** Description changed: [ Impact ] - * An explanation of the effects of the bug on users and + src:ubuntu-advantage-tools version 31 introduced[1] an apparmor profile + to the apt-news service. It's known that some ubuntu systems do not have + apparmor enabled, and this was considered. The systemd.exec(5) manpage + states that the AppArmorProfile setting has no effect if apparmor is + disabled[2]. This was tested and verified. - * justification for backporting the fix to the stable release. + Turns out, however, that apparmor can be enabled on a system, but + without the apparmor package installed. When this package is not + installed, no profiles are loaded. Crucially, this also means that the + ubuntu_pro_apt_news profile, used by apt-news.service, is also not + loaded. - * In addition, it is helpful, but not required, to include an - explanation of how the upload fixes this bug. + This situation is different than "apparmor is disabled", and systemd + will try to launch apt-news confined by ubuntu_pro_apt_news. But since + that profile is not loaded into the kernel, the service will fail. + + apt-news.service is called as an apt update hook, but its failure does not fail apt, since it's guarded[3] by "|| true", i.e., failures in the hook are ignored. + The only impact is that apt news won't be fetched. + [ Test Plan ] - * detailed instructions how to reproduce the bug + * detailed instructions how to reproduce the bug - * these should allow someone who is not familiar with the affected - package to reproduce the bug and verify that the updated package fixes - the problem. + * these should allow someone who is not familiar with the affected + package to reproduce the bug and verify that the updated package fixes + the problem. - * if other testing is appropriate to perform before landing this update, - this should also be described here. + * if other testing is appropriate to perform before landing this update, + this should also be described here. [ Where problems could occur ] - * Think about what the upload changes in the software. Imagine the change is - wrong or breaks something else: how would this show up? + * Think about what the upload changes in the software. Imagine the change is + wrong or breaks something else: how would this show up? - * It is assumed that any SRU candidate patch is well-tested before - upload and has a low overall risk of regression, but it's important - to make the effort to think about what ''could'' happen in the - event of a regression. + * It is assumed that any SRU candidate patch is well-tested before + upload and has a low overall risk of regression, but it's important + to make the effort to think about what ''could'' happen in the + event of a regression. - * This must '''never''' be "None" or "Low", or entirely an argument as to why - your upload is low risk. + * This must '''never''' be "None" or "Low", or entirely an argument as to why + your upload is low risk. - * This both shows the SRU team that the risks have been considered, - and provides guidance to testers in regression-testing the SRU. + * This both shows the SRU team that the risks have been considered, + and provides guidance to testers in regression-testing the SRU. [ Other Info ] - - * Anything else you think is useful to include - * Anticipate questions from users, SRU, +1 maintenance, security teams and the Technical Board - * and address these questions in advance + + * Anything else you think is useful to include + * Anticipate questions from users, SRU, +1 maintenance, security teams and the Technical Board + * and address these questions in advance + + + 1. https://github.com/canonical/ubuntu-pro-client/pull/2794 + 2. https://www.freedesktop.org/software/systemd/man/latest/systemd.exec.html#AppArmorProfile= + 3. https://git.launchpad.net/ubuntu/+source/ubuntu-advantage-tools/tree/apt-hook/20apt-esm-hook.conf#n2 + [ Original Description ] After ubuntu-pro-client was installed the following errors are being logged. Mar 14 09:00:11 edmonton systemd[1]: Starting Update APT News... Mar 14 09:00:11 edmonton systemd[2927302]: apt-news.service: Failed to prepare AppArmor profile chang e to ubuntu_pro_apt_news: No such file or directory Mar 14 09:00:11 edmonton systemd[2927302]: apt-news.service: Failed at step APPARMOR spawning /usr/bi n/python3: No such file or directory The updates that started the problem: Start-Date: 2024-03-13 22:00:22 Commandline: apt-get -y -o Dpkg::Options::=--force-confnew dist-upgrade Install: ubuntu-pro-client:amd64 (31.2~22.04, automatic) Upgrade: ubuntu-advantage-tools:amd64 (30~22.04, 31.2~22.04) End-Date: 2024-03-13 22:00:28 This is happening on all servers where this update is installed. ProblemType: Bug DistroRelease: Ubuntu 22.04 Package: ubuntu-pro-client 31.2~22.04 ProcVersionSignature: Ubuntu 5.15.0-91.101-generic 5.15.131 Uname: Linux 5.15.0-91-generic x86_64 ApportVersion: 2.20.11-0ubuntu82.5 Architecture: amd64 CasperMD5CheckResult: unknown Date: Thu Mar 14 10:02:35 2024 ProcEnviron: TERM=xterm-256color PATH=(custom, no user) LANG=en_US.UTF-8 SHELL=/bin/bash RebootRequiredPkgs: Error: path contained symlinks. SourcePackage: ubuntu-advantage-tools UpgradeStatus: No upgrade log present (probably fresh install) apparmor_logs.txt: cloud-id.txt-error: Invalid command specified 'cloud-id'. livepatch-status.txt-error: Invalid command specified '/snap/bin/canonical-livepatch status'. uaclient.conf: contract_url: https://contracts.canonical.com log_level: debug
** Description changed: [ Impact ] src:ubuntu-advantage-tools version 31 introduced[1] an apparmor profile to the apt-news service. It's known that some ubuntu systems do not have apparmor enabled, and this was considered. The systemd.exec(5) manpage states that the AppArmorProfile setting has no effect if apparmor is disabled[2]. This was tested and verified. Turns out, however, that apparmor can be enabled on a system, but without the apparmor package installed. When this package is not installed, no profiles are loaded. Crucially, this also means that the ubuntu_pro_apt_news profile, used by apt-news.service, is also not loaded. This situation is different than "apparmor is disabled", and systemd will try to launch apt-news confined by ubuntu_pro_apt_news. But since that profile is not loaded into the kernel, the service will fail. - apt-news.service is called as an apt update hook, but its failure does not fail apt, since it's guarded[3] by "|| true", i.e., failures in the hook are ignored. - The only impact is that apt news won't be fetched. - + apt-news.service is called as an apt update hook, but its failure does + not fail apt, since it's guarded[3] by "|| true", i.e., failures in the + hook are ignored. The only impact is that apt news won't be fetched. [ Test Plan ] * detailed instructions how to reproduce the bug * these should allow someone who is not familiar with the affected package to reproduce the bug and verify that the updated package fixes the problem. * if other testing is appropriate to perform before landing this update, this should also be described here. [ Where problems could occur ] * Think about what the upload changes in the software. Imagine the change is wrong or breaks something else: how would this show up? * It is assumed that any SRU candidate patch is well-tested before upload and has a low overall risk of regression, but it's important to make the effort to think about what ''could'' happen in the event of a regression. * This must '''never''' be "None" or "Low", or entirely an argument as to why your upload is low risk. * This both shows the SRU team that the risks have been considered, and provides guidance to testers in regression-testing the SRU. [ Other Info ] * Anything else you think is useful to include * Anticipate questions from users, SRU, +1 maintenance, security teams and the Technical Board * and address these questions in advance - 1. https://github.com/canonical/ubuntu-pro-client/pull/2794 2. https://www.freedesktop.org/software/systemd/man/latest/systemd.exec.html#AppArmorProfile= 3. https://git.launchpad.net/ubuntu/+source/ubuntu-advantage-tools/tree/apt-hook/20apt-esm-hook.conf#n2 - [ Original Description ] After ubuntu-pro-client was installed the following errors are being logged. Mar 14 09:00:11 edmonton systemd[1]: Starting Update APT News... Mar 14 09:00:11 edmonton systemd[2927302]: apt-news.service: Failed to prepare AppArmor profile chang e to ubuntu_pro_apt_news: No such file or directory Mar 14 09:00:11 edmonton systemd[2927302]: apt-news.service: Failed at step APPARMOR spawning /usr/bi n/python3: No such file or directory The updates that started the problem: Start-Date: 2024-03-13 22:00:22 Commandline: apt-get -y -o Dpkg::Options::=--force-confnew dist-upgrade Install: ubuntu-pro-client:amd64 (31.2~22.04, automatic) Upgrade: ubuntu-advantage-tools:amd64 (30~22.04, 31.2~22.04) End-Date: 2024-03-13 22:00:28 This is happening on all servers where this update is installed. ProblemType: Bug DistroRelease: Ubuntu 22.04 Package: ubuntu-pro-client 31.2~22.04 ProcVersionSignature: Ubuntu 5.15.0-91.101-generic 5.15.131 Uname: Linux 5.15.0-91-generic x86_64 ApportVersion: 2.20.11-0ubuntu82.5 Architecture: amd64 CasperMD5CheckResult: unknown Date: Thu Mar 14 10:02:35 2024 ProcEnviron: TERM=xterm-256color PATH=(custom, no user) LANG=en_US.UTF-8 SHELL=/bin/bash RebootRequiredPkgs: Error: path contained symlinks. SourcePackage: ubuntu-advantage-tools UpgradeStatus: No upgrade log