Unable to list readers inside flatpak, when pcscd runs on host. #118
Comments
|
In the two logs I see that you NEVER introduced a smart card in the HP reader. Note that |
Don't know what to say to that. This has been my daily driver since 2018. Both readers get used regularly by apps loaded directly on the host with a package manager. There wasn't a card in the reader at the time of the test, but the client software can't even find the readers (when run in a container), much less cards in the reader. It's operation from within containers that's an issue.
The slots are listed regardless of whether a card is inserted. The error is that inside the flatpak, no slots are listed, whereas on the host, they show up as they should. On the host: In the flatpak: I agree there is nothing that says "ERROR" in the logs, and always running pcscd on the host results in correct discovery of the hardware. But clients of the pcscd daemon are not doing the expected thing when the client runs inside a container (docker, flatpak, etc.) while the server is on the host.
|
|
I will also try to play with flatpak but I don't know when. |
|
Ok. Updated the exemplar flatpak with |
|
The error code 0x53204253 is very very strange. I will try to reproduce the issue on my side. |
|
Looks like it's this call that causes the bad/mystery return value: |
|
I just wrote this But I have no idea where the value 0x53204253 comes from. Can you provide a pcscd log as described in https://pcsclite.apdu.fr/#support ? |
|
"Mixing" 32 and 64 bits should only become an issue if something other than messages were traversing the socket. But I'll check: I made a new pcscd log here: pcsc_scan_log.txt I'll try building your flatpak to see if that fixes things. |
|
No joy. Building your flatpak leads to: I made a pcscd log for this too: The only difference I can see is that my build line included |
|
I see from your logs that you started the flatpak container "many" times. Exact? Do you use custom build of pcsc-lite on the host? |
Not during the course of a single log file. For each trial, I started pcscd on the host, there was a bunch of output, then I started the container once, observed the error message, then hit ^C on pcscd in the terminal. The actual output from the container is pretty far down in the file. Not sure exactly what else on the system is talking to pcscd, but it includes at least the instance of Google Chrome I'm using to update this issue.
|
|
I found the problem. I extracted the patch from the package sources https://fedora.pkgs.org/35/fedora-updates-x86_64/pcsc-lite-libs-1.9.5-1.fc35.x86_64.rpm.html diff -up ./src/PCSC/pcsclite.h.in.readers_32 ./src/PCSC/pcsclite.h.in
--- ./src/PCSC/pcsclite.h.in.readers_32 2018-08-20 16:02:17.708302410 -0700
+++ ./src/PCSC/pcsclite.h.in 2018-08-20 16:02:49.462500967 -0700
@@ -281,7 +281,7 @@ extern const SCARD_IO_REQUEST g_rgSCardT
#define PCSCLITE_VERSION_NUMBER "@VERSION@" /**< Current version */
/** Maximum readers context (a slot is count as a reader) */
-#define PCSCLITE_MAX_READERS_CONTEXTS 16
+#define PCSCLITE_MAX_READERS_CONTEXTS 48
#define MAX_READERNAME 128
diff -up ./src/PCSC/pcsclite.h.readers_32 ./src/PCSC/pcsclite.h
--- ./src/PCSC/pcsclite.h.readers_32 2018-08-20 16:02:30.993385481 -0700
+++ ./src/PCSC/pcsclite.h 2018-08-20 16:03:00.061567242 -0700
@@ -281,7 +281,7 @@ extern const SCARD_IO_REQUEST g_rgSCardT
#define PCSCLITE_VERSION_NUMBER "1.9.5" /**< Current version */
/** Maximum readers context (a slot is count as a reader) */
-#define PCSCLITE_MAX_READERS_CONTEXTS 16
+#define PCSCLITE_MAX_READERS_CONTEXTS 48
#define MAX_READERNAME 128You need to apply the same patch on pcsc-lite inside the flatpak container. |
|
Does this patch included in server break compatibility with all clients which use pcsc without the patch? If yes then does it also break them in the opposite way (server unpatched, client patched)? |
|
You totally rock! I updated my simple flatpak with the patch from the Fedora RPMS and behold: You totally solved my problem / answered my question, so I'll close this! But we did expose something that may be common in the context of containers, be they flatpaks, docker containers, or other: it's going to be common to be running code packaged differently outside a container vs within. Should we open a separate feature request to make the client/server libraries robust against a peer which has different constants defined? Perhaps the message length could be used as an indicator to detect this problem and fail gracefully, or recover what is possible to recover? Thanks again for all your help!! |
If the option -v|--version is used then pcscd displays 2 constant values: MAX_READERNAME & PCSCLITE_MAX_READERS_CONTEXTS It is interesting to display PCSCLITE_MAX_READERS_CONTEXTS because Fedora includes a patch to increase the value from 16 (default) to 48. This change will help diagnose problems like Fedora + flatpak #118
The message length is NOT exchanged between the server and the client. This is (was) not needed since both sides know the length. If the client tries to read more data than the server sent then the client will be blocked. This would be the case with a Fedora client talking to an unpatched server. I could improve the protocol to make it more robust. But then I would have to change the protocol version and we would have protocol mismatch errors like in flatpak/flatpak#4066 again. Maybe not the best idea. |
|
Does fedora patch make sense to be added to upstream pcsc? |
|
@Erick555 I don't think so. |
|
I do like the notion of using a list instead of a static array, as mentioned in your blog post. Without a list, any decision about a maximum number of readers is final, and will eventually lead to patches like the fedora one, or like the 96 smartcard reader post you link to. A list lets everyone use what they have, whatever that is. Protocol mismatch errors are not precisely the issue. A lack of backwards compatibility is the issue, which in this case seems pretty easy to manage. There's already a rudimentary protocol negotiation phase of the connection. What is necessary is that an outcome other than "my way or the highway" becomes possible. For instance, I can view older webpages in an HTML 5 compatible browser, and I can connect to postgresql database servers with newer or older clients. After they agree on what procotol they're going to speak, they start speaking it. In this case, nearly everything between the current protocol and the posited future protocol is the same, but the transfer of lists of readers becomes a transfer of the list of detected readers, rather than just blindly flushing a buffer of unknown fullness down the socket and assuming that the remote side has the same size buffer as the local side. The current state of affairs is that we have uncovered an error condition which is not handled gracefully. Providing something other than a core dump and an impossible error code would be ideal. I think the mechanism to detect and report this error condition would also make this issue moot and handle these differences as a matter of course...so there's that. It's also possible we can file an issue with the Fedora packagers to ask that they consider a different means of supporting the high-smart card reader crowd. |
|
Entered a bugzilla for this, stating the choice and referring the packagers back to this issue and your well-written blog. Cross fingers we'll see what they say. |
|
Heya, still kinda got the issue, sadly. The host is fedora37, for the flatpak the patch is applied. The error code is a different one, though: EDIT: Nevermind, had the patch file accidentally in the long location so it wasn't loaded. But now it is working! |
Versions
/usr/sbin/pcscd --versionPlatform
Issue
pkcs11-tool -Lfrom the host as well as inside a simple exemplar flatpak container. (see Smart Card Support flatpak/flatpak#4723)This seems similar to the OP's problem on #59--where no full log was ever posted--in that the daemon and the clients are running in different namespaces. The subsequent discussion apparently resulted in a situation where the daemon and the clients both ran inside the docker container, and direct access to the USB device was provided to the daemon running inside the container.
Log
Two logs are produced:
The text was updated successfully, but these errors were encountered: