Bug #15419

Detect earlier in the dev process if we're breaking automatic upgrades

Added by intrigeri 6 months ago. Updated 21 days ago.

Status: Resolved
Priority: Normal
Assignee: -
Category: Build system
Target version:
Start date: 06/28/2018
Due date:
% Done: 100%
Estimated time: 0.50 h
QA Check: Pass
Feature Branch: bugfix/15419-detect-uid-and-gid-changes
Type of work: Code
Blueprint:
Starter:
Affected tool: Upgrader

Description

At least twice we had to disable automatic upgrade paths because they would create a broken Tails system:

  • upgrading to 3.0.1 (#13426)
  • upgrading to 3.6

The first time this happened we added a manual test (eca3d1001236570cc6a26fd2a961710a0e151ca2) to ensure we would detect that during our QA. But as 3.6 shows, this was not enough to avoid releasing something broken so let's ensure we detect such matters as early as possible, before we've invested too much time into QA: this will increase the chances we have time to fix the problem and release something that can be upgraded to automatically.

My plan has three parts:

  1. Implement something that checks the UID and GID of the debian-tor user at ISO build time and aborts the build if any of them has changed. This is what this ticket is about. I'll do the same for the Upgrader's users as I suspect they might be affected by the same problem.
  2. Find out what's going on with Exim: it's been involved in this problem twice and I think we could do something cheap in order to decrease the chances such problems happen. That's #15418 and the follow-up is #15690.
  3. Implement a better solution in Tails 4.0, needed, depending on the timing of #8415 vs. #15281. See #15407 for details.
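
A sketch of the build-time check from part 1 of the plan, added here as an illustration; it is not the Tails build hook. It assumes reference copies of passwd and group from the last release are available, and it compares numeric IDs per name rather than whole files. The function names and all sample IDs are constructed.

```shell
#!/bin/sh
# Added example: detect UID/GID drift against reference passwd/group files.

# id_changes KIND BASELINE CURRENT
#   KIND "passwd" compares UID:GID (fields 3 and 4); "group" compares GID
#   (field 3). Prints one line per difference and returns 1 if a baseline
#   name changed its IDs or disappeared. Names new in CURRENT are accepted.
id_changes() {
    kind=$1 baseline=$2 current=$3
    awk -F: -v kind="$kind" '
        function ids() { return (kind == "passwd") ? ($3 ":" $4) : $3 }
        BEGIN { bad = 0 }
        /^#/ || NF < 3 { next }
        FILENAME == ARGV[1] { want[$1] = ids(); next }
        { seen[$1] = 1 }
        ($1 in want) && want[$1] != ids() {
            printf "%s: %s changed %s -> %s\n", kind, $1, want[$1], ids()
            bad = 1
        }
        END {
            for (name in want) if (!(name in seen)) {
                printf "%s: %s missing from current file\n", kind, name
                bad = 1
            }
            exit bad
        }
    ' "$baseline" "$current"
}

# Constructed sample data: the IDs are made up, not taken from any Tails ISO.
demo() {
    dir=$(mktemp -d) || return 2
    printf '%s\n' 'root:x:0:0:root:/root:/bin/bash' \
        'debian-tor:x:107:114::/var/lib/tor:/bin/false' > "$dir/passwd.ref"
    printf '%s\n' 'root:x:0:0:root:/root:/bin/bash' \
        'debian-tor:x:107:115::/var/lib/tor:/bin/false' > "$dir/passwd.new"
    printf '%s\n' 'root:x:0:' 'debian-tor:x:114:' 'monkeysphere:x:115:' \
        > "$dir/group.ref"
    printf '%s\n' 'root:x:0:' 'monkeysphere:x:114:' 'debian-tor:x:115:' \
        > "$dir/group.new"
    status=0
    id_changes passwd "$dir/passwd.ref" "$dir/passwd.new" || status=1
    id_changes group "$dir/group.ref" "$dir/group.new" || status=1
    rm -rf "$dir"
    return "$status"
}

# A build hook would exit non-zero here instead of only printing a message.
demo || echo "ID drift detected: the build should abort" >&2
```
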

Related issues

Related to Tails - Bug #15407: Prevent system user uid:s and gid:s from changing between releases Resolved 06/28/2018
Related to Tails - Bug #15418: Find out what's going on with Exim in our ISO build process Resolved 03/16/2018
Related to Tails - Bug #15424: Use fixed UID and GID for debian-tor Rejected 03/16/2018
Blocks Tails - Bug #15690: Stop installing all "Priority: standard" packages only to remove some of them later In Progress 06/29/2018
Blocked by Tails - Bug #15695: Avoid breaking automatic upgrades to Tails 3.9 Resolved 06/30/2018

Associated revisions

Revision 46c028aa (diff)
Added by intrigeri 3 months ago

Abort the build if /etc/{passwd,group} has changed (refs: #15419).

Such changes can break automatic upgrades, as seen on #13426 and more
recently during the 3.6 release.

The /usr/share/tails/build/{passwd,group} added here come straight from the
Tails 3.8 ISO.

Revision 6f146037 (diff)
Added by intrigeri 3 months ago

Add more debug output (refs: #15419).

Revision b19084e6 (diff)
Added by intrigeri about 1 month ago

Abort the build if /etc/{passwd,group} has changed (refs: #15419).

Such changes can break automatic upgrades, as seen on #13426 and more
recently during the 3.6 release.

The /usr/share/tails/build/{passwd,group} added here come straight from the
Tails 3.8 ISO.

Revision 4f229bab (diff)
Added by intrigeri about 1 month ago

Add more debug output (refs: #15419).

Revision a158c465
Added by intrigeri about 1 month ago

Merge remote-tracking branch 'kibi/bugfix/15695-avoid-breaking-automatic-upgrades-to-tails-3-9' into devel (Fix-committed: #15695, #15407, #15419)

History

#1 Updated by intrigeri 6 months ago

  • Related to Bug #15407: Prevent system user uid:s and gid:s from changing between releases added

#2 Updated by intrigeri 6 months ago

  • Related to Bug #15418: Find out what's going on with Exim in our ISO build process added

#3 Updated by segfault 6 months ago

  • Related to Bug #15424: Use fixed UID and GID for debian-tor added

#4 Updated by intrigeri 6 months ago

  • Target version changed from Tails_3.6.1 to Tails_3.7

#5 Updated by intrigeri 6 months ago

  • Target version changed from Tails_3.7 to Tails_3.8

My initial plan probably won't work (#15424#note-12) and after almost a month I still haven't logs for #15418 => let's discuss timing/relevance on #15407.

#6 Updated by intrigeri 3 months ago

  • Target version changed from Tails_3.8 to Tails_3.9

#7 Updated by intrigeri 3 months ago

Regarding exim4, I've completed the research: #15418#note-16.

#8 Updated by intrigeri 3 months ago

  • Status changed from Confirmed to In Progress

Implement something that checks the UID and GID of the debian-tor user at ISO build time and aborts the build if any of them has changed. This is what this ticket is about. I'll do the same for the Upgrader's users as I suspect they might be affected by the same problem.

On #15424 we tried to implement something more elaborate and failed but I think we should at least implement the detection part, even if we can't implement the more elaborate, "automatically use a fixed UID/GID" part. I'll keep tracking this here.

Find out what's going on with Exim: it's been involved in this problem twice and I think we could do something cheap in order to decrease the chances such problems happen. That's #15418.

Done. To avoid such problems, I think our best option is to stop passing --tasks standard to lb config and explicitly list the packages we want to install in config/chroot_local-packageslists/*.list. And then every time we upgrade to a new version of Debian, we create a ticket to update that list, based on the current set of Priority: standard packages in that version of Debian. Using a separate file will make this clearer and easier to maintain. I'll create a dedicated ticket about it.

Implement a better solution in Tails 4.0: that's #15407.

… might not be needed, depending on the timing of #8415 vs. #15281. See #15407 for details.

#9 Updated by intrigeri 3 months ago

  • Related to Bug #15690: Stop installing all "Priority: standard" packages only to remove some of them later added

#10 Updated by intrigeri 3 months ago

intrigeri wrote:

Done. To avoid such problems, I think our best option is to stop passing --tasks standard to lb config and explicitly list the packages we want to install in config/chroot_local-packageslists/*.list. And then every time we upgrade to a new version of Debian, we create a ticket to update that list, based on the current set of Priority: standard packages in that version of Debian. Using a separate file will make this clearer and easier to maintain. I'll create a dedicated ticket about it.

That's now #15690.

#11 Updated by intrigeri 3 months ago

  • % Done changed from 0 to 10
  • Feature Branch set to bugfix/15690-stop-installing-all-priority-standard-packages

#12 Updated by intrigeri 3 months ago

  • Related to deleted (Bug #15690: Stop installing all "Priority: standard" packages only to remove some of them later)

#13 Updated by intrigeri 3 months ago

  • Blocks Bug #15690: Stop installing all "Priority: standard" packages only to remove some of them later added

#14 Updated by intrigeri 3 months ago

  • Feature Branch changed from bugfix/15690-stop-installing-all-priority-standard-packages to bugfix/15419-detect-uid-and-gid-changes

#15 Updated by intrigeri 3 months ago

Interestingly, the check I've added identified GID differences (monkeysphere, debian-tor) between 3.8 and current devel. The good news is that it's a useful test. The bad news is that we need to fix that before 3.9 is released.

#16 Updated by intrigeri 3 months ago

  • Related to Bug #15695: Avoid breaking automatic upgrades to Tails 3.9 added

#17 Updated by intrigeri 3 months ago

  • Description updated (diff)

#18 Updated by intrigeri 3 months ago

  • % Done changed from 10 to 50

I'm happy with the current state of this branch but we can't merge it until #15695 is fixed, otherwise devel will FTBFS.

#19 Updated by intrigeri 3 months ago

  • Related to deleted (Bug #15695: Avoid breaking automatic upgrades to Tails 3.9)

#20 Updated by intrigeri 3 months ago

  • Blocked by Bug #15695: Avoid breaking automatic upgrades to Tails 3.9 added

#21 Updated by intrigeri about 1 month ago

  • Assignee changed from intrigeri to segfault
  • Estimated time set to 0.50 h
  • QA Check set to Ready for QA

This branch is included in the one for #15695 but you might want to review it first, which could make it slightly easier to understand what #15695 is about.

#22 Updated by intrigeri about 1 month ago

  • Assignee changed from segfault to CyrilBrulebois

#23 Updated by intrigeri about 1 month ago

  • Status changed from In Progress to Fix committed
  • Assignee deleted (CyrilBrulebois)
  • % Done changed from 50 to 100
  • QA Check changed from Ready for QA to Pass

#24 Updated by intrigeri about 1 month ago

  • Status changed from Fix committed to In Progress

#25 Updated by intrigeri about 1 month ago

  • Status changed from In Progress to Fix committed

#26 Updated by intrigeri 21 days ago

  • Status changed from Fix committed to Resolved
