[Touch-packages] [Bug 1988119] Re: systemd-udevd: Run net_setup_link on 'change' uevents to prevent DNS outages on Azure
@mruffell, spinning up a clean Azure 18.04 Bionic VM and following your steps + reproducer, I can confirm DNS and network connectivity work fine: $ lsb_release -a No LSB modules are available. Distributor ID: Ubuntu Description:Ubuntu 18.04.6 LTS Release:18.04 Codename: bionic $ sudo apt-cache policy systemd | grep Installed Installed: 237-3ubuntu10.55 $ sudo udevadm trigger && sudo systemctl restart systemd-networkd $ ping google.com PING google.com (216.58.214.14) 56(84) bytes of data. 64 bytes from lhr26s05-in-f14.1e100.net (216.58.214.14): icmp_seq=1 ttl=112 time=2.46 ms 64 bytes from lhr26s05-in-f14.1e100.net (216.58.214.14): icmp_seq=2 ttl=112 time=2.87 ms 64 bytes from lhr26s05-in-f14.1e100.net (216.58.214.14): icmp_seq=3 ttl=112 time=2.30 ms -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to systemd in Ubuntu. https://bugs.launchpad.net/bugs/1988119 Title: systemd-udevd: Run net_setup_link on 'change' uevents to prevent DNS outages on Azure Status in systemd package in Ubuntu: Fix Released Status in systemd source package in Bionic: In Progress Bug description: [Impact] A widespread outage was caused on Azure instances earlier today, when systemd 237-3ubuntu10.54 was published to the bionic-security pocket. Instances could no longer resolve DNS queries, breaking networking. For affected users, the following workarounds are available. Use whatever is most convenient. - Reboot your instances - or - - Issue "udevadm trigger -cadd -yeth0 && systemctl restart systemd-networkd" as root The trigger was found to be open-vm-tools issuing "udevadm trigger". Azure has a specific netplan setup that uses the `driver` match to set up networking. If a udevadm trigger is executed, the KV pair that contains this info is lost. Next time netplan is executed, the server loses it's DNS information. This is the same as bug 1902960 experienced on Focal two years ago. The root cause was found to be a bug in systemd, where if we receive a "Remove" action from a change uevent, we need to run net_setup_link(), we need to skip device rename and keep the old name. [Testcase] Start an instance up on Azure, any type. Simply issue udevadm trigger and reload systemd-networkd: $ ping google.com PING google.com (172.253.62.102) 56(84) bytes of data. 64 bytes from bc-in-f102.1e100.net (172.253.62.102): icmp_seq=1 ttl=56 time=1.85 ms $ sudo udevadm trigger && sudo systemctl restart systemd-networkd $ ping google.com ping: google.com: Temporary failure in name resolution To fix a broken instance, you can run: $ sudo udevadm trigger -cadd -yeth0 && sudo systemctl restart systemd- networkd and then install the test packages below: Test packages are available in the following ppa: https://launchpad.net/~mruffell/+archive/ubuntu/sf343528-test If you install them, the issue should no longer occur. [Where problems could occur] If a regression were to occur, it would affect systemd-udevd processing 'change' events from network devices, which could lead to network outages. Since this would happen when systemd-networkd is restarted on postinstall, a regression would cause widespread outages due to this SRU being targeted to the security pocket, where unattended-upgrades will automatically install from. Side effects could include incorrect udevd device properties. It is very important that this SRU is well tested before release. [Other info] This was fixed in Systemd 247 with the following commit: commit e0e789c1e97e2cdf1cafe0c6b7d7e43fa054f151 Author: Yu Watanabe Date: Mon, 14 Sep 2020 15:21:04 +0900 Subject: udev: re-assign ID_NET_DRIVER=, ID_NET_LINK_FILE=, ID_NET_NAME= properties on non-'add' uevent Link: https://github.com/systemd/systemd/commit/e0e789c1e97e2cdf1cafe0c6b7d7e43fa054f151 This was backported to Focal's systemd 245.4-4ubuntu3.4 in bug 1902960 two years ago. Focal required a heavy backport, which was performed by Dan Streetman. Focals backport can be found in d/p/lp1902960-udev-re- assign-ID_NET_DRIVER-ID_NET_LINK_FILE-ID_NET.patch, or the below pastebin: https://paste.ubuntu.com/p/K5k7bGt3Wx/ The changes between the Focal backport and the Bionic backport are: - We use udev_device_get_action() instead of device_get_action() - device_action_from_string() is used to get to enum DeviceAction - We return 0 from the "if (a == DEVICE_ACTION_MOVE) " hunk instead of "goto no_rename" - log_device_* has been changed to log_*. See attached debdiff for Bionic backport. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/1988119/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help :
