Bug #1396787 “checking trust of archives eats a lot of cpu” : Bugs : unattended-upgrades package : Ubuntu

Revision history for this message

Ernst Kloppenburg (ernst-kloppenburg) wrote on 2014-11-26:

#1

Dependencies.txt Edit (1.8 KiB, text/plain; charset="utf-8")

Revision history for this message

Trent Waddington (qg) wrote on 2015-08-25:

#2

Is there a generic bug or effort for the obtrusiveness of unattended-upgrades?

Revision history for this message

umiyosh (yumino99) wrote on 2016-04-20:

#3

dstat result Edit (132.9 KiB, text/plain)

I have same problem on GCP VM(n1-standard-2 and g1-small).
a result of dstat indicate that xz and python3 consume most of cpu time on the task.
I think this is fatal thing on small core machine.

Revision history for this message

Swistak (swistakers) wrote on 2017-12-28:

#4

unatended-upgrade-profile Edit (9.9 KiB, text/plain)

I've hit the same bug and did some investigation. I profiled the unattended-upgrade script with python's cProfile and attached the result.

I've run:
sudo python3 -m cProfile -s time /usr/bin/unattended-upgrade -d -v
on Ubuntu 16.04.3 booted from live cd after uncommenting the "${distro_id}:${distro_codename}-security"; line in /etc/apt/apt.conf.d/50unattended-upgrades. Otherwise no packages are selected for an upgrade and the issue doesn't reproduce.

It turns out that several functions in apt's cache are called millions of times. I tracked it down to the quadratic nature of the algorithm, which appears to come from the very initial version of the script:
https://github.com/mvo5/unattended-upgrades/blob/0ec001874ad48300199565f8591818ca75bc5f9f/unattended.py#L47

The check_changes_for_sanity() function loops over all packages in the cache. This function is called for every package marked for upgrade.

The problem appears on systems with many packages to upgrade (in my case it was 169). It makes the initial unattended-upgrades run ridiculously slow. Also, on systems configured to only perform security updates, but not other updates there's always a considerable list of packages to upgrade. It renders unattended-upgrades almost unusable on such systems.

I think this is a serious issue and the algorithm should be overhauled. Doing so many checks seems unnecessary.

Revision history for this message

Swistak (swistakers) wrote on 2017-12-28:

#5

After digging a bit deeper I found out that that the default configuration of /etc/apt/apt.conf.d/50unattended-upgrades is exactly the same as I had in my experiment i.e.
- the ${distro_id}:${distro_codename}-security origin is ENABLED
- the ${distro_id}:${distro_codename}-updates and others origin are DISABLED

The consequences are the following. A fresh install of Ubuntu LTS e.g. 16.04 keeps installing the *-security updates, but not the *-updates ones. The number of packages with new versions in *-updates repository keeps growing unless somebody installs them manually. It is a couple of clicks, but still many people never do it. As the list of upgradable packages grows, unattended-upgrades get slower and slower to the point that it may take hours to complete. Effectively, the automatic updates may no longer work at all depending on how a given system is used. Also the user experience gets worse with CPU busy executing the unattended-upgrades script.

All in all, I consider it a serious issue that requires attention.

Revision history for this message

Balint Reczey (rbalint) wrote on 2017-12-28:

#6

Please note that latest unattended-upgrades contain several speed improvements which are planned to be back-ported to Xenial (and Trusty).

Francis Ginther (fginther) on 2018-07-04

tags:

added: id-5acfd3863b9f75d6e6f2a6df

Revision history for this message

Launchpad Janitor (janitor) wrote on 2018-07-06:

#7

This bug was fixed in the package unattended-upgrades - 1.4ubuntu1

---------------
unattended-upgrades (1.4ubuntu1) cosmic; urgency=medium

  * Merge from Debian unstable
    - Remaining changes:
      - unattended-upgrades: Do not automatically upgrade the development
        release of Ubuntu unless Unattended-Upgrade::DevRelease is true.
    - Dropped changes, included in Debian:
      - Stop rewriting test apt.conf in test_untrusted.py.
      - Fix test_on_battery on Ubuntu development releases

unattended-upgrades (1.4) unstable; urgency=medium

  * Skip starting init.d script in debhelper-generated postinst part
    (LP: #1778800)
  * Use "deb-systemd-invoke start" instead of "systemctl start" in postinst.
    It is used only in a workaround applied for a Debian bug and for upgrading
    from pre-bionic versions.
  * Clear cache when autoremoval is invalid for a package set marked for
    removal (LP: #1779157)
  * Clear cache after failed commits to return from a possibly invalid state
  * Unlock for dpkg operations with apt_pkg.pkgsystem_unlock_inner() when it
    is available, also stop running when reacquiring the lock fails.
    Thanks to to Julian Andres Klode for original partial patch
  * Use fully qualified domain name in email subject.
  * Send email about all failures and crashes (Closes: #898607)
  * Add short textual summary of the results in the summary email
  * Recommend overriding configuration in a separate file.
    This can be better than changing /etc/apt/apt.conf.d/50unattended-upgrades
    because package updates don't conflict with local changes this way.
  * Adjust candidates only for packages to be possibly installed
    (Closes: #892028, #899366) (LP: #1396787)
  * Add Unattended-Upgrade::OnlyOnACPower config file example for all
    distributions
  * debian/control: Drop redundant Testsuite: autopkgtest field to keep Lintian
    happy
  * Bump Standards-Version to 4.1.4
  * Add debian/tests/upgrade-all-security to install all current security
    updates. On development releases this tests latest stable, on stable
    releases it tests the release itself.
  * Skip updates on metered connections (Closes: #855570)
  * Quote shell variables in autopkgtest
  * Stop u-u early when it should stop later anyway
  * Measure time for --dry-run and after all updates are installed in
    autopkgtests
  * Filter out packages cheaper when they are not from allowed origins
  * Collect autoremovable packages, too, when looking for upgradable ones

-- Balint Reczey <email address hidden> Fri, 06 Jul 2018 13:33:29 +0200

This bug was fixed in the package unattended-upgrades - 1.4ubuntu1

---------------
unattended-upgrades (1.4ubuntu1) cosmic; urgency=medium

* Merge from Debian unstable
    - Remaining changes:
      - unattended-upgrades: Do not automatically upgrade the development
        release of Ubuntu unless Unattended-Upgrade::DevRelease is true.
    - Dropped changes, included in Debian:
      - Stop rewriting test apt.conf in test_untrusted.py.
      - Fix test_on_battery on Ubuntu development releases

unattended-upgrades (1.4) unstable; urgency=medium

* Skip starting init.d script in debhelper-generated postinst part
    (LP: #1778800)
  * Use "deb-systemd-invoke start" instead of "systemctl start" in postinst.
    It is used only in a workaround applied for a Debian bug and for upgrading
    from pre-bionic versions.
  * Clear cache when autoremoval is invalid for a package set marked for
    removal (LP: #1779157)
  * Clear cache after failed commits to return from a possibly invalid state
  * Unlock for dpkg operations with apt_pkg.pkgsystem_unlock_inner() when it
    is available, also stop running when reacquiring the lock fails.
    Thanks to to Julian Andres Klode for original partial patch
  * Use fully qualified domain name in email subject.
  * Send email about all failures and crashes (Closes: #898607)
  * Add short textual summary of the results in the summary email
  * Recommend overriding configuration in a separate file.
    This can be better than changing /etc/apt/apt.conf.d/50unattended-upgrades
    because package updates don't conflict with local changes this way.
  * Adjust candidates only for packages to be possibly installed
    (Closes: #892028, #899366) (LP: #1396787)
  * Add Unattended-Upgrade::OnlyOnACPower config file example for all
    distributions
  * debian/control: Drop redundant Testsuite: autopkgtest field to keep Lintian
    happy
  * Bump Standards-Version to 4.1.4
  * Add debian/tests/upgrade-all-security to install all current security
    updates. On development releases this tests latest stable, on stable
    releases it tests the release itself.
  * Skip updates on metered connections (Closes: #855570)
  * Quote shell variables in autopkgtest
  * Stop u-u early when it should stop later anyway
  * Measure time for --dry-run and after all updates are installed in
    autopkgtests
  * Filter out packages cheaper when they are not from allowed origins
  * Collect autoremovable packages, too, when looking for upgradable ones

