may have flip the two lines in
 
 
programs/pluto/kernel_netlink.c
 
programs/pluto/kernel_netlink.c
 
+
<pre>
 
52 #include "linux/xfrm.h" /* local (if configured) or system copy */
 
52 #include "linux/xfrm.h" /* local (if configured) or system copy */
 
51 #include "libreswan.h" /* before xfrm.h otherwise break on F22 */
 
51 #include "libreswan.h" /* before xfrm.h otherwise break on F22 */
 +
</pre>
  
With kernel 3.12 and libc-dev 2.19+ has made more efforts fix this issue
+
===== Why not commit this =====
 +
We default to ensure newer systems compile properly. If there is a conflict with older systems, we write workarounds for the older code. Ideally, we get to remove ancient workarounds after a long long time without the need to keep old version workarounds forever.
 +
 
 +
===== How does this work on RHEL/CentOS 7.3 or even 6.8 =====
 +
Most likely they have backports to fix this. 7.3 has kernel 3.10 and glibc 2.17
 +
 
 +
 +
==== With kernel 3.12 and libc-dev 2.19+ =====
 +
Kernel made more efforts fix this issue
 
https://github.com/torvalds/linux/commit/cfd280c91253cc28e4919e349fa7a813b63e71e8
 
https://github.com/torvalds/linux/commit/cfd280c91253cc28e4919e349fa7a813b63e71e8
  
NOTE: Fedora 22 keep the order in kernel_netlink.c
+
== Can't link with libsystemd ==
 
+
This error is with debian.  
2. /usr/bin/ld: cannot find -lsystemd
+
<pre>
 +
/usr/bin/ld: cannot find -lsystemd  
 
collect2: error: ld returned 1 exit status
 
collect2: error: ld returned 1 exit status
 
+
This error is with. This is not new in 3.21, an old one.
 
 
  Package: libsystemd-daemon-dev
 
  Package: libsystemd-daemon-dev
 
  Source: systemd
 
  Source: systemd
 
  Version: 44-11+deb7u5
 
  Version: 44-11+deb7u5
 +
</pre>
  
Workaround: USE_SYSTEMD_WATCHDOG=false e.g. libreswan src directory
+
=== Workaround: USE_SYSTEMD_WATCHDOG=false ===
 +
in libreswan src directory  
 +
<pre>
 
echo "USE_SYSTEMD_WATCHDOG=false" >> Makefile.inc.local
 
echo "USE_SYSTEMD_WATCHDOG=false" >> Makefile.inc.local
 
+
</pre>
 
FYI: debian stretch seems to have proper libsystemd-dev
 
FYI: debian stretch seems to have proper libsystemd-dev
  
3. Wheezy libunbound2 (1.4.17) does not support libevent, (NOTE: this is not
+
== Wheezy libunbound2 (1.4.17) do not support libevent ==
re-compiling issue, you need > 1.5x)
+
(NOTE: this is not re-compiling issue, you need > 1.5x)
 
+
<pre>
 
/home/build/libreswan/lib/libswan/unbound.c:187: undefined reference to
 
/home/build/libreswan/lib/libswan/unbound.c:187: undefined reference to
 
`ub_ctx_create_event'
 
`ub_ctx_create_event'
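Review bot: the added heading "==== With kernel 3.12 and libc-dev 2.19+ =====" opens with four equals signs and closes with five, which leaves a stray "=" in the heading text; use four on both sides. The same hunk adds "This error is with debian." directly above the opening pre tag for the linker error; naming the failing step (linking against -lsystemd) there would make the section readable without the log.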
Line 82: Line 97:
 
Source: unbound
 
Source: unbound
 
Version: 1.4.17-3+deb7u2
 
Version: 1.4.17-3+deb7u2
 +
</pre>
 +
==== Workaround : USE_DNSSEC=false ====
 +
<pre>
 +
echo "USE_DNSSEC=false" >> Makefile.inc.local
 +
</pre>
 +
If you have libunbound version less than 1.5.0 disable is the only way.
 +
libunbound2 1.5.0  above should be compiled with --with-libevent --enable-event-api
  
Workaround : USE_DNSSEC=false e.g
+
NOTE: to compile libunbound2 + libevent on Wheezy your best bet is upstream. unbound-1.6.0 from jessie-backports has unmet dependencies on Wheeezy. Strech package is not dowards compaitable.
echo "USE_DNSSEC=false" >> Makefile.inc.local
 
  
If you have libunbound version less than 1.5.0 disable is the only way.
+
= Fixed in.h/in6.h conflict in #master =
libunbound2 1.5.0  above should be compiled with --with-libevent
+
If you have have master with commit a7d8a0bbb9cff171b9d0ba5ee36293f92a1b1eba on Debian Wheezy disable NIC Offload and use system's xfrm.h. Then you can compile.
--enable-event-api
 
  
NOTE: to compile libunbound2 + libevent on Wheezy your best bet is upstream.
+
== nic-offload disable commit to v3.21 ==
unbound-1.6.0 from jessie-backports has unmet dependencies on Wheeezy.
+
<pre>
Strech packges is not dowards compaitable.
+
git clone https://github.com/libreswan/libreswan
 +
cd libreswan
 +
git checkout v3.21
 +
git cherry-pick a7d8a0bbb9cff171b9d0ba5ee36293f92a1b1eba
  
FYI: libunbound2 related bugs and feature requests to support libevent + in
+
echo USE_XFRM_HEADER_COPY=false >>  Makefile.inc.local
other distributions.
+
echo USE_NIC_OFFLOAD=false >>  Makefile.inc.local
 +
echo USE_DNSSEC=false >> Makefile.inc.local
 +
echo USE_SYSTEMD_WATCHDOG=false >> Makefile.inc.local
 +
</pre>
  
Debian feature requests
 
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=871675
 
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=859584
 
  
RH bugs
+
https://github.com/libreswan/libreswan/commit/a7d8a0bbb9cff171b9d0ba5ee36293f92a1b1eba
https://bugzilla.redhat.com/show_bug.cgi?id=1434662 RHEL 6.10
 
https://bugzilla.redhat.com/show_bug.cgi?id=1434661 RHEL 7.4
 
  
Libreswan bug report:
+
= Kernel headers 4.16 later : uapi/if_ether.h error: redefinition of 'struct in6_addr' struct in6_addr  =
https://github.com/libreswan/libreswan/issues/117
+
Kernel 4.16 got a fix that could cause error:
  
 
<pre>
 
<pre>
 +
In file included from /<<PKGBUILDDIR>>/programs/pluto/linux-copy/linux/xfrm.h:4:0,
 +
                from /<<PKGBUILDDIR>>/programs/pluto/kernel_netlink.c:55:
 +
/usr/include/linux/in6.h:33:8: error: redefinition of 'struct in6_addr'  struct in6_addr {
 +
          ^~~~~~~~
 +
In file included from /<<PKGBUILDDIR>>/linux/include/libreswan.h:76:0,
 +
                  from /<<PKGBUILDDIR>>/programs/pluto/kernel_netlink.c:54:
 +
/usr/include/netinet/in.h:211:8: note: originally defined here  struct in6_addr
 +
        ^~~~~~~~
 +
<pre>
 +
 +
https://www.spinics.net/lists/stable/msg215023.html
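Review bot: the compiler-output block added for the 4.16 headers ends with an opening "<pre>" where a closing "</pre>" is needed, so the block is never terminated; change the final tag. This hunk also removes the Debian, Red Hat and libreswan issue links about libunbound event-API support without moving them elsewhere; consider keeping them under the USE_DNSSEC workaround.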

Latest revision as of 18:49, 18 June 2018

Executive Summary

# enable workarounds and compile:
echo USE_GLIBC_KERN_FLIP_HEADERS=true >> Makefile.inc.local
echo "USE_SYSTEMD_WATCHDOG=false" >> Makefile.inc.local
echo "USE_DNSSEC=false" >> Makefile.inc.local
echo "USE_NIC_OFFLOAD=false" >>  Makefile.inc.local
make deb

Details about the issues of libreswan on Debian Wheezy

You need 3 workarounds to compile on Debian Wheezy. Workaround #1 is very specific to Wheezy (libc < 2.19 and kernel < 3.12). Later distributions fixed issues #1 and #2. Issue #3 occurs because libunbound is too old.

conflict between netinet/in.h and linux/in6.h

This conflict got worse with commit 07a01d3 to xfrm.h in libreswan. The issue has a long history. It is partly due to the UAPI ABI being out of sync and partly due to updating the local copy of xfrm.h with commit 07a01d3 while supporting nic-offload for Mellanox cards. We could have worked around 07a01d3; however, it was easy to keep xfrm.h in sync with the kernel 4.12 UAPI copy, which seemed to work in most cases (glibc 2.19+, kernel 3.12+), except on Wheezy!

                -c /home/build/libreswan/programs/pluto/kernel_netlink.c
/bin/bash: warning: setlocale: LC_ALL: cannot change locale (en_US.UTF-8)
In file included from
/home/build/libreswan/programs/pluto/linux-copy/linux/xfrm.h:4:0,
                 from
/home/build/libreswan/programs/pluto/kernel_netlink.c:52:
/usr/include/linux/in6.h:30:8: error: redefinition of 'struct in6_addr'
In file included from /home/build/libreswan/linux/include/libreswan.h:212:0,
                 from
/home/build/libreswan/programs/pluto/kernel_netlink.c:51:
/usr/include/netinet/in.h:198:8: note: originally defined here

dpkg -S linux/in6.h
linux-libc-dev:amd64: /usr/include/linux/in.h

dpkg -S netinet/in.h
libc6-dev:amd64: /usr/include/netinet/in.h

Package: libc6-dev
Source: eglibc
Version: 2.13-38+deb7u10

The local copy, programs/pluto/linux-copy/linux/xfrm.h, has been updated to Linux kernel 4.12.

Workaround : enable header files workaround

echo USE_GLIBC_KERN_FLIP_HEADERS=true >> Makefile.inc.local

Details about the conflict

glibc 2.19+

See https://sourceware.org/bugzilla/show_bug.cgi?id=15850. If you have glibc 2.19+, you may have to flip the two lines in programs/pluto/kernel_netlink.c:

52 #include "linux/xfrm.h" /* local (if configured) or system copy */
51 #include "libreswan.h" /* before xfrm.h otherwise break on F22 */

Why not commit this

Our defaults ensure that newer systems compile properly. If there is a conflict with older systems, we write workarounds for the older code. Ideally, we get to remove ancient workarounds after a long time, rather than keeping old-version workarounds forever.

How does this work on RHEL/CentOS 7.3 or even 6.8

Most likely they have backports to fix this. 7.3 has kernel 3.10 and glibc 2.17


With kernel 3.12 and libc-dev 2.19+

The kernel made further efforts to fix this issue: https://github.com/torvalds/linux/commit/cfd280c91253cc28e4919e349fa7a813b63e71e8

Can't link with libsystemd

This error occurs on Debian.

/usr/bin/ld: cannot find -lsystemd 
collect2: error: ld returned 1 exit status
 
 Package: libsystemd-daemon-dev
 Source: systemd
 Version: 44-11+deb7u5

Workaround: USE_SYSTEMD_WATCHDOG=false

In the libreswan source directory:

echo "USE_SYSTEMD_WATCHDOG=false" >> Makefile.inc.local

FYI: Debian Stretch seems to have a proper libsystemd-dev.

Wheezy libunbound2 (1.4.17) does not support libevent

(NOTE: this is not a re-compiling issue; you need > 1.5x)

/home/build/libreswan/lib/libswan/unbound.c:187: undefined reference to
`ub_ctx_create_event'
collect2: error: ld returned 1 exit status

apt-cache show libunbound2
Package: libunbound2
Source: unbound
Version: 1.4.17-3+deb7u2

Workaround : USE_DNSSEC=false

echo "USE_DNSSEC=false" >> Makefile.inc.local

If your libunbound version is less than 1.5.0, disabling DNSSEC is the only way. libunbound2 1.5.0 and above should be compiled with --with-libevent --enable-event-api.

NOTE: to compile libunbound2 + libevent on Wheezy your best bet is upstream. unbound-1.6.0 from jessie-backports has unmet dependencies on Wheezy. The Stretch package is not downward compatible.
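
The three version-dependent workarounds above can be selected by script instead of appended by hand. This is an added example, not part of the original page or the libreswan build system: the function names are hypothetical, the thresholds (libc < 2.19 with kernel < 3.12, libunbound < 1.5.0) are the ones stated on this page, and it assumes a sort that supports -V. Whether libsystemd is available is passed in by the caller.

```shell
#!/bin/sh
# Added example: pick Makefile.inc.local workarounds from installed versions.
# Function names are hypothetical; the thresholds come from this page.

# ver_lt A B: succeed when version A sorts strictly before version B.
ver_lt() {
    [ "$1" != "$2" ] &&
        [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# plan_workarounds GLIBC KERNEL UNBOUND HAS_LIBSYSTEMD(yes|no)
# Prints one KEY=VALUE line for each workaround that applies.
plan_workarounds() {
    # Issue 1: in.h/in6.h conflict, specific to libc < 2.19 and kernel < 3.12.
    if ver_lt "$1" 2.19 && ver_lt "$2" 3.12; then
        echo "USE_GLIBC_KERN_FLIP_HEADERS=true"
    fi
    # Issue 2: no libsystemd to link against (caller decides, for example
    # from the exit status of: pkg-config --exists libsystemd).
    if [ "$4" != yes ]; then
        echo "USE_SYSTEMD_WATCHDOG=false"
    fi
    # Issue 3: libunbound older than 1.5.0 lacks ub_ctx_create_event.
    if ver_lt "$3" 1.5.0; then
        echo "USE_DNSSEC=false"
    fi
}

# set_flag FILE KEY=VALUE: replace an earlier KEY line rather than appending
# a duplicate, so re-running leaves exactly one setting per key.
set_flag() {
    key=${2%%=*}
    touch "$1"
    grep -v "^${key}=" "$1" > "$1.tmp" || true
    echo "$2" >> "$1.tmp"
    mv "$1.tmp" "$1"
}

# apply_plan FILE GLIBC KERNEL UNBOUND HAS_LIBSYSTEMD
apply_plan() {
    out=$1; shift
    plan_workarounds "$@" | while IFS= read -r line; do
        set_flag "$out" "$line"
    done
}
```

For the Wheezy versions quoted on this page, `apply_plan Makefile.inc.local 2.13-38+deb7u10 3.2.0 1.4.17-3+deb7u2 no` writes all three settings (the kernel version 3.2.0 is a constructed sample value).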

Fixed in.h/in6.h conflict in #master

If you have master with commit a7d8a0bbb9cff171b9d0ba5ee36293f92a1b1eba on Debian Wheezy, disable NIC offload and use the system's xfrm.h. Then you can compile.

nic-offload disable commit to v3.21

git clone https://github.com/libreswan/libreswan 
cd libreswan 
git checkout v3.21
git cherry-pick a7d8a0bbb9cff171b9d0ba5ee36293f92a1b1eba

echo USE_XFRM_HEADER_COPY=false >>  Makefile.inc.local
echo USE_NIC_OFFLOAD=false >>  Makefile.inc.local
echo USE_DNSSEC=false >> Makefile.inc.local
echo USE_SYSTEMD_WATCHDOG=false >> Makefile.inc.local


https://github.com/libreswan/libreswan/commit/a7d8a0bbb9cff171b9d0ba5ee36293f92a1b1eba

Kernel headers 4.16 and later: uapi/if_ether.h error: redefinition of 'struct in6_addr'

Kernel 4.16 got a fix that could cause this error:

In file included from /<<PKGBUILDDIR>>/programs/pluto/linux-copy/linux/xfrm.h:4:0,
                 from /<<PKGBUILDDIR>>/programs/pluto/kernel_netlink.c:55:
/usr/include/linux/in6.h:33:8: error: redefinition of 'struct in6_addr'  struct in6_addr {
           ^~~~~~~~
In file included from /<<PKGBUILDDIR>>/linux/include/libreswan.h:76:0,
                  from /<<PKGBUILDDIR>>/programs/pluto/kernel_netlink.c:54:
/usr/include/netinet/in.h:211:8: note: originally defined here  struct in6_addr
         ^~~~~~~~

https://www.spinics.net/lists/stable/msg215023.html