[Touch-packages] [Bug 2083612] Re: aa-remove-unknown: I/O error for unconfined profiles
Switching back to "new" since the fix still needs to be added to the Ubuntu package.

** Changed in: apparmor (Ubuntu)
       Status: Fix Committed => New

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/2083612

Title:
  aa-remove-unknown: I/O error for unconfined profiles

Status in apparmor package in Ubuntu:
  New

Bug description:
  On a stock ubuntu 24.04.1 install, running sudo aa-remove-unknown logs "/usr/sbin/aa-remove-unknown: 112: echo: echo: I/O error" for every unconfined profile it encounters.

  I've reproduced this on an Azure stock image with apparmor 4.0.1really4.0.1-0ubuntu0.24.04.3.

  It matches up with kern.log entries like

  2024-10-03T13:10:50.531829+00:00 mp-test-noble kernel: audit: type=1400 audit(1727961050.530:331): apparmor="STATUS" operation="profile_remove" info="profile does not exist" error=-2 profile="unconfined" name=74757865646F2D636F6E74726F6C2D63656E7465722028756E636F6E66696E656429 pid=8272 comm="aa-remove-unkno"

  Nothing relevant in /var/log/apparmor.

  Output:

  $ sudo aa-remove-unknown
  Removing 'wpcom (unconfined)'
  /usr/sbin/aa-remove-unknown: 112: echo: echo: I/O error
  Removing 'wike (unconfined)'
  /usr/sbin/aa-remove-unknown: 112: echo: echo: I/O error
  Removing 'vscode (unconfined)'
  /usr/sbin/aa-remove-unknown: 112: echo: echo: I/O error
  # many times, full output attached
  Removing 'balena-etcher (unconfined)'
  /usr/sbin/aa-remove-unknown: 112: echo: echo: I/O error
  Removing 'QtWebEngineProcess (unconfined)'
  /usr/sbin/aa-remove-unknown: 112: echo: echo: I/O error
  Removing 'MongoDB Compass (unconfined)'
  /usr/sbin/aa-remove-unknown: 112: echo: echo: I/O error
  Removing 'Discord (unconfined)'
  /usr/sbin/aa-remove-unknown: 112: echo: echo: I/O error
  Removing '1password (unconfined)'
  /usr/sbin/aa-remove-unknown: 112: echo: echo: I/O error

  ProblemType: Bug
  DistroRelease: Ubuntu 24.04
  Package: apparmor 4.0.1really4.0.1-0ubuntu0.24.04.3
  ProcVersionSignature: Ubuntu 6.8.0-1015.17-azure 6.8.12
  Uname: Linux 6.8.0-1015-azure x86_64
  ApportVersion: 2.28.1-0ubuntu3.1
  Architecture: amd64
  AzureImageoffer: ubuntu-24_04-lts
  AzureImagepublisher: canonical
  AzureImagesku: server
  AzureImageversion: 24.04.202409260
  AzureVmsize: Standard_D2s_v3
  CasperMD5CheckResult: unknown
  CloudArchitecture: x86_64
  CloudBuildName: server
  CloudID: azure
  CloudName: azure
  CloudPlatform: azure
  CloudRegion: uksouth
  CloudSerial: 20240926
  CloudSubPlatform: config-disk (/dev/sr0)
  Date: Thu Oct 3 13:10:31 2024
  ProcEnviron:
   LANG=C.UTF-8
   PATH=(custom, no user)
   SHELL=/bin/bash
   TERM=xterm-256color
  ProcKernelCmdline: BOOT_IMAGE=/vmlinuz-6.8.0-1015-azure root=PARTUUID=1a6a002b-5407-43ed-a20a-67c0e584807b ro console=tty1 console=ttyS0 earlyprintk=ttyS0 nvme_core.io_timeout=240 panic=-1
  SourcePackage: apparmor
  Syslog: 2024-10-03T12:49:13.160018+00:00 mp-test-noble dbus-daemon[1044]: [system] AppArmor D-Bus mediation is enabled
  UpgradeStatus: No upgrade log present (probably fresh install)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2083612/+subscriptions

--
Mailing list: https://launchpad.net/~touch-packages
Post to     : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 2083612] Re: aa-remove-unknown: I/O error for unconfined profiles
This was fixed upstream with https://gitlab.com/apparmor/apparmor/-/merge_requests/1240
[Touch-packages] [Bug 2081692] Re: apparmor profile too restrictive : kernel logs spammed with ~/.cache/mesa_shader_cache_db accesses
Fix submitted for AppArmor upstream: https://gitlab.com/apparmor/apparmor/-/merge_requests/1333

Until the fix arrives in Ubuntu, you can add the additional lines to your /etc/apparmor.d/abstractions/mesa or (better) create a file /etc/apparmor.d/abstractions/mesa.d/lp2081692 with the added lines.

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/2081692

Title:
  apparmor profile too restrictive : kernel logs spammed with ~/.cache/mesa_shader_cache_db accesses

Status in apparmor package in Ubuntu:
  New
Status in xorg-server package in Ubuntu:
  Invalid

Bug description:
  Hi,

  I am running Plasma on X11, and Xorg is running in AppArmor complain mode:

  # aa-status
  [...]
  1 processes are in complain mode.
     /usr/lib/xorg/Xorg (5903) Xorg

  The kernel logs are spammed with the following AppArmor messages:

  # dmesg | grep mesa_shader_cache_db
  [ 30.513476] audit: type=1400 audit(1727008543.347:433): apparmor="ALLOWED" operation="mknod" class="file" profile="Xorg" name="/home/bonnaudl/.cache/mesa_shader_cache_db/part0/mesa_cache.db" pid=5903 comm="Xorg" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
  [ 30.513562] audit: type=1400 audit(1727008543.347:434): apparmor="ALLOWED" operation="open" class="file" profile="Xorg" name="/home/bonnaudl/.cache/mesa_shader_cache_db/part0/mesa_cache.db" pid=5903 comm="Xorg" requested_mask="rc" denied_mask="rc" fsuid=1000 ouid=1000
  [ 30.513584] audit: type=1400 audit(1727008543.347:435): apparmor="ALLOWED" operation="open" class="file" profile="Xorg" name="/home/bonnaudl/.cache/mesa_shader_cache_db/part0/mesa_cache.db" pid=5903 comm="Xorg" requested_mask="wr" denied_mask="wr" fsuid=1000 ouid=1000
  [ 30.513592] audit: type=1400 audit(1727008543.347:436): apparmor="ALLOWED" operation="mknod" class="file" profile="Xorg" name="/home/bonnaudl/.cache/mesa_shader_cache_db/part0/mesa_cache.idx" pid=5903 comm="Xorg" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000

  I think that the Xorg AppArmor profile should be updated to allow those accesses.

  ProblemType: Bug
  DistroRelease: Ubuntu 24.10
  Package: xserver-xorg-core 2:21.1.13-2ubuntu1
  ProcVersionSignature: Ubuntu 6.11.0-7.7-generic 6.11.0-rc7
  Uname: Linux 6.11.0-7-generic x86_64
  ApportVersion: 2.30.0-0ubuntu2
  Architecture: amd64
  CasperMD5CheckResult: unknown
  CompositorRunning: None
  CurrentDesktop: KDE
  Date: Mon Sep 23 09:36:08 2024
  DistUpgraded: Fresh install
  DistroCodename: oracular
  DistroVariant: ubuntu
  ExtraDebuggingInterest: Yes
  GraphicsCard:
   Advanced Micro Devices, Inc. [AMD/ATI] Phoenix1 [1002:15bf] (rev d7) (prog-if 00 [VGA controller])
     Subsystem: Hewlett-Packard Company Device [103c:8b6e]
  MachineType: HP HP EliteBook 865 16 inch G10 Notebook PC
  ProcKernelCmdLine: BOOT_IMAGE=/boot/vmlinuz-6.11.0-7-generic root=/dev/mapper/MonVolume-Racine ro vsyscall=none security=apparmor preempt=full split_lock_detect=warn quiet splash crashkernel=2G-4G:320M,4G-32G:512M,32G-64G:1024M,64G-128G:2048M,128G-:4096M vt.handoff=7
  SourcePackage: xorg-server
  UpgradeStatus: No upgrade log present (probably fresh install)
  dmi.bios.date: 06/18/2024
  dmi.bios.release: 5.11
  dmi.bios.vendor: HP
  dmi.bios.version: V82 Ver. 01.05.11
  dmi.board.name: 8B6E
  dmi.board.vendor: HP
  dmi.board.version: KBC Version 60.2E.60
  dmi.chassis.type: 10
  dmi.chassis.vendor: HP
  dmi.ec.firmware.release: 96.46
  dmi.modalias: dmi:bvnHP:bvrV82Ver.01.05.11:bd06/18/2024:br5.11:efr96.46:svnHP:pnHPEliteBook86516inchG10NotebookPC:pvrSBKPF:rvnHP:rn8B6E:rvrKBCVersion60.2E.60:cvnHP:ct10:cvr:sku70A94AV:
  dmi.product.family: 103C_5336AN HP EliteBook
  dmi.product.name: HP EliteBook 865 16 inch G10 Notebook PC
  dmi.product.sku: 70A94AV
  dmi.product.version: SBKPF
  dmi.sys.vendor: HP
  version.compiz: compiz 1:0.9.14.2+22.10.20220822-0ubuntu12
  version.libdrm2: libdrm2 2.4.122-1
  version.libgl1-mesa-dri: libgl1-mesa-dri 24.2.2-1ubuntu1
  version.libgl1-mesa-glx: libgl1-mesa-glx N/A
  version.xserver-xorg-core: xserver-xorg-core 2:21.1.13-2ubuntu1
  version.xserver-xorg-input-evdev: xserver-xorg-input-evdev 1:2.10.6-2build3
  version.xserver-xorg-video-ati: xserver-xorg-video-ati 1:22.0.0-1build1
  version.xserver-xorg-video-intel: xserver-xorg-video-intel N/A
  version.xserver-xorg-video-nouveau: xserver-xorg-video-nouveau 1:1.0.17-3ubuntu1
[Touch-packages] [Bug 2078467] Re: aa-enforce /etc/apparmor.d/* - Error
For reference: This was fixed upstream with https://gitlab.com/apparmor/apparmor/-/merge_requests/1218 in April.

Until fixed Ubuntu packages are available, you can manually apply the (simple) patch from that merge request.

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/2078467

Title:
  aa-enforce /etc/apparmor.d/* - Error

Status in apparmor package in Ubuntu:
  Confirmed

Bug description:
  Executing "aa-enforce /etc/apparmor.d/*" does not work on Ubuntu 24.04. There is already an upstream fix (https://gitlab.com/apparmor/apparmor/-/merge_requests/1218/diffs?commit_id=6f9e841e74f04cac78da71fd2e8af3f973af94fc).

  Suspect more will run into this issue now when the CIS Benchmark for Ubuntu 24.04 was released this week.

  Description: Ubuntu 24.04.1 LTS
  Release: 24.04

  ---
  root@ubuntu2404:/etc/apparmor.d# dpkg -l |grep apparmor
  ii  apparmor             4.0.1really4.0.0-beta3-0ubuntu0.1  amd64  user-space parser utility for AppArmor
  ii  apparmor-profiles    4.0.1really4.0.0-beta3-0ubuntu0.1  all    experimental profiles for AppArmor security policies
  ii  apparmor-utils       4.0.1really4.0.0-beta3-0ubuntu0.1  all    utilities for controlling AppArmor
  ii  libapparmor1:amd64   4.0.1really4.0.0-beta3-0ubuntu0.1  amd64  changehat AppArmor library
  ii  python3-apparmor     4.0.1really4.0.0-beta3-0ubuntu0.1  all    AppArmor Python3 utility library
  ii  python3-libapparmor  4.0.1really4.0.0-beta3-0ubuntu0.1  amd64  AppArmor library Python3 bindings
  ---

  ---
  root@ubuntu2404:/etc/apparmor.d# aa-enforce /etc/apparmor.d/*
  Setting /etc/apparmor.d/1password to enforce mode.
Traceback (most recent call last): File "/usr/sbin/aa-enforce", line 33, in tool.cmd_enforce() File "/usr/lib/python3/dist-packages/apparmor/tools.py", line 134, in cmd_enforce for (program, prof_filename, output_name) in self.get_next_for_modechange(): File "/usr/lib/python3/dist-packages/apparmor/tools.py", line 97, in get_next_for_modechange aaui.UI_Info(_('Profile for %s not found, skipping') % output_name) ^^^ TypeError: 'NoneType' object is not callable An unexpected error occurred! For details, see /tmp/apparmor-bugreport-yi5o6kwm.txt Please consider reporting a bug at https://gitlab.com/apparmor/apparmor/-/issues and attach this file. - Workaround is to edit /usr/lib/python3/dist-packages/apparmor/tools.py as the upstream fix suggests. -for (program, _, prof_filename) in self.get_next_to_profile(): +for (program, _ignored, prof_filename) in self.get_next_to_profile(): -for (program, _, prof_filename) in self.get_next_to_profile(): +for (program, _ignored, prof_filename) in self.get_next_to_profile(): Then it works: root@ubuntu2404:/etc/apparmor.d# vim /usr/lib/python3/dist-packages/apparmor/tools.py root@ubuntu2404:/etc/apparmor.d# aa-enforce /etc/apparmor.d/* Setting /etc/apparmor.d/1password to enforce mode. Profile for /etc/apparmor.d/abi not found, skipping Profile for /etc/apparmor.d/abstractions not found, skipping Profile for /etc/apparmor.d/apache2.d not found, skipping Setting /etc/apparmor.d/bin.ping to enforce mode. Setting /etc/apparmor.d/brave to enforce mode. Setting /etc/apparmor.d/buildah to enforce mode. Setting /etc/apparmor.d/busybox to enforce mode. Setting /etc/apparmor.d/cam to enforce mode. Setting /etc/apparmor.d/ch-checkns to enforce mode. Setting /etc/apparmor.d/chrome to enforce mode. Setting /etc/apparmor.d/ch-run to enforce mode. Setting /etc/apparmor.d/code to enforce mode. Setting /etc/apparmor.d/crun to enforce mode. Setting /etc/apparmor.d/devhelp to enforce mode. 
Profile for /etc/apparmor.d/disable not found, skipping Setting /etc/apparmor.d/Discord to enforce mode. Setting /etc/apparmor.d/element-desktop to enforce mode. Setting /etc/apparmor.d/epiphany to enforce mode. Setting /etc/apparmor.d/evolution to enforce mode. Setting /etc/apparmor.d/firefox to enforce mode. Setting /etc/apparmor.d/flatpak to enforce mode. Profile for /etc/apparmor.d/force-complain not found, skipping Setting /etc/apparmor.d/geary to enforce mode. Setting /etc/apparmor.d/github-desktop to enforce mode. Setting /etc/apparmor.d/goldendict to enforce mode. Setting /etc/apparmor.d/ipa_verify to enforce mode. Setting /etc/apparmor.d/kchmviewer to enforce mode. Setting /etc/apparmor.d/keybase to enforce mode. Setting /etc/apparmor.d/lc-compliance to en
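Review bot: the two -/+ pairs in the workaround are identical and carry no file offsets or surrounding context, so a reader patching /usr/lib/python3/dist-packages/apparmor/tools.py by hand cannot tell which two loops are meant; name the enclosing functions (the traceback points at get_next_for_modechange) or cite the upstream commit's line numbers. The rename from `_` to `_ignored` matters because the failing line calls `_` as the translation function in `aaui.UI_Info(_('Profile for %s not found, skipping') % output_name)`, so any other place in the module that unpacks into `_` would fail the same way; a grep for `, _,` in tools.py before and after editing would confirm none remain.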
[Touch-packages] [Bug 2068612] Re: Please remove wireless-tools from oracular
Hey Ravi,
thanks for driving this! We see progress on the meta packages \o/.

Furthermore I was able to process many but not all of the related removals. Therefore it might be time to re-check, summarize and double down on the few tasks that are left to make it in time for beta freeze?

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to ubuntu-meta in Ubuntu.
https://bugs.launchpad.net/bugs/2068612

Title:
  Please remove wireless-tools from oracular

Status in kubuntu-meta package in Ubuntu:
  Fix Released
Status in lubuntu-meta package in Ubuntu:
  New
Status in ubuntu-gnome-meta package in Ubuntu:
  New
Status in ubuntu-meta package in Ubuntu:
  Fix Released
Status in wireless-tools package in Ubuntu:
  Confirmed

Bug description:
  Wireless Extensions support in the kernel has been deprecated[1] for a long time now. wireless-tools[2] userspace utility should be removed.

  iw[3] is considered as the alternate. See page[4] for comparison between wireless-tools and iw. iw supports everything except deprecated Wireless-Extensions. See page[5] for replacing iwconfig with iw.

  $ reverse-depends wireless-tools
  Reverse-Recommends
  ==
  * broadcom-sta-dkms
  * hw-probe
  * laptop-mode-tools
  * task-laptop
  * whereami

  Reverse-Depends
  ===
  * aircrack-ng [amd64 ppc64el s390x]
  * kubuntu-desktop [amd64 arm64 armhf ppc64el]
  * lubuntu-desktop [amd64 arm64 armhf ppc64el s390x]
  * vanilla-gnome-desktop [amd64 arm64 armhf ppc64el]

  Packages without architectures listed are reverse-dependencies in: amd64, arm64, armhf, i386, ppc64el, s390x

  $ reverse-depends -b wireless-tools
  Reverse-Build-Depends
  =
  * networkd-dispatcher

  [1] https://wireless.wiki.kernel.org/en/developers/documentation/wireless-extensions
  [2] https://hewlettpackard.github.io/wireless-tools/Tools.html
  [3] https://wireless.wiki.kernel.org/en/users/documentation/iw
  [4] https://wiki.archlinux.org/title/Network_configuration/Wireless#iw_and_wireless_tools_comparison
  [5] https://wireless.wiki.kernel.org/en/users/documentation/iw/replace-iwconfig
[Touch-packages] [Bug 2077413] Re: apparmor unconfined profile blocks signal sending
> comm="apparmor_signal" requested_mask="receive" denied_mask="receive" signal=kill peer="/home/ubuntu/apparmor_signal_test_wrap.sh"

So you get a denial for receiving a signal from peer="/home/ubuntu/apparmor_signal_test_wrap.sh" - which is not surprising because that peer has a profile:

> "/home/ubuntu/apparmor_signal_test_wrap.sh" flags=(unconfined) {

This profile has the unconfined _flag_, but the profile name is "/home/ubuntu/apparmor_signal_test_wrap.sh" (_not_ "unconfined").

Note that abstractions/base allows

    signal (receive) peer=unconfined,

- and "unconfined" does not match your profile name.

In other words: this looks like normal and expected behaviour to me.

You'll need to add a rule

    signal (receive) peer=/home/ubuntu/apparmor_signal_test_wrap.sh,

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/2077413

Title:
  apparmor unconfined profile blocks signal sending

Status in AppArmor:
  New
Status in apparmor package in Ubuntu:
  New

Bug description:
  Dear friends,

  if I'm not missing anything it looks like we have one more bug with unconfined AppArmor profiles.

  Reproducer description.

  1. Create 4 files with the following content:

  # cat apparmor_signal_test_wrap.sh
  #!/bin/sh
  cat /proc/self/attr/apparmor/current
  ./apparmor_signal_test.sh
  kill -9 $(cat test.pid)

  # cat apparmor_signal_test.sh
  #!/bin/sh
  cat /proc/self/attr/apparmor/current
  sleep 1000 &
  echo $! > test.pid

  # cat /etc/apparmor.d/home.ubuntu.apparmor_signal_test_wrap
  #include
  "/home/ubuntu/apparmor_signal_test_wrap.sh" flags=(unconfined) {
    #include
    capability,
    dbus,
    file,
    network,
  }

  # cat /etc/apparmor.d/home.ubuntu.apparmor_signal_test
  #include
  "/home/ubuntu/apparmor_signal_test.sh" {
    #include
    capability,
    dbus,
    file,
    network,
  }

  2. Load AppArmor profiles:

  apparmor_parser -r /etc/apparmor.d/home.ubuntu.apparmor_signal_test
  apparmor_parser -r /etc/apparmor.d/home.ubuntu.apparmor_signal_test_wrap

  3. run program

  # ./apparmor_signal_test_wrap.sh
  /home/ubuntu/apparmor_signal_test_wrap.sh (unconfined)
  /home/ubuntu/apparmor_signal_test.sh (enforce)
  ./apparmor_signal_test_wrap.sh: 7: kill: Permission denied

  4. check dmesg:

  [ 4043.092218] audit: type=1400 audit(1724153768.037:191): apparmor="DENIED" operation="signal" class="signal" profile="/home/ubuntu/apparmor_signal_test.sh" pid=10561 comm="apparmor_signal" requested_mask="receive" denied_mask="receive" signal=kill peer="/home/ubuntu/apparmor_signal_test_wrap.sh"

  Expected behavior:
  ./apparmor_signal_test_wrap.sh should exit without any errors.

  This bug affects LXD when we enable a new unconfined mode (in lxd-support snapd interface).

  Originally, this problem was reported as a comment in another LP bug for AppArmor:
  https://bugs.launchpad.net/apparmor/+bug/2067900/comments/2
  but it looks like problem is deeper in this case.

  We had to revert:
  https://github.com/canonical/lxd-pkg-snap/pull/489
  because of this and a few other issues.

  System info:

  # cat /etc/os-release
  PRETTY_NAME="Ubuntu 24.04 LTS"
  NAME="Ubuntu"
  VERSION_ID="24.04"
  VERSION="24.04 LTS (Noble Numbat)"

  # uname -a
  Linux ubuntu 6.8.0-40-generic #40-Ubuntu SMP PREEMPT_DYNAMIC Fri Jul 5 10:34:03 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux

  # apt info apparmor
  Package: apparmor
  Version: 4.0.1really4.0.0-beta3-0ubuntu0.1

  # apparmor_parser -V
  AppArmor parser version 4.0.0~beta3
  Copyright (C) 1999-2008 Novell Inc.
  Copyright 2009-2018 Canonical Ltd.
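Added example, not part of the original messages and not AppArmor's own tooling: a small parser for the AppArmor audit records quoted in these reports. It decodes the hex-encoded name= value from the bug 2083612 kern.log entry, collapses repeated records such as the mesa_shader_cache_db ones, and builds the signal rule described in the bug 2077413 reply from the denial itself. The function names and the choice of which fields to treat as strings are assumptions of this example.

```python
import errno
import re
from collections import Counter

# Records copied from the bug reports on this page (syslog prefixes trimmed).
SAMPLE_LOG = """\
audit: type=1400 audit(1727961050.530:331): apparmor="STATUS" operation="profile_remove" info="profile does not exist" error=-2 profile="unconfined" name=74757865646F2D636F6E74726F6C2D63656E7465722028756E636F6E66696E656429 pid=8272 comm="aa-remove-unkno"
audit: type=1400 audit(1727008543.347:433): apparmor="ALLOWED" operation="mknod" class="file" profile="Xorg" name="/home/bonnaudl/.cache/mesa_shader_cache_db/part0/mesa_cache.db" pid=5903 comm="Xorg" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
audit: type=1400 audit(1727008543.347:434): apparmor="ALLOWED" operation="open" class="file" profile="Xorg" name="/home/bonnaudl/.cache/mesa_shader_cache_db/part0/mesa_cache.db" pid=5903 comm="Xorg" requested_mask="rc" denied_mask="rc" fsuid=1000 ouid=1000
audit: type=1400 audit(1710152842.540:107): apparmor="DENIED" operation="open" class="file" profile="/usr/sbin/chronyd" name="/etc/gnutls/config" pid=878 comm="chronyd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
audit: type=1400 audit(1724153768.037:191): apparmor="DENIED" operation="signal" class="signal" profile="/home/ubuntu/apparmor_signal_test.sh" pid=10561 comm="apparmor_signal" requested_mask="receive" denied_mask="receive" signal=kill peer="/home/ubuntu/apparmor_signal_test_wrap.sh"
"""

# key=value pairs; a value is either a double-quoted string or a bare token.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
HEX_RE = re.compile(r"(?:[0-9A-Fa-f]{2})+")
# Fields logged as strings (assumed set for this example). When such a
# string contains a space, a quote or a control character, the kernel audit
# code writes it unquoted and hex-encoded instead of quoted.
STRING_FIELDS = {"name", "profile", "peer", "comm", "info"}


def parse_record(line):
    """Return the fields of one AppArmor audit record, or None."""
    fields = {}
    for key, raw in FIELD_RE.findall(line):
        if len(raw) >= 2 and raw[0] == raw[-1] == '"':
            fields[key] = raw[1:-1]
        elif key in STRING_FIELDS and HEX_RE.fullmatch(raw):
            # Unquoted string field: hex-encoded, e.g. a name with a space.
            fields[key] = bytes.fromhex(raw).decode("utf-8", errors="replace")
        else:
            # Numeric or keyword field (pid=8272, signal=kill): keep as-is.
            fields[key] = raw
    if "apparmor" not in fields:
        return None
    try:
        # error=-2 is a negated errno value; add its symbolic name.
        fields["error_name"] = errno.errorcode.get(abs(int(fields["error"])), "?")
    except (KeyError, ValueError):
        pass
    return fields


def summarize(log):
    """Count records per (verdict, profile, name) to collapse log spam."""
    counts = Counter()
    for line in log.splitlines():
        rec = parse_record(line)
        if rec:
            key = (rec["apparmor"], rec.get("profile", ""), rec.get("name", ""))
            counts[key] += 1
    return counts


def suggest_signal_rule(rec):
    """For a denied signal, build the rule the confined profile is missing.

    The peer is matched by profile name, so a peer whose profile only has
    flags=(unconfined) is not covered by peer=unconfined.
    """
    if rec.get("apparmor") != "DENIED" or rec.get("operation") != "signal":
        return None
    return "signal ({}) peer={},".format(rec["denied_mask"], rec["peer"])


if __name__ == "__main__":
    for (verdict, profile, name), n in summarize(SAMPLE_LOG).items():
        print(n, verdict, profile, name)
    for line in SAMPLE_LOG.splitlines():
        rule = suggest_signal_rule(parse_record(line))
        if rule:
            print("candidate rule:", rule)
```

Review any generated rule before adding it to a profile; the function only restates what the denial asked for.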
[Touch-packages] [Bug 2062138] Re: test-logprof.py from test_utils_testsuite / test_utils_testsuite3 in ubuntu_qrt_apparmor failing on Azure Standard_A2_v2
** Also affects: apparmor
   Importance: Undecided
       Status: New

** Changed in: apparmor
       Status: New => Fix Released

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/2062138

Title:
  test-logprof.py from test_utils_testsuite / test_utils_testsuite3 in ubuntu_qrt_apparmor failing on Azure Standard_A2_v2

Status in AppArmor:
  Fix Released
Status in ubuntu-kernel-tests:
  New
Status in apparmor package in Ubuntu:
  Fix Released
Status in apparmor source package in Mantic:
  Won't Fix

Bug description:
  This issue can be found on M-generic 6.5.0-34.34 and M-lowlatency 6.5.0-27.28.1 on Azure instance Standard_A2_v2

  The test-logprof.py test from ApparmorTestsuites.test_utils_testsuite and test_utils_testsuite3 failed with:

  $ sudo python3 ./test-logprof.py
  E
  ==
  ERROR: test_0 (__main__.TestLogprof.test_0)
  test 'ping'
  --
  Traceback (most recent call last):
    File "/tmp/mine/source/mantic/apparmor-4.0.0~alpha2/utils/test/common_test.py", line 90, in stub_test
      self._run_test(test_data, expected)
    File "/tmp/mine/source/mantic/apparmor-4.0.0~alpha2/utils/test/./test-logprof.py", line 99, in _run_test
      self.process.wait(timeout=0.2)
    File "/usr/lib/python3.11/subprocess.py", line 1264, in wait
      return self._wait(timeout=timeout)
             ^^^
    File "/usr/lib/python3.11/subprocess.py", line 2038, in _wait
      raise TimeoutExpired(self.args, timeout)
  subprocess.TimeoutExpired: Command '['/usr/bin/python3', '../aa-logprof', '--json', '--configdir', './', '-f', './logprof/ping.auditlog', '-d', '/tmp/aa-test-7feu1ddr/profiles', '--no-check-mountpoint']' timed out after 0.2 seconds

  --
  Ran 1 test in 1.831s

  FAILED (errors=1)

  The fail rate is almost 100%, 3 successful out of 100 attempts.

  If you bump the timeout to 0.3 it will pass.

  We need this patch to be backported to apparmor on Mantic, or keep it as a patch file in q-r-t:
  https://gitlab.com/apparmor/apparmor/-/commit/dd9b7b358f0dd0887767a5840ed7f7499aa50ee6
[Touch-packages] [Bug 2064096] Re: Services fail to start in noble deployed with TPM+FDE
Thanks for the great debug work so far already, I think it is "apparmor or kernel" enough that we should add those packages and subscribe a few folks we know dealing with those details - I'd start with jjohansen as he'd be the best to map us to either knowledge or a known case.

** Also affects: apparmor (Ubuntu)
   Importance: Undecided
       Status: New

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to cups in Ubuntu.
https://bugs.launchpad.net/bugs/2064096

Title:
  Services fail to start in noble deployed with TPM+FDE

Status in apparmor package in Ubuntu:
  New
Status in cups package in Ubuntu:
  Confirmed
Status in rsyslog package in Ubuntu:
  Confirmed
Status in sssd package in Ubuntu:
  Confirmed

Bug description:
  What's known so far:
  - 24.04 desktop deployed with TPM+FDE shows this bug
  - services confined with apparmor that need to access something in /run/systemd (like the notify socket) fail to do so, even if the apparmor profile is in complain mode. And the apparmor profile does already have rules to allow that access
  - only after running aa-disable can the service start fine
  - paths logged by the apparmor DENIED or ALLOWED messages are missing the "/run" prefix from "/run/systemd/..".
  - When we add rules to the profile using "/systemd/" (i.e., also dropping the /run prefix), then it works
  - other access in /run/systemd/ are also blocked, but the most noticeable one is the notify mechanism
  - comment #2 also states that azure CVM images are also impacted
  - comment #4 has instructions on how to create such a VM locally with LXD vms

  Original description follows:

  This might be related to #2064088

  The rsyslog service is continually timing out and restarting. If I use a service drop-in file and change the 'Type' from 'notify' to 'simple', the service starts and appears to work normally.

  In the journal, I can see the attached apparmor errors. I can't make sense of them, but if it's a similar issue to #2064088, then I suspect apparmor is preventing the systemd notify function from alerting systemd that the service is up and running.

  ProblemType: Bug
  DistroRelease: Ubuntu 24.04
  Package: rsyslog 8.2312.0-3ubuntu9
  ProcVersionSignature: Ubuntu 6.8.0-31.31-generic 6.8.1
  Uname: Linux 6.8.0-31-generic x86_64
  ApportVersion: 2.28.1-0ubuntu2
  Architecture: amd64
  CasperMD5CheckMismatches: ./boot/grub/grub.cfg
  CasperMD5CheckResult: fail
  CurrentDesktop: ubuntu:GNOME
  Date: Mon Apr 29 10:37:46 2024
  ProcEnviron:
   LANG=en_GB.UTF-8
   PATH=(custom, no user)
   SHELL=/bin/bash
   TERM=xterm-256color
   XDG_RUNTIME_DIR=
  SourcePackage: rsyslog
  UpgradeStatus: No upgrade log present (probably fresh install)
[Touch-packages] [Bug 1876486] Re: systemd breaks due to old libsecomp libs left on the system
Hi Jeremy

> I do not understand why bugs like this cannot get fixed even years after
> several people have reported the same issue and the repro steps are clear

I understand this might seem frustrating, but the TL;DR is:
Because it isn't as clear as it might seem

Detail:
As you see throughout the discussions many have tried to recreate it with those steps but it was not triggering for further debugging. Just to be sure I did try to recreate again in a new clean system (this time direct upgrades, no do-release-upgrade) upgrading X-B-F => no issues. I also rechecked the libseccomp.so files - always had only those belonging to the current installed version.

As you can see the open question is either:
a) find the details to the steps to really recreate this or
b) finding out where the older files came from as they have in none of the cases been part of the system that was upgraded from but from somewhere further in the past.

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to libseccomp in Ubuntu.
https://bugs.launchpad.net/bugs/1876486

Title:
  systemd breaks due to old libsecomp libs left on the system

Status in libseccomp package in Ubuntu:
  Expired

Bug description:
  Upgraded Ubuntu 18.04 to 20.04. Following the upgrade, booting was not possible. The error message is:

  /sbin/init: symbol lookup error: /lib/systemd/libsystemd-shared-245.so: undefined symbol: seccomp_api_get
  [4.608900] Kernel panic - not syncing: Attempted to kill init! exitcode=0x7f00

  See also attached photograph of screen during boot.

  Upgrade followed steps from here:
  https://help.ubuntu.com/community/FocalUpgrades/Kubuntu
  With the exception that the -d flag was used for the do-release-upgrade:
  sudo do-release-upgrade -d -m desktop

  1) The release of Ubuntu you are using, via 'lsb_release -rd' or System -> About Ubuntu
  Prior to upgrade: Ubuntu 18.04.4
  After upgrade (but never booted): Ubuntu (Kubuntu) 20.04
  Note that Ubuntu had originally been installed, but kubuntu-desktop was recently installed to change to Kubuntu, but no booting problems were experienced before updating to 20.04.

  2) The version of the package you are using, via 'apt-cache policy pkgname' or by checking in
  Unknown -- Package version may have changed when upgrading to 20.04.

  3) What you expected to happen
  Boot without kernel panic.

  4) What happened instead
  Could not boot. Even selecting safe mode from grub could not boot. Had to restore system from backups. Will not attempt upgrade again.
[Touch-packages] [Bug 2056739] Re: apparmor="DENIED" operation="open" class="file" profile="virt-aa-helper" name="/etc/gnutls/config"
FYI the fix and a related cleanup are merged into upstream apparmor and I'd expect the next upload to Ubuntu to then fix this issue.

@Martin Thanks for the extra info for completeness, I assume we might find even more if we spend more time (but that would provide no extra gain).

@John Up to you then, I'll assign the apparmor task to you to represent that I'm not driving that part

** Changed in: chrony (Ubuntu)
     Assignee: (unassigned) => John Johansen (jjohansen)

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/2056739

Title:
  apparmor="DENIED" operation="open" class="file" profile="virt-aa-helper" name="/etc/gnutls/config"

Status in apparmor package in Ubuntu: In Progress
Status in chrony package in Ubuntu: Won't Fix
Status in gnutls28 package in Ubuntu: Won't Fix
Status in libvirt package in Ubuntu: Won't Fix
Status in apparmor source package in Noble: In Progress
Status in chrony source package in Noble: Won't Fix
Status in gnutls28 source package in Noble: Won't Fix
Status in libvirt source package in Noble: Won't Fix

Bug description:
  Christian summarizes this after the great reports by Martin:

  gnutls started to ship forceful disables in pkg/import/3.8.1-4ubuntu3 and added more later.

  Due to that anything linked against gnutls while being apparmor isolated now hits similar denials, preventing the desired effect of the config change BTW.

  I think for safety we WANT to always allow this access, otherwise people will subtly not have crypto control about the more important (those isolated) software. Because after the denial I'd expect this to not really disable it in the program linked to gnutls (details might vary depending what they really use gnutls for).

  I do not know of a gnutls abstraction to use, but TBH I'm afraid now fixing a few but leaving this open in some others not spotted.

  I'd therefore suggest, but we need to discuss, to therefore change it in /etc/apparmor.d/abstractions/base.

  Therefore I'm adding gnutls (and Adrien) as well as apparmor to the bug tasks.

  --- --- --- --- --- --- --- --- --- --- --- --- --- --- --- --- --- --- --- --- --- --- --- ---

  Merely booting current noble cloud image with "chrony" installed causes this:

  audit: type=1400 audit(1710152842.540:107): apparmor="DENIED" operation="open" class="file" profile="/usr/sbin/chronyd" name="/etc/gnutls/config" pid=878 comm="chronyd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0

  --- --- --- --- --- --- --- --- --- --- --- --- --- --- --- --- --- --- --- --- --- --- --- ---

  Running any VM in libvirt causes a new AppArmor violation in current noble. This is a regression, this didn't happen in any previous release.

  Reproducer:

    virt-install --memory 50 --pxe --virt-type qemu --os-variant alpinelinux3.8 --disk none --wait 0 --name test1

  (This is the simplest way to create a test VM. But its form or shape doesn't matter at all).

  Results in lots of

  audit: type=1400 audit(1710146677.570:108): apparmor="DENIED" operation="open" class="file" profile="virt-aa-helper" name="/etc/gnutls/config" pid=1480 comm="virt-aa-helper" requested_mask="r" denied_mask="r" fsuid=0 ouid=0

  libvirt-daemon 10.0.0-2ubuntu1
  apparmor 4.0.0~alpha4-0ubuntu1
  libgnutls30:amd64 3.8.3-1ubuntu1

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2056739/+subscriptions

--
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help : https://help.launchpad.net/ListHelp
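The bug description worries that the same denial appears under several unrelated profiles, so per-profile fixes leave some cases unspotted. The following Python script is an added example (not part of the bug report or of AppArmor): it groups `apparmor="DENIED"` audit records by denied path and lists the paths hit under more than one profile. The third sample record, the function names and the `/etc/` to `@{etc_ro}` mapping are assumptions of this example.

```python
import re
from collections import defaultdict

# The first two records are the denials quoted in this bug. The third is
# constructed for this example: a hypothetical profile and a hex-encoded name
# (the audit subsystem emits unquoted hex for strings that contain spaces).
SAMPLE_LOG = """\
audit: type=1400 audit(1710152842.540:107): apparmor="DENIED" operation="open" class="file" profile="/usr/sbin/chronyd" name="/etc/gnutls/config" pid=878 comm="chronyd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
audit: type=1400 audit(1710146677.570:108): apparmor="DENIED" operation="open" class="file" profile="virt-aa-helper" name="/etc/gnutls/config" pid=1480 comm="virt-aa-helper" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
audit: type=1400 audit(1710146700.000:109): apparmor="DENIED" operation="open" class="file" profile="example-daemon" name=2F746D702F612062 pid=1500 comm="example-daemon" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
"""

FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
HEX_RE = re.compile(r'(?:[0-9A-Fa-f]{2})+')
# Fields that carry strings; an unquoted value in one of these is hex-encoded.
STRING_FIELDS = {"profile", "name", "comm", "info"}


def parse_record(line):
    """Return the key/value fields of one AppArmor audit record, or None."""
    if "type=1400" not in line or "apparmor=" not in line:
        return None
    fields = {}
    for key, quoted, bare in FIELD_RE.findall(line):
        if bare and key in STRING_FIELDS and HEX_RE.fullmatch(bare):
            fields[key] = bytes.fromhex(bare).decode("utf-8", "replace")
        else:
            fields[key] = bare or quoted
    return fields


def denials_by_path(lines):
    """Map (path, denied_mask) to the set of profiles that were denied it."""
    seen = defaultdict(set)
    for line in lines:
        rec = parse_record(line)
        if not rec or rec.get("apparmor") != "DENIED":
            continue
        if "name" in rec and "denied_mask" in rec and "profile" in rec:
            seen[(rec["name"], rec["denied_mask"])].add(rec["profile"])
    return seen


def shared_denials(lines, min_profiles=2):
    """Paths denied under several profiles: candidates for a shared abstraction."""
    result = []
    for (path, mask), profiles in sorted(denials_by_path(lines).items()):
        if len(profiles) >= min_profiles:
            result.append((path, mask, sorted(profiles)))
    return result


def suggest_rule(path, mask):
    """Draft a rule in the style of abstractions/base, for human review only."""
    if path.startswith("/etc/"):
        path = "@{etc_ro}/" + path[len("/etc/"):]
    if re.search(r"\s", path):
        path = f'"{path}"'  # AppArmor requires quoting for paths with spaces
    return f"{path} {mask},"


if __name__ == "__main__":
    for path, mask, profiles in shared_denials(SAMPLE_LOG.splitlines()):
        print(f"{path} ({mask}) denied under: {', '.join(profiles)}")
        print(f"  draft rule to review: {suggest_rule(path, mask)}")
```

A path that shows up under a single profile is left out of the report, since that is more likely a profile-specific gap than something for a shared abstraction.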
[Touch-packages] [Bug 2056739] Re: apparmor="DENIED" operation="open" class="file" profile="virt-aa-helper" name="/etc/gnutls/config"
FYI - submitted as https://gitlab.com/apparmor/apparmor/-/merge_requests/1178

@John if merged, would you mind adding a bug-ref to the Ubuntu upload changelog so this bug 2056739 closes?

Given that there seems to be some agreement to fix this in apparmor, I'll set the other tasks to "Won't Fix"

** Changed in: libvirt (Ubuntu Noble)
       Status: New => Won't Fix

** Changed in: gnutls28 (Ubuntu Noble)
       Status: New => Won't Fix

** Changed in: chrony (Ubuntu Noble)
       Status: New => Won't Fix

** Changed in: apparmor (Ubuntu Noble)
       Status: New => In Progress
[Touch-packages] [Bug 2056739] Re: apparmor="DENIED" operation="open" class="file" profile="virt-aa-helper" name="/etc/gnutls/config"
Suggestion would be something like: --- /etc/apparmor.d/abstractions/crypto.orig2024-03-11 11:05:24.027597234 + +++ /etc/apparmor.d/abstractions/crypto 2024-03-11 11:06:12.035895701 + 
@@ -24,4 +24,7 @@ /etc/crypto-policies/*/*.txt r, /usr/share/crypto-policies/*/*.txt r, + # Global gnutls config + @{etc_ro}/gnutls/config + include if exists
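Review bot: the added `@{etc_ro}/gnutls/config` rule, as it appears in this hunk, carries no access mode and no terminating comma, unlike the `/etc/crypto-policies/*/*.txt r,` context lines directly above it. Every denial quoted in this bug shows requested_mask="r" and denied_mask="r", so read-only access is all that is needed and the rule should read `@{etc_ro}/gnutls/config r,`. The trailing `include if exists` line also shows no target here, so it is worth checking against the file on disk before applying the patch.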
[Touch-packages] [Bug 2056739] Re: apparmor="DENIED" operation="open" class="file" profile="virt-aa-helper" name="/etc/gnutls/config"
There is precedence in /etc/apparmor.d/abstractions/base holding various rules like these

$ grep etc_ro /etc/apparmor.d/abstractions/base
  @{etc_ro}/locale/** r,
  @{etc_ro}/locale.alias r,
  @{etc_ro}/localtime r,
  @{etc_ro}/bindresvport.blacklist r,
  @{etc_ro}/ld.so.cache mr,
  @{etc_ro}/ld.so.conf r,
  @{etc_ro}/ld.so.conf.d/{,*.conf} r,
  @{etc_ro}/ld.so.preload r,
  @{etc_ro}/ld-musl-*.path r,

I'd think the better fix is to allow it there.

Actually, base isn't the best. I think it should go into /etc/apparmor.d/abstractions/crypto (which is included by base).

If Adrien knows about similar, "whoever uses it should have read access to that config to restrict it accordingly" config files we might want to add them all in one block there.
[Touch-packages] [Bug 2056739] Re: apparmor="DENIED" operation="open" class="file" profile="virt-aa-helper" name="/etc/gnutls/config"
** Description changed: + Christian summarizes this after the great reports by Martin: + + gnutls started to ship forceful disables in pkg/import/3.8.1-4ubuntu3 + and added more later. + + Due to that anything linked against gnutls while being apparmor isolated + now hits similar denials, preventing the desired effect of the config + change BTW. + + I think for safety we WANT to always allow this access, otherwise people + will subtly not have crypto control about the more important (those + isolated) software. Because after the denial I'd expect this to not + really disable it in the program linked to gnutls (details might vary + depending what they really use gnutls for). + + I do not nkow of a gnutls abstraction to use, but TBH I'm afraid now + fixing a few but leaving this open in some others not spotted. + + I'd therefore suggest, but we need to discuss, to therefore change it in + /etc/apparmor.d/abstractions/base. + + Therefore I'm adding gnutls (and Adrien) as well as apparmor to the bug + tasks. + --- --- Merely booting current noble cloud image with "chrony" installed causes this: audit: type=1400 audit(1710152842.540:107): apparmor="DENIED" operation="open" class="file" profile="/usr/sbin/chronyd" name="/etc/gnutls/config" pid=878 comm="chronyd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0 - --- + --- --- Running any VM in libvirt causes a new AppArmor violation in current noble. This is a regression, this didn't happen in any previous release. Reproducer: virt-install --memory 50 --pxe --virt-type qemu --os-variant alpinelinux3.8 --disk none --wait 0 --name test1 (This is the simplest way to create a test VM. But it's form or shape doesn't matter at all). 
Results in lots of audit: type=1400 audit(1710146677.570:108): apparmor="DENIED" operation="open" class="file" profile="virt-aa-helper" name="/etc/gnutls/config" pid=1480 comm="virt-aa-helper" requested_mask="r" denied_mask="r" fsuid=0 ouid=0 libvirt-daemon 10.0.0-2ubuntu1 apparmor 4.0.0~alpha4-0ubuntu1 libgnutls30:amd64 3.8.3-1ubuntu1 ** Also affects: gnutls28 (Ubuntu) Importance: Undecided Status: New ** Also affects: apparmor (Ubuntu) Importance: Undecided Status: New ** Description changed: Christian summarizes this after the great reports by Martin: gnutls started to ship forceful disables in pkg/import/3.8.1-4ubuntu3 and added more later. Due to that anything linked against gnutls while being apparmor isolated now hits similar denials, preventing the desired effect of the config change BTW. I think for safety we WANT to always allow this access, otherwise people will subtly not have crypto control about the more important (those isolated) software. Because after the denial I'd expect this to not really disable it in the program linked to gnutls (details might vary depending what they really use gnutls for). I do not nkow of a gnutls abstraction to use, but TBH I'm afraid now fixing a few but leaving this open in some others not spotted. I'd therefore suggest, but we need to discuss, to therefore change it in /etc/apparmor.d/abstractions/base. Therefore I'm adding gnutls (and Adrien) as well as apparmor to the bug tasks. 
- --- - --- - Merely booting current noble cloud image with "chrony" installed causes - this: + --- --- --- --- --- --- --- --- --- --- --- --- + --- --- --- --- --- --- --- --- --- --- --- --- + + + Merely booting current noble cloud image with "chrony" installed causes this: audit: type=1400 audit(1710152842.540:107): apparmor="DENIED" operation="open" class="file" profile="/usr/sbin/chronyd" name="/etc/gnutls/config" pid=878 comm="chronyd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0 - --- - --- - Running any VM in libvirt causes a new AppArmor violation in current - noble. This is a regression, this didn't happen in any previous release. + --- --- --- --- --- --- --- --- --- --- --- --- + --- --- --- --- --- --- --- --- --- --- --- --- + + + Running any VM in libvirt causes a new AppArmor violation in current noble. This is a regression, this didn't happen in any previous release. Reproducer: virt-install --memory 50 --pxe --virt-type qemu --os-variant alpinelinux3.8 --disk none --wait 0 --name test1 (This is the simplest way to create a test VM. But it's form or shape doesn't matter at all). Results in lots of audit: type=1400 audit(1710146677.570:108): apparmor="DENIED" operation="open" class="file" profile=&qu
[Touch-packages] [Bug 1833322] Re: Please consider no more having irqbalance enabled by default (per image/use-case/TBD)
I've added a section to the release notes summing this up and linking back here and to some of the past links.

** Changed in: ubuntu-release-notes
       Status: In Progress => Fix Released

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to ubuntu-meta in Ubuntu.
https://bugs.launchpad.net/bugs/1833322

Title:
  Please consider no more having irqbalance enabled by default (per image/use-case/TBD)

Status in cloud-images: New
Status in Release Notes for Ubuntu: Fix Released
Status in Ubuntu on IBM z Systems: Opinion
Status in irqbalance package in Ubuntu: Opinion
Status in ubuntu-meta package in Ubuntu: Fix Released

Bug description:
  as per https://github.com/pop-os/default-settings/issues/60

  Distribution (run cat /etc/os-release):

  $ cat /etc/os-release
  NAME="Pop!_OS"
  VERSION="19.04"
  ID=ubuntu
  ID_LIKE=debian
  PRETTY_NAME="Pop!_OS 19.04"
  VERSION_ID="19.04"
  HOME_URL="https://system76.com/pop";
  SUPPORT_URL="http://support.system76.com";
  BUG_REPORT_URL="https://github.com/pop-os/pop/issues";
  PRIVACY_POLICY_URL="https://system76.com/privacy";
  VERSION_CODENAME=disco
  UBUNTU_CODENAME=disco

  Related Application and/or Package Version (run apt policy $PACKAGE NAME):

  $ apt policy irqbalance
  irqbalance:
    Installed: 1.5.0-3ubuntu1
    Candidate: 1.5.0-3ubuntu1
    Version table:
   *** 1.5.0-3ubuntu1 500
          500 http://us.archive.ubuntu.com/ubuntu disco/main amd64 Packages
          100 /var/lib/dpkg/status

  $ apt rdepends irqbalance
  irqbalance
  Reverse Depends:
    Recommends: ubuntu-standard
    gce-compute-image-packages

  Issue/Bug Description:

  as per konkor/cpufreq#48 and http://konkor.github.io/cpufreq/faq/#irqbalance-detected

  irqbalance is technically not needed on desktop systems (supposedly it is mainly for servers), and may actually reduce performance and power savings. It appears to provide benefits only to server environments that have relatively-constant loading. If it is truly a server-oriented package, then it shouldn't be installed by default on a desktop/laptop system and shouldn't be included in desktop OS images.

  Steps to reproduce (if you know):

  This is potentially an issue with all default installs.

  Expected behavior:

  n/a

  Other Notes:

  I can safely remove it via "sudo apt purge irqbalance" without any apparent adverse side-effects. If someone is running a situation where they need it, then they always have the option of installing it from the repositories.

To manage notifications about this bug go to:
https://bugs.launchpad.net/cloud-images/+bug/1833322/+subscriptions

--
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1833322] Re: Please consider no more having irqbalance enabled by default (per image/use-case/TBD)
FYI: updated ubuntu-meta, now in noble-proposed as version 1.532
[Touch-packages] [Bug 1833322] Re: Please consider no more having irqbalance enabled by default (per image/use-case/TBD)
FYI: Seed change landed
[Touch-packages] [Bug 1833322] Re: Please consider no more having irqbalance enabled by default (per image/use-case/TBD)
Steve was so kind reviewing and approving my proposal.

Doing that now is also helpful as it should make sure it still has quite some exposure and thereby chances for people to report issues (vs if we'd land it much later like after beta freeze).

Changes will:
- change the seeds in regard to irqbalance, but no change to irqbalance (the package)
- need an update of ubuntu-meta
- IMHO we also want a release notes entry.
- CPC might consider re-enabling it as image customization for some as shown in comment #39

I'm adjusting the bug tasks and state accordingly.

** Also affects: cloud-images
   Importance: Undecided
       Status: New

** Also affects: ubuntu-release-notes
   Importance: Undecided
       Status: New

** Changed in: ubuntu-release-notes
       Status: New => In Progress

** Changed in: ubuntu-z-systems
       Status: Confirmed => Opinion

** Changed in: irqbalance (Ubuntu)
       Status: Confirmed => Opinion

** Changed in: ubuntu-meta (Ubuntu)
       Status: Confirmed => In Progress
[Touch-packages] [Bug 1833322] Re: Please consider no more having irqbalance enabled by default (per image/use-case/TBD)
While there was sadly neither enough time nor enough resources to do all the deep dive analysis that could have been done, we succeeded by reaching out to many more parties and got their input as well. Thank you all!

Since Noble feature freeze is coming we need to make a call either way. I proposed the underlying seed change [1]. And even once accepted that has to be followed by an update to ubuntu-meta. Furthermore we'd have more follow up, like enabling it in special cases like the AWS images for the reasons Fabio mentioned.

Of course this is just a proposal. There are many other options left, from not changing anything to more subtle counters to my proposal like only doing so in 24.10 to give things more time, to holding back until someone found time/resource to gather more data. But for now, I feel "Not enabling it by default, but enabling selectively where identified to be wanted" seems to be the better choice - and that is what I proposed.

[1]: https://code.launchpad.net/~paelzer/ubuntu-seeds/+git/platform/+merge/460904
[Touch-packages] [Bug 1833322] Re: Please consider no more having irqbalance enabled by default (per image/use-case/TBD)
Interesting, that is more towards irqbalance than I heard so far. Thanks Fabio! So we might end up needing to go like "Generally disabled except this list of places [...] where it stays enabled".
[Touch-packages] [Bug 1833322] Re: Please consider no more having irqbalance enabled by default (per image/use-case/TBD)
Hey Henry, thanks for chiming in and I agree in general that tech moved on. Myself and others said similar before, thanks for adding more details and voices - that is what such a discussion is about.

> they just don't go ping-ponging around between

In particular on this aspect, so much has happened with fast devices often not only "not being bottle-necked" but even I/O interaction routing smartly, I mentioned for example rps/xps on here before.

Still, there are even today a few workloads - usually high utilization large scale loads that benefit. Thanks @John for carrying a few of them forward to this bug!

But the more I read, the more people chime in, ... the more one pattern seems to crystallize (for me). I'll try to summarize my gut-feeling so far... (which is my opinion so far, not more):

"""
While it seems a few high intensity workloads still can benefit, those are of the kind that are usually hand-optimized and could easily pull-in irqbalance if needed. On the other hand the majority of workloads do not care either way - at least not in an easily provable way. And furthermore most of the need to have it in the past has been replaced by newer I/O architectures. Finally there also have been some cases that suffered from irqbalance being enabled. Those cases in particular seem to be those of end-users, often Desktop end users that might not always tune their system intensely. For consistency between Server and Desktop I'd prefer to change it in both in the same way, while the cases still benefiting all were server'ish there hasn't been a case that would need it by default. Overall that makes me think that we could indeed change it to not be enabled by default anymore in the upcoming Noble release.
"""

I know that Steve (@vorlon) wanted to comment on this as well, maybe we have sufficient statements, opinions and at least a bit of data so far to have a decision for Noble before Feature freeze?
[Touch-packages] [Bug 2051572] Re: Always preseed core and snapd snap in server seed
On Fri, Feb 16, 2024 at 06:51:46PM -, Philip Roche wrote:
> @vorlon @jchittum @paelzer given the above findings are you still -1 on
> any snap preseeding?

Based on the data, I vote not to preseed any snaps. I was already leaning that way and thank you for adding the data. I agree to not preseed any snap (in images where no mandatory snaps are present, i.e. not those agent examples you brought up above - these would stay as is right?).

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to ubuntu-meta in Ubuntu.
https://bugs.launchpad.net/bugs/2051572

Title: Always preseed core and snapd snap in server seed

Status in ubuntu-meta package in Ubuntu: New
Status in ubuntu-meta source package in Noble: New

Bug description:
In removing the LXD snap from preseeding in the server seed for Ubuntu 24.04 as part of LP #2051346 [1] we also removed the snapd snap and the core22 snap.

This means that any subsequent snap install, like LXD, will take much longer than expected for a non minimized image.

Time taken to install LXD snap using the lxd-installer package without snapd and core22 preinstalled/seeded

```
ubuntu@cloudimg:~$ time sudo lxd --version
Installing LXD snap, please be patient.
5.19

real 0m29.107s
user 0m0.006s
sys 0m0.005s
```

Time taken to install LXD snap using the lxd-installer package with snapd and core22 already installed.

```
ubuntu@cloudimg:~$ time sudo lxd --version
Installing LXD snap, please be patient.
5.19

real 0m15.034s
user 0m0.005s
sys 0m0.005s
```

This is a significant difference and for a workload we intend to remain as a core tested and tracked workload. As such I propose we re-introduce core22 and snapd snaps to our seed.

LXD do intend to move to the core24 snap as their base as I'm sure snapd does too so when that does happen we need to update the preseeded core snap.

This bug is to track the work of making that change in the server seed @ https://git.launchpad.net/~ubuntu-core-dev/ubuntu-seeds/+git/ubuntu/tree/server#n69

[1] https://bugs.launchpad.net/ubuntu/+source/ubuntu-meta/+bug/2051346

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ubuntu-meta/+bug/2051572/+subscriptions

--
Mailing list: https://launchpad.net/~touch-packages
Post to     : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 2051572] Re: Always preseed core and snapd snap in server seed
It was nice to have LXD around and ready for many test/dev workloads, and I feel it was worth it back then. But we already replaced it with lxd-installer in minimal environments and it was fine there too. I never heard someone complaining that LXD takes a bit there, but every second of boot time seems to be valued highly.

Now that we had to reduce this to the lxd-installer everywhere (due to LP #2051346) it is really worth to be re-evaluated. Thank you for driving this Phil!

IMHO now that your first LXD command will take a bit longer already (due to fetching LXD snap), the exact amount of that "a bit longer" (as being more by also fetching snapd and base) seems almost irrelevant as long as it is in the same ballpark.

On one hand those dev/test environments that use it most, can easily be made to tolerate the bit of extra time - they usually start with a barrage of other "install this" anyway that has the same "wait for network and install" characteristic.

On the other hand reducing size and the initialization effort of it will save transfer and startup time for everyone - the guessed 3-5 seconds mentioned/assumed above would be totally worth it IMHO.

---

Furthermore as Simon showed (thanks), by snapd being a baseless snap we'd not even gain something by having that around already for the latter fetch of lxd by lxd-installer.

---

I further appreciate John's comment that we should back up some of our current assumptions (how much will this slow down lxc interactions, how much will the boot speed gain) with some actual data. But if that data will not totally upset what we expect, then I very much agree with Steve in comment #1 and would not optimize for it at the cost of all others and thereby I'd be fine to not preseed the other bits there.

---

P.S. I wanted to mention that our perception might also be biased. I believe (no data) that the closer to Ubuntu development itself you are, the more likely you use LXD heavily in testing. But that same ratio likely does not apply to any user of Ubuntu images in the world.
[Touch-packages] [Bug 1833322] Re: Please consider no more having irqbalance enabled by default (per image/use-case/TBD)
FYI, multiple parties and people promised me more input, but so far none has arrived over the last weeks.
[Touch-packages] [Bug 1833322] Re: Please consider no more having irqbalance enabled by default (per image/use-case/TBD)
Since the discussion is no more only covering Desktop I updated the title (thanks Seb128 for suggesting) ** Summary changed: - Consider removing irqbalance from default install on desktop images + Please consider no more having irqbalance enabled by default (per image/use-case/TBD)
[Touch-packages] [Bug 1833322] Re: Consider removing irqbalance from default install on desktop images
Hi Etanay,
I realize I maybe wrote too much :-/ So I start with a TL;DR: AFAICS you are right in all you say, but I think there can not be "one right answer" anyway. Hence I'm trying to leave all parties their freedom of defining what is important to them and try to learn from them what impact irqbalance has to that.

> Yes I was not arguing strictly against irqbalance, just trying
> to ascertain some discussion parameters as well as parameters for data
> collection.

Yeah, I see that and didn't intend to rebut your statements either. Just push them a bit into potential context and POV of others.

> I have not yet seen a coherent philosophy on what it means to "optimize
> performance" with default settings that serve the greatest capacity of
> server or desktop scenarios.

That is true, but the reason for that is that you can only optimize for something like a workload or particular HW. The defaults are usually trying to be not too crappy for any possible thing that might happen on e.g. Ubuntu which is quite a scope.

> In my humble opinion, data collection is useless without this
> framework of understanding what it is we are trying to achieve
> and why in terms of system performance. To me this is the deeper
> unresolved issue, perhaps.

I can see your point and would not even argue against. But this is (this is opinion and a bit of experience, not scientific proven truth) only the problem if we'd try to solve the singular global and always valid "is irqbalance good or bad" question.

Thinking about it I think I'm even of the same opinion as you, but instead of standardizing exactly what we are trying to achieve (which to me feels like selecting a workload or HW as optimization target) I was trying to reach out to as many groups as possible so we can see what HW/workloads are important to them and how irqbalance might help or interfere with that. A bit like the old case where some clouds brought it up that it is conflicting in virtio-net on their substrate and to be disabled by default there (see Debian and also some Ubuntu cloud images).

I have personally no hope in reaching a general "this is good / bad" without considering it per workload or HW environment. Hence my hope is that if we manage to get this variety of preferences of different parties and only then the impact of irqbalance to that we can make compartmentalized decisions. For example as some suggested, making it no more the default in Desktop, but keeping it in other cases.

And this is just me trying to be helpful and drive this from being a dormant case to something useful, I do not pretend to have the masterplan or the solution yet :-)

> I fear that systems are currently optimized by default for throughput. For
> users, responsiveness (which can include but is not limited to throughput)
> and latency may be more important psychologically

Can I just say yes here, you go into lengths explaining (thanks) but I already agreed here :-) Yet - as true as that is - it is true for a set of workloads and hardware, but not for all that Ubuntu can be (as I outlined above neither decision could be true for all)

> And power saving is important in global terms, as even small gains
> multiplied over hundreds or thousands of deployments can have a
> significant impact

True as well, yet - again - most servers are often split by some virt solution to pay off by their price running at high utilization. There to reach density often people are ok to forfeit some latency for overall throughput and thereby density which saves power by having x% less systems active at all.

P.S. I'm now waiting for further input by all of you that found the thread so far as well as hopefully some of all the teams, hardware manufacturers and clouds that I have connected to please think about this question.

P.P.S. I'm drifting away of seeing a big deja-vu into my decade of Linux on mainframe performance - and density and performance and interfering workloads that invalidated all you knew when looking at just one ... and you know what the answer always was and still is: "it depends" as any performance engineer will love to tell you :-)
[Touch-packages] [Bug 1833322] Re: Consider removing irqbalance from default install on desktop images
Pings done, in a perfect world (if all reply) that would cover more than we ever need, but then there is 0% guarantee they even have time or care about this at the moment :-) If anyone has connections as well, please ask them to participate too.
[Touch-packages] [Bug 1833322] Re: Consider removing irqbalance from default install on desktop images
I want to try to avoid that this becomes too stale, so I wondered what we can do from here. Two things came to my mind. On one hand I will try to use some indirect relations to pull in some HW manufacturer experts. They often have large performance teams tracking things like that against different workloads. And on the other hand, due to the request seemingly to close in on "please consider not making it the default on desktop" (server is more likely to have these large scaling workloads that are more likely to benefit) we need to pull in someone from Desktop a bit more. I'll do a few direct pings for that as well to ensure to get their voice too. Doing so now ...
[Touch-packages] [Bug 1833322] Re: Consider removing irqbalance from default install on desktop images
Hi Paride > Back in the day I asked upstream their take on irqbalance usefulness with > newer kernels, here is their reply: > https://github.com/Irqbalance/irqbalance/issues/151 Thanks for this and the other extra pointers. The Debian bug was referenced before, AFAIC it is mostly around a) the kernel got smarter in many cases (true) b) bad in virtual environments (we already removed it from those) And in that discussion the upstream comments (it is good to see that they are still convinced of their code) revolved around: c) There should be no conflict with running irqbalance (with the new kernel) d) The kernel policy is driver centric (irqbalance has a full picture) Both - as I read them - are more arguments to keep it than to remove. But as all other, not with enough data to make it a clear yes/no. As I said much earlier in this case, I feel this is system and workload dependent and hence there will never be a clear generic yes/no. The best we can achieve is finding sets (like images used in virtual environments - or as suggested desktop systems) and drop it being the default there. -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to ubuntu-meta in Ubuntu. 
https://bugs.launchpad.net/bugs/1833322

Title:
  Consider removing irqbalance from default install on desktop images

Status in irqbalance package in Ubuntu:
  Confirmed
Status in ubuntu-meta package in Ubuntu:
  Confirmed

Bug description:
  as per https://github.com/pop-os/default-settings/issues/60

  Distribution (run cat /etc/os-release):

  $ cat /etc/os-release
  NAME="Pop!_OS"
  VERSION="19.04"
  ID=ubuntu
  ID_LIKE=debian
  PRETTY_NAME="Pop!_OS 19.04"
  VERSION_ID="19.04"
  HOME_URL="https://system76.com/pop";
  SUPPORT_URL="http://support.system76.com";
  BUG_REPORT_URL="https://github.com/pop-os/pop/issues";
  PRIVACY_POLICY_URL="https://system76.com/privacy";
  VERSION_CODENAME=disco
  UBUNTU_CODENAME=disco

  Related Application and/or Package Version (run apt policy $PACKAGE NAME):

  $ apt policy irqbalance
  irqbalance:
    Installed: 1.5.0-3ubuntu1
    Candidate: 1.5.0-3ubuntu1
    Version table:
   *** 1.5.0-3ubuntu1 500
          500 http://us.archive.ubuntu.com/ubuntu disco/main amd64 Packages
          100 /var/lib/dpkg/status

  $ apt rdepends irqbalance
  irqbalance
  Reverse Depends:
    Recommends: ubuntu-standard
    gce-compute-image-packages

  Issue/Bug Description:

  as per konkor/cpufreq#48 and http://konkor.github.io/cpufreq/faq/#irqbalance-detected

  irqbalance is technically not needed on desktop systems (supposedly it is mainly for servers), and may actually reduce performance and power savings. It appears to provide benefits only to server environments that have relatively-constant loading. If it is truly a server-oriented package, then it shouldn't be installed by default on a desktop/laptop system and shouldn't be included in desktop OS images.

  Steps to reproduce (if you know):

  This is potentially an issue with all default installs.

  Expected behavior:

  n/a

  Other Notes:

  I can safely remove it via "sudo apt purge irqbalance" without any apparent adverse side-effects. If someone is running a situation where they need it, then they always have the option of installing it from the repositories.
[Touch-packages] [Bug 1833322] Re: Consider removing irqbalance from default install on desktop images
Hi Dough

> If irqbalance is to be included by default, then there should be due
> diligence to demonstrate a clear benefit.

You are right that we should have that as well. But this would be even more true if this would be about "making it the default when it was not before". Right now (purely opinion) the lack of data can IMHO neither be used to keep it nor to remove it - which sadly locks this up a bit.

> The results were:

I want to thank you a lot, this won't be enough but it is a masterpiece demonstration of dedicating time to start providing such data. Thank you.

I do not know the ping pong test, but on iperf, I think that is in the noise range as far as I remember. If you'd just re-run that as-is what is the delta on your test box?

Hoping that this will be extended by more contributing different workloads on different systems let me ask, what kind of system (cpu, size, nodes, ...) was that. I know you are good at writing up things, you might set the standard how others might report to this :-)

Your results show no change or minimal degradation while at the same time losing a bit of power. Have you also had a chance to try the powerthresh argument that Steve mentioned above?
[Touch-packages] [Bug 1833322] Re: Consider removing irqbalance from default install on desktop images
Hi Mike

> SUSE ... says that the first step to get there is to disable irqbalance

I've read the same, IMHO that is just "if you want to manually tune, disable it" which does not imply that it is bad to have it. But this is how I read it, I have not talked to the authors to get their underlying reasoning.

> Applications vendors ... currently recommend removing irqbalance

The only one that does so AFAICS is cpufreq and everyone else just links to their reasoning and follows. And even some statements there like "If you are still running irqbalance, you are not getting the maximum performance your system is capable of!" are hard to believe as a general statement - especially without data across a wide variety of system types and workload. As we have seen as well in the references linked, irqbalance helps just as much for "maximum performance" in many other cases.

> I found this blog (https://blogs.oracle.com/linux/post/irqbalance-design-and-internals)

Thanks, every extra background we find will only help (except for those joining later to read more).

> The question I have is, if Ubuntu is Debian Branch, and we long ago went
> from having different kernels for desktop & server in ubuntu-base, but do
> have ubuntu-server packages and ubuntu-desktop packages, where things could
> be different, why is this still a broad sweep as a default install "for all"?

Because there was no well-funded conclusion like "it really is bad for environment X" to remove it. You are right that there are no technical blockers to make it e.g. kept in servers but no more the default in Desktop. After all it is already dropped in cloud-images used in virtual environments as it had a more clear reasoning and argument there.

And there are also cases where irqbalance missing caused performance impact and bug reports like the already mentioned [1] (clearly high scale server though)

> I am happy that this is getting discussed properly now so that we can
> relook at this, and what it means to us today.

Ack, that is why I tried to compile all I've found into one place.

[1]: https://bugs.launchpad.net/ubuntu/+source/irqbalance/+bug/2038573
[Touch-packages] [Bug 1833322] Re: Consider removing irqbalance from default install on desktop images
Hi Ethanay

> All I can find is a recommendation not to use it on CPUs with 2 or fewer
> cores as the overhead is said to be too high

This isn't a real problem anyway, the service will stop immediately if only running on one core - even if running on multiple cores with the same cache (as the intended benefit is due to cache hotness by having all I/O hitting the same cache).

> I can imagine it might still add undesirable or even critical latency in
> applications that are highly latency sensitive

I understand your line of thought, but it might even improve latency. If there is no bottleneck on the cores assigned to handle an IRQ then the improved cache hit rate will make even latency better. And if there is a strong bottleneck, then some drivers without IRQbalance would end up locked on one cpu - so again these might gain lower latency. But I have no data on this either (just like no one seems to have on almost any of this).

Just like others I'd personally more expect the drawback to be on a potential lack of power saving.

> This website gave me some clarity on the theory and purpose:
> https://www.baeldung.com/linux/irqbalance-modern-hardware

Hah, didn't find this one yet - thank you! But to me it only underlines the "it can help as much or even more often" expectation.
[Touch-packages] [Bug 1833322] Re: Consider removing irqbalance from default install on desktop images
Hi Steve,

> I see a lot of strong opinions ... I would want any decision to remove
> irqbalance from the desktop to be based on evidence, not conjecture.

I agree that there is plenty of opinion (often backing up each other with cyclic links) and not much data. Hence my compilation of the history to make it somewhat consumable.

I wasn't entirely sure on my own but I agree that we'd need data to back up changes, thanks for empowering that branch of the decision tree.

Yet on the other hand, that most likely means not much will move quickly. Which is fine, but also makes it unlikely to conclude before Noble freezes.
[Touch-packages] [Bug 1833322] Re: Consider removing irqbalance from default install on desktop images
After all the history I was looking at where we are right now:
- irqbalance already is not in ubuntu-cloud-minimal images
- irqbalance is in normal cloud images and installed systems via the dep from ubuntu-server
[Touch-packages] [Bug 1833322] Re: Consider removing irqbalance from default install on desktop images
I subscribed a few people directly to get their input.

@Steve
I've subscribed you after trying to find, refer and summarize all of the past to allow you and anyone else to read into this in one go. I think I'll need your input as Architect and as participant of these discussions right from when they started 14 years ago.

@Phil/@John
Some past discussions, especially the backpedaling of Debian referred to virtual environments and/or large cloud providers. Is irqbalance anything you got asked to disable (or keep) for their environment? No need to share names, but reasoning or data points would be helpful :-)

@Dimitri
Is there a more clear "this is what userspace should do in regard to this in 2024" from the kernel? I couldn't find it, but maybe you know or know who'd know ...

@Sebastien
Since most problems reported have been around Desktops (to be fair, that could be a coincidence because that is where people do more experiments and have more diverse special cases). But I think it is fair to ask you if requests or discussion like the above have come up towards Desktop that are worth to refer here?

Maybe one of you has more details that help to make the decision more clear and easy. Or a gut feeling that is even stronger than mine, strong enough even to pick one of the options?
[Touch-packages] [Bug 1833322] Re: Consider removing irqbalance from default install on desktop images
# Summary

This discussion was seemingly easier to make the more dedicated to a singular use case you are - as then you have less "but what if" cases to consider. That wide usage is great for Ubuntu but sometimes delays decisions.

List of reasons to remove it from the default dependencies:
- Seems to cause issues more often on Desktop environments
- cpufreq, thermald and similar struggle to save energy
- Impacts due to unexpected throttling
- Conflicts with enabling/disabling threads/cores
- Problematic in virtual environments
- It is mostly an x86 thing but we pull it in everywhere
- It conflicts with manually fine tuned IRQ affinity e.g. in ultra low latency setups
- It is less useful on cpus with large and wide shared caches as well as in virtual environments without fix pinning

List of reasons to keep it in the set of default dependencies:
- Benefits seem mostly for large scale servers
- lacking irqbalance can be a performance degradation in some large scale high traffic cases

I think from all I've found - old and new - it seems it still has its purpose in some scenarios, but the HW/SW world evolved and it is nowadays less often useful and more often harmful than it was in the past.

On the other hand there is almost no clear cut "it is bad and that is why", most issues were individual issues and special cases, nothing that would apply to everyone. And irqbalance still has its purpose, so we should surely keep it around.

In a perfect world this would have half a year of time or more and two people to run all kinds of workloads on all kinds of HW to compare. But let us be honest that will not happen and that would then also not be worth the effort. We'll have to decide with what we have.

Have the others that switched had more time to evaluate in depth, I do not know. But usually once a significant amount of the ecosystems changed and you lack better data it is better to also follow or common hints and optimizations will no more apply due to being the one outlier in regard to behavior.

To me this seems to be a perfect case for a few special images/deployments known to match the workload profile that needs this to enable it. It is also more likely that a professional admin of such a large scale machine (or cluster thereof) can make the opt-in decision and evaluation better than expecting every user of Ubuntu to think about an opt-out.

---

Options IMHO:

A) Change it from an opt-out to an opt-in and remove the dependency from ubuntu-standard

B) Remove it from ubuntu-standard to get rid of it in Desktops and images used in virtual environments. But try to keep it in a place that is mostly used for bare metal which tend to be closer to the kind that benefits more

C) Do nothing, keep it as is

D) Any of the above, but let us not touch Noble more than half way through the cycle, but do that early in 24.10 to have enough exposure before a release in an LTS.

My gut feeling (and it can't be much more without much more time for much deeper investigations) would be (A).
[Touch-packages] [Bug 1833322] Re: Consider removing irqbalance from default install on desktop images
# Actions by Others

Times have changed, as mentioned above the kernel learned many new tricks. More new I/O hardware virtual or physical appeared that tries to be smart and thereby sometimes conflicts with what irqbalance does.

Some are mostly based on the links referred above, the Debian discussion was more about it being harmful (or at least not helpful) in virtual environments and hence removed from cloud images (we close in on workload specific again).

Indeed many projects already removed it from the default
- https://github.com/pop-os/iso/pull/288
- https://github.com/ValveSoftware/Proton/issues/3243
- https://lists.debian.org/debian-cloud/2019/04/msg00040.html
[Touch-packages] [Bug 1833322] Re: Consider removing irqbalance from default install on desktop images
Hi,
this was overlooked for too long but came up in bug 2046470 again which made me see this for the first time. I'd wish we'd have had that even a bit earlier e.g. to release it with mantic and not half way through noble, but still now is the time to still change the next LTS.

I needed to make up my mind on this to come to a conclusion and so I wrote a summary mostly for myself, but also for others that I want to ack to the decision as well as for anyone to later be able to understand what changed and why.

I must admit that I'm slightly biased, having looked at it ages ago, even before I was more active in Ubuntu development and already wondering if that should be used by default. And yes, some people had a stronger wish to get it out of the default.

So as already reported, many have already asked to remove it. I'll try to break up my answers to be more easily referable.

** Also affects: irqbalance (Ubuntu)
   Importance: Undecided
       Status: New
[Touch-packages] [Bug 1833322] Re: Consider removing irqbalance from default install on desktop images
# Referred Arguments

An argument that might not have been so strong more than a decade ago but is much more today is power savings and that is an aspect that comes up over and over. It also had reports of conflicts with power saving [10] and e.g. dynamically disabling/enabling cores which is much more a thing nowadays as long ago this was only reliably working on mainframes anyway.

I don't buy the "games need 100%" as even games need their I/O to happen, but OTOH irqbalance just doesn't help much nowadays either as the kernel learned many more tricks to do well - like to name just one all the traffic aware and potentially offloaded rps/xps [2]. And irqbalance is not mutually exclusive with most of those technologies, not with RSS [18] nor with kernel policies [15].

Some report about conflicting with their custom tweaking of IRQs [8][16]. It is actually a common conflict between irqbalance being smart [9] and other things like a particular device firmware being smart leading to a conflict of interest.
=> But TBH that is why it is removable for such rare cases.

On one hand it clearly has some impact and various cases of bad impacts by it have come up as well for frame rates [11], stuttering [14] or even network traffic [12]. But on the other hand, there have been reports and cases where a broken irqbalance led to impacted high-performance network traffic [7], so it is not that it is clearly always bad [13]. While we never know how outdated any such source might be, it proves that it is most likely workload and system dependent. Many documentations also still refer to it only older RH, Arch [19], ... you'll find it everywhere.

It is an interesting case, and the workload dependency leads many discussions to even be contradicting - in one case it saves cpu power, in the other it makes it worse. In one it helps traffic, in the other it degrades it. That is all a consequence of it being workload and system dependent.

This back and forth is perfectly encapsulated in this Phoronix thread [15]. Which quotes interesting other POVs like kernel solutions often being "driver centric" optimizing throughput, but maybe not always the best as policy for the full system as irqbalance policies and tunables are configurable.

An interim summary might be:
"""
It could cause rare issues or conflicts, especially on Desktop, but might be still wanted on Servers especially those with a high rate of I/O
"""

Which is interestingly quite close to the arguments floating around when it was added more than a decade ago (see further below).

[2]: https://www.kernel.org/doc/html/latest/networking/scaling.html
[7]: https://bugs.launchpad.net/ubuntu/+source/irqbalance/+bug/2038573
[8]: https://groups.google.com/g/gce-discussion/c/Ns8hgOUW9GY
[9]: https://docs.xilinx.com/r/en-US/ug1523-x3522-user/Interrupt-Affinity
[10]: https://konkor.github.io/cpufreq/faq/#irqbalance-detected
[11]: https://askubuntu.com/questions/1067866/ubuntu-18-04-steam-games-frame-rate-drop
[12]: https://serverfault.com/questions/410928/irqbalance-on-linux-and-dropped-packets
[13]: https://bookofzeus.com/harden-ubuntu/server-setup/disable-irqbalance/
[14]: https://www.reddit.com/r/linux_gaming/comments/emnu3k/removing_irqbalance_fixed_major_stuttering_in/
[15]: https://www.phoronix.com/forums/forum/hardware/processors-memory/1335986-amd-zen-1-linux-performance-hit-from-retbleed-accumulated-cpu-mitigation-impact/page4
[16]: https://documentation.suse.com/sbp/server-linux/pdf/SBP-performance-tuning_en.pdf
[18]: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/performance_tuning_guide/network-rss
[19]: https://wiki.archlinux.org/title/Improving_performance#irqbalance

** Bug watch added: Debian Bug tracker #577788
   https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=577788
[Touch-packages] [Bug 1833322] Re: Consider removing irqbalance from default install on desktop images
# Integration and maintenance

Despite some saying it is for the past only, it is regularly updated and has multiple releases per year throughout all the time [4]. Those updates flow well into Debian and Ubuntu - so it is not a classic "old and outdated" case. And while not much changes in those updates, it means it still learns like about thermal events in 1.9.1 or about isolcpus in 1.0.9. I'm not saying it is super modern doing it all, but it gets updates.

Currently this is seeded in ubuntu-standard [1], which is what makes it default installed everywhere. But it is intentionally only a recommends, so the set of people that want to remove it can do so.

It was added a long time ago [3] back when multi-core was a rare thing at least for Desktop systems. This was based on a discussion [5] and was related to the kernel [6] actively delegating this to userspace. Debian did a similar change a bit later [17] for the same reasons. But again this was the time of single-core being common.

[1]: https://git.launchpad.net/~ubuntu-core-dev/ubuntu-seeds/+git/platform/tree/standard?h=noble#n19
[3]: https://git.launchpad.net/~ubuntu-core-dev/ubuntu-seeds/+git/platform/commit/?h=noble&id=dcd02266953547e11221979eb17eb740a76a62b5
[4]: https://github.com/Irqbalance/irqbalance/tags
[5]: https://lists.ubuntu.com/archives/ubuntu-devel/2010-January/029939.html
[6]: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=8b8e8c1bf7275eca859fe551dfa484134eaf013b
[17]: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=577788

** Bug watch added: github.com/ValveSoftware/Proton/issues #3243
   https://github.com/ValveSoftware/Proton/issues/3243
[Touch-packages] [Bug 2015562] Re: [SRU] Segfault in dnsmasq when using certain static domain entries + DoH (bugfix possibly exists upstream)
Hey,
while passing by I admit I only looked at the test plan and tried to get this moving by executing it. Thanks for hinting at these further things to check ...

I still had the environment around

root@Jdnsmasq:~# apt-cache policy dnsmasq
dnsmasq:
  Installed: 2.86-1.1ubuntu0.4
  Candidate: 2.86-1.1ubuntu0.4

That resolved well, asking the configured dns (8.8.8.8 in my case) and returning a proper answer.

root@Jdnsmasq:~# dig +short A www.thekelleys.org.uk @127.0.0.1
thekelleys.org.uk.
85.119.82.65
root@Jdnsmasq:~# dig +short A www.thekelleys.org.uk @127.0.0.1
thekelleys.org.uk.
85.119.82.65
root@Jdnsmasq:~# dig +short A www.thekelleys.org.uk @127.0.0.1
thekelleys.org.uk.
85.119.82.65

Since the original issue was about repeating queries (in other context and situation) I ran it a few times.

The log (we still have verbose logging enabled from the first test) shows the forward resolving just as expected:

Jan 05 07:32:56 Jdnsmasq dnsmasq[255]: query[A] www.thekelleys.org.uk from 127.0.0.1
Jan 05 07:32:56 Jdnsmasq dnsmasq[255]: forwarded www.thekelleys.org.uk to 8.8.8.8
Jan 05 07:32:56 Jdnsmasq dnsmasq[255]: reply www.thekelleys.org.uk is
Jan 05 07:32:56 Jdnsmasq dnsmasq[255]: reply thekelleys.org.uk is 85.119.82.65

---

Now dnsmasq's version of a static entry

root@Jdnsmasq:~# echo "address=/domain/1.2.3.4" >> /etc/dnsmasq.conf
root@Jdnsmasq:~# systemctl restart dnsmasq
root@Jdnsmasq:~# dig +short A domain
1.2.3.4

---

Since I had that running over night I also see in the verbose logs all kinds of expected background action and all that worked as well.
Like:

Jan 05 07:30:43 Jdnsmasq dnsmasq[255]: cached api.snapcraft.io is 185.125.188.54
Jan 05 07:30:43 Jdnsmasq dnsmasq[255]: cached api.snapcraft.io is 185.125.188.59
Jan 05 07:30:43 Jdnsmasq dnsmasq[255]: cached api.snapcraft.io is 185.125.188.58
Jan 05 07:30:43 Jdnsmasq dnsmasq[255]: cached api.snapcraft.io is 185.125.188.55
Jan 05 07:30:44 Jdnsmasq dnsmasq[255]: query[] canonical-bos01.cdn.snapcraftcontent.com from 127.0.0.1
Jan 05 07:30:44 Jdnsmasq dnsmasq[255]: forwarded canonical-bos01.cdn.snapcraftcontent.com to 8.8.8.8
Jan 05 07:30:44 Jdnsmasq dnsmasq[255]: query[A] canonical-bos01.cdn.snapcraftcontent.com from 127.0.0.1
Jan 05 07:30:44 Jdnsmasq dnsmasq[255]: forwarded canonical-bos01.cdn.snapcraftcontent.com to 8.8.8.8
Jan 05 07:30:44 Jdnsmasq dnsmasq[255]: reply canonical-bos01.cdn.snapcraftcontent.com is NODATA-IPv6
Jan 05 07:30:44 Jdnsmasq dnsmasq[255]: reply canonical-bos01.cdn.snapcraftcontent.com is 91.189.91.43
Jan 05 07:30:44 Jdnsmasq dnsmasq[255]: reply canonical-bos01.cdn.snapcraftcontent.com is 91.189.91.42
Jan 05 07:30:51 Jdnsmasq dnsmasq[255]: query[] api.snapcraft.io from 127.0.0.1
Jan 05 07:30:51 Jdnsmasq dnsmasq[255]: cached api.snapcraft.io is NODATA-IPv6
Jan 05 07:30:51 Jdnsmasq dnsmasq[255]: query[A] api.snapcraft.io from 127.0.0.1
Jan 05 07:30:51 Jdnsmasq dnsmasq[255]: forwarded api.snapcraft.io to 8.8.8.8
Jan 05 07:30:51 Jdnsmasq dnsmasq[255]: reply api.snapcraft.io is 185.125.188.58
Jan 05 07:30:51 Jdnsmasq dnsmasq[255]: reply api.snapcraft.io is 185.125.188.55
Jan 05 07:30:51 Jdnsmasq dnsmasq[255]: reply api.snapcraft.io is 185.125.188.54
Jan 05 07:30:51 Jdnsmasq dnsmasq[255]: reply api.snapcraft.io is 185.125.188.59
...
Jan 05 07:38:29 Jdnsmasq dnsmasq[765]: reply archive.ubuntu.com is 185.125.190.39
Jan 05 07:38:29 Jdnsmasq dnsmasq[765]: reply archive.ubuntu.com is 91.189.91.81
Jan 05 07:38:29 Jdnsmasq dnsmasq[765]: reply archive.ubuntu.com is 91.189.91.83
Jan 05 07:38:29 Jdnsmasq dnsmasq[765]: reply archive.ubuntu.com is 2620:2d:4000:1::16
Jan 05 07:38:29 Jdnsmasq dnsmasq[765]: reply archive.ubuntu.com is 2620:2d:4002:1::103
Jan 05 07:38:29 Jdnsmasq dnsmasq[765]: reply archive.ubuntu.com is 2620:2d:4002:1::102
Jan 05 07:38:29 Jdnsmasq dnsmasq[765]: reply archive.ubuntu.com is 2620:2d:4000:1::19
Jan 05 07:38:29 Jdnsmasq dnsmasq[765]: reply archive.ubuntu.com is 2620:2d:4002:1::101
Jan 05 07:38:29 Jdnsmasq dnsmasq[765]: reply security.ubuntu.com is 185.125.190.36
Jan 05 07:38:29 Jdnsmasq dnsmasq[765]: reply security.ubuntu.com is 91.189.91.81
Jan 05 07:38:29 Jdnsmasq dnsmasq[765]: reply security.ubuntu.com is 91.189.91.83
Jan 05 07:38:29 Jdnsmasq dnsmasq[765]: reply security.ubuntu.com is 91.189.91.82
Jan 05 07:38:29 Jdnsmasq dnsmasq[765]: reply security.ubuntu.com is 185.125.190.39
Jan 05 07:38:29 Jdnsmasq dnsmasq[765]: reply security.ubuntu.com is 2620:2d:4000:1::16
Jan 05 07:38:29 Jdnsmasq dnsmasq[765]: reply security.ubuntu.com is 2620:2d:4002:1::101
Jan 05 07:38:29 Jdnsmasq dnsmasq[765]: reply security.ubuntu.com is 2620:2d:4002:1::103
Jan 05 07:38:29 Jdnsmasq dnsmasq[765]: reply security.ubuntu.com is 2620:2d:4000:1::19
Jan 05 07:38:29 Jdnsmasq dnsmasq[765]: reply security.ubuntu.com is 2620:2d:4002:1::102
Jan 05 07:38:29 Jdnsmasq dnsmasq[765]: query[SRV] _https._tcp.motd.ubuntu.com from 127.0.0.1
Jan 05 07:38:29 Jdnsmasq dnsmasq[765]: forwarded _https._tcp.motd.ubuntu.com to
[Touch-packages] [Bug 2037703] Re: dpkg-reconfigure openssh-server doesn't ask questions again
** Tags removed: server-triage-discuss

** Changed in: openssh (Ubuntu)
   Importance: Undecided => Low

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to openssh in Ubuntu.
https://bugs.launchpad.net/bugs/2037703

Title:
  dpkg-reconfigure openssh-server doesn't ask questions again

Status in openssh package in Ubuntu:
  New

Bug description:
  openssh-server does provide a couple of configuration options:

  [~]$ sudo debconf-get-selections |grep openssh-server
  openssh-server openssh-server/listenstream-may-fail error
  openssh-server openssh-server/password-authentication boolean true
  openssh-server openssh-server/permit-root-login boolean true

  I want to change those options now interactively but nothing I tried worked and showed a dialog:

  [~]$ sudo dpkg-reconfigure -p low openssh-server
  Warning: Stopping ssh.service, but it can still be activated by:
    ssh.socket
  rescue-ssh.target is a disabled or a static unit not running, not starting it.

  [~]$ sudo dpkg-reconfigure -p low --force --frontend dialog openssh-server
  Warning: Stopping ssh.service, but it can still be activated by:
    ssh.socket
  rescue-ssh.target is a disabled or a static unit not running, not starting it.

  But the documentation (https://manpages.debian.org/testing/debconf-doc/debconf.7.en.html#Reconfiguring_packages) does state that those commands should ask those questions again.

  p.s. also tried with a lxc debian-sid container and had the same problem there.

  ProblemType: Bug
  DistroRelease: Ubuntu 23.10
  Package: openssh-server 1:9.3p1-1ubuntu3
  ProcVersionSignature: Ubuntu 6.5.0-5.5-generic 6.5.0
  Uname: Linux 6.5.0-5-generic x86_64
  NonfreeKernelModules: zfs
  ApportVersion: 2.27.0-0ubuntu2
  Architecture: amd64
  CasperMD5CheckResult: unknown
  CurrentDesktop: ubuntu:GNOME
  Date: Fri Sep 29 10:35:33 2023
  InstallationDate: Installed on 2023-05-10 (142 days ago)
  InstallationMedia: Ubuntu 23.04 "Lunar Lobster" - Release amd64 (20230418)
  ProcEnviron:
   LANG=en_US.UTF-8
   PATH=(custom, no user)
   SHELL=/usr/bin/zsh
   TERM=xterm-256color
   XDG_RUNTIME_DIR=
  SourcePackage: openssh
  UpgradeStatus: Upgraded to mantic on 2023-07-19 (71 days ago)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/2037703/+subscriptions
[Touch-packages] [Bug 2047719] Re: package slapd 2.4.49+dfsg-2ubuntu1.9 failed to install/upgrade: new slapd package pre-installation script subprocess returned error exit status 1
Thank you for taking the time to report bugs and help make Ubuntu better.

This looks like a local configuration issue rather than a bug in the software itself. Please check your configuration to make sure it's correct. If you need help configuring, you can get community support in the Ubuntu channels on libera.chat, or in http://www.ubuntu.com/support/community

I'm marking this "Invalid" because it doesn't appear to be a bug, but if I'm wrong, please change it back to "New" and add some more info to point me in the right direction. Use this link as a guide: http://www.chiark.greenend.org.uk/~sgtatham/bugs.html

** Changed in: openldap (Ubuntu)
       Status: New => Incomplete

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to openldap in Ubuntu.
https://bugs.launchpad.net/bugs/2047719

Title:
  package slapd 2.4.49+dfsg-2ubuntu1.9 failed to install/upgrade: new slapd package pre-installation script subprocess returned error exit status 1

Status in openldap package in Ubuntu:
  Incomplete

Bug description:
  Happened while upgrading ubuntu distro

  ProblemType: Package
  DistroRelease: Ubuntu 22.04
  Package: slapd 2.4.49+dfsg-2ubuntu1.9
  ProcVersionSignature: Ubuntu 5.15.0-1053.61~20.04.1-azure 5.15.131
  Uname: Linux 5.15.0-1053-azure x86_64
  ApportVersion: 2.20.11-0ubuntu82.5
  Architecture: amd64
  CasperMD5CheckResult: unknown
  Date: Fri Dec 29 23:55:31 2023
  ErrorMessage: new slapd package pre-installation script subprocess returned error exit status 1
  ProcCmdline: BOOT_IMAGE=/boot/vmlinuz-5.15.0-1053-azure root=UUID=b9df59e6-c806-4851-befa-12402bca5828 ro console=tty1 console=ttyS0 earlyprintk=ttyS0 rootdelay=300
  Python3Details: /usr/bin/python3.10, Python 3.10.12, python3-minimal, 3.10.6-1~22.04
  PythonDetails: N/A
  RebootRequiredPkgs: Error: path contained symlinks.
  RelatedPackageVersions:
   dpkg 1.21.1ubuntu2.2
   apt  2.4.11
  SourcePackage: openldap
  Title: package slapd 2.4.49+dfsg-2ubuntu1.9 failed to install/upgrade: new slapd package pre-installation script subprocess returned error exit status 1
  UpgradeStatus: Upgraded to jammy on 2023-12-29 (0 days ago)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/2047719/+subscriptions
[Touch-packages] [Bug 2047719] Re: package slapd 2.4.49+dfsg-2ubuntu1.9 failed to install/upgrade: new slapd package pre-installation script subprocess returned error exit status 1
Hi and thanks for the report,
it seems that the automatic "try to backup and upgrade" failed. That is usually due to local config that does not behave well as it needs knowledge or assumptions the package can't have. Or at other times by using features that have been removed.

The log output is actually quite clear on what it tried, and that it suggests to the admin to overcome this to continue.

"""
Preparing to unpack .../20-slapd_2.5.16+dfsg-0ubuntu0.22.04.1_amd64.deb ...
Saving current slapd configuration to /var/backups/slapd-2.4.49+dfsg-2ubuntu1.9...
Dumping to /var/backups/slapd-2.4.49+dfsg-2ubuntu1.9:
- directory dc=1tmfm1mfbauutnso5ahdvmpnma,dc=gx,dc=internal,dc=cloudapp,dc=ne... slapcat: slap_init no backend for "dc=1tmfm1mfbauutnso5ahdvmpnma,dc=gx,dc=internal,dc=cloudapp,dc=ne" failed.
[Touch-packages] [Bug 2047082] Re: upgrading openssh-server always shows error: rescue-ssh.target is a disabled or a static unit not running, not starting it.
** Tags added: server-todo

https://bugs.launchpad.net/bugs/2047082

Title:
  upgrading openssh-server always shows error: rescue-ssh.target is a disabled or a static unit not running, not starting it.

Status in openssh package in Ubuntu:
  New

Bug description:
  In our project we regularly build Ubuntu VM images for current 23.10 (stable). In https://github.com/cockpit-project/bots/issues/5691 we ran into an upgrade failure of openssh-server. It starts with the current cloud image and then apt upgrades it, with "DEBIAN_FRONTEND=noninteractive". openssh was updated a few days ago indeed:

  Setting up openssh-server (1:9.3p1-1ubuntu3.1) ...
  Creating SSH2 ECDSA key; this may take some time ...
  256 SHA256:UqrRSpQNM7SIixVivYP/WwZRjt7Sv89P31W/Gxaf+Z8 root@ubuntu (ECDSA)
  Creating SSH2 ED25519 key; this may take some time ...
  256 SHA256:hy9AEDydfnZeY9nf9P4Sb90kx39Oqr101A6tz5j4RQw root@ubuntu (ED25519)
  rescue-ssh.target is a disabled or a static unit not running, not starting it.
  Could not execute systemctl: at /usr/bin/deb-systemd-invoke line 145.
  dpkg: error processing package openssh-server (--configure):
   installed openssh-server package post-installation script subprocess returned error exit status 1

  I.e. of course that security update itself [1] didn't introduce the regression, but earlier VM builds just didn't have a pending openssh update -- looks like this has been a luring upgrade trap in the release already.

  As a first naïve reproducer I tried

    apt update
    DEBIAN_FRONTEND=noninteractive apt update openssh-server

  on our current VM (with the release version 1:9.3p1-1ubuntu3), and that worked fine. Same with installing all 9 available packages. rescue.target is loaded/inactive/static, as it should be.

  Updating without DEBIAN_FRONTEND does show me a conffile prompt about /etc/ssh/sshd_config, which is justified as we do modify the config:

    # Allow root login with password
    sed -i 's/^[# ]*PermitRootLogin .*/PermitRootLogin yes/' /etc/ssh/sshd_config

    # Prevent SSH from hanging for a long time when no external network access
    echo 'UseDNS no' >> /etc/ssh/sshd_config

  this also leads to a merge conflict. However, I suppose all of that is tangential to the rescue-ssh.target issue. In all my interactive upgrades, it seemed to handle that just fine:

  Setting up openssh-server (1:9.3p1-1ubuntu3.1) ...
  rescue-ssh.target is a disabled or a static unit not running, not starting it.

  So this seems to be related to the first-time installation of openssh-server -- it is part of the cloud image, but it does the host key generation during our image builds.

  So reproducing this is a bit tricky, but aside from that: Why does it even do this in the first place?

  # Automatically added by dh_installsystemd/13.11.6ubuntu1
  if [ "$1" = "configure" ] || [ "$1" = "abort-upgrade" ] || [ "$1" = "abort-deconfigure" ] || [ "$1" = "abort-remove" ] ; then
          if [ -d /run/systemd/system ]; then
                  systemctl --system daemon-reload >/dev/null || true
                  if [ -n "$2" ]; then
                          _dh_action=restart
                  else
                          _dh_action=start
                  fi
                  deb-systemd-invoke $_dh_action 'rescue-ssh.target' >/dev/null || true
          fi
  fi

  It feels like the postinst should *never* try to start rescue-ssh.target. That's an alternative boot mode, and should never run in multi-user.target, isn't it?

  [1] https://launchpad.net/ubuntu/+source/openssh/1:9.3p1-1ubuntu3.1

  DistroRelease: Ubuntu 23.10
  PackageVersion: openssh-server 1:9.3p1-1ubuntu3.1

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/2047082/+subscriptions
[Touch-packages] [Bug 2037703] Re: dpkg-reconfigure openssh-server doesn't ask questions again
** Tags added: server-triage-discuss
[Touch-packages] [Bug 2015562] Re: [SRU] Segfault in dnsmasq when using certain static domain entries + DoH (bugfix possibly exists upstream)
Verifying according to the instructions - Before the update I got this as expected:

root@Jdnsmasq:~# dig A netflix.com @127.0.0.1
;; communications error to 127.0.0.1#53: timed out
;; communications error to 127.0.0.1#53: connection refused
;; communications error to 127.0.0.1#53: connection refused

; <<>> DiG 9.18.18-0ubuntu0.22.04.1-Ubuntu <<>> A netflix.com @127.0.0.1
;; global options: +cmd
;; no servers could be reached

Jan 02 11:13:01 Jdnsmasq systemd[1]: dnsmasq.service: Main process exited, code=dumped, status=11/SEGV
Jan 02 11:13:01 Jdnsmasq systemd[1]: dnsmasq.service: Failed with result 'core-dump'.

---

Upgrade

...
Preparing to unpack .../12-dnsmasq-base_2.86-1.1ubuntu0.4_amd64.deb ...
Unpacking dnsmasq-base (2.86-1.1ubuntu0.4) over (2.86-1.1ubuntu0.3) ...
Preparing to unpack .../13-dnsmasq_2.86-1.1ubuntu0.4_all.deb ...
Unpacking dnsmasq (2.86-1.1ubuntu0.4) over (2.86-1.1ubuntu0.3) ...
...

worked without issues

---

root@Jdnsmasq:~# systemctl status dnsmasq
● dnsmasq.service - dnsmasq - A lightweight DHCP and caching DNS server
     Loaded: loaded (/lib/systemd/system/dnsmasq.service; enabled; vendor preset: enabled)
     Active: active (running) since Tue 2024-01-02 11:18:03 UTC; 3s ago
    Process: 4327 ExecStartPre=/etc/init.d/dnsmasq checkconfig (code=exited, status=0/SUCCESS)
    Process: 4335 ExecStart=/etc/init.d/dnsmasq systemd-exec (code=exited, status=0/SUCCESS)
    Process: 4344 ExecStartPost=/etc/init.d/dnsmasq systemd-start-resolvconf (code=exited, status=0/SUCCESS)
   Main PID: 4343 (dnsmasq)
      Tasks: 1 (limit: 38247)
     Memory: 588.0K
        CPU: 45ms
     CGroup: /system.slice/dnsmasq.service
             └─4343 /usr/sbin/dnsmasq -x /run/dnsmasq/dnsmasq.pid -u dnsmasq -7 /etc/dnsmasq.d,.dpkg-dist,.dpkg-old,.dpkg-new --local-service --trust-anchor=.,20326,8,2,e06d44b80b8f1d39a95c0b0d7c65d08458e880409bb>

Jan 02 11:18:03 Jdnsmasq dnsmasq[4343]: using standard nameservers for netflix.com
Jan 02 11:18:03 Jdnsmasq dnsmasq[4343]: reading /etc/resolv.conf
Jan 02 11:18:03 Jdnsmasq dnsmasq[4343]: using nameserver 8.8.8.8#53
Jan 02 11:18:03 Jdnsmasq dnsmasq[4343]: ignoring nameserver 127.0.0.1 - local interface
Jan 02 11:18:03 Jdnsmasq dnsmasq[4343]: using standard nameservers for example.com
Jan 02 11:18:03 Jdnsmasq dnsmasq[4343]: using standard nameservers for nflxext.com
Jan 02 11:18:03 Jdnsmasq dnsmasq[4343]: using standard nameservers for netflix.net
Jan 02 11:18:03 Jdnsmasq dnsmasq[4343]: using standard nameservers for netflix.com
Jan 02 11:18:03 Jdnsmasq dnsmasq[4343]: read /etc/hosts - 7 addresses
Jan 02 11:18:03 Jdnsmasq systemd[1]: Started dnsmasq - A lightweight DHCP and caching DNS server.

---

Trying the issue trigger again:

root@Jdnsmasq:~# dig +short -tA ubuntu.com @127.0.0.1
185.125.190.29
185.125.190.20
185.125.190.21
root@Jdnsmasq:~# dig +short -t ubuntu.com @127.0.0.1
2620:2d:4000:1::27
2620:2d:4000:1::28
2620:2d:4000:1::26
root@Jdnsmasq:~# dig A netflix.com @127.0.0.1

; <<>> DiG 9.18.18-0ubuntu0.22.04.1-Ubuntu <<>> A netflix.com @127.0.0.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 63180
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;netflix.com. IN A

;; ANSWER SECTION:
netflix.com. 60 IN A 18.200.8.190
netflix.com. 60 IN A 54.155.246.232
netflix.com. 60 IN A 54.73.148.110

;; Query time: 16 msec
;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP)
;; WHEN: Tue Jan 02 11:18:36 UTC 2024
;; MSG SIZE rcvd: 88

root@Jdnsmasq:~# dig A netflix.com @127.0.0.1

; <<>> DiG 9.18.18-0ubuntu0.22.04.1-Ubuntu <<>> A netflix.com @127.0.0.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 29034
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;netflix.com. IN A

;; ANSWER SECTION:
netflix.com. 52 IN A 54.73.148.110
netflix.com. 52 IN A 54.155.246.232
netflix.com. 52 IN A 18.200.8.190

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP)
;; WHEN: Tue Jan 02 11:18:44 UTC 2024
;; MSG SIZE rcvd: 88

---

working fine now, no segfault
log only has the start:

Jan 02 11:18:03 Jdnsmasq dnsmasq[4343]: compile time options: IPv6 GNU-getopt DBus no-UBus i18n IDN2 DHCP DHCPv6 no-Lua TFTP conntrack ipset auth cryptohash DNSSEC loop-detect inotify dumpfile

---

Setting as verified

** Tags removed: verification-needed verification-needed-jammy
** Tags added: verification-done verification-done-jammy

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to dnsmasq in Ubuntu.
https://bugs.launc
[Touch-packages] [Bug 2046624] Re: apparmor breaks surfshark vpn
> with the new apparmor Candidate: 4.0.0~alpha2-0ubuntu7
> DistroRelease: Ubuntu 24.04

This bug smells like a userns issue - programs using userns (often used for sandboxing) now _must have_ an AppArmor profile.

Can you please save the following as /etc/apparmor.d/surfshark? (Adjust the path to surfshark to the real path - /PATH/TO/ is for sure incorrect ;-)

    abi ,
    include

    profile surfshark /PATH/TO/surfshark flags=(unconfined) {
      userns,

      # Site-specific additions and overrides. See local/README for details.
      include if exists
    }

Note: If I get comment #5 right, the actual executable might be /usr/bin/gjs. You can use this path in the profile _for testing_, but the real solution is to have a profile specific to surfshark, possibly with AppArmorProfile=surfshark in the systemd unit.

After creating the profile, reload the AppArmor profiles to enable the new profile.

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/2046624

Title: apparmor breaks surfshark vpn

Status in apparmor package in Ubuntu: New

Bug description:
with the new apparmor Candidate: 4.0.0~alpha2-0ubuntu7 Breaks my VPN

*surfshark
[33104:1216/072144.904027:FATAL:credentials.cc(127)] Check failed: . : Permission denied (13)
Trace/breakpoint trap

It will work with --no-sandbox "surfshark --no-sandbox" not ideal.

I removed apparmor for proof

*apt policy apparmor
apparmor:
  Installed: (none)
  Candidate: 4.0.0~alpha2-0ubuntu7
  Version table:
     4.0.0~alpha2-0ubuntu7 500
        500 http://us.archive.ubuntu.com/ubuntu noble/main amd64 Packages

Now my VPN works as expected, spent 2 hrs this morning with surfshark support, they will get back to me in a day or two, but they can't find anything wrong on their end. So far it points to apparmor

ProblemType: Bug
DistroRelease: Ubuntu 24.04
Package: apparmor (not installed)
ProcVersionSignature: Ubuntu 6.5.0-9.9-generic 6.5.3
Uname: Linux 6.5.0-9-generic x86_64
NonfreeKernelModules: nvidia_modeset nvidia zfs
ApportVersion: 2.27.0-0ubuntu6
Architecture: amd64
CasperMD5CheckResult: pass
CurrentDesktop: XFCE
Date: Sat Dec 16 10:40:00 2023
InstallationDate: Installed on 2023-12-10 (6 days ago)
InstallationMedia: Xubuntu 24.04 "Noble Numbat" - Daily amd64 (20231127)
SourcePackage: apparmor
UpgradeStatus: No upgrade log present (probably fresh install)
modified.conffile..etc.default.apport:
 # set this to 0 to disable apport, or to 1 to enable it
 # you can temporarily override this with
 # sudo service apport start force_start=1
 enabled=0
mtime.conffile..etc.default.apport: 2023-12-12T09:43:48.905263

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2046624/+subscriptions

--
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 2045577] Re: Demote isc-dhcp-server to universe
I've discussed with MAAS and Dimitri, we moved it to the community-maas seed. => https://code.launchpad.net/~paelzer/ubuntu-seeds/+git/platform/+merge/457339 Thereby it should (tm) no more be in component mismatches. The other AAs haven't replied yet if they'd need something else, that answer might only happen in 2024. But after the seed updates we should already be much better, demoting again. Right now there is only 4.4.3-P1-4ubuntu1 in noble, nothing in proposed - maybe the former loss was due to that not correctly being carried over when moving to -release? Override component to universe isc-dhcp-server 4.4.3-P1-4ubuntu1 in noble amd64: main/net/optional/100% -> universe isc-dhcp-server 4.4.3-P1-4ubuntu1 in noble arm64: main/net/optional/100% -> universe isc-dhcp-server 4.4.3-P1-4ubuntu1 in noble armhf: main/net/optional/100% -> universe isc-dhcp-server 4.4.3-P1-4ubuntu1 in noble ppc64el: main/net/optional/100% -> universe isc-dhcp-server 4.4.3-P1-4ubuntu1 in noble riscv64: main/net/optional/100% -> universe isc-dhcp-server 4.4.3-P1-4ubuntu1 in noble s390x: main/net/optional/100% -> universe Override [y|N]? y 6 publications overridden. ** Changed in: isc-dhcp (Ubuntu) Status: Triaged => Fix Released -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to isc-dhcp in Ubuntu. https://bugs.launchpad.net/bugs/2045577 Title: Demote isc-dhcp-server to universe Status in isc-dhcp package in Ubuntu: Fix Released Bug description: Following up on the isc-kea promotion (LP: #2002861) as the new supported DHCP server, it is now time to demote isc-dhcp-server. All the packages that are in. While we are not ready to demote all isc-dhcp packages (there are still packages in main that reverse depend/recommend isc-dhcp-client), we are ready to demote isc-dhcp-server. 
$ reverse-depends isc-dhcp-server Reverse-Recommends == * fai-server Reverse-Depends === * fai-quickstart * isc-dhcp-server-ldap [amd64 arm64 armhf ppc64el s390x] Packages without architectures listed are reverse-dependencies in: amd64, arm64, armhf, i386, ppc64el, s390x $ reverse-depends -b isc-dhcp-server Reverse-Testsuite-Triggers == * chrony * dracut As shown there are no reverse dependencies for isc-dhcp-server in main. There are Reverse-Testsuite-Triggers in main, but these should not be considered for demotion matters here. The seeds at https://git.launchpad.net/~ubuntu-core-dev/ubuntu- seeds/+git/platform/tree/?h=noble contain 2 entries for isc-dhcp- server: $ grep -r isc-dhcp-server * supported-maas: * isc-dhcp-server supported-misc-servers: * isc-dhcp-server I will proceed with removing the supported-misc-servers entry. Once this is removed from supported-maas, the package will no longer be seeded (we should then get a component mismatch) and can be safely demoted to universe. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/isc-dhcp/+bug/2045577/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 2045771] Re: [MIR] isc-dhcp-server
** Description changed: + This isn't really MIR, but a reminder found by the tooling that tells us + why it is no more in main >=Noble. + + --- + This was demoted due to LP: #2045577. This will keep showing in component mismatches as needed from MAAS (just like ipmitool did for years) for now. MAAS is no more part of the Archive and planned to move off of using isc-dhcp in PF-3898, that has had some changes over time (not committed in last cycle, changed the approach this cycle) - but either way they will move off of it and we are no more holding it in main in Ubuntu just like that. Please, do not move it back to main for the time being. See LP: #2045577 for further reference. ** Description changed: This isn't really MIR, but a reminder found by the tooling that tells us why it is no more in main >=Noble. --- This was demoted due to LP: #2045577. This will keep showing in component mismatches as needed from MAAS (just like ipmitool did for years) for now. - MAAS is no more part of the Archive and planned to move off of using - isc-dhcp in PF-3898, that has had some changes over time (not committed - in last cycle, changed the approach this cycle) - but either way they - will move off of it and we are no more holding it in main in Ubuntu just - like that. + MAAS is no more part of the Archive and planned to move off of using isc-dhcp in PF-3898, that has had some changes over time (communicated in late 2022, filed as a need in 23.04, changed the approach while in 24.04). + But either way they will move off of it and we are no more holding it in main in Ubuntu just for that (there are good reasons it is demoted). Please, do not move it back to main for the time being. See LP: #2045577 for further reference. -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to isc-dhcp in Ubuntu. 
https://bugs.launchpad.net/bugs/2045771 Title: [MIR] isc-dhcp-server Status in isc-dhcp package in Ubuntu: Won't Fix Bug description: This isn't really MIR, but a reminder found by the tooling that tells us why it is no more in main >=Noble. --- This was demoted due to LP: #2045577. This will keep showing in component mismatches as needed from MAAS (just like ipmitool did for years) for now. MAAS is no more part of the Archive and planned to move off of using isc-dhcp in PF-3898, that has had some changes over time (communicated in late 2022, filed as a need in 23.04, changed the approach while in 24.04). But either way they will move off of it and we are no more holding it in main in Ubuntu just for that (there are good reasons it is demoted). Please, do not move it back to main for the time being. See LP: #2045577 for further reference. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/isc-dhcp/+bug/2045771/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 2045771] Re: [MIR] isc-dhcp-server
** Description changed: - This was demoted due to LP: #2045577. This will keep showing in - component mismatches as ipmitool for now. + This was demoted due to LP: #2045577. + + This will keep showing in component mismatches as needed from MAAS (just + like ipmitool did for years) for now. + + MAAS is no more part of the Archive and planned to move off of using + isc-dhcp in PF-3898, that has had some changes over time (not committed + in last cycle, changed the approach this cycle) - but either way they + will move off of it and we are no more holding it in main in Ubuntu just + like that. Please, do not move it back to main for the time being. See LP: #2045577 for further reference. -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to isc-dhcp in Ubuntu. https://bugs.launchpad.net/bugs/2045771 Title: [MIR] isc-dhcp-server Status in isc-dhcp package in Ubuntu: Won't Fix Bug description: This was demoted due to LP: #2045577. This will keep showing in component mismatches as needed from MAAS (just like ipmitool did for years) for now. MAAS is no more part of the Archive and planned to move off of using isc-dhcp in PF-3898, that has had some changes over time (not committed in last cycle, changed the approach this cycle) - but either way they will move off of it and we are no more holding it in main in Ubuntu just like that. Please, do not move it back to main for the time being. See LP: #2045577 for further reference. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/isc-dhcp/+bug/2045771/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 2045577] Re: Demote isc-dhcp-server to universe
Hi Athos, agreed: According to [1] all that is holding it back is MAAS still referring to it. But I'm afraid of doing the demotion last minute as a surprise to the wider Ubuntu.

The MAAS team has been involved in planning and preparing for this. They have committed to get rid of their dependency. And then OTOH the supported-maas seed also does depend and show ipmitool all the time and it was left open.

So ack, we want to demote this right now to make sure everyone, and not just MAAS, is even more aware. The source can not yet move as Foundations works on letting the client fully go.

Demoted in proposed and will go to noble in full once 4.4.3-P1-4ubuntu1 migrates.

Override component to universe
isc-dhcp-server 4.4.3-P1-4ubuntu1 in noble amd64: main/net/optional/100% -> universe
isc-dhcp-server 4.4.3-P1-4ubuntu1 in noble arm64: main/net/optional/100% -> universe
isc-dhcp-server 4.4.3-P1-4ubuntu1 in noble armhf: main/net/optional/100% -> universe
isc-dhcp-server 4.4.3-P1-4ubuntu1 in noble ppc64el: main/net/optional/100% -> universe
isc-dhcp-server 4.4.3-P1-4ubuntu1 in noble riscv64: main/net/optional/100% -> universe
isc-dhcp-server 4.4.3-P1-4ubuntu1 in noble s390x: main/net/optional/100% -> universe
Override [y|N]? y
6 publications overridden

@Athos - please create a MIR bug saying "Won't Fix" and some reference to this and the rest of the history. To be found by component mismatches, otherwise another friendly archive admin will just re-promote it.

[1]: https://ubuntu-archive-team.ubuntu.com/germinate-output/ubuntu.jammy/rdepends/isc-dhcp/isc-dhcp-server

** Changed in: isc-dhcp (Ubuntu)
Status: In Progress => Fix Released

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to isc-dhcp in Ubuntu.
https://bugs.launchpad.net/bugs/2045577

Title: Demote isc-dhcp-server to universe

Status in isc-dhcp package in Ubuntu: Fix Released

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/isc-dhcp/+bug/2045577/+subscriptions
[Touch-packages] [Bug 2039294] Re: apparmor docker
Slightly related:

> /usr/sbin/runc flags=(unconfined) {

Shouldn't that nowadays be(come)

    profile runc /usr/sbin/runc flags=(unconfined) {

Ideally please fix this now, so that the upstream docker profile can use peer=runc

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/2039294

Title: apparmor docker

Status in docker: New
Status in apparmor package in Ubuntu: Incomplete

Bug description:
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 23.10
Release: 23.10
Codename: mantic

Docker version 24.0.5, build 24.0.5-0ubuntu1

Graceful shutdown doesn't work anymore due to SIGTERM and SIGKILL (maybe all signals?) doesn't reach the target process. Works when apparmor is uninstalled.

[17990.085295] audit: type=1400 audit(1697213244.019:981): apparmor="DENIED" operation="signal" class="signal" profile="docker-default" pid=172626 comm="runc" requested_mask="receive" denied_mask="receive" signal=term peer="/usr/sbin/runc"
[17992.112517] audit: type=1400 audit(1697213246.043:982): apparmor="DENIED" operation="signal" class="signal" profile="docker-default" pid=172633 comm="runc" requested_mask="receive" denied_mask="receive" signal=kill peer="/usr/sbin/runc"

To manage notifications about this bug go to:
https://bugs.launchpad.net/docker/+bug/2039294/+subscriptions

--
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help : https://help.launchpad.net/ListHelp
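An added example, not part of the thread and not code from AppArmor or Docker: a small Python parser that groups the signal denials quoted in the report above into candidate AppArmor `signal` rules for review, and shows how the rule reads once the peer profile is named `runc` as the reply suggests. The third log record (with a hex-encoded `comm`) and the `peer_names` mapping are constructed assumptions.

```python
import re
from collections import defaultdict

# String-valued fields: the audit subsystem logs them quoted, or as bare
# upper-case hex when the value contains a space or another unsafe character.
STRING_FIELDS = {"profile", "peer", "name", "comm"}
PAIR_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
HEX_RE = re.compile(r"^(?:[0-9A-F]{2})+$")

# The first two records are the ones quoted in the bug report.
_PAGE_RECORDS = [
    '[17990.085295] audit: type=1400 audit(1697213244.019:981): apparmor="DENIED" '
    'operation="signal" class="signal" profile="docker-default" pid=172626 '
    'comm="runc" requested_mask="receive" denied_mask="receive" signal=term '
    'peer="/usr/sbin/runc"',
    '[17992.112517] audit: type=1400 audit(1697213246.043:982): apparmor="DENIED" '
    'operation="signal" class="signal" profile="docker-default" pid=172633 '
    'comm="runc" requested_mask="receive" denied_mask="receive" signal=kill '
    'peer="/usr/sbin/runc"',
]
# Constructed record (not from the report): a comm containing a space, which
# is therefore logged hex-encoded instead of quoted.
_CONSTRUCTED = (
    '[17995.000000] audit: type=1400 audit(1697213249.000:983): apparmor="DENIED" '
    'operation="signal" class="signal" profile="docker-default" pid=172640 '
    "comm=" + "runc init".encode().hex().upper() + " "
    'requested_mask="receive" denied_mask="receive" signal=term '
    'peer="/usr/sbin/runc"'
)
SAMPLE_LOG = "\n".join(_PAGE_RECORDS + [_CONSTRUCTED])


def parse_record(line):
    """Return the key/value fields of one AppArmor audit record, or None."""
    if "apparmor=" not in line:
        return None
    fields = {}
    for m in PAIR_RE.finditer(line):
        key, quoted, bare = m.group(1), m.group(2), m.group(3)
        if quoted is not None:
            value = quoted
        elif key in STRING_FIELDS and HEX_RE.match(bare):
            # Bare value in a string field: undo the hex encoding.
            value = bytes.fromhex(bare).decode("utf-8", errors="replace")
        else:
            value = bare  # numeric or keyword field such as pid= or signal=
        fields[key] = value
    return fields


def signal_denials(log_text):
    """Group denied signal operations by (profile, peer, access)."""
    grouped = defaultdict(lambda: {"signals": set(), "comms": set()})
    for line in log_text.splitlines():
        rec = parse_record(line)
        if not rec or rec.get("apparmor") != "DENIED":
            continue
        if rec.get("operation") != "signal":
            continue
        key = (rec["profile"], rec["peer"], rec["denied_mask"])
        grouped[key]["signals"].add(rec["signal"])
        grouped[key]["comms"].add(rec.get("comm", "?"))
    return dict(grouped)


def suggest_rules(grouped, peer_names=None):
    """Render one candidate signal rule per (profile, peer, access) group.

    peer_names maps a logged peer label to the name it would have after the
    peer profile is renamed (hypothetical mapping supplied by the reviewer).
    """
    peer_names = peer_names or {}
    rules = defaultdict(list)
    for (profile, peer, access), seen in sorted(grouped.items()):
        peer = peer_names.get(peer, peer)
        signals = ", ".join(sorted(seen["signals"]))
        rules[profile].append(f"signal ({access}) set=({signals}) peer={peer},")
    return dict(rules)


if __name__ == "__main__":
    groups = signal_denials(SAMPLE_LOG)
    for profile, lines in suggest_rules(groups).items():
        print(f"# candidate additions to profile {profile}")
        for rule in lines:
            print("  " + rule)
    # Same denials, with the peer profile named "runc" as the reply suggests.
    print(suggest_rules(groups, {"/usr/sbin/runc": "runc"}))
```

The generated lines are candidates to review before adding them to a profile, not a replacement for reading the denials themselves.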
[Touch-packages] [Bug 2030684] Re: tzname[1] empty after tzset() with env TZ="UTC"
This bug is no more an issue, marking fixed

** Changed in: python-django (Ubuntu)
Status: New => Fix Released

** Changed in: django-mailman3 (Ubuntu)
Status: New => Fix Released

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to tzdata in Ubuntu.
https://bugs.launchpad.net/bugs/2030684

Title: tzname[1] empty after tzset() with env TZ="UTC"

Status in django-mailman3 package in Ubuntu: Fix Released
Status in php8.2 package in Ubuntu: Triaged
Status in postgresql-15 package in Ubuntu: Fix Committed
Status in python-django package in Ubuntu: Fix Released
Status in systemd package in Ubuntu: Invalid
Status in tzdata package in Ubuntu: Fix Released
Status in tzdata package in Debian: Fix Released

Bug description:
The following program prints different output when run with tzdata 2023c-7ubuntu1 from mantic, versus tzdata 2023c-8ubuntu1 from mantic-proposed:

root@mantic:~# cat bug.c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>

int main(void) {
    int r;

    r = setenv("TZ", ":UTC", 1);
    if (r < 0) {
        printf("Failed to set TZ env var: %s\n", strerror(errno));
        return 1;
    }

    tzset();

    printf("timezone = %lu, daylight = %d\n", timezone, daylight);
    printf("tzname[0] = %s, tzname[1] = %s\n", tzname[0], tzname[1]);
}
root@mantic:~# gcc bug.c
root@mantic:~# ./a.out
timezone = 0, daylight = 0
tzname[0] = UTC, tzname[1] = UTC
root@mantic:~# apt-cache policy tzdata
tzdata:
  Installed: 2023c-7ubuntu1
  Candidate: 2023c-7ubuntu1
  Version table:
 *** 2023c-7ubuntu1 500
        500 http://archive.ubuntu.com/ubuntu mantic/main amd64 Packages
        100 /var/lib/dpkg/status

If I install tzdata from mantic-proposed, I get different output:

root@mantic:~# vi /etc/apt/sources.list
root@mantic:~# apt update && apt install tzdata
Hit:1 http://archive.ubuntu.com/ubuntu mantic InRelease
Hit:2 http://security.ubuntu.com/ubuntu mantic-security InRelease
Get:3 http://archive.ubuntu.com/ubuntu mantic-proposed InRelease [118 kB]
Hit:4
http://archive.ubuntu.com/ubuntu mantic-updates InRelease Hit:5 http://archive.ubuntu.com/ubuntu mantic-backports InRelease Get:6 http://archive.ubuntu.com/ubuntu mantic-proposed/main amd64 Packages [35.9 kB] Get:7 http://archive.ubuntu.com/ubuntu mantic-proposed/main Translation-en [14.8 kB] Get:8 http://archive.ubuntu.com/ubuntu mantic-proposed/main amd64 DEP-11 Metadata [2376 B] Get:9 http://archive.ubuntu.com/ubuntu mantic-proposed/main amd64 c-n-f Metadata [1004 B] Get:10 http://archive.ubuntu.com/ubuntu mantic-proposed/restricted amd64 Packages [15.9 kB] Get:11 http://archive.ubuntu.com/ubuntu mantic-proposed/restricted Translation-en [3564 B] Get:12 http://archive.ubuntu.com/ubuntu mantic-proposed/restricted amd64 c-n-f Metadata [336 B] Fetched 192 kB in 1s (324 kB/s) Reading package lists... Done Building dependency tree... Done Reading state information... Done 72 packages can be upgraded. Run 'apt list --upgradable' to see them. root@mantic:~# apt install tzdata=2023c-8ubuntu1 Reading package lists... Done Building dependency tree... Done Reading state information... Done The following packages were automatically installed and are no longer required: libefiboot1 libefivar1 Use 'apt autoremove' to remove them. The following packages will be upgraded: tzdata 1 upgraded, 0 newly installed, 0 to remove and 72 not upgraded. Need to get 269 kB of archives. After this operation, 142 kB disk space will be freed. Get:1 http://archive.ubuntu.com/ubuntu mantic-proposed/main amd64 tzdata all 2023c-8ubuntu1 [269 kB] Fetched 269 kB in 0s (867 kB/s) Preconfiguring packages ... (Reading database ... 39935 files and directories currently installed.) Preparing to unpack .../tzdata_2023c-8ubuntu1_all.deb ... Unpacking tzdata (2023c-8ubuntu1) over (2023c-7ubuntu1) ... Setting up tzdata (2023c-8ubuntu1) ... Current default time zone: 'Etc/UTC' Local time is now: Mon Aug 7 21:18:35 UTC 2023. Universal Time is now: Mon Aug 7 21:18:35 UTC 2023. 
Run 'dpkg-reconfigure tzdata' if you wish to change it. Scanning processes... Scanning candidates... Restarting services... Service restarts being deferred: systemctl restart systemd-logind.service systemctl restart unattended-upgrades.s
[Touch-packages] [Bug 2033569] Re: suddenly choked on multiseat config in a way that survives reboots and even purging it
Found a solution. There were two separate issues:

FIRST ISSUE

Apparently systemd likes to start up lightdm early, so early that on a reasonably fast system the GPU driver won't be ready in time ... (I thought this was what systemd's dependency handling was for, but never mind.)

This seems to be a long-standing issue; it's neither multiseat- nor GPU-driver-specific. And considering this is just a budget AMD box, albeit a new one, it's going to bite more and more people in future.

My hypothesis re. why the first few boots with lightdm worked is that I was still in the middle of setting up the box, i.e. a lot changed from one boot to the next. Either one of those changes triggered the timing issue, or "clean" boots are faster per se.

The workarounds detailed in the Arch Wiki (https://wiki.archlinux.org/title/LightDM#LightDM_does_not_appear_or_monitor_only_displays_TTY_output) both work, to wit:

1) Add

    [LightDM]
    logind-check-graphical=true

in /etc/lightdm/lightdm.conf

- OR -

2) Enable early KMS by adding your GPU driver module to /etc/initramfs-tools/modules and running update-initramfs -k all -u.

SECOND ISSUE:

At some point while trying to fix this I deleted /var/lib/lightdm as well, which is lightdm's home directory. Since purging lightdm does not remove the lightdm user, reinstalling it will not (re)create this directory. Unfortunately the symptoms are the same as above--lightdm goes into a restart loop, then gives up.

Now, the second issue probably isn't a bug, though the postinst script could at least print a warning if the home directory isn't present and writeable, but the first one is, IMHO.

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to lightdm in Ubuntu.
https://bugs.launchpad.net/bugs/2033569 Title: suddenly choked on multiseat config in a way that survives reboots and even purging it Status in lightdm package in Ubuntu: New Bug description: I have a bog-standard loginctl multiseat setup, using lightdm because of #2033323. Except for the lack of session locking, it worked beautifully, across multiple reboots. Until it didn't. Box woke from suspend, and to be fair was acting strangely even then (Steam suddenly tried to launch using the iGPU), so suspend may well be broken on this box, but if so, that's a separate issue. Anyway, I rebooted, no lightdm greeter to be seen, the screen on seat1 was black. I did not have easy access to seat0 at the time. The journal has, looping: systemd[1]: Failed to start Detect the available GPUs and deal with any system changes. systemd[1]: lightdm.service: Start request repeated too quickly. token systemd[1]: lightdm.service: Failed with result 'exit-code'. token systemd[1]: Failed to start Light Display Manager. The first line is from gpu-manager.service, whose log contains Vendor/Device Id: 1002:164e BusID "PCI:110@0:0:0" Is boot vga? no Error: can't access /sys/bus/pci/devices/:6e:00.0/driver The device is not bound to any driver. Vendor/Device Id: 1002:73ff BusID "PCI:3@0:0:0" Is boot vga? yes Error : Failed to open /dev/dri Error : Failed to open /dev/dri Error : Failed to open /dev/dri Error : Failed to open /dev/dri x-0 log has vesa: Ignoring device with a bound kernel driver vesa: Ignoring device with a bound kernel driver (EE) Fatal server error: (EE) no screens found(EE) Scary. Thing is, both the iGPU and the dGPU are claimed by amdgpu, their "driver" symlink is accessible just fine. Switch back to gdm via dpkg- reconfigure, it boots up fine again. It's just lightdm that's hosed. I tried purging lightdm and lightdm-gtk-greeter, along with and /var/lib/lightdm, and reinstalling the packages, but no dice. 
What does work is starting lightdm.service manually over ssh: It takes about 1-4 tries for both gpu-manager and lightdm to successfully launch and bring up both greeters. Reboot, and it fails again. Some kind of race condition due to too lax timing and/or dependencies in the lightdm service file? Something unrelated changed the order and or speed at which systemd executes the service files, i.e. it worked by accident before and now it doesn't? ProblemType: Bug DistroRelease: Ubuntu 22.04 Package: lightdm 1.30.0-0ubuntu5 Uname: Linux 6.4.12-060412-generic x86_64 ApportVersion: 2.20.11-0ubuntu82.5 Architecture: amd64 CasperMD5CheckResult: pass Date: Thu Aug 31 03:16:56 2023 InstallationDate: Installed on 2023-08-25 (5 days ago) InstallationMedia: Ubuntu 22.04.3 LTS "Jammy Jellyfish" - Release amd64 (20230807.2) SourcePackage: lightdm UpgradeStatus: No upgrade log present (probably fresh install) To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/lightdm/+bug/2033569/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsu
[Touch-packages] [Bug 2033569] Re: suddenly choked on multiseat config in a way that survives reboots and even purging it
gpu-manager.service is probably a red herring, or a separate bug. I (sometimes?) get "Error: can't access /sys/bus/pci/devices/:6e:00.0/driver \ The device is not bound to any driver." when booting with gdm as well; yet gpu-manager.service doesn't fail, and gdm comes up normally. I

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to lightdm in Ubuntu.
https://bugs.launchpad.net/bugs/2033569

Title: suddenly choked on multiseat config in a way that survives reboots and even purging it

Status in lightdm package in Ubuntu: New

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/lightdm/+bug/2033569/+subscriptions
[Touch-packages] [Bug 2033569] [NEW] suddenly choked on multiseat config in a way that survives reboots and even purging it
Public bug reported: I have a bog-standard loginctl multiseat setup, using lightdm because of #2033323. Except for the lack of session locking, it worked beautifully, across multiple reboots. Until it didn't. Box woke from suspend, and to be fair was acting strangely even then (Steam suddenly tried to launch using the iGPU), so suspend may well be broken on this box, but if so, that's a separate issue. Anyway, I rebooted, no lightdm greeter to be seen, the screen on seat1 was black. I did not have easy access to seat0 at the time. The journal has, looping: systemd[1]: Failed to start Detect the available GPUs and deal with any system changes. systemd[1]: lightdm.service: Start request repeated too quickly. token systemd[1]: lightdm.service: Failed with result 'exit-code'. token systemd[1]: Failed to start Light Display Manager. The first line is from gpu-manager.service, whose log contains Vendor/Device Id: 1002:164e BusID "PCI:110@0:0:0" Is boot vga? no Error: can't access /sys/bus/pci/devices/:6e:00.0/driver The device is not bound to any driver. Vendor/Device Id: 1002:73ff BusID "PCI:3@0:0:0" Is boot vga? yes Error : Failed to open /dev/dri Error : Failed to open /dev/dri Error : Failed to open /dev/dri Error : Failed to open /dev/dri x-0 log has vesa: Ignoring device with a bound kernel driver vesa: Ignoring device with a bound kernel driver (EE) Fatal server error: (EE) no screens found(EE) Scary. Thing is, both the iGPU and the dGPU are claimed by amdgpu, their "driver" symlink is accessible just fine. Switch back to gdm via dpkg-reconfigure, it boots up fine again. It's just lightdm that's hosed. I tried purging lightdm and lightdm-gtk-greeter, along with and /var/lib/lightdm, and reinstalling the packages, but no dice. What does work is starting lightdm.service manually over ssh: It takes about 1-4 tries for both gpu-manager and lightdm to successfully launch and bring up both greeters. Reboot, and it fails again.
Some kind of race condition due to too lax timing and/or dependencies in the lightdm service file? Something unrelated changed the order and or speed at which systemd executes the service files, i.e. it worked by accident before and now it doesn't? ProblemType: Bug DistroRelease: Ubuntu 22.04 Package: lightdm 1.30.0-0ubuntu5 Uname: Linux 6.4.12-060412-generic x86_64 ApportVersion: 2.20.11-0ubuntu82.5 Architecture: amd64 CasperMD5CheckResult: pass Date: Thu Aug 31 03:16:56 2023 InstallationDate: Installed on 2023-08-25 (5 days ago) InstallationMedia: Ubuntu 22.04.3 LTS "Jammy Jellyfish" - Release amd64 (20230807.2) SourcePackage: lightdm UpgradeStatus: No upgrade log present (probably fresh install) ** Affects: lightdm (Ubuntu) Importance: Undecided Status: New ** Tags: amd64 apport-bug jammy third-party-packages -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to lightdm in Ubuntu. https://bugs.launchpad.net/bugs/2033569 Title: suddenly choked on multiseat config in a way that survives reboots and even purging it Status in lightdm package in Ubuntu: New
[Touch-packages] [Bug 2004551] Re: upgrade to lunar fails due to rescue-ssh.target or port 22 takeover
@Steve Since the machine's original use case is blocked until we know if we can go on. Is the above enough for you to have a deeper look together with us? If so please let Miriam know when once she can reset the machine to go on with the MRE verifications that this was supposed to do :-) -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to openssh in Ubuntu. https://bugs.launchpad.net/bugs/2004551 Title: upgrade to lunar fails due to rescue-ssh.target or port 22 takeover Status in openssh package in Ubuntu: New Bug description: Hi, I just upgraded a system from Jammy to Lunar and openssh-server refuses to upgrade well. Setting up openssh-server (1:9.0p1-1ubuntu8) ... Replacing config file /etc/ssh/sshd_config with new version Replacing config file /etc/ssh/sshd_config with new version Synchronizing state of ssh.service with SysV service script with /lib/systemd/systemd-sysv-install. Executing: /lib/systemd/systemd-sysv-install disable ssh rescue-ssh.target is a disabled or a static unit not running, not starting it. Could not execute systemctl: at /usr/bin/deb-systemd-invoke line 145. dpkg: error processing package openssh-server (--configure): installed openssh-server package post-installation script subprocess returned error exit status 1 Processing triggers for man-db (2.11.2-1) ... Processing triggers for libc-bin (2.36-0ubuntu4) ... Errors were encountered while processing: openssh-server Error: Timeout was reached needrestart is being skipped since dpkg has failed E: Sub-process /usr/bin/dpkg returned an error code (1) I'm not sure what exactly it is. This output complains about rescue-ssh.target and indeed that can not be started even directly. $ sudo systemctl start rescue-ssh.target A dependency job for rescue-ssh.target failed. See 'journalctl -xe' for details.
And in postinst is a try to start it: $ grep rescue /var/lib/dpkg/info/openssh-server.postinst deb-systemd-invoke $_dh_action 'rescue-ssh.target' >/dev/null || true But I think the underlying issue is that ssh is already on, and I'm logged in via it. And that makes the service restart of the ssh socket which was added break. Feb 02 10:40:56 node-horsea systemd[104560]: ssh.socket: Failed to create listening socket ([::]:22): Address already in use Feb 02 10:40:56 node-horsea systemd[1]: ssh.socket: Failed to receive listening socket ([::]:22): Input/output error Feb 02 10:40:56 node-horsea systemd[1]: ssh.socket: Failed to listen on sockets: Input/output error Feb 02 10:40:56 node-horsea systemd[1]: ssh.socket: Failed with result 'resources'. Now, whichever it is, it is hard to resolve. The only way to get the socket to own it would be rebooting so that sshd lets go and systemd can take over. I could reboot, but that is not the point. What if I'd want to get the service and upgrade completed before reboot. Because as of now dpkg considers the system unhappy, and that would usually be a sign for "better not reboot before being resolved" to me. One thing though, I have not upgraded with do-release-upgrade - would we / do we have magic there to make the ssh socket activation transition smoother? To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/2004551/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 2027712] Re: Switch from usrmerge to usr-is-merged
FYI Change of the way this shall be tackled. Per Steve's very helpful comment in the MR to the seeds: "I don't think we want either of these packages in main. They are transitional packages; while the transition is still ongoing in Debian, in Ubuntu the transition completed two LTS cycles ago. We should just patch init-system-helpers in Ubuntu to drop the dependency which is no longer needed." @Foundations I'm adding a task for init-system-helpers to represent the work for that change. @CPC The cloud-image tasks can stay to eventually verify that the image builds (after that change to init-system-helpers) really have neither installed. ** Also affects: init-system-helpers (Ubuntu) Importance: Undecided Status: New -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to init-system-helpers in Ubuntu. https://bugs.launchpad.net/bugs/2027712 Title: Switch from usrmerge to usr-is-merged Status in cloud-images: Confirmed Status in init-system-helpers package in Ubuntu: New Bug description: Last year in Debian we added the 'usr-is-merged' binary package to the 'usrmerge' source package. Its purpose is to be an empty metapackage that simply asserts that the system is usr-merged. This is done via the postinst. Contrary to usrmerge, it doesn't ship any additional code, perform any additional action or have any additional dependencies. In Debian, we have an essential package (init-system-helpers) that depends on usrmerge | usr-is-merged, so that on upgrade for already installed images usrmerge is pulled in and all systems are forcibly merged. But for new images being built, the bootstrap (eg: debootstrap) process will instead pull in usr-is-merged, which will save space and reduce the overall code footprint. The problem in Ubuntu is that while usrmerge is in main, usr-is-merged is in universe, so unless the bootstrap tool enables universe for the initial bootstrap phase, usrmerge is always pulled in.
Refs: https://packages.ubuntu.com/mantic/usr-is-merged https://packages.ubuntu.com/mantic/usrmerge https://packages.ubuntu.com/mantic/init-system-helpers To manage notifications about this bug go to: https://bugs.launchpad.net/cloud-images/+bug/2027712/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1815101] Re: [master] Restarting systemd-networkd breaks keepalived, heartbeat, corosync, pacemaker (interface aliases are restarted)
** Changed in: keepalived (Ubuntu Xenial) Assignee: (unassigned) => Athos Ribeiro (athos-ribeiro) ** Changed in: keepalived (Ubuntu Bionic) Assignee: (unassigned) => Athos Ribeiro (athos-ribeiro) ** No longer affects: keepalived (Ubuntu Xenial) ** Changed in: keepalived (Ubuntu Focal) Assignee: (unassigned) => Athos Ribeiro (athos-ribeiro) -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to systemd in Ubuntu. https://bugs.launchpad.net/bugs/1815101 Title: [master] Restarting systemd-networkd breaks keepalived, heartbeat, corosync, pacemaker (interface aliases are restarted) Status in netplan: Triaged Status in heartbeat package in Ubuntu: Won't Fix Status in keepalived package in Ubuntu: In Progress Status in systemd package in Ubuntu: Fix Released Status in systemd source package in Xenial: Won't Fix Status in keepalived source package in Bionic: Confirmed Status in systemd source package in Bionic: Fix Released Status in systemd source package in Disco: Won't Fix Status in systemd source package in Eoan: Fix Released Status in keepalived source package in Focal: Confirmed Status in systemd source package in Focal: Fix Released Bug description: [impact] - ALL related HA software has a small problem if interfaces are being managed by systemd-networkd: nic restarts/reconfigs are always going to wipe all interfaces aliases when HA software is not expecting it to (no coordination between them. - keepalived, smb ctdb, pacemaker, all suffer from this. Pacemaker is smarter in this case because it has a service monitor that will restart the virtual IP resource, in affected node & nic, before considering a real failure, but other HA service might consider a real failure when it is not. [test case] - comment #14 is a full test case: to have 3 node pacemaker, in that example, and cause a networkd service restart: it will trigger a failure for the virtual IP resource monitor. 
- other example is given in the original description for keepalived. both suffer from the same issue (and other HA softwares as well). [regression potential] - this backports KeepConfiguration parameter, which adds some significant complexity to networkd's configuration and behavior, which could lead to regressions in correctly configuring the network at networkd start, or incorrectly maintaining configuration at networkd restart, or losing network state at networkd stop. - Any regressions are most likely to occur during networkd start, restart, or stop, and most likely to involve missing or incorrect ip address(es). - the change is based in upstream patches adding the exact feature we needed to fix this issue & it will be integrated with a netplan change to add the needed stanza to systemd nic configuration file (KeepConfiguration=) [other info] original description: --- Configure netplan for interfaces, for example (a working config with IP addresses obfuscated) network: ethernets: eth0: addresses: [192.168.0.5/24] dhcp4: false nameservers: search: [blah.com, other.blah.com, hq.blah.com, cust.blah.com, phone.blah.com] addresses: [10.22.11.1] eth2: addresses: - 12.13.14.18/29 - 12.13.14.19/29 gateway4: 12.13.14.17 dhcp4: false nameservers: search: [blah.com, other.blah.com, hq.blah.com, cust.blah.com, phone.blah.com] addresses: [10.22.11.1] eth3: addresses: [10.22.11.6/24] dhcp4: false nameservers: search: [blah.com, other.blah.com, hq.blah.com, cust.blah.com, phone.blah.com] addresses: [10.22.11.1] eth4: addresses: [10.22.14.6/24] dhcp4: false nameservers: search: [blah.com, other.blah.com, hq.blah.com, cust.blah.com, phone.blah.com] addresses: [10.22.11.1] eth7: addresses: [9.5.17.34/29] dhcp4: false optional: true nameservers: search: [blah.com, other.blah.com, hq.blah.com, cust.blah.com, phone.blah.com] addresses: [10.22.11.1] version: 2 Configure keepalived (again, a working config with IP addresses obfuscated) global_defs # Block id { notification_email { 
sysadm...@blah.com } notification_email_from keepali...@system3.hq.blah.com smtp_server 10.22.11.7 # IP smtp_connect_timeout 30 # integer, seconds router_id system3 # string identifying the machine, # (doesn't have to be hostname). vrrp_mcast_group4 224.0.0.18 # opti
[Touch-packages] [Bug 1993370] Re: Cannot install proprietary Broadcom WiFi drivers on Ubuntu Studio Jammy 22.04.2 and Kinetic
As https://bugs.launchpad.net/ubuntu/+source/kubuntu-driver-manager/+bug/1994035 is marked a duplicate and just affected me twice in a month, I believe this to be still open. In my case, it was the VirtualBox extensions and Nvidia drivers that got trashed by an automatic system kernel update. What happened? • System installed updates, including a new kernel. • After updates, on the next boot with eGPU, X11 didn't load, and I got an error message during boot that the VirtualBox kernel extensions couldn't be loaded. What workaround helped? • Boot without eGPU. • uname -a to check the kernel version • sudo apt-get install linux-headers-… matching the kernel version • reboot -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to software-properties in Ubuntu. https://bugs.launchpad.net/bugs/1993370 Title: Cannot install proprietary Broadcom WiFi drivers on Ubuntu Studio Jammy 22.04.2 and Kinetic Status in software-properties package in Ubuntu: Fix Committed Status in software-properties source package in Jammy: Confirmed Status in software-properties source package in Kinetic: Fix Committed Bug description: Hardware: HP Elitebook 8570p, 16 GB RAM, 120 GB SSD, 3rd Gen Intel Core i5, UEFI, no secure boot, Broadcom WiFi. OS: Ubuntu Studio Kinetic, Final ISO Steps to reproduce: 1. Boot the Ubuntu Studio ISO on a system with Broadcom WiFi, and install the system normally. (No encryption, allow Internet access during installation using some method of connectivity other than WiFi.) 2. Reboot and log into the newly installed system. 3. Open a terminal and run "sudo software-properties-kde". 4. Click "Additional Drivers" in the window that pops up. 5. Click "Using Broadcom 802.11 Linux STA wireless driver source from bcmwl-kernel-source (proprietary)". Expected result: The Apply Changes button should become clickable, allowing the user to install the driver.
Actual result: The button remains grayed out, and the following error message is printed in the terminal: Traceback (most recent call last): File "/usr/lib/python3/dist-packages/softwareproperties/qt/SoftwarePropertiesQt.py", line 1063, in on_driver_selection_changed modules_package_obj = self.apt_cache[modules_package] TypeError: Expected a string or a pair of strings ProblemType: Bug DistroRelease: Ubuntu 22.10 Package: software-properties-qt 0.99.27 ProcVersionSignature: Ubuntu 5.19.0-1007.7-lowlatency 5.19.7 Uname: Linux 5.19.0-1007-lowlatency x86_64 ApportVersion: 2.23.1-0ubuntu3 Architecture: amd64 CasperMD5CheckResult: unknown CurrentDesktop: KDE Date: Tue Oct 18 21:33:51 2022 InstallationDate: Installed on 2022-10-19 (0 days ago) InstallationMedia: Ubuntu-Studio 22.10 "Kinetic Kudu" - Release amd64 (20221017.1) PackageArchitecture: all SourcePackage: software-properties UpgradeStatus: No upgrade log present (probably fresh install) To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/software-properties/+bug/1993370/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1815101] Re: [master] Restarting systemd-networkd breaks keepalived, heartbeat, corosync, pacemaker (interface aliases are restarted)
** Changed in: keepalived (Ubuntu) Assignee: (unassigned) => Athos Ribeiro (athos-ribeiro) -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to systemd in Ubuntu. https://bugs.launchpad.net/bugs/1815101 Title: [master] Restarting systemd-networkd breaks keepalived, heartbeat, corosync, pacemaker (interface aliases are restarted) Status in netplan: Triaged Status in heartbeat package in Ubuntu: Won't Fix Status in keepalived package in Ubuntu: In Progress Status in systemd package in Ubuntu: Fix Released Status in keepalived source package in Xenial: Confirmed Status in systemd source package in Xenial: Won't Fix Status in keepalived source package in Bionic: Confirmed Status in systemd source package in Bionic: Fix Released Status in systemd source package in Disco: Won't Fix Status in systemd source package in Eoan: Fix Released Status in keepalived source package in Focal: Confirmed Status in systemd source package in Focal: Fix Released Bug description: [impact] - ALL related HA software has a small problem if interfaces are being managed by systemd-networkd: nic restarts/reconfigs are always going to wipe all interfaces aliases when HA software is not expecting it to (no coordination between them. - keepalived, smb ctdb, pacemaker, all suffer from this. Pacemaker is smarter in this case because it has a service monitor that will restart the virtual IP resource, in affected node & nic, before considering a real failure, but other HA service might consider a real failure when it is not. [test case] - comment #14 is a full test case: to have 3 node pacemaker, in that example, and cause a networkd service restart: it will trigger a failure for the virtual IP resource monitor. - other example is given in the original description for keepalived. both suffer from the same issue (and other HA softwares as well). 
[regression potential] - this backports KeepConfiguration parameter, which adds some significant complexity to networkd's configuration and behavior, which could lead to regressions in correctly configuring the network at networkd start, or incorrectly maintaining configuration at networkd restart, or losing network state at networkd stop. - Any regressions are most likely to occur during networkd start, restart, or stop, and most likely to involve missing or incorrect ip address(es). - the change is based in upstream patches adding the exact feature we needed to fix this issue & it will be integrated with a netplan change to add the needed stanza to systemd nic configuration file (KeepConfiguration=) [other info] original description: --- Configure netplan for interfaces, for example (a working config with IP addresses obfuscated) network: ethernets: eth0: addresses: [192.168.0.5/24] dhcp4: false nameservers: search: [blah.com, other.blah.com, hq.blah.com, cust.blah.com, phone.blah.com] addresses: [10.22.11.1] eth2: addresses: - 12.13.14.18/29 - 12.13.14.19/29 gateway4: 12.13.14.17 dhcp4: false nameservers: search: [blah.com, other.blah.com, hq.blah.com, cust.blah.com, phone.blah.com] addresses: [10.22.11.1] eth3: addresses: [10.22.11.6/24] dhcp4: false nameservers: search: [blah.com, other.blah.com, hq.blah.com, cust.blah.com, phone.blah.com] addresses: [10.22.11.1] eth4: addresses: [10.22.14.6/24] dhcp4: false nameservers: search: [blah.com, other.blah.com, hq.blah.com, cust.blah.com, phone.blah.com] addresses: [10.22.11.1] eth7: addresses: [9.5.17.34/29] dhcp4: false optional: true nameservers: search: [blah.com, other.blah.com, hq.blah.com, cust.blah.com, phone.blah.com] addresses: [10.22.11.1] version: 2 Configure keepalived (again, a working config with IP addresses obfuscated) global_defs # Block id { notification_email { sysadm...@blah.com } notification_email_from keepali...@system3.hq.blah.com smtp_server 10.22.11.7 # IP smtp_connect_timeout 30 # 
integer, seconds router_id system3 # string identifying the machine, # (doesn't have to be hostname). vrrp_mcast_group4 224.0.0.18 # optional, default 224.0.0.18 vrrp_mcast_group6 ff02::12 # optional, default ff02::12 enable_traps # enable SNMP traps } vrrp_sync_group collection { group {
[Touch-packages] [Bug 2022927] Re: Busybox mount fails to mount Snaps
This is somewhat opinion, so I'm happy to be convinced, but without either - upstream progress to merge it there or - a good explanation why you think that wouldn't lock us in into hard to maintain delta and issues to users => This won't be uploaded IMHO. When that upstream response or explanation is ready please post it and subscribe ubuntu-sponsors again. -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to busybox in Ubuntu. https://bugs.launchpad.net/bugs/2022927 Title: Busybox mount fails to mount Snaps Status in busybox package in Ubuntu: New Bug description: Snapd tries to mount squashfs Snaps with non-standard mount flags like "x-gdu.hide" and "x-gvfs-hide", both of which are used to indicate to userspace programs that a given mount should not be shown in a list of mounted partitions/filesystems. Busybox does not support these flags, and so fails with "Invalid argument". $ sudo busybox mount -t tmpfs -o x-gdu-hide test /tmp/test mount: mounting test on /tmp/test failed: Invalid argument These flags can likely be safely ignored, as they don't actually affect the functionality of the mount. This goes for all mount options starting with "x-", as these generally denote non-standard mount option "extensions". I've created a patch against Busybox which adds an optional configuration item to ignore all mount options beginning with "x-". An additional verbose option has also been added to enable the ability to report that the mount flags have been ignored, rather than silently ignoring them. This is a requirement for a customer project, where we are limited to using Busybox (due to coreutils' GPL-3.0 licence) but would also require using Snaps like checkbox for testing and verification.
This was posted on the Busybox mailing list a few months ago (http://lists.busybox.net/pipermail/busybox/2023-March/090202.html) but patch acceptance there seems to take quite a long time, and we need this for the customer. A PPA containing the patched Busybox version is available on the project's Launchpad team: https://launchpad.net/~nemos-team/+archive/ubuntu/ppa To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/busybox/+bug/2022927/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 2022927] Re: Busybox mount fails to mount Snaps
Debian is at 1.36 already, but without your change landing upstream that doesn't help us :-/ (This was released before on January 2023 anyway) The upstream contribution was nice, but stalled with http://lists.busybox.net/pipermail/busybox/2023-March/090211.html It didn't come up again in April-June :-/ Was there any follow up to avoid this being Ubuntu delta forever? Especially with something that changes behavior so that e.g. guides and howtos would behave differently between linux variants you'd usually want upstream's buy-in to avoid maintenance nightmare. Would you mind following up with them and summarizing here about that progress to get it upstream? P.S. by now you might want to set "mantic" in your debdiff changelog stanza as that is what someone will eventually sponsor it to. -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to busybox in Ubuntu. https://bugs.launchpad.net/bugs/2022927 Title: Busybox mount fails to mount Snaps Status in busybox package in Ubuntu: New
[Touch-packages] [Bug 1815101] Re: [master] Restarting systemd-networkd breaks keepalived, heartbeat, corosync, pacemaker (interface aliases are restarted)
Marking todo to recheck how the situation is today. ** Tags removed: server-triage-discuss ** Tags added: server-todo -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to systemd in Ubuntu. https://bugs.launchpad.net/bugs/1815101 Title: [master] Restarting systemd-networkd breaks keepalived, heartbeat, corosync, pacemaker (interface aliases are restarted) Status in netplan: Triaged Status in heartbeat package in Ubuntu: Won't Fix Status in keepalived package in Ubuntu: In Progress Status in systemd package in Ubuntu: Fix Released Status in keepalived source package in Xenial: Confirmed Status in systemd source package in Xenial: Won't Fix Status in keepalived source package in Bionic: Confirmed Status in systemd source package in Bionic: Fix Released Status in systemd source package in Disco: Won't Fix Status in systemd source package in Eoan: Fix Released Status in keepalived source package in Focal: Confirmed Status in systemd source package in Focal: Fix Released
[Touch-packages] [Bug 1892559] Re: [MIR] ccid opensc pcsc-lite
There has been no further update for too long, for now we consider it invalid. Feel free to re-open if there is effort backing it up and motivation to bring it to main. ** Changed in: opensc (Ubuntu) Status: Incomplete => Invalid ** Changed in: pcsc-lite (Ubuntu) Status: Incomplete => Invalid -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to pcsc-lite in Ubuntu. https://bugs.launchpad.net/bugs/1892559 Title: [MIR] ccid opensc pcsc-lite Status in ccid package in Ubuntu: In Progress Status in opensc package in Ubuntu: Invalid Status in pam-pkcs11 package in Ubuntu: Invalid Status in pcsc-lite package in Ubuntu: Invalid Status in pcsc-perl package in Ubuntu: Invalid Status in pcsc-tools package in Ubuntu: Invalid Bug description: ==> ccid <== [Availability] ccid is in universe, and builds on all architectures. [Rationale] The desktop team and security team are interested in bringing smartcard authentication to enterprise desktop environments. [Security] No CVEs for ccid are listed in our database. Doesn't appear to bind to a socket. No privileged executables, but does have udev rules. Probably needs a security review. [Quality assurance] No test suite. Does require odd hardware that we'll probably need to buy. I don't see debconf questions. ccid is well maintained in Debian by upstream author. One open wishlist bug in BTS, harmless. One open bug in launchpad, not security, but looks very frustrating for the users. The upstream author was engaged but it never reached resolution. https://bugs.launchpad.net/ubuntu/+source/ccid/+bug/1175465 Has a debian/watch file. Quilt packaging.
P: ccid source: no-dep5-copyright P: ccid source: package-uses-experimental-debhelper-compat-version 13 [Dependencies] Minimal dependencies, in main [Standards compliance] Appears to satisfy FHS and Debian policy [Maintenance] The desktop team will subscribe to bugs, however it is expected that the security team will assist with security-relevant questions. [Background information] ccid provides drivers to interact with usb-connected smart card readers. ==> libpam-pkcs11 <== [Availability] Source package pam-pkcs11 is in universe and builds on all architectures. [Rationale] The desktop team and security team are interested in bringing smartcard authentication to enterprise desktop environments. [Security] No CVEs in our database. Doesn't appear to bind to sockets. No privileged executables (but is a PAM module). As a PAM module this will require a security review. [Quality assurance] The package does not call pam-auth-update in its postinst #1650366 Does not ask questions during install. One Ubuntu bug claims very poor behaviour if a card isn't plugged in. No Debian bugs. Occasional updates in Debian by long-term maintainer. Does require odd hardware that we'll probably need to buy. Does not appear to run tests during build. Has scary warnings in the build logs. Has a debian/watch file. Ancient standards version; other smaller lintian messages, mostly documentation problems. Quilt packaging. [Dependencies] Depends on libcurl4, libldap-2.4-2, libpam0g, libpcsclite1, libssl1.1 All are in main. [Standards compliance] The package does not call pam-auth-update in its postinst #1650366 Otherwise looks to conform to FHS and Debian policies [Maintenance] The desktop team will subscribe to bugs, however it is expected that the security team will assist with security-relevant questions. [Background information] This PAM module can use CRLs and full-chain verification of certificates. It can also do LDAP, AD, and Kerberos username mapping. 
==> libpcsc-perl <== [Availability] Source package pcsc-perl is in universe, builds for all architectures, plus i386 [Rationale] The desktop team and security team are interested in bringing smartcard authentication to enterprise desktop environments. [Security] There are no cves for pcsc-perl in our database. No privileged executables. Doesn't appear to bind to sockets. Probably needs a security review. [Quality assurance] Library package not intended to be used directly. No debconf questions. No bugs in Debian. No bugs in Ubuntu. Does require odd hardware that we'll probably need to buy. Tests exist, not run during the build; probably can't run during the build. Includes debian/watch file. A handful of lintian issues Quilt packaging. [Dependencies] libpcsc-perl depends upon libpcsclite1, libc6, perl, perlapi-5.30.0. All are in main. [Standards compliance] One oddity, Card.pod is stored in /usr/lib/x86_64-linux-gnu/perl5/5.30/Chipcard/PCSC/ Many other perl packages have .pod files in these directory trees so maybe it's fine, but it seems funny all the same. Otherwise appears to satis
[Touch-packages] [Bug 2015562] Re: Segfault in dnsmasq when using certain static domain entries + DoH (bugfix possibly exists upstream)
** Merge proposal linked:
   https://code.launchpad.net/~mirespace/ubuntu/+source/dnsmasq/+git/dnsmasq/+merge/442007

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to dnsmasq in Ubuntu.
https://bugs.launchpad.net/bugs/2015562

Title:
  Segfault in dnsmasq when using certain static domain entries + DoH (bugfix possibly exists upstream)

Status in dnsmasq package in Ubuntu: Fix Released
Status in dnsmasq source package in Jammy: In Progress

Bug description:
  Hi folks,

  I've been using dnsmasq for my home DNS needs, which includes returning null entries for certain domain queries. The specific case in which I found this segfault was returning null records for Netflix (to ensure Netflix does not try to use my IPv6 tunnel to egress traffic through).

  I've been using a very simple configuration snippet to achieve this, this is attached as netflix-nov6.conf (the full file contains more entries).

  Ever since I've upgraded from Ubuntu 20.04 to 22.04, dnsmasq kept segfaulting at random occasions. I also attempted to do an apt update&&upgrade, but there are no newer versions of this package available.

  Further research into this issue showed that a surefire way to trigger this segfault was to go to a website blocked via this method (for testing purposes, a dig query works quite well). The segfault can be reproduced reliably, and always occurs after one or a few queries towards the "blocked" domain entries.

  I found a commit in the upstream dnsmasq git repo which seems to fix this issue, the fix made it into 2.87:
  https://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=de372d6914ae20a1f9997815f258efbf3b14c39b

  Would it be possible to backport this into the version used in the current LTS Ubuntu release?

  Thanks!

  --

    $ lsb_release -d
    Description: Ubuntu 22.04.2 LTS

    $ apt-cache policy dnsmasq
    dnsmasq:
      Installed: 2.86-1.1ubuntu0.2
      Candidate: 2.86-1.1ubuntu0.2
      Version table:
     *** 2.86-1.1ubuntu0.2 500
            500 http://de.archive.ubuntu.com/ubuntu jammy-updates/universe amd64 Packages
            100 /var/lib/dpkg/status
         2.86-1.1ubuntu0.1 500
            500 http://de.archive.ubuntu.com/ubuntu jammy-security/universe amd64 Packages
         2.86-1.1 500
            500 http://de.archive.ubuntu.com/ubuntu jammy/universe amd64 Packages

  --

  Excerpt from the dnsmasq logs, with debugging enabled, after I loaded fast.com:

    Apr 07 13:47:41 budgie systemd[1]: Started dnsmasq - A lightweight DHCP and caching DNS server.
    Apr 07 13:47:42 budgie dnsmasq[109976]: query[type=65] fast.dradis.netflix.com from 192.168.10.82
    Apr 07 13:47:42 budgie dnsmasq[109976]: config error is REFUSED (EDE: network error)
    Apr 07 13:47:43 budgie dnsmasq[109976]: query[type=65] ichnaea-web.netflix.com from 192.168.10.82
    Apr 07 13:47:43 budgie systemd[1]: dnsmasq.service: Main process exited, code=dumped, status=11/SEGV
    Apr 07 13:47:43 budgie systemd[1]: dnsmasq.service: Failed with result 'core-dump'.

  Core dump is also attached.

  Reproduction steps:

  - 1. Install dnsmasq on Ubuntu 22.04 (or any Ubuntu release using dnsmasq 2.86)
  - 1.5. Configure one or multiple DNS servers for dnsmasq
  - 2. Copy netflix-nov6.conf into /etc/dnsmasq.d/
  - 3. Restart/reload dnsmasq
  - 3.5 Verify that dnsmasq resolves domains correctly:

    root@budgie:~# dig +short -tA ubuntu.com @127.0.0.1
    185.125.190.21
    185.125.190.20
    185.125.190.29
    root@budgie:~# dig +short -t ubuntu.com @127.0.0.1
    2620:2d:4000:1::28
    2620:2d:4000:1::26
    2620:2d:4000:1::27

  - 4. Perform a type65 / HTTPS recordtype query for netflix.com towards the dnsmasq server once or twice:

    root@budgie:~# dig +short -tTYPE65 netflix.com @127.0.0.1
    root@budgie:~# dig +short -tTYPE65 netflix.com @127.0.0.1
    ;; communications error to 127.0.0.1#53: timed out
    ;; communications error to 127.0.0.1#53: connection refused
    ;; communications error to 127.0.0.1#53: connection refused
    ;; no servers could be reached

  - 5. Check logs to verify segfault:

    Apr 07 14:03:28 budgie systemd[1]: Started dnsmasq - A lightweight DHCP and caching DNS server.
    Apr 07 14:03:32 budgie dnsmasq[111585]: query[type=65] netflix.com from 127.0.0.1
    Apr 07 14:03:32 budgie dnsmasq[111585]: config error is REFUSED (EDE: network error)
    Apr 07 14:03:33 budgie dnsmasq[111585]: query[type=65] netflix.com from 127.0.0.1
    Apr 07 14:03:33 budgie systemd[1]: dnsmasq.service: Main process exited, code=dumped, status=11/SEGV
    Apr 07 14:03:33 budgie systemd[1]: dnsmasq.service: Failed with result 'core-dump'.

  --

  netflix-nov6.conf:

    # Null response on these domains
    server=/netflix.com/#
    address=/netflix.com/::
    server=/netflix.net/#
    address=/netflix.net/::
    server=/nflxext.com/#
    address=/nflxext.com/::

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/dnsmasq/+bug/
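The triage step from the report (step 5, matching the service crash to the query logged just before it), as an added Python example that is not part of the bug report or of dnsmasq. REPORT_LOG holds the journal lines quoted in the report; CLEAN_STOP_LOG is constructed, and the function names are this example's own.

```python
import re
from collections import Counter

# Journal lines copied from the two excerpts in the report above.
REPORT_LOG = """\
Apr 07 13:47:41 budgie systemd[1]: Started dnsmasq - A lightweight DHCP and caching DNS server.
Apr 07 13:47:42 budgie dnsmasq[109976]: query[type=65] fast.dradis.netflix.com from 192.168.10.82
Apr 07 13:47:42 budgie dnsmasq[109976]: config error is REFUSED (EDE: network error)
Apr 07 13:47:43 budgie dnsmasq[109976]: query[type=65] ichnaea-web.netflix.com from 192.168.10.82
Apr 07 13:47:43 budgie systemd[1]: dnsmasq.service: Main process exited, code=dumped, status=11/SEGV
Apr 07 13:47:43 budgie systemd[1]: dnsmasq.service: Failed with result 'core-dump'.
Apr 07 14:03:28 budgie systemd[1]: Started dnsmasq - A lightweight DHCP and caching DNS server.
Apr 07 14:03:32 budgie dnsmasq[111585]: query[type=65] netflix.com from 127.0.0.1
Apr 07 14:03:32 budgie dnsmasq[111585]: config error is REFUSED (EDE: network error)
Apr 07 14:03:33 budgie dnsmasq[111585]: query[type=65] netflix.com from 127.0.0.1
Apr 07 14:03:33 budgie systemd[1]: dnsmasq.service: Main process exited, code=dumped, status=11/SEGV
Apr 07 14:03:33 budgie systemd[1]: dnsmasq.service: Failed with result 'core-dump'.
"""

# Constructed sample: an answered query followed by a non-signal exit.
CLEAN_STOP_LOG = """\
Apr 07 15:00:01 budgie dnsmasq[112000]: query[A] ubuntu.com from 127.0.0.1
Apr 07 15:00:01 budgie dnsmasq[112000]: forwarded ubuntu.com to 192.0.2.53
Apr 07 15:00:09 budgie systemd[1]: dnsmasq.service: Main process exited, code=exited, status=1/FAILURE
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s(?P<host>\S+)\s"
    r"(?P<proc>[^\[\s]+)\[(?P<pid>\d+)\]:\s(?P<msg>.*)$"
)
QUERY_RE = re.compile(
    r"^query\[(?P<qtype>[^\]]+)\]\s(?P<name>\S+)\sfrom\s(?P<client>\S+)$"
)
EXIT_RE = re.compile(
    r"^dnsmasq\.service: Main process exited, "
    r"code=(?P<code>\w+), status=(?P<status>\S+)$"
)


def find_crashes(log_text):
    """Return one record per signal death of dnsmasq.service, each carrying
    the last query dnsmasq logged before it died."""
    crashes = []
    last_query = None   # most recent query line logged by dnsmasq
    answered = False    # did the same PID log anything after that query?
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.rstrip())
        if not m:
            continue  # not a syslog-style line
        if m["proc"] == "dnsmasq":
            q = QUERY_RE.match(m["msg"])
            if q:
                last_query = dict(q.groupdict(), pid=int(m["pid"]), ts=m["ts"])
                answered = False
            elif last_query and int(m["pid"]) == last_query["pid"]:
                answered = True
        elif m["proc"] == "systemd":
            e = EXIT_RE.match(m["msg"])
            if not e:
                continue
            # systemd reports code=killed or code=dumped when a signal
            # ended the process; code=exited is an ordinary exit.
            if e["code"] in ("killed", "dumped"):
                crashes.append({
                    "ts": m["ts"],
                    "status": e["status"],
                    "last_query": last_query,
                    "unanswered": last_query is not None and not answered,
                })
            last_query, answered = None, False
    return crashes


def qtype_counts(crashes):
    """Count the query types still unanswered when dnsmasq died."""
    return Counter(c["last_query"]["qtype"] for c in crashes if c["unanswered"])


if __name__ == "__main__":
    found = find_crashes(REPORT_LOG)
    for c in found:
        q = c["last_query"]
        what = (f'{q["qtype"]} {q["name"]} from {q["client"]}'
                if q else "no query logged")
        print(f'{c["ts"]} {c["status"]}: {what} (unanswered={c["unanswered"]})')
    print(dict(qtype_counts(found)))
```

Both crashes in the report follow an unanswered type=65 (HTTPS record) query, which is the common factor the reproduction steps rely on.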
[Touch-packages] [Bug 2019424] Re: Heimdal can be synced
@Steve / @Vorlon As outlined above we still can't see the diff in dependencies due to LTO. But I'm sure you have seen it or you wouldn't have said so and we want to spot where in our work the mistake was ... Therefore let me ask - was that a local build that you did or is that somewhere we could have a look at for comparison? -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to heimdal in Ubuntu. https://bugs.launchpad.net/bugs/2019424 Title: Heimdal can be synced Status in heimdal package in Ubuntu: Confirmed Bug description: After heimdal merge process, I was trying to figure out if the delta that is still not dropped is required or not. So, to test it, I have created 2 PPAs, one in which lto is disabled, and the second one, where the lto is enabled. I have built them and downloaded the debs for i386 and amd64. Then I have compared amd64 deb from PPA1 with amd64 deb from PPA2. The same story with i386. The binary dependencies were identical. There is no difference between the files. So in that case, the delta can possibly be dropped. The package has already been merged again, with the change: heimdal (7.8.git20221117.28daf24+dfsg-2ubuntu1) mantic; urgency=low * Merge from Debian unstable. Remaining changes: - d/rules: Disable lto, to regain dep on roken, otherwise dependencies on amd64 are different than i386 resulting in different files on amd64 and i386. -- Steve Langasek Tue, 02 May 2023 09:56:10 +0200 heimdal (7.8.git20221117.28daf24+dfsg-1ubuntu1) lunar; urgency=low * Merge from Debian unstable. Remaining changes: - d/rules: Disable lto, to regain dep on roken, otherwise dependencies on amd64 are different than i386 resulting in different files on amd64 and i386. (LP #1934936) -- Steve Langasek Tue, 24 Jan 2023 19:14:54 -0800 Due to this, syncpackage doesn't run. The package can be sync'd next time it comes up. 
To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/heimdal/+bug/2019424/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 2019424] Re: Heimdal can be synced
Hmm - odd, Michal has checked the files and the build logs as he outlined above. And in addition to all those checks being done, if we just grep for all final dependencies and compare there is no difference (other than a glibc min version level). I know names are not too helpful: - ~ppa1 = LTO-off - ~ppa2 = LTO-on This compares amd64 vs i386 without LTO enabled $ grep "Depends" buildlog_ubuntu-lunar-amd64.heimdal_7.8.git20221117.28daf24+dfsg-1ubuntu1~ppa2_BUILDING.txt > amd64.deps $ grep "Depends" buildlog_ubuntu-lunar-i386.heimdal_7.8.git20221117.28daf24+dfsg-1ubuntu1~ppa2_BUILDING.txt > i386.deps $ diff -Naur amd64.deps i386.deps --- amd64.deps 2023-05-16 10:18:49.754334825 +0200 +++ i386.deps 2023-05-16 10:18:51.106344323 +0200 
@@ -8,10 +8,10 @@ Depends: debconf (>= 0.5.00) | debconf-2.0, heimdal-clients, krb5-config, lsb-base, openbsd-inetd | inet-superserver, libasn1-8-heimdal (>= 1.4.0+git20110226), libc6 (>= 2.34), libcap-ng0 (>= 0.7.9), libgssapi3-heimdal (>= 1.4.0+git20110226), libhcrypto5-heimdal (>= 1.4.0+git20110226), libhdb9-heimdal (>= 1.6~git20131117), libheimntlm0-heimdal (>= 1.4.0+git20110226), libkadm5srv8-heimdal (>= 7.8.git20221115.a6cf945+dfsg), libkdc2-heimdal (>= 1.4.0+git20110226), libkrb5-26-heimdal (>= 1.7~git20160418), libroken19-heimdal (>= 1.7~git20150920), libsl0-heimdal (>= 1.4.0+git20110226) Depends: comerr-dev, libasn1-8-heimdal (= 7.8.git20221117.28daf24+dfsg-1ubuntu1~ppa2), libgssapi3-heimdal (= 7.8.git20221117.28daf24+dfsg-1ubuntu1~ppa2), libhcrypto5-heimdal (= 7.8.git20221117.28daf24+dfsg-1ubuntu1~ppa2), libhdb9-heimdal (= 7.8.git20221117.28daf24+dfsg-1ubuntu1~ppa2), libheimbase1-heimdal (= 7.8.git20221117.28daf24+dfsg-1ubuntu1~ppa2), libhx509-5-heimdal (= 7.8.git20221117.28daf24+dfsg-1ubuntu1~ppa2), libkadm5clnt7-heimdal (= 7.8.git20221117.28daf24+dfsg-1ubuntu1~ppa2), libkadm5srv8-heimdal (= 7.8.git20221117.28daf24+dfsg-1ubuntu1~ppa2), libkafs0-heimdal (= 7.8.git20221117.28daf24+dfsg-1ubuntu1~ppa2), libkdc2-heimdal (= 7.8.git20221117.28daf24+dfsg-1ubuntu1~ppa2), libkrb5-26-heimdal (= 7.8.git20221117.28daf24+dfsg-1ubuntu1~ppa2), libwind0-heimdal (= 7.8.git20221117.28daf24+dfsg-1ubuntu1~ppa2), libotp0-heimdal (= 7.8.git20221117.28daf24+dfsg-1ubuntu1~ppa2), libsl0-heimdal (= 7.8.git20221117.28daf24+dfsg-1ubuntu1~ppa2), libc6 (>= 2.34), libcom-err2 (>= 1.43.9), libroken19-heimdal (>= 1.4.0+git20110226) Depends: krb5-config, openbsd-inetd | inet-superserver, libc6 (>= 2.34), libkrb5-26-heimdal (>= 1.4.0+git20110226), libroken19-heimdal (>= 1.4.0+git20110226) - Depends: libc6 (>= 2.14), libcom-err2 (>= 1.43.9), libroken19-heimdal (>= 1.4.0+git20110226) + Depends: libc6 (>= 2.8), libcom-err2 (>= 1.43.9), libroken19-heimdal (>= 1.4.0+git20110226) Depends: 
libasn1-8-heimdal (>= 1.4.0+git20110226), libc6 (>= 2.34), libcom-err2 (>= 1.43.9), libhcrypto5-heimdal (>= 1.4.0+git20110226), libheimntlm0-heimdal (>= 1.4.0+git20110226), libkrb5-26-heimdal (>= 1.6~git20131117), libroken19-heimdal (>= 1.7~git20150920) Depends: libasn1-8-heimdal (>= 1.4.0+git20110226), libc6 (>= 2.36), libheimbase1-heimdal (>= 1.4.0+git20110226), libroken19-heimdal (>= 1.7~git20150920) - Depends: libasn1-8-heimdal (>= 1.6~git20120311g), libc6 (>= 2.14), libcom-err2 (>= 1.43.9), libdb5.3, libkrb5-26-heimdal (>= 1.7~git20161112), libldap2 (>= 2.6.2), libroken19-heimdal (>= 1.7~git20150920), libsqlite3-0 (>= 3.5.9) + Depends: libasn1-8-heimdal (>= 1.6~git20120311g), libc6 (>= 2.8), libcom-err2 (>= 1.43.9), libdb5.3, libkrb5-26-heimdal (>= 1.7~git20161112), libldap2 (>= 2.6.2), libroken19-heimdal (>= 1.7~git20150920), libsqlite3-0 (>= 3.5.9) Depends: libc6 (>= 2.34) Depends: libc6 (>= 2.4), libhcrypto5-heimdal (>= 1.4.0+git20110226), libkrb5-26-heimdal (>= 1.4.0+git20110226), libroken19-heimdal (>= 1.7~git20150920), libwind0-heimdal (>= 1.4.0+git20110226) Depends: libasn1-8-heimdal (>= 1.4.0+git20110226), libc6 (>= 2.34), libcom-err2 (>= 1.43.9), libhcrypto5-heimdal (>= 1.4.0+git20110226), libheimbase1-heimdal (>= 1.6~git20131117), libroken19-heimdal (>= 1.7~git20150920), libwind0-heimdal (>= 1.4.0+git20110226) 
@@ -23,4 +23,4 @@ Depends: libc6 (>= 2.33), libdb5.3, libhcrypto5-heimdal (>= 1.4.0+git20110226) Depends: libc6 (>= 2.36), libcrypt1 (>= 1:4.1.0) Depends: libc6 (>= 2.11), libedit2 (>= 2.11-20080614-0) - Depends: libc6 (>= 2.14), libcom-err2 (>= 1.43.9) + Depends: libc6 (>= 2.4), libcom-err2 (>= 1.43.9) And checking the PPAs build if LTO was really back on I indeed see "... -ffat-lto-objects ..." used in https://launchpadlibrarian.net/646899573/buildlog_ubuntu-lunar-amd64.heimdal_7.8.git20221117.28daf24+dfsg-1ubuntu1~ppa2_BUILDING.txt.gz -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to heimdal in Ubuntu. https://bugs.launchpad.net/bugs/2019424 Title: Heimdal can be synced Status in heimdal package in Ubuntu: Confirmed Bug description: After heimd
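Review bot: the file headers of this diff (amd64.deps, i386.deps) come from the two grep commands on the ~ppa2 build logs, which the same message labels LTO-on, while the sentence introducing the comparison says "without LTO enabled"; the text should name the PPA it actually compared, and the same amd64-vs-i386 diff on the ~ppa1 logs would be needed to cover the LTO-off case as well. The changed lines in both hunks differ only in the libc6 minimum version (2.14 against 2.8 or 2.4), so it would also help to state next to the diff that version-only differences are being disregarded when the dependencies are called identical.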
[Touch-packages] [Bug 2017990] Re: package linux-image-5.15.0-71-generic 5.15.0-71.78~20.04.1 failed to install/upgrade: run-parts: /etc/kernel/postinst.d/initramfs-tools exited with return code 1
Why does /root have 0 bits available? The hard disk shows over 90 G free. Best regards, Christian -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to initramfs-tools in Ubuntu. https://bugs.launchpad.net/bugs/2017990 Title: package linux-image-5.15.0-71-generic 5.15.0-71.78~20.04.1 failed to install/upgrade: run-parts: /etc/kernel/postinst.d/initramfs-tools exited with return code 1 Status in initramfs-tools package in Ubuntu: Confirmed Bug description: None ProblemType: Package DistroRelease: Ubuntu 20.04 Package: linux-image-5.15.0-71-generic 5.15.0-71.78~20.04.1 ProcVersionSignature: Ubuntu 5.15.0-69.76~20.04.1-generic 5.15.87 Uname: Linux 5.15.0-69-generic x86_64 NonfreeKernelModules: nvidia_modeset nvidia ApportVersion: 2.20.11-0ubuntu27.26 Architecture: amd64 CasperMD5CheckResult: skip Date: Fri Apr 28 07:53:45 2023 ErrorMessage: run-parts: /etc/kernel/postinst.d/initramfs-tools exited with return code 1 InstallationDate: Installed on 2021-12-16 (497 days ago) InstallationMedia: Ubuntu 20.04.2.0 LTS "Focal Fossa" - Release amd64 (20210209.1) Python3Details: /usr/bin/python3.8, Python 3.8.10, python3-minimal, 3.8.2-0ubuntu2 PythonDetails: N/A RelatedPackageVersions: dpkg 1.19.7ubuntu3.2 apt 2.0.9 SourcePackage: initramfs-tools Title: package linux-image-5.15.0-71-generic 5.15.0-71.78~20.04.1 failed to install/upgrade: run-parts: /etc/kernel/postinst.d/initramfs-tools exited with return code 1 UpgradeStatus: No upgrade log present (probably fresh install) To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/initramfs-tools/+bug/2017990/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1641272] Re: Debug symbols package doesnt exist
Jorge very likely doesn't work on this anymore, so much time has passed. The assignment created wrong expectations, let us unassign it to reflect that. Also this isn't ubuntu specific, if tackled it should be done together with Debian which has this bug as well https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=844989 ** Bug watch added: Debian Bug tracker #844989 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=844989 ** Changed in: dnsmasq (Ubuntu) Assignee: Jorge Niedbalski (niedbalski) => (unassigned) ** Also affects: dnsmasq (Debian) via https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=844989 Importance: Unknown Status: Unknown -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to dnsmasq in Ubuntu. https://bugs.launchpad.net/bugs/1641272 Title: Debug symbols package doesnt exist Status in dnsmasq package in Ubuntu: New Status in dnsmasq package in Debian: Unknown Bug description: On Yakkety with ddebs repos enabled there is no debug packages for dnsmasq To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/dnsmasq/+bug/1641272/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1838151] Re: Poor quality audio with modern Bluetooth headsets in HSP/HFP. Missing wide band speech support (Bluetooth A2DP codecs).
Thank you for your response Konrad. I followed the docs for replacing pulseaudio with pipewire which worked well. Now the bluetooth app offers more codecs to use. I figured out "mSBC" offers the best quality. Compared to A2DP it still sucks and sounds horrible. You don't want to accept this if you bought a bluetooth headset for 250 EUR with brilliant audio capabilities. So I ended up using a separate mic from my webcam. Hope this will be fixed soon. Thank you so far. -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to bluez in Ubuntu. https://bugs.launchpad.net/bugs/1838151 Title: Poor quality audio with modern Bluetooth headsets in HSP/HFP. Missing wide band speech support (Bluetooth A2DP codecs). Status in PulseAudio: Fix Released Status in bluez package in Ubuntu: Fix Released Status in linux package in Ubuntu: Fix Released Status in pulseaudio package in Ubuntu: Fix Released Status in Arch Linux: New Bug description: Bluetooth HSP/HFP audio quality is poor on Ubuntu comparative to all other major platforms (Windows, MacOS, ChromeOS, Android, iOS). Modern Bluetooth headsets (such as the Bose QC series headphones, many others) are capable of using HFP 1.6 with mSBC 16kHz audio encoding. As it currently stands, Ubuntu defaults to only supporting HSP headsets using 8kHz CVSD, and is incapable of supporting HFP 1.6 at this time. The ChromiumOS team recently tackled this issue - https://bugs.chromium.org/p/chromium/issues/detail?id=843048 Their efforts may assist in bringing this to Ubuntu, however it appears that there are quite a lot of differences considering they have developed their own audio server solution etc.
The Bluetooth Telephony Working Group published the HFP 1.6 spec in May 2011 - https://www.bluetooth.org/docman/handlers/downloaddoc.ashx?doc_id=238193 Patches have been proposed in the past for this issue to the kernel and PulseAudio: PulseAudio: https://patchwork.freedesktop.org/patch/245272/ Kernel: https://www.spinics.net/lists/linux-bluetooth/msg76982.html It appears that the Chromium OS team applied the same kernel patch: https://chromium.googlesource.com/chromiumos/third_party/kernel/+/77dd0cb94c1713a8a12f6e392955dfa64c430e54 ProblemType: Bug DistroRelease: Ubuntu 19.04 Package: pulseaudio 1:12.2-2ubuntu3 ProcVersionSignature: Ubuntu 5.0.0-20.21-generic 5.0.8 Uname: Linux 5.0.0-20-generic x86_64 ApportVersion: 2.20.10-0ubuntu27.1 Architecture: amd64 AudioDevicesInUse: USERPID ACCESS COMMAND /dev/snd/controlC0: jnappi 2777 F pulseaudio CurrentDesktop: ubuntu:GNOME Date: Sat Jul 27 11:08:29 2019 EcryptfsInUse: Yes InstallationDate: Installed on 2017-11-04 (629 days ago) InstallationMedia: Ubuntu 17.10 "Artful Aardvark" - Release amd64 (20171018) ProcEnviron: PATH=(custom, no user) XDG_RUNTIME_DIR= LANG=en_US.UTF-8 SHELL=/bin/bash SourcePackage: pulseaudio UpgradeStatus: Upgraded to disco on 2019-07-18 (9 days ago) dmi.bios.date: 06/07/2016 dmi.bios.vendor: LENOVO dmi.bios.version: R07ET67W (2.07 ) dmi.board.asset.tag: Not Available dmi.board.name: 20FW000TUS dmi.board.vendor: LENOVO dmi.board.version: SDK0J40705 WIN dmi.chassis.asset.tag: No Asset Information dmi.chassis.type: 10 dmi.chassis.vendor: LENOVO dmi.chassis.version: None dmi.modalias: dmi:bvnLENOVO:bvrR07ET67W(2.07):bd06/07/2016:svnLENOVO:pn20FW000TUS:pvrThinkPadT460p:rvnLENOVO:rn20FW000TUS:rvrSDK0J40705WIN:cvnLENOVO:ct10:cvrNone: dmi.product.family: ThinkPad T460p dmi.product.name: 20FW000TUS dmi.product.sku: LENOVO_MT_20FW_BU_Think_FM_ThinkPad T460p dmi.product.version: ThinkPad T460p dmi.sys.vendor: LENOVO To manage notifications about this bug go to: 
https://bugs.launchpad.net/pulseaudio/+bug/1838151/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1838151] Re: Poor quality audio with modern Bluetooth headsets in HSP/HFP. Missing wide band speech support (Bluetooth A2DP codecs).
Hi, now it's 2023 and I still have this problem. Using Mint 21.1 and Teams for Linux. When I switch to A2DP I cannot use the headset mic. When I switch to HFP the sound in conversations is horrible. Would appreciate a fix here. -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to bluez in Ubuntu. https://bugs.launchpad.net/bugs/1838151 Title: Poor quality audio with modern Bluetooth headsets in HSP/HFP. Missing wide band speech support (Bluetooth A2DP codecs). Status in PulseAudio: Fix Released Status in bluez package in Ubuntu: Fix Released Status in linux package in Ubuntu: Fix Released Status in pulseaudio package in Ubuntu: Fix Released Status in Arch Linux: New
[Touch-packages] [Bug 2012298] Re: PasswordAuthenticaion in sshd_config.d
FYI: might be related (or even dup) of bug 2002994 -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to openssh in Ubuntu. https://bugs.launchpad.net/bugs/2012298 Title: PasswordAuthenticaion in sshd_config.d Status in openssh package in Ubuntu: Fix Released Status in openssh source package in Focal: Confirmed Bug description: The stanza Match User PasswordAuthentication no in /etc/ssh/sshd_config works as expected. The same stanza in /etc/ssh/sshd_config.d/username.conf does not work. The Include in /etc/ssh/sshd_config is not commented out, and /usr/sbin/sshd -D -ddd shows the username.config file being parsed. ProblemType: Bug DistroRelease: Ubuntu 20.04 Package: openssh-server 1:8.2p1-4ubuntu0.5 ProcVersionSignature: Ubuntu 5.4.0-131.147-generic 5.4.210 Uname: Linux 5.4.0-131-generic x86_64 NonfreeKernelModules: falcon_lsm_serviceable falcon_nf_netcontain falcon_kal falcon_lsm_pinned_14713 ApportVersion: 2.20.11-0ubuntu27.25 Architecture: amd64 CasperMD5CheckResult: skip Date: Mon Mar 20 13:34:14 2023 InstallationDate: Installed on 2022-11-04 (136 days ago) InstallationMedia: SSHDConfig: Error: command ['pkexec', '/usr/sbin/sshd', '-T'] failed with exit code 127: pkexec must be setuid root SourcePackage: openssh UpgradeStatus: No upgrade log present (probably fresh install) To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/2012298/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 2000739] Re: Window actions (like maximize) no more work in wayland for QEMU using GTK backend once the guest UI is intialized.
** Also affects: gtk+3.0 (Ubuntu) Importance: Undecided Status: New -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to gtk+3.0 in Ubuntu. https://bugs.launchpad.net/bugs/2000739 Title: Window actions (like maximize) no more work in wayland for QEMU using GTK backend once the guest UI is intialized. Status in gtk+3.0 package in Ubuntu: New Status in qemu package in Ubuntu: Confirmed Bug description: Window actions (like maximize) no more work in wayland for QEMU using GTK backend once the guest UI is initialized. This can be seen by running an installed or even a trial Ubuntu from an ISO like: $ qemu-system-x86_64 \ -boot d \ -cdrom ubuntu-22.04.1-desktop-amd64.iso \ -m 4096M \ -machine type=q35,accel=kvm \ -cpu host \ -smp 2 \ -device qxl-vga The GTK UI of qemu has a feature called "fullscreen" which disables the screen decorations and sets the window to maximize. The decorations go away, but maximize doesn't work. The following details were found so far: - running with GDK_BACKEND=x11 works - using sdl instead of gtk backend works - using the old qemu of Focal, or the newest from upstream git in jammy all fails (no qemu change AFAICS) - host UI widgets (the square at the window top) do not work either - hotkeys (super-up) do not work either It seems that once the guest has enabled the desktop something changes and the maximize/minimize/... actions are no more processed. Not sure where to debug next in regard to the gnome/wayland UI handling of this - any idea? P.S. We can reproduce this in git builds of qemu, so we can debug or modify the code as needed.
The code for this is mostly in [1] [1]: https://gitlab.com/qemu-project/qemu/-/blob/master/ui/gtk.c --- original report --- Running QEMU version 4.2.1 on Ubuntu 20.04 via qemu-system-x86_64 \ -boot d \ -cdrom ubuntu-22.04.1-desktop-amd64.iso \ -m 4096M \ -machine type=q35,accel=kvm \ -cpu host \ -smp 2 \ -device qxl-vga and pressing ctrl+alt+f after booting the Ubuntu 22.04 live ISO and adjusting the display resolution to match the native resolution, works as expected, i.e., the VM screen is correctly displayed in fullscreen. However, after running the same command for QEMU version 6.2.0 on Ubuntu 22.04 and pressing ctrl+alt+f after making the resolution adjustment, yields a fullscreen view where the space occupied by the GNOME top bar (top panel with date in center) of the host is not used. The top bar itself is not visible but instead the purple background is shown where the top bar resides. The problem also occurs when replacing '-device qxl-vga' by '-device VGA,vgamem_mb=64'. The problem however does not occur when using '-device virtio-vga'. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/gtk+3.0/+bug/2000739/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1967593] Re: kernel modules going missing after reboot
** Changed in: cloud-initramfs-tools (Ubuntu) Assignee: (unassigned) => Dave Jones (waveform) -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to ubuntu-meta in Ubuntu. https://bugs.launchpad.net/bugs/1967593 Title: kernel modules going missing after reboot Status in cloud-initramfs-tools package in Ubuntu: Confirmed Status in linux-kvm package in Ubuntu: New Status in linux-lowlatency package in Ubuntu: New Status in ubuntu-meta package in Ubuntu: New Bug description: EDIT: There are no accurate results in the package search, but it is for the kernel shown below Linux 5.15.0-23-generic x86_64. Also for the low latency kernel and other versions 5.4, 5.13, 5.14, 5.17. So it is not kernel specific. It must be a problem with configuration, but reinstalling doesn't fix it. EDIT2: it turns out this is caused by the cloud-initramfs-copymods package mounting over modules locations. Removed it and reinstalled kernel modules package (extras didn't seem necessary, but probably prudent too). This affects several different kernels I've tried in 22.04. This post basically sums it up: https://unix.stackexchange.com/questions/405146/removed-lib-modules-folder-after-every-reboot detailed answer: https://unix.stackexchange.com/a/499580/346155 And this one from upgrading from 20.04 to 22.04: https://askubuntu.com/questions/1400470/kernel-module-not-getting-installed-after-upgrade Basically, for some reason the kernel modules are being mounted over after reboot. My image was built on top of a cloud-init image, but removing the recommended package "cloud-initramfs-copymods" that mounts over modules didn't work for me. Adding the snd_hda_intel module to the boot config /etc/initramfs-tools/modules did fix my issue for this module. But how many others will not be available?
[Touch-packages] [Bug 1981697] Re: KDC: weak crypto in default settings
** Changed in: krb5 (Ubuntu Jammy) Assignee: (unassigned) => Andreas Hasenack (ahasenack) -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to krb5 in Ubuntu. https://bugs.launchpad.net/bugs/1981697 Title: KDC: weak crypto in default settings Status in krb5 package in Ubuntu: Fix Released Status in krb5 source package in Jammy: Triaged Status in krb5 source package in Kinetic: Fix Released Status in krb5 package in Debian: Fix Released Bug description: Default setting in /etc/krb5kdc/kdc.conf, as installed from krb5-kdc in Ubuntu 22.04 Server: master_key_type = des3-hmac-sha1 3DES was deprecated by NIST in 2017, i.e. five years ago! Reference: https://csrc.nist.gov/News/2017/Update-to-Current-Use-and-Deprecation-of-TDEA . This should not be a default since a very long time, and particularly not for new installations. If a compatibility with out-of-date installations is necessary, this should be explicitly made by the administrator. SHA-1 was deprecated as well, in 2011, i.e. eleven years ago! Reference: https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-131a.pdf .
A reasonable default would probably be: master_key_type = aes256-cts-hmac-sha384-192 ProblemType: Bug DistroRelease: Ubuntu 22.04 Package: krb5-kdc 1.19.2-2 ProcVersionSignature: Ubuntu 5.15.0-40.43-generic 5.15.35 Uname: Linux 5.15.0-40-generic x86_64 ApportVersion: 2.20.11-0ubuntu82.1 Architecture: amd64 CasperMD5CheckResult: pass Date: Thu Jul 14 12:34:22 2022 InstallationDate: Installed on 2022-05-30 (45 days ago) InstallationMedia: Ubuntu-Server 22.04 LTS "Jammy Jellyfish" - Release amd64 (20220421) ProcEnviron: TERM=xterm-256color PATH=(custom, no user) XDG_RUNTIME_DIR= LANG=en_IE.UTF-8 SHELL=/bin/bash SourcePackage: krb5 UpgradeStatus: No upgrade log present (probably fresh install) To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/krb5/+bug/1981697/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
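An audit for the setting this report objects to, added here as an example (not code from the krb5 package or from the reporter): it reads a kdc.conf, skips commented-out lines, and reports every master_key_type or supported_enctypes entry that uses 3DES or a SHA-1 based checksum. The sample file is constructed, and the enctype sets are an assumption built from MIT krb5's enctype names.

```python
from typing import List, NamedTuple, Optional

# Assumption: MIT krb5 enctype spellings, grouped by the two objections
# raised in the report (3DES as the cipher, SHA-1 in the checksum).
TRIPLE_DES = {"des3", "des3-cbc-raw", "des3-cbc-sha1",
              "des3-hmac-sha1", "des3-cbc-sha1-kd"}
SHA1_INTEGRITY = {"aes256-cts-hmac-sha1-96", "aes256-cts", "aes256-sha1",
                  "aes128-cts-hmac-sha1-96", "aes128-cts", "aes128-sha1"}

AUDITED_KEYS = ("master_key_type", "supported_enctypes")

# Constructed sample: first realm carries the default quoted in the report,
# second realm mixes a SHA-2 enctype with a SHA-1 one.
SAMPLE_KDC_CONF = """\
[kdcdefaults]
    kdc_ports = 750,88

[realms]
    EXAMPLE.COM = {
        database_name = /var/lib/krb5kdc/principal
        master_key_type = des3-hmac-sha1
        #supported_enctypes = des3-hmac-sha1:normal
        default_principal_flags = +preauth
    }
    LAB.EXAMPLE.COM = {
        master_key_type = aes256-cts-hmac-sha384-192
        supported_enctypes = aes256-cts-hmac-sha384-192:normal aes128-cts-hmac-sha1-96:normal
    }
"""


class Finding(NamedTuple):
    line: int      # 1-based line number in the file
    scope: str     # realm name, or section name outside a realm block
    key: str       # which setting carried the enctype
    enctype: str   # enctype name with any ":salt" suffix removed
    reason: str    # "3DES" or "SHA-1"


def classify(enctype: str) -> Optional[str]:
    """Return why an enctype is flagged, or None if it is not."""
    if enctype in TRIPLE_DES:
        return "3DES"
    if enctype in SHA1_INTEGRITY:
        return "SHA-1"
    return None


def audit_kdc_conf(text: str) -> List[Finding]:
    """Walk a kdc.conf and report flagged enctypes in the audited keys."""
    findings: List[Finding] = []
    section: Optional[str] = None
    realm: Optional[str] = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;":        # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section, realm = line[1:-1], None  # new top-level section
            continue
        if line == "}":                        # end of a realm block
            realm = None
            continue
        key, sep, value = (part.strip() for part in line.partition("="))
        if not sep:
            continue
        if value == "{":                       # "REALM = {" opens a block
            realm = key
            continue
        if key not in AUDITED_KEYS:
            continue
        # supported_enctypes is a list of "enctype:salt" pairs.
        for token in value.replace(",", " ").split():
            enctype = token.split(":", 1)[0].lower()
            reason = classify(enctype)
            if reason:
                findings.append(Finding(lineno, realm or section or "",
                                        key, enctype, reason))
    return findings


if __name__ == "__main__":
    for f in audit_kdc_conf(SAMPLE_KDC_CONF):
        print(f"line {f.line} [{f.scope}] {f.key}: {f.enctype} ({f.reason})")
```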
[Touch-packages] [Bug 1993387] Re: Merge bridge-utils from Debian unstable for lunar
This was done by Graham Inggs in https://launchpad.net/ubuntu/+source/bridge-utils/1.7.1-1ubuntu1 and no other merge was needed. bridge-utils | 1.7.1-1ubuntu1 | lunar | source, amd64, arm64, armhf, ppc64el, riscv64, s390x => Done (and thanks Graham) ** Changed in: bridge-utils (Ubuntu) Status: New => Fix Released -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to bridge-utils in Ubuntu. https://bugs.launchpad.net/bugs/1993387 Title: Merge bridge-utils from Debian unstable for lunar Status in bridge-utils package in Ubuntu: Fix Released Bug description: Scheduled-For: ubuntu-22.12 Upstream: 1.7.1 Debian: 1.7-2 Ubuntu: 1.7-1ubuntu3 ### New Debian Changes ### bridge-utils (1.7-2) unstable; urgency=medium * Add BRIDGE_DISABLE_LINKLOCAL_IPV6_ALSO_PHYS to /etc/default/bridge-utils to stop disabling IPv6 on physical interfaces of vlan ports if set to no. Closes: #989162. * Update interfaces man page, IPv6 works with STP on after DAD was fixed. Closes: #980507. * Treat vlan ports the same as ifupdown, avoid octal vlans. Closes: #995627. * Update NEWS file to fix us blaming the kernel for the MAC address selection that is really overridden by systemd. -- Santiago García Mantiñán Mon, 03 Oct 2022 23:11:46 +0200 ### Old Ubuntu Delta ### bridge-utils (1.7-1ubuntu3) jammy; urgency=medium * No-change rebuild for ppc64el baseline bump. -- Łukasz 'sil2100' Zemczak Wed, 23 Mar 2022 10:44:35 +0100 bridge-utils (1.7-1ubuntu2) impish; urgency=medium * No-change rebuild to build packages with zstd compression. -- Matthias Klose Thu, 07 Oct 2021 12:09:41 +0200 bridge-utils (1.7-1ubuntu1) impish; urgency=low * Merge from Debian unstable. Remaining changes: - Don't call ifup from bridge-network-interface, instead just call brctl and let udev/upstart bring the interface up. 
- debian/ifupdown.sh: Handle bridge params which use port and value - debian/bridge-utils-interface.5: + Update max, default value for path cost + Update unsettable gcint value for newer kernels -- Steve Langasek Wed, 17 Mar 2021 12:32:22 -0700 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/bridge-utils/+bug/1993387/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 2008465] Re: apt repository broken when having only jammy and jammy-security apt-repos enabled
Hey, it turns out this worked for most people but if you go into enough detail they start to disagree. This was discussed [1], got "no it is not supported" [2] and people saying "yes we do" [3] and some people stating what I'd have expected [4] to be related to only-auto-update. But no matter which is entirely true, this needs to be sorted out and documented better. As well as then been made part of some testing and more considerations. I'll try to organize a meeting at the next sprint with the right people. Until then this isn't really an openldap question, it is more a release- team tasks on documentation. Depending where the discussion ends it might be something entirely else eventually, but for now that at least represents the state better. [1]: https://irclogs.ubuntu.com/2023/03/01/%23ubuntu-release.html#t18:33 [2]: https://irclogs.ubuntu.com/2023/03/01/%23ubuntu-release.html#t18:38 [3]: https://irclogs.ubuntu.com/2023/03/01/%23ubuntu-release.html#t18:49 [4]: https://irclogs.ubuntu.com/2023/03/01/%23ubuntu-release.html#t19:05 ** Also affects: ubuntu-docs Importance: Undecided Status: New ** Tags removed: server-triage-discuss ** Changed in: ubuntu-docs Assignee: (unassigned) => Ubuntu Release Team (ubuntu-release) -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to openldap in Ubuntu. https://bugs.launchpad.net/bugs/2008465 Title: apt repository broken when having only jammy and jammy-security apt- repos enabled Status in Ubuntu: New Bug description: Having installed Ubuntu 22 server from server-live-cd https://releases.ubuntu.com/22.04/ubuntu-22.04.1-live-server-amd64.iso (md5sum e8d2a77c51b599c10651608a5d8c286f) without network connection to internet (so no connection to ubuntu apt repositories). 
After offline installation completed, we remove the "jammy-updates" from the /etc/apt/sources.list so it looks like so: # cat /etc/apt/sources.list deb http://de.archive.ubuntu.com/ubuntu jammy main restricted universe multiverse deb http://de.archive.ubuntu.com/ubuntu jammy-security main restricted universe multiverse Now we give the host network access and do "apt update" to refresh the apt repository. We assume that the installed package libldap-2.5-0 version 2.5.12+dfsg-0ubuntu0.22.04.1 was installed from the ubuntu installer cd which is a version from jammy-updates. Now we are unable to install package "ldap-utils" because that depends on package libldap-2.5-0 version 2.5.11+dfsg-1~exp1ubuntu3.1 (which is older than the offline installed version 2.5.12+dfsg-0ubuntu0.22.04.1) # lsb_release -a No LSB modules are available. Distributor ID: Ubuntu Description:Ubuntu 22.04.1 LTS Release:22.04 Codename: jammy # apt-cache policy libldap-2.5-0 libldap-2.5-0: Installed: 2.5.12+dfsg-0ubuntu0.22.04.1 Candidate: 2.5.12+dfsg-0ubuntu0.22.04.1 Version table: *** 2.5.12+dfsg-0ubuntu0.22.04.1 100 100 /var/lib/dpkg/status 2.5.11+dfsg-1~exp1ubuntu3.1 500 500 http://de.archive.ubuntu.com/ubuntu jammy-security/main amd64 Packages 2.5.11+dfsg-1~exp1ubuntu3 500 500 http://de.archive.ubuntu.com/ubuntu jammy/main amd64 Packages # apt install --simulate ldap-utils Reading package lists... Done Building dependency tree... Done Reading state information... Done Some packages could not be installed. This may mean that you have requested an impossible situation or if you are using the unstable distribution that some required packages have not yet been created or been moved out of Incoming. The following information may help to resolve the situation: The following packages have unmet dependencies: ldap-utils : Depends: libldap-2.5-0 (= 2.5.11+dfsg-1~exp1ubuntu3.1) but 2.5.12+dfsg-0ubuntu0.22.04.1 is to be installed E: Unable to correct problems, you have held broken packages. 
-- The problem is solved when adding line deb http://de.archive.ubuntu.com/ubuntu jammy-updates main restricted universe multiverse to /etc/apt/sources.list But we want _only_ security updates, to keep the updates minimal. Other workaround is "apt remove libldap-2.5-0", then when installing ldap-utils that fetches the older libldap-2.5-0 version 2.5.11+dfsg-1~exp1ubuntu3.1 and repo is consistent. Questions: - Can you confirm that the package version from the server-live-cd see above is the version from the jammy-updates repository? - Do you agree that when the above question is answered yes, having jammy-updates apt-repository is mandatory? - if jammy-updates repo should be mandatory should this be documented? To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+bug/2008465/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch
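A check for the state shown in the report above, added here as an example (not part of the bug report or of apt): it parses `apt-cache policy` output and lists packages whose installed version is offered by no configured repository, only by /var/lib/dpkg/status. The sample output is constructed in apt's usual layout from the libldap-2.5-0 versions quoted in the report; `examplepkg` is a hypothetical healthy package.

```python
from typing import Dict, List

DPKG_STATUS = "/var/lib/dpkg/status"

# Constructed sample input (see lead-in).
SAMPLE_POLICY = """\
libldap-2.5-0:
  Installed: 2.5.12+dfsg-0ubuntu0.22.04.1
  Candidate: 2.5.12+dfsg-0ubuntu0.22.04.1
  Version table:
 *** 2.5.12+dfsg-0ubuntu0.22.04.1 100
        100 /var/lib/dpkg/status
     2.5.11+dfsg-1~exp1ubuntu3.1 500
        500 http://de.archive.ubuntu.com/ubuntu jammy-security/main amd64 Packages
     2.5.11+dfsg-1~exp1ubuntu3 500
        500 http://de.archive.ubuntu.com/ubuntu jammy/main amd64 Packages
examplepkg:
  Installed: 1.0-1
  Candidate: 1.0-1
  Version table:
 *** 1.0-1 500
        500 http://de.archive.ubuntu.com/ubuntu jammy/main amd64 Packages
        100 /var/lib/dpkg/status
"""


def _is_int(token: str) -> bool:
    return token.lstrip("-").isdigit()


def parse_policy(text: str) -> Dict[str, dict]:
    """Parse `apt-cache policy` output.

    Returns {package: {"installed": str | None,
                       "versions": {version: [source, ...]}}}.
    """
    packages: Dict[str, dict] = {}
    pkg = None
    version = None
    for line in text.splitlines():
        if not line.strip():
            continue
        # Package headers are the only unindented lines and end with ":".
        if not line[0].isspace() and line.rstrip().endswith(":"):
            pkg = {"installed": None, "versions": {}}
            packages[line.rstrip()[:-1]] = pkg
            version = None
            continue
        if pkg is None:
            continue
        tokens = line.replace("***", " ").split()
        if tokens[0] == "Installed:":
            pkg["installed"] = tokens[1] if len(tokens) > 1 else None
        elif tokens[0] in ("Candidate:", "Version"):
            continue
        elif len(tokens) == 2 and _is_int(tokens[1]) and not _is_int(tokens[0]):
            # "<version> <priority>" opens a version table entry.
            version = tokens[0]
            pkg["versions"][version] = []
        elif _is_int(tokens[0]) and version is not None:
            # "<priority> <source...>" belongs to the current version.
            pkg["versions"][version].append(" ".join(tokens[1:]))
    return packages


def local_only_packages(policy: Dict[str, dict]) -> Dict[str, List[str]]:
    """Map each package whose installed version has no repository source
    to the versions the configured repositories do offer."""
    result: Dict[str, List[str]] = {}
    for name, pkg in policy.items():
        installed = pkg["installed"]
        if installed in (None, "(none)"):
            continue
        sources = pkg["versions"].get(installed, [])
        if all(src == DPKG_STATUS for src in sources):
            result[name] = [
                ver for ver, srcs in pkg["versions"].items()
                if any(src != DPKG_STATUS for src in srcs)
            ]
    return result


if __name__ == "__main__":
    for name, offered in local_only_packages(parse_policy(SAMPLE_POLICY)).items():
        print(f"{name}: installed version not in any repo; repos offer {offered}")
```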
[Touch-packages] [Bug 2007837] Re: Regression in stderr handling in 3.2.3 breaks BackupPc on 22.04; fix available in 3.2.4
** Changed in: rsync (Ubuntu Jammy) Assignee: (unassigned) => Sergio Durigan Junior (sergiodj) -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to rsync in Ubuntu. https://bugs.launchpad.net/bugs/2007837 Title: Regression in stderr handling in 3.2.3 breaks BackupPc on 22.04; fix available in 3.2.4 Status in rsync package in Ubuntu: Fix Released Status in rsync source package in Jammy: Triaged Status in rsync package in Debian: Unknown Bug description: rsync 3.2.3 (packaged in Ubuntu 22.04) changes stderr handling, leading another bug in libfile-rsyncp-perl (in Ubuntu 18.04 and 20.04) to surface [1]. It practically makes using BackupPC 3 impossible with clients using rsync 3.2.3, as is packaged for 22.04. The fact that BackupPC on 20.04 can't be used to back up machines with 22.04 is rather surprising and has bitten other users [2]. It's unclear whether the bug will be fixed in 18.04's and 20.04's libfile-rsyncp-perl package (for status, see [3]). Because of this, the rsync maintainer has included a patch in 3.2.4 that fixes this regression [4] (even though not strictly an rsync bug). As a result, rsync 3.2.3 is the only affected version, which happens to be the one packaged in 22.04. This report is to request backporting that fix [4] to Ubuntu 22.04, so that things don't silently break in scenarios where the backup server is left at 20.04, and some backup clients happen to upgrade to 22.04. I'm not sure what the criteria for security releases are, but as the issue causes backup denial of service and has easy mitigation, I think it would make sense to put it through the security channel. 
[1]: https://github.com/WayneD/rsync/issues/95#issuecomment-699185358 [2]: https://www.mail-archive.com/backuppc-users@lists.sourceforge.net/msg32673.html [3]: https://bugs.launchpad.net/ubuntu/+source/libfile-rsyncp-perl/+bug/2007833 [4]: https://github.com/WayneD/rsync/commit/4adfdaaf12db26c348b4d6150119b377f9b622c8 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/rsync/+bug/2007837/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1647285] Re: SSL trust not system-wide
** Tags removed: server-triage-discuss -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to ca-certificates in Ubuntu. https://bugs.launchpad.net/bugs/1647285 Title: SSL trust not system-wide Status in ca-certificates package in Ubuntu: Confirmed Status in firefox package in Ubuntu: Confirmed Status in nss package in Ubuntu: Confirmed Status in p11-kit package in Ubuntu: Fix Released Status in sssd package in Ubuntu: Confirmed Status in thunderbird package in Ubuntu: Confirmed Bug description: When I install a corporate CA trust root with update-ca-certificates, it doesn't seem to work everywhere. Various things like Firefox, Evolution, Chrome, etc. all fail to trust the newly-installed trusted CA. This ought to work, and does on other distributions. In p11-kit there is a module p11-kit-trust.so which can be used as a drop-in replacement for NSS's own libnssckbi.so trust root module, but which reads from the system's configured trust setup instead of the hard- coded version. This allows us to install the corporate CAs just once, and then file a bug against any package that *doesn't* then trust them. See https://fedoraproject.org/wiki/Features/SharedSystemCertificates for some of the historical details from when this feature was first implemented, but this is all now supported upstream and not at all distribution-specific. There shouldn't be any significant work required; it's mostly just a case of configuring and building it to make use of this functionality. (With 'alternatives' to let you substitute p11-kit-trust.so for the original NSS libnssckbi.so, etc.) To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/ca-certificates/+bug/1647285/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 2004551] Re: upgrade to lunar fails due to rescue-ssh.target or port 22 takeover
Thank you Steve, documenting what kind of debug data you'd expect helps me or anyone else who might run into this next time. Once I'm done with my current tasks on this system I'll try to redeploy and re-upgrade to check if it happens again. -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to openssh in Ubuntu. https://bugs.launchpad.net/bugs/2004551 Title: upgrade to lunar fails due to rescue-ssh.target or port 22 takeover Status in openssh package in Ubuntu: Incomplete Bug description: Hi, I just upgraded a system from Jammy to Lunar and openssh-server refuses to upgrade well. Setting up openssh-server (1:9.0p1-1ubuntu8) ... Replacing config file /etc/ssh/sshd_config with new version Replacing config file /etc/ssh/sshd_config with new version Synchronizing state of ssh.service with SysV service script with /lib/systemd/systemd-sysv-install. Executing: /lib/systemd/systemd-sysv-install disable ssh rescue-ssh.target is a disabled or a static unit not running, not starting it. Could not execute systemctl: at /usr/bin/deb-systemd-invoke line 145. dpkg: error processing package openssh-server (--configure): installed openssh-server package post-installation script subprocess returned error exit status 1 Processing triggers for man-db (2.11.2-1) ... Processing triggers for libc-bin (2.36-0ubuntu4) ... Errors were encountered while processing: openssh-server Error: Timeout was reached needrestart is being skipped since dpkg has failed E: Sub-process /usr/bin/dpkg returned an error code (1) I'm not sure what exactly it is. This output complains about rescue-ssh.target and indeed that can not be started even directly. $ sudo systemctl start rescue-ssh.target A dependency job for rescue-ssh.target failed. See 'journalctl -xe' for details. 
And in postinst is a try to start it: $ grep rescue /var/lib/dpkg/info/openssh-server.postinst deb-systemd-invoke $_dh_action 'rescue-ssh.target' >/dev/null || true But I think the underlying issue is that ssh is already on, and I'm logged in via it. And that makes the service restart of the ssh socket which was added break. Feb 02 10:40:56 node-horsea systemd[104560]: ssh.socket: Failed to create listening socket ([::]:22): Address already in use Feb 02 10:40:56 node-horsea systemd[1]: ssh.socket: Failed to receive listening socket ([::]:22): Input/output error Feb 02 10:40:56 node-horsea systemd[1]: ssh.socket: Failed to listen on sockets: Input/output error Feb 02 10:40:56 node-horsea systemd[1]: ssh.socket: Failed with result 'resources'. Now, whichever it is, it is hard to resolve. The only way to get the socket to own it would be rebooting so that sshd lets go and systemd can take over. I could reboot, but that is not the point. What if I'd want to get the service and upgrade completed before reboot. Because as of now dpkg considers the system unhappy, and that would usually be a sign for "better not reboot before being resolved" to me. One thing though, I have not upgraded with do-release-upgrade - would we / do we have magic there to make the ssh socket activation transition smoother? To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/2004551/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 2004551] Re: upgrade to lunar fails due to rescue-ssh.target or port 22 takeover
As expected, on reboot all is fine for the service status ubuntu@node-horsea:~$ systemctl status ssh.service ● ssh.service - OpenBSD Secure Shell server Loaded: loaded (/lib/systemd/system/ssh.service; disabled; preset: enabled) Drop-In: /etc/systemd/system/ssh.service.d └─00-socket.conf Active: active (running) since Thu 2023-02-02 10:54:40 UTC; 12min ago TriggeredBy: ● ssh.socket Docs: man:sshd(8) man:sshd_config(5) Process: 2689 ExecStartPre=/usr/sbin/sshd -t (code=exited, status=0/SUCCESS) Main PID: 2690 (sshd) Tasks: 1 (limit: 38220) Memory: 5.3M CPU: 894ms CGroup: /system.slice/ssh.service └─2690 "sshd: /usr/sbin/sshd -D [listener] 0 of 10-100 startups" Feb 02 11:06:27 node-horsea sshd[14629]: Accepted publickey for ubuntu from 10.172.196.173 port 47348 ssh2: RSA SHA256:KyONnhWWzlbscZNTHPZ25GWCXDQY5u/UD72EtQcwtqU Feb 02 11:06:27 node-horsea sshd[14629]: pam_unix(sshd:session): session opened for user ubuntu(uid=1000) by (uid=0) Feb 02 11:06:27 node-horsea sshd[14629]: pam_env(sshd:session): deprecated reading of user environment enabled Feb 02 11:06:58 node-horsea sshd[14735]: Accepted publickey for ubuntu from 10.172.196.173 port 55016 ssh2: RSA SHA256:KyONnhWWzlbscZNTHPZ25GWCXDQY5u/UD72EtQcwtqU Feb 02 11:06:58 node-horsea sshd[14735]: pam_unix(sshd:session): session opened for user ubuntu(uid=1000) by (uid=0) Feb 02 11:06:59 node-horsea sshd[14735]: pam_env(sshd:session): deprecated reading of user environment enabled Feb 02 11:07:03 node-horsea sshd[14796]: Accepted publickey for ubuntu from 10.172.196.173 port 57034 ssh2: RSA SHA256:KyONnhWWzlbscZNTHPZ25GWCXDQY5u/UD72EtQcwtqU Feb 02 11:07:03 node-horsea sshd[14796]: pam_unix(sshd:session): session opened for user ubuntu(uid=1000) by (uid=0) Feb 02 11:07:03 node-horsea sshd[14796]: pam_env(sshd:session): deprecated reading of user environment enabled Feb 02 11:07:03 node-horsea sshd[14796]: pam_unix(sshd:session): session closed for user ubuntu ubuntu@node-horsea:~$ systemctl status ssh.socket ● ssh.socket 
- OpenBSD Secure Shell server socket Loaded: loaded (/lib/systemd/system/ssh.socket; enabled; preset: enabled) Active: active (running) since Thu 2023-02-02 10:54:21 UTC; 12min ago Until: Thu 2023-02-02 10:54:21 UTC; 12min ago Triggers: ● ssh.service Listen: [::]:22 (Stream) Tasks: 0 (limit: 38220) Memory: 8.0K CPU: 894us CGroup: /system.slice/ssh.socket Feb 02 10:54:21 node-horsea systemd[1]: Listening on OpenBSD Secure Shell server socket. And out of this condition it can even complete the package configuration. ubuntu@node-horsea:~$ sudo dpkg-reconfigure openssh-server /usr/sbin/dpkg-reconfigure: openssh-server is broken or not fully installed ubuntu@node-horsea:~$ sudo apt-get install --fix-broken Reading package lists... Done Building dependency tree... Done Reading state information... Done 0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded. 1 not fully installed or removed. After this operation, 0 B of additional disk space will be used. Setting up openssh-server (1:9.0p1-1ubuntu8) ... Replacing config file /etc/ssh/sshd_config with new version Replacing config file /etc/ssh/sshd_config with new version Synchronizing state of ssh.service with SysV service script with /lib/systemd/systemd-sysv-install. Executing: /lib/systemd/systemd-sysv-install disable ssh Warning: Stopping ssh.service, but it can still be activated by: ssh.socket rescue-ssh.target is a disabled or a static unit not running, not starting it. ubuntu@node-horsea:~$ echo $? 0 -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to openssh in Ubuntu. https://bugs.launchpad.net/bugs/2004551 Title: upgrade to lunar fails due to rescue-ssh.target or port 22 takeover Status in openssh package in Ubuntu: New
[Touch-packages] [Bug 2004551] [NEW] upgrade to lunar fails due to rescue-ssh.target or port 22 takeover
Public bug reported: Hi, I just upgraded a system from Jammy to Lunar and openssh-server refuses to upgrade well. Setting up openssh-server (1:9.0p1-1ubuntu8) ... Replacing config file /etc/ssh/sshd_config with new version Replacing config file /etc/ssh/sshd_config with new version Synchronizing state of ssh.service with SysV service script with /lib/systemd/systemd-sysv-install. Executing: /lib/systemd/systemd-sysv-install disable ssh rescue-ssh.target is a disabled or a static unit not running, not starting it. Could not execute systemctl: at /usr/bin/deb-systemd-invoke line 145. dpkg: error processing package openssh-server (--configure): installed openssh-server package post-installation script subprocess returned error exit status 1 Processing triggers for man-db (2.11.2-1) ... Processing triggers for libc-bin (2.36-0ubuntu4) ... Errors were encountered while processing: openssh-server Error: Timeout was reached needrestart is being skipped since dpkg has failed E: Sub-process /usr/bin/dpkg returned an error code (1) I'm not sure what exactly it is. This output complains about rescue-ssh.target and indeed that can not be started even directly. $ sudo systemctl start rescue-ssh.target A dependency job for rescue-ssh.target failed. See 'journalctl -xe' for details. And in postinst is a try to start it: $ grep rescue /var/lib/dpkg/info/openssh-server.postinst deb-systemd-invoke $_dh_action 'rescue-ssh.target' >/dev/null || true But I think the underlying issue is that ssh is already on, and I'm logged in via it. And that makes the service restart of the ssh socket which was added break. 
Feb 02 10:40:56 node-horsea systemd[104560]: ssh.socket: Failed to create listening socket ([::]:22): Address already in use Feb 02 10:40:56 node-horsea systemd[1]: ssh.socket: Failed to receive listening socket ([::]:22): Input/output error Feb 02 10:40:56 node-horsea systemd[1]: ssh.socket: Failed to listen on sockets: Input/output error Feb 02 10:40:56 node-horsea systemd[1]: ssh.socket: Failed with result 'resources'. Now, whichever it is, it is hard to resolve. The only way to get the socket to own it would be rebooting so that sshd lets go and systemd can take over. I could reboot, but that is not the point. What if I'd want to get the service and upgrade completed before reboot. Because as of now dpkg considers the system unhappy, and that would usually be a sign for "better not reboot before being resolved" to me. One thing though, I have not upgraded with do-release-upgrade - would we / do we have magic there to make the ssh socket activation transition smoother? ** Affects: openssh (Ubuntu) Importance: Undecided Status: New -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to openssh in Ubuntu. https://bugs.launchpad.net/bugs/2004551 Title: upgrade to lunar fails due to rescue-ssh.target or port 22 takeover Status in openssh package in Ubuntu: New
[Touch-packages] [Bug 2002994] Re: sshd_config makes some changes awkward
I agree as well, it is great that we have .d function at all, but it could be better.
As reported there is no control yet at what goes early or late and that would be a great enhancement.
Just including it late isn't an easy option either as you might unintentionally to a different section that was at the end of the former config.

A bit of history:
- initially added via
  - https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=845315
  - https://salsa.debian.org/ssh-team/openssh/-/commit/cb37f2bf1
  - https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=862316 (unclosed, but in theory addressed by the above)
- having some troubles to work
  - https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=961007
  - https://bugzilla.mindrot.org/show_bug.cgi?id=3122
- good but not yet as good as other .d config inclusions
  - this bug
  - https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=998834
  - https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=954965

Overall a problem that I see after going through all those is that some settings seem to be "the earliest set wins" so including at the top is good. And others are "overwritten by later statements" which asks for an inclusion at the end of the file. This needs to be analyzed, maybe the behavior changed over time or there are different categories of settings?
To do so I recommend to read through those bugs, some have more examples and how to debug them.

Once that check is done one can propose a solution and it might very well be what Kevin suggested here which is to put the main config into the .d directory as well and include them in numerical order.
That might not solve/address the behavior of different statements, but at least it would give full control to the admin without touching the package owned config file.

Either way this is worth having a look, but needs more time than a usual bug fix. Therefore I've added it to a set of ideas that we pick the most important ones from each Ubuntu release cycle.

If anyone else wants to tackle this before we get to it - great, keep the bug updated in that case.

** Bug watch added: Debian Bug tracker #845315
   https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=845315

** Bug watch added: Debian Bug tracker #862316
   https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=862316

** Bug watch added: Debian Bug tracker #961007
   https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=961007

** Bug watch added: OpenSSH Portable Bugzilla #3122
   https://bugzilla.mindrot.org/show_bug.cgi?id=3122

** Bug watch added: Debian Bug tracker #998834
   https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=998834

** Bug watch added: Debian Bug tracker #954965
   https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=954965

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to openssh in Ubuntu.
https://bugs.launchpad.net/bugs/2002994

Title:
  sshd_config makes some changes awkward

Status in openssh package in Ubuntu:
  Confirmed

Bug description:
  As distributed, the file sshd_config has apparently been modified from an upstream version -- those lines that are NOT comments.

  There is no good way for me to change any of them, even though there is a sshd_config.d directory for my changes. That is because the files in the sshd_config.d directory are invoked early, and the uncommented lines in the sshd_config file override them. I would have to modify the sshd_config file which defeats the purpose of having the directory.

  I suggest to adopt a method that I have seen elsewhere: put all of your changes in a file and put the file in the .d directory. Start the filename with something like '50' so that it can sort before or after any file contributed by the local admin. Keep the sshd_config file as you get it from upstream.

  This is, after all, the reason that the .d directories exist. In this way, admins do not have to modify distributed files, which avoids awkwardness when the package is updated.

  The same applies to ssh_config.

  ProblemType: Bug
  DistroRelease: Ubuntu 20.04
  Package: openssh-server 1:8.2p1-4ubuntu0.5
  ProcVersionSignature: Ubuntu 5.4.0-122.138-generic 5.4.192
  Uname: Linux 5.4.0-122-generic x86_64
  NonfreeKernelModules: wl
  ApportVersion: 2.20.11-0ubuntu27.24
  Architecture: amd64
  CasperMD5CheckResult: skip
  CurrentDesktop: XFCE
  Date: Mon Jan 16 06:29:16 2023
  SourcePackage: openssh
  UpgradeStatus: Upgraded to focal on 2021-02-19 (696 days ago)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/2002994/+subscriptions

--
Mailing list: https://launchpad.net/~touch-packages
Post to     : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 2002994] Re: sshd_config makes some changes awkward
** Tags removed: server-triage-discuss

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to openssh in Ubuntu.
https://bugs.launchpad.net/bugs/2002994

Title:
  sshd_config makes some changes awkward

Status in openssh package in Ubuntu:
  Confirmed
[Touch-packages] [Bug 1964636] Re: Incorrect handling of apparmor `bpf` capability
> # new python script to create vim profiles with
>
> python create-apparmor.vim.py

For the records: create-apparmor.vim.py exists since years, and ...

> # generates a new file called apparmor.vim.in

... it uses apparmor.vim.in as _input_ and generates the apparmor.vim file (syntax highlighting for vim), but (unless the Ubuntu packaging does this) this file does _not_ get installed in a location where vim finds it.

(In openSUSE, I regularly submit it to the vim package manually. No idea if/how this is handled in Ubuntu.)

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1964636

Title:
  Incorrect handling of apparmor `bpf` capability

Status in apparmor package in Ubuntu:
  In Progress
Status in snapd package in Ubuntu:
  Incomplete
Status in apparmor source package in Focal:
  Fix Committed

Bug description:
  [ Impact ]

  The apparmor_parser before the 3.0 release would build its capability list from the installed kernel headers. The apparmor_parser was built against a kernel without support for cap 'bpf'

  This was fixed in 3.0 by having a static caps list (with full mapping info) and the dynamic auto-generated list (against the kernel headers) that is used to check that the static list has not become stale. In addition the parser can pull kernel supported caps straight from the apparmor kernel module (it will however be missing the mapping info).

  Backporting the patches from 3.0 fixes the issue.

  [ Test Plan ]

  Before the fix, the following profile fails loading:

    # echo "profile foo { capability bpf, }" | apparmor_parser -Q
    AppArmor parser error, in stdin line 1: Invalid capability bpf.
    # echo $?
    1

  After the fix, it works as expected:

    # echo "profile foo { capability bpf, }" | apparmor_parser -Q
    # echo $?
    0

  [ Where problems could occur ]

  With these changes, the parser can change its behavior based on a few things.

  1. the kernel it's built against. This would not change behavior when run in a container vs at system level.

  2. If a feature-file is specified, via --features-file, --policy-features, or --kernel-features. This allows overriding the normal policy and kernel examination that the parser does when compiling policy.

  3. If /sys/kernel/security/apparmor/features is not available. The parser will fallback to an old set of features available in a kernel before the kernel module started exporting what the kernel module supports on the running kernel.

  [ Other Info ]

  The patches for focal (apparmor-2.13) can be found at:
  https://launchpad.net/~georgiag/+archive/ubuntu/mqueue-sru/

  As mentioned before, these patches are already running on apparmor-3.0.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1964636/+subscriptions
[Touch-packages] [Bug 2000739] Re: Window actions (like maximize) no more work in wayland for QEMU using GTK backend once the guest UI is intialized.
** Description changed: + Window actions (like maximize) no more work in wayland for QEMU using + GTK backend once the guest UI is intialized. + + This can be seen by running an installed or even a trial Ubuntu from an + ISO like: + + $ qemu-system-x86_64 \ + -boot d \ + -cdrom ubuntu-22.04.1-desktop-amd64.iso \ + -m 4096M \ + -machine type=q35,accel=kvm \ + -cpu host \ + -smp 2 \ + -device qxl-vga + + The GTK UI of qemu has a feature called "fullscreen" which disables the + screen decorations and sets the window to maximize. The decorations go + away, but maximize doesn't work. + + + The following details were found so far: + - running with GDK_BACKEND=x11 works + - using sdl instead of gtk backend works + - using the old qemu of Focal, or the newest from upstream git in jammy all fails (no qemu change AFAICS) + - host UI widgets (the square at the window top) do not work either + - hotkeys (super-up) do not work either + + It seems that once the guest has enabled the desktop something changes + and the maximize/minimize/... actions are no more processed. Not sure + were to debug next in regard to the gnome/wayland UI handling of this - + any idea? + + P.S. We can reproduce this in git builds of qemu, so we can debug of + modify the code as needed. The code for this is mostly in [1] + + [1]: https://gitlab.com/qemu-project/qemu/-/blob/master/ui/gtk.c + + --- original report --- + Running QEMU version 4.2.1 on Ubuntu 20.04 via qemu-system-x86_64 \ - -boot d \ - -cdrom ubuntu-22.04.1-desktop-amd64.iso \ - -m 4096M \ - -machine type=q35,accel=kvm \ - -cpu host \ - -smp 2 \ - -device qxl-vga + -boot d \ + -cdrom ubuntu-22.04.1-desktop-amd64.iso \ + -m 4096M \ + -machine type=q35,accel=kvm \ + -cpu host \ + -smp 2 \ + -device qxl-vga and pressing ctrl+alt+f after booting the Ubuntu 22.04 live ISO and adjusting the display resolution to match the native resolution, works as expected, i.e., the VM screen is correctly displayed in fullscreen. 
However, after running the same command for QEMU version 6.2.0 on Ubuntu 22.04 and pressing ctrl+alt+f after making the resolution adjustment, yields a fullscreen view where the space occupied by the GNOME top bar (top panel with date in center) of the host is not used. The top bar itself is not visible but instead the purple background is shown where the top bar resides. The problem also occurs when replacing '-device qxl-vga' by '-device VGA,vgamem_mb=64'. The problem however does not occur when using '-device virtio-vga'.

** Also affects: wayland (Ubuntu)
     Importance: Undecided
         Status: New

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to wayland in Ubuntu.
https://bugs.launchpad.net/bugs/2000739

Title:
  Window actions (like maximize) no more work in wayland for QEMU using GTK backend once the guest UI is intialized.

Status in qemu package in Ubuntu:
  Confirmed
Status in wayland package in Ubuntu:
  New

Bug description:
  Window actions (like maximize) no more work in wayland for QEMU using GTK backend once the guest UI is initialized.

  This can be seen by running an installed or even a trial Ubuntu from an ISO like:

    $ qemu-system-x86_64 \
        -boot d \
        -cdrom ubuntu-22.04.1-desktop-amd64.iso \
        -m 4096M \
        -machine type=q35,accel=kvm \
        -cpu host \
        -smp 2 \
        -device qxl-vga

  The GTK UI of qemu has a feature called "fullscreen" which disables the screen decorations and sets the window to maximize. The decorations go away, but maximize doesn't work.

  The following details were found so far:
  - running with GDK_BACKEND=x11 works
  - using sdl instead of gtk backend works
  - using the old qemu of Focal, or the newest from upstream git in jammy all fails (no qemu change AFAICS)
  - host UI widgets (the square at the window top) do not work either
  - hotkeys (super-up) do not work either

  It seems that once the guest has enabled the desktop something changes and the maximize/minimize/... actions are no more processed. Not sure where to debug next in regard to the gnome/wayland UI handling of this - any idea?

  P.S. We can reproduce this in git builds of qemu, so we can debug or modify the code as needed. The code for this is mostly in [1]

  [1]: https://gitlab.com/qemu-project/qemu/-/blob/master/ui/gtk.c

  --- original report ---

  Running QEMU version 4.2.1 on Ubuntu 20.04 via

    qemu-system-x86_64 \
        -boot d \
        -cdrom ubuntu-22.04.1-desktop-amd64.iso \
        -m 4096M \
        -machine type=q35,accel=kvm \
        -cpu host \
        -smp 2 \
        -device qxl-vga

  and pressing ctrl+alt+f after booting the Ubuntu 22.04 live ISO and adjusting the display resolution to match the native resolution, works as expected, i.e., the VM screen is correctly displayed in fullscreen.

  However, after running the same command for QEMU version 6.2.0 on Ubun
[Touch-packages] [Bug 2000817] [NEW] Wrong SHA256-value computed on kinetic
Public bug reported:

The OpenLDAP-contrib module sha2 (located in contrib/slapd-modules/passwd/sha2/) computes a wrong SHA256/SSHA256-hash on Ubuntu kinetic.
This breaks our current password-authentication in ldap.

The problematic computation:

  $ slappasswd -s secret -h '{SHA256}' -o module-load=pw-sha2
  {SHA256}WIrrpN3OjEVOUf6yrH1j+o+ODuUuNBo979Od4UXnu54=

The (correct) reference-value on the same system (or older ubuntu Versions):

  $ echo -n "secret" | openssl dgst -sha256 -binary | openssl enc -base64
  K7gNU3sdo+OL0wNhqoVWhr3g6s1xYv72ol/pe/Unols=

We nailed the problem down to a bug in the gcc-optimizer for strict-aliasing. so most probably the gcc-version on kinetic (v12.2.0) is the reason.

The workaround is to compile the sha2-Module with the flag "-fno-strict-aliasing". Then the correct value is computed.

An example taken from a git-compiled version of OpenLDAP 2.5.13:

  $ ./servers/slapd/slappasswd -T passwd -s secret -h '{SHA256}' -o module-load=pw-sha2 -o module-path=contrib/slapd-modules/passwd/sha2/.libs
  {SHA256}K7gNU3sdo+OL0wNhqoVWhr3g6s1xYv72ol/pe/Unols=

Ubuntu:
  Description: Ubuntu 22.10
  Release: 22.10

OpenLDAP-Package:
  2.5.13+dfsg-1ubuntu1

** Affects: openldap (Ubuntu)
     Importance: Undecided
         Status: New

** Patch added: "openldap-contrib-sha2.patch"
   https://bugs.launchpad.net/bugs/2000817/+attachment/5638696/+files/openldap-contrib-sha2.patch

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to openldap in Ubuntu.
https://bugs.launchpad.net/bugs/2000817

Title:
  Wrong SHA256-value computed on kinetic

Status in openldap package in Ubuntu:
  New

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/2000817/+subscriptions
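A known-answer check for the mismatch reported above, as an added example that is not part of the original report or of OpenLDAP: it recomputes the `{SHA256}` value for the password `secret` with Python's hashlib and compares it with the two values quoted in the report, which is the kind of check a package build or deployment test can run before the module is used for authentication. The function names are hypothetical, the `{SSHA256}` handling assumes the usual salted layout base64(SHA-256(password + salt) + salt), and the salted sample is constructed here.

```python
import base64
import binascii
import hashlib
import hmac

DIGEST_LEN = hashlib.sha256().digest_size  # 32 bytes for SHA-256

# Values quoted in the bug report for the password "secret".
REPORTED_BROKEN = "{SHA256}WIrrpN3OjEVOUf6yrH1j+o+ODuUuNBo979Od4UXnu54="
REPORTED_REFERENCE = "{SHA256}K7gNU3sdo+OL0wNhqoVWhr3g6s1xYv72ol/pe/Unols="


def make_hash(password: bytes, salt: bytes = b"") -> str:
    """Build a {SHA256} value, or {SSHA256} when a salt is given (assumed layout)."""
    digest = hashlib.sha256(password + salt).digest()
    scheme = "{SSHA256}" if salt else "{SHA256}"
    return scheme + base64.b64encode(digest + salt).decode("ascii")


def check_hash(stored: str, password: bytes) -> str:
    """Return 'match', 'mismatch' or 'malformed' for one stored hash string."""
    scheme, brace, encoded = stored.partition("}")
    scheme += brace
    if scheme not in ("{SHA256}", "{SSHA256}"):
        return "malformed"
    try:
        raw = base64.b64decode(encoded, validate=True)
    except (binascii.Error, ValueError):
        return "malformed"
    # Unsalted values are exactly one digest; salted ones carry the salt after it.
    if scheme == "{SHA256}" and len(raw) != DIGEST_LEN:
        return "malformed"
    if scheme == "{SSHA256}" and len(raw) <= DIGEST_LEN:
        return "malformed"
    digest, salt = raw[:DIGEST_LEN], raw[DIGEST_LEN:]
    expected = hashlib.sha256(password + salt).digest()
    return "match" if hmac.compare_digest(digest, expected) else "mismatch"


def known_answer_test(candidates: dict, password: bytes = b"secret") -> dict:
    """Map each labelled hash string from a build under test to its verdict."""
    return {label: check_hash(value, password) for label, value in candidates.items()}


if __name__ == "__main__":
    results = known_answer_test({
        "kinetic package (from the report)": REPORTED_BROKEN,
        "openssl reference (from the report)": REPORTED_REFERENCE,
        "salted sample (constructed)": make_hash(b"secret", salt=b"\x01\x02\x03\x04"),
    })
    for label, verdict in results.items():
        print(f"{verdict:9s} {label}")
```

A `mismatch` for a value that the module under test produced from a known password means the build should not be deployed: hashes written by it will not verify on a correct build, and existing correct hashes will not verify on it.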
[Touch-packages] [Bug 1926802] Re: qt5-default package is missed in 21.04
But the package name says `qt5-*`. Are the `qt6-*` packages for Qt 5 ?!?

** Also affects: unity-linux
   Importance: Undecided
       Status: New

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to qtbase-opensource-src in Ubuntu.
https://bugs.launchpad.net/bugs/1926802

Title:
  qt5-default package is missed in 21.04

Status in qtbase-opensource-src package in Ubuntu:
  Invalid
Status in Unity Linux:
  New

Bug description:
  Previous 20.10 version has the qt5-default package in place (see https://packages.ubuntu.com/groovy/qt5-default ).

  Please upload the qt5-default package for 21.04 Ubuntu version.

  What is interesting - all its dependencies can be simply installed with `sudo apt-get install qtbase5-dev qtchooser qt5-qmake qtbase5-dev-tools` .

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/qtbase-opensource-src/+bug/1926802/+subscriptions
[Touch-packages] [Bug 1999018] [NEW] Firefox updated via snap eventhough ppa with higher priority is present
Public bug reported:

As I use KeePassXC-Browser integration I had to switch to plain firefox.
To achieve that I followed the instructions https://www.omgubuntu.co.uk/2022/04/how-to-install-firefox-deb-apt-ubuntu-22-04.

Every now and then my firefox gets replaced with the snap package even though I properly assigned priorities to the PPA repository:

  $ cat /etc/apt/preferences.d/mozilla-firefox
  Package: *
  Pin: release o=LP-PPA-mozillateam
  Pin-Priority: 1001

This is a bit annoying as I have to remove firefox via apt and snap and install it again. Then I get back the PPA packages.

I am unsure if it is an issue with apt or snapd.

ProblemType: Bug
DistroRelease: Ubuntu 22.04
Package: apt 2.4.8
ProcVersionSignature: Ubuntu 5.17.0-1021.22-oem 5.17.15
Uname: Linux 5.17.0-1021-oem x86_64
ApportVersion: 2.20.11-0ubuntu82.2
Architecture: amd64
CasperMD5CheckResult: unknown
CurrentDesktop: XFCE
Date: Wed Dec 7 09:32:41 2022
InstallationDate: Installed on 2021-07-22 (503 days ago)
InstallationMedia: Xubuntu 20.04.2.0 LTS "Focal Fossa" - Release amd64 (20210209.1)
SourcePackage: apt
UpgradeStatus: Upgraded to jammy on 2022-08-26 (102 days ago)

** Affects: apt (Ubuntu)
     Importance: Undecided
         Status: New

** Tags: amd64 apport-bug jammy

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apt in Ubuntu.
https://bugs.launchpad.net/bugs/1999018

Title:
  Firefox updated via snap eventhough ppa with higher priority is present

Status in apt package in Ubuntu:
  New

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apt/+bug/1999018/+subscriptions
[Touch-packages] [Bug 1995260] Re: dnsmasq focal 2.80 NODATA instead of NXDOMAIN bug
FYI proposed migration tests should be happy as soon as the migration-reference run for ubuntu-fan completed (but queues are long)

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to dnsmasq in Ubuntu.
https://bugs.launchpad.net/bugs/1995260

Title:
  dnsmasq focal 2.80 NODATA instead of NXDOMAIN bug

Status in dnsmasq package in Ubuntu:
  Fix Released
Status in dnsmasq source package in Focal:
  Fix Committed

Bug description:
  [SRU]

  [ Impact ]

  Sometimes dnsmasq is incorrectly returning NODATA instead of NXDOMAIN. This can lead to erroneous actions by clients who need to determine whether a domain name exists or not.

  [ Test Plan ]

  In a focal VM, install dnsmasq (apt install dnsmasq) if it wasn't installed yet.

  #0 Disabling systemd-resolved service and enabling resolution through dnsmasq.

    # systemctl disable --now systemd-resolved.service
    # rm -f /etc/resolv.conf
    # cat > /etc/resolv.conf << __EOF__
    nameserver 8.8.8.8
    __EOF__
    # systemctl start dnsmasq.service

  #1 Bad case

    # for i in srv txt a a txt srv; do host -t $i test.foo. 127.0.0.1 | tail -n 1; done
    Host test.foo. not found: 3(NXDOMAIN)
    Host test.foo. not found: 3(NXDOMAIN)
    Host test.foo. not found: 3(NXDOMAIN)
    test.foo has no A record
    Host test.foo. not found: 3(NXDOMAIN)
    test.foo has no A record
    test.foo has no TXT record
    test.foo has no SRV record

  #2 Good case

  #2.1 Installing new package

    # ls -1 *.deb
    dnsmasq-utils_2.80-1.1ubuntu1.6_amd64.deb
    dnsmasq-base_2.80-1.1ubuntu1.6_amd64.deb
    dnsmasq_2.80-1.1ubuntu1.6_all.deb

    # dpkg -i *.deb
    (Reading database ... 32073 files and directories currently installed.)
    Preparing to unpack dnsmasq-base_2.80-1.1ubuntu1.6_amd64.deb ...
    Unpacking dnsmasq-base (2.80-1.1ubuntu1.6) over (2.80-1.1ubuntu1.5) ...
    Selecting previously unselected package dnsmasq-utils.
    Preparing to unpack dnsmasq-utils_2.80-1.1ubuntu1.6_amd64.deb ...
    Unpacking dnsmasq-utils (2.80-1.1ubuntu1.6) ...
    Preparing to unpack dnsmasq_2.80-1.1ubuntu1.6_all.deb ...
    Unpacking dnsmasq (2.80-1.1ubuntu1.6) over (2.80-1.1ubuntu1.5) ...
    Setting up dnsmasq-base (2.80-1.1ubuntu1.6) ...
    Setting up dnsmasq-utils (2.80-1.1ubuntu1.6) ...
    Setting up dnsmasq (2.80-1.1ubuntu1.6) ...
    Processing triggers for dbus (1.12.16-2ubuntu2.3) ...
    Processing triggers for man-db (2.9.1-1) ...
    Processing triggers for systemd (245.4-4ubuntu3.18) ...

    # dpkg -l | grep dnsmasq
    ii  dnsmasq        2.80-1.1ubuntu1.6  all    Small caching DNS proxy and DHCP/TFTP server
    ii  dnsmasq-base   2.80-1.1ubuntu1.6  amd64  Small caching DNS proxy and DHCP/TFTP server
    ii  dnsmasq-utils  2.80-1.1ubuntu1.6  amd64  Utilities for manipulating DHCP leases

  #2.2 Testing OK

    # for i in srv txt a a txt srv; do host -t $i test.foo. 127.0.0.1 | tail -n 1; done
    Host test.foo. not found: 3(NXDOMAIN)
    Host test.foo. not found: 3(NXDOMAIN)
    Host test.foo. not found: 3(NXDOMAIN)
    Host test.foo. not found: 3(NXDOMAIN)
    Host test.foo. not found: 3(NXDOMAIN)
    Host test.foo. not found: 3(NXDOMAIN)
    Host test.foo. not found: 3(NXDOMAIN)
    Host test.foo. not found: 3(NXDOMAIN)

  [ Where problems could occur ]

  It changes the program's behaviour by classifying as NXDOMAIN what used to be NODATA in some situations, so if a user had a workaround for this (in the form of a script or other kind of automatization) it will probably start to malfunction.

  The last rebuilding of the package for Focal was in May, so if any new dependencies or libs have been upgraded on this Ubuntu series this can impact the new rebuild.

  [ Other Info ]

  The patch is applied upstream and originated from a bug filed on Fedora side:
  https://bugzilla.redhat.com/show_bug.cgi?id=1674067

  [Original Report]
  ---

  We upgraded our openstack containers which host dnsmasq services from bionic to focal. With this we got an update of dnsmasq from 2.79 to 2.80 which introduced a bug in our setup where dnsmasq returns NODATA instead of NXDOMAIN. This is already fixed upstream with the following commit [1].

  The Ubuntu dnsmasq 2.80 package should get a backport with a release for the focal packages which includes this bug fix.

  [1] https://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=162e5e0062ce923c494cc64282f293f0ed64fc10

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/dnsmasq/+bug/1995260/+subscriptions
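The test plan above compares `host` output by eye; as an added example that is not part of the SRU or of dnsmasq, the script below classifies those output lines and reports any name that received both NXDOMAIN and NODATA answers from the same resolver. Since NXDOMAIN says the name does not exist for any record type, that mix for one name is the inconsistency the bug describes. The function names are hypothetical, only the two line formats shown in the test plan are recognised, and the sample lines are copied from the "Bad case" and "Testing OK" output.

```python
import re
from collections import defaultdict

# The two `host` output formats that appear in the test plan.
NXDOMAIN_RE = re.compile(r"^Host (?P<name>\S+) not found: 3\(NXDOMAIN\)$")
NODATA_RE = re.compile(r"^(?P<name>\S+) has no (?P<rtype>\S+) record$")

BAD_CASE = """\
Host test.foo. not found: 3(NXDOMAIN)
Host test.foo. not found: 3(NXDOMAIN)
Host test.foo. not found: 3(NXDOMAIN)
test.foo has no A record
Host test.foo. not found: 3(NXDOMAIN)
test.foo has no A record
test.foo has no TXT record
test.foo has no SRV record
""".splitlines()

GOOD_CASE = ["Host test.foo. not found: 3(NXDOMAIN)"] * 8


def normalize(name: str) -> str:
    """host prints the queried name with and without the trailing dot."""
    return name.rstrip(".").lower()


def classify(line: str):
    """Return (name, 'NXDOMAIN' | 'NODATA', record type or None), or None if unrecognised."""
    line = line.strip()
    match = NXDOMAIN_RE.match(line)
    if match:
        return normalize(match["name"]), "NXDOMAIN", None
    match = NODATA_RE.match(line)
    if match:
        return normalize(match["name"]), "NODATA", match["rtype"].upper()
    return None  # answers, errors and other lines are ignored here


def summarize(lines):
    """Count NXDOMAIN and NODATA responses per name."""
    counts = defaultdict(lambda: {"NXDOMAIN": 0, "NODATA": 0})
    for line in lines:
        result = classify(line)
        if result:
            name, kind, _rtype = result
            counts[name][kind] += 1
    return {name: dict(kinds) for name, kinds in counts.items()}


def inconsistent_names(lines):
    """Names answered with both NXDOMAIN and NODATA in the same capture."""
    return sorted(
        name for name, kinds in summarize(lines).items()
        if kinds["NXDOMAIN"] and kinds["NODATA"]
    )


if __name__ == "__main__":
    for label, lines in (("bad case", BAD_CASE), ("good case", GOOD_CASE)):
        print(label, summarize(lines), "inconsistent:", inconsistent_names(lines))
```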
[Touch-packages] [Bug 1995260] Re: dnsmasq focal 2.80 NODATA instead of NXDOMAIN bug
@SRU team - please consider accepting and merging the test hint [1] to resolve the current blocker for this SRU.

[1]: https://code.launchpad.net/~paelzer/britney/+git/hints-ubuntu/+merge/433770

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to dnsmasq in Ubuntu.
https://bugs.launchpad.net/bugs/1995260

Title:
  dnsmasq focal 2.80 NODATA instead of NXDOMAIN bug

Status in dnsmasq package in Ubuntu:
  Fix Released
Status in dnsmasq source package in Focal:
  Fix Committed

Bug description:
  [SRU]

  [ Impact ]

  Sometimes dnsmasq is incorrectly returning NODATA instead of NXDOMAIN. This can lead to erroneous actions by clients who need to determine whether a domain name exists or not.

  [ Test Plan ]

  In a focal VM, install dnsmasq (apt install dnsmasq) if it wasn't installed yet.

  #0 Disabling systemd-resolved service and enabling resolution through dnsmasq.

  # systemctl disable --now systemd-resolved.service
  # rm -f /etc/resolv.conf
  # cat > /etc/resolv.conf << __EOF__
  nameserver 8.8.8.8
  __EOF__
  # systemctl start dnsmasq.service

  #1 Bad case

  # for i in srv txt a a txt srv; do host -t $i test.foo. 127.0.0.1 | tail -n 1; done
  Host test.foo. not found: 3(NXDOMAIN)
  Host test.foo. not found: 3(NXDOMAIN)
  Host test.foo. not found: 3(NXDOMAIN)
  test.foo has no A record
  Host test.foo. not found: 3(NXDOMAIN)
  test.foo has no A record
  test.foo has no TXT record
  test.foo has no SRV record

  #2 Good case

  #2.1 Installing new package

  # ls -1 *.deb
  dnsmasq-utils_2.80-1.1ubuntu1.6_amd64.deb
  dnsmasq-base_2.80-1.1ubuntu1.6_amd64.deb
  dnsmasq_2.80-1.1ubuntu1.6_all.deb
  # dpkg -i *.deb
  (Reading database ... 32073 files and directories currently installed.)
  Preparing to unpack dnsmasq-base_2.80-1.1ubuntu1.6_amd64.deb ...
  Unpacking dnsmasq-base (2.80-1.1ubuntu1.6) over (2.80-1.1ubuntu1.5) ...
  Selecting previously unselected package dnsmasq-utils.
  Preparing to unpack dnsmasq-utils_2.80-1.1ubuntu1.6_amd64.deb ...
  Unpacking dnsmasq-utils (2.80-1.1ubuntu1.6) ...
  Preparing to unpack dnsmasq_2.80-1.1ubuntu1.6_all.deb ...
  Unpacking dnsmasq (2.80-1.1ubuntu1.6) over (2.80-1.1ubuntu1.5) ...
  Setting up dnsmasq-base (2.80-1.1ubuntu1.6) ...
  Setting up dnsmasq-utils (2.80-1.1ubuntu1.6) ...
  Setting up dnsmasq (2.80-1.1ubuntu1.6) ...
  Processing triggers for dbus (1.12.16-2ubuntu2.3) ...
  Processing triggers for man-db (2.9.1-1) ...
  Processing triggers for systemd (245.4-4ubuntu3.18) ...
  # dpkg -l | grep dnsmasq
  ii dnsmasq 2.80-1.1ubuntu1.6 all Small caching DNS proxy and DHCP/TFTP server
  ii dnsmasq-base 2.80-1.1ubuntu1.6 amd64 Small caching DNS proxy and DHCP/TFTP server
  ii dnsmasq-utils 2.80-1.1ubuntu1.6 amd64 Utilities for manipulating DHCP leases

  #2.2 Testing OK

  # for i in srv txt a a txt srv; do host -t $i test.foo. 127.0.0.1 | tail -n 1; done
  Host test.foo. not found: 3(NXDOMAIN)
  Host test.foo. not found: 3(NXDOMAIN)
  Host test.foo. not found: 3(NXDOMAIN)
  Host test.foo. not found: 3(NXDOMAIN)
  Host test.foo. not found: 3(NXDOMAIN)
  Host test.foo. not found: 3(NXDOMAIN)
  Host test.foo. not found: 3(NXDOMAIN)
  Host test.foo. not found: 3(NXDOMAIN)

  [ Where problems could occur ]

  It changes the program's behaviour by classifying as NXDOMAIN what used to be NODATA in some situations, so if a user had a workaround for this (in the form of a script or other kind of automatization) it will probably start to malfunction.

  The last rebuilding of the package for Focal was in May, so if any new dependencies or libs have been upgraded on this Ubuntu series this can impact the new rebuild.

  [ Other Info ]

  The patch is applied upstream and originated from a bug filed on Fedora side:
  https://bugzilla.redhat.com/show_bug.cgi?id=1674067

  [Original Report]
  ---
  We upgraded our openstack containers which host dnsmasq services from bionic to focal. With this we got an update of dnsmasq from 2.79 to 2.80 which introduced a bug in our setup where dnsmasq returns NODATA instead of NXDOMAIN.

  This is already fixed upstream with the following commit [1]. The Ubuntu dnsmasq 2.80 package should get a backport with a release for the focal packages which includes this bug fix.

  [1] https://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=162e5e0062ce923c494cc64282f293f0ed64fc10

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/dnsmasq/+bug/1995260/+subscriptions

--
Mailing list: https://launchpad.net/~touch-packages
Post to     : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp
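The distinction the test plan checks, as an added example that is not part of the original bug report: NXDOMAIN is RCODE 3 in the response header, while NODATA is RCODE 0 with an empty answer section, so one name drawing both from the same resolver is self-contradictory. The responses are constructed to mirror the "Bad case" and "Good case" sequences, and all function names are hypothetical.

```python
import struct

QTYPES = {"a": 1, "txt": 16, "srv": 33}


def encode_name(name):
    """Encode a domain name as length-prefixed labels (no compression)."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_response(name, qtype, rcode):
    """Construct a header-plus-question response with no records (sample input)."""
    flags = 0x8000 | 0x0100 | 0x0080 | (rcode & 0x0F)  # QR, RD, RA, RCODE
    header = struct.pack("!HHHHHH", 0x1234, flags, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", QTYPES[qtype], 1)


def parse_question(msg):
    """Return (qname, qtype) from the first question of a DNS message."""
    labels, pos = [], 12
    while msg[pos] != 0:
        length = msg[pos]
        if length & 0xC0:
            raise ValueError("unexpected compression pointer in question")
        labels.append(msg[pos + 1:pos + 1 + length].decode("ascii"))
        pos += 1 + length
    qtype, _qclass = struct.unpack_from("!HH", msg, pos + 1)
    return ".".join(labels).lower() + ".", qtype


def classify(msg):
    """Classify a response as NXDOMAIN, NODATA, ANSWER or RCODE_<n>."""
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    _id, flags, _qd, ancount, _ns, _ar = struct.unpack_from("!HHHHHH", msg)
    if not flags & 0x8000:
        raise ValueError("QR bit clear: this is a query, not a response")
    rcode = flags & 0x000F
    if rcode == 3:
        return "NXDOMAIN"
    if rcode == 0:
        # Simplification: an empty answer section is treated as NODATA;
        # referrals and CNAME-only answers are not distinguished here.
        return "NODATA" if ancount == 0 else "ANSWER"
    return "RCODE_%d" % rcode


def contradictions(responses):
    """Names reported both as nonexistent and as existing (NODATA or ANSWER)."""
    seen = {}
    for msg in responses:
        name, _qtype = parse_question(msg)
        seen.setdefault(name, set()).add(classify(msg))
    return {name: verdicts for name, verdicts in seen.items()
            if "NXDOMAIN" in verdicts and verdicts & {"NODATA", "ANSWER"}}


# Constructed samples: same query order as the test plan (srv txt a a txt srv).
BAD = [build_response("test.foo.", t, r) for t, r in
       [("srv", 3), ("txt", 3), ("a", 3), ("a", 0), ("txt", 0), ("srv", 0)]]
GOOD = [build_response("test.foo.", t, 3) for t in "srv txt a a txt srv".split()]

if __name__ == "__main__":
    print("bad case: ", contradictions(BAD))
    print("good case:", contradictions(GOOD))
```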
[Touch-packages] [Bug 1995260] Re: dnsmasq focal 2.80 NODATA instead of NXDOMAIN bug
Great finding Miriam, I've looked into it and fully agree. Since I had all the data at that moment I filed bug 1998184 for ubuntu-fan. Based on that we need to mask the tests and we can ignore them here in regard to this SRU (until fixed in ubuntu-fan).

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to dnsmasq in Ubuntu.
https://bugs.launchpad.net/bugs/1995260
[Touch-packages] [Bug 1997224] Re: [NUC12WSKi5, Realtek ALC269VB, Green Headphone Out, Left] Playback problem with startup applications
I managed to get audio output going using amixer:

  amixer sset Master mute unmute 1- 1+

Both parts are necessary (mute/unmute and volume adjustment). Just muting/unmuting or adjusting the volume does not bring back audio output. I can put it in my start script without adding any possibly insufficient delay prior to it.

I still don't understand why this is needed. If playback is delayed long enough, the "audio system" (I don't know which component) seems to do something similar internally and it magically works. However, this is not how it is supposed to work, because a user (or a start script) can not know how long the delay actually needs to be.

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to alsa-driver in Ubuntu.
https://bugs.launchpad.net/bugs/1997224

Title:
  [NUC12WSKi5, Realtek ALC269VB, Green Headphone Out, Left] Playback problem with startup applications

Status in alsa-driver package in Ubuntu:
  New

Bug description:
  I am starting an audio application (e.g. aplay, paplay, any media player) automatically after login (through the "Startup Applications"). I can see that the app is playing some audio through PulseAudio by checking pavucontrol. However, no sound is output to the speaker.

  When I delay the startup of the app a couple of seconds (e.g. via sleep 5), the sound is played as expected.

  We tried to analyze the issue here:
  https://answers.launchpad.net/ubuntu/+question/703840

  It seems that there is something wrong with the mixer when audio apps are launched very early after boot (or login?): The "Master Playback Volume" is set to 0 at the ALSA level, and it seems that PulseAudio is not able to raise it if audio playback is started so early. Attempts to automatically raise the "Master Playback Volume" through amixer also failed. The "Master Playback Volume" stays at 0.

  As mentioned above, when the start of the playback is delayed a bit, the "Master Playback Volume" is at 100 as expected.
  ProblemType: Bug
  DistroRelease: Ubuntu 22.04
  Package: alsa-base 1.0.25+dfsg-0ubuntu7
  ProcVersionSignature: Ubuntu 5.15.0-53.59-generic 5.15.64
  Uname: Linux 5.15.0-53-generic x86_64
  ApportVersion: 2.20.11-0ubuntu82.1
  Architecture: amd64
  AudioDevicesInUse:
   USER PID ACCESS COMMAND
   /dev/snd/controlC0: kiosk 1081 F pulseaudio
   /dev/snd/pcmC0D0c: kiosk 1081 F...m pulseaudio
   /dev/snd/pcmC0D0p: kiosk 1081 F...m pulseaudio
  CasperMD5CheckResult: pass
  Date: Mon Nov 21 10:35:48 2022
  InstallationDate: Installed on 2022-11-21 (0 days ago)
  InstallationMedia: Ubuntu 22.04.1 LTS "Jammy Jellyfish" - Release amd64 (20220809.1)
  PackageArchitecture: all
  SourcePackage: alsa-driver
  Symptom: audio
  Symptom_AlsaPlaybackTest: ALSA playback test through plughw:PCH successful
  Symptom_Card: Built-in Audio - HDA Intel PCH
  Symptom_Jack: Green Headphone Out, Left
  Symptom_PulsePlaybackTest: PulseAudio playback test successful
  Symptom_Type: None of the above
  Title: [NUC12WSKi5, Realtek ALC269VB, Green Headphone Out, Left] Playback problem
  UpgradeStatus: No upgrade log present (probably fresh install)
  dmi.bios.date: 07/18/2022
  dmi.bios.release: 5.26
  dmi.bios.vendor: Intel Corp.
  dmi.bios.version: WSADL357.0085.2022.0718.1739
  dmi.board.name: NUC12WSBi5
  dmi.board.vendor: Intel Corporation
  dmi.board.version: M46425-302
  dmi.chassis.type: 35
  dmi.chassis.vendor: Intel Corporation
  dmi.chassis.version: 2.0
  dmi.modalias: dmi:bvnIntelCorp.:bvrWSADL357.0085.2022.0718.1739:bd07/18/2022:br5.26:svnIntel(R)ClientSystems:pnNUC12WSKi5:pvrM46708-302:rvnIntelCorporation:rnNUC12WSBi5:rvrM46425-302:cvnIntelCorporation:ct35:cvr2.0:skuNUC12WSKi5000:
  dmi.product.family: WS
  dmi.product.name: NUC12WSKi5
  dmi.product.sku: NUC12WSKi5000
  dmi.product.version: M46708-302
  dmi.sys.vendor: Intel(R) Client Systems

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/alsa-driver/+bug/1997224/+subscriptions

--
Mailing list: https://launchpad.net/~touch-packages
Post to     : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1892559] Re: [MIR] ccid opensc pcsc-lite
** Changed in: pcsc-lite (Ubuntu)
       Status: New => Incomplete

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to pcsc-lite in Ubuntu.
https://bugs.launchpad.net/bugs/1892559

Title:
  [MIR] ccid opensc pcsc-lite

Status in ccid package in Ubuntu:
  In Progress
Status in opensc package in Ubuntu:
  Incomplete
Status in pam-pkcs11 package in Ubuntu:
  Invalid
Status in pcsc-lite package in Ubuntu:
  Incomplete
Status in pcsc-perl package in Ubuntu:
  Invalid
Status in pcsc-tools package in Ubuntu:
  Invalid

Bug description:
  ==> ccid <==

  [Availability]
  ccid is in universe, and builds on all architectures.

  [Rationale]
  The desktop team and security team are interested in bringing smartcard authentication to enterprise desktop environments.

  [Security]
  No CVEs for ccid are listed in our database.
  Doesn't appear to bind to a socket.
  No privileged executables, but does have udev rules.
  Probably needs a security review.

  [Quality assurance]
  No test suite.
  Does require odd hardware that we'll probably need to buy.
  I don't see debconf questions.
  ccid is well maintained in Debian by upstream author.
  One open wishlist bug in BTS, harmless.
  One open bug in launchpad, not security, but looks very frustrating for the users. The upstream author was engaged but it never reached resolution.
  https://bugs.launchpad.net/ubuntu/+source/ccid/+bug/1175465
  Has a debian/watch file.
  Quilt packaging.
  P: ccid source: no-dep5-copyright
  P: ccid source: package-uses-experimental-debhelper-compat-version 13

  [Dependencies]
  Minimal dependencies, in main

  [Standards compliance]
  Appears to satisfy FHS and Debian policy

  [Maintenance]
  The desktop team will subscribe to bugs, however it is expected that the security team will assist with security-relevant questions.

  [Background information]
  ccid provides drivers to interact with usb-connected smart card readers.

  ==> libpam-pkcs11 <==

  [Availability]
  Source package pam-pkcs11 is in universe and builds on all architectures.

  [Rationale]
  The desktop team and security team are interested in bringing smartcard authentication to enterprise desktop environments.

  [Security]
  No CVEs in our database.
  Doesn't appear to bind to sockets.
  No privileged executables (but is a PAM module).
  As a PAM module this will require a security review.

  [Quality assurance]
  The package does not call pam-auth-update in its postinst #1650366
  Does not ask questions during install.
  One Ubuntu bug claims very poor behaviour if a card isn't plugged in.
  No Debian bugs.
  Occasional updates in Debian by long-term maintainer.
  Does require odd hardware that we'll probably need to buy.
  Does not appear to run tests during build.
  Has scary warnings in the build logs.
  Has a debian/watch file.
  Ancient standards version; other smaller lintian messages, mostly documentation problems.
  Quilt packaging.

  [Dependencies]
  Depends on libcurl4, libldap-2.4-2, libpam0g, libpcsclite1, libssl1.1
  All are in main.

  [Standards compliance]
  The package does not call pam-auth-update in its postinst #1650366
  Otherwise looks to conform to FHS and Debian policies

  [Maintenance]
  The desktop team will subscribe to bugs, however it is expected that the security team will assist with security-relevant questions.

  [Background information]
  This PAM module can use CRLs and full-chain verification of certificates. It can also do LDAP, AD, and Kerberos username mapping.

  ==> libpcsc-perl <==

  [Availability]
  Source package pcsc-perl is in universe, builds for all architectures, plus i386

  [Rationale]
  The desktop team and security team are interested in bringing smartcard authentication to enterprise desktop environments.

  [Security]
  There are no cves for pcsc-perl in our database.
  No privileged executables.
  Doesn't appear to bind to sockets.
  Probably needs a security review.

  [Quality assurance]
  Library package not intended to be used directly.
  No debconf questions.
  No bugs in Debian.
  No bugs in Ubuntu.
  Does require odd hardware that we'll probably need to buy.
  Tests exist, not run during the build; probably can't run during the build.
  Includes debian/watch file.
  A handful of lintian issues
  Quilt packaging.

  [Dependencies]
  libpcsc-perl depends upon libpcsclite1, libc6, perl, perlapi-5.30.0.
  All are in main.

  [Standards compliance]
  One oddity, Card.pod is stored in /usr/lib/x86_64-linux-gnu/perl5/5.30/Chipcard/PCSC/
  Many other perl packages have .pod files in these directory trees so maybe it's fine, but it seems funny all the same.
  Otherwise appears to satisfy FHS and Debian policy.

  [Maintenance]
  The desktop team will subscribe to bugs, however it is expected that the security team will assist with security-relevant questions.

  [Background information]
  Dependency of pcsc-tools; thi
[Touch-packages] [Bug 1989073] Re: AppArmor DENIES reading of /sys/devices/system/cpu/possible
Hi Marius,

> What actually is the effect of the denial? Will qemu not use more than one CPU,
> or is it something less harmful?

Since the new interface is arch specific and new the code does fall back to the old way.

  /* On some architectures it is possible to distinguish between configured
     and active cpus.  */
  int
  __get_nprocs_conf (void)
  {
    int result = read_sysfs_file ("/sys/devices/system/cpu/possible");
    if (result != 0)
      return result;

    /* Fall back to /proc/stat and sched_getaffinity.  */
    return get_nprocs_fallback ();
  }

Due to that, even when denied it gets the right number (as it had before). Once with and without isolation blocking access.

  ubuntu@k2:/tmp$ ./testsysconf
  _SC_NPROCESSORS_CONF 3
  ubuntu@k2:/tmp$ sudo aa-exec -p test -- ./testsysconf
  _SC_NPROCESSORS_CONF 3

It only has a real difference on systems where the new code was needed in the first place. Those are usually rather massive systems which start at lower cpu counts but might hot-plug them later - on those with the denial falling back you'd only get a lower than the real potential max number.

The code that hits this in your case is libnuma on initialization, unless you are very deep into numa control on very huge systems using cpu hotplug you won't see any effect.

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1989073

Title:
  AppArmor DENIES reading of /sys/devices/system/cpu/possible

Status in apparmor package in Ubuntu:
  Confirmed
Status in apparmor source package in Kinetic:
  Confirmed

Bug description:
  libvirt 8.6.0-0ubuntu1
  apparmor 3.0.7-1ubuntu1

  Creating a VM with virt-install produces this AppArmor denial:

  AVC apparmor="DENIED" operation="open" profile="libvirt-974c9859-e682-4f5d-b0cb-dcf3d60185fc" name="/sys/devices/system/cpu/possible" pid=2522 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=64055 ouid=0

  Creation of the VM is successful. This is with nested virtualization.

  This did not happen with libvirt 8.0.0-1ubuntu8 and apparmor 3.0.7-1ubuntu1.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1989073/+subscriptions

--
Mailing list: https://launchpad.net/~touch-packages
Post to     : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1989073] Re: AppArmor DENIES reading of /sys/devices/system/cpu/possible
Submitted upstream:
https://lists.ubuntu.com/archives/apparmor/2022-November/012528.html

Once discussed and accepted there I suggest a backport to Kinetic.

I hope this debug and patch helps, but to manage expectations, I'd hope/expect that someone usually looking after apparmor does that follow on step then. Could someone please agree to take it over from here and comment on this bug?

P.S. I mostly want to avoid stepping on someone's toes, if you want me to upload it to kinetic I can do so, let me know.

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1989073
[Touch-packages] [Bug 1989073] Re: AppArmor DENIES reading of /sys/devices/system/cpu/possible
Reported upstream at https://gitlab.com/apparmor/apparmor/-/issues/283

** Bug watch added: gitlab.com/apparmor/apparmor/-/issues #283
   https://gitlab.com/apparmor/apparmor/-/issues/283

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1989073
[Touch-packages] [Bug 1989073] Re: AppArmor DENIES reading of /sys/devices/system/cpu/possible
That is the commit causing the change [1] in behavior.

That is pretty low level (in libc6) and will probably hit anything that links against libnuma. I think the fix should therefore go into /etc/apparmor.d/abstractions/base

Today it has:

  # glibc's sysconf(3) routine to determine free memory, etc
  @{PROC}/meminfo r,
  @{PROC}/stat r,
  @{PROC}/cpuinfo r,
  @{sys}/devices/system/cpu/ r,
  @{sys}/devices/system/cpu/online r,

And due to [1] I think this needs to get:

  @{sys}/devices/system/cpu/possible r,

That is still missing in upstream's [2] current base profile.

Gladly it isn't too fatal, but still bad. Retargeting this to the apparmor package.

[1]: https://sourceware.org/git/?p=glibc.git;a=commit;h=97a912f7a832a6
[2]: https://gitlab.com/apparmor/apparmor/-/blob/master/profiles/apparmor.d/abstractions/base#L98

** Package changed: libvirt (Ubuntu) => apparmor (Ubuntu)

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1989073
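Why the existing rules do not cover the denied path, as an added example that is not AppArmor's or the reporter's own code: a rule ending in "/" grants access to the directory entry itself, not to files inside it, so "cpu/ r" does not reach "cpu/possible". The checker below is a simplified matcher with hypothetical function names; it assumes @{sys}=/sys/ and @{PROC}=/proc/ as in the stock tunables and handles only the *, ** and ? globs.

```python
import re

# Assumed variable values (stock tunables); adjust if your tunables differ.
VARIABLES = {"sys": "/sys/", "PROC": "/proc/"}

# The sysconf(3) block of abstractions/base as quoted in the message above.
BASE_RULES = """
# glibc's sysconf(3) routine to determine free memory, etc
@{PROC}/meminfo r,
@{PROC}/stat r,
@{PROC}/cpuinfo r,
@{sys}/devices/system/cpu/ r,
@{sys}/devices/system/cpu/online r,
"""
PROPOSED_RULE = "@{sys}/devices/system/cpu/possible r,\n"

# The denial record from the bug description.
DENIAL = ('AVC apparmor="DENIED" operation="open" '
          'profile="libvirt-974c9859-e682-4f5d-b0cb-dcf3d60185fc" '
          'name="/sys/devices/system/cpu/possible" pid=2522 '
          'comm="qemu-system-x86" requested_mask="r" denied_mask="r" '
          'fsuid=64055 ouid=0')


def parse_denial(line):
    """Split an AppArmor audit record into its key=value fields."""
    pairs = re.findall(r'(\w+)=("[^"]*"|\S+)', line)
    fields = {key: value.strip('"') for key, value in pairs}
    if fields.get("apparmor") != "DENIED":
        raise ValueError("not an AppArmor denial")
    return fields


def expand(path):
    """Substitute @{var}, then collapse the doubled slashes that leaves behind."""
    path = re.sub(r"@\{(\w+)\}", lambda m: VARIABLES[m.group(1)], path)
    return re.sub(r"/{2,}", "/", path)


def glob_to_regex(pattern):
    """Translate the *, ** and ? globs; other AppArmor globbing is not handled."""
    out, i = [], 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            out.append(".*")       # ** crosses directory boundaries
            i += 2
        elif pattern[i] == "*":
            out.append("[^/]*")    # * stays within one path component
            i += 1
        elif pattern[i] == "?":
            out.append("[^/]")
            i += 1
        else:
            out.append(re.escape(pattern[i]))
            i += 1
    return re.compile("".join(out))


def parse_rules(text):
    """Yield (expanded path pattern, permission letters) for each file rule."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        m = re.fullmatch(r"(\S+)\s+([a-zA-Z]+),", line)
        if m:
            yield expand(m.group(1)), m.group(2)


def covering_rules(rules_text, denial):
    """Return the rule paths that grant every denied permission on the path."""
    needed = set(denial["denied_mask"])
    return [pattern for pattern, perms in parse_rules(rules_text)
            if glob_to_regex(pattern).fullmatch(denial["name"])
            and needed <= set(perms)]


if __name__ == "__main__":
    denial = parse_denial(DENIAL)
    print("current rules: ", covering_rules(BASE_RULES, denial))
    print("with proposal: ", covering_rules(BASE_RULES + PROPOSED_RULE, denial))
```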