[Bug 2039113] Re: ubuntu-advantage-tools installs "core" snap even though canonical-livepatch snap exists for every base

Dimitri John Ledkov 2039113 at bugs.launchpad.net
Mon Oct 16 13:50:20 UTC 2023


There are two bugs here:

1) pro client must never pull in non-matching base, this is prohibited
by the seeded snaps policy in Ubuntu Archive, which it is currently
violating. It is absolutely critical that it must never install non-
matching base, meaning I will request removal of livepatch feature from
Ubuntu Archive for 24.04 release if this is not fixed for 24.04 release
to install core24/stable channel

2) pro client must fix this for upgrades, and refresh all existing
installs on all LTS releases to an appropriate coreXX/stable channel
before "core" goes EOL in April 2026 (ticking time bomb). Or have
base:bare published in latest/stable, or publish a supported base snap
into latest/stable (i.e. core22 base promoted to latest/stable). Another
alternative is to make core22 the default track, but that's still
kicking the can down the road by 8 years, as it will not be suitable for
24.04 release

3) Even after we fix pro client to switch/refresh everyone off "core"
base livepatch-client, this is still not enough. As currently, once
"core" snap gets installed it can never ever ever be removed from a
system. This is I believe a snapd bug. Meaning today, whilst jammy
systems start out without "core" snap that is about to go EOL, they gain
it, and can never remove it again.

This is absolutely critical to solve in some way. Which way it is
solved, doesn't matter. But you cannot all reference each other's
implementations, and deprioritise all of them. As at least one of them
should be scheduled to be fixed soon. (as in the current situation,
where base:bare is deprioritised, and installing/refreshing to the
matching coreXX/stable track is also deprioritised).

You are currently exposing modern ubuntu systems to the risk of forcing
to run and make available obsolete and vulnerable binaries on modern
Ubuntu releases. Recent security exploits have been demonstrated to use
unrelated binaries available on the host system, to gain advantage (see
recent ssh-agent attack that uses random available files on the host,
with the right properties to dlopen them to stage remote code
execution and privilege escalation attacks).

** Also affects: canonical-livepatch-client
   Importance: Undecided
       Status: New

** Changed in: canonical-livepatch-client
   Importance: Undecided => Critical

** Also affects: ubuntu-release-upgrader (Ubuntu)
   Importance: Undecided
       Status: New

** Changed in: ubuntu-release-upgrader (Ubuntu)
   Importance: Undecided => High

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to ubuntu-release-upgrader in
Ubuntu.
https://bugs.launchpad.net/bugs/2039113

Title:
  ubuntu-advantage-tools installs "core" snap even though canonical-
  livepatch snap exists for every base

Status in Canonical Livepatch Client:
  New
Status in snapd package in Ubuntu:
  New
Status in ubuntu-advantage-tools package in Ubuntu:
  New
Status in ubuntu-release-upgrader package in Ubuntu:
  New

Bug description:
  ubuntu-advantage-tools installs "core" snap even though canonical-
  livepatch snap exists for every base

  it seems like instead of installing core22/stable on jammy systems, it
  installs latest/stable with core snap base, making core snap
  uninstallable.

  I will try to reproduce this, but this is off.

  Jammy+ systems, must not have core snap as unremovable anymore.

  === summary
  snapd: once core snap is installed, it can never be removed

  canonical-livepatch-client: does not provide base:bare build, nor does
  the default track point to most current base (today "base:core22");
  nor do latest/stable/ubuntu-MM.YY branches exist that use matching
  base (i.e. latest/stable/ubuntu-22.04 publishes the core22/stable snap
  revisions)

  ubuntu-advantage-tools: installs default track livepatch-client, which
  doesn't match a given LTS release

  ubuntu-release-upgrader: doesn't currently switch canonical-livepatch-
  client to use modern/matching base snap track.

  ===

  
  ProblemType: Bug
  DistroRelease: Ubuntu 22.04
  Package: ubuntu-advantage-tools 29.4~22.04
  ProcVersionSignature: Ubuntu 6.2.0-34.34~22.04.1-generic 6.2.16
  Uname: Linux 6.2.0-34-generic x86_64
  NonfreeKernelModules: zfs zunicode zavl icp zcommon znvpair
  ApportVersion: 2.20.11-0ubuntu82.5
  Architecture: amd64
  CasperMD5CheckResult: pass
  CurrentDesktop: ubuntu:GNOME
  Date: Thu Oct 12 00:22:38 2023
  InstallationDate: Installed on 2023-04-28 (166 days ago)
  InstallationMedia: Ubuntu 22.04.2 LTS "Jammy Jellyfish" - Release amd64 (20230223)
  SourcePackage: ubuntu-advantage-tools
  UpgradeStatus: No upgrade log present (probably fresh install)
  cloud-id.txt-error: Invalid command specified 'cloud-id'.
  uaclient.conf:
   contract_url: https://contracts.canonical.com
   log_level: debug

To manage notifications about this bug go to:
https://bugs.launchpad.net/canonical-livepatch-client/+bug/2039113/+subscriptions
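The base mismatch described in this report can be audited on a host by reading each installed snap's `meta/snap.yaml`. The script below is an added example, not part of the bug report or of any Canonical tool; the function names are hypothetical, and it assumes the standard `/snap/<name>/current/meta/snap.yaml` layout and that a snap declaring no `base:` runs on `core`.

```shell
#!/bin/sh
# Added example: flag installed app snaps whose base is not the coreXX
# that matches the host's Ubuntu release (e.g. core22 on 22.04).

# Base expected for an Ubuntu LTS VERSION_ID, e.g. 22.04 -> core22.
# 16.04 predates numbered bases and uses the original "core" snap.
expected_base() {
    case "$1" in
        16.04) echo core ;;
        *)     echo "core${1%%.*}" ;;
    esac
}

# yaml_key FILE KEY: print a top-level scalar from snap.yaml (empty if absent).
# Indented (nested) keys are ignored because $1 must equal KEY exactly.
yaml_key() {
    awk -v k="$2" -F': *' '$1 == k { gsub(/[" \t\r]/, "", $2); print $2; exit }' "$1"
}

# audit_snaps ROOT VERSION_ID: print "name base verdict" for every app snap.
audit_snaps() {
    want=$(expected_base "$2")
    for meta in "$1"/*/current/meta/snap.yaml; do
        [ -f "$meta" ] || continue
        kind=$(yaml_key "$meta" type)
        # Skip base, os (the core snap itself), snapd, kernel and gadget snaps.
        case "${kind:-app}" in app) ;; *) continue ;; esac
        name=$(yaml_key "$meta" name)
        base=$(yaml_key "$meta" base)
        base=${base:-core}   # assumption: no base declared means "core"
        case "$base" in
            "$want"|bare) verdict=ok ;;        # base:bare needs no coreXX
            *)            verdict=MISMATCH ;;  # pulls in a non-matching base
        esac
        echo "$name $base $verdict"
    done
}

# On a real host:
#   audit_snaps /snap "$(. /etc/os-release && echo "$VERSION_ID")"
```

Any `MISMATCH` line naming `core` on a 22.04 or later system identifies a snap that keeps the soon-to-be-EOL base installed.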