[Bug 1857051] Re: Please add ${distro_id}ESM:${distro_codename}-infra-security and ${distro_id}ESMApps:${distro_codename}-apps-security to allowed origins (on Ubuntu)

Chad Smith 1857051 at bugs.launchpad.net
Wed Feb 19 03:57:28 UTC 2020 

### Bionic esm-apps * esm-infra verification  on AWS Ubuntu Pro

test script:

#!/bin/bash

if [ $# != 1 ]; then
 echo "usage: $0 <AWS_IP_ADDR>"
 exit 1
fi
echo 1. Launch AWs Ubuntu PRO Bionic which auto-enables both esm-apps and esm-infra
VM_IP=$1
echo 2. Remove ubuntu-advantage-tools Alllowed-Origins config
ssh ubuntu@$VM_IP sudo rm -f /etc/apt/apt.conf.d/51ubuntu-advantage-esm
echo 3. Run unattended-upgrades to confirm Allowed origins does not find esm packages
ssh ubuntu@$VM_IP dpkg-query --show unattended-upgrades
ssh ubuntu@$VM_IP sudo unattended-upgrades --dry-run --verbose 2>&1 | egrep -i 'Allowed|esm'
echo 4. Install unattended-upgrades from -proposed suites
cat > setup_proposed.sh <<EOF
#/bin/bash
mirror=http://archive.ubuntu.com/ubuntu
echo deb \$mirror \$(lsb_release -sc)-proposed main | tee /etc/apt/sources.list.d/proposed.list
apt-get update -q
apt-get install -qy unattended-upgrades
EOF
scp setup_proposed.sh ubuntu@$VM_IP:.
ssh ubuntu@$VM_IP sudo  bash ./setup_proposed.sh 2>&1 | grep unattended-upgrades
echo 5.Run unattended-upgrades to confirm -proposed Allowed origins does find esm packages
ssh ubuntu@$VM_IP sudo unattended-upgrades --dry-run --verbose 2>&1 | egrep -i 'Allowed|esm'
echo 6. Verify apt-cache policy shows matching origins and suites
ssh ubuntu@$VM_IP sudo apt-cache policy | grep -i esm


### Verification output
1. Launch AWs Ubuntu PRO Bionic which auto-enables both esm-apps and esm-infra
2. Remove ubuntu-advantage-tools Alllowed-Origins config
3. Run unattended-upgrades to confirm Allowed origins does not find esm packages
unattended-upgrades	1.1ubuntu1.18.04.12
Allowed origins are: o=Ubuntu,a=bionic, o=Ubuntu,a=bionic-security, o=UbuntuESM,a=bionic
4. Install unattended-upgrades from -proposed suites
setup_proposed.sh                            100%  203     3.3KB/s   00:00    
  unattended-upgrades
Get:1 http://archive.ubuntu.com/ubuntu bionic-proposed/main amd64 unattended-upgrades all 1.1ubuntu1.18.04.14 [41.7 kB]
Preparing to unpack .../unattended-upgrades_1.1ubuntu1.18.04.14_all.deb ...
Unpacking unattended-upgrades (1.1ubuntu1.18.04.14) over (1.1ubuntu1.18.04.12) ...
Setting up unattended-upgrades (1.1ubuntu1.18.04.14) ...
Replacing config file /etc/apt/apt.conf.d/50unattended-upgrades with new version
Allowed origins are: o=Ubuntu,a=bionic, o=Ubuntu,a=bionic-security, o=UbuntuESMApps,a=bionic-apps-security, o=UbuntuESM,a=bionic-infra-security
/usr/bin/dpkg --status-fd 11 --no-triggers --unpack --auto-deconfigure /var/cache/apt/archives/krb5-locales_1.16-2ubuntu0.1+esm1_all.deb 
/usr/bin/dpkg --status-fd 11 --no-triggers --unpack --auto-deconfigure /var/cache/apt/archives/libk5crypto3_1.16-2ubuntu0.1+esm1_amd64.deb 
/usr/bin/dpkg --status-fd 11 --no-triggers --unpack --auto-deconfigure /var/cache/apt/archives/libkrb5support0_1.16-2ubuntu0.1+esm1_amd64.deb /var/cache/apt/archives/libgssapi-krb5-2_1.16-2ubuntu0.1+esm1_amd64.deb /var/cache/apt/archives/libkrb5-3_1.16-2ubuntu0.1+esm1_amd64.deb 
6. Verify apt-cache policy shows matching origins and suites
 500 https://esm.ubuntu.com/infra/ubuntu bionic-infra-updates/main amd64 Packages
     release v=18.04,o=UbuntuESM,a=bionic-infra-updates,n=bionic,l=UbuntuESM,c=main,b=amd64
     origin esm.ubuntu.com
 500 https://esm.ubuntu.com/infra/ubuntu bionic-infra-security/main amd64 Packages
     release v=18.04,o=UbuntuESM,a=bionic-infra-security,n=bionic,l=UbuntuESM,c=main,b=amd64
     origin esm.ubuntu.com
 500 https://esm.ubuntu.com/apps/ubuntu bionic-apps-updates/main amd64 Packages
     release v=18.04,o=UbuntuESMApps,a=bionic-apps-updates,n=bionic,l=UbuntuESMApps,c=main,b=amd64
     origin esm.ubuntu.com
 500 https://esm.ubuntu.com/apps/ubuntu bionic-apps-security/main amd64 Packages
     release v=18.04,o=UbuntuESMApps,a=bionic-apps-security,n=bionic,l=UbuntuESMApps,c=main,b=amd64
     origin esm.ubuntu.com

### Verification output

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to unattended-upgrades in Ubuntu.
https://bugs.launchpad.net/bugs/1857051

Title:
  Please add ${distro_id}ESM:${distro_codename}-infra-security  and
  ${distro_id}ESMApps:${distro_codename}-apps-security to allowed
  origins (on Ubuntu)

Status in unattended-upgrades package in Ubuntu:
  Fix Released
Status in unattended-upgrades source package in Trusty:
  New
Status in unattended-upgrades source package in Xenial:
  Fix Committed
Status in unattended-upgrades source package in Bionic:
  Fix Committed
Status in unattended-upgrades source package in Eoan:
  Fix Committed

Bug description:
  [Impact]

   * Changes to the ESM repo naming and the introduction of the new esm-infra and esm-apps suites require an update to unattended-upgrades to ensure the security pockets are used.
   * This change will ensure users are actually receiving updates, where as today they will not without making manual changes.

  [Test Case]

   * 1) Bionic and Xenial ESM-Apps/ESM-infra with Ubuntu Pro
   * 2) Trusty ESM

  [Regression Potential]

   * This change is ensuring users actually receive security updates when using ESM. Therefore, 1) users of ESM-apps on Ubuntu Pro and 2) ESM-infra on Trusty will be the only users affected.
   * The possible issue would be if/when users receive actual security updates that then regress or cause issues to the system.

  [Other Info]
   
  Previous description:

  ESM <distro>-infra-security and <distro>-apps-security will need to
  participate in unattended upgrades.

  Currently /etc/apt/apt.conf.d/50unattended-upgrades provides:
  Unattended-Upgrade::Allowed-Origins {
          "${distro_id}ESM:${distro_codename}";
  }

  Given that there have been ESM apt pocket renames over the last few
  months, the above ESM allowed-origin should not apply anymore and can
  be dropped or replaced.

  See RT #C122697 and #C121067 for the pocket/suite renames related to
  ESM

  What is needed after the ESM apt pocket/suite renames:

  Support for unattended upgrades for ESM for Infrastructure customers:

  Unattended-Upgrade::Allowed-Origins {
    // Extended Security Maintenance; doesn't necessarily exist for
    // every release and this system may not have it installed, but if
    // available, the policy for updates is such that unattended-upgrades
    // should also install from here by default.
    "${distro_id}ESM:${distro_codename}-infra-security";
    "${distro_id}ESMApps:${distro_codename}-apps-security";
  };

  === Confirmed proper origin on an attached Trusty instance with ESM-
  infra enabled:

   500 https://esm.ubuntu.com/ubuntu/ trusty-infra-security/main amd64 Packages
       release v=14.04,o=UbuntuESM,a=trusty-infra-security,n=trusty,l=UbuntuESM,c=main

  === Confirmed proper origins on Bionic for enabled ESM-infra and ESM-apps on an AWS Ubuntu PRO instance:
   500 https://esm.ubuntu.com/infra/ubuntu bionic-infra-security/main amd64 Packages
       release v=18.04,o=UbuntuESM,a=bionic-infra-security,n=bionic,l=UbuntuESM,c=main,b=amd64

   500 https://esm.ubuntu.com/apps/ubuntu bionic-apps-security/main amd64 Packages
       release v=18.04,o=UbuntuESMApps,a=bionic-apps-security,n=bionic,l=UbuntuESMApps,c=main,b=amd64

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/unattended-upgrades/+bug/1857051/+subscriptions

More information about the foundations-bugs mailing list