Bug 43626 - apache2 reload/restart does not work during system-setup
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: System setup
UCS 4.2
Other Linux
: P5 normal
: UCS 4.2
Assigned To: Erik Damrose
Stefan Gohmann
: interim-3
Depends on: 43217
Reported: 2017-02-23 14:58 CET by Erik Damrose
Modified: 2017-04-04 18:29 CEST (History)

What kind of report is it?: Development Internal

Attachments
setup.log (290.57 KB, text/x-log)
2017-02-23 14:58 CET, Erik Damrose
autotest-096-member-s3.log (644.90 KB, text/plain)
2017-03-14 06:11 CET, Stefan Gohmann

Description Erik Damrose univentionstaff 2017-02-23 14:58:41 CET
Created attachment 8454 [details]
setup.log

relevant part from setup.log:

Configure /usr/lib/univention-install/92univention-management-console-web-server.inst
2017-02-23 14:02:28.553893483+01:00 (in joinscript_init)
Setting ucs/web/overview/entries/admin/umc/icon
Setting ucs/web/overview/entries/admin/umc/link
Create ucs/web/overview/entries/admin/umc/link/de
Setting ucs/web/overview/entries/admin/umc/priority
File: /var/www/univention/meta.json
Setting ucs/web/overview/entries/admin/umc/label
Setting ucs/web/overview/entries/admin/umc/label/de
Setting ucs/web/overview/entries/admin/umc/description
Setting ucs/web/overview/entries/admin/umc/description/de
File: /var/www/univention/meta.json
E: object not found
Object created: SAMLServiceProviderIdentifier=https://master.ucs.local/univention/saml/metadata,cn=saml-serviceprovider,cn=univention,dc=ucs,dc=local
Object modified: SAMLServiceProviderIdentifier=https://master.ucs.local/univention/saml/metadata,cn=saml-serviceprovider,cn=univention,dc=ucs,dc=local
Not updating ucs/server/sso/fqdn
Reloading web server: apache2 failed!
Apache2 is not running ... (warning).
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
^M  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0curl: (7) Failed to connect to ucs-sso.ucs.local port 443: Verbindungsaufbau abgelehnt
Comment 1 Erik Damrose univentionstaff 2017-02-27 11:46:34 CET
nameserver1 was set to the dns forwarder, not the ucs master itself. We should wait for bug 43217 before looking into it, maybe the issue is resolved with 43217 fixed
Comment 2 Erik Damrose univentionstaff 2017-02-27 14:47:59 CET
The apache2 config should be reloaded in the joinscript, but that does not happen, so the curl call fails, as is seen in the comment0 log snippet.

Throughout the setup.log every apache2 restart/reload fails this way, until the 99_restart_umc restarts apache2 successfully. First occurrence is at 40_ssl/10ssl
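Added example (not part of the original report and not Univention's code): one way to find which scripts hit the failed reload described in comment 2, by attributing each "Reloading web server: apache2 failed!" line to the script section it appears in. It assumes every section starts with a "Configure <path>" line as in the excerpt from comment 0; the function names and the sample log are constructed for illustration.

```shell
#!/bin/sh
# Added example: attribute failed apache2 reloads in setup.log to scripts.
# Assumption: each script's section starts with a "Configure <path>" line,
# as in the excerpt from comment 0.

failed_reloads() {
    # Reads a setup.log from the file in $1 (or stdin when no file is given)
    # and prints "<failure count> <script>" for every script whose section
    # contains a failed reload, in order of first occurrence.
    awk '
        /^Configure / { current = $2; next }
        /^Reloading web server: apache2 failed!/ {
            if (current == "") current = "(before first script)"
            if (!(current in count)) order[++n] = current
            count[current]++
        }
        END { for (i = 1; i <= n; i++) print count[order[i]], order[i] }
    ' "${1:--}"
}

# Constructed sample input. Only the 92... script name and the two apache2
# messages are taken from the log excerpt in this report; the rest is made up.
sample_log() {
    cat <<'EOF'
Configure /usr/lib/univention-install/10constructed-example.inst
Setting some/constructed/variable
Configure /usr/lib/univention-install/92univention-management-console-web-server.inst
Not updating ucs/server/sso/fqdn
Reloading web server: apache2 failed!
Apache2 is not running ... (warning).
Configure /usr/lib/univention-install/95constructed-example.inst
Reloading web server: apache2 failed!
Reloading web server: apache2 failed!
EOF
}

sample_log | failed_reloads
```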
Comment 3 Erik Damrose univentionstaff 2017-02-27 15:43:14 CET
Seems to be a regression, previously there was an explicit apache2 restart somewhere - some joinscript? I added an apache2 restart in setup-join.sh after the host certificate is created. Also: certificate for the default FQDN "unassigned-hostname.unassigned-domain" is ignored during 40_ssl/10ssl --force-recreate 

r77126 univention-system-setup 10.0.7-11A~4.2.0.201702271540
Comment 4 Erik Damrose univentionstaff 2017-03-03 14:34:28 CET
In my implicit tests with DVDs in the last days, this did not lead to any issues, so RESOLVED for now. I added a changelog entry:

r77327 changelog
Comment 5 Erik Damrose univentionstaff 2017-03-13 16:46:26 CET
reopen: breaks reading of installation status on roles != master. I think the restart should be moved to the ssl reconfiguration step on the master.
Comment 6 Erik Damrose univentionstaff 2017-03-13 16:51:47 CET
I moved the check upwards to the role = master specific check. Let's see what effect that has for the SSO joinscripts on other system roles.

univention-system-setup 10.0.8-3A~4.2.0.201703131651
Comment 7 Erik Damrose univentionstaff 2017-03-13 17:24:43 CET
Another change after discussing this:

I removed the role specific "univention-certificate new", as this only runs on the master, but directly above that is (abbreviated):

if [ "$server_role" = "domaincontroller_master" ]; then
    /usr/lib/univention-system-setup/scripts/40_ssl/10ssl --force-recreate
fi

.. which recreates the CA and all previously created host certificates

r77654 univention-system-setup 10.0.8-4A~4.2.0.201703131724
Comment 8 Stefan Gohmann univentionstaff 2017-03-14 06:11:33 CET
It looks like it breaks the Jenkins tests. Attached you can find the Jenkins logfile of a Master / Member setup which seems to be in an endless loop.

The /etc/univention/ssl directory looks like this:

root@master096:~# ls -la /etc/univention/ssl/
insgesamt 20
drwxr-xr-x  3 root root 4096 Mär 13 18:50 .
drwxr-xr-x 11 root root 4096 Mär 13 18:52 ..
-rw-------  1 root root 2813 Mär 13 18:50 openssl.cnf
-rw-------  1 root root   20 Mär 13 18:50 password
drwxr-xr-x  6 root root 4096 Mär 13 18:51 ucsCA
root@master096:~# 

I'll revert r77654 and restart the Jenkins tests.
Comment 9 Stefan Gohmann univentionstaff 2017-03-14 06:11:57 CET
Created attachment 8527 [details]
autotest-096-member-s3.log
Comment 10 Stefan Gohmann univentionstaff 2017-03-14 06:16:33 CET
r77679:
 * Re-added the duplicated certificate renewal (Bug #43626)
Comment 11 Erik Damrose univentionstaff 2017-03-14 10:40:10 CET
I assumed the master certificate would be (re-)created in the 10ssl setup script, but it did not.

I moved the initial master certificate creation into the dc-master specific codepath in setup-join.sh
r77680 univention-system-setup 10.0.9-2A~4.2.0.201703141036

Quick test with DC Master and Backup worked.
Comment 12 Stefan Gohmann univentionstaff 2017-03-14 20:03:48 CET
Code review: OK (r77126 + r77654 + r77679 + r77680)

Changelog: tbd

Installation Master DVD: OK

Installation Slave: OK

Installation Master Remote: Fail. If I start the setup configuration via HTTPS from a web browser, the system setup wizard shows much too early that the setup has been finished. Maybe the new apache2 restart is responsible?
Comment 13 Erik Damrose univentionstaff 2017-03-15 10:57:54 CET
https from remote host during debian installer: Yes, this is an issue due to the apache2 restart. It was introduced by bug #42500 at the end of 2016. I think we did that because univention-ssl behaved differently, then.

So it is not strictly a regression in 4.2.

No changelog as this bug fixed a regression in 4.2 system setup: SSO joinscripts were not running completely
Comment 14 Stefan Gohmann univentionstaff 2017-03-15 17:30:55 CET
(In reply to Erik Damrose from comment #13)
> https from remote host during debian installer: Yes, this is an issue due to
> the apache2 restart. It was introduced by bug #42500 at the end of 2016. I
> think we did that because univention-ssl behaved differently, then.
> 
> So it is not strictly a regression in 4.2.

OK.

> No changelog as this bug fixed a regression in 4.2 system setup: SSO
> joinscripts were not running completely

OK, it works now.
Comment 15 Stefan Gohmann univentionstaff 2017-04-04 18:29:03 CEST
UCS 4.2 has been released:
 https://docs.software-univention.de/release-notes-4.2-0-en.html
 https://docs.software-univention.de/release-notes-4.2-0-de.html

If this error occurs again, please use "Clone This Bug".