Ubuntu
ubuntu-advantage-tools package

Ubuntu PRO Focal on AWS and Azure should not install the generic FIPS kernel via ubuntu-fips metapackage

Bug #1939932 reported by Chad Smith
10
This bug affects 1 person
Affects Status Importance Assigned to Milestone
ubuntu-advantage-tools (Ubuntu)
Fix Released
Undecided
Unassigned
Xenial
Fix Released
Undecided
Unassigned
Bionic
Fix Released
Undecided
Unassigned
Focal
Fix Released
Undecided
Unassigned
Hirsute
Fix Released
Undecided
Unassigned
Impish
Fix Released
Undecided
Unassigned

Bug Description

[Impact]

This bug impacts users on AWS or Azure, trying to enable FIPS/FIPS updates on Focal images. Trying to install a non-cloud-optimized FIPS kernel may lead to unwanted behavior on those clouds, including inability to boot to the systems.

Although Focal has a FIPS certified kernel, the AWS adapted kernel is not ready yet. There will be in the future a cloud-optimized version of the FIPS kernel, and then users will be able to install it.

With the applied fix, UA will show a message saying that the kernel is not available instead of showing any error. If the user really wants to install FIPS, there is a feature override ("allow_default_fips_metapackage_on_focal_cloud") which will install the default kernel, but this is the user's choice, and not recommended.

[Test Case]

To verify that this issue is fixed by version 27.3, please run the following script:

------------------------------
import os

from pycloudlib.ec2.cloud import EC2

api = EC2(
    tag="test-ec2",
    access_key_id=os.getenv("UACLIENT_BEHAVE_AWS_ACCESS_KEY_ID"),
    secret_access_key=os.getenv("UACLIENT_BEHAVE_AWS_SECRET_ACCESS_KEY")
)

image_id = "ami-0ae1f7f35ab8e62d5" # Focal pro image
private_key_path = "ec2-{}.pem".format("test-key")
key_name = "test-key"

if key_name in api.list_keys():
    api.delete_key(key_name)

keypair = api.client.create_key_pair(KeyName=key_name)

with open(private_key_path, "w") as stream:
    stream.write(keypair["KeyMaterial"])

os.chmod(private_key_path, 0o600)

api.use_key(private_key_path, private_key_path, key_name)
vpc = api.get_or_create_vpc(name="test-ec2-pro")
instance = api.launch(image_id, vpc=vpc)

print("--- Creating base instance")
print(instance.execute("lsb_release -a"))
print(instance.execute("ua version"))
print(instance.execute("sudo ua enable fips --assume-yes"))
print("------------------")

print("--- Updating ua package")
print(instance.execute('sh -c \'echo "deb http://archive.ubuntu.com/ubuntu $(lsb_release -sc)-proposed main" | tee /etc/apt/sources.list.d/proposed.list\''))
instance.execute("sh -c 'sudo apt-get update > /dev/null'")
instance.execute("sh -c 'sudo apt-get install ubuntu-advantage-tools > /dev/null'")
print(instance.execute("ua version"))
print(instance.execute("sudo ua enable fips --assume-yes"))
print("------------------")
instance.delete()
-------------------------------------------

This script depends on pycloudlib, which can be found here:
https://github.com/canonical/pycloudlib/tree/main/pycloudlib

[Regression Potential]
This change needs to make sure that we indeed prevent the installation of non-cloud-optimized kernels. If a corner case shows up, the user might end up with a wrong kernel. This is unlikely because we are using cloud-init tools, present in AWS and Azure, to detect the cloud instance and effective blocking the install. If this detection fails, it means cloud-init has some problem and then, on AWS or Azure, the instance will have more problems than this one.

We need to make sure to keep track of the certification progress for the cloud adapted FIPS package, so we can enable it in the future, when it becomes available.

[Original Description]
For Ubuntu PRO on 20.04 (Focal) `ua enable fips` should only install a cloud-optimized ubuntu-aws-fips or ubuntu-azure-fips metapackage. Installing a non-cloud-optimized FIPS kernel on AWS and Azure could lead to inability to boot on certain instance types. Expectation is that Focal AWS and Azure images should disallow enabling either fips or fips-updates.

Expected behavior on Ubuntu PRO AWS and Azure Focal:
$ ua status | grep fips
fips no — NIST-certified FIPS modules
fips-updates no — Uncertified security updates to FIPS modules

$ sudo ua enable fips-updates
One moment, checking your subscription first
This system will NOT be considered FIPS certified, but will include security
and bug fixes to the FIPS packages.
Are you sure? (y/N) y
This subscription is not entitled to FIPS Updates.
For more information see: https://ubuntu.com/advantage

Actual behavior:
$ ua status | grep fips
fips yes disabled NIST-certified FIPS modules
fips-updates yes disabled Uncertified security updates to FIPS modules

$ sudo ua enable fips-updates
One moment, checking your subscription first
This system will NOT be considered FIPS certified, but will include security
and bug fixes to the FIPS packages.
Are you sure? (y/N) y
Updating package lists
Installing FIPS Updates packages
FIPS Updates enabled
A reboot is required to complete install

# see ubuntu-fips generic get installed which potentially degrades AWS and Azure environments
$ sudo grep install /var/log/ubuntu-advantage.log
2021-08-13 22:19:07,344 - util.py:(506) [DEBUG]: Ran cmd: apt-get install --assume-yes -o Dpkg::Options::="--force-confdef" -o Dpkg::Options::="--force-confold" ubuntu-fips openssh-client openssh-client-hmac openssh-server openssh-server-hmac openssh-client openssh-client-hmac openssh-server openssh-server-hmac, rc: 0 stderr: b''

See original description
Renan Rodrigo (renanrodrigo)
description: updated
Lucas Albuquerque Medeiros de Moura (lamoura)
description: updated
Revision history for this message
Steve Langasek (vorlon) wrote :

The test case references a ppa and doesn't handle installing from -proposed, so isn't a suitable SRU test case...

Steve Langasek (vorlon)
Changed in ubuntu-advantage-tools (Ubuntu):
status: Triaged → Incomplete
Revision history for this message
Grant Orndorff (orndorffgrant) wrote :

Sorry I missed this Steve. I've updated the script to enable proposed instead of use the staging ppa.

description: updated
Revision history for this message
Steve Langasek (vorlon) wrote : Please test proposed package

Hello Chad, or anyone else affected,

Accepted ubuntu-advantage-tools into impish-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/ubuntu-advantage-tools/27.3~21.10.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-impish to verification-done-impish. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-impish. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in ubuntu-advantage-tools (Ubuntu Impish):
status: New → Fix Committed
tags: added: verification-needed verification-needed-impish
Revision history for this message
Steve Langasek (vorlon) wrote :

Hello Chad, or anyone else affected,

Accepted ubuntu-advantage-tools into hirsute-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/ubuntu-advantage-tools/27.3~21.04.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-hirsute to verification-done-hirsute. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-hirsute. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in ubuntu-advantage-tools (Ubuntu Hirsute):
status: New → Fix Committed
tags: added: verification-needed-hirsute
Changed in ubuntu-advantage-tools (Ubuntu Focal):
status: New → Fix Committed
tags: added: verification-needed-focal
Revision history for this message
Steve Langasek (vorlon) wrote :

Hello Chad, or anyone else affected,

Accepted ubuntu-advantage-tools into focal-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/ubuntu-advantage-tools/27.3~20.04.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-focal to verification-done-focal. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-focal. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Revision history for this message
Steve Langasek (vorlon) wrote :

Hello Chad, or anyone else affected,

Accepted ubuntu-advantage-tools into bionic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/ubuntu-advantage-tools/27.3~18.04.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-bionic to verification-done-bionic. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-bionic. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in ubuntu-advantage-tools (Ubuntu Bionic):
status: New → Fix Committed
tags: added: verification-needed-bionic
Steve Langasek (vorlon)
Changed in ubuntu-advantage-tools (Ubuntu):
status: Incomplete → Fix Committed
Revision history for this message
Steve Langasek (vorlon) wrote :

