Univention Bugzilla – Bug 44146
Old apache 2.2 config files break access to portal and UMC
Last modified: 2017-04-04 18:28:54 CEST
We experienced the following issues internally with the update of billy. After the update, the users were not redirected to /univention/portal (but instead to /simplesamlphp/...). Also access to English translation JSON files resulted in tracebacks in umc-web-server.log.

The reason for this was various apache2 config files which have been renamed; however, neither were they removed in /etc/apache2/sites-available nor were their symlinks in sites-enabled removed. Here is the content of sites-available after the update (custom conffiles have been removed from the list):
---------- 8< ----------
-rw-r--r-- 1 root root 728 Mär 29 22:50 000-default.conf
-rw-r--r-- 1 root root 722 Mär 2 01:04 000-default.conf.debian
-rw-r--r-- 1 root root 1332 Jul 5 2016 000-default.conf.dpkg-new
[...]
-rw-r--r-- 1 root root 1167 Nov 11 2005 default
-rw-r--r-- 1 root root 692 Jun 7 2012 default.debian.dpkg-dist
-rw-r--r-- 1 root root 1181 Okt 23 2007 default.dpkg-dist
-rw-r--r-- 1 root root 7251 Jun 7 2012 default-ssl
-rw-r--r-- 1 root root 1398 Mär 29 22:50 default-ssl.conf
-rw-r--r-- 1 root root 1352 Mär 2 01:04 default-ssl.conf.debian
-rw-r--r-- 1 root root 6437 Jul 20 2016 default-ssl.conf.dpkg-new
[...]
-rw-r--r-- 1 root root 3735 Mär 29 22:02 univention.conf
-rw-r--r-- 1 root root 912 Nov 11 2011 univention-directory-manager
-rw-r--r-- 1 root root 555 Mär 29 22:06 univention-directory-manager.conf
[...]
-rw-r--r-- 1 root root 3491 Dez 15 01:11 univention-management-console
-rw-r--r-- 1 root root 577 Mär 24 2011 univention-management-console-system-info
-rw-r--r-- 1 root root 2165 Mär 29 22:02 univention-proxy.conf
-rw-r--r-- 1 root root 1755 Mär 29 21:20 univention-saml.conf
[...]
---------- 8< ----------

And here is the content of sites-available:
---------- 8< ----------
drwxr-xr-x 2 root root 4096 Mär 29 22:02 000-default.d
-rw-r--r-- 1 root root 1311 Nov 19 2013 default
drwxr-xr-x 2 root root 4096 Mär 29 22:02 default.d
drwxr-xr-x 2 root root 4096 Mär 29 22:02 ssl.d
-rw-r--r-- 1 root root 3936 Mär 29 12:51 univention.conf
-rw-r--r-- 1 root root 109 Sep 9 2016 univention-directory-manager.conf
-rw-r--r-- 1 root root 122 Mär 9 2010 univention-management-console-system-info
-rw-r--r-- 1 root root 2005 Mär 29 13:18 univention-proxy.conf
-rwxr-xr-x 1 root root 2213 Mär 7 17:29 univention-saml.conf
---------- 8< ----------

We needed to remove various old symlinks and call a2ensite for various new configs. The following commands brought the system into a working state where one could access portal and UMC again:
---------- 8< ----------
cd /etc/apache2
rm sites-enabled/univention-management-console
rm sites-enabled/univention-directory-manager
rm sites-enabled/univention-saml
rm sites-enabled/default
a2ensite univention-directory-manager
a2ensite 000-default.conf
---------- 8< ----------

+++ This bug was initially created as a clone of Bug #42196 +++

univention-apache depends on libapache2-mod-auth-pam. libapache2-mod-auth-pam has been replaced in Debian with libapache2-mod-authnz-pam.

Restarting web server: apache2 failed!
The apache2 configtest failed. ... (warning).
Output of config test was:
apache2: Syntax error on line 140 of /etc/apache2/apache2.conf: Syntax error on line 1 of /etc/apache2/mods-enabled/auth_pam.load: Cannot load /usr/lib/apache2/modules/mod_auth_pam.so into server: /usr/lib/apache2/modules/mod_auth_pam.so: undefined symbol: ap_log_rerror
Action 'configtest' failed.
The Apache error log may have more information.

On my system which I updated yesterday this works better: There are only broken symlinks:

root@master101:~# ls -l /etc/apache2/sites-enabled/
insgesamt 0
lrwxrwxrwx 1 root root 35 Mär 29 15:08 000-default.conf -> ../sites-available/000-default.conf
lrwxrwxrwx 1 root root 35 Mär 29 15:10 default-ssl.conf -> ../sites-available/default-ssl.conf
lrwxrwxrwx 1 root root 34 Mär 29 15:13 univention.conf -> ../sites-available/univention.conf
lrwxrwxrwx 1 root root 48 Nov 18 2015 univention-management-console -> ../sites-available/univention-management-console
lrwxrwxrwx 1 root root 34 Mär 29 14:12 univention-saml -> ../sites-available/univention-saml
lrwxrwxrwx 1 root root 39 Mär 29 15:14 univention-saml.conf -> ../sites-available/univention-saml.conf

root@master101:~# ls -l /etc/apache2/sites-available/
insgesamt 56
-rw-r--r-- 1 root root 728 Mär 29 15:16 000-default.conf
-rw-r--r-- 1 root root 722 Mär 29 14:22 000-default.conf.debian
-rw-r--r-- 1 root root 1332 Jul 5 2016 000-default.conf.dpkg-new
-rw-r--r-- 1 root root 692 Dez 22 2014 default
-rw-r--r-- 1 root root 7251 Dez 22 2014 default-ssl
-rw-r--r-- 1 root root 1392 Mär 29 15:16 default-ssl.conf
-rw-r--r-- 1 root root 1346 Mär 29 14:24 default-ssl.conf.debian
-rw-r--r-- 1 root root 6437 Jul 20 2016 default-ssl.conf.dpkg-new
-rw-r--r-- 1 root root 3707 Mär 29 15:13 univention.conf
-rw-r--r-- 1 root root 555 Mär 29 15:13 univention-directory-manager.conf
-rw-r--r-- 1 root root 2155 Mär 29 15:13 univention-proxy.conf
-rw-r--r-- 1 root root 1720 Mär 29 15:13 univention-saml.conf

univention-saml (4.0.14-2):
r78496 | Bug #44146: remove old conffiles
univention-management-console (9.0.80-2):
r78494 | Bug #44146: remove old conffiles

Even with the latest package the broken symlinks still exist. Seems dpkg-mainthelper doesn't work as documented...

(In reply to Florian Best from comment #3)
> Even with the latest package the broken symlinks still exist. Seems
> dpkg-mainthelper doesn't work as documented...

No, e.g., for univention.conf, the file /etc/univention/templates/files/etc/apache2/sites-available/univention.conf is a conffile. If the old file has been removed below /etc/univention/templates/files..., dpkg-mainthelper works just fine. See for example:

> $ dpkg -S univention.conf
> lokale Umleitung von: /etc/apache2/sites-available/univention.conf
> lokale Umleitung zu: /etc/apache2/sites-available/univention.conf.debian
> lokale Umleitung von: /etc/apache2/sites-available/univention.conf
> lokale Umleitung zu: /etc/apache2/sites-available/univention.conf.debian
> univention-management-console-web-server: /etc/univention/templates/files/etc/apache2/sites-available/univention.conf

The ucr mechanism is creating /etc/apache2/sites-available/univention.conf which does not belong to any package (at least from the point of view of dpkg). After running an update, "ucr update" is called which checks the given state of all UCR template files (via /etc/univention/templates/info) with the actual state of all created UCR template files (this is registered via dpkg-divert). If there are files missing, they will be created (including the diversions); if there are files deprecated, they will be removed (including their diversions). That is the theory :) . ...
a check on billy, I see the following for the deprecated config file "default":

> $ dpkg -S sites-available | grep 'sites-available/default' | grep -v -e .conf
> apache2.2-common: /etc/apache2/sites-available/default
> univention-apache: /etc/univention/templates/files/etc/apache2/sites-available/default.d/00start
> apache2.2-common: /etc/apache2/sites-available/default-ssl
> univention-apache: /etc/univention/templates/files/etc/apache2/sites-available/default.d/99end
> univention-apache: /etc/univention/templates/files/etc/apache2/sites-available/default

The diversions have been removed (as the info file has been removed), yet it seems that the config files themselves (00start + 99end) have not been removed. However, this is fine as it does not result in any problems (i.e., no new file "default" is generated). The existing file /etc/apache2/sites-available/default exists as it is part of apache2.2-common which has been removed, but not purged.

Another check:

> $ LC_ALL=C dpkg -S sites-available | grep 'sites-available/univention-management-console' | grep -v -e .conf -e system-info
> local diversion from: /etc/apache2/sites-available/univention-management-console
> local diversion to: /etc/apache2/sites-available/univention-management-console.debian
> local diversion from: /etc/apache2/sites-available/univention-management-console
> local diversion to: /etc/apache2/sites-available/univention-management-console.debian

Here, the info file exists:

> $ cd /etc/univention/templates/info/
> $ rgrep 'sites-available/univention-management-console$' .
> ./univention-management-console.info:File: etc/apache2/sites-available/univention-management-console

However, the template file has been removed:

> $ LC_ALL=C ls /etc/univention/templates/files/etc/apache2/sites-available/univention-management-console
> ls: cannot access /etc/univention/templates/files/etc/apache2/sites-available/univention-management-console: No such file or directory

We could add the following command to univention-apache.postinst:

> find /etc/apache2/sites-enabled/ -type l ! -exec test -e {} \; -delete

This will remove broken symlinks.

===== management/univention-management-console/debian/univention-management-console-web-server.maintscript =====
> mv_conffile /etc/univention/templates/files/etc/apache2/sites-available/univention-management-console /etc/univention/templates/files/etc/apache2/sites-available/univention.conf 9.0.0~
> rm_conffile /etc/univention/templates/files/etc/apache2/sites-enabled/univention-management-console 9.0.0~
> rm_conffile /etc/apache2/sites-enabled/univention-management-console 9.0.0~

→ The last two entries are invalid, (2) is "sites-enabled" and (3) is created by UCR.

===== saml/univention-saml/debian/univention-saml.maintscript =====
mv_conffile /etc/univention/templates/files/etc/apache2/sites-available/univention-saml /etc/univention/templates/files/etc/apache2/sites-available/univention-saml.conf 4.0.0~
rm_conffile /etc/univention/templates/files/etc/apache2/sites-enabled/univention-saml 4.0.0~
rm_conffile /etc/apache2/sites-enabled/univention-saml 4.0.0~

→ The last two entries are invalid, same as above

===== services/univention-apache/debian/univention-apache.maintscript =====
mv_conffile /etc/univention/templates/files/etc/apache2/conf.d/ucs.conf /etc/univention/templates/files/etc/apache2/conf-available/ucs.conf 9.0.1~
mv_conffile /etc/apache2/sites-available/default.d/00start /etc/apache2/sites-available/000-default.d/00start 9.0.1~
mv_conffile /etc/apache2/sites-available/default.d/99end /etc/apache2/sites-available/000-default.d/99end 9.0.1~

→ For the last two entries, the prefix "/etc/univention/templates/files" is missing, therefore, these files are not moved during the update!

IMHO, we should purge the package apache2.2-common.
The following files should also be removed (or moved?):

> $ dpkg -L univention-apache | grep ssl.d
> /etc/univention/templates/files/etc/apache2/sites-available/ssl.d
> /etc/univention/templates/files/etc/apache2/sites-available/ssl.d/99end
> /etc/univention/templates/files/etc/apache2/sites-available/ssl.d/10hsts
> /etc/univention/templates/files/etc/apache2/sites-available/ssl.d/00start

It seems that univention-appcenter-docker also has a conffile in there which needs to be moved?

> $ dpkg -S sites-available/ssl.d
> univention-apache: /etc/univention/templates/files/etc/apache2/sites-available/ssl.d/10hsts
> univention-appcenter-docker, univention-apache: /etc/univention/templates/files/etc/apache2/sites-available/ssl.d
> univention-appcenter-docker: /etc/univention/templates/files/etc/apache2/sites-available/ssl.d/10univention-appcenter
> univention-apache: /etc/univention/templates/files/etc/apache2/sites-available/ssl.d/99end
> univention-apache: /etc/univention/templates/files/etc/apache2/sites-available/ssl.d/00start

(In reply to Alexander Kläser from comment #5)
> We could add the following command to univention-apache.postinst:
>
> > find /etc/apache2/sites-enabled/ -type l ! -exec test -e {} \; -delete
>
> This will remove broken symlinks.

Better and simpler:
find /etc/apache2/sites-enabled/ -xtype l -delete

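Added example (not part of the original report and not Univention code): a read-only shell audit for the leftovers this thread keeps running into, namely dangling symlinks in sites-enabled, old site names sitting next to their renamed .conf counterpart, and .dpkg-new/.dpkg-dist files in sites-available. The function names, the finding labels and the sample tree are constructed for illustration; the script only reports and deletes nothing.

```shell
#!/bin/sh
# Added example, not Univention code: read-only audit, prints "<FINDING> <path>".
audit_sites() {
    base=${1:-/etc/apache2}
    for link in "$base"/sites-enabled/*; do
        if [ -L "$link" ] && [ ! -e "$link" ]; then
            # symlink whose target is gone (what `find -xtype l` matches)
            echo "DANGLING $link"
        elif [ -e "$link" ]; then
            case $link in
                *.conf) ;;   # renamed, current naming
                *)
                    if [ -e "$link.conf" ]; then
                        echo "LEGACY_DUPLICATE $link"   # old name next to NAME.conf
                    else
                        echo "NO_CONF_SUFFIX $link"
                    fi ;;
            esac
        fi
    done
    for f in "$base"/sites-available/*.dpkg-new "$base"/sites-available/*.dpkg-dist; do
        if [ -e "$f" ]; then echo "DPKG_LEFTOVER $f"; fi
    done
}

# Constructed sample tree, modelled on the listings quoted in this report.
make_sample() {
    mkdir -p "$1/sites-available" "$1/sites-enabled"
    for n in 000-default.conf 000-default.conf.dpkg-new default \
             univention-saml.conf univention-self-service \
             univention-self-service.conf; do
        : > "$1/sites-available/$n"
    done
    # univention-saml and univention-management-console have no target: dangling
    for n in 000-default.conf default univention-saml univention-saml.conf \
             univention-management-console univention-self-service \
             univention-self-service.conf; do
        ln -s "../sites-available/$n" "$1/sites-enabled/$n"
    done
}

demo=$(mktemp -d)
make_sample "$demo"
audit_sites "$demo"
rm -rf "$demo"
```

Run as `audit_sites /etc/apache2` on a real host and review the findings before removing anything.
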
(In reply to Florian Best from comment #3)
> Even with the latest package the broken symlinks still exist. Seems
> dpkg-mainthelper doesn't work as documented...

Dpkg-mainthelper does *Not* work on symbolic links! RTFM!

Created attachment 8717
Patch for univention-apache.maintscript

Update ... with your latest patches, this looks much better:

univention-apache (9.0.5-6):
r78514 | Bug #44146: remove dead symlinks on upgrade to UCS 4.2
r78511 | Bug #44146: remove dead symlinks on upgrade to UCS 4.2
univention-management-console (9.0.80-3):
r78512 | Bug #44146: revert dead code
univention-saml (4.0.14-3):
r78513 | Bug #44146: revert dead code

As discussed, I have overseen that the UCR multifile /etc/univention/templates/files/etc/apache2/sites-available/ssl.d/ is mapped to /etc/apache2/sites-available/default-ssl.conf.

Remaining open points:
* Adjust moving of conffiles for 000-default.conf (→ see attached patch)
* Purging apache2.2-common in postup (to be discussed?)

(In reply to Alexander Kläser from comment #10)
> [...]
> Remaining open points:
> * Adjust moving of conffiles for 000-default.conf (→ see attached patch)
> * Purging apache2.2-common in postup (to be discussed?)

I applied the patch and addressed the second point.

univention-updater (12.0.6-2):
r78528 | Bug #44146: Purge conffiles of deinstalled package apache2.2-common
univention-apache (9.0.5-7):
r78529 | Bug #44146: Correct path of moved conffiles in 000-default.d

As discussed, the following code in the postinst can be very dangerous AFAIS. For instance if you move a conffile of a package. You should rather check whether the file belongs to any package. However, we saw cases where the file univention-portal.conf.dpkg-new existed after the update...

> for file in /etc/apache2/ucs-sites.conf.d/*; do
>     if [ "$file" = "${file%.conf}" ]; then
>         mv "$file" "${file}.conf"
>     fi
> done

Broken symlinks are still there after the update... probably due to the half-configured state of the system during the execution of the postinst. I suggest to move both logics into the postup script.

apache2.2-common is still there after the update.
univention-self-service still has an old conffile which is not handled properly:

> # ls -1 /etc/apache2/*/univention-self-service*
> /etc/apache2/sites-available/univention-self-service
> /etc/apache2/sites-available/univention-self-service.conf
> /etc/apache2/sites-enabled/univention-self-service
> /etc/apache2/sites-enabled/univention-self-service.conf

(In reply to Alexander Kläser from comment #13)
> apache2.2-common is still there after the update.

This has been fixed.

univention-updater (12.0.7-2):
r78554 | Bug #44146: Purge apache2.2-common after autoremove without check

(In reply to Alexander Kläser from comment #14)
> univention-self-service still has an old conffile which is not handled
> properly:
>
> > # ls -1 /etc/apache2/*/univention-self-service*
> > /etc/apache2/sites-available/univention-self-service
> > /etc/apache2/sites-available/univention-self-service.conf
> > /etc/apache2/sites-enabled/univention-self-service
> > /etc/apache2/sites-enabled/univention-self-service.conf

This has been fixed:

univention-self-service (2.0.15-2):
r78556 | Bug #44146: remove old conffile during update

(In reply to Florian Best from comment #16)
> [...]
> This has been fixed:
> univention-self-service (2.0.15-2):
> r78556 | Bug #44146: remove old conffile during update

No. Still the same files exist.

> # ls -1 /etc/apache2/*/univention-self-service*
> /etc/apache2/sites-available/univention-self-service
> /etc/apache2/sites-available/univention-self-service.conf
> /etc/apache2/sites-enabled/univention-self-service
> /etc/apache2/sites-enabled/univention-self-service.conf

AFAIS, you need to remove the UCR info file, as this is a conffile and remains from a previous version.

> # rgrep sites-available/univention-self-service /etc/univention/templates/info/
> /etc/univention/templates/info/univention-self-service.info:File: etc/apache2/sites-available/univention-self-service

univention-self-service (2.0.15-3):
r78564 | Bug #44146: remove old conffile during update

Looks good now. Regarding the *dpkg-new files, I created Bug 44220.

I added a changelog entry.

changelog-4.2-0.xml:
r78612 | Bug #44146: Added bug number to changelog entry

→ VERIFIED

UCS 4.2 has been released:
https://docs.software-univention.de/release-notes-4.2-0-en.html
https://docs.software-univention.de/release-notes-4.2-0-de.html

If this error occurs again, please use "Clone This Bug".