-- Balint Reczey <rbalint@ubuntu.com>  Fri, 06 Jul 2018 13:33:29 +0200

Changed in unattended-upgrades (Ubuntu):
status:	New → Fix Released

Balint Reczey (rbalint) on 2018-07-11

description:

updated

Revision history for this message

Łukasz Zemczak (sil2100) wrote on 2018-07-12: Please test proposed package

#8

Hello Ernst, or anyone else affected,

Accepted unattended-upgrades into bionic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/unattended-upgrades/1.1ubuntu1.18.04.2 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed.Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-bionic to verification-done-bionic. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-bionic. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in unattended-upgrades (Ubuntu Bionic):
status:	New → Fix Committed
tags:	added: verification-needed verification-needed-bionic

Revision history for this message

Steve Langasek (vorlon) wrote on 2018-07-12:

#9

Hello Ernst, or anyone else affected,

Accepted unattended-upgrades into bionic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/unattended-upgrades/1.1ubuntu1.18.04.3 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed.Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-bionic to verification-done-bionic. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-bionic. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Revision history for this message

Łukasz Zemczak (sil2100) wrote on 2018-07-13:

#10

Hello Ernst, or anyone else affected,

Accepted unattended-upgrades into bionic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/unattended-upgrades/1.1ubuntu1.18.04.4 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed.Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-bionic to verification-done-bionic. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-bionic. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Revision history for this message

Balint Reczey (rbalint) wrote on 2018-07-18:

#11

With 1.1ubuntu1.18.04.3 u-u runs in ~3s when no package should be updated but there are upgradable packages in -updates.

https://objectstorage.prodstack4-5.canonical.com/v1/AUTH_77e2ada1e7a84929a74ba3b87153c0ac/autopkgtest-bionic/bionic/amd64/u/unattended-upgrades/20180713_084216_9f8ee@/log.gz :
...
Initial blacklisted packages:
Initial whitelisted packages:
Starting unattended upgrades script
Allowed origins are: o=Ubuntu,a=bionic, o=Ubuntu,a=bionic-security, o=UbuntuESM,a=bionic
No packages found that can be upgraded unattended and no pending auto-removals
2.71user 0.12system 0:02.84elapsed 99%CPU (0avgtext+0avgdata 78924maxresident)k
0inputs+7736outputs (0major+22416minor)pagefaults 0swaps
...

The test for 1.1ubuntu1.18.04.4 was most likely run on a slower system where the same run takes ~5s.

https://objectstorage.prodstack4-5.canonical.com/v1/AUTH_77e2ada1e7a84929a74ba3b87153c0ac/autopkgtest-bionic/bionic/amd64/u/unattended-upgrades/20180713_124827_de117@/log.gz :
...
Initial blacklisted packages:
Initial whitelisted packages:
Starting unattended upgrades script
Allowed origins are: o=Ubuntu,a=bionic, o=Ubuntu,a=bionic-security, o=UbuntuESM,a=bionic
No packages found that can be upgraded unattended and no pending auto-removals
5.01user 0.14system 0:05.16elapsed 99%CPU (0avgtext+0avgdata 78992maxresident)k
0inputs+7736outputs (0major+22427minor)pagefaults 0swaps
...

tags:

added: verification-done verification-done-bionic
removed: verification-needed verification-needed-bionic

Revision history for this message

Launchpad Janitor (janitor) wrote on 2018-07-19:

#12

This bug was fixed in the package unattended-upgrades - 1.1ubuntu1.18.04.4

---------------
unattended-upgrades (1.1ubuntu1.18.04.4) bionic; urgency=medium

* Redirect stderr output in upgrade-between-snapshots, too, otherwise it
breaks the test sometimes (LP: #1781446)

unattended-upgrades (1.1ubuntu1.18.04.3) bionic; urgency=medium

* Redirect stderr output in upgrade-all-security, otherwise it breaks the
test (LP: #1781446)

unattended-upgrades (1.1ubuntu1.18.04.2) bionic; urgency=medium

  [ Balint Reczey ]
  * Clear cache when autoremoval is invalid for a package set marked for
    removal and clear cache after failed commits to return from a possibly
    invalid state (LP: #1779157)
  * Don't start or gracefully stop upgrade on battery (LP: #1773033)
  * Skip updates on metered connections (Closes: #855570) (LP: #1781183)
  * Add debian/tests/upgrade-all-security to install all current security updates.
    On development releases this tests latest stable, on stable releases it tests
    the release itself.
  * Speed up unattended-upgrade (Closes: #892028, #899366) (LP: #1396787)
    - Adjust candidates only for packages to be possibly installed
    - Filter out packages cheaper when they are not from allowed origins
    - Collect autoremovable packages, too, when looking for upgradable ones
    - Measure time of running with --dry-run in autopkgtests
  * Skip starting init.d script in debhelper-generated postinst part
    (LP: #1778800)

  [ Ivan Kurnosov ]
  * Fixed is_pkgname_in_blacklist to be side-effect free. (LP: #1781176)
    Otherwise 'is_pkgname_in_blacklist' mutates the 'pkgs_kept_back' and
    'unattended-upgrades' treats the package as a blacklisted candidate

-- Balint Reczey <email address hidden> Fri, 13 Jul 2018 10:36:23 +0200

Changed in unattended-upgrades (Ubuntu Bionic):
status:	Fix Committed → Fix Released

Revision history for this message

Łukasz Zemczak (sil2100) wrote on 2018-07-19: Update Released

#13

The verification of the Stable Release Update for unattended-upgrades has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Revision history for this message

Brian Murray (brian-murray) wrote on 2018-12-03: Please test proposed package

#14

Hello Ernst, or anyone else affected,

Accepted unattended-upgrades into xenial-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/unattended-upgrades/1.1ubuntu1.18.04.7~16.04.0 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-xenial to verification-done-xenial. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-xenial. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in unattended-upgrades (Ubuntu Xenial):
status:	New → Fix Committed
tags:	added: verification-needed verification-needed-xenial removed: verification-done

Revision history for this message

Łukasz Zemczak (sil2100) wrote on 2018-12-13:

#15

Hello Ernst, or anyone else affected,

Accepted unattended-upgrades into xenial-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/unattended-upgrades/1.1ubuntu1.18.04.7~16.04.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-xenial to verification-done-xenial. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-xenial. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Revision history for this message

Balint Reczey (rbalint) wrote on 2019-02-07:

#16

Download full text (4.2 KiB)

Tested with 1.1ubuntu1.18.04.7~16.04.1:

On the autopkgtest infrastructure u-u runs for 20s when all packages are installed from xenial-security but none from xenial-updates:

https://objectstorage.prodstack4-5.canonical.com/v1/AUTH_77e2ada1e7a84929a74ba3b87153c0ac/autopkgtest-xenial/xenial/amd64/u/unattended-upgrades/20181213_182038_2962e@/log.gz
...
Starting unattended upgrades script
Allowed origins are: o=Ubuntu,a=xenial, o=Ubuntu,a=xenial-security, o=UbuntuESM,a=xenial
Packages that will be upgraded:
19.18user 1.17system 0:20.53elapsed 99%CPU (0avgtext+0avgdata 77720maxresident)k
0inputs+123512outputs (0major+38986minor)pagefaults 0swaps
...

On a 2012 MacBook Air inside a KVM qemu vm autopkgtest runner it is ~8s:
...
adt-2.log-Allowed origins are: o=Ubuntu,a=xenial, o=Ubuntu,a=xenial-security, o=UbuntuESM,a=xenial
adt-2.log-Packages that will be upgraded:
adt-2.log:7.64user 0.31system 0:08.00elapsed 99%CPU (0avgtext+0avgdata 76516maxresident)k
..

This is basically the same speed as with 0.90ubuntu0.10.
There is a 12% speed regression when testing in qemu with kvm on a 19.04 host:

...
adt-1549534420.log-Allowed origins are: o=Ubuntu,a=xenial, o=Ubuntu,a=xenial-security, o=UbuntuESM,a=xenial
adt-1549534420.log-Packages that will be upgraded:
adt-1549534420.log:6.72user 0.30system 0:07.07elapsed 99%CPU (0avgtext+0avgdata 77812maxresident)k
...
vs.
..
adt-2.log-Allowed origins are: o=Ubuntu,a=xenial, o=Ubuntu,a=xenial-security, o=UbuntuESM,a=xenial
adt-2.log-Packages that will be upgraded:
adt-2.log:7.64user 0.31system 0:08.00elapsed 99%CPU (0avgtext+0avgdata 76516maxresident)k
...

