update-manager doesn't prevent restart of slapd on system using ldap auth, resulting in hung update

Bug #572105 reported by Craig Ringer on 2010-04-30
8
This bug affects 1 person
Affects Status Importance Assigned to Milestone
libpam-ldap (Ubuntu)
Medium
Unassigned
openldap (Ubuntu)
Medium
Unassigned
update-manager (Ubuntu)
Medium
Unassigned

Bug Description

Binary package hint: update-manager

The following version info is from AFTER the upgrade:

root@access:~# lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 10.04 LTS
Release: 10.04
Codename: lucid

At several points during an upgrade from Ubuntu karmic to lucid, many services are restarted. Unfortunately, update-manager appears to make no effort to protect services currently required for core system functionality from being stopped, and it can hang at these points until those services are manually restarted by the admin.

In my case, the problem service is slapd, because the system being upgraded is the LDAP master and it uses libpam-ldap and libnss-ldap (via the ldap-auth-client package) to do local authentication. If slapd is stopped, things tend to go very pear-shaped very fast with long timeouts and/or failures on system calls involving the nss subsystem.

The same issue probably arises with other authentication mechanisms that rely on daemons that may be running locally.

I noticed the upgrade "hang" after udev was updated and after libstdc++ was upgraded. In both cases ssh became non-responsive as did most other things. I had a local root console already open for just this situation, so I was able to restart slapd and get on with the install, but if I hand't been things could've been rather problematic

I'm sure there are other packages that may restart things at inopportune times, or stop them and expect something else to start them well down the track rather than restarting them on the spot.

One possible solution to this is to give the nss-ldap and nss-pam packages a way to protect slapd from being stopped during package installation, so it's only restarted momentarily at the end of the upgrade and when it its self is upgraded.

Alternately, disabling ldap etc auth via nssswitch.conf during the upgrade would work. update-manager would need to make sure that the core system users and groups were still in /etc/passwd and /etc/group though, as if the admin's moved them to the external auth source then disabling that auth source would not go well.

More package info:

root@access:~# apt-cache policy libpam-ldap libnss-ldap slapd ldap-auth-config ldap-auth-client update-manager update-manager-core
libpam-ldap:
  Installed: 184-8ubuntu1
  Candidate: 184-8.2ubuntu1
  Version table:
     184-8.2ubuntu1 0
        500 http://ftp.iinet.net.au/pub/ubuntu/ lucid/main Packages
        500 http://au.archive.ubuntu.com/ubuntu/ lucid/main Packages
 *** 184-8ubuntu1 0
        100 /var/lib/dpkg/status
libnss-ldap:
  Installed: 261-2.1ubuntu4
  Candidate: 264-2ubuntu2
  Version table:
     264-2ubuntu2 0
        500 http://ftp.iinet.net.au/pub/ubuntu/ lucid/main Packages
        500 http://au.archive.ubuntu.com/ubuntu/ lucid/main Packages
 *** 261-2.1ubuntu4 0
        100 /var/lib/dpkg/status
slapd:
  Installed: 2.4.21-0ubuntu5
  Candidate: 2.4.21-0ubuntu5
  Version table:
 *** 2.4.21-0ubuntu5 0
        500 http://ftp.iinet.net.au/pub/ubuntu/ lucid/main Packages
        500 http://au.archive.ubuntu.com/ubuntu/ lucid/main Packages
        100 /var/lib/dpkg/status
ldap-auth-config:
  Installed: 0.5.2
  Candidate: 0.5.2
  Version table:
 *** 0.5.2 0
        500 http://ftp.iinet.net.au/pub/ubuntu/ lucid/main Packages
        500 http://au.archive.ubuntu.com/ubuntu/ lucid/main Packages
        100 /var/lib/dpkg/status
ldap-auth-client:
  Installed: 0.5.2
  Candidate: 0.5.2
  Version table:
 *** 0.5.2 0
        500 http://ftp.iinet.net.au/pub/ubuntu/ lucid/main Packages
        500 http://au.archive.ubuntu.com/ubuntu/ lucid/main Packages
        100 /var/lib/dpkg/status
update-manager:
  Installed: (none)
  Candidate: 1:0.134.7
  Version table:
     1:0.134.7 0
        500 http://ftp.iinet.net.au/pub/ubuntu/ lucid/main Packages
        500 http://au.archive.ubuntu.com/ubuntu/ lucid/main Packages
update-manager-core:
  Installed: 1:0.126.9
  Candidate: 1:0.134.7
  Version table:
     1:0.134.7 0
        500 http://ftp.iinet.net.au/pub/ubuntu/ lucid/main Packages
        500 http://au.archive.ubuntu.com/ubuntu/ lucid/main Packages
 *** 1:0.126.9 0
        100 /var/lib/dpkg/status

Michael Vogt (mvo) on 2010-04-30
Changed in update-manager (Ubuntu):
status: New → Confirmed
importance: Undecided → Medium
Chuck Short (zulcss) on 2010-05-05
Changed in libpam-ldap (Ubuntu):
importance: Undecided → Medium
status: New → Confirmed
Changed in openldap (Ubuntu):
importance: Undecided → Medium
status: New → Confirmed
Craig Ringer (ringerc) wrote :

This issue is closely related to issue 356256.

Craig Ringer (ringerc) wrote :

... which is https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/356256, since LP didn't feel like auto-linking it.

To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers