GGUS-Ticket-ID: #158702 "WAITING FOR REPLY" "ARGUS" "can not start argus pepd process after update of IGTF certs"
help...@ggus.org
Hello,
GGUS ticket #158702 was updated.
REFERENCE LINK: https://ggus.eu/index.php?mode=ticket_info&ticket_id=158702
SUBJECT: can not start argus pepd process after update of IGTF certs
LATEST MODIFICATIONS:
LAST MODIFIER: Enrico Vianello
STATUS: waiting for reply
PUBLIC DIARY:
Hi all,
I'm testing the rpms currently stored into Argus beta repo:
Repo site: http://argus-authz.github.io/repo/
Beta repo file URL: http://argus-authz.github.io/repo/yum/argus-rpm-beta-centos7.repo
Pep server 1.7.4 fixes this issues. I'm going to release them next monday but some debug/help on testing them is welcome.
The list of updated rpms includes also other components because there were some pending updates so it was also time to release all of them. The list is:
- argus-pap-1.7.3-1.el7.noarch.rpm
- argus-pdp-1.7.1-1.el7.noarch.rpm
- argus-pdp-pep-common-1.5.2-1.el7.noarch.rpm
- argus-pep-api-c-2.3.1-1.el7.x86_64.rpm
- argus-pep-api-c-debuginfo-2.3.1-1.el7.x86_64.rpm
- argus-pep-api-c-devel-2.3.1-1.el7.x86_64.rpm
- argus-pep-server-1.7.4-1.el7.noarch.rpm
Let me know if you will test them. In any case soon they'll be officially released.
Cheers,
Enrico
*********************************************************************
This is an automated mail. When replying don't change the subject line!
S T R I P P R E V I O U S M A I L S please!!
*********************************************************************
help...@ggus.org
Hello,
GGUS ticket #158702 was updated.
REFERENCE LINK: https://ggus.eu/index.php?mode=ticket_info&ticket_id=158702
SUBJECT: can not start argus pepd process after update of IGTF certs
LATEST MODIFICATIONS:
LAST MODIFIER: Mischa Salle
PUBLIC DIARY:
Hi Enrico,
that's good news. Do you know from which tags/releases/branches the different packages are built? I was trying to figure out what is new.
And does this also fix https://ggus.eu/index.php?mode=ticket_info&ticket_id=151766 ?
Cheers
Mischa
help...@ggus.org
Hello,
GGUS ticket #158702 was updated.
REFERENCE LINK: https://ggus.eu/index.php?mode=ticket_info&ticket_id=158702
SUBJECT: can not start argus pepd process after update of IGTF certs
LATEST MODIFICATIONS:
LAST MODIFIER: Enrico Vianello
PUBLIC DIARY:
Hi Mischa,
yes, that argus-pap-1.7.3 has been built from develop branch which contains that fix:
https://github.com/argus-authz/argus-pap/commits/develop (it's the second from the top)
I know it's a little bit a mess but I'm going to tag things and do some merge and also set for each component the latest branch as the github default in order to highlight the latest commit/changes.
I'm going to update the release notes ot argus-authz official doc.
Cheers,
Enrico
help...@ggus.org
Hello,
GGUS ticket #158702 was updated.
REFERENCE LINK: https://ggus.eu/index.php?mode=ticket_info&ticket_id=158702
SUBJECT: can not start argus pepd process after update of IGTF certs
LATEST MODIFICATIONS:
LAST MODIFIER: Robert Currie
PUBLIC DIARY:
Hi,
Just to contribute, I tried updating to the beta repo on one of our Argus servers (with latest java, and 117 CA...) and hit the following:
pep is fine :)
pap is fine :)
pdp is NOT fine :(
I see the following from systemd:
pdpctl[1685]: /usr/sbin/pdpctl: ERROR: /usr/share/java/voms-api-java.jar in classpath does not exist
This blocking error meant I couldn't start the pdp service. (I only have epel, argus and the default CO7 repos enabled so all packages are from these).
For now I've rolled back to stable rather than debug this further as I think this is a dependency on some OSG rpm (from a quick google). I don't know if it's possible to update pep+pap and leave pdp but I didn't want to spend too long with the argus server offline.
Best Regards,
Rob
help...@ggus.org
Hello,
GGUS ticket #158702 was updated.
REFERENCE LINK: https://ggus.eu/index.php?mode=ticket_info&ticket_id=158702
SUBJECT: can not start argus pepd process after update of IGTF certs
LATEST MODIFICATIONS:
LAST MODIFIER: Enrico Vianello
PUBLIC DIARY:
Hi Robert,
this is a. very strange behaviour because the pdp rpm checks if:
%{_localstatedir}/lib/argus/pdp/lib/provided/voms-api-java-*.jar is installed
and it also requires directly voms-api-java as a dependency.
