linux-cloud-tools version specific packages are being removed by unattended-upgrade's Remove-Unused-Dependencies

Yes, indeed, the packages should be kept but 01autoremove-kernels is generated by /etc/kernel/postinst.d/apt-auto-removal which is shipped by apt.
Reassigning to apt.

I'm testing the fix for u-u right now that will rely on apt's one. The u-u fix will land soon in the git repository.

apt fix committed: https://anonscm.debian.org/cgit/apt/apt.git/commit/?id=923ba67464960940a19b24a341e896a9338161fb

This bug was fixed in the package unattended-upgrades - 1.0ubuntu1

---------------
unattended-upgrades (1.0ubuntu1) bionic; urgency=medium

  * Merge from Debian unstable
    - Remaining changes:
      - unattended-upgrades: Do not automatically upgrade the development
        release of Ubuntu unless Unattended-Upgrade::DevRelease is true.
    - Dropped changes, included in Debian:
      - Run upgrade-between-snapshots only on amd64.
        The test exercises only unattented-upgrade's Python code and uses
        dependencies from the frozen Debian snapshot archive thus running
        it on all architectures would provide little benefit.

unattended-upgrades (1.0) unstable; urgency=medium

  [ Simon Arlott ]
  * Revert sending mails on WARNINGS when in MailOnlyOnError mode"
  * Consider conffile prompts to be errors (Closes: #852465)
    Flag packages that have to be upgraded manually because of a conffile
    prompt and consider this to be an error when sending email or exiting.

  [ Simon McVittie ]
  * Add python, python3, setuptools, DistutilsExtra to Build-Depends.
    They are needed for `clean`, so Build-Depends-Indep is not enough.
  * Add .gitignore and debian/.gitignore
  * Remove bzr configuration.
    This is unnecessary now that u-u is in git.

  [ Michael Vogt ]
  * unattended-upgrades: tweak mail-on-warnings PR
  * unattended-upgrade: extract is_autoremove_valid helper

  [ Balint Reczey ]
  * Run upgrade-between-snapshots only on amd64.
    The test exercises only unattented-upgrade's Python code and uses
    dependencies from the frozen Debian snapshot archive thus running
    it on all architectures would provide little benefit.
  * Clean up processes started for getting md5 sums
  * Don't keep /var/lib/dpkg/status open multiple times
  * Adjust candidates in UnattendedUpgradesCache.open()
  * Perform autoremovals in minimal steps, too.
    Also add check to remove only the set of packages selected for autoremoval.
    Without that check unattended-upgrades when (by default) configured to
    remove newly unused packages could also remove auto removable packages
    which were unused before starting starting the upgrade step.
  * Remove unused automatically installed kernel packages
    (LP: #1357093, #1624644, #1675079, #1698159)
  * Stop including Python syntax in the report (Closes: #876796)
  * Do not auto remove packages related to the running kernel (LP: #1615381)
  * Check packages to be autoremoved against blacklists, whitelists.
    Also check if the packages are held.
  * Report package removals in the summary email (Closes: #876797)
  * Run upgrade-between-snapshots test with debugging enabled
  * Don't create new UnattendedUpgradesCache for checking for autoremovals
    .open() refreshes the state in each cache_commit(), this is enough
  * Update .pot and .po files
  * Update .travis.yml to actually build and test u-u from the repo
  * Run only a simple installation test on Travis, the system upgrade
    test was always failing

 -- Balint Reczey <email address hidden> Thu, 01 Mar 2018 17:29:33 +0700

This bug was fixed in the package apt - 1.6~beta1

---------------
apt (1.6~beta1) unstable; urgency=medium

  [ David Kalnischkies ]
  * allow the apt/lists/auxfiles/ directory to be missing (Closes: 887624)
  * add apt-helper drop-privs command…
  * restore gcc visibility=hidden for apt-private
  * ensure correct file permissions for auxfiles
  * allow the apt/lists/auxfiles/ directory to be missing (Closes: 887624)
  * add apt-helper drop-privs command…
  * restore gcc visibility=hidden for apt-private
  * ensure correct file permissions for auxfiles

