Bug #2038915 “Don't ask debconf question when upgrading grub on ...” : Bugs : cloud-images

Revision history for this message

Thomas Bechtold (toabctl) wrote on 2023-10-10:

#1

debconf prompt Edit (37.8 KiB, image/png)

Thomas Bechtold (toabctl) on 2023-10-10

Changed in livecd-rootfs (Ubuntu):
assignee:	nobody → Thomas Bechtold (toabctl)

Thomas Bechtold (toabctl) on 2023-10-10

summary:	- Don't show prompt when upgrading grub on cloud images + Don't show debconf prompt when upgrading grub on cloud images
summary:	- Don't show debconf prompt when upgrading grub on cloud images + Don't ask debconf question when upgrading grub on cloud images

Revision history for this message

Steve Langasek (vorlon) wrote on 2023-10-10: Re: Don't ask debconf question when upgrading grub on cloud images

#2

How far back are images affected by this? It is not a new thing that we will have updates to grub packages in the security pocket that need to be applied. Is this a mantic-specific regression, and should changes be made to the grub package to work around it for existing images?

Revision history for this message

Thomas Bechtold (toabctl) wrote on 2023-10-12 (last edit on 2023-10-13):

#3

Download full text (4.9 KiB)

I thought I've seen this on other releases than Focal, but it turns out that this only affect Focal Pro FIPS images. The latest good (working) image for Pro FIPS Focal has serial 20230613, the first bad (non-working) image has serial 20230614.
The change triggering this bug is https://git.launchpad.net/~cloudware/cloudware/+git/cpc_packaging.extra/commit/?id=a05127df84a038fec657f0302ec0de9636bbf915 .

The debconf entries look good (means empty) before calling "apt-get dist-upgrade --assume-yes --allow-downgrades" which does trigger a shim-signed downgrade. Here's part of the build log with some extra debug messages:

+ echo 'XXXXXXXXXXXXXXXXXX BEFORE XXXXXXXXXXXXXXXXXX'
XXXXXXXXXXXXXXXXXX BEFORE XXXXXXXXXXXXXXXXXX
+ env DEBIAN_FRONTEND=noninteractive chroot /tmp/tmp.ZhjtEWnLTE debconf-show grub-pc
  grub-pc/partition_description:
  grub2/no_efi_extra_removable: false
  grub-pc/mixed_legacy_and_grub2: true
  grub-pc/postrm_purge_boot_grub: false
  grub-pc/timeout: 0
  grub2/unsigned_kernels_title:
  grub-efi/install_devices_disks_changed:
  grub-efi/install_devices_empty: false
  grub2/unsigned_kernels:
  grub-pc/install_devices_failed_upgrade: true
  grub-efi/partition_description:
  grub2/update_nvram: true
  grub-pc/install_devices_disks_changed:
  grub2/linux_cmdline_default: quiet splash
  grub-pc/kopt_extracted: false
  grub-efi/install_devices_failed: false
  grub-pc/chainload_from_menu.lst: true
  grub-pc/hidden_timeout: true
  grub2/kfreebsd_cmdline_default: quiet splash
  grub-pc/disk_description:
  grub-pc/install_devices:
  grub-efi/install_devices:
  grub2/kfreebsd_cmdline:
  grub2/linux_cmdline:
  grub-pc/install_devices_empty: false
  grub-pc/install_devices_failed: false
+ echo 'XXXXXXXXXXXXXXXXXX BEFORE END XXXXXXXXXXXXXXXXXX'
XXXXXXXXXXXXXXXXXX BEFORE END XXXXXXXXXXXXXXXXXX
+ env DEBIAN_FRONTEND=noninteractive chroot /tmp/tmp.ZhjtEWnLTE apt-get dist-upgrade --assume-yes --allow-downgrades
Reading package lists...
Building dependency tree...
Reading state information...
Calculating upgrade...
The following NEW packages will be installed:
  libgcrypt20-hmac libssl1.1-hmac
The following packages will be upgraded:
  libgcrypt20 libssl1.1 openssh-client openssh-server openssh-sftp-server
  openssl
The following packages will be DOWNGRADED:
  shim-signed
6 upgraded, 2 newly installed, 1 downgraded, 0 to remove and 0 not upgraded.
Need to get 3945 kB of archives.
After this operation, 631 kB disk space will be freed.
[snipped]
Setting up shim-signed (1.40.7+15.4-0ubuntu9) ...
Trying to migrate /boot/efi into esp config
Installing grub to /var/lib/grub/esp.
Installing for x86_64-efi platform.
Installation finished. No error reported.
Installing grub to /var/lib/grub/esp.
Installing for x86_64-efi platform.
Installation finished. No error reported.
[snipped]
+ echo 'XXXXXXXXXXXXXXXXXX AFTER XXXXXXXXXXXXXXXXXX'
XXXXXXXXXXXXXXXXXX AFTER XXXXXXXXXXXXXXXXXX
+ env DEBIAN_FRONTEND=noninteractive chroot /tmp/tmp.ZhjtEWnLTE debconf-show grub-pc
  grub-pc/kopt_extracted: false
  grub-pc/install_devices_failed: false
  grub2/linux_cmdline:
  grub-pc/chainload_from_menu.lst: true
  grub-pc/install_devices_disks_changed:
  grub-pc/hidden_timeout...

I thought I've seen this on other releases than Focal, but it turns out that this only affect Focal Pro FIPS images. The latest good (working) image for Pro FIPS Focal has serial 20230613, the first bad (non-working) image has serial 20230614.
The change triggering this bug is https://git.launchpad.net/~cloudware/cloudware/+git/cpc_packaging.extra/commit/?id=a05127df84a038fec657f0302ec0de9636bbf915 .

The debconf entries look good (means empty) before calling "apt-get dist-upgrade --assume-yes --allow-downgrades" which does trigger a shim-signed downgrade. Here's part of the build log with some extra debug messages:

+ echo 'XXXXXXXXXXXXXXXXXX BEFORE XXXXXXXXXXXXXXXXXX'
XXXXXXXXXXXXXXXXXX BEFORE XXXXXXXXXXXXXXXXXX
+ env DEBIAN_FRONTEND=noninteractive chroot /tmp/tmp.ZhjtEWnLTE debconf-show grub-pc
  grub-pc/partition_description:
  grub2/no_efi_extra_removable: false
  grub-pc/mixed_legacy_and_grub2: true
  grub-pc/postrm_purge_boot_grub: false
  grub-pc/timeout: 0
  grub2/unsigned_kernels_title:
  grub-efi/install_devices_disks_changed:
  grub-efi/install_devices_empty: false
  grub2/unsigned_kernels:
  grub-pc/install_devices_failed_upgrade: true
  grub-efi/partition_description:
  grub2/update_nvram: true
  grub-pc/install_devices_disks_changed:
  grub2/linux_cmdline_default: quiet splash
  grub-pc/kopt_extracted: false
  grub-efi/install_devices_failed: false
  grub-pc/chainload_from_menu.lst: true
  grub-pc/hidden_timeout: true
  grub2/kfreebsd_cmdline_default: quiet splash
  grub-pc/disk_description:
  grub-pc/install_devices:
  grub-efi/install_devices:
  grub2/kfreebsd_cmdline:
  grub2/linux_cmdline:
  grub-pc/install_devices_empty: false
  grub-pc/install_devices_failed: false
+ echo 'XXXXXXXXXXXXXXXXXX BEFORE END XXXXXXXXXXXXXXXXXX'
XXXXXXXXXXXXXXXXXX BEFORE END XXXXXXXXXXXXXXXXXX
+ env DEBIAN_FRONTEND=noninteractive chroot /tmp/tmp.ZhjtEWnLTE apt-get dist-upgrade --assume-yes --allow-downgrades
Reading package lists...
Building dependency tree...
Reading state information...
Calculating upgrade...
The following NEW packages will be installed:
  libgcrypt20-hmac libssl1.1-hmac
The following packages will be upgraded:
  libgcrypt20 libssl1.1 openssh-client openssh-server openssh-sftp-server
  openssl
The following packages will be DOWNGRADED:
  shim-signed
6 upgraded, 2 newly installed, 1 downgraded, 0 to remove and 0 not upgraded.
Need to get 3945 kB of archives.
After this operation, 631 kB disk space will be freed.
[snipped]
Setting up shim-signed (1.40.7+15.4-0ubuntu9) ...
Trying to migrate /boot/efi into esp config
Installing grub to /var/lib/grub/esp.
Installing for x86_64-efi platform.
Installation finished. No error reported.
Installing grub to /var/lib/grub/esp.
Installing for x86_64-efi platform.
