From 89d140371d2d8ee4f6a723949acd165daae84c67 Mon Sep 17 00:00:00 2001 From: Josh Cooper Date: Mon, 6 May 2024 16:53:22 -0700 Subject: [PATCH] (PA-6387) Don't compile against openssl from homebrew Previously, curl 8 on macOS 11 & 12 ARM failed to run: # /opt/puppetlabs/puppet/bin/curl --version dyld[3871]: symbol not found in flat namespace (_SSL_get0_group_name) This occurred because we cross-compiled curl (and other components) using headers from homebrew's openssl 3.3.0. But at runtime, we loaded the libssl.dylib shared library that we built from openssl 3.0.13. Due to the version mismatch between headers and libraries, curl tried to call the SSL_get0_group_name function that only exists in openssl 3.2 and up. This commit removes the homebrew symlinks for openssl and libyaml so that they are not visible to our build process. Some background about why this only affects cross compiled macOS builds. In order to cross-compile ruby 3.2 on ARM, we have to install ruby 3.2 Intel and use that as the base ruby, see notes/cross-compiling.md for details. On macOS, we use homebrew to install build dependencies. Homebrew's ruby@3.2 package depends on openssl@3[1], which is currently 3.3.0[2]. When homebrew installs packages, it creates symlinks in the /usr/local directory: # ls -l /usr/local/include/openssl ... /usr/local/include/openssl -> ../Cellar/openssl@3/3.3.0/include/openssl On macOS, we compile using clang, which uses the following search path for headers: # gcc -v main.c Apple clang version 13.0.0 (clang-1300.0.27.3) ... #include <...> search starts here: /usr/local/include /Library/Developer/CommandLineTools/usr/lib/clang/13.0.0/include /Library/Developer/CommandLineTools/SDKs/MacOSX12.1.sdk/usr/include /Library/Developer/CommandLineTools/usr/include /Library/Developer/CommandLineTools/SDKs/MacOSX12.1.sdk/System/Library/Frameworks (framework directory) End of search list. Since /usr/local/include is the first directory, we are mistakenly compiling against homebrew's openssl. However, it wasn't an issue until we bumped to curl 8, because the conditional calls SSL_get0_group_name doesn't exist in curl 7[3] [1] https://github.com/Homebrew/homebrew-core/blob/6fd6f60a799501e7c093b695cc830a8708bd1c14/Formula/r/ruby%403.2.rb#L30 [2] https://github.com/Homebrew/homebrew-core/blob/6fd6f60a799501e7c093b695cc830a8708bd1c14/Formula/o/openssl%403.rb#L4 [3] https://github.com/curl/curl/blob/7490d5488e0e7835199285b0568a1c2e0d51b6a9/lib/vtls/openssl.c#L4295-L4296 --- configs/components/runtime-agent.rb | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/configs/components/runtime-agent.rb b/configs/components/runtime-agent.rb index 7f9e96214..4bf916115 100644 --- a/configs/components/runtime-agent.rb +++ b/configs/components/runtime-agent.rb @@ -13,6 +13,14 @@ "zypper install -y pl-gcc8" end end + elsif platform.is_macos? && platform.is_cross_compiled? + if settings[:ruby_version] =~ /^3\./ + pkg.install do + # These are dependencies of ruby@3.x, remove symlinks from /usr/local + # so our build doesn't use the wrong headers + "cd /etc/homebrew && su test -c '#{platform.brew} unlink openssl libyaml'" + end + end end if platform.is_cross_compiled?