Uploaded image for project: 'MongoDB Shell'
  1. MongoDB Shell
  2. MONGOSH-1628

Statically linking kerberos leads to OpenSSL version conflict on RHEL8 distros

    • Type: Icon: Bug Bug
    • Resolution: Fixed
    • Priority: Icon: Major - P3 Major - P3
    • 2.1.1
    • Affects Version/s: None
    • Component/s: CLI Module, Connectivity
    • None
    • Environment:
      OS: RHEL8
      Additional info:
    • 3
    • Not Needed
    • Iteration Pterodactyl

      Problem Statement/Rationale

      mongosh statically links OpenSSL. This conflicts with a potential transitive OpenSSL dependency in libraries that mongosh depends on, such as kerberos, which happens to depend on the system OpenSSL installation in RHEL8/9-based operating systems.

      Steps to Reproduce

      Apply https://gist.github.com/addaleax/2427e73e5306aae189005344d13b120e to mongosh, then run the connectivity test suite.

      Expected Results

      Successful tests.

      Actual Results

      Segmentation faults. Stack trace from the original user report: https://gist.github.com/addaleax/d3680ffd4e21cd6e104095da89b95c21

      Additional Notes

      ldd -v /usr/bin/mongosh output: https://gist.github.com/addaleax/12f744be7030aacafc5dc13afa1b9836

      This seems relatively high-priority, because:

      • It results in crashes without any helpful information for the user
      • It can lead to arbitrary memory corruption in mongosh processes.
        The only reason I’m not opening this as P2 is that it has a reliable and safe workaround (namely, using the shared-OpenSSL binaries).

      Unfortunately, fixing this is not trivial. Possible approaches would be to:

      • Stop statically linking the Node.js kerberos addon. This breaks with our goal to provide a single-binary experience for mongosh users.
      • Adjust the Node.js kerberos addon to (enable) loading kerberos functions at runtime. This adds a bit of complexity to the Node.js addon, but removes kerberos as a hard runtime dependency for mongosh.
      • Disable kerberos as a feature in static-OpenSSL builds of mongosh.
      • …?

            Assignee:
            anna.henningsen@mongodb.com Anna Henningsen
            Reporter:
            anna.henningsen@mongodb.com Anna Henningsen
            Votes:
            0 Vote for this issue
            Watchers:
            4 Start watching this issue

              Created:
              Updated:
              Resolved: