[SOLVED] collectd network plugin is missing encryption support

Started by deviantintegral, May 10, 2017, 07:40:51 PM

Previous topic - Next topic
Print
Go Down Pages1
User actions
May 10, 2017, 07:40:51 PM Last Edit: July 04, 2017, 04:04:18 PM by franco
collectd has been broken for the past week, as the network plugin is no longer linked to libgcrypt and libgpg-error.

Code Select
May 10 13:22:32 blackbox collectd[32863]: network plugin: Option `SecurityLevel' is not allowed here.
May 10 13:22:32 blackbox collectd[32863]: network plugin: Option `Username' is not allowed here.
May 10 13:22:32 blackbox collectd[32863]: network plugin: Option `Password' is not allowed here.

I manually installed collectd 5.7.0 from 16.7 as I couldn't find prior builds for 17.1. That version has:

Code Select
root@blackbox:/tmp # ldd /usr/local/lib/collectd/network.so
/usr/local/lib/collectd/network.so:
libgcrypt.so.20 => /usr/local/lib/libgcrypt.so.20 (0x3482980b000)
libgpg-error.so.0 => /usr/local/lib/libgpg-error.so.0 (0x34829b1d000)
libc.so.7 => /lib/libc.so.7 (0x34828dfa000)

And in the latest 5.7.1 release:

Code Select
root@blackbox:/usr/local/etc # ldd /usr/local/lib/collectd/network.so
/usr/local/lib/collectd/network.so:
libc.so.7 => /lib/libc.so.7 (0x205546c4000)

For now, I've locked the older package, though if there's prior builds actually against 17.1 I can install that would be better. Or, is there a way to simply blacklist the specific release of collectd, so when a new (presumably fixed) version is out it will be upgraded to automatically?
May 11, 2017, 04:05:22 PM #1
Oops, look like this was never supposed to be working. We changed the build to do isolated runs like FreeBSD does, it looks like collectd has unregistered dependencies that fail now. Let's investigate. :)


Cheers,
Franco
May 11, 2017, 04:07:32 PM #2
PS: This one should still work:

# opnsense-revert -r 17.1.4 collectd5


https://github.com/opnsense/ports/issues/41
May 11, 2017, 04:24:57 PM #3
scratch that, also looks problematic
May 18, 2017, 10:45:50 PM #4
Turns out that running the build from 16.7 didn't throw any errors, but did send wrong data in the networking plugin. Following https://forum.opnsense.org/index.php?topic=2004 I installed collectd from ports and crypt support is working fine.
May 22, 2017, 08:54:48 AM #5
I've added this to the build for the upcoming 17.1.8:

https://github.com/opnsense/tools/commit/2160deb86

I'm not sure it'll solve the issue as simply rebuilding in place doesn't change that option, but it would bring the build closer to how it looked like when you reported it.

Do you have libgcrypt manually installed? What does ldd say now for your port-build collectd5?


Cheers,
Franco
May 22, 2017, 02:24:38 PM #6
Here's ldd after install:

Code Select
root@blackbox:/usr/ports/net-mgmt/collectd5 # ldd /usr/local/sbin/collectd������ /usr/local/sbin/collectd:
        libm.so.5 => /lib/libm.so.5 (0x3442ba34000)
        libthr.so.3 => /lib/libthr.so.3 (0x3442bc5f000)
        libstatgrab.so.10 => /usr/local/lib/libstatgrab.so.10 (0x3442be87000)
        libdevstat.so.7 => /lib/libdevstat.so.7 (0x3442c099000)
        libltdl.so.7 => /usr/local/lib/libltdl.so.7 (0x3442c29f000)
        libc.so.7 => /lib/libc.so.7 (0x3442af14000)
        libkvm.so.7 => /lib/libkvm.so.7 (0x3442c4a8000)
        libelf.so.2 => /lib/libelf.so.2 (0x3442c6b7000)

You're right, there is no gcrypt support (nor shown in pkg info as well). However, encryption support is working fine. Perhaps there's multiple libraries it can use to support it, but I'm not finding anything obvious. I'd probably lean towards enabling gcrypt just to match what previous builds did.

I have a cron job for a nightly firmware upgrade. It looks like collectd has been replaced by the binary version on me from the repos. I thought I locked the package after install, but perhaps I didn't. Is there anything else to do when installing ports to keep them in place?
May 22, 2017, 03:42:22 PM #7
Locking the package is the best bet. But the lock will be lifted when major upgrades (not minor, so for e.g. 17.7) are performed (opnsense-update) or when packages are reverted to their upstream equivalent (opnsense-revert).

Check back when 17.1.8 hits to see what we can do to fix this still of not working as expected then. :)


Thanks,
Franco
May 24, 2017, 03:15:30 PM #8
Of course, the above ldd paste was on the colletctd binary, not network.so :(

libgcrypt is in the network plugin, using the default build options:

Code Select

root@blackbox:~ # ldd /usr/local/lib/collectd/network.so
/usr/local/lib/collectd/network.so:
libgcrypt.so.20 => /usr/local/lib/libgcrypt.so.20 (0x2e31a0b000)
libgpg-error.so.0 => /usr/local/lib/libgpg-error.so.0 (0x2e31d1d000)
libc.so.7 => /lib/libc.so.7 (0x2e3102c000)
May 24, 2017, 08:14:04 PM #9
I missed this was network.so, sorry. But in any case it can only build against libgcrypt if it was installed, default configuration or not, because it automatically picks it up like it did before. That's not true anymore for the build system, but that also means flipping on GCRYPT option should make this work again in 17.1.8. :)


Cheers,
Franco
June 09, 2017, 07:00:34 PM #10
Hi deviantintegral,

Was this fixed as discussed with 17.1.8?


Thanks,
Franco
June 09, 2017, 11:10:38 PM #11
It did! Thanks.
Print
Go Up Pages1
User actions