### Eoan esm-apps * esm-infra verification on stock Eoan cloudimages # This test will show no regression in unattended-upgrades because there are no ESM offerings # on Eoan.
test script: #!/bin/bash if [ $# != 1 ]; then echo "usage: $0 <SERIES>" exit 1 fi SERIES=$1 LXC_NAME=test-sru-$SERIES echo 1. Launch ubuntu-daily $SERIES lxc #lxc launch ubuntu-daily:$SERIES $LXC_NAME echo 2. Run unattended-upgrades to confirm Allowed origins does not find esm packages lxc exec $LXC_NAME -- unattended-upgrades --dry-run --verbose 2>&1 | egrep -i 'Allowed|esm' echo 3. Install unattended-upgrades from -proposed suites cat > setup_proposed.sh <<EOF #/bin/bash mirror=http://archive.ubuntu.com/ubuntu echo deb \$mirror \$(lsb_release -sc)-proposed main | tee /etc/apt/sources.list.d/proposed.list apt-get update -q apt-get install -qy unattended-upgrades EOF lxc file push setup_proposed.sh $LXC_NAME/ lxc exec $LXC_NAME bash /setup_proposed.sh 2>&1 | grep unattended-upgrades echo 5.Run unattended-upgrades to confirm -proposed Allowed origins does cause regressions lxc exec $LXC_NAME -- unattended-upgrades --dry-run --verbose 2>&1 ### Verification output $ ./sru.sh eoan 1. Launch ubuntu-daily eoan lxc 2. Run unattended-upgrades to confirm Allowed origins does not find esm packages Allowed origins are: o=Ubuntu,a=eoan, o=Ubuntu,a=eoan-security, o=UbuntuESM,a=eoan, o=UbuntuESM,a=eoan-security, o=UbuntuESM,a=eoan-security 3. Install unattended-upgrades from -proposed suites unattended-upgrades Get:1 http://archive.ubuntu.com/ubuntu eoan-proposed/main amd64 unattended-upgrades all 1.14ubuntu1.2 [47.6 kB] Preparing to unpack .../unattended-upgrades_1.14ubuntu1.2_all.deb ... Unpacking unattended-upgrades (1.14ubuntu1.2) over (1.14ubuntu1.1) ... Setting up unattended-upgrades (1.14ubuntu1.2) ... Replacing config file /etc/apt/apt.conf.d/50unattended-upgrades with new version 5.Run unattended-upgrades to confirm -proposed Allowed origins does cause regressions Initial blacklist : Initial whitelist: Starting unattended upgrades script Allowed origins are: o=Ubuntu,a=eoan, o=Ubuntu,a=eoan-security, o=UbuntuESMApps,a=eoan-apps-security, o=UbuntuESM,a=eoan-infra-security, o=UbuntuESM,a=eoan-security No packages found that can be upgraded unattended and no pending auto-removals csmith@uptown:~/src/ubuntu-advantage-client$ echo $? 0 ** Tags removed: verification-needed-eoan ** Tags added: verification-done-eoan ** Changed in: unattended-upgrades (Ubuntu Trusty) Status: In Progress => Won't Fix -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to unattended-upgrades in Ubuntu. https://bugs.launchpad.net/bugs/1857051 Title: Please add ${distro_id}ESM:${distro_codename}-infra-security and ${distro_id}ESMApps:${distro_codename}-apps-security to allowed origins (on Ubuntu) Status in unattended-upgrades package in Ubuntu: Fix Released Status in unattended-upgrades source package in Trusty: Won't Fix Status in unattended-upgrades source package in Xenial: Fix Committed Status in unattended-upgrades source package in Bionic: Fix Committed Status in unattended-upgrades source package in Eoan: Fix Committed Bug description: [Impact] * Changes to the ESM repo naming and the introduction of the new esm-infra and esm-apps suites require an update to unattended-upgrades to ensure the security pockets are used. * This change will ensure users are actually receiving updates, where as today they will not without making manual changes. [Test Case] * 1) Bionic and Xenial ESM-Apps/ESM-infra with Ubuntu Pro * 2) Trusty ESM [Regression Potential] * This change is ensuring users actually receive security updates when using ESM. Therefore, 1) users of ESM-apps on Ubuntu Pro and 2) ESM-infra on Trusty will be the only users affected. * The possible issue would be if/when users receive actual security updates that then regress or cause issues to the system. [Other Info] Previous description: ESM <distro>-infra-security and <distro>-apps-security will need to participate in unattended upgrades. Currently /etc/apt/apt.conf.d/50unattended-upgrades provides: Unattended-Upgrade::Allowed-Origins { "${distro_id}ESM:${distro_codename}"; } Given that there have been ESM apt pocket renames over the last few months, the above ESM allowed-origin should not apply anymore and can be dropped or replaced. See RT #C122697 and #C121067 for the pocket/suite renames related to ESM What is needed after the ESM apt pocket/suite renames: Support for unattended upgrades for ESM for Infrastructure customers: Unattended-Upgrade::Allowed-Origins { // Extended Security Maintenance; doesn't necessarily exist for // every release and this system may not have it installed, but if // available, the policy for updates is such that unattended-upgrades // should also install from here by default. "${distro_id}ESM:${distro_codename}-infra-security"; "${distro_id}ESMApps:${distro_codename}-apps-security"; }; === Confirmed proper origin on an attached Trusty instance with ESM- infra enabled: 500 https://esm.ubuntu.com/ubuntu/ trusty-infra-security/main amd64 Packages release v=14.04,o=UbuntuESM,a=trusty-infra-security,n=trusty,l=UbuntuESM,c=main === Confirmed proper origins on Bionic for enabled ESM-infra and ESM-apps on an AWS Ubuntu PRO instance: 500 https://esm.ubuntu.com/infra/ubuntu bionic-infra-security/main amd64 Packages release v=18.04,o=UbuntuESM,a=bionic-infra-security,n=bionic,l=UbuntuESM,c=main,b=amd64 500 https://esm.ubuntu.com/apps/ubuntu bionic-apps-security/main amd64 Packages release v=18.04,o=UbuntuESMApps,a=bionic-apps-security,n=bionic,l=UbuntuESMApps,c=main,b=amd64 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/unattended-upgrades/+bug/1857051/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
