[Bug 1938043] Re: ubuntu-security-status
This bug was fixed in the package update-manager - 1:20.04.10.9 --- update-manager (1:20.04.10.9) focal; urgency=medium * ubuntu-security-status: use ubuntu-advantage-tools to determine whether or not livepatch or esm are enabled and if the system is attached. Thanks to Chad Smith for the patch. (LP: #1938043) -- Brian Murray Fri, 03 Sep 2021 15:17:22 -0700 ** Changed in: update-manager (Ubuntu Focal) Status: Fix Committed => Fix Released -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1938043 Title: ubuntu-security-status To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/update-manager/+bug/1938043/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1938043] Re: ubuntu-security-status
Verified success on Focal for update-manager1:20.04.10.9 === Verification script === #!/bin/bash # assert old version incorrectly reports unattached when livepatch is disabled # assert new version properly reports attached regardless of livepatch enabled/disabled # assert new version reports detached when not attached to active ua contract TOKEN=$1 cat > setup_proposed.sh
[Bug 1938043] Re: ubuntu-security-status
The issue is addressed! -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1938043 Title: ubuntu-security-status To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/update-manager/+bug/1938043/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1938043] Re: ubuntu-security-status
Hello Nikos, or anyone else affected, Accepted update-manager into focal-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/update- manager/1:20.04.10.9 in a few hours, and then in the -proposed repository. Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users. If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed- focal to verification-done-focal. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification- failed-focal. In either case, without details of your testing we will not be able to proceed. Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping! N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days. ** Changed in: update-manager (Ubuntu Focal) Status: Triaged => Fix Committed ** Tags added: verification-needed verification-needed-focal -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1938043 Title: ubuntu-security-status To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/update-manager/+bug/1938043/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1938043] Re: ubuntu-security-status
** Description changed: - In 20.04 ubuntu-security-status incorrect reports the status of - subscription: + Impact + -- + ubuntu-security-status incorrectly reports the status of Ubuntu Advantage subscriptions. + + Test Case + - + 1) ua attach + 2) ubuntu-security-status + + With the version of the package in the release pocket you'll see output + ending with "This machine is not attached to an Ubuntu Advantage + subscription" + + With the version of the package from -proposed the output will not say + you are not attached. + + Another test case + 1) Run the version of ubuntu-security-status from -proposed on an unattached system + + You'll see output with "This machine is not attached to an Ubuntu + Advantage subscription" + + Where things could go wrong + --- + Its possible that ubuntu-security-status could think that a UA subscription is attached when in fact one is not attached so ubuntu-security-status should also be run on an unattached system. + + Original Description + + In 20.04 ubuntu-security-status incorrect reports the status of subscription: ``` - $ sudo ubuntu-security-status + $ sudo ubuntu-security-status 1594 packages installed, of which: 1588 receive package updates with LTS until 4/2025 -6 are receiving security updates with ESM Apps until 4/2030 + 6 are receiving security updates with ESM Apps until 4/2030 This machine is not attached to an Ubuntu Advantage subscription. See https://ubuntu.com/advantage ``` It shows no subscription in the system even though there is. ua status correctly shows the subscription: ``` $ ua status SERVICE ENTITLED STATUSDESCRIPTION cis yes disabled Center for Internet Security Audit Tools esm-apps yes enabled UA Apps: Extended Security Maintenance (ESM) esm-infra yes enabled UA Infra: Extended Security Maintenance (ESM) fips yes disabled NIST-certified core packages fips-updates yes disabled NIST-certified core packages with priority security updates livepatch yes disabled Canonical Livepatch service Enable services with: ua enable - Account: Canonical - staff -Subscription: UA Applications - Essential (Virtual) - Valid until: 3999-12-31 00:00:00 + Account: Canonical - staff + Subscription: UA Applications - Essential (Virtual) + Valid until: 3999-12-31 00:00:00 Technical support level: essential ``` -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1938043 Title: ubuntu-security-status To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/update-manager/+bug/1938043/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1938043] Re: ubuntu-security-status
This bug was fixed in the package update-manager - 1:21.10.4 --- update-manager (1:21.10.4) impish; urgency=medium * ubuntu-security-status: use ubuntu-advantage-tools to determine whether or not livepatch or esm are enabled and if the system is attached. Thanks to Chad Smith for the patch. (LP: #1938043) -- Brian Murray Fri, 03 Sep 2021 14:43:22 -0700 ** Changed in: update-manager (Ubuntu) Status: In Progress => Fix Released -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1938043 Title: ubuntu-security-status To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/update-manager/+bug/1938043/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1938043] Re: ubuntu-security-status
