[SRU] include recent version containing fips and livepatch

Please note in the debdiff that the ubuntu-advantage script has been renamed to advantage. Links are created for backward compatibility.

If build log is required for P8 and s390x, please let me know and I will attach them.

Travis CI test results
https://travis-ci.org/CanonicalLtd/ubuntu-advantage-script/builds/283705244

Will attach install.log shortly...

PPA with daily builds for ubuntu-advantage-tools
https://code.launchpad.net/~ahasenack/+recipe/ubuntu-advantage-script-daily

The attachment "debdiff between v2 (curently in xenial) and v11" seems to be a debdiff. The ubuntu-sponsors team has been subscribed to the bug report so that they can review and hopefully sponsor the debdiff. If the attachment isn't a patch, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are member of the ~ubuntu-sponsors, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issue please contact him.]

Sorry, the attachment is a debdiff. I removed the patch flag.

My apologies, still kinda new at this. But yes, the debdiff is a patch. So I put the patch flag back.

@j-latten: It's unclear to me if this is actually intended for all releases (based upon the nominated tasks by Manoj and Andreas) or just Xenial (based upon the bug description). Can you clarify?

After chatting on IRC, this was fixed in Artful in LP: #1718291.

After chatting on IRC, realized new version of tool is being worked on for #1721272 (artful). Will wait for this to complete and use this bug to SRU the changes which include enabling fips. Will also redo the data for this SRU.

Hopefully it is ok that I deleted prior attachments so that there is no confusion. This bug will be to add support for v10 (which includes fips support) of ubuntu-advantage-tool to xenial and zesty.

Travis CI test results for v10
https://travis-ci.org/CanonicalLtd/ubuntu-advantage-script/builds/277507150

Note that binary files (the key rings) are not represented in the debdiffs above.

@nacc: I have "re-done" things and have included data for both xenial and zesty.

I'm updating the SRU template with livepatch bits, since livepatch is also included in this update.

trusty tarball

xenial tarball

zesty tarball

trusty debdiff

xenial debdiff

zesty debdiff

Sponsored for Zesty, Xenial & Trusty in their respective upload queue.
Now waiting for SRU verification team to approve the upload for the packages to enter in the test phase ($RELEASE-proposed)

- Eric

I had a quick look at the zesty package in the queue. In generally I can understand and accept the idea of pushing a new upstream version to the stable series, considering the current and planned use of the package. One thing that caught my eye though is that build-time tests are disabled in the packaging for all series - why is that?

They are disabled because not all ubuntu releases have the python version we need to run the tests. Note that python is not used at runtime, but it's needed for the tests.

Ok, we managed to change the code a bit to support running tests with python 3.4, which is in trusty. But we did that for master only:
https://github.com/CanonicalLtd/ubuntu-advantage-script/commit/4f6740e1a9b6106eb5567f4be057baca82f23b91

Then a following packaging change to run the tests at package build time:
https://github.com/CanonicalLtd/ubuntu-advantage-script/commit/f3b6bfac5911f248499c79a42a0d18f12ca9065a

Here is our recipe for daily builds with those two incorporated:
https://code.launchpad.net/~ahasenack/+recipe/ubuntu-advantage-script-daily

All binary builds there have a test run incorporated.

This is not contemplated in this SRU, but is a step in the right direction.

The SRU started with backporting what's in artful, and there the tests don't run at package build time. Would such a change be accepted in the SRU'ed packages only? I.e., add tests at package build time for xenial and zesty, while artful (and bionic) don't have them yet?

Or maybe just a manual test run for trusty, xenial and zesty, and attach the logs to this bug? Given that upstream is now running tests at package build time for all of these. In trusty I can run the tests from this package as long as I install python 3.5 or 3.6 on it.

I'm working to release v13 into bionic. That is master as of now, and has tests running during package build.

https://bugs.launchpad.net/ubuntu/+source/ubuntu-advantage-tools/+bug/1721272 has v13 attached to it, which fixes that bug specifically and also runs the tests at package build time.

As we speak 'ubuntu-advantage-tools' is stuck in the autopkgtest ... auto-sync and there are transitions still in progress and put the autopkgtest environment under heavy load.

It may take severals day and maybe weeks before it catch-up.

