-
Notifications
You must be signed in to change notification settings - Fork 45
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
segfault on s390x #333
Comments
I unfortunately don't have a host to really test this on so it's not going to be something I can easily fix. One thing that would be good to know is whether it fails trying to import gssapi or whether it fails when you are actually using it. |
I've tried to reproduce this with the latest release using binfmt to run under a different architecture and was unable to replicate the stacktrace. # podman run --rm -it --arch=s390x debian:11
apt-get update
apt-get upgrade
export DEBIAN_FRONTEND=noninteractive
apt-get install python3 python3-pip python3-venv python3-dev gcc krb5-user libkrb5-dev git curl wget vim
python3 -m venv .venv
. .venv/bin/activate
python -m pip install gssapi requests
# Configure your krb5.conf as needed
kinit username@DOMAIN.COM
python winrm_test.py target-host.domain.com whoami The |
Thx jborean93 for taking a look. It was already tested with a test build of a python3-gssapi package in v1.8.3: I cannot follow your way on trying to recreate, since I run into this error:
× pip subprocess to install build dependencies did not run successfully. note: This error originates from a subprocess, and is likely not a problem with pip. But anyway, I believe your attempt will also not work for me - on a s390x system. Because it works for me fine (even using using ipa-client-install) on an amd64 system: root@jammy:~# sudo ipa-client-install WARNING: conflicting time&date synchronization service 'ntp' will be disabled in favor of chronyd DNS discovery failed to determine your DNS domain it's highly likely an s390x-specific issue! |
Sorry if I wasn't clear the test I ran was using s390x emulation with I've now retested it with an Ubuntu 22.04 image and now can replicate the seg fault when installing the package from the normal repos. # podman run --rm -it --arch=s390x ubuntu:22.04
apt-get update
apt-get install python3-gssapi
# Segmentation fault
python3 -c "import gssapi" The same test in Debian 11 and 12 works just fine though indicating their built packages are fine. Ubuntu 22.04 ships with gssapi 1.6.12, Debian 11 with 1.6.11, and Debian 12 with 1.8.2. The fact that it works fine in Debian for 1.6.11 makes me suspicious of the build process that created the artifact. The next thing I tried was manually building it myself using the Python sdist. This is how I originally installed it with my previous Debian test but this time round I tried Ubuntu 22.04. # podman run --rm -it --arch=s390x ubuntu:22.04
apt-get update
apt-get install python3 python3-dev python3-pip python3-venv gcc libkrb5-dev krb5-user
python3 -m venv .venv
. .venv/bin/activate
python3 -m pip install 'gssapi==1.6.12' --verbose
python3 -c "import gssapi" This fails with
Which is somewhat expected as the sdists for 1.6.x included already cythonized .c files which always had problems with Python versions released after that point in time. In the 1.8.x releases we migrated to a PEP 517 compliant sdist where the installer needed to cythonize the files as part of the build process allowing it to take advantage of newer Cython versions at that point in time. We can ignore this as Ubuntu's builds use pure source files and will Cythonize the files with a newer version of Cython that generated the ones in the sdist. Using a newer Cython version alongside with the original source data we can see that it is fine with the built package. # podman run --rm -it --arch=s390x ubuntu:22.04
apt-get update
apt-get install python3 python3-dev python3-pip python3-venv gcc libkrb5-dev krb5-user
python3 -m venv .venv
. .venv/bin/activate
# Cython 3 support was added in v1.8.3
python3 -m pip install 'cython<3.0.0'
python3 -m pip install https://github.com/pythongssapi/python-gssapi/archive/v1.6.12.tar.gz --verbose
python3 -c "import gssapi" This works just fine and the package does not error or segfault here. When looking at the build logs for this package for Jammy at https://launchpadlibrarian.net/591008002/buildlog_ubuntu-jammy-s390x.python-gssapi_1.6.12-1build2_BUILDING.txt.gz I can see that the build process is using the package called cython3 which for Jammy is at
When building from the same build2 source as the Jammy build with the # podman run --rm -it --arch=s390x ubuntu:22.04
apt-get update
apt-get install python3 python3-dev python3-pip gcc libkrb5-dev krb5-user cython3
python3 -m pip install https://launchpad.net/ubuntu/+archive/primary/+sourcefiles/python-gssapi/1.6.12-1build2/python-gssapi_1.6.12.orig.tar.gz --verbose
python3 -c "import gssapi" Unfortunately at this point I don't know what else it could be. Building it locally with the same Cythonized files and source as the build job seems to work just fine but the pre-built package is having troubles. At this point I'm not sure what else I can do here as it seems to be more of a build problem rather than an actual code problem. |
Hi, I see this issue on Ubuntu 23.10 on my real s390x machine with python3-gssapi/mantic 1.8.2-1build1.
