xargs not contained in initramdisk

Bug #1652091 reported by Muelli
This bug affects 4 people
Affects: dropbear (Ubuntu)
Status: Fix Released
Importance: Medium
Assigned to: Unassigned

Bug Description

/usr/share/initramfs-tools/scripts/init-bottom/dropbear:ps -eo ppid,pid | sed -nr "s/^\s*$pid\s+([0-9]+)\s*$/\1/p" | xargs -r kill

but the initramdisk does not ship the xargs binary.

ProblemType: Bug
DistroRelease: Ubuntu 16.04
Package: dropbear-initramfs 2016.72-1
Uname: Linux 4.7.0-040700-generic x86_64
ApportVersion: 2.20.1-0ubuntu2.2
Architecture: amd64
CurrentDesktop: GNOME
Date: Thu Dec 22 16:17:18 2016
InstallationDate: Installed on 2015-12-02 (386 days ago)
InstallationMedia: Ubuntu-GNOME 16.04 LTS "Xenial Xerus" - Alpha amd64 (20151027)
SourcePackage: dropbear
UpgradeStatus: No upgrade log present (probably fresh install)

Muelli (ubuntu-bugs-auftrags-killer) wrote :
scott28 (lubomir-krajcovic) wrote :

First of all, affected package is dropbear-initramfs, not dropbear.

Offending line in "/usr/share/initramfs-tools/scripts/init-bottom/dropbear" script is supposed to kill all dropbear children.

There are two problems with it:
1. The "ps" command (part of busybox, of busybox-initramfs, here 1:1.22.0-15ubuntu1) does not support options: -eo ppid,pid
2. As mentioned, "xargs" is missing entirely in initrd

The proposed solution is based on the facts that:
- there is "ps -l" which outputs PID and PPID (as 3rd and 4th column)
- there is awk
- in this case, xargs can be easily replaced with shell construct

Solution was successfully tested on our servers.

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in dropbear (Ubuntu):
status: New → Confirmed
Ubuntu Foundations Team Bug Bot (crichton) wrote :

The attachment "/usr/share/initramfs-tools/scripts/init-bottom/dropbear" seems to be a patch. If it isn't, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are a member of the ~ubuntu-reviewers, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issues please contact him.]

tags: added: patch
Changed in dropbear (Ubuntu):
importance: Undecided → Medium
jof (jof-v) wrote :

I have worked around this in my Xenial dropbear/initrd environment by replacing the package /usr/share/initramfs-tools/scripts/init-bottom/dropbear with:

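##############################################
#!/bin/sh
# From /usr/share/initramfs-tools/scripts/init-bottom/dropbear

PREREQ=""

prereqs() {
 echo "$PREREQ"
}

case "$1" in
 prereqs)
  prereqs
  exit 0
 ;;
esac

. /scripts/functions

# Nothing to do if dropbear never wrote a PID file.
[ -s /run/dropbear.pid ] || exit 0

log_begin_msg "Stopping dropbear and its children"

pid=$(cat /run/dropbear.pid)
# busybox "ps l" prints the PID in column 3 and the PPID in column 4:
# kill every process whose parent is dropbear, then dropbear itself.
# The PID is passed to awk as a variable instead of being spliced into
# the awk program text.
for child in $(ps l | awk -v ppid="$pid" '$4 == ppid { print $3 }'); do
  kill "$child"
done
kill "$pid"
##############################################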

Hope that might help someone.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package dropbear - 2017.75-2

---------------
dropbear (2017.75-2) unstable; urgency=low

  * dropbear-initramfs:
    + init-bottom script: in the init-bottom script, send a SIGTERM to all
      process groups the leader of which is a child of the dropbear process,
      to ensure that all children of all SSH sessions are terminated (before
      dropbear itself is killed).
    + postinst: don't print the reminder to check "ip=" boot parameter if it's
      already found in /proc/cmdline.
    + premount script: log to standard error if the 'debug' environment
      variable is set.
    + premount script: boot method (local or NFS) is in environment variable
      'BOOT' not 'boot'.
    + On local mounts, don't bring down the network before dropbear was
      terminated (at init-bottom stage, not at local-bottom stage). Bringing
      down the network while an SSH session is still active makes clients hang
      until the connection times out.
    + init-bottom script: log which network interfaces are being brought down.
    + init-bottom script: replace xargs(1) with a while loop as it's
      apparently not included in Ubuntu's busybox. (LP: #1652091)
    + Compile with '--disable-bundled-libtom' to use system libtomcrypt /
      libtommath. (Closes: #870035)
  * debian/control: bump Standards-Version to 4.0.0 (no changes necessary).
  * debian/{control,dropbear-bin.install,dropbear-bin.manpages}: apply
    wrap-and-sort(1).

 -- Guilhem Moulin <email address hidden> Tue, 08 Aug 2017 21:59:06 +0200

Changed in dropbear (Ubuntu):
status: Confirmed → Fix Released
eviljoel (eviljoel-t) wrote :

The change that was made to address this bug does not work correctly. The version of busybox included in the Ubuntu initramfs doesn't include all the features of busybox included in the Debian initramfs. This lack of features is still causing the killing of dropbear's child processes to fail.

You can see the available options of busybox's 'ps' by executing it with an invalid option. On Ubuntu, you get the following:

(initramfs) /bin/busybox ps -h
ps: invalid option -- 'h'
BusyBox v1.27.2 (Ubuntu 1:1.27.2-2ubuntu3) multi-call binary.

Usage: ps

Show list of processes

        w Wide output
        l Long output

(initramfs)

If you run the same command on Debian, you get the following:

(initramfs) /bin/busybox ps -h
ps: invalid option -- 'h'
BusyBox v1.22.1 (Debian 1:1.22.0-19+b3) multi-call binary.

Usage: ps [-o COL1,COL2=HEADER] [-T]

Show list of processes

        -o COL1,COL2=HEADER Select columns for display
        -T Show threads

(initramfs)

It is the missing '-o' option that causes this issue.

I am reopening this bug instead of creating a new bug because scott28 previously pointed out these problems and already provided a more correct solution. I have included a patch based on his patch created against the current 'master' version of dropbear.

I don't think this can really be fixed upstream. The two versions of busybox ps are not compatible. The only reasonable fix I can see is to add Ubuntu-specific code and I suspect the Debian maintainer will be unwilling to do that. Ubuntu should probably apply this patch before creating their build.

eviljoel (eviljoel-t)
tags: added: bionic
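
As an added illustration (not the upstream fix and not code from this report), dropbear's children can be found without depending on either busybox `ps` variant or on xargs by reading /proc/<pid>/stat directly. It assumes /proc is mounted when the script runs; the function names `children_of` and `stop_with_children` are hypothetical.

```shell
#!/bin/sh
# Added example: uses only sh builtins and a mounted /proc (assumption).

# children_of PID: print the PID of every process whose parent is PID.
children_of() {
    parent=$1
    for stat in /proc/[0-9]*/stat; do
        # A process can exit between the glob and the read; skip it.
        { read -r line <"$stat"; } 2>/dev/null || continue
        pid=${line%% *}
        # Field 2 (the command name) is parenthesised and may itself
        # contain spaces or ')', so drop everything up to the last ") ".
        rest=${line##*) }      # "<state> <ppid> <pgrp> ..."
        rest=${rest#* }        # "<ppid> <pgrp> ..."
        ppid=${rest%% *}
        [ "$ppid" = "$parent" ] && echo "$pid"
    done
    return 0
}

# stop_with_children PID: send SIGTERM to each direct child, then to PID.
# The while loop stands in for "xargs -r kill": no input, no kill call.
stop_with_children() {
    children_of "$1" | while read -r child; do
        kill "$child" 2>/dev/null || :
    done
    kill "$1" 2>/dev/null || :
}

# Intended use in an init-bottom script (not executed here):
#   [ -s /run/dropbear.pid ] && stop_with_children "$(cat /run/dropbear.pid)"
```

Like the workaround posted above, this signals only direct children of the given PID, whereas the 2017.75-2 changelog describes signalling whole process groups.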
eviljoel (eviljoel-t) wrote :

Never mind the patch. I got Guilhem Moulin to fix this upstream:
https://salsa.debian.org/debian/dropbear/commit/617cc6f67d57932a5f421c08fdc303bad3a3d6db
