New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

ssl port redirection fail ( segfault at 60 ip error 4 in libglib-2.0.so.0.3600.3) #1581

Closed
subhashc opened this Issue Dec 12, 2014 · 23 comments

Comments

Projects
None yet
6 participants
@subhashc
Copy link

subhashc commented Dec 12, 2014

I have successfully installed cockpit server in
OS: Redhat Enterprise Linux release 7.0.1406 (Core)
Kernel: 3.10.0-123.el7.x86_64
when i try to browse http://10.10.10.6:9090 it redirect to (SSL) https://10.10.10.6:9090 page is not opening.

http://10.10.10.6:9090 URL is working in local machine but if i open in remote this URL https://10.10.8.6:9090 page is not loading and through below errors

[root@docker-host3 build]# systemctl status cockpit.socket
cockpit.socket - Cockpit Web Server Socket
Loaded: loaded (/usr/lib/systemd/system/cockpit.socket; disabled)
Active: active (listening) since Wed 2014-12-10 23:21:22 IST; 6min ago
Docs: man:cockpit-ws(8)
Listen: [::]:9090 (Stream)

Dec 10 23:21:22 docker-host3 systemd[1]: Starting Cockpit Web Server Socket.
Dec 10 23:21:22 docker-host3 systemd[1]: Listening on Cockpit Web Server Socket.
[root@docker-host3 build]#

var - log

Dec 10 23:25:54 docker-host3 systemd: Starting Cockpit Web Server...
Dec 10 23:25:54 docker-host3 systemd: Started Cockpit Web Server.
Dec 10 23:25:54 docker-host3 cockpit-ws: Using certificate: /usr/etc/cockpit/ws-certs.d/~self-signed.cert
Dec 10 23:25:54 docker-host3 cockpit-ws: HTTP Server listening on port 9090
Dec 10 23:25:55 docker-host3 kernel: cockpit-ws[18479]: segfault at 60 ip 00007f934f0e7621 sp 00007fffe958a6d0 error 4 in libglib-2.0.so.0.3600.3[7f934f0a2000+127000]
Dec 10 23:25:55 docker-host3 abrt-hook-ccpp: Saved core dump of pid 18479 (/usr/libexec/cockpit-ws) to /var/tmp/abrt/ccpp-2014-12-10-23:25:55-18479 (10547200 bytes)
Dec 10 23:25:55 docker-host3 systemd: cockpit.service: main process exited, code=dumped, status=11/SEGV
Dec 10 23:25:55 docker-host3 systemd: Unit cockpit.service entered failed state.
Dec 10 23:25:55 docker-host3 abrt-server: Executable '/usr/libexec/cockpit-ws' doesn't belong to any package and ProcessUnpackaged is set to 'no'
Dec 10 23:25:55 docker-host3 abrt-server: 'post-create' on '/var/tmp/abrt/ccpp-2014-12-10-23:25:55-18479' exited with 1
Dec 10 23:25:55 docker-host3 abrt-server: Deleting problem directory '/var/tmp/abrt/ccpp-2014-12-10-23:25:55-18479'

I have installed and uninstalled multiple times but no luck.

Can any one suggest how to fix?

@stefwalter

This comment has been minimized.

Copy link
Contributor

stefwalter commented Dec 12, 2014

I haven't yet managed to run Cockpit on stock RHEL 7.0 due to dependencies.

But I think this is the same issue that @kbsingh saw on CentOS 7.0. It needed a patch to GLib in order to fix :(

Could you try adding --no-tls to the service file? You can do this like so:

$ sudo mkdir -p /etc/systemd/system/cockpit.service.d
$ sudo printf "[Service]\nExecStart=/usr/libexec/cockpit-ws --no-tls\n" > /etc/systemd/system/cockpit.service.d/no-tls.conf
$ sudo systemctl daemon-reload
$ sudo systemctl restart cockpit
@stefwalter

This comment has been minimized.

@stefwalter

This comment has been minimized.

Copy link
Contributor

stefwalter commented Dec 12, 2014

@subhashc

This comment has been minimized.

Copy link
Author

subhashc commented Dec 12, 2014

Thanks stefwalter,

As you suggested updated the config, but i am unable to login using root credentials.

