Skip to content

Commit

Permalink
(PA-6387) Don't compile against openssl from homebrew
Browse files Browse the repository at this point in the history 
Previously, curl 8 on macOS 11 & 12 ARM failed to run:

   # /opt/puppetlabs/puppet/bin/curl --version
   dyld[3871]: symbol not found in flat namespace (_SSL_get0_group_name)

This occurred because we cross-compiled curl (and other components) using
headers from homebrew's openssl 3.3.0. But at runtime, we loaded the
libssl.dylib shared library that we built from openssl 3.0.13. Due to the
version mismatch between headers and libraries, curl tried to call the
SSL_get0_group_name function that only exists in openssl 3.2 and up.

This commit removes the homebrew symlinks for openssl and libyaml so that they
are not visible to our build process.

Some background about why this only affects cross compiled macOS builds. In
order to cross-compile ruby 3.2 on ARM, we have to install ruby 3.2 Intel and
use that as the base ruby, see notes/cross-compiling.md for details.

On macOS, we use homebrew to install build dependencies. Homebrew's [email protected]
package depends on openssl@3[1], which is currently 3.3.0[2]. When homebrew
installs packages, it creates symlinks in the /usr/local directory:

    # ls -l /usr/local/include/openssl
    ... /usr/local/include/openssl -> ../Cellar/openssl@3/3.3.0/include/openssl

On macOS, we compile using clang, which uses the following search path for
headers:

    # gcc -v main.c
    Apple clang version 13.0.0 (clang-1300.0.27.3)
    ...
    #include <...> search starts here:
    /usr/local/include
    /Library/Developer/CommandLineTools/usr/lib/clang/13.0.0/include
    /Library/Developer/CommandLineTools/SDKs/MacOSX12.1.sdk/usr/include
    /Library/Developer/CommandLineTools/usr/include
    /Library/Developer/CommandLineTools/SDKs/MacOSX12.1.sdk/System/Library/Frameworks (framework directory)
    End of search list.

Since /usr/local/include is the first directory, we are mistakenly compiling
against homebrew's openssl.

However, it wasn't an issue until we bumped to curl 8, because the conditional
calls SSL_get0_group_name doesn't exist in curl 7[3]

[1] https://github.com/Homebrew/homebrew-core/blob/6fd6f60a799501e7c093b695cc830a8708bd1c14/Formula/r/ruby%403.2.rb#L30
[2] https://github.com/Homebrew/homebrew-core/blob/6fd6f60a799501e7c093b695cc830a8708bd1c14/Formula/o/openssl%403.rb#L4
[3] https://github.com/curl/curl/blob/7490d5488e0e7835199285b0568a1c2e0d51b6a9/lib/vtls/openssl.c#L4295-L4296
  • Loading branch information
@joshcooper
joshcooper committed May 7, 2024
1 parent 0640aa8 commit 89d1403
Showing 1 changed file with 8 additions and 0 deletions.
8 changes: 8 additions & 0 deletions configs/components/runtime-agent.rb
View file
Original file line number Diff line number Diff line change
Expand Up @@ -13,6 +13,14 @@
"zypper install -y pl-gcc8"
end
end
elsif platform.is_macos? && platform.is_cross_compiled?
if settings[:ruby_version] =~ /^3\./
pkg.install do
# These are dependencies of [email protected], remove symlinks from /usr/local
# so our build doesn't use the wrong headers
"cd /etc/homebrew && su test -c '#{platform.brew} unlink openssl libyaml'"
end
end
end

if platform.is_cross_compiled?
Expand Down

0 comments on commit 89d1403

Please sign in to comment.