pro client times out when setting an https_proxy that uses HTTPS itself

Bug #1999909 reported by David Torrey
24
This bug affects 2 people
Affects Status Importance Assigned to Milestone
ubuntu-advantage-tools (Ubuntu)
Fix Released
Wishlist
Unassigned
Xenial
Fix Released
Undecided
Unassigned
Bionic
Fix Released
Undecided
Unassigned
Focal
Fix Released
Undecided
Unassigned
Jammy
Fix Released
Undecided
Unassigned
Lunar
Fix Released
Undecided
Unassigned

Bug Description

[ Impact ]
User that use a TLS-in-TLS proxy are unable to properly use it in the Pro client since the network libraries we are using do not support that type of proxy configuration.

Therefore, users cannot properly attach and access many of the service the Pro client delivers.

[ Test Plan ]
We will verify that the Pro client now supports that type of proxy through an integration test that was created specifically for this issue. We will attach the test results of running this integration test here

[ Where problems could occur ]
We are using pycurl to add support for this type of proxy. We only make requests using this library if all of the following requirements are true:

    - The target url scheme is https
    - The target host is not in no_proxy
    - An https_proxy is configured either via pro's config or via environment
    - The https_proxy url scheme is https

Therefore, the only problems that can occur are that we either use pycurl for non TLS-in-TLS proxies or that we don't use it for valid TLS-in-TLS proxies. In the case where we use pycurl for non TLS-in-TLS proxies, it should not be a huge issue, as we expect pycurl to still handle the request appropriately. And we believe our checks are sufficient to avoid us not detecting a TLS-in-TLS proxy, so we consider this a minor risk

[ Original Description ]
When attempting to set an https_proxy where the proxy URL itself uses HTTPS, the process times out. Judging from strace() output, the client does not attempt to negotiate TLS, and instead sends plaintext HTTP to the proxy, which ignores it until the process times out.

Reproduction:

root@foobar:~# pro config set http_proxy=https://foo:<email address hidden>:443
Setting snap proxy
root@foobar:~# pro config set https_proxy=https://foo:<email address hidden>:443
... this hangs forever either interrupted]

$ pro config set https://user:<email address hidden>:443/
* times out and fails

Expected result:
* Configures a working proxy for subsequent pro client commands

Notes:
* was so far tested and reproduced with a proxy where TLS terminated on a network load balancer.
* a similar "curl -x {same-proxy-URI} {website}" works as expected.
* a similar "wget" with $ENV{https_proxy} set also times out.
* pro-client team has an example proxy URI with credentials that exhibits this behavior, but I'll try to come up with another reproducer for that end as well.

Versions:
ubuntu 22.04.1 LTS
ubuntu-advantage-tools 27.12~22.04.1

Thanks,
Dave
Canonical Support

David Torrey (dotj)
description: updated
Revision history for this message
John A. Fuqua (johnfuqua) wrote :

Please make this a high priority. This is tied to the purchase of a support subscription by the end of the year.

Revision history for this message
John A. Fuqua (johnfuqua) wrote :

Is it possible to get someone to look into this? Customer will not sign Order Form until they know this will work. 400 servers

Revision history for this message
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in ubuntu-advantage-tools (Ubuntu):
status: New → Confirmed
Revision history for this message
John A. Fuqua (johnfuqua) wrote :

bump

Revision history for this message
Hua Zhang (zhhuabj) wrote (last edit ):

We're hitting this upstream bug[1], it seems python modules(urllib, urllib3, requests) do not support to tunnel one TLS connection through another TLS connection.

and HTTP CONNECT was designed on HTTP, so not sure if HTTP CONNECT can work well over HTTPS as well.

One workaround is to use an HTTP proxy instead of HTTPS proxy, since HTTPS is encrypted end-to-end, the HTTPS traffic over HTTP TUNNEL is also secure.

[1] https://bugs.python.org/issue29610

Revision history for this message
Christian Ehrhardt  (paelzer) wrote :

Hi David,
Due to the shutdown phase this got no responses yet, sorry.
There will be more people looking after it later.

But until then as a start of the discussion the settings of proxies is done slightly different to what you've reported. As [1] shows, or better the recently improved proxy docs [2] that can be seen here already [3] - you need key=value to set config values.

