[Bug 1832757] Re: Update ubuntu-advantage-client
Andreas Hasenack
andreas at canonical.com
Fri Oct 18 16:18:23 UTC 2019
** Description changed:
[Impact]
This is a major rewrite of ubuntu-advantage-client. This version introduces an updated command line interface (UA Client) to simplify some interaction with Ubuntu Advantage support offerings, and interacts with a new service backend built specifically for this new streamlined experience.
- Disco and Eoan already have this new version (but slightly older), but
- trusty, xenial, bionic and cosmic do not. This update is for trusty only
- at the moment, because the other LTSs and later releases have other
- services available under the UA umbrella which haven't yet been fully
- converted to the new backend.
+ Disco, Eoan, and Focal already have this rewrite (but an older version
+ of it), but trusty, xenial, bionic and cosmic do not. This update is for
+ trusty only at the moment, because the other LTSs and later releases
+ have other services available under the UA umbrella which haven't yet
+ been fully converted to the new backend.
[Test Case]
There are free services available for Trusty and anyone with an ubuntu one account can try them out with the new client.
- You can sign up interactively by just typing:
-
- sudo ua attach
-
- That will prompt you for your ubuntu one login credentials, and 2FA if
- needed, and enable ESM and Livepatch (the latter if running an HWE
- kernel).
-
- Alternatively, you can go to https://auth.contracts.canonical.com/,
- obtain a token, and attach your machine with:
+ In order to attach a machine to UA, first obtain a token at
+ https://auth.contracts.canonical.com/. With that token, attach the
+ machine with this command:
sudo ua attach <token>
+
+ If that's successful, you will have ESM-infra enabled at the end.
Additional test cases to confirm that the package correctly handles
upgrades for all relevant cases:
2.
a. Start with a fresh Ubuntu instance which does not have u-a-t installed (i.e. ubuntu-minimal is not installed). Install u-a-t from -updates.
Do not enable ua. Upgrade to u-a-t from -proposed.
b. In an identical instance, install u-a-t from -proposed.
c. Confirm that the on-disk results of a) and b) are identical.
3.
a. Start with a fresh Ubuntu instance which does not have u-a-t installed (i.e. ubuntu-minimal is not installed). Install u-a-t from -updates. Enable esm with 'ubuntu-advantage enable-esm'. Upgrade to u-a-t from -proposed.
b. In an identical instance, install u-a-t from -proposed. Enable esm with 'ubuntu-advantage attach'.
c. Confirm that the on-disk results of a) and b) are identical.
4.
a. Start with a fresh Ubuntu instance which does have u-a-t installed. Enable esm with 'ubuntu-advantage enable-esm'. Upgrade to u-a-t from -proposed.
b. In an identical instance, upgrade to u-a-t from -proposed. Enable esm with 'ubuntu-advantage attach'.
c. Confirm that the on-disk results of a) and b) are identical.
5.
a. Start with a fresh Ubuntu *precise* instance which does have u-a-t installed and esm enabled. Dist-upgrade to trusty, then upgrade to u-a-t from -proposed.
b. In an identical instance, dist-upgrade to trusty with -proposed enabled.
c. Confirm that the on-disk results of a) and b) are identical.
[Regression Potential]
This is a major rewrite from bash to python3 and there are changes in behavior.
- new services will be listed, but not avaialble for trusty, only for later LTSs
- even when ESM is not enabled, an apt hook will advertise the availability of updates in that repository. This hook has failed in the past while this package was in disco, and that failed the apt transaction. This has of course been fixed since then (see #1824523 and #1824523).
[Other Info]
This is the FFe bug that got this rewrite into Disco at that time:
https://bugs.launchpad.net/ubuntu/+source/ubuntu-advantage-tools/+bug/1814157
Development of this client is happening on github:
https://github.com/CanonicalLtd/ubuntu-advantage-client
The GPG keys can be verified by checking the signed release files over https. Respectively:
CC (not available on trusty atm): https://esm.ubuntu.com/cc/ubuntu/dists/xenial/InRelease
FIPS (not available on trusty atm): https://esm.ubuntu.com/fips/ubuntu/dists/xenial/InRelease
FIPS-updates (not available on trusty atm): https://esm.ubuntu.com/fips-updates/ubuntu/dists/xenial-updates/InRelease
ESM: https://esm.ubuntu.com/ubuntu/dists/trusty-updates/InRelease and https://esm.ubuntu.com/ubuntu/dists/trusty-security/InRelease
cis-audit is not ready and we don't have a gpg key for it yet, so we are
shpping a placeholder file in the package called ubuntu-
securitybenchmarks-keyring.gpg and that is a zero-sized file. Since cis-
audit is not available for trusty, and gpg keyrings are only copied over
to /etc/apt/trusted.gpg.d/ at enable time, this isn't an issue. And even
if it was copied over to that directory, an empty file there doesn't
cause issues. The reason we still have the file is, as said, a
placeholder, as the code and tests expect it, and because we want to use
the same source package for all supported ubuntu releases.
On an upgrade, existing users of trusty esm are expected to run "sudo ua
attach [<token>]", although not doing it won't disable their existing
ESM access. The new ua tool just won't recognize esm as being active in
its "ua status" output until the attach operation is complete. The same
applies to livepatch, if it was enabled before.