Or a 24% speedup with a smaller set of upgradable packages measured in two 16.04 lxc containers running on the same 19.04 development system:

ii unattended-upgrades 0.90ubuntu0.10 all automatic installation of security upgrades

# for i in $(seq 5); do time unattended-upgrade --dry-run; done

real 0m4.326s
user 0m4.245s
sys 0m0.043s

real 0m4.309s
user 0m4.239s
sys 0m0.070s
...
# apt list --upgradable
Listing... Done
cloud-init/xenial-proposed 18.5-21-g8ee294d5-0ubuntu1~16.04.1 all [upgradable from: 18.4-0ubuntu1~16.04.2]
kmod/xenial-proposed 22-1ubuntu5.2 amd64 [upgradable from: 22-1ubuntu5.1]
libc-bin/xenial-proposed 2.23-0ubuntu11 amd64 [upgradable from: 2.23-0ubuntu10]
libc6/xenial-proposed 2.23-0ubuntu11 amd64 [upgradable from: 2.23-0ubuntu10]
libkmod2/xenial-proposed 22-1ubuntu5.2 amd64 [upgradable from: 22-1ubuntu5.1]
locales/xenial-proposed 2.23-0ubuntu11 all [upgradable from: 2.23-0ubuntu10]
multiarch-support/xenial-proposed 2.23-0ubuntu11 amd64 [upgradable from: 2.23-0ubuntu10]
python-apt-common/xenial-proposed 1.1.0~beta1ubuntu0.16.04.3 all [upgradable from: 1.1.0~beta1ubuntu0.16.04.2]
python3-apt/xenial-proposed 1.1.0~beta1ubuntu0.16.04.3 amd64 [upgradable from: 1.1.0~beta1ubuntu0.16.04.2]
snapd/xenial-proposed 2.37.1 amd64 [upgradable from: 2.34.2]
ubuntu-core-launcher/xenial-proposed 2.37.1 amd64 [upgradable from: 2.34.2]
unattended-upgrades/xenial-proposed 1.1ubuntu1.18.04.7~16.04.1 all [upgradable from: 0.90ubuntu0.10]
#

vs.

ii unattended-upgrades 1.1ubuntu1.18.04.7~16.04.1 all automatic installation of security upgr...

Tested with 1.1ubuntu1.18.04.7~16.04.1:

On the autopkgtest infrastructure u-u runs for 20s when all packages are installed from xenial-security but none from xenial-updates:

https://objectstorage.prodstack4-5.canonical.com/v1/AUTH_77e2ada1e7a84929a74ba3b87153c0ac/autopkgtest-xenial/xenial/amd64/u/unattended-upgrades/20181213_182038_2962e@/log.gz
...
Starting unattended upgrades script
Allowed origins are: o=Ubuntu,a=xenial, o=Ubuntu,a=xenial-security, o=UbuntuESM,a=xenial
Packages that will be upgraded: 
19.18user 1.17system 0:20.53elapsed 99%CPU (0avgtext+0avgdata 77720maxresident)k
0inputs+123512outputs (0major+38986minor)pagefaults 0swaps
...

On a 2012 MacBook Air inside a KVM qemu vm autopkgtest runner it is ~8s:
...
adt-2.log-Allowed origins are: o=Ubuntu,a=xenial, o=Ubuntu,a=xenial-security, o=UbuntuESM,a=xenial
adt-2.log-Packages that will be upgraded: 
adt-2.log:7.64user 0.31system 0:08.00elapsed 99%CPU (0avgtext+0avgdata 76516maxresident)k
..

This is basically the same speed as with 0.90ubuntu0.10.
There is a 12% speed regression when testing in qemu with kvm on a 19.04 host:

...
adt-1549534420.log-Allowed origins are: o=Ubuntu,a=xenial, o=Ubuntu,a=xenial-security, o=UbuntuESM,a=xenial
adt-1549534420.log-Packages that will be upgraded: 
adt-1549534420.log:6.72user 0.30system 0:07.07elapsed 99%CPU (0avgtext+0avgdata 77812maxresident)k
...
vs.
..
adt-2.log-Allowed origins are: o=Ubuntu,a=xenial, o=Ubuntu,a=xenial-security, o=UbuntuESM,a=xenial
adt-2.log-Packages that will be upgraded: 
adt-2.log:7.64user 0.31system 0:08.00elapsed 99%CPU (0avgtext+0avgdata 76516maxresident)k
...

Or a 24% speedup with a smaller set of upgradable packages measured in two 16.04 lxc containers running on the same 19.04 development system:

ii  unattended-upgrades 0.90ubuntu0.10 all          automatic installation of security upgrades

# for i in $(seq 5); do time unattended-upgrade --dry-run; done

real	0m4.326s
user	0m4.245s
sys	0m0.043s

real	0m4.309s
user	0m4.239s
sys	0m0.070s
...
# apt list --upgradable 
Listing... Done
cloud-init/xenial-proposed 18.5-21-g8ee294d5-0ubuntu1~16.04.1 all [upgradable from: 18.4-0ubuntu1~16.04.2]
kmod/xenial-proposed 22-1ubuntu5.2 amd64 [upgradable from: 22-1ubuntu5.1]
libc-bin/xenial-proposed 2.23-0ubuntu11 amd64 [upgradable from: 2.23-0ubuntu10]
libc6/xenial-proposed 2.23-0ubuntu11 amd64 [upgradable from: 2.23-0ubuntu10]
libkmod2/xenial-proposed 22-1ubuntu5.2 amd64 [upgradable from: 22-1ubuntu5.1]
locales/xenial-proposed 2.23-0ubuntu11 all [upgradable from: 2.23-0ubuntu10]
multiarch-support/xenial-proposed 2.23-0ubuntu11 amd64 [upgradable from: 2.23-0ubuntu10]
python-apt-common/xenial-proposed 1.1.0~beta1ubuntu0.16.04.3 all [upgradable from: 1.1.0~beta1ubuntu0.16.04.2]
python3-apt/xenial-proposed 1.1.0~beta1ubuntu0.16.04.3 amd64 [upgradable from: 1.1.0~beta1ubuntu0.16.04.2]
snapd/xenial-proposed 2.37.1 amd64 [upgradable from: 2.34.2]
ubuntu-core-launcher/xenial-proposed 2.37.1 amd64 [upgradable from: 2.34.2]
unattended-upgrades/xenial-proposed 1.1ubuntu1.18.04.7~16.04.1 all [upgradable from: 0.90ubuntu0.10]
#

vs.

ii  unattended-upgrades 1.1ubuntu1.18.04.7~16.04.1 all          automatic installation of security upgrades

# for i in $(seq 5); do time unattended-upgrade --dry-run; done

real	0m3.269s
user	0m3.194s
sys	0m0.076s

real	0m3.277s
user	0m3.135s
sys	0m0.115s
...
root@x-uu-ref:~# apt list --upgradable 
Listing... Done
cloud-init/xenial-proposed 18.5-21-g8ee294d5-0ubuntu1~16.04.1 all [upgradable from: 18.4-0ubuntu1~16.04.2]
kmod/xenial-proposed 22-1ubuntu5.2 amd64 [upgradable from: 22-1ubuntu5.1]
libc-bin/xenial-proposed 2.23-0ubuntu11 amd64 [upgradable from: 2.23-0ubuntu10]
libc6/xenial-proposed 2.23-0ubuntu11 amd64 [upgradable from: 2.23-0ubuntu10]
libkmod2/xenial-proposed 22-1ubuntu5.2 amd64 [upgradable from: 22-1ubuntu5.1]
locales/xenial-proposed 2.23-0ubuntu11 all [upgradable from: 2.23-0ubuntu10]
multiarch-support/xenial-proposed 2.23-0ubuntu11 amd64 [upgradable from: 2.23-0ubuntu10]
python-apt-common/xenial-proposed 1.1.0~beta1ubuntu0.16.04.3 all [upgradable from: 1.1.0~beta1ubuntu0.16.04.2]
snapd/xenial-proposed 2.37.1 amd64 [upgradable from: 2.34.2]
ubuntu-core-launcher/xenial-proposed 2.37.1 amd64 [upgradable from: 2.34.2]
root@x-uu-ref:~#

tags:

added: verification-done verification-done-xenial
removed: verification-needed verification-needed-xenial

Revision history for this message

Łukasz Zemczak (sil2100) wrote on 2019-02-28:

