[SRU] ubuntu-advantage-tools (10ubuntu0.16.04.1 -> 27.0) Xenial, Bionic, Focal, Hirsute

[Impact]

Ubuntu 16.04 reaches its end of standard support this week. After this time, Canonical customers can continue receiving security updates through ESM. No other updates are expected. To enable ESM, users need the ubuntu-advantage-tools package to provide the ua command, and this package needs updating to correctly interact with the ESM archives. Without this, users will have no opportunity to continue receiving updates.

Due to the urgency of this infrastructional update to maintain continuity of security updates for Ubuntu users transitioning over to ESM for 16.04, and in consideration of the limitation of regression risk as noted below, we (Steve and Robie) have decided to waive the usual 7 day aging period, as well as the usual reluctance to release on a Friday.

The notable changes are:
   * Xenial and Bionic:
     - New Python-based client to automatically setup livepatch, fips, esm-infra, esm-apps using a single UA contract token from https://ubuntu.com/advantage. This is a backward incompatible transition from the previous shell-based ubuntu-advantage commands to the new Python-based "ua" command.

   * For all Ubuntu releases:
     - APT command and MOTD messaging hooks about available esm-infra and esm-apps package upgrades and ESM-infra availability on Ubuntu releases entering Extended Security Maintenance (Xenial)
     - FIPS and FIPS-updates support
     - New “ua fix” subcommand to allow fixing individual CVE or USN security issues.
     - New “ua help” command to give information about the available products the “ua” command can enable.
     - Notices section in “ua status” about outstanding configuration changes needed to apply configuration changes as a result of Ubuntu Advantage services

See the changelog entry below for a full list of changes and bugs.

[Test Case]

The following development and SRU process was followed:

    https://wiki.ubuntu.com/UbuntuAdvantageToolsUpdate

The ubuntu-advantage-tools team will be in charge of attaching the artifacts and console output of the appropriate run to the bug. ubuntu-advantage-tools team members will not mark ‘verification-done’ until this has happened.

    * Automated Test Results

Logs added for all Xenial tests. Xenial is a pass.

<TODO Bionic-> Hirsute verification tomorrow>
Attach or link the following automated integration test runs for ubuntu-advantage-tools on each affected LTS release:
- lxd.container platform
- lxd.kvm platform
- AWS Ubuntu PRO
- AWS Ubuntu cloud-images (non-Pro)
- Azure Ubuntu PRO
- Azure Ubuntu cloud-images (non-Pro)
- GCP Ubuntu PRO
- GCP Ubuntu cloud-images (non-Pro)
</TODO>

    * Manual Test Runs
        1. Manual upgrade enabled livepatch/fips bash client -> retains enabled service attachment to APT repos/livepatch without running `ua attach
        2. Manual update enabled livepatch/FIPS bash client -> ua attach token -> retains enabled livepatch/FIPS services
Verification Script 1 & 2: https://github.com/canonical/ubuntu-advantage-client/blob/main/tools/test_xenial_upgrade.sh
        3. Upgrade Test Trusty released UA client -> Xenial

    * <TODO: attach manual upgrade path test from previous LTS to current -proposed release>

[Where problems could occur]

Extensive integration testing has been done to try to mitigate regression potential. This section evaluates if issues do arise, where they may appear.

Since Ubuntu 16.04 will be at the end of standard support, security updates will be ending for non-ESM users. These users will already need to upgrade to a newer LTS, thus limiting our regression concerns.

In a worst case scenario, if the update goes wrong it potentially could break: 1) users not interested in ESM, shortly before no other source of updates are available for 16.04; 2) users who wish to enable ESM, but in a manner that prevents ESM from being enabled.

The list below represents places where this update could cause regressions:

* apt hook messages not working properly resulting in error messages from ubuntu-advantage-tools apt hooks. apt will still exit 0 in these cases

* MOTD hooks during error conditions omitting messages about available esm package updates.

[ Known issues ]

* The CLI for the “ua” command has changed, by design.
It is possible that existing UA users have scripted use of this command, for example to enable UA on new cloud instances. We don’t think this type of breakage is likely. Therefore we have concluded that this deliberate behavioural change is acceptable, and this decision has been approved by Steve and Robie wearing their TB hats.

Justification:
These are intentional usage decisions that enabled adding and updating functionality for the client. Given the lack of previous usage and lack of risk for breaking or causing issues on the system it’s deemed safe and an improvement for the users going forward that needed to be done.

* Logs of a successful run show a traceback that confuses users.
https://github.com/canonical/ubuntu-advantage-client/issues/1586

Justification:
While the traceback is surprising there is no harm to the system or the configuration of the UA products. We agree to clean this in a subsequent point release.

* trusty upgrade to xenial will result in esm-infra being disabled
https://github.com/canonical/ubuntu-advantage-client/issues/1590

Justification:
Trusty ESM has ended as of April 23, 2021. This means users affected are beyond extended support. Trusty ESM users are a niche user base with very low volume and requiring a documented upgrade step is deemed to be acceptable from a product management perspective.

* This has been documented in the FAQ section of the UA Client documentation at: https://discourse.ubuntu.com/t/ubuntu-advantage-client/21788

* Customers using the following cloud-config userdata will have to update to use the new cmdline client 'ua attach', 'ua enable' commands.

   #cloud-config
     ubuntu_advantage:
         commands: XXX
     runcmd:
         ubuntu-advantage enable-fips

Justification:
There is no harm to the system in using the old behavior. The scope of impacted users is very small as much of the functionality that is used did not exist before this version of the UA client. This has been documented in the UA Client FAQ documentation at https://discourse.ubuntu.com/t/ubuntu-advantage-client/21788

* autopkgtest regressions with update-motd pkg, will file an update excuses tag. not going to resolve it in ubuntu-advantage-tools

Justification:
This autopkgtest failure will occurr any time ua-tools adds a new /etc/update-motd.d file since the previous version of ua-tools in <release>-updates pocket will not contain that file. https://bugs.launchpad.net/ubuntu/+source/update-motd/+bug/1926660.Resolve to update-excuses tag on this and expect autokpkgtest failures to go away after publish to -updates

* package build failures on i386 focal, groovy, hirsute and impish due to inability to install golang-1.14-go build dependency. This is a known issue and considered unsupported build architecture on Focal and newer
https://bugs.launchpad.net/ubuntu/+source/ubuntu-advantage-tools/+bug/1926361

[Changelog for release delta]

ubuntu-advantage-tools (27.0~16.04.1) xenial; urgency=medium

  * New upstream release 27.0: (LP: #1926361)
    - apt-hook: mitigate failures with true
    - messages: add optional (s) to apt messaging to include
      singular/plural pkgs
    - apt-hook: avoid reporting and counting duplicate package
      names (GH: #1578)
    - fix: don't say reboot required when unnecessary (LP: #1926183)
    - test: uncomment additional xenial upgrade tests

 -- Lucas Moura <email address hidden> Tue, 27 Apr 2021 15:31:06 -0300

ubuntu-advantage-tools (27.0~21.04.1~beta3) hirsute; urgency=medium

  * New upstream beta3 release:
    - config: avoid tracebacks on invalid features value in uaclient.conf
      (GH: #1564)
    - apt-hook: new json hook for security update counts
    - Remove redundant messaging from uaclient

