Bug 1365226

Summary: error running non-shared postrotate script for /var/log/radius/radius.log of '/var/log/radius/radius.log '
Product: Red Hat Enterprise Linux 7 Reporter: Nikolai Kondrashov <nikolai.kondrashov>
Component: freeradiusAssignee: Alex Scheel <ascheel>
Status: CLOSED DUPLICATE QA Contact: Jaroslav Aster <jaster>
Severity: medium Docs Contact:
Priority: unspecified    
Version: 7.2CC: ascheel, dpal, ebenes, glamb, jaster, joerg.kastning, mkosek, nikolai.kondrashov, pkis, qe-baseos-security, redhat-bugzilla, robert.scheck, santony
Target Milestone: rc   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: 1249725 Environment:
Last Closed: 2019-07-24 16:49:10 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1191920, 1249725    
Bug Blocks: 1269194    

Comment 1 Nikolai Kondrashov 2016-08-08 16:38:40 UTC 
The original bug says:
Above error is triggered if radius is not running while the postrotate
script of logrotate tries to reload the daemon
Comment 3 Nikolai Kondrashov 2017-02-16 11:48:19 UTC 
This is fixed easily by changing

    postrotate
            /usr/bin/systemctl reload radiusd

To

    postrotate
            /usr/bin/systemctl reload-or-try-restart radiusd

A simple test could be to stop the service and then run logrotate.
Like this:

    sudo service radiusd stop
    sudo logrotate -f /etc/logrotate.d/radiusd

Logrotate should exit succesfully, without an error message.
Comment 6 Jaroslav Aster 2017-06-16 16:33:24 UTC 
Hi Nikolai,

unfortunately your fix does not work. May be it is a problem in systemd, because systemctl returns on-zero return code if you try reload/restart unit which is not active. Becuase of that, logrotate still produce error message.

# rpm -q freeradius
freeradius-3.0.13-6.el7.aarch64

# grep systemctl /etc/logrotate.d/radiusd 
                /usr/bin/systemctl reload-or-try-restart radiusd

# systemctl stop radiusd

# logrotate -f /etc/logrotate.d/radiusd 
Job for radiusd.service invalid.
error: error running non-shared postrotate script for /var/log/radius/radius.log of '/var/log/radius/radius.log '


I found command which works, but it is not pretty :-).

/usr/bin/systemctl -q is-active radiusd && /usr/bin/systemctl reload-or-try-restart radiusd || true


I suggest to postpone this bug to 7.5 and remove it from the errata. The fix can stay and we can live with bad changelog. It's not a problem. We do not have time for another respin.
Comment 7 Nikolai Kondrashov 2017-06-19 09:47:43 UTC 
Thanks for testing, Jaroslav.

This seems to be a bug in systemd. 'systemctl reload-or-try-restart' should return success in case the unit is not running. This is its whole purpose and is specified in the manpage. I think it was fixed in systemd v229. I think this is the issue:

    https://github.com/systemd/systemd/issues/688
Comment 8 Jaroslav Aster 2017-06-19 15:46:14 UTC 
I see, there is a rhel bug for that bz#1191920. Two years old.

I do not know how to solve it. Freeradius has been fixed, but the behaviour for customers will be the same.
Comment 9 Nikolai Kondrashov 2017-06-19 16:30:56 UTC 
How about we change the command to this:

    /usr/bin/systemctl is-active -q radiusd && /usr/bin/systemctl reload-or-restart radiusd
Comment 10 Jaroslav Aster 2017-06-19 16:53:04 UTC 
This does not work, I tested it before. Postrotate section needs zero return code and systemctl is-active returns non-zero code if unit is inactive.

