[DSR] - RHEL 9 x64 #17548
RHEL 9 uses OpenSSL 3, which is causing issues when using the current RHEL 8 release of PowerShell.

```dockerfile
FROM quay.io/centos/centos:stream9
RUN curl https://packages.microsoft.com/config/rhel/8/prod.repo | tee /etc/yum.repos.d/microsoft.repo \
&& dnf -y upgrade --refresh \
&& dnf -y install powershell \
&& pwsh -Command "Install-Module -Name AzTable -Force"
ENTRYPOINT ["/usr/bin/env"]
```

Note that it does not matter which module. They all fail with the following error message:
With verbose output, we get a little more detail and it becomes clear where the issue is:
This does not only affect PowerShell Gallery, but it is easy to reproduce this way.
This version has since been removed from the DNF repo, which leaves us unable to build a container based on RHEL 9 / CentOS Stream 9. |
I've just done some more testing and PowerShell supports OpenSSL 3 for me. It just uses the functionality in dotnet which has been in place since .NET 6 (what pwsh 7.2.x uses) dotnet/runtime#46526. What is interesting is that this works in the test container

```
Invoke-WebRequest https://httpbin.org/get
```

But this does not (what Install-Module is calling)

```
Invoke-WebRequest https://www.powershellgallery.com/api/v2/package/AzTable/2.1.0
# Invoke-WebRequest: The remote certificate is invalid because of errors in the certificate chain: NotSignatureValid
```

I've also verified that the OpenSSL 3.x libs are loaded in the process and it's not picking up any other ones that might be in the path

```
PS /> get-content /proc/$pid/maps | select-string 'libssl*'
7f491121f000-7f491123d000 r--p 00000000 00:21 5069468 /usr/lib64/libssl.so.3.0.1
7f491123d000-7f4911299000 r-xp 0001e000 00:21 5069468 /usr/lib64/libssl.so.3.0.1
7f4911299000-7f49112b6000 r--p 0007a000 00:21 5069468 /usr/lib64/libssl.so.3.0.1
7f49112b6000-7f49112c0000 r--p 00096000 00:21 5069468 /usr/lib64/libssl.so.3.0.1
7f49112c0000-7f49112c4000 rw-p 000a0000 00:21 5069468 /usr/lib64/libssl.so.3.0.1
```

What is interesting is that |
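The check in the comment above (confirming which libssl the pwsh process has mapped) can be extended to flag a second OpenSSL copy or mismatched libssl/libcrypto versions. This is an added example, not part of the thread or of PowerShell itself; the function names, the libcrypto line and the `/opt/legacy` path are constructed for illustration.

```powershell
# Added example (not from the thread). Groups the OpenSSL objects found in
# /proc/<pid>/maps text so that a second, unexpected copy stands out.
function Get-MappedOpenSsl {
    param([Parameter(Mandatory)][string[]]$MapsLine)
    # maps columns: address-range perms offset dev inode pathname
    $rx = '^\S+\s+(?<perms>\S{4})\s+\S+\s+\S+\s+\d+\s+(?<path>/(?:\S*/)?(?<lib>libssl|libcrypto)\.so\.(?<ver>[\d.]+))\s*$'
    $rows = @(foreach ($line in $MapsLine) {
        if ($line -match $rx) {
            [pscustomobject]@{
                Library = $Matches.lib
                Version = $Matches.ver
                Path    = $Matches.path
                Exec    = $Matches.perms.Contains('x')
            }
        }
    })
    $rows | Group-Object Path | ForEach-Object {
        $first = $_.Group[0]
        [pscustomobject]@{
            Library  = $first.Library
            Version  = $first.Version
            Path     = $_.Name
            Segments = $_.Count                           # mapped regions for this file
            HasCode  = [bool]($_.Group | Where-Object Exec)
        }
    }
}

function Test-SingleOpenSsl {
    param([Parameter(Mandatory)][string[]]$MapsLine)
    $libs = @(Get-MappedOpenSsl -MapsLine $MapsLine)
    # Expected state: one path per library and one major version overall.
    $majors = @($libs | ForEach-Object { $_.Version.Split('.')[0] } | Sort-Object -Unique)
    $dupes  = @($libs | Group-Object Library | Where-Object Count -gt 1)
    ($libs.Count -gt 0) -and ($majors.Count -eq 1) -and ($dupes.Count -eq 0)
}

# Constructed sample: the first two lines are from the output quoted above;
# the libcrypto and /opt/legacy lines are made up for illustration.
$sample = @(
    '7f491121f000-7f491123d000 r--p 00000000 00:21 5069468 /usr/lib64/libssl.so.3.0.1'
    '7f491123d000-7f4911299000 r-xp 0001e000 00:21 5069468 /usr/lib64/libssl.so.3.0.1'
    '7f4910e00000-7f4910eb2000 r-xp 000b0000 00:21 5069470 /usr/lib64/libcrypto.so.3.0.1'
    '7f4910a00000-7f4910a60000 r-xp 0001c000 00:21 6001234 /opt/legacy/lib/libssl.so.1.1'
)
Get-MappedOpenSsl -MapsLine $sample | Format-Table -AutoSize
Test-SingleOpenSsl -MapsLine $sample          # all four lines, including the second libssl
Test-SingleOpenSsl -MapsLine $sample[0..2]    # only the 3.0.1 libssl/libcrypto pair
```

Against a live process, pass `(Get-Content /proc/$PID/maps)` as `-MapsLine`.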
Thank you for investigating! You are right that it seems like not all SSL connections are affected, but it is definitely not exclusive to Install-Module. I believe (although I can't verify it at the moment) Invoke-Command with a Windows host as a target was also affected. PowerShell seems to at least try to use the installed openssl, but it seems like newer versions are causing issues (hence our workaround by locking it to an older one). |
Yea I’ll have to try and investigate it some more, the latest pwsh preview which is based on dotnet 7 should be good but it also has problems. There’s something up with the cert that the PSGallery uses which is acting differently in OpenSSL 3. All this happens in dotnet and it’s not really controlled by PowerShell but it is definitely something that should be investigated and fixed if need be. |
This still gives me the same error:

```dockerfile
FROM quay.io/centos/centos:stream9
RUN curl https://packages.microsoft.com/config/rhel/8/prod.repo | tee /etc/yum.repos.d/microsoft.repo \
&& dnf -y upgrade --refresh \
&& dnf -y install powershell-preview \
&& pwsh-preview -Command "Install-Module -Name AzTable -Force -Verbose"
ENTRYPOINT ["/usr/bin/env"]
```
|
mark , I will update the one-click install script as soon as the rpm package is available in package.microsoft.com. one-click install powershell on linux |
Just for the record: I just tested it with the new 7.2.5 release and still get the same error. |
It seems like there were (are?) some more issues related to openssl and RHEL 9. For example dotnet/runtime#70343. It seems like this particular fix was merged into .Net 6.0.7. Not sure which version the current release is using, but I suppose it's probably a little older. |
That does seem quite relevant, considering it was only merged 13 days ago I would be surprised if 7.2.x has been updated to 6.0.7 (6.0.6 is also the latest in the GH releases page). |
I don't suppose there is any way to find out if this fixes the issue by trying to build PowerShell against this unreleased .NET version, is there? 😄 We are currently stuck without a working PowerShell on RHEL 9... For what it's worth

```
Invoke-WebRequest https://pkgs.dev.azure.com
# Invoke-WebRequest: The remote certificate is invalid because of errors in the certificate chain: NotSignatureValid
```

Which indicates that there are probably a lot more sites and services that don't work either. Dockerfile for reference:

```dockerfile
FROM quay.io/centos/centos:stream9
RUN curl https://packages.microsoft.com/config/rhel/8/prod.repo | tee /etc/yum.repos.d/microsoft.repo \
&& dnf -y upgrade --refresh \
&& dnf -y install powershell \
&& pwsh -Command "Invoke-WebRequest https://pkgs.dev.azure.com"
ENTRYPOINT ["/usr/bin/env"]
```

|
If you can get a compiled build of dotnet including that version you should be able to replace the dll's for it in pwsh itself. There's a lot in there so it's not just a simple thing to do unless you know what to change unfortunately. |
It looks like v7.3.0-preview.5 fixes the problem, which would hopefully mean that the backport to .NET 6 also fixes it. In the meantime, I will have to see if we can work with the preview version for now. |
.NET 6.0.7 was just released: https://github.com/dotnet/runtime/releases/tag/v6.0.7 Release
|
7.2.6 seems to have resolved the OpenSSL issues. |
Is there anything missing now to get the package in the RHEL 9 prod (|insider-(slow|fast) repo? |
@jborean93 (Sorry for pinging) |
Hello, do we have an update on this, any ETA of full PowerShell support for RHEL9 distribs? Thank you! |
Hello, Same question here. When will RedHat Enterprise Linux 9 be officially supported? We have a pending project that requires Powershell on this operating system. Thanks |
Hello, according to the Table at Best regards, |
Hello, Thanks for the information. However there doesn't seem to be a Microsoft repository for RHEL 9. The URL https://packages.microsoft.com/config/rhel/9/prod.repo doesn't exist and I don't know if I should use the RHEL 8 URL. Edit: Best regards, |
Hi, yes, you're absolutely right. I used the RHEL 8 Repo URL on RHEL 9 and so far I did not run into issues. But it would be much better and cleaner if the RHEL 9 Repo contained the PowerShell Package. Even if the RPM-File is identical (e.g. I compared the sha256sum of the RPM-Package from the MS RHEL 7 Repo with the RPM-Package from the MS RHEL 8 Repo and they're identical), the proper way to be able to maintain the Package on RHEL 9 would be the use of the RHEL 9 Repo. Best regards, |
As far as I can see since 7.2.14 / 7.3.7 the packages are sent to the repo, thank you so much for making our lives easier! |
This package is now available at PMC. For more information see the PMC Readme: We are still working on the docker image pipeline. I will post an update when we have published |
The RHEL 9 distribution is released to PMC and MCR. |
📣 Hey @hanneshayashi, how did we do? We would love to hear your feedback with the link below! 🗣️ 🔗 https://aka.ms/PSRepoFeedback |
Name of the Distribution
RHEL
Version of the Distribution
9
Package Types
Processor Architecture
x86_64
.NET Core Support
Distribution Requirements
Exemption Justification
No response
Progress
For PowerShell Team ONLY
packages.microsoft.com
deployment