Bug 42196 - Apache does not start during the UCS 4.2 setup
Apache does not start during the UCS 4.2 setup
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: Apache
UCS 4.2
Other Linux
: P5 normal (vote)
: UCS 4.2
Assigned To: Felix Botner
Stefan Gohmann
: interim-1
: 39286 (view as bug list)
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2016-08-31 06:42 CEST by Stefan Gohmann
Modified: 2017-04-04 18:29 CEST (History)
3 users (show)

See Also:
What kind of report is it?: Development Internal
What type of bug is this?: ---
Who will be affected by this bug?: ---
How will those affected feel about the bug?: ---
User Pain:
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional):
Max CVSS v3 score:


Attachments
More updates (18.24 KB, patch)
2016-09-08 10:42 CEST, Philipp Hahn
Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Stefan Gohmann univentionstaff 2016-08-31 06:42:23 CEST
univention-apache depends on libapache2-mod-auth-pam. libapache2-mod-auth-pam has been replaced in Debian with libapache2-mod-authnz-pam.

Restarting web server: apache2 failed!
The apache2 configtest failed. ... (warning).
Output of config test was:
apache2: Syntax error on line 140 of /etc/apache2/apache2.conf: Syntax error on line 1 of /etc/apache2/mods-enabled/auth_pam.load: Cannot load /usr/lib/apache2/modules/mod_auth_pam.so into server: /usr/lib/apache2/modules/mod_auth_pam.so: undefined symbol: ap_log_rerror
Action 'configtest' failed.
The Apache error log may have more information.
Comment 1 Philipp Hahn univentionstaff 2016-08-31 09:37:04 CEST
r72080 | Bug #42183 *: libapache2-mod-auth-pam -> libapache2-mod-authnz-pam
Comment 2 Stefan Gohmann univentionstaff 2016-08-31 19:49:25 CEST
Next error message:

root@unassigned-hostname:~# /etc/init.d/apache2 restart
[....] Restarting web server: apache2AH00557: apache2: apr_sockaddr_info_get() failed for unassigned-hostname
AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.0.1. Set the 'ServerName' directive globally to suppress this message
Action 'start' failed.
The Apache error log may have more information.
 failed!
root@unassigned-hostname:~#
Comment 3 Florian Best univentionstaff 2016-09-05 18:18:20 CEST
I got this error:

AH00526: Syntax error on line 58 of /etc/apache2/mods-enabled/ssl.conf:
Invalid command 'SSLMutex', perhaps misspelled or defined by a module not included in the server configuration
Comment 4 Felix Botner univentionstaff 2016-09-06 17:47:01 CEST
Apache 2.4 config has changed quite a bit. See http://httpd.apache.org/docs/current/upgrading.html.

What i have done so far (in univention-apache):

* Removed SSLMutex from mods-available/ssl.conf, SSLMutex is replaced with
  Mutex and there is a default Mutex config in the debian apache2.conf.

* conf.d/ucs.conf: conf.d is no longer supported, moved ucs.conf to 
  conf-available and activate/deactivate ucs in postinst/prerm
  Remove old template with dpkg-maintscript-helper in postrm, postinst
  and preinst

* a2dismod auth_pam during update, a2enmod authnz_pam by default (auth-pam
  has been replaced with authnz-pam)

* Options directives like "Options ExecCGI" are no loner supported,
  + or - before each optione is required, changed in ucs.conf (add + to all
  Options without + or -)

* The NameVirtualHost directive no longer has any effect, other than to emit a 
  warning. Removed from 000-default.conf and default-ssl.conf

TODO:
 * Access control: 
     Order allow,deny
     Allow from all
   is deprecated, the new way is 
     Require all granted
   This is a bit more complicated because we have several ucr variables for 
   order, allow and deny (see mods-available/proxy.conf). But there is a 
   access_compat module to support old-sytle access controls and it is enabled
   by default. So the old access controls should work.

   Do we want to migrate access controls?

