"precise esm -> trusty -> trusty new client" upgrade disables ESM

Bug #1850672 reported by Andreas Hasenack
This bug affects 1 person
Affects: ubuntu-advantage-script. Status: Fix Released. Importance: Unknown.
Affects: ubuntu-advantage-tools (Ubuntu). Status: Fix Released. Importance: Low. Assigned to: Unassigned.
Affects: Trusty. Status: Fix Released. Importance: High. Assigned to: Andreas Hasenack.

Bug Description

[Impact]
When enabling ESM on precise, then upgrading that to current trusty, and from there to the proposed new trusty client (see #1832757), ESM gets disabled.

This was found when executing test case (5) in the original SRU bug #1832757.

The reason is that d/postinst, when dealing with this upgrade path, was conditioning a file rename on the package upgrade coming from version 1, which is the precise one. The fix is to drop that conditional, since the filename we intend to rename is the precise one (it has "precise" in its name) and there is no need to check for the version.

[Test Case]

lxc launch ubuntu-daily:precise p1
lxc exec p1 ubuntu-advantage enable-esm $USER:$PASS
# confirm esm is enabled and shows a positive pinning value
lxc exec p1 apt-cache policy|grep esm
# ssh into p1 and call do-release-upgrade (doesn't work via lxc exec)
ssh p1
    sudo do-release-upgrade
    logout
lxc exec p1 -- bash -c "echo deb http://archive.ubuntu.com/ubuntu trusty-proposed main > /etc/apt/sources.list.d/trusty-proposed.list"
lxc exec p1 apt-get update
lxc exec p1 -- apt-get install -y ubuntu-advantage-tools
lxc exec p1 apt-get update
# confirm esm is enabled and shows a positive pinning value
lxc exec p1 apt-cache policy|grep esm

[Regression Potential]
Before we were pinning this upgrade path on having come from the exact precise package version, which is "1". Now we are dropping that requirement, and only checking if the precise esm sources.list file exists, then we rename it to the trusty name:

ubuntu-esm-precise.list -> ubuntu-esm-infra-trusty.list

do-release-upgrade will have renamed "precise" to "trusty" inside ubuntu-esm-precise.list. If someone is doing the upgrade manually via dist-upgrade, for example, then this person is expected to rename the precise repositories to trusty ones in all of /etc/apt/sources.list*

[Other Info]
As with the #1832757 SRU, this is being published only on trusty.
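
The conditional described under [Impact], reduced to a shell sketch that is added here for illustration and is not the package's actual d/postinst. The function names, the directory argument and the plain string comparison on the previous version are assumptions; only the two file names come from the report.

```shell
#!/bin/sh
# Added illustration, not the package's real d/postinst.
# Assumption: the ESM snippet sits in an apt sources.list.d directory,
# passed in as $1 so the logic can be exercised on a scratch directory.

PRECISE_LIST="ubuntu-esm-precise.list"
TRUSTY_LIST="ubuntu-esm-infra-trusty.list"

# Behaviour before the fix: rename only when the upgrade comes from the
# precise package version "1". $2 stands for the most recently configured
# version, which dpkg passes to "postinst configure".
migrate_gated_on_version() {
    dir="$1"; prev="$2"
    if [ "$prev" = "1" ] && [ -e "$dir/$PRECISE_LIST" ]; then
        mv "$dir/$PRECISE_LIST" "$dir/$TRUSTY_LIST"
    fi
}

# Behaviour after the fix: the file name already identifies the precise
# snippet, so its existence is the only condition.
migrate_on_file_presence() {
    dir="$1"
    if [ -e "$dir/$PRECISE_LIST" ]; then
        mv "$dir/$PRECISE_LIST" "$dir/$TRUSTY_LIST"
    fi
}

# Simulate one upgrade to the new client in a scratch directory.
# $1 = migration function, $2 = previously installed version.
# Prints the name of the ESM snippet left on disk.
simulate() {
    d=$(mktemp -d)
    # Constructed content: do-release-upgrade has already rewritten the suite.
    echo "deb https://esm.ubuntu.com/ubuntu trusty-security main" > "$d/$PRECISE_LIST"
    "$1" "$d" "$2"
    ls "$d"
    rm -rf "$d"
}

simulate migrate_gated_on_version 1                  # precise -> new client
simulate migrate_gated_on_version 10ubuntu0.14.04.4  # precise -> trusty -> new client
simulate migrate_on_file_presence 10ubuntu0.14.04.4  # same path, fixed logic
```

The second call is the path from this bug: the previous version is the trusty one, so the gated rename is skipped and the snippet keeps its precise name.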

Changed in ubuntu-advantage-tools (Ubuntu):
status: New → In Progress
Changed in ubuntu-advantage-tools (Ubuntu Trusty):
importance: Undecided → High
status: New → In Progress
assignee: nobody → Andreas Hasenack (ahasenack)
Changed in ubuntu-advantage-tools (Ubuntu):
status: In Progress → Triaged
importance: High → Low
assignee: Andreas Hasenack (ahasenack) → nobody
description: updated
Steve Langasek (vorlon) wrote : Please test proposed package

Hello Andreas, or anyone else affected,

Accepted ubuntu-advantage-tools into trusty-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/ubuntu-advantage-tools/19.6~ubuntu14.04.3 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-trusty to verification-done-trusty. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-trusty. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in ubuntu-advantage-tools (Ubuntu Trusty):
status: In Progress → Fix Committed
tags: added: verification-needed verification-needed-trusty
Changed in ubuntu-advantage-script:
status: Unknown → Fix Released
Mathew Hodson (mhodson)
Changed in ubuntu-advantage-tools (Ubuntu):
status: Triaged → Fix Released
Andreas Hasenack (ahasenack) wrote :

Trusty verification, in two parts:

a) following the [testing] section, i.e., upgrading from precise, to trusty, then to trusty-updates
b) almost the same setup, but upgrading from precise to trusty with the u-a-t proposed package, without going through the intermediary current u-a-t from trusty-updates.

Since the logs are rather long, I'll do these in separate comments

Andreas Hasenack (ahasenack) wrote :

a) upgrading from precise, to trusty, then to trusty-updates
$ lxc launch ubuntu-daily:precise p1
Creating p1
Starting p1

$ lxc exec p1 ubuntu-advantage enable-esm $u:$p
Running apt-get update...
Ubuntu ESM repository enabled.

# esm enabled, positive pinning:
$ lxc exec p1 apt-cache policy|grep esm
 500 https://esm.ubuntu.com/ubuntu/ precise/main i386 Packages
     origin esm.ubuntu.com
 500 https://esm.ubuntu.com/ubuntu/ precise/main amd64 Packages
     origin esm.ubuntu.com

# starting do-release-upgrade to trusty
ubuntu@p1:~$ sudo do-release-upgrade
...
reboot

# ua version after do-release-upgrade:
root@p1:~# apt-cache policy ubuntu-advantage-tools
ubuntu-advantage-tools:
  Installed: 10ubuntu0.14.04.4
  Candidate: 10ubuntu0.14.04.4
  Version table:
 *** 10ubuntu0.14.04.4 0
        500 http://br.archive.ubuntu.com/ubuntu/ trusty-updates/main amd64 Packages

# how u-a-t was upgraded, from do-release-upgrade logs:
Unpacking ubuntu-advantage-tools (10ubuntu0.14.04.4) over (1) ...

# esm trusty packages were included in the do-release-upgrade:
root@p1:~# grep -E 'esm\.ubuntu' /var/log/dist-upgrade/screenlog.0 |tail -n 2
Get:492 https://esm.ubuntu.com/ubuntu/ trusty-security/main linux-headers-virtual amd64 3.13.0.174.185 [1,754 B]
Get:493 https://esm.ubuntu.com/ubuntu/ trusty-security/main wpasupplicant amd64 2.1-0ubuntu1.7+esm2 [752 kB]

# add trusty-proposed
$ lxc exec p1 -- bash -c "echo deb http://archive.ubuntu.com/ubuntu trusty-proposed main > /etc/apt/sources.list.d/trusty-proposed.list"
$ lxc exec p1 apt-get update
...
# install u-a-t from proposed
$ lxc exec p1 -- apt-get install -y ubuntu-advantage-tools
...
Get:3 http://archive.ubuntu.com/ubuntu/ trusty-proposed/main ubuntu-advantage-tools amd64 19.6~ubuntu14.04.3 [47.3 kB]
...
Unpacking ubuntu-advantage-tools (19.6~ubuntu14.04.3) over (10ubuntu0.14.04.4) ...
$ lxc exec p1 apt-get update
...
# confirm esm is enabled and shows a positive pinning value
$ lxc exec p1 apt-cache policy|grep esm
 500 https://esm.ubuntu.com/ubuntu/ trusty-security/main i386 Packages
     origin esm.ubuntu.com
 500 https://esm.ubuntu.com/ubuntu/ trusty-security/main amd64 Packages
     origin esm.ubuntu.com
 500 https://esm.ubuntu.com/ubuntu/ trusty-updates/main i386 Packages
     origin esm.ubuntu.com
 500 https://esm.ubuntu.com/ubuntu/ trusty-updates/main amd64 Packages
     origin esm.ubuntu.com

# as an extra step, let's confirm we can attach now with the new client
$ lxc exec p1 ua attach $token
Updating 'esm-infra' apt sources list on changed directives.
Updating package lists
Updating package lists
This machine is now attached to '<email address hidden>'

SERVICE ENTITLED STATUS DESCRIPTION
cc-eal yes n/a Common Criteria EAL2 Provisioning Packages
cis-audit no — Center for Internet Security Audit Tools
esm-infra yes enabled UA Infra: Extended Security Maintenance
fips yes n/a NIST-certified FIPS modules
fips-updates yes n/a Uncertified security updates to FIPS modules
livepatch yes n/a Canonical Livepatch service

Enable services with: ua enable <service>

     Account: <email address hidden>
Sub...


Andreas Hasenack (ahasenack) wrote :

b) almost the same setup, but upgrading from precise to trusty with the u-a-t proposed package, without going through the intermediary current u-a-t from trusty-updates.

$ lxc launch ubuntu-daily:precise p1
$ lxc exec p1 ubuntu-advantage enable-esm $u:$p
Running apt-get update...
Ubuntu ESM repository enabled.

# confirming
$ lxc exec p1 apt-cache policy|grep esm
 500 https://esm.ubuntu.com/ubuntu/ precise/main i386 Packages
     origin esm.ubuntu.com
 500 https://esm.ubuntu.com/ubuntu/ precise/main amd64 Packages
     origin esm.ubuntu.com
# enable precise-proposed, which do-release-upgrade will change to trusty-proposed
$ lxc exec p1 -- bash -c "echo deb http://archive.ubuntu.com/ubuntu precise-proposed main > /etc/apt/sources.list.d/precise-proposed.list"

# ssh in and create a pinning config so not all of trusty-proposed is used
root@p1:~# cat > /etc/apt/preferences.d/proposed-pinning <<EOF
> Package: *
> Pin: release a=trusty-proposed
> Pin-Priority: 400
>
> Package: ubuntu-advantage-tools
> Pin: release a=trusty-proposed
> Pin-Priority: 500
> EOF

# perform the upgrade
root@p1:~# sudo do-release-upgrade
...

# after reboot
# confirm only u-a-t was taken from trusty-proposed
$ lxc exec p1 grep trusty-proposed /var/log/dist-upgrade/screenlog.0
Get:11 http://archive.ubuntu.com trusty-proposed Release.gpg [916 B]
Get:19 http://archive.ubuntu.com trusty-proposed Release [64.9 kB]
Get:31 http://archive.ubuntu.com trusty-proposed/main amd64 Packages [4,598 B]
Get:44 http://archive.ubuntu.com trusty-proposed/main i386 Packages [2,792 B]
Get:60 http://archive.ubuntu.com trusty-proposed/main TranslationIndex [202 B]
Get:74 http://archive.ubuntu.com trusty-proposed/main Translation-en [2,932 B]
Get:87 http://archive.ubuntu.com/ubuntu/ trusty-proposed/main ubuntu-advantage-tools amd64 19.6~ubuntu14.04.3 [47.3 kB]
$

# confirm upgrade path: version from precise, direct to trusty-proposed
$ lxc exec p1 grep ubuntu-advantage-tools /var/log/dist-upgrade/apt-term.log
Preparing to unpack .../ubuntu-advantage-tools_19.6~ubuntu14.04.3_amd64.deb ...
Unpacking ubuntu-advantage-tools (19.6~ubuntu14.04.3) over (1) ...
Setting up ubuntu-advantage-tools (19.6~ubuntu14.04.3) ...

# confirm esm is enabled and shows a positive pinning value
$ lxc exec p1 apt-cache policy|grep esm
 500 https://esm.ubuntu.com/ubuntu/ trusty-security/main i386 Packages
     origin esm.ubuntu.com
 500 https://esm.ubuntu.com/ubuntu/ trusty-security/main amd64 Packages
     origin esm.ubuntu.com
 500 https://esm.ubuntu.com/ubuntu/ trusty-updates/main i386 Packages
     origin esm.ubuntu.com
 500 https://esm.ubuntu.com/ubuntu/ trusty-updates/main amd64 Packages
     origin esm.ubuntu.com

# finally, confirm we can ua attach and esm keeps working
$ lxc exec p1 ua attach $token
Updating 'esm-infra' apt sources list on changed directives.
Updating package lists
Updating package lists
This machine is now attached to '<email address hidden>'

SERVICE ENTITLED STATUS DESCRIPTION
cc-eal yes n/a Common Criteria EAL2 Provisioning Packages
cis-audit no — Center for Internet Security Audit Tools
esm-infra yes enabled UA Infra: Extended Secur...

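
The check that both verification logs end with, `apt-cache policy | grep esm` showing a positive pinning value, written as a script that can gate an upgrade job. This is an added example, not part of the original comments; the function names and the sample policy text are constructed.

```shell
#!/bin/sh
# Added example. Sample inputs are constructed in the format of the
# `apt-cache policy` output quoted in this report.

sample_policy_ok() {
cat <<'EOF'
 500 http://archive.ubuntu.com/ubuntu/ trusty/main amd64 Packages
     origin archive.ubuntu.com
 500 https://esm.ubuntu.com/ubuntu/ trusty-security/main amd64 Packages
     origin esm.ubuntu.com
EOF
}

# Constructed: ESM source present but pinned to a non-positive priority.
sample_policy_disabled() {
cat <<'EOF'
 500 http://archive.ubuntu.com/ubuntu/ trusty/main amd64 Packages
     origin archive.ubuntu.com
 -32768 https://esm.ubuntu.com/ubuntu/ trusty-security/main amd64 Packages
     origin esm.ubuntu.com
EOF
}

# Constructed: ESM source absent after the upgrade.
sample_policy_missing() {
cat <<'EOF'
 500 http://archive.ubuntu.com/ubuntu/ trusty/main amd64 Packages
     origin archive.ubuntu.com
EOF
}

# Reads `apt-cache policy` output on stdin. Succeeds only if at least one
# esm.ubuntu.com source is listed and every one has a priority above zero.
esm_pinning_ok() {
    awk '
        $1 ~ /^-?[0-9]+$/ && $2 ~ /^https?:\/\/esm\.ubuntu\.com\// {
            seen++
            if ($1 + 0 <= 0) bad++
        }
        END { exit (seen > 0 && bad == 0) ? 0 : 1 }
    '
}

# On a real host: apt-cache policy | esm_pinning_ok || echo "ESM not active"
sample_policy_ok | esm_pinning_ok && echo "sample: ESM active"
```

Unlike a bare grep, this fails both when the ESM lines are missing and when they are present with a non-positive priority.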

Andreas Hasenack (ahasenack) wrote :

trusty verification succeeded

tags: added: verification-done-trusty
removed: verification-needed-trusty
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package ubuntu-advantage-tools - 19.6~ubuntu14.04.3

---------------
ubuntu-advantage-tools (19.6~ubuntu14.04.3) trusty; urgency=medium

  * d/postinst: rename existing ubuntu-esm-precise.list file to trusty.
    This fixes the upgrade path from precise to trusty and to this client
    while esm is enabled (LP: #1850672)

ubuntu-advantage-tools (19.6~ubuntu14.04.2) trusty; urgency=medium

  * d/control, d/rules: don't run flake8 tests since python3-flake8 is in
    universe (LP: #1849851)

ubuntu-advantage-tools (19.6~ubuntu14.04.1) trusty; urgency=medium

  * New upstream release (LP: #1832757). Main changes:
    - drop SSO interactive login support
    - d/control: no longer depend on pymacaroons, which was only needed for
      the SSO interactive login support
    - drop keyrings for services not supported in trusty: cc-eal, fips,
      fips-updates, cis audit
    - make sure /var/lib/ubuntu-advantage/private has 0700 perms
    - rename esm to esm-infra. Also handle upgrades
    - don't unecessarily remove config files that are already handled by dpkg
    - expand the apt related runtime dependencies
    - handle sources.list.d esm snippet when release upgrading from precise
    - ua status now reports availability of services even in unattached state
    - the "ua status" output was changed, including the json format option
    - drop "ua status" call in postinst as it now requires internet access and
      that is restricted in LP builders and test runners.
    - fix the d/t/usage DEP8 test that was also using status

 -- Andreas Hasenack <email address hidden> Wed, 30 Oct 2019 10:01:58 -0300

Changed in ubuntu-advantage-tools (Ubuntu Trusty):
status: Fix Committed → Fix Released
Steve Langasek (vorlon) wrote : Update Released

The verification of the Stable Release Update for ubuntu-advantage-tools has completed successfully and the package is now being released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.
