+        if dpkg --compare-versions "$2" lt-nl 1:9.0p1-1ubuntu8~ && [ -n
"$NO_SOCKET_MIGRATION" ]; then

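Review bot: the condition on this line decides whether to undo the socket migration from the previous version in "$2" and $NO_SOCKET_MIGRATION alone; nothing in it checks that the drop-ins the migration writes are present. Consider also requiring [ -e /etc/systemd/system/ssh.socket.d/addresses.conf ] and [ -e /etc/systemd/system/ssh.service.d/00-socket.conf ], so the revert only runs on a system that shows the migration's own artifacts.
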
I'm going to ask that we be ultra-conservative here.  It is very
difficult in general to un-do in a maintainer script something that we
think we did previously, because the admin may have done who-knows-what
in between and we may be undoing things that weren't actually ours.  So
whenever it's possible to detect that it wasn't us that did a thing, we
should avoid trying to undo it.

In the case of this particular failure, the state of the system of a user hit
by this bug will be:
 - /etc/systemd/system/ssh.service.d/00-socket.conf and
   /etc/systemd/system/ssh.socket.d/addresses.conf both exist
 - $2 argument to postinst will be LESS than 1:9.0p1-1ubuntu8~ because the
   release version of openssh-server will have failed to configure

So I suggest the following instead:

        if dpkg --compare-versions "$2" lt-nl 1:9.0p1-1ubuntu7~ \
           && [ -e /etc/systemd/system/ssh.socket.d/addresses.conf ] \
           && [ -e /etc/systemd/system/ssh.service.d/00-socket.conf ] \
           && [ -n "$NO_SOCKET_MIGRATION" ]; then

This ensures that if, for any other reason, the user has enabled the
ssh.socket unit but our script says NO_SOCKET_MIGRATION, we don't mangle
the systemd units to disable socket activation that might not have been
enabled by us in the first place.

(As a bonus, it will simplify and shorten the de-migration code
overall.)

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to openssh in Ubuntu.
https://bugs.launchpad.net/bugs/1993478

Title:
  package openssh-server 1:9.0p1-1ubuntu7 failed to install/upgrade:
  postinstall script returned 1

Status in openssh package in Ubuntu:
  Triaged
Status in openssh source package in Kinetic:
  Triaged

Bug description:
  [NOTE FOR SRU TEAM]

  I would prefer that vorlon review the attached patch before the upload
  is accepted. I will remove this note when that has happened.

  [Impact]

  Users with /etc/ssh/sshd_config's that contain ListenAddress entries
  with the port specified will not be migrated to socket-activated ssh
  correctly, or may be migrated when they should not be (e.g. if
  ListenAddress, with a port number, is specified more than once). This
  leaves users with a broken sshd configuration.

  [Test Plan]

  There are 4 tests that should be used to verify the fix:

  1. Upgrade to Kinetic with just one ListenAddress entry, which
  specifies port number.

  * On a Jammy system, edit /etc/ssh/sshd_config so that it contains the
  following:

  [...defaults everywhere else...]

  #Port 22
  #AddressFamily any
  #ListenAddress 0.0.0.0
  #ListenAddress ::
  ListenAddress 0.0.0.0:1234

  [...defaults everywhere else...]

  * Run `systemctl restart ssh.service` and confirm that the new configuration
  works as expected.
  * Before running the upgrade, make sure -proposed is enabled.
  * Run `do-release-upgrade` to upgrade to Kinetic (setting Prompt=normal in
  /etc/update-manager/release-upgrades if needed).
  * On an affected system, ssh.socket will fail with `bad-setting` because
  /etc/systemd/system/ssh.socket.d/address.conf contains:

  [Socket]
  ListenStream=

  * On a patched system, ssh.socket will be active/listening, and
  /etc/systemd/system/ssh.socket.d/addresses.conf will contain the
  following:

  [Socket]
  ListenStream=
  ListenStream=0.0.0.0:1234

  2. Upgrade to Kinetic with multiple ListenAddress entries, each
  specifying port number.

  * On a Jammy system, edit /etc/ssh/sshd_config so that it contains the
  following:

  [...defaults everywhere else...]

  #Port 22
  #AddressFamily any
  #ListenAddress 0.0.0.0
  #ListenAddress ::
  ListenAddress 0.0.0.0:1234
  ListenAddress [::]:4321

  [...defaults everywhere else...]

  * Run `systemctl restart ssh.service` and confirm that the new configuration
  works as expected.
  * Before running the upgrade, make sure -proposed is enabled.
  * Run `do-release-upgrade` to upgrade to Kinetic (setting Prompt=normal in
  /etc/update-manager/release-upgrades if needed).
  * On an affected system, migration will be attempted despite the multiple
  ListenAddress options, and ssh.socket will fail with `bad-setting` because
  /etc/systemd/system/ssh.socket.d/address.conf contains:

  [Socket]
  ListenStream=

  * On a patched system, the ListenAddress option will be parsed
  correctly, and migration will not be attempted.

  3. On a Kinetic system which was migrated, but with errors (e.g. test
  case #1, prior to being patched), installing the new package should
  correct the ssh.socket configuration.

  * On a Jammy system, edit /etc/ssh/sshd_config so that it contains the
  following:

  [...defaults everywhere else...]

  #Port 22
  #AddressFamily any
  #ListenAddress 0.0.0.0
  #ListenAddress ::
  ListenAddress 0.0.0.0:1234

  [...defaults everywhere else...]

  * Run `systemctl restart ssh.service` and confirm that the new configuration
  works as expected.
  * Do NOT enable -proposed before the upgrade.
  * Run `do-release-upgrade` to upgrade to Kinetic (setting Prompt=normal in
  /etc/update-manager/release-upgrades if needed).
  * After the openssh-server configuration fails, enable -proposed, and upgrade
  openssh-server.

  * The ssh.socket configuration should be fixed, and
  /etc/systemd/system/ssh.socket.d/addresses.conf should contain:

  [Socket]
  ListenStream=
  ListenStream=0.0.0.0:1234

  4. On a Kinetic system which was incorrectly migrated to ssh socket
  activation (e.g. test case #2, prior to being patched), installing the
  new package reverts to the previous behavior.

  * On a Jammy system, edit /etc/ssh/sshd_config so that it contains the
  following:

  [...defaults everywhere else...]

  #Port 22
  #AddressFamily any
  #ListenAddress 0.0.0.0
  #ListenAddress ::
  ListenAddress 0.0.0.0:1234
  ListenAddress [::]:4321

  [...defaults everywhere else...]

  * Run `systemctl restart ssh.service` and confirm that the new configuration
  works as expected.
  * Do NOT enable -proposed before the upgrade.
  * Run `do-release-upgrade` to upgrade to Kinetic (setting Prompt=normal in
  /etc/update-manager/release-upgrades if needed).
  * After the openssh-server configuration fails, enable -proposed, and upgrade
  openssh-server.
  * The socket-activated ssh migration should be reverted, and ssh.service
  should be running as before upgrade to Kinetic.

  [Where problems could occur]

  These changes are in the openssh-server.postinst script, specifically in the
  socket-activated ssh migration logic. Regressions would be seen in the
  migration logic, for example breaking a previously-working migration scenario.

  [Original Description]

  update failed...

  ProblemType: Package
  DistroRelease: Ubuntu 22.10
  Package: openssh-server 1:9.0p1-1ubuntu7
  ProcVersionSignature: Ubuntu 5.15.0-48.54-generic 5.15.53
  Uname: Linux 5.15.0-48-generic x86_64
  ApportVersion: 2.23.1-0ubuntu3
  Architecture: amd64
  CasperMD5CheckResult: unknown
  Date: Wed Oct 19 08:41:28 2022
  ErrorMessage: »installiertes post-installation-Skript des Paketes openssh-server«-Unterprozess gab den Fehlerwert 1 zurück
  InstallationDate: Installed on 2019-08-13 (1162 days ago)
  InstallationMedia: Ubuntu-Server 18.04.2 LTS "Bionic Beaver" - Release amd64 (20190210)
  Python3Details: /usr/bin/python3.10, Python 3.10.7, python3-minimal, 3.10.6-1
  PythonDetails: N/A
  RebootRequiredPkgs: Error: path contained symlinks.
  RelatedPackageVersions:
   dpkg 1.21.9ubuntu1
   apt  2.5.3
  SourcePackage: openssh
  Title: package openssh-server 1:9.0p1-1ubuntu7 failed to install/upgrade: »installiertes post-installation-Skript des Paketes openssh-server«-Unterprozess gab den Fehlerwert 1 zurück
  UpgradeStatus: Upgraded to kinetic on 2022-10-19 (0 days ago)
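
Test cases 1 and 2 of the test plan above, as an added sketch that is not the openssh-server.postinst code: it reads the active ListenAddress directives, emits the drop-in only for a single address:port entry, and checks a drop-in for the empty-`ListenStream=` state seen on affected systems. The function names and the sample files are assumptions made for this example.

```shell
#!/bin/sh
# Added sketch of test cases 1 and 2; not the openssh-server.postinst code.
# All function names are hypothetical.

# Print the value of every active (uncommented) ListenAddress directive.
listen_addresses() {
    awk 'tolower($1) == "listenaddress" { print $2 }' "$1"
}

# Succeed if a ListenAddress value carries an explicit port.
has_port() {
    case "$1" in
        \[*\]:*) return 0 ;;   # [::]:4321
        \[*\])   return 1 ;;   # bracketed address without a port
        *:*:*)   return 1 ;;   # bare IPv6 such as ::
        *:*)     return 0 ;;   # 0.0.0.0:1234
        *)       return 1 ;;   # bare host or IPv4 address
    esac
}

# Print the drop-in for a config with exactly one ListenAddress that names
# a port (case 1). Return 1, meaning "do not migrate", for several entries
# (case 2); this sketch also declines inputs the test plan does not cover.
socket_dropin() {
    addrs=$(listen_addresses "$1")
    [ "$(printf '%s\n' "$addrs" | grep -c .)" -eq 1 ] || return 1
    has_port "$addrs" || return 1
    printf '[Socket]\nListenStream=\nListenStream=%s\n' "$addrs"
}

# Succeed only if the drop-in on stdin names a non-empty ListenStream; the
# affected systems were left with just the empty reset line.
dropin_has_listener() {
    grep -Eq '^ListenStream=.+'
}

# Constructed sample configs mirroring test cases 1 and 2.
SAMPLE_DIR=$(mktemp -d)
printf '#Port 22\n#ListenAddress ::\nListenAddress 0.0.0.0:1234\n' > "$SAMPLE_DIR/one"
printf 'ListenAddress 0.0.0.0:1234\nListenAddress [::]:4321\n' > "$SAMPLE_DIR/two"

socket_dropin "$SAMPLE_DIR/one"
socket_dropin "$SAMPLE_DIR/two" || echo "several ListenAddress entries: not migrating"
printf '[Socket]\nListenStream=\n' | dropin_has_listener \
    || echo "broken drop-in: ListenStream reset with no listener"
```

Running `dropin_has_listener` against an installed addresses.conf before restarting ssh.socket catches the `bad-setting` state without waiting for the unit to fail.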
