[Bug 2038915] Re: Don't ask debconf question when upgrading grub on cloud images

Thomas Bechtold 2038915 at bugs.launchpad.net
Thu Oct 12 12:45:47 UTC 2023


I thought I'd seen this on other releases than Focal, but it turns out that this only affects Focal Pro FIPS images. The latest good (working) image for Pro FIPS Focal has serial 20230613, the first bad (non-working) image has serial 20230614.
The change triggering this bug is https://git.launchpad.net/~cloudware/cloudware/+git/cpc_packaging.extra/commit/?id=a05127df84a038fec657f0302ec0de9636bbf915 .

The debconf entries look good (means empty) before calling
"apt-get dist-upgrade --assume-yes --allow-downgrades" which does trigger
a shim-signed downgrade. Here's part of the build log with some extra
debug messages:


+ echo 'XXXXXXXXXXXXXXXXXX BEFORE XXXXXXXXXXXXXXXXXX'
XXXXXXXXXXXXXXXXXX BEFORE XXXXXXXXXXXXXXXXXX
+ env DEBIAN_FRONTEND=noninteractive chroot /tmp/tmp.ZhjtEWnLTE debconf-show grub-pc
  grub-pc/partition_description:
  grub2/no_efi_extra_removable: false
  grub-pc/mixed_legacy_and_grub2: true
  grub-pc/postrm_purge_boot_grub: false
  grub-pc/timeout: 0
  grub2/unsigned_kernels_title:
  grub-efi/install_devices_disks_changed:
  grub-efi/install_devices_empty: false
  grub2/unsigned_kernels:
  grub-pc/install_devices_failed_upgrade: true
  grub-efi/partition_description:
  grub2/update_nvram: true
  grub-pc/install_devices_disks_changed:
  grub2/linux_cmdline_default: quiet splash
  grub-pc/kopt_extracted: false
  grub-efi/install_devices_failed: false
  grub-pc/chainload_from_menu.lst: true
  grub-pc/hidden_timeout: true
  grub2/kfreebsd_cmdline_default: quiet splash
  grub-pc/disk_description:
  grub-pc/install_devices:
  grub-efi/install_devices:
  grub2/kfreebsd_cmdline:
  grub2/linux_cmdline:
  grub-pc/install_devices_empty: false
  grub-pc/install_devices_failed: false
+ echo 'XXXXXXXXXXXXXXXXXX BEFORE END XXXXXXXXXXXXXXXXXX'
XXXXXXXXXXXXXXXXXX BEFORE END XXXXXXXXXXXXXXXXXX
+ env DEBIAN_FRONTEND=noninteractive chroot /tmp/tmp.ZhjtEWnLTE apt-get dist-upgrade --assume-yes --allow-downgrades
Reading package lists...
Building dependency tree...
Reading state information...
Calculating upgrade...
The following NEW packages will be installed:
  libgcrypt20-hmac libssl1.1-hmac
The following packages will be upgraded:
  libgcrypt20 libssl1.1 openssh-client openssh-server openssh-sftp-server
  openssl
The following packages will be DOWNGRADED:
  shim-signed
6 upgraded, 2 newly installed, 1 downgraded, 0 to remove and 0 not upgraded.
Need to get 3945 kB of archives.
After this operation, 631 kB disk space will be freed.
[snipped]
Preparing to unpack .../libgcrypt20_1.8.5-5ubuntu1.fips.1.4_amd64.deb ...
Unpacking libgcrypt20:amd64 (1.8.5-5ubuntu1.fips.1.4) over (1.8.5-5ubuntu1.1) ...
Setting up libgcrypt20:amd64 (1.8.5-5ubuntu1.fips.1.4) ...
[snipped]
Preparing to unpack .../0-libssl1.1_1.1.1f-1ubuntu2.fips.7.1_amd64.deb ...
Unpacking libssl1.1:amd64 (1.1.1f-1ubuntu2.fips.7.1) over (1.1.1f-1ubuntu2.19) ...
Preparing to unpack .../1-openssh-sftp-server_1%3a8.2p1-4ubuntu0.fips.0.2.1_amd64.deb ...
Unpacking openssh-sftp-server (1:8.2p1-4ubuntu0.fips.0.2.1) over (1:8.2p1-4ubuntu0.9) ...
Preparing to unpack .../2-openssh-server_1%3a8.2p1-4ubuntu0.fips.0.2.1_amd64.deb ...
Unpacking openssh-server (1:8.2p1-4ubuntu0.fips.0.2.1) over (1:8.2p1-4ubuntu0.9) ...
Preparing to unpack .../3-openssh-client_1%3a8.2p1-4ubuntu0.fips.0.2.1_amd64.deb ...
Unpacking openssh-client (1:8.2p1-4ubuntu0.fips.0.2.1) over (1:8.2p1-4ubuntu0.9) ...
Preparing to unpack .../4-openssl_1.1.1f-1ubuntu2.fips.7.1_amd64.deb ...
Unpacking openssl (1.1.1f-1ubuntu2.fips.7.1) over (1.1.1f-1ubuntu2.19) ...
dpkg: warning: downgrading shim-signed from 1.40.9+15.7-0ubuntu1 to 1.40.7+15.4-0ubuntu9
Preparing to unpack .../5-shim-signed_1.40.7+15.4-0ubuntu9_amd64.deb ...
Unpacking shim-signed (1.40.7+15.4-0ubuntu9) over (1.40.9+15.7-0ubuntu1) ...
Selecting previously unselected package libgcrypt20-hmac:amd64.
Preparing to unpack .../6-libgcrypt20-hmac_1.8.5-5ubuntu1.fips.1.4_amd64.deb ...
Unpacking libgcrypt20-hmac:amd64 (1.8.5-5ubuntu1.fips.1.4) ...
Selecting previously unselected package libssl1.1-hmac:amd64.
Preparing to unpack .../7-libssl1.1-hmac_1.1.1f-1ubuntu2.fips.7.1_amd64.deb ...
Unpacking libssl1.1-hmac:amd64 (1.1.1f-1ubuntu2.fips.7.1) ...
Setting up libssl1.1:amd64 (1.1.1f-1ubuntu2.fips.7.1) ...
Setting up shim-signed (1.40.7+15.4-0ubuntu9) ...
Trying to migrate /boot/efi into esp config
Installing grub to /var/lib/grub/esp.
Installing for x86_64-efi platform.
Installation finished. No error reported.
Installing grub to /var/lib/grub/esp.
Installing for x86_64-efi platform.
Installation finished. No error reported.
Setting up libssl1.1-hmac:amd64 (1.1.1f-1ubuntu2.fips.7.1) ...
update-initramfs: deferring update (trigger activated)
Setting up libgcrypt20-hmac:amd64 (1.8.5-5ubuntu1.fips.1.4) ...
update-initramfs: deferring update (trigger activated)
Setting up openssl (1.1.1f-1ubuntu2.fips.7.1) ...
Setting up openssh-client (1:8.2p1-4ubuntu0.fips.0.2.1) ...
Setting up openssh-sftp-server (1:8.2p1-4ubuntu0.fips.0.2.1) ...
Setting up openssh-server (1:8.2p1-4ubuntu0.fips.0.2.1) ...
Creating SSH2 RSA key; this may take some time ...
3072 SHA256:F/MYTq9OeNFiCdCQ0e6/mLpZwKN8upHQCwnJhnSOozc root at big-jaguar-ubuntu-bartender (RSA)
Creating SSH2 ECDSA key; this may take some time ...
256 SHA256:z10NTpfM0E6pu4lgwMtBqTGFd3Qqn37TDKSoUp1AA0A root at big-jaguar-ubuntu-bartender (ECDSA)
Creating SSH2 ED25519 key; this may take some time ...
256 SHA256:dXIrCEmoQiKb5GbOHM6UOl0//5tGO1c+G22Ly+ywSi8 root at big-jaguar-ubuntu-bartender (ED25519)
Running in chroot, ignoring request.
All runlevel operations denied by policy
invoke-rc.d: policy-rc.d denied execution of restart.
Processing triggers for ufw (0.36-6ubuntu1.1) ...
Processing triggers for systemd (245.4-4ubuntu3.22) ...
Processing triggers for man-db (2.9.1-1) ...
Processing triggers for libc-bin (2.31-0ubuntu9.12) ...
Processing triggers for initramfs-tools (0.136ubuntu6.7) ...
update-initramfs: Generating /boot/initrd.img-5.15.0-1047-aws
+ echo 'XXXXXXXXXXXXXXXXXX AFTER XXXXXXXXXXXXXXXXXX'
XXXXXXXXXXXXXXXXXX AFTER XXXXXXXXXXXXXXXXXX
+ env DEBIAN_FRONTEND=noninteractive chroot /tmp/tmp.ZhjtEWnLTE debconf-show grub-pc
  grub-pc/kopt_extracted: false
  grub-pc/install_devices_failed: false
  grub2/linux_cmdline:
  grub-pc/chainload_from_menu.lst: true
  grub-pc/install_devices_disks_changed:
  grub-pc/hidden_timeout: true
  grub2/kfreebsd_cmdline_default: quiet splash
  grub2/kfreebsd_cmdline:
* grub-efi/install_devices: /dev/disk/by-id/dm-name-loop3p15, /dev/disk/by-id/dm-name-loop3p15
  grub-efi/partition_description:
  grub2/unsigned_kernels_title:
  grub-pc/install_devices_empty: false
  grub-pc/disk_description:
  grub2/no_efi_extra_removable: false
  grub-efi/install_devices_disks_changed: /dev/disk/by-id/dm-name-loop3p15, /dev/disk/by-id/dm-name-loop3p15
  grub-pc/postrm_purge_boot_grub: false
  grub-pc/install_devices:
  grub-pc/install_devices_failed_upgrade: true
  grub-efi/install_devices_failed: false
  grub-efi/install_devices_empty: false
  grub2/unsigned_kernels:
  grub2/update_nvram: true
  grub2/linux_cmdline_default: quiet splash
  grub-pc/mixed_legacy_and_grub2: true
  grub-pc/partition_description:
  grub-pc/timeout: 0
+ echo 'XXXXXXXXXXXXXXXXXX AFTER END XXXXXXXXXXXXXXXXXX'
XXXXXXXXXXXXXXXXXX AFTER END XXXXXXXXXXXXXXXXXX


So shim-signed will be downgraded and that triggers the postinst script
which runs /usr/lib/grub/grub-multi-install if
/boot/grub/${grubarch}/core.efi exists (see
https://git.launchpad.net/ubuntu/+source/shim-signed/tree/debian/shim-signed.postinst?h=applied/ubuntu/focal-updates#n164 )

Given that this file (core.img) does exist when running shim-signed
postinst, this triggers the code path for "Trying to migrate /boot/efi
into esp config" which does set the debconf grub-efi/install_devices
entries. See
https://git.launchpad.net/ubuntu/+source/grub2/tree/debian/grub-multi-install?h=applied/ubuntu/focal-updates#n262 .

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to livecd-rootfs in Ubuntu.
https://bugs.launchpad.net/bugs/2038915

Title:
  Don't ask debconf question when upgrading grub on cloud images

Status in livecd-rootfs package in Ubuntu:
  New

Bug description:
  [ Impact ]
  Cloud images show a debconf prompt (see attachment) when upgrading some grub packages (e.g. grub-efi-amd64-signed). That's because the debconf entries are set wrongly during image build to:

  # debconf-show grub-pc | grep grub-efi/install_devices
    grub-efi/install_devices_disks_changed: /dev/disk/by-id/dm-name-loop3p15, /dev/disk/by-id/dm-name-loop3p15
  * grub-efi/install_devices: /dev/disk/by-id/dm-name-loop3p15, /dev/disk/by-id/dm-name-loop3p15
    grub-efi/install_devices_failed: false
    grub-efi/install_devices_empty: false

  
  Upgrade of the packages leads to a prompt for users or automation, which should be avoided.

  [ Test Plan ]
  * build image
  * check debconf-show grub-pc and check that "grub-efi/install_devices_disks_changed" and "grub-efi/install_devices" are both empty and both unseen.

  [ Where problems could occur ]
  -

  [ Other Info ]

  Reproducer on AWS is:

  - AWS_DEFAULT_REGION=us-east-1 aws ec2 run-instances --image-id ami-0d6c64aedaee5f74f --instance-type m6a.large --key-name toabctl
  - apt update && apt upgrade

  now the prompt is visible.
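
The test plan above as a build-time check, added here as an example (it is not part of the bug report or of livecd-rootfs). The function and sample names are hypothetical, the sample input is abridged from the BEFORE/AFTER log sections in this message, and treating a missing question as a failure is an assumption.

```shell
# Added example: reads `debconf-show grub-pc` output on stdin. A leading "*"
# marks a question as seen. Returns 1 if either watched question is seen,
# has a value, or is absent from the output.
check_grub_debconf() {
    awk '
        BEGIN {
            bad = 0
            want["grub-efi/install_devices"] = 1
            want["grub-efi/install_devices_disks_changed"] = 1
        }
        {
            line = $0
            seen = (line ~ /^[ \t]*\*/)
            sub(/^[ \t]*\*?[ \t]*/, "", line)      # drop marker and indent
            sep = index(line, ":")
            if (sep == 0) next
            name = substr(line, 1, sep - 1)
            if (!(name in want)) next              # exact match only
            value = substr(line, sep + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", value)
            found[name] = 1
            if (seen)        { print "FAIL " name ": marked seen"; bad = 1 }
            if (value != "") { print "FAIL " name ": set to " value; bad = 1 }
        }
        END {
            # Assumption: absent questions fail, so an empty run cannot pass.
            for (n in want) if (!(n in found)) { print "MISSING " n; bad = 1 }
            exit bad
        }
    '
}
# Abridged from the BEFORE / AFTER sections of the build log in this message.
sample_before() {
    cat <<'EOF'
  grub-efi/install_devices_disks_changed:
  grub-efi/install_devices_empty: false
  grub-efi/install_devices:
EOF
}
sample_after() {
    cat <<'EOF'
* grub-efi/install_devices: /dev/disk/by-id/dm-name-loop3p15, /dev/disk/by-id/dm-name-loop3p15
  grub-efi/install_devices_disks_changed: /dev/disk/by-id/dm-name-loop3p15, /dev/disk/by-id/dm-name-loop3p15
  grub-efi/install_devices_failed: false
EOF
}
sample_before | check_grub_debconf && echo "before dist-upgrade: clean"
sample_after | check_grub_debconf || echo "after dist-upgrade: upgrade would prompt"
```

In an image build the input would come from the same call the log shows, piped into the function: `chroot "$root" debconf-show grub-pc | check_grub_debconf`, where `$root` stands for the build's chroot path.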
