| 2024-04-16 18:53:07 |
Stefan Hammer |
bug |
|
|
added bug |
| 2024-04-16 18:57:47 |
Brian Murray |
nominated for series |
|
Ubuntu Noble |
|
| 2024-04-16 18:57:47 |
Brian Murray |
bug task added |
|
ubuntu-release-upgrader (Ubuntu Noble) |
|
| 2024-04-16 18:57:53 |
Brian Murray |
ubuntu-release-upgrader (Ubuntu Noble): milestone |
|
ubuntu-24.04 |
|
| 2024-04-16 18:58:21 |
Brian Murray |
bug task added |
|
ubuntu-release-notes |
|
| 2024-04-17 13:58:38 |
Fabio Augusto Miranda Martins |
bug |
|
|
added subscriber Fabio Augusto Miranda Martins |
| 2024-04-17 16:19:28 |
Brian Murray |
ubuntu-release-upgrader (Ubuntu Noble): status |
New |
Triaged |
|
| 2024-04-17 19:28:45 |
Nick Rosbrook |
ubuntu-release-upgrader (Ubuntu Noble): status |
Triaged |
In Progress |
|
| 2024-04-17 19:28:48 |
Nick Rosbrook |
ubuntu-release-upgrader (Ubuntu Noble): assignee |
|
Nick Rosbrook (enr0n) |
|
| 2024-04-19 02:34:37 |
Launchpad Janitor |
ubuntu-release-upgrader (Ubuntu Noble): status |
In Progress |
Fix Released |
|
| 2024-04-22 19:48:30 |
Launchpad Janitor |
merge proposal linked |
|
https://code.launchpad.net/~enr0n/ubuntu-release-upgrader/+git/ubuntu-release-upgrader/+merge/464775 |
|
| 2024-04-23 19:25:16 |
Nick Rosbrook |
ubuntu-release-upgrader (Ubuntu Noble): status |
Fix Released |
In Progress |
|
| 2024-04-29 10:42:46 |
Launchpad Janitor |
merge proposal linked |
|
https://code.launchpad.net/~juliank/ubuntu/+source/ubuntu-release-upgrader/+git/ubuntu-release-upgrader/+merge/465146 |
|
| 2024-04-29 14:49:49 |
Julian Andres Klode |
description |
Upgrade from Jammy to Noble breaks iptables-persistent and netfilter-persistent firewall configuration if ufw is also installed pre-upgrade.
from /var/log/dist-upgrade/apt.log:
Broken ufw:amd64 Breaks on iptables-persistent:amd64 < 1.0.16 -> 1.0.20 @ii umU >
Considering iptables-persistent:amd64 -1 as a solution to ufw:amd64 5
Added iptables-persistent:amd64 to the remove list
Conflicts//Breaks against version 1.0.16 for iptables-persistent but that is not InstVer, ignoring
Broken ufw:amd64 Breaks on netfilter-persistent:amd64 < 1.0.16 -> 1.0.20 @ii umU >
Considering netfilter-persistent:amd64 0 as a solution to ufw:amd64 5
Added netfilter-persistent:amd64 to the remove list
Conflicts//Breaks against version 1.0.16 for netfilter-persistent but that is not InstVer, ignoring
MarkDelete iptables-persistent:amd64 < 1.0.16 -> 1.0.20 @ii umU > FU=0
Fixing ufw:amd64 via remove of iptables-persistent:amd64
MarkDelete netfilter-persistent:amd64 < 1.0.16 -> 1.0.20 @ii umU > FU=0
Fixing ufw:amd64 via remove of netfilter-persistent:amd64
ufw 0.36.2-1 add the breaks
$ apt show ufw
Package: ufw
Version: 0.36.2-6
Priority: standard
Section: admin
Origin: Ubuntu
Maintainer: Jamie Strandboge <jdstrand@ubuntu.com>
Bugs: https://bugs.launchpad.net/ubuntu/+filebug
Installed-Size: 869 kB
Depends: iptables, ucf, python3:any, debconf (>= 0.5) | debconf-2.0
Suggests: rsyslog
Breaks: iptables-persistent, netfilter-persistent
Homepage: https://launchpad.net/ufw
Task: standard
Download-Size: 169 kB
APT-Manual-Installed: no
APT-Sources: http://phx-ad-3.clouds.archive.ubuntu.com/ubuntu noble/main amd64 Packages
Description: program for managing a Netfilter firewall
The Uncomplicated FireWall is a front-end for iptables, to make managing a
Netfilter firewall easier. It provides a command line interface with syntax
similar to OpenBSD's Packet Filter. It is particularly well-suited as a
host-based firewall.
