** Description changed:

  [ Impact ]

  src:ubuntu-advantage-tools version 31 introduced[1] an apparmor profile to the apt-news service. It's known that some ubuntu systems do not have apparmor enabled, and this was considered. The systemd.exec(5) manpage states that the AppArmorProfile setting has no effect if apparmor is disabled[2]. This was tested and verified.

  Turns out, however, that apparmor can be enabled on a system, but without the apparmor package installed. When this package is not installed, no profiles are loaded. Crucially, the ubuntu_pro_apt_news profile, used by apt-news.service, is not loaded. This situation is different than "apparmor is disabled", and systemd will try to launch apt-news confined by ubuntu_pro_apt_news. But since that profile is not loaded into the kernel, the service will fail.

  apt-news.service is called as an apt update hook, but its failure does not fail apt, since it's guarded[3] by "|| true", i.e., failures in the hook are ignored. The only impact is that apt news won't be fetched.

  [ Test Plan ]

  To reproduce the problem, launch an ubuntu lxd container, or a VM, and:

  # install ubuntu-advantage-tools 31 or later. It's in updates right now, so just make sure the system is updated:
  sudo apt update && sudo apt install ubuntu-advantage-tools -y

  # verify it's version 31 or higher:
  $ dpkg -l ubuntu-advantage-tools | grep ubuntu-advantage-tools
  ii  ubuntu-advantage-tools 31.2~22.04 all transitional dummy package for ubuntu-pro-client
-
  # remove (not purge) apparmor:
  sudo apt remove apparmor -y

  # reboot
  sudo reboot

  # start apt-news.service, and verify it fails:
  $ sudo systemctl start apt-news.service
  Job for apt-news.service failed because the control process exited with error code.
  See "systemctl status apt-news.service" and "journalctl -xeu apt-news.service" for details.

  # The log will show it's because it couldn't confine the service with the ubuntu_pro_apt_news profile:
  $ systemctl status apt-news.service
  × apt-news.service - Update APT News
-      Loaded: loaded (/lib/systemd/system/apt-news.service; static)
-      Active: failed (Result: exit-code) since Mon 2024-03-18 20:35:41 UTC; 35s ago
-     Process: 263 ExecStart=/usr/bin/python3 /usr/lib/ubuntu-advantage/apt_news.py (code=exited, status=231/APPARMOR)
-    Main PID: 263 (code=exited, status=231/APPARMOR)
-         CPU: 7ms
+      Loaded: loaded (/lib/systemd/system/apt-news.service; static)
+      Active: failed (Result: exit-code) since Mon 2024-03-18 20:35:41 UTC; 35s ago
+     Process: 263 ExecStart=/usr/bin/python3 /usr/lib/ubuntu-advantage/apt_news.py (code=exited, status=231/APPARMOR)
+    Main PID: 263 (code=exited, status=231/APPARMOR)
+         CPU: 7ms

  Mar 18 20:35:41 j systemd[1]: Starting Update APT News...
  Mar 18 20:35:41 j systemd[263]: apt-news.service: Failed to prepare AppArmor profile change to ubuntu_pro_apt_news: No such file or directory
  Mar 18 20:35:41 j systemd[263]: apt-news.service: Failed at step APPARMOR spawning /usr/bin/python3: No such file or directory
  Mar 18 20:35:41 j systemd[1]: apt-news.service: Main process exited, code=exited, status=231/APPARMOR
  Mar 18 20:35:41 j systemd[1]: apt-news.service: Failed with result 'exit-code'.
  Mar 18 20:35:41 j systemd[1]: Failed to start Update APT News.
-
  With the fixed package, the service will not fail to start.
-
  [ Where problems could occur ]
-
- * Think about what the upload changes in the software. Imagine the change is
-   wrong or breaks something else: how would this show up?
+ The fix is essentially ignoring errors when loading the specified
+ apparmor profile, leaving the service unconfined in the case of an error
+ like this, which is exactly how it was prior to the version 31 update.
+ If the profile is loaded in the kernel, it will be applied as designed.

- * It is assumed that any SRU candidate patch is well-tested before
-   upload and has a low overall risk of regression, but it's important
-   to make the effort to think about what ''could'' happen in the
-   event of a regression.
-
- * This must '''never''' be "None" or "Low", or entirely an argument as to why
-   your upload is low risk.
-
- * This both shows the SRU team that the risks have been considered,
-   and provides guidance to testers in regression-testing the SRU.
+ Since we are now ignoring errors, if the profile has some syntax error,
+ we would be running apt-news with the previously loaded profile, or, in
+ the case of a reboot, unconfined, without a visible error other than
+ logs. This could only happen if the user made manual changes to the
+ profile, because the u-a-t package runs a syntax check on the profile at
+ package build time.

  [ Other Info ]

  * Anything else you think is useful to include
  * Anticipate questions from users, SRU, +1 maintenance, security teams and the Technical Board
  * and address these questions in advance

  1. https://github.com/canonical/ubuntu-pro-client/pull/2794
  2. https://www.freedesktop.org/software/systemd/man/latest/systemd.exec.html#AppArmorProfile=
  3. https://git.launchpad.net/ubuntu/+source/ubuntu-advantage-tools/tree/apt-hook/20apt-esm-hook.conf#n2

  [ Original Description ]

  After ubuntu-pro-client was installed the following errors are being logged.

  Mar 14 09:00:11 edmonton systemd[1]: Starting Update APT News...
  Mar 14 09:00:11 edmonton systemd[2927302]: apt-news.service: Failed to prepare AppArmor profile change to ubuntu_pro_apt_news: No such file or directory
  Mar 14 09:00:11 edmonton systemd[2927302]: apt-news.service: Failed at step APPARMOR spawning /usr/bin/python3: No such file or directory

  The updates that started the problem:

  Start-Date: 2024-03-13 22:00:22
  Commandline: apt-get -y -o Dpkg::Options::=--force-confnew dist-upgrade
  Install: ubuntu-pro-client:amd64 (31.2~22.04, automatic)
  Upgrade: ubuntu-advantage-tools:amd64 (30~22.04, 31.2~22.04)
  End-Date: 2024-03-13 22:00:28

  This is happening on all servers where this update is installed.

  ProblemType: Bug
  DistroRelease: Ubuntu 22.04
  Package: ubuntu-pro-client 31.2~22.04
  ProcVersionSignature: Ubuntu 5.15.0-91.101-generic 5.15.131
  Uname: Linux 5.15.0-91-generic x86_64
  ApportVersion: 2.20.11-0ubuntu82.5
  Architecture: amd64
  CasperMD5CheckResult: unknown
  Date: Thu Mar 14 10:02:35 2024
  ProcEnviron:
   TERM=xterm-256color
   PATH=(custom, no user)
   LANG=en_US.UTF-8
   SHELL=/bin/bash
  RebootRequiredPkgs: Error: path contained symlinks.
  SourcePackage: ubuntu-advantage-tools
  UpgradeStatus: No upgrade log present (probably fresh install)
  apparmor_logs.txt:
  cloud-id.txt-error: Invalid command specified 'cloud-id'.
  livepatch-status.txt-error: Invalid command specified '/snap/bin/canonical-livepatch status'.
  uaclient.conf:
   contract_url: https://contracts.canonical.com
   log_level: debug
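The description above separates three kernel states that look alike from the outside: apparmor disabled (AppArmorProfile= is a no-op), apparmor enabled with the named profile loaded (service confined), and apparmor enabled with the profile absent (service fails with status=231/APPARMOR). systemd.exec(5) documents a leading "-" on the AppArmorProfile= value as "ignore all errors", which is the behaviour the "Where problems could occur" section describes: unconfined start instead of failure. The script below is an added example, not code from ubuntu-pro-client, systemd or this bug report. predict_start() models systemd's decision against constructed inputs so all three states can be exercised without a reboot per state, and check_live() applies the same decision to the running kernel, assuming (an assumption of this example) that /sys/module/apparmor/parameters/enabled and /sys/kernel/security/apparmor/profiles are the files that reflect the two facts systemd acts on. The sample profile lists are constructed.

```shell
#!/bin/sh
# Added example (not from ubuntu-pro-client or systemd): model the decision
# systemd makes for a unit carrying AppArmorProfile=, so the states in the
# bug report can be told apart.
#
#   $1  contents of /sys/module/apparmor/parameters/enabled ("Y" or "N")
#   $2  contents of /sys/kernel/security/apparmor/profiles, one
#       "<name> (<mode>)" entry per line
#   $3  the AppArmorProfile= value; a leading "-" means "ignore all errors"
#       as documented in systemd.exec(5)
# Prints one line; the exit status is always 0 so the function is safe to use
# inside $(...) under set -e.
predict_start() {
    aa_enabled=$1
    loaded=$2
    directive=$3

    case "$directive" in
        -*) ignore_errors=1; profile=${directive#-} ;;
        *)  ignore_errors=0; profile=$directive ;;
    esac

    # State 1 in the report: apparmor disabled, the directive is a no-op.
    if [ "$aa_enabled" != "Y" ]; then
        echo "start unconfined: apparmor disabled, AppArmorProfile= has no effect"
        return 0
    fi

    # Exact match on the name field, so "foo" does not match "foo-bar".
    if printf '%s\n' "$loaded" | awk -v p="$profile" '$1 == p { found = 1 } END { exit !found }'; then
        echo "start confined by $profile"
        return 0
    fi

    # State 2 (the bug): apparmor enabled, profile never loaded into the kernel.
    if [ "$ignore_errors" -eq 1 ]; then
        echo "start unconfined: profile $profile not loaded, error ignored"
    else
        echo "fail (status=231/APPARMOR): profile $profile not loaded"
    fi
    return 0
}

# Same decision against the running kernel. The two files are assumed (in this
# example) to be where the kernel exposes the enabled flag and the loaded
# profile set; prints "unknown" when they are absent or unreadable, e.g. in an
# unprivileged container or for a non-root user.
check_live() {
    enabled_file=/sys/module/apparmor/parameters/enabled
    profiles_file=/sys/kernel/security/apparmor/profiles
    if [ ! -r "$enabled_file" ] || [ ! -r "$profiles_file" ]; then
        echo "unknown: $enabled_file or $profiles_file not readable"
        return 0
    fi
    predict_start "$(cat "$enabled_file")" "$(cat "$profiles_file")" "$1"
}

# Constructed sample profile lists in the format of
# /sys/kernel/security/apparmor/profiles.
WITH_PRO='/usr/sbin/cupsd (enforce)
ubuntu_pro_apt_news (enforce)
ubuntu_pro_esm_cache (enforce)'
WITHOUT_PRO='/usr/sbin/cupsd (enforce)'

# Walk the states from the report: healthy, apparmor package removed (the
# bug), the same with the "-" prefix, apparmor disabled, and this host.
echo "profile loaded:        $(predict_start Y "$WITH_PRO" ubuntu_pro_apt_news)"
echo "apparmor pkg removed:  $(predict_start Y "$WITHOUT_PRO" ubuntu_pro_apt_news)"
echo "same, with '-' prefix: $(predict_start Y "$WITHOUT_PRO" -ubuntu_pro_apt_news)"
echo "apparmor disabled:     $(predict_start N "$WITHOUT_PRO" ubuntu_pro_apt_news)"
echo "this host:             $(check_live ubuntu_pro_apt_news)"
```

On a host where the reproduction steps were followed, check_live prints the "fail" line for ubuntu_pro_apt_news and the "start unconfined ... error ignored" line for -ubuntu_pro_apt_news; the difference between those two lines is the whole effect of the fix, and the second one is exactly the state the "Where problems could occur" section warns is visible only in the logs.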
** Tags added: regression-update

** Description changed:

  [ Other Info ]
- * Anything else you think is useful to include
- * Anticipate questions from users, SRU, +1 maintenance, security teams and the Technical Board
- * and address these questions in advance
+ Not at this time.
+
  1. https://github.com/canonical/ubuntu-pro-client/pull/2794
  2. https://www.freedesktop.org/software/systemd/man/latest/systemd.exec.html#AppArmorProfile=
  3. https://git.launchpad.net/ubuntu/+source/ubuntu-advantage-tools/tree/apt-hook/20apt-esm-hook.conf#n2

** Description changed:

  [ Other Info ]
- Not at this time.
-
-
  1. https://github.com/canonical/ubuntu-pro-client/pull/2794
  2. https://www.freedesktop.org/software/systemd/man/latest/systemd.exec.html#AppArmorProfile=
  3. https://git.launchpad.net/ubuntu/+source/ubuntu-advantage-tools/tree/apt-hook/20apt-esm-hook.conf#n2

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2057937

Title:
  apt-news.service reporting errors after ubuntu-pro-client install

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ubuntu-advantage-tools/+bug/2057937/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs