apt-get autoremove may remove current kernel

Bug #1615381 reported by Jarno Suni on 2016-08-21
30
This bug affects 4 people
Affects Status Importance Assigned to Milestone
apt (Ubuntu)
Undecided
Unassigned
unattended-upgrades (Ubuntu)
High
Unassigned
Trusty
Low
Unassigned
Xenial
High
Unassigned
Artful
High
Unassigned

Bug Description

This may happen, if you boot one of the older kernels, that is not protected by /etc/apt/apt.conf.d/01autoremove-kernels

Workaround: run
/etc/kernel/postinst.d/apt-auto-removal
during each boot (e.g. by using cron).
Note: The workaround breaks autoremoving feature of new unneeded kernels in unattended-upgrades i.e. the setting 'Unattended-Upgrade::Remove-New-Unused-Dependencies "true"' (which is default in 16.04 unless 'Unattended-Upgrade::Remove-Unused-Dependencies "true"' is set in '/etc/apt/apt.conf.d/50unattended-upgrades'.

In shell:

$ uname -r
4.4.0-22-generic
$ apt-get -s autoremove
NOTE: This is only a simulation!
      apt-get needs root privileges for real execution.
      Keep also in mind that locking is deactivated,
      so don't depend on the relevance to the real current situation!
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following packages will be REMOVED:
  linux-headers-4.4.0-21 linux-headers-4.4.0-21-generic linux-headers-4.4.0-22
  linux-headers-4.4.0-22-generic linux-headers-4.4.0-31-generic
  linux-image-4.4.0-21-generic linux-image-4.4.0-22-generic
  linux-image-4.4.0-31-generic linux-image-extra-4.4.0-21-generic
  linux-image-extra-4.4.0-22-generic linux-image-extra-4.4.0-31-generic
0 upgraded, 0 newly installed, 11 to remove and 13 not upgraded.

ProblemType: Bug
DistroRelease: Ubuntu 16.04
Package: apt 1.2.12~ubuntu16.04.1
ProcVersionSignature: Ubuntu 4.4.0-22.40-generic 4.4.8
Uname: Linux 4.4.0-22-generic x86_64
ApportVersion: 2.20.1-0ubuntu2.1
Architecture: amd64
CurrentDesktop: XFCE
Date: Sun Aug 21 16:11:27 2016
EcryptfsInUse: Yes
InstallationDate: Installed on 2016-04-28 (114 days ago)
InstallationMedia: Xubuntu 16.04 LTS "Xenial Xerus" - Release amd64 (20160420.1)
SourcePackage: apt
UpgradeStatus: No upgrade log present (probably fresh install)
modified.conffile..etc.kernel.postinst.d.apt-auto-removal: [modified]
mtime.conffile..etc.kernel.postinst.d.apt-auto-removal: 2016-07-30T12:15:32.706300

Jarno Suni (jarnos) wrote :
information type: Private Security → Public Security
Jarno Suni (jarnos) wrote :

I suppose this may happen with unattended-upgrades, too, if user has configured removing of old kernels.

Thanks for taking the time to report this bug and helping to make Ubuntu better. We appreciate the difficulties you are facing, but this appears to be a "regular" (non-security) bug. I have unmarked it as a security issue since this bug does not show evidence of allowing attackers to cross privilege boundaries nor directly cause loss of data/privacy. Please feel free to report any other bugs you may find.

information type: Public Security → Public
Jarno Suni (jarnos) on 2016-09-22
description: updated
Julian Andres Klode (juliank) wrote :

This should not happen...

# Mark as not-for-autoremoval those kernel packages that are:
# - the currently booted version
# - the kernel version we've been called for
# - the latest kernel version (as determined by debian version number)
# - the second-latest kernel version

Not sure what went wrong there...

Jarno Suni (jarnos) wrote :

Julian, it protects the kernel currently booted at the time of running /etc/kernel/postinst.d/apt-auto-removal. If you later boot another kernel that is not protected, it may be removed. Not a likely case, though.

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in apt (Ubuntu):
status: New → Confirmed
Doug Smythies (dsmythies) wrote :

In my case autoremove wants to delete the second-latest regular kernel version. Maybe because I have a bunch of mainline kernels installed also.

Robie Basak (racb) on 2017-10-14
tags: added: kernel-autoremove
Balint Reczey (rbalint) wrote :

In default configuration booted kernel does not become newly unused, but when u-u is configured to remove all autoremovable packages the booted kernel can be removed in case it was not running when was run.

Balint Reczey (rbalint) wrote :

... /etc/kernel/postinst.d/apt-auto-removal was run.

