OpenEmbedded (core) build: "...ca-certificates_20150426.bb, do_install) failed with exit code '1'"

lmoellendorf · September 9, 2016, 7:52am

The build of the angstrom-lxde-image as descibed here fails with the following error:

DEBUG: Executing shell function do_install
NOTE: make -j 4 CERTSDIR=/local/home/user/3rdparty/toradex/oe-core/build/out-glibc/sysroots/x86_64-linux/usr/share/ca-certificates SBINDIR=/local/home/user/3rdparty/toradex/oe-core/build/out-glibc/sysroots/x86_64-linux/usr/sbin DESTDIR=/local/home/user/3rdparty/toradex/oe-core/build/out-glibc/work/x86_64-linux/ca-certificates-native/20150426-r0/image install
for dir in mozilla spi-inc.org; do \
  mkdir /local/home/user/3rdparty/toradex/oe-core/build/out-glibc/work/x86_64-linux/ca-certificates-native/20150426-r0/image//local/home/user/3rdparty/toradex/oe-core/build/out-glibc/sysroots/x86_64-linux/usr/share/ca-certificates/$dir; \
  make -C $dir install CERTSDIR=/local/home/user/3rdparty/toradex/oe-core/build/out-glibc/work/x86_64-linux/ca-certificates-native/20150426-r0/image//local/home/user/3rdparty/toradex/oe-core/build/out-glibc/sysroots/x86_64-linux/usr/share/ca-certificates/$dir; \
done
make[1]: Entering directory '/local/home/user/3rdparty/toradex/oe-core/build/out-glibc/work/x86_64-linux/ca-certificates-native/20150426-r0/git/mozilla'
for p in *.crt; do \
 install -m 644 $p /local/home/user/3rdparty/toradex/oe-core/build/out-glibc/work/x86_64-linux/ca-certificates-native/20150426-r0/image//local/home/user/3rdparty/toradex/oe-core/build/out-glibc/sysroots/x86_64-linux/usr/share/ca-certificates/mozilla/$p ; \
done
make[1]: Leaving directory '/local/home/user/3rdparty/toradex/oe-core/build/out-glibc/work/x86_64-linux/ca-certificates-native/20150426-r0/git/mozilla'
make[1]: Entering directory '/local/home/user/3rdparty/toradex/oe-core/build/out-glibc/work/x86_64-linux/ca-certificates-native/20150426-r0/git/spi-inc.org'
for p in *.crt; do \
 install -m 644 $p /local/home/user/3rdparty/toradex/oe-core/build/out-glibc/work/x86_64-linux/ca-certificates-native/20150426-r0/image//local/home/user/3rdparty/toradex/oe-core/build/out-glibc/sysroots/x86_64-linux/usr/share/ca-certificates/spi-inc.org/$p ; \
done
make[1]: Leaving directory '/local/home/user/3rdparty/toradex/oe-core/build/out-glibc/work/x86_64-linux/ca-certificates-native/20150426-r0/git/spi-inc.org'
for dir in sbin; do \
  make -C $dir install CERTSDIR=/local/home/user/3rdparty/toradex/oe-core/build/out-glibc/work/x86_64-linux/ca-certificates-native/20150426-r0/image//local/home/user/3rdparty/toradex/oe-core/build/out-glibc/sysroots/x86_64-linux/usr/share/ca-certificates/$dir; \
done
make[1]: Entering directory '/local/home/user/3rdparty/toradex/oe-core/build/out-glibc/work/x86_64-linux/ca-certificates-native/20150426-r0/git/sbin'
install -d /local/home/user/3rdparty/toradex/oe-core/build/out-glibc/work/x86_64-linux/ca-certificates-native/20150426-r0/image/local/home/user/3rdparty/toradex/oe-core/build/out-glibc/sysroots/x86_64-linux/usr/sbin
install -m755 update-ca-certificates /local/home/user/3rdparty/toradex/oe-core/build/out-glibc/work/x86_64-linux/ca-certificates-native/20150426-r0/image/local/home/user/3rdparty/toradex/oe-core/build/out-glibc/sysroots/x86_64-linux/usr/sbin/
make[1]: Leaving directory '/local/home/user/3rdparty/toradex/oe-core/build/out-glibc/work/x86_64-linux/ca-certificates-native/20150426-r0/git/sbin'
Updating certificates in /local/home/user/3rdparty/toradex/oe-core/build/out-glibc/work/x86_64-linux/ca-certificates-native/20150426-r0/image/local/home/user/3rdparty/toradex/oe-core/build/out-glibc/sysroots/x86_64-linux/etc/ssl/certs...
WARNING: /local/home/user/3rdparty/toradex/oe-core/build/out-glibc/work/x86_64-linux/ca-certificates-native/20150426-r0/temp/run.do_install.26760:1 exit 1 from
  SYSROOT="/local/home/user/3rdparty/toradex/oe-core/build/out-glibc/work/x86_64-linux/ca-certificates-native/20150426-r0/image/local/home/user/3rdparty/toradex/oe-core/build/out-glibc/sysroots/x86_64-linux" /local/home/user/3rdparty/toradex/oe-core/build/out-glibc/work/x86_64-linux/ca-certificates-native/20150426-r0/image/local/home/user/3rdparty/toradex/oe-core/build/out-glibc/sysroots/x86_64-linux/usr/sbin/update-ca-certificates
ERROR: Function failed: do_install (log file is located at /local/home/user/3rdparty/toradex/oe-core/build/out-glibc/work/x86_64-linux/ca-certificates-native/20150426-r0/temp/log.do_install.26760)