Current status :
ubuntu-advantage-tools (10 to 13)

    Maintainer: Ubuntu Developers
    2 days old
    autopkgtest for ubuntu-advantage-tools/13: amd64: Test in progress, armhf: Test in progress, i386: Test in progress, ppc64el: Pass, s390x: Pass
    Not considered

After a discussion with SRU verification team (sil2100), in this situation we can proceed with the SRU :

--
[07:18:54] <slashd> We are waiting for 3 days for the autopkgtest to complete, but apparently the infra is under a big load of testing and it may take 2 weeks to catch up apparently
[07:19:27] <slashd> What are our options ? Wait until the autopkgtest for bionic finish and goes to -releases ?
[07:19:45] <slashd> or there is something we can do to start the SRU and not having to wait another week or so for bionic to complete
[07:27:50] <sil2100> Hey!
[07:28:33] <sil2100> So the new version is in bionic-proposed right now, right?
[07:28:41] <slashd> yeah
[07:28:45] <sil2100> I'd say that's 'good enough' for this situation, autopkgtests are swarmed right now and will be so for a while

I had reviewed the uploads and only still waiting to appear in bionic, per former comment and review/sru-template/tests being good sponsoring SRUs into T/X/Z/A now.

Hello Joy, or anyone else affected,

Accepted ubuntu-advantage-tools into artful-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/ubuntu-advantage-tools/10ubuntu0.17.10.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed.Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-artful to verification-done-artful. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-artful. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Hello Joy, or anyone else affected,

Accepted ubuntu-advantage-tools into zesty-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/ubuntu-advantage-tools/10ubuntu0.17.04.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed.Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-zesty to verification-done-zesty. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-zesty. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Hello Joy, or anyone else affected,

Accepted ubuntu-advantage-tools into xenial-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/ubuntu-advantage-tools/10ubuntu0.16.04.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed.Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-xenial to verification-done-xenial. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-xenial. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Hello Joy, or anyone else affected,

Accepted ubuntu-advantage-tools into trusty-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/ubuntu-advantage-tools/10ubuntu0.14.04.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed.Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-trusty to verification-done-trusty. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-trusty. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Zesty verification:
  Version table:
 *** 10ubuntu0.17.04.1 500
        500 http://br.archive.ubuntu.com/ubuntu zesty-proposed/main amd64 Packages

status shows everything unavailable as expected:
ubuntu@04-57:~$ ubuntu-advantage status
livepatch: disabled (not available)

esm: disabled (not available)

fips: disabled (not available)

And they cannot be enabled:ubuntu@04-57:~$ sudo ubuntu-advantage enable-fips foo:bar
Sorry, but Canonical FIPS 140-2 Modules is not supported on zesty
ubuntu@04-57:~$ sudo ubuntu-advantage enable-livepatch xxx
Sorry, but Canonical Livepatch is not supported on zesty

Verification successful for zesty.

Artful verification:
  Version table:
 *** 10ubuntu0.17.10.1 500
        500 http://br.archive.ubuntu.com/ubuntu artful-proposed/main amd64 Packages

status shows everything unavailable as expected:
andreas@nsnx:~$ ubuntu-advantage status
livepatch: disabled (not available)

esm: disabled (not available)

fips: disabled (not available)

And they cannot be enabled:
andreas@nsnx:~$ sudo ubuntu-advantage enable-fips foo:bar
Sorry, but Canonical FIPS 140-2 Modules is not supported on artful
andreas@nsnx:~$ sudo ubuntu-advantage enable-livepatch xxx
Sorry, but Canonical Livepatch is not supported on artful
andreas@nsnx:~$

Verification successful for artful.

There is no trusty build of ubuntu-advantage-tools in trusty-proposed. Looks like it failed to build:
https://launchpadlibrarian.net/344718911/buildlog_ubuntu-trusty-i386.ubuntu-advantage-tools_10ubuntu0.14.04.1_BUILDING.txt.gz

The following packages have unmet dependencies:
 sbuild-build-depends-ubuntu-advantage-tools-dummy : Depends: flake8 but it is not installable or
                                                              python3-flake8 but it is not installable
E: Unable to correct problems, you have held broken packages.

Trusty has no flake8, but python3-flake8 is there. But in universe. Is that the problem? Then how did the other packages build, since flake8 is also in universe, in xenial, zesty and artful?

Policy changed in xenial to allow source packages in main to build-depend on universe, but that change was not retroactive.

Xenial verification:

  Version table:
 *** 10ubuntu0.16.04.1 500
        500 http://br.archive.ubuntu.com/ubuntu xenial-proposed/main amd64 Packages

status shows that both fips and livepatch are available:

ubuntu@10-e2:~$ ubuntu-advantage status
livepatch: disabled

esm: disabled (not available)

fips: disabled

a) enabling livepatch
ubuntu@10-e2:~$ sudo ubuntu-advantage enable-livepatch <redacted>
Installing the canonical-livepatch snap.
This may take a few minutes depending on your bandwidth.
canonical-livepatch 7.24 from 'canonical' installed
Enabling Livepatch with the given token, stand by...
Successfully enabled device. Using machine-token: <redacted>
Use "canonical-livepatch status" to verify current patch status.

status now includes livepatch information:
ubuntu@10-e2:~$ ubuntu-advantage status
livepatch: enabled
  client-version: "7.23"
  architecture: x86_64
  cpu-model: Intel Core Processor (Skylake)
  last-check: 2017-11-07T13:50:09.110003132Z
  boot-time: 2017-11-07T13:44:56Z
  uptime: 5m51s
  status:
  - kernel: 4.4.0-98.121-generic
    running: true
    livepatch:
      checkState: checked
      patchState: nothing-to-apply
      version: ""
      fixes: ""

esm: disabled (not available)

fips: disabled

b) FIPSubuntu@10-e2:~$ sudo ubuntu-advantage enable-fips <redacted>
Running apt-get update... OK
Ubuntu FIPS PPA repository enabled.
Installing FIPS packages (this may take a while)... OK
Configuring FIPS...
Updating grub to enable fips... OK
Successfully configured FIPS. PLEASE REBOOT to complete FIPS enablement.

(reboot)

status shows fips enabled:
ubuntu@10-e2:~$ ubuntu-advantage status
livepatch: disabled

esm: disabled (not available)

fips: enabled

And uname confirms the fips kernel:
ubuntu@10-e2:~$ uname -r
4.4.0-1002-fips

Xenial verification on x86_64 successful.

xenial fips verification on s390:

ubuntu@xenial-andreas:~$ sudo ubuntu-advantage enable-fips <redacted>
Running apt-get update... OK
Ubuntu FIPS PPA repository enabled.
Installing FIPS packages (this may take a while)... OK
Configuring FIPS...
Updating zipl to enable fips... OK
Successfully configured FIPS. PLEASE REBOOT to complete FIPS enablement.

We can see the extra "Updating zipl to enable fips" line.

And after issuing the reboot we are running a fips kernel on s390:
ubuntu@xenial-andreas:~$ ubuntu-advantage status
livepatch: disabled

esm: disabled (not available)

fips: enabled
ubuntu@xenial-andreas:~$ uname -a
Linux xenial-andreas 4.4.0-1002-fips #2-Ubuntu SMP Thu Apr 27 19:35:14 UTC 2017 s390x s390x s390x GNU/Linux

Hello Joy, or anyone else affected,

Accepted ubuntu-advantage-tools into trusty-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/ubuntu-advantage-tools/10ubuntu0.14.04.2 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed.Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-trusty to verification-done-trusty. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-trusty. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Based on the above discussion about Trusty package

A new version of "ubuntu-advantage-tools [10ubuntu0.14.04.2]" has been uploaded for Trusty :

* Skipping tests during package builds.
    - d/rules: Disabling the tests.
    - d/control: Removing tests dependencies.

- Eric

Xenial Verification:

root@test3:/home/ubuntu# dpkg -l ubuntu-advantage-tools
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name Version Architecture Description
+++-===================-==============-==============-===========================================
ii ubuntu-advantage-to 10ubuntu0.16.0 all management tools for Ubuntu Advantage

root@test3:/home/ubuntu# ubuntu-advantage enable-livepatch <redacted>
Installing the canonical-livepatch snap.
This may take a few minutes depending on your bandwidth.
2017-11-07T16:35:23Z INFO Waiting for restart...
canonical-livepatch 7.24 from 'canonical' installed
Enabling Livepatch with the given token, stand by...
Successfully enabled device. Using machine-token: <redacted>
Use "canonical-livepatch status" to verify current patch status.

root@test3:/home/ubuntu# ubuntu-advantage enable-fips chris-8k:<redacted>
Running apt-get update... OK
Ubuntu FIPS PPA repository enabled.
Installing FIPS packages (this may take a while)... OK
Configuring FIPS...
Updating grub to enable fips... OK
Successfully configured FIPS. PLEASE REBOOT to complete FIPS enablement.

ubuntu@test3:~$ uname -r
4.4.0-1002-fips

ubuntu@test3:~$ ubuntu-advantage status
livepatch: enabled
  client-version: "7.23"
  architecture: x86_64
  cpu-model: Intel Core Processor (Haswell, no TSX)
  last-check: 2017-11-07T16:51:03.482519271Z
  boot-time: 2017-11-07T16:45:05Z
  uptime: 6m36s
  status:
  - kernel: 4.4.0-1002.2-fips
    running: true
    livepatch:
      checkState: checked
      patchState: nothing-to-apply
      version: ""
      fixes: ""

esm: disabled (not available)

fips: enabled

Artful verification:

root@test1:~# dpkg -l ubuntu-advantage-tools
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name Version Architecture Description
+++-=============================-===================-===================-================================================================
ii ubuntu-advantage-tools 10ubuntu0.17.10.1 all management tools for Ubuntu Advantage

root@test1:~# ubuntu-advantage enable-livepatch <redacted>
Sorry, but Canonical Livepatch is not supported on artful

root@test1:~# ubuntu-advantage enable-fips chris-8k:<redacted>
Sorry, but Canonical FIPS 140-2 Modules is not supported on artful

root@test1:~# ubuntu-advantage status
livepatch: disabled (not available)

esm: disabled (not available)

fips: disabled (not available)

Zesty verification:

root@test2:~# dpkg -l ubuntu-advantage-tools
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name Version Architecture Description
+++-================================-=====================-=====================-=====================================================================
ii ubuntu-advantage-tools 10ubuntu0.17.04.1 all management tools for Ubuntu Advantage

root@test2:~# ubuntu-advantage enable-livepatch <redacted>
Sorry, but Canonical Livepatch is not supported on zesty

root@test2:~# ubuntu-advantage enable-fips chris-8k:<redacted>
Sorry, but Canonical FIPS 140-2 Modules is not supported on zesty

root@test2:~# ubuntu-advantage status
livepatch: disabled (not available)

esm: disabled (not available)

fips: disabled (not available)

Trusty verification
 *** 10ubuntu0.14.04.2 0
        500 http://archive.ubuntu.com/ubuntu/ trusty-proposed/main amd64 Packages

status correctly shows just livepatch available:

ubuntu@04-57:~$ ubuntu-advantage status
livepatch: disabled

esm: disabled (not available)

fips: disabled (not available)

fips can't be enabled, which is correct:
ubuntu@04-57:~$ sudo ubuntu-advantage enable-fips foo:bar
Sorry, but Canonical FIPS 140-2 Modules is not supported on trusty

Enabling livepatch:
ubuntu@04-57:~$ sudo ubuntu-advantage enable-livepatch <redacted>
Installing missing dependency snapd... OK
Installing the canonical-livepatch snap.
This may take a few minutes depending on your bandwidth.
canonical-livepatch 7.24 from 'canonical' installed

Your currently running kernel (3.13.0-135-generic) is too old to
support snaps. Version 4.4.0 or higher is needed.

Please reboot your system into a supported kernel version
and run the following command one more time to complete the
installation:

sudo ubuntu-advantage enable-livepatch <redacted>

The snap is installed, but you indeed need to reboot into the newer kernel that ubuntu-advantage-tools installed for you.

(reboot)

ubuntu@04-57:~$ uname -a
Linux 04-57 4.4.0-100-generic #123~14.04.1-Ubuntu SMP Fri Nov 3 09:36:06 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
ubuntu@04-57:~$ sudo ubuntu-advantage enable-livepatch <redacted>
Enabling Livepatch with the given token, stand by...
Successfully enabled device. Using machine-token: <redacted>
Use "canonical-livepatch status" to verify current patch status.

status now shows livepatch information:
ubuntu@04-57:~$ ubuntu-advantage status
livepatch: enabled
  client-version: "7.23"
  architecture: x86_64
  cpu-model: Intel Core Processor (Skylake)
  last-check: 2017-11-07T18:19:10.452071038Z
  boot-time: 2017-11-07T18:18:05Z
  uptime: 1m25s
  status:
  - kernel: 4.4.0-100.123~14.04.1-generic
    running: true
    livepatch:
      checkState: checked
      patchState: nothing-to-apply
      version: ""
      fixes: ""

esm: disabled (not available)

fips: disabled (not available)
ubuntu@04-57:~$

trusty verification successful.

Trusty:

NOTE: This is a pass for the ubuntu-advantage-tools script. The duplicate machine-id issue I had was traced back to the canonical-livepatch snap.

root@test4:~# dpkg -l ubuntu-advantage-tools
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name Version Architecture Description
+++-=================================-=====================-=====================-=======================================================================
ii ubuntu-advantage-tools 10ubuntu0.14.04.2 all management tools for Ubuntu Advantage

root@test4:~# ubuntu-advantage enable-livepatch <redacted>
Installing missing dependency snapd... OK
Installing the canonical-livepatch snap.
This may take a few minutes depending on your bandwidth.
canonical-livepatch 7.24 from 'canonical' installed

Your currently running kernel (3.13.0-135-generic) is too old to
support snaps. Version 4.4.0 or higher is needed.

Please reboot your system into a supported kernel version
and run the following command one more time to complete the
installation:

sudo ubuntu-advantage enable-livepatch <redacted>

root@test4:~# ubuntu-advantage enable-fips chris-8k:<redacted>
Sorry, but Canonical FIPS 140-2 Modules is not supported on trusty

root@test4:~# ubuntu-advantage enable-livepatch <redacted>
Enabling Livepatch with the given token, stand by...
2017/11/07 19:16:15 Error executing enable?auth-token=<redacted>
This machine ID is already enabled with a different key or is non-unique. Either "sudo canonical-livepatch disable" on the other machine, or regenerate a unique /etc/machine-id on this machine with "sudo rm /etc/machine-id /var/lib/dbus/machine-id && sudo systemd-machine-id-setup" : {"error": "Conflicting machine-id"}

root@test4:~# ubuntu-advantage status
livepatch: disabled

esm: disabled (not available)

fips: disabled (not available)

root@test4:~# sudo rm /etc/machine-id /var/lib/dbus/machine-id && sudo systemd-machine-id-setup
Initializing machine ID from KVM UUID.

root@test4:~# ubuntu-advantage enable-livepatch <redacted>
Enabling Livepatch with the given token, stand by...
Successfully enabled device. Using machine-token: <redacted>
Use "canonical-livepatch status" to verify current patch status.

root@test4:~# ubuntu-advantage status
livepatch: enabled
  client-version: "7.23"
  architecture: x86_64
  cpu-model: Intel Core Processor (Haswell, no TSX)
  last-check: 2017-11-07T19:17:36.506320725Z
  boot-time: 2017-11-07T19:15:15Z
  uptime: 2m58s
  status:
  - kernel: 4.4.0-100.123~14.04.1-generic
    running: true
    livepatch:
      checkState: checked
      patchState: nothing-to-apply
      version: ""
      fixes: ""

esm: disabled (not available)

fips: disabled (not available)

As per discussion, I approve of an earlier release of this update to -updates. The testing done is sufficient. Let me take care of this. Please inform me instantly if there's any regression noticed after the release.

This bug was fixed in the package ubuntu-advantage-tools - 10ubuntu0.17.10.1

---------------
ubuntu-advantage-tools (10ubuntu0.17.10.1) artful; urgency=medium

  * Backports from upstream version 13 (LP: #1719671):
    - support older python3 versions in the test suite
    - d/control, d/rules: run tests at package build time
    - default FIPS tests to the x86_64 architecture
    - add FIPS test for unsupported architecture

 -- Andreas Hasenack <email address hidden> Sun, 05 Nov 2017 18:45:21 -0200

The verification of the Stable Release Update for ubuntu-advantage-tools has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

This bug was fixed in the package ubuntu-advantage-tools - 10ubuntu0.17.04.1

---------------
ubuntu-advantage-tools (10ubuntu0.17.04.1) zesty; urgency=medium

  * Backport version 10 to zesty.
  * Backports from upstream version 13 (LP: #1719671):
    - support older python3 versions in the test suite
    - d/control, d/rules: run tests at package build time
    - default FIPS tests to the x86_64 architecture
    - add FIPS test for unsupported architecture

 -- Andreas Hasenack <email address hidden> Sun, 05 Nov 2017 18:41:46 -0200

This bug was fixed in the package ubuntu-advantage-tools - 10ubuntu0.16.04.1

---------------
ubuntu-advantage-tools (10ubuntu0.16.04.1) xenial; urgency=medium

  * Backport version 10 to xenial.
  * Backports from upstream version 13 (LP: #1719671):
    - support older python3 versions in the test suite
    - d/control, d/rules: run tests at package build time
    - default FIPS tests to the x86_64 architecture
    - add FIPS test for unsupported architecture

 -- Andreas Hasenack <email address hidden> Sun, 05 Nov 2017 18:37:47 -0200

This bug was fixed in the package ubuntu-advantage-tools - 10ubuntu0.14.04.2

---------------
ubuntu-advantage-tools (10ubuntu0.14.04.2) trusty; urgency=medium

  * Skipping tests during package builds.
    - d/rules: Disabling the tests.
    - d/control: Removing tests dependencies.

ubuntu-advantage-tools (10ubuntu0.14.04.1) trusty; urgency=medium

  * Backport version 10 to trusty.
  * Backports from upstream version 13 (LP: #1719671):
    - support older python3 versions in the test suite
    - d/control, d/rules: run tests at package build time
    - default FIPS tests to the x86_64 architecture
    - add FIPS test for unsupported architecture

 -- Eric Desrochers <email address hidden> Tue, 07 Nov 2017 10:07:49 -0500

TEST RESULTS for Trusty, Xenial, Zesty and Artful:

===== 14.04.5 =====

ubuntu@ua-trusty:~$ ubuntu-advantage status
livepatch: disabled

esm: disabled (not available)

fips: disabled (not available)

$ sudo ubuntu-advantage enable-fips alexmoldovan:<REDACTED>
Sorry, but Canonical FIPS 140-2 Modules is not supported on trusty

===== 16.04.3 =====

$ ubuntu-advantage status
livepatch: disabled
esm: disabled (not available)
fips: disabled

$ sudo ubuntu-advantage enable-livepatch <REDACTED>
Installing the canonical-livepatch snap.
This may take a few minutes depending on your bandwidth.
2017-11-07T22:46:53Z INFO Waiting for restart...
canonical-livepatch 7.24 from 'canonical' installed
Enabling Livepatch with the given token, stand by...
Successfully enabled device. Using machine-token: <REDACTED>
Use "canonical-livepatch status" to verify current patch status.

$ ubuntu-advantage status
livepatch: enabled
  client-version: "7.23"
  architecture: x86_64
  cpu-model: Intel(R) Core(TM)2 Duo CPU T7700 @ 2.40GHz
  last-check: 2017-11-07T22:46:59.875848798Z
  boot-time: 2017-11-07T22:13:25Z
  uptime: 34m41s
  status:
  - kernel: 4.4.0-100.123-generic
    running: true
    livepatch:
      checkState: checked
      patchState: nothing-to-apply
      version: ""
      fixes: ""

esm: disabled (not available)
fips: disabled

$ sudo ubuntu-advantage enable-fips alexmoldovan:<REDACTED>
Running apt-get update... OK
Ubuntu FIPS PPA repository enabled.
Installing FIPS packages (this may take a while)... OK
Configuring FIPS...
Updating grub to enable fips... OK
Successfully configured FIPS. PLEASE REBOOT to complete FIPS enablement.

$ ubuntu-advantage status
livepatch: enabled
  client-version: "7.23"
  architecture: x86_64
  cpu-model: Intel Core Processor (Haswell, no TSX)
  last-check: 2017-11-08T10:44:39.356-05:00
  boot-time: 2017-11-08T10:44:32-05:00
  uptime: 1m39s
  status:
  - kernel: 4.4.0-1002.2-fips
    running: true
    livepatch:
      checkState: checked
      patchState: nothing-to-apply
      version: ""
      fixes: ""

esm: disabled (not available)
fips: enabled

$ uname -a
Linux ubuntu1604 4.4.0-1002-fips #2-Ubuntu SMP Thu Apr 27 19:37:46 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux

===== 17.04 =====

$ ubuntu-advantage status
livepatch: disabled (not available)

esm: disabled (not available)

fips: disabled (not available)

$ sudo ubuntu-advantage enable-livepatch foobar
Sorry, but Canonical Livepatch is not supported on zesty

===== 17.10 =====

$ ubuntu-advantage status
livepatch: disabled (not available)

esm: disabled (not available)

fips: disabled (not available)

$ sudo ubuntu-advantage enable-livepatch foobar
Sorry, but Canonical Livepatch is not supported on artful

$ sudo ubuntu-advantage enable-fips alexmoldovan:<REDACTED>
Sorry, but Canonical FIPS 140-2 Modules is not supported on artful