Automated 'grub-pc' security update failing on some platforms

Issue:

Automatic security update of `grub-pc` package fails.

Affects:

All AMI (AWS EC2), OVA & VMDK v16.x appliances released to date. ISO & LXC/Proxmox builds are NOT affected.

Severity:

PITA - This issue means that the recent `grub-pc` package update isn't installed (and thus remains vulnerable) on TurnKey v16.x systems. On face value that doesn't sound good. But it's not as bad as it sounds... Of the 7 CVEs patched by the `grub-pc` security update, only CVE-2021-20233 appears to be relevant to TurnKey users. And that one relates to USB... (For full details; please see Debian Security Advisory DSA-4867-1).

I will provide further details about the issue below (scroll down to "What the issue looks like"), but first I'll post what to do:

To resolve - or check if you're ok

Log into your server as `root` (or `admin` for AWSMP users). Then manually ensure that there are no broken packages:

apt install --fix-broken

(AWSMP users, will need to pre-fix `sudo`).

If it responds like this:

Reading package lists... Done
Building dependency tree       
Reading state information... Done
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.

Then you are NOT AFFECTED and you can safely ignore the rest of this post.

If you have been hit with this issue, then it will interactively ask you where to install `grub` (the default bootloader). First you should see this screen:

As that text notes, there is no harm in installing it places it doesn't need to be. But to ensure that this (and any future grub updates) are installed to the correct place it is important that it is installed to where it needs to be.

As part of the build process, we always install grub to the primary (and only) disk image that contains TurnKey Linux. In the case of OVA/VMDK builds that should be `/dev/sda`; in the case of our AMI (AWS EC2 instance) that should be `/dev/xvda`.

The next screen will ask you to select where to install (OVA/VMDK):

Assuming that you haven't added any additional volumes, then you only need to install to `/dev/sda` in OVA/VMDK; or `/dev/xvda` AMI (AWS EC2). If you have additional permanent volumes in use on your server, then unless you are 100% sure which is which, please don't hesitate to install to all disks. It's important to note, that if you have ANY DOUBT at all, please install it everywhere you can!

To select the relevant places to install grub, please use the arrow keys to move up & down the list, space to select/deselect the individual options and tab to move between the list and the "Ok". Here's is what OVA users might expect after selecting `/dev/sda`:

Once you click Ok, it will go about installing grub to the relevant place. Please note that any of the following warnings/errors can _safely be ignored_:

• File descriptor 3 (pipe:[xxxxxxx]) leaked on vgs invocation. Parent PID xxxxx: grub-install

• grub-install: error: unable to identify a filesystem in hostdisk//dev/sda; safety check can't be performed.

• (or `hostdisk//dev/xvda` for AWS users).

• grub-install: warning: File system 'ext2' doesn't support embedding.

• grub-install: warning: Embedding is not possible.  GRUB can only be installed in this setup by using blocklists. However, blocklists are UNRELIABLE and their use is discouraged.

• grub-install: error: diskfilter writes are not supported.

---

What the issue looks like

It can be confirmed to exist if either you have been getting emails that look like this:

CRON-APT RUN [/etc/cron-apt/config]: Tue Mar 9 20:50:01 UTC 2021
CRON-APT SLEEP: 2699, Tue Mar 9 21:35:00 UTC 2021
CRON-APT ACTION: 5-install
CRON-APT LINE: /usr/bin/apt-get -o quiet=1 dist-upgrade -q -y -o APT::Get::Show-Upgraded=true -o Dir::Etc::sourcelist=/etc/apt/sources.list.d/security.sources.list -o Dir::Etc::sourceparts=nonexistent -o DPkg::Options::=--force-confdef -o DPkg::Options::=--force-confold
Setting up grub-pc (2.02+dfsg1-20+deb10u4) ...
You must correct your GRUB install devices before proceeding:
 DEBIAN_FRONTEND=dialog dpkg --configure grub-pc
 dpkg --configure -a
dpkg: error processing package grub-pc (--configure):
installed grub-pc package post-installation script subprocess returned error exit status 1
Errors were encountered while processing:
grub-pc
E: Sub-process /usr/bin/dpkg returned an error code (1)

Or perhaps if you're not getting the emails, when you log in via SSH, you will see a message at the bottom of the MOTD (message of the day - the message you see when you first log in) saying `You have mail`. If you check your mail (e.g. for the `root` user: `cat /var/mail/root`) then you will see the above message.

If you didn't get the above email, then that's a separate issue. Please feel free to ask about that below or open a new thread in the support section of the forums and we can discuss that further...

This content is also available as issue #1579 on our Issue Tracker.

if you have any problems, questions or other feedback, please feel free to comment below, or open a new thread in the support section of the forums.

Good luck with it all and I look forward to hearing from you.