** Description changed: [Impact] The package reporter is not getting the proxy settings set in /etc/landscape/client.conf. As a result, fetching hash-id-database file and running the SUID root /usr/lib/landscape/apt-update helper fail. Even though the binary it calls in turn fails (apt-get itself), the exit code is 0. It's only seen in the logs if using debug mode. [Test Case] DO NOT set proxy environment variables, as these will be picked up by the client when it's restarted and give a false good test result. We want to be sure the values are being grabbed from the config file, and not the environment. DO NOT set proxy values in /etc/environment. * Create an ubuntu container or VM, take note of its IP address, and install the proposed landscape-client package on it. sudo apt install landscape-client Also make sure dnsutils is installed: sudo apt install dnsutils * Block direct access to landscape.canonical.com: for ip in $(dig +short landscape.canonical.com); do sudo iptables -A OUTPUT -d $ip -j REJECT; done + Do the same for your ubuntu archive or whatever mirror you are using (note: this won't work if you have ipv6 enabled): + for ip in $(dig +short archive.ubuntu.com; do sudo iptables -A OUTPUT -d $ip -j REJECT; done + * Confirm that this access is indeed blocked: $ telnet landscape.canonical.com 80 Trying 91.189.90.173... Trying 91.189.89.90... telnet: Unable to connect to remote host: Connection refused $ telnet landscape.canonical.com 443 Trying 91.189.89.90... Trying 91.189.90.173... telnet: Unable to connect to remote host: Connection refused + + * Verify that apt-get update is blocked for the archive (your ips might differ, here I'm using a mirror): + $ sudo apt update + (...) + Err:2 http://br.archive.ubuntu.com/ubuntu xenial InRelease + Cannot initiate the connection to br.archive.ubuntu.com:80 (2801:82:80ff:8000::5). - connect (101: Network is unreachable) [IP: 2801:82:80ff:8000::5 80] * In a xenial container, install the squid proxy server: sudo apt install squid3 * Take note of the IP of this container * Edit /etc/squid/squid.conf and make these changes: - locate the "#acl localnet src" block of lines and add one for the network where the landscape-client container you created before has an IP. For example: acl localnet src 10.0.0.0/8 - locate the "#http_access allow localnet" line and remove the comment: http_access allow localnet * Restart squid: sudo service squid restart * Keep tailing the squid access logs: sudo tail -f /var/log/squid/access.log * Go back to the landscape-client container * Verify that the proxy is allowing your connections, and that without the proxy it fails: ubuntu@xenial-client-sru:~$ http_proxy=http://xenial-proxy.lxd:3128/ curl http://landscape.canonical.com/ping ;echo ds5:errors19:provide insecure_id; ubuntu@xenial-client-sru:~$ curl http://landscape.canonical.com/ping ;echo curl: (7) Failed to connect to landscape.canonical.com port 80: Connection refused * Same for https: ubuntu@xenial-client-sru:~$ https_proxy=http://xenial-proxy.lxd:3128 curl https://landscape.canonical.com/message-system;echo Landscape message server ubuntu@xenial-client-sru:~$ curl https://landscape.canonical.com/message-system;echo curl: (7) Failed to connect to landscape.canonical.com port 443: Connection refused - * in a terminal, tail the (still non existing) package-reporter logs: sudo tail -F /var/log/landscape/package-reporter.log * in another terminal, tail the (still non existing) broker log: sudo tail -F /var/log/landscape/broker.log * register the client with a landscape server. In this example we are going to use landscape.canonical.com and the proxy we just configured (replace <proxy> with the IP of the squid container we created above): sudo landscape-config -a <youraccount> -u https://landscape.canonical.com/message-system --ping-url http://landscape.canonical.com/ping -t sru-proxy-test --silent --http- proxy=http://<proxy>:3128/ --https-proxy=http://<proxy>:3128/ * the proxy access logs should show some activity already: 1511531199.415 1230 127.0.0.1 TCP_TUNNEL/200 4474 CONNECT landscape.canonical.com:443 - HIER_DIRECT/91.189.89.90 - 1511531229.909 485 127.0.0.1 TCP_MISS/200 357 POST http://landscape.canonical.com/ping - HIER_DIRECT/91.189.89.90 text/html That's the registration request (port 443) and the ping (port 80) * go to landscape.canonical.com, login and accept the new pending computer we just created - [Regression Potential] Regressions in this area will basically prevent the client from fetching package information from the ubuntu archive and whatever other repositories are configured. This situation would be obvious enough by checking the lack of updates available for the registered computers, which is the problem this patch is fixing. What's important is that communication with the server would remain unaffected. Should a major regression creep in, something that prevents the client from communicating with the server, then the server would eventually issue a "computer offline" alert and the admin would have to investigate. What could be troublesome is if the only means of accessing the computer is via landscape. This should be rare, as ssh usage is widespread. [Other Info] * Upstream revision: http://bazaar.launchpad.net/~landscape/landscape-client/trunk/revision/919 This PPA has test packages built from these branches, using a ~ppaN suffix: https://launchpad.net/~ahasenack/+archive/ubuntu/lsclient-sru-1721383 --- Original description --- The package reporter is not getting the proxy settings set in /etc/landscape/client.conf. It will honor the environment variables if they are somehow set when landscape-client is started, but not if the values are just defined in that configuration file. As a result, the following fails: - fetching hash-id-database file - running the SUID root /usr/lib/landscape/apt-update helper. Even though the binary it calls in turn fails (apt-get itself), the exit code is 0. It's only seen in the logs if using debug mode. Logs from a run on a test system which is prohibited from accessing the internet directly, but does have the proxy settings in client.conf: 2016-01-05 12:41:25,678 DEBUG [MainThread] '/usr/lib/landscape/apt-update' exited with status 0 (out='Err http://archive.ubuntu.com trusty InRelease Err http://archive.ubuntu.com trusty-updates InRelease Err http://archive.ubuntu.com trusty-security InRelease Err http://archive.ubuntu.com trusty Release.gpg Unable to connect to archive.ubuntu.com:http: Err http://archive.ubuntu.com trusty-updates Release.gpg Unable to connect to archive.ubuntu.com:http: Err http://archive.ubuntu.com trusty-security Release.gpg Unable to connect to archive.ubuntu.com:http: Reading package lists... ', err='W: Failed to fetch http://archive.ubuntu.com//ubuntu/dists/trusty/InRelease W: Failed to fetch http://archive.ubuntu.com//ubuntu/dists/trusty- updates/InRelease