
Re: File checkin hook work; http checkin hooks don't work : AW: SELInux disabled !AW: Problem with subversion hooks scripts under Linux Apache Dav

From: Nico Kadel-Garcia <nkadel_at_gmail.com>
Date: Sat, 28 Jun 2014 10:40:00 -0400

On Fri, Jun 27, 2014 at 9:42 AM, Korte, Michael Johannes
<michael.korte_at_zeiss.com> wrote:
> Hello Nico Kadel-Garcia,
>
> I still could not fix the problem. I did the following checks:
> I did a checkout in the server with user "www-data" on file level:
> www-data_at_artifactory:/tmp/Michael/co_www-data/sbox/trunk$ svn co file:///var/subversion/repos17/sbox/trunk

I'm sorry I don't have a good hint for you. I don't have Ubuntu
environments in hand to play with. Can I assume that your httpd is
the basic one from Ubuntu for your release? And there's also a point
where one might say "I'm suspicious of this server, let me try it on a
cleanly built host". I recommend reading "The Cuckoo's Egg" by
Clifford Stoll, to show where noticing a small bug can lead you.

You know, can you test it with svn+ssh access, or svnserve access,
even if it's only from the localhost? That would help verify the issue
as tied to HTTPD and mod_dav_svn, possibly even to the "serf" library
now used. Can you reproduce the issue with an older, perhaps
subversion-1.7, from before the switch to 'serf'? I'm personally a
strong supporter of the "use svn+ssh because https clients often store
the password in clear text in $HOME/.subversion". If it solves your
problem to switch, perhaps you should consider it and get the
potential security benefit on the side.

Also, can you try a post-commit that is simply a link to /bin/true? No
interpretation, no permissions issues, no output, just a link?

> Then the checkin can start the hook script (post-commit) with any problem.
>
> But when I do checkout via http Url (using Apache WebDav) (of course also on the server)
> root@artifactory:/tmp/Michael/co_http/sbox/trunk# svn co http://172.25.22.94/sbox/trunk/
>
> During the checkin no hook scripts can be called:
> root_at_artifactory:/tmp/Michael/co_http/sbox/trunk/trunk# svn ci -m "aaa"
> Anmeldebereich: <http://172.25.22.94:80> Subversion Sandbox Repository
> Passwort für »michael.korte«:
> Sende Test_commit.txt
> Übertrage Daten .
> Revision 308 übertragen.
>
> Warnung: Failed to start '/var/subversion/repos17/sbox/hooks/post-commit' hook
>
> It seems that the hook script can not be executed, when it is started via apache server, if it has execute permission and owner www-data.
>
> Is there any possibility to specify that apache can execute a script?
>
> I linked the subversion Repository under /var/www/subversion/repos17/sbox but also this didn't help (Failed to start '/var/www/subversion/repos17/sbox/hooks/post-commit' hook).
>
> I tried also with order deny, allow in the apache configuration file but also this didn't help. Is there any possibility to trace/debug how subversion calls a hook script exactly?
>
> That's all for today. Maybe I will have a good idea on Monday.
>
> Best regards
> Michael
>
>
>
>
>
> -----Original Message-----
> From: Korte, Michael Johannes
> Sent: Friday, 27 June 2014 09:40
> To: 'Nico Kadel-Garcia'
> Cc: users_at_subversion.apache.org; Kocsis, Zoltan; Seelaender, Robin; von Schoenebeck, Florian
> Subject: AW: SELInux disabled !AW: Problem with subversion hooks scripts under Linux Apache Dav
>
> Hello Nico Kadel-Garcia,
>
> thanks a lot for your investigations and tips.
> I am doing these things in a test environment. Our plan is to switch the subversion server from a Windows server to a Ubuntu Linux system. Therefore I'm doing the test now in a Linux test environment and only after everything is fine I will switch the Live-System to the Linux-Environment. So I can do in this test environment any testing/trace which could help to find the real reason for this curious problem.
> Since yesterday afternoon I have put the hook-scripts for the first time into subversion.
>
> But the day before yesterday when the hook scripts were working at least sporadically I noticed the following. As I was wondering that it worked sometimes and sometimes not, I did the following. When it worked I tried several commits without any change and I saw the following:
> - Once only one commit was successful and all following failed with "failed to start ... hook"
> - Once two or three commits were successful and only then all following failed with " failed to start ... hook"
>
> After it failed a couple of times, I changed the hooks script and then I changed the hook script back and then it worked (sometimes) again for one or two tries.
>
> Therefore I first thought it is really a memory problem, but as I told you restart of apache server and even reboot did not solve the problem.
>
> I also thought in between it may be a problem that the repository was created by svnsync. But I checked also with a newly created empty repository and got the same problem.
>
> My biggest hope was that I can switch on some trace/additional logging to get some more detailed information why "Failed to start '/var/subversion/repos17/sbox/hooks/post-commit' hook" occurs.
>
> I also deleted the *.tmp extension of the template hooks (*.tmp) and set the execute bit, but the result was the same "failed to start...", when I tried with these template hooks. If the hook script itself has an error I would get a more detailed error message. I saw this the day before yesterday when the scripts worked at least sporadically. But why do I get now permanent failed to start.....
>
> Can you please give me any hint which kind of further test I could do/try.
>
> I tried also to change the entries in apache2.conf for StartServers and ThreadsPerChild but I had no success. To tell the truth I'm here not sure what are really correct values. Or is it anywhere else possible to define some additional memory values for Apache WebDAV?
>
> Thanks in advance.
>
> Best regards Michael
>
>
>
> -----Original Message-----
> From: Nico Kadel-Garcia [mailto:nkadel_at_gmail.com]
> Sent: Friday, 27 June 2014 03:38
> To: Korte, Michael Johannes
> Cc: users_at_subversion.apache.org; Kocsis, Zoltan; Seelaender, Robin; von Schoenebeck, Florian
> Subject: Re: SELInux disabled !AW: Problem with subversion hooks scripts under Linux Apache Dav
>
> On Thu, Jun 26, 2014 at 8:16 AM, Korte, Michael Johannes <michael.korte_at_zeiss.com> wrote:
>> Hello Nico Kadel-Garcia,
>>
>> thanks for this promising hint. But I fear this is not the reason.
>>
>> I checked for SELinux and got disabled:
>>
>> selinuxenabled && echo enabled || echo disabled
>> disabled
>>
>> Do you have any further idea?
>>
>> Especially how/where to check get any further log/trace information.
>>
>> And especially the very curious thing, that yesterday the hook scripts were working in this environment at least sporadically.
>>
>> Best regards
>> Michael
>
>
> That.... Now that makes me really nervous. Can you, or have you, put your hook scripts themselves under source control so that you can record changes between what works and what does not? It can sometimes be very handy to put Subversion repository scripts and configurations, themselves, under RCS or git source control on the local host while you work this sort of thing out.
>
> That this worked a little while ago makes me very nervous about underlying system changes on the server itself, potentially including someone cracking your server. Can you start over in a test environment?
>
>
>> -----Original Message-----
>> From: Nico Kadel-Garcia [mailto:nkadel_at_gmail.com]
>> Sent: Thursday, 26 June 2014 13:47
>> To: Korte, Michael Johannes
>> Cc: users_at_subversion.apache.org; Kocsis, Zoltan; Seelaender, Robin;
>> von Schoenebeck, Florian
>> Subject: Re: Problem with subversion hooks scripts under Linux Apache
>> Dav
>>
>> On Thu, Jun 26, 2014 at 4:20 AM, Korte, Michael Johannes <michael.korte_at_zeiss.com> wrote:
>>> Hello all,
>>>
>>>
>>>
>>> I have a very strange problem with subVersion Hook scripts under
>>> Ubuntu Linux (Ubuntu 12.04.4 LTS (GNU/Linux 3.2.0-64-generic
>>> x86_64)), when accessing the repository via Apache2 WebDav. I’m using subversion 1.7.9.
>>>
>>>
>>>
>>> The WebDav Configuration is as follows:
>>>
>>> <Location /sbox>
>>>
>>> DAV svn
>>>
>>> SVNPath /var/subversion/repos17/sbox
>>
>> Hmmm. This might be a hint. Do you have SELinux running? Can you test with it turned off? According to the Linux File System Hierarchy, I'd expect this material to be in "/var/www".
>>
>> Nico Kadel-Garcia
>>
>>
>>> AuthType Basic
>>>
>>> AuthName "Subversion Sandbox Repository"
>>>
>>> AuthUserFile /etc/subversion/etc/svn-auth-file
>>>
>>> Require valid-user
>>>
>>> AuthzSVNAccessFile /etc/subversion/etc/svn-acl
>>>
>>> </Location>
>>>
>>>
>>>
>>>
>>>
>>> I tried with a post-commit hook (I wanted Trac to be informed about
>>> commits
>>> : /usr/bin/trac-admin /var/lib/trac/YourProject changeset added "$1"
>>> "$2") but the same problem occurs also for all other hook scripts, no
>>> difference what I use as content of the script.
>>>
>>>
>>>
>>> Let me explain my problem:
>>>
>>>
>>>
>>> I used a Tortoise Client on a remote Windows machine and tried there
>>> a commit. I always got the error message:
>>>
>>> Failed to start '/var/subversion/repos17/sbox/hooks/post-commit' hook
>>>
>>>
>>>
>>> I tried all possible changes at my hook script and at the end it
>>> consists only of the following two lines:
>>>
>>> #!/bin/sh
>>>
>>> /bin/echo "Dies ist ein Test fuer Pre-Commit."
>>>
>>>
>>>
>>> But I got still the same error message.
>>>
>>> The execute bit was set for the script and the file owner was www-data.
>>>
>>>
>>>
>>> A local call of the script works perfect:
>>>
>>> sudo -u www-data env - ./post-commit /var/subversion/repos17/sbox/ 175
>>>
>>>
>>>
>>> When I do a direct commit on the subVersion server (without apache
>>> Dav
>>> access: ) the post-commit script works fine. I could verify this
>>> because after such a commit, the Trac shows the new changeset.
>>>
>>>
>>>
>>> The very strange thing was, that when I did the tests yesterday the
>>> hook script (even called via Apache DAV from Tortoise at a remote
>>> client) sporadically was executed but it also failed sporadically
>>> without any changes in the script.
>>>
>>> I checked in google for similar problems and the only helpful hint I
>>> found was an entry from 2008 :
>>> http://www.wandisco.com/svnforum/threads/31927-Hook-does-not-work-%28and-yes-absolute-paths-are-used-*g*%29;
>>> : The reason for this was, that the system only has limited resources
>>> available, such as main memory.
>>> After reducing the number of server processes and/or threads created
>>> by Apache at startup, the SVN post-commit hook worked fine when
>>> committing to the repository. )
>>>
>>>
>>>
>>> I restarted apache service but it didn’t help. Also a reboot of the
>>> complete machine did not help. htop showed that memory is still available:
>>>
>>> Mem : 125 /3954 MB
>>>
>>> Swp : 65 / 3068
>>>
>>>
>>>
>>> I checked also the apache log but I found no relevant error message,
>>> even when I used LogLevel debug in the apache2.conf.
>>>
>>>
>>>
>>> Can you please give me any hint what is wrong.
>>>
>>>
>>>
>>> Can I see in any log/trace why the hook script can not be started?
>>>
>>>
>>>
>>> Thanks in advance.
>>>
>>>
>>>
>>> Best regards Michael
>>>
>>>
Received on 2014-06-28 16:40:30 CEST
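
As an added example that is not part of the original thread: a small shell function that checks the static preconditions for an account to exec a hook file (execute bit, searchable parent directories, usable `#!` interpreter line). `check_hook` and its finding labels are hypothetical names chosen here.

```shell
#!/bin/sh
# Added example (not from the thread): static checks on a hook file.
# check_hook is a hypothetical helper; the finding labels are made up here.
# Prints one finding per line, or "ok"; returns non-zero on any finding.
check_hook() {
    hook=$1
    bad=0
    # -f follows symlinks, so a hook linked to /bin/true passes.
    if [ ! -f "$hook" ]; then
        echo "missing"
        return 1
    fi
    # The calling account needs execute permission on the file itself...
    [ -x "$hook" ] || { echo "not-executable"; bad=1; }
    # ...and search permission on every directory leading to it.
    dir=$(dirname "$hook")
    while :; do
        [ -x "$dir" ] || { echo "untraversable:$dir"; bad=1; }
        if [ "$dir" = "/" ] || [ "$dir" = "." ]; then break; fi
        dir=$(dirname "$dir")
    done
    # For scripts, the kernel must be able to exec the "#!" interpreter.
    if [ "$(head -c 2 "$hook")" = "#!" ]; then
        line=$(head -n 1 "$hook")
        cr=$(printf '\r')
        # A CRLF-terminated first line makes the interpreter path invalid.
        case $line in
            *"$cr"*) echo "crlf-shebang"; bad=1 ;;
        esac
        interp=$(printf '%s\n' "$line" |
            sed -e 's/^#![[:space:]]*//' -e 's/[[:space:]].*$//')
        [ -x "$interp" ] || { echo "bad-interpreter:$interp"; bad=1; }
    fi
    [ "$bad" -eq 0 ] && echo "ok"
    return "$bad"
}

# Usage: sudo -u www-data sh check_hook.sh /path/to/repo/hooks/post-commit
if [ "$#" -gt 0 ]; then
    check_hook "$1"
fi
```

The results depend on which account runs the function, so run it as the account the web server uses rather than as root.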

This is an archived mail posted to the Subversion Users mailing list.