Post do-release-upgrade, iptables-persistent and netfilter-persistent are removed, which breaks any machines that relied on their configuration. |
[Impact]
Upgrade from Jammy to Noble breaks iptables-persistent and netfilter-persistent firewall configuration if ufw is also installed pre-upgrade.
[Test plan]
persistent and netfilter-persistent should remain installed, and ufw removed to preserve user config.
[Where problems could occur]
There may be ufw reverse dependencies that could get removed.
[Original bug report]
from /var/log/dist-upgrade/apt.log:
Broken ufw:amd64 Breaks on iptables-persistent:amd64 < 1.0.16 -> 1.0.20 @ii umU >
Considering iptables-persistent:amd64 -1 as a solution to ufw:amd64 5
Added iptables-persistent:amd64 to the remove list
Conflicts//Breaks against version 1.0.16 for iptables-persistent but that is not InstVer, ignoring
Broken ufw:amd64 Breaks on netfilter-persistent:amd64 < 1.0.16 -> 1.0.20 @ii umU >
Considering netfilter-persistent:amd64 0 as a solution to ufw:amd64 5
Added netfilter-persistent:amd64 to the remove list
Conflicts//Breaks against version 1.0.16 for netfilter-persistent but that is not InstVer, ignoring
MarkDelete iptables-persistent:amd64 < 1.0.16 -> 1.0.20 @ii umU > FU=0
Fixing ufw:amd64 via remove of iptables-persistent:amd64
MarkDelete netfilter-persistent:amd64 < 1.0.16 -> 1.0.20 @ii umU > FU=0
Fixing ufw:amd64 via remove of netfilter-persistent:amd64
ufw 0.36.2-1 add the breaks
$ apt show ufw
Package: ufw
Version: 0.36.2-6
Priority: standard
Section: admin
Origin: Ubuntu
Maintainer: Jamie Strandboge <jdstrand@ubuntu.com>
Bugs: https://bugs.launchpad.net/ubuntu/+filebug
Installed-Size: 869 kB
Depends: iptables, ucf, python3:any, debconf (>= 0.5) | debconf-2.0
Suggests: rsyslog
Breaks: iptables-persistent, netfilter-persistent
Homepage: https://launchpad.net/ufw
Task: standard
Download-Size: 169 kB
APT-Manual-Installed: no
APT-Sources: http://phx-ad-3.clouds.archive.ubuntu.com/ubuntu noble/main amd64 Packages
Description: program for managing a Netfilter firewall
The Uncomplicated FireWall is a front-end for iptables, to make managing a
Netfilter firewall easier. It provides a command line interface with syntax
similar to OpenBSD's Packet Filter. It is particularly well-suited as a
host-based firewall.
Post do-release-upgrade, iptables-persistent and netfilter-persistent are removed, which breaks any machines that relied on their configuration. |
|
| 2024-04-29 14:50:33 |
Julian Andres Klode |
description |
[Impact]
Upgrade from Jammy to Noble breaks iptables-persistent and netfilter-persistent firewall configuration if ufw is also installed pre-upgrade.
[Test plan]
persistent and netfilter-persistent should remain installed, and ufw removed to preserve user config.
[Where problems could occur]
There may be ufw reverse dependencies that could get removed.
[Original bug report]
from /var/log/dist-upgrade/apt.log:
Broken ufw:amd64 Breaks on iptables-persistent:amd64 < 1.0.16 -> 1.0.20 @ii umU >
Considering iptables-persistent:amd64 -1 as a solution to ufw:amd64 5
Added iptables-persistent:amd64 to the remove list
Conflicts//Breaks against version 1.0.16 for iptables-persistent but that is not InstVer, ignoring
Broken ufw:amd64 Breaks on netfilter-persistent:amd64 < 1.0.16 -> 1.0.20 @ii umU >
Considering netfilter-persistent:amd64 0 as a solution to ufw:amd64 5
Added netfilter-persistent:amd64 to the remove list
Conflicts//Breaks against version 1.0.16 for netfilter-persistent but that is not InstVer, ignoring
MarkDelete iptables-persistent:amd64 < 1.0.16 -> 1.0.20 @ii umU > FU=0
Fixing ufw:amd64 via remove of iptables-persistent:amd64
MarkDelete netfilter-persistent:amd64 < 1.0.16 -> 1.0.20 @ii umU > FU=0
Fixing ufw:amd64 via remove of netfilter-persistent:amd64
ufw 0.36.2-1 add the breaks
$ apt show ufw
Package: ufw
Version: 0.36.2-6
Priority: standard
Section: admin
Origin: Ubuntu
Maintainer: Jamie Strandboge <jdstrand@ubuntu.com>
Bugs: https://bugs.launchpad.net/ubuntu/+filebug
Installed-Size: 869 kB
Depends: iptables, ucf, python3:any, debconf (>= 0.5) | debconf-2.0
Suggests: rsyslog
Breaks: iptables-persistent, netfilter-persistent
Homepage: https://launchpad.net/ufw
Task: standard
Download-Size: 169 kB
APT-Manual-Installed: no
APT-Sources: http://phx-ad-3.clouds.archive.ubuntu.com/ubuntu noble/main amd64 Packages
Description: program for managing a Netfilter firewall
The Uncomplicated FireWall is a front-end for iptables, to make managing a
Netfilter firewall easier. It provides a command line interface with syntax
similar to OpenBSD's Packet Filter. It is particularly well-suited as a
host-based firewall.
Post do-release-upgrade, iptables-persistent and netfilter-persistent are removed, which breaks any machines that relied on their configuration. |
[Impact]
Upgrade from Jammy to Noble breaks iptables-persistent and netfilter-persistent firewall configuration if ufw is also installed pre-upgrade., removing them.
ufw and -persistent packages both manage the firewall, hence they conflict but they accidentally had no conflicts in jammy.
[Test plan]
persistent and netfilter-persistent should remain installed, and ufw removed to preserve user config.
[Where problems could occur]
There may be ufw reverse dependencies that could get removed.
[Original bug report]
from /var/log/dist-upgrade/apt.log:
Broken ufw:amd64 Breaks on iptables-persistent:amd64 < 1.0.16 -> 1.0.20 @ii umU >
Considering iptables-persistent:amd64 -1 as a solution to ufw:amd64 5
Added iptables-persistent:amd64 to the remove list
Conflicts//Breaks against version 1.0.16 for iptables-persistent but that is not InstVer, ignoring
Broken ufw:amd64 Breaks on netfilter-persistent:amd64 < 1.0.16 -> 1.0.20 @ii umU >
Considering netfilter-persistent:amd64 0 as a solution to ufw:amd64 5
Added netfilter-persistent:amd64 to the remove list
Conflicts//Breaks against version 1.0.16 for netfilter-persistent but that is not InstVer, ignoring
MarkDelete iptables-persistent:amd64 < 1.0.16 -> 1.0.20 @ii umU > FU=0
Fixing ufw:amd64 via remove of iptables-persistent:amd64
MarkDelete netfilter-persistent:amd64 < 1.0.16 -> 1.0.20 @ii umU > FU=0
Fixing ufw:amd64 via remove of netfilter-persistent:amd64
ufw 0.36.2-1 add the breaks
$ apt show ufw
Package: ufw
Version: 0.36.2-6
Priority: standard
Section: admin
Origin: Ubuntu
Maintainer: Jamie Strandboge <jdstrand@ubuntu.com>
Bugs: https://bugs.launchpad.net/ubuntu/+filebug
Installed-Size: 869 kB
Depends: iptables, ucf, python3:any, debconf (>= 0.5) | debconf-2.0
Suggests: rsyslog
Breaks: iptables-persistent, netfilter-persistent
Homepage: https://launchpad.net/ufw
Task: standard
Download-Size: 169 kB
APT-Manual-Installed: no
APT-Sources: http://phx-ad-3.clouds.archive.ubuntu.com/ubuntu noble/main amd64 Packages
Description: program for managing a Netfilter firewall
The Uncomplicated FireWall is a front-end for iptables, to make managing a
Netfilter firewall easier. It provides a command line interface with syntax
similar to OpenBSD's Packet Filter. It is particularly well-suited as a
host-based firewall.
Post do-release-upgrade, iptables-persistent and netfilter-persistent are removed, which breaks any machines that relied on their configuration. |
|
| 2024-04-29 14:51:54 |
Julian Andres Klode |
description |
[Impact]
Upgrade from Jammy to Noble breaks iptables-persistent and netfilter-persistent firewall configuration if ufw is also installed pre-upgrade., removing them.
ufw and -persistent packages both manage the firewall, hence they conflict but they accidentally had no conflicts in jammy.
