Canonical-LivePatch fails SILENTLY! (Only Ubuntu 16.04 LTS is supported, exiting.)

Bug #1667467 reported by gutschke
This bug affects 5 people

Affects: snapd (Ubuntu)
Status: Confirmed
Importance: Undecided
Assigned to: Unassigned
Milestone: (not set)

Bug Description

Please note, this is a bug report for canonical-livepatch. http://blog.dustinkirkland.com/2016/10/canonical-livepatch.html requests that all bugs are reported at https://bugs.launchpad.net/ubuntu/+source/canonical-livepatch/+filebug, but that is not possible for Snap packages. I got the following Oops in Launchpad: https://bugs.launchpad.net/ubuntu/+source/canonical-livepatch/+filebug

--------------------------------------------------------

This morning, canonical-livepatch successfully applied fixes for several CVEs, and it then asked me to reboot the machine. I did so, when it was convenient, and once the machine was up again, I tested whether all known vulnerabilities were addressed:

  # canonical-livepatch status --verbose
  Connection to the daemon failed: Get http://127.0.0.1/status?verbose=true: dial unix /var/snap/canonical-livepatch/17/livepatchd.sock: connect: no such file or directory

Now that's unexpected. Something failed silently! Good thing I noticed. Let's debug:

  # systemctl status snap.canonical-livepatch.canonical-livepatchd.service
  * snap.canonical-livepatch.canonical-livepatchd.service - Service for snap application canonical-livepatch.canonical-livepatchd
     Loaded: loaded (/etc/systemd/system/snap.canonical-livepatch.canonical-livepatchd.service; enabled; vendor preset: enabled)
     Active: inactive (dead) (Result: exit-code) since Thu 2017-02-23 11:12:28 PST; 16min ago
    Process: 23885 ExecStart=/usr/bin/snap run canonical-livepatch.canonical-livepatchd (code=exited, status=1/FAILURE)
   Main PID: 23885 (code=exited, status=1/FAILURE)

  systemd[1]: snap.canonical-livepatch.canonical-livepatchd.service: Unit entered failed state.
  systemd[1]: snap.canonical-livepatch.canonical-livepatchd.service: Failed with result 'exit-code'.
  systemd[1]: snap.canonical-livepatch.canonical-livepatchd.service: Service hold-off time over, scheduling restart.
  systemd[1]: Stopped Service for snap application canonical-livepatch.canonical-livepatchd.
  systemd[1]: snap.canonical-livepatch.canonical-livepatchd.service: Start request repeated too quickly.
  systemd[1]: Failed to start Service for snap application canonical-livepatch.canonical-livepatchd.

Seems as if the Snap package had some problem. Let's run it manually:

  # snap run canonical-livepatch.canonical-livepatchd
  Only Ubuntu 16.04 LTS is supported, exiting.

That's unexpected. It worked this morning and I didn't change distributions since. Let's see what snap thinks it is running on:

  # snap --version
  snap 2.22.6
  snapd 2.22.6
  series 16
  ubuntu 16.04
  kernel 4.4.0-64-lowlatency

  # cat /etc/lsb-release
  DISTRIB_ID=Ubuntu
  DISTRIB_RELEASE=16.04
  DISTRIB_CODENAME=xenial
  DISTRIB_DESCRIPTION="Ubuntu 16.04.2 LTS"

That all looks perfectly normal to me. Sounds as if it is a bug in Canonical-Livepatch.

--------------------------------------------------------

In summary, there are three problems here. First of all, Canonical-Livepatch fails, even though the distribution is supported, and it in fact patched this kernel release only hours earlier.

Secondly, and that's more worrisome, it fails silently.

For a security feature that is supposed to work in the background and to apply crucial security fixes, silent failure is even worse than not running Canonical-Livepatch at all. It gives a false sense of security.

Because of this, I am marking this bug as a security bug, so that the relevant team can take a look and triage. Feel free to remove the security flag, if you think it isn't appropriate.

And thirdly, Canonical makes the LivePatch service available to the community for free in order to collect bug reports. That's commendable, but ultimately futile, if the official documentation at http://blog.dustinkirkland.com/2016/10/canonical-livepatch.html gives erroneous instructions for filing bugs. According to information obtained on #ubuntu, it is apparently impossible to file Launchpad bugs against Snap packages.
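The report's central point is that a dead livepatch daemon is invisible unless someone runs `canonical-livepatch status` by hand. The following is an added example (not the reporter's code and not part of the livepatch client) of a health check that turns that silent failure into a loud one: it parses `systemctl show` output for the snap service unit, checks that the daemon socket exists, and only then trusts the client's own status command. The socket path is assumed to live under the snap's `current` revision symlink rather than the hard-coded revision `17` seen in the report; the sample `systemctl show` output fed to `classify_unit` below is constructed from the states quoted in the report.

```shell
#!/bin/sh
# Added example: fail-loud health check for the canonical-livepatch daemon.
# Not part of the livepatch client; unit name is the one shown in the report,
# socket path is an assumption (uses the snap's "current" revision symlink).

UNIT="snap.canonical-livepatch.canonical-livepatchd.service"
SOCK="/var/snap/canonical-livepatch/current/livepatchd.sock"

# classify_unit: reads KEY=VALUE lines as printed by
#   systemctl show -p ActiveState,Result "$UNIT"
# on stdin, prints "healthy" or "failed:<detail>", returns 0 only if healthy.
# Kept separate from systemctl so it can be exercised on captured output.
classify_unit() {
  active=""
  result=""
  while IFS='=' read -r key value; do
    case "$key" in
      ActiveState) active="$value" ;;
      Result)      result="$value" ;;
    esac
  done
  case "$active" in
    active)
      echo "healthy"
      return 0 ;;
    *)
      echo "failed:ActiveState=${active:-unknown},Result=${result:-unknown}"
      return 1 ;;
  esac
}

# check_livepatch: the live check. Exit 0 means the daemon is up and answering;
# any other exit code means "do not assume the kernel is being patched".
check_livepatch() {
  # 1. systemd view of the unit (catches "Start request repeated too quickly")
  if ! verdict=$(systemctl show -p ActiveState,Result "$UNIT" | classify_unit); then
    echo "livepatch: $verdict" >&2
    # Surface the daemon's own last words, e.g. "Only Ubuntu 16.04 LTS is supported"
    journalctl -u "$UNIT" --no-pager -n 5 >&2
    return 2
  fi
  # 2. the socket the client dials; missing socket == the error in the report
  if [ ! -S "$SOCK" ]; then
    echo "livepatch: unit active but socket $SOCK missing" >&2
    return 3
  fi
  # 3. only now trust the client's own report
  if ! canonical-livepatch status >/dev/null 2>&1; then
    echo "livepatch: client cannot talk to daemon" >&2
    return 4
  fi
  echo "livepatch: OK"
  return 0
}

# Run the live check only when invoked with --run, so the functions can be
# sourced (or tested against captured output) without touching the host.
if [ "${1:-}" = "--run" ]; then
  check_livepatch
fi
```

Wire `check_livepatch` into cron or a systemd timer and alert on a non-zero exit; the point is that "inactive (dead)" must page someone, because a host that believes it is live-patched but is not is in a worse position than one that never enabled the service.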

information type: Private Security → Public
Seth Arnold (seth-arnold) wrote :

The new place for livepatch client bugs is https://bugs.launchpad.net/canonical-livepatch-client/+filebug

I couldn't just add this bug to that project, so I filed a new bug there referencing this one. I don't know if that one will be visible but its url is https://bugs.launchpad.net/bugs/1667515 just in case it is made public.

Thanks

gutschke (markus+launchpad) wrote :

I can't access the bug yet. But hopefully I will be able to do so at some point -- or maybe you can add me to it? Not sure if Launchpad supports doing that.

In the meantime, I noticed that you updated the link in the FAQ. Thank you! That's awesome.

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in snapd (Ubuntu):
status: New → Confirmed
Lenin (gagarin) wrote :

If I want to enable it, it tells me:

error executing enable: Livepatchd error: Couldn't setup system logger.
