The IdP won't start after running the script.


We have identified an issue with our AAF IdP installer configuration when it is run with the latest version of Ansible (2.5.3): the IdP will not start afterwards.

The way Ansible handles files and directories that are symbolic links has changed. When Ansible creates or manages a symbolic link and the owner and group options are provided, it now applies that ownership and group to the file the link points to. Previously it made no change to the link's destination.

The issue occurs when the new version of Ansible creates links to the directories /var/log/jetty and /var/log/shibboleth. As a result, these directories have their ownership and group membership set to root. When the Jetty process attempts to write to its log file it fails with a permission error and the process stops.

When you use the script to make changes to your running IdP, the script may update your system software (yum update), which will upgrade your version of Ansible to 2.5.3 or later. Subsequent runs of the script will then fail to restart your IdP.


Before running the script with the latest Ansible installed (correct permissions):

drwxr-xr-x 2 jetty jetty 16384 May 29 11:48 /var/log/jetty

After running update_idp, the permissions change to:

drwx------ 2 root root 16384 May 29 11:48 /var/log/jetty

The Jetty process will fail to start as it cannot create or write its log files.



The following files are affected:

  • /opt/shibboleth-idp-installer/repository/tasks/idp.yml   
  • /opt/shibboleth-idp-installer/repository/tasks/jetty.yml

The following is an example. In these files, the tasks listed below currently use owner: root and group: root.
With the latest version of Ansible, owner and group should be jetty.


  • 'Symlink IdP log directory'
  • 'Symlink IdP src directory'
  • 'Symlink IdP instance directory'
  • 'Symlink jetty log directory'
  • 'Symlink jetty to installed distribution'
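The following is an added illustration, not a task copied from the AAF installer repository: it shows the 'Symlink jetty log directory' task written both ways so the ownership change is visible. The task name and the /var/log/jetty directory come from this article; the link location (dest) is a placeholder, and the comment about the file module's follow option is an observation about Ansible's own documentation, not the fix the installer uses.

```yaml
# Added example (not from the AAF installer repository).
# The dest path is a placeholder; only /var/log/jetty comes from the article.

# Before: with Ansible 2.5.3 the owner/group given on a link task are applied
# to the directory the link points at, so /var/log/jetty ends up root:root
# and Jetty can no longer write its log files.
- name: 'Symlink jetty log directory'
  file:
    src: /var/log/jetty
    dest: /opt/jetty/logs        # placeholder for the real link location
    state: link
    owner: root
    group: root

# After: the target directory must stay writable by the Jetty process, so the
# ownership the task applies is jetty:jetty.
- name: 'Symlink jetty log directory'
  file:
    src: /var/log/jetty
    dest: /opt/jetty/logs        # placeholder for the real link location
    state: link
    owner: jetty
    group: jetty
    # Note: the file module's `follow` option controls whether owner/group are
    # applied to the link target; `follow: no` restores the older behaviour of
    # leaving the destination untouched. This is an alternative, not the
    # installer's fix.
```

After applying a change like this, the article's own check is sufficient to confirm the result: `ls -ld /var/log/jetty` should again show `jetty jetty` as owner and group, and the same applies to /var/log/shibboleth.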

Re-run the script, which should fix the issue.

Permanent fix

This issue will be addressed and fixed in the next release of AAF IdP installer.