HIPL

starting of daemons from binary packages when they are down

Bug #795848 reported by Miika Komu on 2011-06-11

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	HIPL	Fix Released	Medium	David Martin

Bug Description

It appears that the init.d scripts don't work anymore as they used to. When a daemon is down, a package upgrade fails:

Preparing to replace hipl-dnsproxy 1.0.6-2 (using .../hipl-dnsproxy_1.0.6-5964_amd64.deb) ...
* Stopping DNS proxy for HIP hipdnsproxy
   ...fail!
invoke-rc.d: initscript hipl-dnsproxy, action "stop" failed.
dpkg: warning: old pre-removal script returned error exit status 1
dpkg - trying script from the new package instead ...
* Stopping DNS proxy for HIP hipdnsproxy
   ...fail!
invoke-rc.d: initscript hipl-dnsproxy, action "stop" failed.
dpkg: error processing /var/cache/apt/archives/hipl-dnsproxy_1.0.6-5964_amd64.deb (--unpack):
subprocess new pre-removal script returned error exit status 1
* Starting DNS proxy for HIP hipdnsproxy
   ...done.
Preparing to replace hipl-firewall 1.0.6-2 (using .../hipl-firewall_1.0.6-5964_amd64.deb) ...
* Stopping HIP firewall hipfw
invoke-rc.d: initscript hipl-firewall, action "stop" failed.
dpkg: warning: old pre-removal script returned error exit status 2
dpkg - trying script from the new package instead ...
* Stopping HIP firewall hipfw
invoke-rc.d: initscript hipl-firewall, action "stop" failed.
dpkg: error processing /var/cache/apt/archives/hipl-firewall_1.0.6-5964_amd64.deb (--unpack):
subprocess new pre-removal script returned error exit status 2
* Starting HIP firewall hipfw
Warning: timeouts (-t) have no effect with connection
         tracking disabled (-F)
   ...done.

Upgrading the package when the daemon is up and running succeeds, but nevertheless even this case should be working (as it used to be). Please note also the warning about the firewall (somebody changed the flags?).

Miika Komu (miika-iki) on 2011-06-11

Changed in hipl:
importance:	Undecided → Medium

René Hummen (rene-hummen) on 2011-06-12

Changed in hipl:
assignee:	nobody → David Martin (martin-lp)

David Martin (martin-lp) on 2011-06-15

Changed in hipl:
status:	New → Confirmed

Revision history for this message

David Martin (martin-lp) wrote on 2011-06-15:

Hi,
it is interesting that this worked before. When you say "don't work anymore as they used to", when was the last time you tested it? I have introduced some changes on the stop action for the hipl-daemon script which works without problems. I did not bring these changes over to the other scripts and will do so to fix this issue.

PS: Do you use the hipdsnproxy?
PPS: The firewall flag problem should be unrelated to the package install issue. René do you know more of any changes with the flags?

Revision history for this message

Miika Komu (miika-iki) wrote on 2011-06-16:

It worked before changing the packaging system from debian / ubuntu (it was based on "debbuild" script).

Yes, I use DNS proxy. And yes, the flag problem with firewall is not really related to this bug.

Revision history for this message

David Martin (martin-lp) wrote on 2011-06-21:

There have been two problems with the scripts:

> 1.0.6-5964_amd64.deb) ...
> * Stopping DNS proxy for HIP hipdnsproxy
> ...fail!
> invoke-rc.d: initscript hipl-dnsproxy, action "stop" failed.
> dpkg: warning: old pre-removal script returned error exit status 1

In this case start-stop-daemon which is used to stop the daemon returns 1 if the daemon is not running and it is treated as an error during installation. Using the option --oknodo fixes this.

> Preparing to replace hipl-firewall 1.0.6-2 (using .../hipl-firewall_1.0.6-5964_amd64.deb) ...
> * Stopping HIP firewall hipfw
> invoke-rc.d: initscript hipl-firewall, action "stop" failed.
> dpkg: warning: old pre-removal script returned error exit status 2

In this case it's the flushing of the firewall rules which returns status 2. We are using 'set -e' so any unchecked command returning nonzero exits the script. Checking the return value of the flush_iptables function fixes this problem.

I have committed the changes in trunk revisions 5968 and 5969 and on my machine it works without problems. Can you check if it's the same for you Miika?

PS: The flags notice of the firewall seems to be just a warning and no error. We are using the option -F to accept all HIP traffic. This means we are not dealing with authentications and this is why specifying any timeouts for them won't have an effect.

Revision history for this message

Miika Komu (miika-iki) wrote on 2011-06-21:

Good work! Works perfectly. While being down, upgrade of hipd, hipfw and DNS proxy was successful. All daemons started properly.

What about removing the -t flag from firewall init.d scripts (both Fedora and Debian, possibly OpenWRT)? Since this it what the warning is telling us:

Warning: timeouts (-t) have no effect with connection
tracking disabled (-F)

Changed in hipl:
status:	Confirmed → Fix Committed

Revision history for this message

David Martin (martin-lp) wrote on 2011-06-21: Re: [Bug 795848] Re: starting of daemons from binary packages when they are down

Hi,

On Tue, Jun 21, 2011 at 4:11 PM, Miika Komu <email address hidden> wrote:
> What about removing the -t flag from firewall init.d scripts (both
> Fedora and Debian, possibly OpenWRT)? Since this it what the warning is
> telling us:
>
> Warning: timeouts (-t) have no effect with connection
> tracking disabled (-F)

We are not using the -t option. The condition for printing the warning
is wrong in the firewall code. It simply checks whether the timeout is
greater than zero which it is by default. I've committed a fix in
trunk revision 5971. It should be working as it is supposed to now.

David

René Hummen (rene-hummen) on 2011-07-20

Changed in hipl:
status:	Fix Committed → Fix Released

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.