Please add ${distro_id}ESM:${distro_codename}-infra-security and ${distro_id}ESMApps:${distro_codename}-apps-security to allowed origins (on Ubuntu)

Bug #1857051 reported by Chad Smith
This bug affects 1 person
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| unattended-upgrades (Ubuntu) | Fix Released | High | Unassigned | |
| Trusty | Won't Fix | Undecided | Unassigned | |
| Xenial | Fix Released | Undecided | Unassigned | |
| Bionic | Fix Released | Undecided | Unassigned | |
| Eoan | Fix Released | Undecided | Unassigned | |

Bug Description

[Impact]

 * Changes to the ESM repo naming and the introduction of the new esm-infra and esm-apps suites require an update to unattended-upgrades to ensure the security pockets are used.
 * This change will ensure users are actually receiving updates, whereas today they will not without making manual changes.

[Test Case]

 * 1) Bionic and Xenial ESM-Apps/ESM-infra with Ubuntu Pro
 * 2) Trusty ESM

[Regression Potential]

 * This change is ensuring users actually receive security updates when using ESM. Therefore, 1) users of ESM-apps on Ubuntu Pro and 2) ESM-infra on Trusty will be the only users affected.
 * The possible issue would be if/when users receive actual security updates that then regress or cause issues to the system.

[Other Info]

Previous description:

ESM <distro>-infra-security and <distro>-apps-security will need to participate in unattended upgrades.

Currently /etc/apt/apt.conf.d/50unattended-upgrades provides:
Unattended-Upgrade::Allowed-Origins {
        "${distro_id}ESM:${distro_codename}";
};

Given that there have been ESM apt pocket renames over the last few months, the above ESM allowed-origin should not apply anymore and can be dropped or replaced.

See RT #C122697 and #C121067 for the pocket/suite renames related to ESM

What is needed after the ESM apt pocket/suite renames:

Support for unattended upgrades for ESM for Infrastructure customers:

Unattended-Upgrade::Allowed-Origins {
  // Extended Security Maintenance; doesn't necessarily exist for
  // every release and this system may not have it installed, but if
  // available, the policy for updates is such that unattended-upgrades
  // should also install from here by default.
  "${distro_id}ESM:${distro_codename}-infra-security";
  "${distro_id}ESMApps:${distro_codename}-apps-security";
};

=== Confirmed proper origin on an attached Trusty instance with ESM-infra enabled:

 500 https://esm.ubuntu.com/ubuntu/ trusty-infra-security/main amd64 Packages
     release v=14.04,o=UbuntuESM,a=trusty-infra-security,n=trusty,l=UbuntuESM,c=main

=== Confirmed proper origins on Bionic for enabled ESM-infra and ESM-apps on an AWS Ubuntu PRO instance:
 500 https://esm.ubuntu.com/infra/ubuntu bionic-infra-security/main amd64 Packages
     release v=18.04,o=UbuntuESM,a=bionic-infra-security,n=bionic,l=UbuntuESM,c=main,b=amd64

 500 https://esm.ubuntu.com/apps/ubuntu bionic-apps-security/main amd64 Packages
     release v=18.04,o=UbuntuESMApps,a=bionic-apps-security,n=bionic,l=UbuntuESMApps,c=main,b=amd64

Chad Smith (chad.smith)
summary: Please add ${distro_id}ESM:${distro_codename}-infra-security and
- t${distro_id}ESM:${distro_codename}-apps-securityo allowed origins (on
+ ${distro_id}ESM:${distro_codename}-apps-security to allowed origins (on
Ubuntu)
Balint Reczey (rbalint) wrote : Re: Please add ${distro_id}ESM:${distro_codename}-infra-security and ${distro_id}ESM:${distro_codename}-apps-security to allowed origins (on Ubuntu)
Changed in unattended-upgrades (Ubuntu):
status: New → Incomplete
status: Incomplete → In Progress
importance: Undecided → High
Balint Reczey (rbalint) wrote :

Should previous ESM repos be removed?

Could you please share the design document for the new origins, at least on another channel?

