Ubuntu
ubuntu-advantage-tools package

Merge ~lamoura/ubuntu/+source/ubuntu-advantage-tools:hirsute-devel-release-27 into ubuntu/+source/ubuntu-advantage-tools:ubuntu/hirsute-devel

Git
lp:~lamoura/ubuntu/+source/ubuntu-advantage-tools
hirsute-devel-release-27
Merge into ubuntu/hirsute-devel

Proposed by Lucas Albuquerque Medeiros de Moura on 2021-04-22

Status:

Needs review

Proposed branch:

~lamoura/ubuntu/+source/ubuntu-advantage-tools:hirsute-devel-release-27

Merge into:

ubuntu/+source/ubuntu-advantage-tools:ubuntu/hirsute-devel

Diff against target:

12025 lines (+8488/-712)

87 files modified

Jenkinsfile (+28/-35)
README.md (+29/-12)
RELEASES.md (+63/-4)
apt-hook/20apt-esm-hook.conf (+10/-2)
apt-hook/Makefile (+11/-4)
apt-hook/hook.cc (+264/-74)
apt-hook/json-hook-src/go.mod (+3/-0)
apt-hook/json-hook-src/json-hook.go (+253/-0)
apt-hook/json-hook-src/json-hook_test.go (+410/-0)
debian/changelog (+158/-1)
debian/control (+8/-2)
debian/lintian-overrides (+5/-0)
debian/po/templates.pot (+2/-2)
debian/rules (+10/-2)
debian/ubuntu-advantage-tools.config (+14/-0)
debian/ubuntu-advantage-tools.postinst (+150/-40)
debian/ubuntu-advantage-tools.templates (+1/-1)
dev/null (+0/-0)
features/attach_invalidtoken.feature (+1/-1)
features/attach_validtoken.feature (+63/-28)
features/attached_commands.feature (+12/-12)
features/attached_enable.feature (+62/-118)
features/cloud.py (+0/-12)
features/environment.py (+27/-17)
features/gcp-ids.yaml (+3/-3)
features/staging_commands.feature (+50/-5)
features/steps/steps.py (+75/-3)
features/ubuntu_pro.feature (+39/-9)
features/unattached_commands.feature (+388/-3)
features/util.py (+0/-81)
integration-requirements.txt (+1/-1)
lib/reboot_cmds.py (+12/-8)
lib/ua_update_messaging.py (+302/-0)
setup.py (+1/-0)
systemd/ua-messaging.service (+8/-0)
systemd/ua-messaging.timer (+11/-0)
tools/test_xenial_upgrade.sh (+224/-0)
tools/tox-lxd-runner (+2/-2)
tox.ini (+2/-2)
uaclient-devel.conf (+1/-0)
uaclient.conf (+1/-0)
uaclient/apt.py (+1/-0)
uaclient/cli.py (+87/-18)
uaclient/clouds/identity.py (+12/-0)
uaclient/clouds/tests/test_identity.py (+31/-0)
uaclient/config.py (+136/-8)
uaclient/contract.py (+1/-2)
uaclient/defaults.py (+10/-1)
uaclient/entitlements/esm.py (+53/-7)
uaclient/entitlements/fips.py (+9/-3)
uaclient/entitlements/livepatch.py (+3/-3)
uaclient/entitlements/repo.py (+3/-3)
uaclient/entitlements/tests/test_base.py (+2/-2)
uaclient/entitlements/tests/test_cc.py (+1/-1)
uaclient/entitlements/tests/test_esm.py (+145/-34)
uaclient/entitlements/tests/test_fips.py (+38/-1)
uaclient/entitlements/tests/test_livepatch.py (+8/-6)
uaclient/entitlements/tests/test_repo.py (+1/-1)
uaclient/exceptions.py (+12/-0)
uaclient/gpg.py (+1/-1)
uaclient/security.py (+1179/-0)
uaclient/serviceclient.py (+19/-2)
uaclient/status.py (+237/-37)
uaclient/testing/fakes.py (+4/-1)
uaclient/tests/test_apt.py (+5/-1)
uaclient/tests/test_cli.py (+2/-0)
uaclient/tests/test_cli_attach.py (+33/-3)
uaclient/tests/test_cli_auto_attach.py (+28/-0)
uaclient/tests/test_cli_detach.py (+31/-2)
uaclient/tests/test_cli_disable.py (+27/-3)
uaclient/tests/test_cli_enable.py (+31/-7)
uaclient/tests/test_cli_fix.py (+78/-0)
uaclient/tests/test_cli_refresh.py (+20/-1)
uaclient/tests/test_cli_status.py (+81/-7)
uaclient/tests/test_config.py (+162/-31)
uaclient/tests/test_contract.py (+1/-8)
uaclient/tests/test_reboot_cmds.py (+48/-1)
uaclient/tests/test_security.py (+2344/-0)
uaclient/tests/test_serviceclient.py (+24/-0)
uaclient/tests/test_status.py (+49/-1)
uaclient/tests/test_ua_update_messaging.py (+469/-0)
uaclient/tests/test_util.py (+237/-9)
uaclient/tests/test_version.py (+10/-3)
uaclient/util.py (+101/-18)
uaclient/version.py (+2/-2)
update-motd.d/88-esm-announce (+4/-0)
update-motd.d/91-contract-ua-esm-status (+4/-0)

Medium

Fix Released

Link a bug report

Reviewer	Review Type	Date Requested	Status
Bryce Harrington (community)		2021-04-22	Approve on 2021-04-27
Review via email: mp+401650@code.launchpad.net

Description of the change

This is a branch used only as a base for reviewing release 27 of uaclient. It brings all the functionality that we are going to release across ubuntu releases (xenial to hirsute).

To reproduce it:

1. Add the main project as upstream:
git remote add upstream <email address hidden>:canonical/ubuntu-advantage-client.git

2. git fetch upstream
3. Manually cherry-pick those commits:

140d0ee657d70e22109f17de02f9cc3a3e8df529
80b4172fa4dcac4355ab72842d8a9fe082d488fb
e134dd489aed8ec3cb5f8a5510aaf8eeff1091de
985f8d1eb74512c535bbe0f03cd30c3570d6ba2b
bad262200eb38d23a2885168ad1676503ec538ef
c76dcf249adb6f300d750408275d9129c5d00a7b
c6ceeedc536c7144fb5d10463dab5692f2970ef0
bb3d8928acd4ef7e6091ba2ecf69091b733c2774

4. git cherry-pick b2de092ebeb9480c837048c7551bc50fb3a25377..bb623147c73c2984f75b35e3947595c6027350ce

Skip all of merge commits and solve the conflicts on debian/changelog and debian/control

5. Add a commit bumping the project version to 27.0

~lamoura/ubuntu/+source/ubuntu-advantage-tools:hirsute-devel-release-27 updated on 2021-04-27

7a474e8... by Chad Smith on 2021-04-23

config: avoid tracebacks on invalid features value in uaclient.conf

If /etc/ubuntu-advantage/uaclient.conf contains unexpected values
in features: settings log a warning and return an empty dict.

Avoid tracing on every ua subcommand call.

Fixes: #1564

2d4d78c... by Lucas Albuquerque Medeiros de Moura on 2021-04-23

Remove redundant messaging from uaclient

Currently, uaclient is advertising esm services by allowing
motd to show messages saying that additional packages could
be installed if esm service was enabled. We don't need those
type of messages because update-notifier will handle them.

Also, we are updating the code to always show expired message
for esm-infra services, even if the distro is not ESM

851036e... by Grant Orndorff on 2021-04-26

test: uncomment additional xenial upgrade tests

3b3e646... by Chad Smith on 2021-04-27

apt-hook: avoid reporting and counting duplicate package names

Only track unique named package upgrades in ESM.
Both esm -updates and esm-security pockets can contain same
packages. Avoid counting duplicates.

Fixes: #1578

a0dc53a... by Chad Smith on 2021-04-27

messages: add optional (s) to apt messaging to include singular/plural pkgs

5aa8c38... by Grant Orndorff on 2021-04-27

fix: dont say reboot required when unnecessary (#1577)

Before, we were assuming that if the system reboot
flag was set, then it was because of our fix operation.
Now, we are carving out a case where we can safely know
that the reboot is not required because of our fix.
Specifically, if our fix operation didn't actually install
anything, then it couldn't have caused the reboot to be
required.

LP: #1926183

bba3fd7... by Lucas Albuquerque Medeiros de Moura on 2021-04-27

changelog for release 27.0

Revision history for this message

Chad Smith (chad.smith) wrote on 2021-04-27:

Note that functional equivalent bits have been uploaded to https://launchpad.net/~orndorffgrant/+archive/ubuntu/uaclient-staging-27 for hirsute and impish for testing purposes

Revision history for this message

Chad Smith (chad.smith) wrote on 2021-04-27:

Since we are now actualy SRUing into Hirsute we have to follow the SRU exception process for ua-tools @ https://wiki.ubuntu.com/UbuntuAdvantageToolsUpdates

So the debian/changelog needs to reflect our SRU process bug (and we won't link any other LP bugs in that SRU)

diff --git a/debian/changelog b/debian/changelog
index 9db7b0de..2bae3d2b 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,11 +1,11 @@
ubuntu-advantage-tools (27.0~21.04.1) hirsute; urgency=medium

- * New upstream release 27.0:
+ * New upstream release 27.0: (LP: #1926361)
     - messages: add optional (s) to apt messaging to include
       singular/plural pkgs
     - apt-hook: avoid reporting and counting duplicate package
       names (GH: #1578)
- - fix: dont say reboot required when unnecessary (LP: #1926183)
+ - fix: dont say reboot required when unnecessary
     - test: uncomment additional xenial upgrade tests

-- Lucas Moura <email address hidden> Tue, 27 Apr 2021 15:31:06 -0300

~lamoura/ubuntu/+source/ubuntu-advantage-tools:hirsute-devel-release-27 updated on 2021-04-27

21e6c1e... by Lucas Albuquerque Medeiros de Moura on 2021-04-27: fix changelog

Revision history for this message

Bryce Harrington (bryce) wrote on 2021-04-27:

Given that this is essentially a new upstream release, for review purposes I'm going to treat this as an upstream package merge. In other words, rather than a detailed code review I'm mainly going to focus on the packaging changes and integration testing, and assume the main codebase changes have been adequately reviewed and tested already. (The short timeframe we have really doesn't permit a full review anyway.)

However, I did do a cursory review through the 10 commits just to familiarize myself and make sure there's nothing scary. Didn't find anything notable, (other than that this impressively hits four different programming languages!)

I ran into a test failure on initial build which went away after subsequent builds. I'm ignoring that since I couldn't reproduce it, but am noting it in case it comes up again. The issue seemed to involve not recognizing one of the files in lib/ as a python module since there is not a lib/__init__.py. If that crops up anywhere else, it may need adjustment for how it imports the module.

Other than that, the build and test cases all worked fine, and the package installed and upgraded/downgraded without issue.

I did run into a problem trying to use the test case from the SRU bug to reproduce the issue. See
https://pastebin.ubuntu.com/p/WYmK6467NF/. I also tested the libcaca0 package from the original bug report, and that gave similar results. Chad suggested testing against ruby2.7=2.7.2-4ubuntu1 with `ua fix USN-4922-2`, and that worked ok. I gather the metadata provided for CVEs isn't as complete as the metadata provided with USN's. However, it seems like it may be hard to justify this SRU if the original issue is not seen to be fixed by the change... I would suggest changing the test case to one like ruby2.7 that properly demonstrates the bug + fix, and adding a discussion in the SRU text at how this will also work for CVEs once the metadata issue is resolved.

Since the SRU process isn't required for devel versions, I'll go ahead and mark this approved for impish and proceed with uploading.

Given that this is essentially a new upstream release, for review purposes I'm going to treat this as an upstream package merge.  In other words, rather than a detailed code review I'm mainly going to focus on the packaging changes and integration testing, and assume the main codebase changes have been adequately reviewed and tested already.  (The short timeframe we have really doesn't permit a full review anyway.)

However, I did do a cursory review through the 10 commits just to familiarize myself and make sure there's nothing scary.  Didn't find anything notable, (other than that this impressively hits four different programming languages!)

I ran into a test failure on initial build which went away after subsequent builds.  I'm ignoring that since I couldn't reproduce it, but am noting it in case it comes up again.  The issue seemed to involve not recognizing one of the files in lib/ as a python module since there is not a lib/__init__.py.  If that crops up anywhere else, it may need adjustment for how it imports the module.

Other than that, the build and test cases all worked fine, and the package installed and upgraded/downgraded without issue.

I did run into a problem trying to use the test case from the SRU bug to reproduce the issue.  See  
https://pastebin.ubuntu.com/p/WYmK6467NF/.  I also tested the libcaca0 package from the original bug report, and that gave similar results.  Chad suggested testing against ruby2.7=2.7.2-4ubuntu1 with `ua fix USN-4922-2`, and that worked ok.  I gather the metadata provided for CVEs isn't as complete as the metadata provided with USN's.  However, it seems like it may be hard to justify this SRU if the original issue is not seen to be fixed by the change...  I would suggest changing the test case to one like ruby2.7 that properly demonstrates the bug + fix, and adding a discussion in the SRU text at how this will also work for CVEs once the metadata issue is resolved.

Since the SRU process isn't required for devel versions, I'll go ahead and mark this approved for impish and proceed with uploading.

review: Approve

Revision history for this message

Bryce Harrington (bryce) wrote on 2021-04-28:

I also uploaded this hirsute package since the package itself is good to go. The SRU bug will need some attention though.

Unmerged commits

21e6c1e... by Lucas Albuquerque Medeiros de Moura on 2021-04-27

fix changelog

bba3fd7... by Lucas Albuquerque Medeiros de Moura on 2021-04-27

changelog for release 27.0

a0dc53a... by Chad Smith on 2021-04-27

messages: add optional (s) to apt messaging to include singular/plural pkgs

3b3e646... by Chad Smith on 2021-04-27

apt-hook: avoid reporting and counting duplicate package names

Only track unique named package upgrades in ESM.
Both esm -updates and esm-security pockets can contain same
packages. Avoid counting duplicates.

Fixes: #1578

5aa8c38... by Grant Orndorff on 2021-04-27

fix: dont say reboot required when unnecessary (#1577)

LP: #1926183

851036e... by Grant Orndorff on 2021-04-26

test: uncomment additional xenial upgrade tests

2d4d78c... by Lucas Albuquerque Medeiros de Moura on 2021-04-23

Remove redundant messaging from uaclient

Also, we are updating the code to always show expired message
for esm-infra services, even if the distro is not ESM

5ea5a1a... by Grant Orndorff on 2021-04-21

apt-hook: new json hook for security update counts

This new hook takes advantage of the newly created
"stats" json hooj in apt to print a message about the
number of security updates to be installed on
apt upgrade.

7a474e8... by Chad Smith on 2021-04-23

config: avoid tracebacks on invalid features value in uaclient.conf

If /etc/ubuntu-advantage/uaclient.conf contains unexpected values
in features: settings log a warning and return an empty dict.

Avoid tracing on every ua subcommand call.

Fixes: #1564

ede5523... by Lucas Albuquerque Medeiros de Moura on 2021-04-22

Bump version to 27

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk

The diff has been truncated for viewing.

Subscribers

People subscribed via source and target branches

to all changes:

Lucas Albuquerque Medeiros de Moura

git-ubuntu developers

to status/vote changes:

Terrence Bobryk-Ozaki

 diff --git a/Jenkinsfile b/Jenkinsfile
 index ebee6f9..2082e19 100644
 --- a/Jenkinsfile
 +++ b/Jenkinsfile
@@ -37,35 +37,28 @@ pipeline {
                  '''
+             }
+         }
--        stage ('Lint and Style') {
--            parallel {
--                stage("flake8") {
--                    steps {
--                        sh '''
--                        set +x
--                        . $TMPDIR/bin/activate
--                        tox --parallel--safe-build -e flake8
--                        '''
--                    }
--                }
--                stage("style") {
--                    steps {
--                        sh '''
--                        set +x
--                        . $TMPDIR/bin/activate
--                        tox --parallel--safe-build -e black
--                        '''
--                    }
--                }
--                stage("mypy") {
--                    steps {
--                        sh '''
--                        set +x
--                        . $TMPDIR/bin/activate
--                        tox --parallel--safe-build -e mypy
--                        '''
--                    }
--                }
++        stage("flake8") {
++            steps {
++                sh '''
++                set +x
++                tox -e flake8
++                '''
++            }
++        }
++        stage("style") {
++            steps {
++                sh '''
++                set +x
++                tox -e black
++                '''
++            }
++        }
++        stage("mypy") {
++            steps {
++                sh '''
++                set +x
++                tox -e mypy
++                '''
+             }
+         }
          stage ('Unit Tests') {
@@ -170,7 +163,7 @@ pipeline {
                  stage("lxc 14.04") {
                      environment {
                          UACLIENT_BEHAVE_DEBS_PATH = "${TMPDIR}trusty/"
--                        UACLIENT_BEHAVE_ARTIFACT_DIR = "${TMPDIR}artifacts/behave-lxd-14.04"
++                        UACLIENT_BEHAVE_ARTIFACT_DIR = "artifacts/behave-lxd-14.04"
+                     }
                      steps {
                          sh '''
@@ -183,7 +176,7 @@ pipeline {
                  stage("lxc 16.04") {
                      environment {
                          UACLIENT_BEHAVE_DEBS_PATH = "${TMPDIR}xenial/"
--                        UACLIENT_BEHAVE_ARTIFACT_DIR = "${TMPDIR}artifacts/behave-lxd-16.04"
++                        UACLIENT_BEHAVE_ARTIFACT_DIR = "artifacts/behave-lxd-16.04"
+                     }
                      steps {
                          sh '''
@@ -196,7 +189,7 @@ pipeline {
                  stage("lxc 18.04") {
                      environment {
                          UACLIENT_BEHAVE_DEBS_PATH = "${TMPDIR}bionic/"
--                        UACLIENT_BEHAVE_ARTIFACT_DIR = "${TMPDIR}artifacts/behave-lxd-18.04"
++                        UACLIENT_BEHAVE_ARTIFACT_DIR = "artifacts/behave-lxd-18.04"
+                     }
                      steps {
                          sh '''
@@ -209,7 +202,7 @@ pipeline {
                  stage("lxc vm 20.04") {
                      environment {
                          UACLIENT_BEHAVE_DEBS_PATH = "${TMPDIR}focal/"
--                        UACLIENT_BEHAVE_ARTIFACT_DIR = "${TMPDIR}artifacts/behave-vm-20.04"
++                        UACLIENT_BEHAVE_ARTIFACT_DIR = "artifacts/behave-vm-20.04"
+                     }
                      steps {
                          sh '''
@@ -222,7 +215,7 @@ pipeline {
                  stage("awspro 18.04") {
                      environment {
                          UACLIENT_BEHAVE_DEBS_PATH = "${TMPDIR}bionic/"
--                        UACLIENT_BEHAVE_ARTIFACT_DIR = "${TMPDIR}artifacts/behave-awspro-18.04"
++                        UACLIENT_BEHAVE_ARTIFACT_DIR = "artifacts/behave-awspro-18.04"
+                     }
                      steps {
                          sh '''
@@ -253,7 +246,7 @@ pipeline {
                      currentBuild.result = 'UNSTABLE'
+                 }
                  try {
--                    archiveArtifacts "/tmp/${BUILD_TAG}/artifacts/**/*"
++                    archiveArtifacts "artifacts/**/**/*"
                  } catch (Exception e) {
                      echo "No integration test artifacts found. Presume success."
+                 }
 diff --git a/README.md b/README.md
 index c45c58b..7e140c0 100644
 --- a/README.md
 +++ b/README.md
@@ -20,6 +20,15 @@ The client comes pre-installed on all Ubuntu systems in the debian packages
  images will also contain `ubuntu-advantage-pro` which automates machine attach
  on custom AWS and Azure images.
++Additionally, there are 3 PPAs with different release channels of the Ubuntu Advantage Client:
++
++1. Stable: This contains stable builds only.
++    - add with `sudo add-apt-repository ppa:ua-client/stable`
++2. Staging: This contains builds that are being prepared for release to stable.
++    - add with `sudo add-apt-repository ppa:ua-client/staging`
++3. Daily: This PPA is updated every day with the latest changes.
++    - add with `sudo add-apt-repository ppa:ua-client/daily`
++
  Users can manually run the `ua` command to learn more or view the manpage.
  ## Terminology
@@ -37,7 +46,7 @@ Ubuntu Advantage Client performs:
  ## Architecture
--Ubuntu Advantage client, hereafter "UA client", is python3-based command line
++Ubuntu Advantage client, hereafter "UA client", is a python3-based command line
  utility. It provides a CLI to attach, detach, enable,
  disable and check status of support related services.
@@ -83,7 +92,7 @@ enabled or disabled.
  If a contract entitles a machine to a service, `root` user can enable the
  service with `ua enable <service>`.  If a service can be disabled
--`ua disabled <service>` will be permitted.
++`ua disable <service>` will be permitted.
  The goal of the UA client is to remain simple and flexible and let the
  contracts backend drive dynamic changes in contract offerings and constraints.
@@ -120,7 +129,15 @@ The following describes the intent of UA client related directories:
  ## Testing
--All unit and lint tests are run using tox:
++All unit and lint tests are run using `tox`. We also use `tox-pip-version` to specify an older pip version as a workaround: we have some required dependencies that can't meet the strict compatibility checks of current pip versions.
++
++First, install `tox` and `tox-pip-version` - you'll only have to do this once.
++
++```shell
++make testdeps
++```
++
++Then you can run the unit and lint tests:
  ```shell
  tox
@@ -144,7 +161,7 @@ logic for those tests.
  By default, integration tests will do the folowing on a given cloud platform:
   * Launch an instance running latest daily image of the target Ubuntu release
-- * Add the Ubuntu advantage client daily build PPA: [ppa:canonical-server/ua-client-daily](https://code.launchpad.net/~canonical-server/+archive/ubuntu/ua-client-daily)
++ * Add the Ubuntu advantage client daily build PPA: [ppa:ua-client/daily](https://code.launchpad.net/~ua-client/+archive/ubuntu/daily)
   * Install the appropriate ubuntu-advantage-tools and ubuntu-advantage-pro deb
   * Stop the instance and snapshot it creating an updated bootable image for
     test runs
@@ -181,9 +198,9 @@ Furthermore, when developing/debugging a new scenario:
 . Add a `@wip` tag decorator on the scenario
 . To only run @wip scenarios run: `tox -e behave-20.04 -- -w`
-- 4. If you want to use a debugger:
--    a. Add ipdb to integration-requirements.txt
--    b. Add ipdb.set_trace() in the code block you wish to debug
++ 3. If you want to use a debugger:
++    1. Add ipdb to integration-requirements.txt
++    2. Add ipdb.set_trace() in the code block you wish to debug
  (If you're getting started with behave, we recommend at least reading
  through [the behave
@@ -271,7 +288,7 @@ To update `features/aws-ids.yaml`, run `./tools/refresh-aws-pro-ids` and put up
  a pull request against this repo to updated that content from the ua-contracts
  marketplace definitions.
--* To manually run EC2 integration tests using packages from `ppa:canonical-server/ua-client-daily` provide the following environment vars:
++* To manually run EC2 integration tests using packages from `ppa:ua-client/daily` provide the following environment vars:
  ```sh
  UACLIENT_BEHAVE_AWS_ACCESS_KEY_ID=<blah> UACLIENT_BEHAVE_AWS_SECRET_KEY=<blah2> tox -e behave-awspro-20.04
@@ -295,13 +312,13 @@ The following tox environments allow for testing focal on Azure:
  ```
  To run the test for a different release, just update the release version string. For example,
--to run AWS pro xenial tests, you can run:
++to run Azure pro xenial tests, you can run:
  ```
  tox -e behave-azurepro-16.04
  ```
--In order to run EC2 tests the following environment variables are required:
++In order to run Azure tests the following environment variables are required:
    - UACLIENT_BEHAVE_AZ_CLIENT_ID
    - UACLIENT_BEHAVE_AZ_CLIENT_SECRET
    - UACLIENT_BEHAVE_AZ_SUBSCRIPTION_ID
@@ -312,7 +329,7 @@ To specifically run non-ubuntu pro tests using canonical cloud-images an
  additional token obtained from https://ubuntu.com/advantage needs to be set:
    - UACLIENT_BEHAVE_CONTRACT_TOKEN=<your_token>
--* To manually run Azure integration tests using packages from `ppa:canonical-server/ua-client-daily` provide the following environment vars:
++* To manually run Azure integration tests using packages from `ppa:ua-client/daily` provide the following environment vars:
  ```sh
  UACLIENT_BEHAVE_AZ_CLIENT_ID=<blah> UACLIENT_BEHAVE_AZ_CLIENT_SECRET=<blah2> UACLIENT_BEHAVE_AZ_SUBSCRIPTION_ID=<blah3> UACLIENT_BEHAVE_AZ_TENANT_ID=<blah4> tox -e behave-azurepro-20.04
@@ -337,7 +354,7 @@ dpkg-buildpackage -us -uc
  ```
  **Note** It will build the package with dependencies for the Ubuntu release on
--which you are building, so it's best to build in a container of kvm for the
++which you are building, so it's best to build in a container or kvm for the
  release you are targeting.
  OR, if you want to build for a target release other than the release
 diff --git a/RELEASES.md b/RELEASES.md
 index e31dc37..98e8aaf 100644
 --- a/RELEASES.md
 +++ b/RELEASES.md
@@ -54,10 +54,69 @@ Previous release bugs:
  Manually perform a binary package copy from Daily PPA to Premium PPA and notify image creators
-- 1. [Open Daily PPA copy-package operation](https://code.launchpad.net/~canonical-server/+archive/ubuntu/ua-client-daily/+copy-packages)
++ 1. [Open Daily PPA copy-package operation](https://code.launchpad.net/~ua-client/+archive/ubuntu/daily/+copy-packages)
 . Check Trusty, Xenial, Bionic package
-- 3. Select Destination PPA: UA Client Premium [~canonical-server/ubuntu/ua-client-premium]
++ 3. Select Destination PPA: UA Client Premium [~ua-client/ubuntu/staging]
 . Select Destination series: The same series
-- 5. Copy options: "Copy existing binaries
++ 5. Copy options: "Copy existing binaries"
 . Click Copy packages
-- 7. Notify Pro Image creatros about expected Premium PPA version (patviafore/rcj)
++ 7. Notify Pro Image creators about expected Premium PPA version (patviafore/rcj/powersj)
++
++
++## Release to PPA
++
++We manually upload the packages to our staging/stable PPAs. If you want to cut a new release and
++upload to one of these PPAs, follow these steps:
++
++ 1. Do a `git cherry-pick` on the commits that should be included in the release
++ 2. Update the debian/changelog file:
++    * Create a new entry in the `debian/changelog` file:
++      * You can do that by running ` dch --newversion <version-name>`
++      * Remember to update the release from `UNRELEASED` to the most recently supported
++        ubuntu release
++    * Populate `debian/changelog` with the commits you have cherry-picked
++      * You can do that by running `git log <first-cherry-pick-commit>..<last-cherry-pick-commit> | log2dch`
++      * This will generate a list of commits that could be included in the changelog. If you don't
++        have `log2dch`, you can get it from the [uss-tableflip](https://github.com/canonical/uss-tableflip)
++      * You don't need to include all of the commits generated. Remember that the changelog should
++        be read by the user to understand the new features/modifications in the package. If you
++        think a commit will not add that much to the user experience, you can drop it from the
++        changelog
++      * To structure the changelog you can use the other entries as example. But we basically try
++        keep this order: debian changes, new features/modifications, testing
++ 3. Start building the package:
++    * *WARNING* Build the package in a clean environment. The reason for that is because the package
++      will contain everything that it is present in the folder. If you are storing credentials or
++      other sensible development information in your folder, they will be uploaded too when we send
++      the package to the ppa. A clean environment is the safest way to perform this.
++    * Build the necessary artifacts that allow building the package
++      * Guarantee that you have a gpg key in the system. You will use that gpg key to sign the
++        package.
++        * If you don't yet have a gpg key set up, follow the instructions
++          [here](https://help.launchpad.net/YourAccount/ImportingYourPGPKey) to create a key,
++          publish it to `hkp://keyserver.ubuntu.com`, and import it into Launchpad.
++      * We can achieve that by running the `build-package` command when your current folder is the
++        top of source tree. This script is also found on the [uss-tableflip](https://github.com/canonical/uss-tableflip) repo.
++      * This script will generate all the package artifacts in the parent directory as `../out`.
++    * Verify if we can build the package:
++      * We can achieve that by running the `sbuild-it` command. This script is also found on the
++        [uss-tableflip](https://github.com/canonical/uss-tableflip) repo.
++      * Before you run `sbuild-it` for the first time, you'll need to set up a chroot for each Ubuntu release.
++        Follow [these instructions](https://gist.github.com/smoser/14df5f0cd621e10d2282d7c90345e322#new-sbuild-creation)
++        to create a chroot for each supported release.
++      * To use it, you can just run `sbuild-it ../out/<package_name>.dsc
++      * If the package was built sucessfully, you can move to the next step.
++ 4. Repeat that for older ubuntu releases:
++    * Currently, we test this build process for `Trusty(14.04)`, `Xenial(16.04)`, `Bionic(18.04)`,
++      `Focal(20.10)`, `Groovy(20.10)` and `Hirsute(21.04)`
++    * To test this other releases, just change the changelog to target those releases.
++      PS: remember to also change the version number on the changelog. For example, suppose
++      the new version is `1.1~20.04.1`. If you want to test Bionic now, change it to
++      `1.1~18.04.1`.
++    * Commit those changes and perform the `build-package` and `sbuild-it` steps for the release.
++      * These commits are just local commits for this build process - do not push them to remote repository.
++ 5. After all of the releases are tested, we can start uploading to the ppa. For each release, run
++    the command `dput ppa:ua-client/stable ../out/<package_name>_source.changes`
++    * Run this command for each release you are going to upload
++    * Remember to have launchpad already properly configured in your system to allow you uploading
++      packages to the ppa.
 diff --git a/apt-hook/20apt-esm-hook.conf b/apt-hook/20apt-esm-hook.conf
 index d6d1ad1..c4e4ebb 100644
 --- a/apt-hook/20apt-esm-hook.conf
 +++ b/apt-hook/20apt-esm-hook.conf
@@ -1,7 +1,15 @@
  APT::Update::Post-Invoke-Stats {
--	"[ ! -f /usr/lib/ubuntu-advantage/apt-esm-hook ] || /usr/lib/ubuntu-advantage/apt-esm-hook";
++	"[ ! -f /usr/lib/ubuntu-advantage/apt-esm-hook ] || /usr/lib/ubuntu-advantage/apt-esm-hook post-invoke-stats";
  };
  APT::Install::Post-Invoke-Success {
--	"[ ! -f /usr/lib/ubuntu-advantage/apt-esm-hook ] || /usr/lib/ubuntu-advantage/apt-esm-hook";
++	"[ ! -f /usr/lib/ubuntu-advantage/apt-esm-hook ] || /usr/lib/ubuntu-advantage/apt-esm-hook post-invoke-success";
  };
++
++APT::Install::Pre-Invoke {
++	"[ ! -f /usr/lib/ubuntu-advantage/apt-esm-hook ] || /usr/lib/ubuntu-advantage/apt-esm-hook pre-invoke";
++}
++
++AptCli::Hooks::Upgrade {
++	"[ ! -f /usr/lib/ubuntu-advantage/apt-esm-json-hook ] || /usr/lib/ubuntu-advantage/apt-esm-json-hook";
++}
 diff --git a/apt-hook/Makefile b/apt-hook/Makefile
 index 8eeae10..15c4856 100644
 --- a/apt-hook/Makefile
 +++ b/apt-hook/Makefile
@@ -1,16 +1,23 @@
  all: build
--build: hook ubuntu-advantage.pot
++build: hook ubuntu-advantage.pot json-hook
  ubuntu-advantage.pot: hook.cc
  	xgettext hook.cc -o ubuntu-advantage.pot
  hook: hook.cc
--	$(CXX) -Wall -Wextra -pedantic $(CXXFLAGS) $(CPPFLAGS) $(LDFLAGS) -g -o hook hook.cc -lapt-pkg $(LDLIBS)
++	$(CXX) -Wall -Wextra -pedantic -std=c++11 $(CXXFLAGS) $(CPPFLAGS) $(LDFLAGS) -g -o hook hook.cc -lapt-pkg $(LDLIBS)
--install: hook
++json-hook:
++	cd json-hook-src && GOCACHE=/tmp/ go build json-hook.go
++
++install: hook json-hook
  	install -D -m 644 20apt-esm-hook.conf $(DESTDIR)/etc/apt/apt.conf.d/20apt-esm-hook.conf
  	install -D -m 755 hook $(DESTDIR)/usr/lib/ubuntu-advantage/apt-esm-hook
++	install -D -m 755 json-hook-src/json-hook $(DESTDIR)/usr/lib/ubuntu-advantage/apt-esm-json-hook
  clean:
--	rm -f hook ubuntu-advantage.pot
++	rm -f hook ubuntu-advantage.pot json-hook-src/json-hook
++
++test:
++	cd json-hook-src && go test
 diff --git a/apt-hook/hook.cc b/apt-hook/hook.cc
 index ed009de..5aed078 100644
 --- a/apt-hook/hook.cc
 +++ b/apt-hook/hook.cc
@@ -23,20 +23,50 @@
  #include <apt-pkg/policy.h>
  #include <apt-pkg/strutl.h>
++#include <algorithm>
  #include <fstream>
++#include <iostream>
  #include <sstream>
  #include <string>
++#include <vector>
  #include <assert.h>
  #include <sys/stat.h>
  #include <libintl.h>
  #include <locale.h>
++#define MOTD_ESM_SERVICE_STATUS_MESSAGE_STATIC_PATH      "/var/lib/ubuntu-advantage/messages/motd-esm-service-status"
++#define MOTD_APPS_NO_PKGS_TEMPLATE_PATH                  "/var/lib/ubuntu-advantage/messages/motd-no-packages-apps.tmpl"
++#define MOTD_INFRA_NO_PKGS_TEMPLATE_PATH                 "/var/lib/ubuntu-advantage/messages/motd-no-packages-infra.tmpl"
++#define MOTD_APPS_PKGS_TEMPLATE_PATH                     "/var/lib/ubuntu-advantage/messages/motd-packages-apps.tmpl"
++#define MOTD_INFRA_PKGS_TEMPLATE_PATH                    "/var/lib/ubuntu-advantage/messages/motd-packages-infra.tmpl"
++#define MOTD_APPS_PKGS_STATIC_PATH                       "/var/lib/ubuntu-advantage/messages/motd-packages-apps"
++#define MOTD_INFRA_PKGS_STATIC_PATH                      "/var/lib/ubuntu-advantage/messages/motd-packages-infra"
++#define APT_PRE_INVOKE_APPS_NO_PKGS_TEMPLATE_PATH        "/var/lib/ubuntu-advantage/messages/apt-pre-invoke-no-packages-apps.tmpl"
++#define APT_PRE_INVOKE_INFRA_NO_PKGS_TEMPLATE_PATH       "/var/lib/ubuntu-advantage/messages/apt-pre-invoke-no-packages-infra.tmpl"
++#define APT_PRE_INVOKE_APPS_PKGS_TEMPLATE_PATH           "/var/lib/ubuntu-advantage/messages/apt-pre-invoke-packages-apps.tmpl"
++#define APT_PRE_INVOKE_APPS_PKGS_STATIC_PATH             "/var/lib/ubuntu-advantage/messages/apt-pre-invoke-packages-apps"
++#define APT_PRE_INVOKE_INFRA_PKGS_TEMPLATE_PATH          "/var/lib/ubuntu-advantage/messages/apt-pre-invoke-packages-infra.tmpl"
++#define APT_PRE_INVOKE_INFRA_PKGS_STATIC_PATH            "/var/lib/ubuntu-advantage/messages/apt-pre-invoke-packages-infra"
++#define APT_PRE_INVOKE_MESSAGE_STATIC_PATH               "/var/lib/ubuntu-advantage/messages/apt-pre-invoke-esm-service-status"
++#define UBUNTU_NO_WARRANTY_STATIC_PATH                   "/var/lib/ubuntu-advantage/messages/ubuntu-no-warranty"
++
++
++#define ESM_APPS_PKGS_COUNT_TEMPLATE_VAR "{ESM_APPS_PKG_COUNT}"
++#define ESM_APPS_PACKAGES_TEMPLATE_VAR "{ESM_APPS_PACKAGES}"
++#define ESM_INFRA_PKGS_COUNT_TEMPLATE_VAR "{ESM_INFRA_PKG_COUNT}"
++#define ESM_INFRA_PACKAGES_TEMPLATE_VAR "{ESM_INFRA_PACKAGES}"
++
++enum Subcommand { PreInvoke, PostInvokeStats, PostInvokeSuccess, ProcessTemplates };
++
  struct result {
     int enabled_esms_i;
     int disabled_esms_i;
++   std::vector<std::string> esm_i_packages;
++
     int enabled_esms_a;
     int disabled_esms_a;
++   std::vector<std::string> esm_a_packages;
  };
  // Return parent pid of specified pid, using /proc (pid might be self)
@@ -56,7 +86,7 @@ static std::string getppid_of(std::string pid)
        getline(stream, line);
        if (line.find("PPid:") != 0)
--	 continue;
++         continue;
        // Erase everything before a number
        line.erase(0, line.find_first_of("0123456789"));
@@ -121,28 +151,38 @@ static void check_esm_upgrade(pkgCache::PkgIterator pkg, pkgPolicy *policy, resu
+    {
        for (pkgCache::VerFileIterator pf = ver.FileList(); !pf.end(); pf++)
+       {
--	 // TODO: Just look at the origin, not pinning.
--	 if (pf.File().Archive() != 0 && pf.File().Origin() == std::string("UbuntuESM"))
--	 {
--            // Xenial and later should not be advertising unauthenticated ESM Infra apt repos
--	    if (policy->GetPriority(pf.File()) == -32768)
--	       res.disabled_esms_i++;
--	    else
--	       res.enabled_esms_i++;
--
--	    return;
--	 }
--
--	 if (pf.File().Archive() != 0 && pf.File().Origin() == std::string("UbuntuESMApps"))
--	 {
--            // Xenial and later should not be advertising unauthenticated ESM Apps apt repos
--	    if (policy->GetPriority(pf.File()) == -32768)
--	       res.disabled_esms_a++;
--	    else
--	       res.enabled_esms_a++;
--
--	    return;
--	 }
++         if (pf.File().Archive() != 0 && pf.File().Origin() == std::string("UbuntuESM"))
++         {
++            if (std::find(res.esm_i_packages.begin(), res.esm_i_packages.end(), pkg.Name()) == res.esm_i_packages.end()) {
++                res.esm_i_packages.push_back(pkg.Name());
++
++                // Pin-Priority: never unauthenticated APT repos == -32768
++                if (policy->GetPriority(pf.File()) == -32768)
++                {
++                   res.disabled_esms_i++;
++                }
++                else
++                {
++                   res.enabled_esms_i++;
++                }
++            }
++         }
++         if (pf.File().Archive() != 0 && pf.File().Origin() == std::string("UbuntuESMApps"))
++         {
++            if (std::find(res.esm_a_packages.begin(), res.esm_a_packages.end(), pkg.Name()) == res.esm_a_packages.end()) {
++                res.esm_a_packages.push_back(pkg.Name());
++
++                // Pin-Priority: never unauthenticated APT repos == -32768
++                if (policy->GetPriority(pf.File()) == -32768)
++                {
++                   res.disabled_esms_a++;
++                }
++                else
++                {
++                   res.enabled_esms_a++;
++                }
++            }
++         }
+       }
+    }
+ }
@@ -172,6 +212,155 @@ static int get_update_count(result &res)
     return count;
+ }
++
++static void process_template_file(
++   std::string template_file_name,
++   std::string static_file_name,
++   std::string esm_a_pkgs_count,
++   std::string esm_a_pkgs,
++   std::string esm_i_pkgs_count,
++   std::string esm_i_pkgs
++) {
++   std::ifstream message_tmpl_file(template_file_name.c_str());
++   if (message_tmpl_file.is_open()) {
++      // This line loads the whole file contents into a string
++      std::string message_tmpl((std::istreambuf_iterator<char>(message_tmpl_file)), (std::istreambuf_iterator<char>()));
++
++      message_tmpl_file.close();
++
++      // Process all template variables
++      std::array<std::string, 4> tmpl_var_names = {
++         ESM_APPS_PKGS_COUNT_TEMPLATE_VAR,
++         ESM_APPS_PACKAGES_TEMPLATE_VAR,
++         ESM_INFRA_PKGS_COUNT_TEMPLATE_VAR,
++         ESM_INFRA_PACKAGES_TEMPLATE_VAR
++      };
++      std::array<std::string, 4> tmpl_var_vals = {
++         esm_a_pkgs_count,
++         esm_a_pkgs,
++         esm_i_pkgs_count,
++         esm_i_pkgs
++      };
++      for (uint i = 0; i < tmpl_var_names.size(); i++) {
++         size_t pos = message_tmpl.find(tmpl_var_names[i]);
++         if (pos != std::string::npos) {
++            message_tmpl.replace(pos, tmpl_var_names[i].size(), tmpl_var_vals[i]);
++         }
++      }
++
++      std::ofstream message_static_file(static_file_name.c_str());
++      if (message_static_file.is_open()) {
++         message_static_file << message_tmpl;
++         message_static_file.close();
++      }
++   } else {
++      remove(static_file_name.c_str());
++   }
++}
++
++static void process_all_templates(
++   int esm_a_pkgs_count,
++   std::string esm_a_pkgs,
++   int esm_i_pkgs_count,
++   std::string esm_i_pkgs
++) {
++   int bytes_written;
++   std::array<std::string, 4> static_file_names = {
++      APT_PRE_INVOKE_APPS_PKGS_STATIC_PATH,
++      MOTD_APPS_PKGS_STATIC_PATH,
++      APT_PRE_INVOKE_INFRA_PKGS_STATIC_PATH,
++      MOTD_INFRA_PKGS_STATIC_PATH,
++   };
++   std::array<std::string, 3> apt_static_files = {
++      APT_PRE_INVOKE_APPS_PKGS_STATIC_PATH,
++      APT_PRE_INVOKE_INFRA_PKGS_STATIC_PATH,
++      UBUNTU_NO_WARRANTY_STATIC_PATH
++   };
++   std::array<std::string, 3> motd_static_files = {
++      MOTD_APPS_PKGS_STATIC_PATH,
++      MOTD_INFRA_PKGS_STATIC_PATH,
++      UBUNTU_NO_WARRANTY_STATIC_PATH
++   };
++
++   std::vector<std::string> template_file_names;
++   if (esm_a_pkgs_count > 0) {
++      template_file_names.push_back(APT_PRE_INVOKE_APPS_PKGS_TEMPLATE_PATH);
++      template_file_names.push_back(MOTD_APPS_PKGS_TEMPLATE_PATH);
++   } else {
++      template_file_names.push_back(APT_PRE_INVOKE_APPS_NO_PKGS_TEMPLATE_PATH);
++      template_file_names.push_back(MOTD_APPS_NO_PKGS_TEMPLATE_PATH);
++   }
++   if (esm_i_pkgs_count > 0) {
++      template_file_names.push_back(APT_PRE_INVOKE_INFRA_PKGS_TEMPLATE_PATH);
++      template_file_names.push_back(MOTD_INFRA_PKGS_TEMPLATE_PATH);
++   } else {
++      template_file_names.push_back(APT_PRE_INVOKE_INFRA_NO_PKGS_TEMPLATE_PATH);
++      template_file_names.push_back(MOTD_INFRA_NO_PKGS_TEMPLATE_PATH);
++   }
++   for (uint i = 0; i < template_file_names.size(); i++) {
++      process_template_file(
++         template_file_names[i],
++         static_file_names[i],
++         std::to_string(esm_a_pkgs_count),
++         esm_a_pkgs,
++         std::to_string(esm_i_pkgs_count),
++         esm_i_pkgs
++      );
++   }
++
++   std::ofstream apt_pre_invoke_msg;
++   apt_pre_invoke_msg.open(APT_PRE_INVOKE_MESSAGE_STATIC_PATH);
++   for (uint i = 0; i < apt_static_files.size(); i++) {
++       std::ifstream message_file(apt_static_files[i]);
++       if (message_file.is_open()) {
++           apt_pre_invoke_msg << std::endl;
++           apt_pre_invoke_msg << message_file.rdbuf();
++           message_file.close();
++       };
++   }
++   bytes_written = apt_pre_invoke_msg.tellp();
++   if (bytes_written > 0) {
++       // Then we wrote some content add trailing newline
++       apt_pre_invoke_msg << std::endl;
++   }
++   apt_pre_invoke_msg.close();
++   if (bytes_written == 0) {
++       // We added nothing. Remove the file
++       remove(APT_PRE_INVOKE_MESSAGE_STATIC_PATH);
++   }
++
++   std::ofstream motd_msg;
++   motd_msg.open(MOTD_ESM_SERVICE_STATUS_MESSAGE_STATIC_PATH);
++   for (uint i = 0; i < motd_static_files.size(); i++) {
++       std::ifstream message_file(motd_static_files[i]);
++       if (message_file.is_open()) {
++           if ( i > 0 ) {
++               motd_msg << std::endl;
++           }
++           motd_msg << message_file.rdbuf();
++           message_file.close();
++       };
++   }
++   bytes_written = motd_msg.tellp();
++   if (bytes_written > 0) {
++       // Then we wrote some content add trailing newline
++       motd_msg << std::endl;
++   }
++   motd_msg.close();
++   if (bytes_written == 0) {
++       // We added nothing. Remove the file
++       remove(MOTD_ESM_SERVICE_STATUS_MESSAGE_STATIC_PATH);
++   }
++}
++
++static void output_file_if_present(std::string file_name) {
++   std::ifstream message_file(file_name);
++   if (message_file.is_open()) {
++      std::cout << message_file.rdbuf();
++      message_file.close();
++   }
++}
++
  // Preserves \0 bytes in a string literal
  template<std::size_t n>
  std::string make_cmdline(const char (&s)[n])
@@ -191,6 +380,9 @@ bool has_arg(char **argv, const char *arg)
  int main(int argc, char *argv[])
+ {
     (void) argc;   // unused
++   Subcommand subcommand = ProcessTemplates;
++   bool test_run = false;
++
     setlocale(LC_ALL, "");
     textdomain("ubuntu-advantage");
     // Self testing
@@ -206,69 +398,67 @@ int main(int argc, char *argv[])
     assert(cmdline_eligible(make_cmdline("aptitude\0update\0")));
     command_used = "";
--   result res = {0, 0, 0, 0};
++   if (has_arg(argv, "test")) {
