[Bug 1701726] [NEW] unattended upgrades removing kerberos and breaking system

Anton Piatek Fri, 30 Jun 2017 13:11:52 -0700

Public bug reported:

Ok, so this may not be a bug specifically in unattended-upgrades, but I
can't determine where else it would be.


Having my server broken by unattended upgrades removing the primary
login system (kerberos) once might be considered unlucky, or perhaps a
typo - but now that it has happened twice it looks like a bug.

The problem seems to be that several krb related packages were removed, along 
with puppet packages which we use to help maintain the system.
The result was all remote logins (ssh/http/smtp/imap/etc) were broken and 
serial console had to be used to recover the sysem


Pulling from logs from today:
```Start-Date: 2017-06-30  15:22:20
Commandline: /usr/bin/unattended-upgrade
Upgrade: libisccfg140:amd64 (1:9.10.3.dfsg.P4-8ubuntu1.6, 
1:9.10.3.dfsg.P4-8ubuntu1.7), bind9-host:amd64 (1:9.10.3.dfsg.P4-8ubuntu1.6, 
1:9.10.3.dfsg.P4-8ubuntu1.7), dnsutils:amd64 (1:9.10.3.dfsg.P4-8ubuntu1.6, 
1:9.10.3.dfsg.P4-8ubuntu1.7), libisc160:amd64 (1:9.10.3.dfsg.P4-8ubuntu1.6, 
1:9.10.3.dfsg.P4-8ubuntu1.7), bind9utils:amd64 (1:9.10.3.dfsg.P4-8ubuntu1.6, 
1:9.10.3.dfsg.P4-8ubuntu1.7), liblwres141:amd64 (1:9.10.3.dfsg.P4-8ubuntu1.6, 
1:9.10.3.dfsg.P4-8ubuntu1.7), bind9:amd64 (1:9.10.3.dfsg.P4-8ubuntu1.6, 
1:9.10.3.dfsg.P4-8ubuntu1.7), libdns162:amd64 (1:9.10.3.dfsg.P4-8ubuntu1.6, 
1:9.10.3.dfsg.P4-8ubuntu1.7), libisccc140:amd64 (1:9.10.3.dfsg.P4-8ubuntu1.6, 
1:9.10.3.dfsg.P4-8ubuntu1.7), libbind9-140:amd64 (1:9.10.3.dfsg.P4-8ubuntu1.6, 
1:9.10.3.dfsg.P4-8ubuntu1.7)
Remove: ubuntu-standard:amd64 (1.361), host:amd64 
(1:9.10.3.dfsg.P4-8ubuntu1.6), librarian-puppet:amd64 (2.2.1-2), 
libapache2-mod-auth-kerb:amd64 (5.4-2.2), krb5-admin-server:amd64 
(1.13.2+dfsg-5ubuntu2), krb5-user:amd64 (1.13.2+dfsg-5ubuntu2), 
libpam-krb5:amd64 (4.7-2), facter:amd64 (2.4.6-1), krb5-kdc:amd64 
(1.13.2+dfsg-5ubuntu2), krb5-config:amd64 (2.3), puppet:amd64 
(3.8.5-2ubuntu0.1), puppet-common:amd64 (3.8.5-2ubuntu0.1)
End-Date: 2017-06-30  15:22:27

Start-Date: 2017-06-30  15:22:32
Commandline: /usr/bin/unattended-upgrade
Remove: libaugeas0:amd64 (1.4.0-0ubuntu1), libverto-libevent1:amd64 
(0.2.4-2.1ubuntu2), virt-what:amd64 (1.14-1), libkadm5clnt-mit9:amd64 
(1.13.2+dfsg-5ubuntu2), javascript-common:amd64 (11), ruby-multipart-post:amd64 
(1.2.0-2), ruby2.3:amd64 (2.3.1-2~16.04), ruby-safe-yaml:amd64 (1.0.4-1), 
rake:amd64 (10.5.0-2), ruby-net-telnet:amd64 (0.1.1-2), ruby-thor:amd64 
(0.19.1-2), ruby-librarian:amd64 (0.6.3-1), ruby-highline:amd64 (1.7.2-1), 
augeas-lenses:amd64 (1.4.0-0ubuntu1), ruby-minitar:amd64 (0.5.4-3), 
libkdb5-8:amd64 (1.13.2+dfsg-5ubuntu2), libjs-jquery:amd64 (1.11.3+dfsg-4), 
ruby-json:amd64 (1.8.3-1build4), ruby-augeas:amd64 (1:0.5.0-3build4), 
ruby-shadow:amd64 (2.4.1-1build4), ruby-minitest:amd64 (5.8.4-2), hiera:amd64 
(2.0.0-2), ruby-deep-merge:amd64 (1.0.1+gitf9df6fdb-1), libruby2.3:amd64 
(2.3.1-2~16.04), ruby-selinux:amd64 (2.4-3build2), ruby:amd64 (1:2.3.0+1), 
libgssrpc4:amd64 (1.13.2+dfsg-5ubuntu2), libverto1:amd64 (0.2.4-2.1ubuntu2), 
ruby-rsync:amd64 (1.0.9-1), ruby-faraday-m
 iddleware:amd64 (0.10.0-1), ruby-power-assert:amd64 (0.2.7-1), unzip:amd64 
(6.0-20ubuntu1), zip:amd64 (3.0-11), ruby-semantic-puppet:amd64 (0.1.1-1), 
ruby-rgen:amd64 (0.7.0-2), rubygems-integration:amd64 (1.10), fonts-lato:amd64 
(2.0-1), ruby-faraday:amd64 (0.9.2-3), ruby-nokogiri:amd64 (1.6.7.2-3build1), 
libkadm5srv-mit9:amd64 (1.13.2+dfsg-5ubuntu2), ruby-test-unit:amd64 (3.1.7-2), 
libyaml-0-2:amd64 (0.1.6-3), ruby-puppet-forge:amd64 (2.1.3-1), 
ruby-did-you-mean:amd64 (1.0.0-2)
End-Date: 2017-06-30  15:22:34
```


