[Freeipa-devel] beware of abrt.pth
John Dennis
jdennis at redhat.com
Tue Oct 30 15:34:26 UTC 2012
I've been adding some functionality to python-nss to support IPA. Right
before I was ready to wrap up the work I upgraded my system and started
to see failures in things that had previously worked. I finally tracked
the problem down to the abrt-addon-python package which installs
abrt.pth into Python's site-packages directory. abrt.pth causes the
abrt_exception_handler to be loaded into every Python application which
then pulls in a lot of other modules which execute during initialization
with the potential for damaging (silent) side effects.
In particular any application using nss_init() to initialize NSS to a
NSS database will fail all it's PKI operations (which we do in IPA)
because abrt loads rpm which initializes NSS without a database.
We should be using nss_init_context() instead as explained in this document:
https://wiki.mozilla.org/NSS_Library_Init
The following trac ticket has been opened, #3227
I have filed these bugs against abrt and rpm
https://bugzilla.redhat.com/show_bug.cgi?id=871506
https://bugzilla.redhat.com/show_bug.cgi?id=871485
In the near term we need to aware the abrt-addon-python package has the
potential to cause problems with PKI.
IPA may be immune from the issue because we initialize and shutdown NSS
multiple times which may undo the damage done by abrt, yet on the other
hand if we've shutdown NSS and the abrt exception handler runs it may fail.
The initialization of NSS by libraries loaded by us on on behalf of
external agents may explain some of the NSS shutdown problems we've been
having (mostly because NSS was never designed to support the use of NSS
by libraries as explained in the above document. The introduction of NSS
context's was grafted onto NSS to mitigate but not fully solve the issue.
--
John Dennis <jdennis at redhat.com>
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
More information about the Freeipa-devel
mailing list