You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@kudu.apache.org by al...@apache.org on 2021/04/05 16:38:30 UTC
[kudu] branch master updated: [build] drop RHEL/CentOS 6 OpenSSL
ABI change workaround
This is an automated email from the ASF dual-hosted git repository.
alexey pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/kudu.git
The following commit(s) were added to refs/heads/master by this push:
new 879c1dd [build] drop RHEL/CentOS 6 OpenSSL ABI change workaround
879c1dd is described below
commit 879c1dd50c72e160041478543e7e1362bb17bd27
Author: Alexey Serbin <al...@apache.org>
AuthorDate: Thu Apr 1 18:30:28 2021 -0700
[build] drop RHEL/CentOS 6 OpenSSL ABI change workaround
Changelist 10f525519 introduced a workaround to an OpenSSL ABI
compatibility break between RHEL/CentOS 6.4 and later versions.
RHEL/CentOS 6 is beyond its EOL date already and Kudu doesn't
officially support it since 1.14 release [1], so this patch removes
the workaround accordingly.
Nevertheless, even with this patch, Kudu can still be compiled and
run on RHEL/CentOS 6, as before. The only change is that now it
compiles against the OpenSSL which came with the OS at the build
machine, not the OpenSSL which came with RHEL/CentOS 6.4.
[1] https://kudu.apache.org/releases/1.14.0/docs/release_notes.html
Change-Id: I014d93b3b953d11281b928de9de43eec8ab4e997
Reviewed-on: http://gerrit.cloudera.org:8080/17264
Tested-by: Alexey Serbin <as...@cloudera.com>
Reviewed-by: Grant Henke <gr...@apache.org>
---
CMakeLists.txt | 8 ---
src/kudu/security/openssl_util.cc | 3 -
src/kudu/server/webserver-test.cc | 4 --
src/kudu/server/webserver.cc | 4 --
thirdparty/build-thirdparty.sh | 8 ---
thirdparty/download-thirdparty.sh | 13 ----
thirdparty/install-openssl-el6-workaround.sh | 88 ----------------------------
thirdparty/vars.sh | 2 -
8 files changed, 130 deletions(-)
diff --git a/CMakeLists.txt b/CMakeLists.txt
index 4390b4c..2980083 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -1084,14 +1084,6 @@ ADD_THIRDPARTY_LIB(mustache
##
## cmake -DOPENSSL_ROOT_DIR=/usr/local/opt/openssl ...
##
-## If no such OPENSSL_ROOT_DIR is specified, and we see that there is an OpenSSL
-## binary in thirdparty (deposited there by thirdparty/install-openssl-el6-workaround.sh)
-## then we'll use that one. See that script for more information.
-set(CENTOS_6_4_OPENSSL_DIR "${THIRDPARTY_INSTALL_DIR}/openssl-el6-workaround/usr/")
-if (NOT OPENSSL_ROOT_DIR AND EXISTS "${CENTOS_6_4_OPENSSL_DIR}")
- set(OPENSSL_ROOT_DIR "${CENTOS_6_4_OPENSSL_DIR}")
- add_definitions("-DKUDU_OPENSSL_REQUIRE_FIPS_HEADER")
-endif()
find_package(OpenSSL 1.0.0 REQUIRED)
include_directories(SYSTEM ${OPENSSL_INCLUDE_DIR})
ADD_THIRDPARTY_LIB(openssl_ssl
diff --git a/src/kudu/security/openssl_util.cc b/src/kudu/security/openssl_util.cc
index 1f6896c..3d9544c 100644
--- a/src/kudu/security/openssl_util.cc
+++ b/src/kudu/security/openssl_util.cc
@@ -18,9 +18,6 @@
#include "kudu/security/openssl_util.h"
#include <openssl/crypto.h>
-#if defined(KUDU_OPENSSL_REQUIRE_FIPS_HEADER)
-#include <openssl/fips.h>
-#endif
#include <openssl/err.h>
#include <openssl/rand.h> // IWYU pragma: keep
diff --git a/src/kudu/server/webserver-test.cc b/src/kudu/server/webserver-test.cc
index 44ffb3f..3b4c724 100644
