Univention Bugzilla – Bug 51625
Add join hook that prevents (re)join of UCS systems prior to version 4.4-6
Last modified: 2021-05-25 15:59:26 CEST
To avoid incompatible mixed environments, a joinhook from UCS5 should be installed to prevent joining of UCS systems with version 4.4-5 or earlier. There are ~4 apps the use an 4.3 appbox image. It has to be checked, which specific apps are affected and if the hook has to block them too, or if these apps are correctly prepared for UCS 5 even with "outdated" appbox image.
Join hooks are only supported since UCS 4.4-0 (Bug #47940), so this solution doesn't prevent UCS 4.3-X systems to join into the domain. The hook has been implemented in: univention-join (12.0.0-4) | Bug #51625: prevent Systems between UCS 4.4-0 and UCS 4.4-5 to join into the domain changelog-5.0-0.xml | Changelog Bug #51625
(In reply to Sönke Schwardt-Krummrich from comment #0) > There are ~4 apps the use an 4.3 appbox image. It has to be checked, which > specific apps are affected and if the hook has to block them too, or if > these apps are correctly prepared for UCS 5 even with "outdated" appbox > image. The following Apps are currently using an appbox image: benno-mailarchiv: ucs-appbox-amd64 UCS 4.4-3 digitec-suitecrm: ucs-appbox-amd64 UCS 4.3-3 etherpad-lite: ucs-appbox-amd64 UCS 4.3-3 horde: ucs-appbox-amd64 UCS 4.3-3 openproject: ucs-appbox-amd64 UCS 4.3-3 tine20: ucs-appbox-amd64 UCS 4.2-2
Didn't we decide that we upgrade the appbox containers to UCS 4.4-6 and publish them in the UCS 4 & 5 App-Center before we release UCS 5?! With the join hooks I have no possibility to detect that this is a docker/app container. So the installation of these apps will fail.
(In reply to Florian Best from comment #3) > Didn't we decide that we upgrade the appbox containers to UCS 4.4-6 and > publish them in the UCS 4 & 5 App-Center before we release UCS 5?! > With the join hooks I have no possibility to detect that this is a > docker/app container. So the installation of these apps will fail. We discussed this a moment ago and the short answer is yes. Join hooks are supported since UCS 4.4-0, so 4.3 appbox images simply ignore them. So we decided that all 4.3 appbox images have to be updated to a 4.4-6 appbox image, that is able to register LDAP objects with correct ucsversionstart/ucsversionend and custom filenames. On the DC Master, the update to UCS 5.0 must be blocked by the preup.sh script if there is a system that is not yet using UCS 4.4-6. This now includes appbox images in addition to native UCS systems. This means that a domain can only be upgraded to UCS 5 if all appbox images are based on at least UCS 4.4-6. If a 4.3 appbox image is installed after updating the master to UCS 5.0, the listener module on the master will immediately delete the invalid LDAP object (due to invalid specification of ucsversionstart/ucsversionend) and the join script of the 4.3 appbox image will fail. It is not possible to install outdated appbox images in a UCS5 domain. Furthermore, the domain can only be changed to UCS5 after the obsolete appbox images have been removed/updated.
(In reply to Sönke Schwardt-Krummrich from comment #4) OK, then everything is implemented here.
The hook works well. But: univention-join 12.0.0-4A~5.0.0.202008131400 still checks for UCS 4.4-5 and not 4.4-6! → REOPEN ---[join.log]--- Thu Jan 9 13:39:42 CET 2020 univention-join-hooks: looking for hook type "join/pre-join" on master142.nstx142.ucs Found hooks: cn=ensure-minmum-ucs-version,cn=data,cn=univention,dc=nstx,dc=ucs Running: ensure-minmum-ucs-version (cn=ensure-minmum-ucs-version,cn=data,cn=univention,dc=nstx,dc=ucs) in /tmp/tmp81I1vY/tmpbQUouB Please upgrade your system to UCS 4.4-5 before joining into this domain. ERROR: join/pre-join hook /tmp/tmp81I1vY/tmpbQUouB failed. ************************************************************************** * Join failed! * * Contact your system administrator * ************************************************************************** * Message: Please visit https://help.univention.com/t/8842 for common problems during the join and how to fix them -- join/pre-join failed, see /var/log/univention/join.log ************************************************************************** Thu Jan 9 13:39:46 CET 2020: finish /usr/sbin/univention-join ---[end]--- Additionally I think the message is hard to find for inexperienced users. Therefore I suggest the following patch: --- a/management/univention-join/ensure-minmum-ucs-version +++ b/management/univention-join/ensure-minmum-ucs-version @@ -35,8 +35,13 @@ eval "$(univention-config-registry shell version/version version/patchlevel)" required_version="4.4-6" if dpkg --compare-versions "${version_version}-${version_patchlevel}" lt "$required_version"; then - + echo + echo '********************************************************************************' + echo "This system does not meet the minimum UCS version to join this domain." + echo "The update is therefore aborted at this point." echo "Please upgrade your system to UCS ${required_version} before joining into this domain." + echo '********************************************************************************' + echo exit 1 fi
> + echo "The update is therefore aborted at this point." + echo "The join attempt is therefore aborted at this point."
OK: text adjustments done in univention-join 12.0.0-4A~5.0.0.202008242344 univention-run-joinscript --run-scripts --force 20univention-join.inst
---[join.log]--- Thu Jan 9 14:07:46 CET 2020 univention-join-hooks: looking for hook type "join/pre-join" on master142.nstx142.ucs Found hooks: cn=ensure-minmum-ucs-version,cn=data,cn=univention,dc=nstx,dc=ucs Running: ensure-minmum-ucs-version (cn=ensure-minmum-ucs-version,cn=data,cn=univention,dc=nstx,dc=ucs) in /tmp/tmp1FfKc_/tmp6cObMQ ******************************************************************************** This system does not meet the minimum UCS version to join this domain. The join attempt is therefore aborted at this point. Please upgrade your system to UCS 4.4-6 before joining into this domain. ******************************************************************************** ERROR: join/pre-join hook /tmp/tmp1FfKc_/tmp6cObMQ failed. --- → VERIFIED
UCS 5.0 has been released: https://docs.software-univention.de/release-notes-5.0-0-en.html https://docs.software-univention.de/release-notes-5.0-0-de.html If this error occurs again, please use "Clone This Bug".