[Bug 941922] Re: do-release-upgrade races puppet for file contents

Brian Murray brian at ubuntu.com
Wed Feb 29 15:47:59 UTC 2012 

** Tags added: dist-upgrade

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to update-manager in Ubuntu.
https://bugs.launchpad.net/bugs/941922

Title:
  do-release-upgrade races puppet for file contents

Status in “update-manager” package in Ubuntu:
  New

Bug description:
  This is something of a larger problem with configuration management,
  but if puppet is running while do-release-upgrade runs, puppet may re-
  assert contents of files that the package manager has just changed.

  Puppet allows you to key off of the currently running distro release,
  so one could imagine boot-critical configuration (filesystems, etc)
  being set to e.g. Lucid versions just before a reboot into Precise.
  If the reboot succeeds, puppet would subsequently deliver the Precise
  versions and things could sort themselves out, but the reboot could
  well be stymied by older Lucid versions.

  The canonical-memento puppet manifests include a lot of safety
  features to prevent precisely this scenario: we insist that /etc be
  maintained in bzr, and we halt all configuration management if there
  are uncommitted changes there.  This means that once the package
  manager changes any file in /etc, puppet refuses to run. Not everyone
  will be as careful as we are, and even our system is not atomic.

  This is of course not specific to do-release-upgrade, and it's a
  problem any time you upgrade a package.  It's just most dangerous
  during d-r-u, because of the breadth and depth of changes.

  The upgrade could shut down the puppet agent before upgrading, but
  once puppet itself is upgraded that will trigger a restart.  It's
  probably best to do `puppet agent --disable` before shutting down
  puppet.  Once this is done, it may be worth warning the sysadmin at
  the end (perhaps while advising a reboot) that puppet was running
  before the upgrade, and that something like `puppet agent -t --noop`
  is useful for seeing what changes puppet would make.

  Of course, it's an architectural flaw in puppet that --noop runs still
  upload exported resources to the database, and that's just a hazard of
  puppet administration these days.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/update-manager/+bug/941922/+subscriptions

More information about the foundations-bugs mailing list