Description of problem:
When running haproxy with the `nbthread` directive in the configuration, `http-request auth` is broken.
Version-Release number of selected component (if applicable):
haproxy-1.8.14-1.fc29
How reproducible:
Almost always (data race?)
Steps to Reproduce:
1. git clone https://github.com/rbjorklin/selinux-haproxy-bug.git
2. ./setup29.sh
3. visit http://localhost:8080/
4. enter credentials test/test
Actual results:
Credential popup keeps reappearing.
Expected results:
Credential popup disappears and site proceeds to load correctly.
Additional info:
This does not seem to happen on the official haproxy docker image based on Debian. Try it out by running ./setup.sh in the above-mentioned git repository.
*** Bug 1643560 has been marked as a duplicate of this bug. ***
I mentioned this to upstream and was told that they could not reproduce the problem using the scripts -- it works 10% of the time. You might want to start a discussion there. I saw the other BZ related to selinux. How are you disabling selinux? Is it disabled on the host and the docker image? Do you have any haproxy logs?
(In reply to Ryan O'Hara from comment #2)
> I mentioned this to upstream and was told that they could not reproduce the
> problem using the scripts -- it works 10% of the time. You might want to
> start a discussion there.
Sorry, meant to say 100% of the time. Big difference. :)
To disable selinux I ran "setenforce 0" on the host system. I don't have any haproxy logs as nothing really useful is printed to journald. I can't reproduce this with the official haproxy image either, only under Fedora which makes me wonder if there are any patches applied in the build chain which are not used by upstream?
(In reply to Robin from comment #4)
> To disable selinux I ran "setenforce 0" on the host system. I don't have any
> haproxy logs as nothing really useful is printed to journald.
OK.
> I can't reproduce this with the official haproxy image either, only under
> Fedora which makes me wonder if there are any patches applied in the build
> chain which are not used by upstream?
No, haproxy in Fedora is unpatched. Same bits as upstream. I talked with upstream about this and Willy sent a possible patch. I do not know if this will fix the problem. Applying the patch and releasing an update in Fedora is easy enough, but I am unsure how/where/when the Fedora image is created. If you know and want to test the patch, please advise. I will attach the patch.
Created attachment 1498983
BUG/MEDIUM: auth/threads: use of crypt() is not thread-safe
Potential patch to solve issue. Unsure if this will resolve problem.
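An added example (not haproxy's code and not the attached patch) modelling why a non-reentrant `crypt()` can reject valid credentials under `nbthread`: crypt(3) returns a pointer to static data that every call overwrites. `toy_hash`, `hash_static`, `hash_r` and the salts are hypothetical stand-ins, and the second worker thread's call is simulated inline so the outcome is deterministic.

```c
#include <stdio.h>
#include <string.h>

#define HASH_LEN 17 /* 16 hex digits + NUL */

/* Toy stand-in for a password hash (64-bit FNV-1a). Not a real KDF. */
static void toy_hash(const char *pw, const char *salt, char out[HASH_LEN])
{
    unsigned long long h = 0xcbf29ce484222325ULL;
    for (const char *p = salt; *p; p++) { h ^= (unsigned char)*p; h *= 0x100000001b3ULL; }
    for (const char *p = pw; *p; p++)   { h ^= (unsigned char)*p; h *= 0x100000001b3ULL; }
    snprintf(out, HASH_LEN, "%016llx", h);
}

/* Same contract as crypt(3): one static result buffer shared by all callers. */
static const char *hash_static(const char *pw, const char *salt)
{
    static char buf[HASH_LEN];
    toy_hash(pw, salt, buf);
    return buf;
}

/* Same contract as crypt_r(3): the caller owns the result buffer. */
static const char *hash_r(const char *pw, const char *salt, char out[HASH_LEN])
{
    toy_hash(pw, salt, out);
    return out;
}

/* Verify test/test while another request's hash call lands between the
 * hash and the strcmp, as a second worker thread could. 1 = accepted. */
int check_shared(const char *stored)
{
    const char *mine = hash_static("test", "s1");
    hash_static("other", "s2"); /* simulated call from the other thread */
    return strcmp(mine, stored) == 0;
}

/* Same interleaving, but each call has its own buffer. 1 = accepted. */
int check_reentrant(const char *stored)
{
    char a[HASH_LEN], b[HASH_LEN];
    const char *mine = hash_r("test", "s1", a);
    hash_r("other", "s2", b);
    return strcmp(mine, stored) == 0;
}

int main(void)
{
    char stored[HASH_LEN];
    toy_hash("test", "s1", stored); /* constructed stored hash for test/test */
    printf("shared static buffer: %s\n", check_shared(stored) ? "accepted" : "rejected");
    printf("per-call buffer:      %s\n", check_reentrant(stored) ? "accepted" : "rejected");
    return 0;
}
```

The shared-buffer check rejects a correct password, which matches the reappearing credential popup; giving each call its own state (as `crypt_r()` does) or serialising calls to `crypt()` with a lock removes the interference.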
I am going to commit this patch and would greatly appreciate any assistance testing. First order of business is to figure out how/when the docker images are being built.
haproxy-1.8.14-2.fc29 has been submitted as an update to Fedora 29. https://bodhi.fedoraproject.org/updates/FEDORA-2018-7d14594565
haproxy-1.8.14-2.fc29 has been pushed to the Fedora 29 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-7d14594565
A Fedora update associated with this bug has been pushed to the stable repository.