Bug#905177: bind9: prompting due to modified conffiles which were not modified by the user: /etc/bind/named.conf.options
Followup-For: Bug #905177

Hi,

the situation is a bit tricky for upgrades that had bind9 from squeeze or older installed: there /etc/bind/named.conf.options was a conffile. Which is something dpkg remembers (with an outdated md5sum). The content of the file has been updated over time s.t. we don't need to handle md5sums in the preinst depending on whether the first installation happened in lenny or wheezy :-)

We cannot move the file aside in case dpkg knows it as a conffile:

Setting up bind9 (1:9.11.5.P4+dfsg-1) ...
Installing new version of config file /etc/apparmor.d/usr.sbin.named ...
Installing new version of config file /etc/bind/bind.keys ...
Installing new version of config file /etc/bind/named.conf.default-zones ...

Configuration file '/etc/bind/named.conf.options'
 ==> Deleted (by you or by a script) since installation.
 ==> Package distributor has shipped an updated version.
   What would you like to do about it ?  Your options are:
    Y or I  : install the package maintainer's version
    N or O  : keep your currently-installed version
      D     : show the differences between the versions
      Z     : start a shell to examine the situation
 The default action is to keep your current version.
*** named.conf.options (Y/I/N/O/D/Z) [default=N] ? dpkg: error processing package bind9 (--configure):
 end of file on stdin at conffile prompt
Processing triggers for systemd (241-1) ...
Processing triggers for libc-bin (2.28-8) ...
Errors were encountered while processing:
 bind9

That's from squeeze -> wheezy -> jessie -> stretch -> buster. Notice the "Deleted (by you or by a script) since installation."

My proposed solution you can find in the attached patch. It passes my tests starting from lenny as well as starting from wheezy. I create a backup as .dpkg-old and then edit the file in-place to match the content of the yet-to-be-installed-conffile. In that case dpkg does not see a content conflict, does not prompt about it and updates the md5sum of the conffile to the new version in its database.

Andreas >From a714533a17508d0f5f2084c15a42801458f7eeeb Mon Sep 17 00:00:00 2001 From: Andreas Beckmann Date: Sun, 24 Mar 2019 22:51:53 +0100 Subject: [PATCH] bind9.preinst: cope with ancient conffile named.conf.options In squeeze and earlier /etc/bind/named.conf.options was a conffile. On upgrades from such a version dpkg will remember it as an obsolete conffile with an outdated md5sum. Therefore we must not move it aside in this case (which dpkg would take as a deletion by the local admin), instead we edit it in place to match the to-be-installed version in order to avoid prompting and make dpkg update the md5sum. Closes: #905177 --- debian/bind9.preinst | 10 +- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/debian/bind9.preinst b/debian/bind9.preinst index 464ffc627..66b06abaa 100644 --- a/debian/bind9.preinst +++ b/debian/bind9.preinst @@ -20,7 +20,15 @@ case "$1" in theirs=$(md5sum /etc/bind/named.conf.options | sed 's/ .*$//') mine=56919cbc0d819c9a303a8bdeb306b5f1 if [ "$mine" = "$theirs" ]; then - mv /etc/bind/named.conf.options /etc/bind/named.conf.options.dpkg-old + if [ -n "$(dpkg-query -f '${Conffiles}' -W bind9 | grep /etc/bind/named.conf.options)" ]; then + # dpkg knows /etc/bind/named.conf.options as a conffile (from squeeze or older) + # cannot move the outdated file aside to avoid dpkg noticing deleted-by-local-admin + # therefore edit it in place to make it match the to-be-installed version + cp -p /etc/bind/named.conf.options /etc/bind/named.conf.options.dpkg-old + sed -i '26{/^$/d}; 23{/auth-nxdomain no;/d}' /etc/bind/named.conf.options + else + mv /etc/bind/named.conf.options /etc/bind/named.conf.options.dpkg-old + fi fi fi ;; -- 2.11.0 bind9_1:9.11.5.P4+dfsg-1.log.gz Description: application/gzip
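Review bot: The conffile test in the added `if` line uses an unanchored regular expression, `grep /etc/bind/named.conf.options`, so each dot matches any character and any conffile path that merely contains this string (a hypothetical `/etc/bind/named.conf.options.local`, say) would also select the edit-in-place branch. Match the path as a fixed string together with the spaces that delimit it in the `${Conffiles}` output, for example `grep -qF ' /etc/bind/named.conf.options '`, and test grep's exit status directly rather than wrapping it in `[ -n "$(...)" ]`. The `sed -i '26{/^$/d}; 23{/auth-nxdomain no;/d}'` edit depends on fixed line numbers, which is only safe because of the md5sum comparison in the context lines above it; the new comment should say so, and should record the md5sum the edited file is expected to have so that a later change to either version is caught.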
Bug#905177: bind9: prompting due to modified conffiles which were not modified by the user: /etc/bind/named.conf.options
Control: tags -1 help

On 01.08.2018 at 18:56, Andreas Beckmann wrote:

Hi,

> Suggestion: In the preinst check whether you are upgrading from <<
> 9.11.2+dfsg-6 and whether the file matches the version installed in
> stretch (md5sum/...) and move it aside (maybe there were more possible
> files installed by older versions, check for all of them). In the
> postinst delete the backup. Restore it on failed-upgrade.
>
> If the file was manually modified (i.e. does not match any known hash),
> do nothing and let dpkg prompt the user.
>
> I don't mind reviewing some patches.

Thanks for the suggestion, sounds like a plan. I'll see what I can come up with. Not really much time at the moment though, so any takers would be welcome.

Bernhard
Bug#905177: bind9: prompting due to modified conffiles which were not modified by the user: /etc/bind/named.conf.options
On 2018-08-01 18:05, Bernhard Schmidt wrote:
> So the file is there and not marked as conffile, because it has been
> created in postinst. Now in Buster the file is properly shipped as
> conffile (since commit 9ddbb41a71236815d246180b454850ec4ef7862d,
> included in 9.11.2+dfsg-6.
>
> It is only appearing now because the named.conf.options has now been
> changed from the version contained in Stretch in 9.11.4+dfsg-2. But the
> underlying bug is in Stretch.

Not really. There is nothing wrong with the handling in stretch. Using conffiles is just superior :-) You just need to migrate properly ...

> I have no idea how to properly deal with this.

Suggestion: In the preinst check whether you are upgrading from << 9.11.2+dfsg-6 and whether the file matches the version installed in stretch (md5sum/...) and move it aside (maybe there were more possible files installed by older versions, check for all of them). In the postinst delete the backup. Restore it on failed-upgrade.

If the file was manually modified (i.e. does not match any known hash), do nothing and let dpkg prompt the user.

I don't mind reviewing some patches.

Andreas
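The decision described in the message above (act only on a file that matches a known shipped hash, otherwise let dpkg prompt), extended with the conffile-known case from the later follow-up, as an added example that is not part of the thread or of the bind9 packaging. The function names are hypothetical, the demo file is constructed, and the `${Conffiles}` text is passed in as a string so the script runs without dpkg.

```shell
#!/bin/sh
# Added example, not code from the bind9 package; function names are hypothetical.

# conffile_known CONFFILES PATH
# CONFFILES is text in the format printed by
#   dpkg-query -f '${Conffiles}' -W <package>
# i.e. lines of " <path> <md5sum>[ obsolete]". The path field is compared
# exactly, so a longer path with the same prefix does not count as a match.
conffile_known() {
    printf '%s\n' "$1" | awk -v p="$2" '$1 == p { found = 1 } END { exit !found }'
}

# plan_migration FILE KNOWN_HASHES CONFFILES
# Prints the action a preinst should take for FILE:
#   nothing-to-do   FILE does not exist
#   leave-for-dpkg  content matches no shipped version (locally modified)
#   edit-in-place   pristine, but dpkg still records FILE as a conffile
#   move-aside      pristine and not recorded as a conffile
plan_migration() {
    file=$1 known_hashes=$2 conffiles=$3
    if [ ! -f "$file" ]; then echo nothing-to-do; return 0; fi
    sum=$(md5sum "$file" | cut -d' ' -f1)
    pristine=no
    for h in $known_hashes; do
        if [ "$h" = "$sum" ]; then pristine=yes; fi
    done
    if [ "$pristine" = no ]; then
        echo leave-for-dpkg
    elif conffile_known "$conffiles" "$file"; then
        echo edit-in-place
    else
        echo move-aside
    fi
}

# Constructed demo: a pristine file that dpkg still lists as an obsolete conffile.
demo_dir=$(mktemp -d)
demo_file="$demo_dir/named.conf.options"
printf 'options {\n};\n' > "$demo_file"
demo_hash=$(md5sum "$demo_file" | cut -d' ' -f1)
plan_migration "$demo_file" "$demo_hash" " $demo_file $demo_hash obsolete"
rm -rf "$demo_dir"
```

In a real maintainer script the third argument would come from `dpkg-query -f '${Conffiles}' -W bind9`, and the hash list would hold one md5sum per version the package ever shipped.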
Bug#905177: bind9: prompting due to modified conffiles which were not modified by the user: /etc/bind/named.conf.options
On 01.08.2018 at 12:00, Andreas Beckmann wrote:

Hi,

I can reproduce this in a container upgrading Stretch to Buster.

Configuration file '/etc/bind/named.conf.options'
 ==> File on system created by you or by a script.
 ==> File also in package provided by package maintainer.
   What would you like to do about it ?  Your options are:
    Y or I  : install the package maintainer's version
    N or O  : keep your currently-installed version
      D     : show the differences between the versions
      Z     : start a shell to examine the situation
 The default action is to keep your current version.
*** named.conf.options (Y/I/N/O/D/Z) [default=N] ? d
--- /etc/bind/named.conf.options2018-08-01 15:40:01.840772576 +
+++ /etc/bind/named.conf.options.dpkg-new 2018-07-16 18:49:50.0 +
@@ -20,7 +20,5 @@
 // dnssec-validation auto;
- auth-nxdomain no;# conform to RFC1035
 listen-on-v6 { any; };
 };
-

AFAICT this is caused by the version in Stretch, which did not ship /etc/bind/named.conf.options at all, but created it in postinst

===
if [ -f /etc/bind/named.conf.options ]; then
    [...]
else
    cp /usr/share/bind9/named.conf.options /etc/bind/named.conf.options
    chmod 644 /etc/bind/named.conf.options
fi
===

So the file is there and not marked as conffile, because it has been created in postinst. Now in Buster the file is properly shipped as conffile (since commit 9ddbb41a71236815d246180b454850ec4ef7862d, included in 9.11.2+dfsg-6.

It is only appearing now because the named.conf.options has now been changed from the version contained in Stretch in 9.11.4+dfsg-2. But the underlying bug is in Stretch.

I have no idea how to properly deal with this.

Best Regards,
Bernhard
Bug#905177: bind9: prompting due to modified conffiles which were not modified by the user: /etc/bind/named.conf.options
Package: bind9
Version: 1:9.11.4+dfsg-2
Severity: serious
User: debian...@lists.debian.org
Usertags: piuparts

Hi,

during a test with piuparts I noticed your package failed the piuparts upgrade test because dpkg detected a conffile as being modified and then prompted the user for an action. As there is no user input, this fails. But this is not the real problem, the real problem is that this prompt shows up in the first place, as there was nobody modifying this conffile at all, the package has just been installed and upgraded...

This is a violation of policy 10.7.3, see https://www.debian.org/doc/debian-policy/#behavior, which says "[These scripts handling conffiles] must not ask unnecessary questions (particularly during upgrades), and must otherwise be good citizens."

https://wiki.debian.org/DpkgConffileHandling should help with figuring out how to do this properly.

In https://lists.debian.org/debian-devel/2009/08/msg00675.html and followups it has been agreed that these bugs are to be filed with severity serious.

From the attached log (scroll to the bottom...):

Setting up bind9 (1:9.11.4+dfsg-2) ...
Installing new version of config file /etc/apparmor.d/usr.sbin.named ...
Installing new version of config file /etc/bind/bind.keys ...

Configuration file '/etc/bind/named.conf.options'
 ==> File on system created by you or by a script.
 ==> File also in package provided by package maintainer.
   What would you like to do about it ?  Your options are:
    Y or I  : install the package maintainer's version
    N or O  : keep your currently-installed version
      D     : show the differences between the versions
      Z     : start a shell to examine the situation
 The default action is to keep your current version.
*** named.conf.options (Y/I/N/O/D/Z) [default=N] ? dpkg: error processing package bind9 (--configure):
 end of file on stdin at conffile prompt
Processing triggers for libc-bin (2.27-5) ...
Errors were encountered while processing:
 bind9

cheers,

Andreas

bind9_1:9.11.4+dfsg-2.log.gz
Description: application/gzip