2022-05-12 01:34:24 |
Grant Orndorff |
bug |
|
|
added bug |
2022-05-12 01:36:17 |
Grant Orndorff |
description |
[Impact]
This release sports both bug-fixes and new features and we would like to make sure all of our supported customers have access to these improvements. The notable ones are:
* A daemon that only runs on GCP
* Currently it ends early based on a default config setting - making it hardly a deamon. But this config setting will be flipped on as soon as it's needed via a follow up SRU, so please review as if the daemon was long-running.
* When it turns on, it will long-poll the GCP metadata endpoint and run `ua auto-attach` when a pro license is added.
* This replaces the 5 minute timer we currently have on GCP.
* A part of this is a shim service only on xenial to replace a needed feature from cloud-init, that is not backported to xenial.
* Contract renewal UX improvements
* `ua status` now notifies you when your contract is updated (e.g. renewed), and instructs the user to run `ua refresh`. (Note this isn't technically required for renewal - services will keep working regardless.)
* `ua refresh` now ensures motd/apt messaging is all up to date in addition to updating contract details.
* In combination, these two features address user concerns over confusing/outdated motd/apt messaging shortly after contract renewal.
* More granular APT Proxy configuration with backwards compatibility
* apt_http(s)_proxy is renamed to global_apt_http(s)_proxy (but the old name still works)
* ua_apt_http(s)_proxy is introduced for ua-scoped apt proxy configurations
* `ua security-status` now includes counts of packages from each archive component
See the changelog entry below for a full list of changes and bugs.
[Test Case]
The following development and SRU process was followed:
[https://wiki.ubuntu.com/UbuntuAdvantageToolsUpdates](https://wiki.ubuntu.com/UbuntuAdvantageToolsUpdates)
The ubuntu-advantage-tools team will be in charge of attaching the artifacts and console output of the appropriate run to the bug. ubuntu-advantage-tools team members will not mark ‘verification-done’ until this has happened.
[Regression Potential]
This is a big update, with several refactors touching many pieces of the codebase. It is possible that some behavior changed in subtle ways not captured by our integration tests.
There are also several small refactors and additions to the postinst script. Any adjustment to postinst poses the risk of breaking upgrades if a mistake was made.
We already dropped support for trusty, but we removed even more trusty related code in this release. It is possible that we were unknowingly relying on some of this trusty code for subtle behavior.
We included backwards compatibility for the proxy configuration changes, but it is possible that if we made a mistake then old configurations will stop working correctly.
[Discussion]
There were a series of discussions about the daemon and it was decided to limit the scope as much as possible. As such, it only runs on GCP on unattached instances. Python won't even be instantiated on other machines. The daemon checks several conditions on start up as well and ends early if any don't match.
There was some effort to keep the memory footprint from being too high. It depends on the python version; on xenial systemd says the daemon takes just under 14Mb and on focal, just under 11Mb. We have regression tests in place to keep on eye on memory usage. When the daemon is running, it will almost always be blocked on a long-poll endpoint, so CPU usage should be minimal.
The daemon does run as root, but doesn't listen on a socket or accept on any user input. It looks at root-only config files and talks to a particular GCP metadata endpoint. If a user were to maliciously MITM the metadata endpoint, they could provide data to the daemon that would cause it to send requests to the Contract Server unnecessarily.
[Changelog]
Coming soon... |
[Impact]
This release sports both bug-fixes and new features and we would like to make sure all of our supported customers have access to these improvements. The notable ones are:
* A daemon that only runs on GCP
* Currently it ends early based on a default config setting - making it
hardly a deamon. But this config setting will be flipped on as soon
as it's needed via a follow up SRU, so please review as if the daemon
was long-running.
* When it turns on, it will long-poll the GCP metadata endpoint and run
`ua auto-attach` when a pro license is added.
* This replaces the 5 minute timer we currently have on GCP.
* A part of this is a shim service only on xenial to replace a needed
feature from cloud-init, that is not backported to xenial.
* Contract renewal UX improvements
* `ua status` now notifies you when your contract is updated (e.g.
renewed), and instructs the user to run `ua refresh`. (Note this
isn't technically required for renewal - services will keep working
for a renewed contract regardless.)
* `ua refresh` now ensures motd/apt messaging is all up to date in
addition to updating contract details.
* In combination, these two features address user concerns over
confusing/outdated motd/apt messaging shortly after contract renewal.
* More granular APT Proxy configuration with backwards compatibility
* apt_http(s)_proxy is renamed to global_apt_http(s)_proxy (but the old
name still works)
* ua_apt_http(s)_proxy is introduced for ua-scoped apt proxy
configurations
* `ua security-status` now includes counts of packages from each archive
component
See the changelog entry below for a full list of changes and bugs.