In addition you said "times out and fails", but could you show what exactly happens?
You usually get meaningful error messages which might help in this case.
Either to clarify the problem or to identify a case that needs a better error message.
Example
$ sudo pro config set http_proxy=http://host:port
"http://host:port" is not a valid url. Not setting as proxy.
$ sudo pro config set http_proxy=http://foo.bar:3128
"http://foo.bar:3128" is not working. Not setting as proxy.

Using a working real proxy I was able to set this just fine for me, example:
$ sudo pro config set http_proxy=http://squid.internal:3128
Setting snap proxy
Setting Livepatch proxy
$ sudo pro config set https_proxy=https://squid.internal:3128
Setting snap proxy
Setting Livepatch proxy

So could you please retest this command as documented and shown here and then report back the full output and behavior.

P.S. Thanks Hua Zhang, I have indeed seen that problem in other cases (not related to pro) and it was a valid workaround there. Not sure yet if it is here, I want to understand the original problem better to conclude.

Setting to incomplete until details are clarified.

[1]: https://canonical-ubuntu-advantage-client.readthedocs-hosted.com/en/latest/howtoguides/configure_proxies.html
[2]: https://github.com/canonical/ubuntu-advantage-client/commit/508db0f80664cb9dca78d7ea63e5736c004dc67f
[3]: https://github.com/canonical/ubuntu-advantage-client/blob/main/docs/howtoguides/configure_proxies.md

Changed in ubuntu-advantage-tools (Ubuntu):
status: Confirmed → Incomplete
Revision history for this message
Christian Ehrhardt  (paelzer) wrote :

I've got access to the commands used and have got the answers I wanted, updating the description ...

description: updated
Changed in ubuntu-advantage-tools (Ubuntu):
status: Incomplete → Confirmed
Revision history for this message
Christian Ehrhardt  (paelzer) wrote :

Hi,
we'd like to gather some more info to properly prioritize this.
As far as it is analyzed by the team behind the pro tool - and gladly Hua Zhang came to the same conclusion in comment #5 - it is due to the python libs that do not support tls over tls-proxy.

From the experiments that we have done, we might be able to use urllib3 (and there is even some different between the package and pypi) instead of urllib, but even that only has that support back to Bionic. For Xenial (these tools are meant to work the same everywhere) there needs to be a different solution.
But then, we don't know all about the setup used - so mileage might vary.
AFAIU Hua Zhang he found none of the libs working for his setup.

Given that the solution seems messy and that there is a workaround provided we'd like to ask the if the workaround provided using an http proxy for https work for you?
If not, why not?
You said this is happening on a proxy where TLS terminated. So if you are terminating it there anyway at least some possible arguments against using http to connect to the proxy should be non-critical as well.

To re-state, for the example reported in the bug, that workaround would use:
  $ pro config set https_proxy=http://foo:<email address hidden>:443

And furthermore for testing, if you are using squid or something else in the Ubuntu Archive.
Would someone mind summarizing the configuration so this case can be reproduced outside of your environment?

Especially in terms of terminology I'd ask everyone to refer to a case described in [1] and use the terms used there. Use it for what you currently use as well as for what you want to achieve.
Only then we all really talk about the same thing.

Only then we can properly decide if:
1. That is an edge/unwanted use case or something very common and reasonable
2. Properly test whatever solution we ever come up with

Until then this can only be a whishlist item.

P.S. @Hua Zhang
1. I've heard that you had some success with curl [2] and derived from that pycurl.
I've checked and pycurl is in main at least. But again - considering back to xenial only at 7.43.0-1ubuntu1 - and being a wrapper around libcurl that also has isn't recent enough as curl itself is at 7.47.0-1ubuntu2 but it needs 7.52.
2. You have tested this, so do you happen to know what kind exactly the proxy is set up and maybe how it could be reproduced with in-archive components? If so we'd be happy if you could summarize that here.

[1]: https://wiki.squid-cache.org/Features/HTTPS.html
[2]: https://curl.se/libcurl/c/CURLOPT_PROXY.html

Changed in ubuntu-advantage-tools (Ubuntu):
status: Confirmed → Incomplete
status: Incomplete → Confirmed
importance: Undecided → Wishlist
Revision history for this message
Christian Ehrhardt  (paelzer) wrote :

Due to confusion that came up in chat, let me document some clarifications

What was tried:
  $ pro config set https_proxy=https://foo:<email address hidden>:443
What should be tried:
  $ pro config set https_proxy=http://foo:<email address hidden>:443
Mind the lack of "s" in the second case on the right side.

Furthermore this is already an uncommon setup.
Port 443 is https itself, a proxy usually resides on :3128.

And just to re-iterate - please try to answer all the questions I had and not just one of them.
Especially on the usual "does it work? why not?" do not just reply "no".
Have seen it too often, want to prevent it before it happens :-)

Revision history for this message
David Torrey (dotj) wrote :

Adding to the background, the customer has business and technical reasons for the use of an HTTPS-based proxy for HTTPS URLs:

1) All communication that we leverage needs to be encrypted, and secured in any meaningful way necessary. A plain HTTP proxy would expose target URLs and proxy credentials.

2) The proxy aggregates traffic from multiple customers of their products and services, avoiding the need for each customer to manage their own whitelists.

3) Attempting to address this by squid config is not possible, as the TLS termination here is on a load balancer in front of the squid proxy. Squid is unaware that the initial proxy connection used TLS.

For those reasons, the workaround of using a plain HTTP-based proxy is not possible, nor is direct use of HTTPS to target URLs.

Thanks,
Dave
Canonical Support

Revision history for this message
Hua Zhang (zhhuabj) wrote :
Download full text (3.2 KiB)

Hey @paelzer, reply to your comment #8

I created an HTTPS-based proxy for testing using the following methods.

openssl req -newkey rsa:4096 -x509 -sha256 -days 3650 -nodes -out ca.crt -keyout ca.key -subj "/C=CN/ST=BJ/O=STS/CN=CA"
DOMAIN=quqi.com
openssl genrsa -out $DOMAIN.key
openssl req -new -key $DOMAIN.key -out $DOMAIN.csr -subj "/C=CN/ST=BJ/O=STS/CN=$DOMAIN"
openssl x509 -req -in $DOMAIN.csr -out $DOMAIN.crt -sha256 -CA ca.crt -CAkey ca.key -CAcreateserial -days 3650

sudo apt-get install openssl libssl-dev ssl-cert squid-openssl -y

$ cat /etc/squid/squid.conf
#htpasswd -c /etc/squid/passwd quqi99
auth_param basic program /usr/lib/squid/basic_ncsa_auth /etc/squid/passwd
acl auth_user proxy_auth REQUIRED
http_access allow auth_user
http_access allow all
via off
forwarded_for delete
http_port 127.0.0.1:3128
https_port 127.0.0.1:3129 cert=/etc/squid/cert/quqi.com.crt key=/etc/squid/cert/quqi.com.key

Of course, the customer did not use squid to create an HTTPS-based proxy, they just used an HTTP-based proxy, but they have TLS terminated NLB in front of squid, so the traffic getting to the actual squid instance is unencrypted between the NLB and the ec2 instance. I don't spend time researching how NLB is set up, because whether it has NLB or not, it's an HTTPS-based proxy, so I just used squid for a quick HTTPS-based proxy testing env.

Then we can easily reproduce the problem with urllib, urllib3, requests, nodejs and java

1, urllib version - https://paste.ubuntu.com/p/WPkBKwKKVX/
2, urllib3 version - https://paste.ubuntu.com/p/Pjxq7h8pJ9/
   urllib3 version throws ProxySchemeUnsupported, ProxySchemeUnsupported means tls-over-tls is not supported.
3, requests version - https://paste.ubuntu.com/p/82zMNjdtz7/
   requests version throws ProxySchemeUnsupported as well, TLS in TLS requires support for the 'ssl' module
4, I also tried nodejs and java versions, they don't work, but I don't record test program

However, using curl always works, eg:

1, test http port 3128, it works

$ curl -x http://quqi99:password@127.0.0.1:3128 https://api.snapcraft.io
snapcraft.io store API service - Copyright 2018-2022 Canonical.

2, test https port 3129, it works as well

$ curl --resolve quqi.com:3129:127.0.0.1 --proxy-cacert /etc/squid/cert/ca.crt -x https://quqi99:<email address hidden>:3129 https://api.snapcraft.io
snapcraft.io store API service - Copyright 2018-2022 Canonical.

so then I tested pycurl, and it worked well as well - https://paste.ubuntu.com/p/j6TPBwSC69/

then I found an upstream bug[1]. Normally, the client will use HTTP CONNECT to set up HTTP TUNNEL between the client and proxy, then the proxy set up TCP TUNNEL between the proxy and target, and the tls/https traffic from the client to target will go through these two TUNNELS(HTTP TUNNEL + TCP TUNNEL). but now it seems all python modules(urllib, urllib3, requests) do not support to tunnel one tls/https connection through another tls/https connection. curl doesn't use the python SSL module, the SSL module it is using may support tls-over-tls feature so it works, and curl supports tls over tls since 7.52.0 according to the page - https://curl.se/libcurl/c/CURLOPT_PROXY.html

That's all my f...

