← Back to team overview

group.of.nepali.translators team mailing list archive

[Bug 1531150] Re: package-reporter doesn't get proxy settings from client.conf

 

This bug was fixed in the package landscape-client -
16.03-0ubuntu2.16.04.2

---------------
landscape-client (16.03-0ubuntu2.16.04.2) xenial; urgency=medium

  [ Simon Poirier ]
  * Add proxy handling to package reporter. (LP: #1531150)
  * Fix regression in configuration hook under install-cd chroot (LP: #1699789)
  * Report autoremovable packages (LP: #1208393)
  * No not re-register client by default (LP: #1618483)

 -- Andreas Hasenack <andreas@xxxxxxxxxxxxx>  Fri, 10 Nov 2017 16:09:30
-0200

** Changed in: landscape-client (Ubuntu Trusty)
       Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1531150

Title:
  package-reporter doesn't get proxy settings from client.conf

Status in Landscape Client:
  Fix Released
Status in landscape-client package in Ubuntu:
  Fix Released
Status in landscape-client source package in Trusty:
  Fix Released
Status in landscape-client source package in Xenial:
  Fix Released
Status in landscape-client source package in Zesty:
  Fix Released
Status in landscape-client source package in Artful:
  Fix Released

Bug description:
  [Impact]

  The package reporter is not getting the proxy settings set in
  /etc/landscape/client.conf. As a result, fetching hash-id-database
  file and running the SUID root /usr/lib/landscape/apt-update helper
  fail. Even though the binary it calls in turn fails (apt-get itself),
  the exit code is 0. It's only seen in the logs if using debug mode.

  [Test Case]
  Here we want to block direct access from a client to landscape.canonical.com and the ubuntu archive, forcing it to use a proxy we will setup. That's how we will determine that the bug is fixed.

  DO NOT set proxy environment variables, as these will be picked up by
  the client when it's restarted and give a false good test result. We
  want to be sure the values are being grabbed from the config file, and
  not the environment.

  DO NOT set proxy values in /etc/environment.

  * Create an ubuntu container or VM, take note of its IP address, and
  install the proposed landscape-client package on it.

  sudo apt install landscape-client

  Also make sure dnsutils is installed:
  sudo apt install dnsutils

  * Enable debugging on the client. Edit /etc/landscape/client.conf and make sure this line is there:
  log_level = debug

  * Block direct access to landscape.canonical.com:
  for ip in $(dig +short landscape.canonical.com); do sudo iptables -A OUTPUT -d $ip -j REJECT; done

  Do the same for your ubuntu archive or whatever mirror you are using (note: this won't work if you have ipv6 enabled):
  for ip in $(dig +short archive.ubuntu.com; do sudo iptables -A OUTPUT -d $ip -j REJECT; done

  * Confirm that this access is indeed blocked:
  $ telnet landscape.canonical.com 80
  Trying 91.189.90.173...
  Trying 91.189.89.90...
  telnet: Unable to connect to remote host: Connection refused
  $ telnet landscape.canonical.com 443
  Trying 91.189.89.90...
  Trying 91.189.90.173...
  telnet: Unable to connect to remote host: Connection refused

  * Verify that apt-get update is blocked for the archive (your ips might differ, here I'm using a mirror):
  $ sudo apt update
  (...)
  Err:2 http://br.archive.ubuntu.com/ubuntu xenial InRelease
    Cannot initiate the connection to br.archive.ubuntu.com:80 (2801:82:80ff:8000::5). - connect (101: Network is unreachable) [IP: 2801:82:80ff:8000::5 80]

  * In a xenial container, install the squid proxy server:
  sudo apt install squid3

  * Take note of the IP of this container

  * Edit /etc/squid/squid.conf and make these changes:
  - locate the "#acl localnet src" block of lines and add one for the network where the landscape-client container you created before has an IP. For example:
  acl localnet src 10.0.0.0/8
  - locate the "#http_access allow localnet" line and remove the comment:
  http_access allow localnet

  * Restart squid:
  sudo service squid restart

  * Keep tailing the squid access logs:
  sudo tail -f /var/log/squid/access.log

  * Go back to the landscape-client container

  * Verify that the proxy is allowing your connections, and that without the proxy it fails:
  ubuntu@xenial-client-sru:~$ http_proxy=http://xenial-proxy.lxd:3128/ curl http://landscape.canonical.com/ping ;echo
  ds5:errors19:provide insecure_id;
  ubuntu@xenial-client-sru:~$ curl http://landscape.canonical.com/ping ;echo
  curl: (7) Failed to connect to landscape.canonical.com port 80: Connection refused

  * Same for https:
  ubuntu@xenial-client-sru:~$ https_proxy=http://xenial-proxy.lxd:3128 curl https://landscape.canonical.com/message-system;echo
  Landscape message server
  ubuntu@xenial-client-sru:~$ curl https://landscape.canonical.com/message-system;echo
  curl: (7) Failed to connect to landscape.canonical.com port 443: Connection refused

  * in a terminal, tail the (still non existing) package-reporter logs:
  sudo tail -F /var/log/landscape/package-reporter.log

  * in another terminal, tail the (still non existing) broker log:
  sudo tail -F /var/log/landscape/broker.log

  * register the client with a landscape server. In this example we are
  going to use landscape.canonical.com and the proxy we just configured
  (replace <proxy> with the IP of the squid container we created above):

  sudo landscape-config -a <youraccount> -u
  https://landscape.canonical.com/message-system --ping-url
  http://landscape.canonical.com/ping -t sru-proxy-test --silent --http-
  proxy=http://<proxy>:3128/ --https-proxy=http://<proxy>:3128/ --apt-
  update-interval=300

  * the proxy access logs should show some activity already:
  1511531199.415   1230 127.0.0.1 TCP_TUNNEL/200 4474 CONNECT landscape.canonical.com:443 - HIER_DIRECT/91.189.89.90 -
  1511531229.909    485 127.0.0.1 TCP_MISS/200 357 POST http://landscape.canonical.com/ping - HIER_DIRECT/91.189.89.90 text/html

  That's the registration request (port 443) and the ping (port 80)

  * go to landscape.canonical.com, login and accept the new pending
  computer we just created

  * monitor package-reporter.log. At some point it should log that it downloaded the hash-id-database:
  2017-11-24 14:31:24,203 INFO     [MainThread] Downloaded hash=>id database from https://landscape.canonical.com/hash-id-databases/af6f2dcf-1967-11de-8dd0-001a4b4d8d10_xenial_amd64

  Since this is via https, it will be hard to match it to a proxy access
  log, but since we blocked direct access to landscape, we know this
  download happened via the proxy. That's one bug fix confirmed.

  * also in package-reporter.log, keep an eye out for the apt run. Something like this indicates it worked:
  2017-11-24 14:35:17,736 DEBUG    [MainThread] '/usr/lib/landscape/apt-update' exited with status 0 (out='Hit:1 http://br.archive.ubuntu.com/ubuntu xenial InRelease
  Hit:2 http://br.archive.ubuntu.com/ubuntu xenial-updates InRelease
  Hit:3 http://br.archive.ubuntu.com/ubuntu xenial-backports InRelease
  Hit:4 http://br.archive.ubuntu.com/ubuntu xenial-security InRelease
  Reading package lists...
  ', err='')
  i.e., no error reported

  There should also be matching entries in the proxy access logs:
  1511534116.438     27 10.0.100.95 TCP_MISS/304 251 GET http://br.archive.ubuntu.com/ubuntu/dists/xenial/InRelease - HIER_DIRECT/200.236.31.4 -
  1511534116.442      3 10.0.100.95 TCP_MISS/304 251 GET http://br.archive.ubuntu.com/ubuntu/dists/xenial-updates/InRelease - HIER_DIRECT/200.236.31.4 -
  1511534116.445      3 10.0.100.95 TCP_MISS/304 251 GET http://br.archive.ubuntu.com/ubuntu/dists/xenial-backports/InRelease - HIER_DIRECT/200.236.31.4 -
  1511534116.449      3 10.0.100.95 TCP_MISS/304 251 GET http://br.archive.ubuntu.com/ubuntu/dists/xenial-security/InRelease - HIER_DIRECT/200.236.31.4 -

  That confirms that apt-update was given the proxy information by
  landscape from the package-reporter, and confirms that the package-
  reporter got the proxy information.

  These two verifications (hash-id download, and apt update run) confirm
  this bug is fixed.

  [Regression Potential]
  Regressions in this area will basically prevent the client from fetching package information from the ubuntu archive and whatever other repositories are configured. This situation would be obvious enough by checking the lack of updates available for the registered computers, which is the problem this patch is fixing. What's important is that communication with the server would remain unaffected.

  Should a major regression creep in, something that prevents the client
  from communicating with the server, then the server would eventually
  issue a "computer offline" alert and the admin would have to
  investigate. What could be troublesome is if the only means of
  accessing the computer is via landscape. This should be rare, as ssh
  usage is widespread.

  [Other Info]

  * Upstream revision:
  http://bazaar.launchpad.net/~landscape/landscape-client/trunk/revision/919

  This PPA has test packages built from the attached branches, using a ~ppaN suffix:
  https://launchpad.net/~ahasenack/+archive/ubuntu/lsclient-sru-1721383

  --- Original description ---

  The package reporter is not getting the proxy settings set in
  /etc/landscape/client.conf. It will honor the environment variables if
  they are somehow set when landscape-client is started, but not if the
  values are just defined in that configuration file.

  As a result, the following fails:
  - fetching hash-id-database file
  - running the SUID root /usr/lib/landscape/apt-update helper. Even though the binary it calls in turn fails (apt-get itself), the exit code is 0. It's only seen in the logs if using debug mode.

  Logs from a run on a test system which is prohibited from accessing the internet directly, but does have the proxy settings in client.conf:
  2016-01-05 12:41:25,678 DEBUG    [MainThread] '/usr/lib/landscape/apt-update' exited with status 0 (out='Err http://archive.ubuntu.com trusty InRelease

  Err http://archive.ubuntu.com trusty-updates InRelease

  Err http://archive.ubuntu.com trusty-security InRelease

  Err http://archive.ubuntu.com trusty Release.gpg
    Unable to connect to archive.ubuntu.com:http:
  Err http://archive.ubuntu.com trusty-updates Release.gpg
    Unable to connect to archive.ubuntu.com:http:
  Err http://archive.ubuntu.com trusty-security Release.gpg
    Unable to connect to archive.ubuntu.com:http:
  Reading package lists...
  ', err='W: Failed to fetch http://archive.ubuntu.com//ubuntu/dists/trusty/InRelease

  W: Failed to fetch http://archive.ubuntu.com//ubuntu/dists/trusty-
  updates/InRelease

  W: Failed to fetch http://archive.ubuntu.com//ubuntu/dists/trusty-
  security/InRelease

  W: Failed to fetch
  http://archive.ubuntu.com//ubuntu/dists/trusty/Release.gpg  Unable to
  connect to archive.ubuntu.com:http:

  W: Failed to fetch http://archive.ubuntu.com//ubuntu/dists/trusty-
  updates/Release.gpg  Unable to connect to archive.ubuntu.com:http:

  W: Failed to fetch http://archive.ubuntu.com//ubuntu/dists/trusty-
  security/Release.gpg  Unable to connect to archive.ubuntu.com:http:

  W: Some index files failed to download. They have been ignored, or old ones used instead.
  ')
  2016-01-05 12:41:27,861 WARNING  [MainThread] Couldn't download hash=>id database: Error 7: Failed to connect to landscape.canonical.com port 443: Connection refused
  2016-01-05 12:41:28,012 DEBUG    [MainThread] Started firing stop.
  2016-01-05 12:41:28,012 DEBUG    [MainThread] Finished firing stop.

  Broker exchanges work just fine, as do the client pings.

  One has to be careful when trying to reproduce this bug, as there are
  many ways the environment values can leak into the process and
  invalidate the test.

  For example, if you have the http_proxy and https_proxy variables in
  root's environment, and restart the client, it will inherit those, and
  invalidate the test.

  Or let's say you have them in ubuntu's environment, and use sudo to
  restart the client. They won't be propagated to the daemon by default
  unless -E is used, and/or the proxy variables are whitelisted in
  /etc/sudoers.

To manage notifications about this bug go to:
https://bugs.launchpad.net/landscape-client/+bug/1531150/+subscriptions