[Jammy] NetworkManager-openconnect 1.2.6 not compatible with openconnect 8.20

Upstream has identified the bug and solved it in 1.2.9+:

https://gitlab.gnome.org/GNOME/NetworkManager-openconnect/-/merge_requests/31

Status changed to 'Confirmed' because the bug affects multiple users.

We considered this a regression in OpenConnect and it is fixed in the 9.01 release.

We also made NetworkManager more resilient but don't wait for that.

Status changed to 'Confirmed' because the bug affects multiple users.

I created a fix here:

https://launchpad.net/~ernstp/+archive/ubuntu/ppa/+packages?field.name_filter=&field.status_filter=published&field.series_filter=jammy

(new version with fixed lp: # changelog.)

Thanks Ernst -- let me test that.

(Just a nit, one thing to keep in mind though is that the version number you used for the package matches the version in the 22.04 LTS release; I think best practice for PPAs (it's been a while) is that you should change the suffix to something unique. But regardless thanks so much for the build)

It worked fine. As I use split networking, there's one thing I had to do which was to mark the "never-default" checkbox in the NetworkManager config, but as I'm upgrading from 20.04 LTS there was perhaps a behavior change that I hadn't noticed. The rest, split DNS etc works as expected. Thanks again!

This is the .diff.gz converted to .debdiff format and with the changelog fixed.

I just uploaded a patched version with an additional changelog entry to my PPA: https://launchpad.net/~luis220413/+archive/ubuntu/test-builds. Do not add this PPA to your system. Instead, download the package from the entry for the package under the "View package details" menu and install it with
  sudo apt install ./<relative path to .deb>
or
  sudo apt install /<absolute path to .deb>

I have reviewed the debdiff, the proposed changes are sane and I was able to find the original change in the upstream repository. I'll sponsor it to the Unapproved queue, but before this can be reviewed and accepted as an SRU, me (and possibly other SRU members) would like to know:

 * What is the regression potential of this change? The [Where problems could occur] section needs to be filled in with regression analysis.
 * Related to the point above, since this fix basically reverts a bugfix, how big of an impact will this have on the users? Was the bug a very frequently encountered one? Seems more like an edge-case though? I'd like this info included in the bug description as well.

Thanks.

* since this fix basically reverts a bugfix, how big of an impact will this have on the users?

It's not really a bugfix that's being reverted, more of an optional feature. The patch enabled NetworkManager to override the server provided configuration for "split" VPN. But since it also is incompatible with the current version of NetworkManager-openconnect it wasn't a useful feature.

For those using GlobalProtect VPN which this relates to, this revert helps a 100% occurrence issue with a very common configuration.

The package was sponsored into the Unapproved queue on Tuesday (UTC), but the queue is generally processed from oldest to newest, there are 31 earlier items in the queue and the queue is soft-frozen for the release of 22.04.1, that is expected to occur on August 11.

I think what I'm missing in reviewing this is some high-level description of what the patch does, and how it relates to the interaction of openconnect & network-manager-openconnect.

In the SRU team we get asked to review packages from all over the archive; the uploader presumably has a significantly deeper understanding of the package and how it fits into its immediate dependencies than we do. We might be missing system-level context that seems obvious to the uploader, so it's often useful for them to provide such context.

From the diff, it seems that the changes are in how translates the netmask option in the "config xml" into VPN config. But I don't know where the "config XML" comes from (is it NetworkManager? Is it sent over the wire from the VPN server? Is it read from an openconnect-specific config file, not set by anything else?).

From an SRU perspective, a significant concern of ours is “will this disrupt anyone's working system”. NetworkManager is not the only way to configure openconnect, right? How likely is it that a non-NetworkManager configuration could be using this feature? Since the bug seems to entirely break common NetworkManager/openconnect configurations, users are likely to have tried work-arounds. *Are* there any work-arounds for this bug, and how would they be affected by this revert? These are the sorts of questions we want answered in the [Where problems could occur] section.

You can read more about the developers reasoning for the revert in openconnect here:
https://gitlab.gnome.org/GNOME/NetworkManager-openconnect/-/merge_requests/36

"Handle default routes in split excludes
We attempted to 'fix' OpenConnect not to send these and to set the netmask
on the interface to 0 instead, but that caused compatibility problems which
we had to work around in commit 84e279cb ("src/helper: handle openconnect
8.20 netmask values.")
We want to revert that from the OpenConnect side as it's a regression, so
let's find a better way to achieve the original objective. Scan the split
includes to see if they include a default route. If they do, drop it from
the list we pass to NM explicitly, but don't set the never-default flag.
That should allow NM to honour the 'Use only for resources on this
connection' setting while still doing the right thing in other cases."

Pointing to the upstream discussion is helpful, but upstream's priorities and reasoning doesn't necessarily apply to us. A fix can be absolutely correct in the upstream context but unacceptable as an SRU.