Changed in unattended-upgrades (Ubuntu):
status: New → Confirmed
Balint Reczey (rbalint) on 2018-02-22
Changed in unattended-upgrades (Ubuntu):
status: Confirmed → In Progress
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package unattended-upgrades - 1.0ubuntu1

---------------
unattended-upgrades (1.0ubuntu1) bionic; urgency=medium

  * Merge from Debian unstable
    - Remaining changes:
      - unattended-upgrades: Do not automatically upgrade the development
        release of Ubuntu unless Unattended-Upgrade::DevRelease is true.
    - Dropped changes, included in Debian:
      - Run upgrade-between-snapshots only on amd64.
        The test exercises only unattented-upgrade's Python code and uses
        dependencies from the frozen Debian snapshot archive thus running
        it on all architectures would provide little benefit.

unattended-upgrades (1.0) unstable; urgency=medium

  [ Simon Arlott ]
  * Revert sending mails on WARNINGS when in MailOnlyOnError mode"
  * Consider conffile prompts to be errors (Closes: #852465)
    Flag packages that have to be upgraded manually because of a conffile
    prompt and consider this to be an error when sending email or exiting.

  [ Simon McVittie ]
  * Add python, python3, setuptools, DistutilsExtra to Build-Depends.
    They are needed for `clean`, so Build-Depends-Indep is not enough.
  * Add .gitignore and debian/.gitignore
  * Remove bzr configuration.
    This is unnecessary now that u-u is in git.

  [ Michael Vogt ]
  * unattended-upgrades: tweak mail-on-warnings PR
  * unattended-upgrade: extract is_autoremove_valid helper

  [ Balint Reczey ]
  * Run upgrade-between-snapshots only on amd64.
    The test exercises only unattented-upgrade's Python code and uses
    dependencies from the frozen Debian snapshot archive thus running
    it on all architectures would provide little benefit.
  * Clean up processes started for getting md5 sums
  * Don't keep /var/lib/dpkg/status open multiple times
  * Adjust candidates in UnattendedUpgradesCache.open()
  * Perform autoremovals in minimal steps, too.
    Also add check to remove only the set of packages selected for autoremoval.
    Without that check unattended-upgrades when (by default) configured to
    remove newly unused packages could also remove auto removable packages
    which were unused before starting starting the upgrade step.
  * Remove unused automatically installed kernel packages
    (LP: #1357093, #1624644, #1675079, #1698159)
  * Stop including Python syntax in the report (Closes: #876796)
  * Do not auto remove packages related to the running kernel (LP: #1615381)
  * Check packages to be autoremoved against blacklists, whitelists.
    Also check if the packages are held.
  * Report package removals in the summary email (Closes: #876797)
  * Run upgrade-between-snapshots test with debugging enabled
  * Don't create new UnattendedUpgradesCache for checking for autoremovals
    .open() refreshes the state in each cache_commit(), this is enough
  * Update .pot and .po files
  * Update .travis.yml to actually build and test u-u from the repo
  * Run only a simple installation test on Travis, the system upgrade
    test was always failing

 -- Balint Reczey <email address hidden> Thu, 01 Mar 2018 17:29:33 +0700

Changed in unattended-upgrades (Ubuntu):
status: In Progress → Fix Released
Eric Desrochers (slashd) wrote :

Any particular reason why the fix hasn't been SRU'd ? I'll start looking at SRU'ing it into the rest of Stable Release.

From what I read the reporter first filed the bug against Xenial 16.04 LTS. Anyone still affected by this issue on Xenial or Artful ?

On Thu, May 24, 2018 at 1:24 PM, Eric Desrochers
<email address hidden> wrote:
> Any particular reason why the fix hasn't been SRU'd ? I'll start looking
> at SRU'ing it into the rest of Stable Release.
>
> >From what I read the reporter first filed the bug against Xenial 16.04
> LTS. Anyone still affected by this issue on Xenial or Artful ?

The reason is that many additional fixes were needed in u-u.
1.2ubuntu1 which I uploaded yesterday seem to have fixed all serious
regressions and I'm about SRU it.

Eric Desrochers (slashd) wrote :

Thanks for the heads-up Balint.

I saw the "full backport" discussion in the ML, thanks !

For now, I'm setting Xenial as 'high' priority as it has been brought to my attention that 'uu' in Xenial removed a running kernel recently :

/var/log/unattended-upgrades/unattended-upgrades-dpkg.log
...
Removing linux-image-4.13.0-39-generic (4.13.0-39.44~16.04.1) ...^M
WARN: Proceeding with removing running kernel image.^M
...

