Bug#560416: New version alters server configuration


Joey Schulze
Package: munin
Version: 1.4.1-1

[resent as bug report as requested]

Hi,

after installing a new version of munin (I assume it was 1.4.1-1 or -2)
I noticed a link in /etc/apache2/conf.d: munin -> ../../munin/apache.conf
that suddenly (a) adds /munin/ to all virtual hosts and (b) uses a new
directory for /munin/ and (c) disables remote access and (d) enables
password-less access from localhost.

I am not exactly sure this is the desired behaviour.

Notes:

/var/cache/munin/www is fine for new installations.  For upgrading
existing installations it's questionable to use a directory without
prior checking the current configuration, since users could have
configured a different one in /etc/munin/munin.conf.

Please don't get me wrong, I'm more or less fine with this as
initial configuration, but I have some problems with altering
an existing configuration that way.

Regards,

        Joey

--
Still can't talk about what I can't talk about.  Sorry.  -- Bruce Schneier

Please always Cc to me when replying to me on the lists.




Tom Feiner
Hi Joey,

Thanks for raising this issue.

This change was needed because the munin package up to 1.4-x used
/var/www/munin/ which is not FHS compliant. Recently debian has raised the bar
on a list of lintian warnings/errors, causing any package which is uploaded
with one of the lintian warnings/errors to be autorejected [2]. This raised
bug #553555 [1] requiring us to change /var/www/munin/ to something FHS compliant.

Regarding your points:
> a. The package adds /etc/apache2/conf.d: munin -> ../../munin/apache.conf,
> which adds /munin/ to all virtual hosts.

The munin package cannot create this configuration in the default site only,
as it's risky and will cause upgrade problems in the future. The only thing we
can do is secure the default configuration in conf.d/munin as much as
possible, which is why access is only allowed from localhost (and basic
authentication is there in the config file, commented, making enabling it a
breeze). So even if it is appearing in all of the virtual hosts, it's not
accessible from outside.

According to the apache2 debian readme, placing package configuration in
conf.d looks like the right place (and gives administrators an option on what
to do to avoid packages activating their default configurations):

From /usr/share/doc/apache2/README.Debian.gz:
---
conf.d/

       Files in this directory are included by this line in
       apache2.conf:

       # Include generic snippets of statements
       Include /etc/apache2/conf.d

       This is a good place to add additional configuration
       directives. Packages should not use configuration
       files that start with 'local-' or end with '.local'.
       The local administrator can use these filenames to make
       sure that there are no conflicts with files provided by
       packages.

       If the local administrator is not comfortable with packages
       activating their config files by default, it is possible
       to change the 'Include /etc/apache2/conf.d/' in apache2.conf
       into 'Include /etc/apache2/conf.d.enabled/' and create that
       directory. He can then put symlinks to the files in conf.d
       which he wants to enable into conf.d.enabled.
---

Using conf.d is also what phpmyadmin package in debian uses, and probably
other packages as well.

If someone knows better ways to do this, please share :)

> b. uses a new directory for /munin/.

Yes, /var/cache/munin/www/ was used instead of /var/www/munin, as using
/var/www/ is prohibited by the FHS. You can see the details on why /var/cache
was chosen in [1]. And there was also a discussion about this in debian-devel
(warning: it's long) [3].

> c. disables remote access

This was the case previously and is a sane default behavior.

> d. enables password-less access from localhost

This too was the case earlier and is a sane default behavior.

> /var/cache/munin/www is fine for new installations.  For upgrading
> existing installations it's questionable to use a directory without
> prior checking the current configuration, since users could have
> configured a different one in /etc/munin/munin.conf.

Unfortunately, we don't have any automatic way to do this, and for upgrading,
the user will need to change /etc/munin/munin.conf htmldir to the new location
(/var/cache/munin/www) whether they used the default in 1.2.6 or changed it.
Note that this is documented in
/usr/share/doc/munin/NEWS.Debian.gz.

Which problem exactly did you have when altering the existing configuration?


Regards,
    Tom Feiner

[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=553555
[2] http://lists.debian.org/debian-devel-announce/2009/10/msg00004.html
[3] http://lists.debian.org/debian-devel/2009/09/msg00915.html
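
Added example, not part of either message or of the munin package: a shell check for the upgrade case discussed in this thread, comparing the `htmldir` set in munin.conf with the directory the Apache snippet serves for /munin. The function names and the two sample files are constructed for illustration; the sample Apache snippet uses Apache 2.2-style access directives and is not a copy of the packaged file.

```shell
#!/bin/sh
# Added example (not from the thread). Sample files below are constructed.

# Value of the last uncommented "htmldir" line in a munin.conf.
munin_htmldir() {
    awk '$1 == "htmldir" { d = $2 } END { if (d != "") print d }' "$1"
}

# Filesystem target of "Alias /munin ..." in an Apache snippet.
apache_munin_alias() {
    awk '$1 == "Alias" && $2 ~ /^\/munin\/?$/ { t = $3 }
         END { if (t != "") print t }' "$1"
}

# 0 = paths agree, 1 = they differ, 2 = one of the values is missing.
check_munin_paths() {
    html=$(munin_htmldir "$1")
    served=$(apache_munin_alias "$2")
    if [ -z "$html" ] || [ -z "$served" ]; then
        echo "missing htmldir or Alias /munin"
        return 2
    fi
    # A trailing slash on either side is not a real difference.
    if [ "${html%/}" = "${served%/}" ]; then
        echo "ok: $html"
        return 0
    fi
    echo "mismatch: munin writes $html, Apache serves $served"
    return 1
}

# Constructed sample: an upgraded host that kept the old htmldir.
demo=$(mktemp -d)
cat > "$demo/munin.conf" <<'EOF'
# htmldir /var/cache/munin/www
htmldir /var/www/munin
EOF
cat > "$demo/apache.conf" <<'EOF'
Alias /munin /var/cache/munin/www
<Directory /var/cache/munin/www>
    Order allow,deny
    Allow from localhost 127.0.0.0/8 ::1
</Directory>
EOF

check_munin_paths "$demo/munin.conf" "$demo/apache.conf" || true
```

On an upgraded host the same function can be pointed at /etc/munin/munin.conf and /etc/apache2/conf.d/munin.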

