julian-klode / sicherboot

Unmaintained systemd-boot integration with secure boot support; consider https://github.com/Foxboron/sbctl instead.

sicherboot postinst script fails on new kernel on artful #4

Closed tdaitx closed 7 years ago

tdaitx commented 7 years ago

Sicherboot postinst script failed to run today with a new kernel in Ubuntu 17.10 (artful, the development release). This is a somewhat new install and this is the first kernel update I got since installing sicherboot.

The error was (see full log on the bottom)

Setting up linux-image-4.10.0-26-generic (4.10.0-26.30) ...
Running depmod.
update-initramfs: deferring update (hook will be called later)
Examining /etc/kernel/postinst.d.
run-parts: executing /etc/kernel/postinst.d/apt-auto-removal 4.10.0-26-generic /boot/vmlinuz-4.10.0-26-generic
run-parts: executing /etc/kernel/postinst.d/dkms 4.10.0-26-generic /boot/vmlinuz-4.10.0-26-generic
run-parts: executing /etc/kernel/postinst.d/dracut 4.10.0-26-generic /boot/vmlinuz-4.10.0-26-generic
sicherboot: Installing 4.10.0-26-generic to ESP
objcopy: cannot open: /boot//initrd.img-4.10.0-26-generic: No such file or directory
run-parts: /etc/kernel/postinst.d/dracut exited with return code 1
Failed to process /etc/kernel/postinst.d at /var/lib/dpkg/info/linux-image-4.10.0-26-generic.postinst line 1052.
dpkg: error processing package linux-image-4.10.0-26-generic (--configure):
 subprocess installed post-installation script returned error exit status 2

This is caused by a missing initrd.img for the kernel. The initramfs update is postponed as it is called from the /etc/kernel/postinst.d/initramfs-tools script, which is called after dracut (alphabetical order).

To solve it I had to remove the sicherboot call from the dracut script and move it to a zz-update-sicherboot (following grub's naming):

--- /etc/kernel/postinst.d/dracut.orig
+++ /etc/kernel/postinst.d/dracut
@@ -9,7 +9,3 @@
 if [ -e /etc/kernel/postinst.d/dracut.SecureBoot ]; then
     /etc/kernel/postinst.d/dracut.SecureBoot "$@"
 fi
-
-echo "sicherboot: Installing $1 to ESP"
-
-sicherboot install-kernel "$1"
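
Review bot: with the `sicherboot install-kernel "$1"` call removed from the end of this hook, nothing in this file installs the kernel to the ESP any more, so the removal is only safe if the zz-update-sicherboot file from the next part of the patch lands together with it. A short comment at the bottom of the hook pointing to zz-update-sicherboot would help, since this file is still the one that wraps dracut.SecureBoot for sicherboot.
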
--- /dev/null
+++ /etc/kernel/postinst.d/zz-update-sicherboot
@@ -0,0 +1,6 @@
+#!/bin/sh
+set -e
+
+echo "sicherboot: Installing $1 to ESP"
+
+sicherboot install-kernel "$1"
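
Review bot: the new script runs `sicherboot install-kernel "$1"` under `set -e` with no guard, so if the sicherboot binary is absent while this file remains in /etc/kernel/postinst.d, every later kernel install will fail in this hook. Suggest an early `command -v sicherboot >/dev/null || exit 0`, plus a check that the initrd for `$1` exists before the call, since a missing initrd is what produced the objcopy error in the log above.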

After that the new install was successful:

Setting up linux-image-4.10.0-26-generic (4.10.0-26.30) ...
Running depmod.
update-initramfs: deferring update (hook will be called later)
Not updating initrd symbolic links since we are being updated/reinstalled 
(4.10.0-26.30 was configured last, according to dpkg)
Not updating image symbolic links since we are being updated/reinstalled 
(4.10.0-26.30 was configured last, according to dpkg)
Examining /etc/kernel/postinst.d.
run-parts: executing /etc/kernel/postinst.d/apt-auto-removal 4.10.0-26-generic /boot/vmlinuz-4.10.0-26-generic
run-parts: executing /etc/kernel/postinst.d/dkms 4.10.0-26-generic /boot/vmlinuz-4.10.0-26-generic
run-parts: executing /etc/kernel/postinst.d/dracut 4.10.0-26-generic /boot/vmlinuz-4.10.0-26-generic
run-parts: executing /etc/kernel/postinst.d/initramfs-tools 4.10.0-26-generic /boot/vmlinuz-4.10.0-26-generic
update-initramfs: Generating /boot/initrd.img-4.10.0-26-generic
run-parts: executing /etc/kernel/postinst.d/unattended-upgrades 4.10.0-26-generic /boot/vmlinuz-4.10.0-26-generic
run-parts: executing /etc/kernel/postinst.d/update-notifier 4.10.0-26-generic /boot/vmlinuz-4.10.0-26-generic
run-parts: executing /etc/kernel/postinst.d/x-grub-legacy-ec2 4.10.0-26-generic /boot/vmlinuz-4.10.0-26-generic
Searching for GRUB installation directory ... found: /boot/grub
Searching for default file ... found: /boot/grub/default
Testing for an existing GRUB menu.lst file ... found: /boot/grub/menu.lst
Searching for splash image ... none found, skipping ...
Found kernel: /boot/vmlinuz-4.10.0-26-generic
Found kernel: /boot/vmlinuz-4.10.0-22-generic
Found kernel: /boot/vmlinuz-4.10.0-21-generic
Found kernel: /boot/vmlinuz-4.10.0-26-generic
Found kernel: /boot/vmlinuz-4.10.0-22-generic
Found kernel: /boot/vmlinuz-4.10.0-21-generic
Updating /boot/grub/menu.lst ... done

run-parts: executing /etc/kernel/postinst.d/zz-update-bootctl 4.10.0-26-generic /boot/vmlinuz-4.10.0-26-generic
run-parts: executing /etc/kernel/postinst.d/zz-update-grub 4.10.0-26-generic /boot/vmlinuz-4.10.0-26-generic
Generating grub configuration file ...
Warning: Setting GRUB_TIMEOUT to a non-zero value when GRUB_HIDDEN_TIMEOUT is set is no longer supported.
Found linux image: /boot/vmlinuz-4.10.0-26-generic
Found initrd image: /boot/initrd.img-4.10.0-26-generic
Found linux image: /boot/vmlinuz-4.10.0-22-generic
Found initrd image: /boot/initrd.img-4.10.0-22-generic
Found linux image: /boot/vmlinuz-4.10.0-21-generic
Found initrd image: /boot/initrd.img-4.10.0-21-generic
Adding boot menu entry for EFI firmware configuration
done
run-parts: executing /etc/kernel/postinst.d/zz-update-sicherboot 4.10.0-26-generic /boot/vmlinuz-4.10.0-26-generic

The full error log is

Performing actions...
(Reading database ... 200348 files and directories currently installed.)
Preparing to unpack .../linux-image-4.10.0-26-generic_4.10.0-26.30_amd64.deb ...
Done.
Unpacking linux-image-4.10.0-26-generic (4.10.0-26.30) ...
Selecting previously unselected package linux-firmware.
Preparing to unpack .../linux-firmware_1.167_all.deb ...
Unpacking linux-firmware (1.167) ...
Selecting previously unselected package linux-image-generic.
Preparing to unpack .../linux-image-generic_4.10.0.26.28_amd64.deb ...
Unpacking linux-image-generic (4.10.0.26.28) ...
Selecting previously unselected package linux-generic.
Preparing to unpack .../linux-generic_4.10.0.26.28_amd64.deb ...
Unpacking linux-generic (4.10.0.26.28) ...
Preparing to unpack .../thermald_1.6.0-4_amd64.deb ...
Unpacking thermald (1.6.0-4) ...
Processing triggers for ureadahead (0.100.0-19) ...
Setting up thermald (1.6.0-4) ...
Setting up linux-image-4.10.0-26-generic (4.10.0-26.30) ...
Running depmod.
update-initramfs: deferring update (hook will be called later)
Examining /etc/kernel/postinst.d.
run-parts: executing /etc/kernel/postinst.d/apt-auto-removal 4.10.0-26-generic /boot/vmlinuz-4.10.0-26-generic
run-parts: executing /etc/kernel/postinst.d/dkms 4.10.0-26-generic /boot/vmlinuz-4.10.0-26-generic
run-parts: executing /etc/kernel/postinst.d/dracut 4.10.0-26-generic /boot/vmlinuz-4.10.0-26-generic
sicherboot: Installing 4.10.0-26-generic to ESP
objcopy: cannot open: /boot//initrd.img-4.10.0-26-generic: No such file or directory
run-parts: /etc/kernel/postinst.d/dracut exited with return code 1
Failed to process /etc/kernel/postinst.d at /var/lib/dpkg/info/linux-image-4.10.0-26-generic.postinst line 1052.
dpkg: error processing package linux-image-4.10.0-26-generic (--configure):
 subprocess installed post-installation script returned error exit status 2
Processing triggers for systemd (233-8ubuntu2) ...
Processing triggers for man-db (2.7.6.1-2) ...
Processing triggers for dbus (1.10.18-1ubuntu2) ...
dpkg: dependency problems prevent configuration of linux-image-generic:
 linux-image-generic depends on linux-image-4.10.0-26-generic; however:
  Package linux-image-4.10.0-26-generic is not configured yet.
 linux-image-generic depends on linux-image-extra-4.10.0-26-generic; however:
  Package linux-image-extra-4.10.0-26-generic is not installed.

dpkg: error processing package linux-image-generic (--configure):
 dependency problems - leaving unconfigured
No apport report written because the error message indicates its a followup error from a previous failure.
Setting up linux-firmware (1.167) ...
update-initramfs: Generating /boot/initrd.img-4.10.0-22-generic
warning: data remaining[50002432 vs 50010712]: gaps between PE/COFF sections?
update-initramfs: Generating /boot/initrd.img-4.10.0-21-generic
warning: data remaining[49989632 vs 49997912]: gaps between PE/COFF sections?
dpkg: dependency problems prevent configuration of linux-generic:
 linux-generic depends on linux-image-generic (= 4.10.0.26.28); however:
  Package linux-image-generic is not configured yet.

dpkg: error processing package linux-generic (--configure):
 dependency problems - leaving unconfigured
No apport report written because the error message indicates its a followup error from a previous failure.
Errors were encountered while processing:
 linux-image-4.10.0-26-generic
 linux-image-generic
 linux-generic
E: Sub-process /usr/bin/dpkg returned an error code (1)
Setting up linux-image-4.10.0-26-generic (4.10.0-26.30) ...
Running depmod.
update-initramfs: deferring update (hook will be called later)
The link /initrd.img is a dangling linkto /boot/initrd.img-4.10.0-26-generic
vmlinuz(/boot/vmlinuz-4.10.0-26-generic
) points to /boot/vmlinuz-4.10.0-26-generic
 (/boot/vmlinuz-4.10.0-26-generic) -- doing nothing at /var/lib/dpkg/info/linux-image-4.10.0-26-generic.postinst line 491.
Examining /etc/kernel/postinst.d.
run-parts: executing /etc/kernel/postinst.d/apt-auto-removal 4.10.0-26-generic /boot/vmlinuz-4.10.0-26-generic
run-parts: executing /etc/kernel/postinst.d/dkms 4.10.0-26-generic /boot/vmlinuz-4.10.0-26-generic
run-parts: executing /etc/kernel/postinst.d/dracut 4.10.0-26-generic /boot/vmlinuz-4.10.0-26-generic
sicherboot: Installing 4.10.0-26-generic to ESP
objcopy: cannot open: /boot//initrd.img-4.10.0-26-generic: No such file or directory
run-parts: /etc/kernel/postinst.d/dracut exited with return code 1
Failed to process /etc/kernel/postinst.d at /var/lib/dpkg/info/linux-image-4.10.0-26-generic.postinst line 1052.
dpkg: error processing package linux-image-4.10.0-26-generic (--configure):
 subprocess installed post-installation script returned error exit status 2
dpkg: dependency problems prevent configuration of linux-image-generic:
 linux-image-generic depends on linux-image-4.10.0-26-generic; however:
  Package linux-image-4.10.0-26-generic is not configured yet.
 linux-image-generic depends on linux-image-extra-4.10.0-26-generic; however:
  Package linux-image-extra-4.10.0-26-generic is not installed.

dpkg: error processing package linux-image-generic (--configure):
 dependency problems - leaving unconfigured
dpkg: dependency problems prevent configuration of linux-generic:
 linux-generic depends on linux-image-generic (= 4.10.0.26.28); however:
  Package linux-image-generic is not configured yet.

dpkg: error processing package linux-generic (--configure):
 dependency problems - leaving unconfigured
Errors were encountered while processing:
 linux-image-4.10.0-26-generic
 linux-image-generic
 linux-generic

julian-klode commented 7 years ago

Hmm, not sure what to do here. There's a reason it hijacked the dracut file - dracut does not support hooks.

But then I'm confused - how can you have both dracut and initramfs-tools installed? Both create an initramfs, and for dracut we hack around the missing hook, while for initramfs-tools it's done as an initramfs-tools hook.

julian-klode commented 7 years ago

Ah, I see, you probably don't have dracut - the dracut hack does not check if dracut is actually installed.

tdaitx commented 7 years ago

Indeed, I don't have it installed.

$ ls -l /etc/kernel/postinst.d/dracut*
-rwxr-xr-x 1 root root 262 Jul  5 16:45 /etc/kernel/postinst.d/dracut
$ dpkg -S /etc/kernel/postinst.d/dracut 
diversion by sicherboot from: /etc/kernel/postinst.d/dracut
diversion by sicherboot to: /etc/kernel/postinst.d/dracut.SecureBoot
sicherboot: /etc/kernel/postinst.d/dracut

Then maybe the right way is to modify how sicherboot gets called from the dracut postinst script, how about this:

--- /etc/kernel/postinst.d/dracut.orig  2017-07-05 17:30:23.944058660 -0300
+++ /etc/kernel/postinst.d/dracut   2017-07-06 12:39:12.950788522 -0300
@@ -5,10 +5,11 @@

 set -e

-# Run the real dracut first if it exists
-if [ -e /etc/kernel/postinst.d/dracut.SecureBoot ]; then
-    /etc/kernel/postinst.d/dracut.SecureBoot "$@"
-fi
+# Do nothing if the diverted dracut does not exist
+[ -e /etc/kernel/postinst.d/dracut.SecureBoot ] || exit 0
+
+# Run the real dracut first
+/etc/kernel/postinst.d/dracut.SecureBoot "$@"

 echo "sicherboot: Installing $1 to ESP"
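
Review bot: the new `[ -e /etc/kernel/postinst.d/dracut.SecureBoot ] || exit 0` guard keys on the diverted hook file rather than on dracut itself, so it gives the wrong answer whenever that file is present but dracut is not generating the initramfs. It also tests `-e` and then executes the file on the following line under `set -e`, which fails the whole kernel postinst if the file exists but is not executable. Suggest testing `-x` here and additionally checking for the dracut binary before the sicherboot call.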

julian-klode commented 7 years ago

No, that would be the wrong fix, it breaks on removed, but not purged dracut. I think I should divert /usr/bin/dracut, and not the kernel install hook, I'm not entirely sure why I did what I did.

A more correct fix is to look for /usr/bin/dracut, but there are some other cases where dracut does not generate the initramfs.

ghost commented 6 years ago

First of all thanks for this great tool! Unfortunately this issue isn't fixed.

The problem is scripts in /etc/kernel/postinst.d/ are executed in alphabetical order which means /etc/kernel/postinst.d/dracut is executed before /etc/kernel/postinst.d/initramfs-tools. That means sicherboot will be executed before initramfs is created which obviously fails.

As a solution, the dracut hook should be renamed to zz-dracut or something like that.
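
The ordering problem discussed in this thread, as an added example that is not part of the original issue or of sicherboot's code: a check that lists hook names the way run-parts orders them and tests whether the signing hook runs after the hook that generates the initramfs. The function names and the sample directory are constructed for illustration, and it assumes run-parts is invoked with its default naming rules (no `--lsbsysinit` or `--regex`).

```shell
#!/bin/sh
# Added example: order of kernel postinst hooks as run-parts would run them.

# Print hook names from directory $1 in run-parts order. run-parts only
# considers names made entirely of [A-Za-z0-9_-] and sorts them in the
# C locale. It also requires the executable bit, which is not checked here.
hooks_in_run_order() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        name=${f##*/}
        case $name in
            *[!A-Za-z0-9_-]*) continue ;;   # e.g. dracut.SecureBoot, dracut.orig
        esac
        printf '%s\n' "$name"
    done | LC_ALL=C sort
}

# Succeed only if hook $2 (the signer) runs after hook $3 (the initrd producer).
runs_after() {
    order=$(hooks_in_run_order "$1")
    later=$(printf '%s\n' "$order" | grep -n -x -F -- "$2" | cut -d: -f1)
    earlier=$(printf '%s\n' "$order" | grep -n -x -F -- "$3" | cut -d: -f1)
    [ -n "$later" ] && [ -n "$earlier" ] && [ "$later" -gt "$earlier" ]
}

# Constructed sample: hook names taken from the logs in this issue.
make_sample_dir() {
    d=$(mktemp -d)
    for n in apt-auto-removal dkms dracut dracut.SecureBoot \
             initramfs-tools zz-update-grub zz-update-sicherboot; do
        printf '#!/bin/sh\n' > "$d/$n"
    done
    printf '%s\n' "$d"
}

sample=$(make_sample_dir)
hooks_in_run_order "$sample"
runs_after "$sample" dracut initramfs-tools \
    || echo "dracut hook runs before initramfs-tools: initrd not built yet"
runs_after "$sample" zz-update-sicherboot initramfs-tools \
    && echo "zz-update-sicherboot runs after initramfs-tools"
rm -rf "$sample"
```

On a real system the same functions can be pointed at /etc/kernel/postinst.d; the name filter also shows why the diverted `dracut.SecureBoot` file is never started by run-parts itself.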