[Bug 1938043] Re: ubuntu-security-status

Chad Smith 1938043 at bugs.launchpad.net
Thu Sep 16 03:54:44 UTC 2021 

Verified success on Focal for update-manager    1:20.04.10.9

=== Verification script ===


#!/bin/bash
# assert old version incorrectly reports unattached when livepatch is disabled
# assert new version properly reports attached regardless of livepatch enabled/disabled
# assert new version reports detached when not attached to active ua contract

TOKEN=$1

cat > setup_proposed.sh <<EOF
#/bin/bash                                                                      
mirror=http://archive.ubuntu.com/ubuntu                                         
echo deb \$mirror \$(lsb_release -sc)-proposed main | tee /etc/apt/sources.list.d/proposed.list
apt-get update -q                                                               
apt-get install -qy update-manager | grep update-manager
dpkg-query --show update-manager
EOF


multipass launch focal -n vm-f
multipass exec vm-f sudo apt install hello
multipass exec vm-f -- dpkg-query --show hello
multipass exec vm-f -- dpkg-query --show update-manager
multipass exec vm-f -- ua status
multipass exec vm-f -- ubuntu-security-status
multipass exec vm-f -- ubuntu-security-status | grep "This machine is not attached to an Ubuntu Advantage subscription." || echo "FAILURE: ubuntu-security-status didn't report unattached"
multipass exec vm-f -- sudo ua attach $TOKEN
# Expect no unattached message because livepatch is running
multipass exec vm-f -- ubuntu-security-status | grep "This machine is not attached to an Ubuntu Advantage subscription." && echo "FAILED: OLD VERSION should NOT report attached state when livepatch is active"
multipass exec vm-f -- sudo ua disable livepatch
multipass exec vm-f -- ubuntu-security-status | grep "This machine is not attached to an Ubuntu Advantage subscription." || echo "FAILED: OLD VERSION DID NOT report unattached state when livepatch disabled"
echo "Upgrade to focal-proposed update-manager"
multipass transfer setup_proposed.sh vm-f:.
multipass exec vm-f sudo bash /home/ubuntu/setup_proposed.sh
multipass exec vm-f -- ubuntu-security-status
multipass exec vm-f -- ubuntu-security-status | grep "This machine is not attached to an Ubuntu Advantage subscription." && echo "FAILED: PROPOSED VERSION DID NOT report attached state when livepatch disabled"
multipass exec vm-f -- sudo ua enable livepatch
multipass exec vm-f -- ubuntu-security-status | grep "This machine is not attached to an Ubuntu Advantage subscription." && echo "FAILED: PROPOSED VERSION DID NOT report attached state when livepatch enabled"
multipass exec vm-f -- sudo ua detach
multipass exec vm-f -- ubuntu-security-status
multipass exec vm-f -- ubuntu-security-status | grep "This machine is not attached to an Ubuntu Advantage subscription." || echo "FAILED: PROPOSED VERSION DID NOT report unattached state when detached"


==== Verification output ====
Note: no "FAILURE" messages
Note: new update manager reports attach regardless of livepatch status
Note: ubuntu-security-status properly reports unattached after `ua detach` called

Launched: vm-f                                                                  
Reading package lists... Done                                                   
Building dependency tree       
Reading state information... Done
The following NEW packages will be installed:
  hello
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Need to get 28.2 kB of archives.
After this operation, 115 kB of additional disk space will be used.
Get:1 http://archive.ubuntu.com/ubuntu focal/main amd64 hello amd64 2.10-2ubuntu2 [28.2 kB]
Fetched 28.2 kB in 1s (31.5 kB/s)
Selecting previously unselected package hello.
(Reading database ... 63512 files and directories currently installed.)
Preparing to unpack .../hello_2.10-2ubuntu2_amd64.deb ...
Unpacking hello (2.10-2ubuntu2) ...
Setting up hello (2.10-2ubuntu2) ...
Processing triggers for man-db (2.9.1-1) ...
Processing triggers for install-info (6.7.0.dfsg.2-5) ...
hello	2.10-2ubuntu2
update-manager	
SERVICE       AVAILABLE  DESCRIPTION
cis           yes        Center for Internet Security Audit Tools
esm-infra     yes        UA Infra: Extended Security Maintenance (ESM)
fips          yes        NIST-certified core packages
fips-updates  yes        NIST-certified core packages with priority security updates
livepatch     yes        Canonical Livepatch service

This machine is not attached to a UA subscription.
See https://ubuntu.com/advantage
583 packages installed, of which:
583 receive package updates with LTS until 4/2025

This machine is not attached to an Ubuntu Advantage subscription.
See https://ubuntu.com/advantage
This machine is not attached to an Ubuntu Advantage subscription.
Enabling default service esm-infra
Updating package lists
UA Infra: ESM enabled
Enabling default service livepatch
Installing canonical-livepatch snap
Canonical livepatch enabled.
This machine is now attached to 'chad.smith at canonical.com'

SERVICE       ENTITLED  STATUS    DESCRIPTION
cis           yes       disabled  Center for Internet Security Audit Tools
esm-infra     yes       enabled   UA Infra: Extended Security Maintenance (ESM)
fips          yes       disabled  NIST-certified core packages
fips-updates  yes       disabled  NIST-certified core packages with priority security updates
livepatch     yes       enabled   Canonical Livepatch service

NOTICES
Operation in progress: ua attach

Enable services with: ua enable <service>

     Account: chad.smith at canonical.com
Subscription: chad.smith at canonical.com
This machine is not attached to an Ubuntu Advantage subscription.
Upgrade to focal-proposed update-manager
deb http://archive.ubuntu.com/ubuntu focal-proposed main
Hit:1 http://security.ubuntu.com/ubuntu focal-security InRelease
Hit:2 https://esm.ubuntu.com/infra/ubuntu focal-infra-security InRelease
Hit:3 https://esm.ubuntu.com/infra/ubuntu focal-infra-updates InRelease
Hit:4 http://archive.ubuntu.com/ubuntu focal InRelease
Hit:5 http://archive.ubuntu.com/ubuntu focal-updates InRelease
Hit:6 http://archive.ubuntu.com/ubuntu focal-backports InRelease
Get:7 http://archive.ubuntu.com/ubuntu focal-proposed InRelease [267 kB]
Get:8 http://archive.ubuntu.com/ubuntu focal-proposed/main amd64 Packages [148 kB]
Get:9 http://archive.ubuntu.com/ubuntu focal-proposed/main Translation-en [37.5 kB]
Get:10 http://archive.ubuntu.com/ubuntu focal-proposed/main amd64 c-n-f Metadata [2340 B]
Fetched 455 kB in 2s (211 kB/s)
Reading package lists...
  python3-software-properties python3-talloc python3-tz python3-update-manager
  ubuntu-wallpapers-focal unzip update-inetd update-manager-core
  ubuntu-wallpapers ubuntu-wallpapers-focal unzip update-inetd update-manager
  python3-apport python3-software-properties python3-update-manager
  software-properties-common update-manager-core
Get:40 http://archive.ubuntu.com/ubuntu focal-proposed/main amd64 python3-update-manager all 1:20.04.10.9 [38.1 kB]
Get:41 http://archive.ubuntu.com/ubuntu focal-proposed/main amd64 update-manager-core all 1:20.04.10.9 [11.5 kB]
Get:490 http://archive.ubuntu.com/ubuntu focal-proposed/main amd64 update-manager all 1:20.04.10.9 [551 kB]
Extracting templates from packages: 100%
Preparing to unpack .../039-python3-update-manager_1%3a20.04.10.9_all.deb ...
Unpacking python3-update-manager (1:20.04.10.9) over (1:20.04.10.7) ...
Preparing to unpack .../040-update-manager-core_1%3a20.04.10.9_all.deb ...
Unpacking update-manager-core (1:20.04.10.9) over (1:20.04.10.7) ...
Selecting previously unselected package update-manager.
Preparing to unpack .../489-update-manager_1%3a20.04.10.9_all.deb ...
Unpacking update-manager (1:20.04.10.9) ...
Setting up python3-update-manager (1:20.04.10.9) ...
Setting up update-manager-core (1:20.04.10.9) ...
Setting up update-manager (1:20.04.10.9) ...
update-manager	1:20.04.10.9
1112 packages installed, of which:
1112 receive package updates with LTS until 4/2025
One moment, checking your subscription first
Canonical livepatch enabled.
Detach will disable the following services:
    esm-infra
    livepatch
Are you sure? (y/N) y
Updating package lists
A reboot is required to complete disable operation.
This machine is now detached.
1112 packages installed, of which:
1112 receive package updates with LTS until 4/2025

This machine is not attached to an Ubuntu Advantage subscription.
See https://ubuntu.com/advantage
This machine is not attached to an Ubuntu Advantage subscription.
====

** Tags removed: verification-needed verification-needed-focal
** Tags added: verification-done verification-done-focal

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to update-manager in Ubuntu.
https://bugs.launchpad.net/bugs/1938043

Title:
  ubuntu-security-status

Status in update-manager package in Ubuntu:
  Fix Released
Status in update-manager source package in Focal:
  Fix Committed

Bug description:
  Impact
  ------
  ubuntu-security-status incorrectly reports the status of Ubuntu Advantage subscriptions.

  Test Case
  ---------
  1) ua attach <REDACTED_TOKEN>
  2) ubuntu-security-status

  With the version of the package in the release pocket you'll see
  output ending with "This machine is not attached to an Ubuntu
  Advantage subscription"

  With the version of the package from -proposed the output will not say
  you are not attached.

  Another test case
  1) Run the version of ubuntu-security-status from -proposed on an unattached system

  You'll see output with "This machine is not attached to an Ubuntu
  Advantage subscription"

  Where things could go wrong
  ---------------------------
  Its possible that ubuntu-security-status could think that a UA subscription is attached when in fact one is not attached so ubuntu-security-status should also be run on an unattached system.

  Original Description
  --------------------
  In 20.04 ubuntu-security-status incorrect reports the status of subscription:

  ```
  $ sudo ubuntu-security-status
  1594 packages installed, of which:
  1588 receive package updates with LTS until 4/2025
     6 are receiving security updates with ESM Apps until 4/2030

  This machine is not attached to an Ubuntu Advantage subscription.
  See https://ubuntu.com/advantage
  ```

  It shows no subscription in the system even though there is. ua status correctly shows the subscription:
  ```
  $ ua status
  SERVICE       ENTITLED  STATUS    DESCRIPTION
  cis           yes       disabled  Center for Internet Security Audit Tools
  esm-apps      yes       enabled   UA Apps: Extended Security Maintenance (ESM)
  esm-infra     yes       enabled   UA Infra: Extended Security Maintenance (ESM)
  fips          yes       disabled  NIST-certified core packages
  fips-updates  yes       disabled  NIST-certified core packages with priority security updates
  livepatch     yes       disabled  Canonical Livepatch service

  Enable services with: ua enable <service>

                  Account: Canonical - staff
             Subscription: UA Applications - Essential (Virtual)
              Valid until: 3999-12-31 00:00:00
  Technical support level: essential
  ```

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/update-manager/+bug/1938043/+subscriptions

More information about the foundations-bugs mailing list