Univention Bugzilla – Bug 54495
Invalid UCR proxy configuration breaks freshclam.conf, univention-join, …
Last modified: 2023-11-17 11:15:11 CET
While debugging why clamav does not update its antivirus signatures, I noticed an error in /etc/clamav/freshclam.conf. When setting up UCS I had adopted the syntax of the http_proxy environment variable, with a trailing /:

`ucr set proxy/https=${https_proxy}`

This results in the command:

`ucr set proxy/https=http://10.61.16.6:3128/`

If the variable has a trailing /, freshclam.conf contains 3128/ with a trailing slash. With that, the service refuses to start. After I manually corrected the port to 3128 without the slash, the service could be started. Suggested improvement: allow only digits in port numbers.
Many more services are extremely picky about HTTP(S) proxy configuration: Generally there should never be a trailing slash! So this is not restricted to ClamAV, but also affects many more services like
- docker
- GitLab
- Python
- …

Sadly there is no written standard for ENV "(https?,ftp,all,no)_proxy" respectively "(HTTPS?,FTP,ALL,NO)_PROXY"; the question is also not new: <https://superuser.com/questions/944958/are-http-proxy-https-proxy-and-no-proxy-environment-variables-standard>.

Sadly UCR does not have a mechanism for validating its values. A long time ago there was Bug #8768, but it never was implemented. Right now we would have to duplicate the validation code in every location where UCRV `proxy/*` is used. This probably will not happen any time soon. We could add a simple diagnostics module, which would warn when UCRVs are set wrong.
Yet again the LDAP LMDB and its backing storage device was filled up; after increasing the disk size the Backup had to be re-joined, which failed due to a strange error message issued by all `slap*` commands:

> error : Unknown IO error

The underlying cause was two wrong UCRVs:

> proxy/http: $USER:$PASSWORD@$IP:$PORT
> proxy/https: $USER:$PASSWORD@$IP:$PORT

Note the missing `http://` prefix! When `slapadd` is called it loads libsasl -> libsaml -> liblasso -> libxmlsec -> libxml2, which initializes its internal HTTP client. For that it evaluates the environment variables $http_proxy, $https_proxy, $no_proxy and fails to do so, printing that mysterious message.

1. We may add a UMC diagnostics module to warn about broken proxy config
2. We really should extend UCR to check the values for correct syntax: we already have the unused "type=str|int|bool", but should extend this with some schema to allow specifying
   - regular expression
   - sequence of valid choices
   - is a list of $things separated by $separator
   - lower / upper bound for type=int
   - …

```
gdb --args slapcat -f ./slapd.conf -b cn=translog
...
break write
run
...
Breakpoint 1, write () at ../sysdeps/unix/syscall-template.S:84
84      ../sysdeps/unix/syscall-template.S: Datei oder Verzeichnis nicht gefunden.
(gdb) bt
#0  write () at ../sysdeps/unix/syscall-template.S:84
#1  0x00007ffff5a5c817 in _IO_new_file_write (f=0x7ffff5d84520 <_IO_2_1_stderr_>, data=0x7fffffff53b0, n=8) at fileops.c:1271
#2  0x00007ffff5a5bb62 in new_do_write (fp=fp@entry=0x7ffff5d84520 <_IO_2_1_stderr_>, data=data@entry=0x7fffffff53b0 "error : ", to_do=to_do@entry=8) at fileops.c:526
#3  0x00007ffff5a5cf6e in _IO_new_file_xsputn (f=0x7ffff5d84520 <_IO_2_1_stderr_>, data=<optimized out>, n=8) at fileops.c:1350
#4  0x00007ffff5a33cc5 in buffered_vfprintf (s=0x7ffff5d84520 <_IO_2_1_stderr_>, format=<optimized out>, args=<optimized out>) at vfprintf.c:2346
#5  0x00007ffff5a30f25 in _IO_vfprintf_internal (s=s@entry=0x7ffff5d84520 <_IO_2_1_stderr_>, format=0x7ffff33b8ea5 "error : ", ap=0x7fffffff7970) at vfprintf.c:1293
#6  0x00007ffff5ae12b6 in ___vfprintf_chk (fp=0x7ffff5d84520 <_IO_2_1_stderr_>, flag=1, format=<optimized out>, ap=<optimized out>) at vfprintf_chk.c:33
#7  0x00007ffff3290e53 in xmlGenericErrorDefaultFunc () from /usr/lib/x86_64-linux-gnu/libxml2.so.2
#8  0x00007ffff3290fcb in ?? () from /usr/lib/x86_64-linux-gnu/libxml2.so.2
#9  0x00007ffff3292f0d in __xmlRaiseError () from /usr/lib/x86_64-linux-gnu/libxml2.so.2
#10 0x00007ffff3293046 in __xmlSimpleError () from /usr/lib/x86_64-linux-gnu/libxml2.so.2
#11 0x00007ffff331e80d in xmlNanoHTTPInit () from /usr/lib/x86_64-linux-gnu/libxml2.so.2
#12 0x00007fffef544dd0 in xmlSecIOInit () from /usr/lib/libxmlsec1.so.1
#13 0x00007fffef569e4e in xmlSecInit () from /usr/lib/libxmlsec1.so.1
#14 0x00007ffff2a70658 in lasso_init () from /usr/lib/liblasso.so.3
#15 0x00007ffff38265dc in sasl_server_plug_init () from /usr/lib/x86_64-linux-gnu/sasl2/libsaml.so
#16 0x00007ffff713fdab in sasl_server_add_plugin () from /usr/lib/x86_64-linux-gnu/libsasl2.so.2
#17 0x00007ffff714365f in ?? () from /usr/lib/x86_64-linux-gnu/libsasl2.so.2
#18 0x00007ffff7141279 in sasl_server_init () from /usr/lib/x86_64-linux-gnu/libsasl2.so.2
#19 0x00005555555e11f3 in slap_sasl_init ()
#20 0x00005555555bbf40 in slap_init ()
#21 0x00005555555ff8cd in slap_tool_init ()
#22 0x00005555555fed50 in slapcat ()
#23 0x0000555555570867 in main ()
```
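Added example (not Univention's code): a check in the spirit of the diagnostics module proposed in the comments above, run over the two broken `proxy/*` values reported in this bug, a trailing slash after the port and a value without the `http://` scheme. The variable names `proxy/http` and `proxy/https` are from the page; the accepted URL shape, the message texts and the sample dict are my assumptions.

```python
import re
from urllib.parse import urlsplit

# UCR variables checked; the names come from the bug report above.
PROXY_VARS = ("proxy/http", "proxy/https")

# Accepted shape: scheme://[user[:password]@]host[:port] with no path at all.
_PROXY_RE = re.compile(
    r"^(?P<scheme>https?)://"
    r"(?:(?P<user>[^:@/]+)(?::(?P<password>[^@/]*))?@)?"
    r"(?P<host>\[[0-9A-Fa-f:.]+\]|[^:/@\[\]]+)"
    r"(?::(?P<port>\d+))?$"
)

def check_proxy_value(name, value):
    """Return a list of problems for one proxy/* UCR value (empty if it is fine)."""
    if not value:
        return []  # unset variable: nothing to validate
    if "://" not in value:
        # the slapcat/libxml2 case: "$USER:$PASSWORD@$IP:$PORT" without a scheme
        return ["%s: missing scheme, expected http://host:port" % name]
    parts = urlsplit(value)
    if value.endswith("/") or parts.path or parts.query or parts.fragment:
        # the freshclam case: "http://10.61.16.6:3128/" ends up as port "3128/"
        return ["%s: must not contain a path or trailing slash" % name]
    match = _PROXY_RE.match(value)
    if match is None:
        return ["%s: does not match scheme://[user:password@]host[:port]" % name]
    port = match.group("port")
    if port is not None and not 1 <= int(port) <= 65535:
        return ["%s: port %s out of range" % (name, port)]
    return []

def check_proxy_config(ucr):
    """Check a dict of UCR variables and return all problems found."""
    found = []
    for name in PROXY_VARS:
        found.extend(check_proxy_value(name, ucr.get(name)))
    return found

if __name__ == "__main__":
    # constructed sample values mirroring the two reports in this bug
    sample = {
        "proxy/http": "$USER:$PASSWORD@$IP:$PORT",
        "proxy/https": "http://10.61.16.6:3128/",
    }
    for problem in check_proxy_config(sample):
        print("WARNING:", problem)
```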
Implementation of this issue consists of several parts:

1. New Validation Module

A new module validation.py including unit tests was implemented to perform the validation if a value to be set with UCR is compatible with the respective type. There is currently no validation implemented if a type definition refers to the supported types; unknown types are defaulted to str. Supported types are:
- str: string
- int: integer
- bool: boolean value
- ipv4address: IP v4 address
- portnumber: network port number

For the str and the int type additional constraints are supported, which can be configured in the respective .univention-config-registry-variables files. For int the optional constraints Min and Max allow to specify the smallest and the largest possible value a variable can take. For str the optional constraint Regex defines a valid regular expression the value has to match.

2. Changed behavior of UCR set ...

A new UCR variable ucr/check/type is introduced impacting the overall behavior of UCR when setting a UCR variable. A new optional argument for the UCR set command --ignore-check can be used to override the setting of ucr/check/type for a single case. The logic in UCR is as follows: When setting a new value for a UCR variable checks are performed by validation.py to verify the compatibility of the value to be set with the type of the variable. In case of incompatibility a warning message is displayed. Moreover, the variable is not set to the new value if the UCR variable ucr/check/type is true (default is false). If the --ignore-check option is used, the value is always set independent of type compatibility and setting of ucr/check/type.

3. New UMC diagnostic module

A new UMC diagnostic module 64_check_ucr_types.py is now available that checks for all defined UCR variables if the actual values are compatible with the defined types (if type definition is available) and reports incompatibilities.

4. Correction of wrong type definitions

Several definitions of UCR variables are corrected, e.g. with type 'string' updated to 'str'. Other types are adopted according to their actual usage based on the output of the UMC diagnostic module.
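Added example (not Univention's validation.py or 64_check_ucr_types.py): a type and constraint checker for the five types listed in the comment above, with the optional Min/Max and Regex constraints, plus a pass over a set of definitions that mimics what the diagnostic module reports. The accepted boolean spellings, the `example/*` variable names and the sample values are my assumptions; unknown types fall back to str as described.

```python
import ipaddress
import re

SUPPORTED_TYPES = ("str", "int", "bool", "ipv4address", "portnumber")
# The boolean spellings accepted here are an assumption, not UCR's exact list.
BOOL_VALUES = {"yes", "no", "true", "false", "1", "0", "on", "off", "enable", "disable", "enabled", "disabled"}

def validate(value, vtype="str", constraints=None):
    """Return None if value is compatible with vtype, else a reason string."""
    c = constraints or {}
    vtype = vtype if vtype in SUPPORTED_TYPES else "str"  # unknown types fall back to str
    if vtype == "str":
        regex = c.get("Regex")
        if regex and not re.fullmatch(regex, value):
            return "value %r does not match Regex %r" % (value, regex)
        return None
    if vtype == "bool":
        return None if value.lower() in BOOL_VALUES else "not a boolean: %r" % value
    if vtype == "ipv4address":
        try:
            ipaddress.IPv4Address(value)
        except ValueError:
            return "not an IPv4 address: %r" % value
        return None
    # int and portnumber: digits only, so "3128/" is rejected before any range check
    if not re.fullmatch(r"-?\d+", value):
        return "not an integer: %r" % value
    number = int(value)
    lo = 1 if vtype == "portnumber" else (int(c["Min"]) if "Min" in c else None)
    hi = 65535 if vtype == "portnumber" else (int(c["Max"]) if "Max" in c else None)
    if lo is not None and number < lo:
        return "%d is below the minimum %d" % (number, lo)
    if hi is not None and number > hi:
        return "%d is above the maximum %d" % (number, hi)
    return None

def check_all(definitions, ucr):
    """Like the diagnostic pass: map each set variable to the reason its value is incompatible."""
    report = {}
    for var, opts in definitions.items():
        reason = validate(ucr[var], opts.get("Type", "str"), opts) if var in ucr else None
        if reason:
            report[var] = reason
    return report

# Constructed definitions and values; the example/* variable names are made up.
SAMPLE_DEFINITIONS = {"proxy/http": {"Type": "str", "Regex": r"^https?://[^/]+$"},
                      "example/port": {"Type": "portnumber"}, "example/timeout": {"Type": "int", "Min": "0"}}
SAMPLE_UCR = {"proxy/http": "http://10.61.16.6:3128/", "example/port": "3128", "example/timeout": "-5"}
```

Running `check_all(SAMPLE_DEFINITIONS, SAMPLE_UCR)` flags `proxy/http` (trailing slash) and `example/timeout` (below Min) and accepts `example/port`.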
MR: https://git.knut.univention.de/univention/ucs/-/merge_requests/357/
```
Package: univention-config-registry
Version: 15.0.7-20A~5.0.0.202209291831
Branch: ucs_5.0-0
Scope: errata5.0-2
Package: univention-management-console-module-diagnostic
Version: 6.0.2-3A~5.0.0.202209291833
Package: univention-base-files
Version: 9.0.3-9A~5.0.0.202209291835
Package: univention-antivir-mail
Version: 11.0.0-4A~5.0.0.202209291836

[5.0-2] 4e5d8d5b4c Bug #54495: UCR type checking YAML
 doc/errata/staging/univention-antivir-mail.yaml                          | 2 +-
 doc/errata/staging/univention-base-files.yaml                            | 2 +-
 doc/errata/staging/univention-config-registry.yaml                       | 2 +-
 doc/errata/staging/univention-management-console-module-diagnostic.yaml  | 2 +-
 4 files changed, 4 insertions(+), 4 deletions(-)
```

QA: https://git.knut.univention.de/univention/ucs/-/merge_requests/357#note_96712

```
[5.0-2] 46ae2c723a fix[UCR]: type checking
 .../univention-base-files.univention-config-registry-variables | 2 +-
 base/univention-config-registry/debian/changelog                | 9 +++++--
 .../python/univention/config_registry/frontend.py               | 4 +--
 base/univention-config-registry/tests/test_frontend.py          | 8 +++---
 .../debian/changelog                                            | 6 +++++
 .../umc/python/diagnostic/de.po                                 | 41 ++++++++++++++++-------------
 .../umc/python/diagnostic/plugins/64_check_ucr_types.py         | 10 ++++---
 7 files changed, 49 insertions(+), 31 deletions(-)

Package: univention-management-console-module-diagnostic
Version: 6.0.2-4A~5.0.0.202209301220
Branch: ucs_5.0-0
Scope: errata5.0-2
Package: univention-config-registry
Version: 15.0.7-21A~5.0.0.202209301222
Branch: ucs_5.0-0
Scope: errata5.0-2

[5.0-2] e84b729a4f Bug #54495: UCR type checking YAML
 doc/errata/staging/univention-config-registry.yaml                       | 2 +-
 doc/errata/staging/univention-management-console-module-diagnostic.yaml  | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

[5.0-2] 7a0dc1d62a fix[diag]: Add description at top
 management/univention-management-console-module-diagnostic/debian/changelog | 6 ++++++
 .../umc/python/diagnostic/plugins/64_check_ucr_types.py                    | 2 +-
 2 files changed, 7 insertions(+), 1 deletion(-)

Package: univention-management-console-module-diagnostic
Version: 6.0.2-5A~5.0.0.202209301239
Branch: ucs_5.0-0
Scope: errata5.0-2

[5.0-2] 03772b7f7f Bug #54495: univention-management-console-module-diagnostic 6.0.2-5A~5.0.0.202209301239
 doc/errata/staging/univention-management-console-module-diagnostic.yaml | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)
```
- UCR functional: OK
- UCR CLI: OK
- base-files / antivir UCR definitions: OK
- Diagnostic module / functional: OK
- Diagnostic module / messages: OK
- Tests: OK
- YAML: OK
<https://errata.software-univention.de/#/?erratum=5.0x451>
<https://errata.software-univention.de/#/?erratum=5.0x452>
<https://errata.software-univention.de/#/?erratum=5.0x453>
<https://errata.software-univention.de/#/?erratum=5.0x454>