
SSM Distributor installing amazon-guardduty-agent 1.15.0 with non-idempotent postinst, breaks apt?


AmazonGuardDuty-RuntimeMonitoringSsmPlugin 1.15.0 (published 2026-04-29) ships a .deb whose postinst calls /opt/aws/amazon-guardduty-agent/scripts/configure.sh. That script sed -is three placeholders (__OOM_POLICY__, __CPU_QUOTA__, __MEMORY_LIMIT__) into /lib/systemd/system/amazon-guardduty-agent.service and errors out if any aren't found:

Placeholder for __OOM_POLICY__ not found in /lib/systemd/system/amazon-guardduty-agent.service. Exiting.

So configure.sh succeeds exactly once and fails on every subsequent run. That's normally fine — but if anything makes the first postinst fail (in my case the agent service couldn't start during EC2 boot), Distributor's install.sh retries dpkg -i 5x and apt later runs dpkg --configure -a to clean up — both re-trigger the broken configure.sh, package gets stuck at dpkg state iF, any later apt-get install exits non-zero.

Repro on a Debian 13 EC2 with SSM + GuardDuty Runtime Monitoring (EC2_AGENT_MANAGEMENT) enabled, after the agent's been pushed:

/var/lib/dpkg/info/amazon-guardduty-agent.postinst configure 1.15.0

Exits 1.

Looks like a quick fix on AWS's end — configure.sh should no-op when placeholders are already substituted, or write to a marker file. Anyone else seeing this?

asked 21 days ago · 55 views
1 Answer

If that is the case - and assuming there is no misunderstanding on my part - then you are absolutely correct. This is a clear violation of Debian packaging policy, which requires postinst scripts to be idempotent.

The configure.sh script fails because it expects placeholders that it removed during the first (failed) attempt. This creates a deadlock where dpkg remains in state iF, blocking all subsequent apt operations.

Quick Workaround to unblock apt: Until AWS releases a fix (e.g., v1.15.1), you can manually force the package to a configured state by bypassing the faulty script:

  1. Edit the postinst script: sudo nano /var/lib/dpkg/info/amazon-guardduty-agent.postinst
  2. Add exit 0 at the very top of the script.
  3. Run the configuration fix: sudo dpkg --configure -a

Recommended fix: The configure.sh should use a check like grep -q "__OOM_POLICY__" ... before attempting sed, or simply allow sed to fail silently if the pattern is missing, ensuring the script always exits with 0 if the service file is already in the desired state.

EXPERT
answered 21 days ago
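The idempotent version of the placeholder substitution that the question and the answer both describe, as an added example (this is not AWS's configure.sh, and the function names, the `.configured` marker file and the sample unit file are assumptions made here for illustration). Each placeholder is handled on its own: it is substituted when present and silently skipped when absent, so a second run, or a run that resumes after an earlier partial one, still exits 0 and leaves the unit file in the desired state.

```shell
#!/bin/sh
# Added example of an idempotent configure step for a systemd unit with
# __OOM_POLICY__ / __CPU_QUOTA__ / __MEMORY_LIMIT__ placeholders.
# Not the GuardDuty agent's real script; function names and the marker
# file are assumptions for illustration.

# substitute FILE PLACEHOLDER VALUE
# Replace PLACEHOLDER with VALUE in FILE. A missing placeholder is not an
# error: it means an earlier run already substituted it.
substitute() {
    file="$1"; ph="$2"; val="$3"
    grep -q "$ph" "$file" || return 0
    tmp="${file}.tmp.$$"
    # Write to a temp file and rename so a failure never leaves a
    # half-rewritten unit behind.
    sed "s|$ph|$val|g" "$file" > "$tmp" || { rm -f "$tmp"; return 1; }
    mv "$tmp" "$file"
}

# configure_unit UNIT_FILE OOM_POLICY CPU_QUOTA MEMORY_LIMIT
# Safe to call any number of times; returns 0 whenever the unit ends up
# fully configured, which is what a dpkg postinst needs.
configure_unit() {
    unit="$1"; oom="$2"; cpu="$3"; mem="$4"
    marker="${unit}.configured"   # hypothetical marker recording a completed run

    [ -f "$unit" ] || { echo "configure_unit: $unit not found" >&2; return 1; }

    substitute "$unit" '__OOM_POLICY__'   "$oom" || return 1
    substitute "$unit" '__CPU_QUOTA__'    "$cpu" || return 1
    substitute "$unit" '__MEMORY_LIMIT__' "$mem" || return 1

    # Sanity check: refuse to report success while any placeholder remains.
    if grep -q '__[A-Z_]*__' "$unit"; then
        echo "configure_unit: unresolved placeholder in $unit" >&2
        return 1
    fi
    touch "$marker"
}

# make_sample_unit PATH
# Writes a constructed sample unit file (not the real agent unit) with
# the three placeholders in place, for demonstration and testing.
make_sample_unit() {
    cat > "$1" <<'EOF'
[Unit]
Description=Constructed sample unit with placeholders

[Service]
ExecStart=/opt/aws/amazon-guardduty-agent/bin/amazon-guardduty-agent
OOMPolicy=__OOM_POLICY__
CPUQuota=__CPU_QUOTA__
MemoryMax=__MEMORY_LIMIT__
EOF
}
```

Running `configure_unit "$unit" continue 50% 512M` twice in a row on a file produced by `make_sample_unit` returns 0 both times; the original script's `Placeholder ... not found ... Exiting.` path is exactly the second run that this version turns into a no-op.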
