pro security-status not showing support as expected.
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
ubuntu-advantage-tools (Ubuntu) |
Fix Released
|
Undecided
|
Renan Rodrigo | ||
Xenial |
Fix Released
|
Undecided
|
Unassigned | ||
Bionic |
Fix Released
|
Undecided
|
Unassigned | ||
Focal |
Fix Released
|
Undecided
|
Unassigned | ||
Jammy |
Fix Released
|
Undecided
|
Unassigned | ||
Kinetic |
Fix Released
|
Undecided
|
Unassigned |
Bug Description
[Impact]
The users affected by this bug are running Bionic/Focal/Jammy machines, and see the wrong support dates for the Main/Restricted packages.
The support is active and working for the whole ESM period, but pro security-status shows the date for LTS only until it expires.
[Test Case]
- Enable esm-infra in an Ubuntu Bionic/Focal/Jammy machine
- run `pro security-status`
- see that the reported support date is still the LTS one
- install ubuntu-
- run `pro security-status`
- verify that the reported support date is now the esm-infra one.
[Regression Potential]
This presents as a small fix, and there is little to no regression potential. Integration tests are covering this.
[Original Description]
I enabled Ubuntu Pro on 18.04. when I use the command:
pro security-status
I get the following:
Main/Restricted packages receive updates until 2023.
Universe/Multiverse packages receive updates until 2028.
Shouldn't I be receiving updates for both Main/Restricted and Universe/multiverse until 2028 after enabling Ubuntu Pro?
If this is a bug, I am not sure if this is a security vulnerability or not.
Renan Rodrigo (renanrodrigo) wrote : | #1 |
Changed in ubuntu-advantage-tools (Ubuntu): | |
status: | New → In Progress |
Changed in ubuntu-advantage-tools (Ubuntu): | |
assignee: | nobody → Renan Rodrigo (renanrodrigo) |
oshirowanen yoshigawa (oshirowanen-7) wrote : | #2 |
Good to know. Thank you.
summary: |
- Enabling Ubuntu Pro not working as expected. + pro security-status not showing support as expected. |
description: | updated |
Andreas Hasenack (ahasenack) wrote : | #3 |
In the SRU review it was noticed that the apt environment used to update the ESM cache is not really isolated from the system. For example, we noticed that the APT::Update:
APT::Update:
"[ ! -e /run/systemd/system ] || systemctl start --no-block apt-news.service esm-cache.service || true";
};
https:/
This happens because esm-cache.service, in the end, calls apt update again (via the python library). We just don't get a nasty loop here because systemd won't start a second copy of esm-cache.service.
This lack of isolation is a concern. All hooks from the system apt (defined in /etc/apt) will be called by the esm-only apt, maybe even in parallel, depending on timing. There are hooks to update stamp files, and motd. There are many unknowns here.
We discussed this at length with the Pro team, and will take the following approach:
- the Pro team work on isolating the esm-cache apt instance, and pull in only very specific configs from the system apt (/etc/apt), like proxy settings, and other settings they identify as being needed
- I will accept u-a-t into proposed, so that the other aspects of this SRU can be tested in parallel, but with the condition that: a) the Pro team will come up with a new set of fixes on top for the "shared config" issue identified above, and upload a new version to proposed; b) this package I'm accepting into proposed today MUST NOT be released. I will add a block-proposed tag to this bug to that effect
- when the improved package is ready to be uploaded, it shall be accepted in to proposed on top of today's package, and a new round of testing will be done. Initially only on top of the new changes, but if possible, the whole test suite.
tags: | added: block-proposed-kinetic |
Changed in ubuntu-advantage-tools (Ubuntu Kinetic): | |
status: | New → Fix Committed |
tags: | added: verification-needed verification-needed-kinetic |
Andreas Hasenack (ahasenack) wrote : Please test proposed package | #4 |
Hello oshirowanen, or anyone else affected,
Accepted ubuntu-
Please help us by testing this new package. See https:/
If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-
Further information regarding the verification process can be found at https:/
N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.
Changed in ubuntu-advantage-tools (Ubuntu Jammy): | |
status: | New → Fix Committed |
tags: | added: verification-needed-jammy |
Andreas Hasenack (ahasenack) wrote : | #5 |
Hello oshirowanen, or anyone else affected,
Accepted ubuntu-
Please help us by testing this new package. See https:/
If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-
Further information regarding the verification process can be found at https:/
N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.
tags: |
added: block-proposed-bionic block-proposed-focal block-proposed-jammy block-proposed-xenial removed: verification-needed-jammy |
Changed in ubuntu-advantage-tools (Ubuntu Focal): | |
status: | New → Fix Committed |
tags: | added: verification-needed-focal |
Andreas Hasenack (ahasenack) wrote : | #6 |
Hello oshirowanen, or anyone else affected,
Accepted ubuntu-
Please help us by testing this new package. See https:/
If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-
Further information regarding the verification process can be found at https:/
N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.
