[UBUNTU 23.10] Opencryptoki package installation not creating /run/opencryptoki directory
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| Ubuntu on IBM z Systems | Fix Released | High | Skipper Bug Screeners | |
| opencryptoki (Ubuntu) | Fix Released | High | Skipper Bug Screeners | |
| Mantic | Fix Released | Undecided | Unassigned | |
Bug Description
SRU Justification:
[ Impact ]
* Under some conditions the post-install script may fail
due to a missing /run/opencryptoki directory,
which is needed by the pkcsslotd service.
* This happens either after a second install (install, purge, install)
or after the system has been rebooted, since /run/opencryptoki is not persistent.
* To fix the issue on re-install, removing the system user manually would be
a workaround, but this should really be done automatically.
* To fix the issue on reboot, the handling of /run/opencryptoki
is handed over to dh by adding it to d/opencryptoki.
* In addition it turned out that /usr/lib/
is outdated, because it has been overwritten since 3.5+dfsg-2,
which prevented the use of the built opencryptoki.conf
and with that the correct handling of /run/opencryptoki.
[ Test Plan ]
* To have test coverage for the modification it should be verified that:
- a package installation on a pristine system is not affected
(this is more a regression test, since that worked before)
- re-installation works (with and without reboots in between),
since the reported issue popped up after re-installs and reboots.
- upgrades work, from the former mantic version to this fixed mantic version,
and an upgrade from lunar to the fixed mantic version should be tested
(probably only possible via do-release-upgrade due to the different
libc6 package versions 2.37 vs 2.38, but LP#1880760)
- installing libopencryptoki-dev in addition works
* After each of the above steps it needs to be checked that the pkcsslotd
service is active:
$ systemctl status pkcsslotd
● pkcsslotd.service - Daemon which manages cryptographic hardware tokens for th>
Loaded: loaded (/lib/systemd/
Active: active (running) since Fri 2023-10-20 15:26:05 UTC; 2 days ago
Main PID: 638 (pkcsslotd)
Tasks: 1 (limit: 9577)
Memory: 9.6M
CPU: 2.817s
CGroup: /system.
└─638 /usr/sbin/pkcsslotd
Oct 20 15:26:05 zbox systemd[1]: Starting pkcsslotd.service - Daemon which m>
Oct 20 15:26:05 zbox pkcsslotd[604]: PID File created
Oct 20 15:26:05 zbox systemd[1]: Started pkcsslotd.service - Daemon which ma
* ... and furthermore that it correctly accepts calls, as done by:
$ sudo pkcsconf -t
Token #1 Info:
Label: icatok
Manufacturer: IBM
Model: ICA
Serial Number:
Flags: 0x880045 (RNG|LOGIN_
Sessions: 0/[effectively infinite]
R/W Sessions: 0/[effectively infinite]
PIN Length: 4-8
Public Memory: [information unavailable]
Private Memory: [information unavailable]
Hardware Version: 0.0
Firmware Version: 0.0
Time: 2023102309540300
URI: pkcs11:
Token #3 Info:
Label: softtok
Manufacturer: IBM
Model: Soft
Serial Number:
Flags: 0x880045 (RNG|LOGIN_
Sessions: 0/[effectively infinite]
R/W Sessions: 0/[effectively infinite]
PIN Length: 4-8
Public Memory: [information unavailable]
Private Memory: [information unavailable]
Hardware Version: 0.0
Firmware Version: 0.0
Time: 2023102309540300
URI: pkcs11:
* Optionally, an end-to-end test as described in '[ Test Plan ]'
at LP#2018911 could be done (just as a regression test, since this worked
well with the existing package).
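As an added check for the test plan above (this is not part of the bug report or of the opencryptoki package), the following POSIX shell function reads a tmpfiles.d snippet such as the built opencryptoki.conf and verifies that every directory it declares exists with the declared mode, owner and group, so the post-install and post-reboot state of /run/opencryptoki (710 pkcsslotd:pkcs11) can be checked mechanically in addition to systemctl status. The snippet path /usr/lib/tmpfiles.d/opencryptoki.conf in the usage comment is assumed.

```shell
#!/bin/sh
# Added example (not part of the bug report or the opencryptoki package):
# check that every directory entry of a tmpfiles.d snippet exists with the
# mode, owner and group the snippet declares. This is the post-install and
# post-reboot state check for /run/opencryptoki behind the test plan above.
# Requires GNU stat (coreutils), as on Ubuntu.
#
# usage: check_tmpfiles_dirs <snippet> [root-prefix]
# The optional prefix lets the check run against a staging tree instead of /.
check_tmpfiles_dirs() {
    conf=$1
    prefix=${2:-}
    rc=0
    while read -r type path mode user group rest; do
        # skip blank lines and comments such as "# path mode uid gid age"
        case $type in ''|'#'*) continue ;; esac
        # only directory entries are checked: d = keep, D = emptied on boot
        case $type in d|D) ;; *) continue ;; esac
        target="$prefix$path"
        if [ ! -d "$target" ]; then
            echo "MISSING   $target (expected $mode $user:$group)" >&2
            rc=1
            continue
        fi
        # stat gives octal mode, owner/group names and numeric ids; tmpfiles.d
        # allows a leading 0 in the mode (0770) and numeric ids, so accept both
        set -- $(stat -c '%a %U %G %u %g' "$target")
        ok=1
        [ "$1" = "${mode#0}" ] || ok=0
        [ "$2" = "$user" ] || [ "$4" = "$user" ] || ok=0
        [ "$3" = "$group" ] || [ "$5" = "$group" ] || ok=0
        if [ "$ok" = 1 ]; then
            echo "OK        $target ($1 $2:$3)"
        else
            echo "MISMATCH  $target: expected $mode $user:$group, found $1 $2:$3 ($4:$5)" >&2
            rc=1
        fi
    done < "$conf"
    return $rc
}

# Stand-alone use on an installed system (snippet path assumed, not taken
# from the bug report):
#   sh check_tmpfiles.sh /usr/lib/tmpfiles.d/opencryptoki.conf
if [ "$#" -gt 0 ]; then
    check_tmpfiles_dirs "$@"
fi
```

A non-zero exit means at least one declared directory is missing or has the wrong mode or ownership, which is exactly the state in which the postinst chown and the pkcsslotd service fail.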
[ Where problems could occur ]
* The different default /usr/lib/
could lead to unforeseen behavior.
But it was confirmed that it is correct, and the e2e test
would be another test.
* The modifications in the postinst and postrm scripts could lead
to problems during install, remove or purge.
But this is covered by the (re-)install and upgrade tests above.
* The test build (done in a PPA and available here:
https:/
was already pre-tested by the person the bug is assigned to
and by the initial bug reporter.
* No opencryptoki code was modified, only the default configuration
(now using what falls out of a default build)
and package meta-data.
[ Other Info ]
* The reported problem affects 23.10, since this includes
opencryptoki 2.21 that comes with pkcsslotd service modifications
(LP#2025922 - 'hardening').
__________
---Problem Description (by Grgo Mariani) ---
Opencryptoki post-installation script fails due to a non-existing directory.
Although the package is shown as installed, the missing directory is critical for the service to run.
Contact Information = <email address hidden> <email address hidden>
---uname output---
Linux SYSTEM 6.5.0-9-generic #9-Ubuntu SMP Fri Oct 6 19:43:35 UTC 2023 s390x s390x s390x GNU/Linux
Machine Type = Manufacturer: IBM Type: 3931 Model: 704 A01
---Debugger---
A debugger is not configured
---Steps to Reproduce---
Install the opencryptoki package and check if the service is running.
root@SYSTEM:~# apt install opencryptoki
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
The following NEW packages will be installed:
opencryptoki
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Need to get 228 kB of archives.
After this operation, 834 kB of additional disk space will be used.
Get:1 http://
Fetched 228 kB in 0s (1,130 kB/s)
Selecting previously unselected package opencryptoki.
(Reading database ... 68397 files and directories currently installed.)
Preparing to unpack .../opencryptok
Unpacking opencryptoki (3.21.0+
Setting up opencryptoki (3.21.0+
info: The group `pkcs11' already exists as a system group. Exiting.
info: The system user `pkcsslotd' already exists. Exiting.
info: Adding user `root' to group `pkcs11' ...
chown: cannot access '/run/opencrypt
dpkg: error processing package opencryptoki (--configure):
installed opencryptoki package post-installation script subprocess returned error exit status 1
Processing triggers for man-db (2.11.2-3) ...
Errors were encountered while processing:
opencryptoki
needrestart is being skipped since dpkg has failed
E: Sub-process /usr/bin/dpkg returned an error code (1)
root@SYSTEM:~# systemctl status pkcsslotd
Userspace tool common name: opencryptoki
The userspace tool has the following bit modes: 64bit
Userspace rpm: opencryptoki v3.21.0
Userspace tool obtained from project website: na
== Comment: #1 - Ingo Franzki - 2023-10-18 09:26:50 ==
/run/opencryptoki should be created by the package install, but is also created by the tmpfiles.d service after every boot, because /run is usually in tmpfs, so it's not persistent across boots. OCK installs a tmpfiles.d config script (/usr/lib/
== Comment: #3 - Ingo Franzki - 2023-10-18 10:13:30 ==
It also seems that Ubuntu's /usr/lib/
It must be ensured that the file as produced by building Opencryptoki (via 'make install') is installed, and not something else/older.
- tags added: architecture-s39064 bugnameltc-203873 severity-high targetmilestone-inin2310
- Changed in ubuntu: assignee: nobody → Skipper Bug Screeners (skipper-screen-team)
- affects: ubuntu → linux (Ubuntu)
- affects: linux (Ubuntu) → opencryptoki (Ubuntu)
- Changed in ubuntu-z-systems: assignee: nobody → Skipper Bug Screeners (skipper-screen-team); importance: Undecided → High
- Changed in opencryptoki (Ubuntu): importance: Undecided → High
- tags added: patch
- description: updated
- summary: "[UBUNTU 23.10] Opencryptoki package instalation not creating" → "[UBUNTU 23.10] Opencryptoki package installation not creating /run/opencryptoki directory"
- Changed in ubuntu-z-systems: status: In Progress → Fix Committed
- tags added: verification-done verification-done-mantic
- Changed in opencryptoki (Ubuntu): status: In Progress → Fix Committed
- Changed in ubuntu-z-systems: status: Fix Committed → Fix Released
The installation works interestingly on a pristine 23.10 installation,
since in this case the pkcsslotd user creation will also create the folder used for its home (/run/opencryptoki).
That is probably the reason why this wasn't noticed earlier.
But you're right, /run/opencryptoki is not persistent, hence it lasts only until the next reboot.
Handing the folder management over to dh solves this.
In addition I found that a debian/opencryptoki.tmpfile file existed (since 3.5+dfsg-2):
"
Updated systemd-tmpfiles debian/opencryptoki.tmpfiles snippet to
create TOK_OBJ per-token subdirectories with correct
permissions. Upstream should probably ship tmpfiles snippet. LP:#1595192.
"
So opencryptoki.tmpfile contains:
"
d /var/lock/opencryptoki 0770 root pkcs11 -
d /var/lock/opencryptoki/icsf 0770 root pkcs11 -
d /var/lock/opencryptoki/swtok 0770 root pkcs11 -
d /var/lock/opencryptoki/tpm 0770 root pkcs11 -
d /var/lock/opencryptoki/lite 0770 root pkcs11 -
d /var/lock/opencryptoki/ccatok 0770 root pkcs11 -
d /var/lock/opencryptoki/ep11tok 0770 root pkcs11 -
d /var/lib/opencryptoki 0770 root pkcs11 -
d /var/lib/opencryptoki/icsf 0770 root pkcs11 -
d /var/lib/opencryptoki/swtok 0770 root pkcs11 -
d /var/lib/opencryptoki/tpm 0770 root pkcs11 -
d /var/lib/opencryptoki/lite 0770 root pkcs11 -
d /var/lib/opencryptoki/ccatok 0770 root pkcs11 -
d /var/lib/opencryptoki/ep11tok 0770 root pkcs11 -
d /var/lib/opencryptoki/icsf/TOK_OBJ 0770 root pkcs11 -
d /var/lib/opencryptoki/swtok/TOK_OBJ 0770 root pkcs11 -
d /var/lib/opencryptoki/lite/TOK_OBJ 0770 root pkcs11 -
d /var/lib/opencryptoki/ccatok/TOK_OBJ 0770 root pkcs11 -
d /var/lib/opencryptoki/ep11tok/TOK_OBJ 0770 root pkcs11 -
"
And if I remove this and just take the /usr/lib/tmpfiles.d/opencryptoki.conf that falls out of the build, it has this content:
"
# path mode uid gid age
D /run/opencryptoki 710 pkcsslotd pkcs11 -
d /var/lib/opencryptoki 0770 root pkcs11 -
d /var/log/opencryptoki 0770 root pkcs11 -
D /var/lock/opencryptoki 0770 root pkcs11 -
D /var/lock/opencryptoki/swtok 0770 root pkcs11 -
D /var/lock/opencryptoki/lite 0770 root pkcs11 -
D /var/lock/opencryptoki/ep11tok 0770 root pkcs11 -
D /var/lock/opencryptoki/tpm 0770 root pkcs11 -
D /var/lock/opencryptoki/ccatok 0770 root pkcs11 -
D /var/lock/opencryptoki/icsf 0770 root pkcs11 -
"
Could you please confirm if this is what you've expected (and if the content is sufficient, since it's considerably less)?
I've created a test build with these changes that's available here:
https://launchpad.net/~fheimes/+archive/ubuntu/lp2039783
And tested it on a pristine install, upgrade, remove/reinstall, and after reboot - see attachment.