[Test Case]
The following development and SRU process was followed:
[https://wiki.ubuntu.com/UbuntuAdvantageToolsUpdates](https://wiki.ubuntu.com/UbuntuAdvantageToolsUpdates)
The ubuntu-advantage-tools team will be in charge of attaching the artifacts and console output of the appropriate run to the bug. ubuntu-advantage-tools team members will not mark ‘verification-done’ until this has happened.
[Regression Potential]
This is a big update, with several refactors touching many pieces of the codebase. It is possible that some behavior changed in subtle ways not captured by our integration tests.
There are also several small refactors and additions to the postinst script. Any adjustment to postinst poses the risk of breaking upgrades if a mistake was made.
We already dropped support for trusty, but we removed even more trusty related code in this release. It is possible that we were unknowingly relying on some of this trusty code for subtle behavior.
We included backwards compatibility for the proxy configuration changes, but it is possible that if we made a mistake then old configurations will stop working correctly.
[Discussion]
There were a series of discussions about the daemon and it was decided to limit the scope as much as possible. As such, it only runs on GCP on unattached instances. Python won't even be instantiated on other machines. The daemon checks several conditions on start up as well and ends early if any don't match.
There was some effort to keep the memory footprint from being too high. It depends on the python version; on xenial systemd says the daemon takes just under 14Mb and on focal, just under 11Mb. We have regression tests in place to keep on eye on memory usage. When the daemon is running, it will almost always be blocked on a long-poll endpoint, so CPU usage should be minimal.
The daemon does run as root, but doesn't listen on a socket or accept on any user input. It looks at root-only config files and talks to a particular GCP metadata endpoint. If a user were to maliciously MITM the metadata endpoint, they could provide data to the daemon that would cause it to send requests to the Contract Server unnecessarily.
[Changelog]
Coming soon... |
|
2022-05-19 17:39:24 |
Grant Orndorff |
description |
[Impact]
This release sports both bug-fixes and new features and we would like to make sure all of our supported customers have access to these improvements. The notable ones are:
* A daemon that only runs on GCP
* Currently it ends early based on a default config setting - making it
hardly a deamon. But this config setting will be flipped on as soon
as it's needed via a follow up SRU, so please review as if the daemon
was long-running.
* When it turns on, it will long-poll the GCP metadata endpoint and run
`ua auto-attach` when a pro license is added.
* This replaces the 5 minute timer we currently have on GCP.
* A part of this is a shim service only on xenial to replace a needed
feature from cloud-init, that is not backported to xenial.
* Contract renewal UX improvements
* `ua status` now notifies you when your contract is updated (e.g.
renewed), and instructs the user to run `ua refresh`. (Note this
isn't technically required for renewal - services will keep working
for a renewed contract regardless.)
* `ua refresh` now ensures motd/apt messaging is all up to date in
addition to updating contract details.
* In combination, these two features address user concerns over
confusing/outdated motd/apt messaging shortly after contract renewal.
* More granular APT Proxy configuration with backwards compatibility
* apt_http(s)_proxy is renamed to global_apt_http(s)_proxy (but the old
name still works)
* ua_apt_http(s)_proxy is introduced for ua-scoped apt proxy
configurations
* `ua security-status` now includes counts of packages from each archive
component
See the changelog entry below for a full list of changes and bugs.
[Test Case]
The following development and SRU process was followed:
[https://wiki.ubuntu.com/UbuntuAdvantageToolsUpdates](https://wiki.ubuntu.com/UbuntuAdvantageToolsUpdates)
The ubuntu-advantage-tools team will be in charge of attaching the artifacts and console output of the appropriate run to the bug. ubuntu-advantage-tools team members will not mark ‘verification-done’ until this has happened.
[Regression Potential]
This is a big update, with several refactors touching many pieces of the codebase. It is possible that some behavior changed in subtle ways not captured by our integration tests.
There are also several small refactors and additions to the postinst script. Any adjustment to postinst poses the risk of breaking upgrades if a mistake was made.
We already dropped support for trusty, but we removed even more trusty related code in this release. It is possible that we were unknowingly relying on some of this trusty code for subtle behavior.
We included backwards compatibility for the proxy configuration changes, but it is possible that if we made a mistake then old configurations will stop working correctly.
[Discussion]
There were a series of discussions about the daemon and it was decided to limit the scope as much as possible. As such, it only runs on GCP on unattached instances. Python won't even be instantiated on other machines. The daemon checks several conditions on start up as well and ends early if any don't match.
There was some effort to keep the memory footprint from being too high. It depends on the python version; on xenial systemd says the daemon takes just under 14Mb and on focal, just under 11Mb. We have regression tests in place to keep on eye on memory usage. When the daemon is running, it will almost always be blocked on a long-poll endpoint, so CPU usage should be minimal.
