[SRU] ubuntu-advantage-tools (27.2.2 -> 27.3) Xenial, Bionic, Focal, Hirsute

One of the packaging changes in the SRU which I don't see an explicit bug for (so I'm attaching the question here) is:

+++ ubuntu-advantage-tools-27.3~21.10.1/debian/ubuntu-advantage-tools.postinst 2021-09-21 13:02:06.000000000 +0000
[...]
+configure_log_file() {
+ log_path=$1
+ if [ ! -f $log_path ]; then
+ touch $log_path
+ fi
+ chmod 0600 $log_path
+ chown root:root $log_path
+}
[...]
- if [ ! -f /var/log/ubuntu-advantage.log ]; then
- touch /var/log/ubuntu-advantage.log
- fi
- chmod 0600 /var/log/ubuntu-advantage.log
- chown root:root /var/log/ubuntu-advantage.log
+ configure_log_file /var/log/ubuntu-advantage.log
+ configure_log_file /var/log/ubuntu-advantage-timer.log
+ configure_log_file /var/log/ubuntu-advantage-license-check.log
+
[...]

It is unusual for maintainer scripts to pre-create log files. If these files are removed, do the tools recreate them with the correct permissions? (If so: is this code needed at all?)

+enable_periodic_license_check() {
+ cloud_id=$(cloud-id 2>/dev/null) || cloud_id=""
+ if echo "$cloud_id" | grep -q "^gce"; then
+ if check_is_lts "${UBUNTU_CODENAME}"; then
+ if [ ! -f $MACHINE_TOKEN_FILE ]; then
+ touch $LICENSE_CHECK_MARKER_FILE
+ fi
+ fi
+ fi
+}

What is the expected behavior here if the user upgrades to this version of the package on an LTS, and then upgrades to a non-LTS release?

What is the expected behavior if the user is running on a non-LTS release, and then upgrades to a non-LTS release?

(Current behavior with this implementation: on upgrade to an LTS release, the timer will be enabled, because a new version of the package is configured and this code runs again. On upgrade to a non-LTS release, the timer will not be disabled.)

Thank you Steve for taking a look.

You are right on all counts.

It appears the code to pre-create log files is unnecessary. If you consider this a blocker then we can remove it in this release. Otherwise we will remove it in 27.4

We purposefully kept the purpose of the enable_periodic_license_check function to _enabling_ when run on GCP LTS non-attached instances. You are right that the timer will not be disabled during postinst when upgrading to a non-LTS; however, the timer will notice that it is non-LTS and disable itself next time it runs.

The code that does this is here:
https://github.com/canonical/ubuntu-advantage-client/blob/release-27/uaclient/jobs/license_check.py#L36

And our integration test for the timer disabling itself on non-LTS is here:
https://github.com/canonical/ubuntu-advantage-client/blob/release-27/features/license_check.feature#L47

Thanks, your responses to the previous two comments are satisfactory and I don't think changes are needed for this SRU for those points.

+ # We should only perform this check on UA version that have the
+ # ua-messaging.timer: 27.0 until 27.2. This will also guarantee
+ # that on 27.3 and forward, we will not run this logic.
+ if dpkg --compare-versions "$PREVIOUS_PKG_VER" ge-nl "27.0~"; then
+ if dpkg --compare-versions "$PREVIOUS_PKG_VER" lt-nl "27.3~"; then
+ if [ -x "/usr/bin/deb-systemd-helper" ]; then
+ if [ -d /run/systemd/system ]; then
+ if ! deb-systemd-helper --quiet was-enabled $OLD_MESSAGING_TIMER; then

This could be written without all the nesting as:
    if dpkg --compare-versions "$PREVIOUS_PKG_VER" lt "27.0~" \
       || dpkg --compare-versions "$PREVIOUS_PKG_VER" ge "27.3~"; then
        return
    fi
    if [ -x "/usr/bin/deb-systemd-helper" ] && [ -d /run/systemd/system ] \
       && ! deb-systemd-helper --quiet was-enabled $OLD_MESSAGING_TIMER; then

Under what circumstances would deb-systemd-helper not be present? init-system-helpers is part of the minimal task from trusty onwards; it is Essential: yes from bionic onwards; and ubuntu-advantage-tools itself could reasonably declare a dependency on it.

What is the expected behavior if we don't have a running systemd (such as in a chroot, and /run/systemd/system is not present)? Why are you short-circuiting in this case, rather than calling deb-systemd-helper and letting it handle these cases?

Also, for some reason you are calling deb-systemd-helper *enable*, not disable?

I think this should be reduced to:

    if ! deb-systemd-helper --quiet was-enabled $OLD_MESSAGING_TIMER; then
        deb-systemd-helper disable $UA_TIMER_NAME > /dev/null 2>&1 || true
        systemctl stop $UA_TIMER_NAME > /dev/null 2>&1 || true
    fi

the other checks are either superfluous, or actively harmful.

Thank you Steve, you raise several good points.

1. The excessive nesting.
I agree that it is annoying to read several layers of nested ifs. As an individual issue, we don't think this is a blocker; however if we decide to rewrite this function for this SRU for the below reasons, we can use the early return like you suggest. If not, then we will simplify this for next release.

2. The check for deb-systemd-helper existing.
There's a longer story as to why we thought this check was a good idea at the time, but the end result is that we were mistaken and it is superfluous. We don't think this check hurts anything but it doesn't help either. We can remove it in our next release unless you think it blocks this one.

3. The check for systemd existing.
This is present because we were copying a pattern that deb-systemd-helper uses in its autosnippets. Whenever d-s-h appends a snippet that uses systemctl, it makes this check first. For example, a snippet that is added to our postinst by d-s-h:

# Automatically added by dh_systemd_start
if [ -d /run/systemd/system ]; then
        systemctl --system daemon-reload >/dev/null || true
        deb-systemd-invoke start ua-timer.timer >/dev/null || true
fi
# End automatically added section

However, it turns out our use of systemctl in this case is also unnecessary. We don't need to run systemctl stop in this case because ua-timer.timer will never have been started when this chunk of code runs. Again, this shouldn't hurt anything. We can remove it in our next release unless you think it blocks this one.

4. Running deb-systemd-helper enable is confusing.
The use of enable was intentional. We attempted to explain in the comment above that line. The reason is that we want to take advantage of d-s-h's autosnippet for enabling/updating config for ua-timer.timer which appends the following to the bottom of postinst:

# Automatically added by dh_systemd_enable
# This will only remove masks created by d-s-h on package removal.
deb-systemd-helper unmask ua-timer.timer >/dev/null || true

# was-enabled defaults to true, so new installations run enable.
if deb-systemd-helper --quiet was-enabled ua-timer.timer; then
        # Enables the unit on first installation, creates new
        # symlinks on upgrades if the unit file has changed.
        deb-systemd-helper enable ua-timer.timer >/dev/null || true
else
        # Update the statefile to add new symlinks (if any), which need to be
        # cleaned up on purge. Also remove old symlinks.
        deb-systemd-helper update-state ua-timer.timer >/dev/null || true
fi
# End automatically added section

The chunk of code that we are talking about happens before this d-s-h autosnippet, and the intent is to prevent this d-s-h snippet from running "enable".
By running "enable" and then "disable" we update the d-s-h state such that "was-enabled" will fail and so that snippet will not run "enable".

We acknowledge that this solution is confusing, to put it charitably. We've evaluated a number of alternatives:

4.1. Straightforward simplification
deb-systemd-helper enable $UA_TIMER_NAME > /dev/null 2>&1 || true
deb-systemd-helper disable $UA_TIMER_NAME > /dev/null 2>&1 || t...

Thanks for the review here Steve.

Grant has already started working on your prior review comments 1 & 2 to reduce some of the complexity and excessive nesting for next release to aid in maintainability of this section.

For the comment about "the other checks are either superfluous, or actively harmful."

I'm not certain how this section will be harmful here, if we are in chroots, we should be skipping this section in general because our initial `if [ -d /run/systemd/system ]` check. If this code happens to run in a chroot w/ run/systemd/system present we also avoid non-zero exit in the failure case if systemctl or deb-systremd-helper error.

I presumed this was also why debhelper snippets is automatically adding the similar check prior to invoking `systemctl ...`.

Are you suggesting we don't use systemctl or deb-systemd-helper tools directly and instead just attempt to unlink systemd timer/service link files to ensure we continue to disable ua-timer.timer if ua-messaging.timer is not represented as enabled?

On Tue, Oct 19, 2021 at 07:48:03PM -0000, Chad Smith wrote:
> For the comment about "the other checks are either superfluous, or
> actively harmful."

