Plesk Panel: Upgrading to version 12
Monday, July 28. 2014
All the nerds like me (especially me!) love new versions of software.
Backup
I got new toys for my Parallels Plesk Panel box and went for the automated upgrade. I attempted to do the mandatory full backup first:
/usr/local/psa/bin/pleskbackup server \
--output-file=/Backups/pre-12.0.18.backup.tar -v -v
... just to make sure that I have something to roll back to if it hits the fan. But it kept failing on me. Any domain with PostgreSQL databases failed to back up properly. I got log entries like:
Failed to execute backup database
Failed to pack files backup_hqcs_blog_1407141359 in /dumps/domains/hqcodeshop.fi/databases/hqcs_blog [ 115057410048 bytes free of 158532106240 bytes total on mount point 0]
Totally puzzling. It didn't make any sense at all! Looking at the detailed XML log of the backup revealed the following:
<?xml version="1.0" encoding="UTF-8"?>
<object name="server" type="server">
<object name="hqcodeshop.fi" type="domain" uuid="domain#hqcodeshop.fi">
<object name="hqcs_blog" type="postgresql">
<message id="e6d718ef-5b52-49af-8c4f-4473393b30bd" severity="error" code="msgtext">
<description>Failed to execute backup database</description>
</message>
<message id="d5e6cfd1-fa94-45d4-89b6-a47a0627134a" severity="warning" code="msgtext">
<description>sh: AB12: command not found
sh: AB12: command not found
sh: AB12: command not found
sh: AB12: command not found
sh: AB12: command not found
sh: AB12: command not found
</description>
</message>
</object>
</object>
</object>
What command not found!? After a few puzzling moments I realized it: that is the end of my panel admin's password! In its original form the password was [lot of characters here]>AB12. Somebody at Parallels goofed! What happens if your password has special characters? What if some of those characters have special meaning at your command prompt? Not very solid backup code, huh!
The next thing was to change the password to one not containing any of these characters: £$<>()&;"'`. They have special meaning on a *nix command prompt. I always use randomly generated passwords, and during my quests I regularly bump into systems that do not sanitize user input properly. I find that the ones from the number keys with shift are especially nasty. During a registration process it is very easy to input a proper random password, but the system botches something and doesn't let me log in, or does something nasty like Parallels Plesk did.
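To show what the log above is symptomatic of, here is an added Python example (mine, not Plesk's code) that builds a command the unsafe way, with the secret spliced into a shell string, next to the safe ways: an argv list, the PGPASSWORD environment variable that pg_dump actually reads, and shlex.quote() when a shell string is unavoidable. A harmless printf stands in for pg_dump so it runs offline, the two passwords are constructed samples, and it assumes a POSIX sh and the coreutils printf binary. A ";AB12" suffix reproduces the same "AB12: command not found" message; a ">AB12" suffix silently redirects the output into a file named AB12 instead.

```python
import os
import shlex
import subprocess
import tempfile

# Constructed sample passwords (not the author's real one): one ending in
# ";AB12" so the shell sees a second command, reproducing the
# "AB12: command not found" symptom, and one ending in ">AB12" so the
# shell sees an output redirection.
PASSWORD_SEMI = "s3cret;AB12"
PASSWORD_REDIR = "s3cret>AB12"


def naive_shell(password, cwd):
    """UNSAFE: the secret is spliced into a shell command string, which is
    what the backup tool evidently did. A harmless printf stands in for
    pg_dump so this runs offline."""
    cmd = f"printf '%s\\n' --password={password}"
    return subprocess.run(["sh", "-c", cmd], cwd=cwd,
                          capture_output=True, text=True)


def safe_argv(password):
    """SAFE: argv list. No shell ever parses the secret, so ';' and '>'
    are just characters."""
    return subprocess.run(["printf", "%s\n", f"--password={password}"],
                          capture_output=True, text=True)


def safe_env(password):
    """SAFE: secret handed over in the environment, the way pg_dump reads
    PGPASSWORD. The child shell only expands an already-set variable."""
    env = {**os.environ, "PGPASSWORD": password}
    return subprocess.run(["sh", "-c", 'printf "%s\\n" "$PGPASSWORD"'],
                          env=env, capture_output=True, text=True)


def quoted_shell(password, cwd):
    """If a shell string is unavoidable, shlex.quote() wraps the argument
    so every metacharacter is literal."""
    cmd = f"printf '%s\\n' {shlex.quote('--password=' + password)}"
    return subprocess.run(["sh", "-c", cmd], cwd=cwd,
                          capture_output=True, text=True)


def compare():
    """Run every variant against both passwords. Returns a dict keyed
    "<variant>_<password>" -> (returncode, stdout, stderr, files created
    in the working directory)."""
    results = {}
    for label, pw in (("semi", PASSWORD_SEMI), ("redir", PASSWORD_REDIR)):
        for name, fn in (("naive", naive_shell), ("quoted", quoted_shell)):
            with tempfile.TemporaryDirectory() as d:
                r = fn(pw, d)
                results[f"{name}_{label}"] = (r.returncode, r.stdout,
                                              r.stderr, sorted(os.listdir(d)))
        for name, fn in (("argv", safe_argv), ("env", safe_env)):
            r = fn(pw)
            results[f"{name}_{label}"] = (r.returncode, r.stdout, r.stderr, [])
    return results


if __name__ == "__main__":
    for key, (rc, out, err, files) in compare().items():
        print(f"{key:13s} rc={rc} stdout={out!r} "
              f"stderr={err.strip()!r} files={files}")
```

Running it prints one line per variant: the naive ";" case exits 127 with the shell's "not found" complaint on stderr and only "--password=s3cret" on stdout; the naive ">" case exits 0 with empty stdout and leaves a file called AB12 behind, which is the nastier failure because nothing complains. The argv, environment and quoted variants print the full password in all cases. Whichever of the three you pick, the fix for a backup tool is the same: never let the shell see the secret as code.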
Unfortunately changing the admin password didn't make the backup succeed! Apparently the PostgreSQL password is stored somewhere else. I did do a:
/usr/local/psa/bin/admin --show-password
... to confirm that the system knows what the new password is. The thing is, the PostgreSQL password needs to be changed manually. I found the knowledge base article about that: KB 120262 - How to update password for PostgreSQL admin user in Plesk? Running:
# plesk bin database-server --update-server localhost:5432 \
-type postgresql \
-passwd `/usr/local/psa/bin/admin --show-password`
SUCCESS: Server localhost:5432 is successfully updated.
... did solve it. Then I managed to get backups.
Upgrade
There were no issues during upgrade. The web-upgrader took a while and then it said everything was done. There really was nothing special about this part.
During my checks I found a really good knowledge base article about system settings. This is something Parallels didn't have for previous versions. This is really good stuff: Parallels Plesk Panel for Linux services logs and configuration files. I kept going back to that one a lot.
Testing
When the new version was running, I naturally wanted to see that all my services were running properly. Things I found to be broken were the POP3 and IMAP SSL certificates. Also the Presence Builder didn't upgrade properly.
The funny thing about Courier IMAP/POP3 was that the upgrade reset my certificate settings back to something really stupid. I went to /etc/courier-imap/ to check imapd-ssl and pop3d-ssl. I changed both of them to contain:
TLS_PROTOCOL=TLS1
That was done to reflect the setting I have in my /etc/postfix/main.cf:
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
My policy is that if you're running something that does not support TLSv1, v1.1 or v1.2, then you should use somebody else's services. It simply is insane to rely on SSL!
The Web Presence Builder said this on startup:
File: /usr/local/sb/include/Base/ORM/Object.php; Line: 249
Message: Undefined property "controlPanelLink" in object "SB_ORM_TokenAccess".; Code: 0
Luckily, that issue is covered by knowledge base article KB 119875: Cannot open a site in Web Presence Builder: "Undefined property "controlPanelLink" in object "SB_ORM_TokenAccess". A simple SQL command:
ALTER TABLE `token_access` ADD `control_panel_link` VARCHAR( 255 ) NULL DEFAULT '' AFTER `skin_code`;
fixed it.
Life after the upgrade
My system has been running as usual. There haven't been any complaints from the users, and I have not encountered anything else that didn't work.
Un Disclosed on:
seems like you found a code execution overflow accidentally.....
that's amazing how paid solutions get shitted like that.