[Test plan]
persistent and netfilter-persistent should remain installed, and ufw removed to preserve user config.
[Where problems could occur]
There may be ufw reverse dependencies that could get removed.
[Original bug report]
from /var/log/dist-upgrade/apt.log:
Broken ufw:amd64 Breaks on iptables-persistent:amd64 < 1.0.16 -> 1.0.20 @ii umU >
Considering iptables-persistent:amd64 -1 as a solution to ufw:amd64 5
Added iptables-persistent:amd64 to the remove list
Conflicts//Breaks against version 1.0.16 for iptables-persistent but that is not InstVer, ignoring
Broken ufw:amd64 Breaks on netfilter-persistent:amd64 < 1.0.16 -> 1.0.20 @ii umU >
Considering netfilter-persistent:amd64 0 as a solution to ufw:amd64 5
Added netfilter-persistent:amd64 to the remove list
Conflicts//Breaks against version 1.0.16 for netfilter-persistent but that is not InstVer, ignoring
MarkDelete iptables-persistent:amd64 < 1.0.16 -> 1.0.20 @ii umU > FU=0
Fixing ufw:amd64 via remove of iptables-persistent:amd64
MarkDelete netfilter-persistent:amd64 < 1.0.16 -> 1.0.20 @ii umU > FU=0
Fixing ufw:amd64 via remove of netfilter-persistent:amd64
ufw 0.36.2-1 add the breaks
$ apt show ufw
Package: ufw
Version: 0.36.2-6
Priority: standard
Section: admin
Origin: Ubuntu
Maintainer: Jamie Strandboge <jdstrand@ubuntu.com>
Bugs: https://bugs.launchpad.net/ubuntu/+filebug
Installed-Size: 869 kB
Depends: iptables, ucf, python3:any, debconf (>= 0.5) | debconf-2.0
Suggests: rsyslog
Breaks: iptables-persistent, netfilter-persistent
Homepage: https://launchpad.net/ufw
Task: standard
Download-Size: 169 kB
APT-Manual-Installed: no
APT-Sources: http://phx-ad-3.clouds.archive.ubuntu.com/ubuntu noble/main amd64 Packages
Description: program for managing a Netfilter firewall
The Uncomplicated FireWall is a front-end for iptables, to make managing a
Netfilter firewall easier. It provides a command line interface with syntax
similar to OpenBSD's Packet Filter. It is particularly well-suited as a
host-based firewall.
Post do-release-upgrade, iptables-persistent and netfilter-persistent are removed, which breaks any machines that relied on their configuration. |
[Impact]
ufw and -persistent packages both manage the firewall, hence they conflict but they accidentally had no conflicts in jammy. If both are installed, persistent packages will store and restore firewall configuration, so ufw cannot really be used.
Noble adds a conflicts from ufw to the persistent packages, but we end up removing the persistent packages rather than the ufw which is wrong - they are in charge.
[Test plan]
persistent and netfilter-persistent should remain installed, and ufw removed to preserve user config.
[Where problems could occur]
There may be ufw reverse dependencies that could get removed.
[Original bug report]
Upgrade from Jammy to Noble breaks iptables-persistent and netfilter-persistent firewall configuration if ufw is also installed pre-upgrade., removing them.
from /var/log/dist-upgrade/apt.log:
Broken ufw:amd64 Breaks on iptables-persistent:amd64 < 1.0.16 -> 1.0.20 @ii umU >
Considering iptables-persistent:amd64 -1 as a solution to ufw:amd64 5
Added iptables-persistent:amd64 to the remove list
Conflicts//Breaks against version 1.0.16 for iptables-persistent but that is not InstVer, ignoring
Broken ufw:amd64 Breaks on netfilter-persistent:amd64 < 1.0.16 -> 1.0.20 @ii umU >
Considering netfilter-persistent:amd64 0 as a solution to ufw:amd64 5
Added netfilter-persistent:amd64 to the remove list
Conflicts//Breaks against version 1.0.16 for netfilter-persistent but that is not InstVer, ignoring
MarkDelete iptables-persistent:amd64 < 1.0.16 -> 1.0.20 @ii umU > FU=0
Fixing ufw:amd64 via remove of iptables-persistent:amd64
MarkDelete netfilter-persistent:amd64 < 1.0.16 -> 1.0.20 @ii umU > FU=0
Fixing ufw:amd64 via remove of netfilter-persistent:amd64
ufw 0.36.2-1 add the breaks
$ apt show ufw
Package: ufw
Version: 0.36.2-6
Priority: standard
Section: admin
Origin: Ubuntu
Maintainer: Jamie Strandboge <jdstrand@ubuntu.com>
Bugs: https://bugs.launchpad.net/ubuntu/+filebug
Installed-Size: 869 kB
Depends: iptables, ucf, python3:any, debconf (>= 0.5) | debconf-2.0
Suggests: rsyslog
Breaks: iptables-persistent, netfilter-persistent
Homepage: https://launchpad.net/ufw
Task: standard
Download-Size: 169 kB
APT-Manual-Installed: no
APT-Sources: http://phx-ad-3.clouds.archive.ubuntu.com/ubuntu noble/main amd64 Packages
Description: program for managing a Netfilter firewall
The Uncomplicated FireWall is a front-end for iptables, to make managing a
Netfilter firewall easier. It provides a command line interface with syntax
similar to OpenBSD's Packet Filter. It is particularly well-suited as a
host-based firewall.
Post do-release-upgrade, iptables-persistent and netfilter-persistent are removed, which breaks any machines that relied on their configuration. |
|
| 2024-04-29 15:13:32 |
Nick Rosbrook |
description |
[Impact]
ufw and -persistent packages both manage the firewall, hence they conflict but they accidentally had no conflicts in jammy. If both are installed, persistent packages will store and restore firewall configuration, so ufw cannot really be used.
Noble adds a conflicts from ufw to the persistent packages, but we end up removing the persistent packages rather than the ufw which is wrong - they are in charge.
[Test plan]
persistent and netfilter-persistent should remain installed, and ufw removed to preserve user config.
[Where problems could occur]
There may be ufw reverse dependencies that could get removed.
[Original bug report]
Upgrade from Jammy to Noble breaks iptables-persistent and netfilter-persistent firewall configuration if ufw is also installed pre-upgrade., removing them.
from /var/log/dist-upgrade/apt.log:
Broken ufw:amd64 Breaks on iptables-persistent:amd64 < 1.0.16 -> 1.0.20 @ii umU >
Considering iptables-persistent:amd64 -1 as a solution to ufw:amd64 5
Added iptables-persistent:amd64 to the remove list
Conflicts//Breaks against version 1.0.16 for iptables-persistent but that is not InstVer, ignoring
Broken ufw:amd64 Breaks on netfilter-persistent:amd64 < 1.0.16 -> 1.0.20 @ii umU >
Considering netfilter-persistent:amd64 0 as a solution to ufw:amd64 5
Added netfilter-persistent:amd64 to the remove list
Conflicts//Breaks against version 1.0.16 for netfilter-persistent but that is not InstVer, ignoring
MarkDelete iptables-persistent:amd64 < 1.0.16 -> 1.0.20 @ii umU > FU=0
Fixing ufw:amd64 via remove of iptables-persistent:amd64
MarkDelete netfilter-persistent:amd64 < 1.0.16 -> 1.0.20 @ii umU > FU=0
Fixing ufw:amd64 via remove of netfilter-persistent:amd64
ufw 0.36.2-1 add the breaks
$ apt show ufw
Package: ufw
Version: 0.36.2-6
Priority: standard
Section: admin
Origin: Ubuntu
Maintainer: Jamie Strandboge <jdstrand@ubuntu.com>
Bugs: https://bugs.launchpad.net/ubuntu/+filebug
Installed-Size: 869 kB
Depends: iptables, ucf, python3:any, debconf (>= 0.5) | debconf-2.0
Suggests: rsyslog
Breaks: iptables-persistent, netfilter-persistent
Homepage: https://launchpad.net/ufw
Task: standard
Download-Size: 169 kB
APT-Manual-Installed: no
APT-Sources: http://phx-ad-3.clouds.archive.ubuntu.com/ubuntu noble/main amd64 Packages
Description: program for managing a Netfilter firewall
The Uncomplicated FireWall is a front-end for iptables, to make managing a
Netfilter firewall easier. It provides a command line interface with syntax
similar to OpenBSD's Packet Filter. It is particularly well-suited as a
host-based firewall.
Post do-release-upgrade, iptables-persistent and netfilter-persistent are removed, which breaks any machines that relied on their configuration. |
[Impact / Original Description]
Upgrade from Jammy to Noble breaks iptables-persistent and netfilter-persistent firewall configuration if ufw is also installed pre-upgrade.
from /var/log/dist-upgrade/apt.log:
Broken ufw:amd64 Breaks on iptables-persistent:amd64 < 1.0.16 -> 1.0.20 @ii umU >
Considering iptables-persistent:amd64 -1 as a solution to ufw:amd64 5
Added iptables-persistent:amd64 to the remove list
Conflicts//Breaks against version 1.0.16 for iptables-persistent but that is not InstVer, ignoring
Broken ufw:amd64 Breaks on netfilter-persistent:amd64 < 1.0.16 -> 1.0.20 @ii umU >
Considering netfilter-persistent:amd64 0 as a solution to ufw:amd64 5
Added netfilter-persistent:amd64 to the remove list
Conflicts//Breaks against version 1.0.16 for netfilter-persistent but that is not InstVer, ignoring
MarkDelete iptables-persistent:amd64 < 1.0.16 -> 1.0.20 @ii umU > FU=0
Fixing ufw:amd64 via remove of iptables-persistent:amd64
MarkDelete netfilter-persistent:amd64 < 1.0.16 -> 1.0.20 @ii umU > FU=0
Fixing ufw:amd64 via remove of netfilter-persistent:amd64
ufw 0.36.2-1 add the breaks
$ apt show ufw
Package: ufw
Version: 0.36.2-6
Priority: standard
Section: admin
Origin: Ubuntu
Maintainer: Jamie Strandboge <jdstrand@ubuntu.com>
Bugs: https://bugs.launchpad.net/ubuntu/+filebug
Installed-Size: 869 kB
Depends: iptables, ucf, python3:any, debconf (>= 0.5) | debconf-2.0
Suggests: rsyslog
Breaks: iptables-persistent, netfilter-persistent
Homepage: https://launchpad.net/ufw
Task: standard
Download-Size: 169 kB
APT-Manual-Installed: no
APT-Sources: http://phx-ad-3.clouds.archive.ubuntu.com/ubuntu noble/main amd64 Packages
Description: program for managing a Netfilter firewall
The Uncomplicated FireWall is a front-end for iptables, to make managing a
Netfilter firewall easier. It provides a command line interface with syntax
similar to OpenBSD's Packet Filter. It is particularly well-suited as a
host-based firewall.
Post do-release-upgrade, iptables-persistent and netfilter-persistent are removed, which breaks any machines that relied on their configuration.
[Test Plan]
1. Start a Jammy LXD container and obtain a shell.
$ lxc launch ubuntu-daily:jammy jammy
$ lxc exec jammy bash
2. In the container, install netfilter-persistent and iptables-persistent.
$ apt install netfilter-persistent iptables-persistent -y
3. Run a release upgrade. To test with noble-proposed, the --proposed flag is needed.
$ do-release-upgrade --proposed
4. Answer prompts as needed so that the upgrade runs as expected. After the upgrade has finished, verify that the packages have not been removed.
$ apt policy netfilter-persistent iptables-persistent
5. Check the upgrade log to verify messages are present explaining that these packages are kept.
$ grep "Keeping.*-persistent" /var/log/dist-upgrade/main.log
[Where problems could occur]
This quirk requires manipulating the apt cache. It does so only for the ufw, netfilter-persistent, and iptables-persistent packages. If these package names were misspelled in the code, that would cause the quirk to be wrong. Any problems would most likely be surrounding whether or not these packages are installed. This quirk _should_ do nothing when (a) not upgrading from jammy, (b) ufw is not installed, or (c) neither netfilter-persistent nor iptables-persistent are installed. |
|
| 2024-04-29 15:40:21 |
Mauricio Faria de Oliveira |
description |
[Impact / Original Description]
Upgrade from Jammy to Noble breaks iptables-persistent and netfilter-persistent firewall configuration if ufw is also installed pre-upgrade.
from /var/log/dist-upgrade/apt.log:
Broken ufw:amd64 Breaks on iptables-persistent:amd64 < 1.0.16 -> 1.0.20 @ii umU >
Considering iptables-persistent:amd64 -1 as a solution to ufw:amd64 5
Added iptables-persistent:amd64 to the remove list
Conflicts//Breaks against version 1.0.16 for iptables-persistent but that is not InstVer, ignoring
Broken ufw:amd64 Breaks on netfilter-persistent:amd64 < 1.0.16 -> 1.0.20 @ii umU >
Considering netfilter-persistent:amd64 0 as a solution to ufw:amd64 5
Added netfilter-persistent:amd64 to the remove list
Conflicts//Breaks against version 1.0.16 for netfilter-persistent but that is not InstVer, ignoring
MarkDelete iptables-persistent:amd64 < 1.0.16 -> 1.0.20 @ii umU > FU=0
Fixing ufw:amd64 via remove of iptables-persistent:amd64
MarkDelete netfilter-persistent:amd64 < 1.0.16 -> 1.0.20 @ii umU > FU=0
Fixing ufw:amd64 via remove of netfilter-persistent:amd64
ufw 0.36.2-1 add the breaks
$ apt show ufw
Package: ufw
Version: 0.36.2-6
Priority: standard
Section: admin
Origin: Ubuntu
Maintainer: Jamie Strandboge <jdstrand@ubuntu.com>
Bugs: https://bugs.launchpad.net/ubuntu/+filebug
Installed-Size: 869 kB
Depends: iptables, ucf, python3:any, debconf (>= 0.5) | debconf-2.0
Suggests: rsyslog
Breaks: iptables-persistent, netfilter-persistent
Homepage: https://launchpad.net/ufw
Task: standard
Download-Size: 169 kB
APT-Manual-Installed: no
APT-Sources: http://phx-ad-3.clouds.archive.ubuntu.com/ubuntu noble/main amd64 Packages
Description: program for managing a Netfilter firewall
The Uncomplicated FireWall is a front-end for iptables, to make managing a
Netfilter firewall easier. It provides a command line interface with syntax
similar to OpenBSD's Packet Filter. It is particularly well-suited as a
host-based firewall.
Post do-release-upgrade, iptables-persistent and netfilter-persistent are removed, which breaks any machines that relied on their configuration.
[Test Plan]
1. Start a Jammy LXD container and obtain a shell.
$ lxc launch ubuntu-daily:jammy jammy
$ lxc exec jammy bash
2. In the container, install netfilter-persistent and iptables-persistent.
$ apt install netfilter-persistent iptables-persistent -y
3. Run a release upgrade. To test with noble-proposed, the --proposed flag is needed.
$ do-release-upgrade --proposed
4. Answer prompts as needed so that the upgrade runs as expected. After the upgrade has finished, verify that the packages have not been removed.
$ apt policy netfilter-persistent iptables-persistent
5. Check the upgrade log to verify messages are present explaining that these packages are kept.
$ grep "Keeping.*-persistent" /var/log/dist-upgrade/main.log
[Where problems could occur]
This quirk requires manipulating the apt cache. It does so only for the ufw, netfilter-persistent, and iptables-persistent packages. If these package names were misspelled in the code, that would cause the quirk to be wrong. Any problems would most likely be surrounding whether or not these packages are installed. This quirk _should_ do nothing when (a) not upgrading from jammy, (b) ufw is not installed, or (c) neither netfilter-persistent nor iptables-persistent are installed. |
[Impact]
ufw and -persistent packages both manage the firewall, hence they conflict but they accidentally had no conflicts in jammy. If both are installed, persistent packages will store and restore firewall configuration, so ufw cannot really be used.
Noble adds a conflicts from ufw to the persistent packages, but we end up removing the persistent packages rather than the ufw which is wrong - they are in charge.
[Test plan]
persistent and netfilter-persistent should remain installed, and ufw removed to preserve user config.
[Where problems could occur]
There may be ufw reverse dependencies that could get removed.
[Other Info]
The fix (released) in 1:24.04.15 is reverted and improved in 1:24.04.17 (upload).
[Original bug report]
Upgrade from Jammy to Noble breaks iptables-persistent and netfilter-persistent firewall configuration if ufw is also installed pre-upgrade., removing them.
