Univention Bugzilla – Bug 43613
univention-updater should not remove univention-server packages
Last modified: 2024-02-02 14:59:19 CET
Bug #39092 only blocks the release update but doesn't block apt-get dist-upgrade to remove essential packages. The suggested solution is also not implemented. The return status of "apt-get -s dist-upgrade" is also not evaluated: Bug #40504 This happened just again to Dirk: Removing univention-ldap-config:amd64 rather than change slapd:amd64 > > I would like if this would also be prevented on a deeper layer (apt/dpkg) to > > protect more efficient against this case, as comment #0 suggests. Bug #41215 > > fixed the underlying reason and not that it is not possible anymore: > > A simple "apt-get install python2.6-dev" on UCS 4.2 will currently trigger > > this. > > Feel free to create a new one. +++ This bug was initially created as a clone of Bug #39092 +++ Investigate marking the SP:univention-server BPs (e.g. BP:univention-server-master) as "Essential": The role-meta-package depends on very many other packages and thus apt-get often thinks the best way to resolve conflicts is removing the role-meta-package. But this is never the correct solution for UCS systems. As "Essential" packages will never be removed this may point apt in the right direction to solve (or at least stop apt from effectively destroying the system)
*** Bug 40504 has been marked as a duplicate of this bug. ***
*** This bug has been marked as a duplicate of bug 46711 ***
*** Bug 46711 has been marked as a duplicate of this bug. ***
(In reply to Nico Stöckigt from Bug #46711 comment #0) > In the PREUP we check if the update will remove univention-server-m/b/s/m or > univention-basesystem and cancel if so. > There are more essential packages they never should be removed. > > e.g. univention-updater, univention-config, univention-config-registry,... > > The list of essential packages should be extended and included to the > 'fail_if_essential_package_will_be_removed()'.
There is a provider of a special Debian distro that ships an apt hook that prevents the uninstallation of their main metapackage. Maybe we should implement something similar as a safety net.
This happened again during the Kopano 5.0 upgrade where the kopano repository was somehow not activated leading to a conflict with Apache 2 so that it got removed and then also removed all univention packages.
Happened again in Bug #55379.
The helper for apt-get could also make sure that not only the UCS metapackage is protected but the metapackages of the installed apps as well. This is no solution for the actual update problems, but it is a safety net that prevents that suddenly apps are not installed after an UCS update. So it prevents broken systems by preventing the update in case of inconsistencies (at least in theory). (happened again → update done, and oxguard has been deinstalled silently)
Happened again due to a missing dependency
Created attachment 11185 [details] ucs-apt-hook → prevents removal of Univention's meta packages Proof of concept! Place the file in /etc/apt/ucs-apt-hook, make it executable and configure apt to use it: # chmod +x /etc/apt/ucs-apt-hook # cat > /etc/apt/apt.conf.d/10ucs-apt-hook <<EOF DPkg::Pre-Install-Pkgs { "/etc/apt/ucs-apt-hook"; }; DPkg::Tools::Options::/etc/apt/ucs-apt-hook ""; DPkg::Tools::Options::/etc/apt/ucs-apt-hook::Version "2"; DPkg::Tools::Options::/etc/apt/ucs-apt-hook::InfoFD "20"; EOF # Override the hook via "touch /etc/apt/ucs-apt-hook.override". As long as the file exists, the protection is disabled. Enable some debug output via "touch /etc/apt/ucs-apt-hook.enable-debug"
The output of the attached hook will look like this: root@pdn100:~# apt-get purge univention-server-master Reading package lists... Done Building dependency tree Reading state information... Done The following packages were automatically installed and are no longer required: bc bind9 bind9utils cifs-utils cups-bsd cups-client dns-root-data dpt-i2o-raidutils heimdal-kdc heimdal-servers libarchive13 libgpgme11 libkdc2-heimdal libodbc1 libopts25 libpam-univentionmailcyrus libpq5 libsmbclient memtest86+ monitoring-plugins monitoring-plugins-basic monitoring-plugins-common monitoring-plugins-standard nagios-nrpe-server netcat-openbsd nfs-kernel-server ntp openbsd-inetd php php-cgi php-cli php-common php-curl php-krb5 php-ldap php-memcache php-xml php7.3 php7.3-cgi php7.3-cli php7.3-common php7.3-curl php7.3-json php7.3-ldap php7.3-opcache php7.3-readline php7.3-xml postgresql-client-11 postgresql-client-common python3-click python3-colorama python3-decorator python3-gdbm python3-genshi python3-mimeparse python3-ply python3-prometheus-client python3-pygresql python3-reportlab python3-reportlab-accel python3-trml2pdf python3-univention-directory-manager-rest python3-univention-directory-manager-rest-client python3-univention-directory-reports python3-univention-group-membership-cache python3-univention-pkgdb python3-univention-portal python3-uritemplate samba-common samba-common-bin samba-dsdb-modules simplesamlphp slapd smbclient stunnel4 tcpd univention-bind univention-directory-manager-rest univention-directory-notifier univention-directory-reports univention-firewall univention-group-membership-cache univention-heimdal-kdc univention-initrd univention-ldap-acl-master univention-ldap-client univention-ldap-config univention-ldap-config-master univention-ldap-overlay-memberof univention-ldap-server univention-license-import univention-mail-postfix univention-maintenance univention-management-console-module-ipchange univention-management-console-module-udm univention-management-console-module-welcome univention-monitoring-client univention-monitoring-plugins univention-nagios-client univention-nagios-common univention-newsid univention-nfs-server univention-pkgdb-tools univention-portal univention-role-common univention-role-server-common univention-saml univention-server-overview update-inetd Use 'apt autoremove' to remove them. The following packages will be REMOVED: univention-server-master* 0 upgraded, 0 newly installed, 1 to remove and 0 not upgraded. After this operation, 284 kB disk space will be freed. Do you want to continue? [Y/n] W: ucs-apt-hook: W: ucs-apt-hook: !!! ERROR !!! W: ucs-apt-hook: An attempt was made to uninstall the 'univention-server-master' meta package. W: ucs-apt-hook: This usually leads to a defective UCS system. The trigger for the W: ucs-apt-hook: uninstallation attempt can be a problem when resolving automatic W: ucs-apt-hook: package dependencies or a manual uninstallation attempt. W: ucs-apt-hook: W: ucs-apt-hook: If this message occurred during an app installation/update/uninstall W: ucs-apt-hook: or a UCS system update, please visit W: ucs-apt-hook: https://help.univention.de/REPLACEME W: ucs-apt-hook: for the next steps. W: ucs-apt-hook: E: Sub-process /etc/apt/ucs-apt-hook returned an error code (1) E: Failure running script /etc/apt/ucs-apt-hook root@pdn100:~#
(In reply to Sönke Schwardt-Krummrich from comment #11) > Created attachment 11185 [details] > ucs-apt-hook → prevents removal of Univention's meta packages > > Proof of concept! The hook does not cover a backup2master scenario at the moment. But a) it would be possible to detect this in the hook (univention-server-backup=REMOVE & univention-server-master=INSTALL in the same run) b) use the override for such scenarios