#!/bin/sh set -e type=$1 preversion=$2 kernel_compare_versions () { verA=$(($(echo "$1" | sed 's/\([0-9]*\)\.\([0-9]*\).*/\1 \* 100 + \2/'))) verB=$(($(echo "$3" | sed 's/\([0-9]*\)\.\([0-9]*\).*/\1 \* 100 + \2/'))) test $verA -$2 $verB } if [ "$type" != abort-upgrade ] then # Load debconf module if available and usable if [ -f /usr/share/debconf/confmodule ] && \ ( [ "$DEBCONF_USE_CDEBCONF" ] || perl -e "" 2>/dev/null ) ; then . /usr/share/debconf/confmodule USE_DEBCONF=1 else USE_DEBCONF= fi # Only change LC_ALL after loading debconf to ensure the debconf templates # are properly localized. export LC_ALL=C fi if [ "$type" != abort-upgrade ] && [ -z "$DPKG_ROOT" ] then # See if LD_LIBRARY_PATH contains the traditional /lib, but not the # multiarch path dirs=$(echo $LD_LIBRARY_PATH | sed 's/:/ /g') for dir in $dirs ; do dir=$(readlink -e $dir || true) case "$dir" in /lib) seen_traditional=1 ;; /lib/x86_64-linux-gnu) seen_multiarch=1 ;; esac done if test -n "$seen_traditional" && test -z "$seen_multiarch" ; then echo echo "LD_LIBRARY_PATH contains the traditional /lib directory," echo "but not the multiarch directory /lib/x86_64-linux-gnu." echo "It is not safe to upgrade the C library in this situation;" echo "please remove the /lib/directory from LD_LIBRARY_PATH and" echo "try again." echo exit 1 fi # glibc kernel version check system=`uname -s` if [ "$system" = "Linux" ] then # sanity checking for the appropriate kernel on each architecture. kernel_ver=`uname -r` case ${DPKG_MAINTSCRIPT_ARCH} in *) # The GNU libc requires a >= 3.2 kernel, found in wheezy kernel_ver_min=3.2 kernel_ver_rec=3.2 ;; esac if kernel_compare_versions "$kernel_ver" lt $kernel_ver_min then if [ "$USE_DEBCONF" ] then db_version 2.0 db_fset glibc/kernel-too-old seen false db_reset glibc/kernel-too-old db_subst glibc/kernel-too-old kernel_ver $kernel_ver_rec db_input critical glibc/kernel-too-old || true db_go db_stop else echo "ERROR: This version of the GNU libc requires kernel version" echo "$kernel_ver_rec or later. Please upgrade your kernel and reboot before installing" echo 'glibc. You may need to use "apt -f install" after reboot to solve dependencies.' echo fi exit 1 fi if kernel_compare_versions "$kernel_ver" lt $kernel_ver_rec then if [ "$USE_DEBCONF" ] then db_version 2.0 db_fset glibc/kernel-not-supported seen false db_reset glibc/kernel-not-supported db_subst glibc/kernel-not-supported kernel_ver $kernel_ver_rec db_input critical glibc/kernel-not-supported || true db_go db_stop else echo "WARNING: This version of the GNU libc requires kernel version" echo "$kernel_ver_rec or later. Older versions might work but are not officially" echo "supported. Please consider upgrading your kernel." echo fi fi elif [ $system = "GNU/kFreeBSD" ] then kernel_ver=`uname -r` kernel_ver_min=8.3 if kernel_compare_versions "$kernel_ver" lt $kernel_ver_min then if [ "$USE_DEBCONF" ] then db_version 2.0 db_version 2.0 db_fset glibc/kernel-too-old seen false db_reset glibc/kernel-too-old db_subst glibc/kernel-too-old kernel_ver $kernel_ver_min db_input critical glibc/kernel-too-old || true db_go db_stop else echo "ERROR: This version of the GNU libc requires kernel version" echo "$kernel_ver_min or later. Please upgrade your kernel and reboot before installing" echo 'glibc. You may need to use "apt -f install" after reboot to solve dependencies.' echo fi exit 1 fi elif [ $system = "GNU" ] then kernel_ver=`uname -v | cut -d / -f 1 | cut -d ' ' -f 2` kernel_ver_git=${kernel_ver#*+git} kernel_ver_git=${kernel_ver_git%%-*} kernel_ver=${kernel_ver%+git*} kernel_ver_min=1.8 kernel_ver_git_min=20210923 if kernel_compare_versions "$kernel_ver" lt $kernel_ver_min || \ ( kernel_compare_versions "$kernel_ver" eq $kernel_ver_min && \ [ "$kernel_ver_git" -lt $kernel_ver_git_min ] ) then if [ "$USE_DEBCONF" ] then db_version 2.0 db_fset glibc/kernel-too-old seen false db_reset glibc/kernel-too-old db_subst glibc/kernel-too-old kernel_ver $kernel_ver_min+git$kernel_ver_git_min db_input critical glibc/kernel-too-old || true db_go db_stop else echo "ERROR: This version of the GNU libc requires kernel version" echo "$kernel_ver_min+git$kernel_ver_git_min or later." echo "Please upgrade your kernel and reboot before installing glibc." echo 'You may need to use "apt -f install" after reboot to solve dependencies.' echo fi exit 1 fi fi fi if [ "$type" = upgrade ] then if [ -n "$preversion" ] && [ -x "$(command -v ischroot)" ] && ! ischroot; then # NSS authentication trouble guard if dpkg --compare-versions "$preversion" lt 2.37; then if grep -E -q '(^|/)(xscreensaver|xlockmore)' /proc/*/cmdline 2>/dev/null; then if [ "$USE_DEBCONF" ] ; then db_version 2.0 db_reset glibc/disable-screensaver db_input critical glibc/disable-screensaver || true db_go || true else echo "xscreensaver and xlockmore must be restarted before upgrading" echo echo "One or more running instances of xscreensaver or xlockmore have been" echo "detected on this system. Because of incompatible library changes, the" echo "upgrade of the GNU C library will leave you unable to authenticate to" echo "these programs. You should arrange for these programs to be restarted" echo "or stopped before continuing this upgrade, to avoid locking your users" echo "out of their current sessions." echo frontend=`echo "$DEBIAN_FRONTEND" | tr '[:upper:]' '[:lower:]'` if [ "$frontend" = noninteractive ]; then echo "Non-interactive mode, upgrade glibc forcibly" else echo -n "Press a key to continue" read answer fi echo fi fi check="kdm postgresql xdm" # NSS services check: echo -n "Checking for services that may need to be restarted..." # Only get the ones that are installed, of the same architecture # as libc (or arch all) and configured. Restart openssh-server even # if only half-configured to continue accepting new connections # during the upgrade. check=$(dpkg-query -W -f='${binary:Package} ${Status} ${Architecture}\n' $check 2> /dev/null | \ grep -E "(^openssh-server .* unpacked|installed) (all|${DPKG_MAINTSCRIPT_ARCH})$" | sed 's/[: ].*//') # some init scripts don't match the package names check=$(echo $check | \ sed -e's/\bapache2.2-common\b/apache2/g' \ -e's/\bat\b/atd/g' \ -e's/\bdovecot-common\b/dovecot/g' \ -e's/\bexim4-base\b/exim4/g' \ -e's/\blpr\b/lpd/g' \ -e's/\blpr-ppd\b/lpd-ppd/g' \ -e's/\bmysql-server\b/mysql/g' \ -e's/\bopenssh-server\b/ssh/g' \ -e's/\bsasl2-bin\b/saslauthd/g' \ -e's/\bsamba\b/smbd/g' \ -e's/\bpostgresql-common\b/postgresql/g' \ ) echo echo "Checking init scripts..." for service in $check; do invoke-rc.d ${service} status >/dev/null 2>/dev/null && status=0 || status=$? if [ "$status" = "0" ] || [ "$status" = "2" ] ; then services="$service $services" elif [ "$status" = "100" ] ; then echo "WARNING: init script for $service not found." fi done if [ -n "$services" ]; then if [ "$USE_DEBCONF" ] ; then db_version 2.0 db_reset glibc/upgrade db_subst glibc/upgrade services $services db_input critical glibc/upgrade || true db_go || true db_get glibc/upgrade answer=$RET else echo "Do you want to upgrade glibc now?" echo echo "Running services and programs that are using NSS need to be restarted," echo "otherwise they might not be able to do lookup or authentication any more." echo "The installation process is able to restart some services (such as ssh or" echo "telnetd), but other programs cannot be restarted automatically. One such" echo "program that needs manual stopping and restart after the glibc upgrade by" echo "yourself is xdm - because automatic restart might disconnect your active" echo "X11 sessions." echo echo "This script detected the following installed services which must be" echo "stopped before the upgrade: $services" echo echo "If you want to interrupt the upgrade now and continue later, please" echo "answer No to the question below." echo frontend=`echo "$DEBIAN_FRONTEND" | tr '[:upper:]' '[:lower:]'` if [ "$frontend" = noninteractive ]; then echo "Non-interactive mode, upgrade glibc forcibly" answer=true else echo -n "Do you want to upgrade glibc now? [Y/n] " read answer case $answer in Y*|y*) answer=true ;; N*|n*) answer=false ;; *) answer=true ;; esac fi echo fi if [ "x$answer" != "xtrue" ]; then echo "Stopped glibc upgrade. Please retry the upgrade after you have" echo "checked or stopped services by hand." exit 1 fi fi # As long systemd-logind has not seen any login request since the system has been # booted, it has not loaded any NSS module. In that condition if glibc is upgraded # (that means with a non session shell or by some automation), the NSS modules are # replaced by a new major version which might be incompatible (and definitely are # for some versions). # # The solution implemented for most daemons is to restart them, but unfortunately # it is not something supported with systemd-logind (see bug#91950). # # As a workaround, when detected that the system is using systemd and that the # systemd-logind process has not not loaded any NSS module, force systemd-logind to # load NSS modules. This is done by disabling lingering on a non-existing user. This # has to be done by talking directly to systemd-logind through sd-bus, as loginctl # first checks if the user actually exist. The nonexistent uid is chosen as # 4294967294, which is reserved by Policy ยง9.2.2. # # Note that starting with glibc 2.34, the nss_files is builtin. When glibc >= 2.34 # ends-up in a stable release, this workaround can therefore be dropped. if dpkg --compare-versions "$preversion" lt 2.34 && [ -d /run/systemd/system ]; then if ! grep -q -E 'libnss_(compat|db|files)' /proc/$(systemctl show --property MainPID --value systemd-logind.service)/maps >/dev/null 2>&1; then echo "Forcing systemd-logind to load NSS modules..." busctl call --system org.freedesktop.login1 /org/freedesktop/login1 org.freedesktop.login1.Manager \ SetUserLinger ubb 4294967294 false false >/dev/null 2>&1 || true fi fi fi # end upgrading and $preversion lt 2.37 fi # Upgrading fi # We create the top-level lib symlink on merged-usr systems, so that we can # cover cases where for example libc6:amd64 on i386 is installed and then removed # (which deletes the symlink too). Note that we only suppor the simplest case, # no conversion (moving files) is done here, as that's the job of the usrmerge # package. See: https://bugs.debian.org/926699 # Once all packages install only under /usr, this can be removed, as removing # this package will no longer result in the symlink being deleted. if [ "$1" = "install" ] || [ "$1" = "upgrade" ]; then if [ -L "$DPKG_ROOT/lib" ]; then # Has the link already been created? # If it has not, is a directory already there? Half-merged systems are # the problem of usrmerge, simply ignore them here. if [ ! -L "${DPKG_ROOT}/lib64" ] && [ ! -d "${DPKG_ROOT}/lib64" ]; then mkdir -p "$DPKG_ROOT/usr/lib64" ln -s usr/lib64 "${DPKG_ROOT}/lib64" fi fi fi if [ -n "$preversion" ]; then if dpkg --compare-versions "$preversion" lt 2.37; then # unconditionally wipe ld.so.cache on major version upgrades; this # makes those upgrades a bit slower, but is less error-prone than # hoping we notice every time the cache format is changed upstream rm -f "$DPKG_ROOT/etc/ld.so.cache" rm -f "$DPKG_ROOT/var/cache/ldconfig/aux-cache" fi fi exit 0