W: Failed to fetch http://archive.ubuntu.com//ubuntu/dists/trusty- security/InRelease W: Failed to fetch http://archive.ubuntu.com//ubuntu/dists/trusty/Release.gpg Unable to connect to archive.ubuntu.com:http: W: Failed to fetch http://archive.ubuntu.com//ubuntu/dists/trusty- updates/Release.gpg Unable to connect to archive.ubuntu.com:http: W: Failed to fetch http://archive.ubuntu.com//ubuntu/dists/trusty- security/Release.gpg Unable to connect to archive.ubuntu.com:http: W: Some index files failed to download. They have been ignored, or old ones used instead. ') 2016-01-05 12:41:27,861 WARNING [MainThread] Couldn't download hash=>id database: Error 7: Failed to connect to landscape.canonical.com port 443: Connection refused 2016-01-05 12:41:28,012 DEBUG [MainThread] Started firing stop. 2016-01-05 12:41:28,012 DEBUG [MainThread] Finished firing stop. Broker exchanges work just fine, as do the client pings. One has to be careful when trying to reproduce this bug, as there are many ways the environment values can leak into the process and invalidate the test. For example, if you have the http_proxy and https_proxy variables in root's environment, and restart the client, it will inherit those, and invalidate the test. Or let's say you have them in ubuntu's environment, and use sudo to restart the client. They won't be propagated to the daemon by default unless -E is used, and/or the proxy variables are whitelisted in /etc/sudoers.
** Description changed: [Impact] The package reporter is not getting the proxy settings set in /etc/landscape/client.conf. As a result, fetching hash-id-database file and running the SUID root /usr/lib/landscape/apt-update helper fail. Even though the binary it calls in turn fails (apt-get itself), the exit code is 0. It's only seen in the logs if using debug mode. [Test Case] + Here we want to block direct access from a client to landscape.canonical.com and the ubuntu archive, forcing it to use a proxy we will setup. That's how we will determine that the bug is fixed. DO NOT set proxy environment variables, as these will be picked up by the client when it's restarted and give a false good test result. We want to be sure the values are being grabbed from the config file, and not the environment. DO NOT set proxy values in /etc/environment. * Create an ubuntu container or VM, take note of its IP address, and install the proposed landscape-client package on it. sudo apt install landscape-client Also make sure dnsutils is installed: sudo apt install dnsutils * Block direct access to landscape.canonical.com: for ip in $(dig +short landscape.canonical.com); do sudo iptables -A OUTPUT -d $ip -j REJECT; done Do the same for your ubuntu archive or whatever mirror you are using (note: this won't work if you have ipv6 enabled): for ip in $(dig +short archive.ubuntu.com; do sudo iptables -A OUTPUT -d $ip -j REJECT; done * Confirm that this access is indeed blocked: $ telnet landscape.canonical.com 80 Trying 91.189.90.173... Trying 91.189.89.90... telnet: Unable to connect to remote host: Connection refused $ telnet landscape.canonical.com 443 Trying 91.189.89.90... Trying 91.189.90.173... telnet: Unable to connect to remote host: Connection refused * Verify that apt-get update is blocked for the archive (your ips might differ, here I'm using a mirror): $ sudo apt update (...) - Err:2 http://br.archive.ubuntu.com/ubuntu xenial InRelease - Cannot initiate the connection to br.archive.ubuntu.com:80 (2801:82:80ff:8000::5). - connect (101: Network is unreachable) [IP: 2801:82:80ff:8000::5 80] + Err:2 http://br.archive.ubuntu.com/ubuntu xenial InRelease + Cannot initiate the connection to br.archive.ubuntu.com:80 (2801:82:80ff:8000::5). - connect (101: Network is unreachable) [IP: 2801:82:80ff:8000::5 80] * In a xenial container, install the squid proxy server: sudo apt install squid3 * Take note of the IP of this container * Edit /etc/squid/squid.conf and make these changes: - locate the "#acl localnet src" block of lines and add one for the network where the landscape-client container you created before has an IP. For example: acl localnet src 10.0.0.0/8 - locate the "#http_access allow localnet" line and remove the comment: http_access allow localnet * Restart squid: sudo service squid restart * Keep tailing the squid access logs: sudo tail -f /var/log/squid/access.log * Go back to the landscape-client container * Verify that the proxy is allowing your connections, and that without the proxy it fails: ubuntu@xenial-client-sru:~$ http_proxy=http://xenial-proxy.lxd:3128/ curl http://landscape.canonical.com/ping ;echo ds5:errors19:provide insecure_id; ubuntu@xenial-client-sru:~$ curl http://landscape.canonical.com/ping ;echo curl: (7) Failed to connect to landscape.canonical.com port 80: Connection refused * Same for https: ubuntu@xenial-client-sru:~$ https_proxy=http://xenial-proxy.lxd:3128 curl https://landscape.canonical.com/message-system;echo Landscape message server ubuntu@xenial-client-sru:~$ curl https://landscape.canonical.com/message-system;echo curl: (7) Failed to connect to landscape.canonical.com port 443: Connection refused * in a terminal, tail the (still non existing) package-reporter logs: sudo tail -F /var/log/landscape/package-reporter.log * in another terminal, tail the (still non existing) broker log: sudo tail -F /var/log/landscape/broker.log * register the client with a landscape server. In this example we are going to use landscape.canonical.com and the proxy we just configured (replace <proxy> with the IP of the squid container we created above): sudo landscape-config -a <youraccount> -u https://landscape.canonical.com/message-system --ping-url http://landscape.canonical.com/ping -t sru-proxy-test --silent --http- proxy=http://<proxy>:3128/ --https-proxy=http://<proxy>:3128/ * the proxy access logs should show some activity already: 1511531199.415 1230 127.0.0.1 TCP_TUNNEL/200 4474 CONNECT landscape.canonical.com:443 - HIER_DIRECT/91.189.89.90 - 1511531229.909 485 127.0.0.1 TCP_MISS/200 357 POST http://landscape.canonical.com/ping - HIER_DIRECT/91.189.89.90 text/html That's the registration request (port 443) and the ping (port 80) * go to landscape.canonical.com, login and accept the new pending computer we just created [Regression Potential] Regressions in this area will basically prevent the client from fetching package information from the ubuntu archive and whatever other repositories are configured. This situation would be obvious enough by checking the lack of updates available for the registered computers, which is the problem this patch is fixing. What's important is that communication with the server would remain unaffected. Should a major regression creep in, something that prevents the client from communicating with the server, then the server would eventually issue a "computer offline" alert and the admin would have to investigate. What could be troublesome is if the only means of accessing the computer is via landscape. This should be rare, as ssh usage is widespread. [Other Info] * Upstream revision: http://bazaar.launchpad.net/~landscape/landscape-client/trunk/revision/919 This PPA has test packages built from these branches, using a ~ppaN suffix: https://launchpad.net/~ahasenack/+archive/ubuntu/lsclient-sru-1721383 --- Original description --- The package reporter is not getting the proxy settings set in /etc/landscape/client.conf. It will honor the environment variables if they are somehow set when landscape-client is started, but not if the values are just defined in that configuration file. As a result, the following fails: - fetching hash-id-database file - running the SUID root /usr/lib/landscape/apt-update helper. Even though the binary it calls in turn fails (apt-get itself), the exit code is 0. It's only seen in the logs if using debug mode. Logs from a run on a test system which is prohibited from accessing the internet directly, but does have the proxy settings in client.conf: 2016-01-05 12:41:25,678 DEBUG [MainThread] '/usr/lib/landscape/apt-update' exited with status 0 (out='Err http://archive.ubuntu.com trusty InRelease Err http://archive.ubuntu.com trusty-updates InRelease Err http://archive.ubuntu.com trusty-security InRelease Err http://archive.ubuntu.com trusty Release.gpg Unable to connect to archive.ubuntu.com:http: Err http://archive.ubuntu.com trusty-updates Release.gpg Unable to connect to archive.ubuntu.com:http: Err http://archive.ubuntu.com trusty-security Release.gpg Unable to connect to archive.ubuntu.com:http: Reading package lists... ', err='W: Failed to fetch http://archive.ubuntu.com//ubuntu/dists/trusty/InRelease W: Failed to fetch http://archive.ubuntu.com//ubuntu/dists/trusty- updates/InRelease W: Failed to fetch http://archive.ubuntu.com//ubuntu/dists/trusty- security/InRelease W: Failed to fetch http://archive.ubuntu.com//ubuntu/dists/trusty/Release.gpg Unable to connect to archive.ubuntu.com:http: W: Failed to fetch http://archive.ubuntu.com//ubuntu/dists/trusty- updates/Release.gpg Unable to connect to archive.ubuntu.com:http: W: Failed to fetch http://archive.ubuntu.com//ubuntu/dists/trusty- security/Release.gpg Unable to connect to archive.ubuntu.com:http: W: Some index files failed to download. They have been ignored, or old ones used instead. ') 2016-01-05 12:41:27,861 WARNING [MainThread] Couldn't download hash=>id database: Error 7: Failed to connect to landscape.canonical.com port 443: Connection refused 2016-01-05 12:41:28,012 DEBUG [MainThread] Started firing stop. 2016-01-05 12:41:28,012 DEBUG [MainThread] Finished firing stop. Broker exchanges work just fine, as do the client pings. One has to be careful when trying to reproduce this bug, as there are many ways the environment values can leak into the process and invalidate the test. For example, if you have the http_proxy and https_proxy variables in root's environment, and restart the client, it will inherit those, and invalidate the test. Or let's say you have them in ubuntu's environment, and use sudo to restart the client. They won't be propagated to the daemon by default unless -E is used, and/or the proxy variables are whitelisted in /etc/sudoers. ** Description changed: [Impact] The package reporter is not getting the proxy settings set in /etc/landscape/client.conf. As a result, fetching hash-id-database file and running the SUID root /usr/lib/landscape/apt-update helper fail. Even though the binary it calls in turn fails (apt-get itself), the exit code is 0. It's only seen in the logs if using debug mode. [Test Case] Here we want to block direct access from a client to landscape.canonical.com and the ubuntu archive, forcing it to use a proxy we will setup. That's how we will determine that the bug is fixed. DO NOT set proxy environment variables, as these will be picked up by the client when it's restarted and give a false good test result. We want to be sure the values are being grabbed from the config file, and not the environment. DO NOT set proxy values in /etc/environment. * Create an ubuntu container or VM, take note of its IP address, and install the proposed landscape-client package on it. sudo apt install landscape-client Also make sure dnsutils is installed: sudo apt install dnsutils + + * Enable debugging on the client. Edit /etc/landscape/client.conf and make sure this line is there: + log_level = debug * Block direct access to landscape.canonical.com: for ip in $(dig +short landscape.canonical.com); do sudo iptables -A OUTPUT -d $ip -j REJECT; done Do the same for your ubuntu archive or whatever mirror you are using (note: this won't work if you have ipv6 enabled): for ip in $(dig +short archive.ubuntu.com; do sudo iptables -A OUTPUT -d $ip -j REJECT; done * Confirm that this access is indeed blocked: $ telnet landscape.canonical.com 80 Trying 91.189.90.173... Trying 91.189.89.90... telnet: Unable to connect to remote host: Connection refused $ telnet landscape.canonical.com 443 Trying 91.189.89.90... Trying 91.189.90.173... telnet: Unable to connect to remote host: Connection refused * Verify that apt-get update is blocked for the archive (your ips might differ, here I'm using a mirror): $ sudo apt update (...) Err:2 http://br.archive.ubuntu.com/ubuntu xenial InRelease Cannot initiate the connection to br.archive.ubuntu.com:80 (2801:82:80ff:8000::5). - connect (101: Network is unreachable) [IP: 2801:82:80ff:8000::5 80] * In a xenial container, install the squid proxy server: sudo apt install squid3 * Take note of the IP of this container * Edit /etc/squid/squid.conf and make these changes: - locate the "#acl localnet src" block of lines and add one for the network where the landscape-client container you created before has an IP. For example: acl localnet src 10.0.0.0/8 - locate the "#http_access allow localnet" line and remove the comment: http_access allow localnet * Restart squid: sudo service squid restart * Keep tailing the squid access logs: sudo tail -f /var/log/squid/access.log * Go back to the landscape-client container * Verify that the proxy is allowing your connections, and that without the proxy it fails: ubuntu@xenial-client-sru:~$ http_proxy=http://xenial-proxy.lxd:3128/ curl http://landscape.canonical.com/ping ;echo ds5:errors19:provide insecure_id; ubuntu@xenial-client-sru:~$ curl http://landscape.canonical.com/ping ;echo curl: (7) Failed to connect to landscape.canonical.com port 80: Connection refused * Same for https: ubuntu@xenial-client-sru:~$ https_proxy=http://xenial-proxy.lxd:3128 curl https://landscape.canonical.com/message-system;echo Landscape message server ubuntu@xenial-client-sru:~$ curl https://landscape.canonical.com/message-system;echo curl: (7) Failed to connect to landscape.canonical.com