[SOLVED] collectd network plugin is missing encryption support

[deviantintegral]

collectd has been broken for the past week, as the network plugin is no longer linked to libgcrypt and libgpg-error.

Code: [Select]

May 10 13:22:32 blackbox collectd[32863]: network plugin: Option `SecurityLevel' is not allowed here.
May 10 13:22:32 blackbox collectd[32863]: network plugin: Option `Username' is not allowed here.
May 10 13:22:32 blackbox collectd[32863]: network plugin: Option `Password' is not allowed here.
I manually installed collectd 5.7.0 from 16.7 as I couldn't find prior builds for 17.1. That version has:

Code: [Select]

root@blackbox:/tmp # ldd /usr/local/lib/collectd/network.so
/usr/local/lib/collectd/network.so:
libgcrypt.so.20 => /usr/local/lib/libgcrypt.so.20 (0x3482980b000)
libgpg-error.so.0 => /usr/local/lib/libgpg-error.so.0 (0x34829b1d000)
libc.so.7 => /lib/libc.so.7 (0x34828dfa000)
And in the latest 5.7.1 release:

Code: [Select]

root@blackbox:/usr/local/etc # ldd /usr/local/lib/collectd/network.so
/usr/local/lib/collectd/network.so:
libc.so.7 => /lib/libc.so.7 (0x205546c4000)
For now, I've locked the older package, though if there's prior builds actually against 17.1 I can install that would be better. Or, is there a way to simply blacklist the specific release of collectd, so when a new (presumably fixed) version is out it will be upgraded to automatically?

[franco]

Oops, look like this was never supposed to be working. We changed the build to do isolated runs like FreeBSD does, it looks like collectd has unregistered dependencies that fail now. Let's investigate.


Cheers,
Franco

[franco]

PS: This one should still work:

# opnsense-revert -r 17.1.4 collectd5


https://github.com/opnsense/ports/issues/41

[franco]

scratch that, also looks problematic

[deviantintegral]

Turns out that running the build from 16.7 didn't throw any errors, but did send wrong data in the networking plugin. Following https://forum.opnsense.org/index.php?topic=2004 I installed collectd from ports and crypt support is working fine.

[franco]

I've added this to the build for the upcoming 17.1.8:

https://github.com/opnsense/tools/commit/2160deb86

I'm not sure it'll solve the issue as simply rebuilding in place doesn't change that option, but it would bring the build closer to how it looked like when you reported it.

Do you have libgcrypt manually installed? What does ldd say now for your port-build collectd5?


Cheers,
Franco

[deviantintegral]

Here's ldd after install:

Code: [Select]

root@blackbox:/usr/ports/net-mgmt/collectd5 # ldd /usr/local/sbin/collectd������ /usr/local/sbin/collectd:
        libm.so.5 => /lib/libm.so.5 (0x3442ba34000)
        libthr.so.3 => /lib/libthr.so.3 (0x3442bc5f000)
        libstatgrab.so.10 => /usr/local/lib/libstatgrab.so.10 (0x3442be87000)
        libdevstat.so.7 => /lib/libdevstat.so.7 (0x3442c099000)
        libltdl.so.7 => /usr/local/lib/libltdl.so.7 (0x3442c29f000)
        libc.so.7 => /lib/libc.so.7 (0x3442af14000)
        libkvm.so.7 => /lib/libkvm.so.7 (0x3442c4a8000)
        libelf.so.2 => /lib/libelf.so.2 (0x3442c6b7000)
You're right, there is no gcrypt support (nor shown in pkg info as well). However, encryption support is working fine. Perhaps there's multiple libraries it can use to support it, but I'm not finding anything obvious. I'd probably lean towards enabling gcrypt just to match what previous builds did.

I have a cron job for a nightly firmware upgrade. It looks like collectd has been replaced by the binary version on me from the repos. I thought I locked the package after install, but perhaps I didn't. Is there anything else to do when installing ports to keep them in place?

[franco]

Locking the package is the best bet. But the lock will be lifted when major upgrades (not minor, so for e.g. 17.7) are performed (opnsense-update) or when packages are reverted to their upstream equivalent (opnsense-revert).

Check back when 17.1.8 hits to see what we can do to fix this still of not working as expected then.


Thanks,
Franco

[deviantintegral]

Of course, the above ldd paste was on the colletctd binary, not network.so

libgcrypt is in the network plugin, using the default build options:

Code: [Select]

root@blackbox:~ # ldd /usr/local/lib/collectd/network.so
/usr/local/lib/collectd/network.so:
libgcrypt.so.20 => /usr/local/lib/libgcrypt.so.20 (0x2e31a0b000)
libgpg-error.so.0 => /usr/local/lib/libgpg-error.so.0 (0x2e31d1d000)
libc.so.7 => /lib/libc.so.7 (0x2e3102c000)


[franco]

I missed this was network.so, sorry. But in any case it can only build against libgcrypt if it was installed, default configuration or not, because it automatically picks it up like it did before. That's not true anymore for the build system, but that also means flipping on GCRYPT option should make this work again in 17.1.8.


Cheers,
Franco

[franco]

Hi deviantintegral,

Was this fixed as discussed with 17.1.8?


Thanks,
Franco

[deviantintegral]

It did! Thanks.