#17

Hello Ernst, or anyone else affected,

Accepted unattended-upgrades into xenial-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/unattended-upgrades/1.1ubuntu1.18.04.7~16.04.2 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-xenial to verification-done-xenial. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-xenial. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

tags:

added: verification-needed verification-needed-xenial
removed: verification-done verification-done-xenial

Revision history for this message

Balint Reczey (rbalint) wrote on 2019-03-13:

#18

Verified with 1.1ubuntu1.18.04.7~16.04.2, measured times are similar to .1, verified previously.

https://objectstorage.prodstack4-5.canonical.com
/v1/AUTH_77e2ada1e7a84929a74ba3b87153c0ac/autopkgtest-xenial/xenial/amd64/u/unattended-upgrades/20190228_150449_11313@/log.gz

...
Allowed origins are: o=Ubuntu,a=xenial, o=Ubuntu,a=xenial-security, o=UbuntuESM,a=xenial
Packages that will be upgraded:
4.62user 0.16system 0:04.83elapsed 99%CPU (0avgtext+0avgdata 78264maxresident)k
0inputs+124024outputs (0major+38540minor)pagefaults 0swaps
new packages marked as manually installed (should be none)
...

tags:

added: verification-done verification-done-xenial
removed: verification-needed verification-needed-xenial

Revision history for this message

Pavel (spvkgn) wrote on 2019-04-14:

#19

top-screenshot.png Edit (41.7 KiB, image/png)

After update to 1.1ubuntu1.18.04.10 on Bionic "unattended-upgrades --download-only" using up 100% CPU and hangs. I tried to install previous version 1.1ubuntu1.18.04.9 and this issue is gone.

Revision history for this message

Balint Reczey (rbalint) wrote on 2019-04-15:

#20

@spvkgn Could you please collect the logs of the upgrade where u-u 1.1ubuntu1.18.04.10 got stuck?
Did you have any special origin or local package configured?
If you could downgrade the packages which got upgraded could you please run 1.1ubuntu1.18.04.10 with --debug --verbose --download-only to see where it got stuck?

Revision history for this message

Pavel (spvkgn) wrote on 2019-04-15:

#21

uu.zip Edit (51.4 KiB, application/zip)

@rbalint I've collect logs from both u-u packages. Latest u-u stucks in a loop. Please see zip attached.

I have hold packages

$ apt-mark showhold
linux-generic
linux-headers-generic
linux-image-generic
linux-libc-dev
papirus-icon-theme

Revision history for this message

Balint Reczey (rbalint) wrote on 2019-04-15:

#22

@spvkgn Thanks!

From the log it seems this is not a loop, just applying the very high cost fallback for each held package:
...
Checking: linux-generic ([<Origin component:'main' archive:'bionic-updates' origin:'Ubuntu' label:'Ubuntu' site:'ru.archive.ubuntu.com' isTrusted:True>, <Origin component:'main' archive:'bionic-security' origin:'Ubuntu' label:'Ubuntu' site:'ru.archive.ubuntu.com' isTrusted:True>])
package linux-generic upgradable but fails to be marked for upgrade (E:Unable to correct problems, you have held broken packages.)
falling back to marking linux-generic, then adjusting changes
package linux-generic upgradable but fails to be marked for upgrade (E:Unable to correct problems, you have held broken packages.)
falling back to adjusting all packages
adjusting candidate version: 2ping=4.1-1
...
package linux-generic upgradable but fails to be marked for upgrade (E:Unable to correct problems, you have held broken packages.)
sanity check failed for: set()
Checking: linux-headers-generic ([<Origin component:'main' archive:'bionic-updates' origin:'Ubuntu' label:'Ubuntu' site:'ru.archive.ubuntu.com' isTrusted:True>, <Origin component:'main' archive:'bionic-security' origin:'Ubuntu' label:'Ubuntu' site:'ru.archive.ubuntu.com' isTrusted:True>])
package linux-headers-generic upgradable but fails to be marked for upgrade (E:Error, pkgProblemResolver::Resolve generated breaks, this may be caused by held packages.)
falling back to marking linux-headers-generic, then adjusting changes
package linux-headers-generic upgradable but fails to be marked for upgrade (E:Error, pkgProblemResolver::Resolve generated breaks, this may be caused by held packages.)
falling back to adjusting all packages
...

This is still a serious problem and opened a separate bug for it, but seems much better than an infinite loop.
Can you please confirm that finally u-u finishes processing the packages?

Revision history for this message

Balint Reczey (rbalint) wrote on 2019-04-15:

#23

The new bug: LP: #1824804

Revision history for this message

Launchpad Janitor (janitor) wrote on 2019-04-25:

#24

Download full text (33.9 KiB)

This bug was fixed in the package unattended-upgrades - 1.1ubuntu1.18.04.7~16.04.2

---------------
unattended-upgrades (1.1ubuntu1.18.04.7~16.04.2) xenial; urgency=medium

  * Don't check blacklist too early and report updates from not allowed origins
    as kept back. (LP: #1781176)
  * test/test_blacklisted_wrong_origin.py: Fix and enable test
  * Filter out progress indicator from dpkg log (LP: #1599646)
  * Clear cache when autoremoval fails (LP: #1779157)
  * Find autoremovable kernel packages using the patterns in APT's way
    (LP: #1815494)

unattended-upgrades (1.1ubuntu1.18.04.7~16.04.1) xenial; urgency=medium

  * Start service after systemd-logind.service to be able to take inhibition
    lock (LP: #1806487)
  * Handle gracefully when logind is down (LP: #1806487)

unattended-upgrades (1.1ubuntu1.18.04.7~16.04.0) xenial; urgency=medium

  * Backport to Xenial (LP: #1702793)
  * Revert to build-depending on debhelper (>= 9~) and dh-systemd
  * Revert configuration example changes to avoid triggering a debconf question
  * debian/postinst: Update recovery to be triggered on Xenial's package versions

unattended-upgrades (1.1ubuntu1.18.04.7) bionic; urgency=medium

  * Trigger unattended-upgrade-shutdown actions with PrepareForShutdown()
    Performing upgrades in service's ExecStop did not work when the upgrades
    involved restarting services because systemd blocked other stop/start
    actions making maintainer scripts time out and be killed leaving a broken
    system behind.
    Running unattended-upgrades.service before shutdown.target as a oneshot
    service made it run after unmounting filesystems and scheduling services
    properly on shutdown is a complex problem and adding more services to the
    mix make it even more fragile.
    The solution of monitoring PrepareForShutdown() signal from DBus
    allows Unattended Upgrade to run _before_ the jobs related to shutdown are
    queued thus package upgrades can safely restart services without
    risking causing deadlocks or breaking part of the shutdown actions.
    Also ask running unattended-upgrades to stop when shutdown starts even in
    InstallOnShutdown mode and refactor most of unattended-upgrade-shutdown to
    UnattendedUpgradesShutdown class. (LP: #1778219)
  * Increase logind's InhibitDelayMaxSec to 30s. (LP: #1778219)
    This allows more time for unattended-upgrades to shut down gracefully
    or even install a few packages in InstallOnShutdown mode, but is still a
    big step back from the 30 minutes allowed for InstallOnShutdown previously.
    Users enabling InstallOnShutdown node are advised to increase
    InhibitDelayMaxSec even further possibly to 30 minutes.
    - Add NEWS entry about increasing InhibitDelayMaxSec and InstallOnShutdown
      changes
  * Ignore "W503 line break before binary operator"
    because it will become the best practice and breaks the build
  * Stop using ActionGroups, they interfere with apt.Cache.clear()
    causing all autoremovable packages to be handled as newly autoremovable
    ones and be removed by default. Dropping ActionGroup usage does not slow
    down the most frequent case of not having anything to upgrade a...

