#8233 4.8.5 master Installation error
Closed: fixed 4 years ago by abbra. Opened 4 years ago by slev.

I'm trying to build and install FreeIPA 4.8.5 on ALTLinux.

The master installation fails with:

[2020-03-18 05:19:29]   [17/30]: adding RA agent as a trusted user
[2020-03-18 05:19:29]   [18/30]: authorizing RA to modify profiles
[2020-03-18 05:19:29]   [19/30]: authorizing RA to manage lightweight CAs
[2020-03-18 05:19:29]   [20/30]: Ensure lightweight CAs container exists
[2020-03-18 05:19:29]   [21/30]: configure certificate renewals
[2020-03-18 05:19:33]   [22/30]: Configure HTTP to proxy connections
[2020-03-18 05:19:40]   [error] CalledProcessError: CalledProcessError(Command ['/sbin/systemctl', 'restart', 'httpd2.service'] returned non-zero exit status 1: 'Job for httpd2.service failed because the control process exited with error code.\nSee "systemctl status httpd2.service" and "journalctl -xe" for details.\n')
[2020-03-18 05:19:40] CalledProcessError(Command ['/sbin/systemctl', 'restart', 'httpd2.service'] returned non-zero exit status 1: 'Job for httpd2.service failed because the control process exited with error code.\nSee "systemctl status httpd2.service" and "journalctl -xe" for details.\n')
[2020-03-18 05:19:40] The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information
Mar 18 05:19:34 master1.ipa.test httpd2[2145]: AH00526: Syntax error on line 3 of /etc/httpd2/conf/extra-enabled/ipa-pki-proxy.conf:
Mar 18 05:19:34 master1.ipa.test httpd2[2145]: Invalid command 'ProxyRequests', perhaps misspelled or defined by a module not included in the server configuration
Mar 18 05:19:34 master1.ipa.test apachectl2[2145]: AH00526: Syntax error on line 3 of /etc/httpd2/conf/extra-enabled/ipa-pki-proxy.conf:
Mar 18 05:19:34 master1.ipa.test apachectl2[2145]: Invalid command 'ProxyRequests', perhaps misspelled or defined by a module not included in the server configuration

The error comes with the recent AJP changes https://github.com/freeipa/freeipa/pull/4337/commits/bf137c233385b127b22a4173ab3acc32d9786a5b, where apache is going to be restarted by the installer, but is not ready for that. The httpd is configured later on its own phase. So, I think nobody should rely on running apache until its configuration will be done.

Note: apache configuration process for ALT is similar to Debian's one.
https://www.altlinux.org/Apache2/Configs (Russian version). That's why it is not caught by upstream CI.


After the removing of apache restart I have an error on 'http' phase:

Mar 18 08:52:51 master1.ipa.test httpd2[3640]: AH00526: Syntax error on line 9 of /etc/httpd2/conf/extra-enabled/ipa-pki-proxy.conf:
Mar 18 08:52:51 master1.ipa.test httpd2[3640]: ProxyPass unknown Worker parameter
Mar 18 08:52:51 master1.ipa.test apachectl2[3640]: AH00526: Syntax error on line 9 of /etc/httpd2/conf/extra-enabled/ipa-pki-proxy.conf:
Mar 18 08:52:51 master1.ipa.test apachectl2[3640]: ProxyPass unknown Worker parameter
Mar 18 08:52:56 master1.ipa.test systemd[1]: httpd2.service: Control process exited, code=exited, status=3/NOTIMPLEMENTED
Mar 18 08:52:56 master1.ipa.test systemd[1]: httpd2.service: Failed with result 'exit-code'.
Mar 18 08:52:56 master1.ipa.test systemd[1]: Failed to start The Apache2 HTTP Server.
# httpd2 -v
Server version: Apache/2.4.41 (Unix)
Server built:   Aug 14 2019 04:53:18

I tried to remove the 'secret' attribute from 'ipa-pki-proxy.conf' and 'httpd' has started.
So, 'secret' attribute is not supported by mod_proxy_ajp for bare 'httpd'.

Fedora applies https://src.fedoraproject.org/rpms/httpd/blob/master/f/httpd-2.4.34-r1738878.patch to bring support for "secret" attribute of mod_proxy_ajp. This patch is the backport of upstream's one for apache-2.5.
RHBZ: https://bugzilla.redhat.com/show_bug.cgi?id=1397243

ALTLinux's apache is not patched for the same. May be Debian too? I didn't check.

Fortunately, as we can see from upstream tracker:
Upstream BZ: https://bz.apache.org/bugzilla/show_bug.cgi?id=53098
the original patch has been backported to 2.4 branch and will be part of 2.4.42.

So, for ALT I'll backport that patch until 2.4.42.
But I don't know about RHEL.

I checked that RHEL 8.2 beta has this patch as well.

I checked even more and it is fixed since RHEL 8.0.

master:

  • 14c9cf9 pki-proxy: Don't rely on running apache until it's configured

ipa-4-7:

  • 0db9969 pki-proxy: Don't rely on running apache until it's configured

ipa-4-8:

  • 24c6ea3 pki-proxy: Don't rely on running apache until it's configured

Metadata Update from @abbra:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)

4 years ago

Metadata Update from @abbra:
- Custom field changelog adjusted to On Debian and ALT Linux setup of AJP connector did restart Apache instance before it was configured. The restart wasn't actually needed and thus was removed.

4 years ago

Login to comment on this ticket.

Metadata