pfSense

I think just installing all necessary package binaries in a specific folder with pkg_add will solve the issue.
It just needs to install them in a specific folder and needs to teach ldconfig where to find the libraries.

Kind of chroot'ing packages.

I added some protection between packages but it is still not enough

Well i did a lot of testing today on this.
The only plausible option is to hardlink /usr/local/lib files that ship with base pfsense to /usr/$somedir and provide this path to ldconfig so programs find the libraries even in this folder or during package removal we check if the library is present in this folder and get done with it.

The other options are quite intrusive since involve makeing $PREFIX changed in package builds pfSense pacakages code and putting $PREFIX to some other dir. This is quite safer and works but too much work for 2.0 and to support later on.

for instance:

removing squid is breaking several part of the box. At least, racoon does not work anymore, because of "missing" (????) shared library:

# ldd /usr/local/sbin/racoon
/usr/local/sbin/racoon:
       libipsec.so.0 => /usr/local/lib/libipsec.so.0 (0x28108000)
       libutil.so.8 => /lib/libutil.so.8 (0x28115000)
       libreadline.so.6 => /usr/local/lib/libreadline.so.6 (0x28124000)
       libcrypt.so.5 => /lib/libcrypt.so.5 (0x28158000)
       libradius.so.4 => /usr/lib/libradius.so.4 (0x28171000)
       libldap-2.4.so.7 => /usr/local/lib/libldap-2.4.so.7 (0x28177000)
       liblber-2.4.so.7 => /usr/local/lib/liblber-2.4.so.7 (0x281b4000)
       libssl.so.6 => /usr/lib/libssl.so.6 (0x281c0000)
       libcrypto.so.6 => /lib/libcrypto.so.6 (0x28208000)
       libc.so.7 => /lib/libc.so.7 (0x28363000)
       libncurses.so.8 => /lib/libncurses.so.8 (0x2847d000)
       libsasl2.so.2 => not found (0x0)
       libssl.so.7 => not found (0x0)
       libcrypto.so.7 => not found (0x0)

However, before installing squid :

# ldd /usr/local/sbin/racoon
/usr/local/sbin/racoon:
       libipsec.so.0 => /usr/local/lib/libipsec.so.0 (0x28108000)
       libutil.so.8 => /lib/libutil.so.8 (0x28115000)
       libreadline.so.6 => /usr/local/lib/libreadline.so.6 (0x28124000)
       libcrypt.so.5 => /lib/libcrypt.so.5 (0x28158000)
       libradius.so.4 => /usr/lib/libradius.so.4 (0x28171000)
       libldap-2.4.so.7 => /usr/local/lib/libldap-2.4.so.7 (0x28177000)
       liblber-2.4.so.7 => /usr/local/lib/liblber-2.4.so.7 (0x281b2000)
       libssl.so.6 => /usr/lib/libssl.so.6 (0x281be000)
       libcrypto.so.6 => /lib/libcrypto.so.6 (0x28206000)
       libc.so.7 => /lib/libc.so.7 (0x28361000)
       libncurses.so.8 => /lib/libncurses.so.8 (0x2847b000)

Installing squid installs an extra openssl packages, and racoon starts to link with libraries inside this package. When removing squid, this openssl packages is removed and racoon becomes broken.

I do not know how the dynamic linker is working with freebsd. I suspect something is missing (linux equivalent to ldconfig -a) during the removal, to reconfigure the dynamic linker. If you have any pointers, I will try to fix it.

This also apply to some php modules :

PHP Warning:  PHP Startup: Unable to load dynamic library '/usr/local/lib/php/20060613/ldap.so' - Shared object "libsasl2.so.2" not found, required by "libldap-2.4.so.7" in Unknown on line 0
*** Welcome to pfSense 2.0-BETA5-pfSense (i386) on fwyul ***

I added a ldconfig call to rebuilt the lib caches 'just in case'.

Uninstalling the ntop package results in the removal of rrdtool, possibly others as it does have a long list of dependencies. After removing the ntop package you'll see the following messages in your system logs when you attempt to view your rrdgraphs. I was able to get the rrdgraphs to work again by reinstalling the ntop package.

php: /status_rrd_graph_img.php: 
   Failed to create graph with error code 127, the error is:   
   nice: /usr/local/bin/rrdtool: No such file or directory/usr/bin/nice -n20 /usr/local/bin/rrdtool graph ...

I just committed a change that should hopefully preserve rrdtool. Please test the next snapshot run.

I finally had a opportunity to update my pfSense install at work. And the rrdtool issue with uninstalling the ntop package is fixed.

Thanks

I've installed/uninstalled quite a few packages and the only way I have managed to break the system is if I use pkg_delete by hand from the command prompt, which is something we can't really protect against (without relocating where all the packages install to...)

I think what we have here now is likely good enough for 2.0, and we could revisit the relocation/PBI methods for 2.1+.

I belive this bug still exist.

I've recently installed and subsequently removed a few packages for testing purposes. After a reboot I was no longer able to login on the WebConsole with any user besides admin. That happened because after reboot the php ldap module failed to load.

Here is the error taken from /tmp/PHP_errors.log:

[12-Jul-2012 21:40:50] PHP Warning: PHP Startup: Unable to load dynamic library '/usr/local/lib/php/20060613/ldap.so' - Shared object "libsasl2.so.2" not found, required by "libldap-2.4.so.8" in Unknown on line 0

As you can see libsasl2 is missing.

And without the ldap module loaded the getAllowedPages function in /etc/inc/priv.inc will return prematurely. Here is a code excerpt of the function:

249 function getAllowedPages($username) {
250 global $config, $_SESSION;
251
252 if (!function_exists("ldap_connect"))
253 return;

I've installed and removed many packages and don't know which one exactly caused the problem. I think it was squid but Im not 100% sure.

Im sorry, I didn't mention that it happened on 2.0.1-RELEASE (amd64)

The real fix here is already in 2.1 -- we've moved to PBI based packages that are completely self-contained/isolated, and cannot harm system libraries.