A new release of the Ubuntu Cloud Images for stable Ubuntu release 21.04 (Hirsute Hippo) is available at [1]. These new images superseded the existing images [2]. Images are available for download or immediate use on EC2 via publish AMI ids. Users who wish to update their existing installations can do so with: 'sudo apt-get update && sudo apt-get dist-upgrade && sudo reboot'. The following packages have been updated. Please see the full changelogs for a complete listing of changes: * libxml2: 2.9.10+dfsg-6.3build2 => 2.9.10+dfsg-6.3ubuntu0.1 * linux-meta: 5.11.0.18.19 => 5.11.0.22.23 * linux-signed: 5.11.0-18.19 => 5.11.0-22.23 * manpages: 5.10-1 => 5.10-1ubuntu0.1 * nettle: 3.7-2.1ubuntu1 => 3.7-2.1ubuntu1.1 * systemd: 247.3-3ubuntu3 => 247.3-3ubuntu3.1 * ubuntu-advantage-tools: 27.0.2~21.04.1 => 27.1~21.04.1 The following is a complete changelog for this image. new: {'linux-modules-5.11.0-22-generic': '5.11.0-22.23', 'linux-headers-5.11.0-22': '5.11.0-22.23', 'linux-headers-5.11.0-22-generic': '5.11.0-22.23'} removed: {'linux-modules-5.11.0-18-generic': '5.11.0-18.19', 'linux-headers-5.11.0-18-generic': '5.11.0-18.19', 'linux-headers-5.11.0-18': '5.11.0-18.19'} changed: ['libhogweed6:amd64', 'libnettle8:amd64', 'libnss-systemd:amd64', 'libpam-systemd:amd64', 'libsystemd0:amd64', 'libudev1:amd64', 'libxml2:amd64', 'linux-headers-generic', 'linux-headers-virtual', 'linux-image-5.11.0-22-generic', 'linux-image-virtual', 'linux-virtual', 'manpages', 'systemd', 'systemd-sysv', 'systemd-timesyncd', 'ubuntu-advantage-tools', 'udev'] new snaps: {'core20': ['stable', '1026']} removed snaps: {'core18': ['stable', '2066']} changed snaps: ['lxd'] ==== libxml2: 2.9.10+dfsg-6.3build2 => 2.9.10+dfsg-6.3ubuntu0.1 ==== ==== libxml2:amd64 * SECURITY UPDATE: use-after-free in xmlEncodeEntitiesInternal - debian/patches/CVE-2021-3516.patch: Call htmlCtxtUseOptions to make sure that names aren't stored in dictionaries. - CVE-2021-3516 * SECURITY UPDATE: heap-based buffer overflow in xmlEncodeEntitiesInternal - debian/patches/CVE-2021-3517.patch: Add some checks to validate input is UTF-8 format, supplementing CVE-2020-24977 fix. - CVE-2021-3517 * SECURITY UPDATE: use-after-free in xmlXIncludeDoProcess - debian/patches/CVE-2021-3518.patch: Move from a block list to an allow list approach to avoid descending into other node types that can't contain elements. - CVE-2021-3518 * SECURITY UPDATE: NULL pointer dereference in xmlValidBuildAContentModel - debian/patches/CVE-2021-3537.patch: Check return value of recursive calls to xmlParseElementChildrenContentDeclPriv and return immediately in case of errors. - CVE-2021-3537 * SECURITY UPDATE: Exponential entity expansion - debian/patches/Patch-for-security-issue-CVE-2021-3541.patch: Add check to xmlParserEntityCheck to prevent entity exponential. - CVE-2021-3541 ==== linux-meta: 5.11.0.18.19 => 5.11.0.22.23 ==== ==== linux-headers-generic linux-headers-virtual linux-image-virtual linux-virtual * Bump ABI 5.11.0-22 * Bump ABI 5.11.0-21 * Bump ABI 5.11.0-20 * Bump ABI 5.11.0-19 * Packaging resync (LP: #1786013) - [Packaging] resync debian/dkms-versions from main package ==== linux-signed: 5.11.0-18.19 => 5.11.0-22.23 ==== ==== linux-image-5.11.0-22-generic * Master version: 5.11.0-22.23 * Master version: 5.11.0-21.22 * Master version: 5.11.0-20.21 * Master version: 5.11.0-19.20 ==== manpages: 5.10-1 => 5.10-1ubuntu0.1 ==== ==== manpages * kernel_lockdown.7: Remove description of unsupported lockdown lift mechanism via SysRq. LP: #1931171. ==== nettle: 3.7-2.1ubuntu1 => 3.7-2.1ubuntu1.1 ==== ==== libhogweed6:amd64 libnettle8:amd64 * SECURITY UPDATE: crash in RSA decryption via manipulated ciphertext - debian/patches/CVE-2021-3580-1.patch: change _rsa_sec_compute_root_tr to take a fixed input size in rsa-decrypt-tr.c, rsa-internal.h, rsa-sec-decrypt.c, rsa-sign-tr.c, testsuite/rsa-encrypt-test.c. - debian/patches/CVE-2021-3580-2.patch: add input check to rsa_decrypt family of functions in rsa-decrypt-tr.c, rsa-decrypt.c, rsa-sec-decrypt.c, rsa.h, testsuite/rsa-encrypt-test.c. - CVE-2021-3580 ==== systemd: 247.3-3ubuntu3 => 247.3-3ubuntu3.1 ==== ==== libnss-systemd:amd64 