Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Use OpenSSL 1.0.2 for Connext on MacOS #436

Merged
merged 5 commits into from
Jun 17, 2020
Merged

Conversation

mikaelarguedas
Copy link
Member

Without this, Connext cannot use the security plugins: ros2/build_farmer#269

Mini2: Build Status
Lore: Build Status

Mini3: Build Status
Not sure what's going on on mini3, It shows the exact same error as the other ones without this patch applied (e.g. nightly on lore https://ci.ros2.org/view/nightly/job/nightly_osx_release/1620/).
it doesn't have the same OpenSSL version as the other ones (1.0.2s vs 1.0.2t), maybe that's part of the reason ?

Tested with #421

@nuclearsandwich
Copy link
Member

@mikaelarguedas am I correct that this modified version of my branch is using OpenSSL 1.0.2 from Homebrew rather than the one distributed by Connext? I have two concerns if that's the case. First I'm not sure when homebrew will drop that OpenSSL version and second it's not guaranteed that Connext will continue to work with that version rather than the one they distribute.

@mikaelarguedas
Copy link
Member Author

am I correct that this modified version of my branch is using OpenSSL 1.0.2 from Homebrew rather than the one distributed by Connext?

Yes

First I'm not sure when homebrew will drop that OpenSSL version

That's a valid concern

second it's not guaranteed that Connext will continue to work with that version rather than the one they distribute.

I'm not sure I got this concern. the deb of connext is not changing so it will keep supporting it. If Connext version finally gets updated it means we will be able to use 1.1.1 and drop the use of the EOL one.

I'm fine using the version provided by RTI as well. I chose to use the homebrew one as this is the only thing that's available on all workers and easily testable for us not managing these machines. I'm 👍 for any approach that gets us to the point where we can test security changes for Foxy

@sloretz
Copy link
Contributor

sloretz commented Apr 30, 2020

am I correct that this modified version of my branch is using OpenSSL 1.0.2 from Homebrew rather than the one distributed by Connext

First I'm not sure when homebrew will drop that OpenSSL version

That's a valid concern

Looks like Homebrew already dropped [email protected]: Homebrew/homebrew-core#46876

@sloretz
Copy link
Contributor

sloretz commented May 1, 2020

Testing this with 1 minor tweak to the path and with osrf/homebrew-ros2#8 which has been installed onto mini1. Just test_security since those are the tests that have been failing.

Build Status -> ros2/ros2_documentation#641

Build Status

@sloretz
Copy link
Contributor

sloretz commented May 1, 2020

Test results look ok using osrf/homebrew-ros2#8. @clalancette was asking why roll a homebrew formula instead of use the RTI provided openssl. It seems like there should be some file called openssl-1.0.2n-host-x64Darwin17clang9.rtipkg, but I've completely failed to find it.

@mikaelarguedas @nuclearsandwich @dirk-thomas do you know how to get access to the connext build of OpenSSL 1.0.2? If not, I'm inclined to move forward with osrf/homebrew-ros2#8.

@mikaelarguedas
Copy link
Member Author

clalancette was asking why roll a homebrew formula instead of use the RTI provided openssl. It seems like there should be some file called openssl-1.0.2n-host-x64Darwin17clang9.rtipkg, but I've completely failed to find it.

Yes I believe that's what @nuclearsandwich tried with the first commit of this PR (ros2/system_tests#409 (comment)). But there were still the security failures. As I didnt know which machines had the connext openssl installed, I used the homebrew one because I could see from the job logs that is was installed on all nodes.

I do not know where @nuclearsandwich found the rtipkgs for MacOS

@sloretz
Copy link
Contributor

sloretz commented May 1, 2020

I do not know where @nuclearsandwich found the rtipkgs for MacOS

Since ros2/system_tests#409 has been merged I'll install openssl using osrf/homebrew-ros2#8 and set RTI_OPENSSL_BIN and RTI_OPENSSL_LIBS in ~/.bashrc. That way the tests will be useful over the weekend until we can get and use the RTI provided openssl.

