[Bug 1990863] Re: conversion from sshd service to socket is too bumpy
Steve Langasek
1990863 at bugs.launchpad.net
Sun Oct 2 05:45:15 UTC 2022
I don't have a complete solution to this, but I do have several points.
- debconf prompts on upgrade are not, in general, good UX. It disrupts
the flow of the upgrade. Sometimes it's necessary, but if all it's
doing is telling the user they *may* have a broken config after
upgrading, well, if every package for which that's true did that
upgrades would be very slow indeed. And for users upgrading a large
number of systems, that becomes one more nuisance. So no, I don't think
we should add a prompt on upgrade for this. (There's also the practical
problem that if we introduced such a prompt at this point in the release
cycle, it would not realistically get translated, reducing accessibility
for our users vs communicating this in other ways that could be
localized out-of-band.)
- As Robie pointed out in comment #4, there is no guarantee that ansible playbooks work consistently across releases. Regardless of whether we made changes that would have allowed the migration of settings in your case, if you had had to reinstall kinetic instead of upgrading from jammy, those changes in the openssh-server maintainer scripts would not have taken effect. Your ansible playbook is therefore buggy wrt kinetic, and should be fixed, which is out of scope for Ubuntu and the bug tracker. But the following contents in a file named /etc/systemd/system/ssh.socket.d/addresses.conf should set you on the right path:
[Socket]
ListenStream=
ListenStream=$portnum
- I have long been displeased with ucf's three-way-merge support. In
particular, when identical content exists both in the user's version and
in the new version but not in the base version, ucf will treat this as a
merge conflict. This is awful, and specifically caused problems for
upgrades from all cloud images when the user had not modified the sshd
config at all (LP: #1990863). I've applied a workaround for this in
openssh 1ubuntu7 (currently in the unapproved queue) that's specific to
the cloud image case and ensures clean upgrades without prompting for
users that have not modified sshd_config. I could generalize this to
all users with modified configs, resulting in two prompts on upgrade but
a better chance of successful three-way merging. Do you think that
would be an improvement over the status quo?
- Finally, there is some code I'm evaluating landing that would add a
systemd generator for the listenstream settings. This would only take
effect at boot, but would make it possible for users to continue
managing their port/listenaddress settings in sshd.conf as before.
However, we would not land this in time for the kinetic release, but
would instead consider it for the next release to improve our LTS-to-LTS
compatibility.
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to openssh in Ubuntu.
https://bugs.launchpad.net/bugs/1990863
Title:
conversion from sshd service to socket is too bumpy
Status in openssh package in Ubuntu:
New
Bug description:
During upgrade from Jammy to Kinetic, I get asked what to do because
my sshd_config has been modified. I say to do a 3-way merge. It says
3-way merge fails. I shrug, figure I'll just restore my customizations
with Ansible after the upgrade like I always do, and tell it to use
the vendor version of the file. This removes my custom Port settings,
so they are not migrated over to the ssh.socket settings like
https://discourse.ubuntu.com/t/sshd-now-uses-socket-based-activation-ubuntu-22-10-and-later/30189 says they would be. I subsequently run my
Ansible which restores the customizations and enables the ssh service,
but now ssh.service and ssh.socket are enabled at the same time, sshd
isn't listening on my specified ports, and everything is a mess. I've
never used socket-based activation before and have no idea how to
configure it so now I have to go reading man pages, Googling all over
the place, and generally struggle to figure out what the heck is going
wrong.
I don't know what the right answer is here, but I really feel like
some effort needs to be put into figuring out a smoother transition
for people who are upgrading to Kinetic.
ProblemType: Bug
DistroRelease: Ubuntu 22.10
Package: openssh-server 1:9.0p1-1ubuntu6
ProcVersionSignature: Ubuntu 5.19.0-15.15-generic 5.19.0
Uname: Linux 5.19.0-15-generic x86_64
ApportVersion: 2.23.0-0ubuntu2
Architecture: amd64
CasperMD5CheckResult: unknown
CurrentDesktop: ubuntu:GNOME
Date: Mon Sep 26 11:41:58 2022
InstallationDate: Installed on 2019-08-16 (1136 days ago)
InstallationMedia: Ubuntu 19.04 "Disco Dingo" - Release amd64 (20190416)
SourcePackage: openssh
UpgradeStatus: Upgraded to kinetic on 2022-09-24 (1 days ago)
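An added example, not code from the bug thread or from Ubuntu's openssh packaging: a POSIX shell function that derives the ssh.socket drop-in sketched in the reply above (an empty ListenStream= followed by the wanted ListenStream= entries) from the Port and ListenAddress directives of an sshd_config, which is roughly what the proposed boot-time systemd generator would have to compute. It assumes Ubuntu's ssh.socket is driven by ListenStream= and that an empty ListenStream= clears the packaged default of port 22; the function name and the config values in the comments are mine.

```shell
#!/bin/sh
# Added example, not code from the bug thread or Ubuntu's openssh packaging.
# Derive a systemd socket drop-in for ssh.socket from the Port/ListenAddress
# directives of one or more sshd_config files (pass sshd_config.d/*.conf too,
# since Ubuntu's sshd_config Includes it). Assumption: ssh.socket is configured
# with ListenStream= and an empty ListenStream= resets the packaged default.

# sshd_to_socket_dropin FILE... : print the [Socket] drop-in on stdout
sshd_to_socket_dropin() {
    # Uncommented "Port N" directives; sshd's compiled-in default is 22.
    ports=$(sed -n 's/^[[:space:]]*[Pp]ort[[:space:]]\{1,\}\([0-9]\{1,\}\).*/\1/p' "$@")
    [ -n "$ports" ] || ports=22
    # Uncommented "ListenAddress X" directives (first token only; rdomain etc. dropped).
    addrs=$(sed -n 's/^[[:space:]]*[Ll]isten[Aa]ddress[[:space:]]\{1,\}\([^[:space:]]\{1,\}\).*/\1/p' "$@")

    printf '[Socket]\nListenStream=\n'      # the empty entry clears port 22
    if [ -z "$addrs" ]; then
        # No ListenAddress: sshd binds every address on each Port.
        for p in $ports; do printf 'ListenStream=%s\n' "$p"; done
        return 0
    fi
    for a in $addrs; do
        case "$a" in
            \[*\]:*)   # [IPv6]:port, already in systemd's syntax
                printf 'ListenStream=%s\n' "$a" ;;
            \[*\])     # [IPv6] with no port: one entry per Port
                for p in $ports; do printf 'ListenStream=%s:%s\n' "$a" "$p"; done ;;
            *:*:*)     # bare IPv6 (two or more colons): needs brackets
                for p in $ports; do printf 'ListenStream=[%s]:%s\n' "$a" "$p"; done ;;
            *:*)       # IPv4/hostname:port, already explicit
                printf 'ListenStream=%s\n' "$a" ;;
            *)         # IPv4/hostname with no port: one entry per Port
                for p in $ports; do printf 'ListenStream=%s:%s\n' "$a" "$p"; done ;;
        esac
    done
}

# Usage: sshd_to_socket_dropin /etc/ssh/sshd_config /etc/ssh/sshd_config.d/*.conf \
#          > /etc/systemd/system/ssh.socket.d/addresses.conf
```

After writing the drop-in, run `systemctl daemon-reload` and restart ssh.socket, and check `systemctl is-enabled ssh.service ssh.socket` so that only the socket unit stays enabled, since the report above shows the result when both are.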