Nixpkgs: ntp-4.2.8p9 fails to build against libressl

Created on 1 Dec 2016 · 15Comments · Source: NixOS/nixpkgs

Issue description

For the last few days (on my grsecurity-enabled system -- which seems to be the cause of most such failures), my nixos-rebuild builds have been failing with the ntp package:

...
[lots of build output]
...
env CCACHE_DISABLE=1 gcc -DHAVE_CONFIG_H -I.  -I./../include -I./../lib/isc/include -I./../lib/isc/pthreads/include -I./../lib/isc/unix/include -I./libopts -I./libevent/include -I./libevent/include -I/nix/store/h2rci49qj04dzwdjrg05jii31xssd3b9-libressl-2.4.4-dev/include  -ffunction-sections -fdata-sections -Wall -Wcast-align -Wcast-qual -Wmissing-prototypes -Wpointer-arith -Wshadow -Winit-self -Wstrict-overflow   -Wno-strict-prototypes -g -O2 -c version.c -o version.o
  CCLD     sntp
libsntp.a(crypto.o): In function `make_mac':
/tmp/nix-build-ntp-4.2.8p9.drv-0/ntp-4.2.8p9/sntp/crypto.c:31: undefined reference to `EVP_MD_CTX_new'
/tmp/nix-build-ntp-4.2.8p9.drv-0/ntp-4.2.8p9/sntp/crypto.c:36: undefined reference to `EVP_MD_CTX_free'
../libntp/libntp.a(ssl_init.o): In function `keytype_from_text':
/tmp/nix-build-ntp-4.2.8p9.drv-0/ntp-4.2.8p9/libntp/ssl_init.c:116: undefined reference to `EVP_MD_CTX_new'
/tmp/nix-build-ntp-4.2.8p9.drv-0/ntp-4.2.8p9/libntp/ssl_init.c:119: undefined reference to `EVP_MD_CTX_free'
collect2: error: ld returned 1 exit status
make[4]: *** [Makefile:896: sntp] Error 1
make[4]: Leaving directory '/tmp/nix-build-ntp-4.2.8p9.drv-0/ntp-4.2.8p9/sntp'
make[3]: *** [Makefile:1057: all-recursive] Error 1
make[3]: Leaving directory '/tmp/nix-build-ntp-4.2.8p9.drv-0/ntp-4.2.8p9/sntp'
make[2]: *** [Makefile:685: all] Error 2
make[2]: Leaving directory '/tmp/nix-build-ntp-4.2.8p9.drv-0/ntp-4.2.8p9/sntp'
make[1]: *** [Makefile:667: all-recursive] Error 1
make[1]: Leaving directory '/tmp/nix-build-ntp-4.2.8p9.drv-0/ntp-4.2.8p9'
make: *** [Makefile:599: all] Error 2
builder for ‘/nix/store/av8bvv753ka8kfalavmikcxydx5hp481-ntp-4.2.8p9.drv’ failed with exit code 2
...

System: (NixOS: nixos-version, Ubuntu/Fedora: lsb_release -a, ...)
17.03.git.d3a7404 (Gorilla)
Nix version: (run nix-env --version)
nix-env (Nix) 1.11.4
Nixpkgs version: (run nix-instantiate --eval '<nixpkgs>' -A lib.nixpkgsVersion)
"17.03.git.d3a7404"

Source

mrobbetts

Most helpful comment

@mrobbetts This is an error I saw a few weeks ago when trying to build ntp with libressl. Do you maybe have an override for openssl in your packageOverrides?

fpletz on 2 Dec 2016

👍2

All 15 comments

If this is due to grsecurity, you'll most likely see a corresponding message in dmesg

joachifm on 1 Dec 2016

@joachifm, I was being a little throwaway there; just, most of my recent problems have been due to the fact that I use grsecurity in some way -- not necessarily that the enhanced security prevents things from working, but that the grsec module/infrastructure has odd problems from time to time (e.g. see #20490).

Perhaps it's nothing to do with this, of course, but it seems like something other people would have reported already, otherwise...

Anyhow, I don't see anything from grsecurity in my dmesg that doesn't look informational (mostly about mounts and unmounts due to nixos-rebuild)

mrobbetts on 1 Dec 2016

Note that the nixpkgs version you're in on is behind even nixos-unstable. ntp builds fine for me on master. Not sure what's going on here. Perhaps @fpletz knows.

joachifm on 1 Dec 2016

Oh, that isn't right. I'm following master -- I override nix.nixPath in my configuration.nix with a local clone of the repo (I know I know, following master breaks now and then... like now, possibly). I take it thatnix-instantiate doesn't notice!

Anyway, I normally wait out breakages like this and they normally get fixed in a few days. But it has been long enough now that it seemed worth reporting.

mrobbetts on 1 Dec 2016

There is a substitute for ntp in cache (https://hydra.nixos.org/build/44311688); the fact that nixos-rebuild wants to build the package indicates that something's not quite right.

joachifm on 2 Dec 2016

This system actually builds a lot of its packages from scratch. Not all, but many. I've assumed that something about my configuration changes some low-level hash and the effect ripples through. Could it be the non-usual location for my nixpkgs clone, or something like that?

Things generally work fine though, and errors I get are reproducible by others.

mrobbetts on 2 Dec 2016

If you're tracking master, local builds are expected (depending on the state of the cache at the time you issue the build command), but not if the packages in question are available in cache, as is the case for ntp right now.

joachifm on 2 Dec 2016

You can do something like

nix-build -I nixpkgs=https://github.com/NixOS/nixpkgs/archive/master.tar.gz '<nixpkgs/nixos>' -I nixos-config=/path/to/configuration.nix -A system

to be sure that you're building against current master.

joachifm on 2 Dec 2016

@mrobbetts This is an error I saw a few weeks ago when trying to build ntp with libressl. Do you maybe have an override for openssl in your packageOverrides?

fpletz on 2 Dec 2016

👍2

@fpletz, I absolutely do :)

Any workaround?

mrobbetts on 2 Dec 2016

Unfortunately not. Somehow the version bump from ntp-4.2.8p8 to ntp-4.2.8p9 broke libressl support. We had to bump ntp to fix quite a few security issues.

But at least ntp succeeds to build with openssl-1.1.0. That's what we're currently doing. We aren't using ntpd on production machines though.

fpletz on 2 Dec 2016

👍1

(triage) still a problem?