port 443: Connection refused * in a terminal, tail the (still non existing) package-reporter logs: sudo tail -F /var/log/landscape/package-reporter.log * in another terminal, tail the (still non existing) broker log: sudo tail -F /var/log/landscape/broker.log * register the client with a landscape server. In this example we are going to use landscape.canonical.com and the proxy we just configured (replace <proxy> with the IP of the squid container we created above): sudo landscape-config -a <youraccount> -u https://landscape.canonical.com/message-system --ping-url http://landscape.canonical.com/ping -t sru-proxy-test --silent --http- proxy=http://<proxy>:3128/ --https-proxy=http://<proxy>:3128/ * the proxy access logs should show some activity already: 1511531199.415 1230 127.0.0.1 TCP_TUNNEL/200 4474 CONNECT landscape.canonical.com:443 - HIER_DIRECT/91.189.89.90 - 1511531229.909 485 127.0.0.1 TCP_MISS/200 357 POST http://landscape.canonical.com/ping - HIER_DIRECT/91.189.89.90 text/html That's the registration request (port 443) and the ping (port 80) * go to landscape.canonical.com, login and accept the new pending computer we just created + [Regression Potential] Regressions in this area will basically prevent the client from fetching package information from the ubuntu archive and whatever other repositories are configured. This situation would be obvious enough by checking the lack of updates available for the registered computers, which is the problem this patch is fixing. What's important is that communication with the server would remain unaffected. Should a major regression creep in, something that prevents the client from communicating with the server, then the server would eventually issue a "computer offline" alert and the admin would have to investigate. What could be troublesome is if the only means of accessing the computer is via landscape. This should be rare, as ssh usage is widespread. [Other Info] * Upstream revision: http://bazaar.launchpad.net/~landscape/landscape-client/trunk/revision/919 This PPA has test packages built from these branches, using a ~ppaN suffix: https://launchpad.net/~ahasenack/+archive/ubuntu/lsclient-sru-1721383 --- Original description --- The package reporter is not getting the proxy settings set in /etc/landscape/client.conf. It will honor the environment variables if they are somehow set when landscape-client is started, but not if the values are just defined in that configuration file. As a result, the following fails: - fetching hash-id-database file - running the SUID root /usr/lib/landscape/apt-update helper. Even though the binary it calls in turn fails (apt-get itself), the exit code is 0. It's only seen in the logs if using debug mode. Logs from a run on a test system which is prohibited from accessing the internet directly, but does have the proxy settings in client.conf: 2016-01-05 12:41:25,678 DEBUG [MainThread] '/usr/lib/landscape/apt-update' exited with status 0 (out='Err http://archive.ubuntu.com trusty InRelease Err http://archive.ubuntu.com trusty-updates InRelease Err http://archive.ubuntu.com trusty-security InRelease Err http://archive.ubuntu.com trusty Release.gpg Unable to connect to archive.ubuntu.com:http: Err http://archive.ubuntu.com trusty-updates Release.gpg Unable to connect to archive.ubuntu.com:http: Err http://archive.ubuntu.com trusty-security Release.gpg Unable to connect to archive.ubuntu.com:http: Reading package lists... ', err='W: Failed to fetch http://archive.ubuntu.com//ubuntu/dists/trusty/InRelease W: Failed to fetch http://archive.ubuntu.com//ubuntu/dists/trusty- updates/InRelease W: Failed to fetch http://archive.ubuntu.com//ubuntu/dists/trusty- security/InRelease W: Failed to fetch http://archive.ubuntu.com//ubuntu/dists/trusty/Release.gpg Unable to connect to archive.ubuntu.com:http: W: Failed to fetch http://archive.ubuntu.com//ubuntu/dists/trusty- updates/Release.gpg Unable to connect to archive.ubuntu.com:http: W: Failed to fetch http://archive.ubuntu.com//ubuntu/dists/trusty- security/Release.gpg Unable to connect to archive.ubuntu.com:http: W: Some index files failed to download. They have been ignored, or old ones used instead. ') 2016-01-05 12:41:27,861 WARNING [MainThread] Couldn't download hash=>id database: Error 7: Failed to connect to landscape.canonical.com port 443: Connection refused 2016-01-05 12:41:28,012 DEBUG [MainThread] Started firing stop. 2016-01-05 12:41:28,012 DEBUG [MainThread] Finished firing stop. Broker exchanges work just fine, as do the client pings. One has to be careful when trying to reproduce this bug, as there are many ways the environment values can leak into the process and invalidate the test. For example, if you have the http_proxy and https_proxy variables in root's environment, and restart the client, it will inherit those, and invalidate the test. Or let's say you have them in ubuntu's environment, and use sudo to restart the client. They won't be propagated to the daemon by default unless -E is used, and/or the proxy variables are whitelisted in /etc/sudoers. ** Description changed: [Impact] The package reporter is not getting the proxy settings set in /etc/landscape/client.conf. As a result, fetching hash-id-database file and running the SUID root /usr/lib/landscape/apt-update helper fail. Even though the binary it calls in turn fails (apt-get itself), the exit code is 0. It's only seen in the logs if using debug mode. [Test Case] Here we want to block direct access from a client to landscape.canonical.com and the ubuntu archive, forcing it to use a proxy we will setup. That's how we will determine that the bug is fixed. DO NOT set proxy environment variables, as these will be picked up by the client when it's restarted and give a false good test result. We want to be sure the values are being grabbed from the config file, and not the environment. DO NOT set proxy values in /etc/environment. * Create an ubuntu container or VM, take note of its IP address, and install the proposed landscape-client package on it. sudo apt install landscape-client Also make sure dnsutils is installed: sudo apt install dnsutils * Enable debugging on the client. Edit /etc/landscape/client.conf and make sure this line is there: log_level = debug * Block direct access to landscape.canonical.com: for ip in $(dig +short landscape.canonical.com); do sudo iptables -A OUTPUT -d $ip -j REJECT; done Do the same for your ubuntu archive or whatever mirror you are using (note: this won't work if you have ipv6 enabled): for ip in $(dig +short archive.ubuntu.com; do sudo iptables -A OUTPUT -d $ip -j REJECT; done * Confirm that this access is indeed blocked: $ telnet landscape.canonical.com 80 Trying 91.189.90.173... Trying 91.189.89.90... telnet: Unable to connect to remote host: Connection refused $ telnet landscape.canonical.com 443 Trying 