Bug 51034 - Installing docker apps with read-only apt proxy config file fails if proxy is configured
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: App Center
UCS 4.4
Other Linux
P5 normal
UCS 4.4-4-errata
Assigned To: Christian Castens
Felix Botner
Reported: 2020-03-27 18:01 CET by Valentin Heidelberger
Modified: 2020-05-06 14:40 CEST

See Also:
What kind of report is it?: Bug Report
What type of bug is this?: 5: Major Usability: Impairs usability in key scenarios
Who will be affected by this bug?: 1: Will affect a very few installed domains
How will those affected feel about the bug?: 3: A User would likely not purchase the product
User Pain: 0.086
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional):
Max CVSS v3 score:


Description Valentin Heidelberger univentionstaff 2020-03-27 18:01:36 CET
When installing a docker app based on UCS, the app gets the proxy settings configured via UCR.

During univention-join, which is triggered in the app's installation, 20univention-directory-policy.inst tries to write these settings to /etc/apt/apt.conf.d/80proxy - this fails at least in the itslearning app because that file is read-only. I assume because it's mounted from the host system but didn't have time to confirm that.

You can use this dirty workaround to skip that file in the config_registry handler inside the container. This is only possible if you install the app on the CLI with 

univention-app install --do-not-revert [...]

because only then the app center doesn't revert the failed installation and remove the container. After the patch has been applied, run univention-join inside the container.


--- /usr/lib/pymodules/python2.7/univention/config_registry/handler.py.bak      2020-03-27 17:48:57.881579729 +0100
+++ /usr/lib/pymodules/python2.7/univention/config_registry/handler.py  2020-03-27 17:49:42.961581304 +0100
@@ -429,6 +429,7 @@
                                os.rename(tmp_to_file, self.to_file)
                        except OSError as ex:
                                if ex.errno == errno.EBUSY:
+                                    if not self.to_file == "/etc/apt/apt.conf.d/80proxy":
                                        with open(self.to_file, 'w+') as fd:
                                                fd.write(open(tmp_to_file, 'r').read())
                                        os.unlink(tmp_to_file)
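Review bot: In the errno.EBUSY branch, os.unlink(tmp_to_file) sits at the same indentation as the "with open(self.to_file, 'w+')" block, so the new condition skips the cleanup as well and the temporary file is left behind whenever the target is /etc/apt/apt.conf.d/80proxy. Only the write should be conditional; keep the unlink outside the added "if". The skip is also silent and tied to one hard-coded path, so nothing records that the proxy settings were not written; a log message at this point would make that visible, and the comparison reads more clearly as self.to_file != "/etc/apt/apt.conf.d/80proxy".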
Comment 1 Valentin Heidelberger univentionstaff 2020-03-27 18:03:40 CET
The error from listener.log from inside the container:

Configure 20univention-directory-policy.inst Fri Mar 27 17:47:29 CET 2020
2020-03-27 17:47:29.788773692+01:00 (in joinscript_init)
Create directory/manager/samba3/legacy
Create proxy/http
Create proxy/https
File: /etc/apt/apt.conf.d/80proxy
Traceback (most recent call last):
  File "/usr/lib/univention-directory-policy/univention-policy-update-config-registry", line 146, in <module>
    main()
  File "/usr/lib/univention-directory-policy/univention-policy-update-config-registry", line 131, in main
    confreg.handler_set(new_set_list, {'ldap-policy': True})
  File "/usr/lib/pymodules/python2.7/univention/config_registry/frontend.py", line 163, in handler_set
    None if quiet else 'W: %s is overridden by scope "%s"')
  File "/usr/lib/pymodules/python2.7/univention/config_registry/frontend.py", line 204, in _run_changed
    handlers(changed.keys(), (ucr, changed))
  File "/usr/lib/pymodules/python2.7/univention/config_registry/handler.py", line 854, in __call__
    handler(arg)
  File "/usr/lib/pymodules/python2.7/univention/config_registry/handler.py", line 432, in __call__
    with open(self.to_file, 'w+') as fd:
IOError: [Errno 30] Read-only file system: '/etc/apt/apt.conf.d/80proxy'
run-parts: /usr/lib/univention-directory-policy/univention-policy-update-config-registry exited with return code 1
Comment 2 Ingo Steuwer univentionstaff 2020-03-30 12:28:21 CEST
mhm, can we merge this with Bug #51031 ? In the end both need to be fixed to have proper proxy configuration in docker apps, right?
Comment 3 Valentin Heidelberger univentionstaff 2020-03-30 14:53:13 CEST
(In reply to Ingo Steuwer from comment #2)
> mhm, can we merge this with Bug #51031 ? In the end both need to be fixed to
> have proper proxy configuration in docker apps, right?

Maybe, but I'm hesitant since they describe different problems.
Comment 4 Arvid Requate univentionstaff 2020-04-02 13:59:15 CEST
A Ticket-Number is required to qualify a Bug as "School Customer Affected".

I've pushed this Bug into the appcenter Taiga Backlog.
Comment 5 Nico Gulden univentionstaff 2020-04-03 14:21:04 CEST
(In reply to Valentin Heidelberger from comment #0)
> When installing a docker app based on UCS, the app gets the proxy settings
> configured via UCR.
> 
> During univention-join, which is triggered in the app's installation,
> 20univention-directory-policy.inst tries to write these settings to
> /etc/apt/apt.conf.d/80proxy - this fails at least in the itslearning app
> because that file is read-only. I assume because it's mounted from the host
> system but didn't have time to confirm that.

What is the context of the files mentioned here? Inside the app's Docker container or on the UCS system?
Comment 6 Nico Gulden univentionstaff 2020-04-03 14:24:41 CEST
From Comment 1 I assume the problem occurs inside the running Docker container. Furthermore, I assume it is an Appbox based Docker container with UCS.

Did you observe the problem with other apps than itslearning, as well?
Comment 7 Valentin Heidelberger univentionstaff 2020-04-03 14:30:54 CEST
(In reply to Nico Gulden from comment #6)
> From Comment 1 I assume the problem occurs inside the running Docker
> container. Furthermore, I assume it is an Appbox based Docker container with
> UCS.
> 
> Did you observe the problem with other apps than itslearning, as well?

Yes, it happens inside a UCS-based container. I didn't observe it with other apps so far.
Comment 8 Nico Gulden univentionstaff 2020-04-06 10:05:51 CEST
Reason for the traceback is that the App Center mounts /etc/apt/apt.conf.d/80proxy as read-only from the UCS host system to the container.

The listener in the UCS based container tries to write that read-only file and fails with the observed traceback.

One possible solution could be that the App Center mounts the file to a different name so that the listener inside the container does not clash anymore with that file. This change would require an errata update.

Changed the effect of the bug to 1, since it has only been observed together with itslearning.
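A way to confirm the cause named in comment 8 from inside a container, as an added example that is not part of the original thread or of Univention's code: it parses /proc/self/mountinfo and reports whether a path is itself a read-only mount point. The sample mount table and the function names are constructed for illustration.

```python
import os

# Constructed sample of /proc/self/mountinfo from inside a container
# (illustrative values, not taken from the bug report).
SAMPLE_MOUNTINFO = """\
812 640 0:52 / / rw,relatime - overlay overlay rw,lowerdir=/l,upperdir=/u,workdir=/w
813 812 0:55 / /proc rw,nosuid,nodev,noexec,relatime - proc proc rw
840 812 8:1 /etc/apt/apt.conf.d/80proxy /etc/apt/apt.conf.d/80proxy ro,relatime - ext4 /dev/sda1 rw
841 812 8:1 /var/lib/app/conf /etc/app rw,relatime shared:7 - ext4 /dev/sda1 rw
"""

def unescape(field):
    # mountinfo writes space, tab, newline and backslash as octal escapes
    for esc, char in (("\\040", " "), ("\\011", "\t"), ("\\012", "\n"), ("\\134", "\\")):
        field = field.replace(esc, char)
    return field

def parse_mountinfo(text):
    """Return one dict per mount: mount point and per-mount options."""
    mounts = []
    for line in text.splitlines():
        fields = line.split()
        # id, parent, dev, root, mount point, options, [optional...], "-", fstype, source, super opts
        if len(fields) < 10 or "-" not in fields[6:]:
            continue
        mounts.append({"mount_point": unescape(fields[4]),
                       "options": set(fields[5].split(","))})
    return mounts

def diagnose(path, mounts):
    """Find the mount that governs `path` and say whether writes can succeed."""
    path = os.path.normpath(path)
    best = None
    for mount in mounts:  # later entries are mounted on top of earlier ones
        mp = mount["mount_point"]
        covers = mp == "/" or path == mp or path.startswith(mp.rstrip("/") + "/")
        if covers and (best is None or len(mp) >= len(best["mount_point"])):
            best = mount
    if best is None:
        return None
    return {"mount_point": best["mount_point"],
            # a read-only mount makes open(path, 'w') fail with EROFS
            "read_only": "ro" in best["options"],
            # a file that is itself a mount point cannot be replaced by rename() (EBUSY)
            "is_mount_point": best["mount_point"] == path}

if __name__ == "__main__":
    with open("/proc/self/mountinfo") as fd:
        print(diagnose("/etc/apt/apt.conf.d/80proxy", parse_mountinfo(fd.read())))
```

A result with both read_only and is_mount_point set matches the sequence in the traceback from comment 1: the rename onto the file fails, and the fallback open() for writing then raises the read-only file system error.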
Comment 9 Christian Castens univentionstaff 2020-05-04 12:23:37 CEST
Merged and built in 4.4-4

Successful build
Package: univention-appcenter
Version: 8.0.11-132A~4.4.0.202005041147
Branch: ucs_4.4-0
Scope: errata4.4-4


commit 988492d96ff490262df770b0618b7ba33930b38d
commit 5e070b4190f15c32f676daa110e36fcc05948bc4
Comment 10 Felix Botner univentionstaff 2020-05-04 12:31:15 CEST
OK - /etc/apt/apt.conf.d/81proxy is used in the container now
OK - yaml

ls -la /etc/apt/apt.conf.d/8*
-rw-r--r-- 1 root root 593 May  4 12:27 /etc/apt/apt.conf.d/80proxy
-rw-r--r-- 1 root root 593 May  4 12:17 /etc/apt/apt.conf.d/81proxy

and the join works
Comment 11 Erik Damrose univentionstaff 2020-05-06 14:40:01 CEST
<http://errata.software-univention.de/ucs/4.4/582.html>