UCS 4.3 Software update: Update notification

After clean instalation UCS 4.3.err3 I get LSB: Univention Updater error. Any way to fix it?

● univention-maintenance.service - LSB: Univention Updater
   Loaded: loaded (/etc/init.d/univention-maintenance; generated; vendor preset: enabled)
   Active: failed (Result: exit-code) since Tue 2018-03-27 13:12:14 CEST; 2min 26s ago
     Docs: man:systemd-sysv-generator(8)
  Process: 1917 ExecStart=/etc/init.d/univention-maintenance start (code=exited, status=1/FAILURE)
      CPU: 369ms

On which server role do you see that problem?

ucr get server/role

You could verify that the system is already joined into your domain, and that all join scripts are executed:

univention-check-join-status
univention-run-join-scripts

The ‘univention-maintenance.service’ is used to install updates and packages by policy. If you are on a system which could not reach the LDAP master, it could be a temporary networking issue. The service itself does not start a daemon process in the background.

To learn more about the cause, it would be helpful to see the logging output of the service:

journalctl -u univention-maintenance.service

My role is:

domaincontroller_master

Join status:

Joined successfully

Join scripts:

Running 01univention-ldap-server-init.inst                 skipped (already executed)
Running 02univention-directory-notifier.inst               skipped (already executed)
Running 03univention-directory-listener.inst               skipped (already executed)
Running 04univention-ldap-client.inst                      skipped (already executed)
Running 05univention-bind.inst                             skipped (already executed)
Running 08univention-apache.inst                           skipped (already executed)
Running 10univention-ldap-server.inst                      skipped (already executed)
Running 11univention-heimdal-init.inst                     skipped (already executed)
Running 11univention-pam.inst                              skipped (already executed)
Running 15univention-directory-notifier-post.inst          skipped (already executed)
Running 15univention-heimdal-kdc.inst                      skipped (already executed)
Running 18python-univention-directory-manager.inst         skipped (already executed)
Running 20univention-directory-policy.inst                 skipped (already executed)
Running 20univention-join.inst                             skipped (already executed)
Running 25univention-dhcp.inst                             skipped (already executed)
Running 26univention-nagios-common.inst                    skipped (already executed)
Running 28univention-nagios-server.inst                    skipped (already executed)
Running 30univention-appcenter.inst                        skipped (already executed)
Running 30univention-nagios-client.inst                    skipped (already executed)
Running 31univention-nagios-s4-connector.inst              skipped (already executed)
Running 31univention-nagios-samba.inst                     skipped (already executed)
Running 33univention-portal.inst                           skipped (already executed)
Running 34univention-management-console-server.inst        skipped (already executed)
Running 35univention-appcenter-docker.inst                 skipped (already executed)
Running 35univention-management-console-module-appcenter.inskipped (already executed)
Running 35univention-management-console-module-diagnostic.iskipped (already executed)
Running 35univention-management-console-module-ipchange.insskipped (already executed)
Running 35univention-management-console-module-join.inst   skipped (already executed)
Running 35univention-management-console-module-lib.inst    skipped (already executed)
Running 35univention-management-console-module-mrtg.inst   skipped (already executed)
Running 35univention-management-console-module-printers.insskipped (already executed)
Running 35univention-management-console-module-quota.inst  skipped (already executed)
Running 35univention-management-console-module-reboot.inst skipped (already executed)
Running 35univention-management-console-module-services.insskipped (already executed)
Running 35univention-management-console-module-setup.inst  skipped (already executed)
Running 35univention-management-console-module-sysinfo.instskipped (already executed)
Running 35univention-management-console-module-top.inst    skipped (already executed)
Running 35univention-management-console-module-ucr.inst    skipped (already executed)
Running 35univention-management-console-module-udm.inst    skipped (already executed)
Running 35univention-management-console-module-updater.instskipped (already executed)
Running 35univention-nagios-cups.inst                      skipped (already executed)
Running 35univention-nagios-dansguardian.inst              skipped (already executed)
Running 35univention-nagios-squid.inst                     skipped (already executed)
Running 35univention-server-overview.inst                  skipped (already executed)
Running 36univention-management-console-module-apps.inst   skipped (already executed)
Running 40univention-postgresql.inst                       skipped (already executed)
Running 40univention-virtual-machine-manager-schema.inst   skipped (already executed)
Running 50horde.inst                                       skipped (already executed)
Running 67univention-mail-server.inst                      skipped (already executed)
Running 79univention-printserver.inst                      skipped (already executed)
Running 81univention-nfs-server.inst                       skipped (already executed)
Running 82univention-mail-dovecot.inst                     skipped (already executed)
Running 90univention-bind-post.inst                        skipped (already executed)
Running 91univention-saml.inst                             skipped (already executed)
Running 92univention-fetchmail-schema.inst                 skipped (already executed)
Running 92univention-fetchmail.inst                        skipped (already executed)
Running 92univention-management-console-web-server.inst    skipped (already executed)
Running 96univention-samba4.inst                           skipped (already executed)
Running 97univention-s4-connector.inst                     skipped (already executed)
Running 98univention-pkgdb-tools.inst                      skipped (already executed)
Running 98univention-samba4-dns.inst                       skipped (already executed)
Running 98univention-samba4-saml-kerberos.inst             skipped (already executed)