# systemctl is-active radiusd
failed
# echo $?
3


original:

# grep systemctl /etc/logrotate.d/radiusd 
                /usr/bin/systemctl reload-or-try-restart radiusd
# logrotate -f /etc/logrotate.d/radiusd 
Job for radiusd.service invalid.
error: error running non-shared postrotate script for /var/log/radius/radius.log of '/var/log/radius/radius.log '


your solution:

# grep systemctl /etc/logrotate.d/radiusd 
                /usr/bin/systemctl is-active -q radiusd && /usr/bin/systemctl reload-or-try-restart radiusd
# logrotate -f /etc/logrotate.d/radiusd 
error: error running non-shared postrotate script for /var/log/radius/radius.log of '/var/log/radius/radius.log '


my solution:

# grep systemctl /etc/logrotate.d/radiusd 
                /usr/bin/systemctl is-active -q radiusd && /usr/bin/systemctl reload-or-try-restart radiusd || true
# logrotate -f /etc/logrotate.d/radiusd


My solution works, there is no error message, but we mask any issue in running postrotate script, so it's not clean.

The best way is to fix systemd, but it will not be done in 7.4. We have two options. We can verified this bug and mention the issue in some release notes or remove the bug from errata and leave the fix in package. We do not have time for respin.
Comment 11 Nikolai Kondrashov 2017-06-19 17:02:29 UTC 
Well, I can probably throw together a little script which will return the proper return value for logrotate (I hadn't noticed that problem, indeed). However, if you say we don't have time for a respin, then let's remove this bug from errata and postpone the fix.

Perhaps we'll have an opportunity to work this around before systemd has an opportunity to fix their bug.
Comment 12 Robert Scheck 2017-06-19 18:07:34 UTC 
Let me summarize this from customer perspective: I filed this issue nearly
2 years ago against RHEL 6...where nothing happened and it got finally now
closed because RHEL 6 is too old for non-critical fixes. And we are playing
now a similar game for RHEL 7. I know my comment is technically not helpful
at all, but based on current progress it smells like a WONTFIX for RHEL 7.
Comment 18 Nikolai Kondrashov 2017-06-20 15:34:37 UTC 
Hi Robert,

I understand your frustration. Sorry, we couldn't make the right fix for this on time. We'll keep this bug open and implement a workaround at the next opportunity, unless systemd fixes their bug first.

We'll probably be putting this into postrotate section as the workaround:

    if /usr/bin/systemctl is-active -q radiusd; then /usr/bin/systemctl reload-or-restart radiusd; fi
Comment 20 Joerg K 2018-07-24 10:13:14 UTC 
Hello all,

the last update to this bug is from a year ago. I stepped on this bug today with freeradius-utils-3.0.13-9.el7_5.x86_64 in RHEL 7.5. From a short look at /etc/logrotate.d/radiusd I would guess that the workaround from Nikolai is not implemented, yet.

Are there any news when this workaround could be provided by a package update or the root problem gets fixed?

Best regards,
Joerg
Comment 21 Nikolai Kondrashov 2018-08-14 13:45:11 UTC 
Joerg, we don't have a plan for a FreeRADIUS update at this moment, but the underlying systemd Bug 1191920 seems to have finally been fixed and the fix might make it into RHEL7.6.
Comment 22 Joerg K 2018-08-15 09:06:21 UTC 
(In reply to Nikolai Kondrashov from comment #21)
Hi Nikolai,

Thanks for your answer.

I'm going to follow the systemd [Bug 1191920](https://bugzilla.redhat.com/show_bug.cgi?id=1191920) and hope the fix make it into RHEL 7.6.

Thanks,
Joerg
Comment 23 Robert Scheck 2018-08-30 16:51:43 UTC 
Nikolai, one year later: Why did a simple fix like below still not happen
after 2+ years now?

…
postrotate
 /bin/systemctl --quiet is-active radiusd.service && /bin/systemctl reload-or-try-restart radiusd.service || true
endscript
…
Comment 24 Nikolai Kondrashov 2018-08-30 17:08:34 UTC 
Hi Robert, we didn't have an update to FreeRADIUS scheduled during that time. The fix is indeed simple. If you're customer, please raise this issue through support, as this bug might have simply fallen through the cracks. Thank you.
Comment 25 Robert Scheck 2018-08-30 17:33:41 UTC 
Nikolai, I did this 3+ years ago when opening bug #1249725 already. And I
now escalated the case there, even this likely only affects GSS rather the
engineering.