** Branch linked: lp:update-manager -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1938043 Title: ubuntu-security-status To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/update-manager/+bug/1938043/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1938043] Re: ubuntu-security-status
** Changed in: update-manager (Ubuntu) Assignee: (unassigned) => Brian Murray (brian-murray) ** Changed in: update-manager (Ubuntu) Status: New => In Progress -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1938043 Title: ubuntu-security-status To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/update-manager/+bug/1938043/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1938043] Re: ubuntu-security-status
Updated patch file per comment #6 ** Patch removed: "lp-1938043-ua-status-attach-fix.patch" https://bugs.launchpad.net/ubuntu/+source/update-manager/+bug/1938043/+attachment/5522622/+files/lp-1938043-ua-status-attach-fix.patch ** Patch added: "lp-1938043-ua-status-attach-fix.patch" https://bugs.launchpad.net/ubuntu/+source/update-manager/+bug/1938043/+attachment/5522639/+files/lp-1938043-ua-status-attach-fix.patch -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1938043 Title: ubuntu-security-status To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/update-manager/+bug/1938043/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1938043] Re: ubuntu-security-status
Corrected patch to drop unused livepatch_is_enabled. Ran it through python3 -m flake8 and pyflakes and tested on focal machines which were attached, unattached both with and without the cache file /var/lib/ubuntu-advantage/status.json cache file (which forces a subprocess call to "ua status --format=json" Below is my manual test run output: root@dev-f:~# # install hello package which is provided as well from ESM repos root@dev-f:~# apt install hello=2.10-2ubuntu2 Reading package lists... Done Building dependency tree Reading state information... Done hello is already the newest version (2.10-2ubuntu2). 0 upgraded, 0 newly installed, 0 to remove and 15 not upgraded. root@dev-f:~# apt policy hello hello: Installed: 2.10-2ubuntu2 Candidate: 2.10-2ubuntu2 Version table: *** 2.10-2ubuntu2 500 500 http://archive.ubuntu.com/ubuntu focal/main amd64 Packages 100 /var/lib/dpkg/status root@dev-f:~# # unattached machine, no status.json cache root@dev-f:~# [ -f /var/lib/ubuntu-advantage/status.json ] && echo JSON CACHE PRESENT || echo JSON CACHE ABSENT JSON CACHE ABSENT root@dev-f:~# /ubuntu-security-status 589 packages installed, of which: 586 receive package updates with LTS until 4/2025 3 could receive security updates with ESM Apps until 4/2030 Enable Extended Security Maintenance (ESM Apps) to get 1 security update (so far) and enable coverage of 3 packages. This machine is not attached to an Ubuntu Advantage subscription. See https://ubuntu.com/advantage root@dev-f:~# # JSON CACHE IS PRESENT NOW root@dev-f:~# [ -f /var/lib/ubuntu-advantage/status.json ] && echo JSON CACHE PRESENT || echo JSON CACHE ABSENT JSON CACHE PRESENT root@dev-f:~# /ubuntu-security-status 589 packages installed, of which: 586 receive package updates with LTS until 4/2025 3 could receive security updates with ESM Apps until 4/2030 Enable Extended Security Maintenance (ESM Apps) to get 1 security update (so far) and enable coverage of 3 packages. This machine is not attached to an Ubuntu Advantage subscription. See https://ubuntu.com/advantage root@dev-f:~# # Now attach the machine to a UA contract root@dev-f:~# ua attach Enabling default service esm-apps Updating package lists UA Apps: ESM enabled Enabling default service esm-infra Updating package lists UA Infra: ESM enabled This machine is now attached to 'UA Infrastructure & Applications - Essential (Virtual)' SERVICE ENTITLED STATUSDESCRIPTION cis yes disabled Center for Internet Security Audit Tools esm-apps yes enabled UA Apps: Extended Security Maintenance (ESM) esm-infra yes enabled UA Infra: Extended Security Maintenance (ESM) fips yes disabled NIST-certified core packages fips-updates yes disabled NIST-certified core packages with priority security updates livepatch yes n/a Canonical Livepatch service NOTICES Operation in progress: ua attach Enable services with: ua enable Account: lucas.mo...@canonical.com Subscription: UA Infrastructure & Applications - Essential (Virtual) Valid until: 2022-02-23 18:11:01+00:00 Technical support level: essential root@dev-f:~# [ -f /var/lib/ubuntu-advantage/status.json ] && echo JSON CACHE PRESENT || echo JSON CACHE ABSENT JSON CACHE PRESENT root@dev-f:~# /ubuntu-security-status 589 packages installed, of which: 586 receive package updates with LTS until 4/2025 3 are receiving security updates with ESM Apps until 4/2030 root@dev-f:~# # remove cached status.json to be sure attached status correct root@dev-f:~# rm /var/lib/ubuntu-advantage/status.json root@dev-f:~# [ -f /var/lib/ubuntu-advantage/status.json ] && echo JSON CACHE PRESENT || echo JSON CACHE ABSENT JSON CACHE ABSENT root@dev-f:~# /ubuntu-security-status 589 packages installed, of which: 586 receive package updates with LTS until 4/2025 3 are receiving security updates with ESM Apps until 4/2030 ** Patch added: "lp-1938043-ua-status-attach-fix.patch" https://bugs.launchpad.net/ubuntu/+source/update-manager/+bug/1938043/+attachment/5522622/+files/lp-1938043-ua-status-attach-fix.patch ** Changed in: update-manager (Ubuntu Focal) Assignee: (unassigned) => Chad Smith (chad.smith) -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1938043 Title: ubuntu-security-status To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/update-manager/+bug/1938043/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1938043] Re: ubuntu-security-status
