[-- Attachment #1: Type: text/html, Size: 3395 bytes --] [-- Attachment #2: Type: text/plain, Size: 869 bytes --] Hello, [Summary] - The icecat package doesn't correctly set the LD_LIBRARY_PATH variable during the wrap-program build stage to include mit-krb5 libraries so kerberos authentication fails as the libraries are not found at runtime: [Details] Execution logs obtained by running icecat with the following setup: $ export NSPR_LOG_FILE=icecat $ export NSPR_LOG_MODULES=negotiateauth:5 $ icecat icecat.moz_log: ------------------------------------------------------------------------ [Parent 30197: Main Thread]: D/negotiateauth entering nsAuthGSSAPI::nsAuthGSSAPI() [Parent 30197: Main Thread]: D/negotiateauth Fail to load gssapi library [Parent 30197: Main Thread]: D/negotiateauth entering nsAuthGSSAPI::Init() Confirmed by running through strace: $ strace -e "open,openat" icecat 2>&1 |grep -E "gssapi|krb5" (See results in attachment) Best regards, Ignacio [-- Attachment #3: icecat-strace.log --] [-- Type: application/octet-stream, Size: 6856 bytes --] ❯ strace -e "open,openat" icecat 2>&1 |grep -E "gssapi|krb5" openat(AT_FDCWD, "/gnu/store/k4lccf55n3b43jfhf1rgivlmr5wbi52a-pulseaudio-14.0/lib/libgssapi_krb5.so.2", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory) openat(AT_FDCWD, "/gnu/store/m59c9hj9d4n65maimbpmx2xq56d2mvqs-mesa-20.2.4/lib/libgssapi_krb5.so.2", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory) openat(AT_FDCWD, "/gnu/store/5nwyg1wacrngnz9dynlx7wab733n3lz3-libxscrnsaver-1.2.3/lib/libgssapi_krb5.so.2", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory) openat(AT_FDCWD, "/gnu/store/zyyiykxmm1bfz0as66avswwrzfxkh1x2-icecat-78.11.0-guix0-preview1/lib/icecat/libgssapi_krb5.so.2", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory) openat(AT_FDCWD, "/gnu/store/fa6wj5bxkj5ll1d7292a70knmyl7a0cr-glibc-2.31/lib/libgssapi_krb5.so.2", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory) openat(AT_FDCWD, "/gnu/store/01b4w3m6mp55y531kyi1g8shh722kwqm-gcc-7.5.0-lib/lib/libgssapi_krb5.so.2", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory) openat(AT_FDCWD, "/gnu/store/01b4w3m6mp55y531kyi1g8shh722kwqm-gcc-7.5.0-lib/lib/gcc/x86_64-unknown-linux-gnu/7.5.0/../../../libgssapi_krb5.so.2", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory) openat(AT_FDCWD, "/gnu/store/fa6wj5bxkj5ll1d7292a70knmyl7a0cr-glibc-2.31/lib/libgssapi_krb5.so.2", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory) openat(AT_FDCWD, "/gnu/store/k4lccf55n3b43jfhf1rgivlmr5wbi52a-pulseaudio-14.0/lib/libgssapi.so.4", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory) openat(AT_FDCWD, "/gnu/store/m59c9hj9d4n65maimbpmx2xq56d2mvqs-mesa-20.2.4/lib/libgssapi.so.4", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory) openat(AT_FDCWD, "/gnu/store/5nwyg1wacrngnz9dynlx7wab733n3lz3-libxscrnsaver-1.2.3/lib/libgssapi.so.4", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory) openat(AT_FDCWD, "/gnu/store/zyyiykxmm1bfz0as66avswwrzfxkh1x2-icecat-78.11.0-guix0-preview1/lib/icecat/libgssapi.so.4", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory) openat(AT_FDCWD, "/gnu/store/fa6wj5bxkj5ll1d7292a70knmyl7a0cr-glibc-2.31/lib/libgssapi.so.4", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory) openat(AT_FDCWD, "/gnu/store/01b4w3m6mp55y531kyi1g8shh722kwqm-gcc-7.5.0-lib/lib/libgssapi.so.4", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory) openat(AT_FDCWD, "/gnu/store/01b4w3m6mp55y531kyi1g8shh722kwqm-gcc-7.5.0-lib/lib/gcc/x86_64-unknown-linux-gnu/7.5.0/../../../libgssapi.so.4", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory) openat(AT_FDCWD, "/gnu/store/fa6wj5bxkj5ll1d7292a70knmyl7a0cr-glibc-2.31/lib/libgssapi.so.4", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory) openat(AT_FDCWD, "/gnu/store/k4lccf55n3b43jfhf1rgivlmr5wbi52a-pulseaudio-14.0/lib/libgssapi.so.1", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory) openat(AT_FDCWD, "/gnu/store/m59c9hj9d4n65maimbpmx2xq56d2mvqs-mesa-20.2.4/lib/libgssapi.so.1", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory) openat(AT_FDCWD, "/gnu/store/5nwyg1wacrngnz9dynlx7wab733n3lz3-libxscrnsaver-1.2.3/lib/libgssapi.so.1", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory) openat(AT_FDCWD, "/gnu/store/zyyiykxmm1bfz0as66avswwrzfxkh1x2-icecat-78.11.0-guix0-preview1/lib/icecat/libgssapi.so.1", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory) openat(AT_FDCWD, "/gnu/store/fa6wj5bxkj5ll1d7292a70knmyl7a0cr-glibc-2.31/lib/libgssapi.so.1", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory) openat(AT_FDCWD, "/gnu/store/01b4w3m6mp55y531kyi1g8shh722kwqm-gcc-7.5.0-lib/lib/libgssapi.so.1", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory) openat(AT_FDCWD, "/gnu/store/01b4w3m6mp55y531kyi1g8shh722kwqm-gcc-7.5.0-lib/lib/gcc/x86_64-unknown-linux-gnu/7.5.0/../../../libgssapi.so.1", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory) openat(AT_FDCWD, "/gnu/store/fa6wj5bxkj5ll1d7292a70knmyl7a0cr-glibc-2.31/lib/libgssapi.so.1", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory) openat(AT_FDCWD, "/gnu/store/k4lccf55n3b43jfhf1rgivlmr5wbi52a-pulseaudio-14.0/lib/libgssapi_krb5.so", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory) openat(AT_FDCWD, "/gnu/store/m59c9hj9d4n65maimbpmx2xq56d2mvqs-mesa-20.2.4/lib/libgssapi_krb5.so", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory) openat(AT_FDCWD, "/gnu/store/5nwyg1wacrngnz9dynlx7wab733n3lz3-libxscrnsaver-1.2.3/lib/libgssapi_krb5.so", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory) openat(AT_FDCWD, "/gnu/store/zyyiykxmm1bfz0as66avswwrzfxkh1x2-icecat-78.11.0-guix0-preview1/lib/icecat/libgssapi_krb5.so", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory) openat(AT_FDCWD, "/gnu/store/fa6wj5bxkj5ll1d7292a70knmyl7a0cr-glibc-2.31/lib/libgssapi_krb5.so", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory) openat(AT_FDCWD, "/gnu/store/01b4w3m6mp55y531kyi1g8shh722kwqm-gcc-7.5.0-lib/lib/libgssapi_krb5.so", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory) openat(AT_FDCWD, "/gnu/store/01b4w3m6mp55y531kyi1g8shh722kwqm-gcc-7.5.0-lib/lib/gcc/x86_64-unknown-linux-gnu/7.5.0/../../../libgssapi_krb5.so", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory) openat(AT_FDCWD, "/gnu/store/fa6wj5bxkj5ll1d7292a70knmyl7a0cr-glibc-2.31/lib/libgssapi_krb5.so", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory) openat(AT_FDCWD, "/gnu/store/k4lccf55n3b43jfhf1rgivlmr5wbi52a-pulseaudio-14.0/lib/libgssapi.so", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory) openat(AT_FDCWD, "/gnu/store/m59c9hj9d4n65maimbpmx2xq56d2mvqs-mesa-20.2.4/lib/libgssapi.so", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory) openat(AT_FDCWD, "/gnu/store/5nwyg1wacrngnz9dynlx7wab733n3lz3-libxscrnsaver-1.2.3/lib/libgssapi.so", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory) openat(AT_FDCWD, "/gnu/store/zyyiykxmm1bfz0as66avswwrzfxkh1x2-icecat-78.11.0-guix0-preview1/lib/icecat/libgssapi.so", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory) openat(AT_FDCWD, "/gnu/store/fa6wj5bxkj5ll1d7292a70knmyl7a0cr-glibc-2.31/lib/libgssapi.so", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory) openat(AT_FDCWD, "/gnu/store/01b4w3m6mp55y531kyi1g8shh722kwqm-gcc-7.5.0-lib/lib/libgssapi.so", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory) openat(AT_FDCWD, "/gnu/store/01b4w3m6mp55y531kyi1g8shh722kwqm-gcc-7.5.0-lib/lib/gcc/x86_64-unknown-linux-gnu/7.5.0/../../../libgssapi.so", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory) openat(AT_FDCWD, "/gnu/store/fa6wj5bxkj5ll1d7292a70knmyl7a0cr-glibc-2.31/lib/libgssapi.so", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
[-- Attachment #1: Type: text/plain, Size: 1073 bytes --] Hi Ignacio, Ignacio Coterillo <ignacio.coterillo@gmail.com> writes: > [Summary] > - The icecat package doesn't correctly set the LD_LIBRARY_PATH > variable during the wrap-program build stage to include mit-krb5 libraries > so kerberos authentication fails as the libraries are not found at runtime: Thanks for this report. I've attached a proposed patch that might fix the problem. I've verified that the modified IceCat package builds and runs successfully, but I'm unable to test it properly because I don't have access to any system that uses Kerberos authentication. Are you able to test this patch? One way to do so is to clone the master branch of our git repository, apply this patch to the Guix git checkout and build it, and then run that modified copy of Guix (without installing it) to build icecat. See sections 16.1 (Building from Git) and 16.2 (Running Guix Before It Is Installed) of our manual for details of how to do this. If you encounter difficulties or have additional questions, please do not hesitate to ask. Regards, Mark [-- Warning: decoded text below may be mangled, UTF-8 assumed --] [-- Attachment #2: [PATCH] UNTESTED: gnu: icecat: Fix Kerberos support --] [-- Type: text/x-patch, Size: 2081 bytes --] From 857f829906e0f8d9583a32ad47c91149c7714171 Mon Sep 17 00:00:00 2001 From: Mark H Weaver <mhw@netris.org> Date: Sun, 13 Jun 2021 19:11:15 -0400 Subject: [PATCH] UNTESTED: gnu: icecat: Fix Kerberos support. Fixes <https://bugs.gnu.org/48959>. * gnu/packages/gnuzilla.scm (icecat)[arguments]: In the 'wrap-program' phase, add mit-krb5 to the LD_LIBRARY_PATH. --- gnu/packages/gnuzilla.scm | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/gnu/packages/gnuzilla.scm b/gnu/packages/gnuzilla.scm index c63809c20c..a997fc1c73 100644 --- a/gnu/packages/gnuzilla.scm +++ b/gnu/packages/gnuzilla.scm @@ -1276,14 +1276,19 @@ from forcing GEXP-PROMISE." (pulseaudio (assoc-ref inputs "pulseaudio")) (pulseaudio-lib (string-append pulseaudio "/lib")) (libxscrnsaver (assoc-ref inputs "libxscrnsaver")) - (libxscrnsaver-lib (string-append libxscrnsaver "/lib"))) + (libxscrnsaver-lib (string-append libxscrnsaver "/lib")) + (mit-krb5 (assoc-ref inputs "mit-krb5")) + (mit-krb5-lib (string-append mit-krb5 "/lib"))) (wrap-program (car (find-files lib "^icecat$")) `("XDG_DATA_DIRS" prefix (,gtk-share)) ;; The following line is commented out because the icecat ;; package on guix has been observed to be unstable when ;; using wayland, and the bundled extensions stop working. ;; `("MOZ_ENABLE_WAYLAND" = ("1")) - `("LD_LIBRARY_PATH" prefix (,pulseaudio-lib ,mesa-lib ,libxscrnsaver-lib))) + `("LD_LIBRARY_PATH" prefix (,pulseaudio-lib + ,mesa-lib + ,libxscrnsaver-lib + ,mit-krb5-lib))) #t)))))) (home-page "https://www.gnu.org/software/gnuzilla/") (synopsis "Entirely free browser derived from Mozilla Firefox") -- 2.31.1 [-- Attachment #3: Type: text/plain, Size: 154 bytes --] -- Disinformation flourishes because many people care deeply about injustice but very few check the facts. Ask me about <https://stallmansupport.org>.