Requires: voms-api-java
You should have voms-api-java installed on your host.
# rpm -qa | grep voms-api
voms-api-java-3.3.2-1.el7.noarch
Yesterday I reloaded twice the beta rpms and at a certain point there were some broken rpms on it so I'd suggest to retry to update all the components with:
yum update argus-pap argus-pdp argus-pdp-pep-common argus-pep-api-c argus-pep-server
I did this on my testbed and I'm not seeing any problem on components restart:
# systemctl restart argus-pepd argus-pap argus-pdp
# systemctl status argus-pepd argus-pap argus-pdp
● argus-pepd.service - Argus Policy Enforcement Point Server
Loaded: loaded (/usr/lib/systemd/system/argus-pepd.service; disabled; vendor preset: disabled)
Active: active (running) since Tue 2022-09-13 09:48:24 UTC; 6s ago
Process: 7601 ExecStop=/usr/sbin/pepdctl stop (code=exited, status=0/SUCCESS)
Process: 7801 ExecStart=/usr/sbin/pepdctl start (code=exited, status=0/SUCCESS)
Main PID: 7818 (java)
CGroup: /system.slice/argus-pepd.service
└─7818 /usr/bin/java -Dorg.glite.authz.pep.home=/usr/share/argus/pepd -Dorg.glite.authz.pep.confdir=/usr/share/argus/pepd/conf -Dorg.glite....
Sep 13 09:48:24 omii005-vm02.cnaf.infn.it systemd[1]: argus-pepd.service: main process exited, code=exited, status=143/n/a
Sep 13 09:48:24 omii005-vm02.cnaf.infn.it systemd[1]: Stopped Argus Policy Enforcement Point Server.
Sep 13 09:48:24 omii005-vm02.cnaf.infn.it systemd[1]: Unit argus-pepd.service entered failed state.
Sep 13 09:48:24 omii005-vm02.cnaf.infn.it systemd[1]: argus-pepd.service failed.
Sep 13 09:48:24 omii005-vm02.cnaf.infn.it systemd[1]: Starting Argus Policy Enforcement Point Server...
Sep 13 09:48:24 omii005-vm02.cnaf.infn.it systemd[1]: Started Argus Policy Enforcement Point Server.
● argus-pap.service - Argus Policy Administration Point server
Loaded: loaded (/usr/lib/systemd/system/argus-pap.service; disabled; vendor preset: disabled)
Active: active (running) since Tue 2022-09-13 09:48:24 UTC; 6s ago
Process: 7602 ExecStop=/usr/sbin/papctl stop (code=exited, status=0/SUCCESS)
Process: 7760 ExecStart=/usr/sbin/papctl start (code=exited, status=0/SUCCESS)
Main PID: 7797 (java)
CGroup: /system.slice/argus-pap.service
└─7797 java -Xmx256m -DPAP_HOME=/usr/share/argus/pap -Djava.endorsed.dirs=/usr/share/argus/pap/lib/endorsed -cp /usr/share/argus/pap/lib/ax...
Sep 13 09:48:24 omii005-vm02.cnaf.infn.it systemd[1]: Stopped Argus Policy Administration Point server.
Sep 13 09:48:24 omii005-vm02.cnaf.infn.it systemd[1]: Unit argus-pap.service entered failed state.
Sep 13 09:48:24 omii005-vm02.cnaf.infn.it systemd[1]: argus-pap.service failed.
Sep 13 09:48:24 omii005-vm02.cnaf.infn.it systemd[1]: Starting Argus Policy Administration Point server...
Sep 13 09:48:24 omii005-vm02.cnaf.infn.it systemd[1]: Started Argus Policy Administration Point server.
● argus-pdp.service - Argus Policy Decision Point server
Loaded: loaded (/usr/lib/systemd/system/argus-pdp.service; disabled; vendor preset: disabled)
Active: active (running) since Tue 2022-09-13 09:48:24 UTC; 6s ago
Process: 7603 ExecStop=/usr/sbin/pdpctl stop (code=exited, status=0/SUCCESS)
Process: 7732 ExecStart=/usr/sbin/pdpctl start (code=exited, status=0/SUCCESS)
Main PID: 7748 (java)
CGroup: /system.slice/argus-pdp.service
└─7748 /usr/bin/java -Dorg.glite.authz.pdp.home=/usr/share/argus/pdp -Dorg.glite.authz.pdp.confdir=/usr/share/argus/pdp/conf -Dorg.glite.au...
Sep 13 09:48:24 omii005-vm02.cnaf.infn.it systemd[1]: argus-pdp.service: main process exited, code=exited, status=143/n/a
Sep 13 09:48:24 omii005-vm02.cnaf.infn.it systemd[1]: Stopped Argus Policy Decision Point server.
