group.of.nepali.translators team mailing list archive
-
group.of.nepali.translators team
-
Mailing list archive
-
Message #19717
[Bug 1531150] Re: package-reporter doesn't get proxy settings from client.conf
This bug was fixed in the package landscape-client -
16.03-0ubuntu3.17.04.1
---------------
landscape-client (16.03-0ubuntu3.17.04.1) zesty; urgency=medium
[ Simon Poirier ]
* Add proxy handling to package reporter. (LP: #1531150)
* Fix regression in configuration hook under install-cd chroot (LP: #1699789)
* Report autoremovable packages (LP: #1208393)
* No not re-register client by default (LP: #1618483)
-- Andreas Hasenack <andreas@xxxxxxxxxxxxx> Fri, 10 Nov 2017 16:06:54
-0200
** Changed in: landscape-client (Ubuntu Zesty)
Status: Fix Committed => Fix Released
** Changed in: landscape-client (Ubuntu Xenial)
Status: Fix Committed => Fix Released
--
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1531150
Title:
package-reporter doesn't get proxy settings from client.conf
Status in Landscape Client:
Fix Released
Status in landscape-client package in Ubuntu:
Fix Released
Status in landscape-client source package in Trusty:
Fix Released
Status in landscape-client source package in Xenial:
Fix Released
Status in landscape-client source package in Zesty:
Fix Released
Status in landscape-client source package in Artful:
Fix Released
Bug description:
[Impact]
The package reporter is not getting the proxy settings set in
/etc/landscape/client.conf. As a result, fetching hash-id-database
file and running the SUID root /usr/lib/landscape/apt-update helper
fail. Even though the binary it calls in turn fails (apt-get itself),
the exit code is 0. It's only seen in the logs if using debug mode.
[Test Case]
Here we want to block direct access from a client to landscape.canonical.com and the ubuntu archive, forcing it to use a proxy we will setup. That's how we will determine that the bug is fixed.
DO NOT set proxy environment variables, as these will be picked up by
the client when it's restarted and give a false good test result. We
want to be sure the values are being grabbed from the config file, and
not the environment.
DO NOT set proxy values in /etc/environment.
* Create an ubuntu container or VM, take note of its IP address, and
install the proposed landscape-client package on it.
sudo apt install landscape-client
Also make sure dnsutils is installed:
sudo apt install dnsutils
* Enable debugging on the client. Edit /etc/landscape/client.conf and make sure this line is there:
log_level = debug
* Block direct access to landscape.canonical.com:
for ip in $(dig +short landscape.canonical.com); do sudo iptables -A OUTPUT -d $ip -j REJECT; done
Do the same for your ubuntu archive or whatever mirror you are using (note: this won't work if you have ipv6 enabled):
for ip in $(dig +short archive.ubuntu.com; do sudo iptables -A OUTPUT -d $ip -j REJECT; done
* Confirm that this access is indeed blocked:
$ telnet landscape.canonical.com 80
Trying 91.189.90.173...
Trying 91.189.89.90...
telnet: Unable to connect to remote host: Connection refused
$ telnet landscape.canonical.com 443
Trying 91.189.89.90...
Trying 91.189.90.173...
telnet: Unable to connect to remote host: Connection refused
* Verify that apt-get update is blocked for the archive (your ips might differ, here I'm using a mirror):
$ sudo apt update
(...)
