[Bug 939829] New: nagios from server:monitoring breaks apache due to deprecated config files
http://bugzilla.suse.com/show_bug.cgi?id=939829 Bug ID: 939829 Summary: nagios from server:monitoring breaks apache due to deprecated config files Classification: openSUSE Product: openSUSE Factory Version: 201505* Hardware: Other OS: Other Status: NEW Severity: Normal Priority: P5 - None Component: Apache Assignee: bnc-team-apache@forge.provo.novell.com Reporter: wagner-thomas@gmx.at QA Contact: qa-bugs@suse.de Found By: --- Blocker: --- On a fresh Tumbleweed installation I installed nagios from server:monitoring. Then I couldn't restart apache. Journalctl shows: Jul 29 11:01:18 tumbleweed start_apache2[9496]: AH00526: Syntax error on line 14 of /etc/apache2/conf.d/nagios.conf: Jul 29 11:01:18 tumbleweed start_apache2[9496]: Invalid command 'Order', perhaps misspelled or defined by a module not included in the server configuration The reason: "Order" is from apache 2.2 but with tumbleweed apache 2.4 is shipped. According to http://httpd.apache.org/docs/2.4/upgrading.html two solutions for this probelm exist: 1) using "Require" instead of order for apache 2.4 2) mod_access_compat can be used. Solution 1) is IMHO the way to go. However it's incompatible with apache 2.2 and server:monitoring builds for lots of distributions. Is any of these still using apache 2.2? -- You are receiving this mail because: You are on the CC list for the bug.
http://bugzilla.suse.com/show_bug.cgi?id=939829 http://bugzilla.suse.com/show_bug.cgi?id=939829#c1 Petr Gajdos <pgajdos@suse.com> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |pgajdos@suse.com Assignee|bnc-team-apache@forge.provo |lars.vogdt@suse.com |.novell.com | --- Comment #1 from Petr Gajdos <pgajdos@suse.com> --- (In reply to Thomas Wagner from comment #0)
Solution 1) is IMHO the way to go. However it's incompatible with apache 2.2 and server:monitoring builds for lots of distributions. Is any of these still using apache 2.2?
Yes, there are, for example 13.1. But a patch can be applied depending for which distro is nagios building. Ideally, the old and new syntax should be used depending if access_compat module is loaded, see https://build.opensuse.org/package/view_file/devel:tools:scm/git/apache2-git... for example. Lars, it seems you are maintaining nagios, aren't you? -- You are receiving this mail because: You are on the CC list for the bug.
http://bugzilla.suse.com/show_bug.cgi?id=939829 http://bugzilla.suse.com/show_bug.cgi?id=939829#c2 --- Comment #2 from Petr Gajdos <pgajdos@suse.com> --- Oops, 13.1 has 2.4.6, mistake. So it is only SLE_11_SP3 with apache 2.2 which is nagios building against in server:monitoring. Lars, please look at sr#319692 -- untested. -- You are receiving this mail because: You are on the CC list for the bug.
http://bugzilla.suse.com/show_bug.cgi?id=939829 http://bugzilla.suse.com/show_bug.cgi?id=939829#c3 --- Comment #3 from Thomas Wagner <wagner-thomas@gmx.at> --- (In reply to Petr Gajdos from comment #1)
Ideally, the old and new syntax should be used depending if access_compat module is loaded, see
https://build.opensuse.org/package/view_file/devel:tools:scm/git/apache2- gitweb.conf
How does this config file work with apache 2.2? IMHO <IfModule !mod_access_compat.c> would resolve to "True" and the "Require" part is included in apache 2.2 instead of the "Order/Allow" part. -- You are receiving this mail because: You are on the CC list for the bug.
http://bugzilla.suse.com/show_bug.cgi?id=939829 http://bugzilla.suse.com/show_bug.cgi?id=939829#c4 --- Comment #4 from Petr Gajdos <pgajdos@suse.com> --- This patch is not to be applied when package is building for e. g. (In reply to Thomas Wagner from comment #3)
https://build.opensuse.org/package/view_file/devel:tools:scm/git/apache2- gitweb.conf
How does this config file work with apache 2.2? IMHO <IfModule !mod_access_compat.c> would resolve to "True" and the "Require" part is included in apache 2.2 instead of the "Order/Allow" part.
Correct, this conf file is not intended for 2.2 at all. -- You are receiving this mail because: You are on the CC list for the bug.
http://bugzilla.suse.com/show_bug.cgi?id=939829 http://bugzilla.suse.com/show_bug.cgi?id=939829#c5 Lars Vogdt <lars.vogdt@suse.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |CONFIRMED CC| |lars.vogdt@suse.com, | |wagner-thomas@gmx.at Flags| |needinfo?(wagner-thomas@gmx | |.at) --- Comment #5 from Lars Vogdt <lars.vogdt@suse.com> --- FYI: I accepted request 319692 - but shortly after that I noticed that Nagios Enterprises released a newer nagios version (4.1.0) containing a slightly different configuration that uses mod_version to determine if the old or new options should be used. To follow upstream a bit more, I decided to remove the nagios-apache24.patch and instead rely more on the upstream sample configuration (and load mod_version in apache2). Nevertheless I added a small patch that brings kohanna back into the game if it is available. @Thomas: can you please test if the latest nagios package works for you? -- You are receiving this mail because: You are on the CC list for the bug.
http://bugzilla.suse.com/show_bug.cgi?id=939829 http://bugzilla.suse.com/show_bug.cgi?id=939829#c6 Thomas Wagner <wagner-thomas@gmx.at> changed: What |Removed |Added ---------------------------------------------------------------------------- Flags|needinfo?(wagner-thomas@gmx | |.at) | --- Comment #6 from Thomas Wagner <wagner-thomas@gmx.at> --- (In reply to Lars Vogdt from comment #5)
@Thomas: can you please test if the latest nagios package works for you? Just did two test, one on latest tumbleweed and one on openSUSE 13.1. The tumbleweed installation does work, however the nagios webfrontend is now broken on openSUSE 13.1. On openSUSE 13.1, I get a 403 (access denied) from apache when accessing http://localhost/nagios
I had to manually replace the "Require all granted" with the old "Order/Allow" syntax to make nagios' webfrontend accessible again. Below I pasted the "zypper info" (without the long description) to show which versions of nagios an apache I used. # zypper info nagios Loading repository data... Reading installed packages... Information for package nagios: ------------------------------- Repository: server:monitoring Name: nagios Version: 4.1.0-2.1 Arch: x86_64 Vendor: obs://build.opensuse.org/server:monitoring Installed: Yes Status: up-to-date Installed Size: 976.0 KiB Summary: The Nagios Network Monitor # zypper info apache2 Loading repository data... Reading installed packages... Information for package apache2: -------------------------------- Repository: openSUSE-13.1-Update Name: apache2 Version: 2.4.6-6.47.1 Arch: x86_64 Vendor: openSUSE Installed: Yes Status: up-to-date Installed Size: 3.5 MiB Summary: The Apache Web Server Version 2.2 -- You are receiving this mail because: You are on the CC list for the bug.
http://bugzilla.suse.com/show_bug.cgi?id=939829 http://bugzilla.suse.com/show_bug.cgi?id=939829#c8 --- Comment #8 from Petr Gajdos <pgajdos@suse.com> --- (In reply to Andrew Daugherity from comment #7)
This happens if your are using mod_access_compat. When that is enabled, you *must* use the 2.2 syntax and you'll get a 403 if trying to use the 2.4
*Generally*, that is not exactly true as far as I know. If both authz_core and access_compat are loaded, you can use either system you want.
Require ... syntax. It might work to use both at once but that gets confusing (and possibly undefined if they conflict!).
You can even use both of them together, but the result has to be consistent, that is: access is allowed if both systems allow. If at least one forbids, access is forbidden. See 881506 comment 18.
Because of this, relying on a version check is insufficient, as 2.4
Yes, thats true (because of access_compat), nevertheless ..
w/mod_access_compat behaves like 2.2. Adding wrappers like <IfModule mod_access_compat.c> Order allow,deny Allow from all </IfModule> <IfModule !mod_access_compat.c> Require all granted </IfModule>
.. whether this will work depends also on which syntax is used previously. If mod_access is loaded but new syntax forbid into this dir, this won't work. Also note that access_compat is not present in sle11. So I would disclaim my comment 1 for distros older than Tumbleweed.
e.g. default-server.conf. I would suggest backporting the fix to 13.1/13.2, but that's beyond the scope of this bug, and the other one is closed, so ???
In my opinion, this is too invasive change to backport, I am afraid. The situation on newly installed distros (not upgrades!) is as follows: sle11 no access_compat httpd.conf (Deny for /): old syntax 13.1 access_compat static httpd.conf (Deny for /): new syntax 13.2 access_compat static httpd.conf (Deny for /): new syntax Tumbleweed access_compat shared, not loaded by default httpd.conf (Deny for /): old syntax when access_compat loaded, new syntax otherwise So everywhere in supported openSUSEs we can assume that new syntax should be preferred. I tend to agree with Lars to use upstream solution. Currently I do not se a way to catch all possibilities. -- You are receiving this mail because: You are on the CC list for the bug.
participants (1)
-
bugzilla_noreply@novell.com