"oom" change in 1:5.3p1-3ubuntu5 causes "operation not permitted"
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
openssh (Ubuntu) | Invalid | Medium | Unassigned |
Bug Description
WHAT RECENTLY CHANGED
Recently, a security update was pushed out for the openssh-server package.
The package changes:
-openssh-client 1:5.3p1-3ubuntu4
-openssh-server 1:5.3p1-3ubuntu4
-openssl 0.9.8k-7ubuntu8.4
+openssh-client 1:5.3p1-3ubuntu5
+openssh-server 1:5.3p1-3ubuntu5
+openssl 0.9.8k-7ubuntu8.5
The upgrade makes a change to the /etc/init/ssh.conf file:
$ diff before/
10d9
< expect fork
15c14
< #oom never
---
> oom never
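Review bot: `oom never` at 15c14 becomes active with no fallback for guests that are not allowed to change their OOM adjustment, and the syslog entry later in this report shows init refusing to spawn the job for exactly that reason. A comment next to the stanza saying that container guests need it left commented out would let an admin answer the conffile prompt correctly.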
27c26
< exec /usr/sbin/sshd
---
> exec /usr/sbin/sshd -D
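Review bot: the `-D` added at 27c26 only works together with the removal of `expect fork` at 10d9, but nothing in the file says so. Anyone hand-merging after the "keep my changes" prompt can end up with one half of the pair, so a one-line comment above `exec /usr/sbin/sshd -D` noting that it must not be combined with `expect fork` is worth adding.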
THE PROBLEM
I have a virtual machine at Tektonic.net. This service is a Virtuozzo VM. After upgrading to the new 1:5.3p1-3ubuntu5 package, I could no longer SSH into the VM. I rebooted the machine, and SSH never allowed a connection ("connection refused").
I found this in my /var/log/syslog. The timestamp corresponds to when I did the upgrade (and I forget whether I manually did a "service ssh restart").
Jan 23 16:04:23 satu init: ssh main process (32282) terminated with status 255
Jan 23 16:04:23 satu init: Failed to spawn ssh pre-start process: unable to set oom adjustment: Operation not permitted
WORK-AROUND
I booted the VM in "recovery mode", which allows me to directly modify the files on the VM's disk image. I reverted the /etc/init/ssh.conf to the way it was in version 1:5.3p1-3ubuntu4 (removing the "-D" and the "oom never" and adding back the "expect fork"). When I rebooted, the machine came up normally and I was able to SSH in again.
SYSTEM INFORMATION
I know that Virtuozzo machines are a little different than normal machines... they are more like a "chroot jail" than a normal machine. And I am not sure if those differences are what caused SSH to not respond. But I have installed the same upgrade on native machines and on Xen VMs with no problems.
If you need more information about this Virtuozzo VM, I am happy to provide details.
$ lsb_release -rd
Description: Ubuntu 10.04.1 LTS
Release: 10.04
$ apt-cache policy openssh-server
openssh-server:
Installed: 1:5.3p1-3ubuntu5
Candidate: 1:5.3p1-3ubuntu5
Version table:
*** 1:5.3p1-3ubuntu5 0
500 http://
100 /var/lib/
1:
500 http://
Changed in openssh (Ubuntu): | |
status: | New → Opinion |
importance: | Undecided → Medium |
Looking a little deeper, it looks like OpenSSH has had this "oom never" line ever since Ubuntu 10.04 came out, and that Virtuozzo containers have had to modify this file all along. I never saw it before because my Virtuozzo provider had a pristine 10.04 image that they deployed -- I assume, with the "oom never" line commented out. So this was the first time that the package had been upgraded on my system, and it asked me if I wanted to "keep my changes" or "install the package maintainer's version".
So maybe this is not so much of a bug in OpenSSH as it is a quirk in Virtuozzo (that I did not know about at the time of upgrade). Not knowing what this "oom never" option is all about, I cannot make that call.
Alan Porter
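
A pre-flight check for the situation in this report, as an added example that is not part of the original bug report or of the openssh package: run against an Upstart job file before restarting ssh, it reports an active `oom` stanza, checks that `expect fork` and `-D` are paired the way both versions of the file above pair them, and probes whether the environment lets a process lower its OOM adjustment. Function names are hypothetical; the probe assumes the kernel exposes `/proc/self/oom_adj` and that `oom never` requests the value -17.

```shell
#!/bin/sh
# Added example; function names are hypothetical, stanzas are those in the report.

# Print the value of an active (uncommented) "oom" stanza, if any.
active_oom() {
    sed -n 's/^[[:space:]]*oom[[:space:]]\{1,\}\([^[:space:]#]\{1,\}\).*/\1/p' "$1" |
        head -n 1
}

# Succeed if the job declares "expect fork".
has_expect_fork() {
    grep -Eq '^[[:space:]]*expect[[:space:]]+fork([[:space:]]|$)' "$1"
}

# Succeed if the exec line keeps sshd in the foreground (-D).
runs_foreground() {
    grep -Eq '^[[:space:]]*exec[[:space:]].*sshd.*[[:space:]]-D([[:space:]]|$)' "$1"
}

# Probe whether a process here may lower its own OOM adjustment.
# Assumptions: /proc/self/oom_adj exists and -17 is what "oom never" requests.
# A missing file also fails the probe, so treat failure as "check by hand".
can_lower_oom() {
    sh -c 'echo -17 > /proc/self/oom_adj' 2>/dev/null
}

# Print one finding per line for a job file, or "ok" if nothing stands out.
check_job() {
    flagged=no
    oom=$(active_oom "$1")
    if [ -n "$oom" ]; then
        echo "oom-active:$oom"; flagged=yes
    fi
    if has_expect_fork "$1" && runs_foreground "$1"; then
        echo "mismatch:expect-fork-with-D"; flagged=yes
    elif ! has_expect_fork "$1" && ! runs_foreground "$1"; then
        echo "mismatch:no-expect-without-D"; flagged=yes
    fi
    if [ "$flagged" = no ]; then echo ok; fi
}

# Usage: sh check.sh /etc/init/ssh.conf
if [ $# -gt 0 ]; then
    check_job "$1"
    if ! can_lower_oom; then echo "oom-probe:failed"; fi
fi
```

An `oom-active` finding together with a failed probe is the combination that produced the "unable to set oom adjustment" error in the syslog excerpt above.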