The attachment "ubuntu-security-status-from-ua-status.patch" seems to be a patch. If it isn't, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are a member of the ~ubuntu-reviewers, unsubscribe the team. [This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issues please contact him.] ** Tags added: patch -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1938043 Title: ubuntu-security-status To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/update-manager/+bug/1938043/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1938043] Re: ubuntu-security-status
Looks like logic in ubuntu-security-status bases that message only on whether livepatch is enabled or not. this is an invalid test because containers will not have livepatch enabled and neither will UA attached VMs with FIPS enabled. So the following test is not an accurate representation of whether the system is attached to a license: if lts and not livepatch_enabled: print("\nThis machine is not attached to an Ubuntu Advantage " "subscription.\nSee https://ubuntu.com/advantage";) Attached is a patch that would allow ubuntu-security-updates to determine both attach status and service enabled/disabled by processing `ua status --format=json` or the JSON status cache provided by UA ** Patch added: "ubuntu-security-status-from-ua-status.patch" https://bugs.launchpad.net/ubuntu/+source/update-manager/+bug/1938043/+attachment/5522439/+files/ubuntu-security-status-from-ua-status.patch -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1938043 Title: ubuntu-security-status To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/update-manager/+bug/1938043/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1938043] Re: ubuntu-security-status
Looks like logic in ubuntu-security-status bases that message only on whether livepatch is enabled or not. this is an invalid test because containers will not have livepatch enabled and neither will UA attached VMs with FIPS enabled. So the following test is not an accurate representation of whether the system is attached to a license: if lts and not livepatch_enabled: print("\nThis machine is not attached to an Ubuntu Advantage " "subscription.\nSee https://ubuntu.com/advantage";) Attached is a patch that would allow ubuntu-security-updates to determine both attach status and service enabled/disabled by processing `ua status --format=json` or the JSON status cache provided by UA ** Patch added: "ubuntu-security-status-from-ua-status.patch" https://bugs.launchpad.net/ubuntu/+source/update-manager/+bug/1938043/+attachment/5522440/+files/ubuntu-security-status-from-ua-status.patch -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1938043 Title: ubuntu-security-status To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/update-manager/+bug/1938043/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1938043] Re: ubuntu-security-status
** Changed in: update-manager (Ubuntu Focal) Status: Incomplete => Triaged -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1938043 Title: ubuntu-security-status To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/update-manager/+bug/1938043/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1938043] Re: ubuntu-security-status
Livepatch is disabled from that system (shown in the output of ua status above). -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1938043 Title: ubuntu-security-status To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/update-manager/+bug/1938043/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1938043] Re: ubuntu-security-status
Is livepatch enabled on this system? Please check using '/snap/bin/canonical-livepatch status'. ** Tags removed: rls-ff-incoming ** Also affects: update-manager (Ubuntu Focal) Importance: Undecided Status: New ** Changed in: update-manager (Ubuntu Focal) Status: New => Incomplete -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1938043 Title: ubuntu-security-status To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/update-manager/+bug/1938043/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1938043] Re: ubuntu-security-status
** Tags added: fr-1536 -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1938043 Title: ubuntu-security-status To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/update-manager/+bug/1938043/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1938043] Re: ubuntu-security-status
** Tags removed: rls-ii-incomings ** Tags added: rls-ff-incoming -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1938043 Title: ubuntu-security-status To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/update-manager/+bug/1938043/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1938043] Re: ubuntu-security-status
** Tags added: rls-ii-incomings -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1938043 Title: ubuntu-security-status To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/update-manager/+bug/1938043/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs