Ubuntu
ubuntu-advantage-tools package

Merge ~renanrodrigo/ubuntu/+source/ubuntu-advantage-tools:upload-27.5-jammy into ubuntu/+source/ubuntu-advantage-tools:ubuntu/devel

Git
lp:~renanrodrigo/ubuntu/+source/ubuntu-advantage-tools
upload-27.5-jammy
Merge into ubuntu/devel

Proposed by Renan Rodrigo on 2022-01-04

Status:	Merged
Merged at revision:	ffc1e5c67a131126b2d4debd89eb0314f5893747
Proposed branch:	~renanrodrigo/ubuntu/+source/ubuntu-advantage-tools:upload-27.5-jammy
Merge into:	ubuntu/+source/ubuntu-advantage-tools:ubuntu/devel
Diff against target:	7955 lines (+3177/-1162) 86 files modified README.md (+3/-5) RELEASES.md (+14/-9) debian/changelog (+30/-0) debian/control (+1/-1) debian/ubuntu-advantage-tools.postinst (+4/-4) debian/ubuntu-advantage-tools.postrm (+1/-3) features/_version.feature (+22/-5) features/attach_invalidtoken.feature (+4/-2) features/attach_validtoken.feature (+56/-24) features/attached_commands.feature (+29/-13) features/attached_enable.feature (+161/-19) features/attached_status.feature (+3/-2) features/install_uninstall.feature (+1/-0) features/license_check.feature (+1/-0) features/steps/steps.py (+14/-0) features/ubuntu_pro.feature (+132/-39) features/ubuntu_upgrade.feature (+41/-0) features/ubuntu_upgrade_unattached.feature (+1/-1) features/unattached_commands.feature (+15/-4) features/unattached_status.feature (+87/-21) help_data.yaml (+5/-11) lib/reboot_cmds.py (+16/-22) sru/release-27.4.2/test-postinst-check-service-is-enabled-fix.sh (+34/-0) sru/release-27.4/test-unattached-status-job.sh (+40/-0) sru/release-27.5/test-aws-ipv6.sh (+66/-0) tools/build.sh (+1/-0) tools/create-lp-release-branches.sh (+2/-1) tools/run-integration-tests.py (+2/-1) tools/test-in-lxd.sh (+12/-0) tox.ini (+1/-0) uaclient/actions.py (+66/-0) uaclient/cli.py (+147/-150) uaclient/clouds/aws.py (+45/-7) uaclient/clouds/identity.py (+13/-12) uaclient/clouds/tests/test_aws.py (+115/-10) uaclient/clouds/tests/test_identity.py (+9/-14) uaclient/config.py (+161/-37) uaclient/contract.py (+23/-6) uaclient/defaults.py (+1/-0) uaclient/entitlements/__init__.py (+31/-12) uaclient/entitlements/base.py (+35/-10) uaclient/entitlements/cis.py (+31/-6) uaclient/entitlements/livepatch.py (+18/-34) uaclient/entitlements/repo.py (+13/-1) uaclient/entitlements/tests/conftest.py (+2/-1) uaclient/entitlements/tests/test_base.py (+48/-20) uaclient/entitlements/tests/test_cis.py (+4/-1) uaclient/entitlements/tests/test_entitlements.py (+39/-8) uaclient/entitlements/tests/test_fips.py (+9/-3) uaclient/entitlements/tests/test_livepatch.py (+19/-39) uaclient/entitlements/tests/test_repo.py (+27/-0) uaclient/exceptions.py (+33/-1) uaclient/jobs/update_messaging.py (+3/-3) uaclient/lock.py (+106/-0) uaclient/security.py (+2/-2) uaclient/security_status.py (+8/-12) uaclient/serviceclient.py (+7/-3) uaclient/status.py (+27/-7) uaclient/tests/test_actions.py (+145/-0) uaclient/tests/test_apt.py (+2/-2) uaclient/tests/test_cli.py (+45/-31) uaclient/tests/test_cli_attach.py (+11/-8) uaclient/tests/test_cli_auto_attach.py (+162/-264) uaclient/tests/test_cli_collect_logs.py (+12/-5) uaclient/tests/test_cli_config_set.py (+12/-4) uaclient/tests/test_cli_config_show.py (+3/-2) uaclient/tests/test_cli_config_unset.py (+2/-1) uaclient/tests/test_cli_detach.py (+4/-2) uaclient/tests/test_cli_disable.py (+36/-18) uaclient/tests/test_cli_enable.py (+123/-83) uaclient/tests/test_cli_fix.py (+2/-1) uaclient/tests/test_cli_refresh.py (+2/-1) uaclient/tests/test_cli_security_status.py (+14/-4) uaclient/tests/test_cli_status.py (+303/-60) uaclient/tests/test_config.py (+23/-9) uaclient/tests/test_contract.py (+44/-0) uaclient/tests/test_lock.py (+166/-0) uaclient/tests/test_reboot_cmds.py (+6/-6) uaclient/tests/test_security.py (+12/-17) uaclient/tests/test_security_status.py (+40/-15) uaclient/tests/test_update_messaging.py (+31/-22) uaclient/tests/test_upgrade_lts_contract.py (+1/-1) uaclient/tests/test_util.py (+83/-6) uaclient/util.py (+37/-12) uaclient/version.py (+1/-1) ubuntu-advantage.1 (+14/-1)
Related bugs:	Link a bug report

Reviewer	Review Type	Date Requested	Status
Robie Basak	sru	2022-01-04	Approve on 2022-01-06
Athos Ribeiro (community)		2022-01-04	Approve on 2022-01-06
Review via email: mp+413641@code.launchpad.net

Description of the change

This is the second release candidate for release 27.5 (LP: #1956456) of ubuntu-advantage-tools, for Jammy.

The main changes it brings are related to CLI capabilities of the tool. There is also a transition from the CIS service to USG to be applied. Please see the changelog for a broader list of changes.

From the packaging perspective, only a refactor in postinst was performed.

Please let us know if there is something that we need to fix/change for this release.

Revision history for this message

Athos Ribeiro (athos-ribeiro) wrote on 2022-01-05:

Hi Renan,

As we discussed offline, I am leaving some notes here:

- The changes in the postrm script are missing in the changelog;

- The documentation (including help commands) changed to include a link for a page which does not exist (https://ubuntu.com/security/certifications/docs/usg);

- There are several new calls to `resource["name"]` and to resource.get("name"). This was somewhat confusing while I was reviewing the code, when I wondered if we should always expect that key to be present in that dict or not. The reason I am pointing this out is that we did need a hotfix in the past for a similar issue with a different dict key access;

- and finally, it is worth mentioning that there was a subtle behavior change when calls to `entitlements.entitlement_factory` replaced calls to `entitlements.ENTITLEMENT_CLASS_BY_NAME`. When a non-existent name would be passed to ENTITLEMENT_CLASS_BY_NAME, it would instantly raise a KeyError exception. Now, the code will either explode at a later, different point, or just present an odd behavior.

Revision history for this message

Renan Rodrigo (renanrodrigo) wrote on 2022-01-05:

Thanks for your feedback, Athos,

- Ack - will update the MR to include the missing changelog entries;

- I will ping the security team about the missing page, they should handle it;

- Yes, technically we wouldn't need those .get calls. Yes, we do always expect that every resource has a name and this is not meant to change. The .get calls were inserted based on a review to make us extra-safe where it could fail.

- Yes, this is true and the team is aware of that. The change to the factory function helped us sort out some functionality on how to get the presentation name for resources, we understand the changes and their impact, and we consider it to be aligned with what we wanted to deliver. The passing test scenarios indicate to us that our flows are working as expected.

Revision history for this message

Athos Ribeiro (athos-ribeiro) wrote on 2022-01-06:

AFAICT, The documentation for the CIS->USG change will be performed in all series, while the change is only valid from focal (through the contract API). While updating other series documentation in this sense does not seem to be ideal, Renan did let me know this had been discussed with the security team, which did acknowledged the change.

LGTM, thanks, Renan :)

review: Approve

Revision history for this message

Robie Basak (racb) wrote on 2022-01-06:

Approved branch renanrodrigo/upload-27.5-jammy with commit ffc1e5c67a131126b2d4debd89eb0314f5893747

review: Approve (sru)

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk

The diff has been truncated for viewing.

Subscribers

People subscribed via source and target branches

to all changes:

Renan Rodrigo

git-ubuntu developers

to status/vote changes:

