[SOLVED] installation on Rocky Linux

[bkeller]

Good morning,

I'm trying to install WAPT on a RockyLinux 8.5 VM, but I'm encountering difficulties:

I followed the documentation here
https://www.wapt.fr/en/doc/wapt-server- ... based.html
The installed prerequisites are as follows

Code: Select all

nginx.x86_64         1:1.21.6-1
postgresql.x86_64         10.17-2

Everything goes well until the "post conf" part; I get the following error message during the execution of the "postconf.py" script

Code: Select all

[root@wapt ~]# /opt/wapt/waptserver/scripts/postconf.sh --force-https
not supported, exiting

Looking at the code (setuphelpers_linux.py) I saw that RockyLinux seems to be well supported

Code: Select all

def type_redhat():
	return linux_distribution is not None and linux_distribution[0].lower() in ('rhel', 'centos', 'fedora', 'oracle','almalinux','rocky linux')

I don't see where the technical prerequisites for nginx and postgresql are specified in the documentation?
Is this a problem with the distribution detection or the distribution version?
Is this a problem with the version of PostgreSQL or Nginx?
Is it possible to debug the "postconf.py" script?

THANKS

[dcardon]

Hello bkeller,

which version of wapt (see forum rules)? This was already corrected some time ago (typo: "rocky linux" vs. just "rocky").
You need a PostgreSQL version >= 9.6 (for JSON support), so the default version in Rocky Linux 8 is fine, no need to upgrade it (conversely, the PostgreSQL version 9.4 provided by CentOS 7 needs to be upgraded). The same applies to nginx.

Regards,

Denis

[bkeller]

Hello Denis,

I missed that, let me correct it:

WAPT version

Code: Select all

[root@wapt ~]# dnf list *wapt*
Last metadata expiration check: 0:29:31 ago on Thu 05 May 2022 12:22:19 PM CEST.
Installed Packages
tis-waptserver.x86_64                   2.2.1.11899-2d82654e.el8           @wapt
tis-waptsetup.noarch                    2.2.1.11899-2d82654e               @wapt
Available Packages
tis-waptagent.x86_64                    2.2.1.11899-2d82654e.el8           wapt
tis-waptsetup-linux-mac.noarch          2.2.1.11899-2d82654e               wapt

OS version

Code: Select all

[root@wapt ~]# uname -a
Linux wapt.sieeen.fr 4.18.0-348.el8.0.2.x86_64 #1 SMP Sun Nov 14 00:51:12 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
[root@wapt ~]# cat /etc/*release
Rocky Linux release 8.5 (Green Obsidian)
NAME="Rocky Linux"
VERSION="8.5 (Green Obsidian)"
ID="rocky"
ID_LIKE="rhel centos fedora"
VERSION_ID="8.5"
PLATFORM_ID="platform:el8"
PRETTY_NAME="Rocky Linux 8.5 (Green Obsidian)"
ANSI_COLOR="0;32"
CPE_NAME="cpe:/o:rocky:rocky:8:GA"
HOME_URL="https://rockylinux.org/"
BUG_REPORT_URL="https://bugs.rockylinux.org/"
ROCKY_SUPPORT_PRODUCT="Rocky Linux"
ROCKY_SUPPORT_PRODUCT_VERSION="8"
Rocky Linux release 8.5 (Green Obsidian)
Rocky Linux release 8.5 (Green Obsidian)
Rocky Linux release 8.5 (Green Obsidian)

Is waptserver 2.2.1.11899 the latest version?


Sincerely

[bkeller]

by modifying lines 71 and 74 of the setuphelpers_linux.py file as follows

Code: Select all

def type_redhat():
    return linux_distribution is not None and linux_distribution[0].lower() in ('rhel', 'centos', 'fedora', 'oracle','almalinux','rocky')

def type_rhel():
    return linux_distribution is not None and linux_distribution[0].lower() in ('rhel', 'centos', 'oracle','almalinux','rocky')

The postconf.py script runs correctly!

[bkeller]

However, at the end of the nginx configuration script, there is a problem

Code: Select all

Traceback (most recent call last):
  File "/opt/wapt/waptserver/scripts/postconf.py", line 648, in main
    print(restart_nginx())
  File "/opt/wapt/waptserver/scripts/postconf.py", line 278, in restart_nginx
    return run('systemctl restart nginx')
  File "/opt/wapt/waptutils.py", line 2123, in run
    raise CalledProcessErrorOutput(proc.returncode, cmd, ''.join(output))
waptutils.CalledProcessErrorOutput: Command b'systemctl restart nginx' returned non-z                                                           ero exit status 1.
Output:Job for nginx.service failed because the control process exited with error cod                                                           e.
See "systemctl status nginx.service" and "journalctl -xe" for details.


