[SERVER-38130] python pip requirements must be customized to find toolchain openssl Created: 14/Nov/18  Updated: 27/Oct/23  Resolved: 05/Dec/18

Status: Closed
Project: Core Server
Component/s: Build
Affects Version/s: None
Fix Version/s: None

Type: Bug Priority: Major - P3
Reporter: Billy Donahue Assignee: Andrew Morrow (Inactive)
Resolution: Gone away Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Operating System: ALL
Sprint: Dev Tools 2018-12-17
Participants:

 Description   

server-build-time pip installs of cryptographic packages are not being given the appropriate options to point them at the toolchain's openssl libraries. So they end up dynamically linked to the system's openssl libraries, which causes a misalignment and segfaults on some build variants.

(e.g. https://jira.mongodb.org/browse/BF-11234 )

The toolchain cannot anticipate every version of every cryptographic python package to have them available when mongo needs to be built on every buildvariant and every active mongo release branch.

It would be good if we provided a way to make these unanticipated pip installs always point at the toolchain openssl libraries and headers. When toolchain-builder makes the crpytography-2.0 python package, this is done by setting CFLAGS and LDFLAGS in a precise way, deriving values from `pkg-config openssl` with the `PKG_CONFIG_PATH` set to include the openssl stow directory's lib/pkgconfig (see https://github.com/10gen/toolchain-builder/blob/34052ef713cfab4a005f5b8a5fbab692beb1b423/scripts/build-python.sh#L203 ). This pattern needs to be made available for use during mongo configuration when we set up the `virtualenv`s from scons.



 Comments   
Comment by Andrew Morrow (Inactive) [ 05/Dec/18 ]

The underlying issue here was addressed in SERVER-38154 and SERVER-38155, no work remains to do, it has been fixed.

Comment by Billy Donahue [ 15/Nov/18 ]

BF-11234
was caused by the nassl library doing a poor job of isolating its internal SSL symbols.
So we don't know if this is a real problem from just this sslyze and nassl failure.
Holding off on this ticket until another case shows up.

Generated at Thu Feb 08 04:48:02 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.