 -- Chad Smith <email address hidden> Fri, 23 Apr 2021 15:28:44 -0600

ubuntu-advantage-tools (27.0~21.04.1~beta2) hirsute; urgency=medium

  * d/control:
    - add distro-info dependency
    - add new debianutils dependency
    - add optional dh-systemd | debhelper (>= 13.3) to fallback on hirsute
      and later when dh-systemd is not present
  * d/rules: enable and start ua-messaging.timer on package install
  * d/postinst:
    - configure esm on any LTS release avoid beta services
    - configure esm-infra when is_active_esm and apps on LTS
    - xenial enable unauthenticated apt source for apps/infra
  * New upstream release 27.0~beta:
    - apt-hook:
      + adapt hook to process separate message templates
      + esm-apps and esm-infra pkg counts not mutually-exclusive
      + print static messages on apt upgrade/dist-upgrade (GH: #1546)
    - config: create settings_overrides on config (GH: #1507)
    - docs: add entry for uploading new version to ppa
    - esm:
      + add pin never when disabling esm-infra/apps on xenial
      + enable infra when EOL LTS and apps on all LTS (GH: #1558)
    - fips: add notice when installing over old fips
    - fix:
      + add links to ubuntu.com/gcp/aws in messaging when on non-PRO
      + add notice to reboot operation on ua fix
      + do not prompt user for beta services (GH: #1544)
      + notify users if reboot is required (GH: #1476)
      + update how the expired token logic works
      + wrap output greater than 80 chars (GH: #1487)
    - lib: fix notice handling on reboot script
    - messages
      + provide static message files for use in APT and MOTD
      + update_ua_messages on attach/detach/disable
    - mypy: add lib/ dir for coverage
    - status: do not remove notices on non-root call (GH: #1518)
    - subp: separate % format strings when logging (GH: #1520)
    - systemd: add ua-messaging.timer to update ua MOTD and APT msgs
    - update-motd.d: add conditional hooks for motd to source ua messages
    - util: add is_lts and is_active_esm funtions to support ESM
    - test
      + add integration tests asserting esm-apps setup due to postinst
      + manual test script for xenial upgrade
      + trusty and xenial infra and apps disabled in pkg install
    - behave: use unaltered cloud images unsetting UACLIENT_BEHAVE_PPA
    - jenkins: make lint and style stage run sequentially

 -- Lucas Moura <email address hidden> Thu, 22 Apr 2021 14:16:26 -0300

ubuntu-advantage-tools (27.0~21.04.1~beta) hirsute; urgency=medium

  * d/*: prefix all the debhelper conf files with the package name
  * d/control:
    - add Rules-Requires-Root: no
    - bump Standards-Version to 4.5.1
    - make ubuntu-advantage-pro Architecture: all
  * d/lintian-overrides:
    - override maintainer-script-calls-service
    - package-supports-alternative-init-but-no-init.d-script
  * d/postinst: move the u-a-pro note to a config script
  * d/ubuntu-advantage-tools.templates: suggest the use of apt
  * New upstream release 27.0~beta:
    - apt: add retry for apt-helper command (GH: #1431)
    - cli: drop subcommand repeated help output, fix enable & refresh
      (GH: #1440)
    - config:
      + allow parsing yaml delivered from env values
      + environment variable support for feature overrides (GH: #1395)
      + create config to add extra params to security url
    - docs:
      + add ppas and fix typos
      + use Ubuntu Pro not Ubuntu PRO
      + add stop "." punctuation to messages (GH: #1320)
    - fips: fix FIPS message when disable operation fails
    - fix:
      + add basic UASecurityClient to which queries CVE and USNs
      + add security_url to config
      + check if service is enabled during ua fix (GH: #1462)
      + closer representation of cve and usn responses
      + filter usns by cve details (GH: #1470)
      + fix regex to be more permissive and strict
      + get_cve_affected_source_packages_status won't list not-affected
        (GH: #1467)
      + handle other package status when running ua fix (GH: #1435)
      + improve error message for ua fix (GH: #1420)
      + install pkg fixes when they are on standard pocket (GH: #1401)
      + move timeout and retries to security client only
      + only prompt for subscription attach for UA-related pkg updates
      + parse all related USNS to a given CVE when fixing
      + parse full API responses for related CVEs and USNs
      + prefer USN.release_packages binary pkg versions to CVE src ver
        (GH: #1436)
      + prompt for new ua token when expired one is used (GH: #1475)
      + prompt to emit pro suggestion on pro_clouds if unattached (GH: #1386)
      + prompt to enable service during ua fix (GH: #1455)
      + provide related CVE URLs instead of USNs (GH: #1456)
      + raise errors when source_link is null or unexpected format
      + show packages that were not fixed in the output
      + update output for released packages in ua fix (GH: #1438)
      + update message for invalid issue in ua fix (GH: #1433)
      + use pocket values from USNs (GH: #1439)
    - logs: emit error response on API errors and redact sensitive logs
      (GH: #1424)
    - serviceclient: add 10 second timeout and two retries to API calls
      (GH: #1374)
    - util:
      + add error prompts on invalid selection
      + add timeout to readurl
    - tests:
      + Add disable_auto_attach config to all test PRO vms
      + add merge_usn_released_binary_package_versions tests
      + add unittest coverage for override_usn_release_package_status
      + drop traceback checks on fips integration tests
      + refactor integration tests for ua fix cmd
      + run status wait before detach in PRO tests
      + use ssh to run commands on lxd containers
    - jenkins: archiveArtifacts can only reference paths within workspace

 -- Lucas Moura <email address hidden> Tue, 30 Mar 2021 14:16:03 -0300

ubuntu-advantage-tools (26.3~21.04.1) hirsute; urgency=medium

  * d/control: add new debianutils dependency
  * New upstream release 26.3
    - util: improve is_container check for chroot
    - cli: pass assume_yes param to services on detach (GH: #1530)

 -- Grant Orndorff <email address hidden> Tue, 06 Apr 2021 14:26:20 -0300

ubuntu-advantage-tools (26.2) hirsute; urgency=medium

  * Drop dh-systemd build dependency.

 -- Matthias Klose <email address hidden> Wed, 10 Mar 2021 16:54:12 +0100

ubuntu-advantage-tools (26.2~21.04.1) hirsute; urgency=medium

  * status: show beta services in status if enabled (GH: #1410)

 -- Lucas Moura <email address hidden> Tue, 02 Mar 2021 10:11:53 -0300

ubuntu-advantage-tools (26.1~21.04.1) hirsute; urgency=medium

  * New upstream release 26.1
     - contract: block detach call to contract if machine-id change
     - docs: add readme docs about mastering clean golden images
     - fips: add reboot notices for fips operations (GH: #1368)
     - livepatch: add retry when running canonical-livepatch status
       (GH: #1360)
     - util: use lru_cache to avoid re-reading os-release and machine-id
       (GH: #1329)
     - tests:
       + add disable_auto_attach config to all test PRO vms
       + add more log artifacts during failed integration test
       + check cloudinit status after launching image
       + mock leaking livepatch.application_status for fips test
       + retry package installs on apt exit 100
     - jenkins: parameterize build stages to avoid parallel job collision

 -- Lucas Moura <email address hidden> Fri, 19 Feb 2021 10:30:22 -0300

ubuntu-advantage-tools (26.0.1~21.04.1) hirsute; urgency=medium

  * auto-attach: fix comparing numeric iid

 -- Lucas Moura <email address hidden> Fri, 05 Feb 2021 14:10:09 -0300

ubuntu-advantage-tools (26.0~21.04.1) hirsute; urgency=medium

  * New upstream release 26.0:
    - auto-attach: systemd unit to run before ua-reboot-cmds.service
    - config: remove_notice should remove notices.json when empty
    - fips:
      + add notice if running a deactivated FIPS kernel (GH: #1348)
      + block enabling FIPS on clouds using Xenial
      + block enabling fips on GCP instances
      + check /proc/sys/crypto/fips_enable to see if fips is enabled
      + override fips metapackage when on bionic cloud
      + update metapackage override logic on fips
    - notices: clear lock file and notice when encountering any exception
      (GH: #1326)
    - reboot_cmds: retry on lock held errors due to pro auto-attach
    - services: allow uaclient to disable services during enable
    - status: include beta services in json formatted output with --all
      (GH: #1341)
    - tests:
      + add FIPS tests to AWS and Azure bionic images
      + add GCP pro test for focal machine
      + add after_step collection of artifacts on failure
      + remove proc file check after disabling fips
      + pro: block auto-attach with cloud-config bootcmd
      + add validation of systemd unit ua-reboot-cmds.service
      + test enabling fips-updates when fips is enabled
    - jenkins:
      - add deb build stage to assert package builds
      - use series-specific sbuild --build-dir avoid races
      - use --append-to-version for each sbuild run to avoid races
      - presume success when no integration artifacts created

