
group.of.nepali.translators team mailing list archive

[Bug 2057937] Re: apt-news.service reporting errors after ubuntu-pro-client install


This bug was fixed in the package ubuntu-advantage-tools - 31.2.2~16.04

---------------
ubuntu-advantage-tools (31.2.2~16.04) xenial; urgency=medium

  * version.py: match version from d/changelog (LP: #2058934)

ubuntu-advantage-tools (31.2.1~16.04) xenial; urgency=medium

  * apt-news.service: ignore apparmor errors when starting (LP: #2057937)

 -- Andreas Hasenack <andreas@xxxxxxxxxxxxx>  Mon, 25 Mar 2024 11:29:56 -0300

** Changed in: ubuntu-advantage-tools (Ubuntu Bionic)
       Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/2057937

Title:
  apt-news.service reporting errors after ubuntu-pro-client install

Status in ubuntu-advantage-tools package in Ubuntu:
  Fix Released
Status in ubuntu-advantage-tools source package in Xenial:
  Fix Released
Status in ubuntu-advantage-tools source package in Bionic:
  Fix Released
Status in ubuntu-advantage-tools source package in Focal:
  Fix Released
Status in ubuntu-advantage-tools source package in Jammy:
  Fix Released
Status in ubuntu-advantage-tools source package in Mantic:
  Fix Released
Status in ubuntu-advantage-tools source package in Noble:
  Fix Released

Bug description:
  [ Impact ]

  src:ubuntu-advantage-tools version 31 introduced[1] an apparmor
  profile to the apt-news service. It's known that some ubuntu systems
  do not have apparmor enabled, and this was considered. The
  systemd.exec(5) manpage states that the AppArmorProfile setting has no
  effect if apparmor is disabled[2]. This was tested and verified.

  Turns out, however, that apparmor can be enabled on a system, but
  without the apparmor package installed. When this package is not
  installed, no profiles are loaded. Crucially, the ubuntu_pro_apt_news
  profile, used by apt-news.service, is not loaded.

  This situation is different from "apparmor is disabled": systemd will
  still try to launch apt-news confined by ubuntu_pro_apt_news, but since
  that profile is not loaded into the kernel, the service will fail.

  apt-news.service is called as an apt update hook, but its failure does
  not fail apt, since it's guarded[3] by "|| true", i.e., failures in
  the hook are ignored. The only impact is that apt news won't be
  fetched.

  [ Test Plan ]

  The test plan will be in two parts. One to confirm the apt-news
  service won't fail to start if the apparmor profile is not available
  (it's what triggered this bug). The second part is to confirm that in
  the "good case", with apparmor available on the system, the
  confinement is still applied.

  a) To reproduce the problem, launch an ubuntu lxd container, or a VM,
  and:

  # install ubuntu-advantage-tools 31 or later. It's in updates right
  now, so just make sure the system is updated:

  sudo apt update && sudo apt install ubuntu-advantage-tools -y

  # verify it's version 31 or higher:

  $ dpkg -l ubuntu-advantage-tools | grep ubuntu-advantage-tools
  ii  ubuntu-advantage-tools 31.2~22.04   all          transitional dummy package for ubuntu-pro-client

  # remove (not purge) apparmor:

  sudo apt remove apparmor -y

  # reboot

  sudo reboot

  # start apt-news.service, and verify it fails:

  $ sudo systemctl start apt-news.service
  Job for apt-news.service failed because the control process exited with error code.
  See "systemctl status apt-news.service" and "journalctl -xeu apt-news.service" for details.

  # The log will show it's because it couldn't confine the service with
  the ubuntu_pro_apt_news profile:

  $ systemctl status apt-news.service
  × apt-news.service - Update APT News
       Loaded: loaded (/lib/systemd/system/apt-news.service; static)
       Active: failed (Result: exit-code) since Mon 2024-03-18 20:35:41 UTC; 35s ago
      Process: 263 ExecStart=/usr/bin/python3 /usr/lib/ubuntu-advantage/apt_news.py (code=exited, status=231/APPARMOR)
     Main PID: 263 (code=exited, status=231/APPARMOR)
          CPU: 7ms

  Mar 18 20:35:41 j systemd[1]: Starting Update APT News...
  Mar 18 20:35:41 j systemd[263]: apt-news.service: Failed to prepare AppArmor profile change to ubuntu_pro_apt_news: No such file or directory
  Mar 18 20:35:41 j systemd[263]: apt-news.service: Failed at step APPARMOR spawning /usr/bin/python3: No such file or directory
  Mar 18 20:35:41 j systemd[1]: apt-news.service: Main process exited, code=exited, status=231/APPARMOR
  Mar 18 20:35:41 j systemd[1]: apt-news.service: Failed with result 'exit-code'.
  Mar 18 20:35:41 j systemd[1]: Failed to start Update APT News.

  With the fixed package, the service will not fail to start.

  b) Continuing from the test plan above, we will now confirm that, if
  apparmor is installed, the apt-news service runs confined.

  * Install apparmor back again and reboot:

  $ sudo apt install apparmor -y
  $ sudo reboot

  * Confirm the apt-news profile is loaded and in enforce mode:

  $ sudo grep ubuntu_pro_apt_news /sys/kernel/security/apparmor/profiles
  ubuntu_pro_apt_news (enforce)

  * Start apt-news, and confirm it doesn't fail:

  $ sudo systemctl start apt-news.service ; echo $?
  0

  To really confirm that the profile is being applied, and not just
  ignored, we have to hack the service unit file. Replace ExecStart with
  a sleep command in /lib/systemd/system/apt-news.service like below:

  [Service]
  Type=oneshot
  ExecStart=/usr/bin/python3 -c "import time; time.sleep(500)"

  Then run:

  $ sudo systemctl daemon-reload

  Start the service again in one terminal (it will hang):

  $ sudo systemctl start apt-news.service

  In another terminal, list the process and its confinement status:

  $ ps auxwZ|grep time\\.sleep
  ubuntu_pro_apt_news (enforce)   root         553  0.0  0.0  17224  8576 ?        Ss   13:54   0:00 /usr/bin/python3 -c import time;time.sleep(3600)

  The first column will show the apparmor profile being enforced on the
  process.

  [ Where problems could occur ]

  Note that most ubuntu packages use apparmor in an opportunistic way.
  If there is a profile, and its name matches the executable's path,
  then it will be applied. Otherwise, the executable runs unconfined.
  With the change in this SRU, that's essentially what we are doing with
  apt-news.service.

  The fix is essentially ignoring errors when loading the specified
  apparmor profile, leaving the service unconfined in the case of an
  error like this, which is exactly how it was prior to the version 31
  update. If the profile is loaded in the kernel, it will be applied as
  designed.

  Since we are now ignoring errors, here are some scenarios where things
  could go wrong:

  a) the user decided they don't like apparmor, and removed the apparmor
  package. That's the scenario that triggered this bug. In that case,
  it's a decision the user made, and apt-news.service will run
  unconfined.

  b) the user made a change to the installed apparmor profile in
  /etc/apparmor.d/ubuntu_pro_apt_news, and that change has a syntax
  error.

  The error will only be noticed when that profile is loaded into the
  kernel. Then we have the following possible outcomes:

  b1) The user, right after making the change, invokes apparmor_parser
  to actually apply it and load the modified profile into the kernel.
  The tool will flag the error, and not load the changed profile. The
  previous profile will remain loaded, and apt-news will remain confined
  by it.

  b2) The user forgets to run apparmor_parser, and eventually reboots.
  Upon reboot, that profile specifically will fail to load (all the
  others will load), and when apt-news is started, there will be no
  ubuntu_pro_apt_news profile to attach to. With this new "-" flag, that
  will not be an error, and the service will run unconfined.

  b3) Instead of rebooting or running apparmor_parser, the user invokes
  "systemctl restart apparmor". From my testing, that will also flag the
  syntax error, and not unload the already-loaded profile, so this is
  similar to (b1).

  b4) We (Ubuntu) might make a mistake in the profile, and introduce a
  syntax error that will make it fail to load. To guard against that,
  the package build runs a syntax check on the generated profile. But
  it's still possible it would pass that check, but fail to load in the
  actual kernel that is running on the system.
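  The two facts this bug turns on, an AppArmorProfile= name that is not
  loaded in the kernel as opposed to apparmor being disabled outright, and
  the effect of the "-" prefix the fix adds, can be reasoned about without
  touching a live service. The Python below is an added example, not code
  from ubuntu-pro-client or systemd: it parses a unit fragment and a copy of
  the kernel's profile listing and predicts whether ExecStart runs confined,
  runs unconfined, or fails at step APPARMOR as in the log above, covering
  the [ Impact ] cases and scenarios (a) and (b2). The unit text and profile
  listings are constructed and simplified (the real apt-news.service carries
  more directives); the sysfs paths read by audit_unit() are the standard
  ones, and reading the profiles file normally requires root.

```python
"""Predict what systemd does with a unit's AppArmorProfile= setting.

Added example (not ubuntu-pro-client or systemd code). It models the three
cases discussed in this bug: AppArmor disabled (the setting has no effect),
AppArmor enabled but the named profile not loaded in the kernel (the unit
fails with status 231/APPARMOR unless the name is prefixed with "-"), and
the profile loaded (the process runs confined by it).
"""
import re
from pathlib import Path

# Constructed, simplified unit fragments: the pre-fix form and the fixed form
# with the "-" prefix that tells systemd to ignore profile-change errors.
UNIT_BEFORE = """[Service]
Type=oneshot
ExecStart=/usr/bin/python3 /usr/lib/ubuntu-advantage/apt_news.py
AppArmorProfile=ubuntu_pro_apt_news
"""
UNIT_AFTER = UNIT_BEFORE.replace("AppArmorProfile=", "AppArmorProfile=-")

# Constructed stand-ins for /sys/kernel/security/apparmor/profiles:
# one line per loaded profile, "<name> (<mode>)".
PROFILES_LOADED = """ubuntu_pro_apt_news (enforce)
/usr/sbin/tcpdump (enforce)
lsb_release (complain)
"""
PROFILES_NONE = ""  # apparmor package removed: LSM enabled, nothing loaded

STATUS_FAIL = "start fails (231/APPARMOR)"


def apparmor_profile_setting(unit_text):
    """Return (profile_name, ignore_errors) from the last AppArmorProfile=
    line in a unit, or (None, False) when the unit does not set one."""
    name, ignore = None, False
    for line in unit_text.splitlines():
        m = re.match(r"\s*AppArmorProfile=(.*)$", line)
        if m:
            value = m.group(1).strip()
            ignore = value.startswith("-")
            name = value.lstrip("-") or None
    return name, ignore


def loaded_profiles(profiles_text):
    """Parse the kernel profile listing into {name: mode}."""
    modes = {}
    for line in profiles_text.splitlines():
        m = re.match(r"(.+?) \((\w+)\)\s*$", line)
        if m:
            modes[m.group(1)] = m.group(2)
    return modes


def predict_start(unit_text, apparmor_enabled, profiles_text):
    """Outcome of ExecStart for this unit: 'confined (<mode>)',
    'unconfined', or STATUS_FAIL."""
    name, ignore = apparmor_profile_setting(unit_text)
    if name is None or not apparmor_enabled:
        return "unconfined"  # no profile requested, or the LSM is disabled
    modes = loaded_profiles(profiles_text)
    if name in modes:
        return f"confined ({modes[name]})"
    return "unconfined" if ignore else STATUS_FAIL


def audit_unit(unit_path):
    """Run the prediction against the live system (Linux with sysfs)."""
    try:
        enabled = Path("/sys/module/apparmor/parameters/enabled").read_text().strip() == "Y"
        profiles = Path("/sys/kernel/security/apparmor/profiles").read_text()
    except OSError:
        enabled, profiles = False, ""  # no apparmor sysfs: treat as disabled
    return predict_start(Path(unit_path).read_text(), enabled, profiles)


if __name__ == "__main__":
    cases = [
        ("pre-fix unit, apparmor removed ", UNIT_BEFORE, True, PROFILES_NONE),
        ("fixed unit,   apparmor removed ", UNIT_AFTER, True, PROFILES_NONE),
        ("fixed unit,   profile loaded   ", UNIT_AFTER, True, PROFILES_LOADED),
        ("pre-fix unit, apparmor disabled", UNIT_BEFORE, False, PROFILES_NONE),
    ]
    for label, unit, enabled, profiles in cases:
        print(f"{label}: {predict_start(unit, enabled, profiles)}")
```

  Running it prints the four outcomes side by side: only the pre-fix unit on
  an apparmor-enabled system with no loaded profile fails, which is the
  configuration produced by "apt remove apparmor" in test plan part (a).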

  
  [ Other Info ]

  Upstream issue:
  https://github.com/canonical/ubuntu-pro-client/issues/3002

  Fixed via:
  https://github.com/canonical/ubuntu-pro-client/pull/3003

  1. https://github.com/canonical/ubuntu-pro-client/pull/2794
  2. https://www.freedesktop.org/software/systemd/man/latest/systemd.exec.html#AppArmorProfile=
  3. https://git.launchpad.net/ubuntu/+source/ubuntu-advantage-tools/tree/apt-hook/20apt-esm-hook.conf#n2

  [ Original Description ]

  After ubuntu-pro-client was installed the following errors are being
  logged.

  Mar 14 09:00:11 edmonton systemd[1]: Starting Update APT News...
  Mar 14 09:00:11 edmonton systemd[2927302]: apt-news.service: Failed to prepare AppArmor profile change to ubuntu_pro_apt_news: No such file or directory
  Mar 14 09:00:11 edmonton systemd[2927302]: apt-news.service: Failed at step APPARMOR spawning /usr/bin/python3: No such file or directory

  The updates that started the problem:

  Start-Date: 2024-03-13  22:00:22
  Commandline: apt-get -y -o Dpkg::Options::=--force-confnew dist-upgrade
  Install: ubuntu-pro-client:amd64 (31.2~22.04, automatic)
  Upgrade: ubuntu-advantage-tools:amd64 (30~22.04, 31.2~22.04)
  End-Date: 2024-03-13  22:00:28

  This is happening on all servers where this update is installed.

  ProblemType: Bug
  DistroRelease: Ubuntu 22.04
  Package: ubuntu-pro-client 31.2~22.04
  ProcVersionSignature: Ubuntu 5.15.0-91.101-generic 5.15.131
  Uname: Linux 5.15.0-91-generic x86_64
  ApportVersion: 2.20.11-0ubuntu82.5
  Architecture: amd64
  CasperMD5CheckResult: unknown
  Date: Thu Mar 14 10:02:35 2024
  ProcEnviron:
   TERM=xterm-256color
   PATH=(custom, no user)
   LANG=en_US.UTF-8
   SHELL=/bin/bash
  RebootRequiredPkgs: Error: path contained symlinks.
  SourcePackage: ubuntu-advantage-tools
  UpgradeStatus: No upgrade log present (probably fresh install)
  apparmor_logs.txt:

  cloud-id.txt-error: Invalid command specified 'cloud-id'.
  livepatch-status.txt-error: Invalid command specified '/snap/bin/canonical-livepatch status'.
  uaclient.conf:
   contract_url: https://contracts.canonical.com
   log_level: debug
