ronivay / XenOrchestraInstallerUpdater

Xen Orchestra install/update script
GNU General Public License v3.0

Installation fails on "waiting for port to be open" #195

Closed swtrse closed 9 months ago

swtrse commented 9 months ago
I did run into the same error, so it seems to be back. Running the install script on Debian 12 and RockyLinux 9.

On both systems I used a user with sudo rights to run the script with `sudo ./xo-install.sh`. The config I used in both OSes is:

    # Optional user that runs the service
    # default: root
    # no effect to Xen Orchestra proxy
    XOUSER="xoa"

    # Optional parameter if running as non privileged user to use sudo when mounting/umounting shares inside Xen Orchest>
    # no effect if XOUSER is root
    # options true/false
    # no effect to Xen Orchestra proxy
    USESUDO=true

    # Optional parameter to generate sudoers config when missing completely if USESUDO is set to true
    # no effect if XOUSER is root
    # options true/false
    # no effect to Xen Orchestra proxy
    GENSUDO=true

    # Port number where xen-orchestra service is bound
    # no effect to Xen Orchestra proxy
    PORT="443"

    # Base dir for installation and future updates
    INSTALLDIR="/opt/xo"

    # Script will update itself if there's a newer version available. This assumes that script inside a git directory an>
    # options: true/false
    SELFUPGRADE=true

    # Xen Orchestra configuration file is stored in XOUSER's home directory ($HOME/.config/xo-server/config.toml) and by>
    # You may disable this if you edit configuration by hand and don't want an update to overwrite it. Note that some of>
    # options: true/false
    # no effect to Xen Orchestra proxy
    CONFIGUPDATE=true

    # Location of Xen Orchestra repository where source code is fetched
    REPOSITORY="https://github.com/vatesfr/xen-orchestra"

    # Git branch, tag (append tags/ before the tag name) or individual commit where xen-orchestra sources are fetched.
    BRANCH="master"

    # Installation log path
    # default: ./logs
    #LOGPATH=

    # Only one PLUGINS variable can be used at a time. Comment out the other one if you change these below. Comment out >

    # Comma separated list of plugins to be installed, check README for more information. Note that 3rd party plugins de>
    #PLUGINS="xo-server-transport-email,xo-server-usage-report,xo-server-perf-alert"

    # (default) all plugins will be installed, including possible 3rd-party plugins if defined.
    PLUGINS="all"

    # Additional 3rd-party plugins to fetch. Keep the .git suffix.
    #ADDITIONAL_PLUGINS="https://github.com/user/repo.git,https://github.com/user/repo2.git"

    # NodeJS and Yarn are automatically updated when running update/install. Can be disabled but not recommended (instal>
    # Note that if nodejs is updated when script's update feature is used, it might not be possible to use rollback opti>
    # options: true/false
    AUTOUPDATE=true

    # yarn cache can consume a lot of disk space over time. Setting this to true will clear cache after update.
    # this can have a negative impact on how long update will take with slower internet connections
    # options: true/false
    #YARN_CACHE_CLEANUP="false"

    # enable/disable OS check. Installation refuses to run on any other than supported OS versions if this is enabled. C>
    # options: true/false
    OS_CHECK=true

    # enable/disable architecture check. Installation refuses to run on any other than x86_64 if enabled. Can be disable>
    # options: true/false
    ARCH_CHECK=true

    # Define the number of previous successful installations you want to keep. Needs to be at least 1. Determines how fa>
    PRESERVE="3"

    # certificate settings have no effect to Xen Orchestra proxy, it'll generate it's own self-signed certificates always

    # Location of pem certificate/key files. Installation will automatically configure HTTPS if these are defined. Remem>
    PATH_TO_HTTPS_CERT=$INSTALLDIR/xo.crt
    PATH_TO_HTTPS_KEY=$INSTALLDIR/xo.key

    # location of CA certificate file.
    # define this if your host certificate is issued by a custom CA and you want XO to trust it.
    # file can contain multiple certificates
    #PATH_TO_HOST_CA=

    # If set to true together with cert/key paths, defined pem key/certificate will be created if neither exists.
    # options: true/false
    AUTOCERT=true

    # Enable automatic ACME (eq. Let's Encrypt) certificate creation.
    # Setting this to true will configure HTTP and HTTPS listeners to ports 80/443 (overwrites PORT variable),
    # enables autocert, sets certificate paths if missing and adds http to https redirect.
    #ACME="false"

    # ACME domain for which the certificate is generated.
    # Domain needs to be pointed towards XO server public ip-address and ports 80 and 443 allowed.
    #ACME_DOMAIN=""

    # Optional email address to receive notifications related to certificate
    #ACME_EMAIL=""

    # Optional ACME CA to use. Will default to Let's Encrypt
    # Available ones listed here: https://www.npmjs.com/package/acme-client#directory-urls
    #ACME_CA="letsencrypt/production"

    # If set to true, this will install the rpm/deb repositories necessary for the Xen Orchestra install.
    # If set to false, these repositories will not be installed. Also automatic nodejs upgrade will be disabled.
    # Note that installation will fail if all needed packages aren't available from configured repositories. See README >
    # options: true/false
    # default: true
    #INSTALL_REPOS="true"

    # Send xo-server logs to remote syslog
    # syntax is: <protocol>://<target-address>:<port>
    # supported protocols are udp and tcp
    # example: tcp://syslog.company.lan:514
    #SYSLOG_TARGET=""

Originally posted by @swtrse in https://github.com/ronivay/XenOrchestraInstallerUpdater/issues/191#issuecomment-1761539896

swtrse commented 9 months ago

As additional information: I found that the reason in my case is related to the AUTOCERT setting. The log shows that the XOUSER did not have permission to create the certificates in the INSTALLDIR (/opt/xo in my case, since I used the default settings).

However, I did get it to work on both systems by replacing

    # Create installation directory if doesn't exist already
    if [[ ! -d "$INSTALLDIR" ]]; then
        echo
        printinfo "Creating missing basedir to $INSTALLDIR"
        runcmd "mkdir -p \"$INSTALLDIR\""
    fi

with

    # Create installation directory if doesn't exist already
    if [[ ! -d "$INSTALLDIR" ]]; then
        echo
        printinfo "Creating missing basedir to $INSTALLDIR"
        runcmd "mkdir -p \"$INSTALLDIR\""
        runcmd "chown $XOUSER:$XOUSER \"$INSTALLDIR\""
    fi

So far everything seems to work perfectly fine. I do not know, nor have I tested, whether that solution has any side effects in other places or on other distros, but my guess is it does not.

Could someone please verify and maybe update the script?

swtrse commented 9 months ago

Also, the script is missing a step, at least for RockyLinux and I guess RHEL-based distros:

`sudo firewall-cmd --add-service https` and `sudo firewall-cmd --add-service https --permanent`

have to be called manually since the script did not do it and the firewall service is blocking incoming packets otherwise. This is also true for http if not using https.

ronivay commented 9 months ago

Hey,

Good that you figured it out. This is mentioned in the wiki if using a non-root user: https://github.com/ronivay/XenOrchestraInstallerUpdater/wiki

The reason the installdir isn't automatically chown'd to the user by the script is that it's a higher-level directory and could potentially include something other than XO, if the user so chooses. This could potentially break things or be a security risk. Choose a location where the non-root user has permission to write.
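A pre-flight check in the spirit of the maintainer's advice, added here as an example and not part of xo-install.sh or this thread: it verifies that the configured XOUSER can write to the directories AUTOCERT will place the certificate and key in (so the install fails early instead of hanging on "waiting for port to be open"), and shows a narrower alternative to chown'ing all of INSTALLDIR, a certs subdirectory owned by that user. The function names and the certs subdirectory are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from xo-install.sh. Pre-flight check for a non-root
# XOUSER plus a narrower alternative to chown'ing the whole INSTALLDIR.
# Function names and the "certs" subdirectory are this example's own choices.

# Directory part of a path (like dirname, without a subprocess).
dir_of() {
    case "$1" in
        */*) d=${1%/*}; printf '%s\n' "${d:-/}" ;;
        *)   printf '.\n' ;;
    esac
}

# Succeeds if directory $2 is writable by user $1. When running as root
# and checking another user, drop privileges with sudo -u; otherwise
# test as the current user (assumes the current user is $1).
writable_by() {
    if [ "$(id -u)" -eq 0 ] && [ "$1" != root ]; then
        sudo -u "$1" test -w "$2"
    else
        test -w "$2"
    fi
}

# Verify every directory that AUTOCERT would write the given files into.
# Returns 1 and reports each problem, so the install can stop here instead
# of hanging later on "waiting for port to be open".
preflight_cert_paths() {
    user=$1; shift
    rc=0
    for f in "$@"; do
        d=$(dir_of "$f")
        if [ ! -d "$d" ]; then
            echo "missing directory: $d (for $f)"; rc=1
        elif ! writable_by "$user" "$d"; then
            echo "not writable by $user: $d (for $f)"; rc=1
        fi
    done
    return $rc
}

# Give XOUSER only a certs subdirectory (mode 0750) and leave INSTALLDIR
# itself untouched, instead of chown'ing the entire installation root.
make_cert_dir() {
    mkdir -p "$1/certs" || return 1
    chown "$2" "$1/certs" || return 1
    chmod 0750 "$1/certs"
}
```

Run it before the installer as `preflight_cert_paths "$XOUSER" "$PATH_TO_HTTPS_CERT" "$PATH_TO_HTTPS_KEY"`; if it reports a problem, point the cert paths at a directory created with `make_cert_dir "$INSTALLDIR" "$XOUSER"` rather than chown'ing INSTALLDIR.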

ronivay commented 9 months ago

The script is also missing firewall modifications by design, for security reasons. It tells you at the end of a successful installation to open the firewall if needed. It simply cannot know whether one wants to open the service to everywhere or only on some interfaces, for a range of source IPs, etc., and it becomes overly complicated, so the sysadmin managing the server is left in charge.