Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add versions without --enable-shared for ruby <= 2.3 #3

Closed
wants to merge 3 commits into from
Closed

Add versions without --enable-shared for ruby <= 2.3 #3

wants to merge 3 commits into from

Conversation

bak1an
Copy link

@bak1an bak1an commented Aug 21, 2020
edited
Loading

This PR adds builds without --enable-shared for rubies <= 2.3. Those will have _noshared suffix after version in the release filename (for example ruby-2.3.1_noshared-ubuntu-18.04.tar.gz).

Builds with --enable-shared are left as they are.

Idea is that in https://github.com/ruby/setup-ruby we could request _noshared suffixed version if needed (or add a separate action input there to do so).

Why this is required:

When trying to use gems with native extensions which are linked with openssl 1.1 this --enable-shared old ruby will segfault as the ruby itself loads openssl 1.0 and the gems (like mysql2 or rugged) load system installed openssl 1.1 (or more precisely, libraries like libmysqclient or libgit2 which those gems are wrapping are doing so).

Sample segfault when trying to use shared ruby 2.3.8 and mysql2 gem (wraps libmysqlient) in github action:

-- C level backtrace information -------------------------------------------
/home/runner/.rubies/ruby-2.3.8/lib/libruby.so.2.3(rb_vm_bugreport+0x974) [0x7efe783764c4] vm_dump.c:724
/home/runner/.rubies/ruby-2.3.8/lib/libruby.so.2.3(rb_bug_context+0xd4) [0x7efe781fda74] error.c:435
/home/runner/.rubies/ruby-2.3.8/lib/libruby.so.2.3(sigsegv+0x3e) [0x7efe782e150e] signal.c:890
/lib/x86_64-linux-gnu/libc.so.6 [0x7efe77dcdf20]
/lib/x86_64-linux-gnu/libc.so.6 [0x7efe77e38e8a]
/home/runner/.rubies/ruby-2.3.8/openssl/lib/libcrypto.so.1.0.0(lh_insert+0x10d) [0x7efe7542a6cd]
/home/runner/.rubies/ruby-2.3.8/openssl/lib/libcrypto.so.1.0.0(OBJ_NAME_add+0x6b) [0x7efe7537068b]
/usr/lib/x86_64-linux-gnu/libssl.so.1.1 [0x7efe7378613e]
/lib/x86_64-linux-gnu/libpthread.so.0(__pthread_once_slow+0xb7) [0x7efe77b7f827]
/usr/lib/x86_64-linux-gnu/libcrypto.so.1.1(CRYPTO_THREAD_run_once+0x9) [0x7efe73462039]
/usr/lib/x86_64-linux-gnu/libssl.so.1.1(OPENSSL_init_ssl+0x67) [0x7efe73786337]
/usr/lib/x86_64-linux-gnu/libmysqlclient.so.20 [0x7efe73a3b754]
/usr/lib/x86_64-linux-gnu/libmysqlclient.so.20(mysql_server_init+0x67) [0x7efe73a00c27]

Note that at some point calls jump from system libcrypto.so.1.1 into ruby bundled libcrypto.so.1.0.

The same thing happens when trying to call rugged gem, which wraps libgit2. This makes such ruby builds useless when testing some projects.

This problem is not an issue with rubies >= 2.4, as those are built with openssl 1.1 around.

Having noshared build for ruby 2.3 helps as there will be no .so files around for openssl1.0 as it will be statically linked into the ruby.

@bak1an
Copy link
Author

bak1an commented Aug 21, 2020
edited
Loading

https://github.com/bak1an/oldruby-crash-sample/blob/master/main.rb
https://github.com/bak1an/oldruby-crash-sample/actions/runs/218785129

There I added a repo where the segfault can be observed.

@eregon
Copy link
Member

eregon commented Aug 22, 2020

Doesn't a very similar problem happen if openssl is statically linked?
I.e., the Ruby process will use both OpenSSL 1.0 and 1.1 functions?

@eregon
Copy link
Member

eregon commented Aug 22, 2020

From what I see libssl/libcrypto are not linked dynamically depending on --enabled-shared or not.
At least on 2.6.6:
Not shared:

$ ldd ~/.rubies/ruby-2.6.6/bin/ruby
	linux-vdso.so.1 (0x00007ffdc091a000)
	libz.so.1 => /lib64/libz.so.1 (0x00007f2be08ea000)
	libpthread.so.0 => /lib64/libpthread.so.0 (0x00007f2be08c8000)
	librt.so.1 => /lib64/librt.so.1 (0x00007f2be08bd000)
	libdl.so.2 => /lib64/libdl.so.2 (0x00007f2be08b6000)
	libcrypt.so.2 => /lib64/libcrypt.so.2 (0x00007f2be087b000)
	libm.so.6 => /lib64/libm.so.6 (0x00007f2be0735000)
	libc.so.6 => /lib64/libc.so.6 (0x00007f2be056a000)
	/lib64/ld-linux-x86-64.so.2 (0x00007f2be0caf000)

--enabled-shared:

$ ldd ~/.rubies/ruby-266-shared/bin/ruby
	linux-vdso.so.1 (0x00007ffec3dda000)
	libruby.so.2.6 => /home/eregon/.rubies/ruby-266-shared/lib/libruby.so.2.6 (0x00007f54a6803000)
	libz.so.1 => /lib64/libz.so.1 (0x00007f54a67c5000)
	libpthread.so.0 => /lib64/libpthread.so.0 (0x00007f54a67a3000)
	librt.so.1 => /lib64/librt.so.1 (0x00007f54a6798000)
	libdl.so.2 => /lib64/libdl.so.2 (0x00007f54a6791000)
	libcrypt.so.2 => /lib64/libcrypt.so.2 (0x00007f54a6756000)
	libm.so.6 => /lib64/libm.so.6 (0x00007f54a660e000)
	libc.so.6 => /lib64/libc.so.6 (0x00007f54a6445000)
	/lib64/ld-linux-x86-64.so.2 (0x00007f54a6b89000)
$ ldd /home/eregon/.rubies/ruby-266-shared/lib/libruby.so.2.6
	linux-vdso.so.1 (0x00007fff7a3a4000)
	libz.so.1 => /lib64/libz.so.1 (0x00007fd682b7a000)
	libpthread.so.0 => /lib64/libpthread.so.0 (0x00007fd682b58000)
	librt.so.1 => /lib64/librt.so.1 (0x00007fd682b4d000)
	libdl.so.2 => /lib64/libdl.so.2 (0x00007fd682b46000)
	libcrypt.so.2 => /lib64/libcrypt.so.2 (0x00007fd682b0b000)
	libm.so.6 => /lib64/libm.so.6 (0x00007fd6829c5000)
	libc.so.6 => /lib64/libc.so.6 (0x00007fd6827fa000)
	/lib64/ld-linux-x86-64.so.2 (0x00007fd682f3e000)

And even if I look at https://github.com/ruby/ruby-builder/releases/download/enable-shared/ruby-2.3.8-ubuntu-18.04.tar.gz:

$ ldd bin/ruby
	linux-vdso.so.1 (0x00007ffcd25f0000)
	libruby.so.2.3 => not found
	libc.so.6 => /lib64/libc.so.6 (0x00007f1e72e69000)
	/lib64/ld-linux-x86-64.so.2 (0x00007f1e7325a000)
$ ldd lib/libruby.so.2.3.0 
	linux-vdso.so.1 (0x00007ffc08691000)
	libpthread.so.0 => /lib64/libpthread.so.0 (0x00007fc25669b000)
	libgmp.so.10 => /lib64/libgmp.so.10 (0x00007fc25661e000)
	libdl.so.2 => /lib64/libdl.so.2 (0x00007fc256617000)
	libcrypt.so.1 => /lib64/libcrypt.so.1 (0x00007fc2565dc000)
	libm.so.6 => /lib64/libm.so.6 (0x00007fc256496000)
	libc.so.6 => /lib64/libc.so.6 (0x00007fc2562cd000)
	/lib64/ld-linux-x86-64.so.2 (0x00007fc256bd7000)

No libssl/libcrypto there anywhere.
So it looks like libssl is already statically linked, and that this would change nothing.

So I think this issue comes from using ruby-build which builds (also on Linux with my change) its own openssl for Ruby <= 2.3:
eregon/ruby-build@b7eff43
And AFAIK it needs to, because even on Ubuntu 16.04 OpenSSL 1.1 is used in GItHub Actions.

I think there is no solution here, to work well the system would need to use the same OpenSSL version as ruby.
Since there is no GitHub runner using OpenSSL 1.0 on GitHub Actions, and Ruby <= 2.3 does not compile with OpenSSL 1.1, I think the only option is Docker here with a old OS version that uses OpenSSL 1.0 (which is EOL by now).

@eregon
Copy link
Member

eregon commented Aug 22, 2020

I looked at the wrong place, of course libssl/libcrypto is only linked from the openssl.so C extension:

ldd ~/.rubies/ruby-2.6.6/lib/ruby/2.6.0/x86_64-linux/openssl.so 
	linux-vdso.so.1 (0x00007ffe5b2ee000)
	libssl.so.1.1 => /lib64/libssl.so.1.1 (0x00007fbb77830000)
	libcrypto.so.1.1 => /lib64/libcrypto.so.1.1 (0x00007fbb77549000)
	libm.so.6 => /lib64/libm.so.6 (0x00007fbb77403000)
	libc.so.6 => /lib64/libc.so.6 (0x00007fbb7723a000)
	libpthread.so.0 => /lib64/libpthread.so.0 (0x00007fbb77218000)
	libz.so.1 => /lib64/libz.so.1 (0x00007fbb771fe000)
	libdl.so.2 => /lib64/libdl.so.2 (0x00007fbb771f5000)
	/lib64/ld-linux-x86-64.so.2 (0x00007fbb77945000)

ldd ~/.rubies/ruby-266-shared/lib/ruby/2.6.0/x86_64-linux/openssl.so 
	linux-vdso.so.1 (0x00007ffd97fbf000)
	libruby.so.2.6 => /home/eregon/.rubies/ruby-266-shared/lib/libruby.so.2.6 (0x00007fd60e569000)
	libssl.so.1.1 => /lib64/libssl.so.1.1 (0x00007fd60e4af000)
	libcrypto.so.1.1 => /lib64/libcrypto.so.1.1 (0x00007fd60e1c8000)
	libm.so.6 => /lib64/libm.so.6 (0x00007fd60e082000)
	libc.so.6 => /lib64/libc.so.6 (0x00007fd60deb9000)
	libz.so.1 => /lib64/libz.so.1 (0x00007fd60de9f000)
	libpthread.so.0 => /lib64/libpthread.so.0 (0x00007fd60de7b000)
	librt.so.1 => /lib64/librt.so.1 (0x00007fd60de70000)
	libdl.so.2 => /lib64/libdl.so.2 (0x00007fd60de69000)
	libcrypt.so.2 => /lib64/libcrypt.so.2 (0x00007fd60de2e000)
	/lib64/ld-linux-x86-64.so.2 (0x00007fd60e948000)

ldd lib/ruby/2.3.0/x86_64-linux/openssl.so
	linux-vdso.so.1 (0x00007ffcb3ffc000)
	libruby.so.2.3 => not found
	libssl.so.1.0.0 => not found
	libcrypto.so.1.0.0 => not found
	libpthread.so.0 => /lib64/libpthread.so.0 (0x00007fc428ad2000)
	libc.so.6 => /lib64/libc.so.6 (0x00007fc428909000)
	/lib64/ld-linux-x86-64.so.2 (0x00007fc428d70000)

So libssl/libcrypto seem to always be linked dynamically, whether or not --enabled-shared, so it sounds unlikely --enable-shared will help.

@bak1an
Copy link
Author

bak1an commented Aug 22, 2020

@eregon Thanks for digging! You are right indeed. I've just tried to build 2.3.8 with eregon/ruby-build@b7eff43 without --enable-shared in a clean 18.04 vm and it segfaults with my sample program the same way as it does with --enable-shared.

I'll close this PR as it is not doing what I assumed it would.

I have another old 18.04 env where I got ruby 2.3.7 built with rbenv/ruby-build, which does not have --enable-shared by default for <=2.3. So I thought this was a difference that was making it work.

openssl extension there is linked with openssl 1.0 from libssl1.0.0 ubuntu package:

~/.rbenv/versions/2.3.7$ ldd ./lib/ruby/2.3.0/x86_64-linux/openssl.so
        linux-vdso.so.1 (0x00007ffcfd3f2000)
        libssl.so.1.0.0 => /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0 (0x00007feafb6b0000)
        libcrypto.so.1.0.0 => /usr/lib/x86_64-linux-gnu/libcrypto.so.1.0.0 (0x00007feafb26d000)
        libpthread.so.0 => /lib/x86_64-linux-gnu/libpthread.so.0 (0x00007feafb04e000)
        libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007feafac5d000)
        libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007feafaa59000)
        /lib64/ld-linux-x86-64.so.2 (0x00007feafbb6e000)

And gems in that env are linked with openssl 1.1 from libssl1.1 package:

~/.rbenv/versions/2.3.7$ ldd ./lib/ruby/gems/2.3.0/gems/rugged-1.0.1/lib/rugged/rugged.so
        linux-vdso.so.1 (0x00007ffd64993000)
        librt.so.1 => /lib/x86_64-linux-gnu/librt.so.1 (0x00007f3c441fa000)
        libpthread.so.0 => /lib/x86_64-linux-gnu/libpthread.so.0 (0x00007f3c43fdb000)
        libssl.so.1.1 => /usr/lib/x86_64-linux-gnu/libssl.so.1.1 (0x00007f3c43d4e000)
        libcrypto.so.1.1 => /usr/lib/x86_64-linux-gnu/libcrypto.so.1.1 (0x00007f3c43883000)
        libz.so.1 => /lib/x86_64-linux-gnu/libz.so.1 (0x00007f3c43666000)
        libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f3c43275000)
        /lib64/ld-linux-x86-64.so.2 (0x00007f3c44762000)
        libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007f3c43071000)

Surprisingly, that sample app does not segfault there despite having both libssl1.0 and libssl1.1 in dependencies:

oldruby-crash-sample$ bundle exec ruby --version
ruby 2.3.7p456 (2018-03-28 revision 63024) [x86_64-linux]

oldruby-crash-sample$ bundle exec ruby main.rb
Latest commit here was: Update README.md

I'll try to dig into what exact build/libs difference actually makes it work there and post the results here if I have any.

Thanks for your help again!

@bak1an bak1an closed this Aug 22, 2020
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@bak1an @eregon