Ubuntu Desktop boot hangs absent zeroconf packets and after avahi-daemon purge
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| Ubuntu | New | Undecided | Unassigned | |
Bug Description
Our install procedures customarily airgap machines during installation, purge unnecessary and irrelevant packages such as avahi-daemon, ufw, netplan.io, ModemManager, network-manager, fprintd, etc., configure networking via systemd-networkd, and enable an iptables firewall to be in place before the network is up, all before exposing any machine to a network for further configuration.
The iptables rules drop all zeroconf and broadcast traffic for obvious security reasons. The kernel is typically configured to forward packets, so these DROP rules are in the mangle table's PREROUTING chain, to scrub them before reaching the filter table's INPUT or FORWARD chains. Presumably, this also scrubs such traffic to the loopback interface. INPUT, OUTPUT, and FORWARD rules ACCEPT suitable traffic before a default DROP rule in each case.
We have found the Ubuntu desktop 22.04 boot process to be especially fragile. System boot hangs every time, typically presenting as either an ordering cycle or a failure of partition mounts, which may be related. Occasionally, we note that dmesg.service and networkd-
Over the course of weeks, we have debugged our install scripts and packet filtering and although the modality is unclear, the cause is an absence of zeroconf network traffic or the purge of the avahi-daemon package.
Curiously, none of this configuration has any effect and the boot process proceeds normally and as expected so long as a machine's Ethernet cables are unplugged. Once connected, attempts to upgrade a system (# apt update && apt upgrade) themselves hang, the machine reboots successfully, and then after dpkg --reconfigure -a, the attempted reboot hangs as before.
Ubuntu desktop 20.04 machines do not exhibit this behavior.
The expectation is that local processes would utilize D-Bus or, if IP traffic somehow was necessary for local interprocess communication, that those processes would rely on name resolution other than broadcast traffic.
Alternatively, the expectation is that the necessity of deliberately opening this security vulnerability would be well and conspicuously documented, including identifying the processes, ports, protocols, sources, destinations, interfaces, sockets, and any IP or MAC address so that the traffic can be suitably filtered.
Persisting avahi-daemon and zeroconf is a non-starter.
Release: Ubuntu desktop 22.04 LTS
Version: gnome-shell 42.0-2ubuntu1
Expected behavior: Boot to gdm3 login prompt.
Actual behavior: Consistent boot hang.
ProblemType: Bug
DistroRelease: Ubuntu 22.04
Package: gnome-shell 42.0-2ubuntu1
ProcVersionSign
Uname: Linux 5.15.0-33-generic x86_64
ApportVersion: 2.20.11-0ubuntu82
Architecture: amd64
CasperMD5CheckR
Date: Tue Jun 7 10:00:18 2022
DisplayManager: gdm3
GsettingsChanges:
InstallationDate: Installed on 2022-05-24 (14 days ago)
InstallationMedia: Ubuntu 22.04 LTS "Jammy Jellyfish" - Release amd64 (20220419)
ProcEnviron:
SHELL=/bin/bash
LANG=en_US.UTF-8
TERM=xterm-
PATH=(custom, no user)
RelatedPackageV
SourcePackage: gnome-shell
UpgradeStatus: No upgrade log present (probably fresh install)
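The reporter presumes that DROP rules placed in the mangle table's PREROUTING chain also scrub traffic arriving on the loopback interface. That ordering can be audited offline against an iptables-save dump before a machine is rebooted. This is an added example, not part of the bug report; the ruleset is constructed to resemble the one described, and the function names are assumptions.

```python
"""Audit an iptables-save dump for DROP rules in mangle/PREROUTING that also
match packets on the loopback interface. Constructed example, not the report's."""
import shlex

# Constructed sample in iptables-save format: mDNS, LLMNR and broadcast are
# dropped in PREROUTING, and nothing exempts lo before those rules.
SAMPLE_RULES = """\
*mangle
:PREROUTING ACCEPT [0:0]
-A PREROUTING -d 224.0.0.251/32 -p udp -m udp --dport 5353 -j DROP
-A PREROUTING -d 224.0.0.252/32 -p udp -m udp --dport 5355 -j DROP
-A PREROUTING -m addrtype --dst-type BROADCAST -j DROP
COMMIT
"""

def chain_rules(dump, table, chain):
    """Return the '-A <chain>' rules of <table>, in order, as token lists."""
    rules, current = [], None
    for line in dump.splitlines():
        line = line.strip()
        if line.startswith("*"):
            current = line[1:]
        elif line == "COMMIT":
            current = None
        elif current == table and line.startswith(f"-A {chain} "):
            rules.append(shlex.split(line)[2:])
    return rules

def in_iface(tokens):
    """Return (interface, negated) for the rule's -i match; (None, False) if absent."""
    for i, tok in enumerate(tokens):
        if tok == "-i":
            return tokens[i + 1], (tokens[i - 1] == "!" if i else False)
    return None, False

def loopback_affecting_drops(dump):
    """DROP rules in mangle/PREROUTING still reachable by lo traffic."""
    hits = []
    for tokens in chain_rules(dump, "mangle", "PREROUTING"):
        iface, negated = in_iface(tokens)
        target = tokens[tokens.index("-j") + 1] if "-j" in tokens else None
        if iface == "lo" and not negated and target in ("ACCEPT", "RETURN"):
            break  # later rules no longer see loopback packets
        if target == "DROP" and (iface is None or (iface == "lo" and not negated)):
            hits.append(" ".join(tokens))
    return hits
```

Calling `loopback_affecting_drops(SAMPLE_RULES)` lists all three rules; inserting `-A PREROUTING -i lo -j ACCEPT` ahead of them, or scoping each drop with `! -i lo`, empties the list.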
Changed in ubuntu: status: Expired → New
Thanks for reporting this issue. I'm opening it up publicly since it would be useful for the people who work on the installer to see this.