And the pervious time it failed in January this year:
```Start-Date: 2017-01-13  02:35:06
Commandline: /usr/bin/unattended-upgrade
Install: host:amd64 (1:9.10.3.dfsg.P4-8ubuntu1.4, automatic)
Upgrade: libisccfg140:amd64 (1:9.10.3.dfsg.P4-8ubuntu1.3, 
1:9.10.3.dfsg.P4-8ubuntu1.4), bind9-host:amd64 (1:9.10.3.dfsg.P4-8ubuntu1.3, 
1:9.10.3.dfsg.P4-8ubuntu1.4), dnsutils:amd64 (1:9.10.3.dfsg.P4-8ubuntu1.3, 
1:9.10.3.dfsg.P4-8ubuntu1.4), libisc160:amd64 (1:9.10.3.dfsg.P4-8ubuntu1.3, 
1:9.10.3.dfsg.P4-8ubuntu1.4), bind9utils:amd64 (1:9.10.3.dfsg.P4-8ubuntu1.3, 
1:9.10.3.dfsg.P4-8ubuntu1.4), liblwres141:amd64 (1:9.10.3.dfsg.P4-8ubuntu1.3, 
1:9.10.3.dfsg.P4-8ubuntu1.4), bind9:amd64 (1:9.10.3.dfsg.P4-8ubuntu1.3, 
1:9.10.3.dfsg.P4-8ubuntu1.4), libdns162:amd64 (1:9.10.3.dfsg.P4-8ubuntu1.3, 
1:9.10.3.dfsg.P4-8ubuntu1.4), libisccc140:amd64 (1:9.10.3.dfsg.P4-8ubuntu1.3, 
1:9.10.3.dfsg.P4-8ubuntu1.4), libbind9-140:amd64 (1:9.10.3.dfsg.P4-8ubuntu1.3, 
1:9.10.3.dfsg.P4-8ubuntu1.4)
Remove: ubuntu-standard:amd64 (1.361), librarian-puppet:amd64 (2.2.1-2), 
libapache2-mod-auth-kerb:amd64 (5.4-2.2), krb5-admin-server:amd64 
(1.13.2+dfsg-5), krb5-user:amd64 (1.13.2+dfsg-5), libpam-krb5:amd64 (4.7-2), 
facter:amd64 (2.4.6-1), krb5-kdc:amd64 (1.13.2+dfsg-5), krb5-config:amd64 
(2.3), puppet:amd64 (3.8.5-2), puppet-common:amd64 (3.8.5-2)
End-Date: 2017-01-13  02:35:13```

After the first failure in January the main kerberos and puppet packages
were installed manually to get the system going - I thought perhaps that
would stop autoremove dropping them but to be extra safe we disabled
autoremove from unattended-upgrade at the time. However today the
packages were removed anyway.

As I said at the beginning, it could be that it is not unattended-
upgrade breaking things, the packages being upgraded do contain some
similar names both times (host and bind for instance), but I can't see
anything in the dependency relationships which even comes close to
suggesting a cause.

ProblemType: Bug
DistroRelease: Ubuntu 16.04
Package: unattended-upgrades 0.90ubuntu0.6
ProcVersionSignature: Ubuntu 4.4.0-79.100-generic 4.4.67
Uname: Linux 4.4.0-79-generic x86_64
ApportVersion: 2.20.1-0ubuntu2.6
Architecture: amd64
Date: Fri Jun 30 20:52:16 2017
JournalErrors:
 Error: command ['journalctl', '-b', '--priority=warning', '--lines=1000'] 
failed with exit code 1: Hint: You are currently not seeing messages from other 
users and the system.
       Users in the 'systemd-journal' group can see all messages. Pass -q to
       turn off this notice.
 No journal files were opened due to insufficient permissions.
PackageArchitecture: all
SourcePackage: unattended-upgrades
UpgradeStatus: No upgrade log present (probably fresh install)
modified.conffile..etc.apt.apt.conf.d.15update-stamp:
 // This file is managed by Puppet. DO NOT EDIT.
 APT::Update::Post-Invoke-Success {"touch 
/var/lib/apt/periodic/update-success-stamp 2>/dev/null || true";};
mtime.conffile..etc.apt.apt.conf.d.10periodic: 2017-01-02T14:47:31.647417
mtime.conffile..etc.apt.apt.conf.d.15update-stamp: 2017-01-02T14:44:44.264308

** Affects: unattended-upgrades (Ubuntu)
     Importance: Undecided
         Status: New


** Tags: amd64 apport-bug xenial

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1701726

Title:
  unattended upgrades removing kerberos and breaking system

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/unattended-upgrades/+bug/1701726/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1701726] [NEW] unattended upgrades removing kerberos and breaking system

Reply via email to