Err:2 http://br.archive.ubuntu.com/ubuntu xenial InRelease
Cannot initiate the connection to br.archive.ubuntu.com:80 (2801:82:80ff:8000::5). - connect (101: Network is unreachable) [IP: 2801:82:80ff:8000::5 80]
* In a xenial container, install the squid proxy server:
sudo apt install squid3
* Take note of the IP of this container
* Edit /etc/squid/squid.conf and make these changes:
- locate the "#acl localnet src" block of lines and add one for the network where the landscape-client container you created before has an IP. For example:
acl localnet src 10.0.0.0/8
- locate the "#http_access allow localnet" line and remove the comment:
http_access allow localnet
* Restart squid:
sudo service squid restart
* Keep tailing the squid access logs:
sudo tail -f /var/log/squid/access.log
* Go back to the landscape-client container
* Verify that the proxy is allowing your connections, and that without the proxy it fails:
ubuntu@xenial-client-sru:~$ http_proxy=http://xenial-proxy.lxd:3128/ curl http://landscape.canonical.com/ping ;echo
ds5:errors19:provide insecure_id;
ubuntu@xenial-client-sru:~$ curl http://landscape.canonical.com/ping ;echo
curl: (7) Failed to connect to landscape.canonical.com port 80: Connection refused
* Same for https:
ubuntu@xenial-client-sru:~$ https_proxy=http://xenial-proxy.lxd:3128 curl https://landscape.canonical.com/message-system;echo
Landscape message server
ubuntu@xenial-client-sru:~$ curl https://landscape.canonical.com/message-system;echo
curl: (7) Failed to connect to landscape.canonical.com port 443: Connection refused
* in a terminal, tail the (still non existing) package-reporter logs:
sudo tail -F /var/log/landscape/package-reporter.log
* in another terminal, tail the (still non existing) broker log:
sudo tail -F /var/log/landscape/broker.log
* register the client with a landscape server. In this example we are
going to use landscape.canonical.com and the proxy we just configured
(replace <proxy> with the IP of the squid container we created above):
sudo landscape-config -a <youraccount> -u
https://landscape.canonical.com/message-system --ping-url
http://landscape.canonical.com/ping -t sru-proxy-test --silent --http-
proxy=http://<proxy>:3128/ --https-proxy=http://<proxy>:3128/ --apt-
update-interval=300
* the proxy access logs should show some activity already:
1511531199.415 1230 127.0.0.1 TCP_TUNNEL/200 4474 CONNECT landscape.canonical.com:443 - HIER_DIRECT/91.189.89.90 -
1511531229.909 485 127.0.0.1 TCP_MISS/200 357 POST http://landscape.canonical.com/ping - HIER_DIRECT/91.189.89.90 text/html
That's the registration request (port 443) and the ping (port 80)
* go to landscape.canonical.com, login and accept the new pending
computer we just created
* monitor package-reporter.log. At some point it should log that it downloaded the hash-id-database:
2017-11-24 14:31:24,203 INFO [MainThread] Downloaded hash=>id database from https://landscape.canonical.com/hash-id-databases/af6f2dcf-1967-11de-8dd0-001a4b4d8d10_xenial_amd64
Since this is via https, it will be hard to match it to a proxy access
log, but since we blocked direct access to landscape, we know this
download happened via the proxy. That's one bug fix confirmed.
* also in package-reporter.log, keep an eye out for the apt run. Something like this indicates it worked:
2017-11-24 14:35:17,736 DEBUG [MainThread] '/usr/lib/landscape/apt-update' exited with status 0 (out='Hit:1 http://br.archive.ubuntu.com/ubuntu xenial InRelease
Hit:2 http://br.archive.ubuntu.com/ubuntu xenial-updates InRelease
Hit:3 http://br.archive.ubuntu.com/ubuntu xenial-backports InRelease
Hit:4 http://br.archive.ubuntu.com/ubuntu xenial-security InRelease
Reading package lists...
', err='')
i.e., no error reported
There should also be matching entries in the proxy access logs:
1511534116.438 27 10.0.100.95 TCP_MISS/304 251 GET http://br.archive.ubuntu.com/ubuntu/dists/xenial/InRelease - HIER_DIRECT/200.236.31.4 -
1511534116.442 3 10.0.100.95 TCP_MISS/304 251 GET http://br.archive.ubuntu.com/ubuntu/dists/xenial-updates/InRelease - HIER_DIRECT/200.236.31.4 -
1511534116.445 3 10.0.100.95 TCP_MISS/304 251 GET http://br.archive.ubuntu.com/ubuntu/dists/xenial-backports/InRelease - HIER_DIRECT/200.236.31.4 -
1511534116.449 3 10.0.100.95 TCP_MISS/304 251 GET http://br.archive.ubuntu.com/ubuntu/dists/xenial-security/InRelease - HIER_DIRECT/200.236.31.4 -
That confirms that apt-update was given the proxy information by
landscape from the package-reporter, and confirms that the package-
reporter got the proxy information.
These two verifications (hash-id download, and apt update run) confirm
this bug is fixed.
[Regression Potential]
Regressions in this area will basically prevent the client from fetching package information from the ubuntu archive and whatever other repositories are configured. This situation would be obvious enough by checking the lack of updates available for the registered computers, which is the problem this patch is fixing. What's important is that communication with the server would remain unaffected.
Should a major regression creep in, something that prevents the client
from communicating with the server, then the server would eventually
issue a "computer offline" alert and the admin would have to
investigate. What could be troublesome is if the only means of
accessing the computer is via landscape. This should be rare, as ssh
usage is widespread.
[Other Info]
* Upstream revision:
http://bazaar.launchpad.net/~landscape/landscape-client/trunk/revision/919
This PPA has test packages built from the attached branches, using a ~ppaN suffix:
https://launchpad.net/~ahasenack/+archive/ubuntu/lsclient-sru-1721383
--- Original description ---
The package reporter is not getting the proxy settings set in
/etc/landscape/client.conf. It will honor the environment variables if
they are somehow set when landscape-client is started, but not if the
values are just defined in that configuration file.
As a result, the following fails:
- fetching hash-id-database file
- running the SUID root /usr/lib/landscape/apt-update helper. Even though the binary it calls in turn fails (apt-get itself), the exit code is 0. It's only seen in the logs if using debug mode.
Logs from a run on a test system which is prohibited from accessing the internet directly, but does have the proxy settings in client.conf:
2016-01-05 12:41:25,678 DEBUG [MainThread] '/usr/lib/landscape/apt-update' exited with status 0 (out='Err http://archive.ubuntu.com trusty InRelease
Err http://archive.ubuntu.com trusty-updates InRelease
Err http://archive.ubuntu.com trusty-security InRelease
Err http://archive.ubuntu.com trusty Release.gpg
Unable to connect to archive.ubuntu.com:http:
Err http://archive.ubuntu.com trusty-updates Release.gpg
Unable to connect to archive.ubuntu.com:http:
Err http://archive.ubuntu.com trusty-security Release.gpg
Unable to connect to archive.ubuntu.com:http:
Reading package lists...
', err='W: Failed to fetch http://archive.ubuntu.com//ubuntu/dists/trusty/InRelease
W: Failed to fetch http://archive.ubuntu.com//ubuntu/dists/trusty-
updates/InRelease
W: Failed to fetch http://archive.ubuntu.com//ubuntu/dists/trusty-
security/InRelease
W: Failed to fetch
http://archive.ubuntu.com//ubuntu/dists/trusty/Release.gpg Unable to
connect to archive.ubuntu.com:http:
W: Failed to fetch http://archive.ubuntu.com//ubuntu/dists/trusty-
updates/Release.gpg Unable to connect to archive.ubuntu.com:http:
W: Failed to fetch http://archive.ubuntu.com//ubuntu/dists/trusty-
security/Release.gpg Unable to connect to archive.ubuntu.com:http:
W: Some index files failed to download. They have been ignored, or old ones used instead.
')
2016-01-05 12:41:27,861 WARNING [MainThread] Couldn't download hash=>id database: Error 7: Failed to connect to landscape.canonical.com port 443: Connection refused
2016-01-05 12:41:28,012 DEBUG [MainThread] Started firing stop.
2016-01-05 12:41:28,012 DEBUG [MainThread] Finished firing stop.
Broker exchanges work just fine, as do the client pings.
One has to be careful when trying to reproduce this bug, as there are
many ways the environment values can leak into the process and
invalidate the test.
For example, if you have the http_proxy and https_proxy variables in
root's environment, and restart the client, it will inherit those, and
invalidate the test.
Or let's say you have them in ubuntu's environment, and use sudo to
restart the client. They won't be propagated to the daemon by default
unless -E is used, and/or the proxy variables are whitelisted in
/etc/sudoers.
To manage notifications about this bug go to:
https://bugs.launchpad.net/landscape-client/+bug/1531150/+subscriptions
