[Bug 1938043] Re: ubuntu-security-status
Chad Smith
1938043 at bugs.launchpad.net
Thu Sep 16 03:54:44 UTC 2021
Verified success on Focal for update-manager 1:20.04.10.9
=== Verification script ===
#!/bin/bash
# assert old version incorrectly reports unattached when livepatch is disabled
# assert new version properly reports attached regardless of livepatch enabled/disabled
# assert new version reports detached when not attached to active ua contract
TOKEN=$1
cat > setup_proposed.sh <<EOF
#/bin/bash
mirror=http://archive.ubuntu.com/ubuntu
echo deb \$mirror \$(lsb_release -sc)-proposed main | tee /etc/apt/sources.list.d/proposed.list
apt-get update -q
apt-get install -qy update-manager | grep update-manager
dpkg-query --show update-manager
EOF
multipass launch focal -n vm-f
multipass exec vm-f sudo apt install hello
multipass exec vm-f -- dpkg-query --show hello
multipass exec vm-f -- dpkg-query --show update-manager
multipass exec vm-f -- ua status
multipass exec vm-f -- ubuntu-security-status
multipass exec vm-f -- ubuntu-security-status | grep "This machine is not attached to an Ubuntu Advantage subscription." || echo "FAILURE: ubuntu-security-status didn't report unattached"
multipass exec vm-f -- sudo ua attach $TOKEN
# Expect no unattached message because livepatch is running
multipass exec vm-f -- ubuntu-security-status | grep "This machine is not attached to an Ubuntu Advantage subscription." && echo "FAILED: OLD VERSION should NOT report attached state when livepatch is active"
multipass exec vm-f -- sudo ua disable livepatch
multipass exec vm-f -- ubuntu-security-status | grep "This machine is not attached to an Ubuntu Advantage subscription." || echo "FAILED: OLD VERSION DID NOT report unattached state when livepatch disabled"
echo "Upgrade to focal-proposed update-manager"
multipass transfer setup_proposed.sh vm-f:.
multipass exec vm-f sudo bash /home/ubuntu/setup_proposed.sh
multipass exec vm-f -- ubuntu-security-status
multipass exec vm-f -- ubuntu-security-status | grep "This machine is not attached to an Ubuntu Advantage subscription." && echo "FAILED: PROPOSED VERSION DID NOT report attached state when livepatch disabled"
multipass exec vm-f -- sudo ua enable livepatch
multipass exec vm-f -- ubuntu-security-status | grep "This machine is not attached to an Ubuntu Advantage subscription." && echo "FAILED: PROPOSED VERSION DID NOT report attached state when livepatch enabled"
multipass exec vm-f -- sudo ua detach
multipass exec vm-f -- ubuntu-security-status
multipass exec vm-f -- ubuntu-security-status | grep "This machine is not attached to an Ubuntu Advantage subscription." || echo "FAILED: PROPOSED VERSION DID NOT report unattached state when detached"
==== Verification output ====
Note: no "FAILURE" messages
Note: new update manager reports attach regardless of livepatch status
Note: ubuntu-security-status properly reports unattached after `ua detach` called
Launched: vm-f
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following NEW packages will be installed:
hello
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Need to get 28.2 kB of archives.
After this operation, 115 kB of additional disk space will be used.
Get:1 http://archive.ubuntu.com/ubuntu focal/main amd64 hello amd64 2.10-2ubuntu2 [28.2 kB]
Fetched 28.2 kB in 1s (31.5 kB/s)
Selecting previously unselected package hello.
(Reading database ... 63512 files and directories currently installed.)
Preparing to unpack .../hello_2.10-2ubuntu2_amd64.deb ...
Unpacking hello (2.10-2ubuntu2) ...
Setting up hello (2.10-2ubuntu2) ...
Processing triggers for man-db (2.9.1-1) ...
Processing triggers for install-info (6.7.0.dfsg.2-5) ...
hello 2.10-2ubuntu2
update-manager
SERVICE AVAILABLE DESCRIPTION
cis yes Center for Internet Security Audit Tools
esm-infra yes UA Infra: Extended Security Maintenance (ESM)
fips yes NIST-certified core packages
fips-updates yes NIST-certified core packages with priority security updates
livepatch yes Canonical Livepatch service
This machine is not attached to a UA subscription.
See https://ubuntu.com/advantage
583 packages installed, of which:
583 receive package updates with LTS until 4/2025
This machine is not attached to an Ubuntu Advantage subscription.
See https://ubuntu.com/advantage
This machine is not attached to an Ubuntu Advantage subscription.
Enabling default service esm-infra
Updating package lists
UA Infra: ESM enabled
Enabling default service livepatch
Installing canonical-livepatch snap
Canonical livepatch enabled.
This machine is now attached to 'chad.smith at canonical.com'
SERVICE ENTITLED STATUS DESCRIPTION
cis yes disabled Center for Internet Security Audit Tools
esm-infra yes enabled UA Infra: Extended Security Maintenance (ESM)
fips yes disabled NIST-certified core packages
fips-updates yes disabled NIST-certified core packages with priority security updates
livepatch yes enabled Canonical Livepatch service
NOTICES
Operation in progress: ua attach
Enable services with: ua enable <service>
Account: chad.smith at canonical.com
Subscription: chad.smith at canonical.com
This machine is not attached to an Ubuntu Advantage subscription.
Upgrade to focal-proposed update-manager
deb http://archive.ubuntu.com/ubuntu focal-proposed main
Hit:1 http://security.ubuntu.com/ubuntu focal-security InRelease
Hit:2 https://esm.ubuntu.com/infra/ubuntu focal-infra-security InRelease
Hit:3 https://esm.ubuntu.com/infra/ubuntu focal-infra-updates InRelease
Hit:4 http://archive.ubuntu.com/ubuntu focal InRelease
Hit:5 http://archive.ubuntu.com/ubuntu focal-updates InRelease
Hit:6 http://archive.ubuntu.com/ubuntu focal-backports InRelease
Get:7 http://archive.ubuntu.com/ubuntu focal-proposed InRelease [267 kB]
Get:8 http://archive.ubuntu.com/ubuntu focal-proposed/main amd64 Packages [148 kB]
Get:9 http://archive.ubuntu.com/ubuntu focal-proposed/main Translation-en [37.5 kB]
Get:10 http://archive.ubuntu.com/ubuntu focal-proposed/main amd64 c-n-f Metadata [2340 B]
Fetched 455 kB in 2s (211 kB/s)
Reading package lists...
python3-software-properties python3-talloc python3-tz python3-update-manager
ubuntu-wallpapers-focal unzip update-inetd update-manager-core
ubuntu-wallpapers ubuntu-wallpapers-focal unzip update-inetd update-manager
python3-apport python3-software-properties python3-update-manager
software-properties-common update-manager-core
Get:40 http://archive.ubuntu.com/ubuntu focal-proposed/main amd64 python3-update-manager all 1:20.04.10.9 [38.1 kB]
Get:41 http://archive.ubuntu.com/ubuntu focal-proposed/main amd64 update-manager-core all 1:20.04.10.9 [11.5 kB]
Get:490 http://archive.ubuntu.com/ubuntu focal-proposed/main amd64 update-manager all 1:20.04.10.9 [551 kB]
Extracting templates from packages: 100%
Preparing to unpack .../039-python3-update-manager_1%3a20.04.10.9_all.deb ...
Unpacking python3-update-manager (1:20.04.10.9) over (1:20.04.10.7) ...
Preparing to unpack .../040-update-manager-core_1%3a20.04.10.9_all.deb ...
Unpacking update-manager-core (1:20.04.10.9) over (1:20.04.10.7) ...
Selecting previously unselected package update-manager.
Preparing to unpack .../489-update-manager_1%3a20.04.10.9_all.deb ...
Unpacking update-manager (1:20.04.10.9) ...
Setting up python3-update-manager (1:20.04.10.9) ...
Setting up update-manager-core (1:20.04.10.9) ...
Setting up update-manager (1:20.04.10.9) ...
update-manager 1:20.04.10.9
1112 packages installed, of which:
1112 receive package updates with LTS until 4/2025
One moment, checking your subscription first
Canonical livepatch enabled.
Detach will disable the following services:
esm-infra
livepatch
Are you sure? (y/N) y
Updating package lists
A reboot is required to complete disable operation.
This machine is now detached.
1112 packages installed, of which:
1112 receive package updates with LTS until 4/2025
This machine is not attached to an Ubuntu Advantage subscription.
See https://ubuntu.com/advantage
This machine is not attached to an Ubuntu Advantage subscription.
====
** Tags removed: verification-needed verification-needed-focal
** Tags added: verification-done verification-done-focal
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to update-manager in Ubuntu.
https://bugs.launchpad.net/bugs/1938043
Title:
ubuntu-security-status
Status in update-manager package in Ubuntu:
Fix Released
Status in update-manager source package in Focal:
Fix Committed
Bug description:
Impact
------
ubuntu-security-status incorrectly reports the status of Ubuntu Advantage subscriptions.
Test Case
---------
1) ua attach <REDACTED_TOKEN>
2) ubuntu-security-status
With the version of the package in the release pocket you'll see
output ending with "This machine is not attached to an Ubuntu
Advantage subscription"
With the version of the package from -proposed the output will not say
you are not attached.
Another test case
1) Run the version of ubuntu-security-status from -proposed on an unattached system
You'll see output with "This machine is not attached to an Ubuntu
Advantage subscription"
Where things could go wrong
---------------------------
Its possible that ubuntu-security-status could think that a UA subscription is attached when in fact one is not attached so ubuntu-security-status should also be run on an unattached system.
Original Description
--------------------
In 20.04 ubuntu-security-status incorrect reports the status of subscription:
```
$ sudo ubuntu-security-status
1594 packages installed, of which:
1588 receive package updates with LTS until 4/2025
6 are receiving security updates with ESM Apps until 4/2030
This machine is not attached to an Ubuntu Advantage subscription.
See https://ubuntu.com/advantage
```
It shows no subscription in the system even though there is. ua status correctly shows the subscription:
```
$ ua status
SERVICE ENTITLED STATUS DESCRIPTION
cis yes disabled Center for Internet Security Audit Tools
esm-apps yes enabled UA Apps: Extended Security Maintenance (ESM)
esm-infra yes enabled UA Infra: Extended Security Maintenance (ESM)
fips yes disabled NIST-certified core packages
fips-updates yes disabled NIST-certified core packages with priority security updates
livepatch yes disabled Canonical Livepatch service
Enable services with: ua enable <service>
Account: Canonical - staff
Subscription: UA Applications - Essential (Virtual)
Valid until: 3999-12-31 00:00:00
Technical support level: essential
```
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/update-manager/+bug/1938043/+subscriptions
More information about the foundations-bugs
mailing list