[Touch-packages] [Bug 1770290] Re: package openssh-server 1:7.6p1-4 failed to install/upgrade: installed openssh-server package post-installation script subprocess was killed by signal (Broken pipe)

2018-05-11 Thread ChristianEhrhardt
Thank you for taking the time to report this bug and helping to make
Ubuntu better.

On upgrading a service, this service has to be restarted to pick up the fixes.
Rather rarely a real issue occurs, e.g. the newer version fails with the
formerly working configuration.
But most of the time what happens is that a service was installed but stays
unconfigured, or was experimented with but left in a broken state.

Now on any update of the related packages that service has to be restarted, but
since its config is incomplete/faulty it fails to restart.
Therefore the update of that package has to consider itself incomplete.

Depending on your particular case there are two solutions:
- Either remove the offending package if you don't want to continue using it.
- Or, if you do want to keep it, please fix the configuration so that
  restarting the service will work.

Since it seems likely to me that this is a local configuration problem,
rather than a bug in Ubuntu, I'm marking this bug as Incomplete.

If indeed this is a local configuration problem, you can find pointers
to get help for this sort of problem here:
http://www.ubuntu.com/support/community

Or if you believe that this is really a bug, then you may find it
helpful to read "How to report bugs effectively"
http://www.chiark.greenend.org.uk/~sgtatham/bugs.html. We'd be grateful
if you would then provide a more complete description of the problem,
explain why you believe this is a bug in Ubuntu rather than a problem
specific to your system, and then change the bug status back to New.

** Changed in: openssh (Ubuntu)
   Status: New => Incomplete

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to openssh in Ubuntu.
https://bugs.launchpad.net/bugs/1770290

Title:
  package openssh-server 1:7.6p1-4 failed to install/upgrade: installed
  openssh-server package post-installation script subprocess was killed
  by signal (Broken pipe)

Status in openssh package in Ubuntu:
  Incomplete

Bug description:
  bug

  ProblemType: Package
  DistroRelease: Ubuntu 18.04
  Package: openssh-server 1:7.6p1-4
  ProcVersionSignature: Ubuntu 4.15.0-20.21-generic 4.15.17
  Uname: Linux 4.15.0-20-generic x86_64
  ApportVersion: 2.20.9-0ubuntu7
  Architecture: amd64
  Date: Thu May 10 05:37:21 2018
  DuplicateSignature:
   package:openssh-server:1:7.6p1-4
   Setting up openssh-server (1:7.6p1-4) ...
   dpkg: error processing package openssh-server (--configure):
    installed openssh-server package post-installation script subprocess was killed by signal (Broken pipe)
  ErrorMessage: installed openssh-server package post-installation script subprocess was killed by signal (Broken pipe)
  InstallationDate: Installed on 2018-02-17 (81 days ago)
  InstallationMedia: Ubuntu 16.04.3 LTS "Xenial Xerus" - Release amd64 (20170801)
  Python3Details: /usr/bin/python3.6, Python 3.6.5, python3-minimal, 3.6.5-3
  PythonDetails: /usr/bin/python2.7, Python 2.7.15rc1, python-minimal, 2.7.15~rc1-1
  RelatedPackageVersions:
   dpkg 1.19.0.5ubuntu2
   apt  1.6.1
  SSHDConfig: Error: command ['/usr/sbin/sshd', '-T'] failed with exit code 1: /etc/ssh/sshd_config: No such file or directory
  SourcePackage: openssh
  Title: package openssh-server 1:7.6p1-4 failed to install/upgrade: installed openssh-server package post-installation script subprocess was killed by signal (Broken pipe)
  UpgradeStatus: Upgraded to bionic on 2018-05-08 (1 days ago)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/1770290/+subscriptions

-- 
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp


[Touch-packages] [Bug 1770290] Re: package openssh-server 1:7.6p1-4 failed to install/upgrade: installed openssh-server package post-installation script subprocess was killed by signal (Broken pipe)

2018-05-11 Thread ChristianEhrhardt
/etc/ssh/sshd_config: No such file or directory

This file is essential to ssh; if you have deleted it the service won't work.
That means you either have to remove the service or fix its configuration.

To restore that you can find a default in /usr/share/openssh/sshd_config

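The recovery the two comments above describe, as an added example that is not code from the bug report, from Christian Ehrhardt or from the openssh package: put the packaged default back only when /etc/ssh/sshd_config is missing (never over an existing file), run sshd's own config test before dpkg gets to restart the service, and print the keywords an administrator should look at before a freshly defaulted sshd goes back on the network. The two paths are the ones named in the thread; the function names, the validator parameter (so the check can run without sshd installed) and the scratch paths are assumptions for illustration. One caveat the thread does not spell out: the restored file is the distribution default, so any local hardening the deleted file carried (for example PasswordAuthentication no) is gone until it is re-applied.

```sh
# restore_sshd_config CONFIG DEFAULT VALIDATOR
#   CONFIG    live config, normally /etc/ssh/sshd_config
#   DEFAULT   packaged default, /usr/share/openssh/sshd_config on Ubuntu
#   VALIDATOR command that checks the config file given as its last argument,
#             e.g. "/usr/sbin/sshd -t -f" (the test substitutes "test -r")
# Copies DEFAULT into place only if CONFIG is absent, then validates.
# Returns non-zero if nothing could be restored or the validator rejects the
# result, so a caller can stop before restarting sshd.
restore_sshd_config() {
    cfg=$1; def=$2; validator=$3
    if [ -f "$cfg" ]; then
        echo "present: $cfg"
    elif [ -f "$def" ]; then
        cp "$def" "$cfg" && chmod 0644 "$cfg" || return 1
        echo "restored: $cfg from $def"
    else
        echo "no default available at $def" >&2
        return 1
    fi
    $validator "$cfg"
}

# review_sshd_settings CONFIG
# Prints the keywords that most change what the restored server accepts.
# sshd honours the first occurrence of a keyword, so only that is shown;
# keywords absent from the file use sshd's compiled-in default.
review_sshd_settings() {
    cfg=$1
    for key in PermitRootLogin PasswordAuthentication PubkeyAuthentication \
               ChallengeResponseAuthentication X11Forwarding; do
        val=$(grep -i "^[[:space:]]*$key[[:space:]]" "$cfg" | head -n1 | awk '{print $2}')
        echo "$key ${val:-(default)}"
    done
}

# Hypothetical use on the affected machine, as root; the dpkg call re-runs
# the postinst that failed in the bug:
#   restore_sshd_config /etc/ssh/sshd_config /usr/share/openssh/sshd_config \
#       "/usr/sbin/sshd -t -f" \
#   && review_sshd_settings /etc/ssh/sshd_config \
#   && dpkg --configure -a
```

sshd -t -f FILE exits non-zero on a broken file without starting the daemon, which is the same check the apport hook's sshd -T tripped over above; running it first means dpkg --configure -a is only attempted once the restart can succeed.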


[Touch-packages] [Bug 1750780] Re: Race with local file systems can make open-vm-tools fail to start

2018-05-09 Thread ChristianEhrhardt
1. Upgrade from proposed - this is the same for all associated bugs, so
I only documented details in bug 1741390

2. This bug in particular
Running a few restarts and checking
$ systemctl status -l open-vm-tools.service
This checks if the service rules avoid the issue on these systems with older 
systemd (older than Bionic where these extra constraints are not needed)

Artful: did not expose the issue in 5/5 retries
Xenial: did not expose the issue in 5/5 retries

Per above (and the extensive precheck on the content-equal ppa by
VMWare) - setting to verified

** Tags removed: verification-needed verification-needed-artful 
verification-needed-xenial
** Tags added: verification-done verification-done-artful 
verification-done-xenial

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to systemd in Ubuntu.
https://bugs.launchpad.net/bugs/1750780

Title:
  Race with local file systems can make open-vm-tools fail to start

Status in cloud-init:
  Invalid
Status in open-vm-tools package in Ubuntu:
  Invalid
Status in systemd package in Ubuntu:
  Fix Released
Status in open-vm-tools source package in Xenial:
  Fix Committed
Status in systemd source package in Xenial:
  New
Status in open-vm-tools source package in Artful:
  Fix Committed
Status in open-vm-tools package in Debian:
  Fix Released

Bug description:
  Since the change in [1] open-vm-tools-service starts very (very) early.
  Not so much due to the 
  Before=cloud-init-local.service
  But much more by
  DefaultDependencies=no

  That can trigger an issue that looks like
  root@ubuntuguest:~# systemctl status -l open-vm-tools.service
  ● open-vm-tools.service - Service for virtual machines hosted on VMware
 Loaded: loaded (/lib/systemd/system/open-vm-tools.service; enabled; vendor 
preset: enabled)
 Active: failed (Result: resources)

  
  As it is right now open-vm-tools can race with the other early start and then fail.
  In detail one can find a message like:
  open-vm-tools.service: Failed to run 'start' task: Read-only file system

  This is due to PrivateTmp=yes, which is also set, needing a writable
  /var/tmp [2]

  To ensure this works PrivateTmp would have to be removed (not good) or some 
after dependencies added that make this work reliably.
  I added
  After=local-fs.target
  which made it work for me in 3/3 tests.

  I'd like to have an ack by the cloud-init Team that this does not totally kill the originally intended Before=cloud-init-local.service
  I think it does not, as local-fs can complete before cloud-init-local, then open-vm-tools can initialize and finally cloud-init-local can pick up the data.

  To summarize:
  # cloud-init-local #
  DefaultDependencies=no
  Wants=network-pre.target
  After=systemd-remount-fs.service
  Before=NetworkManager.service
  Before=network-pre.target
  Before=shutdown.target
  Before=sysinit.target
  Conflicts=shutdown.target
  RequiresMountsFor=/var/lib/cloud

  # open-vm-tools #
  DefaultDependencies=no
  Before=cloud-init-local.service

  Proposed is to add to the latter:
  After=local-fs.target

  [1]: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=859677
  [2]: https://github.com/systemd/systemd/issues/5610

To manage notifications about this bug go to:
https://bugs.launchpad.net/cloud-init/+bug/1750780/+subscriptions

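A lint for the ordering problem the bug above describes, as an added example that is not part of the bug, of open-vm-tools or of systemd. A unit with DefaultDependencies=no opts out of the implicit After=sysinit.target, and sysinit.target is what is ordered after local-fs.target; if that unit also has PrivateTmp=yes, systemd must set up a private /tmp and /var/tmp before ExecStart, which fails while the file system is still read-only. The function reports units that combine both settings without After=local-fs.target (the fix proposed in the bug) or RequiresMountsFor=/var/tmp (which adds Requires= and After= on the mount units for that path). The sample unit text is constructed from the fragments quoted in the bug; the function names and the drop-in file name are assumptions.

```sh
# sample_unit_text
# The open-vm-tools fragment quoted in the bug, constructed here as input.
sample_unit_text() {
    printf '[Unit]\nDefaultDependencies=no\nBefore=cloud-init-local.service\n\n[Service]\nPrivateTmp=yes\n'
}

# unit_value FILE KEY
# Prints every value of KEY in FILE, one per line, ignoring comments.
# List-type keys such as After= may appear several times and accumulate.
unit_value() {
    grep -E "^[[:space:]]*$2[[:space:]]*=" "$1" | sed 's/^[^=]*=[[:space:]]*//'
}

# unit_lacks_fs_ordering FILE
# Exit 0 (a finding) when FILE combines DefaultDependencies=no with
# PrivateTmp=yes but carries neither After=local-fs.target nor
# RequiresMountsFor=/var/tmp; such a unit may start before /var/tmp is
# writable and fail with "Read-only file system". Exit 1 otherwise.
unit_lacks_fs_ordering() {
    f=$1
    dd=$(unit_value "$f" DefaultDependencies | tail -n1 | tr '[:upper:]' '[:lower:]')
    pt=$(unit_value "$f" PrivateTmp | tail -n1 | tr '[:upper:]' '[:lower:]')
    # With default dependencies the unit is ordered after sysinit.target,
    # which itself comes after local-fs.target.
    [ "$dd" = "no" ] || return 1
    # Without a private /tmp and /var/tmp there is nothing to mount early.
    case "$pt" in yes|true|on|1) ;; *) return 1 ;; esac
    if unit_value "$f" After | tr ' ' '\n' | grep -qx 'local-fs.target'; then return 1; fi
    if unit_value "$f" RequiresMountsFor | tr ' ' '\n' | grep -qx '/var/tmp'; then return 1; fi
    return 0
}

# dropin_text
# The override an administrator would write to
# /etc/systemd/system/open-vm-tools.service.d/order.conf (then run
# `systemctl daemon-reload`). Drop-ins merge with the shipped unit, so this
# adds an After= entry rather than replacing the unit's other settings.
dropin_text() {
    printf '[Unit]\nAfter=local-fs.target\n'
}

# Hypothetical use on a machine: lint every unit that opts out of default
# dependencies, then confirm the merged ordering once the drop-in is in place.
#   for u in /lib/systemd/system/*.service; do
#       unit_lacks_fs_ordering "$u" && echo "check ordering: $u"
#   done
#   systemctl show -p After open-vm-tools.service
```

systemctl show -p After prints the effective ordering after drop-ins and implicit dependencies are merged, so it is the place to confirm that local-fs.target really is in the list rather than trusting the unit file alone.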


[Touch-packages] [Bug 1767283] Re: nc doesn't support "-s IP" option

2018-05-08 Thread ChristianEhrhardt
1.190-2 is in cosmic-proposed, but right now some tests still fail for
18.10/Cosmic not being fully open (e.g. no autotest/cloud images, or missing
18.10 in postgres common).
So I have to beg your pardon to wait a bit more :-/

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to netcat-openbsd in Ubuntu.
https://bugs.launchpad.net/bugs/1767283

Title:
  nc doesn't support "-s IP" option

Status in netcat-openbsd package in Ubuntu:
  Confirmed
Status in netcat-openbsd package in Debian:
  Fix Released

Bug description:
  Hey,

  netcat shows a usage error if I try to use the "-s" option:

  Example in Bionic:

  $ netcat -s 127.0.0.1 127.0.0.1 22 < /dev/null
  usage: nc [-46CDdFhklNnrStUuvZz] [-I length] [-i interval] [-M ttl]
     [-m minttl] [-O length] [-P proxy_username] [-p source_port]
     [-q seconds] [-s source] [-T keyword] [-V rtable] [-W recvlimit] [-w timeout]
     [-X proxy_protocol] [-x proxy_address[:port]][destination] [port]

  Example in Xenial:

  netcat -s 127.0.0.1 127.0.0.1 22 < /dev/null
  SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.4

  Manpage shows that the option is still available and should work. Both
  systems use openbsd netcat.

  $ type netcat
  netcat is hashed (/bin/netcat)
  $ ls -lah /bin/netcat
  lrwxrwxrwx 1 root root 24 Apr 25 21:56 /bin/netcat -> /etc/alternatives/netcat
  $ ls -lah /etc/alternatives/netcat
  lrwxrwxrwx 1 root root 15 Apr 25 21:56 /etc/alternatives/netcat -> /bin/nc.openbsd

  ProblemType: Bug
  DistroRelease: Ubuntu 18.04
  Package: netcat-openbsd 1.187-1
  ProcVersionSignature: Ubuntu 4.15.0-20.21-generic 4.15.17
  Uname: Linux 4.15.0-20-generic x86_64
  ApportVersion: 2.20.9-0ubuntu7
  Architecture: amd64
  Date: Fri Apr 27 13:41:20 2018
  Dependencies:
   gcc-8-base 8-20180414-1ubuntu2
   libbsd0 0.8.7-1
   libc6 2.27-3ubuntu1
   libgcc1 1:8-20180414-1ubuntu2
  ProcEnviron:
   TERM=xterm
   PATH=(custom, no user)
   XDG_RUNTIME_DIR=
   LANG=en_US.UTF-8
   SHELL=/bin/bash
  SourcePackage: netcat-openbsd
  UpgradeStatus: No upgrade log present (probably fresh install)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/netcat-openbsd/+bug/1767283/+subscriptions



[Touch-packages] [Bug 1747411] Re: Change of default database file format to SQL

2018-05-08 Thread ChristianEhrhardt
** Merge proposal linked:
   https://code.launchpad.net/~paelzer/ubuntu/+source/nss/+git/nss/+merge/345213

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to nss in Ubuntu.
https://bugs.launchpad.net/bugs/1747411

Title:
  Change of default database file format to SQL

Status in certmonger package in Ubuntu:
  Fix Released
Status in corosync package in Ubuntu:
  New
Status in dogtag-pki package in Ubuntu:
  Fix Released
Status in freeipa package in Ubuntu:
  Fix Released
Status in libapache2-mod-nss package in Ubuntu:
  Won't Fix
Status in nss package in Ubuntu:
  New

Bug description:
  nss in version 3.35 upstream changed [2] the default file format [1] (if no explicit one is specified).
  For now we reverted that change in bug 1746947 until all packages depending on it are ready to work with that correctly.

  This bug here is to track when the revert can be dropped.
  Therefore we list all known-to-be-affected packages, and once all are resolved this can be dropped.

  [1]: https://fedoraproject.org/wiki/Changes/NSSDefaultFileFormatSql
  [2]: https://github.com/nss-dev/nss/commit/33b114e38278c4ffbb6b244a0ebc9910e5245cd3

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/certmonger/+bug/1747411/+subscriptions



[Touch-packages] [Bug 1747411] Re: Change of default database file format to SQL

2018-05-07 Thread ChristianEhrhardt
Corosync is actually a sync for Cosmic, with all Delta dropped:

  * Merge with Debian unstable (LP: #1747411). Remaining changes:

  * Dropped Changes:
- Properly restart corosync and pacemaker together (LP: #1740892)
  d/rules: pass --restart-after-upgrade to dh_installinit.
  (this is default in compat >=10, and the package is 11)
- d/control: indicate this version breaks all older pacemaker, to
  force an upgrade of pacemaker. (Upgrades have gone through Bionic,
  so we can drop this now)
- d/corosync.postinst: if flagged to do so by pacemaker, start
  pacemaker on upgrade. (Can be dropped after Bionic)
- New upstream release 2.4.3 (now in Debian)
- Drop upstreamed patches and refresh others. (now in Debian)

To get a second opinion on that I opened:
https://code.launchpad.net/~paelzer/ubuntu/+source/corosync/+git/corosync/+merge/345184

** Merge proposal linked:
   
https://code.launchpad.net/~paelzer/ubuntu/+source/corosync/+git/corosync/+merge/345184



[Touch-packages] [Bug 1747411] Re: Change of default database file format to SQL

2018-05-07 Thread ChristianEhrhardt
For corosync the affected components are corosync-qnetd.

I checked and without adaptation on install they would be fine, as they
initialize a new DB and nowhere does anyone specify the type. But as
with some other tools, on an upgrade we have to assume that the old DBM
format will be tried to be read as SQL and then fail.

Worth noticing is that Fedora, who started all of this in [1], in their
NSS build still use DBM as default :-)

corosync 2.4.4-1 of the 20th of April made corosync compatible with the nss change.
They prefix all calls with dbm to stay compatible until the upgrade is handled by
upstream.
So a merge of this or a later version will address this for corosync.
Afterwards nss can be merged, dropping the change of the default.

[1]: https://fedoraproject.org/wiki/Changes/NSSDefaultFileFormatSql

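The dependency the three nss comments above are about is an application opening a certificate/key store without saying which format it expects, so that the answer changes with the library default. As an added example, not code from the bug, from nss or from corosync, the first function below decides the prefix from the files actually present (NSS stores DBM data in cert8.db/key3.db and the SQLite format in cert9.db/key4.db) so that a caller can pass dbm: or sql: explicitly, the way corosync 2.4.4 does; the second walks a tree and lists every directory that still holds only the legacy files, which are the ones an upgrade to an SQL default would break. The function names and the scratch directories are assumptions; the file names and prefixes are NSS's own.

```sh
# nss_db_prefix DIR
# Prints "dbm:DIR" or "sql:DIR" depending on which store DIR contains, so
# that callers pass an explicit type to NSS instead of relying on the
# library default. Returns 2 if no store is present and 3 if both formats
# coexist, because then the caller has to decide, not guess.
nss_db_prefix() {
    dir=$1; dbm=0; sql=0
    if [ -f "$dir/cert8.db" ] || [ -f "$dir/key3.db" ]; then dbm=1; fi
    if [ -f "$dir/cert9.db" ] || [ -f "$dir/key4.db" ]; then sql=1; fi
    case "$dbm$sql" in
        10) echo "dbm:$dir" ;;
        01) echo "sql:$dir" ;;
        00) echo "no NSS database in $dir" >&2; return 2 ;;
        *)  echo "both DBM and SQL files present in $dir, refusing to guess" >&2; return 3 ;;
    esac
}

# nss_dirs_needing_attention ROOT
# Walks ROOT and lists every directory that still holds only the legacy DBM
# files. These are the stores that fail once the default flips to SQL and
# an application opens them without a prefix. Output: one "dbm:DIR" per line.
nss_dirs_needing_attention() {
    find "$1" -type f \( -name cert8.db -o -name key3.db \) -exec dirname {} \; | sort -u |
    while read -r d; do
        nss_db_prefix "$d" 2>/dev/null | grep '^dbm:' || true
    done
}

# Hypothetical use: always hand certutil the detected prefix, and audit a
# host for stores that still need an explicit dbm: or a migration.
#   certutil -L -d "$(nss_db_prefix /etc/pki/nssdb)"
#   nss_dirs_needing_attention /etc /var/lib
```

Listing with an explicit prefix is also the quick way to confirm the failure mode the comment describes: pointing sql: at a directory that only has cert8.db/key3.db shows an empty store rather than the certificates that are there.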


[Touch-packages] [Bug 1727202] Re: [17.10 regression] AppArmor ntp denial: Failed name lookup - disconnected path

2018-04-30 Thread ChristianEhrhardt
@Tim - Could you check the ntp apparmor profile for whether it has the change that
was made in 1:4.2.8p10+dfsg-5ubuntu4?
It is a conffile, so depending on your former changes it might not have been
updated by default.

Essentially, does /etc/apparmor.d/usr.sbin.ntpd have
flags=(attach_disconnected) ?

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to ntp in Ubuntu.
https://bugs.launchpad.net/bugs/1727202

Title:
  [17.10 regression] AppArmor ntp denial: Failed name lookup -
  disconnected path

Status in ntp package in Ubuntu:
  Fix Released
Status in ntp source package in Xenial:
  Invalid
Status in ntp source package in Zesty:
  Invalid
Status in ntp source package in Artful:
  Fix Released
Status in ntp source package in Bionic:
  Fix Released

Bug description:
  [Impact]

   * NTP has new isolation features which makes it trigger apparmor issues.
   * Those apparmor issues not only clutter the log and make other things
     less readable, they also prevent ntp from reporting its actual
     messages.
   * Fix is opening the apparmor profile to follow ntp through the
     disconnect by the isolation feature.

  [Test Case]

   * This is hard to trigger, but then also not. Which means it is not
     entirely sorted out when it triggers and when not, but the following
     does trigger it in tests of Pitti and also mine (while at the same time
     sometimes it does not - maybe I had other guests or kvm instead of lxd)

   * First install ntp in Artful (or above unless fixed)
     * Install ntp and check dmesg for denies
     * Once an issue triggers instead of the error in syslog you'll see the
       apparmor Deny like:
       apparmor="DENIED" operation="sendmsg" info="Failed name lookup - disconnected path" error=-13 profile="/usr/sbin/ntpd" name="run/systemd/journal/dev-log" pid=5600 comm="ntpd" requested_mask="w" denied_mask="w" fsuid=0 ouid=0

  [Regression Potential]

   * We are slightly opening up the apparmor profile which is far lower risk
     than adding more constraints. So safe from that POV.

   * OTOH one could think this might be a security issue, but in fact this
     isn't a new suggestion if you take a look at [1] with an ack by Seth of
     the Security Team.

  [Other Info]

   * n/a

  [1]: https://lists.ubuntu.com/archives/apparmor/2015-May/007858.html

  

  Merely installing and starting ntp.service in Ubuntu 17.10 now causes
  this AppArmor violation:

  audit: type=1400 audit(1508915894.215:25): apparmor="DENIED" operation="sendmsg" info="Failed name lookup - disconnected path" error=-13 profile="/usr/sbin/ntpd" name="run/systemd/journal/dev-log" pid=5600 comm="ntpd" requested_mask="w" denied_mask="w" fsuid=0 ouid=0

  (many times). This hasn't happened in earlier Ubuntu releases yet.

  This was spotted by Cockpit's integration tests, as our "ubuntu-
  stable" image now moved to 17.10 after its release.

  ProblemType: Bug
  DistroRelease: Ubuntu 17.10
  Package: ntp 1:4.2.8p10+dfsg-5ubuntu3
  ProcVersionSignature: Ubuntu 4.13.0-16.19-generic 4.13.4
  Uname: Linux 4.13.0-16-generic x86_64
  ApportVersion: 2.20.7-0ubuntu3
  Architecture: amd64
  Date: Wed Oct 25 03:19:34 2017
  SourcePackage: ntp
  UpgradeStatus: No upgrade log present (probably fresh install)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ntp/+bug/1727202/+subscriptions

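The check Christian asks Tim for above, done against audit output rather than by eye, as an added example that is not code from the bug, from ntp or from AppArmor: pull every DENIED event whose info field says "disconnected path" (a path AppArmor cannot resolve from the confined process's namespace root, which ntpd's isolation produces for /run), map the profile name to its file under /etc/apparmor.d, and report whether that file's profile head carries flags=(attach_disconnected). The sample audit line is constructed from the one quoted in the bug; the function names and the scratch profile directory are assumptions. The conffile caveat in the comment is general dpkg behaviour: when a locally modified conffile is kept on upgrade, the packaged version lands beside it as usr.sbin.ntpd.dpkg-dist, and dpkg -V ntp lists the conffile as modified.

```sh
# SAMPLE_AUDIT: the denial quoted in the bug, constructed here as test input.
SAMPLE_AUDIT='audit: type=1400 audit(1508915894.215:25): apparmor="DENIED" operation="sendmsg" info="Failed name lookup - disconnected path" error=-13 profile="/usr/sbin/ntpd" name="run/systemd/journal/dev-log" pid=5600 comm="ntpd" requested_mask="w" denied_mask="w" fsuid=0 ouid=0'

# disconnected_denials
# Reads audit or dmesg lines on stdin and prints "PROFILE PATH" for each
# AppArmor DENIED event whose info field reports a disconnected path.
disconnected_denials() {
    grep 'apparmor="DENIED"' | grep 'disconnected path' |
    sed -n 's/.*profile="\([^"]*\)".*name="\([^"]*\)".*/\1 \2/p'
}

# profile_attach_disconnected FILE
# Exit 0 if the line that opens a profile body in FILE carries
# flags=(attach_disconnected). Comment lines cannot match because the
# pattern forbids '#' before the flags.
profile_attach_disconnected() {
    grep -q '^[^#]*flags=([^)]*attach_disconnected[^)]*)[[:space:]]*{' "$1"
}

# check_denials AUDIT PROFILEDIR
# For every disconnected-path denial in AUDIT, locate the profile file under
# PROFILEDIR (Ubuntu packages name it after the binary path with '/' turned
# into '.', so /usr/sbin/ntpd is usr.sbin.ntpd) and report whether it has
# the flag. Exits 1 if any profile lacks it.
check_denials() {
    audit=$1; pdir=$2
    disconnected_denials < "$audit" | sort -u | while read -r prof name; do
        f="$pdir/$(printf '%s' "$prof" | sed 's|^/||; s|/|.|g')"
        if [ -f "$f" ] && profile_attach_disconnected "$f"; then
            echo "ok: $prof ($name)"
        else
            echo "missing attach_disconnected: $prof, expected in $f ($name)"
            exit 1
        fi
    done
}

# Hypothetical use on the affected host:
#   dmesg > /tmp/audit.log && check_denials /tmp/audit.log /etc/apparmor.d
#   dpkg -V ntp                       # lists the conffile if it was kept locally
#   ls /etc/apparmor.d/usr.sbin.ntpd.dpkg-dist 2>/dev/null   # packaged copy, if any
```

A profile that lacks the flag after the fixed package is installed is the conffile case from the comment: diff the live file against the .dpkg-dist copy, merge the flags change, and reload with apparmor_parser -r /etc/apparmor.d/usr.sbin.ntpd.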


[Touch-packages] [Bug 1679704] Re: libvirt profile is blocking global setrlimit despite having no rlimit rule

2018-04-30 Thread ChristianEhrhardt
Per bug 1763427 this is Fix released since 4.15.0-18.19

** Changed in: apparmor (Ubuntu)
   Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1679704

Title:
  libvirt profile is blocking global setrlimit despite having no rlimit
  rule

Status in The Ubuntu-power-systems project:
  Fix Released
Status in apparmor package in Ubuntu:
  Fix Released

Bug description:
  Hi,
  while debugging bug 1678322 I ran into apparmor issues.
  Thanks to jjohansen we debugged some of it and eventually I was asked to report it as a bug.

  Symptom:
  [ 8976.950635] audit: type=1400 audit(1491310016.224:48): apparmor="DENIED" operation="setrlimit" profile="/usr/sbin/libvirtd" pid=10034 comm="libvirtd" rlimit=memlock value=1610612736

  But none of the profiles has any rlimit statement in it:
  $ grep -Hirn limit /etc/apparmor*
  /etc/apparmor.d/sbin.dhclient:58:  # such, if the dhclient3 daemon is subverted, this effectively limits it to
  /etc/apparmor.d/abstractions/ubuntu-helpers:16:# Limitations:
  /etc/apparmor.d/abstractions/ubuntu-helpers:64:  # in limited libraries so glibc's secure execution should be enough to not
  /etc/apparmor.d/cache/.features:13:rlimit {mask {cpu fsize data stack core rss nproc nofile memlock as locks sigpending msgqueue nice rtprio rttime

  The profile contains a child profile which makes reading the dumps a bit painful, but I'll attach them anyway for you to take a look.
  To "recreate" if needed check out bug 1678322 - TL;DR hot-add some VFs via libvirt.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu-power-systems/+bug/1679704/+subscriptions



[Touch-packages] [Bug 1767283] Re: nc doesn't support "-s IP" option

2018-04-29 Thread ChristianEhrhardt
Fix is now available in [1].
But needs to be picked up for 18.10 (once archive is open in a few days) and then prepped as 18.04 SRU.

[1]: https://salsa.debian.org/debian/netcat-openbsd/commit/338b1fa7c3db9bd791095f51325b3287330dac7d

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to netcat-openbsd in Ubuntu.
https://bugs.launchpad.net/bugs/1767283

Title:
  nc doesn't support "-s IP" option

Status in netcat-openbsd package in Ubuntu:
  Confirmed
Status in netcat-openbsd package in Debian:
  Fix Committed



[Touch-packages] [Bug 1767283] Re: nc doesn't support "-s IP" option

2018-04-27 Thread ChristianEhrhardt
Debian bug at https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=897020

** Bug watch added: Debian Bug tracker #897020
   https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=897020

** Also affects: netcat-openbsd (Debian) via
   https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=897020
   Importance: Unknown
   Status: Unknown

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to netcat-openbsd in Ubuntu.
https://bugs.launchpad.net/bugs/1767283

Title:
  nc doesn't support "-s IP" option

Status in netcat-openbsd package in Ubuntu:
  Confirmed
Status in netcat-openbsd package in Debian:
  Unknown



[Touch-packages] [Bug 1767283] Re: nc doesn't support "-s IP" option

2018-04-27 Thread ChristianEhrhardt
I'm not an expert on netcat but I hope this initial triage helps the
next that will look at it.

I reported to Debian as well as they are also affected.
Especially since the change came from Guilhem - it might be best to think about 
a solution together.

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to netcat-openbsd in Ubuntu.
https://bugs.launchpad.net/bugs/1767283

Title:
  nc doesn't support "-s IP" option

Status in netcat-openbsd package in Ubuntu:
  Confirmed
Status in netcat-openbsd package in Debian:
  Unknown

Bug description:
  Hey,

  netcat shows a usage error if i try to use the "-s" option:

  Example in Bionic:

  $ netcat -s 127.0.0.1 127.0.0.1 22 < /dev/null
  usage: nc [-46CDdFhklNnrStUuvZz] [-I length] [-i interval] [-M ttl]
     [-m minttl] [-O length] [-P proxy_username] [-p source_port]
     [-q seconds] [-s source] [-T keyword] [-V rtable] [-W recvlimit] [-w 
timeout]
     [-X proxy_protocol] [-x proxy_address[:port]][destination] [port]

  Example in Xenial:

  netcat -s 127.0.0.1 127.0.0.1 22 < /dev/null
  SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.4

  Manpage shows that the option is still available and should work. Both
  systems use openbsd netcat.

  $ type netcat
  netcat is hashed (/bin/netcat)
  $ ls -lah /bin/netcat
  lrwxrwxrwx 1 root root 24 Apr 25 21:56 /bin/netcat -> /etc/alternatives/netcat
  $ ls -lah /etc/alternatives/netcat
  lrwxrwxrwx 1 root root 15 Apr 25 21:56 /etc/alternatives/netcat -> 
/bin/nc.openbsd

  ProblemType: Bug
  DistroRelease: Ubuntu 18.04
  Package: netcat-openbsd 1.187-1
  ProcVersionSignature: Ubuntu 4.15.0-20.21-generic 4.15.17
  Uname: Linux 4.15.0-20-generic x86_64
  ApportVersion: 2.20.9-0ubuntu7
  Architecture: amd64
  Date: Fri Apr 27 13:41:20 2018
  Dependencies:
   gcc-8-base 8-20180414-1ubuntu2
   libbsd0 0.8.7-1
   libc6 2.27-3ubuntu1
   libgcc1 1:8-20180414-1ubuntu2
  ProcEnviron:
   TERM=xterm
   PATH=(custom, no user)
   XDG_RUNTIME_DIR=
   LANG=en_US.UTF-8
   SHELL=/bin/bash
  SourcePackage: netcat-openbsd
  UpgradeStatus: No upgrade log present (probably fresh install)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/netcat-openbsd/+bug/1767283/+subscriptions



[Touch-packages] [Bug 1767283] Re: nc doesn't support "-s IP" option

2018-04-27 Thread ChristianEhrhardt
In gdb I see it gets to read -s

    case 's':
        sflag = optarg;
        break;

It realizes no more options are there and then ends at

    } else if (argv[0] && argv[1]) {
        host = argv[0];
        uport = argv[1];
        if (pflag || sflag)
            usage(1);

And sflag is set, so it reports usage and exits.
The particular check in this path of pflag/sflag didn't exist back then.

I found this comes in via the patch
  debian/patches/misc-failures-and-features.patch
which has been in Debian and Ubuntu since late 2016.

This patch was modified by:
commit 2ebffb014c830e49f6fad600c59cc1b82fe356a4
Author: Guilhem Moulin 
Date:   Sun Dec 3 22:58:11 2017 +0100

Allow usage of -s with -l for consistency with netcat-traditional.

Since then this is also in Debian.

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to netcat-openbsd in Ubuntu.
https://bugs.launchpad.net/bugs/1767283


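As an added example (not netcat's code and not the Debian patch), the following C model reproduces the control flow the comment above walks through: parse_nc_args() collects -l, -p and -s the way nc's main() does, check_buggy() puts the pflag/sflag test in the host-plus-port branch as found in gdb, and check_fixed() is this example's stand-in that rejects only -p together with -l, the one combination taken here to be a genuine conflict. All function and struct names are this example's own.

```c
/* Added example, not code from netcat or from the Debian patch: a reduced
 * model of the option handling traced in the comment above. The names
 * (struct nc_opts, parse_nc_args, check_buggy, check_fixed, nc_rejects)
 * are this example's own. */
#define _DEFAULT_SOURCE 1
#include <stdio.h>
#include <string.h>
#include <unistd.h>

struct nc_opts {
    int lflag;          /* -l: listen mode */
    const char *pflag;  /* -p source_port */
    const char *sflag;  /* -s source address */
    const char *host;   /* destination host (NULL when listening on any address) */
    const char *uport;  /* port */
};

/* Collects -l/-p/-s and the positional host/port the way nc's main() does.
 * Returns 0 on success, 1 where nc would call usage(1). */
int parse_nc_args(int argc, char **argv, struct nc_opts *o)
{
    int ch;

    memset(o, 0, sizeof *o);
    optind = 0;  /* glibc/musl: re-initialise getopt so repeated calls work */
    while ((ch = getopt(argc, argv, "lp:s:")) != -1) {
        switch (ch) {
        case 'l': o->lflag = 1;      break;
        case 'p': o->pflag = optarg; break;
        case 's': o->sflag = optarg; break;
        default:  return 1;
        }
    }
    argv += optind;
    if (argv[0] && !argv[1]) {            /* "nc -l port" */
        if (!o->lflag)
            return 1;
        o->uport = argv[0];
    } else if (argv[0] && argv[1]) {      /* "nc host port" or "nc -l host port" */
        o->host = argv[0];
        o->uport = argv[1];
    } else {
        return 1;
    }
    return 0;
}

/* The check as the comment found it: placed in the two-argument branch, so
 * -p or -s triggers usage even in plain connect mode. That is the reported
 * bug. Returns 1 when usage would be printed. */
int check_buggy(const struct nc_opts *o)
{
    return o->host && o->uport && (o->pflag || o->sflag);
}

/* This example's stand-in for a correct check: only -p together with -l is
 * rejected; -s stays usable in both connect and listen mode, which is what
 * the 2017 commit message asks for. */
int check_fixed(const struct nc_opts *o)
{
    return o->lflag && o->pflag != NULL;
}

/* Returns 1 when this model of nc would print usage for argv (argv[0] is
 * the program name), using either the buggy or the fixed check. */
int nc_rejects(int use_buggy_check, int argc, char **argv)
{
    struct nc_opts o;

    if (parse_nc_args(argc, argv, &o))
        return 1;
    return use_buggy_check ? check_buggy(&o) : check_fixed(&o);
}

int main(void)
{
    /* Constructed argument vectors: the reporter's Bionic example, and -s with -l. */
    char *connect_s[] = {"nc", "-s", "127.0.0.1", "127.0.0.1", "22", NULL};
    char *listen_s[]  = {"nc", "-l", "-s", "127.0.0.1", "22", NULL};

    printf("connect with -s: buggy=%d fixed=%d\n",
           nc_rejects(1, 5, connect_s), nc_rejects(0, 5, connect_s));
    printf("listen  with -s: buggy=%d fixed=%d\n",
           nc_rejects(1, 5, listen_s), nc_rejects(0, 5, listen_s));
    return 0;
}
```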

[Touch-packages] [Bug 1767283] Re: nc doesn't support "-s IP" option

2018-04-27 Thread ChristianEhrhardt
Even the example from the manpage fails:
$ nc -s 10.1.2.3 host.example.com 42

** Changed in: netcat-openbsd (Ubuntu)
   Status: New => Confirmed

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to netcat-openbsd in Ubuntu.
https://bugs.launchpad.net/bugs/1767283



[Touch-packages] [Bug 1767283] Re: nc doesn't support "-s IP" option

2018-04-27 Thread ChristianEhrhardt
-t in description (typo) misled me - fixed the description

** Description changed:

  Hey,
  
- netcat shows a usage error if i try to use the "-t" option:
+ netcat shows a usage error if i try to use the "-s" option:
  
  Example in Bionic:
  
- $ netcat -s 127.0.0.1 127.0.0.1 22 < /dev/null 
+ $ netcat -s 127.0.0.1 127.0.0.1 22 < /dev/null
  usage: nc [-46CDdFhklNnrStUuvZz] [-I length] [-i interval] [-M ttl]
- [-m minttl] [-O length] [-P proxy_username] [-p source_port]
- [-q seconds] [-s source] [-T keyword] [-V rtable] [-W recvlimit] [-w 
timeout]
- [-X proxy_protocol] [-x proxy_address[:port]]   [destination] 
[port]
- 
+    [-m minttl] [-O length] [-P proxy_username] [-p source_port]
+    [-q seconds] [-s source] [-T keyword] [-V rtable] [-W recvlimit] [-w 
timeout]
+    [-X proxy_protocol] [-x proxy_address[:port]][destination] [port]
  
  Example in Xenial:
  
- netcat -s 127.0.0.1 127.0.0.1 22 < /dev/null 
+ netcat -s 127.0.0.1 127.0.0.1 22 < /dev/null
  SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.4
  
- 
- Manpage shows that the option is still availible and should work. Both 
systems use openbsd netcat.
+ Manpage shows that the option is still availible and should work. Both
+ systems use openbsd netcat.
  
  $ type netcat
  netcat is hashed (/bin/netcat)
- $ ls -lah /bin/netcat 
+ $ ls -lah /bin/netcat
  lrwxrwxrwx 1 root root 24 Apr 25 21:56 /bin/netcat -> /etc/alternatives/netcat
  $ ls -lah /etc/alternatives/netcat
  lrwxrwxrwx 1 root root 15 Apr 25 21:56 /etc/alternatives/netcat -> 
/bin/nc.openbsd
  
  ProblemType: Bug
  DistroRelease: Ubuntu 18.04
  Package: netcat-openbsd 1.187-1
  ProcVersionSignature: Ubuntu 4.15.0-20.21-generic 4.15.17
  Uname: Linux 4.15.0-20-generic x86_64
  ApportVersion: 2.20.9-0ubuntu7
  Architecture: amd64
  Date: Fri Apr 27 13:41:20 2018
  Dependencies:
-  gcc-8-base 8-20180414-1ubuntu2
-  libbsd0 0.8.7-1
-  libc6 2.27-3ubuntu1
-  libgcc1 1:8-20180414-1ubuntu2
+  gcc-8-base 8-20180414-1ubuntu2
+  libbsd0 0.8.7-1
+  libc6 2.27-3ubuntu1
+  libgcc1 1:8-20180414-1ubuntu2
  ProcEnviron:
-  TERM=xterm
-  PATH=(custom, no user)
-  XDG_RUNTIME_DIR=
-  LANG=en_US.UTF-8
-  SHELL=/bin/bash
+  TERM=xterm
+  PATH=(custom, no user)
+  XDG_RUNTIME_DIR=
+  LANG=en_US.UTF-8
+  SHELL=/bin/bash
  SourcePackage: netcat-openbsd
  UpgradeStatus: No upgrade log present (probably fresh install)

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to netcat-openbsd in Ubuntu.
https://bugs.launchpad.net/bugs/1767283



[Touch-packages] [Bug 1766939] Re: dnsmasq won't start [Ubuntu 18.04]

2018-04-27 Thread ChristianEhrhardt
Hi Nataraj,
glad you found the config issue and resolved it yourself.

For the open question how to control the dnsmasq - this is a formatting
question.
Sure, if you happen to know how to configure dnsmasq you are fine also to use
very special options.
But the same could be said about controlling different hypervisors.
Therefore libvirt provides you [1] for networking to control that via xml or
libvirt APIs and will generate the dnsmasq conf for you. I'd not right away
know of a way to fully allow editing the generated conf (for the generate step
overwriting it as you realized).

Setting "invalid" to reflect that you resolved your issue, I hope the
above helps to understand the case better.

[1]: https://libvirt.org/formatnetwork.html

** Also affects: libvirt (Ubuntu)
   Importance: Undecided
   Status: New

** Changed in: libvirt (Ubuntu)
   Status: New => Invalid

** Changed in: dnsmasq (Ubuntu)
   Status: New => Invalid

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to dnsmasq in Ubuntu.
https://bugs.launchpad.net/bugs/1766939

Title:
  dnsmasq won't start [Ubuntu 18.04]

Status in dnsmasq package in Ubuntu:
  Invalid
Status in libvirt package in Ubuntu:
  Invalid

Bug description:
  
  System: Ubuntu 18.04 All updates: Current
  Could also be a libvirt problem.

  When libvirtd tries to start dnsmasq, I get the following error and dnsmasq 
fails to start:
  libvirtd[2125]: 2018-04-24 20:38:47.073+: 2178: error : 
virNetDevIPAddrAdd:223 : Failed to add IP address 1
  error: Failed to add IP address 10.1.2.1/24 bcast 10.1.2.255 to virbr0

  This was previously working. If I edit
  /etc/libvirt/qemu/networks/default.xml and change the name of the
  interface to virbr1 dnsmasq starts up correctly, change the name back
  to virbr0 and it fails. Tried a find on the filesystem of '*virbr*' to
  see if there were any files left that shouldn't be there, but found
  only a couple of flag files (don't remember the name), 1 under
  /var/run and the other I think was in /var/lib/libvirt/dnsmasq.
  Deleted those but still doesn't work. I have also shutdown any other
  services that were binding to the virbr0 interface while testing this.

  How can I edit /var/lib/libvirt/dnsmasq/default.conf, or in some other
  way pass my own config parameters to dnsmasq? Instructions inside the
  file say to use "virsh net-edit default", but that edits
  /etc/libvirt/qemu/networks/default.xml which is a different file? If I
  edit default.conf with a normal editor, it gets overwritten by
  libvirtd.

  It appears that the dnsmasq config file is generated automatically by
  libvirtd and then dnsmasq is started by libvirtd, so I can't see
  anywhere to put my own config options, short of rebuilding libvirtd
  from source. According to the man page adding the option 'port=0' to
  the dnsmasq configuration will disable dns so that dnsmasq will no
  longer listen on port 53. This is what I would like to do.

  It would be nice to know how to create the virtual NIC needed to route
traffic from the VMs onto my network. Don't want to bridge onto LAN interface,
because system is connected to multiple vlans and wireless when traveling.
  I can handle DNS and DHCP using bind9 and isc-dhcp-server and would prefer to
run 1 instance of these servers for both the host and all guest VMs. Seems to
defeat the purpose of a cache to run a separate caching dns server for the host
and for the VMs, and then another if you have multiple virtual network
interfaces for different VMs. If I could do this easily, then I wouldn't need
dnsmasq at all.

  Thank You
  Natu

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/dnsmasq/+bug/1766939/+subscriptions



[Touch-packages] [Bug 1765844] Re: openssh private key exposed due to change in permissions

2018-04-24 Thread ChristianEhrhardt
Hmm, that would be odd and very bad.
I can't immediately think of anything that would do the change.

So for now I tried to recreate:
1. get X system and create some keys
-rw------- 1 root root    0 Apr 20 08:44 authorized_keys
-rw------- 1 root root 1679 Apr 24 10:36 id_rsa
-rw-r--r-- 1 root root  388 Apr 24 10:36 id_rsa.pub
2. do-release-upgrade -d
3. check keys again
They are still ok in my example.

So it is none of the base packages that caused this.

@Phreed - could you report the list of installed packages on your system so one 
can retry with the same set installed?
You can get this with:
 $ dpkg --get-selections

** Changed in: openssh (Ubuntu)
   Status: New => Incomplete

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to openssh in Ubuntu.
https://bugs.launchpad.net/bugs/1765844

Title:
  openssh private key exposed due to change in permissions

Status in openssh package in Ubuntu:
  Incomplete

Bug description:
  Following upgrading from 16.04 to 18.04 my ability to push to github stopped 
working.
  I checked the permissions on my .ssh folders files and found that the 
permissions had changed.

  $ ls -l ~/.ssh
  total 24
  -rw-r--r-- 1 fred fred  782 Mar 29  2016 authorized_keys
  -rw-r--r-- 1 fred fred 1766 Mar 29  2016 id_rsa
  -rw-r--r-- 1 fred fred  405 Mar 29  2016 id_rsa.pub
  -rw-r--r-- 1 fred fred 9732 Jul  1  2016 known_hosts

  I do not know which package actually caused this change.
  Upon resetting the permissions

  chmod +600 ~/.ssh/*

  Normal ssh function was restored.

  $ ls -ltr ~/.ssh
  total 24
  -rw------- 1 fred fred  405 Mar 29  2016 id_rsa.pub
  -rw------- 1 fred fred 1766 Mar 29  2016 id_rsa
  -rw------- 1 fred fred  782 Mar 29  2016 authorized_keys
  -rw------- 1 fred fred 9732 Jul  1  2016 known_hosts

  ProblemType: Bug
  DistroRelease: Ubuntu 18.04
  Package: ssh (not installed)
  ProcVersionSignature: Ubuntu 4.15.0-15.16-generic 4.15.15
  Uname: Linux 4.15.0-15-generic x86_64
  ApportVersion: 2.20.9-0ubuntu5
  Architecture: amd64
  CurrentDesktop: ubuntu:GNOME
  Date: Fri Apr 20 16:10:17 2018
  InstallationDate: Installed on 2017-04-05 (380 days ago)
  InstallationMedia: Ubuntu 16.04.2 LTS "Xenial Xerus" - Release amd64 
(20170215.2)
  ProcEnviron:
   TERM=xterm-256color
   PATH=(custom, no user)
   XDG_RUNTIME_DIR=
   LANG=en_US.UTF-8
   SHELL=/bin/bash
  SourcePackage: openssh
  UpgradeStatus: Upgraded to bionic on 2018-04-20 (0 days ago)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/1765844/+subscriptions


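The listing in that report shows every file in ~/.ssh at 0644, which is enough for ssh to refuse the private key and is exactly what the reporter's chmod corrected. As an added example (not the reporter's commands and not OpenSSH code), the C program below applies the same (mode & 077) test to a .ssh directory, reports private-key files that fail it, optionally resets them to 0600, and builds a constructed scratch copy of the reported listing to run against; a writable TMPDIR or /tmp is assumed, and all names are this example's own.

```c
/* Added example, not code from the bug report or from OpenSSH: audit a .ssh
 * directory for the condition the reporter hit. OpenSSH refuses a private key
 * whose mode grants any group/other permission ("Permissions 0644 for 'id_rsa'
 * are too open"), so (mode & 077) != 0 is the criterion used. All names are
 * this example's own. */
#define _DEFAULT_SOURCE 1
#include <dirent.h>
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Public by design: a loose mode on these exposes nothing (the reporter's
 * chmod tightened them too, which is harmless). */
static int is_public_by_design(const char *name)
{
    size_t n = strlen(name);
    if (n > 4 && strcmp(name + n - 4, ".pub") == 0)
        return 1;
    return strcmp(name, "known_hosts") == 0 || strcmp(name, "config") == 0 ||
           strcmp(name, "authorized_keys") == 0;
}

/* 1 when group or other get any permission: the test ssh applies to a key. */
int too_open(mode_t mode)
{
    return (mode & 077) != 0;
}

/* Counts regular files in dir that hold private material and are too open;
 * with fix != 0 each is reset to 0600, the remedy the reporter applied.
 * Returns the count found (before fixing), or -1 if dir cannot be opened. */
int audit_ssh_dir(const char *dir, int fix)
{
    DIR *d = opendir(dir);
    struct dirent *e;
    struct stat st;
    char path[4096];
    int bad = 0;
    if (d == NULL)
        return -1;
    while ((e = readdir(d)) != NULL) {
        if (strcmp(e->d_name, ".") == 0 || strcmp(e->d_name, "..") == 0)
            continue;
        snprintf(path, sizeof path, "%s/%s", dir, e->d_name);
        if (stat(path, &st) != 0 || !S_ISREG(st.st_mode))
            continue;
        if (is_public_by_design(e->d_name) || !too_open(st.st_mode))
            continue;
        bad++;
        printf("%s: mode %04o is too open for a private key\n",
               path, (unsigned)(st.st_mode & 07777));
        if (fix && chmod(path, 0600) == 0)
            printf("%s: reset to 0600\n", path);
    }
    closedir(d);
    return bad;
}

/* Constructed sample (assumes a writable $TMPDIR or /tmp): a scratch directory
 * mirroring the report's "ls -l ~/.ssh" listing, where everything was 0644,
 * plus one correctly protected key. Writes the path to buf; 0 on success. */
int make_sample_ssh_dir(char *buf, size_t n)
{
    static const struct { const char *name; mode_t mode; } files[] = {
        {"authorized_keys", 0644}, {"id_rsa", 0644}, {"id_rsa.pub", 0644},
        {"known_hosts", 0644}, {"id_ed25519", 0600},
    };
    const char *base = getenv("TMPDIR") ? getenv("TMPDIR") : "/tmp";
    char path[4096];
    size_t i;
    snprintf(buf, n, "%s/ssh-audit-sample.%ld", base, (long)getpid());
    if (mkdir(buf, 0700) != 0 && errno != EEXIST)
        return -1;
    for (i = 0; i < sizeof files / sizeof files[0]; i++) {
        int fd;
        snprintf(path, sizeof path, "%s/%s", buf, files[i].name);
        if ((fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600)) < 0)
            return -1;
        close(fd);
        if (chmod(path, files[i].mode) != 0)  /* explicit, so umask cannot interfere */
            return -1;
    }
    return 0;
}

int main(void)
{
    char dir[256];
    if (make_sample_ssh_dir(dir, sizeof dir) != 0)
        return 1;
    printf("too-open private keys: %d\n", audit_ssh_dir(dir, 1));  /* report and fix */
    return audit_ssh_dir(dir, 0) == 0 ? 0 : 1;                      /* re-check */
}
```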

[Touch-packages] [Bug 1750780] Re: Race with local file systems can make open-vm-tools fail to start

2018-04-20 Thread ChristianEhrhardt
This will only "become" an issue for Xenial/Artful with the backport.
But let's do it right for tracking - so I added/modified tasks for these
releases, which allows me to refer changes and changelog to here.

That way with the backport it will "be an issue" for the former
releases, but also instantly be closed for them.

For SRU consideration, due to the newer systemd in >=Bionic it is not
affected - so it is "invalid" there. But for SRU considerations this is
ok, as the "most recent release has to be fixed" is covered, there won't
be an upgrade regression as when going e.g. Xenial->Bionic.

In the queue for SRU review now - main bug 1741390

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to systemd in Ubuntu.
https://bugs.launchpad.net/bugs/1750780

Title:
  Race with local file systems can make open-vm-tools fail to start

Status in cloud-init:
  Invalid
Status in open-vm-tools package in Ubuntu:
  Invalid
Status in systemd package in Ubuntu:
  Fix Released
Status in open-vm-tools source package in Xenial:
  Triaged
Status in systemd source package in Xenial:
  New
Status in open-vm-tools source package in Artful:
  Triaged
Status in open-vm-tools package in Debian:
  Fix Released

Bug description:
  Since the change in [1] open-vm-tools-service starts very (very) early.
  Not so much due to the 
  Before=cloud-init-local.service
  But much more by
  DefaultDependencies=no

  That can trigger an issue that looks like
  root@ubuntuguest:~# systemctl status -l open-vm-tools.service
  ● open-vm-tools.service - Service for virtual machines hosted on VMware
 Loaded: loaded (/lib/systemd/system/open-vm-tools.service; enabled; vendor 
preset: enabled)
 Active: failed (Result: resources)

  
  As it is right now open-vm-tools can race with the other early start and then 
fail.
  In detail one can find a message like:
open-vm-tools.service: Failed to run 'start' task: Read-only file system"

  This is due to PrivateTmp=yes which is also set needing a writable
  /var/tmp [2]

  To ensure this works PrivateTmp would have to be removed (not good) or some 
after dependencies added that make this work reliably.
  I added
  After=local-fs.target
  which made it work for me in 3/3 tests.

  I'd like to have an ack by the cloud-init Team that this does not totally kill 
the originally intended Before=cloud-init-local.service
  I think it does not as local-fs can complete before cloud-init-local, then 
open-vm-tools can initialize and finally cloud-init-local can pick up the data.

  To summarize:
  # cloud-init-local #
  DefaultDependencies=no
  Wants=network-pre.target
  After=systemd-remount-fs.service
  Before=NetworkManager.service
  Before=network-pre.target
  Before=shutdown.target
  Before=sysinit.target
  Conflicts=shutdown.target
  RequiresMountsFor=/var/lib/cloud

  # open-vm-tools #
  DefaultDependencies=no
  Before=cloud-init-local.service

  Proposed is to add to the latter:
  After=local-fs.target

  [1]: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=859677
  [2]: https://github.com/systemd/systemd/issues/5610

To manage notifications about this bug go to:
https://bugs.launchpad.net/cloud-init/+bug/1750780/+subscriptions



[Touch-packages] [Bug 1750780] Re: Race with local file systems can make open-vm-tools fail to start

2018-04-20 Thread ChristianEhrhardt
** Also affects: open-vm-tools (Ubuntu Artful)
   Importance: Undecided
   Status: New

** Also affects: systemd (Ubuntu Artful)
   Importance: Undecided
   Status: New

** No longer affects: systemd (Ubuntu Artful)

** Changed in: open-vm-tools (Ubuntu Xenial)
   Status: Invalid => Triaged

** Changed in: open-vm-tools (Ubuntu Artful)
   Status: New => Triaged

** Changed in: open-vm-tools (Ubuntu)
   Status: Fix Released => Invalid

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to systemd in Ubuntu.
https://bugs.launchpad.net/bugs/1750780



[Touch-packages] [Bug 1718227] Re: replacement of ifupdown with netplan needs integration for /etc/network/if{up, down}.d scripts

2018-04-19 Thread ChristianEhrhardt
Fix for chrony (following networkd-dispatcher change in bug 1765152)
uploaded to bionic-unapproved as 3.2-4ubuntu4

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to ntp in Ubuntu.
https://bugs.launchpad.net/bugs/1718227

Title:
  replacement of ifupdown with netplan needs integration for
  /etc/network/if{up,down}.d scripts

Status in aiccu package in Ubuntu:
  Invalid
Status in aoetools package in Ubuntu:
  New
Status in avahi package in Ubuntu:
  New
Status in bind9 package in Ubuntu:
  Invalid
Status in chrony package in Ubuntu:
  Confirmed
Status in clamav package in Ubuntu:
  Triaged
Status in controlaula package in Ubuntu:
  New
Status in epoptes package in Ubuntu:
  New
Status in ethtool package in Ubuntu:
  New
Status in guidedog package in Ubuntu:
  New
Status in htpdate package in Ubuntu:
  New
Status in ifenslave package in Ubuntu:
  Won't Fix
Status in ifmetric package in Ubuntu:
  Won't Fix
Status in ifupdown-multi package in Ubuntu:
  New
Status in ifupdown-scripts-zg2 package in Ubuntu:
  Invalid
Status in isatapd package in Ubuntu:
  New
Status in lprng package in Ubuntu:
  New
Status in miredo package in Ubuntu:
  New
Status in mythtv package in Ubuntu:
  New
Status in nplan package in Ubuntu:
  New
Status in nss-pam-ldapd package in Ubuntu:
  New
Status in ntp package in Ubuntu:
  New
Status in openntpd package in Ubuntu:
  New
Status in openresolv package in Ubuntu:
  Won't Fix
Status in openssh package in Ubuntu:
  New
Status in openvpn package in Ubuntu:
  New
Status in openvswitch package in Ubuntu:
  New
Status in postfix package in Ubuntu:
  New
Status in quicktun package in Ubuntu:
  New
Status in resolvconf package in Ubuntu:
  New
Status in sendmail package in Ubuntu:
  New
Status in shorewall-init package in Ubuntu:
  New
Status in sidedoor package in Ubuntu:
  New
Status in slrn package in Ubuntu:
  New
Status in tinc package in Ubuntu:
  New
Status in ubuntu-fan package in Ubuntu:
  Fix Released
Status in ucarp package in Ubuntu:
  New
Status in uml-utilities package in Ubuntu:
  New
Status in uruk package in Ubuntu:
  New
Status in vlan package in Ubuntu:
  Won't Fix
Status in vzctl package in Ubuntu:
  Triaged
Status in wide-dhcpv6 package in Ubuntu:
  New
Status in wpa package in Ubuntu:
  New

Bug description:
  when network is configured with ifupdown, scripts in
  /etc/network/ifup.d/ were called on network being brought up and
  /etc/network/ifdown.d were called on network being brought down.

  Any packages that shipped these hooks need to be verified to have the
  same functionality under a netplan configured system.

  # binpkgs=$(apt-file search /etc/network/if-up | sed 's,: .*,,' | sort -u)
  # for i in $binpkgs; do
  #   src=$(apt-cache show $i | awk '$1 == "Source:" { print $2; exit(0); }');
  #   [ -z "$src" ] && src="$i"; echo $src;
  # done | sort -u

  aiccu
  aoetools
  avahi
  bind9
  chrony
  clamav
  controlaula
  epoptes
  ethtool
  guidedog
  htpdate
  ifenslave
  ifmetric
  ifupdown-extra
  ifupdown-multi
  ifupdown-scripts-zg2
  isatapd
  lprng
  miredo
  mythtv-backend
  nss-pam-ldapd
  ntp
  openntpd
  openresolv
  openssh
  openvpn
  postfix
  quicktun
  resolvconf
  sendmail
  shorewall-init
  sidedoor
  slrn
  tinc
  ubuntu-fan
  ucarp
  uml-utilities
  uruk
  vlan
  vzctl
  wide-dhcpv6
  wpa

  
  Related bugs:
   * bug 1718227: replacement of ifupdown with netplan needs integration for 
/etc/network/if{up,down}.d scripts 
   * bug 1713803: replacement of resolvconf with systemd needs integration 
   * bug 1717983: replacement of isc-dhcp-client with with systemd-networkd for 
dhclient needs integration

  
  ProblemType: Bug
  DistroRelease: Ubuntu 17.10
  Package: netplan (not installed)
  ProcVersionSignature: Ubuntu 4.12.0-11.12-generic 4.12.5
  Uname: Linux 4.12.0-11-generic x86_64
  NonfreeKernelModules: zfs zunicode zavl zcommon znvpair
  ApportVersion: 2.20.7-0ubuntu1
  Architecture: amd64
  CurrentDesktop: GNOME
  Date: Tue Sep 19 10:53:08 2017
  EcryptfsInUse: Yes
  InstallationDate: Installed on 2015-07-23 (789 days ago)
  InstallationMedia: Ubuntu 15.10 "Wily Werewolf" - Alpha amd64 (20150722.1)
  ProcEnviron:
   TERM=xterm-256color
   PATH=(custom, no user)
   XDG_RUNTIME_DIR=
   LANG=en_US.UTF-8
   SHELL=/bin/bash
  SourcePackage: plan
  UpgradeStatus: No upgrade log present (probably fresh install)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/aiccu/+bug/1718227/+subscriptions



[Touch-packages] [Bug 1718227] Re: replacement of ifupdown with netplan needs integration for /etc/network/if{up, down}.d scripts

2018-04-18 Thread ChristianEhrhardt
Tested on chrony which has a NetworkManager dispatch script that also
works as a hook for networkd-dispatcher.

Works fine by just dropping the links for now.
Changes visible when these hooks are in place

1. when sources get unreachable it detects offlining immediately (instead of 
trying all the time)
2. when a network drops but sources stay reachable nothing happens (no 
accidental offline)
3. when sources are offline and network is attached without connecting to 
anything they stay offline
4. when sources are offline and a connecting network is attached they all 
become online immediately
5. when a network is lost that was connecting to just some sources, only
those get set offline.

P.S. most of these cases can be well tested with virsh attach-device /
detach-device with multiple network cards (one that connects to network
and one that does not for example)

The biggest issue is that reusing that is very nice, but OTOH dangerous if it
gets NM-only code.
I'll start discussing that upstream before using it in any way.
That happened post 3.2 in
  b563048 "examples: ignore non-up/down events in nm-dispatcher script"

I'm now doing:
1. discussing upstream how we want to do it
2. bring that upstream for networkd-dispatcher
3. backport the change to Bionic chrony package
4. place the files to trigger the callbacks

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to ntp in Ubuntu.
https://bugs.launchpad.net/bugs/1718227

Title:
  replacement of ifupdown with netplan needs integration for
  /etc/network/if{up,down}.d scripts

Status in aiccu package in Ubuntu:
  Invalid
Status in aoetools package in Ubuntu:
  New
Status in avahi package in Ubuntu:
  New
Status in bind9 package in Ubuntu:
  Invalid
Status in chrony package in Ubuntu:
  Confirmed
Status in clamav package in Ubuntu:
  Triaged
Status in controlaula package in Ubuntu:
  New
Status in epoptes package in Ubuntu:
  New
Status in ethtool package in Ubuntu:
  New
Status in guidedog package in Ubuntu:
  New
Status in htpdate package in Ubuntu:
  New
Status in ifenslave package in Ubuntu:
  Won't Fix
Status in ifmetric package in Ubuntu:
  Won't Fix
Status in ifupdown-multi package in Ubuntu:
  New
Status in ifupdown-scripts-zg2 package in Ubuntu:
  Invalid
Status in isatapd package in Ubuntu:
  New
Status in lprng package in Ubuntu:
  New
Status in miredo package in Ubuntu:
  New
Status in mythtv package in Ubuntu:
  New
Status in nplan package in Ubuntu:
  New
Status in nss-pam-ldapd package in Ubuntu:
  New
Status in ntp package in Ubuntu:
  New
Status in openntpd package in Ubuntu:
  New
Status in openresolv package in Ubuntu:
  Won't Fix
Status in openssh package in Ubuntu:
  New
Status in openvpn package in Ubuntu:
  New
Status in openvswitch package in Ubuntu:
  New
Status in postfix package in Ubuntu:
  New
Status in quicktun package in Ubuntu:
  New
Status in resolvconf package in Ubuntu:
  New
Status in sendmail package in Ubuntu:
  New
Status in shorewall-init package in Ubuntu:
  New
Status in sidedoor package in Ubuntu:
  New
Status in slrn package in Ubuntu:
  New
Status in tinc package in Ubuntu:
  New
Status in ubuntu-fan package in Ubuntu:
  Fix Released
Status in ucarp package in Ubuntu:
  New
Status in uml-utilities package in Ubuntu:
  New
Status in uruk package in Ubuntu:
  New
Status in vlan package in Ubuntu:
  Won't Fix
Status in vzctl package in Ubuntu:
  Triaged
Status in wide-dhcpv6 package in Ubuntu:
  New
Status in wpa package in Ubuntu:
  New

Bug description:
  when network is configured with ifupdown, scripts in
  /etc/network/ifup.d/ were called on network being brought up and
  /etc/network/ifdown.d were called on network being brought down.

  Any packages that shipped these hooks need to be verified to have the
  same functionality under a netplan configured system.

  # binpkgs=$(apt-file search /etc/network/if-up | sed 's,: .*,,' | sort -u)
  # for i in $binpkgs; do
src=$(apt-cache show $i | awk '$1 == "Source:" { print $2; exit(0); }');
[ -z "$src" ] && src="$i"; echo $src; done | sort -u

  aiccu
  aoetools
  avahi
  bind9
  chrony
  clamav
  controlaula
  epoptes
  ethtool
  guidedog
  htpdate
  ifenslave
  ifmetric
  ifupdown-extra
  ifupdown-multi
  ifupdown-scripts-zg2
  isatapd
  lprng
  miredo
  mythtv-backend
  nss-pam-ldapd
  ntp
  openntpd
  openresolv
  openssh
  openvpn
  postfix
  quicktun
  resolvconf
  sendmail
  shorewall-init
  sidedoor
  slrn
  tinc
  ubuntu-fan
  ucarp
  uml-utilities
  uruk
  vlan
  vzctl
  wide-dhcpv6
  wpa

  
  Related bugs:
   * bug 1718227: replacement of ifupdown with netplan needs integration for /etc/network/if{up,down}.d scripts
   * bug 1713803: replacement of resolvconf with systemd needs integration
   * bug 1717983: replacement of isc-dhcp-client with systemd-networkd for dhclient needs integration

  
  ProblemType: Bug
  DistroRelease: Ubuntu 17.10
  Package: netplan (not 
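The chrony hook discussed in the comment above, a NetworkManager dispatcher script that is also dropped in as a networkd-dispatcher hook, raises the question of how one shared script should behave on events that only one of the two dispatchers emits. The following is an added example, not chrony's own script and not part of networkd-dispatcher or NetworkManager. It assumes the two call conventions as I understand them (NetworkManager passes interface and action as positional arguments; networkd-dispatcher exports IFACE and STATE), and the event names it reacts to, the interface-name check, and "chronyc onoffline" as the reaction are all illustrative assumptions.

```shell
#!/bin/sh
# Added example, not chrony's or networkd-dispatcher's own code.
# A hook body that serves both dispatcher call conventions and only acts
# on explicit up/down transitions, so a hook shared between the two never
# toggles NTP sources on an event it was not written for.

# The command to run; overridable so the logic can be exercised without
# chronyd (CHRONYC=echo).  "chronyc onoffline" is an assumption here.
CHRONYC="${CHRONYC:-chronyc}"

# Map a dispatcher event name to the action to take.  The event names
# listed are assumptions: "up"/"down" as NetworkManager sends them,
# "routable"/"off"/"no-carrier" as networkd-dispatcher states.  Anything
# else (dhcp4-change, hostname, connectivity-change, configuring, ...) is
# ignored rather than guessed at.
decide_action() {
    case "$1" in
        up|routable|down|off|no-carrier) echo onoffline ;;
        *) echo ignore ;;
    esac
}

# A hook runs as root with arguments supplied by the dispatcher.  Accept
# only plain kernel-style interface names so that an odd value never
# reaches a log line or a further command unchecked.
valid_iface() {
    case "$1" in
        ""|*[!A-Za-z0-9._-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Entry point: prefer the networkd-dispatcher environment, fall back to
# NetworkManager's positional arguments.  Returns 1 on a bad interface
# name, 0 otherwise (including the ignored-event case).
run_hook() {
    iface="${IFACE:-$1}"
    event="${STATE:-$2}"
    valid_iface "$iface" || { echo "hook: ignoring bad interface name" >&2; return 1; }
    case "$(decide_action "$event")" in
        onoffline) "$CHRONYC" onoffline ;;
        *) return 0 ;;
    esac
}

# Run only when called by a dispatcher (arguments or environment present),
# so the file can also be sourced for testing.
if [ -n "${IFACE:-}" ] || [ "$#" -ge 2 ]; then
    run_hook "$@"
fi
```

Installing the same file under both dispatcher directories is then safe in the sense the comment worries about: an event only one dispatcher knows falls through to the ignore branch instead of triggering a source state change.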

[Touch-packages] [Bug 1719579] Re: [Ubuntu 18.04] [libvirt] virsh restore fails from state file saved in /var/tmp folder using virsh save

2018-04-18 Thread ChristianEhrhardt
TBH - I haven't taken the former comment as a call for further action.
It was more of a summary of how docs and output could be better.

Let me answer:

1. document that --bypass-cache would help

Yeah it might be nice, but then it is just such a general thing.
It only affects apparmor users (not all libvirt users).
It only affects /tmp wi
I wonder how such a hint might look.
Checking the doc there is a Note on disk corruption for virsh restore - maybe there as another Note entry.
But I'm still not all in for this.

2. on older releases "error out or warn in Libvirt when performing save
in denial paths"

It is not really possible to predetect and differentiate if such a denial was the reason.
Looking into the future I think we might use per-guest overrides.


I was thinking about that more: the fact that everything but /tmp (with the explicit deny) just works, like:
 $ virsh save xenial-testshutdown-0 /var/anythingbuttmp.state
 $ virsh restore /var/anythingbuttmp.state
That annoys me a lot.

I'd suggest otherwise: we keep the past as it is without modifying man pages or anything like it (after all it is no regression I can SRU, and a very special case choosing /tmp only).
But I want to make it better thinking forward.
I thought about it again and again, and revisited the old bug that added those deny rules.
I think it is time to take them out in the next release.

That would mean it would generally work, and even if there is a deny it would at least be in the log.
See also:
- https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1403648/comments/6
- https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1403648/comments/12

I think the old assumptions don't hold true.
So for the current and stable releases we keep it as is, to not regress anyone (with too many logs).
But going forward I'd drop the deny rules and then all of this (and similar things where users WANT e.g. images in /tmp) would work.

Part of it would be to check that (way more modern and recent) openstack no longer has those issues, and if it has, look for something better as part of the fix, e.g. adapt how openstack sets the ceph config to no longer trigger /tmp /tmp/var access.

There are also rules like owner /tmp/pulse-*/ rw, in the meantime which get trumped by the deny.
TL;DR - taking out the deny and making the save/restore case of this bug no longer a special case would be much better IMHO.

If you are ok with that I'd create a new bug to:
1. take out the deny rules to /tmp early in Ubuntu 18.10
2. do an analysis with recent openstack+ceph if they still trigger access there

So are you ok with that approach?

P.S. If you really really (...really*) want/need a man page entry for
this special case we could work something out, but I think that would
not qualify as an SRU [1] so thinking forward is much better anyway.

[1]: https://wiki.ubuntu.com/StableReleaseUpdates

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1719579

Title:
  [Ubuntu 18.04] [libvirt] virsh restore fails from state file saved in
  /var/tmp folder using virsh save

Status in The Ubuntu-power-systems project:
  Fix Released
Status in apparmor package in Ubuntu:
  Invalid
Status in libvirt package in Ubuntu:
  Fix Released

Bug description:
  == Comment: #1 - SEETEENA THOUFEEK  - 2017-01-17 
00:09:16 ==
  Bala, Please mail me the machine information.

  == Comment: #3 - SEETEENA THOUFEEK  - 2017-01-17 
02:14:06 ==
  2017-01-16 12:09:37.707+: 7024: info : 
virSecurityDACRestoreFileLabelInternal:388 : Restoring DAC user and group on 
'/var/tmp/bala'
  2017-01-16 12:09:37.707+: 7024: info : 
virSecurityDACSetOwnershipInternal:290 : Setting DAC user and group on 
'/var/tmp/bala' to '0:0'
  2017-01-16 12:09:37.707+: 7024: warning : qemuDomainSaveImageStartVM:6750 
: failed to restore save state label on /var/tmp/bala
  2017-01-16 12:09:37.707+: 7024: info : virObjectUnref:259 : OBJECT_UNREF: 
obj=0x3fff4ca62b00
  2017-01-16 12:09:37.707+: 7024: debug : qemuDomainObjEndAsyncJob:1848 : 
Stopping async job: start (vm=0x3fff4ca535c0 name=virt-tests-vm1-bala)
  2017-01-16 12:09:37.707+: 7024: info : virObjectRef:296 : OBJECT_REF: 
obj=0x3fff4ca62b00
  2017-01-16 12:09:37.707+: 7024: info : virObjectUnref:259 : OBJECT_UNREF: 
obj=0x3fff4ca62b00
  2017-01-16 12:09:37.707+: 7024: info : virObjectUnref:259 : OBJECT_UNREF: 
obj=0x3fff4ca535c0
  2017-01-16 12:09:37.707+: 7024: debug : virThreadJobClear:121 : Thread 
7024 (virNetServerHandleJob) finished job remoteDispatchDomainRestore with 
ret=-1
  2017-01-16 12:09:37.707+: 7024: info : virObjectUnref:259 : OBJECT_UNREF: 
obj=0x3fff7c002c10
  2017-01-16 12:09:37.707+: 7024: debug : virNetServerProgramSendError:153 
: prog=536903814 ver=1 proc=54 type=1 serial=4 msg=0x100133d2590 
rerr=0x3fffa59be3c0
  2017-01-16 

[Touch-packages] [Bug 1719579] Re: [Ubuntu 18.04] [libvirt] virsh restore fails from state file saved in /var/tmp folder using virsh save

2018-04-18 Thread ChristianEhrhardt
** Changed in: libvirt (Ubuntu)
 Assignee: ChristianEhrhardt (paelzer) => (unassigned)


[Touch-packages] [Bug 1764715] [NEW] /dev/pts/0 access detected as /0

2018-04-17 Thread ChristianEhrhardt
Public bug reported:

Hi,
while debugging bug 1764373 I found this (distracting me at first).
But I realized those are two different issues.

So I'm filing the apparmor issue here.

Testcase:
0. get two LXD containers with Bionic
1. create KVM guest with uvtool

When the guest is spawning it tries to open /dev/pts/0 (and similar) for its console.
Here is an strace:
 0.34 stat("/dev/pts/0", {st_mode=S_IFCHR|0600, st_rdev=makedev(136, 0), ...}) = 0 <0.17>
 0.52 openat(AT_FDCWD, "/dev/pts/0", O_RDWR|O_NOCTTY) = 11 <0.19>
 0.000330 ioctl(11, TCGETS, {B38400 opost isig icanon echo ...}) = 0 <0.000105>
 0.000139 ioctl(11, TCGETS, {B38400 opost isig icanon echo ...}) = 0 <0.10>
 0.34 ioctl(11, SNDCTL_TMR_CONTINUE or TCSETSF, {B38400 -opost -isig -icanon -echo ...}) = 0 <0.13>
 0.37 ioctl(11, TCGETS, {B38400 -opost -isig -icanon -echo ...}) = 0 <0.10>
 0.34 ioctl(10, TCGETS, {B38400 -opost -isig -icanon -echo ...}) = 0 <0.11>
 0.33 ioctl(10, TIOCGPTN, [0]) = 0 <0.10>
 0.33 stat("/dev/pts/0", {st_mode=S_IFCHR|0600, st_rdev=makedev(136, 0), ...}) = 0 <0.16>
 0.45 close(11) = 0 <0.13>

The only Permission denied though (at all) is on /dev/pts/0 with this call:
0.55 ioctl(10, TIOCGPTPEER, 0x102) = -1 EACCES (Permission denied) <0.25>

But this is blocked by Apparmor according to dmesg:
audit: type=1400 audit(1523957176.480:37835): apparmor="DENIED"
namespace="root//lxd-testkvm-bionic-tononshared_"
pid=8721 comm="qemu-system-x86"
fsuid=64055 ouid=64055
profile="libvirt-1c67131a-7177-4f49-9840-f1092310890d"
denied_mask="wr"
  operation="open"
  name="/0"
  requested_mask="wr"

Now I wonder about two things:
1. it should be allowed as the profile has
#include 
And that has:
 /dev/pts/[0-9]* rw,
2. I think it misses parts of the path as it is a mount point
   devpts on /dev/pts type devpts (rw,nosuid,noexec,relatime,mode=620,ptmxmode=666,max=1024)

I think apparmor should process this as /dev/pts/0 still and then allow
it.

** Affects: apparmor (Ubuntu)
 Importance: Undecided
 Status: New



[Touch-packages] [Bug 1763182] Re: remove landscape-common from minimal image

2018-04-17 Thread ChristianEhrhardt
The seed change (to make it only a recommends) is pushed, thanks for the Ack!
Regenerated ubuntu-meta and pushed ubuntu-meta_1.416 to Bionic.

It is waiting in unapproved [1] atm.

https://launchpad.net/ubuntu/bionic/+queue?queue_state=1_text
=ubuntu-meta

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to ubuntu-meta in Ubuntu.
https://bugs.launchpad.net/bugs/1763182

Title:
  remove landscape-common from minimal image

Status in livecd-rootfs package in Ubuntu:
  New
Status in ubuntu-meta package in Ubuntu:
  In Progress

Bug description:
  The stated goal of minimal image is to strip out packages useful only
  to humans so that a smaller base can be used to build smaller
  applications running in clouds and in containers.

  To this end, please remove landscape-common as it pulls in a few
  python3 deps, and its goal is only to provide an entry in the dynamic
  MOTD that shows system statistics (disk usage, memory usage, etc) that
  a human would look at when logging in interactively.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/livecd-rootfs/+bug/1763182/+subscriptions



[Touch-packages] [Bug 1679704] Re: libvirt profile is blocking global setrlimit despite having no rlimit rule

2018-04-17 Thread ChristianEhrhardt
Tested the interim version from [1]
TL;DR: with that it is working

base: 4.15.0-13
proposed fix: 4.15.0.16.17

## Base ##
$virsh attach-device cpaelzer-bionic hp512.xml
error: Failed to attach device from hp512.xml
error: cannot limit locked memory of process 10121 to 96468992: Permission denied

DMESG:
[1031564.759963] audit: type=1400 audit(1523946413.082:15731): apparmor="DENIED" operation="setrlimit" info="cap_sys_resource" error=-13 profile="/usr/sbin/libvirtd" pid=8376 comm="libvirtd" rlimit=memlock value=96468992 peer="libvirt-70a586a2-ef34-4954-91ea-9a6ecab52da3"
[1031564.760010] audit: type=1400 audit(1523946413.082:15732): apparmor="DENIED" operation="setrlimit" info="cap_sys_resource" error=-13 profile="/usr/sbin/libvirtd" pid=8376 comm="libvirtd" rlimit=memlock value=96468992 peer="libvirt-70a586a2-ef34-4954-91ea-9a6ecab52da3"

## proposed fixed kernel ##
$ virsh attach-device cpaelzer-bionic hp512.xml
Device attached successfully

No denies in log.
Guest log on attach:
[   48.652358] pseries-hotplug-mem: Attempting to hot-add 2 LMB(s) at index 8008
[   48.652996] lpar: Attempting to resize HPT to shift 21
[   48.771485] lpar: Hash collision while resizing HPT
[   48.771491] Unable to resize hash page table to target order 21: -28
[   48.785406] Built 1 zonelists, mobility grouping on.  Total pages: 28174
[   48.785409] Policy zone: Normal
[   48.785951] lpar: Attempting to resize HPT to shift 21
[   48.898213] lpar: Hash collision while resizing HPT
[   48.898218] Unable to resize hash page table to target order 21: -28
[   48.906304] pseries-hotplug-mem: Memory at 8000 (drc index 8008) was hot-added
[   48.906305] pseries-hotplug-mem: Memory at 9000 (drc index 8009) was hot-added

[1]: https://launchpad.net/~canonical-kernel-team/+archive/ubuntu/unstable/+packages

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1679704

Title:
  libvirt profile is blocking global setrlimit despite having no rlimit
  rule

Status in The Ubuntu-power-systems project:
  In Progress
Status in apparmor package in Ubuntu:
  In Progress

Bug description:
  Hi,
  while debugging bug 1678322 I was running along apparmor issues.
  Thanks to jjohansen we debugged some of it and eventually I was asked to report to a bug.

  Symptom:
  [ 8976.950635] audit: type=1400 audit(1491310016.224:48): apparmor="DENIED" operation="setrlimit" profile="/usr/sbin/libvirtd" pid=10034 comm="libvirtd" rlimit=memlock value=1610612736

  But none of the profiles has any rlimit statement in it:
  $ grep -Hirn limit /etc/apparmor*
  /etc/apparmor.d/sbin.dhclient:58:  # such, if the dhclient3 daemon is subverted, this effectively limits it to
  /etc/apparmor.d/abstractions/ubuntu-helpers:16:# Limitations:
  /etc/apparmor.d/abstractions/ubuntu-helpers:64:  # in limited libraries so glibc's secure execution should be enough to not
  /etc/apparmor.d/cache/.features:13:rlimit {mask {cpu fsize data stack core rss nproc nofile memlock as locks sigpending msgqueue nice rtprio rttime

  The profile contains a child profile which makes reading the dumps a bit painful, but I'll attach them anyway for you to take a look.
  To "recreate" if needed check out bug 1678322 - TL;DR hot-add some VFs via libvirt.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu-power-systems/+bug/1679704/+subscriptions
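Both apparmor bugs in this digest (1764715 with its open denial reported as name="/0", and 1679704 with its setrlimit denial on the libvirtd profile) begin with a DENIED record in dmesg, and the first step in either case is reading the record's fields rather than the prose around it. The following is an added example, not code from AppArmor, libvirt or Ubuntu: a small parser that turns such records into dictionaries so they can be filtered and counted. Its sample input is constructed: the two records quoted in these bug reports re-joined onto single lines (the kernel emits each record as one line), plus one made-up ALLOWED record and one unrelated dmesg line so the filters have something to drop. The function names and the mountpoint_relative() heuristic are my own; the heuristic only encodes the symptom described in bug 1764715.

```python
"""Parse AppArmor audit records out of dmesg text and filter denials.

Added example for this thread; not code from AppArmor, libvirt or Ubuntu.
"""
import re
from typing import Dict, List, Optional

# "audit(<seconds>.<millis>:<serial>):" is the kernel audit header that
# precedes the apparmor key=value fields.
AUDIT_HDR = re.compile(r'audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):')
# One key=value pair; the value is either double-quoted or a bare token.
KV = re.compile(r'(\w+)=("([^"]*)"|(\S+))')

# Constructed sample input: the setrlimit record from bug 1679704 and the
# open record from bug 1764715, each re-joined onto a single line, plus one
# made-up ALLOWED (complain-mode) record and one non-audit dmesg line.
SAMPLE_DMESG = """\
[1031564.759963] audit: type=1400 audit(1523946413.082:15731): apparmor="DENIED" operation="setrlimit" info="cap_sys_resource" error=-13 profile="/usr/sbin/libvirtd" pid=8376 comm="libvirtd" rlimit=memlock value=96468992 peer="libvirt-70a586a2-ef34-4954-91ea-9a6ecab52da3"
audit: type=1400 audit(1523957176.480:37835): apparmor="DENIED" namespace="root//lxd-testkvm-bionic-tononshared_" pid=8721 comm="qemu-system-x86" fsuid=64055 ouid=64055 profile="libvirt-1c67131a-7177-4f49-9840-f1092310890d" denied_mask="wr" operation="open" name="/0" requested_mask="wr"
[1031599.000000] audit: type=1400 audit(1523957200.000:37900): apparmor="ALLOWED" operation="open" profile="example-profile" name="/etc/hosts" pid=4242 comm="example" requested_mask="r" denied_mask="r"
[1031600.000000] usb 1-1: new high-speed USB device number 3 using xhci_hcd
"""


def parse_audit_line(line: str) -> Optional[Dict[str, str]]:
    """Return the fields of one AppArmor audit record, or None for any
    other dmesg line (non-audit lines, audit records of other subsystems)."""
    hdr = AUDIT_HDR.search(line)
    if hdr is None or 'apparmor=' not in line:
        return None
    rec: Dict[str, str] = {'audit_ts': hdr.group('ts'),
                           'audit_serial': hdr.group('serial')}
    for key, _whole, quoted, bare in KV.findall(line[hdr.end():]):
        rec[key] = quoted if quoted else bare
    return rec


def parse_dmesg(text: str) -> List[Dict[str, str]]:
    """Parse every AppArmor record in a dmesg/kern.log dump, in order."""
    records = []
    for line in text.splitlines():
        rec = parse_audit_line(line)
        if rec is not None:
            records.append(rec)
    return records


def denials(records: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Keep only enforce-mode denials; ALLOWED records are complain-mode noise."""
    return [r for r in records if r.get('apparmor') == 'DENIED']


def mountpoint_relative(rec: Dict[str, str]) -> bool:
    """Heuristic for the bug 1764715 symptom: an open denial whose name is a
    bare top-level entry ("/0") instead of the full path ("/dev/pts/0"),
    which is what a path resolved relative to a mount point looks like.
    A profile rule such as '/dev/pts/[0-9]* rw,' can never match such a name."""
    name = rec.get('name', '')
    return (rec.get('operation') == 'open'
            and len(name) > 1
            and name.startswith('/')
            and name.count('/') == 1)


def summarize(records: List[Dict[str, str]]) -> Dict[str, int]:
    """Count denials per profile and operation: the first cut when deciding
    whether a missing profile rule or something else (here a setrlimit on a
    peer profile, reported with info="cap_sys_resource") is responsible."""
    counts: Dict[str, int] = {}
    for rec in denials(records):
        key = f"{rec.get('profile', '?')} {rec.get('operation', '?')}"
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == '__main__':
    recs = parse_dmesg(SAMPLE_DMESG)
    for key, n in sorted(summarize(recs).items()):
        print(f'{n:3d}  {key}')
    for rec in denials(recs):
        if mountpoint_relative(rec):
            print('suspicious path in denial:', rec['name'], 'profile', rec['profile'])
```

Feed it the output of `dmesg` or the contents of kern.log; the two records from the bug reports come out as one setrlimit denial carrying rlimit, value and peer fields (nothing a file rule could address) and one open denial whose name the heuristic flags as not being a full path.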



[Touch-packages] [Bug 1679704] Re: libvirt profile is blocking global setrlimit despite having no rlimit rule

2018-04-16 Thread ChristianEhrhardt
Test kernel somewhere that supports PPC64?



[Touch-packages] [Bug 1718227] Re: replacement of ifupdown with netplan needs integration for /etc/network/if{up, down}.d scripts

2018-04-16 Thread ChristianEhrhardt
Let's break this into use cases in Bionic:

I was not sure who should win in each case.
We might either want the clear "order" chrony > ntp > openntp > systemd-timesyncd
Or we might want a "last installed" approach, but that is hard as upgrades do not count here, only a real "install". What would "--reinstall" be in these cases?
Maybe we should stick with the clear order, that at least seems more deterministic.
Cases 4-6 try to cover testing that order invariance.

This is an "ideal world" approach, not sure if we can achieve that in the short term.
After the "=>" assignment is the service that should run (and only this one).

0. default install - systemd-timesyncd

1. default install - install chrony => Chrony
1b.- remove chrony => systemd-timesyncd

2. default install - install ntp  => NTP
2b.- remove ntp => systemd-timesyncd

3. default install - install openntp => openntp
3b.- remove openntp => systemd-timesyncd

4. default install - install ntp, install chrony => Chrony
4b.  remove chrony => NTP
4c.  remove NTP => systemd-timesyncd

5. default install - install chrony, install NTP => Chrony
5b.  remove Chrony => NTP
5c.  remove NTP => systemd-timesyncd

6. default install - install openntp => openntp
6b.  install NTP => NTP
6c.  install chrony => chrony
6d.  remove NTP & Chrony => openntp
6e.  remove openntp => systemd-timesyncd

7. xenial with ntp - upgrade to B => NTP

8. xenial with ntp - upgrade to B, install chrony => Chrony

9. xenial with ntp - upgrade to B, remove NTP => systemd-timesyncd

10. xenial without ntp - upgrade to B => systemd-timesyncd


[Touch-packages] [Bug 1718227] Re: replacement of ifupdown with netplan needs integration for /etc/network/if{up, down}.d scripts

2018-04-16 Thread ChristianEhrhardt
Nice summary, but wrong bug - sorry for the noise here :-/

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to ntp in Ubuntu.
https://bugs.launchpad.net/bugs/1718227

Title:
  replacement of ifupdown with netplan needs integration for
  /etc/network/if{up,down}.d scripts

Status in aiccu package in Ubuntu:
  Invalid
Status in aoetools package in Ubuntu:
  New
Status in avahi package in Ubuntu:
  New
Status in bind9 package in Ubuntu:
  Invalid
Status in chrony package in Ubuntu:
  Confirmed
Status in clamav package in Ubuntu:
  Triaged
Status in controlaula package in Ubuntu:
  New
Status in epoptes package in Ubuntu:
  New
Status in ethtool package in Ubuntu:
  New
Status in guidedog package in Ubuntu:
  New
Status in htpdate package in Ubuntu:
  New
Status in ifenslave package in Ubuntu:
  Won't Fix
Status in ifmetric package in Ubuntu:
  Won't Fix
Status in ifupdown-multi package in Ubuntu:
  New
Status in ifupdown-scripts-zg2 package in Ubuntu:
  Invalid
Status in isatapd package in Ubuntu:
  New
Status in lprng package in Ubuntu:
  New
Status in miredo package in Ubuntu:
  New
Status in mythtv package in Ubuntu:
  New
Status in nplan package in Ubuntu:
  New
Status in nss-pam-ldapd package in Ubuntu:
  New
Status in ntp package in Ubuntu:
  New
Status in openntpd package in Ubuntu:
  New
Status in openresolv package in Ubuntu:
  Won't Fix
Status in openssh package in Ubuntu:
  New
Status in openvpn package in Ubuntu:
  New
Status in openvswitch package in Ubuntu:
  New
Status in postfix package in Ubuntu:
  New
Status in quicktun package in Ubuntu:
  New
Status in resolvconf package in Ubuntu:
  New
Status in sendmail package in Ubuntu:
  New
Status in shorewall-init package in Ubuntu:
  New
Status in sidedoor package in Ubuntu:
  New
Status in slrn package in Ubuntu:
  New
Status in tinc package in Ubuntu:
  New
Status in ubuntu-fan package in Ubuntu:
  Fix Released
Status in ucarp package in Ubuntu:
  New
Status in uml-utilities package in Ubuntu:
  New
Status in uruk package in Ubuntu:
  New
Status in vlan package in Ubuntu:
  Won't Fix
Status in vzctl package in Ubuntu:
  Triaged
Status in wide-dhcpv6 package in Ubuntu:
  New
Status in wpa package in Ubuntu:
  New

Bug description:
  When the network is configured with ifupdown, scripts in
  /etc/network/ifup.d/ were called on network being brought up and
  /etc/network/ifdown.d were called on network being brought down.

  Any packages that shipped these hooks need to be verified to have the
  same functionality under a netplan configured system.

  # binpkgs=$(apt-file search /etc/network/if-up | sed 's,: .*,,' | sort -u)
  # for i in $binpkgs; do
  >   src=$(apt-cache show $i | awk '$1 == "Source:" { print $2; exit(0); }');
  >   [ -z "$src" ] && src="$i"; echo $src; done | sort -u

  aiccu
  aoetools
  avahi
  bind9
  chrony
  clamav
  controlaula
  epoptes
  ethtool
  guidedog
  htpdate
  ifenslave
  ifmetric
  ifupdown-extra
  ifupdown-multi
  ifupdown-scripts-zg2
  isatapd
  lprng
  miredo
  mythtv-backend
  nss-pam-ldapd
  ntp
  openntpd
  openresolv
  openssh
  openvpn
  postfix
  quicktun
  resolvconf
  sendmail
  shorewall-init
  sidedoor
  slrn
  tinc
  ubuntu-fan
  ucarp
  uml-utilities
  uruk
  vlan
  vzctl
  wide-dhcpv6
  wpa

  
  Related bugs:
   * bug 1718227: replacement of ifupdown with netplan needs integration for /etc/network/if{up,down}.d scripts
   * bug 1713803: replacement of resolvconf with systemd needs integration
   * bug 1717983: replacement of isc-dhcp-client with systemd-networkd for dhclient needs integration

  
  ProblemType: Bug
  DistroRelease: Ubuntu 17.10
  Package: netplan (not installed)
  ProcVersionSignature: Ubuntu 4.12.0-11.12-generic 4.12.5
  Uname: Linux 4.12.0-11-generic x86_64
  NonfreeKernelModules: zfs zunicode zavl zcommon znvpair
  ApportVersion: 2.20.7-0ubuntu1
  Architecture: amd64
  CurrentDesktop: GNOME
  Date: Tue Sep 19 10:53:08 2017
  EcryptfsInUse: Yes
  InstallationDate: Installed on 2015-07-23 (789 days ago)
  InstallationMedia: Ubuntu 15.10 "Wily Werewolf" - Alpha amd64 (20150722.1)
  ProcEnviron:
   TERM=xterm-256color
   PATH=(custom, no user)
   XDG_RUNTIME_DIR=
   LANG=en_US.UTF-8
   SHELL=/bin/bash
  SourcePackage: plan
  UpgradeStatus: No upgrade log present (probably fresh install)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/aiccu/+bug/1718227/+subscriptions

-- 
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp


[Touch-packages] [Bug 1759573] Re: vlan on top of untagged network won't start

2018-04-13 Thread ChristianEhrhardt
Thanks Dan for pointing to the right solution.
Would you make this bug a dup then and add tasks for xenial (this is what this 
bug is reported as) if needed to the target bug?

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to ifupdown in Ubuntu.
https://bugs.launchpad.net/bugs/1759573

Title:
  vlan on top of untagged network won't start

Status in ifupdown package in Ubuntu:
  New
Status in vlan package in Ubuntu:
  New

Bug description:

  Due to an upgrade (probably of the ifupdown or vlan package), this
  specific network configuration no longer comes up automatically:
  1) Two or more network interfaces bonded
  2) An untagged network configured on that bond
  3) A vlan on top of that untagged network

  What does come up automatically:
  1) A single (e.g. unbonded) network interface with an untagged network 
configured and a vlan on top of that network
  2) Two or more network interfaces bonded with a vlan on top of that untagged 
bond

  An exact example of the configuration that doesn't work is provided
  below. It fails to come up correctly, both during boot and manually.
  The problem seems to be a blocking dependency loop between the bond
  and the vlan.

  As recommended in
  https://bugs.launchpad.net/ubuntu/+source/ifupdown/+bug/1636708/comments/13
  we added dependency ordering using ifup@.service systemd units for all
  4 interfaces, but this did not affect the behaviour in any way.

  Perhaps related to LP bug 1573272 or bug 1636708?

  ==
  Interface configuration
  ==

  auto eno1
  iface eno1 inet manual
      mtu 1500
      bond-master bond1
      bond-primary eno1

  auto eno2
  iface eno2 inet manual
      mtu 1500
      bond-master bond1

  auto bond1
  iface bond1 inet static
      mtu 1500
      address 10.10.10.3
      bond-miimon 100
      bond-mode active-backup
      bond-slaves none
      bond-downdelay 0
      bond-updelay 0
      dns-nameservers 10.10.10.1
      gateway 10.10.10.1
      netmask 255.255.0.0

  auto bond1.2
  iface bond1.2 inet static
      mtu 1500
      address 10.11.10.3
      netmask 255.255.0.0
      vlan-raw-device bond1

  ==
  When bringing up the bond
  ==

  # ifup bond1 &
  Waiting for a slave to join bond1 (will timeout after 60s)
  # ps afx
  (...)
  ifup bond1
   \_ /bin/sh -c /bin/run-parts --exit-on-error /etc/network/if-pre-up.d
   \_ /bin/run-parts --exit-on-error /etc/network/if-pre-up.d
   \_ /bin/sh /etc/network/if-pre-up.d/ifenslave
  (...)
  /lib/systemd/systemd-udevd
   \_ /lib/systemd/systemd-udevd
   \_ /bin/sh /lib/udev/vlan-network-interface
   \_ /bin/sh /etc/network/if-pre-up.d/vlan
   \_ ifup bond1
  (...)

  ==> After waiting 60 seconds:

  # ip link | grep -E 'eno[1|2]|bond1*'
  eno1:  mtu 1500 qdisc mq state DOWN mode DEFAULT group 
default qlen 1000
  eno2:  mtu 1500 qdisc mq state DOWN mode DEFAULT group 
default qlen 1000
  bond1:  mtu 1500 qdisc noqueue 
state DOWN mode DEFAULT group default qlen 1000
  bond1.2@bond1:  mtu 1500 qdisc noqueue 
state LOWERLAYERDOWN mode DEFAULT group default qlen 1000

  ==
  When bringing up a slave
  ==

  # ifup eno1
  Waiting for bond master bond1 to be ready
  # ps afx
  (...)
  /lib/systemd/systemd-udevd
   \_ /lib/systemd/systemd-udevd
   \_ /bin/sh /lib/udev/vlan-network-interface
   \_ /bin/sh /etc/network/if-pre-up.d/vlan
   \_ ifup bond1
   \_ /bin/sh -c /bin/run-parts --exit-on-error 
/etc/network/if-pre-up.d
   \_ /bin/run-parts --exit-on-error 
/etc/network/if-pre-up.d
   \_ /bin/sh /etc/network/if-pre-up.d/ifenslave
   \_ /bin/sh /lib/udev/vlan-network-interface
   \_ /bin/sh /etc/network/if-pre-up.d/vlan
   \_ ifup bond1
  (...)
  # ip link | grep -E 'eno[1|2]|bond1*'
  eno1:  mtu 1500 qdisc mq master bond1 
state UP mode DEFAULT group default qlen 1000
  eno2:  mtu 1500 qdisc mq state DOWN mode DEFAULT group 
default qlen 1000
  bond1:  mtu 1500 qdisc noqueue state 
UP mode DEFAULT group default qlen 1000

  ==
  Only workaround that works
  ==

  # ifup eno1
  Waiting for bond master bond1 to be ready
  # kill $(ps -ef | grep 'ifup bond1' | sed -n 2p | 

[Touch-packages] [Bug 1763182] Re: remove landscape-common from minimal image

2018-04-12 Thread ChristianEhrhardt
@Steve - just to be sure, in
https://bazaar.launchpad.net/~vorlon/livecd-rootfs/lp.1763182/revision/1662
when removing landscape-common for minimization, would you need something
like an apt autoremove to get rid of the dependencies it brought in before?

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to ubuntu-meta in Ubuntu.
https://bugs.launchpad.net/bugs/1763182

Title:
  remove landscape-common from minimal image

Status in livecd-rootfs package in Ubuntu:
  New
Status in ubuntu-meta package in Ubuntu:
  In Progress

Bug description:
  The stated goal of minimal image is to strip out packages useful only
  to humans so that a smaller base can be used to build smaller
  applications running in clouds and in containers.

  To this end, please remove landscape-common as it pulls in a few
  python3 deps, and its goal is only to provide an entry in the dynamic
  MOTD that shows system statistics (disk usage, memory usage, etc) that
  a human would look at when logging in interactively.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/livecd-rootfs/+bug/1763182/+subscriptions



[Touch-packages] [Bug 1763182] Re: remove landscape-common from minimal image

2018-04-12 Thread ChristianEhrhardt
MP for seeds to make it a recommends at
https://code.launchpad.net/~paelzer/ubuntu-seeds/18.04-remove-landscape-from-min/+merge/343063

If that is agreed and germinate ran once I can do a follow on
ubuntu-meta bump which will make it the recommends as you need it.

** Branch linked: lp:~paelzer/ubuntu-seeds/18.04-remove-landscape-from-min

** Changed in: ubuntu-meta (Ubuntu)
   Status: New => In Progress



[Touch-packages] [Bug 857651] Re: Unable to hide users from login screen / user switcher

2018-04-11 Thread ChristianEhrhardt
** Tags added: bionic

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to lightdm in Ubuntu.
https://bugs.launchpad.net/bugs/857651

Title:
  Unable to hide users from login screen / user switcher

Status in accountsservice:
  Confirmed
Status in accountsservice package in Ubuntu:
  Triaged
Status in lightdm package in Ubuntu:
  Triaged

Bug description:
  Users that I have appended to the 'hidden-users' field in
  /etc/lightdm/users.conf are not actually hidden. They are still listed
  on the login screen and in Unity's user switching menu.

  ProblemType: Bug
  DistroRelease: Ubuntu 11.10
  Package: lightdm 0.9.7-0ubuntu1
  ProcVersionSignature: Ubuntu 3.0.0-11.18-generic 3.0.4
  Uname: Linux 3.0.0-11-generic x86_64
  ApportVersion: 1.23-0ubuntu1
  Architecture: amd64
  Date: Fri Sep 23 11:44:29 2011
  InstallationMedia: Ubuntu 11.04 "Natty Narwhal" - Beta amd64 (20110413)
  SourcePackage: lightdm
  UpgradeStatus: Upgraded to oneiric on 2011-09-23 (0 days ago)
  mtime.conffile..etc.lightdm.users.conf: 2011-09-23T08:46:55.039175

To manage notifications about this bug go to:
https://bugs.launchpad.net/accountsservice/+bug/857651/+subscriptions



[Touch-packages] [Bug 1679704] Re: libvirt profile is blocking global setrlimit despite having no rlimit rule

2018-04-05 Thread ChristianEhrhardt
Example Deny:
[  774.341606] audit: type=1400 audit(1522915593.238:42): apparmor="DENIED" operation="setrlimit" info="cap_sys_resource" error=-13 profile="/usr/sbin/libvirtd" pid=8376 comm="libvirtd" rlimit=memlock value=96468992 peer="libvirt-70a586a2-ef34-4954-91ea-9a6ecab52da3"

Source: libvirt
Target: qemu process libvirt-70a586a2-ef34-4954-91ea-9a6ecab52da3
Action: change rlimits

TL;DR to re-summarize:
- certain actions let libvirt change the rlimit of the qemu guest
  - such actions are memory hotplug on ppc
  - pci hotplug of some devices
- libvirtd apparmor profile allows cap_sys_resource
- there is no rlimit rule restricting that in the profile
- a bug in the kernel part of apparmor blocks this and breaks the use-case
- as prechecked by jjohansen he seems to have an idea how to fix (see comment #16)
  - but for yet unknown reasons activity has fallen silent for a few months
- finding that mem hotplug is also affected bumps the priority

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1679704

Title:
  libvirt profile is blocking global setrlimit despite having no rlimit
  rule

Status in The Ubuntu-power-systems project:
  In Progress
Status in apparmor package in Ubuntu:
  In Progress

Bug description:
  Hi,
  while debugging bug 1678322 I ran into apparmor issues.
  Thanks to jjohansen we debugged some of it and eventually I was asked to
  report a bug.

  Symptom:
  [ 8976.950635] audit: type=1400 audit(1491310016.224:48): apparmor="DENIED" operation="setrlimit" profile="/usr/sbin/libvirtd" pid=10034 comm="libvirtd" rlimit=memlock value=1610612736

  But none of the profiles has any rlimit statement in it:
  $ grep -Hirn limit /etc/apparmor*
  /etc/apparmor.d/sbin.dhclient:58:  # such, if the dhclient3 daemon is subverted, this effectively limits it to
  /etc/apparmor.d/abstractions/ubuntu-helpers:16:# Limitations:
  /etc/apparmor.d/abstractions/ubuntu-helpers:64:  # in limited libraries so glibc's secure execution should be enough to not
  /etc/apparmor.d/cache/.features:13:rlimit {mask {cpu fsize data stack core rss nproc nofile memlock as locks sigpending msgqueue nice rtprio rttime

  
  The profile contains a child profile which makes reading the dumps a bit
  painful, but I'll attach them anyway for you to take a look.
  To "recreate" if needed check out bug 1678322 - TL;DR hot-add some VFs via
  libvirt.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu-power-systems/+bug/1679704/+subscriptions

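
A triage helper for the denials quoted in this comment and in the bug description, added here as an example (it is not part of the bug report or of the apparmor project): it splits the kernel audit records into fields, lists DENIED setrlimit events as Source/Target/Action the way the comment does, and checks whether a profile text actually carries a "set rlimit" rule for that resource. SAMPLE_DMESG copies the two audit lines from this thread; the two profile fragments are constructed and are not Ubuntu's real libvirtd profile.

```python
"""Triage AppArmor setrlimit denials of the kind quoted in bug 1679704."""
import re
import shlex

# Kernel audit record: "[ ts ] audit: type=1400 audit(secs:serial): k=v k="v" ..."
AUDIT_RE = re.compile(r"audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):\s*(?P<fields>.*)$")
# AppArmor profile rlimit rule, e.g. "set rlimit memlock <= 64M," (apparmor.d(5))
RLIMIT_RULE_RE = re.compile(r"^\s*set\s+rlimit\s+(?P<res>\w+)\s*<=\s*(?P<val>\S+)\s*,", re.M)
INT_FIELDS = {"pid", "error", "value"}

# The two audit lines quoted in this thread, joined back onto one line each.
SAMPLE_DMESG = """\
[  774.341606] audit: type=1400 audit(1522915593.238:42): apparmor="DENIED" operation="setrlimit" info="cap_sys_resource" error=-13 profile="/usr/sbin/libvirtd" pid=8376 comm="libvirtd" rlimit=memlock value=96468992 peer="libvirt-70a586a2-ef34-4954-91ea-9a6ecab52da3"
[ 8976.950635] audit: type=1400 audit(1491310016.224:48): apparmor="DENIED" operation="setrlimit" profile="/usr/sbin/libvirtd" pid=10034 comm="libvirtd" rlimit=memlock value=1610612736
"""

# Constructed profile fragments (not the real Ubuntu libvirtd profile):
# the first mirrors the bug (capability granted, no rlimit rule at all),
# the second shows what an intentional limit would look like.
PROFILE_NO_RULE = """\
/usr/sbin/libvirtd {
  capability sys_resource,
  /usr/sbin/libvirtd mr,
}
"""
PROFILE_WITH_RULE = """\
/usr/sbin/libvirtd {
  capability sys_resource,
  set rlimit memlock <= 64M,
}
"""


def parse_audit_line(line):
    """Split one audit record into a dict; None if the line is not one."""
    m = AUDIT_RE.search(line)
    if m is None:
        return None
    rec = {"ts": m.group("ts"), "serial": int(m.group("serial"))}
    for tok in shlex.split(m.group("fields")):   # shlex strips the quotes
        key, sep, val = tok.partition("=")
        if sep:
            rec[key] = int(val) if key in INT_FIELDS else val
    return rec


def setrlimit_denials(log_text):
    """DENIED setrlimit records summarised as the comment does:
    Source = confined profile, Target = peer whose limits change, Action."""
    out = []
    for line in log_text.splitlines():
        rec = parse_audit_line(line)
        if not rec or rec.get("apparmor") != "DENIED" or rec.get("operation") != "setrlimit":
            continue
        out.append({
            "source": rec["profile"],
            "target": rec.get("peer"),   # None when the process changes its own limits
            "action": "change rlimits",
            "rlimit": rec.get("rlimit"),
            "value": rec.get("value"),
            "info": rec.get("info"),     # e.g. cap_sys_resource, or absent
            "serial": rec["serial"],
        })
    return out


def rlimit_rules(profile_text):
    """resource -> limit for every 'set rlimit' rule in a profile text."""
    return {m.group("res"): m.group("val") for m in RLIMIT_RULE_RE.finditer(profile_text)}


def explain_denial(denial, profile_text):
    """'by rule' if the profile limits that resource (the deny is expected);
    'no rule' if it does not, which is the contradiction this bug is about."""
    return "by rule" if denial["rlimit"] in rlimit_rules(profile_text) else "no rule"


if __name__ == "__main__":
    for d in setrlimit_denials(SAMPLE_DMESG):
        print("Source: %s  Target: %s  Action: %s (%s=%s) -> %s"
              % (d["source"], d["target"], d["action"], d["rlimit"], d["value"],
                 explain_denial(d, PROFILE_NO_RULE)))
```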


[Touch-packages] [Bug 1679704] Re: libvirt profile is blocking global setrlimit despite having no rlimit rule

2018-04-05 Thread ChristianEhrhardt
FYI: Test case of the mem hotplug in
https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1755153/comments/7

Only triggers on powerpc as they lock some memory while doing so (x86
does not).



[Touch-packages] [Bug 1718227] Re: replacement of ifupdown with netplan needs integration for /etc/network/if{up, down}.d scripts

2018-04-04 Thread ChristianEhrhardt
I heard people talk about it, but realized the tracker is missing a Task for 
openvswitch:
/etc/network/if-post-down.d/openvswitch
/etc/network/if-pre-up.d/openvswitch

If I recall all the discussions correctly, that was one of the harder cases
due to "Pre" not really being a defined thing anymore.

The question is how much OVS relies on that to work as PRE, or if it can
be later (or totally ignored).

I'll ping Jamespage about this for his OVS experience.

P.S. sorry if I duplicate some work here, but I can't find it in the bug
at all, so better twice than missed.

** Also affects: openvswitch (Ubuntu)
   Importance: Undecided
   Status: New

[Touch-packages] [Bug 1732030] Re: 'apt update' dies with seccomp error

2018-04-04 Thread ChristianEhrhardt
Something seems broken in your config; all those basic things should be
allowed IMHO (and they are, or I'd hit them as well).

You could iterate on this with [1], which for this case would let you also add
"connect".
But I doubt that will eventually resolve your issue.
The question is why it breaks for you at all while it works for others
in general.

If you iterate, adding more and more exceptions, you might come back with the
list that you needed.
But I'm pretty sure connect and socket would have been allowed already if
everything were right.

[1]: https://filippo.io/linux-syscall-table/

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apt in Ubuntu.
https://bugs.launchpad.net/bugs/1732030

Title:
  'apt update' dies with seccomp error

Status in apt package in Ubuntu:
  Confirmed
Status in libvirt package in Ubuntu:
  Fix Released

Bug description:
  $ apt-get update
  0% [Working]
    Seccomp prevented execution of syscall 78 on architecture amd64 

  Reading package lists... Done
  E: Method mirror has died unexpectedly!
  E: Sub-process mirror returned an error code (31)

  ProblemType: Bug
  DistroRelease: Ubuntu 18.04
  Package: apt 1.6~alpha5
  ProcVersionSignature: Ubuntu 4.13.0-16.19-generic 4.13.4
  Uname: Linux 4.13.0-16-generic x86_64
  NonfreeKernelModules: zfs zunicode zavl zcommon znvpair
  ApportVersion: 2.20.7-0ubuntu4
  Architecture: amd64
  Date: Mon Nov 13 23:10:57 2017
  ProcEnviron:
   LANGUAGE=en_US:en
   TERM=xterm
   PATH=(custom, no user)
   LANG=en_US.UTF-8
   SHELL=/bin/zsh
  SourcePackage: apt
  UpgradeStatus: Upgraded to bionic on 2017-05-20 (177 days ago)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apt/+bug/1732030/+subscriptions



[Touch-packages] [Bug 1732030] Re: 'apt update' dies with seccomp error

2018-04-04 Thread ChristianEhrhardt
:-)
Oh I see, the line break added by LP in my example led Jimmy the wrong way.
Obviously for the config to work it needs to be there :-)

@Jimmy - Please retry, and check the file content with e.g. cat after
the echo.



Re: [Touch-packages] [Bug 1732030] Re: 'apt update' dies with seccomp error

2018-04-04 Thread ChristianEhrhardt
On Wed, Apr 4, 2018 at 10:12 AM, Jimmy Olsen  wrote:

> It`still giving me same error:
>
> marcos@marcos:~$ echo 'apt::sandbox::seccomp::allow { "socket" };' | sudo
> tee
> [sudo] password for marcos:
> apt::sandbox::seccomp::allow { "socket" };
> marcos@marcos:~$ sudo apt update
>
[...]

>   Seccomp prevented execution of syscall 41 on architecture
> amd64 
>

Hmm, maybe my override isn't perfect; yet since I can't reproduce it to
improve it, I have to wait for Julian to take a look at this.



Re: [Touch-packages] [Bug 1732030] Re: 'apt update' dies with seccomp error

2018-04-04 Thread ChristianEhrhardt
On Wed, Apr 4, 2018 at 8:29 AM, Jimmy Olsen  wrote:

> Hi Christian. I tried to run this command but it didnt work:
>
> marcos@marcos:~$ echo 'apt::sandbox::seccomp::allow { "socket" };' >
> /etc/apt/apt.conf.d/99seccomp
> bash: /etc/apt/apt.conf.d/99seccomp: Permission denied
>

The path this gets placed in is only writable by root.
So you either need to "sudo su" before you do the above,
or you can use sudo to write with root permissions through tee, like:

 $ echo 'apt::sandbox::seccomp::allow { "socket" };' | sudo tee /etc/apt/apt.conf.d/99seccomp



[Touch-packages] [Bug 1732030] Re: 'apt update' dies with seccomp error

2018-04-04 Thread ChristianEhrhardt
Hmm,
0041 should be sys_socket

With the error present (in your case ppa enabled), could you add this
and retry:

echo 'apt::sandbox::seccomp::allow { "socket" };' > /etc/apt/apt.conf.d/99seccomp

If it works with that it really was the socket call, and Julian can
consider adding it.

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=879814#15 has listed
0041 as well, and I thought it was done, but your check will help Julian
for sure.


** Bug watch added: Debian Bug tracker #879814
   https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=879814

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apt in Ubuntu.
https://bugs.launchpad.net/bugs/1732030

Title:
  'apt update' dies with seccomp error

Status in apt package in Ubuntu:
  Confirmed
Status in libvirt package in Ubuntu:
  Fix Released

Bug description:
  $ apt-get update
  0% [Working]
    Seccomp prevented execution of syscall 78 on architecture amd64 

  Reading package lists... Done
  E: Method mirror has died unexpectedly!
  E: Sub-process mirror returned an error code (31)

  ProblemType: Bug
  DistroRelease: Ubuntu 18.04
  Package: apt 1.6~alpha5
  ProcVersionSignature: Ubuntu 4.13.0-16.19-generic 4.13.4
  Uname: Linux 4.13.0-16-generic x86_64
  NonfreeKernelModules: zfs zunicode zavl zcommon znvpair
  ApportVersion: 2.20.7-0ubuntu4
  Architecture: amd64
  Date: Mon Nov 13 23:10:57 2017
  ProcEnviron:
   LANGUAGE=en_US:en
   TERM=xterm
   PATH=(custom, no user)
   LANG=en_US.UTF-8
   SHELL=/bin/zsh
  SourcePackage: apt
  UpgradeStatus: Upgraded to bionic on 2017-05-20 (177 days ago)



[Touch-packages] [Bug 1679704] Re: libvirt profile is blocking global setrlimit despite having no rlimit rule

2018-04-03 Thread ChristianEhrhardt
We have another hit of this by memory hot plug (when locked I assume).
I asked the reporters to chime in here.

But even for the former case we had given the time we wait already I want to 
bump the prio.
This is really important to some use cases.

** Changed in: apparmor (Ubuntu)
   Importance: High => Critical

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1679704

Title:
  libvirt profile is blocking global setrlimit despite having no rlimit
  rule

Status in apparmor package in Ubuntu:
  In Progress

Bug description:
  Hi,
  while debugging bug 1678322 I was running along apparmor issues.
  Thanks to jjohansen we debugged some of it and eventually I was asked to 
report to a bug.

  Symptom:
  [ 8976.950635] audit: type=1400 audit(1491310016.224:48): apparmor="DENIED" 
operation="setrlimit" profile="/usr/sbin/libvirtd" pid=10034 comm="libvirtd" 
rlimit=memlock value=1610612736

  But none of the profiles has any rlimit statement in it:
  $ grep -Hirn limit /etc/apparmor*
  /etc/apparmor.d/sbin.dhclient:58:  # such, if the dhclient3 daemon is 
subverted, this effectively limits it to
  /etc/apparmor.d/abstractions/ubuntu-helpers:16:# Limitations:
  /etc/apparmor.d/abstractions/ubuntu-helpers:64:  # in limited libraries so 
glibc's secure execution should be enough to not
  /etc/apparmor.d/cache/.features:13:rlimit {mask {cpu fsize data stack core 
rss nproc nofile memlock as locks sigpending msgqueue nice rtprio rttime

  
  The profile contains a child profile which makes reading the dumps a bit 
painful, but I'll attach them anyway for you to take a look.
  To "recreate" if needed check out bug 1678322 - TL;DR hot-add some VFs via 
libvirt.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1679704/+subscriptions



[Touch-packages] [Bug 1758841] Re: virt-manager: Light grey menu items on light grey background are barely readable

2018-04-03 Thread ChristianEhrhardt
Setting virt-manager low, until we have a reason to assume that a fix in it
would be better than a fix in the Theme (that would also fix anything
else that is affected).

This is too deep in /usr/share/themes/Ambiance for me to spot all the
right and wrong entries.

And sorry, the theme I meant obviously is Ambiance (with an a).

Since this is part of ubuntu-themes and a task already is filed against
that we can wait for the Desktop/Theme folks to comment.

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to ubuntu-themes in Ubuntu.
https://bugs.launchpad.net/bugs/1758841

Title:
  virt-manager: Light grey menu items on light grey background are
  barely readable

Status in Ubuntu theme:
  New
Status in ubuntu-themes package in Ubuntu:
  New
Status in virt-manager package in Ubuntu:
  Confirmed

Bug description:
  With latest update of ubuntu-theme (16.10+18.04.20180322.3-0ubuntu1) menu 
items in the toolbar are barely readable (cf screenshot)
  Background should be dark. virt-manager is the only application I found with 
this issue so far.

  ProblemType: Bug
  DistroRelease: Ubuntu 18.04
  Package: virt-manager 1:1.5.0-0ubuntu1
  ProcVersionSignature: Ubuntu 4.15.0-12.13-generic 4.15.7
  Uname: Linux 4.15.0-12-generic x86_64
  ApportVersion: 2.20.8-0ubuntu10
  Architecture: amd64
  CurrentDesktop: ubuntu:GNOME
  Date: Mon Mar 26 09:50:17 2018
  InstallationDate: Installed on 2014-07-15 (1349 days ago)
  InstallationMedia: Ubuntu 14.10 "Utopic Unicorn" - Alpha amd64 (20140520)
  PackageArchitecture: all
  SourcePackage: virt-manager
  UpgradeStatus: Upgraded to bionic on 2018-03-24 (1 days ago)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu-themes/+bug/1758841/+subscriptions



[Touch-packages] [Bug 1758841] Re: virt-manager: Light grey menu items on light grey background are barely readable

2018-04-03 Thread ChristianEhrhardt
At least I can confirm the issue with a KVM install of
http://cdimage.ubuntu.com/daily-live/current/bionic-desktop-amd64.iso

Tried virt-manager in there, and see the reported readability issue.

But I installed gnome-tweaks and ALL themes except ambience work just fine.
So the default of Adwaita, good, any as I said all else good.

For I'd much more consider it an issue in the latest "Ambience" Theme than 
virt-manager.
It might use a more uncommon thing, but since all others work it should be the 
theme right?

** Changed in: virt-manager (Ubuntu)
   Status: New => Confirmed

** Changed in: virt-manager (Ubuntu)
   Importance: Medium => Low

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to ubuntu-themes in Ubuntu.
https://bugs.launchpad.net/bugs/1758841

Title:
  virt-manager: Light grey menu items on light grey background are
  barely readable

Status in Ubuntu theme:
  New
Status in ubuntu-themes package in Ubuntu:
  New
Status in virt-manager package in Ubuntu:
  Confirmed



[Touch-packages] [Bug 1732030] Re: 'apt update' dies with seccomp error

2018-04-03 Thread ChristianEhrhardt
The actual seccomp fail is important.
Eventually it is a sandbox and we want to add exceptions after we know it has a 
valid use case.
As the above libvirt nss case which we added.

Trying the ppa you mentioned I can run just fine - so something is
special in your setup.

Please the exact details are important to Julian - see comment #17 - if
it is the same you could also try the suggested workaround via config in
comment #19.

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apt in Ubuntu.
https://bugs.launchpad.net/bugs/1732030

Title:
  'apt update' dies with seccomp error

Status in apt package in Ubuntu:
  Confirmed
Status in libvirt package in Ubuntu:
  Fix Released



[Touch-packages] [Bug 1758841] Re: virt-manager: Light grey menu items on light grey background are barely readable

2018-04-03 Thread ChristianEhrhardt
I (for virt-manager) am not GTKxperienced enough to even know what to try :-/
If I understand you correctly it is picking up the change to the font color but 
not the background color - is that right?

virt-manager mostly uses gir from "Source: gtk+3.0" for display.
But that should be working.

If there are experienced desktop tips what should be tried please let me
know.

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to ubuntu-themes in Ubuntu.
https://bugs.launchpad.net/bugs/1758841

Title:
  virt-manager: Light grey menu items on light grey background are
  barely readable

Status in Ubuntu theme:
  New
Status in ubuntu-themes package in Ubuntu:
  New
Status in virt-manager package in Ubuntu:
  New



[Touch-packages] [Bug 1718227] Re: replacement of ifupdown with netplan needs integration for /etc/network/if{up, down}.d scripts

2018-03-22 Thread ChristianEhrhardt
Any update on the integration of networkd-dispatcher or a similar
technology to allow the dependent packages to use that?

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to ntp in Ubuntu.
https://bugs.launchpad.net/bugs/1718227

Title:
  replacement of ifupdown with netplan needs integration for
  /etc/network/if{up,down}.d scripts

Status in aiccu package in Ubuntu:
  Invalid
Status in aoetools package in Ubuntu:
  New
Status in avahi package in Ubuntu:
  New
Status in bind9 package in Ubuntu:
  New
Status in chrony package in Ubuntu:
  Confirmed
Status in clamav package in Ubuntu:
  New
Status in controlaula package in Ubuntu:
  New
Status in epoptes package in Ubuntu:
  New
Status in ethtool package in Ubuntu:
  New
Status in guidedog package in Ubuntu:
  New
Status in htpdate package in Ubuntu:
  New
Status in ifenslave package in Ubuntu:
  New
Status in ifmetric package in Ubuntu:
  New
Status in ifupdown-multi package in Ubuntu:
  New
Status in ifupdown-scripts-zg2 package in Ubuntu:
  New
Status in isatapd package in Ubuntu:
  New
Status in lprng package in Ubuntu:
  New
Status in miredo package in Ubuntu:
  New
Status in mythtv package in Ubuntu:
  New
Status in nplan package in Ubuntu:
  New
Status in nss-pam-ldapd package in Ubuntu:
  New
Status in ntp package in Ubuntu:
  New
Status in openntpd package in Ubuntu:
  New
Status in openresolv package in Ubuntu:
  New
Status in openssh package in Ubuntu:
  New
Status in openvpn package in Ubuntu:
  New
Status in postfix package in Ubuntu:
  New
Status in quicktun package in Ubuntu:
  New
Status in resolvconf package in Ubuntu:
  New
Status in sendmail package in Ubuntu:
  New
Status in shorewall-init package in Ubuntu:
  New
Status in sidedoor package in Ubuntu:
  New
Status in slrn package in Ubuntu:
  New
Status in tinc package in Ubuntu:
  New
Status in ubuntu-fan package in Ubuntu:
  Fix Committed
Status in ucarp package in Ubuntu:
  New
Status in uml-utilities package in Ubuntu:
  New
Status in uruk package in Ubuntu:
  New
Status in vlan package in Ubuntu:
  New
Status in vzctl package in Ubuntu:
  New
Status in wide-dhcpv6 package in Ubuntu:
  New
Status in wpa package in Ubuntu:
  New

Bug description:
  when network is configured with ifupdown, scripts in
  /etc/network/ifup.d/ were called on network being brought up and
  /etc/network/ifdown.d were called on network being brought down.

  Any packages that shipped these hooks need to be verified to have the
  same functionality under a netplan configured system.

  # binpkgs=$(apt-file search /etc/network/if-up | sed 's,: .*,,' | sort -u)
  # for i in $binpkgs; do
src=$(apt-cache show $i | awk '$1 == "Source:" { print $2; exit(0); }');
[ -z "$src" ] && src="$i"; echo $src; done | sort -u

  aiccu
  aoetools
  avahi
  bind9
  chrony
  clamav
  controlaula
  epoptes
  ethtool
  guidedog
  htpdate
  ifenslave
  ifmetric
  ifupdown-extra
  ifupdown-multi
  ifupdown-scripts-zg2
  isatapd
  lprng
  miredo
  mythtv-backend
  nss-pam-ldapd
  ntp
  openntpd
  openresolv
  openssh
  openvpn
  postfix
  quicktun
  resolvconf
  sendmail
  shorewall-init
  sidedoor
  slrn
  tinc
  ubuntu-fan
  ucarp
  uml-utilities
  uruk
  vlan
  vzctl
  wide-dhcpv6
  wpa

  
  Related bugs:
   * bug 1718227: replacement of ifupdown with netplan needs integration for 
/etc/network/if{up,down}.d scripts 
   * bug 1713803: replacement of resolvconf with systemd needs integration 
   * bug 1717983: replacement of isc-dhcp-client with with systemd-networkd for 
dhclient needs integration

  
  ProblemType: Bug
  DistroRelease: Ubuntu 17.10
  Package: netplan (not installed)
  ProcVersionSignature: Ubuntu 4.12.0-11.12-generic 4.12.5
  Uname: Linux 4.12.0-11-generic x86_64
  NonfreeKernelModules: zfs zunicode zavl zcommon znvpair
  ApportVersion: 2.20.7-0ubuntu1
  Architecture: amd64
  CurrentDesktop: GNOME
  Date: Tue Sep 19 10:53:08 2017
  EcryptfsInUse: Yes
  InstallationDate: Installed on 2015-07-23 (789 days ago)
  InstallationMedia: Ubuntu 15.10 "Wily Werewolf" - Alpha amd64 (20150722.1)
  ProcEnviron:
   TERM=xterm-256color
   PATH=(custom, no user)
   XDG_RUNTIME_DIR=
   LANG=en_US.UTF-8
   SHELL=/bin/bash
  SourcePackage: plan
  UpgradeStatus: No upgrade log present (probably fresh install)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/aiccu/+bug/1718227/+subscriptions



[Touch-packages] [Bug 1756846] Re: bridge-utils incompatible with ifupdown on bionic

2018-03-22 Thread ChristianEhrhardt
I was looking at the test fail in proposed migration.

I realized it fails on ppc64 since 14th August 2017 (and since then it
always fails, confirmed by a retry and [1] - even in Artful it fails
since then).

It unfortunately fails without any message.

I found in hints-ubuntu/vorlon
# regressed in release; maybe related to resolved/netplan.  
 
force-badtest ifupdown/0.8.16ubuntu2/ppc64el

I tried to recreate that in a VM on ppc.
1. installing ifupdown gives a valid /e/n/i to run the test
2. Test exec reproduces the issue we see in CI
   Verbose log
+ IFACE=sdtest42
+ [ -e /sys/class/net/sdtest42 ]
+ grep -q source-directory .*interfaces.d /etc/network/interfaces
+ grep -q source .*interfaces.d.*cfg /etc/network/interfaces
+ IFACE_CFG=/etc/network/interfaces.d/sdtest42.cfg
+ cat
+ ip link add name sdtest42 type veth peer name vsdtest42
+ trap ip link del dev sdtest42; rm /etc/network/interfaces.d/sdtest42.cfg EXIT 
INT QUIT PIPE
+ sleep 3
+ ifquery --state sdtest42
+ ip link del dev sdtest42
+ rm /etc/network/interfaces.d/sdtest42.cfg

That means the ifquery fails, and the set -e triggers the trap
=> No message, but RC=1


Comparing x86/ppc on this in detail
1. VM fresh from cloud image (20180321)
   => no /etc/network/interfaces

2. installed (current) ifupdown
   $ cat /etc/network/interfaces
   # interfaces(5) file used by ifup(8) and ifdown(8)
   # Include files from /etc/network/interfaces.d:
   source-directory /etc/network/interfaces.d

3. purged ifupdown
   leaves e/n/i

4. reinstall from proposed
   still the same e/n/i
=> Until here all is fine, and if installing ifupdown (on a fresh system) drops 
/e/n/i that explains why no test goes to the SKIP condition.

5. Set up prep steps as the test does
IFACE_CFG=/etc/network/interfaces.d/sdtest42.cfg
IFACE=sdtest42
cat <<EOF > $IFACE_CFG
allow-hotplug $IFACE
iface $IFACE inet static
address 192.168.234.129
netmask 255.255.255.0
EOF
=> check status (before adding dev via IP)
$ systemctl status -l ifup@sdtest42.service; ifquery -l --allow=hotplug; 
ifquery sdtest42;
● ifup@sdtest42.service - ifup for sdtest42
   Loaded: loaded (/lib/systemd/system/ifup@.service; static; vendor preset: 
enabled)
   Active: inactive (dead)
Unknown interface sdtest42
# The same on x86 and ppc64

6. add dev (comment says: these should trigger uevents and ifup@.service)
$ ip link add name $IFACE type veth peer name v$IFACE
Check status again shows it is still as dead as before.
# systemctl status -l ifup@sdtest42.service; ifquery -l --allow=hotplug; 
ifquery sdtest42;
● ifup@sdtest42.service - ifup for sdtest42
   Loaded: loaded (/lib/systemd/system/ifup@.service; static; vendor preset: 
enabled)
   Active: inactive (dead)
Unknown interface sdtest42

The device itself is there after the add
$ ll /sys/class/net/sdtest42
lrwxrwxrwx 1 root root 0 Mär 22 07:20 /sys/class/net/sdtest42 -> 
../../devices/virtual/net/sdtest42/

ifquery does not find the device config (here as it should look like on xenial):
$ ifquery sdtest42
address: 192.168.234.129
netmask: 255.255.255.0
broadcast: 192.168.234.255


7. I tried to fix via enabling old style networking
$ systemctl disable systemd-networkd.socket
$ systemctl stop systemd-networkd
$ systemctl restart networking

But it is still behaving the same.
It should fail on all architecture targets just the same.

Currently I assume that the non-x86 CI-test targets have some setup done to let 
them behave more like they did in the past.
I can't see it yet in my clean test environment, so no fix for today.

Instead for now let's bump the test hint (and add a bugno to this one so that 
the next taking a look has this pre-check available).
MP with that change available at [2].

[1]: http://autopkgtest.ubuntu.com/packages/ifupdown/bionic/ppc64el
[2]: 
https://code.launchpad.net/~paelzer/britney/hints-ubuntu-ifupdown-18.04/+merge/341883

** Branch linked: lp:~paelzer/britney/hints-ubuntu-ifupdown-18.04

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to ifupdown in Ubuntu.
https://bugs.launchpad.net/bugs/1756846

Title:
  bridge-utils incompatible with ifupdown on bionic

Status in ifupdown package in Ubuntu:
  Fix Committed

Bug description:
  $ apt-cache policy ifupdown bridge-utils
  ifupdown:
Installed: (none)
Candidate: 0.8.16ubuntu2
Version table:
   0.8.16ubuntu2 500
  500 http://gb.archive.ubuntu.com/ubuntu bionic/main amd64 Packages
  100 /var/lib/dpkg/status
  bridge-utils:
Installed: 1.5-15ubuntu1
Candidate: 1.5-15ubuntu1
Version table:
   *** 1.5-15ubuntu1 500
  500 http://gb.archive.ubuntu.com/ubuntu bionic/main amd64 Packages
  100 /var/lib/dpkg/status

  $ sudo apt-get install ifupdown
  Reading package lists... Done
  Building dependency tree   
  Reading state information... Done
  Suggested packages:
rdnssd
  The following packages will be REMOVED
bridge-utils
  The 

[Touch-packages] [Bug 1756846] Re: bridge-utils incompatible with ifupdown on bionic

2018-03-21 Thread ChristianEhrhardt
Yes andreas, this is the issue I mentioned on IRC.
AFAIK I think foundations is on that.

I'm subscribing the few that I've seen mentioning it for awareness.
So that they can dup it if they have another bug for that already.

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to bridge-utils in Ubuntu.
https://bugs.launchpad.net/bugs/1756846

Title:
  bridge-utils incompatible with ifupdown on bionic

Status in bridge-utils package in Ubuntu:
  Confirmed

Bug description:
  $ apt-cache policy ifupdown bridge-utils
  ifupdown:
Installed: (none)
Candidate: 0.8.16ubuntu2
Version table:
   0.8.16ubuntu2 500
  500 http://gb.archive.ubuntu.com/ubuntu bionic/main amd64 Packages
  100 /var/lib/dpkg/status
  bridge-utils:
Installed: 1.5-15ubuntu1
Candidate: 1.5-15ubuntu1
Version table:
   *** 1.5-15ubuntu1 500
  500 http://gb.archive.ubuntu.com/ubuntu bionic/main amd64 Packages
  100 /var/lib/dpkg/status

  $ sudo apt-get install ifupdown
  Reading package lists... Done
  Building dependency tree   
  Reading state information... Done
  Suggested packages:
rdnssd
  The following packages will be REMOVED
bridge-utils
  The following NEW packages will be installed
ifupdown
  0 to upgrade, 1 to newly install, 1 to remove and 0 not to upgrade.
  Need to get 55.2 kB of archives.
  After this operation, 119 kB of additional disk space will be used.
  Do you want to continue? [Y/n] y
  Get:1 http://gb.archive.ubuntu.com/ubuntu bionic/main amd64 ifupdown amd64 
0.8.16ubuntu2 [55.2 kB]
  Fetched 55.2 kB in 0s (1,280 kB/s)  
  (Reading database ... 251311 files and directories currently installed.)
  Removing bridge-utils (1.5-15ubuntu1) ...
  Selecting previously unselected package ifupdown.
  (Reading database ... 251286 files and directories currently installed.)
  Preparing to unpack .../ifupdown_0.8.16ubuntu2_amd64.deb ...
  Unpacking ifupdown (0.8.16ubuntu2) ...
  Setting up ifupdown (0.8.16ubuntu2) ...
  Processing triggers for ureadahead (0.100.0-20) ...
  ureadahead will be reprofiled on next reboot
  Processing triggers for systemd (237-3ubuntu4) ...
  Processing triggers for man-db (2.8.2-1) ...

  $ sudo apt-get install bridge-utils
  Reading package lists... Done
  Building dependency tree   
  Reading state information... Done
  Suggested packages:
ifupdown
  The following packages will be REMOVED
ifupdown
  The following NEW packages will be installed
bridge-utils
  0 to upgrade, 1 to newly install, 1 to remove and 0 not to upgrade.
  Need to get 0 B/30.1 kB of archives.
  After this operation, 119 kB disk space will be freed.
  Do you want to continue? [Y/n] y
  (Reading database ... 251318 files and directories currently installed.)
  Removing ifupdown (0.8.16ubuntu2) ...
  Selecting previously unselected package bridge-utils.
  (Reading database ... 251286 files and directories currently installed.)
  Preparing to unpack .../bridge-utils_1.5-15ubuntu1_amd64.deb ...
  Unpacking bridge-utils (1.5-15ubuntu1) ...
  Setting up bridge-utils (1.5-15ubuntu1) ...
  Processing triggers for man-db (2.8.2-1) ...

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/bridge-utils/+bug/1756846/+subscriptions



[Touch-packages] [Bug 1756987] Re: chrony install does not stop systemd-timesyncd

2018-03-21 Thread ChristianEhrhardt
The way the newer versions solve this is to have a native systemd
service and in there there is:

Conflicts=systemd-timesyncd.service openntpd.service

That ensures only one of these can be started.

Xenial has no systemd service at all, it has sysV and uses the systemd 
generator.
So there is no "just add the line" fix available.

Xenial as-is
$ timedatectl status
 Network time on: yes
NTP synchronized: yes
 RTC in local TZ: no
systemctl status systemd-timesyncd.service
● systemd-timesyncd.service - Network Time Synchronization
   Loaded: loaded (/lib/systemd/system/systemd-timesyncd.service; enabled; 
vendor preset: enabled)
  Drop-In: /lib/systemd/system/systemd-timesyncd.service.d
   └─disable-with-time-daemon.conf
   Active: active (running) since Wed 2018-03-21 16:00:19 UTC; 1min 30s ago

This isn't even fully protected if you install ntp (not chrony) as it
was the ntp server back in Xenial. (Right after install it still runs).

What stops it there for NTPd is that this uses a config dir which pulls in:
  /lib/systemd/system/systemd-timesyncd.service.d/disable-with-time-daemon.conf

So any further starts will be blocked:
# don't run timesyncd if we have another NTP daemon installed
ConditionFileIsExecutable=!/usr/sbin/ntpd
ConditionFileIsExecutable=!/usr/sbin/openntpd
ConditionFileIsExecutable=!/usr/sbin/chronyd
ConditionFileIsExecutable=!/usr/sbin/VBoxService

You see that if you check systemd-timesyncd.service:
$ systemctl status systemd-timesyncd.service
● systemd-timesyncd.service - Network Time Synchronization
   Loaded: loaded (/lib/systemd/system/systemd-timesyncd.service; enabled; 
vendor preset: enabled)
  Drop-In: /lib/systemd/system/systemd-timesyncd.service.d
   └─disable-with-time-daemon.conf
   Active: inactive (dead)
Condition: start condition failed at Wed 2018-03-21 16:06:42 UTC; 44s ago
   ConditionFileIsExecutable=!/usr/sbin/ntpd was not met

After installing Chrony this is the same:

Condition: start condition failed at Wed 2018-03-21 16:11:37 UTC; 1s ago
   ConditionFileIsExecutable=!/usr/sbin/chronyd was not met

That is good (no special issue to chrony) and bad (actually all
timeservers "collide" right after install).

A reboot or restart will pick that up.
OTOH it is discouraged to start/stop/restart other packages services from a 
postinst - as the first thought would be to do refresh for that condition after 
installing any of these.

Given that there was not a single complaint about it in 2 years of
Xenial other than us now looking for it in detail I'd rate it low, but
it is a valid issue.

** Also affects: ntp (Ubuntu)
   Importance: Undecided
   Status: New

** Also affects: openntpd (Ubuntu)
   Importance: Undecided
   Status: New

** Changed in: ntp (Ubuntu Xenial)
   Status: New => Confirmed

** Changed in: ntp (Ubuntu Xenial)
   Importance: Undecided => Low

** Changed in: chrony (Ubuntu Bionic)
   Importance: Undecided => Low

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to ntp in Ubuntu.
https://bugs.launchpad.net/bugs/1756987
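The start-condition mechanism from the comment above, as an added example (not systemd's or this bug's code): a small Python evaluator that applies the drop-in's ConditionFileIsExecutable= lines against a directory tree, following systemd's `!` (negate) and `|` (trigger) prefixes and the empty-assignment reset. The `[Unit]` header, the `simulate()` helper and the fake daemon binaries it creates are constructed for the demonstration.

```python
import os
import tempfile

# Content of the drop-in quoted in the comment above
# (/lib/systemd/system/systemd-timesyncd.service.d/disable-with-time-daemon.conf),
# used here as constructed input; the [Unit] header is assumed.
DISABLE_WITH_TIME_DAEMON = """\
[Unit]
# don't run timesyncd if we have another NTP daemon installed
ConditionFileIsExecutable=!/usr/sbin/ntpd
ConditionFileIsExecutable=!/usr/sbin/openntpd
ConditionFileIsExecutable=!/usr/sbin/chronyd
ConditionFileIsExecutable=!/usr/sbin/VBoxService
"""


def parse_conditions(unit_text):
    """Collect ConditionFileIsExecutable= assignments as (trigger, negate, path).

    Follows systemd's rules: an empty assignment resets the list so far,
    a leading '|' marks a triggering condition and a leading '!' negates.
    """
    conds = []
    for raw in unit_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;[":
            continue
        key, sep, value = line.partition("=")
        if not sep or key.strip() != "ConditionFileIsExecutable":
            continue
        value = value.strip()
        if value == "":
            conds = []
            continue
        trigger = value.startswith("|")
        if trigger:
            value = value[1:]
        negate = value.startswith("!")
        if negate:
            value = value[1:]
        conds.append((trigger, negate, value))
    return conds


def file_is_executable(path, root="/"):
    """ConditionFileIsExecutable semantics: a regular file with execute permission."""
    full = os.path.join(root, path.lstrip("/"))
    return os.path.isfile(full) and os.access(full, os.X_OK)


def may_start(unit_text, root="/"):
    """Return (allowed, failed_conditions) the way systemd decides at *start* time.

    All plain conditions must hold; if any triggering ('|') conditions exist,
    at least one of them must hold.  Nothing here stops a unit that is already
    running, which is exactly the "collision right after install" in the comment.
    """
    failed, triggers = [], []
    for trigger, negate, path in parse_conditions(unit_text):
        met = file_is_executable(path, root) != negate   # XOR with the negation
        spec = "ConditionFileIsExecutable=%s%s%s" % (
            "|" if trigger else "", "!" if negate else "", path)
        if trigger:
            triggers.append(met)
        elif not met:
            failed.append(spec)
    if failed:
        return False, failed
    if triggers and not any(triggers):
        return False, ["no triggering condition met"]
    return True, []


def simulate(installed_daemons, unit_text=DISABLE_WITH_TIME_DAEMON):
    """Evaluate the drop-in against a throwaway root holding fake daemon binaries."""
    with tempfile.TemporaryDirectory() as root:
        for path in installed_daemons:
            full = os.path.join(root, path.lstrip("/"))
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "w") as fh:
                fh.write("#!/bin/sh\nexit 0\n")   # placeholder, never executed
            os.chmod(full, 0o755)
        return may_start(unit_text, root)


if __name__ == "__main__":
    print(simulate([]))                     # (True, [])
    print(simulate(["/usr/sbin/chronyd"]))  # (False, ['ConditionFileIsExecutable=!/usr/sbin/chronyd'])
```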

Title:
  chrony install does not stop systemd-timesyncd

Status in chrony package in Ubuntu:
  Fix Released
Status in ntp package in Ubuntu:
  New
Status in openntpd package in Ubuntu:
  New
Status in chrony source package in Xenial:
  New
Status in ntp source package in Xenial:
  Confirmed
Status in openntpd source package in Xenial:
  New
Status in chrony source package in Artful:
  New
Status in ntp source package in Artful:
  New
Status in openntpd source package in Artful:
  New
Status in chrony source package in Bionic:
  Fix Released
Status in ntp source package in Bionic:
  New
Status in openntpd source package in Bionic:
  New

Bug description:
  1.
  root@ubuntu:~# lsb_release -rd
  Description:  Ubuntu 16.04.4 LTS
  Release:  16.04

  root@ubuntu:~# uname -a
  Linux ubuntu 4.4.0-116-generic #140-Ubuntu SMP Mon Feb 12 21:23:04 UTC 2018 
x86_64 x86_64 x86_64 GNU/Linux

  2. 
  root@ubuntu:~# apt-cache policy systemd
  systemd:
Installed: 229-4ubuntu21.1
Candidate: 229-4ubuntu21.1
Version table:
   *** 229-4ubuntu21.1 500
  500 http://archive.ubuntu.com/ubuntu xenial-updates/main amd64 
Packages
  500 http://security.ubuntu.com/ubuntu xenial-security/main amd64 
Packages
  100 /var/lib/dpkg/status
   229-4ubuntu4 500
  500 http://archive.ubuntu.com/ubuntu xenial/main amd64 Packages
  root@ubuntu:~# apt-cache policy chrony
  chrony:
Installed: 2.1.1-1
Candidate: 2.1.1-1
Version table:
   *** 2.1.1-1 500
  500 http://archive.ubuntu.com/ubuntu xenial/universe amd64 Packages
  100 /var/lib/dpkg/status

  3. installing chrony should stop systemd-timesyncd so they both don't
  try to adjust time

  4. after chrony is installed both systemd-timesyncd and chronyd are
  running.

  root@ubuntu:~# ps aux | egrep "(chrony|timesync)"
  systemd+  1086  

[Touch-packages] [Bug 1750780] Re: Race with local file systems can make open-vm-tools fail to start

2018-03-21 Thread ChristianEhrhardt
Note: When we do the Xenial backport of the new version of open-vm-tools
(which we plan to do) this becomes an issue. In the same upload I intend
to fix it right away, so it should never effectively exist in the field
(keep invalid, but there might be a fix-released update to open-vm-tools
here at some point).

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to systemd in Ubuntu.
https://bugs.launchpad.net/bugs/1750780

Title:
  Race with local file systems can make open-vm-tools fail to start

Status in cloud-init:
  Invalid
Status in open-vm-tools package in Ubuntu:
  Fix Released
Status in systemd package in Ubuntu:
  Fix Released
Status in open-vm-tools source package in Xenial:
  Invalid
Status in systemd source package in Xenial:
  New
Status in open-vm-tools package in Debian:
  Fix Released

Bug description:
  Since the change in [1] open-vm-tools-service starts very (very) early.
  Not so much due to the 
  Before=cloud-init-local.service
  But much more by
  DefaultDependencies=no

  That can trigger an issue that looks like
  root@ubuntuguest:~# systemctl status -l open-vm-tools.service
  ● open-vm-tools.service - Service for virtual machines hosted on VMware
 Loaded: loaded (/lib/systemd/system/open-vm-tools.service; enabled; vendor 
preset: enabled)
 Active: failed (Result: resources)

  
  As it is right now open-vm-tools can race with the other early start and then 
fail.
  In detail one can find a message like:
open-vm-tools.service: Failed to run 'start' task: Read-only file system"

  This is due to PrivateTmp=yes which is also set needing a writable
  /var/tmp [2]

  To ensure this works PrivateTmp would have to be removed (not good) or some 
after dependencies added that make this work reliably.
  I added
  After=local-fs.target
  which made it work for me in 3/3 tests.

  I'd like to have an ack by the cloud-init team that this does not totally kill 
the originally intended Before=cloud-init-local.service.
  I think it does not, as local-fs can complete before cloud-init-local, then 
open-vm-tools can initialize and finally cloud-init-local can pick up the data.

  To summarize:
  # cloud-init-local #
  DefaultDependencies=no
  Wants=network-pre.target
  After=systemd-remount-fs.service
  Before=NetworkManager.service
  Before=network-pre.target
  Before=shutdown.target
  Before=sysinit.target
  Conflicts=shutdown.target
  RequiresMountsFor=/var/lib/cloud

  # open-vm-tools #
  DefaultDependencies=no
  Before=cloud-init-local.service

  Proposed is to add to the latter:
  After=local-fs.target

  [1]: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=859677
  [2]: https://github.com/systemd/systemd/issues/5610

To manage notifications about this bug go to:
https://bugs.launchpad.net/cloud-init/+bug/1750780/+subscriptions

-- 
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp
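The ordering rule the thread arrives at (a unit that opts out of default dependencies and uses PrivateTmp= must itself order after the local file systems) is easy to check mechanically. The following is an added example, not code from open-vm-tools, cloud-init or systemd: a small Python lint that parses unit-file text and flags DefaultDependencies=no together with PrivateTmp=yes when no After= on local-fs.target or systemd-tmpfiles-setup.service is present. The sample units are built from the fragments quoted in the bug; the flag modelling the implicit tmpfiles ordering, the function names and the parser are assumptions of the example.

```python
"""Lint a systemd unit for the early-start / PrivateTmp ordering race.

Added example for the open-vm-tools bug above; not code from open-vm-tools,
cloud-init or systemd.  Rule: a unit with DefaultDependencies=no and
PrivateTmp=yes needs an explicit ordering behind the local file systems, or
its private /tmp and /var/tmp get set up while root is still read-only
("Failed to run 'start' task: Read-only file system").
"""
import re

# Orderings the thread shows as sufficient: the explicit Xenial fix
# (After=local-fs.target) and the dependency PrivateTmp=yes implicitly gets on
# systemd-tmpfiles-setup.service in the Bionic critical chain.
SUFFICIENT_AFTER = ("local-fs.target", "systemd-tmpfiles-setup.service")

# Constructed from the fragments quoted in the bug: the shipped ordering, the
# proposed fix, and the minimal reproducer from the later comment.
OPEN_VM_TOOLS_FRAGMENT = """
[Unit]
DefaultDependencies=no
Before=cloud-init-local.service

[Service]
PrivateTmp=yes
"""
OPEN_VM_TOOLS_FIXED = OPEN_VM_TOOLS_FRAGMENT.replace(
    "Before=cloud-init-local.service",
    "Before=cloud-init-local.service\nAfter=local-fs.target")
MINIMAL_REPRODUCER = """
[Unit]
Description=foo
DefaultDependencies=no

[Service]
PrivateTmp=yes
ExecStart=/bin/true

[Install]
WantedBy=multi-user.target
"""


def parse_unit(text):
    """Parse unit-file text into {section: {key: [values, ...]}}.

    Repeated keys accumulate (systemd list semantics); an empty assignment
    such as "After=" resets the list.  '#' and ';' start comment lines.
    """
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            current = sections.setdefault(header.group(1), {})
            continue
        if current is None or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if value == "":
            current[key] = []
        else:
            current.setdefault(key, []).append(value)
    return sections


def unit_bool(values, default=False):
    """Last assignment wins, spelled the way systemd accepts booleans."""
    if not values:
        return default
    return values[-1].lower() in ("1", "yes", "true", "on")


def space_list(values):
    """Flatten repeated space-separated list settings (After=, Before=, ...)."""
    return [item for value in values for item in value.split()]


def lint_ordering(text, privatetmp_implies_tmpfiles_order=False):
    """Return a list of findings; empty means the unit is ordered safely.

    privatetmp_implies_tmpfiles_order=True models a systemd that already adds
    After=systemd-tmpfiles-setup.service for PrivateTmp=yes (Bionic in the
    thread); False models Xenial, where the unit must order itself.
    """
    unit = parse_unit(text)
    u, s = unit.get("Unit", {}), unit.get("Service", {})
    # With default dependencies the service is ordered after sysinit.target,
    # which itself comes after local-fs.target, so there is nothing to check.
    if unit_bool(u.get("DefaultDependencies"), default=True):
        return []
    if not unit_bool(s.get("PrivateTmp")):
        return []   # no private /tmp and /var/tmp to populate early
    if privatetmp_implies_tmpfiles_order:
        return []
    after = space_list(u.get("After", []))
    if any(dep in after for dep in SUFFICIENT_AFTER):
        return []
    return ["DefaultDependencies=no with PrivateTmp=yes but no After= on "
            + " or ".join(SUFFICIENT_AFTER)
            + "; add After=local-fs.target rather than dropping PrivateTmp"]
```

Run it over `/lib/systemd/system/*.service` and any drop-ins to find other early-start units that sandbox /tmp; the lint deliberately keeps PrivateTmp= and asks for the ordering instead, because removing the private /tmp is the option the bug calls "not good".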


[Touch-packages] [Bug 1756031] Re: openssh-server doesn't accept aes256-cbc key

2018-03-16 Thread ChristianEhrhardt
AFAIK build time:
  sshkey.h:49:#define SSH_RSA_MINIMUM_MODULUS_SIZE 1024

And those short keys are really considered insecure, which is the reason
they went from deprecated to no more accepted.

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to openssh in Ubuntu.
https://bugs.launchpad.net/bugs/1756031

Title:
  openssh-server doesn't accept aes256-cbc key

Status in openssh package in Ubuntu:
  Confirmed

Bug description:
  I am using putty connection with RSA key cached in pageant and want to
  login without password.

  Private key on windows:
  PuTTY-User-Key-File-2: ssh-rsa
  Encryption: aes256-cbc
  ...

  On ubuntu there is public key in .ssh/authorized_keys
  ssh-rsa B3Nz...JBjQ== palo@winpgnotas

  This key works well in ubuntu versions 14.04...17.10
  When I tried 18.04 beta, I am getting sshd error:
  mar 15 10:26:21 ubox sshd[5205]: error: userauth_pubkey: could not parse key: Invalid key length [preauth]
  and I have to provide password.

  I've found that aes256-cbc is not in the list of allowed ciphers by default, 
so I added
  Ciphers +aes256-cbc
  to /etc/ssh/sshd_config
  (and verified with nmap --script ssh2-enum-algos -sV -p 22 127.0.0.1)
  but the sshd error remains.

  ProblemType: Bug
  DistroRelease: Ubuntu 18.04
  Package: openssh-server 1:7.6p1-4
  ProcVersionSignature: Ubuntu 4.15.0-10.11-generic 4.15.3
  Uname: Linux 4.15.0-10-generic x86_64
  ApportVersion: 2.20.8-0ubuntu10
  Architecture: amd64
  Date: Thu Mar 15 10:03:14 2018
  InstallationDate: Installed on 2018-03-12 (2 days ago)
  InstallationMedia: Xubuntu 18.04 LTS "Bionic Beaver" - Alpha amd64 
(20180306.1)
  SourcePackage: openssh
  UpgradeStatus: No upgrade log present (probably fresh install)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/1756031/+subscriptions

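The reply above points at the build-time minimum: sshd refuses RSA keys whose modulus is shorter than SSH_RSA_MINIMUM_MODULUS_SIZE, and the "Invalid key length" error is that check failing at authentication time, not a cipher mismatch (the "Encryption: aes256-cbc" line in a PuTTY key file describes how the private key is encrypted at rest, and the Ciphers directive in sshd_config only affects the transport). The following added example, not OpenSSH code, parses the ssh-rsa wire format of each authorized_keys entry and reports moduli below that limit so they can be replaced before an upgrade. The sample keys are constructed from synthetic moduli (realistic sizes, not real RSA keys); the function names are the example's own.

```python
"""Check authorized_keys entries against sshd's RSA minimum modulus size.

Added example for the bug above; not code from OpenSSH.  sshd rejects RSA
keys whose modulus is shorter than SSH_RSA_MINIMUM_MODULUS_SIZE (1024 bits in
the sshkey.h line quoted in the reply) with "could not parse key: Invalid key
length".  The sample keys below are constructed from synthetic moduli.
"""
import base64
import struct

SSH_RSA_MINIMUM_MODULUS_SIZE = 1024   # value from sshkey.h as quoted in the thread


def _read_string(blob, offset):
    """Read one RFC 4251 length-prefixed string; return (bytes, new_offset)."""
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    start = offset + 4
    return blob[start:start + length], start + length


def _mpint(value):
    """Encode a non-negative integer as an RFC 4251 mpint (sample construction)."""
    raw = value.to_bytes((value.bit_length() + 7) // 8, "big") or b"\x00"
    if raw[0] & 0x80:
        raw = b"\x00" + raw          # keep the sign bit clear
    return struct.pack(">I", len(raw)) + raw


def _string(data):
    return struct.pack(">I", len(data)) + data


def encode_ssh_rsa(e, n, comment=""):
    """Build an authorized_keys line for (e, n); used only to construct samples."""
    blob = _string(b"ssh-rsa") + _mpint(e) + _mpint(n)
    line = "ssh-rsa " + base64.b64encode(blob).decode("ascii")
    return line + (" " + comment if comment else "")


def rsa_modulus_bits(line):
    """Return the modulus bit length of an 'ssh-rsa AAAA...' line, or None."""
    fields = line.split()
    # authorized_keys lines may carry options first ("from=...,no-pty ssh-rsa ..."),
    # so locate the key type token instead of assuming it is the first field.
    try:
        i = fields.index("ssh-rsa")
        blob = base64.b64decode(fields[i + 1], validate=True)
        ktype, off = _read_string(blob, 0)
        if ktype != b"ssh-rsa":
            return None
        _e, off = _read_string(blob, off)
        n_bytes, _ = _read_string(blob, off)
    except (IndexError, ValueError, struct.error):
        return None
    return int.from_bytes(n_bytes, "big").bit_length()


def short_rsa_keys(authorized_keys_text, minimum=SSH_RSA_MINIMUM_MODULUS_SIZE):
    """Return [(line_number, bits)] for RSA keys sshd would refuse."""
    findings = []
    for lineno, line in enumerate(authorized_keys_text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        bits = rsa_modulus_bits(line)
        if bits is not None and bits < minimum:
            findings.append((lineno, bits))
    return findings


# Constructed sample file: the moduli are just numbers of the stated size.
SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# constructed sample, synthetic moduli, not real keys",
    encode_ssh_rsa(65537, (1 << 767) | 1, "short-768"),
    encode_ssh_rsa(65537, (1 << 1023) | 1, "exactly-1024"),
    encode_ssh_rsa(65537, (1 << 2047) | 1, "ok-2048"),
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGNvbnN0cnVjdGVkc2FtcGxlMDAwMDAw not-rsa",
])
```

On a live host `ssh-keygen -l -f ~/.ssh/authorized_keys` prints the bit length of every key in the file; the script applies the threshold from the thread to exported files so an audit can run across many hosts before the upgrade rather than after the first failed login.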


[Touch-packages] [Bug 1756081] Re: journald is unable to attribute messages incoming from processes that exited their cgroup

2018-03-15 Thread ChristianEhrhardt
On the bright side the messages are in the journal, but not if you use -u to filter.
And if a service looks like this:
  service[123]: good
  service[123]: good
  service[123]: 

People wonder until they look in an unfiltered journal and find the following; 
it takes some time and causes confusion.
  service[123]: good
  service[123]: good
  service[123]: failing because of XYZ
  service[123]: 

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to systemd in Ubuntu.
https://bugs.launchpad.net/bugs/1756081

Title:
  journald is unable to attribute messages incoming from processes that
  exited their cgroup

Status in systemd:
  Unknown
Status in systemd package in Ubuntu:
  New

Bug description:
  This is mostly an FYI and a tracker to link Upstream to Ubuntu.

  Background:
  I wondered why some of my services are missing just the most interesting 
"last" messages before dying.
  Unfortunately I found this is a known race and there seems to be no good fix 
yet.

  But I think this is important, so I wanted to make you aware.
  Especially the last few messages before a service is dying are important.

  If you see any way to fix this in Ubuntu as an interim solution until
  upstream has found "the right thing" to eventually solve it that would
  be great.

  Upstream issue (many dups onto this): 
https://github.com/systemd/systemd/issues/2913
  One approach that was tried (but not accepted): 
https://lwn.net/Articles/580150/

To manage notifications about this bug go to:
https://bugs.launchpad.net/systemd/+bug/1756081/+subscriptions

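The effect described above (the last lines before a service dies are in the journal but missing from journalctl -u) can be worked around after the fact by correlating on the process ID, which journald still records. The following is an added example, not systemd code, and works on entries exported with journalctl -o json: it reproduces what -u shows (the _SYSTEMD_UNIT match), then pulls in entries that lack unit attribution but come from a PID the unit is known to have run, within a short window after that PID's last attributed line. It assumes the orphaned entries arrive without a _SYSTEMD_UNIT field while keeping _PID and _COMM; the journal lines are constructed, and the function names and the window size are the example's own.

```python
"""Recover the last messages of a dying service that journalctl -u hides.

Added example for the journald attribution race above; not systemd code.
Input is the line-per-entry JSON of "journalctl -o json".  Assumption: the
unattributed messages carry no usable _SYSTEMD_UNIT field but still have the
process's _PID and _COMM.  The sample entries are constructed.
"""
import json

# Constructed sample: five lines from PID 123.  The first two are attributed
# to foo.service; the last two arrive after the process left its cgroup, so
# they have no _SYSTEMD_UNIT and "journalctl -u foo.service" omits them.
SAMPLE_JOURNAL_JSON = "\n".join(json.dumps(e) for e in [
    {"__REALTIME_TIMESTAMP": "1521100000000001", "_PID": "123", "_COMM": "service",
     "_SYSTEMD_UNIT": "foo.service", "MESSAGE": "good"},
    {"__REALTIME_TIMESTAMP": "1521100000000002", "_PID": "123", "_COMM": "service",
     "_SYSTEMD_UNIT": "foo.service", "MESSAGE": "good"},
    {"__REALTIME_TIMESTAMP": "1521100000000003", "_PID": "999", "_COMM": "other",
     "_SYSTEMD_UNIT": "bar.service", "MESSAGE": "unrelated"},
    {"__REALTIME_TIMESTAMP": "1521100000000004", "_PID": "123", "_COMM": "service",
     "MESSAGE": "failing because of XYZ"},
    {"__REALTIME_TIMESTAMP": "1521100000000005", "_PID": "123", "_COMM": "service",
     "MESSAGE": "exiting"},
])


def load_entries(export_text):
    """Parse journalctl -o json output (one JSON object per line)."""
    return [json.loads(line) for line in export_text.splitlines() if line.strip()]


def unit_filter(entries, unit):
    """What journalctl -u shows: entries whose _SYSTEMD_UNIT is the unit."""
    return [e for e in entries if e.get("_SYSTEMD_UNIT") == unit]


def recover_orphans(entries, unit, max_gap_us=5_000_000):
    """Unattributed entries from PIDs the unit ran, shortly after their last line.

    PIDs are learned from the attributed entries.  Only entries with no
    _SYSTEMD_UNIT at all are candidates, and they must fall within max_gap_us
    microseconds after that PID's last attributed entry, so an unrelated
    later process that reuses the PID is not pulled in.
    """
    last_seen = {}
    for e in unit_filter(entries, unit):
        if "_PID" in e:
            ts = int(e["__REALTIME_TIMESTAMP"])
            last_seen[e["_PID"]] = max(ts, last_seen.get(e["_PID"], ts))
    recovered = []
    for e in entries:
        if "_SYSTEMD_UNIT" in e or e.get("_PID") not in last_seen:
            continue
        gap = int(e["__REALTIME_TIMESTAMP"]) - last_seen[e["_PID"]]
        if 0 <= gap <= max_gap_us:
            recovered.append(e)
    return recovered


def unit_log(entries, unit, max_gap_us=5_000_000):
    """Attributed plus recovered entries, merged back into journal order."""
    merged = unit_filter(entries, unit) + recover_orphans(entries, unit, max_gap_us)
    return sorted(merged, key=lambda e: int(e["__REALTIME_TIMESTAMP"]))
```

On a live system the equivalent ad-hoc queries are `journalctl _PID=123` or `journalctl _COMM=service`, which match on the recorded fields instead of the unit; the time window in the script is what keeps a PID-based search from mixing in a later, unrelated process that happens to reuse the number.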


[Touch-packages] [Bug 1756081] [NEW] journald is unable to attribute messages incoming from processes that exited their cgroup

2018-03-15 Thread ChristianEhrhardt
Public bug reported:

This is mostly an FYI and a tracker to link Upstream to Ubuntu.

Background:
I wondered why some of my services are missing just the most interesting "last" 
messages before dying.
Unfortunately I found this is a known race and there seems to be no good fix 
yet.

But I think this is important, so I wanted to make you aware.
Especially the last few messages before a service is dying are important.

If you see any way to fix this in Ubuntu as an interim solution until
upstream has found "the right thing" to eventually solve it that would
be great.

Upstream issue (many dups onto this): 
https://github.com/systemd/systemd/issues/2913
One approach that was tried (but not accepted): https://lwn.net/Articles/580150/

** Affects: systemd
 Importance: Unknown
 Status: Unknown

** Affects: systemd (Ubuntu)
 Importance: Undecided
 Status: New

** Bug watch added: github.com/systemd/systemd/issues #2913
   https://github.com/systemd/systemd/issues/2913

** Also affects: systemd via
   https://github.com/systemd/systemd/issues/2913
   Importance: Unknown
   Status: Unknown

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to systemd in Ubuntu.
https://bugs.launchpad.net/bugs/1756081

Title:
  journald is unable to attribute messages incoming from processes that
  exited their cgroup

Status in systemd:
  Unknown
Status in systemd package in Ubuntu:
  New

To manage notifications about this bug go to:
https://bugs.launchpad.net/systemd/+bug/1756081/+subscriptions



[Touch-packages] [Bug 40189] Re: [SRU] [xenial] autofs needs to be restarted to pick up some shares

2018-03-12 Thread ChristianEhrhardt
Thanks for the ping on this long-standing bug @Tronde.
I updated the state accordingly.

If there is a change to be identified since Xenial->Bionic one could try to SRU 
fix it in Xenial.
But I took a (quick) look and found nothing obvious.
There are major changes like going from SysV init in /etc/init.d/autofs to a 
native systemd service in /lib/systemd/system/autofs.service.
One would need to debug if there is something that can be brought into the 
SysV init to fix it.

I appreciate your former steps to reproduce, but they failed for me :-/
Without having more time debugging why I can't reproduce atm I'd need to ask 
you (or others) to debug what the missing new bit might be to fix up xenial.

** Also affects: autofs (Ubuntu Xenial)
   Importance: Undecided
   Status: New

** Also affects: upstart (Ubuntu Xenial)
   Importance: Undecided
   Status: New

** Also affects: autofs5 (Ubuntu Xenial)
   Importance: Undecided
   Status: New

** Changed in: autofs (Ubuntu)
   Status: Confirmed => Fix Released

** No longer affects: autofs5 (Ubuntu Xenial)

** No longer affects: upstart (Ubuntu Xenial)

** Changed in: autofs (Ubuntu Xenial)
   Status: New => Incomplete

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to upstart in Ubuntu.
https://bugs.launchpad.net/bugs/40189

Title:
  [SRU] [xenial] autofs needs to be restarted to pick up some shares

Status in autofs package in Ubuntu:
  Fix Released
Status in autofs5 package in Ubuntu:
  Invalid
Status in upstart package in Ubuntu:
  Invalid
Status in autofs source package in Xenial:
  Incomplete

Bug description:
  I am using autofs to access shares on a Windows XP machine from a
  Kubuntu AMD64 machine.  The problems applies in both Breezy and
  Dapper.

  EDIT:  confirmed with similar configuration on Intrepid with a NetApp
  filer hosting NFS.  Server OS removed from summary.

  When I first try to access the mount point via cd or in Konqueror it
  does not exist.  However, if I then restart autofs
  (/etc/init.d/autofs restart) everything then works OK.  My config files
  are:

  auto.master

  #
  # $Id: auto.master,v 1.3 2003/09/29 08:22:35 raven Exp $
  #
  # Sample auto.master file
  # This is an automounter map and it has the following format
  # key [ -mount-options-separated-by-comma ] location
  # For details of the format look at autofs(5).
  #/misc  /etc/auto.misc --timeout=60
  #/misc  /etc/auto.misc
  #/net   /etc/auto.net

  /petunia /etc/petunia.misc --timeout=60

  
  petunia.misc

  #
  # $Id: auto.misc,v 1.2 2003/09/29 08:22:35 raven Exp $
  #
  # This is an automounter map and it has the following format
  # key [ -mount-options-separated-by-comma ] location
  # Details may be found in the autofs(5) manpage

  cd  -fstype=iso9660,ro,nosuid,nodev :/dev/cdrom

  tony  -fstype=smbfs,defaults,password=xxx,fmask=777,dmask=777 ://192.168.1.2/tony
  chris -fstype=smbfs,defaults,password=xxx,fmask=777,dmask=777 ://192.168.1.2/chris
  shared  -fstype=smbfs,defaults,password=xxx,fmask=777,dmask=777 ://192.168.1.2/SharedDocs
  linuxbackups  -fstype=smbfs,defaults,password=xxx,fmask=777,dmask=777 ://192.168.1.2/linuxbackups

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/autofs/+bug/40189/+subscriptions



[Touch-packages] [Bug 1754472] Re: autopkgtest: systemd-fsck test is flaky on s390x, lets skip it there

2018-03-08 Thread ChristianEhrhardt
(untested) debdiff as suggestion.
I think this is trivial and will make the other tests more meaningful, as a 
flaky test is more or less worth nothing (and consumes time on CI and of 
people).

** Patch added: "fix-systemd-flaky-fsck.debdiff"
   
https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/1754472/+attachment/5073591/+files/fix-systemd-flaky-fsck.debdiff

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to systemd in Ubuntu.
https://bugs.launchpad.net/bugs/1754472

Title:
  autopkgtest: systemd-fsck test is flaky on s390x, lets skip it there

Status in systemd package in Ubuntu:
  New

Bug description:
  The test really seems to be triggered all of the time to resolve a flaky test.
  That is just not worth the test.
  But it provides good coverage, so an override in britney would lose all that.

  Lets skip the offending test on the arch it is known to be flaky
  (s390x).

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/1754472/+subscriptions



[Touch-packages] [Bug 1754472] [NEW] autopkgtest: systemd-fsck test is flaky on s390x, lets skip it there

2018-03-08 Thread ChristianEhrhardt
Public bug reported:

The test really seems to be triggered all of the time to resolve a flaky test.
That is just not worth the test.
But it provides good coverage, so an override in britney would lose all that.

Lets skip the offending test on the arch it is known to be flaky
(s390x).

** Affects: systemd (Ubuntu)
 Importance: Undecided
 Status: New

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to systemd in Ubuntu.
https://bugs.launchpad.net/bugs/1754472

Title:
  autopkgtest: systemd-fsck test is flaky on s390x, lets skip it there

Status in systemd package in Ubuntu:
  New

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/1754472/+subscriptions



[Touch-packages] [Bug 715141] Re: Default NTP servers do not have AAAA records

2018-03-08 Thread ChristianEhrhardt
@Paul - I wondered, do we converge on providing IPv6 on all 4 Ubuntu pool 
addresses?
For bug 1754358 in chrony it would be really helpful to reach an optimal 
default configuration if all Ubuntu pools would provide IPv6.

I'm sure you know best what is planned (or could be done), so I'd be
happy if you could let us know.

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to ntp in Ubuntu.
https://bugs.launchpad.net/bugs/715141

Title:
  Default NTP servers do not have AAAA records

Status in ntp package in Ubuntu:
  Fix Released

Bug description:
  Binary package hint: ntp

  When installing ntp on an IPv6 only host, the kindly provided ntp.ubuntu.com 
does not work, because it does not have an AAAA record. 
  Please provide IPv6 connectivity for this host.
  This affects all releases.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ntp/+bug/715141/+subscriptions



[Touch-packages] [Bug 1750780] Re: Race with local file systems can make open-vm-tools fail to start

2018-03-06 Thread ChristianEhrhardt
For open-vm-tools this issue will only exist with the planned backport of the 
newer version.
Since we will not ship the broken backport as we found it in pre-checks the 
correct state for open-vm-tools in xenial is invalid.

** Changed in: open-vm-tools (Ubuntu Xenial)
   Status: Triaged => Invalid

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to systemd in Ubuntu.
https://bugs.launchpad.net/bugs/1750780

Title:
  Race with local file systems can make open-vm-tools fail to start

Status in cloud-init:
  Invalid
Status in open-vm-tools package in Ubuntu:
  Fix Released
Status in systemd package in Ubuntu:
  Fix Released
Status in open-vm-tools source package in Xenial:
  Invalid
Status in systemd source package in Xenial:
  New
Status in open-vm-tools package in Debian:
  Incomplete

To manage notifications about this bug go to:
https://bugs.launchpad.net/cloud-init/+bug/1750780/+subscriptions



[Touch-packages] [Bug 1752705] Re: installation of mysql-server fails because postinst fails to shut down server

2018-03-02 Thread ChristianEhrhardt
ubuntu@b-test:~$ sudo systemd-nspawn -D testmysql --bind /etc/resolv.conf 
/bin/bash
Spawning container testmysql on /home/ubuntu/testmysql.
Press ^] three times within 1s to kill container.
Host and machine ids are equal (92544cb0ba5946158c7c4f9b57691fe3): refusing to 
link journals
bash: cannot set terminal process group (-1): Inappropriate ioctl for device
bash: no job control in this shell

Ok, in there with a shell

Ok, it takes a long time but works:
Setting up mysql-server-5.7 (5.7.21-1ubuntu1) ...
invoke-rc.d: could not determine current runlevel
 * Stopping MySQL database server mysqld
   [ OK ] 
update-alternatives: using /etc/mysql/mysql.cnf to provide /etc/mysql/my.cnf 
(my.cnf) in auto mode
Renaming removed key_buffer and myisam-recover options (if present)
Created symlink /etc/systemd/system/multi-user.target.wants/mysql.service → 
/lib/systemd/system/mysql.service.
invoke-rc.d: could not determine current runlevel

So this likely needs debug on your system why it fails for you.
Adding systemd task for being nspawn related.

** Also affects: systemd (Ubuntu)
   Importance: Undecided
   Status: New

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to systemd in Ubuntu.
https://bugs.launchpad.net/bugs/1752705

Title:
  installation of mysql-server fails because postinst fails to shut down
  server

Status in mysql-5.7 package in Ubuntu:
  New
Status in systemd package in Ubuntu:
  New

Bug description:
  Creating a fresh Bionic directory with `debootstrap` and then
  attempting to install `mysql-server` inside a `systemd-nspawn`
  container fails with the following message:

  Setting up mysql-server-5.7 (5.7.21-1ubuntu1) ...
  invoke-rc.d: could not determine current runlevel
   * Stopping MySQL database server mysqld [ OK 
]
  update-alternatives: using /etc/mysql/mysql.cnf to provide /etc/mysql/my.cnf 
(my.cnf) in auto mode
  Renaming removed key_buffer and myisam-recover options (if present)
  Error: Unable to shut down server with process id 532
  dpkg: error processing package mysql-server-5.7 (--configure):
   installed mysql-server-5.7 package post-installation script subprocess 
returned error exit status 1

  
  Steps to reproduce:
  1. debootstrap bionic testmysql
  2. rm testmysql/etc/resolv.conf
  3. systemd-nspawn -D testmysql --bind /etc/resolv.conf /bin/bash -c 'apt 
update && apt install mysql-server'

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/mysql-5.7/+bug/1752705/+subscriptions



[Touch-packages] [Bug 1750780] Re: Race with local file systems can make open-vm-tools fail to start

2018-02-26 Thread ChristianEhrhardt
With the former update in mind I retried Xenial/Bionic again.
All of it is racy (as we knew), but it never triggered for Bionic.

Xenial (19/33 fails)
Bionic (0/37 fails)

So for now we continue to assume that it is fixed there (by systemd) and
revert our added dependency.

Note: as with the simple job in comment #12 and comment #14 this is hypervisor 
agnostic.
You can even test the open-vm-tools service in KVM by removing the condition on 
vmware.

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to systemd in Ubuntu.
https://bugs.launchpad.net/bugs/1750780

Title:
  Race with local file systems can make open-vm-tools fail to start

Status in cloud-init:
  Invalid
Status in open-vm-tools package in Ubuntu:
  Fix Released
Status in systemd package in Ubuntu:
  Fix Released
Status in open-vm-tools source package in Xenial:
  Triaged
Status in systemd source package in Xenial:
  New
Status in open-vm-tools package in Debian:
  Incomplete

To manage notifications about this bug go to:
https://bugs.launchpad.net/cloud-init/+bug/1750780/+subscriptions



[Touch-packages] [Bug 1750780] Re: Race with local file systems can make open-vm-tools fail to start

2018-02-26 Thread ChristianEhrhardt
Thanks Scott for your cross check.
I wonder why my former test failed on each of my tests without writing, but 
nevertheless your extended example is great for the systemd issue that 
remains.

Although all of this is still a race, for example with the job above on a 
Xenial container I could not trigger it in several retries (5/5 worked).
Doing the same in a Xenial KVM guest instead triggered it right away, but still 
not on every reboot (3/5 failed).

I hope that helps everybody trying to reproduce this.

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to systemd in Ubuntu.
https://bugs.launchpad.net/bugs/1750780

Title:
  Race with local file systems can make open-vm-tools fail to start

Status in cloud-init:
  Invalid
Status in open-vm-tools package in Ubuntu:
  Fix Released
Status in systemd package in Ubuntu:
  Fix Released
Status in open-vm-tools source package in Xenial:
  Triaged
Status in systemd source package in Xenial:
  New
Status in open-vm-tools package in Debian:
  Incomplete

To manage notifications about this bug go to:
https://bugs.launchpad.net/cloud-init/+bug/1750780/+subscriptions



[Touch-packages] [Bug 1750780] Re: Race with local file systems can make open-vm-tools fail to start

2018-02-26 Thread ChristianEhrhardt
I'll likely revert the Bionic change tomorrow morning as we have discussed.
local-fs.target is actually >> the implicit dependency.

But that does not solve the Xenial issue outlined in the former comment.

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to systemd in Ubuntu.
https://bugs.launchpad.net/bugs/1750780

Title:
  Race with local file systems can make open-vm-tools fail to start

Status in cloud-init:
  Invalid
Status in open-vm-tools package in Ubuntu:
  Fix Released
Status in systemd package in Ubuntu:
  Fix Released
Status in open-vm-tools source package in Xenial:
  Triaged
Status in systemd source package in Xenial:
  New
Status in open-vm-tools package in Debian:
  Incomplete

To manage notifications about this bug go to:
https://bugs.launchpad.net/cloud-init/+bug/1750780/+subscriptions



[Touch-packages] [Bug 1750780] Re: Race with local file systems can make open-vm-tools fail to start

2018-02-26 Thread ChristianEhrhardt
Installed another Xenial and Bionic in vmware to take a deeper look.
- Xenial (with backported open-vm-tools): affected
- Bionic (with the interim fix reverted): no hit in several retries, 
explanation below

Systemd fixed it (via our assumed implicit dependency).
In Bionic the PrivateTmp gives it a dependency on systemd-tmpfiles-setup.service 
(seen in systemd-analyze, there might be more but not on the critical path).
This is configured by default to include /var/tmp in 
/usr/lib/tmpfiles.d/tmp.conf.

In regard to your thoughts about later on changing cloud-init ordering
that won't help you, as the dependency is there (implicit or explicit
doesn't matter).

For the xenial case where I reliably hit the issue instead of stracing I cut 
things short.
A service with the following exposes exactly the same error:
[Unit]
Description=foo
DefaultDependencies=no

[Service]
PrivateTmp=yes
ExecStart=/bin/true

[Install]
WantedBy=multi-user.target

So back on Xenial it is PrivateTmp + too early that breaks it.

Xenial vs Bionic critical-chain according to "systemd-analyze critical-
chain open-vm-tools.service"

Xenial with fix:
open-vm-tools.service @3.482s
└─local-fs.target @3.460s
  └─local-fs-pre.target @3.460s
└─systemd-remount-fs.service @3.442s +9ms
  └─system.slice @220ms
└─-.slice @204m

Xenial without fix:
└─run-vmblock\x2dfuse.mount @6.076s +390ms
  └─sys-fs-fuse-connections.mount @5.510s +375ms
└─systemd-modules-load.service @1.996s +75ms
  └─system.slice @1.984s
└─-.slice @1.966s

Bionic
open-vm-tools.service @3.566s
└─systemd-tmpfiles-setup.service @3.421s +100ms
  └─systemd-journal-flush.service @3.054s +342ms
└─systemd-journald.service @825ms +2.219s
  └─syslog.socket @808ms
└─system.slice @621ms
  └─-.slice @613ms

To summarize, we can:
- revert the fix for Bionic (or later) - just make it a sync when convenient 
down the road, it doesn't hurt for now as it is (almost) the same as the 
implicit dependency
- add a Xenial systemd bug task (probably too complex to fix as -upstream)
- until said systemd bug is fixed a backport of open-vm-tools needs this fix


** Also affects: systemd (Ubuntu)
   Importance: Undecided
   Status: New

** Also affects: open-vm-tools (Ubuntu Xenial)
   Importance: Undecided
   Status: New

** Also affects: systemd (Ubuntu Xenial)
   Importance: Undecided
   Status: New

** Changed in: open-vm-tools (Ubuntu Xenial)
   Status: New => Triaged

** Changed in: systemd (Ubuntu)
   Status: New => Fix Released

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to systemd in Ubuntu.
https://bugs.launchpad.net/bugs/1750780

Title:
  Race with local file systems can make open-vm-tools fail to start

Status in cloud-init:
  Invalid
Status in open-vm-tools package in Ubuntu:
  Fix Released
Status in systemd package in Ubuntu:
  Fix Released
Status in open-vm-tools source package in Xenial:
  Triaged
Status in systemd source package in Xenial:
  New
Status in open-vm-tools package in Debian:
  Incomplete

Bug description:
  Since the change in [1] open-vm-tools-service starts very (very) early.
  Not so much due to the 
  Before=cloud-init-local.service
  But much more by
  DefaultDependencies=no

  That can trigger an issue that looks like the failed systemctl status quoted above.

  [1]: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=859677
  [2]: https://github.com/systemd/systemd/issues/5610
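The two questions in this thread (does a DefaultDependencies=no unit with PrivateTmp=yes need an explicit ordering, and does After=local-fs.target contradict Before=cloud-init-local.service) can be checked mechanically. Added example, not code from the bug report or from open-vm-tools; the unit texts are constructed from the directives quoted above, and the list of units that guarantee a writable /var/tmp (local-fs.target, systemd-tmpfiles-setup.service) is an assumption taken from the fix and the Bionic critical chain:

```python
"""Lint systemd units for the PrivateTmp + DefaultDependencies=no race.

Constructed example, not code from the bug report or from open-vm-tools.
Check 1: a unit that opts out of default dependencies and asks for PrivateTmp=
must order itself after something that makes /var/tmp writable.
Check 2: the added After= must not contradict the existing Before= chain.
"""
from collections import defaultdict

# Assumed providers of a writable /var/tmp: the explicit fix from the bug
# (local-fs.target) and the implicit Bionic dependency seen in the critical
# chain (systemd-tmpfiles-setup.service).
TMP_PROVIDERS = {"local-fs.target", "systemd-tmpfiles-setup.service"}
TRUE_VALUES = {"1", "yes", "true", "on"}


def parse_unit(text):
    """Parse a unit file into {section: {key: [values]}}.

    systemd lets a key repeat (several Before= lines) and splits list values
    on whitespace, so values are accumulated instead of overwritten.
    """
    sections = defaultdict(lambda: defaultdict(list))
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            continue
        if current is None or "=" not in line:
            raise ValueError("malformed unit line: %r" % raw)
        key, _, value = line.partition("=")
        values = value.split()
        if values:
            sections[current][key.strip()].extend(values)
        else:  # 'Key=' with an empty value resets the list, as in systemd
            sections[current][key.strip()] = []
    return sections


def _last(sections, section, key, default):
    """Last assignment wins for scalar settings such as PrivateTmp=."""
    values = sections.get(section, {}).get(key, [])
    return values[-1].lower() if values else default


def check_tmp_race(text):
    """Return findings for one unit; an empty list means it is ordered safely."""
    unit = parse_unit(text)
    if _last(unit, "Unit", "DefaultDependencies", "yes") in TRUE_VALUES:
        return []  # default deps already order the unit after sysinit.target
    if _last(unit, "Service", "PrivateTmp", "no") not in TRUE_VALUES:
        return []  # no private /tmp, so no early need for a writable /var/tmp
    if set(unit["Unit"].get("After", [])) & TMP_PROVIDERS:
        return []
    return ["PrivateTmp=yes with DefaultDependencies=no but no After= on any of "
            + ", ".join(sorted(TMP_PROVIDERS)) + " (races a read-only /var/tmp)"]


def ordering_edges(units):
    """Turn Before=/After= of several units into 'a starts before b' edges."""
    edges = set()
    for name, sections in units.items():
        u = sections.get("Unit", {})
        edges.update((other, name) for other in u.get("After", []))
        edges.update((name, other) for other in u.get("Before", []))
    return edges


def has_ordering_cycle(edges):
    """Depth-first search for a cycle in the start-ordering graph."""
    graph = defaultdict(set)
    for a, b in edges:
        graph[a].add(b)
    state = {}  # node -> "visiting" while on the DFS stack, "done" afterwards

    def visit(node):
        state[node] = "visiting"
        for nxt in graph[node]:
            if state.get(nxt) == "visiting" or (nxt not in state and visit(nxt)):
                return True
        state[node] = "done"
        return False

    return any(n not in state and visit(n) for n in list(graph))


# Constructed units, reduced to the ordering directives quoted in the bug.
OPEN_VM_TOOLS_BROKEN = ("[Unit]\nDefaultDependencies=no\n"
                        "Before=cloud-init-local.service\n[Service]\nPrivateTmp=yes\n")
OPEN_VM_TOOLS_FIXED = OPEN_VM_TOOLS_BROKEN.replace("[Service]", "After=local-fs.target\n[Service]")
CLOUD_INIT_LOCAL = ("[Unit]\nDefaultDependencies=no\nAfter=systemd-remount-fs.service\n"
                    "Before=network-pre.target\nBefore=sysinit.target\n")


def proposed_fix_is_consistent():
    """The fixed unit passes the lint and adds no cycle against cloud-init-local."""
    units = {"open-vm-tools.service": parse_unit(OPEN_VM_TOOLS_FIXED),
             "cloud-init-local.service": parse_unit(CLOUD_INIT_LOCAL)}
    return (check_tmp_race(OPEN_VM_TOOLS_FIXED) == []
            and not has_ordering_cycle(ordering_edges(units)))
```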

[Touch-packages] [Bug 1750754] Re: package openssh-server 1:7.5p1-10ubuntu0.1 failed to install/upgrade: subprocess installed post-installation script returned error exit status 1

2018-02-23 Thread ChristianEhrhardt
Thank you for taking the time to report this bug and helping to make
Ubuntu better.

On upgrading a service this service has to be restarted to pick up the fixes.
Rather rarely a real issue occurs that the newer version does e.g. fail with 
the formerly working configuration.
But most of the time what happens is, that a service was installed, but stays 
unconfigured or experimented with but left in a broken state.

Now on any update of the related packages that service has to be restarted, but 
since its config is incomplete/faulty it fails to restart.
Therefore the update of that package has to consider itself incomplete.

Depending on your particular case there are two solutions:
- either remove the offending package if you don't want to continue using it.
- Or if you do want to keep it please fix the configuration so that re-starting 
the service will work.

Since it seems likely to me that this is a local configuration problem,
rather than a bug in Ubuntu, I'm marking this bug as Incomplete.

If indeed this is a local configuration problem, you can find pointers
to get help for this sort of problem here:
http://www.ubuntu.com/support/community

Or if you believe that this is really a bug, then you may find it
helpful to read "How to report bugs effectively"
http://www.chiark.greenend.org.uk/~sgtatham/bugs.html. We'd be grateful
if you would then provide a more complete description of the problem,
explain why you believe this is a bug in Ubuntu rather than a problem
specific to your system, and then change the bug status back to New.

** Changed in: openssh (Ubuntu)
   Status: New => Incomplete

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to openssh in Ubuntu.
https://bugs.launchpad.net/bugs/1750754

Title:
  package openssh-server 1:7.5p1-10ubuntu0.1 failed to install/upgrade:
  subprocess installed post-installation script returned error exit
  status 1

Status in openssh package in Ubuntu:
  Incomplete

Bug description:
  Not much to report; there was an error when this package was to install
  in the background

  Description:  Ubuntu 17.10
  Release:  17.10

  
  openssh-server:
Installed: 1:7.5p1-10ubuntu0.1
Candidate: 1:7.5p1-10ubuntu0.1
Version table:
   *** 1:7.5p1-10ubuntu0.1 500
  500 http://au.archive.ubuntu.com/ubuntu artful-updates/main amd64 
Packages
  500 http://security.ubuntu.com/ubuntu artful-security/main amd64 
Packages
  100 /var/lib/dpkg/status
   1:7.5p1-10 500
  500 http://au.archive.ubuntu.com/ubuntu artful/main amd64 Packages

  This was automatically being updated and the error occurred

  ProblemType: Package
  DistroRelease: Ubuntu 17.10
  Package: openssh-server 1:7.5p1-10ubuntu0.1
  ProcVersionSignature: Ubuntu 4.13.0-32.35-generic 4.13.13
  Uname: Linux 4.13.0-32-generic x86_64
  NonfreeKernelModules: nvidia_uvm nvidia_drm nvidia_modeset nvidia
  ApportVersion: 2.20.7-0ubuntu3.7
  AptOrdering:
   chromium-codecs-ffmpeg-extra:amd64: Install
   NULL: ConfigurePending
  Architecture: amd64
  Date: Wed Feb 21 18:47:43 2018
  DpkgHistoryLog:
   Start-Date: 2018-02-21  18:47:41
   Commandline: /usr/bin/unattended-upgrade
   Upgrade: chromium-codecs-ffmpeg-extra:amd64 (64.0.3282.140-0ubuntu0.17.10.1, 
64.0.3282.167-0ubuntu0.17.10.1)
  ErrorMessage: subprocess installed post-installation script returned error 
exit status 1
  InstallationDate: Installed on 2016-11-03 (474 days ago)
  InstallationMedia: Ubuntu 16.04 LTS "Xenial Xerus" - Release amd64 
(20160420.1)
  Python3Details: /usr/bin/python3.6, Python 3.6.3, python3-minimal, 
3.6.3-0ubuntu2
  PythonDetails: /usr/bin/python2.7, Python 2.7.14, python-minimal, 
2.7.14-2ubuntu1
  RelatedPackageVersions:
   dpkg 1.18.24ubuntu1
   apt  1.5.1
  SSHDConfig: Error: command ['/usr/sbin/sshd', '-T'] failed with exit code 
255: Missing privilege separation directory: /run/sshd
  SourcePackage: openssh
  Title: package openssh-server 1:7.5p1-10ubuntu0.1 failed to install/upgrade: 
subprocess installed post-installation script returned error exit status 1
  UpgradeStatus: Upgraded to artful on 2017-12-22 (61 days ago)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/1750754/+subscriptions



[Touch-packages] [Bug 1750754] Re: package openssh-server 1:7.5p1-10ubuntu0.1 failed to install/upgrade: subprocess installed post-installation script returned error exit status 1

2018-02-23 Thread ChristianEhrhardt
Hi,
from your log:
SSHDConfig: Error: command ['/usr/sbin/sshd', '-T'] failed with exit code 255: 
Missing privilege separation directory: /run/sshd

Log:
Feb 21 18:47:43 turagit01 sshd[3829]: error: Bind to port 22 on 192.168.1.15 
failed: Cannot assign requested address.
Feb 21 18:47:43 turagit01 sshd[3829]: fatal: Cannot bind any address.
Feb 21 18:47:43 turagit01 systemd[1]: ssh.service: Main process exited, 
code=exited, status=255/n/a

Those seem to be two separate issues, the one thing they share is that
they seem to be custom configuration that has gone wrong.

sshd -T is the "test my config" before it starts.
If you fix the configuration of your ssh server I'm pretty sure the upgrade 
will succeed.

See [1] for an example how to restore a conffile to the original version
if you don't want to edit your changes manually, but just revert.

[1]: https://askubuntu.com/questions/66533/how-can-i-restore-
configuration-files



[Touch-packages] [Bug 1750717] Re: package openssh-server 1:7.2p2-4ubuntu2.4 failed to install/upgrade: subprocess installed post-installation script returned error exit status 1

2018-02-23 Thread ChristianEhrhardt
Look at https://askubuntu.com/questions/66533/how-can-i-restore-
configuration-files for an example to restore conffiles - hope that
helps.

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to openssh in Ubuntu.
https://bugs.launchpad.net/bugs/1750717

Title:
  package openssh-server 1:7.2p2-4ubuntu2.4 failed to install/upgrade:
  subprocess installed post-installation script returned error exit
  status 1

Status in openssh package in Ubuntu:
  Incomplete

Bug description:
  sshd issue

  ProblemType: Package
  DistroRelease: Ubuntu 16.04
  Package: openssh-server 1:7.2p2-4ubuntu2.4
  ProcVersionSignature: Ubuntu 4.13.0-32.35~16.04.1-generic 4.13.13
  Uname: Linux 4.13.0-32-generic x86_64
  ApportVersion: 2.20.1-0ubuntu2.15
  Architecture: amd64
  Date: Tue Feb 20 06:34:34 2018
  ErrorMessage: subprocess installed post-installation script returned error 
exit status 1
  InstallationDate: Installed on 2017-07-25 (210 days ago)
  InstallationMedia: Ubuntu 16.04.2 LTS "Xenial Xerus" - Release amd64 
(20170215.2)
  RelatedPackageVersions:
   dpkg 1.18.4ubuntu1.3
   apt  1.2.25
  SourcePackage: openssh
  Title: package openssh-server 1:7.2p2-4ubuntu2.4 failed to install/upgrade: 
subprocess installed post-installation script returned error exit status 1
  UpgradeStatus: No upgrade log present (probably fresh install)
  modified.conffile..etc.init.ssh.conf: [deleted]

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/1750717/+subscriptions



[Touch-packages] [Bug 1750717] Re: package openssh-server 1:7.2p2-4ubuntu2.4 failed to install/upgrade: subprocess installed post-installation script returned error exit status 1

2018-02-23 Thread ChristianEhrhardt
Thank you for taking the time to report this bug and helping to make
Ubuntu better.

On upgrading a service this service has to be restarted to pick up the fixes.
Rather rarely a real issue occurs that the newer version does e.g. fail with 
the formerly working configuration.
But most of the time what happens is, that a service was installed, but stays 
unconfigured or experimented with but left in a broken state.

Now on any update of the related packages that service has to be restarted, but 
since its config is incomplete/faulty it fails to restart.
Therefore the update of that package has to consider itself incomplete.

Depending on your particular case there are two solutions:
- either remove the offending package if you don't want to continue using it.
- Or if you do want to keep it please fix the configuration so that re-starting 
the service will work.

Since it seems likely to me that this is a local configuration problem,
rather than a bug in Ubuntu, I'm marking this bug as Incomplete.

If indeed this is a local configuration problem, you can find pointers
to get help for this sort of problem here:
http://www.ubuntu.com/support/community

Or if you believe that this is really a bug, then you may find it
helpful to read "How to report bugs effectively"
http://www.chiark.greenend.org.uk/~sgtatham/bugs.html. We'd be grateful
if you would then provide a more complete description of the problem,
explain why you believe this is a bug in Ubuntu rather than a problem
specific to your system, and then change the bug status back to New.

** Changed in: openssh (Ubuntu)
   Status: New => Incomplete



[Touch-packages] [Bug 1750717] Re: package openssh-server 1:7.2p2-4ubuntu2.4 failed to install/upgrade: subprocess installed post-installation script returned error exit status 1

2018-02-23 Thread ChristianEhrhardt
Hi,
from your logs:
modified.conffile..etc.init.ssh.conf: [deleted]

That will make the server fail to restart.



[Touch-packages] [Bug 1748063] Re: package clamav-base 0.99.3+addedllvm-0ubuntu0.14.04.1 failed to install/upgrade: subprocess installed post-installation script returned error exit status 128

2018-02-23 Thread ChristianEhrhardt
Hi,
Thank you for taking the time to report this bug and helping to make Ubuntu 
better.

I also can't see any hack evidence in the data shared.

What I can see in your log is:
Setting up clamav-base (0.99.3+addedllvm-0ubuntu0.14.04.1) ...
Use of uninitialized value $reply in scalar chomp at 
/usr/share/perl5/Debconf/FrontEnd/Passthrough.pm line 66.
Use of uninitialized value $reply in concatenation (.) or string at 
/usr/share/perl5/Debconf/FrontEnd/Passthrough.pm line 67.
Use of uninitialized value $reply in split at 
/usr/share/perl5/Debconf/FrontEnd/Passthrough.pm line 68.
Use of uninitialized value $reply in scalar chomp at 
/usr/share/perl5/Debconf/FrontEnd/Passthrough.pm line 66.
Use of uninitialized value $reply in concatenation (.) or string at 
/usr/share/perl5/Debconf/FrontEnd/Passthrough.pm line 67.
Use of uninitialized value $reply in split at 
/usr/share/perl5/Debconf/FrontEnd/Passthrough.pm line 68.
Use of uninitialized value $reply in scalar chomp at 
/usr/share/perl5/Debconf/FrontEnd/Passthrough.pm line 66.
Use of uninitialized value $reply in concatenation (.) or string at 
/usr/share/perl5/Debconf/FrontEnd/Passthrough.pm line 67.
Use of uninitialized value $reply in split at 
/usr/share/perl5/Debconf/FrontEnd/Passthrough.pm line 68.
Use of uninitialized value $ret in string eq at 
/usr/share/perl5/Debconf/FrontEnd/Passthrough.pm line 109.
dpkg: error processing package clamav-base (--configure):
 subprocess installed post-installation script returned error exit status 128


That seems to be a recurring, but not yet solved issue.
See bug 442941 and bug 1679435 for details.
Fixes for those are released, but there is a lot of detail solved there.

I hope the bugs will help you find your issue.
If you have had a particular security issue in mind please outline it so that 
we can address it.

Since there isn't enough information in your report to differentiate
between a local configuration problem and a bug in Ubuntu, I'm marking
this bug as Incomplete.

If indeed this is a local configuration problem, you can find pointers
to get help for this sort of problem here:
http://www.ubuntu.com/support/community

Or if you believe that this is really a bug, then you may find it
helpful to read "How to report bugs effectively"
http://www.chiark.greenend.org.uk/~sgtatham/bugs.html. We'd be grateful
if you would then provide a more complete description of the problem,
explain why you believe this is a bug in Ubuntu rather than a problem
specific to your system, and then change the bug status back to New.


** Changed in: clamav (Ubuntu)
   Status: New => Incomplete

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to debconf in Ubuntu.
https://bugs.launchpad.net/bugs/1748063

Title:
  package clamav-base 0.99.3+addedllvm-0ubuntu0.14.04.1 failed to
  install/upgrade: subprocess installed post-installation script
  returned error exit status 128

Status in clamav package in Ubuntu:
  Incomplete
Status in debconf package in Ubuntu:
  New

Bug description:
  My computer used to continually freeze after about thirty (30) seconds
  or so such that neither my mouse nor my keyboard worked because they
  froze, which required me to repeatedly restart my computer, but not
  first without disconnecting my computer from its internet connection,
  given that my understanding is and/or was that there are or were
  security problems in permitting the grub loader to be seen and,
  therefore, its key to be read by eavesdropper(s) on the other end of
  the internet cable.  Nevertheless, it also appears, after having
  reviewed my computer's files and folder that criminal hacker(s) have
  and continue to attempt to infiltrate my computer by means of two (2)
  known files, Namely, .pki and .esd_auth .  Given that my computer was
  hacked a day or two ago, thereby rendering it useless to the point of
  my computer being unable to boot, I assert and maintain that these
  vulnerabilities ought to be addressed to prevent further security
  breaches in an otherwise excellent operating system.

  ProblemType: Package
  DistroRelease: Ubuntu 14.04
  Package: clamav-base 0.99.3+addedllvm-0ubuntu0.14.04.1
  ProcVersionSignature: Ubuntu 3.2.0-121.164-generic-pae 3.2.79
  Uname: Linux 3.2.0-121-generic-pae i686
  ApportVersion: 2.14.1-0ubuntu3.27
  Architecture: i386
  Date: Wed Feb  7 20:46:24 2018
  DuplicateSignature: 
package:clamav-base:0.99.3+addedllvm-0ubuntu0.14.04.1:subprocess installed 
post-installation script returned error exit status 128
  ErrorMessage: subprocess installed post-installation script returned error 
exit status 128
  InstallationDate: Installed on 2017-02-16 (356 days ago)
  InstallationMedia: Ubuntu 12.04 LTS "Precise Pangolin" - Release i386 
(20120423)
  PackageArchitecture: all
  ProcCmdline: BOOT_IMAGE=/boot/vmlinuz-3.2.0-121-generic-pae 
root=UUID=120b07c7-e971-4a45-bc46-a15f8eefc5e1 ro quiet splash vt.handoff=7
  

[Touch-packages] [Bug 1670408] Re: apparmor base abstraction needs backport of rev 3658 to fix several denies (tor, ntp, ...)

2018-02-21 Thread ChristianEhrhardt
Xenial as is on ntp restart:
[2618636.253807] audit: type=1400 audit(1519220834.240:5311): apparmor="DENIED" 
operation="file_inherit" namespace="root//lxd-x_" 
profile="/usr/sbin/ntpd" name="/run/systemd/journal/stdout" pid=24452 
comm="ntpd" requested_mask="wr" denied_mask="wr" fsuid=100 ouid=100
[2618636.253817] audit: type=1400 audit(1519220834.240:5312): apparmor="DENIED" 
operation="file_inherit" namespace="root//lxd-x_" 
profile="/usr/sbin/ntpd" name="/run/systemd/journal/stdout" pid=24452 
comm="ntpd" requested_mask="wr" denied_mask="wr" fsuid=100 ouid=100

With updates from proposed
# sudo apt install apparmor
Reading package lists... Done
Building dependency tree   
Reading state information... Done
The following package was automatically installed and is no longer required:
  libfreetype6
Use 'sudo apt autoremove' to remove it.
Suggested packages:
  apparmor-profiles apparmor-profiles-extra apparmor-docs apparmor-utils
The following packages will be upgraded:
  apparmor
1 upgraded, 0 newly installed, 0 to remove and 29 not upgraded.
Need to get 450 kB of archives.
After this operation, 1024 B of additional disk space will be used.
Get:1 http://archive.ubuntu.com/ubuntu xenial-proposed/main amd64 apparmor 
amd64 2.10.95-0ubuntu2.9 [450 kB]
Fetched 450 kB in 0s (2291 kB/s)
Preconfiguring packages ...
(Reading database ... 25611 files and directories currently installed.)
Preparing to unpack .../apparmor_2.10.95-0ubuntu2.9_amd64.deb ...
Unpacking apparmor (2.10.95-0ubuntu2.9) over (2.10.95-0ubuntu2.8) ...
Processing triggers for systemd (229-4ubuntu21.1) ...
Processing triggers for ureadahead (0.100.0-19) ...
Processing triggers for man-db (2.7.5-1) ...
Setting up apparmor (2.10.95-0ubuntu2.9) ...
Installing new version of config file /etc/apparmor.d/abstractions/base ...
update-rc.d: warning: start and stop actions are no longer supported; falling 
back to defaults
Skipping profile in /etc/apparmor.d/disable: usr.sbin.rsyslogd


# No issues anymore when restarting the service.
Also found no other apparmor related issues restarting a few services that I 
had on there.

** Tags removed: verification-needed verification-needed-xenial
** Tags added: verification-done verification-done-xenial

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1670408

Title:
  apparmor base abstraction needs backport of rev 3658 to fix several
  denies (tor, ntp, ...)

Status in apparmor package in Ubuntu:
  Fix Released
Status in ntp package in Ubuntu:
  Confirmed
Status in tor package in Ubuntu:
  Confirmed
Status in apparmor source package in Xenial:
  Fix Committed

Bug description:
  [Impact]

   * The base abstraction in xenial misses some ways programs can push 
 logs to journald

   * Backport the fix from Artful to:
 1. get rid of the Denies making logs less readable
 2. get users to see the actual log entries will help to unbreak many 
other cases

  [Test Case]

   * Install one of the affected packages (in a xenial container is enough)
   * For the case of ntp just install and then run
 systemctl restart ntp
   * in Dmesg you'll see apparmor Denies like
   apparmor="DENIED"
   operation="file_inherit"
   profile="/usr/sbin/ntpd" 
   name="/run/systemd/journal/stdout"
   * Each case is different, in this (ntp) case also some log entries are 
 missed due to the block
   * After installing the fixed package there is no Deny anymore and 
 programs are able to correctly log.

  [Regression Potential]

   * The change is in ubuntu as-is since artful and we are only opening up, 
 but not limiting the access - so there should be nothing that is denied 
 after the update that was not before.
 Vice versa there could be changes due to things now working correctly, 
 but I'd not see that as a regression.

  [Other Info]
   
   * affects many packages ntp, tor - I even heard examples of mysql.
 But the fix is in apparmor through base abstraction

  ---

  Using tor 0.2.9.9-1ubuntu1 with Linux 4.10.0-9-generic on Zesty, tor
  fails to start after installing the tor package. "systemctl status
  tor@default" reports:

  Mar 06 16:04:00 zesty systemd[1]: tor@default.service: Main process exited, 
code=killed, status=11/SEGV
  Mar 06 16:04:00 zesty systemd[1]: Failed to start Anonymizing overlay network 
for TCP.
  Mar 06 16:04:00 zesty systemd[1]: tor@default.service: Unit entered failed 
state.
  Mar 06 16:04:00 zesty systemd[1]: tor@default.service: Failed with result 
'signal'.

  There are two AppArmor denials in the kernel log:

  Mar  6 15:53:12 zesty-test kernel: [  102.699647] audit: type=1400
  audit(1488815592.268:35): apparmor="DENIED" operation="file_inherit"
  namespace="root//lxd-zesty_" profile="system_tor"
  name="/run/systemd/journal/stdout" pid=3520 comm="tor"
  requested_mask="wr" denied_mask="wr" 
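A small parser for the audit lines quoted in this bug, added here as an example (not code from the bug report or from apparmor). It groups denials by profile, operation and path, so a gap in a shared abstraction shows up as the same path denied across unrelated profiles; the sample lines are constructed from the ntp and tor denials above, with the third line's name= a placeholder because the quoted file_mmap line is cut off:

```python
"""Parse AppArmor DENIED audit lines and single out the journald stdout denials.

Constructed example, not code from the bug report or from apparmor. It takes
kernel log lines like the ones quoted for ntp and tor and groups the denials
by profile, operation and path.
"""
import re
from collections import Counter

# Audit lines mix key="quoted value" and key=bareword fields.
_FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
_NUMERIC_FIELDS = {"pid", "fsuid", "ouid"}
JOURNAL_STDOUT = "/run/systemd/journal/stdout"


def parse_denial(line):
    """Return the fields of one apparmor="DENIED" line, or None for other lines."""
    if "apparmor=" not in line:
        return None
    fields = {}
    for key, quoted, bare in _FIELD_RE.findall(line):
        value = quoted if quoted else bare
        if key in _NUMERIC_FIELDS and value.isdigit():
            value = int(value)
        fields[key] = value
    if fields.get("apparmor") != "DENIED":
        return None
    # namespace="root//lxd-foo_" means the denial came from a container's
    # policy namespace; both denials quoted in the bug were seen inside LXD.
    fields["in_container"] = "//" in fields.get("namespace", "")
    return fields


def summarise(lines):
    """Count denials by (profile, operation, name)."""
    counts = Counter()
    for denial in map(parse_denial, lines):
        if denial:
            counts[(denial.get("profile"), denial.get("operation"), denial.get("name"))] += 1
    return counts


def journald_stdout_profiles(lines):
    """Profiles denied the journald stdout stream: systemd starts the service
    with stdout connected to journald, the process inherits that fd, and the
    profile has no rule for it (the symptom the base abstraction fix removes)."""
    return sorted({d["profile"] for d in map(parse_denial, lines)
                   if d and d.get("operation") == "file_inherit"
                   and d.get("name") == JOURNAL_STDOUT})


# Constructed sample modelled on the ntp (xenial) and tor (zesty) lines quoted
# in the bug, with the mail's wrapped lines joined back together. The third
# line's name= is a placeholder, as the quoted file_mmap line is cut off.
SAMPLE_LOG = [
    '[2618636.253807] audit: type=1400 audit(1519220834.240:5311): apparmor="DENIED" '
    'operation="file_inherit" namespace="root//lxd-x_" profile="/usr/sbin/ntpd" '
    'name="/run/systemd/journal/stdout" pid=24452 comm="ntpd" requested_mask="wr" '
    'denied_mask="wr" fsuid=100 ouid=100',
    'Mar  6 15:53:12 zesty-test kernel: [  102.699647] audit: type=1400 '
    'audit(1488815592.268:35): apparmor="DENIED" operation="file_inherit" '
    'namespace="root//lxd-zesty_" profile="system_tor" '
    'name="/run/systemd/journal/stdout" pid=3520 comm="tor" requested_mask="wr" '
    'denied_mask="wr" fsuid=10 ouid=10',
    'Mar  6 15:53:12 zesty-test kernel: [  102.702418] audit: type=1400 '
    'audit(1488815592.272:37): apparmor="DENIED" operation="file_mmap" '
    'namespace="root//lxd-zesty_" profile="system_tor" name="/placeholder/lib.so" '
    'pid=3520 comm="tor" requested_mask="m" denied_mask="m" fsuid=10 ouid=10',
    'Feb 21 18:47:43 turagit01 sshd[3829]: fatal: Cannot bind any address.',
]

if __name__ == "__main__":
    for (profile, op, name), n in sorted(summarise(SAMPLE_LOG).items()):
        print("%3d  %-16s %-13s %s" % (n, profile, op, name))
    print("journald stdout denied for:", journald_stdout_profiles(SAMPLE_LOG))
```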

[Touch-packages] [Bug 1670408] Re: apparmor base abstraction needs backport of rev 3658 to fix several denies (tor, ntp, ...)

2018-02-21 Thread ChristianEhrhardt
- Tested 2.10.95-0ubuntu2.9 from PPA (working as expected)
- Added SRU Template
- Uploaded for consideration by the SRU team

** Description changed:

+ [Impact]
+ 
+  * The base abstraction in xenial  misses some ways programs can push 
+logs to journald
+ 
+  * Backport the fix form Artful to:
+1. get rid of the Denies making logs less readable
+2. get users to see the actual log entries will help to unbreak many 
+   other cases
+ 
+ [Test Case]
+ 
+  * Install one of the affected packages (in a xenial container is enough)
+  * For the case of ntp just install and then run
+systemctl restart ntp
+  * in Dmesg you'll see apparmor Denies like
+  apparmor="DENIED"
+  operation="file_inherit"
+  profile="/usr/sbin/ntpd" 
+  name="/run/systemd/journal/stdout"
+  * Each case is different, in this (ntp) case also some log entries are 
+missed due to the block
+  * After installing the fixed package there is no Deny anymore and 
+programs are able to correctly log.
+ 
+ [Regression Potential]
+ 
+  * The change is in ubuntu as-is since artful and we are only opening up, 
+but not limiting the access - so there should be nothing that is denied 
+after the update that was not before.
+Vice versa there could be changes due to things now working correctly, 
+but I'd not see that as a regression.
+ 
+ [Other Info]
+  
+  * affects many packages ntp, tor - I even heard examples of mysql.
+But the fix is in apparmor through base abstraction
+ 
+ ---
+ 
  Using tor 0.2.9.9-1ubuntu1 with Linux 4.10.0-9-generic on Zesty, tor
  fails to start after installing the tor package. "systemctl status
  tor@default" reports:
  
  Mar 06 16:04:00 zesty systemd[1]: tor@default.service: Main process exited, code=killed, status=11/SEGV
  Mar 06 16:04:00 zesty systemd[1]: Failed to start Anonymizing overlay network for TCP.
  Mar 06 16:04:00 zesty systemd[1]: tor@default.service: Unit entered failed state.
  Mar 06 16:04:00 zesty systemd[1]: tor@default.service: Failed with result 'signal'.
  
  There are two AppArmor denials in the kernel log:
  
  Mar  6 15:53:12 zesty-test kernel: [  102.699647] audit: type=1400
  audit(1488815592.268:35): apparmor="DENIED" operation="file_inherit"
  namespace="root//lxd-zesty_" profile="system_tor"
  name="/run/systemd/journal/stdout" pid=3520 comm="tor"
  requested_mask="wr" denied_mask="wr" fsuid=10 ouid=10
  
  Mar  6 15:53:12 zesty-test kernel: [  102.702418] audit: type=1400
  audit(1488815592.272:37): apparmor="DENIED" operation="file_mmap"
  namespace="root//lxd-zesty_" profile="system_tor"
  name="/usr/bin/tor" pid=3520 comm="tor" requested_mask="m"
  denied_mask="m" fsuid=10 ouid=10
  
  Workaround: add the following two lines to /etc/apparmor.d/system_tor:
  
  /usr/bin/tor m,
  /run/systemd/journal/stdout rw,
  
  I couldn't remember how to that that profile reloaded, so I rebooted,
  and after the reboot tor does start up successfully. "systemctl
  tor@default" reports it as running.
  
  I haven't checked to see if only one or other rule is actually required.
  
  Importance -> High since this bug makes the package unusable in its
  default configuration on Zesty. Since the AppArmor profile comes from
  Debian's 0.2.9.9-1, this should probably be fixed in Debian.

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1670408

Title:
  apparmor base abstraction needs backport of rev 3658 to fix several
  denies (tor, ntp, ...)

Status in apparmor package in Ubuntu:
  Fix Released
Status in ntp package in Ubuntu:
  Confirmed
Status in tor package in Ubuntu:
  Confirmed
Status in apparmor source package in Xenial:
  Triaged

Bug description:
  [Impact]

   * The base abstraction in xenial  misses some ways programs can push 
 logs to journald

   * Backport the fix from Artful to:
 1. get rid of the Denies making logs less readable
 2. get users to see the actual log entries will help to unbreak many 
other cases

  [Test Case]

   * Install one of the affected packages (in a xenial container is enough)
   * For the case of ntp just install and then run
 systemctl restart ntp
   * in Dmesg you'll see apparmor Denies like
   apparmor="DENIED"
   operation="file_inherit"
   profile="/usr/sbin/ntpd" 
   name="/run/systemd/journal/stdout"
   * Each case is different, in this (ntp) case also some log entries are 
 missed due to the block
   * After installing the fixed package there is no Deny anymore and 
 programs are able to correctly log.

  [Regression Potential]

   * The change is in ubuntu as-is since artful and we are only opening up, 
 but not limiting the access - so there should be nothing that is denied 
 after the update that was not before.
 Vice versa there could be changes due to things now working correctly, 
 but 
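
Turning denials like the ones in the test case into the profile line each one is asking for, as an added example (not code from this bug, the apparmor package or Ubuntu): the tor and libvirt audit lines are the ones quoted in this thread re-joined onto one line each, the ntpd line is constructed from the fields the test case names (pid, comm and masks added), and the candidate rules come out grouped by profile for review.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# key="quoted value" or key=bare, as the AppArmor audit backend writes them
_KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Canonical letter order for a rule, so an audit mask "wr" becomes "rw".
# Create ("c") and delete ("d") appear in audit masks, but a profile rule
# grants them through "w".
_MASK_ORDER = "rwalmkx"
_MASK_ALIAS = {"c": "w", "d": "w"}


@dataclass
class Denial:
    profile: str
    operation: str
    name: Optional[str] = None
    denied_mask: Optional[str] = None
    comm: Optional[str] = None
    pid: Optional[int] = None


def parse_audit_line(line: str) -> Optional[Denial]:
    """Parse one kernel/audit log line; None unless it is an AppArmor DENIED event."""
    if 'apparmor="DENIED"' not in line:
        return None
    fields: Dict[str, str] = {}
    for key, quoted, bare in _KV_RE.findall(line):
        fields[key] = quoted if quoted else bare
    if "profile" not in fields or "operation" not in fields:
        return None
    pid_text = fields.get("pid", "")
    return Denial(
        profile=fields["profile"],
        operation=fields["operation"],
        name=fields.get("name"),
        denied_mask=fields.get("denied_mask"),
        comm=fields.get("comm"),
        pid=int(pid_text) if pid_text.isdigit() else None,
    )


def parse_log(log_text: str) -> List[Denial]:
    """All DENIED events in a dmesg / kern.log excerpt, one event per line."""
    return [d for d in map(parse_audit_line, log_text.splitlines()) if d is not None]


def rule_mask(audit_mask: str) -> str:
    """Turn an audit mask ("wr", "m", "wc") into the permission letters of a rule."""
    letters = {_MASK_ALIAS.get(ch, ch) for ch in audit_mask}
    return "".join(ch for ch in _MASK_ORDER if ch in letters)


def suggest_rule(denial: Denial) -> str:
    """The profile line this denial is asking for: a starting point for review.

    Every rule added this way widens what the confined program may touch, so
    check the path is one it legitimately needs (the journald socket and the
    program's own binary in the tor report clearly are)."""
    if denial.operation == "change_profile":
        # Not a file access: the target profile is not loaded in the kernel
        # (info="label not found" in the libvirt report). Loading the profile,
        # e.g. `apparmor_parser -r <profile file>`, is the fix, not a new rule.
        return f"# profile {denial.name!r} not loaded; reload it with apparmor_parser -r"
    if denial.name and denial.denied_mask:
        return f"{denial.name} {rule_mask(denial.denied_mask)},"
    return f"# unhandled operation {denial.operation!r} in profile {denial.profile!r}"


def rules_by_profile(log_text: str) -> Dict[str, List[str]]:
    """Candidate rules grouped by profile, de-duplicated, in log order."""
    grouped: Dict[str, List[str]] = {}
    for denial in parse_log(log_text):
        rule = suggest_rule(denial)
        bucket = grouped.setdefault(denial.profile, [])
        if rule not in bucket:
            bucket.append(rule)
    return grouped


# Sample input: the systemd, tor and libvirt lines are quoted from this thread
# (re-joined onto one line each); the ntpd line is constructed from the fields
# named in the test case, with pid, comm and masks added.
SAMPLE_LOG = "\n".join([
    "Mar 06 16:04:00 zesty systemd[1]: tor@default.service: Main process exited, code=killed, status=11/SEGV",
    'Mar  6 15:53:12 zesty-test kernel: [  102.699647] audit: type=1400 audit(1488815592.268:35): apparmor="DENIED" operation="file_inherit" namespace="root//lxd-zesty_" profile="system_tor" name="/run/systemd/journal/stdout" pid=3520 comm="tor" requested_mask="wr" denied_mask="wr" fsuid=10 ouid=10',
    'Mar  6 15:53:12 zesty-test kernel: [  102.702418] audit: type=1400 audit(1488815592.272:37): apparmor="DENIED" operation="file_mmap" namespace="root//lxd-zesty_" profile="system_tor" name="/usr/bin/tor" pid=3520 comm="tor" requested_mask="m" denied_mask="m" fsuid=10 ouid=10',
    'audit: type=1400 audit(1488815600.000:40): apparmor="DENIED" operation="file_inherit" profile="/usr/sbin/ntpd" name="/run/systemd/journal/stdout" pid=4242 comm="ntpd" requested_mask="wr" denied_mask="wr" fsuid=0 ouid=0',
    'audit: type=1400 audit(1519028363.683:12417): apparmor="DENIED" operation="change_profile" info="label not found" error=-2 profile="/usr/sbin/libvirtd" name="libvirt-81b387d9-1dfc-4f55-8b98-0318f1f94442" pid=12949 comm="libvirtd"',
])
```

For the tor lines the output is exactly the two-line workaround from the report; the ntpd denial shows why the fix belongs in the shared base abstraction rather than in each profile.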

[Touch-packages] [Bug 1670408] Re: apparmor base abstraction needs backport of rev 3658 to fix several denies (tor, ntp, ...)

2018-02-20 Thread ChristianEhrhardt
Thanks Jamie, I'm now testing the fix from https://launchpad.net/~ci-train-ppa-service/+archive/ubuntu/3169 before pushing as SRU.


-- 
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp


[Touch-packages] [Bug 1670408] Re: apparmor base abstraction needs backport of rev 3658 to fix several denies (tor, ntp, ...)

2018-02-20 Thread ChristianEhrhardt
More or less a direct backport of Jamie's changes in Artful.
Only opening up rules slightly, so regression risk low.
But I clearly want a security Team ack/review before sponsoring it.

** Patch added: "Backport of 2.11.0-2ubuntu5 fix to Xenial to fix 1670408"
   
https://bugs.launchpad.net/ubuntu/+source/tor/+bug/1670408/+attachment/5058995/+files/xenial-base-journald-updates.debdiff



[Touch-packages] [Bug 1670408] Re: apparmor base abstraction needs backport of rev 3658 to fix several denies (tor, ntp, ...)

2018-02-20 Thread ChristianEhrhardt
This is already fixed as backport in other releases - here apparmor
2.11.0-2ubuntu5 in Artful

apparmor (2.11.0-2ubuntu5) artful; urgency=medium

  * debian/patches/base-journald-updates.patch: update base abstraction for
    additional journald sockets

 -- Jamie Strandboge   Thu, 27 Apr 2017 16:09:50 +

We can use that as it already has some adaption for backports done (like
var, run)



[Touch-packages] [Bug 1670408] Re: apparmor base abstraction needs backport of rev 3658 to fix several denies (tor, ntp, ...)

2018-02-20 Thread ChristianEhrhardt
@jdstrand - I subscribed you and would ask for your review of the
proposed debdiff.



[Touch-packages] [Bug 1719579] Re: [Ubuntu 18.04] [libvirt] virsh restore fails from state file saved in /var/tmp folder using virsh save

2018-02-19 Thread ChristianEhrhardt
Thanks for the full dmesg.
It seems to me that:
"unable to set AppArmor profile 'libvirt-81b387d9-1dfc-4f55-8b98-0318f1f94442'"
means there is an issue in loading the profile after your change.

That matches:
 audit: type=1400 audit(1519028363.683:12417): apparmor="DENIED" operation="change_profile" info="label not found" error=-2 profile="/usr/sbin/libvirtd" name="libvirt-81b387d9-1dfc-4f55-8b98-0318f1f94442" pid=12949 comm="libvirtd"

It is not getting to the actual restore, it is failing when spawning the
guest due to the changes in the apparmor profile.

I tried to check what you hit:
$ virsh save bionic-test --file /var/tmp/bionic-test.save --verbose
Guest is shut-off and I have
-rw--- 1 root root 527808329 Feb 19 12:34 /var/tmp/bionic-test.save
The restore hits the (silent) denial we discussed.
   #deny /tmp/{,**} r,
   #deny /var/tmp/{,**} r,
Changed the two lines above to a comment.
Then restored again, just worked:
$ virsh restore /var/tmp/bionic-test.save
Domain restored from /var/tmp/bionic-test.save

To quote jdstrand from bug 1403648:
"We should not allow access to /tmp and /var/tmp as that breaks application 
isolation."

That said we are in the following situation:
1. /tmp and /var/tmp are not allowed to be read (apparmor default for app 
isolation)
2. read denies there are silenced via explicit denies in 
/etc/apparmor.d/abstractions/libvirt-qemu
3. I see your point:
3.1 on save libvirt writes to that place (libvirt is allowed to do so, while 
qemu is not)
3.2 on restore qemu wants to read it and is denied.

And you wonder about the asymmetric behavior of 3.1 and 3.2.
I agree that it is somewhat unexpected, but wonder what would be better
1. We could also deny /var /tmp for the libvirt daemon (which intentionally has 
a rather lenient apparmor profile). Then already on the save people would be 
denied, maybe for a new release - but not as an SRU to not break people relying 
on that access working.
2. And on the new release we already have the --bypass-cache fixes you referred 
to to get the restore working there as a workaround - so the benefit of 
preventing libvirt to access there isn't too big either. So forbidding the 
access on "save" for libvirt there would make that useless.

I'm unsure how to continue. To better brain-storm with you on how to
proceed do you have a clear preferred solution (other than the already
included bypass-cache fixes) or is it just "not nice in general" that
the denial should be consistent for save/restore?


Separate to the discussion above:
To find how your modified apparmor profile breaks your guest start you could 
share it - as I mentioned it worked for me right away (no need to restart 
libvirt after changing btw, the one we change is loaded on guest load).

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1719579

Title:
  [Ubuntu 18.04] [libvirt] virsh restore fails from state file saved in
  /var/tmp folder using virsh save

Status in The Ubuntu-power-systems project:
  Fix Released
Status in apparmor package in Ubuntu:
  Invalid
Status in libvirt package in Ubuntu:
  Fix Released

Bug description:
  == Comment: #1 - SEETEENA THOUFEEK  - 2017-01-17 00:09:16 ==
  Bala, Please mail me the machine information.

  == Comment: #3 - SEETEENA THOUFEEK  - 2017-01-17 02:14:06 ==
  2017-01-16 12:09:37.707+: 7024: info : virSecurityDACRestoreFileLabelInternal:388 : Restoring DAC user and group on '/var/tmp/bala'
  2017-01-16 12:09:37.707+: 7024: info : virSecurityDACSetOwnershipInternal:290 : Setting DAC user and group on '/var/tmp/bala' to '0:0'
  2017-01-16 12:09:37.707+: 7024: warning : qemuDomainSaveImageStartVM:6750 : failed to restore save state label on /var/tmp/bala
  2017-01-16 12:09:37.707+: 7024: info : virObjectUnref:259 : OBJECT_UNREF: obj=0x3fff4ca62b00
  2017-01-16 12:09:37.707+: 7024: debug : qemuDomainObjEndAsyncJob:1848 : Stopping async job: start (vm=0x3fff4ca535c0 name=virt-tests-vm1-bala)
  2017-01-16 12:09:37.707+: 7024: info : virObjectRef:296 : OBJECT_REF: obj=0x3fff4ca62b00
  2017-01-16 12:09:37.707+: 7024: info : virObjectUnref:259 : OBJECT_UNREF: obj=0x3fff4ca62b00
  2017-01-16 12:09:37.707+: 7024: info : virObjectUnref:259 : OBJECT_UNREF: obj=0x3fff4ca535c0
  2017-01-16 12:09:37.707+: 7024: debug : virThreadJobClear:121 : Thread 7024 (virNetServerHandleJob) finished job remoteDispatchDomainRestore with ret=-1
  2017-01-16 12:09:37.707+: 7024: info : virObjectUnref:259 : OBJECT_UNREF: obj=0x3fff7c002c10
  2017-01-16 12:09:37.707+: 7024: debug : virNetServerProgramSendError:153 : prog=536903814 ver=1 proc=54 type=1 serial=4 msg=0x100133d2590 rerr=0x3fffa59be3c0
  2017-01-16 12:09:37.707+: 7024: debug : virNetMessageEncodePayload:376 : Encode 

[Touch-packages] [Bug 1748709] Re: Upgrade from xenial to bionic wants to replace moduli

2018-02-18 Thread ChristianEhrhardt
Thanks Seth for securities POV on this and essentially confirming what I
assumed.

That said, I think the bug is for now "incomplete" in the sense of breaking the 
initial report into two things:
A) I see this on upgrade on one machine, which is unexpected.
B) If this file is generated by each machine, why would we ship a default?

B - is solved - it is not generated and we want to ship a default as we
do right now.

A - is incomplete - as it is not clear yet why you have got the
"Modified (by you or by a script) since installation"

Note: I test upgraded xenial to bionic and got a no notification upgrade
from 0075fd4b72a421f909af9809d0dd3bdc to
fe5be9e1b2ad5c55132a3521ecaadcdd

So I repeat my question to @Mark:
1. I'd assume you had not changed your file - if you had modified it then all 
is correct.
   Had you modified it?
2. If you have not modified it there are two options:
2.1. someone/something tampered with your moduli
2.2 Or we have a bug somewhere in the generic upgrade paths misdetecting old 
content as unchanged.

If there still is a /etc/ssh/moduli.dpkg-old version of it what is the
checksum (Xenial was 0075fd4b72a421f909af9809d0dd3bdc)?


** Changed in: openssh (Ubuntu)
   Status: New => Incomplete

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to openssh in Ubuntu.
https://bugs.launchpad.net/bugs/1748709

Title:
  Upgrade from xenial to bionic wants to replace moduli

Status in openssh package in Ubuntu:
  Incomplete

Bug description:
  I see this on upgrade on one machine, which is unexpected. If this
  file is generated by each machine, why would we ship a default?

  Configuration file '/etc/ssh/moduli'
   ==> Modified (by you or by a script) since installation.
   ==> Package distributor has shipped an updated version.
 What would you like to do about it ?  Your options are:
  Y or I  : install the package maintainer's version
  N or O  : keep your currently-installed version
D : show the differences between the versions
Z : start a shell to examine the situation
   The default action is to keep your current version.
  *** moduli (Y/I/N/O/D/Z) [default=N] ?

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/1748709/+subscriptions



[Touch-packages] [Bug 1748709] Re: Upgrade from xenial to bionic wants to replace moduli

2018-02-16 Thread ChristianEhrhardt
Hi Mark,
the file is installed from the build, not generated on install.
Install is by debian/openssh-client.install

It also is considered a conffile for the sense of change tracking.
$ dpkg --status openssh-client
[...]
Conffiles:
 /etc/ssh/moduli 0075fd4b72a421f909af9809d0dd3bdc

A quick check showed that they are the same on all xenial systems I ever 
touched even across architectures.
oO let's hope this is not a comeback of the "same key on all systems" issue :-/

A check across distributions and releases showed me:
1. at least in a given Ubuntu release all systems have the same file
2. Debian is the same, e.g. buster/bionic match
3. all Fedora are the same, but different to Ubuntu/Debian
4. if removing the version tracking header on Fedora it is the same as 
Ubuntu/Debian

Hmm, either this is broken everywhere or this doesn't have to be that
unique.

The file is actually provided by upstream, that is the reason why the
only change found is on upgrading versions if e.g. upstream deprecated
some. E.g. after the Snowden leaks those with less than 2k were removed.

There are articles mentioning that it might be useful to regenerate that
like [1][2], but no hard requirement to do so it seems.

So it seems a hardening action, but not a hard requirement to be unique.
Note: a regen run takes quite a few cpu cycles and time - I measured the two 
steps to be:
- ssh-keygen -G took 8:57.55 with 534.61 seconds cpu load
- ssh-keygen -T I aborted this at 33% at 30:31.67 with 1816.35 seconds cpu load
Let's assume it is 1-2 hours, not even thinking about raspi's and such.
That is clearly too much for an instance instantiation, even too much for a 
default package install later on.

Furthermore I'd like to quote this from [3] which might be a good reason it is 
even less important these days than we thought at first.
"Regardless, the moduli file is only used when using the Diffie-Hellman Group 
Exchange method, which isn’t the default key exchange."

From man sshd_config in Bionic the current order seems:
curve25519-sha256,curve25519-sha...@libssh.org, 
ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1


So maybe (but only maybe) a ssh-extra-security package doing so as suggests or 
helper tool bundled to openssh that would do the update might be a nice 
security addition.
I'm adding the security Team to weight in on opinions:
- should it be unique per system?
- if so, preferred delivery mechanism
- might an individual generated moduli file decrease security compared to a 
"curated and reviewed" shared one? There are mentions of "Ssh-keygen’s 
primality tests are statistical tests and can lead to false positives." that 
make me think so.


@Mark - all that does not explain why you got the upgrade message though. I'd 
assume you had not changed your file - so it should have silently been upgraded 
to the new version IMHO.
Have you custom generated yours in the past?
If there still is a dpkg-old version of it what is the checksum (Xenial was 
0075fd4b72a421f909af9809d0dd3bdc)?


[1]: https://stribika.github.io/2015/01/04/secure-secure-shell.html
[2]: https://security.stackexchange.com/questions/79043/is-it-considered-worth-it-to-replace-opensshs-moduli-file
[3]: https://entropux.net/article/openssh-moduli


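How dpkg arrives at the moduli prompt discussed above, plus the group-size check that [1] recommends, as an added example that is not part of openssh, dpkg or this bug: parse_conffiles reads the Conffiles block quoted from `dpkg --status`, upgrade_action mirrors dpkg's conffile decision using the xenial and bionic md5s from the thread, and weak_moduli flags groups below 2048 bits. The dpkg status excerpt and the moduli lines are constructed samples (the modulus column holds placeholders, not real primes).

```python
import hashlib
from typing import Dict, List, Tuple


def parse_conffiles(status_text: str) -> Dict[str, str]:
    """Map path -> recorded md5 from the Conffiles: block of `dpkg --status`.

    Entries are indented by one space; a trailing word such as "obsolete"
    may follow the hash and is ignored."""
    conffiles: Dict[str, str] = {}
    in_block = False
    for line in status_text.splitlines():
        if line.startswith("Conffiles:"):
            in_block = True
            continue
        if in_block:
            if not line.startswith(" "):
                break                      # next field ends the block
            parts = line.split()
            if len(parts) >= 2:
                conffiles[parts[0]] = parts[1]
    return conffiles


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def upgrade_action(on_disk: bytes, old_shipped_md5: str, new_shipped_md5: str) -> str:
    """Mirror dpkg's decision for one conffile on upgrade.

    dpkg does not know who edited the file; it compares the md5 of the file
    on disk with the md5 it recorded when the old package was installed:
      install-new  : on disk == old shipped, the new file goes in silently
      keep-current : on disk already equals the new file, or the package did
                     not change the file, so there is nothing to ask
      prompt       : on disk differs from the old shipped file AND the new
                     package ships something different, which produces the
                     "Modified (by you or by a script) since installation" question
    """
    current = md5_hex(on_disk)
    if current == old_shipped_md5:
        return "install-new"
    if current == new_shipped_md5 or old_shipped_md5 == new_shipped_md5:
        return "keep-current"
    return "prompt"


def weak_moduli(moduli_text: str, min_bits: int = 2048) -> List[Tuple[int, int]]:
    """Return (line_number, bits) for every DH group smaller than min_bits.

    moduli(5) columns: time type tests trials size generator modulus. The
    size column is the modulus length in bits minus one (2047 for a
    2048-bit group), which is why one is added below."""
    weak: List[Tuple[int, int]] = []
    for lineno, line in enumerate(moduli_text.splitlines(), start=1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) != 7 or not fields[4].isdigit():
            continue                       # malformed line: skip, do not guess
        bits = int(fields[4]) + 1
        if bits < min_bits:
            weak.append((lineno, bits))
    return weak


def moduli_report(status_text: str, moduli_on_disk: bytes, new_shipped_md5: str) -> Dict[str, object]:
    """Both checks for /etc/ssh/moduli in one result."""
    recorded = parse_conffiles(status_text).get("/etc/ssh/moduli")
    action = ("not-a-conffile" if recorded is None
              else upgrade_action(moduli_on_disk, recorded, new_shipped_md5))
    return {
        "on_disk_md5": md5_hex(moduli_on_disk),
        "recorded_md5": recorded,
        "upgrade_action": action,
        "weak_groups": weak_moduli(moduli_on_disk.decode("ascii", "replace")),
    }


# Constructed `dpkg --status openssh-client` excerpt: the moduli md5 is the
# xenial value quoted in the thread; the ssh_config one is md5("") as a placeholder.
SAMPLE_STATUS = """Package: openssh-client
Status: install ok installed
Conffiles:
 /etc/ssh/moduli 0075fd4b72a421f909af9809d0dd3bdc
 /etc/ssh/ssh_config d41d8cd98f00b204e9800998ecf8427e
Description: secure shell (SSH) client
"""

# Constructed moduli file in moduli(5) layout; the modulus column holds
# placeholders, not real safe primes.
SAMPLE_MODULI = b"""# Time Type Tests Tries Size Generator Modulus
20170101000000 2 6 100 1023 2 DEADBEEF
20170101000000 2 6 100 2047 2 CAFEF00D
20170101000000 2 6 100 4095 5 FEEDFACE
"""

XENIAL_MODULI_MD5 = "0075fd4b72a421f909af9809d0dd3bdc"   # from the thread
BIONIC_MODULI_MD5 = "fe5be9e1b2ad5c55132a3521ecaadcdd"   # from the thread
```

Running md5_hex over the real /etc/ssh/moduli (or the .dpkg-old copy) and comparing it with the recorded value answers the question put to Mark above without waiting for the upgrade prompt.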

[Touch-packages] [Bug 1747619] Re: package samba-common 2:4.3.11+dfsg-0ubuntu0.16.04.12 failed to install/upgrade: subprocess installed post-installation script returned error exit status 10

2018-02-16 Thread ChristianEhrhardt
Sorry Sergio, this seems like some total apt breakage on your system and I fail 
to see how to resolve :-/
I'll add a bug task for apt and subscribe juliank for his expertise.

** Also affects: apt (Ubuntu)
   Importance: Undecided
   Status: New

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apt in Ubuntu.
https://bugs.launchpad.net/bugs/1747619

Title:
  package samba-common 2:4.3.11+dfsg-0ubuntu0.16.04.12 failed to
  install/upgrade: subprocess installed post-installation script
  returned error exit status 10

Status in apt package in Ubuntu:
  New
Status in samba package in Ubuntu:
  Incomplete

Bug description:
  installation of a new package impossible

  ProblemType: Package
  DistroRelease: Ubuntu 16.04
  Package: samba-common 2:4.3.11+dfsg-0ubuntu0.16.04.12
  ProcVersionSignature: Ubuntu 4.4.0-112.135-generic 4.4.98
  Uname: Linux 4.4.0-112-generic x86_64
  ApportVersion: 2.20.1-0ubuntu2.15
  Architecture: amd64
  Date: Tue Feb  6 10:22:06 2018
  DuplicateSignature:
   package:samba-common:2:4.3.11+dfsg-0ubuntu0.16.04.12
   Setting up grub-pc (2.02~beta2-36ubuntu3.16) ...
   dpkg: error processing package grub-pc (--configure):
subprocess installed post-installation script returned error exit status 10
  ErrorMessage: subprocess installed post-installation script returned error 
exit status 10
  InstallationDate: Installed on 2014-04-24 (1383 days ago)
  InstallationMedia: Ubuntu 14.04 LTS "Trusty Tahr" - Release amd64 (20140417)
  PackageArchitecture: all
  RelatedPackageVersions:
   nautilus 1:3.18.4.is.3.14.3-0ubuntu6
   gvfs 1.28.2-1ubuntu1~16.04.2
  SambaClientRegression: No
  SourcePackage: samba
  Title: package samba-common 2:4.3.11+dfsg-0ubuntu0.16.04.12 failed to 
install/upgrade: subprocess installed post-installation script returned error 
exit status 10
  UpgradeStatus: No upgrade log present (probably fresh install)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apt/+bug/1747619/+subscriptions



[Touch-packages] [Bug 1670408] Re: apparmor base abstraction needs backport of rev 3658 to fix several denies (tor, ntp, ...)

2018-02-14 Thread ChristianEhrhardt
** Changed in: apparmor (Ubuntu Xenial)
   Importance: Undecided => High

** Changed in: tor (Ubuntu)
   Status: Invalid => Confirmed

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1670408

Title:
  apparmor base abstraction needs backport of rev 3658 to fix several
  denies (tor, ntp, ...)

Status in apparmor package in Ubuntu:
  Fix Released
Status in ntp package in Ubuntu:
  Confirmed
Status in tor package in Ubuntu:
  Confirmed
Status in apparmor source package in Xenial:
  Triaged

Bug description:
  Using tor 0.2.9.9-1ubuntu1 with Linux 4.10.0-9-generic on Zesty, tor
  fails to start after installing the tor package. "systemctl status
  tor@default" reports:

  Mar 06 16:04:00 zesty systemd[1]: tor@default.service: Main process exited, 
code=killed, status=11/SEGV
  Mar 06 16:04:00 zesty systemd[1]: Failed to start Anonymizing overlay network 
for TCP.
  Mar 06 16:04:00 zesty systemd[1]: tor@default.service: Unit entered failed 
state.
  Mar 06 16:04:00 zesty systemd[1]: tor@default.service: Failed with result 
'signal'.

  There are two AppArmor denials in the kernel log:

  Mar  6 15:53:12 zesty-test kernel: [  102.699647] audit: type=1400
  audit(1488815592.268:35): apparmor="DENIED" operation="file_inherit"
  namespace="root//lxd-zesty_" profile="system_tor"
  name="/run/systemd/journal/stdout" pid=3520 comm="tor"
  requested_mask="wr" denied_mask="wr" fsuid=10 ouid=10

  Mar  6 15:53:12 zesty-test kernel: [  102.702418] audit: type=1400
  audit(1488815592.272:37): apparmor="DENIED" operation="file_mmap"
  namespace="root//lxd-zesty_" profile="system_tor"
  name="/usr/bin/tor" pid=3520 comm="tor" requested_mask="m"
  denied_mask="m" fsuid=10 ouid=10

  Workaround: add the following two lines to /etc/apparmor.d/system_tor:

  /usr/bin/tor m,
  /run/systemd/journal/stdout rw,

  I couldn't remember how to get that profile reloaded, so I rebooted,
  and after the reboot tor does start up successfully. "systemctl
  tor@default" reports it as running.

  I haven't checked to see if only one or other rule is actually
  required.

  Importance -> High since this bug makes the package unusable in its
  default configuration on Zesty. Since the AppArmor profile comes from
  Debian's 0.2.9.9-1, this should probably be fixed in Debian.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1670408/+subscriptions



[Touch-packages] [Bug 1749247] Re: Spurious SEGV running inside kvm

2018-02-14 Thread ChristianEhrhardt
Ok, this is just at the memcopy above.
I see in this trace that the AC_MEMCPY got mapped to __memmove_ssse3 of 
../sysdeps/x86_64/multiarch/memcpy-ssse3.S

Let's assume (for the sake of trying something until you have a simplified 
reproducer) that sse3 might be broken in KVM on your system.
I'd expect that the compile time detection switched to memmove and the runtime 
feature detection found sse3 and used that.
We could do two things to try here:
1. we could modify your guest to not expose sse3 and retest in there (-cpu 
qemu64/qemu32 will be without sse3 and without a lot of other special HW features 
- if you run with -cpu host you can do "-enable-kvm -cpu host,-sse3" to just 
kill this feature). How do you start your KVM guest (commandline, libvirt, 
other) - so we know how to help you modify it?
2. we could try to influence the build to not use memmove but memcpy or bcopy 
instead and check if that makes it work.

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to openldap in Ubuntu.
https://bugs.launchpad.net/bugs/1749247

Title:
  Spurious SEGV running inside kvm

Status in openldap package in Ubuntu:
  Confirmed
Status in qemu package in Ubuntu:
  Incomplete

Bug description:
  Running a continuous stream of operations against OpenLDAP slapd
  eventually causes a SEGV in liblber, in a segment of code that cannot
  fail:

   gdb /opt/symas/lib64/slapd CoreDump 
  GNU gdb (Ubuntu 7.11.1-0ubuntu1~16.5) 7.11.1
  Copyright (C) 2016 Free Software Foundation, Inc.
  License GPLv3+: GNU GPL version 3 or later 
  This is free software: you are free to change and redistribute it.
  There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
  and "show warranty" for details.
  This GDB was configured as "x86_64-linux-gnu".
  Type "show configuration" for configuration details.
  For bug reporting instructions, please see:
  .
  Find the GDB manual and other documentation resources online at:
  .
  For help, type "help".
  Type "apropos word" to search for commands related to "word"...
  Reading symbols from /opt/symas/lib64/slapd...done.
  [New LWP 5472]
  [New LWP 5468]
  [New LWP 5524]
  [New LWP 5471]
  [New LWP 5469]
  [New LWP 5507]
  [New LWP 5510]
  [New LWP 5470]
  [New LWP 5506]
  [Thread debugging using libthread_db enabled]
  Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
  Core was generated by `/opt/symas/lib64/slapd -u root -g root -h ldap:///'.
  Program terminated with signal SIGSEGV, Segmentation fault.
  #0  0x7f4e2c9f0160 in ber_dupbv_x (dst=0x196b268, src=0x7f25f8001070, 
ctx=0x0) at /home/build/git/sold-master/openldap/libraries/liblber/memory.c:513
  513 new->bv_val[src->bv_len] = '\0';
  [Current thread is 1 (Thread 0x7f260e242700 (LWP 5472))]
  (gdb) l 500
  495 if(( new = ber_memalloc_x( sizeof(struct berval), ctx 
)) == NULL ) {
  496 return NULL;
  497 }
  498 }
  499
  500 if ( src->bv_val == NULL ) {
  501 new->bv_val = NULL;
  502 new->bv_len = 0;
  503 return new;
  504 }
  (gdb) 
  505
  506 if(( new->bv_val = ber_memalloc_x( src->bv_len + 1, ctx )) == 
NULL ) {
  507 if ( !dst )
  508 ber_memfree_x( new, ctx );
  509 return NULL;
  510 }
  511
  512 AC_MEMCPY( new->bv_val, src->bv_val, src->bv_len );
  513 new->bv_val[src->bv_len] = '\0';
  514 new->bv_len = src->bv_len;
  (gdb) p *new
  $1 = {bv_len = 0, bv_val = 0x0}
  (gdb) p *src
  $2 = {bv_len = 36, bv_val = 0x7f268ccc7bee }
  (gdb) 

  
  At line 506 we allocate some memory and check for a failure (returning NULL) 
and leave the function at line 509 if there was a failure. The allocation is 
for 37 bytes of memory and a memcpy into that memory succeeds on line 512. The 
SEGV occurs at line 513 and the pointer that was just returned from the 
allocator is NULL at this point. There are no other active threads that could 
be stomping on memory, there's no stack overrun or any other misbehavior that 
can account for it. Also, the identical test sequence completes without 
incident when running on the host OS instead of under kvm.
  (The src->bv_val pointer points to valid data at the time of the crash; it's 
just residing in a mmap'd file and that mapping isn't preserved in the 
coredump. So ignore gdb's error there.)

  Something in kvm is writing zeroes over a field of memory after we
  already checked that it was non-zero.

  This is on 
  Linux anvil1 4.4.0-112-generic #135-Ubuntu SMP Fri Jan 19 11:48:36 UTC 2018 
x86_64 x86_64 x86_64 GNU/Linux

  Both the host and the guest VM are on identical 

[Touch-packages] [Bug 1741227] Re: apparmor denial to several paths to binaries

2018-02-14 Thread ChristianEhrhardt
Verification of Proposed:
[2020342.769272] audit: type=1400 audit(1518622578.674:4871): apparmor="DENIED" 
operation="open" namespace="root//lxd-artful-test_" 
profile="/usr/sbin/ntpd" name="/usr/local/sbin/" pid=16638 comm="ntpd" 
requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[2020342.769282] audit: type=1400 audit(1518622578.674:4872): apparmor="DENIED" 
operation="open" namespace="root//lxd-artful-test_" 
profile="/usr/sbin/ntpd" name="/usr/local/bin/" pid=16638 comm="ntpd" 
requested_mask="r" denied_mask="r" fsuid=0 ouid=0


After upgrade from proposed:
- 1:4.2.8p10+dfsg-5ubuntu3.2

The messages above are gone - so verified

** Tags removed: verification-needed verification-needed-artful
** Tags added: verification-done verification-done-artful

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to ntp in Ubuntu.
https://bugs.launchpad.net/bugs/1741227

Title:
  apparmor denial to several paths to binaries

Status in ntp package in Ubuntu:
  Fix Released
Status in ntp source package in Artful:
  Fix Committed

Bug description:
  [Impact]

   * Apparmor denies access to bin directories which the option parsing code 
 of ntp touches.

  [Test Case]

   1. get a container of target release
   2. install ntp
  apt install ntp
   3. watch dmesg on container-host
  dmesg -w
   4. restart ntp in container
  systemctl restart ntp
   => see (or no more after fix) apparmor denial:
   apparmor="DENIED" operation="open" profile="/usr/sbin/ntpd" 
name="/usr/local/sbin/" pid=23933 comm="ntpd" requested_mask="r" denied_mask="r"
   apparmor="DENIED" operation="open" profile="/usr/sbin/ntpd" 
name="/usr/local/bin/" pid=23933 comm="ntpd" requested_mask="r" denied_mask="r"

  [Regression Potential]

   * we are only slightly opening up the apparmor profile, but none of the
 changes poses a security risk so regression potential on its own
 should be close to zero.

   * we discussed if this would be a security risk but came to the 
 conclusion that r-only should be ok (the same content anyone can grab 
 from the archive by installing the packages)

  [Other Info]

   * n/a

  Issue shows up (non fatal) as:
   apparmor="DENIED" operation="open" profile="/usr/sbin/ntpd" 
name="/usr/local/sbin/" pid=23933 comm="ntpd" requested_mask="r" 
denied_mask="r" fsuid=0 ouid=0
   apparmor="DENIED" operation="open" profile="/usr/sbin/ntpd" 
name="/usr/local/bin/" pid=23933 comm="ntpd" requested_mask="r" denied_mask="r" 
fsuid=0 ouid=0

  Since non-crit, this is mostly about many of us being curious why it
  actually does do it :-)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ntp/+bug/1741227/+subscriptions



[Touch-packages] [Bug 1749389] Re: ntpdate lock apparmor deny

2018-02-14 Thread ChristianEhrhardt
Verification of proposed:
xenial/artful as is on restart:
[2020349.483870] audit: type=1400 audit(1518622585.386:4875): apparmor="DENIED" 
operation="file_inherit" 
namespace="root//lxd-xenial-test_" 
profile="/usr/sbin/ntpd" name="/run/lock/ntpdate" pid=16784 comm="ntpd" 
requested_mask="w" denied_mask="w" fsuid=0 ouid=0
[2020342.768379] audit: type=1400 audit(1518622578.674:4870): apparmor="DENIED" 
operation="file_inherit" 
namespace="root//lxd-artful-test_" 
profile="/usr/sbin/ntpd" name="/run/lock/ntpdate" pid=16638 comm="ntpd" 
requested_mask="w" denied_mask="w" fsuid=0 ouid=0

After upgrade from proposed:
- 1:4.2.8p4+dfsg-3ubuntu5.8
- 1:4.2.8p10+dfsg-5ubuntu3.2

The messages above are gone - so verified

** Tags removed: verification-needed verification-needed-artful 
verification-needed-xenial
** Tags added: verification-done verification-done-artful 
verification-done-xenial

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to ntp in Ubuntu.
https://bugs.launchpad.net/bugs/1749389

Title:
  ntpdate lock apparmor deny

Status in ntp package in Ubuntu:
  Fix Released
Status in ntp source package in Xenial:
  Fix Committed
Status in ntp source package in Artful:
  Fix Committed

Bug description:
  [Impact]

   * Apparmor denies access to the lock it shares with ntpdate to ensure no
     issues due to concurrent access

  [Test Case]

   1. get a container of target release
   2. install ntp
  apt install ntp
   3. watch dmesg on container-host
  dmesg -w
   4. restart ntp in container
  systemctl restart ntp
   => see (or no more after fix) apparmor denial:
  apparmor="DENIED" operation="file_inherit" profile="/usr/sbin/ntpd" 
name="/run/lock/ntpdate" pid=30113 comm="ntpd" requested_mask="w" 
denied_mask="w"
  Note: to not be misled, on xenial there is a remaining stdout apparmor 
  issue, which is bug 1670408

  [Regression Potential]

   * we are only slightly opening up the apparmor profile, but none of the
     changes poses a security risk so regression potential on its own
     should be close to zero.

   * There is a potential issue if the locking (that now can succeed) would
     e.g. no more be freed up or the action behind the locking would cause
     issues.

  [Other Info]

   * n/a

  On start/restart ntp has an apparmor error due to the locking it
  uses to avoid issues running concurrently with ntpdate.

  That looks like:
  apparmor="DENIED" operation="file_inherit" profile="/usr/sbin/ntpd" 
name="/run/lock/ntpdate" pid=30113 comm="ntpd" requested_mask="w" 
denied_mask="w"

  The rule we need is:
  /run/lock/ntpdate wk,

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ntp/+bug/1749389/+subscriptions

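The denial lines quoted in the ntp and tor reports above are the raw input that a maintainer turns into profile rules by hand. As an added example (not code from the ntp, tor or apparmor packages), the following Python helper parses such apparmor="DENIED" dmesg records, derives candidate rules per profile, and performs the "no denials after restart" check used in the SRU verification. The extra "k" for files under /run/lock/ is an assumption modelled on the "/run/lock/ntpdate wk," rule in the report; the after-fix log lines are constructed.

```python
"""Triage AppArmor DENIED audit records from dmesg and derive candidate rules."""
import re
from collections import defaultdict

# Constructed sample input: the denial lines quoted in the ntp and tor bug
# reports, in both dmesg layouts seen there (bare kernel timestamp and
# syslog-prefixed "kernel:" lines).
SAMPLE_DMESG = """\
[2020342.769272] audit: type=1400 audit(1518622578.674:4871): apparmor="DENIED" operation="open" namespace="root//lxd-artful-test_" profile="/usr/sbin/ntpd" name="/usr/local/sbin/" pid=16638 comm="ntpd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[2020342.769282] audit: type=1400 audit(1518622578.674:4872): apparmor="DENIED" operation="open" namespace="root//lxd-artful-test_" profile="/usr/sbin/ntpd" name="/usr/local/bin/" pid=16638 comm="ntpd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[2020349.483870] audit: type=1400 audit(1518622585.386:4875): apparmor="DENIED" operation="file_inherit" namespace="root//lxd-xenial-test_" profile="/usr/sbin/ntpd" name="/run/lock/ntpdate" pid=16784 comm="ntpd" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
Mar  6 15:53:12 zesty-test kernel: [  102.702418] audit: type=1400 audit(1488815592.272:37): apparmor="DENIED" operation="file_mmap" namespace="root//lxd-zesty_" profile="system_tor" name="/usr/bin/tor" pid=3520 comm="tor" requested_mask="m" denied_mask="m" fsuid=10 ouid=10
"""

# Constructed: the log after the fixed profile was loaded and ntp restarted.
# Only the profile_replace status record remains, no DENIED record.
AFTER_FIX_DMESG = """\
[2020400.000001] audit: type=1400 audit(1518622640.000:4880): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="/usr/sbin/ntpd" pid=17001 comm="apparmor_parser"
"""

# key=value pairs; values are either double-quoted or a bare token
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_audit_line(line):
    """Return the fields of one AppArmor audit record as a dict, or None if the
    line is not an AppArmor record at all (other kernel messages, dmesg noise)."""
    if "apparmor=" not in line:
        return None
    fields = {}
    for m in _KV.finditer(line):
        fields[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    return fields


# Assumption taken from the ntp report: a lock file opened for writing is then
# locked, and AppArmor mediates the lock as its own "k" permission, so the rule
# that actually fixes the denial is "/run/lock/ntpdate wk," although the audit
# record only shows denied_mask="w".
LOCK_DIRS = ("/run/lock/", "/var/lock/")
# Order in which permission letters are emitted (AppArmor accepts any order).
PERM_ORDER = "rwackdlmx"


def suggest_rule(fields):
    """Derive a candidate profile rule from one DENIED file-access record.
    Returns None for non-DENIED records and for records without a path
    (capability or signal denials are out of scope here)."""
    if fields.get("apparmor") != "DENIED" or "name" not in fields:
        return None
    perms = set(fields.get("denied_mask") or fields.get("requested_mask", ""))
    if not perms:
        return None
    path = fields["name"]
    if path.startswith(LOCK_DIRS) and "w" in perms:
        perms.add("k")
    ordered = "".join(sorted(
        perms,
        key=lambda c: PERM_ORDER.find(c) if c in PERM_ORDER else len(PERM_ORDER)))
    return f"{path} {ordered},"


def rules_by_profile(log_text):
    """Collect deduplicated candidate rules per profile, in log order: the
    summary a maintainer reviews before widening a profile."""
    rules = defaultdict(list)
    for line in log_text.splitlines():
        fields = parse_audit_line(line)
        rule = suggest_rule(fields) if fields else None
        if rule:
            profile = fields.get("profile", "?")
            if rule not in rules[profile]:
                rules[profile].append(rule)
    return dict(rules)


def denials_for(log_text, profile):
    """The verification step from the SRU template: after upgrading and
    restarting, the profile must produce no DENIED records. Returns the
    (operation, name, denied_mask) triples still present, ideally []."""
    found = []
    for line in log_text.splitlines():
        fields = parse_audit_line(line)
        if (fields and fields.get("apparmor") == "DENIED"
                and fields.get("profile") == profile):
            found.append((fields.get("operation"), fields.get("name"),
                          fields.get("denied_mask")))
    return found


if __name__ == "__main__":
    for profile, rules in rules_by_profile(SAMPLE_DMESG).items():
        print(f"# candidate rules for profile {profile}")
        for rule in rules:
            print("  " + rule)
    print("denials after fix:", denials_for(AFTER_FIX_DMESG, "/usr/sbin/ntpd"))
```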


[Touch-packages] [Bug 1741227] Re: apparmor denial to several paths to binaries

2018-02-14 Thread ChristianEhrhardt
Bionic - ok
SRU Template - ok
Debdiff for X/T checked - ok
Tested A upload from ppa - ok.
(This issue in particular doesn't apply to Xenial, so dropping this task)

** No longer affects: ntp (Ubuntu Xenial)

** Changed in: ntp (Ubuntu Artful)
   Status: Triaged => In Progress

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to ntp in Ubuntu.
https://bugs.launchpad.net/bugs/1741227

Title:
  apparmor denial to several paths to binaries

Status in ntp package in Ubuntu:
  Fix Released
Status in ntp source package in Artful:
  Fix Committed

Bug description:
  [Impact]

   * Apparmor denies access to bin directories which the option parsing code 
 of ntp touches.

  [Test Case]

   1. get a container of target release
   2. install ntp
  apt install ntp
   3. watch dmesg on container-host
  dmesg -w
   4. restart ntp in container
  systemctl restart ntp
   => see (or no more after fix) apparmor denial:
   apparmor="DENIED" operation="open" profile="/usr/sbin/ntpd" 
name="/usr/local/sbin/" pid=23933 comm="ntpd" requested_mask="r" denied_mask="r"
   apparmor="DENIED" operation="open" profile="/usr/sbin/ntpd" 
name="/usr/local/bin/" pid=23933 comm="ntpd" requested_mask="r" denied_mask="r"

  [Regression Potential]

   * we are only slightly opening up the apparmor profile, but none of the
 changes poses a security risk so regression potential on its own
 should be close to zero.

   * we discussed if this would be a security risk but came to the 
 conclusion that r-only should be ok (the same content anyone can grab 
 from the archive by installing the packages)

  [Other Info]

   * n/a

  Issue shows up (non fatal) as:
   apparmor="DENIED" operation="open" profile="/usr/sbin/ntpd" 
name="/usr/local/sbin/" pid=23933 comm="ntpd" requested_mask="r" 
denied_mask="r" fsuid=0 ouid=0
   apparmor="DENIED" operation="open" profile="/usr/sbin/ntpd" 
name="/usr/local/bin/" pid=23933 comm="ntpd" requested_mask="r" denied_mask="r" 
fsuid=0 ouid=0

  Since non-crit, this is mostly about many of us being curious why it
  actually does do it :-)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ntp/+bug/1741227/+subscriptions



[Touch-packages] [Bug 1670408] Re: Missing apparmor rules cause tor to fail to start

2018-02-14 Thread ChristianEhrhardt
** Changed in: ntp (Ubuntu)
   Importance: Undecided => High

** Summary changed:

- Missing apparmor rules cause tor to fail to start
+ apparmor base abstraction needs backport of rev 3658 to fix several denies 
(tor, ntp, ...)

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1670408

Title:
  apparmor base abstraction needs backport of rev 3658 to fix several
  denies (tor, ntp, ...)

Status in apparmor package in Ubuntu:
  Fix Released
Status in ntp package in Ubuntu:
  Confirmed
Status in tor package in Ubuntu:
  Invalid
Status in apparmor source package in Xenial:
  Triaged

Bug description:
  Using tor 0.2.9.9-1ubuntu1 with Linux 4.10.0-9-generic on Zesty, tor
  fails to start after installing the tor package. "systemctl status
  tor@default" reports:

  Mar 06 16:04:00 zesty systemd[1]: tor@default.service: Main process exited, 
code=killed, status=11/SEGV
  Mar 06 16:04:00 zesty systemd[1]: Failed to start Anonymizing overlay network 
for TCP.
  Mar 06 16:04:00 zesty systemd[1]: tor@default.service: Unit entered failed 
state.
  Mar 06 16:04:00 zesty systemd[1]: tor@default.service: Failed with result 
'signal'.

  There are two AppArmor denials in the kernel log:

  Mar  6 15:53:12 zesty-test kernel: [  102.699647] audit: type=1400
  audit(1488815592.268:35): apparmor="DENIED" operation="file_inherit"
  namespace="root//lxd-zesty_" profile="system_tor"
  name="/run/systemd/journal/stdout" pid=3520 comm="tor"
  requested_mask="wr" denied_mask="wr" fsuid=10 ouid=10

  Mar  6 15:53:12 zesty-test kernel: [  102.702418] audit: type=1400
  audit(1488815592.272:37): apparmor="DENIED" operation="file_mmap"
  namespace="root//lxd-zesty_" profile="system_tor"
  name="/usr/bin/tor" pid=3520 comm="tor" requested_mask="m"
  denied_mask="m" fsuid=10 ouid=10

  Workaround: add the following two lines to /etc/apparmor.d/system_tor:

  /usr/bin/tor m,
  /run/systemd/journal/stdout rw,

  I couldn't remember how to get that profile reloaded, so I rebooted,
  and after the reboot tor does start up successfully. "systemctl
  tor@default" reports it as running.

  I haven't checked to see if only one or other rule is actually
  required.

  Importance -> High since this bug makes the package unusable in its
  default configuration on Zesty. Since the AppArmor profile comes from
  Debian's 0.2.9.9-1, this should probably be fixed in Debian.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1670408/+subscriptions



[Touch-packages] [Bug 1741227] Re: apparmor denial to several paths to binaries

2018-02-14 Thread ChristianEhrhardt
fix in SRU queue (Artful) for review by the SRU Team

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to ntp in Ubuntu.
https://bugs.launchpad.net/bugs/1741227

Title:
  apparmor denial to several paths to binaries

Status in ntp package in Ubuntu:
  Fix Released
Status in ntp source package in Artful:
  Fix Committed

Bug description:
  [Impact]

   * Apparmor denies access to bin directories which the option parsing code 
 of ntp touches.

  [Test Case]

   1. get a container of target release
   2. install ntp
  apt install ntp
   3. watch dmesg on container-host
  dmesg -w
   4. restart ntp in container
  systemctl restart ntp
   => see (or no more after fix) apparmor denial:
   apparmor="DENIED" operation="open" profile="/usr/sbin/ntpd" 
name="/usr/local/sbin/" pid=23933 comm="ntpd" requested_mask="r" denied_mask="r"
   apparmor="DENIED" operation="open" profile="/usr/sbin/ntpd" 
name="/usr/local/bin/" pid=23933 comm="ntpd" requested_mask="r" denied_mask="r"

  [Regression Potential]

   * we are only slightly opening up the apparmor profile, but none of the
 changes poses a security risk so regression potential on its own
 should be close to zero.

   * we discussed if this would be a security risk but came to the 
 conclusion that r-only should be ok (the same content anyone can grab 
 from the archive by installing the packages)

  [Other Info]

   * n/a

  Issue shows up (non fatal) as:
   apparmor="DENIED" operation="open" profile="/usr/sbin/ntpd" 
name="/usr/local/sbin/" pid=23933 comm="ntpd" requested_mask="r" 
denied_mask="r" fsuid=0 ouid=0
   apparmor="DENIED" operation="open" profile="/usr/sbin/ntpd" 
name="/usr/local/bin/" pid=23933 comm="ntpd" requested_mask="r" denied_mask="r" 
fsuid=0 ouid=0

  Since non-crit, this is mostly about many of us being curious why it
  actually does do it :-)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ntp/+bug/1741227/+subscriptions



[Touch-packages] [Bug 1749389] Re: ntpdate lock apparmor deny

2018-02-14 Thread ChristianEhrhardt
fix in SRU queue (Artful/Xenial) for review by the SRU Team

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to ntp in Ubuntu.
https://bugs.launchpad.net/bugs/1749389

Title:
  ntpdate lock apparmor deny

Status in ntp package in Ubuntu:
  Fix Released
Status in ntp source package in Xenial:
  Fix Committed
Status in ntp source package in Artful:
  Fix Committed

Bug description:
  [Impact]

   * Apparmor denies access to the lock it shares with ntpdate to ensure no
     issues due to concurrent access

  [Test Case]

   1. get a container of target release
   2. install ntp
  apt install ntp
   3. watch dmesg on container-host
  dmesg -w
   4. restart ntp in container
  systemctl restart ntp
   => see (or no more after fix) apparmor denial:
  apparmor="DENIED" operation="file_inherit" profile="/usr/sbin/ntpd" 
name="/run/lock/ntpdate" pid=30113 comm="ntpd" requested_mask="w" 
denied_mask="w"
  Note: to not be misled, on xenial there is a remaining stdout apparmor 
  issue, which is bug 1670408

  [Regression Potential]

   * we are only slightly opening up the apparmor profile, but none of the
     changes poses a security risk so regression potential on its own
     should be close to zero.

   * There is a potential issue if the locking (that now can succeed) would
     e.g. no more be freed up or the action behind the locking would cause
     issues.

  [Other Info]

   * n/a

  On start/restart ntp has an apparmor error due to the locking it
  uses to avoid issues running concurrently with ntpdate.

  That looks like:
  apparmor="DENIED" operation="file_inherit" profile="/usr/sbin/ntpd" 
name="/run/lock/ntpdate" pid=30113 comm="ntpd" requested_mask="w" 
denied_mask="w"

  The rule we need is:
  /run/lock/ntpdate wk,

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ntp/+bug/1749389/+subscriptions



[Touch-packages] [Bug 1749389] Re: ntpdate lock apparmor deny

2018-02-14 Thread ChristianEhrhardt
Bionic - ok
SRU Template - ok
Debdiff for X/T checked - ok
Tested X/A upload from ppa - ok.

I identified another issue in the log as bug 1670408 which needs a fix in 
apparmor - not ntp.
That means this is ok to be uploaded (not gated by that finding).

** Description changed:

  [Impact]
  
-  * Apparmor denies access to lock it shares with ntpdate to ensure no 
-issues due to concurrent access
+  * Apparmor denies access to lock it shares with ntpdate to ensure no
+    issues due to concurrent access
  
  [Test Case]
  
-  1. get a container of target release
-  2. install ntp
- apt install ntp
-  3. watch dmesg on container-host
- dmesg -w 
-  4. restart ntp in container
- systemctl restart ntp
-  => see (or no more after fix) apparmor denie:
- apparmor="DENIED" operation="file_inherit" profile="/usr/sbin/ntpd" 
name="/run/lock/ntpdate" pid=30113 comm="ntpd" requested_mask="w" 
denied_mask="w"
+  1. get a container of target release
+  2. install ntp
+ apt install ntp
+  3. watch dmesg on container-host
+ dmesg -w
+  4. restart ntp in container
+ systemctl restart ntp
+  => see (or no more after fix) apparmor denie:
+ apparmor="DENIED" operation="file_inherit" profile="/usr/sbin/ntpd" 
name="/run/lock/ntpdate" pid=30113 comm="ntpd" requested_mask="w" 
denied_mask="w"
+ Note: to not be mislead, on xenial there is a remaining stdout appamor 
+ issue which is bug 1670408
  
  [Regression Potential]
  
-  * we are only slightly opening up the apparmor profile, but none of the 
-changes poses a security risk so regression potential on it's own 
-should be close to zero.
+  * we are only slightly opening up the apparmor profile, but none of the
+    changes poses a security risk so regression potential on it's own
+    should be close to zero.
  
-  * There is a potential issue if the locking (that now can succeed) would 
-e.g. no more be freed up or the action behind the locking would cause 
-issues.
+  * There is a potential issue if the locking (that now can succeed) would
+    e.g. no more be freed up or the action behind the locking would cause
+    issues.
  
  [Other Info]
-  
-  * n/a
  
+  * n/a
  
- On start/restart nto has an error in apparmor due to the locking it tries to 
avoid issues running concurrently with ntpdate.
+ On start/restart nto has an error in apparmor due to the locking it
+ tries to avoid issues running concurrently with ntpdate.
  
  That looks like:
  apparmor="DENIED" operation="file_inherit" profile="/usr/sbin/ntpd" 
name="/run/lock/ntpdate" pid=30113 comm="ntpd" requested_mask="w" 
denied_mask="w"
  
  The rule we need is:
  /run/lock/ntpdate wk,

** Changed in: ntp (Ubuntu Xenial)
   Status: Triaged => In Progress

** Changed in: ntp (Ubuntu Artful)
   Status: Triaged => In Progress

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to ntp in Ubuntu.
https://bugs.launchpad.net/bugs/1749389

Title:
  ntpdate lock apparmor deny

Status in ntp package in Ubuntu:
  Fix Released
Status in ntp source package in Xenial:
  Fix Committed
Status in ntp source package in Artful:
  Fix Committed

Bug description:
  [Impact]

   * Apparmor denies access to the lock it shares with ntpdate to ensure no
     issues due to concurrent access

  [Test Case]

   1. get a container of target release
   2. install ntp
  apt install ntp
   3. watch dmesg on container-host
  dmesg -w
   4. restart ntp in container
  systemctl restart ntp
   => see (or no more after fix) apparmor denial:
  apparmor="DENIED" operation="file_inherit" profile="/usr/sbin/ntpd" 
name="/run/lock/ntpdate" pid=30113 comm="ntpd" requested_mask="w" 
denied_mask="w"
  Note: to not be misled, on xenial there is a remaining stdout apparmor 
  issue, which is bug 1670408

  [Regression Potential]

   * we are only slightly opening up the apparmor profile, but none of the
     changes poses a security risk so regression potential on its own
     should be close to zero.

   * There is a potential issue if the locking (that now can succeed) would
     e.g. no more be freed up or the action behind the locking would cause
     issues.

  [Other Info]

   * n/a

  On start/restart ntp has an apparmor error due to the locking it
  uses to avoid issues running concurrently with ntpdate.

  That looks like:
  apparmor="DENIED" operation="file_inherit" profile="/usr/sbin/ntpd" 
name="/run/lock/ntpdate" pid=30113 comm="ntpd" requested_mask="w" 
denied_mask="w"

  The rule we need is:
  /run/lock/ntpdate wk,

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ntp/+bug/1749389/+subscriptions



[Touch-packages] [Bug 1670408] Re: Missing apparmor rules cause tor to fail to start

2018-02-14 Thread ChristianEhrhardt
Correctly added a bug task for ntp to also be affected.
Dropping Artful (EOL)

** Also affects: ntp (Ubuntu)
   Importance: Undecided
   Status: New

** No longer affects: apparmor (Ubuntu Yakkety)

** Changed in: apparmor (Ubuntu Xenial)
   Status: New => Triaged

** Changed in: ntp (Ubuntu)
   Status: New => Confirmed

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1670408

Title:
  apparmor base abstraction needs backport of rev 3658 to fix several
  denies (tor, ntp, ...)

Status in apparmor package in Ubuntu:
  Fix Released
Status in ntp package in Ubuntu:
  Confirmed
Status in tor package in Ubuntu:
  Invalid
Status in apparmor source package in Xenial:
  Triaged

Bug description:
  Using tor 0.2.9.9-1ubuntu1 with Linux 4.10.0-9-generic on Zesty, tor
  fails to start after installing the tor package. "systemctl status
  tor@default" reports:

  Mar 06 16:04:00 zesty systemd[1]: tor@default.service: Main process exited, 
code=killed, status=11/SEGV
  Mar 06 16:04:00 zesty systemd[1]: Failed to start Anonymizing overlay network 
for TCP.
  Mar 06 16:04:00 zesty systemd[1]: tor@default.service: Unit entered failed 
state.
  Mar 06 16:04:00 zesty systemd[1]: tor@default.service: Failed with result 
'signal'.

  There are two AppArmor denials in the kernel log:

  Mar  6 15:53:12 zesty-test kernel: [  102.699647] audit: type=1400
  audit(1488815592.268:35): apparmor="DENIED" operation="file_inherit"
  namespace="root//lxd-zesty_" profile="system_tor"
  name="/run/systemd/journal/stdout" pid=3520 comm="tor"
  requested_mask="wr" denied_mask="wr" fsuid=10 ouid=10

  Mar  6 15:53:12 zesty-test kernel: [  102.702418] audit: type=1400
  audit(1488815592.272:37): apparmor="DENIED" operation="file_mmap"
  namespace="root//lxd-zesty_" profile="system_tor"
  name="/usr/bin/tor" pid=3520 comm="tor" requested_mask="m"
  denied_mask="m" fsuid=10 ouid=10

  Workaround: add the following two lines to /etc/apparmor.d/system_tor:

  /usr/bin/tor m,
  /run/systemd/journal/stdout rw,

  I couldn't remember how to get that profile reloaded, so I rebooted,
  and after the reboot tor does start up successfully. "systemctl
  tor@default" reports it as running.

  I haven't checked to see if only one or other rule is actually
  required.

  Importance -> High since this bug makes the package unusable in its
  default configuration on Zesty. Since the AppArmor profile comes from
  Debian's 0.2.9.9-1, this should probably be fixed in Debian.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1670408/+subscriptions



[Touch-packages] [Bug 1749389] Re: ntpdate lock apparmor deny

2018-02-14 Thread ChristianEhrhardt
Missed the right format in changelog :-/, but this is fixed in Bionic by
https://launchpad.net/ubuntu/+source/ntp/1:4.2.8p10+dfsg-5ubuntu7

** Changed in: ntp (Ubuntu)
   Status: Triaged => Fix Released

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to ntp in Ubuntu.
https://bugs.launchpad.net/bugs/1749389

Title:
  ntpdate lock apparmor deny

Status in ntp package in Ubuntu:
  Fix Released
Status in ntp source package in Xenial:
  Triaged
Status in ntp source package in Artful:
  Triaged

Bug description:
  [Impact]

   * Apparmor denies access to the lock it shares with ntpdate to ensure no 
 issues due to concurrent access

  [Test Case]

   1. get a container of target release
   2. install ntp
  apt install ntp
   3. watch dmesg on container-host
  dmesg -w 
   4. restart ntp in container
  systemctl restart ntp
   => see (or no more after fix) apparmor denie:
  apparmor="DENIED" operation="file_inherit" profile="/usr/sbin/ntpd" 
name="/run/lock/ntpdate" pid=30113 comm="ntpd" requested_mask="w" 
denied_mask="w"

  [Regression Potential]

   * we are only slightly opening up the apparmor profile, but none of the 
 changes poses a security risk so regression potential on it's own 
 should be close to zero.

   * There is a potential issue if the locking (that now can succeed) would 
 e.g. no more be freed up or the action behind the locking would cause 
 issues.

  [Other Info]
   
   * n/a

  
  On start/restart nto has an error in apparmor due to the locking it tries to 
avoid issues running concurrently with ntpdate.

  That looks like:
  apparmor="DENIED" operation="file_inherit" profile="/usr/sbin/ntpd" 
name="/run/lock/ntpdate" pid=30113 comm="ntpd" requested_mask="w" 
denied_mask="w"

  The rule we need is:
  /run/lock/ntpdate wk,



[Touch-packages] [Bug 1749389] Re: ntpdate lock apparmor deny

2018-02-14 Thread ChristianEhrhardt
auto profile replace on upgrade - ok
restart without apparmor issues - ok

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to ntp in Ubuntu.
https://bugs.launchpad.net/bugs/1749389

Title:
  ntpdate lock apparmor deny

Status in ntp package in Ubuntu:
  Triaged
Status in ntp source package in Xenial:
  Triaged
Status in ntp source package in Artful:
  Triaged



[Touch-packages] [Bug 1749247] Re: Spurious SEGV running inside kvm

2018-02-14 Thread ChristianEhrhardt
Eventually, as you already found, the question is: how did bv_val get 0x0?

If the test can't be passed to me, but is reproducible, could you try to step 
live from line 506.
1. is new->bv_val really assigned some pointer (and which one)
2. when does that pointer get lost between 506 and 513

Also the memcopy seems to work (no crash on that line).
If you can modify and retest you could take a look to check if AC_MEMCPY in 
your case actually is memmove, bcopy or memcpy - maybe even iterate between 
those to be sure.

All of the copies return a pointer to dest which should still be what
was assigned to new->bv_val, so is it still the same or did it return
something else?

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to openldap in Ubuntu.
https://bugs.launchpad.net/bugs/1749247

Title:
  Spurious SEGV running inside kvm

Status in openldap package in Ubuntu:
  Confirmed
Status in qemu package in Ubuntu:
  Incomplete

Bug description:
  Running a continuous stream of operations against OpenLDAP slapd
  eventually causes a SEGV in liblber, in a segment of code that cannot
  fail:

   gdb /opt/symas/lib64/slapd CoreDump 
  GNU gdb (Ubuntu 7.11.1-0ubuntu1~16.5) 7.11.1
  Copyright (C) 2016 Free Software Foundation, Inc.
  License GPLv3+: GNU GPL version 3 or later 
  This is free software: you are free to change and redistribute it.
  There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
  and "show warranty" for details.
  This GDB was configured as "x86_64-linux-gnu".
  Type "show configuration" for configuration details.
  For bug reporting instructions, please see:
  .
  Find the GDB manual and other documentation resources online at:
  .
  For help, type "help".
  Type "apropos word" to search for commands related to "word"...
  Reading symbols from /opt/symas/lib64/slapd...done.
  [New LWP 5472]
  [New LWP 5468]
  [New LWP 5524]
  [New LWP 5471]
  [New LWP 5469]
  [New LWP 5507]
  [New LWP 5510]
  [New LWP 5470]
  [New LWP 5506]
  [Thread debugging using libthread_db enabled]
  Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
  Core was generated by `/opt/symas/lib64/slapd -u root -g root -h ldap:///'.
  Program terminated with signal SIGSEGV, Segmentation fault.
  #0  0x7f4e2c9f0160 in ber_dupbv_x (dst=0x196b268, src=0x7f25f8001070, 
ctx=0x0) at /home/build/git/sold-master/openldap/libraries/liblber/memory.c:513
  513 new->bv_val[src->bv_len] = '\0';
  [Current thread is 1 (Thread 0x7f260e242700 (LWP 5472))]
  (gdb) l 500
  495 if(( new = ber_memalloc_x( sizeof(struct berval), ctx 
)) == NULL ) {
  496 return NULL;
  497 }
  498 }
  499
  500 if ( src->bv_val == NULL ) {
  501 new->bv_val = NULL;
  502 new->bv_len = 0;
  503 return new;
  504 }
  (gdb) 
  505
  506 if(( new->bv_val = ber_memalloc_x( src->bv_len + 1, ctx )) == 
NULL ) {
  507 if ( !dst )
  508 ber_memfree_x( new, ctx );
  509 return NULL;
  510 }
  511
  512 AC_MEMCPY( new->bv_val, src->bv_val, src->bv_len );
  513 new->bv_val[src->bv_len] = '\0';
  514 new->bv_len = src->bv_len;
  (gdb) p *new
  $1 = {bv_len = 0, bv_val = 0x0}
  (gdb) p *src
  $2 = {bv_len = 36, bv_val = 0x7f268ccc7bee }
  (gdb) 

  
  At line 506 we allocate some memory and check for a failure (returning NULL) 
and leave the function at line 509 if there was a failure. The allocation is 
for 37 bytes of memory and a memcpy into that memory succeeds on line 512. The 
SEGV occurs at line 513 and the pointer that was just returned from the 
allocator is NULL at this point. There are no other active threads that could 
be stomping on memory, there's no stack overrun or any other misbehavior that 
can account for it. Also, the identical test sequence completes without 
incident when running on the host OS instead of under kvm.
  (The src->bv_val pointer points to valid data at the time of the crash; it's 
just residing in a mmap'd file and that mapping isn't preserved in the 
coredump. So ignore gdb's error there.)

  Something in kvm is writing zeroes over a field of memory after we
  already checked that it was non-zero.

  This is on 
  Linux anvil1 4.4.0-112-generic #135-Ubuntu SMP Fri Jan 19 11:48:36 UTC 2018 
x86_64 x86_64 x86_64 GNU/Linux

  Both the host and the guest VM are on identical OS revision.

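The reply above suggests two checks to localize the corruption: whether new->bv_val still holds what the allocator returned once the copy is done, and whether the copy routine returned that same destination pointer. Those checks can be kept permanently as an invariant, so that a clobbered field is reported and the allocation freed instead of being dereferenced at the equivalent of memory.c line 513. The block below is an added example written for this page, not OpenLDAP's ber_dupbv_x; the struct mirrors the two berval fields seen in the gdb output, and the status codes, the inject_clobber switch (which only emulates the observed zeroing) and the sample strings are constructed for the demo.

```c
/* Added example, not OpenLDAP code: a checked variant of the berval copy
 * in the gdb listing above. The allocator's return value is kept in a
 * local, and the struct field is re-checked after the copy. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Mirrors the two fields of liblber's struct berval. */
struct berval {
    size_t bv_len;
    char  *bv_val;
};

enum dup_status {
    DUP_OK       =  0,
    DUP_EINVAL   = -1,  /* NULL argument */
    DUP_ENOMEM   = -2,  /* allocator failed */
    DUP_ECLOBBER = -3   /* bv_val changed underneath us */
};

/* Constructed fault-injection switch (not a real code path): when nonzero
 * the field is zeroed right after the copy, emulating the core dump. */
int inject_clobber = 0;

enum dup_status dup_berval_checked(struct berval *dst, const struct berval *src)
{
    char *val;   /* our own record of what the allocator returned */
    void *ret;

    if (dst == NULL || src == NULL)
        return DUP_EINVAL;

    /* Same special case as memory.c lines 500-504. */
    if (src->bv_val == NULL) {
        dst->bv_val = NULL;
        dst->bv_len = 0;
        return DUP_OK;
    }

    val = malloc(src->bv_len + 1);                       /* line 506 */
    if (val == NULL)
        return DUP_ENOMEM;
    dst->bv_val = val;

    ret = memcpy(dst->bv_val, src->bv_val, src->bv_len); /* line 512 */

    if (inject_clobber)                 /* constructed fault, see above */
        dst->bv_val = NULL;

    /* memcpy returns its destination, and the field must still hold the
     * pointer we stored; a mismatch means something wrote over the struct
     * (or the copy went elsewhere) between lines 506 and 513. */
    if (ret != (void *)val || dst->bv_val != val) {
        fprintf(stderr, "bv_val clobbered: stored %p, field now %p, memcpy returned %p\n",
                (void *)val, (void *)dst->bv_val, ret);
        free(val);
        dst->bv_val = NULL;
        dst->bv_len = 0;
        return DUP_ECLOBBER;
    }

    val[src->bv_len] = '\0';            /* line 513, via the local copy */
    dst->bv_len = src->bv_len;
    return DUP_OK;
}

/* Demo 1: an ordinary copy; returns 1 when the duplicate is exact. */
int demo_normal_copy(void)
{
    const char *text = "cn=example,dc=test";   /* constructed sample value */
    struct berval src = { strlen(text), (char *)text };
    struct berval dst = { 0, NULL };
    int ok;

    if (dup_berval_checked(&dst, &src) != DUP_OK)
        return 0;
    ok = dst.bv_len == src.bv_len
         && dst.bv_val != src.bv_val
         && memcmp(dst.bv_val, src.bv_val, src.bv_len) == 0
         && dst.bv_val[dst.bv_len] == '\0';
    free(dst.bv_val);
    return ok;
}

/* Demo 2: with the constructed clobber enabled, the function must report
 * DUP_ECLOBBER and leave dst empty rather than crash. */
int demo_clobber_detected(void)
{
    const char *text = "uid=someone";           /* constructed sample value */
    struct berval src = { strlen(text), (char *)text };
    struct berval dst = { 0, NULL };
    int rc;

    inject_clobber = 1;
    rc = (int)dup_berval_checked(&dst, &src);
    inject_clobber = 0;
    if (dst.bv_val != NULL || dst.bv_len != 0)
        return -99;  /* dst must be left empty after a detected clobber */
    return rc;
}

int main(void)
{
    printf("normal copy ok: %d\n", demo_normal_copy());
    printf("clobber detected: %d (expect %d)\n", demo_clobber_detected(), DUP_ECLOBBER);
    return 0;
}
```

Keeping the allocator's result in a local means the NUL-termination and the length assignment never depend on re-reading the struct field, so if the field really is being zeroed by something outside the function, the failure is turned into a logged status code that narrows the window to "between line 506 and line 513", which is exactly what the reply asks the reporter to establish.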

[Touch-packages] [Bug 1749247] Re: Spurious SEGV running inside kvm

2018-02-14 Thread ChristianEhrhardt
How reproducible is this - every time or just once in a number of retry loops?
Could you share the minimal simplified setup+loop code to retrigger this over 
here?


** Changed in: qemu (Ubuntu)
   Status: New => Incomplete

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to openldap in Ubuntu.
https://bugs.launchpad.net/bugs/1749247

Title:
  Spurious SEGV running inside kvm

Status in openldap package in Ubuntu:
  Confirmed
Status in qemu package in Ubuntu:
  Incomplete



[Touch-packages] [Bug 1749247] Re: Spurious SEGV running inside kvm

2018-02-14 Thread ChristianEhrhardt
Setting qemu(Ubuntu) which is the right package for the question of "the
identical test sequence completes without incident when running on the
host OS instead of under kvm".

Although that could just be timing and doesn't "have to be" a kvm memory
clobbering.

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to openldap in Ubuntu.
https://bugs.launchpad.net/bugs/1749247

Title:
  Spurious SEGV running inside kvm

Status in openldap package in Ubuntu:
  Confirmed
Status in qemu package in Ubuntu:
  Incomplete



[Touch-packages] [Bug 1749247] Re: Spurious SEGV running inside kvm

2018-02-14 Thread ChristianEhrhardt
slapd is part of the openldap package - assigning this makes more sense
I think.

** Package changed: kvm (Ubuntu) => openldap (Ubuntu)

** Also affects: qemu (Ubuntu)
   Importance: Undecided
   Status: New

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to openldap in Ubuntu.
https://bugs.launchpad.net/bugs/1749247

Title:
  Spurious SEGV running inside kvm

Status in openldap package in Ubuntu:
  Confirmed
Status in qemu package in Ubuntu:
  Incomplete



[Touch-packages] [Bug 1749389] Re: ntpdate lock apparmor deny

2018-02-14 Thread ChristianEhrhardt
Fix is trivial, but you never know - testing the bionic change in
https://launchpad.net/~ci-train-ppa-service/+archive/ubuntu/3144

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to ntp in Ubuntu.
https://bugs.launchpad.net/bugs/1749389

Title:
  ntpdate lock apparmor deny

Status in ntp package in Ubuntu:
  Triaged
Status in ntp source package in Xenial:
  Triaged
Status in ntp source package in Artful:
  Triaged



[Touch-packages] [Bug 1749389] Re: ntpdate lock apparmor deny

2018-02-14 Thread ChristianEhrhardt
Note: When we open up a SRU for ntp apparmor we should include the minor
(but on its own not SRU-worthy) fix of bug 1741227

** Description changed:

- On start/restart nto has an error in apparmor due to the locking it
- tries to avoid issues running concurrently with ntpdate.
+ [Impact]
+ 
+  * Apparmor denies access to lock it shares with ntpdate to ensure no 
+issues due to concurrent access
+ 
+ [Test Case]
+ 
+  1. get a container of target release
+  2. install ntp
+ apt install ntp
+  3. watch dmesg on container-host
+ dmesg -w 
+  4. restart ntp in container
+ systemctl restart ntp
+  => see (or no more after fix) apparmor denie:
+ apparmor="DENIED" operation="file_inherit" profile="/usr/sbin/ntpd" 
name="/run/lock/ntpdate" pid=30113 comm="ntpd" requested_mask="w" 
denied_mask="w"
+ 
+ [Regression Potential]
+ 
+  * we are only slightly opening up the apparmor profile, but none of the 
+changes poses a security risk so regression potential on it's own 
+should be close to zero.
+ 
+  * There is a potential issue if the locking (that now can succeed) would 
+e.g. no more be freed up or the action behind the locking would cause 
+issues.
+ 
+ [Other Info]
+  
+  * n/a
+ 
+ 
+ On start/restart nto has an error in apparmor due to the locking it tries to 
avoid issues running concurrently with ntpdate.
  
  That looks like:
  apparmor="DENIED" operation="file_inherit" profile="/usr/sbin/ntpd" 
name="/run/lock/ntpdate" pid=30113 comm="ntpd" requested_mask="w" 
denied_mask="w"
  
  The rule we need is:
  /run/lock/ntpdate wk,

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to ntp in Ubuntu.
https://bugs.launchpad.net/bugs/1749389

Title:
  ntpdate lock apparmor deny

Status in ntp package in Ubuntu:
  Triaged
Status in ntp source package in Xenial:
  Triaged
Status in ntp source package in Artful:
  Triaged



[Touch-packages] [Bug 1741227] Re: apparmor denial to several paths to binaries

2018-02-14 Thread ChristianEhrhardt
** Description changed:

+ [Impact]
+ 
+  * Apparmor denies access to bin directories which the option parsing code 
+of ntp touches.
+ 
+ [Test Case]
+ 
+  1. get a container of target release
+  2. install ntp
+ apt install ntp
+  3. watch dmesg on container-host
+ dmesg -w
+  4. restart ntp in container
+ systemctl restart ntp
+  => see (or no more after fix) apparmor denie:
+  apparmor="DENIED" operation="open" profile="/usr/sbin/ntpd" 
name="/usr/local/sbin/" pid=23933 comm="ntpd" requested_mask="r" denied_mask="r"
+  apparmor="DENIED" operation="open" profile="/usr/sbin/ntpd" 
name="/usr/local/bin/" pid=23933 comm="ntpd" requested_mask="r" denied_mask="r"
+ 
+ [Regression Potential]
+ 
+  * we are only slightly opening up the apparmor profile, but none of the
+changes poses a security risk so regression potential on it's own
+should be close to zero.
+ 
+  * we discussed if this would be a security risk but came to the 
+conclusion that r-only should be ok (the same content anyone can grab 
+from the archive by installing the packages)
+ 
+ [Other Info]
+ 
+  * n/a
+ 
  Issue shows up (non fatal) as:
-  apparmor="DENIED" operation="open" profile="/usr/sbin/ntpd" 
name="/usr/local/sbin/" pid=23933 comm="ntpd" requested_mask="r" 
denied_mask="r" fsuid=0 ouid=0
-  apparmor="DENIED" operation="open" profile="/usr/sbin/ntpd" 
name="/usr/local/bin/" pid=23933 comm="ntpd" requested_mask="r" denied_mask="r" 
fsuid=0 ouid=0
+  apparmor="DENIED" operation="open" profile="/usr/sbin/ntpd" 
name="/usr/local/sbin/" pid=23933 comm="ntpd" requested_mask="r" 
denied_mask="r" fsuid=0 ouid=0
+  apparmor="DENIED" operation="open" profile="/usr/sbin/ntpd" 
name="/usr/local/bin/" pid=23933 comm="ntpd" requested_mask="r" denied_mask="r" 
fsuid=0 ouid=0
  
  Since non crit this is mostyl about many of us being curious why it
  actually does do it :-)

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to ntp in Ubuntu.
https://bugs.launchpad.net/bugs/1741227

Title:
  apparmor denial to several paths to binaries

Status in ntp package in Ubuntu:
  Fix Released
Status in ntp source package in Xenial:
  Triaged
Status in ntp source package in Artful:
  Triaged

Bug description:
  [Impact]

   * AppArmor denies access to bin directories which the option parsing code
     of ntp touches.

  [Test Case]

   1. get a container of the target release
   2. install ntp
      apt install ntp
   3. watch dmesg on the container host
      dmesg -w
   4. restart ntp in the container
      systemctl restart ntp
   => see (or no more after the fix) the apparmor denials:
   apparmor="DENIED" operation="open" profile="/usr/sbin/ntpd" name="/usr/local/sbin/" pid=23933 comm="ntpd" requested_mask="r" denied_mask="r"
   apparmor="DENIED" operation="open" profile="/usr/sbin/ntpd" name="/usr/local/bin/" pid=23933 comm="ntpd" requested_mask="r" denied_mask="r"

  [Regression Potential]

   * we are only slightly opening up the apparmor profile, but none of the
     changes pose a security risk, so regression potential on its own
     should be close to zero.

   * we discussed if this would be a security risk but came to the
     conclusion that r-only should be ok (the same content anyone can grab
     from the archive by installing the packages)

  [Other Info]

   * n/a

  Issue shows up (non-fatal) as:
   apparmor="DENIED" operation="open" profile="/usr/sbin/ntpd" name="/usr/local/sbin/" pid=23933 comm="ntpd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
   apparmor="DENIED" operation="open" profile="/usr/sbin/ntpd" name="/usr/local/bin/" pid=23933 comm="ntpd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0

  Since this is non-critical, it is mostly about many of us being curious why it
  actually does do it :-)

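The test cases in bugs 1749389 and 1741227 above (and the tor denial quoted earlier in this digest) all follow the same loop: restart the confined service, read the apparmor="DENIED" lines from dmesg on the host, and translate path plus denied mask into a profile rule. Below is an added example of that triage step written for this page; it is not code from the ntp, tor or apparmor packages (AppArmor ships aa-logprof for the real thing). All sample lines are constructed to mirror the denials quoted above, with kernel timestamps dropped; the operation="file_mmap" on the tor line is an assumption, since only the tail of that line appears on this page. One caveat the reports themselves illustrate: the logged mask can understate what the fix needs (the ntpdate lock was denied with "w" but the rule added is "wk,"), so treat the output as candidates to review, never as rules to append unread.

```python
"""Triage AppArmor DENIED lines into candidate profile rules.

Added example for this page; not code from the ntp, tor or apparmor
packages. The log lines below are constructed to mirror the denials quoted
in the bug reports above (kernel timestamp prefixes dropped).
"""
import re

# Matches key="quoted value" or key=bare_value tokens on an audit/dmesg line.
_TOKEN = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Order in which file permission letters are emitted in a rule. Only plain
# file modes are mapped; exec modes (x) need an ix/px/ux qualifier and a
# human decision, so they are deliberately left out of the suggestion.
_MASK_ORDER = "rwalkm"

# Constructed sample input: the denials from bugs 1749389 / 1741227, the tor
# mmap denial (operation name assumed), and one STATUS line to be ignored.
SAMPLE_LOG = """\
audit: type=1400 apparmor="DENIED" operation="file_inherit" profile="/usr/sbin/ntpd" name="/run/lock/ntpdate" pid=30113 comm="ntpd" requested_mask="w" denied_mask="w"
audit: type=1400 apparmor="DENIED" operation="open" profile="/usr/sbin/ntpd" name="/usr/local/sbin/" pid=23933 comm="ntpd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
audit: type=1400 apparmor="DENIED" operation="open" profile="/usr/sbin/ntpd" name="/usr/local/bin/" pid=23933 comm="ntpd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
audit: type=1400 apparmor="DENIED" operation="file_mmap" profile="system_tor" name="/usr/bin/tor" pid=3520 comm="tor" requested_mask="m" denied_mask="m" fsuid=10 ouid=10
audit: type=1400 apparmor="STATUS" operation="profile_replace" profile="unconfined" name="/usr/sbin/ntpd" pid=100 comm="apparmor_parser"
"""


def parse_denial(line):
    """Return the key/value fields of a file DENIED line, else None."""
    fields = {}
    for m in _TOKEN.finditer(line):
        fields[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    if fields.get("apparmor") != "DENIED":
        return None
    # Network, signal or dbus denials carry no file name; skip those here.
    if "profile" not in fields or "name" not in fields:
        return None
    return fields


def canonical_mask(letters):
    """Collapse a set of mask letters into AppArmor's usual ordering."""
    wanted = set(letters) & set(_MASK_ORDER)
    return "".join(c for c in _MASK_ORDER if c in wanted)


def suggest_rules(lines):
    """Map profile name -> sorted list of candidate 'path mode,' rules.

    Denials for the same path are merged, so a read and a later write on
    one file become a single 'rw,' rule instead of two.
    """
    wanted = {}
    for line in lines:
        d = parse_denial(line)
        if d is None:
            continue
        mask = d.get("denied_mask") or d.get("requested_mask") or ""
        wanted.setdefault(d["profile"], {}).setdefault(d["name"], set()).update(mask)
    rules = {}
    for profile, paths in wanted.items():
        rules[profile] = [
            f"{path} {canonical_mask(mask)},"
            for path, mask in sorted(paths.items())
            if canonical_mask(mask)
        ]
    return rules


if __name__ == "__main__":
    for profile, rules in suggest_rules(SAMPLE_LOG.splitlines()).items():
        print(f"# candidate rules for profile {profile}")
        for rule in rules:
            print("  " + rule)
```

Run on the sample, the ntpd profile yields `/run/lock/ntpdate w,` plus read rules for the two /usr/local directories, and system_tor yields `/usr/bin/tor m,`; the STATUS line is dropped. The lock rule is the one to hand-edit to `wk,` as the report does, and a directory read rule is worth a second look before it is widened to a glob.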


[Touch-packages] [Bug 1749389] [NEW] ntpdate lock apparmor deny

2018-02-14 Thread ChristianEhrhardt
Public bug reported:

[Impact]

 * Apparmor denies access to lock it shares with ntpdate to ensure no 
   issues due to concurrent access

[Test Case]

 1. get a container of target release
 2. install ntp
apt install ntp
 3. watch dmesg on container-host
dmesg -w 
 4. restart ntp in container
systemctl restart ntp
 => see (or no more after fix) apparmor denie:
apparmor="DENIED" operation="file_inherit" profile="/usr/sbin/ntpd" 
name="/run/lock/ntpdate" pid=30113 comm="ntpd" requested_mask="w" 
denied_mask="w"

[Regression Potential]

 * we are only slightly opening up the apparmor profile, but none of the 
   changes pose a security risk, so regression potential on its own 
   should be close to zero.

 * There is a potential issue if the locking (that now can succeed) would, 
   e.g., no longer be freed up, or the action behind the locking would cause 
   issues.

[Other Info]
 
 * n/a


On start/restart ntp has an error in apparmor due to the locking it does to 
avoid issues when running concurrently with ntpdate.

That looks like:
apparmor="DENIED" operation="file_inherit" profile="/usr/sbin/ntpd" name="/run/lock/ntpdate" pid=30113 comm="ntpd" requested_mask="w" denied_mask="w"

The rule we need is:
/run/lock/ntpdate wk,

** Affects: ntp (Ubuntu)
 Importance: Medium
 Status: Triaged

** Affects: ntp (Ubuntu Xenial)
 Importance: Medium
 Status: Triaged

** Affects: ntp (Ubuntu Artful)
 Importance: Medium
 Status: Triaged

** Also affects: ntp (Ubuntu Artful)
   Importance: Undecided
   Status: New

** Also affects: ntp (Ubuntu Xenial)
   Importance: Undecided
   Status: New

** Changed in: ntp (Ubuntu Xenial)
   Status: New => Triaged

** Changed in: ntp (Ubuntu Artful)
   Status: New => Triaged

** Changed in: ntp (Ubuntu Xenial)
   Importance: Undecided => Medium

** Changed in: ntp (Ubuntu Artful)
   Importance: Undecided => Medium

** Changed in: ntp (Ubuntu)
   Importance: Undecided => Medium

** Changed in: ntp (Ubuntu)
   Status: New => Triaged

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to ntp in Ubuntu.
https://bugs.launchpad.net/bugs/1749389

Title:
  ntpdate lock apparmor deny

Status in ntp package in Ubuntu:
  Triaged
Status in ntp source package in Xenial:
  Triaged
Status in ntp source package in Artful:
  Triaged

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ntp/+bug/1749389/+subscriptions


