Opsiconfd läuft nicht mehr nach Update

[cargox]

Die Freude währte leider nicht lange: "configed" meldet inzwischen erneut "Keine Verbindung", und dahinter steckt offenbar abermals ein Ausfall von redis, obwohl manuell in den letzten 8 Wochen nichts verändert wurde. Eine manuelle Aktualisierung gestern (apt und opsi-package-updater) brachte keine Veränderung. Stand ist:

Code: Alles auswählen

$ dpkg -l | grep redis
ii  redis-server                                  5:6.0.16-1ubuntu1                          amd64        Persistent key-value database with network interface
ii  redis-timeseries                              1.6.16.2-1                                 amd64        RedisTimeSeries is a Redis Module adding a Time Series data structure to Redis.
ii  redis-tools                                   5:6.0.16-1ubuntu1                          amd64        Persistent key-value database with network interface (client)

Im syslog findet sich

Code: Alles auswählen

Feb 20 14:29:58 a_server opsiconfd[127367]: redis.exceptions.ConnectionError: Error 111 connecting to localhost:6379. Connection refused.

Eine Firewall ist aktiv, doch blockiert den redis-Port nicht:

Code: Alles auswählen

...
6379                       ALLOW       Anywhere                  
...
6379 (v6)                  ALLOW       Anywhere (v6)    

Im Standalone-Modus läßt sich der redis-server auch starten und verwendet den Port:

Code: Alles auswählen

13128:C 21 Feb 2023 08:34:57.907 # oO0OoO0OoO0Oo Redis is starting oO0OoO0OoO0Oo
13128:C 21 Feb 2023 08:34:57.908 # Redis version=6.0.16, bits=64, commit=00000000, modified=0, pid=13128, just started
13128:C 21 Feb 2023 08:34:57.908 # Warning: no config file specified, using the default config. In order to specify a config file use redis-server /path/to/redis.conf
13128:M 21 Feb 2023 08:34:57.909 * Increased maximum number of open files to 10032 (it was originally set to 1024).
                _._                                                  
           _.-``__ ''-._                                             
      _.-``    `.  `_.  ''-._           Redis 6.0.16 (00000000/0) 64 bit
  .-`` .-```.  ```\/    _.,_ ''-._                                   
 (    '      ,       .-`  | `,    )     Running in standalone mode
 |`-._`-...-` __...-.``-._|'` _.-'|     Port: 6379
 |    `-._   `._    /     _.-'    |     PID: 13128

... und die redis.conf ist seit 20.12.22 unverändert, fällt als Fehlerursache damit ebenfalls aus.

Code: Alles auswählen

$ ps -ef | grep redis
a_user    13097   13081  0 08:26 pts/0    00:00:00 grep --color=auto redis
$ sudo netstat -tulpen | grep redis
tcp        0      0 0.0.0.0:6379            0.0.0.0:*               LISTEN      1001       121211     13133/redis-server  
tcp6       0      0 :::6379                 :::*                    LISTEN      1001       121210     13133/redis-server  
$

Startet man nach diesem manuell gestarteten redis-server auch den service opsiconfd neu, so läuft dieser:

Code: Alles auswählen

$ ps -ef | grep opsi
root        1626       1  0 Feb20 ?        00:00:51 ./opsipxeconfd start
opsicon+   14003       1 27 08:40 ?        00:00:02 ./opsiconfd start --log-level-stderr=0
opsicon+   14017   14003  3 08:40 ?        00:00:00 /usr/lib/opsiconfd/opsiconfd -B -S -E -s -c from multiprocessing.resource_tracker import main;main(19)
opsicon+   14018   14003 36 08:40 ?        00:00:02 /usr/lib/opsiconfd/opsiconfd --multiprocessing-fork tracker_fd=20 pipe_handle=22

doch configed meldet trotzdem "Keine Verbindung - Internal Server Error".
[/code]

Weitere Vorschläge zur Störungsbeseitigung mangels weiterer Ideen wären sehr willkommen!

[fkalweit]

Hallo,

wie sieht denn die Redis Service Datei aus? (systemctl edit redis / redis-server)
Und was steht in der Redis Konfiguration?

Viele Grüße
Fabian

[cargox]

Hallo Fabian,
$ sudo systemctl cat redis

Code: Alles auswählen

# /lib/systemd/system/redis-server.service
[Unit]
Description=Advanced key-value store
After=network.target
Documentation=http://redis.io/documentation, man:redis-server(1)

[Service]
Type=notify
ExecStart=/usr/bin/redis-server /etc/redis/redis.conf --supervised systemd --daemonize no
PIDFile=/run/redis/redis-server.pid
TimeoutStopSec=0
Restart=always
User=redis
Group=redis
RuntimeDirectory=redis
RuntimeDirectoryMode=2755

UMask=007
PrivateTmp=yes
LimitNOFILE=65535
PrivateDevices=yes
ProtectHome=yes
ReadOnlyDirectories=/
ReadWritePaths=-/var/lib/redis
ReadWritePaths=-/var/log/redis
ReadWritePaths=-/var/run/redis

NoNewPrivileges=true
CapabilityBoundingSet=CAP_SETGID CAP_SETUID CAP_SYS_RESOURCE
MemoryDenyWriteExecute=true
ProtectKernelModules=true
ProtectKernelTunables=true
ProtectControlGroups=true
RestrictRealtime=true
RestrictNamespaces=true
RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX

# redis-server can write to its own config file when in cluster mode so we
# permit writing there by default. If you are not using this feature, it is
# recommended that you replace the following lines with "ProtectSystem=full".
ProtectSystem=true
ReadWriteDirectories=-/etc/redis

[Install]
WantedBy=multi-user.target
Alias=redis.service

# /run/systemd/generator/-.mount
# Automatically generated by systemd-fstab-generator

[Unit]
Documentation=man:fstab(5) man:systemd-fstab-generator(8)
SourcePath=/etc/fstab
Before=local-fs.target
After=blockdev@dev-disk-by\x2duuid-84c9d76c\x2dbc8b\x2d4474\x2d9956\x2dcf70217abcc5.target

[Mount]
Where=/
What=/dev/disk/by-uuid/84c9d76c-bc8b-4474-9956-cf70217abcc5
Type=ext4
Options=errors=remount-ro

# /lib/systemd/system/redis-server.service
[Unit]
Description=Advanced key-value store
After=network.target
Documentation=http://redis.io/documentation, man:redis-server(1)

[Service]
Type=notify
ExecStart=/usr/bin/redis-server /etc/redis/redis.conf --supervised systemd --daemonize no
PIDFile=/run/redis/redis-server.pid
TimeoutStopSec=0
Restart=always
User=redis
Group=redis
RuntimeDirectory=redis
RuntimeDirectoryMode=2755

UMask=007
PrivateTmp=yes
LimitNOFILE=65535
PrivateDevices=yes
ProtectHome=yes
ReadOnlyDirectories=/
ReadWritePaths=-/var/lib/redis
ReadWritePaths=-/var/log/redis
ReadWritePaths=-/var/run/redis

NoNewPrivileges=true
CapabilityBoundingSet=CAP_SETGID CAP_SETUID CAP_SYS_RESOURCE
MemoryDenyWriteExecute=true
ProtectKernelModules=true
ProtectKernelTunables=true
ProtectControlGroups=true
RestrictRealtime=true
RestrictNamespaces=true
RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX

# redis-server can write to its own config file when in cluster mode so we
# permit writing there by default. If you are not using this feature, it is
# recommended that you replace the following lines with "ProtectSystem=full".
ProtectSystem=true
ReadWriteDirectories=-/etc/redis

[Install]
WantedBy=multi-user.target
Alias=redis.service

$ sudo systemctl cat redis-server

Code: Alles auswählen

# /lib/systemd/system/redis-server.service
[Unit]
Description=Advanced key-value store
After=network.target
Documentation=http://redis.io/documentation, man:redis-server(1)

[Service]
Type=notify
ExecStart=/usr/bin/redis-server /etc/redis/redis.conf --supervised systemd --daemonize no
PIDFile=/run/redis/redis-server.pid
TimeoutStopSec=0
Restart=always
User=redis
Group=redis
RuntimeDirectory=redis
RuntimeDirectoryMode=2755

UMask=007
PrivateTmp=yes
LimitNOFILE=65535
PrivateDevices=yes
ProtectHome=yes
ReadOnlyDirectories=/
ReadWritePaths=-/var/lib/redis
ReadWritePaths=-/var/log/redis
ReadWritePaths=-/var/run/redis

NoNewPrivileges=true
CapabilityBoundingSet=CAP_SETGID CAP_SETUID CAP_SYS_RESOURCE
MemoryDenyWriteExecute=true
ProtectKernelModules=true
ProtectKernelTunables=true
ProtectControlGroups=true
RestrictRealtime=true
RestrictNamespaces=true
RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX

# redis-server can write to its own config file when in cluster mode so we
# permit writing there by default. If you are not using this feature, it is
# recommended that you replace the following lines with "ProtectSystem=full".
ProtectSystem=true
ReadWriteDirectories=-/etc/redis

[Install]
WantedBy=multi-user.target
Alias=redis.service

$ sudo grep -r ^[^#].* /etc/redis/redis.conf

Code: Alles auswählen

loadmodule /usr/lib/redis/modules/redistimeseries.so
loadmodule /usr/lib/opsiconfd/libssl.so.1.1
bind 127.0.0.1 ::1
protected-mode yes
port 6379
tcp-backlog 511
timeout 0
tcp-keepalive 300
daemonize yes
supervised no
pidfile /var/run/redis/redis-server.pid
loglevel notice
logfile /var/log/redis/redis-server.log
databases 16
always-show-logo yes
save 900 1
save 300 10
save 60 10000
stop-writes-on-bgsave-error yes
rdbcompression yes
rdbchecksum yes
dbfilename dump.rdb
rdb-del-sync-files no
dir /var/lib/redis
replica-serve-stale-data yes
replica-read-only yes
repl-diskless-sync no
repl-diskless-sync-delay 5
repl-diskless-load disabled
repl-disable-tcp-nodelay no
replica-priority 100
acllog-max-len 128
lazyfree-lazy-eviction no
lazyfree-lazy-expire no
lazyfree-lazy-server-del no
replica-lazy-flush no
lazyfree-lazy-user-del no
oom-score-adj no
oom-score-adj-values 0 200 800
appendonly no
appendfilename "appendonly.aof"
appendfsync everysec
no-appendfsync-on-rewrite no
auto-aof-rewrite-percentage 100
auto-aof-rewrite-min-size 64mb
aof-load-truncated yes
aof-use-rdb-preamble yes
lua-time-limit 5000
slowlog-log-slower-than 10000
slowlog-max-len 128
latency-monitor-threshold 0
notify-keyspace-events ""
hash-max-ziplist-entries 512
hash-max-ziplist-value 64
list-max-ziplist-size -2
list-compress-depth 0
set-max-intset-entries 512
zset-max-ziplist-entries 128
zset-max-ziplist-value 64
hll-sparse-max-bytes 3000
stream-node-max-bytes 4096
stream-node-max-entries 100
activerehashing yes
client-output-buffer-limit normal 0 0 0
client-output-buffer-limit replica 256mb 64mb 60
client-output-buffer-limit pubsub 32mb 8mb 60
hz 10
dynamic-hz yes
aof-rewrite-incremental-fsync yes
rdb-save-incremental-fsync yes
jemalloc-bg-thread yes

[fkalweit]

Hallo,

bitte mal die Zeile: loadmodule /usr/lib/opsiconfd/libssl.so.1.1 aus der redis.conf entfernen und den Service neu starten.

Viele Grüße
Fabian Kalweit

[cargox]

Volltreffer! configed startet wieder.

Herzlichen Dank abermals, bei der conf-Fülle und ohne Erfahrung mit redis kommt man da eher nicht drauf :-/