--- a/src/kudu/server/webserver-test.cc
+++ b/src/kudu/server/webserver-test.cc
@@ -17,11 +17,7 @@
#include "kudu/server/webserver.h"
-#if defined(KUDU_OPENSSL_REQUIRE_FIPS_HEADER)
-#include <openssl/fips.h>
-#else
#include <openssl/crypto.h>
-#endif
#include <cstdlib>
#include <functional>
diff --git a/src/kudu/server/webserver.cc b/src/kudu/server/webserver.cc
index 9e7202d..420984f 100644
--- a/src/kudu/server/webserver.cc
+++ b/src/kudu/server/webserver.cc
@@ -18,11 +18,7 @@
#include "kudu/server/webserver.h"
#include <netinet/in.h>
-#if defined(KUDU_OPENSSL_REQUIRE_FIPS_HEADER)
-#include <openssl/fips.h>
-#else
#include <openssl/crypto.h>
-#endif
#include <sys/socket.h>
#include <algorithm>
diff --git a/thirdparty/build-thirdparty.sh b/thirdparty/build-thirdparty.sh
index 101f324..4f4a842 100755
--- a/thirdparty/build-thirdparty.sh
+++ b/thirdparty/build-thirdparty.sh
@@ -155,14 +155,6 @@ if [[ "$OSTYPE" =~ ^linux ]]; then
OS_LINUX=1
DYLIB_SUFFIX="so"
PARALLEL=${PARALLEL:-$(grep -c processor /proc/cpuinfo)}
-
- if [ -d "$OPENSSL_WORKAROUND_DIR" ]; then
- # If the el6 workaround openssl is present, we must build dependencies
- # against that version of openssl, not the system version, because at test
- # runtime we use the workaround openssl.
- OPENSSL_CFLAGS="-I$OPENSSL_WORKAROUND_DIR/usr/include"
- OPENSSL_LDFLAGS="-L$OPENSSL_WORKAROUND_DIR/usr/lib64 -Wl,-rpath,$OPENSSL_WORKAROUND_DIR/usr/lib64"
- fi
elif [[ "$OSTYPE" == "darwin"* ]]; then
OS_OSX=1
DYLIB_SUFFIX="dylib"
diff --git a/thirdparty/download-thirdparty.sh b/thirdparty/download-thirdparty.sh
index 07914cf..1f6215f 100755
--- a/thirdparty/download-thirdparty.sh
+++ b/thirdparty/download-thirdparty.sh
@@ -361,19 +361,6 @@ fetch_and_patch \
$BOOST_SOURCE \
$BOOST_PATCHLEVEL
-# Return 0 if the current system appears to be el6 (either CentOS or proper RHEL)
-needs_openssl_workaround() {
- test -f /etc/redhat-release || return 1
- rel="$(cat /etc/redhat-release)"
- pat="(CentOS|Red Hat Enterprise).* release 6.*"
- [[ "$rel" =~ $pat ]]
- return $?
-}
-if needs_openssl_workaround && [ ! -d "$OPENSSL_WORKAROUND_DIR" ] ; then
- echo Building on el6: installing OpenSSL from CentOS 6.4.
- $TP_DIR/install-openssl-el6-workaround.sh
-fi
-
BREAKPAD_PATCHLEVEL=2
fetch_and_patch \
breakpad-${BREAKPAD_VERSION}.tar.gz \
diff --git a/thirdparty/install-openssl-el6-workaround.sh b/thirdparty/install-openssl-el6-workaround.sh
deleted file mode 100755
index cb95d2f..0000000
--- a/thirdparty/install-openssl-el6-workaround.sh
+++ /dev/null
@@ -1,88 +0,0 @@
-#!/bin/bash
-#
-# Licensed to the Apache Software Foundation (ASF) under one
-# or more contributor license agreements. See the NOTICE file
-# distributed with this work for additional information
-# regarding copyright ownership. The ASF licenses this file
-# to you under the Apache License, Version 2.0 (the
-# "License"); you may not use this file except in compliance
-# with the License. You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing,
-# software distributed under the License is distributed on an
-# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-# KIND, either express or implied. See the License for the
-# specific language governing permissions and limitations
-# under the License.