Status Cockpit service

[root@docker-host3 ~]# systemctl status cockpit.service
cockpit.service - Cockpit Web Server
Loaded: loaded (/usr/lib/systemd/system/cockpit.service; static)
Active: active (running) since Fri 2014-12-12 12:36:28 IST; 20s ago
Docs: man:cockpit-ws(8)
Process: 11320 ExecStartPre=/usr/sbin/remotectl certificate --ensure --user=root --group= (code=exited, status=0/SUCCESS)
Main PID: 11322 (cockpit-ws)
CGroup: /system.slice/cockpit.service
ââ11322 /usr/libexec/cockpit-ws --no-tls

Var error log

[root@docker-host3 ~]# tail -f /var/log/messages
Dec 12 12:34:34 docker-host3 systemd: Started Flexible Branding Service.
Dec 12 12:36:28 docker-host3 systemd: Starting Cockpit Web Server...
Dec 12 12:36:28 docker-host3 systemd: Started Cockpit Web Server.
Dec 12 12:36:28 docker-host3 cockpit-ws: HTTP Server listening on port 9090
Dec 12 12:36:41 docker-host3 cockpit-ws: received invalid HTTP request line
Dec 12 12:38:13 docker-host3 cockpit-ws: cockpit-session: gssapi auth failed: An unsupported mechanism was requested (Unknown error)
Dec 12 12:38:23 docker-host3 cockpit-ws: cockpit-session: gssapi auth failed: An unsupported mechanism was requested (Unknown error)
^C
[root@docker-host3 ~]#

Could you please suggest.

@stefwalter

This comment has been minimized.

Copy link
Contributor

stefwalter commented Dec 12, 2014

How did you install Cockpit? Did you build from source? Did you follow all the instructions in https://github.com/cockpit-project/cockpit/blob/master/HACKING.md

@stefwalter stefwalter added the question label Dec 12, 2014

@subhashc

This comment has been minimized.

Copy link
Author

subhashc commented Dec 12, 2014

@stefwalter

This comment has been minimized.

Copy link
Contributor

stefwalter commented Dec 12, 2014

What are the contents of /etc/pam.d/cockpit ?

@stefwalter

This comment has been minimized.

Copy link
Contributor

stefwalter commented Dec 12, 2014

By the way, join us on IRC at #cockpit on FreeNode if you'd like to look into this a bit quicker.

@subhashc

This comment has been minimized.

Copy link
Author

subhashc commented Dec 12, 2014

After restarting cockpit and i am able to login cockpit portal.

Folder  /etc/pam.d/cockpit
---------------------------------
[root@docker-host3 ~]# cat /etc/pam.d/cockpit
#%PAM-1.0
auth            required     pam_sepermit.so
auth            substack     password-auth
auth            include      postlogin
auth            optional     pam_reauthorize.so prepare
account         required     pam_nologin.so
account         include      password-auth
password        include      password-auth
# pam_selinux.so close should be the first session rule
session         required     pam_selinux.so close
session         required     pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session         required     pam_selinux.so open env_params
session         optional     pam_keyinit.so force revoke
session         optional     pam_reauthorize.so prepare
session         include      password-auth
session         include      postlogin
---------------------------------------------------------------------
Thanks alot for quick support. 

How to add remote servers in to cockpit server. do you i need any agent on rhel 6 and rhel 7.

@stefwalter stefwalter added the invalid label Dec 12, 2014

@stefwalter stefwalter closed this Dec 12, 2014

@stefwalter

This comment has been minimized.

Copy link
Contributor

stefwalter commented Dec 12, 2014

Those other servers neeed to have Cockpit installed too. The cockpit-bridge (which is sort of an agent) is started automatically on the remote server when Cockpit connects. Nothing else needs to be running on those servers.

Building on RHEL 6 is an open work item, with some issues tracked here: #1438

@subhashc

This comment has been minimized.

Copy link
Author

subhashc commented Dec 12, 2014

do you mean to say installed complete Cockpit server or do i need to install specific module for cockpit-bride?

Could you please provide any reference on this.

@stefwalter

This comment has been minimized.

Copy link
Contributor

stefwalter commented Dec 12, 2014

The reference is here: http://files.cockpit-project.org/guide/latest/guide.html

Please could you open issues in this github tracker for information you feel is absent from the guide, and we'll see how we can add it.

But to answer your question, currently the simplest way is to install the entirety Cockpit on the other servers, although it does not have to be running.

We are actively refactoring Cockpit so that only certain required parts of it are necessary for installation on other servers. If you would like to participate in trying this out (pre-release stuff) then you could join us on IRC at #cockpit on FreeNode.

@subhashc

This comment has been minimized.

Copy link
Author

subhashc commented Dec 12, 2014

Thanks alot for info..

