unattended upgrades removing kerberos and breaking system

Bug #1701726 reported by Anton Piatek
14
This bug affects 3 people
Affects Status Importance Assigned to Milestone
unattended-upgrades (Ubuntu)
Confirmed
Undecided
Unassigned

Bug Description

Ok, so this may not be a bug specifically in unattended-upgrades, but I can't determine where else it would be.

Having my server broken by unattended upgrades removing the primary login system (kerberos) once might be considered unlucky, or perhaps a typo - but now that it has happened twice it looks like a bug.

The problem seems to be that several krb related packages were removed, along with puppet packages which we use to help maintain the system.
The result was all remote logins (ssh/http/smtp/imap/etc) were broken and serial console had to be used to recover the sysem

Pulling from logs from today:
```Start-Date: 2017-06-30 15:22:20
Commandline: /usr/bin/unattended-upgrade
Upgrade: libisccfg140:amd64 (1:9.10.3.dfsg.P4-8ubuntu1.6, 1:9.10.3.dfsg.P4-8ubuntu1.7), bind9-host:amd64 (1:9.10.3.dfsg.P4-8ubuntu1.6, 1:9.10.3.dfsg.P4-8ubuntu1.7), dnsutils:amd64 (1:9.10.3.dfsg.P4-8ubuntu1.6, 1:9.10.3.dfsg.P4-8ubuntu1.7), libisc160:amd64 (1:9.10.3.dfsg.P4-8ubuntu1.6, 1:9.10.3.dfsg.P4-8ubuntu1.7), bind9utils:amd64 (1:9.10.3.dfsg.P4-8ubuntu1.6, 1:9.10.3.dfsg.P4-8ubuntu1.7), liblwres141:amd64 (1:9.10.3.dfsg.P4-8ubuntu1.6, 1:9.10.3.dfsg.P4-8ubuntu1.7), bind9:amd64 (1:9.10.3.dfsg.P4-8ubuntu1.6, 1:9.10.3.dfsg.P4-8ubuntu1.7), libdns162:amd64 (1:9.10.3.dfsg.P4-8ubuntu1.6, 1:9.10.3.dfsg.P4-8ubuntu1.7), libisccc140:amd64 (1:9.10.3.dfsg.P4-8ubuntu1.6, 1:9.10.3.dfsg.P4-8ubuntu1.7), libbind9-140:amd64 (1:9.10.3.dfsg.P4-8ubuntu1.6, 1:9.10.3.dfsg.P4-8ubuntu1.7)
Remove: ubuntu-standard:amd64 (1.361), host:amd64 (1:9.10.3.dfsg.P4-8ubuntu1.6), librarian-puppet:amd64 (2.2.1-2), libapache2-mod-auth-kerb:amd64 (5.4-2.2), krb5-admin-server:amd64 (1.13.2+dfsg-5ubuntu2), krb5-user:amd64 (1.13.2+dfsg-5ubuntu2), libpam-krb5:amd64 (4.7-2), facter:amd64 (2.4.6-1), krb5-kdc:amd64 (1.13.2+dfsg-5ubuntu2), krb5-config:amd64 (2.3), puppet:amd64 (3.8.5-2ubuntu0.1), puppet-common:amd64 (3.8.5-2ubuntu0.1)
End-Date: 2017-06-30 15:22:27

Start-Date: 2017-06-30 15:22:32
Commandline: /usr/bin/unattended-upgrade
Remove: libaugeas0:amd64 (1.4.0-0ubuntu1), libverto-libevent1:amd64 (0.2.4-2.1ubuntu2), virt-what:amd64 (1.14-1), libkadm5clnt-mit9:amd64 (1.13.2+dfsg-5ubuntu2), javascript-common:amd64 (11), ruby-multipart-post:amd64 (1.2.0-2), ruby2.3:amd64 (2.3.1-2~16.04), ruby-safe-yaml:amd64 (1.0.4-1), rake:amd64 (10.5.0-2), ruby-net-telnet:amd64 (0.1.1-2), ruby-thor:amd64 (0.19.1-2), ruby-librarian:amd64 (0.6.3-1), ruby-highline:amd64 (1.7.2-1), augeas-lenses:amd64 (1.4.0-0ubuntu1), ruby-minitar:amd64 (0.5.4-3), libkdb5-8:amd64 (1.13.2+dfsg-5ubuntu2), libjs-jquery:amd64 (1.11.3+dfsg-4), ruby-json:amd64 (1.8.3-1build4), ruby-augeas:amd64 (1:0.5.0-3build4), ruby-shadow:amd64 (2.4.1-1build4), ruby-minitest:amd64 (5.8.4-2), hiera:amd64 (2.0.0-2), ruby-deep-merge:amd64 (1.0.1+gitf9df6fdb-1), libruby2.3:amd64 (2.3.1-2~16.04), ruby-selinux:amd64 (2.4-3build2), ruby:amd64 (1:2.3.0+1), libgssrpc4:amd64 (1.13.2+dfsg-5ubuntu2), libverto1:amd64 (0.2.4-2.1ubuntu2), ruby-rsync:amd64 (1.0.9-1), ruby-faraday-middleware:amd64 (0.10.0-1), ruby-power-assert:amd64 (0.2.7-1), unzip:amd64 (6.0-20ubuntu1), zip:amd64 (3.0-11), ruby-semantic-puppet:amd64 (0.1.1-1), ruby-rgen:amd64 (0.7.0-2), rubygems-integration:amd64 (1.10), fonts-lato:amd64 (2.0-1), ruby-faraday:amd64 (0.9.2-3), ruby-nokogiri:amd64 (1.6.7.2-3build1), libkadm5srv-mit9:amd64 (1.13.2+dfsg-5ubuntu2), ruby-test-unit:amd64 (3.1.7-2), libyaml-0-2:amd64 (0.1.6-3), ruby-puppet-forge:amd64 (2.1.3-1), ruby-did-you-mean:amd64 (1.0.0-2)
End-Date: 2017-06-30 15:22:34
```