Output of the service:

-- Logs begin at Wed 2018-03-28 08:33:11 CEST, end at Wed 2018-03-28 10:56:52 CEST. --
mar 28 08:33:47 dc1 systemd[1]: Starting LSB: Univention Updater...
mar 28 08:33:52 dc1 univention-maintenance[1959]: Checking network for Univention maintenance...ldap[dc1.xxx.intranet]...repository[updates.
mar 28 08:33:52 dc1 systemd[1]: Started LSB: Univention Updater.
mar 28 08:34:17 dc1 systemd[1]: Stopping LSB: Univention Updater...
mar 28 08:34:22 dc1 univention-maintenance[2534]: Checking network for Univention maintenance...ldap[dc1.xxx.intranet]...repository[updates.
mar 28 08:34:22 dc1 systemd[1]: univention-maintenance.service: Control process exited, code=exited status=1
mar 28 08:34:22 dc1 systemd[1]: Stopped LSB: Univention Updater.
mar 28 08:34:22 dc1 systemd[1]: univention-maintenance.service: Unit entered failed state.
mar 28 08:34:22 dc1 systemd[1]: univention-maintenance.service: Failed with result 'exit-code'.
-- Reboot --
mar 28 08:35:36 dc1 systemd[1]: Starting LSB: Univention Updater...
mar 28 08:35:39 dc1 univention-maintenance[1734]: Checking network for Univention maintenance...ldap[dc1.xxx.intranet]...repository[updates.
mar 28 08:35:40 dc1 systemd[1]: Started LSB: Univention Updater.
mar 28 10:42:13 dc1 systemd[1]: Stopping LSB: Univention Updater...
mar 28 10:42:23 dc1 univention-maintenance[32046]: Checking network for Univention maintenance...ldap[dc1.xxx.intranet]...repository[updates
mar 28 10:42:23 dc1 systemd[1]: univention-maintenance.service: Control process exited, code=exited status=1
mar 28 10:42:23 dc1 systemd[1]: Stopped LSB: Univention Updater.
mar 28 10:42:23 dc1 systemd[1]: univention-maintenance.service: Unit entered failed state.
mar 28 10:42:23 dc1 systemd[1]: univention-maintenance.service: Failed with result 'exit-code'.
-- Reboot --
mar 28 10:45:29 dc1 systemd[1]: Starting LSB: Univention Updater...
mar 28 10:45:29 dc1 univention-maintenance[1897]: Checking network for Univention maintenance...ldap[dc1.xxx.intranet]...repository[updates.
mar 28 10:45:29 dc1 systemd[1]: univention-maintenance.service: Control process exited, code=exited status=1
mar 28 10:45:29 dc1 systemd[1]: Failed to start LSB: Univention Updater.
mar 28 10:45:29 dc1 systemd[1]: univention-maintenance.service: Unit entered failed state.
mar 28 10:45:29 dc1 systemd[1]: univention-maintenance.service: Failed with result 'exit-code'.

I also get annoying information that “An update for UCS is available. Please visit the “Software update” module to install the updates.” while update status is “There are no package updates available.”.

The maintenance service try to reach ldap (which works for you) and than checks if the repository is available (which seems to fail).

Unfortunately, the interesting part is cut off. Please scroll a bit to the right, and check at the line “Checking network for Univention maintenance…”

At my system it looks like

-- Reboot --
Mär 27 10:15:51 master163 systemd[1]: Starting LSB: Univention Updater...
Mär 27 10:15:52 master163 univention-maintenance[1629]: Checking network for Univention maintenance...ldap[master163.ucs.example]...repository[updates.software-univention.de]...done.
Mär 27 10:15:52 master163 systemd[1]: Started LSB: Univention Updater.