  [ Julian Andres Klode ]
  * indexcopy: Copy uncompressed indices from cdrom again (LP: #1746807)
  * Work around test-method-mirror failure by setting umask at start
  * Check that Date of Release file is not in the future
  * apt.conf.autoremove: Add linux-cloud-tools to list (LP: #1698159)
  * indexcopy: Copy uncompressed indices from cdrom again (LP: #1746807)
  * Work around test-method-mirror failure by setting umask at start
  * Check that Date of Release file is not in the future
  * apt.conf.autoremove: Add linux-cloud-tools to list (LP: #1698159)

  [ Chris Leick ]
  * German manpage translation update
  * German manpage translation update

 -- Julian Andres Klode <email address hidden> Mon, 26 Feb 2018 13:14:13 +0100

Cherry-picked the change into xenial's 1.2.y branch for the next SRU. Will do that in trusty too.

We would need some SRU information here. Since this is part of the xenial apt SRU, we'd need to have reliable testing steps for verification of the update. Thank you!

Thanks! Would it be maybe possible to actually check if the cloud-tools packages aren't auto-removed by unattended-upgrades as well besides just looking at the APT::NeverAutoRemove rules?

Hello Ian, or anyone else affected,

Accepted apt into xenial-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/apt/1.2.28 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-xenial to verification-done-xenial. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-xenial. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Hi,

I installed apt 1.2.28 from proposed on a xenial server with the linux-cloud-tools packages installed and it added linux-cloud-tools to the VersionedKernelPackages section of /etc/apt/apt.conf.d/01autoremove.

It did not add linux-cloud-tools lines to the 01autoremove-kernels file. This did not occur until I upgraded the kernel to 4.4.0-137. After doing this the 01autoremove-kernels contains:

  "^linux-cloud-tools-4\.4\.0-134-generic$";
  "^linux-cloud-tools-4\.4\.0-137-generic$";

I confirmed that linux-cloud-tools package was also not auto removed.

So the new version of apt fixes the problem.

Regards,

Ian.

Hello Ian, or anyone else affected,

Accepted apt into xenial-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/apt/1.2.29 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-xenial to verification-done-xenial. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-xenial. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Marking verification-done-xenial again, this got reset by 1.2.29.

FWIW; I also retested: after upgrading apt to 1.2.29 in the xenial container, and rerunning the kernel hook that creates the file, I also see

   "^linux-cloud-tools-4\.18\.0-8-generic$";

in the list.

This bug was fixed in the package apt - 1.2.29

---------------
apt (1.2.29) xenial; urgency=medium

  * Set DPKG_FRONTEND_LOCKED when running {pre,post}-invoke scripts.
    Some post-invoke scripts install packages, which fails because
    the environment variable is not set. This sets the variable for
    all three kinds of scripts {pre,post-}invoke and pre-install-pkgs,
    but we will only allow post-invoke at a later time.
    (LP: #1796808)

apt (1.2.28) xenial; urgency=medium

  [ Julian Andres Klode ]
  * apt.conf.autoremove: Add linux-cloud-tools to list (LP: #1698159)
  * Add support for dpkg frontend lock (Closes: #869546) (LP: #1781169)
  * Set DPKG_FRONTEND_LOCKED as needed when doing selection changes
  * http: Stop pipeline after close only if it was not filled before
    (LP: #1794957)
  * pkgCacheFile: Only unlock in destructor if locked before (LP: #1794053)
  * Update libapt-pkg5.0 symbols for frontend locking

  [ David Kalnischkies ]
  * Support records larger than 32kb in 'apt show' (Closes: #905527)
    (LP: #1787120)

 -- Julian Andres Klode <email address hidden> Tue, 09 Oct 2018 12:35:03 +0200

The verification of the Stable Release Update for apt has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Hello Ian, or anyone else affected,

Accepted unattended-upgrades into xenial-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/unattended-upgrades/1.1ubuntu1.18.04.7~16.04.0 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-xenial to verification-done-xenial. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-xenial. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Hello Ian, or anyone else affected,

Accepted unattended-upgrades into xenial-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/unattended-upgrades/1.1ubuntu1.18.04.7~16.04.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-xenial to verification-done-xenial. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-xenial. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Hello Ian, or anyone else affected,

