1410433 – named-pkcs11 will fail to start with recent bind-dyndb-ldap plugin

Bug 1410433 - named-pkcs11 will fail to start with recent bind-dyndb-ldap plugin

Summary: named-pkcs11 will fail to start with recent bind-dyndb-ldap plugin

Keywords:
Status:	CLOSED CURRENTRELEASE
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	bind
Sub Component:
Version:	26
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	unspecified
Target Milestone:	---
Assignee:	Petr Menšík
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	1403352
TreeView+	depends on / blocked

Reported:	2017-01-05 13:38 UTC by Petr Menšík
Modified:	2017-03-16 15:25 UTC (History)
CC List:	7 users (show)
Fixed In Version:	bind-9.11.0-6.P2.fc26
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2017-03-16 15:24:23 UTC
Type:	Bug
Embargoed:
Dependent Products:

Attachments	(Terms of Use)
named-pkcs11 log (82.74 KB, text/plain) 2017-01-05 13:38 UTC, Petr Menšík	no flags	Details
View All

Description Petr Menšík 2017-01-05 13:38:36 UTC

Created attachment 1237635 [details]
named-pkcs11 log

Description of problem:


Version-Release number of selected component (if applicable):
bind-pkcs11-9.11.0-2.P1.fc26.x86_64

How reproducible:
Always

Steps to Reproduce:
1. Install bind-pkcs11
2. Prepare IPA configuration
3. Prepare softhsm token for named, export SOFTHSM2_CONF=/var/named/softhsm2.conf
4. cd /var/named && named-pkcs11 -g -u named -d 5

Actual results:
...
05-Jan-2017 14:24:09.295 automatic empty zone: D.F.IP6.ARPA
05-Jan-2017 14:24:09.296 automatic empty zone: 8.E.F.IP6.ARPA
05-Jan-2017 14:24:09.296 automatic empty zone: 9.E.F.IP6.ARPA
05-Jan-2017 14:24:09.296 automatic empty zone: A.E.F.IP6.ARPA
05-Jan-2017 14:24:09.296 automatic empty zone: B.E.F.IP6.ARPA
05-Jan-2017 14:24:09.296 automatic empty zone: 8.B.D.0.1.0.0.2.IP6.ARPA
05-Jan-2017 14:24:09.296 automatic empty zone: EMPTY.AS112.ARPA
05-Jan-2017 14:24:09.296 zone_settimer: zone version.bind/CH: enter
05-Jan-2017 14:24:09.296 zone_settimer: zone version.bind/CH: settimer inactive
05-Jan-2017 14:24:09.297 view.c:951: REQUIRE(view->zonetable != ((void *)0)) failed, back trace
05-Jan-2017 14:24:09.297 #0 0x55a40e2c45d0 in ??
05-Jan-2017 14:24:09.297 #1 0x7f97520a5dda in ??
05-Jan-2017 14:24:09.297 #2 0x7f97524600da in ??
05-Jan-2017 14:24:09.297 #3 0x55a40e2e0be9 in ??
05-Jan-2017 14:24:09.297 #4 0x55a40e2a7196 in ??
05-Jan-2017 14:24:09.297 #5 0x55a40e2ed04b in ??
05-Jan-2017 14:24:09.297 #6 0x55a40e2eebd3 in ??
05-Jan-2017 14:24:09.297 #7 0x7f97520cb843 in ??
05-Jan-2017 14:24:09.297 #8 0x7f97501a073a in ??
05-Jan-2017 14:24:09.297 #9 0x7f974f21639f in ??
05-Jan-2017 14:24:09.297 exiting (due to assertion failure)
Aborted (core dumped)


Expected results:


Additional info:

Backtrace from coredumpctl:
(gdb) bt
#0  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:51
#1  0x00007f974f14563a in __GI_abort () at abort.c:89
#2  0x000055a40e2c4778 in assertion_failed (file=<optimized out>, 
    line=<optimized out>, type=<optimized out>, cond=<optimized out>)
    at ./main.c:229
#3  0x00007f97520a5dda in isc_assertion_failed (
    file=file@entry=0x7f97524e7ba2 "view.c", line=line@entry=951, 
    type=type@entry=isc_assertiontype_require, 
    cond=cond@entry=0x7f97524e7e70 "view->zonetable != ((void *)0)")
    at assertions.c:49
#4  0x00007f97524600da in dns_view_addzone (view=view@entry=0x7f9741d78960, 
    zone=<optimized out>) at view.c:951
#5  0x000055a40e2e0be9 in configure_zone (config=config@entry=0x7f9752b44010, 
    zconfig=0x7f9752b3fd58, vconfig=vconfig@entry=0x7f9752b3f3f8, 
    mctx=mctx@entry=0x55a40e9303d0, view=view@entry=0x7f9741d78960, 
    viewlist=viewlist@entry=0x7f974d618910, aclconf=0x7f9752b1b0d8, 
    added=isc_boolean_false, old_rpz_ok=isc_boolean_false, 
    modify=isc_boolean_false) at ./server.c:5555
#6  0x000055a40e2a7196 in configure_view (view=0x7f9741d78960, 
    viewlist=viewlist@entry=0x7f974d618910, config=0x7f9752b44010, 
    vconfig=vconfig@entry=0x7f9752b3f3f8, 
    cachelist=cachelist@entry=0x7f974d618930, bindkeys=0x7f9752b49c90, 
    mctx=0x55a40e9303d0, actx=0x7f9752b1b0d8, need_hints=isc_boolean_false)
    at ./server.c:3332
#7  0x000055a40e2ed04b in load_configuration (filename=<optimized out>, 
    server=server@entry=0x7f9752b1a010, 
    first_time=first_time@entry=isc_boolean_true) at ./server.c:7672
#8  0x000055a40e2eebd3 in run_server (task=<optimized out>, 
    event=<optimized out>) at ./server.c:8270
#9  0x00007f97520cb843 in dispatch (manager=0x7f9752b12010) at task.c:1139
#10 run (uap=0x7f9752b12010) at task.c:1311
#11 0x00007f97501a073a in start_thread (arg=0x7f974d619700)
    at pthread_create.c:333
#12 0x00007f974f21639f in clone ()
    at ../sysdeps/unix/sysv/linux/x86_64/clone.S:97

Comment 1 Petr Menšík 2017-01-05 13:49:02 UTC

Something bad happens in lib/dns/view.c:118 and bind-dyndb-ldap src/ldap_driver.c:1062. It is propably related to existence of two almost same libraries libisc+libdns for named and libisc-pkcs11+libdns-pkcs11 for named-pkcs11.

Strange thing is it will not fail assertions if bind-dyndb-ldap is linked against libisc-pkcs11 and libdns-pkcs11. Previous versions did not need that. What happened exactly is still unclear.

Comment 2 Petr Menšík 2017-01-19 09:57:58 UTC

It seems bind-dyndb-ldap plugin is using its own library linked from libdns. The same calls are not used from bind and from bind-dyndb-ldap plugin, that creates inconsistent state. Until pkcs11 libraries are split by less conflicting way, the best solution is to not use RTLD_DEEPBIND for dlopen.

Comment 3 Fedora End Of Life 2017-02-28 10:53:03 UTC

This bug appears to have been reported against 'rawhide' during the Fedora 26 development cycle.
Changing version to '26'.

Comment 4 Petr Menšík 2017-03-16 15:24:23 UTC

Fixed by commit 3d5ea105bd877f0069452e450320f8877b01cb52
version bind-9.11.0-6.P2.fc26

Note You need to log in before you can comment on or make changes to this bug.