ubuntu-security-status

Is livepatch enabled on this system? Please check using '/snap/bin/canonical-livepatch status'.

Livepatch is disabled from that system (shown in the output of ua status above).

Looks like logic in ubuntu-security-status bases that message only on whether livepatch is enabled or not. this is an invalid test because containers will not have livepatch enabled and neither will UA attached VMs with FIPS enabled.

So the following test is not an accurate representation of whether the system is attached to a license:

    if lts and not livepatch_enabled:
         print("\nThis machine is not attached to an Ubuntu Advantage "
               "subscription.\nSee https://ubuntu.com/advantage")

Attached is a patch that would allow ubuntu-security-updates to determine both attach status and service enabled/disabled by processing `ua status --format=json` or the JSON status cache provided by UA

Looks like logic in ubuntu-security-status bases that message only on whether livepatch is enabled or not. this is an invalid test because containers will not have livepatch enabled and neither will UA attached VMs with FIPS enabled.

So the following test is not an accurate representation of whether the system is attached to a license:

    if lts and not livepatch_enabled:
         print("\nThis machine is not attached to an Ubuntu Advantage "
               "subscription.\nSee https://ubuntu.com/advantage")

Attached is a patch that would allow ubuntu-security-updates to determine both attach status and service enabled/disabled by processing `ua status --format=json` or the JSON status cache provided by UA

The attachment "ubuntu-security-status-from-ua-status.patch" seems to be a patch. If it isn't, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are a member of the ~ubuntu-reviewers, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issues please contact him.]

Corrected patch to drop unused livepatch_is_enabled.
Ran it through python3 -m flake8 and pyflakes and tested on focal machines which were attached, unattached both with and without the cache file /var/lib/ubuntu-advantage/status.json cache file (which forces a subprocess call to "ua status --format=json"

Below is my manual test run output:
root@dev-f:~# # install hello package which is provided as well from ESM repos
root@dev-f:~# apt install hello=2.10-2ubuntu2
Reading package lists... Done
Building dependency tree
Reading state information... Done
hello is already the newest version (2.10-2ubuntu2).
0 upgraded, 0 newly installed, 0 to remove and 15 not upgraded.
root@dev-f:~# apt policy hello
hello:
  Installed: 2.10-2ubuntu2
  Candidate: 2.10-2ubuntu2
  Version table:
 *** 2.10-2ubuntu2 500
        500 http://archive.ubuntu.com/ubuntu focal/main amd64 Packages
        100 /var/lib/dpkg/status
root@dev-f:~# # unattached machine, no status.json cache
root@dev-f:~# [ -f /var/lib/ubuntu-advantage/status.json ] && echo JSON CACHE PRESENT || echo JSON CACHE ABSENT
JSON CACHE ABSENT
root@dev-f:~# /ubuntu-security-status
589 packages installed, of which:
586 receive package updates with LTS until 4/2025
  3 could receive security updates with ESM Apps until 4/2030

Enable Extended Security Maintenance (ESM Apps) to get 1 security
update (so far) and enable coverage of 3 packages.

This machine is not attached to an Ubuntu Advantage subscription.
See https://ubuntu.com/advantage
root@dev-f:~# # JSON CACHE IS PRESENT NOW
root@dev-f:~# [ -f /var/lib/ubuntu-advantage/status.json ] && echo JSON CACHE PRESENT || echo JSON CACHE ABSENT
JSON CACHE PRESENT
root@dev-f:~# /ubuntu-security-status
589 packages installed, of which:
586 receive package updates with LTS until 4/2025
  3 could receive security updates with ESM Apps until 4/2030

Enable Extended Security Maintenance (ESM Apps) to get 1 security
update (so far) and enable coverage of 3 packages.

This machine is not attached to an Ubuntu Advantage subscription.
See https://ubuntu.com/advantage
root@dev-f:~# # Now attach the machine to a UA contract
root@dev-f:~# ua attach <REDACTED_TOKEN>
Enabling default service esm-apps
Updating package lists
UA Apps: ESM enabled
Enabling default service esm-infra
Updating package lists
UA Infra: ESM enabled
This machine is now attached to 'UA Infrastructure & Applications - Essential (Virtual)'

SERVICE ENTITLED STATUS DESCRIPTION
cis yes disabled Center for Internet Security Audit Tools
esm-apps yes enabled UA Apps: Extended Security Maintenance (ESM)
esm-infra yes enabled UA Infra: Extended Security Maintenance (ESM)
fips yes disabled NIST-certified core packages
fips-updates yes disabled NIST-certified core packages with priority security updates
livepatch yes n/a Canonical Livepatch service

NOTICES
Operation in progress: ua attach

Enable services with: ua enable <service>

                Account: <email address hidden>
           Subscription: UA Infrastructure & Applications - Essential (Virtual)
            Valid until: 2022-02-23 18:11:01+00:00
Tec...

Updated patch file per comment #6

This bug was fixed in the package update-manager - 1:21.10.4

---------------
update-manager (1:21.10.4) impish; urgency=medium

  * ubuntu-security-status: use ubuntu-advantage-tools to determine whether or
    not livepatch or esm are enabled and if the system is attached. Thanks to
    Chad Smith for the patch. (LP: #1938043)

 -- Brian Murray <email address hidden> Fri, 03 Sep 2021 14:43:22 -0700

Hello Nikos, or anyone else affected,

Accepted update-manager into focal-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/update-manager/1:20.04.10.9 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-focal to verification-done-focal. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-focal. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

The issue is addressed!

Verified success on Focal for update-manager 1:20.04.10.9

=== Verification script ===

#!/bin/bash
# assert old version incorrectly reports unattached when livepatch is disabled
# assert new version properly reports attached regardless of livepatch enabled/disabled
# assert new version reports detached when not attached to active ua contract

TOKEN=$1

cat > setup_proposed.sh <<EOF
#/bin/bash
mirror=http://archive.ubuntu.com/ubuntu
echo deb \$mirror \$(lsb_release -sc)-proposed main | tee /etc/apt/sources.list.d/proposed.list
apt-get update -q
apt-get install -qy update-manager | grep update-manager
dpkg-query --show update-manager
EOF

multipass launch focal -n vm-f
multipass exec vm-f sudo apt install hello
multipass exec vm-f -- dpkg-query --show hello
multipass exec vm-f -- dpkg-query --show update-manager
multipass exec vm-f -- ua status
multipass exec vm-f -- ubuntu-security-status
multipass exec vm-f -- ubuntu-security-status | grep "This machine is not attached to an Ubuntu Advantage subscription." || echo "FAILURE: ubuntu-security-status didn't report unattached"
multipass exec vm-f -- sudo ua attach $TOKEN
# Expect no unattached message because livepatch is running
multipass exec vm-f -- ubuntu-security-status | grep "This machine is not attached to an Ubuntu Advantage subscription." && echo "FAILED: OLD VERSION should NOT report attached state when livepatch is active"
multipass exec vm-f -- sudo ua disable livepatch
multipass exec vm-f -- ubuntu-security-status | grep "This machine is not attached to an Ubuntu Advantage subscription." || echo "FAILED: OLD VERSION DID NOT report unattached state when livepatch disabled"
echo "Upgrade to focal-proposed update-manager"
multipass transfer setup_proposed.sh vm-f:.
multipass exec vm-f sudo bash /home/ubuntu/setup_proposed.sh
multipass exec vm-f -- ubuntu-security-status
multipass exec vm-f -- ubuntu-security-status | grep "This machine is not attached to an Ubuntu Advantage subscription." && echo "FAILED: PROPOSED VERSION DID NOT report attached state when livepatch disabled"
multipass exec vm-f -- sudo ua enable livepatch
multipass exec vm-f -- ubuntu-security-status | grep "This machine is not attached to an Ubuntu Advantage subscription." && echo "FAILED: PROPOSED VERSION DID NOT report attached state when livepatch enabled"
multipass exec vm-f -- sudo ua detach
multipass exec vm-f -- ubuntu-security-status
multipass exec vm-f -- ubuntu-security-status | grep "This machine is not attached to an Ubuntu Advantage subscription." || echo "FAILED: PROPOSED VERSION DID NOT report unattached state when detached"

==== Verification output ====
Note: no "FAILURE" messages
Note: new update manager reports attach regardless of livepatch status
Note: ubuntu-security-status properly reports unattached after `ua detach` called

Launched: vm-f
Reading package lists... Done
Building dependency tree
Read...

This bug was fixed in the package update-manager - 1:20.04.10.9

---------------
update-manager (1:20.04.10.9) focal; urgency=medium

  * ubuntu-security-status: use ubuntu-advantage-tools to determine whether or
    not livepatch or esm are enabled and if the system is attached. Thanks to
    Chad Smith for the patch. (LP: #1938043)

 -- Brian Murray <email address hidden> Fri, 03 Sep 2021 15:17:22 -0700

The verification of the Stable Release Update for update-manager has completed successfully and the package is now being released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.