[Touch-packages] [Bug 1892559] Re: [MIR] ccid opensc pcsc-lite
** Changed in: ccid (Ubuntu) Assignee: Ubuntu Security Team (ubuntu-security) => Ray Veldkamp (rayveldkamp) ** Changed in: ccid (Ubuntu) Status: New => In Progress -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to pcsc-lite in Ubuntu. https://bugs.launchpad.net/bugs/1892559 Title: [MIR] ccid opensc pcsc-lite Status in ccid package in Ubuntu: In Progress Status in opensc package in Ubuntu: Incomplete Status in pam-pkcs11 package in Ubuntu: Invalid Status in pcsc-lite package in Ubuntu: New Status in pcsc-perl package in Ubuntu: Invalid Status in pcsc-tools package in Ubuntu: Invalid Bug description: ==> ccid <== [Availability] ccid is in universe, and builds on all architectures. [Rationale] The desktop team and security team are interested in bringing smartcard authentication to enterprise desktop environments. [Security] No CVEs for ccid are listed in our database. Doesn't appear to bind to a socket. No privileged executables, but does have udev rules. Probably needs a security review. [Quality assurance] No test suite. Does require odd hardware that we'll probably need to buy. I don't see debconf questions. ccid is well maintained in Debian by upstream author. One open wishlist bug in BTS, harmless. One open bug in launchpad, not security, but looks very frustrating for the users. The upstream author was engaged but it never reached resolution. https://bugs.launchpad.net/ubuntu/+source/ccid/+bug/1175465 Has a debian/watch file. Quilt packaging. P: ccid source: no-dep5-copyright P: ccid source: package-uses-experimental-debhelper-compat-version 13 [Dependencies] Minimal dependencies, in main [Standards compliance] Appears to satisfy FHS and Debian policy [Maintenance] The desktop team will subscribe to bugs, however it is expected that the security team will assist with security-relevant questions. [Background information] ccid provides drivers to interact with usb-connected smart card readers. ==> libpam-pkcs11 <== [Availability] Source package pam-pkcs11 is in universe and builds on all architectures. [Rationale] The desktop team and security team are interested in bringing smartcard authentication to enterprise desktop environments. [Security] No CVEs in our database. Doesn't appear to bind to sockets. No privileged executables (but is a PAM module). As a PAM module this will require a security review. [Quality assurance] The package does not call pam-auth-update in its postinst #1650366 Does not ask questions during install. One Ubuntu bug claims very poor behaviour if a card isn't plugged in. No Debian bugs. Occasional updates in Debian by long-term maintainer. Does require odd hardware that we'll probably need to buy. Does not appear to run tests during build. Has scary warnings in the build logs. Has a debian/watch file. Ancient standards version; other smaller lintian messages, mostly documentation problems. Quilt packaging. [Dependencies] Depends on libcurl4, libldap-2.4-2, libpam0g, libpcsclite1, libssl1.1 All are in main. [Standards compliance] The package does not call pam-auth-update in its postinst #1650366 Otherwise looks to conform to FHS and Debian policies [Maintenance] The desktop team will subscribe to bugs, however it is expected that the security team will assist with security-relevant questions. [Background information] This PAM module can use CRLs and full-chain verification of certificates. It can also do LDAP, AD, and Kerberos username mapping. ==> libpcsc-perl <== [Availability] Source package pcsc-perl is in universe, builds for all architectures, plus i386 [Rationale] The desktop team and security team are interested in bringing smartcard authentication to enterprise desktop environments. [Security] There are no cves for pcsc-perl in our database. No privileged executables. Doesn't appear to bind to sockets. Probably needs a security review. [Quality assurance] Library package not intended to be used directly. No debconf questions. No bugs in Debian. No bugs in Ubuntu. Does require odd hardware that we'll probably need to buy. Tests exist, not run during the build; probably can't run during the build. Includes debian/watch file. A handful of lintian issues Quilt packaging. [Dependencies] libpcsc-perl depends upon libpcsclite1, libc6, perl, perlapi-5.30.0. All are in main. [Standards compliance] One oddity, Card.pod is stored in /usr/lib/x86_64-linux-gnu/perl5/5.30/Chipcard/PCSC/ Many other perl packages have .pod files in these directory trees so maybe it's fine, but it seems funny all the same. Otherwise appears to satisfy FHS and Debian policy. [Maintenance] The desktop team will subscribe to bugs, however it is expected
