release-upgrade-motd can't update message via apt proxy

Bug #1771914 reported by Kaneg Gong on 2018-05-18
30
This bug affects 5 people
Affects Status Importance Assigned to Milestone
update-manager (Ubuntu)
High
Unassigned
Bionic
Undecided
Unassigned

Bug Description

[Impact]
apt proxy settings are not applied to https urls, and thus the release-upgrade-motd script fails, and upgrades from bionic to new versions won't be detected either, if you need to use a proxy. This is a regression from the 1:18.04.6 upload which switched changelogs.ubuntu.com from http to https.

[Test case]
Set acquire::http::proxy to a non-existing host, e.g. http://invalid.invalid/, and check that the tool fails.

Do the same with acquire::https::proxy.

(Kind of a reverse check, since I don't have a proxy setup to test against. If there's an actual proxy and otherwise, no internet, it can be verified by setting the actual proxy and checking that it works with it).

[Regression potential]
The fix changes the API of init_proxy() in UpdateManager/Core/utils.py to make it return a dict with 'http' and 'https' members rather than just a string. It seems the return value is only used by the test case, though, so that should be fine.

Apart from that, it also allows https proxies now, since we're doing https anyway, which means that a proxy setting ignored before now is not. The same applies to the the new proxy variables used - they were not used before, so things might fail that used to work - like you specify an invalid https proxy but don't actually need one. Low risk, though.

[Original bug report]
I have configured apt proxy in apt.conf.d and apt update and apt install can work correctly. However, when I logged in system everyday, in the login message, it says:

Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings

After further investigation, I found the the issue is caused in package python3-update-manager:

python3-update-manager: /usr/lib/python3/dist-packages/UpdateManager/Core/utils.py

In the init_proxy function of the python script, it only set a http proxy by below code:

proxy_support = ProxyHandler({"http": proxy})

after changing the line to add https proxy, it can work:

proxy_support = ProxyHandler({"http": proxy, "https":proxy})

Related branches

Kaneg Gong (kaneg) on 2018-05-18
affects: diskimage-builder → update-manager (Ubuntu)
tags: added: bionic
tags: added: rls-bb-incoming
Changed in update-manager (Ubuntu):
status: New → Triaged
importance: Undecided → High
tags: added: regression-release
Changed in update-manager (Ubuntu):
milestone: none → ubuntu-18.04.1
tags: added: id-5b02f3eecd6d6575c1cd9785
Werner Van Geit (wvangeit) wrote :

I confirm this bug. The fix proposed in the original post fixes the issue.

Julian Andres Klode (juliank) wrote :

The proposed fix is wrong, it needs to look at https proxy options for https proxies. But that's fine, we can fix that :)

Ben Smith (benjsmith) wrote :

I have the same problem - my Ubuntu machine can now not connect to the Internet at all as a result.

I tried applying the fix as described, but it didn't fix anything for me..

Ben Smith (benjsmith) wrote :

In my case, I have not configured anything special in apt.conf.d and apt install *no longer* works.

Looking at a comparable machine on the same network, it doesn't look like it should need any proxy configuration.

Ben Smith (benjsmith) wrote :

Update: appears related to resolv.conf. I copied the correct network settings into the /etc/resolv.conf, and that fixed the problem, but on reboot resolv.conf had been written into its usual state.

I will update once I've figured out what is writing to resolv.conf on my system.

Ben Smith (benjsmith) wrote :

We ended up disabling systems-resolv.

In any case, probably not related to this bug, in the end.

Julian Andres Klode (juliank) wrote :
Changed in update-manager (Ubuntu):
status: Triaged → In Progress
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package update-manager - 1:18.10.3

---------------
update-manager (1:18.10.3) cosmic; urgency=medium

  * Add support for HTTPS proxies; this breaks UpdateManager.Core.utils.init_proxy()
    API - the return value is now a dict, rather than a string (LP: #1771914).

 -- Julian Andres Klode <email address hidden> Wed, 27 Jun 2018 14:16:45 +0200

Changed in update-manager (Ubuntu):
status: In Progress → Fix Released
Changed in update-manager (Ubuntu Bionic):
status: New → Triaged
description: updated
description: updated
Changed in update-manager (Ubuntu Bionic):
status: Triaged → In Progress

Hello Kaneg, or anyone else affected,

Accepted update-manager into bionic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/update-manager/1:18.04.11.3 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed.Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-bionic to verification-done-bionic. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-bionic. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in update-manager (Ubuntu Bionic):
status: In Progress → Fix Committed
tags: added: verification-needed verification-needed-bionic
Kaneg Gong (kaneg) wrote :

I have tested the proposed packages as below:
  ii python3-update-manager 1:18.04.11.3 all python 3.x module for update-manager
  ii update-manager-core 1:18.04.11.3 all manage release upgrades

Before applying the new packages, the below command reports:

$ /usr/lib/ubuntu-release-upgrader/check-new-release
Checking for a new Ubuntu release
Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings
No new release found.

After applying the patch, it says:

$ /usr/lib/ubuntu-release-upgrader/check-new-release
Checking for a new Ubuntu release
No new release found.

There is no error message anymore. It seems the patch works.

tags: added: verification-done-bionic
removed: verification-needed-bionic
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package update-manager - 1:18.04.11.3

---------------
update-manager (1:18.04.11.3) bionic; urgency=medium

  * Add support for HTTPS proxies; this breaks UpdateManager.Core.utils.init_proxy()
    API - the return value is now a dict, rather than a string (LP: #1771914).

 -- Julian Andres Klode <email address hidden> Fri, 29 Jun 2018 14:44:16 +0200

Changed in update-manager (Ubuntu Bionic):
status: Fix Committed → Fix Released

The verification of the Stable Release Update for update-manager has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Oliver Brakmann (obrakmann) wrote :

This is still broken when you use something like apt-cacher-ng

Julian Andres Klode (juliank) wrote :

Sorry, obrakmann, but I don't think there's much to do there. I think you could patch acng to always accept HTTPS connections to changelogs.u.c, but I'm not sure I want to pursue that.

apt-cacher-ng can work around this without patching, just add

PassThroughPattern: ^changelogs.ubuntu.com:443$

to /etc/apt-cacher-ng/acng.conf

Perhaps that could even be put in to apt-cacher-ng package?

To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers