Bug 48731 - 00ucs-school-app-version-check.inst fails immediately on initial join of a DC backup
00ucs-school-app-version-check.inst fails immediately on initial join of a DC...
Status: CLOSED FIXED
Product: UCS@school
Classification: Unclassified
Component: General
UCS@school 4.4
Other Linux
: P5 normal (vote)
: UCS@school 4.4 v1
Assigned To: Sönke Schwardt-Krummrich
Daniel Tröder
:
Depends on:
Blocks: 48751
  Show dependency treegraph
 
Reported: 2019-02-21 23:36 CET by Sönke Schwardt-Krummrich
Modified: 2019-03-12 10:59 CET (History)
0 users

See Also:
What kind of report is it?: Bug Report
What type of bug is this?: 6: Setup Problem: Issue for the setup process
Who will be affected by this bug?: 4: Will affect most installed domains
How will those affected feel about the bug?: 4: A User would return the product
User Pain: 0.549
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional):
Max CVSS v3 score:


Attachments
join.log (contains 2 join attempts: 1 fails, 1 successful) (25.27 KB, application/gzip)
2019-02-21 23:38 CET, Sönke Schwardt-Krummrich
Details

Note You need to log in before you can comment on or make changes to this bug.
Description Sönke Schwardt-Krummrich univentionstaff 2019-02-21 23:36:22 CET
The joinscript 00ucs-school-app-version-check.inst failed silently on initial join of a UCS 4.4 DC backup. On the DC master, UCS@school had been installed and correctly configured (a join hook had been installed). The join hook installed the UCS@school app and the metapackage ucs-school-master on the DC backup. The postinst scripts of several packages directly call their joinscript. This is why 63ucs-school-portal-entry.inst is called directly before  
00ucs-school-app-version-check.inst.

00ucs-school-app-version-check.inst is started but then immediately fails without error message in the logfile. Since this is the first join script on a DC backup, the join attempt fails.

A second join attempts runs through without problems. The reason for the first fail is currently unknown.

Calling joinscript 63ucs-school-portal-entry.inst ...
2019-02-20 18:48:14.366037821+01:00 (in joinscript_init)
WARNING: cannot append cn=domain,cn=portal,cn=univention,dc=nstx,dc=local to portal, value exists
WARNING: cannot append ['de_DE', 'UCS@school'] to displayName, value exists
WARNING: cannot append ['en_US', 'UCS@school'] to displayName, value exists
WARNING: cannot append ['fr_FR', 'UCS@school'] to displayName, value exists
WARNING: cannot append ['de_DE', 'UCS@school Module in der Univention Management Console'] to description, value exists
WARNING: cannot append ['en_US', 'UCS@school modules in the Univention Management Console'] to description, value exists
WARNING: cannot append ['fr_FR', 'Modules UCS@school dans Univention Management'] to description, value exists
No modification: cn=teacherconsole,cn=portal,cn=univention,dc=nstx,dc=local
No modification: cn=teacherconsole,cn=portal,cn=univention,dc=nstx,dc=local
2019-02-20 18:48:14.932175226+01:00 (in joinscript_save_current_version)
Joinscript 63ucs-school-portal-entry.inst finished with exitcode 0
Trigger für univention-config (13.0.0-6A~4.3.0.201811121038) werden verarbeitet ...
Trigger für python-support (1.0.15.18.201403132013) werden verarbeitet ...
W: --force-yes is deprecated, use one of the options starting with --allow instead.
Configure 00ucs-school-app-version-check.inst Wed Feb 20 18:48:16 CET 2019
2019-02-20 18:48:16.595955986+01:00 (in joinscript_init)


**************************************************************************
* Join failed!                                                           *
* Contact your system administrator                                      *
**************************************************************************
* Message:  Please visit https://help.univention.com/t/8842 for common problems during the join and how to fix them -- FAILED: 00ucs-school-app-version-check.inst
**************************************************************************
Wed Feb 20 18:48:16 CET 2019: finish /usr/sbin/univention-join
Comment 1 Sönke Schwardt-Krummrich univentionstaff 2019-02-21 23:37:40 CET
s/silently/immediately and without log output/
Comment 2 Sönke Schwardt-Krummrich univentionstaff 2019-02-21 23:38:55 CET
Created attachment 9857 [details]
join.log (contains 2 join attempts: 1 fails, 1 successful)
Comment 3 Sönke Schwardt-Krummrich univentionstaff 2019-02-24 03:09:08 CET
I finally understood the problem:

An unjoined domain controller backup should be added to an existing UCS@school-4.4 domain via univention-join. univention-join creates a host account in LDAP and also empties the /var/univention-join/status file, which lists which join scripts have already been executed in which version.

Now the join hook becomes active and installs the UCS@school app as well as the metapackage ucs-school-master/ucs-school-singlemaster and its various dependencies. During the installation of the packages, various join scripts of these packages are also executed in the postinst scripts. This happens e.g. via a call_joinscript call. The (All?) join scripts run successfully because they have received valid join credentials as arguments and the local host account is already valid also. The join scripts then enter themselves in the /var/univention-join/status file as successfully completed.

After the hook is finished, the control goes back to univention-join, which then executes all existing join scripts. As soon as univention-join now executes a joinscript, which has already run successfully during the installation of UCS@school, the joinscript terminates with exitcode 1 (which means for univention-run-join-scripts as much as "I have already run successfully in the lastest version. I don't have to do anything anymore"). According to univention-join, all joinscripts have not been run yet (the status file was emptied a moment ago), and therefore every exitcode != 0 is interpreted as a serious error and aborts the join process.
This also happened in the above case.

The fact that the join scripts are already executed during the installation of the packages is not optimal at this point. One possibility would have been to patch call_joinscript from univention-lib in such a way that the execution on a DC backup can be prevented e.g. by a UCR variable (temporarily set by the join hook). However, since there are still some packages that execute the joinscripts directly and do not do this via call_joinscript, this would not have been a reliable solution.
Nevertheless, I switched all found UCS@school packages to call_joinscript accordingly (see commits below).

In the end, I have adapted the join hook so that it checks the file /var/univention-join/status on startup and remembers the size and its presence. After all packages have been installed from the hook, the status file BEFORE the installation of UCS@school is checked to see if it was missing or 0 bytes in size (this is only the case if the hook is executed by univention-join!). In this case, the status file is restored to its original state (deleted or shortened to 0 bytes). If the control then goes over to univention-join again, there are no problems with the execution of the join scripts, because according to the status file none has been executed successfully yet.

I think it is possible to reset the status file without any major problems, as this roughly corresponds to the situation where a rejoin is triggered via univention-join on a ready-to-use UCS@school system. Even then, with the current standard behaviour, all join scripts have run successfully, the status file is shortened to 0 bytes and then all join scripts are executed again. And also all other join hooks should show this behavior, otherwise they run into the same problem.
If the status file is not 0 bytes large, the join hook is executed by univention-run-join-scripts and no further action is necessary with regard to the status file.

22bb08915 Bug #48731, #48743: update advisories
cb3993405 Bug #48731: fixup for cd09fa800c4d3f1876e8ddbe2cc5f1ae7076f4ae: remove unused file
02a6e6153 Bug #48731: update advisory
cd09fa800 Bug #48731: add changelog entry
3d9e5b1e8 Bug #48731: use call_joinscript instead of calling the joinscript directly
8d9f7b233 Bug #48731: add changelog entry
501dfff22 Bug #48731: keep /var/univention-join/status empty during univention-join
96dd92224 Bug #48731: remove debug output
3cd2f07fd Bug #48731: add changelog entry
dd18eaad5 Bug #48731: add advisory
8bd4a764a Bug #48731: use call_joinscript instead of calling joinscript directly
fdc025671 Bug #48731: update advisory
e7a221fe7 Bug #48731: add changelog entry
a93e5bf60 Bug #48731: use call_joinscript instead of calling the joinscript directly
de22f5945 Bug #48731: removed outdated conflicts
af007e1c0 Bug #48731: add debug output to 00ucs-school-app-version-check.inst

Rebuilt packages:
- ucs-school-metapackage 12.0.0-34A~4.4.0.201902240136
- ucs-school-import 17.0.4-8A~4.4.0.201902240135
- ucs-school-ldap-acls-master 17.0.0-1A~4.4.0.201902240135
- ucs-school-umc-exam 9.0.0-2A~4.4.0.201902240136
Comment 4 Daniel Tröder univentionstaff 2019-02-25 11:25:32 CET
Still manually testing the solution, but in the meantime:

OK: fix postinst to use call_joinscript
OK: removed outdated conflicts
REOPEN: /var/univention-join/status is not the join hooks data file. It should not meddle in other softwares data structures. Please apply the KeepEmptyStatusFile() code to the univention-join package, where the pre-join-hooks are called. This will also fix the problem for other pre-join-hooks and make the management team aware of it.
Comment 5 Sönke Schwardt-Krummrich univentionstaff 2019-02-25 14:25:53 CET
We discussed the topic again and decided that univention-join would reset the status file itself (see also bug 48751). The changes made to the UCS@school join hook have therefore been reversed.

eb2f22ca5 Bug #48731: removed last changes; the issues are now addressed directly in univention-join

Package: ucs-school-metapackage
Version: 12.0.0-37A~4.4.0.201902251422
Branch: ucs_4.4-0
Scope: ucs-school-4.4
Comment 6 Daniel Tröder univentionstaff 2019-02-25 15:28:01 CET
OK: join script 00ucs-school-app-version-check.inst runs successfully on all roles (including DC backup)
OK: revert status-file-modification here and move code to univention-join (see Bug #48751)
Comment 7 Sönke Schwardt-Krummrich univentionstaff 2019-03-12 10:59:17 CET
UCS@school 4.4 v1 has been released.

https://docs.software-univention.de/release-notes-ucsschool-4.4v1-de.html

If this error occurs again, please clone this bug.