Automated 'grub-pc' security update failing on some platforms

Issue:

Automatic security update of `grub-pc` package fails.

Affects:

All AMI (AWS EC2), OVA & VMDK v16.x appliances released to date. ISO & LXC/Proxmox builds are NOT affected.

Severity:

PITA - This issue means that the recent `grub-pc` security update isn't installed (so the old, vulnerable version of grub stays in place) on TurnKey v16.x systems. On face value that doesn't sound good, but it's not as bad as it sounds. The 7 CVEs patched by the `grub-pc` update are all flaws in grub's own code (command/config parsing, menu rendering and USB device handling) that an attacker can only reach by already having root access to edit the boot configuration, or by having physical/console access to the machine; their main real-world impact is bypassing UEFI Secure Boot, which `grub-pc` (the legacy BIOS bootloader these images use) does not implement anyway. Of the 7, only CVE-2021-20233 appears to be relevant to TurnKey users at all. (For full details, please see Debian Security Advisory DSA-4867-1.)


I will provide further details about the issue below (scroll down to "What the issue looks like"), but first I'll post what to do:

To resolve - or check if you're ok

Log into your server as `root` (or as `admin` for AWSMP users). Then make sure there are no broken or half-configured packages:

apt install --fix-broken

(AWSMP users will need to prefix the command with `sudo`.)

If it responds like this:

Reading package lists... Done
Building dependency tree       
Reading state information... Done
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.

Then you are NOT AFFECTED and you can safely ignore the rest of this post.

If you have been hit with this issue, then it will interactively ask you where to install `grub` (the default bootloader). First you should see this screen:

As the text on that screen notes, there is no harm in installing grub to disks where it isn't needed. But to make sure that this (and any future grub update) actually lands where the system boots from, it is important that it is installed to the boot disk.

As part of the build process, we always install grub to the primary (and only) disk image that contains TurnKey Linux. In the case of OVA/VMDK builds that should be `/dev/sda`; in the case of our AMI (AWS EC2 instance) that should be `/dev/xvda`.

The next screen will ask you to select where to install (OVA/VMDK):

Assuming that you haven't added any additional volumes, then you only need to install to `/dev/sda` on OVA/VMDK, or `/dev/xvda` on the AMI (AWS EC2). If you have additional permanent volumes attached to your server, then unless you are 100% sure which disk is which, please don't hesitate to install to all of them. If you have ANY DOUBT at all, install it everywhere you can!

To select the relevant places to install grub, use the arrow keys to move up and down the list, space to select/deselect the individual options and tab to move between the list and "Ok". Here is what OVA users might expect after selecting `/dev/sda`:

Once you click Ok, it will go about installing grub to the relevant place. Please note that any of the following warnings/errors can _safely be ignored_:

  • File descriptor 3 (pipe:[xxxxxxx]) leaked on vgs invocation. Parent PID xxxxx: grub-install
  • grub-install: error: unable to identify a filesystem in hostdisk//dev/sda; safety check can't be performed. (or `hostdisk//dev/xvda` for AWS users)
  • grub-install: warning: File system 'ext2' doesn't support embedding.
  • grub-install: warning: Embedding is not possible.  GRUB can only be installed in this setup by using blocklists. However, blocklists are UNRELIABLE and their use is discouraged.
  • grub-install: error: diskfilter writes are not supported.
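The interactive dialog above exists because the `grub-pc` postinst refuses to run `grub-install` until the debconf question `grub-pc/install_devices` names a disk that actually exists, and cron-apt has no terminal to ask on (hence the "You must correct your GRUB install devices" failure). The script below is an added example (it is not from the original post or from TurnKey) that does the same repair without the dialog: it checks whether `grub-pc` is stuck in dpkg's half-configured state (a quicker check than hunting through `/var/mail/root`), works out which whole disk holds the root filesystem, preseeds that answer with `debconf-set-selections`, re-runs `dpkg --configure -a` non-interactively and confirms GRUB's boot code is now in that disk's MBR. It assumes Debian 10 with `grub-pc` installed and that the system boots from the disk carrying `/` (`/dev/sda` on OVA/VMDK, `/dev/xvda` on the AMI); the `nvme` naming branch is an assumption for newer instance types and is not something the post covers. Run it as root with `--repair`; without that flag it only defines the functions.

```shell
#!/bin/sh
# Added example, not part of the original TurnKey post.
# Repairs a half-configured grub-pc without the interactive dialog by
# answering the debconf question the postinst is stuck on
# (grub-pc/install_devices) and re-running the configure step.
# Assumptions: Debian 10 "buster" with grub-pc installed; the system boots
# from the disk that holds the root filesystem (/dev/sda on OVA/VMDK,
# /dev/xvda on the v16.x AMI). The nvme naming is an assumption for newer
# instance types and is not mentioned in the post.
set -u

# dpkg status abbreviation for grub-pc: "ii" when installed and configured,
# "iF" when the postinst failed (the state this issue leaves it in).
grub_pc_state() {
    dpkg-query -W -f='${db:Status-Abbrev}' grub-pc 2>/dev/null | tr -d ' '
}

# Decide from a status abbreviation whether dpkg --configure is still owed.
needs_repair() {
    case "$1" in
        iF|iH|iU) return 0 ;;   # half-configured, half-installed, unpacked
        *)        return 1 ;;
    esac
}

# Map the root partition's kernel name (sda2, xvda1, nvme0n1p1) to the
# whole-disk device grub-install must target.
root_disk_from_partition() {
    part="$1"
    case "$part" in
        nvme*) printf '/dev/%s\n' "${part%p[0-9]*}" ;;
        *)     printf '/dev/%s\n' "${part%%[0-9]*}" ;;
    esac
}

# True when the first sector of $1 carries GRUB's boot code, i.e. the
# MBR was actually (re)written by grub-install.
mbr_has_grub() {
    dd if="$1" bs=512 count=1 2>/dev/null | grep -q GRUB
}

# Preseed the install target and finish configuring every pending package,
# which is exactly what the interactive dialog would have done for the user.
repair_grub_pc() {
    disk="$1"
    printf 'grub-pc grub-pc/install_devices multiselect %s\n' "$disk" \
        | debconf-set-selections
    DEBIAN_FRONTEND=noninteractive dpkg --configure -a
    mbr_has_grub "$disk"
}

main() {
    state=$(grub_pc_state)
    if ! needs_repair "$state"; then
        echo "grub-pc state is '${state:-not installed}'; nothing to do"
        return 0
    fi
    # findmnt prints the block device mounted at /, e.g. /dev/xvda1
    part=$(findmnt -no SOURCE /)
    disk=$(root_disk_from_partition "${part#/dev/}")
    echo "grub-pc is half-configured; installing grub to $disk"
    repair_grub_pc "$disk" && echo "GRUB boot code present in MBR of $disk"
}

# Only act when explicitly asked, so the functions can be sourced or tested.
case "${1:-}" in
    --repair) main ;;
esac
```

If you have extra data volumes attached and are unsure which one the firmware boots, the post's advice still applies: list every disk in the `multiselect` answer (comma-separated) rather than guessing, and let `mbr_has_grub` confirm the one you expected.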

What the issue looks like

You can confirm that you have been affected if you have been getting emails that look like this:

CRON-APT RUN [/etc/cron-apt/config]: Tue Mar 9 20:50:01 UTC 2021
CRON-APT SLEEP: 2699, Tue Mar 9 21:35:00 UTC 2021
CRON-APT ACTION: 5-install
CRON-APT LINE: /usr/bin/apt-get -o quiet=1 dist-upgrade -q -y -o APT::Get::Show-Upgraded=true -o Dir::Etc::sourcelist=/etc/apt/sources.list.d/security.sources.list -o Dir::Etc::sourceparts=nonexistent -o DPkg::Options::=--force-confdef -o DPkg::Options::=--force-confold
Setting up grub-pc (2.02+dfsg1-20+deb10u4) ...
You must correct your GRUB install devices before proceeding:
 DEBIAN_FRONTEND=dialog dpkg --configure grub-pc
 dpkg --configure -a
dpkg: error processing package grub-pc (--configure):
installed grub-pc package post-installation script subprocess returned error exit status 1
Errors were encountered while processing:
grub-pc
E: Sub-process /usr/bin/dpkg returned an error code (1)

Or perhaps if you're not getting the emails, when you log in via SSH, you will see a message at the bottom of the MOTD (message of the day - the message you see when you first log in) saying `You have mail`. If you check your mail (e.g. for the `root` user: `cat /var/mail/root`) then you will see the above message.

If you are affected but never received the above email (i.e. cron-apt's mail isn't reaching you), then that's a separate issue. Please feel free to ask about that below or open a new thread in the support section of the forums and we can discuss it further.

This content is also available as issue #1579 on our Issue Tracker.

If you have any problems, questions or other feedback, please feel free to comment below, or open a new thread in the support section of the forums.

Good luck with it all and I look forward to hearing from you.

Comments

raff33_1430841's picture

This may solve part of my problem.

OscarLS's picture

Hi,

When I update the system it shows me this error:

apt-get update
Hit:1 http://deb.debian.org/debian buster InRelease
Hit:2 http://security.debian.org buster/updates InRelease
Get:3 https://packages.sury.org/php buster InRelease [6823 B] 
Ign:4 http://archive.turnkeylinux.org/debian buster-security InRelease 
Ign:5 http://archive.turnkeylinux.org/debian buster InRelease
Hit:6 http://archive.turnkeylinux.org/debian buster-security Release
Err:3 https://packages.sury.org/php buster InRelease
  The following signatures were invalid: EXPKEYSIG B188E2B695BD4743 DEB.SURY.ORG Automatic 
  Signing Key <deb@sury.org>
Hit:8 http://archive.turnkeylinux.org/debian buster Release
Reading package lists... Done
W: An error occurred during the signature verification. The repository is not updated and the
  previous index files will be used.
  GPG error: https://packages.sury.org/php buster InRelease:
  The following signatures were invalid: EXPKEYSIG B188E2B695BD4743 DEB.SURY.ORG Automatic
  Signing Key <deb@sury.org>
W: Failed to fetch https://packages.sury.org/php/dists/buster/InRelease
 The following signatures were invalid: EXPKEYSIG B188E2B695BD4743 DEB.SURY.ORG Automatic
  Signing Key <deb@sury.org>
W: Some index files failed to download. They have been ignored, or old ones used instead

The system is:

Linux 5.4.34-1-pve #1 SMP PVE 5.4.34-2 (Thu, 07 May 2020 10:02:02 +0200) x86_64

The program is NextCloud.

Jeremy Davis's picture

Hi Oscar - Welcome to TurnKey! :)

First I would highly recommend that you create a user account and subscribe to our (really) low traffic "Security and News Announcements" newsletter (the checkbox is enabled by default when you sign up - so just enter your desired username and email). That way we can send out notifications of any important issues.

Anyway, assuming that you are running TurnKey Linux as a Proxmox LXC container (as it appears to be from your output) then this issue (i.e. the one I'm discussing in this blog post) does not affect you!

Looking at the output you've posted, I assume that you are using a v16.0 release of Nextcloud (note the same applies to ownCloud). (I suspect v16.0 as I see "buster" in your apt output & v16.x is based on Debian Buster). If you want to confirm, (or anyone else reading this who wants to know if this alternate issue affects them), run 'turnkey-version'. It should give output like this:

turnkey-nextcloud-16.0-buster-amd64

or others using 'ownCloud':

turnkey-owncloud-16.0-buster-amd64

(Note the 'nextcloud' (or 'owncloud') is the appliance name; '16.0' is the TurnKey version number & 'buster' is the Debian codename.)

Assuming I'm on the right track here, then the issue you've hit appears to be this bug. Please have a read there for how to address that.

For anyone else hitting a similar issue but on TurnKey v15.x (i.e. your output of turnkey-version is something like ''turnkey-APPLIANCE_NAME-15.X-stretch-amd64" - where APPLIANCE_NAME is likely 'nextcloud' or 'owncloud', but could be another PHP based app & X is a minor version - probably '1' or '2' but could be any integer - and 'stretch' is the Debian Codename) then you'll still need to continue using the sury.org apt repo, but will need to update the key to the current one.

This separate v15.x issue has been discussed in a post in a separate thread. I responded with some additional info that hopefully helps anyone else hitting that old v15.x issue.

ytong22's picture

This might solve my problem with grub.

Brant's picture

Hi

How do I resolve this message?

apt install --fix-broken
Reading package lists... Done
Building dependency tree       
Reading state information... Done
You might want to run 'apt --fix-broken install' to correct these.

Jeremy Davis's picture

Hi Brant.

Is this issue related to this blog post? I.e. fixing the grub package in the auto-updates?

If not, it's best if you start a new thread. If that's the case and you do that, please detail what you are/were trying to achieve when the error occurred. Also, please post the full output not just a bit of it (as it appears you have here).

The short answer is, have you tried to run 'apt install --fix-broken' as the message suggests?

Moshe_Strugano_Blogger's picture

Great post, thank you for sharing

floribabiden's picture

hello,

Thank you so much for sharing this helpful information, it helped me alot

Thanks and regards. :)

Muhammad Hammad Qadir's picture

Dear All,

Thank you very much to all of the developers who are working on such a great thing. It is my request, if anybody has made a TurnKey of a complete Enterprise Level Email Server, which must be a complete email server that can do everything like the Mailcow Email Server or any Enterprise Level server. Really, your efforts are speechless, and again thank you very much.

Waiting for your kind reply.

Hammad

 

Bea Jensen's picture

thanks - this solved my problem with grub.
