Ubuntu
ubuntu-advantage-tools package

Proxy should be set up only for ua-related repos

Bug #1956764 reported by Andrey Grebennikov
10
This bug affects 1 person
Affects Status Importance Assigned to Milestone
ubuntu-advantage-tools (Ubuntu)
Fix Released
Medium
Unassigned

Bug Description

[Impact]

This was intended behavior, but is considered unintuitive and undesirable in some situations.

The issue affects users who want an apt proxy only for ua-related packages, who may find the `apt_http(s)_proxy` variables and expect them to do that. They will be surprised when those variables actually set global apt proxy settings.

This feature was built as such per the request of a different user, so we need to keep the ability to easily set a global apt proxy.

The fix is to add/rename the supported apt proxy settings in a backwards compatible way. We now support two differently scoped apt proxy settings:

global_apt_http(s)_proxy
ua_apt_http(s)_proxy

which we think behave more intuitively.

The global_ settings set a global apt proxy. The ua_ settings set a proxy only for ua related packages.

We also still support the plain apt_http(s)_proxy variables and they behave the same way they always have, which is the same as the new global_ settings.

[Test Plan]

To Reproduce:
```
lxc launch ubuntu-daily:focal squid
lxc exec squid -- apt update
lxc exec squid -- apt install squid
lxc exec squid -- sed -i 's/http_access deny all/dns_v4_first on\nacl all src 0.0.0.0\/0\nhttp_access allow all\nhttp_access deny all/' /etc/squid/squid.conf
lxc exec squid -- systemctl restart squid.service

lxc launch ubuntu-daily:focal f-1956764
lxc exec f-1956764 -- ua config set apt_http_proxy=http://squid:3128
lxc exec f-1956764 -- ua config set apt_https_proxy=http://squid:3128
lxc exec f-1956764 -- cat /etc/apt/apt.conf.d/90ubuntu-advantage-aptproxy
# See that the proxy was configured globally
```

To see that release 27.9 of ubuntu-advantage-tools fixes the problem, you can use the build in `ppa:ua-client/staging` for now (or once it is in -proposed, just enable proposed).

Continuing in the same container from reproducing the bug:

```
lxc exec f-1956764 -- ua config unset apt_http_proxy
lxc exec f-1956764 -- ua config unset apt_https_proxy
lxc exec f-1956764 -- add-apt-repository ppa:ua-client/staging
lxc exec f-1956764 -- apt install ubuntu-advantage-tools

# first check that backwards compatibility is maintained
lxc exec f-1956764 -- ua config set apt_http_proxy=http://squid:3128
# see message about renaming of field, but still success
lxc exec f-1956764 -- ua config set apt_https_proxy=http://squid:3128
# see message about renaming of field, but still success
lxc exec f-1956764 -- cat /etc/apt/apt.conf.d/90ubuntu-advantage-aptproxy
# see that proxy was configured globally

lxc exec f-1956764 -- ua config unset apt_http_proxy
lxc exec f-1956764 -- ua config unset apt_https_proxy

# second check that new global_ fields work the same as the old fields
lxc exec f-1956764 -- ua config set global_apt_http_proxy=http://squid:3128
lxc exec f-1956764 -- ua config set global_apt_https_proxy=http://squid:3128
lxc exec f-1956764 -- cat /etc/apt/apt.conf.d/90ubuntu-advantage-aptproxy
# see that proxy was configured globally

lxc exec f-1956764 -- ua config unset global_apt_http_proxy
lxc exec f-1956764 -- ua config unset global_apt_https_proxy

# finally check that new ua_ fields work as the bug author desires
lxc exec f-1956764 -- ua config set ua_apt_http_proxy=http://squid:3128
lxc exec f-1956764 -- ua config set ua_apt_https_proxy=http://squid:3128
lxc exec f-1956764 -- cat /etc/apt/apt.conf.d/90ubuntu-advantage-aptproxy
# see that proxy was configured only for esm.ubuntu.com

```

[Where problems could occur]

There is some complexity in maintaining backwards compatibility with the new setting names. If we made mistakes here, then backwards compatibility may not work for this feature in all cases.

This feature touches apt configuration, and so if we made a mistake, this could cause broader apt warnings/errors if the generated config is invalid.

