Bug 46467 - UMC session issues when updating to UCS 4.3
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: UMC - Software update
UCS 4.3
Other Linux
: P5 normal
: UCS 4.3
Assigned To: Stefan Gohmann
Erik Damrose
: interim-4
Depends on:
Blocks: 46420
Reported: 2018-03-02 15:38 CET by Erik Damrose
Modified: 2019-02-27 18:05 CET

See Also:
What kind of report is it?: Bug Report
What type of bug is this?: 5: Major Usability: Impairs usability in key scenarios
Who will be affected by this bug?: 4: Will affect most installed domains
How will those affected feel about the bug?: 2: A Pain – users won’t like this once they notice it
User Pain: 0.229
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional): Usability
Max CVSS v3 score:


Description Erik Damrose univentionstaff 2018-03-02 15:38:11 CET
When updating to UCS 4.3 via UMC I get logged out of my UMC session. There is a popup telling me to reauthenticate, and the message "Forbidden".

I would expect to be able to monitor the updater.log in the UMC updater module while the update is happening - short warnings when the UMC server is restarted are okay.
Comment 1 Stefan Gohmann univentionstaff 2018-03-05 09:32:35 CET
Did you log in via SAML?
Comment 2 Erik Damrose univentionstaff 2018-03-05 09:55:30 CET
No, regular login
Comment 3 Stefan Gohmann univentionstaff 2018-03-05 21:59:39 CET
It looks like the postinst of univention-apache restarts the apache process.

By default, the apache2 executable flag is removed before the update is started and the init script doesn't restart the service. At least, it was the case before systemd.

So, something like this:

root@backup422:~# chmod -x /usr/sbin/apache2
root@backup422:~# ls -la /usr/sbin/apache2
-rw-r--r-- 1 root root 662632 Nov 27  2017 /usr/sbin/apache2
root@backup422:~# pidof apache2
26693 26692 26690 26689 26688 26687 26686 26685 26683
root@backup422:~# /etc/init.d/apache2 stop
[ ok ] Stopping apache2 (via systemctl): apache2.service.
root@backup422:~# pidof apache2
root@backup422:~# /etc/init.d/apache2 start
[....] Starting apache2 (via systemctl): apache2.serviceJob for apache2.service failed because the control process exited with error code.
See "systemctl status apache2.service" and "journalctl -xe" for details.
 failed!
root@backup422:~# pidof apache2
root@backup422:~# chmod +x /usr/sbin/apache2
root@backup422:~# /etc/init.d/apache2 start
[ ok ] Starting apache2 (via systemctl): apache2.service.
root@backup422:~# 

Next, I'll check if it works if apache is restarted normally.
Comment 4 Stefan Gohmann univentionstaff 2018-03-06 06:51:40 CET
[4.3-0 d3f2e61696] * Restart apache2 in postinst only if configtest is successful   (Bug #46467)
Comment 5 Stefan Gohmann univentionstaff 2018-03-06 07:50:56 CET
[4.3-0 37b9199661] * Restart Apache only if configtest is successful (Bug #46467)
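
The guard discussed in comments 3 to 5 (restart Apache from a postinst only when the binary is still executable and the configtest passes), as an added example that is not part of the bug thread and not Univention's actual postinst. The APACHE_* override variables, the function name and the return codes are assumptions made for illustration; the default paths are the ones quoted in the thread.

```shell
#!/bin/sh
# Added example: guarded Apache restart for a package maintainer script.
# APACHE_BIN, APACHE_CTL and APACHE_INIT are hypothetical overrides so the
# function can be exercised against stubs; defaults match the thread.
APACHE_BIN="${APACHE_BIN:-/usr/sbin/apache2}"
APACHE_CTL="${APACHE_CTL:-/usr/sbin/apache2ctl}"
APACHE_INIT="${APACHE_INIT:-/etc/init.d/apache2}"

# Return codes (assumed convention for this example):
#   0  restarted
#   1  restart attempted but failed
#   2  skipped: binary not executable (updater removed the x flag)
#   3  skipped: configtest failed
guarded_apache_restart() {
    # During an update the executable flag may have been removed on purpose.
    # A stop/start cycle would then kill the running server without being
    # able to bring it back, which drops every web session.
    if [ ! -x "$APACHE_BIN" ]; then
        echo "apache2 not executable, leaving running instance untouched" >&2
        return 2
    fi
    # Only restart when the new configuration actually loads.
    if ! "$APACHE_CTL" configtest >/dev/null 2>&1; then
        echo "apache2ctl configtest failed, not restarting" >&2
        return 3
    fi
    "$APACHE_INIT" restart >/dev/null 2>&1 || return 1
    return 0
}
```

In a postinst running under `set -e`, call it as `guarded_apache_restart || true` if a skipped restart should not fail the package configuration.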
Comment 6 Stefan Gohmann univentionstaff 2018-03-06 08:14:38 CET
[4.3-0 82ce41e23b] Changelog Bug #46467
Comment 7 Stefan Gohmann univentionstaff 2018-03-06 09:16:07 CET
[4.3-0 aea7fd3b54] * Ensure apache is up and running during the installation process   (Bug #46467)
Comment 8 Stefan Gohmann univentionstaff 2018-03-06 09:42:22 CET
At least if I log in via SAML, I get a session expiry during the upgrade. Nevertheless, the updater log info in the background is still updated. I can see a 401 response in the Firefox network console:

POST /univention/get/session-info HTTP/1.1
Host: 10.201.42.1
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:58.0) Gecko/20100101 Firefox/58.0
Accept: application/json; q=1.0, text/html; q=0.3; */*; q=0.1
Accept-Language: de-DE
Accept-Encoding: gzip, deflate
Referer: http://10.201.42.1/univention/management/
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Cookie: UMCSessionId=c1408e94-eb9f-4a2f-8fa1-197cbd75cb60
DNT: 1
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
Content-Length: 0

HTTP/1.1 401 Unauthorized
Date: Tue, 06 Mar 2018 08:33:50 GMT
Server: CherryPy/3.5.0
X-Permitted-Cross-Domain-Policies: master-only
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
Content-Length: 98
Content-Type: application/json
Via: 1.1 master421.deadlock42.intranet
Keep-Alive: timeout=5, max=5
Connection: Keep-Alive

{"status": 401, "message": "", "traceback": null, "location": "http://10.201.42.1/univention/get"}
Comment 9 Stefan Gohmann univentionstaff 2018-03-06 11:10:14 CET
[4.3-0 91b3a5ee3d] * Move apache start to startxwithfirefox (Bug #46467)
Comment 10 Stefan Gohmann univentionstaff 2018-03-06 11:47:55 CET
[4.3-0 a9e65b797e] * Ensure apache is started in startxwithfirefox (Bug #46467)
Comment 11 Stefan Gohmann univentionstaff 2018-03-06 20:46:21 CET
(In reply to Stefan Gohmann from comment #8)
> At least if I log in via SAML, I get a session expiry during the upgrade.
> Nevertheless, the updater log info in the background is still updated. I can
> see a 401 response in the Firefox network console:
> 
> POST /univention/get/session-info HTTP/1.1
> Host: 10.201.42.1
> User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:58.0) Gecko/20100101
> Firefox/58.0
> Accept: application/json; q=1.0, text/html; q=0.3; */*; q=0.1
> Accept-Language: de-DE
> Accept-Encoding: gzip, deflate
> Referer: http://10.201.42.1/univention/management/
> Content-Type: application/x-www-form-urlencoded
> X-Requested-With: XMLHttpRequest
> Cookie: UMCSessionId=c1408e94-eb9f-4a2f-8fa1-197cbd75cb60
> DNT: 1
> Connection: keep-alive
> Pragma: no-cache
> Cache-Control: no-cache
> Content-Length: 0
> 
> HTTP/1.1 401 Unauthorized
> Date: Tue, 06 Mar 2018 08:33:50 GMT
> Server: CherryPy/3.5.0
> X-Permitted-Cross-Domain-Policies: master-only
> X-XSS-Protection: 1; mode=block
> X-Content-Type-Options: nosniff
> X-Frame-Options: DENY
> Content-Length: 98
> Content-Type: application/json
> Via: 1.1 master421.deadlock42.intranet
> Keep-Alive: timeout=5, max=5
> Connection: Keep-Alive
> 
> {"status": 401, "message": "", "traceback": null, "location":
> "http://10.201.42.1/univention/get"}

That is Bug #37715 and no regression. The best solution would be Bug #37223. Anyway, it is the same as in previous UCS versions.

It is now better because of the Apache changes but it is not perfect.
Comment 12 Erik Damrose univentionstaff 2018-03-07 13:25:44 CET
OK: the behavior is improved, I get the popup at the end of the upgrade, not while upgrading
OK: changelog
Verified
Comment 13 Philipp Hahn univentionstaff 2018-03-13 13:54:04 CET
I got this while installing a UCS-4.3-0 test errata:
> Ihre Sitzung ist abgelaufen, bitte melden Sie sich erneut an.
> Verboten

What is 'verboten'?
I guess it is:
> /usr/sbin/apache2ctl: 208: /usr/sbin/apache2ctl: /usr/sbin/apache2: Permission denied
> Action '--configtest' failed.
Please provide human understandable error messages!

FYI: I did not use SAML/Kerberos.
Comment 14 Florian Best univentionstaff 2018-03-13 16:07:50 CET
(In reply to Philipp Hahn from comment #13)
> I got this while installing a UCS-4.3-0 test errata:
> > Ihre Sitzung ist abgelaufen, bitte melden Sie sich erneut an.
> > Verboten
> 
> What is 'verboten'?
> I guess it is:
> > /usr/sbin/apache2ctl: 208: /usr/sbin/apache2ctl: /usr/sbin/apache2: Permission denied
> > Action '--configtest' failed.
> Please provide human understandable error messages!
> 
> FYI: I did not use SAML/Kerberos.

"Forbidden" means the command is not allowed because you are not authenticated or you don't have the permissions to execute it. It has nothing to do with some Apache restart. It's from the UMC-Server core. I think this is because the UMC-Webserver was restarted during the update and the current session is lost.
Comment 15 Stefan Gohmann univentionstaff 2018-03-14 14:38:21 CET
UCS 4.3 has been released:
 https://docs.software-univention.de/release-notes-4.3-0-en.html
 https://docs.software-univention.de/release-notes-4.3-0-de.html

If this error occurs again, please use "Clone This Bug".