@e-minguez

This comment has been minimized.

Copy link

e-minguez commented Feb 4, 2015

In my tests, the no-tls.conf needs to "clear" execstart first:

cat /etc/systemd/system/cockpit.service.d/no-tls.conf
[Service]
ExecStart=
ExecStart=/usr/libexec/cockpit-ws --no-tls

(because ExecStart doesn’t allow overwrite the /usr/lib/… default without first “clear” it)

@Ralnoc

This comment has been minimized.

Copy link

Ralnoc commented Mar 4, 2015

The SSL port issue is most likely a result of the fact that CentOS 7 is running on glibc 2.17 and glib2 2.36.3 and Fedora is running on glibc 2.20 and glib2 2.42.1.

Running with the --no-tls option will likely be required until there is an update to that package available for CentOS 7.

@kbsingh

This comment has been minimized.

Copy link

kbsingh commented Mar 4, 2015

cockpit on CentOS-7 is done against glib2 2.36.3 ref: #1581 (comment)

given that we've already moved forward from whats in the baseline distro, to satisfy the cockpit requirement - is there any reason why we cant move to a newer ver ?

the flip side might be - why is cockpit moving to only working with very new versions of deps

@stefwalter

This comment has been minimized.

Copy link
Contributor

stefwalter commented Mar 4, 2015

Why is cockpit moving to only working with very new versions of deps

That's not what we do. Cockpit requires the minimum glib dependency that allows it to function. That is glib-2.37.4. Earlier upstream versions of glib crash due to the glib bug mentioned above. If you've back ported the relevant patches to earlier versions, then you should patch your cockpit.spec to account for that.

I posted this on cockpit-devel many months ago, with specifically CentOS in mind:

https://lists.fedorahosted.org/pipermail/cockpit-devel/2014-December/000212.html

@kbsingh

This comment has been minimized.

Copy link

kbsingh commented Mar 4, 2015

adding @lsm5

we have fozen on cockpit 0.27 since dec due to the Atomic folks asking for it to not move beyond, is this something we need to consider for 0.27 as well ?

Lokesh thoughts ?

@stefwalter

This comment has been minimized.

Copy link
Contributor

stefwalter commented Mar 4, 2015

we have fozen on cockpit 0.27 since dec due to the Atomic folks asking for it to not move beyond, is this something we need to consider for 0.27 as well ?

Yes, that continues to be our last stable release. We're moving toward stabilizing another release in the next month or so.

And yes, the glib bug (and versions in which it is patched) above applies to cockpit-0.27 just as much as it does to the latest development release.

@Ralnoc

This comment has been minimized.

Copy link

Ralnoc commented Mar 4, 2015

Does anyone know if there is there a glibc patched RPM for CentOS 7 out there? Otherwise I'll look into building one for it.

@lsm5

This comment has been minimized.

Copy link
Contributor

lsm5 commented Mar 5, 2015

ok, so these 2 patches were added in the glib2 that cockpit uses: http://fpaste.org/193998/58535414/ and http://fpaste.org/193997/42558532/ .

@stefwalter could you dumb this down for me please: you can use the mechanism provided by pkg-config to override the check in question. Is it a matter of BuildRequires: pkgconfig(glib2) ? Also, I don't see any failure output on running configure. This is probably the missing piece causing trouble on c7.

Sorry about that.

Btw, the NVRs I have:

$ rpm -q cockpit glib2
cockpit-0.27-1.el7.centos.x86_64
glib2-2.36.3-6.el7.centos.x86_64
@lsm5

This comment has been minimized.

Copy link
Contributor

lsm5 commented Mar 5, 2015

@Ralnoc feel free to take this up if you prefer.

@stefwalter

This comment has been minimized.

Copy link
Contributor

stefwalter commented Mar 5, 2015

@lsm5 The cockpit build failures happened here #1586 and commit 7f0a31e

git tag --contains 7f0a31e44b6f590728c02689784a031f14e07e85
0.35
0.36
0.37
0.38
0.39
0.40
0.41

So if you're building any of those versions you either need Glib 2.37.4+ or override pkg-config as described here with environment variables:

https://lists.fedorahosted.org/pipermail/cockpit-devel/2014-December/000212.html

GLIB_TLS_CFLAGS='-pthread -I/usr/include/glib-2.0 -I/usr/lib64/glib-2.0/include' GLIB_TLS_LIBS='-lgio-2.0 -lgobject-2.0 -lglib-2.0' ./configure --prefix=/usr --enable-debug
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment