SRU: Backport 2.4.3-1ubuntu3 from groovy to focal/eoan/bionic/xenial for newer syscalls for core20 base and test suite robustness

The attachment "groovy" seems to be a debdiff. The ubuntu-sponsors team has been subscribed to the bug report so that they can review and hopefully sponsor the debdiff. If the attachment isn't a patch, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are member of the ~ubuntu-sponsors, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issue please contact him.]

Status changed to 'Confirmed' because the bug affects multiple users.

FYI, I copied xenial-focal from the security-proposed ppa to -proposed. Borrowing from the ubuntu-sru team's SRU verification text:

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-<release> to verification-done-<release>. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-<release>. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Verified on xenial/bionic/eoan/focal as follows:

# install seccomp
$ apt install seccomp

# try resolving getrlimit for aarch64
$ scmp_sys_resolver -a aarch64 getrlimit

# on the current focal version this fails to resolve correctly and returns -10180
# on other releases this succeeds as expected

# enable -proposed
$ cat <<EOF >/etc/apt/sources.list.d/ubuntu-$(lsb_release -cs)-proposed.list
# Enable Ubuntu proposed archive
deb http://archive.ubuntu.com/ubuntu/ $(lsb_release -cs)-proposed restricted main multiverse universe
EOF

# update libseccomp2 and seccomp from -proposed
$ apt install seccomp/$(lsb_release -cs)-proposed libseccomp2/$(lsb_release -cs)-proposed

# verify the installed version number is as expected from -proposed
$ dpkg -l seccomp libseccomp2

# try resolving getrlimit on aarch64 again
$ scmp_sys_resolver -a aarch64 getrlimit
163

Successful test log for seccomp 2.4.3-1ubuntu3.16.04.2 from xenial-proposed

Successful test log for seccomp 2.4.3-1ubuntu3.18.04.2 from bionic-proposed

Successful test log for seccomp 2.4.3-1ubuntu3.19.10.2 from eoan-proposed

Successful test log for seccomp 2.4.3-1ubuntu3.20.04.2 from focal-proposed

All autopkgtests for the newly accepted libseccomp (2.4.3-1ubuntu3.16.04.2) for xenial have finished running.
The following regressions have been reported in tests triggered by the package:

systemd/229-4ubuntu21.28 (amd64)

Please visit the excuses page listed below and investigate the failures, proceeding afterwards as per the StableReleaseUpdates policy regarding autopkgtest regressions [1].

https://people.canonical.com/~ubuntu-archive/proposed-migration/xenial/update_excuses.html#libseccomp

[1] https://wiki.ubuntu.com/StableReleaseUpdates#Autopkgtest_Regressions

Thank you!

All autopkgtests for the newly accepted libseccomp (2.4.3-1ubuntu3.18.04.2) for bionic have finished running.
The following regressions have been reported in tests triggered by the package:

apt/1.6.12ubuntu0.1 (arm64)
chrony/3.2-4ubuntu4.4 (armhf)

Please visit the excuses page listed below and investigate the failures, proceeding afterwards as per the StableReleaseUpdates policy regarding autopkgtest regressions [1].

https://people.canonical.com/~ubuntu-archive/proposed-migration/bionic/update_excuses.html#libseccomp

[1] https://wiki.ubuntu.com/StableReleaseUpdates#Autopkgtest_Regressions

Thank you!

All autopkgtests for the newly accepted libseccomp (2.4.3-1ubuntu3.20.04.2) for focal have finished running.
The following regressions have been reported in tests triggered by the package:

systemd/unknown (armhf)
systemd/245.4-4ubuntu3.1 (amd64)

Please visit the excuses page listed below and investigate the failures, proceeding afterwards as per the StableReleaseUpdates policy regarding autopkgtest regressions [1].

https://people.canonical.com/~ubuntu-archive/proposed-migration/focal/update_excuses.html#libseccomp

[1] https://wiki.ubuntu.com/StableReleaseUpdates#Autopkgtest_Regressions

Thank you!

All autopkgtests for the newly accepted libseccomp (2.4.3-1ubuntu3.19.10.2) for eoan have finished running.
The following regressions have been reported in tests triggered by the package:

systemd/242-7ubuntu3.9 (i386)

Please visit the excuses page listed below and investigate the failures, proceeding afterwards as per the StableReleaseUpdates policy regarding autopkgtest regressions [1].

https://people.canonical.com/~ubuntu-archive/proposed-migration/eoan/update_excuses.html#libseccomp

[1] https://wiki.ubuntu.com/StableReleaseUpdates#Autopkgtest_Regressions

Thank you!

FYI, I reran the xenial autopkgtests and there are now no regressions.

FYI, I reran the bionic and eoan autopkgtests and there are now no regressions.

Sorry, I reran bionic and *focal* autopkgtests and there are now no regressions. Running eoan again.

I can reproduce the systemd eoan/i386 autopkgtest failure locally - this is similar to LP #1853852 - testing a rebuild of systemd 242-7ubuntu3.9 with the patch from that bug backported.

I have confirmed the attached debdiff for systemd resolves this failure on i386 with libseccomp 2.4.3 - see attached for the autopkgtest log of a local run.

@jdstrand - could you please review and sponsor the systemd debdiff to eoan-proposed?

@jdstrand - thanks but unfortunately that version FTBFS on arm64 - I've uploaded an updated verion (ubuntu3.11 - https://launchpadlibrarian.net/484321608/systemd_242-7ubuntu3.11_source.changes) to the security-proposed PPA with an additional upstream fix for the arm64 FTBFS - this is currently undergoing autopkgtests (https://people.canonical.com/~platform/security-britney/current/security_eoan_excuses.html#systemd) - will report back with results once complete.

systemd-242-7ubuntu3.11 passes autopkgtest for eoan/i386 and resolves the FTBFS for arm64 - https://objectstorage.prodstack4-5.canonical.com/v1/AUTH_77e2ada1e7a84929a74ba3b87153c0ac/autopkgtest-eoan-ubuntu-security-proposed-ppa/eoan/i386/s/systemd/20200615_102850_82300@/log.gz

@jdstrand can you please sponsor this to -proposed in the archive? (unless I am confused about the next steps of the process for this - if so, please let me know what should happen next to progress this).

I see this libseccomp upload has been built in the security proposed PPA - does it mean it should go into both -updates and -security?

Yes, like previous libseccomp updates, we plan to publish this to both -security and -updates.

Thanks for the info! Another question in this case: since this bugfix is verified, does this mean the packages currently in -proposed are good to be released? I wouldn't want to release a package that isn't 'ready' by accident.

The systemd update for eoan is not in -proposed but the libseccomp updates (for all releases) are - the systemd update for eoan needs to be released in conjunction with the libseccomp update as it fixes a regression in systemd/eoan/i386 when used in conjunction with the libseccomp updates.

The systemd/eoan update is on only in the security-proposed PPA as I don't have upload rights and so needs to be sponsored.

I believe the packages are ready to be released - all autopkgtests are passing now for all releases of libseccomp - except systemd/eoan/i386 (hence the additional update for it).

The autopkgtests from the security-proposed PPA for systemd https://people.canonical.com/~platform/security-britney/current/security_eoan_excuses.html#systemd look pretty good.

openssh is failing - but this version 1:8.0p1-6build1 is failing already - see http://autopkgtest.ubuntu.com/packages/o/openssh/eoan/amd64 for instance where this version also failed in the same manner recently a number of times.

pds, prometheus and stunnel4 are also failing but again these same versions are already failing for the regular autopkgtests - http://autopkgtest.ubuntu.com/packages/p/pdns/eoan/amd64 http://autopkgtest.ubuntu.com/packages/p/prometheus/eoan/amd64 http://autopkgtest.ubuntu.com/packages/s/stunnel4/eoan/amd64

snapd is failing for i386 but again is already failing for the same version at http://autopkgtest.ubuntu.com/packages/s/snapd/eoan/i386

And similarly ubuntu-drivers-common is also failing for i386 but is already failing for this same version - http://autopkgtest.ubuntu.com/packages/u/ubuntu-drivers-common/eoan/i386

So I am confident this is ready to be released.

First, systemd 242-7ubuntu3.11 needs to be sponsored from the ubuntu-security-proposed PPA to -proposed and then we can look at promoting all the libseccomp updates and this systemd update for eoan to -updates (and the security team can publish to -security and issue a USN once all are in -updates).

Ping @jdstrand / @sil2100 - I am not sure what more I need to do to try and progress this SRU - I believe the systemd/eoan update still needs to be sponsored from the security-proposed PPA - but I don't have permission to upload this myself - could one of you please do that on my behalf? Also if there is anything else you need from me please let me know.

Hey Alex! Sorry for not tackling this on Thursday, got distracted with other things. So let me actually release it for all the series as-is. Usually a regression in autopkgtests is a rather serious issue and I'd appreciate having the systemd upload in -proposed at least. That being said, this time is a bit special, since the affected series is eoan. 19.10 is going EOL next month so I think that blocking on autopkgtest issues there makes no sense.

Thanks!

This bug was fixed in the package libseccomp - 2.4.3-1ubuntu3.20.04.2

---------------
libseccomp (2.4.3-1ubuntu3.20.04.2) focal; urgency=medium

  * Updated to new upstream 2.4.3 version for updated syscalls support
    and test-suite robustness
    - d/p/add-5.4-local-syscall-headers.patch: Add local copy of the
      architecture specific header files which specify system call numbers
      from linux-libc-dev in focal to ensure unit tests pass on older
      releases where the linux-libc-dev package does not have the required
      system calls defined and use these during compilation of unit tests
    - d/p/db-properly-reset-attribute-state.patch: Drop this patch since
      is now upstream
    - LP: #1876055
  * Add missing aarch64 system calls
    - d/p/fix-aarch64-syscalls.patch
    - LP: #1877633

 -- Alex Murray <email address hidden> Tue, 02 Jun 2020 14:11:45 +0930

The verification of the Stable Release Update for libseccomp has completed successfully and the package is now being released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

This bug was fixed in the package libseccomp - 2.4.3-1ubuntu3.19.10.2

---------------
libseccomp (2.4.3-1ubuntu3.19.10.2) eoan; urgency=medium

  * Updated to new upstream 2.4.3 version for updated syscalls support
    and test-suite robustness
    - d/p/add-5.4-local-syscall-headers.patch: Add local copy of the
      architecture specific header files which specify system call numbers
      from linux-libc-dev in focal to ensure unit tests pass on older
      releases where the linux-libc-dev package does not have the required
      system calls defined and use these during compilation of unit tests
    - d/p/fix-python-module-install-path.patch: Revert upstream change to
      the python module install path location
    - d/p/db-properly-reset-attribute-state.patch: Drop this patch since
      is now upstream
    - LP: #1876055
  * Add missing aarch64 system calls
    - d/p/fix-aarch64-syscalls.patch
    - LP: #1877633

 -- Alex Murray <email address hidden> Tue, 02 Jun 2020 14:10:11 +0930

This bug was fixed in the package libseccomp - 2.4.3-1ubuntu3.18.04.2

---------------
libseccomp (2.4.3-1ubuntu3.18.04.2) bionic; urgency=medium

  * Updated to new upstream 2.4.3 version for updated syscalls support
    and test-suite robustness
    - d/p/add-5.4-local-syscall-headers.patch: Add local copy of the
      architecture specific header files which specify system call numbers
      from linux-libc-dev in focal to ensure unit tests pass on older
      releases where the linux-libc-dev package does not have the required
      system calls defined and use these during compilation of unit tests
    - d/p/db-properly-reset-attribute-state.patch: Drop this patch since
      is now upstream
    - LP: #1876055
  * Add missing aarch64 system calls
    - d/p/fix-aarch64-syscalls.patch
    - LP: #1877633

 -- Alex Murray <email address hidden> Tue, 02 Jun 2020 14:09:28 +0930

This bug was fixed in the package libseccomp - 2.4.3-1ubuntu3.16.04.2

---------------
libseccomp (2.4.3-1ubuntu3.16.04.2) xenial; urgency=medium

  * Updated to new upstream 2.4.3 version for updated syscalls support
    and test-suite robustness
    - d/p/add-5.4-local-syscall-headers.patch: Add local copy of the
      architecture specific header files which specify system call numbers
      from linux-libc-dev in focal to ensure unit tests pass on older
      releases where the linux-libc-dev package does not have the required
      system calls defined and use these during compilation of unit tests
    - d/p/db-properly-reset-attribute-state.patch: Drop this patch since
      is now upstream
    - LP: #1876055
  * Add missing aarch64 system calls
    - d/p/fix-aarch64-syscalls.patch
    - LP: #1877633
  * Re-enable build failure on unit test failure

 -- Alex Murray <email address hidden> Tue, 02 Jun 2020 14:16:21 +0930

Hello Alex, or anyone else affected,

Accepted systemd into eoan-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/systemd/242-7ubuntu3.11 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-eoan to verification-done-eoan. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-eoan. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

This bug was fixed in the package systemd - 242-7ubuntu3.11

---------------
systemd (242-7ubuntu3.11) eoan; urgency=medium

  * fix arm64 ftbfs with libseccomp 2.4.3 (LP: #1876055)
    - d/p/fix-arm64-ftbfs-after-seccomp-upgrade.patch: backport from upstream

systemd (242-7ubuntu3.10) eoan; urgency=medium

  * fix issues with muliplexed shmat calls and libseccomp 2.4.3 (LP: #1876055)
    - d/p/lp-1853852-*: add backports based on the patches from LP #1853852

 -- Alex Murray <email address hidden> Mon, 15 Jun 2020 12:12:40 +0930