Red Hat Bugzilla – Bug 601153
[apache] Failed configuration update doesn't return gracefully
Last modified: 2010-08-12 12:53:46 EDT
Description of problem:
I tried to update apache configuration with insufficient privileges of the user running the agent. The agent.log contained an error message:
2010-06-07 12:36:20,363 ERROR [ResourceContainer.invoker.nonDaemon-1] (org.rhq.plugins.apache.ApacheDirectoryComponent)- Augeas failed to save configuration Error open_augnew
message Permission denied
That appeared straight after the attempt but the server UI still reported the configuration update "in progress" and failed it only after a timeout of 1 minute.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. Run agent as unprivileged user
2. try to update some apache configuration
The configuration update fails only after timeout, giving the timeout as the reason for the failure, when in fact the error is that the agent doesn't have enough privileges to perform the update.
Correct failure message associated with the config update attempt.
Correction of description:
This specifically happened when trying to update a directory resource. I'm not sure how other resource types behave.
The underlying problem is a TransientObjectException which is getting thrown in ConfigurationManagerBean.completeResourceConfigurationUpdate at line 1245-ish on the call to,
failedConfiguration = entityManager.merge(failedConfiguration);
I came across http://opensource.atlassian.com/projects/hibernate/browse/HHH-2612 which gave me a some additional insight into a possible cause, and HHH-2612 does in fact appear to be involved. I tried setting the Ip property that is nested inside the Listen list property. Looking at the failedConfiguration object in the debugger I discovered that the parent Configuration object referenced by the Listen property had an id of zero which effectively means that the property has a non-existent FK reference.
It should be noted that the failedConfiguration object is the configuration sent across the wire from the agent as part of the ConfigurationUpdateResponse. It could be the case that the parent reference is getting mangled before the configuration is sent down to the agent in which case this would be a server-side bug. If however the parent reference is getting mangled on the agent side, then the problem points to the apache plugin.
I have confirmed that the parent reference is getting mangled on the agent side so it seems that the issue is in the apache plugin or in the plugin container service, ConfigurationManager.
The parent configuration reference is to a transient instance in ApacheServerComponent.updateResourceConfiguration at line 330 which is,
mapping.updateAugeas(tree.getRootNode(), report.getConfiguration(), resourceConfigDef);
I need to investigate the augeas code a bit to see what is going on there. Given that a collection with a cascade style of delete_orphan cannot reference a non-existent (i.e., transient) parent, we might want to consider managing the association between parent and children in these situations. In the case of Configuration and Property objects, when a Property is added to the Configuration we would set the parent reference on the Property at the time.
A slight correction. Configuration.put(Property p) already sets the parent reference on the Property object; however, Configuration.remove(String name) does not unset the parent reference.
Modifying apache plugin so that the parent reference of the Property objects is not changed to a transient Configuration object. The correct update error should be getting reported now.
commit hash: 308cd90c3151705727d172864a6262073043c151
QA Verified. When trying to commit a config change w/ a non privileged user, I get a failure with following error:
net.augeas.AugeasException: Failed to save configuration: Error open_augnewmessage Permission deniedError open_augnewmessage Permission denied at org.rhq.plugins.apache.ApacheServerComponent.updateResourceConfiguration(ApacheServerComponent.java:340)at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)at java.lang.reflect.Method.invoke(Method.java:616)at org.rhq.core.pc.inventory.ResourceContainer$ComponentInvocationThread.call(ResourceContainer.java:525)at java.util.concurrent.FutureTask$Sync.innerRun(FutureTask.java:334)at java.util.concurrent.FutureTask.run(FutureTask.java:166)at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1110)at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:603)at java.lang.Thread.run(Thread.java:636)Caused by: net.augeas.AugeasException: save failedat net.augeas.Augeas.processLastCall(Unknown Source)at net.augeas.Augeas.save(Unknown Source)at org.rhq.augeas.tree.impl.AbstractAugeasTree.save(AbstractAugeasTree.java:155)at org.rhq.plugins.apache.ApacheServerComponent.updateResourceConfiguration(ApacheServerComponent.java:331)... 10 more
Mass-closure of verified bugs against JON.