[Freeipa-devel] beware of abrt.pth

Simo Sorce simo at redhat.com
Tue Oct 30 15:42:40 UTC 2012


On Tue, 2012-10-30 at 11:34 -0400, John Dennis wrote:
> I've been adding some functionality to python-nss to support IPA. Right 
> before I was ready to wrap up the work I upgraded my system and started 
> to see failures in things that had previously worked. I finally tracked 
> the problem down to the abrt-addon-python package which installs 
> abrt.pth into Python's site-packages directory. abrt.pth causes the 
> abrt_exception_handler to be loaded into every Python application which 
> then pulls in a lot of other modules which execute during initialization 
> with the potential for damaging (silent) side effects.
> 
> In particular any application using nss_init() to initialize NSS to a 
> NSS database will fail all its PKI operations (which we do in IPA) 
> because abrt loads rpm which initializes NSS without a database.
> We should be using nss_init_context() instead as explained in this document:
> 
> https://wiki.mozilla.org/NSS_Library_Init
> 
> The following trac ticket has been opened, #3227
> 
> I have filed these bugs against abrt and rpm
> 
> https://bugzilla.redhat.com/show_bug.cgi?id=871506
> https://bugzilla.redhat.com/show_bug.cgi?id=871485
> 
> In the near term we need to be aware the abrt-addon-python package has the 
> potential to cause problems with PKI.
> 
> IPA may be immune from the issue because we initialize and shut down NSS 
> multiple times which may undo the damage done by abrt, yet on the other 
> hand if we've shut down NSS and the abrt exception handler runs it may fail.
> 
> The initialization of NSS by libraries loaded by us on behalf of 
> external agents may explain some of the NSS shutdown problems we've been 
> having (mostly because NSS was never designed to support the use of NSS 
> by libraries as explained in the above document). The introduction of NSS 
> contexts was grafted onto NSS to mitigate but not fully solve the issue.
> 

Should we make freeipa packages conflict with that module for the time
being?

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
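
The mechanism described in the quoted message (a .pth file in site-packages pulling a module into every Python process) can be audited on a host. The script below is an added example, not part of the original thread or of any FreeIPA or abrt code; the abrt.pth content used in demo() is constructed for illustration.

```python
import os
import site
import tempfile


def pth_import_lines(directory):
    """List (file, line) for each line site.py would exec() from *.pth files.

    site.py skips blank and '#' lines, exec()s lines that start with
    'import ' or 'import\\t', and treats every other line as a sys.path entry.
    """
    findings = []
    if not os.path.isdir(directory):
        return findings
    for name in sorted(os.listdir(directory)):
        if not name.endswith(".pth"):
            continue
        try:
            with open(os.path.join(directory, name), errors="replace") as fh:
                lines = fh.read().splitlines()
        except OSError:
            continue  # unreadable file: nothing to report
        for line in lines:
            if line.startswith(("import ", "import\t")):
                findings.append((name, line.strip()))
    return findings


def site_dirs():
    """Directories this interpreter scans for .pth files at startup."""
    dirs = set(site.getsitepackages())
    if site.ENABLE_USER_SITE:
        dirs.add(site.getusersitepackages())
    return sorted(dirs)


def demo():
    """Scan a constructed site-packages that holds a constructed abrt.pth."""
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "abrt.pth"), "w") as fh:
            fh.write("import abrt_exception_handler\n")  # constructed content
        with open(os.path.join(d, "paths.pth"), "w") as fh:
            fh.write("# comment\n./extra_dir\n")  # path-only file, not flagged
        return pth_import_lines(d)


if __name__ == "__main__":
    for d in site_dirs():
        for name, line in pth_import_lines(d):
            print(f"{os.path.join(d, name)}: {line}")
```

Run as a script, it prints every import line that the current interpreter executes at startup from its site directories. Starting Python with -S skips site processing, which helps confirm whether a .pth hook is behind a failure.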



