Can't restart apache, due to /var/lock/apache2 ACL issue

[dennyzhang]

Hi there

Below is the error message of running chef update.
I've checked the code, /var/lock/apache2 is changed to root on purpose.
Do you know what's the problem? My OS is Ubuntu 12.04.

---- Begin output of /etc/init.d/apache2 start ----
STDOUT: * Starting web server apache2
/var/lock/apache2 already exists but is not a directory owned by www-data.
Please fix manually. Aborting.
...fail!
STDERR:
---- End output of /etc/init.d/apache2 start ----
Ran /etc/init.d/apache2 start returned 1

[drpebcak]

This doesn't happen when just running the apache2 cookbook. Can you post the full output of your chef run? Likely the nagios3 cookbook is doing something that apache2 does not expect.

[dennyzhang]

@drpebcak

https://github.com/viverae-cookbooks/apache2/blob/master/recipes/default.rb#L115-L125
115 %W(
116 #{node['apache']['dir']}/ssl
117 #{node['apache']['cache_dir']}
118 #{node['apache']['lock_dir']}
119 ).each do |path|
120 directory path do
121 mode '0755'
122 owner 'root'
123 group node['apache']['root_group']
124 end
125 end

If I comment off Line 118 about lock_dir, I won't have the issue.
Above code change the ownership of /var/lock/apache2 to root, instead of www-data.

This looks like to be the root cause.

[joshuacox]

I'm getting the same error, now don't laugh at the sprunge url that really did come back:

http://sprunge.us/FLaW

[drpebcak]

Huh, I take it back. This must be something that has changed recently. I'm going to check if this also happens with apache2.4

[drpebcak]

Looks like this only happens with apache2.2

[svanzoest]

This got set because of #296.

Related Directives:

• Apache 2.4: Mutex
• Apache 2.2: LockFile

[joshuacox]

after reading through #296 I'm a bit confused as this was working just fine a few months ago?

Just to check I threw this in my default attributes:

    "apache": {
      "user": "www-data",
      "group": "www-data"
    },

No, good. For now, I'm just implementing @dennyzhang 's suggestion, but that does not seem like the long term solution.

[dennyzhang]

@joshuacox
It's currently a blocking issue of this cookbook in some scenario.
It would be nice, if we can resolve this asap.

I'm wondering why we set the ownership as "root", instead of "www-data"?
https://github.com/viverae-cookbooks/apache2/blob/master/recipes/default.rb#L122-L123
122 owner 'root'
123 group node['apache']['root_group']

[joshuacox]

@dennyzhang agreed on this being a blocker, I've got a temporary fork up, that merely deletes the line 118 you mentioned here:

https://github.com/joshuacox/apache2

and I'll work on a more permanent solution and post a pull request as soon as I find it.

[joshuacox]

ok, here on debian jessie, if I install apache2 from repos I have:

$ ls -lh /var/lock/|grep apache
drwxr-xr-x 2 www-data root 40 Jan 23 11:20 apache2

is there any consensus on best practice here? reading the link

Apache 2.2: LockFile

it does specifically note that you want to limit access to this lock directory, but it does not state that you should limit it to root only. As you can see I've got a possible fix at joshuacox@a2e20dc

but I'm thinking of removing the group line entirely to match what I got above from the repos. Any thoughts?

[drpebcak]

Fixed with #312

[drpebcak]

We can check back in on this if we find that other platforms require the same fix.

[dennyzhang]

Verified. It works now.

Thanks guys.

[lock]

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.