noble: needrestart triggering SIGTERM of cloud-final.service preventing apt packages from being installed when cloud-init is also being upgraded
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
cloud-init (Ubuntu) | Invalid | Undecided | Unassigned |
Noble | Won't Fix | Undecided | Unassigned |
needrestart (Ubuntu) | Fix Released | Undecided | Unassigned |
Noble | Fix Released | Undecided | Unassigned |
Bug Description
Recent downstream ubuntu-specific changes in needrestart version 3.6-7ubuntu1 [1] set Ubuntu into autorestart mode when non-interactive apt-get dist-upgrade is being performed.
This causes an acute issue for cloud-init when #cloud-config user-data tries to perform apt-get dist-upgrade and package installs via user-data[2] like the following:
```yaml
#cloud-config
package_update: true
package_upgrade: true
packages: [sl]
```
Since cloud-init runs apt-get dist-upgrade in cloud-final.service in non-interactive mode, Ubuntu's behavior looks to set the default "opt_r" mode to "a" (automatic). This causes problems when cloud-init package is also being upgraded by dist-upgrade as needrestart will collect the currently running cloud-final.service and determine it is a target for automatic restart.
The immediate SIGTERM of cloud-final.service prevents cloud-init from completing any of the remaining config modules in the cloud-final boot stage, notably, the additional package installs requested by the `packages:` directive in user data.
Given that cloud-final.service is a oneshot service that can spawn apt-get dist-upgrade, I'd propose that minimally Ubuntu initially carries a downstream patch to skip automated restart of cloud-final.
References:
[1] Ubuntu needrestart setting automatic restart mode when non-interactive on Ubuntu https:/
[2] Upstream cloud-init bug: cloud-final.service getting sigterm before installing packages https:/
[3] downstream packaging proposal: https:/
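An added example (not from the bug report, cloud-init or needrestart): a check for the symptom described above, where the final stage receives SIGTERM while a config module is still open, so later steps such as the `packages:` install never run. The log line layout and both sample logs are constructed assumptions modelled on cloud-init's log, and `audit_final_stage` is a hypothetical name.

```python
import re

# Constructed samples in the assumed style of /var/log/cloud-init.log.
# They are illustrative only and were not taken from the bug report.
INTERRUPTED_LOG = """\
2024-01-01 12:00:01,100 - handlers.py[DEBUG]: start: modules-final/config-package_update_upgrade_install: running config-package_update_upgrade_install with frequency once-per-instance
2024-01-01 12:00:02,200 - subp.py[DEBUG]: Running command ['apt-get', '--quiet', 'dist-upgrade'] with allowed return codes [0]
2024-01-01 12:01:10,300 - util.py[DEBUG]: Cloud-init <version> received SIGTERM, exiting...
"""

HEALTHY_LOG = """\
2024-01-01 12:00:01,100 - handlers.py[DEBUG]: start: modules-final/config-package_update_upgrade_install: running config-package_update_upgrade_install with frequency once-per-instance
2024-01-01 12:01:30,400 - handlers.py[DEBUG]: finish: modules-final/config-package_update_upgrade_install: SUCCESS: config-package_update_upgrade_install ran successfully
2024-01-01 12:01:30,500 - handlers.py[DEBUG]: start: modules-final/config-scripts_user: running config-scripts_user with frequency once-per-instance
2024-01-01 12:01:30,900 - handlers.py[DEBUG]: finish: modules-final/config-scripts_user: SUCCESS: config-scripts_user ran successfully
"""

START = re.compile(r"\bstart: modules-final/config-([\w-]+):")
FINISH = re.compile(r"\bfinish: modules-final/config-([\w-]+): \w+")
SIGTERM = re.compile(r"received SIGTERM")


def audit_final_stage(log_text):
    """Return (sigterm_seen, modules that started but never finished).

    Assumes the text covers a single boot; a log spanning several boots
    should be split per boot before it is passed in.
    """
    open_modules = []
    sigterm_seen = False
    for line in log_text.splitlines():
        if m := START.search(line):
            open_modules.append(m.group(1))
        elif m := FINISH.search(line):
            # A finish event closes the matching start event.
            if m.group(1) in open_modules:
                open_modules.remove(m.group(1))
        elif SIGTERM.search(line):
            sigterm_seen = True
    return sigterm_seen, open_modules


if __name__ == "__main__":
    for name, log in (("interrupted", INTERRUPTED_LOG), ("healthy", HEALTHY_LOG)):
        killed, unfinished = audit_final_stage(log)
        print(f"{name}: sigterm={killed} unfinished={unfinished}")
```

A result of SIGTERM seen with `package_update_upgrade_install` still open matches the failure in this report; any module that would have run after it in the final stage has no start event at all.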
Related branches
- Athos Ribeiro (community): Approve
- Brett Holman (community): Approve
- Simon Chopin: Pending requested
Diff: 59 lines (+37/-0), 3 files modified:
- debian/changelog (+8/-0)
- debian/patches/series (+1/-0)
- debian/patches/ubuntu-avoid-restart-cloud-final.patch (+28/-0)
tags: added: foundations-todo
description: updated
Changed in cloud-init (Ubuntu): status: Confirmed → Invalid
I believe the patch referenced above causes other bad behaviors.
Specifically, it causes systemd-networkd to be restarted without any sort of prompt whenever a library it links with receives a security update. In my experience restarting systemd-networkd can break active WireGuard tunnels and can cause chronyd to stop polling IPv6 servers.
I think the change at issue is adding the flags "-m u" to apt-pinvoke in /etc/apt/apt.conf.d/99needrestart, which also means needrestart now ignores a setting of "NEEDRESTART_MODE=l" in the environment when run from apt.
I've started to add systemd-networkd to my needrestart ignore list, but perhaps that should be a default setting, as it is for NetworkManager.
I'm testing with Noble in a LXD VM with an image from the ubuntu-daily repository.
Thanks.