This bug was fixed in the package unattended-upgrades - 1.1ubuntu1.18.04.7~16.04.2

---------------
unattended-upgrades (1.1ubuntu1.18.04.7~16.04.2) xenial; urgency=medium

* Don't check blacklist too early and report updates from not allowed origins
    as kept back. (LP: #1781176)
  * test/test_blacklisted_wrong_origin.py: Fix and enable test
  * Filter out progress indicator from dpkg log (LP: #1599646)
  * Clear cache when autoremoval fails (LP: #1779157)
  * Find autoremovable kernel packages using the patterns in APT's way
    (LP: #1815494)

unattended-upgrades (1.1ubuntu1.18.04.7~16.04.1) xenial; urgency=medium

* Start service after systemd-logind.service to be able to take inhibition
    lock (LP: #1806487)
  * Handle gracefully when logind is down (LP: #1806487)

unattended-upgrades (1.1ubuntu1.18.04.7~16.04.0) xenial; urgency=medium

* Backport to Xenial (LP: #1702793)
  * Revert to build-depending on debhelper (>= 9~) and dh-systemd
  * Revert configuration example changes to avoid triggering a debconf question
  * debian/postinst: Update recovery to be triggered on Xenial's package versions

unattended-upgrades (1.1ubuntu1.18.04.7) bionic; urgency=medium

* Trigger unattended-upgrade-shutdown actions with PrepareForShutdown()
    Performing upgrades in service's ExecStop did not work when the upgrades
    involved restarting services because systemd blocked other stop/start
    actions making maintainer scripts time out and be killed leaving a broken
    system behind.
    Running unattended-upgrades.service before shutdown.target as a oneshot
    service made it run after unmounting filesystems and scheduling services
    properly on shutdown is a complex problem and adding more services to the
    mix make it even more fragile.
    The solution of monitoring PrepareForShutdown() signal from DBus
    allows Unattended Upgrade to run _before_ the jobs related to shutdown are
    queued thus package upgrades can safely restart services without
    risking causing deadlocks or breaking part of the shutdown actions.
    Also ask running unattended-upgrades to stop when shutdown starts even in
    InstallOnShutdown mode and refactor most of unattended-upgrade-shutdown to
    UnattendedUpgradesShutdown class. (LP: #1778219)
  * Increase logind's InhibitDelayMaxSec to 30s. (LP: #1778219)
    This allows more time for unattended-upgrades to shut down gracefully
    or even install a few packages in InstallOnShutdown mode, but is still a
    big step back from the 30 minutes allowed for InstallOnShutdown previously.
    Users enabling InstallOnShutdown node are advised to increase
    InhibitDelayMaxSec even further possibly to 30 minutes.
    - Add NEWS entry about increasing InhibitDelayMaxSec and InstallOnShutdown
      changes
  * Ignore "W503 line break before binary operator"
    because it will become the best practice and breaks the build
  * Stop using ActionGroups, they interfere with apt.Cache.clear()
    causing all autoremovable packages to be handled as newly autoremovable
    ones and be removed by default. Dropping ActionGroup usage does not slow
    down the most frequent case of not having anything to upgrade and when
    there are packages to upgrade the gain is small compared to the actual
    package installation.
    Also collect autoremovable packages before adjusting candidates because that
    also changed .is_auto_removable attribute of some of them. (LP: #1803749)
    (Closes: #910874)

unattended-upgrades (1.1ubuntu1.18.04.6) bionic; urgency=medium

* Unlock for dpkg operations with apt_pkg.pkgsystem_unlock_inner() when it is
    available. Also stop running when reacquiring the lock fails.
    Thanks to Julian Andres Klode for original partial patch (LP: #1789637)
  * Skip rebuilding python-apt in upgrade autopkgtests.
    Python-apt has a new build dependency making the rebuilding as is failing
    and the reference handling issue is worked around in unattended-upgrades
    already. (LP: #1781586)
  * Stop trying when no adjustment could be made and adjust package candidates
    only to lower versions (LP: #1785093)
  * Skip already adjusted packages from being checked for readjusting.
    This makes it clearer that the recursion ends and can also be a bit quicker.
    (LP: #1785093)

unattended-upgrades (1.1ubuntu1.18.04.5) bionic; urgency=medium

* Stop updating the system when reacquiring the dpkg system lock fails.
    (LP: #1260041)

unattended-upgrades (1.1ubuntu1.18.04.4) bionic; urgency=medium

* Redirect stderr output in upgrade-between-snapshots, too, otherwise it
    breaks the test sometimes (LP: #1781446)

unattended-upgrades (1.1ubuntu1.18.04.3) bionic; urgency=medium

* Redirect stderr output in upgrade-all-security, otherwise it breaks the
    test (LP: #1781446)

unattended-upgrades (1.1ubuntu1.18.04.2) bionic; urgency=medium

[ Balint Reczey ]
  * Clear cache when autoremoval is invalid for a package set marked for
    removal and clear cache after failed commits to return from a possibly
    invalid state (LP: #1779157)
  * Don't start or gracefully stop upgrade on battery (LP: #1773033)
  * Skip updates on metered connections (Closes: #855570) (LP: #1781183)
  * Add debian/tests/upgrade-all-security to install all current security updates.
    On development releases this tests latest stable, on stable releases it tests
    the release itself.
  * Speed up unattended-upgrade (Closes: #892028, #899366) (LP: #1396787)
    - Adjust candidates only for packages to be possibly installed
    - Filter out packages cheaper when they are not from allowed origins
    - Collect autoremovable packages, too, when looking for upgradable ones
    - Measure time of running with --dry-run in autopkgtests
  * Skip starting init.d script in debhelper-generated postinst part
    (LP: #1778800)

[ Ivan Kurnosov ]
  * Fixed is_pkgname_in_blacklist to be side-effect free. (LP: #1781176)
    Otherwise 'is_pkgname_in_blacklist' mutates the 'pkgs_kept_back' and
    'unattended-upgrades' treats the package as a blacklisted candidate

unattended-upgrades (1.1ubuntu1.18.04.1) bionic; urgency=medium

[ Michael Vogt ]
  * unattended-upgrades: fix Unlocked context manager. (LP: #1602536)
    The Unlocked context manager did correctly unlock but did not
    reacquire the lock which means that in minimal-upgrade step
    mode it is possible to run apt code without a lock. If something
    else (like landscape, apt, synaptic, packagekit) locks the cache
    in the meantime this will work and u-u will get dpkg errors
    because dpkg will not be able to perform its operations. It is
    less of an issue in non-minimal mode, but even then the auto-remove
    step may fail in this way.

[ Balint Reczey ]
  * Fix adjusting candidates (LP: #1775292)
  * Relock apt lock before reopening the cache (LP: #1602536)
  * Fix crashing while adjusting candidates and save candidates to adjust only
    in first sweep run, not emptying the set later
    (Closes: #901258) (LP: #1775307)

unattended-upgrades (1.1ubuntu1) bionic; urgency=medium

* Merge from Debian unstable (LP: #1764797)
    - Remaining changes:
      - unattended-upgrades: Do not automatically upgrade the development
        release of Ubuntu unless Unattended-Upgrade::DevRelease is true.
    - Dropped changes, included in Debian:
      - Rename d/NEWS.Debian to d/NEWS to have it shipped
      - Fix typo in NEWS file
      - d/rules: Exclude mypy cache from source package.

unattended-upgrades (1.1) unstable; urgency=medium

[ cgail914 ]
  * Update 50unattended-upgrades.Raspbian
    added a semi-column sign on line 86 to facilitate uncommenting the line
    for users and not end up with an error message when running
    unattended-upgrades. And make the whole file consistent.

[ Tobias Bannert ]
  * completed german translation

[ Simon McVittie ]
  * d/rules: Exclude mypy cache from source package.

[ Julian Andres Klode ]
  * Do not reuse old apt.Version objects after reopening cache (LP: #1737441)

[ Balint Reczey ]
  * Rename d/NEWS.Debian to d/NEWS to have it shipped
  * Fix typo in NEWS file
  * Add missing semicolon to commented-out Remove-Unused-Kernel-Packages option
  * Set UnattendedUpgradesCache.allowed_origins before calling
    apt.Cache.__init__()
  * Find package candidates to adjust sweeping through all packages only once.
    Later reuse the list candidates and filter out packages installed in the
    meantime. Thanks to Julian Andres Klode for the original patch
  * Use updated python-apt in upgrade-between-snapshots test
  * upgrade-between-snapshots: Mount /proc, too, in the chroot.
    Also clean up chroot properly on exit.
  * upgrade-between-snapshots: Use http_proxy environment variable in chroot,
    too
  * upgrade-between-snapshots: Remove packages installed as the side-effect of
    updating apt and python-apt
  * Ignore errors from compiling backported packages
  * Make is_autoremove_valid() nondestructive.
    Also fix autoremoval of packages when one package can't be removed and
    keeps back other package removals due to missing cache.clear()
  * Fix tracking removed packages
  * Suggest default-mta | mail-transport-agent to keep Lintian happy

[ Michael Vogt ]
  * unattanded-upgrades: refactor get_candidates_to_adjust() to
    adjust_candidates()

unattended-upgrades (1.0ubuntu2) bionic; urgency=medium

[ Balint Reczey ]
  * Rename d/NEWS.Debian to d/NEWS to have it shipped
  * Fix typo in NEWS file

[ Simon McVittie ]
  * d/rules: Exclude mypy cache from source package.

unattended-upgrades (1.0ubuntu1) bionic; urgency=medium

* Merge from Debian unstable
    - Remaining changes:
      - unattended-upgrades: Do not automatically upgrade the development
        release of Ubuntu unless Unattended-Upgrade::DevRelease is true.
    - Dropped changes, included in Debian:
      - Run upgrade-between-snapshots only on amd64.
        The test exercises only unattented-upgrade's Python code and uses
        dependencies from the frozen Debian snapshot archive thus running
        it on all architectures would provide little benefit.

unattended-upgrades (1.0) unstable; urgency=medium

[ Simon Arlott ]
  * Revert sending mails on WARNINGS when in MailOnlyOnError mode"
  * Consider conffile prompts to be errors (Closes: #852465)
    Flag packages that have to be upgraded manually because of a conffile
    prompt and consider this to be an error when sending email or exiting.

