RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
Bug 2095650 - Dependency from mod_http2 on httpd broken
Summary: Dependency from mod_http2 on httpd broken
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: httpd-2.4-module
Version: 8.6
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: rc
: ---
Assignee: Luboš Uhliarik
QA Contact: Branislav Náter
URL:
Whiteboard:
Depends On:
Blocks: 2143176
TreeView+ depends on / blocked
 
Reported: 2022-06-10 06:38 UTC by Stefan Neufeind
Modified: 2023-05-16 09:28 UTC (History)
1 user (show)

Fixed In Version: httpd-2.4-8080020221213105150.fd72936b
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
: 2143176 (view as bug list)
Environment:
Last Closed: 2023-05-16 08:28:23 UTC
Type: Bug
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Issue Tracker RHELPLAN-124947 0 None None None 2022-06-10 06:52:18 UTC
Red Hat Product Errata RHBA-2023:2789 0 None None None 2023-05-16 08:29:14 UTC

Description Stefan Neufeind 2022-06-10 06:38:01 UTC 
I upgraded packages explicitly not (yet) updating httpd and its module mod_ssl:
dnf update --exclude=httpd\*,mod_ssl --skip-broken

That also triggered an update for mod_http2 (which went unnoticed, between many other updates). No automatic reload of httpd happened and everything still worked afterwards.
Upon logfile-rotation httpd was reloaded - and then a problem because of the updated mod_http2 showed, with a failing httpd and a downtime for websites.
After also updating httpd* and mod_ssl another httpd-restart went fine.

I wonder why it was possible to update mod_http2 if it somehow depended on httpd. And why a "reload" (to trigger logfile-reopening) didn't simply continue to use httpd and mod_http2. (Well, the latter might be explainable since that's actually a "graceful-restart".)

mod_http2   x86_64 1.15.7-5.module+el8.6.0+823+f143cee1   appstream
and worked after also updating httpd with dependent packages:
httpd   x86_64   2.4.37-47.module+el8.6.0+823+f143cee1.1   appstream
Comment 1 Luboš Uhliarik 2022-11-03 19:48:15 UTC 
Hello Stefan, 

Do you know, what version mod_http2 had before and after the update?
Comment 2 Stefan Neufeind 2022-11-04 09:35:40 UTC 
Can't say anymore, sorry. Not easy to retest this in the environment I had around that time.
I only see the versions that I logged in this issue. So that seems to have been *after* the update mod_http2 1.15.7-5.module+el8.6.0+823+f143cee1 - which does seem to have some dependency to httpd and failed a reload with the old httpd/mod_ssl-version I had ... but worked fine after updating to httpd 2.4.37-47.module+el8.6.0+823+f143cee1.1
(I bet the httpd-release before was just one minor patch-level update before that - it's usually alway kept up-to-date.)
Comment 3 Luboš Uhliarik 2022-11-10 23:47:35 UTC 
Hi Stefan,

I found out what is the problem - when I was backporting the CVE fix for httpd, there was a change in API [0]. As a part of that CVE fix, new function ap_post_read_request has been introduced. Therefore, if you try to run a new mod_http2 containing the fix of that CVE, with the older httpd which does not include ap_post_read_request function, httpd startup will end up with the following error:


Nov 10 06:14:21 ci-vm-10-0-137-130.hosted.upshift.rdu2.redhat.com systemd[1]: Starting The Apache HTTP Server...
Nov 10 06:14:21 ci-vm-10-0-137-130.hosted.upshift.rdu2.redhat.com httpd[6922]: httpd: Syntax error on line 59 of /etc/httpd/conf/httpd.conf: Syntax error on line 1 of /etc/httpd/…ead_request
Nov 10 06:14:21 ci-vm-10-0-137-130.hosted.upshift.rdu2.redhat.com systemd[1]: httpd.service: Main process exited, code=exited, status=1/FAILURE
Nov 10 06:14:21 ci-vm-10-0-137-130.hosted.upshift.rdu2.redhat.com systemd[1]: httpd.service: Failed with result 'exit-code'.
Nov 10 06:14:21 ci-vm-10-0-137-130.hosted.upshift.rdu2.redhat.com systemd[1]: Failed to start The Apache HTTP Server.


Unfortunately I forgot to add correct dependency of mod_http2 to the httpd. I will fix this in the next mod_http2 release and I will try to come up with some tests so it will be less likely to this issue to happen again.

[0] https://bugzilla.redhat.com/show_bug.cgi?id=2035030
Comment 4 Stefan Neufeind 2022-11-11 07:18:31 UTC 
Wow, thanks a bunch for digging this deep into it. Sounds logical and promising. Thanks for the update.
Comment 18 errata-xmlrpc 2023-05-16 08:28:23 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (httpd:2.4 bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2023:2789
Note You need to log in before you can comment on or make changes to this bug.