Ubuntu – “kernel-upgrade-required” is not one of applied, apply-failed, unapplied, needs-check, nothing-to-apply, unknown, check-failed

canonical-livepatch

FYI: Canonical's bug tracker has a bug in it on launchpad.net, so I'm incapable of posting this bug on their platform. Canonical decided not to provide direct support, so this security flaw is now being released into the wild so they have to do something about it.

Before we begin, I've marked this as a security vulnerability simply because the whole purpose of canonical-livepatch is to keep the system secure, and with this bug, it's incapable of doing so.

All of our machines are reporting an HTTP 400 error when using their respective URL for the live patch service.

The canonical-livepatch tool runs automatically after being configured as per the instructions on the Canonical website. Whenever it runs, it sends us the following error in our alerts.log file from OSSEC.

canonical-livepatch[31251]: during refresh: cannot check: Bad server status code: 400. URL: https://livepatch.canonical.com/api/machine/[REDACTED MACHINE TOKEN] {"details": {"Status.0.Livepatch.State": "\"kernel-upgrade-required\" is not one of applied, apply-failed, unapplied, needs-check, nothing-to-apply, unknown, check-failed"}, "error": "Invalid payload"}

Running an "apt-get update" and then "apt-get upgrade" does not yield any upgradable Linux kernels. Presumably your software is out of sync with the API server. If that's not the case, please let me know if there's some way for me to fix it on our end.

When I try to do it manually, here's what it says:

$ sudo canonical-livepatch refresh
Before refresh:

kernel: 4.15.0-29.31-generic
fully-patched: false
version: "42.1"

After refresh:

kernel: 4.15.0-29.31-generic
fully-patched: false
version: "42.1"

Here's the config dump:

$ sudo canonical-livepatch config
http-proxy: ""
https-proxy: ""
no-proxy: ""
remote-server: https://livepatch.canonical.com
ca-certs: ""
check-interval: 60  # minutes

Best Answer

I'm not sure what your question is, but there is a difference between the following two commands:

apt-get upgrade
apt-get dist-upgrade

Typically (or always?), upgrade will not install new kernels, whereas dist-upgrade will.

From the apt-get man page:

   upgrade
       upgrade is used to install the newest versions of all packages
       currently installed on the system from the sources enumerated in
       /etc/apt/sources.list. Packages currently installed with new
       versions available are retrieved and upgraded; under no
       circumstances are currently installed packages removed, or packages
       not already installed retrieved and installed. New versions of
       currently installed packages that cannot be upgraded without
       changing the install status of another package will be left at
       their current version. An update must be performed first so that
       apt-get knows that new versions of packages are available.

   dist-upgrade
       dist-upgrade in addition to performing the function of upgrade,
       also intelligently handles changing dependencies with new versions
       of packages; apt-get has a "smart" conflict resolution system, and
       it will attempt to upgrade the most important packages at the
       expense of less important ones if necessary. The dist-upgrade
       command may therefore remove some packages. The
       /etc/apt/sources.list file contains a list of locations from which
       to retrieve desired package files. See also apt_preferences(5) for
       a mechanism for overriding the general settings for individual
       packages.

Confusingly, apt upgrade is different from apt-get upgrade. I believe apt upgrade is the same as apt-get dist-upgrade.

Rick also says he is using the following command:

sudo apt-get upgrade linux-generic linux-headers-generic linux-image-generic

However, the following should suffice:

sudo apt-get upgrade linux-generic

The above will upgrade all packages, and will install any new packages required by the latest version of linux-generic. (And linux-generic depends on linux-headers-generic and linux-image-generic.)

Alternatively, if you only want to install the most recent linux-generic (and its dependencies), and not upgrade any other packages, consider:

sudo apt-get install linux-generic
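
The following is an added example, not part of the original question or answer. It shows one way to detect the situation described above, where a plain `apt-get upgrade` keeps the kernel metapackages back instead of installing a new kernel. The sample apt output is constructed, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: not from the original question or answer.

# Constructed sample of `LC_ALL=C apt-get -s upgrade` output on a host where
# the kernel metapackages need new packages and are therefore kept back.
sample_upgrade_output() {
    cat <<'EOF'
Reading package lists... Done
Building dependency tree
Reading state information... Done
Calculating upgrade... Done
The following packages have been kept back:
  linux-generic linux-headers-generic linux-image-generic
The following packages will be upgraded:
  libssl1.1 openssl
2 upgraded, 0 newly installed, 0 to remove and 3 not upgraded.
EOF
}

# Hypothetical helper: reads apt-get simulation output on stdin and prints,
# one per line, the kernel packages listed in the "kept back" section.
kept_back_kernel_pkgs() {
    awk '
        /^The following packages have been kept back:/ { in_list = 1; next }
        # Package names are indented; the next unindented line ends the list.
        in_list && /^[^ ]/ { in_list = 0 }
        in_list {
            for (i = 1; i <= NF; i++)
                if ($i ~ /^linux-(generic|image|headers|modules)/) print $i
        }
    '
}

# Hypothetical helper: exit status 0 when a kernel package is being kept back.
kernel_upgrade_held() {
    [ -n "$(kept_back_kernel_pkgs)" ]
}

# Demo on the constructed sample. On a real host, pipe in the live simulation:
#   LC_ALL=C apt-get -s upgrade | kept_back_kernel_pkgs
if sample_upgrade_output | kernel_upgrade_held; then
    echo "kernel packages kept back by 'apt-get upgrade':"
    sample_upgrade_output | kept_back_kernel_pkgs
fi
```

If the function prints any package names, the kernel will only move forward with `apt-get dist-upgrade` or `apt-get install linux-generic`, as the answer describes.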