Changed in ubuntu-advantage-tools (Ubuntu Bionic): | |
status: | New → Fix Committed |
tags: | added: verification-needed-bionic |
Andreas Hasenack (ahasenack) wrote : | #7 |
Hello oshirowanen, or anyone else affected,
Accepted ubuntu-
Please help us by testing this new package. See https:/
If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-
Further information regarding the verification process can be found at https:/
N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.
Changed in ubuntu-advantage-tools (Ubuntu Xenial): | |
status: | New → Fix Committed |
tags: | added: verification-needed-xenial |
Andreas Hasenack (ahasenack) wrote : | #8 |
Hello oshirowanen, or anyone else affected,
Accepted ubuntu-
Please help us by testing this new package. See https:/
If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-
Further information regarding the verification process can be found at https:/
N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.
Launchpad Janitor (janitor) wrote : | #9 |
This bug was fixed in the package ubuntu-
---------------
ubuntu-
* d/bash-completion:
- enable autocomplete for the 'pro' command (GH: #2280)
* d/control:
- update the package description
* d/postinst:
- remove unauthenticated esm repos from Xenial systems (LP: #1990378)
* New upstream release 27.13 (LP: #2003018)
- apt:
+ remove logic which added repositories and pinned them to 'never' to
enable access to esm package lists
+ add functionality to create and update a local apt esm cache with
the lists for esm-infra and esm-apps
- apt-hook: update the cpp hook to use the local esm apt cache
- apt-news:
+ fetch and display APT News in apt upgrade
+ show contract expiration notices in the apt news output
- attach: support attaching without being able to install snapd
(LP: #1997514)
- cli:
+ do not show invalid subcommands in autocomplete (GH: #2279)
+ add support for attaching through the web portal, without a token
- config: add apt_news_url option
- docs: reorganize documentation and correct information
- esm-apps: release the service as GA
- jobs:
+ remove the update_status job
+ remove unused job which checks for the system EOL
- messaging: do not fail if the apt-hook executable is not present
(LP: #1994480)
- motd: announce esm-apps as GA
- security-status:
+ use the local esm cache to report updates when the services are
disabled
+ redesign output to properly show support (LP: #2002407)
- services: add new service to update the local esm caches
- ros: release the service as GA
- bug fixes:
+ report reboot_required even if 'livepatch status' fails
+ do not create unexpected environment variables when the autocomplete
script runs
+ contract requests do not cause 'pro status' to fail
+ remove auto-attach motd message if any failure happens
+ log when 'cloud-id' fails
+ always honor the metering job timer config
+ write files atomically
-- Renan Rodrigo <email address hidden> Mon, 16 Jan 2023 10:01:11 -0300
Changed in ubuntu-advantage-tools (Ubuntu): | |
status: | In Progress → Fix Released |
Andreas Hasenack (ahasenack) wrote : | #10 |
Hello oshirowanen, or anyone else affected,
Accepted ubuntu-
Please help us by testing this new package. See https:/
If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-
Further information regarding the verification process can be found at https:/
N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.
tags: | removed: block-proposed-kinetic |
tags: | removed: block-proposed-jammy |
tags: | added: verification-needed-jammy |
Andreas Hasenack (ahasenack) wrote : | #11 |
Hello oshirowanen, or anyone else affected,
Accepted ubuntu-
Please help us by testing this new package. See https:/
If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-
Further information regarding the verification process can be found at https:/
N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.
tags: | removed: block-proposed-focal |
Andreas Hasenack (ahasenack) wrote : | #12 |
Hello oshirowanen, or anyone else affected,
Accepted ubuntu-
Please help us by testing this new package. See https:/
If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-
Further information regarding the verification process can be found at https:/
N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.
tags: | removed: block-proposed-bionic |
Andreas Hasenack (ahasenack) wrote : | #13 |
Hello oshirowanen, or anyone else affected,
Accepted ubuntu-
Please help us by testing this new package. See https:/
If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-
Further information regarding the verification process can be found at https:/
N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.
Andreas Hasenack (ahasenack) wrote : | #14 |
Hello oshirowanen, or anyone else affected,
Accepted ubuntu-
Please help us by testing this new package. See https:/
If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-
Further information regarding the verification process can be found at https:/
N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.
tags: | removed: block-proposed-xenial |
Lucas Albuquerque Medeiros de Moura (lamoura) wrote : | #15 |
- pro-test-results.tar.xz Edit (1.5 KiB, application/x-tar)
I have verified this bug with the following script:
-------
#!/bin/bash
set -e
series=$1
token=$2
name=$series-dev
cleanup () {
lxc delete $name --force
}
on_err () {
echo -e "Test Failed"
cleanup
exit 1
}
trap on_err ERR
lxc launch ubuntu-
sleep 10
echo "######
echo "Update to latest version of pro (27.12)"
lxc exec $name -- sudo apt-get update > /dev/null
lxc exec $name -- sudo apt-get install ubuntu-
lxc exec $name -- apt-cache policy ubuntu-
echo -e "######
echo "######
echo "Attach to Pro subscription"
lxc exec $name -- sudo pro attach $token
echo -e "######
echo "######
echo "Run pro security-status (Verify that the esm-infra date is incorrect)"
lxc exec $name -- pro security-status
echo -e "######
echo "######
echo "Installing package from proposed"
lxc exec $name -- sh -c "echo \"deb http://
lxc exec $name -- sudo apt-get update > /dev/null
lxc exec $name -- sudo apt-get install ubuntu-
lxc exec $name -- apt-cache policy ubuntu-
echo -e "######
echo "######
echo "Run pro security-status (Verify that the esm-infra date is now correct)"
lxc exec $name -- pro security-status
echo "######
cleanup
-------
And I can confirm that `pro security-status` is working as expected.
PS: Note we will not see dates wrong dates on Xenial, is it already ESM and Kinetic does not have esm-infra support
tags: |
added: verification-done verification-done-bionic verification-done-focal verification-done-jammy verification-done-kinetic verification-done-xenial removed: verification-needed verification-needed-bionic verification-needed-focal verification-needed-jammy verification-needed-kinetic verification-needed-xenial |
Andreas Hasenack (ahasenack) wrote : | #16 |
I verified all test logs and am satisfied that they followed the proposed test plan. Noted the exception for xenial (already under ESM, dates are correct), and kinetic (not an LTS, so no change).
The package built correctly in all architectures and ubuntu releases it was meant for.
There are no DEP8 regressions.
There is no SRU freeze ongoing at the moment.
There is no halted phasing for previous SRUs of ubuntu-
Launchpad Janitor (janitor) wrote : | #17 |
This bug was fixed in the package ubuntu-
---------------
ubuntu-
* Backport new upstream release: (LP: #2003018) to kinetic
ubuntu-
* apt: better isolate apt esm cache by only fetching necessary
configuration from the system apt
ubuntu-
* d/bash-completion:
- enable autocomplete for the 'pro' command (GH: #2280)
* d/control:
- update the package description
* d/postinst:
- remove unauthenticated esm repos from Xenial systems (LP: #1990378)
* New upstream release 27.13 (LP: #2003018)
- apt:
+ remove logic which added repositories and pinned them to 'never' to
enable access to esm package lists
+ add functionality to create and update a local apt esm cache with
the lists for esm-infra and esm-apps
- apt-hook: update the cpp hook to use the local esm apt cache
- apt-news:
+ fetch and display APT News in apt upgrade
+ show contract expiration notices in the apt news output
- attach: support attaching without being able to install snapd
(LP: #1997514)
- cli:
+ do not show invalid subcommands in autocomplete (GH: #2279)
+ add support for attaching through the web portal, without a token
- config: add apt_news_url option
- docs: reorganize documentation and correct information
- esm-apps: release the service as GA
- jobs:
+ remove the update_status job
+ remove unused job which checks for the system EOL
- messaging: do not fail if the apt-hook executable is not present
(LP: #1994480)
- motd: announce esm-apps as GA
- security-status:
+ use the local esm cache to report updates when the services are
disabled
+ redesign output to properly show support (LP: #2002407)
- services: add new service to update the local esm caches
- ros: release the service as GA
- bug fixes:
+ report reboot_required even if 'livepatch status' fails
+ do not create unexpected environment variables when the autocomplete
script runs
+ contract requests do not cause 'pro status' to fail
+ remove auto-attach motd message if any failure happens
+ log when 'cloud-id' fails
+ always honor the metering job timer config
+ write files atomically
-- Lucas Moura <email address hidden> Mon, 23 Jan 2023 12:28:56 -0300
Changed in ubuntu-advantage-tools (Ubuntu Kinetic): | |
