edannenberg / kubler

A generic, extendable build orchestrator.
BSD 2-Clause "Simplified" License

Kubler bob-musl builder fails to emerge openssh due to util-linux's su use-flag requiring pam #214

Closed berney closed 1 year ago

berney commented 2 years ago

The kubler/bob-musl builder's `configure_bob()` re-emerges openssh and openssl to remove the bindist use-flag. This causes util-linux to be re-emerged, but it gets an unmet requirements error because its su use-flag is enabled and this requires the pam use-flag, which is disabled.

```
!!! Problem resolving dependencies for sys-apps/util-linux:0 from @__auto_slot_operator_replace_installed__
... done!

!!! The ebuild selected to satisfy "sys-apps/util-linux:0" has unmet requirements.
- sys-apps/util-linux-2.37.4::gentoo USE="cramfs hardlink logger nls readline (split-usr) su suid (unicode) -audit -build -caps -cryptsetup -fdformat -kill -magic -ncurses -pam -python (-rtas) (-selinux) -slang -static-libs (-systemd) -test -tty-helpers -udev" PYTHON_TARGETS="python3_10 -python3_8 -python3_9"

  The following REQUIRED_USE flag constraints are unsatisfied:
    su? ( pam )

  The above constraints are a subset of the following complete expression:
    python? ( any-of ( python_targets_python3_8 python_targets_python3_9 python_targets_python3_10 ) ) su? ( pam )

(dependency required by "@__auto_slot_operator_replace_installed__" [argument])
```

Full `kubler build -v kubler/busybox` output

```
berne@LAPTOP-RSH1JKF0 2022-09-11 22:43:25 berney (main)[1] % kubler build -v kubler/busybox
»»»»»[init]» generate build graph
»»» required engines: docker
»»» required stage3: stage3-amd64-musl-hardened
»»» required builders: kubler/bob-musl
»»» build sequence: kubler/busybox
»[✔]»[init]» done.
»»»»»[kubler/bob-musl]» bootstrap builder environment
switching portage profile to: /var/db/repos/gentoo/profiles/default/linux/amd64/17.0/musl/hardened
Performing Global Updates
(Could take a couple of minutes if you have a lot of binary packages.)
.='update pass' *='binary update' #='/var/db update' @='/var/db move'
s='/var/db SLOT move' %='binary move' S='binary SLOT move'
p='update /etc/portage/package.*'
/var/db/repos/gentoo/profiles/updates/3Q-2022................
Calculating dependencies... done!
>>> Emerging binary (1 of 5) app-shells/push-3.4::gentoo
>>> Installing (1 of 5) app-shells/push-3.4::gentoo
>>> Emerging binary (2 of 5) app-shells/quoter-4.2::gentoo
>>> Installing (2 of 5) app-shells/quoter-4.2::gentoo
>>> Emerging binary (3 of 5) app-portage/flaggie-0.2.1-r2::gentoo
>>> Installing (3 of 5) app-portage/flaggie-0.2.1-r2::gentoo
>>> Recording app-portage/flaggie in "world" favorites file...
>>> Emerging binary (4 of 5) app-portage/eix-0.36.5::gentoo
>>> Installing (4 of 5) app-portage/eix-0.36.5::gentoo
>>> Recording app-portage/eix in "world" favorites file...
>>> Emerging binary (5 of 5) app-portage/gentoolkit-0.5.1-r1::gentoo
>>> Installing (5 of 5) app-portage/gentoolkit-0.5.1-r1::gentoo
>>> Recording app-portage/gentoolkit in "world" favorites file...
>>> Jobs: 5 of 5 complete Load avg: 0.60, 0.40, 0.26
 * Messages for package app-portage/flaggie-0.2.1-r2:
 * Please note that flaggie creates backups of your package.* files
 * before performing each change through appending a single '~'.
 * If you'd like to keep your own backup of them, please use another
 * naming scheme (or even better some VCS).
 *
 * If you want to use bash-completion, you need to install:
 * app-shells/gentoo-bashcomp
 * Messages for package app-portage/gentoolkit-0.5.1-r1:
 *
 * For further information on gentoolkit, please read the gentoolkit
 * guide: https://wiki.gentoo.org/wiki/Gentoolkit
 *
 * Another alternative to equery is app-portage/portage-utils
 *
 * Additional tools that may be of interest:
 *
 * app-admin/eclean-kernel
 * app-portage/diffmask
 * app-portage/flaggie
 * app-portage/portpeek
 * app-portage/smart-live-rebuild
>>> Auto-cleaning packages...
>>> No outdated packages were found on your system.
Reading Portage settings...
Building database (/var/cache/eix/portage.eix)...
[0] "gentoo" /var/db/repos/gentoo/ (cache: metadata-md5-or-flat)
Reading category 169|169 (100) Finished
Applying masks...
Calculating hash tables...
Writing database file /var/cache/eix/portage.eix...
Database contains 19621 packages in 169 categories
>>> Regenerating /etc/ld.so.cache...
XXX Berney, about to remove openssh and openssl
 * This action can remove important packages! In order to be safer, use
 * `emerge -pv --depclean ` to check for reverse dependencies before
 * removing packages.
!!! 'net-misc/openssh' (virtual/ssh) is part of your system profile.
!!! Unmerging it may be damaging to your system.
net-misc/openssh
 selected: 9.0_p1-r2
 protected: none
 omitted: none
dev-libs/openssl
 selected: 1.1.1q
 protected: none
 omitted: none
All selected packages: =net-misc/openssh-9.0_p1-r2 =dev-libs/openssl-1.1.1q
>>> 'Selected' packages are slated for removal.
>>> 'Protected' and 'omitted' packages will not be removed.
>>> Waiting 5 seconds before starting...
>>> (Control-C to abort)...
>>> Unmerging in: 5 4 3 2 1
>>> Unmerging (1 of 2) net-misc/openssh-9.0_p1-r2...
>>> Unmerging (2 of 2) dev-libs/openssl-1.1.1q...
!!! existing preserved libs:
>>> package: dev-libs/openssl-1.1.1q
 * - /usr/lib/libssl.so.1.1
 * used by /usr/bin/wget (net-misc/wget-1.21.3-r1)
 * used by /usr/lib/libcurl.so.4.8.0 (net-misc/curl-7.84.0)
 * used by /usr/lib/python3.10/lib-dynload/_ssl.cpython-310-x86_64-linux-gnu.so (dev-lang/python-3.10.6_p2)
 * - /usr/lib/libcrypto.so.1.1
 * used by /usr/bin/q (app-portage/portage-utils-0.93.3)
 * used by /usr/bin/rsync (net-misc/rsync-3.2.4-r3)
 * used by /usr/bin/wget (net-misc/wget-1.21.3-r1)
 * used by 3 other files
Use emerge @preserved-rebuild to rebuild packages using these libraries
XXX Berney, removed openssh and openssl
XXX Berney, about to emerge openssh
Calculating dependencies |
!!! Problem resolving dependencies for sys-apps/util-linux:0 from @__auto_slot_operator_replace_installed__
... done!

!!! The ebuild selected to satisfy "sys-apps/util-linux:0" has unmet requirements.
- sys-apps/util-linux-2.37.4::gentoo USE="cramfs hardlink logger nls readline (split-usr) su suid (unicode) -audit -build -caps -cryptsetup -fdformat -kill -magic -ncurses -pam -python (-rtas) (-selinux) -slang -static-libs (-systemd) -test -tty-helpers -udev" PYTHON_TARGETS="python3_10 -python3_8 -python3_9"

  The following REQUIRED_USE flag constraints are unsatisfied:
    su? ( pam )

  The above constraints are a subset of the following complete expression:
    python? ( any-of ( python_targets_python3_8 python_targets_python3_9 python_targets_python3_10 ) ) su? ( pam )

(dependency required by "@__auto_slot_operator_replace_installed__" [argument])
»[✘]»[kubler/bob-musl]» fatal: Failed to run image kubler/bob-musl-core:20220731T170548Z
»[✘]»[kubler/bob-musl]» removing rootfs-builder-kubler-bob-musl-30492-13752, NO_CLEANUP env prevents this
berne@LAPTOP-RSH1JKF0 2022-09-11 22:44:03 berney (main)[1] % kubler build -i kubler/busybox
»»»»»[init]» generate build graph for interactive build of kubler/busybox
»»» required engines: docker
»»» required stage3: stage3-amd64-musl-hardened
»»» required builders: kubler/bob-musl
»[✔]»[init]» done.
»[⠇]»[kubler/bob-musl]» bootstrap builder environment
»[✘]»[kubler/bob-musl]» removing rootfs-builder-kubler-bob-musl-30664-5476, NO_CLEANUP env prevents this
```

In kubler-bob-musl-core before building bob-musl, this is the state of util-linux:

```
kubler-bob-musl-core / # equery u util-linux
[ Legend : U - final flag setting for installation]
[        : I - package is installed with flag     ]
[ Colors : set, unset                             ]
 * Found these USE flags for sys-apps/util-linux-2.37.4:
 U I
 - - audit                     : Use sys-process/audit to emit audit messages about system changes
 - - build                     : !!internal use only!! DO NOT SET THIS FLAG YOURSELF!, used for creating build images and the first half of bootstrapping [make stage1]
 - - caps                      : build setpriv helper (run programs with diff capabilities)
 + + cramfs                    : build mkfs/fsck helpers for cramfs filesystems
 - - cryptsetup                : Use sys-fs/cryptsetup to have built-in dm-verity in libmount
 - - fdformat                  : build fdformat (floppy disk format)
 + + hardlink                  : build hardlink program
 - - kill                      : build the kill program
 + + logger                    : build the logger program
 - - magic                     : Add support for file type detection via magic bytes (usually via libmagic from sys-apps/file)
 - + ncurses                   : Add ncurses support (console display library)
 + + nls                       : Add Native Language Support (using gettext - GNU locale utilities)
 - + pam                       : build runuser helper
 - - python                    : Add optional support/bindings for the Python language
 + + python_targets_python3_10 : Build with Python 3.10
 - - python_targets_python3_8  : Build with Python 3.8
 - - python_targets_python3_9  : Build with Python 3.9
 + + readline                  : Enable support for libreadline, a GNU line-editing library that almost everyone wants
 - - slang                     : Add support for the slang text display library (it's like ncurses, but different)
 - - static-libs               : Build static versions of dynamic libraries as well
 + + su                        : build the su program
 + + suid                      : Install some programs with suid bit set to provide additional functionality. mount/umount: non-root users may mount/umount devices wall/write: non-root users can notify other users su: non-root users may
                                 become root
 - - test                      : Enable dependencies and/or preparations necessary to run tests (usually controlled by FEATURES=test but can be toggled independently)
 - - tty-helpers               : install the mesg/wall/write tools for talking to local users
 - - udev                      : Enable virtual/udev integration (device discovery, power and storage device support, etc)
kubler-bob-musl-core / # eix util-linux
[I] sys-apps/util-linux
     Available versions:  2.37.4^t ~2.38^t ~2.38.1^t **9999*l^t {audit build caps +cramfs cryptsetup fdformat +hardlink kill +logger magic ncurses nls pam python +readline rtas selinux slang split-usr static-libs +su +suid systemd test tty-helpers udev unicode verify-sig ABI_MIPS="n32 n64 o32" ABI_S390="32 64" ABI_X86="32 64 x32" PYTHON_TARGETS="python3_8 python3_9 python3_10"}
     Installed versions:  2.37.4^t(02:26:01 07/04/22)(cramfs hardlink logger ncurses nls pam readline split-usr su suid unicode -audit -build -caps -cryptsetup -fdformat -kill -magic -python -rtas -selinux -slang -static-libs -systemd -test -tty-helpers -udev ABI_MIPS="-n32 -n64 -o32" ABI_S390="-32 -64" ABI_X86="64 -32 -x32" PYTHON_TARGETS="python3_10 -python3_8 -python3_9")
     Homepage:            https://www.kernel.org/pub/linux/utils/util-linux/ https://github.com/util-linux/util-linux
     Description:         Various useful Linux utilities
```

After adding `update_use 'sys-apps/util-linux' '+pam'` to the `configure_bob()`, this is the `emerge -vt openssh`:

```
[ebuild  N     ] net-misc/openssh-9.0_p1-r2::gentoo  USE="(pie) ssl -X -X509 -audit (-debug) -hpn -kerberos -ldns -libedit -livecd -pam -sctp -security-key (-selinux) -static -test -verify-sig -xmss" 1780 KiB
[ebuild  r  U  ] sys-apps/systemd-utils-251.3::gentoo [250.7::gentoo] USE="acl kmod (split-usr) tmpfiles udev -boot (-selinux) -sysusers -test" 11196 KiB
[ebuild  rR    ] sys-auth/passwdqc-2.0.2-r1::gentoo  87 KiB
[ebuild  r  U  ] sys-apps/shadow-4.12.3:0/4::gentoo [4.11.1:0/4::gentoo] USE="acl nls (split-usr) xattr -audit -bcrypt -cracklib -pam* (-selinux) -skey -su -verify-sig%" 1707 KiB
[ebuild  rR    ] dev-lang/python-3.10.6_p2:3.10::gentoo  USE="ensurepip hardened readline sqlite ssl xml -bluetooth -build -examples -gdbm* -libedit -lto -ncurses* -pgo -test -tk -verify-sig" 19154 KiB
[ebuild  rR    ]  sys-apps/util-linux-2.37.4::gentoo  USE="cramfs hardlink logger nls pam readline (split-usr) su suid (unicode) -audit -build -caps -cryptsetup -fdformat -kill -magic -ncurses* -python (-rtas) (-selinux) -slang -static-libs (-systemd) -test -tty-helpers -udev" PYTHON_TARGETS="python3_10 -python3_8 -python3_9" 0 KiB
[ebuild  r  U  ]   sys-libs/pam-1.5.2-r2::gentoo [1.5.1_p20210622-r1::gentoo] USE="(split-usr) -audit -berkdb -debug -filecaps -nis (-selinux)" 1399 KiB
[ebuild  rR    ] dev-lang/perl-5.34.1-r3:0/5.34::gentoo  USE="-berkdb -debug -doc -gdbm -ithreads -minimal -quadmath" 0 KiB
[nomerge       ] dev-lang/python-3.10.6_p2:3.10::gentoo  USE="ensurepip hardened readline sqlite ssl xml -bluetooth -build -examples -gdbm* -libedit -lto -ncurses* -pgo -test -tk -verify-sig"
[binary  N     ]  dev-libs/openssl-1.1.1q-1:0/1.1::gentoo  USE="asm -rfc3779 -sctp -sslv3 -static-libs -test -tls-compression -tls-heartbeat -vanilla -verify-sig -weak-ssl-ciphers" CPU_FLAGS_X86="(sse2)" 0 KiB
[binary  r  U  ]  virtual/libcrypt-2-1:0/2::gentoo [1-r1:0/1::gentoo] USE="-static-libs" 0 KiB
```

berney commented 2 years ago

util-linux seems to have had this USE su->pam dependency for a long time, see https://gitweb.gentoo.org/repo/gentoo.git/commit/sys-apps/util-linux?id=fe07c3e46ee67b99c88c249cacaab79336e68682. So I'm not sure why bob-musl is breaking just now, nor why the stage3 (bob-musl-core) has USE -pam. The stage3 has shadow, but `equery b /usr/bin/su` says it belongs to util-linux and `lddtree` shows it uses libpam.

shadow was going to remove their su, which doesn't need pam, but because util-linux needs pam, they have for now stated they won't remove it just yet. See https://github.com/shadow-maint/shadow/issues/464#issuecomment-1006649952.

r7l commented 2 years ago

I am still waiting for Gentoo to figure out what to do with libpam and for now I am trying to avoid it. I have this in my custom builders:

```
update_use 'sys-apps/util-linux' '-su'
update_use 'sys-apps/shadow' '+su'
```

But thanks for the link. I haven't seen that issue and maybe it's a good idea to raise objections against removing the option without libpam.
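
The `su? ( pam )` constraint from the failing emerge output, checked outside Portage: an added example that is not part of the thread and is neither kubler's nor Portage's code. It evaluates the REQUIRED_USE expression against the USE set from the issue, so the two changes discussed above (`+pam`, or `-su`) can be tried against it; the function names are hypothetical, and it goes slightly beyond this one constraint by handling the other REQUIRED_USE group operators as well.

```python
# Added example: evaluate REQUIRED_USE against a USE set; inputs copied from the issue, names hypothetical.
GROUPS = {"||": "any-of", "^^": "exactly-one-of", "??": "at-most-one-of"}
GROUPS.update({name: name for name in GROUPS.values()})  # spelled-out forms, as in the emerge output
REQUIRED_USE = ("python? ( any-of ( python_targets_python3_8 python_targets_python3_9 "
                "python_targets_python3_10 ) ) su? ( pam )")
USE = ("cramfs hardlink logger nls readline (split-usr) su suid (unicode) -audit -build "
       "-caps -cryptsetup -fdformat -kill -magic -ncurses -pam -python (-rtas) (-selinux) "
       "-slang -static-libs (-systemd) -test -tty-helpers -udev")

def enabled_flags(use, prefix=""):
    """Enabled flags in an emerge USE string; '(forced)' and '*'/'%' markers are stripped."""
    flags = (tok.strip("()*%") for tok in use.split())
    return {prefix + f for f in flags if f and not f.startswith("-")}

def parse(tokens):
    """Recursive descent into (kind, flag, children) tuples, up to the closing ')'."""
    nodes = []
    while tokens and (tok := tokens.pop(0)) != ")":
        if tok == "(" or tok in GROUPS or tok.endswith("?"):
            if tok != "(":
                tokens.pop(0)  # the "(" that opens the group
            kind = GROUPS.get(tok, "all-of" if tok == "(" else "if")
            nodes.append((kind, tok.rstrip("?") if kind == "if" else None, parse(tokens)))
        else:
            nodes.append(("flag", tok, []))
    return nodes

def is_on(flag, enabled):
    return flag[1:] not in enabled if flag.startswith("!") else flag in enabled

def holds(node, enabled):
    kind, flag, children = node
    if kind == "flag":
        return is_on(flag, enabled)
    if kind == "if" and not is_on(flag, enabled):
        return True  # condition not met, so nothing is required
    hits = sum(holds(child, enabled) for child in children)
    return {"if": hits == len(children), "all-of": hits == len(children), "any-of": hits >= 1,
            "exactly-one-of": hits == 1, "at-most-one-of": hits <= 1}[kind]

def render(node):
    head = f"{node[1]}?" if node[0] == "if" else node[0]
    return node[1] if node[0] == "flag" else f"{head} ( {' '.join(map(render, node[2]))} )"

def unsatisfied(required_use, enabled):
    """Top-level constraints of required_use that the enabled flag set violates."""
    return [render(n) for n in parse(required_use.split()) if not holds(n, enabled)]

ISSUE_FLAGS = enabled_flags(USE) | enabled_flags("python3_10 -python3_8 -python3_9", "python_targets_")
print(unsatisfied(REQUIRED_USE, ISSUE_FLAGS))
```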

edannenberg commented 2 years ago

Couldn't reproduce this with a fresh install (no binary packages). Maybe resolved by upstream?

berney commented 1 year ago

I did a clean build with no binary packages and this problem went away. So it appears it is an artifact of the binary packages I had cached. Closing this issue and the PR.