### Bionic validation
1. start with a bionic VM with unattended-upgrades from bionic-updates
2. ua enable ESM-Infra via ubuntu-advantage-tools
3. /etc/apt/apt.conf.d/51ubuntu-advantage-esm (which delivers Allowed-Origins
config)
"${distro_id}ESMApps:${distro_codename}-apps-security";
"${distro_id}ESM:${distro_codename}-infra-security";
4. Check whether unattended-upgrades sees bionic esm packages
sudo unattended-upgrades --dry-run --debug 2>&1 | egrep -i 'Allowed|ESM'
5. Upgrade unattended-upgrades to -proposed
6. Check whether unattended-upgrades sees bionic esm packages
sudo unattended-upgrades --dry-run --debug 2>&1 | egrep -i 'Allowed|ESM'
root@test-bionic:~/ubuntu-advantage-client# dpkg-query --show
unattended-upgrades
unattended-upgrades 1.1ubuntu1.18.04.13
# No esm-infra packages seen by unattended-upgrades dry-run
root@test-bionic:~/ubuntu-advantage-client# sudo unattended-upgrades --dry-run
--debug 2>&1 | egrep -i 'Allowed|ESM'
Allowed origins are: o=Ubuntu,a=bionic, o=Ubuntu,a=bionic-security,
o=UbuntuESM,a=bionic
Checking: krb5-locales ([<Origin component:'main'
archive:'bionic-infra-security' origin:'UbuntuESM' label:'UbuntuESM'
site:'esm.ubuntu.com' isTrusted:True>, <Origin component:'main'
archive:'bionic-infra-updates' origin:'UbuntuESM' label:'UbuntuESM'
site:'esm.ubuntu.com' isTrusted:True>])
Checking: libgssapi-krb5-2 ([<Origin component:'main'
archive:'bionic-infra-security' origin:'UbuntuESM' label:'UbuntuESM'
site:'esm.ubuntu.com' isTrusted:True>, <Origin component:'main'
archive:'bionic-infra-updates' origin:'UbuntuESM' label:'UbuntuESM'
site:'esm.ubuntu.com' isTrusted:True>])
Checking: libk5crypto3 ([<Origin component:'main'
archive:'bionic-infra-security' origin:'UbuntuESM' label:'UbuntuESM'
site:'esm.ubuntu.com' isTrusted:True>, <Origin component:'main'
archive:'bionic-infra-updates' origin:'UbuntuESM' label:'UbuntuESM'
site:'esm.ubuntu.com' isTrusted:True>])
Checking: libkrb5-3 ([<Origin component:'main' archive:'bionic-infra-security'
origin:'UbuntuESM' label:'UbuntuESM' site:'esm.ubuntu.com' isTrusted:True>,
<Origin component:'main' archive:'bionic-infra-updates' origin:'UbuntuESM'
label:'UbuntuESM' site:'esm.ubuntu.com' isTrusted:True>])
Checking: libkrb5support0 ([<Origin component:'main'
archive:'bionic-infra-security' origin:'UbuntuESM' label:'UbuntuESM'
site:'esm.ubuntu.com' isTrusted:True>, <Origin component:'main'
archive:'bionic-infra-updates' origin:'UbuntuESM' label:'UbuntuESM'
site:'esm.ubuntu.com' isTrusted:True>])
# upgrade to -proposed
root@test-bionic:~/ubuntu-advantage-client# apt-get install unattended-upgrades
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following package was automatically installed and is no longer required:
libfreetype6
Use 'apt autoremove' to remove it.
Suggested packages:
bsd-mailx default-mta | mail-transport-agent needrestart
The following packages will be upgraded:
unattended-upgrades
1 upgraded, 0 newly installed, 0 to remove and 34 not upgraded.
Need to get 41.7 kB of archives.
After this operation, 0 B of additional disk space will be used.
Get:1 http://archive.ubuntu.com/ubuntu bionic-proposed/main amd64
unattended-upgrades all 1.1ubuntu1.18.04.14 [41.7 kB]
Fetched 41.7 kB in 1s (65.2 kB/s)
Preconfiguring packages ...
(Reading database ... 41831 files and directories currently installed.)
Preparing to unpack .../unattended-upgrades_1.1ubuntu1.18.04.14_all.deb ...
Unpacking unattended-upgrades (1.1ubuntu1.18.04.14) over (1.1ubuntu1.18.04.13)
...
Setting up unattended-upgrades (1.1ubuntu1.18.04.14) ...
Replacing config file /etc/apt/apt.conf.d/50unattended-upgrades with new version
Processing triggers for ureadahead (0.100.0-21) ...
Processing triggers for systemd (237-3ubuntu10.38) ...
Processing triggers for man-db (2.8.3-2ubuntu0.1) ...
# See esm-infra packages after upgrading to -proposed
root@test-bionic:~/ubuntu-advantage-client# sudo unattended-upgrades --dry-run
--debug 2>&1 | egrep -i 'Allowed|ESM'
Allowed origins are: o=Ubuntu,a=bionic, o=Ubuntu,a=bionic-security,
o=UbuntuESMApps,a=bionic-apps-security, o=UbuntuESM,a=bionic-infra-security
Checking: krb5-locales ([<Origin component:'main'
archive:'bionic-infra-security' origin:'UbuntuESM' label:'UbuntuESM'
site:'esm.ubuntu.com' isTrusted:True>, <Origin component:'main'
archive:'bionic-infra-updates' origin:'UbuntuESM' label:'UbuntuESM'
site:'esm.ubuntu.com' isTrusted:True>])
Checking: libgssapi-krb5-2 ([<Origin component:'main'
archive:'bionic-infra-security' origin:'UbuntuESM' label:'UbuntuESM'
site:'esm.ubuntu.com' isTrusted:True>, <Origin component:'main'
archive:'bionic-infra-updates' origin:'UbuntuESM' label:'UbuntuESM'
site:'esm.ubuntu.com' isTrusted:True>])
Checking: libk5crypto3 ([<Origin component:'main'
archive:'bionic-infra-security' origin:'UbuntuESM' label:'UbuntuESM'
site:'esm.ubuntu.com' isTrusted:True>, <Origin component:'main'
archive:'bionic-infra-updates' origin:'UbuntuESM' label:'UbuntuESM'
site:'esm.ubuntu.com' isTrusted:True>])
Checking: libkrb5-3 ([<Origin component:'main' archive:'bionic-infra-security'
origin:'UbuntuESM' label:'UbuntuESM' site:'esm.ubuntu.com' isTrusted:True>,
<Origin component:'main' archive:'bionic-infra-updates' origin:'UbuntuESM'
label:'UbuntuESM' site:'esm.ubuntu.com' isTrusted:True>])
Checking: libkrb5support0 ([<Origin component:'main'
archive:'bionic-infra-security' origin:'UbuntuESM' label:'UbuntuESM'
site:'esm.ubuntu.com' isTrusted:True>, <Origin component:'main'
archive:'bionic-infra-updates' origin:'UbuntuESM' label:'UbuntuESM'
site:'esm.ubuntu.com' isTrusted:True>])
<apt_pkg.AcquireItem object:Status: 2 Complete: 1 Local: 1 IsTrusted: 1
FileSize: 13400
DestFile:'/var/cache/apt/archives/krb5-locales_1.16-2ubuntu0.1+esm1_all.deb'
DescURI:
'https://esm.ubuntu.com/infra/ubuntu/pool/main/k/krb5/krb5-locales_1.16-2ubuntu0.1+esm1_all.deb'
ID:0 ErrorText: ''>
check_conffile_prompt(/var/cache/apt/archives/krb5-locales_1.16-2ubuntu0.1+esm1_all.deb)
No conffiles in deb
/var/cache/apt/archives/krb5-locales_1.16-2ubuntu0.1+esm1_all.deb (There is no
member named 'conffiles')
<apt_pkg.AcquireItem object:Status: 2 Complete: 1 Local: 1 IsTrusted: 1
FileSize: 122252
DestFile:'/var/cache/apt/archives/libgssapi-krb5-2_1.16-2ubuntu0.1+esm1_amd64.deb'
DescURI:
'https://esm.ubuntu.com/infra/ubuntu/pool/main/k/krb5/libgssapi-krb5-2_1.16-2ubuntu0.1+esm1_amd64.deb'
ID:0 ErrorText: ''>
check_conffile_prompt(/var/cache/apt/archives/libgssapi-krb5-2_1.16-2ubuntu0.1+esm1_amd64.deb)
No conffiles in deb
/var/cache/apt/archives/libgssapi-krb5-2_1.16-2ubuntu0.1+esm1_amd64.deb (There
is no member named 'conffiles')
<apt_pkg.AcquireItem object:Status: 2 Complete: 1 Local: 1 IsTrusted: 1
FileSize: 278360
DestFile:'/var/cache/apt/archives/libkrb5-3_1.16-2ubuntu0.1+esm1_amd64.deb'
DescURI:
'https://esm.ubuntu.com/infra/ubuntu/pool/main/k/krb5/libkrb5-3_1.16-2ubuntu0.1+esm1_amd64.deb'
ID:0 ErrorText: ''>
check_conffile_prompt(/var/cache/apt/archives/libkrb5-3_1.16-2ubuntu0.1+esm1_amd64.deb)
No conffiles in deb
/var/cache/apt/archives/libkrb5-3_1.16-2ubuntu0.1+esm1_amd64.deb (There is no
member named 'conffiles')
<apt_pkg.AcquireItem object:Status: 2 Complete: 1 Local: 1 IsTrusted: 1
FileSize: 30808
DestFile:'/var/cache/apt/archives/libkrb5support0_1.16-2ubuntu0.1+esm1_amd64.deb'
DescURI:
'https://esm.ubuntu.com/infra/ubuntu/pool/main/k/krb5/libkrb5support0_1.16-2ubuntu0.1+esm1_amd64.deb'
ID:0 ErrorText: ''>
check_conffile_prompt(/var/cache/apt/archives/libkrb5support0_1.16-2ubuntu0.1+esm1_amd64.deb)
No conffiles in deb
/var/cache/apt/archives/libkrb5support0_1.16-2ubuntu0.1+esm1_amd64.deb (There
is no member named 'conffiles')
<apt_pkg.AcquireItem object:Status: 2 Complete: 1 Local: 1 IsTrusted: 1
FileSize: 85668
DestFile:'/var/cache/apt/archives/libk5crypto3_1.16-2ubuntu0.1+esm1_amd64.deb'
DescURI:
'https://esm.ubuntu.com/infra/ubuntu/pool/main/k/krb5/libk5crypto3_1.16-2ubuntu0.1+esm1_amd64.deb'
ID:0 ErrorText: ''>
check_conffile_prompt(/var/cache/apt/archives/libk5crypto3_1.16-2ubuntu0.1+esm1_amd64.deb)
No conffiles in deb
/var/cache/apt/archives/libk5crypto3_1.16-2ubuntu0.1+esm1_amd64.deb (There is
no member named 'conffiles')
/usr/bin/dpkg --status-fd 11 --no-triggers --unpack --auto-deconfigure
/var/cache/apt/archives/krb5-locales_1.16-2ubuntu0.1+esm1_all.deb
/usr/bin/dpkg --status-fd 11 --no-triggers --unpack --auto-deconfigure
/var/cache/apt/archives/libk5crypto3_1.16-2ubuntu0.1+esm1_amd64.deb
/usr/bin/dpkg --status-fd 11 --no-triggers --unpack --auto-deconfigure
/var/cache/apt/archives/libkrb5support0_1.16-2ubuntu0.1+esm1_amd64.deb
/var/cache/apt/archives/libgssapi-krb5-2_1.16-2ubuntu0.1+esm1_amd64.deb
/var/cache/apt/archives/libkrb5-3_1.16-2ubuntu0.1+esm1_amd64.deb
# Show apt policy for esm-infra
root@test-bionic:~/ubuntu-advantage-client# apt-cache policy | grep -i esm
500 https://esm.ubuntu.com/infra/ubuntu bionic-infra-updates/main amd64
Packages
release
v=18.04,o=UbuntuESM,a=bionic-infra-updates,n=bionic,l=UbuntuESM,c=main,b=amd64
origin esm.ubuntu.com
500 https://esm.ubuntu.com/infra/ubuntu bionic-infra-security/main amd64
Packages
release
v=18.04,o=UbuntuESM,a=bionic-infra-security,n=bionic,l=UbuntuESM,c=main,b=amd64
origin esm.ubuntu.com
# can't validate esm-apps-bionic as I don't have a contract token with access,
but
https://esm.staging.ubuntu.com/apps/ubuntu/dists/bionic-apps-security/InRelease
confirms archive format for:
Origin: UbuntuESMApps
Suite: bionic-apps-security
** Tags removed: verification-needed-bionic
** Tags added: verification-done-bionic
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to unattended-upgrades in
Ubuntu.
https://bugs.launchpad.net/bugs/1857051
Title:
Please add ${distro_id}ESM:${distro_codename}-infra-security and
${distro_id}ESMApps:${distro_codename}-apps-security to allowed
origins (on Ubuntu)
Status in unattended-upgrades package in Ubuntu:
Fix Released
Status in unattended-upgrades source package in Trusty:
New
Status in unattended-upgrades source package in Xenial:
Fix Committed
Status in unattended-upgrades source package in Bionic:
Fix Committed
Status in unattended-upgrades source package in Eoan:
Fix Committed
Bug description:
[Impact]
* Changes to the ESM repo naming and the introduction of the new esm-infra
and esm-apps suites require an update to unattended-upgrades to ensure the
security pockets are used.
* This change will ensure users are actually receiving updates, where as
today they will not without making manual changes.
[Test Case]
* 1) Bionic and Xenial ESM-Apps/ESM-infra with Ubuntu Pro
* 2) Trusty ESM
[Regression Potential]
* This change is ensuring users actually receive security updates when using
ESM. Therefore, 1) users of ESM-apps on Ubuntu Pro and 2) ESM-infra on Trusty
will be the only users affected.
* The possible issue would be if/when users receive actual security updates
that then regress or cause issues to the system.
[Other Info]
Previous description:
ESM <distro>-infra-security and <distro>-apps-security will need to
participate in unattended upgrades.
Currently /etc/apt/apt.conf.d/50unattended-upgrades provides:
Unattended-Upgrade::Allowed-Origins {
"${distro_id}ESM:${distro_codename}";
}
Given that there have been ESM apt pocket renames over the last few
months, the above ESM allowed-origin should not apply anymore and can
be dropped or replaced.
See RT #C122697 and #C121067 for the pocket/suite renames related to
ESM
What is needed after the ESM apt pocket/suite renames:
Support for unattended upgrades for ESM for Infrastructure customers:
Unattended-Upgrade::Allowed-Origins {
// Extended Security Maintenance; doesn't necessarily exist for
// every release and this system may not have it installed, but if
// available, the policy for updates is such that unattended-upgrades
// should also install from here by default.
"${distro_id}ESM:${distro_codename}-infra-security";
"${distro_id}ESMApps:${distro_codename}-apps-security";
};
=== Confirmed proper origin on an attached Trusty instance with ESM-
infra enabled:
500 https://esm.ubuntu.com/ubuntu/ trusty-infra-security/main amd64 Packages
release
v=14.04,o=UbuntuESM,a=trusty-infra-security,n=trusty,l=UbuntuESM,c=main
=== Confirmed proper origins on Bionic for enabled ESM-infra and ESM-apps on
an AWS Ubuntu PRO instance:
500 https://esm.ubuntu.com/infra/ubuntu bionic-infra-security/main amd64
Packages
release
v=18.04,o=UbuntuESM,a=bionic-infra-security,n=bionic,l=UbuntuESM,c=main,b=amd64
500 https://esm.ubuntu.com/apps/ubuntu bionic-apps-security/main amd64
Packages
release
v=18.04,o=UbuntuESMApps,a=bionic-apps-security,n=bionic,l=UbuntuESMApps,c=main,b=amd64
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/unattended-upgrades/+bug/1857051/+subscriptions
--
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help : https://help.launchpad.net/ListHelp
