Unable to change MPM module with apache2_module

[ansibot]

From @jimmymccrory on 2016-10-20T03:42:35Z

ISSUE TYPE

• Bug Report

COMPONENT NAME

apache2_module module

ANSIBLE VERSION

ansible 2.2.0.0
  config file =
  configured module search path = Default w/o overrides

OS / ENVIRONMENT

Ubuntu 14.04

SUMMARY

The initial check of currently enabled modules performed by apache2ctl can prevent modules from being enabled or disabled.

STEPS TO REPRODUCE

---
- hosts: localhost
  connection: local
  gather_facts: no
  tasks:
    - name: install apache2
      apt:
        name: apache2
    - name: Enable apache2 modules
      apache2_module:
        state: "{{ item.state }}"
        name: "{{ item.name }}"
      with_items:
        - { state: absent, name: mpm_event }
        - { state: present, name: mpm_worker }

EXPECTED RESULTS

Modules being successfully enabled and disabled.

ACTUAL RESULTS

failed: [localhost] (item={u'state': u'absent', u'name': u'mpm_event'}) => {
    "failed": true,
    "invocation": {
        "module_args": {
            "force": false,
            "name": "mpm_event",
            "state": "absent"
        },
        "module_name": "apache2_module"
    },
    "item": {
        "name": "mpm_event",
        "state": "absent"
    },
    "msg": "Error executing /usr/sbin/apache2ctl: AH00534: apache2: Configuration error: No MPM loaded.\n"
}
failed: [localhost] (item={u'state': u'present', u'name': u'mpm_worker'}) => {
    "failed": true,
    "invocation": {
        "module_args": {
            "force": false,
            "name": "mpm_worker",
            "state": "present"
        },
        "module_name": "apache2_module"
    },
    "item": {
        "name": "mpm_worker",
        "state": "present"
    },
    "msg": "Error executing /usr/sbin/apache2ctl: AH00534: apache2: Configuration error: No MPM loaded.\n"
}

Flipping the order of the modules also fails.

failed: [localhost] (item={u'state': u'present', u'name': u'mpm_worker'}) => {
    "failed": true,
    "invocation": {
        "module_args": {
            "force": false,
            "name": "mpm_worker",
            "state": "present"
        },
        "module_name": "apache2_module"
    },
    "item": {
        "name": "mpm_worker",
        "state": "present"
    },
    "msg": "Failed to set module mpm_worker to enabled: Considering conflict mpm_event for mpm_worker:\nConsidering conflict mpm_prefork for mpm_worker:\n",
    "rc": 1,
    "stderr": "ERROR: Module mpm_event is enabled - cannot proceed due to conflicts. It needs to be disabled first!\n",
    "stdout": "Considering conflict mpm_event for mpm_worker:\nConsidering conflict mpm_prefork for mpm_worker:\n",
    "stdout_lines": [
        "Considering conflict mpm_event for mpm_worker:",
        "Considering conflict mpm_prefork for mpm_worker:"
    ]
}
failed: [localhost] (item={u'state': u'absent', u'name': u'mpm_event'}) => {
    "failed": true,
    "invocation": {
        "module_args": {
            "force": false,
            "name": "mpm_event",
            "state": "absent"
        },
        "module_name": "apache2_module"
    },
    "item": {
        "name": "mpm_event",
        "state": "absent"
    },
    "msg": "Error executing /usr/sbin/apache2ctl: AH00534: apache2: Configuration error: No MPM loaded.\n"
}

Copied from original issue: ansible/ansible-modules-core#5328

[ansibot]

From @robinro on 2016-10-20T03:42:35Z

@jimmymccrory Thanks for testing and reporting this bug.

Did your playbook work with previous ansible versions?

The usage of with_items is equivalent to 2 separate runs of the module. According to the error messages you posted the issue is that the underlying command does not accept either no mpm module at all or two mpm modules. So the module correctly fails since neither the disabling nor enabling part works by itself.

A potential fix would be to somehow "force" the enable/disable step and ignore the error messages or to try to do both modules simultaneously. Both aspects are not covered by the module so far, so I would call this a feature request and not a bug.

[ansibot]

From @robinro on 2016-10-20T03:42:35Z

@n0trax What's your take on this issue?

[ansibot]

From @jimmymccrory on 2016-10-20T03:42:35Z

@robinro Yes, this worked without issue until 2.2 with ansible/ansible-modules-core@1eac4c5 which changed how checking if a module was already enabled/disabled was done.

[ansibot]

From @n0trax on 2016-10-20T03:42:35Z

@jimmymccrory the test was added to implement the check-mode for the apache module. Versions prior 2.2 does not have this test.

@robinro
How do you think we could enable / disable more than one module in one step?
IMHO it is the best to ignore the error in _module_is_enabled if 'force' is true.

offTopic:
The module check is actually done with apache2 -M, which is an alias for -t -D DUMP_MODULES. -t means "syntax tests for configuration files". I think we should use apache2 -D DUMP_MODULES to check the modules instead of apache2 -M, because we are not interested in correct config files at this point. Am i right?
I will create a seperate PR for this topic.

[ansibot]

From @michaelgugino on 2016-10-20T03:42:35Z

@n0trax
I think the most correct approach would be to replace https://github.com/ansible/ansible-modules-core/blob/stable-2.2/web_infrastructure/apache2_module.py#L78

with a function that provides 'a2query' binary. Proper switch for that module is '-m'.

[ansibot]

From @evrardjp on 2016-10-20T03:42:35Z

Agreed with @michaelgugino there.
Example: http://manpages.ubuntu.com/manpages/xenial/man1/a2query.1.html

[ansibot]

From @robinro on 2016-10-20T03:42:35Z

@n0trax If you don't do the first check, you can't determine the changed state, which kills idempotency. I would then not call it force, but something even more drastic like ignore_previous_state.

Whatever solution we choose, it has to work with all distributions that are supported at the moment. opensuse 42.1 does not have a2query and also apache2 -D DUMP_MODULES does not work. It does provide apache2ctl -D DUMP_MODULES though, so maybe that is a possible way?

I would leave the syntax checking on by default, since it might be helpful to prevent misconfiguration, but we can add an option to disable it.

[ansibot]

From @robinro on 2016-10-20T03:42:35Z

needs_contributor
If someone has a suggestion how to solve this I'm open to it.

[ansibot]

From @michaelgugino on 2016-10-20T03:42:35Z

@robinro

Here's an approach I think will work:

Use a2enmod or a2dismod for the requested action (no pre-check needed).

Check for 'Module already enabled' or 'Module mpm_event already disabled' respectively.

This should cover all use cases, as long as stdout message is the same between distros. I'm happy to cut a patch for this if needed.

[ansibot]

From @robinro on 2016-10-20T03:42:35Z

@michaelgugino
I don't think this approach will work without a lot of extra trouble.

Have a look at the discussion and diff at
https://github.com/ansible/ansible-modules-core/pull/2417/files
and the issues mentioned in the first message there.

It turns out the stdout content depends on the distribution, see e.g. https://github.com/ansible/ansible-modules-core/pull/2091/files

Then for some modules (like cgi) there is special output to deal with...

There was a good reason to check the module list instead. Why not fix that up? See my comment above in ansible/ansible-modules-core#5328 (comment)

[ansibot]

From @michaelgugino on 2016-10-20T03:42:35Z

@robinro
What I'm proposing will not necessarily conflict with existing behavior. The check of condition will still happen, it will just be determined at the time that the module is enabled or disabled.

I think parsing the stdout (not the return code, return code is 0 for already enabled/disabled) is a good compromise if some distros don't ship a2query.

I think adding the re checks to stdout from https://github.com/ansible/ansible-modules-core/pull/2091/files is the correct approach. You can leave the _module_is_enabled function in place as-is for check mode, but don't use it otherwise.

[ansibot]

From @robinro on 2016-10-20T03:42:35Z

@michaelgugino I just wanted to make sure you are aware of the previous issues, so that we don't spend time on regressions.

Please open a PR so we can discuss your suggestions more concretely.
Please also create a test case for this issue (see https://github.com/ansible/ansible/blob/devel/test/integration/targets/apache2_module/tasks/actualtest.yml).

[ansibot]

From @n0trax on 2016-10-20T03:42:35Z

@michaelgugino this sounds interesting. With this idea we have the check mode working and we don't have to deal with this apache error.

[ansibot]

From @robinro on 2016-10-20T03:42:35Z

Please also have a look at #5455 when you try to fix this issue. Maybe we can have a general workaround for broken apache configs/inconsistent state.

[ansibot]

From @michaelgugino on 2016-10-20T03:42:35Z

@robinro It looks like my patch will fix this issue as well, except for when running check_mode. That's probably an edge case that we can live with until ubuntu fixes their packages.

[ansibot]

From @michaelgugino on 2016-10-20T03:42:35Z

Created validation patchset: #18371

[ansibot]

From @robinro on 2016-10-20T03:42:35Z

This is now fixed in devel (one needs to set ignore_configcheck: True) to get to the old behavior.
resolved_by_pr #19355

[ansibot]

cc @berendt
click here for bot help

[biomassives]

This message was created automatically by mail delivery software. A message that you sent could not be delivered to one or more of its recipients. This is a temporary error. The following address(es) deferred: acmeideal@gmail.com Domain biomassiv.es has exceeded the max emails per hour (105/100 (105%)) allowed. Message will be reattempted later

…

------- This is a copy of the message, including all the headers. ------ Received: from github-smtp2-ext5.iad.github.net ([192.30.252.196]:43413 helo=github-smtp2a-ext-cp1-prd.iad.github.net) by chi-server32.websitehostserver.net with esmtps (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (Exim 4.89) (envelope-from <noreply@github.com>) id 1drSst-002RfJ-IZ for greg@biomassiv.es; Mon, 11 Sep 2017 12:52:35 -0500 Date: Mon, 11 Sep 2017 10:51:55 -0700 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=github.com; s=pf2014; t=1505152315; bh=U932gFsm4B4q9WQTXwFJAG4pTT2gDFHBAc/g1TUNaik=; h=From:Reply-To:To:Cc:In-Reply-To:References:Subject:List-ID: List-Archive:List-Post:List-Unsubscribe:From; b=ZCcdGGOk0xcWCfdPDs0Q7oFMaWEsFrAzKJ4qdz1hMQocex6RDUexlrZeCs/2sd5Sr JPxOPJEmzri9qo98KcaJrZkGnSI9iBNYkFsG7IU4KPSbkxHoAzedUcy26KEs6LiksF XKH8iegEOryV2Z7RtwkkD+qMJQ6ccbJTjdpMSDF8= From: ansibot <notifications@github.com> Reply-To: ansible/ansible <reply@reply.github.com> To: ansible/ansible <ansible@noreply.github.com> Cc: Subscribed <subscribed@noreply.github.com> Message-ID: <ansible/ansible/issue/29565/issue_event/1243794318@github.com> In-Reply-To: <ansible/ansible/issues/29565@github.com> References: <ansible/ansible/issues/29565@github.com> Subject: Re: [ansible/ansible] Unable to change MPM module with apache2_module (#29565) Mime-Version: 1.0 Content-Type: multipart/alternative; boundary="--==_mimepart_59b6cd3b29ff5_45173f80e420dc2c161575"; charset=UTF-8 Content-Transfer-Encoding: 7bit Precedence: list X-GitHub-Sender: ansibot X-GitHub-Recipient: biomassives X-GitHub-Reason: subscribed List-ID: ansible/ansible <ansible.ansible.github.com> List-Archive: https://github.com/ansible/ansible List-Post: <mailto:reply@reply.github.com> List-Unsubscribe: <mailto:unsub+0042d4e2d47af1da220cb2926457eeea32e7bbbf1bc34dd592cf0000000115ce8f3b92a169ce0f4d45af@reply.github.com>, <https://github.com/notifications/unsubscribe/AELU4ly6LmNXLbqXeYYAS6AdH4kaLLSVks5shXM7gaJpZM4PTPyJ> X-Auto-Response-Suppress: All X-GitHub-Recipient-Address: greg@biomassiv.es

----==_mimepart_59b6cd3b29ff5_45173f80e420dc2c161575 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 7bit Closed #29565.

-- You are receiving this because you are subscribed to this thread. Reply to this email directly or view it on GitHub: #29565 (comment) ----==_mimepart_59b6cd3b29ff5_45173f80e420dc2c161575 Content-Type: text/html; charset=UTF-8 Content-Transfer-Encoding: 7bit <p>Closed <a href="#29565" class="issue-link js-issue-link" data-url="#29565" data-id="256722351" data-error-text="Failed to load issue title" data-permission-text="Issue title is private">#29565</a>.</p> <p style="font-size:small;-webkit-text-size-adjust:none;color:#666;">&mdash;<br />You are receiving this because you are subscribed to this thread.<br />Reply to this email directly, <a href="#29565 (comment)">view it on GitHub</a>, or <a href="https://github.com/notifications/unsubscribe-auth/AELU4gDEe_Njwj-jffrd366zFu68hd8_ks5shXM7gaJpZM4PTPyJ">mute the thread</a>.<img alt="" height="1" src="https://github.com/notifications/beacon/AELU4vcVR4njeA3WZgxDIMSnlKUW5X9yks5shXM7gaJpZM4PTPyJ.gif" width="1" /></p> <div itemscope itemtype="http://schema.org/EmailMessage"> <div itemprop="action" itemscope itemtype="http://schema.org/ViewAction"> <link itemprop="url" href="#29565 (comment)"></link> <meta itemprop="name" content="View Issue"></meta> </div> <meta itemprop="description" content="View this Issue on GitHub"></meta> </div> <script type="application/json" data-scope="inboxmarkup">{"api_version":"1.0","publisher":{"api_key":"05dde50f1d1a384dd78767c55493e4bb","name":"GitHub"},"entity":{"external_key":"github/ansible/ansible","title":"ansible/ansible","subtitle":"GitHub repository","main_image_url":"https://cloud.githubusercontent.com/assets/143418/17495839/a5054eac-5d88-11e6-95fc-7290892c7bb5.png","avatar_image_url":"https://cloud.githubusercontent.com/assets/143418/15842166/7c72db34-2c0b-11e6-9aed-b52498112777.png","action":{"name":"Open in GitHub","url":"https://github.com/ansible/ansible"}},"updates":{"snippets":[{"icon":"DESCRIPTION","message":"Closed #29565."}],"action":{"name":"View Issue","url":"#29565 (comment)"}}}</script> ----==_mimepart_59b6cd3b29ff5_45173f80e420dc2c161575--