Missing pattern for linux-image-unsigned keeps autoremovable kernels on the system

Bug #1821640 reported by Balint Reczey on 2019-03-25
12
This bug affects 1 person
Affects Status Importance Assigned to Milestone
apt (Ubuntu)
Status tracked in Eoan
Xenial
Undecided
Unassigned
Bionic
Undecided
Unassigned
Cosmic
Undecided
Unassigned
Disco
Undecided
Unassigned
Eoan
Low
Unassigned

Bug Description

[Impact]
Unattended-upgrades keeps versioned kernel packages because they don't match known kernel package patterns:

...
Keeping auto-removable linux-modules-4.18.0-14-generic package(s) because it would also remove the following packages which should be kept in this step: linux-image-unsigned-4.18.0-14-generic
...

For reproduction see LP: #1795696, but running u-u with --verbose.

And APT does not apply proper kernel-version based protection to it.

[Test case]
linux-image-unsigned should popup in the same list in 01autoremove-kernels as linux-signed-image, and should be autoremovable iff it's signed counterpart is autoremovable.

[Regression potential]
Not really any, it's just an additional string in the entry. The only difference really possible therefore is that the set of autoremovable packages changes and unattended-upgrades and friends might autoremove different sets of them.

Julian Andres Klode (juliank) wrote :

Hmm, but linux-image-unsigned-$foo should not be installed in the first place.

Changed in apt (Ubuntu):
status: New → Triaged
importance: Undecided → Low
Balint Reczey (rbalint) wrote :

Why should not it be installed?

Julian Andres Klode (juliank) wrote :

I mean, usually people should have linux-image-<version> installed, not linux-image-unsigned - they are basically only artifacts used for building the signed kernel images that are installed by the metapackages.

Since there is no metapackage that pulls in unsigned kernels, there is no reason to add unsigned kernels to that list, as they'll be manually installed anyway.

Balint Reczey (rbalint) wrote :

I agree that -unsigned- kernel packages are unlikely to pile up in /boot, but they are still versioned kernel packages and handling those uniformly helps in maintainence.
I also added linux-buildinfo to the patterns and an autopkgtest to detect new kernel packages not covered by patterns, thus we can catch the next variant of LP: #1698159 earlier.

Balint Reczey (rbalint) wrote :

IMO adding two patterns than keeping the rule of not adding patterns that would only cover versioned kernel packages that could not be installed by installing meta packages from the archive is worth it due to the reduced complexity.
Alternatively I can add exceptions for those patterns in the autopackagetest to ignore the covered packages.

description: updated
description: updated

Hello Balint, or anyone else affected,

Accepted apt into disco-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/apt/1.8.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-disco to verification-done-disco. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-disco. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in apt (Ubuntu Disco):
status: New → Fix Committed
tags: added: verification-needed verification-needed-disco
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apt - 1.8.1+19.10

---------------
apt (1.8.1+19.10) eoan; urgency=medium

  * Upload to eoan

apt (1.8.1) unstable; urgency=medium

  * Add test case for local-only packages pinned to never
  * Prevent shutdown while running dpkg (LP: #1820886)
  * Add linux-{buildinfo,image-unsigned,source} versioned kernel pkgs
    (LP: #1821640)

 -- Julian Andres Klode <email address hidden> Mon, 06 May 2019 11:26:17 +0200

Changed in apt (Ubuntu Eoan):
status: Triaged → Fix Released
Julian Andres Klode (juliank) wrote :

Installed 1.8.1, running reboot as a user is inhibited:

$ reboot
Operation inhibited by "APT" (PID 3208 "apt", user root), reason is "APT is installing or removing packages".
Please retry operation after closing inhibitors and logging out other users.
Alternatively, ignore inhibitors and users with 'systemctl reboot -i'.

As root it obviously is not, as inhibitors are ignored, nothing we can do about that now.

tags: added: verification-done-disco
removed: verification-needed-disco
Julian Andres Klode (juliank) wrote :

Oops, commented wrong bug, here's the right one. I installed apt 1.8.1 and linux-image-unsigned-5.0.0-15-generic. With apt 1.8.0, the unsigned kernel was not protected, with 1.8.1 it was; so the pattern was properly recognized.

Changed in apt (Ubuntu Cosmic):
status: New → In Progress
Changed in apt (Ubuntu Bionic):
status: New → In Progress
Changed in apt (Ubuntu Xenial):
status: New → In Progress
tags: added: id-5ca77e29a04a8142d5a182be
Steve Langasek (vorlon) wrote :

I am not convinced that this change is appropriate. No metapackages depend on linux-image-unsigned-$ver, this is NOT expected to be installed on end user systems (it's an implementation detail of our kernel signing process) and I don't think it's necessary to handle it specially for apt autoremoval because it should NEVER be present on the system as a dependency of another package.

So why does any actual user have this package installed except by manual user action that they can also revert manually?

If this *is* needed, then please include a complete step-by-step test case for verification of the fix.

Changed in apt (Ubuntu Cosmic):
status: In Progress → Incomplete
Balint Reczey (rbalint) wrote :

@vorlon: I tried to explain the advantages of handling versioned kernel packages uniformly in:
https://bugs.launchpad.net/ubuntu/+source/apt/+bug/1821640/comments/5

U-u and update-manager use the patterns not just for removal but also for _protecting_ the running kernel and not autoremoving it, thus having accurate patterns helps not breaking the system as well.

I'm adding an autopkgtest in u-u to check if every versioned kernel pattern is covered to not miss any and prevent bugs like LP: #1698159:

https://github.com/mvo5/unattended-upgrades/pull/199

Julian Andres Klode (juliank) wrote :

vorlon: Even if it's not technically needed on the apt side, because there is no meta package, it does help to have the list consistent. For eoan, we'll even move to just ^linux-.*$ (to avoid having to add new kernels when they appear), so it will be covered anyway.

On the other hand, it does have the advantage that if you do install unsigned kernels for some reason, they'll get automatically removed by unattended-upgrades with the pattern being present if they are outdated as part of the normal versioned kernel removal.

Changed in apt (Ubuntu Cosmic):
status: Incomplete → In Progress
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apt - 1.8.1

---------------
apt (1.8.1) unstable; urgency=medium

  * Add test case for local-only packages pinned to never
  * Prevent shutdown while running dpkg (LP: #1820886)
  * Add linux-{buildinfo,image-unsigned,source} versioned kernel pkgs
    (LP: #1821640)

 -- Julian Andres Klode <email address hidden> Mon, 06 May 2019 10:41:52 +0200

Changed in apt (Ubuntu Disco):
status: Fix Committed → Fix Released

The verification of the Stable Release Update for apt has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Hello Balint, or anyone else affected,

Accepted apt into cosmic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/apt/1.7.5 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-cosmic to verification-done-cosmic. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-cosmic. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in apt (Ubuntu Cosmic):
status: In Progress → Fix Committed
tags: added: verification-needed-cosmic
Changed in apt (Ubuntu Bionic):
status: In Progress → Fix Committed
tags: added: verification-needed-bionic
Brian Murray (brian-murray) wrote :

Hello Balint, or anyone else affected,

Accepted apt into bionic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/apt/1.6.11 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-bionic to verification-done-bionic. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-bionic. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in apt (Ubuntu Xenial):
status: In Progress → Fix Committed
tags: added: verification-needed-xenial
Brian Murray (brian-murray) wrote :

Hello Balint, or anyone else affected,

Accepted apt into xenial-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/apt/1.2.32 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-xenial to verification-done-xenial. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-xenial. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Julian Andres Klode (juliank) wrote :

1.6.11/bionic: I installed linux-image-unsigned-5.0.0-15-generic; and I see ^linux-image-unsigned-5\.0\.0-15-generic$" in the NeverAutoRemove list.

tags: added: verification-done-bionic
removed: verification-needed-bionic
Julian Andres Klode (juliank) wrote :

1.7.5/cosmic: Same, but I played with 4.18-20 kernel

tags: added: verification-done-cosmic
removed: verification-needed-cosmic
Julian Andres Klode (juliank) wrote :

1.2.32/xenial: Same, but I played with 4.15-51 kernel :)

tags: added: verification-done verification-done-xenial
removed: verification-needed verification-needed-xenial
Julian Andres Klode (juliank) wrote :

For 1.7.5/cosmic:

Regression in autopkgtest for autopkgtest (i386): test log

This also happens with other runs, seems to be spurious.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apt - 1.7.5

---------------
apt (1.7.5) cosmic; urgency=medium

  * Add test case for local-only packages pinned to never
  * Prevent shutdown while running dpkg (LP: #1820886)
  * Add linux-{buildinfo,image-unsigned,source} versioned kernel pkgs
    (LP: #1821640)

 -- Julian Andres Klode <email address hidden> Tue, 07 May 2019 11:04:15 +0200

Changed in apt (Ubuntu Cosmic):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apt - 1.6.11

---------------
apt (1.6.11) bionic; urgency=medium

  * Add test case for local-only packages pinned to never
  * Prevent shutdown while running dpkg (LP: #1820886)
  * Add linux-{buildinfo,image-unsigned,source} versioned kernel pkgs
    (LP: #1821640)

 -- Julian Andres Klode <email address hidden> Tue, 07 May 2019 11:19:29 +0200

Changed in apt (Ubuntu Bionic):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apt - 1.2.32

---------------
apt (1.2.32) xenial; urgency=medium

  * Add test case for local-only packages pinned to never
  * Prevent shutdown while running dpkg (LP: #1820886)
  * Add linux-{buildinfo,image-unsigned,source} versioned kernel pkgs
    (LP: #1821640)

 -- Julian Andres Klode <email address hidden> Tue, 07 May 2019 12:57:03 +0200

Changed in apt (Ubuntu Xenial):
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers