Bug 44146 - Old apache 2.2 config files break access to portal and UMC
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: Apache
UCS 4.2
Other Linux
: P5 normal (vote)
: UCS 4.2
Assigned To: Florian Best
Alexander Kläser
: interim-4
Depends on:
Blocks:
Reported: 2017-03-30 12:21 CEST by Alexander Kläser
Modified: 2017-04-04 18:28 CEST

See Also:
What kind of report is it?: Bug Report
What type of bug is this?: 5: Major Usability: Impairs usability in key scenarios
Who will be affected by this bug?: 3: Will affect average number of installed domains
How will those affected feel about the bug?: 5: Blocking further progress on the daily work
User Pain: 0.429
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional):
Max CVSS v3 score:


Attachments
Patch for univention-apache.maintscript (1.24 KB, patch)
2017-03-30 23:45 CEST, Alexander Kläser

Description Alexander Kläser univentionstaff 2017-03-30 12:21:36 CEST
We experienced the following issues internally with the update of billy. After the update, the users were not redirected to /univention/portal (but instead to /simplesamlphp/...). Also, access to English translation JSON files resulted in tracebacks in umc-web-server.log.

The reason for this was various apache2 config files which have been renamed; however, neither were they removed in /etc/apache2/sites-available nor were their symlinks in sites-enabled removed. Here is the content of sites-available after the update (custom conffiles have been removed from the list):

---------- 8< ----------
-rw-r--r-- 1 root root  728 Mär 29 22:50 000-default.conf
-rw-r--r-- 1 root root  722 Mär  2 01:04 000-default.conf.debian
-rw-r--r-- 1 root root 1332 Jul  5  2016 000-default.conf.dpkg-new
[...]
-rw-r--r-- 1 root root 1167 Nov 11  2005 default
-rw-r--r-- 1 root root  692 Jun  7  2012 default.debian.dpkg-dist
-rw-r--r-- 1 root root 1181 Okt 23  2007 default.dpkg-dist
-rw-r--r-- 1 root root 7251 Jun  7  2012 default-ssl
-rw-r--r-- 1 root root 1398 Mär 29 22:50 default-ssl.conf
-rw-r--r-- 1 root root 1352 Mär  2 01:04 default-ssl.conf.debian
-rw-r--r-- 1 root root 6437 Jul 20  2016 default-ssl.conf.dpkg-new
[...]
-rw-r--r-- 1 root root 3735 Mär 29 22:02 univention.conf
-rw-r--r-- 1 root root  912 Nov 11  2011 univention-directory-manager
-rw-r--r-- 1 root root  555 Mär 29 22:06 univention-directory-manager.conf
[...]
-rw-r--r-- 1 root root 3491 Dez 15 01:11 univention-management-console
-rw-r--r-- 1 root root  577 Mär 24  2011 univention-management-console-system-info
-rw-r--r-- 1 root root 2165 Mär 29 22:02 univention-proxy.conf
-rw-r--r-- 1 root root 1755 Mär 29 21:20 univention-saml.conf
[...]
---------- 8< ----------

And here is the content of sites-available:
---------- 8< ----------
drwxr-xr-x 2 root root 4096 Mär 29 22:02 000-default.d
-rw-r--r-- 1 root root 1311 Nov 19  2013 default
drwxr-xr-x 2 root root 4096 Mär 29 22:02 default.d
drwxr-xr-x 2 root root 4096 Mär 29 22:02 ssl.d
-rw-r--r-- 1 root root 3936 Mär 29 12:51 univention.conf
-rw-r--r-- 1 root root  109 Sep  9  2016 univention-directory-manager.conf
-rw-r--r-- 1 root root  122 Mär  9  2010 univention-management-console-system-info
-rw-r--r-- 1 root root 2005 Mär 29 13:18 univention-proxy.conf
-rwxr-xr-x 1 root root 2213 Mär  7 17:29 univention-saml.conf
---------- 8< ----------

We needed to remove various old symlinks and call a2ensite for various new config. The following commands brought the system into a working state where one could access portal and UMC again:

---------- 8< ----------
cd /etc/apache2
rm sites-enabled/univention-management-console
rm sites-enabled/univention-directory-manager
rm sites-enabled/univention-saml
rm sites-enabled/default
a2ensite univention-directory-manager
a2ensite 000-default.conf
---------- 8< ----------


+++ This bug was initially created as a clone of Bug #42196 +++

univention-apache depends on libapache2-mod-auth-pam. libapache2-mod-auth-pam has been replaced in Debian with libapache2-mod-authnz-pam.

Restarting web server: apache2 failed!
The apache2 configtest failed. ... (warning).
Output of config test was:
apache2: Syntax error on line 140 of /etc/apache2/apache2.conf: Syntax error on line 1 of /etc/apache2/mods-enabled/auth_pam.load: Cannot load /usr/lib/apache2/modules/mod_auth_pam.so into server: /usr/lib/apache2/modules/mod_auth_pam.so: undefined symbol: ap_log_rerror
Action 'configtest' failed.
The Apache error log may have more information.
Comment 1 Florian Best univentionstaff 2017-03-30 12:27:31 CEST
On my system which I updated yesterday this works better: There are only broken symlinks:

root@master101:~# ls -l /etc/apache2/sites-enabled/
insgesamt 0
lrwxrwxrwx 1 root root 35 Mär 29 15:08 000-default.conf -> ../sites-available/000-default.conf
lrwxrwxrwx 1 root root 35 Mär 29 15:10 default-ssl.conf -> ../sites-available/default-ssl.conf
lrwxrwxrwx 1 root root 34 Mär 29 15:13 univention.conf -> ../sites-available/univention.conf
lrwxrwxrwx 1 root root 48 Nov 18  2015 univention-management-console -> ../sites-available/univention-management-console
lrwxrwxrwx 1 root root 34 Mär 29 14:12 univention-saml -> ../sites-available/univention-saml
lrwxrwxrwx 1 root root 39 Mär 29 15:14 univention-saml.conf -> ../sites-available/univention-saml.conf
root@master101:~# ls -l /etc/apache2/sites-available/
insgesamt 56
-rw-r--r-- 1 root root  728 Mär 29 15:16 000-default.conf
-rw-r--r-- 1 root root  722 Mär 29 14:22 000-default.conf.debian
-rw-r--r-- 1 root root 1332 Jul  5  2016 000-default.conf.dpkg-new
-rw-r--r-- 1 root root  692 Dez 22  2014 default
-rw-r--r-- 1 root root 7251 Dez 22  2014 default-ssl
-rw-r--r-- 1 root root 1392 Mär 29 15:16 default-ssl.conf
-rw-r--r-- 1 root root 1346 Mär 29 14:24 default-ssl.conf.debian
-rw-r--r-- 1 root root 6437 Jul 20  2016 default-ssl.conf.dpkg-new
-rw-r--r-- 1 root root 3707 Mär 29 15:13 univention.conf
-rw-r--r-- 1 root root  555 Mär 29 15:13 univention-directory-manager.conf
-rw-r--r-- 1 root root 2155 Mär 29 15:13 univention-proxy.conf
-rw-r--r-- 1 root root 1720 Mär 29 15:13 univention-saml.conf
Comment 2 Florian Best univentionstaff 2017-03-30 13:01:43 CEST
univention-saml (4.0.14-2):
r78496 | Bug #44146: remove old conffiles

univention-management-console (9.0.80-2):
r78494 | Bug #44146: remove old conffiles
Comment 3 Florian Best univentionstaff 2017-03-30 14:18:48 CEST
Even with the latest package the broken symlinks still exist. Seems dpkg-mainthelper doesn't work as documented...
Comment 4 Alexander Kläser univentionstaff 2017-03-30 15:19:07 CEST
(In reply to Florian Best from comment #3)
> Even with the latest package the broken symlinks still exist. Seems
> dpkg-mainthelper doesn't work as documented...

No, e.g., for univention.conf, the file /etc/univention/templates/files/etc/apache2/sites-available/univention.conf is a conffile. If the old file has been removed below /etc/univention/templates/files..., dpkg-mainthelper works just fine. See for example:

> $ dpkg -S univention.conf
> lokale Umleitung von: /etc/apache2/sites-available/univention.conf
> lokale Umleitung zu: /etc/apache2/sites-available/univention.conf.debian
> lokale Umleitung von: /etc/apache2/sites-available/univention.conf
> lokale Umleitung zu: /etc/apache2/sites-available/univention.conf.debian
> univention-management-console-web-server: /etc/univention/templates/files/etc/apache2/sites-available/univention.conf

The ucr mechanism is creating /etc/apache2/sites-available/univention.conf which does not belong to any package (at least from the point of view of dpkg). After running an update, "ucr update" is called which checks the given state of all UCR template files (via /etc/univention/templates/info) with the actual state of all created UCR template files (this is registered via dpkg-divert). If there are files missing, they will be created (including the diversions); if there are files deprecated, they will be removed (including their diversions). That is the theory :) .

... a check on billy, I see the following for the deprecated config file "default":

> $ dpkg -S sites-available | grep 'sites-available/default' | grep -v -e .conf 
> apache2.2-common: /etc/apache2/sites-available/default
> univention-apache: /etc/univention/templates/files/etc/apache2/sites-available/default.d/00start
> apache2.2-common: /etc/apache2/sites-available/default-ssl
> univention-apache: /etc/univention/templates/files/etc/apache2/sites-available/default.d/99end
> univention-apache: /etc/univention/templates/files/etc/apache2/sites-available/default

The diversions have been removed (as the info file has been removed), yet it seems that the config files themselves (00start + 99end) have not been removed. However, this is fine as it does not result in any problems (i.e., no new file "default" is generated). The existing file /etc/apache2/sites-available/default exists as it is part of apache2.2-common which has been removed, but not purged.


Another check:

> $ LC_ALL=C dpkg -S sites-available | grep 'sites-available/univention-management-console' | grep -v -e .conf -e system-info
> local diversion from: /etc/apache2/sites-available/univention-management-console
> local diversion to: /etc/apache2/sites-available/univention-management-console.debian
> local diversion from: /etc/apache2/sites-available/univention-management-console
> local diversion to: /etc/apache2/sites-available/univention-management-console.debian

Here, the info file exists:

> $ cd /etc/univention/templates/info/
> $ rgrep 'sites-available/univention-management-console$' .
> ./univention-management-console.info:File: etc/apache2/sites-available/univention-management-console

However, the template file has been removed:

> $ LC_ALL=C ls /etc/univention/templates/files/etc/apache2/sites-available/univention-management-console
> ls: cannot access /etc/univention/templates/files/etc/apache2/sites-available/univention-management-console: No such file or directory
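
The manual check from comment 4 (an info file that still registers a `File:` whose template is gone) can be run over every info file at once. This is an added example, not part of the original comments and not Univention code; the function name, its two arguments and the sample tree are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not Univention code: report UCR "File:" registrations whose
# template is missing. Assumed layout (taken from the paths in this report):
#   <tpl>/info/<package>.info   contains lines "File: etc/apache2/..."
#   <tpl>/files/<path>          template the file is generated from
#   <sys>/<path>                generated file (<sys> is empty on a real host)
stale_ucr_entries() {
    tpl=${1:-/etc/univention/templates}
    sys=${2:-}
    for info in "$tpl"/info/*.info; do
        [ -f "$info" ] || continue
        # Only "File:" lines are evaluated; every other line is ignored.
        sed -n 's/^File:[[:space:]]*//p' "$info" | while IFS= read -r rel; do
            if [ ! -e "$tpl/files/$rel" ]; then
                if [ -e "$sys/$rel" ]; then left=present; else left=absent; fi
                printf '%s: %s (generated file %s)\n' "${info##*/}" "$rel" "$left"
            fi
        done
    done
}

# Constructed sample tree mirroring the state described for billy.
demo=$(mktemp -d)
sa=etc/apache2/sites-available
mkdir -p "$demo/tpl/info" "$demo/tpl/files/$sa" "$demo/sys/$sa"
printf 'File: %s/univention-management-console\n' "$sa" \
    > "$demo/tpl/info/univention-management-console.info"
printf 'File: %s/univention.conf\n' "$sa" \
    > "$demo/tpl/info/univention-management-console-web-server.info"
: > "$demo/tpl/files/$sa/univention.conf"            # template still shipped
: > "$demo/sys/$sa/univention-management-console"    # old generated file
stale_ucr_entries "$demo/tpl" "$demo/sys"
rm -rf "$demo"
```

On a real host the function is called without arguments and reads /etc/univention/templates; it only reports and changes nothing.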
Comment 5 Alexander Kläser univentionstaff 2017-03-30 17:15:21 CEST
We could add the following command to univention-apache.postinst:

> find /etc/apache2/sites-enabled/ -type l ! -exec test -e {} \; -delete

This will remove broken symlinks.

===== management/univention-management-console/debian/univention-management-console-web-server.maintscript =====
> mv_conffile /etc/univention/templates/files/etc/apache2/sites-available/univention-management-console /etc/univention/templates/files/etc/apache2/sites-available/univention.conf 9.0.0~
> rm_conffile /etc/univention/templates/files/etc/apache2/sites-enabled/univention-management-console 9.0.0~
> rm_conffile /etc/apache2/sites-enabled/univention-management-console 9.0.0~

→ The last two entries are invalid, (2) is "sites-enabled" and (3) is created by UCR.

===== saml/univention-saml/debian/univention-saml.maintscript =====
mv_conffile /etc/univention/templates/files/etc/apache2/sites-available/univention-saml /etc/univention/templates/files/etc/apache2/sites-available/univention-saml.conf 4.0.0~
rm_conffile /etc/univention/templates/files/etc/apache2/sites-enabled/univention-saml 4.0.0~
rm_conffile /etc/apache2/sites-enabled/univention-saml 4.0.0~

→ The last two entries are invalid, same as above

===== services/univention-apache/debian/univention-apache.maintscript =====
mv_conffile /etc/univention/templates/files/etc/apache2/conf.d/ucs.conf /etc/univention/templates/files/etc/apache2/conf-available/ucs.conf 9.0.1~
mv_conffile /etc/apache2/sites-available/default.d/00start /etc/apache2/sites-available/000-default.d/00start 9.0.1~
mv_conffile /etc/apache2/sites-available/default.d/99end /etc/apache2/sites-available/000-default.d/99end 9.0.1~

→ For the last two entries, the prefix "/etc/univention/templates/files" is missing, therefore, these files are not moved during the update!
Comment 6 Alexander Kläser univentionstaff 2017-03-30 17:17:31 CEST
IMHO, we should purge the package apache2.2-common.
Comment 7 Alexander Kläser univentionstaff 2017-03-30 17:20:22 CEST
The following files should also be removed (or moved?):

> $ dpkg -L univention-apache | grep ssl.d
> /etc/univention/templates/files/etc/apache2/sites-available/ssl.d
> /etc/univention/templates/files/etc/apache2/sites-available/ssl.d/99end
> /etc/univention/templates/files/etc/apache2/sites-available/ssl.d/10hsts
> /etc/univention/templates/files/etc/apache2/sites-available/ssl.d/00start

It seems that univention-appcenter-docker also has a conffile in there which needs to be moved?

> $ dpkg -S sites-available/ssl.d
> univention-apache: /etc/univention/templates/files/etc/apache2/sites-available/ssl.d/10hsts
> univention-appcenter-docker, univention-apache: /etc/univention/templates/files/etc/apache2/sites-available/ssl.d
> univention-appcenter-docker: /etc/univention/templates/files/etc/apache2/sites-available/ssl.d/10univention-appcenter
> univention-apache: /etc/univention/templates/files/etc/apache2/sites-available/ssl.d/99end
> univention-apache: /etc/univention/templates/files/etc/apache2/sites-available/ssl.d/00start
Comment 8 Philipp Hahn univentionstaff 2017-03-30 18:25:09 CEST
(In reply to Alexander Kläser from comment #5)
> We could add the following command to univention-apache.postinst:
> 
> > find /etc/apache2/sites-enabled/ -type l ! -exec test -e {} \; -delete
> 
> This will remove broken symlinks.

Better and simpler: find /etc/apache2/sites-enabled/ -xtype l -delete
Comment 9 Philipp Hahn univentionstaff 2017-03-30 18:26:59 CEST
(In reply to Florian Best from comment #3)
> Even with the latest package the broken symlinks still exist. Seems
> dpkg-mainthelper doesn't work as documented...

Dpkg-mainthelper does *Not* work on symbolic links! RTFM!
Comment 10 Alexander Kläser univentionstaff 2017-03-30 23:45:35 CEST
Created attachment 8717
Patch for univention-apache.maintscript

Update ... with your latest patches, this looks much better:

univention-apache (9.0.5-6):
r78514 | Bug #44146: remove dead symlinks on upgrade to UCS 4.2
r78511 | Bug #44146: remove dead symlinks on upgrade to UCS 4.2

univention-management-console (9.0.80-3):
r78512 | Bug #44146: revert dead code

univention-saml (4.0.14-3):
r78513 | Bug #44146: revert dead code


As discussed, I have overlooked that the UCR multifile /etc/univention/templates/files/etc/apache2/sites-available/ssl.d/ is mapped to /etc/apache2/sites-available/default-ssl.conf.

Remaining open points:
* Adjust moving of conffiles for 000-default.conf (→ see attached patch)
* Purging apache2.2-common in postup (to be discussed?)
Comment 11 Alexander Kläser univentionstaff 2017-03-31 09:27:20 CEST
(In reply to Alexander Kläser from comment #10)
> [...]
> Remaining open points:
> * Adjust moving of conffiles for 000-default.conf (→ see attached patch)
> * Purging apache2.2-common in postup (to be discussed?)

I applied the patch and addressed the second point.

univention-updater (12.0.6-2):
r78528 | Bug #44146: Purge conffiles of deinstalled package apache2.2-common

univention-apache (9.0.5-7):
r78529 | Bug #44146: Correct path of moved conffiles in 000-default.d
Comment 12 Alexander Kläser univentionstaff 2017-03-31 13:17:09 CEST
As discussed, the following code in the postinst can be very dangerous AFAIS. For instance if you move a conffile of a package. You should rather check whether the file belongs to any package. However, we saw cases where the file univention-portal.conf.dpkg-new existed after the update...

> for file in /etc/apache2/ucs-sites.conf.d/*; do
>     if [ "$file" = "${file%.conf}" ]; then
>         mv "$file" "${file}.conf"
>     fi
> done

Broken symlinks are still there after the update... probably due to the half-configured state of the system during the execution of the postinst.

I suggest moving both pieces of logic into the postup script.
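
A guarded form of the rename loop quoted in comment 12, as an added example that is not part of the original comments and not Univention code. It skips dpkg leftovers such as `*.dpkg-new` (which the unguarded loop would rename to `*.dpkg-new.conf`) and files that belong to a package; `add_conf_suffix`, `owned_by_package` and the `OWNER_CHECK` hook are hypothetical names, and the sample directory is constructed.

```shell
#!/bin/sh
# Added example, not Univention code: the rename loop with guards.
# OWNER_CHECK is a hypothetical hook naming the command that decides whether
# a path belongs to a package; the default asks dpkg.
owned_by_package() { dpkg -S "$1" >/dev/null 2>&1; }
OWNER_CHECK=${OWNER_CHECK:-owned_by_package}

add_conf_suffix() {
    for file in "$1"/*; do
        [ -f "$file" ] || continue
        case $file in
            *.conf)
                continue ;;                     # already has the suffix
            *.dpkg-new | *.dpkg-old | *.dpkg-dist)
                # The unguarded loop would turn foo.conf.dpkg-new into
                # foo.conf.dpkg-new.conf; leave dpkg's leftovers alone.
                echo "skip (dpkg leftover): $file"
                continue ;;
        esac
        if [ -e "$file.conf" ]; then
            echo "skip (target exists): $file"
        elif "$OWNER_CHECK" "$file"; then
            echo "skip (package-owned): $file"
        else
            mv -- "$file" "$file.conf"
            echo "renamed: $file"
        fi
    done
}

# Constructed sample directory standing in for /etc/apache2/ucs-sites.conf.d.
demo=$(mktemp -d)
: > "$demo/custom-site"
: > "$demo/univention-portal.conf"
: > "$demo/univention-portal.conf.dpkg-new"
add_conf_suffix "$demo"
rm -rf "$demo"
```

If dpkg is not available the default check reports every file as unowned, so the function is only meaningful on a dpkg-based system.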
Comment 13 Alexander Kläser univentionstaff 2017-03-31 13:19:36 CEST
apache2.2-common is still there after the update.
Comment 14 Alexander Kläser univentionstaff 2017-03-31 13:37:03 CEST
univention-self-service still has an old conffile which is not handled properly:

> # ls -1 /etc/apache2/*/univention-self-service*
> /etc/apache2/sites-available/univention-self-service
> /etc/apache2/sites-available/univention-self-service.conf
> /etc/apache2/sites-enabled/univention-self-service
> /etc/apache2/sites-enabled/univention-self-service.conf
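
The two leftovers seen in this report, dangling symlinks (comments 5 and 8) and an old name enabled next to its `.conf` successor (comment 14), can be listed in one pass before anything is deleted. This is an added example, not part of the original comments and not Univention code; the function names and the sample tree are constructed for illustration.

```shell
#!/bin/sh
# Added example, not Univention code. One line per finding:
#   DANGLING <name> -> <target>   symlink whose target no longer exists
#   DUPLICATE <name>              old name enabled next to <name>.conf
audit_sites_enabled() {
    dir=$1
    for entry in "$dir"/*; do
        [ -e "$entry" ] || [ -L "$entry" ] || continue   # unmatched glob
        name=${entry##*/}
        if [ -L "$entry" ] && [ ! -e "$entry" ]; then
            # The condition that `find -type l ! -exec test -e {} \;`
            # and GNU find's `-xtype l` select on.
            printf 'DANGLING %s -> %s\n' "$name" "$(readlink "$entry")"
        elif [ "$name" = "${name%.conf}" ] && [ -e "$entry.conf" ]; then
            printf 'DUPLICATE %s\n' "$name"
        fi
    done
}

# Delete dangling links only; duplicates are left for the admin to decide.
prune_dangling() {
    for entry in "$1"/*; do
        if [ -L "$entry" ] && [ ! -e "$entry" ]; then
            rm -- "$entry"
        fi
    done
}

# Constructed sample tree standing in for /etc/apache2.
demo=$(mktemp -d)
mkdir "$demo/sites-available" "$demo/sites-enabled"
for f in univention.conf univention-self-service univention-self-service.conf; do
    : > "$demo/sites-available/$f"
    ln -s "../sites-available/$f" "$demo/sites-enabled/$f"
done
ln -s ../sites-available/univention-saml "$demo/sites-enabled/univention-saml"
audit_sites_enabled "$demo/sites-enabled"    # review the findings first
prune_dangling "$demo/sites-enabled"         # then remove dangling links
rm -rf "$demo"
```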
Comment 15 Alexander Kläser univentionstaff 2017-03-31 13:39:24 CEST
(In reply to Alexander Kläser from comment #13)
> apache2.2-common is still there after the update.

This has been fixed.

univention-updater (12.0.7-2):
r78554 | Bug #44146: Purge apache2.2-common after autoremove without check
Comment 16 Florian Best univentionstaff 2017-03-31 13:56:33 CEST
(In reply to Alexander Kläser from comment #14)
> univention-self-service still has an old conffile which is not handled
> properly:
> 
> > # ls -1 /etc/apache2/*/univention-self-service*
> > /etc/apache2/sites-available/univention-self-service
> > /etc/apache2/sites-available/univention-self-service.conf
> > /etc/apache2/sites-enabled/univention-self-service
> > /etc/apache2/sites-enabled/univention-self-service.conf

This has been fixed:
univention-self-service (2.0.15-2):
r78556 | Bug #44146: remove old conffile during update
Comment 17 Alexander Kläser univentionstaff 2017-03-31 16:17:01 CEST
(In reply to Florian Best from comment #16)
> [...]
> This has been fixed:
> univention-self-service (2.0.15-2):
> r78556 | Bug #44146: remove old conffile during update

No. Still the same files exist.

> # ls -1 /etc/apache2/*/univention-self-service*
> /etc/apache2/sites-available/univention-self-service
> /etc/apache2/sites-available/univention-self-service.conf
> /etc/apache2/sites-enabled/univention-self-service
> /etc/apache2/sites-enabled/univention-self-service.conf

AFAIS, you need to remove the UCR info file, as this is a conffile and remains from a previous version.

> # rgrep sites-available/univention-self-service /etc/univention/templates/info/
> /etc/univention/templates/info/univention-self-service.info:File: etc/apache2/sites-available/univention-self-service
Comment 18 Florian Best univentionstaff 2017-03-31 16:32:01 CEST
univention-self-service (2.0.15-3):
r78564 | Bug #44146: remove old conffile during update
Comment 19 Alexander Kläser univentionstaff 2017-04-03 12:20:44 CEST
Looks good now. Regarding the *dpkg-new files, I created Bug 44220. I added a changelog entry.

changelog-4.2-0.xml:
r78612 | Bug #44146: Added bug number to changelog entry


→ VERIFIED
Comment 20 Stefan Gohmann univentionstaff 2017-04-04 18:28:54 CEST
UCS 4.2 has been released:
 https://docs.software-univention.de/release-notes-4.2-0-en.html
 https://docs.software-univention.de/release-notes-4.2-0-de.html

If this error occurs again, please use "Clone This Bug".