vmbuilder fails with dist-upgrade with release xenial; remove vm-builder from zesty

Bug #1618899 reported by André Freitas on 2016-08-31
This bug affects 11 people
Affects Status Importance Assigned to Milestone
auto-upgrade-testing (Ubuntu)
Undecided
Unassigned
sandbox-upgrader (Ubuntu)
Undecided
Unassigned
vm-builder (Ubuntu)
Low
Unassigned

Bug Description

lsb_release -rd
Description: Ubuntu 16.04 LTS
Release: 16.04

---------

apt-cache policy python-vm-builder
python-vm-builder:
  Installed: 0.12.4+bzr494-0ubuntu1
  Candidate: 0.12.4+bzr494-0ubuntu1
  Version table:
 *** 0.12.4+bzr494-0ubuntu1 500
        500 http://pt.archive.ubuntu.com/ubuntu xenial/universe amd64 Packages
        500 http://pt.archive.ubuntu.com/ubuntu xenial/universe i386 Packages
        100 /var/lib/dpkg/status

---------

When creating a guest with the release xenial, the creation fails in dist-upgrade, because /etc/sudoers has been changed. With release trusty, the creation works.

The output is attached in log.txt

André Freitas (andre-freitas) wrote :
Joshua Powers (powersj) on 2016-09-01
Changed in vm-builder (Ubuntu):
status: New → Triaged
importance: Undecided → Low
Technical Contact (adm5n) wrote :

Hi, this bug is affecting me on Trusty too. I've found a workaround solution here:
http://askubuntu.com/questions/819844/kvm-vmbuilder-fails

patch /usr/lib/python2.7/dist-packages/VMBuilder/plugins/ubuntu/dapper.py<<EOT
@@ -72,7 +72,7 @@
             self.call_hook('fix_ownership', manifest)

     def update(self):
- self.run_in_target('apt-get', '-y', '--force-yes', 'dist-upgrade',
+ self.run_in_target('apt-get', '-y', '--force-yes', '--option=Dpkg::Options::=--force-confnew', 'dist-upgrade',
                            env={ 'DEBIAN_FRONTEND' : 'noninteractive' })

     def install_authorized_keys(self):
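Review bot: the `--option=Dpkg::Options::=--force-confnew` added to the `apt-get ... dist-upgrade` call in `update()` is not scoped to one file. It is passed for the whole dist-upgrade, so any locally changed conffile for which a package ships a new version is replaced by the packaged one, not only the file that triggered the prompt. Because the call already runs with `-y --force-yes` and `DEBIAN_FRONTEND` set to `noninteractive`, nothing reports which local changes were dropped. Consider not modifying the conffile before this step, or at least recording which conffiles differ before the upgrade runs. The long argument would also read better on its own continuation line.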
EOT
Or edit it manually and add the '--option=Dpkg::Options::=--force-confnew' option.

Adam Conrad (adconrad) wrote :

confnew isn't the answer here. If vmbuilder is mangling sudoers (and sshd_config too, it looks like?), then replacing it with the new conffile will undo that. If the new conffile works, then the mangling didn't need to happen in the first place. If the new conffile doesn't work, then confnew will break the end result.

In the case of sudoers, the answer is probably to use sudoers.d instead. sshd_config has no similar mechanism, however.

Adam Conrad (adconrad) wrote :

Oh, sshd_config isn't a conffile, so it doesn't suffer the same issue that sudoers has. So, indeed, moving the sudoers bit to a snippet in sudoers.d would fix this bug.
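One way to apply the sudoers.d approach described in the two comments above, as an added example (not vm-builder's code and not the commenter's): the function name, the `validate` flag and the sample rule are assumptions made for illustration. It writes a drop-in under the guest root and never opens /etc/sudoers, so dpkg still sees the packaged conffile.

```python
import os
import re
import shutil
import subprocess
import tempfile

# sudoers(5): #includedir skips names that end in '~' or contain a '.'.
VALID_NAME = re.compile(r"[A-Za-z0-9_-]+")


def install_sudoers_snippet(target_root, name, rules, validate=True):
    """Write rules to <target_root>/etc/sudoers.d/<name>, mode 0440.

    /etc/sudoers is never opened, so it stays byte-identical to the
    packaged conffile. Returns the path of the snippet.
    """
    if not VALID_NAME.fullmatch(name):
        raise ValueError("sudo would skip a snippet named %r" % name)
    dropin_dir = os.path.join(target_root, "etc", "sudoers.d")
    os.makedirs(dropin_dir, exist_ok=True)
    if not rules.endswith("\n"):
        rules += "\n"
    # The temp name contains a '.', so sudo ignores it if a build is interrupted.
    fd, tmp_path = tempfile.mkstemp(dir=dropin_dir, prefix=".tmp-")
    try:
        with os.fdopen(fd, "w") as handle:
            handle.write(rules)
        os.chmod(tmp_path, 0o440)
        visudo = shutil.which("visudo") if validate else None
        if visudo:  # syntax check only; skipped where sudo is not installed
            check = subprocess.run([visudo, "-cf", tmp_path],
                                   capture_output=True, text=True)
            if check.returncode != 0:
                raise ValueError("visudo rejected the snippet: " + check.stderr)
        final_path = os.path.join(dropin_dir, name)
        os.rename(tmp_path, final_path)
        return final_path
    except Exception:
        if os.path.exists(tmp_path):
            os.unlink(tmp_path)
        raise


if __name__ == "__main__":
    root = tempfile.mkdtemp()  # stands in for the guest's root filesystem
    # Constructed sample name and rule, for illustration only.
    print(install_sudoers_snippet(root, "ubuntu", "%admin ALL=(ALL) ALL"))
```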

Nish Aravamudan (nacc) wrote :

To close the loop based upon IRC discussion(s) today:

12:15 < infinity> nacc: So, anyway, short story from my investigation:
                  sudoers.tmpl in vm-builder is wildly out of date anyway, and
                  sudo in both trusty and xenial supports sudoers.d, so drop
                  the sudoers templates, add a template for
                  /etc/sudoers.d/ubuntu that includes just the bottom bit of
                  the template, test, win.
...
12:16 < infinity> nacc: And by all means, also file a removal request for
                  vm-builder from zesty if no one cares to maintain it and
                  gaughen is sure it's not being used in zesty.
12:16 < gaughen> nacc, we can double check with Odd_Bloke so we're 200% sure
12:43 < gaughen> nacc, will send a note and cc you.
...

Waiting to hear back from the CPC org on their use of vm-builder.

Tim Landscheidt (scfc) wrote :

I encounter the same bug on Trusty; for reference, the diff between sudo's and python-vm-builder's sudoers seems to be:

| scfc@vmbuilder-scfc:~/sudo-1.8.9p5$ diff -u debian/sudoers /etc/vmbuilder/ubuntu/sudoers.tmpl
| --- debian/sudoers 2016-10-10 08:10:26.000000000 +0000
| +++ /etc/vmbuilder/ubuntu/sudoers.tmpl 2008-09-18 09:11:09.000000000 +0000
| @@ -1,14 +1,14 @@
| +# /etc/sudoers
| #
| # This file MUST be edited with the 'visudo' command as root.
| #
| -# Please consider adding local content in /etc/sudoers.d/ instead of
| -# directly modifying this file.
| -#
| # See the man page for details on how to write a sudoers file.
| -#
| -Defaults env_reset
| -Defaults mail_badpass
| -Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin"
| +# Defaults
| +
| +Defaults !lecture,tty_tickets,!fqdn
| +
| +# Uncomment to allow members of group sudo to not need a password
| +# %sudo ALL=NOPASSWD: ALL
|
| # Host alias specification
|
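Review bot: on the `+` side (sudoers.tmpl) the three packaged `Defaults` lines, `env_reset`, `mail_badpass` and `secure_path`, are gone and replaced by `Defaults !lecture,tty_tickets,!fqdn`, so a guest built from this template no longer states a `secure_path` in its sudoers. If the template is kept at all, carry the packaged `Defaults` lines over rather than dropping them.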
| @@ -17,14 +17,7 @@
| # Cmnd alias specification
|
| # User privilege specification
| -root ALL=(ALL:ALL) ALL
| +root ALL=(ALL) ALL
|
| # Members of the admin group may gain root privileges
| %admin ALL=(ALL) ALL
| -
| -# Allow members of group sudo to execute any command
| -%sudo ALL=(ALL:ALL) ALL
| -
| -# See sudoers(5) for more information on "#include" directives:
| -
| -#includedir /etc/sudoers.d
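Review bot: the `+` side has no `#includedir /etc/sudoers.d` line (it is removed at the end of this hunk together with the `%sudo ALL=(ALL:ALL) ALL` rule), so in a guest that still carries this template nothing placed in /etc/sudoers.d would be read. A fix that moves vm-builder's rules into a sudoers.d snippet therefore has to stop installing this template, not only add the snippet. The `root` rule also loses the `:ALL` runas group compared with the packaged line.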
| scfc@vmbuilder-scfc:~/sudo-1.8.9p5$

There is also /etc/vmbuilder/ec2/sudoers.tmpl where the diff is:

| scfc@vmbuilder-scfc:~/sudo-1.8.9p5$ diff -u debian/sudoers /etc/vmbuilder/ec2/sudoers.tmpl
| --- debian/sudoers 2016-10-10 08:10:26.000000000 +0000
| +++ /etc/vmbuilder/ec2/sudoers.tmpl 2009-09-23 15:58:32.000000000 +0000
| @@ -1,14 +1,11 @@
| +# /etc/sudoers
| #
| # This file MUST be edited with the 'visudo' command as root.
| #
| -# Please consider adding local content in /etc/sudoers.d/ instead of
| -# directly modifying this file.
| -#
| # See the man page for details on how to write a sudoers file.
| #
| +
| Defaults env_reset
| -Defaults mail_badpass
| -Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin"
|
| # Host alias specification
|
| @@ -17,14 +14,16 @@
| # Cmnd alias specification
|
| # User privilege specification
| -root ALL=(ALL:ALL) ALL
| +root ALL=(ALL) ALL
| +
| +# Uncomment to allow members of group sudo to not need a password
| +# (Note that later entries override this, so you might need to move
| +# it further down)
| +# %sudo ALL=NOPASSWD: ALL
|
| # Members of the admin group may gain root privileges
| %admin ALL=(ALL) ALL
|
| -# Allow members of group sudo to execute any command
| -%sudo ALL=(ALL:ALL) ALL
| -
| -# See sudoers(5) for more information on "#include" directives:
| -
| -#includedir /etc/sudoers.d
| +# ubuntu user is default user in ec2-images.
| +# It needs passwordless sudo functionality.
| +ubuntu ALL=(ALL) NOPASSWD:ALL
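Review bot: the only active rule the `+` side adds over the packaged file in this hunk is `ubuntu ALL=(ALL) NOPASSWD:ALL`; the other `+` lines are comments or the shorter `root ALL=(ALL) ALL`. That single passwordless rule is the part to carry in a separate snippet, scoped to the ec2 images that need it, while the packaged file keeps its `%sudo` rule and its `#includedir /etc/sudoers.d` line, both of which this hunk removes.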
| scfc@vmbuilder-scfc:~/sudo-1.8.9p5$

@nacc, are you working on this? I'd be willing to test new packages.

Nish Aravamudan (nacc) wrote :

@Tim, yep, I'll work on this now that the holidays are over :)

I think for zesty, we're going to remove the package and then I can SRU fixes back based upon Adam's advice.

Changed in vm-builder (Ubuntu):
assignee: nobody → Nish Aravamudan (nacc)
Nish Aravamudan (nacc) wrote :

So there are two revdeps for src:vm-builder

Reverse-Recommends
==================
* auto-upgrade-tester (for ubuntu-vm-builder)
 - I think this can simply be dropped

Reverse-Depends
===============
* sandbox-upgrader (for ubuntu-vm-builder)
 - This package has not been updated since Trusty, would it also be a candidate for removal?

summary: - vmbuilder fails with dist-upgrade with release xenial
+ vmbuilder fails with dist-upgrade with release xenial; remove vm-builder
+ from zesty
Chris Puttick (cputtick) wrote :

Off topic note: we'll be fixing vmbuilder for Xenial & beyond at a fork over here:

https://github.com/newroco/vmbuilder

Contributors welcome!

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in auto-upgrade-testing (Ubuntu):
status: New → Confirmed
Changed in sandbox-upgrader (Ubuntu):
status: New → Confirmed
Andrew Bogott (andrewbogott) wrote :

I would appreciate a hotfix for this in the meantime... presumably just an updated sudoers.tmpl?

Runar Jensen (emning) wrote :

Updating sudoers.tmpl causes templating problems with Cheetah instead, unfortunately.

What has worked for me is to patch vmbuilder to not touch /etc/sudoers at all. There seems to be no need for it to do so, and you end up with the proper version of sudoers in the vm - no template required.

Patch attached to fix a running system, tested on trusty. It simply comments out one line in this file:
/usr/lib/python2.7/dist-packages/VMBuilder/plugins/ubuntu/dapper.py

The attachment "vmbuilder_sudo.patch" seems to be a patch. If it isn't, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are a member of the ~ubuntu-reviewers, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issues please contact him.]

tags: added: patch
Techedemic (hendri-i) wrote :

I just want to confirm this as well.

Host OS: Ubuntu 14.04 all patches/upgrades installed.

Using ubuntu-vm-builder with the following command:

-------------------------
sudo ubuntu-vm-builder kvm trusty --domain mydomain.com --dest sin-cpt-sl-lincluster-host005 --hostname sin-cpt-sl-lincluster-host005 --arch amd64 --mem 512 --cpus 1 --user techedemic --pass my_pass --bridge br0 --ip 10.0.4.229 --mask 255.255.255.0 --net 10.0.4.0 --bcast 10.0.4.255 --gw 10.0.4.1 --dns 10.2.1.2 --proxy=http://10.1.1.10:3142/ --components main,universe --addpkg acpid --addpkg bash-completion --addpkg vim --addpkg aptitude --addpkg openssh-server --addpkg snmpd --addpkg snmp --addpkg linux-image-generic --libvirt qemu:///system ;
-------------------------

Results in:
-------------------------
Configuration file '/etc/sudoers'
 ==> Modified (by you or by a script) since installation.
 ==> Package distributor has shipped an updated version.
   What would you like to do about it ? Your options are:
    Y or I : install the package maintainer's version
    N or O : keep your currently-installed version
      D : show the differences between the versions
      Z : start a shell to examine the situation
 The default action is to keep your current version.
*** sudoers (Y/I/N/O/D/Z) [default=N] ? dpkg: error processing package sudo (--configure):
 EOF on stdin at conffile prompt
Errors were encountered while processing:
 sudo
E: Sub-process /usr/bin/dpkg returned an error code (1)

-------------------------
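The prompt in the log above appears when the on-disk conffile differs from the checksum dpkg recorded and the package ships a new version. As an added example (not part of the original comment or of vm-builder), this check lists conffiles in a guest root that no longer match what dpkg recorded, before an upgrade runs; the function names and sample data are constructed, and the caller is assumed to pass the text of the guest's /var/lib/dpkg/status.

```python
import hashlib
import os
import tempfile


def parse_conffiles(status_text, package):
    """Return {path: md5} from the Conffiles field of one dpkg status stanza."""
    for stanza in status_text.split("\n\n"):
        lines = stanza.splitlines()
        if "Package: " + package not in lines:
            continue
        recorded, in_field = {}, False
        for line in lines:
            if line.startswith("Conffiles:"):
                in_field = True
            elif in_field and line.startswith(" "):
                parts = line.split()  # "<path> <md5> [obsolete]"
                if len(parts) >= 2:
                    recorded[parts[0]] = parts[1]
            else:
                in_field = False
        return recorded
    return {}


def modified_conffiles(target_root, status_text, package):
    """List conffiles whose on-disk MD5 differs from the one dpkg recorded."""
    changed = []
    for path, recorded_md5 in sorted(parse_conffiles(status_text, package).items()):
        on_disk = os.path.join(target_root, path.lstrip("/"))
        if not os.path.isfile(on_disk):
            continue  # a deleted conffile is not the case shown in the log
        with open(on_disk, "rb") as handle:
            # MD5 is dpkg's change-detection checksum here, not a security control.
            actual = hashlib.md5(handle.read()).hexdigest()
        if actual != recorded_md5:
            changed.append(path)
    return changed


if __name__ == "__main__":
    root = tempfile.mkdtemp()  # constructed stand-in for the guest root
    os.makedirs(os.path.join(root, "etc"))
    packaged = b"# packaged sudoers (constructed sample)\n"
    status = "Package: sudo\nConffiles:\n /etc/sudoers %s\n" % hashlib.md5(packaged).hexdigest()
    with open(os.path.join(root, "etc", "sudoers"), "wb") as handle:
        handle.write(b"# overwritten from a template (constructed sample)\n")
    print(modified_conffiles(root, status, "sudo"))
```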

Steve Langasek (vorlon) wrote :

> * sandbox-upgrader (for ubuntu-vm-builder)
> - This package has not been updated since Trusty, would it also be a candidate for removal?

You tell us, please. Marking this incomplete for now, until someone determines whether sandbox-upgrader should be removed.

Changed in sandbox-upgrader (Ubuntu):
status: Confirmed → Incomplete
assignee: nobody → Nish Aravamudan (nacc)

Dupping onto the older same issue to resolve the new way to go there.

Changed in sandbox-upgrader (Ubuntu):
assignee: Nish Aravamudan (nacc) → nobody
Changed in vm-builder (Ubuntu):
assignee: Nish Aravamudan (nacc) → nobody