Did you block some protocols? The repository must be resolved and the check for availability is done by ICMP. You could try to reach it by

host updates.software-univention.de
ping -c2 updates.software-univention.de

Are you using a proxy service like squid for http requests? As you said there are package updates, but you can’t see them. You could try to reach it by

wget https://updates.software-univention.de/4.3/maintained/4.3-0/all/Packages.gz -O Packages.gz && md5sum Packages.gz

At my system it looks like
f97c10b409b163bd75001000a7b7d325 Packages.gz

Host updates.software-univention.de is reachable:

updates.software-univention.de has address 176.9.114.147
updates.software-univention.de has IPv6 address 2a01:4f8:151:6489::2

and I can reach it:

PING updates.software-univention.de (176.9.114.147) 56(84) bytes of data.
64 bytes from download2.software-univention.de (176.9.114.147): icmp_seq=1 ttl=50 time=78.6 ms
64 bytes from download2.software-univention.de (176.9.114.147): icmp_seq=2 ttl=50 time=50.8 ms

I have no proxy, no squid.

I have the same:

Packages.gz         100%[===================>] 991,70K  1,77MB/s    in 0,5s
f97c10b409b163bd75001000a7b7d325  Packages.gz

Have no idea why is that. Maybe I’ll try to remove browser cache or smth.

Edit: Nope, still the same.
update-err

Edit: I found an error in KDC service check:
Critical: KDC service check
samba/interfaces does not contain lo, 127.0.0.1 or 0.0.0.0.

But why when it is clean installation?

You already have installed the latest 4.3-0 errata9, see the errata list - by clicking at X the Notification could be discarded.

For the univention-maintenance service I guess there is a routing or networking issue, but you get the latest updates, which is fine.

Changed topic. Error seems to be just about annoying Notification: An update for UCS is available. Please visit…

I checked it again on clean installation. Error appears after fixing problem with samba in System diagnostic. Don’t remember exactly but it was smth about missing UID of user Administrator or smth like that.

EDIT:
I made clean install again. Ment error is:

`samba-tool dbcheck` returned a problem with the local AD database.

STDOUT:
Checking 226 objects
ERROR: incorrect DN SID component for member in object CN=Domain Users,CN=Groups,DC=xyz,DC=intranet - ;;;;;;;;CN=Administrator,CN=Users,DC=xyz,DC=intranet
Not fixing SID component mismatch
Please use --fix to fix these errors
Checked 226 objects (1 errors)

You can run `samba-tool dbcheck --fix` to fix the issue.

When I fix it annoying update notification will appear.

I’ve just seen the same thing on my newly installed system. Same symptoms, same samba check error.

So I’m not sure that the root issue is here, but I figured out that the web interface code was looking up a UCR variable update/available and on my system that was set to yes. The description for the variable said not to edit it manually, but I tried anyway and it said it was read only and wouldn’t let me change it.

So I tried from the shell logged on as root and it let me change it and now I have no annoying update message. After checking for updates it still says no and the notification has stayed away. Not sure what will happen when an actual update is available, because I have run quite a few updates in the past and that variable apparently stayed yes even after running the updates, so I’ll just have to wait and see what happens.

Today I logged in as Administrator and again had the update notification. I checked for updates, but none were available. Looking at update/available in UCR shows it set back to yes. So something is running and setting that variable to yes, but I don’t know what it is. Does anyone have any idea what is checking for updates and what it is looking at to make the determination that there is an update?

I tracked down the update scripts and ran them in the shell. In the shell an update to the horde container was listed. This update did not show up in the web gui. I ran the upgrade script (univention-upgrade) and let it load the update. Now I don’t have the annoying notification and the UCR variable is set to no so it looks like everything is fine. The problem was simply the web portal not showing the available update.

1 Like

Hi,

you brought me to the right way :slight_smile:
I had same issue with openproject - the gui notifies that updates are available but on gui update page there are no updates shown
ran univention-upgrade from cli the update is shown there and could be installed

rg
Christian

Unfortunately my fix is short lived. Every time I run updates I get the notification again and the Horde container wants to update to the same new version 5.2.17-2. This has happened several times now, and I don’t know why. Seems to be a bug of some sort.

you need icmp ping outside permission!

Mastodon