Univention Bugzilla – Bug 51034
Installing docker apps with read-only apt proxy config file fails if proxy is configured
Last modified: 2020-05-06 14:40:01 CEST
When installing a docker app based on UCS, the app gets the proxy settings configured via UCR.

During univention-join, which is triggered in the app's installation, 20univention-directory-policy.inst tries to write these settings to /etc/apt/apt.conf.d/80proxy - this fails at least in the itslearning app because that file is read-only. I assume because it's mounted from the host system but didn't have time to confirm that.

You can use this dirty workaround to skip that file in the config_registry handler inside the container. This is only possible if you install the app on the CLI with univention-app install --do-not-revert [...] because only then the app center doesn't revert the failed installation and removes the container. After the patch has been applied, run univention-join inside the container.

--- /usr/lib/pymodules/python2.7/univention/config_registry/handler.py.bak 2020-03-27 17:48:57.881579729 +0100 +++ /usr/lib/pymodules/python2.7/univention/config_registry/handler.py 2020-03-27 17:49:42.961581304 +0100 @@ -429,6 +429,7 @@ os.rename(tmp_to_file, self.to_file) except OSError as ex: if ex.errno == errno.EBUSY: + if not self.to_file == "/etc/apt/apt.conf.d/80proxy": with open(self.to_file, 'w+') as fd: fd.write(open(tmp_to_file, 'r').read()) os.unlink(tmp_to_file)
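Review bot: the added `if not self.to_file == "/etc/apt/apt.conf.d/80proxy":` in the EBUSY branch hardcodes one file path into the generic config_registry handler and skips the write without any message, so a proxy file that was never updated goes unnoticed. The hunk header (-429,6 +429,7) shows a single added line, which means the `with open(self.to_file, 'w+')` block below it is not re-indented under the new condition; confirm the result is valid Python and that the `with` block really is the body of the new `if`. If the check stays, write it as `self.to_file != ...`, log that the file was skipped, and make sure `os.unlink(tmp_to_file)` still runs in the skipped case so the temporary file does not linger.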
The error from listener.log from inside the container:

Configure 20univention-directory-policy.inst Fri Mar 27 17:47:29 CET 2020
2020-03-27 17:47:29.788773692+01:00 (in joinscript_init)
Create directory/manager/samba3/legacy
Create proxy/http
Create proxy/https
File: /etc/apt/apt.conf.d/80proxy
Traceback (most recent call last):
  File "/usr/lib/univention-directory-policy/univention-policy-update-config-registry", line 146, in <module>
    main()
  File "/usr/lib/univention-directory-policy/univention-policy-update-config-registry", line 131, in main
    confreg.handler_set(new_set_list, {'ldap-policy': True})
  File "/usr/lib/pymodules/python2.7/univention/config_registry/frontend.py", line 163, in handler_set
    None if quiet else 'W: %s is overridden by scope "%s"')
  File "/usr/lib/pymodules/python2.7/univention/config_registry/frontend.py", line 204, in _run_changed
    handlers(changed.keys(), (ucr, changed))
  File "/usr/lib/pymodules/python2.7/univention/config_registry/handler.py", line 854, in __call__
    handler(arg)
  File "/usr/lib/pymodules/python2.7/univention/config_registry/handler.py", line 432, in __call__
    with open(self.to_file, 'w+') as fd:
IOError: [Errno 30] Read-only file system: '/etc/apt/apt.conf.d/80proxy'
run-parts: /usr/lib/univention-directory-policy/univention-policy-update-config-registry exited with return code 1
mhm, can we merge this with Bug #51031 ? In the end both need to be fixed to have proper proxy configuration in docker apps, right?
(In reply to Ingo Steuwer from comment #2)
> mhm, can we merge this with Bug #51031 ? In the end both need to be fixed to
> have proper proxy configuration in docker apps, right?

Maybe, but I'm hesitant since they describe different problems.
A Ticket-Number is required to qualify a Bug as "School Customer Affected". I've pushed this Bug into the appcenter Taiga Backlog.
(In reply to Valentin Heidelberger from comment #0)
> When installing a docker app based on UCS, the app gets the proxy settings
> configured via UCR.
>
> During univention-join, which is triggered in the app's installation,
> 20univention-directory-policy.inst tries to write these settings to
> /etc/apt/apt.conf.d/80proxy - this fails at least in the itslearning app
> because that file is read-only. I assume because it's mounted from the host
> system but didn't have time to confirm that.

What is the context of the files mentioned here? Inside the app's Docker container or on the UCS system?
From Comment 1 I assume the problem occurs inside the running Docker container. Furthermore, I assume it is an Appbox based Docker container with UCS. Did you observe the problem with other apps than itslearning, as well?
(In reply to Nico Gulden from comment #6)
> From Comment 1 I assume the problem occurs inside the running Docker
> container. Furthermore, I assume it is an Appbox based Docker container with
> UCS.
>
> Did you observe the problem with other apps than itslearning, as well?

Yes, it happens inside a UCS based container. I didn't observe it with other apps so far.
The reason for the traceback is that the App Center mounts /etc/apt/apt.conf.d/80proxy as read-only from the UCS host system to the container. The listener in the UCS based container tries to write that read-only file and fails with the observed traceback. One possible solution could be that the App Center mounts the file to a different name so that the listener inside the container does not clash anymore with that file. This change would require an errata update. Changed the effect of the bug to 1, since it has only been observed together with itslearning.
Merged and built in 4.4-4

Successful build
Package: univention-appcenter
Version: 8.0.11-132A~4.4.0.202005041147
Branch: ucs_4.4-0
Scope: errata4.4-4

commit 988492d96ff490262df770b0618b7ba33930b38d
commit 5e070b4190f15c32f676daa110e36fcc05948bc4
OK - /etc/apt/apt.conf.d/81proxy is used in the container now
OK - yaml

ls -la /etc/apt/apt.conf.d/8*
-rw-r--r-- 1 root root 593 May 4 12:27 /etc/apt/apt.conf.d/80proxy
-rw-r--r-- 1 root root 593 May 4 12:17 /etc/apt/apt.conf.d/81proxy

and the join works
<http://errata.software-univention.de/ucs/4.4/582.html>