Here, we know this changes the interface openconnect presents to the rest of the system. This change is clearly fine for NetworkManager, but we want to know what *other* things this interface change might affect. Does connman interface with openconnect, and if it does, how will this affect VPNs set up with connman? Users can invoke openconnect directly, right? How will this change affect that? Might this break scripts users have set up to work around this bug? What would that look like?

This is the sort of analysis we want in the [Where problems could occur] section.

I'm still thinking about something to write regarding standalone openconnect and connman+openconnect...

However we can say this commit was very short lived and it was a bit of bad luck that it snuck into Ubuntu 22.04 LTS. It only exists in 8.20 and was reverted in the next release.

Maybe upstream developer @dwmw2 can explain more himself?

Here's more notes on upstreams thoughts:
https://gitlab.gnome.org/GNOME/NetworkManager-openconnect/-/issues/63#note_1437353

"No problem. Apologies for the regression. I think this is the best way forward — we revert the offending change in OpenConnect, and make NetworkManager-openconnect recognise the default route in the split includes and handle it accordingly. If we're going to have to update NM-openconnect anyway, we shouldn't have broken the compatibility in the first place. So this is what I'd like to merge into both projects:"

I have filed a nearly-empty main inclusion report (MIR) for these two packages (bug #1986592), referencing this bug report.

The commit may have been short-lived upstream, and it is bad luck that 22.04 happened to pick it up, but that means that it's now the stable behaviour of the 22.04 release. Which doesn't make it *impossible* to do the revert, but it *does* mean we need to know the possible ramifications of the behaviour change on end-users who may¹ have setups which depend on this behaviour.

¹: Working out what “may” means here is basically the question I'm asking. ☺

Marking incomplete based on last comment from Chris.

I filed bug #1987707 to get OpenConnect support preinstalled in Ubuntu Desktop (and all other Ubuntu flavors; Kubuntu and Ubuntu Studio already have it).

Just to chime in here as a user who is affected by this bug:

Me (and some of my colleagues using Ubuntu) have upgraded from 21.10 to 22.04 shortly after its release. Right after upgrading, we noticed that we could no longer connect to the company VPN as we did before (using openconnect with a GlobalProtect VPN).

Workarounds we are using since:
1. Reverting to and pinning of libopenconnect5=8.10-2build1 openconnect=8.10-2build1 network-manager-openconnect=1.2.6-1 network-manager-openconnect-gnome=1.2.6-1 from Impish
2. Using the offical GlobalProtect VPN client
3. Using TeamViewer to work on a PC that sits inside of the company network

Hoping this upstream fix will make it into stable soon.

@nsgundy Can you test that the https://launchpad.net/~luis220413/+archive/ubuntu/test-builds/+build/24235590 build solves the issue for you also, and doesn't have any regressions?

My MIRs for network-manager-openconnect and its dependencies are ready.

For the .dsc file and for the changes file for a clean build of the new version, Lintian produces the following output:

W: openconnect-dbgsym: elf-error In program headers: Unable to find program interpreter name [usr/lib/debug/.build-id/7d/a995cf6bde8d118080489aebfebeeb66a280f5.debug]
N: 1 hint overridden (1 error); 0 unused overrides

The elf-error warning is due to bug #1977883.

> The patch enabled NetworkManager to override the server provided configuration for "split" VPN. But since it also is incompatible with the current version of NetworkManager-openconnect it wasn't a useful feature.

Like Chris, I'm concerned about what happens to users who may be relying on this feature, for example by configuring it directly, without Network Manager. Is it possible that there are users in this situation? What will happen to them if this revert lands in Jammy?

I think this update remains blocked until someone performs this analysis.

> @nsgundy Can you test that the https://launchpad.net/~luis220413/+archive/ubuntu/test-builds/+build/24235590 build solves the issue for you also, and doesn't have any regressions?

My company is trying out GlobalProtect, and I've run into this bug while testing things on Ubuntu 22.04. I can confirm that the builds from https://launchpad.net/~luis220413/+archive/ubuntu/test-builds/+build/24235590 solve the issue here and I was able to connect to the GlobalProtect gateway via Network Manager.

For the record, only invoking openconnect directly was working before, and it continues to with this patch.

Connecting to a Cisco Firepower router with the stock Openconnect in Jammy via Gnome, I get a "timeout was reached"; openconnect at the commandline works fine, but nmcli or the Gnome graphical connector fail. This worked fine on Ubuntu 18.

The attached build at https://launchpad.net/~luis220413/+archive/ubuntu/test-builds/+build/24235590 fixes this problem for me.

An upload of openconnect to jammy-proposed has been rejected from the upload queue for the following reason: "unanswered questions about regression potential for > 2 months".

#11 fixed the issue on Ubuntu 22.04.1 (bumping libopenconnect5 and openconnect to version 8.20-1ubuntu0.1~ppa1 over 8.20-1 from the Ubuntu repos). Without that fix, or a downgrade, OpenConnect was not usable within NetworkManager for any of my VPN endpoints.

