Bug 1442133

Summary: Do not link libkrad, liblber, libldap_r and libsss_nss_idmap to every binary in IPA
Product: Red Hat Enterprise Linux 7 Reporter: Petr Vobornik <pvoborni>
Component: ipa Assignee: IPA Maintainers <ipa-maint>
Status: CLOSED ERRATA QA Contact: Scott Poore <spoore>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 7.4 CC: jcholast, ksiddiqu, pvoborni, rcritten, spoore, tscherf
Target Milestone: rc   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: ipa-4.5.0-7.el7 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2017-08-01 09:48:56 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Attachments:
ipa 4.5 linktest output (flags: none)
ipa 4.4 linktest output (flags: none)

Description Petr Vobornik 2017-04-13 15:48:33 UTC
Cloned from upstream: https://pagure.io/freeipa/issue/6846

The libkrad, liblber, libldap_r and libsss_nss_idmap libraries are unconditionally linked in every binary and library built in IPA, even where they are not used. This creates a lot of unnecessary dependencies everywhere. Stop doing this to remove the unnecessary dependencies.

Comment 2 Petr Vobornik 2017-04-13 15:48:50 UTC
Upstream ticket:
https://pagure.io/freeipa/issue/6846

Comment 5 Scott Poore 2017-05-25 13:46:25 UTC
Verified.

Version ::

ipa-server-4.5.0-13.el7.x86_64

Result ::


[root@rhel7-3 ~]# cat linktest.sh 

for rpm in ipa-server ipa-client; do
    echo
    echo "++++++++++++++ $rpm +++++++++++++++"
    echo
    for file in $(rpm -ql $rpm|egrep "/sbin/|/bin/|lib.*.so$"); do
        file $file|grep -q ELF
        if [ $? -eq 0 ]; then
            echo "    ============= $file ==============="
            ldd $file |sort | egrep "libkrad|liblber|libldap_r|libsss_nss_idmap"|awk '{print "      " $1 " " $2 " " $3}'
        fi
    done
done

[root@rhel7-3 ~]# rpm -q ipa-server
ipa-server-4.5.0-13.el7.x86_64

[root@rhel7-3 ~]# sh linktest.sh > ipa450_linktest.out 

# Then on a RHEL7.3 server:

[root@ipa1 ~]# sh linktest > ipa440_linktest.out 

[root@ipa1 ~]# scp ipa440_linktest.out root@192.168.122.73:/root
Password: 
ipa440_linktest.out                                                  100% 4034     3.9KB/s   00:00    

# Now to compare and see what's changed:

[root@rhel7-3 ~]# diff ipa440_linktest.out ipa450_linktest.out 
5d4
<       libkrad.so.0 => /lib64/libkrad.so.0
9d7
<       libkrad.so.0 => /lib64/libkrad.so.0
13d10
<       libkrad.so.0 => /lib64/libkrad.so.0
17d13
<       libkrad.so.0 => /lib64/libkrad.so.0
22d17
<       libkrad.so.0 => /lib64/libkrad.so.0
26d20
<       libkrad.so.0 => /lib64/libkrad.so.0
30d23
<       libkrad.so.0 => /lib64/libkrad.so.0
34d26
<       libkrad.so.0 => /lib64/libkrad.so.0
38d29
<       libkrad.so.0 => /lib64/libkrad.so.0
42d32
<       libkrad.so.0 => /lib64/libkrad.so.0
46d35
<       libkrad.so.0 => /lib64/libkrad.so.0
50d38
<       libkrad.so.0 => /lib64/libkrad.so.0
54d41
<       libkrad.so.0 => /lib64/libkrad.so.0
58d44
<       libkrad.so.0 => /lib64/libkrad.so.0
62d47
<       libkrad.so.0 => /lib64/libkrad.so.0
64d48
<       libkrad.so.0 => /lib64/libkrad.so.0
66d49
<       libkrad.so.0 => /lib64/libkrad.so.0
73a57
>       libldap_r-2.4.so.2 => /lib64/libldap_r-2.4.so.2
75a60
>       libldap_r-2.4.so.2 => /lib64/libldap_r-2.4.so.2


You can see that most of the differences above are that the libkrad links are no longer included in the ipa4.5 binaries.
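
An added example, not part of the original comment or of the IPA project: `ldd` prints the full transitive closure of shared-library dependencies, so a library can still show up when it is pulled in by another library. The sketch below instead reads only the direct `DT_NEEDED` entries from `readelf -d` output, which is what the linker recorded for the binary itself. The function names and the sample dynamic section are constructed for illustration.

```shell
#!/bin/sh
# Libraries named in the bug summary.
WATCHED='libkrad|liblber|libldap_r|libsss_nss_idmap'

# needed_watched: read `readelf -d` output on stdin and print the sonames of
# direct DT_NEEDED entries that match a watched library, one per line.
needed_watched() {
    sed -n 's/.*(NEEDED).*Shared library: \[\([^]]*\)].*/\1/p' |
        grep -E "^(${WATCHED})[-.]" || true   # no match is not an error
}

# check_file: print watched direct dependencies of one ELF file.
# Files that readelf cannot parse (scripts, data) produce no output.
check_file() {
    readelf -d "$1" 2>/dev/null | needed_watched
}

# Constructed sample of `readelf -d` output for a hypothetical library that
# links libkrad and libldap_r directly (not taken from a real IPA build).
sample_readelf() {
    cat <<'EOF'
Dynamic section at offset 0x2d90 contains 29 entries:
  Tag        Type                         Name/Value
 0x0000000000000001 (NEEDED)             Shared library: [libkrad.so.0]
 0x0000000000000001 (NEEDED)             Shared library: [libldap_r-2.4.so.2]
 0x0000000000000001 (NEEDED)             Shared library: [libc.so.6]
 0x000000000000000e (SONAME)             Library soname: [libexample.so.0]
EOF
}

# Usage: sh needed.sh FILE...   (for example the ELF files from `rpm -ql`)
if [ "$#" -gt 0 ]; then
    for f in "$@"; do
        hits=$(check_file "$f")
        [ -n "$hits" ] && printf '%s\n%s\n' "== $f ==" "$hits"
    done
fi
```

Comparing this output between two package versions shows which binaries dropped a direct link, independent of what their remaining dependencies load at run time.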

Comment 6 Scott Poore 2017-05-25 13:46:59 UTC
Created attachment 1282267
ipa 4.5 linktest output

Comment 7 Scott Poore 2017-05-25 13:51:23 UTC
Created attachment 1282269
ipa 4.4 linktest output

Comment 8 errata-xmlrpc 2017-08-01 09:48:56 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:2304