Upgrade profile with "security" enabled marks kernel packages as manually installed

Did you check if 'unattended-upgrades' was enabled ? (By default it is)

While there might be a bug in Landscape (will leave the call to Simon on that portion) ...
If 'uu' is enabled, did it failed to attempt to remove unused kernel version ?

In theory, 'uu' should be able to take care of that when it runs.

On each iteration of my comparison I installed from ISO (so I would have an old kernel that needs to be upgraded) and selected the option for "no automatic updates" in the installer.

I've spoken to Simon about this bug in #landscape-squad (he was the one that told me to open it). He has a reasonable idea of what might be happening.

https://github.com/CanonicalLtd/landscape-client/pull/85

while there could be some conflicts with unattended upgrades, this is definitely an incorrect landscape (or python-apt) behaviour, where applying an update marks a package as manual. There are a few ways to trigger this and a few ways to avoid triggering this.

For instance, a lot of operations act on all updates, which leaves apt to do its job correctly.

Operations selecting specific updates (either through manual selection or a profile) drop the auto flag from installed packages. The proposed fix tries to resolve this by carrying the auto flag on packages which are already installed. Thus

1. new packages installed explicitly (not as dependencies) are always manual
2. installing a new version of an installed package explicitly keeps the auto flag, if set.
3. the way to mark a new version of an auto package as manual would be to remove it and add it again, or hold it.

This should keep things autoremovable through updates and appears to match the behaviour of command-line apt.

Now, I'm not sure how some kernels got to be marked manual, as they never are updated explicitly. (only the metapackage linux-image-generic should be updated, which pulls versions as auto dependencies) Unless a kernel version got selected manually, landscape shouldn't try to install those directly.

Do you want me to give you exact steps to reproduce the manually installed kernels, Simon?

Please do, John! It'll come in handy.

Hi Daniel,

From the case:

apt-mark showmanual |grep linux-

Base ISO install:

linux-base
linux-generic
linux-headers-generic

After apt upgrade:

linux-base
linux-generic
linux-headers-generic

After custom Landscape upgrade profile with autoremove:

linux-base
linux-firmware
linux-generic
linux-headers-generic
linux-image-generic

After request all upgrades from Landscape:

linux-base
linux-firmware
linux-generic
linux-headers-4.15.0-99
linux-headers-4.15.0-99-generic
linux-headers-generic
linux-image-4.15.0-99-generic
linux-image-generic
linux-modules-extra-4.15.0-99-generic

After custom Landscape upgrade profile with autoremove + security:

linux-base
linux-firmware
linux-generic
linux-headers-4.15.0-99
linux-headers-4.15.0-99-generic
linux-headers-generic
linux-image-4.15.0-99-generic
linux-image-generic
linux-modules-extra-4.15.0-99-generic

So, either "request all upgrades" or having an upgrade profile with autoremove + security, will create this issue.

Please let me know if you need more detail.

Hi Daniel - is there any further movement on this bug?

Regards,

John.

Request from customer:

2020-10-07 13:36 UTC-
-Hi

Are there any news on this issue?
We delete kernels every Monday manually. And I think we can come up with something more automatic.

The issue is "When we have autoremove and security updates enabled in landscape. New kernels are installed as manual and autoremove does not remove them"
Some of the servers that is updated from 14.04 are only having 256 MB /boot partition.
if you are having a smarter suggestion we will be glad to hear.

Kind Regards
Martin Lind Mortensen
Aarhus University

I still have a case open regarding this bug. I would like to be able to close it, although the customer hasn't pinged for some time.

Status changed to 'Confirmed' because the bug affects multiple users.

Just going through old cases - any update on this bug?

This bug was fixed in the package landscape-client - 23.02-0ubuntu1

---------------
landscape-client (23.02-0ubuntu1) lunar; urgency=medium

  * New upstream release 23.02:
    - Preventing the generation of large messages and logs that can overwhelm
      Landscape Server (LP: #1995775)
    - Improved MOTD slowdown on machines with many tap network interfaces
      (LP: #2006396)
    - No longer using deprecated apt-key when storing trusted GPG keys
      (LP: #1973202)
    - Fixed issue recognising Parallels VMs as Virtual Machine clients
      (LP: #1827909)
    - Fixes for incorrect logfile rotation config (LP: #1968189)
    - Client-side backoff handling to moderate traffic to Landscape Server
      during high load (LP: #1947399)
    - Avoid sending empty messages when catching up to expected next message
      (LP: #1917540)
    - --is-registered CLI option to quickly check if client is registered
      (LP: #1912516)
    - Can now report Ubuntu Pro attachment information if the version of
      Landscape Server it is registered to supports this (LP: #2006401)
    - Packages installed as dependencies as part of package profiles are now
      appropriately autoremovable (LP: #1878957)
    - Registration timeouts give an error instead of timing out (LP: #1889464)
    - RHEV hypervisor VMs are now recognized as virtual machines (LP: #1884116)
    - Doing a Landscape-driven release upgrade from a release running python 2
      to one running python 3 no longer hangs forever (LP: #1943291)

 -- Mitch Burton <email address hidden> Wed, 08 Feb 2023 10:23:31 -0800