Ship ubuntu-advantage in ubuntu-minimal

Bug #1686183 reported by David Britton on 2017-04-25
This bug affects 2 people
Affects (series: importance, assigned to)

ubuntu-advantage-tools (Ubuntu), status tracked in Artful
 * Precise: Undecided, Unassigned
 * Trusty: Undecided, Unassigned
 * Xenial: Undecided, Unassigned
 * Yakkety: Undecided, Unassigned
 * Zesty: Undecided, Unassigned
 * Artful: Undecided, Unassigned

ubuntu-meta (Ubuntu), status tracked in Artful
 * Precise: Undecided, Unassigned
 * Trusty: Undecided, Unassigned
 * Xenial: Undecided, Unassigned
 * Yakkety: Undecided, Unassigned
 * Zesty: Undecided, Unassigned
 * Artful: Undecided, Unassigned

Bug Description

The ubuntu-advantage-tools package is a bit odd as it was first landed in precise to support the ESM effort inside Canonical. [0] In order to bring this package up to date across other series in Ubuntu, it has been recommended by the Ubuntu Foundations team to land into trusty next, then forward-port pocket-copy to all supported series until we get to the devel release.

The version here:

https://github.com/CanonicalLtd/ubuntu-advantage-script/releases/tag/v2

... has all on-disk bits correctly working, for all series, but no-ops on any release other than precise (ESM is only for "unsupported" LTS releases as it were). This is a request to land ubuntu-advantage-tools into trusty, then pocket-copy it to supported series of Ubuntu once that is finished.

[Impact]

 * Allow ubuntu-advantage users to access the extended security maintenance script with a simple command line tool. This script needs to hit precise machines and be easy for ubuntu-advantage customers to enable, thus basefiles was chosen as a home.

[Test Case]

 * Run ubuntu-advantage, it should print out help

 * Run sudo ubuntu-advantage enable <token> (without sudo it will warn you), but you need to be an ubuntu-advantage customer to get that token. In the end, the script simply adds and removes an /etc/apt/sources.list.d entry.

 * Verify that the MOTD does not contain any mention of ubuntu-advantage esm or precise and its end of life

 * Verify that ubuntu-advantage enable-esm <token> installs needed dependencies:
  - create the following file and its contents to have apt not install recommended packages by default:
$ cat /etc/apt/apt.conf.d/no-recommends
APT::Install-Recommends "false";
  - remove ca-certificates and apt-transport-https:
$ sudo apt remove ca-certificates apt-transport-https
  - run sudo ubuntu-advantage enable-esm <token> and verify that the two removed packages are reinstalled

 * you can contact me (<email address hidden>) if you would like a token for test purposes.

[Regression Potential]

 * Low, this is a new script, not included in any automated startup paths.

[Other Info]

 * http://blog.dustinkirkland.com/2017/03/ubuntu-1204-esm.html

[0] https://insights.ubuntu.com/2017/03/14/introducing-ubuntu-12-04-esm-extended-security-maintenance/

Andreas Hasenack (ahasenack) wrote :

debdiff for base-files on precise

description: updated
tags: added: patch
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in base-files (Ubuntu):
status: New → Confirmed
Changed in base-files (Ubuntu):
status: Confirmed → Incomplete
Andreas Hasenack (ahasenack) wrote :

This introduces a python dependency to base-files, which I think is incorrect. I think the decision to choose base-files should be reevaluated.

From the point of view of end-users, regardless if the script is in base-files or in its own package, the same number of apt commands will be needed either way.

It's either:
apt-get update
apt-get dist-upgrade
ubuntu-advantage enable-esm <token>

or:
apt-get update
apt-get install ubuntu-advantage
ubuntu-advantage enable-esm <token>

In its own package it can have its own copyright, manpage, correct dependencies, its own source tarball, tests (which were stripped from the debdiff here), upstream url, nice description, etc.

David Britton (davidpbritton) wrote :

The difference here is a supported machine is up to date, even if it only has the minimum packages installed.

Asking for another package to be installed to be "supported" is a small bit of friction that can be removed by delivering the script with basefiles.

Andreas Hasenack (ahasenack) wrote :

Updated debdiff attached. Changes:
- the ubuntu-advantage script is now shell (/bin/sh)
- install an MOTD script that will print a banner informing the status of ESM

Dimitri John Ledkov (xnox) wrote :

The key UID is interesting. It is "Ubuntu ESM <email address hidden>"; is this an appropriate user-facing UID to be listed in the output of $ apt-key list?

Our current key names are a bit more descriptive than that, e.g.:
* Ubuntu Archive Automatic Signing Key <email address hidden>
* Ubuntu CD Image Automatic Signing Key <email address hidden>

Have you considered changing UID to e.g.
 * Ubuntu Extended Security Maintenance Automatic Signing Key <email address hidden>

Such that it is descriptive, and has email address that is user/public facing.

prodstack-cdo seems like an internal email address, which is not customer facing.

Dimitri John Ledkov (xnox) wrote :

* the key should be shipped as a key fragment in /usr/share/keyrings/ubuntu-keyring-extended-security-maintainance.gpg

* the shell script should simply copy that key fragment into /etc/apt/trusted.gpg.d/ upon enablement of the ESM repository

* there should not be encoded binary in the shell script, and no need to call apt-key; just a cp.

* the script should check for and install apt-transport-https if missing
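
The enable/disable flow these review points describe, as an added example that is not taken from the ubuntu-advantage script or the attached debdiff. The keyring and trusted.gpg.d paths are the ones named above; the ESM_ROOT prefix, the ubuntu-esm.list file name, the sources line format and the accepted token characters are assumptions.

```shell
#!/bin/sh
# Added example: NOT the ubuntu-advantage script. Keyring and trusted.gpg.d
# paths come from the review comment; the .list file name, the sources line
# format and the token character set are assumptions.
# ESM_ROOT (hypothetical) prefixes every path so this can run in a scratch dir.

KEY_NAME=ubuntu-keyring-extended-security-maintainance.gpg
esm_key_src() { echo "${ESM_ROOT:-}/usr/share/keyrings/$KEY_NAME"; }
esm_key_dst() { echo "${ESM_ROOT:-}/etc/apt/trusted.gpg.d/$KEY_NAME"; }
esm_list()    { echo "${ESM_ROOT:-}/etc/apt/sources.list.d/ubuntu-esm.list"; }

# Overridable package probe; the default asks dpkg.
pkg_installed() {
    dpkg-query -W -f='${Status}' "$1" 2>/dev/null | grep -q 'install ok installed'
}

# Print the HTTPS transport dependencies that are absent, one per line.
esm_missing_deps() {
    for pkg in apt-transport-https ca-certificates; do
        pkg_installed "$pkg" || echo "$pkg"
    done
}

# esm_enable <user:password> <series>
# Returns 0 on success, 2 on bad arguments, 3 on a missing or armored keyring.
esm_enable() {
    token=$1
    series=$2
    # The token ends up inside a URL, so accept only a conservative set.
    case $token in
        *[!A-Za-z0-9:._-]*|*:*:*|:*|*:) return 2 ;;
        *:*) ;;
        *) return 2 ;;
    esac
    case $series in ''|*[!a-z]*) return 2 ;; esac

    src=$(esm_key_src)
    [ -f "$src" ] && [ -s "$src" ] || return 3
    # Ship and install a binary keyring fragment, not an ASCII-armored export.
    if grep -q -- '-----BEGIN PGP' "$src"; then return 3; fi

    # Plain copy of the packaged fragment: no apt-key, no embedded key data.
    cp "$src" "$(esm_key_dst)" && chmod 0644 "$(esm_key_dst)" || return 1

    # The list file carries credentials: create it 0600 and rename into place.
    list=$(esm_list)
    ( umask 077
      printf 'deb https://%s@esm.ubuntu.com/ubuntu %s main\n' "$token" "$series" \
          > "$list.tmp" ) && mv "$list.tmp" "$list"
}

# Remove both the repository entry and the trusted key fragment.
esm_disable() {
    rm -f "$(esm_list)" "$(esm_key_dst)"
}
```

Because the key is a packaged file rather than data embedded in the script, it can be inspected and updated through normal package upgrades, and disabling the repository also withdraws trust in its key.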

Dimitri John Ledkov (xnox) wrote :

<email address hidden> actually might be a better email address, following on ftpmaster@ cdimage@ pattern.

Dimitri John Ledkov (xnox) wrote :

The key was updated, is there an updated export of it available?

Andreas Hasenack (ahasenack) wrote :

I pushed it to keyserver.ubuntu.com, key id 67C7A026

Andreas Hasenack (ahasenack) wrote :

I can't use a debdiff here anymore because the new key is a binary file. I created a git branch here:

https://code.launchpad.net/~ahasenack/ubuntu/+source/base-files/+git/base-files/+ref/ubuntu-advantage-sru

Is that enough for your review? Should I make an MP against the precise-updates packaging branch imported at https://code.launchpad.net/~usd-import-team/ubuntu/+source/base-files/+git/base-files ?

summary: - Ship ubuntu-advantage in basefiles for ubuntu
+ Ship ubuntu-advantage in ubuntu-minimal
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in ubuntu-advantage-tools (Ubuntu Precise):
status: New → Confirmed
Dimitri John Ledkov (xnox) wrote :

Hello David, or anyone else affected,

Accepted ubuntu-advantage-tools into precise-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/ubuntu-advantage-tools/1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

affects: base-files (Ubuntu) → ubuntu-advantage-tools (Ubuntu)
Changed in ubuntu-advantage-tools (Ubuntu Precise):
status: Confirmed → Fix Committed
Changed in ubuntu-advantage-tools (Ubuntu):
status: Incomplete → New

An upload of ubuntu-meta to precise-proposed has been rejected from the upload queue for the following reason: "unexpected changes to desktop seed".

Hello David, or anyone else affected,

Accepted ubuntu-meta into precise-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/ubuntu-meta/1.267.2 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in ubuntu-meta (Ubuntu Precise):
status: New → Fix Committed
tags: added: verification-needed
Steve Langasek (vorlon) wrote :

$ ubuntu-advantage
usage: ubuntu-advantage [enable-esm|disable-esm]

Enable or disable the Ubuntu Extended Security Maintenance archive.

Parameters:
 enable-esm <token> enable the ESM repository
 disable-esm disable the ESM repository

the <token> argument must be in the form "user:password"

$ sudo ubuntu-advantage enable-esm <token>
[sudo] password for vorlon:
Running apt-get update...
W: Failed to fetch https://esm.ubuntu.com/ubuntu/dists/precise/Release Unable to find expected entry 'main/binary-armhf/Packages' in Release file (Wrong sources.list entry or malformed file)

E: Some index files failed to download. They have been ignored, or old ones used instead.
$

Having foreign-arch multiarch enabled on 12.04 is a pretty marginal use case. ;) Should we care about filtering out unsupported ports architectures when constructing the sources.list.d file?

Steve Langasek (vorlon) wrote :

discussed the above error with the team:
- non-x86 multiarch is a quite minor use case on precise
- it is not clear that esm.ubuntu.com is intended to be x86-only, or that it will remain so indefinitely

So we will not limit the sources.list.d entry by architecture, which could do more harm than good, and so I'm considering this verified.

tags: added: verification-done
removed: verification-needed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package ubuntu-advantage-tools - 1

---------------
ubuntu-advantage-tools (1) precise; urgency=medium

  * Initial Release. LP: #1686183

 -- Dimitri John Ledkov <email address hidden> Fri, 28 Apr 2017 15:04:47 +0100

Changed in ubuntu-advantage-tools (Ubuntu Precise):
status: Fix Committed → Fix Released

The verification of the Stable Release Update for ubuntu-advantage-tools has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package ubuntu-meta - 1.267.2

---------------
ubuntu-meta (1.267.2) precise; urgency=medium

  * Refreshed dependencies
  * Added ubuntu-advantage-tools to minimal LP: #1686183

 -- Dimitri John Ledkov <email address hidden> Fri, 28 Apr 2017 16:12:30 +0100

Changed in ubuntu-meta (Ubuntu Precise):
status: Fix Committed → Fix Released
Steve Langasek (vorlon) wrote :

This package needs to be brought forward to post-trusty releases, but the motd script currently hard-codes 12.04 in its message so this shouldn't be a straight forward-copy.

David Britton (davidpbritton) wrote :

I have a candidate for this to be submitted into artful, and then we can work on the SRU back to trusty after it's accepted. As this one went a bit out of order (precise first after it EOLed!), I'll just attach the git tag in upstream:

https://github.com/CanonicalLtd/ubuntu-advantage-script/releases/tag/v2

Currently the script does nothing for newer releases of Ubuntu. Once those releases go EOL and an ESM product is available for them, we will request an SRU with new bits. But, that will be a while.

Nish Aravamudan (nacc) wrote :

This is a bit of a funky SRU (IMO). It seems like we want version 2 (from the linked repository) in all releases > 12.04. However, given that is not yet present in any release != 12.04, I'm not sure we need to worry about the exact version (that is, they can all be 2?).

My immediate feedback is the debian/changelog from the linked repo should be for artful, not precise. Then that can be backported (I think) to all releases != 12.04. If this already existed, it seems like it would say "trusty" and then have been copied forward.

On Wed, Jul 19, 2017 at 12:06:52PM -0000, Nish Aravamudan wrote:
> This is a bit of a funky SRU (IMO). It seems like we want version 2 (from
> the linked repository) in all releases > 12.04. However, given that is
> not yet present in any release != 12.04, I'm not sure we need to worry
> about the exact version (that is, they can all be 2?).

> My immediate feedback is the debian/changelog from the linked repo
> should be for artful, not precise. Then that can be backported (I think)
> to all releases != 12.04. If this already existed, it seems like it
> would say "trusty" and then have been copied forward.

As discussed in person, if we are going to use a single version and pocket
copy it, we should upload to trusty and then copy forward rather than
uploading to artful and copying backward.

David Britton (davidpbritton) wrote :

Hello -- this is ready for a re-review:

https://github.com/CanonicalLtd/ubuntu-advantage-script/releases/tag/v2

release has been changed to 'trusty' in the changelog.

description: updated
description: updated
David Britton (davidpbritton) wrote :

A bashism was found in the dep8 test, this has now been removed. The new package can be found here:

https://github.com/CanonicalLtd/ubuntu-advantage-script/releases/tag/v2-upload3

Hello David, or anyone else affected,

Accepted ubuntu-advantage-tools into trusty-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/ubuntu-advantage-tools/2 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-trusty to verification-done-trusty. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-trusty. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in ubuntu-advantage-tools (Ubuntu Trusty):
status: New → Fix Committed
tags: added: verification-needed verification-needed-trusty
removed: verification-done
Adam Conrad (adconrad) on 2017-07-28
Changed in ubuntu-advantage-tools (Ubuntu Yakkety):
status: New → Won't Fix
Changed in ubuntu-meta (Ubuntu Yakkety):
status: New → Won't Fix
Adam Conrad (adconrad) on 2017-07-28
Changed in ubuntu-advantage-tools (Ubuntu Xenial):
status: New → Fix Committed
Changed in ubuntu-advantage-tools (Ubuntu Zesty):
status: New → Fix Committed
Changed in ubuntu-advantage-tools (Ubuntu Artful):
status: New → Fix Committed
tags: added: verification-needed-xenial verification-needed-zesty
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package ubuntu-advantage-tools - 2

---------------
ubuntu-advantage-tools (2) trusty; urgency=medium

  * ubuntu-advantage & /etc/update-motd.d/99-esm now build, run and are quiet
    on non-precise release. (LP: #1686183)
  * Add simple dep8 tests.
  * Also install ca-certificates (LP: #1690270)

 -- David Britton <email address hidden> Fri, 30 Jun 2017 15:20:00 -0600

Changed in ubuntu-advantage-tools (Ubuntu Artful):
status: Fix Committed → Fix Released
Andreas Hasenack (ahasenack) wrote :

Trusty verification using the ubuntu-advantage-tools package from trusty-proposed:
 *** 2 0
        500 http://archive.ubuntu.com/ubuntu/ trusty-proposed/main amd64 Packages

a) enabling esm
Installation works, but enabling esm is not a good experience:
"""
$ sudo ubuntu-advantage enable-esm <redacted>
Running apt-get update...
W: Failed to fetch https://esm.ubuntu.com/ubuntu/dists/trusty/main/binary-amd64/Packages HttpError404

E: Some index files failed to download. They have been ignored, or old ones used instead.
$ echo $?
100
"""

Since there is no ESM for non-precise Ubuntu releases, it fails correctly with a 404 error. Is that acceptable?

b) MOTD
There is no mention of ESM, precise, or looming end-of-life in the MOTD when logging in, so that's good.

tags: added: verification-done-trusty
removed: verification-needed-trusty
description: updated
Andreas Hasenack (ahasenack) wrote :

Xenial verification with ubuntu-advantage-tools 2 from xenial-proposed:
 *** 2 500
        500 http://br.archive.ubuntu.com/ubuntu xenial-proposed/main amd64 Packages

a) Since there is no ESM available for xenial, enabling esm fails:
ubuntu@xenial-ubuntu-advantage:~$ sudo ubuntu-advantage enable-esm <redacted>
Running apt-get update...
W: The repository 'https://esm.ubuntu.com/ubuntu xenial Release' does not have a Release file.
E: Failed to fetch https://esm.ubuntu.com/ubuntu/dists/xenial/main/binary-amd64/Packages 404 Not Found
E: Some index files failed to download. They have been ignored, or old ones used instead.
ubuntu@xenial-ubuntu-advantage:~$ echo $?
100

apt-get update commands will continue to fail like above until ESM is disabled with "sudo ubuntu-advantage disable-esm".

b) MOTD is unaffected by esm, enabled or not, since we are not running on precise.

Andreas Hasenack (ahasenack) wrote :

Zesty verification with ubuntu-advantage-tools 2 from zesty-proposed:
 *** 2 500
        500 http://br.archive.ubuntu.com/ubuntu zesty-proposed/main amd64 Packages

a) Since there is no ESM for zesty, the enable-esm command fails with a 404 Not found error:
$ sudo ubuntu-advantage enable-esm <redacteD>
Running apt-get update...
W: The repository 'https://esm.ubuntu.com/ubuntu zesty Release' does not have a Release file.
E: Failed to fetch https://esm.ubuntu.com/ubuntu/dists/zesty/main/binary-amd64/Packages 404 Not Found
E: Some index files failed to download. They have been ignored, or old ones used instead.

apt-get update will remain in this state until esm is disabled. This will probably affect the "package update count" message that is displayed in the MOTD (unrelated to ubuntu-advantage or ESM), since apt-get update is erroring.

b) No ubuntu-advantage related messages are shown in MOTD, regardless if esm is enabled or not, which is correct for non-precise releases of Ubuntu.

tags: added: verification-done-zesty
removed: verification-needed-zesty
tags: added: verification-done-xenial
removed: verification-needed-xenial
Andreas Hasenack (ahasenack) wrote :

To summarize, as expected, all non-precise releases behave the same:

a) enable-esm fails with a valid token because ESM is not available for non-precise ubuntu releases. That causes apt-get update to fail with a 404. The situation is resolved by running the disable-esm command.

b) MOTD gets no ubuntu-advantage or esm related messages, regardless if esm is enabled or not. This is correct, since esm is only available for precise, and ubuntu-advantage has no other functionality.

After having done the above passes on trusty, xenial and zesty, I decided to take another pass and verify that if ca-certificates or apt-transport-https are missing, that ubuntu-advantage would install them. This already happens on precise, but maybe the package names or dependencies changed in other releases.

To properly test this I configured apt to not install recommends by default, otherwise just by installing apt-transport-https we would already get ca-certificates. I'm going to update the [Test Case] section of this SRU about this extra test and its preparation:

$ cat /etc/apt/apt.conf.d/no-recommends
APT::Install-Recommends "false";

Here are the results:

a) zesty:
ubuntu@zesty-ubuntu-advantage:~$ sudo ubuntu-advantage enable-esm <redacted>
Installing missing dependency apt-transport-https
Installing missing dependency ca-certificates
Running apt-get update...
(...)

b) xenial:
ubuntu@xenial-ubuntu-advantage:~$ sudo ubuntu-advantage enable-esm <redacted>
Installing missing dependency apt-transport-https
Installing missing dependency ca-certificates
Running apt-get update...
(...)

c) trusty:
ubuntu@trusty-ubuntu-advantage-1686183:~$ sudo ubuntu-advantage enable-esm <redacted>
Installing missing dependency apt-transport-https
Installing missing dependency ca-certificates
Running apt-get update...
(...)

description: updated
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package ubuntu-advantage-tools - 2

---------------
ubuntu-advantage-tools (2) trusty; urgency=medium

  * ubuntu-advantage & /etc/update-motd.d/99-esm now build, run and are quiet
    on non-precise release. (LP: #1686183)
  * Add simple dep8 tests.
  * Also install ca-certificates (LP: #1690270)

 -- David Britton <email address hidden> Fri, 30 Jun 2017 15:20:00 -0600

Changed in ubuntu-advantage-tools (Ubuntu Zesty):
status: Fix Committed → Fix Released
Changed in ubuntu-advantage-tools (Ubuntu Xenial):
status: Fix Committed → Fix Released
Changed in ubuntu-advantage-tools (Ubuntu Trusty):
status: Fix Committed → Fix Released