Terrence Bobryk-Ozaki

 diff --git a/README.md b/README.md
 index c2c236b..27818e1 100644
 --- a/README.md
 +++ b/README.md
@@ -1,7 +1,5 @@
  # Ubuntu Advantage Client
--[![Build Status](https://travis-ci.com/canonical/ubuntu-advantage-client.svg?branch=master)](https://travis-ci.com/github/canonical/ubuntu-advantage-client)
--
  The Ubuntu Advantage client provides users with a simple mechanism to
  view, enable, and disable offerings from Canonical on their system. The
  following entitlements are supported:
@@ -105,7 +103,7 @@ https://ubuntu.com/advantage.
    token, service credentials, affordances, directives and obligations to allow
    enabling and disabling Ubuntu Advantage services
  * UA client writes the machine token API response to the root-readonly
--  /var/lib/ubuntu-advantage/machine-token.json
++  /var/lib/ubuntu-advantage/private/machine-token.json
  * UA client auto-enables any services defined with
    `obligations:{enableByDefault: true}`
@@ -152,7 +150,7 @@ Jobs are executed by the timer script if:
  - Their interval since last successful run is already exceeded.
  There is a random delay applied to the timer, to desynchronize job execution time
--on machines spinned at the same time, avoiding multiple synchronized calls to the
++on machines spun at the same time, avoiding multiple synchronized calls to the
  same service.
  Current jobs being checked and executed are:
@@ -576,5 +574,5 @@ sudo shutdown -h now
  * Use your cloud platform to clone or snapshot this VM as a golden image
--## Releasing ubuntu-adantage-tools
++## Releasing ubuntu-advantage-tools
  see [RELEASES.md](RELEASES.md)
 diff --git a/RELEASES.md b/RELEASES.md
 index f629962..b4948f7 100644
 --- a/RELEASES.md
 +++ b/RELEASES.md
@@ -183,22 +183,21 @@ If this is your first time releasing ubuntu-advantage-tools, you'll need to do t
      a. Ask in ~Server for a review of your MPs. Include a link to the primary MP into ubuntu/devel and mention the other MPs are only changelog MPs for the SRUs into past releases.
--    b. If they request changes, create a PR into `main` on github and ask UAClient team for review. After a merge, open another PR on github, cherry-picking the change into the release branch. After that is merged, cherry-pick the commit into your `upload-<this-version>-impish` branch and push to launchpad. Then notify the Server Team member that you have addressed their requests. (This can probably be simplified).
++    b. If they request changes, create a PR into the release branch on github and ask UAClient team for review. After that is merged, cherry-pick the commit into your `upload-<this-version>-<devel-release>` branch and push to launchpad. You'll also need to rebase the other `upload-<this-version>-<series>` branches and force push them to launchpad. Then notify the Server Team member that you have addressed their requests.
        * Some issues may just be filed for addressing in the future if they are not urgent or pertinent to this release.
        * Unless the changes are very minor, or only testing related, you should upload a new release candidate version to `ppa:ua-client/staging` as descibed in I.3.
++      * After the release is finished, any commits that were merged directly into the release branch in this way should be brought back into `main` via a single PR.
      c. Once review is complete and approved, confirm that Ubuntu Server approver will be tagging the PR with the appropriate `upload/<version>` tag so git-ubuntu will import rich commit history.
--    d. Check `rmadison ubuntu-advantage-tools` for updated version in devel release
++    d. At this point the Server Team member should **not** upload the version to the devel release.
++      * If they do, then any changes to the code after this point will require a bump in the patch version of the release.
--    e. Confirm availability in <devel>-updates pocket via `lxc launch ubuntu-daily:impish dev-i; lxc exec dev-i -- apt update; lxc exec dev-i -- apt-cache policy ubuntu-advantage-tools`
--      * Note that any changes to the code after this point will likely require a bump in the patch version of the release.
++    e. Ask Ubuntu Server approver if they also have upload rights to the proposed queue. If they do, request that they upload ubuntu-advantage-tools for all releases. If they do not, ask in ~Server channel for a Ubuntu Server team member with upload rights for an upload review of the MP for the proposed queue.
--    f. Ask Ubuntu Server approver if they also have upload rights to the proposed queue. If they do, request that they upload ubuntu-advantage-tools for all releases. If they do not, ask in ~Server channel for a Ubuntu Server team member with upload rights for an upload review of the MP for the proposed queue.
++    f. Once upload review is complete and approved, confirm that Ubuntu Server approver will upload ua-tools via dput to the `-proposed` queue.
--    g. Once upload review is complete and approved, confirm that Ubuntu Server approver will upload ua-tools via dput to the `-proposed` queue.
--
--    h. Check the [-proposed release queue](https://launchpad.net/ubuntu/xenial/+queue?queue_state=1&queue_text=ubuntu-advantage-tools) for presence of ua-tools in unapproved state for each supported release. Note: libera chat #ubuntu-release IRC channel has a bot that reports queued uploads of any package in a message like "Unapproved: ubuntu-advantage-tools .. version".
++    g. Check the [-proposed release queue](https://launchpad.net/ubuntu/xenial/+queue?queue_state=1&queue_text=ubuntu-advantage-tools) for presence of ua-tools in unapproved state for each supported release. Note: libera chat #ubuntu-release IRC channel has a bot that reports queued uploads of any package in a message like "Unapproved: ubuntu-advantage-tools .. version".
 . SRU Review
@@ -240,7 +239,13 @@ If this is your first time releasing ubuntu-advantage-tools, you'll need to do t
      h. Once all SRU bugs are tagged as `verification*-done`, all SRU-bugs should be listed as green in [the pending_sru page](https://people.canonical.com/~ubuntu-archive/pending-sru.html).
--    i. After the pending_sru page says that ubuntu-advantage-tools has been in proposed for 7 days, it is now time to ping the [current SRU vanguard](https://wiki.ubuntu.com/StableReleaseUpdates#Publishing) for acceptance of ubuntu-advantage-tools into -updates.
++    i. After the pending sru page says that ubuntu-advantage-tools has been in proposed for 7 days, it is now time to ping the [current SRU vanguard](https://wiki.ubuntu.com/StableReleaseUpdates#Publishing) for acceptance of ubuntu-advantage-tools into -updates.
++
++    j. Ping the Ubuntu Server team member who approved the version in step `II.4` to now upload to the devel release.
++
++    k. Check `rmadison ubuntu-advantage-tools` for updated version in devel release
++
++    l. Confirm availability in <devel-series>-updates pocket via `lxc launch ubuntu-daily:<devel-series> dev-i; lxc exec dev-i -- apt update; lxc exec dev-i -- apt-cache policy ubuntu-advantage-tools`
  ### III. Final release to team infrastructure
 diff --git a/debian/changelog b/debian/changelog
 index 9779f56..a55d9dd 100644
 --- a/debian/changelog
 +++ b/debian/changelog
@@ -1,3 +1,33 @@
++ubuntu-advantage-tools (27.5~22.04.1) jammy; urgency=medium
++
++  * d/control:
++    - Update homepage URL
++  * d/tools.postinst:
++    - Refactor to use valid_services
++  * d/tools.postrm:
++    - Use a wildcard to remove ua related gpg files
++  * New upstream release 27.5 (LP: #1956456)
++    - aws: add support for the IPv6 metadata endpoint
++    - cis: update URL for the documentation
++    - cli:
++      + add endpoint to simulate the status using a specific contract token
++      + fix return code when attaching an already attached machine (GH: #1867)
++      + fix security-status to consider all possible origins to show updates
++      + include cloud build.info in the collect-logs tarball
++      + only show services which exist in the contracts server in ua status
++    - docs: fix typos and wrong/outdated information
++    - livepatch: always use the full path in livepatch calls (LP: #1951954)
++    - logs:
++      + improve rules to redact sensitive information from all log files
++      + redact sensitive information from older unredacted log files
++      + log errors from external software execution, for debugging purposes
++    - usg:
++      + support the presentedAs affordance from the contract server, showing
++        services in the CLI with the appropriate names
++      + replace the CIS entitlement by USG on Focal and onwards
++
++ -- Renan Rodrigo <renanrodrigo@canonical.com>  Tue, 04 Jan 2022 17:30:26 -0300
++
  ubuntu-advantage-tools (27.4.2~22.04.1) jammy; urgency=medium
    * d/tools.postinst:
 diff --git a/debian/control b/debian/control
 index 9ec72f6..6aabba2 100644
 --- a/debian/control
 +++ b/debian/control
@@ -29,7 +29,7 @@ Build-Depends: bash-completion,
                 python3-setuptools,
                 python3-yaml
  Standards-Version: 4.5.1
--Homepage: https://buy.ubuntu.com
++Homepage: https://ubuntu.com/advantage
  Vcs-Git: https://github.com/CanonicalLtd/ubuntu-advantage-script.git
  Vcs-Browser: https://github.com/CanonicalLtd/ubuntu-advantage-script
  Rules-Requires-Root: no
 diff --git a/debian/ubuntu-advantage-tools.postinst b/debian/ubuntu-advantage-tools.postinst
 index 8ba7c64..191f0db 100644
 --- a/debian/ubuntu-advantage-tools.postinst
 +++ b/debian/ubuntu-advantage-tools.postinst
@@ -57,8 +57,8 @@ MACHINE_TOKEN_FILE="/var/lib/ubuntu-advantage/private/machine-token.json"
  redact_ubuntu_release_from_ua_apt_filenames() {
      DIR=$1
      UA_SERVICES=$(/usr/bin/python3 -c "
--from uaclient.entitlements import ENTITLEMENT_CLASS_BY_NAME
--print(*ENTITLEMENT_CLASS_BY_NAME.keys(), sep=' ')
++from uaclient.entitlements import valid_services
++print(*valid_services(allow_beta=True, all_names=True), sep=' ')
  ")
      for file in "$DIR"/*; do
@@ -118,8 +118,8 @@ check_service_is_beta() {
      service_name=$1
      _IS_BETA_SVC=$(/usr/bin/python3 -c "
  from uaclient.config import UAConfig
--from uaclient.entitlements import ENTITLEMENT_CLASS_BY_NAME
--ent_cls = ENTITLEMENT_CLASS_BY_NAME.get('${service_name}')
++from uaclient.entitlements import entitlement_factory
++ent_cls = entitlement_factory('${service_name}')
  if ent_cls:
      cfg = UAConfig()
      allow_beta = cfg.features.get('allow_beta', False)
 diff --git a/debian/ubuntu-advantage-tools.postrm b/debian/ubuntu-advantage-tools.postrm
 index 978b492..ce79341 100644
 --- a/debian/ubuntu-advantage-tools.postrm
 +++ b/debian/ubuntu-advantage-tools.postrm
@@ -19,9 +19,7 @@ remove_logs(){
+ }
  remove_gpg_files(){
--    rm -f /etc/apt/trusted.gpg.d/ubuntu-advantage-esm-infra-trusty.gpg
--    rm -f /etc/apt/trusted.gpg.d/ubuntu-advantage-esm-apps.gpg
--    rm -f /etc/apt/trusted.gpg.d/ubuntu-advantage-fips.gpg
++    rm -f /etc/apt/trusted.gpg.d/ubuntu-advantage-*.gpg
+ }
  case "$1" in
 diff --git a/features/_version.feature b/features/_version.feature
 index 0ee9f1b..e265769 100644
 --- a/features/_version.feature
 +++ b/features/_version.feature
@@ -12,18 +12,27 @@ Feature: UA is expected version
      @uses.config.machine_type.gcp.pro
      Scenario Outline: Check ua version
          Given a `<release>` machine with ubuntu-advantage-tools installed
--        When I run `ua version` with sudo
--        Then I will see the following on stdout
++        When I run `dpkg-query --showformat='${Version}' --show ubuntu-advantage-tools` with sudo
++        Then stdout matches regexp:
          """
          {UACLIENT_BEHAVE_CHECK_VERSION}
          """
++        When I run `ua version` with sudo
++        Then stdout matches regexp:
++        # We are adding that regex here to match possible config overrides
++        # we add. For example, on PRO machines we add a config override to
++        # disable auto-attach on boot
++        """
++        {UACLIENT_BEHAVE_CHECK_VERSION}.*
++        """
          Examples: version
              | release |
              | xenial  |
              | bionic  |
              | focal   |
              | hirsute |
--            | impish |
++            | impish  |
++            | jammy   |
      @series.all
      @uses.config.check_version
@@ -31,15 +40,23 @@ Feature: UA is expected version
      @upgrade
      Scenario Outline: Check ua version
          Given a `<release>` machine with ubuntu-advantage-tools installed
--        When I run `ua version` with sudo
++        When I run `dpkg-query --showformat='${Version}' --show ubuntu-advantage-tools` with sudo
          Then I will see the following on stdout
          """
          {UACLIENT_BEHAVE_CHECK_VERSION}
          """
++        When I run `ua version` with sudo
++        Then stdout matches regexp:
++        # We are adding that regex here to match possible config overrides
++        # we add. For example, on PRO machines we add a config override to
++        # disable auto-attach on boot
++        """
++        {UACLIENT_BEHAVE_CHECK_VERSION}.*
++        """
          Examples: version
              | release |
              | xenial  |
              | bionic  |
              | focal   |
              | hirsute |
--            | impish |
++            | impish  |
 diff --git a/features/attach_invalidtoken.feature b/features/attach_invalidtoken.feature
 index 776ca00..6ad2d93 100644
 --- a/features/attach_invalidtoken.feature
 +++ b/features/attach_invalidtoken.feature
@@ -21,7 +21,8 @@ Feature: Command behaviour when trying to attach a machine to an Ubuntu
             | bionic  |
             | focal   |
             | hirsute |
--           | impish |
++           | impish  |
++           | jammy   |
      @uses.config.contract_token_staging_expired
      @series.all
@@ -41,4 +42,5 @@ Feature: Command behaviour when trying to attach a machine to an Ubuntu
             | bionic  |
             | focal   |
             | hirsute |
--           | impish |
++           | impish  |
++           | jammy   |
 diff --git a/features/attach_validtoken.feature b/features/attach_validtoken.feature
 index cfd1e44..ec4400b 100644
 --- a/features/attach_validtoken.feature
 +++ b/features/attach_validtoken.feature
@@ -2,6 +2,7 @@
  Feature: Command behaviour when attaching a machine to an Ubuntu Advantage
          subscription using a valid token
++    @series.jammy
      @series.hirsute
      @series.impish
      @uses.config.machine_type.lxd.container
@@ -13,7 +14,7 @@ Feature: Command behaviour when attaching a machine to an Ubuntu Advantage
              """
              SERVICE       ENTITLED  STATUS    DESCRIPTION
              cc-eal        +yes      +n/a      +Common Criteria EAL2 Provisioning Packages
--            cis           +yes      +n/a      +Center for Internet Security Audit Tools
++            cis           +yes      +n/a      +Security compliance and audit tools
              esm-apps      +yes      +n/a      +UA Apps: Extended Security Maintenance \(ESM\)
              esm-infra     +yes      +n/a      +UA Infra: Extended Security Maintenance \(ESM\)
              fips          +yes      +n/a      +NIST-certified core packages
@@ -24,7 +25,8 @@ Feature: Command behaviour when attaching a machine to an Ubuntu Advantage
          Examples: ubuntu release
              | release |
              | hirsute |
--            | impish |
++            | impish  |
++            | jammy   |
      @series.lts
      @uses.config.machine_type.lxd.container
@@ -47,7 +49,7 @@ Feature: Command behaviour when attaching a machine to an Ubuntu Advantage
          """
          \d+ update(s)? can be applied immediately.
          """
--        When I attach `contract_token` with sudo
++        When I attach `contract_token_staging` with sudo
          Then stdout matches regexp:
          """
          UA Infra: ESM enabled
@@ -60,17 +62,29 @@ Feature: Command behaviour when attaching a machine to an Ubuntu Advantage
          """
          SERVICE       ENTITLED  STATUS    DESCRIPTION
          cc-eal       +yes      +<cc_status>     +Common Criteria EAL2 Provisioning Packages
--        cis          +yes      +disabled        +Center for Internet Security Audit Tools
++        """
++        And stdout matches regexp:
++        """
          esm-apps     +yes      +enabled  +UA Apps: Extended Security Maintenance \(ESM\)
          esm-infra    +yes      +enabled  +UA Infra: Extended Security Maintenance \(ESM\)
          fips         +yes      +n/a      +NIST-certified core packages
          fips-updates +yes      +n/a      +NIST-certified core packages with priority security updates
          livepatch    +yes      +n/a      +Canonical Livepatch service
          """
++        And stdout matches regexp:
++        """
++        <cis_or_usg> +yes      +disabled        +Security compliance and audit tools
++        """
          And stderr matches regexp:
          """
          Enabling default service esm-infra
          """
++        When I verify that running `ua attach contract_token` `with sudo` exits `2`
++        Then stderr matches regexp:
++        """
++        This machine is already attached to '.+'
++        To use a different subscription first run: sudo ua detach.
++        """
          When I run `ua disable esm-apps --assume-yes` with sudo
          When I append the following on uaclient config:
              """
@@ -154,10 +168,10 @@ Feature: Command behaviour when attaching a machine to an Ubuntu Advantage
          """
          Examples: ubuntu release packages
--           | release | downrev_pkg                 | cc_status |
--           | xenial  | libkrad0=1.13.2+dfsg-5      | disabled  |
--           | bionic  | libkrad0=1.16-2build1       | n/a       |
--           | focal   | hello=2.10-2ubuntu2         | n/a       |
++           | release | downrev_pkg                 | cc_status | cis_or_usg |
++           | xenial  | libkrad0=1.13.2+dfsg-5      | disabled  | cis        |
++           | bionic  | libkrad0=1.16-2build1       | n/a       | cis        |
++           | focal   | hello=2.10-2ubuntu2         | n/a       | usg        |
      @series.all
      @uses.config.machine_type.aws.generic
@@ -196,22 +210,28 @@ Feature: Command behaviour when attaching a machine to an Ubuntu Advantage
          """
          SERVICE       ENTITLED  STATUS    DESCRIPTION
          cc-eal       +yes      +<cc_status>     +Common Criteria EAL2 Provisioning Packages
--        cis          +yes      +disabled +Center for Internet Security Audit Tools
++        """
++        And stdout matches regexp:
++        """
          esm-infra    +yes      +enabled  +UA Infra: Extended Security Maintenance \(ESM\)
          fips         +yes      +<fips_status>      +NIST-certified core packages
          fips-updates +yes      +<fips_status>      +NIST-certified core packages with priority security updates
          livepatch    +yes      +<lp_status>  +<lp_desc>
          """
++        And stdout matches regexp:
++        """
++        <cis_or_usg>          +yes      +disabled +Security compliance and audit tools
++        """
          And stderr matches regexp:
          """
          Enabling default service esm-infra
          """
          Examples: ubuntu release livepatch status
--           | release | fips_status |lp_status | lp_desc                       | cc_status |
--           | xenial  | disabled    |enabled   | Canonical Livepatch service   | disabled  |
--           | bionic  | disabled    |enabled   | Canonical Livepatch service   | n/a       |
--           | focal   | n/a         |enabled   | Canonical Livepatch service   | n/a       |
++           | release | fips_status |lp_status | lp_desc                       | cc_status | cis_or_usg |
++           | xenial  | disabled    |enabled   | Canonical Livepatch service   | disabled  | cis        |
++           | bionic  | disabled    |enabled   | Canonical Livepatch service   | n/a       | cis        |
++           | focal   | n/a         |enabled   | Canonical Livepatch service   | n/a       | usg        |
      @series.all
      @uses.config.machine_type.azure.generic
@@ -250,22 +270,28 @@ Feature: Command behaviour when attaching a machine to an Ubuntu Advantage
          """
          SERVICE       ENTITLED  STATUS    DESCRIPTION
          cc-eal       +yes      +<cc_status>     +Common Criteria EAL2 Provisioning Packages
--        cis          +yes      +disabled +Center for Internet Security Audit Tools
++        """
++        And stdout matches regexp:
++        """
          esm-infra    +yes      +enabled  +UA Infra: Extended Security Maintenance \(ESM\)
          fips         +yes      +<fips_status> +NIST-certified core packages
          fips-updates +yes      +<fips_status> +NIST-certified core packages with priority security updates
