ID: 0004807
Category: [libssl0_9_8] upgrade
Severity: major
Reproducibility: always
Date Submitted: 2011-07-19 15:16
Last Update: 2011-11-04 23:00
Reporter: domcleal
View Status: public
Assigned To: yann
Priority: normal
Resolution: fixed
Status: closed
Summary: 0004807: Migration of SSL certs fails on upgrade
Description

When upgrading with pkgutil from openssl_rt-0.9.8,REV=2007.12.26_rev=g-SunOS5.8-sparc-CSW to openssl_rt-0.9.8r,REV=2011.02.12-SunOS5.9-sparc-CSW, the package preinstall performs a migration of SSL certs from /opt/csw/ssl/certs to /opt/csw/etc/ssl/certs. This causes the pkgadd to fail, as it also removes the /opt/csw/ssl/certs directory:

    Custom certificates have been installed in /opt/csw/ssl/certs/.
    They will be moved under /opt/csw/etc/ssl/certs.
    see /opt/csw/share/doc/openssl_rt/README.CSW for more information
    about CA.
    WARNING: /opt/csw/ssl/certs <no longer a directory>
    mv: cannot rename /opt/csw/ssl/certs/demo to /opt/csw/etc/ssl/certs/demo: File exists
    mv: cannot rename /opt/csw/ssl/certs/expired to /opt/csw/etc/ssl/certs/expired: File exists
    rmdir: directory "/opt/csw/ssl/certs": Directory not empty
    WARNING: /opt/csw/ssl/certs may not overwrite a populated directory.
    pkgadd: ERROR: /opt/csw/ssl/certs could not be installed.
    Updating certificates in /opt/csw/etc/ssl/certs...done.
    Installation of <CSWosslrt> partially failed.

Removing the "rmdir /opt/csw/ssl/certs" from the preinstall lets the upgrade go through, indicating perhaps that the directory should be left in place?
Additional Information

Full pkgadd -v trace:

    + [ ! -h /opt/csw/ssl/certs ]
    + [ -d /opt/csw/ssl/certs ]
    + ls -1 /opt/csw/ssl/certs/
    + [ -n 1e49180d.0 2edf7016.0 56e607f4.0 6adf0799.0 7651b327.0 7a9820c1.0 843b6c51.0 878cf4c6.0 a3c60019.0 aad3d04d.0 argena.pem argeng.pem c33a80d4.0 cdd7aee7.0 d4e39186.0 ddc328ff.0 demo eng1.pem eng2.pem eng3.pem eng4.pem eng5.pem expired f73e89fd.0 RegTP-5R.pem RegTP-6R.pem thawteCb.pem thawteCp.pem vsign1.pem vsign3.pem vsignss.pem wellsfgo.pem ]
    + echo Custom certificates have been installed in /opt/csw/ssl/certs/.
    Custom certificates have been installed in /opt/csw/ssl/certs/.
    + echo They will be moved under /opt/csw/etc/ssl/certs.
    They will be moved under /opt/csw/etc/ssl/certs.
    + echo see /opt/csw/share/doc/openssl_rt/README.CSW for more information
    see /opt/csw/share/doc/openssl_rt/README.CSW for more information
    + echo about CA.
    about CA.
    + cat MOVE_CERTS=Yes
    + exit 0
    WARNING: /opt/csw/ssl/certs <no longer a directory>
    + [ Yes = Yes ]
    + mv -f /opt/csw/ssl/certs/1e49180d.0 /opt/csw/ssl/certs/2edf7016.0 /opt/csw/ssl/certs/56e607f4.0 /opt/csw/ssl/certs/6adf0799.0 /opt/csw/ssl/certs/7651b327.0 /opt/csw/ssl/certs/7a9820c1.0 /opt/csw/ssl/certs/843b6c51.0 /opt/csw/ssl/certs/878cf4c6.0 /opt/csw/ssl/certs/RegTP-5R.pem /opt/csw/ssl/certs/RegTP-6R.pem /opt/csw/ssl/certs/a3c60019.0 /opt/csw/ssl/certs/aad3d04d.0 /opt/csw/ssl/certs/argena.pem /opt/csw/ssl/certs/argeng.pem /opt/csw/ssl/certs/c33a80d4.0 /opt/csw/ssl/certs/cdd7aee7.0 /opt/csw/ssl/certs/d4e39186.0 /opt/csw/ssl/certs/ddc328ff.0 /opt/csw/ssl/certs/demo /opt/csw/ssl/certs/eng1.pem /opt/csw/ssl/certs/eng2.pem /opt/csw/ssl/certs/eng3.pem /opt/csw/ssl/certs/eng4.pem /opt/csw/ssl/certs/eng5.pem /opt/csw/ssl/certs/expired /opt/csw/ssl/certs/f73e89fd.0 /opt/csw/ssl/certs/thawteCb.pem /opt/csw/ssl/certs/thawteCp.pem /opt/csw/ssl/certs/vsign1.pem /opt/csw/ssl/certs/vsign3.pem /opt/csw/ssl/certs/vsignss.pem /opt/csw/ssl/certs/wellsfgo.pem /opt/csw/etc/ssl/certs
    + rmdir /opt/csw/ssl/certs
    + true
    pkgadd: ERROR: unable to remove existing directory at </opt/csw/ssl/certs>
    Installation of <CSWosslrt> failed (internal error) - package partially installed.

Notes

(0009202) yann (manager) 2011-07-21 17:04

I uploaded a new set of openssl packages in my experimental repository: http://buildfarm.opencsw.org/experimental.html#yann

The new openssl_rt package should fix your issue. Could you try these packages and give me some feedback?

(0009208) domcleal (reporter) 2011-07-21 18:10

Thanks for the quick response Yann. The issue's still there unfortunately. I see the method of migrating the certs has changed, but I think the issue might not be that. The error goes away when the /opt/csw/ssl/certs directory is not removed by the preinstall though, so should it not be doing this?

    # pkgutil --trace -t http://buildfarm.opencsw.org/opencsw/experimental/yann -y -u CSWosslrt
    [ snip ]
    + read FILE
    + dirname ./vsign3.pem
    + mkdir -p -m 0755 /opt/csw/etc/ssl/certs/.
    + mv ./vsign3.pem /opt/csw/etc/ssl/certs/./vsign3.pem
    + read FILE
    + find . ! -name . -type d -exec rmdir {} ;
    + rmdir /opt/csw/ssl/certs
    + true
    pkgadd: ERROR: unable to remove existing directory at </opt/csw/ssl/certs>
    Installation of <CSWosslrt> failed (internal error) - package partially installed.
    pkgadd failed with exit code: 1

(0009209) yann (manager) 2011-07-22 00:37

Hi,

The /opt/csw/ssl/certs should be removed so that pkgadd can create a symlink /opt/csw/ssl/certs -> /opt/csw/etc/ssl/certs

It is perfectly normal that the /opt/csw/ssl/certs is removed. In fact, if there is no custom file installed in /opt/csw/ssl/certs, it should always be removed when the previous openssl_rt package is removed. See Demonstration 1.

I am a bit surprised that removing the rmdir solves the problem. If I create custom files in /opt/csw/ssl/certs, I also can't reproduce your bug, see demonstration 2.

So I suppose there is something specific in your configuration. The things that come to my mind are:
- /opt/csw/ssl/certs is a mount point,
- /opt/csw is zone shared.

Could you give me more information about your setup so I understand the conditions that trigger this bug?

Thanks in advance,
Yann

Demonstration 1:

    # pkginfo -l CSWosslrt | grep VERSION
    VERSION: 0.9.8,REV=2007.12.26_rev=g
    # ls -ld /opt/csw/ssl/certs
    drwxr-xr-x 4 root bin 1024 Jul 22 00:16 /opt/csw/ssl/certs
    # pkgrm CSWosslrt
    [...]
    # ls -ld /opt/csw/ssl/certs
    /opt/csw/ssl/certs: No such file or directory

If the last openssl_rt is then installed, there is no problem:

    # pkgutil --trace -t http://buildfarm.opencsw.org/opencsw/experimental/yann -i openssl_rt
    [...]
    Installation of <CSWosslrt> was successful.

Demonstration 2:

    # # Let's create some custom files
    # cd /opt/csw/ssl/certs
    # mkdir -p demo expired
    # touch test1.pem demo/test2.pem expired/test3.pem
    # I also create demo and expired directory at the new location to create a clash (triggered a problem with the previous package).
    # mkdir -p /opt/csw/etc/ssl/certs/demo /opt/csw/etc/ssl/certs/expired
    # pkgrm CSWosslrt
    Removal of <CSWosslrt> was successful.
    # ls -l /opt/csw/ssl/certs/
    total 4
    drwxr-xr-x 2 root bin 512 Jul 22 00:29 demo
    drwxr-xr-x 2 root bin 512 Jul 22 00:29 expired
    -rw-r--r-- 1 root root 0 Jul 22 00:27 test1.pem
    [...]
    ## Executing checkinstall script.
    + /usr/bin/uname -p
    PLATFORM=i386
    + /usr/bin/uname -r
    VERSION=5.10
    + [ 5.10 -eq 5.8 ]
    + [ ! -c /dev/random ]
    + [ ! -c /dev/urandom ]
    + [ = 1 ]
    + [ ! -h /opt/csw/ssl/certs ]
    + [ -d /opt/csw/ssl/certs ]
    + ls -1 /opt/csw/ssl/certs/
    + [ -n demo expired test1.pem ]
    + echo Custom certificates have been installed in /opt/csw/ssl/certs/.
    Custom certificates have been installed in /opt/csw/ssl/certs/.
    + echo They will be moved under /opt/csw/etc/ssl/certs.
    They will be moved under /opt/csw/etc/ssl/certs.
    + echo see /opt/csw/share/doc/openssl_rt/README.CSW for more information
    see /opt/csw/share/doc/openssl_rt/README.CSW for more information
    + echo about CA.
    about CA.
    + cat MOVE_CERTS=Yes
    + exit 0
    [...]
    ## Executing preinstall script.
    + [ Yes = Yes ]
    + cd /opt/csw/ssl/certs
    + [ 0 -eq 0 ]
    + pwd
    + [ /opt/csw/ssl/certs = /opt/csw/ssl/certs ]
    + find . -type f
    + read FILE
    + dirname ./demo/test2.pem
    + mkdir -p -m 0755 /opt/csw/etc/ssl/certs/./demo
    + mv ./demo/test2.pem /opt/csw/etc/ssl/certs/./demo/test2.pem
    + read FILE
    + dirname ./expired/test3.pem
    + mkdir -p -m 0755 /opt/csw/etc/ssl/certs/./expired
    + mv ./expired/test3.pem /opt/csw/etc/ssl/certs/./expired/test3.pem
    + read FILE
    + dirname ./test1.pem
    + mkdir -p -m 0755 /opt/csw/etc/ssl/certs/.
    + mv ./test1.pem /opt/csw/etc/ssl/certs/./test1.pem
    + read FILE
    + find . ! -name . -type d -exec rmdir {} ;
    + rmdir /opt/csw/ssl/certs
    + true
    [...]
    /opt/csw/ssl/certs <symbolic link>
    [...]
    Installation of <CSWosslrt> was successful.

(0009210) domcleal (reporter) 2011-07-22 12:22

I don't think that it's a particular local configuration, but to do with the method. I'm using the pkgutil -u method to upgrade the package in-place.

Looking under the covers at pkgutil, the pkgrm is failing as the admin file has rdepend=quit and other packages (CSWwget etc) are installed and depend on it. pkgutil continues and does the pkgadd (using instance=overwrite) while the old package remains on the system.

Therefore the issue occurs if you perform a pkgadd over the existing package, using instance=overwrite. The pkgutil admin file looks like this:

    # cat /var/opt/csw/pkgutil/admin
    mail=
    instance=overwrite
    partial=quit
    runlevel=quit
    idepend=quit
    rdepend=quit
    space=quit
    setuid=nocheck
    conflict=nocheck
    action=nocheck
    basedir=default

First install the old package:

    # ls -ld /opt/csw/etc/ssl/certs /opt/csw/ssl/certs
    /opt/csw/etc/ssl/certs: No such file or directory
    /opt/csw/ssl/certs: No such file or directory
    # pkgadd -n -a /var/opt/csw/pkgutil/admin -d openssl_rt-0.9.8\,REV\=2007.12.26_rev\=g-SunOS5.8-sparc-CSW.pkg CSWosslrt
    [snip]
    Installation of <CSWosslrt> was successful.
    # pkginfo -x CSWosslrt
    CSWosslrt openssl_rt - Openssl runtime libraries
              (sparc) 0.9.8,REV=2007.12.26_rev=g
    # ls -ld /opt/csw/etc/ssl/certs /opt/csw/ssl/certs
    /opt/csw/etc/ssl/certs: No such file or directory
    drwxr-xr-x 4 root bin 34 Jul 22 11:11 /opt/csw/ssl/certs

And then install the new package:

    # pkgadd -v -n -a /var/opt/csw/pkgutil/admin -d openssl_rt-0.9.8r\,REV\=2011.07.21-SunOS5.9-sparc-CSW.pkg CSWosslrt
    [snip]
    + rmdir /opt/csw/ssl/certs
    + true
    pkgadd: ERROR: unable to remove existing directory at </opt/csw/ssl/certs>
    Installation of <CSWosslrt> failed (internal error) - package
    # ls -ld /opt/csw/etc/ssl/certs /opt/csw/ssl/certs
    /opt/csw/ssl/certs: No such file or directory
    drwxr-xr-x 4 root other 34 Jul 22 11:11 /opt/csw/etc/ssl/certs

(0009211) yann (manager) 2011-07-22 14:53

Hi,

I still don't reproduce the bug using pkgutil directly.

    # pkginfo -x CSWosslrt
    CSWosslrt openssl_rt - Openssl runtime libraries
              (i386) 0.9.8,REV=2007.12.26_rev=g
    # pkgutil -t http://buildfarm.opencsw.org/opencsw/experimental/yann -y -u openssl_rt
    [...]
    => Removing old version of CSWosslrt (1/1) ...
    Removal of <CSWosslrt> was successful.
    => Installing CSWosslrt-0.9.8r,REV=2011.07.21 (1/1) ...
    Please see /opt/csw/share/doc/openssl_rt/license for license information.
    Custom certificates have been installed in /opt/csw/ssl/certs/.
    They will be moved under /opt/csw/etc/ssl/certs.
    see /opt/csw/share/doc/openssl_rt/README.CSW for more information
    about CA.
    Updating certificates in /opt/csw/etc/ssl/certs...done.
    Installation of <CSWosslrt> was successful.

The difference is in our admin file:

    # cat /var/opt/csw/pkgutil/admin
    mail=
    instance=overwrite
    partial=nocheck
    runlevel=nocheck
    idepend=nocheck
    rdepend=nocheck
    space=nocheck
    setuid=nocheck
    conflict=nocheck
    action=nocheck
    basedir=default

I checked the 2.1,REV=2010.07.28 and the 2.4,REV=2011.05.15 versions, and the default provided admin file is identical to mine. Have you made some modifications to your admin file?

(0009212) domcleal (reporter) 2011-07-22 17:50

That was it, thanks for spotting the difference. I wasn't aware that this had been changed in our environment.

Having tested with your correct admin file, the upgrade works fine - removing the old package and standard certs, migrating custom certs and setting up the symlink without errors.

Sorry for the unnecessary bug report.

(0009213) yann (manager) 2011-07-22 18:24

No problem, you also raised a corner case that I fixed with the new package.
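
The root cause in this thread was a locally modified pkgutil admin file. The following check is an added example, not part of the original thread and not OpenCSW code: it compares an admin file against the default values quoted in note 0009211 and lists every key that differs. The function and variable names are illustrative, and a POSIX shell is assumed.

```shell
#!/bin/sh
# Added example (not OpenCSW code): report where a pkgutil admin file deviates
# from the defaults quoted in note 0009211. Names are illustrative.
# Note 0009210 ties the failed pkgrm, and so the in-place pkgadd, to rdepend=quit.

# Default values as listed in note 0009211.
PKGUTIL_ADMIN_DEFAULTS='mail=
instance=overwrite
partial=nocheck
runlevel=nocheck
idepend=nocheck
rdepend=nocheck
space=nocheck
setuid=nocheck
conflict=nocheck
action=nocheck
basedir=default'

# admin_drift FILE
# Prints one line per key that is missing or differs from the default.
# Returns 0 if the file matches, 1 on drift, 2 if the file is unreadable.
admin_drift() {
    file=$1
    drift=0
    [ -r "$file" ] || { echo "cannot read $file" >&2; return 2; }
    while IFS='=' read -r key want; do
        # If a key appears more than once, compare its last occurrence
        # (assumed here to be the one that takes effect).
        line=$(grep "^${key}=" "$file" | tail -1)
        if [ -z "$line" ]; then
            echo "$key: missing, default '$want'"
            drift=1
        elif [ "${line#*=}" != "$want" ]; then
            echo "$key: found '${line#*=}', default '$want'"
            drift=1
        fi
    done <<EOF
$PKGUTIL_ADMIN_DEFAULTS
EOF
    return "$drift"
}

# When run directly with a path argument, check that file.
if [ $# -gt 0 ]; then
    admin_drift "$1"
fi
```

Run against the admin file shown in note 0009210, it reports partial, runlevel, idepend, rdepend and space as changed from nocheck to quit.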