Sep 13 09:48:24 omii005-vm02.cnaf.infn.it systemd[1]: Unit argus-pdp.service entered failed state.
Sep 13 09:48:24 omii005-vm02.cnaf.infn.it systemd[1]: argus-pdp.service failed.
Sep 13 09:48:24 omii005-vm02.cnaf.infn.it systemd[1]: Starting Argus Policy Decision Point server...
Sep 13 09:48:24 omii005-vm02.cnaf.infn.it systemd[1]: Started Argus Policy Decision Point server.
If the problem persists, could you please send me all your pdp journalctl log? Thanks.
Cheers, Enrico
help...@ggus.org
Hello,
GGUS ticket #158702 was updated.
REFERENCE LINK: https://ggus.eu/index.php?mode=ticket_info&ticket_id=158702
SUBJECT: can not start argus pepd process after update of IGTF certs
LATEST MODIFICATIONS:
LAST MODIFIER: Robert Currie
PUBLIC DIARY:
Hi again,
So from re-enabling the beta repo and updating again I get the attached yum_update.log output.
(Keeping self-mangled 117 and an older java versionlock)
Also can confirm I see:
[root@auth2 ~]# rpm -qa | grep voms-api
voms-api-java-3.3.2-1.el7.noarch
And again I see the same problem when I restart argus-pdp, so I've disabled the beta repo again and downgraded.
Thanks for the quick response.
Rob
help...@ggus.org
Hello,
GGUS ticket #158702 was updated.
REFERENCE LINK: https://ggus.eu/index.php?mode=ticket_info&ticket_id=158702
SUBJECT: can not start argus pepd process after update of IGTF certs
LATEST MODIFICATIONS:
LAST MODIFIER: Robert Currie
INTERNAL DIARY:
Added attachment yum_update.log
https://ggus.eu/index.php?mode=download&attid=ATT116784
help...@ggus.org
Hello,
GGUS ticket #158702 was updated.
REFERENCE LINK: https://ggus.eu/index.php?mode=ticket_info&ticket_id=158702
SUBJECT: can not start argus pepd process after update of IGTF certs
LATEST MODIFICATIONS:
LAST MODIFIER: Mischa Salle
PUBLIC DIARY:
Hi,
the problem is with EPEL vs UMD:
In the EPEL version of voms-api-java-3.3.2-1.el7, the jar is located ONLY at
/usr/share/java/voms-api-java/voms-api-java.jar
The UMD-4 version also has it there, but has a symlink pointing to it at
/usr/share/java/voms-api-java.jar
And the error complains about it not being at
/usr/share/java/voms-api-java.jar
So I think you need to install the UMD version, not the EPEL version. Alternatively, you can make the symlink yourself.
The argus-pdp-1.7.1-1.el7 rpm ships its own version at
/var/lib/argus/pdp/lib/provided/voms-api-java-3.3.2.jar
so making a symlink to that one and not install voms-api-java probably also works.
Ideally I think the EPEL version should be the same as the UMD version probably.
help...@ggus.org
Hello,
GGUS ticket #158702 was updated.
REFERENCE LINK: https://ggus.eu/index.php?mode=ticket_info&ticket_id=158702
SUBJECT: can not start argus pepd process after update of IGTF certs
LATEST MODIFICATIONS:
LAST MODIFIER: Enrico Vianello
PUBLIC DIARY:
Thanks Mischa. This clarify why I have no issue because my rpm was downloaded from UMD repo and the simlink was there.
In any case I removed all the packages and triied to reinstall again:
# yum install argus-authz
...
=========================================================================================================================================================
Package Arch Version Repository Size
=========================================================================================================================================================
Installing:
argus-authz noarch 1.7.0-1.el7.centos UMD-4-updates 2.8 k
Installing for dependencies:
argus-pap noarch 1.7.3-1.el7 argus-beta-centos7 20 M
argus-pdp noarch 1.7.1-1.el7 argus-beta-centos7 21 M
argus-pep-server noarch 1.7.4-1.el7 argus-beta-centos7 36 M
voms-api-java noarch 3.3.2-1.el7 UMD-4-updates 147 k
After the installation (with voms-api-java UMD version) I have the following simlink:
# ls -l /usr/share/java/voms-api-java.jar
lrwxrwxrwx 1 root root 23 Sep 13 22:33 /usr/share/java/voms-api-java.jar -> voms-api-java-3.3.2.jar
In the meanwhile, I've just updated beta repo with newest rpms (I realize that pdp was also built with a wrong spec). The testsuite is green at our side so let me kwow if these latest beta rpms work.