[ Simon McVittie ]
  * Add python, python3, setuptools, DistutilsExtra to Build-Depends.
    They are needed for `clean`, so Build-Depends-Indep is not enough.
  * Add .gitignore and debian/.gitignore
  * Remove bzr configuration.
    This is unnecessary now that u-u is in git.

[ Michael Vogt ]
  * unattended-upgrades: tweak mail-on-warnings PR
  * unattended-upgrade: extract is_autoremove_valid helper

[ Balint Reczey ]
  * Run upgrade-between-snapshots only on amd64.
    The test exercises only unattented-upgrade's Python code and uses
    dependencies from the frozen Debian snapshot archive thus running
    it on all architectures would provide little benefit.
  * Clean up processes started for getting md5 sums
  * Don't keep /var/lib/dpkg/status open multiple times
  * Adjust candidates in UnattendedUpgradesCache.open()
  * Perform autoremovals in minimal steps, too.
    Also add check to remove only the set of packages selected for autoremoval.
    Without that check unattended-upgrades when (by default) configured to
    remove newly unused packages could also remove auto removable packages
    which were unused before starting starting the upgrade step.
  * Remove unused automatically installed kernel packages
    (LP: #1357093, #1624644, #1675079, #1698159)
  * Stop including Python syntax in the report (Closes: #876796)
  * Do not auto remove packages related to the running kernel (LP: #1615381)
  * Check packages to be autoremoved against blacklists, whitelists.
    Also check if the packages are held.
  * Report package removals in the summary email (Closes: #876797)
  * Run upgrade-between-snapshots test with debugging enabled
  * Don't create new UnattendedUpgradesCache for checking for autoremovals
    .open() refreshes the state in each cache_commit(), this is enough
  * Update .pot and .po files
  * Update .travis.yml to actually build and test u-u from the repo
  * Run only a simple installation test on Travis, the system upgrade
    test was always failing

unattended-upgrades (0.99ubuntu2) bionic; urgency=medium

* Run upgrade-between-snapshots only on amd64.
    The test exercises only unattented-upgrade's Python code and uses
    dependencies from the frozen Debian snapshot archive thus running
    it on all architectures would provide little benefit.

unattended-upgrades (0.99ubuntu1) bionic; urgency=medium

* Merge from Debian unstable (LP: #1722426)
    - Remaining changes:
      - unattended-upgrades: Do not automatically upgrade the development
        release of Ubuntu unless Unattended-Upgrade::DevRelease is true.
    - Dropped changes, included in Debian:
      - Fix version of test package in test_remove_unused_dependencies
      - Do not touch reboot-required on linux-image-extra removal
      - unattended-upgrades: Do not reboot during a dry-run.

unattended-upgrades (0.99) unstable; urgency=medium

[ Peter Nowee ]
  * Fix Raspbian default config codename matching.
    Using `archive=${distro_codename}` does not match, at least not in
    Raspbian Stretch anymore. Changing it to `codename=${distro_codename}`.
    I tested that it now works and did not notice any regressions.
    Same change was made to the Debian-specific configuration 3 years ago,
    see commit 9a2afa5.
  * Enable RPi-specific upgrades on Raspbian.
    In addition to the Raspbian repository, Raspbian images distributed by
    the Raspberry Pi Foundation (RPF) depend on the RPF repository for
    kernel and firmware updates.
    This commit adds a pattern matching line for packages from the RPF
    repository to the Raspbian config file for unattended-upgrades.

[ Alexandre Detiste ]
  * Drop unused dependency on apt-utils (Closes: #876425)

[ Frans Spiesschaert ]
  * Dutch translation update

[ Chris Leick ]
  * German translation update

[ Ben Wong ]
  * Fix configuration file examples (Closes: #877395)

[ Balint Reczey ]
  * Test for running systemd on Debian, too, when applying workaround for it
  * Fix calling dh_installinit during build
  * Tidy up d/control using cme fix
  * Fix log file location in man page.
    Thanks to Jaakov for the bug report (Closes: #817974)
  * Build-depend on debhelper (>= 9.20160709) instead of dh-systemd
  * Link unattended-upgrades.8 to unattended-upgrade.8 man page
  * Add Auto-Submitted header to email report (LP: #1230246)
  * Exit with error when package installation failed or u-u is signalled to
    stop (Closes: #838368)
  * Process packages needing smaller upgrade sets earlier in generating
    minimal upgrade sets.
    Inspired by Michael Vogt's partition pre-calculation code
  * Exit with printing error when apt errors prevent initialization
    (LP: #1737442)
  * Mark invalid UTF-8 characters in dpkg's log, but don't crash
    (LP: #1737635)
  * Try upgrading packages replacing configuration dir with configuration file
    (LP: #1737637)
  * Make unattended-upgrade-shutdown exit with error when apt config is
    invalid (LP: #1737717)
  * Exit when an apt error prevents checking a package for conffile prompt
  * Install upgrades from ${distro_codename}, label=Debian by default.
    This enables updates from stable point releases but also lets testing
    and sid being updated with the package updates.
    Fixes #33. (Closes: #787945, #597061)
  * Fix debian/NEWS.Debian's format
  * Add NEWS item about unattended-uprades installing stable/all updates
  * Stop asking debconf question about Origins-Pattern.
    50unattended-upgrades now contains multiple origins by default and setting
    them from debconf can't be made really easy. Users should change the
    configuration file itself instead. (LP: #1577215)
  * Update PO files about debconf templates
  * Don't log exceptions which did not happen
  * Add autopkgtest for upgrading unstable between two snapshots from
    snapshot.d.o
  * Remove tabs from Debian's configuration file
  * Catch SystemError instead of apt_pkg.Error for backwards compatibility
  * Check in autopkgtest if unattended-upgrades mark additional packages as
    manually installed
  * Test upgrading a full system with desktop packages in autopkgtest.
    Also pick different shapshots with which does not contain
    broken packages.
  * Test sending email after upgrading a full system
  * Show "please don't turn off the computer" while installing updates on
    shutdown.
    This is more informational for users than the original "sleeping for 5s".
    Thanks to Mario Loderer for the suggestion (LP: #1741579)
  * Use eatmydata for system upgrade autopkgtest
  * Run upgrade-between-snapshots autopkgtest even on other distros
  * Apt install built u-u in snapshot upgrade test
  * Update .pot file
  * Fix version of test package in test_remove_unused_dependencies
    (Closes: #886803)
  * Refresh cache after committing changes to avoid reinstalling packages
    (Closes: #875383)
  * Relax calculating truly minimal sets to sets expected to be minimal.
    This speeds up calculation by making it from ~O(n^2) to ~O(n) at the
    expense of creating slightly bigger sets in rare cases.

[ Evilham ]
  * Add Devuan support.

[ Brian Murray ]
  * unattended-upgrades: Do not reboot during a dry-run (LP: #1269177)

[ Michael Vogt ]
  * enable pep484 test
  * mypy fixes
  * add two missing return values
  * tests: cleanup test_mail.py to use proper tmpdirs

[ Julian Andres Klode ]
  * Do not touch reboot-required on linux-image-extra removal (LP: #1458204)

[ Sjoerd Job Postmus ]
  * Adjust candidate version of packages to be newly installed (LP: #1446552)

unattended-upgrades (0.98ubuntu4) bionic; urgency=medium

* Cherry pick from git:
    - Fix version of test package in test_remove_unused_dependencies (Closes: #886803)

unattended-upgrades (0.98ubuntu3) bionic; urgency=medium

*  Do not touch reboot-required on linux-image-extra removal (LP: #1458204)

unattended-upgrades (0.98ubuntu2) bionic; urgency=medium

* unattended-upgrades: Do not reboot during a dry-run. (LP: #1269177)

unattended-upgrades (0.98ubuntu1) artful; urgency=medium

* Merge from Debian unstable (LP: #1722426)
    - Remaining changes:
      - unattended-upgrades: Do not automatically upgrade the development
        release of Ubuntu unless Unattended-Upgrade::DevRelease is true.
    - Dropped changes, included in Debian:
      - Use lsb_release instead of dpkg-vendor in postinst

unattended-upgrades (0.98) unstable; urgency=medium

* Rename test to test_non_minimal_steps_upgrade to reflect content
  * Catch SystemError while keeping apt lock unlocked (LP: #1632361)
  * Add --stop-only option to unattended-upgrade-shutdown and use it on
    hibernation. This prevents starting unattended-upgrades right before
    hibernating when Unattended-Upgrade::InstallOnShutdown is true.
    (Closes: #610333)
  * Stop already running unattended-upgrades before hibernation even with
    systemd (LP: #1455097)
  * Use lsb_release instead of dpkg-vendor in postinst (LP: #1719630)
  * Update README.md with the fact that unattended=upgrades is enabled
    by default (Closes: #865519)

unattended-upgrades (0.97ubuntu2) artful; urgency=medium

* Use lsb_release instead of dpkg-vendor in postinst (LP: #1719630)

unattended-upgrades (0.97ubuntu1) artful; urgency=medium

* Merge from Debian unstable (LP: #1718419)
    - Remaining changes:
      - unattended-upgrades: Do not automatically upgrade the development
        release of Ubuntu unless Unattended-Upgrade::DevRelease is true.
    - Dropped changes, included in Debian:
      - Recover from broken dh_installinit override in versions < 0.93.1ubuntu3

unattended-upgrades (0.97) unstable; urgency=medium

* Handle recovering from broken dh_installinit override on Ubuntu, too
  * Declare needs-reboot for autopkgtests
  * Clean up more test artifacts
  * Run u-u-s only when running on AC power
  * Catch SystemError from fetcher.run(), too
  * Default to MinimalSteps=True in most tests to excercise default setting
  * Check only changed packages in check_changes_for_sanity()
  * Store candidate versions to adjust in UnattendedUpgradesCache()'s constructor

unattended-upgrades (0.96ubuntu1) artful; urgency=low

* Merge from Debian unstable (LP: #1714019)
    - Remaining changes:
      - Recover from broken dh_installinit override in versions < 0.93.1ubuntu3
      - unattended-upgrades: Do not automatically upgrade the development
        release of Ubuntu unless Unattended-Upgrade::DevRelease is true.
    - Dropped changes, included in Debian:
      - Cherry-pick 2e5deed, f26edb4 from upstream to add support for a
        --download-only option, enabling us to download updates at a random
        time of day by default but apply them predictably in the 6am-7am
        window.
      - Fix PEP8 failures (replace except: with except Exception:)
      - unattended-upgrades: Provide some information and create a log entry
        when there is a failure to parse the allowed origins.
      - Add UbuntuESM to the list of sources automatically upgraded from by
        default.
      - Complete the solution for the unattended-upgrades.service unit not
        correctly working
      - d/rules : Remove the override_dh_installinit. The stop option is no
        longer available so the command falls back to default. This is the
        normal behavior so the override is not required
      - d/unattended-upgrades.init : Add Default-Start runlevels, otherwise
        the unattended-upgrades.service unit cannot be enabled on boot
      - d/postinst : Cleanup the stop symlinks created by the wrong
        override_dh_installinit. Without that, the systemd unit cannot be
        enabled correctly.
        Force disable the service before deb-systemd-helper runs so the old
        symlink is not left dangling (workaround for Debian Bug #797108).
        Force enable and start of the systemd unit to work around Debian Bug
        #797108 which fails to enable systemd units correctly when
        WantedBy= statement is changed which is the case here.
      - d/unattended-upgrades.service : Fix the service so it runs correctly on
        shutdown :
        - Remove DefaultDependencies=no : Breaks normal shutdown dependencies
        - Set After= to network.target and local-fs.target. Since our service
          is now ExecStop, it will run before network and local-fs become
          unavailable.
        - Add RequiresMountsFor=/var/log /var/run /var/lib /boot : Necessary if
          /var is a separate file system. Set WantedBy= to multi-user.target
      - Add DEP8 tests to verify the following :
        - Verify that the unattended-upgrades.service unit is enabled and
          started.
        - Verify that InstallOnShutdown works when configured.
      - The systemd unit needs to be an ExecStop since it is is activated on
        shutdown. Otherwise, it will get scheduled after completion of
        the local-fs.target. In the case where /var is a separate
        filesystem, unattended-upgrade-shutdown will hang until timeout
        since /var/run is expected but no longer there
      - When performing a sanity check for packages to install or upgrade
        return false when either there are no packages in the cache or the
        package to upgrade is not in the change set.
      - Do not mark packages for deletion / autoremoval if unattended-upgrades
        is being run in dry-run mode.
      - Store delay command line option as an int not a string since we do
        maths with it.

unattended-upgrades (0.96) unstable; urgency=medium

* Use test/aptroot instead of / as APT root directory in tests
    (Closes: #873079)

unattended-upgrades (0.95) unstable; urgency=medium

[ Michael Vogt ]
  * fix some type hints

[ Balint Reczey ]
  * Increase timeout to 30 minutes for u-u-s to finish before killing it.
    Soft timeout until u-u-s is considered to be finished properly
    is also increased to 25 minutes from 10 minutes.
  * Update the signal used to SIGTERM in the documentation
  * Default to performing upgrades in minimal steps
  * Use same progress logfile when performing upgrades in minimal steps.
    This allows u-u-s to always show the progress.
  * Joining maintaining the package as an uploader
  * Log when not all upgrades could be installed
  * Fix incorrect example for Update-Days.
  * Add Debian backports example to Origins-Pattern.
  * Don't restart unattended-upgrades when the package is upgraded
  * Silence lintinan warning  init.d-script-possible-missing-stop
  * Update .pot and .po file

unattended-upgrades (0.94) unstable; urgency=medium

[ Brian Murray ]
  * Add apt history log to apport reports
  * unattended-upgrades: Provide some information and create a log entry when
    there is a failure to parse the allowed origins. (LP: #1680599)
  * improve the changes sanity check to cache more insane cases
  * Do not mark packages for deletion / autoremoval if unattended-upgrades
    is being run in dry-run mode.

[ Louis Bouchard ]
  * Fix --delay type in unattended-upgrade-shutdown (Closes: #837161)

[ Balint Reczey ]
  * ACK NMU
  * Fix indentation in test-systemd.py
  * Keep apt's partial dir in tests.
    This fixes make -C test in a clean repository
  * Clean up all generated files in override_dh_auto_clean
  * Update debhelper compat level to 9
  * Move acquiring shutdown_lock earlier in u-u to cover dpkg --configure step
  * Start handling SIGUSR1 gracefully earlier in unattended-upgrade
    (LP: #1690980)
  * Handle SIGTERM instead of SIGUSR1 as a graceful shutdown signal
  * Place unattended-upgrade pid file early and remove it on exit.
  * Override maintainer-script-calls-systemctl lintian warnings
  * Don't start package downloads when shutdown has already started
  * Let unattended-upgrade run uninterrupted in shutdown mode until timeout
  * Fix indentation in test-systemd.py

[ Julian Andres Klode ]
  * Add a --download-only option (Closes: #863911) (LP: #1686470)
  * Fix PEP8 failures (replace except: with except Exception:)
    (Closes: #865897)

[ Steve Langasek ]
  * Add UbuntuESM to the list of sources automatically upgraded from by default
    (LP: #1687129)

[ Jonatan Nyberg ]
  * Update Swedish debconf strings (Closes: #855361)

[ Peter Lewis ]
  * Multiple typo fixes

[ Michael Vogt ]
  * add HACKING.md
  * add pep484 type hints
  * add spread test
  * Enable updates on Raspbian

[ John Horne ]
  * Blacklisted packages are now added to the pkgs_kept_back list.
  * Reduced instance of line too long.
  * Some typos corrected in the README file.
  * Fix for pep8 - closing bracket missing visual indentation
  * Added tests that blacklisted packages are mentioned in email messages.
  * Updated argument type comment for is_pkgname_in_blacklist function.

