Ubuntu
systemd package

DynamicUser=1 doesn't get along with services that need dbus-daemon

Bug #1969976 reported by Mario Limonciello
66
This bug affects 10 people
Affects Status Importance Assigned to Milestone
Fwupd
Fix Released
Unknown
OEM Priority Project
Fix Committed
High
Yuan-Chen Cheng
systemd
New
Unknown
fwupd (Ubuntu)
Fix Released
Undecided
Unassigned
Focal
Fix Released
Undecided
Unassigned
Impish
Won't Fix
Undecided
Unassigned
Jammy
Fix Released
Undecided
Yuan-Chen Cheng
systemd (Ubuntu)
Won't Fix
Undecided
Unassigned
Focal
Won't Fix
Undecided
Unassigned
Impish
Won't Fix
Undecided
Unassigned
Jammy
Won't Fix
Undecided
Unassigned

Bug Description

Updating to systemd 245.4-4ubuntu3.16 has caused a regression in Ubuntu 20.04, that fwupd-refresh.service always fails to run.

This has been root caused down to the changes in https://bugs.launchpad.net/ubuntu/+source/accountsservice/+bug/1871538

Unfortunately this is an upstream issue introduced by stable systemd.
https://github.com/systemd/systemd/issues/22737

The problem also occurs in Ubuntu 22.04 with a newer systemd release.
As discussed in https://bugs.launchpad.net/ubuntu/+source/accountsservice/+bug/1871538/comments/61 it's a tradeoff of issues. So within Ubuntu something probably needs to be done about fwupd-refresh.service.

One proposal is to remove DynamicUser=yes from the systemd unit, but this will mean fwupdgmr refresh runs as root. It's relatively sandboxed by other security mechanisms, but still not ideal. Could we repurpose any other service account? Or alternatively we can make a new fwupd service account that this systemd unit uses.

Bug Watch Updater (bug-watch-updater)
Changed in fwupd:
status: Unknown → New
Changed in systemd:
status: Unknown → New
Lukas Märdian (slyon)
tags: added: rls-kk-incoming
Revision history for this message
Lukas Märdian (slyon) wrote :

Yes, I think we could create a new user for fwupd, similar to how it is done in systemd-oomd.postinst (https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/tree/debian/systemd-oomd.postinst?h=ubuntu-jammy) and then use a "User=fwupd" configuration in fwupd-refresh.service.

Bug Watch Updater (bug-watch-updater)
Changed in fwupd:
status: New → Fix Released
Revision history for this message
Mario Limonciello (superm1) wrote :

OK, so upstream here is what we have done (pretty much your suggested W/A).

main:
https://github.com/fwupd/fwupd/commit/7b0d6bc6e03381544e3fb1836c177d492c9d0bbc
https://github.com/fwupd/fwupd/commit/e90b04d7319874db36c06245ab07858589ce8bc8
https://github.com/fwupd/fwupd/commit/f818404d817f6f36699807424cd1d9b84c9be752

backported to 1_7_X (which can SRU to Ubuntu):
https://github.com/fwupd/fwupd/commit/e6ea2916b1f7e1b26eefd6e2e762a9a26492ffaa
https://github.com/fwupd/fwupd/commit/3c72bcc181470c5a9f1f01fbd9826fa6f7e37cc1
https://github.com/fwupd/fwupd/commit/7bb2f00ca96fb23f7de88c64353916436b2504bb

Revision history for this message
Lukas Märdian (slyon) wrote :

Thank you for getting it fixed upstream and getting the package synced into Ubuntu kinetic-proposed!

We should SRU this fix back to the other affected series.
Also, I'll mark the systemd component as WONTFIX, as we want to apply your upstream fwupd fix (not wait on upstream systemd)

Changed in systemd (Ubuntu):
status: New → Won't Fix
Changed in systemd (Ubuntu Focal):
status: New → Won't Fix
Changed in systemd (Ubuntu Impish):
status: New → Won't Fix
Changed in systemd (Ubuntu Jammy):
status: New → Won't Fix
Lukas Märdian (slyon)
tags: added: fr-2353
tags: removed: rls-kk-incoming
Mario Limonciello (superm1)
Changed in fwupd (Ubuntu):
status: New → Fix Committed
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package fwupd - 1.7.7-1ubuntu2

