Issue after upgrade to 8.8.15 with zmfixperms

Ask questions about your setup or get help installing ZCS server (ZD section below).
Post Reply
mfehr
Advanced member
Advanced member
Posts: 72
Joined: Fri Sep 12, 2014 11:25 pm

Issue after upgrade to 8.8.15 with zmfixperms

Post by mfehr »

Hi,

July 26, I upgraded from 8.8.11 to 8.8.15 on Ubuntu 16.04.

The installation went well. All services worked fine after I performed the upgrade. 2 days later, I noticed that the zmmailboxdmgr service was down. I restarted Zimbra. A few days later, Zimbra was down again. Most times, the zmmailboxdmgr was down. Once, the zmconfigd server was down.

I noticed that the following files in /opt/zimbra/log were owned by root:
  • trace_log.<date>
    gc.log
    nginx.pid
    zmmailboxd_manager.pid
    zmmailboxd_java.pid
There might be reasons for these files to be owned by root but I did not recall to have seen this in the past (I run Zimbra OSE since version 6 or so). I remembered that a good practice is always to run zmfixperms - Not with 8.8.15!

After I applied /opt/zimbra/zmfixperms, my Zimbra instance does no more restart at all. A forum entry viewtopic.php?f=15&t=61135&p=274123&hil ... rm#p274123 recommends to run

Code: Select all

/opt/zimbra/bin/postfix set-permissions
/opt/zimbra/bin/postfix check
as this was a previous bug in the zmfixperms command. The postfix check command listed a lot of files not owned by root or postfix...

