Update ubuntu-advantage-client
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
ubuntu-advantage-tools (Ubuntu) |
Fix Released
|
High
|
Andreas Hasenack | ||
Trusty |
Fix Released
|
High
|
Unassigned |
Bug Description
[Impact]
This is a major rewrite of ubuntu-
Disco, Eoan, and Focal already have this rewrite (but an older version of it), but trusty, xenial, bionic and cosmic do not. This update is for trusty only at the moment, because the other LTSs and later releases have other services available under the UA umbrella which haven't yet been fully converted to the new backend.
[Test Case]
There are free services available for Trusty and anyone with an ubuntu one account can try them out with the new client.
1.
In order to attach a machine to UA, first obtain a token at https:/
sudo ua attach <token>
If that's successful, you will have ESM-infra enabled at the end.
Additional test cases to confirm that the package correctly handles upgrades for all relevant cases:
2. Script reference https:/
a. Start with a fresh Ubuntu instance which does not have u-a-t installed (i.e. ubuntu-minimal is not installed). Install u-a-t from -updates.
Do not enable ua. Upgrade to u-a-t from -proposed.
b. In an identical instance, install u-a-t from -proposed.
c. Confirm that the on-disk results of a) and b) are identical.
sudo su -
# adjust if needed, i.e., point to a mirror
export ARCHIVE_URL=http://
export PROPOSED_REPO="deb $ARCHIVE_URL trusty-proposed main"
mkdir /esm-sru
cd /esm-sru
truncate -s 10G file.img
zpool create -O sync=disabled tank $(pwd)/file.img
zfs create tank/trusty-minimal
debootstrap --exclude=
zfs snapshot tank/trusty-
# confirm no ubuntu-minimal nor ubuntu-
chroot /tank/trusty-
# create a clone from trusty-minimal called trusty-2a
zfs clone tank/trusty-
# add extra pockets
cat >> /tank/trusty-
deb $ARCHIVE_URL trusty-updates main
deb $ARCHIVE_URL trusty-security main
EOF
# install u-a-t from updates
chroot /tank/trusty-2a/ apt-get update
chroot /tank/trusty-2a/ apt-get install ubuntu-
# upgrade to u-a-t from proposed
cat > /tank/trusty-
$PROPOSED_REPO
EOF
chroot /tank/trusty-2a/ apt-get update
chroot /tank/trusty-2a/ apt-get install ubuntu-
# clone the first fresh snapshot and call it trusty-2b
zfs clone tank/trusty-
# install u-a-t directly from proposed
cat >> /tank/trusty-
deb $ARCHIVE_URL trusty-updates main
deb $ARCHIVE_URL trusty-security main
EOF
cat > /tank/trusty-
$PROPOSED_REPO
EOF
chroot /tank/trusty-2b/ apt-get update
chroot /tank/trusty-2b/ apt-get install ubuntu-
# get files from both datasets, stripping the zfs prefix
find /tank/trusty-2a/ | sed -r 's,^/tank/[^/]+,,' | sort > trusty-2a.list
find /tank/trusty-2b/ | sed -r 's,^/tank/[^/]+,,' | sort > trusty-2b.list
3. Script reference https:/
a. Start with a fresh Ubuntu instance which does not have u-a-t installed (i.e. ubuntu-minimal is not installed). Install u-a-t from -updates. Enable esm with 'ubuntu-advantage enable-esm'. Upgrade to u-a-t from -proposed.
b. In an identical instance, install u-a-t from -proposed. Enable esm with 'ubuntu-advantage attach'.
c. Confirm that the on-disk results of a) and b) are identical.
sudo su -
# adjust if needed, i.e., point to a mirror
export ARCHIVE_URL=http://
export PROPOSED_REPO="deb $ARCHIVE_URL trusty-proposed main"
# these are needed
export LEGACY_
export UA_CONTRACT_
mkdir /esm-sru
cd /esm-sru
truncate -s 10G file.img
zpool create -O sync=disabled tank $(pwd)/file.img
zfs create tank/trusty-minimal
debootstrap --exclude=
zfs snapshot tank/trusty-
# confirm no ubuntu-minimal nor ubuntu-
chroot /tank/trusty-
# create a clone from trusty-minimal called trusty-3a
zfs clone tank/trusty-
# add extra pockets
cat >> /tank/trusty-
deb $ARCHIVE_URL trusty-updates main
deb $ARCHIVE_URL trusty-security main
EOF
# install u-a-t from updates
chroot /tank/trusty-3a/ apt-get update
chroot /tank/trusty-3a/ apt-get install ubuntu-
# enable esm
chroot /tank/trusty-3a/ ubuntu-advantage enable-esm "$LEGACY_ESM_TOKEN"
# upgrade to u-a-t from proposed
cat > /tank/trusty-
$PROPOSED_REPO
EOF
chroot /tank/trusty-3a/ apt-get update
chroot /tank/trusty-3a/ apt-get install ubuntu-
# clone the first fresh snapshot and call it trusyt-3b
zfs clone tank/trusty-
# install u-a-t directly from proposed
cat >> /tank/trusty-
deb $ARCHIVE_URL trusty-updates main
deb $ARCHIVE_URL trusty-security main
EOF
cat > /tank/trusty-
$PROPOSED_REPO
EOF
chroot /tank/trusty-3b/ apt-get update
chroot /tank/trusty-3b/ apt-get install ubuntu-
# with the new u-a-t from proposed, run attach, which also enables esm
chroot /tank/trusty-3b/ ua attach $UA_CONTRACT_TOKEN
# get files from both datasets, stripping the zfs prefix
find /tank/trusty-3a/ | sed -r 's,^/tank/[^/]+,,' | sort > trusty-3a.list
find /tank/trusty-3b/ | sed -r 's,^/tank/[^/]+,,' | sort > trusty-3b.list
4.Script reference https:/
4a. Start with a fresh Ubuntu instance which does have u-a-t installed. Enable esm with 'ubuntu-advantage enable-esm'. Upgrade to u-a-t from -proposed.
4b. In an identical instance, upgrade to u-a-t from -proposed. Enable esm with 'ubuntu-advantage attach'.
4c. Confirm that the on-disk results of a) and b) are identical other than legacyToken|
export LEGACY_
export UA_CONTRACT_
export ARCHIVE_URL=http://
echo -- BEGIN test 4a: enable esm via `ubuntu-advantage enable-esm` on typical trusty-updates cloud-images which already have -updates installed
# Launch a basic trusty cloud-image that is updated to latest ubuntu-
cat > update-
#cloud-config
package_update: true
package_upgrade: true
runcmd:
- apt-get install -qy ubuntu-
EOF
lxc launch ubuntu-daily:trusty esm-sru-4a -c user.user-
echo "Wait for cloud-init to finish startup on trusty"
RUNLEVEL="NOTSET"
while ! [ "N 2" = "$RUNLEVEL" ]; do echo -n '.'; sleep 1; RUNLEVEL=`lxc exec esm-sru-4a runlevel`; done; echo
mkdir /esm-sru
cd /esm-sru
mkdir 4a 4b
echo "Confirm u-a-t is already installed"
lxc exec esm-sru-4a -- apt-cache policy ubuntu-
cat > ppa-key << EOF
-----BEGIN PGP PUBLIC KEY BLOCK-----
xo0EUs00cgEEAJJ
9BPAs1RAzja96N0
qORlWK3SfsYa6Ep
K0xhdW5jaHBhZCB
AQIAIgUCUs00cgI
IEy62gP/
uB4gPjaFeenJBhC
6DT7VuUFiVlfZUw
=aPbC
-----END PGP PUBLIC KEY BLOCK-----
EOF
# emit script to upgrade u-a-t
cat > add_uat_
#/bin/bash
pocket_name=\$1
if [ "\$pocket_name" = "devel" ]; then
echo deb [trusted=yes] http://
apt-key add /ppa-key
else
echo deb $ARCHIVE_URL \$pocket_name main | tee /etc/apt/
fi
EOF
lxc file push ppa-key esm-sru-4a/
lxc file push add_uat_
lxc exec esm-sru-4a chmod 755 /add_uat_
echo "Make a pristine lxc snapshot for 4a and 4b"
lxc snapshot esm-sru-4a esm-sru-4a-pristine
echo "Enable esm via ubuntu-advantage enable-esm"
lxc exec esm-sru-4a -- ubuntu-advantage enable-esm $LEGACY_ESM_TOKEN
echo "Confirm ansible is available for esm PPA"
lxc exec esm-sru-4a apt-cache policy ansible
echo "Upgrade u-a-t to trusty-proposed"
lxc exec esm-sru-4a /add_uat_
lxc exec esm-sru-4a -- apt-get update -q;
lxc exec esm-sru-4a -- apt-get install -qy ubuntu-
echo "Confirm ansible is available for esm PPA"
lxc exec esm-sru-4a apt-cache policy ansible
lxc exec esm-sru-4a -- find / -xdev | sort > 4a/files.list
lxc file pull -r esm-sru-4a/etc 4a/
echo -- BEGIN test 4b: upgrade u-a-t to -proposed version on typical trusty-updates cloud-images which already have -updates installed
lxc restore esm-sru-4a esm-sru-4a-pristine
echo "Confirm u-a-t is already installed from trusty-updates v. 10ubuntu0.14.04.4"
lxc exec esm-sru-4a -- apt-cache policy ubuntu-
echo "Upgrade u-a-t to trusty-proposed"
lxc exec esm-sru-4a /add_uat_
lxc exec esm-sru-4a -- apt-get update -q;
lxc exec esm-sru-4a -- apt-get install -qy ubuntu-
echo "Enable esm via: ua attach <contractToken>"
lxc exec esm-sru-4a ua attach $UA_CONTRACT_TOKEN
echo "Confirm ansible is available for esm PPA"
lxc exec esm-sru-4a apt-cache policy ansible
lxc exec esm-sru-4a -- find / -xdev | sort > 4b/files.list
lxc file pull -r esm-sru-4a/etc 4b/
echo --- BEGIN test 4c: ensure no filesystem diffs between 4a and 4b with exception of token used
diff -urN 4a 4b
5. Script reference https:/
a. Start with a fresh Ubuntu *precise* instance which does have u-a-t installed and esm enabled. Dist-upgrade to trusty, then upgrade to u-a-t from -proposed.
echo --- BEGIN test 5a: dist-upgrade an esm-enable precise-updates to trusty-updates, then upgrade to -proposed
mkdir -p 5a/var/lib/
echo "Launch precise container with allowing ssh access for <LP_ID>"
cat >precise.yaml <<EOF
#cloud-config
ssh_import_id: [<LP_ID>]
EOF
lxc launch ubuntu-
echo "Enable esm on precise"
lxc exec sru-precise ubuntu-advantage enable-esm <legacyToken>
echo "Dist-upgrade precise -> trusty"
VM_IP=`lxc list dev-p -c 4 | awk '/10/{print $2}'`
ssh ubuntu@$VM_IP
sudo mkdir -p /etc/update-
echo -e "[Sources]
sudo mv allow.cfg /etc/update-
sudo do-release-upgrade # respond yes to any interactive prompts
echo "Confirm ansible is available for trusty esm PPA"
apt-cache policy ansible
echo "Upgrade u-a-t to trusty-proposed"
lxc file push ua_tools_
lxc exec sru-precise "bash /ua_tools_
lxc exec sru-precise -- dpkg -l > 5a/dpkg.list
lxc file pull -r sru-precise/etc 5a/
lxc file pull -r sru-precise/
lxc stop sru-precise
lxc delete sru-precise
b. In an identical instance, dist-upgrade to trusty with -proposed enabled.
echo --- BEGIN test 5b: dist-upgrade an esm-enable precise-proposed to trusty-proposed
mkdir -p 5b/var/lib/
echo "Launch precise container with allowing ssh access for <LP_ID>"
cat >precise.yaml <<EOF
#cloud-config
ssh_import_id: [<LP_ID>]
EOF
lxc launch ubuntu-
echo "Enable esm on precise"
lxc exec sru-precise ubuntu-advantage enable-esm <legacyToken>
echo "Upgrade u-a-t to precise-proposed" # no-op
lxc file push ua_tools_
lxc exec sru-precise "bash /ua_tools_
lxc exec sru-precise "apt-get dist-upgrade"
echo "Dist-upgrade precise-proposed -> trusty-proposed"
VM_IP=`lxc list dev-p -c 4 | awk '/10/{print $2}'`
ssh ubuntu@$VM_IP
sudo mkdir -p /etc/update-
echo -e "[Sources]
sudo mv allow.cfg /etc/update-
sudo do-release-upgrade # respond yes to any interactive prompts
echo "Confirm ansible is available for trusty esm PPA"
apt-cache policy ansible
lxc exec sru-precise -- dpkg -l > 5b/dpkg.list
lxc file pull -r sru-precise/etc 5b/
lxc file pull -r sru-precise/
lxc stop sru-precise
lxc delete sru-precise
c. Confirm that the on-disk results of a) and b) are identical.
echo --- BEGIN test 5c: confirm filesytem changes of test 5a and 5b are identical
dirr -urN 5a 5b
[Regression Potential]
This is a major rewrite from bash to python3 and there are changes in behavior.
- new services will be listed, but not avaialble for trusty, only for later LTSs
- even when ESM is not enabled, an apt hook will advertise the availability of updates in that repository. This hook has failed in the past while this package was in disco, and that failed the apt transaction. This has of course been fixed since then (see #1824523 and #1824523).
[Other Info]
This is the FFe bug that got this rewrite into Disco at that time:
https:/
Development of this client is happening on github:
https:/
Recently esm was renamed to esm-infra. Upgrading from an older package where it was just "esm" is handled in postinst.
The ESM-infra GPG key can be verified by checking the signed release file over https:
ESM: https:/
On an upgrade, existing users of trusty esm are expected to run "sudo ua attach [<token>]", although not doing it won't disable their existing ESM access. The new ua tool just won't recognize esm as being active in its "ua status" output until the attach operation is complete. The same applies to livepatch, if it was enabled before.
description: | updated |
description: | updated |
description: | updated |
description: | updated |
description: | updated |
description: | updated |
description: | updated |
description: | updated |
Changed in ubuntu-advantage-tools (Ubuntu): | |
importance: | Undecided → High |
Changed in ubuntu-advantage-tools (Ubuntu Trusty): | |
importance: | Undecided → High |
Changed in ubuntu-advantage-tools (Ubuntu): | |
assignee: | nobody → Andreas Hasenack (ahasenack) |
status: | New → In Progress |
Changed in ubuntu-advantage-tools (Ubuntu Trusty): | |
status: | New → In Progress |
assignee: | nobody → Andreas Hasenack (ahasenack) |
description: | updated |
description: | updated |
description: | updated |
description: | updated |
description: | updated |
description: | updated |
description: | updated |
description: | updated |
Changed in ubuntu-advantage-tools (Ubuntu Trusty): | |
status: | In Progress → Triaged |
assignee: | Andreas Hasenack (ahasenack) → nobody |
description: | updated |
description: | updated |
description: | updated |
description: | updated |
description: | updated |
description: | updated |
description: | updated |
description: | updated |
description: | updated |
tags: | removed: verification-needed |
This bug was fixed in the package ubuntu- advantage- tools - 19.5.1
--------------- advantage- tools (19.5.1) eoan; urgency=medium
ubuntu-
* d/t/usage: fix dep8 test ("entitlements" was renamed to "services")
ubuntu- advantage- tools (19.5) eoan; urgency=medium
* New upstream release (LP: #1832757): pkg<ABI_ VERSION> to use pin-priority never attached_ root
- packaging:
+ d/control: depend on libapt-
+ d/postinst: adjust logfile permissions
+ d/postinst: remove public files and generate status cache on upgrade
+ d/postinst: Remove the old CACHE_DIR in postinst
+ d/postrm: remove log files on package purge
+ d/postrm: remove the ESM pinning file on purge
+ trusty should remove v1 esm key if present after upgrade
+ keyrings: regenerate keyrings on a trusty host
+ refresh keyrings to match current production for fips and cc-eal
- apt:
+ all repo entitlements now call apt-get update on enable
+ enable -updates if -updates from the Ubuntu archive is enabled
+ Add basic i18n (good enough for lang packs)
+ retry apt install and update commands 3 times simple backoff
+ write commented -updates lines instead of omitting them
- attach/detach:
+ added --no-auto-enable option
+ suppress messages from inapplicable default entitlements
+ two-factor auth reprompt only two-factor auth on failed 2fa
+ honour enableByDefault obligations from contract server
+ livepatch: no auto-enable on attach for trusty
+ don't attempt to disable inapplicable entitlements during detach
+ check for root before checking for attach in assert_
- status:
+ add --json cli formatting option
+ emit a SERVICE header in status output
+ redact technical support and expiry for free contracts
+ unentitled services will report n/a
- cc-eal:
+ add a warning about download size before install
+ change cc to cc-eal in docs, parameters and commandline help
- esm:
+ add esm-v2 gpg keyring, drop old keyring, ignore aptKey directive
+ and livepatch auto enabled on attach where supported
+ on upgrade do not install preferences to pin never if esm enabled
+ remove only the apt auth entry on disable, leaving sources.list
+ use Pin-Priority never apt preference file to disable esm initially
- fips:
+ display as pending when linux-fips is not the running kernel
+ only install/upgrade optional packages that are already on the system
- logs:
+ no longer redact secrets as logfile is root read-only
+ separate console log devel from logfile level
+ remove level from messages to the console
- add subcommand to refresh all contract details
- config: allow contract_url and sso_auth_url to have a trailing slash
- docker: fix persisting generated uuid on images without machine-id files
- environ: allow lowercase ua_<config_option> overrides
- repo: un-comment ESM sources.list lines on repo disable
- updated manpage and help docs
-- Andreas Hasenack <email address hidden> Wed, 03 Jul 2019 21:55:25 -0300