** Description changed:
[Impact]
This is a major rewrite of ubuntu-advantage-client. This version introduces an updated command line interface (UA Client) to simplify some interaction with Ubuntu Advantage support offerings, and interacts with a new service backend built specifically for this new streamlined experience.
Disco, Eoan, and Focal already have this rewrite (but an older version
of it), but trusty, xenial, bionic and cosmic do not. This update is for
trusty only at the moment, because the other LTSs and later releases
have other services available under the UA umbrella which haven't yet
been fully converted to the new backend.
[Test Case]
There are free services available for Trusty and anyone with an ubuntu one account can try them out with the new client.
In order to attach a machine to UA, first obtain a token at
https://auth.contracts.canonical.com/. With that token, attach the
machine with this command:
sudo ua attach <token>
If that's successful, you will have ESM-infra enabled at the end.
Additional test cases to confirm that the package correctly handles
upgrades for all relevant cases:
2.
a. Start with a fresh Ubuntu instance which does not have u-a-t installed (i.e. ubuntu-minimal is not installed). Install u-a-t from -updates.
Do not enable ua. Upgrade to u-a-t from -proposed.
b. In an identical instance, install u-a-t from -proposed.
c. Confirm that the on-disk results of a) and b) are identical.
3.
a. Start with a fresh Ubuntu instance which does not have u-a-t installed (i.e. ubuntu-minimal is not installed). Install u-a-t from -updates. Enable esm with 'ubuntu-advantage enable-esm'. Upgrade to u-a-t from -proposed.
b. In an identical instance, install u-a-t from -proposed. Enable esm with 'ubuntu-advantage attach'.
c. Confirm that the on-disk results of a) and b) are identical.
4.
a. Start with a fresh Ubuntu instance which does have u-a-t installed. Enable esm with 'ubuntu-advantage enable-esm'. Upgrade to u-a-t from -proposed.
b. In an identical instance, upgrade to u-a-t from -proposed. Enable esm with 'ubuntu-advantage attach'.
c. Confirm that the on-disk results of a) and b) are identical.
5.
a. Start with a fresh Ubuntu *precise* instance which does have u-a-t installed and esm enabled. Dist-upgrade to trusty, then upgrade to u-a-t from -proposed.
b. In an identical instance, dist-upgrade to trusty with -proposed enabled.
c. Confirm that the on-disk results of a) and b) are identical.
[Regression Potential]
This is a major rewrite from bash to python3 and there are changes in behavior.
- new services will be listed, but not avaialble for trusty, only for later LTSs
- even when ESM is not enabled, an apt hook will advertise the availability of updates in that repository. This hook has failed in the past while this package was in disco, and that failed the apt transaction. This has of course been fixed since then (see #1824523 and #1824523).
[Other Info]
This is the FFe bug that got this rewrite into Disco at that time:
https://bugs.launchpad.net/ubuntu/+source/ubuntu-advantage-tools/+bug/1814157
Development of this client is happening on github:
https://github.com/CanonicalLtd/ubuntu-advantage-client
- The GPG keys can be verified by checking the signed release files over https. Respectively:
- CC (not available on trusty atm): https://esm.ubuntu.com/cc/ubuntu/dists/xenial/InRelease
- FIPS (not available on trusty atm): https://esm.ubuntu.com/fips/ubuntu/dists/xenial/InRelease
- FIPS-updates (not available on trusty atm): https://esm.ubuntu.com/fips-updates/ubuntu/dists/xenial-updates/InRelease
- ESM: https://esm.ubuntu.com/ubuntu/dists/trusty-updates/InRelease and https://esm.ubuntu.com/ubuntu/dists/trusty-security/InRelease
+ Recently esm was renamed to esm-infra. Upgrading from an older package
+ where it was just "esm" is handled in postinst.
- cis-audit is not ready and we don't have a gpg key for it yet, so we are
- shpping a placeholder file in the package called ubuntu-
- securitybenchmarks-keyring.gpg and that is a zero-sized file. Since cis-
- audit is not available for trusty, and gpg keyrings are only copied over
- to /etc/apt/trusted.gpg.d/ at enable time, this isn't an issue. And even
- if it was copied over to that directory, an empty file there doesn't
- cause issues. The reason we still have the file is, as said, a
- placeholder, as the code and tests expect it, and because we want to use
- the same source package for all supported ubuntu releases.
+ The ESM-infra GPG key can be verified by checking the signed release
+ file over https:
+
+ ESM: https://esm.ubuntu.com/ubuntu/dists/trusty-infra-updates/InRelease
+ and https://esm.ubuntu.com/ubuntu/dists/trusty-infra-security/InRelease
On an upgrade, existing users of trusty esm are expected to run "sudo ua
attach [<token>]", although not doing it won't disable their existing
ESM access. The new ua tool just won't recognize esm as being active in
its "ua status" output until the attach operation is complete. The same
applies to livepatch, if it was enabled before.
--
You received this bug notification because you are a member of Ubuntu
Server, which is subscribed to ubuntu-advantage-tools in Ubuntu.
https://bugs.launchpad.net/bugs/1832757
Title:
Update ubuntu-advantage-client
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ubuntu-advantage-tools/+bug/1832757/+subscriptions
More information about the Ubuntu-server-bugs
mailing list