91.189.89.90... Trying 91.189.90.173... telnet: Unable to connect to remote host: Connection refused * Verify that apt-get update is blocked for the archive (your ips might differ, here I'm using a mirror): $ sudo apt update (...) Err:2 http://br.archive.ubuntu.com/ubuntu xenial InRelease Cannot initiate the connection to br.archive.ubuntu.com:80 (2801:82:80ff:8000::5). - connect (101: Network is unreachable) [IP: 2801:82:80ff:8000::5 80] * In a xenial container, install the squid proxy server: sudo apt install squid3 * Take note of the IP of this container * Edit /etc/squid/squid.conf and make these changes: - locate the "#acl localnet src" block of lines and add one for the network where the landscape-client container you created before has an IP. For example: acl localnet src 10.0.0.0/8 - locate the "#http_access allow localnet" line and remove the comment: http_access allow localnet * Restart squid: sudo service squid restart * Keep tailing the squid access logs: sudo tail -f /var/log/squid/access.log * Go back to the landscape-client container * Verify that the proxy is allowing your connections, and that without the proxy it fails: ubuntu@xenial-client-sru:~$ http_proxy=http://xenial-proxy.lxd:3128/ curl http://landscape.canonical.com/ping ;echo ds5:errors19:provide insecure_id; ubuntu@xenial-client-sru:~$ curl http://landscape.canonical.com/ping ;echo curl: (7) Failed to connect to landscape.canonical.com port 80: Connection refused * Same for https: ubuntu@xenial-client-sru:~$ https_proxy=http://xenial-proxy.lxd:3128 curl https://landscape.canonical.com/message-system;echo Landscape message server ubuntu@xenial-client-sru:~$ curl https://landscape.canonical.com/message-system;echo curl: (7) Failed to connect to landscape.canonical.com port 443: Connection refused * in a terminal, tail the (still non existing) package-reporter logs: sudo tail -F /var/log/landscape/package-reporter.log * in another terminal, tail the (still non existing) broker log: sudo tail -F /var/log/landscape/broker.log * register the client with a landscape server. In this example we are going to use landscape.canonical.com and the proxy we just configured (replace <proxy> with the IP of the squid container we created above): sudo landscape-config -a <youraccount> -u https://landscape.canonical.com/message-system --ping-url http://landscape.canonical.com/ping -t sru-proxy-test --silent --http- proxy=http://<proxy>:3128/ --https-proxy=http://<proxy>:3128/ * the proxy access logs should show some activity already: 1511531199.415 1230 127.0.0.1 TCP_TUNNEL/200 4474 CONNECT landscape.canonical.com:443 - HIER_DIRECT/91.189.89.90 - 1511531229.909 485 127.0.0.1 TCP_MISS/200 357 POST http://landscape.canonical.com/ping - HIER_DIRECT/91.189.89.90 text/html That's the registration request (port 443) and the ping (port 80) * go to landscape.canonical.com, login and accept the new pending computer we just created + * monitor package-reporter.log. At some point it should log that it downloaded the hash-id-database: + 2017-11-24 14:31:24,203 INFO [MainThread] Downloaded hash=>id database from https://landscape.canonical.com/hash-id-databases/af6f2dcf-1967-11de-8dd0-001a4b4d8d10_xenial_amd64 + + Since this is via https, it will be hard to match it to a proxy access + log, but since we blocked direct access to landscape, we know this + download happened via the proxy. That's one bug fix confirmed. + [Regression Potential] Regressions in this area will basically prevent the client from fetching package information from the ubuntu archive and whatever other repositories are configured. This situation would be obvious enough by checking the lack of updates available for the registered computers, which is the problem this patch is fixing. What's important is that communication with the server would remain unaffected. Should a major regression creep in, something that prevents the client from communicating with the server, then the server would eventually issue a "computer offline" alert and the admin would have to investigate. What could be troublesome is if the only means of accessing the computer is via landscape. This should be rare, as ssh usage is widespread. [Other Info] * Upstream revision: http://bazaar.launchpad.net/~landscape/landscape-client/trunk/revision/919 This PPA has test packages built from these branches, using a ~ppaN suffix: https://launchpad.net/~ahasenack/+archive/ubuntu/lsclient-sru-1721383 --- Original description --- The package reporter is not getting the proxy settings set in /etc/landscape/client.conf. It will honor the environment variables if they are somehow set when landscape-client is started, but not if the values are just defined in that configuration file. As a result, the following fails: - fetching hash-id-database file - running the SUID root /usr/lib/landscape/apt-update helper. Even though the binary it calls in turn fails (apt-get itself), the exit code is 0. It's only seen in the logs if using debug mode. Logs from a run on a test system which is prohibited from accessing the internet directly, but does have the proxy settings in client.conf: 2016-01-05 12:41:25,678 DEBUG [MainThread] '/usr/lib/landscape/apt-update' exited with status 0 (out='Err http://archive.ubuntu.com trusty InRelease Err http://archive.ubuntu.com trusty-updates InRelease Err http://archive.ubuntu.com trusty-security InRelease Err http://archive.ubuntu.com trusty Release.gpg Unable to connect to archive.ubuntu.com:http: Err http://archive.ubuntu.com trusty-updates Release.gpg Unable to connect to archive.ubuntu.com:http: Err http://archive.ubuntu.com trusty-security Release.gpg Unable to connect to archive.ubuntu.com:http: Reading package lists... ', err='W: Failed to fetch http://archive.ubuntu.com//ubuntu/dists/trusty/InRelease W: Failed to fetch http://archive.ubuntu.com//ubuntu/dists/trusty- updates/InRelease W: Failed to fetch http://archive.ubuntu.com//ubuntu/dists/trusty- security/InRelease W: Failed to fetch http://archive.ubuntu.com//ubuntu/dists/trusty/Release.gpg Unable to connect to archive.ubuntu.com:http: W: Failed to fetch http://archive.ubuntu.com//ubuntu/dists/trusty- updates/Release.gpg Unable to connect to archive.ubuntu.com:http: W: Failed to fetch http://archive.ubuntu.com//ubuntu/dists/trusty- security/Release.gpg Unable to connect to archive.ubuntu.com:http: W: Some index files failed to download. They have been ignored, or old ones used instead. ') 2016-01-05 12:41:27,861 WARNING [MainThread] Couldn't download hash=>id database: Error 7: Failed to connect to landscape.canonical.com port 443: Connection refused 2016-01-05 12:41:28,012 DEBUG [MainThread] Started firing stop. 2016-01-05 12:41:28,012 DEBUG [MainThread] Finished firing stop. Broker exchanges work just fine, as do the client pings. One has to be careful when trying to reproduce this bug, as there are many