 -- Lucas Moura <email address hidden> Thu, 04 Feb 2021 16:34:56 -0300

ubuntu-advantage-tools (26.0~21.04.1~beta) hirsute; urgency=medium

  * d/rules:
    - add --with systemd to allow reboot init script
    - do not remove lib/systemd/system folder
  * d/postinst:
    - create marker file when reboot script need to run:
      - enable livepatch across trusty to xenial upgrade
      - update fips on existing fips pro machines
  * New upstream release 26.0~beta:
    - gcp: add Google Cloud Platform support (GH #1269)
    - fips:
      + remove is_beta from fips sevices
      + fips pro: add upgrade support to require reboot to unmark held fips pkgs
      + update origin UbuntuFIPSUpdates
    - status:
      + add notice to tabular output
      + held locks emit notice about Operation in progress
    - cli: help sort output so trusty ordering matches xenial++
    - cis: rename service from cis-audit
    - config: provide config notices and add_notice and remove_notice methods
    - contract: add resource-machine-access route and datapath
    - init: add init script to run commands on reboot
    - keys: add ubuntu-advantage-cis keyring
    - livepatch: make livepatch react to enableByDefault delta
    - log: log when we install pkgs because of contract delta
    - make: drop six testdeps target
    - pro: do not install pro debs on non-pro instances
    - services: Update beta info for services (GH #1220)
    - tools: add tox-lxd-runner, that execute the test command in a shell
    - tools: refresh-keyrings handles cis keys. drop series-specific keys
    - tests:
      + add GCE support for integration tests
      + add cis integration tests for unattached and pro
      + add pytest constraint for mypy tests
      + add unittests for reboot_cmds script
      + fix esm package messages for new update notifier version
      + pin importlib-metadata for mypy tests
      + repo tests for request_resource_machine_access
      + unit tests for config cache clearing and machine-access data
    - jenkins:
      + add basic Jenkinsfile for CI runs per PR
      + add jenkins parseable test results
      + add lxc cleanup stage on Jenkinsfile

 -- Lucas Moura <email address hidden> Thu, 14 Jan 2021 10:08:20 -0300

ubuntu-advantage-tools (25.0~20.10.1) groovy; urgency=medium

  * Release version 25.0

 -- Chad Smith <email address hidden> Fri, 04 Dec 2020 13:32:16 -0700

ubuntu-advantage-tools (25.0~20.10.1beta3) groovy; urgency=medium

  * New upstream release 25.0~beta3:
    - upgrade-lts-conract: noop during do-release-upgrade on unattached
      (GH: #1255)
    - ua-auto-attach: order systemd unit before cloud-config.service
    - Update FIPSUpdates pin origin
    - fips: unmark held fips packages for ubuntu pro fips image support
      (GH: #1109)
    - repo: handle changes to additionalPackages contract deltas
    - repo: move package installation to install_packages method
    - pro: trigger auto-attach as soon as instance-data.json is available
      (GH: #1234)
    - Conditionally install packages when enabling FIPS
    - fips: allow disable (GH: #1168)
    - cli: add trailing newline to argparse errors (GH: #1236)
    - Install fips metapacking when enabling service
    - integration test improvements:
      + upgrade-test: fix upgrade path restart failures on trusty (GH: #1257)
      + Fix integration test setup scripts (GH: #1253)
      + strict checking for command success on behave
      + Update tests to use new pycloudlib LXD abstraction
      + Add upgrade scenario tests when FIPS is enabled
      + Improve FIPS tests for checking packages
      + Update esm-infra xenial lxd test
      + Fix vm tests as esm-apps is beta service
      + Fix azure generic integration testing
      + Update esm-apps check on staging_commands tests
      + Install pycloudlib for azure jobs only
      + Fix shell condition in run_azure_travis_integration_tests.sh
      + Update azure jobs on travis
      + Update travis url in README
      + Update travis scripts to use ppa only on master
      + Fix cron event type check on travis yaml

 -- Chad Smith <email address hidden> Wed, 02 Dec 2020 13:43:16 -0700

ubuntu-advantage-tools (25.0~20.10.1~beta2) groovy; urgency=medium

  * New upstream release 25.0~beta2:
    - help: update esm-infra help text (GH: #1212)
    - apt-hook: update apt cli messaging for UA Infra: ESM and UA Apps: ESM
      product names
    - help: update fips help docs (GH: #1213)
    - help: revert CIS help doc URL (GH: #1211)
    - help: add new fips help URLs to CLI help docs (GH: #1210)
    - Show error when enabling service with invalid repo [Lucas Moura]
      (GH: #954)
    - Update beta info for services (#1220) [Lucas Moura] (GH: #1216)
    - Do not enable fips when fips-updates is active [Lucas Moura] (GH: #1209)
    - Add vm test commands in tox.ini (#1204) [Lucas Moura]

 -- Chad Smith <email address hidden> Mon, 26 Oct 2020 20:01:21 -0600

ubuntu-advantage-tools (25.0~20.10.1~beta1) groovy; urgency=medium

  * Beta bug fix release
    - status: fix missing description_override key after upgrade from
      trusty (GH: #1201)
    - During contract delta processing use _check_application_status_on_cache
      instead of live service status

 -- Chad Smith <email address hidden> Sat, 10 Oct 2020 21:47:21 -0600

ubuntu-advantage-tools (25.0~20.10.1~beta) groovy; urgency=medium

  * d/control:
    - add po-debconf dependency and fix lintian not-using-po-debconf and
      untranslatable-debconf-templates
    - add ${misc:Depends} dep to ubuntu-advantage-pro to fix lintian
      debhelper-but-no-misc-depends (GH: #1024)
  * d/rules:
    - drop --with systemd fix build-depends-on-obsolete-package
    - set fix lintian warning extra:Depends even if empty
  * d/postrm
    - Add more gpg keys to be deleted in postrm for Xenial+ support
  * d/postinst:
    - do not unconfigure non-trusty esm. no series in apt filenames (GH: #1170)
    - check if esm is already enabled (GH: #1095)
  * New upstream release 25.0:
    - Do not uninstall additionalPackages or livepatch when disabling services
    - check for issubclass on clean_apt_files
    - Add do-release-upgrade support for esm-infra and apps suites (GH: #1169)
    - Apply contract deltas during do-release-upgrade operations
    - cli: add ua help command
    - cli: status add blocking --wait param and lock files for config change
    - Fix livepatch behaviour on aws pro focal machine
    - travis: drop inapplicable workspaces from specific awsgeneric release
      jobs
    - Add possible reboot text after enabling/disabling services
    - apt-hook: package apt-hook and apt configuration files on all releases
      (GH: #1150)
    - Fix enable fail bug
    - Add uaclient.conf override mechanism for auto-attach, beta services and
      machine-token
    - Support ESM Apps [Brian Murray] (GH: #930)
    - Do not enable services if blocking services is active (GH: #1029)
    - contract: handle 401 on invalid token, 403 on expired (GH: #1335)
    - Hide beta services from default status output and enable/disable
      operations (GH: #1079) (GH: #1091)
    - fips: force apt noninteractive prompts during package installs
      (GH: #1084)
    - tests: add unit tests for aws-gov/aws-china cloud detection
    - Add AWS China and GovCloud partitions [Robert Jennings]
    - Disable beta services to be show/enabled without flag
    - Add missing build_pr command to environment
    - Use additionalPackages from service payload
    - Add integration testing for Travis runs [patriciadomin] (GH: #856)
      (GH: #857) (GH: #853)

 -- Chad Smith <email address hidden> Mon, 28 Sep 2020 21:11:54 -0600

ubuntu-advantage-tools (24.4) groovy; urgency=medium

  * New bug-fix-only release 24.4:
    - uaclient.version bump to 24.4
    - fips: honor additionalPackage directive from contract for bionic
      (GH #1173)

 -- Chad Smith <email address hidden> Tue, 01 Sep 2020 11:14:39 -0600

ubuntu-advantage-tools (24.3) groovy; urgency=medium

  * New bug-fix-only release 24.3:
    - uaclient.version bump to 24.3
    - fips: add conditional reboot message only if /var/run/reboot-required is
      present
    - fips: add apt repo key for FIPS and FIPS updates (GH #1026)

 -- Chad Smith <email address hidden> Thu, 20 Aug 2020 14:50:17 -0600

ubuntu-advantage-tools (24.2) groovy; urgency=medium

  * New bug-fix-only release 24.2:
    - uaclient.version bump to 24.2
    - pro: Add AWS China and GovCloud partitions support (GH #1077)