Hello Chad, or anyone else affected,

Accepted ubuntu-advantage-tools into xenial-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/ubuntu-advantage-tools/27.3~16.04.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-xenial to verification-done-xenial. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-xenial. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in ubuntu-advantage-tools (Ubuntu Xenial):
status: New → Fix Committed
tags: added: verification-needed-xenial
Revision history for this message
Lucas Albuquerque Medeiros de Moura (lamoura) wrote :

AWS Bug verified with the following script:

-----------------------------------
import logging
import os

from pycloudlib.ec2.cloud import EC2

api = EC2(
    tag="test-ec2",
    access_key_id=os.getenv("UACLIENT_BEHAVE_AWS_ACCESS_KEY_ID"),
    secret_access_key=os.getenv("UACLIENT_BEHAVE_AWS_SECRET_ACCESS_KEY")
)

image_id = "ami-0193aa0a9df84a08b" # Focal pro image
private_key_path = "ec2-{}.pem".format("test-key")
key_name = "test-key"

if key_name in api.list_keys():
    api.delete_key(key_name)

keypair = api.client.create_key_pair(KeyName=key_name)

with open(private_key_path, "w") as stream:
    stream.write(keypair["KeyMaterial"])

os.chmod(private_key_path, 0o600)

api.use_key(private_key_path, private_key_path, key_name)
vpc = api.get_or_create_vpc(name="test-ec2-pro")
instance = api.launch(image_id, vpc=vpc)

print("--- Creating base instance")
print(instance.execute("lsb_release -a"))
instance.execute("sh -c 'sudo apt-get update > /dev/null'")
instance.execute("sh -c 'sudo apt-get install ubuntu-advantage-tools > /dev/null'")
print(instance.execute("ua version"))
print(instance.execute("sudo ua enable fips --assume-yes"))
print("------------------")

print("--- Updating ua package")
cmd = "sudo sh -c \"echo 'deb http://archive.ubuntu.com/ubuntu/ {}-proposed restricted main multiverse universe' >> /etc/apt/sources.list.d/proposed-repositories.list\""
instance.execute(cmd.format("focal"))
instance.execute("sh -c 'sudo apt-get update > /dev/null'")
instance.execute("sh -c 'sudo apt-get install ubuntu-advantage-tools > /dev/null'")
print(instance.execute("ua version"))
print(instance.execute("sudo ua enable fips --assume-yes"))
print("------------------")
instance.delete()
-----------------------------------------------

To run that script, you need the pycloudlib dependency, which can be found here:
https://github.com/canonical/pycloudlib/tree/main/pycloudlib

Test output:

Test output:

--- Creating base instance
Distributor ID: Ubuntu
Description: Ubuntu 20.04.2 LTS
Release: 20.04
Codename: focal
27.2.2~20.04.1
One moment, checking your subscription first
Updating package lists
Installing FIPS packages
Updating package lists
Could not enable FIPS.
------------------
--- Updating ua package
27.3~20.04.1
One moment, checking your subscription first
Ubuntu Focal does not provide an AWS optimized FIPS kernel
For help see: https://ubuntu.com/advantage.
------------------

PS: This bug only affects focal

Revision history for this message
Lucas Albuquerque Medeiros de Moura (lamoura) wrote :
Download full text (4.6 KiB)

Azure bug verified with the following script:
-----------------------------------
import logging
import os

from pycloudlib.azure.cloud import Azure

api = Azure(
    tag="test-azure",
    client_id=os.getenv("UACLIENT_BEHAVE_AZ_CLIENT_ID"),
    client_secret=os.getenv("UACLIENT_BEHAVE_AZ_CLIENT_SECRET"),
    tenant_id=os.getenv("UACLIENT_BEHAVE_AZ_TENANT_ID"),
    subscription_id=os.getenv("UACLIENT_BEHAVE_AZ_SUBSCRIPTION_ID")
)

image_id = "Canonical:0001-com-ubuntu-pro-focal:pro-20_04-lts" # Focal pro image
key_name = "test-key"
private_key_path = "azure-priv-{}.pem".format(key_name)
pub_key_path = "azure-pub-{}.txt".format(key_name)

pub_key, priv_key = api.create_key_pair(
    key_name=key_name
)

with open(pub_key_path, "w") as stream:
    stream.write(pub_key)

with open(private_key_path, "w") as stream:
    stream.write(priv_key)

os.chmod(pub_key_path, 0o600)
os.chmod(private_key_path, 0o600)

api.use_key(pub_key_path, private_key_path, key_name)
instance = api.launch(image_id)

print("--- Creating base instance")
print(instance.execute("lsb_release -a"))
instance.execute("sh -c 'sudo apt-get update > /dev/null'")
instance.execute("sh -c 'sudo apt-get install ubuntu-advantage-tools > /dev/null'")
print(instance.execute("ua version"))
print(instance.execute("sudo ua enable fips --assume-yes"))
print("------------------")

print("--- Updating ua package")
cmd = "sudo sh -c \"echo 'deb http://archive.ubuntu.com/ubuntu/ {}-proposed restricted main multiverse universe' >> /etc/apt/sources.list.d/proposed-repositories.list\""
instance.execute(cmd.format("focal"))
instance.execute("sh -c 'sudo apt-get update > /dev/null'")
instance.execute("sh -c 'sudo apt-get install ubuntu-advantage-tools > /dev/null'")
print(instance.execute("ua version"))
print(instance.execute("sudo ua enable fips --assume-yes"))
print("------------------")
instance.delete()
-------------------------------------

Test output:

--- Creating base instance
Distributor ID: Ubuntu
Description: Ubuntu 20.04.3 LTS
Release: 20.04
Codename: focal
27.2.2~20.04.1
One moment, checking your subscription first
Updating package lists ...

Read more...

tags: added: verification-done verification-done-bionic verification-done-focal verification-done-hirsute verification-done-impish verification-done-xenial
removed: verification-needed verification-needed-bionic verification-needed-focal verification-needed-hirsute verification-needed-impish verification-needed-xenial
Revision history for this message
Launchpad Janitor (janitor) wrote :
Download full text (3.4 KiB)

This bug was fixed in the package ubuntu-advantage-tools - 27.3~21.10.1

---------------
ubuntu-advantage-tools (27.3~21.10.1) impish; urgency=medium

  * d/tools.postinst:
    - consider cloud to be "none" on any cloud-id error
    - purge old ua-messaging.timer/service files
    - keep ua-timer.timer disabled if ua-messaging.timer was disabled by
      the user
    - properly configure both ubuntu-advantage-timer and
      ubuntu-advantage-licence-check logs
  * d/tools.postrm:
    - remove ubuntu-advantage-timer and ubuntu-advantage-license-check logs
      during purge
  * systemd:
    - remove ua-messaging.timer/service
    - add new ua-timer.timer that runs every 6 hours
    - add new ua-license_check.timer that runs every 5 minutes only if
      activated by ua-license-check.path
  * New upstream release 27.3 (LP: #1942929)
    - ros:
      + add beta support to enable ros and ros-updates
      + add support for "required services" so that esm-infra and esm-apps
        get auto-enabled when enabling ros or ros-updates
      + add support for "dependent services" so that user gets prompted to
        disable ros/ros-updates if they disable esm-infra/esm-apps
    - fips:
      + allow fips on GCP bionic now that optimized kernel is ready
      + disallow enabling fips on focal on clouds until cloud-optimized focal
        fips-certified kernel is ready (LP: #1939449, LP: #1939932)
      + print warning about generic fips kernel if cloud-id fails
    - cloud:
      + rely only on cloud-id to determine cloud type (LP: #1940131)
      + catch errors when determining cloud type
        (LP: #1938207, LP: #1944676) (GH: #1541)
    - azure:
      + bump IMDS API version to support Azure published images
    - cli:
      + collect-logs command that creates a tar file with debug-relevant logs
        and status info (GH: #463)
      + clean locks on exceptions more thoroughly to avoid false "Operation in
        progress" status messages
      + retain past service state after detach
      + shows better error message when a port value in a proxy is invalid
    - non-unicode locale support:
      + remove unicode-only characters from help file
      + don't print unicode-only characters in ua fix if non-utf8 locale
        (GH: #1463)
    - logrotate:
      + add logrotate functionality for ubuntu-advantage-timer.log.
      + Fix root:root logrotate permissions.
    - ua-timer.timer:
      + introduce a single systemd timer to handle ua recurring jobs
      + timer runs every 2 hours to support most frequent timer job
      + recurring job intervals are configurable in uaclient.conf
      + individual jobs are disabled if their interval is set to 0
      - status job:
        + update ua status every 12 hours
      - messaging job:
        + update APT/MOTD ESM messaging every 6 hours
      - metering job:
        + disabled until infrastructure is ready
        + for attached machines only, periodically update contract server with
          status information for proper contract metering
    - ua-license-check.timer:
      + only runs on LTS GCP instances that are not attached
      + runs every 5 minutes to check if gcp instance has license r...

