turnkeylinux / tracker

TurnKey Linux Tracker
https://www.turnkeylinux.org

Automated 'grub-pc' security update failing on some platforms. #1579

Open JedMeister opened 3 years ago

JedMeister commented 3 years ago

Issue:

Automatic security update of grub-pc package fails.

Affects:

All AMI (AWS EC2), OVA & VMDK v16.x appliances released to date. ISO & LXC/Proxmox builds are NOT affected.

Severity:

PITA - This issue means that the recent grub-pc package update isn't installed (and thus remains vulnerable) on TurnKey v16.x systems. On face value that doesn't sound good. But it's not as bad as it sounds... Of the 7 CVEs patched by the grub-pc security update, only CVE-2021-20233 appears to be relevant to TurnKey users. And that one relates to USB... (For full details, please see Debian Security Advisory DSA-4867-1).


I will provide further details about the issue below (scroll down to "What the issue looks like"), but first I'll post what to do:

To resolve - or check if you're ok (simplified)

Log into your server as root (or admin for AWSMP users). Then manually ensure that there are no broken packages:

apt install --fix-broken

(AWSMP users will need to prefix sudo.)

If it responds like this:

Reading package lists... Done
Building dependency tree       
Reading state information... Done
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.

Then you are NOT AFFECTED and you can safely ignore the rest of this post.

If you have been hit with this issue, then it will interactively ask you where to install grub (the default bootloader). First you should see this screen:

Screenshot from 2021-03-16 16-56-46

As that text notes, there is no harm in installing it in places it doesn't need to be. But to ensure that this (and any future grub updates) are installed to the correct place, it is important that it is installed where it needs to be.

As part of the build process, we always install grub to the primary (and only) disk image that contains TurnKey Linux. In the case of OVA/VMDK builds that should be /dev/sda; in the case of our AMI (AWS EC2 instance) that should be /dev/xvda.

The next screen will ask you to select where to install (OVA/VMDK):

Screenshot from 2021-03-16 16-58-01

Assuming that you haven't added any additional volumes, then you only need to install to /dev/sda in OVA/VMDK, or /dev/xvda in AMI (AWS EC2). If you have additional permanent volumes in use on your server, then unless you are 100% sure which is which, please don't hesitate to install to all disks. It's important to note that if you have ANY DOUBT at all, please install it everywhere you can!

To select the relevant places to install grub, please use the arrow keys to move up & down the list, space to select/deselect the individual options and tab to move between the list and the "Ok". Here's what OVA users might expect after selecting /dev/sda:

Screenshot from 2021-03-16 16-58-40

Once you click Ok, it will go about installing grub to the relevant place. Please note that any of the following warnings/errors can safely be ignored:

What the issue looks like

It can be confirmed to exist if either you have been getting emails that look like this:

CRON-APT RUN [/etc/cron-apt/config]: Tue Mar 9 20:50:01 UTC 2021
CRON-APT SLEEP: 2699, Tue Mar 9 21:35:00 UTC 2021
CRON-APT ACTION: 5-install
CRON-APT LINE: /usr/bin/apt-get -o quiet=1 dist-upgrade -q -y -o APT::Get::Show-Upgraded=true -o Dir::Etc::sourcelist=/etc/apt/sources.list.d/security.sources.list -o Dir::Etc::sourceparts=nonexistent -o DPkg::Options::=--force-confdef -o DPkg::Options::=--force-confold
Setting up grub-pc (2.02+dfsg1-20+deb10u4) ...
You must correct your GRUB install devices before proceeding:
 DEBIAN_FRONTEND=dialog dpkg --configure grub-pc
 dpkg --configure -a
dpkg: error processing package grub-pc (--configure):
installed grub-pc package post-installation script subprocess returned error exit status 1
Errors were encountered while processing:
grub-pc
E: Sub-process /usr/bin/dpkg returned an error code (1)

Or perhaps, if you're not getting the emails, when you log in via SSH you will see a message at the bottom of the MOTD (message of the day - the message you see when you first log in) saying "You have mail". If you check your mail (e.g. for the root user: cat /var/mail/root) then you will see the above message.

If you didn't get the email, then that's a separate issue. Please get in touch and we can discuss that further...

OnGle commented 3 years ago

@JedMeister status on this bug?

JedMeister commented 3 years ago

@OnGle - this is still an issue...

The essence is that unless the user installs from ISO, the grub install location is not configured. When grub updates occur, grub does not know where to install to, which will cause the error. The workaround is fairly straightforward: pre-seed the grub install location.

E.g. on an AWS EC2 instance:

debconf-set-selections <<< "grub-pc grub-pc/install_devices multiselect /dev/xvda"

Or for an OVA/VMDK VM:

debconf-set-selections <<< "grub-pc grub-pc/install_devices multiselect /dev/sda"

To fix/close this issue, this needs to be done within buildtasks.

lzadjsf commented 1 year ago

It seems like the grub installer cannot work with symbolic links.

[image]

After applying the recommendation from the previous comment, it installed without any issue.

Before, it was as shown in the screenshot below:

[image]
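The thread above spells out three pieces of a non-interactive fix: check whether grub-pc is actually stuck (the apt install --fix-broken test in the first post), pre-seed grub-pc/install_devices with the real disk before dpkg re-runs the postinst (JedMeister's debconf-set-selections workaround), and make sure that disk is a canonical /dev/... node rather than a symlink (lzadjsf's observation). The script below is an added example that stitches those together; it is not TurnKey's code and not what buildtasks does. It assumes (not stated in the thread) that the root filesystem lives on a plain partition of a single sd*/xvd*/vd*/nvme* disk, with no LVM or RAID, and the dpkg/debconf sample strings it is tested against are constructed, not captured from a real system. Run it with --apply as root (or via sudo) to perform the fix; without --apply it only defines the helper functions.

```shell
#!/bin/sh
# Added example, not TurnKey's own code: pre-seed grub-pc/install_devices with the
# disk holding the root filesystem, then finish the half-done grub-pc configure.
# ASSUMPTIONS (not from the issue thread): root is a plain partition on one
# sd*/xvd*/vd*/nvme* disk (no LVM/RAID). Sample strings in comments are constructed.

# Is grub-pc stuck in the state the cron-apt mail shows?
# Argument: output of   dpkg-query -W -f='${Status}' grub-pc
grub_pc_needs_configure() {
    case "$1" in
        "install ok installed") return 1 ;;   # fully configured: nothing to do
        "install ok "*)         return 0 ;;   # half-configured / unpacked / ...
        *)                      return 1 ;;   # not installed or unknown
    esac
}

# Strip the partition suffix to get the whole-disk node grub must be written to:
#   /dev/sda1 -> /dev/sda   /dev/xvda1 -> /dev/xvda   /dev/nvme0n1p1 -> /dev/nvme0n1
# Whole-disk paths (/dev/xvda, /dev/nvme0n1) are returned unchanged.
parent_disk() {
    case "$1" in
        /dev/nvme*p[0-9]*) printf '%s\n' "${1%p[0-9]*}" ;;
        /dev/nvme*)        printf '%s\n' "$1" ;;
        /dev/*[0-9])       printf '%s\n' "$1" | sed 's/[0-9]*$//' ;;
        *)                 printf '%s\n' "$1" ;;
    esac
}

# Resolve symlinks (e.g. /dev/disk/by-id/...) first, since grub-pc's postinst
# chokes on them, then reduce to the parent disk.
canonical_disk() {
    parent_disk "$(readlink -f "$1")"
}

# Current answer to grub-pc/install_devices, read from stdin fed by
#   debconf-show grub-pc
# Prints nothing when the question was never answered (the AMI/OVA case here).
install_devices_from_debconf() {
    sed -n 's/^\*\{0,1\} *grub-pc\/install_devices: *//p'
}

# The debconf pre-seed line from JedMeister's workaround, for an arbitrary disk.
preseed_line() {
    printf 'grub-pc grub-pc/install_devices multiselect %s\n' "$1"
}

main() {
    status=$(dpkg-query -W -f='${Status}' grub-pc 2>/dev/null || true)
    if ! grub_pc_needs_configure "$status"; then
        echo "grub-pc status is '$status': nothing to fix"
        return 0
    fi
    if [ -n "$(debconf-show grub-pc | install_devices_from_debconf)" ]; then
        echo "grub-pc/install_devices already set; finishing configuration"
    else
        root_part=$(findmnt -n -o SOURCE /)          # e.g. /dev/xvda1
        disk=$(canonical_disk "$root_part")
        case "$disk" in
            /dev/sd*|/dev/xvd*|/dev/vd*|/dev/nvme*) ;;
            *)  # LVM/RAID/unknown: refuse to guess, fall back to the dialog.
                echo "root is on $disk; run: DEBIAN_FRONTEND=dialog dpkg --configure grub-pc" >&2
                return 1 ;;
        esac
        echo "pre-seeding grub install device: $disk"
        preseed_line "$disk" | debconf-set-selections
    fi
    dpkg --configure -a
}

if [ "${1:-}" = "--apply" ]; then main; fi
```

The refusal branch is deliberate: on anything other than a simple partition-on-disk layout the script stops and hands you back to the interactive dialog from the first post rather than writing grub to a guessed device. Pre-seeding only sets the debconf answer; the actual write happens when dpkg --configure -a re-runs the grub-pc postinst, which is the same step cron-apt failed at.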