---------------
fwupd (1.7.7-1ubuntu2) kinetic; urgency=medium

  * d/t/ci: don't stderr-fail the autopkgtest on modprobe error
    + it's optional as tests can be skipped, if mtdram module isn't there

 -- Lukas Märdian <email address hidden> Wed, 18 May 2022 09:34:56 +0200

Changed in fwupd (Ubuntu):
status: Fix Committed → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in fwupd (Ubuntu Focal):
status: New → Confirmed
Changed in fwupd (Ubuntu Impish):
status: New → Confirmed
Changed in fwupd (Ubuntu Jammy):
status: New → Confirmed
Revision history for this message
Tom Hughes (tomhughes) wrote :

It may be fixed for kinetic but it's still very much not fixed for jammy! That still has the broken 1.7.5 release...

Mario Limonciello (superm1)
Changed in fwupd (Ubuntu Impish):
status: Confirmed → Won't Fix
Revision history for this message
Eric Horst (erichorst) wrote :

Can someone explain why this fix is still not rolled out on Focal and Jammy? What am I missing?

Revision history for this message
imker (imker) wrote :

I think Eric has a good point. Why this fix is not ported back to Jammy? Jammy is a LTS Version so this service won't work for the next two years if the fix gets not back ported for all who stick to LTS for whatever reason.

This is then from my point of view also a security issue, since if this service is not running no firmware updates will be installed for several devices automatically. Since this is what this service is supposed to do and FW updates may also fix security issues.
But the user thinks this service is there and doing it's job. Since from my experience most users never check if all the services are up and running fine as long as there is no unexpected behavior.
So the user will also not manually check for FW updates, he believes the service does.

And this service does not start on any Ubuntu installation at the moment!

Also Focal needs this fix, since it is still supported for two more years. So can you please explain?

Revision history for this message
Mario Limonciello (superm1) wrote :

YC is in the process of doing an SRU for a bunch of other bugs in fwupd and the fix should come in that same SRU I expect.

Changed in fwupd (Ubuntu Jammy):
assignee: nobody → Yosu (yc)
assignee: Yosu (yc) → Yuan-Chen Cheng (ycheng-twn)
Revision history for this message
Chris Halse Rogers (raof) wrote : Please test proposed package

Hello Mario, or anyone else affected,

Accepted fwupd into jammy-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/fwupd/1.8.3-1~22.04.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-jammy to verification-done-jammy. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-jammy. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in fwupd (Ubuntu Jammy):
status: Confirmed → Fix Committed
tags: added: verification-needed verification-needed-jammy
Revision history for this message
Aaron Carlton (acarlton) wrote :

I would be happy to test this on 22.04. However, I am new to the process. I followed the linked instructions to enable proposed repository, but I don't see a fwupd/jammy-proposed available after an apt-get update. I'm unfamiliar with the process -- does it just take more time to get into -proposed, or is there some other step in the pipeline needed to go from Fix Committed -> -proposed? I set the software updater to use "Main Servers", thinking that a gap in mirroring could be an issue, but it's been over 24h...

I know process issues probably don't belong here, but I would like to learn how to get involved in things like this. Thanks in advance for patience.

Revision history for this message
Steven Hay (stevenhay) wrote :

I am on jammy and have tested the package.

Package: fwupd
Version: 1.8.3-1~22.04.1
Priority: optional
Section: admin
Origin: Ubuntu
Maintainer: Ubuntu Developers <email address hidden>

My testing has been to install the package then stop and start the fwupd-refresh.service unit. The unit exited successfully.

Revision history for this message
Steven Hay (stevenhay) wrote :

Aaron:

This step adds the repository to apt:

cat <<EOF >/etc/apt/sources.list.d/ubuntu-$(lsb_release -cs)-proposed.list
# Enable Ubuntu proposed archive
deb http://archive.ubuntu.com/ubuntu/ $(lsb_release -cs)-proposed restricted main multiverse universe
EOF

This step makes it so that packages from -proposes are not automatically pulled in, which is what you want:

cat <<EOF >/etc/apt/preferences.d/proposed-updates
# Configure apt to allow selective installs of packages from proposed
Package: *
Pin: release a=$(lsb_release -cs)-proposed
Pin-Priority: 400
EOF