 -- Chad Smith <email address hidden> Wed, 03 Jun 2020 16:12:41 -0600

ubuntu-advantage-tools (24.1) groovy; urgency=medium

  * New bug-fix-only release 24.1:
    - livepatch: run snap wait system snap.seeded before trying to install
      (GH: #1049)
    - version: return debian/changelog version when git describe fails to
      match upstream <major>.<minor> tags for git-ubuntu workflow
      (GH: #1058)

 -- Chad Smith <email address hidden> Mon, 18 May 2020 15:07:17 -0600

ubuntu-advantage-tools (24.0) groovy; urgency=medium

  * bump version to 24.0 for new versioninig scheme

 -- Chad Smith <email address hidden> Mon, 18 May 2020 15:04:33 -0600

ubuntu-advantage-tools (20.3) focal; urgency=medium

  * New upstream release 20.3:
    - ubuntu-pro: automatically reattach across instance id delta
      (LP: #1867573)
    - integration testing:
      + add behave tests ua subcommands for attached vm
      + add invalid token tests
      + add reuse_container test docs
      + refactor token parameter

 -- Chad Smith <email address hidden> Mon, 30 Mar 2020 14:49:17 -0600

ubuntu-advantage-tools (20.2) focal; urgency=medium

  * d/templates: add a debconf note on upgrade from pre-ubuntu pro package
  * d/control: create a separate ubuntu-advantage-pro package which
      delivers the tooling and scripts necessary to auto-attach pro machines
      This change breaks/replaces ubuntu-advantage-tools <= 20.1
  * d/maintscript: rm_conffile /etc/init/ua-auto-attach.conf from ua-tools pkg
  * d/postint: remove stale systemd symlinks which have migrated to ubuntu-pro
  * d/rules: only install the apt hook on trusty
  * d/rules: provide --no-start to debhelper to avoid auto-attach on pkg install
  * Release 20.2:
    - ubuntu-pro:
      + azure: fix detection of DatasourceAzureNet as azure on trusty
      + generalize identity_doc to return dict instead of string
      + auto-attach: any 4XX errors during auto-attach are the result of non-Pro
      + auto-attach: handle 403 errors raised by contract server for invalid vms
    - attach: persist any status config changes after attach failures
    - output: add messaging using a different subscription if attached

 -- Chad Smith <email address hidden> Thu, 20 Feb 2020 11:13:15 -0700

ubuntu-advantage-tools (20.1) xenial; urgency=medium

  * Release 20.1:
    - azure-pro, support for azure ubuntu pro auto-attach:
      + add azure auto-attach instance as valid cloud_instance_factory
      + add azure cloud instance module and tests
      + generalize request_aws_contract_token for multiple cloud_types
      + contract: request_auto_attach_contract_token takes an instance param
    - constraints: add constraint on pyyaml version in trusty
    - auto-attach: move duplicate invalid cloud_type check out of cli

 -- Chad Smith <email address hidden> Mon, 13 Jan 2020 15:09:18 -0700

ubuntu-advantage-tools (19.7) xenial; urgency=medium

  * d/postinst: only configure ESM on supported architectures (LP: #1851858)
      [Andreas Hasenack]
  * d/postinst: rename existing ubuntu-esm-precise.list file to trusty.
    This fixes the upgrade path from precise to trusty and to this client
    while esm is enabled (LP: #1850672)
  * Release 19.7:
    - aws: handle missing SYS_HYPERVISOR_PRODUCT_UUID
    - aws-pro: support for aws ubuntu pro auto-attach
    - pro: add cloud identity module and fix unit tests
    - pro: update systemd service and upstart boot scripts to auto-attach
    - pro: esm do not do apt pin never on disable on xenial or bionic
    - pro: esm-apps has origin UbuntuESMApps and esm-infra is UbuntuESM
    - status: dynamic status available now from refreshed machine-token
    - uaclient: update customer visible messages after UX review
    - esm-apps: allow unattended security upgrades for esm-apps
    - systemd: needs WantedBy=multi-user.target to get pulled into boot
    - cli: update docstring to describe errors raised from auto-attach
    - keyrings: update ubuntu-advantage-esm-apps.gpg with correct key
    - repo: match strict repo url in apt-policy to avoid esm substring matches
    - esm: don't disable_apt_auth_only for ESM entitlements
    - initial implementation of esm-apps
    - repo: don't raise exception in application_status if aptURL missing
    - entitlements: rely solely on contract server for repo_url
    - cli: exit 0 if already attached
    - cli: use decorators for action_attach and action_attach_premium
    - cli: add assert_not_attached decorator
    - status: custom descriptions for n/a service status

 -- Chad Smith <email address hidden> Fri, 29 Nov 2019 11:09:18 -0700

ubuntu-advantage-tools (19.6) focal; urgency=medium

  * New upstream release. Main changes:
    - drop SSO interactive login support
    - d/control: no longer depend on pymacaroons, which was only needed for
      the SSO interactive login support
    - drop keyrings for services not supported in trusty: cc-eal, fips,
      fips-updates, cis audit
    - make sure /var/lib/ubuntu-advantage/private has 0700 perms
    - rename esm to esm-infra. Also handle upgrades
    - don't unecessarily remove config files that are already handled by dpkg
    - expand the apt related runtime dependencies
    - handle sources.list.d esm snippet when release upgrading from precise
    - ua status now reports availability of services even in unattached state
    - the "ua status" output was changed, including the json format option
    - drop "ua status" call in postinst as it now requires internet access and
      that is restricted in LP builders and test runners.
    - fix the d/t/usage DEP8 test that was also using status

 -- Andreas Hasenack <email address hidden> Thu, 04 Jul 2019 14:12:58 -0300

ubuntu-advantage-tools (19.5.1) eoan; urgency=medium

  * d/t/usage: fix dep8 test ("entitlements" was renamed to "services")

 -- Andreas Hasenack <email address hidden> Wed, 03 Jul 2019 21:55:25 -0300

ubuntu-advantage-tools (19.5) eoan; urgency=medium

  * New upstream release (LP: #1832757):
    - packaging:
      + d/control: depend on libapt-pkg<ABI_VERSION> to use pin-priority never
      + d/postinst: adjust logfile permissions
      + d/postinst: remove public files and generate status cache on upgrade
      + d/postinst: Remove the old CACHE_DIR in postinst
      + d/postrm: remove log files on package purge
      + d/postrm: remove the ESM pinning file on purge
      + trusty should remove v1 esm key if present after upgrade
      + keyrings: regenerate keyrings on a trusty host
      + refresh keyrings to match current production for fips and cc-eal
    - apt:
      + all repo entitlements now call apt-get update on enable
      + enable -updates if -updates from the Ubuntu archive is enabled
      + Add basic i18n (good enough for lang packs)
      + retry apt install and update commands 3 times simple backoff
      + write commented -updates lines instead of omitting them
    - attach/detach:
      + added --no-auto-enable option
      + suppress messages from inapplicable default entitlements
      + two-factor auth reprompt only two-factor auth on failed 2fa
      + honour enableByDefault obligations from contract server
      + livepatch: no auto-enable on attach for trusty
      + don't attempt to disable inapplicable entitlements during detach
      + check for root before checking for attach in assert_attached_root
    - status:
      + add --json cli formatting option
      + emit a SERVICE header in status output
      + redact technical support and expiry for free contracts
      + unentitled services will report n/a
    - cc-eal:
      + add a warning about download size before install
      + change cc to cc-eal in docs, parameters and commandline help
    - esm:
      + add esm-v2 gpg keyring, drop old keyring, ignore aptKey directive
      + and livepatch auto enabled on attach where supported
      + on upgrade do not install preferences to pin never if esm enabled
      + remove only the apt auth entry on disable, leaving sources.list
      + use Pin-Priority never apt preference file to disable esm initially
    - fips:
      + display as pending when linux-fips is not the running kernel
      + only install/upgrade optional packages that are already on the system
    - logs:
      + no longer redact secrets as logfile is root read-only
      + separate console log devel from logfile level
      + remove level from messages to the console
    - add subcommand to refresh all contract details
    - config: allow contract_url and sso_auth_url to have a trailing slash
    - docker: fix persisting generated uuid on images without machine-id files
    - environ: allow lowercase ua_<config_option> overrides
    - repo: un-comment ESM sources.list lines on repo disable
    - updated manpage and help docs

 -- Andreas Hasenack <email address hidden> Wed, 03 Jul 2019 15:55:11 -0300