Filip Chabik

BCC & libbpf

Latest versions of BCC (v0.22.0) and libbpf (v0.5.0) are now available from the bpftrace PPA¹ for bionic, focal and hirsute:

sudo add-apt-repository ppa:hadret/bpftrace
sudo apt update
sudo apt install bpftrace bpfcc-tools libbpf

Right now bionic builds of bpftrace are still done using LLVM9 which means that they are still affected by the Accessing pointers broken on LLVM <12 bug. I did however port LLVM12 to Launchpad and was able to build bpftrace for bionic with it. Fixed version will require some additional dependencies though and I had no time yet for proper testing.

Additionally all the latest builds are now also available for arm64 architecture.

NGINX Extended

Latest builds in stable for bionic, focal and hirsute followed the tracks of official Ubuntu builds and dropped Lua module:

Remove the Lua modules from NGINX (Server Team Decision) - future support for Lua module now requires resty-core from OpenResty, meaning that if we want to continue to support the Lua module, we have to start becoming OpenResty - users should just use OpenResty at this point for Lua.

The package naming has been aligned with latest, upcoming changes as seen in Debian: nginx-full has been dropped and nginx-extras should now be used for installing all available modules:

sudo add-apt-repository ppa:hadret/nginx
sudo apt update
sudo apt install nginx-extras

Mainline has finally been updated to follow 1.21.x branch, builds for bionic, focal and hirsute are up for the taking:

sudo add-apt-repository ppa:hadret/nginx-mainline
sudo apt-get update
sudo apt install nginx-extras

Here as well arm64 builds are now available – also from the Docker hub:²

docker run hadret/nginx-extended:latest

Test all the things

Finally, I published my docker-compose setup for quick testing for the packages I build for the PPA. Be sure to check it out on GitHub: docker-compose-tests.

Debian news:

After 2 years, 1 month, and 9 days of development, the Debian project is proud to present its new stable version 11 (code name bullseye), which will be supported for the next 5 years thanks to the combined work of the Debian Security team and the Debian Long Term Support team.

I’ve been rocking Gentoo on my NUC for some time, but eventually I moved to Debian Sid as I wanted to use “bare-metal” for packages building. While I do miss certain features of Gentoo, I immediately felt at home with Debian. Even with all of the systemd parts that rub me the wrong way – especially as was proven by other distros it’s not the only way¹ – the overall experience is just right. Congrats to the Debian project for the bullseye release.

In June latest release of libbpf has landed in Ubuntu repositories for impish (upcoming 21.10 release). I grabbed the 0.4.0 version and backported it to bionic, focal, groovy and hirsute – these are test builds and are available from the following PPA:

sudo add-apt-repository ppa:hadret/libbpf
sudo apt-get update

Right now these are not really used for anything. In the future though, I’d like to build against them as it’s done in the upcoming releases of Ubuntu and Debian (I had no luck with such builds myself, especially for the older LTS releases).

Latest versions of BCC (v0.21.0) and bpftrace (v0.13.0) are now available from the bpftrace PPA for bionic, focal, groovy and hirsute:

sudo add-apt-repository ppa:hadret/bpftrace
sudo apt-get update

I had a broken build against bpfcc PPA so this one is going to lag behind until the next release – this is because Launchpad doesn’t allow to upload new original tarballs more than once for a given version per repository, even if the broken packages are deleted.

BCC and bpftrace builds went fine and were tested – they work, but the thing is, that both are being build against LLVM versions that are available in the official Ubuntu repositories. This means that only focal and hirsute are being build against LLVM12 and are not being hit by this bug: Accessing pointers broken on LLVM <12 #1305. bionic builds are using LLVM9 and groovy’s are stuck on LLVM11. What I think I’ll do is to try and backport/transplant official LLVM repository to be build on some Launchpad PPA so that I could potentially use it to build against LLVM12 for these two – probably I’ll keep the versions that don’t require additional 3rd-party repositories around, with the caveat of being hit but the mentioned bug.

Last month I patched NGINX Extended against the CVE-2021-23017. I was still having trouble with upgrading to anything higher than 1.19.5 though – which I wrote about back in January. I was getting to the point where I started to explore alternatives when I finally got it building properly.

There are some changes involved though as I had to drop the following modules:

• http-upstream-check
• http-upstream-fair
• nchan

If you rely on any or all of these, please don’t upgrade. Few modules had also been upgraded, namely:

• http-fancyindex to version 0.5.1
• http-modsecurity to version 1.0.2
• http-upsync to version 2.1.3
• rtmp to version 1.2.2

At the moment the latest stable build 1.20.1 is available in the mainline PPA for bionic, focal, groovy (last release) and hirsute (first release). Here’s a quick recap on how to grab it:

sudo add-apt-repository ppa:hadret/nginx-mainline
sudo apt-get update
sudo apt-get install nginx-full

For the upcoming future the plan is simple: migrate 1.20.1 build to the stable PPA branch and prepare 1.21 in the mainline. But for that to happen I need to do some proper testing of the 1.20 builds first.

A security issue in nginx resolver was identified, which might allow an attacker who is able to forge UDP packets from the DNS server to cause 1-byte memory overwrite, resulting in worker process crash or potential other impact.

That’s the essence of the CVE-2021-23017 that was published on May 25. I patched NGINX Extended few days later for bionic, focal and groovy Ubuntu releases. hirsute will join the builds eventually.

Additionally there was a minor bugfix release for ModSecurity, v1.0.2. It’s now also available in the PPA.