Bug#1012613: nftables: upgrade stops but does not start service
On 2022-06-19, at 13:48:59 +0200, Arturo Borrero Gonzalez wrote:
> On Fri, 10 Jun 2022 12:21:37 +0200 Christian Göttsche wrote:
> > Package: nftables
> > Version: 1.0.4-1
> > Severity: serious
> >
> > Dear Maintainer,
> >
> > upgrades of nftables stop the service but do not start it (even if the
> > service is actually enabled).
> > This can lead to lockouts, e.g. when using special rules for ssh access.
> >
> > nft.preinst:
> >
> > #!/bin/sh
> > set -e
> > # Automatically added by dh_installsystemd/13.7.1
> > if [ -z "${DPKG_ROOT:-}" ] && [ "$1" = upgrade ] && [ -d /run/systemd/system ] ; then
> >     deb-systemd-invoke stop 'nftables.service' >/dev/null || true
> > fi
> > # End automatically added section
> >
> > nft.postinst:
> >
> > #!/bin/sh
> > set -e
> > # Automatically added by dh_installsystemd/13.7.1
> > if [ "$1" = "configure" ] || [ "$1" = "abort-upgrade" ] || [ "$1" = "abort-deconfigure" ] || [ "$1" = "abort-remove" ] ; then
> >     if deb-systemd-helper debian-installed 'nftables.service'; then
> >         # This will only remove masks created by d-s-h on package removal.
> >         deb-systemd-helper unmask 'nftables.service' >/dev/null || true
> >
> >         if deb-systemd-helper --quiet was-enabled 'nftables.service'; then
> >             # Create new symlinks, if any.
> >             deb-systemd-helper enable 'nftables.service' >/dev/null || true
> >         fi
> >     fi
> >
> >     # Update the statefile to add new symlinks (if any), which need to be cleaned
> >     # up on purge. Also remove old symlinks.
> >     deb-systemd-helper update-state 'nftables.service' >/dev/null || true
> > fi
> > # End automatically added section
>
> I confirmed this can be a problem:
>
> [...]
>
> @Alberto, @Jeremy,
>
> It seems to me like we need to play with the dh_installsystemd
> --no-restart-after-upgrade option, but don't have time to figure out the
> right logic.
>
> I'm currently unable to handle this. Could you please take a look?
Passing `--restart-after-upgrade` does the trick:

diff -u nftables_1.0.4-1/postinst nftables_1.0.4-2/postinst --- nftables_1.0.4-1/postinst 2022-06-07 23:59:59.0 +0100 +++ nftables_1.0.4-2/postinst 2022-06-19 18:04:19.0 +0100 @@ -17,3 +17,13 @@ deb-systemd-helper update-state 'nftables.service' >/dev/null || true fi # End automatically added section +# Automatically added by dh_installsystemd/13.7.1 +if [ "$1" = "configure" ] || [ "$1" = "abort-upgrade" ] || [ "$1" = "abort-deconfigure" ] || [ "$1" = "abort-remove" ] ; then + if [ -z "${DPKG_ROOT:-}" ] && [ -d /run/systemd/system ]; then + systemctl --system daemon-reload >/dev/null || true + if [ -n "$2" ]; then + deb-systemd-invoke try-restart 'nftables.service' >/dev/null || true + fi + fi +fi +# End automatically added section

I've pushed that and a few other changes to Salsa.

J.
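Review bot: the `deb-systemd-invoke try-restart 'nftables.service'` added in this hunk only acts on a unit that is currently running, so it does nothing for a unit that preinst has already stopped; the 1.0.4-1 preinst quoted earlier in this thread stops nftables.service on upgrade, and this diff covers postinst only, so the fix is complete only if the preinst stop is dropped in the same upload, and the preinst diff should be posted alongside this one so the pair can be reviewed together. A smaller point: the `|| true` after the try-restart means that if the new nft rejects /etc/nftables.conf, the restart fails after the stop has already flushed the ruleset (the transcript in this thread shows `nft list ruleset` empty after a stop), leaving the host with no rules while the upgrade reports success; printing a warning on that failure path would at least make the state visible to the operator.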
Bug#1012613: nftables: upgrade stops but does not start service
On 2022-06-19, at 13:48:59 +0200, Arturo Borrero Gonzalez wrote:
> On Fri, 10 Jun 2022 12:21:37 +0200 Christian Göttsche wrote:
> > Package: nftables
> > Version: 1.0.4-1
> > Severity: serious
> >
> > Dear Maintainer,
> >
> > upgrades of nftables stop the service but do not start it (even if the
> > service is actually enabled).
> > This can lead to lockouts, e.g. when using special rules for ssh access.
> >
> > nft.preinst:
> >
> > #!/bin/sh
> > set -e
> > # Automatically added by dh_installsystemd/13.7.1
> > if [ -z "${DPKG_ROOT:-}" ] && [ "$1" = upgrade ] && [ -d /run/systemd/system ] ; then
> >     deb-systemd-invoke stop 'nftables.service' >/dev/null || true
> > fi
> > # End automatically added section
> >
> > nft.postinst:
> >
> > #!/bin/sh
> > set -e
> > # Automatically added by dh_installsystemd/13.7.1
> > if [ "$1" = "configure" ] || [ "$1" = "abort-upgrade" ] || [ "$1" = "abort-deconfigure" ] || [ "$1" = "abort-remove" ] ; then
> >     if deb-systemd-helper debian-installed 'nftables.service'; then
> >         # This will only remove masks created by d-s-h on package removal.
> >         deb-systemd-helper unmask 'nftables.service' >/dev/null || true
> >
> >         if deb-systemd-helper --quiet was-enabled 'nftables.service'; then
> >             # Create new symlinks, if any.
> >             deb-systemd-helper enable 'nftables.service' >/dev/null || true
> >         fi
> >     fi
> >
> >     # Update the statefile to add new symlinks (if any), which need to be cleaned
> >     # up on purge. Also remove old symlinks.
> >     deb-systemd-helper update-state 'nftables.service' >/dev/null || true
> > fi
> > # End automatically added section
>
> I confirmed this can be a problem:
>
> [...]
>
> @Alberto, @Jeremy,
>
> It seems to me like we need to play with the dh_installsystemd
> --no-restart-after-upgrade option, but don't have time to figure out the
> right logic.
>
> I'm currently unable to handle this. Could you please take a look?

Yup.

J.
Bug#1012613: nftables: upgrade stops but does not start service
On Fri, 10 Jun 2022 12:21:37 +0200 Christian Göttsche wrote:
> Package: nftables
> Version: 1.0.4-1
> Severity: serious
>
> Dear Maintainer,
>
> upgrades of nftables stop the service but do not start it (even if the
> service is actually enabled).
> This can lead to lockouts, e.g. when using special rules for ssh access.
>
> nft.preinst:
>
> #!/bin/sh
> set -e
> # Automatically added by dh_installsystemd/13.7.1
> if [ -z "${DPKG_ROOT:-}" ] && [ "$1" = upgrade ] && [ -d /run/systemd/system ] ; then
>     deb-systemd-invoke stop 'nftables.service' >/dev/null || true
> fi
> # End automatically added section
>
> nft.postinst:
>
> #!/bin/sh
> set -e
> # Automatically added by dh_installsystemd/13.7.1
> if [ "$1" = "configure" ] || [ "$1" = "abort-upgrade" ] || [ "$1" = "abort-deconfigure" ] || [ "$1" = "abort-remove" ] ; then
>     if deb-systemd-helper debian-installed 'nftables.service'; then
>         # This will only remove masks created by d-s-h on package removal.
>         deb-systemd-helper unmask 'nftables.service' >/dev/null || true
>
>         if deb-systemd-helper --quiet was-enabled 'nftables.service'; then
>             # Create new symlinks, if any.
>             deb-systemd-helper enable 'nftables.service' >/dev/null || true
>         fi
>     fi
>
>     # Update the statefile to add new symlinks (if any), which need to be cleaned
>     # up on purge. Also remove old symlinks.
>     deb-systemd-helper update-state 'nftables.service' >/dev/null || true
> fi
> # End automatically added section

I confirmed this can be a problem:

=== 8< ===
⌂0.65 arturo@nostromo:~ $ apt-cache policy nftables
nftables:
  Installed: 1.0.2-1
  Candidate: 1.0.4-1
  Version table:
     1.0.4-1 500
        500 http://deb.debian.org/debian sid/main amd64 Packages
 *** 1.0.2-1 500
        500 http://deb.debian.org/debian testing/main amd64 Packages
        100 /var/lib/dpkg/status
⌂0.68 arturo@nostromo:~ $ sudo systemctl status nftables
● nftables.service - nftables
     Loaded: loaded (/lib/systemd/system/nftables.service; disabled; vendor preset: enabled)
     Active: active (exited) since Sun 2022-06-19 13:38:11 CEST; 51s ago
       Docs: man:nft(8)
             http://wiki.nftables.org
    Process: 5537 ExecStart=/usr/sbin/nft -f /etc/nftables.conf (code=exited, status=0/SUCCESS)
   Main PID: 5537 (code=exited, status=0/SUCCESS)
        CPU: 13ms

Jun 19 13:38:11 nostromo systemd[1]: Starting nftables...
Jun 19 13:38:11 nostromo systemd[1]: Finished nftables.
⌂0.70 arturo@nostromo:~ $ sudo nft list ruleset
table inet filter {
	chain input {
		type filter hook input priority filter; policy accept;
		iif "lo" accept
		ct state established,related accept
		tcp dport 22 ct state new accept
		ip6 nexthdr ipv6-icmp icmpv6 type { nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert } accept
		counter packets 6 bytes 898 drop
	}
}
⌂0.65 arturo@nostromo:~ $ sudo aptitude install nftables
The following packages will be upgraded:
  libnftables1 nftables
2 packages upgraded, 0 newly installed, 0 to remove and 754 not upgraded.
Need to get 365 kB of archives. After unpacking 27.6 kB will be used.
Do you want to continue? [Y/n/?] Y
Get: 1 http://deb.debian.org/debian sid/main amd64 nftables amd64 1.0.4-1 [71.9 kB]
Get: 2 http://deb.debian.org/debian sid/main amd64 libnftables1 amd64 1.0.4-1 [294 kB]
Fetched 365 kB in 0s (4,064 kB/s)
Reading changelogs... Done
(Reading database ... 273043 files and directories currently installed.)
Preparing to unpack .../nftables_1.0.4-1_amd64.deb ...
Unpacking nftables (1.0.4-1) over (1.0.2-1) ...
Preparing to unpack .../libnftables1_1.0.4-1_amd64.deb ...
Unpacking libnftables1:amd64 (1.0.4-1) over (1.0.2-1) ...
Setting up libnftables1:amd64 (1.0.4-1) ...
Setting up nftables (1.0.4-1) ...
Processing triggers for man-db (2.10.2-1) ...
Processing triggers for libc-bin (2.33-7) ...

Current status: 754 (-2) upgradable.
⌂0.78 arturo@nostromo:~ $ sudo nft list ruleset
⌂0.78 arturo@nostromo:~ $ sudo systemctl status nftables
○ nftables.service - nftables
     Loaded: loaded (/lib/systemd/system/nftables.service; disabled; vendor preset: enabled)
     Active: inactive (dead)
       Docs: man:nft(8)
             http://wiki.nftables.org

Jun 19 13:38:11 nostromo systemd[1]: Starting nftables...
Jun 19 13:38:11 nostromo systemd[1]: Finished nftables.
Jun 19 13:39:13 nostromo systemd[1]: Stopping nftables...
Jun 19 13:39:13 nostromo systemd[1]: nftables.service: Deactivated successfully.
Jun 19 13:39:13 nostromo systemd[1]: Stopped nftables.
=== 8< ===

@Alberto, @Jeremy,

It seems to me like we need to play with the dh_installsystemd
--no-restart-after-upgrade option, but don't have time to figure out the
right logic.

I'm currently unable to handle this. Could you please take a look?

regards.
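A pre-upgrade check for the pattern this bug describes, as an added example that is not part of the bug report or of the nftables package: it reads a package's extracted preinst and postinst and flags any unit that preinst stops on upgrade but postinst never starts or restarts, treating a bare try-restart as insufficient because systemctl try-restart is a no-op for a unit that is already stopped. The sample scripts are constructed inline from the snippets quoted in this thread, and `invoked_units` and `check_maint_scripts` are names chosen here.

```shell
#!/bin/sh
# Added example, not the nftables package's own code: flags a preinst that
# stops a unit on upgrade when the postinst never starts it again. A bare
# try-restart does not count: systemctl try-restart skips stopped units.
# Real use: dpkg-deb -e pkg.deb ctl && check_maint_scripts ctl/preinst ctl/postinst

# Print (sorted, unique) units named in "deb-systemd-invoke <action> 'unit'"
# lines of script $1, where $2 is an extended regex over the actions wanted.
invoked_units() {
    sed -E -n "s/.*deb-systemd-invoke ($2) '([^']*)'.*/\2/p" "$1" | sort -u
}

# One verdict line per unit stopped in preinst ($1); returns 0 only when
# postinst ($2) starts or restarts every one of them.
check_maint_scripts() {
    rc=0
    for unit in $(invoked_units "$1" 'stop'); do
        if invoked_units "$2" 'start|restart' | grep -qx "$unit"; then
            echo "ok: $unit is stopped in preinst and started again in postinst"
        elif invoked_units "$2" 'try-restart' | grep -qx "$unit"; then
            echo "LOCKOUT RISK: $unit is stopped in preinst; try-restart will not start an inactive unit"
            rc=1
        else
            echo "LOCKOUT RISK: $unit is stopped in preinst and never started in postinst"
            rc=1
        fi
    done
    return $rc
}

# Constructed samples, condensed from the maintainer scripts quoted in this bug.
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
cat > "$SAMPLE_DIR/preinst" <<'EOF'
if [ -z "${DPKG_ROOT:-}" ] && [ "$1" = upgrade ] && [ -d /run/systemd/system ] ; then
    deb-systemd-invoke stop 'nftables.service' >/dev/null || true
fi
EOF
cat > "$SAMPLE_DIR/postinst" <<'EOF'
if [ "$1" = "configure" ] ; then
    deb-systemd-helper update-state 'nftables.service' >/dev/null || true
fi
EOF
# The 1.0.4-2 layout: no stop in preinst, try-restart in postinst (as in the fix).
printf 'set -e\n' > "$SAMPLE_DIR/preinst.fixed"
{ cat "$SAMPLE_DIR/postinst"
  echo "deb-systemd-invoke try-restart 'nftables.service' >/dev/null || true"; } > "$SAMPLE_DIR/postinst.fixed"
check_maint_scripts "$SAMPLE_DIR/preinst" "$SAMPLE_DIR/postinst" || echo "1.0.4-1: unsafe to upgrade unattended"
check_maint_scripts "$SAMPLE_DIR/preinst.fixed" "$SAMPLE_DIR/postinst.fixed" && echo "1.0.4-2: nothing is left stopped"
```

Running the old preinst against the new postinst (stop plus try-restart) is also reported as a lockout risk, which is why the preinst change matters as much as the postinst one.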