Bug 36934 - rdate in univention-ssl.postinst got stuck
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: SSL
Version: UCS 4.0
Hardware: Other Linux
Importance: P5 normal
Target Milestone: UCS 4.0-0-errata
Assigned To: Philipp Hahn
QA Contact: Sönke Schwardt-Krummrich
URL: http://forum.univention.de/viewtopic....
Blocks: 36937
Reported: 2014-11-21 13:37 CET by Stefan Gohmann
Modified: 2014-12-04 12:21 CET
Description Stefan Gohmann univentionstaff 2014-11-21 13:37:18 CET
Seen in a tester setup. During the installation the rdate command in univention-ssl got stuck.
Comment 1 Dirk Ahrnke 2014-11-21 14:18:44 CET
same behaviour was seen during "apt-get install --reinstall univention-ssl" in 3.2.4 
see my remarks in Ticket 2014111021000654 (14.11.2014 10:59)
Comment 2 Philipp Hahn univentionstaff 2014-11-21 17:08:20 CET
r56063 | Bug #36934 SSL: Timeout ntpdate command after 15s

Package: univention-ssl
Version: 9.0.4-1.150.201411211640
User: phahn
Branch: ucs_4.0-0
Scope: errata4.0-0

r56068 | Bug #36934 SSL,Bug #36935 Join,Bug #36937 USS: timeout YAML
Comment 3 Sönke Schwardt-Krummrich univentionstaff 2014-11-26 17:14:04 CET
root@master40:~# timeout -k 20 15 ntpdate-debian
25 Nov 19:40:06 ntpdate[8714]: no servers can be used, exiting

On my UCS master test system /etc/default/ntpdate was empty
→ $NTPDATE_USE_NTP_CONF is not set (used within ntpdate-debian)
→ /var/lib/ntpdate/default.dhcp does not exist
→ no time server is given to ntpdate
→ error message from above
→ REOPEN

Why not using one of the following pools?
- 0.pool.ntp.org
- 1.pool.ntp.org
- 2.pool.ntp.org
- 3.pool.ntp.org

root@master40:~# time timeout -k 20 15 rdate 10.200.18.3

real    0m15.003s
user    0m0.004s
sys     0m0.000s
root@master40:~# time timeout -k 20 15 rdate 192.168.0.3
Wed Nov 26 17:01:49 CET 2014

real    1269m58.097s
user    0m0.000s
sys     0m0.000s
root@master40:~# time timeout -k 20 15 rdate 192.168.0.3
Wed Nov 26 17:01:59 CET 2014

real    0m0.000s
user    0m0.000s
sys     0m0.004s
root@master40:~# 

→ Works as expected.

FAIL: why still using rdate as dependency? ntpdate-debian uses ntpdate

YAML: not checked yet
Comment 4 Philipp Hahn univentionstaff 2014-11-28 10:20:37 CET
(In reply to Sönke Schwardt-Krummrich from comment #3)
> root@master40:~# timeout -k 20 15 ntpdate-debian
> 25 Nov 19:40:06 ntpdate[8714]: no servers can be used, exiting
> 
> On my UCS master test system /etc/default/ntpdate was empty
> → $NTPDATE_USE_NTP_CONF is not set (used within ntpdate-debian)
> → /var/lib/ntpdate/default.dhcp does not exist
> → no time server is given to ntpdate
> → error message from above
> → REOPEN

This happens only on the DC Master, where no NTP server is configured by default; see Bug #37098.

> Why not using one of the following pools?
> - 0.pool.ntp.org
> - 1.pool.ntp.org
> - 2.pool.ntp.org
> - 3.pool.ntp.org

This is not allowed: <http://www.pool.ntp.org/de/vendors.html>
> Basic guidelines
> Do not use the standard pool.ntp.org names as a default configuration in your system.
...
> Get your vendor zone
> You must absolutely not use the default pool.ntp.org zone names as the default configuration in your application or appliance.


We should either
- apply for univention.pool.ntp.org,
- ask Debian if using debian.pool.ntp.org is okay,
- add ntp.univention.de and use that to DDoS ourselves. That's probably the easiest as an NTP query will only happen once per DC Master installation.
Comment 5 Philipp Hahn univentionstaff 2014-11-28 10:53:11 CET
Also see Bug #27728 for the hard-coded pool.ntp.org issue.
Comment 6 Philipp Hahn univentionstaff 2014-11-28 10:55:32 CET
(In reply to Sönke Schwardt-Krummrich from comment #3)
> FAIL: why still using rdate as dependency? ntpdate-debian uses ntpdate

"rdate" is still used by univention-base-files/conffiles/etc/init.d/rdate, which also violates the terms-of-use of pool.ntp.org.
Comment 7 Philipp Hahn univentionstaff 2014-11-28 11:54:53 CET
r56275 | Bug #36934: Timeout rdate command after 15+5s
 Use rdate again with fixed
  10.1.133.130.in-addr.arpa domain name pointer time.fu-berlin.de.
 Reduce SIGKILL timeout to 5s.

Package: univention-ssl
Version: 9.0.4-2.151.201411281139
User: phahn
Branch: ucs_4.0-0
Scope: errata4.0-0

r56279 | YAML Bug #36334 Bug #36937: timeout rdate
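
Added example (not part of the bug thread and not code from univention-ssl): a shell function that bounds a time-sync command the way r56275 describes, SIGTERM after a limit and SIGKILL after a grace period, and classifies the exit status so a maintainer script continues instead of hanging. It assumes GNU coreutils `timeout`; `run_bounded`, its result strings and `RUN_DEMO` are hypothetical names, and the `sleep` commands are constructed stand-ins for a time client that never answers.

```shell
#!/bin/sh
# Added example, not code from univention-ssl. Assumes GNU coreutils `timeout`.
# run_bounded, its result strings and RUN_DEMO are hypothetical names.

run_bounded() {
    # $1 = seconds before SIGTERM, $2 = further seconds before SIGKILL,
    # remaining arguments = the time-sync command to run.
    limit=$1
    grace=$2
    shift 2
    rc=0
    timeout -k "$grace" "$limit" "$@" >/dev/null 2>&1 || rc=$?
    case "$rc" in
        0)   echo "ok" ;;
        124) echo "timed-out" ;;   # limit reached, command ended on SIGTERM
        137) echo "killed" ;;      # SIGTERM was ignored, SIGKILL sent (128+9)
        *)   echo "failed:$rc" ;;  # command returned its own error status
    esac
    # Always return 0 so a caller running under `set -e` is not aborted
    # because the clock could not be synchronised.
    return 0
}

demo() {
    # Constructed stand-ins for a time client; no network is needed.
    run_bounded 1 1 true                                  # ok
    run_bounded 1 1 sh -c 'exit 3'                        # failed:3
    run_bounded 1 1 sleep 30                              # timed-out
    run_bounded 1 1 sh -c 'trap "" TERM; sleep 30'        # killed
}

# Run the demonstration only when asked, e.g. RUN_DEMO=1 sh example.sh
if [ "${RUN_DEMO:-0}" = 1 ]; then
    demo
fi
```

With the values from r56275 the call would be `run_bounded 15 5 rdate <server>`, where `<server>` is a placeholder for the configured time source.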
Comment 8 Sönke Schwardt-Krummrich univentionstaff 2014-11-28 12:31:36 CET
OK: code change visibly checked
OK: YAML

Waiting for new DVD for functional check
Comment 9 Philipp Hahn univentionstaff 2014-11-28 12:37:06 CET
r56283 | Bug #36937: Timeout rdate command after 15+5s
r56286 | YAML Bug #36334 Bug #36937: timeout rdate

Package: univention-ssl
Version: 9.0.4-3.152.201411281214
User: phahn
Branch: ucs_4.0-0
Scope: errata4.0-0

Package: univention-system-setup
Version: 8.1.65-24.811.201411281217
User: phahn
Branch: ucs_4.0-0
Scope: errata4.0-0
Comment 10 Sönke Schwardt-Krummrich univentionstaff 2014-12-01 14:22:24 CET
No problem encountered during installation.
Comment 11 Moritz Muehlenhoff univentionstaff 2014-12-04 12:21:21 CET
http://errata.univention.de/ucs/4.0/1.html