fix: Add libsasl2-modules-gssapi-mit to Dockerfile by ryanhall07 · Pull Request #10308 · fluent/fluent-bit

ryanhall07 · 2025-05-07T17:40:05Z

This shared library is needed for users of the kafka plugin + kerberos+gssapi.

Without they get the error

sasl_[ssl://xxxxxxxxnet:6668/bootstrap](ssl://xxxxxxxxnet:6668/bootstrap): Cyrus/libsasl2 is missing a GSSAPI module: make sure the libsasl2-modules-gssapi-mit or cyrus-sasl-gssapi packages are installed

Fixes #10240

Enter [N/A] in the box, if an item is not applicable to your change.

Testing
Before we can approve your change; please submit the following in a comment:

[ N/A] Example configuration file for the change
[ N/A] Debug log output from testing the change

[N/A ] Attached Valgrind output that shows no leaks or memory corruption was found

If this is a change to packaging of containers or native binaries then please confirm it works for all targets.

[ N/A] Run local packaging test showing all targets (including any new ones) build.
[ N/A] Set ok-package-test label to test for all targets (requires maintainer to do).

Documentation

[ N/A] Documentation required for this feature

Backporting

[ N/A] Backport to latest stable release.

Fluent Bit is licensed under Apache 2.0, by submitting this pull request I understand that this code will be released under the terms of that license.

niedbalski · 2025-05-08T07:07:20Z

@ryanhall07 Before I can merge. Please follow the contribution guidelines https://github.com/fluent/fluent-bit/blob/master/CONTRIBUTING.md#commit-changes for the commit message. Use dockerfile: xxx.

patrick-stephens · 2025-05-08T10:33:22Z

We should really update the sanity tests as well to start verifying these runtime dependencies ideally too.

patrick-stephens · 2025-05-08T10:35:24Z

Does this resolve #10240? Are there any others we should add now?

patrick-stephens · 2025-05-08T12:57:50Z

dockerfiles/Dockerfile

    libpsl5 \
    libbrotli1 \
    libsasl2-2 \
+    libsasl2-modules-gssapi-mit \


I presume this requires no additional build time dependencies?

No, builds work fine without anything additional and with this flb finds the library

edsiper · 2025-05-09T20:13:23Z

to get this merged we need the change mentioned in #10308 (comment)

stoksc · 2025-06-02T21:34:59Z

@edsiper @niedbalski I've updated the commit to match expectations.

patrick-stephens · 2025-06-03T10:59:51Z

I would like to really see some tests to be honest around preventing regressions, whacking in random libraries without them makes it hard to later know/verify why those libraries are present. Can we add a build time check potentially in cmake to test for presence or some other simple dry-run approach that will verify loading the library to ensure it is present?

e.g. a config like #10240 (comment) can be used to exercise at least the library loading.

stoksc · 2025-06-06T16:15:06Z

@patrick-stephens I will try to add a simple test.

FWIW, I have a true end to end test for this that runs Kafka and Kerberos that works, but it is complicated.

Give me a moment to digest some stuff and clean this up and I'll ping back for review. It isn't ready yet, sorry.

stoksc · 2025-06-06T16:32:24Z

A question though, why is there so much divergence between production and debug's packages?

stoksc · 2025-06-06T19:48:01Z

I had to unwind the changes to the production target because distroless doesn't have a shell and librdkafka uses the system call to invoke kinit.

patrick-stephens · 2025-06-11T09:47:25Z

A question though, why is there so much divergence between production and debug's packages?

Debug needs a lot of things to help you debug things, production should only have what is required to run. In addition, "just" adding a shell and package managers requires another entire stack of dependencies - one of the reasons for distroless.

libsasl2-modules-gssapi-mit is needed by librdkafka to use the following configurations for authentication with Kafka: ``` rdkafka.security.protocol SASL_SSL rdkafka.sasl.mechanism GSSAPI ``` krb5-user is needed by librdkafka to invoke `kinit` to obtains ticket-granting tickets These changes _cannot_ be added to the production image target because librdkafka uses the `system` call to invoke `kinit`, the distroless base does not have a shell, and we are not going to add it. Signed-off-by: Ryan Hall <ryanhall07@gmail.com> Signed-off-by: Bradley Laney <bradley.laney@chronosphere.io>

stoksc · 2025-07-09T13:31:04Z

@patrick-stephens lost this for a bit, is there an existing example of a test like that?

patrick-stephens · 2025-07-09T14:41:39Z

We have the integration tests if that's the only way but was hoping a simple dry run should work

github-actions bot added the docs-required label May 7, 2025

ryanhall07 force-pushed the rhall-gssapi-distroless branch from 28a19ec to b14b665 Compare May 7, 2025 17:45

ryanhall07 marked this pull request as ready for review May 7, 2025 17:53

ryanhall07 requested review from celalettin1286, niedbalski and patrick-stephens as code owners May 7, 2025 17:53

niedbalski previously approved these changes May 8, 2025

View reviewed changes

patrick-stephens added packaging and removed docs-required labels May 8, 2025

patrick-stephens reviewed May 8, 2025

View reviewed changes

edsiper added this to the Fluent Bit Next milestone May 9, 2025

stoksc force-pushed the rhall-gssapi-distroless branch from b14b665 to 3805046 Compare June 2, 2025 21:18

stoksc force-pushed the rhall-gssapi-distroless branch from 3805046 to e2efeed Compare June 6, 2025 16:12

stoksc force-pushed the rhall-gssapi-distroless branch from e2efeed to 13df210 Compare June 6, 2025 19:45

stoksc force-pushed the rhall-gssapi-distroless branch from 13df210 to 0c15cc5 Compare July 9, 2025 13:29

ryanhall07 dismissed niedbalski’s stale review via 0c15cc5 January 26, 2026 22:33

Conversation

ryanhall07 commented May 7, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

niedbalski commented May 8, 2025

Uh oh!

patrick-stephens commented May 8, 2025

Uh oh!

patrick-stephens commented May 8, 2025

Uh oh!

patrick-stephens May 8, 2025

Choose a reason for hiding this comment

Uh oh!

stoksc Jul 9, 2025

Choose a reason for hiding this comment

Uh oh!

edsiper commented May 9, 2025

Uh oh!

stoksc commented Jun 2, 2025

Uh oh!

patrick-stephens commented Jun 3, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

stoksc commented Jun 6, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

stoksc commented Jun 6, 2025

Uh oh!

stoksc commented Jun 6, 2025

Uh oh!

patrick-stephens commented Jun 11, 2025

Uh oh!

stoksc commented Jul 9, 2025

Uh oh!

patrick-stephens commented Jul 9, 2025

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

5 participants

ryanhall07 commented May 7, 2025 •

edited

Loading

patrick-stephens commented Jun 3, 2025 •

edited

Loading

stoksc commented Jun 6, 2025 •

edited

Loading