[Release 3.1] | Address Shim gss api on Linux to delay loading libgssapi_krb5.so while using Net6 #43133
Conversation
|
linking dotnet/SqlClient#1390 |
I thought System.Data.SqlClient was removed from runtime after 3.1 and this was the last servicing branch that would contain it. This is where we've backported all SDS fixes in the past: Service releases of SDS from this 3.1 branch rely on continued backwards compatibility in .NET 5+. |
|
My assumption was that the fix needed to be in the libraries themselves. It is possible I didn't think about this clearly (moving too fast). Let's discuss in dotnet/runtime#65469 |
|
You might be right. I didn't realize the code change was not in a SqlClient-specific file. There is probably a nuance I'm missing, too. |
|
@David-Engel @danmoseley the branch is open for servicing changes. What should we do about this PR? |
System.Data.SqlClient still needs the fix. But I think the PR needs to be updated. From jkotas' comment:
@JRahnama It sounds like the fix needs to be moved into an appropriate file that only affects System.Data.SqlClient. |
|
This PR needs changes and needs tactics approval before merging. |
ericstj
added
the
* NO MERGE *
David-Engel
requested review from
danmoseley,
jkotas,
ericstj,
carlossanlop and
saurabh500
@ericstj @danmoseley - Changes have been made. What's involved with getting tactics approval for this? We have one PR approval from Jan. Do we need any others? |
...ent/src/Common/Interop/Unix/System.Net.Security.Native/Interop.NetSecurityNative.Extended.cs
Show resolved
Hide resolved
Once it's ready for approval you need to add the |
|
/azp run |
Some history here: we had set the precedent in 1.x that packages would be maintained in |
Where are we moving the ASP.NET relevant bits from 2.1? I am wondering whether we need to have dotnet/runtime-graveyard repo for packages that are in a perpetual servicing-only mode and that does not really make sense to carry in dotnet/runtime. |
There was a problem hiding this comment.
I share in the upset that a NuGet package is depending directly on an inbox shim, but this isn't introducing the problem.
NetSecurityNative_EnsureGssInitialized looks like it is, observationally, idempotent. So, the initializer being called twice won't break things. (It doesn't have the possibility of any fn_ptr being temporarily reassigned to nullptr that the crypto shim had at one point)
|
@JRahnama @DavoudEshtehari please add the OOB package authoring changes so this can merge. I think none of the test failures are related, but can you please also double check? |
I am not sure if I know what to do to accomplish this. Can you explain a bit more please?
The code is inside corefx and as far as I was able to see nothing was related to this change. |
|
@carlossanlop I added required OOB for System.Data.SqlClient. |
|
Can someone signoff on the packaging change? |
There was a problem hiding this comment.
@JRahnama the changes are incomplete. You also need to:
- Bump the "StableVersions" number for Microsoft.Windows.Compatibility in packageIndex.json, line 430. Do not bump the "BaselineVersion" under it.
- Bump the "PackageVersion" and "ServiceModelVersion" numbers in Microsoft.Windows.Compatibility.pkgproj.
- Bump "PackageVersion" and "AssemblyVersion" in src/System.Data.SqlClient/Directory.Build.props.
- Add the two project includes in src/package.builds.
Basically, make sure to match the same changes that were made in the old PR.
pkg/Microsoft.Windows.Compatibility/Microsoft.Windows.Compatibility.pkgproj
Show resolved
Hide resolved
|
ok, thanks for pointing out the missing parts. I have updated them now. |
|
This was probably mentioned already, but do we expect to push this out aligned with core .NET bits (presumably Nov 8th at this point) or just push out on its own? I assume the latter? |
|
Test failures are (of course) unrelated. Some bit rot in unrelated tests, not worth fixing at this point. |
We have no preference on this item. Whatever is more convenient for the servicing process. |
|
@JRahnama @David-Engel there is still one more question that needs an answer. I unresolved it. |
@carlossanlop |
|
Thanks @ericstj. Merging. |
|
Do we need to do anything particular to ship this now, or does it "join the flow"? (I feel a moral obligation to ensure we don't trip over ourselves somehow since I am partially responsible for the delays here earlier in the year!) |
|
@carlossanlop curious about the q above? |
| @@ -16,6 +16,12 @@ | |||
| <Project Include="*\pkg\**\*.pkgproj" Condition="'$(BuildAllConfigurations)' == 'true' OR '$(DotNetBuildFromSource)' == 'true'"> | |||
| <AdditionalProperties>$(AdditionalProperties)</AdditionalProperties> | |||
| </Project> | |||
| <Project Include="$(MSBuildThisFileDirectory)System.Data.SqlClient\pkg\System.Data.SqlClient.pkgproj"> | |||
There was a problem hiding this comment.
These changes were made in the wrong ItemGroup, they should have instead been made in the one bellow which is the one used for servicing.
Lines 27 to 35 in c6f58cb
The result is that these two packages are not going to be built as part of the official build, so in order for the packages to get serviced that will need to be fixed.
|
@joperezr if I make a new PR right now and move those newly added projects to the below |
|
No, it's infra only, we can take it without requesting additional Tactics approval. |
|
FYI 4.8.4 has been published, which includes this fix: https://www.nuget.org/packages/System.Data.SqlClient/4.8.4 |
Ports dotnet/sqlclient#1411 to add shim gss api on Linux following changes in dotnet/runtime#55037
Summary
When working with Kerberos authentication on Unix with recent changes in Net6 users fail to get a connection from Sql server. There is no exception thrown as well. It just crashes.
Customer Impact
This will prevent users from upgrading to Net6 while using Kerberos authentication in Unix.
Testing
Adding tests require some special setup on CI pipelines to install Net6 TFS and enabled Kerberos authentication.
cc: @danmoseley @saurabh500 @David-Engel