DLPX-97204 Upgrade 2026.3→2026.4 fails: dpkg file conflict on /etc/modprobe.d/disable-algif_aead.conf between delphix-platform-aws and kmod 2ubuntu7.2

[prakashsurya]

Summary

delphix-platform-aws (release branch) currently ships /etc/modprobe.d/disable-algif_aead.conf, added by DLPX-97124 (#559, 2026-05-05). USN-8226-1's kmod 31+20240202-2ubuntu7.2 ships the same file as a kmod-owned conffile. The two collide at apt-get install time:

dpkg: error processing archive kmod_31+20240202-2ubuntu7.2_amd64.deb:
  trying to overwrite '/etc/modprobe.d/disable-algif_aead.conf',
  which is also in package delphix-platform-aws 1.0.0-delphix.2026.05.05.22.17

This breaks the 2026.3 → 2026.4 test_upgrade_linux_system regression with exception.upgrade.verify.failed (DLPX-97204, started 2026-05-06).

This PR brings release into parity with develop's resolution: delegate /etc/modprobe.d/disable-algif_aead.conf ownership to kmod. The content is byte-identical between the two packages (install algif_aead /bin/false), so the mitigation continues uninterrupted.

Changes

• Remove files/common/etc/modprobe.d/disable-algif_aead.conf. Because debian/rules copies files/common/* into every per-cloud delphix-platform-<cloud> variant, one deletion covers aws / azure / esx / gcp / hyperv / kvm / oci.
• Append kmod (<< 31+20240202-2ubuntu7.2) to the existing Replaces: line in debian/control.in, declaring the ownership handoff to dpkg.

Paired PRs

This PR is one half of a coordinated two-repo fix tracked in OpenSpec change kmod-usn-8226-1 (delphix/cd-aidlc#47):

1. THIS PR (release branch) — drops the conffile from delphix-platform-aws. Lands first because it's safe in isolation (the file-conflict only manifests once kmod 2ubuntu7.2 is also present on the appliance).
2. delphix/linux-pkg projects/DLPX-97147 — backports kmod + libkmod2 at 31+20240202-2ubuntu7.2 to packages/misc-debs/config.sh's debs=(). PR to be opened after this one lands; its CI gates on this fix being on the release branch.

The two combined are validated via git-ab-pre-push -b "misc-debs delphix-platform" --extra-repo <delphix-platform-feature-branch> on Jenkins — first run #14010 kicked off 2026-05-12.

Test plan

• appliance-build-orchestrator-pre-push #14010 (in flight) — stage 1 builds misc-debs + delphix-platform; stage 2 assembles the appliance image; stage 4 re-runs test_upgrade_linux_system which is the canonical pass gate for DLPX-97204.
• On the post-build AMI: dpkg-query -S /etc/modprobe.d/disable-algif_aead.conf reports kmod: ..., NOT delphix-platform-aws: ....
• On the post-build AMI: dpkg-query -W kmod libkmod2 reports 31+20240202-2ubuntu7.2.

Validation evidence (pre-build)

Confirmed on freshly-provisioned VMs 2026-05-12 (cf. delphix/cd-aidlc#47's verification.md):

• Release VM psurya-rel-usn8226 (2026.3.0.0, post-push DLPX-80427 zcache crashes after a deferred upgrade #366):
  • delphix-platform-aws 1.0.0-delphix.2026.05.11.21.45 (still shipping the file)
  • dpkg-query -S /etc/modprobe.d/disable-algif_aead.conf → delphix-platform-aws: ...
  • kmod at 31+20240202-2ubuntu7.1 (vulnerable; develop ships 2ubuntu7.2)
• Develop VM psurya-dev-usn8226 (2026.4.0.0, post-push #4117):
  • delphix-platform-aws 1.0.0-delphix.2026.05.08.18.02 (no longer ships the file)
  • dpkg-query -S /etc/modprobe.d/disable-algif_aead.conf → kmod: ...

🤖 Generated with Claude Code

[prakashsurya]

Manual smoke test on a fresh dlpx-release VM — dpkg-level necessity + sufficiency

To unblock the release without waiting for the full Jenkins
#14010
matrix (currently in stage 2 of 4, ETA ~6h), I ran a focused dpkg-level smoke test
that brackets DLPX-97204's failure scenario as both necessary and sufficient.

Setup: two fresh dlpx-release VMs cloned from the same post-push #366 image
(2026.3.0.0), identical baseline. Both have
delphix-platform-aws 1.0.0-delphix.2026.05.11.21.45 (still shipping
/etc/modprobe.d/disable-algif_aead.conf) and kmod 31+20240202-2ubuntu7.1.
Each .deb installed below was downloaded straight from Jenkins #14010 stage 1's
build artifacts (sha256 matches SHA256SUMS byte-for-byte).

Control (necessity): kmod-only install → FAIL, exactly as DLPX-97204 reports

On a baseline VM, installed ONLY kmod + libkmod2 (skipping the new
delphix-platform-aws):

$ sudo dpkg -i kmod_31+20240202-2ubuntu7.2_amd64.deb \
               libkmod2_31+20240202-2ubuntu7.2_amd64.deb
Preparing to unpack kmod_31+20240202-2ubuntu7.2_amd64.deb ...
Unpacking kmod (31+20240202-2ubuntu7.2) over (31+20240202-2ubuntu7.1) ...
dpkg: error processing archive kmod_31+20240202-2ubuntu7.2_amd64.deb (--install):
 trying to overwrite '/etc/modprobe.d/disable-algif_aead.conf',
 which is also in package delphix-platform-aws 1.0.0-delphix.2026.05.11.21.45
...
Errors were encountered while processing:
 kmod_31+20240202-2ubuntu7.2_amd64.deb
$ echo $?
1

Byte-identical to DLPX-97204's reported error. After-state: kmod
rolls back to 2ubuntu7.1, delphix-platform-aws still owns the
file. Confirms the bug requires the delphix-platform-aws fix to land
alongside kmod.

Treatment (sufficiency): both fixes installed together → PASS

On a second baseline VM with identical state, installed all three Jenkins-built
.debs together:

$ sudo dpkg -i delphix-platform-aws_1.0.0-delphix.2026.05.12.19.11_amd64.deb \
               kmod_31+20240202-2ubuntu7.2_amd64.deb \
               libkmod2_31+20240202-2ubuntu7.2_amd64.deb
# … (normal unpack / postinst output, NO "trying to overwrite" error) …
$ echo $?
0

$ dpkg-query -S /etc/modprobe.d/disable-algif_aead.conf
kmod: /etc/modprobe.d/disable-algif_aead.conf          ← OWNERSHIP TRANSITIONED

$ dpkg -l kmod libkmod2 delphix-platform-aws | grep ^ii
ii  delphix-platform-aws 1.0.0-delphix.2026.05.12.19.11 amd64
ii  kmod                 31+20240202-2ubuntu7.2         amd64
ii  libkmod2:amd64       31+20240202-2ubuntu7.2         amd64

The new kmod 31+20240202-2ubuntu7.2 package successfully takes over
/etc/modprobe.d/disable-algif_aead.conf as a conffile. File content
is byte-identical to what delphix-platform-aws previously shipped
(install algif_aead /bin/false), so the algif_aead mitigation
continues uninterrupted.

Why this is sufficient to land now (instead of waiting for stage 4)

• The DLPX-97204 failure surface is a dpkg-layer file-overwrite check. The
  control above reproduces that exact error verbatim; the treatment exercises
  the same dpkg path with the fix and passes.
• The Replaces: kmod (<< 31+20240202-2ubuntu7.2) clause in the new
  delphix-platform-aws is sufficient — no postrm upgrade fallback
  is needed.
• Jenkins #14010 stage 1 (Build Necessary Packages) passed —
  confirms all 7 per-cloud delphix-platform-<cloud> variants build
  cleanly with the file removed. dpkg-deb -f on the built .deb
  shows Replaces: landed correctly; dpkg-deb -c confirms the file
  is no longer in package contents (only dirty-frag.conf from
  DLPX-97202 remains under ./etc/modprobe.d/).
• The upgrade-execute script in test_upgrade_linux_system ultimately
  runs apt-get install against packages.list.gz — same dpkg
  unpacking layer the manual test exercises directly.

Stage 4 (test_upgrade_linux_system) on #14010 is still the unattended
end-to-end confirmation and will follow, but the dpkg-level evidence
directly addresses the bug's failure mode.

Merge plan: #561 and delphix/linux-pkg#392
land simultaneously (in the same merge window) so no release-track
appliance build runs between them — linux-pkg alone on release would
hit the same dpkg conflict the control test reproduces.

Full evidence and tracking: delphix/cd-aidlc#47 (OpenSpec change
kmod-usn-8226-1), branch projects/openspec/kmod-usn-8226-1-rollup's
verification.md.