Added bug #42296 for generic "clean up"
Comment 5 Felix Botner univentionstaff 2016-09-06 18:12:37 CEST
univention-apache

 * sites in sites-available now must have the suffix .conf
   -> renamed etc/apache2/sites-available/default-ssl to
      etc/apache2/sites-available/default-ssl.conf
   -> renamed etc/apache2/sites-available/default to
      etc/apache2/sites-available/default.conf
Comment 6 Philipp Hahn univentionstaff 2016-09-08 10:42:47 CEST
Created attachment 7988 [details]
More updates

conffiles/etc/apache2/conf-available/ucs.conf duplicates many setting from the default apache2 configuration in Debian:

| CustomLog /var/log/apache2/access.log combined

This belongs into the site configuration; it conflicts with the purpose of conf-available/other-vhosts-access-log.conf

| ErrorLog /var/log/apache2/error.log

This is already configured in apache2.conf

| <Directory />
|        Options +FollowSymLinks
|        AllowOverride None
| </Directory>

This is already configured in apache2.conf

| <Directory "/usr/lib/cgi-bin">
|        AllowOverride None
|        Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
|        Order allow,deny
|        Allow from all
| </Directory>

This is already in conf-available/serv-cgi-bin.conf

Also in ucs-sites.conf
| ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/

But the 'cgi' module is not enabled by default!


| <Directory /var/www/>
|         Options +Indexes +FollowSymLinks +MultiViews

1. This is configured in sites-available/000-default
2. Served data should be put into the ./html/ sub-directory for security reasons (#730372)
   UCRV apache2/documentroot needs adjustment

|        Order allow,deny
|        allow from all

As noted in comment 4 this is deprecated: <https://httpd.apache.org/docs/2.4/upgrading.html#run-time> → "Access control"

sites-available/000-default.conf needs to be renamed to default.conf
Comment 7 Philipp Hahn univentionstaff 2016-09-08 15:15:56 CEST
r72428 | Bug #42196 apache: Move 000-default.conf
r72427 | Bug #42196 apache: cgi-bin
r72426 | Bug #42196 apache: logging
r72425 | Bug #42196 apache: root
r72424 | Bug #42196 apache: Fix renamed conf file
r72423 | Bug #42196 apache: Restart

Package: univention-apache
Version: 9.0.1-1A~4.2.0.201609081328
Branch: ucs_4.2-0
Comment 8 Florian Best univentionstaff 2016-09-09 12:05:43 CEST
univention-management-console-module-udm (7.0.1-3):
r72457 | Bug #42196: apache: Move univention-directory-manager to univention-directory-manager.conf

univention-saml (4.0.0-3):
r72456 | Bug #42196: apache: Move univention-saml to univention-saml.conf
Comment 9 Florian Best univentionstaff 2016-09-13 14:25:30 CEST
*** Bug 39286 has been marked as a duplicate of this bug. ***
Comment 10 Florian Best univentionstaff 2016-09-15 14:37:56 CEST
REOPEN:
./base/univention-maintenance/.htaccess is not migrated. This causes 500 Internal service errors when using the statictics/mrtg module.
Comment 11 Felix Botner univentionstaff 2016-09-19 15:37:43 CEST
(In reply to Florian Best from comment #10)
> REOPEN:
> ./base/univention-maintenance/.htaccess is not migrated. This causes 500
> Internal service errors when using the statictics/mrtg module.

fixed
Comment 12 Stefan Gohmann univentionstaff 2017-01-13 16:55:12 CET
r75764:

univention-saml (4.0.1-1)
 * Consider the renamed univention-saml apache site in 91univention-
   saml.inst (Bug #42196)
Comment 13 Stefan Gohmann univentionstaff 2017-01-13 20:44:28 CET
r75786:

ucs-test (7.0.6-49)
  * 09_updater/pool.sh: Adjust configuration to Apache 2.4 (Bug #42196)
Comment 14 Stefan Gohmann univentionstaff 2017-02-01 07:43:41 CET
Apache setups works again.

Changelog: OK
Comment 15 Florian Best univentionstaff 2017-03-21 12:45:44 CET
Some more changes for this bug have been done in Bug #43988.
Comment 16 Stefan Gohmann univentionstaff 2017-04-04 18:29:49 CEST
UCS 4.2 has been released:
 https://docs.software-univention.de/release-notes-4.2-0-en.html
 https://docs.software-univention.de/release-notes-4.2-0-de.html

If this error occurs again, please use "Clone This Bug".