The segfault happens here:
=> No mapping at 0x400016418c0 thus we get the segfault. With objdump, we see that there is a relocation for PyExc_ImportError ...:
... which can be found in the python-binary:
The calculation of the relocation at runtime is:
The lgrl-instruction then loads from here as observed by the segfault: The sources for python3-gssapi does not contain the c-file gssapi/raw/_enum_extensions/ext_dce.c but gssapi/raw/_enum_extensions/ext_dce.pyx. |
Thanks for the great investigation there it is very helpful.
The code that interacts with the C gssapi is written in # -2 is language mode 2 which this project still uses
python3 -m cython -2 gssapi/raw/*.pyx gssapi/raw/_enum_extensions/*.pyx The version of Cython used here is very important as the generated code can differ across versions to either include bugfixes or support for newer Python versions. For Ubuntu it should typically correspond to the The build logs for s309x show all these steps to see what Ubuntu is doing to build their package. The build process according to these logs is that it retrieves the source code, installs some required packages (including the
|
Thanks a lot for the explanation. Seems to be an issue with the Ubuntu gcc (which is configured with --enable-default-pie), some issue in the past with pie in the python3-gssapi Ubuntu package (unfortunately no hint in the debian/changelog file) and that LTO is used by default. In addition there seems to be a bug in s390x part of gcc/linker in this scenario as I assume it works on other architectures. From debian/rules:
If I either rebuild the package without disabling pie: ... I can start ipa-client-install as root:
=> Stopped here as I don't have an IPA server and can't reconfigure my system. Without lto, the shared library contains this relocation in got-slot: |
Thanks for the investigation I was able to replicate the stacktrace with the following reproducer now. # podman run --rm -it --arch=s390x ubuntu:22.04
apt-get update
export DEBIAN_FRONTEND=noninteractive
apt-get install python3 python3-dev python3-pip gcc libkrb5-dev krb5-user cython3
python3 -m pip install 'cython<3.0.0'
CFLAGS="-flto=auto -ffat-lto-objects -specs=/usr/share/dpkg/no-pie-compile.specs" python3 -m pip install https://launchpad.net/ubuntu/+archive/primary/+sourcefiles/python-gssapi/1.6.12-1build2/python-gssapi_1.6.12.orig.tar.gz --verbose Unfortunately even when testing with Cython 3.x.y the problem still exists so I've opened cython/cython#5893 with a simple reproducer with just Cython. There seems to be a fundamental problem there that it a bit out of my depth but hopefully that reproducer can help figure out what the problem is with the auto generated code. |
Based on stliibm's investigations I've re-build the package without LTO and using this things worked for me. Cross-posting from Launchpad: |
Closing as it looks like Ubuntu has adjusted their build process to solve this issue and the fundamental problem originally reported is due to the Cython C generated code as reported in cython/cython#5893. |
What went wrong?
segfault running ipa-client-install on s390x, happens also with 1.8.3
How do we reproduce?
needs an s390x host to join an IPA domain
Component versions (python-gssapi, Kerberos, OS / distro, etc.)
Happens at least on Ubuntu 22.04:
python-gssapi 1.6.12 (also tested with 1.8.3)
cython 0.29.28
and 23.10:
python-gssapi 1.8.2
cython 0.29.36
The text was updated successfully, but these errors were encountered: