Bug#1057220: Looks like the systemctl links are gone but not the pm-utils ones
Helmut Grohne
helmut at subdivi.de
Tue Dec 12 14:08:49 GMT 2023
Control: tags -1 + patch
On Fri, Dec 01, 2023 at 05:50:29PM +0100, Helmut Grohne wrote:
> I am very sorry to break this promise. It's complicated.
Almost two weeks later, I'm back with what I hope is a solution.
> So there will be no patch for now, because there still are unsolved
> problems. While looking into Emilio's problem and fixing the version
> constraints, I figured that test cases are failing. In particular, there
> are situations where dpkg unpacks systemd-sysv from unstable at a time
> where molly-guard from bookworm is still unpacked. This causes files
> from systemd-sysv to be irrevocably lost. I fear we're going back to the
> drawing board. If you want details, try #1057199, but I caution that
> it's not for the faint of heart and I already have apt and dpkg
> developers assist, which is awesome.
This has also resulted in systemd-sysv bug #1057220. I've considered the
options forwards and backwards. Since this loss scenario does not
involve a trixie molly-guard at all, it needs a solution in systemd
only. Discussions have resulted in two key insights:
* If working with apt (rather than dpkg directly), this scenario can
only happen if molly-guard and systemd-sysv have a mutual conflict
(or breaks). We should avoid this, see below.
* We cannot really prevent this from happening otherwise as the unpack
of the lost file and the loss happen in the same unpack phase.
At the time of this writing, my preferred solution is restoring the lost
files in postinst. Fortunately, they are all symlinks in the case of
systemd-sysv, so restoring them is a rather simple matter. And this is
what the attached systemd patch does.
> Among the ideas circulated by multiple DDs, the one that seems most
> promising to me was from Julian Andres Klode. He suggests that we add a
> "barrier" package "usrmerge-support". It would have versioned Conflicts
> with molly-guard and systemd-sysv would declare Pre-Depends on
> usrmerge-support. This approach can be used to emulate the semantics
> that I hoped to get from Conflicts, because Pre-Depends imply that at
> the time usrmerge-support.postinst runs, molly-guard must be removed or
> upgraded and systemd-sysv is not yet unpacked. Totally untested though.
>
> I fear there is not much you can do at this point.
This is not the option I'm going for now. Rather, given that systemd can
paper over the loss we can make the loss very unlikely by having
molly-guard not declare Breaks against systemd-sysv. As a result, apt no
longer sees a mutual conflict and no longer schedules temporary removal.
Thus, the loss scenario (usually) does not happen (though systemd-sysv
still mitigates it).
Not having Breaks comes at a cost though. Now the trixie molly-guard
must work with the bookworm systemd-sysv that still places the diverted
files in /sbin rather than /sbin. Remember that we earlier learned that
the diversion targets must differ in more than aliasing, so molly-guard
must now deal with locating diverted tools in two distinct locations,
which kinda is ugly, but practically works.
This also implies that the duplicated diversions are not as temporary as
we wished. We cannot just delete the aliased ones in postinst. We have
to keep them throughout the trixie release. Without loss of generality,
we'll divert tools like this:
/usr/sbin/halt -> /usr/sbin/halt.no-molly-guard
/sbin/halt -> /sbin/halt.no-molly-guard.usr-is-merged
The latter of these can be removed after trixie and the former is
permanent.
Emilio noticed that we must call the diverted tools by their true name.
While systemd uses strstr and this happens to work, sysvinit-core uses
strcmp, so we need to provide the exact argv[0]. Unfortunately "exec -a"
is as bash feature not supported by POSIX shells such as dash. I've
refrained from changing the shell interpreter from sh to bash and
instead invoke bash for the purpose of performing that "exec -a".
Changing it to become a bash script would also work.
Testing. I've significantly improved my earlier tests to understand many
of the situations. I've also significantly changed the test scenarios
(given that we also have to test a changed systemd-sysv now). All of
these pass now. None of the tests invoke the systemd mitigation (as
expected since molly-guard no longer Breaks). I've run molly-guard
through piuparts and installed it into a VM and manually performed these
tests:
* local poweroff
* poweroff via ssh asks for hostname
* poweroff --help # verified output
* poweroff --invalidarg # proper error message
* poweroff '--invalid --arg' # no accidental word splitting
Finally, I ran the reproducer from #1057220 and verified that the
mitigation in systemd-sysv actually is invoked and works.
So now I am attaching the result of my work. I invite people to review
it (even though I understand that this is a complex matter). In
particular, I am also interested in what kind of tests I should be
performing in addition. I also encourage you to upload these changes to
experimental (both molly-guard and systemd) to ease testing them.
For systemd-sysv, I think we can move to unstable relatively quickly,
because the chance of introducing difficult upgrade scenarios is fairly
low. On the other hand, I'd like to have molly-guard remain in
experimental for at least a week such that we can get feedback from
actual molly-guard users how this affects their use.
If you have any questions about this, please let me know.
Helmut
-------------- next part --------------
diff -Nru systemd-255/debian/changelog systemd-255/debian/changelog
--- systemd-255/debian/changelog 2023-12-06 22:24:09.000000000 +0100
+++ systemd-255/debian/changelog 2023-12-11 12:32:20.000000000 +0100
@@ -1,3 +1,11 @@
+systemd (255-1.1) UNRELEASED; urgency=medium
+
+ * Non-maintainer upload.
+ * Restore diverted symlinks that may be lost to in /usr-merge.
+ (Closes: #1057220)
+
+ -- Helmut Grohne <helmut at subdivi.de> Mon, 11 Dec 2023 12:32:20 +0100
+
systemd (255-1) unstable; urgency=medium
* New upstream version 255. For a full list of changes, see:
diff -Nru systemd-255/debian/systemd-sysv.postinst systemd-255/debian/systemd-sysv.postinst
--- systemd-255/debian/systemd-sysv.postinst 2023-11-06 22:59:20.000000000 +0100
+++ systemd-255/debian/systemd-sysv.postinst 2023-12-11 12:32:20.000000000 +0100
@@ -2,6 +2,22 @@
set -e
+# begin-remove-after: released:trixie
+if [ "$1" = "configure" ]; then
+ for n in halt poweroff shutdown; do
+ fn=$(dpkg-divert --truename "/usr/sbin/$n")
+ if ! test -h "$fn"; then
+ if test "$fn" = "/usr/sbin/$n"; then
+ echo "/usr/sbin/$n vanished in /usr-merge upgrade. Restoring."
+ else
+ echo "/usr/sbin/$n (diverted to $fn) vanished in /usr-merge upgrade. Restoring."
+ fi
+ ln -sf ../bin/systemctl "$fn"
+ fi
+ done
+fi
+# end-remove-after
+
# update grub on first install, so that the alternative init system boot
# entries get updated
if [ "$1" = configure ] && [ -z "$2" ] && [ -e /boot/grub/grub.cfg ] && command -v update-grub >/dev/null; then
-------------- next part --------------
diff -Nru molly-guard-0.8.1/debian/changelog molly-guard-0.8.2/debian/changelog
--- molly-guard-0.8.1/debian/changelog 2023-11-11 23:02:55.000000000 +0100
+++ molly-guard-0.8.2/debian/changelog 2023-11-20 09:18:25.000000000 +0100
@@ -1,3 +1,9 @@
+molly-guard (0.8.2) UNRELEASED; urgency=medium
+
+ * Attempt to fix the /usr-merge fallout. (Closes: #1056279)
+
+ -- Helmut Grohne <helmut at subdivi.de> Mon, 20 Nov 2023 09:18:25 +0100
+
molly-guard (0.8.1) unstable; urgency=medium
* Upload to unstable
diff -Nru molly-guard-0.8.1/debian/molly-guard.postrm molly-guard-0.8.2/debian/molly-guard.postrm
--- molly-guard-0.8.1/debian/molly-guard.postrm 2023-11-11 23:02:55.000000000 +0100
+++ molly-guard-0.8.2/debian/molly-guard.postrm 2023-11-20 09:18:25.000000000 +0100
