apt-news.service reporting errors after ubuntu-pro-client install

Bug #2057937 reported by Erik Meitner
This bug affects 4 people
Affects | Status | Importance | Assigned to | Milestone
ubuntu-advantage-tools (Ubuntu) | Fix Released | High | Andreas Hasenack |
Xenial | Fix Released | High | Andreas Hasenack |
Bionic | Fix Released | High | Andreas Hasenack |
Focal | Fix Released | High | Andreas Hasenack |
Jammy | Fix Released | High | Andreas Hasenack |
Mantic | Fix Released | High | Andreas Hasenack |
Noble | Fix Released | High | Andreas Hasenack |

Bug Description

[ Impact ]

src:ubuntu-advantage-tools version 31 introduced[1] an apparmor profile to the apt-news service. It's known that some ubuntu systems do not have apparmor enabled, and this was considered. The systemd.exec(5) manpage states that the AppArmorProfile setting has no effect if apparmor is disabled[2]. This was tested and verified.

Turns out, however, that apparmor can be enabled on a system, but without the apparmor package installed. When this package is not installed, no profiles are loaded. Crucially, the ubuntu_pro_apt_news profile, used by apt-news.service, is not loaded.

This situation is different than "apparmor is disabled", and systemd will try to launch apt-news confined by ubuntu_pro_apt_news. But since that profile is not loaded into the kernel, the service will fail.

apt-news.service is called as an apt update hook, but its failure does not fail apt, since it's guarded[3] by "|| true", i.e., failures in the hook are ignored. The only impact is that apt news won't be fetched.

[ Test Plan ]

The test plan will be in two parts. One to confirm the apt-news service won't fail to start if the apparmor profile is not available (it's what triggered this bug). The second part is to confirm that in the "good case", with apparmor available on the system, the confinement is still applied.

a) To reproduce the problem, launch an ubuntu lxd container, or a VM, and:

# install ubuntu-advantage-tools 31 or later. It's in updates right now, so just make sure the system is updated:

sudo apt update && sudo apt install ubuntu-advantage-tools -y

# verify it's version 31 or higher:

$ dpkg -l ubuntu-advantage-tools | grep ubuntu-advantage-tools
ii ubuntu-advantage-tools 31.2~22.04 all transitional dummy package for ubuntu-pro-client

# remove (not purge) apparmor:

sudo apt remove apparmor -y

# reboot

sudo reboot

# start apt-news.service, and verify it fails:

$ sudo systemctl start apt-news.service
Job for apt-news.service failed because the control process exited with error code.
See "systemctl status apt-news.service" and "journalctl -xeu apt-news.service" for details.

# The log will show it's because it couldn't confine the service with the ubuntu_pro_apt_news profile:

$ systemctl status apt-news.service
× apt-news.service - Update APT News
     Loaded: loaded (/lib/systemd/system/apt-news.service; static)
     Active: failed (Result: exit-code) since Mon 2024-03-18 20:35:41 UTC; 35s ago
    Process: 263 ExecStart=/usr/bin/python3 /usr/lib/ubuntu-advantage/apt_news.py (code=exited, status=231/APPARMOR)
   Main PID: 263 (code=exited, status=231/APPARMOR)
        CPU: 7ms

Mar 18 20:35:41 j systemd[1]: Starting Update APT News...
Mar 18 20:35:41 j systemd[263]: apt-news.service: Failed to prepare AppArmor profile change to ubuntu_pro_apt_news: No such file or directory
Mar 18 20:35:41 j systemd[263]: apt-news.service: Failed at step APPARMOR spawning /usr/bin/python3: No such file or directory
Mar 18 20:35:41 j systemd[1]: apt-news.service: Main process exited, code=exited, status=231/APPARMOR
Mar 18 20:35:41 j systemd[1]: apt-news.service: Failed with result 'exit-code'.
Mar 18 20:35:41 j systemd[1]: Failed to start Update APT News.

With the fixed package, the service will not fail to start.

b) Continuing from the test plan above, now we will confirm that, if apparmor is installed, the apt-news service is run confined.

* Install apparmor back again and reboot:

$ sudo apt install apparmor -y
$ sudo reboot

* Confirm the apt-news profile is loaded and in enforce mode:

$ sudo grep ubuntu_pro_apt_news /sys/kernel/security/apparmor/profiles
ubuntu_pro_apt_news (enforce)

* start apt-news, and confirm it doesn't fail:
$ sudo systemctl start apt-news.service ; echo $?
0

To really confirm that the profile is being applied, and not just ignored, we have to hack the service unit file. Replace ExecStart with a sleep command in /lib/systemd/system/apt-news.service like below:

[Service]
Type=oneshot
ExecStart=/usr/bin/python3 -c "import time; time.sleep(500)"

Then run:

$ sudo systemctl daemon-reload

Start the service again in one terminal (it will hang):

$ sudo systemctl start apt-news.service

In another terminal, list the process and its confinement status:

$ ps auxwZ|grep time\\.sleep
ubuntu_pro_apt_news (enforce) root 553 0.0 0.0 17224 8576 ? Ss 13:54 0:00 /usr/bin/python3 -c import time;time.sleep(3600)

The first column will show the apparmor profile being enforced on the process.

[ Where problems could occur ]

Note that most ubuntu packages use apparmor in an opportunistic way. If there is a profile, and its name matches the executable's path, then it will be applied. Otherwise, the executable runs unconfined. With the change in this SRU, that's essentially what we are doing with apt-news.service.

The fix is essentially ignoring errors when loading the specified apparmor profile, leaving the service unconfined in the case of an error like this, which is exactly how it was prior to the version 31 update. If the profile is loaded in the kernel, it will be applied as designed.

Since we are now ignoring errors, here are some scenarios where things could go wrong:

a) the user decided they don't like apparmor, and removed the apparmor package. That's the scenario that triggered this bug. In that case, it's a decision the user made, and apt-news.service will run unconfined.

b) the user made a change to the installed apparmor profile in /etc/apparmor.d/ubuntu_pro_apt_news, and that change has a syntax error.

The error will only be noticed when that profile is loaded into the kernel. Then we have the following possible outcomes:

b1) The user, right after making the change, invokes apparmor_parser to actually apply them and load the modified profile into the kernel. The tool will flag the error, and not load the changed profile. The previous profile will remain loaded, and apt-news will remain confined by it.

b2) The user forgets to run apparmor_parser, and eventually reboots. Upon reboot, that profile specifically will fail to load (all the others will load), and when apt-news is started, there will be no ubuntu_pro_apt_news profile to attach to. With this new "-" flag, that will not be an error, and the service will run unconfined.

b3) Instead of rebooting or running apparmor_parser, the user invokes "systemctl restart apparmor". From my testing, that will also flag the syntax error, and not unload the already-loaded profile, so this is similar to (b1).

b4) We (Ubuntu) might make a mistake in the profile, and introduce a syntax error that will make it fail to load. To guard against that, the package build runs a syntax check on the generated profile. But it's still possible it would pass that check, but fail to load in the actual kernel that is running on the system.

[ Other Info ]

Upstream issue:
https://github.com/canonical/ubuntu-pro-client/issues/3002

Fixed via:
https://github.com/canonical/ubuntu-pro-client/pull/3003

1. https://github.com/canonical/ubuntu-pro-client/pull/2794
2. https://www.freedesktop.org/software/systemd/man/latest/systemd.exec.html#AppArmorProfile=
3. https://git.launchpad.net/ubuntu/+source/ubuntu-advantage-tools/tree/apt-hook/20apt-esm-hook.conf#n2

[ Original Description ]

After ubuntu-pro-client was installed the following errors are being logged.

Mar 14 09:00:11 edmonton systemd[1]: Starting Update APT News...
Mar 14 09:00:11 edmonton systemd[2927302]: apt-news.service: Failed to prepare AppArmor profile change to ubuntu_pro_apt_news: No such file or directory
Mar 14 09:00:11 edmonton systemd[2927302]: apt-news.service: Failed at step APPARMOR spawning /usr/bin/python3: No such file or directory

The updates that started the problem:

Start-Date: 2024-03-13 22:00:22
Commandline: apt-get -y -o Dpkg::Options::=--force-confnew dist-upgrade
Install: ubuntu-pro-client:amd64 (31.2~22.04, automatic)
Upgrade: ubuntu-advantage-tools:amd64 (30~22.04, 31.2~22.04)
End-Date: 2024-03-13 22:00:28

This is happening on all servers where this update is installed.

ProblemType: Bug
DistroRelease: Ubuntu 22.04
Package: ubuntu-pro-client 31.2~22.04
ProcVersionSignature: Ubuntu 5.15.0-91.101-generic 5.15.131
Uname: Linux 5.15.0-91-generic x86_64
ApportVersion: 2.20.11-0ubuntu82.5
Architecture: amd64
CasperMD5CheckResult: unknown
Date: Thu Mar 14 10:02:35 2024
ProcEnviron:
 TERM=xterm-256color
 PATH=(custom, no user)
 LANG=en_US.UTF-8
 SHELL=/bin/bash
RebootRequiredPkgs: Error: path contained symlinks.
SourcePackage: ubuntu-advantage-tools
UpgradeStatus: No upgrade log present (probably fresh install)
apparmor_logs.txt:

cloud-id.txt-error: Invalid command specified 'cloud-id'.
livepatch-status.txt-error: Invalid command specified '/snap/bin/canonical-livepatch status'.
uaclient.conf:
 contract_url: https://contracts.canonical.com
 log_level: debug

Erik Meitner (eamuwmath) wrote :
Erik Meitner (eamuwmath)
information type: Private → Public
tags: removed: need-amd64-retrace
Andreas Hasenack (ahasenack) wrote :

Hi Erik,

please show the output of the following commands:

a) systemctl cat apt-news.service

b) ls -la /etc/apparmor.d/ubuntu*

c) sudo aa-status

d) dpkg -l ubuntu-advantage-tools ubuntu-pro-client ubuntu-pro-client-l10n

e) python3 --version

f) sudo apparmor_parser -r -W -T /etc/apparmor.d/ubuntu_pro_apt_news

Andreas Hasenack (ahasenack) wrote :

You seem to have apparmor enabled, but not the apparmor package installed, is that it?

Changed in ubuntu-advantage-tools (Ubuntu):
status: New → Incomplete
Erik Meitner (eamuwmath) wrote :

Correct, apparmor is not installed and never was.

a)

systemctl cat apt-news.service
# /lib/systemd/system/apt-news.service
# APT News is hosted at https://motd.ubuntu.com/aptnews.json and can include
# timely information related to apt updates available to your system.
# This service runs in the background during an `apt update` to download the
# latest news and set it to appear in the output of the next `apt upgrade`.
# The script won't do anything if you've run: `pro config set apt_news=false`.
# The script will limit network requests to at most once per 24 hours.
# You can also host your own aptnews.json and configure your system to use it
# with the command:
# `pro config set apt_news_url=https://yourhostname/path/to/aptnews.json`

[Unit]
Description=Update APT News

[Service]
Type=oneshot
ExecStart=/usr/bin/python3 /usr/lib/ubuntu-advantage/apt_news.py
AppArmorProfile=ubuntu_pro_apt_news
CapabilityBoundingSet=~CAP_SYS_ADMIN
CapabilityBoundingSet=~CAP_NET_ADMIN
CapabilityBoundingSet=~CAP_NET_BIND_SERVICE
CapabilityBoundingSet=~CAP_SYS_PTRACE
CapabilityBoundingSet=~CAP_NET_RAW
PrivateTmp=true
RestrictAddressFamilies=~AF_NETLINK
RestrictAddressFamilies=~AF_PACKET
# These may break some tests, and should be enabled carefully
#NoNewPrivileges=true
#PrivateDevices=true
#ProtectControlGroups=true
# ProtectHome=true seems to reliably break the GH integration test with a lunar lxd on jammy host
#ProtectHome=true
#ProtectKernelModules=true
#ProtectKernelTunables=true
#ProtectSystem=full
#RestrictSUIDSGID=true
# Unsupported in bionic
# Suggestion from systemd.exec(5) manpage on SystemCallFilter
#SystemCallFilter=@system-service
#SystemCallFilter=~@mount
#SystemCallErrorNumber=EPERM
#ProtectClock=true
#ProtectKernelLogs=true

b) -rw-r--r-- 1 root root 945 Feb 29 08:03 /etc/apparmor.d/ubuntu_pro_apt_news

c) (aa is not installed)

d)

ii ubuntu-advantage-tools 31.2~22.04 all transitional dummy package for ubuntu-pro-client
ii ubuntu-pro-client 31.2~22.04 amd64 Management tools for Ubuntu Pro
un ubuntu-pro-client-l10n <none> <none> (no description available)

e) Python 3.10.12

f) (aa is not installed)

Andreas Hasenack (ahasenack) wrote :

> Correct, apparmor is not installed and never was.

Interesting, because it seems to be enabled. The systemd service would not have failed to load the apparmor profile if apparmor were disabled[1]:

  This setting has no effect if AppArmor is not enabled.

Do you have the /sys/kernel/security/apparmor/profiles file, and does it have a list of loaded profiles by any chance?

In any case, the fix here seems to be to change the AppArmorProfile=ubuntu_pro_apt_news line to AppArmorProfile=-ubuntu_pro_apt_news in the apt_news.service unit file, but I'm trying to understand the situation a bit better before doing that. I didn't think apparmor could be enabled without the apparmor package installed on the system.

1. https://www.freedesktop.org/software/systemd/man/latest/systemd.exec.html#AppArmorProfile=

Erik Meitner (eamuwmath) wrote :

/sys/kernel/security/apparmor/profiles is empty.

Changed in ubuntu-advantage-tools (Ubuntu):
status: Incomplete → Triaged
importance: Undecided → High
assignee: nobody → Andreas Hasenack (ahasenack)
Changed in ubuntu-advantage-tools (Ubuntu Mantic):
status: New → Triaged
Changed in ubuntu-advantage-tools (Ubuntu Jammy):
status: New → Triaged
Changed in ubuntu-advantage-tools (Ubuntu Focal):
status: New → Triaged
Changed in ubuntu-advantage-tools (Ubuntu Bionic):
status: New → Triaged
Changed in ubuntu-advantage-tools (Ubuntu Xenial):
status: New → Triaged
importance: Undecided → High
Changed in ubuntu-advantage-tools (Ubuntu Bionic):
importance: Undecided → High
Changed in ubuntu-advantage-tools (Ubuntu Focal):
importance: Undecided → High
Changed in ubuntu-advantage-tools (Ubuntu Jammy):
importance: Undecided → High
Changed in ubuntu-advantage-tools (Ubuntu Mantic):
importance: Undecided → High
assignee: nobody → Andreas Hasenack (ahasenack)
Changed in ubuntu-advantage-tools (Ubuntu Jammy):
assignee: nobody → Andreas Hasenack (ahasenack)
Changed in ubuntu-advantage-tools (Ubuntu Focal):
assignee: nobody → Andreas Hasenack (ahasenack)
Changed in ubuntu-advantage-tools (Ubuntu Bionic):
assignee: nobody → Andreas Hasenack (ahasenack)
Changed in ubuntu-advantage-tools (Ubuntu Xenial):
assignee: nobody → Andreas Hasenack (ahasenack)
description: updated
tags: added: regression-update
description: updated
Changed in ubuntu-advantage-tools (Ubuntu Noble):
status: Triaged → In Progress
description: updated
John Johansen (jjohansen) wrote :

So it depends on what you mean by enabled. The standard check to see if apparmor is enabled is to check the kernel for its presence, and if the kernel module reports that it is enabled. This is a separate state from if policy is loaded.

The apparmor library generally provides the check, but it can be statically linked in, or even hard coded. Systemd statically links the library so it is only a build dependency not a run time.

In the systemd case if the module is enabled in the kernel /sys/module/apparmor/parameters/enabled == Y and securityfs is mounted, then apparmor is considered enabled, and ready to accept policy.

As for the default policy, that will depend. Generally you are only looking at unconfined. But it is possible to load policy in early boot (either initrd, or systemd via /etc/apparmor/earlypolicy). It is even possible to compile policy into the kernel. So technically in these cases you do not actually need the apparmor userspace package installed.

description: updated
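
The "enabled" check described in the comment above, combined with the outcomes listed under [ Where problems could occur ], as an added example that is not part of the bug report or of ubuntu-pro-client. Function names and the demo tree are assumptions made for illustration; paths are resolved under a ROOT argument so the logic can be run against a constructed tree, and "/" is passed on a live system.

```shell
#!/bin/sh
# Added example: predict how systemd will treat AppArmorProfile= for a unit,
# so that a service silently running unconfined (the "-" prefix case) is noticed.

# apparmor_enabled ROOT
# True when the kernel module reports enabled (Y) and securityfs exposes the
# apparmor directory, the two conditions named in the thread.
apparmor_enabled() {
    root=${1%/}
    [ "$(cat "$root/sys/module/apparmor/parameters/enabled" 2>/dev/null)" = "Y" ] &&
        [ -d "$root/sys/kernel/security/apparmor" ]
}

# profile_loaded ROOT NAME
# True when NAME is in the kernel's loaded-profile list.
# Lines in that file look like: "ubuntu_pro_apt_news (enforce)"
profile_loaded() {
    root=${1%/}
    awk -v p="$2" '$1 == p { found = 1 } END { exit !found }' \
        "$root/sys/kernel/security/apparmor/profiles" 2>/dev/null
}

# unit_profile_setting UNIT_FILE
# Prints the last uncommented AppArmorProfile= value, "-" prefix included.
# Only the given file is read; drop-ins are not followed.
unit_profile_setting() {
    sed -n 's/^[[:space:]]*AppArmorProfile=[[:space:]]*//p' "$1" | tail -n 1
}

# predict_outcome ROOT UNIT_FILE
# Prints one of:
#   no-profile  unit sets no AppArmorProfile=
#   no-effect   AppArmor is not enabled, the setting is ignored
#   confined    profile is loaded and will be applied
#   fail-231    profile missing, no "-" prefix: start fails with 231/APPARMOR
#   unconfined  profile missing, "-" prefix: service starts without confinement
predict_outcome() {
    setting=$(unit_profile_setting "$2")
    [ -n "$setting" ] || { echo no-profile; return; }
    name=${setting#-}
    if ! apparmor_enabled "$1"; then
        echo no-effect
    elif profile_loaded "$1" "$name"; then
        echo confined
    elif [ "$setting" != "$name" ]; then
        echo unconfined
    else
        echo fail-231
    fi
}

# Constructed tree mirroring the reporter's system: module enabled,
# securityfs present, loaded-profile list empty.
demo() {
    t=$(mktemp -d) || return 1
    mkdir -p "$t/sys/module/apparmor/parameters" "$t/sys/kernel/security/apparmor"
    echo Y > "$t/sys/module/apparmor/parameters/enabled"
    : > "$t/sys/kernel/security/apparmor/profiles"
    printf '[Service]\nAppArmorProfile=ubuntu_pro_apt_news\n' > "$t/before.service"
    printf '[Service]\nAppArmorProfile=-ubuntu_pro_apt_news\n' > "$t/after.service"
    echo "before fix, no profile loaded: $(predict_outcome "$t" "$t/before.service")"
    echo "after fix, no profile loaded:  $(predict_outcome "$t" "$t/after.service")"
    echo 'ubuntu_pro_apt_news (enforce)' > "$t/sys/kernel/security/apparmor/profiles"
    echo "after fix, profile loaded:     $(predict_outcome "$t" "$t/after.service")"
    rm -rf "$t"
}

demo
```

On a live system, `predict_outcome / /lib/systemd/system/apt-news.service` printing `unconfined` is the case to alert on: the unit starts cleanly, so nothing in `systemctl status` shows that confinement was skipped.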
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package ubuntu-advantage-tools - 31.2.2

---------------
ubuntu-advantage-tools (31.2.2) noble; urgency=medium

  * version.py: fix internal version to match ubuntu package version (it was
    missed in the previous upload, so 31.2.1 is "burned" now)

 -- Andreas Hasenack <email address hidden> Sun, 24 Mar 2024 10:52:02 -0300

Changed in ubuntu-advantage-tools (Ubuntu Noble):
status: In Progress → Fix Released
Timo Aaltonen (tjaalton) wrote : Please test proposed package

Hello Erik, or anyone else affected,

Accepted ubuntu-advantage-tools into mantic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/ubuntu-advantage-tools/31.2.2~23.10 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-mantic to verification-done-mantic. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-mantic. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in ubuntu-advantage-tools (Ubuntu Mantic):
status: Triaged → Fix Committed
tags: added: verification-needed verification-needed-mantic
Changed in ubuntu-advantage-tools (Ubuntu Jammy):
status: Triaged → Fix Committed
tags: added: verification-needed-jammy
Timo Aaltonen (tjaalton) wrote :

Hello Erik, or anyone else affected,

Accepted ubuntu-advantage-tools into jammy-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/ubuntu-advantage-tools/31.2.2~22.04 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-jammy to verification-done-jammy. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-jammy. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in ubuntu-advantage-tools (Ubuntu Focal):
status: Triaged → Fix Committed
tags: added: verification-needed-focal
Timo Aaltonen (tjaalton) wrote :

Hello Erik, or anyone else affected,

Accepted ubuntu-advantage-tools into focal-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/ubuntu-advantage-tools/31.2.2~20.04 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-focal to verification-done-focal. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-focal. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in ubuntu-advantage-tools (Ubuntu Bionic):
status: Triaged → Fix Committed
tags: added: verification-needed-bionic
Timo Aaltonen (tjaalton) wrote :

Hello Erik, or anyone else affected,

Accepted ubuntu-advantage-tools into bionic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/ubuntu-advantage-tools/31.2.2~18.04 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-bionic to verification-done-bionic. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-bionic. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in ubuntu-advantage-tools (Ubuntu Xenial):
status: Triaged → Fix Committed
tags: added: verification-needed-xenial
Timo Aaltonen (tjaalton) wrote :

Hello Erik, or anyone else affected,

Accepted ubuntu-advantage-tools into xenial-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/ubuntu-advantage-tools/31.2.2~16.04 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-xenial to verification-done-xenial. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-xenial. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Ubuntu SRU Bot (ubuntu-sru-bot) wrote : Autopkgtest regression report (ubuntu-advantage-tools/31.2.2~23.10)

All autopkgtests for the newly accepted ubuntu-advantage-tools (31.2.2~23.10) for mantic have finished running.
The following regressions have been reported in tests triggered by the package:

software-properties/0.99.39 (amd64, arm64, armhf, ppc64el, s390x)

Please visit the excuses page listed below and investigate the failures, proceeding afterwards as per the StableReleaseUpdates policy regarding autopkgtest regressions [1].

https://people.canonical.com/~ubuntu-archive/proposed-migration/mantic/update_excuses.html#ubuntu-advantage-tools

[1] https://wiki.ubuntu.com/StableReleaseUpdates#Autopkgtest_Regressions

Thank you!

Ubuntu SRU Bot (ubuntu-sru-bot) wrote : Autopkgtest regression report (ubuntu-advantage-tools/31.2.2~22.04)

All autopkgtests for the newly accepted ubuntu-advantage-tools (31.2.2~22.04) for jammy have finished running.
The following regressions have been reported in tests triggered by the package:

software-properties/0.99.22.9 (amd64, arm64, armhf, ppc64el, s390x)
update-manager/1:22.04.19 (amd64, arm64, armhf, i386, ppc64el, s390x)

Please visit the excuses page listed below and investigate the failures, proceeding afterwards as per the StableReleaseUpdates policy regarding autopkgtest regressions [1].

https://people.canonical.com/~ubuntu-archive/proposed-migration/jammy/update_excuses.html#ubuntu-advantage-tools

[1] https://wiki.ubuntu.com/StableReleaseUpdates#Autopkgtest_Regressions

Thank you!

Erik Meitner (eamuwmath) wrote :

I can confirm that by upgrading four of our machines to the packages in the Proposed repo the machines no longer log the errors.
Thank you.

Andreas Hasenack (ahasenack) wrote :

Xenial verification

a) Reproducing the problem, and confirming the fix

Starting with 31.2:
$ dpkg -l ubuntu-advantage-tools | grep ubuntu-advantage-tools
ii ubuntu-advantage-tools 31.2~16.04 all transitional dummy package for ubuntu-pro-client

Removing apparmor:
$ sudo apt remove apparmor -y
(...)
The following packages will be REMOVED:
  apparmor liblxc1 lxc-common lxd snapd ubuntu-core-launcher
(...)
Removing apparmor (2.10.95-0ubuntu2.12) ...
(...)

Rebooting...

Logging back in, checking apt-news.service to see it fails to start due to apparmor:

$ sudo systemctl start apt-news.service
Job for apt-news.service failed because the control process exited with error code. See "systemctl status apt-news.service" and "journalctl -xe" for details.

$ systemctl status apt-news.service
● apt-news.service - Update APT News
   Loaded: loaded (/lib/systemd/system/apt-news.service; static; vendor preset: enabled)
   Active: failed (Result: exit-code) since Sun 2024-04-14 15:41:47 UTC; 10s ago
  Process: 1486 ExecStart=/usr/bin/python3 /usr/lib/ubuntu-advantage/apt_news.py (code=exited, status=231/APPARMOR)
 Main PID: 1486 (code=exited, status=231/APPARMOR)

Installing ubuntu-advantage-tools from proposed:
$ apt-cache policy ubuntu-advantage-tools
ubuntu-advantage-tools:
  Installed: 31.2.2~16.04
  Candidate: 31.2.2~16.04
  Version table:
 *** 31.2.2~16.04 500
        500 http://br.archive.ubuntu.com/ubuntu xenial-proposed/main amd64 Packages
        100 /var/lib/dpkg/status
     31.2~16.04 500
        500 http://br.archive.ubuntu.com/ubuntu xenial-updates/main amd64 Packages

$ pro version
31.2.2~16.04

Now the service starts:
$ sudo systemctl start apt-news.service
$

$ sudo systemctl status apt-news.service
● apt-news.service - Update APT News
   Loaded: loaded (/lib/systemd/system/apt-news.service; static; vendor preset: enabled)
   Active: inactive (dead)

(...)
Apr 14 15:43:40 x-vm systemd[1]: Starting Update APT News...
Apr 14 15:43:40 x-vm systemd[1]: Started Update APT News.

b) Confirming that apparmor, when available, is being applied

Continuing from test (a), we already have the proposed package installed.

Re-installing apparmor:
$ sudo apt install apparmor -y
(...)
Setting up apparmor (2.10.95-0ubuntu2.12) ...
update-rc.d: warning: start and stop actions are no longer supported; falling back to defaults

Rebooting

Confirming profile is loaded and enforced:
$ sudo grep ubuntu_pro_apt_news /sys/kernel/security/apparmor/profiles
ubuntu_pro_apt_news (enforce)

Starting apt-news, it does not fail:
$ sudo systemctl start apt-news.service ; echo $?
0

Hacking the service unit file to force the service to stay running so we can inspect it:

$ sudo systemctl start apt-news.service
(it's sleeping)

Checking process:
# ps auxwZ|grep time\\.sleep
ubuntu_pro_apt_news (enforce) root 1749 0.0 0.8 35296 8716 ? Ss 15:49 0:00 /usr/bin/python3 -c import time; time.sleep(500)

We can see it's confined with ubuntu_pro_apt_news in enforce mode.

Xenial verification succeeded.

tags: added: verification-done-xenial
removed: verification-needed-xenial
Andreas Hasenack (ahasenack) wrote :

The remaining verifications were done with the attached script.

Andreas Hasenack (ahasenack) wrote :

Bionic verification succeeded.

tags: added: verification-done-bionic
removed: verification-needed-bionic
Andreas Hasenack (ahasenack) wrote :

Focal verification succeeded.

tags: added: verification-done-focal
removed: verification-needed-focal
Andreas Hasenack (ahasenack) wrote :

Jammy verification succeeded.

tags: added: verification-done-jammy
removed: verification-needed-jammy
Andreas Hasenack (ahasenack) wrote :

Mantic verification succeeded.

tags: added: verification-done-mantic
removed: verification-needed-mantic
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package ubuntu-advantage-tools - 31.2.2~23.10

---------------
ubuntu-advantage-tools (31.2.2~23.10) mantic; urgency=medium

  * version.py: match version from d/changelog (LP: #2058934)

ubuntu-advantage-tools (31.2.1~23.10) mantic; urgency=medium

  * apt-news.service: ignore apparmor errors when starting (LP: #2057937)

 -- Andreas Hasenack <email address hidden> Mon, 25 Mar 2024 11:56:18 -0300

Changed in ubuntu-advantage-tools (Ubuntu Mantic):
status: Fix Committed → Fix Released
Timo Aaltonen (tjaalton) wrote : Update Released

The verification of the Stable Release Update for ubuntu-advantage-tools has completed successfully and the package is now being released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package ubuntu-advantage-tools - 31.2.2~22.04

---------------
ubuntu-advantage-tools (31.2.2~22.04) jammy; urgency=medium

  * version.py: match version from d/changelog (LP: #2058934)

ubuntu-advantage-tools (31.2.1~22.04) jammy; urgency=medium

  * apt-news.service: ignore apparmor errors when starting (LP: #2057937)

 -- Andreas Hasenack <email address hidden> Mon, 25 Mar 2024 11:52:09 -0300

Changed in ubuntu-advantage-tools (Ubuntu Jammy):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package ubuntu-advantage-tools - 31.2.2~20.04

---------------
ubuntu-advantage-tools (31.2.2~20.04) focal; urgency=medium

  * version.py: match version from d/changelog (LP: #2058934)

ubuntu-advantage-tools (31.2.1~20.04) focal; urgency=medium

  * apt-news.service: ignore apparmor errors when starting (LP: #2057937)

 -- Andreas Hasenack <email address hidden> Mon, 25 Mar 2024 11:49:51 -0300

Changed in ubuntu-advantage-tools (Ubuntu Focal):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package ubuntu-advantage-tools - 31.2.2~16.04

---------------
ubuntu-advantage-tools (31.2.2~16.04) xenial; urgency=medium

  * version.py: match version from d/changelog (LP: #2058934)

ubuntu-advantage-tools (31.2.1~16.04) xenial; urgency=medium

  * apt-news.service: ignore apparmor errors when starting (LP: #2057937)

 -- Andreas Hasenack <email address hidden> Mon, 25 Mar 2024 11:29:56 -0300

Changed in ubuntu-advantage-tools (Ubuntu Xenial):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package ubuntu-advantage-tools - 31.2.2~18.04

---------------
ubuntu-advantage-tools (31.2.2~18.04) bionic; urgency=medium

  * version.py: match version from d/changelog (LP: #2058934)

ubuntu-advantage-tools (31.2.1~18.04) bionic; urgency=medium

  * apt-news.service: ignore apparmor errors when starting (LP: #2057937)

 -- Andreas Hasenack <email address hidden> Mon, 25 Mar 2024 11:39:20 -0300

Changed in ubuntu-advantage-tools (Ubuntu Bionic):
status: Fix Committed → Fix Released