Cyril, I use a tool called Omnibus by Chef ( https://github.com/chef/omnibus ) which builds “fat” RPMs:
Really all it does is bundle all the dependencies for your project in the package, aka fat package, which helps in our case because the environments we install in often have restricted connectivity to the outside world. Here is a brief example below of the commands it would run for OpenSSL and then HAProxy.

# open ssl
export CFLAGS=-I/opt/haproxy/include
export LDFLAGS='-Wl,-rpath,/opt/haproxy/embedded/lib -L/opt/haproxy/embedded/lib'
./config --prefix=/opt/haproxy/embedded --with-zlib-lib=/opt/haproxy/embedded/lib --with-zlib-include=/opt/haproxy/embedded/include no-idea no-mdc2 no-rc5 zlib shared disable-gost -L/opt/haproxy/embedded/lib -I/opt/haproxy/embedded/include -Wl,-rpath,/opt/haproxy/embedded/lib

# HAProxy
export LDFLAGS='/opt/haproxy/embedded/lib -I/opt/haproxy/embedded/include'
export CFLAGS='/opt/haproxy/embedded/lib -I/opt/haproxy/embedded/include'
export LD_RUN_PATH=/opt/haproxy/embedded/lib
export PATH=/opt/haproxy/embedded/bin:$PATH
export LD_LIBRARY_PATH=/opt/haproxy/embedded/lib
export DESTDIR=/opt/haproxy/embedded
export PCREDIR=/opt/haproxy/embedded
export PCRE_INC=/opt/haproxy/embedded/include
make TARGET=linux26 USE_STATIC_PCRE=1 ARCH=x86_64 USE_OPENSSL=1 USE_ZLIB=1
make install PREFIX=/opt/haproxy/embedded

Thanks!

--
John Dyer
Sent with Airmail

On April 2, 2015 at 6:39:01 PM, Cyril Bonté ([email protected]) wrote:

On 02/04/2015 23:35, Lukas Tribus wrote:
>>> Please provide the output of "haproxy -vv" of the 1.5.11 executable.
>>>
>>> I guess you have an ABI problem between openssl 1.0.1 and 1.0.2.
>>
>> I wonder if we are not seeing a case not covered by CVE-2015-0290 :
>> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0290
>
> And linking haproxy 1.5.11 against openssl 1.0.1 would bypass this new
> 1.0.2 feature for the time being.

Likely that combination is safe. Still, I'm really not sure it happens in the multiblock part.

And there's one thing I don't get: the gdb output shows an exit due to a SIGPIPE (happening on a write call), but haproxy is supposed to catch and ignore them. John, can you describe how you generate the binaries (openssl and haproxy)?

--
Cyril Bonté
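
The build-time versus run-time OpenSSL comparison that the "haproxy -vv" request in this thread is after, as an added example that is not part of the original messages. It assumes the "Built with OpenSSL version" and "Running on OpenSSL version" lines that haproxy -vv prints for USE_OPENSSL builds; the function names, the sample outputs, and the choice to treat the letter suffix as a patch level within one series are assumptions of this example.

```shell
#!/bin/sh
# Added example: detect a build-time / run-time OpenSSL series mismatch
# from "haproxy -vv" output.  Usage: haproxy -vv | check_openssl_abi

# Print the version token (e.g. 1.0.1e) from the line beginning with label $1.
ssl_version() {
    sed -n "s/^$1 OpenSSL version : OpenSSL \([^ ]*\).*/\1/p" | head -n 1
}

# Reduce 1.0.1e or 1.0.1e-fips to its release series, 1.0.1.
abi_series() {
    printf '%s\n' "$1" | sed 's/-.*$//; s/[a-z]*$//'
}

# Reads haproxy -vv output on stdin.
# Returns 0 = same series, 1 = mismatch, 2 = version lines not found.
check_openssl_abi() {
    out=$(cat)
    built=$(printf '%s\n' "$out" | ssl_version "Built with")
    running=$(printf '%s\n' "$out" | ssl_version "Running on")
    if [ -z "$built" ] || [ -z "$running" ]; then
        echo "no OpenSSL version lines found (built without USE_OPENSSL?)" >&2
        return 2
    fi
    if [ "$(abi_series "$built")" != "$(abi_series "$running")" ]; then
        echo "MISMATCH: built with $built, running on $running"
        return 1
    fi
    echo "OK: built with $built, running on $running"
    return 0
}

# Constructed sample outputs (not taken from the thread).
SAMPLE_MISMATCH='HA-Proxy version 1.5.11 2015/01/31
Built with OpenSSL version : OpenSSL 1.0.1e 11 Feb 2013
Running on OpenSSL version : OpenSSL 1.0.2a 19 Mar 2015
OpenSSL library supports TLS extensions : yes'

SAMPLE_MATCH='HA-Proxy version 1.5.11 2015/01/31
Built with OpenSSL version : OpenSSL 1.0.2a 19 Mar 2015
Running on OpenSSL version : OpenSSL 1.0.2a 19 Mar 2015
OpenSSL library supports TLS extensions : yes'

printf '%s\n' "$SAMPLE_MISMATCH" | check_openssl_abi || true
printf '%s\n' "$SAMPLE_MATCH" | check_openssl_abi || true
```

With an rpath-embedded build like the one described above, a mismatch here would point at the dynamic loader resolving libssl from somewhere other than /opt/haproxy/embedded/lib.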

