OpenCSW Bug Tracker


ID: 0004807
Category: [libssl0_9_8] upgrade
Severity: major
Reproducibility: always
Date Submitted: 2011-07-19 15:16
Last Update: 2011-11-04 23:00
Reporter: domcleal
View Status: public
Assigned To: yann
Priority: normal
Resolution: fixed
Status: closed
Summary: 0004807: Migration of SSL certs fails on upgrade
Description: When upgrading with pkgutil from openssl_rt-0.9.8,REV=2007.12.26_rev=g-SunOS5.8-sparc-CSW to openssl_rt-0.9.8r,REV=2011.02.12-SunOS5.9-sparc-CSW, the package preinstall performs a migration of SSL certs from /opt/csw/ssl/certs to /opt/csw/etc/ssl/certs.

This causes the pkgadd to fail, as it also removes the /opt/csw/ssl/certs directory:

Custom certificates have been installed in /opt/csw/ssl/certs/.
They will be moved under /opt/csw/etc/ssl/certs.
see /opt/csw/share/doc/openssl_rt/README.CSW for more information
about CA.
WARNING: /opt/csw/ssl/certs <no longer a directory>
mv: cannot rename /opt/csw/ssl/certs/demo to /opt/csw/etc/ssl/certs/demo: File exists
mv: cannot rename /opt/csw/ssl/certs/expired to /opt/csw/etc/ssl/certs/expired: File exists
rmdir: directory "/opt/csw/ssl/certs": Directory not empty
WARNING: /opt/csw/ssl/certs may not overwrite a populated directory.
pkgadd: ERROR: /opt/csw/ssl/certs could not be installed.
Updating certificates in /opt/csw/etc/ssl/certs...done.
Installation of <CSWosslrt> partially failed.


Removing the "rmdir /opt/csw/ssl/certs" from the preinstall lets the upgrade go through, indicating perhaps that the directory should be left in place?
Additional Information: Full pkgadd -v trace:

+ [ ! -h /opt/csw/ssl/certs ]
+ [ -d /opt/csw/ssl/certs ]
+ ls -1 /opt/csw/ssl/certs/
+ [ -n 1e49180d.0
2edf7016.0
56e607f4.0
6adf0799.0
7651b327.0
7a9820c1.0
843b6c51.0
878cf4c6.0
a3c60019.0
aad3d04d.0
argena.pem
argeng.pem
c33a80d4.0
cdd7aee7.0
d4e39186.0
ddc328ff.0
demo
eng1.pem
eng2.pem
eng3.pem
eng4.pem
eng5.pem
expired
f73e89fd.0
RegTP-5R.pem
RegTP-6R.pem
thawteCb.pem
thawteCp.pem
vsign1.pem
vsign3.pem
vsignss.pem
wellsfgo.pem ]
+ echo Custom certificates have been installed in /opt/csw/ssl/certs/.
Custom certificates have been installed in /opt/csw/ssl/certs/.
+ echo They will be moved under /opt/csw/etc/ssl/certs.
They will be moved under /opt/csw/etc/ssl/certs.
+ echo see /opt/csw/share/doc/openssl_rt/README.CSW for more information
see /opt/csw/share/doc/openssl_rt/README.CSW for more information
+ echo about CA.
about CA.
+ cat
MOVE_CERTS=Yes
+ exit 0
WARNING: /opt/csw/ssl/certs <no longer a directory>
+ [ Yes = Yes ]
+ mv -f /opt/csw/ssl/certs/1e49180d.0 /opt/csw/ssl/certs/2edf7016.0 /opt/csw/ssl/certs/56e607f4.0 /opt/csw/ssl/certs/6adf0799.0 /opt/csw/ssl/certs/7651b327.0 /opt/csw/ssl/certs/7a9820c1.0 /opt/csw/ssl/certs/843b6c51.0 /opt/csw/ssl/certs/878cf4c6.0 /opt/csw/ssl/certs/RegTP-5R.pem /opt/csw/ssl/certs/RegTP-6R.pem /opt/csw/ssl/certs/a3c60019.0 /opt/csw/ssl/certs/aad3d04d.0 /opt/csw/ssl/certs/argena.pem /opt/csw/ssl/certs/argeng.pem /opt/csw/ssl/certs/c33a80d4.0 /opt/csw/ssl/certs/cdd7aee7.0 /opt/csw/ssl/certs/d4e39186.0 /opt/csw/ssl/certs/ddc328ff.0 /opt/csw/ssl/certs/demo /opt/csw/ssl/certs/eng1.pem /opt/csw/ssl/certs/eng2.pem /opt/csw/ssl/certs/eng3.pem /opt/csw/ssl/certs/eng4.pem /opt/csw/ssl/certs/eng5.pem /opt/csw/ssl/certs/expired /opt/csw/ssl/certs/f73e89fd.0 /opt/csw/ssl/certs/thawteCb.pem /opt/csw/ssl/certs/thawteCp.pem /opt/csw/ssl/certs/vsign1.pem /opt/csw/ssl/certs/vsign3.pem /opt/csw/ssl/certs/vsignss.pem /opt/csw/ssl/certs/wellsfgo.pem /opt/csw/etc/ssl/certs
+ rmdir /opt/csw/ssl/certs
+ true
pkgadd: ERROR: unable to remove existing directory at </opt/csw/ssl/certs>

Installation of <CSWosslrt> failed (internal error) - package
partially installed.
Tags No tags attached.
-  Notes
(0009202)
yann (manager)
2011-07-21 17:04

I uploaded a new set of openssl packages in my experimental repository:
http://buildfarm.opencsw.org/experimental.html#yann

The new openssl_rt package should fix your issue. Could you try these packages and give me some feedback?
(0009208)
domcleal (reporter)
2011-07-21 18:10

Thanks for the quick response Yann.

The issue's still there unfortunately. I see the method of migrating the certs has changed, but I think the issue might not be that.

The error goes away when the /opt/csw/ssl/certs directory is not removed by the preinstall though, so should it not be doing this?

# pkgutil --trace -t http://buildfarm.opencsw.org/opencsw/experimental/yann -y -u CSWosslrt
[ snip ]
+ read FILE
+ dirname ./vsign3.pem
+ mkdir -p -m 0755 /opt/csw/etc/ssl/certs/.
+ mv ./vsign3.pem /opt/csw/etc/ssl/certs/./vsign3.pem
+ read FILE
+ find . ! -name . -type d -exec rmdir {} ;
+ rmdir /opt/csw/ssl/certs
+ true
pkgadd: ERROR: unable to remove existing directory at </opt/csw/ssl/certs>

Installation of <CSWosslrt> failed (internal error) - package
partially installed.

pkgadd failed with exit code: 1
(0009209)
yann (manager)
2011-07-22 00:37

Hi,

The /opt/csw/ssl/certs should be removed so that pkgadd can create a symlink /opt/csw/ssl/certs -> /opt/csw/etc/ssl/certs

It is perfectly normal that the /opt/csw/ssl/certs is removed.
In fact, if there is no custom file installed in /opt/csw/ssl/certs, it should always be removed when the previous openssl_rt package is removed. See Demonstration 1.
I am a bit surprised that removing the rmdir solves the problem.

If I create custom files in /opt/csw/ssl/certs, I also can't reproduce your bug, see Demonstration 2.

So I suppose there is something specific in your configuration.
The things that come to my mind are:
 - /opt/csw/ssl/certs is a mount point,
 - /opt/csw is zone shared.

Could you give me more information about your setup so I understand the conditions that trigger this bug?
Thanks in advance,

Yann






Demonstration 1:

# pkginfo -l CSWosslrt | grep VERSION
   VERSION: 0.9.8,REV=2007.12.26_rev=g
# ls -ld /opt/csw/ssl/certs
drwxr-xr-x 4 root bin 1024 Jul 22 00:16 /opt/csw/ssl/certs
# pkgrm CSWosslrt
[...]
# ls -ld /opt/csw/ssl/certs
/opt/csw/ssl/certs: No such file or directory

If the last openssl_rt is then installed, there is no problem:
# pkgutil --trace -t http://buildfarm.opencsw.org/opencsw/experimental/yann -i openssl_rt
[...]
Installation of <CSWosslrt> was successful.



Demonstration 2:

# # Let's create some custom files
# cd /opt/csw/ssl/certs
# mkdir -p demo expired
# touch test1.pem demo/test2.pem expired/test3.pem

# I also create demo and expired directories at the new location to create a clash (triggered a problem with the previous package).
# mkdir -p /opt/csw/etc/ssl/certs/demo /opt/csw/etc/ssl/certs/expired

# pkgrm CSWosslrt
Removal of <CSWosslrt> was successful.

# ls -l /opt/csw/ssl/certs/
total 4
drwxr-xr-x 2 root bin 512 Jul 22 00:29 demo
drwxr-xr-x 2 root bin 512 Jul 22 00:29 expired
-rw-r--r-- 1 root root 0 Jul 22 00:27 test1.pem

[...]
## Executing checkinstall script.
+ /usr/bin/uname -p
PLATFORM=i386
+ /usr/bin/uname -r
VERSION=5.10
+ [ 5.10 -eq 5.8 ]
+ [ ! -c /dev/random ]
+ [ ! -c /dev/urandom ]
+ [ = 1 ]
+ [ ! -h /opt/csw/ssl/certs ]
+ [ -d /opt/csw/ssl/certs ]
+ ls -1 /opt/csw/ssl/certs/
+ [ -n demo
expired
test1.pem ]
+ echo Custom certificates have been installed in /opt/csw/ssl/certs/.
Custom certificates have been installed in /opt/csw/ssl/certs/.
+ echo They will be moved under /opt/csw/etc/ssl/certs.
They will be moved under /opt/csw/etc/ssl/certs.
+ echo see /opt/csw/share/doc/openssl_rt/README.CSW for more information
see /opt/csw/share/doc/openssl_rt/README.CSW for more information
+ echo about CA.
about CA.
+ cat
MOVE_CERTS=Yes
+ exit 0
[...]
## Executing preinstall script.
+ [ Yes = Yes ]
+ cd /opt/csw/ssl/certs
+ [ 0 -eq 0 ]
+ pwd
+ [ /opt/csw/ssl/certs = /opt/csw/ssl/certs ]
+ find . -type f
+ read FILE
+ dirname ./demo/test2.pem
+ mkdir -p -m 0755 /opt/csw/etc/ssl/certs/./demo
+ mv ./demo/test2.pem /opt/csw/etc/ssl/certs/./demo/test2.pem
+ read FILE
+ dirname ./expired/test3.pem
+ mkdir -p -m 0755 /opt/csw/etc/ssl/certs/./expired
+ mv ./expired/test3.pem /opt/csw/etc/ssl/certs/./expired/test3.pem
+ read FILE
+ dirname ./test1.pem
+ mkdir -p -m 0755 /opt/csw/etc/ssl/certs/.
+ mv ./test1.pem /opt/csw/etc/ssl/certs/./test1.pem
+ read FILE
+ find . ! -name . -type d -exec rmdir {} ;
+ rmdir /opt/csw/ssl/certs
+ true
[...]
/opt/csw/ssl/certs <symbolic link>
[...]
Installation of <CSWosslrt> was successful.
(0009210)
domcleal (reporter)
2011-07-22 12:22

I don't think that it's a particular local configuration, but to do with the method. I'm using the pkgutil -u method to upgrade the package in-place.

Looking under the covers at pkgutil, the pkgrm is failing as the admin file has rdepend=quit and other packages (CSWwget etc) are installed and depend on it. pkgutil continues and does the pkgadd (using instance=overwrite) while the old package remains on the system.

Therefore the issue occurs if you perform a pkgadd over the existing package, using instance=overwrite.

The pkgutil admin file looks like this:

# cat /var/opt/csw/pkgutil/admin
mail=
instance=overwrite
partial=quit
runlevel=quit
idepend=quit
rdepend=quit
space=quit
setuid=nocheck
conflict=nocheck
action=nocheck
basedir=default

First install the old package:

# ls -ld /opt/csw/etc/ssl/certs /opt/csw/ssl/certs
/opt/csw/etc/ssl/certs: No such file or directory
/opt/csw/ssl/certs: No such file or directory

# pkgadd -n -a /var/opt/csw/pkgutil/admin -d openssl_rt-0.9.8\,REV\=2007.12.26_rev\=g-SunOS5.8-sparc-CSW.pkg CSWosslrt
[snip]
Installation of <CSWosslrt> was successful.

# pkginfo -x CSWosslrt
CSWosslrt openssl_rt - Openssl runtime libraries
           (sparc) 0.9.8,REV=2007.12.26_rev=g

# ls -ld /opt/csw/etc/ssl/certs /opt/csw/ssl/certs
/opt/csw/etc/ssl/certs: No such file or directory
drwxr-xr-x 4 root bin 34 Jul 22 11:11 /opt/csw/ssl/certs

And then install the new package:

# pkgadd -v -n -a /var/opt/csw/pkgutil/admin -d openssl_rt-0.9.8r\,REV\=2011.07.21-SunOS5.9-sparc-CSW.pkg CSWosslrt
[snip]
+ rmdir /opt/csw/ssl/certs
+ true
pkgadd: ERROR: unable to remove existing directory at </opt/csw/ssl/certs>

Installation of <CSWosslrt> failed (internal error) - package

# ls -ld /opt/csw/etc/ssl/certs /opt/csw/ssl/certs
/opt/csw/ssl/certs: No such file or directory
drwxr-xr-x 4 root other 34 Jul 22 11:11 /opt/csw/etc/ssl/certs
(0009211)
yann (manager)
2011-07-22 14:53

Hi,

I still don't reproduce the bug using pkgutil directly.

 # pkginfo -x CSWosslrt
CSWosslrt openssl_rt - Openssl runtime libraries
           (i386) 0.9.8,REV=2007.12.26_rev=g

# pkgutil -t http://buildfarm.opencsw.org/opencsw/experimental/yann -y -u openssl_rt
[...]
=> Removing old version of CSWosslrt (1/1) ...

Removal of <CSWosslrt> was successful.

=> Installing CSWosslrt-0.9.8r,REV=2011.07.21 (1/1) ...
Please see /opt/csw/share/doc/openssl_rt/license for license information.
Custom certificates have been installed in /opt/csw/ssl/certs/.
They will be moved under /opt/csw/etc/ssl/certs.
see /opt/csw/share/doc/openssl_rt/README.CSW for more information
about CA.
Updating certificates in /opt/csw/etc/ssl/certs...done.

Installation of <CSWosslrt> was successful.


The difference is in our admin file:

# cat /var/opt/csw/pkgutil/admin
mail=
instance=overwrite
partial=nocheck
runlevel=nocheck
idepend=nocheck
rdepend=nocheck
space=nocheck
setuid=nocheck
conflict=nocheck
action=nocheck
basedir=default


I checked the 2.1,REV=2010.07.28 and the 2.4,REV=2011.05.15 versions, and the default provided admin file is identical to mine.
Have you made any modifications to your admin file?
(0009212)
domcleal (reporter)
2011-07-22 17:50

That was it, thanks for spotting the difference. I wasn't aware that this had been changed in our environment.

Having tested with your correct admin file, the upgrade works fine - removing the old package and standard certs, migrating custom certs and setting up the symlink without errors.

Sorry for the unnecessary bug report.
(0009213)
yann (manager)
2011-07-22 18:24

No problem, you also raised a corner case that I fixed with the new package.
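
The comparison that resolved this issue, as an added example that is not part of the original thread or of pkgutil: a POSIX shell check that reports which settings in an admin file differ from the one listed in note 0009211. The function names are hypothetical, and the sample input is constructed from the admin file quoted in note 0009210.

```shell
#!/bin/sh
# Added example: report admin-file settings that differ from the file
# shown in note 0009211. All function names here are hypothetical.

# Expected settings, copied from the admin file listed in note 0009211.
expected_admin() {
    printf '%s\n' mail= instance=overwrite partial=nocheck runlevel=nocheck \
        idepend=nocheck rdepend=nocheck space=nocheck setuid=nocheck \
        conflict=nocheck action=nocheck basedir=default
}

# Constructed sample input: the modified admin file quoted in note 0009210.
reporter_admin() {
    printf '%s\n' mail= instance=overwrite partial=quit runlevel=quit \
        idepend=quit rdepend=quit space=quit setuid=nocheck \
        conflict=nocheck action=nocheck basedir=default
}

# admin_drift FILE
# Prints one line per key whose value is missing or differs from the
# expected setting. Returns 1 if any drift was found, 0 otherwise.
admin_drift() {
    file=$1
    drift=0
    while IFS='=' read -r key want; do
        if ! grep -q "^${key}=" "$file"; then
            echo "$key: expected=$want actual=<missing>"
            drift=1
            continue
        fi
        # Assumption: if a key is repeated, check its last occurrence.
        have=$(sed -n "s/^${key}=//p" "$file" | tail -1)
        if [ "$have" != "$want" ]; then
            echo "$key: expected=$want actual=$have"
            drift=1
        fi
    done <<EOF
$(expected_admin)
EOF
    return $drift
}

# Demo on the constructed sample; on a real system pass
# /var/opt/csw/pkgutil/admin instead.
tmp=$(mktemp) && reporter_admin > "$tmp"
admin_drift "$tmp" || echo "admin file differs from the expected settings"
rm -f "$tmp"
```

For the sample it flags partial, runlevel, idepend, rdepend and space; rdepend=quit is the setting the reporter identified as making the pkgrm step fail before pkgadd ran with instance=overwrite.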




- Issue History
Date Modified Username Field Change
2011-07-19 15:16 domcleal New Issue
2011-07-21 17:04 yann Note Added: 0009202
2011-07-21 17:04 yann Assigned To => yann
2011-07-21 17:04 yann Status new => feedback
2011-07-21 18:10 domcleal Note Added: 0009208
2011-07-22 00:37 yann Note Added: 0009209
2011-07-22 12:22 domcleal Note Added: 0009210
2011-07-22 14:53 yann Note Added: 0009211
2011-07-22 17:50 domcleal Note Added: 0009212
2011-07-22 18:24 yann Note Added: 0009213
2011-07-22 18:24 yann Status feedback => resolved
2011-07-22 18:24 yann Resolution open => fixed
2011-11-04 23:00 yann Status resolved => closed