libpam-systemd:amd64 libsystemd0:amd64 libudev1:amd64 systemd systemd-sysv systemd-timesyncd udev [ Andy Chi ] * debian/patches/lp1926547-hwdb-60-keyboard-Update-Dell-Privacy-Local-Mic-Mute-.patch - Apply upstream patch to correct key and device mapping. (LP: #1926547) https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=f360a705d992205e3da511910c859e81390e93c6 [ ukasz 'sil2100' Zemczak ] * d/p/lp1664844/0001-network-add-ActivationPolicy-configuration-parameter.patch, d/p/lp1664844/0002-test-add-ActivationPolicy-unit-tests.patch, d/p/lp1664844/0003-save-link-activation-policy-to-state-file-and-displa.patch: - add support for configuring the activation policy for an interface (LP: #1664844) https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=ae75627f573f5946169819e4fdfe89290badaf21 [ Dan Streetman ] * d/p/debian/UBUNTU-resolved-Mitigate-DVE-2018-0001-by-retrying-NXDOMAIN-with.patch, d/p/lp1785383-resolved-address-DVE-2018-0001.patch: - Use upstream patch for DVE-2018-0001 handling (LP: #1785383) https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=6c6e948e4364649a4a803a8f1c9cdd5c70e1f0ab * d/p/lp1929849-rfkill-add-some-casts-to-silence-Werror-sign-compare.patch: - Fix FTBFS due to kernel header change (LP: #1929849) https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=656bfde76b7a2d172d84d4e7905d80e1dfa2b68d ==== ubuntu-advantage-tools: 27.0.2~21.04.1 => 27.1~21.04.1 ==== ==== ubuntu-advantage-tools * Backport new upstream release: (LP: #1929597) to hirsute * d/control: - specify debianutils min version * d/changelog: - fix lintian typos amend and redact incorrect 27.0 entry (GH: #1624) * lintian: - override ubuntu-advantage-pro wanted-by-target cloud-init - override xenial specific errors - rename package-specific overrides for pro vs tools * New upstream release 27.1: - apt-hook: + avoid segfault when comparing null Apt file origin to esm (LP: #1929123) + avoid wrapping static message formats at 80 chars + update go build flags based on lintian warnings (GH: #1626) + only add newlines for MOTD if message file length is non-zero - attach: do not print contract name if empty - autocomplete: Do not show beta services in autocomplete (GH: #1594) - cis: + make service non-beta + post enable message pointing to docs + update cis help url - docs: update releases.md per SRU review feedback on branch structuring - enable: correct messaging for beta service (GH: #1588) - errors: print a more helpful message when ssl fails (GH: #1618) - fips: + Block enabling fips if fips-updates once enabled (GH: #1600) + Update output of fips commands (GH: #1631) - livepatch: alert when snapd does not have wait cmd (LP: #1927329) - logging: remove tracebacks for UserFacingErrors (GH: #1586) - messaging: + Infra and Apps messaging is mutually exclusive (GH: #1573) + point to u.com/16-04 instead of u.com/advantage on ESM (GH: #1584) + separate _remove_msg_template. emit no warranty on infra disabled - pro: obtain AWS IMDSv2 API token before trying to grab pkcs7 doc (GH: #1608) - status: do not show info if not on contract (GH: #1592) - tests: + drop trusty specific tests + fix mock for handle_message_operations + fix motd message for bionic (GH: #1615) + integration tests for hirsute and groovy + manual test for trusty upgrade to xenial + reboot after dist-upgrade for upgrade test + test enabling CIS on focal (GH: #1582) + update messages in integration tests (GH: #1635) + use proposed pocket on xenial upgrade test - jenkins: + add pytest runs for xenial and bionic + run focal lxd integration tests * d/control: - order build-depends alternatives newer first (LP: #1926949) - apt-hook: do not attempt to package go APT JSON hook on some architectures (GH: #1603) (LP: #1927886, LP: #1927795) * Bug-fix release 27.0.2: build failures on riscv64 and powerpc - apt-hook: refactor json hook messaging to be dry - tests: fix subp ls error case for powerpc builds - jenkinsfile: add --resolve-alternatives for trusty builds - amend changelog: add omitted apt-hook message for 27.0.1 stanza * Add .gitignore and cleanup ignored directory .pytest_cache * apt-hook: mitigate failures with true * New upstream release 27.0: - [redacted: actually landed in 27.0.1] apt-hook: mitigate failures with true - messages: add optional (s) to apt messaging to include singular/plural pkgs - apt-hook: avoid reporting and counting duplicate package names (GH: #1578) - fix: don't say reboot required when unnecessary (LP: #1926183) - test: uncomment additional xenial upgrade tests * New upstream beta3 release: - config: avoid tracebacks on invalid features value in uaclient.conf (GH: #1564) - apt-hook: new json hook for security update counts - Remove redundant messaging from uaclient * d/control: - add distro-info dependency - add new debianutils dependency - add optional dh-systemd | debhelper (>= 13.3) to fallback on hirsute and later when dh-systemd is not present * d/rules: enable and start ua-messaging.timer on package install * d/postinst: - configure esm on any LTS release avoid beta services - configure esm-infra when is_active_esm and apps on LTS - xenial enable unauthenticated apt source for apps/infra * New upstream release 27.0~beta: - apt-hook: + adapt hook to process separate message templates + esm-apps and esm-infra pkg counts not mutually-exclusive + print static messages on apt upgrade/dist-upgrade (GH: #1546) - config: create settings_overrides on config (GH: #1507) - docs: add entry for uploading new version to ppa - esm: + add pin never when disabling esm-infra/apps on xenial + enable infra when EOL LTS and apps on all LTS (GH: #1558) - fips: add notice when installing over old fips - fix: + add links to ubuntu.com/gcp/aws in messaging when on non-PRO + add notice to reboot operation on ua fix + do not prompt user for beta services (GH: #1544) + notify users if reboot is required (GH: #1476) + update how the expired token logic works + wrap output greater than 80 chars (GH: #1487) - lib: fix notice handling on reboot script - messages + provide static message files for use in APT and MOTD + update_ua_messages on attach/detach/disable - mypy: add lib/ dir for coverage - status: do not remove notices on non-root call (GH: #1518) - subp: separate % format strings when logging (GH: #1520) - systemd: add ua-messaging.timer to update ua MOTD and APT msgs - update-motd.d: add conditional hooks for motd to source ua messages - util: add is_lts and is_active_esm funtions to support ESM - test + add integration tests asserting esm-apps setup due to postinst + manual test script for xenial upgrade + trusty and xenial infra and apps disabled in pkg install - behave: use unaltered cloud images unsetting UACLIENT_BEHAVE_PPA - jenkins: make lint and style stage run sequentially * d/*: prefix all the debhelper conf files with the package name * d/control: - add Rules-Requires-Root: no - bump Standards-Version to 4.5.1 - make ubuntu-advantage-pro Architecture: all * d/lintian-overrides: - override maintainer-script-calls-service - package-supports-alternative-init-but-no-init.d-script * d/postinst: move the u-a-pro note to a config script * d/ubuntu-advantage-tools.templates: suggest the use of apt * New upstream release 27.0~beta: - apt: add retry for apt-helper command (GH: #1431) - cli: drop subcommand repeated help output, fix enable & refresh (GH: #1440) - config: + allow parsing yaml delivered from env values + environment variable support for feature overrides (GH: #1395) + create config to add extra params to security url - docs: + add ppas and fix typos + use Ubuntu Pro not Ubuntu PRO + add stop "." punctuation to messages (GH: #1320) - fips: fix FIPS message when disable operation fails - fix: + add basic UASecurityClient to which queries CVE and USNs + add security_url to config + check if service is enabled during ua fix (GH: #1462) + closer representation of cve and usn responses + filter usns by cve details (GH: #1470) + fix regex to be more permissive and strict + get_cve_affected_source_packages_status won't list not-affected (GH: #1467) + handle other package status when running ua fix (GH: #1435) + improve error message for ua fix (GH: #1420) + install pkg fixes when they are on standard pocket (GH: #1401) + move timeout and retries to security client only + only prompt for subscription attach for UA-related pkg updates + parse all related USNS to a given CVE when fixing + parse full API responses for related CVEs and USNs + prefer USN.release_packages binary pkg versions to CVE src ver (GH: #1436) + prompt for new ua token when expired one is used (GH: #1475) + prompt to emit pro suggestion on pro_clouds if unattached (GH: #1386) + prompt to enable service during ua fix (GH: #1455) + provide related CVE URLs instead of USNs (GH: #1456) + raise errors when source_link is null or unexpected format + show packages that were not fixed in the output + update output for released packages in ua fix (GH: #1438) + update message for invalid issue in ua fix (GH: #1433) + use pocket values from USNs (GH: #1439) - logs: emit error response on API errors and redact sensitive logs (GH: #1424) - serviceclient: add 10 second timeout and two retries to API calls (GH: #1374) - util: + add error prompts on invalid selection + add timeout to readurl - tests: + Add disable_auto_attach config to all test PRO vms + add merge_usn_released_binary_package_versions tests + add unittest coverage for override_usn_release_package_status + drop traceback checks on fips integration tests + refactor integration tests for ua fix cmd + run status wait before detach in PRO tests + use ssh to run commands on lxd containers - jenkins: archiveArtifacts can only reference paths within workspace * d/control: add new debianutils dependency * New upstream release 26.3 - util: improve is_container check for chroot - cli: pass assume_yes param to services on detach (GH: #1530) * Drop dh-systemd build dependency. * status: show beta services in status if enabled (GH: #1410) * New upstream release 26.1 - contract: block detach call to contract if machine-id change - docs: add readme docs about mastering clean golden images - fips: add reboot notices for fips operations (GH: #1368) - livepatch: add retry when running canonical-livepatch status (GH: #1360) - util: use lru_cache to avoid re-reading os-release and machine-id (GH: #1329) - tests: + add disable_auto_attach config to all test PRO vms + add more log artifacts during failed integration test + check cloudinit status after launching image + mock leaking livepatch.application_status for fips test + retry package installs on apt exit 100 - jenkins: parameterize build stages to avoid parallel job collision * auto-attach: fix comparing numeric iid * New upstream release 26.0: - auto-attach: systemd unit to run before ua-reboot-cmds.service - config: remove_notice should remove notices.json when empty - fips: + add notice if running a deactivated FIPS kernel (GH: #1348) + block enabling FIPS on clouds using Xenial + block enabling fips on GCP instances + check /proc/sys/crypto/fips_enable to see if fips is enabled + override fips metapackage when on bionic cloud + update metapackage override logic on fips - notices: clear lock file and notice when encountering any exception (GH: #1326) - reboot_cmds: retry on lock held errors due to pro auto-attach - services: allow uaclient to disable services during enable - status: include beta services in json formatted output with --all (GH: #1341) - tests: + add FIPS tests to AWS and Azure bionic images + add GCP pro test for focal machine + add after_step collection of artifacts on failure + remove proc file check after disabling fips + pro: block auto-attach with cloud-config bootcmd + add validation of systemd unit ua-reboot-cmds.service + test enabling fips-updates when fips is enabled - jenkins: - add deb build stage to assert package builds - use series-specific sbuild --build-dir avoid races - use --append-to-version for each sbuild run to avoid races - presume success when no integration artifacts created * d/rules: - add --with systemd to allow reboot init script - do not remove lib/systemd/system folder * d/postinst: - create marker file when reboot script need to run: - enable livepatch across trusty to xenial upgrade - update fips on existing fips pro machines * New upstream release 26.0~beta: - gcp: add Google Cloud Platform support (GH #1269) - fips: + remove is_beta from fips sevices + fips pro: add upgrade support to require reboot to unmark held fips pkgs + update origin UbuntuFIPSUpdates - status: + add notice to tabular output + held locks emit notice about Operation in progress - cli: help sort output so trusty ordering matches xenial++ - cis: rename service from cis-audit - config: provide config notices and add_notice and remove_notice methods - contract: add resource-machine-access route and datapath - init: add init script to run commands on reboot - keys: add ubuntu-advantage-cis keyring - livepatch: make livepatch react to enableByDefault delta - log: log when we install pkgs because of contract delta - make: drop six testdeps target - pro: do not install pro debs on non-pro instances - services: Update beta info for services (GH #1220) - tools: add tox-lxd-runner, that execute the test command in a shell - tools: refresh-keyrings handles cis keys. drop series-specific keys - tests: + add GCE support for integration tests + add cis integration tests for unattached and pro + add pytest constraint for mypy tests + add unittests for reboot_cmds script + fix esm package messages for new update notifier version + pin importlib-metadata for mypy tests + repo tests for request_resource_machine_access + unit tests for config cache clearing and machine-access data - jenkins: + add basic Jenkinsfile for CI runs per PR + add jenkins parseable test results + add lxc cleanup stage on Jenkinsfile * Release version 25.0 * New upstream release 25.0~beta3: - upgrade-lts-conract: noop during do-release-upgrade on unattached (GH: #1255) - ua-auto-attach: order systemd unit before cloud-config.service - Update FIPSUpdates pin origin - fips: unmark held fips packages for ubuntu pro fips image support (GH: #1109) - repo: handle changes to additionalPackages contract deltas - repo: move package installation to install_packages method - pro: trigger auto-attach as soon as instance-data.json is available (GH: #1234) - Conditionally install packages when enabling FIPS - fips: allow disable (GH: #1168) - cli: add trailing newline to argparse errors (GH: #1236) - Install fips metapacking when enabling service - integration test improvements: + upgrade-test: fix upgrade path restart failures on trusty (GH: #1257) + Fix integration test setup scripts (GH: #1253) + strict checking for command success on behave + Update tests to use new pycloudlib LXD abstraction + Add upgrade scenario tests when FIPS is enabled + Improve FIPS tests for checking packages + Update esm-infra xenial lxd test + Fix vm tests as esm-apps is beta service + Fix azure generic integration testing + Update esm-apps check on staging_commands tests + Install pycloudlib for azure jobs only + Fix shell condition in run_azure_travis_integration_tests.sh + Update azure jobs on travis + Update travis url in README + Update travis scripts to use ppa only on master + Fix cron event type check on travis yaml * New upstream release 25.0~beta2: - help: update esm-infra help text (GH: #1212) - apt-hook: update apt cli messaging for UA Infra: ESM and UA Apps: ESM product names - help: update fips help docs (GH: #1213) - help: revert CIS help doc URL (GH: #1211) - help: add new fips help URLs to CLI help docs (GH: #1210) - Show error when enabling service with invalid repo [Lucas Moura] (GH: #954) - Update beta info for services (#1220) [Lucas Moura] (GH: #1216) - Do not enable fips when fips-updates is active [Lucas Moura] (GH: #1209) - Add vm test commands in tox.ini (#1204) [Lucas Moura] * Beta bug fix release - status: fix missing description_override key after upgrade from trusty (GH: #1201) - During contract delta processing use _check_application_status_on_cache instead of live service status * d/control: - add po-debconf dependency and fix lintian not-using-po-debconf and untranslatable-debconf-templates - add ${misc:Depends} dep to ubuntu-advantage-pro to fix lintian debhelper-but-no-misc-depends (GH: #1024) * d/rules: - drop --with systemd fix build-depends-on-obsolete-package - set fix lintian warning extra:Depends even if empty * d/postrm - Add more gpg keys to be deleted in postrm for Xenial+ support * d/postinst: - do not unconfigure non-trusty esm. no series in apt filenames (GH: #1170) - check if esm is already enabled (GH: #1095) * New upstream release 25.0: - Do not uninstall additionalPackages or livepatch when disabling services - check for issubclass on clean_apt_files - Add do-release-upgrade support for esm-infra and apps suites (GH: #1169) - Apply contract deltas during do-release-upgrade operations - cli: add ua help command - cli: status add blocking --wait param and lock files for config change - Fix livepatch behaviour on aws pro focal machine - travis: drop inapplicable workspaces from specific awsgeneric release jobs - Add possible reboot text after enabling/disabling services - apt-hook: package apt-hook and apt configuration files on all releases (GH: #1150) - Fix enable fail bug - Add uaclient.conf override mechanism for auto-attach, beta services and machine-token - Support ESM Apps [Brian Murray] (GH: #930) - Do not enable services if blocking services is active (GH: #1029) - contract: handle 401 on invalid token, 403 on expired (GH: #1335) - Hide beta services from default status output and enable/disable operations (GH: #1079) (GH: #1091) - fips: force apt noninteractive prompts during package installs (GH: #1084) - tests: add unit tests for aws-gov/aws-china cloud detection - Add AWS China and GovCloud partitions [Robert Jennings] - Disable beta services to be show/enabled without flag - Add missing build_pr command to environment - Use additionalPackages from service payload - Add integration testing for Travis runs [patriciadomin] (GH: #856) (GH: #857) (GH: #853) * New bug-fix-only release 24.4: - uaclient.version bump to 24.4 - fips: honor additionalPackage directive from contract for bionic (GH #1173) * New bug-fix-only release 24.3: - uaclient.version bump to 24.3 - fips: add conditional reboot message only if /var/run/reboot-required is present - fips: add apt repo key for FIPS and FIPS updates (GH #1026) * New bug-fix-only release 24.2: - uaclient.version bump to 24.2 - pro: Add AWS China and GovCloud partitions support (GH #1077) * New bug-fix-only release 24.1: - livepatch: run snap wait system snap.seeded before trying to install (GH: #1049) - version: return debian/changelog version when git describe fails to match upstream . tags for git-ubuntu workflow (GH: #1058) * bump version to 24.0 for new versioninig scheme * New upstream release 20.3: - ubuntu-pro: automatically reattach across instance id delta (LP: #1867573) - integration testing: + add behave tests ua subcommands for attached vm + add invalid token tests + add reuse_container test docs + refactor token parameter * d/templates: add a debconf note on upgrade from pre-ubuntu pro package * d/control: create a separate ubuntu-advantage-pro package which delivers the tooling and scripts necessary to auto-attach pro machines This change breaks/replaces ubuntu-advantage-tools <= 20.1 * d/maintscript: rm_conffile /etc/init/ua-auto-attach.conf from ua-tools pkg * d/postint: remove stale systemd symlinks which have migrated to ubuntu-pro * d/rules: only install the apt hook on trusty * d/rules: provide --no-start to debhelper to avoid auto-attach on pkg install * Release 20.2: - ubuntu-pro: + azure: fix detection of DatasourceAzureNet as azure on trusty + generalize identity_doc to return dict instead of string + auto-attach: any 4XX errors during auto-attach are the result of non-Pro + auto-attach: handle 403 errors raised by contract server for invalid vms - attach: persist any status config changes after attach failures - output: add messaging using a different subscription if attached * Release 20.1: - azure-pro, support for azure ubuntu pro auto-attach: + add azure auto-attach instance as valid cloud_instance_factory + add azure cloud instance module and tests + generalize request_aws_contract_token for multiple cloud_types + contract: request_auto_attach_contract_token takes an instance param - constraints: add constraint on pyyaml version in trusty - auto-attach: move duplicate invalid cloud_type check out of cli * d/postinst: only configure ESM on supported architectures (LP: #1851858) [Andreas Hasenack] * d/postinst: rename existing ubuntu-esm-precise.list file to trusty. This fixes the upgrade path from precise to trusty and to this client while esm is enabled (LP: #1850672) * Release 19.7: - aws: handle missing SYS_HYPERVISOR_PRODUCT_UUID - aws-pro: support for aws ubuntu pro auto-attach - pro: add cloud identity module and fix unit tests - pro: update systemd service and upstart boot scripts to auto-attach - pro: esm do not do apt pin never on disable on xenial or bionic - pro: esm-apps has origin UbuntuESMApps and esm-infra is UbuntuESM - status: dynamic status available now from refreshed machine-token - uaclient: update customer visible messages after UX review - esm-apps: allow unattended security upgrades for esm-apps - systemd: needs WantedBy=multi-user.target to get pulled into boot - cli: update docstring to describe errors raised from auto-attach - keyrings: update ubuntu-advantage-esm-apps.gpg with correct key - repo: match strict repo url in apt-policy to avoid esm substring matches - esm: don't disable_apt_auth_only for ESM entitlements - initial implementation of esm-apps - repo: don't raise exception in application_status if aptURL missing - entitlements: rely solely on contract server for repo_url - cli: exit 0 if already attached - cli: use decorators for action_attach and action_attach_premium - cli: add assert_not_attached decorator - status: custom descriptions for n/a service status * New upstream release. Main changes: - drop SSO interactive login support - d/control: no longer depend on pymacaroons, which was only needed for the SSO interactive login support - drop keyrings for services not supported in trusty: cc-eal, fips, fips-updates, cis audit - make sure /var/lib/ubuntu-advantage/private has 0700 perms - rename esm to esm-infra. Also handle upgrades - don't unecessarily remove config files that are already handled by dpkg - expand the apt related runtime dependencies - handle sources.list.d esm snippet when release upgrading from precise - ua status now reports availability of services even in unattached state - the "ua status" output was changed, including the json format option - drop "ua status" call in postinst as it now requires internet access and that is restricted in LP builders and test runners. - fix the d/t/usage DEP8 test that was also using status * d/t/usage: fix dep8 test ("entitlements" was renamed to "services") * New upstream release (LP: #1832757): - packaging: + d/control: depend on libapt-pkg to use pin-priority never + d/postinst: adjust logfile permissions + d/postinst: remove public files and generate status cache on upgrade + d/postinst: Remove the old CACHE_DIR in postinst + d/postrm: remove log files on package purge + d/postrm: remove the ESM pinning file on purge + trusty should remove v1 esm key if present after upgrade + keyrings: regenerate keyrings on a trusty host + refresh keyrings to match current production for fips and cc-eal - apt: + all repo entitlements now call apt-get update on enable + enable -updates if -updates from the Ubuntu archive is enabled + Add basic i18n (good enough for lang packs) + retry apt install and update commands 3 times simple backoff + write commented -updates lines instead of omitting them - attach/detach: + added --no-auto-enable option + suppress messages from inapplicable default entitlements + two-factor auth reprompt only two-factor auth on failed 2fa + honour enableByDefault obligations from contract server + livepatch: no auto-enable on attach for trusty + don't attempt to disable inapplicable entitlements during detach + check for root before checking for attach in assert_attached_root - status: + add --json cli formatting option + emit a SERVICE header in status output + redact technical support and expiry for free contracts + unentitled services will report n/a - cc-eal: + add a warning about download size before install + change cc to cc-eal in docs, parameters and commandline help - esm: + add esm-v2 gpg keyring, drop old keyring, ignore aptKey directive + and livepatch auto enabled on attach where supported + on upgrade do not install preferences to pin never if esm enabled + remove only the apt auth entry on disable, leaving sources.list + use Pin-Priority never apt preference file to disable esm initially - fips: + display as pending when linux-fips is not the running kernel + only install/upgrade optional packages that are already on the system - logs: + no longer redact secrets as logfile is root read-only + separate console log devel from logfile level + remove level from messages to the console - add subcommand to refresh all contract details - config: allow contract_url and sso_auth_url to have a trailing slash - docker: fix persisting generated uuid on images without machine-id files - environ: allow lowercase ua_ overrides - repo: un-comment ESM sources.list lines on repo disable - updated manpage and help docs * apt-hook: Add missing headers for APT 1.9 * Drop the self-test assert in the apt-hook, it's making the subiquity server install fail (LP: #1824523) * apt-hook: Do not crash/fail if we can't read /proc/self/status (LP: #1824523) * Ubuntu Advantage Tools rewrite in Python (LP: #1814157): - Allow attaching a system to a contract or account - More complete status output, dropping MOTD updates - Easily enable and disable services offered * Have ua status cope with the additional livepatch of running a kernel that is not supported for livepatches. * Have an option for enable-livepatch to install a compatible kernel if needed. [ Vineetha Kamath ] * Add support to common criteria EAL2 artifacts installation #144 * New upstream release - added enable-fips-updates command. This command enables the fips-updates repository to install updates to FIPS modules. The updated modules from fips-updates repository are non-certified. * d/t/update-motd-run: fix path to the esm motd (LP: #1757490) * Rename motd scripts so they are shown a bit earlier (LP: #1757171) * Move empty line placement in the livepatch motd to the beginning of the message to avoid double blank lines. * New upstream release: - repositories are only added after credentials are verified (LP: #1730361) - Livepatch MOTD script (LP: #1710976) - better "status" command output formatting (LP: #1719034) - sources.list.d files no longer contain credentials. The "auth.conf" facility is used instead. (LP: #1700611) - enabled Livepatch support for Bionic 18.04 LTS * New upstream release: - run tests during package build * New upstream release: - revert the latest name changes - instead of "advantage", add a "ua" symlink pointing at the ubuntu-advantage script. Likewise for its manpage. (LP: #1721272) * New upstream release: - rename the ubuntu-advantage script to advantage, including where it's mentioned in the documentation. Also provide symlinks pointing at the previous name. (LP: #1721272) - slightly reword some of the FIPS messages * New upstream release with FIPS support (LP: #1718291) * New upstream release: - call apt-get with the non-interactive frontend variable set, and tell dpkg to keep the old config file by default should there be any prompts about that. (LP: #1715012) - split the one big test file into multiple smaller files, for better maintainability. * Release to artful (LP: #1711369) * d/control: update package description * New release version 6. Main changes: - document return codes on the manpage (Fixes: #33) - new status command (Fixes: #40) - restrict esm to precise only (Fixes: #43) - drop the livepatch motd update, only esm has motd output now (Fixes: #44) - skip tests during package building (Fixes #49) * Only display apt output in the case of errors (Fixes #34). * Check running kernel version before enabling the Livepatch service (Fixes #30). * Add livepatch support: - New commands: + enable-livepatch + disable-livepatch + is-livepatch-enabled - new tests - new manpage - new help output - new README.md - new MOTD * ubuntu-advantage & /etc/update-motd.d/99-esm now build, run and are quiet on non-precise release. (LP: #1686183) * Add simple dep8 tests. * Also install ca-certificates (LP: #1690270) * Initial Release. LP: #1686183 -- [1] http://cloud-images.ubuntu.com/releases/hirsute/release-20210622.1/ [2] http://cloud-images.ubuntu.com/releases/hirsute/release-20210616/