Univention Bugzilla – Bug 54530
Update 4.4 kernel to 4.19
Last modified: 2022-05-03 12:55:18 CEST
We should update the linux kernel to version 4.19 for ucs 4.4-9, since our version 4.9 becomes EOL in 2023.
Started tests with new kernel: All samba tests failed because bind9 didn't start up. The reason was that apparmor was automatically installed and enabled. After removing it, everything was fine.

Mar 11 08:38:48 master091 kernel: [26831.891062] audit: type=1400 audit(1646984328.080:1796): apparmor="DENIED" operation="file_mmap" profile="/usr/sbin/named" name="/usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_10.so" pid=29711 comm="named" requested_mask="m" denied_mask="m" fsuid=0 ouid=0
Mar 11 08:38:48 master091 named[29711]: generating session key for dynamic DNS
Mar 11 08:38:48 master091 named[29711]: sizing zone task pool based on 1 zones
Mar 11 08:38:48 master091 named[29711]: Loading 'samba4.zone' using driver dlopen
Mar 11 08:38:48 master091 kernel: [26831.892143] audit: type=1400 audit(1646984328.084:1797): apparmor="DENIED" operation="mknod" profile="/usr/sbin/named" name="/tmp-iT7HaBOqKe" pid=29711 comm="named" requested_mask="c" denied_mask="c" fsuid=0 ouid=0
Mar 11 08:38:48 master091 named[29711]: dlz_dlopen failed to open library '/usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_10.so' - /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_10.so: failed to map segment from shared object
Mar 11 08:38:48 master091 systemd[1]: bind9.service: Main process exited, code=exited, status=1/FAILURE
Mar 11 08:38:48 master091 named[29711]: dlz_dlopen of 'samba4.zone' failed
Mar 11 08:38:48 master091 named[29711]: SDLZ driver failed to load.
Mar 11 08:38:48 master091 named[29711]: DLZ driver failed to load.
Mar 11 08:38:48 master091 named[29711]: loading configuration: failure
Mar 11 08:38:48 master091 named[29711]: exiting (due to fatal error)
Mar 11 08:38:48 master091 samba4[29712]: rndc: connect failed: 127.0.0.1#953: connection refused
Mar 11 08:38:49 master091 samba4[29712]: rndc: connect failed: 127.0.0.1#953: connection refused
Mar 11 08:38:51 master091 samba4[29712]: rndc: connect failed: 127.0.0.1#953: connection refused
Mar 11 08:38:52 master091 samba4[29712]: rndc: connect failed: 127.0.0.1#953: connection refused
Mar 11 08:38:53 master091 samba4[29712]: rndc: connect failed: 127.0.0.1#953: connection refused
Mar 11 08:38:54 master091 samba4[29712]: rndc: connect failed: 127.0.0.1#953: connection refused
Mar 11 08:38:55 master091 samba4[29712]: rndc: connect failed: 127.0.0.1#953: connection refused
Mar 11 08:38:56 master091 samba4[29712]: rndc: connect failed: 127.0.0.1#953: connection refused
Mar 11 08:38:56 master091 check_nrpe: Remote 10.207.181.86 accepted a Version 3 Packet
Mar 11 08:38:57 master091 samba4[29712]: rndc: connect failed: 127.0.0.1#953: connection refused
Mar 11 08:38:58 master091 samba4[29712]: rndc: connect failed: 127.0.0.1#953: connection refused
After removing apparmor, the tests show no regression. After importing the kernel to 4.4, we should disable apparmor, as we did in UCS 5.0 https://forge.univention.org/bugzilla/show_bug.cgi?id=51786
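The AppArmor denials in the log above can be pulled out of syslog and grouped per profile, which shows exactly which accesses the `/usr/sbin/named` profile refused. This is an added example, not part of the original bug report; the function names are illustrative and the sample input is constructed from the log lines quoted above.

```python
import re
import shlex
from collections import defaultdict

# Constructed sample: the two denial records quoted in the bug comment,
# plus one unrelated syslog line that must be ignored.
SAMPLE_LOG = '''\
Mar 11 08:38:48 master091 kernel: [26831.891062] audit: type=1400 audit(1646984328.080:1796): apparmor="DENIED" operation="file_mmap" profile="/usr/sbin/named" name="/usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_10.so" pid=29711 comm="named" requested_mask="m" denied_mask="m" fsuid=0 ouid=0
Mar 11 08:38:48 master091 named[29711]: Loading 'samba4.zone' using driver dlopen
Mar 11 08:38:48 master091 kernel: [26831.892143] audit: type=1400 audit(1646984328.084:1797): apparmor="DENIED" operation="mknod" profile="/usr/sbin/named" name="/tmp-iT7HaBOqKe" pid=29711 comm="named" requested_mask="c" denied_mask="c" fsuid=0 ouid=0
'''

# type=1400 is the audit record type AppArmor uses in the lines above.
AUDIT_RE = re.compile(r'audit: type=1400 audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): (?P<kv>.*)$')


def parse_denials(text):
    """Return one dict per AppArmor DENIED record found in syslog text."""
    records = []
    for line in text.splitlines():
        m = AUDIT_RE.search(line)
        if not m:
            continue
        # shlex honours the double quotes, so quoted values with spaces survive.
        fields = dict(tok.split('=', 1) for tok in shlex.split(m['kv']) if '=' in tok)
        if fields.get('apparmor') == 'DENIED':
            fields['serial'] = int(m['serial'])
            records.append(fields)
    return records


def summarize(records):
    """Group denials as profile -> sorted list of (operation, denied_mask, name)."""
    by_profile = defaultdict(set)
    for r in records:
        by_profile[r.get('profile', '?')].add(
            (r.get('operation'), r.get('denied_mask'), r.get('name')))
    return {profile: sorted(items) for profile, items in by_profile.items()}


if __name__ == '__main__':
    for profile, denials in summarize(parse_denials(SAMPLE_LOG)).items():
        print(profile)
        for op, mask, name in denials:
            print(f'  {op:10} mask={mask} {name}')
```
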
[4.4-9] c8bfc7c9de feat[linux]: Update to linux-4.19.232-1
 kernel/univention-kernel-image/debian/changelog | 2 +-
 kernel/univention-kernel-image/debian/rules | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

[4.4-9] 106326f738 feat[linux]: Update to linux-4.19.208-1
 kernel/univention-kernel-image/debian/changelog | 6 ++++++
 kernel/univention-kernel-image/debian/rules | 4 ++--
 2 files changed, 8 insertions(+), 2 deletions(-)

[4.4-9] 91b7589988 feat[linux]: Update to linux-4.19.232-1
 kernel/univention-kernel-image/debian/rules | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Package: univention-kernel-image
Version: 12.0.0-11A~4.4.0.202203241819
Branch: ucs_4.4-0
Scope: ucs4.4-9

[4.4-9] dad910d2d7 feat[grub]: Disable apparmor
 base/univention-grub/conffiles/etc/default/grub | 1 +
 base/univention-grub/debian/changelog | 6 ++++++
 2 files changed, 7 insertions(+)

Package: univention-grub
Version: 12.0.0-4A~4.4.0.202203231711
Branch: ucs_4.4-0
Scope: ucs4.4-9

[4.4-9] c09e108af1 feat[kernel]: Update to linux-4.19.232-0
 kernel/univention-kernel-image-signed/debian/changelog | 6 ++++++
 kernel/univention-kernel-image-signed/debian/control | 16 ++++++++--------
 .../vmlinuz-4.19.0-0.bpo.19-amd64.efi.signed | Bin 0 -> 5289680 bytes
 kernel/univention-kernel-image-signed/vmlinuz-4.9.0-18-amd64.efi.signed | Bin 4269680 -> 0 bytes
 4 files changed, 14 insertions(+), 8 deletions(-)

[4.4-9] 88f8b30185 feat[kernel]: Update to linux-4.19.232-19
 kernel/univention-kernel-image-signed/debian/control | 10 +++++-----
 .../vmlinuz-4.19.0-0.bpo.19-amd64.efi.signed | Bin 5289680 -> 0 bytes
 kernel/univention-kernel-image-signed/vmlinuz-4.19.0-19-amd64.efi.signed | Bin 0 -> 5303376 bytes
 3 files changed, 5 insertions(+), 5 deletions(-)

Package: univention-kernel-image-signed
Version: 5.0.0-21A~4.4.0.202203241817
Branch: ucs_4.4-0
Scope: ucs4.4-9

repo-copy-dsc -vcp /mnt/build-storage/upstream/debian/pool/main/l/linux/linux_4.19.232-1.dsc
repo-copy-dsc -vcp /mnt/build-storage/upstream/debian/pool/main/l/linux-signed-i386/linux-signed-i386_4.19.232+1.dsc
repo-copy-dsc -vcp /mnt/build-storage/upstream/debian/pool/main/l/linux-signed-amd64/linux-signed-amd64_4.19.232+1.dsc
[4.4-9] 198a64203f feat[kernel]: Update to linux-4.19.232-19
 .../vmlinuz-4.19.0-19-amd64.efi.signed | Bin 5303376 -> 5301968 bytes
 1 file changed, 0 insertions(+), 0 deletions(-)

Package: univention-kernel-image-signed
Version: 5.0.0-21A~4.4.0.202203251651
Branch: ucs_4.4-0
Scope: ucs4.4-9

QA:
OK: dmesg -H
> secureboot: Secure boot enabled
> Loaded X.509 cert 'Debian Secure Boot CA: 6ccece7e4c6c0d1f6149f3dd27dfcc5cbb419ea1'
> Loaded X.509 cert 'Debian Secure Boot Signer 2021 - linux: 4b6ef5abca669825178e052c84667ccbc0531f8c'
> Loaded UEFI:db cert 'Microsoft Windows Production PCA 2011: a92902398e16c49778cd90f99e4f9ae17c55af53' linked to secondary sys keyring
> Loaded UEFI:db cert 'Microsoft Corporation UEFI CA 2011: 13adbf4309bd82709c8cd54f316ed522988a1bd4' linked to secondary sys keyring
> Loaded UEFI:MokListRT cert 'Univention GmbH: 6e64bb8434167933dc54ad1a1e61862ebafaf74d' linked to secondary sys keyring
OK: amd64 @ kvm OVMF+SB
OK: amd64 @ kvm
OK: i386 @ kvm
OK: amd64.iso
OK: i386.iso
[4.4-9] 64693e1d26 feat[kernel]: Update to linux-4.19.235-20
 kernel/univention-kernel-image-signed/debian/control | 10 +++++-----
 kernel/univention-kernel-image-signed/vmlinuz-4.19.0-19-amd64.efi.signed | Bin 5301968 -> 0 bytes
 kernel/univention-kernel-image-signed/vmlinuz-4.19.0-20-amd64.efi.signed | Bin 0 -> 5301968 bytes
 3 files changed, 5 insertions(+), 5 deletions(-)

Package: univention-kernel-image-signed
Version: 5.0.0-21A~4.4.0.202203281002
Branch: ucs_4.4-0
Scope: ucs4.4-9

[4.4-9] 8cc9d71b5e feat[linux]: Update to linux-4.19.235-1
 kernel/univention-kernel-image/debian/changelog | 6 ++++++
 kernel/univention-kernel-image/debian/rules | 2 +-
 2 files changed, 7 insertions(+), 1 deletion(-)

Package: univention-kernel-image
Version: 12.0.0-12A~4.4.0.202203281007
Branch: ucs_4.4-0
Scope: ucs4.4-9
[4.4-9] f2deef2f18 doc: UCS 4.4-9 release notes
 doc/changelog/changelog-4.4-9.xml | 16 +++++++++++++---
 doc/changelog/release-notes-4.4-9-de.xml | 34 +++++++++++++++++++++++++++++++++-
 doc/changelog/release-notes-4.4-9-en.xml | 32 ++++++++++++++++++++++++++++++++
 3 files changed, 78 insertions(+), 4 deletions(-)
OK: apparmor disabled with univention-grub 12.0.0-4A~4.4.0.202203231711; cat /proc/cmdline | grep apparmor
OK: Install 4.4-9 from DVD
OK: Update from 4.4-8 -> 4.4-9
OK: Update from 4.4-8 -> 4.4-9 with secure boot

Verified
Important change between 4.9 and 4.19: the old `vsyscall` support was disabled because it is deprecated and a security problem: old binaries might crash with SIGSEGV, e.g. bash from UCS-3.2 (Debian-6-Squeeze) will crash: `dmesg` shows this then:
> dpkg-architectu[19649] vsyscall attempted with vsyscall=none ip:ffffffffff600400 cs:33 sp:7ffde8fcbb18 ax:ffffffffff600400 si:0 di:1329530
> dpkg-architectu[19649]: segfault at ffffffffff600400 ip ffffffffff600400 sp 00007ffde8fcbb18 error 15
> Code: Bad RIP value.

`egrep 'vdso|vsyscall' /proc/self/maps` will only list `vdso`, but no `vsyscall`.

Can be re-enabled by adding `vsyscall=emulate` to UCRV `grub/append` and doing a reboot.
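Before re-enabling the legacy page system-wide, it helps to know which processes actually hit it. The sketch below matches the two `dmesg` signatures quoted above and checks a maps listing for a `[vsyscall]` entry. It is an added example, not part of the original bug report; the function names are illustrative and the maps excerpts are constructed with illustrative addresses.

```python
import re

# Constructed samples: the dmesg lines quoted in the comment above, and two
# /proc/<pid>/maps excerpts (illustrative addresses) without and with vsyscall.
DMESG = '''\
dpkg-architectu[19649] vsyscall attempted with vsyscall=none ip:ffffffffff600400 cs:33 sp:7ffde8fcbb18 ax:ffffffffff600400 si:0 di:1329530
dpkg-architectu[19649]: segfault at ffffffffff600400 ip ffffffffff600400 sp 00007ffde8fcbb18 error 15
'''
MAPS_NONE = '''\
7ffd1c5f2000-7ffd1c5f4000 r-xp 00000000 00:00 0    [vdso]
'''
MAPS_EMULATE = MAPS_NONE + '''\
ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0    [vsyscall]
'''

# The fixed x86-64 vsyscall page; the faulting ip in the log above lies inside it.
VSYSCALL_PAGE = range(0xffffffffff600000, 0xffffffffff601000)
ATTEMPT_RE = re.compile(
    r'(?P<comm>\S+)\[(?P<pid>\d+)\]:? vsyscall attempted with vsyscall=none')
SEGV_RE = re.compile(
    r'(?P<comm>\S+)\[(?P<pid>\d+)\]: segfault at [0-9a-f]+ ip (?P<ip>[0-9a-f]+)')


def vsyscall_mapped(maps_text):
    """True if a maps listing contains a [vsyscall] entry (same check as the egrep)."""
    return any(line.rstrip().endswith('[vsyscall]') for line in maps_text.splitlines())


def legacy_vsyscall_users(dmesg_text):
    """Return {(comm, pid): evidence set} for processes that touched the vsyscall page."""
    hits = {}
    for line in dmesg_text.splitlines():
        m = ATTEMPT_RE.search(line)
        if m:
            hits.setdefault((m['comm'], int(m['pid'])), set()).add('attempt')
            continue
        m = SEGV_RE.search(line)
        # Count a segfault only when the instruction pointer is in the vsyscall page.
        if m and int(m['ip'], 16) in VSYSCALL_PAGE:
            hits.setdefault((m['comm'], int(m['pid'])), set()).add('segfault')
    return hits


if __name__ == '__main__':
    print('vsyscall mapped:', vsyscall_mapped(MAPS_NONE))
    for (comm, pid), evidence in legacy_vsyscall_users(DMESG).items():
        print(f'{comm} (pid {pid}): {", ".join(sorted(evidence))}')
```
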