++      // useful for testing
++      test_run = true;
++      command_used = "upgrade";
++   }
++   if (has_arg(argv, "pre-invoke")) {
++      subcommand = PreInvoke;
++   } else if (has_arg(argv, "post-invoke-stats")) {
++      subcommand = PostInvokeStats;
++   } else if (has_arg(argv, "post-invoke-success")) {
++      subcommand = PostInvokeSuccess;
++   } else if (has_arg(argv, "process-templates")) {
++      subcommand = ProcessTemplates;
++   }
--   // useful for testing
--   if (has_arg(argv, "test"))
--      command_used = "update";
++   if (!test_run && subcommand != ProcessTemplates && !cmdline_eligible(getcmdline(getppid_of(getppid_of("self"))))) {
++      // Only run on valid apt commands, or when being used to process templates
++      return 0;
++   }
--   if (has_arg(argv, "test") || cmdline_eligible(getcmdline(getppid_of(getppid_of("self")))))
--      get_update_count(res);
++   // Iterate over apt cache looking for esm packages
++   result res = {0, 0, std::vector<std::string>(), 0, 0, std::vector<std::string>()};
++   get_update_count(res);
     if (_error->PendingError())
+    {
        _error->DumpErrors();
        return 1;
+    }
--   if (command_used == "update")
--   {
--      if (res.enabled_esms_i > 0)
--      {
--         ioprintf(std::cout,
--                  ngettext("%d of the updates is from UA Infra: ESM.",
--                           "%d of the updates are from UA Infra: ESM.",
--                           res.enabled_esms_i),
--                  res.enabled_esms_i);
--         ioprintf(std::cout, "\n");
--      }
--      if (res.enabled_esms_a > 0)
--      {
--         ioprintf(std::cout,
--                  ngettext("%d of the updates is from UA Apps: ESM.",
--                           "%d of the updates are from UA Apps: ESM.",
--                           res.enabled_esms_a),
--                  res.enabled_esms_a);
--         ioprintf(std::cout, "\n");
++   // Compute all strings necessary to fill in templates
++   std::string space_separated_esm_i_packages = "";
++   if (res.esm_i_packages.size() > 0) {
++      for (uint i = 0; i < res.esm_i_packages.size() - 1; i++) {
++         space_separated_esm_i_packages.append(res.esm_i_packages[i]);
++         space_separated_esm_i_packages.append(" ");
+       }
++      space_separated_esm_i_packages.append(res.esm_i_packages[res.esm_i_packages.size() - 1]);
+    }
--
--   if (res.disabled_esms_i > 0 || res.disabled_esms_a > 0)
--   {
--      if (command_used != "update")
--         std::cout << std::endl;
--      if (res.disabled_esms_i > 0)
--      {
--         ioprintf(std::cout,
--                  ngettext("%d additional update is available with UA Infra: ESM.",
--                           "%d additional updates are available with UA Infra: ESM.",
--                           res.disabled_esms_i),
--                  res.disabled_esms_i);
--         ioprintf(std::cout, "\n");
++   std::string space_separated_esm_a_packages = "";
++   if (res.esm_a_packages.size() > 0) {
++      for (uint i = 0; i < res.esm_a_packages.size() - 1; i++) {
++         space_separated_esm_a_packages.append(res.esm_a_packages[i]);
++         space_separated_esm_a_packages.append(" ");
+       }
--      if (res.disabled_esms_a > 0)
--      {
--         ioprintf(std::cout,
--                  ngettext("%d additional update is available with UA Apps: ESM.",
--                           "%d additional updates are available with UA Apps ESM.",
--                           res.disabled_esms_a),
--                  res.disabled_esms_a);
--         ioprintf(std::cout, "\n");
++      space_separated_esm_a_packages.append(res.esm_a_packages[res.esm_a_packages.size() - 1]);
++   }
++   std::string esm_i_packages_count = std::to_string(res.esm_i_packages.size());
++   std::string esm_a_packages_count = std::to_string(res.esm_a_packages.size());
++
++   process_all_templates(
++      res.esm_a_packages.size(),
++      space_separated_esm_a_packages,
++      res.esm_i_packages.size(),
++      space_separated_esm_i_packages
++   );
++
++   // Execute specified subcommand
++   if (subcommand == PreInvoke) {
++      if (command_used == "upgrade" || command_used == "dist-upgrade") {
++         output_file_if_present(APT_PRE_INVOKE_MESSAGE_STATIC_PATH);
+       }
--
--      ioprintf(std::cout, gettext("To see these additional updates run: apt list --upgradable"));
--      ioprintf(std::cout, "\n");
--      ioprintf(std::cout, gettext("See https://ubuntu.com/advantage or run: sudo ua status"));
--      ioprintf(std::cout, "\n");
+    }
     return 0;
 diff --git a/apt-hook/json-hook-src/go.mod b/apt-hook/json-hook-src/go.mod
 new file mode 100644
 index 0000000..66726af
 --- /dev/null
 +++ b/apt-hook/json-hook-src/go.mod
@@ -0,0 +1,3 @@
++module json-hook
++
++go 1.2
 diff --git a/apt-hook/json-hook-src/json-hook.go b/apt-hook/json-hook-src/json-hook.go
 new file mode 100644
 index 0000000..0f2e3eb
 --- /dev/null
 +++ b/apt-hook/json-hook-src/json-hook.go
@@ -0,0 +1,253 @@
++package main
++
++import (
++	"bufio"
++	"encoding/json"
++	"fmt"
++	"io"
++	"net"
++	"os"
++	"strconv"
++)
++
++type jsonRPCPackageVersion struct {
++	Id           int    `json:"id"`
++	Version      string `json:"version"`
++	Architecture string `json:"architecture"`
++	Pin          int    `json:"pin"`
++	Origins      []struct {
++		Archive  string `json:"archive"`
++		Codename string `json:"codename"`
++		Version  string `json:"version"`
++		Origin   string `json:"origin"`
++		Label    string `json:"label"`
++		Site     string `json:"site"`
++	} `json:"origins"`
++}
++type jsonRPC struct {
++	JsonRPC string `json:"jsonrpc"`
++	Method  string `json:"method"`
++	Params  struct {
++		Command         string   `json:"command"`
++		UnknownPackages []string `json:"unknown-packages"`
++		Packages        []struct {
++			Id           int    `json:"id"`
++			Name         string `json:"name"`
++			Architecture string `json:"architecture"`
++			Mode         string `json:"mode"`
++			Automatic    bool   `json:"automatic"`
++			Versions     struct {
++				Candidate jsonRPCPackageVersion `json:"candidate"`
++				Install   jsonRPCPackageVersion `json:"install"`
++				Current   jsonRPCPackageVersion `json:"current"`
++			} `json:"versions"`
++		} `json:"packages"`
++	} `json:"params"`
++}
++
++func createUpdateMessage(standardSecurityCount int, esmInfraCount int, esmAppsCount int) string {
++	displayStandard := true
++	displayEsmInfra := true
++	displayEsmApps := true
++	if standardSecurityCount == 0 {
++		displayStandard = false
++	}
++	if esmInfraCount == 0 {
++		displayEsmInfra = false
++	}
++	if esmAppsCount == 0 {
++		displayEsmApps = false
++	}
++
++	if !displayStandard && !displayEsmInfra && !displayEsmApps {
++		return ""
++	}
++
++	esmInfraFirst := false
++	esmAppsFirst := false
++	if !displayStandard && displayEsmInfra {
++		esmInfraFirst = true
++	} else if !displayStandard && !displayEsmInfra && displayEsmApps {
++		esmAppsFirst = true
++	}
++
++	standardUpdates := ""
++	esmInfraUpdates := ""
++	esmAppsUpdates := ""
++	if displayStandard {
++		standardUpdates = fmt.Sprintf("%d standard security ", standardSecurityCount)
++		if standardSecurityCount > 1 {
++			standardUpdates += "updates"
++		} else {
++			standardUpdates += "update"
++		}
++		if displayEsmInfra && displayEsmApps {
++			standardUpdates += ","
++		}
++		if displayEsmInfra || displayEsmApps {
++			standardUpdates += " "
++		}
++		if (displayEsmInfra && !displayEsmApps) || (!displayEsmInfra && displayEsmApps) {
++			standardUpdates += "and "
++		}
++	}
++	if displayEsmInfra {
++		esmInfraUpdates = fmt.Sprintf("%d esm-infra ", esmInfraCount)
++		if esmInfraFirst {
++			esmInfraUpdates += "security "
++		}
++		if esmInfraCount > 1 {
++			esmInfraUpdates += "updates"
++		} else {
++			esmInfraUpdates += "update"
++		}
++		if displayEsmApps {
++			esmInfraUpdates += " and "
++		}
++	}
++	if displayEsmApps {
++		esmAppsUpdates = fmt.Sprintf("%d esm-apps ", esmAppsCount)
++		if esmAppsFirst {
++			esmAppsUpdates += "security "
++		}
++		if esmAppsCount > 1 {
++			esmAppsUpdates += "updates"
++		} else {
++			esmAppsUpdates += "update"
++		}
++	}
++
++	return standardUpdates + esmInfraUpdates + esmAppsUpdates
++}
++
++func fromOriginAndArchive(pkgVersion jsonRPCPackageVersion, origin string, archive string) bool {
++	for _, pkgOrigin := range pkgVersion.Origins {
++		if pkgOrigin.Origin == origin && pkgOrigin.Archive == archive {
++			return true
++		}
++	}
++	return false
++}
++
++func distroFromPackageOrigin(rpc *jsonRPC) string {
++	for _, pkg := range rpc.Params.Packages {
++		for _, origin := range pkg.Versions.Candidate.Origins {
++			if origin.Codename != "" {
++				return origin.Codename
++			}
++		}
++	}
++	return ""
++}
++
++func countSecurityUpdates(rpc *jsonRPC) (int, int, int) {
++	esmAppsCount := 0
++	esmInfraCount := 0
++	standardSecurityCount := 0
++	distro := distroFromPackageOrigin(rpc)
++	for _, pkg := range rpc.Params.Packages {
++		if pkg.Mode == "upgrade" {
++			if fromOriginAndArchive(pkg.Versions.Install, "UbuntuESMApps", fmt.Sprintf("%s-apps-security", distro)) {
++				esmAppsCount++
++			} else if fromOriginAndArchive(pkg.Versions.Install, "UbuntuESM", fmt.Sprintf("%s-infra-security", distro)) {
++				esmInfraCount++
++			} else if fromOriginAndArchive(pkg.Versions.Install, "Ubuntu", fmt.Sprintf("%s-security", distro)) {
++				standardSecurityCount++
++			}
++		}
++	}
++	return standardSecurityCount, esmInfraCount, esmAppsCount
++}
++
++// readRpc reads a apt json rpc protocol 0.2 message as described in
++// https://salsa.debian.org/apt-team/apt/blob/main/doc/json-hooks-protocol.md#wire-protocol
++func readRpc(r *bufio.Reader) (*jsonRPC, error) {
++	line, err := r.ReadBytes('\n')
++	if err != nil && err != io.EOF {
++		return nil, fmt.Errorf("cannot read json-rpc: %v", err)
++	}
++
++	var rpc jsonRPC
++	if err := json.Unmarshal(line, &rpc); err != nil {
++		return nil, err
++	}
++	// empty \n
++	emptyNL, _, err := r.ReadLine()
++	if err != nil {
++		return nil, err
++	}
++	if string(emptyNL) != "" {
++		return nil, fmt.Errorf("unexpected line: %q (empty)", emptyNL)
++	}
++
++	return &rpc, nil
++}
++
++func printEsmUpgrades() error {
++	sockFd := os.Getenv("APT_HOOK_SOCKET")
++	if sockFd == "" {
++		return fmt.Errorf("cannot find APT_HOOK_SOCKET env")
++	}
++
++	fd, err := strconv.Atoi(sockFd)
++	if err != nil {
++		return fmt.Errorf("expected APT_HOOK_SOCKET to be a decimal integer, found %q", sockFd)
++	}
++
++	f := os.NewFile(uintptr(fd), "apt-hook-socket")
++	if f == nil {
++		return fmt.Errorf("cannot open file descriptor %v", fd)
++	}
++	defer f.Close()
++
++	conn, err := net.FileConn(f)
++	if err != nil {
++		return fmt.Errorf("cannot connect to %v: %v", fd, err)
++	}
++	defer conn.Close()
++
++	r := bufio.NewReader(conn)
++
++	// handshake
++	rpc, err := readRpc(r)
++	if err != nil {
++		return err
++	}
++	if rpc.Method != "org.debian.apt.hooks.hello" {
++		return fmt.Errorf("expected 'hello' method, got: %v", rpc.Method)
++	}
++	if _, err := conn.Write([]byte(`{"jsonrpc":"2.0","id":0,"result":{"version":"0.2"}}` + "\n\n")); err != nil {
++		return err
++	}
++
++	// payload
++	rpc, err = readRpc(r)
++	if err != nil {
++		return err
++	}
++	if rpc.Method == "org.debian.apt.hooks.install.statistics" {
++		standardSecurityCount, esmInfraCount, esmAppsCount := countSecurityUpdates(rpc)
++		msg := createUpdateMessage(standardSecurityCount, esmInfraCount, esmAppsCount)
++		if msg != "" {
++			fmt.Println(msg)
++		}
++	}
++
++	// bye
++	rpc, err = readRpc(r)
++	if err != nil {
++		return err
++	}
++	if rpc.Method != "org.debian.apt.hooks.bye" {
++		return fmt.Errorf("expected 'bye' method, got: %v", rpc.Method)
++	}
++
++	return nil
++}
++
++func main() {
++	err := printEsmUpgrades()
++	if err != nil {
++		println(err.Error())
++	}
++}
 diff --git a/apt-hook/json-hook-src/json-hook_test.go b/apt-hook/json-hook-src/json-hook_test.go
 new file mode 100644
 index 0000000..cfc1788
 --- /dev/null
 +++ b/apt-hook/json-hook-src/json-hook_test.go
@@ -0,0 +1,410 @@
++package main
++
++import (
++	"encoding/json"
++	"fmt"
++	"testing"
++)
++
++func TestCreateUpdateMessages(t *testing.T) {
++	type params struct {
++		standardSecurityCount int
++		esmInfraCount         int
++		esmAppsCount          int
++		expectedMessage       string
++	}
++	testParamsList := []params{
++		params{0, 0, 0, ""},
++		params{0, 0, 1, "1 esm-apps security update"},
++		params{0, 0, 2, "2 esm-apps security updates"},
++		params{0, 1, 0, "1 esm-infra security update"},
++		params{0, 1, 1, "1 esm-infra security update and 1 esm-apps update"},
++		params{0, 1, 2, "1 esm-infra security update and 2 esm-apps updates"},
++		params{0, 2, 0, "2 esm-infra security updates"},
++		params{0, 2, 1, "2 esm-infra security updates and 1 esm-apps update"},
++		params{0, 2, 2, "2 esm-infra security updates and 2 esm-apps updates"},
++		params{1, 0, 0, "1 standard security update"},
++		params{1, 0, 1, "1 standard security update and 1 esm-apps update"},
++		params{1, 0, 2, "1 standard security update and 2 esm-apps updates"},
++		params{1, 1, 0, "1 standard security update and 1 esm-infra update"},
++		params{1, 1, 1, "1 standard security update, 1 esm-infra update and 1 esm-apps update"},
++		params{1, 1, 2, "1 standard security update, 1 esm-infra update and 2 esm-apps updates"},
++		params{1, 2, 0, "1 standard security update and 2 esm-infra updates"},
++		params{1, 2, 1, "1 standard security update, 2 esm-infra updates and 1 esm-apps update"},
++		params{1, 2, 2, "1 standard security update, 2 esm-infra updates and 2 esm-apps updates"},
++		params{2, 0, 0, "2 standard security updates"},
++		params{2, 0, 1, "2 standard security updates and 1 esm-apps update"},
++		params{2, 0, 2, "2 standard security updates and 2 esm-apps updates"},
++		params{2, 1, 0, "2 standard security updates and 1 esm-infra update"},
++		params{2, 1, 1, "2 standard security updates, 1 esm-infra update and 1 esm-apps update"},
++		params{2, 1, 2, "2 standard security updates, 1 esm-infra update and 2 esm-apps updates"},
++		params{2, 2, 0, "2 standard security updates and 2 esm-infra updates"},
++		params{2, 2, 1, "2 standard security updates, 2 esm-infra updates and 1 esm-apps update"},
++		params{2, 2, 2, "2 standard security updates, 2 esm-infra updates and 2 esm-apps updates"},
++	}
++
++	for i, testParams := range testParamsList {
++		t.Run(fmt.Sprintf("Case %d", i), func(t *testing.T) {
++			actual := createUpdateMessage(testParams.standardSecurityCount, testParams.esmInfraCount, testParams.esmAppsCount)
++			if actual != testParams.expectedMessage {
++				t.Logf("expected: \"%s\", got: \"%s\"", testParams.expectedMessage, actual)
++				t.Fail()
++			}
++		})
++	}
++}
++
++func TestCountSecurityUpdates(t *testing.T) {
++	type params struct {
++		rpc                           string
++		expectedStandardSecurityCount int
++		expectedEsmInfraCount         int
++		expectedEsmAppsCount          int
++	}
++	testParamsList := []params{
++		params{mockJson, 1, 2, 3},
++	}
++
++	for i, testParams := range testParamsList {
++		t.Run(fmt.Sprintf("Case %d", i), func(t *testing.T) {
++			rpc := &jsonRPC{}
++			if err := json.Unmarshal([]byte(mockJson), rpc); err != nil {
++				t.Error(err)
++			}
++
++			actualStandard, actualInfra, actualApps := countSecurityUpdates(rpc)
++			if actualStandard != testParams.expectedStandardSecurityCount {
++				t.Logf("expected: %d, got: %d", testParams.expectedStandardSecurityCount, actualStandard)
++				t.Fail()
++			}
++			if actualInfra != testParams.expectedEsmInfraCount {
++				t.Logf("expected: %d, got: %d", testParams.expectedEsmInfraCount, actualInfra)
++				t.Fail()
++			}
++			if actualApps != testParams.expectedEsmAppsCount {
++				t.Logf("expected: %d, got: %d", testParams.expectedEsmAppsCount, actualApps)
++				t.Fail()
++			}
++		})
++	}
++}
++
++const mockJson = `
++{
++    "jsonrpc": "2.0",
++    "method": "org.debian.apt.hooks.install.statistics",
++    "params": {
++        "command": "install",
++        "search-terms": [
++            "~U"
++        ],
++        "unknown-packages": [],
++        "packages": [
++            {
++                "id": 418,
++                "name": "base-files",
++                "architecture": "amd64",
++                "mode": "upgrade",
++                "automatic": true,
++                "versions": {
++                    "candidate": {
++                        "id": 86,
++                        "version": "11ubuntu19",
++                        "architecture": "amd64",
++                        "pin": 500,
++                        "origins": [
++                            {
++                                "archive": "hirsute-apps-security",
++                                "codename": "hirsute",
++                                "version": "21.04",
++                                "origin": "UbuntuESMApps",
++                                "label": "Ubuntu",
++                                "site": ""
++                            }
++                        ]
++                    },
++                    "install": {
++                        "id": 86,
++                        "version": "11ubuntu19",
++                        "architecture": "amd64",
++                        "pin": 500,
++                        "origins": [
++                            {
++                                "archive": "hirsute-apps-security",
++                                "codename": "hirsute",
++                                "version": "21.04",
++                                "origin": "UbuntuESMApps",
++                                "label": "Ubuntu",
++                                "site": ""
++                            }
++                        ]
++                    },
++                    "current": {
++                        "id": 95463,
++                        "version": "11ubuntu18",
++                        "architecture": "amd64",
++                        "pin": 100,
++                        "origins": []
++                    }
++                }
++            },
++            {
++                "id": 1085,
++                "name": "elfutils",
++                "architecture": "amd64",
++                "mode": "upgrade",
++                "automatic": true,
++                "versions": {
++                    "candidate": {
++                        "id": 371,
++                        "version": "0.183-8",
++                        "architecture": "amd64",
++                        "pin": 500,
++                        "origins": [
++                            {
++                                "archive": "hirsute-apps-security",
++                                "codename": "hirsute",
++                                "version": "21.04",
++                                "origin": "UbuntuESMApps",
++                                "label": "Ubuntu",
++                                "site": ""
++                            }
++                        ]
++                    },
++                    "install": {
++                        "id": 371,
++                        "version": "0.183-8",
++                        "architecture": "amd64",
++                        "pin": 500,
++                        "origins": [
++                            {
++                                "archive": "hirsute-apps-security",
++                                "codename": "hirsute",
++                                "version": "21.04",
++                                "origin": "UbuntuESMApps",
++                                "label": "Ubuntu",
++                                "site": ""
++                            }
++                        ]
++                    },
++                    "current": {
++                        "id": 95472,
++                        "version": "0.183-6",
++                        "architecture": "amd64",
++                        "pin": 100,
++                        "origins": []
++                    }
++                }
++            },
++            {
++                "id": 24709,
++                "name": "fdroidserver",
++                "architecture": "amd64",
++                "mode": "upgrade",
++                "automatic": false,
++                "versions": {
++                    "candidate": {
++                        "id": 14186,
++                        "version": "2.0-1",
++                        "architecture": "all",
++                        "pin": 500,
++                        "origins": [
++                            {
++                                "archive": "hirsute-infra-security",
++                                "codename": "hirsute",
++                                "version": "21.04",
++                                "origin": "UbuntuESM",
++                                "label": "Ubuntu",
++                                "site": ""
++                            },
++                            {
++                                "archive": "hirsute",
++                                "codename": "hirsute",
++                                "version": "21.04",
++                                "origin": "Ubuntu",
++                                "label": "Ubuntu",
++                                "site": ""
++                            }
++                        ]
++                    },
++                    "install": {
++                        "id": 14186,
++                        "version": "2.0-1",
++                        "architecture": "all",
++                        "pin": 500,
++                        "origins": [
++                            {
++                                "archive": "hirsute-infra-security",
++                                "codename": "hirsute",
++                                "version": "21.04",
++                                "origin": "UbuntuESM",
++                                "label": "Ubuntu",
++                                "site": ""
++                            },
++                            {
++                                "archive": "hirsute",
++                                "codename": "hirsute",
++                                "version": "21.04",
++                                "origin": "Ubuntu",
++                                "label": "Ubuntu",
++                                "site": ""
++                            }
++                        ]
++                    },
++                    "current": {
++                        "id": 95474,
++                        "version": "1.1.9-1",
++                        "architecture": "all",
++                        "pin": 100,
++                        "origins": []
++                    }
++                }
++            },
++            {
++                "id": 238,
++                "name": "gdb",
++                "architecture": "amd64",
++                "mode": "upgrade",
++                "automatic": true,
++                "versions": {
++                    "candidate": {
++                        "id": 705,
++                        "version": "10.1-2ubuntu2",
++                        "architecture": "amd64",
++                        "pin": 500,
++                        "origins": [
++                            {
++                                "archive": "hirsute-infra-security",
++                                "codename": "hirsute",
++                                "version": "21.04",
++                                "origin": "UbuntuESM",
++                                "label": "Ubuntu",
++                                "site": ""
++                            }
++                        ]
++                    },
++                    "install": {
++                        "id": 705,
++                        "version": "10.1-2ubuntu2",
++                        "architecture": "amd64",
++                        "pin": 500,
++                        "origins": [
++                            {
++                                "archive": "hirsute-infra-security",
++                                "codename": "hirsute",
++                                "version": "21.04",
++                                "origin": "UbuntuESM",
++                                "label": "Ubuntu",
++                                "site": ""
++                            }
++                        ]
++                    },
++                    "current": {
++                        "id": 95475,
++                        "version": "10.1-2ubuntu1",
++                        "architecture": "amd64",
++                        "pin": 100,
++                        "origins": []
++                    }
++                }
++            },
++            {
++                "id": 126271,
++                "name": "google-chrome-stable",
++                "architecture": "amd64",
++                "mode": "upgrade",
++                "automatic": true,
++                "versions": {
++                    "candidate": {
++                        "id": 95416,
++                        "version": "90.0.4430.85-1",
++                        "architecture": "amd64",
++                        "pin": 500,
++                        "origins": [
++                            {
++                                "archive": "hirsute-apps-security",
++                                "codename": "hirsute",
++                                "version": "1.0",
++                                "origin": "UbuntuESMApps",
++                                "label": "Google",
++                                "site": "dl.google.com"
++                            }
++                        ]
++                    },
++                    "install": {
++                        "id": 95416,
++                        "version": "90.0.4430.85-1",
++                        "architecture": "amd64",
++                        "pin": 500,
++                        "origins": [
++                            {
++                                "archive": "hirsute-apps-security",
++                                "codename": "hirsute",
++                                "version": "1.0",
++                                "origin": "UbuntuESMApps",
++                                "label": "Google",
++                                "site": "dl.google.com"
++                            }
++                        ]
++                    },
++                    "current": {
++                        "id": 95477,
++                        "version": "90.0.4430.72-1",
++                        "architecture": "amd64",
++                        "pin": 100,
++                        "origins": []
++                    }
++                }
++            },
++            {
++                "id": 1499,
++                "name": "libasm1",
++                "architecture": "amd64",
++                "mode": "upgrade",
++                "automatic": true,
++                "versions": {
++                    "candidate": {
++                        "id": 1763,
++                        "version": "0.183-8",
++                        "architecture": "amd64",
++                        "pin": 500,
++                        "origins": [
++                            {
++                                "archive": "hirsute-security",
++                                "codename": "hirsute",
++                                "version": "21.04",
++                                "origin": "Ubuntu",
++                                "label": "Ubuntu",
++                                "site": ""
++                            }
++                        ]
++                    },
++                    "install": {
++                        "id": 1763,
++                        "version": "0.183-8",
++                        "architecture": "amd64",
++                        "pin": 500,
++                        "origins": [
++                            {
++                                "archive": "hirsute-security",
++                                "codename": "hirsute",
++                                "version": "21.04",
++                                "origin": "Ubuntu",
++                                "label": "Ubuntu",
++                                "site": ""
++                            }
++                        ]
++                    },
++                    "current": {
++                        "id": 95482,
++                        "version": "0.183-6",
++                        "architecture": "amd64",
++                        "pin": 100,
++                        "origins": []
++                    }
++                }
++            }
++        ]
++    }
++}
++`
 diff --git a/debian/changelog b/debian/changelog
 index ee90158..3f0715e 100644
 --- a/debian/changelog
 +++ b/debian/changelog
@@ -1,10 +1,167 @@
++ubuntu-advantage-tools (27.0~21.04.1) hirsute; urgency=medium
++
++  * New upstream release 27.0: (LP: #1926361)
++    - messages: add optional (s) to apt messaging to include
++      singular/plural pkgs