Accepted unattended-upgrades into xenial-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/unattended-upgrades/1.1ubuntu1.18.04.7~16.04.2 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-xenial to verification-done-xenial. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-xenial. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Tested with 1.1ubuntu1.18.04.7~16.04.2:

ubuntu@ubuntu-Standard-PC-i440FX-PIIX-1996:~$ sudo apt autoremove
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following packages will be REMOVED:
  feh libid3tag0 libimlib2 libjpeg-progs libjpeg9 linux-cloud-tools-4.15.0-39-generic linux-cloud-tools-common
  linux-hwe-cloud-tools-4.15.0-39
0 upgraded, 0 newly installed, 8 to remove and 192 not upgraded.
After this operation, 2.452 kB disk space will be freed.
Do you want to continue? [Y/n] n
Abort.
ubuntu@ubuntu-Standard-PC-i440FX-PIIX-1996:~$ sudo unattended-upgrade --dry-run --verbose --debug
Initial blacklisted packages:
Initial whitelisted packages:
Starting unattended upgrades script
Allowed origins are: o=Ubuntu,a=xenial, o=Ubuntu,a=xenial-security
Using (^linux-image-[0-9]+\.[0-9\.]+-.*|^linux-headers-[0-9]+\.[0-9\.]+-.*|^linux-image-extra-[0-9]+\.[0-9\.]+-.*|^linux-modules-[0-9]+\.[0-9\.]+-.*|^linux-modules-extra-[0-9]+\.[0-9\.]+-.*|^linux-signed-image-[0-9]+\.[0-9\.]+-.*|^kfreebsd-image-[0-9]+\.[0-9\.]+-.*|^kfreebsd-headers-[0-9]+\.[0-9\.]+-.*|^gnumach-image-[0-9]+\.[0-9\.]+-.*|^.*-modules-[0-9]+\.[0-9\.]+-.*|^.*-kernel-[0-9]+\.[0-9\.]+-.*|^linux-backports-modules-.*-[0-9]+\.[0-9\.]+-.*|^linux-modules-.*-[0-9]+\.[0-9\.]+-.*|^linux-tools-[0-9]+\.[0-9\.]+-.*|^linux-cloud-tools-[0-9]+\.[0-9\.]+-.*) regexp to find kernel packages
Using (^linux-image-4\.15\.0\-39\-generic$|^linux-headers-4\.15\.0\-39\-generic$|^linux-image-extra-4\.15\.0\-39\-generic$|^linux-modules-4\.15\.0\-39\-generic$|^linux-modules-extra-4\.15\.0\-39\-generic$|^linux-signed-image-4\.15\.0\-39\-generic$|^kfreebsd-image-4\.15\.0\-39\-generic$|^kfreebsd-headers-4\.15\.0\-39\-generic$|^gnumach-image-4\.15\.0\-39\-generic$|^.*-modules-4\.15\.0\-39\-generic$|^.*-kernel-4\.15\.0\-39\-generic$|^linux-backports-modules-.*-4\.15\.0\-39\-generic$|^linux-modules-.*-4\.15\.0\-39\-generic$|^linux-tools-4\.15\.0\-39\-generic$|^linux-cloud-tools-4\.15\.0\-39\-generic$) regexp to find running kernel packages
Checking: avahi-autoipd ([<Origin component:'main' archive:'xenial-updates' origin:'Ubuntu' label:'Ubuntu' site:'be.archive.ubuntu.com' isTrusted:True>, <Origin component:'main' archive:'xenial-security' origin:'Ubuntu' label:'Ubuntu' site:'security.ubuntu.com' isTrusted:True>])
Checking: avahi-daemon ([<Origin component:'main' archive:'xenial-updates' origin:'Ubuntu' label:'Ubuntu' site:'be.archive.ubuntu.com' isTrusted:True>, <Origin component:'main' archive:'xenial-security' origin:'Ubuntu' label:'Ubuntu' site:'security.ubuntu.com' isTrusted:True>])
...
All upgrades installed
marking linux-cloud-tools-common for removal
Keeping the following auto-removable package(s) because they include linux-cloud-tools-4.15.0-39-generic which package is related to the running kernel: linux-cloud-tools-4.15.0-39-generic linux-cloud-tools-common linux-hwe-cloud-tools-4.15.0-39
marking libjpeg-progs for removal
marking feh for removal
marking libjpeg9 for removal
marking libimlib2 for removal
marking linux-cloud-tools-4.15.0-39-generic for removal
Keeping the following auto-removable package(s) because they include linux-cloud-tools-4.15.0-39-ge...

@rbalint it says "Keeping the following auto-removable package(s) because they include linux-cloud-tools-4.15.0-39-generic which package is related to the running kernel: linux-cloud-tools-4.15.0-39-generic linux-cloud-tools-common linux-hwe-cloud-tools-4.15.0-39".

So if 4.15.0-39-generic was not the running kernel, those would have been removed, even if the kernel itself was protected?

I have Unattended-Upgrade::Remove-Unused-Dependencies set to default value (false) and u-u 1.1ubuntu1.18.04.7~16.04.2 did not remove linux-hwe-cloud-tools-* package related to non-running protected kernel either.

Related bug report: Bug #1607845

@jarnos(#20) The running kernel's related packages are protected by u-u. There are the packages protected by apt, which are also not offered for autoremoval, hence u-u would not remove them either.
When the kernel package for -39- is protected by apt in /etc/apt/apt.conf.d/01autoremove-kernels u-u does not remove it either.

This bug was fixed in the package unattended-upgrades - 1.1ubuntu1.18.04.7~16.04.2

---------------
unattended-upgrades (1.1ubuntu1.18.04.7~16.04.2) xenial; urgency=medium

  * Don't check blacklist too early and report updates from not allowed origins
    as kept back. (LP: #1781176)
  * test/test_blacklisted_wrong_origin.py: Fix and enable test
  * Filter out progress indicator from dpkg log (LP: #1599646)
  * Clear cache when autoremoval fails (LP: #1779157)
  * Find autoremovable kernel packages using the patterns in APT's way
    (LP: #1815494)

unattended-upgrades (1.1ubuntu1.18.04.7~16.04.1) xenial; urgency=medium

  * Start service after systemd-logind.service to be able to take inhibition
    lock (LP: #1806487)
  * Handle gracefully when logind is down (LP: #1806487)

unattended-upgrades (1.1ubuntu1.18.04.7~16.04.0) xenial; urgency=medium

  * Backport to Xenial (LP: #1702793)
  * Revert to build-depending on debhelper (>= 9~) and dh-systemd
  * Revert configuration example changes to avoid triggering a debconf question
  * debian/postinst: Update recovery to be triggered on Xenial's package versions

unattended-upgrades (1.1ubuntu1.18.04.7) bionic; urgency=medium

  * Trigger unattended-upgrade-shutdown actions with PrepareForShutdown()
    Performing upgrades in service's ExecStop did not work when the upgrades
    involved restarting services because systemd blocked other stop/start
    actions making maintainer scripts time out and be killed leaving a broken
    system behind.
    Running unattended-upgrades.service before shutdown.target as a oneshot
    service made it run after unmounting filesystems and scheduling services
    properly on shutdown is a complex problem and adding more services to the
    mix make it even more fragile.
    The solution of monitoring PrepareForShutdown() signal from DBus
    allows Unattended Upgrade to run _before_ the jobs related to shutdown are
    queued thus package upgrades can safely restart services without
    risking causing deadlocks or breaking part of the shutdown actions.
    Also ask running unattended-upgrades to stop when shutdown starts even in
    InstallOnShutdown mode and refactor most of unattended-upgrade-shutdown to
    UnattendedUpgradesShutdown class. (LP: #1778219)
  * Increase logind's InhibitDelayMaxSec to 30s. (LP: #1778219)
    This allows more time for unattended-upgrades to shut down gracefully
    or even install a few packages in InstallOnShutdown mode, but is still a
    big step back from the 30 minutes allowed for InstallOnShutdown previously.
    Users enabling InstallOnShutdown node are advised to increase
    InhibitDelayMaxSec even further possibly to 30 minutes.
    - Add NEWS entry about increasing InhibitDelayMaxSec and InstallOnShutdown
      changes
  * Ignore "W503 line break before binary operator"
    because it will become the best practice and breaks the build
  * Stop using ActionGroups, they interfere with apt.Cache.clear()
    causing all autoremovable packages to be handled as newly autoremovable
    ones and be removed by default. Dropping ActionGroup usage does not slow
    down the most frequent case of not having anything to upgrade a...