Ubuntu
linux-aws package

Enabling fips-preview on Jammy AWS fails with: Depends: linux-aws-fips (>= 5.15.0.1042.43) but it is not installable

Bug #2044722 reported by Thomas Bechtold
18
This bug affects 3 people
Affects Status Importance Assigned to Milestone
linux-aws (Ubuntu)
Confirmed
Undecided
Unassigned

Bug Description

I'm testing the fips-review packages on AWS for Jammy. That fails with:

Unexpected APT error.
Failed running command 'apt-get install --assume-yes --allow-downgrades -o Dpkg::Options::="--force-confdef" -o Dpkg::Options::="--force-confold" ubuntu-aws-fips' [exit(100)]. Message: E: Unable to correct problems, you have held broken packages.

Steps to reproduce:

1) aws ec2 run-instances --image-id resolve:ssm:/aws/service/canonical/ubuntu/server/22.04/stable/current/amd64/hvm/ebs-gp2/ami-id --instance-type m6a.large --key-name toabctl
2) ssh into the instance
3) ua attach $MY_UA_TOKEN
4) ua enable fips-preview # (answer with yes)

The result is:

# ua enable fips-preview
One moment, checking your subscription first
FIPS Preview cannot be enabled with Livepatch.
Disable Livepatch and proceed to enable FIPS Preview? (y/N) y
Disabling incompatible service: Livepatch
This will install crypto packages that have been submitted to NIST for review
but do not have FIPS certification yet. Use this for early access to the FIPS
modules.
Please note that the Livepatch service will be unavailable after
this operation.
Warning: This action can take some time and cannot be undone.
Are you sure? (y/N) y
Updating FIPS Preview package lists
Installing FIPS Preview packages
Updating standard Ubuntu package lists
Could not enable FIPS Preview.
Updating package lists
Unexpected APT error.
Failed running command 'apt-get install --assume-yes --allow-downgrades -o Dpkg::Options::="--force-confdef" -o Dpkg::Options::="--force-confold" ubuntu-aws-fips' [exit(100)]. Message: E: Unable to correct problems, you have held broken packages.

See /var/log/ubuntu-advantage.log

From that log:
["2023-11-27T09:58:33.581", "DEBUG", "ubuntupro.system", "subp", 714, "Failed running command 'apt-get install --assume-yes --allow-downgrades -o Dpkg::Options::=\"--force-confdef\" -o Dpkg::Options::=\"--force-confold\" ubuntu-aws-fips' [exit(100)]. Mes
sage: E: Unable to correct problems, you have held broken packages.\n", {}]
["2023-11-27T09:58:33.581", "WARNING", "ubuntupro.system", "subp", 715, "Stderr: E: Unable to correct problems, you have held broken packages.\n\nStdout: Reading package lists...\nBuilding dependency tree...\nReading state information...\nSome packages c
ould not be installed. This may mean that you have\nrequested an impossible situation or if you are using the unstable\ndistribution that some required packages have not yet been created\nor been moved out of Incoming.\nThe following information may help
 to resolve the situation:\n\nThe following packages have unmet dependencies:\n ubuntu-aws-fips : Depends: linux-aws-fips (>= 5.15.0.1042.43) but it is not installable\n", {}]

ProblemType: Bug
DistroRelease: Ubuntu 22.04
Package: ubuntu-advantage-tools 30~22.04
ProcVersionSignature: Ubuntu 6.2.0-1016.16~22.04.1-aws 6.2.16
Uname: Linux 6.2.0-1016-aws x86_64
ApportVersion: 2.20.11-0ubuntu82.5
Architecture: amd64
CasperMD5CheckResult: unknown
CloudArchitecture: x86_64
CloudID: aws
CloudName: aws
CloudPlatform: ec2
CloudRegion: eu-central-1
CloudSubPlatform: metadata (http://169.254.169.254)
Date: Mon Nov 27 09:59:57 2023
Ec2AMI: ami-097610d2a71255e7d
Ec2AMIManifest: (unknown)
Ec2Architecture: x86_64
Ec2AvailabilityZone: eu-central-1a
Ec2Imageid: ami-097610d2a71255e7d
Ec2InstanceType: m6a.large
Ec2Instancetype: m6a.large
Ec2Kernel: unavailable
Ec2Ramdisk: unavailable
Ec2Region: eu-central-1
ProcEnviron:
 TERM=xterm-256color
 PATH=(custom, no user)
 LANG=C.UTF-8
 SHELL=/bin/bash
SourcePackage: ubuntu-advantage-tools
UpgradeStatus: No upgrade log present (probably fresh install)
cloud-id.txt: aws
livepatch-status.txt-error:
 Failed running command '/snap/bin/canonical-livepatch status' [exit(1)]. Message: Machine is not enabled. Please run 'sudo canonical-livepatch enable' with the
 token obtained from https://ubuntu.com/livepatch.
pro-journal.txt:
 Nov 27 09:57:07.273351 ip-172-31-20-161 systemd[1]: Condition check resulted in Ubuntu Pro reboot cmds being skipped.
 Nov 27 09:57:13.549831 ip-172-31-20-161 systemd[1]: Condition check resulted in Ubuntu Pro Background Auto Attach being skipped.
uaclient.conf:
 contract_url: https://contracts.canonical.com
 log_level: debug

Note: there is no hold package:
# apt-mark showhold
root@ip-172-31-20-161:~#

See original description
Revision history for this message
Thomas Bechtold (toabctl) wrote :
description: updated
Renan Rodrigo (renanrodrigo)
information type: Private → Public
Thomas Bechtold (toabctl)
affects: ubuntu-advantage-tools (Ubuntu) → linux-aws (Ubuntu)
summary: - Enabling fips-preview on Jammy AWS fails with: Unexpected APT error
+ Enabling fips-preview on Jammy AWS fails with: Depends: linux-aws-fips
+ (>= 5.15.0.1042.43) but it is not installable
Revision history for this message
Renan Rodrigo (renanrodrigo) wrote :

Hello, Thomas

this seems to be something wrong with the metapackage itself. I believe u-a-t is doing what it should, but the dependency chain for ubuntu-aws-fips is broken, based on the logs:

> The following packages have unmet dependencies:\n ubuntu-aws-fips : Depends: linux-aws-fips (>= 5.15.0.1042.43) but it is not installable\n

FIPS people may know better how to deal with this.

Apport retracing service (apport)
tags: removed: need-amd64-retrace
Revision history for this message
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in linux-aws (Ubuntu):
status: New → Confirmed
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.