@sloretz
Copy link
Contributor

sloretz commented May 5, 2020

Since ros2/system_tests#409 has been merged I'll install openssl using osrf/homebrew-ros2#8 and set RTI_OPENSSL_BIN and RTI_OPENSSL_LIBS in ~/.bashrc. That way the tests will be useful over the weekend until we can get and use the RTI provided openssl.

Seems the variables in ~/.bashrc didn't have an effect, but I know this PR works. Merged this branch with master and running a full OSX job Build Status

@ruffsl
Copy link
Member

ruffsl commented May 5, 2020

It seems like there should be some file called openssl-1.0.2n-host-x64Darwin17clang9.rtipkg, but I've completely failed to find it.

I'm guessing that OSRF keeps a local archive of such files, but if you've lost them then you could use the support account that RTI presumably gave to OSRF to download the openssl rtipkgs from: https://support.rti.com/s/downloads?Release=5.3.1

Two days ago they updated the support portal to rename accounts via [email protected], so you may also want to check the respective email address with the account for reset credentials.

@sloretz
Copy link
Contributor

sloretz commented May 6, 2020

@ruffsl @mikaelarguedas what generates the permissions.p7s file? Mini1 is set up to use the RTI provided openssl version, and RTI_OPENSSL_BIN/RTI_OPENSSL_LIBS appear to be set up correctly, but I'm still seeing the security tests fail. It looks like complaint is the current time is earlier than the not_before time in the permissions.p7s file

7: RTI Security Plugins Evaluation License issued to OSRF (OSRF01) ... For non-production use only.
7: Expires on 22-oct-2020 See www.rti.com for more information.
7: [CREATE Participant]RTI_Security_PermissionsGrant_isValidTime:now is before not_before of permissions file
7: [CREATE Participant]RTI_Security_AccessControl_validate_permissions:grant has invalid time
7: [CREATE Participant]RTI_Security_AccessControl_validate_local_permissions:failed to validate local permissions. XML file:
7: [CREATE Participant]RTI_Security_AccessControl_validate_local_permissions:/Users/osrf/jenkins-agent/workspace/test_ci_osx/ws/build/test_security/test/test_security_files/enclaves/subscriber/permissions.p7s
7: [CREATE Participant]DDS_DomainParticipantTrustPlugins_getLocalParticipantSecurityState:!security function validate_local_permissions returned NULL
7: [CREATE Participant]DDS_DomainParticipant_createI:!get local participant security state
7: [CREATE Participant]DDS_DomainParticipantFactory_create_participant_disabledI:!create participant
7: DDSDomainParticipant_impl::create_disabledI:!create participant
7: DDSDomainParticipant_impl::createI:!create participant
7: DomainParticipantFactory_impl::create_participant():!create failure creating participant

permissions.p7s validity section

      <validity>^M
        <not_before>2020-05-06T19:33:29</not_before>^M
        <not_after>2030-05-04T19:33:29</not_after>^M
      </validity>^M

Current date on mini1

$ date
Wed May  6 13:30:01 PDT 2020

Is the permissions.p7s file being generated in the right timezone? The timestamp in permissions.p7s looks like UTC.

@mikaelarguedas
Copy link
Member Author

oh this is a new one then.
Dates are generated in UTC time because Connext was complaining about it in the certificates before ros2/sros2#148.

These files are generated by sros2.
This issue must have appeared in ros2/sros2#205.
Can you can try with ros2/sros2#209 to see if it works around your issue ?

As the tests were failing before that was merged, I would imagine you'll uncover another failure mode after this one.

@ruffsl
Copy link
Member

ruffsl commented May 6, 2020

Is there some logic in checking for daylights savings time or leap seconds that is tripping up MacOS?

https://www.timeanddate.com/worldclock/converter.html?iso=20200506T193329&p1=tz_pt&p2=1440

It seems that mini1 is 3 minutes behind whatever python3 returns here:

https://github.com/ros2/sros2/blob/d4b32b4827b1a45529b8183c82b0841c8132e9a1/sros2/sros2/api/_utilities.py#L83

The mini1's local clock should read after 12:33pm PDT when the cert is created.

@sloretz
Copy link
Contributor

sloretz commented May 6, 2020

Is there some logic in checking for daylights savings time or leap seconds that is tripping up MacOS?

The mini1's local clock should read after 12:33pm PDT when the cert is created.

It probably did read 12:33pm. I would interpret the difference between 13:30 and 12:33 as from the time I ran the build it took 57 minutes until I was ready to write a comment on github.

Can you can try with ros2/sros2#209 to see if it works around your issue ?

It works 🎉 All test_security tests passed using that PR

@mikaelarguedas
Copy link
Member Author

It works 🎉 All test_security tests passed using that PR

@sloretz is this ready for merge then ? or are there some failing tests that arose since?

@sloretz
Copy link
Contributor

sloretz commented May 13, 2020

@sloretz is this ready for merge then ? or are there some failing tests that arose since?

I think we could close this one. The OSX machines are setup with the RTI_OPENSSL_BIN and RTI_OPENSSL_LIBS variables in the ~/.bashrc of the user running the jenkins agent. They're all configured to use the RTI provided openssl, which is a tar archive extracted to /User/<user>/openssl..... It may not make sense to use the old homebrew path as the default since that's no longer available.

@mikaelarguedas
Copy link
Member Author

The OSX machines are setup with the RTI_OPENSSL_BIN and RTI_OPENSSL_LIBS variables in the ~/.bashrc of the user running the jenkins agent.

That's great news! Do you know when this change is expected to take effect?

Apparently the nightlies test_security tests still fail the same way and don't seem to have any /User/<user>/openssl on their PATH/DYLD_LIBRARY_PATH (suggesting the RTI_OPENSSL_* vars are not set)

@sloretz
Copy link
Contributor

sloretz commented May 13, 2020

Apparently the nightlies test_security tests still fail the same way and don't seem to have any /User//openssl on their PATH/DYLD_LIBRARY_PATH (suggesting the RTI_OPENSSL_* vars are not set)

Which nightly has the failing tests? AFAIK all machines are set up this way already.

@sloretz
Copy link
Contributor

sloretz commented May 13, 2020

https://ci.ros2.org/view/nightly/job/nightly_osx_debug/1623/#showFailuresLink

Strange, this one happened on mini3, and it looks like it couldn't open libssl...dylib

7: [CREATE Participant]RTIOsapiLibrary_open:error opening library libnddssecurityd.dylib: dlopen(libnddssecurityd.dylib, 2): Library not loaded: libssl.1.0.0.dylib
7:   Referenced from: /Applications/rti_connext_dds-5.3.1/lib/x64Darwin16clang8.0/libnddssecurityd.dylib
7:   Reason: image not found
7: [CREATE Participant]DDS_DomainParticipantTrustPlugins_initialize:!failed to load library
7: [CREATE Participant]DDS_DomainParticipant_createI:!create builtin trust plugins support
7: [CREATE Participant]DDS_DomainParticipantFactory_create_participant_disabledI:!create participant
7: DDSDomainParticipant_impl::create_disabledI:!create participant
7: DDSDomainParticipant_impl::createI:!create participant
7: DomainParticipantFactory_impl::create_participant():!create failure creating participant

but the RTI_OPENSSL_* environment variables look ok when I ssh in. It looks like the agent process is a child ofPID 1, so maybe it's not being started in a bash terminal, and no environment variables from ~/.bashrc are set? This is strange because I would have sworn it worked on mini1 using the test_ci_osx job.