Code: Select all

/postfix-script: warning: not owned by root: /opt/zimbra/common/libexec/./openldap/retcode.so
/postfix-script: warning: not owned by root: /opt/zimbra/common/libexec/./openldap/back_sock.so
/postfix-script: warning: not owned by root: /opt/zimbra/common/libexec/./openldap/noopsrch.so
/postfix-script: warning: not owned by root: /opt/zimbra/common/libexec/./openldap/dyngroup-2.4.so.2
/postfix-script: warning: not owned by root: /opt/zimbra/common/libexec/./openldap/valsort-2.4.so.2
/postfix-script: warning: not owned by root: /opt/zimbra/common/libexec/./openldap/back_relay-2.4.so.2
/postfix-script: warning: not owned by root: /opt/zimbra/common/libexec/./openldap/dynlist-2.4.so.2
/postfix-script: warning: not owned by root: /opt/zimbra/common/libexec/./openldap/back_monitor-2.4.so.2
/postfix-script: warning: not owned by root: /opt/zimbra/common/libexec/./openldap/translucent-2.4.so.2
/postfix-script: warning: not owned by root: /opt/zimbra/common/libexec/./openldap/dds-2.4.so.2
/postfix-script: warning: not owned by root: /opt/zimbra/common/libexec/./openldap/dds.so
/postfix-script: warning: not owned by root: /opt/zimbra/common/libexec/./openldap/back_dnssrv-2.4.so.2
/postfix-script: warning: not owned by root: /opt/zimbra/common/libexec/./openldap/deref.so
/postfix-script: warning: not owned by root: /opt/zimbra/common/libexec/./openldap/translucent.so
/postfix-script: warning: not owned by root: /opt/zimbra/common/libexec/./openldap/unique.so
/postfix-script: warning: not owned by root: /opt/zimbra/common/libexec/./openldap/sssvlv.so
/postfix-script: warning: not owned by root: /opt/zimbra/common/libexec/./openldap/back_mdb-2.4.so.2
/postfix-script: warning: not owned by root: /opt/zimbra/common/libexec/./openldap/back_null.so
/postfix-script: warning: not owned by root: /opt/zimbra/common/libexec/./openldap/back_mdb.so
/postfix-script: warning: not owned by root: /opt/zimbra/common/libexec/./openldap/accesslog.so
/postfix-script: warning: not owned by root: /opt/zimbra/common/libexec/./openldap/constraint.so
/postfix-script: warning: not owned by root: /opt/zimbra/common/libexec/./openldap/pw-sha2.so
/postfix-script: warning: not owned by root: /opt/zimbra/common/libexec/./openldap/back_dnssrv.so
/postfix-script: warning: not owned by root: /opt/zimbra/common/libexec/./openldap/syncprov.so
/postfix-script: warning: not owned by root: /opt/zimbra/common/libexec/./openldap/memberof-2.4.so.2
/postfix-script: warning: not owned by root: /opt/zimbra/common/libexec/./openldap/unique-2.4.so.2
/postfix-script: warning: not owned by root: /opt/zimbra/common/libexec/./openldap/memberof.so
/postfix-script: warning: not owned by root: /opt/zimbra/common/libexec/./openldap/refint.so
/postfix-script: warning: not owned by root: /opt/zimbra/common/libexec/./openldap/collect-2.4.so.2
/postfix-script: warning: not owned by root: /opt/zimbra/common/libexec/./openldap/back_relay.so
/postfix-script: warning: not owned by root: /opt/zimbra/common/libexec/./openldap/back_null-2.4.so.2
/postfix-script: warning: not owned by root: /opt/zimbra/common/libexec/./openldap/auditlog.so
/postfix-script: warning: not owned by root: /opt/zimbra/common/libexec/./openldap/dyngroup.so
/postfix-script: warning: not owned by root: /opt/zimbra/common/libexec/./openldap/auditlog-2.4.so.2
/postfix-script: warning: not owned by root: /opt/zimbra/common/libexec/./openldap/deref-2.4.so.2
/postfix-script: warning: not owned by root: /opt/zimbra/common/libexec/./openldap/rwm.so
/postfix-script: warning: not owned by root: /opt/zimbra/common/libexec/./openldap/retcode-2.4.so.2
/postfix-script: warning: not owned by root: /opt/zimbra/common/libexec/./openldap/pcache.so
/postfix-script: warning: not owned by root: /opt/zimbra/common/libexec/./openldap/syncprov-2.4.so.2
/postfix-script: warning: not owned by root: /opt/zimbra/common/libexec/./openldap/dynlist.so
/postfix-script: warning: not owned by root: /opt/zimbra/common/libexec/./openldap/back_monitor.so
/postfix-script: warning: not owned by root: /opt/zimbra/common/libexec/./openldap/back_ldap-2.4.so.2
/postfix-script: warning: not owned by root: /opt/zimbra/common/libexec/./openldap/back_sock-2.4.so.2
/postfix-script: warning: not owned by root: /opt/zimbra/common/libexec/./openldap/ppolicy-2.4.so.2
/postfix-script: warning: not owned by root: /opt/zimbra/common/libexec/./openldap/seqmod.so
/postfix-script: warning: not owned by root: /opt/zimbra/common/libexec/./openldap/ppolicy.so
/postfix-script: warning: not owned by root: /opt/zimbra/common/libexec/./openldap/back_ldap.so
/postfix-script: warning: not owned by root: /opt/zimbra/common/libexec/./openldap/pw-sha2.so.0
/postfix-script: warning: not owned by root: /opt/zimbra/common/libexec/./openldap/refint-2.4.so.2
/postfix-script: warning: not owned by root: /opt/zimbra/common/libexec/./openldap/back_meta-2.4.so.2
/postfix-script: warning: not owned by root: /opt/zimbra/common/libexec/./openldap/back_passwd.so
/postfix-script: warning: not owned by root: /opt/zimbra/common/libexec/./openldap/back_meta.so
/postfix-script: warning: not owned by root: /opt/zimbra/common/libexec/./openldap/collect.so
/postfix-script: warning: not owned by root: /opt/zimbra/common/libexec/./openldap/seqmod-2.4.so.2
/postfix-script: warning: not owned by root: /opt/zimbra/common/libexec/./openldap/constraint-2.4.so.2
/postfix-script: warning: not owned by root: /opt/zimbra/common/libexec/./openldap/accesslog-2.4.so.2
/postfix-script: warning: not owned by root: /opt/zimbra/common/libexec/./openldap/noopsrch.so.0
/postfix-script: warning: not owned by root: /opt/zimbra/common/libexec/./openldap/rwm-2.4.so.2
/postfix-script: warning: not owned by root: /opt/zimbra/common/libexec/./openldap/pcache-2.4.so.2
/postfix-script: warning: not owned by root: /opt/zimbra/common/libexec/./openldap/valsort.so
/postfix-script: warning: not owned by root: /opt/zimbra/common/libexec/./openldap/back_passwd-2.4.so.2
/postfix-script: warning: not owned by root: /opt/zimbra/common/libexec/./openldap/sssvlv-2.4.so.2
/postfix-script: warning: not owned by postfix: /opt/zimbra/data/postfix/data/./master.lock
/postfix-script: warning: not owned by postfix: /opt/zimbra/data/postfix/data/./prng_exch
/postfix-script: warning: not owned by postfix: /opt/zimbra/data/postfix/data/./postscreen_cache.lmdb
I manually changed the ownership for all of these files

In this procedure, I also removed all zimbra specific log files in /var/log as well as /opt/zimbra/log - In order to successfully start zimbra, I had to touch and chown zimbra:zimbra /var/log/zimbra-stats.log to get zmlogswatchctl starting. Finally, zmcontrol start was successful.

However, zmcontrol status reported that zmswatch is not running. /opt/zimbra/log/zmswatch.out claimed not being able to open /var/log/zimbra.log - This file was created as user syslog:adm - Various processes successfully logged to zimbra.log - After I chown'ed /var/log/zimbra to zimbra:zimbra, zimbra reports no errors through zmcontrol command.

Code: Select all

Aug  5 23:42:00 mail zmconfigd[22141]:   File "/opt/zimbra/common/lib/jylibs/state.py", line 816, in rewriteConfig     os.unlink(to)
Aug  5 23:42:00 mail zmconfigd[22141]: Rewrite failed: [Errno 1] Operation not permitted: '/opt/zimbra/common/conf/tag_as_originating.re' ([Errno 1] Operation not permitted: '/opt/zimbra/common/conf/tag_as_originating.re')
Aug  5 23:42:00 mail zmconfigd[22141]:   File "/opt/zimbra/common/lib/jylibs/state.py", line 816, in rewriteConfig     os.unlink(to)
Aug  5 23:42:00 mail zmconfigd[22141]: Rewrite failed: [Errno 1] Operation not permitted: '/opt/zimbra/common/conf/tag_as_foreign.re' ([Errno 1] Operation not permitted: '/opt/zimbra/common/conf/tag_as_foreign.re')
Aug  5 23:42:00 mail zmconfigd[22141]:   File "/opt/zimbra/common/lib/jylibs/state.py", line 816, in rewriteConfig     os.unlink(to)
Aug  5 23:42:00 mail zmconfigd[22141]: Rewrite failed: [Errno 1] Operation not permitted: '/opt/zimbra/common/conf/master.cf' ([Errno 1] Operation not permitted: '/opt/zimbra/common/conf/master.cf')
The file permissions for the reported files are as follows:

Code: Select all

-rw-r--r-- 1 root   zimbra 8560 Aug  5 21:54 /opt/zimbra/common/conf/master.cf
-r--r----- 1 zimbra zimbra   42 Aug  5 21:54 /opt/zimbra/common/conf/tag_as_foreign.re
-r--r----- 1 zimbra zimbra   42 Aug  5 21:54 /opt/zimbra/common/conf/tag_as_originating.re
Questions:
  • What is wrong with zmfixperms? It used to work fine in the earlier versions. The current version seems to mix up a lot...
    What should the proper file ownerships be for zimbra specific log files in /var/log
    Any idea why some files in /opt/zimbra/log are owned by root?
User avatar
pup_seba
Outstanding Member
Outstanding Member
Posts: 687
Joined: Sat Sep 13, 2014 2:43 am
Location: Tarragona - Spain
Contact:

Re: Issue after upgrade to 8.8.15 with zmfixperms

Post by pup_seba »

Hi mate,

That command was quite usefull in the past. I stopped using it maybe 2 o 3 years ago (don't trust me on this one) after I screwed up a production enviromenment as the command instead of fixing permissions, it messed them all up. It looks like even in 8.8.15 is still broken. To this day, when I see some problems with owners, I just manually change them (like recently I had to do with some ldap related files).

With this said, I see in a 8.8.15 (working fine) that root:root are:
gc.log.00 (01,02, etc, are all zimbra:zimbra. this "00" is the only one with root:root).
.hotspot_compiler
nginx.pid
zmmailboxd_java.pid
zmmailboxd_manager.pid

The rest, are all zimbra:zimbra

Regards,
User avatar
pup_seba
Outstanding Member
Outstanding Member
Posts: 687
Joined: Sat Sep 13, 2014 2:43 am
Location: Tarragona - Spain
Contact:

Re: Issue after upgrade to 8.8.15 with zmfixperms

Post by pup_seba »

Hi mate,

That command was quite usefull in the past. I stopped using it maybe 2 o 3 years ago (don't trust me on this one) after I screwed up a production enviromenment as the command instead of fixing permissions, it messed them all up. It looks like even in 8.8.15 is still broken. To this day, when I see some problems with owners, I just manually change them (like recently I had to do with some ldap related files).

With this said, I see in a 8.8.15 (working fine) that root:root are:
gc.log.00 (01,02, etc, are all zimbra:zimbra. this "00" is the only one with root:root).
.hotspot_compiler
nginx.pid
zmmailboxd_java.pid
zmmailboxd_manager.pid

The rest, are all zimbra:zimbra

Regards,
Post Reply