Duplicate entries on security-status for systems that got esm-apps with the old advertisement model
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
ubuntu-advantage-tools (Ubuntu) |
Fix Released
|
Undecided
|
Renan Rodrigo | ||
Xenial |
Fix Released
|
Undecided
|
Unassigned | ||
Bionic |
Fix Released
|
Undecided
|
Unassigned | ||
Focal |
Fix Released
|
Undecided
|
Unassigned | ||
Jammy |
Fix Released
|
Undecided
|
Unassigned | ||
Kinetic |
Fix Released
|
Undecided
|
Unassigned | ||
Lunar |
Fix Released
|
Undecided
|
Renan Rodrigo |
Bug Description
[Original description]
When esm-apps went open beta, November 2022, some versions of ubuntu-
In those cases, the client inserted the unauthenticated esm-apps repository to the system APT. This causes packages to show twice now that esm-apps is GA.
Another case where it could happen is when the `allow_beta` flag was set, inserting the aforementioned file to the config as well.
[Impact]
When running the pro security-status command we users that have the unauthenticated esm-apps source file will see the duplicate package counts
in the command output and will probably make wrong assumptions about the system.
[Test Case]
To test that change, we will use the following script:
-------
#!/bin/bash
set -e
series=$1
name=$series-dev
version=$2
install_from=$3
function cleanup {
lxc delete $name --force
}
function on_err {
echo -e "Test Failed"
cleanup
exit 1
}
trap on_err ERR
lxc launch ubuntu-
sleep 5
# Install ubuntu-
lxc exec $name -- wget -O ./ua.deb $(curl https:/
lxc exec $name -- dpkg -i ./ua.deb > /dev/null
echo -e "\n* UA version 27.11.1 is installed"
echo "######
lxc exec $name -- apt-cache policy ubuntu-
echo -e "######
# Install a universe package (ansible)
lxc exec $name -- apt-get update > /dev/null
lxc exec $name -- apt-get install ansible -y > /dev/null
echo -e "\n* Ansible (from universe) is installed"
echo "######
lxc exec $name -- apt-cache policy ansible
echo -e "######
# Run security-status and see the number of esm-apps updates
echo -e "\n* Updates from esm-apps"
echo "######
lxc exec $name -- pro security-status
echo -e "######
# Run security-status --esm-apps to check for the updates
echo -e "\n* Updates from esm-apps"
echo "######
lxc exec $name -- pro security-status --esm-apps
echo -e "######
# Install latest ubuntu-
lxc exec $name -- apt-get install ubuntu-
echo -e "\n* UA is updated to the latest version"
echo "######
lxc exec $name -- apt-cache policy ubuntu-
echo -e "######
lxc exec $name -- apt-get update > /dev/null
# Run security-status and see the number of esm-apps updates
echo -e "\n* Duplicated updates"
echo "######
lxc exec $name -- pro security-status
echo -e "######
# Run security-status --esm-apps to check for the updates
echo -e "\n* Duplicated updates"
echo "######
lxc exec $name -- pro security-status --esm-apps
echo -e "######
# Upgrading UA to new version
# -------
if [ $install_from == 'staging' ]; then
lxc exec $name -- sudo add-apt-repository ppa:ua-
lxc exec $name -- apt-get install ubuntu-
elif [ $install_from == 'proposed' ]; then
lxc exec $name -- sh -c "echo \"deb http://
lxc exec $name -- apt-get install ubuntu-
else
lxc file push $install_from $name/new-ua.deb
lxc exec $name -- dpkg -i /new-ua.deb > /dev/null
fi
# -------
echo -e "\n* UA now has the fix"
echo "######
lxc exec $name -- apt-cache policy ubuntu-
echo -e "######
# Run security-status and see the number of esm-apps updates
echo -e "\n* Updates are back to normal"
echo "######
lxc exec $name -- pro security-status
echo -e "######
# Run security-status --esm-apps to check for the updates
echo -e "\n* Updates are back to normal"
echo "######
lxc exec $name -- pro security-status --esm-apps
echo -e "######
# Check that files don't exist where they shouldn't
echo -e "\n* No unauthenticated apt files"
echo "######
lxc exec $name -- ls /etc/apt/
echo -e "######
cleanup
-------
[Regression Potential]
Since 27.13, we are no longer relying on any unauthenticated esm source file to deliver any feature to the users. Therefore, removing that file should not pose any extra risk for existing users
[Discussion]
There are some scenarios where users where able to get the unauthenticated esm-apps source file in the system. For example, version 27.11.1 introduced that file. Additionally, if the user added the allow_beta: true
line into uaclient.conf before upgrading the package, the unauthenticated file will also be there. The fix should cover all of those scenarios
$ uname -a
Linux sdeziel-lemur 5.15.0-58-generic #64-Ubuntu SMP Thu Jan 5 11:43:13 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux
Changed in ubuntu-advantage-tools (Ubuntu): | |
status: | New → In Progress |
assignee: | nobody → Renan Rodrigo (renanrodrigo) |
description: | updated |
Changed in ubuntu-advantage-tools (Ubuntu Lunar): | |
status: | In Progress → Fix Released |
status: | Fix Released → In Progress |
Hello Renan, or anyone else affected,
Accepted ubuntu- advantage- tools into kinetic-proposed. The package will build now and be available at https:/ /launchpad. net/ubuntu/ +source/ ubuntu- advantage- tools/27. 13.4~22. 10.1 in a few hours, and then in the -proposed repository.
Please help us by testing this new package. See https:/ /wiki.ubuntu. com/Testing/ EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.
If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification- needed- kinetic to verification- done-kinetic. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification- failed- kinetic. In either case, without details of your testing we will not be able to proceed.
Further information regarding the verification process can be found at https:/ /wiki.ubuntu. com/QATeam/ PerformingSRUVe rification . Thank you in advance for helping!
N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.