Open tsrats opened 10 months ago
Hello. Sorry, no, and I should update the README / docs to say so. See this related issue; help welcome! https://github.com/OpenIDC/mod_auth_openidc/discussions/1067
Hello again. What is your processor / architecture, more precisely?
Hi!
I am running this on Oracle Cloud, which is using Ampere Altra A1 I believe.
Let's track when mod_auth_openidc 2.4.15 with https://github.com/OpenIDC/mod_auth_openidc/commit/4a4e198b62bf0370e60545ff26064a0b65d50784 lands in Debian https://packages.debian.org/bookworm/libapache2-mod-auth-openidc or in Alpine https://pkgs.alpinelinux.org/packages?name=apache-mod-auth-openidc-doc&branch=edge&arch=armv7
apache-mod-auth-openidc-doc 2.4.15.3-r0 is available for Alpine in the testing repo (armv7 and armv8 (arm64)); is this enough?
Alpine testing is only used in our https://github.com/FreshRSS/FreshRSS/blob/edge/Docker/Dockerfile-Newest
So please try the following. Feedback or additional PR welcome:
```yaml
freshrss:
  image: freshrss/freshrss:newest
  build:
    context: https://github.com/FreshRSS/FreshRSS.git#edge
    dockerfile: Docker/Dockerfile-Newest
  ...
```
I'm sorry I missed this, but until this issue is resolved, OIDC also won't work for ARM64, correct? I see ARM mentioned a lot and I'm not clear if this includes ARM64. I ask because I've been trying to get OIDC working on RPi 4 running 64 bit OS and it's not working.
I just tried running "Newest", with errors:

```
freshrss | Enabling module auth_openidc.
freshrss | [Fri Mar 08 11:12:33.507019 2024] [core:warn] [pid 1] AH00111: Config variable ${OIDC_CLIENT_CRYPTO_KEY} is not defined
freshrss | AH00526: Syntax error on line 22 of /etc/apache2/conf.d/FreshRSS.Apache.conf:
freshrss | The auth_openidc_module is not available. Install it or unset environment variable OIDC_ENABLED.
freshrss exited with code 0
```
It would be good to do a bit of manual testing.
Run the Newest image without OIDC_ENABLED, and then check the content of /etc/apache2/conf.d/mod-auth-openidc.conf.bak, what it refers to, and related files.

```sh
docker run -it --rm freshrss/freshrss:newest cat /etc/apache2/conf.d/mod-auth-openidc.conf.bak
```
```
LoadModule auth_openidc_module modules/mod_auth_openidc.so
########################################################################################
#
# Common Settings
#
########################################################################################
# (Mandatory)
# The redirect_uri for this OpenID Connect client; this is a vanity URL
# that must ONLY point to a path on your server protected by this module
# but it must NOT point to any actual content that needs to be served.
# You can use a relative URL like /protected/redirect_uri if you want to
# support multiple vhosts that belong to the same security domain in a dynamic way
#OIDCRedirectURI https://www.example.com/protected/redirect_uri
# (Mandatory)
# Set a password for crypto purposes, this is used for:
# - encryption of the (temporary) state cookie
# - encryption of cache entries, that may include the session cookie, see: OIDCCacheEncrypt and OIDCSessionType
# Note that an encrypted cache mechanism can be shared between servers if they use the same OIDCCryptoPassphrase
# If the value begins with exec: the resulting command will be executed and the
# first line returned to standard output by the program will be used as the password, e.g:
# OIDCCryptoPassphrase "exec:/bin/bash -c \"head /dev/urandom | tr -dc A-Za-z0-9 | head -c 32\""
# (notice that the above typically only works in non-clustered environments)
# The command may be absolute or relative to the web server root.
#
# A second value can be used temporarily in case of passphrase rollover: the first (i.e. new) passphrase
# will be used for encryption of new values (including a "kid" in the JWEs during the time 2 values are defined),
# both values will be used for verification (leveraging the "kid" if present); for seamless rollover one should
# (at minimum) wait for OIDCSessionInActivityTimeout seconds before removing the 2nd (i.e. old) passprase again.
#OIDCCryptoPassphrase [
```
Module location (`find / -type f -iname mod_auth_openidc.so`): /usr/lib/apache2/mod_auth_openidc.so
The module file is there apparently. Do you need more info?
(Ran from Raspberry PI 4B, arm64)
The first line reads `LoadModule auth_openidc_module modules/mod_auth_openidc.so`. That does not seem to be the correct path, does it?
It could be good to compare with the x86_64 version.
Cannot compare it with the self-built version for now (user namespace is enabled on the x86_64 docker host, and the image build will fail there: `touch: /var/www/FreshRSS/Docker/env.txt: Permission denied`).
The current edge image does not have the oidc config.
Multipass VM on x86_64:
```
LoadModule auth_openidc_module modules/mod_auth_openidc.so
########################################################################################
#
# Common Settings
#
########################################################################################
# (Mandatory)
# The redirect_uri for this OpenID Connect client; this is a vanity URL
# that must ONLY point to a path on your server protected by this module
# but it must NOT point to any actual content that needs to be served.
# You can use a relative URL like /protected/redirect_uri if you want to
# support multiple vhosts that belong to the same security domain in a dynamic way
#OIDCRedirectURI https://www.example.com/protected/redirect_uri
# (Mandatory)
# Set a password for crypto purposes, this is used for:
# - encryption of the (temporary) state cookie
# - encryption of cache entries, that may include the session cookie, see: OIDCCacheEncrypt and OIDCSessionType
# Note that an encrypted cache mechanism can be shared between servers if they use the same OIDCCryptoPassphrase
# If the value begins with exec: the resulting command will be executed and the
# first line returned to standard output by the program will be used as the password, e.g:
# OIDCCryptoPassphrase "exec:/bin/bash -c \"head /dev/urandom | tr -dc A-Za-z0-9 | head -c 32\""
# (notice that the above typically only works in non-clustered environments)
# The command may be absolute or relative to the web server root.
#
# A second value can be used temporarily in case of passphrase rollover: the first (i.e. new) passphrase
# will be used for encryption of new values (including a "kid" in the JWEs during the time 2 values are defined),
# both values will be used for verification (leveraging the "kid" if present); for seamless rollover one should
# (at minimum) wait for OIDCSessionInActivityTimeout seconds before removing the 2nd (i.e. old) passprase again.
#OIDCCryptoPassphrase [
```
Module location (`find / -type f -iname mod_auth_openidc.so`): /usr/lib/apache2/mod_auth_openidc.so

```
ubuntu@docker:~/freshrss-test$ docker run --rm -e OIDC_ENABLED=1 -it freshrss/freshrss:newest
Enabling module auth_openidc.
[Tue Mar 19 17:03:30.643018 2024] [core:warn] [pid 1] AH00111: Config variable ${OIDC_PROVIDER_METADATA_URL} is not defined
[Tue Mar 19 17:03:30.643051 2024] [core:warn] [pid 1] AH00111: Config variable ${OIDC_CLIENT_ID} is not defined
[Tue Mar 19 17:03:30.643056 2024] [core:warn] [pid 1] AH00111: Config variable ${OIDC_CLIENT_SECRET} is not defined
[Tue Mar 19 17:03:30.643076 2024] [core:warn] [pid 1] AH00111: Config variable ${OIDC_CLIENT_CRYPTO_KEY} is not defined
[Tue Mar 19 17:03:30.643081 2024] [core:warn] [pid 1] AH00111: Config variable ${OIDC_REMOTE_USER_CLAIM} is not defined
[Tue Mar 19 17:03:30.643091 2024] [core:warn] [pid 1] AH00111: Config variable ${OIDC_SCOPES} is not defined
[Tue Mar 19 17:03:30.643099 2024] [core:warn] [pid 1] AH00111: Config variable ${OIDC_X_FORWARDED_HEADERS} is not defined
AH00526: Syntax error on line 22 of /etc/apache2/conf.d/FreshRSS.Apache.conf:
The auth_openidc_module is not available. Install it or unset environment variable OIDC_ENABLED.
```
This seems to be invalid for both x86_64 and arm64.
It seems that OIDC support is broken on all Alpine-based images regardless of architecture, while the Debian-based ones are fine. Tested on an x86_64 machine and the mod_auth_openidc.so module still cannot be found, the same as on my arm64 machine.

It seems that Alpine's package manager installs the file to /usr/lib/apache2/mod_auth_openidc.so, as mentioned by @mytlogos, regardless of architecture, but the shipped config file still refers to the modules/mod_auth_openidc.so path.

I tried to force-load the module in FreshRSS.Apache.conf by adding `LoadModule mod_auth_openidc /usr/lib/apache2/mod_auth_openidc.so` at the beginning of the file, but without success. I used objdump to inspect the shared library and it seems fine. I suspect the issue has something to do with the ordering of LoadModule and IfModule: is the condition check done before the module is actually loaded? I am not very familiar with Apache2, so it could be because I got the config wrong.

The Debian-based image works on an x86_64 machine. A possible workaround is to use qemu to emulate the thing on aarch64. I haven't tested this on my Oracle Cloud ARM machine yet, but I doubt it will bring more subtle architectural and performance issues.
It turns out that the issue with the thing not working has to do with my build system (sigh). The change was never incorporated into the image. I did get this to work with the following changes on x86_64 and arm64.
It seems the root cause is the wrong shared library path. I can try to come up with a fix here in FreshRSS once I finish my setup. And it seems that it is an upstream bug that I can bring to the attention of the Alpine maintainers.
diff --git a/Docker/FreshRSS.Apache.conf b/Docker/FreshRSS.Apache.conf
index 49411441..66087c6a 100644
--- a/Docker/FreshRSS.Apache.conf
+++ b/Docker/FreshRSS.Apache.conf
@@ -6,6 +6,8 @@ ServerTokens OS
TraceEnable Off
ErrorLog /dev/stderr
+LoadModule auth_openidc_module /usr/lib/apache2/mod_auth_openidc.so
+
# For logging the original user-agent IP instead of proxy IPs:
<IfModule mod_remoteip.c>
# Can be disabled by setting the TRUSTED_PROXY environment variable to 0:
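Review bot: the added `LoadModule auth_openidc_module /usr/lib/apache2/mod_auth_openidc.so` is unconditional and hard-codes the Alpine install path, so the same FreshRSS.Apache.conf would break startup on the Debian-based image (where the module lives under /usr/lib/apache2/modules/ and where the thread reports OIDC already working), and it loads the module even when OIDC_ENABLED is unset. Guard it, for example with `<IfFile /usr/lib/apache2/mod_auth_openidc.so>` around the directive (available since Apache 2.4.34), or keep the fix in the Alpine Dockerfile by correcting the path in the packaged mod-auth-openidc.conf; note that once the packaged conf also loads the module, Apache will report the module as already loaded and skip the second directive.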
@@ -21,7 +23,6 @@ CustomLog "|/var/www/FreshRSS/cli/sensitive-log.sh" combined_proxy
<IfModule !auth_openidc_module>
Error "The auth_openidc_module is not available. Install it or unset environment variable OIDC_ENABLED."
</IfModule>
-
# Workaround to be able to check whether an environment variable is set
# See: https://serverfault.com/questions/1022233/using-ifdefine-with-environment-variables/1022234#1022234
Define VStart "${"
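Review bot: the only change in this hunk is the deleted blank line after `</IfModule>`, which is unrelated whitespace churn and should be dropped so the diff contains just the LoadModule fix. The `<IfModule !auth_openidc_module>` guard above it is what emits the "not available" error, and it only stays correct if the new LoadModule is processed before this block, which the placement at the top of the file in the previous hunk ensures.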
A bug report is filed to upstream Alpine: https://gitlab.alpinelinux.org/alpine/aports/-/issues/15999
Thanks for your debugging efforts 👍🏻
Tried another test, now that the referenced issue in Alpine seems to have been fixed. It still fails for some reason...
I used the same steps, from here:

> Alpine testing is only used in our https://github.com/FreshRSS/FreshRSS/blob/edge/Docker/Dockerfile-Newest
> So please try the following. Feedback or additional PR welcome:
>
> ```yaml
> freshrss:
>   image: freshrss/freshrss:newest
>   build:
>     context: https://github.com/FreshRSS/FreshRSS.git#edge
>     dockerfile: Docker/Dockerfile-Newest
>   ...
> ```
>
> * https://github.com/FreshRSS/FreshRSS/blob/edge/Docker/freshrss/docker-compose.yml
> * https://github.com/FreshRSS/FreshRSS/blob/edge/Docker/README.md#build-custom-docker-image
The MR related to the Alpine issue was merged on 7 May 2024.
The current alpine:edge image comes from 6.6.24/7.6.24, with the version being 3.21.0_alpha20240606.
The MR is already incorporated (it removes the modules/ part from the module load thingy).
Build command: `docker compose build --no-cache --pull`
When I start the compose project, the logs show that it fails again:
The openidc module is still at the same location: `docker run -it --rm freshrss/freshrss:newest find / -type f -iname mod_auth_openidc.so`: /usr/lib/apache2/mod_auth_openidc.so
Did I do something wrong, or why is this still happening?
OS: Raspberry PI OS (Debian 12)
Model: Raspberry Pi 4
Docker: 27.1.1
@mytlogos Thanks for the tests 👍🏻
You should provide the environment variables such as OIDC_PROVIDER_METADATA_URL in your docker-compose.
But this is not the main error, which seems indeed to be: `Syntax error on line 1 of /etc/apache2/conf.d/mod-auth-openidc.conf: Cannot load mod_auth_openidc.so into server: Error loading shared library mod_auth_openidc.so: No such file or directory`
I do not know why this still seems to fail, but additional debugging is welcome.
It could be interesting to replace the loading line with the full path to check whether it makes any difference: `LoadModule auth_openidc_module /usr/lib/apache2/mod_auth_openidc.so`. I suspect another problem, though.
Describe the bug: Attempting to deploy the container freshrss/freshrss:1.22.0-arm to a Kubernetes cluster, and the container crashes with only the error log "Enabling module auth_openidc". Looking at the https://github.com/OpenIDC/mod_auth_openidc project, it is unclear if ARM/ARM64 is supported, or only x64.
To Reproduce (steps to reproduce the behavior): Deploy the latest container image with OpenID Connect enabled in ENV.
Expected behavior: Container at least runs (unsure if other ENV values are right, but cannot test with the container crashing).
Screenshots: N/A
Environment information (please complete the following information):
Additional context: N/A