Bug 1723777 - gnutls-dane depends on unbound-libs which creates huge bootstrap loop
Summary: gnutls-dane depends on unbound-libs which creates huge bootstrap loop
Keywords:
Status: NEW
Alias: None
Product: Fedora
Classification: Fedora
Component: gnutls
Version: rawhide
Hardware: Unspecified
OS: Unspecified
unspecified
urgent
Target Milestone: ---
Assignee: Red Hat Crypto Team
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: RejectedBlocker
Depends On:
Blocks: F31FailsToInstall 1732841
 
Reported: 2019-06-25 11:36 UTC by Miro Hrončok
Modified: 2022-08-30 12:14 UTC (History)

Fixed In Version: unbound-1.8.3-6.fc31
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-06-25 23:47:50 UTC
Type: Bug
Embargoed:



Description Miro Hrončok 2019-06-25 11:36:37 UTC
After the unannounced update of iptables [0], systemd no longer installs:

nothing provides libip4tc.so.0()(64bit) needed by systemd-242-3.git7a6d834.fc31.x86_64

Or builds:

Error: 
 Problem 1: package gnutls-dane-3.6.8-1.fc31.x86_64 requires libunbound.so.8()(64bit), but none of the providers can be installed
  - package gnutls-devel-3.6.8-1.fc31.x86_64 requires libgnutls-dane.so.0()(64bit), but none of the providers can be installed
  - package gnutls-devel-3.6.8-1.fc31.x86_64 requires gnutls-dane(x86-64) = 3.6.8-1.fc31, but none of the providers can be installed
  - package unbound-libs-1.8.3-4.fc30.x86_64 requires systemd, but none of the providers can be installed
  - conflicting requests
  - nothing provides libip4tc.so.0()(64bit) needed by systemd-242-3.git7a6d834.fc31.x86_64
 Problem 2: package cryptsetup-libs-2.2.0-0.2.fc31.x86_64 requires libdevmapper.so.1.02()(64bit), but none of the providers can be installed
  - package cryptsetup-libs-2.2.0-0.2.fc31.x86_64 requires libdevmapper.so.1.02(Base)(64bit), but none of the providers can be installed
  - package cryptsetup-libs-2.2.0-0.2.fc31.x86_64 requires libdevmapper.so.1.02(DM_1_02_97)(64bit), but none of the providers can be installed
  - package device-mapper-libs-1.02.158-1.fc31.x86_64 requires device-mapper = 1.02.158-1.fc31, but none of the providers can be installed
  - package cryptsetup-devel-2.2.0-0.2.fc31.x86_64 requires libcryptsetup.so.12()(64bit), but none of the providers can be installed
  - package device-mapper-1.02.158-1.fc31.x86_64 requires systemd >= 189-3, but none of the providers can be installed
  - conflicting requests
  - nothing provides libip4tc.so.0()(64bit) needed by systemd-242-3.git7a6d834.fc31.x86_64
 Problem 3: package gnutls-devel-3.6.8-1.fc31.x86_64 requires libgnutls-dane.so.0()(64bit), but none of the providers can be installed
  - package gnutls-devel-3.6.8-1.fc31.x86_64 requires gnutls-dane(x86-64) = 3.6.8-1.fc31, but none of the providers can be installed
  - package gnutls-dane-3.6.8-1.fc31.x86_64 requires libunbound.so.8()(64bit), but none of the providers can be installed
  - package libmicrohttpd-devel-1:0.9.64-1.fc31.x86_64 requires pkgconfig(gnutls), but none of the providers can be installed
  - package unbound-libs-1.8.3-4.fc30.x86_64 requires systemd, but none of the providers can be installed
  - conflicting requests
  - nothing provides libip4tc.so.0()(64bit) needed by systemd-242-3.git7a6d834.fc31.x86_64


[0] https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org/thread/EJZQZHKPFO7A2CRH43HQVCX3VNXRGQU4/
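Added example, not part of the original report or of any Fedora tooling: a small triage script that reduces solver output of the kind quoted above to its root cause, showing which missing soname breaks which package and which packages pull that broken package into the transaction. The function names (`nevra_name`, `triage`) and the abridged sample are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: abridged from the solver output quoted in this report.
SAMPLE = """\
Error:
 Problem 1: package gnutls-dane-3.6.8-1.fc31.x86_64 requires libunbound.so.8()(64bit), but none of the providers can be installed
  - package unbound-libs-1.8.3-4.fc30.x86_64 requires systemd, but none of the providers can be installed
  - conflicting requests
  - nothing provides libip4tc.so.0()(64bit) needed by systemd-242-3.git7a6d834.fc31.x86_64
 Problem 2: package device-mapper-libs-1.02.158-1.fc31.x86_64 requires device-mapper = 1.02.158-1.fc31, but none of the providers can be installed
  - package device-mapper-1.02.158-1.fc31.x86_64 requires systemd >= 189-3, but none of the providers can be installed
  - conflicting requests
  - nothing provides libip4tc.so.0()(64bit) needed by systemd-242-3.git7a6d834.fc31.x86_64
"""

PROBLEM = re.compile(r"Problem (\d+):")
REQUIRES = re.compile(r"package (\S+) requires (.+?), but none of the providers can be installed")
MISSING = re.compile(r"nothing provides (\S+) needed by (\S+)")


def nevra_name(nevra):
    """Strip .arch, then -version-release, from name-[epoch:]version-release.arch."""
    return nevra.rsplit(".", 1)[0].rsplit("-", 2)[0]


def triage(text):
    """Group solver problems by the capability that nothing provides."""
    roots = defaultdict(set)     # (missing capability, broken package) -> problem numbers
    requires = defaultdict(set)  # required capability name -> names of requiring packages
    problem = 0                  # stays 0 if the output carries no numbered problems
    for line in text.splitlines():
        if m := PROBLEM.search(line):
            problem = int(m.group(1))
        if m := REQUIRES.search(line):
            # "systemd >= 189-3" -> "systemd": keep the capability name, drop the version
            requires[m.group(2).split()[0]].add(nevra_name(m.group(1)))
        if m := MISSING.search(line):
            roots[(m.group(1), m.group(2))].add(problem)
    return {
        cap: {"broken": pkg,
              "problems": sorted(nums),
              # packages whose Requires name the broken package directly
              "pulled_in_by": sorted(requires.get(nevra_name(pkg), ()))}
        for (cap, pkg), nums in roots.items()
    }


if __name__ == "__main__":
    for cap, info in triage(SAMPLE).items():
        print(cap, info)
```

On the sample, both problems collapse to one missing soname in systemd, and `pulled_in_by` names the two packages that drag systemd into an otherwise unrelated build root.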

Comment 1 Igor Raits 2019-06-25 11:42:46 UTC
I have untagged new iptables to prevent this breakage.

Comment 2 Igor Raits 2019-06-25 11:54:17 UTC
Phil,

please please please, check things before you upgrade packages. Whether it will break anything else or not.

Comment 3 Miro Hrončok 2019-06-25 11:55:40 UTC
With iptables untagged, systemd installs and builds. However there must be some kind of bootstrap to allow the update.

Comment 4 Igor Raits 2019-06-25 12:00:09 UTC
(In reply to Miro Hrončok from comment #3)
> With iptables untagged, systemd installs and builds. However there must be
> some kind of bootstrap to allow the update.

The culprit here I think is gnutls which started to depend on unbound...

Comment 5 Phil Sutter 2019-06-25 12:15:06 UTC
Hi,

(In reply to Igor Gnatenko from comment #2)
> please please please, check things before you upgrade packages. Whether it
> will break anything else or not.

Sorry for the mess. The goal was to rebuild iptables to cover for libnftnl rebase in Rawhide and rebasing while doing so seemed like a good idea.

Comment 7 Björn 'besser82' Esser 2019-06-25 13:37:07 UTC
(In reply to Miro Hrončok from comment #3)
> With iptables untagged, systemd installs and builds. However there must be
> some kind of bootstrap to allow the update.

For so-name bump bootstrapping packages that are Requires within minimal buildroot package, you need to keep the libraries with the old so-name available in an intermediate bootstrap build of the package.  See [1] for an example.

I'm open to offer some provenpackager help here, if needed.


[1]  https://src.fedoraproject.org/rpms/json-c/blob/master/f/json-c.spec

Comment 8 Phil Sutter 2019-06-25 13:53:53 UTC
Hi Björn,

(In reply to Björn 'besser82' Esser from comment #7)
> (In reply to Miro Hrončok from comment #3)
> > With iptables untagged, systemd installs and builds. However there must be
> > some kind of bootstrap to allow the update.
> 
> For so-name bump bootstrapping packages that are Requires within minimal
> buildroot package, you need to keep the libraries with the old so-name
> available in an intermediate bootstrap build of the package.  See [1] for an
> example.
> 
> I'm open to offer some provenpackager help here, if needed.

Thanks for your help, I'll copy the example from json-c to provide a build which provides both old and new libip{4,6}tc.so libs. If possible, I'll then trigger a rebuild of systemd package.

Comment 9 Björn 'besser82' Esser 2019-06-25 14:07:04 UTC
Hi Phil,

sounds good to me.

Don't forget to disable bootstrap after finishing the systemd rebuild and build iptables another time then.

The following packages need a rebuild after finishing the bootstrap process as well:

collectd
connman
keepalived
miniupnpd
perl-IPTables-libiptc

Comment 10 Björn 'besser82' Esser 2019-06-25 18:46:31 UTC
Allrighty, I've rebuilt iptables without bootstrap and the listed consumers successfully.  Closing here, as the issue is solved.

Comment 11 Miro Hrončok 2019-06-25 20:28:55 UTC
I now get: nothing provides libqrencode.so.3()(64bit) needed by systemd-242-4.git7a6d834.fc31.x86_64

Comment 12 Miro Hrončok 2019-06-25 20:38:24 UTC
And this when I attempt to build:

Error: 
 Problem 1: package gnutls-dane-3.6.8-1.fc31.x86_64 requires libunbound.so.8()(64bit), but none of the providers can be installed
  - package gnutls-devel-3.6.8-1.fc31.x86_64 requires libgnutls-dane.so.0()(64bit), but none of the providers can be installed
  - package gnutls-devel-3.6.8-1.fc31.x86_64 requires gnutls-dane(x86-64) = 3.6.8-1.fc31, but none of the providers can be installed
  - package unbound-libs-1.8.3-4.fc30.x86_64 requires systemd, but none of the providers can be installed
  - conflicting requests
  - nothing provides libqrencode.so.3()(64bit) needed by systemd-242-4.git7a6d834.fc31.x86_64
 Problem 2: package cryptsetup-libs-2.2.0-0.2.fc31.x86_64 requires libdevmapper.so.1.02()(64bit), but none of the providers can be installed
  - package cryptsetup-libs-2.2.0-0.2.fc31.x86_64 requires libdevmapper.so.1.02(Base)(64bit), but none of the providers can be installed
  - package cryptsetup-libs-2.2.0-0.2.fc31.x86_64 requires libdevmapper.so.1.02(DM_1_02_97)(64bit), but none of the providers can be installed
  - package device-mapper-libs-1.02.158-1.fc31.x86_64 requires device-mapper = 1.02.158-1.fc31, but none of the providers can be installed
  - package cryptsetup-devel-2.2.0-0.2.fc31.x86_64 requires libcryptsetup.so.12()(64bit), but none of the providers can be installed
  - package device-mapper-1.02.158-1.fc31.x86_64 requires systemd >= 189-3, but none of the providers can be installed
  - conflicting requests
  - nothing provides libqrencode.so.3()(64bit) needed by systemd-242-4.git7a6d834.fc31.x86_64
 Problem 3: package gnutls-devel-3.6.8-1.fc31.x86_64 requires libgnutls-dane.so.0()(64bit), but none of the providers can be installed
  - package gnutls-devel-3.6.8-1.fc31.x86_64 requires gnutls-dane(x86-64) = 3.6.8-1.fc31, but none of the providers can be installed
  - package gnutls-dane-3.6.8-1.fc31.x86_64 requires libunbound.so.8()(64bit), but none of the providers can be installed
  - package libmicrohttpd-devel-1:0.9.64-1.fc31.x86_64 requires pkgconfig(gnutls), but none of the providers can be installed
  - package unbound-libs-1.8.3-4.fc30.x86_64 requires systemd, but none of the providers can be installed
  - conflicting requests
  - nothing provides libqrencode.so.3()(64bit) needed by systemd-242-4.git7a6d834.fc31.x86_64

Can somebody please untag the qrencode update?

Comment 13 Björn 'besser82' Esser 2019-06-25 23:47:50 UTC
qrencode and all its consumers have been successfully rebuilt against the new so version.  [1]


[1]  https://koji.fedoraproject.org/koji/taskinfo?taskID=35827273

Comment 14 Igor Raits 2019-06-26 05:42:00 UTC
So since we reuse this bug for multiple things, let me do it once more :)

gnutls-dane did not depend on unbound at some point so all these issues would not appear. Also people probably should not get unbound on their systems by default.

Comment 15 Zbigniew Jędrzejewski-Szmek 2019-06-26 08:36:31 UTC
All the dependencies in this loop should be carefully minimized.
gnutls-dane depends on unbound-libs, so removing the dependency might not be easy.
But gnutls-libs does not need to depend on systemd at all:
https://src.fedoraproject.org/rpms/unbound/pull-request/2.

Comment 16 Phil Sutter 2019-06-26 09:46:01 UTC
Hi Björn,

(In reply to Björn 'besser82' Esser from comment #10)
> Allrighty, I've rebuilt iptables without bootstrap and the listed consumers
> successfully.  Closing here, as the issue is solved.

Thanks for helping out! I had to leave yesterday while analyzing the cause for
the extra libiptc.so files. Upstream has dropped that and I wanted to check if
perl-IPTables-libiptc (the only direct user) builds without it. It does, but
I'll leave removal of that shared object to another day.

Thanks, Phil

Comment 17 Nikos Mavrogiannopoulos 2019-06-26 11:30:15 UTC
> So since we reuse this bug for multiple things, let me do it once more :)
> gnutls-dane did not depend on unbound at some point so all these issues would not appear. Also people probably should not get unbound on their systems by default.

Hi,
 gnutls-dane depends on unbound libraries for dnssec but not unbound itself. That dependency was always there.

Comment 18 Stephen Gallagher 2019-07-15 13:24:14 UTC
Being unable to install systemd would definitely violate release criteria, so +1 blocker.

Comment 19 Geoffrey Marr 2019-07-15 18:58:44 UTC
Discussed during the 2019-07-15 blocker review meeting: [1]

The decision to classify this bug as a "RejectedBlocker" was made as our understanding is that the initial problem covered by this bug indeed was a blocker (it would've prevented composes), but that issue was resolved and now the bug has been re-opened for a different and less critical reason (see comment #14). As we understand the current issue, it does not violate any criteria.

[1] https://meetbot.fedoraproject.org/fedora-blocker-review/2019-07-15/f31-blocker-review.2019-07-15-16.05.txt

Comment 20 Zbigniew Jędrzejewski-Szmek 2019-08-05 20:23:39 UTC
I built unbound without the build-time and installation-time deps on systemd. I'm leaving this open since there might be other things to fix.

Comment 21 Ben Cotton 2019-08-13 18:32:33 UTC
This bug appears to have been reported against 'rawhide' during the Fedora 31 development cycle.
Changing version to 31.

Comment 22 Fedora Release Engineering 2019-09-22 04:22:40 UTC
Dear Maintainer,

your package has not been built successfully in 31. Action is required from you.

If you can fix your package to build, perform a build in koji, and either create
an update in bodhi, or close this bug without creating an update, if updating is
not appropriate [1]. If you are working on a fix, set the status to ASSIGNED to
acknowledge this. Following the latest policy for such packages [2], your package
can be orphaned if this bug remains in NEW state more than 8 weeks.

A week before the mass branching of Fedora 32 according to the schedule [3],
any packages which still have open FTBFS bugs from Fedora 31 will be retired.

[1] https://fedoraproject.org/wiki/Updates_Policy
[2] https://docs.fedoraproject.org/en-US/fesco/Fails_to_build_from_source_Fails_to_install/
[3] https://fedoraproject.org/wiki/Releases/32/Schedule

Comment 23 Miro Hrončok 2019-09-22 08:58:05 UTC
Unblocking F31FTBFS to avoid being tracked as such.

Comment 24 Petr Menšík 2019-11-27 14:44:31 UTC
(In reply to Zbigniew Jędrzejewski-Szmek from comment #20)
> I built unbound without the build-time and installation-time deps on
> systemd. I'm leaving this open since there might be other things to fix.

unbound-libs in fact provides not only libraries. It also provides unbound-anchor binary and corresponding unbound-anchor.service. They need systemd to maintain valid DNS root trust key. Because every validation done by unbound-libs requires also valid root trust anchor, it has to stay with libs. But in default case, it should validate also without working unbound-anchor.service if recent enough.

But unbound has some support for systemd, which might be eventually compiled in. That would affect also unbound-libs, if that was the case.

Would it help, if gnutls was built in bootstrap mode without DANE support? unbound-libs are required just for DANE, which might not be useful for very basic bootstrap builds. This dependency is there just for gnutls-dane, which is used by gnutls-utils only. I think that might be omitted. It already supports building --without dane. Would turning it off help in bootstrap mode? What do you think?

Comment 25 Fedora Admin user for bugzilla script actions 2020-07-03 02:46:27 UTC
This package has changed maintainer in Fedora.
Reassigning to the new maintainer of this component.

Comment 26 Ben Cotton 2020-11-03 16:47:07 UTC
This message is a reminder that Fedora 31 is nearing its end of life.
Fedora will stop maintaining and issuing updates for Fedora 31 on 2020-11-24.
It is Fedora's policy to close all bug reports from releases that are no longer
maintained. At that time this bug will be closed as EOL if it remains open with a
Fedora 'version' of '31'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version.

Thank you for reporting this issue and we are sorry that we were not 
able to fix it before Fedora 31 is end of life. If you would still like 
to see this bug fixed and are able to reproduce it against a later version 
of Fedora, you are encouraged to change the 'version' to a later Fedora 
version prior to this bug being closed as described in the policy above.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events. Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.

Comment 27 Petr Menšík 2022-07-08 16:28:54 UTC
I think this might be fixed by unbound-libs not requiring systemd anymore. It needs it only to have valid storage for unbound-anchor.service unit, but which is not mandatory.

I am making further difference between unbound-anchor and unbound-libs in build unbound-1.16.0-5.fc36. But I believe the described loop happened only because of dependency on systemd.

I made a proposal to filesystem to include also systemd unit directories:
https://src.fedoraproject.org/rpms/filesystem/pull-request/6

That would make unit files owned when the package provides systemd units, but its functionality does not require them running. Just as is a majority of services I think.
Is there more to solve for this bug?

