Ubuntu
opencryptoki package

[UBUNTU 23.10] Opencryptoki package installation not creating /run/opencryptoki directory

Bug #2039783 reported by bugproxy
10
This bug affects 1 person
Affects Status Importance Assigned to Milestone
Ubuntu on IBM z Systems
Fix Released
High
Skipper Bug Screeners
opencryptoki (Ubuntu)
Fix Released
High
Skipper Bug Screeners
Mantic
Fix Released
Undecided
Unassigned

Bug Description

SRU Justification:

[ Impact ]

 * Under some conditions the post-install script may fail
   due to a missing /run/opencryptoki directory,
   that is needed by the pkcsslotd service.

 * This happens either after a second install (install, purge, install)
   or when the system got rebooted, since /run/opencryptoki is not persistent.

 * To fix the issue on re-install, removing the system user manually would be
   a workaround, but should really be better done automatically.

 * To fix the issue on reboot, the handling of /run/opencryptoki
   is handed over to dh by adding it to d/opencryptoki.dirs.

 * In addition it turned out that /usr/lib/tmpfiles.d/opencryptoki.conf
   is outdated, because it's overwritten since 3.5+dfsg-2
   which prevented the use of the build opencryptoki.conf
   and with that the correct handling of /run/opencryptoki.

[ Test Plan ]

 * To have a test coverage for the modification it should be verified that:
   - a package installation on a pristine system is not affected
     (this is more a regression testing, since that worked before)
   - re-installation (with and without reboots in between),
     since the reported issue popped up after re-installs and reboots.
   - upgrades, from former mantic version to this fixed mantic version
     and upgrade from lunar to fixed mantic version should be tested
     (probably only possible via do-release-upgrade due to the different
      libc6 package versions 2.37 vs 2.38, but LP#1880760)
   - install libopencryptoki-dev in addition

 * After each of the above steps it's needed to check if the pkcsslotd
   service is active:
   $ systemctl status pkcsslotd
   ● pkcsslotd.service - Daemon which manages cryptographic hardware tokens for th>
      Loaded: loaded (/lib/systemd/system/pkcsslotd.service; enabled; preset: en>
      Active: active (running) since Fri 2023-10-20 15:26:05 UTC; 2 days ago
    Main PID: 638 (pkcsslotd)
       Tasks: 1 (limit: 9577)
      Memory: 9.6M
         CPU: 2.817s
      CGroup: /system.slice/pkcsslotd.service
              └─638 /usr/sbin/pkcsslotd
   Oct 20 15:26:05 zbox systemd[1]: Starting pkcsslotd.service - Daemon which m>
   Oct 20 15:26:05 zbox pkcsslotd[604]: PID File created
   Oct 20 15:26:05 zbox systemd[1]: Started pkcsslotd.service - Daemon which ma

 * ... and furthermore that it correctly accepts calls, like done by:
   $ sudo pkcsconf -t
      Token #1 Info:
    Label: icatok
    Manufacturer: IBM
    Model: ICA
    Serial Number:
    Flags: 0x880045 (RNG|LOGIN_REQUIRED|CLOCK_ON_TOKEN|USER_PIN_TO_BE_CHANGED|SO_PIN_TO_BE_CHANGED)
    Sessions: 0/[effectively infinite]
    R/W Sessions: 0/[effectively infinite]
    PIN Length: 4-8
    Public Memory: [information unavailable]/[information unavailable]
    Private Memory: [information unavailable]/[information unavailable]
    Hardware Version: 0.0
    Firmware Version: 0.0
    Time: 2023102309540300
    URI: pkcs11:manufacturer=IBM;model=ICA;token=icatok
   Token #3 Info:
    Label: softtok
    Manufacturer: IBM
    Model: Soft
    Serial Number:
    Flags: 0x880045 (RNG|LOGIN_REQUIRED|CLOCK_ON_TOKEN|USER_PIN_TO_BE_CHANGED|SO_PIN_TO_BE_CHANGED)
    Sessions: 0/[effectively infinite]
    R/W Sessions: 0/[effectively infinite]
    PIN Length: 4-8
    Public Memory: [information unavailable]/[information unavailable]
    Private Memory: [information unavailable]/[information unavailable]
    Hardware Version: 0.0
    Firmware Version: 0.0
    Time: 2023102309540300
    URI: pkcs11:manufacturer=IBM;model=Soft;token=softtok

 * Optionally, an end-to-end test like described in '[ Test Plan ]'
   at LP#2018911 could be done (just as regression test, since this worked
   well with the existing package).