status: | Fix Committed → Fix Released |
Andreas Hasenack (ahasenack) wrote : Update Released | #18 |
The verification of the Stable Release Update for ubuntu-
Launchpad Janitor (janitor) wrote : | #19 |
This bug was fixed in the package ubuntu-
---------------
ubuntu-
* Backport new upstream release: (LP: #2003018) to jammy
ubuntu-
* apt: better isolate apt esm cache by only fetching necessary
configuration from the system apt
ubuntu-
* d/bash-completion:
- enable autocomplete for the 'pro' command (GH: #2280)
* d/control:
- update the package description
* d/postinst:
- remove unauthenticated esm repos from Xenial systems (LP: #1990378)
* New upstream release 27.13 (LP: #2003018)
- apt:
+ remove logic which added repositories and pinned them to 'never' to
enable access to esm package lists
+ add functionality to create and update a local apt esm cache with
the lists for esm-infra and esm-apps
- apt-hook: update the cpp hook to use the local esm apt cache
- apt-news:
+ fetch and display APT News in apt upgrade
+ show contract expiration notices in the apt news output
- attach: support attaching without being able to install snapd
(LP: #1997514)
- cli:
+ do not show invalid subcommands in autocomplete (GH: #2279)
+ add support for attaching through the web portal, without a token
- config: add apt_news_url option
- docs: reorganize documentation and correct information
- esm-apps: release the service as GA
- jobs:
+ remove the update_status job
+ remove unused job which checks for the system EOL
- messaging: do not fail if the apt-hook executable is not present
(LP: #1994480)
- motd: announce esm-apps as GA
- security-status:
+ use the local esm cache to report updates when the services are
disabled
+ redesign output to properly show support (LP: #2002407)
- services: add new service to update the local esm caches
- ros: release the service as GA
- bug fixes:
+ report reboot_required even if 'livepatch status' fails
+ do not create unexpected environment variables when the autocomplete
script runs
+ contract requests do not cause 'pro status' to fail
+ remove auto-attach motd message if any failure happens
+ log when 'cloud-id' fails
+ always honor the metering job timer config
+ write files atomically
-- Lucas Moura <email address hidden> Mon, 23 Jan 2023 12:28:48 -0300
Changed in ubuntu-advantage-tools (Ubuntu Jammy): | |
status: | Fix Committed → Fix Released |
Launchpad Janitor (janitor) wrote : | #20 |
This bug was fixed in the package ubuntu-
---------------
ubuntu-
* Backport new upstream release: (LP: #2003018) to focal
ubuntu-
* apt: better isolate apt esm cache by only fetching necessary
configuration from the system apt
ubuntu-
* d/bash-completion:
- enable autocomplete for the 'pro' command (GH: #2280)
* d/control:
- update the package description
* d/postinst:
- remove unauthenticated esm repos from Xenial systems (LP: #1990378)
* New upstream release 27.13 (LP: #2003018)
- apt:
+ remove logic which added repositories and pinned them to 'never' to
enable access to esm package lists
+ add functionality to create and update a local apt esm cache with
the lists for esm-infra and esm-apps
- apt-hook: update the cpp hook to use the local esm apt cache
- apt-news:
+ fetch and display APT News in apt upgrade
+ show contract expiration notices in the apt news output
- attach: support attaching without being able to install snapd
(LP: #1997514)
- cli:
+ do not show invalid subcommands in autocomplete (GH: #2279)
+ add support for attaching through the web portal, without a token
- config: add apt_news_url option
- docs: reorganize documentation and correct information
- esm-apps: release the service as GA
- jobs:
+ remove the update_status job
+ remove unused job which checks for the system EOL
- messaging: do not fail if the apt-hook executable is not present
(LP: #1994480)
- motd: announce esm-apps as GA
- security-status:
+ use the local esm cache to report updates when the services are
disabled
+ redesign output to properly show support (LP: #2002407)
- services: add new service to update the local esm caches
- ros: release the service as GA
- bug fixes:
+ report reboot_required even if 'livepatch status' fails
+ do not create unexpected environment variables when the autocomplete
script runs
+ contract requests do not cause 'pro status' to fail
+ remove auto-attach motd message if any failure happens
+ log when 'cloud-id' fails
+ always honor the metering job timer config
+ write files atomically
-- Lucas Moura <email address hidden> Mon, 23 Jan 2023 12:28:43 -0300
Changed in ubuntu-advantage-tools (Ubuntu Focal): | |
status: | Fix Committed → Fix Released |
Launchpad Janitor (janitor) wrote : | #21 |
This bug was fixed in the package ubuntu-
---------------
ubuntu-
* Backport new upstream release: (LP: #2003018) to bionic
ubuntu-
* apt: better isolate apt esm cache by only fetching necessary
configuration from the system apt
ubuntu-
* d/bash-completion:
- enable autocomplete for the 'pro' command (GH: #2280)
* d/control:
- update the package description
* d/postinst:
- remove unauthenticated esm repos from Xenial systems (LP: #1990378)
* New upstream release 27.13 (LP: #2003018)
- apt:
+ remove logic which added repositories and pinned them to 'never' to
enable access to esm package lists
+ add functionality to create and update a local apt esm cache with
the lists for esm-infra and esm-apps
- apt-hook: update the cpp hook to use the local esm apt cache
- apt-news:
+ fetch and display APT News in apt upgrade
+ show contract expiration notices in the apt news output
- attach: support attaching without being able to install snapd
(LP: #1997514)
- cli:
+ do not show invalid subcommands in autocomplete (GH: #2279)
+ add support for attaching through the web portal, without a token
- config: add apt_news_url option
- docs: reorganize documentation and correct information
- esm-apps: release the service as GA
- jobs:
+ remove the update_status job
+ remove unused job which checks for the system EOL
- messaging: do not fail if the apt-hook executable is not present
(LP: #1994480)
- motd: announce esm-apps as GA
- security-status:
+ use the local esm cache to report updates when the services are
disabled
+ redesign output to properly show support (LP: #2002407)
- services: add new service to update the local esm caches
- ros: release the service as GA
- bug fixes:
+ report reboot_required even if 'livepatch status' fails
+ do not create unexpected environment variables when the autocomplete
script runs
+ contract requests do not cause 'pro status' to fail
+ remove auto-attach motd message if any failure happens
+ log when 'cloud-id' fails
+ always honor the metering job timer config
+ write files atomically
-- Lucas Moura <email address hidden> Mon, 23 Jan 2023 12:28:37 -0300
Changed in ubuntu-advantage-tools (Ubuntu Bionic): | |
status: | Fix Committed → Fix Released |
Launchpad Janitor (janitor) wrote : | #22 |
This bug was fixed in the package ubuntu-
---------------
ubuntu-
* Backport new upstream release: (LP: #2003018) to xenial
ubuntu-
* apt: better isolate apt esm cache by only fetching necessary
configuration from the system apt
ubuntu-
* d/bash-completion:
- enable autocomplete for the 'pro' command (GH: #2280)
* d/control:
- update the package description
* d/postinst:
- remove unauthenticated esm repos from Xenial systems (LP: #1990378)
* New upstream release 27.13 (LP: #2003018)
- apt:
+ remove logic which added repositories and pinned them to 'never' to
enable access to esm package lists
+ add functionality to create and update a local apt esm cache with
the lists for esm-infra and esm-apps
- apt-hook: update the cpp hook to use the local esm apt cache
- apt-news:
+ fetch and display APT News in apt upgrade
+ show contract expiration notices in the apt news output
- attach: support attaching without being able to install snapd
(LP: #1997514)
- cli:
+ do not show invalid subcommands in autocomplete (GH: #2279)
+ add support for attaching through the web portal, without a token
- config: add apt_news_url option
- docs: reorganize documentation and correct information
- esm-apps: release the service as GA
- jobs:
+ remove the update_status job
+ remove unused job which checks for the system EOL
- messaging: do not fail if the apt-hook executable is not present
(LP: #1994480)
- motd: announce esm-apps as GA
- security-status:
+ use the local esm cache to report updates when the services are
disabled
+ redesign output to properly show support (LP: #2002407)
- services: add new service to update the local esm caches
- ros: release the service as GA
- bug fixes:
+ report reboot_required even if 'livepatch status' fails
+ do not create unexpected environment variables when the autocomplete
script runs
+ contract requests do not cause 'pro status' to fail
+ remove auto-attach motd message if any failure happens
+ log when 'cloud-id' fails
+ always honor the metering job timer config
+ write files atomically
-- Lucas Moura <email address hidden> Mon, 23 Jan 2023 12:28:29 -0300
Changed in ubuntu-advantage-tools (Ubuntu Xenial): | |
status: | Fix Committed → Fix Released |
Hello, oshirowanen, thanks for reporting this issue.
Yes, the text there is misleading. After enabling Ubuntu Pro, you DO get updates until 2028. It works like this:
- You have support until 2023 with the regular LTS support
- You have support from 2023 to 2028 with Pro and esm-infra enabled, which is missing in the text.
Your support is assured, don't worry. But the message should say it right, we will fix it.