Then to install the fwupd package in particular:

sudo apt-get install fwupd/jammy-proposed

I hope this helps. If not maybe try #ubuntu on Libera IRC.

tags: added: verification-done-jammy
removed: verification-needed-jammy
Revision history for this message
Ubuntu SRU Bot (ubuntu-sru-bot) wrote : Autopkgtest regression report (fwupd/1.8.3-1~22.04.1)

All autopkgtests for the newly accepted fwupd (1.8.3-1~22.04.1) for jammy have finished running.
The following regressions have been reported in tests triggered by the package:

fwupd/1.8.3-1~22.04.1 (armhf)

Please visit the excuses page listed below and investigate the failures, proceeding afterwards as per the StableReleaseUpdates policy regarding autopkgtest regressions [1].

https://people.canonical.com/~ubuntu-archive/proposed-migration/jammy/update_excuses.html#fwupd

[1] https://wiki.ubuntu.com/StableReleaseUpdates#Autopkgtest_Regressions

Thank you!

Revision history for this message
Yuan-Chen Cheng (ycheng-twn) wrote :

as the deb is removed from jammy proposed, change back to confimed

Changed in fwupd (Ubuntu Jammy):
status: Fix Committed → Confirmed
Yuan-Chen Cheng (ycheng-twn)
Changed in oem-priority:
assignee: nobody → Yuan-Chen Cheng (ycheng-twn)
importance: Undecided → High
status: New → Confirmed
tags: added: fwupd
removed: verification-done-jammy verification-needed
tags: added: oem-priority
Revision history for this message
Łukasz Zemczak (sil2100) wrote : Please test proposed package

Hello Mario, or anyone else affected,

Accepted fwupd into jammy-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/fwupd/1.7.9-1~22.04.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-jammy to verification-done-jammy. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-jammy. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in fwupd (Ubuntu Jammy):
status: Confirmed → Fix Committed
tags: added: verification-needed verification-needed-jammy
Revision history for this message
Ubuntu SRU Bot (ubuntu-sru-bot) wrote : Autopkgtest regression report (fwupd/1.7.9-1~22.04.1)

All autopkgtests for the newly accepted fwupd (1.7.9-1~22.04.1) for jammy have finished running.
The following regressions have been reported in tests triggered by the package:

fwupd/1.7.9-1~22.04.1 (armhf)

Please visit the excuses page listed below and investigate the failures, proceeding afterwards as per the StableReleaseUpdates policy regarding autopkgtest regressions [1].

https://people.canonical.com/~ubuntu-archive/proposed-migration/jammy/update_excuses.html#fwupd

[1] https://wiki.ubuntu.com/StableReleaseUpdates#Autopkgtest_Regressions

Thank you!

Revision history for this message
Łukasz Zemczak (sil2100) wrote : Please test proposed package

Hello Mario, or anyone else affected,

Accepted fwupd into focal-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/fwupd/1.7.9-1~20.04.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-focal to verification-done-focal. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-focal. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in fwupd (Ubuntu Focal):
status: Confirmed → Fix Committed
tags: added: verification-needed-focal
Revision history for this message
Ubuntu SRU Bot (ubuntu-sru-bot) wrote : Autopkgtest regression report (fwupd/1.7.9-1~20.04.1)

All autopkgtests for the newly accepted fwupd (1.7.9-1~20.04.1) for focal have finished running.
The following regressions have been reported in tests triggered by the package:

fwupd/1.7.9-1~20.04.1 (armhf)

Please visit the excuses page listed below and investigate the failures, proceeding afterwards as per the StableReleaseUpdates policy regarding autopkgtest regressions [1].

https://people.canonical.com/~ubuntu-archive/proposed-migration/focal/update_excuses.html#fwupd

[1] https://wiki.ubuntu.com/StableReleaseUpdates#Autopkgtest_Regressions

Thank you!

Revision history for this message
imker (imker) wrote :

Hi,

I can also confirm that fwupd Version 1.7.9-1~22.04.1 fixes this issue for jammy.
After installing the patched version, the service starts and runs as expected.

I'm sorry that I can not provide tests for focal, since I already updated all my machines..

Thank you all
imker

Yuan-Chen Cheng (ycheng-twn)
Changed in oem-priority:
status: Confirmed → In Progress
Revision history for this message
Yuan-Chen Cheng (ycheng-twn) wrote :

given #23, jammy is tested and test passed, thank you.

tags: added: verification-done-jammy
removed: verification-needed-jammy
Revision history for this message
Yuan-Chen Cheng (ycheng-twn) wrote :

Test method: "systemctl start fwupd-refresh.service" and check syslog
to see if the fwupd metadata could be updated.

Per test on focal, use existing 1.7.5-3~20.04.1, still can reproduce this issue.

After install 1.7.9-1~20.04.1 from the proposed channel, can't reproduce this issue.

Given so, mark verification-done-focal

tags: added: verification-done-focal
removed: verification-needed-focal
tags: added: verification-done
removed: verification-needed
Yuan-Chen Cheng (ycheng-twn)
Changed in oem-priority:
status: In Progress → Fix Committed
Revision history for this message
Łukasz Zemczak (sil2100) wrote : Update Released

The verification of the Stable Release Update for fwupd has completed successfully and the package is now being released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package fwupd - 1.7.9-1~20.04.1

---------------
fwupd (1.7.9-1~20.04.1) focal; urgency=medium

  * New upstream release, and drop all patches since they are merged.
  * Properly fall back to use DMI instead of /sys/class/dmi interface.
    (LP: #1982103)
  * Build depends on mondemmanager 1.8 and libxmlb 0.3.6 to support
    EM120/160. (LP: #1980334)
  * Don't stderr-fail the autopkgtest on modprobe error as they are
    optional. (LP: #1966364)
  * Run fwupd-refresh under a dedicated fwupd-refresh user. This is
    fixed in 1.1.7, so it's automatically included. (LP: #1969976)

 -- Yuan-Chen Cheng <email address hidden> Sun, 03 Jul 2022 03:18:51 +0000

Changed in fwupd (Ubuntu Focal):
status: Fix Committed → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package fwupd - 1.7.9-1~22.04.1

---------------
fwupd (1.7.9-1~22.04.1) jammy; urgency=medium

  * New upstream release, and drop all patches since they are merged.
  * Properly fall back to use DMI instead of /sys/class/dmi interface.
    (LP: #1982103)
  * Don't stderr-fail the autopkgtest on modprobe error as they are
    optional. (LP: #1966364)
  * Run fwupd-refresh under a dedicated fwupd-refresh user. This is
    fixed in 1.7.7, so it's automatically included. (LP: #1969976)

 -- Yuan-Chen Cheng <email address hidden> Tue, 20 Sep 2022 03:18:51 +0000

Changed in fwupd (Ubuntu Jammy):
status: Fix Committed → Fix Released
Revision history for this message
Ubuntu SRU Bot (ubuntu-sru-bot) wrote : Autopkgtest regression report (fwupd/1.7.9-1~20.04.1)

All autopkgtests for the newly accepted fwupd (1.7.9-1~20.04.1) for focal have finished running.
The following regressions have been reported in tests triggered by the package:

fwupd/1.7.9-1~20.04.1 (armhf)

Please visit the excuses page listed below and investigate the failures, proceeding afterwards as per the StableReleaseUpdates policy regarding autopkgtest regressions [1].

https://people.canonical.com/~ubuntu-archive/proposed-migration/focal/update_excuses.html#fwupd

[1] https://wiki.ubuntu.com/StableReleaseUpdates#Autopkgtest_Regressions

Thank you!

Revision history for this message
Ubuntu SRU Bot (ubuntu-sru-bot) wrote : Autopkgtest regression report (fwupd/1.7.9-1~22.04.1)

All autopkgtests for the newly accepted fwupd (1.7.9-1~22.04.1) for jammy have finished running.
The following regressions have been reported in tests triggered by the package:

fwupd/1.7.9-1~22.04.1 (armhf)

Please visit the excuses page listed below and investigate the failures, proceeding afterwards as per the StableReleaseUpdates policy regarding autopkgtest regressions [1].

https://people.canonical.com/~ubuntu-archive/proposed-migration/jammy/update_excuses.html#fwupd

[1] https://wiki.ubuntu.com/StableReleaseUpdates#Autopkgtest_Regressions

Thank you!

To post a comment you must log in.
This report contains Public information  
Everyone can see this information.

Duplicates of this bug

Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.