@@ -16,22 +16,14 @@
# for details, see http://www.debian.org/doc/debian-policy/ or
# the debian-policy package
-
case "$1" in
remove)
- for cmd in halt poweroff reboot shutdown coldreboot ; do
- dpkg-divert --package molly-guard --no-rename --remove /sbin/$cmd
- dpkg-divert --package molly-guard --no-rename --remove "/usr/sbin/$cmd"
- if test -e "/usr/lib/molly-guard/$cmd"; then
- mv "/usr/lib/molly-guard/$cmd" "/usr/sbin/$cmd"
- fi
+ for cmd in halt poweroff reboot shutdown coldreboot; do
+ dpkg-divert --package molly-guard --rename --remove "/sbin/$cmd"
done
-
- for cmd in pm-hibernate pm-suspend pm-suspend-hybrid ; do
- dpkg-divert --package molly-guard --rename --remove /usr/sbin/$cmd
+ for cmd in halt poweroff reboot shutdown coldreboot pm-hibernate pm-suspend pm-suspend-hybrid ; do
+ dpkg-divert --package molly-guard --rename --remove "/usr/sbin/$cmd"
done
-
- (test -d /lib/molly-guard && rmdir --ignore-fail-on-non-empty /lib/molly-guard) || true
;;
purge|upgrade|failed-upgrade|abort-upgrade|abort-install|disappear)
diff -Nru molly-guard-0.8.1/debian/molly-guard.preinst molly-guard-0.8.2/debian/molly-guard.preinst
--- molly-guard-0.8.1/debian/molly-guard.preinst 2023-11-11 23:02:55.000000000 +0100
+++ molly-guard-0.8.2/debian/molly-guard.preinst 2023-11-20 09:18:25.000000000 +0100
@@ -14,34 +14,49 @@
case "$1" in
install|upgrade)
- mkdir -p /usr/lib/molly-guard
-
# Cleanup erroneous diversions added in 0.6.0
for cmd in pm-hibernate pm-suspend pm-suspend-hybrid ; do
dpkg-divert --package molly-guard --rename --remove /sbin/$cmd
done
for cmd in halt poweroff reboot shutdown coldreboot ; do
- dpkg-divert --package molly-guard --divert "/usr/lib/molly-guard/$cmd" --no-rename --add "/usr/sbin/$cmd"
- # DEP17 M18 duplicated diversion. Can be removed after trixie.
- dpkg-divert --package molly-guard --divert "/lib/molly-guard/$cmd" --no-rename --add "/sbin/$cmd"
- # Avoid --rename as long as we need duplicated diversions.
- if test "$1" = install; then
- if test -e "/usr/sbin/$cmd"; then
- mv "/usr/sbin/$cmd" "/usr/lib/molly-guard/$cmd"
+ truenameusr="$(dpkg-divert --truename "/usr/sbin/$cmd")"
+ truenamealias="$(dpkg-divert --truename "/sbin/$cmd")"
+ rename_flag=--no-rename
+ if test "$truenameusr" = "/usr/sbin/$cmd" && test "$truenamealias" = "/sbin/$cmd"; then
+ rename_flag=--rename
+ fi
+ if test "$truenameusr" = "/usr/sbin/$cmd"; then
+ dpkg-divert --package molly-guard --divert "/usr/sbin/$cmd.no-molly-guard" "$rename_flag" --add "/usr/sbin/$cmd"
+ elif test "$truenameusr" != "/usr/sbin/$cmd.no-molly-guard"; then
+ dpkg-divert --package molly-guard --no-rename --remove "/usr/sbin/$cmd"
+ dpkg-divert --package molly-guard --no-rename --divert "/usr/sbin/$cmd.no-molly-guard" --add "/usr/sbin/$cmd"
+ if test -e "$truenameusr" || test -h "$truenameusr"; then
+ mv "$truenameusr" "/usr/sbin/$cmd.no-molly-guard"
fi
- if test -e "/sbin/$cmd"; then
- mv "/sbin/$cmd" "/usr/lib/molly-guard/$cmd"
+ fi
+ if test "$truenamealias" = "/sbin/$cmd"; then
+ # DEP17 M18 duplicated diversion. Can be --removed after trixie.
+ dpkg-divert --package molly-guard --divert "/sbin/$cmd.no-molly-guard.usr-is-merged" "$rename_flag" --add "/sbin/$cmd"
+ elif test "$truenamealias" != "/sbin/$cmd.no-molly-guard.usr-is-merged"; then
+ dpkg-divert --package molly-guard --no-rename --remove "/sbin/$cmd"
+ dpkg-divert --package molly-guard --no-rename --divert "/sbin/$cmd.no-molly-guard.usr-is-merged" --add "/sbin/$cmd"
+ if test -e "$truenamealias" || test -h "$truenamealias"; then
+ mv "$truenamealias" "/sbin/$cmd.no-molly-guard.usr-is-merged"
fi
fi
done
for cmd in pm-hibernate pm-suspend pm-suspend-hybrid ; do
- if test "$(dpkg-divert --truename "/usr/sbin/$cmd")" = "/lib/molly-guard/$cmd"; then
- dpkg-divert --package molly-guard --divert "/lib/molly-guard/$cmd" --no-rename --remove "/usr/sbin/$cmd"
- dpkg-divert --package molly-guard --divert "/usr/lib/molly-guard/$cmd" --no-rename --add "/usr/sbin/$cmd"
- else
- dpkg-divert --package molly-guard --divert "/usr/lib/molly-guard/$cmd" --rename "/usr/sbin/$cmd"
+ truename="$(dpkg-divert --truename "/usr/sbin/$cmd")"
+ if test "$truename" = "/usr/sbin/$cmd"; then
+ dpkg-divert --package molly-guard --divert "/usr/sbin/$cmd.no-molly-guard" --rename "/usr/sbin/$cmd"
+ elif test "$truename" != "/usr/sbin/$cmd.no-molly-guard"; then
+ dpkg-divert --package molly-guard --no-rename --remove "/usr/sbin/$cmd"
+ dpkg-divert --package molly-guard --divert "/usr/sbin/$cmd.no-molly-guard" --no-rename --add "/usr/sbin/$cmd"
+ if test -e "$truename" -o -h "$truename"; then
+ mv "$truename" "/usr/sbin/$cmd.no-molly-guard"
+ fi
fi
done
;;
diff -Nru molly-guard-0.8.1/shutdown.in molly-guard-0.8.2/shutdown.in
--- molly-guard-0.8.1/shutdown.in 2023-11-11 23:02:55.000000000 +0100
+++ molly-guard-0.8.2/shutdown.in 2023-11-20 09:18:25.000000000 +0100
@@ -13,13 +13,14 @@
SCRIPTSDIR="@cfgdir@/run.d"
CMD="${0##*/}"
-EXEC="@REALPATH@/$CMD"
case "$CMD" in
halt|reboot|shutdown|poweroff|coldreboot|pm-hibernate|pm-suspend|pm-suspend-hybrid)
- if [ ! -f $EXEC ]; then
- echo "E: not a regular file: $EXEC" >&2
- exit 4
+ if ! EXEC=$(command -v "$CMD.no-molly-guard"); then
+ if ! EXEC=$(command -v "$CMD.no-molly-guard.usr-is-merged"); then
+ echo "E: not a regular file: $EXEC" >&2
+ exit 4
+ fi
fi
if [ ! -x $EXEC ]; then
echo "E: not an executable: $EXEC" >&2
@@ -65,7 +66,7 @@
(*-molly-guard-do-nothing) DO_NOTHING=1;;
(*-help)
usage 2>&1
- eval $EXEC --help 2>&1
+ ( exec bash -c 'exec -a "$0" "$@"' "$CMD" "$EXEC" --help 2>&1 )
exit 0
;;
--) END_OF_ARGS=1;;
@@ -89,7 +90,7 @@
echo "$ME: would run: $EXEC $CMDARGS"
exit 0
else
- eval exec $EXEC "$CMDARGS"
+ eval exec bash -c "'"'exec -a "$0" "$@"'"'" "'$CMD'" "'$EXEC'" "$CMDARGS"
fi
}
-------------- next part --------------
TESTS= \
-_molly \
-_systemd \
molly_molly \
molly_systemd \
sidmolly_molly \
sidmolly_systemd \
newmolly_rmmolly \
newmolly_systemd \
newmolly_sysvinit \
sysvinit_molly \
systemd_molly \
systemd_systemd \
newsystemd_molly \
molly-systemd_molly \
molly-systemd_systemd \
molly-sysvinit_molly \
sidmolly-systemd_molly \
sidmolly-systemd_systemd \
newmolly-newsystemd_rmmolly \
newmolly-newsystemd_rmsystemd \
newmolly-newsystemd_sysvinit \
newmolly-sysvinit_rmmolly \
newmolly-sysvinit_systemd \
all: $(foreach t,$(TESTS),testout/$(t))
testout/%:
./testcase.sh "$(firstword $(subst _, ,$*))" "$(lastword $(subst _, ,$*))" >"$@" 2>&1; echo $$? >> "$@"
-------------- next part --------------
A non-text attachment was scrubbed...
Name: testcase.sh
Type: application/x-sh
Size: 4781 bytes
Desc: not available
URL: <http://alioth-lists.debian.net/pipermail/pkg-systemd-maintainers/attachments/20231212/93daba79/attachment.sh>
More information about the Pkg-systemd-maintainers
mailing list