[ nachoparker ]
  * There is noRaspbian-Security label

unattended-upgrades (0.93.1+nmu2) unstable; urgency=medium

* Non-maintainer upload.
  * Fix PEP8 failures (replace except: with except Exception:)
    (Closes: #865897)

unattended-upgrades (0.93.1+nmu1) unstable; urgency=medium

* Non-maintainer upload.

[ Louis Bouchard ]
  * Fix the unattended-upgrades.service unit not correctly working:
    - d/rules : Remove the override_dh_installinit. The stop option is no longer
      available so the command falls back to default. This is the normal
      behavior so the override is not required
    - d/unattended-upgrades.init : Add Default-Start runlevels, otherwise the
      unattended-upgrades.service unit cannot be enabled on boot
    - d/postinst : Cleanup the stop symlinks created by the wrong
      override_dh_installinit. Without that, the systemd unit cannot be
      enabled correctly.
      Force disable the service before deb-systemd-helper runs so the old
      symlink is not left dangling (workaround for Debian Bug #797108).
      Force enable and start of the systemd unit to work around Debian Bug
      #797108 which fails to enable systemd units correctly when WantedBy=
      statement is changed which is the case here.
    - d/unattended-upgrades.service : Fix the service so it runs correctly on
      shutdown :
        Remove DefaultDependencies=no : Breaks normal shutdown dependencies
        Set After= to network.target and local-fs.target. Since our service is
        now ExecStop, it will run before network and local-fs become
        unavailable. Add RequiresMountsFor=/var/log /var/run /var/lib /boot :
        Necessary if /var is a separate file system. Set WantedBy= to
        multi-user.target
    - Add DEP8 tests to verify the following :
      Verify that the unattended-upgrades.service unit is enabled and started.
      Verify that InstallOnShutdown works when configured.
    (Closes: #809669)

unattended-upgrades (0.93.1ubuntu8) artful; urgency=medium

[ Steve Langasek ]
  * Cherry-pick 2e5deed, f26edb4 from upstream to add support for a
    --download-only option, enabling us to download updates at a random time
    of day by default but apply them predictably in the 6am-7am window.
    LP: #1686470.

unattended-upgrades (0.93.1ubuntu7) artful; urgency=medium

* Fix PEP8 failures (replace except: with except Exception:)

unattended-upgrades (0.93.1ubuntu6) artful; urgency=medium

* unattended-upgrades: Do not automatically upgrade the development release
    of Ubuntu unless Unattended-Upgrade::DevRelease is true. (LP: #1649709)

unattended-upgrades (0.93.1ubuntu5) artful; urgency=medium

* unattended-upgrades: Provide some information and create a log entry when
    there is a failure to parse the allowed origins. (LP: #1680599)

unattended-upgrades (0.93.1ubuntu4) artful; urgency=medium

* Add UbuntuESM to the list of sources automatically upgraded from by
    default.  LP: #1687129.

unattended-upgrades (0.93.1ubuntu3) artful; urgency=medium

* Complete the solution for the unattended-upgrades.service unit not
    correctly working (LP: #1654600):
    - d/rules : Remove the override_dh_installinit. The stop option is no longer
      available so the command falls back to default. This is the normal
      behavior so the override is not required
    - d/unattended-upgrades.init : Add Default-Start runlevels, otherwise the
      unattended-upgrades.service unit cannot be enabled on boot
    - d/postinst : Cleanup the stop symlinks created by the wrong
      override_dh_installinit. Without that, the systemd unit cannot be
      enabled correctly.
      Force disable the service before deb-systemd-helper runs so the old
      symlink is not left dangling (workaround for Debian Bug #797108).
      Force enable and start of the systemd unit to work around Debian Bug #797108
      which fails to enable systemd units correctly when WantedBy= statement
      is changed which is the case here.
    - d/unattended-upgrades.service : Fix the service so it runs correctly on
      shutdown :
        Remove DefaultDependencies=no : Breaks normal shutdown dependencies
        Set After= to network.target and local-fs.target. Since our service is
        now ExecStop, it will run before network and local-fs become unavailable.
        Add RequiresMountsFor=/var/log /var/run /var/lib /boot : Necessary if
        /var is a separate file system. Set WantedBy= to multi-user.target
    - Add DEP8 tests to verify the following :
      Verify that the unattended-upgrades.service unit is enabled and started.
      Verify that InstallOnShutdown works when configured.

unattended-upgrades (0.93.1ubuntu2) zesty; urgency=medium

* The systemd unit needs to be an ExecStop since it is is activated on
    shutdown. Otherwise, it will get scheduled after completion of
    the local-fs.target. In the case where /var is a separate
    filesystem, unattended-upgrade-shutdown will hang until timeout
    since /var/run is expected but no longer there (LP: #1654600)

unattended-upgrades (0.93.1ubuntu1) zesty; urgency=medium

[ Brian Murray ]
  * When performing a sanity check for packages to install or upgrade return
    false when either there are no packages in the cache or the package to
    upgrade is not in the change set. (LP: #1654070)
  * Do not mark packages for deletion / autoremoval if unattended-upgrades is
    being run in dry-run mode. (LP: #1544942)

[ Louis Bouchard ]
  * Store delay command line option as an int not a string since we do maths
    with it.

unattended-upgrades (0.93.1) unstable; urgency=medium

[ Brian Murray ]
  * Create logfile_dpkg if it doesn't exist
  * Make sure the statedir exists too
  * ensure network and local-fs are available in shutdown

[ Michael Vogt ]
  * fix incorrect "needrestart" package name, move to sugests
    (Closes: #844051, #846652)

[ Manuel "Venturi" Porras Peralta ]
  * [INTL:es] Spanish po translation (Closes: #817160)

[ Takuma Yamada ]
  * [INTL:ja] Japanese translation of po file update (Closes: #820755)

[ Jonatan Nyberg ]
  * [INTL:sv] Swedish strings for unattended-upgrades debconf (Closes: #822119)

[ Frans Spiesschaert ]
  * [INTL:nl] Dutch po file for the unattended-upgrades package
    (Closes: #823975)

unattended-upgrades (0.93) unstable; urgency=medium

[ Michael Vogt ]
  * Ensure to keep "automatic install" information (Closes: #828215)
  * add recommends to "need-restart" to ensure that all running serivces
    affected by library updates get restarted

[ Brian Murray ]
  * Update 50unattended-upgrades.Ubuntu

[ Germar Reitze ]
  * enable escaped colons in Unattended-Upgrade::Allowed-Origins
  * fix pep8 warning

unattended-upgrades (0.92) unstable; urgency=medium

[ Matt Bearup ]
  * Add support for logging to syslog

[ Raphael Geissert ]
  * Fix bug in minimal upgrade step calculation

unattended-upgrades (0.91) unstable; urgency=medium

* Updated japanese debconf templates.
    Thanks to Takuma Yamada (Closes: 815389)
  * Increase TimeoutStartSec in the shutdown script
  * Document how to set Dpkg::Options.
    Thanks to Matt Bearup
  * add Unattended-Upgrade::Update-Days config
  * [INTL:pt_BR] Brazilian Portuguese.
    Thanks to Adriano Rafael Gomes (Closes: #805460)

-- Balint Reczey <rbalint@ubuntu.com>  Thu, 21 Feb 2019 15:36:42 +0100

Changed in unattended-upgrades (Ubuntu Xenial):
status:	Fix Committed → Fix Released

	Status	Importance	Assigned to
unattended-upgrades (Ubuntu)	Fix Released	Undecided	Unassigned
Xenial	Fix Released	Undecided	Unassigned
Bionic	Fix Released	Undecided	Unassigned

Ubuntu
unattended-upgrades package

checking trust of archives eats a lot of cpu

Bug Description

Other bug subscribers

Bug attachments

Remote bug watches

Ubuntuunattended-upgrades package

checking trust of archives eats a lot of cpu

Bug Description

Other bug subscribers

Bug attachments

Remote bug watches

Ubuntu
unattended-upgrades package