Bug 1040027

Summary: bind (named): fails to start since the introduction of namespaced openSSL packages
Product: [openSUSE] openSUSE Tumbleweed Reporter: Dominique Leuenberger <dimstar>
Component: OtherAssignee: Navin Kukreja <navin.kukreja>
Status: RESOLVED FIXED QA Contact: E-mail List <qa-bugs>
Severity: Major    
Priority: P2 - High CC: bill, dimstar, jeroen.forums.opensuse.org, max, normand, tchvatal
Version: Current   
Target Milestone: ---   
Hardware: Other   
OS: Other   
Whiteboard:
Found By: --- Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---
Bug Depends on: 1040697    
Bug Blocks:    

Description Dominique Leuenberger 2017-05-20 10:44:40 UTC 
openssl had quite substantial changes as it is now possible to have openssl 1.0 and 1.1 in parallel on the system.

In plus, it moved from / to /usr to make this easier to manage

As a consequence, bind's init script is no longer able to find the ssl engines to copy to the chroot

The result being that named fails to start (unless one sets it not to start in chroot)
Comment 1 Dominique Leuenberger 2017-05-20 10:46:04 UTC 
openQA is currently blocking openSUSE Tumbleweed snapshots based on this issue:

openSUSE:Factory:Staging:C:DVD/java-1_7_0-openjdk-bootstrap/standard/x86_64
Comment 2 Dominique Leuenberger 2017-05-20 10:50:46 UTC 
(In reply to Dominique Leuenberger from comment #1)

> openSUSE:Factory:Staging:C:DVD/java-1_7_0-openjdk-bootstrap/standard/x86_64

Obviously of no interest to this bug - the interesting link would be to openQA:

https://openqa.opensuse.org/tests/406102#step/dns_srv/11
Comment 3 Dominique Leuenberger 2017-05-20 12:22:12 UTC 
I created sr#496935

The path to the engines is detected during build and injected into the init script

It relies on correct information provided by libcrypto.pc (which, if inaccurate, would be an openssl bug)

I tested this package on my VM running snapshot 0518
* cleaned out /var/lib/named (just to be sure)
* installed the bind packages from home:dimstar:Factory
* started the service ==> successfully
Comment 4 Bernhard Wiedemann 2017-05-20 16:01:03 UTC 
This is an autogenerated message for OBS integration:
This bug (1040027) was mentioned in
https://build.opensuse.org/request/show/496968 Factory / bind
Comment 5 Jeroen Pluimers 2017-05-24 20:03:12 UTC 
To make it easier to find this, I've included the below `journalctl -xe` fragment:

```
May 24 21:29:51 laurel named[3235]: ENGINE_by_id failed (crypto failure)
May 24 21:29:51 laurel named[3235]: error:25070067:DSO support routines:DSO_load:could not load the shared library:dso_lib.c:233:
May 24 21:29:51 laurel named[3235]: error:260B6084:engine routines:DYNAMIC_LOAD:dso not found:eng_dyn.c:467:
May 24 21:29:51 laurel named[3235]: error:2606A074:engine routines:ENGINE_by_id:no such engine:eng_list.c:390:id=gost
May 24 21:29:51 laurel named[3235]: initializing DST: crypto failure

```

A more elaborate log is at https://gist.github.com/jpluimers/2e35edc7b3b1cd0a7edca42916518ab5
Comment 6 Thorsten Kukuk 2017-05-30 06:07:27 UTC 
*** Bug 1036630 has been marked as a duplicate of this bug. ***
Comment 7 Michel Normand 2017-06-28 18:00:45 UTC 
What is the status of this bug ?
There was a SR #496968 referencing it and changing bind package in TW (2)
But last openQA trial still reports failure (3) and a comment about need for bind rebuild.

There is a similar failure for PowerPC (4) so I assume we need also a bind rebuild for it (ppc64/ppc64le) in (5)

(1) https://build.opensuse.org/request/show/496968
(2) https://build.opensuse.org/package/view_file/openSUSE:Factory/bind/bind.changes?expand=1
(3) https://openqa.opensuse.org/tests/433055#comments

(4) https://openqa.opensuse.org/tests/432920#step/dns_srv/11
(5) $osc jobhist -l5 openSUSE:Factory:PowerPC   bind standard ppc64le
time              package reason           code   build time worker
2017-03-31 16:12:10  bind source change    succeeded  4m 34s obs-power8-03:5 
2017-05-06 06:10:44  bind rebuild counter  succeeded  5m 18s obs-power8-04:11
2017-05-06 15:50:24  bind rebuild counter  succeeded  5m  0s obs-power8-05:1 
2017-05-19 02:59:23  bind rebuild counter  succeeded  4m 45s obs-power8-05:14
2017-05-20 18:01:12  bind source change    succeeded  4m 39s obs-power8-02:13
Comment 8 Dominique Leuenberger 2017-06-28 19:07:13 UTC 
(In reply to Michel Normand from comment #7)
> What is the status of this bug ?
> There was a SR #496968 referencing it and changing bind package in TW (2)
> But last openQA trial still reports failure (3) and a comment about need for
> bind rebuild.

has been fixed - except for armv6l - where bind failed (the 'bug we depend on to be able to consider this one really fixed)
 
> There is a similar failure for PowerPC (4) so I assume we need also a bind
> rebuild for it (ppc64/ppc64le) in (5)

right - openssl moved the engines again and bind needs an explicit rebuild, as the path is detected at build time; this was a one-snapshot failure for 0627
Comment 9 Tomáš Chvátal 2017-09-21 13:59:48 UTC 
*** Bug 1040053 has been marked as a duplicate of this bug. ***
Comment 10 Navin Kukreja 2018-04-05 11:15:44 UTC 
Latest build status shows bind is building successfully for armv6l. Can we close this now?
Comment 11 Dominique Leuenberger 2018-04-05 11:19:09 UTC 
(In reply to Navin Kukreja from comment #10)
> Latest build status shows bind is building successfully for armv6l. Can we
> close this now?

IMHO, yes