Hi everybody,

can anybody please provide a status update on this bug ?
I have been following it since the beginning but also with 22.04.2 it still seem to be there.
Thank you very much,

The attachment "openconnect_8.20-1_8.20-1ubuntu1.debdiff" seems to be a debdiff. The ubuntu-sponsors team has been subscribed to the bug report so that they can review and hopefully sponsor the debdiff. If the attachment isn't a patch, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are member of the ~ubuntu-sponsors, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issue please contact him.]

Sorry to have not responded when I was asked to, somehow missed that. When Ubuntu 22.10 got released, I upgraded to that and it's versions for openconnect and with that the problem was solved for me, no regressions. I have since moved to 23.04 and all is still good.

An SRU of this bug was rejected from the queue due to the lack of analysis here of the potential for regression. I am unsubscribing the ubuntu-sponsors team since there is at the moment nothing to sponsor, until those questions are addressed.

When the bug description has been updated with this information, please subscribe the ubuntu-sponsors team again.

I can report that this is still a problem on Ubuntu 23.04, and im a little bit confused on how that is possible.

Presently, you cannot use openconnect through networkmanager, due to the no valid prefix.

libopenconnect5/lunar,now 9.01-3 amd64 [installed,automatic]
network-manager-openconnect-gnome/lunar,now 1.2.8-3 amd64 [installed]
network-manager-openconnect/lunar,now 1.2.8-3 amd64 [installed]
openconnect/lunar,now 9.01-3 amd64 [installed]

I was able to grab some more recent 1.2.10-1 that made it so connections would work, but it broke other things.

So as of present, Ubuntu 23.04 fully up to date, is unable to use openconnect to establish VPN connections for me through the GUI due to this bug.

I see that the [Where problems could occur] section was updated with a regression analysis.
And I agree with comment #13 about the debdiff being reasonable.

So I'm sponsoring it into the Jammy queue again, so the SRU team can have another look into it.

PS: I also ran the "update-maintainer" script on the source packge before uploading. Unsubscribing ~ubuntu-sponsors.

@kennocha Is this a problem in Ubuntu 23.10? If yes, this is a blocker for the SRU, because the SRU policy (https://wiki.ubuntu.com/StableReleaseUpdates) requires that a bug to be fixed via an SRU be fixed in the development release first.

"This bug only affects the specific combination of network-manager-openconnect and openconnect that ended up in Jammy."

@luis220413 It was solved straight away in Kinetic 22.10 when it got openconnect 9.01.

@kennocha I would guess you have another problem, feel free to open a new bug report.

> I see that the [Where problems could occur] section was updated with a regression analysis.
And I agree with comment #13 about the debdiff being reasonable.

> So I'm sponsoring it into the Jammy queue again, so the SRU team can have another look into it.

That section plainly does not address the questions raised above in the bug comments by Chris and by myself. For example, it does not consider scenarios where users might have configured direct use of functionality that you now propose to remove.

I am once again marking this bug incomplete.

It was marked 'confirmed' again after a set of changes to the bug description. But still, NOWHERE IN THE BUG HAS THE QUESTION BEEN ANSWERED:

Could a user, who has configured openconnect directly rather than using NetworkManager-openconnect, have a configuration which relies on the current (incorrect) behavior, and that configuration will then be broken as a result of this SRU?

That question needs a clear yes or no answer. If the answer is yes, then there either needs to be mitigation of this as part of a patch, or a rationale for why it's somehow acceptable to break the user's VPN configuration on upgrade (such as: that config wouldn't actually work and would be buggy in other ways).

It has wasted a lot of SRU Team time trying to get an answer to this question. If I find that this bug has been set back to 'confirmed' again without this question being clearly answered, I am going to reject the SRU.

@vorlon The answer to your question is: Yes, but it is extremely unlikely for a user to have such a configuration.

> If the answer is yes, then there either needs to be mitigation of this as part of a patch, or a rationale for why it's somehow acceptable to break the user's VPN configuration on upgrade (such as: that config wouldn't actually work and would be buggy in other ways).

Sorry, "unlikely" is insufficient as an excuse to break users in a stable update, so I'm rejecting this upload. Perhaps a suitable mitigation is still possible, but those interested in driving this bug seem disinterested in that. Realistically it seems likely that this bug will therefore be fixed, so I'm setting this bug as Won't Fix to reflect this.

If somebody prepares a suitable patch and an Ubuntu developer considers this case suitably mitigated, then you can re-upload.

We are very interested in driving this, that's why I was very quick to file this only a few days after the Ubuntu 22.04 release.
However it's very hard to _guarantee_ that _nobody_ will be affected.

But the setup in Ubuntu 22.04 is clearly a mistake, confirmed by the upstream developers. At least we have a new LTS release around the corner now...