Ubuntu
apt package

size mismatch error if request of unknown size is larger than others

  1. Groovy (20.10)
  2. Bug #1921626
Bug #1921626 reported by Rossen
8
This bug affects 1 person
Affects Status Importance Assigned to Milestone
apt (Ubuntu)
Fix Released
Undecided
Unassigned
Bionic
Fix Released
Undecided
Unassigned
Focal
Fix Released
Undecided
Unassigned
Groovy
New
Undecided
Unassigned
Hirsute
Fix Released
Undecided
Unassigned

Bug Description

[Impact]

Downloads fail if:

- there is at least one package each with Size and no size on a mirror
- a package without a Size field is larger than a package with a Size field that's currently in the pipeline

Also, this was silent, we need to add an error so people fix repos. For hirsute and earlier, this is a warning; for hirsute+1 it's an error so people's CI fails on them and doesn't "succeed with warnings"

[Test plan]

We have included a test case in the apt integration tests, which downloads three packages a, b, c where b is largest and has no Size field. With 2.2.2, it fails; with 2.2.3 it succceeds.

We have also added a test case that a warning is shown.

[Where problems could occur]
Problems can only occur if you try to download packages without a Size field, as that is the only place code changes (adding code guarded with if ... Size ... == 0; 0 being unknown size).

[Other changes]
2.2.3 includes the same change as 2.2.2ubuntu1

[Original bug report]

1) Ubuntu 18.04.5 LTS

2) apt 1.6.12ubuntu0.2

3) What you expected to happen

I set a custom set of repositories in /etc/apt/sources.list and then I run "apt install <list of packages>". I expect the command to download and install the packages.

4) What happened instead

"apt install ..." fails during the download phase with "File has unexpected size ...."

5) What I've established trying to debug the issue:

- Disabling http pipelining resolves the issue: "apt -oAcquire::http::Pipeline-Depth=0 install ..."
- All the packages, and repo metadata in the referenced repositories is correct
- The issue is easily reproducible in my setup with different repositories
- tcpdump shows that requests and responses are in the correct order, and contain the correct data

More details about the issue: https://projects.theforeman.org/issues/32178

With all the above in mind, it appears that this must be a bug in apt's http pipeline handling.
It seem that apt is trying to match a request to do wrong response, and size doesn't match.

I've attached an example log, where the error pops up for multiple packages, and they all appear to be compared to one size (86464 bytes). That size is correct for one of the package being downloaded, but somehow apt is trying to match to multiple other packages.

See original description
Revision history for this message
Rossen (rgpio) wrote :
Revision history for this message
Julian Andres Klode (juliank) wrote :

Please let me know if you can reproduce this with 2.2.2 in hirsute. No changes can be made to the http method in stable releases, as it's super fragile - Every time we make changes, something else breaks.

Changed in apt (Ubuntu):
status: New → Incomplete
Revision history for this message
Julian Andres Klode (juliank) wrote :

Managing to get a reproducer for HTTP issues more than a couple of hours has not really worked so far, and most people's reproducers don't work. It's highly subjective to network latency and MTU afaict.

Revision history for this message
David Kalnischkies (donkult) wrote :

> I've attached an example log, where the error pops up for multiple packages, and they all appear to be compared to one size (86464 bytes).

just for the record: This is a misunderstanding. If apt does pipelining it searches in the requests it made for the file this response is for. If no request matches the size the error shows the last tried size (aka of the last file in the queue).

I wonder a bit why Filesize isn't included in the message as internally it is implemented as a (very weak) hash, but that might be due to the apt version… I am not remembering ATM how it worked back then.

I am also a bit worried about the screenshot in the referred bugreport as that shows two different servers replying (Apache vs some python via a proxy).

And last not least: The sizes given in the HTTP request logs for python3-zmq (which failed in that example) shown in /var/log/httpd/foreman_access.log and /var/log/messages do not match (254232 vs 254454).

Revision history for this message
Rossen (rgpio) wrote :

> I am also a bit worried about the screenshot in the referred bugreport as that shows two different servers replying (Apache vs some python via a proxy).

The saltstack repository is served by pulp, so client -> httpd -> pulp. I've verified that httpd responds with correctly. Not sure why pulpcore response is slightly larger, maybe something to do with wsgi.