I saw this example somewhere, and it does not match ${distro_id}ESM:... :
o=UbuntuESMApps,a=bionic-apps-security

Changed in unattended-upgrades (Ubuntu):
status: In Progress → Incomplete
Chad Smith (chad.smith)
description: updated
description: updated
summary: Please add ${distro_id}ESM:${distro_codename}-infra-security and
- ${distro_id}ESM:${distro_codename}-apps-security to allowed origins (on
- Ubuntu)
+ ${distro_id}ESMApps:${distro_codename}-apps-security to allowed origins
+ (on Ubuntu)
Chad Smith (chad.smith)
Changed in unattended-upgrades (Ubuntu):
status: Incomplete → New
Joshua Powers (powersj)
description: updated
tags: added: id-5e2af6c2292b6f85495764a9
Chad Smith (chad.smith) wrote :

Balint,
It looks like this is addressed by: https://github.com/mvo5/unattended-upgrades/pull/244 which has now merged. Do we know if that branch is going to be SRU'd to Trusty, Xenial and Bionic?

Changed in unattended-upgrades (Ubuntu):
status: New → In Progress
Balint Reczey (rbalint) wrote :

@chad.smith The full branch will not be SRU-d, just individual changes. The change itself is in focal-proposed waiting for an apt fix to migrate to the release pocket, then the change can be SRU-d to stable releases.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package unattended-upgrades - 1.17

---------------
unattended-upgrades (1.17) unstable; urgency=medium

  [ Amit Gurdasani ]
  * Check that a candidate is available before checking the version has changed.
  * Add test case to check upgrade calculation behavior for a package with no
    candidate.

  [ Balint Reczey ]
  * Fix help about --no-minimal-upgrade-steps (Closes: #946379)
  * data/50unattended-upgrades.Ubuntu: add new ESM repositories (LP: #1857051)

 -- Balint Reczey <email address hidden> Thu, 23 Jan 2020 16:20:04 +0100

Changed in unattended-upgrades (Ubuntu):
status: In Progress → Fix Released
Łukasz Zemczak (sil2100) wrote : Please test proposed package

Hello Chad, or anyone else affected,

Accepted unattended-upgrades into eoan-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/unattended-upgrades/1.14ubuntu1.2 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-eoan to verification-done-eoan. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-eoan. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in unattended-upgrades (Ubuntu Eoan):
status: New → Fix Committed
tags: added: verification-needed verification-needed-eoan
Łukasz Zemczak (sil2100) wrote :

Hello Chad, or anyone else affected,

Accepted unattended-upgrades into bionic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/unattended-upgrades/1.1ubuntu1.18.04.14 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-bionic to verification-done-bionic. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-bionic. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in unattended-upgrades (Ubuntu Bionic):
status: New → Fix Committed
tags: added: verification-needed-bionic
Changed in unattended-upgrades (Ubuntu Xenial):
status: New → Fix Committed
tags: added: verification-needed-xenial
Łukasz Zemczak (sil2100) wrote :

Hello Chad, or anyone else affected,

Accepted unattended-upgrades into xenial-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/unattended-upgrades/1.1ubuntu1.18.04.7~16.04.6 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-xenial to verification-done-xenial. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-xenial. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Chad Smith (chad.smith) wrote :

### Bionic validation

1. start with a bionic VM with unattended-upgrades from bionic-updates
2. ua enable ESM-Infra via ubuntu-advantage-tools
3. /etc/apt/apt.conf.d/51ubuntu-advantage-esm (which delivers Allowed-Origins config)
       "${distro_id}ESMApps:${distro_codename}-apps-security";
       "${distro_id}ESM:${distro_codename}-infra-security";
4. Check whether unattended-upgrades sees bionic esm packages
    sudo unattended-upgrades --dry-run --debug 2>&1 | egrep -i 'Allowed|ESM'
5. Upgrade unattended-upgrades to -proposed
6. Check whether unattended-upgrades sees bionic esm packages
    sudo unattended-upgrades --dry-run --debug 2>&1 | egrep -i 'Allowed|ESM'

root@test-bionic:~/ubuntu-advantage-client# dpkg-query --show unattended-upgrades
unattended-upgrades 1.1ubuntu1.18.04.13

