/usr/bin/env: ruby: No such file or directory
Closed this issue · 20 comments
Hello,
I'm getting below error message after a successful puppet run and trying to access the dashboard.
/usr/bin/env: ruby: No such file or directory
class { 'openondemand':
manage_logrotate => false,
manage_scl => false,
}
# rpm -qa |grep ondemand
ondemand-nginx-1.17.3-6.p6.0.4.el7.x86_64
ondemand-python-1.7-8.el7.x86_64
ondemand-runtime-1.7-8.el7.x86_64
ondemand-passenger-6.0.4-6.el7.x86_64
ondemand-1.7.14-1.el7.x86_64
ondemand-ruby-1.7-8.el7.x86_64
ondemand-gems-1.7.14-1.7.14-1.el7.x86_64
ondemand-apache-1.7-8.el7.x86_64
ondemand-rubygem-bundler-1.17.3-1.el7.noarch
ondemand-nodejs-1.7-8.el7.x86_64
# scl --list
httpd24
ondemand
rh-nodejs10
rh-ruby25
HTTP://localhost:80 gives
Error -- failed to map user (user)
A manual OnDemand installation works as expected.
Thank you!
Where exactly are you getting the error about /usr/bin/env: ruby: No such file or directory? Is that in Apache logs, Puppet logs, some other logs?
Does the user you logged into OnDemand as exist on the host? Users in OnDemand must exist on the host. If you are using basic auth then whatever you create as basic auth user must exist when you run something like id user. I would not recommend running basic auth in production, it has many security issues. In OnDemand 1.8 we will have a better default from basic auth.
Thank you for a quick response.
An error message is coming from apache logs.
This is a test environment, so authentication is not important. This particular user exists on the server but as part of ldap. I just changed the password with the command:
scl enable ondemand -- htpasswd -c /opt/rh/httpd24/root/etc/httpd/.htpasswd $USER
I used an exact same approach on the test server where I installed everything manually (by rpm) and had no problems.
Thank you.
Quick note. I just realized that my test server with a successful manual install has a local version of ruby installed under /usr/bin/ruby. My puppet running node does not.
You should not need /usr/bin/ruby because we rely on rh-ruby25 SCL and that is loaded by Apache via the file /opt/rh/httpd24/service-environment. That file will contain httpd24 rh-ruby25. That's how Ruby is added to Apache's environment. I'd check that file and make sure it's correctly setup. This is what mine looks like:
HTTPD24_HTTPD_SCLS_ENABLED="httpd24 rh-ruby25"
If that looks correct then you need to do scl enable rh-ruby25 -- which ruby and make sure it prints the path to ruby binary.
For basic auth you'd need to use the basic_auth_users parameter. Something like this:
basic_auth_users => { 'user' => { 'password' => 'changeme' }},
The module does not add any users to basic auth by default.
You can use this module with LDAP but it's still going to use basic auth:
auth_type => 'ldap',
auth_configs => [...]
The values for auth_configs have examples here: https://osc.github.io/ood-documentation/master/installation/add-ldap.html
The examples for auth in docs would go under auth_configs in Puppet.
Yes, sorry I wasn't clear. I realize that apache depends on SCL rh-ruby25, but I just wanted to give you the whole information.
# scl enable rh-ruby25 -- which ruby
/opt/rh/rh-ruby25/root/usr/bin/ruby
I will try your instructions. I was under the assumption that basic auth was there by default.
I will let you know if I am still having problems. Thank you very much.
Sorry to bother you, but it is not clear from your instructions on how to setup LDAP.
AuthLDAPURL - what is an option for that?
I apologize if it's documented somewhere and I am not seeing it. Thank you.
Please disregard my question. It seems that I need to use apache module to setup LDAP. Please let me know if my logic is wrong :) Thank you.
Correct, OnDemand just relies on Apache to handle all authentication so LDAP authentication is done in Apache using Apache's LDAP module.
I believe I am now able to authenticate with ldap, but still getting the same error message in /var/log/httpd24/error:
/usr/bin/env: ruby: No such file or directory
OnDemand_*.log files are now created, but empty.
For some reason, it's just not loading ruby SCL version and I have no idea why.
I would really appreciate your advice.
Thank you.
Does OnDemand load or are you not presented with the web frontend? Double check that /opt/rh/httpd24/service-environment has this line:
HTTPD24_HTTPD_SCLS_ENABLED="httpd24 rh-ruby25"
If the above line is still present then one way to debug where this is failing is to modify /opt/ood/ood_auth_map/bin/ood_auth_map.regex and replace /usr/bin/env ruby with /opt/rh/rh-ruby25/root/usr/bin/ruby but that still might fail without shared libraries getting put into LD_LIBRARY_PATH when loading SCL.
Thank you.
I have checked /opt/rh/httpd24/service-environment before and it's set correctly.
Yep...
/opt/rh/rh-ruby25/root/usr/bin/ruby: error while loading shared libraries: libruby.so.2.5: cannot open shared object file: No such file or directory
I'm going to see if I can figure out a way around it.
Thank you.