          livepatch    +yes      +<lp_status>  +Canonical Livepatch service
          """
++        And stdout matches regexp:
++        """
++        <cis_or_usg>          +yes      +disabled +Security compliance and audit tools
++        """
          And stderr matches regexp:
          """
          Enabling default service esm-infra
          """
          Examples: ubuntu release livepatch status
--           | release | lp_status | fips_status | cc_status |
--           | xenial  | n/a       | n/a         | disabled  |
--           | bionic  | n/a       | disabled    | n/a       |
--           | focal   | enabled   | n/a         | n/a       |
++           | release | lp_status | fips_status | cc_status | cis_or_usg |
++           | xenial  | n/a       | n/a         | disabled  | cis        |
++           | bionic  | n/a       | disabled    | n/a       | cis        |
++           | focal   | enabled   | n/a         | n/a       | usg        |
      @series.all
      @uses.config.machine_type.gcp.generic
@@ -291,7 +317,7 @@ Feature: Command behaviour when attaching a machine to an Ubuntu Advantage
          features:
            machine_token_overlay: "/tmp/machine-token-overlay.json"
          """
--        And I attach `contract_token` with sudo
++        And I attach `contract_token_staging` with sudo
          Then stdout matches regexp:
          """
          UA Infra: ESM enabled
@@ -304,19 +330,25 @@ Feature: Command behaviour when attaching a machine to an Ubuntu Advantage
          """
          SERVICE       ENTITLED  STATUS    DESCRIPTION
          cc-eal       +yes      +<cc_status>     +Common Criteria EAL2 Provisioning Packages
--        cis          +yes      +disabled +Center for Internet Security Audit Tools
++        """
++        And stdout matches regexp:
++        """
          esm-infra    +yes      +enabled  +UA Infra: Extended Security Maintenance \(ESM\)
          fips         +yes      +<fips_status> +NIST-certified core packages
          fips-updates +yes      +<fips_status> +NIST-certified core packages with priority security updates
          livepatch    +yes      +<lp_status>  +Canonical Livepatch service
          """
++        And stdout matches regexp:
++        """
++        <cis_or_usg>          +yes      +disabled +Security compliance and audit tools
++        """
          And stderr matches regexp:
          """
          Enabling default service esm-infra
          """
          Examples: ubuntu release livepatch status
--           | release | lp_status | fips_status | cc_status |
--           | xenial  | n/a       | n/a         | disabled  |
--           | bionic  | n/a       | disabled    | n/a       |
--           | focal   | enabled   | n/a         | n/a       |
++           | release | lp_status | fips_status | cc_status | cis_or_usg |
++           | xenial  | n/a       | n/a         | disabled  | cis        |
++           | bionic  | n/a       | disabled    | n/a       | cis        |
++           | focal   | enabled   | n/a         | n/a       | usg        |
 diff --git a/features/attached_commands.feature b/features/attached_commands.feature
 index 0ef79db..d8718ae 100644
 --- a/features/attached_commands.feature
 +++ b/features/attached_commands.feature
@@ -49,6 +49,7 @@ Feature: Command behaviour when attached to an UA subscription
             | xenial  |
             | hirsute |
             | impish  |
++           | jammy   |
      @series.all
      @uses.config.machine_type.lxd.container
@@ -65,6 +66,7 @@ Feature: Command behaviour when attached to an UA subscription
             | xenial  |
             | hirsute |
             | impish  |
++           | jammy   |
      @series.all
      @uses.config.machine_type.lxd.container
@@ -91,6 +93,7 @@ Feature: Command behaviour when attached to an UA subscription
             | xenial  |
             | hirsute |
             | impish  |
++           | jammy   |
      @series.all
      @uses.config.machine_type.lxd.container
@@ -116,6 +119,7 @@ Feature: Command behaviour when attached to an UA subscription
             | xenial  |
             | hirsute |
             | impish  |
++           | jammy   |
      @series.lts
      @uses.config.machine_type.lxd.container
@@ -161,7 +165,7 @@ Feature: Command behaviour when attached to an UA subscription
      @uses.config.machine_type.lxd.container
      Scenario Outline: Attached detach in an ubuntu machine
          Given a `<release>` machine with ubuntu-advantage-tools installed
--        When I attach `contract_token` with sudo
++        When I attach `contract_token_staging` with sudo
          Then I verify that running `ua detach` `as non-root` exits `1`
          And stderr matches regexp:
              """
@@ -182,7 +186,9 @@ Feature: Command behaviour when attached to an UA subscription
            """
            SERVICE       AVAILABLE  DESCRIPTION
            cc-eal        +<cc-eal>   +Common Criteria EAL2 Provisioning Packages
--          cis           +<cis>      +Center for Internet Security Audit Tools
++          """
++       Then stdout matches regexp:
++          """
            esm-apps      +<esm-apps> +UA Apps: Extended Security Maintenance \(ESM\)
            esm-infra     +yes        +UA Infra: Extended Security Maintenance \(ESM\)
            fips          +<fips>     +NIST-certified core packages
@@ -191,6 +197,10 @@ Feature: Command behaviour when attached to an UA subscription
            ros           +<ros>      +Security Updates for the Robot Operating System
            ros-updates   +<ros>      +All Updates for the Robot Operating System
            """
++       Then stdout matches regexp:
++          """
++          <cis_or_usg>           +<cis>      +Security compliance and audit tools
++          """
         And stdout matches regexp:
            """
            This machine is not attached to a UA subscription.
@@ -198,10 +208,10 @@ Feature: Command behaviour when attached to an UA subscription
         And I verify that running `apt update` `with sudo` exits `0`
         Examples: ubuntu release
--           | release | esm-apps | cc-eal | cis | fips | fips-update | ros |
--           | bionic  | yes      | no     | yes | yes  | yes         | yes  |
--           | focal   | yes      | no     | yes | yes  | yes         | no  |
--           | xenial  | yes      | yes    | yes | yes  | yes         | yes |
++           | release | esm-apps | cc-eal | cis | fips | fips-update | ros | cis_or_usg |
++           | xenial  | yes      | yes    | yes | yes  | yes         | yes | cis        |
++           | bionic  | yes      | no     | yes | yes  | yes         | yes | cis        |
++           | focal   | yes      | no     | yes | yes  | yes         | no  | usg        |
      @series.all
      @uses.config.machine_type.lxd.container
@@ -213,7 +223,7 @@ Feature: Command behaviour when attached to an UA subscription
              """
              This command must be run as root \(try using sudo\).
              """
--        When I run `ua auto-attach` with sudo
++        When I verify that running `ua auto-attach` `with sudo` exits `2`
          Then stderr matches regexp:
              """
              This machine is already attached
@@ -226,6 +236,7 @@ Feature: Command behaviour when attached to an UA subscription
             | xenial  |
             | hirsute |
             | impish  |
++           | jammy   |
      @series.all
      @uses.config.machine_type.lxd.container
@@ -248,6 +259,7 @@ Feature: Command behaviour when attached to an UA subscription
             | xenial  |
             | hirsute |
             | impish  |
++           | jammy   |
      @series.all
      @uses.config.machine_type.lxd.container
@@ -299,6 +311,7 @@ Feature: Command behaviour when attached to an UA subscription
             | xenial  |
             | hirsute |
             | impish  |
++           | jammy   |
      @series.lts
      @uses.config.machine_type.lxd.container
@@ -389,8 +402,8 @@ Feature: Command behaviour when attached to an UA subscription
          Client to manage Ubuntu Advantage services on a machine.
           - cc-eal: Common Criteria EAL2 Provisioning Packages
             \(https://ubuntu.com/cc-eal\)
--         - cis: Center for Internet Security Audit Tools
--           \(https://ubuntu.com/security/certifications#cis\)
++         - cis: Security compliance and audit tools
++           \(https://ubuntu.com/security/certifications/docs/usg\)
           - esm-infra: UA Infra: Extended Security Maintenance \(ESM\)
             \(https://ubuntu.com/security/esm\)
           - fips-updates: NIST-certified core packages with priority security updates
@@ -406,8 +419,8 @@ Feature: Command behaviour when attached to an UA subscription
          Client to manage Ubuntu Advantage services on a machine.
           - cc-eal: Common Criteria EAL2 Provisioning Packages
             \(https://ubuntu.com/cc-eal\)
--         - cis: Center for Internet Security Audit Tools
--           \(https://ubuntu.com/security/certifications#cis\)
++         - cis: Security compliance and audit tools
++           \(https://ubuntu.com/security/certifications/docs/usg\)
           - esm-infra: UA Infra: Extended Security Maintenance \(ESM\)
             \(https://ubuntu.com/security/esm\)
           - fips-updates: NIST-certified core packages with priority security updates
@@ -423,8 +436,8 @@ Feature: Command behaviour when attached to an UA subscription
          Client to manage Ubuntu Advantage services on a machine.
           - cc-eal: Common Criteria EAL2 Provisioning Packages
             \(https://ubuntu.com/cc-eal\)
--         - cis: Center for Internet Security Audit Tools
--           \(https://ubuntu.com/security/certifications#cis\)
++         - cis: Security compliance and audit tools
++           \(https://ubuntu.com/security/certifications/docs/usg\)
           - esm-apps: UA Apps: Extended Security Maintenance \(ESM\)
             \(https://ubuntu.com/security/esm\)
           - esm-infra: UA Infra: Extended Security Maintenance \(ESM\)
@@ -448,6 +461,7 @@ Feature: Command behaviour when attached to an UA subscription
             | xenial  | enabled      |
             | hirsute | n/a          |
             | impish  | n/a          |
++           | jammy   | n/a          |
      @series.lts
      @uses.config.machine_type.lxd.container
@@ -570,6 +584,7 @@ Feature: Command behaviour when attached to an UA subscription
             | focal   |
             | hirsute |
             | impish  |
++           | jammy   |
      @series.lts
      @uses.config.machine_type.lxd.container
@@ -591,6 +606,7 @@ Feature: Command behaviour when attached to an UA subscription
          # So the -error suffix does not appear there.
          Then stdout matches regexp:
          """
++        build.info
          cloud-id.txt
          jobs-status.json
          journalctl.txt
 diff --git a/features/attached_enable.feature b/features/attached_enable.feature
 index 289f048..2c29429 100644
 --- a/features/attached_enable.feature
 +++ b/features/attached_enable.feature
@@ -142,6 +142,7 @@ Feature: Enable command behaviour when attached to an UA subscription
             | xenial  |
             | hirsute |
             | impish  |
++           | jammy   |
      @series.lts
      @uses.config.machine_type.lxd.container
@@ -187,11 +188,12 @@ Feature: Enable command behaviour when attached to an UA subscription
             | focal   |
             | xenial  |
--    @series.lts
++    @series.xenial
++    @series.bionic
      @uses.config.machine_type.lxd.container
      Scenario Outline: Attached enable of cis service in a ubuntu machine
          Given a `<release>` machine with ubuntu-advantage-tools installed
--        When I attach `contract_token` with sudo
++        When I attach `contract_token_staging` with sudo
          And I verify that running `ua enable cis` `with sudo` exits `0`
          Then I will see the following on stdout:
              """
@@ -199,7 +201,7 @@ Feature: Enable command behaviour when attached to an UA subscription
              Updating package lists
              Installing CIS Audit packages
              CIS Audit enabled
--            Visit https://security-certs.docs.ubuntu.com/en/cis to learn how to use CIS
++            Visit https://ubuntu.com/security/cis to learn how to use CIS
              """
          When I run `apt-cache policy usg-cisbenchmark` as non-root
          Then stdout does not match regexp:
@@ -208,7 +210,7 @@ Feature: Enable command behaviour when attached to an UA subscription
          """
          And stdout matches regexp:
          """
--        \s* 500 https://esm.ubuntu.com/cis/ubuntu <release>/main amd64 Packages
++        \s* 500 https://esm.staging.ubuntu.com/cis/ubuntu <release>/main amd64 Packages
          """
          When I run `apt-cache policy usg-common` as non-root
          Then stdout does not match regexp:
@@ -217,7 +219,7 @@ Feature: Enable command behaviour when attached to an UA subscription
          """
          And stdout matches regexp:
          """
--        \s* 500 https://esm.ubuntu.com/cis/ubuntu <release>/main amd64 Packages
++        \s* 500 https://esm.staging.ubuntu.com/cis/ubuntu <release>/main amd64 Packages
          """
          When I verify that running `ua enable cis` `with sudo` exits `1`
          Then stdout matches regexp
@@ -256,29 +258,171 @@ Feature: Enable command behaviour when attached to an UA subscription
          CIS audit scan completed
          """
--        Examples: not entitled services
++        Examples: cis script
             | release | cis_script                                  |
--           | focal   | Canonical_Ubuntu_20.04_CIS-harden.sh        |
             | bionic  | Canonical_Ubuntu_18.04_CIS-harden.sh        |
             | xenial  | Canonical_Ubuntu_16.04_CIS_v1.1.0-harden.sh |
      @series.focal
--    @uses.config.machine_type.lxd.vm
