
group.of.nepali.translators team mailing list archive

[Bug 1906364] Re: unattended-upgrade still restarts blacklisted daemons

 

I'd like to give you all an update and outline our plans for this.

The Canonical server team has made analysis of this issue a top
priority.  We've identified and tested out several possible theories.
Our findings suggest that the breakage involves two distinct issues, one
the BindTo= issue mentioned above, the other caused by a bug in the
docker.io package causing the service to stop on package upgrade; see
specifically the service stop command at the end of
/var/lib/dpkg/info/docker.io.prerm.  We'll use LP: #1870514 to track the
former issue, and #1906364 the latter.  LP: #1658691 gives some past
background for reference.

The tricky part is that unfortunately any change we make to docker.io
requires the running of the prerm script (the version of the script
already present on your system, not the one we'd be installing), and
thus triggers the bug.  In other words, updating your system to prevent
the bug will cause one more docker stop.  Thereafter, the upgrade will
not restart the service when rolling out CVE fixes to either containerd
or docker.io; it may prompt to do so if running interactively (e.g.
https://imgur.com/2Za5dbQ.png), otherwise it should respect the debconf
setting.

We would appreciate feedback, testing and/or review of the proposed fix,
available in this PPA:

   https://launchpad.net/~bryce/+archive/ubuntu/containerd-sru-lp1870514-docker-dh/


** Also affects: unattended-upgrades (Ubuntu Xenial)
   Importance: Undecided
       Status: New

** Also affects: docker.io (Ubuntu Xenial)
   Importance: Undecided
       Status: New

** Also affects: containerd (Ubuntu Xenial)
   Importance: Undecided
       Status: New

** Also affects: unattended-upgrades (Ubuntu Hirsute)
   Importance: Undecided
       Status: Won't Fix

** Also affects: docker.io (Ubuntu Hirsute)
   Importance: Undecided
       Status: Confirmed

** Also affects: containerd (Ubuntu Hirsute)
   Importance: Undecided
       Status: Confirmed

** Also affects: unattended-upgrades (Ubuntu Bionic)
   Importance: Undecided
       Status: New

** Also affects: docker.io (Ubuntu Bionic)
   Importance: Undecided
       Status: New

** Also affects: containerd (Ubuntu Bionic)
   Importance: Undecided
       Status: New

** Also affects: unattended-upgrades (Ubuntu Groovy)
   Importance: Undecided
       Status: New

** Also affects: docker.io (Ubuntu Groovy)
   Importance: Undecided
       Status: New

** Also affects: containerd (Ubuntu Groovy)
   Importance: Undecided
       Status: New

** Also affects: unattended-upgrades (Ubuntu Focal)
   Importance: Undecided
       Status: New

** Also affects: docker.io (Ubuntu Focal)
   Importance: Undecided
       Status: New

** Also affects: containerd (Ubuntu Focal)
   Importance: Undecided
       Status: New

** Changed in: unattended-upgrades (Ubuntu Groovy)
       Status: New => Won't Fix

** No longer affects: containerd (Ubuntu)

** Changed in: unattended-upgrades (Ubuntu Focal)
       Status: New => Won't Fix

** Changed in: unattended-upgrades (Ubuntu Bionic)
       Status: New => Won't Fix

** Changed in: unattended-upgrades (Ubuntu Xenial)
       Status: New => Won't Fix

** Changed in: docker.io (Ubuntu Xenial)
   Importance: Undecided => High

** Changed in: docker.io (Ubuntu Xenial)
       Status: New => In Progress

** Changed in: docker.io (Ubuntu Xenial)
     Assignee: (unassigned) => Bryce Harrington (bryce)

** Changed in: docker.io (Ubuntu Xenial)
   Importance: High => Critical

** Changed in: docker.io (Ubuntu Bionic)
   Importance: Undecided => Critical

** Changed in: docker.io (Ubuntu Bionic)
       Status: New => In Progress

** Changed in: docker.io (Ubuntu Focal)
   Importance: Undecided => Critical

** Changed in: docker.io (Ubuntu Focal)
       Status: New => In Progress

** Changed in: docker.io (Ubuntu Groovy)
   Importance: Undecided => Critical

** Changed in: docker.io (Ubuntu Groovy)
       Status: New => In Progress

** Changed in: docker.io (Ubuntu Hirsute)
   Importance: Undecided => Critical

** Changed in: docker.io (Ubuntu Hirsute)
       Status: Confirmed => In Progress

** Changed in: docker.io (Ubuntu Hirsute)
     Assignee: (unassigned) => Bryce Harrington (bryce)

** No longer affects: containerd (Ubuntu Xenial)

** No longer affects: containerd (Ubuntu Bionic)

** No longer affects: containerd (Ubuntu Focal)

** No longer affects: containerd (Ubuntu Groovy)

** No longer affects: containerd (Ubuntu Hirsute)

-- 
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1906364

Title:
  unattended-upgrade still restarts blacklisted daemons

Status in docker.io package in Ubuntu:
  In Progress
Status in unattended-upgrades package in Ubuntu:
  Won't Fix
Status in docker.io source package in Xenial:
  In Progress
Status in unattended-upgrades source package in Xenial:
  Won't Fix
Status in docker.io source package in Bionic:
  In Progress
Status in unattended-upgrades source package in Bionic:
  Won't Fix
Status in docker.io source package in Focal:
  In Progress
Status in unattended-upgrades source package in Focal:
  Won't Fix
Status in docker.io source package in Groovy:
  In Progress
Status in unattended-upgrades source package in Groovy:
  Won't Fix
Status in docker.io source package in Hirsute:
  In Progress
Status in unattended-upgrades source package in Hirsute:
  Won't Fix

Bug description:
  Hello,

  Today plenty of our systems running Ubuntu 20.04 were restarting the
  docker daemon, even if I blacklisted the docker package. Since docker
  has a dependency on containerd, that's the reason why it was restarted.
  IMO the blacklist should also check the full tree of dependencies...
  This should NOT happen!

  From the log you find:

  2020-12-01 06:40:13,881 INFO Starting unattended upgrades script
  2020-12-01 06:40:13,882 INFO Allowed origins are: o=Ubuntu,a=focal, o=Ubuntu,a=focal-security, o=UbuntuESMApps,a=focal-apps-security, o=UbuntuESM,a=focal-infra-security
  2020-12-01 06:40:13,882 INFO Initial blacklist: docker docker.io
  2020-12-01 06:40:13,882 INFO Initial whitelist (not strict):
  2020-12-01 06:40:19,139 INFO Packages that will be upgraded: containerd qemu-block-extra qemu-kvm qemu-system-common qemu-system-data qemu-system-gui qemu-system-x86 qemu-utils
  2020-12-01 06:40:19,140 INFO Writing dpkg log to /var/log/unattended-upgrades/unattended-upgrades-dpkg.log
  2020-12-01 06:40:46,996 INFO All upgrades installed
  2020-12-01 06:40:50,732 INFO Starting unattended upgrades script
  2020-12-01 06:40:50,732 INFO Allowed origins are: o=Ubuntu,a=focal, o=Ubuntu,a=focal-security, o=UbuntuESMApps,a=focal-apps-security, o=UbuntuESM,a=focal-infra-security
  2020-12-01 06:40:50,733 INFO Initial blacklist: docker docker.io
  2020-12-01 06:40:50,733 INFO Initial whitelist (not strict):

  Also this happened for us on plenty of our servers almost at the same
  time (why are the unattended updates not spread over time?), which
  destroyed, for the second time, a production environment.

  This is not how unattended-upgrades should be; sadly, this package lost
  our trust and we disable it and schedule the 'unattended updates' now
  on our own.

  PS: Not to say that on some servers the docker daemon did not even
  restart..

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/docker.io/+bug/1906364/+subscriptions
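
An added example (not part of the bug report or of unattended-upgrades itself): a log check that flags runs in which an upgraded package is a dependency of a blacklisted one, as with containerd and docker.io in the log above. The `DEPENDS` map and the sample log lines are constructed assumptions; on a real host the map would be built from `apt-cache depends`.

```python
import re

# Constructed sample in the format of the unattended-upgrades log quoted above.
SAMPLE_LOG = """\
2020-12-01 06:40:13,881 INFO Starting unattended upgrades script
2020-12-01 06:40:13,882 INFO Initial blacklist: docker docker.io
2020-12-01 06:40:19,139 INFO Packages that will be upgraded: containerd qemu-utils
2020-12-01 06:40:46,996 INFO All upgrades installed
2020-12-01 06:40:50,732 INFO Starting unattended upgrades script
2020-12-01 06:40:50,733 INFO Initial blacklist: docker docker.io
"""

# Assumed dependency map; on a real host build it from `apt-cache depends <pkg>`.
DEPENDS = {"docker.io": {"containerd"}}

LINE = re.compile(r"^(\S+ \S+) INFO (.*)$")


def parse_runs(text):
    """Split the log into runs; each run records its blacklist and upgrade set."""
    runs = []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        stamp, msg = m.groups()
        if msg.startswith("Starting unattended upgrades script"):
            runs.append({"start": stamp, "blacklist": [], "upgraded": []})
        elif not runs:
            continue  # log fragment that begins mid-run
        elif msg.startswith("Initial blacklist:"):
            runs[-1]["blacklist"] = msg.split(":", 1)[1].split()
        elif msg.startswith("Packages that will be upgraded:"):
            runs[-1]["upgraded"] = msg.split(":", 1)[1].split()
    return runs


def blacklist_gaps(runs, depends):
    """Return (run start, blacklisted pkg, upgraded dependency) triples."""
    hits = []
    for run in runs:
        for pkg in run["blacklist"]:
            for dep in sorted(depends.get(pkg, set()) & set(run["upgraded"])):
                hits.append((run["start"], pkg, dep))
    return hits


if __name__ == "__main__":
    for start, pkg, dep in blacklist_gaps(parse_runs(SAMPLE_LOG), DEPENDS):
        print(f"{start}: blacklisted {pkg} depends on upgraded {dep}")
```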