Univention Bugzilla – Bug 47969
Add pre-joinscript hook for UCS@school
Last modified: 2019-03-12 10:58:42 CET
Add a pre-joinscript hook for UCS@school, that installs the role-packages on all UCS systems and installs UCS@school on edu/admin school slaves.
Please run univention-app update before trying to install ucs@school. The setup on my slave (ucs appliance) failed with univention-join-hooks: looking for hook type "join/pre-joinscripts" on master.test.local Found hooks: cn=ucsschool-join-hook.py,cn=data,cn=univention,dc=test,dc=local Running: ucsschool-join-hook.py (cn=ucsschool-join-hook.py,cn=data,cn=univention,dc=test,dc=local) in /tmp/tmp4JvL9G/tmpI7ZB87 Unable to cache apps usage: univention-app install [-h] [--noninteractive] [--username USERNAME] [--pwdfile PWDFILE] [--set KEY=VALUE [KEY=VALUE ...]] [--dry-run] [--do-not-revert] [--only-master-packages] [--do-not-install-master-packages-remotely] [--do-not-pull-image] app univention-app install: error: Unable to find version 4.4 v1 of app ucsschool. Maybe "/usr/bin/univention-app update" to get the latest list of applications? ERROR:__main__:univention-app install ucsschool=4.4 v1 --skip-check must_have_valid_license --do-not-call-join-scripts failed with exit code 2! ERROR: join/pre-joinscripts hook /tmp/tmp4JvL9G/tmpI7ZB87 failed. after univention-app update, the join worked
The goal of this bug is to implement the adjustments to reduce the number of installation scenarios of UCS@school (see also 20190211-Konzept-Sambavereinfachungen.odt in filestore). As part of these adjustments, a join hook of the type "join/pre-joinscripts" was added in this bug. The hook is registered by the ucs-school-master/ucs-school-singlemaster joinscript via ucs_registerLDAPExtension in LDAP (new settings/data object). The hook is then executed (starting with UCS 4.4-0) by univention-join and univention-run-join-scripts *before* running the join scripts (due to its hook type: other hook types: "join/pre-join" and "join/post-joinscripts"). The hook should automatically install UCS@school metapackages, which among other things make important Samba settings, so that e.g. the Samba RIDs (and thus also SIDs) are generated uniformly by UDM and not by the different AD systems, in order to avoid SID collisions. The hook automatically determines whether a metapackage of UCS@school should be installed on the affected system. The system role and group memberships (administration DC vs. educational DC vs. central slave) for DC slaves are used for this. No metapackage is currently installed on member servers (→ no metapackage available/required). Since the hook is executed before the join scripts, the Samba can be configured correctly on school servers (no DRS etc.) BEFORE the Samba is provisioned for the first time. This is a crucial factor in reducing complexity. If a metapackage is to be installed, the UCS@school repositories must be included. The simplest, most comprehensible and update-safe way is to install the "UCS@school" app on the affected systems. The hook therefore installs the standard packages of the app --> the UCS@school installer. The determined metapackage is then installed. Each time the hook is run, the system checks again whether the UCS@school app has been installed (and if so, makes up for it) and whether all the necessary metapackages have been installed (and if so, makes up for it). When installing the UCS@school app, the hook uses the same app version that is installed on the master. The master version used is queried by the master via univention-ssh. If a different Major Minor version of UCS is installed on the Master, no version specification is used for the App during App installation to avoid installation problems. Since the master must have a higher or the same size UCS version as the system to be joined anyway, a query for version equality is sufficient here. On already jointed systems (backup + central slave), the necessary metapackage from UCS@school is also installed after the installation of UCS@school on the master with the next execution of univention-run-join-scripts on these systems. The LDAP connection used in the hook is established directly to the master with the specified join credentials, since the local LDAP may not yet be provisioned at the time of execution. In docker containers (recognized by UCRV docker/container/uuid), the hook terminates immediately after startup, since no meta packets from UCS@school are required or could be harmful there. The following data is passed to the join hook by univention-join or univention-run-join-scripts via command line parameters: --server-role: Server role --master: FQDN of the master --binddn: BindDN of the join user (e.g. uid=administrator,cn=uses,$LDAP_BASE) --bindpwdfile: File name that contains the BindPWD. --hooktype: For which hook type the script is executed (currently only 'join/post-joinscripts' are supported)
The determination algorithm has been adapted slightly: - on domaincontroller_backup and domaincontroller_slave systems, the hook now checks, if a metapackage is already installed. If this is the case, exactly this package name ist returned. - the hook now installs ucs-school-master resp. ucs-school-singlemaster on domaincontroller_backup system (depending on the master's UCR variable ucsschool/singleserver). The UCR variable ucsschool/join/hook/join/pre-joinscripts has been introduced. If ucsschool/join/hook/join/pre-joinscripts=no is set, the hook quits directly after parsing the CLI arguments (→ hook is disabled). A small logic error has been fixed when checking the hook type argument. 5ac932462 Bug #47969: fix hook type check 1d4310ec7 Bug #47969: update detection/determination of metapackages in join hook Package: ucs-school-metapackage Version: 12.0.0-29A~4.4.0.201902211717 Branch: ucs_4.4-0 Scope: ucs-school-4.4
Installation/update tests showed, that the join scripts for the DC master do not fail if the registration of the new join hook fails → fixed. Also, the join hook is now a little bit more chatty. 1dd022535 Bug #47969: joinscript should die if hook registration fails bcbbcbb39 Bug #47969: add additional debug output Package: ucs-school-metapackage Version: 12.0.0-30A~4.4.0.201902220124 Branch: ucs_4.4-0 Scope: ucs-school-4.4
OK: changes to join scripts OK: pre-joinscript code **: extra cookies for using namedtuples OK: pre-joinscript is installed by dc master and started by u-join OK: on a DC backup "ucs-school-master" is installed, on slaves "ucs-school-slave" or "ucs-school-nonedu-slave" OK: exits when executed in a docker container OK: detects and installs on a central slave (unrelated error: Bug #47957#c11) OK: user documentation is handled in Bug #47953 [4.4 e95eed52c] Bug #47969: advisory
UCS@school 4.4 v1 has been released. https://docs.software-univention.de/release-notes-ucsschool-4.4v1-de.html If this error occurs again, please clone this bug.