-
-# This script serves to workaround a problematic OpenSSL ABI change
-# made between RHEL 6.4 and 6.5. Namely:
-#
-# RHEL 6.4's OpenSSL library is built with no symbol versioning. For example:
-# $ objdump -T libssl.so | grep SSL_CTX_new
-# 0000000000037110 g DF .text 0000000000000577 Base SSL_CTX_new
-#
-# RHEL 6.5's OpenSSL library has symbol versions. For example:
-# $ objdump -T /usr/lib64/libssl.so | grep SSL_CTX_new
-# 0000003ae8243610 g DF .text 0000000000000597 libssl.so.10 SSL_CTX_new
-#
-# Thus, if we build Kudu on RHEL 6.5 or later, the resulting binaries expect
-# the versioned symbols in libssl and will not run on RHEL 6.4 or earlier:
-#
-# $ objdump -T kudu-tserver | grep SSL_CTX_new
-# 0000000000000000 DF *UND* 0000000000000000 libssl.so.10 SSL_CTX_new
-#
-# In contrast, if a binary is built not expecting versioned symbols, the runtime
-# linker can still resolve those symbols by choosing the versioned ones. Thus,
-# binaries built against RHEL 6.4 are forward-compatible to later versions, but
-# not vice versa.
-#
-# Note that Kudu cannot simply be built on RHEL 6.4 because the devtoolset toolchain is
-# not available. So, given that we want to produce binaries that run on RHEL 6.4,
-# we need to perform a workaround such that our binaries built on 6.6 don't depend
-# on the versioned symbols in OpenSSL. This script provides such a workaround.
-#
-# The workaround itself is quite simple: we download the OpenSSL RPMs from CentOS 6.4
-# and unpack them into a directory in thirdparty/. If we then build against those
-# the resulting binaries can run on either el6.4 or el6.6.
-
-set -e
-
-TP_DIR=$(cd "$(dirname "$BASH_SOURCE")"; pwd)
-source $TP_DIR/vars.sh
-
-mkdir -p $OPENSSL_WORKAROUND_DIR
-cd $OPENSSL_WORKAROUND_DIR
-
-# Clean up any previous leftovers.
-rm -Rf usr etc
-
-# Download and unpack OpenSSL RPMs from CentOS 6.4.
-#
-# We have mirrored these in our S3 bucket, but the original sources are in
-# http://vault.centos.org/6.4/os/x86_64/Packages/ .
-for FILENAME in openssl-1.0.0-27.el6.x86_64.rpm openssl-devel-1.0.0-27.el6.x86_64.rpm ; do
- FULL_URL="${DEPENDENCY_URL}/${FILENAME}"
- # Loop in case we encounter an error.
- for attempt in 1 2 3; do
- if [ -r "$FILENAME" ]; then
- echo $FILENAME already exists. Not re-downloading.
- else
- echo "Fetching $FILENAME from $FULL_URL"
- if ! curl --retry 3 -L -O "${FULL_URL}"; then
- echo "Error downloading $FILENAME"
- rm -f "$FILENAME"
-
- # Pause for a bit before looping in case the server throttled us.
- sleep 5
- continue
- fi
- fi
- done
-
- echo "Unpacking $FILENAME"
- rpm2cpio $FILENAME | cpio -idm
-done
-
diff --git a/thirdparty/vars.sh b/thirdparty/vars.sh
index ca034bd..bcad1e5 100644
--- a/thirdparty/vars.sh
+++ b/thirdparty/vars.sh
@@ -170,8 +170,6 @@ BOOST_VERSION=1_74_0
BOOST_NAME=boost_$BOOST_VERSION
BOOST_SOURCE=$TP_SOURCE_DIR/$BOOST_NAME
-OPENSSL_WORKAROUND_DIR="$TP_DIR/installed/openssl-el6-workaround"
-
# The breakpad source artifact is created using the script found in
# scripts/make-breakpad-src-archive.sh
BREAKPAD_VERSION=9eac2058b70615519b2c4d8c6bdbfca1bd079e39