After upgrading a UCS system from 5.0 to 5.2, several essential packages were unexpectedly removed, including *univention-firewall*, *bind9*, and *univention-role-common*. The absence of these components leads to missing configuration files, incomplete service setups, and disrupted network behavior. One practical impact is visible in the *ucsschool-id-connector*: due to the removed firewall package, all associated iptables/NAT rules were lost. As a result, Docker containers—such as the connector container—cannot reach systems outside their own subnet. Starting univention-upgrade. Current UCS version is 5.1-0 errata0 [...] Checking for release updates: found: UCS 5.2-0 Starting update to UCS version 5.2-0 at Sat Oct 4 17:31:59 2025... Starting update to UCS version 5.2-0 [...] Paketlisten werden gelesen… Abhängigkeitsbaum wird aufgebaut… Statusinformationen werden eingelesen… Die folgenden Pakete werden ENTFERNT: bc bind9 bind9-utils libreadline7 memtest86+ nfs-kernel-server python3-gdbm python3-gnupg python3-pygresql python3-univention-group-membership-cache python3-univention-pkgdb python3-univention-portal univention-firewall univention-group-membership-cache univention-initrd univention-maintenance univention-nfs-server univention-pkgdb-tools univention-portal univention-role-common univention-support-info 0 aktualisiert, 0 neu installiert, 21 zu entfernen und 1 nicht aktualisiert. [...] root@backup01:~ # dpkg -l | grep -i firewall rc univention-firewall 13.0.3 all UCS - firewall integration
Please upload log files to bugzilla, because in a pastebin they will vanish at some point.
apt-history shows, that someone had to cleanup boot during update, but this caused univention-role-server-common to get removed. Start-Date: 2025-10-04 17:31:30 Commandline: apt purge linux-image-5.10.0-30-amd64 Install: univention-container-role-server-common:amd64 (16.0.6, automatic), univention-docker-container-mode:amd64 (6.0.1A~5.1.0.202402201049, automatic), univention-cont ainer-role-common:amd64 (16.0.6, automatic) Purge: univention-bind:amd64 (15.0.6), linux-image-5.10.0-30-amd64:amd64 (5.10.218-1), linux-image-amd64:amd64 (5.10.218-1), univention-role-server-common:amd64 (16.0.6) End-Date: 2025-10-04 17:31:36
root@master:~# apt purge linux-image-5.10-amd64 Reading package lists... Done Building dependency tree Reading state information... Done The following packages were automatically installed and are no longer required: bc bind9 bind9utils cifs-utils cups-bsd cups-client dns-root-data dpt-i2o-raidutils heimdal-kdc heimdal-servers ldb-tools libarchive13 libdbi1 libevent-core-2.1-6 libevent-pthreads-2.1-6 libkdc2-heimdal libnet-snmp-perl libodbc1 libopts25 libpam-univentionmailcyrus libradcli4 libsensors-config libsensors5 libsmbclient libsnmp-base libsnmp30 memtest86+ monitoring-plugins monitoring-plugins-basic monitoring-plugins-common monitoring-plugins-standard nagios-nrpe-server net-tools netcat-openbsd nfs-kernel-server ntp openbsd-inetd php php-cgi php-cli php-common php-curl php-krb5 php-ldap php-memcache php-webmozart-assert php-xml php7.3 php7.3-cgi php7.3-cli php7.3-common php7.3-curl php7.3-json php7.3-ldap php7.3-opcache php7.3-readline php7.3-xml postgresql-client postgresql-client-11 postgresql-client-common python3-click python3-colorama python3-gdbm python3-genshi python3-gnupg python3-mimeparse python3-ply python3-prometheus-client python3-pygresql python3-renderpm python3-reportlab python3-reportlab-accel python3-trml2pdf python3-univention-connector python3-univention-connector-ad python3-univention-directory-manager-rest python3-univention-directory-manager-rest-client python3-univention-directory-reports python3-univention-group-membership-cache python3-univention-pkgdb python3-univention-portal python3-uritemplate samba-common samba-common-bin samba-dsdb-modules simplesamlphp slapd smbclient snmp sntp sqlite3 stunnel4 tcpd univention-directory-manager-rest univention-directory-notifier univention-directory-reports univention-firewall univention-group-membership-cache univention-heimdal-kdc univention-initrd univention-ldap-acl-master univention-ldap-client univention-ldap-config univention-ldap-config-master univention-ldap-overlay-memberof univention-ldap-server univention-license-import univention-mail-postfix univention-maintenance univention-management-console-module-ipchange univention-management-console-module-udm univention-management-console-module-welcome univention-monitoring-ad-connector univention-monitoring-client univention-monitoring-plugins univention-nagios-ad-connector univention-nagios-client univention-nagios-common univention-newsid univention-nfs-server univention-pkgdb-tools univention-portal univention-role-common univention-saml univention-server-overview univention-support-info update-inetd Use 'apt autoremove' to remove them. The following packages will be REMOVED: linux-image-5.10-amd64* univention-ad-connector* univention-bind* univention-management-console-module-adconnector* univention-role-server-common* univention-server-master* 0 upgraded, 0 newly installed, 6 to remove and 0 not upgraded. After this operation, 1.014 kB disk space will be freed. Do you want to continue? [Y/n]
Looks like the customer removed linux-image-5.10.0-30-amd64 due to our pre-update check that showed that the boot partition doesn't have enough space. But as you can see above, that will remove "univention-role-server-common" as well. We should check if we can adjust the dependencies in a way that "univention-role-server-common" is not removed if the kernel is removed. You probably already have enough problems if you remove the default kernel, no need to make it even worse.
One important takeaway for me from this: The updater should check if the packages - univention-role-server-common - univention-role-common - the univention-role package (depending on server/role) are installed, before the update (preup check). If they are not installed, abort the update. Better to not do an update that breaks the system.
please see also: https://help.univention.com/t/problem-checking-disk-space-fail/24418 > You are in a conflictiong situation, that you are updateing from UCS-5.0-10 to 5.2, and stuck with the disk_space check from the preupdate in version 5.1 > You have a new kernel, and the running one. > If you check to remove one of the kernals you see, that univention-server-master will be removed as well.
I agree to Comment 7. Since ad2d88025fc2 For Bug #51655 for UCS 5.0 the "update_check_disk_space" in check.sh in univention-updater explains that "univention-prune-kernels" can be run to free up disk space in /boot, which takes care to not uninstall the currently running kernel.
Year and years, and again and again. We know that univention-server can be removed by certain things and we don't prevent it, while we have the ideas how to do it (1. apt hook; or 2. mark as essential). See Bug #43613, Bug #42966, Bug #46711, Bug #45832, Bug #39481, Bug #39092, Bug #37907, Bug #38009, ...