> I'm not certain how this section will be harmful here, if we are in
> chroots, we should be skipping this section in general because our
> initial `if [ -d /run/systemd/system ]` check. If this code happens to
> run in a chroot w/ run/systemd/system present we also avoid non-zero
> exit in the failure case if systemctl or deb-systremd-helper error.

The point is that, if the system is *currently* mounted as a chroot, and
this postinst runs, it will not to disable the new service in accordance
with the admin's choice regarding the old service. If furthermore in the
course of normal operation this is a booted system and not a chroot, this
means that on next boot (and subsequently), the new service will be started
when the intent was that it not be.

This is an unlikely scenario in the grand scheme of things, but is not
impossible. If someone has disabled this service; and the instance ends up
in a broken state, so the user mounts the root drive from another instance,
chroots into it, and runs package updates as part of fixing it; then you
could have exactly this situation.

So not applying the "disable" policy when running the postinst in a chroot
is a bug. We should avoid introducing bugs in SRUs when possible, however
corner case.

> I presumed this was also why debhelper snippets is automatically adding
> the similar check prior to invoking `systemctl ...`.

debhelper doesn't wrap calls to 'deb-systemd-helper enable' with checks
for whether the system currently has a running systemd. The
'deb-systemd-helper enable' and 'deb-systemd-helper disable' calls are
explicitly intended to update the state of the unit even if systemd is not
currently running.

> Are you suggesting we don't use systemctl or deb-systemd-helper tools
> directly and instead just attempt to unlink systemd timer/service link
> files to ensure we continue to disable ua-timer.timer if ua-
> messaging.timer is not represented as enabled?

That would be an option, but seems unnecessary vs just calling
'deb-systemd-helper disable $UA_TIMER_NAME > /dev/null 2>&1 || true' here.

On Fri, Oct 15, 2021 at 05:59:56PM -0000, Grant Orndorff wrote:

> 4. Running deb-systemd-helper enable is confusing.
> The use of enable was intentional. We attempted to explain in the comment
> above that line. The reason is that we want to take advantage of d-s-h's
> autosnippet for enabling/updating config for ua-timer.timer which appends
> the following to the bottom of postinst:

> # Automatically added by dh_systemd_enable
> # This will only remove masks created by d-s-h on package removal.
> deb-systemd-helper unmask ua-timer.timer >/dev/null || true

> # was-enabled defaults to true, so new installations run enable.
> if deb-systemd-helper --quiet was-enabled ua-timer.timer; then
> # Enables the unit on first installation, creates new
> # symlinks on upgrades if the unit file has changed.
> deb-systemd-helper enable ua-timer.timer >/dev/null || true
> else
> # Update the statefile to add new symlinks (if any),...

Thank you for the additional context on the potential failure paths here. Agreed we shouldn't knowingly introduce a bug no matter how corner case the condition may be.

>> In what case do you see incorrect behavior by calling (the more obviously
named) 'deb-systemd-helper disable'?

I actually don't think there was a specific case that was Just an attempt to be explicit about the stop and disable calls from systemctl (stop was not necessary anyway).

In fact, Grant has already proposed changes to drop the systemctl disable call anyway and adopt the `deb-systemd-helper disable` instead
https://github.com/canonical/ubuntu-advantage-client/pull/1842/files#diff-7ca7735b78964990b8c31fc79692c988e6904a1058d4f752765cd59b54a882aeR338-R352

If this minor diff is reasonable to reduce the conditional nesting and avoid a corner case issue with invoking systemctl directly from within a chrooted disk, then I'll talk w/ Grant and others tomorrow to see if we can get an upload queued with that change.

Hi Steve,

> Ok, now I see - but that means deb-systemd-helper's auxiliary state will be
> permanently out of sync with the systemd state, I think?

We are purposefully manipulating d-s-h's state here, but it never becomes out of sync with the systemd state.

> Also, this
> dh_systemd_enable snippet calls deb-systemd-helper enable if 'was-enabled'
> was true, but I don't see that you want to call enable again, as this is
> either a no-op, or it will enable the service which we explicitly are aiming
> to disable.

Exactly! :) We need `was-enabled` to fail or else the timer will get enabled. This is why we are calling "enable" then "disable" up above. I will explain via example below.

> In what case do you see incorrect behavior by calling (the more obviously
> named) 'deb-systemd-helper disable'?

If we only call "disable", the total relevant script will look like this

# our call
deb-systemd-helper disable ua-timer.timer >/dev/null || true
# d-s-h snippet
deb-systemd-helper unmask ua-timer.timer >/dev/null || true
if deb-systemd-helper --quiet was-enabled ua-timer.timer; then
        deb-systemd-helper enable ua-timer.timer >/dev/null || true
else
        deb-systemd-helper update-state ua-timer.timer >/dev/null || true
fi

In this case, "was-enabled" will _succeed_, and "deb-systemd-helper enable" in the d-s-h snippet will run. This is due to "was-enabled" having an explicit special case for the first install: If "deb-systemd-helper enable" has never been run before, then "was-enabled" will succeed. They note this in a comment in their autosnippet.
So as a result, if we _only_ run "deb-systemd-helper disable", then the timer will end up getting enabled.

Now, suppose we adopt the simplified version of what we're doing here (https://github.com/canonical/ubuntu-advantage-client/pull/1842/commits/f8b1a7222eeeea21f7b416a2bdd3d08e688cbef7).

Then the total relevant script will be this:

# our calls
deb-systemd-helper enable ua-timer.timer >/dev/null || true
deb-systemd-helper disable ua-timer.timer >/dev/null || true
# d-s-h snippet
deb-systemd-helper unmask ua-timer.timer >/dev/null || true
if deb-systemd-helper --quiet was-enabled ua-timer.timer; then
        deb-systemd-helper enable ua-timer.timer >/dev/null || true
else
        deb-systemd-helper update-state ua-timer.timer >/dev/null || true
fi

In this case, "was-enabled" will _fail_. So the d-s-h snippet will not run the "deb-systemd-helper enable" line. "was-enabled" fails here because d-s-h was used to enable the timer at least once in the past, but the timer is currently disabled.
So as a result, if we run "enable" and then "disable", then the timer will end up disabled.

We have tested all of the above. The timer is correctly disabled if we call "enable" then "disable". The timer is not correctly disabled if we only call "disable".

If you agree, then we will apply this commit https://github.com/canonical/ubuntu-advantage-client/pull/1842/commits/f8b1a7222eeeea21f7b416a2bdd3d08e688cbef7 to this release to at least make the code here simpler.

Edit: And of course, this change would fix the systemd concerns by no longer calling systemctl directly.

Steve and Chad: I just finished a manual test of:

1. Disabling ua-messaging.timer
2. In a chroot, upgrade ubuntu-advantage-tools
3. Check if ua-timer.timer was disabled

With the current upload this is unsuccessful, as Steve has predicted.

With our proposed change (https://github.com/canonical/ubuntu-advantage-client/commit/2d7da9e5ab3d1ed482c6c8f1f8be3bba7e403b40), then it is successful.

So I think we should go ahead and re-upload with this patch.

+1 on this Grant. Let's queue another upload today if we can

Hello Grant, or anyone else affected,

Accepted ubuntu-advantage-tools into impish-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/ubuntu-advantage-tools/27.3~21.10.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-impish to verification-done-impish. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-impish. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Hello Grant, or anyone else affected,

Accepted ubuntu-advantage-tools into hirsute-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/ubuntu-advantage-tools/27.3~21.04.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-hirsute to verification-done-hirsute. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-hirsute. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Hello Grant, or anyone else affected,

Accepted ubuntu-advantage-tools into focal-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/ubuntu-advantage-tools/27.3~20.04.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-focal to verification-done-focal. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-focal. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Hello Grant, or anyone else affected,

Accepted ubuntu-advantage-tools into bionic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/ubuntu-advantage-tools/27.3~18.04.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-bionic to verification-done-bionic. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-bionic. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Hello Grant, or anyone else affected,

Accepted ubuntu-advantage-tools into xenial-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/ubuntu-advantage-tools/27.3~16.04.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-xenial to verification-done-xenial. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-xenial. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

I have run all of the manual tests with the proposed package and they are all working as expected

We have run the full ubuntu-advantage-tools integration test suite against the version in -proposed. The results are attached. All tests passed.

You can verify the correct version was used by checking the output of the first test in each file, which prints the version number.

Next we will run all the manual tests described on this bug and upload logs. Then we will mark verification done.

Attached are logs for all the manual tests for all series. All are working as expected.

Marking verification done now.

This bug was fixed in the package ubuntu-advantage-tools - 27.3~21.10.1

---------------
ubuntu-advantage-tools (27.3~21.10.1) impish; urgency=medium

  * d/tools.postinst:
    - consider cloud to be "none" on any cloud-id error
    - purge old ua-messaging.timer/service files
    - keep ua-timer.timer disabled if ua-messaging.timer was disabled by
      the user
    - properly configure both ubuntu-advantage-timer and
      ubuntu-advantage-licence-check logs
  * d/tools.postrm:
    - remove ubuntu-advantage-timer and ubuntu-advantage-license-check logs
      during purge
  * systemd:
    - remove ua-messaging.timer/service
    - add new ua-timer.timer that runs every 6 hours
    - add new ua-license_check.timer that runs every 5 minutes only if
      activated by ua-license-check.path
  * New upstream release 27.3 (LP: #1942929)
    - ros:
      + add beta support to enable ros and ros-updates
      + add support for "required services" so that esm-infra and esm-apps
        get auto-enabled when enabling ros or ros-updates
      + add support for "dependent services" so that user gets prompted to
        disable ros/ros-updates if they disable esm-infra/esm-apps
    - fips:
      + allow fips on GCP bionic now that optimized kernel is ready
      + disallow enabling fips on focal on clouds until cloud-optimized focal
        fips-certified kernel is ready (LP: #1939449, LP: #1939932)
      + print warning about generic fips kernel if cloud-id fails
    - cloud:
      + rely only on cloud-id to determine cloud type (LP: #1940131)
      + catch errors when determining cloud type
        (LP: #1938207, LP: #1944676) (GH: #1541)
    - azure:
      + bump IMDS API version to support Azure published images
    - cli:
      + collect-logs command that creates a tar file with debug-relevant logs
        and status info (GH: #463)
      + clean locks on exceptions more thoroughly to avoid false "Operation in
        progress" status messages
      + retain past service state after detach
      + shows better error message when a port value in a proxy is invalid
    - non-unicode locale support:
      + remove unicode-only characters from help file
      + don't print unicode-only characters in ua fix if non-utf8 locale
        (GH: #1463)
    - logrotate:
      + add logrotate functionality for ubuntu-advantage-timer.log.
      + Fix root:root logrotate permissions.
    - ua-timer.timer:
      + introduce a single systemd timer to handle ua recurring jobs
      + timer runs every 2 hours to support most frequent timer job
      + recurring job intervals are configurable in uaclient.conf
      + individual jobs are disabled if their interval is set to 0
      - status job:
        + update ua status every 12 hours
      - messaging job:
        + update APT/MOTD ESM messaging every 6 hours
      - metering job:
        + disabled until infrastructure is ready
        + for attached machines only, periodically update contract server with
          status information for proper contract metering
    - ua-license-check.timer:
      + only runs on LTS GCP instances that are not attached
      + runs every 5 minutes to check if gcp instance has license r...

The verification of the Stable Release Update for ubuntu-advantage-tools has completed successfully and the package is now being released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

This bug was fixed in the package ubuntu-advantage-tools - 27.3~21.04.1

---------------
ubuntu-advantage-tools (27.3~21.04.1) hirsute; urgency=medium

  * Backport new upstream release: (LP: #1942929) to hirsute

ubuntu-advantage-tools (27.3~21.10.1) impish; urgency=medium

  * d/tools.postinst:
    - consider cloud to be "none" on any cloud-id error
    - purge old ua-messaging.timer/service files
    - keep ua-timer.timer disabled if ua-messaging.timer was disabled by
      the user
    - properly configure both ubuntu-advantage-timer and
      ubuntu-advantage-licence-check logs
  * d/tools.postrm:
    - remove ubuntu-advantage-timer and ubuntu-advantage-license-check logs
      during purge
  * systemd:
    - remove ua-messaging.timer/service
    - add new ua-timer.timer that runs every 6 hours
    - add new ua-license_check.timer that runs every 5 minutes only if
      activated by ua-license-check.path
  * New upstream release 27.3 (LP: #1942929)
    - ros:
      + add beta support to enable ros and ros-updates
      + add support for "required services" so that esm-infra and esm-apps
        get auto-enabled when enabling ros or ros-updates
      + add support for "dependent services" so that user gets prompted to
        disable ros/ros-updates if they disable esm-infra/esm-apps
    - fips:
      + allow fips on GCP bionic now that optimized kernel is ready
      + disallow enabling fips on focal on clouds until cloud-optimized focal
        fips-certified kernel is ready (LP: #1939449, LP: #1939932)
      + print warning about generic fips kernel if cloud-id fails
    - cloud:
      + rely only on cloud-id to determine cloud type (LP: #1940131)
      + catch errors when determining cloud type
        (LP: #1938207, LP: #1944676) (GH: #1541)
    - azure:
      + bump IMDS API version to support Azure published images
    - cli:
      + collect-logs command that creates a tar file with debug-relevant logs
        and status info (GH: #463)
      + clean locks on exceptions more thoroughly to avoid false "Operation in
        progress" status messages
      + retain past service state after detach
      + shows better error message when a port value in a proxy is invalid
    - non-unicode locale support:
      + remove unicode-only characters from help file
      + don't print unicode-only characters in ua fix if non-utf8 locale
        (GH: #1463)
    - logrotate:
      + add logrotate functionality for ubuntu-advantage-timer.log.
      + Fix root:root logrotate permissions.
    - ua-timer.timer:
      + introduce a single systemd timer to handle ua recurring jobs
      + timer runs every 2 hours to support most frequent timer job
      + recurring job intervals are configurable in uaclient.conf
      + individual jobs are disabled if their interval is set to 0
      - status job:
        + update ua status every 12 hours
      - messaging job:
        + update APT/MOTD ESM messaging every 6 hours
      - metering job:
        + disabled until infrastructure is ready
        + for attached machines only, periodically update contract server with
          status information for proper contract metering
    - ua-license-check.timer:
   ...

This bug was fixed in the package ubuntu-advantage-tools - 27.3~20.04.1

---------------
ubuntu-advantage-tools (27.3~20.04.1) focal; urgency=medium

  * Backport new upstream release: (LP: #1942929) to focal

ubuntu-advantage-tools (27.3~21.10.1) impish; urgency=medium

  * d/tools.postinst:
    - consider cloud to be "none" on any cloud-id error
    - purge old ua-messaging.timer/service files
    - keep ua-timer.timer disabled if ua-messaging.timer was disabled by
      the user
    - properly configure both ubuntu-advantage-timer and
      ubuntu-advantage-licence-check logs
  * d/tools.postrm:
    - remove ubuntu-advantage-timer and ubuntu-advantage-license-check logs
      during purge
  * systemd:
    - remove ua-messaging.timer/service
    - add new ua-timer.timer that runs every 6 hours
    - add new ua-license_check.timer that runs every 5 minutes only if
      activated by ua-license-check.path
  * New upstream release 27.3 (LP: #1942929)
    - ros:
      + add beta support to enable ros and ros-updates
      + add support for "required services" so that esm-infra and esm-apps
        get auto-enabled when enabling ros or ros-updates
      + add support for "dependent services" so that user gets prompted to
        disable ros/ros-updates if they disable esm-infra/esm-apps
    - fips:
      + allow fips on GCP bionic now that optimized kernel is ready
      + disallow enabling fips on focal on clouds until cloud-optimized focal
        fips-certified kernel is ready (LP: #1939449, LP: #1939932)
      + print warning about generic fips kernel if cloud-id fails
    - cloud:
      + rely only on cloud-id to determine cloud type (LP: #1940131)
      + catch errors when determining cloud type
        (LP: #1938207, LP: #1944676) (GH: #1541)
    - azure:
      + bump IMDS API version to support Azure published images
    - cli:
      + collect-logs command that creates a tar file with debug-relevant logs
        and status info (GH: #463)
      + clean locks on exceptions more thoroughly to avoid false "Operation in
        progress" status messages
      + retain past service state after detach
      + shows better error message when a port value in a proxy is invalid
    - non-unicode locale support:
      + remove unicode-only characters from help file
      + don't print unicode-only characters in ua fix if non-utf8 locale
        (GH: #1463)
    - logrotate:
      + add logrotate functionality for ubuntu-advantage-timer.log.
      + Fix root:root logrotate permissions.
    - ua-timer.timer:
      + introduce a single systemd timer to handle ua recurring jobs
      + timer runs every 2 hours to support most frequent timer job
      + recurring job intervals are configurable in uaclient.conf
      + individual jobs are disabled if their interval is set to 0
      - status job:
        + update ua status every 12 hours
      - messaging job:
        + update APT/MOTD ESM messaging every 6 hours
      - metering job:
        + disabled until infrastructure is ready
        + for attached machines only, periodically update contract server with
          status information for proper contract metering
    - ua-license-check.timer:
      +...

This bug was fixed in the package ubuntu-advantage-tools - 27.3~18.04.1

---------------
ubuntu-advantage-tools (27.3~18.04.1) bionic; urgency=medium

  * Backport new upstream release: (LP: #1942929) to bionic

ubuntu-advantage-tools (27.3~21.10.1) impish; urgency=medium

  * d/tools.postinst:
    - consider cloud to be "none" on any cloud-id error
    - purge old ua-messaging.timer/service files
    - keep ua-timer.timer disabled if ua-messaging.timer was disabled by
      the user
    - properly configure both ubuntu-advantage-timer and
      ubuntu-advantage-licence-check logs
  * d/tools.postrm:
    - remove ubuntu-advantage-timer and ubuntu-advantage-license-check logs
      during purge
  * systemd:
    - remove ua-messaging.timer/service
    - add new ua-timer.timer that runs every 6 hours
    - add new ua-license_check.timer that runs every 5 minutes only if
      activated by ua-license-check.path
  * New upstream release 27.3 (LP: #1942929)
    - ros:
      + add beta support to enable ros and ros-updates
      + add support for "required services" so that esm-infra and esm-apps
        get auto-enabled when enabling ros or ros-updates
      + add support for "dependent services" so that user gets prompted to
        disable ros/ros-updates if they disable esm-infra/esm-apps
    - fips:
      + allow fips on GCP bionic now that optimized kernel is ready
      + disallow enabling fips on focal on clouds until cloud-optimized focal
        fips-certified kernel is ready (LP: #1939449, LP: #1939932)
      + print warning about generic fips kernel if cloud-id fails
    - cloud:
      + rely only on cloud-id to determine cloud type (LP: #1940131)
      + catch errors when determining cloud type
        (LP: #1938207, LP: #1944676) (GH: #1541)
    - azure:
      + bump IMDS API version to support Azure published images
    - cli:
      + collect-logs command that creates a tar file with debug-relevant logs
        and status info (GH: #463)
      + clean locks on exceptions more thoroughly to avoid false "Operation in
        progress" status messages
      + retain past service state after detach
      + shows better error message when a port value in a proxy is invalid
    - non-unicode locale support:
      + remove unicode-only characters from help file
      + don't print unicode-only characters in ua fix if non-utf8 locale
        (GH: #1463)
    - logrotate:
      + add logrotate functionality for ubuntu-advantage-timer.log.
      + Fix root:root logrotate permissions.
    - ua-timer.timer:
      + introduce a single systemd timer to handle ua recurring jobs
      + timer runs every 2 hours to support most frequent timer job
      + recurring job intervals are configurable in uaclient.conf
      + individual jobs are disabled if their interval is set to 0
      - status job:
        + update ua status every 12 hours
      - messaging job:
        + update APT/MOTD ESM messaging every 6 hours
      - metering job:
        + disabled until infrastructure is ready
        + for attached machines only, periodically update contract server with
          status information for proper contract metering
    - ua-license-check.timer:
     ...

This bug was fixed in the package ubuntu-advantage-tools - 27.3~16.04.1

---------------
ubuntu-advantage-tools (27.3~16.04.1) xenial; urgency=medium

  * Backport new upstream release: (LP: #1942929) to xenial

ubuntu-advantage-tools (27.3~21.10.1) impish; urgency=medium

  * d/tools.postinst:
    - consider cloud to be "none" on any cloud-id error
    - purge old ua-messaging.timer/service files
    - keep ua-timer.timer disabled if ua-messaging.timer was disabled by
      the user
    - properly configure both ubuntu-advantage-timer and
      ubuntu-advantage-licence-check logs
  * d/tools.postrm:
    - remove ubuntu-advantage-timer and ubuntu-advantage-license-check logs
      during purge
  * systemd:
    - remove ua-messaging.timer/service
    - add new ua-timer.timer that runs every 6 hours
    - add new ua-license_check.timer that runs every 5 minutes only if
      activated by ua-license-check.path
  * New upstream release 27.3 (LP: #1942929)
    - ros:
      + add beta support to enable ros and ros-updates
      + add support for "required services" so that esm-infra and esm-apps
        get auto-enabled when enabling ros or ros-updates
      + add support for "dependent services" so that user gets prompted to
        disable ros/ros-updates if they disable esm-infra/esm-apps
    - fips:
      + allow fips on GCP bionic now that optimized kernel is ready
      + disallow enabling fips on focal on clouds until cloud-optimized focal
        fips-certified kernel is ready (LP: #1939449, LP: #1939932)
      + print warning about generic fips kernel if cloud-id fails
    - cloud:
      + rely only on cloud-id to determine cloud type (LP: #1940131)
      + catch errors when determining cloud type
        (LP: #1938207, LP: #1944676) (GH: #1541)
    - azure:
      + bump IMDS API version to support Azure published images
    - cli:
      + collect-logs command that creates a tar file with debug-relevant logs
        and status info (GH: #463)
      + clean locks on exceptions more thoroughly to avoid false "Operation in
        progress" status messages
      + retain past service state after detach
      + shows better error message when a port value in a proxy is invalid
    - non-unicode locale support:
      + remove unicode-only characters from help file
      + don't print unicode-only characters in ua fix if non-utf8 locale
        (GH: #1463)
    - logrotate:
      + add logrotate functionality for ubuntu-advantage-timer.log.
      + Fix root:root logrotate permissions.
    - ua-timer.timer:
      + introduce a single systemd timer to handle ua recurring jobs
      + timer runs every 2 hours to support most frequent timer job
      + recurring job intervals are configurable in uaclient.conf
      + individual jobs are disabled if their interval is set to 0
      - status job:
        + update ua status every 12 hours
      - messaging job:
        + update APT/MOTD ESM messaging every 6 hours
      - metering job:
        + disabled until infrastructure is ready
        + for attached machines only, periodically update contract server with
          status information for proper contract metering
    - ua-license-check.timer:
     ...

This bug was fixed in the package ubuntu-advantage-tools - 27.3~21.10.1

---------------
ubuntu-advantage-tools (27.3~21.10.1) impish; urgency=medium

  * d/tools.postinst:
    - consider cloud to be "none" on any cloud-id error
    - purge old ua-messaging.timer/service files
    - keep ua-timer.timer disabled if ua-messaging.timer was disabled by
      the user
    - properly configure both ubuntu-advantage-timer and
      ubuntu-advantage-licence-check logs
  * d/tools.postrm:
    - remove ubuntu-advantage-timer and ubuntu-advantage-license-check logs
      during purge
  * systemd:
    - remove ua-messaging.timer/service
    - add new ua-timer.timer that runs every 6 hours
    - add new ua-license_check.timer that runs every 5 minutes only if
      activated by ua-license-check.path
  * New upstream release 27.3 (LP: #1942929)
    - ros:
      + add beta support to enable ros and ros-updates
      + add support for "required services" so that esm-infra and esm-apps
        get auto-enabled when enabling ros or ros-updates
      + add support for "dependent services" so that user gets prompted to
        disable ros/ros-updates if they disable esm-infra/esm-apps
    - fips:
      + allow fips on GCP bionic now that optimized kernel is ready
      + disallow enabling fips on focal on clouds until cloud-optimized focal
        fips-certified kernel is ready (LP: #1939449, LP: #1939932)
      + print warning about generic fips kernel if cloud-id fails
    - cloud:
      + rely only on cloud-id to determine cloud type (LP: #1940131)
      + catch errors when determining cloud type
        (LP: #1938207, LP: #1944676) (GH: #1541)
    - azure:
      + bump IMDS API version to support Azure published images
    - cli:
      + collect-logs command that creates a tar file with debug-relevant logs
        and status info (GH: #463)
      + clean locks on exceptions more thoroughly to avoid false "Operation in
        progress" status messages
      + retain past service state after detach
      + shows better error message when a port value in a proxy is invalid
    - non-unicode locale support:
      + remove unicode-only characters from help file
      + don't print unicode-only characters in ua fix if non-utf8 locale
        (GH: #1463)
    - logrotate:
      + add logrotate functionality for ubuntu-advantage-timer.log.
      + Fix root:root logrotate permissions.
    - ua-timer.timer:
      + introduce a single systemd timer to handle ua recurring jobs
      + timer runs every 2 hours to support most frequent timer job
      + recurring job intervals are configurable in uaclient.conf
      + individual jobs are disabled if their interval is set to 0
      - status job:
        + update ua status every 12 hours
      - messaging job:
        + update APT/MOTD ESM messaging every 6 hours
      - metering job:
        + disabled until infrastructure is ready
        + for attached machines only, periodically update contract server with
          status information for proper contract metering
    - ua-license-check.timer:
      + only runs on LTS GCP instances that are not attached
      + runs every 5 minutes to check if gcp instance has license r...