[ Where problems could occur ]

 * The different default /usr/lib/tmpfiles.d/opencryptoki.conf
   could lead to unforeseen behavior.
   But it was confirmed that it is correct and the e2e test
   would be another test.

 * The modifications in the postinst and postrm scripts could lead
   to problems during install, remove or purge.
   But this is covered by the (re-)install and upgrade tests above.

 * Test test build (done in PPA and available here:
   https://launchpad.net/~fheimes/+archive/ubuntu/lp2039783)
   was already pre-tested by the person the bug is assigned to
   and by the initial bug reporter.

 * No opencryptoki code was modified, only the default configuration
   (now using what falls out from a default build)
   and package meta-data.

[ Other Info ]

 * The reported problem affects 23.10, since this includes
   opencryptoki 2.21 that comes with pkcsslotd service modifications
   (LP#2025922 - 'hardening').
__________

---Problem Description (by Grgo Mariani) ---
Opencryptoki post-installation script fails due to a non-existing directory.
Although the package is shown as installed the missing directory is critical for service running.

Contact Information = <email address hidden> <email address hidden>

---uname output---
Linux SYSTEM 6.5.0-9-generic #9-Ubuntu SMP Fri Oct 6 19:43:35 UTC 2023 s390x s390x s390x GNU/Linux

Machine Type = Manufacturer: IBM Type: 3931 Model: 704 A01

---Debugger---
A debugger is not configured

---Steps to Reproduce---
Install the opencryptoki package and check if the service is running.

root@SYSTEM:~# apt install opencryptoki
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
The following NEW packages will be installed:
  opencryptoki
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Need to get 228 kB of archives.
After this operation, 834 kB of additional disk space will be used.
Get:1 http://ports.ubuntu.com/ubuntu-ports mantic/universe s390x opencryptoki s390x 3.21.0+dfsg-0ubuntu1 [228 kB]
Fetched 228 kB in 0s (1,130 kB/s)
Selecting previously unselected package opencryptoki.
(Reading database ... 68397 files and directories currently installed.)
Preparing to unpack .../opencryptoki_3.21.0+dfsg-0ubuntu1_s390x.deb ...
Unpacking opencryptoki (3.21.0+dfsg-0ubuntu1) ...
Setting up opencryptoki (3.21.0+dfsg-0ubuntu1) ...
info: The group `pkcs11' already exists as a system group. Exiting.
info: The system user `pkcsslotd' already exists. Exiting.

info: Adding user `root' to group `pkcs11' ...
chown: cannot access '/run/opencryptoki': No such file or directory
dpkg: error processing package opencryptoki (--configure):
 installed opencryptoki package post-installation script subprocess returned error exit status 1
Processing triggers for man-db (2.11.2-3) ...
Errors were encountered while processing:
 opencryptoki
needrestart is being skipped since dpkg has failed
E: Sub-process /usr/bin/dpkg returned an error code (1)
root@SYSTEM:~# systemctl status pkcsslotd

Userspace tool common name: opencryptoki

The userspace tool has the following bit modes: 64bit

Userspace rpm: opencryptoki v3.21.0

Userspace tool obtained from project website: na

== Comment: #1 - Ingo Franzki - 2023-10-18 09:26:50 ==
/run/opencryptoki should be created by the package install, but is also created by tmpfiles.d service after every boot, because /run is usually in tempfs, so its not persistent across boots. OCK installs a tempfiles.d config script (/usr/lib/tmpfiles.d/opencryptoki.conf), too.

== Comment: #3 - Ingo Franzki - 2023-10-18 10:13:30 ==
It also seems that Ubuntu's /usr/lib/tmpfiles.d/opencryptoki.conf file has incorrect (outdated?) contents.
It must be ensured that the file as produced by building Opencryptoki (via 'make install') is installed, and not something else/older.

See original description
bugproxy (bugproxy)
tags: added: architecture-s39064 bugnameltc-203873 severity-high targetmilestone-inin2310
Changed in ubuntu:
assignee: nobody → Skipper Bug Screeners (skipper-screen-team)
affects: ubuntu → linux (Ubuntu)
Frank Heimes (fheimes)
affects: linux (Ubuntu) → opencryptoki (Ubuntu)
Frank Heimes (fheimes)
Changed in ubuntu-z-systems:
assignee: nobody → Skipper Bug Screeners (skipper-screen-team)
importance: Undecided → High
Changed in opencryptoki (Ubuntu):
importance: Undecided → High
Revision history for this message
Frank Heimes (fheimes) wrote :

The installation works interestingly on a pristine 23.10 installation,
since in this case the pkcsslotd user creation will also create the folder used for its home (/run/opencryptoki).
That is probably the reason why this wasn't noticed earlier.
But you're right, /run/opencryptoki is not persistent, hence it lasts only until the next reboot.
Handing the folder management over to dh solves this.

In addition I found that a debian/opencryptoki.tmpfile file existed (since 3.5+dfsg-2):
" Updated systemd-tmpfiles debian/opencryptoki.tmpfiles snippet to
  create TOK_OBJ per-token subdirectories with correct
  permissions. Upstream should probably ship tmpfiles snippet. LP:#1595192. "

So opencryptoki.tmpfile contains:
"
d /var/lock/opencryptoki 0770 root pkcs11 -
d /var/lock/opencryptoki/icsf 0770 root pkcs11 -
d /var/lock/opencryptoki/swtok 0770 root pkcs11 -
d /var/lock/opencryptoki/tpm 0770 root pkcs11 -
d /var/lock/opencryptoki/lite 0770 root pkcs11 -
d /var/lock/opencryptoki/ccatok 0770 root pkcs11 -
d /var/lock/opencryptoki/ep11tok 0770 root pkcs11 -

d /var/lib/opencryptoki 0770 root pkcs11 -
d /var/lib/opencryptoki/icsf 0770 root pkcs11 -
d /var/lib/opencryptoki/swtok 0770 root pkcs11 -
d /var/lib/opencryptoki/tpm 0770 root pkcs11 -
d /var/lib/opencryptoki/lite 0770 root pkcs11 -
d /var/lib/opencryptoki/ccatok 0770 root pkcs11 -
d /var/lib/opencryptoki/ep11tok 0770 root pkcs11 -

d /var/lib/opencryptoki/icsf/TOK_OBJ 0770 root pkcs11 -
d /var/lib/opencryptoki/swtok/TOK_OBJ 0770 root pkcs11 -
d /var/lib/opencryptoki/lite/TOK_OBJ 0770 root pkcs11 -
d /var/lib/opencryptoki/ccatok/TOK_OBJ 0770 root pkcs11 -
d /var/lib/opencryptoki/ep11tok/TOK_OBJ 0770 root pkcs11 -
"
And if I remove this and just take the /usr/lib/tmpfiles.d/opencryptoki.conf that falls out of the build, it has this content:
"
# path mode uid gid age
D /run/opencryptoki 710 pkcsslotd pkcs11 -
d /var/lib/opencryptoki 0770 root pkcs11 -
d /var/log/opencryptoki 0770 root pkcs11 -
D /var/lock/opencryptoki 0770 root pkcs11 -
D /var/lock/opencryptoki/swtok 0770 root pkcs11 -
D /var/lock/opencryptoki/lite 0770 root pkcs11 -
D /var/lock/opencryptoki/ep11tok 0770 root pkcs11 -
D /var/lock/opencryptoki/tpm 0770 root pkcs11 -
D /var/lock/opencryptoki/ccatok 0770 root pkcs11 -
D /var/lock/opencryptoki/icsf 0770 root pkcs11 -
"

Could you please confirm if this is what you've expected (and if the content is sufficient, since it's considerably less).

I've created a test build with these changes thats available here:
https://launchpad.net/~fheimes/+archive/ubuntu/lp2039783

And tested it on a pristine install, upgrade, remove/reinstall, and after reboot - see attachment.

Revision history for this message
Frank Heimes (fheimes) wrote :
Changed in ubuntu-z-systems:
status: New → In Progress
Changed in opencryptoki (Ubuntu):
status: New → In Progress
Ubuntu Foundations Team Bug Bot (crichton)
tags: added: patch
Revision history for this message
bugproxy (bugproxy) wrote : Comment bridged from LTC Bugzilla

------- Comment From <email address hidden> 2023-10-23 02:38 EDT-------
> Could you please confirm if this is what you've expected (and if the content is sufficient, since it's considerably less).

Hello Frank,

yes this is sufficient. The token directories under /var/lib/opencryptoki are created by the pkcsslotd based on the token configuration. Since a user may configure any number of tokens with any name, only pkcsslotd can know which directories to create.