ways the environment values can leak into the process and invalidate the test. For example, if you have the http_proxy and https_proxy variables in root's environment, and restart the client, it will inherit those, and invalidate the test. Or let's say you have them in ubuntu's environment, and use sudo to restart the client. They won't be propagated to the daemon by default unless -E is used, and/or the proxy variables are whitelisted in /etc/sudoers. ** Description changed: [Impact] The package reporter is not getting the proxy settings set in /etc/landscape/client.conf. As a result, fetching hash-id-database file and running the SUID root /usr/lib/landscape/apt-update helper fail. Even though the binary it calls in turn fails (apt-get itself), the exit code is 0. It's only seen in the logs if using debug mode. [Test Case] Here we want to block direct access from a client to landscape.canonical.com and the ubuntu archive, forcing it to use a proxy we will setup. That's how we will determine that the bug is fixed. DO NOT set proxy environment variables, as these will be picked up by the client when it's restarted and give a false good test result. We want to be sure the values are being grabbed from the config file, and not the environment. DO NOT set proxy values in /etc/environment. * Create an ubuntu container or VM, take note of its IP address, and install the proposed landscape-client package on it. sudo apt install landscape-client Also make sure dnsutils is installed: sudo apt install dnsutils * Enable debugging on the client. Edit /etc/landscape/client.conf and make sure this line is there: log_level = debug * Block direct access to landscape.canonical.com: for ip in $(dig +short landscape.canonical.com); do sudo iptables -A OUTPUT -d $ip -j REJECT; done Do the same for your ubuntu archive or whatever mirror you are using (note: this won't work if you have ipv6 enabled): for ip in $(dig +short archive.ubuntu.com; do sudo iptables -A OUTPUT -d $ip -j REJECT; done * Confirm that this access is indeed blocked: $ telnet landscape.canonical.com 80 Trying 91.189.90.173... Trying 91.189.89.90... telnet: Unable to connect to remote host: Connection refused $ telnet landscape.canonical.com 443 Trying 91.189.89.90... Trying 91.189.90.173... telnet: Unable to connect to remote host: Connection refused * Verify that apt-get update is blocked for the archive (your ips might differ, here I'm using a mirror): $ sudo apt update (...) Err:2 http://br.archive.ubuntu.com/ubuntu xenial InRelease Cannot initiate the connection to br.archive.ubuntu.com:80 (2801:82:80ff:8000::5). - connect (101: Network is unreachable) [IP: 2801:82:80ff:8000::5 80] * In a xenial container, install the squid proxy server: sudo apt install squid3 * Take note of the IP of this container * Edit /etc/squid/squid.conf and make these changes: - locate the "#acl localnet src" block of lines and add one for the network where the landscape-client container you created before has an IP. For example: acl localnet src 10.0.0.0/8 - locate the "#http_access allow localnet" line and remove the comment: http_access allow localnet * Restart squid: sudo service squid restart * Keep tailing the squid access logs: sudo tail -f /var/log/squid/access.log * Go back to the landscape-client container * Verify that the proxy is allowing your connections, and that without the proxy it fails: ubuntu@xenial-client-sru:~$ http_proxy=http://xenial-proxy.lxd:3128/ curl http://landscape.canonical.com/ping ;echo ds5:errors19:provide insecure_id; ubuntu@xenial-client-sru:~$ curl http://landscape.canonical.com/ping ;echo curl: (7) Failed to connect to landscape.canonical.com port 80: Connection refused * Same for https: ubuntu@xenial-client-sru:~$ https_proxy=http://xenial-proxy.lxd:3128 curl https://landscape.canonical.com/message-system;echo Landscape message server ubuntu@xenial-client-sru:~$ curl https://landscape.canonical.com/message-system;echo curl: (7) Failed to connect to landscape.canonical.com port 443: Connection refused * in a terminal, tail the (still non existing) package-reporter logs: sudo tail -F /var/log/landscape/package-reporter.log * in another terminal, tail the (still non existing) broker log: sudo tail -F /var/log/landscape/broker.log * register the client with a landscape server. In this example we are going to use landscape.canonical.com and the proxy we just configured (replace <proxy> with the IP of the squid container we created above): sudo landscape-config -a <youraccount> -u https://landscape.canonical.com/message-system --ping-url http://landscape.canonical.com/ping -t sru-proxy-test --silent --http- - proxy=http://<proxy>:3128/ --https-proxy=http://<proxy>:3128/ + proxy=http://<proxy>:3128/ --https-proxy=http://<proxy>:3128/ --apt- + update-interval=300 * the proxy access logs should show some activity already: 1511531199.415 1230 127.0.0.1 TCP_TUNNEL/200 4474 CONNECT landscape.canonical.com:443 - HIER_DIRECT/91.189.89.90 - 1511531229.909 485 127.0.0.1 TCP_MISS/200 357 POST http://landscape.canonical.com/ping - HIER_DIRECT/91.189.89.90 text/html That's the registration request (port 443) and the ping (port 80) * go to landscape.canonical.com, login and accept the new pending computer we just created * monitor package-reporter.log. At some point it should log that it downloaded the hash-id-database: 2017-11-24 14:31:24,203 INFO [MainThread] Downloaded hash=>id database from https://landscape.canonical.com/hash-id-databases/af6f2dcf-1967-11de-8dd0-001a4b4d8d10_xenial_amd64 Since this is via https, it will be hard to match it to a proxy access log, but since we blocked direct access to landscape, we know this download happened via the proxy. That's one bug fix confirmed. - [Regression Potential] Regressions in this area will basically prevent the client from fetching package information from the ubuntu archive and whatever other repositories are configured. This situation would be obvious enough by checking the lack of updates available for the registered computers, which is the problem this patch is fixing. What's important is that communication with the server would remain unaffected. Should a major regression creep in, something that prevents the client from communicating with the server, then the server would eventually issue a "computer offline" alert and the admin would have to investigate. What could be troublesome is if the only means of accessing the computer is via landscape. This should be rare, as ssh usage is widespread. [Other Info] * Upstream revision: http://bazaar.launchpad.net/~landscape/landscape-client/trunk/revision/919 This PPA has test packages built from these branches, using a ~ppaN suffix: https://launchpad.net/~ahasenack/+archive/ubuntu/lsclient-sru-1721383 --- Original description --- The package reporter is not getting the proxy settings set in /etc/landscape/client.conf. It will honor the environment variables if they are somehow set when landscape-client is started, but not if the values are just defined in that configuration file. As a result, the following fails: - fetching hash-id-database file - running the SUID root /usr/lib/landscape/apt-update helper. Even though the binary it calls in turn fails (apt-get itself), the exit code is 0. It's only seen in the logs if using debug mode. Logs from a run on a test system which is prohibited from accessing the internet directly, but does have the proxy settings in client.conf: 2016-01-05 12:41:25,678 DEBUG [MainThread] '/usr/lib/landscape/apt-update' exited with status 0 (out='Err http://archive.ubuntu.com trusty InRelease Err http://archive.ubuntu.com trusty-updates InRelease Err http://archive.ubuntu.com trusty-security InRelease Err http://archive.ubuntu.com trusty Release.gpg Unable to connect to archive.ubuntu.com:http: Err http://archive.ubuntu.com trusty-updates Release.gpg Unable to connect to archive.ubuntu.com:http: Err http://archive.ubuntu.com trusty-security Release.gpg Unable to connect to archive.ubuntu.com:http: Reading package lists... ', err='W: Failed to fetch http://archive.ubuntu.com//ubuntu/dists/trusty/InRelease W: Failed to fetch http://archive.ubuntu.com//ubuntu/dists/trusty- updates/InRelease W: Failed to fetch http://archive.ubuntu.com//ubuntu/dists/trusty- security/InRelease W: Failed to fetch http://archive.ubuntu.com//ubuntu/dists/trusty/Release.gpg Unable to connect to archive.ubuntu.com:http: W: Failed to fetch http://archive.ubuntu.com//ubuntu/dists/trusty- updates/Release.gpg Unable to connect to archive.ubuntu.com:http: W: Failed to fetch http://archive.ubuntu.com//ubuntu/dists/trusty- security/Release.gpg Unable to connect to archive.ubuntu.com:http: W: Some index files failed to download. They have been ignored, or old ones used instead. ') 2016-01-05 12:41:27,861 WARNING [MainThread] Couldn't download hash=>id database: Error 7: Failed to connect to landscape.canonical.com port 443: Connection refused 2016-01-05 12:41:28,012 DEBUG [MainThread] Started firing stop. 2016-01-05 12:41:28,012 DEBUG [MainThread] Finished firing stop. Broker exchanges work just fine, as do the client pings. One has to be careful when trying to reproduce this bug, as there are many ways the environment values can leak into the process and invalidate the test. For example, if you have the http_proxy and https_proxy variables in root's environment, and restart the client, it will inherit those, and invalidate the test. Or let's say you have them in ubuntu's environment, and use sudo to restart the client. They won't be propagated to the daemon by default unless -E is used, and/or the proxy variables are whitelisted in /etc/sudoers. ** Description changed: [Impact] The package reporter is not getting the proxy settings set in /etc/landscape/client.conf. As a result, fetching hash-id-database file and running the SUID root /usr/lib/landscape/apt-update helper fail. Even though the binary it calls in turn fails (apt-get itself), the exit code is 0. It's only seen in the logs if using debug mode. [Test Case] Here we want to block direct access from a client to landscape.canonical.com and the ubuntu archive, forcing it to use a proxy we will setup. That's how we will determine that the bug is fixed. DO NOT set proxy environment variables, as these will be picked up by the client when it's restarted and give a false good test result. We want to be sure the values are being grabbed from the config file, and not the environment. DO NOT set proxy values in /etc/environment. * Create an ubuntu container or VM, take note of its IP address, and install the proposed landscape-client package on it. sudo apt install landscape-client Also make sure dnsutils is installed: sudo apt install dnsutils * Enable debugging on the client. Edit /etc/landscape/client.conf and make sure this line is there: log_level = debug * Block direct access to landscape.canonical.com: for ip in $(dig +short landscape.canonical.com); do sudo iptables -A OUTPUT -d $ip -j REJECT; done Do the same for your ubuntu archive or whatever mirror you are using (note: this won't work if you have ipv6 enabled): for ip in $(dig +short archive.ubuntu.com; do sudo iptables -A OUTPUT -d $ip -j REJECT; done * Confirm that this access is indeed blocked: $ telnet landscape.canonical.com 80 Trying 91.189.90.173... Trying 91.189.89.90... telnet: Unable to connect to remote host: Connection refused $ telnet landscape.canonical.com 443 Trying 91.189.89.90... Trying 91.189.90.173... telnet: Unable to connect to remote host: Connection refused * Verify that apt-get update is blocked for the archive (your ips might differ, here I'm using a mirror): $ sudo apt update (...) Err:2 http://br.archive.ubuntu.com/ubuntu xenial InRelease Cannot initiate the connection to br.archive.ubuntu.com:80 (2801:82:80ff:8000::5). - connect (101: Network is unreachable) [IP: 2801:82:80ff:8000::5 80] * In a xenial container, install the squid proxy server: sudo apt install squid3 * Take note of the IP of this container * Edit /etc/squid/squid.conf and make these changes: - locate the "#acl localnet src" block of lines and add one for the network where the landscape-client container you created before has an IP. For example: acl localnet src 10.0.0.0/8 - locate the "#http_access allow localnet" line and remove the comment: http_access allow localnet * Restart squid: sudo service squid restart * Keep tailing the squid access logs: sudo tail -f /var/log/squid/access.log * Go back to the landscape-client container * Verify that the proxy is allowing your connections, and that without the proxy it fails: ubuntu@xenial-client-sru:~$ http_proxy=http://xenial-proxy.lxd:3128/ curl http://landscape.canonical.com/ping ;echo ds5:errors19:provide insecure_id; ubuntu@xenial-client-sru:~$ curl http://landscape.canonical.com/ping ;echo curl: (7) Failed to connect to landscape.canonical.com port 80: Connection refused * Same for https: ubuntu@xenial-client-sru:~$ https_proxy=http://xenial-proxy.lxd:3128 curl https://landscape.canonical.com/message-system;echo Landscape message server ubuntu@xenial-client-sru:~$ curl https://landscape.canonical.com/message-system;echo curl: (7) Failed to connect to landscape.canonical.com port 443: Connection refused * in a terminal, tail the (still non existing) package-reporter logs: sudo tail -F /var/log/landscape/package-reporter.log * in another terminal, tail the (still non existing) broker log: sudo tail -F /var/log/landscape/broker.log * register the client with a landscape server. In this example we are going to use landscape.canonical.com and the proxy we just configured (replace <proxy> with the IP of the squid container we created above): sudo landscape-config -a <youraccount> -u https://landscape.canonical.com/message-system --ping-url http://landscape.canonical.com/ping -t sru-proxy-test --silent --http- proxy=http://<proxy>:3128/ --https-proxy=http://<proxy>:3128/ --apt- update-interval=300 * the proxy access logs should show some activity already: 1511531199.415 1230 127.0.0.1 TCP_TUNNEL/200 4474 CONNECT landscape.canonical.com:443 - HIER_DIRECT/91.189.89.90 - 1511531229.909 485 127.0.0.1 TCP_MISS/200 357 POST http://landscape.canonical.com/ping - HIER_DIRECT/91.189.89.90 text/html That's the registration request (port 443) and the ping (port 80) * go to landscape.canonical.com, login and accept the new pending computer we just created * monitor package-reporter.log. At some point it should log that it downloaded the hash-id-database: 2017-11-24 14:31:24,203 INFO [MainThread] Downloaded hash=>id database from https://landscape.canonical.com/hash-id-databases/af6f2dcf-1967-11de-8dd0-001a4b4d8d10_xenial_amd64 Since this is via https, it will be hard to match it to a proxy access log, but since we blocked direct access to landscape, we know this download happened via the proxy. That's one bug fix confirmed. + + * also in package-reporter.log, keep an eye out for the apt run. Something like this indicates it worked: + 2017-11-24 14:35:17,736 DEBUG [MainThread] '/usr/lib/landscape/apt-update' exited with status 0 (out='Hit:1 http://br.archive.ubuntu.com/ubuntu xenial InRelease + Hit:2 http://br.archive.ubuntu.com/ubuntu xenial-updates InRelease + Hit:3 http://br.archive.ubuntu.com/ubuntu xenial-backports InRelease + Hit:4 http://br.archive.ubuntu.com/ubuntu xenial-security InRelease + Reading package lists... + ', err='') + i.e., no error reported + + There should also be matching entries in the proxy access logs: + 1511534116.438 27 10.0.100.95 TCP_MISS/304 251 GET http://br.archive.ubuntu.com/ubuntu/dists/xenial/InRelease - HIER_DIRECT/200.236.31.4 - + 1511534116.442 3 10.0.100.95 TCP_MISS/304 251 GET http://br.archive.ubuntu.com/ubuntu/dists/xenial-updates/InRelease - HIER_DIRECT/200.236.31.4 - + 1511534116.445 3 10.0.100.95 TCP_MISS/304 251 GET http://br.archive.ubuntu.com/ubuntu/dists/xenial-backports/InRelease - HIER_DIRECT/200.236.31.4 - + 1511534116.449 3 10.0.100.95 TCP_MISS/304 251 GET http://br.archive.ubuntu.com/ubuntu/dists/xenial-security/InRelease - HIER_DIRECT/200.236.31.4 - + + That confirms that apt-update was given the proxy information by + landscape from the package-reporter, and confirms that the package- + reporter got the proxy information. + + These two verifications (hash-id download, and apt update run) confirm + this bug is fixed. + + [Regression Potential] Regressions in this area will basically prevent the client from fetching package information from the ubuntu archive and whatever other repositories are configured. This situation would be obvious enough by checking the lack of updates available for the registered computers, which is the problem this patch is fixing. What's important is that communication with the server would remain unaffected. Should a major regression creep in, something that prevents the client from communicating with the server, then the server would eventually issue a "computer offline" alert and the admin would have to investigate. What could be troublesome is if the only means of accessing the computer is via landscape. This should be rare, as ssh usage is widespread. [Other Info] * Upstream revision: http://bazaar.launchpad.net/~landscape/landscape-client/trunk/revision/919 This PPA has test packages built from these branches, using a ~ppaN suffix: https://launchpad.net/~ahasenack/+archive/ubuntu/lsclient-sru-1721383 --- Original description --- The package reporter is not getting the proxy settings set in /etc/landscape/client.conf. It will honor the environment variables if they are somehow set when landscape-client is started, but not if the values are just defined in that configuration file. As a result, the following fails: - fetching hash-id-database file - running the SUID root /usr/lib/landscape/apt-update helper. Even though the binary it calls in turn fails (apt-get itself), the exit code is 0. It's only seen in the logs if using debug mode. Logs from a run on a test system which is prohibited from accessing the internet directly, but does have the proxy settings in client.conf: 2016-01-05 12:41:25,678 DEBUG [MainThread] '/usr/lib/landscape/apt-update' exited with status 0 (out='Err http://archive.ubuntu.com trusty InRelease Err http://archive.ubuntu.com trusty-updates InRelease Err http://archive.ubuntu.com trusty-security InRelease Err http://archive.ubuntu.com trusty Release.gpg Unable to connect to archive.ubuntu.com:http: Err http://archive.ubuntu.com trusty-updates Release.gpg Unable to connect to archive.ubuntu.com:http: Err http://archive.ubuntu.com trusty-security Release.gpg Unable to connect to archive.ubuntu.com:http: Reading package lists... ', err='W: Failed to fetch http://archive.ubuntu.com//ubuntu/dists/trusty/InRelease W: Failed to fetch http://archive.ubuntu.com//ubuntu/dists/trusty- updates/InRelease W: Failed to fetch http://archive.ubuntu.com//ubuntu/dists/trusty- security/InRelease W: Failed to fetch http://archive.ubuntu.com//ubuntu/dists/trusty/Release.gpg Unable to connect to archive.ubuntu.com:http: W: Failed to fetch http://archive.ubuntu.com//ubuntu/dists/trusty- updates/Release.gpg Unable to connect to archive.ubuntu.com:http: W: Failed to fetch http://archive.ubuntu.com//ubuntu/dists/trusty- security/Release.gpg Unable to connect to archive.ubuntu.com:http: W: Some index files failed to download. They have been ignored, or old ones used instead. ') 2016-01-05 12:41:27,861 WARNING [MainThread] Couldn't download hash=>id database: Error 7: Failed to connect to landscape.canonical.com port 443: Connection refused 2016-01-05 12:41:28,012 DEBUG [MainThread] Started firing stop. 2016-01-05 12:41:28,012 DEBUG [MainThread] Finished firing stop. Broker exchanges work just fine, as do the client pings. One has to be careful when trying to reproduce this bug, as there are many ways the environment values can leak into the process and invalidate the test. For example, if you have the http_proxy and https_proxy variables in root's environment, and restart the client, it will inherit those, and invalidate the test. Or let's say you have them in ubuntu's environment, and use sudo to restart the client. They won't be propagated to the daemon by default unless -E is used, and/or the proxy variables are whitelisted in /etc/sudoers. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1531150 Title: package-reporter doesn't get proxy settings from client.conf To manage notifications about this bug go to: https://bugs.launchpad.net/landscape-client/+bug/1531150/+subscriptions -- ubuntu-bugs mailing list [email protected] https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