# No esm-infra packages seen by unattended-upgrades dry-run
root@test-bionic:~/ubuntu-advantage-client# sudo unattended-upgrades --dry-run --debug 2>&1 | egrep -i 'Allowed|ESM'
Allowed origins are: o=Ubuntu,a=bionic, o=Ubuntu,a=bionic-security, o=UbuntuESM,a=bionic
Checking: krb5-locales ([<Origin component:'main' archive:'bionic-infra-security' origin:'UbuntuESM' label:'UbuntuESM' site:'esm.ubuntu.com' isTrusted:True>, <Origin component:'main' archive:'bionic-infra-updates' origin:'UbuntuESM' label:'UbuntuESM' site:'esm.ubuntu.com' isTrusted:True>])
Checking: libgssapi-krb5-2 ([<Origin component:'main' archive:'bionic-infra-security' origin:'UbuntuESM' label:'UbuntuESM' site:'esm.ubuntu.com' isTrusted:True>, <Origin component:'main' archive:'bionic-infra-updates' origin:'UbuntuESM' label:'UbuntuESM' site:'esm.ubuntu.com' isTrusted:True>])
Checking: libk5crypto3 ([<Origin component:'main' archive:'bionic-infra-security' origin:'UbuntuESM' label:'UbuntuESM' site:'esm.ubuntu.com' isTrusted:True>, <Origin component:'main' archive:'bionic-infra-updates' origin:'UbuntuESM' label:'UbuntuESM' site:'esm.ubuntu.com' isTrusted:True>])
Checking: libkrb5-3 ([<Origin component:'main' archive:'bionic-infra-security' origin:'UbuntuESM' label:'UbuntuESM' site:'esm.ubuntu.com' isTrusted:True>, <Origin component:'main' archive:'bionic-infra-updates' origin:'UbuntuESM' label:'UbuntuESM' site:'esm.ubuntu.com' isTrusted:True>])
Checking: libkrb5support0 ([<Origin component:'main' archive:'bionic-infra-security' origin:'UbuntuESM' label:'UbuntuESM' site:'esm.ubuntu.com' isTrusted:True>, <Origin component:'main' archive:'bionic-infra-updates' origin:'UbuntuESM' label:'UbuntuESM' site:'esm.ubuntu.com' isTrusted:True>])

# upgrade to -proposed
root@test-bionic:~/ubuntu-advantage-client# apt-get install unattended-upgrades
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following package was automatically installed and is no longer required:
  libfreetype6
Use 'apt autoremove' to remove it.
Suggested packages:
  bsd-mailx default-mta | mail-transport-agent needrestart
The following packages will be upgraded:
  unattended-upgrades
1 upgraded, 0 newly installed, 0 to remove and 34 not upgraded.
Need to get 41.7 kB of archives.
After this operation, 0 B of additional disk space will be used.
Get:1 http://archive.ubuntu.com/ubuntu bi...


tags: added: verification-done-bionic
removed: verification-needed-bionic
Chad Smith (chad.smith) wrote :

### Bionic esm-apps * esm-infra verification on AWS Ubuntu Pro

test script:

