Bug 54530 - (ucs449kernel) Update 4.4 kernel to 4.19
Status: VERIFIED FIXED
Product: UCS
Classification: Unclassified
Component: Kernel
UCS 4.4
Other Linux
: P5 normal (vote)
: UCS 4.4-9
Assigned To: Philipp Hahn
Julia Bremer
Depends on:
Blocks: 53919
Reported: 2022-03-09 19:08 CET by Julia Bremer
Modified: 2022-05-03 12:55 CEST (History)
What kind of report is it?: Release Management
Description Julia Bremer univentionstaff 2022-03-09 19:08:44 CET
We should update the Linux kernel to version 4.19 for UCS 4.4-9, since our version 4.9 becomes EOL in 2023.
Comment 1 Julia Bremer univentionstaff 2022-03-11 08:49:26 CET
Started tests with new kernel:
All samba tests failed because bind9 didn't start up. 
The reason was that apparmor was automatically installed and enabled.
After removing it, everything was fine.

Mar 11 08:38:48 master091 kernel: [26831.891062] audit: type=1400 audit(1646984328.080:1796): apparmor="DENIED" operation="file_mmap" profile="/usr/sbin/named" name="/usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_10.so" pid=29711 comm="named" requested_mask="m" denied_mask="m" fsuid=0 ouid=0
Mar 11 08:38:48 master091 named[29711]: generating session key for dynamic DNS
Mar 11 08:38:48 master091 named[29711]: sizing zone task pool based on 1 zones
Mar 11 08:38:48 master091 named[29711]: Loading 'samba4.zone' using driver dlopen
Mar 11 08:38:48 master091 kernel: [26831.892143] audit: type=1400 audit(1646984328.084:1797): apparmor="DENIED" operation="mknod" profile="/usr/sbin/named" name="/tmp-iT7HaBOqKe" pid=29711 comm="named" requested_mask="c" denied_mask="c" fsuid=0 ouid=0
Mar 11 08:38:48 master091 named[29711]: dlz_dlopen failed to open library '/usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_10.so' - /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_10.so: failed to map segment from shared object
Mar 11 08:38:48 master091 systemd[1]: bind9.service: Main process exited, code=exited, status=1/FAILURE
Mar 11 08:38:48 master091 named[29711]: dlz_dlopen of 'samba4.zone' failed
Mar 11 08:38:48 master091 named[29711]: SDLZ driver failed to load.
Mar 11 08:38:48 master091 named[29711]: DLZ driver failed to load.
Mar 11 08:38:48 master091 named[29711]: loading configuration: failure
Mar 11 08:38:48 master091 named[29711]: exiting (due to fatal error)
Mar 11 08:38:48 master091 samba4[29712]: rndc: connect failed: 127.0.0.1#953: connection refused
Mar 11 08:38:49 master091 samba4[29712]: rndc: connect failed: 127.0.0.1#953: connection refused
Mar 11 08:38:51 master091 samba4[29712]: rndc: connect failed: 127.0.0.1#953: connection refused
Mar 11 08:38:52 master091 samba4[29712]: rndc: connect failed: 127.0.0.1#953: connection refused
Mar 11 08:38:53 master091 samba4[29712]: rndc: connect failed: 127.0.0.1#953: connection refused
Mar 11 08:38:54 master091 samba4[29712]: rndc: connect failed: 127.0.0.1#953: connection refused
Mar 11 08:38:55 master091 samba4[29712]: rndc: connect failed: 127.0.0.1#953: connection refused
Mar 11 08:38:56 master091 samba4[29712]: rndc: connect failed: 127.0.0.1#953: connection refused
Mar 11 08:38:56 master091 check_nrpe: Remote 10.207.181.86 accepted a Version 3 Packet
Mar 11 08:38:57 master091 samba4[29712]: rndc: connect failed: 127.0.0.1#953: connection refused
Mar 11 08:38:58 master091 samba4[29712]: rndc: connect failed: 127.0.0.1#953: connection refused
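An added triage example, not part of the original comment or of Univention's code: it extracts the AppArmor `DENIED` audit records from a syslog excerpt like the one above and counts them per profile, operation and path, so that the denial behind a failing service is visible among the repeated follow-on errors. The function names are hypothetical, and the sample is built from three lines of the log above.

```python
import re
from collections import Counter

# Constructed sample: the two kernel audit records from the log above plus
# one ordinary named line, which must be ignored.
SAMPLE_LOG = """\
Mar 11 08:38:48 master091 kernel: [26831.891062] audit: type=1400 audit(1646984328.080:1796): apparmor="DENIED" operation="file_mmap" profile="/usr/sbin/named" name="/usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_10.so" pid=29711 comm="named" requested_mask="m" denied_mask="m" fsuid=0 ouid=0
Mar 11 08:38:48 master091 named[29711]: Loading 'samba4.zone' using driver dlopen
Mar 11 08:38:48 master091 kernel: [26831.892143] audit: type=1400 audit(1646984328.084:1797): apparmor="DENIED" operation="mknod" profile="/usr/sbin/named" name="/tmp-iT7HaBOqKe" pid=29711 comm="named" requested_mask="c" denied_mask="c" fsuid=0 ouid=0
"""

# Audit fields are key="quoted value" or key=bare_value.
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_denial(line):
    """Return the fields of an AppArmor DENIED audit record, else None."""
    if 'apparmor="DENIED"' not in line:
        return None
    return {key: quoted or bare for key, quoted, bare in FIELD_RE.findall(line)}


def summarize(log_text):
    """Count denials per (profile, operation, name, denied_mask)."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_denial(line)
        if rec:
            counts[(rec.get("profile"), rec.get("operation"),
                    rec.get("name"), rec.get("denied_mask"))] += 1
    return counts


if __name__ == "__main__":
    for (profile, op, name, mask), n in summarize(SAMPLE_LOG).items():
        print(f"{n}x profile={profile} op={op} mask={mask} path={name}")
```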
Comment 2 Julia Bremer univentionstaff 2022-03-14 08:39:17 CET
After removing apparmor, the tests show no regression.
After importing the kernel to 4.4, we should disable apparmor, as we did in UCS 5.0.

https://forge.univention.org/bugzilla/show_bug.cgi?id=51786
Comment 3 Philipp Hahn univentionstaff 2022-03-24 19:39:44 CET
[4.4-9] c8bfc7c9de feat[linux]: Update to linux-4.19.232-1
 kernel/univention-kernel-image/debian/changelog | 2 +-
 kernel/univention-kernel-image/debian/rules     | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

[4.4-9] 106326f738 feat[linux]: Update to linux-4.19.208-1
 kernel/univention-kernel-image/debian/changelog | 6 ++++++
 kernel/univention-kernel-image/debian/rules     | 4 ++--
 2 files changed, 8 insertions(+), 2 deletions(-)
[4.4-9] 91b7589988 feat[linux]: Update to linux-4.19.232-1
 kernel/univention-kernel-image/debian/rules | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Package: univention-kernel-image
Version: 12.0.0-11A~4.4.0.202203241819
Branch: ucs_4.4-0
Scope: ucs4.4-9


[4.4-9] dad910d2d7 feat[grub]: Disable apparmor
 base/univention-grub/conffiles/etc/default/grub | 1 +
 base/univention-grub/debian/changelog           | 6 ++++++
 2 files changed, 7 insertions(+)

Package: univention-grub
Version: 12.0.0-4A~4.4.0.202203231711
Branch: ucs_4.4-0
Scope: ucs4.4-9


[4.4-9] c09e108af1 feat[kernel]: Update to linux-4.19.232-0
 kernel/univention-kernel-image-signed/debian/changelog                    |   6 ++++++
 kernel/univention-kernel-image-signed/debian/control                      |  16 ++++++++--------
 .../vmlinuz-4.19.0-0.bpo.19-amd64.efi.signed                              | Bin 0 -> 5289680 bytes
 kernel/univention-kernel-image-signed/vmlinuz-4.9.0-18-amd64.efi.signed   | Bin 4269680 -> 0 bytes
 4 files changed, 14 insertions(+), 8 deletions(-)
[4.4-9] 88f8b30185 feat[kernel]: Update to linux-4.19.232-19
 kernel/univention-kernel-image-signed/debian/control                      |  10 +++++-----
 .../vmlinuz-4.19.0-0.bpo.19-amd64.efi.signed                              | Bin 5289680 -> 0 bytes
 kernel/univention-kernel-image-signed/vmlinuz-4.19.0-19-amd64.efi.signed  | Bin 0 -> 5303376 bytes
 3 files changed, 5 insertions(+), 5 deletions(-)

Package: univention-kernel-image-signed
Version: 5.0.0-21A~4.4.0.202203241817
Branch: ucs_4.4-0
Scope: ucs4.4-9



repo-copy-dsc -vcp /mnt/build-storage/upstream/debian/pool/main/l/linux/linux_4.19.232-1.dsc
repo-copy-dsc -vcp /mnt/build-storage/upstream/debian/pool/main/l/linux-signed-i386/linux-signed-i386_4.19.232+1.dsc
repo-copy-dsc -vcp /mnt/build-storage/upstream/debian/pool/main/l/linux-signed-amd64/linux-signed-amd64_4.19.232+1.dsc
Comment 4 Philipp Hahn univentionstaff 2022-03-25 17:50:20 CET
[4.4-9] 198a64203f feat[kernel]: Update to linux-4.19.232-19
 .../vmlinuz-4.19.0-19-amd64.efi.signed                              | Bin 5303376 -> 5301968 bytes
 1 file changed, 0 insertions(+), 0 deletions(-)

Package: univention-kernel-image-signed
Version: 5.0.0-21A~4.4.0.202203251651
Branch: ucs_4.4-0
Scope: ucs4.4-9


QA:
OK: dmesg -H
> secureboot: Secure boot enabled
> Loaded X.509 cert 'Debian Secure Boot CA: 6ccece7e4c6c0d1f6149f3dd27dfcc5cbb419ea1'
> Loaded X.509 cert 'Debian Secure Boot Signer 2021 - linux: 4b6ef5abca669825178e052c84667ccbc0531f8c'
> Loaded UEFI:db cert 'Microsoft Windows Production PCA 2011: a92902398e16c49778cd90f99e4f9ae17c55af53' linked to secondary sys keyring
> Loaded UEFI:db cert 'Microsoft Corporation UEFI CA 2011: 13adbf4309bd82709c8cd54f316ed522988a1bd4' linked to secondary sys keyring
> Loaded UEFI:MokListRT cert 'Univention GmbH: 6e64bb8434167933dc54ad1a1e61862ebafaf74d' linked to secondary sys keyring
OK: amd64 @ kvm OVMF+SB
OK: amd64 @ kvm
OK: i386 @ kvm
OK: amd64.iso
OK: i386.iso
Comment 5 Philipp Hahn univentionstaff 2022-03-28 10:14:13 CEST
[4.4-9] 64693e1d26 feat[kernel]: Update to linux-4.19.235-20
 kernel/univention-kernel-image-signed/debian/control                     |  10 +++++-----
 kernel/univention-kernel-image-signed/vmlinuz-4.19.0-19-amd64.efi.signed | Bin 5301968 -> 0 bytes
 kernel/univention-kernel-image-signed/vmlinuz-4.19.0-20-amd64.efi.signed | Bin 0 -> 5301968 bytes
 3 files changed, 5 insertions(+), 5 deletions(-)

Package: univention-kernel-image-signed
Version: 5.0.0-21A~4.4.0.202203281002
Branch: ucs_4.4-0
Scope: ucs4.4-9

[4.4-9] 8cc9d71b5e feat[linux]: Update to linux-4.19.235-1
 kernel/univention-kernel-image/debian/changelog | 6 ++++++
 kernel/univention-kernel-image/debian/rules     | 2 +-
 2 files changed, 7 insertions(+), 1 deletion(-)

Package: univention-kernel-image
Version: 12.0.0-12A~4.4.0.202203281007
Branch: ucs_4.4-0
Scope: ucs4.4-9
Comment 6 Philipp Hahn univentionstaff 2022-03-30 11:48:15 CEST
[4.4-9] f2deef2f18 doc: UCS 4.4-9 release notes
 doc/changelog/changelog-4.4-9.xml        | 16 +++++++++++++---
 doc/changelog/release-notes-4.4-9-de.xml | 34 +++++++++++++++++++++++++++++++++-
 doc/changelog/release-notes-4.4-9-en.xml | 32 ++++++++++++++++++++++++++++++++
 3 files changed, 78 insertions(+), 4 deletions(-)
Comment 7 Erik Damrose univentionstaff 2022-04-11 16:09:42 CEST
OK: apparmor disabled with univention-grub 12.0.0-4A~4.4.0.202203231711; cat /proc/cmdline | grep apparmor
OK: Install 4.4-9 from DVD
OK: Update from 4.4-8 -> 4.4-9
OK: Update from 4.4-8 -> 4.4-9 with secure boot

Verified
Comment 8 Philipp Hahn univentionstaff 2022-05-03 12:55:18 CEST
Important change between 4.9 and 4.19: the old `vsyscall` support was disabled because it is deprecated and a security problem: old binaries might crash with SIGSEGV, e.g. bash from UCS-3.2 (Debian-6-Squeeze) will crash:

`dmesg` shows this then:
> dpkg-architectu[19649] vsyscall attempted with vsyscall=none ip:ffffffffff600400 cs:33 sp:7ffde8fcbb18 ax:ffffffffff600400 si:0 di:1329530
> dpkg-architectu[19649]: segfault at ffffffffff600400 ip ffffffffff600400 sp 00007ffde8fcbb18 error 15
> Code: Bad RIP value.

`egrep 'vdso|vsyscall' /proc/self/maps` will only list `vdso`, but no `vsyscall`.

Can be re-enabled by adding `vsyscall=emulate` to UCRV `grub/append` and doing a reboot.
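An added example, not part of the original comment or of Univention's code: it lists the binaries that hit the disabled vsyscall page, taken from `dmesg` lines like those quoted above, and reports the `vsyscall=` boot setting and whether `[vsyscall]` is mapped, so the affected legacy programs can be identified before deciding on `vsyscall=emulate`. The function names are hypothetical, and the sample is built from the two kernel messages quoted above.

```python
import re

# Constructed sample: the "vsyscall attempted" and segfault lines quoted above.
SAMPLE_DMESG = """\
dpkg-architectu[19649] vsyscall attempted with vsyscall=none ip:ffffffffff600400 cs:33 sp:7ffde8fcbb18 ax:ffffffffff600400 si:0 di:1329530
dpkg-architectu[19649]: segfault at ffffffffff600400 ip ffffffffff600400 sp 00007ffde8fcbb18 error 15
"""

# comm is the task name as the kernel logs it (truncated to 15 characters).
ATTEMPT_RE = re.compile(
    r"(?P<comm>\S+)\[(?P<pid>\d+)\] vsyscall attempted with vsyscall=none "
    r"ip:(?P<ip>[0-9a-f]+)")


def vsyscall_callers(dmesg_text):
    """Return sorted unique (comm, pid, ip) for blocked vsyscall attempts."""
    hits = {(m["comm"], int(m["pid"]), m["ip"])
            for m in ATTEMPT_RE.finditer(dmesg_text)}
    return sorted(hits)


def vsyscall_mode(cmdline):
    """Return the last vsyscall= value on a kernel command line, or None."""
    mode = None
    for token in cmdline.split():
        if token.startswith("vsyscall="):
            mode = token.split("=", 1)[1]
    return mode


def has_vsyscall_page(maps_text):
    """True if a /proc/<pid>/maps listing contains the [vsyscall] mapping."""
    return any(line.rstrip().endswith("[vsyscall]")
               for line in maps_text.splitlines())


if __name__ == "__main__":
    print("blocked callers:", vsyscall_callers(SAMPLE_DMESG))
    with open("/proc/cmdline") as f:
        print("vsyscall= on this boot:", vsyscall_mode(f.read()))
    with open("/proc/self/maps") as f:
        print("[vsyscall] mapped:", has_vsyscall_page(f.read()))
```

A `None` from `vsyscall_mode` means the parameter was not given at boot, so the kernel's built-in default applies.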