group.of.nepali.translators team mailing list archive

[Bug 2059952] Re: pro sometimes runs before cloud-config.service

 

This bug was fixed in the package ubuntu-advantage-tools - 31.2.3~23.10

---------------
ubuntu-advantage-tools (31.2.3~23.10) mantic; urgency=medium

  * Backport new upstream release to mantic (LP: #2059952)

ubuntu-advantage-tools (31.2.3) noble; urgency=medium

  * daemon: wait for cloud-init.service to fully activate (LP: #2059952)

 -- Lucas Moura <lucas.moura@xxxxxxxxxxxxx>  Fri, 05 Apr 2024 10:09:10 -0300

** Changed in: ubuntu-advantage-tools (Ubuntu Mantic)
       Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/2059952

Title:
  pro sometimes runs before cloud-config.service

Status in ubuntu-advantage-tools package in Ubuntu:
  Fix Released
Status in ubuntu-advantage-tools source package in Xenial:
  Invalid
Status in ubuntu-advantage-tools source package in Bionic:
  Fix Released
Status in ubuntu-advantage-tools source package in Focal:
  Fix Released
Status in ubuntu-advantage-tools source package in Jammy:
  Fix Released
Status in ubuntu-advantage-tools source package in Mantic:
  Fix Released

Bug description:
  [ Impact ]
  Currently, the Pro client supports a daemon named ubuntu-advantage.service that
  performs two actions:

  * Actively look for Pro licenses on Azure and GCP images to perform an auto-attach
  * Retry auto-attach on Pro images if that command fails on boot

  Therefore, this daemon is only being activated on generic Azure and
  GCP images and all Pro cloud images.

  This daemon was originally set up to run after the cloud-config.service. However,
  due to a race condition, this is no longer happening. Right now, we manually
  check in the daemon code to see if the cloud-config service has finished.

  Unfortunately, this new logic now breaks the current Pro setup through
  cloud-init userdata in both GCP and Azure Pro cloud images. That is
  because our daemon is now running before cloud-init has even started
  running. This means that the daemon will perform the attach and not
  cloud-init itself. This will be clearer in the following example:

  Let's imagine this situation where a user is launching a Pro GCP
  image:

  1) User provides the following cloud-init userdata to the cloud image
  before booting it:

  #cloud-config

  ubuntu_advantage:
    enable: []

  This means that the user wants no services to be enabled, but still
  wants to attach to the Pro license.

  2) Our daemon starts running before cloud-config.service has even started
  3) Our daemon sees the cloud-config.service as inactive and proceeds normally
  4) Our daemon identifies that the user is running on a GCP instance and there is a valid Pro license for it.
  5) Due to that, our daemon auto-attaches the machine, completely ignoring the cloud-init directives.

  Therefore, to fix that issue we need to guarantee that we will
  execute the daemon if, and only if, cloud-init has already started.
  That is because, in this situation, the cloud-config.service will
  already perform the attach operation following the user directives.
  When the daemon starts running, it will see that the image is already
  attached and do nothing.

  Finally, given this scenario, this bug is only affecting GCP/Azure Pro
  images, as these are the only ones that will be able to reach the flow
  described here.

  [Discussion]

  To address that issue, we are now also checking if the cloud-init service
  has already started if we detect that cloud-config service is inactive. If
  it isn't, the daemon will sleep for a specific amount of time before trying
  again.

  [ Test Plan ]
  Since this is a first boot issue, we will need to create a custom image with the package in proposed. Then, we need to guarantee that Pro configuration delivered
  through cloud-init is being honored when we launch the image.

  Additionally, it is worth noting that we cannot reproduce this issue
  on a VM easily. That is because we would need to "mock" the VM to pass
  as one of the affected clouds and also add a valid Pro license to it.

  Build image that pulls pro from -proposed but otherwise follows the
  standard pro image build hook. Upload and register the image with the
  cloud for testing.

  #Set cloud-init userdata that disables all pro services
  $ cat userdata.yaml
  #cloud-config

  ubuntu_advantage:
    enable: []

  #Instantiate VM (GCP)
  $ gcloud compute instances create pro-order-bug-mantic --image [IMAGE_NAME] --image-project ubuntu-catred --metadata-from-file=user-data=userdata.yaml --zone us-central1-a

  #Instantiate VM (Azure)
  [TODO]

  #On VM, validate version of pro and bugfix (services disabled, no cloud-init warnings in log)
  $ apt-cache policy ubuntu-pro-client
  ubuntu-pro-client:
    Installed: 31.2.3~[RELEASE]
    Candidate: 31.2.3~[RELEASE]

  $ cat /var/log/cloud-init.log | grep 'WARNING'

  $ pro status
  SERVICE          AVAILABLE  DESCRIPTION
  anbox-cloud      yes        Scalable Android in the cloud
  esm-apps         yes        Expanded Security Maintenance for Applications
  esm-infra        yes        Expanded Security Maintenance for Infrastructure
  landscape        yes        Management and administration tool for Ubuntu
  livepatch        yes        Current kernel is not supported

  For a list of all Ubuntu Pro services, run 'pro status --all'

  This machine is not attached to an Ubuntu Pro subscription.
  See https://ubuntu.com/pro

  Supported livepatch kernels are listed here:
  https://ubuntu.com/security/livepatch/docs/kernels

  
  If the bug is still present, there will be a WARNING in the cloud-init log and pro status will return something similar to:
  SERVICE          ENTITLED  STATUS       DESCRIPTION
  anbox-cloud      yes       disabled     Scalable Android in the cloud
  esm-apps         yes       enabled      Expanded Security Maintenance for Applications
  esm-infra        yes       enabled      Expanded Security Maintenance for Infrastructure
  fips-preview     yes       disabled     Preview of FIPS crypto packages undergoing certification with NIST
  fips-updates     yes       disabled     FIPS compliant crypto packages with stable security updates
  livepatch        yes       enabled      Canonical Livepatch service
  usg              yes       disabled     Security compliance and audit tools

  For a list of all Ubuntu Pro services, run 'pro status --all'
  Enable services with: pro enable <service>

                  Account: ubuntu-catred
             Subscription: ubuntu-catred
              Valid until: Fri Dec 31 00:00:00 9999 UTC
  Technical support level: essential


  [ Where problems could occur ]
  We are updating the cloud-init wait logic on the daemon. This could potentially cause our daemon to not start. However, since we are just now waiting on the base cloud-init.service to start and we have already tested this solution in a custom image, we believe this is a low risk for this fix.

  [ Original Description ]
  We have recently updated the Pro to not strictly run after cloud-config.service. If cloud-config.service has not been started when pro runs, it can complete before cloud-config.service begins and thus the user-specified pro configuration will be ignored since the instance is already attached.

  When cloud-config.service has yet to run, ubuntu-advantage.service
  should wait until it's finished before running.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ubuntu-advantage-tools/+bug/2059952/+subscriptions
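
The wait logic described under [Discussion], shown beside the pre-fix check and replayed against a constructed boot sequence. This is an added example, not the ubuntu-advantage-tools code: the function names, the poll interval and the retry cap are assumptions, and replay()/BOOT are constructed test data.

```python
import subprocess
import time

CLOUD_INIT = "cloud-init.service"
CLOUD_CONFIG = "cloud-config.service"

def systemd_active_state(unit):
    """Return the unit's systemd ActiveState, e.g. 'inactive', 'activating', 'active'."""
    proc = subprocess.run(["systemctl", "show", "--property=ActiveState", unit],
                          capture_output=True, text=True, check=False)
    return proc.stdout.strip().partition("=")[2] or "unknown"

def ready_before_fix(get_state):
    # Pre-fix check as the report describes it: only cloud-config.service is
    # consulted, so "not started yet" is indistinguishable from "finished".
    return get_state(CLOUD_CONFIG) != "activating"

def ready_after_fix(get_state):
    config = get_state(CLOUD_CONFIG)
    if config == "activating":
        return False                      # cloud-config is still applying userdata
    if config == "inactive":
        # The fix: an inactive cloud-config only counts once cloud-init.service
        # has fully activated; otherwise boot has not reached it yet.
        return get_state(CLOUD_INIT) == "active"
    return True

def wait_until_ready(ready, get_state=systemd_active_state, sleep=time.sleep,
                     interval=5.0, max_polls=120):
    """Poll until ready(get_state) holds. Returns the number of sleeps taken, or
    None when max_polls is exhausted (interval/max_polls are assumed values)."""
    for polls in range(max_polls):
        if ready(get_state):
            return polls
        sleep(interval)
    return None

def replay(timeline):
    """Constructed test double: every sleep advances one step of a fake boot."""
    step = [0]
    get_state = lambda unit: timeline[min(step[0], len(timeline) - 1)][unit]
    def sleep(_seconds):
        step[0] += 1
    return get_state, sleep

# Constructed boot sequence for a Pro image launched with cloud-init userdata.
BOOT = [{CLOUD_INIT: i, CLOUD_CONFIG: c} for i, c in [
    ("inactive", "inactive"), ("activating", "inactive"),
    ("active", "activating"), ("active", "active")]]
```

Replayed over BOOT, ready_before_fix lets the daemon proceed on the very first poll, while ready_after_fix holds it back until cloud-config.service has finished.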