Bug #1832757 “Update ubuntu-advantage-client” : Bugs : ubuntu-advantage-tools package : Ubuntu

Andreas Hasenack (ahasenack) on 2019-06-13

description:	updated
description:	updated
description:	updated

Andreas Hasenack (ahasenack) on 2019-06-13

description:

updated

Andreas Hasenack (ahasenack) on 2019-06-13

description:

updated

Andreas Hasenack (ahasenack) on 2019-06-13

description:

updated

Andreas Hasenack (ahasenack) on 2019-06-13

description:	updated
description:	updated

Sebastien Bacher (seb128) on 2019-06-21

Changed in ubuntu-advantage-tools (Ubuntu):
importance:	Undecided → High
Changed in ubuntu-advantage-tools (Ubuntu Trusty):
importance:	Undecided → High

Andreas Hasenack (ahasenack) on 2019-07-03

Changed in ubuntu-advantage-tools (Ubuntu):
assignee:	nobody → Andreas Hasenack (ahasenack)
status:	New → In Progress

Revision history for this message

Launchpad Janitor (janitor) wrote on 2019-07-04:

#1

This bug was fixed in the package ubuntu-advantage-tools - 19.5.1

---------------
ubuntu-advantage-tools (19.5.1) eoan; urgency=medium

* d/t/usage: fix dep8 test ("entitlements" was renamed to "services")

ubuntu-advantage-tools (19.5) eoan; urgency=medium

  * New upstream release (LP: #1832757):
    - packaging:
      + d/control: depend on libapt-pkg<ABI_VERSION> to use pin-priority never
      + d/postinst: adjust logfile permissions
      + d/postinst: remove public files and generate status cache on upgrade
      + d/postinst: Remove the old CACHE_DIR in postinst
      + d/postrm: remove log files on package purge
      + d/postrm: remove the ESM pinning file on purge
      + trusty should remove v1 esm key if present after upgrade
      + keyrings: regenerate keyrings on a trusty host
      + refresh keyrings to match current production for fips and cc-eal
    - apt:
      + all repo entitlements now call apt-get update on enable
      + enable -updates if -updates from the Ubuntu archive is enabled
      + Add basic i18n (good enough for lang packs)
      + retry apt install and update commands 3 times simple backoff
      + write commented -updates lines instead of omitting them
    - attach/detach:
      + added --no-auto-enable option
      + suppress messages from inapplicable default entitlements
      + two-factor auth reprompt only two-factor auth on failed 2fa
      + honour enableByDefault obligations from contract server
      + livepatch: no auto-enable on attach for trusty
      + don't attempt to disable inapplicable entitlements during detach
      + check for root before checking for attach in assert_attached_root
    - status:
      + add --json cli formatting option
      + emit a SERVICE header in status output
      + redact technical support and expiry for free contracts
      + unentitled services will report n/a
    - cc-eal:
      + add a warning about download size before install
      + change cc to cc-eal in docs, parameters and commandline help
    - esm:
      + add esm-v2 gpg keyring, drop old keyring, ignore aptKey directive
      + and livepatch auto enabled on attach where supported
      + on upgrade do not install preferences to pin never if esm enabled
      + remove only the apt auth entry on disable, leaving sources.list
      + use Pin-Priority never apt preference file to disable esm initially
    - fips:
      + display as pending when linux-fips is not the running kernel
      + only install/upgrade optional packages that are already on the system
    - logs:
      + no longer redact secrets as logfile is root read-only
      + separate console log devel from logfile level
      + remove level from messages to the console
    - add subcommand to refresh all contract details
    - config: allow contract_url and sso_auth_url to have a trailing slash
    - docker: fix persisting generated uuid on images without machine-id files
    - environ: allow lowercase ua_<config_option> overrides
    - repo: un-comment ESM sources.list lines on repo disable
    - updated manpage and help docs

-- Andreas Hasenack <email address hidden> Wed, 03 Jul 2019 21:55:25 -0300

This bug was fixed in the package ubuntu-advantage-tools - 19.5.1

---------------
ubuntu-advantage-tools (19.5.1) eoan; urgency=medium

* d/t/usage: fix dep8 test ("entitlements" was renamed to "services")

ubuntu-advantage-tools (19.5) eoan; urgency=medium

* New upstream release (LP: #1832757):
    - packaging:
      + d/control: depend on libapt-pkg<ABI_VERSION> to use pin-priority never
      + d/postinst: adjust logfile permissions
      + d/postinst: remove public files and generate status cache on upgrade
      + d/postinst: Remove the old CACHE_DIR in postinst
      + d/postrm: remove log files on package purge
      + d/postrm: remove the ESM pinning file on purge
      + trusty should remove v1 esm key if present after upgrade
      + keyrings: regenerate keyrings on a trusty host
      + refresh keyrings to match current production for fips and cc-eal
    - apt:
      + all repo entitlements now call apt-get update on enable
      + enable -updates if -updates from the Ubuntu archive is enabled
      + Add basic i18n (good enough for lang packs)
      + retry apt install and update commands 3 times simple backoff
      + write commented -updates lines instead of omitting them
    - attach/detach:
      + added --no-auto-enable option
      + suppress messages from inapplicable default entitlements
      + two-factor auth reprompt only two-factor auth on failed 2fa
      + honour enableByDefault obligations from contract server
      + livepatch: no auto-enable on attach for trusty
      + don't attempt to disable inapplicable entitlements during detach
      + check for root before checking for attach in assert_attached_root
    - status:
      + add --json cli formatting option
      + emit a SERVICE header in status output
      + redact technical support and expiry for free contracts
      + unentitled services will report n/a
    - cc-eal:
      + add a warning about download size before install
      + change cc to cc-eal in docs, parameters and commandline help
    - esm:
      + add esm-v2 gpg keyring, drop old keyring, ignore aptKey directive
      + and livepatch auto enabled on attach where supported
      + on upgrade do not install preferences to pin never if esm enabled
      + remove only the apt auth entry on disable, leaving sources.list
      + use Pin-Priority never apt preference file to disable esm initially
    - fips:
      + display as pending when linux-fips is not the running kernel
      + only install/upgrade optional packages that are already on the system
    - logs:
      + no longer redact secrets as logfile is root read-only
      + separate console log devel from logfile level
      + remove level from messages to the console
    - add subcommand to refresh all contract details
    - config: allow contract_url and sso_auth_url to have a trailing slash
    - docker: fix persisting generated uuid on images without machine-id files
    - environ: allow lowercase ua_<config_option> overrides
    - repo: un-comment ESM sources.list lines on repo disable
    - updated manpage and help docs

-- Andreas Hasenack <andreas@canonical.com>  Wed, 03 Jul 2019 21:55:25 -0300

Changed in ubuntu-advantage-tools (Ubuntu):
status:	In Progress → Fix Released

Andreas Hasenack (ahasenack) on 2019-07-04

Changed in ubuntu-advantage-tools (Ubuntu Trusty):
status:	New → In Progress
assignee:	nobody → Andreas Hasenack (ahasenack)

Steve Langasek (vorlon) on 2019-07-10

description:	updated
description:	updated

Steve Langasek (vorlon) on 2019-07-10

description:

updated

Andreas Hasenack (ahasenack) on 2019-07-11

description:	updated
description:	updated

Andreas Hasenack (ahasenack) on 2019-07-11

description:

updated

Revision history for this message

Steve Langasek (vorlon) wrote on 2019-07-11:

#2

I have verified that the new fips archive key introduced in this SRU (in both the fips and fips-updates keyrings) is the key used to sign the InRelease files served by esm.ubuntu.com over https, both publicly and on the Canonical VPN.

Steve Langasek (vorlon) on 2019-07-11

description:	updated
description:	updated

Andreas Hasenack (ahasenack) on 2019-10-18

Changed in ubuntu-advantage-tools (Ubuntu Trusty):
status:	In Progress → Triaged
assignee:	Andreas Hasenack (ahasenack) → nobody

Andreas Hasenack (ahasenack) on 2019-10-18

description:	updated
description:	updated

Chad Smith (chad.smith) on 2019-10-22

description:

updated

Chad Smith (chad.smith) on 2019-10-23

description:

updated

Chad Smith (chad.smith) on 2019-10-23

description:

updated

Chad Smith (chad.smith) on 2019-10-23

description:

updated

Chad Smith (chad.smith) on 2019-10-23

description:

updated

Chad Smith (chad.smith) on 2019-10-24

description:

updated

Revision history for this message

Steve Langasek (vorlon) wrote on 2019-10-25: Please test proposed package

#3

Hello Andreas, or anyone else affected,

Accepted ubuntu-advantage-tools into trusty-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/ubuntu-advantage-tools/19.6~ubuntu14.04.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-trusty to verification-done-trusty. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-trusty. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in ubuntu-advantage-tools (Ubuntu Trusty):
status:	Triaged → Fix Committed
tags:	added: verification-needed verification-needed-trusty

Revision history for this message

Steve Langasek (vorlon) wrote on 2019-10-25:

#4

Hello Andreas, or anyone else affected,

Accepted ubuntu-advantage-tools into trusty-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/ubuntu-advantage-tools/19.6~ubuntu14.04.2 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-trusty to verification-done-trusty. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-trusty. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Chad Smith (chad.smith) on 2019-10-28

description:

updated

Revision history for this message

Andreas Hasenack (ahasenack) wrote on 2019-10-28:

#5

Download full text (4.6 KiB)

trusty verification, test case (3)

Both start from fresh trusty minimal with no u-a-t installed

a) u-a-t updates -> enable esm -> upgrade proposed
b) u-a-t proposed -> attach

The u-a-t package from updates that was used is: 10ubuntu0.14.04.4
The u-a-t package from proposed that was used is: 19.6~ubuntu14.04.2

1) Output of diff -uNr /tank/trusty-3{a,b}/etc/apt. An explanation follows each hunk:
--- /tank/trusty-3a/etc/apt/auth.conf.d/90ubuntu-advantage
+++ /tank/trusty-3b/etc/apt/auth.conf.d/90ubuntu-advantage
@@ -1 +1 @@
-machine esm.ubuntu.com/ login $user password $pass
+machine esm.ubuntu.com/ login bearer password $reallylongpass

Since (a) didn't run ua attach, but just upgraded to the proposed package, the credentials were not migrated to the new bearer token. ESM keeps working without this step, but "ua status" will say the machine is unattached. This is expected and explained in the last paragraph of the "[Other Info]" section in this SRU bug.

--- /tank/trusty-3a/etc/apt/sources.list.d/ubuntu-esm-infra-trusty.list
+++ /tank/trusty-3b/etc/apt/sources.list.d/ubuntu-esm-infra-trusty.list
@@ -1,5 +1,4 @@
-deb https://esm.ubuntu.com/ubuntu trusty-security main
-# deb-src https://esm.ubuntu.com/ubuntu trusty-security main
-
-deb https://esm.ubuntu.com/ubuntu trusty-updates main
-# deb-src https://esm.ubuntu.com/ubuntu trusty-updates main
+deb https://esm.ubuntu.com/ubuntu trusty-infra-security main
+# deb-src https://esm.ubuntu.com/ubuntu trusty-infra-security main
+deb https://esm.ubuntu.com/ubuntu trusty-infra-updates main
+# deb-src https://esm.ubuntu.com/ubuntu trusty-infra-updates main

Only an "ua attach" command will rewrite the esm pockets in the sources.list snippet to include the "infra" word. The old names, without "infra", will not be removed from the ESM server for trusty, so having step (a) keep using the old names isn't a problem.

2) File listing diff. An explanation follows each hunk:
--- trusty-3a.list
+++ trusty-3b.list
@@ -13723,7 +13723,6 @@
/var/cache/apt/archives/sysv-rc_2.88dsf-41ubuntu6_all.deb
/var/cache/apt/archives/tar_1.27.1-1_amd64.deb
/var/cache/apt/archives/tzdata_2014b-1_all.deb
-/var/cache/apt/archives/ubuntu-advantage-tools_10ubuntu0.14.04.4_all.deb
/var/cache/apt/archives/ubuntu-advantage-tools_19.6~ubuntu14.04.2_amd64.deb
/var/cache/apt/archives/ubuntu-keyring_2012.05.19_all.deb
/var/cache/apt/archives/ucf_3.0027+nmu1_all.deb

(b) didn't go through trusty-updates, therefore that package isn't cached.

@@ -13765,10 +13764,10 @@
/var/lib/apt/lists/br.archive.ubuntu.com_ubuntu_dists_trusty-updates_InRelease
/var/lib/apt/lists/br.archive.ubuntu.com_ubuntu_dists_trusty-updates_main_binary-amd64_Packages
/var/lib/apt/lists/br.archive.ubuntu.com_ubuntu_dists_trusty-updates_main_i18n_Translation-en
-/var/lib/apt/lists/esm.ubuntu.com_ubuntu_dists_trusty-security_InRelease
-/var/lib/apt/lists/esm.ubuntu.com_ubuntu_dists_trusty-security_main_binary-amd64_Packages
-/var/lib/apt/lists/esm.ubuntu.com_ubuntu_dists_trusty-updates_InRelease
-/var/lib/apt/lists/esm.ubuntu.com_ubuntu_dists_trusty-updates_main_binary-amd64_Packages
+/var/lib/apt/lists/esm.ubuntu.com_ubuntu_dists_trusty-infra-security_InRelease...

trusty verification, test case (3)

Both start from fresh trusty minimal with no u-a-t installed

a) u-a-t updates -> enable esm -> upgrade proposed
b) u-a-t proposed -> attach

The u-a-t package from updates that was used is: 10ubuntu0.14.04.4
The u-a-t package from proposed that was used is: 19.6~ubuntu14.04.2

1) Output of diff -uNr /tank/trusty-3{a,b}/etc/apt. An explanation follows each hunk:
--- /tank/trusty-3a/etc/apt/auth.conf.d/90ubuntu-advantage
+++ /tank/trusty-3b/etc/apt/auth.conf.d/90ubuntu-advantage
@@ -1 +1 @@
-machine esm.ubuntu.com/ login $user password $pass
+machine esm.ubuntu.com/ login bearer password $reallylongpass

Since (a) didn't run ua attach, but just upgraded to the proposed package, the credentials were not migrated to the new bearer token. ESM keeps working without this step, but "ua status" will say the machine is unattached. This is expected and explained in the last paragraph of the "[Other Info]" section in this SRU bug.

--- /tank/trusty-3a/etc/apt/sources.list.d/ubuntu-esm-infra-trusty.list
+++ /tank/trusty-3b/etc/apt/sources.list.d/ubuntu-esm-infra-trusty.list
@@ -1,5 +1,4 @@
-deb https://esm.ubuntu.com/ubuntu trusty-security main
-# deb-src https://esm.ubuntu.com/ubuntu trusty-security main
-
-deb https://esm.ubuntu.com/ubuntu trusty-updates main
-# deb-src https://esm.ubuntu.com/ubuntu trusty-updates main
+deb https://esm.ubuntu.com/ubuntu trusty-infra-security main
+# deb-src https://esm.ubuntu.com/ubuntu trusty-infra-security main
+deb https://esm.ubuntu.com/ubuntu trusty-infra-updates main
+# deb-src https://esm.ubuntu.com/ubuntu trusty-infra-updates main

Only an "ua attach" command will rewrite the esm pockets in the sources.list snippet to include the "infra" word. The old names, without "infra", will not be removed from the ESM server for trusty, so having step (a) keep using the old names isn't a problem.

2) File listing diff. An explanation follows each hunk:
--- trusty-3a.list
+++ trusty-3b.list
@@ -13723,7 +13723,6 @@
 /var/cache/apt/archives/sysv-rc_2.88dsf-41ubuntu6_all.deb
 /var/cache/apt/archives/tar_1.27.1-1_amd64.deb
 /var/cache/apt/archives/tzdata_2014b-1_all.deb
-/var/cache/apt/archives/ubuntu-advantage-tools_10ubuntu0.14.04.4_all.deb
 /var/cache/apt/archives/ubuntu-advantage-tools_19.6~ubuntu14.04.2_amd64.deb
 /var/cache/apt/archives/ubuntu-keyring_2012.05.19_all.deb
 /var/cache/apt/archives/ucf_3.0027+nmu1_all.deb

(b) didn't go through trusty-updates, therefore that package isn't cached.

@@ -13765,10 +13764,10 @@
 /var/lib/apt/lists/br.archive.ubuntu.com_ubuntu_dists_trusty-updates_InRelease
 /var/lib/apt/lists/br.archive.ubuntu.com_ubuntu_dists_trusty-updates_main_binary-amd64_Packages
 /var/lib/apt/lists/br.archive.ubuntu.com_ubuntu_dists_trusty-updates_main_i18n_Translation-en
-/var/lib/apt/lists/esm.ubuntu.com_ubuntu_dists_trusty-security_InRelease
-/var/lib/apt/lists/esm.ubuntu.com_ubuntu_dists_trusty-security_main_binary-amd64_Packages
-/var/lib/apt/lists/esm.ubuntu.com_ubuntu_dists_trusty-updates_InRelease
-/var/lib/apt/lists/esm.ubuntu.com_ubuntu_dists_trusty-updates_main_binary-amd64_Packages
+/var/lib/apt/lists/esm.ubuntu.com_ubuntu_dists_trusty-infra-security_InRelease
+/var/lib/apt/lists/esm.ubuntu.com_ubuntu_dists_trusty-infra-security_main_binary-amd64_Packages
+/var/lib/apt/lists/esm.ubuntu.com_ubuntu_dists_trusty-infra-updates_InRelease
+/var/lib/apt/lists/esm.ubuntu.com_ubuntu_dists_trusty-infra-updates_main_binary-amd64_Packages
 /var/lib/apt/lists/lock
 /var/lib/apt/lists/partial
 /var/lib/apt/mirrors

(a) is still using the trusty pockets without the "infra" name, and (b), because it ran an "ua attach", that also runs "apt update", therefore the infra pockets are shown in apt's lists/ directory.

@@ -14881,6 +14880,15 @@
 /var/lib/systemd/deb-systemd-helper-enabled/rsyslog.service.dsh-also
 /var/lib/systemd/deb-systemd-helper-enabled/syslog.service
 /var/lib/ubuntu-advantage
+/var/lib/ubuntu-advantage/machine-id
+/var/lib/ubuntu-advantage/private
+/var/lib/ubuntu-advantage/private/machine-access-cc-eal.json
+/var/lib/ubuntu-advantage/private/machine-access-esm-infra.json
+/var/lib/ubuntu-advantage/private/machine-access-fips.json
+/var/lib/ubuntu-advantage/private/machine-access-fips-updates.json
+/var/lib/ubuntu-advantage/private/machine-access-livepatch.json
+/var/lib/ubuntu-advantage/private/machine-access-support.json
+/var/lib/ubuntu-advantage/private/machine-token.json
 /var/lib/ubuntu-advantage/status.json
 /var/lib/ucf
 /var/lib/ucf/cache

Since (b) ran "ua attach", that fully migrated that setup to the new client, which is then showing content in its data directory at /var/lib/ubuntu-advantage/. The (a) case did not run attach.

I declare test case (3) as having succeeded.

Revision history for this message

Chad Smith (chad.smith) wrote on 2019-10-28:

#6

Download full text (10.7 KiB)

test case 1: trusty `ua attach <token>` enables ESM and can install esm packages

--- Test 1: Attach a trusty machine using a token from auth.contracts.canonical.com and verify ESM is attached and ESM packages can be installed.
Launch Trusty container with allowing ssh access for <LP_ID>
Creating sru-trusty
Starting sru-trusty
Wait for cloud-init to finish startup on trusty
...
Upgrade ubuntu-advantage-tools to trusty-proposed
deb http://archive.ubuntu.com/ubuntu trusty-proposed main
Get:1 http://security.ubuntu.com trusty-security InRelease [65.9 kB]
Ign http://archive.ubuntu.com trusty InRelease
Get:2 http://security.ubuntu.com trusty-security/main amd64 Packages [835 kB]
Get:3 http://archive.ubuntu.com trusty-updates InRelease [65.9 kB]
Hit http://archive.ubuntu.com trusty-backports InRelease
Get:4 http://security.ubuntu.com trusty-security/restricted amd64 Packages [14.2 kB]
Get:5 http://security.ubuntu.com trusty-security/universe amd64 Packages [294 kB]
Get:6 http://archive.ubuntu.com trusty-proposed InRelease [65.9 kB]
Get:7 http://security.ubuntu.com trusty-security/multiverse amd64 Packages [4806 B]
Get:8 http://security.ubuntu.com trusty-security/main Translation-en [448 kB]
Hit http://archive.ubuntu.com trusty Release.gpg
Get:9 http://archive.ubuntu.com trusty-updates/main amd64 Packages [1177 kB]
Get:10 http://security.ubuntu.com trusty-security/multiverse Translation-en [2564 B]
Get:11 http://security.ubuntu.com trusty-security/restricted Translation-en [3556 B]
Get:12 http://security.ubuntu.com trusty-security/universe Translation-en [162 kB]
Get:13 http://archive.ubuntu.com trusty-updates/restricted amd64 Packages [17.2 kB]
Get:14 http://archive.ubuntu.com trusty-updates/universe amd64 Packages [525 kB]
Get:15 http://archive.ubuntu.com trusty-updates/multiverse amd64 Packages [14.6 kB]
Get:16 http://archive.ubuntu.com trusty-updates/main Translation-en [582 kB]
Get:17 http://archive.ubuntu.com trusty-updates/multiverse Translation-en [7616 B]
Get:18 http://archive.ubuntu.com trusty-updates/restricted Translation-en [4028 B]
Get:19 http://archive.ubuntu.com trusty-updates/universe Translation-en [281 kB]
Hit http://archive.ubuntu.com trusty-backports/main amd64 Packages
Hit http://archive.ubuntu.com trusty-backports/restricted amd64 Packages
Hit http://archive.ubuntu.com trusty-backports/universe amd64 Packages
Hit http://archive.ubuntu.com trusty-backports/multiverse amd64 Packages
Hit http://archive.ubuntu.com trusty-backports/main Translation-en
Hit http://archive.ubuntu.com trusty-backports/multiverse Translation-en
Hit http://archive.ubuntu.com trusty-backports/restricted Translation-en
Hit http://archive.ubuntu.com trusty-backports/universe Translation-en
Get:20 http://archive.ubuntu.com trusty-proposed/main amd64 Packages [4595 B]
Get:21 http://archive.ubuntu.com trusty-proposed/main Translation-en [2932 B]
Hit http://archive.ubuntu.com trusty Release
Hit http://archive.ubuntu.com trusty/main amd64 Packages
Hit http://archive.ubuntu.com trusty/restricted amd64 Packages
Hit http://archive.ubuntu.com trusty/universe amd64 Packages
Hit http://archive.ubuntu.com trusty/multiverse amd64 Packages
Hit http://archive.ubuntu.com t...

test case 1: trusty `ua attach <token>` enables ESM and can install esm packages

--- Test 1: Attach a trusty machine using a token from auth.contracts.canonical.com and verify ESM is attached and ESM packages can be installed.
Launch Trusty container with allowing ssh access for <LP_ID>
Creating sru-trusty
Starting sru-trusty
Wait for cloud-init to finish startup on trusty
...
Upgrade ubuntu-advantage-tools to trusty-proposed
deb http://archive.ubuntu.com/ubuntu trusty-proposed main
Get:1 http://security.ubuntu.com trusty-security InRelease [65.9 kB]
Ign http://archive.ubuntu.com trusty InRelease
Get:2 http://security.ubuntu.com trusty-security/main amd64 Packages [835 kB]
Get:3 http://archive.ubuntu.com trusty-updates InRelease [65.9 kB]
Hit http://archive.ubuntu.com trusty-backports InRelease
Get:4 http://security.ubuntu.com trusty-security/restricted amd64 Packages [14.2 kB]
Get:5 http://security.ubuntu.com trusty-security/universe amd64 Packages [294 kB]
Get:6 http://archive.ubuntu.com trusty-proposed InRelease [65.9 kB]
Get:7 http://security.ubuntu.com trusty-security/multiverse amd64 Packages [4806 B]
Get:8 http://security.ubuntu.com trusty-security/main Translation-en [448 kB]
Hit http://archive.ubuntu.com trusty Release.gpg
Get:9 http://archive.ubuntu.com trusty-updates/main amd64 Packages [1177 kB]
Get:10 http://security.ubuntu.com trusty-security/multiverse Translation-en [2564 B]
Get:11 http://security.ubuntu.com trusty-security/restricted Translation-en [3556 B]
Get:12 http://security.ubuntu.com trusty-security/universe Translation-en [162 kB]
Get:13 http://archive.ubuntu.com trusty-updates/restricted amd64 Packages [17.2 kB]
Get:14 http://archive.ubuntu.com trusty-updates/universe amd64 Packages [525 kB]
Get:15 http://archive.ubuntu.com trusty-updates/multiverse amd64 Packages [14.6 kB]
Get:16 http://archive.ubuntu.com trusty-updates/main Translation-en [582 kB]
Get:17 http://archive.ubuntu.com trusty-updates/multiverse Translation-en [7616 B]
Get:18 http://archive.ubuntu.com trusty-updates/restricted Translation-en [4028 B]
Get:19 http://archive.ubuntu.com trusty-updates/universe Translation-en [281 kB]
Hit http://archive.ubuntu.com trusty-backports/main amd64 Packages
Hit http://archive.ubuntu.com trusty-backports/restricted amd64 Packages
Hit http://archive.ubuntu.com trusty-backports/universe amd64 Packages
Hit http://archive.ubuntu.com trusty-backports/multiverse amd64 Packages
Hit http://archive.ubuntu.com trusty-backports/main Translation-en
Hit http://archive.ubuntu.com trusty-backports/multiverse Translation-en
Hit http://archive.ubuntu.com trusty-backports/restricted Translation-en
Hit http://archive.ubuntu.com trusty-backports/universe Translation-en
Get:20 http://archive.ubuntu.com trusty-proposed/main amd64 Packages [4595 B]
Get:21 http://archive.ubuntu.com trusty-proposed/main Translation-en [2932 B]
Hit http://archive.ubuntu.com trusty Release
Hit http://archive.ubuntu.com trusty/main amd64 Packages
Hit http://archive.ubuntu.com trusty/restricted amd64 Packages
Hit http://archive.ubuntu.com trusty/universe amd64 Packages
Hit http://archive.ubuntu.com trusty/multiverse amd64 Packages
Hit http://archive.ubuntu.com trusty/main Translation-en
Hit http://archive.ubuntu.com trusty/multiverse Translation-en
Hit http://archive.ubuntu.com trusty/restricted Translation-en
Hit http://archive.ubuntu.com trusty/universe Translation-en
Fetched 4578 kB in 15s (294 kB/s)
Reading package lists...
Reading package lists...
Building dependency tree...
Reading state information...
The following packages were automatically installed and are no longer required:
  libfreetype6 os-prober
Use 'apt-get autoremove' to remove them.
The following extra packages will be installed:
  python3-pkg-resources python3-yaml
Suggested packages:
  python3-setuptools
The following NEW packages will be installed:
  python3-pkg-resources python3-yaml
The following packages will be upgraded:
  ubuntu-advantage-tools
1 upgraded, 2 newly installed, 0 to remove and 8 not upgraded.
Need to get 172 kB of archives.
After this operation, 798 kB of additional disk space will be used.
Get:1 http://archive.ubuntu.com/ubuntu/ trusty-updates/main python3-yaml amd64 3.10-4ubuntu0.1 [92.7 kB]
Get:2 http://archive.ubuntu.com/ubuntu/ trusty-updates/main python3-pkg-resources all 3.3-1ubuntu2 [31.7 kB]
Get:3 http://archive.ubuntu.com/ubuntu/ trusty-proposed/main ubuntu-advantage-tools amd64 19.6~ubuntu14.04.2 [47.3 kB]
Fetched 172 kB in 1s (91.9 kB/s)
Selecting previously unselected package python3-yaml.
(Reading database ... 25111 files and directories currently installed.)
Preparing to unpack .../python3-yaml_3.10-4ubuntu0.1_amd64.deb ...
Unpacking python3-yaml (3.10-4ubuntu0.1) ...
Selecting previously unselected package python3-pkg-resources.
Preparing to unpack .../python3-pkg-resources_3.3-1ubuntu2_all.deb ...
Unpacking python3-pkg-resources (3.3-1ubuntu2) ...
Preparing to unpack .../ubuntu-advantage-tools_19.6~ubuntu14.04.2_amd64.deb ...
Moving obsolete conffile /etc/update-motd.d/99-esm out of the way...
Unpacking ubuntu-advantage-tools (19.6~ubuntu14.04.2) over (10ubuntu0.14.04.3) ...
Processing triggers for man-db (2.6.7.1-1ubuntu1) ...
Setting up python3-yaml (3.10-4ubuntu0.1) ...
Setting up python3-pkg-resources (3.3-1ubuntu2) ...
Setting up ubuntu-advantage-tools (19.6~ubuntu14.04.2) ...
Installing new version of config file /etc/apt/apt.conf.d/51ubuntu-advantage-esm ...
Removing obsolete conffile /etc/update-motd.d/99-esm ...
Confirm ubuntu-advantage-tools version from -proposed
ubuntu-advantage-tools:
  Installed: 19.6~ubuntu14.04.2
  Candidate: 19.6~ubuntu14.04.2
  Version table:
 *** 19.6~ubuntu14.04.2 0
        500 http://archive.ubuntu.com/ubuntu/ trusty-proposed/main amd64 Packages
        100 /var/lib/dpkg/status
     10ubuntu0.14.04.4 0
        500 http://archive.ubuntu.com/ubuntu/ trusty-updates/main amd64 Packages
Enable esm on trusty as non-root sudo
The authenticity of host '10.69.12.218 (10.69.12.218)' can't be established.
ECDSA key fingerprint is SHA256:Ai/HHC8l+oTiv2YXrpy5gZgdktAw4MY3x4XOEnig5tI.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.69.12.218' (ECDSA) to the list of known hosts.
Enabling default service esm-infra
Updating package lists
ESM Infra enabled
This machine is now attached to 'chad.smith@canonical.com'

SERVICE       ENTITLED  STATUS    DESCRIPTION
cc-eal        yes                n/a                Common Criteria EAL2 Provisioning Packages
cis-audit     no                 —                  Center for Internet Security Audit Tools
esm-infra     yes                enabled            UA Infra: Extended Security Maintenance
fips          yes                n/a                NIST-certified FIPS modules
fips-updates  yes                n/a                Uncertified security updates to FIPS modules
livepatch     yes                n/a                Canonical Livepatch service

Enable services with: ua enable <service>

Account: chad.smith@canonical.com
Subscription: chad.smith@canonical.com
Confirm ansible is available for trusty esm PPA
ansible:
  Installed: (none)
  Candidate: 1.5.4+dfsg-1ubuntu0.1~esm2
  Version table:
     1.7.2+dfsg-1~ubuntu14.04.1 0
        100 http://archive.ubuntu.com/ubuntu/ trusty-backports/universe amd64 Packages
     1.5.4+dfsg-1ubuntu0.1~esm2 0
        500 https://esm.ubuntu.com/ubuntu/ trusty-infra-security/main amd64 Packages
     1.5.4+dfsg-1 0
        500 http://archive.ubuntu.com/ubuntu/ trusty/universe amd64 Packages
Installing ansible from esm
Reading package lists...
Building dependency tree...
Reading state information...
The following packages were automatically installed and are no longer required:
  libfreetype6 os-prober
Use 'apt-get autoremove' to remove them.
The following extra packages will be installed:
  libgmp10 python-crypto python-httplib2 python-jinja2 python-markupsafe
Suggested packages:
  ansible-doc sshpass python-crypto-dbg python-crypto-doc python-jinja2-doc
The following NEW packages will be installed:
  ansible libgmp10 python-crypto python-httplib2 python-jinja2
  python-markupsafe
0 upgraded, 6 newly installed, 0 to remove and 60 not upgraded.
Need to get 1,089 kB of archives.
After this operation, 5,973 kB of additional disk space will be used.
Get:1 http://archive.ubuntu.com/ubuntu/ trusty/main libgmp10 amd64 2:5.1.3+dfsg-1ubuntu1 [218 kB]
Get:2 https://esm.ubuntu.com/ubuntu/ trusty-infra-security/main python-jinja2 all 2.7.2-2ubuntu0.1~esm1 [162 kB]
Get:3 http://archive.ubuntu.com/ubuntu/ trusty-updates/main python-crypto amd64 2.6.1-4ubuntu0.3 [239 kB]
Get:4 https://esm.ubuntu.com/ubuntu/ trusty-infra-security/main ansible all 1.5.4+dfsg-1ubuntu0.1~esm2 [420 kB]
Get:5 http://archive.ubuntu.com/ubuntu/ trusty/main python-markupsafe amd64 0.18-1build2 [14.3 kB]
Get:6 http://archive.ubuntu.com/ubuntu/ trusty/main python-httplib2 all 0.8-2build1 [35.4 kB]
debconf: unable to initialize frontend: Dialog
debconf: (Dialog frontend will not work on a dumb terminal, an emacs shell buffer, or without a controlling terminal.)
debconf: falling back to frontend: Readline
debconf: unable to initialize frontend: Readline
debconf: (This frontend requires a controlling tty.)
debconf: falling back to frontend: Teletype
dpkg-preconfigure: unable to re-open stdin: 
Fetched 1,089 kB in 2s (416 kB/s)
Selecting previously unselected package libgmp10:amd64.
(Reading database ... 25175 files and directories currently installed.)
Preparing to unpack .../libgmp10_2%3a5.1.3+dfsg-1ubuntu1_amd64.deb ...
Unpacking libgmp10:amd64 (2:5.1.3+dfsg-1ubuntu1) ...
Selecting previously unselected package python-crypto.
Preparing to unpack .../python-crypto_2.6.1-4ubuntu0.3_amd64.deb ...
Unpacking python-crypto (2.6.1-4ubuntu0.3) ...
Selecting previously unselected package python-markupsafe.
Preparing to unpack .../python-markupsafe_0.18-1build2_amd64.deb ...
Unpacking python-markupsafe (0.18-1build2) ...
Selecting previously unselected package python-jinja2.
Preparing to unpack .../python-jinja2_2.7.2-2ubuntu0.1~esm1_all.deb ...
Unpacking python-jinja2 (2.7.2-2ubuntu0.1~esm1) ...
Selecting previously unselected package python-httplib2.
Preparing to unpack .../python-httplib2_0.8-2build1_all.deb ...
Unpacking python-httplib2 (0.8-2build1) ...
Selecting previously unselected package ansible.
Preparing to unpack .../ansible_1.5.4+dfsg-1ubuntu0.1~esm2_all.deb ...
Unpacking ansible (1.5.4+dfsg-1ubuntu0.1~esm2) ...
Processing triggers for man-db (2.6.7.1-1ubuntu1) ...
Setting up libgmp10:amd64 (2:5.1.3+dfsg-1ubuntu1) ...
Setting up python-crypto (2.6.1-4ubuntu0.3) ...
Setting up python-markupsafe (0.18-1build2) ...
Setting up python-jinja2 (2.7.2-2ubuntu0.1~esm1) ...
Setting up python-httplib2 (0.8-2build1) ...
Setting up ansible (1.5.4+dfsg-1ubuntu0.1~esm2) ...
Processing triggers for libc-bin (2.19-0ubuntu6.15) ...

Revision history for this message

Andreas Hasenack (ahasenack) wrote on 2019-10-28:

#7

Download full text (4.6 KiB)

trusty verification, test case (4)

Both scenarios, (a) and (b), start from trusty with u-a-t already installed from updates

Test (a): enable esm -> upgrade to proposed
Test (b): upgrade to proposed -> ua attach (which enables esm)

The u-a-t package from updates that was used is: 10ubuntu0.14.04.4
The u-a-t package from proposed that was used is: 19.6~ubuntu14.04.2

At the end, this is the diff between the files on both containers. I manually removed uninteresting bits like /etc/hostname, /etc/ssh/*, cloud-init data, etc. This is what remains:

1) output of diff -uNr 4a 4b (minus the manually excluded hunks described above):
--- 4a/etc/apt/auth.conf.d/90ubuntu-advantage
+++ 4b/etc/apt/auth.conf.d/90ubuntu-advantage
@@ -1 +1 @@
-machine esm.ubuntu.com/ login $user password $pass
+machine esm.ubuntu.com/ login bearer password $newverylongpass

Since (a) didn't run ua attach, but just upgraded to the proposed package, the credentials were not migrated to the new bearer token. ESM keeps working without this step, but "ua status" will say the machine is unattached. This is expected and explained in the last paragraph of the "[Other Info]" section in this SRU bug.

--- 4a/etc/apt/sources.list.d/ubuntu-esm-infra-trusty.list
+++ 4b/etc/apt/sources.list.d/ubuntu-esm-infra-trusty.list
@@ -1,5 +1,4 @@
-deb https://esm.ubuntu.com/ubuntu trusty-security main
-# deb-src https://esm.ubuntu.com/ubuntu trusty-security main
-
-deb https://esm.ubuntu.com/ubuntu trusty-updates main
-# deb-src https://esm.ubuntu.com/ubuntu trusty-updates main
+deb https://esm.ubuntu.com/ubuntu trusty-infra-security main
+# deb-src https://esm.ubuntu.com/ubuntu trusty-infra-security main
+deb https://esm.ubuntu.com/ubuntu trusty-infra-updates main
+# deb-src https://esm.ubuntu.com/ubuntu trusty-infra-updates main

Only an "ua attach" command will rewrite the esm pockets in the sources.list snippet to include the "infra" word. The old names, without "infra", will not be removed from the ESM server for trusty, so having step (a) keep using the old names isn't a problem.

2) diff -u 4a/files.list 4b/files.list
Manually removed the following diff noise:
- /var/cache/apt/archives
- /var/lib/cloud/instances
- /var/log/auth.log and /var/log/dmesg.1.gz

The following hunks remain:
--- 4a/files.list
+++ 4b/files.list
@@ -29617,10 +29623,10 @@
/var/lib/apt/lists/br.archive.ubuntu.com_ubuntu_dists_trusty-proposed_InRelease
/var/lib/apt/lists/br.archive.ubuntu.com_ubuntu_dists_trusty-proposed_main_binary-amd64_Packages
/var/lib/apt/lists/br.archive.ubuntu.com_ubuntu_dists_trusty-proposed_main_i18n_Translation-en
-/var/lib/apt/lists/esm.ubuntu.com_ubuntu_dists_trusty-security_InRelease
-/var/lib/apt/lists/esm.ubuntu.com_ubuntu_dists_trusty-security_main_binary-amd64_Packages
-/var/lib/apt/lists/esm.ubuntu.com_ubuntu_dists_trusty-updates_InRelease
-/var/lib/apt/lists/esm.ubuntu.com_ubuntu_dists_trusty-updates_main_binary-amd64_Packages
+/var/lib/apt/lists/esm.ubuntu.com_ubuntu_dists_trusty-infra-security_InRelease
+/var/lib/apt/lists/esm.ubuntu.com_ubuntu_dists_trusty-infra-security_main_binary-amd64_Packages
+/var/lib/apt/lists/esm.ubuntu.com_ubuntu_dists_trusty-infra-updates_InRelease
+/...

trusty verification, test case (4)

Both scenarios, (a) and (b), start from trusty with u-a-t already installed from updates

Test (a): enable esm -> upgrade to proposed
Test (b): upgrade to proposed -> ua attach (which enables esm)

The u-a-t package from updates that was used is: 10ubuntu0.14.04.4
The u-a-t package from proposed that was used is: 19.6~ubuntu14.04.2

At the end, this is the diff between the files on both containers. I manually removed uninteresting bits like /etc/hostname, /etc/ssh/*, cloud-init data, etc. This is what remains:

1) output of diff -uNr 4a 4b (minus the manually excluded hunks described above):
--- 4a/etc/apt/auth.conf.d/90ubuntu-advantage
+++ 4b/etc/apt/auth.conf.d/90ubuntu-advantage
@@ -1 +1 @@
-machine esm.ubuntu.com/ login $user password $pass
+machine esm.ubuntu.com/ login bearer password $newverylongpass

Since (a) didn't run ua attach, but just upgraded to the proposed package, the credentials were not migrated to the new bearer token. ESM keeps working without this step, but "ua status" will say the machine is unattached. This is expected and explained in the last paragraph of the "[Other Info]" section in this SRU bug.

--- 4a/etc/apt/sources.list.d/ubuntu-esm-infra-trusty.list
+++ 4b/etc/apt/sources.list.d/ubuntu-esm-infra-trusty.list
@@ -1,5 +1,4 @@
-deb https://esm.ubuntu.com/ubuntu trusty-security main
-# deb-src https://esm.ubuntu.com/ubuntu trusty-security main
-
-deb https://esm.ubuntu.com/ubuntu trusty-updates main
-# deb-src https://esm.ubuntu.com/ubuntu trusty-updates main
+deb https://esm.ubuntu.com/ubuntu trusty-infra-security main
+# deb-src https://esm.ubuntu.com/ubuntu trusty-infra-security main
+deb https://esm.ubuntu.com/ubuntu trusty-infra-updates main
+# deb-src https://esm.ubuntu.com/ubuntu trusty-infra-updates main

Only an "ua attach" command will rewrite the esm pockets in the sources.list snippet to include the "infra" word. The old names, without "infra", will not be removed from the ESM server for trusty, so having step (a) keep using the old names isn't a problem.

2) diff -u 4a/files.list 4b/files.list
Manually removed the following diff noise:
- /var/cache/apt/archives
- /var/lib/cloud/instances
- /var/log/auth.log and /var/log/dmesg.1.gz

The following hunks remain:
--- 4a/files.list
+++ 4b/files.list
@@ -29617,10 +29623,10 @@
 /var/lib/apt/lists/br.archive.ubuntu.com_ubuntu_dists_trusty-proposed_InRelease
 /var/lib/apt/lists/br.archive.ubuntu.com_ubuntu_dists_trusty-proposed_main_binary-amd64_Packages
 /var/lib/apt/lists/br.archive.ubuntu.com_ubuntu_dists_trusty-proposed_main_i18n_Translation-en
-/var/lib/apt/lists/esm.ubuntu.com_ubuntu_dists_trusty-security_InRelease
-/var/lib/apt/lists/esm.ubuntu.com_ubuntu_dists_trusty-security_main_binary-amd64_Packages
-/var/lib/apt/lists/esm.ubuntu.com_ubuntu_dists_trusty-updates_InRelease
-/var/lib/apt/lists/esm.ubuntu.com_ubuntu_dists_trusty-updates_main_binary-amd64_Packages
+/var/lib/apt/lists/esm.ubuntu.com_ubuntu_dists_trusty-infra-security_InRelease
+/var/lib/apt/lists/esm.ubuntu.com_ubuntu_dists_trusty-infra-security_main_binary-amd64_Packages
+/var/lib/apt/lists/esm.ubuntu.com_ubuntu_dists_trusty-infra-updates_InRelease
+/var/lib/apt/lists/esm.ubuntu.com_ubuntu_dists_trusty-infra-updates_main_binary-amd64_Packages
 /var/lib/apt/lists/lock
 /var/lib/apt/lists/partial
 /var/lib/apt/lists/security.ubuntu.com_ubuntu_dists_trusty-security_InRelease

(a) is still using the trusty pockets without the "infra" name, and (b), because it ran an "ua attach", that also runs "apt update", therefore the infra pockets are shown in apt's lists/ directory for (b) and not for (a).

@@ -31900,6 +31953,15 @@
 /var/lib/systemd/deb-systemd-helper-enabled/ssh.socket.dsh-also
 /var/lib/systemd/deb-systemd-helper-enabled/syslog.service
 /var/lib/ubuntu-advantage
+/var/lib/ubuntu-advantage/private
+/var/lib/ubuntu-advantage/private/machine-access-cc-eal.json
+/var/lib/ubuntu-advantage/private/machine-access-esm-infra.json
+/var/lib/ubuntu-advantage/private/machine-access-fips.json
+/var/lib/ubuntu-advantage/private/machine-access-fips-updates.json
+/var/lib/ubuntu-advantage/private/machine-access-livepatch.json
+/var/lib/ubuntu-advantage/private/machine-access-support.json
+/var/lib/ubuntu-advantage/private/machine-token.json
+/var/lib/ubuntu-advantage/status.json
 /var/lib/ubuntu-release-upgrader
 /var/lib/ubuntu-release-upgrader/release-upgrade-available
 /var/lib/ucf

Since (b) ran "ua attach", that fully migrated that setup to the new client, which is then showing content in its data directory at /var/lib/ubuntu-advantage/. The (a) case did not run attach.

I declare test case (4) as having succeeded.

Revision history for this message

Andreas Hasenack (ahasenack) wrote on 2019-10-30:

#8

Test (5a) failed. The scenario is an upgrade from precise with esm enabled to trusty, and then to trusty-proposed. What happened is that after installing the trusty proposed package in this sequence, ESM became disabled.

Upstream bug: https://github.com/CanonicalLtd/ubuntu-advantage-client/issues/899

tags:

added: verification-failed-trusty
removed: verification-needed-trusty

Revision history for this message

Andreas Hasenack (ahasenack) wrote on 2019-10-30:

#9

An 19.6~ubuntu14.04.3 upload with the fix will be done shortly.

Revision history for this message

Steve Langasek (vorlon) wrote on 2019-10-30:

#10

Hello Andreas, or anyone else affected,

Accepted ubuntu-advantage-tools into trusty-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/ubuntu-advantage-tools/19.6~ubuntu14.04.3 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-trusty to verification-done-trusty. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-trusty. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

tags:

added: verification-needed-trusty
removed: verification-failed-trusty

Revision history for this message

Andreas Hasenack (ahasenack) wrote on 2019-10-31:

#11

Repeating tests 1-4 here.

Test number 5, which failed in the previous verification, can be seen done in bug https://bugs.launchpad.net/ubuntu/+source/ubuntu-advantage-tools/+bug/1850672. It was done with do-release-upgade, which is how I expect users would upgrade from precise, and I took care with the repositories to make sure esm was included in the upgrades, and the right ubuntu-advantage-tools package was used each time (either from trusty-updates, or from -proposed).

Revision history for this message

Andreas Hasenack (ahasenack) wrote on 2019-10-31:

#12

Test 1: basic attach w/ proposed
================================

Result: PASS

Details:
$ lxc launch ubuntu-daily:trusty t1
Creating t1
Starting t1

# enable proposed, update, check
$ lxc exec t1 apt-get update
$ lxc exec t1 apt-cache policy ubuntu-advantage-tools
ubuntu-advantage-tools:
  Installed: 10ubuntu0.14.04.3
  Candidate: 19.6~ubuntu14.04.3
  Version table:
     19.6~ubuntu14.04.3 0
        500 http://archive.ubuntu.com/ubuntu/ trusty-proposed/main amd64 Packages
     10ubuntu0.14.04.4 0
        500 http://archive.ubuntu.com/ubuntu/ trusty-updates/main amd64 Packages
*** 10ubuntu0.14.04.3 0

# update
$ lxc exec t1 apt-get install ubuntu-advantage-tools

# attach
$ lxc exec t1 ua attach $token
Enabling default service esm-infra
Updating package lists
ESM Infra enabled
This machine is now attached to '<email address hidden>'

SERVICE ENTITLED STATUS DESCRIPTION
cc-eal yes n/a Common Criteria EAL2 Provisioning Packages
cis-audit no — Center for Internet Security Audit Tools
esm-infra yes enabled UA Infra: Extended Security Maintenance
fips yes n/a NIST-certified FIPS modules
fips-updates yes n/a Uncertified security updates to FIPS modules
livepatch yes n/a Canonical Livepatch service

Enable services with: ua enable <service>

Account: <email address hidden>
Subscription: <email address hidden>

# confirm esm repo is enabled with positive pinning
$ lxc exec t1 apt-cache policy|grep esm
500 https://esm.ubuntu.com/ubuntu/ trusty-infra-updates/main amd64 Packages
origin esm.ubuntu.com
500 https://esm.ubuntu.com/ubuntu/ trusty-infra-security/main amd64 Packages
origin esm.ubuntu.com

# test download an esm update
$ lxc exec t1 -- apt-get install -d sudo
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following packages were automatically installed and are no longer required:
libfreetype6 os-prober
Use 'apt-get autoremove' to remove them.
The following packages will be upgraded:
sudo
1 upgraded, 0 newly installed, 0 to remove and 59 not upgraded.
Need to get 833 kB of archives.
After this operation, 1072 kB of additional disk space will be used.
Get:1 https://esm.ubuntu.com/ubuntu/ trusty-infra-security/main sudo amd64 1.8.9p5-1ubuntu1.5+esm2 [833 kB]
Fetched 833 kB in 5s (166 kB/s)
Download complete and in download only mode

Test 1: basic attach w/ proposed
================================

Result: PASS

Details:
$ lxc launch ubuntu-daily:trusty t1
Creating t1
Starting t1

# enable proposed, update, check
$ lxc exec t1 apt-get update
$ lxc exec t1 apt-cache policy ubuntu-advantage-tools
ubuntu-advantage-tools:
  Installed: 10ubuntu0.14.04.3
  Candidate: 19.6~ubuntu14.04.3
  Version table:
     19.6~ubuntu14.04.3 0
        500 http://archive.ubuntu.com/ubuntu/ trusty-proposed/main amd64 Packages
     10ubuntu0.14.04.4 0
        500 http://archive.ubuntu.com/ubuntu/ trusty-updates/main amd64 Packages
 *** 10ubuntu0.14.04.3 0

# update
$ lxc exec t1 apt-get install ubuntu-advantage-tools

# attach
$ lxc exec t1 ua attach $token
Enabling default service esm-infra
Updating package lists
ESM Infra enabled
This machine is now attached to 'panlinux@gmail.com'

SERVICE       ENTITLED  STATUS    DESCRIPTION
cc-eal        yes       n/a       Common Criteria EAL2 Provisioning Packages
cis-audit     no        —         Center for Internet Security Audit Tools
esm-infra     yes       enabled   UA Infra: Extended Security Maintenance
fips          yes       n/a       NIST-certified FIPS modules
fips-updates  yes       n/a       Uncertified security updates to FIPS modules
livepatch     yes       n/a       Canonical Livepatch service

Enable services with: ua enable <service>

Account: panlinux@gmail.com
Subscription: panlinux@gmail.com

# confirm esm repo is enabled with positive pinning
$ lxc exec t1 apt-cache policy|grep esm
 500 https://esm.ubuntu.com/ubuntu/ trusty-infra-updates/main amd64 Packages
     origin esm.ubuntu.com
 500 https://esm.ubuntu.com/ubuntu/ trusty-infra-security/main amd64 Packages
     origin esm.ubuntu.com

# test download an esm update
$ lxc exec t1 -- apt-get install -d sudo
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following packages were automatically installed and are no longer required:
  libfreetype6 os-prober
Use 'apt-get autoremove' to remove them.
The following packages will be upgraded:
  sudo
1 upgraded, 0 newly installed, 0 to remove and 59 not upgraded.
Need to get 833 kB of archives.
After this operation, 1072 kB of additional disk space will be used.
Get:1 https://esm.ubuntu.com/ubuntu/ trusty-infra-security/main sudo amd64 1.8.9p5-1ubuntu1.5+esm2 [833 kB]
Fetched 833 kB in 5s (166 kB/s)
Download complete and in download only mode