The daemon does run as root, but doesn't listen on a socket or accept on any user input. It looks at root-only config files and talks to a particular GCP metadata endpoint. If a user were to maliciously MITM the metadata endpoint, they could provide data to the daemon that would cause it to send requests to the Contract Server unnecessarily.
[Changelog]
Coming soon... |
[Impact]
This release sports both bug-fixes and new features and we would like to make sure all of our supported customers have access to these improvements. The notable ones are:
* A daemon that only runs on GCP
* Currently it ends early based on a default config setting - making it
hardly a deamon. But this config setting will be flipped on as soon
as it's needed via a follow up SRU, so please review as if the daemon
was long-running.
* When it turns on, it will long-poll the GCP metadata endpoint and run
`ua auto-attach` when a pro license is added.
* This replaces the 5 minute timer we currently have on GCP.
* A part of this is a shim service only on xenial to replace a needed
feature from cloud-init, that is not backported to xenial.
* Contract renewal UX improvements
* `ua status` now notifies you when your contract is updated (e.g.
renewed), and instructs the user to run `ua refresh`. (Note this
isn't technically required for renewal - services will keep working
for a renewed contract regardless.)
* `ua refresh` now ensures motd/apt messaging is all up to date in
addition to updating contract details.
* In combination, these two features address user concerns over
confusing/outdated motd/apt messaging shortly after contract renewal.
* More granular APT Proxy configuration with backwards compatibility
* apt_http(s)_proxy is renamed to global_apt_http(s)_proxy (but the old
name still works)
* ua_apt_http(s)_proxy is introduced for ua-scoped apt proxy
configurations
* `ua security-status` now includes counts of packages from each archive
component
See the changelog entry below for a full list of changes and bugs.
[Test Case]
The following development and SRU process was followed:
[https://wiki.ubuntu.com/UbuntuAdvantageToolsUpdates](https://wiki.ubuntu.com/UbuntuAdvantageToolsUpdates)
The ubuntu-advantage-tools team will be in charge of attaching the artifacts and console output of the appropriate run to the bug. ubuntu-advantage-tools team members will not mark ‘verification-done’ until this has happened.
[Regression Potential]
This is a big update, with several refactors touching many pieces of the codebase. It is possible that some behavior changed in subtle ways not captured by our integration tests.
There are also several small refactors and additions to the postinst script. Any adjustment to postinst poses the risk of breaking upgrades if a mistake was made.
We already dropped support for trusty, but we removed even more trusty related code in this release. It is possible that we were unknowingly relying on some of this trusty code for subtle behavior.
We included backwards compatibility for the proxy configuration changes, but it is possible that if we made a mistake then old configurations will stop working correctly.
[Discussion]
There were a series of discussions about the daemon and it was decided to limit the scope as much as possible. As such, it only runs on GCP on unattached instances. Python won't even be instantiated on other machines. The daemon checks several conditions on start up as well and ends early if any don't match.
There was some effort to keep the memory footprint from being too high. It depends on the python version; on xenial systemd says the daemon takes just under 14Mb and on focal, just under 11Mb. We have regression tests in place to keep on eye on memory usage. When the daemon is running, it will almost always be blocked on a long-poll endpoint, so CPU usage should be minimal.
The daemon does run as root, but doesn't listen on a socket or accept on any user input. It looks at root-only config files and talks to a particular GCP metadata endpoint. If a user were to maliciously MITM the metadata endpoint, they could provide data to the daemon that would cause it to send requests to the Contract Server unnecessarily.