#!/bin/bash

if [ $# != 1 ]; then
 echo "usage: $0 <AWS_IP_ADDR>"
 exit 1
fi
echo 1. Launch AWs Ubuntu PRO Bionic which auto-enables both esm-apps and esm-infra
VM_IP=$1
echo 2. Remove ubuntu-advantage-tools Alllowed-Origins config
ssh ubuntu@$VM_IP sudo rm -f /etc/apt/apt.conf.d/51ubuntu-advantage-esm
echo 3. Run unattended-upgrades to confirm Allowed origins does not find esm packages
ssh ubuntu@$VM_IP dpkg-query --show unattended-upgrades
ssh ubuntu@$VM_IP sudo unattended-upgrades --dry-run --verbose 2>&1 | egrep -i 'Allowed|esm'
echo 4. Install unattended-upgrades from -proposed suites
cat > setup_proposed.sh <<EOF
#!/bin/bash
mirror=http://archive.ubuntu.com/ubuntu
echo deb \$mirror \$(lsb_release -sc)-proposed main | tee /etc/apt/sources.list.d/proposed.list
apt-get update -q
apt-get install -qy unattended-upgrades
EOF
scp setup_proposed.sh ubuntu@$VM_IP:.
ssh ubuntu@$VM_IP sudo bash ./setup_proposed.sh 2>&1 | grep unattended-upgrades
echo 5.Run unattended-upgrades to confirm -proposed Allowed origins does find esm packages
ssh ubuntu@$VM_IP sudo unattended-upgrades --dry-run --verbose 2>&1 | egrep -i 'Allowed|esm'
echo 6. Verify apt-cache policy shows matching origins and suites
ssh ubuntu@$VM_IP sudo apt-cache policy | grep -i esm

### Verification output
1. Launch AWs Ubuntu PRO Bionic which auto-enables both esm-apps and esm-infra
2. Remove ubuntu-advantage-tools Alllowed-Origins config
3. Run unattended-upgrades to confirm Allowed origins does not find esm packages
unattended-upgrades 1.1ubuntu1.18.04.12
Allowed origins are: o=Ubuntu,a=bionic, o=Ubuntu,a=bionic-security, o=UbuntuESM,a=bionic
4. Install unattended-upgrades from -proposed suites
setup_proposed.sh 100% 203 3.3KB/s 00:00
  unattended-upgrades
Get:1 http://archive.ubuntu.com/ubuntu bionic-proposed/main amd64 unattended-upgrades all 1.1ubuntu1.18.04.14 [41.7 kB]
Preparing to unpack .../unattended-upgrades_1.1ubuntu1.18.04.14_all.deb ...
Unpacking unattended-upgrades (1.1ubuntu1.18.04.14) over (1.1ubuntu1.18.04.12) ...
Setting up unattended-upgrades (1.1ubuntu1.18.04.14) ...
Replacing config file /etc/apt/apt.conf.d/50unattended-upgrades with new version
Allowed origins are: o=Ubuntu,a=bionic, o=Ubuntu,a=bionic-security, o=UbuntuESMApps,a=bionic-apps-security, o=UbuntuESM,a=bionic-infra-security
/usr/bin/dpkg --status-fd 11 --no-triggers --unpack --auto-deconfigure /var/cache/apt/archives/krb5-locales_1.16-2ubuntu0.1+esm1_all.deb
/usr/bin/dpkg --status-fd 11 --no-triggers --unpack --auto-deconfigure /var/cache/apt/archives/libk5crypto3_1.16-2ubuntu0.1+esm1_amd64.deb
/usr/bin/dpkg --status-fd 11 --no-triggers --unpack --auto-deconfigure /var/cache/apt/archives/libkrb5support0_1.16-2ubuntu0.1+esm1_amd64.deb /var/cache/apt/archives/libgssapi-krb5-2_1.16-2ubuntu0.1+esm1_amd64.deb /var/cache/apt/archives/libkrb5-3_1.16-2ubuntu0.1+esm1_amd64.deb
6. Verify apt-cache policy shows matching origins and suites
 500 https://esm.ubuntu.com/infra/ubuntu bionic-infra-updates/main amd64 Packages
     release v=18.04,o=UbuntuESM,a=bionic-infra-updates,n=bionic,l=Ubuntu...