Revision history for this message
bugproxy (bugproxy) wrote :

------- Comment From <email address hidden> 2023-10-23 02:51 EDT-------
Just verified the package. The upgrade, installation and removal are successful.

The pkcsslotd service is running successfully after the installation and all tokens are coming up. Also the new tmpfiles.d entries are visible.

Thank you for a quick resolution.

Revision history for this message
bugproxy (bugproxy) wrote :

------- Comment From <email address hidden> 2023-10-23 04:34 EDT-------
Successfully verified. Thank you all for your work.
With that, we can close the bug.
==> Changing the status to: "CLOSED"

Revision history for this message
Frank Heimes (fheimes) wrote : Re: [UBUNTU 23.10] Opencryptoki package instalation not creating /run/opencryptoki directory

updated debdiff to face some lintian messages

Frank Heimes (fheimes)
description: updated
Revision history for this message
Simon Chopin (schopin) wrote :

I'm really confused by this.

First off, the lintian warnings are there for a good reason, and I don't think your override actually justifies anything. If the directories in question are handled by tmpfiled, why do you need to *install* them in the package? It seems to me you could just run systemd-tmpfiles manually in the postinst, assuming dh_installinit doesn't already do it for you? That way you could actually remove *all* the redundant code from the postinst.

Second, the /run/opencryptoki directory seems like a good candidate for being dealt with directly by the pkcsslotd service file via RuntimeDirectory, although I guess that might be better done in devel rather than in an SRU.

Frank Heimes (fheimes)
summary: - [UBUNTU 23.10] Opencryptoki package instalation not creating
+ [UBUNTU 23.10] Opencryptoki package installation not creating
/run/opencryptoki directory
Revision history for this message
bugproxy (bugproxy) wrote : Comment bridged from LTC Bugzilla

------- Comment From <email address hidden> 2023-10-24 04:23 EDT-------
> Second, the /run/opencryptoki directory seems like a good candidate for being dealt with directly by the pkcsslotd service file via RuntimeDirectory, although I guess that might be better done in devel rather than in an SRU.

That might work, but for compatibility reasons pkcsslod can also be stared without systemd. In that case /run/opencryptoki would possibly not exist and pkcsslotd would fail to start. Also, /run/opencryptoki must be owned by the pkcsslotd user and must have mode 710 (i.e. only writable by pkcsslotd) for security reasons.
So I think creating this directory via tmpfiles.d is preferable.

Revision history for this message
Frank Heimes (fheimes) wrote :

Hi Simon, thanks for taking the time to review.
Lintian warnings (and in this case even errors!) are of course for a reason reported, and I try to avoid them in the first place.

The description of these lintian messages say that the folders in question (/run/opencryptoki/ and /var/lock/opencryptoki) might well be on a temp. filesystem, so that they must be created dynamically at boot time.
Boot time is not sufficient since, they need to be there also at install time, because for the initial service user creation, at least /run/opencryptoki needs to be there, since it acts as home folder. And one wants to make use of pkcsslotd w/o reboot.

I assume with 'why do you need to *install* them' you mean having them in the .dirs file (for dh_installdirs), right?
Well, that was the idea to have them in place at install time. Initially it seemed to be cleaner to have them handled by dh_installdirs, instead of manually adding a step to postinst calling another (external) tool (and tbh. I never called systemd-tmpfiles manually so far).

There is a little 'chicken and egg' problem because systemd-tmpfiles uses the pkcsslotd user already, but adduser should use /run/opencryptoki as home, but this is created by systemd-tmpfiles.
I now circumvent this by adding --no-create-home to adduser and then calling systemd-tmpfiles as a direct next step.
This results in one or two info messages like this 'info: The home dir /run/opencryptoki you specified can't be accessed: No such file or directory', but I think that's fine (since it's info level only).
On the plus side I don't get any warn messages anymore that (under specific circumstances) that 'The home directory `/run/opencryptoki' already exists. Not touching this directory.'.

The list of all the postinst commands are the consequence of their (direct) movement away from the makefile.
Calling systemd-tmpfiles in postinst will make this now a bit less obvious, but otohs less overall commands in postinst, but most important: this is the wanted way to avoid the lintian error in the first place!

I've did a first build and some tests and it looks promising - but need to do more install, re-install and upgrade tests ...
If I don't run into any issues, I'll finally upload it like this.

So many thanks for your suggestion and feedback.

