Synopsis 

The IdP won't start after running the update_idp.sh script.


Overview 

We have identified an issue with our AAF IdP installer configuration when it is run with the latest version of Ansible (2.5.3): the IdP will not start.


The way Ansible processes files and directories that are symbolic links has changed. When Ansible creates or manages a symbolic link and the owner and group options are supplied, it now applies that ownership and group to the link's destination. Previously it made no change to the destination.


The issue occurs when the new version of Ansible creates the links to the directories /var/log/jetty and /var/log/shibboleth. The result is that these directories have their owner and group set to root. When the Jetty process then attempts to write to its log file, the write is denied by the file permissions and the process stops.


When the update_idp.sh script is used to make changes to your running IdP, it may update your system software (yum update), which upgrades Ansible to version 2.5.3 or later. Subsequent runs of the update_idp.sh script will then fail to restart your IdP.


Outcome

Before running the update_idp.sh script with the latest Ansible installed (correct permissions):


drwxr-xr-x 2 jetty jetty 16384 May 29 11:48 /var/log/jetty


After running update_idp.sh, the permissions have changed to:


drwx------ 2 root root 16384 May 29 11:48 /var/log/jetty


The Jetty process will fail to start because it cannot create or write its log files.


Workaround


The following files are affected:


  • /opt/shibboleth-idp-installer/repository/tasks/idp.yml   
  • /opt/shibboleth-idp-installer/repository/tasks/jetty.yml


The tasks listed below are examples. Currently they set owner: root and group: root; with the latest version of Ansible, owner and group should be jetty.



/opt/shibboleth-idp-installer/repository/tasks/idp.yml

- name: 'Symlink IdP log directory'

- name: 'Symlink IdP src directory'

- name: 'Symlink IdP instance directory'

- name: 'Symlink jetty log directory'


/opt/shibboleth-idp-installer/repository/tasks/jetty.yml

- name: 'Symlink jetty to installed distribution'


Re-run the update_idp.sh script, which should fix the issue.
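As an added operator check (not part of the AAF installer), the following POSIX shell script reports the effective owner of each log directory, following a symlink to its target the way ls -L does, so the root-owned state shown in the Outcome section can be caught before Jetty is restarted. The directory names and the jetty account come from this article; the --run flag is this script's own.

```shell
#!/bin/sh
# Verify that the IdP/Jetty log directories are owned by the service
# account after update_idp.sh has run, before Jetty is restarted.

# owner_of DIR: print the owning user of DIR, following a symlink to its
# target (ls -L). Prints nothing if DIR does not exist or is a dangling link.
owner_of() {
    ls -ldL "$1" 2>/dev/null | awk '{ print $3 }'
}

# check_owner DIR EXPECTED_USER: return 0 if DIR (or the directory it links
# to) is owned by EXPECTED_USER, 1 if owned by someone else, 2 if missing.
# Prints a one-line verdict for the operator.
check_owner() {
    dir=$1
    expected=$2
    actual=$(owner_of "$dir")
    if [ -z "$actual" ]; then
        echo "MISSING  $dir"
        return 2
    fi
    if [ "$actual" = "$expected" ]; then
        echo "OK       $dir owned by $actual"
        return 0
    fi
    echo "WRONG    $dir owned by $actual, expected $expected (Jetty cannot write its logs)"
    return 1
}

# check_all: run the check over the two directories named in this article.
# Returns non-zero if any of them is not owned by jetty.
check_all() {
    rc=0
    for d in /var/log/jetty /var/log/shibboleth; do
        check_owner "$d" jetty || rc=1
    done
    return $rc
}

# Invoke as: sh check_log_owner.sh --run
if [ "${1:-}" = "--run" ]; then
    check_all
fi
```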


Permanent Fix

This issue will be addressed and fixed in the next release of AAF IdP installer.