Revision history for this message

Andreas Hasenack (ahasenack) wrote on 2019-10-31:

#13

Test 2:
a) fresh install from t-updates, go to t-proposed
b) fresh install from t-proposed directly

Result: PASS

Details:
At the end, we have two chroots: /tank/trusty-2a and /tank/trusty-2b
# chroot /tank/trusty-2a apt-cache policy ubuntu-advantage-tools
ubuntu-advantage-tools:
  Installed: 19.6~ubuntu14.04.3
  Candidate: 19.6~ubuntu14.04.3
  Version table:
*** 19.6~ubuntu14.04.3 0
        500 http://br.archive.ubuntu.com/ubuntu/ trusty-proposed/main amd64 Packages
        100 /var/lib/dpkg/status
     10ubuntu0.14.04.4 0
        500 http://br.archive.ubuntu.com/ubuntu/ trusty-updates/main amd64 Packages

# chroot /tank/trusty-2b apt-cache policy ubuntu-advantage-tools
ubuntu-advantage-tools:
  Installed: 19.6~ubuntu14.04.3
  Candidate: 19.6~ubuntu14.04.3
  Version table:
*** 19.6~ubuntu14.04.3 0
        500 http://br.archive.ubuntu.com/ubuntu/ trusty-proposed/main amd64 Packages
        100 /var/lib/dpkg/status
     10ubuntu0.14.04.4 0
        500 http://br.archive.ubuntu.com/ubuntu/ trusty-updates/main amd64 Packages

Diffing content of both chroots:
# find /tank/trusty-2b/ -xdev | sed -r 's,^/tank/[^/]+,,' | sort > full-trusty-2b.list
# find /tank/trusty-2a/ -xdev | sed -r 's,^/tank/[^/]+,,' | sort > full-trusty-2a.list

The diff is:
# diff -u full-trusty-2{a,b}.list
--- full-trusty-2a.list 2019-10-31 14:46:33.307720630 -0300
+++ full-trusty-2b.list 2019-10-31 14:46:26.487592874 -0300
@@ -1567,7 +1567,6 @@
/opt
/proc
/root
-/root/.bash_history
/root/.bashrc
/root/.profile
/run
@@ -13724,7 +13723,6 @@
/var/cache/apt/archives/sysv-rc_2.88dsf-41ubuntu6_all.deb
/var/cache/apt/archives/tar_1.27.1-1_amd64.deb
/var/cache/apt/archives/tzdata_2014b-1_all.deb
-/var/cache/apt/archives/ubuntu-advantage-tools_10ubuntu0.14.04.4_all.deb
/var/cache/apt/archives/ubuntu-advantage-tools_19.6~ubuntu14.04.3_amd64.deb
/var/cache/apt/archives/ubuntu-keyring_2012.05.19_all.deb
/var/cache/apt/archives/ucf_3.0027+nmu1_all.deb

The above shows that trusty-2a went through the trusty-updates u-a-t package, while trusty-2b didn't.

Test 2:
a) fresh install from t-updates, go to t-proposed
b) fresh install from t-proposed directly

Result: PASS

Details:
At the end, we have two chroots: /tank/trusty-2a and /tank/trusty-2b
# chroot /tank/trusty-2a apt-cache policy ubuntu-advantage-tools
ubuntu-advantage-tools:
  Installed: 19.6~ubuntu14.04.3
  Candidate: 19.6~ubuntu14.04.3
  Version table:
 *** 19.6~ubuntu14.04.3 0
        500 http://br.archive.ubuntu.com/ubuntu/ trusty-proposed/main amd64 Packages
        100 /var/lib/dpkg/status
     10ubuntu0.14.04.4 0
        500 http://br.archive.ubuntu.com/ubuntu/ trusty-updates/main amd64 Packages

# chroot /tank/trusty-2b apt-cache policy ubuntu-advantage-tools
ubuntu-advantage-tools:
  Installed: 19.6~ubuntu14.04.3
  Candidate: 19.6~ubuntu14.04.3
  Version table:
 *** 19.6~ubuntu14.04.3 0
        500 http://br.archive.ubuntu.com/ubuntu/ trusty-proposed/main amd64 Packages
        100 /var/lib/dpkg/status
     10ubuntu0.14.04.4 0
        500 http://br.archive.ubuntu.com/ubuntu/ trusty-updates/main amd64 Packages

Diffing content of both chroots:
# find /tank/trusty-2b/ -xdev | sed -r 's,^/tank/[^/]+,,' | sort > full-trusty-2b.list
# find /tank/trusty-2a/ -xdev | sed -r 's,^/tank/[^/]+,,' | sort > full-trusty-2a.list

The diff is:
# diff -u full-trusty-2{a,b}.list
--- full-trusty-2a.list	2019-10-31 14:46:33.307720630 -0300
+++ full-trusty-2b.list	2019-10-31 14:46:26.487592874 -0300
@@ -1567,7 +1567,6 @@
 /opt
 /proc
 /root
-/root/.bash_history
 /root/.bashrc
 /root/.profile
 /run
@@ -13724,7 +13723,6 @@
 /var/cache/apt/archives/sysv-rc_2.88dsf-41ubuntu6_all.deb
 /var/cache/apt/archives/tar_1.27.1-1_amd64.deb
 /var/cache/apt/archives/tzdata_2014b-1_all.deb
-/var/cache/apt/archives/ubuntu-advantage-tools_10ubuntu0.14.04.4_all.deb
 /var/cache/apt/archives/ubuntu-advantage-tools_19.6~ubuntu14.04.3_amd64.deb
 /var/cache/apt/archives/ubuntu-keyring_2012.05.19_all.deb
 /var/cache/apt/archives/ucf_3.0027+nmu1_all.deb

The above shows that trusty-2a went through the trusty-updates u-a-t package, while trusty-2b didn't.

Revision history for this message

Andreas Hasenack (ahasenack) wrote on 2019-10-31:

#14

addendum for test 2:
# diff -uNr /tank/trusty-2{a,b}/ 2>/dev/null|diffstat
root/.bash_history | 2
var/cache/apt/archives/ubuntu-advantage-tools_10ubuntu0.14.04.4_all.deb |binary
var/cache/apt/pkgcache.bin |binary
var/cache/ldconfig/aux-cache |binary
var/lib/apt/extended_states | 24
var/lib/dpkg/available | 46
var/lib/dpkg/available-old | 601 ---------
var/lib/dpkg/status-old | 105 -
var/log/apt/history.log | 12
var/log/apt/term.log | 7
var/log/dpkg.log | 639 ++++------
11 files changed, 409 insertions(+), 1027 deletions(-)

2>/dev/null was added because of broken absolute symlinks, which are only fine inside the chroot, but not from the outside. Full list at https://paste.ubuntu.com/p/sMmzYRrJT9/

Revision history for this message

Andreas Hasenack (ahasenack) wrote on 2019-10-31:

#15

Download full text (4.6 KiB)

Test 3:
From a fresh trusty system, no uat installed, no ubuntu-minimal installed
a) install uat from updates, enable esm, upgrade to proposed
b) install uat from proposed, enable esm (via ua attach)

Result: PASS

Details:
At the end, confirmed that both chroots have esm enabled and with a positive pinning:
# chroot /tank/trusty-3a/ apt-cache policy | grep esm
500 https://esm.ubuntu.com/ubuntu/ trusty-updates/main amd64 Packages
     origin esm.ubuntu.com
500 https://esm.ubuntu.com/ubuntu/ trusty-security/main amd64 Packages
     origin esm.ubuntu.com
# chroot /tank/trusty-3b/ apt-cache policy | grep esm
500 https://esm.ubuntu.com/ubuntu/ trusty-infra-updates/main amd64 Packages
     origin esm.ubuntu.com
500 https://esm.ubuntu.com/ubuntu/ trusty-infra-security/main amd64 Packages
     origin esm.ubuntu.com

Note how (3b) is using the new infra pocket names, however. That's because "ua attach" was run in that case, and it wasn't run in (3a). Both work, though, and it's expected that users will eventually run "ua attach" after upgrading even if they had esm enabled before. This is mentioned in the [Other Info] section of the bug description.

Filesystem differences:
# diff -uNr /tank/trusty-3{a,b}/ 2>/dev/null | diffstat -l
etc/apt/auth.conf.d/90ubuntu-advantage
etc/apt/sources.list.d/ubuntu-esm-infra-trusty.list
var/cache/apt/archives/ubuntu-advantage-tools_10ubuntu0.14.04.4_all.deb
var/cache/apt/pkgcache.bin
var/cache/apt/srcpkgcache.bin
var/cache/ldconfig/aux-cache
var/lib/apt/extended_states
var/lib/apt/lists/esm.ubuntu.com_ubuntu_dists_trusty-infra-security_InRelease
var/lib/apt/lists/esm.ubuntu.com_ubuntu_dists_trusty-infra-security_main_binary-amd64_Packages
var/lib/apt/lists/esm.ubuntu.com_ubuntu_dists_trusty-infra-updates_InRelease
var/lib/apt/lists/esm.ubuntu.com_ubuntu_dists_trusty-infra-updates_main_binary-amd64_Packages
var/lib/apt/lists/esm.ubuntu.com_ubuntu_dists_trusty-security_InRelease
var/lib/apt/lists/esm.ubuntu.com_ubuntu_dists_trusty-security_main_binary-amd64_Packages
var/lib/apt/lists/esm.ubuntu.com_ubuntu_dists_trusty-updates_InRelease
var/lib/apt/lists/esm.ubuntu.com_ubuntu_dists_trusty-updates_main_binary-amd64_Packages
var/lib/dpkg/available
var/lib/dpkg/available-old
var/lib/dpkg/status-old
var/lib/ubuntu-advantage/machine-id
var/lib/ubuntu-advantage/private/machine-access-cc-eal.json
var/lib/ubuntu-advantage/private/machine-access-esm-infra.json
var/lib/ubuntu-advantage/private/machine-access-fips-updates.json
var/lib/ubuntu-advantage/private/machine-access-fips.json
var/lib/ubuntu-advantage/private/machine-access-livepatch.json
var/lib/ubuntu-advantage/private/machine-access-support.json
var/lib/ubuntu-advantage/private/machine-token.json
var/lib/ubuntu-advantage/status.json
var/log/apt/history.log
var/log/apt/term.log
var/log/dpkg.log
var/log/ubuntu-advantage.log

Of the above, only /etc/apt is of interest, so let's take a closer look:
# diff -uNr /tank/trusty-3{a,b}/etc/apt
diff -uNr /tank/trusty-3a/etc/apt/auth.conf.d/90ubuntu-advantage /tank/trusty-3b/etc/apt/auth.conf.d/90ubuntu-advantage
--- /tank/trusty-3a/etc/apt/auth.conf.d/90ubuntu-advantage 2019-10-31 15:04:20.083887502 -0300
+++ /tank/trusty-3b/e...

