Univention Bugzilla – Bug 43520
Update to UCS 4.2 via UMC
Last modified: 2018-03-05 09:21:36 CET
The update to UCS 4.2 via UMC is a critical process.

1) Apache HTTPd cannot be restarted anymore.

# invoke-rc.d apache2 stop
[FAIL] Stopping web server: apache2 failed!
[warn] There are processes named 'apache2' running which do not match your pid file which are left untouched in the name of safety, Please review the situation by hand. ... (warning).
invoke-rc.d: initscript apache2, action "stop" failed.

I think we block the restart of apache completely via UMC causing issues with systemd?
→ The old apache process is still running

2) At some point the session is destroyed, leading to problems. Reauthentication doesn't work as the new UMC-Webserver runs with the old apache configuration. The new security limitations are evaluated and therefore causing that a browser refresh (javascript) is required.

A dialog pops up with:
""" Ein unbekannter Fehler mit Status-Code 501 trat während des Verbindungsaufbaus zum Server auf. Bitte versuchen Sie es später noch einmal."""
→ if the old javascript is used

And the following error is shown, if one opens UMC in a new tab:
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /univention/auth was not found on this server.</p>
<hr>
<address>Apache/2.2.22 (Univention) Server at 10.200.28.100 Port 80</address>
</body></html>

The solution would be:
* fix apache restart
* force a restart of apache, umc-server, umc-webserver in postup
* force a browser refresh in the updater
*** Bug 40034 has been marked as a duplicate of this bug. ***
(In reply to Florian Best from comment #1)
> *** Bug 40034 has been marked as a duplicate of this bug. ***

We should this time also handle the case if some (apache, UMC, ...) UCR conffiles are overwritten causing serious problems. But maybe this is not necessary because the files are renamed due to the apache upgrade?
I've tested the update via UMC of my test environment. It basically works but the log output gets stalled with this message:

----------------------------------------------------------------------------
Failed to process Subfile /etc/univention/templates/files/etc/apache2/sites-available/default.d/10univention-appcenter
Multifile: /etc/ldap/slapd.conf
Restarting ldap server(s).
Stopping ldap server(s): slapd ...done.
Starting ldap server(s): slapd ...failed.
564c7c1a OVER: Loading Translog Overlay 564c7c1a OVER: db_init 564c7c1a OVER: Configuring Translog Overlay 564c7c1a OVER: Configured Translog Overlay to use file "/var/lib/univention-ldap/listener/listener" 564c7c1a /etc/ldap/slapd.conf: line 177: unknown attr "@univentionPortalEntry" in to clause 564c7c1a ::= access to [ by [ ] [ ] ]+ ::= bin boot dev etc home initrd.img initrd.img.install initrd.img.old lib lib64 lost+found media mnt opt proc root run sbin srv sys tmp usr var vmlinuz vmlinuz.install vmlinuz.old | dn[.=] [filter=] [attrs=] ::= [val[/][.]=] | ::= [ , ] ::= | @ | ! | entry | children ::= [ bin boot dev etc home initrd.img initrd.img.install initrd.img.old lib lib64 lost+found media mnt opt proc root run sbin srv sys tmp usr var vmlinuz vmlinuz.install vmlinuz.old | anonymous | users | self | dn[.]= ] [ realanonymous | realusers | realself | realdn[.]= ] [dnattr=] [realdnattr=] [group[/[/]][.
----------------------------------------------------------------------------
Created attachment 8571 [details] Screenshot 1
Created attachment 8572 [details] Screenshot 2
I don't know what you did, but for me after the upgrade the old Apache and old UMC-Webserver are still running and therefore one cannot login.
*** Bug 44042 has been marked as a duplicate of this bug. ***
univention-updater (12.0.4-13):
r78239 | Bug #43520: adjust postup to restart UMC-Server, UMC-Webserver and Apache2 Bug #43520: don't upgrade with manually adjusted apache2 sites
(In reply to Florian Best from comment #8)
> univention-updater (12.0.4-13):
> r78239 | Bug #43520: adjust postup to restart UMC-Server, UMC-Webserver and
> Apache2 Bug #43520: don't upgrade with manually adjusted apache2 sites

I think you need to set the executable flag.
(In reply to Stefan Gohmann from comment #9)
> I think you need to set the executable flag.

Thanks :-) Done in:

univention-updater (12.0.4-14):
r78254 | Bug #43520: enable apache and UMC after postup
The updater.log contains now:

Restarting web server: apache2 failed!
There are processes named 'apache2' running which do not match your pid file which are left untouched in the name of safety, Please review the situation by hand. ... (warning).
We are suppressing the Apache restart (chmod -x) during Update via the UMC module. (Imho we can remove this check nowadays). After the update the new init script is installed which treats /var/run/apache2/apache2.pid as pidfile while the old one used /var/run/apache2.pid and therefore cannot restart UMC. I copy the pidfile in the postup so that the restart works.

univention-updater (12.0.4-15):
r78312 | Bug #43520: copy pidfile so that apache restart after upgrade works
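Added example (not part of the comment above and not the univention-updater postup code): one way to carry a pidfile over from the old init script's location to the new one only when it still names a live process with the expected name. The function names, the process-name check and the exit codes are assumptions; only the two pidfile paths come from the comment.

```sh
#!/bin/sh
# Added example; not the univention-updater postup script.
# Assumed exit codes: 0 = pidfile carried over, 1 = nothing to do, 2 = refused.

# Print the command name of a PID (Linux /proc first, ps as fallback).
proc_name() {
    if [ -r "/proc/$1/comm" ]; then cat "/proc/$1/comm"
    else ps -o comm= -p "$1" 2>/dev/null; fi
}

# Print the first line of a pidfile with all whitespace removed.
read_pid() { head -n 1 "$1" 2>/dev/null | tr -d '[:space:]'; }

# Succeed only if $1 is a numeric PID of a live process named $2.
# kill -0 needs permission to signal the process, so run this as root.
pid_is_live_named() {
    case $1 in ''|*[!0-9]*) return 1 ;; esac   # empty or non-numeric content
    kill -0 "$1" 2>/dev/null || return 1        # stale pidfile, process is gone
    _comm=$(proc_name "$1")
    [ -n "$_comm" ] && [ "$_comm" = "$2" ]
}

# carry_over_pidfile OLD NEW NAME
carry_over_pidfile() {
    # A valid pidfile at the new location must never be overwritten.
    if pid_is_live_named "$(read_pid "$2")" "$3"; then return 1; fi
    _pid=$(read_pid "$1")
    # Refuse a stale or recycled PID: the init script would signal it.
    pid_is_live_named "$_pid" "$3" || return 2
    mkdir -p "$(dirname "$2")" && printf '%s\n' "$_pid" > "$2" || return 2
}

# On the system from the comment above (paths taken from that comment):
#   carry_over_pidfile /var/run/apache2.pid /var/run/apache2/apache2.pid apache2
```

A return code of 2 means the old pidfile was missing, malformed or pointed at a process that is not the expected daemon, so the restart has to be handled by hand.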
Created attachment 8642 [details]
Screenshot

Now I see this. But imho this shouldn't occur because of Bug #43845. I'll check.
(In reply to Florian Best from comment #13)
> Created attachment 8642 [details]
> Screenshot
>
> Now I see this. But imho this shouldn't occur because of Bug #43845. I'll
> check.

Has been fixed.
Maybe we should check for manually adjusted UCR templates in:
/etc/apache2/conf.d/
/etc/apache2/conf-available/
Created attachment 8643 [details]
Screenshot

New behavior is: login dialog pops up showing "Forbidden". After entering credentials it says "404 Not found".
Created attachment 8646 [details]
umc-update-4.1-to-4.2.png

I've started a new update test. It got stuck and nothing happens. The update is finished since nearly two hours. I can see in the logfiles that the UMC processes and apache have been restarted:

------------------------------------------------------------------------------
[...]
Restarting Univention Management Console Server: univention-management-console-server.
Restarting Univention Management Console Web Server: univention-management-console-web-server.
Restarting web server: apache2.
****************************************************
* THE UPDATE HAS BEEN FINISHED SUCCESSFULLY. *
* Please make a page reload of UMC and login again *
****************************************************
Mi 18. Nov 14:42:59 CET 2015
done.
Setting version/version
root@master411:~# date
Mi 18. Nov 15:20:11 CET 2015
root@master411:~# ps -ef | grep -i apache2
root 7157 1 0 14:42 ? 00:00:00 /usr/sbin/apache2 -k start
www-data 7162 7157 0 14:42 ? 00:00:01 /usr/sbin/apache2 -k start
www-data 7164 7157 0 14:42 ? 00:00:00 /usr/sbin/apache2 -k start
www-data 7165 7157 0 14:42 ? 00:00:00 /usr/sbin/apache2 -k start
www-data 7166 7157 0 14:42 ? 00:00:00 /usr/sbin/apache2 -k start
www-data 7193 7157 0 14:43 ? 00:00:00 /usr/sbin/apache2 -k start
www-data 8699 7157 0 14:47 ? 00:00:00 /usr/sbin/apache2 -k start
www-data 9545 7157 0 14:50 ? 00:00:00 /usr/sbin/apache2 -k start
www-data 14083 7157 0 15:05 ? 00:00:00 /usr/sbin/apache2 -k start
www-data 14372 7157 0 15:06 ? 00:00:00 /usr/sbin/apache2 -k start
www-data 15335 7157 0 15:09 ? 00:00:00 /usr/sbin/apache2 -k start
root 18623 3036 0 15:20 pts/2 00:00:00 grep -i apache2
root@master411:~# ps -ef | grep -i management
root 7015 1 0 14:42 ? 00:00:01 /usr/bin/python2.7 /usr/sbin/univention-management-console-server restart
root 7060 1 0 14:42 ? 00:00:08 /usr/bin/python2.7 /usr/sbin/univention-management-console-web-server restart
root 18645 3036 0 15:20 pts/2 00:00:00 grep -i management
root@master411:~#
------------------------------------------------------------------------------
Can I defer the restart to one minute after the postup via an AT job?
(In reply to Florian Best from comment #18)
> Can I defer the restart to one minute after the postup via an AT job?

Let's try this:

univention-updater (12.0.4-16):
r78348 | Bug #43520: move UMC-Server restart into atjob
For me it works with the latest version. It is similar to Comment #3. Maybe we could fix it that the updater log output gets stalled.
(In reply to Stefan Gohmann from comment #3)
> I've tested the update via UMC of my test environment. It basically works
> but the log output gets stalled with this message:
>
> ----------------------------------------------------------------------------
> Failed to process Subfile
> /etc/univention/templates/files/etc/apache2/sites-available/default.d/
> 10univention-appcenter
> Multifile: /etc/ldap/slapd.conf
> Restarting ldap server(s).
> Stopping ldap server(s): slapd ...done.
> Starting ldap server(s): slapd ...failed.
> 564c7c1a OVER: Loading Translog Overlay 564c7c1a OVER: db_init 564c7c1a
> OVER: Configuring Translog Overlay 564c7c1a OVER: Configured Translog
> Overlay to use file "/var/lib/univention-ldap/listener/listener" 564c7c1a
> /etc/ldap/slapd.conf: line 177: unknown attr "@univentionPortalEntry" in to
> clause 564c7c1a ::= access to [ by [ ] [ ] ]+ ::= bin boot dev etc home
> initrd.img initrd.img.install initrd.img.old lib lib64 lost+found media mnt
> opt proc root run sbin srv sys tmp usr var vmlinuz vmlinuz.install
> vmlinuz.old | dn[.=] [filter=] [attrs=] ::= [val[/][.]=] | ::= [ , ] ::= | @
> | ! | entry | children ::= [ bin boot dev etc home initrd.img
> initrd.img.install initrd.img.old lib lib64 lost+found media mnt opt proc
> root run sbin srv sys tmp usr var vmlinuz vmlinuz.install vmlinuz.old |
> anonymous | users | self | dn[.]= ] [ realanonymous | realusers | realself |
> realdn[.]= ] [dnattr=] [realdnattr=] [group[/[/]][.
> ----------------------------------------------------------------------------

There was no escaping of "<" or ">" characters. I corrected this. Do we want to block the update to 4.2 until this erratum has been installed? I guess not.
univention-updater (11.0.11-23):
r78515 | Bug #43520: Make sure that log output is encoded correctly

univention-updater.yaml:
r78516 | Bug #43520: Add package version
r78515 | Bug #43520: Make sure that log output is encoded correctly

Changes merged to 4.2:

univention-updater (12.0.5-5):
r78517 | Bug #43520: Make sure that log output is encoded correctly
As discussed, the update is blocked unless the latest univention-updater package is installed for 4.1-4.

univention-updater (12.0.5-6):
r78520 | Bug #43520: Make sure that the latest UMC updater module is installed
Created attachment 8721 [details]
UMC 4.1 Empty Box

See attached screenshot. I've updated to test the latest UCS 4.1 test errata updates and I don't see any content in the logfile window. The update has been running for some minutes.
Created attachment 8722 [details]
UMC Console output

Another screenshot with the console.
See last comments. I've added a new UCR variable since we need it for our Jenkins tests. Please make a short code review: r78522
After a page reload, the output is shown.
As discussed, I removed the block in the preup script. Instead, univention-ldap-acl-* depend now on univention-ldap-config. After some thoughts, I concluded that a call to "ucr update" is not necessary in the postinst scripts of the package, as it is the dependency which ensures a correct state: schema before ACLs. In the updater.log one can see that the order would be incorrect:

---------- 8< ----------
> root@master471:~# grep 'wird eingerichtet ...' /var/log/univention/updater.log | grep univention-ldap
> univention-ldap-client (13.0.7-2A~4.2.0.201703292021) wird eingerichtet ...
> univention-ldap-acl-master (13.0.7-2A~4.2.0.201703292021) wird eingerichtet ...
> univention-ldap-config (13.0.7-2A~4.2.0.201703292021) wird eingerichtet ...
> univention-ldap-server (13.0.7-2A~4.2.0.201703292021) wird eingerichtet ...
---------- 8< ----------

univention-ldap (13.0.7-3):
r78539 | Bug #43520: Adjust dependencies for LDAP schema data and ACLs

univention-updater (12.0.6-3):
r78540 | Bug #43520: Remove block for latest erratum of univention-updater
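Added example (not part of the comment above and not Univention code): the manual grep from that comment turned into an ordering check over updater.log, generalised to any prerequisite package. The function names and exit codes are assumptions; the sample lines are constructed from the log excerpt quoted above.

```sh
#!/bin/sh
# Added example. Assumed exit codes of configured_before:
# 0 = order OK, 1 = wrong order, 2 = a package was never configured in this log.

# configured_before LOG FIRST SECOND: was FIRST set up before SECOND?
configured_before() {
    awk -v first="$2" -v second="$3" '
        { pkg = "" }
        / wird eingerichtet \.\.\./ { pkg = $1 }   # German locale, as in the log
        /^Setting up /              { pkg = $3 }   # English dpkg wording
        { sub(/:.*/, "", pkg) }                    # drop an ":arch" suffix
        pkg == first  && !f { f = NR }
        pkg == second && !s { s = NR }
        END {
            if (!f || !s) exit 2
            exit (f < s ? 0 : 1)
        }' "$1"
}

# Print each univention-ldap-acl-* package in LOG that was not set up after PREREQ.
acl_order_violations() {
    for acl in $(grep -o 'univention-ldap-acl-[a-z]*' "$1" | sort -u); do
        rc=0; configured_before "$1" "$2" "$acl" || rc=$?
        [ "$rc" -eq 0 ] || echo "$acl"
    done
}

# Constructed sample input: the four lines shown in the comment above.
sample_updater_log() {
    cat <<'EOF'
univention-ldap-client (13.0.7-2A~4.2.0.201703292021) wird eingerichtet ...
univention-ldap-acl-master (13.0.7-2A~4.2.0.201703292021) wird eingerichtet ...
univention-ldap-config (13.0.7-2A~4.2.0.201703292021) wird eingerichtet ...
univention-ldap-server (13.0.7-2A~4.2.0.201703292021) wird eingerichtet ...
EOF
}
```

Running `acl_order_violations` on the sample with `univention-ldap-config` as prerequisite prints `univention-ldap-acl-master`, the ordering problem the comment describes.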
(In reply to Alexander Kläser from comment #21)
> [...]
> univention-updater (11.0.11-23):
> r78515 | Bug #43520: Make sure that log output is encoded correctly
>
> univention-updater.yaml:
> r78516 | Bug #43520: Add package version
> r78515 | Bug #43520: Make sure that log output is encoded correctly

I reverted the changes in the 4.1-4 branch:

univention-updater (11.0.11-24):
r78545 | Bug #43520: Adapt debian changelog entry
r78544 | Revert "Bug #43520: Make sure that log output is encoded correctly"

univention-updater.yaml:
r78544 | Revert "Bug #43520: Make sure that log output is encoded correctly"
r78543 | Revert "Bug #43520: Add package version"
(In reply to Alexander Kläser from comment #27)
> [...]
> univention-ldap (13.0.7-3):
> r78539 | Bug #43520: Adjust dependencies for LDAP schema data and ACLs

This did not quite work, univention-ldap-acl-* needs to depend on univention-ldap-server, as it ships the UCR info file for slapd.conf.

univention-ldap (13.0.7-4):
r78558 | Bug #43520: Make ACLs depend on univention-ldap-server instead
I removed the dependency from univention-ldap-server to univention-ldap-acl-*. Instead, univention-ldap-acl-* have now dependencies to univention-ldap-server. univention-ldap-server-* have corresponding dependencies to univention-ldap-acl-* to make sure that these packages are installed.

univention-ldap (13.0.7-5):
r78558 | Bug #43520: Make ACLs depend on univention-ldap-server instead
*** Bug 41475 has been marked as a duplicate of this bug. ***
That works really well now. I've tested several updates via UMC.
UCS 4.2 has been released:
https://docs.software-univention.de/release-notes-4.2-0-en.html
https://docs.software-univention.de/release-notes-4.2-0-de.html

If this error occurs again, please use "Clone This Bug".