ua auto-attach hangs whilst starting ubuntu-advantage on FIPS machines

Bug #1980865 reported by George Campbell
This bug affects 1 person
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| ubuntu-advantage-tools (Ubuntu) | Fix Released | High | Unassigned | |
| Xenial | Fix Released | Undecided | Unassigned | |
| Bionic | Fix Released | Undecided | Unassigned | |
| Focal | Fix Released | Undecided | Unassigned | |
| Jammy | Fix Released | Undecided | Unassigned | |

Bug Description

[Impact]

This bug causes custom images based on Ubuntu Pro in public clouds that were built in a certain way to never finish booting (as determined by `cloud-init status --wait` never exiting). The bug occurs when `ua detach` is not run as part of the custom image creation process.

The bug occurs because of a systemd service starting deadlock. The oneshot `ua-auto-attach.service` erroneously tries to start (and wait on) `ubuntu-advantage.service`, but `ubuntu-advantage.service` is `After: ua-auto-attach.service`. The result is that `ubuntu-advantage.service` never starts and `ua-auto-attach.service` never finishes.

The fix is to not start `ubuntu-advantage.service` during `ua-auto-attach.service`. This is never necessary anyway and never should have happened. So just removing the call is sufficient.

[Test Plan]

To Reproduce:
Use a packer.json like the following:
```
{
    "builders": [
      {
        "type": "amazon-ebs",
        "access_key": "{{user `aws_access_key`}}",
        "secret_key": "{{user `aws_secret_key`}}",
        "region": "us-east-2",
        "instance_type": "t2.micro",
        "ami_name": "My-Ubuntu-Pro-20.04-{{timestamp}}",
        "source_ami_filter": {
          "filters": {
            "virtualization-type": "hvm",
            "name": "ubuntu-pro-server*20.04-amd64*",
            "root-device-type": "ebs"
          },
          "owners": ["679593333241"],
          "most_recent": true
        },
        "ssh_username": "ubuntu"
      }
    ],
    "provisioners": [
      {
        "type": "shell",
        "inline": [
          "cloud-init status --wait"
        ]
      }
    ]
}
```
Build the image with packer:
```
packer build packer.json
```
Use the AMI to launch a new instance.

SSH into the machine and run:
```
cloud-init status --wait
```
That command will never finish.
Also systemctl status will report the system as "starting" forever. And ua-auto-attach.service will show "systemctl start ubuntu-advantage.service" as a subprocess that never exits.

To test that release 27.10.1 of ubuntu-advantage-tools fixes the problem, you can use the following packer.json to enable proposed and upgrade during image creation.

```
{
   "builders": [
     {
       "type": "amazon-ebs",
       "access_key": "{{user `aws_access_key`}}",
       "secret_key": "{{user `aws_secret_key`}}",
       "region": "us-east-2",
       "instance_type": "t2.micro",
       "ami_name": "My-Ubuntu-Pro-20.04-{{timestamp}}",
       "source_ami_filter": {
         "filters": {
           "virtualization-type": "hvm",
           "name": "ubuntu-pro-server*20.04-amd64*",
           "root-device-type": "ebs"
         },
         "owners": ["679593333241"],
         "most_recent": true
       },
       "ssh_username": "ubuntu"
     }
   ],
   "provisioners": [
     {
       "type": "shell",
       "inline": [
         "cloud-init status --wait",
         "printf \"deb http://archive.ubuntu.com/ubuntu/ focal-proposed main\" | sudo tee /etc/apt/sources.list.d/uaclient-proposed.list",
         "sudo apt update",
         "sudo apt install ubuntu-advantage-tools"
       ]
     }
   ]
}
```

In an instance launched from that packer.json, `cloud-init status --wait` will complete. And the other symptoms mentioned above will not be present.

[Where problems could occur]

The fix is to move the `systemctl start ubuntu-advantage.service` call out of a shared function that gets called during auto-attach.

If we made a mistake, it may happen that the service is not started in some scenario where it should be started.

[Original Description]

When ua auto-attach v27.9 is run on Ubuntu Pro hosts (with FIPS enabled), it issues a systemctl start ubuntu-advantage command which hangs forever and is never killed. My understanding is this service is only meant to run on GCP and has constraints in the systemd unit which should ensure this is true, so unsure what's causing the systemctl command to hang rather than exit immediately.

```
root@<hostname>:~# ps f -g 590
    PID TTY STAT TIME COMMAND
    590 ? Ss 0:00 /usr/bin/python3 /usr/bin/ua auto-attach
  15387 ? S 0:00 \_ systemctl start ubuntu-advantage.service
```

Description: Ubuntu 20.04.4 LTS
Release: 20.04

Also confirmed the same behaviour on Ubuntu 18.04 LTS

ubuntu-advantage-tools:
  Installed: 27.9~20.04.1
  Candidate: 27.9~20.04.1
  Version table:
 *** 27.9~20.04.1 500
        500 http://us-gov-west-1.ec2.archive.ubuntu.com/ubuntu focal-updates/main amd64 Packages
        100 /var/lib/dpkg/status
  Packages
     20.3 500
        500 http://us-gov-west-1.ec2.archive.ubuntu.com/ubuntu focal/main amd64 Packages
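
The ordering deadlock described under [Impact] can be checked for mechanically. The following is an added example, not code from ubuntu-advantage-tools or from this report: it flags a oneshot unit whose process tree contains a blocking `systemctl start` of a unit ordered `After=` it. The unit file contents are constructed and simplified (the `ExecStart` of `ubuntu-advantage.service` is a placeholder), and the function names are hypothetical.

```python
import shlex

# Constructed, simplified unit files: only the Type= and After= relations the
# report states are modelled; the second ExecStart is a placeholder.
UNITS = {
    "ua-auto-attach.service":
        "[Service]\nType=oneshot\nExecStart=/usr/bin/ua auto-attach\n",
    "ubuntu-advantage.service":
        "[Unit]\nAfter=ua-auto-attach.service\n[Service]\nExecStart=/bin/true\n",
}

# Process listing quoted in the report (header dropped); PID 590 is the main
# process of ua-auto-attach.service.
PS_FOREST = r"""
    590 ? Ss 0:00 /usr/bin/python3 /usr/bin/ua auto-attach
  15387 ? S 0:00 \_ systemctl start ubuntu-advantage.service
"""

def values(unit_text, key):
    """All values of a (repeatable, space-separated) unit-file key."""
    found = []
    for line in unit_text.splitlines():
        name, sep, value = line.partition("=")
        if sep and name.strip() == key:
            found += value.split()
    return found

def ordered_after(units, unit, target, seen=None):
    """True if `unit` is ordered After= `target`, directly or transitively."""
    seen = set() if seen is None else seen
    for dep in values(units.get(unit, ""), "After"):
        if dep == target:
            return True
        if dep not in seen:
            seen.add(dep)
            if ordered_after(units, dep, target, seen):
                return True
    return False

def blocking_starts(ps_text):
    """Units passed to `systemctl start` without --no-block in a ps listing."""
    started = []
    for line in ps_text.splitlines():
        fields = line.split(None, 4)
        if len(fields) < 5:
            continue
        argv = shlex.split(fields[4].lstrip("\\_| "))  # drop forest decoration
        if argv and argv[0].endswith("systemctl") and argv[1:2] == ["start"] \
                and "--no-block" not in argv:
            started += [a for a in argv[2:] if not a.startswith("-")]
    return started

def find_deadlocks(units, starter, ps_text):
    """Units a oneshot `starter` waits on that are themselves ordered after it."""
    if "oneshot" not in values(units.get(starter, ""), "Type"):
        return []  # narrowed to Type=oneshot: its start job lasts until ExecStart exits
    return [u for u in blocking_starts(ps_text) if ordered_after(units, u, starter)]

if __name__ == "__main__":
    print(find_deadlocks(UNITS, "ua-auto-attach.service", PS_FOREST))
```

On a live system the inputs would come from `systemctl cat <unit>` and the process listing of the stuck unit.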

summary: - ua auto-attach hangs whilst starting ubuntu-advantage on AWS Gov Cloud hosts (FIPS)
+ ua auto-attach hangs whilst starting ubuntu-advantage on FIPS machines
description: updated
Grant Orndorff (orndorffgrant) wrote :

Hi George Campbell,

Thank you for taking the time to report this bug! It looks like two bugs:

1. We shouldn't run `systemctl start ubuntu-advantage.service` ever during a `ua auto-attach`
2. `systemctl start ubuntu-advantage.service` should always exit immediately, especially when not on GCP like you mentioned.

We'll be sure to address these in the next version.

A question to help me reproduce this issue: from looking at the code, this is the scenario I'm imagining might cause this:
1. Launch an Ubuntu Pro image from the aws marketplace
2. Make changes to the instance and create a new custom image based on that instance.
3. Launch the new custom image

Is that roughly what you did to trigger this bug?

As a workaround in the meantime, I think masking ubuntu-advantage.service and rebooting will allow everything to continue:

```
sudo systemctl mask ubuntu-advantage.service
```

And if you need to run that early on first-boot, I think a cloud-init bootcmd would work: https://cloudinit.readthedocs.io/en/latest/topics/modules.html#bootcmd

George Campbell (gcampbellpal) wrote :

Hey Grant,

The steps you listed sound like you should be able to reproduce this issue.

We're hitting this as part of our AMI build pipeline (with packer) where like you say we take the latest Ubuntu Pro marketplace image, make some modifications and create a new image, it's only when we come to launch the new custom image we find ubuntu-advantage stuck.

I can also confirm masking the ubuntu-advantage.service works to mitigate the issue.

Grant Orndorff (orndorffgrant) wrote :

Great! Thanks for the added detail. And I'm glad masking the service is a viable workaround for now.

Changed in ubuntu-advantage-tools (Ubuntu):
status: New → Triaged
importance: Undecided → High
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package ubuntu-advantage-tools - 27.10.1~22.10.1

---------------
ubuntu-advantage-tools (27.10.1~22.10.1) kinetic; urgency=medium

  * apt-hook: Fix missing import warning when compiling

 -- Lucas Moura <email address hidden> Tue, 09 Aug 2022 14:03:14 -0300

Changed in ubuntu-advantage-tools (Ubuntu):
status: Triaged → Fix Released
Robie Basak (racb) wrote : Please test proposed package

Hello George, or anyone else affected,

Accepted ubuntu-advantage-tools into jammy-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/ubuntu-advantage-tools/27.10.1~22.04.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-jammy to verification-done-jammy. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-jammy. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in ubuntu-advantage-tools (Ubuntu Jammy):
status: New → Fix Committed
tags: added: verification-needed verification-needed-jammy
Changed in ubuntu-advantage-tools (Ubuntu Focal):
status: New → Fix Committed
tags: added: verification-needed-focal
Robie Basak (racb) wrote :

Hello George, or anyone else affected,

Accepted ubuntu-advantage-tools into focal-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/ubuntu-advantage-tools/27.10.1~20.04.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-focal to verification-done-focal. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-focal. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in ubuntu-advantage-tools (Ubuntu Bionic):
status: New → Fix Committed
tags: added: verification-needed-bionic
Robie Basak (racb) wrote :

Hello George, or anyone else affected,

Accepted ubuntu-advantage-tools into bionic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/ubuntu-advantage-tools/27.10.1~18.04.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-bionic to verification-done-bionic. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-bionic. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in ubuntu-advantage-tools (Ubuntu Xenial):
status: New → Fix Committed
tags: added: verification-needed-xenial
Robie Basak (racb) wrote :

Hello George, or anyone else affected,

Accepted ubuntu-advantage-tools into xenial-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/ubuntu-advantage-tools/27.10.1~16.04.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-xenial to verification-done-xenial. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-xenial. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Grant Orndorff (orndorffgrant) wrote :

I've reproduced this issue with ubuntu-advantage-tools version 27.9 and verified that version 27.10.1 in -proposed fixes the issue. I'll attach logs for both here.

description: updated
Grant Orndorff (orndorffgrant) wrote :
Grant Orndorff (orndorffgrant) wrote :
tags: added: verification-done verification-done-bionic verification-done-focal verification-done-jammy verification-done-xenial
removed: verification-needed verification-needed-bionic verification-needed-focal verification-needed-jammy verification-needed-xenial
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package ubuntu-advantage-tools - 27.10.1~22.04.1

---------------
ubuntu-advantage-tools (27.10.1~22.04.1) jammy; urgency=medium

  * Backport new upstream release: (LP: #1980990) to jammy

ubuntu-advantage-tools (27.10.1~22.10.1) kinetic; urgency=medium

  * apt-hook: Fix missing import warning when compiling

ubuntu-advantage-tools (27.10~22.10.1) kinetic; urgency=medium

  * d/control:
    - Drop golang dependencies
  * d/rules:
    - Only install APT hooks on LTS series
  * New upstream release 27.10 (LP: #1980990)
    - apt-hook: replace golang with cpp for json-hook
    - cli
      + properly sort services for detach/attach (GH: #1831)
      + collect-logs include rotated log files
      + display UA features directly on status
    - daemon: do not try enabling daemon during auto-attach (LP: #1980865)
    - fix:
      + update ua portal url when asking for attach
      + add --dry-run option
    - gcp-pro: better error message for metadata endpoint error
    - requests: Add default timeout for web requests
    - timer: log when job start running
    - security-status: include download size of package updates

 -- Lucas Moura <email address hidden> Tue, 12 Jul 2022 15:10:11 -0300

Changed in ubuntu-advantage-tools (Ubuntu Jammy):
status: Fix Committed → Fix Released
Łukasz Zemczak (sil2100) wrote : Update Released

The verification of the Stable Release Update for ubuntu-advantage-tools has completed successfully and the package is now being released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package ubuntu-advantage-tools - 27.10.1~20.04.1

---------------
ubuntu-advantage-tools (27.10.1~20.04.1) focal; urgency=medium

  * Backport new upstream release: (LP: #1980990) to focal

 -- Lucas Moura <email address hidden> Tue, 12 Jul 2022 15:09:57 -0300

Changed in ubuntu-advantage-tools (Ubuntu Focal):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package ubuntu-advantage-tools - 27.10.1~18.04.1

---------------
ubuntu-advantage-tools (27.10.1~18.04.1) bionic; urgency=medium

  * Backport new upstream release: (LP: #1980990) to bionic

 -- Lucas Moura <email address hidden> Tue, 12 Jul 2022 15:09:51 -0300

Changed in ubuntu-advantage-tools (Ubuntu Bionic):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package ubuntu-advantage-tools - 27.10.1~16.04.1

---------------
ubuntu-advantage-tools (27.10.1~16.04.1) xenial; urgency=medium

  * Backport new upstream release: (LP: #1980990) to xenial

 -- Lucas Moura <email address hidden> Tue, 12 Jul 2022 15:09:46 -0300

Changed in ubuntu-advantage-tools (Ubuntu Xenial):
status: Fix Committed → Fix Released