[Freeipa-devel] beware of abrt.pth
Simo Sorce
simo at redhat.com
Tue Oct 30 15:42:40 UTC 2012
On Tue, 2012-10-30 at 11:34 -0400, John Dennis wrote:
> I've been adding some functionality to python-nss to support IPA. Right
> before I was ready to wrap up the work I upgraded my system and started
> to see failures in things that had previously worked. I finally tracked
> the problem down to the abrt-addon-python package which installs
> abrt.pth into Python's site-packages directory. abrt.pth causes the
> abrt_exception_handler to be loaded into every Python application which
> then pulls in a lot of other modules which execute during initialization
> with the potential for damaging (silent) side effects.
>
> In particular any application using nss_init() to initialize NSS to a
> NSS database will fail all it's PKI operations (which we do in IPA)
> because abrt loads rpm which initializes NSS without a database.
> We should be using nss_init_context() instead as explained in this document:
>
> https://wiki.mozilla.org/NSS_Library_Init
>
> The following trac ticket has been opened, #3227
>
> I have filed these bugs against abrt and rpm
>
> https://bugzilla.redhat.com/show_bug.cgi?id=871506
> https://bugzilla.redhat.com/show_bug.cgi?id=871485
>
> In the near term we need to aware the abrt-addon-python package has the
> potential to cause problems with PKI.
>
> IPA may be immune from the issue because we initialize and shutdown NSS
> multiple times which may undo the damage done by abrt, yet on the other
> hand if we've shutdown NSS and the abrt exception handler runs it may fail.
>
> The initialization of NSS by libraries loaded by us on on behalf of
> external agents may explain some of the NSS shutdown problems we've been
> having (mostly because NSS was never designed to support the use of NSS
> by libraries as explained in the above document. The introduction of NSS
> context's was grafted onto NSS to mitigate but not fully solve the issue.
>
Should we make freeipa packages conflict with that module for the time
being ?
Simo.
--
Simo Sorce * Red Hat, Inc * New York
More information about the Freeipa-devel
mailing list