FFe+SRU: update google-guest-agent from 20220622.00-0ubuntu to 20230330.00-0ubuntu1

Bug #2016593 reported by Utkarsh Gupta
Affects                      Status        Importance  Assigned to    Milestone
google-guest-agent (Ubuntu)  Fix Released  Undecided   Utkarsh Gupta
Bionic                       Fix Released  Undecided   Unassigned
Focal                        Fix Released  Undecided   Unassigned
Jammy                        Fix Released  Undecided   Unassigned
Kinetic                      Fix Released  Undecided   Unassigned

Bug Description

[FFE]
=====

One of your cloud partners has informed us that there is a customer issue blocking on this update, so we are attempting to expedite it ahead of (despite) Lunar’s release.

This package is in universe and is not seeded so there'll be no need to re-spin the images.

Here's the changelog diff:

  * New upstream version 20230330.00.
    - correct expired key handling (#175)
    - Expired key tests (#176)
    - add members to OWNERS (#178)
    - Workload certs (#177)
    - Workload certificate refresh (#182)
    - update workload_cert permissions (#180)
    - write workload cert status file (#184)
    - add workload cert refresh to preset (#185)
    - Updates to gce-workload-cert-refresh (#186)
    - Fix typo with wsfc agent (#189)
    - Validate user key for whitespace chars (#188)
    - Windows: retry adding MDS route (#194)
    - Updating logging module so cloud logs are flushed prior to exit
      (#196)
    - Update owners file (#199)
    - Update OWNERS (#201)
    - Allow a comment part of a pub ssh key to have an arbitrary format
      (#198)

Upstream diff: https://github.com/GoogleCloudPlatform/guest-agent/compare/20220622.00...20230330.00

There's no big feature here but an accumulation of small fixes, et al. There are some CVEs in the vendored dependencies which will also be included in this update.

Let us know if you need any more information. Thank you!

[SRU]
=====

[Impact]

This package is provided by Google for installation within guests that run on Google Compute Engine. It is part of a collection of tools and daemons that ensure that the Ubuntu images published to GCE run properly on their platform.

Cloud platforms evolve at a rate that can't be handled in six-month increments, and they will often develop features that they would like to be available to customers who don't want to upgrade from earlier Ubuntu releases. As such, updating this package to more recent upstream releases is required within all Ubuntu releases, so they continue to function properly in their environment.

[Test Case]

When a new version of this package is uploaded to -proposed, the following will be done:

 * an image based on -proposed will be built for GCE and published to the ubuntu-os-cloud-devel project
 * the GCE team will be asked to validate that the new package addresses the issues it is expected to address, and that the image passes their internal image validation.
 * Each test image will be launched, and we will validate:
 ** the package version(s)
 ** that the correct ssh keys have been imported
 ** that the google specific services are running successfully

If all the testing indicates that the image containing the new package is acceptable, verification will be considered to be done.

[Other Information]

This bug is used for tracking of releasing the new upstream version for all supported series, as per the approved policy mentioned in the following MRE:

https://wiki.ubuntu.com/google-guest-agent-Updates

The updated package is not built for riscv64 on Focal, but it is not used on riscv64 either, thus please release the SRU without the riscv64 binaries.

The package does not build for powerpc on Xenial, but this is OK since it is not used on powerpc either.

Also, since this bumps some of the vendored dependencies, here's a diff of the version bump: https://paste.ubuntu.com/p/dNYVQJ4fxn/

Steve Langasek (vorlon) wrote :

FFe granted.

Changed in google-guest-agent (Ubuntu):
status: New → Triaged
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package google-guest-agent - 20230330.00-0ubuntu1

---------------
google-guest-agent (20230330.00-0ubuntu1) lunar; urgency=high

  * New upstream version 20230330.00. (LP: #2016593)
    - correct expired key handling (#175)
    - Expired key tests (#176)
    - add members to OWNERS (#178)
    - Workload certs (#177)
    - Workload certificate refresh (#182)
    - update workload_cert permissions (#180)
    - write workload cert status file (#184)
    - add workload cert refresh to preset (#185)
    - Updates to gce-workload-cert-refresh (#186)
    - Fix typo with wsfc agent (#189)
    - Validate user key for whitespace chars (#188)
    - Windows: retry adding MDS route (#194)
    - Updating logging module so cloud logs are flushed prior to exit
      (#196)
    - Update owners file (#199)
    - Update OWNERS (#201)
    - Allow a comment part of a pub ssh key to have an arbitrary format
      (#198)
  * d/extra/vendor: Update vendored dependencies.

 -- Utkarsh Gupta <email address hidden> Tue, 11 Apr 2023 20:17:10 +0530

Changed in google-guest-agent (Ubuntu):
status: Triaged → Fix Released
Utkarsh Gupta (utkarsh)
description: updated
summary: - FFE: update google-guest-agent from 20220622.00-0ubuntu to
+ FFe+SRU: update google-guest-agent from 20220622.00-0ubuntu to
20230330.00-0ubuntu1
Andreas Hasenack (ahasenack) wrote :

Similar to https://bugs.launchpad.net/ubuntu/+source/google-osconfig-agent/+bug/2015501/comments/3, there are vendored changes here in the form of d/extra/vendor updates (the one in the logging module I checked and it was just a one-line fix in that module). The bug description hints at "some CVEs", but nothing further.

Shouldn't we highlight these CVEs? Shouldn't this upload go into the security pocket? Which CVEs are those?

The changes file[1] (checked kinetic) also only has the latest d/changelog entry, which just mentions the backport (and, correctly, this bug). But the gist of the changes is in the previous entry. I would prefer the changes file to include that as well.

1. https://launchpadlibrarian.net/663252284/google-guest-agent_20230330.00-0ubuntu1~22.10.0_source.changes

Changed in google-guest-agent (Ubuntu Kinetic):
status: New → Incomplete
Changed in google-guest-agent (Ubuntu Jammy):
status: New → Incomplete
Changed in google-guest-agent (Ubuntu Focal):
status: New → Incomplete
Changed in google-guest-agent (Ubuntu Bionic):
status: New → Incomplete
Utkarsh Gupta (utkarsh)
description: updated
description: updated
Utkarsh Gupta (utkarsh) wrote :

Hi!

I've updated the MRE wiki page to reflect that we don't have to link changelogs, et al, but just the diff of the version bumps of the vendored deps. I've also added that in the description now.

P.S. This was done after talking to Lukasz (and Robie) in person last week because it's a wasted engineering effort and time for us to link the changelogs of everything and then for the SRU team to go through each of them. You'll see the amount of vendored stuff that has changed is A LOTTTTTT. Anyway, since this only affects src:google-guest-agent, we decided to inspect the bumps and see if there's anything alarming and then dive into that further.
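
Added example, not part of the original thread or of the package's own tooling: one way to produce the "diff of the version bumps of the vendored deps" discussed above is to compare the vendor/modules.txt files of the old and new source trees and list only the modules whose version changed, so a reviewer can check those against security advisories. The module paths and versions below are constructed sample data, and the function names are hypothetical.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Constructed vendor/modules.txt excerpts (module paths and versions are made up).
const oldVendor = "# example.com/alpha v1.0.0\n## explicit\nexample.com/alpha/pkg\n" +
	"# example.com/beta v0.3.1\nexample.com/beta\n" +
	"# example.com/gamma v2.1.0\nexample.com/gamma/util\n"
const newVendor = "# example.com/alpha v1.4.2\n## explicit; go 1.18\nexample.com/alpha/pkg\n" +
	"# example.com/gamma v2.1.0\nexample.com/gamma/util\n" +
	"# example.com/delta v0.1.0\nexample.com/delta\n"

// parseModules maps module path -> version. Module headers look like
// "# <path> <version>"; "## ..." annotations and package lines are skipped,
// as are versionless replace headers ("# <path> => <dir>").
func parseModules(txt string) map[string]string {
	mods := map[string]string{}
	for _, line := range strings.Split(txt, "\n") {
		f := strings.Fields(line)
		if len(f) >= 3 && f[0] == "#" && f[2] != "=>" {
			mods[f[1]] = f[2]
		}
	}
	return mods
}

// diffModules returns a sorted report of added, bumped and removed modules.
func diffModules(oldTxt, newTxt string) []string {
	oldM, newM := parseModules(oldTxt), parseModules(newTxt)
	var out []string
	for p, nv := range newM {
		if ov, ok := oldM[p]; !ok {
			out = append(out, fmt.Sprintf("added   %s %s", p, nv))
		} else if ov != nv {
			out = append(out, fmt.Sprintf("bumped  %s %s -> %s", p, ov, nv))
		}
	}
	for p, ov := range oldM {
		if _, ok := newM[p]; !ok {
			out = append(out, fmt.Sprintf("removed %s %s", p, ov))
		}
	}
	sort.Strings(out)
	return out
}

func main() {
	fmt.Println(strings.Join(diffModules(oldVendor, newVendor), "\n"))
}
```

Unchanged modules (example.com/gamma in the sample) are omitted from the report, which keeps the review focused on what actually moved.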

Changed in google-guest-agent (Ubuntu Bionic):
status: Incomplete → New
Changed in google-guest-agent (Ubuntu Focal):
status: Incomplete → New
Changed in google-guest-agent (Ubuntu Jammy):
status: Incomplete → New
Changed in google-guest-agent (Ubuntu Kinetic):
status: Incomplete → New
Łukasz Zemczak (sil2100) wrote : Please test proposed package

Hello Utkarsh, or anyone else affected,

Accepted google-guest-agent into kinetic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/google-guest-agent/20230330.00-0ubuntu1~22.10.0 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-kinetic to verification-done-kinetic. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-kinetic. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in google-guest-agent (Ubuntu Kinetic):
status: New → Fix Committed
tags: added: verification-needed verification-needed-kinetic
Changed in google-guest-agent (Ubuntu Jammy):
status: New → Fix Committed
tags: added: verification-needed-jammy
Łukasz Zemczak (sil2100) wrote :

Hello Utkarsh, or anyone else affected,

Accepted google-guest-agent into jammy-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/google-guest-agent/20230330.00-0ubuntu1~22.04.0 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-jammy to verification-done-jammy. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-jammy. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in google-guest-agent (Ubuntu Focal):
status: New → Fix Committed
tags: added: verification-needed-focal
Łukasz Zemczak (sil2100) wrote :

Hello Utkarsh, or anyone else affected,

Accepted google-guest-agent into focal-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/google-guest-agent/20230330.00-0ubuntu1~20.04.0 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-focal to verification-done-focal. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-focal. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in google-guest-agent (Ubuntu Bionic):
status: New → Fix Committed
tags: added: verification-needed-bionic
Łukasz Zemczak (sil2100) wrote :

Hello Utkarsh, or anyone else affected,

Accepted google-guest-agent into bionic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/google-guest-agent/20230330.00-0ubuntu1~18.04.0 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-bionic to verification-done-bionic. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-bionic. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Łukasz Zemczak (sil2100) wrote :

I have accepted the agent to -proposed, but one thing worthwhile to mention for when filling in the SRU paperwork: the go version used for building this in bionic changed from 1.13 to 1.18 - I'm sure Google testing will test everything sufficiently enough, but I think next time we should make sure to call out any bumps like this.

Utkarsh Gupta (utkarsh) wrote :

Hi Lukasz,

Yep, noted. Thanks. It's mentioned in the changelog entry, though.

We previously bumped from golang-any to Go 1.13 and now to 1.18. But gotcha, I'll add that to the bug next time we bump the Go version. Thanks! :)

Utkarsh Gupta (utkarsh) wrote :

With LP: #2018272 superseding this bug and the former being verified, we can actually confirm that this is also verified. The former upload was built on top of this one so yes, this is tested. Adjusting the tags accordingly.

tags: added: verification-done verification-done-bionic verification-done-focal verification-done-jammy verification-done-kinetic
removed: verification-needed verification-needed-bionic verification-needed-focal verification-needed-jammy verification-needed-kinetic
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package google-guest-agent - 20230426.00-0ubuntu2~22.10.0

---------------
google-guest-agent (20230426.00-0ubuntu2~22.10.0) kinetic; urgency=medium

  * No-change rebuild for Kinetic

google-guest-agent (20230426.00-0ubuntu2) mantic; urgency=medium

  * d/rules: Add --no-stop-on-upgrade for upgrade path
    to enforce no stop of the services on package upgrade.
    This has the desired side-effect of not stopping, starting or
    restarting the services as a part of the upgrade (LP: #2019089)
  * d/{rules,install}: ship gce-workload-cert-refresh.timer.

 -- Utkarsh Gupta <email address hidden> Thu, 25 May 2023 13:11:33 +0530

Changed in google-guest-agent (Ubuntu Kinetic):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package google-guest-agent - 20230426.00-0ubuntu2~22.04.0

---------------
google-guest-agent (20230426.00-0ubuntu2~22.04.0) jammy; urgency=medium

  * No-change rebuild for Jammy.

google-guest-agent (20230426.00-0ubuntu2) mantic; urgency=medium

  * d/rules: Add --no-stop-on-upgrade for upgrade path
    to enforce no stop of the services on package upgrade.
    This has the desired side-effect of not stopping, starting or
    restarting the services as a part of the upgrade (LP: #2019089)
  * d/{rules,install}: ship gce-workload-cert-refresh.timer.

 -- Utkarsh Gupta <email address hidden> Thu, 25 May 2023 13:13:37 +0530

Changed in google-guest-agent (Ubuntu Jammy):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package google-guest-agent - 20230426.00-0ubuntu2~20.04.0

---------------
google-guest-agent (20230426.00-0ubuntu2~20.04.0) focal; urgency=medium

  * No-change rebuild for Focal.

google-guest-agent (20230426.00-0ubuntu2) mantic; urgency=medium

  * d/rules: Add --no-stop-on-upgrade for upgrade path
    to enforce no stop of the services on package upgrade.
    This has the desired side-effect of not stopping, starting or
    restarting the services as a part of the upgrade (LP: #2019089)
  * d/{rules,install}: ship gce-workload-cert-refresh.timer.

 -- Utkarsh Gupta <email address hidden> Thu, 25 May 2023 13:16:13 +0530

Changed in google-guest-agent (Ubuntu Focal):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package google-guest-agent - 20230426.00-0ubuntu2~18.04.0

---------------
google-guest-agent (20230426.00-0ubuntu2~18.04.0) bionic; urgency=medium

  * No-change rebuild for Bionic.

google-guest-agent (20230426.00-0ubuntu2) mantic; urgency=medium

  * d/rules: Add --no-stop-on-upgrade for upgrade path
    to enforce no stop of the services on package upgrade.
    This has the desired side-effect of not stopping, starting or
    restarting the services as a part of the upgrade (LP: #2019089)
  * d/{rules,install}: ship gce-workload-cert-refresh.timer.

 -- Utkarsh Gupta <email address hidden> Thu, 25 May 2023 13:22:23 +0530

Changed in google-guest-agent (Ubuntu Bionic):
status: Fix Committed → Fix Released