[ssl + hardening apache trusty-mitaka] caught SIGTERM, shutting down on juju update hook.
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
OpenStack Dashboard Charm | Incomplete | Undecided | Unassigned |
Bug Description
On a Trusty Mitaka OpenStack deployment where the dashboard is deployed in HA, on every juju update hook
I can read the following output in /var/log/
```
[Mon Feb 05 12:21:57.599471 2018] [core:notice] [pid 45036:tid 140322761824128] AH00094: Command line: '/usr/sbin/apache2'
[Mon Feb 05 12:27:15.038971 2018] [mpm_event:notice] [pid 45036:tid 140322761824128] AH00491: caught SIGTERM, shutting down
[Mon Feb 05 12:27:16.133030 2018] [ssl:warn] [pid 1116:tid 139686050834304] AH01909: juju-baab69-
[Mon Feb 05 12:27:16.149425 2018] [ssl:warn] [pid 1117:tid 139686050834304] AH01909: juju-baab69-
[Mon Feb 05 12:27:16.151705 2018] [mpm_event:notice] [pid 1117:tid 139686050834304] AH00489: Apache/2.4.10 (Ubuntu) OpenSSL/1.0.1f mod_wsgi/3.4 Python/2.7.6 configured -- resuming normal operations
[Mon Feb 05 12:27:16.151729 2018] [core:notice] [pid 1117:tid 139686050834304] AH00094: Command line: '/usr/sbin/apache2'
[Mon Feb 05 12:31:49.834311 2018] [mpm_event:notice] [pid 1117:tid 139686050834304] AH00491: caught SIGTERM, shutting down
[Mon Feb 05 12:31:50.931838 2018] [ssl:warn] [pid 6030:tid 139668206278528] AH01909: juju-baab69-
[Mon Feb 05 12:31:50.947896 2018] [ssl:warn] [pid 6031:tid 139668206278528] AH01909: juju-baab69-
[Mon Feb 05 12:31:50.950319 2018] [mpm_event:notice] [pid 6031:tid 139668206278528] AH00489: Apache/2.4.10 (Ubuntu) OpenSSL/1.0.1f mod_wsgi/3.4 Python/2.7.6 configured -- resuming normal operations
[Mon Feb 05 12:31:50.950349 2018] [core:notice] [pid 6031:tid 139668206278528] AH00094: Command line: '/usr/sbin/apache2'
[Mon Feb 05 12:37:45.785726 2018] [mpm_event:notice] [pid 6031:tid 139668206278528] AH00491: caught SIGTERM, shutting down
[Mon Feb 05 12:37:46.882574 2018] [ssl:warn] [pid 11545:tid 140014746675072] AH01909: juju-baab69-
[Mon Feb 05 12:37:46.898069 2018] [ssl:warn] [pid 11546:tid 140014746675072] AH01909: juju-baab69-
[Mon Feb 05 12:37:46.900170 2018] [mpm_event:notice] [pid 11546:tid 140014746675072] AH00489: Apache/2.4.10 (Ubuntu) OpenSSL/1.0.1f mod_wsgi/3.4 Python/2.7.6 configured -- resuming normal operations
[Mon Feb 05 12:37:46.900195 2018] [core:notice] [pid 11546:tid 140014746675072] AH00094: Command line: '/usr/sbin/apache2'
[Mon Feb 05 12:43:00.907437 2018] [mpm_event:notice] [pid 11546:tid 140014746675072] AH00491: caught SIGTERM, shutting down
[Mon Feb 05 12:43:02.002314 2018] [ssl:warn] [pid 16737:tid 140561918715776] AH01909: juju-baab69-
[Mon Feb 05 12:43:02.017202 2018] [ssl:warn] [pid 16738:tid 140561918715776] AH01909: juju-baab69-
[Mon Feb 05 12:43:02.019455 2018] [mpm_event:notice] [pid 16738:tid 140561918715776] AH00489: Apache/2.4.10 (Ubuntu) OpenSSL/1.0.1f mod_wsgi/3.4 Python/2.7.6 configured -- resuming normal operations
[Mon Feb 05 12:43:02.019479 2018] [core:notice] [pid 16738:tid 140561918715776] AH00094: Command line: '/usr/sbin/apache2'
```
Also, though not on all update hooks, it's possible to see the following output:
```
[Mon Feb 05 13:08:32.034604 2018] [:error] [pid 34010] [remote 100.86.0.145:54985] mod_wsgi (pid=34010): Exception occurred processing WSGI script '/usr/share/
[Mon Feb 05 13:08:32.034682 2018] [:error] [pid 34010] [remote 100.86.0.145:54985] IOError: failed to write data
```
The configuration looks like:
```
$ juju config openstack-dashboard
application: openstack-dashboard
charm: openstack-dashboard
settings:
  action-
    default: true
    description: |
      If True enables openstack upgrades for this charm via juju actions.
      You will still need to set openstack-origin to the new repository but
      instead of an upgrade running automatically across all units, it will
      wait for you to execute the openstack-upgrade action for this charm on
      each unit. If False it will revert to existing behavior of upgrading
      all units on config change.
    type: boolean
    value: false
  cinder-backup:
    description: Enable cinder backup panel.
    type: boolean
    value: true
  customization
    default: true
    description: |
      Module that overriding layout for customization.
      This is available from Liberty
    type: string
    value: ""
  database:
    default: true
    description: Database name for Horizon (if enabled)
    type: string
    value: horizon
  database-user:
    default: true
    description: Username for Horizon database access (if enabled)
    type: string
    value: horizon
  debug:
    description: Show Django debug messages.
    type: string
    value: "false"
  default-role:
    default: true
    description: |
      Default role for Horizon operations that will be created in
      Keystone upon introduction of an identity-service relation.
    type: string
    value: Member
  default-theme:
    default: true
    description: |
      Specify path to theme to use
      (relative to /usr/share/
      NOTE: This setting is supported when deploying OpenStack Liberty or
      newer. This setting and ubuntu-theme setting are mutually exclusive.
    type: string
  dns-ha:
    default: true
    description: |
      Use DNS HA with MAAS 2.0. Note if this is set do not set vip
      settings below.
    type: boolean
    value: false
  endpoint-type:
    description: |
      Specifies the endpoint types to use for endpoints in the Keystone
      service catalog. Valid values are 'publicURL', 'internalURL',
      and 'adminURL'. Both the primary and secondary endpoint types can
      be specified by providing multiple comma delimited values.
    type: string
    value: publicURL
  enforce-ssl:
    default: true
    description: |
      If True, redirects plain http requests to https port 443. For this option
      to have an effect, SSL must be configured.
    type: boolean
    value: false
  ha-bindiface:
    default: true
    description: |
      Default network interface on which HA cluster will bind to communication
      with the other members of the HA Cluster.
    type: string
    value: ethX
  ha-mcastport:
    default: true
    description: |
      Default multicast port number that will be used to communicate between
      HA Cluster nodes.
    type: int
    value: 5410
  haproxy-
    default: true
    description: |
      Client timeout configuration in ms for haproxy, used in HA
      configura
    type: int
  haproxy-
    default: true
    description: |
      Connect timeout configuration in ms for haproxy, used in HA
      configura
    type: int
  haproxy-
    default: true
    description: |
      Queue timeout configuration in ms for haproxy, used in HA
      configura
    type: int
  haproxy-
    default: true
    description: |
      Server timeout configuration in ms for haproxy, used in HA
      configura
    type: int
  harden:
    description: |
      Apply system hardening. Supports a space-delimited list of modules
      to run. Supported modules currently include os, ssh, apache and mysql.
    type: string
    value: apache
  nagios_
    default: true
    description: Parameters to pass to the nrpe plugin check_http.
    type: string
    value: -H localhost -I 127.0.0.1 -u '/' -e 200,301,302
  nagios_context:
    default: true
    description: |
      Used by the nrpe-external-
      A string that will be prepended to instance name to set the host name
      in nagios. So for instance the hostname would be something like:
      .
      .
      If you're running multiple environments with the same services in them
      this allows you to differentiate between them.
    type: string
    value: juju
  nagios_
    default: true
    description: |
      A comma-separated list of nagios servicegroups. If left empty, the
      nagios_
    type: string
    value: ""
  neutron-
    default: true
    description: |
      Enable Neutron distributed virtual router (DVR) feature in the
      Router panel.
    type: boolean
    value: false
  neutron-
    default: true
    description: Enable neutron firewall service panel.
    type: boolean
    value: false
  neutron-
    default: true
    description: |
      Enable HA (High Availability) mode in Neutron virtual router in
      the Router panel.
    type: boolean
    value: false
  neutron-
    default: true
    description: Enable neutron load balancer service panel.
    type: boolean
    value: false
  neutron-
    default: true
    description: Enable neutron vpn service panel.
    type: boolean
    value: false
  offline-
    default: true
    description: Use pre-generated Less compiled JS and CSS.
    type: string
    value: "yes"
  openstack-origin:
    description: |
      Repository from which to install. May be one of the following:
      distro (default), ppa:somecustom/ppa, a deb url sources entry,
      or a supported Cloud Archive release pocket.
      Supported Cloud Archive sources include:
      cloud:
      cloud:
      cloud:
      cloud:
      For series=Precise we support cloud archives for openstack-release:
      * icehouse
      For series=Trusty we support cloud archives for openstack-release:
      * juno
      * kilo
      * ...
      NOTE: updating this setting to a source that is known to provide
      a later version of OpenStack will trigger a software upgrade.
    type: string
    value: cloud:trusty-
  openstack-
    default: true
    description: |
      Specifies a default OpenStack release name, or a YAML dictionary
      listing the git repositories to install from.
      The default Openstack release name may be one of the following, where
      the corresponding OpenStack github branch will be used:
      * liberty
      * mitaka
      * newton
      * master
      The YAML must minimally include requirements and horizon repositories,
      and may also include repositories for other dependencies:
      - {name: requirements,
      branch: master}
      - {name: horizon,
      branch: master}
      release: master
    type: string
  os-admin-
    default: true
    description: |
      The hostname or address of the admin endpoints created for
      openstack
      This value will be used for admin endpoints. For example, an
      os-
      the following admin endpoint for the swift-proxy:
      https:/
    type: string
  os-admin-network:
    description: |
      The IP address and netmask of the OpenStack Admin network (e.g., 192.168.0.0/24).
      This network will be used for admin endpoints.
    type: string
    value: X.X.X.X/Y
  os-internal-
    default: true
    description: |
      The hostname or address of the internal endpoints created for
      openstack
      This value will be used for internal endpoints. For example, an
      os-
      create the following internal endpoint for the swift-proxy:
      https:/
    type: string
  os-internal-
    default: true
    description: |
      The IP address and netmask of the OpenStack Internal network (e.g., 192.168.0.0/24).
      This network will be used for internal endpoints.
    type: string
  os-public-
    default: true
    description: |
      The hostname or address of the public endpoints created for
      openstack
      This value will be used for public endpoints. For example, an
      os-
      the following public endpoint for the swift-proxy:
      https:/
    type: string
  os-public-
    default: true
    description: |
      The IP address and netmask of the OpenStack Public network (e.g., 192.168.0.0/24).
      This network will be used for public endpoints.
    type: string
  password-
    description: Enable "Retrieve password" instance action.
    type: boolean
    value: true
  prefer-ipv6:
    default: true
    description: |
      If True enables IPv6 support. The charm will expect network
      interfaces to be configured with an IPv6 address. If set to False
      (default) IPv4 is expected.
      .
      NOTE: these charms do not currently support IPv6 privacy extension.
      In order for this charm to function correctly, the privacy extension
      must be disabled and a non-temporary address must be
      configure
    type: boolean
    value: false
  profile:
    default: true
    description: Default profile for the dashboard. Eg. cisco.
    type: string
  secret:
    description: |
      Secret for Horizon to use when securing internal data; set this when
      using multiple dashboard units.
    type: string
    value: <valid_secret>
  ssl_ca:
    description: |
      Base64-
      with keystone https endpoints and must, therefore, be the same CA
      used by any endpoint configured as https/ssl.
    type: string
    value: |-
      <my_key_here>
  ssl_cert:
    description: |
      Base64-
      juju set openstack-dashbaord ssl_cert="$(cat cert| base64)" \
    type: string
    value: |-
      <my_key_here>
  ssl_key:
    description: |
      Base64-
    type: string
    value: |-
      <my_key_here>
  ubuntu-theme:
    default: true
    description: Use Ubuntu theme for the dashboard.
    type: string
    value: "yes"
  use-syslog:
    description: |
      Setting this to True will allow supporting services to log to syslog.
    type: boolean
    value: true
  vip:
    description: |
      Virtual IP to use to front openstack dashboard ha configuration.
    type: string
    value: X.X.X.X
  vip_cidr:
    default: true
    description: |
      Default CIDR netmask to use for HA vip when it cannot be automatically
      determined.
    type: int
    value: 24
  vip_iface:
    default: true
    description: |
      Default network interface to use for HA vip when it cannot be
      automatically determined.
    type: string
    value: ethY
  webroot:
    description: |
      Directory where application will be accessible, relative to
      http://
    type: string
    value: /
```
The cycle as shown in the juju unit log:
```
2018-02-05 16:32:20 DEBUG update-status * apache2 is running
2018-02-05 16:32:20 INFO juju-log Unit is ready
2018-02-05 16:32:22 INFO juju.worker.
2018-02-05 16:36:38 INFO juju-log Registered config file: /usr/share/
2018-02-05 16:36:38 INFO juju-log Registered config file: /etc/openstack-
2018-02-05 16:36:38 INFO juju-log Registered config file: /etc/haproxy/
2018-02-05 16:36:38 INFO juju-log Registered config file: /etc/apache2/
2018-02-05 16:36:40 INFO juju-log Registered config file: /etc/apache2/
2018-02-05 16:36:40 INFO juju-log Registered config file: /etc/apache2/
2018-02-05 16:36:40 INFO juju-log Registered config file: /etc/apache2/
2018-02-05 16:36:40 INFO juju-log Registered config file: /usr/share/
2018-02-05 16:36:40 DEBUG juju-log Hardening function 'install'
2018-02-05 16:36:40 DEBUG juju-log Hardening function 'upgrade_charm'
2018-02-05 16:36:40 DEBUG juju-log Hardening function 'config_changed'
2018-02-05 16:36:40 DEBUG juju-log Hardening function 'update_status'
2018-02-05 16:36:40 DEBUG juju-log Executing hardening module 'run_apache_checks'
2018-02-05 16:36:40 DEBUG juju-log Starting Apache hardening checks.
2018-02-05 16:36:40 DEBUG juju-log Found user-provided config overrides file '/var/lib/
2018-02-05 16:36:40 DEBUG juju-log No overrides found for 'apache'
2018-02-05 16:36:40 DEBUG juju-log Running 'FilePermission
2018-02-05 16:36:40 DEBUG juju-log Running 'TemplatedFile' check
2018-02-05 16:36:40 INFO juju-log File /etc/apache2/
2018-02-05 16:36:40 INFO juju-log File /etc/apache2/
2018-02-05 16:36:40 INFO juju-log Applying compliance criteria to '/etc/apache2/
2018-02-05 16:36:40 DEBUG juju-log Rendering from template: alias.conf
2018-02-05 16:36:40 DEBUG juju-log Wrote template /etc/apache2/
2018-02-05 16:36:40 DEBUG juju-log Running service 'apache2' actions '['restart']'
2018-02-05 16:36:40 DEBUG update-status * Restarting web server apache2
2018-02-05 16:36:42 DEBUG update-status ...done.
2018-02-05 16:36:42 DEBUG juju-log Running 'TemplatedFile' check
2018-02-05 16:36:42 DEBUG juju-log Running 'DirectoryPermi
2018-02-05 16:36:43 DEBUG juju-log Running 'DisabledModule
2018-02-05 16:36:43 DEBUG juju-log Running 'NoReadWriteFor
2018-02-05 16:36:43 INFO juju-log File /etc/apache2 is not in compliance.
2018-02-05 16:36:43 INFO juju-log Applying compliance criteria to '/etc/apache2'
2018-02-05 16:36:43 DEBUG juju-log Apache hardening checks complete.
2018-02-05 16:36:43 INFO juju-log Updating status.
2018-02-05 16:36:44 INFO juju-log Generating template context for identity-service
2018-02-05 16:36:44 INFO juju-log Missing required data: service_port service_host
2018-02-05 16:36:44 DEBUG update-status ERROR no relation id specified
2018-02-05 16:36:44 INFO juju-log CA cert is the same as installed version
2018-02-05 16:36:44 INFO juju-log Generating template context for identity-service
2018-02-05 16:36:44 INFO juju-log Missing required data: service_port service_host
2018-02-05 16:36:44 INFO juju-log Ensuring haproxy enabled in /etc/default/
2018-02-05 16:36:45 DEBUG juju-log Ensuring haproxy enabled in /etc/default/
2018-02-05 16:36:45 DEBUG update-status haproxy is running.
2018-02-05 16:36:45 DEBUG update-status * memcached is running
2018-02-05 16:36:45 DEBUG update-status * apache2 is running
...
```
Any tip on what could be producing this continuous restart is appreciated.
Thanks!
José.
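The unit log above shows, inside a single update-status run, the 'TemplatedFile' check rewriting a file under /etc/apache2 and restarting apache2, and a few lines later the 'NoReadWriteFor...' check reporting /etc/apache2 not in compliance and applying its own criteria to the same tree. The following is an added model of that interaction written for this page; it is not charm or charmhelpers code. It pairs a file check that enforces one target mode and restarts the service whenever it changed anything with a directory audit that strips group-write and all "other" permission bits from every file it walks. The 0o027 strip mask, the alias.conf file name, the sample content and the two candidate modes are assumptions for the demonstration. It shows that when the two targets disagree the service is restarted on every run, and that once they agree only the first run restarts it.

```python
"""Model of two hardening checks whose target modes disagree.

Added example for this bug page, not charm or charmhelpers code.
file_check() mimics a TemplatedFile-style check: render content, enforce a
mode, restart the service when anything changed.
directory_audit() mimics a directory-wide permission audit that strips
group-write and all "other" bits from every file under the directory.
"""
import os
import stat
import tempfile

# Assumed audit policy: clear group-write (0o020) and all "other" bits (0o007).
AUDIT_STRIP_MASK = 0o027
# Constructed sample content standing in for the rendered alias.conf template.
RENDERED = "# rendered alias.conf (constructed sample content)\n"


def file_check(path, content, mode, restarts):
    """Ensure `path` holds `content` with `mode`; record a restart on any change."""
    changed = not os.path.exists(path)
    if not changed:
        with open(path) as fh:
            changed = fh.read() != content
    if changed:
        with open(path, "w") as fh:
            fh.write(content)
    if stat.S_IMODE(os.stat(path).st_mode) != mode:
        os.chmod(path, mode)
        changed = True
    if changed:
        restarts.append(path)  # the real check runs 'service apache2 restart'
    return changed


def directory_audit(directory, strip_mask=AUDIT_STRIP_MASK):
    """Strip `strip_mask` bits from every file below `directory`; return what was fixed."""
    fixed = []
    for root, _dirs, files in os.walk(directory):
        for name in files:
            p = os.path.join(root, name)
            cur = stat.S_IMODE(os.stat(p).st_mode)
            want = cur & ~strip_mask
            if cur != want:
                os.chmod(p, want)
                fixed.append(p)
    return fixed


def run_hooks(file_mode, runs=3):
    """Simulate `runs` hook executions against a fresh tree.

    Returns the number of restarts each run triggered, in order. The file
    check runs first and the directory audit second, as in the unit log.
    """
    counts = []
    with tempfile.TemporaryDirectory() as apache_dir:
        conf = os.path.join(apache_dir, "mods-available", "alias.conf")
        os.makedirs(os.path.dirname(conf))
        for _ in range(runs):
            restarts = []
            file_check(conf, RENDERED, file_mode, restarts)  # rewrite + restart
            directory_audit(apache_dir)                        # then tighten modes
            counts.append(len(restarts))
    return counts


def converges(file_mode):
    """True when only the very first run restarts the service."""
    counts = run_hooks(file_mode)
    return counts[0] == 1 and not any(counts[1:])


if __name__ == "__main__":
    for mode in (0o0755, 0o0640):
        print("file mode %s -> restarts per run %s, converges=%s"
              % (oct(mode), run_hooks(mode), converges(mode)))
```

With 0o0755 the audit clears the "other" bits after every run, the file check sees 0o0750 on the next run, rewrites the mode and restarts again; with 0o0640 the audit has nothing to strip, so the second and later runs are idempotent. The same dry-run idea, counting what each check would change before letting it act, is a cheap pre-check before enabling `harden: apache` on a live unit.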
tags: added: 4010 cpe-onsite
summary: changed from "caught SIGTERM, shutting down on juju update hook." to "[hardening apache] caught SIGTERM, shutting down on juju update hook."
description: updated
summary: changed from "[hardening apache] caught SIGTERM, shutting down on juju update hook." to "[ssl + hardening apache trusty-mitaka] caught SIGTERM, shutting down on juju update hook."
The following might be the solution:
``` ers/contrib/ hardening/ apache/ checks/ config. py 2017-12-15 10:11:04.162592891 +0000
'mods- available/ alias.conf' ),
context,
TEMPLATES_ DIR,
user= 'root',
service_ actions= [{'service' : 'apache2',
' actions' : ['restart']}]),
--- hooks/charmhelp
+++ - 2018-03-23 14:45:11.059832343 +0000
@@ -52,7 +52,7 @@
- mode=0o0755,
+ mode=0o0640,
```
This is because line 69 applies a stricter mode to the whole apache_dir directory.
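Review bot: the one-line change at `+ mode=0o0640,` stops the restart loop only if 0o0640 is exactly what the directory audit referred to as line 69 leaves in place afterwards; please confirm the two modes agree, because the unit log above shows the flip-flop this hunk is meant to end: 'TemplatedFile' rewrites alias.conf and restarts apache2, then 'NoReadWriteFor...' reports /etc/apache2 not in compliance and re-applies its own criteria, so the file is out of compliance for the next update-status run. Since this check carries `service_actions=[{'service': 'apache2', 'actions': ['restart']}]`, any remaining disagreement still means a restart on every hook. Dropping the execute bit is correct regardless: a mods-available/*.conf file is read by apache2, never executed. A cheap verification is `stat -c %a /etc/apache2/mods-available/alias.conf` after two consecutive update-status runs; with the fix in place the value must not change between them.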