[Bug 2027694] Re: Bionic to Focal upgrade fails with fips-updates enabled
Jeff
2027694 at bugs.launchpad.net
Thu Jul 13 18:25:04 UTC 2023
The upgrade completed per the workaround above, but now I still cannot
re-enable fips-updates :(
~:robby # pro enable fips-updates
One moment, checking your subscription first
This will install the FIPS packages including security updates.
Warning: This action can take some time and cannot be undone.
Are you sure? (y/N) y
Updating package lists
Installing FIPS Updates packages
Stderr: E: Sub-process /usr/bin/dpkg returned an error code (1)
Stdout: Reading package lists...
Building dependency tree...
Reading state information...
The following packages were automatically installed and are no longer required:
dh-python flightgear-data-ai flightgear-data-all flightgear-data-base
flightgear-data-models flightgear-phi gdal-data geoclue geoclue-ubuntu-geoip
gir1.2-harfbuzz-0.0 libairspyhf0 libarmadillo8 libavcodec57 libavdevice57
libavfilter6 libavformat57 libavresample3 libavutil55 libbfio1 libbison-dev
...
Use 'apt autoremove' to remove them.
The following additional packages will be installed:
fips-initramfs-generic kcapi-tools libgcrypt20 libgcrypt20-hmac libkcapi1
libssl-dev libssl1.1 libssl1.1-hmac linux-fips linux-fips-headers-5.4.0-1080
linux-headers-5.4.0-1080-fips linux-headers-fips linux-image-5.4.0-1080-fips
linux-image-fips linux-image-hmac-5.4.0-1080-fips
linux-modules-5.4.0-1080-fips linux-modules-extra-5.4.0-1080-fips openssl
Suggested packages:
rng-tools libssl-doc fdutils linux-doc | linux-fips-source-5.4.0
linux-fips-tools
The following NEW packages will be installed:
fips-initramfs-generic kcapi-tools libgcrypt20-hmac libkcapi1 libssl1.1-hmac
linux-fips linux-fips-headers-5.4.0-1080 linux-headers-5.4.0-1080-fips
linux-headers-fips linux-image-5.4.0-1080-fips linux-image-fips
linux-image-hmac-5.4.0-1080-fips linux-modules-5.4.0-1080-fips
linux-modules-extra-5.4.0-1080-fips ubuntu-fips
The following packages will be upgraded:
libgcrypt20 libssl-dev libssl1.1 openssl
4 upgraded, 15 newly installed, 0 to remove and 5 not upgraded.
Need to get 84.9 MB of archives.
After this operation, 382 MB of additional disk space will be used.
...
Preparing to unpack .../15-libssl1.1-hmac_1.1.1f-1ubuntu2.fips.19_amd64.deb ...
Unpacking libssl1.1-hmac:amd64 (1.1.1f-1ubuntu2.fips.19) ...
Selecting previously unselected package libgcrypt20-hmac:amd64.
Preparing to unpack .../16-libgcrypt20-hmac_1.8.5-5ubuntu1.fips.1.7_amd64.deb ...
Unpacking libgcrypt20-hmac:amd64 (1.8.5-5ubuntu1.fips.1.7) ...
dpkg: error processing archive /tmp/apt-dpkg-install-MxU3Br/16-libgcrypt20-hmac_1.8.5-5ubuntu1.fips.1.7_amd64.deb (--unpack):
trying to overwrite '/usr/lib/x86_64-linux-gnu/.libgcrypt.so.20.hmac', which is the diverted version of '/lib/x86_64-linux-gnu/.libgcrypt.so.20.hmac'
Selecting previously unselected package ubuntu-fips.
Preparing to unpack .../17-ubuntu-fips_1.2.5+updates1_amd64.deb ...
Unpacking ubuntu-fips (1.2.5+updates1) ...
Errors were encountered while processing:
/tmp/apt-dpkg-install-MxU3Br/16-libgcrypt20-hmac_1.8.5-5ubuntu1.fips.1.7_amd64.deb
Stderr: E: Unmet dependencies. Try 'apt --fix-broken install' with no
packages (or specify a solution).
Stdout: Reading package lists...
Building dependency tree...
Reading state information...
ubuntu-fips is already the newest version (1.2.5+updates1).
You might want to run 'apt --fix-broken install' to correct these.
The following packages have unmet dependencies:
ubuntu-fips : Depends: libgcrypt20-hmac (>= 1.8.5-5ubuntu1.fips.1.4) but it is not going to be installed
Stderr: E: Unmet dependencies. Try 'apt --fix-broken install' with no
packages (or specify a solution).
Stdout: Reading package lists...
Building dependency tree...
Reading state information...
ubuntu-fips is already the newest version (1.2.5+updates1).
You might want to run 'apt --fix-broken install' to correct these.
The following packages have unmet dependencies:
ubuntu-fips : Depends: libgcrypt20-hmac (>= 1.8.5-5ubuntu1.fips.1.4) but it is not going to be installed
Stderr: E: Unmet dependencies. Try 'apt --fix-broken install' with no
packages (or specify a solution).
Stdout: Reading package lists...
Building dependency tree...
Reading state information...
ubuntu-fips is already the newest version (1.2.5+updates1).
You might want to run 'apt --fix-broken install' to correct these.
The following packages have unmet dependencies:
ubuntu-fips : Depends: libgcrypt20-hmac (>= 1.8.5-5ubuntu1.fips.1.4) but it is not going to be installed
Updating package lists
Could not enable FIPS Updates.
~:robby # apt autoremove -y
Reading package lists... Done
Building dependency tree
Reading state information... Done
You might want to run 'apt --fix-broken install' to correct these.
The following packages have unmet dependencies:
ubuntu-fips : Depends: libgcrypt20-hmac (>= 1.8.5-5ubuntu1.fips.1.4) but it is not installable
E: Unmet dependencies. Try 'apt --fix-broken install' with no packages (or specify a solution).
--
https://bugs.launchpad.net/bugs/2027694
Title:
Bionic to Focal upgrade fails with fips-updates enabled
Status in ubuntu-release-upgrader package in Ubuntu:
Confirmed
Bug description:
On a bionic VM with fips-updates enabled, do-release-upgrade starts
cascading failures about FIPS at a certain point. This is NOT a
duplicate of #1982543 that I can tell as that version of ubuntu-
release-upgrader is already published to "-updates" and my bionic host
is fully up to date. You can see below that I am using a newer version
(1:20.04.41):
```
Get:1318 http://us.archive.ubuntu.com/ubuntu focal-updates/main amd64 ubuntu-release-upgrader-gtk all 1:20.04.41 [9,364 B]
Get:1319 http://us.archive.ubuntu.com/ubuntu focal-updates/main amd64 ubuntu-release-upgrader-core all 1:20.04.41 [24.3 kB]
...
Setting up netbase (6.1) ...
Installing new version of config file /etc/services ...
Setting up tzdata (2023c-0ubuntu0.20.04.2) ...
Current default time zone: 'America/New_York'
Local time is now: Wed Jul 12 17:14:19 EDT 2023.
Universal Time is now: Wed Jul 12 21:14:19 UTC 2023.
Run 'dpkg-reconfigure tzdata' if you wish to change it.
Setting up libbsd0:amd64 (0.10.0-1) ...
Setting up libedit2:amd64 (3.1-20191231-1) ...
Setting up libopts25:amd64 (1:5.18.16-3) ...
Setting up ntp (1:4.2.8p12+dfsg-3ubuntu4.20.04.1) ...
Configuration file '/etc/ntp.conf'
==> Modified (by you or by a script) since installation.
==> Package distributor has shipped an updated version.
What would you like to do about it ? Your options are:
Y or I : install the package maintainer's version
N or O : keep your currently-installed version
D : show the differences between the versions
Z : start a shell to examine the situation
The default action is to keep your current version.
*** ntp.conf (Y/I/N/O/D/Z) [default=N] ? Y
Installing new version of config file /etc/ntp.conf ...
Warning from /etc/apparmor.d/usr.sbin.ntpd (/etc/apparmor.d/usr.sbin.ntpd line 19): apparmor_parser: File '/etc/apparmor.d/usr.sbin.ntpd' missing feature abi, falling back to default policy feature abi
ntp-systemd-netif.service is a disabled or a static unit not running, not starting it.
../crypto/fips/fips.c:151: OpenSSL internal error: FATAL FIPS SELFTEST FAILURE
Job for ntp.service failed because the control process exited with error code.
See "systemctl status ntp.service" and "journalctl -xe" for details.
invoke-rc.d: initscript ntp, action "start" failed.
● ntp.service - Network Time Service
Loaded: loaded (/lib/systemd/system/ntp.service; enabled; vendor preset: enabled)
Active: failed (Result: exit-code) since Thu 2023-07-13 09:09:08 EDT; 70ms ago
Docs: man:ntpd(8)
Process: 112082 ExecStart=/usr/lib/ntp/ntp-systemd-wrapper (code=exited, status=134)
Main PID: 2078 (code=exited, status=0/SUCCESS)
Jul 13 09:09:08 robby systemd[1]: Starting Network Time Service...
Jul 13 09:09:08 robby ntp-systemd-wrapper[112082]: ../crypto/fips/fips.c:151: OpenSSL internal error: FATAL FIPS SELFTEST FAILURE
Jul 13 09:09:08 robby ntp-systemd-wrapper[112082]: Aborted
Jul 13 09:09:08 robby systemd[1]: ntp.service: Control process exited, code=exited status=134
Jul 13 09:09:08 robby systemd[1]: ntp.service: Failed with result 'exit-code'.
Jul 13 09:09:08 robby systemd[1]: Failed to start Network Time Service.
invoke-rc.d: release upgrade in progress, error is not fatal
Setting up mount (2.34-0.1ubuntu9.4) ...
Setting up systemd (245.4-4ubuntu3.22) ...
Installing new version of config file /etc/systemd/journald.conf ...
Installing new version of config file /etc/systemd/logind.conf ...
Configuration file '/etc/systemd/resolved.conf'
==> Modified (by you or by a script) since installation.
==> Package distributor has shipped an updated version.
What would you like to do about it ? Your options are:
Y or I : install the package maintainer's version
N or O : keep your currently-installed version
D : show the differences between the versions
Z : start a shell to examine the situation
The default action is to keep your current version.
*** resolved.conf (Y/I/N/O/D/Z) [default=N] ?
Installing new version of config file /etc/systemd/system.conf ...
Installing new version of config file /etc/systemd/user.conf ...
Created symlink /etc/systemd/system/sysinit.target.wants/systemd-pstore.service → /lib/systemd/system/systemd-pstore.service.
../crypto/fips/fips.c:151: OpenSSL internal error: FATAL FIPS SELFTEST FAILURE
Aborted
dpkg: error processing package systemd (--configure):
installed systemd package post-installation script subprocess returned error exit status 134
../crypto/fips/fips.c:151: OpenSSL internal error: FATAL FIPS SELFTEST FAILURE
Exception during pm.DoInstall(): E:Sub-process /usr/bin/dpkg returned an error code (1)
../crypto/fips/fips.c:151: OpenSSL internal error: FATAL FIPS SELFTEST FAILURE
Could not install the upgrades
The upgrade has aborted. Your system could be in an unusable state. A
recovery will run now (dpkg --configure -a).
Please report this bug in a browser at
http://bugs.launchpad.net/ubuntu/+source/ubuntu-release-upgrader/+filebug
and attach the files in /var/log/dist-upgrade/ to the bug report.
E:Sub-process /usr/bin/dpkg returned an error code (1)
Setting up libgme0:amd64 (0.6.2-1build1) ...
Setting up libbrlapi0.7:amd64 (6.0+dfsg-4ubuntu6) ...
Setting up libpwquality-common (1.4.2-1build1) ...
Configuration file '/etc/security/pwquality.conf'
==> Modified (by you or by a script) since installation.
==> Package distributor has shipped an updated version.
What would you like to do about it ? Your options are:
Y or I : install the package maintainer's version
N or O : keep your currently-installed version
D : show the differences between the versions
Z : start a shell to examine the situation
The default action is to keep your current version.
*** pwquality.conf (Y/I/N/O/D/Z) [default=N] ?
Setting up libapt-pkg-perl (0.1.36build3) ...
Setting up libksba8:amd64 (1.3.5-2ubuntu0.20.04.2) ...
Setting up libexpat1:amd64 (2.2.9-1ubuntu0.6) ...
Setting up cpio (2.13+dfsg-2ubuntu0.3) ...
Setting up libgsf-1-common (1.14.46-1) ...
...
...<things proceed okay, and then stuff like this starts popping up>
...
Setting up e2fsprogs (1.45.5-2ubuntu1.1) ...
Installing new version of config file /etc/mke2fs.conf ...
update-initramfs: deferring update (trigger activated)
Created symlink /etc/systemd/system/timers.target.wants/e2scrub_all.timer → /lib/systemd/system/e2scrub_all.timer.
Created symlink /etc/systemd/system/default.target.wants/e2scrub_reap.service → /lib/systemd/system/e2scrub_reap.service.
e2scrub_all.service is a disabled or a static unit not running, not starting it.
../crypto/fips/fips.c:151: OpenSSL internal error: FATAL FIPS SELFTEST FAILURE
Setting up libnpth0:amd64 (1.6-1) ...
Setting up systemd (245.4-4ubuntu3.22) ...
../crypto/fips/fips.c:151: OpenSSL internal error: FATAL FIPS SELFTEST FAILURE
Aborted
dpkg: error processing package systemd (--configure):
installed systemd package post-installation script subprocess returned error exit status 134
Setting up libpeas-common (1.26.0-2) ...
Setting up libxcb-shm0:amd64 (1.14-2) ...
```