Read more...

Revision history for this message
John A. Fuqua (johnfuqua) wrote :

So it looks like ssl.SSLContext.wrap_socket() in python is causing the issue?

Bug report: https://bugs.python.org/issue29394

Suggestion is to use: ssl.SSLContext.wrap_bio()

My be more than just changing out a method call. What do you guys think on fixing or possible workaround?

Revision history for this message
Hua Zhang (zhhuabj) wrote :

Hey @johnfuqua, I try bio version, it doesn't work as well.

I borrow a piece of a bio code from [2], here's my complete bio test code [1].

Although my bio test did not succeed, I still believe that's because python's wrap_socket doesn't support tls-over-tls, so the idea in my mind is:

1, need to bypass wrap_socket and implement another wrap method (eg: wrap_ssl_socket) with openssl to be able to wrap ssl_socket instead of non-ssl socket, this seems very difficult.

2, or use a third-party solution, eg: pycurl, I'm not sure whether more third-party python libraries have implemented tls-over-tls feature.

[1] https://paste.ubuntu.com/p/NTqWKWGphj/plain/
[2] https://raw.githubusercontent.com/python-trio/trio/master/notes-to-self/ssl-handshake/ssl-handshake.py

Revision history for this message
Christian Ehrhardt  (paelzer) wrote :

Hey, we think this is not a bug unless you consider it a bug in urllib.
For the pro client this is a feature request.

We are currently planning, evaluating options and outlining details to hopefully be able to commit to work on it next cycle (23.10), but this will take time so I wanted to make you aware.

If there are further insights or suggestions from SEG or Field we are happy to know and invited Hua, John and David to the specification of that feature.

Revision history for this message
Hua Zhang (zhhuabj) wrote :

I found this page [1], and it said tlslite-ng had implemented tls-over-tls feature, I tested it and it did work. So maybe we can use it in ubuntu-advantage-client for a combination of https proxy and https target.

$ python3 tlsliteclient.py
HTTP/1.0 200 Connection Established
HTTP/1.1 200 OK
server: gunicorn/20.0.4
date: Fri, 13 Jan 2023 07:28:59 GMT
content-type: text/html; charset=utf-8
content-length: 64
snap-store-version: 52
x-view-name: snapdevicegw.webapi.root
x-vcs-revision: bf69cb87
x-request-id: 0AAC4128E3420A8325F301BB63C1083B15A0F9BD

$ cat tlsliteclient.py
#!/usr/bin/env python
# coding=utf-8
import tlslite, ssl, socket
sock = tlslite.TLSConnection(socket.create_connection(('127.0.0.1', 7070)))
sock.handshakeClientCert()
sock.sendall(bytes('CONNECT api.snapcraft.io:443 HTTP/1.1\r\nHost: api.snapcraft.io:443\r\n\r\n', 'ascii'))
print(sock.recv(1024).decode());
conn = tlslite.TLSConnection(sock)
conn.handshakeClientCert()
conn.sendall(b'GET / HTTP/1.1\r\nHost: api.snapcraft.io\r\n\r\n')
print(conn.recv(1024).decode())

[1] https://github.com/urllib3/urllib3/pull/1121#issuecomment-281686973

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package ubuntu-advantage-tools - 29

---------------
ubuntu-advantage-tools (29) mantic; urgency=medium

  * d/control:
    - update links for the project github page
  * d/copyright:
    - bump date to 2023
    - update upstream-name and source
  * d/ubuntu-advantage-tools.{postinst,postrm}:
    - rename repo GPG keys from -advantage to -pro (GH: #1539)
    - replace calls to systemctl for deb-systemd-invoke
  * d/README.source:
    - add file with basic explanation on the source code (GH: #2463)
  * New upstream release 29 (LP: #2029144)
    - anbox-cloud: add support for service
    - api
      + new endpoint: u.pro.security.fix.plan.cve.v1
      + new endpoint: u.pro.security.fix.plan.usn.v1
      + new endpoint: u.apt_news.current_news.v1
      + add more data explaining the decision made for
        u.pro.security.status.reboot_required.v1 endpoint
    - contract:
      + send activityInfo after cli attach, enable and disable
      + start recording when the machine has attached to a Pro subscription
      + more reliable detection when running on a docker container
    - esm: create static files to pin packages from esm-infra and esm-apps with
      higher priority (GH: #2580)
    - fix: ignore non-USN items on related usns
    - landscape: add support for the service
    - logging: update to ubuntupro logging namespace
    - proxy: add support for TLS-in-TLS proxy (LP: #1999909)
    - snapd: look for the snapd package instead of the snap command
    - system: try/except logic to remove files and folders (LP: #2025731)

 -- Lucas Moura <email address hidden> Mon, 31 Jul 2023 15:46:23 +0000

Changed in ubuntu-advantage-tools (Ubuntu):
status: Confirmed → Fix Released
Revision history for this message
Robie Basak (racb) wrote : Please test proposed package

Hello David, or anyone else affected,

Accepted ubuntu-advantage-tools into lunar-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/ubuntu-advantage-tools/29.3~23.04 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-lunar to verification-done-lunar. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-lunar. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in ubuntu-advantage-tools (Ubuntu Lunar):
status: New → Fix Committed
tags: added: verification-needed verification-needed-lunar
Changed in ubuntu-advantage-tools (Ubuntu Jammy):
status: New → Fix Committed
tags: added: verification-needed-jammy
Revision history for this message
Robie Basak (racb) wrote :

Hello David, or anyone else affected,

Accepted ubuntu-advantage-tools into jammy-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/ubuntu-advantage-tools/29.3~22.04 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-jammy to verification-done-jammy. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-jammy. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in ubuntu-advantage-tools (Ubuntu Focal):
status: New → Fix Committed
tags: added: verification-needed-focal
Revision history for this message
Robie Basak (racb) wrote :

Hello David, or anyone else affected,

Accepted ubuntu-advantage-tools into focal-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/ubuntu-advantage-tools/29.3~20.04 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-focal to verification-done-focal. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-focal. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in ubuntu-advantage-tools (Ubuntu Bionic):
status: New → Fix Committed
tags: added: verification-needed-bionic
Revision history for this message
Robie Basak (racb) wrote :

Hello David, or anyone else affected,

Accepted ubuntu-advantage-tools into bionic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/ubuntu-advantage-tools/29.3~18.04 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-bionic to verification-done-bionic. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-bionic. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in ubuntu-advantage-tools (Ubuntu Xenial):
status: New → Fix Committed
tags: added: verification-needed-xenial
Revision history for this message
Robie Basak (racb) wrote :

Hello David, or anyone else affected,

Accepted ubuntu-advantage-tools into xenial-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/ubuntu-advantage-tools/29.3~16.04 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-xenial to verification-done-xenial. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-xenial. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Revision history for this message
Robie Basak (racb) wrote :

Hello David, or anyone else affected,

Accepted ubuntu-advantage-tools into lunar-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/ubuntu-advantage-tools/29.4~23.04 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-lunar to verification-done-lunar. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-lunar. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Revision history for this message
Robie Basak (racb) wrote :

Hello David, or anyone else affected,

Accepted ubuntu-advantage-tools into jammy-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/ubuntu-advantage-tools/29.4~22.04 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-jammy to verification-done-jammy. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-jammy. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Revision history for this message
Robie Basak (racb) wrote :

Hello David, or anyone else affected,

Accepted ubuntu-advantage-tools into focal-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/ubuntu-advantage-tools/29.4~20.04 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-focal to verification-done-focal. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-focal. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Revision history for this message
Robie Basak (racb) wrote :

Hello David, or anyone else affected,

Accepted ubuntu-advantage-tools into bionic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/ubuntu-advantage-tools/29.4~18.04 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-bionic to verification-done-bionic. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-bionic. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Revision history for this message
Robie Basak (racb) wrote :

Hello David, or anyone else affected,

Accepted ubuntu-advantage-tools into xenial-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/ubuntu-advantage-tools/29.4~16.04 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-xenial to verification-done-xenial. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-xenial. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

description: updated
Revision history for this message
Lucas Albuquerque Medeiros de Moura (lamoura) wrote :

We have run the full ubuntu-advantage-tools integration test suite against the version in -proposed. The results are attached (Please look for the "Support HTTPS-in-HTTPS proxies" test scenario).

You can verify the correct version was used by checking the output of the first test in each file, which prints the version number as well as the output of `apt-cache policy ubuntu-advantage-tools`.

I am marking the verification done for this SRU.

tags: added: verification-done verification-done-bionic verification-done-focal verification-done-jammy verification-done-lunar verification-done-xenial
removed: verification-needed verification-needed-bionic verification-needed-focal verification-needed-jammy verification-needed-lunar verification-needed-xenial
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package ubuntu-advantage-tools - 29.4~23.04

---------------
ubuntu-advantage-tools (29.4~23.04) lunar; urgency=medium

  * Backport new upstream release: (LP: #2029144) to lunar

ubuntu-advantage-tools (29.4) mantic; urgency=medium

  * esm: remove static config file that pin packages from esm-infra
    and esm-apps

ubuntu-advantage-tools (29.3) mantic; urgency=medium

  * api: fix circular import that prevents enabled_services
    endpoint from being imported

ubuntu-advantage-tools (29.2) mantic; urgency=medium

  * d/ubuntu-advantage-tools.postinst:
    - replace deb-systemd-invoke back to systemctl
  * proxy: alert user if ca-certificates is not installed when using
    a TLS-in-TLS proxy

ubuntu-advantage-tools (29.1) mantic; urgency=medium

  * anbox: allow enabling service on container using the --access-only flag

ubuntu-advantage-tools (29) mantic; urgency=medium

  * d/control:
    - update links for the project github page
  * d/copyright:
    - bump date to 2023
    - update upstream-name and source
  * d/ubuntu-advantage-tools.{postinst,postrm}:
    - rename repo GPG keys from -advantage to -pro (GH: #1539)
    - replace calls to systemctl for deb-systemd-invoke
  * d/README.source:
    - add file with basic explanation on the source code (GH: #2463)
  * New upstream release 29 (LP: #2029144)
    - anbox-cloud: add support for service
    - api
      + new endpoint: u.pro.security.fix.plan.cve.v1
      + new endpoint: u.pro.security.fix.plan.usn.v1
      + new endpoint: u.apt_news.current_news.v1
      + add more data explaining the decision made for
        u.pro.security.status.reboot_required.v1 endpoint
    - contract:
      + send activityInfo after cli attach, enable and disable
      + start recording when the machine has attached to a Pro subscription
      + more reliable detection when running on a docker container
    - esm: create static files to pin packages from esm-infra and esm-apps with
      higher priority (GH: #2580)
    - fix: ignore non-USN items on related usns
    - landscape: add support for the service
    - logging: update to ubuntupro logging namespace
    - proxy: add support for TLS-in-TLS proxy (LP: #1999909)
    - snapd: look for the snapd package instead of the snap command
    - system: try/except logic to remove files and folders (LP: #2025731)

 -- Lucas Moura <email address hidden> Mon, 11 Sep 2023 12:28:34 -0300

Changed in ubuntu-advantage-tools (Ubuntu Lunar):
status: Fix Committed → Fix Released
Revision history for this message
Robie Basak (racb) wrote : Update Released

The verification of the Stable Release Update for ubuntu-advantage-tools has completed successfully and the package is now being released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package ubuntu-advantage-tools - 29.4~22.04

---------------
ubuntu-advantage-tools (29.4~22.04) jammy; urgency=medium

  * Backport new upstream release: (LP: #2029144) to jammy

ubuntu-advantage-tools (29.4) mantic; urgency=medium

  * esm: remove static config file that pin packages from esm-infra
    and esm-apps

ubuntu-advantage-tools (29.3) mantic; urgency=medium

  * api: fix circular import that prevents enabled_services
    endpoint from being imported

ubuntu-advantage-tools (29.2) mantic; urgency=medium

  * d/ubuntu-advantage-tools.postinst:
    - replace deb-systemd-invoke back to systemctl
  * proxy: alert user if ca-certificates is not installed when using
    a TLS-in-TLS proxy

