Ubuntu Server team update - 24 June 2019

Hi everyone, below you will find the updates of the Ubuntu Server team members from the last week. If you are interested in discussing a topic please start a thread in the Server area of this Discourse site.

@ahasenack

• sg3-utils merge (updated to 1.44)
• #1781991 SRU verification (sssd)
• #1831292 cifs-utils update to 6.9
• freeipmi 1.6.3 merge (updated to 1.6.3, dropping a lot of delta with Debian). A bit complicated in the sense that ubuntu had been carrying a delta which was merged upstream with a slight change (two symbols were changed to a singular name, but kept the code as is)
• #1798786 fetchmail regression fix due to openssl update
• introduced the git ubuntu merge workflow to @rafaeldtinoco, our new team member. Used the bind9 merge for that
• reviews for others in the team
  Also hit an interesting case with dpkg-maintscript-helper and the removal of an obsolete configuration file via rm_conffile. It was doing the right thing in preinst, by renaming the file to .dpkg-remove, but the postinst was not removing that renamed file. Turns out the previous package was not fully installed, due to an error in its postinst, and therefore the upgraded package’s postinst didn’t act as if this was an upgrade, and left the .dpkg-remove file there.

• cloud-init
  • Merge tools/build-on-freebsd: update to python3
  • LP: #1833264 Fix cloud-init-generator path to ds-identify for redhat/centos builds
  • WIP python3 capable redhat/centos/fedora specfile Create python3 version of cloud-init for Fedora29+, RHEL8
  • LP: #1821102 Add support for rfc3442 classless static routes to EphermeralDHCP context manager.
  • POC Add async disk_setup/fs_setup of ephemeral disks using systemd-makefs to reduce time to sshd launching.
  • Review VMWare/OVF Fix post-script execution
• curtin
  • Add s390x zkey support: Use hardware encryption if available for dm_crypt devices.

curtin

• Spent some time getting to the point of being able to run the vmtests on my local machine
  • This was prompted by a code review of some of Paride’s vmtests work
• Submitted and landed a couple of changes to the vmtests code, mostly around rationalising our use of environment variables

ubuntu-advantage-client

• Added the --no-auto-attach option to ua enable (landed #615 and #632, fixing #366)
• Refactored the entitlement tests to reduce duplication of test code (landed #634)
• Fixed a bug where FIPS would show as enabled when FIPS Updates was enabled (landed #637, fixing #635)
• Cleaned up unused Debian packaging-related scripts (landed #627, filed #631 for reintroducing make deps and fixed that by landing #633)
• Plenty of code review for Chad and others

Miscellaneous

• Rebuilt the jenkins-job-linter snap for security updates in the archive
• Various code reviews of Jenkins job and boot speed measurement tooling changes

VIRTUALIZATION

QEMU HW mitigations support (ARCH_CAPABILITIES)
LP: #1828495 | PPA: #1828495 | MERGE: #1828495
Backported ARCH_CAPABILITIES MSR functionality AND {Ice,Cascade}Lake CPU support to QEMU 2.11 (Ubuntu Bionic). With this features, guest can now report not being susceptible to a specific side-channel vulnerability. For this particular case, by supporting IA32_ARCH_CAPABILITIES MSR we are able to provide the same MSR to a KVM/QEMU guest, informing its kernel about HW support for:

• IBRS_ALL (enhanced IBRS support)
• SKIP_L1DFL_VMENTRY (L1D flush is needed on VMENTRY)
• RDCL_NO (HW is vulnerable to Rogue Data Cache Load)
• Foreshadow-NG (OS) vuln. (L1 terminal fault, OS)
• Foreshadow-NG (VMM) vuln. (L1 terminal fault, VMM)

and making it to take better decisions on which mitigation to use, if one is needed (leveraging guest performance for those CPUs).

Note: Tested the backport in a Cascade Lake system and was able to make the Spectre and Meltdown mitigation detection tool to identify correctly the IA32_ARCH_CAPABILITIES and activate (or deactivate) mitigations in order to have a better performance. Libvirt support for {Ice,Cascade}Lake CPUs might be needed now.

UBUNTU HA

Creating a list of High Availability packages to be tested, customized, merged (if needed) and documented properly so Ubuntu Server has better HA support. Packages from ClusterLabs will be investigated if not included in Debian/Ubuntu.

CTDB NFS HA Enablement
LP: #722201 | BP: #722201 | PPA: #722201 | MR: #722201
Enabling Samba CTDB for NFS HA: After having pushed an initial tought on how to better enable CTDB for a NFS HA configuration, in this case on top of a GlusterFS, @ahasenack has discussed with me a better way to provide configuration examples so I need to move config examples from /etc to /usr/share/doc. There is a blueprint explaining the changes and how to use CTDB for NFS HA.

OTHER

• Learned how to use git-ubuntu tool for merges.
• Pushed a merge request for bind9.

I’ve been working on the upcoming MySQL 8 transition.

Virtualization

• A fixup we made for libvirt packaging in regard to libxl got merged in Debian MP #28
• Created several custom qemu/libvirt and other virtualization-stack component builds
• Libvirt UI issue in eoan in regard to apparmor peer detection in bug 1833040 got debugged fixed and brought upstream as well as fixed in Eoan eventually
• Continued my work on the merge of spice 14.2 which implies spice-protocol and spice-gtk uploads with all needing some minor cleanups. Not complete yet, but upstream accepted my fix for arm64 and ppc64el that broke us.
• Again another report of bug 1797581 crashing kernels on ipxe boot, continuing to try to get the artifacts needed to trigger this outside of maas.

Misc

• Analyzed bug 1832915 and fixed in numad PR #3 a related crash in numad on systems with sparse nodeid
• Analyzed issues with libvirt-guest shutdown dependencies for bug 1832859. This seemed correct at first, but looking deeper identified an issue in LVM2 which continues upstream at issue #18
• Continued to work with @powersj to clean our package subscriptions/ownership to reduce noise on triage and clarify responsibilities in some cases
• introduced @rafaeldtinoco into docs/tools/tests/projects used in the context of our virtualization stack
• Packaged and tested postgresql for the sudden release of fixes for CVE-2019-10164
• bug 1830094 resolved bochs vodoo support completed for Eoan

SRUs

• open-vm-tools minor release updated for bug 1822204 got all tests completed and released
• openvpn bug 1828771 around capabilities for script usage
• libvirt (ongoing exceptions massage successful)
• two passed on the pending-sru page to clear flaky tests affecting the Teams uploads
• Xenial qemu fixes for bug 1828288 (AMD warning) and bug 1829380 (vhost user) got released

Reviews

• multiple rounds of review for the cascade lake qemu patch stack - see bug 1828495
• smaller reviews for freeipmi, rabbitmq , iproute and a few other packages I forgot

P.S. Sorry to lack links, but thanks to my user being considered too new I had to unformat things when posting :-/

curtin

• Initial work for enabling curtin vmtests on arm64 and ppc
• Reviewed @Odd_Bloke’s curtin branch implementing CURTIN_VMTEST_APT_PROXY

performance metrics

• Ongoing work on a set of scripts and jobs that will allow collecting boot speed data of Ubuntu Server in different environments (clouds and devices), with the goal of evaluating performance over time.
• Added some new functions to pycloudlib to ease working with cloud instances:
  • released_image(): Allow working with cloud images from the “releases” channel
  • image_serial(): Lookup the Ubuntu image serial given its cloud image ID
  • When restarting an images allow for waiting for the instance to complete the reboot process

packaging

• Reviewed @ahasenack’s MPs for sg3-utils and ubuntu-advantage-client

behind the scenes

• Redeployed the server-team main Jenkins node with Bionic

Like Christian I hit the link limit per post for new users :-/

Packaging

• fetchmail
  • merge (updated to 6.4.0~beta4-3).
  • Added dep8 tests.
  • Included several patches from upstream.
  • Retriaged all fetchmail bug reports.
• php
  • Started working on php 7.3 transition. Set up a PPA to run tests in, did a lot of background reading on past work.
• LP: #1822776 SRU bash - accepted to proposed
• LP: #1819074 SRU keepalived - identified next steps for testers
• LP: #1773324 SRU rabbitmq-server - sponsored
• Reviews for others in the team: bind9, sg3-utils

Development

• git-ubuntu
  • Poked around in git-ubuntu’s internals while attempting to debug various errors with the build-source/lint commands.
• Wrote new launchpadapi script, usmerges, to list merges for the server team. This is aimed at maybe improving the current server team merges page.

Miscellaneous

• Attended the Portland “Knitting Circle”. A bunch of local Canonicallers, ex-Canonicallers, and others in the Portland, Oregon tech community get together for a co-working event about once a month. This time we met at Google’s Portland offices. I picked Steve Langasek’s brain regarding support for PHP “long tail” apps, and I finally got to meet Pat Gaughen in person.

ubuntu-advantage-tools

• updated unreleased client to reduce apt-helper timeout from 2 mins to 20 seconds on inaccessible APT repo
• catch dpkg lock contention and provide cleaner UserFacingErrors
• update debian/changelog for upcoming v.19.5 release
• spec review for series-specific overrides modeling from contracts API team
• add Ubuntu series-specific overrides to not auto-enable livepatch on trusty during attach
• spec work for supporting multiple contracts

cloud-init

• add region and availability zone instance metadata for Azure from IMDS.
  cloud-init query --format '{{region}} {{availability_zone}}' Now works on Azure
• active merge proposal review and bug triage
• host cloud-init status meeting on Freednode in #cloud-init
• investigation into discourse post utility to streamline some of cloud-init publishing

curtin

• Review @raharper’s s390 zkey support branch