On Fri, Feb 07, 2014 at 07:23:42PM +0100, Lukas Tribus wrote:
> Hi,
>
> >
> > Not a problem ... our Head of IS did a detailed write up on our
> > investigation process and findings at his blog if you are interested:
> >
> > http://blog.tinola.com/?e=36
>
> Thanks, that's really interesting and very detailed.

Indeed.

> Someone from RedHat really should take a look at this. Most likely
> EAI_NODATA is not defined in the libc, that's why upgrading libc
> helps and upgrading libkrb5 doesn't. So the real problem is that
> getaddrinfo() returns an error code unknown to the libc (other
> applications than libkrb5 may suffer from problems as well; although
> they probably don't abort()).

I've passed along the information to the appropriate people.
Interesting that it is fixed in CentOS 6.5, would be great to know how
it was fixed. I took a quick look at krb5-libs and glibc and nothing
jumped out at me.

Ryan

> Looks like EAI_NODATA is deprecated, and it's already removed from
> freebsd for example, in favor of EAI_NONAME [1].
>
>
> As for the workaround: you should be able to disable the kerberos
> ciphers in HAproxy configuration, so that you can continue to run
> it in chroot. Or maybe compiling with -DEAI_NODATA=EAI_NONAME would
> help?
>
> What are those ciphers anyway (openssl ciphers -v 'LOW')? I don't
> seem to have them here on ubuntu ...
>
>
>
> [1] http://krbdev.mit.edu/rt/Ticket/History.html?id=5518
>
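The failure mode discussed in this thread, a getaddrinfo() error code that the code handling it does not know, can be contained on the calling side. The following is an added example, not code from the thread, libkrb5 or glibc; classify_gai, nodata_code, lookup_numeric and the resolve_result values are hypothetical names.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200112L  /* expose getaddrinfo() under strict -std= modes */
#endif
#include <string.h>
#include <sys/socket.h>
#include <netdb.h>

/* Hypothetical result classes for this example. */
enum resolve_result { RESOLVE_OK, RESOLVE_NOT_FOUND, RESOLVE_TEMPORARY, RESOLVE_FAILED };

/* Map a getaddrinfo() return code to a result class. Codes this build does
 * not know land in RESOLVE_FAILED, so the caller never has to abort(). */
enum resolve_result classify_gai(int rc)
{
    switch (rc) {
    case 0:          return RESOLVE_OK;
    case EAI_NONAME:
/* Deprecated code, handled only where the headers define it. The value check
 * avoids a duplicate case label in a -DEAI_NODATA=EAI_NONAME build. */
#if defined(EAI_NODATA) && EAI_NODATA != EAI_NONAME
    case EAI_NODATA:
#endif
                     return RESOLVE_NOT_FOUND;
    case EAI_AGAIN:  return RESOLVE_TEMPORARY;
    default:         return RESOLVE_FAILED;
    }
}

/* Code for "name known, no address": EAI_NODATA if defined, else EAI_NONAME. */
int nodata_code(void)
{
#ifdef EAI_NODATA
    return EAI_NODATA;
#else
    return EAI_NONAME;
#endif
}

/* Offline lookup: AI_NUMERICHOST forbids DNS, so a non-numeric host fails locally. */
enum resolve_result lookup_numeric(const char *host)
{
    struct addrinfo hints, *res = NULL;
    memset(&hints, 0, sizeof hints);
    hints.ai_family = AF_UNSPEC;
    hints.ai_flags = AI_NUMERICHOST;
    int rc = getaddrinfo(host, NULL, &hints, &res);
    if (rc == 0)
        freeaddrinfo(res);
    return classify_gai(rc);
}
```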