If you can think of any other ideas, I'd really appreciate it. Thank you.
I am very curious why this is a problem for you because we've never had reports of this issue on systems where there is no system Ruby. Our production OnDemand hosts have no Ruby outside of SCL Ruby and we are using this Puppet module. Are you running SELinux? That's the only thing I could think would impact this that is not something we are doing at OSC.
Run getenforce for me and let me know what it says.
Possible work around if not running SELinux, you could create a wrapper script like /usr/bin/ondemand-ood_auth_map.regex
#!/bin/bash
SCL_SOURCE=$(command -v scl_source)
[[ "${SCL_SOURCE}" ]] && source "${SCL_SOURCE}" enable ondemand &> /dev/null
/opt/ood/ood_auth_map/bin/ood_auth_map.regex
Then in Puppet set:
user_map_cmd => '/usr/bin/ondemand-ood_auth_map.regex',We usually run SElinux, but I already disabled it just in case (at least for testing). It was enabled while puppet module was getting installed, but not sure if it could be related.
$ getenforce
Permissive
I don't trust SELinux not to screw things up when in permissive. If possible set SELINUX=disabled in /etc/selinux/config and reboot to fully disable SELinux and try again.
Also OnDemand has SELinux support but you have to opt-in by setting selinux => true for Puppet, that will install the ondemand-selinux package. If you were to enable SELinux and still run into problems with that package installed we'd need you to collect information for us to update the custom policies: https://osc.github.io/ood-documentation/master/installation/modify-system-security.html#ood-selinux
So I have decided to start fresh and fully rebuild the server. I also started running puppet after disabling SELinux (and rebooting).
My issue now is LDAP. Before I didn't use apache module and just followed OnDemand instructions. Now I'm using apache and stuck. What is a docroot? I have it at /var/www/ood/public. Is this correct?
I am getting below error message, but not sure if it's related to my incorrect docroot. If not, I will look further in my apache config.
[Thu Jun 11 16:01:56.787169 2020] [autoindex:error] [pid 29495] [client 172.17.26.31:45356] AH01276: Cannot serve directory /var/www/ood/public/: No matching DirectoryIndex (index.html,index.html.var,index.cgi,index.pl,index.php,index.xhtml) found, and server-generated directory index forbidden by Options directive
I now have two apache configs:
ood-portal.conf - created by OnDemand
25-myserver.conf - created by apache
Is this right?
Thank you!
Docroot doesn't matter with OnDemand, it's not needed and should not be set in ood-portal.conf. I don't know what 25-myserver.conf does but it could very likely be causing problems for OnDemand because the file used for OnDemand is ood-portal.conf and unless you enable named based virtual hosting, the 25-myserver.conf file could prevent ood-portal.conf from loading due to ordering.
You will need servername => 'replace' and replace the value with URL you want to use for OnDemand, has to be specific to OnDemand. OnDemand's Apache config is generated from /etc/ood/config/ood_portal.yml values and those values are set by this Puppet module.
I'd start by removing all non-ondemand Apache configs, because it's very easy for one apache config to negate another. If using this Puppet module then that would mean just commenting out the logic that adds the other virtual hosts unless you disable Apache module purging.
Thank you for responding.
Do you know of anyone who successfully setup LDAP authentication with apache module and OnDemand? docroot is required by apache module (getting error message expects a value for parameter 'docroot' otherwise).
The way this module uses Apache module it doesn't call out directly to apache::vhost so you don't need docroot. This module through ood-portal-generator will setup the Apache vhost config so you don't need to. What resources are you adding to Puppet that give you the error about docroot? It should not be ones for OnDemand as those are handled by this module.
Also, you can set docroot => false but again in the context of OnDemand that should not be necessary because this module handles the Apache configuration for you so anything done outside this module will not work.
We have tested the Apache and LDAP setup locally at OSC. We don't use it in production because it's insecure but we've verified it works using both manual configuration and this Puppet module. This is what we used with Puppet (in Hiera):
openondemand::auth_type: ldap
openondemand::auth_configs:
- 'AuthName "Private"'
- 'AuthBasicProvider ldap'
- 'AuthLDAPURL "ldaps://ldap1.infra.osc.edu:636 ldap2.infra.osc.edu:636 ldap3.infra.osc.edu:636/ou=People,dc=osc,dc=edu?uid" SSL'
- 'AuthLDAPGroupAttribute member'
- 'AuthLDAPGroupAttributeIsDN on'
- 'Require valid-user'
- 'RequestHeader unset Authorization'
You will have to adjust AuthLDAPURL, AuthLDAPGroupAttribute and AuthLDAPGroupAttributeIsDN based on your LDAP setup. The above will update /etc/ood/config/ood_portal.yml which will be used to generate your Apache configuration.
I would strongly recommend not adding any manual or Puppet Apache configurations while you try to work out how to get OnDemand working. Let this module handle the Apache configuration for you so keep things as simple as possible while you try to get this working.
Thank you. This is very clear. I guess I misunderstood when you mentioned apache module and was under an impression that apache::vhost must be included.
I really appreciate all your time and help.