[Original Description]

Currently if the proxy is configured for the UA client it is setting up global proxy for the entire apt:

* To change what ubuntu-advantage-tools sets, run one of the following:
* Substitute "apt_https_proxy" for "apt_http_proxy" as necessary.
* sudo ua config set apt_http_proxy=<value>
* sudo ua config unset apt_http_proxy
*/
Acquire::http::Proxy http://<proxy_ip>:3128;
Acquire::https::Proxy http://<proxy_ip>:3128;

In the clouds though all the packages come from the cloud-based mirrors except UA-related ones.
There is a use case currently when a customer wants to set up a proxy to reach the UA repositories but the proxy is throttling the bandwidth and it is impossible to pull all the packages through it.

Suggesting to set up proxy in apt specifying the repo names such as

Acquire::http::Proxy::<esm repo> "http://your.proxy.host/";
Acquire::http::Proxy::<fips repo> "http://your.proxy.host/";

See original description
Revision history for this message
Grant Orndorff (orndorffgrant) wrote :

Thanks for the bug report! I think this is a good idea.

Changed in ubuntu-advantage-tools (Ubuntu):
status: New → Confirmed
importance: Undecided → Medium
Renan Rodrigo (renanrodrigo)
Changed in ubuntu-advantage-tools (Ubuntu):
status: Confirmed → Fix Committed
Grant Orndorff (orndorffgrant)
Changed in ubuntu-advantage-tools (Ubuntu):
status: Fix Committed → In Progress
Grant Orndorff (orndorffgrant)
description: updated
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package ubuntu-advantage-tools - 27.9~22.10.1

---------------
ubuntu-advantage-tools (27.9~22.10.1) kinetic; urgency=medium

  * d/rules
    - remove trusty specific code
    - remove ua-license-check.{timer,service,path}
    - install ubuntu-advantage.service
    - only on xenial: install ubuntu-advantage-cloud-id-shim.service
  * d/tools.preinst: remove old config field to avoid warnings in logs
  * d/tools.postinst
    - remove trusty specific code
    - print warnings if /etc/os-release doesn't have required fields
    - hardcode service list instead of exec-ing python3 for old migration
    - refactor python to avoid instantiating UAConfig extra times
    - refactor python to always use messages module for strings
    - rm the old marker file that triggered ua-license-check.path
    - remove unnecessary deb-systemd-helper check in ua-messaging cleanup
    - clean up old ua-license-check state
    - run new cloud-id-shim script
  * d/tools/postrm
    - clean up ubuntu-advantage-daemon log files
  * New upstream release 27.9 (LP: #1973099)
    - cli:
      + for json formatted output, include additional_info for some errors
      + new subcommand `ua refresh messages` to update motd and apt messages
    - daemon:
      + replace ua-license-check timer with ubuntu-advantage.service daemon
      + detects on-boot if pro license was added and runs auto-attach
      + only runs on gcp and does not continuously long-poll by default for now
    - enable:
      + fix error message on wrong service name when unattached
    - fips:
      + allow enabling generic fips kernel on azure by default
      + clean up fips reboot message (LP: #1972026)
    - fix:
      + handle errors during attach process
      + fix bug where enable or detach during a fix failed (LP: #1969809)
      + fix bug where attempting to fix some CVEs would never finish
    - performance:
      + remove unnecessary UAConfig object instantiation (also cleans up logs)
      + cache "apt-cache policy" output to avoid unnecessary subp calls
    - proxy:
      + apt_http(s)_proxy renamed to global_apt_http(s)_proxy
      + apt_http(s)_proxy config var names will still work
      + new ua_apt_http(s)_proxy for only ua-related apt traffic (LP: #1956764)
      + global_apt_http(s)_proxy and ua_apt_http(s)_proxy cannot be set at the
        same time
    - realtime: adjust warning to clarify that a manual revert is possible
    - refresh: a normal `ua refresh` will also update motd and apt messages
    - security-status: add counts of packages from each archive component
    - status: check if contract has updated and notify user to run "ua refresh"

 -- Grant Orndorff <email address hidden> Wed, 11 May 2022 13:04:46 -0400

Changed in ubuntu-advantage-tools (Ubuntu):
status: In Progress → Fix Released
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.