And the pervious time it failed in January this year:
```Start-Date: 2017-01-13 02:35:06
Commandline: /usr/bin/unattended-upgrade
Install: host:amd64 (1:9.10.3.dfsg.P4-8ubuntu1.4, automatic)
Upgrade: libisccfg140:amd64 (1:9.10.3.dfsg.P4-8ubuntu1.3, 1:9.10.3.dfsg.P4-8ubuntu1.4), bind9-host:amd64 (1:9.10.3.dfsg.P4-8ubuntu1.3, 1:9.10.3.dfsg.P4-8ubuntu1.4), dnsutils:amd64 (1:9.10.3.dfsg.P4-8ubuntu1.3, 1:9.10.3.dfsg.P4-8ubuntu1.4), libisc160:amd64 (1:9.10.3.dfsg.P4-8ubuntu1.3, 1:9.10.3.dfsg.P4-8ubuntu1.4), bind9utils:amd64 (1:9.10.3.dfsg.P4-8ubuntu1.3, 1:9.10.3.dfsg.P4-8ubuntu1.4), liblwres141:amd64 (1:9.10.3.dfsg.P4-8ubuntu1.3, 1:9.10.3.dfsg.P4-8ubuntu1.4), bind9:amd64 (1:9.10.3.dfsg.P4-8ubuntu1.3, 1:9.10.3.dfsg.P4-8ubuntu1.4), libdns162:amd64 (1:9.10.3.dfsg.P4-8ubuntu1.3, 1:9.10.3.dfsg.P4-8ubuntu1.4), libisccc140:amd64 (1:9.10.3.dfsg.P4-8ubuntu1.3, 1:9.10.3.dfsg.P4-8ubuntu1.4), libbind9-140:amd64 (1:9.10.3.dfsg.P4-8ubuntu1.3, 1:9.10.3.dfsg.P4-8ubuntu1.4)
Remove: ubuntu-standard:amd64 (1.361), librarian-puppet:amd64 (2.2.1-2), libapache2-mod-auth-kerb:amd64 (5.4-2.2), krb5-admin-server:amd64 (1.13.2+dfsg-5), krb5-user:amd64 (1.13.2+dfsg-5), libpam-krb5:amd64 (4.7-2), facter:amd64 (2.4.6-1), krb5-kdc:amd64 (1.13.2+dfsg-5), krb5-config:amd64 (2.3), puppet:amd64 (3.8.5-2), puppet-common:amd64 (3.8.5-2)
End-Date: 2017-01-13 02:35:13```

After the first failure in January the main kerberos and puppet packages were installed manually to get the system going - I thought perhaps that would stop autoremove dropping them but to be extra safe we disabled autoremove from unattended-upgrade at the time. However today the packages were removed anyway.

As I said at the beginning, it could be that it is not unattended-upgrade breaking things, the packages being upgraded do contain some similar names both times (host and bind for instance), but I can't see anything in the dependency relationships which even comes close to suggesting a cause.

ProblemType: Bug
DistroRelease: Ubuntu 16.04
Package: unattended-upgrades 0.90ubuntu0.6
ProcVersionSignature: Ubuntu 4.4.0-79.100-generic 4.4.67
Uname: Linux 4.4.0-79-generic x86_64
ApportVersion: 2.20.1-0ubuntu2.6
Architecture: amd64
Date: Fri Jun 30 20:52:16 2017
JournalErrors:
 Error: command ['journalctl', '-b', '--priority=warning', '--lines=1000'] failed with exit code 1: Hint: You are currently not seeing messages from other users and the system.
       Users in the 'systemd-journal' group can see all messages. Pass -q to
       turn off this notice.
 No journal files were opened due to insufficient permissions.
PackageArchitecture: all
SourcePackage: unattended-upgrades
UpgradeStatus: No upgrade log present (probably fresh install)
modified.conffile..etc.apt.apt.conf.d.15update-stamp:
 // This file is managed by Puppet. DO NOT EDIT.
 APT::Update::Post-Invoke-Success {"touch /var/lib/apt/periodic/update-success-stamp 2>/dev/null || true";};
mtime.conffile..etc.apt.apt.conf.d.10periodic: 2017-01-02T14:47:31.647417
mtime.conffile..etc.apt.apt.conf.d.15update-stamp: 2017-01-02T14:44:44.264308

Revision history for this message
Anton Piatek (anton-piatek) wrote :
Revision history for this message
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in unattended-upgrades (Ubuntu):
status: New → Confirmed
Revision history for this message
Anton Piatek (anton-piatek) wrote :

Not sure if this is relevant (I don't really understand what it is telling me):
unattended-upgrades.log :
    While building minimal partition: cache has not allowed changes

To post a comment you must log in.
This report contains Public information  
Everyone can see this information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.