Bug 43613 - univention-updater should not remove univention-server packages
Status: REOPENED
Product: UCS
Classification: Unclassified
Component: Update - univention-updater
UCS 5.0
Other Linux
Importance: P5 normal with 8 votes
Assigned To: UCS maintainers
Duplicates: 40504 46711
Depends on: 39092
Reported: 2017-02-22 15:28 CET by Florian Best
Modified: 2024-02-02 14:59 CET

What kind of report is it?: Bug Report
What type of bug is this?: 7: Crash: Bug causes crash or data loss
Who will be affected by this bug?: 1: Will affect a very few installed domains
How will those affected feel about the bug?: 5: Blocking further progress on the daily work
User Pain: 0.200


Attachments
ucs-apt-hook → prevents removal of Univention's meta packages (1.98 KB, text/plain)
2024-02-02 11:00 CET, Sönke Schwardt-Krummrich

Description Florian Best univentionstaff 2017-02-22 15:28:46 CET
Bug #39092 only blocks the release update but doesn't block apt-get dist-upgrade from removing essential packages.
The suggested solution is also not implemented.

The return status of "apt-get -s dist-upgrade" is also not evaluated: Bug #40504

This happened just again to Dirk:
Removing univention-ldap-config:amd64 rather than change slapd:amd64

> > I would like if this would also be prevented on a deeper layer (apt/dpkg) to
> > protect more efficiently against this case, as comment #0 suggests. Bug #41215
> > fixed the underlying reason and not that it is not possible anymore:
> > A simple "apt-get install python2.6-dev" on UCS 4.2 will currently trigger
> > this.
> 
> Feel free to create a new one.

+++ This bug was initially created as a clone of Bug #39092 +++

Investigate marking the SP:univention-server BPs (e.g. BP:univention-server-master) as "Essential":

The role-meta-package depends on very many other packages and thus apt-get often thinks the best way to resolve conflicts is removing the role-meta-package. But this is never the correct solution for UCS systems.

As "Essential" packages will never be removed, this may point apt in the right direction to solve (or at least stop apt from effectively destroying the system).
Comment 1 Florian Best univentionstaff 2017-02-22 15:29:23 CET
*** Bug 40504 has been marked as a duplicate of this bug. ***
Comment 2 Philipp Hahn univentionstaff 2020-07-29 17:21:37 CEST

*** This bug has been marked as a duplicate of bug 46711 ***
Comment 3 Florian Best univentionstaff 2021-10-12 10:51:19 CEST
*** Bug 46711 has been marked as a duplicate of this bug. ***
Comment 4 Florian Best univentionstaff 2021-10-12 10:52:00 CEST
(In reply to Nico Stöckigt from Bug #46711 comment #0)
> In the PREUP we check if the update will remove univention-server-m/b/s/m or
> univention-basesystem and cancel if so.
> There are more essential packages that should never be removed.
> 
> e.g. univention-updater, univention-config, univention-config-registry,...
> 
> The list of essential packages should be extended and included in the
> 'fail_if_essential_package_will_be_removed()'.
Comment 5 Sönke Schwardt-Krummrich univentionstaff 2021-10-12 10:53:49 CEST
There is a provider of a special Debian distro that ships an apt hook that prevents the uninstallation of their main metapackage. Maybe we should implement something similar as a safety net.
Comment 7 Florian Best univentionstaff 2022-08-18 15:12:54 CEST
This happened again during the Kopano 5.0 upgrade where the kopano repository was somehow not activated leading to a conflict with Apache 2 so that it got removed and then also removed all univention packages.
Comment 8 Florian Best univentionstaff 2022-11-03 13:46:54 CET
Happened again in Bug #55379.
Comment 9 Sönke Schwardt-Krummrich univentionstaff 2023-07-03 12:19:44 CEST
The helper for apt-get could also make sure that not only the UCS metapackage is protected but the metapackages of the installed apps as well.

This is no solution for the actual update problems, but it is a safety net that prevents that suddenly apps are not installed after a UCS update. So it prevents broken systems by preventing the update in case of inconsistencies (at least in theory).

(happened again → update done, and oxguard has been deinstalled silently)
Comment 10 Sönke Schwardt-Krummrich univentionstaff 2024-02-01 18:21:34 CET
Happened again due to a missing dependency.
Comment 11 Sönke Schwardt-Krummrich univentionstaff 2024-02-02 11:00:35 CET
Created attachment 11185
ucs-apt-hook → prevents removal of Univention's meta packages

Proof of concept!

Place the file in /etc/apt/ucs-apt-hook, make it executable and configure apt to use it:

# chmod +x /etc/apt/ucs-apt-hook
# cat > /etc/apt/apt.conf.d/10ucs-apt-hook <<EOF
DPkg::Pre-Install-Pkgs { "/etc/apt/ucs-apt-hook"; };
DPkg::Tools::Options::/etc/apt/ucs-apt-hook "";
DPkg::Tools::Options::/etc/apt/ucs-apt-hook::Version "2";
DPkg::Tools::Options::/etc/apt/ucs-apt-hook::InfoFD "20";
EOF
#

Override the hook via "touch /etc/apt/ucs-apt-hook.override". As long as the file exists, the protection is disabled.

Enable some debug output via "touch /etc/apt/ucs-apt-hook.enable-debug"
Comment 12 Sönke Schwardt-Krummrich univentionstaff 2024-02-02 11:02:37 CET
The output of the attached hook will look like this:

root@pdn100:~# apt-get purge univention-server-master
Reading package lists... Done
Building dependency tree       
Reading state information... Done
The following packages were automatically installed and are no longer required:
  bc bind9 bind9utils cifs-utils cups-bsd cups-client dns-root-data dpt-i2o-raidutils heimdal-kdc heimdal-servers libarchive13 libgpgme11 libkdc2-heimdal libodbc1 libopts25 libpam-univentionmailcyrus libpq5 libsmbclient memtest86+
  monitoring-plugins monitoring-plugins-basic monitoring-plugins-common monitoring-plugins-standard nagios-nrpe-server netcat-openbsd nfs-kernel-server ntp openbsd-inetd php php-cgi php-cli php-common php-curl php-krb5 php-ldap
  php-memcache php-xml php7.3 php7.3-cgi php7.3-cli php7.3-common php7.3-curl php7.3-json php7.3-ldap php7.3-opcache php7.3-readline php7.3-xml postgresql-client-11 postgresql-client-common python3-click python3-colorama
  python3-decorator python3-gdbm python3-genshi python3-mimeparse python3-ply python3-prometheus-client python3-pygresql python3-reportlab python3-reportlab-accel python3-trml2pdf python3-univention-directory-manager-rest
  python3-univention-directory-manager-rest-client python3-univention-directory-reports python3-univention-group-membership-cache python3-univention-pkgdb python3-univention-portal python3-uritemplate samba-common samba-common-bin
  samba-dsdb-modules simplesamlphp slapd smbclient stunnel4 tcpd univention-bind univention-directory-manager-rest univention-directory-notifier univention-directory-reports univention-firewall univention-group-membership-cache
  univention-heimdal-kdc univention-initrd univention-ldap-acl-master univention-ldap-client univention-ldap-config univention-ldap-config-master univention-ldap-overlay-memberof univention-ldap-server univention-license-import
  univention-mail-postfix univention-maintenance univention-management-console-module-ipchange univention-management-console-module-udm univention-management-console-module-welcome univention-monitoring-client
  univention-monitoring-plugins univention-nagios-client univention-nagios-common univention-newsid univention-nfs-server univention-pkgdb-tools univention-portal univention-role-common univention-role-server-common univention-saml
  univention-server-overview update-inetd
Use 'apt autoremove' to remove them.
The following packages will be REMOVED:
  univention-server-master*
0 upgraded, 0 newly installed, 1 to remove and 0 not upgraded.
After this operation, 284 kB disk space will be freed.
Do you want to continue? [Y/n] 
W: ucs-apt-hook: 
W: ucs-apt-hook: !!! ERROR !!!
W: ucs-apt-hook: An attempt was made to uninstall the 'univention-server-master' meta package.
W: ucs-apt-hook: This usually leads to a defective UCS system. The trigger for the
W: ucs-apt-hook: uninstallation attempt can be a problem when resolving automatic
W: ucs-apt-hook: package dependencies or a manual uninstallation attempt.
W: ucs-apt-hook: 
W: ucs-apt-hook: If this message occurred during an app installation/update/uninstall
W: ucs-apt-hook: or a UCS system update, please visit
W: ucs-apt-hook: https://help.univention.de/REPLACEME
W: ucs-apt-hook: for the next steps.
W: ucs-apt-hook: 
E: Sub-process /etc/apt/ucs-apt-hook returned an error code (1)
E: Failure running script /etc/apt/ucs-apt-hook
root@pdn100:~#
Comment 13 Sönke Schwardt-Krummrich univentionstaff 2024-02-02 14:59:19 CET
(In reply to Sönke Schwardt-Krummrich from comment #11)
> Created attachment 11185
> ucs-apt-hook → prevents removal of Univention's meta packages
> 
> Proof of concept!

The hook does not cover a backup2master scenario at the moment. But
a) it would be possible to detect this in the hook 
   (univention-server-backup=REMOVE & univention-server-master=INSTALL in the same run)
b) use the override for such scenarios
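
The checks discussed in comments 11 to 13, as an added example: this is not the attached ucs-apt-hook, whose contents are not shown on this page. It reads APT's hook protocol version 2 from the InfoFD configured above, refuses removal of protected metapackages, and allows the backup-to-master switch from case a). The protected package list, the sample stream and its version numbers are assumptions constructed for illustration.

```python
import os
import sys

# Assumed protection list (names from this report, not the attachment's list).
PROTECTED = {"univention-server-master", "univention-server-backup",
             "univention-basesystem"}
OVERRIDE = "/etc/apt/ucs-apt-hook.override"  # override file from comment 11

# Constructed sample of what apt writes to the InfoFD (versions are made up).
SAMPLE = """VERSION 2
APT::Architecture=amd64

univention-server-master 1.0 > - **REMOVE**
slapd 1.0 < 1.1 /var/cache/apt/archives/slapd_1.1_amd64.deb
""".splitlines()

def parse_actions(lines):
    """Return (name, old, new, action) tuples from a version 2 hook stream."""
    it = (line.rstrip("\n") for line in lines)
    if next(it, "") != "VERSION 2":
        raise ValueError("expected 'VERSION 2' header")
    for line in it:  # skip the key=value configuration dump up to the blank line
        if line == "":
            break
    # Five fields: name, old version, direction, new version, action.
    rows = (line.split(" ", 4) for line in it)
    return [(r[0], r[1], r[3], r[4]) for r in rows if len(r) == 5]

def blocked_removals(actions, protected=frozenset(PROTECTED)):
    """Protected packages this run would remove, except a backup-to-master switch."""
    removed = {n for n, _, _, act in actions if act == "**REMOVE**" and n in protected}
    unpacked = {n for n, old, _, act in actions if old == "-" and not act.startswith("**")}
    # Case a) from comment 13: backup removed while master is newly installed.
    if "univention-server-backup" in removed and "univention-server-master" in unpacked:
        removed.discard("univention-server-backup")
    return sorted(removed)

def main():
    if os.path.exists(OVERRIDE):  # protection disabled while the file exists
        return 0
    fd = int(os.environ.get("APT_HOOK_INFO_FD", "20"))  # InfoFD "20" in the apt.conf above
    with os.fdopen(fd) as stream:
        blocked = blocked_removals(parse_actions(stream))
    for name in blocked:
        print(f"ucs-apt-hook: refusing to remove '{name}'", file=sys.stderr)
    return 1 if blocked else 0  # non-zero exit makes apt abort before dpkg runs

if __name__ == "__main__":
    sys.exit(main())
```

Extending the protection to app metapackages, as comment 9 suggests, would only change how the protected set is built.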