Foxy support

[mikaelarguedas]

Security demos work on Ubuntu Bionic but fail on Focal.
This ticket is to aggregate findings about what need to change ahead of Foxy release.

Current state:

Code to test talker listener

docker run -it --rm osrf/ros2:nightly
source /opt/ros/foxy/setup.bash 
mkdir ~/sros2_demo
cd ~/sros2_demo
export ROS_SECURITY_ROOT_DIRECTORY=~/sros2_demo/demo_keys
export ROS_SECURITY_ENABLE=true
export ROS_SECURITY_STRATEGY=Enforce
ros2 security create_keystore demo_keys
ros2 security create_key demo_keys /talker
ros2 security create_key demo_keys /listener
ros2 launch demo_nodes_cpp talker_listener.launch.xml 

• FastRTPS fails: Likely due to a lack of support of OpenSSL 1.1.1d, asked at Question: does Fast-RTPS support OpenSSL 1.1.1d ? [8117] eProsima/Fast-DDS#1087
  • FastRTPS own Security examples without any ROS or sros2 involved already fail

Error message

[talker-1] 2020-03-23 15:26:26.045 [SECURITY_AUTHENTICATION Error] OpenSSL library cannot set peer (/home/jenkins-agent/workspace/packaging_linux/ws/src/eProsima/Fast-RTPS/src/cpp/security/authentication/PKIDH.cpp:1041) -> Function on_process_handshake

• CycloneDDS fails: maybe openSSL support ?
  - not sure how to do standalone security testing for Cyclone

Works as of eclipse-cyclonedds/cyclonedds#446

• RTI Connext: works: connext ships it's own (EOL...) OpenSSL 1.0.2 (support hypothesis of OpenSSL version being the culprit)

---

OpenSSL version:

If it was an openSSL version support issue, rolling distributions like Windows and Macos should have allowed us to catch it earlier..

Windows is using 1.0.2u apparently, https://github.com/ros2/ci/blob/3ec2369bd0ddc04e80b9fadab272abcd46e08b64/windows_docker_resources/Dockerfile.msvc2019#L20 so it's normal it didnt catch any error

on MacOS there seem to be tests failing for a long time, need to track down if it worked with openssl 1.1.1 at some point

[mikaelarguedas]

As of eclipse-cyclonedds/cyclonedds#446 Cyclone works for me

[kyrofa]

Ah, excellent! We'll hope to hear back from Fast RTPS soon.

[mikaelarguedas]

	Ubuntu Focal	MacOS	Windows	Issues/Fixes
Fast-RTPS	✔️	✔️	✔️	eProsima/Fast-DDS#1087 ros2/system_tests#415
Connext	✔️	✔️	❌	ros2/system_tests#409
CycloneDDS	⏳	⏳	⏳	ros2/system_tests#408 ros2/rmw_cyclonedds#123 eclipse-cyclonedds/cyclonedds#132
		ros2/build_farmer#269 ros2/ci#436	ros2/ci#421 ros2/system_tests#433 ros2/ci#454

[clalancette]

To try and summarize the state a bit as of today:

• Question: does Fast-RTPS support OpenSSL 1.1.1d ? [8117] eProsima/Fast-DDS#1087 - I believe this is "done" from eProsima's point-of-view. It failed some of the tests on macOS, but all of those failures were of the form:

[test_publisher-1] >>> [rcutils|error_handling.c:108] rcutils_set_error_state()
[test_publisher-1] This error state is being overwritten:
[test_publisher-1] 
[test_publisher-1]   'SECURITY ERROR: directory 'NOTFOUND/enclaves/publisher' does not exist., at /Users/osrf/jenkins-agent/workspace/ci_osx/ws/src/ros2/rcl/rcl/src/rcl/security.c:196'
[test_publisher-1] 
[test_publisher-1] with this new error message:
[test_publisher-1] 
[test_publisher-1]   'provided event_type is not supported by rmw_fastrtps_cpp, at /Users/osrf/jenkins-agent/workspace/ci_osx/ws/src/ros2/rmw_fastrtps/rmw_fastrtps_shared_cpp/src/rmw_event.cpp:59'
[test_publisher-1] 
[test_publisher-1] rcutils_reset_error() should be called after error handling to avoid this.
[test_publisher-1] <<<

That suggests to me a failure on the ROS 2 side, but please correct me if I'm wrong.

• Make Connext use Connext's openssl on all platforms system_tests#409 - merged
• Run test_security on CycloneDDS as well system_tests#408 - enables more tests, but maybe we should hold off on this until we get the others under control
• Enable use of Cyclone DDS security features rmw_cyclonedds#123 - merged
• non-EOL openssl on windows ci#421 - needs to be tested in Debug mode to see if it works
• Use OpenSSL 1.0.2 for Connext on MacOS ci#436 - being worked on by @sloretz
• test_security tests failing with Connext on OS X build_farmer#269 - just a repetition of the above

[mikaelarguedas]

Few clarifications:

• Question: does Fast-RTPS support OpenSSL 1.1.1d ? [8117] eProsima/Fast-DDS#1087 - I believe this is "done" from eProsima's point-of-view. It failed some of the tests on macOS, but all of those failures were of the form:

The error message you point to are expected and part of passing tests (the tests that check that we can do non-secure communication in case of artifacts not found). The failing tests are the ones doing secure communication and they just timeout without printing much information in the console output

Also this change has not been tested on windows with a recent openssl that I know of so we don't know if it works on Windows or not. I commented at ros2/system_tests#415 (comment)

I added ros2/system_tests#415 to the Fast-RTPS line of the matrix to reflect the fact that we don't have the tests enabled yet

• Run test_security on CycloneDDS as well system_tests#408 is blocked on upstream to merge the security features into the version used for Foxy

• non-EOL openssl on windows ci#421 - needs to be tested in Debug mode to see if it works

This one doesnt pass in release mode either. It must be related to the content of these openssl archives : https://github.com/ros2/ci/blob/a0dc67363a62d43739775d0319ff9b524fdd442c/windows_docker_resources/Dockerfile.msvc2019#L106
But I don't think they've ever been used in the past as the environment variable doesn't have the right name in the dockerfile and was not used for windows prior to ros2/system_tests#409.

So it needs to be investigated in Release mode, and once that works we'll likely need to point to a different directory when building in debug mode.

ros2/ci#436 - being worked on by

❤️

[kyrofa]

@mikaelarguedas would it be worth adding eclipse-cyclonedds/cyclonedds#132 to the matrix above for CycloneDDS?

[mikaelarguedas]

mikaelarguedas would it be worth adding eclipse-cyclonedds/cyclonedds#132 to the matrix above for CycloneDDS?

Sure thing, updated the comment accordingly

[ros-discourse]

This issue has been mentioned on ROS Discourse. There might be relevant details there:

https://discourse.ros.org/t/ros-2-tsc-meeting-minutes-2020-05-21/14247/1

[mikaelarguedas]

closing as way out of date. There may be some matrix cells still not supported.