Comment 2 for bug 1376548
Revision history for this message
| Paul Bickerstaff (paul-bickerstaff) wrote RE: [Bug 1376548] [NEW] service slapd stop fails | #2 |
© 2004
Canonical Ltd.
•
Terms of use
•
Data privacy
•
Contact Launchpad Support
•
Blog
•
Careers
•
System status
•
73416ba
(Get the code!)
The failure to stop was consistent.
There was no logging, consistent with the successful exit code triggered by --oknodo.
Experimentation showed that --exec was failing and it was because /proc/$(pidof slapd)/exe could not be read ("Permission denied" to root).
It has occurred to me belatedly that this is because I'm running slapd inside a docker container (Docker version 1.2). I apologize for not being alert enough to recognize this earlier.
The container is running with various capabilities (NET_ADMIN, SYS_ADMIN, SYSLOG, DAC_OVERRIDE, NET_BIND_SERVICE, SETGID, SETUID). It will not run in privileged mode -- due to (flaws in the profile for) apparmor. So /proc is a protected area (read-only for example if not in privileged mode but even more limited for security reasons).
While I now understand what is causing the problem, and can edit the init.d script when building the docker image, I believe that the logic in the stop_slapd function is flawed.
The slapd function is not stopping, due to a failure, but the stop function is ending with exit code 0. The fundamental flaw may well be in start-stop-daemon but this init script tests for the existence of SLAPD_PIDFILE but assumes erroneously that "--exec $SLAPD" is functional.
I admit I don't grasp why --oknodo is not recognizing a failure (which is evident if this option is dropped) and interpreting the situation as nothing to do.
I suggest that the environment I am running in will become increasingly more common and plea for a fix to be made.
The scenario of concern driving the current script, i.e. an existing pidfile but daemon has died, could be tested for. If not the case then --pidfile alone should be sufficient. If the daemon has stopped then it would be OK for the stop function to exit gracefully, possibly with a warning about the pidfile. If there is no pidfile then I think the script is already exiting. One could, if the pidfile didn't stop a running daemon, attempt the --exec option. One can also try a brute force stop without using either option if both fail.
Cheers
Paul Bickerstaff
DevOps, Portland Software Services
Mobile: +6421390266
-----Original Message-----
From: <email address hidden> [mailto:<email address hidden>] On Behalf Of Ryan Tandy
Sent: Friday, 3 October 2014 8:04 a.m.
To: <email address hidden>
Subject: Re: [Bug 1376548] [NEW] service slapd stop fails
Hi Paul,
Thanks for the report.
On Wed, Oct 1, 2014 at 8:03 PM, Paul Bickerstaff <email address hidden> wrote:
> In "Ubuntu 14.04.1 LTS" amd64 with slapd package version
> "2.4.31-
> following standard service command fails to have effect.
Is there any output from slapd in /var/log/syslog that might indicate why it didn't stop? Is it still responding normally to connections after that?
Is this happening consistently for you, or only intermittently? If the latter, can you see any pattern in when it happens?
> The problem is clouded by the --oknodo option in /etc/init.d/slapd.
> This is responsible for the erroneous report.
JFTR: the intent of --oknodo is to provide idempotence, per the examples in the start-stop-
> stop_slapd() {
> reason=
> --pidfile "$SLAPD_PIDFILE" \
> --exec $SLAPD 2>&1`"
> }
>
> Removing --oknodo demonstrates a failure with exit code 1. The role of
> oknodo should be reconsidered here.
>
> Further experimentation shows that the --exec option is not working.
That agrees with the return codes; 0 with --oknodo and 1 without it means that start-stop-
However, your ps output above shows the command as /usr/sbin/slapd, which (assuming you haven't modified the init script) is exactly what --exec should be checking for. So I don't understand why this wouldn't be working for you.
It definitely doesn't seem that slapd is failing to stop (which answers some of my questions above); I'd expect s-s-d to return 2 in that case.
Can you verify that /proc/$(pidof slapd)/exe does point to /usr/sbin/slapd?
> Since the init script is checking for $SLAPD_PIDFILE and exiting if
> empty, I suggest just dropping "--exec $SLAPD" from the init script.
> It is superfluous and the "service slapd stop" command will work after
> its removal.
As I understand it, the --exec test is there to protect against the case where the daemon has already died but the pidfile is stil present (for example, if it crashed), and some other unrelated process has already taken over the PID. My larger concern is *why* --exec isn't working properly on your system -- this could be a symptom of something more subtle.
cheers,
Ryan
--
You received this bug notification because you are subscribed to the bug report.
https:/
Title:
service slapd stop fails
Status in “openldap” package in Ubuntu:
New
Bug description:
In "Ubuntu 14.04.1 LTS" amd64 with slapd package version
"2.4.
following standard service command fails to have effect.
# service slapd stop
* Stopping OpenLDAP slapd [ OK ]
# ps -ef | grep slapd | grep -v grep
openldap 196 1 0 02:00 ? 00:00:00 /usr/sbin/slapd -h ldap:/// ldapi:/// -g openldap -u openldap -F /etc/ldap/slapd.d
i.e. it reports all is OK but it failed to stop the running process
which continues with the same pid.
The problem is clouded by the --oknodo option in /etc/init.d/slapd.
This is responsible for the erroneous report.
stop_slapd() {
}
Removing --oknodo demonstrates a failure with exit code 1. The role of
oknodo should be reconsidered here.
Further experimentation shows that the --exec option is not working.
Since the init script is checking for $SLAPD_PIDFILE and exiting if
empty, I suggest just dropping "--exec $SLAPD" from the init script.
It is superfluous and the "service slapd stop" command will work after
its removal.
SLAPD_PIDFILE is correctly identified on my system.
Mine is a stock standard fresh slapd install.
To manage notifications about this bug go to:
https:/