Revision history for this message
Frank Heimes (fheimes) wrote :

I've did another test build that is available here:
https://launchpad.net/~fheimes/+archive/ubuntu/lp2039783/+packages
Testing was fine.
Just uploaded the modified package with this debdiff (see attachment).
Awaiting approval to be accepted for mantic-proposed.

Revision history for this message
Timo Aaltonen (tjaalton) wrote : Please test proposed package

Hello bugproxy, or anyone else affected,

Accepted opencryptoki into mantic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/opencryptoki/3.21.0+dfsg-0ubuntu1.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-mantic to verification-done-mantic. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-mantic. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in opencryptoki (Ubuntu Mantic):
status: New → Fix Committed
tags: added: verification-needed verification-needed-mantic
Frank Heimes (fheimes)
Changed in ubuntu-z-systems:
status: In Progress → Fix Committed
Revision history for this message
bugproxy (bugproxy) wrote : Comment bridged from LTC Bugzilla

------- Comment From <email address hidden> 2023-10-30 05:08 EDT-------
Successfully verified with the available -proposed package:

# dpkg -l | grep opencryptoki
ii libopencryptoki0:s390x 3.21.0+dfsg-0ubuntu1.1 s390x PKCS#11 implementation (library)
ii opencryptoki 3.21.0+dfsg-0ubuntu1.1 s390x PKCS#11 implementation (daemon)

The directory /run/opencryptoki is visible after the installation and the service runs without issues. The new tmpfiles.d entries for opencryptoki.conf are also visible after the installation.

tags: removed: verification-needed verification-needed-mantic
Frank Heimes (fheimes)
tags: added: verification-done verification-done-mantic
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package opencryptoki - 3.21.0+dfsg-0ubuntu1.1

---------------
opencryptoki (3.21.0+dfsg-0ubuntu1.1) mantic; urgency=medium

  * Fix opencryptoki package install issue (LP: #2039783)
    - Remove d/opencryptoki.tmpfile since upstream opencryptoki.conf
      from build output should be used.
    - Leave the handling of non-persistent file and folders
      (like /run/opencryptoki/ and /var/lock/opencryptoki) entirely
      to systemd-tmpfiles and tmpfiles.d/opencryptoki.conf, means:
      - remove them from d/openstack.dirs
      - and instead call systemd-tmpfiles in d/openstack.postinst
      - this also allows to consolidate and remove commands from postinst
    - Ensure that pkcs11 is a supplementary group for root.
    - Modify d/opencryptoki.postrm and remove pkcsslotd user before
      removing pkcs11 group (otherwise it'll never be empty).
    - Remove obsolete Depends on lsb-base to avoid a lintian error report.

 -- Frank Heimes <email address hidden> Thu, 24 Oct 2023 18:21:02 +0200

Changed in opencryptoki (Ubuntu Mantic):
status: Fix Committed → Fix Released
Revision history for this message
Brian Murray (brian-murray) wrote : Update Released

The verification of the Stable Release Update for opencryptoki has completed successfully and the package is now being released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Frank Heimes (fheimes)
Changed in opencryptoki (Ubuntu):
status: In Progress → Fix Committed
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package opencryptoki - 3.21.0+dfsg-0ubuntu2

---------------
opencryptoki (3.21.0+dfsg-0ubuntu2) noble; urgency=medium

  * Fix opencryptoki package install issue (LP: #2039783)
    - Remove d/opencryptoki.tmpfile since upstream opencryptoki.conf
      from build output should be used.
    - Leave the handling of non-persistent file and folders
      (like /run/opencryptoki/ and /var/lock/opencryptoki) entirely
      to systemd-tmpfiles and tmpfiles.d/opencryptoki.conf, means:
      - remove them from d/openstack.dirs
      - and instead call systemd-tmpfiles in d/openstack.postinst
      - this also allows to consolidate and remove commands from postinst
    - Ensure that pkcs11 is a supplementary group for root.
    - Modify d/opencryptoki.postrm and remove pkcsslotd user before
      removing pkcs11 group (otherwise it'll never be empty).
    - Remove obsolete Depends on lsb-base to avoid a lintian error report.

 -- Frank Heimes <email address hidden> Fri, 01 Dec 2023 16:32:47 +0100

Changed in opencryptoki (Ubuntu):
status: Fix Committed → Fix Released
Frank Heimes (fheimes)
Changed in ubuntu-z-systems:
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Bug attachments

Remote bug watches

Bug watches keep track of this bug in other bug trackers.