from /var/log/dist-upgrade/apt.log:
Broken ufw:amd64 Breaks on iptables-persistent:amd64 < 1.0.16 -> 1.0.20 @ii umU >
Considering iptables-persistent:amd64 -1 as a solution to ufw:amd64 5
Added iptables-persistent:amd64 to the remove list
Conflicts//Breaks against version 1.0.16 for iptables-persistent but that is not InstVer, ignoring
Broken ufw:amd64 Breaks on netfilter-persistent:amd64 < 1.0.16 -> 1.0.20 @ii umU >
Considering netfilter-persistent:amd64 0 as a solution to ufw:amd64 5
Added netfilter-persistent:amd64 to the remove list
Conflicts//Breaks against version 1.0.16 for netfilter-persistent but that is not InstVer, ignoring
MarkDelete iptables-persistent:amd64 < 1.0.16 -> 1.0.20 @ii umU > FU=0
Fixing ufw:amd64 via remove of iptables-persistent:amd64
MarkDelete netfilter-persistent:amd64 < 1.0.16 -> 1.0.20 @ii umU > FU=0
Fixing ufw:amd64 via remove of netfilter-persistent:amd64
ufw 0.36.2-1 add the breaks
$ apt show ufw
Package: ufw
Version: 0.36.2-6
Priority: standard
Section: admin
Origin: Ubuntu
Maintainer: Jamie Strandboge <jdstrand@ubuntu.com>
Bugs: https://bugs.launchpad.net/ubuntu/+filebug
Installed-Size: 869 kB
Depends: iptables, ucf, python3:any, debconf (>= 0.5) | debconf-2.0
Suggests: rsyslog
Breaks: iptables-persistent, netfilter-persistent
Homepage: https://launchpad.net/ufw
Task: standard
Download-Size: 169 kB
APT-Manual-Installed: no
APT-Sources: http://phx-ad-3.clouds.archive.ubuntu.com/ubuntu noble/main amd64 Packages
Description: program for managing a Netfilter firewall
The Uncomplicated FireWall is a front-end for iptables, to make managing a
Netfilter firewall easier. It provides a command line interface with syntax
similar to OpenBSD's Packet Filter. It is particularly well-suited as a
host-based firewall.
Post do-release-upgrade, iptables-persistent and netfilter-persistent are removed, which breaks any machines that relied on their configuration. |
|
| 2024-04-29 15:40:51 |
Mauricio Faria de Oliveira |
bug |
|
|
added subscriber Nick Rosbrook |
| 2024-04-29 15:41:04 |
Mauricio Faria de Oliveira |
bug |
|
|
added subscriber Julian Andres Klode |
| 2024-04-29 16:01:07 |
Mauricio Faria de Oliveira |
ubuntu-release-upgrader (Ubuntu Noble): status |
In Progress |
Incomplete |
|
| 2024-04-29 16:01:10 |
Mauricio Faria de Oliveira |
bug |
|
|
added subscriber Mauricio Faria de Oliveira |
| 2024-04-29 18:18:52 |
Julian Andres Klode |
ubuntu-release-upgrader (Ubuntu Noble): status |
Incomplete |
Triaged |
|
| 2024-04-29 18:18:58 |
Julian Andres Klode |
ubuntu-release-upgrader (Ubuntu Noble): status |
Triaged |
In Progress |
|
| 2024-04-29 19:23:27 |
Steve Langasek |
ubuntu-release-upgrader (Ubuntu Noble): status |
In Progress |
Fix Committed |
|
| 2024-04-29 19:23:29 |
Steve Langasek |
bug |
|
|
added subscriber Ubuntu Stable Release Updates Team |
| 2024-04-29 19:23:32 |
Steve Langasek |
bug |
|
|
added subscriber SRU Verification |
| 2024-04-29 19:23:37 |
Steve Langasek |
tags |
|
verification-needed verification-needed-noble |
|
| 2024-04-30 19:26:52 |
Gabriel Korytiak |
information type |
Public |
Public Security |
|
| 2024-05-01 13:04:07 |
Dylan Uhryniuk |
tags |
verification-needed verification-needed-noble |
verification-done-noble verification-needed |
|
| 2024-05-01 14:51:52 |
Dylan Uhryniuk |
bug |
|
|
added subscriber Dylan Uhryniuk |
| 2024-05-10 09:27:50 |
Timo Aaltonen |
tags |
verification-done-noble verification-needed |
verification-needed verification-needed-noble |
|
| 2024-05-12 00:06:10 |
Timofey Denisov |
bug |
|
|
added subscriber Timofey Denisov |
| 2024-05-16 13:55:35 |
Nick Rosbrook |
tags |
verification-needed verification-needed-noble |
verification-done verification-done-noble |
|
| 2024-05-17 10:12:56 |
burned |
bug |
|
|
added subscriber burned |
| 2024-05-17 13:03:17 |
Launchpad Janitor |
ubuntu-release-upgrader (Ubuntu): status |
In Progress |
Fix Released |
|
| 2024-05-21 01:51:05 |
hatune |
bug |
|
|
added subscriber hatune |
