Bionic to Focal upgrade fails with fips-updates enabled
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
ubuntu-release-upgrader (Ubuntu) |
Confirmed
|
Undecided
|
Unassigned |
Bug Description
On a bionic VM with fips-updates enabled, do-release-upgrade starts cascading failures about FIPS at a certain point. This is NOT a duplicate of #1982543 that I can tell as that version of ubuntu-
```
Get:1318 http://
Get:1319 http://
...
Setting up netbase (6.1) ...
Installing new version of config file /etc/services ...
Setting up tzdata (2023c-
Current default time zone: 'America/New_York'
Local time is now: Wed Jul 12 17:14:19 EDT 2023.
Universal Time is now: Wed Jul 12 21:14:19 UTC 2023.
Run 'dpkg-reconfigure tzdata' if you wish to change it.
Setting up libbsd0:amd64 (0.10.0-1) ...
Setting up libedit2:amd64 (3.1-20191231-1) ...
Setting up libopts25:amd64 (1:5.18.16-3) ...
Setting up ntp (1:4.2.
Configuration file '/etc/ntp.conf'
==> Modified (by you or by a script) since installation.
==> Package distributor has shipped an updated version.
What would you like to do about it ? Your options are:
Y or I : install the package maintainer's version
N or O : keep your currently-installed version
D : show the differences between the versions
Z : start a shell to examine the situation
The default action is to keep your current version.
*** ntp.conf (Y/I/N/O/D/Z) [default=N] ? Y
Installing new version of config file /etc/ntp.conf ...
Warning from /etc/apparmor.
ntp-systemd-
../crypto/
Job for ntp.service failed because the control process exited with error code.
See "systemctl status ntp.service" and "journalctl -xe" for details.
invoke-rc.d: initscript ntp, action "start" failed.
● ntp.service - Network Time Service
Loaded: loaded (/lib/systemd/
Active: failed (Result: exit-code) since Thu 2023-07-13 09:09:08 EDT; 70ms ago
Docs: man:ntpd(8)
Process: 112082 ExecStart=
Main PID: 2078 (code=exited, status=0/SUCCESS)
Jul 13 09:09:08 robby systemd[1]: Starting Network Time Service...
Jul 13 09:09:08 robby ntp-systemd-
Jul 13 09:09:08 robby ntp-systemd-
Jul 13 09:09:08 robby systemd[1]: ntp.service: Control process exited, code=exited status=134
Jul 13 09:09:08 robby systemd[1]: ntp.service: Failed with result 'exit-code'.
Jul 13 09:09:08 robby systemd[1]: Failed to start Network Time Service.
invoke-rc.d: release upgrade in progress, error is not fatal
Setting up mount (2.34-0.1ubuntu9.4) ...
Setting up systemd (245.4-4ubuntu3.22) ...
Installing new version of config file /etc/systemd/
Installing new version of config file /etc/systemd/
Configuration file '/etc/systemd/
==> Modified (by you or by a script) since installation.
==> Package distributor has shipped an updated version.
What would you like to do about it ? Your options are:
Y or I : install the package maintainer's version
N or O : keep your currently-installed version
D : show the differences between the versions
Z : start a shell to examine the situation
The default action is to keep your current version.
*** resolved.conf (Y/I/N/O/D/Z) [default=N] ?
Installing new version of config file /etc/systemd/
Installing new version of config file /etc/systemd/
Created symlink /etc/systemd/
../crypto/
Aborted
dpkg: error processing package systemd (--configure):
installed systemd package post-installation script subprocess returned error exit status 134
../crypto/
Exception during pm.DoInstall(): E:Sub-process /usr/bin/dpkg returned an error code (1)
../crypto/
Could not install the upgrades
The upgrade has aborted. Your system could be in an unusable state. A
recovery will run now (dpkg --configure -a).
Please report this bug in a browser at
http://
and attach the files in /var/log/
E:Sub-process /usr/bin/dpkg returned an error code (1)
Setting up libgme0:amd64 (0.6.2-1build1) ...
Setting up libbrlapi0.7:amd64 (6.0+dfsg-4ubuntu6) ...
Setting up libpwquality-common (1.4.2-1build1) ...
Configuration file '/etc/security/
==> Modified (by you or by a script) since installation.
==> Package distributor has shipped an updated version.
What would you like to do about it ? Your options are:
Y or I : install the package maintainer's version
N or O : keep your currently-installed version
D : show the differences between the versions
Z : start a shell to examine the situation
The default action is to keep your current version.
*** pwquality.conf (Y/I/N/O/D/Z) [default=N] ?
Setting up libapt-pkg-perl (0.1.36build3) ...
Setting up libksba8:amd64 (1.3.5-
Setting up libexpat1:amd64 (2.2.9-1ubuntu0.6) ...
Setting up cpio (2.13+dfsg-
Setting up libgsf-1-common (1.14.46-1) ...
...
...<things proceed okay, and then stuff like this starts popping up>
...
Setting up e2fsprogs (1.45.5-2ubuntu1.1) ...
Installing new version of config file /etc/mke2fs.conf ...
update-initramfs: deferring update (trigger activated)
Created symlink /etc/systemd/
Created symlink /etc/systemd/
e2scrub_all.service is a disabled or a static unit not running, not starting it.
../crypto/
Setting up libnpth0:amd64 (1.6-1) ...
Setting up systemd (245.4-4ubuntu3.22) ...
../crypto/
Aborted
dpkg: error processing package systemd (--configure):
installed systemd package post-installation script subprocess returned error exit status 134
Setting up libpeas-common (1.26.0-2) ...
Setting up libxcb-shm0:amd64 (1.14-2) ...
```
I have also confirmed that the following works around the issue from a fresh copy of the fips-updates enabled VM:
sudo pro disable esm-infra `dpkg-query -W -f='${Package}\n'| egrep linux-.*-fips`
sudo pro disable fips-updates
sudo systemctl reboot
<LOGIN>
FIPS_KERNELS=
sudo apt-get remove -y $FIPS_KERNELS
sudo systemctl reboot
And then:
do-release-upgrade
We'll see if re-enabling esm-infra and fips-updates works though -- I am still mid-upgrade.