++    - apt-hook: avoid reporting and counting duplicate package
++      names (GH: #1578)
++    - fix: dont say reboot required when unnecessary
++    - test: uncomment additional xenial upgrade tests
++
++ -- Lucas Moura <lucas.moura@canonical.com>  Tue, 27 Apr 2021 15:31:06 -0300
++
++ubuntu-advantage-tools (27.0~21.04.1~beta3) hirsute; urgency=medium
++
++  * New upstream beta3 release:
++    - config: avoid tracebacks on invalid features value in uaclient.conf
++      (GH: #1564)
++    - apt-hook: new json hook for security update counts
++    - Remove redundant messaging from uaclient
++
++ -- Chad Smith <chad.smith@canonical.com>  Fri, 23 Apr 2021 15:28:44 -0600
++
++ubuntu-advantage-tools (27.0~21.04.1~beta2) hirsute; urgency=medium
++
++  * d/control:
++    - add distro-info dependency
++    - add new debianutils dependency
++    - add optional dh-systemd | debhelper (>= 13.3) to fallback on hirsute
++      and later when dh-systemd is not present
++  * d/rules: enable and start ua-messaging.timer on package install
++  * d/postinst:
++    - configure esm on any LTS release avoid beta services
++    - configure esm-infra when is_active_esm and apps on LTS
++    - xenial enable unauthenticated apt source for apps/infra
++  * New upstream release 27.0~beta:
++    - apt-hook:
++      + adapt hook to process separate message templates
++      + esm-apps and esm-infra pkg counts not mutually-exclusive
++      + print static messages on apt upgrade/dist-upgrade (GH: #1546)
++    - config: create settings_overrides on config (GH: #1507)
++    - docs: add entry for uploading new version to ppa
++    - esm:
++      + add pin never when disabling esm-infra/apps on xenial
++      + enable infra when EOL LTS and apps on all LTS (GH: #1558)
++    - fips: add notice when installing over old fips
++    - fix:
++      + add links to ubuntu.com/gcp/aws in messaging when on non-PRO
++      + add notice to reboot operation on ua fix
++      + do not prompt user for beta services (GH: #1544)
++      + notify users if reboot is required  (GH: #1476)
++      + update how the expired token logic works
++      + wrap output greater than 80 chars (GH: #1487)
++    - lib: fix notice handling on reboot script
++    - messages
++      + provide static message files for use in APT and MOTD
++      + update_ua_messages on attach/detach/disable
++    - mypy: add lib/ dir for coverage
++    - status: do not remove notices on non-root call (GH: #1518)
++    - subp: separate % format strings when logging (GH: #1520)
++    - systemd: add ua-messaging.timer to update ua MOTD and APT msgs
++    - update-motd.d: add conditional hooks for motd to source ua messages
++    - util: add is_lts and is_active_esm funtions to support ESM
++    - test
++      + add integration tests asserting esm-apps setup due to postinst
++      + manual test script for xenial upgrade
++      + trusty and xenial infra and apps disabled in pkg install
++    - behave: use unaltered cloud images unsetting UACLIENT_BEHAVE_PPA
++    - jenkins: make lint and style stage run sequentially
++
++ -- Lucas Moura <lucas.moura@canonical.com>  Thu, 22 Apr 2021 14:16:26 -0300
++
++ubuntu-advantage-tools (27.0~21.04.1~beta) hirsute; urgency=medium
++
++  * d/*: prefix all the debhelper conf files with the package name
++  * d/control:
++    - add Rules-Requires-Root: no
++    - bump Standards-Version to 4.5.1
++    - make ubuntu-advantage-pro Architecture: all
++  * d/lintian-overrides:
++    - override maintainer-script-calls-service
++    - package-supports-alternative-init-but-no-init.d-script
++  * d/postinst: move the u-a-pro note to a config script
++  * d/ubuntu-advantage-tools.templates: suggest the use of apt
++  * New upstream release 27.0~beta:
++    - apt: add retry for apt-helper command (GH: #1431)
++    - cli: drop subcommand repeated help output, fix enable & refresh
++      (GH: #1440)
++    - config:
++      + allow parsing yaml delivered from env values
++      + environment variable support for feature overrides (GH: #1395)
++      + create config to add extra params to security url
++    - docs:
++      + add ppas and fix typos
++      + use Ubuntu Pro not Ubuntu PRO
++      + add stop "." punctuation to messages (GH: #1320)
++    - fips: fix FIPS message when disable operation fails
++    - fix:
++      + add basic UASecurityClient to which queries CVE and USNs
++      + add security_url to config
++      + check if service is enabled during ua fix (GH: #1462)
++      + closer representation of cve and usn responses
++      + filter usns by cve details (GH: #1470)
++      + fix regex to be more permissive and strict
++      + get_cve_affected_source_packages_status won't list not-affected
++        (GH: #1467)
++      + handle other package status when running ua fix (GH: #1435)
++      + improve error message for ua fix (GH: #1420)
++      + install pkg fixes when they are on standard pocket (GH: #1401)
++      + move timeout and retries to security client only
++      + only prompt for subscription attach for UA-related pkg updates
++      + parse all related USNS to a given CVE when fixing
++      + parse full API responses for related CVEs and USNs
++      + prefer USN.release_packages binary pkg versions to CVE src ver
++        (GH: #1436)
++      + prompt for new ua token when expired one is used (GH: #1475)
++      + prompt to emit pro suggestion on pro_clouds if unattached (GH: #1386)
++      + prompt to enable service during ua fix (GH: #1455)
++      + provide related CVE URLs instead of USNs (GH: #1456)
++      + raise errors when source_link is null or unexpected format
++      + show packages that were not fixed in the output
++      + update output for released packages in ua fix (GH: #1438)
++      + update message for invalid issue in ua fix (GH: #1433)
++      + use pocket values from USNs (GH: #1439)
++    - logs: emit error response on API errors and redact sensitive logs
++      (GH: #1424)
++    - serviceclient: add 10 second timeout and two retries to API calls
++      (GH: #1374)
++    - util:
++      + add error prompts on invalid selection
++      + add timeout to readurl
++    - tests:
++      + Add disable_auto_attach config to all test PRO vms
++      + add merge_usn_released_binary_package_versions tests
++      + add unittest coverage for override_usn_release_package_status
++      + drop traceback checks on fips integration tests
++      + refactor integration tests for ua fix cmd
++      + run status wait before detach in PRO tests
++      + use ssh to run commands on lxd containers
++    - jenkins: archiveArtifacts can only reference paths within workspace
++
++ -- Lucas Moura <lucas.moura@canonical.com>  Tue, 30 Mar 2021 14:16:03 -0300
++
++ubuntu-advantage-tools (26.3~21.04.1) hirsute; urgency=medium
++
++  * d/control: add new debianutils dependency
++  * New upstream release 26.3
++    - util: improve is_container check for chroot
++    - cli: pass assume_yes param to services on detach (GH: #1530)
++
++ -- Grant Orndorff <grant.orndorff@canonical.com>  Tue, 06 Apr 2021 14:26:20 -0300
++
  ubuntu-advantage-tools (26.2) hirsute; urgency=medium
    * Drop dh-systemd build dependency.
   -- Matthias Klose <doko@ubuntu.com>  Wed, 10 Mar 2021 16:54:12 +0100
--ubuntu-advantage-tools (26.1) hirsute; urgency=medium
++ubuntu-advantage-tools (26.2~21.04.1) hirsute; urgency=medium
++
++  * status: show beta services in status if enabled (GH: #1410)
++
++ -- Lucas Moura <lucas.moura@canonical.com>  Tue, 02 Mar 2021 10:11:53 -0300
++
++ubuntu-advantage-tools (26.1~21.04.1) hirsute; urgency=medium
    *  New upstream release 26.1
       - contract: block detach call to contract if machine-id change
 diff --git a/debian/control b/debian/control
 index 87595b8..cd28a1f 100644
 --- a/debian/control
 +++ b/debian/control
@@ -4,27 +4,33 @@ Priority: important
  Maintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>
  Build-Depends: bash-completion,
                 debhelper (>=9),
++               debianutils,
                 dh-python,
++               dh-systemd | debhelper (>= 13.3),
                 gettext,
                 git,
++               golang,
                 libapt-pkg-dev,
                 po-debconf,
                 python3 (>= 3.4),
++               distro-info,
                 python3-flake8,
                 python3-mock,
                 python3-pytest,
                 python3-setuptools,
                 python3-yaml
--Standards-Version: 4.3.0
++Standards-Version: 4.5.1
  Homepage: https://buy.ubuntu.com
  Vcs-Git: https://github.com/CanonicalLtd/ubuntu-advantage-script.git
  Vcs-Browser: https://github.com/CanonicalLtd/ubuntu-advantage-script
++Rules-Requires-Root: no
  Package: ubuntu-advantage-tools
  Architecture: any
  Depends: ${misc:Depends},
           ${python3:Depends},
           ${shlibs:Depends},
++         distro-info,
           python3-pkg-resources,
           ${extra:Depends},
  Description: management tools for Ubuntu Advantage
@@ -36,7 +42,7 @@ Description: management tools for Ubuntu Advantage
   services in this package.
  Package: ubuntu-advantage-pro
--Architecture: any
++Architecture: all
  Depends: ${misc:Depends}, ubuntu-advantage-tools (>=20.2)
  Replaces: ubuntu-advantage-tools (<<20.2)
  Breaks: ubuntu-advantage-tools (<<20.2)
 diff --git a/debian/lintian-overrides b/debian/lintian-overrides
 new file mode 100644
 index 0000000..0d8ba20
 --- /dev/null
 +++ b/debian/lintian-overrides
@@ -0,0 +1,5 @@
++# False positive
++ubuntu-advantage-tools: maintainer-script-calls-service postinst:*
++
++# Ubuntu doesn't require init.d scripts
++ubuntu-advantage-tools: package-supports-alternative-init-but-no-init.d-script
 diff --git a/debian/po/templates.pot b/debian/po/templates.pot
 index 9dd5145..ffd2763 100644
 --- a/debian/po/templates.pot
 +++ b/debian/po/templates.pot
@@ -8,7 +8,7 @@ msgid ""
  msgstr ""
  "Project-Id-Version: ubuntu-advantage-tools\n"
  "Report-Msgid-Bugs-To: ubuntu-advantage-tools@packages.debian.org\n"
--"POT-Creation-Date: 2020-10-02 15:07-0600\n"
++"POT-Creation-Date: 2021-02-26 16:29+0100\n"
  "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
  "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
  "Language-Team: LANGUAGE <LL@li.org>\n"
@@ -32,5 +32,5 @@ msgstr ""
  #. Type: note
  #. Description
  #: ../ubuntu-advantage-tools.templates:1001
--msgid "sudo apt-get install ubuntu-advantage-pro"
++msgid "sudo apt install ubuntu-advantage-pro"
  msgstr ""
 diff --git a/debian/rules b/debian/rules
 index 888dcde..9bea522 100755
 --- a/debian/rules
 +++ b/debian/rules
@@ -19,8 +19,7 @@ APT_PKG_DEPS="apt (>= 1.8.1), apt-utils (>= 1.8.1), libapt-pkg5.90 (>= 1.8.1)"
  endif
  %:
--	dh $@ --with python3,bash-completion,systemd --buildsystem=pybuild \
--		--no-start
++	dh $@ --with python3,bash-completion,systemd --buildsystem=pybuild
  override_dh_auto_build:
  	dh_auto_build
@@ -42,6 +41,15 @@ override_dh_gencontrol:
  	echo extra:Depends=$(APT_PKG_DEPS) >> debian/ubuntu-advantage-tools.substvars
  	dh_gencontrol
++override_dh_systemd_enable:
++	dh_systemd_enable -pubuntu-advantage-pro ua-auto-attach.service
++	dh_systemd_enable -pubuntu-advantage-tools ua-reboot-cmds.service
++	dh_systemd_enable -pubuntu-advantage-tools ua-messaging.timer
++	dh_systemd_enable -pubuntu-advantage-tools ua-messaging.service
++
++override_dh_systemd_start:
++	dh_systemd_start -pubuntu-advantage-tools ua-messaging.timer
++
  override_dh_auto_install:
  	dh_auto_install --destdir=debian/ubuntu-advantage-tools
  	flist=$$(find $(CURDIR)/debian/ -type f -name version.py) && sed -i 's,@@PACKAGED_VERSION@@,$(DEB_VERSION),' $${flist:-did-not-find-version-py-for-replacement}
 diff --git a/debian/ubuntu-advantage-tools.config b/debian/ubuntu-advantage-tools.config
 new file mode 100644
 index 0000000..92f4ee2
 --- /dev/null
 +++ b/debian/ubuntu-advantage-tools.config
@@ -0,0 +1,14 @@
++#!/bin/sh
++
++set -e
++
++. /usr/share/debconf/confmodule
++
++if dpkg --compare-versions "$PREVIOUS_PKG_VER" lt-nl "20.2~"; then
++    if dpkg --compare-versions "$PREVIOUS_PKG_VER" ge-nl "19.7~"; then
++        # Use debconf to alert the user to the additional
++        # ubuntu-advantage-pro package that should be installed
++        db_input high ubuntu-advantage-tools/suggest_pro_pkg || true
++        db_go || true
++    fi
++fi
 diff --git a/debian/links b/debian/ubuntu-advantage-tools.links
 similarity index 100%
 rename from debian/links
 rename to debian/ubuntu-advantage-tools.links
 diff --git a/debian/manpages b/debian/ubuntu-advantage-tools.manpages
 similarity index 100%
 rename from debian/manpages
 rename to debian/ubuntu-advantage-tools.manpages
 diff --git a/debian/postinst b/debian/ubuntu-advantage-tools.postinst
 similarity index 50%
 rename from debian/postinst
 rename to debian/ubuntu-advantage-tools.postinst
 index 5d942f9..75581e3 100644
 --- a/debian/postinst
 +++ b/debian/ubuntu-advantage-tools.postinst
@@ -4,22 +4,39 @@ set -e
  . /etc/os-release  # For VERSION_ID
++# Since UBUNTU_CODENAME isn't on trusty set it set a default if unknown
++if [ "" = "${UBUNTU_CODENAME}" ]; then
++   case "$VERSION_ID" in
++       14.04) UBUNTU_CODENAME="trusty";;
++       *) UBUNTU_CODENAME="NO-UBUNTU_CODENAME-$VERSION_ID";;
++   esac
++fi
++
++# Needed even if this script doesn't call debconf, see:
++# https://lintian.debian.org/tags/postinst-does-not-load-confmodule.html
++. /usr/share/debconf/confmodule
  APT_TRUSTED_KEY_DIR="/etc/apt/trusted.gpg.d"
  UA_KEYRING_DIR="/usr/share/keyrings/"
  ESM_INFRA_KEY_TRUSTY="ubuntu-advantage-esm-infra-trusty.gpg"
++ESM_APPS_KEY="ubuntu-advantage-esm-apps.gpg"
  APT_SRC_DIR="/etc/apt/sources.list.d"
  APT_PREFERENCES_DIR="/etc/apt/preferences.d"
  ESM_APT_SOURCE_FILE_PRECISE="$APT_SRC_DIR/ubuntu-esm-precise.list"
  ESM_APT_SOURCE_FILE_TRUSTY="$APT_SRC_DIR/ubuntu-esm-trusty.list"
  ESM_INFRA_OLD_APT_SOURCE_FILE_TRUSTY="$APT_SRC_DIR/ubuntu-esm-infra-trusty.list"
--ESM_INFRA_APT_SOURCE_FILE_TRUSTY="$APT_SRC_DIR/ubuntu-esm-infra.list"
++ESM_INFRA_APT_SOURCE_FILE="$APT_SRC_DIR/ubuntu-esm-infra.list"
++ESM_APPS_APT_SOURCE_FILE="$APT_SRC_DIR/ubuntu-esm-apps.list"
++FIPS_APT_SOURCE_FILE="$APT_SRC_DIR/ubuntu-fips.list"
--ESM_APT_PREF_FILE_TRUSTY="/etc/apt/preferences.d/ubuntu-esm-trusty"
--ESM_INFRA_OLD_APT_PREF_FILE_TRUSTY="/etc/apt/preferences.d/ubuntu-esm-infra-trusty"
--ESM_INFRA_APT_PREF_FILE_TRUSTY="/etc/apt/preferences.d/ubuntu-esm-infra"
++OLD_CLIENT_FIPS_PPA="private-ppa.launchpad.net/ubuntu-advantage/fips/ubuntu"
++
++ESM_APT_PREF_FILE_TRUSTY="$APT_PREFERENCES_DIR/ubuntu-esm-trusty"
++ESM_INFRA_OLD_APT_PREF_FILE_TRUSTY="$APT_PREFERENCES_DIR/ubuntu-esm-infra-trusty"
++ESM_INFRA_APT_PREF_FILE="$APT_PREFERENCES_DIR/ubuntu-esm-infra"
++ESM_APPS_APT_PREF_FILE="$APT_PREFERENCES_DIR/ubuntu-esm-apps"
  MYARCH="$(dpkg --print-architecture)"
  ESM_SUPPORTED_ARCHS="i386 amd64"
@@ -68,6 +85,50 @@ print(*ENTITLEMENT_CLASS_BY_NAME.keys(), sep=' ')
+ }
++# Ubuntu LTS release all support-esm
++check_is_lts() {
++    release_name=$1
++    ubuntu-distro-info --supported-esm | grep -q "${release_name}"
++}
++
++
++# Check whether this series is under active ESM
++check_is_active_esm() {
++    release_name=$1
++    # Trusty doesn't support --series param
++    if [ "${release_name}" = "trusty" ]; then
++        return 0
++    else
++        _DAYS_UNTIL_ESM=$(ubuntu-distro-info --series "${release_name}" -yeol)
++        if [ "${_DAYS_UNTIL_ESM}" -lt "1" ]; then
++            return 0
++        fi
++    fi
++    return 1
++}
++
++# Check whether a given service is beta
++check_service_is_beta() {
++    service_name=$1
++    _IS_BETA_SVC=$(python3 -c "
++from uaclient.config import UAConfig
++from uaclient.entitlements import ENTITLEMENT_CLASS_BY_NAME
++ent_cls = ENTITLEMENT_CLASS_BY_NAME.get('${service_name}')
++if ent_cls:
++    cfg = UAConfig()
++    allow_beta = cfg.features.get('allow_beta', False)
++    print(all([ent_cls.is_beta, not allow_beta]))
++else:
++    print(True)
++")
++if [ "${_IS_BETA_SVC}" = "True" ]; then
++    return 0
++else
++    return 1
++fi
++}
++
++
  # Check cached service status from status.json and return 0 if enabled else 1
  check_service_is_enabled() {
      service_name=$1
@@ -92,47 +153,90 @@ if status:
  unconfigure_esm() {
      if ! check_service_is_enabled esm-infra; then
--        rm -f $APT_TRUSTED_KEY_DIR/ubuntu-esm*gpg  # Remove previous esm keys
--        rm -f $APT_TRUSTED_KEY_DIR/$ESM_INFRA_KEY_TRUSTY
--        rm -f $ESM_INFRA_APT_SOURCE_FILE_TRUSTY
--        rm -f $ESM_INFRA_OLD_APT_SOURCE_FILE_TRUSTY
--        rm -f $ESM_APT_PREF_FILE_TRUSTY $ESM_INFRA_OLD_APT_PREF_FILE_TRUSTY
--        rm -f $ESM_INFRA_APT_PREF_FILE_TRUSTY
++        rm -f "$APT_TRUSTED_KEY_DIR/ubuntu-esm*gpg"  # Remove previous esm keys
++        rm -f "$APT_TRUSTED_KEY_DIR/$ESM_INFRA_KEY_TRUSTY"
++        rm -f "$ESM_INFRA_APT_SOURCE_FILE"
++        rm -f "$ESM_INFRA_OLD_APT_SOURCE_FILE_TRUSTY"
++        rm -f "$ESM_APT_PREF_FILE_TRUSTY" "$ESM_INFRA_OLD_APT_PREF_FILE_TRUSTY"
++        rm -f "$ESM_INFRA_APT_PREF_FILE"
++    fi
++    if ! check_service_is_enabled esm-apps; then
++        rm -f "$APT_TRUSTED_KEY_DIR/$ESM_APPS_KEY"
++        rm -f "$ESM_APPS_APT_SOURCE_FILE"
++        rm -f "$ESM_APPS_APT_PREF_FILE"
      fi
+ }
--configure_esm() {
--    rm -f $APT_TRUSTED_KEY_DIR/ubuntu-esm*gpg  # Remove previous esm keys
--    if [ ! -f "$APT_TRUSTED_KEY_DIR/$ESM_INFRA_KEY_TRUSTY" ]; then
--        cp $UA_KEYRING_DIR/$ESM_INFRA_KEY_TRUSTY $APT_TRUSTED_KEY_DIR
++# Add visibility to a disabled ESM APT source by installing a GPG key and
++# preferences file to Pin never so packages won't get installed by apt update.
++install_esm_apt_key_and_source() {
++    service=$1 release=$2
++    apt_suite="${release}-${service}";
++    case "${service}" in
++        apps)
++            apt_origin="UbuntuESMApps"
++            apt_pref_file=${ESM_APPS_APT_PREF_FILE};
++            apt_source_file=${ESM_APPS_APT_SOURCE_FILE};
++            apt_key=${ESM_APPS_KEY};
++            ;;
++        infra)
++            apt_origin="UbuntuESM"
++            apt_pref_file=${ESM_INFRA_APT_PREF_FILE};
++            apt_source_file=${ESM_INFRA_APT_SOURCE_FILE};
++            apt_key=${ESM_INFRA_KEY_TRUSTY};
++            ;;
++    esac
++
++    # GPG key setup to avoid apt gpg key warnings
++    if [ ! -f "$APT_TRUSTED_KEY_DIR/$apt_key" ]; then
++        cp $UA_KEYRING_DIR/$apt_key $APT_TRUSTED_KEY_DIR
      fi
--    if [ -e "$ESM_APT_SOURCE_FILE_TRUSTY" ]; then
--        mv $ESM_APT_SOURCE_FILE_TRUSTY $ESM_INFRA_APT_SOURCE_FILE_TRUSTY
--    fi
--    if [ -e "$ESM_APT_PREF_FILE_TRUSTY" ]; then
--        mv $ESM_APT_PREF_FILE_TRUSTY $ESM_INFRA_APT_PREF_FILE_TRUSTY
++    # Migrate trusty legacy source list and preference file names
++    if [ "14.04" = "$VERSION_ID" ]; then
++        if [ -e "$ESM_APT_SOURCE_FILE_TRUSTY" ]; then
++            mv $ESM_APT_SOURCE_FILE_TRUSTY $ESM_INFRA_APT_SOURCE_FILE
++        fi
++        if [ -e "$ESM_APT_PREF_FILE_TRUSTY" ]; then
++            mv "$ESM_APT_PREF_FILE_TRUSTY" "$ESM_INFRA_APT_PREF_FILE"
++        fi
      fi
--    if [ ! -e "$ESM_INFRA_APT_SOURCE_FILE_TRUSTY" ]; then
--        cat > $ESM_INFRA_APT_SOURCE_FILE_TRUSTY <<EOF
++    # If preference file doesn't already exist, we aren't attached.
++    # Setup unauthenticated apt source list file and never-pin preference
++    if [ ! -e "${apt_source_file}" ]; then
++        # Unconfigured repo, so set it up as never-pinned
++        cat > ${apt_source_file} <<EOF
  # Written by ubuntu-advantage-tools
--deb https://esm.ubuntu.com/ubuntu trusty-infra-security main
--# deb-src https://esm.ubuntu.com/ubuntu trusty-infra-security main
++deb https://esm.ubuntu.com/${service}/ubuntu ${apt_suite}-security main
++# deb-src https://esm.ubuntu.com/${service}/ubuntu ${apt_suite}-security main
--deb https://esm.ubuntu.com/ubuntu trusty-infra-updates main
--# deb-src https://esm.ubuntu.com/ubuntu trusty-infra-updates main
++deb https://esm.ubuntu.com/${service}/ubuntu ${apt_suite}-updates main
++# deb-src https://esm.ubuntu.com/${service}/ubuntu ${apt_suite}-updates main
  EOF
++
          # Automatically disable esm sources via apt preferences until enabled
--        cat > $ESM_INFRA_APT_PREF_FILE_TRUSTY <<EOF
++        cat > "${apt_pref_file}" <<EOF
  # Written by ubuntu-advantage-tools
  Package: *
--Pin: release o=UbuntuESM, n=trusty
++Pin: release o=${apt_origin}, n=${release}
  Pin-Priority: never
  EOF
      fi
+ }
++configure_esm() {
++    rm -f $APT_TRUSTED_KEY_DIR/ubuntu-esm*gpg  # Remove legacy esm keys
++    if check_is_active_esm "${UBUNTU_CODENAME}"; then
++        install_esm_apt_key_and_source "infra" "$UBUNTU_CODENAME"
++    fi
++    if ! check_service_is_beta esm-apps; then
++        if [ "${UBUNTU_CODENAME}" != "trusty" ]; then
++            install_esm_apt_key_and_source "apps" "$UBUNTU_CODENAME"
++        fi
++    fi
++}
++
  # If held fips packages exist, we are on a FIPS PRO machine with FIPS enabled
  mark_reboot_for_fips_pro() {
@@ -143,11 +247,8 @@ mark_reboot_for_fips_pro() {
+ }
--mark_reboot_cmds_as_needed() {
++add_notice() {
      msg_name=$1
--    if [ ! -f "$REBOOT_CMD_MARKER_FILE" ]; then
--      touch $REBOOT_CMD_MARKER_FILE
--    fi
      python3 -c "
  from uaclient.config import UAConfig
  from uaclient.status import ${msg_name}
@@ -156,6 +257,14 @@ cfg.add_notice(label='', description=${msg_name})
+ "
+ }
++mark_reboot_cmds_as_needed() {
++    msg_name=$1
++    if [ ! -f "$REBOOT_CMD_MARKER_FILE" ]; then
++      touch $REBOOT_CMD_MARKER_FILE
++    fi
++    add_notice "$msg_name"
++}
++
  case "$1" in
      configure)
        PREVIOUS_PKG_VER=$2
@@ -165,7 +274,7 @@ case "$1" in
        # https://github.com/CanonicalLtd/ubuntu-advantage-client/issues/693
        if [ -e "$ESM_APT_SOURCE_FILE_PRECISE" ]; then
            mv $ESM_APT_SOURCE_FILE_PRECISE \
--              $ESM_INFRA_APT_SOURCE_FILE_TRUSTY
++              $ESM_INFRA_APT_SOURCE_FILE
        fi
        # We changed the way we store public files in 19.5
@@ -182,11 +291,6 @@ case "$1" in
                rm -f $SYSTEMD_WANTS_AUTO_ATTACH_LINK
                rm -f $SYSTEMD_HELPER_ENABLED_AUTO_ATTACH_DSH
                rm -f $SYSTEMD_HELPER_ENABLED_WANTS_LINK
--              # Use debconf to alert the user to the additional
--              # ubuntu-advantage-pro package that should be installed
--              . /usr/share/debconf/confmodule
--              db_input high ubuntu-advantage-tools/suggest_pro_pkg || true
--              db_go || true
            fi
        fi
@@ -195,17 +299,23 @@ case "$1" in
        redact_ubuntu_release_from_ua_apt_filenames $APT_SRC_DIR
        redact_ubuntu_release_from_ua_apt_filenames $APT_PREFERENCES_DIR
++      # Repo for FIPS packages changed from old client
++      if [ -f $FIPS_APT_SOURCE_FILE ]; then
++        if grep -q $OLD_CLIENT_FIPS_PPA $FIPS_APT_SOURCE_FILE; then
++            add_notice MESSAGE_FIPS_INSTALL_OUT_OF_DATE
++        fi
++      fi
++
        # CACHE_DIR is no longer present or used since 19.1
        rm -rf /var/cache/ubuntu-advantage-tools
        # machine-access cache files no longer present or used since 20.1
        rm -f /var/lib/ubuntu-advantage/private/machine-access-*.json
--      if [ "14.04" = "$VERSION_ID" ]; then
++      if check_is_lts "${UBUNTU_CODENAME}"; then
          if echo "$ESM_SUPPORTED_ARCHS" | grep -qw "$MYARCH"; then
--          # 14.04 and supported arch
            configure_esm
          else
--          # 14.04 and unsupported arch
++          # ESM supported release but unsupported arch
            unconfigure_esm
          fi
        fi
 diff --git a/debian/postrm b/debian/ubuntu-advantage-tools.postrm
 similarity index 100%
 rename from debian/postrm
 rename to debian/ubuntu-advantage-tools.postrm
 diff --git a/debian/prerm b/debian/ubuntu-advantage-tools.prerm
 similarity index 100%
 rename from debian/prerm
 rename to debian/ubuntu-advantage-tools.prerm
 diff --git a/debian/ubuntu-advantage-tools.templates b/debian/ubuntu-advantage-tools.templates
 index 1b5c6f8..ce1a66a 100644
 --- a/debian/ubuntu-advantage-tools.templates
 +++ b/debian/ubuntu-advantage-tools.templates
@@ -3,4 +3,4 @@ Type: note
  _Description: Ubuntu Pro support now requires ubuntu-advantage-pro
   To install run the following:
+  .
-- sudo apt-get install ubuntu-advantage-pro
++ sudo apt install ubuntu-advantage-pro
 diff --git a/features/attach_invalidtoken.feature b/features/attach_invalidtoken.feature
 index 4f3fc9a..6b8db52 100644
 --- a/features/attach_invalidtoken.feature
 +++ b/features/attach_invalidtoken.feature
@@ -12,7 +12,7 @@ Feature: Command behaviour when trying to attach a machine to an Ubuntu
          When I verify that running `ua attach INVALID_TOKEN` `as non-root` exits `1`
          Then I will see the following on stderr:
               """
--             This command must be run as root (try using sudo)
++             This command must be run as root (try using sudo).
               """
          Examples: ubuntu release
             | release |
 diff --git a/features/attach_validtoken.feature b/features/attach_validtoken.feature
 index a25234f..d0e9612 100644
 --- a/features/attach_validtoken.feature
 +++ b/features/attach_validtoken.feature
@@ -2,26 +2,15 @@
  Feature: Command behaviour when attaching a machine to an Ubuntu Advantage
          subscription using a valid token
--    @series.all
++    @series.xenial
++    @series.bionic
++    @series.focal
      @uses.config.machine_type.lxd.container
      Scenario Outline: Attach command in a ubuntu lxd container
         Given a `<release>` machine with ubuntu-advantage-tools installed
          When I run `apt-get update` with sudo, retrying exit [100]
          And I run `apt-get install -y <downrev_pkg>` with sudo, retrying exit [100]
--        When I verify that running ` --assume-yes --beta` `with sudo` exits `1`
--        And I run `/usr/lib/update-notifier/apt-check  --human-readable` as non-root
--        Then if `<release>` in `trusty` and stdout matches regexp:
--        """
--        UA Infrastructure Extended Security Maintenance \(ESM\) is not enabled.
--
--        \d+ update(s)? can be installed immediately.
--        \d+ of these updates (is a|are) security update(s)?.
--        """
--        Then if `<release>` in `trusty` and stdout matches regexp:
--        """
--        Enable UA Infrastructure ESM to receive \d+ additional security update(s)?.
--        See https://ubuntu.com/advantage or run: sudo ua status
--        """
++        And I run `run-parts /etc/update-motd.d/` with sudo
          Then if `<release>` in `xenial or bionic` and stdout matches regexp:
          """
          \d+ package(s)? can be updated.
@@ -35,7 +24,7 @@ Feature: Command behaviour when attaching a machine to an Ubuntu Advantage
          When I attach `contract_token` with sudo
          Then stdout matches regexp:
          """
--        ESM Infra enabled
++        UA Infra: ESM enabled
          """
          And stdout matches regexp:
          """
@@ -53,28 +42,74 @@ Feature: Command behaviour when attaching a machine to an Ubuntu Advantage
          """
          Enabling default service esm-infra
          """
--        When I run `/usr/lib/update-notifier/apt-check  --human-readable` as non-root
--        Then if `<release>` in `trusty` and stdout matches regexp:
++        When I append the following on uaclient config:
++            """
++            features:
++              allow_beta: true
++            """
++        And I run `apt update` with sudo
++        And I run `python3 /usr/lib/ubuntu-advantage/ua_update_messaging.py` with sudo
++        And I run `apt install update-motd` with sudo, retrying exit [100]
++        And I run `update-motd` with sudo
++        Then if `<release>` in `focal` and stdout matches regexp:
          """
++        \* Introducing Extended Security Maintenance for Applications.
++          +Receive updates to over 30,000 software packages with your
++          +Ubuntu Advantage subscription. Free for personal use.
++
++            +https:\/\/ubuntu.com\/esm
++
          UA (Infra:|Infrastructure) Extended Security Maintenance \(ESM\) is enabled.
          \d+ update(s)? can be installed immediately.
          \d+ of these updates (is|are) (fixed|provided) through UA (Infra:|Infrastructure) ESM.
          \d+ of these updates (is a|are) security update(s)?.
++        To see these additional updates run: apt list --upgradable
          """
--        Then if `<release>` in `focal` and stdout matches regexp:
++        Then if `<release>` in `xenial or bionic` and stdout matches regexp:
          """
--        UA (Infra:|Infrastructure) Extended Security Maintenance \(ESM\) is enabled.
++        \* Introducing Extended Security Maintenance for Applications.
++          +Receive updates to over 30,000 software packages with your
++          +Ubuntu Advantage subscription. Free for personal use.
--        \d+ update(s)? can be installed immediately.
--        \d+ of these updates (is|are) (fixed|provided) through UA (Infra:|Infrastructure) ESM.
++            +https:\/\/ubuntu.com\/esm
++
++        UA Infra: Extended Security Maintenance \(ESM\) is enabled.
++
++        \d+ package(s)? can be updated.
          \d+ of these updates (is a|are) security update(s)?.
          To see these additional updates run: apt list --upgradable
          """
++        When I update contract to use `effectiveTo` as `days=-20`
++        And I run `python3 /usr/lib/ubuntu-advantage/ua_update_messaging.py` with sudo
++        And I run `update-motd` with sudo
          Then if `<release>` in `xenial or bionic` and stdout matches regexp:
          """
--        \d+ package(s)? can be updated.
--        \d+ of these updates (is a|are) security update(s)?.
++
++        \*Your UA Infra: ESM subscription has EXPIRED\*
++
++        \d+ additional security update\(s\) could have been applied via UA Infra: ESM.
++
++        Renew your UA services at https:\/\/ubuntu.com\/esm
++
++        """
++        Then if `<release>` in `xenial` and stdout matches regexp:
++        """
++
++        Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
++        applicable law.
++
++        """
++        When I run `apt upgrade --dry-run` with sudo
++        Then if `<release>` in `xenial` and stdout matches regexp:
++        """
++        \*Your UA Infra: ESM subscription has EXPIRED\*
++        Enabling UA Infra: ESM service would provide security updates for following
++        packages:
++          libkrad0
++        1 esm-infra security update\(s\) NOT APPLIED. Renew your UA services at
++        https:\/\/ubuntu.com\/advantage
++
          """
          Examples: ubuntu release packages
             | release | downrev_pkg                 |
@@ -85,12 +120,12 @@ Feature: Command behaviour when attaching a machine to an Ubuntu Advantage
      @series.all
      @uses.config.machine_type.aws.generic
--    Scenario Outline: Attach command in a ubuntu lxd container
++    Scenario Outline: Attach command in an generic AWS Ubuntu VM
         Given a `<release>` machine with ubuntu-advantage-tools installed
          When I attach `contract_token` with sudo
          Then stdout matches regexp:
          """
--        ESM Infra enabled
++        UA Infra: ESM enabled
          """
          And stdout matches regexp:
          """
@@ -123,7 +158,7 @@ Feature: Command behaviour when attaching a machine to an Ubuntu Advantage
          When I attach `contract_token` with sudo
          Then stdout matches regexp:
          """
--        ESM Infra enabled
++        UA Infra: ESM enabled
          """
          And stdout matches regexp:
          """
@@ -156,7 +191,7 @@ Feature: Command behaviour when attaching a machine to an Ubuntu Advantage
          When I attach `contract_token` with sudo
          Then stdout matches regexp:
          """
--        ESM Infra enabled
++        UA Infra: ESM enabled
          """
          And stdout matches regexp:
          """
 diff --git a/features/attached_commands.feature b/features/attached_commands.feature
 index 4b48f76..48b69eb 100644
 --- a/features/attached_commands.feature
 +++ b/features/attached_commands.feature
@@ -8,12 +8,12 @@ Feature: Command behaviour when attached to an UA subscription
          Then I verify that running `ua refresh` `as non-root` exits `1`
          And stderr matches regexp:
              """
--            This command must be run as root \(try using sudo\)
++            This command must be run as root \(try using sudo\).
              """
          When I run `ua refresh` with sudo
          Then I will see the following on stdout:
              """
--            Successfully refreshed your subscription
++            Successfully refreshed your subscription.
              """
          Examples: ubuntu release
@@ -30,7 +30,7 @@ Feature: Command behaviour when attached to an UA subscription
          Then I verify that running `ua disable livepatch` `as non-root` exits `1`
          And stderr matches regexp:
              """
--            This command must be run as root \(try using sudo\)
++            This command must be run as root \(try using sudo\).
              """
          And I verify that running `ua disable livepatch` `with sudo` exits `1`
          And I will see the following on stdout:
@@ -53,18 +53,18 @@ Feature: Command behaviour when attached to an UA subscription
          Then I verify that running `ua disable foobar` `as non-root` exits `1`
          And stderr matches regexp:
              """
--            This command must be run as root \(try using sudo\)
++            This command must be run as root \(try using sudo\).
              """
          And I verify that running `ua disable foobar` `with sudo` exits `1`
          And stderr matches regexp:
              """
              Cannot disable unknown service 'foobar'.
--            Try cc-eal, cis, esm-apps, esm-infra, fips, fips-updates, livepatch
++            Try cc-eal, cis, esm-apps, esm-infra, fips, fips-updates, livepatch.
              """
          And I verify that running `ua disable esm-infra` `as non-root` exits `1`
          And stderr matches regexp:
              """
--            This command must be run as root \(try using sudo\)
++            This command must be run as root \(try using sudo\).
              """
          When I run `ua disable esm-infra` with sudo
          Then I will see the following on stdout:
@@ -91,7 +91,7 @@ Feature: Command behaviour when attached to an UA subscription
          Then I verify that running `ua detach` `as non-root` exits `1`
          And stderr matches regexp:
              """
--            This command must be run as root \(try using sudo\)
++            This command must be run as root \(try using sudo\).
              """
          When I run `ua detach --assume-yes` with sudo
          Then I will see the following on stdout:
@@ -99,7 +99,7 @@ Feature: Command behaviour when attached to an UA subscription
              Detach will disable the following service:
                  esm-infra
              Updating package lists
--            This machine is now detached
++            This machine is now detached.
              """
         When I run `ua status --all` as non-root
         Then stdout matches regexp:
@@ -133,7 +133,7 @@ Feature: Command behaviour when attached to an UA subscription
          Then I verify that running `ua auto-attach` `as non-root` exits `1`
          And stderr matches regexp:
              """
--            This command must be run as root \(try using sudo\)
++            This command must be run as root \(try using sudo\).
              """
          When I run `ua auto-attach` with sudo
          Then stderr matches regexp:
@@ -236,7 +236,7 @@ Feature: Command behaviour when attached to an UA subscription
          And stderr matches regexp:
              """
              Cannot disable unknown service 'foobar'.
--            Try cc-eal, cis, esm-apps, esm-infra, fips, fips-updates, livepatch
++            Try cc-eal, cis, esm-apps, esm-infra, fips, fips-updates, livepatch.
              """
          When I run `ua status` with sudo
          Then stdout matches regexp:
@@ -258,13 +258,13 @@ Feature: Command behaviour when attached to an UA subscription
          Then I verify that running `ua disable foobar` `as non-root` exits `1`
          And stderr matches regexp:
              """
--            This command must be run as root \(try using sudo\)
++            This command must be run as root \(try using sudo\).
              """
          And I verify that running `ua disable foobar` `with sudo` exits `1`
          And stderr matches regexp:
              """
              Cannot disable unknown service 'foobar'.
--            Try cc-eal, cis, esm-apps, esm-infra, fips, fips-updates, livepatch
++            Try cc-eal, cis, esm-apps, esm-infra, fips, fips-updates, livepatch.
              """
          And I verify that running `ua disable esm-infra` `as non-root` exits `1`
          And stderr matches regexp:
 diff --git a/features/attached_enable.feature b/features/attached_enable.feature
 index 8a36fce..f6f0ec9 100644
 --- a/features/attached_enable.feature
 +++ b/features/attached_enable.feature
@@ -8,7 +8,7 @@ Feature: Enable command behaviour when attached to an UA subscription
          Then I verify that running `ua enable cc-eal` `as non-root` exits `1`
          And I will see the following on stderr:
              """
--            This command must be run as root (try using sudo)
++            This command must be run as root (try using sudo).
              """
          And I verify that running `ua enable cc-eal --beta` `with sudo` exits `1`
          And I will see the following on stdout
@@ -24,7 +24,7 @@ Feature: Enable command behaviour when attached to an UA subscription
          And stderr matches regexp:
              """
              Cannot enable unknown service 'cc-eal'.
--            Try esm-infra, fips, fips-updates, livepatch
++            Try esm-infra, fips, fips-updates, livepatch.
              """
          Examples: ubuntu release
@@ -34,73 +34,39 @@ Feature: Enable command behaviour when attached to an UA subscription
             | trusty  | CC EAL2 is not available for Ubuntu 14.04 LTS (Trusty Tahr).   |
      @series.all
--    Scenario Outline: Attached enable a disabled beta service and unknown service in a ubuntu machine
++    Scenario Outline: Attached enable of a service in a ubuntu machine
          Given a `<release>` machine with ubuntu-advantage-tools installed
          When I attach `contract_token` with sudo
--        Then I verify that running `ua enable cc-eal foobar` `as non-root` exits `1`
++        Then I verify that running `ua enable foobar` `as non-root` exits `1`
          And I will see the following on stderr:
              """
--            This command must be run as root (try using sudo)
++            This command must be run as root (try using sudo).
              """
--        And I verify that running `ua enable cc-eal foobar` `with sudo` exits `1`
++        And I verify that running `ua enable foobar` `with sudo` exits `1`
          And I will see the following on stdout:
              """
              One moment, checking your subscription first
              """
          And stderr matches regexp:
              """
--            Cannot enable unknown service 'foobar, cc-eal'.
--            Try esm-infra, fips, fips-updates, livepatch
--            """
--
--        Examples: ubuntu release
--           | release |
--           | bionic  |
--           | focal   |
--           | trusty  |
--           | xenial  |
--
--    @series.all
--    Scenario Outline: Attached enable of an unknown service in a ubuntu machine
--        Given a `<release>` machine with ubuntu-advantage-tools installed
--        When I attach `contract_token` with sudo
--        Then I verify that running `ua enable foobar` `as non-root` exits `1`
--        And I will see the following on stderr:
--            """
--            This command must be run as root (try using sudo)
++            Cannot enable unknown service 'foobar'.
++            Try esm-infra, fips, fips-updates, livepatch.
              """
--        And I verify that running `ua enable foobar` `with sudo` exits `1`
++        And I verify that running `ua enable cc-eal foobar` `with sudo` exits `1`
          And I will see the following on stdout:
              """
              One moment, checking your subscription first
              """
          And stderr matches regexp:
              """
--            Cannot enable unknown service 'foobar'.
--            Try esm-infra, fips, fips-updates, livepatch
--            """
--
--        Examples: ubuntu release
--           | release |
--           | bionic  |
--           | focal   |
--           | trusty  |
--           | xenial  |
--
--    @series.all
--    Scenario Outline: Attached enable of a known service already enabled (UA Infra) in a ubuntu machine
--        Given a `<release>` machine with ubuntu-advantage-tools installed
--        When I attach `contract_token` with sudo
--        Then I verify that running `ua enable esm-infra` `as non-root` exits `1`
--        And I will see the following on stderr:
--            """
--            This command must be run as root (try using sudo)
++            Cannot enable unknown service 'foobar, cc-eal'.
++            Try esm-infra, fips, fips-updates, livepatch.
              """
          And I verify that running `ua enable esm-infra` `with sudo` exits `1`
          Then I will see the following on stdout:
              """
              One moment, checking your subscription first
--            ESM Infra is already enabled.
++            UA Infra: ESM is already enabled.
              See: sudo ua status
              """
          When I run `apt-cache policy` with sudo
@@ -124,69 +90,41 @@ Feature: Enable command behaviour when attached to an UA subscription
             | trusty  | libgit2-0 | https://esm.ubuntu.com/ubuntu/      |
             | xenial  | libkrad0  | https://esm.ubuntu.com/infra/ubuntu |
--    @series.xenial
--    @series.bionic
--    @series.focal
--    Scenario Outline: Attached enable of a know service shows update in a ubuntu machine
--        Given a `<release>` machine with ubuntu-advantage-tools installed
--        When I attach `contract_token` with sudo
--        Then I verify that running `ua enable esm-infra` `with sudo` exits `1`
--        And I will see the following on stdout:
--            """
--            One moment, checking your subscription first
--            ESM Infra is already enabled.
--            See: sudo ua status
--            """
--        When I run `apt install -y <pkg-version>` with sudo, retrying exit [100]
--        And I run `apt update` with sudo
--        Then stdout matches regexp
--        """
--        \d+ of the updates (is|are) from UA Infra: ESM
--        """
--        When I run `ua disable esm-infra` with sudo
--        And I run `apt update` with sudo
--        Then stdout does not match regexp
--        """
--        \d+ of the updates (is|are) from UA Infra: ESM
--        """
--
--        Examples: ubuntu release
--           | release | pkg-version            |
--           | bionic  | libkrad0=1.16-2build1  |
--           | focal   | hello=2.10-2ubuntu2    |
--           | xenial  | libkrad0=1.13.2+dfsg-5 |
--
      @series.all
      @uses.config.machine_type.lxd.container
      Scenario Outline:  Attached enable of non-container services in a ubuntu lxd container
          Given a `<release>` machine with ubuntu-advantage-tools installed
          When I attach `contract_token` with sudo
--        Then I verify that running `ua enable <service> <flag>` `as non-root` exits `1`
++        Then I verify that running `ua enable livepatch` `as non-root` exits `1`
          And I will see the following on stderr:
              """
--            This command must be run as root (try using sudo)
++            This command must be run as root (try using sudo).
++            """
++        And I verify that running `ua enable livepatch` `with sudo` exits `1`
++        And I will see the following on stdout:
++            """
++            One moment, checking your subscription first
++            Cannot install Livepatch on a container.
++            """
++        And I verify that running `ua enable fips --assume-yes` `with sudo` exits `1`
++        And I will see the following on stdout:
++            """
++            One moment, checking your subscription first
++            Cannot install FIPS on a container.
              """
--        And I verify that running `ua enable <service> <flag>` `with sudo` exits `1`
++        And I verify that running `ua enable fips-updates --assume-yes` `with sudo` exits `1`
          And I will see the following on stdout:
              """
              One moment, checking your subscription first
--            Cannot install <title> on a container
++            Cannot install FIPS Updates on a container.
              """
          Examples: Un-supported services in containers
--           | release | service      | title        | flag         |
--           | bionic  | livepatch    | Livepatch    |              |
--           | bionic  | fips         | FIPS         | --assume-yes |
--           | bionic  | fips-updates | FIPS Updates | --assume-yes |
--           | focal   | livepatch    | Livepatch    |              |
--           | focal   | fips         | FIPS         | --assume-yes |
--           | focal   | fips-updates | FIPS Updates | --assume-yes |
--           | trusty  | livepatch    | Livepatch    |              |
--           | trusty  | fips         | FIPS         | --assume-yes |
--           | trusty  | fips-updates | FIPS Updates | --assume-yes |
--           | xenial  | livepatch    | Livepatch    |              |
--           | xenial  | fips         | FIPS         | --assume-yes |
--           | xenial  | fips-updates | FIPS Updates | --assume-yes |
++           | release |
++           | bionic  |
++           | focal   |
++           | trusty  |
++           | xenial  |
      @series.all
      Scenario Outline: Attached enable not entitled service in a ubuntu machine
@@ -195,26 +133,29 @@ Feature: Enable command behaviour when attached to an UA subscription
          Then I verify that running `ua enable <service>` `as non-root` exits `1`
          And I will see the following on stderr:
              """
--            This command must be run as root (try using sudo)
++            This command must be run as root (try using sudo).
++            """
++        And I verify that running `ua enable cis --beta` `with sudo` exits `1`
++        And I will see the following on stdout:
++            """
++            One moment, checking your subscription first
++            This subscription is not entitled to CIS Audit
++            For more information see: https://ubuntu.com/advantage.
              """
--        And I verify that running `ua enable <service> --beta` `with sudo` exits `1`
++        And I verify that running `ua enable esm-apps --beta` `with sudo` exits `1`
          And I will see the following on stdout:
              """
              One moment, checking your subscription first
--            This subscription is not entitled to <title>.
--            For more information see: https://ubuntu.com/advantage
++            This subscription is not entitled to UA Apps: ESM
++            For more information see: https://ubuntu.com/advantage.
              """
          Examples: not entitled services
--           | release | service      | title        |
--           | bionic  | cis          | CIS Audit    |
--           | bionic  | esm-apps     | ESM Apps     |
--           | focal   | cis          | CIS Audit    |
--           | focal   | esm-apps     | ESM Apps     |
--           | trusty  | cis          | CIS Audit    |
--           | trusty  | esm-apps     | ESM Apps     |
--           | xenial  | cis          | CIS Audit    |
--           | xenial  | esm-apps     | ESM Apps     |
++           | release |
++           | bionic  |
++           | focal   |
++           | trusty  |
++           | xenial  |
      @series.focal
      @uses.config.machine_type.lxd.vm
@@ -309,7 +250,7 @@ Feature: Enable command behaviour when attached to an UA subscription
          Then stdout matches regexp:
              """
              Updating package lists
--            ESM Infra enabled
++            UA Infra: ESM enabled
              Installing canonical-livepatch snap
              Canonical livepatch enabled
              """
@@ -321,7 +262,7 @@ Feature: Enable command behaviour when attached to an UA subscription
              Updating package lists
              Installing FIPS packages
              FIPS enabled
--            A reboot is required to complete install
++            A reboot is required to complete install.
              """
          When I append the following on uaclient config:
              """
@@ -332,7 +273,7 @@ Feature: Enable command behaviour when attached to an UA subscription
          And I will see the following on stdout
              """
              One moment, checking your subscription first
--            Cannot enable Livepatch when FIPS is enabled
++            Cannot enable Livepatch when FIPS is enabled.
              """
      @series.bionic
@@ -343,7 +284,7 @@ Feature: Enable command behaviour when attached to an UA subscription
          Then stdout matches regexp:
              """
              Updating package lists
--            ESM Infra enabled
++            UA Infra: ESM enabled
              Installing canonical-livepatch snap
              Canonical livepatch enabled
              """
@@ -356,7 +297,10 @@ Feature: Enable command behaviour when attached to an UA subscription
          And I will see the following on stdout
              """
              One moment, checking your subscription first
--            Cannot enable FIPS when Livepatch is enabled
++            """
++        And I will see the following on stderr
++            """
++            Cannot enable FIPS when Livepatch is enabled.
              """
      @series.xenial
@@ -368,7 +312,7 @@ Feature: Enable command behaviour when attached to an UA subscription
          Then stdout matches regexp:
              """
              Updating package lists
--            ESM Infra enabled
++            UA Infra: ESM enabled
              """
          And stdout matches regexp:
              """
@@ -382,7 +326,7 @@ Feature: Enable command behaviour when attached to an UA subscription
              Updating package lists
              Installing FIPS packages
              FIPS enabled
--            A reboot is required to complete install
++            A reboot is required to complete install.
              """
          When I run `ua status` with sudo
          Then stdout matches regexp:
@@ -407,7 +351,7 @@ Feature: Enable command behaviour when attached to an UA subscription
          When I attach `contract_token` with sudo
          Then stdout matches regexp:
              """
--            ESM Infra enabled
++            UA Infra: ESM enabled
              """
          And stdout matches regexp:
              """
@@ -422,13 +366,13 @@ Feature: Enable command behaviour when attached to an UA subscription
              Updating package lists
              Installing FIPS Updates packages
              FIPS Updates enabled
--            A reboot is required to complete install
++            A reboot is required to complete install.
              """
          When I verify that running `ua enable fips --assume-yes` `with sudo` exits `1`
          Then I will see the following on stdout
              """
              One moment, checking your subscription first
--            Cannot enable FIPS when FIPS Updates is enabled
++            Cannot enable FIPS when FIPS Updates is enabled.
              """
          Examples: ubuntu release
 diff --git a/features/cloud.py b/features/cloud.py
 index 4443345..13d3ea4 100644
 --- a/features/cloud.py
 +++ b/features/cloud.py
@@ -730,15 +730,3 @@ class LXDContainer(_LXD):
      def pycloudlib_cls(self):
          """Return the pycloudlib cls to be used as an api."""
          return pycloudlib.LXDContainer
--
--    def manage_ssh_key(self, private_key_path: "Optional[str]" = None) -> None:
--        """Create and manage ssh key pairs to be used in the cloud provider.
--
--        On a LXD container, we do not use ssh keys to communicate with the
--        instance. Therefore, this method should not be used.
--
--        :param private_key_path:
--            Location of the private key path to use. If None, the location
--            will be a default location.
--        """
--        pass
 diff --git a/features/environment.py b/features/environment.py
 index 9a53933..0df3632 100644
 --- a/features/environment.py
 +++ b/features/environment.py
@@ -1,5 +1,4 @@
  import datetime
--import errno
  import os
  import itertools
  import tempfile
@@ -23,8 +22,8 @@ from features.util import emit_spinner_on_travis, lxc_get_property, build_debs
  ALL_SUPPORTED_SERIES = ["bionic", "focal", "trusty", "xenial"]
--DAILY_PPA = "http://ppa.launchpad.net/canonical-server/ua-client-daily/ubuntu"
--DAILY_PPA_KEYID = "8A295C4FB8B190B7"
++DAILY_PPA = "http://ppa.launchpad.net/ua-client/daily/ubuntu"
++DAILY_PPA_KEYID = "6E34E7116C0BC933"
  USERDATA_BLOCK_AUTO_ATTACH_IMG = """\
  #cloud-config
@@ -500,18 +499,14 @@ def after_step(context, step):
+                 )
                  print("-- pull instance:{} {}".format(log_file, artifact_file))
                  try:
--                    context.instance.pull_file(log_file, artifact_file)
--                except IOError as e:
--                    if e.errno == errno.EACCES:
--                        result = context.instance.execute(
--                            ["cat", log_file], use_sudo=True
--                        )
--                        with open(artifact_file, "w") as stream:
--                            stream.write(result.stdout)
++                    result = context.instance.execute(
++                        ["cat", log_file], use_sudo=True
++                    )
++                    content = result.stdout if result.ok else ""
                  except RuntimeError:
--                    # File did not exist
--                    with open(artifact_file, "w") as stream:
--                        stream.write("")
++                    content = ""
++                with open(artifact_file, "w") as stream:
++                    stream.write(content)
              for artifact_file, cmd in FAILURE_CMDS.items():
                  result = context.instance.execute(cmd, use_sudo=True)
                  artifact_file = os.path.join(artifacts_dir, artifact_file)
@@ -520,7 +515,9 @@ def after_step(context, step):
  def after_all(context):
--    if context.config.image_clean:
++    if context.config.ppa == "":
++        print(" No custom images to delete. UACLIENT_BEHAVE_PPA is unset.")
++    elif context.config.image_clean:
          for key, image in context.series_image_name.items():
              if key == context.series_reuse_image:
                  print(
@@ -635,6 +632,16 @@ def create_uat_image(context: Context, series: str) -> None:
              context.reuse_container[series],
+         )
          return
++    ppa = context.config.ppa
++    if ppa == "":
++        image_name = context.config.cloud_manager.locate_image_name(series)
++        print(
++            "--- Unset UACLIENT_BEHAVE_PPA. Using ubuntu-advantage-tools "
++            + "from image: {}".format(image_name)
++        )
++        context.series_image_name[series] = image_name
++        return
++
      time_suffix = datetime.datetime.now().strftime("%s%f")
      deb_paths = []
      if context.config.build_pr:
@@ -741,11 +748,14 @@ def _install_uat_in_container(
      if "pro" in config.machine_type:
          features = "features:\n  disable_auto_attach: true\n"
          conf_path = "/etc/ubuntu-advantage/uaclient.conf"
--        cmd = "printf '{}' > /tmp/uaclient.conf".format(features)
++        cmd = "printf '{}' > /var/tmp/uaclient.conf".format(features)
          cmds.append('sh -c "{}"'.format(cmd))
          cmds.append(
--            'sudo -- sh -c "cat /tmp/uaclient.conf >> {}"'.format(conf_path)
++            'sudo -- sh -c "cat /var/tmp/uaclient.conf >> {}"'.format(
++                conf_path
++            )
+         )
++        cmds.append("sudo ua status --wait")
          cmds.append("sudo ua detach --assume-yes")
      cmds.append(["ua", "version"])
 diff --git a/features/gcp-ids.yaml b/features/gcp-ids.yaml
 index a3ca5bd..fe37cfb 100644
 --- a/features/gcp-ids.yaml
 +++ b/features/gcp-ids.yaml
@@ -1,3 +1,3 @@
--xenial: "projects/ubuntu-os-cloud-image-proposed/global/images/testing-ubuntu-pro-1604-xenial-v20210205"
--bionic: "projects/ubuntu-os-cloud-image-proposed/global/images/testing-ubuntu-pro-1804-bionic-v20210205"
--focal: "projects/ubuntu-os-cloud-image-proposed/global/images/testing-ubuntu-pro-2004-focal-v20210205"
++xenial: "projects/ubuntu-os-pro-cloud/global/images/ubuntu-pro-1604-xenial-v20210329"
++bionic: "projects/ubuntu-os-pro-cloud/global/images/ubuntu-pro-1804-bionic-v20210329"
++focal: "projects/ubuntu-os-pro-cloud/global/images/ubuntu-pro-2004-focal-v20210329"
 diff --git a/features/staging_commands.feature b/features/staging_commands.feature
 index 90c212f..8946977 100644
 --- a/features/staging_commands.feature
 +++ b/features/staging_commands.feature
@@ -8,14 +8,15 @@ Feature: Enable command behaviour when attached to an UA staging subscription
          Then I verify that running `ua enable cc-eal` `as non-root` exits `1`
          And I will see the following on stderr:
              """
--            This command must be run as root (try using sudo)
++            This command must be run as root (try using sudo).
              """
          When I run `ua enable cc-eal --beta` with sudo
