2023-10-19 08:59:14 |
bugproxy |
bug |
|
|
added bug |
2023-10-19 08:59:16 |
bugproxy |
tags |
|
architecture-s39064 bugnameltc-203873 severity-high targetmilestone-inin2310 |
|
2023-10-19 08:59:17 |
bugproxy |
ubuntu: assignee |
|
Skipper Bug Screeners (skipper-screen-team) |
|
2023-10-19 08:59:25 |
bugproxy |
affects |
ubuntu |
linux (Ubuntu) |
|
2023-10-19 09:54:36 |
Frank Heimes |
affects |
linux (Ubuntu) |
opencryptoki (Ubuntu) |
|
2023-10-19 09:59:18 |
Frank Heimes |
bug task added |
|
ubuntu-z-systems |
|
2023-10-19 09:59:39 |
Frank Heimes |
ubuntu-z-systems: assignee |
|
Skipper Bug Screeners (skipper-screen-team) |
|
2023-10-19 09:59:47 |
Frank Heimes |
ubuntu-z-systems: importance |
Undecided |
High |
|
2023-10-19 09:59:50 |
Frank Heimes |
opencryptoki (Ubuntu): importance |
Undecided |
High |
|
2023-10-20 16:26:18 |
Frank Heimes |
attachment added |
|
testing.txt https://bugs.launchpad.net/ubuntu-z-systems/+bug/2039783/+attachment/5711812/+files/testing.txt |
|
2023-10-20 16:27:04 |
Frank Heimes |
attachment added |
|
debdiff_mantic_opencryptoki_from_3.21.0+dfsg-0ubuntu1_to_3.21.0+dfsg-0ubuntu1.1.diff https://bugs.launchpad.net/ubuntu-z-systems/+bug/2039783/+attachment/5711813/+files/debdiff_mantic_opencryptoki_from_3.21.0+dfsg-0ubuntu1_to_3.21.0+dfsg-0ubuntu1.1.diff |
|
2023-10-20 16:27:14 |
Frank Heimes |
ubuntu-z-systems: status |
New |
In Progress |
|
2023-10-20 16:27:17 |
Frank Heimes |
opencryptoki (Ubuntu): status |
New |
In Progress |
|
2023-10-21 16:16:19 |
Ubuntu Foundations Team Bug Bot |
tags |
architecture-s39064 bugnameltc-203873 severity-high targetmilestone-inin2310 |
architecture-s39064 bugnameltc-203873 patch severity-high targetmilestone-inin2310 |
|
2023-10-23 16:56:47 |
Frank Heimes |
attachment added |
|
debdiff_mantic_opencryptoki_from_3.21.0+dfsg-0ubuntu1_to_3.21.0+dfsg-0ubuntu1.1.diff https://bugs.launchpad.net/ubuntu-z-systems/+bug/2039783/+attachment/5712719/+files/debdiff_mantic_opencryptoki_from_3.21.0+dfsg-0ubuntu1_to_3.21.0+dfsg-0ubuntu1.1.diff |
|
2023-10-23 17:20:01 |
Frank Heimes |
description |
---Problem Description (by Grgo Mariani) ---
Opencryptoki post-installation script fails due to a non-existing directory.
Although the package is shown as installed the missing directory is critical for service running.
Contact Information = grgo.mariani@ibm.com christian.rund@de.ibm.com
---uname output---
Linux SYSTEM 6.5.0-9-generic #9-Ubuntu SMP Fri Oct 6 19:43:35 UTC 2023 s390x s390x s390x GNU/Linux
Machine Type = Manufacturer: IBM Type: 3931 Model: 704 A01
---Debugger---
A debugger is not configured
---Steps to Reproduce---
Install the opencryptoki package and check if the service is running.
root@SYSTEM:~# apt install opencryptoki
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
The following NEW packages will be installed:
opencryptoki
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Need to get 228 kB of archives.
After this operation, 834 kB of additional disk space will be used.
Get:1 http://ports.ubuntu.com/ubuntu-ports mantic/universe s390x opencryptoki s390x 3.21.0+dfsg-0ubuntu1 [228 kB]
Fetched 228 kB in 0s (1,130 kB/s)
Selecting previously unselected package opencryptoki.
(Reading database ... 68397 files and directories currently installed.)
Preparing to unpack .../opencryptoki_3.21.0+dfsg-0ubuntu1_s390x.deb ...
Unpacking opencryptoki (3.21.0+dfsg-0ubuntu1) ...
Setting up opencryptoki (3.21.0+dfsg-0ubuntu1) ...
info: The group `pkcs11' already exists as a system group. Exiting.
info: The system user `pkcsslotd' already exists. Exiting.
info: Adding user `root' to group `pkcs11' ...
chown: cannot access '/run/opencryptoki': No such file or directory
dpkg: error processing package opencryptoki (--configure):
installed opencryptoki package post-installation script subprocess returned error exit status 1
Processing triggers for man-db (2.11.2-3) ...
Errors were encountered while processing:
opencryptoki
needrestart is being skipped since dpkg has failed
E: Sub-process /usr/bin/dpkg returned an error code (1)
root@SYSTEM:~# systemctl status pkcsslotd
Userspace tool common name: opencryptoki
The userspace tool has the following bit modes: 64bit
Userspace rpm: opencryptoki v3.21.0
Userspace tool obtained from project website: na
== Comment: #1 - Ingo Franzki - 2023-10-18 09:26:50 ==
/run/opencryptoki should be created by the package install, but is also created by tmpfiles.d service after every boot, because /run is usually in tmpfs, so it's not persistent across boots. OCK installs a tmpfiles.d config script (/usr/lib/tmpfiles.d/opencryptoki.conf), too.
== Comment: #3 - Ingo Franzki - 2023-10-18 10:13:30 ==
It also seems that Ubuntu's /usr/lib/tmpfiles.d/opencryptoki.conf file has incorrect (outdated?) contents.
It must be ensured that the file as produced by building Opencryptoki (via 'make install') is installed, and not something else/older. |
SRU Justification:
[ Impact ]
* Under some conditions the post-install script may fail
due to a missing /run/opencryptoki directory,
that is needed by the pkcsslotd service.
* This happens either after a second install (install, purge, install)
or when the system got rebooted, since /run/opencryptoki is not persistent.
* To fix the issue on re-install, removing the system user manually would be
a workaround, but should really be better done automatically.
* To fix the issue on reboot, the handling of /run/opencryptoki
is handed over to dh by adding it to d/opencryptoki.dirs.
* In addition it turned out that /usr/lib/tmpfiles.d/opencryptoki.conf
is outdated, because it's overwritten since 3.5+dfsg-2
which prevented the use of the build opencryptoki.conf
and with that the correct handling of /run/opencryptoki.
[ Test Plan ]
* To have a test coverage for the modification it should be verified that:
- a package installation on a pristine system is not affected
(this is more a regression testing, since that worked before)
- re-installation (with and without reboots in between),
since the reported issue popped up after re-installs and reboots.
- upgrades, from former mantic version to this fixed mantic version
and upgrade from lunar to fixed mantic version should be tested
(probably only possible via do-release-upgrade due to the different
libc6 package versions 2.37 vs 2.38, but LP#1880760)
- install libopencryptoki-dev in addition
* After each of the above steps it's needed to check if the pkcsslotd
service is active:
$ systemctl status pkcsslotd
● pkcsslotd.service - Daemon which manages cryptographic hardware tokens for th>
Loaded: loaded (/lib/systemd/system/pkcsslotd.service; enabled; preset: en>
Active: active (running) since Fri 2023-10-20 15:26:05 UTC; 2 days ago
Main PID: 638 (pkcsslotd)
Tasks: 1 (limit: 9577)
Memory: 9.6M
CPU: 2.817s
CGroup: /system.slice/pkcsslotd.service
└─638 /usr/sbin/pkcsslotd
Oct 20 15:26:05 zbox systemd[1]: Starting pkcsslotd.service - Daemon which m>
Oct 20 15:26:05 zbox pkcsslotd[604]: PID File created
Oct 20 15:26:05 zbox systemd[1]: Started pkcsslotd.service - Daemon which ma
* ... and furthermore that it correctly accepts calls, like done by:
$ sudo pkcsconf -t
Token #1 Info:
Label: icatok
Manufacturer: IBM
Model: ICA
Serial Number:
Flags: 0x880045 (RNG|LOGIN_REQUIRED|CLOCK_ON_TOKEN|USER_PIN_TO_BE_CHANGED|SO_PIN_TO_BE_CHANGED)
Sessions: 0/[effectively infinite]
R/W Sessions: 0/[effectively infinite]
PIN Length: 4-8
Public Memory: [information unavailable]/[information unavailable]
Private Memory: [information unavailable]/[information unavailable]
Hardware Version: 0.0
Firmware Version: 0.0
Time: 2023102309540300
URI: pkcs11:manufacturer=IBM;model=ICA;token=icatok
Token #3 Info:
Label: softtok
Manufacturer: IBM
Model: Soft
Serial Number:
Flags: 0x880045 (RNG|LOGIN_REQUIRED|CLOCK_ON_TOKEN|USER_PIN_TO_BE_CHANGED|SO_PIN_TO_BE_CHANGED)
Sessions: 0/[effectively infinite]
R/W Sessions: 0/[effectively infinite]
PIN Length: 4-8
Public Memory: [information unavailable]/[information unavailable]
Private Memory: [information unavailable]/[information unavailable]
Hardware Version: 0.0
Firmware Version: 0.0
Time: 2023102309540300
URI: pkcs11:manufacturer=IBM;model=Soft;token=softtok
* Optionally, an end-to-end test like described in '[ Test Plan ]'
at LP#2018911 could be done (just as regression test, since this worked
well with the existing package).
[ Where problems could occur ]
* The different default /usr/lib/tmpfiles.d/opencryptoki.conf
could lead to unforeseen behavior.
But it was confirmed that it is correct and the e2e test
would be another test.
* The modifications in the postinst and postrm scripts could lead
to problems during install, remove or purge.
But this is covered by the (re-)install and upgrade tests above.
* The test build (done in PPA and available here:
https://launchpad.net/~fheimes/+archive/ubuntu/lp2039783)
was already pre-tested by the person the bug is assigned to
and by the initial bug reporter.
* No opencryptoki code was modified, only the default configuration
(now using what falls out from a default build)
and package meta-data.
[ Other Info ]
* The reported problem affects 23.10, since this includes
opencryptoki 2.21 that comes with pkcsslotd service modifications
(LP#2025922 - 'hardening').
__________
---Problem Description (by Grgo Mariani) ---
Opencryptoki post-installation script fails due to a non-existing directory.
Although the package is shown as installed the missing directory is critical for service running.
Contact Information = grgo.mariani@ibm.com christian.rund@de.ibm.com
---uname output---
Linux SYSTEM 6.5.0-9-generic #9-Ubuntu SMP Fri Oct 6 19:43:35 UTC 2023 s390x s390x s390x GNU/Linux
Machine Type = Manufacturer: IBM Type: 3931 Model: 704 A01
---Debugger---
A debugger is not configured
---Steps to Reproduce---
Install the opencryptoki package and check if the service is running.
root@SYSTEM:~# apt install opencryptoki
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
The following NEW packages will be installed:
opencryptoki
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Need to get 228 kB of archives.
After this operation, 834 kB of additional disk space will be used.
Get:1 http://ports.ubuntu.com/ubuntu-ports mantic/universe s390x opencryptoki s390x 3.21.0+dfsg-0ubuntu1 [228 kB]
Fetched 228 kB in 0s (1,130 kB/s)
Selecting previously unselected package opencryptoki.
(Reading database ... 68397 files and directories currently installed.)
Preparing to unpack .../opencryptoki_3.21.0+dfsg-0ubuntu1_s390x.deb ...
Unpacking opencryptoki (3.21.0+dfsg-0ubuntu1) ...
Setting up opencryptoki (3.21.0+dfsg-0ubuntu1) ...
info: The group `pkcs11' already exists as a system group. Exiting.
info: The system user `pkcsslotd' already exists. Exiting.
info: Adding user `root' to group `pkcs11' ...
chown: cannot access '/run/opencryptoki': No such file or directory
dpkg: error processing package opencryptoki (--configure):
installed opencryptoki package post-installation script subprocess returned error exit status 1
Processing triggers for man-db (2.11.2-3) ...
Errors were encountered while processing:
opencryptoki
needrestart is being skipped since dpkg has failed
E: Sub-process /usr/bin/dpkg returned an error code (1)
root@SYSTEM:~# systemctl status pkcsslotd
Userspace tool common name: opencryptoki
The userspace tool has the following bit modes: 64bit
Userspace rpm: opencryptoki v3.21.0
Userspace tool obtained from project website: na
== Comment: #1 - Ingo Franzki - 2023-10-18 09:26:50 ==
/run/opencryptoki should be created by the package install, but is also created by tmpfiles.d service after every boot, because /run is usually in tmpfs, so it's not persistent across boots. OCK installs a tmpfiles.d config script (/usr/lib/tmpfiles.d/opencryptoki.conf), too.
== Comment: #3 - Ingo Franzki - 2023-10-18 10:13:30 ==
It also seems that Ubuntu's /usr/lib/tmpfiles.d/opencryptoki.conf file has incorrect (outdated?) contents.
It must be ensured that the file as produced by building Opencryptoki (via 'make install') is installed, and not something else/older. |
|
2023-10-24 08:00:11 |
Frank Heimes |
summary |
[UBUNTU 23.10] Opencryptoki package instalation not creating /run/opencryptoki directory |
[UBUNTU 23.10] Opencryptoki package installation not creating /run/opencryptoki directory |
|
2023-10-24 16:18:32 |
Frank Heimes |
attachment added |
|
debdiff_mantic_opencryptoki_from_3.21.0+dfsg-0ubuntu1_to_3.21.0+dfsg-0ubuntu1.1.diff https://bugs.launchpad.net/ubuntu/+source/opencryptoki/+bug/2039783/+attachment/5712935/+files/debdiff_mantic_opencryptoki_from_3.21.0+dfsg-0ubuntu1_to_3.21.0+dfsg-0ubuntu1.1.diff |
|
2023-10-27 15:45:42 |
Ubuntu Archive Robot |
bug |
|
|
added subscriber Frank Heimes |
2023-10-27 15:56:46 |
Timo Aaltonen |
opencryptoki (Ubuntu Mantic): status |
New |
Fix Committed |
|
2023-10-27 15:56:47 |
Timo Aaltonen |
bug |
|
|
added subscriber Ubuntu Stable Release Updates Team |
2023-10-27 15:56:55 |
Timo Aaltonen |
bug |
|
|
added subscriber SRU Verification |
2023-10-27 15:56:57 |
Timo Aaltonen |
tags |
architecture-s39064 bugnameltc-203873 patch severity-high targetmilestone-inin2310 |
architecture-s39064 bugnameltc-203873 patch severity-high targetmilestone-inin2310 verification-needed verification-needed-mantic |
|
2023-10-27 16:16:29 |
Frank Heimes |
ubuntu-z-systems: status |
In Progress |
Fix Committed |
|
2023-10-30 09:09:33 |
bugproxy |
tags |
architecture-s39064 bugnameltc-203873 patch severity-high targetmilestone-inin2310 verification-needed verification-needed-mantic |
architecture-s39064 bugnameltc-203873 patch severity-high targetmilestone-inin2310 |
|
2023-10-30 16:20:47 |
Frank Heimes |
tags |
architecture-s39064 bugnameltc-203873 patch severity-high targetmilestone-inin2310 |
architecture-s39064 bugnameltc-203873 patch severity-high targetmilestone-inin2310 verification-done verification-done-mantic |
|
2023-11-28 23:39:16 |
Launchpad Janitor |
opencryptoki (Ubuntu Mantic): status |
Fix Committed |
Fix Released |
|
2023-11-28 23:39:18 |
Brian Murray |
removed subscriber Ubuntu Stable Release Updates Team |
|
|
|
2023-12-01 17:47:56 |
Frank Heimes |
opencryptoki (Ubuntu): status |
In Progress |
Fix Committed |
|
2023-12-07 22:07:04 |
Launchpad Janitor |
opencryptoki (Ubuntu): status |
Fix Committed |
Fix Released |
|
2023-12-08 07:24:00 |
Frank Heimes |
ubuntu-z-systems: status |
Fix Committed |
Fix Released |
|