adds ESM to sources.list.d unconditionally, despite it being x86-only

Bug #1851858 reported by Adam Conrad on 2019-11-08
This bug affects 2 people
Affects | Status | Importance | Assigned to | Milestone
ubuntu-advantage-script | Fix Released | Unknown | |
ubuntu-advantage-tools (Ubuntu) | | High | Andreas Hasenack |
Trusty | | High | Andreas Hasenack |

Bug Description

[Impact]
The ubuntu-advantage-tools package ("uat", for short) installs by default a sources.list snippet so that the machine can become aware of available ESM updates. They cannot be downloaded without authentication, so to prevent them from being considered in updates, an apt preferences file is also installed pinning the esm repository down.

Turns out that ESM is only available for the x86 architecture, and installing that sources.list snippet for other architectures leads to apt-get update failures.

A mitigation was put in place on the ESM repository to publish an empty archive for these unsupported architectures, so apt-get update won't fail.

The change in this SRU adds another case for when postinst configures and unconfigures ESM, and that is an architecture check via `dpkg --print-architecture`.

This by itself is not enough to prevent users from trying to enable esm-infra on non-x86 architectures, as the contract server is still incorrectly advertising that support. This has been fixed in the staging deployment and a production deployment with this change should happen soon as well, completing the fix for this issue.

[Test Case]
# Install the current trusty-updates ubuntu-advantage-tools on a non-x86 system (armhf, arm64, ppc64el, or s390x).
$ sudo apt install ubuntu-advantage-tools

# verify that apt-get update is hitting the esm repository:
$ sudo apt-get update | grep esm
Get:1 https://esm.ubuntu.com trusty-infra-security InRelease
Get:2 https://esm.ubuntu.com trusty-infra-updates InRelease
...

# verify that an esm pinning file was installed. Check that esm.ubuntu.com shows up in the apt-cache policy output, and that its pinning is negative:
$ apt-cache policy | grep esm
-32768 https://esm.ubuntu.com/ubuntu/ trusty-infra-updates/main ppc64el Packages
     origin esm.ubuntu.com
-32768 https://esm.ubuntu.com/ubuntu/ trusty-infra-security/main ppc64el Packages
     origin esm.ubuntu.com

# upgrade to the ubuntu-advantage-tools package from proposed and repeat the test. apt-get update shouldn't be hitting the ESM repository anymore, and the policy output should be empty as well:
$ sudo apt install ubuntu-advantage-tools # from trusty-proposed
$ apt-get update | grep esm
<empty>
$ apt-cache policy | grep esm
<empty>

# conversely, on an x86 system, the output should remain the same, i.e., esm should be listed and again with a negative pinning

[Regression Potential]
The logic relies on architecture names returned by `dpkg --print-architecture`. If there is a change in its output, or some other bug, we could be disabling (or enabling) the esm repository where we shouldn't.

[Other Info]
The knowledge about which architectures are supported is now statically stored in the package, which is a bit unfortunate. The final authority is the contract server, and the actual esm repository. This information is sent to the client, but we are not making a network call in postinst to verify that. One reason being that the launchpad builders and DEP8 runners block such egress traffic.

If esm-infra was already enabled before applying the update, it will become disabled on non-x86 architectures. Since there are no non-x86 ESM updates available, this is just reflecting the truth about the support.

[Original Description]
The shiny new ubuntu-advantage-tools client adds ESM to sources.list.d unconditionally on all architectures, but the ESM archive itself currently only publishes for x86. One of those two things is a bug.

Personally, I think it's a bug we don't publish ESM for all the same arches as we released for (even if we don't update all the packages for all arches, people would at least get things like tzdata updates), but if the intent is to be strictly x86-only, then ubuntu-advantage-tools is very much in the wrong here, as it creates a situation where apt-get update fails on all !x86.
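
The test case and the regression concern above can be turned into one repeatable check. This is an added example, not code from the bug report or from ubuntu-advantage-tools; the function names are hypothetical and the sample input is constructed from the ppc64el output quoted in the report.

```shell
#!/bin/sh
# Audit `apt-cache policy` output against the expectation in the test case.
# Function names are hypothetical (assumptions for this example).

# x86 names as printed by `dpkg --print-architecture`.
esm_arch_supported() {
    case "$1" in
        amd64|i386) return 0 ;;
        *) return 1 ;;
    esac
}

# Reads policy text on stdin; prints "<total> <non-negative>" counts for
# index lines whose URL points at esm.ubuntu.com.
esm_policy_counts() {
    awk '
        $2 ~ /^https?:\/\/esm\.ubuntu\.com\// {
            total++
            if ($1 + 0 >= 0) bad++   # priority is the first field
        }
        END { printf "%d %d\n", total, bad }
    '
}

# esm_audit ARCH < policy-output ; returns 0 when the state is as expected.
esm_audit() {
    arch=$1
    set -- $(esm_policy_counts)
    total=$1 bad=$2
    if esm_arch_supported "$arch"; then
        # x86: the repo must be listed and every entry pinned negative.
        [ "$total" -gt 0 ] && [ "$bad" -eq 0 ]
    else
        # Other architectures: the fixed package leaves no esm entries.
        [ "$total" -eq 0 ]
    fi
}

# Constructed sample, modelled on the pre-fix ppc64el output in the report.
SAMPLE_PINNED='-32768 https://esm.ubuntu.com/ubuntu/ trusty-infra-updates/main ppc64el Packages
     origin esm.ubuntu.com
-32768 https://esm.ubuntu.com/ubuntu/ trusty-infra-security/main ppc64el Packages
     origin esm.ubuntu.com
 500 http://ports.ubuntu.com/ubuntu-ports/ trusty-updates/main ppc64el Packages'

printf '%s\n' "$SAMPLE_PINNED" | esm_audit ppc64el \
    || echo "ppc64el: esm repository still configured (pre-fix state)"
```

On a real host the same check is `apt-cache policy | esm_audit "$(dpkg --print-architecture)"`; a non-zero exit on x86 means the repository is missing or not pinned down.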

Philip Roche (philroche) wrote :

We (CPC) are seeing this issue too when trying to build Trusty non amd64/i386 images.

When we hit this yesterday Security team confirmed that ESM doesn't support other arches but we shouldn't block builds because of this change.

Mark Morlino (markmorlino) wrote :

This seems to require a 2-part fix:
1. The ubuntu-advantage-tools client should be changed, only x86 is supported by ESM.
2. Empty Release files can be added so that trusty machines of other architectures that have already been set up with ESM by the new ua tool can run apt without errors.

Joshua Powers (powersj) on 2019-11-08
Changed in ubuntu-advantage-tools (Ubuntu):
status: New → Triaged
importance: Undecided → High
assignee: nobody → Andreas Hasenack (ahasenack)
Changed in ubuntu-advantage-tools (Ubuntu Trusty):
status: New → Triaged
importance: Undecided → High
assignee: nobody → Andreas Hasenack (ahasenack)
Changed in ubuntu-advantage-script:
status: Unknown → New
Adam Conrad (adconrad) wrote :

If we update the archives (which seems to be the current plan of attack), I'm not sure we need to update the tool to not enable it. It would be nice if it mentioned that the arch you're on isn't supported, so you don't expect kernel updates and the like, but it's harmless to let those people get tzdata and distro-info-data updated.

Let's see how the archive hackery goes on Monday, though.

Changed in ubuntu-advantage-tools (Ubuntu Trusty):
status: Triaged → In Progress
Andreas Hasenack (ahasenack) wrote :

A server-side mitigation was put in place and apt-get update shouldn't fail anymore with esm disabled, but the sources.list snippet file in place, on non-x86 arches. There is another issue still in that the ua server is reporting esm-infra as being available for non-x86 arches, which is incorrect. That is also being addressed.

description: updated
Changed in ubuntu-advantage-script:
status: New → Fix Released

Hello Adam, or anyone else affected,

Accepted ubuntu-advantage-tools into trusty-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/ubuntu-advantage-tools/19.6~ubuntu14.04.4 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-trusty to verification-done-trusty. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-trusty. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in ubuntu-advantage-tools (Ubuntu Trusty):
status: In Progress → Fix Committed
tags: added: verification-needed verification-needed-trusty
description: updated
Andreas Hasenack (ahasenack) wrote :

= Trusty verification =

# install current uat from updates on ppc64el
ubuntu-advantage-tools:
  Installed: 19.6~ubuntu14.04.3
  Candidate: 19.6~ubuntu14.04.3
  Version table:
 *** 19.6~ubuntu14.04.3 0
        500 http://ports.ubuntu.com/ubuntu-ports/ trusty-updates/main ppc64el Packages

ubuntu@trusty-ppc64el:~$ uname -m
ppc64le
ubuntu@trusty-ppc64el:~$ dpkg --print-architecture
ppc64el

# apt-get update hits the esm repo. It doesn't fail because the server published
# empty repositories for non-x86
ubuntu@trusty-ppc64el:~$ sudo apt-get update|grep esm
Get:1 https://esm.ubuntu.com trusty-infra-security InRelease
Get:2 https://esm.ubuntu.com trusty-infra-updates InRelease
Get:3 https://esm.ubuntu.com trusty-infra-security/main ppc64el Packages
Get:4 https://esm.ubuntu.com trusty-infra-security/main Translation-en_US
Get:5 https://esm.ubuntu.com trusty-infra-updates/main Translation-en_US
Ign https://esm.ubuntu.com trusty-infra-security/main Translation-en_US
Ign https://esm.ubuntu.com trusty-infra-security/main Translation-en
Ign https://esm.ubuntu.com trusty-infra-updates/main Translation-en_US
Ign https://esm.ubuntu.com trusty-infra-updates/main Translation-en

# verify that esm pinning was installed and is negative:
ubuntu@trusty-ppc64el:~$ apt-cache policy | grep esm
-32768 https://esm.ubuntu.com/ubuntu/ trusty-infra-updates/main ppc64el Packages
     origin esm.ubuntu.com
-32768 https://esm.ubuntu.com/ubuntu/ trusty-infra-security/main ppc64el Packages
     origin esm.ubuntu.com

# upgrade to the package in proposed:
ubuntu@trusty-ppc64el:~$ apt-cache policy ubuntu-advantage-tools
ubuntu-advantage-tools:
  Installed: 19.6~ubuntu14.04.4
  Candidate: 19.6~ubuntu14.04.4
  Version table:
 *** 19.6~ubuntu14.04.4 0
        500 http://ports.ubuntu.com/ubuntu-ports/ trusty-proposed/main ppc64el Packages

# verify esm repo isn't hit anymore:
ubuntu@trusty-ppc64el:~$ sudo apt-get update|grep esm
ubuntu@trusty-ppc64el:~$
1

# verify esm pinning isn't in place anymore:
ubuntu@trusty-ppc64el:~$ apt-cache policy | grep esm
ubuntu@trusty-ppc64el:~$
ubuntu@trusty-ppc64el:~$ ll /etc/apt/preferences.d/
total 8
drwxr-xr-x 2 root root 4096 Nov 27 13:34 ./
drwxr-xr-x 7 root root 4096 Nov 27 13:33 ../
ubuntu@trusty-ppc64el:~$

# update: the server-side changes were deployed already, and now esm is
# correctly no longer advertised for non-x86 systems:
ubuntu@trusty-ppc64el:~$ sudo ua enable esm-infra
One moment, checking your subscription first
ESM Infra is not available for platform ppc64le.
Supported platforms are: amd64, i386, i686, x86_64

# repeating the test on x86 shows no change in behaviour
# current version from updates:
ubuntu@t1:~$ apt-cache policy ubuntu-advantage-tools
ubuntu-advantage-tools:
  Installed: 19.6~ubuntu14.04.3
  Candidate: 19.6~ubuntu14.04.3
  Version table:
 *** 19.6~ubuntu14.04.3 0
        500 http://archive.ubuntu.com/ubuntu/ trusty-updates/main amd64 Packages

# esm repo is hit:
ubuntu@t1:~$ sudo apt-get update | grep esm
Get:6 https://esm.ubuntu.com trusty-infra-security InRelease
Get:7 https://esm.ubuntu.com trusty-infra-updates InRelease
Get:9 https://esm.ubuntu.com trusty-infra-security/main amd64 Packages
...

# esm pinne...

tags: added: verification-done-trusty
removed: verification-needed-trusty