Read more...

Changed in ubuntu-advantage-tools (Ubuntu Impish):
status: Fix Committed → Fix Released
Revision history for this message
Brian Murray (brian-murray) wrote : Update Released

The verification of the Stable Release Update for ubuntu-advantage-tools has completed successfully and the package is now being released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Revision history for this message
Launchpad Janitor (janitor) wrote :
Download full text (3.5 KiB)

This bug was fixed in the package ubuntu-advantage-tools - 27.3~21.04.1

---------------
ubuntu-advantage-tools (27.3~21.04.1) hirsute; urgency=medium

  * Backport new upstream release: (LP: #1942929) to hirsute

ubuntu-advantage-tools (27.3~21.10.1) impish; urgency=medium

  * d/tools.postinst:
    - consider cloud to be "none" on any cloud-id error
    - purge old ua-messaging.timer/service files
    - keep ua-timer.timer disabled if ua-messaging.timer was disabled by
      the user
    - properly configure both ubuntu-advantage-timer and
      ubuntu-advantage-licence-check logs
  * d/tools.postrm:
    - remove ubuntu-advantage-timer and ubuntu-advantage-license-check logs
      during purge
  * systemd:
    - remove ua-messaging.timer/service
    - add new ua-timer.timer that runs every 6 hours
    - add new ua-license_check.timer that runs every 5 minutes only if
      activated by ua-license-check.path
  * New upstream release 27.3 (LP: #1942929)
    - ros:
      + add beta support to enable ros and ros-updates
      + add support for "required services" so that esm-infra and esm-apps
        get auto-enabled when enabling ros or ros-updates
      + add support for "dependent services" so that user gets prompted to
        disable ros/ros-updates if they disable esm-infra/esm-apps
    - fips:
      + allow fips on GCP bionic now that optimized kernel is ready
      + disallow enabling fips on focal on clouds until cloud-optimized focal
        fips-certified kernel is ready (LP: #1939449, LP: #1939932)
      + print warning about generic fips kernel if cloud-id fails
    - cloud:
      + rely only on cloud-id to determine cloud type (LP: #1940131)
      + catch errors when determining cloud type
        (LP: #1938207, LP: #1944676) (GH: #1541)
    - azure:
      + bump IMDS API version to support Azure published images
    - cli:
      + collect-logs command that creates a tar file with debug-relevant logs
        and status info (GH: #463)
      + clean locks on exceptions more thoroughly to avoid false "Operation in
        progress" status messages
      + retain past service state after detach
      + shows better error message when a port value in a proxy is invalid
    - non-unicode locale support:
      + remove unicode-only characters from help file
      + don't print unicode-only characters in ua fix if non-utf8 locale
        (GH: #1463)
    - logrotate:
      + add logrotate functionality for ubuntu-advantage-timer.log.
      + Fix root:root logrotate permissions.
    - ua-timer.timer:
      + introduce a single systemd timer to handle ua recurring jobs
      + timer runs every 2 hours to support most frequent timer job
      + recurring job intervals are configurable in uaclient.conf
      + individual jobs are disabled if their interval is set to 0
      - status job:
        + update ua status every 12 hours
      - messaging job:
        + update APT/MOTD ESM messaging every 6 hours
      - metering job:
        + disabled until infrastructure is ready
        + for attached machines only, periodically update contract server with
          status information for proper contract metering
    - ua-license-check.timer:
   ...

Read more...

Changed in ubuntu-advantage-tools (Ubuntu Hirsute):
status: Fix Committed → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :
Download full text (3.5 KiB)

This bug was fixed in the package ubuntu-advantage-tools - 27.3~20.04.1

---------------
ubuntu-advantage-tools (27.3~20.04.1) focal; urgency=medium

  * Backport new upstream release: (LP: #1942929) to focal

ubuntu-advantage-tools (27.3~21.10.1) impish; urgency=medium

  * d/tools.postinst:
    - consider cloud to be "none" on any cloud-id error
    - purge old ua-messaging.timer/service files
    - keep ua-timer.timer disabled if ua-messaging.timer was disabled by
      the user
    - properly configure both ubuntu-advantage-timer and
      ubuntu-advantage-licence-check logs
  * d/tools.postrm:
    - remove ubuntu-advantage-timer and ubuntu-advantage-license-check logs
      during purge
  * systemd:
    - remove ua-messaging.timer/service
    - add new ua-timer.timer that runs every 6 hours
    - add new ua-license_check.timer that runs every 5 minutes only if
      activated by ua-license-check.path
  * New upstream release 27.3 (LP: #1942929)
    - ros:
      + add beta support to enable ros and ros-updates
      + add support for "required services" so that esm-infra and esm-apps
        get auto-enabled when enabling ros or ros-updates
      + add support for "dependent services" so that user gets prompted to
        disable ros/ros-updates if they disable esm-infra/esm-apps
    - fips:
      + allow fips on GCP bionic now that optimized kernel is ready
      + disallow enabling fips on focal on clouds until cloud-optimized focal
        fips-certified kernel is ready (LP: #1939449, LP: #1939932)
      + print warning about generic fips kernel if cloud-id fails
    - cloud:
      + rely only on cloud-id to determine cloud type (LP: #1940131)
      + catch errors when determining cloud type
        (LP: #1938207, LP: #1944676) (GH: #1541)
    - azure:
      + bump IMDS API version to support Azure published images
    - cli:
      + collect-logs command that creates a tar file with debug-relevant logs
        and status info (GH: #463)
      + clean locks on exceptions more thoroughly to avoid false "Operation in
        progress" status messages
      + retain past service state after detach
      + shows better error message when a port value in a proxy is invalid
    - non-unicode locale support:
      + remove unicode-only characters from help file
      + don't print unicode-only characters in ua fix if non-utf8 locale
        (GH: #1463)
    - logrotate:
      + add logrotate functionality for ubuntu-advantage-timer.log.
      + Fix root:root logrotate permissions.
    - ua-timer.timer:
      + introduce a single systemd timer to handle ua recurring jobs
      + timer runs every 2 hours to support most frequent timer job
      + recurring job intervals are configurable in uaclient.conf
      + individual jobs are disabled if their interval is set to 0
      - status job:
        + update ua status every 12 hours
      - messaging job:
        + update APT/MOTD ESM messaging every 6 hours
      - metering job:
        + disabled until infrastructure is ready
        + for attached machines only, periodically update contract server with
          status information for proper contract metering
    - ua-license-check.timer:
      +...

Read more...

Changed in ubuntu-advantage-tools (Ubuntu Focal):
status: Fix Committed → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :
Download full text (3.5 KiB)

This bug was fixed in the package ubuntu-advantage-tools - 27.3~18.04.1

---------------
ubuntu-advantage-tools (27.3~18.04.1) bionic; urgency=medium

  * Backport new upstream release: (LP: #1942929) to bionic

ubuntu-advantage-tools (27.3~21.10.1) impish; urgency=medium

  * d/tools.postinst:
    - consider cloud to be "none" on any cloud-id error
    - purge old ua-messaging.timer/service files
    - keep ua-timer.timer disabled if ua-messaging.timer was disabled by
      the user
    - properly configure both ubuntu-advantage-timer and
      ubuntu-advantage-licence-check logs
  * d/tools.postrm:
    - remove ubuntu-advantage-timer and ubuntu-advantage-license-check logs
      during purge
  * systemd:
    - remove ua-messaging.timer/service
    - add new ua-timer.timer that runs every 6 hours
    - add new ua-license_check.timer that runs every 5 minutes only if
      activated by ua-license-check.path
  * New upstream release 27.3 (LP: #1942929)
    - ros:
      + add beta support to enable ros and ros-updates
      + add support for "required services" so that esm-infra and esm-apps
        get auto-enabled when enabling ros or ros-updates
      + add support for "dependent services" so that user gets prompted to
        disable ros/ros-updates if they disable esm-infra/esm-apps
    - fips:
      + allow fips on GCP bionic now that optimized kernel is ready
      + disallow enabling fips on focal on clouds until cloud-optimized focal
        fips-certified kernel is ready (LP: #1939449, LP: #1939932)
      + print warning about generic fips kernel if cloud-id fails
    - cloud:
      + rely only on cloud-id to determine cloud type (LP: #1940131)
      + catch errors when determining cloud type
        (LP: #1938207, LP: #1944676) (GH: #1541)
    - azure:
      + bump IMDS API version to support Azure published images
    - cli:
      + collect-logs command that creates a tar file with debug-relevant logs
        and status info (GH: #463)
      + clean locks on exceptions more thoroughly to avoid false "Operation in
        progress" status messages
      + retain past service state after detach
      + shows better error message when a port value in a proxy is invalid
    - non-unicode locale support:
      + remove unicode-only characters from help file
      + don't print unicode-only characters in ua fix if non-utf8 locale
        (GH: #1463)
    - logrotate:
      + add logrotate functionality for ubuntu-advantage-timer.log.
      + Fix root:root logrotate permissions.
    - ua-timer.timer:
      + introduce a single systemd timer to handle ua recurring jobs
      + timer runs every 2 hours to support most frequent timer job
      + recurring job intervals are configurable in uaclient.conf
      + individual jobs are disabled if their interval is set to 0
      - status job:
        + update ua status every 12 hours
      - messaging job:
        + update APT/MOTD ESM messaging every 6 hours
      - metering job:
        + disabled until infrastructure is ready
        + for attached machines only, periodically update contract server with
          status information for proper contract metering
    - ua-license-check.timer:
     ...

Read more...

Changed in ubuntu-advantage-tools (Ubuntu Bionic):
status: Fix Committed → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :
Download full text (3.5 KiB)

This bug was fixed in the package ubuntu-advantage-tools - 27.3~16.04.1

---------------
ubuntu-advantage-tools (27.3~16.04.1) xenial; urgency=medium

  * Backport new upstream release: (LP: #1942929) to xenial

ubuntu-advantage-tools (27.3~21.10.1) impish; urgency=medium

  * d/tools.postinst:
    - consider cloud to be "none" on any cloud-id error
    - purge old ua-messaging.timer/service files
    - keep ua-timer.timer disabled if ua-messaging.timer was disabled by
      the user
    - properly configure both ubuntu-advantage-timer and
      ubuntu-advantage-licence-check logs
  * d/tools.postrm:
    - remove ubuntu-advantage-timer and ubuntu-advantage-license-check logs
      during purge
  * systemd:
    - remove ua-messaging.timer/service
    - add new ua-timer.timer that runs every 6 hours
    - add new ua-license_check.timer that runs every 5 minutes only if
      activated by ua-license-check.path
  * New upstream release 27.3 (LP: #1942929)
    - ros:
      + add beta support to enable ros and ros-updates
      + add support for "required services" so that esm-infra and esm-apps
        get auto-enabled when enabling ros or ros-updates
      + add support for "dependent services" so that user gets prompted to
        disable ros/ros-updates if they disable esm-infra/esm-apps
    - fips:
      + allow fips on GCP bionic now that optimized kernel is ready
      + disallow enabling fips on focal on clouds until cloud-optimized focal
        fips-certified kernel is ready (LP: #1939449, LP: #1939932)
      + print warning about generic fips kernel if cloud-id fails
    - cloud:
      + rely only on cloud-id to determine cloud type (LP: #1940131)
      + catch errors when determining cloud type
        (LP: #1938207, LP: #1944676) (GH: #1541)
    - azure:
      + bump IMDS API version to support Azure published images
    - cli:
      + collect-logs command that creates a tar file with debug-relevant logs
        and status info (GH: #463)
      + clean locks on exceptions more thoroughly to avoid false "Operation in
        progress" status messages
      + retain past service state after detach
      + shows better error message when a port value in a proxy is invalid
    - non-unicode locale support:
      + remove unicode-only characters from help file
      + don't print unicode-only characters in ua fix if non-utf8 locale
        (GH: #1463)
    - logrotate:
      + add logrotate functionality for ubuntu-advantage-timer.log.
      + Fix root:root logrotate permissions.
    - ua-timer.timer:
      + introduce a single systemd timer to handle ua recurring jobs
      + timer runs every 2 hours to support most frequent timer job
      + recurring job intervals are configurable in uaclient.conf
      + individual jobs are disabled if their interval is set to 0
      - status job:
        + update ua status every 12 hours
      - messaging job:
        + update APT/MOTD ESM messaging every 6 hours
      - metering job:
        + disabled until infrastructure is ready
        + for attached machines only, periodically update contract server with
          status information for proper contract metering
    - ua-license-check.timer:
     ...

