Univention Bugzilla – Bug 49440
missing patch in insserv - breaks upgrade of libvirt and bind9
Last modified: 2019-06-05 17:13:52 CEST
For UCS-4.3-0 a new version of insserv was imported from Debian, but the process failed to copy our patch to ignore files ending in .debian. This now breaks the upgrade of libvirt, as it has some files diverted by UCR and now that breaks the upgrade process:
> insserv: Service libvirtd has to be enabled to start service libvirt-guests
> insserv: exiting now!
> update-rc.d: error: insserv rejected the script header
> dpkg: Fehler beim Bearbeiten des Paketes libvirt-daemon-system (--configure):
> Unterprozess installiertes post-installation-Skript gab den Fehlerwert 1 zurück
> Fehler traten auf beim Bearbeiten von:
> libvirt-daemon-system
The patch directory was wrongly named "insserv/4.3-0-0-ucs/1.14.0-5.4+b1"
r18571 | Bug #49440: re-patch insserv
repo_admin.py --cherrypick -p insserv -r 4.3 --releasedest 4.3 --dest errata4.3-4
Package: insserv
Version: 1.14.0-5.4A~4.3.0.201905092020
Branch: ucs_4.3-0
Scope: errata4.3-4
[4.3-4] c1e5f52cf2 Bug #49440: insserv 1.14.0-5.4A~4.3.0.201905092020
 doc/errata/staging/insserv.yaml | 10 ++++++++++
 1 file changed, 10 insertions(+)
Please directly assign some QA when resolving a bug. Feel free to reassign as needed.
Reopen: I can not reproduce the problem in the first place. Looking at the patch comment, it seems like it adds ignoring of '.debian' files in /etc/init.d. Even when copying all .debian files from a system where the issue can be reproduced, the issue from comment0 does not arise.
I also found that insserv on the affected machine is from the unmaintained repository - starting with UCS 4.3 insserv was moved to unmaintained. But I am fine with fixing this issue for an unmaintained package in this case.
The reason to reopen this bug is that the build package version is lower than any other insserv package in our 4.x repository, so the updated package will not be installed by default:
~# apt-cache policy insserv
...
  Versionstabelle:
     1.14.0-5.A~4.3.2.201808311349 500
        500 https://updates.software-univention.de/4.3/unmaintained 4.3-2/amd64/ Packages
     1.14.0-5.7.201408200914 500
        500 https://updates.software-univention.de/4.0/maintained 4.0-0/amd64/ Packages
     1.14.0-5.4+b1A~4.3.0.201712181357 500
        500 https://updates.software-univention.de/4.3/unmaintained 4.3-0/amd64/ Packages
     1.14.0-5.4A~4.3.0.201905092020 500
        500 http://omar.knut.univention.de/build2 ucs_4.3-0-errata4.3-4/amd64/ Packages
(In reply to Erik Damrose from comment #3)
> The reason to reopen this bug is that the build package version is lower
> than any other insserv package in our 4.x repository, so the updated package
> will not be installed by default:
Fixed:
[4.3-4] 70e830bd01 Bug #49440: insserv 1.14.0-5.A~4.3.4.201905101844
 doc/errata/staging/insserv.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
[4.4-0] 5c5bf8b9de Bug #49441: insserv 1.14.0-5.A~4.4.0.201905101844
 doc/errata/staging/insserv.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
http://xen1.knut.univention.de:8000/packages/source/insserv/
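Added example, not part of the bug thread: a small re-implementation of the Debian version ordering, run over the insserv versions quoted above, to show why the first errata build sorted below every package already in the repositories and why the rebuild does not. The function and constant names are this example's own.

```python
from functools import cmp_to_key
import re

def _order(ch):
    """Rank one character as dpkg does: '~' < end-of-run/digit < letters < the rest."""
    if ch == "~":
        return -1
    if ch == "" or ch.isdigit():
        return 0
    return ord(ch) if ch.isalpha() else ord(ch) + 256

def _cmp_fragment(a, b):
    """Compare two upstream-version or revision strings."""
    i = j = 0
    while i < len(a) or j < len(b):
        # Non-digit runs are compared character by character using _order().
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            diff = _order(a[i:i + 1]) - _order(b[j:j + 1])
            if diff:
                return diff
            i, j = i + 1, j + 1
        # Digit runs are compared as integers (an empty run counts as 0).
        da, db = re.match(r"\d*", a[i:]).group(), re.match(r"\d*", b[j:]).group()
        if int(da or 0) != int(db or 0):
            return int(da or 0) - int(db or 0)
        i, j = i + len(da), j + len(db)
    return 0

def compare_versions(v1, v2):
    """Return <0, 0 or >0 for [epoch:]upstream[-revision] strings."""
    def split(v):
        epoch, rest = v.split(":", 1) if ":" in v else ("0", v)
        upstream, sep, revision = rest.rpartition("-")
        return int(epoch), (upstream if sep else rest), (revision if sep else "")
    (e1, u1, r1), (e2, u2, r2) = split(v1), split(v2)
    return (e1 - e2) or _cmp_fragment(u1, u2) or _cmp_fragment(r1, r2)

def candidate(versions):
    """Highest version, i.e. what apt picks when all pin priorities are equal (500 here)."""
    return max(versions, key=cmp_to_key(compare_versions))

# Versions copied from the apt-cache output and the "Fixed:" reply in the thread.
IN_REPOS = ["1.14.0-5.A~4.3.2.201808311349", "1.14.0-5.7.201408200914",
            "1.14.0-5.4+b1A~4.3.0.201712181357"]
FIRST_BUILD = "1.14.0-5.4A~4.3.0.201905092020"
REBUILT = "1.14.0-5.A~4.3.4.201905101844"

if __name__ == "__main__":
    print(candidate(IN_REPOS + [FIRST_BUILD]), candidate(IN_REPOS + [REBUILT]))
```

In the revision "5.4A~…" the digit 4 meets the letter A of "5.A~…" directly after the dot, and a digit ranks below any letter, so the first build loses to the 4.3-2 package.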
Happened on one of our internal servers, because insserv was installed, which used to be maintained and is unmaintained now since UCS 4.3. Erik could not reproduce this. Adjusting priority.
Happens again on a system where unmaintained is enabled:
> bind9 (1:9.10.3.dfsg.P4-12.3+deb9u5A~4.4.0.201905131414) wird eingerichtet ...
> insserv: Service samba-ad-dc has to be enabled to start service bind9
> insserv: exiting now!
> update-rc.d: error: insserv rejected the script header
"insserv" was maintained until 4.2, but was updated with 4.3-2 when a new Debian Point Update was imported. After that it got classified as "unmaintained" and is now released as "http://univention-repository.knut.univention.de/4.3/unmaintained 4.3-2/amd64/".
First the package looks like it should be maintained due to the following dependency chain:
insserv <- sysv-rc <- initscripts <- openjdk-7-jre-headless <- openjdk-7-jre <- openjdk-7-jdk <- univention-dojo-dev
But actually u-dojo-dev is not maintained as it is only required for _building_ UCS packages, but it is not a _runtime_ requirement on any UCS system.
So this mostly breaks development systems, where unmaintained is most often enabled and when then later an upgrade is performed. But every customer still having "insserv" installed and "unmaintained" enabled will get into this kind of problem when next a package is installed, which still provides a SysV-init script, where "update-rc.d" is called by "dpkg".
With "univention-bind" the issue is slightly different from the original issue with 'libvirt': git:952e11fe0c8 for Bug #43689 changed "conffiles/etc/init.d/bind9" to include the following two lines:
+# Required-Start: slapd samba-ad-dc
+# Required-Stop: slapd samba-ad-dc
This makes "samba-ad-dc" a _hard_ dependency even on systems without "samba4": There "insserv" as invoked through "update-rc.d" will not find any SysV-init-script providing "samba-ad-dc", which will refuse to re-order the scripts and aborts with an error, leading to "bind9.postinst" to fail the upgrade:
# update-rc.d bind9 defaults ; echo $?
insserv: Service samba-ad-dc has to be enabled to start service bind9
insserv: exiting now!
update-rc.d: error: insserv rejected the script header
1
[4.3-4] 1c0a37a9e7 Bug #49440 bind: Copyright 2019
...
[4.3-4] ad191b2995 Bug #49440 bind: Fix init script header
 services/univention-bind/conffiles/etc/init.d/bind9 | 13 ++++++++++---
 services/univention-bind/debian/changelog | 6 ++++++
 .../debian/univention-bind.univention-config-registry | 1 +
 3 files changed, 17 insertions(+), 3 deletions(-)
Package: univention-bind
Version: 12.0.2-8A~4.3.0.201905151707
Branch: ucs_4.3-0
Scope: errata4.3-4
[4.3-4] c4f606bb18 Bug #49440: univention-bind 12.0.2-8A~4.3.0.201905151707
 doc/errata/staging/univention-bind.yaml | 11 +++++++++++
 1 file changed, 11 insertions(+)
QA: After the update of 'univention-bind':
# update-rc.d bind9 defaults ; echo $?
insserv: script bind9.debian: service bind9 already provided!
...
0
After the additional update of 'insserv':
# apt install insserv=1.14.0-5.A~4.3.4.201905101844
# update-rc.d bind9 defaults ; echo $?
0
$ ucr get dns/backend
ldap
$ grep Required /etc/init.d/bind9
# Required-Start: slapd
# Required-Stop: slapd
$ ucr set dns/backend=samba4
$ grep Required /etc/init.d/bind9
# Required-Start: samba-ad-dc
# Required-Stop: samba-ad-dc
Reproducer:
# UCS 4-3-4 without Samba4
ucr set repository/online/unmaintained=yes
univention-install univention-dojo-dev # insserv=1.14.0-5.A~4.3.2.201808311349
cat >/etc/apt/sources.list <<'__APT__'
deb [trusted=yes] http://omar.knut.univention.de/build2/ ucs_4.3-0-errata4.3-4/all/
deb [trusted=yes] http://omar.knut.univention.de/build2/ ucs_4.3-0-errata4.3-4/$(ARCH)/
__APT__
univention-install bind9=1:9.10.3.dfsg.P4-12.3+deb9u5A~4.3.0.201905131409 # BUG
apt install univention-bind insserv
TODO: Cherry-pick the change to errata4.4-0
FYI: Upgrades might still break, as strictly speaking "univention-bind" must be upgraded before "insserv" before "bind9", but that cannot be expressed as inter-package dependencies. So this change actually will make sure the _future_ updates of "bind9" will not break "again".
Already affects customers: <https://help.univention.com/t/frage-zu-bind9-oder-systemd-oder-zu-sysvinit-oder-zu-runit-ich-bin-echt-nicht-sicher/12056>
(In reply to Philipp Hahn from comment #0)
> This now
> breaks the upgrade of libvirt, as it has some files diverted by UCR and now
> that breaks the upgrade process:
>
> > insserv: Service libvirtd has to be enabled to start service libvirt-guests
> > insserv: exiting now!
> > update-rc.d: error: insserv rejected the script header
Actually on krus it was a different problem:
-rwxr-xr-x 1 root root 5600 Jan 19 2017 /etc/init.d/libvirtd.debian.dpkg-dist
-rwxr-xr-x 1 root root 16672 Feb 20 2017 /etc/init.d/libvirt-guests
A previous update of the conffile could not be installed as the conffile was modified, so dpkg put the new conffile next to the old one with the '.dpkg-dist' suffix. When with Bug #43875 the UCR template for the legacy init script of libvirtd was removed, it "removed" the old file instead of moving the diverted 'libvirtd.debian' file back to 'libvirtd'. Now 'insserv' does not find the service because files ending in '.dpkg-*' are ignored by it.
Fixed by 'mv libvirtd.debian.dpkg-dist libvirtd ; dpkg --configure -a'.
Not sure if that has something to do with this bug, but some 4.3-4 update tests are broken currently
update from 4.2 to 4.3-4
Setting up bind9 (1:9.10.3.dfsg.P4-12.3+deb9u5A~4.3.0.201905131409) ...
insserv: Service samba-ad-dc has to be enabled to start service bind9
insserv: exiting now!
update-rc.d: error: insserv rejected the script header
dpkg: error processing package bind9 (--configure):
 subprocess installed post-installation script returned error exit status 1
Errors were encountered while processing:
 bind9
E: Sub-process /usr/bin/dpkg returned an error code (1)
exitcode of apt-get dist-upgrade: 100
ERROR: update failed. Please check /var/log/univention/updater.log
As far as I know, it only occurs on systems that were updated to UCS 4.3, new installations from 4.3 onward are not affected. So that would be the reason why the tests fail.
I found the error while adding debug statements to /usr/sbin/update-rc.d.
update-rc.d can call insserv with the -f option, that ignores any errors that occur. update-rc.d determines if it should use the -f option by checking if the package 'initscripts' is installed - which is not the case on a fresh UCS 4.3, but we never remove the package when updating from 4.2
Affects two more customers, so I'm "Who will be affected by this bug?".
(In reply to Michael Grandjean from comment #13)
> Affects two more customers, so I'm "Who will be affected by this bug?".
This should read '[...] so I'm _increasing_ "Who will be affected by this bug?".'
see also https://help.univention.com/t/12122
Happens again on a system where unmaintained is enabled:
> bind9 (1:9.10.3.dfsg.P4-12.3+deb9u5A~4.4.0.201905131414) wird eingerichtet ...
> insserv: Service samba-ad-dc has to be enabled to start service bind9
> insserv: exiting now!
> update-rc.d: error: insserv rejected the script header
"insserv" was maintained until 4.2, but was updated with 4.3-2 when a new Debian Point Update was imported. After that it got classified as "unmaintained" and is now released as "http://univention-repository.knut.univention.de/4.3/unmaintained 4.3-2/amd64/".
First the package looks like it should be maintained due to the following dependency chain:
insserv <- sysv-rc <- initscripts <- openjdk-7-jre-headless <- openjdk-7-jre <- openjdk-7-jdk <- univention-dojo-dev
But actually u-dojo-dev is not maintained as it is only required for _building_ UCS packages, but it is not a _runtime_ requirement on any UCS system.
So this mostly breaks development systems, where unmaintained is most often enabled and when then later an upgrade is performed. But every customer still having "insserv" and "initscripts" installed and "unmaintained" enabled will get into this kind of problem when next a package is installed, which still provides a SysV-init script, where "update-rc.d" is called by "dpkg".
With "univention-bind" the issue is slightly different from the original issue with 'libvirt': git:952e11fe0c8 for Bug #43689 changed "conffiles/etc/init.d/bind9" to include the following two lines:
+# Required-Start: slapd samba-ad-dc
+# Required-Stop: slapd samba-ad-dc
This makes "samba-ad-dc" a _hard_ dependency even on systems without "samba4": There "insserv" as invoked through "update-rc.d" will not find any SysV-init-script providing "samba-ad-dc", which will refuse to re-order the scripts and aborts with an error, leading to "bind9.postinst" to fail the upgrade:
# update-rc.d bind9 defaults ; echo $?
insserv: Service samba-ad-dc has to be enabled to start service bind9
insserv: exiting now!
update-rc.d: error: insserv rejected the script header
1
This is only flagged as an error when the package "initscripts" is still installed: This was the default until UCS-4.2; since then "systemd" is used. But on older systems the package remains installed and is used by "update-rc.d" to decide, if "insserv" is to be invoked with or without the "-f" option to force it to ignore errors. As "bind9" currently contains such an error, this leads to the upgrade failing.
[4.3-4] 1c0a37a9e7 Bug #49440 bind: Copyright 2019
...
[4.3-4] ad191b2995 Bug #49440 bind: Fix init script header
 services/univention-bind/conffiles/etc/init.d/bind9 | 13 ++++++++++---
 services/univention-bind/debian/changelog | 6 ++++++
 .../debian/univention-bind.univention-config-registry | 1 +
 3 files changed, 17 insertions(+), 3 deletions(-)
[4.3-4] c83149e793 Bug #49440 bind: Temporarily fix init script header
 services/univention-bind/debian/changelog | 6 ++++++
 services/univention-bind/debian/univention-bind.preinst | 10 ++++++++++
 2 files changed, 16 insertions(+)
Package: univention-bind
Version: 12.0.2-9A~4.3.0.201905201657
Branch: ucs_4.3-0
Scope: errata4.3-4
[4.3-4] c4f606bb18 Bug #49440: univention-bind 12.0.2-8A~4.3.0.201905151707
 doc/errata/staging/univention-bind.yaml | 11 +++++++++++
 1 file changed, 11 insertions(+)
[4.3-4] 73c1a490e8 Bug #49440: univention-bind 12.0.2-9A~4.3.0.201905201657
 doc/errata/staging/insserv.yaml | 2 +-
 doc/errata/staging/univention-bind.yaml | 6 +++---
 2 files changed, 4 insertions(+), 4 deletions(-)
QA:
1. Start with UCS-4.3-2 and install "insserv" and "initscripts"
2. run "insserv -n bind9" to verify, that the init-script is broken -
3. then try updating to UCS-4.3-3, where "bind9" will fail.
3. restart with 4.3-2 again and update to 4.3-3 *without* errata by setting
ucr set --forced repository/online/component/4.3-3-errata=no
4. Copy the fixed "insserv" and "univention-bind" packages to a separate repository, run "apt-ftparchive packages ." on it and add it to /etc/apt/sources.list:
deb [trusted=yes] file:///root/ ./
5. Re-enable the 4.3-3-errata component and install the errata updates - it should succeed now.
FYI: The update must be announced for 4.3-3 and 4.3-4 as the "bind9" update was a security update, which was also released for 4.3-3; therefore the fix must be applied there, too.
TODO: Cherry-pick the change to the init-script to errata4.4-0 after QA.
FYI: Upgrades might still break, as strictly speaking "univention-bind" must be upgraded before "insserv" before "bind9", but that cannot be expressed as inter-package dependencies. So this change actually will make sure the _future_ updates of "bind9" will not break "again". The hack in "univention-bind.preinst" should be early enough to be applied when the packages are upgraded "in one go", but it will not fix installations which already tried to install the update - there manual actions might be needed.
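Added example, not part of the bug thread: a pre-upgrade check that parses the LSB headers in an init.d directory and lists every Required-Start service that no script there provides, together with whether "initscripts" is installed (the condition the thread gives for the error being fatal). It is a simplification: it only checks that a providing script exists, not that it is enabled, and the function names are this example's own.

```python
import os
import subprocess
import tempfile

def lsb_header(path):
    """Parse the '### BEGIN INIT INFO' block of an init script into {field: [values]}."""
    fields, inside = {}, False
    with open(path, errors="replace") as fh:
        for line in fh:
            if line.startswith("### BEGIN INIT INFO"):
                inside = True
            elif line.startswith("### END INIT INFO"):
                break
            elif inside and line.startswith("#") and ":" in line:
                key, value = line[1:].split(":", 1)
                fields[key.strip()] = value.split()
    return fields

def missing_required(initdir="/etc/init.d"):
    """Return (script, service) pairs whose Required-Start has no provider in initdir."""
    headers = {}
    for name in sorted(os.listdir(initdir)):
        path = os.path.join(initdir, name)
        # Skipped as described in the thread: '.dpkg-*' leftovers and '.debian' diversions.
        if ".dpkg-" in name or name.endswith(".debian") or not os.path.isfile(path):
            continue
        headers[name] = lsb_header(path)
    provided = {svc for h in headers.values() for svc in h.get("Provides", [])}
    return [(name, svc) for name, h in headers.items()
            for svc in h.get("Required-Start", [])
            if not svc.startswith("$") and svc not in provided]  # "$x": virtual facility

def initscripts_installed():
    """Per the thread, update-rc.d passes -f to insserv unless 'initscripts' is installed."""
    cmd = ["dpkg-query", "-W", "-f=${Status}", "initscripts"]
    try:
        status = subprocess.run(cmd, capture_output=True, text=True).stdout
    except FileNotFoundError:  # not a dpkg-based host
        return False
    return status.startswith("install ok installed")

if __name__ == "__main__":
    # Constructed sample: bind9 header as quoted in the thread, on a host without samba4.
    sample = {"bind9": "# Provides: bind9\n# Required-Start: slapd samba-ad-dc\n",
              "slapd": "# Provides: slapd\n"}
    with tempfile.TemporaryDirectory() as d:
        for name, body in sample.items():
            with open(os.path.join(d, name), "w") as fh:
                fh.write("### BEGIN INIT INFO\n" + body + "### END INIT INFO\n")
        print("unresolved:", missing_required(d), "fatal:", initscripts_installed())
```

On a real host, call `missing_required()` with no argument before the upgrade; a non-empty result combined with `initscripts_installed()` returning True is the combination that made the bind9 postinst fail here.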
(In reply to Philipp Hahn from comment #15)
> The hack in
> "univention-bind.preinst" should be early enough to be applied when the
> packages are upgraded "in one go", but it will not fix installations which
> already tried to install the update - there manual actions might be needed.
How would these manual steps for bind9 look like?
(In reply to Timo Denissen from comment #16)
> (In reply to Philipp Hahn from comment #15)
> > The hack in
> > "univention-bind.preinst" should be early enough to be applied when the
> > packages are upgraded "in one go", but it will not fix installations which
> > already tried to install the update - there manual actions might be needed.
>
> How would these manual steps for bind9 look like?
rm -f /etc/rcS.d/S??mountkernfs.sh
sed -i -e '/^# Required-St/s/samba-ad-dc//' /etc/init.d/bind9
dpkg --configure -a
OK: Update from 4.3-3e407 to latest dev packages with fix
OK: Update from 4.3-3e504 with broken package state to latest dev packages with fix.
OK: dynamically update /etc/init.d/bind9 with UCR dns/backend setting
In my tests, it fixes the package state of UCS systems which have the unconfigured bind9 package remaining from updating bind9 in errata 499
Verified
<http://errata.software-univention.de/ucs/4.3/505.html>
<http://errata.software-univention.de/ucs/4.3/506.html>