Thanks for your patience, Cheers, Enrico
help...@ggus.org
Hello,
GGUS ticket #158702 was updated.
REFERENCE LINK: https://ggus.eu/index.php?mode=ticket_info&ticket_id=158702
SUBJECT: can not start argus pepd process after update of IGTF certs
LATEST MODIFICATIONS:
LAST MODIFIER: Mischa Salle
PUBLIC DIARY:
Hi Enrico, Robert,
no problem, that's why we need people to test (-;
Concerning EPEL vs UMD: since Argus is an UMD package, other packages also should be taken from the UMD when possible. I can't find a recent link describing this, but the instructions always included the need to set yum priorities with the UMD have e.g. priority=1.
help...@ggus.org
Hello,
GGUS ticket #158702 was updated.
REFERENCE LINK: https://ggus.eu/index.php?mode=ticket_info&ticket_id=158702
SUBJECT: can not start argus pepd process after update of IGTF certs
LATEST MODIFICATIONS:
LAST MODIFIER: Joao Pina
PUBLIC DIARY:
Hi,
Since everything tested I will prepare the release of the packages to UMD.
Cheers
Joao pina
help...@ggus.org
Hello,
GGUS ticket #158702 was updated.
REFERENCE LINK: https://ggus.eu/index.php?mode=ticket_info&ticket_id=158702
SUBJECT: can not start argus pepd process after update of IGTF certs
LATEST MODIFICATIONS:
LAST MODIFIER: Mischa Salle
PUBLIC DIARY:
Just for completion, the instruction on installing UMD packages is at https://repository.egi.eu/UMD/4
(thank to Alessandro Paolini for pointing me to the right page).
help...@ggus.org
Hello,
GGUS ticket #158702 was updated.
REFERENCE LINK: https://ggus.eu/index.php?mode=ticket_info&ticket_id=158702
SUBJECT: can not start argus pepd process after update of IGTF certs
LATEST MODIFICATIONS:
LAST MODIFIER: GGUS SYSTEM
INTERNAL DIARY:
Sent 1st reminder to ticket submitter (d.tr...@qmul.ac.uk) requesting input.
help...@ggus.org
Hello,
GGUS ticket #158702 was updated.
REFERENCE LINK: https://ggus.eu/index.php?mode=ticket_info&ticket_id=158702
SUBJECT: can not start argus pepd process after update of IGTF certs
LATEST MODIFICATIONS:
LAST MODIFIER: Robert Currie
PUBLIC DIARY:
Hi,
For my case I had to run a yum reinstall to get yum to pick up the voms-api-java package from UMD. Would it make sense to bump the package release version here (i.e. voms-api-java-3.3.2-2.el7.noarch) to help yum without relying on the yum-priority which is only really helpful during initial deployment/install.
That being said yes moving to pickup the voms package to umd allowed me to install the beta rpm which fixed the problem with the CA and allowed me to remove a versionlock against an old java dependency.
Thanks for the help,
Rob
help...@ggus.org
Hello,
GGUS ticket #158702 was updated.
REFERENCE LINK: https://ggus.eu/index.php?mode=ticket_info&ticket_id=158702
SUBJECT: can not start argus pepd process after update of IGTF certs
LATEST MODIFICATIONS:
LAST MODIFIER: Enrico Vianello
PUBLIC DIARY:
That's a good idea Robert, I agree. But really soon a new release for some VOMS components will be done (and there's a voms-api-java v3.3.3 that will be released). I think we'll proceed with this release but in case of delays I'll do the repackage of voms-api-java v3.3.2.
Has anyone tested the Argus beta rpms? Just to have some more feedbacks before officially release them.
Thanks.
Cheers,
Enrico
help...@ggus.org
Hello,
GGUS ticket #158702 was updated.
REFERENCE LINK: https://ggus.eu/index.php?mode=ticket_info&ticket_id=158702
SUBJECT: can not start argus pepd process after update of IGTF certs
LATEST MODIFICATIONS:
LAST MODIFIER: Mischa Salle
PUBLIC DIARY:
Hi Enrico,
I think it is probably also a good idea to discuss with Mattias Ellert whether it's possible to synchronise the content of voms-api-java between UMD and EPEL (if possible). That would in the long term be easier than fixing the version numbers, since at some point EPEL will also go to a new version.
help...@ggus.org
Hello,
GGUS ticket #158702 was updated.
REFERENCE LINK: https://ggus.eu/index.php?mode=ticket_info&ticket_id=158702
SUBJECT: can not start argus pepd process after update of IGTF certs
LATEST MODIFICATIONS:
LAST MODIFIER: Maarten Litmaath
PUBLIC DIARY:
Hi all,
the beta rpms are running OK on a QA node
in the site Argus cluster at CERN, cheers!