          Then I will see the following on stdout:
              """
              One moment, checking your subscription first
--            GPG key '/usr/share/keyrings/ubuntu-cc-keyring.gpg' not found
++            GPG key '/usr/share/keyrings/ubuntu-cc-keyring.gpg' not found.
              """
++
      @series.xenial
      @series.bionic
      @series.focal
@@ -46,6 +47,53 @@ Feature: Enable command behaviour when attached to an UA staging subscription
          \s*\*\*\* .* 500
          \s*500 https://esm.staging.ubuntu.com/apps/ubuntu <release>-apps-security/main amd64 Packages
          """
++        When I run `mkdir -p /var/lib/ubuntu-advantage/messages` with sudo
++        When I create the file `/var/lib/ubuntu-advantage/messages/apt-pre-invoke-no-packages-infra.tmpl` with the following
++        """
++        esm-infra-no {ESM_INFRA_PKG_COUNT}:{ESM_INFRA_PACKAGES}
++        """
++        When I create the file `/var/lib/ubuntu-advantage/messages/apt-pre-invoke-packages-infra.tmpl` with the following
++        """
++        esm-infra {ESM_INFRA_PKG_COUNT}:{ESM_INFRA_PACKAGES}
++        """
++        When I create the file `/var/lib/ubuntu-advantage/messages/apt-pre-invoke-packages-apps.tmpl` with the following
++        """
++        esm-apps {ESM_APPS_PKG_COUNT}:{ESM_APPS_PACKAGES}
++        """
++        When I create the file `/var/lib/ubuntu-advantage/messages/apt-pre-invoke-no-packages-apps.tmpl` with the following
++        """
++        esm-apps-no {ESM_APPS_PKG_COUNT}:{ESM_APPS_PACKAGES}
++        """
++        When I run `/usr/lib/ubuntu-advantage/apt-esm-hook process-templates` with sudo
++        When I run `cat /var/lib/ubuntu-advantage/messages/apt-pre-invoke-packages-apps` with sudo
++        Then stdout matches regexp:
++        """
++        esm-apps(-no)? \d+:(.*)?
++        """
++        When I run `cat /var/lib/ubuntu-advantage/messages/apt-pre-invoke-packages-infra` with sudo
++        Then stdout matches regexp:
++        """
++        esm-infra(-no)? \d+:(.*)?
++        """
++        When I create the file `/var/lib/ubuntu-advantage/messages/apt-pre-invoke-packages-infra.tmpl` with the following
++        """
++        esm-infra {ESM_INFRA_PKG_COUNT} {ESM_INFRA_PACKAGES}
++        """
++        When I create the file `/var/lib/ubuntu-advantage/messages/apt-pre-invoke-no-packages-infra.tmpl` with the following
++        """
++        esm-infra-no {ESM_INFRA_PKG_COUNT} {ESM_INFRA_PACKAGES}
++        """
++        When I create the file `/var/lib/ubuntu-advantage/messages/apt-pre-invoke-packages-apps.tmpl` with the following
++        """
++        esm-apps {ESM_APPS_PKG_COUNT} {ESM_APPS_PACKAGES}
++        """
++        When I run `apt upgrade --dry-run` with sudo
++        Then stdout matches regexp:
++        """
++        esm-apps(-no)? \d+.*
++
++        esm-infra(-no)? \d+.*
++        """
          Examples: ubuntu release
             | release | apps-pkg |
@@ -81,7 +129,6 @@ Feature: Enable command behaviour when attached to an UA staging subscription
              FIPS support requires system reboot to complete configuration
              """
          And I verify that running `apt update` `with sudo` exits `0`
--        And I verify that running `grep Traceback /var/log/ubuntu-advantage.log` `with sudo` exits `1`
          And I verify that `openssh-server` is installed from apt source `<fips-apt-source>`
          And I verify that `openssh-client` is installed from apt source `<fips-apt-source>`
          And I verify that `strongswan` is installed from apt source `<fips-apt-source>`
@@ -171,7 +218,6 @@ Feature: Enable command behaviour when attached to an UA staging subscription
              <fips-service> +yes                enabled
              """
          And I verify that running `apt update` `with sudo` exits `0`
--        And I verify that running `grep Traceback /var/log/ubuntu-advantage.log` `with sudo` exits `1`
          And I verify that `openssh-server` is installed from apt source `<fips-apt-source>`
          And I verify that `openssh-client` is installed from apt source `<fips-apt-source>`
          And I verify that `strongswan` is installed from apt source `<fips-apt-source>`
@@ -370,7 +416,6 @@ Feature: Enable command behaviour when attached to an UA staging subscription
              """
          When I reboot the `<release>` machine
          Then I verify that running `apt update` `with sudo` exits `0`
--        And I verify that running `grep Traceback /var/log/ubuntu-advantage.log` `with sudo` exits `1`
          And I verify that `ubuntu-fips` is installed from apt source `<fips-apt-source>`
          And I verify that `openssh-server` is installed from apt source `<fips-apt-source>`
          And I verify that `openssh-client` is installed from apt source `<fips-apt-source>`
 diff --git a/features/steps/steps.py b/features/steps/steps.py
 index 928cfd7..8555ad6 100644
 --- a/features/steps/steps.py
 +++ b/features/steps/steps.py
@@ -18,7 +18,7 @@ from hamcrest import (
  from features.environment import create_uat_image
  from features.util import SLOW_CMDS, emit_spinner_on_travis, nullcontext
--from uaclient.defaults import DEFAULT_CONFIG_FILE
++from uaclient.defaults import DEFAULT_CONFIG_FILE, DEFAULT_MACHINE_TOKEN_PATH
  CONTAINER_PREFIX = "ubuntu-behave-test-"
@@ -74,6 +74,16 @@ def given_a_machine(context, series):
          context.instance
+     )
++    if series == "trusty":
++        # On trusty, the distro-info package is not directly
++        # installed when we install the ubuntu-advantage-client
++        # deb. This is fixing that problem on trusty
++        when_i_run_command(
++            context=context,
++            command="apt-get install -f -y",
++            user_spec="with sudo",
++        )
++
      def cleanup_instance() -> None:
          if not context.config.destroy_instances:
              print(
@@ -118,7 +128,9 @@ def when_i_retry_run_command(context, command, user_spec, exit_codes):
  @when("I run `{command}` {user_spec}")
--def when_i_run_command(context, command, user_spec, verify_return=True):
++def when_i_run_command(
++    context, command, user_spec, verify_return=True, stdin=None
++):
      prefix = get_command_prefix_for_user_spec(user_spec)
      slow_cmd_spinner = nullcontext
      for slow_cmd in SLOW_CMDS:
@@ -128,7 +140,7 @@ def when_i_run_command(context, command, user_spec, verify_return=True):
      full_cmd = prefix + shlex.split(command)
      with slow_cmd_spinner():
--        result = context.instance.execute(full_cmd)
++        result = context.instance.execute(full_cmd, stdin=stdin)
      process = subprocess.CompletedProcess(
          args=full_cmd,
@@ -148,6 +160,59 @@ def when_i_run_command(context, command, user_spec, verify_return=True):
      context.process = process
++@when("I fix `{issue}` by attaching to a subscription with `{token_type}`")
++def when_i_fix_a_issue_by_attaching(context, issue, token_type):
++    token = getattr(context.config, token_type)
++    when_i_run_command(
++        context=context,
++        command="ua fix {}".format(issue),
++        user_spec="with sudo",
++        stdin="a\n{}\n".format(token),
++    )
++
++
++@when("I fix `{issue}` by enabling required service")
++def when_i_fix_a_issue_by_enabling_service(context, issue):
++    when_i_run_command(
++        context=context,
++        command="ua fix {}".format(issue),
++        user_spec="with sudo",
++        stdin="e\n",
++    )
++
++
++@when("I fix `{issue}` by updating expired token")
++def when_i_fix_a_issue_by_updating_expired_token(context, issue):
++    token = getattr(context.config, "contract_token")
++    when_i_run_command(
++        context=context,
++        command="ua fix {}".format(issue),
++        user_spec="with sudo",
++        stdin="r\n{}\n".format(token),
++    )
++
++
++@when("I update contract to use `{contract_field}` as `{new_value}`")
++def when_i_update_contract_field_to_new_value(
++    context, contract_field, new_value
++):
++    if contract_field == "effectiveTo":
++        if "days=" in new_value:  # Set timedelta offset from current day
++            now = datetime.datetime.utcnow()
++            contract_expiry = now + datetime.timedelta(days=int(new_value[5:]))
++            new_value = contract_expiry.strftime("%Y-%m-%dT00:00:00Z")
++    when_i_run_command(
++        context,
++        'sed -i \'s/"{}": "[^"]*"/"{}": "{}"/g\' {}'.format(
++            contract_field,
++            contract_field,
++            new_value,
++            DEFAULT_MACHINE_TOKEN_PATH,
++        ),
++        user_spec="with sudo",
++    )
++
++
  @when("I attach `{token_type}` {user_spec}")
  def when_i_attach_staging_token(context, token_type, user_spec):
      token = getattr(context.config, token_type)
@@ -225,6 +290,13 @@ def then_conditional_stdout_matches_regexp(context, value1, value2):
          then_stdout_matches_regexp(context)
++@then("if `{value1}` in `{value2}` and stdout does not match regexp")
++def then_conditional_stdout_does_not_match_regexp(context, value1, value2):
++    """Only apply regex assertion if value1 in value2."""
++    if value1 in value2.split(" or "):
++        then_stdout_does_not_match_regexp(context)
++
++
  @then("stdout matches regexp")
  def then_stdout_matches_regexp(context):
      assert_that(context.process.stdout.strip(), matches_regexp(context.text))
 diff --git a/features/ubuntu_pro.feature b/features/ubuntu_pro.feature
 index 5dd0dbb..522781e 100644
 --- a/features/ubuntu_pro.feature
 +++ b/features/ubuntu_pro.feature
@@ -15,7 +15,17 @@ Feature: Command behaviour when attached to an UA subscription
          """
          And I run `ua auto-attach` with sudo
          And I run `ua status --wait` as non-root
--        And I run `ua status --all` as non-root
++        And I run `ua status` as non-root
++        Then stdout matches regexp:
++            """
++            SERVICE       ENTITLED  STATUS    DESCRIPTION
++            esm-apps      +yes +enabled +UA Apps: Extended Security Maintenance \(ESM\)
++            esm-infra     +yes +enabled +UA Infra: Extended Security Maintenance \(ESM\)
++            fips          +yes +<fips-s> +NIST-certified FIPS modules
++            fips-updates  +yes +<fips-s> +Uncertified security updates to FIPS modules
++            livepatch     +yes +enabled  +Canonical Livepatch service
++            """
++        When I run `ua status --all` as non-root
          Then stdout matches regexp:
              """
              SERVICE       ENTITLED  STATUS    DESCRIPTION
@@ -96,7 +106,17 @@ Feature: Command behaviour when attached to an UA subscription
          """
          And I run `ua auto-attach` with sudo
          And I run `ua status --wait` as non-root
--        And I run `ua status --all` as non-root
++        And I run `ua status` as non-root
++        Then stdout matches regexp:
++            """
++            SERVICE       ENTITLED  STATUS    DESCRIPTION
++            esm-apps      +yes +enabled +UA Apps: Extended Security Maintenance \(ESM\)
++            esm-infra     +yes +enabled +UA Infra: Extended Security Maintenance \(ESM\)
++            fips          +yes +<fips-s> +NIST-certified FIPS modules
++            fips-updates  +yes +<fips-s> +Uncertified security updates to FIPS modules
++            livepatch     +yes +enabled  +Canonical Livepatch service
++            """
++        When I run `ua status --all` as non-root
          Then stdout matches regexp:
              """
              SERVICE       ENTITLED  STATUS    DESCRIPTION
@@ -177,7 +197,17 @@ Feature: Command behaviour when attached to an UA subscription
          """
          And I run `ua auto-attach` with sudo
          And I run `ua status --wait` as non-root
--        And I run `ua status --all` as non-root
++        And I run `ua status` as non-root
++        Then stdout matches regexp:
++            """
++            SERVICE       ENTITLED  STATUS    DESCRIPTION
++            esm-apps      +yes +enabled +UA Apps: Extended Security Maintenance \(ESM\)
++            esm-infra     +yes +enabled +UA Infra: Extended Security Maintenance \(ESM\)
++            fips          +yes +<fips-s> +NIST-certified FIPS modules
++            fips-updates  +yes +<fips-s> +Uncertified security updates to FIPS modules
++            livepatch     +yes +enabled  +Canonical Livepatch service
++            """
++        When I run `ua status --all` as non-root
          Then stdout matches regexp:
              """
              SERVICE       ENTITLED  STATUS    DESCRIPTION
@@ -207,7 +237,7 @@ Feature: Command behaviour when attached to an UA subscription
          https://esm.ubuntu.com/apps/ubuntu <release>-apps-security/main amd64 Packages
          """
          And I verify that running `apt update` `with sudo` exits `0`
--        When I run `apt install -y <infra-pkg>/<release>-infra-security>` with sudo, retrying exit [100]
++        When I run `apt install -y <infra-pkg>/<release>-infra-security` with sudo, retrying exit [100]
          And I run `apt-cache policy <infra-pkg>` as non-root
          Then stdout matches regexp:
          """
@@ -218,7 +248,7 @@ Feature: Command behaviour when attached to an UA subscription
          """
          Installed: .*[~+]esm
          """
--        When I run `apt install -y <apps-pkg>/<release>-apps-security>` with sudo, retrying exit [100]
++        When I run `apt install -y <apps-pkg>/<release>-apps-security` with sudo, retrying exit [100]
          And I run `apt-cache policy <apps-pkg>` as non-root
          Then stdout matches regexp:
          """
@@ -238,10 +268,10 @@ Feature: Command behaviour when attached to an UA subscription
              """
          Examples: ubuntu release
--           | release | cc-eal-s | cis-s    | infra-pkg | apps-pkg |
--           | xenial  | disabled | disabled | libkrad0  | jq       |
--           | bionic  | n/a      | disabled | libkrad0  | bundler  |
--           | focal   | n/a      | n/a      | hello     | ant      |
++           | release | fips-s   | cc-eal-s | cis-s    | infra-pkg | apps-pkg |
++           | xenial  | n/a      | disabled | disabled | libkrad0  | jq       |
++           | bionic  | n/a      | n/a      | disabled | libkrad0  | bundler  |
++           | focal   | n/a      | n/a      | n/a      | hello     | ant      |
      @series.trusty
      @uses.config.machine_type.aws.pro
 diff --git a/features/unattached_commands.feature b/features/unattached_commands.feature
 index 0f73393..e2877ba 100644
 --- a/features/unattached_commands.feature
 +++ b/features/unattached_commands.feature
@@ -6,7 +6,7 @@ Feature: Command behaviour when unattached
          When I verify that running `ua auto-attach` `as non-root` exits `1`
          Then stderr matches regexp:
              """
--            This command must be run as root \(try using sudo\)
++            This command must be run as root \(try using sudo\).
              """
          When I run `ua auto-attach` with sudo
          Then stderr matches regexp:
@@ -22,13 +22,93 @@ Feature: Command behaviour when unattached
             | trusty  | nocloudnet |
             | xenial  | lxd        |
++    @series.trusty
++    @series.xenial
++    Scenario Outline: Disabled unattached APT policy apt-hook for infra and apps
++        Given a `<release>` machine with ubuntu-advantage-tools installed
++        When I run `apt update` with sudo
++        When I run `apt-cache policy` with sudo
++        Then if `<release>` in `trusty` and stdout matches regexp:
++        """
++        -32768 <esm-infra-url> <release>-infra-security/main amd64 Packages
++        """
++        Then if `<release>` in `xenial` and stdout matches regexp:
++        """
++        -32768 <esm-infra-url> <release>-infra-updates/main amd64 Packages
++        """
++        Then if `<release>` in `trusty or xenial` and stdout does not match regexp:
++        """
++        -32768 <esm-apps-url> <release>-apps-updates/main amd64 Packages
++        """
++        Then if `<release>` in `trusty or xenial` and stdout does not match regexp:
++        """
++        -32768 <esm-apps-url> <release>-apps-security/main amd64 Packages
++        """
++        When I append the following on uaclient config:
++            """
++            features:
++              allow_beta: true
++            """
++        And I run `dpkg-reconfigure ubuntu-advantage-tools` with sudo
++        And I run `apt-get update` with sudo
++        When I run `apt-cache policy` with sudo
++        Then if `<release>` in `trusty` and stdout does not match regexp:
++        """
++        -32768 <esm-apps-url> <release>-apps-updates/main amd64 Packages
++        """
++        Then if `<release>` in `trusty` and stdout does not match regexp:
++        """
++        -32768 <esm-apps-url> <release>-apps-security/main amd64 Packages
++        """
++        Then if `<release>` in `xenial` and stdout matches regexp:
++        """
++        -32768 <esm-apps-url> <release>-apps-updates/main amd64 Packages
++        """
++        Then if `<release>` in `xenial` and stdout matches regexp:
++        """
++        -32768 <esm-apps-url> <release>-apps-security/main amd64 Packages
++        """
++        When I append the following on uaclient config:
++            """
++            features:
++              allow_beta: true
++            """
++        And I run `python3 /usr/lib/ubuntu-advantage/ua_update_messaging.py` with sudo
++        And I run `run-parts /etc/update-motd.d/` with sudo
++        Then if `<release>` in `xenial` and stdout matches regexp:
++        """
++        \* Introducing Extended Security Maintenance for Applications.
++          +Receive updates to over 30,000 software packages with your
++          +Ubuntu Advantage subscription. Free for personal use.
++
++            +https:\/\/ubuntu.com\/esm
++
++        UA Infra: Extended Security Maintenance \(ESM\) is not enabled.
++        """
++        # Check that json hook is installed properly
++        When I run `ls /usr/lib/ubuntu-advantage` with sudo
++        Then stdout matches regexp:
++        """
++        apt-esm-json-hook
++        """
++        When I run `cat /etc/apt/apt.conf.d/20apt-esm-hook.conf` with sudo
++        Then stdout matches regexp:
++        """
++        apt-esm-json-hook
++        """
++
++        Examples: ubuntu release
++           | release | esm-infra-url                       | esm-apps-url |
++           | trusty  | https://esm.ubuntu.com/ubuntu/      | NOTTESTED                           |
++           | xenial  | https://esm.ubuntu.com/infra/ubuntu | https://esm.ubuntu.com/apps/ubuntu |
++
      @series.all
      Scenario Outline: Unattached commands that requires enabled user in a ubuntu machine
          Given a `<release>` machine with ubuntu-advantage-tools installed
          When I verify that running `ua <command>` `as non-root` exits `1`
          Then I will see the following on stderr:
              """
--            This command must be run as root (try using sudo)
++            This command must be run as root (try using sudo).
              """
          When I verify that running `ua <command>` `with sudo` exits `1`
          Then stderr matches regexp:
@@ -54,7 +134,7 @@ Feature: Command behaviour when unattached
          When I verify that running `ua <command> <service>` `as non-root` exits `1`
          Then I will see the following on stderr:
              """
--            This command must be run as root (try using sudo)
++            This command must be run as root (try using sudo).
              """
          When I verify that running `ua <command> <service>` `with sudo` exits `1`
          Then stderr matches regexp:
@@ -121,3 +201,308 @@ Feature: Command behaviour when unattached
             | focal   |
             | trusty  |
             | xenial  |
++
++    @series.focal
++    Scenario Outline: Fix command on an unattached machine
++        Given a `<release>` machine with ubuntu-advantage-tools installed
++        When I verify that running `ua fix CVE-1800-123456` `as non-root` exits `1`
++        Then I will see the following on stderr:
++            """
++            Error: CVE-1800-123456 not found.
++            """
++        When I verify that running `ua fix USN-12345-12` `as non-root` exits `1`
++        Then I will see the following on stderr:
++            """
++            Error: USN-12345-12 not found.
++            """
++        When I verify that running `ua fix CVE-12345678-12` `as non-root` exits `1`
++        Then I will see the following on stderr:
++            """
++            Error: issue "CVE-12345678-12" is not recognized.
++            Usage: "ua fix CVE-yyyy-nnnn" or "ua fix USN-nnnn"
++            """
++        When I verify that running `ua fix USN-12345678-12` `as non-root` exits `1`
++        Then I will see the following on stderr:
++            """
++            Error: issue "USN-12345678-12" is not recognized.
++            Usage: "ua fix CVE-yyyy-nnnn" or "ua fix USN-nnnn"
++            """
++        When I run `apt install -y libawl-php=0.60-1 --allow-downgrades` with sudo
++        And I run `ua fix USN-4539-1` with sudo
++        Then stdout matches regexp:
++            """
++            USN-4539-1: AWL vulnerability
++            Found CVEs:
++            https://ubuntu.com/security/CVE-2020-11728
++            1 affected package is installed: awl
++            \(1/1\) awl:
++            A fix is available in Ubuntu standard updates.
++            .*\{ apt update && apt install --only-upgrade -y libawl-php \}.*
++            .*✔.* USN-4539-1 is resolved.
++            """
++        When I run `ua fix CVE-2020-28196` as non-root
++        Then stdout matches regexp:
++            """
++            CVE-2020-28196: Kerberos vulnerability
++            https://ubuntu.com/security/CVE-2020-28196
++            1 affected package is installed: krb5
++            \(1/1\) krb5:
++            A fix is available in Ubuntu standard updates.
++            The update is already installed.
++            .*✔.* CVE-2020-28196 is resolved.
++            """
++
++        Examples: ubuntu release details
++           | release |
++           | focal   |
++
++    @series.xenial
++    Scenario Outline: Fix command on an unattached machine
++        Given a `<release>` machine with ubuntu-advantage-tools installed
++        When I run `apt install -y libawl-php` with sudo
++        And I run `ua fix USN-4539-1` as non-root
++        Then stdout matches regexp:
++            """
++            USN-4539-1: AWL vulnerability
++            Found CVEs:
++            https://ubuntu.com/security/CVE-2020-11728
++            1 affected package is installed: awl
++            \(1/1\) awl:
++            Ubuntu security engineers are investigating this issue.
++            1 package is still affected: awl
++            .*✘.* USN-4539-1 is not resolved.
++            """
++        When I run `ua fix CVE-2020-28196` as non-root
++        Then stdout matches regexp:
++            """
++            CVE-2020-28196: Kerberos vulnerability
++            https://ubuntu.com/security/CVE-2020-28196
++            1 affected package is installed: krb5
++            \(1/1\) krb5:
++            A fix is available in Ubuntu standard updates.
++            The update is already installed.
++            .*✔.* CVE-2020-28196 is resolved.
++            """
++        When I run `DEBIAN_FRONTEND=noninteractive apt-get install -y expat=2.1.0-7 swish-e matanza ghostscript` with sudo
++        And I verify that running `ua fix CVE-2017-9233` `with sudo` exits `1`
++        Then stdout matches regexp:
++            """
++            CVE-2017-9233: Expat vulnerability
++            https://ubuntu.com/security/CVE-2017-9233
++            3 affected packages are installed: expat, matanza, swish-e
++            \(1/3, 2/3\) matanza, swish-e:
++            Ubuntu security engineers are investigating this issue.
++            """
++        And stderr matches regexp:
++            """
++            Error: CVE-2017-9233 metadata defines no fixed version for expat.
++            3 packages are still affected: expat, matanza, swish-e
++            .*✘.* CVE-2017-9233 is not resolved.
++            """
++
++        Examples: ubuntu release details
++           | release |
++           | xenial  |
++
++    @uses.config.contract_token
++    @series.trusty
++    Scenario Outline: Fix command on an unattached machine
++        Given a `<release>` machine with ubuntu-advantage-tools installed
++        When I run `ua fix USN-4539-1` as non-root
++        Then stdout matches regexp:
++            """
++            USN-4539-1: AWL vulnerability
++            Found CVEs:
++            https://ubuntu.com/security/CVE-2020-11728
++            No affected packages are installed.
++            .*✔.* USN-4539-1 does not affect your system.
++            """
++        When I run `ua fix CVE-2020-15180` as non-root
++        Then stdout matches regexp:
++            """
++            CVE-2020-15180: MariaDB vulnerabilities
++            https://ubuntu.com/security/CVE-2020-15180
++            No affected packages are installed.
++            .*✔.* CVE-2020-15180 does not affect your system.
++            """
++        When I run `ua fix CVE-2020-28196` as non-root
++        Then stdout matches regexp:
++            """
++            CVE-2020-28196: Kerberos vulnerability
++            https://ubuntu.com/security/CVE-2020-28196
++            1 affected package is installed: krb5
++            \(1/1\) krb5:
++            A fix is available in UA Infra.
++            Package fixes cannot be installed.
++            To install them, run this command as root \(try using sudo\)
++            1 package is still affected: krb5
++            .*✘.* CVE-2020-28196 is not resolved.
++            """
++        When I fix `USN-4747-2` by attaching to a subscription with `contract_token`
++        Then stdout matches regexp:
++            """
++            USN-4747-2: GNU Screen vulnerability
++            Found CVEs:
++            https://ubuntu.com/security/CVE-2021-26937
++            1 affected package is installed: screen
++            \(1/1\) screen:
++            A fix is available in UA Infra.
++            The update is not installed because this system is not attached to a
++            subscription.
++
++            Choose: \[S\]ubscribe at ubuntu.com \[A\]ttach existing token \[C\]ancel
++            > Enter your token \(from https://ubuntu.com/advantage\) to attach this system:
++            > .*\{ ua attach .*\}.*
++            Updating package lists
++            UA Infra: ESM enabled
++            """
++        And stdout matches regexp:
++            """
++            .*\{ apt update && apt install --only-upgrade -y screen \}.*
++            .*✔.* USN-4747-2 is resolved.
++            """
++        When I run `apt-get install -y screen=4.1.0~20120320gitdb59704-9 --force-yes` with sudo
++        And I run `ua disable esm-infra` with sudo
++        And I fix `USN-4747-2` by enabling required service
++        Then stdout matches regexp:
++            """
++            USN-4747-2: GNU Screen vulnerability
++            Found CVEs:
++            https://ubuntu.com/security/CVE-2021-26937
++            1 affected package is installed: screen
++            \(1/1\) screen:
++            A fix is available in UA Infra.
++            The update is not installed because this system does not have
++            esm-infra enabled.
++
++            Choose: \[E\]nable esm-infra \[C\]ancel
++            > .*\{ ua enable esm-infra \}.*
++            One moment, checking your subscription first
++            Updating package lists
++            UA Infra: ESM enabled
++            """
++        And stdout matches regexp:
++            """
++            .*\{ apt update && apt install --only-upgrade -y screen \}.*
++            .*✔.* USN-4747-2 is resolved.
++            """
++        When I run `apt-get install -y screen=4.1.0~20120320gitdb59704-9 --force-yes` with sudo
++        And I update contract to use `effectiveTo` as `1999-12-01T00:00:00Z`
++        And I fix `USN-4747-2` by updating expired token
++        Then stdout matches regexp:
++            """
++            USN-4747-2: GNU Screen vulnerability
++            Found CVEs:
++            https://ubuntu.com/security/CVE-2021-26937
++            1 affected package is installed: screen
++            \(1/1\) screen:
++            A fix is available in UA Infra.
++            The update is not installed because this system is attached to an
++            expired subscription.
++
++            Choose: \[R\]enew your subscription \(at https://ubuntu.com/advantage\) \[C\]ancel
++            > Enter your new token to renew UA subscription on this system:
++            > .*\{ ua detach \}.*
++            Detach will disable the following service:
++                esm-infra
++            Updating package lists
++            This machine is now detached.
++            .*\{ ua attach .* \}.*
++            Updating package lists
++            UA Infra: ESM enabled
++            """
++        And stdout matches regexp:
++            """
++            .*\{ apt update && apt install --only-upgrade -y screen \}.*
++            .*✔.* USN-4747-2 is resolved.
++            """
++
++        Examples: ubuntu release
++           | release |
++           | trusty  |
++
++    @series.bionic
++    Scenario: Fix command on an unattached machine
++        Given a `bionic` machine with ubuntu-advantage-tools installed
++        When I verify that running `ua fix CVE-1800-123456` `as non-root` exits `1`
++        Then I will see the following on stderr:
++            """
++            Error: CVE-1800-123456 not found.
++            """
++        When I verify that running `ua fix USN-12345-12` `as non-root` exits `1`
++        Then I will see the following on stderr:
++            """
++            Error: USN-12345-12 not found.
++            """
++        When I verify that running `ua fix CVE-12345678-12` `as non-root` exits `1`
++        Then I will see the following on stderr:
++            """
++            Error: issue "CVE-12345678-12" is not recognized.
++            Usage: "ua fix CVE-yyyy-nnnn" or "ua fix USN-nnnn"
++            """
++        When I verify that running `ua fix USN-12345678-12` `as non-root` exits `1`
++        Then I will see the following on stderr:
++            """
++            Error: issue "USN-12345678-12" is not recognized.
++            Usage: "ua fix CVE-yyyy-nnnn" or "ua fix USN-nnnn"
++            """
++        When I run `apt install -y libawl-php` with sudo
++        And I run `ua fix USN-4539-1` as non-root
++        Then stdout matches regexp:
++            """
++            USN-4539-1: AWL vulnerability
++            Found CVEs:
++            https://ubuntu.com/security/CVE-2020-11728
++            1 affected package is installed: awl
++            \(1/1\) awl:
++            Ubuntu security engineers are investigating this issue.
++            1 package is still affected: awl
++            .*✘.* USN-4539-1 is not resolved.
++            """
++        When I run `ua fix CVE-2020-28196` as non-root
++        Then stdout matches regexp:
++            """
++            CVE-2020-28196: Kerberos vulnerability
++            https://ubuntu.com/security/CVE-2020-28196
++            1 affected package is installed: krb5
++            \(1/1\) krb5:
++            A fix is available in Ubuntu standard updates.
++            The update is already installed.
++            .*✔.* CVE-2020-28196 is resolved.
++            """
++        When I run `apt-get install xterm=330-1ubuntu2 -y` with sudo
++        And I run `ua fix CVE-2021-27135` as non-root
++        Then stdout matches regexp:
++        """
++        CVE-2021-27135: xterm vulnerability
++        https://ubuntu.com/security/CVE-2021-27135
++        1 affected package is installed: xterm
++        \(1/1\) xterm:
++        A fix is available in Ubuntu standard updates.
++        Package fixes cannot be installed.
++        To install them, run this command as root \(try using sudo\)
++        1 package is still affected: xterm
++        .*✘.* CVE-2021-27135 is not resolved.
++        """
++        When I run `ua fix CVE-2021-27135` with sudo
++        Then stdout matches regexp:
++        """
++        CVE-2021-27135: xterm vulnerability
++        https://ubuntu.com/security/CVE-2021-27135
++        1 affected package is installed: xterm
++        \(1/1\) xterm:
++        A fix is available in Ubuntu standard updates.
++        .*\{ apt update && apt install --only-upgrade -y xterm \}.*
++        .*✔.* CVE-2021-27135 is resolved.
++        """
++        When I run `ua fix CVE-2021-27135` with sudo
++        Then stdout matches regexp:
++        """
++        CVE-2021-27135: xterm vulnerability
++        https://ubuntu.com/security/CVE-2021-27135
++        1 affected package is installed: xterm
++        \(1/1\) xterm:
++        A fix is available in Ubuntu standard updates.
++        The update is already installed.
++        .*✔.* CVE-2021-27135 is resolved.
++        """
 diff --git a/features/util.py b/features/util.py
 index 8af945c..cacd992 100644
 --- a/features/util.py
 +++ b/features/util.py
@@ -18,33 +18,6 @@ LXC_PROPERTY_MAP = {
  SLOW_CMDS = ["do-release-upgrade"]  # Commands which will emit dots on travis
  SOURCE_PR_TGZ = os.path.join(tempfile.gettempdir(), "pr_source.tar.gz")
  UA_DEBS = frozenset({"ubuntu-advantage-tools.deb", "ubuntu-advantage-pro.deb"})
--VM_PROFILE_TMPL = "behave-{}"
--
--
--# For Xenial and Bionic vendor-data required to setup lxd-agent
--# Additionally xenial needs to launch images:ubuntu/16.04/cloud
--# because it contains the HWE kernel which has vhost-vsock support
--LXC_SETUP_VENDORDATA = textwrap.dedent(
--    """\
--    config:
--      user.vendor-data: |
--        #cloud-config
--        {custom_cfg}
--        write_files:
--        - path: /var/lib/cloud/scripts/per-once/setup-lxc.sh
--          encoding: b64
--          permissions: '0755'
--          owner: root:root
--          content: |
--              IyEvYmluL3NoCmlmICEgZ3JlcCBseGRfY29uZmlnIC9wcm9jL21vdW50czsgdGhlbgogICAgbWtk
--              aXIgLXAgL3J1bi9seGRhZ2VudAogICAgbW91bnQgLXQgOXAgY29uZmlnIC9ydW4vbHhkYWdlbnQK
--              ICAgIFZJUlQ9JChzeXN0ZW1kLWRldGVjdC12aXJ0KQogICAgY2FzZSAkVklSVCBpbgogICAgICAg
--              IHFlbXV8a3ZtKQogICAgICAgICAgICAoY2QgL3J1bi9seGRhZ2VudC8gJiYgLi9pbnN0YWxsLnNo
--              KQogICAgICAgICAgICB1bW91bnQgL3J1bi9seGRhZ2VudAogICAgICAgICAgICBzeXN0ZW1jdGwg
--              c3RhcnQgbHhkLWFnZW50LTlwIGx4ZC1hZ2VudAogICAgICAgICAgICA7OwogICAgICAgICopCiAg
--              ICBlc2FjCmZpCg==
--   """
--)
  BUILD_FROM_TGZ = textwrap.dedent(
@@ -65,60 +38,6 @@ BUILD_FROM_TGZ = textwrap.dedent(
+ )
--def lxc_create_vm_profile(series: str):
--    """Create a vm profile to enable launching kvm instances"""
--
--    content_tmpl = textwrap.dedent(
--        """\
--        {vendordata}
--        description: Default LXD profile for {series} VMs
--        devices:
--          config:
--            source: cloud-init:config
--            type: disk
--          eth0:
--            name: eth0
--            network: lxdbr0
--            type: nic
--          root:
--            path: /
--            pool: default
--            type: disk
--        name: vm
--    """
--    )
--    if series == "xenial":
--        # FIXME: Xenial images from images:ubuntu/16.04/cloud have HWE kernel
--        # but no openssh-server (which fips testing would expect)
--        # Work with CPC to get vhost-vsock support if possible to use
--        # ubuntu-daily:xenial images
--        content = content_tmpl.format(
--            vendordata=LXC_SETUP_VENDORDATA.format(
--                custom_cfg="packages: [openssh-server]"
--            ),
--            series=series,
--        )
--    elif series == "bionic":
--        content = content_tmpl.format(
--            vendordata=LXC_SETUP_VENDORDATA.format(custom_cfg=""),
--            series=series,
--        )
--    elif series == "focal":
--        content = content_tmpl.format(vendordata="config: {}", series=series)
--    else:
--        raise RuntimeError(
--            "===No lxc mv support for series {}====".format(series)
--        )
--    output = subprocess.check_output(["lxc", "profile", "list"])
--    profile_name = VM_PROFILE_TMPL.format(series)
--    if " {} ".format(profile_name) not in output.decode("utf-8"):
--        subprocess.run(["lxc", "profile", "create", profile_name])
--        proc = subprocess.Popen(
--            ["lxc", "profile", "edit", profile_name], stdin=subprocess.PIPE
--        )
--        proc.communicate(content.encode())
--
--
  def lxc_get_property(name: str, property_name: str, image: bool = False):
      """Check series name of either an image or a container.
 diff --git a/integration-requirements.txt b/integration-requirements.txt
 index e29790e..b4e36d7 100644
 --- a/integration-requirements.txt
 +++ b/integration-requirements.txt
@@ -1,7 +1,7 @@
  # Integration testing
  behave
  PyHamcrest
--pycloudlib @ git+https://github.com/canonical/pycloudlib.git@1ac9d4c82fdfd5cb1407f70b8a2b17e02953569d
++pycloudlib @ git+https://github.com/canonical/pycloudlib.git@cab5db70bdd5588aabcf7217e655ff90d2dee487
  # Simplestreams is not found on PyPi so pull from repo directly
 diff --git a/lib/__init__.py b/lib/__init__.py
 deleted file mode 100644
 index e69de29..0000000
 --- a/lib/__init__.py
 +++ /dev/null
 diff --git a/lib/reboot_cmds.py b/lib/reboot_cmds.py
 index 6a753d5..7cc5dfd 100644
 --- a/lib/reboot_cmds.py
 +++ b/lib/reboot_cmds.py
@@ -120,15 +120,19 @@ def process_reboot_operations(args, cfg):
      if os.path.exists(reboot_cmd_marker_file):
          logging.debug("Running process contract deltas on reboot ...")
--        fix_pro_pkg_holds(cfg)
--        refresh_contract(cfg)
--        process_remaining_deltas(cfg)
--
--        cfg.delete_cache_key("marker-reboot-cmds")
++        try:
++            fix_pro_pkg_holds(cfg)
++            refresh_contract(cfg)
++            process_remaining_deltas(cfg)
--        logging.debug(
--            "Completed running process contract deltas on reboot ..."
--        )
++            cfg.delete_cache_key("marker-reboot-cmds")
++            cfg.remove_notice("", status.MESSAGE_REBOOT_SCRIPT_FAILED)
++            logging.debug("Successfully ran all commands on reboot.")
++        except Exception as e:
++            msg = "Failed running commands on reboot."
++            msg += str(e)
++            logging.error(msg)
++            cfg.add_notice("", status.MESSAGE_REBOOT_SCRIPT_FAILED)
  def main(cfg):
 diff --git a/lib/ua_update_messaging.py b/lib/ua_update_messaging.py
 new file mode 100644
 index 0000000..d8e645e
 --- /dev/null
 +++ b/lib/ua_update_messaging.py
@@ -0,0 +1,302 @@
++#!/usr/bin/env python3
++
++"""
++Update messaging text for use in MOTD and APT custom Ubuntu Advantage messages.
++
++Messaging files will be emitted to /var/lib/ubuntu-advantage/message-* which
++will be sourced by apt-hook/hook.cc and various /etc/update-motd.d/ hooks to
++present updated text about Ubuntu Advantage service and token state.
++"""
++
++import enum
++import logging
++import os
++
++try:
++    from typing import Dict, List, Optional, Tuple  # noqa
++except ImportError:
++    # typing isn't available on trusty, so ignore its absence
++    pass
++
++from uaclient.cli import setup_logging
++from uaclient import config
++from uaclient import entitlements
++from uaclient import defaults
++from uaclient.status import (
++    MESSAGE_ANNOUNCE_ESM,
++    MESSAGE_CONTRACT_EXPIRED_APT_NO_PKGS_TMPL,
++    MESSAGE_CONTRACT_EXPIRED_APT_PKGS_TMPL,
++    MESSAGE_CONTRACT_EXPIRED_GRACE_PERIOD_TMPL,
++    MESSAGE_CONTRACT_EXPIRED_MOTD_PKGS_TMPL,
++    MESSAGE_CONTRACT_EXPIRED_SOON_TMPL,
++    MESSAGE_DISABLED_MOTD_NO_PKGS_TMPL,
++    MESSAGE_DISABLED_APT_PKGS_TMPL,
++    MESSAGE_UBUNTU_NO_WARRANTY,
++    ApplicationStatus,
++)
++from uaclient import util
++
++
++@enum.unique
++class ContractExpiryStatus(enum.Enum):
++    NONE = 0
++    ACTIVE = 1
++    ACTIVE_EXPIRED_SOON = 2
++    EXPIRED_GRACE_PERIOD = 3
++    EXPIRED = 4
++
++
++# Type of message file used for external messaging (APT and MOTD)
++@enum.unique
++class ExternalMessage(enum.Enum):
++    MOTD_APPS_NO_PKGS = "motd-no-packages-apps.tmpl"
++    MOTD_INFRA_NO_PKGS = "motd-no-packages-infra.tmpl"
++    MOTD_APPS_PKGS = "motd-packages-apps.tmpl"
++    MOTD_INFRA_PKGS = "motd-packages-infra.tmpl"
++    APT_PRE_INVOKE_APPS_NO_PKGS = "apt-pre-invoke-no-packages-apps.tmpl"
++    APT_PRE_INVOKE_INFRA_NO_PKGS = "apt-pre-invoke-no-packages-infra.tmpl"
++    APT_PRE_INVOKE_APPS_PKGS = "apt-pre-invoke-packages-apps.tmpl"
++    APT_PRE_INVOKE_INFRA_PKGS = "apt-pre-invoke-packages-infra.tmpl"
++    APT_PRE_INVOKE_SERVICE_STATUS = "apt-pre-invoke-esm-service-status"
++    MOTD_ESM_SERVICE_STATUS = "motd-esm-service-status"
++    ESM_ANNOUNCE = "motd-esm-announce"
++    UBUNTU_NO_WARRANTY = "ubuntu-no-warranty"
++
++
++def get_contract_expiry_status(
++    cfg: config.UAConfig
++) -> "Tuple[ContractExpiryStatus, int]":
++    """Return a tuple [ContractExpiryStatus, num_days]"""
++    if not cfg.is_attached:
++        return ContractExpiryStatus.NONE, 0
++
++    grace_period = defaults.CONTRACT_EXPIRY_GRACE_PERIOD_DAYS
++    pending_expiry = defaults.CONTRACT_EXPIRY_PENDING_DAYS
++    remaining_days = cfg.contract_remaining_days
++    if 0 <= remaining_days <= pending_expiry:
++        return ContractExpiryStatus.ACTIVE_EXPIRED_SOON, remaining_days
++    elif -grace_period <= remaining_days < 0:
++        return ContractExpiryStatus.EXPIRED_GRACE_PERIOD, remaining_days
++    elif remaining_days < -grace_period:
++        return ContractExpiryStatus.EXPIRED, remaining_days
++    return ContractExpiryStatus.ACTIVE, remaining_days
++
++
++def _write_template_or_remove(msg: str, tmpl_file: str):
++    """Write a template to tmpl_file.
++
++    When msg is empty, remove both tmpl_file and the generated msg.
++    """
++    if msg:
++        util.write_file(tmpl_file, msg)
++    else:
++        util.remove_file(tmpl_file)
++        if tmpl_file.endswith(".tmpl"):
++            util.remove_file(tmpl_file.replace(".tmpl", ""))
++
++
++def _write_esm_service_msg_templates(
++    cfg: config.UAConfig,
++    ent: entitlements.base.UAEntitlement,
++    expiry_status: ContractExpiryStatus,
++    remaining_days: int,
++    pkgs_file: str,
++    no_pkgs_file: str,
++    motd_pkgs_file: str,
++    motd_no_pkgs_file: str,
++    no_warranty_file: str,
++):
++
++    pkgs_msg = no_pkgs_msg = motd_pkgs_msg = motd_no_pkgs_msg = ""
++    no_warranty_msg = ""
++    tmpl_prefix = ent.name.upper().replace("-", "_")
++    tmpl_pkg_count_var = "{{{}_PKG_COUNT}}".format(tmpl_prefix)
++    tmpl_pkg_names_var = "{{{}_PACKAGES}}".format(tmpl_prefix)
++    if ent.application_status()[0] == ApplicationStatus.ENABLED:
++        if expiry_status == ContractExpiryStatus.ACTIVE_EXPIRED_SOON:
++            pkgs_msg = MESSAGE_CONTRACT_EXPIRED_SOON_TMPL.format(
++                title=ent.title,
++                remaining_days=remaining_days,
++                url=defaults.BASE_UA_URL,
++            )
++            # Same cautionary message when contract is about to expire
++            motd_pkgs_msg = motd_no_pkgs_msg = no_pkgs_msg = pkgs_msg
++        elif expiry_status == ContractExpiryStatus.EXPIRED_GRACE_PERIOD:
++            grace_period_remaining = (
++                defaults.CONTRACT_EXPIRY_GRACE_PERIOD_DAYS + remaining_days
++            )
++            pkgs_msg = MESSAGE_CONTRACT_EXPIRED_GRACE_PERIOD_TMPL.format(
++                title=ent.title,
++                expired_date=cfg.contract_expiry_datetime.strftime("%d %b %Y"),
++                remaining_days=grace_period_remaining,
++                url=defaults.BASE_UA_URL,
++            )
++            # Same cautionary message when in grace period
++            motd_pkgs_msg = motd_no_pkgs_msg = no_pkgs_msg = pkgs_msg
++        elif expiry_status == ContractExpiryStatus.EXPIRED:
++            if util.is_active_esm(util.get_platform_info()["series"]):
++                no_warranty_msg = MESSAGE_UBUNTU_NO_WARRANTY
++            pkgs_msg = MESSAGE_CONTRACT_EXPIRED_APT_PKGS_TMPL.format(
++                pkg_num=tmpl_pkg_count_var,
++                pkg_names=tmpl_pkg_names_var,
++                title=ent.title,
++                name=ent.name,
++                url=defaults.BASE_UA_URL,
++            )
++            no_pkgs_msg = MESSAGE_CONTRACT_EXPIRED_APT_NO_PKGS_TMPL.format(
++                title=ent.title, url=defaults.BASE_ESM_URL
++            )
++            motd_no_pkgs_msg = no_pkgs_msg
++            motd_pkgs_msg = MESSAGE_CONTRACT_EXPIRED_MOTD_PKGS_TMPL.format(
++                title=ent.title,
++                pkg_num=tmpl_pkg_count_var,
++                url=defaults.BASE_ESM_URL,
++            )
++    elif expiry_status != ContractExpiryStatus.EXPIRED:  # Service not enabled
++        pkgs_msg = MESSAGE_DISABLED_APT_PKGS_TMPL.format(
++            title=ent.title,
++            pkg_num=tmpl_pkg_count_var,
++            pkg_names=tmpl_pkg_names_var,
++            url=defaults.BASE_ESM_URL,
++        )
++        no_pkgs_msg = MESSAGE_DISABLED_MOTD_NO_PKGS_TMPL.format(
++            title=ent.title, url=defaults.BASE_ESM_URL
++        )
++
++    msg_dir = os.path.join(cfg.data_dir, "messages")
++    _write_template_or_remove(
++        no_warranty_msg, os.path.join(msg_dir, no_warranty_file)
++    )
++    _write_template_or_remove(no_pkgs_msg, os.path.join(msg_dir, no_pkgs_file))
++    _write_template_or_remove(pkgs_msg, os.path.join(msg_dir, pkgs_file))
++    _write_template_or_remove(
++        motd_no_pkgs_msg, os.path.join(msg_dir, motd_no_pkgs_file)
++    )
++    _write_template_or_remove(
++        motd_pkgs_msg, os.path.join(msg_dir, motd_pkgs_file)
++    )
++
++
++def write_apt_and_motd_templates(cfg: config.UAConfig, series: str) -> None:
++    """Write messaging templates about available esm packages.
++
++    :param cfg: UAConfig instance for this environment.
++    :param series: string of Ubuntu release series: 'xenial'.
++    """
++    apps_no_pkg_file = ExternalMessage.APT_PRE_INVOKE_APPS_NO_PKGS.value
++    apps_pkg_file = ExternalMessage.APT_PRE_INVOKE_APPS_PKGS.value
++    infra_no_pkg_file = ExternalMessage.APT_PRE_INVOKE_INFRA_NO_PKGS.value
++    infra_pkg_file = ExternalMessage.APT_PRE_INVOKE_INFRA_PKGS.value
++    motd_apps_no_pkg_file = ExternalMessage.MOTD_APPS_NO_PKGS.value
++    motd_apps_pkg_file = ExternalMessage.MOTD_APPS_PKGS.value
++    motd_infra_no_pkg_file = ExternalMessage.MOTD_INFRA_NO_PKGS.value
++    motd_infra_pkg_file = ExternalMessage.MOTD_INFRA_PKGS.value
++    no_warranty_file = ExternalMessage.UBUNTU_NO_WARRANTY.value
++
++    apps_cls = entitlements.ENTITLEMENT_CLASS_BY_NAME["esm-apps"]
++    apps_inst = apps_cls(cfg)
++    config_allow_beta = util.is_config_value_true(
++        config=cfg.cfg, path_to_value="features.allow_beta"
++    )
++    apps_not_beta = bool(config_allow_beta or not apps_cls.is_beta)
++    infra_cls = entitlements.ENTITLEMENT_CLASS_BY_NAME["esm-infra"]
++    infra_inst = infra_cls(cfg)
++
++    expiry_status, remaining_days = get_contract_expiry_status(cfg)
++
++    if series != "trusty" and apps_not_beta:
++        _write_esm_service_msg_templates(
++            cfg,
++            apps_inst,
++            expiry_status,
++            remaining_days,
++            apps_pkg_file,
++            apps_no_pkg_file,
++            motd_apps_pkg_file,
++            motd_apps_no_pkg_file,
++            no_warranty_file,
++        )
++
++    # We only have esm-infra apt alerts for esm distros.
++    # However, if we have expired credentials, we will
++    # produce esm-infra message showing that the contract is
++    # expiring/expired.
++    infra_status, _ = infra_inst.application_status()
++    is_infra_enabled = infra_status == ApplicationStatus.ENABLED
++    if is_infra_enabled or util.is_active_esm(series):
++        _write_esm_service_msg_templates(
++            cfg,
++            infra_inst,
++            expiry_status,
++            remaining_days,
++            infra_pkg_file,
++            infra_no_pkg_file,
++            motd_infra_pkg_file,
++            motd_infra_no_pkg_file,
++            no_warranty_file,
++        )
++
++
++def write_esm_announcement_message(cfg: config.UAConfig, series: str) -> None:
++    """Write human-readable messages if ESM is offered on this LTS release.
++
++    Do not write ESM announcements on trusty, esm-apps is enable or beta.
++
++    :param cfg: UAConfig instance for this environment.
++    :param series: string of Ubuntu release series: 'xenial'.
++    """
++    apps_cls = entitlements.ENTITLEMENT_CLASS_BY_NAME["esm-apps"]
++    apps_inst = apps_cls(cfg)
++    enabled_status = ApplicationStatus.ENABLED
++    apps_not_enabled = apps_inst.application_status()[0] != enabled_status
++    config_allow_beta = util.is_config_value_true(
++        config=cfg.cfg, path_to_value="features.allow_beta"
++    )
++    apps_not_beta = bool(config_allow_beta or not apps_cls.is_beta)
++
++    msg_dir = os.path.join(cfg.data_dir, "messages")
++    esm_news_file = os.path.join(msg_dir, ExternalMessage.ESM_ANNOUNCE.value)
++    if all([series != "trusty", apps_not_beta, apps_not_enabled]):
++        util.write_file(esm_news_file, "\n" + MESSAGE_ANNOUNCE_ESM)
++    else:
++        util.remove_file(esm_news_file)
++
++
++def update_apt_and_motd_messages(cfg: config.UAConfig) -> None:
++    """Emit templates and human-readable status messages in msg_dir.
++
++    These structured messages will be sourced by both /etc/update.motd.d
++    and APT UA-configured hooks. APT hook content will orginate from
++    apt-hook/hook.cc
++
++    Call esm-apt-hook process-templates to render final human-readable
++    messages.
++
++    :param cfg: UAConfig instance for this environment.
++    """
++    setup_logging(logging.INFO, logging.DEBUG)
++    logging.debug("Updating UA messages for APT and MOTD.")
++    msg_dir = os.path.join(cfg.data_dir, "messages")
++    if not os.path.exists(msg_dir):
++        os.makedirs(msg_dir)
++
++    series = util.get_platform_info()["series"]
++    if not util.is_lts(series):
++        # ESM is only on LTS releases. Remove all messages and templates.
++        for msg_enum in ExternalMessage:
++            msg_path = os.path.join(msg_dir, msg_enum.value)
++            util.remove_file(msg_path)
++            if msg_path.endswith(".tmpl"):
++                util.remove_file(msg_path.replace(".tmpl", ""))
++        return
++
++    # Announce ESM availabilty on active ESM LTS releases
++    write_esm_announcement_message(cfg, series)
++    write_apt_and_motd_templates(cfg, series)
++    # Now that we've setup/cleanedup templates render them with apt-hook
++    util.subp(["/usr/lib/ubuntu-advantage/apt-esm-hook", "process-templates"])
++
++
++if __name__ == "__main__":
++    cfg = config.UAConfig()
++    update_apt_and_motd_messages(cfg=cfg)
 diff --git a/setup.py b/setup.py
 index a8a597c..0702d03 100644
 --- a/setup.py
 +++ b/setup.py
@@ -40,6 +40,7 @@ def _get_version():
  def _get_data_files():
      data_files = [
          ("/etc/ubuntu-advantage", ["uaclient.conf", "help_data.yaml"]),
++        ("/etc/update-motd.d", glob.glob("update-motd.d/*")),
          ("/usr/lib/ubuntu-advantage", glob.glob("lib/[!_]*")),
          ("/usr/share/keyrings", glob.glob("keyrings/*")),
+         (
 diff --git a/systemd/ua-messaging.service b/systemd/ua-messaging.service
 new file mode 100644
 index 0000000..7bc57d2
 --- /dev/null
 +++ b/systemd/ua-messaging.service
@@ -0,0 +1,8 @@
++[Unit]
++Description=Ubuntu Advantage APT and MOTD Messages
++After=network.target network-online.target systemd-networkd.service ua-auto-attach.service
++Wants=ua-auto-attach.service
++
++[Service]
++Type=oneshot
++ExecStart=/usr/bin/python3 /usr/lib/ubuntu-advantage/ua_update_messaging.py
 diff --git a/systemd/ua-messaging.timer b/systemd/ua-messaging.timer
 new file mode 100644
 index 0000000..fee91b7
 --- /dev/null
 +++ b/systemd/ua-messaging.timer
@@ -0,0 +1,11 @@
++[Unit]
++Description=Ubuntu Advantage update messaging
++
++[Timer]
++OnCalendar=*-*-* 3,15:00
++RandomizedDelaySec=1h
++Persistent=true
++OnStartupSec=1min
++
++[Install]
++WantedBy=timers.target
 diff --git a/tools/test_xenial_upgrade.sh b/tools/test_xenial_upgrade.sh
 new file mode 100644
 index 0000000..691581b
 --- /dev/null
 +++ b/tools/test_xenial_upgrade.sh
@@ -0,0 +1,224 @@
++#!/usr/bin/bash
++
++set -x
++set -e
++name=test-xenial-ua-upgrade
++
++function h1() {
++    set +x
++    echo ""
++    echo ""
++    echo ""
++    echo "############################################################################"
++    echo "## $1"
++    echo "############################################################################"
++    echo ""
++    set -x
++}
++function h2() {
++    set +x
++    echo ""
++    echo ""
++    echo "-> $1"
++    echo "----------------------------------------------------------------------------"
++    echo ""
++    set -x
++}
++
++
++function setup() {
++    tool=$1
++
++    h2 "Make sure we're up to date"
++    $tool exec $name -- sudo apt update
++    $tool exec $name -- sudo apt upgrade -y
++    $tool exec $name -- sudo apt install ubuntu-advantage-tools -y
++
++    h2 "Initial State"
++    $tool exec $name -- apt-cache policy ubuntu-advantage-tools
++    $tool exec $name -- sudo ubuntu-advantage status
++    $tool exec $name -- dpkg-query -L ubuntu-advantage-tools
++}
++function setup_container() {
++    h1 "Setting up fresh container"
++    lxc delete --force $name || true
++    lxc launch ubuntu-daily:xenial $name
++    sleep 10
++
++    setup lxc
++}
++function setup_vm() {
++    h1 "Setting up fresh vm"
++    multipass delete -p $name || true
++    multipass launch -n $name xenial
++    sleep 10
++
++    setup multipass
++}
++function teardown_container() {
++    lxc delete --force $name || true
++}
++function teardown_vm() {
++    multipass delete -p $name || true
++}
++
++function install_new_ua() {
++    tool=$1
++    h2 "Set up to use daily ppa"
++    $tool exec $name -- sudo add-apt-repository ppa:ua-client/daily -y
++    $tool exec $name -- sudo apt update
++
++    h2 "Actually install - verify there are no errors"
++    $tool exec $name -- sudo apt install ubuntu-advantage-tools -y
++}
++
++function attach_ua() {
++    tool=$1
++    set +x
++    echo "+ $tool exec $name -- sudo ua attach \$UACLIENT_BEHAVE_CONTRACT_TOKEN"
++    $tool exec $name -- sudo ua attach $UACLIENT_BEHAVE_CONTRACT_TOKEN
++    set -x
++}
++
++
++
++
++function test_upgrade_in_container() {
++    setup_container
++
++    h1 "Upgrade to UA 27 while unattached"
++
++    install_new_ua lxc
++
++    h2 "Check for leftover files from old version - verify nothing unexpected is left behind"
++    lxc exec $name -- ls -l /etc/update-motd.d/99-esm /usr/share/keyrings/ubuntu-esm-keyring.gpg /usr/share/keyrings/ubuntu-fips-keyring.gpg /usr/share/man/man1/ubuntu-advantage.1.gz /usr/share/doc/ubuntu-advantage-tools/copyright /usr/share/doc/ubuntu-advantage-tools/changelog.gz /usr/bin/ubuntu-advantage || true
++
++    h2 "New Status - verify esm-infra available but not enabled; esm-apps not visible"
++    lxc exec $name -- ua status
++
++    h2 "Attach - verify esm-infra automatically enabled; esm-apps not visible"
++    attach_ua lxc
++
++    h2 "Detaching before destruction"
++    lxc exec $name -- ua detach --assume-yes
++
++    teardown_container
++}
++
++
++function test_upgrade_with_livepatch_in_vm() {
++
++    setup_vm
++
++    h1 "Upgrade to UA 27 while old version has livepatch enabled"
++
++    h2 "Enable livepatch on old version"
++    set +x
++    echo "+ multipass exec $name -- ubuntu-advantage enable-livepatch \$LIVEPATCH_TOKEN"
++    multipass exec $name -- sudo ubuntu-advantage enable-livepatch $LIVEPATCH_TOKEN
++    set -x
++
++    h2 "Status before - old UA and livepatch say enabled"
++    multipass exec $name -- sudo canonical-livepatch status
++    multipass exec $name -- sudo ubuntu-advantage status
++
++    install_new_ua multipass
++
++    h2 "Status after upgrade - livepatch still enabled but new UA doesn't report it"
++    multipass exec $name -- sudo canonical-livepatch status
++    multipass exec $name -- sudo ua status
++
++    h2 "Attach - verify that livepatch is disabled and re-enabled"
++    attach_ua multipass
++
++    h2 "Status after attach - both livepatch and UA should say enabled"
++    multipass exec $name -- sudo canonical-livepatch status
++    multipass exec $name -- sudo ua status
++
++    h2 "Detaching before destruction"
++    multipass exec $name -- sudo ua detach --assume-yes
++
++    teardown_vm
++}
++
++function test_upgrade_with_fips_in_vm() {
++
++    setup_vm
++
++    h1 "Upgrade to UA 27 while old version has fips enabled"
++
++    h2 "Manual fips check says disabled (file doesn't exist)"
++    multipass exec $name -- sudo cat /proc/sys/crypto/fips_enabled || true
++
++    h2 "Enable fips on old version"
++    set +x
++    echo "+ multipass exec $name -- ubuntu-advantage enable-fips \$FIPS_CREDS"
++    multipass exec $name -- sudo ubuntu-advantage enable-fips $FIPS_CREDS
++    set -x
++
++    h2 "Reboot to finish fips activation"
++    multipass exec $name -- sudo reboot || true
++    sleep 20
++
++    h2 "Status before upgrade - old UA says fips is enabled, manual check agrees"
++    multipass exec $name -- sudo ubuntu-advantage status
++    multipass exec $name -- sudo cat /proc/sys/crypto/fips_enabled
++
++    h2 "Source added by old client is present"
++    multipass exec $name -- sudo ls /etc/apt/sources.list.d
++    multipass exec $name -- sudo grep -o private-ppa.launchpad.net/ubuntu-advantage/fips/ubuntu /etc/apt/sources.list.d/ubuntu-fips-xenial.list
++
++    install_new_ua multipass
++
++    h2 "Status after upgrade - new UA won't say anything is enabled, but a manual check still says fips is enabled"
++    multipass exec $name -- sudo ua status
++    multipass exec $name -- sudo cat /proc/sys/crypto/fips_enabled
++
++    h2 "Source file added by old client is renamed but contents left unchanged"
++    multipass exec $name -- sudo ls /etc/apt/sources.list.d
++    multipass exec $name -- sudo grep -o private-ppa.launchpad.net/ubuntu-advantage/fips/ubuntu /etc/apt/sources.list.d/ubuntu-fips.list
++
++    h2 "Attach - only esm-infra will be auto-enabled"
++    attach_ua multipass
++
++    h2 "Status after attach - new UA will say fips is disabled, livepatch is n/a, and there is a notice to enable fips"
++    multipass exec $name -- sudo ua status
++    multipass exec $name -- sudo cat /proc/sys/crypto/fips_enabled
++
++    h2 "Enable fips on new UA - This will re-install fips packages and ask to reboot again"
++    multipass exec $name -- sudo ua enable fips --assume-yes
++
++
++    h2 "Status after enabled but before reboot - UA says fips enabled, notice to enable fips is gone"
++    multipass exec $name -- sudo ua status
++    multipass exec $name -- sudo cat /proc/sys/crypto/fips_enabled
++
++    h2 "Source added by old client is replaced with new source"
++    set +x
++    echo "multipass exec $name -- sudo grep \$FIPS_CREDS /etc/apt/sources.list.d/ubuntu-fips.list && echo \"FAIL: found oldclient FIPS creds\" || echo \"SUCCESS: Migrated to new client creds\""
++    multipass exec $name -- sudo grep $FIPS_CREDS /etc/apt/sources.list.d/ubuntu-fips.list && echo "FAIL: found oldclient FIPS creds" || echo "SUCCESS: Migrated to new client creds"
++    set -x
++    multipass exec $name -- sudo ls /etc/apt/sources.list.d
++    multipass exec $name -- sudo cat /etc/apt/sources.list.d/ubuntu-fips.list
++    multipass exec $name -- sudo apt update
++
++    h2 "Check to make sure we have a valid ubuntu-*-fips metapackage installed"
++    multipass exec $name -- sudo grep "install" /var/log/ubuntu-advantage.log
++
++    h2 "Reboot to finish second fips activation"
++    multipass exec $name -- sudo reboot || true
++    sleep 20
++
++    h2 "Status after reboot - new UA will say fips is enabled, manual check agrees"
++    multipass exec $name -- sudo ua status
++    multipass exec $name -- sudo cat /proc/sys/crypto/fips_enabled
++
++    h2 "Detaching before destruction"
++    multipass exec $name -- sudo ua detach --assume-yes
++
++    teardown_vm
++}
++
++test_upgrade_in_container
++test_upgrade_with_livepatch_in_vm
++test_upgrade_with_fips_in_vm
 diff --git a/tools/tox-lxd-runner b/tools/tox-lxd-runner
 index 40c5e48..cd80af0 100755
 --- a/tools/tox-lxd-runner
 +++ b/tools/tox-lxd-runner
@@ -57,9 +57,9 @@ python_minor=$(lxc exec "$container" -- python3 -c 'import sys; print(sys.versio
  if ((python_minor > 5)); then
      get_pip_url="https://bootstrap.pypa.io/get-pip.py"
  elif ((python_minor == 5)); then
--    get_pip_url="https://bootstrap.pypa.io/3.5/get-pip.py"
++    get_pip_url="https://bootstrap.pypa.io/pip/3.5/get-pip.py"
  elif ((python_minor == 4)); then
--    get_pip_url="https://bootstrap.pypa.io/3.4/get-pip.py"
++    get_pip_url="https://bootstrap.pypa.io/pip/3.4/get-pip.py"
  else
      echo "Unsupported Python version (3.$python_minor)"
      exit 1
 diff --git a/tox.ini b/tox.ini
 index fa53bb5..19a5b56 100644
 --- a/tox.ini
 +++ b/tox.ini
@@ -46,8 +46,8 @@ commands =
      flake8-bionic: flake8 features
      mypy: mypy --python-version 3.4 uaclient/
      mypy: mypy --python-version 3.5 uaclient/
--    mypy: mypy --python-version 3.6 uaclient/ features/
--    mypy-focal: mypy --python-version 3.7 uaclient/ features/
++    mypy: mypy --python-version 3.6 uaclient/ features/ lib/
++    mypy-focal: mypy --python-version 3.7 uaclient/ features/ lib/
      black: black --check --diff uaclient/ features/ lib/ setup.py
      behave-lxd-14.04: behave -v {posargs} --tags="series.trusty,series.all"  --tags="~upgrade"
      behave-lxd-16.04: behave -v {posargs} --tags="series.xenial,series.all" --tags="~upgrade"
 diff --git a/uaclient-devel.conf b/uaclient-devel.conf
 index e21d64d..c8386c8 100644
 --- a/uaclient-devel.conf
 +++ b/uaclient-devel.conf
@@ -1,5 +1,6 @@
  # Development UA Client config file. YAML
  contract_url: 'https://contracts.staging.canonical.com'
++security_url: 'https://ubuntu.com/security'
  data_dir: /var/tmp/uaclient
  log_level: debug
  log_file: ubuntu-advantage-devel.log
 diff --git a/uaclient.conf b/uaclient.conf
 index 8dc2f1a..9e5def8 100644
 --- a/uaclient.conf
 +++ b/uaclient.conf
@@ -1,5 +1,6 @@
  # Ubuntu-Advantage client config file.
  contract_url: 'https://contracts.canonical.com'
++security_url: 'https://ubuntu.com/security'
  data_dir: /var/lib/ubuntu-advantage
  log_level: debug
  log_file: /var/log/ubuntu-advantage.log
 diff --git a/uaclient/apt.py b/uaclient/apt.py
 index 93630b4..7b80d87 100644
 --- a/uaclient/apt.py
 +++ b/uaclient/apt.py
@@ -58,6 +58,7 @@ def assert_valid_apt_credentials(repo_url, username, password):
                      os.path.join(tmpd, "apt-helper-output"),
                  ],
                  timeout=APT_HELPER_TIMEOUT,
++                retry_sleeps=APT_RETRIES,
+             )
      except util.ProcessExecutionError as e:
          if e.exit_code == 100:
 diff --git a/uaclient/cli.py b/uaclient/cli.py
 index 87dc767..b6a4ed5 100644
 --- a/uaclient/cli.py
 +++ b/uaclient/cli.py
@@ -8,6 +8,7 @@ import json
  import logging
  import os
  import pathlib
++import re
  import sys
  import textwrap
  import time
@@ -23,6 +24,7 @@ from uaclient import config
  from uaclient import contract
  from uaclient import entitlements
  from uaclient import exceptions
++from uaclient import security
  from uaclient import status as ua_status
  from uaclient import util
  from uaclient import version
@@ -88,19 +90,11 @@ class UAArgumentParser(argparse.ArgumentParser):
              self.non_beta_services_desc,
              self.beta_services_desc,
+         ]
--
--        if all([desc_var is None for desc_var in desc_vars]):
--            super().print_help(file=file)
--        elif show_all:
--            self.description = "\n".join(
--                [self.base_desc]
--                + sorted(self.non_beta_services_desc + self.beta_services_desc)
--            )
--        else:
--            self.description = "\n".join(
--                [self.base_desc] + sorted(self.non_beta_services_desc)
--            )
--
++        if any(desc_vars):
++            services = sorted(self.non_beta_services_desc)
++            if show_all:
++                services = sorted(services + self.beta_services_desc)
++            self.description = "\n".join([self.base_desc] + services)
          super().print_help(file=file)
@@ -195,6 +189,10 @@ def assert_not_attached(f):
  def auto_attach_parser(parser):
      """Build or extend an arg parser for auto-attach subcommand."""
      parser.prog = "auto-attach"
++    parser.description = (
++        "Automatically attach an Ubuntu Advantage token on Ubuntu Pro"
++        " images."
++    )
      parser.usage = USAGE_TMPL.format(name=NAME, command=parser.prog)
      parser._optionals.title = "Flags"
      return parser
@@ -204,6 +202,10 @@ def attach_parser(parser):
      """Build or extend an arg parser for attach subcommand."""
      parser.usage = USAGE_TMPL.format(name=NAME, command="attach <token>")
      parser.prog = "attach"
++    parser.description = (
++        "Attach this machine to Ubuntu Advantage with a token obtained"
++        " from https://ubuntu.com/advantage"
++    )
      parser._optionals.title = "Flags"
      parser.add_argument(
          "token",
@@ -221,11 +223,56 @@ def attach_parser(parser):
      return parser
++def fix_parser(parser):
++    """Build or extend an arg parser for fix subcommand."""
++    parser.usage = USAGE_TMPL.format(
++        name=NAME, command="fix <CVE-yyyy-nnnn+>|<USN-nnnn-d+>"
++    )
++    parser.prog = "fix"
++    parser.description = (
++        "Inspect and resolve CVEs and USNs (Ubuntu Security Notices) on this"
++        " machine."
++    )
++    parser._optionals.title = "Flags"
++    parser.add_argument(
++        "security_issue",
++        help=(
++            "Security vulnerability ID to inspect and resolve on this system."
++            " Format: CVE-yyyy-nnnn, CVE-yyyy-nnnnnnn or USN-nnnn-dd"
++        ),
++    )
++    return parser
++
++
++def refresh_parser(parser):
++    """Build or extend an arg parser for refresh subcommand."""
++    parser.prog = "refresh"
++    parser.description = (
++        "Refresh existing Ubuntu Advantage contract and update services."
++    )
++    parser.usage = USAGE_TMPL.format(name=NAME, command=parser.prog)
++    parser._optionals.title = "Flags"
++    return parser
++
++
++def action_fix(args, cfg, **kwargs):
++    if not re.match(security.CVE_OR_USN_REGEX, args.security_issue):
++        msg = (
++            'Error: issue "{}" is not recognized.\n'
++            'Usage: "ua fix CVE-yyyy-nnnn" or "ua fix USN-nnnn"'
++        ).format(args.security_issue)
++        raise exceptions.UserFacingError(msg)
++
++    security.fix_security_issue_id(cfg, args.security_issue)
++    return 0
++
++
  def detach_parser(parser):
      """Build or extend an arg parser for detach subcommand."""
      usage = USAGE_TMPL.format(name=NAME, command="detach")
      parser.usage = usage
      parser.prog = "detach"
++    parser.description = "Detach this machine from Ubuntu Advantage services."
      parser._optionals.title = "Flags"
      parser.add_argument(
          "--assume-yes",
@@ -240,6 +287,9 @@ def help_parser(parser):
      usage = USAGE_TMPL.format(name=NAME, command="help [service]")
      parser.usage = usage
      parser.prog = "help"
++    parser.description = (
++        "Provide detailed information about Ubuntu Advantage services."
++    )
      parser._positionals.title = "Arguments"
      parser.add_argument(
          "service",
@@ -276,6 +326,7 @@ def enable_parser(parser):
      usage = USAGE_TMPL.format(
          name=NAME, command="enable <service> [<service>]"
+     )
++    parser.description = "Enable an Ubuntu Advantage service."
      parser.usage = usage
      parser.prog = "enable"
      parser._positionals.title = "Arguments"
@@ -286,7 +337,7 @@ def enable_parser(parser):
          nargs="+",
          help=(
              "the name(s) of the Ubuntu Advantage services to enable."
--            " One of: {}".format(entitlements.RELEASED_ENTITLEMENTS_STR),
++            " One of: {}".format(entitlements.RELEASED_ENTITLEMENTS_STR)
          ),
+     )
      parser.add_argument(
@@ -305,6 +356,7 @@ def disable_parser(parser):
      usage = USAGE_TMPL.format(
          name=NAME, command="disable <service> [<service>]"
+     )
++    parser.description = "Disable an Ubuntu Advantage service."
      parser.usage = usage
      parser.prog = "disable"
      parser._positionals.title = "Arguments"
@@ -330,6 +382,9 @@ def status_parser(parser):
      """Build or extend an arg parser for status subcommand."""
      usage = USAGE_TMPL.format(name=NAME, command="status")
      parser.usage = usage
++    parser.description = (
++        "Output the status information for Ubuntu Advantage services."
++    )
      parser.prog = "status"
      # This formatter_class ensures that our formatting below isn't lost
      parser.formatter_class = argparse.RawDescriptionHelpFormatter
@@ -441,7 +496,7 @@ def action_disable(args, cfg, **kwargs):
          ret &= _perform_disable(entitlement, cfg, assume_yes=args.assume_yes)
      if entitlements_not_found:
--        valid_names = "Try " + entitlements.ALL_ENTITLEMENTS_STR
++        valid_names = "Try " + entitlements.ALL_ENTITLEMENTS_STR + "."
          service_msg = "\n".join(
              textwrap.wrap(valid_names, width=80, break_long_words=False)
+         )
@@ -542,7 +597,7 @@ def action_enable(args, cfg, **kwargs):
              valid_names = entitlements.RELEASED_ENTITLEMENTS_STR
          service_msg = "\n".join(
              textwrap.wrap(
--                "Try " + valid_names, width=80, break_long_words=False
++                "Try " + valid_names + ".", width=80, break_long_words=False
+             )
+         )
          tmpl = ua_status.MESSAGE_INVALID_SERVICE_OP_FAILURE_TMPL
@@ -580,7 +635,7 @@ def _detach(cfg: config.UAConfig, assume_yes: bool) -> int:
      """
      to_disable = []
      for ent_cls in entitlements.ENTITLEMENT_CLASSES:
--        ent = ent_cls(cfg)
++        ent = ent_cls(cfg=cfg, assume_yes=assume_yes)
          if ent.can_disable(silent=True):
              to_disable.append(ent)
      if to_disable:
@@ -597,6 +652,7 @@ def _detach(cfg: config.UAConfig, assume_yes: bool) -> int:
      contract_id = cfg.machine_token["machineTokenInfo"]["contractInfo"]["id"]
      contract_client.detach_machine_from_contract(machine_token, contract_id)
      cfg.delete_cache()
++    config.update_ua_messages(cfg)
      print(ua_status.MESSAGE_DETACH_SUCCESS)
      return 0
@@ -614,10 +670,12 @@ def _attach_with_token(
              logging.exception(exc)
          print(ua_status.MESSAGE_ATTACH_FAILURE)
          cfg.status()  # Persist updated status in the event of partial attach
++        config.update_ua_messages(cfg)
          return 1
      except exceptions.UserFacingError as exc:
          logging.warning(exc.msg)
          cfg.status()  # Persist updated status in the event of partial attach
++        config.update_ua_messages(cfg)
          return 1
      contract_name = cfg.machine_token["machineTokenInfo"]["contractInfo"][
          "name"
@@ -628,6 +686,7 @@ def _attach_with_token(
+         )
+     )
++    config.update_ua_messages(cfg)
      action_status(args=None, cfg=cfg)
      return 0
@@ -804,6 +863,13 @@ def get_parser():
          help="refresh Ubuntu Advantage services from contracts server",
+     )
      parser_refresh.set_defaults(action=action_refresh)
++    refresh_parser(parser_refresh)
++    parser_fix = subparsers.add_parser(
++        "fix",
++        help="check for and mitigate the impact of a CVE/USN on this system",
++    )
++    parser_fix.set_defaults(action=action_fix)
++    fix_parser(parser_fix)
      parser_version = subparsers.add_parser(
          "version", help="show version of {}".format(NAME)
+     )
@@ -869,6 +935,7 @@ def action_refresh(args, cfg):
          with util.disable_log_to_console():
              logging.exception(exc)
          raise exceptions.UserFacingError(ua_status.MESSAGE_REFRESH_FAILURE)
++
      print(ua_status.MESSAGE_REFRESH_SUCCESS)
      return 0
@@ -989,7 +1056,9 @@ def main(sys_argv=None):
      log_level = cfg.log_level
      console_level = logging.DEBUG if args.debug else logging.INFO
      setup_logging(console_level, log_level, cfg.log_file)
--    logging.debug("Executed with sys.argv: %r", sys_argv)
++    logging.debug(
++        util.redact_sensitive_logs("Executed with sys.argv: %r" % sys_argv)
++    )
      return args.action(args, cfg)
 diff --git a/uaclient/clouds/identity.py b/uaclient/clouds/identity.py
 index fa24c36..95f9a19 100644
 --- a/uaclient/clouds/identity.py
 +++ b/uaclient/clouds/identity.py
@@ -6,6 +6,7 @@ from uaclient import exceptions
  from uaclient import clouds
  from uaclient import status
  from uaclient import util
++from uaclient.config import apply_config_settings_override
  try:
      from typing import Dict, Optional, Type  # noqa: F401
@@ -21,6 +22,16 @@ CLOUDINIT_INSTANCE_ID_FILE = "/var/lib/cloud/data/instance-id"
  # Mapping of datasource names to cloud-id responses. Trusty compat with Xenial+
  DATASOURCE_TO_CLOUD_ID = {"azurenet": "azure", "ec2": "aws", "gce": "gcp"}
++CLOUD_TYPE_TO_TITLE = {
++    "aws": "AWS",
++    "aws-china": "AWS China",
++    "aws-gov": "AWS Gov",
++    "azure": "Azure",
++    "gcp": "GCP",
++}
++
++PRO_CLOUDS = ["aws", "azure", "gcp"]
++
  def get_instance_id(
      _iid_file: str = CLOUDINIT_INSTANCE_ID_FILE
@@ -47,6 +58,7 @@ def get_cloud_type_from_result_file(
      return DATASOURCE_TO_CLOUD_ID.get(dsname, dsname)
++@apply_config_settings_override("cloud_type")
  def get_cloud_type() -> "Optional[str]":
      if util.which("cloud-id"):
          # Present in cloud-init on >= Xenial
 diff --git a/uaclient/clouds/tests/test_identity.py b/uaclient/clouds/tests/test_identity.py
 index af320e1..3b8e494 100644
 --- a/uaclient/clouds/tests/test_identity.py
 +++ b/uaclient/clouds/tests/test_identity.py
@@ -97,6 +97,37 @@ class TestGetCloudType:
      ):
          assert get_cloud_type() is None
++    @pytest.mark.parametrize(
++        "settings_overrides",
++        (
++            (
++                """
++                settings_overrides:
++                  cloud_type: "azure"
++                """
++            ),
++            (
++                """
++                settings_overrides:
++                  other_setting: "blah"
++                """
++            ),
++        ),
++    )
++    @mock.patch("uaclient.util.load_file")
++    @mock.patch(M_PATH + "util.which", return_value="/usr/bin/cloud-id")
++    @mock.patch(M_PATH + "util.subp", return_value=("test", ""))
++    def test_cloud_type_when_using_settings_override(
++        self, m_subp, m_which, m_load_file, settings_overrides
++    ):
++        if "azure" in settings_overrides:
++            expected_value = "azure"
++        else:
++            expected_value = "test"
++
++        m_load_file.return_value = settings_overrides
++        assert get_cloud_type() == expected_value
++
  @mock.patch(M_PATH + "get_cloud_type")
  class TestCloudInstanceFactory:
 diff --git a/uaclient/config.py b/uaclient/config.py
 index 5b2de5e..e4b2f0c 100644
 --- a/uaclient/config.py
 +++ b/uaclient/config.py
@@ -1,9 +1,11 @@
  import copy
  from datetime import datetime
++from functools import wraps
  import json
  import logging
  import os
  import re
++import sys
  import yaml
  from collections import namedtuple, OrderedDict
@@ -47,6 +49,7 @@ MERGE_ID_KEY_MAP = {
      "availableResources": "name",
      "resourceEntitlements": "type",
+ }
++UNSET_SETTINGS_OVERRIDE_KEY = "_unset"
  # A data path is a filename, and an attribute ("private") indicating whether it
@@ -69,6 +72,7 @@ class UAConfig:
      _entitlements = None  # caching to avoid repetitive file reads
      _machine_token = None  # caching to avoid repetitive file reading
++    _contract_expiry_datetime = None
      def __init__(
          self, cfg: "Dict[str, Any]" = None, series: str = None
@@ -93,6 +97,10 @@ class UAConfig:
      def contract_url(self):
          return self.cfg.get("contract_url", "https://contracts.canonical.com")
++    @property
++    def security_url(self):
++        return self.cfg.get("security_url", "https://ubuntu.com/security")
++
      def check_lock_info(self) -> "Tuple[int, str]":
          """Return lock info if config lock file is present the lock is active.
@@ -209,14 +217,48 @@ class UAConfig:
          return self._entitlements
      @property
++    def contract_expiry_datetime(self) -> "datetime":
++        """Return a datetime of the attached contract expiration."""
++        if not self._contract_expiry_datetime:
++            contractInfo = self.machine_token["machineTokenInfo"][
++                "contractInfo"
++            ]
++            self._contract_expiry_datetime = datetime.strptime(
++                contractInfo["effectiveTo"], "%Y-%m-%dT%H:%M:%SZ"
++            )
++
++        return self._contract_expiry_datetime
++
++    @property
      def is_attached(self):
          """Report whether this machine configuration is attached to UA."""
          return bool(self.machine_token)  # machine_token is removed on detach
      @property
++    def contract_remaining_days(self) -> int:
++        """Report num days until contract expiration based on effectiveTo
++
++        :return: A positive int representing the number of days the attached
++            contract remains in effect. Return a negative int for the number
++            of days beyond contract's effectiveTo date.
++        """
++        delta = self.contract_expiry_datetime.date() - datetime.utcnow().date()
++        return delta.days
++
++    @property
      def features(self):
          """Return a dictionary of any features provided in uaclient.conf."""
--        return self.cfg.get("features", {})
++        features = self.cfg.get("features")
++        if features:
++            if isinstance(features, dict):
++                return features
++            else:
++                logging.warning(
++                    "Unexpected uaclient.conf features value."
++                    " Expected dict, but found %s",
++                    features,
++                )
++        return {}
      @property
      def machine_token(self):
@@ -364,7 +406,11 @@ class UAConfig:
                  released_resources.append(resource)
                  continue
--            if not ent_cls.is_beta:
++            enabled_status = status.UserFacingStatus.ACTIVE.value
++            if (
++                not ent_cls.is_beta
++                or resource.get("status", "") == enabled_status
++            ):
                  released_resources.append(resource)
          if released_resources:
@@ -518,6 +564,7 @@ class UAConfig:
          Write the status-cache when called by root.
          """
++
          if os.getuid() != 0:
              response = cast("Dict[str, Any]", self.read_cache("status-cache"))
              if not response:
@@ -530,6 +577,15 @@ class UAConfig:
          if os.getuid() == 0:
              self.write_cache("status-cache", response)
++            # Try to remove fix reboot notices if not applicable
++            if not util.should_reboot():
++                self.remove_notice(
++                    "",
++                    status.MESSAGE_ENABLE_REBOOT_REQUIRED_TMPL.format(
++                        operation="fix operation"
++                    ),
++                )
++
          config_allow_beta = util.is_config_value_true(
              config=self.cfg, path_to_value="features.allow_beta"
+         )
@@ -620,19 +676,69 @@ def parse_config(config_path=None):
      for key, value in os.environ.items():
          key = key.lower()
          if key.startswith("ua_"):
--            env_keys[key[3:]] = value  # Strip leading UA_
++            if "ua_features_" in key:
++                key = key[12:]  # String leading UA_FEATURES_
++
++                # Users can provide a yaml file to override
++                # config behavor. If they do, we are going
++                # to load that yaml and update the config
++                # with it
++                if value.endswith("yaml"):
++                    if os.path.exists(value):
++                        value = yaml.safe_load(util.load_file(value))
++                    else:
++                        raise exceptions.UserFacingError(
++                            "Could not find yaml file: {}".format(value)
++                        )
++
++                if "features" not in cfg:
++                    cfg["features"] = {key: value}
++                else:
++                    cfg["features"][key] = value
++            else:
++                env_keys[key[3:]] = value  # Strip leading UA_
      cfg.update(env_keys)
      cfg["log_level"] = cfg["log_level"].upper()
      cfg["data_dir"] = os.path.expanduser(cfg["data_dir"])
--    if not util.is_service_url(cfg["contract_url"]):
--        raise exceptions.UserFacingError(
--            "Invalid url in config. contract_url: {}".format(
--                cfg["contract_url"]
++    for key in ("contract_url", "security_url"):
++        if not util.is_service_url(cfg[key]):
++            raise exceptions.UserFacingError(
++                "Invalid url in config. {}: {}".format(key, cfg[key])
+             )
--        )
      return cfg
++def apply_config_settings_override(override_key: str):
++    """Decorator used to override function return by config settings.
++
++    To identify if we should override the function return, we check
++    if the config object has the expected override key, we use it
++    has, we will use the key value as the function return. Otherwise
++    we will call the function normally.
++
++    @param override_key: key to be looked for in the settings_override
++     entry in the config dict. If that key is present, we will return
++     its value as the function return.
++    """
++
++    def wrapper(f):
++        @wraps(f)
++        def new_f():
++            cfg = parse_config()
++            value_override = cfg.get("settings_overrides", {}).get(
++                override_key, UNSET_SETTINGS_OVERRIDE_KEY
++            )
++
++            if value_override != UNSET_SETTINGS_OVERRIDE_KEY:
++                return value_override
++
++            return f()
++
++        return new_f
++
++    return wrapper
++
++
  def depth_first_merge_overlay_dict(base_dict, overlay_dict):
      """Merge the contents of overlay dict into base_dict not only on top-level
      keys, but on all on the depths of the overlay_dict object. For example,
@@ -678,3 +784,25 @@ def depth_first_merge_overlay_dict(base_dict, overlay_dict):
                  base_dict[key] = value
          else:
              base_dict[key] = value
++
++
++def update_ua_messages(cfg: UAConfig):
++    """Helper to load and run ua_update_messaging.
++
++    This is needed because we don't have /usr/lib/ubuntu-advantage
++    python scripts in our path and we don't want to shell out with
++    subp to call python3 /path/to/ua_update_messaging.py.
++    """
++    sys.path.append("/usr/lib/ubuntu-advantage")
++    try:
++        __import__("ua_update_messaging")
++        update_msgs = getattr(
++            sys.modules["ua_update_messaging"], "update_apt_and_motd_messages"
++        )
++        update_msgs(cfg)
++    except ImportError:
++        logging.debug(
++            "Unable to update UA messages. Cannot import ua_update_messaging."
++        )
++    finally:
++        sys.path.pop()
 diff --git a/uaclient/contract.py b/uaclient/contract.py
 index 32c4347..a616b7a 100644
 --- a/uaclient/contract.py
 +++ b/uaclient/contract.py
@@ -1,5 +1,4 @@
  import logging
--import urllib
  from uaclient import clouds
  from uaclient import exceptions
@@ -97,7 +96,7 @@ class UAContractClient(serviceclient.UAServiceClient):
              "kernel": platform["kernel"],
+         }
          resource_response, headers = self.request_url(
--            API_V1_RESOURCES + "?" + urllib.parse.urlencode(query_params)
++            API_V1_RESOURCES, query_params=query_params
+         )
          return resource_response
 diff --git a/uaclient/defaults.py b/uaclient/defaults.py
 index 129bc14..1eef1fd 100644
 --- a/uaclient/defaults.py
 +++ b/uaclient/defaults.py
@@ -6,14 +6,23 @@ any of our dependencies installed.
  """
  UAC_ETC_PATH = "/etc/ubuntu-advantage/"
++DEFAULT_DATA_DIR = "/var/lib/ubuntu-advantage"
++DEFAULT_MACHINE_TOKEN_PATH = DEFAULT_DATA_DIR + "/private/machine-token.json"
  DEFAULT_CONFIG_FILE = UAC_ETC_PATH + "uaclient.conf"
  DEFAULT_HELP_FILE = UAC_ETC_PATH + "help_data.yaml"
  DEFAULT_UPGRADE_CONTRACT_FLAG_FILE = UAC_ETC_PATH + "request-update-contract"
  BASE_CONTRACT_URL = "https://contracts.canonical.com"
++BASE_SECURITY_URL = "https://ubuntu.com/security"
++BASE_UA_URL = "https://ubuntu.com/advantage"
++BASE_ESM_URL = "https://ubuntu.com/esm"
++PRINT_WRAP_WIDTH = 80
++CONTRACT_EXPIRY_GRACE_PERIOD_DAYS = 14
++CONTRACT_EXPIRY_PENDING_DAYS = 20
  CONFIG_DEFAULTS = {
      "contract_url": BASE_CONTRACT_URL,
--    "data_dir": "/var/lib/ubuntu-advantage",
++    "security_url": BASE_SECURITY_URL,
++    "data_dir": DEFAULT_DATA_DIR,
      "log_level": "INFO",
      "log_file": "/var/log/ubuntu-advantage.log",
+ }
 diff --git a/uaclient/entitlements/esm.py b/uaclient/entitlements/esm.py
 index 866967f..2decf4b 100644
 --- a/uaclient/entitlements/esm.py
 +++ b/uaclient/entitlements/esm.py
@@ -1,5 +1,6 @@
  from uaclient.entitlements import repo
  from uaclient import util
++from uaclient.config import update_ua_messages
  try:
      from typing import Optional  # noqa: F401
@@ -11,31 +12,76 @@ except ImportError:
  class ESMBaseEntitlement(repo.RepoEntitlement):
      help_doc_url = "https://ubuntu.com/security/esm"
++    def enable(self, *, silent_if_inapplicable: bool = False) -> bool:
++        enable_performed = super().enable(
++            silent_if_inapplicable=silent_if_inapplicable
++        )
++        if enable_performed:
++            update_ua_messages(self.cfg)
++        return enable_performed
++
++    def disable(self, silent=False) -> bool:
++        disable_performed = super().disable(silent=silent)
++        if disable_performed:
++            update_ua_messages(self.cfg)
++        return disable_performed
++
  class ESMAppsEntitlement(ESMBaseEntitlement):
      origin = "UbuntuESMApps"
      name = "esm-apps"

Ubuntuubuntu-advantage-tools package

Merge ~lamoura/ubuntu/+source/ubuntu-advantage-tools:hirsute-devel-release-27 into ubuntu/+source/ubuntu-advantage-tools:ubuntu/hirsute-devel

Commit message

Description of the change

Unmerged commits

Preview Diff

Subscribers

Ubuntu
ubuntu-advantage-tools package