ubuntu-advantage-tools (29.1) mantic; urgency=medium

  * anbox: allow enabling service on container using the --access-only flag

ubuntu-advantage-tools (29) mantic; urgency=medium

  * d/control:
    - update links for the project github page
  * d/copyright:
    - bump date to 2023
    - update upstream-name and source
  * d/ubuntu-advantage-tools.{postinst,postrm}:
    - rename repo GPG keys from -advantage to -pro (GH: #1539)
    - replace calls to systemctl for deb-systemd-invoke
  * d/README.source:
    - add file with basic explanation on the source code (GH: #2463)
  * New upstream release 29 (LP: #2029144)
    - anbox-cloud: add support for service
    - api
      + new endpoint: u.pro.security.fix.plan.cve.v1
      + new endpoint: u.pro.security.fix.plan.usn.v1
      + new endpoint: u.apt_news.current_news.v1
      + add more data explaining the decision made for
        u.pro.security.status.reboot_required.v1 endpoint
    - contract:
      + send activityInfo after cli attach, enable and disable
      + start recording when the machine has attached to a Pro subscription
      + more reliable detection when running on a docker container
    - esm: create static files to pin packages from esm-infra and esm-apps with
      higher priority (GH: #2580)
    - fix: ignore non-USN items on related usns
    - landscape: add support for the service
    - logging: update to ubuntupro logging namespace
    - proxy: add support for TLS-in-TLS proxy (LP: #1999909)
    - snapd: look for the snapd package instead of the snap command
    - system: try/except logic to remove files and folders (LP: #2025731)

 -- Lucas Moura <email address hidden> Mon, 11 Sep 2023 12:28:29 -0300

Changed in ubuntu-advantage-tools (Ubuntu Jammy):
status: Fix Committed → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package ubuntu-advantage-tools - 29.4~20.04

---------------
ubuntu-advantage-tools (29.4~20.04) focal; urgency=medium

  * Backport new upstream release: (LP: #2029144) to focal

ubuntu-advantage-tools (29.4) mantic; urgency=medium

  * esm: remove static config file that pin packages from esm-infra
    and esm-apps

ubuntu-advantage-tools (29.3) mantic; urgency=medium

  * api: fix circular import that prevents enabled_services
    endpoint from being imported

ubuntu-advantage-tools (29.2) mantic; urgency=medium

  * d/ubuntu-advantage-tools.postinst:
    - replace deb-systemd-invoke back to systemctl
  * proxy: alert user if ca-certificates is not installed when using
    a TLS-in-TLS proxy

ubuntu-advantage-tools (29.1) mantic; urgency=medium

  * anbox: allow enabling service on container using the --access-only flag

ubuntu-advantage-tools (29) mantic; urgency=medium

  * d/control:
    - update links for the project github page
  * d/copyright:
    - bump date to 2023
    - update upstream-name and source
  * d/ubuntu-advantage-tools.{postinst,postrm}:
    - rename repo GPG keys from -advantage to -pro (GH: #1539)
    - replace calls to systemctl for deb-systemd-invoke
  * d/README.source:
    - add file with basic explanation on the source code (GH: #2463)
  * New upstream release 29 (LP: #2029144)
    - anbox-cloud: add support for service
    - api
      + new endpoint: u.pro.security.fix.plan.cve.v1
      + new endpoint: u.pro.security.fix.plan.usn.v1
      + new endpoint: u.apt_news.current_news.v1
      + add more data explaining the decision made for
        u.pro.security.status.reboot_required.v1 endpoint
    - contract:
      + send activityInfo after cli attach, enable and disable
      + start recording when the machine has attached to a Pro subscription
      + more reliable detection when running on a docker container
    - esm: create static files to pin packages from esm-infra and esm-apps with
      higher priority (GH: #2580)
    - fix: ignore non-USN items on related usns
    - landscape: add support for the service
    - logging: update to ubuntupro logging namespace
    - proxy: add support for TLS-in-TLS proxy (LP: #1999909)
    - snapd: look for the snapd package instead of the snap command
    - system: try/except logic to remove files and folders (LP: #2025731)

 -- Lucas Moura <email address hidden> Mon, 11 Sep 2023 12:28:24 -0300

Changed in ubuntu-advantage-tools (Ubuntu Focal):
status: Fix Committed → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package ubuntu-advantage-tools - 29.4~18.04

---------------
ubuntu-advantage-tools (29.4~18.04) bionic; urgency=medium

  * Backport new upstream release: (LP: #2029144) to bionic

ubuntu-advantage-tools (29.4) mantic; urgency=medium

  * esm: remove static config file that pin packages from esm-infra
    and esm-apps

ubuntu-advantage-tools (29.3) mantic; urgency=medium

  * api: fix circular import that prevents enabled_services
    endpoint from being imported

ubuntu-advantage-tools (29.2) mantic; urgency=medium

  * d/ubuntu-advantage-tools.postinst:
    - replace deb-systemd-invoke back to systemctl
  * proxy: alert user if ca-certificates is not installed when using
    a TLS-in-TLS proxy

ubuntu-advantage-tools (29.1) mantic; urgency=medium

  * anbox: allow enabling service on container using the --access-only flag

ubuntu-advantage-tools (29) mantic; urgency=medium

  * d/control:
    - update links for the project github page
  * d/copyright:
    - bump date to 2023
    - update upstream-name and source
  * d/ubuntu-advantage-tools.{postinst,postrm}:
    - rename repo GPG keys from -advantage to -pro (GH: #1539)
    - replace calls to systemctl for deb-systemd-invoke
  * d/README.source:
    - add file with basic explanation on the source code (GH: #2463)
  * New upstream release 29 (LP: #2029144)
    - anbox-cloud: add support for service
    - api
      + new endpoint: u.pro.security.fix.plan.cve.v1
      + new endpoint: u.pro.security.fix.plan.usn.v1
      + new endpoint: u.apt_news.current_news.v1
      + add more data explaining the decision made for
        u.pro.security.status.reboot_required.v1 endpoint
    - contract:
      + send activityInfo after cli attach, enable and disable
      + start recording when the machine has attached to a Pro subscription
      + more reliable detection when running on a docker container
    - esm: create static files to pin packages from esm-infra and esm-apps with
      higher priority (GH: #2580)
    - fix: ignore non-USN items on related usns
    - landscape: add support for the service
    - logging: update to ubuntupro logging namespace
    - proxy: add support for TLS-in-TLS proxy (LP: #1999909)
    - snapd: look for the snapd package instead of the snap command
    - system: try/except logic to remove files and folders (LP: #2025731)

 -- Lucas Moura <email address hidden> Mon, 11 Sep 2023 12:28:19 -0300

Changed in ubuntu-advantage-tools (Ubuntu Bionic):
status: Fix Committed → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package ubuntu-advantage-tools - 29.4~16.04

---------------
ubuntu-advantage-tools (29.4~16.04) xenial; urgency=medium

  * Backport new upstream release: (LP: #2029144) to xenial

ubuntu-advantage-tools (29.4) mantic; urgency=medium

  * esm: remove static config file that pin packages from esm-infra
    and esm-apps

ubuntu-advantage-tools (29.3) mantic; urgency=medium

  * api: fix circular import that prevents enabled_services
    endpoint from being imported

ubuntu-advantage-tools (29.2) mantic; urgency=medium

  * d/ubuntu-advantage-tools.postinst:
    - replace deb-systemd-invoke back to systemctl
  * proxy: alert user if ca-certificates is not installed when using
    a TLS-in-TLS proxy

ubuntu-advantage-tools (29.1) mantic; urgency=medium

  * anbox: allow enabling service on container using the --access-only flag

ubuntu-advantage-tools (29) mantic; urgency=medium

  * d/control:
    - update links for the project github page
  * d/copyright:
    - bump date to 2023
    - update upstream-name and source
  * d/ubuntu-advantage-tools.{postinst,postrm}:
    - rename repo GPG keys from -advantage to -pro (GH: #1539)
    - replace calls to systemctl for deb-systemd-invoke
  * d/README.source:
    - add file with basic explanation on the source code (GH: #2463)
  * New upstream release 29 (LP: #2029144)
    - anbox-cloud: add support for service
    - api
      + new endpoint: u.pro.security.fix.plan.cve.v1
      + new endpoint: u.pro.security.fix.plan.usn.v1
      + new endpoint: u.apt_news.current_news.v1
      + add more data explaining the decision made for
        u.pro.security.status.reboot_required.v1 endpoint
    - contract:
      + send activityInfo after cli attach, enable and disable
      + start recording when the machine has attached to a Pro subscription
      + more reliable detection when running on a docker container
    - esm: create static files to pin packages from esm-infra and esm-apps with
      higher priority (GH: #2580)
    - fix: ignore non-USN items on related usns
    - landscape: add support for the service
    - logging: update to ubuntupro logging namespace
    - proxy: add support for TLS-in-TLS proxy (LP: #1999909)
    - snapd: look for the snapd package instead of the snap command
    - system: try/except logic to remove files and folders (LP: #2025731)

 -- Lucas Moura <email address hidden> Mon, 11 Sep 2023 12:28:13 -0300

Changed in ubuntu-advantage-tools (Ubuntu Xenial):
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.