• How to fix an update problem with procps

    Lately, updates on Linux systems, and on Ubuntu in particular, can run into a problem with procps that blocks the upgrade of other packages. In this article we look at how to fix this annoying problem quickly.


    When you try to update packages, an error like the following appears, and there is no way around it:
    Code:
    Setting up procps (1:3.2.8-11ubuntu6.1) ...
    start: Job failed to start
    invoke-rc.d: initscript procps, action "start" failed.
    dpkg: error processing procps (--configure):
     subprocess installed post-installation script returned error exit status 1
    Errors were encountered while processing:
     procps
    Reading package lists...
    Building dependency tree...
    Reading state information...
    Suggested packages:
      zip
    The following packages will be upgraded:
      unzip
    1 upgraded, 0 newly installed, 0 to remove and 1 not upgraded.
    1 not fully installed or removed.
    Need to get 193 kB of archives.
    After this operation, 48.1 kB disk space will be freed.
    Get:1 http://archive.ubuntu.com/ubuntu/ precise-updates/main unzip amd64 6.0-4ubuntu2 [193 kB]
    Fetched 193 kB in 0s (4122 kB/s)
    (Reading database ... 47564 files and directories currently installed.)
    Preparing to replace unzip 6.0-4ubuntu1 (using .../unzip_6.0-4ubuntu2_amd64.deb) ...
    Unpacking replacement unzip ...
    Processing triggers for man-db ...
    Setting up procps (1:3.2.8-11ubuntu6.1) ...
    start: Job failed to start
    invoke-rc.d: initscript procps, action "start" failed.
    dpkg: error processing procps (--configure):
     subprocess installed post-installation script returned error exit status 1
    Setting up unzip (6.0-4ubuntu2) ...
    Errors were encountered while processing:
     procps
    E: Sub-process /usr/bin/dpkg returned an error code (1)
    We chose the unzip package to highlight the underlying problem. Now, to find the problems, log in as root and run the following command, which uncovers the problems present on the system:
    Code:
    cat /etc/sysctl.d/*.conf /etc/sysctl.conf | sysctl -p -
    This command passes all the system configuration files to sysctl and saves the parameters permanently. If there are errors, they are listed, for example:
    Code:
    kernel.printk = 4 4 1 7
    net.ipv6.conf.all.use_tempaddr = 2
    net.ipv6.conf.default.use_tempaddr = 2
    error: permission denied on key 'kernel.kptr_restrict'
    net.ipv4.conf.default.rp_filter = 1
    net.ipv4.conf.all.rp_filter = 1
    net.ipv4.tcp_syncookies = 1
    error: "kernel.yama.ptrace_scope" is an unknown key
    vm.mmap_min_addr = 65536
    Then look for the files that contain the faulty keys:
    Code:
    grep -lr kernel.kptr_restrict /etc/*
    grep: /etc/blkid.tab: No such file or directory
    grep: /etc/nologin: No such file or directory
    grep: /etc/ssl/certs/a1539387.0: No such file or directory
    grep: /etc/ssl/certs/16830b73.0: No such file or directory
    /etc/sysctl.d/10-kernel-hardening.conf
    and with the editor we comment out the keys (# at the start of the line) and save, for example:
    Code:
    nano /etc/sysctl.d/10-kernel-hardening.conf
    # These settings are specific to hardening the kernel itself from attack
    # from userspace, rather than protecting userspace from other malicious
    # userspace things.
    #
    #
    # When an attacker is trying to exploit the local kernel, it is often
    # helpful to be able to examine where in memory the kernel, modules,
    # and data structures live. As such, kernel addresses should be treated
    # as sensitive information.
    #
    # Many files and interfaces contain these addresses (e.g. /proc/kallsyms,
    # /proc/modules, etc), and this setting can censor the addresses. A value
    # of "0" allows all users to see the kernel addresses. A value of "1"
    # limits visibility to the root user, and "2" blocks even the root user.
    #kernel.kptr_restrict = 1
    At this point we can update the system with aptitude or apt-get as usual. It may be necessary to repeat this several times until procps has been fully updated.
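
The shell functions below are an added example, not code from the original article. They pull the failed keys out of the sysctl output shown above and report the exact file and line that sets each one, so only that line needs to be commented out. The function names are hypothetical, and the error patterns assume the message format shown in this article's output.

```shell
#!/bin/sh
# Added example (function names are hypothetical, not from the article).

# Read `sysctl -p -` output on stdin and print "<reason> <key>" for each
# key that failed. Patterns assume the error format shown in the article.
failing_keys() {
    sed -n \
        -e "s/^error: permission denied on key '\(.*\)'\$/denied \1/p" \
        -e 's/^error: "\(.*\)" is an unknown key$/unknown \1/p'
}

# Print file:line:text for each active (uncommented) assignment of key $2
# in the *.conf files of directory $1. Returns non-zero if none is found.
locate_key() {
    pat=$(printf '%s' "$2" | sed 's/\./\\./g')   # match dots literally
    grep -Hn "^[[:space:]]*${pat}[[:space:]]*=" "$1"/*.conf 2>/dev/null
}

# Read sysctl output on stdin; for each failed key, show where directory $1
# sets it.
report() {
    failing_keys | while read -r reason key; do
        printf '%s (%s)\n' "$key" "$reason"
        locate_key "$1" "$key" || printf '  not set in %s\n' "$1"
    done
}

# Sample input: lines copied from the error listing in the article.
SAMPLE_OUTPUT=$(cat <<'EOF'
kernel.printk = 4 4 1 7
error: permission denied on key 'kernel.kptr_restrict'
net.ipv4.tcp_syncookies = 1
error: "kernel.yama.ptrace_scope" is an unknown key
vm.mmap_min_addr = 65536
EOF
)

# Real use, as root (sysctl writes its errors to stderr, hence 2>&1):
#   cat /etc/sysctl.d/*.conf /etc/sysctl.conf | sysctl -p - 2>&1 | report /etc/sysctl.d
if [ "$#" -gt 0 ]; then
    printf '%s\n' "$SAMPLE_OUTPUT" | report "$1"
fi
```

A key reported as denied or unknown is a hardening setting that the running kernel did not accept; commenting it out clears the procps error but leaves that protection unapplied.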