During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/opt/wapt/waptserver/scripts/postconf.py", line 761, in <module>
    main()
  File "/opt/wapt/waptserver/scripts/postconf.py", line 654, in main
    'errno = ' + str(cpe.returncode) + ', output: ' + cpe.output.decode('utf-8')
AttributeError: 'str' object has no attribute 'decode'

and indeed looking at an nginx module version issue

Code: Select all

[root@wapt ~]# nginx -t
nginx: [emerg] module "/usr/lib64/nginx/modules/ngx_http_auth_spnego_module.so" version 1018000 instead of 1021006 in /usr/share/nginx/modules/mod-http-auth-spnego.conf:1
nginx: configuration file /etc/nginx/nginx.conf test failed
[root@wapt ~]# dnf list *spnego*
Last metadata expiration check: 1:16:01 ago on Thu 05 May 2022 12:22:19 PM CEST.
Installed Packages
nginx-mod-http-auth-spnego.x86_64                                             1.18.0-tis1.1.0                                              @wapt

[dcardon]

Hello bkeller,

your version is correct; I was the one who got confused. For historical reasons, there were two places where the `def type_redhat()` function was defined, and one of them had been corrected. Refactoring is underway, so it should disappear . Thank you for pointing it out; I'll fix it right away.

As for nginx, that's a separate issue; it depends on the selected DNF channel (there are several versions of nginx available in parallel). But it seems that version 1.20 is now the default. Nginx extensions aren't ABI-compatible between versions, and the Kerberos module needs to be recompiled for each available version. I'll look into setting the version to 1.20 in the `.spec` file and uploading the corresponding Kerberos module to avoid the problem. For now, you can disable the Kerberos part (or downgrade nginx to 1.18).

Best regards,

Denis

[dcardon]

Hello again,

just so you know, to downgrade the nginx version you need to:

`dnf remove nginx*` # note: this will also uninstall the wapt server due to dependencies
`dnf module reset nginx -y` `
dnf module enable nginx:1.18 -y`
`dnf install nginx`
`dnf install tis-waptserver`

After that you should be able to activate the Kerberos module.

I'm going to add to the documentation to fix the nginx version to 1.18 until we upload the module compiled for 1.20.

Regards,

Denis

[bkeller]

Thanks for all the information

I wanted to let you know that I activated the nginx module like this

Code: Select all

dnf module enable nginx:mainline

and that this is the version 1.21.x which is installed

Code: Select all

[root@wapt ~]# nginx -v
nginx version: nginx/1.21.6

I know that RH backports security patches to the versions maintained in their repository, but if we can use an up-to-date version...

Will you be offering the package? nginx-mod-http-auth-spnego Compatible with nginx 1.21.x?

THANKS
Sincerely

[dcardon]

Hello bkeller,

we're going to prepare the module for version 1.20. However, I strongly advise against setting nginx:mainline as the DNF module, because with the next OS upgrade you might be updated to 1.22, and then nginx won't restart because the spnego module's ABI will no longer be considered compatible.

Remember that nginx is quite special in this regard; even dynamically loaded modules must be compiled at the same time as the binary itself with exactly (and I mean exactly) the same compilation flags. And this is true even if nothing has actually changed in the ABI...

Best regards,

Denis

[dcardon]

Hello bkeller,

I just checked the documentation, and it is indeed mentioned in [1]

Code: Select all

dnf module enable nginx:1.18 -y

Perhaps that was there for a reason... And I repeat, using nginx:mainline is not good practice if you're using add-on modules (which is the case here with the spnego module). And according to the nginx website[2], "Mainline is the active development branch," which isn't necessarily the best choice for a production server

If you absolutely want/need to have the very latest dev version of nginx, you can recompile the module, the source code is available here [3] (but this is not supported).

Sincerely,

Denis

[1] https://www.wapt.fr/fr/doc/wapt-server- ... based.html
[2] https://www.nginx.com/blog/nginx-1-18-1-19-released/
[3] https://github.com/stnoonan/spnego-http ... inx-module