Read more...

Changed in ubuntu-advantage-tools (Ubuntu Xenial):
status: Fix Committed → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :
Download full text (3.4 KiB)

This bug was fixed in the package ubuntu-advantage-tools - 27.3~21.10.1

---------------
ubuntu-advantage-tools (27.3~21.10.1) impish; urgency=medium

  * d/tools.postinst:
    - consider cloud to be "none" on any cloud-id error
    - purge old ua-messaging.timer/service files
    - keep ua-timer.timer disabled if ua-messaging.timer was disabled by
      the user
    - properly configure both ubuntu-advantage-timer and
      ubuntu-advantage-licence-check logs
  * d/tools.postrm:
    - remove ubuntu-advantage-timer and ubuntu-advantage-license-check logs
      during purge
  * systemd:
    - remove ua-messaging.timer/service
    - add new ua-timer.timer that runs every 6 hours
    - add new ua-license_check.timer that runs every 5 minutes only if
      activated by ua-license-check.path
  * New upstream release 27.3 (LP: #1942929)
    - ros:
      + add beta support to enable ros and ros-updates
      + add support for "required services" so that esm-infra and esm-apps
        get auto-enabled when enabling ros or ros-updates
      + add support for "dependent services" so that user gets prompted to
        disable ros/ros-updates if they disable esm-infra/esm-apps
    - fips:
      + allow fips on GCP bionic now that optimized kernel is ready
      + disallow enabling fips on focal on clouds until cloud-optimized focal
        fips-certified kernel is ready (LP: #1939449, LP: #1939932)
      + print warning about generic fips kernel if cloud-id fails
    - cloud:
      + rely only on cloud-id to determine cloud type (LP: #1940131)
      + catch errors when determining cloud type
        (LP: #1938207, LP: #1944676) (GH: #1541)
    - azure:
      + bump IMDS API version to support Azure published images
    - cli:
      + collect-logs command that creates a tar file with debug-relevant logs
        and status info (GH: #463)
      + clean locks on exceptions more thoroughly to avoid false "Operation in
        progress" status messages
      + retain past service state after detach
      + shows better error message when a port value in a proxy is invalid
    - non-unicode locale support:
      + remove unicode-only characters from help file
      + don't print unicode-only characters in ua fix if non-utf8 locale
        (GH: #1463)
    - logrotate:
      + add logrotate functionality for ubuntu-advantage-timer.log.
      + Fix root:root logrotate permissions.
    - ua-timer.timer:
      + introduce a single systemd timer to handle ua recurring jobs
      + timer runs every 2 hours to support most frequent timer job
      + recurring job intervals are configurable in uaclient.conf
      + individual jobs are disabled if their interval is set to 0
      - status job:
        + update ua status every 12 hours
      - messaging job:
        + update APT/MOTD ESM messaging every 6 hours
      - metering job:
        + disabled until infrastructure is ready
        + for attached machines only, periodically update contract server with
          status information for proper contract metering
    - ua-license-check.timer:
      + only runs on LTS GCP instances that are not attached
      + runs every 5 minutes to check if gcp instance has license r...

Read more...

Changed in ubuntu-advantage-tools (Ubuntu):
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.