Thanks for reporting this issue. I'm opening it up publicly since it
would be useful for the people who work on the installer to see this.

** Information type changed from Private Security to Public Security

-- 
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to gnome-shell in Ubuntu.
https://bugs.launchpad.net/bugs/1977875

Title:
  Ubuntu Desktop boot hangs absent zeroconf packets and after avahi-daemon purge

Status in gnome-shell package in Ubuntu:
  New

Bug description:
  Our install procedures customarily airgap machines during
  installation, purge unnecessary and irrelevant packages such as avahi-daemon,
  ufw, netplan.io, ModemManager, network-manager, fprintd, etc.,
  configure networking via systemd-networkd, and enable an iptables
  firewall to be in place before the network is up, all before exposing
  any machine to a network for further configuration.

  The iptables rules drop all zeroconf and broadcast traffic for obvious
  security reasons.  The kernel is typically configured to forward
  packets, so these DROP rules are in the mangle table's PREROUTING
  chain, to scrub them before reaching the filter table's INPUT or
  FORWARD chains.  Presumably, this also scrubs such traffic to the
  loopback interface.  INPUT, OUTPUT, and FORWARD rules ACCEPT suitable
  traffic before a default DROP rule in each case.

  We have found the Ubuntu desktop 22.04 boot process to be especially
  fragile.  System boot hangs every time, typically presenting as either
  an ordering cycle or a failure of partition mounts, which may be
  related.  Occasionally, we note that dmesg.service and networkd-dispatcher.service
  fail by reason of time-out.  Often, the last
  message in tty1 is Reached target Host and Network Name Lookups.

  Over the course of weeks, we have debugged our install scripts and
  packet filtering and although the modality is unclear, the cause is an
  absence of zeroconf network traffic or the purge of the avahi-daemon
  package.

  Curiously, none of this configuration has any effect and the boot
  process proceeds normally and as expected so long as a machine's
  Ethernet cables are unplugged.  Once connected, attempts to upgrade a
  system (# apt update && apt upgrade) themselves hang, the machine
  reboots successfully, and then after dpkg --reconfigure -a, the
  attempted reboot hangs as before.

  Ubuntu desktop 20.04 machines do not exhibit this behavior.

  The expectation is that local processes would utilize d-bus or, if ip
  traffic somehow was necessary for local interprocess communication,
  that those processes would rely on name resolution other than
  broadcast traffic.

  Alternatively, the expectation is that the necessity of deliberately
  opening this security vulnerability would be well and conspicuously
  documented, including identifying the processes, ports, protocols,
  sources, destinations, interfaces, sockets, and any IP or MAC address
  so that the traffic can be suitably filtered.

  Persisting avahi-daemon and zeroconf is a non-starter.

  Release:  Ubuntu desktop 22.04 LTS

  Version:  gnome-shell 42.0-2ubuntu1

  Expected behavior:  Boot to gdm3 login prompt.

  Actual behavior:  Consistent boot hang.

  ProblemType: Bug
  DistroRelease: Ubuntu 22.04
  Package: gnome-shell 42.0-2ubuntu1
  ProcVersionSignature: Ubuntu 5.15.0-33.34-generic 5.15.30
  Uname: Linux 5.15.0-33-generic x86_64
  ApportVersion: 2.20.11-0ubuntu82
  Architecture: amd64
  CasperMD5CheckResult: pass
  Date: Tue Jun  7 10:00:18 2022
  DisplayManager: gdm3
  GsettingsChanges:
   
  InstallationDate: Installed on 2022-05-24 (14 days ago)
  InstallationMedia: Ubuntu 22.04 LTS "Jammy Jellyfish" - Release amd64 (20220419)
  ProcEnviron:
   SHELL=/bin/bash
   LANG=en_US.UTF-8
   TERM=xterm-256color
   PATH=(custom, no user)
  RelatedPackageVersions: mutter-common 42.0-3ubuntu2
  SourcePackage: gnome-shell
  UpgradeStatus: No upgrade log present (probably fresh install)

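The report presumes that the mangle PREROUTING DROP rules for zeroconf and broadcast traffic also scrub packets arriving on the loopback interface. Since every packet, including those sent to 127.0.0.1, traverses PREROUTING, a rule without an input-interface restriction does match lo. The following audit script is an added example, not part of the bug report or of any Ubuntu package: it parses iptables-save output and lists the mangle PREROUTING DROP rules that lack a `! -i lo` or `-i <iface>` qualifier. The rule set is constructed for illustration and is not the reporter's configuration.

```python
"""Audit iptables-save output for mangle/PREROUTING DROP rules that
would also match traffic on the loopback interface."""
import shlex

# Constructed sample in iptables-save format (not from the bug report).
SAMPLE_RULES = """\
*mangle
:PREROUTING ACCEPT [0:0]
-A PREROUTING -m addrtype --dst-type MULTICAST -j DROP
-A PREROUTING ! -i lo -m addrtype --dst-type BROADCAST -j DROP
-A PREROUTING -i eth0 -p udp --dport 5353 -j DROP
COMMIT
*filter
:INPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
COMMIT
"""

def parse_table_rules(text, table):
    """Return the '-A ...' rule lines that belong to the given table."""
    rules, current = [], None
    for line in text.splitlines():
        if line.startswith("*"):
            current = line[1:].strip()
        elif line == "COMMIT":
            current = None
        elif current == table and line.startswith("-A "):
            rules.append(line)
    return rules

def rule_touches_loopback(rule):
    """True unless an input-interface match excludes lo ('! -i lo' or
    '-i <some other interface>')."""
    tokens = shlex.split(rule)
    for i, tok in enumerate(tokens):
        if tok == "-i" and i + 1 < len(tokens):
            negated = i > 0 and tokens[i - 1] == "!"
            iface = tokens[i + 1]
            if negated and iface == "lo":
                return False
            if not negated and iface != "lo":
                return False
    return True

def loopback_scrubbing_rules(text):
    """mangle PREROUTING DROP rules that would also drop loopback packets."""
    return [r for r in parse_table_rules(text, "mangle")
            if r.startswith("-A PREROUTING ") and r.endswith("-j DROP")
            and rule_touches_loopback(r)]

if __name__ == "__main__":
    for r in loopback_scrubbing_rules(SAMPLE_RULES):
        print("also drops loopback traffic:", r)
```

Run it against `iptables-save` output from a machine that exhibits the hang; any rule it lists is a candidate for adding `! -i lo` so that loopback multicast or broadcast is left untouched while the rule still scrubs the physical interfaces.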