adds ESM to sources.list.d unconditionally, despite it being x86-only
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
ubuntu-advantage-script |
Fix Released
|
Unknown
|
|||
ubuntu-advantage-tools (Ubuntu) |
Fix Released
|
High
|
Andreas Hasenack | ||
Trusty |
Fix Released
|
High
|
Andreas Hasenack |
Bug Description
[Impact]
The ubuntu-
Turns out that ESM is only available for the x86 architecture, and installing that sources.list snippet for other architectures leads to apt-get update failures.
A mitigation was put in place on the ESM repository to publish an empty archive for these unsupported architectures, so apt-get update won't fail.
The change in this SRU adds another case for when postinst configures and unconfigures ESM, and that is an architecture check via `dpkg --print-
This by itself is not enough to prevent users from trying to enable esm-infra on non-x86 architectures, as the contract server is still incorrectly advertising that support. This has been fixed in the staging deployment and a production deployment with this change should happen soon as well, completing the fix for this issue.
[Test Case]
# Install the current trusty-updates ubuntu-
$ sudo apt install ubuntu-
# verify that apt-get update is hitting the esm repository:
$ sudo apt-get update | grep esm
Get:1 https:/
Get:2 https:/
...
# verify that an esm pinning file was installed. Check that esm.ubuntu.com shows up in the apt-cache policy output, and that its pinning is negative:
$ apt-cache policy | grep esm
-32768 https:/
origin esm.ubuntu.com
-32768 https:/
origin esm.ubuntu.com
# upgrade to the ubuntu-
$ sudo apt install ubuntu-
$ apt-get update | grep esm
<empty>
$ apt-cache policy | grep esm
<empty>
# conversely, on a x86 system, the output should remain the same, i.e., esm should be listed and again with a negative pinning
[Regression Potential]
The logic relies on architecture names returned by `dpkg --print-
[Other Info]
The knowledge about which architectures are supported is now statically stored in the package, which is a bit unfortunate. The final authority is the contract server, and the actual esm repository. This information is sent to the client, but we are not making a network call in postinst to verify that. One reason being that the launchpad builders and DEP8 runners block such egress traffic.
If esm-infra was already enabled before applying the update, it will become disabled on non-x86 architectures. Since there are no non-x86 ESM updates available, this is just reflecting the truth about the support.
[Original Description]
The shiny new ubuntu-
Personally, I think it's a bug we don't publish ESM for all the same arches as we released for (even if we don't update all the packages for all arches, people would at least get things like tzdata updates), but if the intent is to be strictly x86-only, then ubuntu-
Related branches
- Bryce Harrington (community): Approve
- Chad Smith: Pending requested
-
Diff: 44 lines (+16/-1)2 files modifieddebian/changelog (+6/-0)
debian/postinst (+10/-1)
Changed in ubuntu-advantage-tools (Ubuntu): | |
status: | New → Triaged |
importance: | Undecided → High |
assignee: | nobody → Andreas Hasenack (ahasenack) |
Changed in ubuntu-advantage-tools (Ubuntu Trusty): | |
status: | New → Triaged |
importance: | Undecided → High |
assignee: | nobody → Andreas Hasenack (ahasenack) |
Changed in ubuntu-advantage-script: | |
status: | Unknown → New |
Changed in ubuntu-advantage-tools (Ubuntu Trusty): | |
status: | Triaged → In Progress |
description: | updated |
description: | updated |
description: | updated |
description: | updated |
description: | updated |
description: | updated |
description: | updated |
Changed in ubuntu-advantage-script: | |
status: | New → Fix Released |
description: | updated |
tags: |
added: verification-done removed: verification-needed |
Changed in ubuntu-advantage-tools (Ubuntu): | |
status: | Triaged → Fix Committed |
We (CPC) are seeing this issue too when trying to build Trusty non amd64/i386 images.
When we hit this yesterday Security team confirmed that ESM doesn't support other arches but we shouldn't block builds because of this change.