Test 3:
From a fresh trusty system, no uat installed, no ubuntu-minimal installed
a) install uat from updates, enable esm, upgrade to proposed
b) install uat from proposed, enable esm (via ua attach)

Result: PASS

Details:
At the end, confirmed that both chroots have esm enabled and with a positive pinning:
# chroot /tank/trusty-3a/ apt-cache policy | grep esm
 500 https://esm.ubuntu.com/ubuntu/ trusty-updates/main amd64 Packages
     origin esm.ubuntu.com
 500 https://esm.ubuntu.com/ubuntu/ trusty-security/main amd64 Packages
     origin esm.ubuntu.com
# chroot /tank/trusty-3b/ apt-cache policy | grep esm
 500 https://esm.ubuntu.com/ubuntu/ trusty-infra-updates/main amd64 Packages
     origin esm.ubuntu.com
 500 https://esm.ubuntu.com/ubuntu/ trusty-infra-security/main amd64 Packages
     origin esm.ubuntu.com

Note how (3b) is using the new infra pocket names, however. That's because "ua attach" was run in that case, and it wasn't run in (3a). Both work, though, and it's expected that users will eventually run "ua attach" after upgrading even if they had esm enabled before. This is mentioned in the [Other Info] section of the bug description.

Filesystem differences:
# diff -uNr /tank/trusty-3{a,b}/ 2>/dev/null | diffstat -l
etc/apt/auth.conf.d/90ubuntu-advantage
etc/apt/sources.list.d/ubuntu-esm-infra-trusty.list
var/cache/apt/archives/ubuntu-advantage-tools_10ubuntu0.14.04.4_all.deb
var/cache/apt/pkgcache.bin
var/cache/apt/srcpkgcache.bin
var/cache/ldconfig/aux-cache
var/lib/apt/extended_states
var/lib/apt/lists/esm.ubuntu.com_ubuntu_dists_trusty-infra-security_InRelease
var/lib/apt/lists/esm.ubuntu.com_ubuntu_dists_trusty-infra-security_main_binary-amd64_Packages
var/lib/apt/lists/esm.ubuntu.com_ubuntu_dists_trusty-infra-updates_InRelease
var/lib/apt/lists/esm.ubuntu.com_ubuntu_dists_trusty-infra-updates_main_binary-amd64_Packages
var/lib/apt/lists/esm.ubuntu.com_ubuntu_dists_trusty-security_InRelease
var/lib/apt/lists/esm.ubuntu.com_ubuntu_dists_trusty-security_main_binary-amd64_Packages
var/lib/apt/lists/esm.ubuntu.com_ubuntu_dists_trusty-updates_InRelease
var/lib/apt/lists/esm.ubuntu.com_ubuntu_dists_trusty-updates_main_binary-amd64_Packages
var/lib/dpkg/available
var/lib/dpkg/available-old
var/lib/dpkg/status-old
var/lib/ubuntu-advantage/machine-id
var/lib/ubuntu-advantage/private/machine-access-cc-eal.json
var/lib/ubuntu-advantage/private/machine-access-esm-infra.json
var/lib/ubuntu-advantage/private/machine-access-fips-updates.json
var/lib/ubuntu-advantage/private/machine-access-fips.json
var/lib/ubuntu-advantage/private/machine-access-livepatch.json
var/lib/ubuntu-advantage/private/machine-access-support.json
var/lib/ubuntu-advantage/private/machine-token.json
var/lib/ubuntu-advantage/status.json
var/log/apt/history.log
var/log/apt/term.log
var/log/dpkg.log
var/log/ubuntu-advantage.log

Of the above, only /etc/apt is of interest, so let's take a closer look:
# diff -uNr /tank/trusty-3{a,b}/etc/apt
diff -uNr /tank/trusty-3a/etc/apt/auth.conf.d/90ubuntu-advantage /tank/trusty-3b/etc/apt/auth.conf.d/90ubuntu-advantage
--- /tank/trusty-3a/etc/apt/auth.conf.d/90ubuntu-advantage	2019-10-31 15:04:20.083887502 -0300
+++ /tank/trusty-3b/etc/apt/auth.conf.d/90ubuntu-advantage	2019-10-31 15:06:51.943489600 -0300
@@ -1 +1 @@
-machine esm.ubuntu.com/ login myuser password mypass
+machine esm.ubuntu.com/ login bearer password verylongrandompass  # ubuntu-advantage-tools

The above confirms that ua attach was run on (3b), because the old style credentials were removed and the new style was put in place.

diff -uNr /tank/trusty-3a/etc/apt/sources.list.d/ubuntu-esm-infra-trusty.list /tank/trusty-3b/etc/apt/sources.list.d/ubuntu-esm-infra-trusty.list
--- /tank/trusty-3a/etc/apt/sources.list.d/ubuntu-esm-infra-trusty.list	2019-10-31 15:04:20.083887502 -0300
+++ /tank/trusty-3b/etc/apt/sources.list.d/ubuntu-esm-infra-trusty.list	2019-10-31 15:06:51.935489610 -0300
@@ -1,5 +1,4 @@
-deb https://esm.ubuntu.com/ubuntu trusty-security main
-# deb-src https://esm.ubuntu.com/ubuntu trusty-security main
-
-deb https://esm.ubuntu.com/ubuntu trusty-updates main
-# deb-src https://esm.ubuntu.com/ubuntu trusty-updates main
+deb https://esm.ubuntu.com/ubuntu trusty-infra-security main
+# deb-src https://esm.ubuntu.com/ubuntu trusty-infra-security main
+deb https://esm.ubuntu.com/ubuntu trusty-infra-updates main
+# deb-src https://esm.ubuntu.com/ubuntu trusty-infra-updates main

This also confirms that ua attach was run on (3b), since we now have the new infra pocket names.

Like with test (2), absolute symlinks in the chroot get broken when looked at from the outside, so here is a list of what was suppressed from the full diff output: https://paste.ubuntu.com/p/7BmfzQjtqt/

Revision history for this message

Andreas Hasenack (ahasenack) wrote on 2019-10-31:

#16

Download full text (5.4 KiB)

Test 4:
From a fresh trusty instance, which has uat installed (from updates):
a) enable esm (via ubuntu-advantage enable-esm), upgrade to proposed
b) upgrade to proposed, enable esm (via ua attach)

Result: PASS

Details:
In the end, both instances have the same proposed package:
$ lxc exec esm-sru-4a apt-cache policy ubuntu-advantage-tools
ubuntu-advantage-tools:
  Installed: 19.6~ubuntu14.04.3
  Candidate: 19.6~ubuntu14.04.3
  Version table:
*** 19.6~ubuntu14.04.3 0
        500 http://br.archive.ubuntu.com/ubuntu/ trusty-proposed/main amd64 Packages
        100 /var/lib/dpkg/status
     10ubuntu0.14.04.4 0
        500 http://archive.ubuntu.com/ubuntu/ trusty-updates/main amd64 Packages

And both have ESM enabled. In the (b) case, it's using the new infra pocket names because ESM was enabled with the new client via ua attach:

$ lxc exec esm-sru-4b apt-cache policy |grep esm
500 https://esm.ubuntu.com/ubuntu/ trusty-infra-updates/main amd64 Packages
origin esm.ubuntu.com
500 https://esm.ubuntu.com/ubuntu/ trusty-infra-security/main amd64 Packages
origin esm.ubuntu.com

Content comparison
- etc directory (/dev/null was used because of the broken absolute symlinks; here is the suppressed output: https://paste.ubuntu.com/p/n98rSKBqvP/):
$ diff -uNr 4a/etc 4b/etc 2>/dev/null
diff -uNr 4a/etc/apt/auth.conf.d/90ubuntu-advantage 4b/etc/apt/auth.conf.d/90ubuntu-advantage
--- 4a/etc/apt/auth.conf.d/90ubuntu-advantage 2019-10-31 15:52:19.613041203 -0300
+++ 4b/etc/apt/auth.conf.d/90ubuntu-advantage 2019-10-31 15:57:10.593242280 -0300
@@ -1 +1 @@
-machine esm.ubuntu.com/ login myuser password mypass
+machine esm.ubuntu.com/ login bearer password longrandompass # ubuntu-advantage-tools

Since (4b) runs ua attach, the credentials are converted to the new bearer format, so the above is expected and correct.

diff -uNr 4a/etc/apt/sources.list.d/ubuntu-esm-infra-trusty.list 4b/etc/apt/sources.list.d/ubuntu-esm-infra-trusty.list
--- 4a/etc/apt/sources.list.d/ubuntu-esm-infra-trusty.list 2019-10-31 15:52:19.629041498 -0300
+++ 4b/etc/apt/sources.list.d/ubuntu-esm-infra-trusty.list 2019-10-31 15:57:10.605241750 -0300
@@ -1,5 +1,4 @@
-deb https://esm.ubuntu.com/ubuntu trusty-security main
-# deb-src https://esm.ubuntu.com/ubuntu trusty-security main
-
-deb https://esm.ubuntu.com/ubuntu trusty-updates main
-# deb-src https://esm.ubuntu.com/ubuntu trusty-updates main
+deb https://esm.ubuntu.com/ubuntu trusty-infra-security main
+# deb-src https://esm.ubuntu.com/ubuntu trusty-infra-security main
+deb https://esm.ubuntu.com/ubuntu trusty-infra-updates main
+# deb-src https://esm.ubuntu.com/ubuntu trusty-infra-updates main

Since (4b) runs attach, the pockets are renamed to the new infra names, so the above is also expected and correct.