[Changelog]
* d/rules
- remove trusty specific code
- remove ua-license-check.{timer,service,path}
- install ubuntu-advantage.service
- only on xenial: install ubuntu-advantage-cloud-id-shim.service
* d/tools.postinst
- remove trusty specific code
- print warnings if /etc/os-release doesn't have required fields
- hardcode service list instead of exec-ing python3 for old migration
- refactor python to avoid instantiating UAConfig extra times
- refactor python to always use messages module for strings
- rm the old marker file that triggered ua-license-check.path
- remove unnecessary deb-systemd-helper check in ua-messaging cleanup
- clean up old ua-license-check state
- run new cloud-id-shim script
* d/tools/postrm
- clean up ubuntu-advantage-daemon log files
* New upstream release 27.9 (LP: #1973099)
- cli:
+ for json formatted output, include additional_info for some errors
+ new subcommand `ua refresh messages` to update motd and apt messages
- daemon:
+ replace ua-license-check timer with ubuntu-advantage.service daemon
+ detects on-boot if pro license was added and runs auto-attach
+ only runs on gcp and does not continuously long-poll by default for now
- enable:
+ fix error message on wrong service name when unattached
- fips:
+ allow enabling generic fips kernel on azure by default
+ clean up fips reboot message (LP: #1972026)
- fix:
+ handle errors during attach process
+ fix bug where enable or detach during a fix failed (LP: #1969809)
+ fix bug where attempting to fix some CVEs would never finish
- performance:
+ remove unnecessary UAConfig object instantiation (also cleans up logs)
+ cache "apt-cache policy" output to avoid unnecessary subp calls
- proxy:
+ apt_http(s)_proxy renamed to global_apt_http(s)_proxy
+ apt_http(s)_proxy config var names will still work
+ new ua_apt_http(s)_proxy for only ua-related apt traffic (LP: #1956764)
+ global_apt_http(s)_proxy and ua_apt_http(s)_proxy cannot be set at the
same time
- realtime: adjust warning to clarify that a manual revert is possible
- refresh: a normal `ua refresh` will also update motd and apt messages
- security-status: add counts of packages from each archive component
- status: check if contract has updated and notify user to run "ua refresh" |
|
2022-06-19 14:36:24 |
Launchpad Janitor |
ubuntu-advantage-tools (Ubuntu): status |
New |
Fix Released |
|
2022-06-20 14:20:04 |
Robie Basak |
ubuntu-advantage-tools (Ubuntu Jammy): status |
New |
Fix Committed |
|
2022-06-20 14:20:05 |
Robie Basak |
bug |
|
|
added subscriber Ubuntu Stable Release Updates Team |
2022-06-20 14:20:07 |
Robie Basak |
bug |
|
|
added subscriber SRU Verification |
2022-06-20 14:20:09 |
Robie Basak |
tags |
|
verification-needed verification-needed-jammy |
|
2022-06-20 14:20:23 |
Robie Basak |
ubuntu-advantage-tools (Ubuntu Impish): status |
New |
Fix Committed |
|
2022-06-20 14:20:26 |
Robie Basak |
tags |
verification-needed verification-needed-jammy |
verification-needed verification-needed-impish verification-needed-jammy |
|
2022-06-20 14:20:41 |
Robie Basak |
ubuntu-advantage-tools (Ubuntu Focal): status |
New |
Fix Committed |
|
2022-06-20 14:20:44 |
Robie Basak |
tags |
verification-needed verification-needed-impish verification-needed-jammy |
verification-needed verification-needed-focal verification-needed-impish verification-needed-jammy |
|
2022-06-20 14:21:01 |
Robie Basak |
ubuntu-advantage-tools (Ubuntu Bionic): status |
New |
Fix Committed |
|
2022-06-20 14:21:04 |
Robie Basak |
tags |
verification-needed verification-needed-focal verification-needed-impish verification-needed-jammy |
verification-needed verification-needed-bionic verification-needed-focal verification-needed-impish verification-needed-jammy |
|
2022-06-20 14:22:23 |
Robie Basak |
ubuntu-advantage-tools (Ubuntu Xenial): status |
New |
Fix Committed |
|
2022-06-20 14:22:29 |
Robie Basak |
tags |
verification-needed verification-needed-bionic verification-needed-focal verification-needed-impish verification-needed-jammy |
verification-needed verification-needed-bionic verification-needed-focal verification-needed-impish verification-needed-jammy verification-needed-xenial |
|
2022-06-23 19:39:43 |
Grant Orndorff |
attachment added |
|
ua27.9verification.tar.gz https://bugs.launchpad.net/ubuntu/+source/ubuntu-advantage-tools/+bug/1973099/+attachment/5599317/+files/ua27.9verification.tar.gz |
|
2022-06-23 19:40:08 |
Grant Orndorff |
tags |
verification-needed verification-needed-bionic verification-needed-focal verification-needed-impish verification-needed-jammy verification-needed-xenial |
verification-done verification-done-bionic verification-done-focal verification-done-impish verification-done-jammy verification-done-xenial |
|
2022-06-27 19:32:20 |
Launchpad Janitor |
ubuntu-advantage-tools (Ubuntu Jammy): status |
Fix Committed |
Fix Released |
|
2022-06-27 19:32:24 |
Brian Murray |
removed subscriber Ubuntu Stable Release Updates Team |
|
|
|
2022-06-27 19:33:48 |
Launchpad Janitor |
ubuntu-advantage-tools (Ubuntu Impish): status |
Fix Committed |
Fix Released |
|
2022-06-27 19:34:09 |
Launchpad Janitor |
ubuntu-advantage-tools (Ubuntu Focal): status |
Fix Committed |
Fix Released |
|
2022-06-27 19:35:11 |
Launchpad Janitor |
ubuntu-advantage-tools (Ubuntu Bionic): status |
Fix Committed |
Fix Released |
|
2022-06-27 19:37:21 |
Launchpad Janitor |
ubuntu-advantage-tools (Ubuntu Xenial): status |
Fix Committed |
Fix Released |
|