** Description changed: [Impact] The package reporter is not getting the proxy settings set in /etc/landscape/client.conf. As a result, fetching hash-id-database file and running the SUID root /usr/lib/landscape/apt-update helper fail. Even though the binary it calls in turn fails (apt-get itself), the exit code is 0. It's only seen in the logs if using debug mode. [Test Case] - Edit the /etc/landscape/client.conf with the proxy configuration: - http_proxy = <your-proxy> - https_proxy = <your-proxy> + DO NOT set proxy environment variables, as these will be picked up by + the client when it's restarted and give a false good test result. We + want to be sure the values are being grabbed from the config file, and + not the environment. - It will respect the environment variables if they are somehow set when landscape-client is started, but not if the values are just defined in that configuration file. - Clients can ping and broker exchanges work. There are ways the environment values can leak into the process and invalidate the test. - For example, if you have the http_proxy and https_proxy variables in root's environment, and restart the client, it will inherit those, and invalidate the test. - Or let's say you have them in ubuntu's environment, and use sudo to restart the client. They won't be propagated to the daemon by default unless -E is used, and/or the proxy variables are whitelisted in /etc/sudoers. + DO NOT set proxy values in /etc/environment. + + * Create an ubuntu container or VM, take note of its IP address, and + install the proposed landscape-client package on it. + + sudo apt install landscape-client + + Also make sure dnsutils is installed: + sudo apt install dnsutils + + * Block direct access to landscape.canonical.com: + for ip in $(dig +short landscape.canonical.com); do sudo iptables -A OUTPUT -d $ip -j REJECT; done + + * Confirm that this access is indeed blocked: + $ telnet landscape.canonical.com 80 + Trying 91.189.90.173... + Trying 91.189.89.90... + telnet: Unable to connect to remote host: Connection refused + $ telnet landscape.canonical.com 443 + Trying 91.189.89.90... + Trying 91.189.90.173... + telnet: Unable to connect to remote host: Connection refused + + * In a xenial container, install the squid proxy server: + sudo apt install squid3 + + * Take note of the IP of this container + + * Edit /etc/squid/squid.conf and make these changes: + - locate the "#acl localnet src" block of lines and add one for the network where the landscape-client container you created before has an IP. For example: + acl localnet src 10.0.0.0/8 + - locate the "#http_access allow localnet" line and remove the comment: + http_access allow localnet + + * Restart squid: + sudo service squid restart + + * Keep tailing the squid access logs: + sudo tail -f /var/log/squid/access.log + + + * Go back to the landscape-client container + + * Verify that the proxy is allowing your connections, and that without the proxy it fails: + ubuntu@xenial-client-sru:~$ http_proxy=http://xenial-proxy.lxd:3128/ curl http://landscape.canonical.com/ping ;echo + ds5:errors19:provide insecure_id; + ubuntu@xenial-client-sru:~$ curl http://landscape.canonical.com/ping ;echo + curl: (7) Failed to connect to landscape.canonical.com port 80: Connection refused + + ubuntu@xenial-client-sru:~$ + + + * in a terminal, tail the (still non existing) package-reporter logs: + sudo tail -F /var/log/landscape/package-reporter.log + + * in another terminal, tail the (still non existing) broker log: + sudo tail -F /var/log/landscape/broker.log + + * register the client with a landscape server. In this example we are + going to use landscape.canonical.com and the proxy we just configured + (replace <proxy> with the IP of the squid container we created above): + + sudo landscape-config -a <youraccount> -u + https://landscape.canonical.com/message-system --ping-url + http://landscape.canonical.com/ping -t sru-proxy-test --silent --http- + proxy=http://<proxy>:3128/ --https-proxy=http://<proxy>:3128/ + + * the proxy access logs should show some activity already: + 1511531199.415 1230 127.0.0.1 TCP_TUNNEL/200 4474 CONNECT landscape.canonical.com:443 - HIER_DIRECT/91.189.89.90 - + 1511531229.909 485 127.0.0.1 TCP_MISS/200 357 POST http://landscape.canonical.com/ping - HIER_DIRECT/91.189.89.90 text/html + + That's the registration request (port 443) and the ping (port 80) + + * go to landscape.canonical.com, login and accept the new pending + computer we just created + [Regression Potential] Regressions in this area will basically prevent the client from fetching package information from the ubuntu archive and whatever other repositories are configured. This situation would be obvious enough by checking the lack of updates available for the registered computers, which is the problem this patch is fixing. What's important is that communication with the server would remain unaffected. Should a major regression creep in, something that prevents the client from communicating with the server, then the server would eventually issue a "computer offline" alert and the admin would have to investigate. What could be troublesome is if the only means of accessing the computer is via landscape. This should be rare, as ssh usage is widespread. - [Other Info] * Upstream revision: http://bazaar.launchpad.net/~landscape/landscape-client/trunk/revision/919 This PPA has test packages built from these branches, using a ~ppaN suffix: https://launchpad.net/~ahasenack/+archive/ubuntu/lsclient-sru-1721383 - --- Original description --- The package reporter is not getting the proxy settings set in /etc/landscape/client.conf. It will honor the environment variables if they are somehow set when landscape-client is started, but not if the values are just defined in that configuration file. As a result, the following fails: - fetching hash-id-database file - running the SUID root /usr/lib/landscape/apt-update helper. Even though the binary it calls in turn fails (apt-get itself), the exit code is 0. It's only seen in the logs if using debug mode. Logs from a run on a test system which is prohibited from accessing the internet directly, but does have the proxy settings in client.conf: 2016-01-05 12:41:25,678 DEBUG [MainThread] '/usr/lib/landscape/apt-update' exited with status 0 (out='Err http://archive.ubuntu.com trusty InRelease Err http://archive.ubuntu.com trusty-updates InRelease Err http://archive.ubuntu.com trusty-security InRelease Err http://archive.ubuntu.com trusty Release.gpg Unable to connect to archive.ubuntu.com:http: Err http://archive.ubuntu.com trusty-updates Release.gpg Unable to connect to archive.ubuntu.com:http: Err http://archive.ubuntu.com trusty-security Release.gpg Unable to connect to archive.ubuntu.com:http: Reading package lists... ', err='W: Failed to fetch http://archive.ubuntu.com//ubuntu/dists/trusty/InRelease W: Failed to fetch http://archive.ubuntu.com//ubuntu/dists/trusty- updates/InRelease W: Failed to fetch http://archive.ubuntu.com//ubuntu/dists/trusty- security/InRelease W: Failed to fetch http://archive.ubuntu.com//ubuntu/dists/trusty/Release.gpg Unable to connect to archive.ubuntu.com:http: W: Failed to fetch http://archive.ubuntu.com//ubuntu/dists/trusty- updates/Release.gpg Unable to connect to archive.ubuntu.com:http: W: Failed to fetch http://archive.ubuntu.com//ubuntu/dists/trusty- security/Release.gpg Unable to connect to archive.ubuntu.com:http: W: Some index files failed to download. They have been ignored, or old ones used instead. ') 2016-01-05 12:41:27,861 WARNING [MainThread] Couldn't download hash=>id database: Error 7: Failed to connect to landscape.canonical.com port 443: Connection refused 2016-01-05 12:41:28,012 DEBUG [MainThread] Started firing stop. 2016-01-05 12:41:28,012 DEBUG [MainThread] Finished firing stop. Broker exchanges work just fine, as do the client pings. One has to be careful when trying to reproduce this bug, as there are many ways the environment values can leak into the process and invalidate the test. For example, if you have the http_proxy and https_proxy variables in root's environment, and restart the client, it will inherit those, and invalidate the test. Or let's say you have them in ubuntu's environment, and use sudo to restart the client. They won't be propagated to the daemon by default unless -E is used, and/or the proxy variables are whitelisted in /etc/sudoers.