- /var:
Also broken symlinks, and:
$ diff -uNr 4a/var 4b/var|diffstat -l
diff: 4a/var/lib/cloud/instance: No such file or directory
diff: 4b/var/lib/cloud/instance: No such file or directory
cache/apt/pkgcache.bin
cache/apt/srcpkgcache.bin
cache/man/index.db
lib/apt/lists/esm.ubuntu.com_ubuntu_dists_trusty-infra-security_InRelease
lib/apt/lists/esm.ubuntu.com_ubuntu_dists_trusty-infra-security_main_binary-amd64_Packag...

Test 4:
From a fresh trusty instance, which has uat installed (from updates):
a) enable esm (via ubuntu-advantage enable-esm), upgrade to proposed
b) upgrade to proposed, enable esm (via ua attach)

Result: PASS

Details:
In the end, both instances have the same proposed package:
$ lxc exec esm-sru-4a apt-cache policy ubuntu-advantage-tools
ubuntu-advantage-tools:
  Installed: 19.6~ubuntu14.04.3
  Candidate: 19.6~ubuntu14.04.3
  Version table:
 *** 19.6~ubuntu14.04.3 0
        500 http://br.archive.ubuntu.com/ubuntu/ trusty-proposed/main amd64 Packages
        100 /var/lib/dpkg/status
     10ubuntu0.14.04.4 0
        500 http://archive.ubuntu.com/ubuntu/ trusty-updates/main amd64 Packages

And both have ESM enabled. In the (b) case, it's using the new infra pocket names because ESM was enabled with the new client via ua attach:

$ lxc exec esm-sru-4b apt-cache policy |grep esm
 500 https://esm.ubuntu.com/ubuntu/ trusty-infra-updates/main amd64 Packages
     origin esm.ubuntu.com
 500 https://esm.ubuntu.com/ubuntu/ trusty-infra-security/main amd64 Packages
     origin esm.ubuntu.com

Content comparison
- etc directory (/dev/null was used because of the broken absolute symlinks; here is the suppressed output: https://paste.ubuntu.com/p/n98rSKBqvP/):
$ diff -uNr 4a/etc 4b/etc 2>/dev/null
diff -uNr 4a/etc/apt/auth.conf.d/90ubuntu-advantage 4b/etc/apt/auth.conf.d/90ubuntu-advantage
--- 4a/etc/apt/auth.conf.d/90ubuntu-advantage	2019-10-31 15:52:19.613041203 -0300
+++ 4b/etc/apt/auth.conf.d/90ubuntu-advantage	2019-10-31 15:57:10.593242280 -0300
@@ -1 +1 @@
-machine esm.ubuntu.com/ login myuser password mypass
+machine esm.ubuntu.com/ login bearer password longrandompass  # ubuntu-advantage-tools

Since (4b) runs ua attach, the credentials are converted to the new bearer format, so the above is expected and correct.

diff -uNr 4a/etc/apt/sources.list.d/ubuntu-esm-infra-trusty.list 4b/etc/apt/sources.list.d/ubuntu-esm-infra-trusty.list
--- 4a/etc/apt/sources.list.d/ubuntu-esm-infra-trusty.list	2019-10-31 15:52:19.629041498 -0300
+++ 4b/etc/apt/sources.list.d/ubuntu-esm-infra-trusty.list	2019-10-31 15:57:10.605241750 -0300
@@ -1,5 +1,4 @@
-deb https://esm.ubuntu.com/ubuntu trusty-security main
-# deb-src https://esm.ubuntu.com/ubuntu trusty-security main
-
-deb https://esm.ubuntu.com/ubuntu trusty-updates main
-# deb-src https://esm.ubuntu.com/ubuntu trusty-updates main
+deb https://esm.ubuntu.com/ubuntu trusty-infra-security main
+# deb-src https://esm.ubuntu.com/ubuntu trusty-infra-security main
+deb https://esm.ubuntu.com/ubuntu trusty-infra-updates main
+# deb-src https://esm.ubuntu.com/ubuntu trusty-infra-updates main

Since (4b) runs attach, the pockets are renamed to the new infra names, so the above is also expected and correct.

- /var:
Also broken symlinks, and:
$ diff -uNr 4a/var 4b/var|diffstat -l
diff: 4a/var/lib/cloud/instance: No such file or directory
diff: 4b/var/lib/cloud/instance: No such file or directory
cache/apt/pkgcache.bin
cache/apt/srcpkgcache.bin
cache/man/index.db
lib/apt/lists/esm.ubuntu.com_ubuntu_dists_trusty-infra-security_InRelease
lib/apt/lists/esm.ubuntu.com_ubuntu_dists_trusty-infra-security_main_binary-amd64_Packages
lib/apt/lists/esm.ubuntu.com_ubuntu_dists_trusty-infra-updates_InRelease
lib/apt/lists/esm.ubuntu.com_ubuntu_dists_trusty-infra-updates_main_binary-amd64_Packages
lib/apt/lists/esm.ubuntu.com_ubuntu_dists_trusty-security_InRelease
lib/apt/lists/esm.ubuntu.com_ubuntu_dists_trusty-security_main_binary-amd64_Packages
lib/apt/lists/esm.ubuntu.com_ubuntu_dists_trusty-updates_InRelease
lib/apt/lists/esm.ubuntu.com_ubuntu_dists_trusty-updates_main_binary-amd64_Packages
lib/cloud/data/status.json
lib/cloud/instances/esm-sru-4a/boot-finished
lib/cloud/instances/esm-sru-4a/user-data.txt.i
lib/cloud/instances/esm-sru-4a/vendor-data.txt.i
lib/dhcp/dhclient.eth0.leases
lib/ubuntu-advantage/private/machine-access-cc-eal.json
lib/ubuntu-advantage/private/machine-access-esm-infra.json
lib/ubuntu-advantage/private/machine-access-fips-updates.json
lib/ubuntu-advantage/private/machine-access-fips.json
lib/ubuntu-advantage/private/machine-access-livepatch.json
lib/ubuntu-advantage/private/machine-access-support.json
lib/ubuntu-advantage/private/machine-token.json
lib/ubuntu-advantage/status.json
lib/urandom/random-seed
log/apt/history.log
log/apt/term.log
log/cloud-init-output.log
log/cloud-init.log
log/dmesg
log/dmesg.0
log/dmesg.1.gz
log/dpkg.log
log/kern.log
log/syslog
log/ubuntu-advantage.log
log/upstart/acpid.log
log/upstart/apport.log
log/upstart/console-setup.log
log/upstart/cryptdisks.log
log/upstart/hwclock.log
log/upstart/kmod.log
log/upstart/mountall.log
log/upstart/mounted-debugfs.log
log/upstart/mounted-dev.log
log/upstart/mounted-proc.log
log/upstart/procps-static-network-up.log
log/upstart/procps-virtual-filesystems.log
log/upstart/setvtrgb.log
log/upstart/systemd-logind.log
log/upstart/ttyS0.log
log/wtmp

The /var/lib/ubuntu-advantage files are new in (4b), because that's where we ran ua attach:
$ diff -uNr 4{a,b}/var/lib/ubuntu-advantage|diffstat
 private/machine-access-cc-eal.json       |    1 +
 private/machine-access-esm-infra.json    |    1 +
 private/machine-access-fips-updates.json |    1 +
 private/machine-access-fips.json         |    1 +
 private/machine-access-livepatch.json    |    1 +
 private/machine-access-support.json      |    1 +
 private/machine-token.json               |    1 +
 status.json                              |    1 +
 8 files changed, 8 insertions(+)

Revision history for this message

Andreas Hasenack (ahasenack) wrote on 2019-10-31:

#17

I'm satisfied with the results, also considering test (5) done in the other bug. Just to be sure, I also tried it via dist-upgrade. That is a bit more hacky, as it involves changing s/precise/trusty/ in sources.list snippets, ignoring gpg errors (as precise doesn't have the gpg key for trusty-esm) and so on, but it also worked in the end.

Flipping the tags.

tags:

added: verification-done-trusty
removed: verification-needed-trusty

Revision history for this message

Launchpad Janitor (janitor) wrote on 2019-10-31:

#18

This bug was fixed in the package ubuntu-advantage-tools - 19.6~ubuntu14.04.3

---------------
ubuntu-advantage-tools (19.6~ubuntu14.04.3) trusty; urgency=medium

  * d/postinst: rename existing ubuntu-esm-precise.list file to trusty.
    This fixes the upgrade path from precise to trusty and to this client
    while esm is enabled (LP: #1850672)

ubuntu-advantage-tools (19.6~ubuntu14.04.2) trusty; urgency=medium

* d/control, d/rules: don't run flake8 tests since python3-flake8 is in
universe (LP: #1849851)

ubuntu-advantage-tools (19.6~ubuntu14.04.1) trusty; urgency=medium

  * New upstream release (LP: #1832757). Main changes:
    - drop SSO interactive login support
    - d/control: no longer depend on pymacaroons, which was only needed for
      the SSO interactive login support
    - drop keyrings for services not supported in trusty: cc-eal, fips,
      fips-updates, cis audit
    - make sure /var/lib/ubuntu-advantage/private has 0700 perms
    - rename esm to esm-infra. Also handle upgrades
    - don't unecessarily remove config files that are already handled by dpkg
    - expand the apt related runtime dependencies
    - handle sources.list.d esm snippet when release upgrading from precise
    - ua status now reports availability of services even in unattached state
    - the "ua status" output was changed, including the json format option
    - drop "ua status" call in postinst as it now requires internet access and
      that is restricted in LP builders and test runners.
    - fix the d/t/usage DEP8 test that was also using status

-- Andreas Hasenack <email address hidden> Wed, 30 Oct 2019 10:01:58 -0300

Changed in ubuntu-advantage-tools (Ubuntu Trusty):
status:	Fix Committed → Fix Released

Revision history for this message

Steve Langasek (vorlon) wrote on 2019-10-31: Update Released

#19

The verification of the Stable Release Update for ubuntu-advantage-tools has completed successfully and the package is now being released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Mathew Hodson (mhodson) on 2019-11-02

tags:

removed: verification-needed

Ubuntu
ubuntu-advantage-tools package

Update ubuntu-advantage-client

Bug Description

Other bug subscribers

Remote bug watches

Affects		Status	Importance	Assigned to	Milestone
	ubuntu-advantage-tools (Ubuntu)	Fix Released	High	Andreas Hasenack
	Trusty	Fix Released	High	Unassigned

Ubuntuubuntu-advantage-tools package

Update ubuntu-advantage-client

Bug Description

Other bug subscribers

Remote bug watches

Ubuntu
ubuntu-advantage-tools package