Chad Smith (chad.smith) wrote :

### Xenial AWS Ubuntu Pro instance test

test script:
#!/bin/bash

if [ $# != 1 ]; then
 echo "usage: $0 <AWS_IP_ADDR>"
 exit 1
fi
echo 1. Launch AWs Ubuntu PRO Xenial which auto-enables both esm-apps and esm-infra
VM_IP=$1
echo 2. Remove ubuntu-advantage-tools Alllowed-Origins config
ssh ubuntu@$VM_IP sudo rm -f /etc/apt/apt.conf.d/51ubuntu-advantage-esm
echo 3. Run unattended-upgrades to confirm Allowed origins does not find esm packages
ssh ubuntu@$VM_IP dpkg-query --show unattended-upgrades
ssh ubuntu@$VM_IP sudo unattended-upgrades --dry-run --verbose 2>&1 | egrep -i 'Allowed|esm'
echo 4. Install unattended-upgrades from -proposed suites
cat > setup_proposed.sh <<EOF
#!/bin/bash
mirror=http://archive.ubuntu.com/ubuntu
echo deb \$mirror \$(lsb_release -sc)-proposed main | tee /etc/apt/sources.list.d/proposed.list
apt-get update -q
apt-get install -qy unattended-upgrades
EOF
scp setup_proposed.sh ubuntu@$VM_IP:.
ssh ubuntu@$VM_IP sudo bash ./setup_proposed.sh 2>&1 | grep unattended-upgrades
echo 5.Run unattended-upgrades to confirm -proposed Allowed origins does find esm packages
ssh ubuntu@$VM_IP sudo unattended-upgrades --dry-run --verbose 2>&1 | egrep -i 'Allowed|esm'
echo 6. Verify apt-cache policy shows matching origins and suites
ssh ubuntu@$VM_IP sudo apt-cache policy | grep -i esm

#### Verification output

csmith@uptown:~/src$ ./unattended-up.sh 3.84.44.110
1. Launch AWs Ubuntu PRO Trusty which auto-enables both esm-apps and esm-infra
2. Remove ubuntu-advantage-tools Alllowed-Origins config
The authenticity of host '3.84.44.110 (3.84.44.110)' can't be established.
ECDSA key fingerprint is SHA256:uO/pH0y4oazsq85AdXn33dZEtNRWTBu7y+Of/Kc1XOU.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '3.84.44.110' (ECDSA) to the list of known hosts.
3. Run unattended-upgrades to confirm Allowed origins does not find esm packages
unattended-upgrades 1.1ubuntu1.18.04.7~16.04.4
Allowed origins are: o=Ubuntu,a=xenial, o=Ubuntu,a=xenial-security, o=UbuntuESM,a=xenial
4. Install unattended-upgrades from -proposed suites
setup_proposed.sh 100% 203 3.5KB/s 00:00
  unattended-upgrades
Get:1 http://archive.ubuntu.com/ubuntu xenial-proposed/main amd64 unattended-upgrades all 1.1ubuntu1.18.04.7~16.04.6 [42.1 kB]
Preparing to unpack .../unattended-upgrades_1.1ubuntu1.18.04.7~16.04.6_all.deb ...
Unpacking unattended-upgrades (1.1ubuntu1.18.04.7~16.04.6) over (1.1ubuntu1.18.04.7~16.04.4) ...
Setting up unattended-upgrades (1.1ubuntu1.18.04.7~16.04.6) ...
Replacing config file /etc/apt/apt.conf.d/50unattended-upgrades with new version
5.Run unattended-upgrades to confirm -proposed Allowed origins does find esm packages
Allowed origins are: o=Ubuntu,a=xenial, o=Ubuntu,a=xenial-security, o=UbuntuESMApps,a=xenial-apps-security, o=UbuntuESM,a=xenial-infra-security
/usr/bin/dpkg --status-fd 11 --unpack --auto-deconfigure /var/cache/apt/archives/krb5-locales_1.13.2+dfsg-5ubuntu2.1+esm1_all.deb
/usr/bin/dpkg --status-fd 11 --unpack --auto-deconfigure /var/cache/apt/archives/libk5crypto3_1.13.2+dfsg-5ubuntu2.1+esm1_amd64.deb
/usr/bin/dpkg --status-fd 11 --unpack --auto-decon...


tags: added: verification-dibe-xenial
removed: verification-needed-xenial
Chad Smith (chad.smith) wrote :

### Verification Failure??? of ESM-infra for Eoan

Not much to verify here. The ESM-infra and ESM-Apps services are only targeted to support LTS releases of Ubuntu, so ubuntu-advantage-tools will not even allow enabling ESM services on Eoan.

