Bug#1012613: nftables: upgrade stops but does not start service

2022-06-19 Thread Jeremy Sowden
On 2022-06-19, at 13:48:59 +0200, Arturo Borrero Gonzalez wrote:
> On Fri, 10 Jun 2022 12:21:37 +0200 Christian Göttsche wrote:
> > Package: nftables
> > Version: 1.0.4-1
> > Severity: serious
> >
> > Dear Maintainer,
> >
> > upgrades of nftables stop the service but do not start it (even if the
> > service is actually enabled).
> > This can lead to lockouts, e.g. when using special rules for ssh access.
> >
> >
> > nft.preinst:
> >
> > #!/bin/sh
> > set -e
> > # Automatically added by dh_installsystemd/13.7.1
> > if [ -z "${DPKG_ROOT:-}" ] && [ "$1" = upgrade ] && [ -d /run/systemd/system ] ; then
> >     deb-systemd-invoke stop 'nftables.service' >/dev/null || true
> > fi
> > # End automatically added section
> >
> >
> > nft.postinst:
> >
> > #!/bin/sh
> > set -e
> > # Automatically added by dh_installsystemd/13.7.1
> > if [ "$1" = "configure" ] || [ "$1" = "abort-upgrade" ] || [ "$1" = "abort-deconfigure" ] || [ "$1" = "abort-remove" ] ; then
> >     if deb-systemd-helper debian-installed 'nftables.service'; then
> >         # This will only remove masks created by d-s-h on package removal.
> >         deb-systemd-helper unmask 'nftables.service' >/dev/null || true
> >
> >         if deb-systemd-helper --quiet was-enabled 'nftables.service'; then
> >             # Create new symlinks, if any.
> >             deb-systemd-helper enable 'nftables.service' >/dev/null || true
> >         fi
> >     fi
> >
> >     # Update the statefile to add new symlinks (if any), which need to be cleaned
> >     # up on purge. Also remove old symlinks.
> >     deb-systemd-helper update-state 'nftables.service' >/dev/null || true
> > fi
> > # End automatically added section
>
> I confirmed this can be a problem:
>
> [...]
>
> @Alberto, @Jeremy,
>
> It seems to me like we need to play with the dh_installsystemd
> --no-restart-after-upgrade option, but don't have time to figure out the
> right logic.
>
> I'm currently unable to handle this. Could you please take a look?

Passing `--restart-after-upgrade` does the trick:

  diff -u nftables_1.0.4-1/postinst nftables_1.0.4-2/postinst
  --- nftables_1.0.4-1/postinst   2022-06-07 23:59:59.0 +0100
  +++ nftables_1.0.4-2/postinst   2022-06-19 18:04:19.0 +0100
  @@ -17,3 +17,13 @@
  deb-systemd-helper update-state 'nftables.service' >/dev/null || true
  fi
  # End automatically added section
  +# Automatically added by dh_installsystemd/13.7.1
  +if [ "$1" = "configure" ] || [ "$1" = "abort-upgrade" ] || [ "$1" = 
"abort-deconfigure" ] || [ "$1" = "abort-remove" ] ; then
  +   if [ -z "${DPKG_ROOT:-}" ] && [ -d /run/systemd/system ]; then
  +   systemctl --system daemon-reload >/dev/null || true
  +   if [ -n "$2" ]; then
  +   deb-systemd-invoke try-restart 'nftables.service' 
>/dev/null || true
  +   fi
  +   fi
  +fi
  +# End automatically added section
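Review bot: this hunk covers only postinst, yet the fix hinges on preinst: `deb-systemd-invoke try-restart` restarts a unit only if it is currently active, so if the 1.0.4-1 preinst stanza quoted at the top of this thread (`deb-systemd-invoke stop 'nftables.service'` on upgrade) were still present, the unit would already be inactive when postinst runs, try-restart would be a no-op, and the reported behaviour would be unchanged; please show the preinst side of the diff as well so the removal of that stanza is visible. One caveat worth a changelog line: a restart still passes through the stopped state, and the report's `nft list ruleset` output after the stop is empty, so a ruleset whose base chains use a drop policy is briefly absent during the upgrade; that is the trade-off `--restart-after-upgrade` accepts in exchange for not leaving the unit down.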

I've pushed that and a few other changes to Salsa.

J.




Bug#1012613: nftables: upgrade stops but does not start service

2022-06-19 Thread Jeremy Sowden
On 2022-06-19, at 13:48:59 +0200, Arturo Borrero Gonzalez wrote:
> On Fri, 10 Jun 2022 12:21:37 +0200 Christian Göttsche wrote:
> > Package: nftables
> > Version: 1.0.4-1
> > Severity: serious
> >
> > Dear Maintainer,
> >
> > upgrades of nftables stop the service but do not start it (even if the
> > service is actually enabled).
> > This can lead to lockouts, e.g. when using special rules for ssh access.
> >
> >
> > nft.preinst:
> >
> > #!/bin/sh
> > set -e
> > # Automatically added by dh_installsystemd/13.7.1
> > if [ -z "${DPKG_ROOT:-}" ] && [ "$1" = upgrade ] && [ -d /run/systemd/system ] ; then
> >     deb-systemd-invoke stop 'nftables.service' >/dev/null || true
> > fi
> > # End automatically added section
> >
> >
> > nft.postinst:
> >
> > #!/bin/sh
> > set -e
> > # Automatically added by dh_installsystemd/13.7.1
> > if [ "$1" = "configure" ] || [ "$1" = "abort-upgrade" ] || [ "$1" = "abort-deconfigure" ] || [ "$1" = "abort-remove" ] ; then
> >     if deb-systemd-helper debian-installed 'nftables.service'; then
> >         # This will only remove masks created by d-s-h on package removal.
> >         deb-systemd-helper unmask 'nftables.service' >/dev/null || true
> >
> >         if deb-systemd-helper --quiet was-enabled 'nftables.service'; then
> >             # Create new symlinks, if any.
> >             deb-systemd-helper enable 'nftables.service' >/dev/null || true
> >         fi
> >     fi
> >
> >     # Update the statefile to add new symlinks (if any), which need to be cleaned
> >     # up on purge. Also remove old symlinks.
> >     deb-systemd-helper update-state 'nftables.service' >/dev/null || true
> > fi
> > # End automatically added section
>
> I confirmed this can be a problem:
>
> [...]
>
> @Alberto, @Jeremy,
>
> It seems to me like we need to play with the dh_installsystemd
> --no-restart-after-upgrade option, but don't have time to figure out the
> right logic.
>
> I'm currently unable to handle this. Could you please take a look?

Yup.

J.




Bug#1012613: nftables: upgrade stops but does not start service

2022-06-19 Thread Arturo Borrero Gonzalez
On Fri, 10 Jun 2022 12:21:37 +0200 Christian Göttsche wrote:

> Package: nftables
> Version: 1.0.4-1
> Severity: serious
>
> Dear Maintainer,
>
> upgrades of nftables stop the service but do not start it (even if the
> service is actually enabled).
> This can lead to lockouts, e.g. when using special rules for ssh access.
>
>
> nft.preinst:
>
> #!/bin/sh
> set -e
> # Automatically added by dh_installsystemd/13.7.1
> if [ -z "${DPKG_ROOT:-}" ] && [ "$1" = upgrade ] && [ -d /run/systemd/system ] ; then
>     deb-systemd-invoke stop 'nftables.service' >/dev/null || true
> fi
> # End automatically added section
>
>
> nft.postinst:
>
> #!/bin/sh
> set -e
> # Automatically added by dh_installsystemd/13.7.1
> if [ "$1" = "configure" ] || [ "$1" = "abort-upgrade" ] || [ "$1" = "abort-deconfigure" ] || [ "$1" = "abort-remove" ] ; then
>     if deb-systemd-helper debian-installed 'nftables.service'; then
>         # This will only remove masks created by d-s-h on package removal.
>         deb-systemd-helper unmask 'nftables.service' >/dev/null || true
>
>         if deb-systemd-helper --quiet was-enabled 'nftables.service'; then
>             # Create new symlinks, if any.
>             deb-systemd-helper enable 'nftables.service' >/dev/null || true
>         fi
>     fi
>
>     # Update the statefile to add new symlinks (if any), which need to be cleaned
>     # up on purge. Also remove old symlinks.
>     deb-systemd-helper update-state 'nftables.service' >/dev/null || true
> fi
> # End automatically added section

I confirmed this can be a problem:

=== 8< ===
⌂0.65 arturo@nostromo:~ $ apt-cache policy nftables
nftables:
  Installed: 1.0.2-1
  Candidate: 1.0.4-1
  Version table:
     1.0.4-1 500
        500 http://deb.debian.org/debian sid/main amd64 Packages
 *** 1.0.2-1 500
        500 http://deb.debian.org/debian testing/main amd64 Packages
        100 /var/lib/dpkg/status
⌂0.68 arturo@nostromo:~ $ sudo systemctl status nftables
● nftables.service - nftables
     Loaded: loaded (/lib/systemd/system/nftables.service; disabled; vendor preset: enabled)
     Active: active (exited) since Sun 2022-06-19 13:38:11 CEST; 51s ago
       Docs: man:nft(8)
             http://wiki.nftables.org
    Process: 5537 ExecStart=/usr/sbin/nft -f /etc/nftables.conf (code=exited, status=0/SUCCESS)
   Main PID: 5537 (code=exited, status=0/SUCCESS)
        CPU: 13ms

Jun 19 13:38:11 nostromo systemd[1]: Starting nftables...
Jun 19 13:38:11 nostromo systemd[1]: Finished nftables.
⌂0.70 arturo@nostromo:~ $ sudo nft list ruleset
table inet filter {
    chain input {
        type filter hook input priority filter; policy accept;
        iif "lo" accept
        ct state established,related accept
        tcp dport 22 ct state new accept
        ip6 nexthdr ipv6-icmp icmpv6 type { nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert } accept
        counter packets 6 bytes 898 drop
    }
}
⌂0.65 arturo@nostromo:~ $ sudo aptitude install nftables
The following packages will be upgraded:
  libnftables1 nftables
2 packages upgraded, 0 newly installed, 0 to remove and 754 not upgraded.
Need to get 365 kB of archives. After unpacking 27.6 kB will be used.
Do you want to continue? [Y/n/?] Y
Get: 1 http://deb.debian.org/debian sid/main amd64 nftables amd64 1.0.4-1 [71.9 kB]
Get: 2 http://deb.debian.org/debian sid/main amd64 libnftables1 amd64 1.0.4-1 [294 kB]

Fetched 365 kB in 0s (4,064 kB/s)
Reading changelogs... Done
(Reading database ... 273043 files and directories currently installed.)
Preparing to unpack .../nftables_1.0.4-1_amd64.deb ...
Unpacking nftables (1.0.4-1) over (1.0.2-1) ...
Preparing to unpack .../libnftables1_1.0.4-1_amd64.deb ...
Unpacking libnftables1:amd64 (1.0.4-1) over (1.0.2-1) ...
Setting up libnftables1:amd64 (1.0.4-1) ...
Setting up nftables (1.0.4-1) ...
Processing triggers for man-db (2.10.2-1) ...
Processing triggers for libc-bin (2.33-7) ...

Current status: 754 (-2) upgradable.
⌂0.78 arturo@nostromo:~ $ sudo nft list ruleset
⌂0.78 arturo@nostromo:~ $ sudo systemctl status nftables
○ nftables.service - nftables
     Loaded: loaded (/lib/systemd/system/nftables.service; disabled; vendor preset: enabled)
     Active: inactive (dead)
       Docs: man:nft(8)
             http://wiki.nftables.org

Jun 19 13:38:11 nostromo systemd[1]: Starting nftables...
Jun 19 13:38:11 nostromo systemd[1]: Finished nftables.
Jun 19 13:39:13 nostromo systemd[1]: Stopping nftables...
Jun 19 13:39:13 nostromo systemd[1]: nftables.service: Deactivated successfully.
Jun 19 13:39:13 nostromo systemd[1]: Stopped nftables.
=== 8< ===

@Alberto, @Jeremy,

It seems to me like we need to play with the dh_installsystemd 
--no-restart-after-upgrade option, but don't have time to figure out the 
right logic.


I'm currently unable to handle this. Could you please take a look?

regards.
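A defensive wrapper for the situation reproduced in the transcript above and described in the original report: the package upgrade stops nftables.service and leaves the host with an empty ruleset. This is an added example, not code from the nftables package, from Debian, or from anyone in this bug. It assumes a systemd host with `nft` and `systemctl` in PATH and root privileges; the snapshot path, the function names and the return codes are this example's own conventions.

```shell
#!/bin/sh
# upgrade-guard.sh: snapshot the live nftables ruleset before a package
# upgrade and re-apply it if the upgrade leaves the ruleset empty.
# Added example for this bug thread, not code from the Debian nftables
# package. Assumed: systemd host, nft(8) and systemctl in PATH, run as root.
# Snapshot path, function names and return codes are this example's own.
set -eu

SNAPSHOT="${SNAPSHOT:-/run/nftables-upgrade.snapshot}"

# Record whether nftables.service is active and dump the live ruleset.
# `nft list ruleset` prints nft's own syntax, so the dump can be fed back
# with `nft -f`.
snapshot_ruleset() {
    if systemctl is-active --quiet nftables.service; then
        echo active > "$SNAPSHOT.state"
    else
        echo inactive > "$SNAPSHOT.state"
    fi
    nft list ruleset > "$SNAPSHOT"
}

# Decide whether the firewall was lost during the upgrade.
# Return codes (example convention):
#    0  the unit was inactive before, or the ruleset is still non-empty
#   10  the ruleset was empty and the snapshot has been re-applied
#   20  the ruleset was empty and re-applying the snapshot failed
restore_if_empty() {
    [ "$(cat "$SNAPSHOT.state")" = active ] || return 0
    [ -z "$(nft list ruleset)" ] || return 0
    # nft -f loads the file as one transaction: either every rule from the
    # snapshot is installed or none is, so a failure cannot leave a
    # half-restored ruleset behind.
    if nft -f "$SNAPSHOT"; then
        return 10
    fi
    return 20
}

# Run an upgrade command between the snapshot and the check, e.g.
#   upgrade_guard apt-get install nftables
# Returns the upgrade command's own status if it failed, otherwise the
# status of restore_if_empty.
upgrade_guard() {
    snapshot_ruleset
    upgrade_rc=0
    "$@" || upgrade_rc=$?
    restore_rc=0
    restore_if_empty || restore_rc=$?
    [ "$upgrade_rc" -eq 0 ] || return "$upgrade_rc"
    return "$restore_rc"
}

# When run as a script, everything after the script name is the upgrade
# command; with no arguments the functions are only defined (for sourcing).
if [ $# -gt 0 ]; then
    upgrade_guard "$@"
fi
```

Run it from a console or a session that survives a dropped SSH connection (`sh upgrade-guard.sh apt-get install nftables`), and treat exit status 20 as a signal to reload the firewall by hand. Whether a given .deb will stop the unit without starting it again can be checked before installing it by extracting its control files with `dpkg-deb --control <package>.deb <dir>` and reading the generated preinst and postinst, as the report above does.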