Hello again, Earlier, I wrote: > Are you able to test this patch? One way to do so is to clone the > master branch of our git repository, apply this patch to the Guix git > checkout and build it, and then run that modified copy of Guix (without > installing it) to build icecat. On second thought, it would be sufficient and *much* easier to simply verify that Kerberos authentication works in IceCat if you launch it with the following Bash shell command: LD_LIBRARY_PATH=$(guix build mit-krb5)/lib icecat Would you like to try it and report back? Thanks, Mark -- Disinformation flourishes because many people care deeply about injustice but very few check the facts. Ask me about <https://stallmansupport.org>.
Hi Mark,
Thank you for looking at his.
First, I confirm that Kerberos authentication works when running
icecat as:
LD_LIBRARY_PATH=$(guix build mit-krb5)/lib icecat
Regarding the patch, I actually tried to build the package with
those
exact changes myself before submitting the bug for further testing
but didn't manage to complete the build.
The build process would go on for over a day (most of the time
spent in
bootstrapping the rust inputs) until failing because of lack of
disk space.
I've been reading through the different mailing list archives and
the rust
bootstrapping process seems to be a known problem.
Is there a way of improve the behaviour to work on these kind of
big packages?
Is it possible to estimate a priori the amount of space a build
would
require to prevent failures?
Best regards,
Ignacio
Mark H Weaver <mhw@netris.org> writes:
> Hello again,
>
> Earlier, I wrote:
>> Are you able to test this patch? One way to do so is to clone
>> the
>> master branch of our git repository, apply this patch to the
>> Guix git
>> checkout and build it, and then run that modified copy of Guix
>> (without
>> installing it) to build icecat.
>
> On second thought, it would be sufficient and *much* easier to
> simply
> verify that Kerberos authentication works in IceCat if you
> launch it
> with the following Bash shell command:
>
> LD_LIBRARY_PATH=$(guix build mit-krb5)/lib icecat
>
> Would you like to try it and report back?
>
> Thanks,
> Mark
Hi Ignacio, Ignacio Coterillo <ignacio.coterillo@gmail.com> writes: > First, I confirm that Kerberos authentication works when running > icecat as: > > LD_LIBRARY_PATH=$(guix build mit-krb5)/lib icecat Thanks. I just pushed my proposed patch to the master branch, commit 61b904b744c1f16084c79e526837cc7fe73f9b92. I'm also closing this bug now, but feel free to reopen it if there are remaining problems. > Regarding the patch, I actually tried to build the package with those > exact changes myself before submitting the bug for further testing but > didn't manage to complete the build. The build process would go on > for over a day (most of the time spent in bootstrapping the rust > inputs) until failing because of lack of disk space. Hmm. If you built a recent commit from the 'master' branch of Guix, and had substitutes enabled, then it should _not_ have tried to build Rust locally. My guess is that you didn't pass "--sysconfdir=/etc" to ./configure. Consequently, the locally-built Guix is looking in /usr/local/etc/guix for its authorized signing keys, whereas the default configuration of Guix (as self-built by Guix itself and as installed by our distributed installers) looks in /etc/guix. That would explain why the locally-built Guix is not using substitutes. I suggest passing "--sysconfdir=/etc" (and "--localstatedir=/var") to ./configure, re-running "make" in your Git checkout, and trying again. Alternatively, you could copy (using "cp -a") /etc/guix to /usr/local/etc/guix. > Is it possible to estimate a priori the amount of space a build would > require to prevent failures? No. However, 80 GB is more than sufficient to build an entire GNOME-based Guix system plus Rust and IceCat from source code. I know this because for several years I've been building my GNOME-based Guix system locally (with substitutes disabled) on a Thinkpad X200 with 4 GB of RAM, 8 GB of Swap, and only ~75 GB of disk available for Guix. If you have a separate /tmp partition, perhaps it is too small. When building packages locally, the temporary build directories are put in /tmp by default. It's possible to configure 'guix-daemon' to put them elsewhere, either by passing the TMPDIR environment variable to 'guix-daemon' (if running it by hand), or via the 'tmpdir' field of the 'guix-configuration' by putting something like the following code in the 'services' field of your OS configuration. --8<---------------cut here---------------start------------->8--- _ (services (cons* … __________________ (modify-services %desktop-services ____________________ (guix-service-type config => _______________________________________ (guix-configuration _________________________________________ (inherit config) _________________________________________ (tmpdir "/var/tmp")))))) --8<---------------cut here---------------end--------------->8--- Please let us know if you continue to have difficulties. Regards, Mark -- Disinformation flourishes because many people care deeply about injustice but very few check the facts. Ask me about <https://stallmansupport.org>.