Installation finished. No error reported.
[snipped]
+ echo 'XXXXXXXXXXXXXXXXXX AFTER XXXXXXXXXXXXXXXXXX'
XXXXXXXXXXXXXXXXXX AFTER XXXXXXXXXXXXXXXXXX
+ env DEBIAN_FRONTEND=noninteractive chroot /tmp/tmp.ZhjtEWnLTE debconf-show grub-pc
  grub-pc/kopt_extracted: false
  grub-pc/install_devices_failed: false
  grub2/linux_cmdline:
  grub-pc/chainload_from_menu.lst: true
  grub-pc/install_devices_disks_changed:
  grub-pc/hidden_timeout: true
  grub2/kfreebsd_cmdline_default: quiet splash
  grub2/kfreebsd_cmdline:
* grub-efi/install_devices: /dev/disk/by-id/dm-name-loop3p15, /dev/disk/by-id/dm-name-loop3p15
  grub-efi/partition_description:
  grub2/unsigned_kernels_title:
  grub-pc/install_devices_empty: false
  grub-pc/disk_description:
  grub2/no_efi_extra_removable: false
  grub-efi/install_devices_disks_changed: /dev/disk/by-id/dm-name-loop3p15, /dev/disk/by-id/dm-name-loop3p15
  grub-pc/postrm_purge_boot_grub: false
  grub-pc/install_devices:
  grub-pc/install_devices_failed_upgrade: true
  grub-efi/install_devices_failed: false
  grub-efi/install_devices_empty: false
  grub2/unsigned_kernels:
  grub2/update_nvram: true
  grub2/linux_cmdline_default: quiet splash
  grub-pc/mixed_legacy_and_grub2: true
  grub-pc/partition_description:
  grub-pc/timeout: 0
+ echo 'XXXXXXXXXXXXXXXXXX AFTER END XXXXXXXXXXXXXXXXXX'
XXXXXXXXXXXXXXXXXX AFTER END XXXXXXXXXXXXXXXXXX

So shim-signed will be downgraded and that triggers the postinst script which runs  /usr/lib/grub/grub-multi-install if /boot/grub/${grubarch}/core.efi exists (see https://git.launchpad.net/ubuntu/+source/shim-signed/tree/debian/shim-signed.postinst?h=applied/ubuntu/focal-updates#n164 )

Given that this file (core.img) does exist when running shim-signed postinst, this triggers the code path for "Trying to migrate /boot/efi into esp config" which does set the debconf grub-efi/install_devices entries. See https://git.launchpad.net/ubuntu/+source/grub2/tree/debian/grub-multi-install?h=applied/ubuntu/focal-updates#n262 .

A possible fix would be, to move /boot/grub/${grubarch}/core.efi away before shim-signed will be downgraded and move it back after the downgrade. but that feels like a hack.
Any better ideas?

Thomas Bechtold (toabctl) on 2023-10-13

affects:	livecd-rootfs (Ubuntu) → cloud-images
summary:	- Don't ask debconf question when upgrading grub on cloud images + Don't ask debconf question when upgrading grub on cloud Focal Pro FIPS + images

Thomas Bechtold (toabctl) on 2023-10-19

Changed in cloud-images:
importance:	Undecided → High
status:	New → Fix Committed

cloud-images

Don't ask debconf question when upgrading grub on cloud Focal Pro FIPS images

Bug Description

Other bug subscribers

Bug attachments

Remote bug watches