** Description changed: [Impact] The package reporter is not getting the proxy settings set in /etc/landscape/client.conf. As a result, fetching hash-id-database file and running the SUID root /usr/lib/landscape/apt-update helper fail. Even though the binary it calls in turn fails (apt-get itself), the exit code is 0. It's only seen in the logs if using debug mode. [Test Case] DO NOT set proxy environment variables, as these will be picked up by the client when it's restarted and give a false good test result. We want to be sure the values are being grabbed from the config file, and not the environment. DO NOT set proxy values in /etc/environment. * Create an ubuntu container or VM, take note of its IP address, and install the proposed landscape-client package on it. sudo apt install landscape-client Also make sure dnsutils is installed: sudo apt install dnsutils * Block direct access to landscape.canonical.com: for ip in $(dig +short landscape.canonical.com); do sudo iptables -A OUTPUT -d $ip -j REJECT; done * Confirm that this access is indeed blocked: $ telnet landscape.canonical.com 80 Trying 91.189.90.173... Trying 91.189.89.90... telnet: Unable to connect to remote host: Connection refused $ telnet landscape.canonical.com 443 Trying 91.189.89.90... Trying 91.189.90.173... telnet: Unable to connect to remote host: Connection refused * In a xenial container, install the squid proxy server: sudo apt install squid3 * Take note of the IP of this container * Edit /etc/squid/squid.conf and make these changes: - locate the "#acl localnet src" block of lines and add one for the network where the landscape-client container you created before has an IP. For example: acl localnet src 10.0.0.0/8 - locate the "#http_access allow localnet" line and remove the comment: http_access allow localnet * Restart squid: sudo service squid restart * Keep tailing the squid access logs: sudo tail -f /var/log/squid/access.log - * Go back to the landscape-client container * Verify that the proxy is allowing your connections, and that without the proxy it fails: ubuntu@xenial-client-sru:~$ http_proxy=http://xenial-proxy.lxd:3128/ curl http://landscape.canonical.com/ping ;echo ds5:errors19:provide insecure_id; ubuntu@xenial-client-sru:~$ curl http://landscape.canonical.com/ping ;echo curl: (7) Failed to connect to landscape.canonical.com port 80: Connection refused - ubuntu@xenial-client-sru:~$ + * Same for https: + ubuntu@xenial-client-sru:~$ https_proxy=http://xenial-proxy.lxd:3128 curl https://landscape.canonical.com/message-system;echo + Landscape message server + ubuntu@xenial-client-sru:~$ curl https://landscape.canonical.com/message-system;echo + curl: (7) Failed to connect to landscape.canonical.com port 443: Connection refused * in a terminal, tail the (still non existing) package-reporter logs: sudo tail -F /var/log/landscape/package-reporter.log * in another terminal, tail the (still non existing) broker log: sudo tail -F /var/log/landscape/broker.log * register the client with a landscape server. In this example we are going to use landscape.canonical.com and the proxy we just configured (replace <proxy> with the IP of the squid container we created above): sudo landscape-config -a <youraccount> -u https://landscape.canonical.com/message-system --ping-url http://landscape.canonical.com/ping -t sru-proxy-test --silent --http- proxy=http://<proxy>:3128/ --https-proxy=http://<proxy>:3128/ * the proxy access logs should show some activity already: 1511531199.415 1230 127.0.0.1 TCP_TUNNEL/200 4474 CONNECT landscape.canonical.com:443 - HIER_DIRECT/91.189.89.90 - 1511531229.909 485 127.0.0.1 TCP_MISS/200 357 POST http://landscape.canonical.com/ping - HIER_DIRECT/91.189.89.90 text/html That's the registration request (port 443) and the ping (port 80) * go to landscape.canonical.com, login and accept the new pending computer we just created [Regression Potential] Regressions in this area will basically prevent the client from fetching package information from the ubuntu archive and whatever other repositories are configured. This situation would be obvious enough by checking the lack of updates available for the registered computers, which is the problem this patch is fixing. What's important is that communication with the server would remain unaffected. Should a major regression creep in, something that prevents the client from communicating with the server, then the server would eventually issue a "computer offline" alert and the admin would have to investigate. What could be troublesome is if the only means of accessing the computer is via landscape. This should be rare, as ssh usage is widespread. [Other Info] * Upstream revision: http://bazaar.launchpad.net/~landscape/landscape-client/trunk/revision/919 This PPA has test packages built from these branches, using a ~ppaN suffix: https://launchpad.net/~ahasenack/+archive/ubuntu/lsclient-sru-1721383 --- Original description --- The package reporter is not getting the proxy settings set in /etc/landscape/client.conf. It will honor the environment variables if they are somehow set when landscape-client is started, but not if the values are just defined in that configuration file. As a result, the following fails: - fetching hash-id-database file - running the SUID root /usr/lib/landscape/apt-update helper. Even though the binary it calls in turn fails (apt-get itself), the exit code is 0. It's only seen in the logs if using debug mode. Logs from a run on a test system which is prohibited from accessing the internet directly, but does have the proxy settings in client.conf: 2016-01-05 12:41:25,678 DEBUG [MainThread] '/usr/lib/landscape/apt-update' exited with status 0 (out='Err http://archive.ubuntu.com trusty InRelease Err http://archive.ubuntu.com trusty-updates InRelease Err http://archive.ubuntu.com trusty-security InRelease Err http://archive.ubuntu.com trusty Release.gpg Unable to connect to archive.ubuntu.com:http: Err http://archive.ubuntu.com trusty-updates Release.gpg Unable to connect to archive.ubuntu.com:http: Err http://archive.ubuntu.com trusty-security Release.gpg Unable to connect to archive.ubuntu.com:http: Reading package lists... ', err='W: Failed to fetch http://archive.ubuntu.com//ubuntu/dists/trusty/InRelease W: Failed to fetch http://archive.ubuntu.com//ubuntu/dists/trusty- updates/InRelease W: Failed to fetch http://archive.ubuntu.com//ubuntu/dists/trusty- security/InRelease W: Failed to fetch http://archive.ubuntu.com//ubuntu/dists/trusty/Release.gpg Unable to connect to archive.ubuntu.com:http: W: Failed to fetch http://archive.ubuntu.com//ubuntu/dists/trusty- updates/Release.gpg Unable to connect to archive.ubuntu.com:http: W: Failed to fetch http://archive.ubuntu.com//ubuntu/dists/trusty- security/Release.gpg Unable to connect to archive.ubuntu.com:http: W: Some index files failed to download. They have been ignored, or old ones used instead. ') 2016-01-05 12:41:27,861 WARNING [MainThread] Couldn't download hash=>id database: Error 7: Failed to connect to landscape.canonical.com port 443: Connection refused 2016-01-05 12:41:28,012 DEBUG [MainThread] Started firing stop. 2016-01-05 12:41:28,012 DEBUG [MainThread] Finished firing stop. Broker exchanges work just fine, as do the client pings. One has to be careful when trying to reproduce this bug, as there are many ways the environment values can leak into the process and invalidate the test. For example, if you have the http_proxy and https_proxy variables in root's environment, and restart the client, it will inherit those, and invalidate the test. Or let's say you have them in ubuntu's environment, and use sudo to restart the client. They won't be propagated to the daemon by default unless -E is used, and/or the proxy variables are whitelisted in /etc/sudoers. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1531150 Title: package-reporter doesn't get proxy settings from client.conf To manage notifications about this bug go to: https://bugs.launchpad.net/landscape-client/+bug/1531150/+subscriptions -- ubuntu-bugs mailing list [email protected] https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