It seems like there is a faulty concatenation of several directory paths, e.g. line 4:

  mkdir /local/home/user/3rdparty/toradex/oe-core/build/out-glibc/work/x86_64-linux/ca-certificates-native/20150426-r0/image//local/home/user/3rdparty/toradex/oe-core/build/out-glibc/sysroots/x86_64-linux/usr/share/ca-certificates/$dir; \

There should be a whitespace between the slashes in “…image//local”. And my guess is that “$dir” should have been expanded.

max.tx · September 9, 2016, 9:42am

Hi

It seems like there is a faulty concatenation of several directory paths,
This is not the reason for your error. Bitbake installs into the “image” directory.
‘image’ then has a subdirectory tree as it will be in the final target.

The error occurs when calling executing a script:

WARNING: /local/home/user/3rdparty/toradex/oe-core/build/out-glibc/work/x86_64-linux/ca-certificates-native/20150426-r0/temp/run.do_install.26760:1 exit 1 from   SYSROOT="/local/home/user/3rdparty/toradex/oe-core/build/out-glibc/work/x86_64-linux/ca-certificates-native/20150426-r0/image/local/home/user/3rdparty/toradex/oe-core/build/out-glibc/sysroots/x86_64-linux" /local/home/user/3rdparty/toradex/oe-core/build/out-glibc/work/x86_64-linux/ca-certificates-native/20150426-r0/image/local/home/user/3rdparty/toradex/oe-core/build/out-glibc/sysroots/x86_64-linux/usr/sbin/update-ca-certificates

However I have no idea why.
Could you try to debug in the devshell:

bitbake ca-certificates-native -fc install
bitbake ca-certificates-native -fc devshell

and then execute the script manually:

SYSROOT="/local/home/user/3rdparty/toradex/oe-core/build/out-glibc/work/x86_64-linux/ca-certificates-native/20150426-r0/image/local/home/user/3rdparty/toradex/oe-core/build/out-glibc/sysroots/x86_64-linux" /local/home/user/3rdparty/toradex/oe-core/build/out-glibc/work/x86_64-linux/ca-certificates-native/20150426-r0/image/local/home/user/3rdparty/toradex/oe-core/build/out-glibc/sysroots/x86_64-linux/usr/sbin/update-ca-certificates

And report the output here?

In one of my working! installations that looks as follows

> SYSROOT=".../work/x86_64-linux/ca-certificates-native/20150426-r0/image/.../build/out-glibc/sysroots/x86_64-linux" .../work/x86_64-linux/ca-certificates-native/20150426-r0/image/.../build/out-glibc/sysroots/x86_64-linux/usr/sbin/update-ca-certificates
Updating certificates in .../work/x86_64-linux/ca-certificates-native/20150426-r0/image/.../build/out-glibc/sysroots/x86_64-linux/etc/ssl/certs...
177 added, 0 removed; done.
Running hooks in .../work/x86_64-linux/ca-certificates-native/20150426-r0/image/.../build/out-glibc/sysroots/x86_64-linux/etc/ca-certificates/update.d...
.../work/x86_64-linux/ca-certificates-native/20150426-r0/image/.../build/out-glibc/sysroots/x86_64-linux/usr/sbin/update-ca-certificates: line 227: run-parts: command not found
done.

Max

lmoellendorf · September 9, 2016, 11:14am

First of all, I am new to openembedded. I executed the 2 bitbake commands in

/local/home/user/3rdparty/toradex/oe-core/build/

The second command opens a tmux pane in

/local/home/user/3rdparty/toradex/oe-core/build/out-glibc/work/x86_64-linux/ca-certificates-native/20150426-r0/git

There I execute this command

SYSROOT="/local/home/user/3rdparty/toradex/oe-core/build/out-glibc/work/x86_64-linux/ca-certificates-native/20150426-r0/image/local/home/user/3rdparty/toradex/oe-core/build/out-glibc/sysroots/x86_64-linux" /local/home/user/3rdparty/toradex/oe-core/build/out-glibc/work/x86_64-linux/ca-certificates-native/20150426-r0/image/local/home/user/3rdparty/toradex/oe-core/build/out-glibc/sysroots/x86_64-linux/usr/sbin/update-ca-certificates

This is the output:

Updating certificates in /local/home/user/3rdparty/toradex/oe-core/build/out-glibc/work/x86_64-linux/ca-certificates-native/20150426-r0/image/local/home/user/3rdparty/toradex/oe-core/build/out-glibc/sysroots/x86_64-linux/etc/ssl/certs...

max.tx · September 9, 2016, 12:13pm

Can you try again, but before executing the command edit update-ca-certificates first line to no longer have the -e?

#!/bin/sh -e -> #!/bin/sh

With -e the command seems to silently fail which isn’t very helpful.

Max

lmoellendorf · September 9, 2016, 12:48pm

SYSROOT="/local/home/user/3rdparty/toradex/oe-core/build/out-glibc/work/x86_64-linux/ca-certificates-native/20150426-r0/image/local/home/user/3rdparty/toradex/oe-core/build/out-glibc/sysroots/x86_64-linux" /local/home/user/3rdparty/toradex/oe-core/build/out-glibc/work/x86_64-linuxertificates-native/20150426-r0/image/local/home/user/3rdparty/toradex/oe-core/build/out-glibc/sysroots/x86_64-linux/usr/sbin/update-ca-certificates
Updating certificates in /local/home/user/3rdparty/toradex/oe-core/build/out-glibc/work/x86_64-linux/ca-certificates-native/20150426-r0/image/local/home/user/3rdparty/toradex/oe-core/build/out-glibc/sysroots/x86_64-linux/etc/ssl/certs...
6 added, 0 removed; done.
Running hooks in /local/home/user/3rdparty/toradex/oe-core/build/out-glibc/work/x86_64-linux/ca-certificates-native/20150426-r0/image/local/home/user/3rdparty/toradex/oe-core/build/out-glibc/sysroots/x86_64-linux/etc/ca-certificates/update.d...
done.

stefan.tx · September 9, 2016, 4:40pm

Maybe a missing dependency as described here?

Does it help if you execute this first?

bitbake openssl-native

stefan.tx · September 9, 2016, 4:43pm

What host system/version do you use?

lmoellendorf · September 13, 2016, 6:55am

bitbake openssl-native
Loading cache: 100% |#################################################################################| ETA:  00:00:00
Loaded 3075 entries from dependency cache.
NOTE: Resolving any missing task queue dependencies

Build Configuration:
BB_VERSION        = "1.28.0"
BUILD_SYS         = "x86_64-linux"
NATIVELSBSTRING   = "Gentoo"
TARGET_SYS        = "arm-angstrom-linux-gnueabi"
MACHINE           = "colibri-t30"
DISTRO            = "angstrom"
DISTRO_VERSION    = "v2015.12"
TUNE_FEATURES     = "arm armv7a vfp thumb neon callconvention-hard"
TARGET_FPU        = "vfp-neon"
meta-angstrom     = "HEAD:85ac035eabb11d57467c58c18d9e5627a1f6fc9e"
meta-toradex      = "HEAD:485643678b2d39d37b1cc9d1aa2200bb934b08de"
meta-linaro-toolchain = "HEAD:7390e4fd59f547f83efe128cb7040ad7c2da0d40"
meta-oe
meta-efl
meta-gpe
meta-gnome
meta-xfce
meta-initramfs
meta-systemd
meta-networking
meta-multimedia
meta-python       = "HEAD:8ab04afbffb4bc5184cfe0655049de6f44269990"
meta-lxde         = "HEAD:59eae5a746ef6cb150bef2a03254d086f2eae0fb"
meta-browser      = "HEAD:e114d625d4bd23a52cc1108a45d96ffd8dc0ab7f"
meta-fsl-arm      = "HEAD:c9e576bdae8c481f5a836531c7865fe8b8a5a36f"
meta-fsl-arm-extra = "HEAD:dd074c47af53948041f6c5671e519fbf815b0980"
meta-fsl-demos    = "HEAD:8bffde8d803dd2362fbded79781ce084d723b048"
meta-jetson-tk1   = "HEAD:400dae80d29bb45b4886cf7f048c6f7b12cb0b01"
meta-qt5          = "HEAD:ea37a0bc987aa9484937ad68f762b4657c198617"
meta              = "HEAD:1f4bfa33073584c25396d74f3929f263f3df188b"

NOTE: Preparing RunQueue
NOTE: Executing SetScene Tasks
NOTE: Executing RunQueue Tasks
NOTE: Tasks Summary: Attempted 101 tasks of which 101 didn't need to be rerun and all succeeded.
NOTE: Writing buildhistory

lmoellendorf · September 13, 2016, 6:56am

uname -a
Linux lmo-gentoo 4.4.6-gentoo #1 SMP Sun Jul 24 22:40:32 CEST 2016 x86_64 Intel(R) Core(TM) i7-6820HQ CPU @ 2.70GHz GenuineIntel GNU/Linux

max.tx · September 13, 2016, 1:14pm

Still not output pointing to the error.

Are you using an unusual shell?
e.g. what is the output of
echo $SHELL

Could you try again, this time with -ex, so it prints each command before executing it and will stop the script when a command returns with something other than 0.

#!/bin/sh -e -> #!/bin/sh -ex

max.tx · September 13, 2016, 1:17pm

Hi Stefan

I think this is relevant only in krogoth and later, e.g. after this patch no longer gets applied.

Max

lmoellendorf · September 16, 2016, 7:10am

Attached the output of update-ca-certificates with #!/bin/sh -ex

I am using bash:

echo $SHELL
/bin/bash

EDIT: Please note, I changed the working directory to /oe and re-started with an empty /oe/build directory

lmoellendorf · September 19, 2016, 1:51pm

Nevermind, I just setup a VM with Ubuntu Server 16.04. Now the build fails with other errors - I will open a new thread for those.

In Prerequisites for Ubuntu you should add:

sudo apt install build-essential

max.tx · September 20, 2016, 7:33am

@lmoellendorf
Note that Prerequisites chapter points to Openembedded’s getting started which tells you what to install, including build-essential. Whatever is on our page is for additional stuff because we want to build some 32 bit x86 binaries used for our deployment process.

lmoellendorf · September 20, 2016, 11:50am

Thank you, I missed that this time. This solved Issue 5522

lmoellendorf · November 14, 2016, 1:31pm

I found the solution:

I changed #!/bin/sh -e to #!/bin/sh -ex and commented out trap cleanup 0 in update-ca-certificates. Then I got this error:

...
+ mv -f /tmp/ca-certificates.crt.tmp.0ZHoY0 ca-certificates.crt
+ '[' -x /sbin/restorecon ']'
+ /sbin/restorecon ca-certificates.crt

So I changed

[ -x /sbin/restorecon ] && /sbin/restorecon "$CERTBUNDLE" >/dev/null 2>&1

to [ -x /sbin/restorecon ] && /sbin/restorecon "$CERTBUNDLE"

and got

+ mv -f /tmp/ca-certificates.crt.tmp.0ZHoY0 ca-certificates.crt
+ '[' -x /sbin/restorecon ']'
+ /sbin/restorecon ca-certificates.crt
No such file or directory

I checked if the file ca-certificates.crt exists and if the pwd is correct by adding some debugging echo statements to update-ca-certificates:

+ chmod 0644 /tmp/ca-certificates.crt.tmp.Lg1qLA
+ echo 'DEBUG: TEMPBUNDLE is'
DEBUG: TEMPBUNDLE is
+ ls -al /tmp/ca-certificates.crt.tmp.Lg1qLA
-rw-r--r-- 1 oe domain users 282094 Nov 11 10:28 /tmp/ca-certificates.crt.tmp.Lg1qLA
+ mv /tmp/ca-certificates.crt.tmp.Lg1qLA ca-certificates.crt
+ echo 'DEBUG: CERTBUNDLE is'
DEBUG: CERTBUNDLE is
+ ls -al ca-certificates.crt
-rw-r--r-- 1 oe domain users 282094 Nov 11 10:28 ca-certificates.crt
+ echo 'DEBUG: pwd is'
DEBUG: pwd is
+ pwd
/local/home/oe/oe-core/build/tmp-glibc/work/x86_64-linux/ca-certificates-native/20150426-r0/image/local/home/oe/oe-core/build/tmp-glibc/sysroots/x86_64-linux/etc/ssl/certs
+ '[' -x /sbin/restorecon ']'
+ /sbin/restorecon ca-certificates.crt
No such file or directory

I called strace -f /sbin/restorecon ca-certificates.crt:

...
open("/etc/selinux/config", O_RDONLY)   = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=631, ...}) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f9e04a8e000
read(3, "# This file controls the state o"..., 4096) = 631
read(3, "", 4096)                       = 0
close(3)                                = 0
munmap(0x7f9e04a8e000, 4096)            = 0
futex(0x7f9e0486d830, FUTEX_WAKE_PRIVATE, 2147483647) = 0
open("/etc/selinux/strict/contexts/files/file_contexts.subs_dist", O_RDONLY) = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=298, ...}) = 0
fstat(3, {st_mode=S_IFREG|0644, st_size=298, ...}) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f9e04a8e000
read(3, "/etc/init.d /etc/rc.d/init.d\n/li"..., 4096) = 298
read(3, "", 4096)                       = 0
close(3)                                = 0
munmap(0x7f9e04a8e000, 4096)            = 0
open("/etc/selinux/strict/contexts/files/file_contexts.subs", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/etc/selinux/strict/contexts/files/file_contexts", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/etc/selinux/strict/contexts/files/file_contexts.bin", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
dup(2)                                  = 3
fcntl(3, F_GETFL)                       = 0x8002 (flags O_RDWR|O_LARGEFILE)
fstat(3, {st_mode=S_IFCHR|0620, st_rdev=makedev(136, 5), ...}) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f9e04a8e000
write(3, "No such file or directory\n", 26No such file or directory
) = 26
close(3)                                = 0
munmap(0x7f9e04a8e000, 4096)            = 0
exit_group(1)                           = ?
+++ exited with 1 +++

The problem is that /sbin/restorecon exists on my system but SELinux has never been set up and is not active. The reason this tool exists on my system is that it is part of the package sys-apps/policycoreutils.
This package has been pulled in by installing sys-auth/sssd, but not as a direct dependency (selinux USE flag is not set), but as a indirect dependency (unconfined USE flag is set by default).

equery depends -D sys-apps/policycoreutils
 * These packages depend on sys-apps/policycoreutils:
sec-policy/selinux-base-2.20161023-r1 (>=sys-apps/policycoreutils-2.3)
 sec-policy/selinux-base-policy-2.20161023-r1 (=sec-policy/selinux-base-2.20161023-r1[systemd?])
  sec-policy/selinux-unconfined-2.20151208-r4 (>=sec-policy/selinux-base-policy-2.20151208-r4)
   sec-policy/selinux-base-policy-2.20161023-r1 (unconfined ? sec-policy/selinux-unconfined)

To cut a long story short: I properly configured SELinux on my Gentoo, so /sbin/restorecon works as expected.

Alternatively, I could have disabled the unconfined USE flag to get rid of SELinux entirely.