Ubuntu
policykit-1 package

package polkitd 124-1 failed to install/upgrade: installed polkitd package post-installation script subprocess returned error exit status 1

Bug #2054716 reported by Brian Murray
104
This bug affects 19 people
Affects Status Importance Assigned to Milestone
policykit-1 (Ubuntu)
Fix Released
High
Nick Rosbrook
Ubuntu ubuntu-24.04-beta
systemd (Ubuntu)
Confirmed
High
Nick Rosbrook

Bug Description

I was working on recreating bug 2054319 and did so by modifying my /etc/apt/sources.list file from jammy to noble and installing polkit and all its dependencies.

bdmurray@clean-jammy-amd64:~$ sudo apt-get install gir1.2-polkit-1.0 libpolkit-agent-1-0:amd64 libpolkit-gobject-1-0:amd64 pkexec policykit-1 polkitd
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
The following packages were automatically installed and are no longer required:
  linux-headers-6.2.0-26-generic linux-headers-6.2.0-36-generic linux-headers-6.5.0-14-generic
  linux-hwe-6.2-headers-6.2.0-26 linux-hwe-6.2-headers-6.2.0-36 linux-hwe-6.5-headers-6.5.0-14 linux-image-6.2.0-26-generic
  linux-image-6.2.0-36-generic linux-image-6.5.0-14-generic linux-modules-6.2.0-26-generic linux-modules-6.2.0-36-generic
  linux-modules-6.5.0-14-generic linux-modules-extra-6.2.0-26-generic linux-modules-extra-6.2.0-36-generic
  linux-modules-extra-6.5.0-14-generic
Use 'sudo apt autoremove' to remove them.
The following additional packages will be installed:
  libc-bin libc-dev-bin libc-devtools libc6 libc6-dbg libc6-dev libduktape207 libgcrypt20 libglib2.0-0 libglib2.0-bin
  libnss-systemd libpam-systemd libsystemd-shared libsystemd0 libudev1 libzstd1 locales systemd systemd-dev systemd-oomd
  systemd-resolved systemd-sysv systemd-timesyncd udev
Suggested packages:
  glibc-doc rng-tools low-memory-monitor polkitd-pkla systemd-container systemd-homed systemd-userdbd systemd-boot
  libqrencode4 libtss2-rc0
Recommended packages:
  libnss-nis libnss-nisplus
The following NEW packages will be installed:
  libduktape207 libsystemd-shared systemd-dev systemd-resolved
The following packages will be upgraded:
  gir1.2-polkit-1.0 libc-bin libc-dev-bin libc-devtools libc6 libc6-dbg libc6-dev libgcrypt20 libglib2.0-0 libglib2.0-bin
  libnss-systemd libpam-systemd libpolkit-agent-1-0 libpolkit-gobject-1-0 libsystemd0 libudev1 libzstd1 locales pkexec
  policykit-1 polkitd systemd systemd-oomd systemd-sysv systemd-timesyncd udev
26 upgraded, 4 newly installed, 0 to remove and 1407 not upgraded.
Need to get 34.9 MB of archives.

ProblemType: Package
DistroRelease: Ubuntu 22.04
Package: polkitd 124-1
ProcVersionSignature: Ubuntu 6.5.0-18.18~22.04.1-generic 6.5.8
Uname: Linux 6.5.0-18-generic x86_64
ApportVersion: 2.20.11-0ubuntu82.5
Architecture: amd64
CasperMD5CheckMismatches: ./boot/grub/grub.cfg
CasperMD5CheckResult: fail
Date: Thu Feb 22 08:46:48 2024
ErrorMessage: installed polkitd package post-installation script subprocess returned error exit status 1
InstallationDate: Installed on 2023-11-02 (112 days ago)
InstallationMedia: Ubuntu 22.04.3 LTS "Jammy Jellyfish" - Release amd64 (20230807.2)
Python3Details: /usr/bin/python3.10, Python 3.10.12, python3-minimal, 3.10.6-1~22.04
PythonDetails: N/A
RebootRequiredPkgs: Error: path contained symlinks.
RelatedPackageVersions:
 dpkg 1.21.1ubuntu2.2
 apt 2.4.11
SourcePackage: policykit-1
Title: package polkitd 124-1 failed to install/upgrade: installed polkitd package post-installation script subprocess returned error exit status 1
UpgradeStatus: No upgrade log present (probably fresh install)

Related branches

~enr0n/ubuntu/+source/policykit-1:lp-2054716
Sebastien Bacher (community): Approve
Diff: 30 lines (+10/-1)
2 files modified
debian/changelog (+9/-0)
debian/polkitd.postinst (+1/-1)
Revision history for this message
Brian Murray (brian-murray) wrote :
Apport retracing service (apport)
tags: removed: need-duplicate-check
Revision history for this message
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in policykit-1 (Ubuntu):
status: New → Confirmed
Brian Murray (brian-murray)
tags: added: cuqa-automated-testing need-duplicate-check
Apport retracing service (apport)
tags: removed: need-duplicate-check
Brian Murray (brian-murray)
Changed in policykit-1 (Ubuntu):
milestone: none → ubuntu-24.04-beta
tags: added: need-duplicate-check rls-nn-incoming
Apport retracing service (apport)
tags: removed: need-duplicate-check
Paride Legovini (paride)
Changed in policykit-1 (Ubuntu):
importance: Undecided → High
Revision history for this message
Sebastien Bacher (seb128) wrote :

The issue is that the new polkitd installs a file
/usr/lib/tmpfiles.d/polkitd.conf
which creates directories owned by the 'polkitd' user

The polkitd user is created by the polkitd postinst maintainer script

But a newer systemd is installed as a part of the upgrade and configured polkitd, which leads to systemd picking up the tmfiles.d config and trying to create the directories, but it errors out since polkitd wasn't configured yet and the corresponding user doesn't exists at this point.

Unsure what the right fix is there? Should the user creation be moved to be done in a preinst instead?

Revision history for this message
Nick Rosbrook (enr0n) wrote :

So the call of:

  systemd-tmpfiles --create || :

in systemd.postinst is an Ubuntu delta from Debian, which was originally introduced in to fix bug 1748147. If a package just lets debhelper generate its systemd-tmpfiles and systemd-sysusers calls (dh_installtmpfiles and dh_installsysusers), then each package's postinst will call systemd-tmpfiles and systemd-sysusers such that *only* configurations shipped by the package are processed.

From a quick investigation, it seems that we might not need the fix for bug 1748147 any longer (calling systemd-tmpfiles --create var.conf after systemd-tmpfiles --create 00rsyslog.conf does not undo the syslog changes). Hence, dropping this call from systemd.postinst might be the right fix.

Revision history for this message
Nick Rosbrook (enr0n) wrote :

Actually, while the delta in systemd.postinst is still likely unnecessary, this should not affect polkitd.postinst. The real error looks like:

Setting up polkitd (124-1) ...
Failed to check if group polkitd already exists: Connection refused

So I am looking into that.

Revision history for this message
Nick Rosbrook (enr0n) wrote :

After the upgrade, I manually run the systemd-sysusers command and see this.

root@j:~# SYSTEMD_LOG_LEVEL=debug systemd-sysusers polkit.conf
Failed to connect to /run/systemd/userdb/io.systemd.DynamicUser: Connection refused
Unable to connect to /run/systemd/userdb/io.systemd.DynamicUser: Connection refused
Failed to connect to /run/systemd/userdb/io.systemd.DynamicUser: Connection refused
Unable to connect to /run/systemd/userdb/io.systemd.DynamicUser: Connection refused
Failed to check if group polkitd already exists: Connection refused

So, the getgrnam() call in systemd-sysusers results in libnss-systemd attempting to make a varlink call to pid1 to check if the group exists as a dynamic group, but the varlink connection setup fails. This appears to go away after a reboot, but not a `systemctl daemon re-exec`.

I have yet to figure out the root cause on the systemd side. However, as a workaround, we could set SYSTEMD_NSS_BYPASS_DYNAMIC=1 when calling systemd-sysusers in polkitd.postinst. This should be safe because the polkitd package is creating a real user/group for polkitd, so a successful check from io.systemd.DynamicUser is irrelevant.

I have prepared a patch with this proposed workaround, but will continue to look into this from the systemd side.

Changed in systemd (Ubuntu):
status: New → Confirmed
assignee: nobody → Nick Rosbrook (enr0n)
importance: Undecided → High
Apport retracing service (apport)
tags: added: noble
Julian Andres Klode (juliank)
tags: removed: rls-nn-incoming
Revision history for this message
Matthew (gromituk) wrote :

I came across this after being offered an upgrade prematurely (which appears to be another bug). Please note #9 in https://answers.launchpad.net/ubuntu/+question/709594 if you are fettling the postinst for polkitd.

Revision history for this message
Sebastien Bacher (seb128) wrote :

Nick uploaded a workaround https://launchpad.net/ubuntu/+source/policykit-1/124-1ubuntu1

Changed in policykit-1 (Ubuntu):
assignee: nobody → Nick Rosbrook (enr0n)
status: Confirmed → Fix Committed
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package policykit-1 - 124-1ubuntu1

---------------
policykit-1 (124-1ubuntu1) noble; urgency=medium

  * polkitd.postinst: call systemd-sysusers with SYSTEMD_NSS_DYNAMIC_BYPASS=1
    This works around an upgrade bug in systemd where nss-systemd cannot
    establish a varlink connection with io.systemd.DynamicUser, hence causing
    the polkitd user/group creation to fail. (LP: #2054716)

 -- Nick Rosbrook <email address hidden> Wed, 13 Mar 2024 14:15:18 -0400

Changed in policykit-1 (Ubuntu):
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.