Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Bug: validate_release_series could be fired with a stale contract information rather than an up-to-date contract from the server #3340

Open
nobuto-m opened this issue Oct 8, 2024 · 0 comments
Open

Bug: validate_release_series could be fired with a stale contract information rather than an up-to-date contract from the server #3340

nobuto-m opened this issue Oct 8, 2024 · 0 comments
Labels
bug something isn't working P - Low S - Triaged Must have priority label

Comments

@nobuto-m
Copy link

nobuto-m commented Oct 8, 2024
edited
Loading

Description of the bug

This is a corner case, but let me explain the actual situation at a customer.

  1. Pro for Devices token (with onlySeries=noble) was used for a jammy machine with Pro client < 33
  2. the attachment actually succeeded since pro-client < 33 doesn't have a logic of checking onlySeries
  3. Pro client was updated to >= 33
  4. ua-timer.service by ua-timer.timer kicked in and ran validate_release_series
  5. the machine got detached due to the mismatch between onlySeries=noble and the running series as jammy

Oct 07 09:01:58 pro-testing-old python3[11460]: ["2024-10-07T09:01:58.471", "WARNING", "ubuntupro.timer.update_contract_info", "validate_release_series", 33, "Detaching Ubuntu Pro. Previously attached subscription was only valid for Ubuntu 24.04 LTS (Noble Numbat) release.", {}]

In this case, Pro client behaved correctly by design. However, we wanted to stop the detachment from happening since once it happens there will be no connection with the token and there will be no "phone home" to do something from the server side.

What we tried was putting onlySeries=jammy for the token in the contract server so the detachment can be prevented at the step 5 above since the new onlySeries=jammy from the contract server should match with the running series as jammy.

However it wasn't the case, the step 4 and 5 happened with the "stale" contract information in the local file system instead of fetching the up-to-date contract information from the server. Since the automatic and unattended detachment is the last resort by cutting the association with a Pro token, we'd like to have more guard rails before doing the automatic detachment.

Expected behavior

At least, Pro client should make a decision of the unattended and automatic detachment with the latest and up-to-date contract information from the contract server by having pro refresh contract equivalent operation before executing validate_release_series. In this case, the detachment shouldn't have happened once the metadata for the token was overwritten at the contract server.

Current behavior

The unattended and automatic detachment happened based on the local information without fetching the latest information from the server.

To Reproduce

Please include details on how to reproduce the bug.

  1. Launch a jammy VM/Container for example
  2. Attach the machine with a token with onlySeries=jammy for example
  3. Rewrite the content of /var/lib/ubuntu-advantage/private/machine-token.json by hand to simulate the file is "stale" by setting one release older series onlySeries=focal
  4. Trigger the marker-only-series-check and ua-timer.service forcibly
  5. To see what information was used if onlySeries=focal from the local filesystem or onlySeries=jammy from the contract server
$ sudo pro attach '<TOKEN_WITH_ONLYSERIES_JAMMY>'

$ sudo sed -i.orig \
    -e 's/"onlySeries": "jammy"/"onlySeries": "focal"/' \
    /var/lib/ubuntu-advantage/private/machine-token.json

## -> now the local file in the filesystem is "stale"

$ sudo touch /var/lib/ubuntu-advantage/marker-only-series-check

$ sudo systemctl start ua-timer.service

$ journalctl -u ua-timer.service

Oct 08 14:53:52 pro-testing-jammy python3[31886]: ["2024-10-08T14:53:52.512", "WARNING",
"ubuntupro.timer.update_contract_info", "validate_release_series", 33, "Detaching Ubuntu Pro.
Previously attached subscription was only valid for Ubuntu 20.04 LTS (Focal Fossa) release.", {}]

## -> detachment happened with the "stale" information as `onlySeries=focal`

System information:

  • Ubuntu release: jammy
  • Pro Client version: 34~22.04

Additional context

Add any other context about the problem here.

ubuntu-pro-client/uaclient/update_contract_info.py

Lines 11 to 31 in 5801b1b

def validate_release_series(cfg: UAConfig, only_series, show_message=False):
LOG.debug("Validating release series")
if not _is_attached(cfg).is_attached:
return
current_series = system.get_release_info().series
if only_series != current_series:
LOG.debug(
"Detaching due to current series being %s. only_series: %s",
current_series,
only_series,
)
lock.clear_lock_file_if_present()
detach()
allowed_release = system.get_distro_info(only_series)
message = messages.PRO_ONLY_ALLOWED_FOR_RELEASE.format(
release=allowed_release.release,
series_codename=allowed_release.series_codename,
)
if show_message:
print(message)
LOG.warning(message)

@nobuto-m nobuto-m added the bug something isn't working label Oct 8, 2024
@orndorffgrant orndorffgrant added S - Triaged Must have priority label P - Low labels Oct 9, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug something isn't working P - Low S - Triaged Must have priority label
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@nobuto-m @orndorffgrant