FreeRADIUS stopped working after a recent upgrade on RHEL 8

[yann-soubeyrand]

Hi,

After a FreeRADIUS upgrade on RHEL 8 (freeradius-3.0.20-3.module+el8.3.0+7597+67902674.x86_64), FreeRADIUS stopped working with this error in the logs:

Systemd start for radiusd failed!
journalctl log for radiusd:
-- Logs begin at Tue 2020-12-29 04:36:26 CET, end at Tue 2021-01-12 18:22:30 CET. --
Jan 12 18:22:30 <redacted> systemd[1]: Starting FreeRADIUS high performance RADIUS server....
Jan 12 18:22:30 <redacted> sh[1960192]: /bin/sh: /etc/raddb/certs/bootstrap: No such file or directory
Jan 12 18:22:30 <redacted> systemd[1]: radiusd.service: Control process exited, code=exited status=127
Jan 12 18:22:30 <redacted> systemd[1]: radiusd.service: Failed with result 'exit-code'.
Jan 12 18:22:30 <redacted> systemd[1]: Failed to start FreeRADIUS high performance RADIUS server..

I guess this is due to

puppet-freeradius/manifests/init.pp

Line 88 in e1dec8c

purge => true,

What would be the best solution, keeping this file, or dropping a systemd override to prevent the service from calling this script as part of its ExecStartPre command?

[nward]

Hi @yann-soubeyrand

I think that a systemd override is the best solution here. Bootstrap running in systemd like this automatically generates certs in /etc/raddb/certs, which conflicts with this module. The alternative would be to allow bootstrap created certificates to exist, however I think we should be managing everything there, and not letting the OS generate its own data.

Does FreeRADIUS run in the default configuration without a certificate? Certificates are of course not required in all RADIUS use cases.

[djjudas21]

In the spirit of making it work out of the box (even if not usefully), would it be wise to include some logic that knows whether or not the distro systemd generates snake oil at startup? If the system generates it, we can thereafter manage what was generated, otherwise we generate it ourselves.

At least then it will always start up without having to do anything complex and won't make the module appear broken.

[yann-soubeyrand]

I think I'm not sufficiently familiar with both this module and our setup (I'm just the guy reporting an issue which a colleague found and which I found a solution for on a bugzilla report :-P) to participate in the thinking about the best solution.

For the record, I deployed the following systemd override to solve our problem:

[Service]
ExecStartPre=
ExecStartPre=-/bin/chown -R radiusd.radiusd /var/run/radiusd
ExecStartPre=/usr/sbin/radiusd -C

[djjudas21]

Thanks @yann-soubeyrand, understood. We're just trying to understand the bug and discuss the best solution for all distros. I think we've got all the info we need from you now, until we manage to ship a fix. Hopefully in the meantime, other people will be able to find your workaround on here more easily than on bugzilla.

Cheers,
Jonathan