strongswan-starter should conflict with openswan due to shared file /usr/sbin/ipsec

Bug #1755693 reported by Trent Lloyd
This bug affects 1 person
Affects               Status         Importance   Assigned to   Milestone
strongswan (Ubuntu)   Fix Released   Undecided    Unassigned
Trusty                Fix Released   Medium       Trent Lloyd

Bug Description

strongswan-starter and openswan both share the file /usr/sbin/ipsec; however, there is no Conflicts relationship.

$ apt-file search /usr/sbin/ipsec
openswan: /usr/sbin/ipsec
strongswan-starter: /usr/sbin/ipsec

openswan was deprecated in utopic, so trusty installations may wish to migrate to strongswan ahead of a xenial upgrade. In that case, the package upgrade can fail.

This was previously fixed upstream in Debian:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=740808

For apt operation ordering reasons I don't understand, the issue only appears when something else on the system (such as neutron-vpn-agent) depends on (strongswan | openswan). Just installing strongswan and replacing it with openswan or vice versa doesn't cause the issue to trigger.

The Conflicts already exists in xenial through bionic, just not in trusty. So the upload would only be required in trusty.

[Impact]

 * Users are unable to replace openswan with strongswan on trusty systems, where the next major Ubuntu release (xenial) dropped support for openswan completely but strongswan exists on both
 * Only users on trusty are affected, once upgraded to xenial this change is already in place

[Test Case]

On a trusty machine (e.g. lxd)

add-apt-repository cloud-archive:mitaka # the trusty version of neutron-vpn-agent does not have the dependency on openswan causing the bug to trigger
apt update
apt install neutron-vpn-agent openswan # you can answer no to X509 generation
apt install strongswan

[Regression Potential]

 * I don't believe the conflicts introduces a new issue in terms of a conflict that didn't previously exist, since the packages contain a conflicting file and strongswan-starter depends on strongswan-ike which already has a Conflicts in place. So in terms of the dependency tree they already conflicted, but did not prevent this temporary file conflict.

 * Other regression potential would be package rebuild related -- this package has had security uploads as recently as August 2017 so that risk appears reduced

[Other Info]

 * Same change is already in place from xenial onwards, so no SRU uploads other than trusty are required
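
An added example, not part of the bug report or the strongswan packaging: a check for the condition described above, where two packages ship the same path and neither declares Conflicts or Replaces on the other. The package data is a constructed sample based on the report (the `/opt/example/...` paths and the exact field values are assumptions), and `relation_names`, `undeclared_overlaps` and `sample` are hypothetical names.

```python
import re
from itertools import combinations

def relation_names(field):
    """Package names in a Debian relationship field, ignoring version
    constraints, architecture qualifiers and '|' alternatives."""
    names = set()
    for item in re.split(r"[,|]", field or ""):
        item = item.strip()
        if item:
            # "pkg:any (>= 1.0) [amd64]" -> "pkg"
            names.add(re.split(r"[\s(\[:]", item, maxsplit=1)[0])
    return names

def undeclared_overlaps(packages):
    """Return [(pkg_a, pkg_b, shared_files)] for pairs that ship the same
    path while neither side declares Conflicts or Replaces on the other."""
    findings = []
    for a, b in combinations(sorted(packages), 2):
        shared = packages[a]["files"] & packages[b]["files"]
        if not shared:
            continue
        declared = any(
            other in relation_names(packages[pkg].get(field))
            for pkg, other in ((a, b), (b, a))
            for field in ("Conflicts", "Replaces")
        )
        if not declared:
            findings.append((a, b, sorted(shared)))
    return findings

def sample(starter_fields):
    # Constructed sample: regular files only, as apt-file prints them.
    # /usr/sbin/ipsec is from the report; the /opt/example paths and the
    # strongswan-ike Conflicts value are assumptions for illustration.
    return {
        "openswan": {"files": {"/usr/sbin/ipsec", "/opt/example/openswan-only"}},
        "strongswan-ike": {"files": {"/opt/example/ike-only"},
                           "Conflicts": "openswan"},
        "strongswan-starter": {"files": {"/usr/sbin/ipsec"}, **starter_fields},
    }

BEFORE = sample({"Depends": "strongswan-ike"})
AFTER = sample({"Depends": "strongswan-ike", "Conflicts": "openswan"})

if __name__ == "__main__":
    print("before fix:", undeclared_overlaps(BEFORE))
    print("after fix: ", undeclared_overlaps(AFTER))
```

The Conflicts on strongswan-ike does not clear the finding, because the overlapping file belongs to strongswan-starter. The check does not consider Breaks or dpkg diversions.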

Trent Lloyd (lathiat)
Changed in strongswan (Ubuntu):
status: New → Confirmed
Trent Lloyd (lathiat) wrote :

debdiff to fix the issue

tags: added: sts
Trent Lloyd (lathiat)
description: updated
Eric Desrochers (slashd)
Changed in strongswan (Ubuntu Trusty):
assignee: nobody → Trent Lloyd (lathiat)
importance: Undecided → Medium
description: updated
Eric Desrochers (slashd)
Changed in strongswan (Ubuntu Trusty):
status: New → In Progress
Eric Desrochers (slashd) wrote :

Sponsored in Trusty.

It is now waiting for the SRU team to approve the upload to start building in trusty-proposed.

- Eric

Eric Desrochers (slashd)
Changed in strongswan (Ubuntu):
status: Confirmed → Fix Released
Brian Murray (brian-murray) wrote : Please test proposed package

Hello Trent, or anyone else affected,

Accepted strongswan into trusty-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/strongswan/5.1.2-0ubuntu2.8 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-trusty to verification-done-trusty. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-trusty. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in strongswan (Ubuntu Trusty):
status: In Progress → Fix Committed
tags: added: verification-needed verification-needed-trusty
Eric Desrochers (slashd) wrote :

Hi Trent,

Friendly reminder:
Please don't forget to do the verification-done when you have a chance.
As I write this, the package has reached its 28th day in trusty-proposed.

Once verification-done, it'll be eligible for trusty-updates.

- Eric

Eric Desrochers (slashd) wrote :

I have followed the steps in [Test Case] provided by Trent and reproduced them inside a Trusty LXD container.

* I made sure openswan was installed:
ii openswan 1:2.6.38-1 amd64 Internet Key Exchange daemon

* Then installed strongswan as follows:
# apt install strongswan
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following package was automatically installed and is no longer required:
  os-prober
Use 'apt-get autoremove' to remove it.
The following extra packages will be installed:
  libstrongswan strongswan-ike strongswan-plugin-openssl strongswan-starter
Suggested packages:
  strongswan-tnc-imcvs network-manager-strongswan strongswan-plugin-agent
  strongswan-plugin-certexpire strongswan-plugin-coupling
  strongswan-plugin-curl strongswan-plugin-dnscert strongswan-plugin-dnskey
  strongswan-plugin-duplicheck strongswan-plugin-error-notify
  strongswan-plugin-ipseckey strongswan-plugin-ldap strongswan-plugin-led
  strongswan-plugin-lookip strongswan-plugin-ntru strongswan-plugin-pkcs11
  strongswan-plugin-radattr strongswan-plugin-sql strongswan-plugin-soup
  strongswan-plugin-unity strongswan-plugin-whitelist strongswan-tnc-client
  strongswan-tnc-server
The following packages will be REMOVED:
  openswan
The following NEW packages will be installed:
  libstrongswan strongswan strongswan-ike strongswan-plugin-openssl
  strongswan-starter
0 upgraded, 5 newly installed, 1 to remove and 44 not upgraded.
Need to get 3574 kB of archives.
After this operation, 12.5 MB of additional disk space will be used.
Do you want to continue? [Y/n] y
Get:1 http://archive.ubuntu.com/ubuntu/ trusty-proposed/main libstrongswan amd64 5.1.2-0ubuntu2.8 [1449 kB]
Get:2 http://archive.ubuntu.com/ubuntu/ trusty-proposed/main strongswan all 5.1.2-0ubuntu2.8 [29.8 kB]
Get:3 http://archive.ubuntu.com/ubuntu/ trusty-proposed/main strongswan-starter amd64 5.1.2-0ubuntu2.8 [708 kB]
Get:4 http://archive.ubuntu.com/ubuntu/ trusty-proposed/main strongswan-plugin-openssl amd64 5.1.2-0ubuntu2.8 [189 kB]
Get:5 http://archive.ubuntu.com/ubuntu/ trusty-proposed/main strongswan-ike amd64 5.1.2-0ubuntu2.8 [1199 kB]
Fetched 3574 kB in 2s (1273 kB/s)
Preconfiguring packages ...
Selecting previously unselected package libstrongswan.
(Reading database ... 42962 files and directories currently installed.)
Preparing to unpack .../libstrongswan_5.1.2-0ubuntu2.8_amd64.deb ...
Unpacking libstrongswan (5.1.2-0ubuntu2.8) ...
Selecting previously unselected package strongswan.
Preparing to unpack .../strongswan_5.1.2-0ubuntu2.8_all.deb ...
Unpacking strongswan (5.1.2-0ubuntu2.8) ...
dpkg: openswan: dependency problems, but removing anyway as you requested:
 neutron-vpn-agent depends on strongswan (>= 5.1) | openswan; however:
  Package strongswan is not configured yet.
  Package openswan is to be removed.
(Reading database ... 43088 files and directories currently installed.)
Removing openswan (1:2.6.38-1) ...
ipsec_setup: Stopping Openswan IPsec...
ipsec_setup: stop ordered, but IPsec appears to be already stopped!
ipsec_setup: doing cleanup anyway...
Processing triggers for man-db (2.6.7.1-1ubuntu1) ...
Select...


tags: added: verification-done-trusty
removed: verification-needed-trusty
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package strongswan - 5.1.2-0ubuntu2.8

---------------
strongswan (5.1.2-0ubuntu2.8) trusty; urgency=medium

  * d/control: Add Conflicts from strongswan-starter to openswan to
    avoid file conflict on upgrade. (LP: #1755693)

 -- Trent Lloyd <email address hidden> Wed, 14 Mar 2018 14:50:05 +0800

Changed in strongswan (Ubuntu Trusty):
status: Fix Committed → Fix Released
Chris Halse Rogers (raof) wrote : Update Released

The verification of the Stable Release Update for strongswan has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.
