Canonical-LivePatch fails SILENTLY! (Only Ubuntu 16.04 LTS is supported, exiting.)
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
snapd (Ubuntu) | Confirmed | Undecided | Unassigned |
Bug Description
Please note, this is a bug report for canonical-
-------
This morning, canonical-livepatch successfully applied fixes for several CVEs, and it then asked me to reboot the machine. I did so, when it was convenient, and once the machine was up again, I tested whether all known vulnerabilities were addressed:
```
# canonical-livepatch status --verbose
Connection to the daemon failed: Get http://
```
Now that's unexpected. Something failed silently! Good thing I noticed. Let's debug:
```
# systemctl status snap.canonical-
* snap.canonical-
Loaded: loaded (/etc/systemd/
Active: inactive (dead) (Result: exit-code) since Thu 2017-02-23 11:12:28 PST; 16min ago
Process: 23885 ExecStart=
Main PID: 23885 (code=exited, status=1/FAILURE)
systemd[1]: snap.canonical-
systemd[1]: snap.canonical-
systemd[1]: snap.canonical-
systemd[1]: Stopped Service for snap application canonical-
systemd[1]: snap.canonical-
systemd[1]: Failed to start Service for snap application canonical-
```
Seems as if the Snap package had some problem. Let's run it manually:
```
# snap run canonical-
Only Ubuntu 16.04 LTS is supported, exiting.
```
That's unexpected. It worked this morning and I haven't changed distributions since. Let's see what snap thinks it is running on:
```
# snap --version
snap 2.22.6
snapd 2.22.6
series 16
ubuntu 16.04
kernel 4.4.0-64-lowlatency
# cat /etc/lsb-release
DISTRIB_ID=Ubuntu
DISTRIB_
DISTRIB_
DISTRIB_
```
That all looks perfectly normal to me. Sounds as if it is a bug in Canonical-
-------
In summary, there are three problems here. First of all, Canonical-Livepatch fails, even though the distribution is supported, and it in fact patched this kernel release only hours earlier.
Secondly, and that's more worrisome, it fails silently.
For a security feature that is supposed to work in the background and to apply crucial security fixes, silent failure is even worse than not running Canonical-Livepatch at all. It gives a false sense of security.
Because of this, I am marking this bug as a security bug, so that the relevant team can take a look and triage. Feel free to remove the security flag, if you think it isn't appropriate.
And thirdly, Canonical makes the LivePatch service available to the community for free in order to collect bug reports. That's commendable, but ultimately futile, if the official documentation at http://
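As an added example that is not part of this bug report (and not Canonical's code), a small POSIX shell health check that turns the silent failure described above into a loud one: it only reports success when the client's systemd unit is active and the status output contains a healthy marker, and it exits non-zero otherwise so that cron or a monitoring agent can raise an alert. The unit name, the `systemctl is-active` wrapper and the `running: true` marker are assumptions; the failure strings are taken from the report's own output, and the sample texts are constructed.

```shell
#!/bin/sh
# Added monitoring example, not from the bug report: make a livepatch daemon
# that dies at start-up fail loudly instead of silently.

# Assumed systemd unit name (the report shows it truncated as "snap.canonical-").
LIVEPATCH_UNIT="snap.canonical-livepatch.canonical-livepatchd.service"
# Assumed substring that a healthy `canonical-livepatch status --verbose`
# prints for the running kernel; adjust it for your client version.
HEALTHY_MARKER="running: true"

# evaluate_livepatch STATUS_OUTPUT UNIT_STATE
#   STATUS_OUTPUT: captured text of `canonical-livepatch status --verbose`
#   UNIT_STATE:    output of `systemctl is-active $LIVEPATCH_UNIT`
# Returns 0 only when the unit is active and the status text contains the
# healthy marker and none of the failure messages seen in the report.
evaluate_livepatch() {
    status_output="$1"
    unit_state="$2"
    if [ "$unit_state" != "active" ]; then
        echo "ALERT: $LIVEPATCH_UNIT is '$unit_state', not active" >&2
        return 1
    fi
    case "$status_output" in
        *"Connection to the daemon failed"*)
            echo "ALERT: livepatch client cannot reach its daemon" >&2
            return 1 ;;
        *"Only Ubuntu 16.04 LTS is supported"*)
            echo "ALERT: livepatch refused to start on this host" >&2
            return 1 ;;
        *"$HEALTHY_MARKER"*)
            return 0 ;;
    esac
    echo "ALERT: livepatch status did not report '$HEALTHY_MARKER'" >&2
    return 1
}

# check_livepatch_host: run the real commands on this machine and exit
# non-zero when anything is wrong (suitable for cron with mail or a monitor).
check_livepatch_host() {
    unit_state=$(systemctl is-active "$LIVEPATCH_UNIT" 2>/dev/null || true)
    status_output=$(canonical-livepatch status --verbose 2>&1 || true)
    evaluate_livepatch "$status_output" "$unit_state"
}

# Constructed samples mirroring the report's output, for a self-check.
BROKEN_STATUS="Connection to the daemon failed: Get http://PLACEHOLDER: dial error"
HEALTHY_STATUS="kernel: 4.4.0-64-lowlatency
running: true"

# Self-demonstration on the constructed samples when the script is run directly.
evaluate_livepatch "$BROKEN_STATUS" inactive || echo "demo: broken case flagged"
evaluate_livepatch "$HEALTHY_STATUS" active && echo "demo: healthy case passed"
```

Run `check_livepatch_host` from a cron entry or a monitoring probe; a client that starts and immediately exits, as in the report, shows up as an inactive unit and a "Connection to the daemon failed" status, and both paths produce an alert rather than a quiet exit.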
information type: Private Security → Public
The new place for livepatch client bugs is https://bugs.launchpad.net/canonical-livepatch-client/+filebug
I couldn't just add this bug to that project, so I filed a new bug there referencing this one. I don't know if that one will be visible, but its URL is https://bugs.launchpad.net/bugs/1667515 just in case it is made public.
Thanks