As such, I don't think we should be targeting Eoan for this APT Allowed Origin APT config changeset.

Marking verification-failed-eoan so someone can confirm if the intent here was to keep APT configuration the same in all releases when you SRU this change back to trusty.

tags: added: verification-failed-eoan
removed: verification-needed-eoan
Chad Smith (chad.smith) wrote :

Hi Łukasz, also there is a trusty series task on this bug. I'm unsure whether to mark this SRU tag "verification-done" until we resolve both the trusty task and potentially dropping the Eoan task.

Chad Smith (chad.smith) wrote :

Note for expected results on a typical Eoan system while trying to `ua enable esm-infra`

One moment, checking your subscription first
ESM Infra is not available for Ubuntu 19.10 (Eoan Ermine).

So no ESM APT repos should be accessible on Eoan systems per product design.

Joshua Powers (powersj) wrote :

We will not drop the Eoan task as the SRU needs to go back to all supported versions of the package, whether or not the UA components are available in that release.

The test for Eoan then is to verify that nothing regressed. Please re-test that unattended-upgrades continues to function with no new error messages on Eoan.

Joshua Powers (powersj)
tags: added: verification-needed-eoan
removed: verification-failed-eoan
tags: added: verification-done-xenial
removed: verification-dibe-xenial
Steve Langasek (vorlon) wrote : Proposed package upload rejected

An upload of unattended-upgrades to trusty-proposed has been rejected from the upload queue for the following reason: "trusty archive is closed except for critical fixes required for ESM enablement".

Steve Langasek (vorlon)
Changed in unattended-upgrades (Ubuntu Trusty):
status: New → Won't Fix
Joshua Powers (powersj) wrote :

After providing more background, the Trusty package needs to be uploaded to the security pockets to ensure our Ubuntu Pro users are able to get this update. This is essential to Pro users getting updates from the new esm-infra pockets.

Changed in unattended-upgrades (Ubuntu Trusty):
status: Won't Fix → In Progress
Chad Smith (chad.smith) wrote :

This changeset is not 'critical' for ESM support on trusty because ubuntu-advantage-tools package already delivers a static APT config with the appropriate values:

root@trusty-box:~# cat /etc/apt/apt.conf.d/51ubuntu-advantage-esm
Unattended-Upgrade::Allowed-Origins {
  "${distro_id}ESM:${distro_codename}-infra-security";
};
Unattended-Upgrade::Allowed-Origins {
  "${distro_id}ESMApps:${distro_codename}-apps-security";
};

Since ubuntu-advantage-tools already delivers the necessary config, we don't need to add risk to trusty unnecessarily for this optimization. As such, we can reject the trusty request as a workaround is in place.

tags: added: verification-done verification-done-eoan
removed: verification-needed verification-needed-eoan
tags: added: verification-needed-eoan
removed: verification-done-eoan
Chad Smith (chad.smith) wrote :

### Eoan esm-apps * esm-infra verification on stock Eoan cloudimages
# This test will show no regression in unattended-upgrades because there are no ESM offerings
# on Eoan.

test script:
#!/bin/bash

if [ $# != 1 ]; then
 echo "usage: $0 <SERIES>"
 exit 1
fi
SERIES=$1
LXC_NAME=test-sru-$SERIES
echo 1. Launch ubuntu-daily $SERIES lxc
#lxc launch ubuntu-daily:$SERIES $LXC_NAME
echo 2. Run unattended-upgrades to confirm Allowed origins does not find esm packages
lxc exec $LXC_NAME -- unattended-upgrades --dry-run --verbose 2>&1 | egrep -i 'Allowed|esm'
echo 3. Install unattended-upgrades from -proposed suites
cat > setup_proposed.sh <<EOF
#!/bin/bash
mirror=http://archive.ubuntu.com/ubuntu
echo deb \$mirror \$(lsb_release -sc)-proposed main | tee /etc/apt/sources.list.d/proposed.list
apt-get update -q
apt-get install -qy unattended-upgrades
EOF
lxc file push setup_proposed.sh $LXC_NAME/
lxc exec $LXC_NAME bash /setup_proposed.sh 2>&1 | grep unattended-upgrades
echo 5.Run unattended-upgrades to confirm -proposed Allowed origins does cause regressions
lxc exec $LXC_NAME -- unattended-upgrades --dry-run --verbose 2>&1

### Verification output

$ ./sru.sh eoan
1. Launch ubuntu-daily eoan lxc
2. Run unattended-upgrades to confirm Allowed origins does not find esm packages
Allowed origins are: o=Ubuntu,a=eoan, o=Ubuntu,a=eoan-security, o=UbuntuESM,a=eoan, o=UbuntuESM,a=eoan-security, o=UbuntuESM,a=eoan-security
3. Install unattended-upgrades from -proposed suites
  unattended-upgrades
Get:1 http://archive.ubuntu.com/ubuntu eoan-proposed/main amd64 unattended-upgrades all 1.14ubuntu1.2 [47.6 kB]
Preparing to unpack .../unattended-upgrades_1.14ubuntu1.2_all.deb ...
Unpacking unattended-upgrades (1.14ubuntu1.2) over (1.14ubuntu1.1) ...
Setting up unattended-upgrades (1.14ubuntu1.2) ...
Replacing config file /etc/apt/apt.conf.d/50unattended-upgrades with new version
5.Run unattended-upgrades to confirm -proposed Allowed origins does cause regressions
Initial blacklist :
Initial whitelist:
Starting unattended upgrades script
Allowed origins are: o=Ubuntu,a=eoan, o=Ubuntu,a=eoan-security, o=UbuntuESMApps,a=eoan-apps-security, o=UbuntuESM,a=eoan-infra-security, o=UbuntuESM,a=eoan-security
No packages found that can be upgraded unattended and no pending auto-removals
csmith@uptown:~/src/ubuntu-advantage-client$ echo $?
0

tags: added: verification-done-eoan
removed: verification-needed-eoan
Changed in unattended-upgrades (Ubuntu Trusty):
status: In Progress → Won't Fix
Chad Smith (chad.smith) wrote :

Verification complete for this SRU, thanks. I marked trusty as Won't Fix as ubuntu-advantage-tools already delivers the appropriate APT config supplement for esm-infra-security and esm-apps-security. So, it's unnecessary risk.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package unattended-upgrades - 1.14ubuntu1.2

---------------
unattended-upgrades (1.14ubuntu1.2) eoan; urgency=medium

  * data/50unattended-upgrades.Ubuntu: add new ESM repositories (LP: #1857051)
  * Update md5sum of 50unattended-upgrades.Ubuntu

 -- Balint Reczey <email address hidden> Mon, 17 Feb 2020 12:29:17 +0100

Changed in unattended-upgrades (Ubuntu Eoan):
status: Fix Committed → Fix Released
Łukasz Zemczak (sil2100) wrote : Update Released

The verification of the Stable Release Update for unattended-upgrades has completed successfully and the package is now being released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package unattended-upgrades - 1.1ubuntu1.18.04.14

---------------
unattended-upgrades (1.1ubuntu1.18.04.14) bionic; urgency=medium

  * data/50unattended-upgrades.Ubuntu: add new ESM repositories (LP: #1857051)

 -- Balint Reczey <email address hidden> Mon, 17 Feb 2020 12:37:03 +0100

Changed in unattended-upgrades (Ubuntu Bionic):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package unattended-upgrades - 1.1ubuntu1.18.04.7~16.04.6

---------------
unattended-upgrades (1.1ubuntu1.18.04.7~16.04.6) xenial; urgency=medium

  * data/50unattended-upgrades.Ubuntu: add new ESM repositories (LP: #1857051)

 -- Balint Reczey <email address hidden> Mon, 17 Feb 2020 12:39:28 +0100

Changed in unattended-upgrades (Ubuntu Xenial):
status: Fix Committed → Fix Released