Update ubuntu-advantage-client

Bug #1832757 reported by Andreas Hasenack on 2019-06-13
8
This bug affects 1 person
Affects Status Importance Assigned to Milestone
ubuntu-advantage-tools (Ubuntu)
High
Andreas Hasenack
Trusty
High
Unassigned

Bug Description

[Impact]
This is a major rewrite of ubuntu-advantage-client. This version introduces an updated command line interface (UA Client) to simplify some interaction with Ubuntu Advantage support offerings, and interacts with a new service backend built specifically for this new streamlined experience.

Disco, Eoan, and Focal already have this rewrite (but an older version of it), but trusty, xenial, bionic and cosmic do not. This update is for trusty only at the moment, because the other LTSs and later releases have other services available under the UA umbrella which haven't yet been fully converted to the new backend.

[Test Case]
There are free services available for Trusty and anyone with an ubuntu one account can try them out with the new client.

In order to attach a machine to UA, first obtain a token at https://auth.contracts.canonical.com/. With that token, attach the machine with this command:

sudo ua attach <token>

If that's successful, you will have ESM-infra enabled at the end.

Additional test cases to confirm that the package correctly handles upgrades for all relevant cases:

2.
 a. Start with a fresh Ubuntu instance which does not have u-a-t installed (i.e. ubuntu-minimal is not installed). Install u-a-t from -updates.
 Do not enable ua. Upgrade to u-a-t from -proposed.
 b. In an identical instance, install u-a-t from -proposed.
 c. Confirm that the on-disk results of a) and b) are identical.
3.
 a. Start with a fresh Ubuntu instance which does not have u-a-t installed (i.e. ubuntu-minimal is not installed). Install u-a-t from -updates. Enable esm with 'ubuntu-advantage enable-esm'. Upgrade to u-a-t from -proposed.
 b. In an identical instance, install u-a-t from -proposed. Enable esm with 'ubuntu-advantage attach'.
 c. Confirm that the on-disk results of a) and b) are identical.
4.
 a. Start with a fresh Ubuntu instance which does have u-a-t installed. Enable esm with 'ubuntu-advantage enable-esm'. Upgrade to u-a-t from -proposed.
 b. In an identical instance, upgrade to u-a-t from -proposed. Enable esm with 'ubuntu-advantage attach'.
 c. Confirm that the on-disk results of a) and b) are identical.
5.
 a. Start with a fresh Ubuntu *precise* instance which does have u-a-t installed and esm enabled. Dist-upgrade to trusty, then upgrade to u-a-t from -proposed.
 b. In an identical instance, dist-upgrade to trusty with -proposed enabled.
 c. Confirm that the on-disk results of a) and b) are identical.

[Regression Potential]
This is a major rewrite from bash to python3 and there are changes in behavior.
- new services will be listed, but not avaialble for trusty, only for later LTSs
- even when ESM is not enabled, an apt hook will advertise the availability of updates in that repository. This hook has failed in the past while this package was in disco, and that failed the apt transaction. This has of course been fixed since then (see #1824523 and #1824523).

[Other Info]
This is the FFe bug that got this rewrite into Disco at that time:
https://bugs.launchpad.net/ubuntu/+source/ubuntu-advantage-tools/+bug/1814157

Development of this client is happening on github:
https://github.com/CanonicalLtd/ubuntu-advantage-client

Recently esm was renamed to esm-infra. Upgrading from an older package where it was just "esm" is handled in postinst.

The ESM-infra GPG key can be verified by checking the signed release file over https:

ESM: https://esm.ubuntu.com/ubuntu/dists/trusty-infra-updates/InRelease and https://esm.ubuntu.com/ubuntu/dists/trusty-infra-security/InRelease

On an upgrade, existing users of trusty esm are expected to run "sudo ua attach [<token>]", although not doing it won't disable their existing ESM access. The new ua tool just won't recognize esm as being active in its "ua status" output until the attach operation is complete. The same applies to livepatch, if it was enabled before.

description: updated
description: updated
description: updated
description: updated
description: updated
description: updated
description: updated
description: updated
Changed in ubuntu-advantage-tools (Ubuntu):
importance: Undecided → High
Changed in ubuntu-advantage-tools (Ubuntu Trusty):
importance: Undecided → High
Changed in ubuntu-advantage-tools (Ubuntu):
assignee: nobody → Andreas Hasenack (ahasenack)
status: New → In Progress
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package ubuntu-advantage-tools - 19.5.1

---------------
ubuntu-advantage-tools (19.5.1) eoan; urgency=medium

  * d/t/usage: fix dep8 test ("entitlements" was renamed to "services")

ubuntu-advantage-tools (19.5) eoan; urgency=medium

  * New upstream release (LP: #1832757):
    - packaging:
      + d/control: depend on libapt-pkg<ABI_VERSION> to use pin-priority never
      + d/postinst: adjust logfile permissions
      + d/postinst: remove public files and generate status cache on upgrade
      + d/postinst: Remove the old CACHE_DIR in postinst
      + d/postrm: remove log files on package purge
      + d/postrm: remove the ESM pinning file on purge
      + trusty should remove v1 esm key if present after upgrade
      + keyrings: regenerate keyrings on a trusty host
      + refresh keyrings to match current production for fips and cc-eal
    - apt:
      + all repo entitlements now call apt-get update on enable
      + enable -updates if -updates from the Ubuntu archive is enabled
      + Add basic i18n (good enough for lang packs)
      + retry apt install and update commands 3 times simple backoff
      + write commented -updates lines instead of omitting them
    - attach/detach:
      + added --no-auto-enable option
      + suppress messages from inapplicable default entitlements
      + two-factor auth reprompt only two-factor auth on failed 2fa
      + honour enableByDefault obligations from contract server
      + livepatch: no auto-enable on attach for trusty
      + don't attempt to disable inapplicable entitlements during detach
      + check for root before checking for attach in assert_attached_root
    - status:
      + add --json cli formatting option
      + emit a SERVICE header in status output
      + redact technical support and expiry for free contracts
      + unentitled services will report n/a
    - cc-eal:
      + add a warning about download size before install
      + change cc to cc-eal in docs, parameters and commandline help
    - esm:
      + add esm-v2 gpg keyring, drop old keyring, ignore aptKey directive
      + and livepatch auto enabled on attach where supported
      + on upgrade do not install preferences to pin never if esm enabled
      + remove only the apt auth entry on disable, leaving sources.list
      + use Pin-Priority never apt preference file to disable esm initially
    - fips:
      + display as pending when linux-fips is not the running kernel
      + only install/upgrade optional packages that are already on the system
    - logs:
      + no longer redact secrets as logfile is root read-only
      + separate console log devel from logfile level
      + remove level from messages to the console
    - add subcommand to refresh all contract details
    - config: allow contract_url and sso_auth_url to have a trailing slash
    - docker: fix persisting generated uuid on images without machine-id files
    - environ: allow lowercase ua_<config_option> overrides
    - repo: un-comment ESM sources.list lines on repo disable
    - updated manpage and help docs

 -- Andreas Hasenack <email address hidden> Wed, 03 Jul 2019 21:55:25 -0300

Changed in ubuntu-advantage-tools (Ubuntu):
status: In Progress → Fix Released
Changed in ubuntu-advantage-tools (Ubuntu Trusty):
status: New → In Progress
assignee: nobody → Andreas Hasenack (ahasenack)
Steve Langasek (vorlon) on 2019-07-10
description: updated
description: updated
Steve Langasek (vorlon) on 2019-07-10
description: updated
description: updated
description: updated
description: updated
Steve Langasek (vorlon) wrote :

I have verified that the new fips archive key introduced in this SRU (in both the fips and fips-updates keyrings) is the key used to sign the InRelease files served by esm.ubuntu.com over https, both publicly and on the Canonical VPN.

Steve Langasek (vorlon) on 2019-07-11
description: updated
description: updated
Changed in ubuntu-advantage-tools (Ubuntu Trusty):
status: In Progress → Triaged
assignee: Andreas Hasenack (ahasenack) → nobody
description: updated
description: updated
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers