[12:03] <rbasak> $ sudo canonical-livepatch status
[12:03] <rbasak> uptime: 598h20m30s
[12:03] <rbasak> ^ that's wrong - `uptime` reports 24 days, 22:21
[12:03] <rbasak> And also
[12:03] <rbasak>     patchState: apply-failed
[12:03] <rbasak> Anything I should look at before I lose state by rebooting?
[12:04] <rbasak> http://paste.ubuntu.com/p/gNKr4YPdhB/
[13:37] <TJ-> rbasak: uptime seems correct; 24 days x 24 = 576 + 22 hours 
[13:37] <rbasak> TJ-: oh. Thanks. I saw 598 and didn't pay attention to the units.
[13:37] <TJ-> :)
[13:38] <TJ-> yeah, at first glance I thought "wow" !
[13:39] <rbasak> I found some logs (on "apply-failed"): https://paste.ubuntu.com/p/F4mYrd45Tc/
[13:41] <rbasak> It's been doing that a while. https://paste.ubuntu.com/p/td7qYQ9SjZ/ is when it seems to have started.
[13:42] <rbasak> https://askubuntu.com/q/1152398/7808 is the only Google hit with the same problem - no answer currently.
[13:44] <rbasak> Seems too much of a coincidence that both of us had it happen on exactly the same day.
[13:47] <TJ-> we've been seeing a lot of reports of livepatch failures in #ubuntu for the last 2 weeks. Originally we thought it was a server connection issue but canonical-sysadmin couldn't see any problems. We asked some users to report bugs but I think they were lazy :)
[13:48]  * rbasak is writing up a bug
[13:52] <rbasak> https://bugs.launchpad.net/canonical-livepatch-client/+bug/1833566
[15:10] <apw> ben_r: ^
[15:32]  * ben_r will take a look at it
[15:37] <ben_r> rbasak, I am confused, your text says 4.4.0.151.159, did you mean 151.178? Also, that is not the kernel that was running, you were on 4.4.0-148.174 at the time right?
[15:38] <rbasak> ben_r: otp sorry, back in a bit
[15:38] <ben_r> np
[15:46] <rbasak> ben_r: ah, I see the confusion
[15:47] <ben_r> rbasak, np I think I've figured it out. Is this system running with secure boot enabled?
[15:53] <rbasak> ben_r: I think so. I have grub-efi-amd64-signed installed. Is there a way to verify?
[15:55] <ben_r> rbasak, mokutil --sb-state
[15:55] <ben_r> if that is enabled, did you enroll the livepatch key?
[15:55] <rbasak> SecureBoot enabled
[15:56] <rbasak> ben_r: I believe livepatch has been working correctly for a long time prior to that error
[15:56] <rbasak> ben_r: eg: https://paste.ubuntu.com/p/xBQBZD7tpd/
[15:56] <rbasak> ben_r: so I think it was all enrolled correctly, yes.
[15:56] <rbasak> ben_r: I recall seeing patches applied in previous calls to "status" (in previous boots)
[15:57] <rbasak> your text says 4.4.0.151.159> because that's the kernel package currently installed, not the one running
[15:59] <ben_r> rbasak, OK, that doesn't do anything to livepatch though. :)  you can list the enrolled keys with "mokutil --list-enrolled". If there's a key enrolled you'll see one with the Subject field "        Issuer: CN=Canonical Ltd. Live Patch Signing"
[15:59] <rbasak> MokListRT is empty
[16:00] <ben_r> rbasak, any chance the system's BIOS was updated recently? that can trash keys sometimes
[16:01] <rbasak> I have only rebooted once in months, and I believe livepatch was working before the reboot.
[16:01] <rbasak> The reboot itself seemed to be completely normal - I didn't enter the BIOS or anything.
[16:01] <rbasak> The reason I rebooted was some kind of kernel bug though.
[16:03] <rbasak> https://irclogs.ubuntu.com/2019/05/24/%23ubuntu-server.html#t18:29 was what happened that caused me to reboot
[16:04] <rbasak> I suppose it's possible that fwupd might have done something though perhaps, and the reboot caused a new BIOS fw version to run?
[16:04] <rbasak> I don't remember having done that though.
[16:04] <rbasak> And on this machine I always update/upgrade manually
[16:06] <rbasak> "Earlier I sent SIGSTOP to firefox and snap related process, so I can't run livepatch right now."
[16:06] <rbasak> I did that before rebooting.
[16:06] <rbasak> Could that have broken livepatch - by it not being able to "shut down" properly?
[16:07] <rbasak> Also "canonical-livepatch status" hangs, but I don't know if I caused that by interfering with it earlier. <-- also before my reboot
[16:08] <ben_r> rbasak, it's likely that it would have stopped it from doing anything else, but that wouldn't break livepatch. The next time the system boots it would have started normally.
[16:10] <ben_r> I think the lack of keys is the problem here, on secure boot the kernel won't let you load anything that isn't signed with a key it recognises. I don't know where your keys went, but there should be at least the one used to boot the system listed