present (probably fresh install) apparmor_logs.txt: cloud-id.txt-error: Invalid command specified 'cloud-id'. livepatch-status.txt-error: Invalid command specified '/snap/bin/canonical-livepatch status'. uaclient.conf: contract_url: https://contracts.canonical.com log_level: debug ** Description changed: [ Impact ] src:ubuntu-advantage-tools version 31 introduced[1] an apparmor profile to the apt-news service. It's known that some ubuntu systems do not have apparmor enabled, and this was considered. The systemd.exec(5) manpage states that the AppArmorProfile setting has no effect if apparmor is disabled[2]. This was tested and verified. Turns out, however, that apparmor can be enabled on a system, but without the apparmor package installed. When this package is not - installed, no profiles are loaded. Crucially, this also means that the - ubuntu_pro_apt_news profile, used by apt-news.service, is also not - loaded. + installed, no profiles are loaded. Crucially, the ubuntu_pro_apt_news + profile, used by apt-news.service, is not loaded. This situation is different than "apparmor is disabled", and systemd will try to launch apt-news confined by ubuntu_pro_apt_news. But since that profile is not loaded into the kernel, the service will fail. apt-news.service is called as an apt update hook, but its failure does not fail apt, since it's guarded[3] by "|| true", i.e., failures in the hook are ignored. The only impact is that apt news won't be fetched. [ Test Plan ] * detailed instructions how to reproduce the bug * these should allow someone who is not familiar with the affected package to reproduce the bug and verify that the updated package fixes the problem. * if other testing is appropriate to perform before landing this update, this should also be described here. [ Where problems could occur ] * Think about what the upload changes in the software. Imagine the change is wrong or breaks something else: how would this show up? * It is assumed that any SRU candidate patch is well-tested before upload and has a low overall risk of regression, but it's important to make the effort to think about what ''could'' happen in the event of a regression. * This must '''never''' be "None" or "Low", or entirely an argument as to why your upload is low risk. * This both shows the SRU team that the risks have been considered, and provides guidance to testers in regression-testing the SRU. [ Other Info ] * Anything else you think is useful to include * Anticipate questions from users, SRU, +1 maintenance, security teams and the Technical Board * and address these questions in advance 1. https://github.com/canonical/ubuntu-pro-client/pull/2794 2. https://www.freedesktop.org/software/systemd/man/latest/systemd.exec.html#AppArmorProfile= 3. https://git.launchpad.net/ubuntu/+source/ubuntu-advantage-tools/tree/apt-hook/20apt-esm-hook.conf#n2 [ Original Description ] After ubuntu-pro-client was installed the following errors are being logged. Mar 14 09:00:11 edmonton systemd[1]: Starting Update APT News... Mar 14 09:00:11 edmonton systemd[2927302]: apt-news.service: Failed to prepare AppArmor profile chang e to ubuntu_pro_apt_news: No such file or directory Mar 14 09:00:11 edmonton systemd[2927302]: apt-news.service: Failed at step APPARMOR spawning /usr/bi n/python3: No such file or directory The updates that started the problem: Start-Date: 2024-03-13 22:00:22 Commandline: apt-get -y -o Dpkg::Options::=--force-confnew dist-upgrade Install: ubuntu-pro-client:amd64 (31.2~22.04, automatic) Upgrade: ubuntu-advantage-tools:amd64 (30~22.04, 31.2~22.04) End-Date: 2024-03-13 22:00:28 This is happening on all servers where this update is installed. ProblemType: Bug DistroRelease: Ubuntu 22.04 Package: ubuntu-pro-client 31.2~22.04 ProcVersionSignature: Ubuntu 5.15.0-91.101-generic 5.15.131 Uname: Linux 5.15.0-91-generic x86_64 ApportVersion: 2.20.11-0ubuntu82.5 Architecture: amd64 CasperMD5CheckResult: unknown Date: Thu Mar 14 10:02:35 2024 ProcEnviron: TERM=xterm-256color PATH=(custom, no user) LANG=en_US.UTF-8 SHELL=/bin/bash RebootRequiredPkgs: Error: path contained symlinks. SourcePackage: ubuntu-advantage-tools UpgradeStatus: No upgrade log present (probably fresh install) apparmor_logs.txt: cloud-id.txt-error: Invalid command specified 'cloud-id'. livepatch-status.txt-error: Invalid command specified '/snap/bin/canonical-livepatch status'. uaclient.conf: contract_url: https://contracts.canonical.com log_level: debug -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/2057937 Title: apt-news.service reporting errors after ubuntu-pro-client install To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/ubuntu-advantage-tools/+bug/2057937/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs