[Bug 779702] New: Remote Update via "zypper dup" breaks when "openssh" is updated
https://bugzilla.novell.com/show_bug.cgi?id=779702 https://bugzilla.novell.com/show_bug.cgi?id=779702#c0 Summary: Remote Update via "zypper dup" breaks when "openssh" is updated Classification: openSUSE Product: openSUSE 12.2 Version: Final Platform: All OS/Version: openSUSE 12.2 Status: NEW Severity: Normal Priority: P5 - None Component: Update Problems AssignedTo: bnc-team-screening@forge.provo.novell.com ReportedBy: ralf@bj-ig.de QAContact: jsrain@suse.com Found By: --- Blocker: --- User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_4) AppleWebKit/536.25 (KHTML, like Gecko) Version/6.0 Safari/536.25 I'm currently updating a server from Tumbleweed to 12.2 using "zypper dup". I did this via a ssh connection. The update broke when zypper updated openssh because the ssh connection was closed: [...] Installation von: pam_mktemp-1.1.1-2.1.2 [fertig] Installation von: pam_chroot-0.9.2-56.1.2 [fertig] Installation von: openssh-6.0p1-2.3.3 [97%]Connection to xxx closed by remote host. Connection to xxx closed. Reproducible: Always Steps to Reproduce: 1. zypper dup via ssh 2. wait until openssh is updated 3. connection closed, updated failed -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.
https://bugzilla.novell.com/show_bug.cgi?id=779702 https://bugzilla.novell.com/show_bug.cgi?id=779702#c kk zhang <kkzhang@suse.com> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |kkzhang@suse.com AssignedTo|bnc-team-screening@forge.pr |ma@suse.com |ovo.novell.com | -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.
https://bugzilla.novell.com/show_bug.cgi?id=779702 https://bugzilla.novell.com/show_bug.cgi?id=779702#c Michael Andres <ma@suse.com> changed: What |Removed |Added ---------------------------------------------------------------------------- AssignedTo|ma@suse.com |zypp-maintainers@forge.prov | |o.novell.com -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.
https://bugzilla.novell.com/show_bug.cgi?id=779702 https://bugzilla.novell.com/show_bug.cgi?id=779702#c1 Michael Andres <ma@suse.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |RESOLVED Resolution| |WONTFIX --- Comment #1 from Michael Andres <ma@suse.com> 2012-09-13 13:36:39 CEST --- There are several reasons why such a remote driven update may fail. Try running zypper in non-interactive mode and use `nohup` to ignore hangup signals. This way zypper should continue even if the connection breaks. That's of course no guaranty that you are able to re-connect to the system, even if the zypper update succeeds. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.
https://bugzilla.novell.com/show_bug.cgi?id=779702 https://bugzilla.novell.com/show_bug.cgi?id=779702#c2 Ralf Müller <ralf@bj-ig.de> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|RESOLVED |REOPENED Resolution|WONTFIX | Severity|Normal |Enhancement --- Comment #2 from Ralf Müller <ralf@bj-ig.de> 2012-09-13 14:03:11 UTC --- To be honest - this was not a "zypper does run to its preferred end report", it was a "zypper update openssh closes the remote connection" report. I would not say it is very urged, but at least it is a major difference to its behavior in the last several years. In the past you could _rely_ on the fact, that whatever you do - rcsshd restart, rpm -Uvh openssh, zypper dup - the remote connection was untouched and stable. I think this is a nice feature and I think this feature should be reestablished. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.
https://bugzilla.novell.com/show_bug.cgi?id=779702 https://bugzilla.novell.com/show_bug.cgi?id=779702#c3 Christian Boltz <suse-beta@cboltz.de> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |fcrozat@suse.com, | |suse-beta@cboltz.de AssignedTo|zypp-maintainers@forge.prov |pcerny@suse.com |o.novell.com | --- Comment #3 from Christian Boltz <suse-beta@cboltz.de> 2012-09-14 00:12:06 CEST --- I'd guess this bug is located in the openssh package (and maybe systemd), but not in zypp ;-) I'm therefore reassigning to the openssh maintainer and CC'ing Frederic. The following is something like a wild guess with my understanding of the problem. In openSUSE 12.1, openssh did not contain a systemd service file and therefore the initscript was used. openSUSE 12.2 contains a service file. My _guess_ is: Combine this with the usual behaviour of systemd when stopping a service (which means: kill all processes in the cgroup) and it could explain why your connection is killed. The service file in 12.2 contains a line to avoid killing all processes, but I'd guess the update from the 12.1 init script to the 12.2 service file is the problematic part. I'm not sure if/how it is fixable (an update to add the service file to 12.1 might come to mind, but at the risk to break the ssh connection when installing this update). _If_ I'm right, then the only risk-less solution might be to document this in the 12.2 release notes and recommend to run zypper dup inside screen to let you re-connect easily. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.
https://bugzilla.novell.com/show_bug.cgi?id=779702 https://bugzilla.novell.com/show_bug.cgi?id=779702#c4 --- Comment #4 from Petr Cerny <pcerny@suse.com> 2012-09-14 13:00:49 UTC --- (In reply to comment #3)
In openSUSE 12.1, openssh did not contain a systemd service file and therefore the initscript was used. openSUSE 12.2 contains a service file.
My _guess_ is: Combine this with the usual behaviour of systemd when stopping a service (which means: kill all processes in the cgroup) and it could explain why your connection is killed.
I believe you are right. Init script by default does not kill existing sshd connections.
_If_ I'm right, then the only risk-less solution might be to document this in the 12.2 release notes and recommend to run zypper dup inside screen to let you re-connect easily.
Very good point. Additionally, when server access is complicated (i.e. no direct access and even no side channel in the form of a remote power control or hw-integrated management facility) having a spare sshd (note necessarily openssh, dropbear suffices) running on a different port (at least during the update) which wouldn't be affected by the update process, is a Good Idea. As it has to be done at some point I believe we could push the service file to 12.1 as well with the next maintenance update accompanied by the release notes. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.
https://bugzilla.novell.com/show_bug.cgi?id=779702 https://bugzilla.novell.com/show_bug.cgi?id=779702#c5 Christian Boltz <suse-beta@cboltz.de> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|REOPENED |NEEDINFO CC| |ke@suse.com InfoProvider| |ke@suse.com --- Comment #5 from Christian Boltz <suse-beta@cboltz.de> 2012-09-14 20:47:10 CEST --- (In reply to comment #4)
As it has to be done at some point I believe we could push the service file to 12.1 as well with the next maintenance update
If this means it kills open ssh connections when installing the update, please don't do it. That would be even worse than killing the connection on a distribution upgrade.
accompanied by the release notes.
I propose the following text: When upgrading from openSUSE 12.1 (or older), open SSH connections will be closed when the new openssh package is installed. If you are upgrading with "zypper dup" over SSH, run "zypper dup" inside "screen" so that you can re-connect easily. Karl, can you please add this to the release notes? (Unless Petr wants a different text, of course ;-) -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.
https://bugzilla.novell.com/show_bug.cgi?id=779702 https://bugzilla.novell.com/show_bug.cgi?id=779702#c6 --- Comment #6 from Petr Cerny <pcerny@suse.com> 2012-09-14 22:58:51 UTC --- (In reply to comment #5)
If this means it kills open ssh connections when installing the update, please don't do it. That would be even worse than killing the connection on a distribution upgrade.
Usually. On the other hand, our regular updates usually do not change APIs so interrupted update is IMHO less likely to render the system unusable.
I propose the following text:
I'm fine with your suggestion, although I would probably modify it slightly (mostly because I dislike screen): When upgrading from openSUSE 12.1 (or older), open SSH connections will be closed when the new openssh package is upgraded. If you are upgrading with "zypper dup" over SSH, run "zypper dup" inside a resumable terminal multiplexer (e.g. "screen" or "tmux") so that you can re-connect easily, or at least immune to connection loss (e.g. via "nohup"). -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.
https://bugzilla.novell.com/show_bug.cgi?id=779702 https://bugzilla.novell.com/show_bug.cgi?id=779702#c Karl Eichwalder <ke@suse.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Blocks| |780719 -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.
https://bugzilla.novell.com/show_bug.cgi?id=779702 https://bugzilla.novell.com/show_bug.cgi?id=779702#c7 Karl Eichwalder <ke@suse.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEEDINFO |REOPENED InfoProvider|ke@suse.com | --- Comment #7 from Karl Eichwalder <ke@suse.com> 2012-09-17 15:48:57 CEST --- Thanks, I'm going to add this snippet: <sect2 id="sec.122.zypper-openssh"> <!-- bnc#779702 --> <title>Remote Update via "zypper dup"</title> <para> When upgrading from openSUSE 12.1 (or older), openSSH connections will be closed when the new openssh package is upgraded. If you are upgrading with "zypper dup" over SSH, run "zypper dup" inside a resumable terminal multiplexer (e.g., "screen" or "tmux") so that you can re-connect easily, or at least immune to connection loss (e.g., via "nohup"). </para> </sect2> ============================================================================== Please, close this bug. I'll publish the release notes with bug 780719. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.
https://bugzilla.novell.com/show_bug.cgi?id=779702 https://bugzilla.novell.com/show_bug.cgi?id=779702#c8 Petr Cerny <pcerny@suse.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|REOPENED |CLOSED Resolution| |FIXED --- Comment #8 from Petr Cerny <pcerny@suse.com> 2012-09-17 14:15:26 UTC --- Closing as per comment #7. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.
https://bugzilla.novell.com/show_bug.cgi?id=779702 https://bugzilla.novell.com/show_bug.cgi?id=779702#c9 --- Comment #9 from Swamp Workflow Management <swamp@suse.de> 2012-10-09 10:09:12 UTC --- openSUSE-RU-2012:1318-1: An update that has four recommended fixes can now be installed. Category: recommended (low) Bug References: 779702,780654,781131,781700 CVE References: Sources used: openSUSE 12.2 (src): release-notes-openSUSE-12.2.8-1.8.1 -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.
https://bugzilla.novell.com/show_bug.cgi?id=779702 https://bugzilla.novell.com/show_bug.cgi?id=779702#c10 --- Comment #10 from Frederic Crozat <fcrozat@suse.com> 2012-10-10 08:00:08 UTC --- For the record, the situation might improve with future systemd (and upcoming 12.2 maintenance update for systemd) which should not kill ssh session when restarting sshd service (to be tested). But it will only be fixed when sshd is started by the "new/fixed" systemd. see bnc#780966 -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.
participants (1)
-
bugzilla_noreply@novell.com