| Summary: | haproxy fails to build | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | papoteur <yvesbrungard> |
| Component: | RPM Packages | Assignee: | Raphael Gertz <mageia> |
| Status: | RESOLVED FIXED | QA Contact: | |
| Severity: | major | ||
| Priority: | Normal | CC: | jani.valimaa, mageia, marja11 |
| Version: | Cauldron | ||
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Source RPM: | haproxy | CVE: | |
| Status comment: | |||
Description
papoteur
2022-09-13 09:01:06 CEST
papoteur
2022-09-13 09:01:34 CEST
CC:
(none) =>
mageia

Ugh, another package with frequent security issues that's been imported into Mageia 9. I hope whoever imported it has been keeping up with those issues.

The patch is required on mageia/redhat-like to use the distribution certificate layout, which differs from debian-like.

I will update the patch later today and resubmit it to upstream (again).

I use it in production on my server, but it's just a hobby use...

(In reply to Raphael Gertz from comment #2)
> The patch is required on mageia/redhat-like to use the distribution
> certificate layout which differs from debian-like.
>
> I will update the patch later today and resubmit it to upstream (again).

I see wally pushed haproxy-2.6.5-1.mga9, but that is without your updated patch, right?

CC:
(none) =>
marja11

I tried to run the 2.6.5-1.mga9 built on my mga8, I get:

FATAL ERROR: invalid code detected -- cannot go further, please recompile!
The source code was miscompiled by the compiler, which usually indicates that some of the CFLAGS needed to work around overzealous compiler optimizations were overwritten at build time. Please do not force CFLAGS, and read Makefile and INSTALL files to decide on the best way to pass your local build options.

Build options :
  TARGET = linux-glibc
  CPU = generic
  CC = cc
  CFLAGS = -O2 -g -pipe -Wformat -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -fstack-protector --param=ssp-buffer-size=4 -fasynchronous-unwind-tables
  OPTIONS = USE_PCRE2=1 USE_PCRE2_JIT=1 USE_LIBCRYPT=1 USE_CRYPT_H=1 USE_GETADDRINFO=1 USE_OPENSSL=1 USE_LUA=1 USE_ZLIB=1 USE_TFO=1 USE_NS=1 USE_DL=1 USE_RT=1 USE_SYSTEMD=1 USE_PROMEX=1
  DEBUG = -DDEBUG_STRICT -DDEBUG_MEMORY_POOLS

I am no specialist in build flags, without specifying cflag, build is done with:

cc -Iinclude -O2 -g -Wall -Wextra -Wundef -Wdeclaration-after-statement -Wfatal-errors -Wtype-limits -Wshift-negative-value -Wshift-overflow=2 -Wduplicated-cond -Wnull-dereference -fwrapv -Wno-address-of-packed-member -Wno-unused-label -Wno-sign-compare -Wno-unused-parameter -Wno-clobbered -Wno-missing-field-initializers -Wno-cast-function-type -Wno-string-plus-int -Wno-atomic-alignment -DDEBUG_STRICT -DDEBUG_MEMORY_POOLS -DUSE_EPOLL -DUSE_NETFILTER -DUSE_PCRE2 -DUSE_PCRE2_JIT -DUSE_POLL -DUSE_THREAD -DUSE_BACKTRACE -DUSE_TPROXY -DUSE_LINUX_TPROXY -DUSE_LINUX_SPLICE -DUSE_LIBCRYPT -DUSE_CRYPT_H -DUSE_GETADDRINFO -DUSE_OPENSSL -DUSE_LUA -DUSE_ACCEPT4 -DUSE_ZLIB -DUSE_CPU_AFFINITY -DUSE_TFO -DUSE_NS -DUSE_DL -DUSE_RT -DUSE_SYSTEMD -DUSE_PRCTL -DUSE_THREAD_DUMP -DUSE_PROMEX -I/usr/include/lua -I/usr/include/lua -DUSE_PCRE2 -DPCRE2_CODE_UNIT_WIDTH=8 -I/usr/include -DCONFIG_HAPROXY_VERSION=\"2.6.5-987a4e2\" -DCONFIG_HAPROXY_DATE=\"2022/09/03\" -c -o src/cpuset.o src/cpuset.c

Without specifying:

cc -Iinclude -O2 -g -pipe -Wformat -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -fstack-protector --param=ssp-buffer-size=4 -fasynchronous-unwind-tables -DDEBUG_STRICT -DDEBUG_MEMORY_POOLS -DUSE_EPOLL -DUSE_NETFILTER -DUSE_PCRE2 -DUSE_PCRE2_JIT -DUSE_POLL -DUSE_THREAD -DUSE_BACKTRACE -DUSE_TPROXY -DUSE_LINUX_TPROXY -DUSE_LINUX_SPLICE -DUSE_LIBCRYPT -DUSE_CRYPT_H -DUSE_GETADDRINFO -DUSE_OPENSSL -DUSE_LUA -DUSE_ACCEPT4 -DUSE_ZLIB -DUSE_CPU_AFFINITY -DUSE_TFO -DUSE_NS -DUSE_DL -DUSE_RT -DUSE_SYSTEMD -DUSE_PRCTL -DUSE_THREAD_DUMP -DUSE_PROMEX -I/usr/include/lua -I/usr/include/lua -DUSE_PCRE2 -DPCRE2_CODE_UNIT_WIDTH=8 -I/usr/include -DCONFIG_HAPROXY_VERSION=\"2.6.5-987a4e2\" -DCONFIG_HAPROXY_DATE=\"2022/09/03\" -c -o src/cpuset.o src/cpuset.c

First one produces the message about invalid code, second one works on my mga8.

I fixed the configuration to work for version 2.6.5 and removed some personal stuff I missed from it too. My bad wanting to provide an easy configuration template out of the box.

I made a mistake, second build line is with mga specified CFLAGS. Seems that the -fwrapv is the key, by adding it to CFLAGS it works with mga build CFLAGS.

I updated the spec file, if someone may check that it doesn't do a disaster, that would be nice. May someone test that it works on mga9 by getting:

# /usr/sbin/haproxy -f /etc/haproxy/haproxy.conf -c
Configuration file is valid

And basic service network check if possible.

Just as a note, it seems other distributions had the same problem while upgrading:
https://bugs.archlinux.org/task/71861
https://www.linuxquestions.org/questions/slackware-14/haproxy-2-5-3-compiles-but-fails-to-start-4175709643/

There are reasons, for example security, why we want to enforce certain compiler flags.
Please build again with CPU_CFLAGS="%{build_cflags}" instead of CFLAGS="%{build_cflags}". CPU_CFLAGS overrides just optimization flag -O2 and keeps rest of the flags untouched.

CC:
(none) =>
jani.valimaa

I tried to submit version haproxy-2.6.5-2.mga but bs seems down.

Jani, I don't understand, I re-added:
CFLAGS="%{build_cflags} -fwrapv"
It's good, all security flags are added, I just add the required -fwrapv flag which seems to disable certain compiler optimisations.
(like they did for archlinux, see link earlier)

Version haproxy-2.6.5-2.mga is available in mga9, may someone else test it and set this bug report as RESOLVED?

I tested it on my mga8 and everything is fine. A backport may be done for version mga8 if someone is interested.

Closing, I updated it to version 2.6.6 two days ago and everything seems to work fine on my server. Reopen if you encounter a problem.

Status:
NEW =>
RESOLVED
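
Added example, not part of the original bug report or of the haproxy spec file: a build-log check for the two failure modes discussed in the thread, a CFLAGS override that drops -fwrapv and a build that lacks the distribution hardening flags. The sample compile lines are shortened from the ones quoted above, and the required-flag list and function names are assumptions made for this example.

```shell
#!/bin/sh
# Constructed samples: the two compile lines quoted in the thread, shortened.
UPSTREAM_LINE='cc -Iinclude -O2 -g -Wall -Wextra -fwrapv -Wno-sign-compare -DUSE_OPENSSL -c -o src/cpuset.o src/cpuset.c'
DISTRO_LINE='cc -Iinclude -O2 -g -pipe -Wformat -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -fstack-protector --param=ssp-buffer-size=4 -fasynchronous-unwind-tables -DUSE_OPENSSL -c -o src/cpuset.o src/cpuset.c'

# Assumed policy for this example: -fwrapv (needed by haproxy per the thread)
# plus hardening flags visible in the distribution CFLAGS above.
REQUIRED_FLAGS='-fwrapv -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -fstack-protector'

# missing_flags LINE
# Prints the required flags that do not appear as a whole token in LINE,
# space separated, in policy order. Prints an empty line when none are missing.
missing_flags() {
    mf_missing=
    set -f    # no filename globbing while splitting on whitespace
    for mf_want in $REQUIRED_FLAGS; do
        mf_found=no
        for mf_tok in $1; do
            if [ "$mf_tok" = "$mf_want" ]; then
                mf_found=yes
                break
            fi
        done
        if [ "$mf_found" = no ]; then
            mf_missing="${mf_missing:+$mf_missing }$mf_want"
        fi
    done
    set +f
    printf '%s\n' "$mf_missing"
}

# audit_line LABEL LINE: report the result, return non-zero if a flag is missing.
audit_line() {
    al_missing=$(missing_flags "$2")
    if [ -n "$al_missing" ]; then
        printf '%s: MISSING %s\n' "$1" "$al_missing"
        return 1
    fi
    printf '%s: ok\n' "$1"
}

audit_line 'upstream defaults' "$UPSTREAM_LINE" || true
audit_line 'CFLAGS overridden' "$DISTRO_LINE" || true
audit_line 'CFLAGS + -fwrapv' "$DISTRO_LINE -fwrapv" || true
```

Feeding each `cc` line of a real build log to `audit_line` turns a silently dropped flag into a failed check at package build time rather than a startup failure on the target host.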