[SRU] update-manager crashes when ua security-status response is an error

Thanks, Gregorym, for reporting this.

I do not see anything wrong in the attached log files regarding ubuntu-pro-client. The status looks good and there are no error traces.

Per your error traceback, it looks like update-manager is trying to json-decode the output of some, presumably pro, command, and failing. I have attached update-manager to the bug.

Checking into update-manager source code in jammy, I think the command is `pro security-status --format=json`, could you please attach the output of that command?

This looks like a duplicate of https://bugs.launchpad.net/ubuntu/+source/ubuntu-advantage-tools/+bug/2058158 .

Status changed to 'Confirmed' because the bug affects multiple users.

Hi, I've reported duplicate bug 2058158. I post the output of `pro security-status --format=json` below and attach as text file my ubuntu-avantage log.

Unexpected error(s) occurred.
For more details, see the log: /var/log/ubuntu-advantage.log
To file a bug run: ubuntu-bug ubuntu-advantage-tools

Thanks for the logs.

The output of `pro security-status --format=json` and the internal error look correct, so I'm going to mark the ubuntu-advantage-tools bit as invalid.

It feels like this is something that should be handled and fixed in update-manager. https://bugs.launchpad.net/ubuntu/+source/update-manager/+bug/2049785 sounds very similar to this.

Giacomo or anyone else getting "Unexpected error(s) occurred." from 'ua security-status --format=json', can you please also attach the output of

  python3 -c 'import uaclient.api.u.pro.packages.updates.v1 as ua;print(ua.updates().updates)'

> The output of `pro security-status --format=json` and the internal error look correct, so I'm going to mark the ubuntu-advantage-tools bit as invalid.

I don't understand this bit. I wouldn't say that "Unexpected error(s) occurred." looks correct, quite on the contrary, so I'm reverting the task but please let me know if you disagree.

In any case, update-manager is also "to blame" insofar as it doesn't validate the output of that command and just directly tries to parse it as a JSON. For it, there are two possible ways forward:

1. If the output of the command is not a JSON, just skip all the Pro logic.
   Positive: Keep changes to a minimal for a backport to the LTS series.
   Negative: Buries the error and so we will not realize that the Pro logic was disabled, which is unintended behavior.
2. Use the API[1] as shown above.
   Positive: No exception is raised by the end point, and possibly it also gives the correct output even when the pro command would fail reported. This looks quite probable by the way, as from the log the command failed because of Livepatch, which update-manager has no interest in, but let's see if the affected users come back with that information.
   Negative: Changes are more encompassing as to see in [2].

[1] https://canonical-ubuntu-pro-client.readthedocs-hosted.com/en/latest/references/api/#u-pro-packages-updates-v1
[2] https://code.launchpad.net/~nteodosio/update-manager/+git/update-manager/+merge/459172

The ubuntu-advantage-tools side had been discussed internally and "invalid" concluded as the best state because the best that could be done is to improve the error message, so I'm setting that back.

Hi Nathan, here is the output from the python3 command as requested:

[UpdateInfo{'download_size': 3590030, 'origin': 'it.archive.ubuntu.com', 'package': 'librados2', 'provided_by': 'standard-updates', 'status': 'upgrade_available', 'version': '17.2.7-0ubuntu0.22.04.1'}, UpdateInfo{'download_size': 3547412, 'origin': 'it.archive.ubuntu.com', 'package': 'librbd1', 'provided_by': 'standard-updates', 'status': 'upgrade_available', 'version': '17.2.7-0ubuntu0.22.04.1'}, UpdateInfo{'download_size': 115463212, 'origin': 'brave-browser-apt-release.s3.brave.com', 'package': 'brave-browser', 'provided_by': 'standard-updates', 'status': 'upgrade_available', 'version': '1.64.109'}, UpdateInfo{'download_size': 2412, 'origin': 'it.archive.ubuntu.com', 'package': 'linux-image-oem-22.04c', 'provided_by': 'standard-security', 'status': 'upgrade_available', 'version': '6.1.0.1036.37'}, UpdateInfo{'download_size': 1674, 'origin': 'it.archive.ubuntu.com', 'package': 'linux-modules-ipu6-oem-22.04b', 'provided_by': 'standard-security', 'status': 'upgrade_available', 'version': '6.1.0.1036.37'}, UpdateInfo{'download_size': 2370, 'origin': 'it.archive.ubuntu.com', 'package': 'linux-modules-ipu6-oem-22.04c', 'provided_by': 'standard-security', 'status': 'upgrade_available', 'version': '6.1.0.1036.37'}, UpdateInfo{'download_size': 1654, 'origin': 'it.archive.ubuntu.com', 'package': 'linux-oem-22.04b', 'provided_by': 'standard-security', 'status': 'upgrade_available', 'version': '6.1.0.1036.37'}, UpdateInfo{'download_size': 1710, 'origin': 'it.archive.ubuntu.com', 'package': 'linux-oem-22.04c', 'provided_by': 'standard-security', 'status': 'upgrade_available', 'version': '6.1.0.1036.37'}, UpdateInfo{'download_size': 2284, 'origin': 'it.archive.ubuntu.com', 'package': 'linux-headers-oem-22.04c', 'provided_by': 'standard-security', 'status': 'upgrade_available', 'version': '6.1.0.1036.37'}, UpdateInfo{'download_size': 1674, 'origin': 'it.archive.ubuntu.com', 'package': 'linux-modules-ivsc-oem-22.04b', 'provided_by': 'standard-security', 'status': 'upgrade_available', 'version': '6.1.0.1036.37'}, UpdateInfo{'download_size': 2378, 'origin': 'it.archive.ubuntu.com', 'package': 'linux-modules-ivsc-oem-22.04c', 'provided_by': 'standard-security', 'status': 'upgrade_available', 'version': '6.1.0.1036.37'}]

Reproduced in Bionic:

--->
% canonical-livepatch
snap-confine has elevated permissions and is not confined but should be. [...]
% systemctl status snapd-apparmor
[...]
Mär 22 10:58:04 snapd-apparmor[3198]: Failed to load policy-features from '/etc/apparmor.d/abi/kernel-5.4-outoftree-network': No such file or directory
<---

So I guess the whole story is: /etc/apparmor.d/abi/kernel-5.4-outoftree-network is missing, which is causing snapd-apparmor to fail, which is causing Livepatch to fail, which is causing 'ua security-status' to fail, which is causing update-manager to fail.

I don't know if this helps but I've tested the patch https://code.launchpad.net/~nteodosio/update-manager/+git/update-manager/+ref/jammy-json-to-api for Jammy by nteodosio and it fixes the problem.

Many thanks for your proactivity, Giacomo!, it is always very helpful to know beforehand that a proposed change really fixes the real end user case — that's all that matters after all.

Hello Gregory, or anyone else affected,

Accepted update-manager into jammy-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/update-manager/1:22.04.20 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-jammy to verification-done-jammy. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-jammy. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Hello Gregory, or anyone else affected,

Accepted update-manager into focal-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/update-manager/1:20.04.10.21 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-focal to verification-done-focal. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-focal. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Hello Gregory, or anyone else affected,

Accepted update-manager into bionic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/update-manager/1:18.04.12 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-bionic to verification-done-bionic. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-bionic. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Hi Timo and everybody, just tested the proposed package for Jammy (22.04.4), version 1:22.04.20 and it fixes the bug for me same as it did applying the patch directly to UpdateManager.py before.

Preliminary:
- reverted UpdateManager.py to its original nonworking state
> bug is present

-updated the package to proposed version, then

Testing procedure:

mv /snap/bin/canonical-livepatch /snap/bin/canonical-livepatch.bak
>/snap/bin/canonical-livepatch printf '%s\n' '#!/bin/sh' 'exit 1'
chmod +x /snap/bin/canonical-livepatch
update-manager -c -d

Results:
software opens, runs and gives results without crashing.

Thank you for verifying the SRU for Jammy, Giacomo! You probably know that, but: After having verified the fix by running the test case, you may want to move the original Livepatch file back with 'mv /snap/bin/canonical-livepatch.bak /snap/bin/canonical-livepatch', in case it were at least partially working.