Changed in unattended-upgrades (Ubuntu Xenial):
importance: Undecided → High
status: New → Confirmed
Changed in apt (Ubuntu):
status: Confirmed → Won't Fix
Changed in apt (Ubuntu Trusty):
status: New → Won't Fix
Changed in apt (Ubuntu Xenial):
status: New → Won't Fix
Eric Desrochers (slashd) on 2018-05-24
Changed in apt (Ubuntu Artful):
status: New → Won't Fix
Eric Desrochers (slashd) on 2018-05-31
tags: added: sts
Balint Reczey (rbalint) on 2018-11-08
Changed in unattended-upgrades (Ubuntu Artful):
status: New → Won't Fix

Hello Jarno, or anyone else affected,

Accepted unattended-upgrades into xenial-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/unattended-upgrades/1.1ubuntu1.18.04.7~16.04.0 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-xenial to verification-done-xenial. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-xenial. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in unattended-upgrades (Ubuntu Xenial):
status: Confirmed → Fix Committed
tags: added: verification-needed verification-needed-xenial
Łukasz Zemczak (sil2100) wrote :

Hello Jarno, or anyone else affected,

Accepted unattended-upgrades into xenial-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/unattended-upgrades/1.1ubuntu1.18.04.7~16.04.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-xenial to verification-done-xenial. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-xenial. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Łukasz Zemczak (sil2100) wrote :

Hello Jarno, or anyone else affected,

Accepted unattended-upgrades into xenial-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/unattended-upgrades/1.1ubuntu1.18.04.7~16.04.2 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-xenial to verification-done-xenial. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-xenial. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in unattended-upgrades (Ubuntu):
importance: Undecided → High
Changed in unattended-upgrades (Ubuntu Artful):
importance: Undecided → High
Changed in unattended-upgrades (Ubuntu Trusty):
importance: Undecided → Low
Balint Reczey (rbalint) wrote :

Verified 1.1ubuntu1.18.04.7~16.04.2 on Xenial.

Installed a few linux packages, marked them auto-installed, ran /etc/kernel/postinst.d/apt-auto-removal , then booted to a old kernel.
Apt would have removed it, but u-u did not. (The -34- kernel.)

ubuntu@ubuntu-Standard-PC-i440FX-PIIX-1996:~$ uname -a
Linux ubuntu-Standard-PC-i440FX-PIIX-1996 4.15.0-34-generic #37~16.04.1-Ubuntu SMP Tue Aug 28 10:44:06 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
ubuntu@ubuntu-Standard-PC-i440FX-PIIX-1996:~$ yes no | apt autoremove
E: Could not open lock file /var/lib/dpkg/lock-frontend - open (13: Permission denied)
E: Unable to acquire the dpkg frontend lock (/var/lib/dpkg/lock-frontend), are you root?
ubuntu@ubuntu-Standard-PC-i440FX-PIIX-1996:~$ yes no | sudo apt autoremove
[sudo] password for ubuntu:
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following packages will be REMOVED:
  linux-image-4.15.0-34-generic linux-image-4.15.0-36-generic linux-image-4.15.0-38-generic linux-modules-4.15.0-34-generic linux-modules-4.15.0-36-generic
  linux-modules-4.15.0-38-generic
0 upgraded, 0 newly installed, 6 to remove and 9 not upgraded.
After this operation, 223 MB disk space will be freed.
Do you want to continue? [Y/n] Abort.
ubuntu@ubuntu-Standard-PC-i440FX-PIIX-1996:~$ sudo unattended-upgrade --dry-run --verbose
Initial blacklisted packages:
Initial whitelisted packages:
Starting unattended upgrades script
Allowed origins are: o=Ubuntu,a=xenial, o=Ubuntu,a=xenial-security, o=UbuntuESM,a=xenial
Removing unused kernel packages: linux-modules-4.15.0-36-generic linux-image-4.15.0-36-generic linux-modules-4.15.0-38-generic linux-image-4.15.0-38-generic
Keeping auto-removable linux-modules-4.15.0-36-generic package(s) because it would also remove the following packages which should be kept in this step: libpam-systemd libsmbclient libsystemd0 libudev1 libwbclient0 samba-libs systemd systemd-sysv udev
Packages that were successfully auto-removed:
Packages that are kept back: linux-modules-4.15.0-36-generic
ubuntu@ubuntu-Standard-PC-i440FX-PIIX-1996:~$ dpkg -l unattended-upgrades | cat
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name Version Architecture Description
+++-===================-==========================-============-===========================================
ii unattended-upgrades 1.1ubuntu1.18.04.7~16.04.2 all automatic installation of security upgrades

tags: added: verification-done verification-done-xenial
removed: verification-needed verification-needed-xenial
Jarno Suni (jarnos) wrote :

I do not understand why u-u keeps linux-modules-4.15.0-36-generic. How do those packages depend on that?

