[Bug 1782806] Re: Typo in apache2-maintscript-helper causes MPM check to misfire
Andreas Hasenack
andreas at canonical.com
Thu Oct 11 18:41:14 UTC 2018
** Description changed:
[Impact]
There are two conditions for this bug to happen, as far as I could figure out:
a) the mpm_prefork module configuration files are named just prefork.{conf,module} instead of, or in addition to, mpm_prefork.{conf,module}
b) this renamed prefork mpm module is enabled manually instead of using a2enmod
These conditions mean that one will have two mpm modules enabled at the
same time in /etc/apache2/mod-enabled, something that the a2enmod tool
knows how to prevent. But the symlinks can still be created manually.
+ Note that apache2 will fail to (re)start in this situation.
These were the conditions I could figure out via code inspection and
from logs from this bug and #1771934, meaning, I could reproduce the
same error, including shell code path execution.
It's quite a corner case, but it showed a real bug in the apache apache2
-maintscript-helper shell script. It seems to be triggered by a
puppetlabs module, but I didn't install or configure puppet to confirm.
One could argue it's a local configuration issue, since non-standard
tools were used, but the bug it showed in the apache script is real and
I believe it's worth fixing.
- Once the two mpm modules (event, from the default install, and preform, from the manual symlink) are enabled at the same time, the following happens when php is installed:
+ Once the two mpm modules (event, from the default install, and prefork, from the manual symlink) are enabled at the same time (see testing instructions for an example on how to do it), the following happens when php is installed:
- php's postinst runs a2query -M to check which mpm is in use
- that call returns "event", so php proceeds to switch the mpm to prefork by calling "apache2_switch_mpm prefork"
- - due to the bug, apache2_switch_mpm() will check if "prefork" (and NOT mpm_prefork) is already enabled. At this line, $MPM=preform, and $mpm is not defined. So this:
+ - due to the bug, apache2_switch_mpm() will check if "prefork" (and NOT mpm_prefork) is already enabled. In this line, $MPM=prefork, and $mpm is not defined. So this:
a2query -m "$mpm_$MPM" > /dev/null 2>&1 || a2query_ret=$?
Turns into:
+
a2query -m "prefork" > /dev/null 2>&1 || a2query_ret=$?
- because there is a /etc/apache2/mods-enabled/prefork.* symlink (manually created), this returns 0, in which case the function determines there is nothing to do (prefork is already enabled!) and exits 0 without actually switching anything
- - mpm_event is still enabled, and when a2enmod is called to enable php, that correctly complains and fails.
+ - but mpm_event is still enabled, and when a2enmod is called to enable php, that correctly complains and fails.
With the fix, the a2query call from apache2_switch_mpm() will correctly
determine that mpm_prefork is not enabled, and perform the requested
switch.
In the end, prefork will be loaded twice, but apache handles that
gracefully and ignores the second load:
[Thu Oct 11 18:33:48.576838 2018] [so:warn] [pid 9923] AH01574: module
mpm_prefork_module is already loaded, skipping
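Review bot: In the changed bullet about apache2_switch_mpm(), "$mpm is not defined" names the wrong variable. In `a2query -m "$mpm_$MPM"` the underscore is a valid name character, so the shell expands the unset variable `mpm_` followed by `$MPM`, which is why the argument collapses to just "prefork". Suggest wording it as "$mpm_ is not defined". The unchanged paragraph above also has /etc/apache2/mod-enabled where the later bullet uses /etc/apache2/mods-enabled.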
[Test Case]
sudo apt update
sudo apt install apache2
sudo cp /etc/apache2/mods-available/{mpm_prefork,prefork}.conf
sudo cp /etc/apache2/mods-available/{mpm_prefork,prefork}.load
sudo ln -s /etc/apache2/mods-{available,enabled}/prefork.load
sudo ln -s /etc/apache2/mods-{available,enabled}/prefork.conf
Installing the php7.2 module now will fail:
sudo apt install libapache2-mod-php7.2
Creating config file /etc/php/7.2/apache2/php.ini with new version
apache2_switch_mpm prefork: No action required
dpkg: error processing package libapache2-mod-php7.2 (--configure):
installed libapache2-mod-php7.2 package post-installation script subprocess returned error exit status 1
E: Sub-process /usr/bin/dpkg returned an error code (1)
With the package from proposed, the above will work just fine.
If a user is in the failed situation already, a dist-upgrade also fixes the problem.
[Regression Potential]
+ One has to wonder if there are modules and helpers out there relying on this bug, or what kind of workarounds they might have implemented already for this.
- * discussion of how regressions are most likely to manifest as a result
- of this change.
+ There is an example in the puppetlaps apache2 module where they
+ deliberately disable mpm_event while installing php:
- * It is assumed that any SRU candidate patch is well-tested before
- upload and has a low overall risk of regression, but it's important
- to make the effort to think about what ''could'' happen in the
- event of a regression.
+ https://github.com/puppetlabs/puppetlabs-
+ apache/blob/3bd70296be093a10713fd2f85676ac08d305e93f/manifests/mpm.pp#L76
- * This both shows the SRU team that the risks have been considered,
- and provides guidance to testers in regression-testing the SRU.
-
+
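Review bot: The new [Regression Potential] text is missing the symptom a tester should watch for. It asks whether modules or helpers rely on the bug, but not what would break for them once apache2_switch_mpm actually performs the switch. Suggest adding one sentence on that, correcting "puppetlaps" to "puppetlabs", and keeping the mpm.pp URL on a single line so it is not split at the hyphen.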
[Other Info]
-
- * Anything else you think is useful to include
- * Anticipate questions from users, SRU, +1 maintenance, security teams and the Technical Board
- * and address these questions in advance
+ The reproducer steps might be a bit too artificial, but are easy to follow than an actual puppet installation, and I believe they show the problem correctly. Nonetheless, it would be good to see puppet users perform this verification using the actual puppet module that is suspected to trigger the bug.
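Review bot: "are easy to follow than" in the added [Other Info] line should read "are easier to follow than".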
[Original Description]
The following line appears to have a typo:
a2query -m "$mpm_$MPM" > /dev/null 2>&1 || a2query_ret=$?
It should read:
a2query -m "mpm_$MPM" > /dev/null 2>&1 || a2query_ret=$?
Since $mpm is not defined. Later on there are references to enabling and
disabling "mpm_$MPM".
https://salsa.debian.org/apache-
team/apache2/blob/master/debian/debhelper/apache2-maintscript-
helper#L290
This appears to trip up the Puppet apache module since it creates a
prefork module (rather than mpm_prefork), which results in the above
query returning a positive response. This is what's happening in bug
#1771934.
Fix is obvious and trivial so can hopefully be implemented soon. Appears
only to affect bionic since xenial had different code.
https://bugs.launchpad.net/bugs/1782806
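The misparse behind this bug, as an added example that is not code from apache2-maintscript-helper: the shell takes the longest valid name after `$`, so `"$mpm_$MPM"` expands the unset variable `mpm_` followed by `$MPM`. `MODS_ENABLED` and the `a2query` stub are assumptions standing in for /etc/apache2/mods-enabled and the real tool, and `check_nounset` shows that `set -u` turns the typo into a hard error instead of a silent false positive.

```shell
#!/bin/sh
# Added example: constructed sandbox, not the real maintscript helper.
unset mpm mpm_                      # make sure neither name is inherited

MODS_ENABLED=$(mktemp -d)           # assumption: stands in for mods-enabled
trap 'rm -rf "$MODS_ENABLED"' EXIT

# Constructed state from the test case: mpm_event enabled by the package,
# prefork.load linked in by hand.
: > "$MODS_ENABLED/mpm_event.load"
: > "$MODS_ENABLED/prefork.load"

# Stub (assumption): succeeds only if <module>.load exists in the sandbox.
a2query() {
    [ "$1" = "-m" ] && [ -e "$MODS_ENABLED/$2.load" ]
}

# Line as shipped: "$mpm_$MPM" is read as ${mpm_}${MPM}, i.e. just "$MPM".
check_buggy() {
    MPM=$1
    a2query_ret=0
    a2query -m "$mpm_$MPM" > /dev/null 2>&1 || a2query_ret=$?
    return "$a2query_ret"
}

# Corrected line: literal prefix "mpm_" followed by $MPM.
check_fixed() {
    MPM=$1
    a2query_ret=0
    a2query -m "mpm_$MPM" > /dev/null 2>&1 || a2query_ret=$?
    return "$a2query_ret"
}

# Same typo under nounset: the subshell aborts on the unset variable,
# so the check can no longer report "already enabled".
check_nounset() {
    ( set -u; MPM=$1; a2query -m "$mpm_$MPM" ) > /dev/null 2>&1
}

# Exit 0 means "module already enabled, no action required".
for f in check_buggy check_fixed check_nounset; do
    rc=0
    "$f" prefork || rc=$?
    echo "$f prefork: exit $rc"
done
```
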