hadoop-common-issues mailing list archives

From "Colin Patrick McCabe (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HADOOP-11216) Improve Openssl library finding
Date Tue, 28 Oct 2014 23:15:34 GMT

    [ https://issues.apache.org/jira/browse/HADOOP-11216?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14187679#comment-14187679 ]

Colin Patrick McCabe commented on HADOOP-11216:
-----------------------------------------------

* This patch sets bundling to false by default, but doesn't remove the openssl.prefix, openssl.include,
openssl.library.

* It fixes a bug where {{STORED_CMAKE_FIND_LIBRARY_SUFFIXES}} was not being correctly preserved.

* It adds a compile-time check that the openssl version we're compiling against is not too
old.

* We now link against {{libcrypto.so}} (no suffix).  This avoids all the issues with distro
(and distro-version)-specific suffixes.  The user can supply openssl in a few different ways:
** Installing the openssl-dev package for the distro, if the distro is new enough.  This will
create a libcrypto.so (no suffix) symlink.  We don't have to play the suffix guessing game
because devel packages always include a no-suffix version.
** Bundling openssl.  I don't anticipate that any major hadoop distribution will do this.
 It would require us to update Hadoop each time an openssl vulnerability was found.  It also
has some export control issues.
** Doing a custom install of openssl and creating a symlink from the Hadoop library path to
it.  This should only be necessary on older distros that don't have a new enough openssl version.
 This is also the case where we may need openssl.suffix and the rest.

Take a look...

> Improve Openssl library finding
> -------------------------------
>
>                 Key: HADOOP-11216
>                 URL: https://issues.apache.org/jira/browse/HADOOP-11216
>             Project: Hadoop Common
>          Issue Type: Improvement
>          Components: security
>    Affects Versions: 2.6.0
>            Reporter: Yi Liu
>            Assignee: Colin Patrick McCabe
>         Attachments: HADOOP-11216.003.patch, HADOOP-11216.004.patch
>
>
> When we compile Openssl 1.0.0(x) or 1.0.1(x) using default options, there will be {{libcrypto.so.1.0.0}} in output lib dir, so we expect this version suffix in cmake build file
> {code}
> SET(STORED_CMAKE_FIND_LIBRARY_SUFFIXES CMAKE_FIND_LIBRARY_SUFFIXES)
> set_find_shared_library_version("1.0.0")
> SET(OPENSSL_NAME "crypto")
> ....
> {code}
> If we don't bundle the crypto shared library in the Hadoop distribution, then Hadoop will try to find the crypto library in the system path when running.
> But in a real Linux distribution, there may be no {{libcrypto.so.1.0.0}} or {{libcrypto.so}} even if the system's embedded openssl is 1.0.1(x).  Then we need to make a symbolic link.
> This JIRA is to improve the Openssl library finding.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
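
The comment above relies on an unsuffixed `libcrypto.so` being present, either from a devel package or from a hand-made symlink in the Hadoop library path. The following is an added example, not part of the patch or of Hadoop: a shell check that reports whether that name resolves in a given directory. The function name `check_libcrypto` and the temporary directory are assumptions made for illustration, and the sample files are constructed.

```shell
#!/bin/sh
# Added example (not from HADOOP-11216): classify the unsuffixed libcrypto.so
# in a directory. Prints one of:
#   ok:<resolved file name>   the name resolves to a real file
#   dangling                  a symlink exists but its target is gone
#   missing:<candidates>      no unsuffixed name; lists versioned files found
check_libcrypto() {
    dir=$1
    link="$dir/libcrypto.so"
    if [ -e "$link" ]; then
        # -e follows symlinks, so the loader would find a real file here.
        target=$(readlink -f "$link")
        printf 'ok:%s\n' "${target##*/}"
        return 0
    fi
    if [ -L "$link" ]; then
        # The symlink itself exists, but -e failed: its target is missing.
        printf 'dangling\n'
        return 1
    fi
    # No unsuffixed name at all: list the suffixed files a symlink could use.
    candidates=
    for f in "$dir"/libcrypto.so.*; do
        [ -e "$f" ] || continue
        candidates="${candidates:+$candidates,}${f##*/}"
    done
    printf 'missing:%s\n' "${candidates:-none}"
    return 2
}

# Constructed sample: a custom install that only ships the suffixed name.
demo_dir=$(mktemp -d)
: > "$demo_dir/libcrypto.so.1.0.0"
check_libcrypto "$demo_dir" || true      # missing:libcrypto.so.1.0.0
ln -s libcrypto.so.1.0.0 "$demo_dir/libcrypto.so"
check_libcrypto "$demo_dir" || true      # ok:libcrypto.so.1.0.0
rm -rf "$demo_dir"
```

The `dangling` case is the one to watch after an openssl upgrade replaces the versioned file that a manually created symlink pointed at.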