@mikaelarguedas
Copy link
Member Author

A while back .bashrc and bash_profile didn't take effect in Jenkins, this is why defining variables in here was needed. Maybe this is still the case.

@mikaelarguedas
Copy link
Member Author

@sloretz friendly ping: is there anything we can do to move this forward ? Maybe by installing the openssl 1.0 bottle you built? or by modifying this PR to point the variables to the installation location of RTI's OpenSSL ?

@sloretz
Copy link
Contributor

sloretz commented May 29, 2020

@sloretz friendly ping: is there anything we can do to move this forward ?

@jacobperron will pick it up from here

@mikaelarguedas
Copy link
Member Author

@jacobperron any update on this ? This seems to still be the source of failing tests. If provided the path to the connext security plugins install location on the macOS machines, I can update this PR to point to it and it should hopefully fix all the failing test_security tests

cc @kyrofa

@jacobperron
Copy link
Member

@mikaelarguedas Thanks for the bump. It dropped from my radar. I'll take a look today.

@jacobperron
Copy link
Member

@mikaelarguedas I believe the location of the missing dylib (libssl.1.0.0.dylib) is the same on all of our CI machines: "/Users/osrf/openssl-1.0.2n/x64Darwin17clang9.0/release/lib"

RTI_OPENSSL_LIBS is pointing to the correct place when I login and run the tests manually, but I still see the same test failures. If I manually set DYLD_LIBRARY_PATH in a shell, then the tests pass, (e.g. DYLD_LIBRARY_PATH=${DYLD_LIBRARY_PATH}:${RTI_OPENSSL_LIBS}).

@mikaelarguedas
Copy link
Member Author

mikaelarguedas commented Jun 17, 2020

I believe the location of the missing dylib (libssl.1.0.0.dylib) is the same on all of our CI machines: "/Users/osrf/openssl-1.0.2n/x64Darwin17clang9.0/release/lib"

I gave that a try with f095669.
Looks to be working on all machines but lore:

agent Release Debug
lore https://ci.ros2.org/job/ci_osx/9126/testReport/ https://ci.ros2.org/job/ci_osx/9128/testReport/
mini1 https://ci.ros2.org/job/ci_osx/9125/testReport/ https://ci.ros2.org/job/ci_osx/9145/testReport/
mini2 https://ci.ros2.org/job/ci_osx/9127/testReport/ https://ci.ros2.org/job/ci_osx/9137/testReport/
mini3 https://ci.ros2.org/job/ci_osx/9124/testReport/ https://ci.ros2.org/job/ci_osx/9138/testReport/

@jacobperron
Copy link
Member

@mikaelarguedas I've updated the path to the RTI OpenSSL libraries on lore. Please try again.

nuclearsandwich and others added 5 commits June 17, 2020 22:09
Connext 5.3.1 requires an older version of openssl which is no longer
available from the system macOS installation.
Connext supplies a compatible openssl distribution and
ros2/system_tests#409 sets up a convention for
using it only for the security tests which require it when running with
Connext.

Signed-off-by: Steven! Ragnarök <[email protected]>
Signed-off-by: Mikael Arguedas <[email protected]>
Signed-off-by: Mikael Arguedas <[email protected]>
Signed-off-by: Mikael Arguedas <[email protected]>
Signed-off-by: Mikael Arguedas <[email protected]>
@mikaelarguedas
Copy link
Member Author

Lore Release: Build Status
Lore Debug: Build Status

Looks like this can finally be merged

@kyrofa
Copy link
Member

kyrofa commented Jun 17, 2020

I've updated the path to the RTI OpenSSL libraries on lore.

Thank you @jacobperron! @mikaelarguedas, thank you for your continued efforts.

@jacobperron jacobperron merged commit 8c758cf into master Jun 17, 2020
@delete-merged-branch delete-merged-branch bot deleted the mikael/rti-openssl branch June 17, 2020 20:33
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

6 participants