Balint Reczey (rbalint) wrote :

@jarnos, this is a separate issue fixed later, calculating upgradable packages leaves the upgradable packages in the cache, and u-u counts them as the reverse dependencies of the first kernel to be removed.
This keeps the first kernel on the system, but when there are no upgradable packages in a later run this kernel can be removed, too.

See:
https://github.com/mvo5/unattended-upgrades/commit/93d43fbcd53c5df5ce69a16b26a981bf06ce3085
https://github.com/mvo5/unattended-upgrades/commit/654898b05c933047ca8c97df655743aab0898db1
https://github.com/mvo5/unattended-upgrades/commit/1a39eb257ad786902de11add212879241919be44

Launchpad Janitor (janitor) wrote :
Download full text (33.9 KiB)

This bug was fixed in the package unattended-upgrades - 1.1ubuntu1.18.04.7~16.04.2

---------------
unattended-upgrades (1.1ubuntu1.18.04.7~16.04.2) xenial; urgency=medium

  * Don't check blacklist too early and report updates from not allowed origins
    as kept back. (LP: #1781176)
  * test/test_blacklisted_wrong_origin.py: Fix and enable test
  * Filter out progress indicator from dpkg log (LP: #1599646)
  * Clear cache when autoremoval fails (LP: #1779157)
  * Find autoremovable kernel packages using the patterns in APT's way
    (LP: #1815494)

unattended-upgrades (1.1ubuntu1.18.04.7~16.04.1) xenial; urgency=medium

  * Start service after systemd-logind.service to be able to take inhibition
    lock (LP: #1806487)
  * Handle gracefully when logind is down (LP: #1806487)

unattended-upgrades (1.1ubuntu1.18.04.7~16.04.0) xenial; urgency=medium

  * Backport to Xenial (LP: #1702793)
  * Revert to build-depending on debhelper (>= 9~) and dh-systemd
  * Revert configuration example changes to avoid triggering a debconf question
  * debian/postinst: Update recovery to be triggered on Xenial's package versions

unattended-upgrades (1.1ubuntu1.18.04.7) bionic; urgency=medium

  * Trigger unattended-upgrade-shutdown actions with PrepareForShutdown()
    Performing upgrades in service's ExecStop did not work when the upgrades
    involved restarting services because systemd blocked other stop/start
    actions making maintainer scripts time out and be killed leaving a broken
    system behind.
    Running unattended-upgrades.service before shutdown.target as a oneshot
    service made it run after unmounting filesystems and scheduling services
    properly on shutdown is a complex problem and adding more services to the
    mix make it even more fragile.
    The solution of monitoring PrepareForShutdown() signal from DBus
    allows Unattended Upgrade to run _before_ the jobs related to shutdown are
    queued thus package upgrades can safely restart services without
    risking causing deadlocks or breaking part of the shutdown actions.
    Also ask running unattended-upgrades to stop when shutdown starts even in
    InstallOnShutdown mode and refactor most of unattended-upgrade-shutdown to
    UnattendedUpgradesShutdown class. (LP: #1778219)
  * Increase logind's InhibitDelayMaxSec to 30s. (LP: #1778219)
    This allows more time for unattended-upgrades to shut down gracefully
    or even install a few packages in InstallOnShutdown mode, but is still a
    big step back from the 30 minutes allowed for InstallOnShutdown previously.
    Users enabling InstallOnShutdown node are advised to increase
    InhibitDelayMaxSec even further possibly to 30 minutes.
    - Add NEWS entry about increasing InhibitDelayMaxSec and InstallOnShutdown
      changes
  * Ignore "W503 line break before binary operator"
    because it will become the best practice and breaks the build
  * Stop using ActionGroups, they interfere with apt.Cache.clear()
    causing all autoremovable packages to be handled as newly autoremovable
    ones and be removed by default. Dropping ActionGroup usage does not slow
    down the most frequent case of not having anything to upgrade a...

Changed in unattended-upgrades (Ubuntu Xenial):
status: Fix Committed → Fix Released
no longer affects: apt (Ubuntu Artful)
no longer affects: apt (Ubuntu Xenial)
no longer affects: apt (Ubuntu Trusty)
no longer affects: apt (Ubuntu)
Changed in unattended-upgrades (Ubuntu Trusty):
status: New → Won't Fix
Balint Reczey (rbalint) wrote :

@mathew-hodson apt still does that.

Changed in apt (Ubuntu):
status: New → Confirmed
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers