[Bug 2139418] [NEW] apt-get update stalls infinitely if DNS resolution fails

Philipp Hahn 2139418 at bugs.launchpad.net
Fri Jan 30 12:29:35 UTC 2026 

Public bug reported:

Landscape-package-reporter resp. `apt.systemd.daily` trigger a `apt-get
update`. As my company uses a VPN and some of my APT sources are hosted
inside the VPN, DNS resolution of those hosts sometimes fail, especially
after suspend-to-disk/ram after which the VPN does no longer work until
I re-login.

If `apt-get update` then runs it looks like the first DNS lookup fails
and APT schedules the repository for retry. After 2 more failures `apt-
transport-http` gives up and stops trying, but `apt-get` (the parent
process) still sees one outstanding request and waits forever.


With 'Debug::pkgAcquire "true"' and 'Debug::phgAcquire::Worker "true"' and a wrapper around '/usr/bin/apt-get' I was finally able to capture a log-output showing the issue:

-> https:600 URI Acquire
URI: https://packages.XXX.de/XXX-core/ubuntu/dists/noble/InRelease
Filename: /var/lib/apt/lists/partial/packages.XXX.de_XXX-core_ubuntu_dists_noble_InRelease
Target-Type: index
Target-Release: noble
Target-Repo-URI: https://packages.XXX.de/XXX-core/ubuntu/
Target-Base-URI: https://packages.XXX.de/XXX-core/ubuntu/dists/noble/
Target-Site: https://packages.XXX.de/XXX-core/ubuntu
Index-File: true
Maximum-Size: 10000000
Last-Modified: Tue, 09 Dec 2025 07:41:33 GMT
Fail-Ignore: true
Signed-By: …

<- https:102 Status
Message: Connecting tot packages.XXX.de
URI: https://packages.XXX.de/XXX-core/ubuntu/dists/noble/InRelease

<- https:400 URI Failure
Transient-Failure: true
FailReason: ResolveFailure
Message: Could not resolve 'packages.XXX.de'
URI: https://packages.XXX.de/XXX-core/ubuntu/dists/noble/InRelease


Landscape resp. APT then hangs there forever until I do a `sudo pkill apt-get`. No updates – including any security updates – are installed until then.

I have found 2 suspect location in the APT source code:

1.    https://salsa.debian.org/apt-team/apt/-/blob/main/apt-pkg/acquire-item.cc?ref_type=heads#L915-921 puts the worker into an idle state to wait for the next retry. Maybe the worker should exit here instead if the last retry failed?
2.    https://salsa.debian.org/apt-team/apt/-/blob/main/apt-pkg/acquire-worker.cc?ref_type=heads#L686-765 handles the retries. Is the `Owner->Retries != 0` there wrong or is a fall-through in case of an error missing, when all retries failed?


I have been unable to force this bug by disabling the VPN and running `apt-get update` manually, so one important condition might be missing from my report. Any advise on how to continue debugging here is also appreciated.

ProblemType: Bug
DistroRelease: Ubuntu 24.04
Package: ubuntu-release-upgrader-core 1:24.04.27
ProcVersionSignature: Ubuntu 6.8.0-90.91-generic 6.8.12
Uname: Linux 6.8.0-90-generic x86_64
NonfreeKernelModules: nvidia_modeset nvidia
ApportVersion: 2.28.1-0ubuntu3.8
Architecture: amd64
CasperMD5CheckResult: pass
CrashDB: ubuntu
CurrentDesktop: ubuntu:GNOME
Date: Fri Jan 30 13:08:08 2026
InstallationDate: Installed on 2025-01-31 (364 days ago)
InstallationMedia: Ubuntu 22.04.5 LTS "Jammy Jellyfish" - Release amd64 (20240911)
PackageArchitecture: all
SourcePackage: ubuntu-release-upgrader
Symptom: dist-upgrade
UpgradeStatus: No upgrade log present (probably fresh install)
VarLogDistupgradeTermlog:

** Affects: ubuntu-release-upgrader (Ubuntu)
     Importance: Undecided
         Status: New


** Tags: amd64 apport-bug dist-upgrade noble

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to ubuntu-release-upgrader in
Ubuntu.
https://bugs.launchpad.net/bugs/2139418

Title:
  apt-get update stalls infinitely if DNS resolution fails

Status in ubuntu-release-upgrader package in Ubuntu:
  New

Bug description:
  Landscape-package-reporter resp. `apt.systemd.daily` trigger a `apt-
  get update`. As my company uses a VPN and some of my APT sources are
  hosted inside the VPN, DNS resolution of those hosts sometimes fail,
  especially after suspend-to-disk/ram after which the VPN does no
  longer work until I re-login.

  If `apt-get update` then runs it looks like the first DNS lookup fails
  and APT schedules the repository for retry. After 2 more failures
  `apt-transport-http` gives up and stops trying, but `apt-get` (the
  parent process) still sees one outstanding request and waits forever.

  
  With 'Debug::pkgAcquire "true"' and 'Debug::phgAcquire::Worker "true"' and a wrapper around '/usr/bin/apt-get' I was finally able to capture a log-output showing the issue:

  -> https:600 URI Acquire
  URI: https://packages.XXX.de/XXX-core/ubuntu/dists/noble/InRelease
  Filename: /var/lib/apt/lists/partial/packages.XXX.de_XXX-core_ubuntu_dists_noble_InRelease
  Target-Type: index
  Target-Release: noble
  Target-Repo-URI: https://packages.XXX.de/XXX-core/ubuntu/
  Target-Base-URI: https://packages.XXX.de/XXX-core/ubuntu/dists/noble/
  Target-Site: https://packages.XXX.de/XXX-core/ubuntu
  Index-File: true
  Maximum-Size: 10000000
  Last-Modified: Tue, 09 Dec 2025 07:41:33 GMT
  Fail-Ignore: true
  Signed-By: …

  <- https:102 Status
  Message: Connecting tot packages.XXX.de
  URI: https://packages.XXX.de/XXX-core/ubuntu/dists/noble/InRelease

  <- https:400 URI Failure
  Transient-Failure: true
  FailReason: ResolveFailure
  Message: Could not resolve 'packages.XXX.de'
  URI: https://packages.XXX.de/XXX-core/ubuntu/dists/noble/InRelease

  
  Landscape resp. APT then hangs there forever until I do a `sudo pkill apt-get`. No updates – including any security updates – are installed until then.

  I have found 2 suspect location in the APT source code:

  1.    https://salsa.debian.org/apt-team/apt/-/blob/main/apt-pkg/acquire-item.cc?ref_type=heads#L915-921 puts the worker into an idle state to wait for the next retry. Maybe the worker should exit here instead if the last retry failed?
  2.    https://salsa.debian.org/apt-team/apt/-/blob/main/apt-pkg/acquire-worker.cc?ref_type=heads#L686-765 handles the retries. Is the `Owner->Retries != 0` there wrong or is a fall-through in case of an error missing, when all retries failed?

  
  I have been unable to force this bug by disabling the VPN and running `apt-get update` manually, so one important condition might be missing from my report. Any advise on how to continue debugging here is also appreciated.

  ProblemType: Bug
  DistroRelease: Ubuntu 24.04
  Package: ubuntu-release-upgrader-core 1:24.04.27
  ProcVersionSignature: Ubuntu 6.8.0-90.91-generic 6.8.12
  Uname: Linux 6.8.0-90-generic x86_64
  NonfreeKernelModules: nvidia_modeset nvidia
  ApportVersion: 2.28.1-0ubuntu3.8
  Architecture: amd64
  CasperMD5CheckResult: pass
  CrashDB: ubuntu
  CurrentDesktop: ubuntu:GNOME
  Date: Fri Jan 30 13:08:08 2026
  InstallationDate: Installed on 2025-01-31 (364 days ago)
  InstallationMedia: Ubuntu 22.04.5 LTS "Jammy Jellyfish" - Release amd64 (20240911)
  PackageArchitecture: all
  SourcePackage: ubuntu-release-upgrader
  Symptom: dist-upgrade
  UpgradeStatus: No upgrade log present (probably fresh install)
  VarLogDistupgradeTermlog:

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ubuntu-release-upgrader/+bug/2139418/+subscriptions

More information about the foundations-bugs mailing list