** Description changed:
[Impact]
- * An explanation of the effects of the bug on users and
+ Sometimes, auditd will get stuck when starting up, causing systemd to
+ kill it after a while since it (systemd) never got the start
+ notification.
- * justification for backporting the fix to the stable release.
-
- * In addition, it is helpful, but not required, to include an
- explanation of how the upload fixes this bug.
+ Upstream troubleshooted this to be caused by calling a syslog() function
+ inside a signal handler.
[Test Case]
+ There is no reliable test case to reproduce the bug, other than trying the
fixed packages on an affected system where the hang occurs more frequently.
- * detailed instructions how to reproduce the bug
+ Basically:
+ sudo systemctl stop auditd
+ sudo systemctl start auditd
- * these should allow someone who is not familiar with the affected
- package to reproduce the bug and verify that the updated package fixes
- the problem.
+ should work reliably. Do not run that in a tight loop, however, as that
+ will trigger a it's-restarting-too-frequently failure.
[Where problems could occur]
+ - if auditd fails to start, then the first fallback is syslog, and if that is
not picking up the audit messages, the last resort is the kernel buffer, which
can fill up. In the case it fills up, audit logs will be lost.
- * Think about what the upload changes in the software. Imagine the change is
- wrong or breaks something else: how would this show up?
+ - it's possible to configure the audit system to panic() the machine if
+ audit messages are lost or otherwise not able to be recorded (auditctl
+ -f 2; default is 1 which is printk())
- * It is assumed that any SRU candidate patch is well-tested before
- upload and has a low overall risk of regression, but it's important
- to make the effort to think about what ''could'' happen in the
- event of a regression.
+ - the update restarts auditd as expected. Misconfiguration on very very
+ busy systems could mean that audit logs would be lost during the brief
+ moment the service is restarted. If that's the case, this update would
+ just be one more way to trigger it, but not be the root cause of the
+ problem
- * This must '''never''' be "None" or "Low", or entirely an argument as to why
- your upload is low risk.
+ - this update removes a logging statement that occurs during startup:
- * This both shows the SRU team that the risks have been considered,
- and provides guidance to testers in regression-testing the SRU.
+ ("dispatcher %d reaped", pid)
+
+ It's unlikely, but possible, that some monitoring software could be
+ looking for that message in the logs. It won't be there anymore after
+ this update.
+
[Other Info]
-
- * Anything else you think is useful to include
- * Anticipate questions from users, SRU, +1 maintenance, security teams and
the Technical Board
- * and address these questions in advance
+ The patch is committed upstream and part of the 2.8.5 release, which is
present in Focal and later.
[Original Description]
-
- This happens sometimes when installing auditd on Ubuntu 18.04.2, most
installations work successfully, though. Re-running the install also fixes the
issue, but the failure breaks our automation. The log from the failure looks
like this:
+ This happens sometimes when installing auditd on Ubuntu 18.04.2, most
+ installations work successfully, though. Re-running the install also
+ fixes the issue, but the failure breaks our automation. The log from the
+ failure looks like this:
# apt install auditd
...
Setting up auditd (1:2.8.2-1ubuntu1) ...
Created symlink /etc/systemd/system/multi-user.target.wants/auditd.service →
/lib/systemd/system/auditd.service.
Job for auditd.service failed because a timeout was exceeded.
See "systemctl status auditd.service" and "journalctl -xe" for details.
invoke-rc.d: initscript auditd, action "start" failed.
● auditd.service - Security Auditing Service
Loaded: loaded (/lib/systemd/system/auditd.service; enabled; vendor
preset: enabled)
Active: failed (Result: timeout) since Tue 2019-09-17 18:43:06 UTC; 11ms
ago
Docs: man:auditd(8)
https://github.com/linux-audit/audit-documentation
Process: 9702 ExecStart=/sbin/auditd (code=killed, signal=KILL)
Sep 17 18:40:06 compute-node21 systemd[1]: Starting Security Auditing
Service...
Sep 17 18:40:06 compute-node21 auditd[9703]: Started dispatcher:
/sbin/audispd pid: 9705
Sep 17 18:40:06 compute-node21 audispd[9705]: No plugins found, exiting
Sep 17 18:41:36 compute-node21 systemd[1]: auditd.service: Start operation
timed out. Terminating.
Sep 17 18:43:06 compute-node21 systemd[1]: auditd.service: State
'stop-sigterm' timed out. Killing.
Sep 17 18:43:06 compute-node21 systemd[1]: auditd.service: Killing process
9702 (auditd) with signal SIGKILL.
Sep 17 18:43:06 compute-node21 systemd[1]: auditd.service: Killing process
9703 (auditd) with signal SIGKILL.
Sep 17 18:43:06 compute-node21 systemd[1]: auditd.service: Control process
exited, code=killed status=9
Sep 17 18:43:06 compute-node21 systemd[1]: auditd.service: Failed with result
'timeout'.
Sep 17 18:43:06 compute-node21 systemd[1]: Failed to start Security Auditing
Service.
dpkg: error processing package auditd (--configure):
installed auditd package post-installation script subprocess returned error
exit status 1
** Description changed:
[Impact]
Sometimes, auditd will get stuck when starting up, causing systemd to
kill it after a while since it (systemd) never got the start
notification.
Upstream troubleshooted this to be caused by calling a syslog() function
inside a signal handler.
[Test Case]
There is no reliable test case to reproduce the bug, other than trying the
fixed packages on an affected system where the hang occurs more frequently.
Basically:
sudo systemctl stop auditd
sudo systemctl start auditd
should work reliably. Do not run that in a tight loop, however, as that
will trigger a it's-restarting-too-frequently failure.
[Where problems could occur]
- if auditd fails to start, then the first fallback is syslog, and if that is
not picking up the audit messages, the last resort is the kernel buffer, which
can fill up. In the case it fills up, audit logs will be lost.
- it's possible to configure the audit system to panic() the machine if
audit messages are lost or otherwise not able to be recorded (auditctl
-f 2; default is 1 which is printk())
- the update restarts auditd as expected. Misconfiguration on very very
busy systems could mean that audit logs would be lost during the brief
moment the service is restarted. If that's the case, this update would
just be one more way to trigger it, but not be the root cause of the
problem
+ - similarly, as is usual with updates that restart services, it's
+ possible than an incorrect configuration for auditd is present, but was
+ never loaded before. The restart will load the config, and will fail in
+ such a case.
+
- this update removes a logging statement that occurs during startup:
- ("dispatcher %d reaped", pid)
+ ("dispatcher %d reaped", pid)
It's unlikely, but possible, that some monitoring software could be
looking for that message in the logs. It won't be there anymore after
this update.
-
[Other Info]
The patch is committed upstream and part of the 2.8.5 release, which is
present in Focal and later.
-
[Original Description]
This happens sometimes when installing auditd on Ubuntu 18.04.2, most
installations work successfully, though. Re-running the install also
fixes the issue, but the failure breaks our automation. The log from the
failure looks like this:
# apt install auditd
...
Setting up auditd (1:2.8.2-1ubuntu1) ...
Created symlink /etc/systemd/system/multi-user.target.wants/auditd.service →
/lib/systemd/system/auditd.service.
Job for auditd.service failed because a timeout was exceeded.
See "systemctl status auditd.service" and "journalctl -xe" for details.
invoke-rc.d: initscript auditd, action "start" failed.
● auditd.service - Security Auditing Service
Loaded: loaded (/lib/systemd/system/auditd.service; enabled; vendor
preset: enabled)
Active: failed (Result: timeout) since Tue 2019-09-17 18:43:06 UTC; 11ms
ago
Docs: man:auditd(8)
https://github.com/linux-audit/audit-documentation
Process: 9702 ExecStart=/sbin/auditd (code=killed, signal=KILL)
Sep 17 18:40:06 compute-node21 systemd[1]: Starting Security Auditing
Service...
Sep 17 18:40:06 compute-node21 auditd[9703]: Started dispatcher:
/sbin/audispd pid: 9705
Sep 17 18:40:06 compute-node21 audispd[9705]: No plugins found, exiting
Sep 17 18:41:36 compute-node21 systemd[1]: auditd.service: Start operation
timed out. Terminating.
Sep 17 18:43:06 compute-node21 systemd[1]: auditd.service: State
'stop-sigterm' timed out. Killing.
Sep 17 18:43:06 compute-node21 systemd[1]: auditd.service: Killing process
9702 (auditd) with signal SIGKILL.
Sep 17 18:43:06 compute-node21 systemd[1]: auditd.service: Killing process
9703 (auditd) with signal SIGKILL.
Sep 17 18:43:06 compute-node21 systemd[1]: auditd.service: Control process
exited, code=killed status=9
Sep 17 18:43:06 compute-node21 systemd[1]: auditd.service: Failed with result
'timeout'.
Sep 17 18:43:06 compute-node21 systemd[1]: Failed to start Security Auditing
Service.
dpkg: error processing package auditd (--configure):
installed auditd package post-installation script subprocess returned error
exit status 1
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1848330
Title:
Installing auditd sometimes fails in post-inst
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/audit/+bug/1848330/+subscriptions
--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
