FRR deb packaging regression
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
frr (Ubuntu) | Fix Released | High | Andreas Hasenack | |
Focal | Fix Released | Undecided | Andreas Hasenack | |
Jammy | Fix Released | Undecided | Andreas Hasenack | |
Kinetic | Fix Released | Undecided | Andreas Hasenack | |
Bug Description
[ Impact ]
Due to the previous frr bug #1958162, or perhaps other reasons, some users might have chosen to handle frr logging in a different way. If that change includes removing the syslog user from the system, then the current frr package will have a failure in postinst when it tries to adjust the ownership of log files to this syslog user.
The fix here is to gate that postinst chown action on the existence of the syslog user. If this user does not exist, we assume that this system is handling logging in some other way and won't attempt to change ownership of logfiles to syslog.
The added change is a valid sanity check, and is minimal in nature in the sense that it doesn't try to further complicate the logging adjustments in postinst. It should have been done in the previous change, but it was thought to be a corner case to not have the syslog user installed. Turns out it's quite possible and doable. One could argue it's still an exceptional case, but since the consequences are really bad (package fails to install), it's worth fixing.
[ Test Plan ]
The test plan is a bit destructive, as it includes removing the syslog user.
a) Specific test for this bug
# remove rsyslog
sudo apt update && sudo apt remove rsyslog -y
# remove the syslog user
sudo userdel syslog
# install frr
# without the fix, the installation will fail:
sudo apt install frr -y
(...)
Adding new user `frr' (UID 103) with group `frr' ...
Not creating home directory `/nonexistent'.
chown: invalid user: ‘syslog:adm’
(...)
Installing the fixed package will work.
b) Regression test
Let's also make sure we are not regressing bug #1958162.
b1) Upgrade
# On a fresh system, install frr from updates (i.e., not the version from proposed):
sudo apt update && sudo apt install frr -y
# restart frr to trigger some logging
sudo systemctl restart frr
ls -lah /var/log/
-rw-r----- 1 syslog adm 1.4K Oct 28 17:41 /var/log/
Now upgrade to the package in proposed and repeat the steps above (restart and check for updates in the log file):
$ sudo systemctl restart frr
$ l /var/log/
-rw-r----- 1 syslog adm 2.8K Oct 28 17:43 /var/log/
b2) Fresh install of proposed package
# On a fresh system, install frr from *proposed*:
sudo apt update && sudo apt install frr -y
# restart frr to trigger some logging
sudo systemctl restart frr
$ l /var/log/
-rw-r----- 1 syslog adm 1.4K Oct 28 17:45 /var/log/
[ Where problems could occur ]
We are now *not* taking action if the syslog user does not exist. That user not existing is a strong indication of local user changes, and this is probably the safest action. There is no guarantee that frr logging will be working in this case.
There might still be other ways out there that users have figured out to adjust the logging of frr. Trying to cope with all of them can quickly become a complicated rabbit hole. We need to have the default install of Ubuntu working well, and not break users who have added their own customizations.
[ Other Info ]
None at this time.
[Original Description]
Ubuntu released a few weeks ago version 7.2.1-1ubuntu0.1 of Frr for Focal.
It's a minor change that attempts to fix a permission issue due to the inability of rsyslog to write within /var/log/frr, owned by the user frr, whereas the user syslog owns the rsyslog process.
In our setup, we replaced rsyslog with syslog-ng, whose process runs as root and we removed the user syslog.
The new Frr package fails the postinstall script while performing the chown of the /var/log/frr and its content, breaking apt and leaving the package half installed.
When our config mgmt system tries to fix the issue, it fails because apt returns a non-zero code and doesn't apply the configuration needed by Frr to work correctly.
This issue is valid not only for Focal but also for Ubuntu Jammy.
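The gating described under [ Impact ], written out as an added example; it is not the frr package's postinst and not code from this bug report. The function names, the `id -u` existence check and the demo's temporary directory are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: gate a maintainer-script chown on the target account existing.
# Function names are hypothetical; this is not the frr postinst.

# The failure mode: an unconditional chown. Maintainer scripts normally run
# under `set -e`, so a missing account aborts postinst and dpkg leaves the
# package half-installed.
chown_logs_unguarded() {
    chown -R "$1:$2" "$3"
}

# The guarded form: only change ownership when the account exists.
chown_logs_guarded() {
    owner=$1 group=$2 dir=$3
    [ -d "$dir" ] || return 0        # no log directory yet, nothing to do
    if ! id -u "$owner" >/dev/null 2>&1; then
        # Account absent: assume the admin handles logging some other way.
        # Returning 0 keeps postinst (and apt) from failing.
        echo "postinst: user '$owner' not found, leaving $dir untouched" >&2
        return 0
    fi
    chown -R "$owner:$group" "$dir"
}

# Demo on a constructed temporary directory; never touches /var/log.
demo() {
    tmp=$(mktemp -d)
    touch "$tmp/frr.log"
    missing="no-such-user-$$"        # constructed name, assumed not to exist
    chown_logs_unguarded "$missing" adm "$tmp" 2>/dev/null \
        || echo "unguarded: chown failed, postinst would abort"
    chown_logs_guarded "$missing" adm "$tmp" 2>/dev/null \
        && echo "guarded: skipped, postinst continues"
    rm -rf "$tmp"
}

if [ "${1:-}" = "demo" ]; then demo; fi
```

Run the script with the argument `demo` to see both outcomes without needing root.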
Related branches
- git-ubuntu bot: Approve
- Lucas Kanashiro (community): Approve
- Canonical Server Reporter: Pending requested
- Diff: 69 lines (+30/-20), 2 files modified
  debian/changelog (+8/-0)
  debian/frr.postinst (+22/-20)
Changed in frr (Ubuntu): | |
assignee: | nobody → Andreas Hasenack (ahasenack) |
status: | Triaged → In Progress |
description: | updated |
Changed in frr (Ubuntu Focal): | |
status: | New → Incomplete |
status: | Incomplete → In Progress |
Changed in frr (Ubuntu Jammy): | |
status: | New → In Progress |
Changed in frr (Ubuntu Kinetic): | |
status: | New → In Progress |
Changed in frr (Ubuntu Focal): | |
assignee: | nobody → Andreas Hasenack (ahasenack) |
Changed in frr (Ubuntu Jammy): | |
assignee: | nobody → Andreas Hasenack (ahasenack) |
Changed in frr (Ubuntu Kinetic): | |
assignee: | nobody → Andreas Hasenack (ahasenack) |
description: | updated |
At first glance, I suspect the simplest fix here is to check if the syslog user exists, before attempting to change ownership, and if that user does not exist, do nothing, assuming the local administrator handled it already in some other way.