> Please let me know if you can reproduce this with 2.2.2 in hirsute

I don't have that mirrored, but I have focal, and I could not reproduce. Apt 2.0.2

Revision history for this message
Julian Andres Klode (juliank) wrote :

> I don't have that mirrored, but I have focal, and I could not reproduce. Apt 2.0.2

There have been no relevant changes between 1.6.y and 2.0.y, so it really should reproduce with both of them or none of them.

But you have to be careful that the download is _exactly_ the same, usually by pointing new apt at the older system state, otherwise you might have lost your reproducer.

But yeah, this "comes and goes" is why we're not making much progress on HTTP bugs.

Revision history for this message
Rossen (rgpio) wrote :

With help from @juliank, I was able to transfer the state from my bionic box to focal, and hirsute. Issue reproduces on all of them. On hirsute, apt is 2.2.1. Where do we go from here?

Revision history for this message
Julian Andres Klode (juliank) wrote :

We tracked this down to the Pulp repository not having Size fields. While this is a broken repository, APT should also more gracefully handle that situation, either by warning about missing Size values, erroring out, disabling pipelining; or by fixing pipelining to behave if we don't know the size in advance.

Changed in apt (Ubuntu):
status: Incomplete → Triaged
Revision history for this message
Julian Andres Klode (juliank) wrote :

I tracked it down further today, accidentally finding a reproducer. In methods/http.cc we check for Req.DownloadSize > Req.MaximumSize and fail with an error if that's the case; hence ensuring our download was within the allowed range for the request.

The issue is that Req.MaximumSize is calculated by BaseHttpMethod::FindMaximumObjectSizeInQueue as the maximum of all maximum sizes in the queue; and requests with unknown sizes are encoded as 0, so FindMaximumObjectSizeInQueue() will return any other size that is not 0, despite the 0 meaning "unknown". The fix is to return 0 if any maximum size is 0.

Julian Andres Klode (juliank)
summary: - apt install - File has unexpected size - http pipeline
+ size mismatch error if request of unknown size is larger than others
Julian Andres Klode (juliank)
Changed in apt (Ubuntu Hirsute):
status: Triaged → Fix Committed
Julian Andres Klode (juliank)
description: updated
description: updated
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apt - 2.2.3

---------------
apt (2.2.3) unstable; urgency=medium

  * tests: Check for and discard expected warning from MaybeAddAuth. For some
    reason, this was only noticed with LTO enabled, but should be a general
    issue.
  * Fix downloads of unsized files that are largest in pipeline (LP: #1921626)
  * Warn on packages without a Size field. Such repositories are broken and
    need to be fixed, as we do not test apt against them, see the bug above
    for more details. Set Acquire::AllowUnsizedPackages to disable the
    warning.

 -- Julian Andres Klode <email address hidden> Tue, 13 Apr 2021 17:53:32 +0200

Changed in apt (Ubuntu Hirsute):
status: Fix Committed → Fix Released
Revision history for this message
Karthik (knzivid) wrote :

Will this fix be packported to bionic and focal?

Revision history for this message
Julian Andres Klode (juliank) wrote :

Yes, see the tasks.

Julian Andres Klode (juliank)
description: updated
Revision history for this message
Brian Murray (brian-murray) wrote : Please test proposed package

Hello Rossen, or anyone else affected,

Accepted apt into focal-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/apt/2.0.6 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-focal to verification-done-focal. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-focal. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in apt (Ubuntu Focal):
status: New → Fix Committed
tags: added: verification-needed verification-needed-focal
Changed in apt (Ubuntu Bionic):
status: New → Fix Committed
tags: added: verification-needed-bionic
Revision history for this message
Brian Murray (brian-murray) wrote :

Hello Rossen, or anyone else affected,

Accepted apt into bionic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/apt/1.6.14 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-bionic to verification-done-bionic. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-bionic. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Revision history for this message
Ubuntu SRU Bot (ubuntu-sru-bot) wrote : Autopkgtest regression report (apt/1.6.14)

All autopkgtests for the newly accepted apt (1.6.14) for bionic have finished running.
The following regressions have been reported in tests triggered by the package:

apport/2.20.9-0ubuntu7.24 (amd64)

Please visit the excuses page listed below and investigate the failures, proceeding afterwards as per the StableReleaseUpdates policy regarding autopkgtest regressions [1].

https://people.canonical.com/~ubuntu-archive/proposed-migration/bionic/update_excuses.html#apt

[1] https://wiki.ubuntu.com/StableReleaseUpdates#Autopkgtest_Regressions

Thank you!

Revision history for this message
Ubuntu SRU Bot (ubuntu-sru-bot) wrote : Autopkgtest regression report (apt/2.0.6)

All autopkgtests for the newly accepted apt (2.0.6) for focal have finished running.
The following regressions have been reported in tests triggered by the package:

reprotest/0.7.14 (ppc64el)
apport/2.20.11-0ubuntu27.18 (amd64)

Please visit the excuses page listed below and investigate the failures, proceeding afterwards as per the StableReleaseUpdates policy regarding autopkgtest regressions [1].

https://people.canonical.com/~ubuntu-archive/proposed-migration/focal/update_excuses.html#apt

[1] https://wiki.ubuntu.com/StableReleaseUpdates#Autopkgtest_Regressions

Thank you!

Revision history for this message
Julian Andres Klode (juliank) wrote :

autopkgtests for apt itself have passed, verifying the fix. We still battle with one apport regression on focal, but it seems unrelated - they've failed before.

tags: added: verification-done verification-done-bionic verification-done-focal
removed: verification-needed verification-needed-bionic verification-needed-focal
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apt - 2.0.6

---------------
apt (2.0.6) focal; urgency=medium

  * RunScripts: Do not reset SIGQUIT and SIGINT to SIG_DFL (LP: #1898026)
  * test suite fix: Check for and discard expected warning from MaybeAddAuth
  * Fix downloads of unsized files that are largest in pipeline (LP: #1921626),
    and warn about packages without size (option Acquire::AllowUnsizedPackages)
  * JSON hooks 0.2 and assorted JSON bugfixes (LP: #1926150)
    - encoder fixes:
      + json: Escape strings using \u escape sequences, add test
      + json: Actually pop states
      + json: Encode NULL strings as null
    - json: Flush standard file descriptors before calling hooks
      (this avoids output from hooks in middle of apt output)
    - non-code changes:
      + test/json: Make the test hook more reliable
      + Fix a typo in json-hooks-protocol.md (thanks to Brian Murray)
    - semantic changes (new fields, hooks, and protocol 0.2):
      + json: Add origins fields to version
      + upgrade: Add JSON hook support (AptCli::Hooks::Upgrade)
      + json: Add `package-list` and `statistics` install hooks
      + json: Hook protocol 0.2 (added upgrade,downgrade,reinstall modes)
    + Fix a typo in json-hooks-protocol.md (thanks to Brian Murray)
  * Avoid infinite loop on EOF on media change prompt (LP: #1928687)

 -- Julian Andres Klode <email address hidden> Tue, 15 Jun 2021 13:05:46 +0200

Changed in apt (Ubuntu Focal):
status: Fix Committed → Fix Released
Revision history for this message
Brian Murray (brian-murray) wrote : Update Released

The verification of the Stable Release Update for apt has completed successfully and the package is now being released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apt - 1.6.14

---------------
apt (1.6.14) bionic; urgency=medium

  * RunScripts: Do not reset SIGQUIT and SIGINT to SIG_DFL (LP: #1898026)
  * Fix downloads of unsized files that are largest in pipeline (LP: #1921626),
    and warn about packages without size (option Acquire::AllowUnsizedPackages)
  * JSON hooks 0.2 and assorted JSON bugfixes (LP: #1926150)
    - encoder fixes:
      + json: Escape strings using \u escape sequences, add test
      + json: Actually pop states
      + json: Encode NULL strings as null
    - json: Flush standard file descriptors before calling hooks
      (this avoids output from hooks in middle of apt output)
    - Minor fixes to include and C++ namespaces
    - non-code changes:
      + test/json: Make the test hook more reliable
      + Fix a typo in json-hooks-protocol.md (thanks to Brian Murray)
    - semantic changes (new fields, hooks, and protocol 0.2):
      + json: Add origins fields to version
      + upgrade: Add JSON hook support (AptCli::Hooks::Upgrade)
      + json: Add `package-list` and `statistics` install hooks
      + json: Hook protocol 0.2 (added upgrade,downgrade,reinstall modes)
    + Fix a typo in json-hooks-protocol.md (thanks to Brian Murray)
  * Avoid infinite loop on EOF on media change prompt (LP: #1928687)

 -- Julian Andres Klode <email address hidden> Tue, 15 Jun 2021 16:12:38 +0200

Changed in apt (Ubuntu Bionic):
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.