In a Ubuntu Pro attached Bionic virtual machine, I installed the 1:18.04.12 update-manager from proposed, sabotaged Livepatch with

--->
mv /snap/bin/canonical-livepatch /snap/bin/canonical-livepatch.bak
>/snap/bin/canonical-livepatch printf '%s\n' '#!/bin/sh' 'exit 1'
chmod +x /snap/bin/canonical-livepatch
<---

and launched update-manager, which opened and worked normally.

Also confirmed the bug goes away in a Ubuntu Pro attached Focal virtual machine. Installed the 1:20.04.10.21 update-manager from proposed, sabotaged Livepatch with

--->
mv /snap/bin/canonical-livepatch /snap/bin/canonical-livepatch.bak
>/snap/bin/canonical-livepatch printf '%s\n' '#!/bin/sh' 'exit 1'
chmod +x /snap/bin/canonical-livepatch
<---

and launched update-manager, which opened and worked normally.

All autopkgtests for the newly accepted update-manager (1:22.04.20) for jammy have finished running.
The following regressions have been reported in tests triggered by the package:

update-notifier/unknown (armhf)

Please visit the excuses page listed below and investigate the failures, proceeding afterwards as per the StableReleaseUpdates policy regarding autopkgtest regressions [1].

https://people.canonical.com/~ubuntu-archive/proposed-migration/jammy/update_excuses.html#update-manager

[1] https://wiki.ubuntu.com/StableReleaseUpdates#Autopkgtest_Regressions

Thank you!

All autopkgtests for the newly accepted update-manager (1:20.04.10.21) for focal have finished running.
The following regressions have been reported in tests triggered by the package:

ubuntu-release-upgrader/1:20.04.41 (armhf)

Please visit the excuses page listed below and investigate the failures, proceeding afterwards as per the StableReleaseUpdates policy regarding autopkgtest regressions [1].

https://people.canonical.com/~ubuntu-archive/proposed-migration/focal/update_excuses.html#update-manager

[1] https://wiki.ubuntu.com/StableReleaseUpdates#Autopkgtest_Regressions

Thank you!

Focal still has an ubuntu-release-upgrader regression on armhf. I triggered that one again.

Jammy is ok.

Bionic is ok, but can't be released before focal.

The xenial upload is still in unapproved, probably because there is another xenial SRU going on
 in xenial-proposed: 1:16.04.21

This bug was fixed in the package update-manager - 1:22.04.20

---------------
update-manager (1:22.04.20) jammy; urgency=medium

  * Replace Popen to 'ua security-status --format=json' by the Ubuntu Pro API.
    The former is not stable enough and would break the program once in a
    while when something unrelated to Update Manager (Livepatch, for instance)
    went awry. The updates() end point from the API, on the other hand,
    does not raise exceptions. LP: #2058133.

 -- Nathan Pratta Teodosio <email address hidden> Fri, 22 Mar 2024 08:24:04 +0100

The verification of the Stable Release Update for update-manager has completed successfully and the package is now being released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Hallo Andreas,

also so ganz schlau bin ich aus dem Ganzen nicht geworden. Denn meine
Aktualisierungsverwaltung hakt nach wie vor.

Wenn ich hingegen den von Dir übermittelten Befehl eingebe im Terminal,
aktualisiert das alles problemlos.

mfG

Rainer Bruns

Am 11.04.24 um 21:08 schrieb Andreas Hasenack:
> Focal still has an ubuntu-release-upgrader regression on armhf. I
> triggered that one again.
>
> Jammy is ok.
>
> Bionic is ok, but can't be released before focal.
>
> The xenial upload is still in unapproved, probably because there is another xenial SRU going on
> in xenial-proposed: 1:16.04.21
>

 > Denn meine Aktualisierungsverwaltung hakt nach wie vor.

Derzeit ist das Update nur für Jammy veröffentlicht (was ist deine
Version?) und allerdings nur vor kurzer Zeit. Das heißt, dass es noch
nicht für jedermann verfügbar ist (c.f. phased updates[1]).

[1] https://wiki.ubuntuusers.de/Aktualisierungen/phased_update/

SRU Team: The phasing in 22.04 was blocked due to LP:2004482. That is not a problem of update-manager though, but caused by a namespace conflict between ubuntu-advantage-tools and opcua-client-gui when installed via Pip[1].

I think therefore that the phasing should be continued.

[1] https://github.com/canonical/ubuntu-pro-client/issues/2434