Bionic to Focal upgrade fails with fips-updates enabled

Bug #2027694 reported by Jeff
This bug affects 2 people
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| ubuntu-release-upgrader (Ubuntu) | Confirmed | Undecided | Unassigned | |

Bug Description

On a bionic VM with fips-updates enabled, do-release-upgrade starts cascading failures about FIPS at a certain point. This is NOT a duplicate of #1982543 that I can tell, as that version of ubuntu-release-upgrader is already published to "-updates" and my bionic host is fully up to date. You can see below that I am using a newer version (1:20.04.41).

```
Get:1318 http://us.archive.ubuntu.com/ubuntu focal-updates/main amd64 ubuntu-release-upgrader-gtk all 1:20.04.41 [9,364 B]
Get:1319 http://us.archive.ubuntu.com/ubuntu focal-updates/main amd64 ubuntu-release-upgrader-core all 1:20.04.41 [24.3 kB]
...
Setting up netbase (6.1) ...
Installing new version of config file /etc/services ...
Setting up tzdata (2023c-0ubuntu0.20.04.2) ...

Current default time zone: 'America/New_York'
Local time is now: Wed Jul 12 17:14:19 EDT 2023.
Universal Time is now: Wed Jul 12 21:14:19 UTC 2023.
Run 'dpkg-reconfigure tzdata' if you wish to change it.

Setting up libbsd0:amd64 (0.10.0-1) ...
Setting up libedit2:amd64 (3.1-20191231-1) ...
Setting up libopts25:amd64 (1:5.18.16-3) ...
Setting up ntp (1:4.2.8p12+dfsg-3ubuntu4.20.04.1) ...

Configuration file '/etc/ntp.conf'
 ==> Modified (by you or by a script) since installation.
 ==> Package distributor has shipped an updated version.
   What would you like to do about it ? Your options are:
    Y or I : install the package maintainer's version
    N or O : keep your currently-installed version
      D : show the differences between the versions
      Z : start a shell to examine the situation
 The default action is to keep your current version.
*** ntp.conf (Y/I/N/O/D/Z) [default=N] ? Y
Installing new version of config file /etc/ntp.conf ...
Warning from /etc/apparmor.d/usr.sbin.ntpd (/etc/apparmor.d/usr.sbin.ntpd line 19): apparmor_parser: File '/etc/apparmor.d/usr.sbin.ntpd' missing feature abi, falling back to default policy feature abi
ntp-systemd-netif.service is a disabled or a static unit not running, not starting it.
../crypto/fips/fips.c:151: OpenSSL internal error: FATAL FIPS SELFTEST FAILURE
Job for ntp.service failed because the control process exited with error code.
See "systemctl status ntp.service" and "journalctl -xe" for details.
invoke-rc.d: initscript ntp, action "start" failed.
● ntp.service - Network Time Service
     Loaded: loaded (/lib/systemd/system/ntp.service; enabled; vendor preset: enabled)
     Active: failed (Result: exit-code) since Thu 2023-07-13 09:09:08 EDT; 70ms ago
       Docs: man:ntpd(8)
    Process: 112082 ExecStart=/usr/lib/ntp/ntp-systemd-wrapper (code=exited, status=134)
   Main PID: 2078 (code=exited, status=0/SUCCESS)

Jul 13 09:09:08 robby systemd[1]: Starting Network Time Service...
Jul 13 09:09:08 robby ntp-systemd-wrapper[112082]: ../crypto/fips/fips.c:151: OpenSSL internal error: FATAL FIPS SELFTEST FAILURE
Jul 13 09:09:08 robby ntp-systemd-wrapper[112082]: Aborted
Jul 13 09:09:08 robby systemd[1]: ntp.service: Control process exited, code=exited status=134
Jul 13 09:09:08 robby systemd[1]: ntp.service: Failed with result 'exit-code'.
Jul 13 09:09:08 robby systemd[1]: Failed to start Network Time Service.
invoke-rc.d: release upgrade in progress, error is not fatal
Setting up mount (2.34-0.1ubuntu9.4) ...
Setting up systemd (245.4-4ubuntu3.22) ...
Installing new version of config file /etc/systemd/journald.conf ...
Installing new version of config file /etc/systemd/logind.conf ...

Configuration file '/etc/systemd/resolved.conf'
 ==> Modified (by you or by a script) since installation.
 ==> Package distributor has shipped an updated version.
   What would you like to do about it ? Your options are:
    Y or I : install the package maintainer's version
    N or O : keep your currently-installed version
      D : show the differences between the versions
      Z : start a shell to examine the situation
 The default action is to keep your current version.
*** resolved.conf (Y/I/N/O/D/Z) [default=N] ?
Installing new version of config file /etc/systemd/system.conf ...
Installing new version of config file /etc/systemd/user.conf ...
Created symlink /etc/systemd/system/sysinit.target.wants/systemd-pstore.service → /lib/systemd/system/systemd-pstore.service.
../crypto/fips/fips.c:151: OpenSSL internal error: FATAL FIPS SELFTEST FAILURE
Aborted
dpkg: error processing package systemd (--configure):
 installed systemd package post-installation script subprocess returned error exit status 134
../crypto/fips/fips.c:151: OpenSSL internal error: FATAL FIPS SELFTEST FAILURE
Exception during pm.DoInstall(): E:Sub-process /usr/bin/dpkg returned an error code (1)
../crypto/fips/fips.c:151: OpenSSL internal error: FATAL FIPS SELFTEST FAILURE

Could not install the upgrades

The upgrade has aborted. Your system could be in an unusable state. A
recovery will run now (dpkg --configure -a).

Please report this bug in a browser at
http://bugs.launchpad.net/ubuntu/+source/ubuntu-release-upgrader/+filebug
and attach the files in /var/log/dist-upgrade/ to the bug report.
E:Sub-process /usr/bin/dpkg returned an error code (1)

Setting up libgme0:amd64 (0.6.2-1build1) ...
Setting up libbrlapi0.7:amd64 (6.0+dfsg-4ubuntu6) ...
Setting up libpwquality-common (1.4.2-1build1) ...

Configuration file '/etc/security/pwquality.conf'
 ==> Modified (by you or by a script) since installation.
 ==> Package distributor has shipped an updated version.
   What would you like to do about it ? Your options are:
    Y or I : install the package maintainer's version
    N or O : keep your currently-installed version
      D : show the differences between the versions
      Z : start a shell to examine the situation
 The default action is to keep your current version.
*** pwquality.conf (Y/I/N/O/D/Z) [default=N] ?
Setting up libapt-pkg-perl (0.1.36build3) ...
Setting up libksba8:amd64 (1.3.5-2ubuntu0.20.04.2) ...
Setting up libexpat1:amd64 (2.2.9-1ubuntu0.6) ...
Setting up cpio (2.13+dfsg-2ubuntu0.3) ...
Setting up libgsf-1-common (1.14.46-1) ...
...
...<things proceed okay, and then stuff like this starts popping up>
...
Setting up e2fsprogs (1.45.5-2ubuntu1.1) ...
Installing new version of config file /etc/mke2fs.conf ...
update-initramfs: deferring update (trigger activated)
Created symlink /etc/systemd/system/timers.target.wants/e2scrub_all.timer → /lib/systemd/system/e2scrub_all.timer.
Created symlink /etc/systemd/system/default.target.wants/e2scrub_reap.service → /lib/systemd/system/e2scrub_reap.service.
e2scrub_all.service is a disabled or a static unit not running, not starting it.
../crypto/fips/fips.c:151: OpenSSL internal error: FATAL FIPS SELFTEST FAILURE
Setting up libnpth0:amd64 (1.6-1) ...
Setting up systemd (245.4-4ubuntu3.22) ...
../crypto/fips/fips.c:151: OpenSSL internal error: FATAL FIPS SELFTEST FAILURE
Aborted
dpkg: error processing package systemd (--configure):
 installed systemd package post-installation script subprocess returned error exit status 134
Setting up libpeas-common (1.26.0-2) ...
Setting up libxcb-shm0:amd64 (1.14-2) ...
```

Jeff (jblainemitre) wrote :

I have also confirmed that the following works around the issue from a fresh copy of the fips-updates enabled VM:

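```
sudo pro disable esm-infra
sudo pro disable fips-updates
sudo systemctl reboot
# <LOGIN>
# Collect the installed FIPS kernel packages (regex quoted so the shell does not glob it)
FIPS_KERNELS=$(dpkg-query -W -f='${Package}\n' | grep -E 'linux-.*-fips')
# Left unquoted on purpose: one argument per package name
sudo apt-get remove -y $FIPS_KERNELS
sudo systemctl reboot
```

And then:

```
do-release-upgrade
```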

We'll see if re-enabling esm-infra and fips-updates works though -- I am still mid-upgrade.
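
The preconditions the workaround above establishes, written as a pre-upgrade check. This is an added example, not part of the original report or of Ubuntu's tooling. The function names, the BLOCK/WARN wording and the userspace package pattern (derived from the apt output quoted in this report) are assumptions.

```shell
#!/bin/sh
# Added example (not from the bug report): check for the state the workaround
# reaches before do-release-upgrade. The package list is read on stdin.

# Kernel packages: same regex the reporter used (linux-.*-fips).
fips_kernels() { grep -E 'linux-.*-fips' || true; }

# Other FIPS userspace packages; names taken from the apt output in this
# report (assumption: the same naming applies on the host being checked).
fips_userspace() { grep -E '^(ubuntu-fips|fips-initramfs-.*|lib.*-hmac)$' || true; }

# preflight <fips_enabled>: returns 1 if FIPS mode is on or FIPS kernels remain.
preflight() {
    mode=$1
    list=$(cat)
    kernels=$(printf '%s\n' "$list" | fips_kernels)
    extras=$(printf '%s\n' "$list" | fips_userspace)
    rc=0
    if [ "$mode" = "1" ]; then
        echo "BLOCK: kernel is running in FIPS mode (fips_enabled=1)"
        rc=1
    fi
    if [ -n "$kernels" ]; then
        echo "BLOCK: FIPS kernel packages installed:"
        printf '%s\n' "$kernels" | sed 's/^/  /'
        rc=1
    fi
    if [ -n "$extras" ]; then
        # Informational only: the workaround did not remove these.
        echo "WARN: other FIPS packages present:"
        printf '%s\n' "$extras" | sed 's/^/  /'
    fi
    if [ "$rc" -eq 0 ]; then echo "OK: no FIPS mode or FIPS kernels detected"; fi
    return "$rc"
}

# Live check on the current host.
preflight_live() {
    state=$(cat /proc/sys/crypto/fips_enabled 2>/dev/null || echo 0)
    dpkg-query -W -f='${Package}\n' | preflight "$state"
}

# Run against the real system only when asked: sh preflight.sh --live
if [ "${1:-}" = "--live" ]; then preflight_live; fi
```

A non-zero exit means the host is still in the configuration where the reporter saw the upgrade fail; the WARN lines list packages the workaround left in place.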

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in ubuntu-release-upgrader (Ubuntu):
status: New → Confirmed
Jeff (jblainemitre) wrote :

The upgrade completed per the workaround above, but now I still cannot re-enable fips-updates :(

```
~:robby # pro enable fips-updates
One moment, checking your subscription first
This will install the FIPS packages including security updates.
Warning: This action can take some time and cannot be undone.
Are you sure? (y/N) y
Updating package lists
Installing FIPS Updates packages
Stderr: E: Sub-process /usr/bin/dpkg returned an error code (1)

Stdout: Reading package lists...
Building dependency tree...
Reading state information...
The following packages were automatically installed and are no longer required:
  dh-python flightgear-data-ai flightgear-data-all flightgear-data-base
  flightgear-data-models flightgear-phi gdal-data geoclue geoclue-ubuntu-geoip
  gir1.2-harfbuzz-0.0 libairspyhf0 libarmadillo8 libavcodec57 libavdevice57
  libavfilter6 libavformat57 libavresample3 libavutil55 libbfio1 libbison-dev
...
Use 'apt autoremove' to remove them.
The following additional packages will be installed:
  fips-initramfs-generic kcapi-tools libgcrypt20 libgcrypt20-hmac libkcapi1
  libssl-dev libssl1.1 libssl1.1-hmac linux-fips linux-fips-headers-5.4.0-1080
  linux-headers-5.4.0-1080-fips linux-headers-fips linux-image-5.4.0-1080-fips
  linux-image-fips linux-image-hmac-5.4.0-1080-fips
  linux-modules-5.4.0-1080-fips linux-modules-extra-5.4.0-1080-fips openssl
Suggested packages:
  rng-tools libssl-doc fdutils linux-doc | linux-fips-source-5.4.0
  linux-fips-tools
The following NEW packages will be installed:
  fips-initramfs-generic kcapi-tools libgcrypt20-hmac libkcapi1 libssl1.1-hmac
  linux-fips linux-fips-headers-5.4.0-1080 linux-headers-5.4.0-1080-fips
  linux-headers-fips linux-image-5.4.0-1080-fips linux-image-fips
  linux-image-hmac-5.4.0-1080-fips linux-modules-5.4.0-1080-fips
  linux-modules-extra-5.4.0-1080-fips ubuntu-fips
The following packages will be upgraded:
  libgcrypt20 libssl-dev libssl1.1 openssl
4 upgraded, 15 newly installed, 0 to remove and 5 not upgraded.
Need to get 84.9 MB of archives.
After this operation, 382 MB of additional disk space will be used.
...
Preparing to unpack .../15-libssl1.1-hmac_1.1.1f-1ubuntu2.fips.19_amd64.deb ...
Unpacking libssl1.1-hmac:amd64 (1.1.1f-1ubuntu2.fips.19) ...
Selecting previously unselected package libgcrypt20-hmac:amd64.
Preparing to unpack .../16-libgcrypt20-hmac_1.8.5-5ubuntu1.fips.1.7_amd64.deb ...
Unpacking libgcrypt20-hmac:amd64 (1.8.5-5ubuntu1.fips.1.7) ...
dpkg: error processing archive /tmp/apt-dpkg-install-MxU3Br/16-libgcrypt20-hmac_1.8.5-5ubuntu1.fips.1.7_amd64.deb (--unpack):
 trying to overwrite '/usr/lib/x86_64-linux-gnu/.libgcrypt.so.20.hmac', which is the diverted version of '/lib/x86_64-linux-gnu/.libgcrypt.so.20.hmac'
Selecting previously unselected package ubuntu-fips.
Preparing to unpack .../17-ubuntu-fips_1.2.5+updates1_amd64.deb ...
Unpacking ubuntu-fips (1.2.5+updates1) ...
Errors were encountered while processing:
 /tmp/apt-dpkg-install-MxU3Br/16-libgcrypt20-hmac_1.8.5-5ubuntu1.fips.1.7_amd64.deb

Stderr: E: Unmet dependencies. Try 'apt --fix-broken install' with no packages (or specify a solution).

Stdout: Reading package lists...
Building dependency tree...
R...
```