--    Scenario: Attached enable of vm-based services in a focal lxd vm
--        Given a `focal` machine with ubuntu-advantage-tools installed
--        When I attach `contract_token` with sudo
--        Then I verify that running `ua enable fips --assume-yes` `with sudo` exits `1`
--        And I will see the following on stdout:
++    @uses.config.machine_type.lxd.container
++    Scenario Outline: Attached enable of cis service in a ubuntu machine
++        Given a `<release>` machine with ubuntu-advantage-tools installed
++        When I attach `contract_token_staging` with sudo
++        And I verify that running `ua enable cis` `with sudo` exits `0`
++        Then I will see the following on stdout:
              """
              One moment, checking your subscription first
--            FIPS is not available for Ubuntu 20.04 LTS (Focal Fossa).
++            From Ubuntu 20.04 and onwards 'ua enable cis' has been
++            replaced by 'ua enable usg'. See more information at:
++            https://ubuntu.com/security/certifications/docs/usg
++            Updating package lists
++            Installing CIS Audit packages
++            CIS Audit enabled
++            Visit https://ubuntu.com/security/cis to learn how to use CIS
              """
--        And I verify that running `ua enable fips-updates --assume-yes` `with sudo` exits `1`
--        And I will see the following on stdout:
++        When I run `apt-cache policy usg-cisbenchmark` as non-root
++        Then stdout does not match regexp:
++        """
++        .*Installed: \(none\)
++        """
++        And stdout matches regexp:
++        """
++        \s* 500 https://esm.staging.ubuntu.com/cis/ubuntu <release>/main amd64 Packages
++        """
++        When I run `apt-cache policy usg-common` as non-root
++        Then stdout does not match regexp:
++        """
++        .*Installed: \(none\)
++        """
++        And stdout matches regexp:
++        """
++        \s* 500 https://esm.staging.ubuntu.com/cis/ubuntu <release>/main amd64 Packages
++        """
++        When I verify that running `ua enable cis` `with sudo` exits `1`
++        Then stdout matches regexp
++        """
++        One moment, checking your subscription first
++        From Ubuntu 20.04 and onwards 'ua enable cis' has been
++        replaced by 'ua enable usg'. See more information at:
++        https://ubuntu.com/security/certifications/docs/usg
++        CIS Audit is already enabled.
++        See: sudo ua status
++        """
++        When I run `cis-audit level1_server` with sudo
++        Then stdout matches regexp
++        """
++        Title.*Ensure no duplicate UIDs exist
++        Rule.*xccdf_com.ubuntu.<release>.cis_rule_CIS-.*
++        Result.*pass
++        """
++        And stdout matches regexp:
++        """
++        Title.*Ensure default user umask is 027 or more restrictive
++        Rule.*xccdf_com.ubuntu.<release>.cis_rule_CIS-.*
++        Result.*fail
++        """
++        And stdout matches regexp
++        """
++        CIS audit scan completed
++        """
++        When I verify that running `/usr/share/ubuntu-scap-security-guides/cis-hardening/<cis_script> lvl1_server` `with sudo` exits `0`
++        And I run `cis-audit level1_server` with sudo
++        Then stdout matches regexp:
++        """
++        Title.*Ensure default user umask is 027 or more restrictive
++        Rule.*xccdf_com.ubuntu.<release>.cis_rule_CIS-.*
++        Result.*pass
++        """
++        And stdout matches regexp
++        """
++        CIS audit scan completed
++        """
++
++        Examples: cis script
++           | release | cis_script                                  |
++           | focal   | Canonical_Ubuntu_20.04_CIS-harden.sh        |
++
++    @series.bionic
++    @series.xenial
++    @uses.config.machine_type.lxd.container
++    Scenario Outline: Attached enable of usg service in a ubuntu machine
++        Given a `<release>` machine with ubuntu-advantage-tools installed
++        When I attach `contract_token_staging` with sudo
++        And I verify that running `ua enable usg` `with sudo` exits `1`
++        Then I will see the following on stdout:
              """
              One moment, checking your subscription first
--            FIPS Updates is not available for Ubuntu 20.04 LTS (Focal Fossa).
              """
++        Then I will see the following on stderr:
++            """
++            Cannot enable unknown service 'usg'.
++            Try cc-eal, cis, esm-infra, fips, fips-updates, livepatch.
++            """
++
++        Examples: cis service
++           | release |
++           | bionic  |
++           | xenial  |
++
++    @series.focal
++    @uses.config.machine_type.lxd.container
++    Scenario Outline: Attached enable of usg service in a focal machine
++        Given a `<release>` machine with ubuntu-advantage-tools installed
++        When I attach `contract_token_staging` with sudo
++        And I run `ua enable usg` with sudo
++        Then I will see the following on stdout:
++            """
++            One moment, checking your subscription first
++            Updating package lists
++            Ubuntu Security Guide enabled
++            Visit https://ubuntu.com/security/certifications/docs/usg for the next steps
++            """
++        When I run `ua status` with sudo
++        Then stdout matches regexp:
++            """
++            usg         +yes    +enabled   +Security compliance and audit tools
++            """
++        When I run `ua disable usg` with sudo
++        Then stdout matches regexp:
++            """
++            Updating package lists
++            """
++        When I run `ua status` with sudo
++        Then stdout matches regexp:
++            """
++            usg         +yes    +disabled   +Security compliance and audit tools
++            """
++        When I run `ua enable cis` with sudo
++        Then I will see the following on stdout:
++            """
++            One moment, checking your subscription first
++            From Ubuntu 20.04 and onwards 'ua enable cis' has been
++            replaced by 'ua enable usg'. See more information at:
++            https://ubuntu.com/security/certifications/docs/usg
++            Updating package lists
++            Installing CIS Audit packages
++            CIS Audit enabled
++            Visit https://ubuntu.com/security/cis to learn how to use CIS
++            """
++        When I run `ua status` with sudo
++        Then stdout matches regexp:
++            """
++            usg         +yes    +enabled   +Security compliance and audit tools
++            """
++        When I run `ua disable usg` with sudo
++        Then stdout matches regexp:
++            """
++            Updating package lists
++            """
++        When I run `ua status` with sudo
++        Then stdout matches regexp:
++            """
++            usg         +yes    +disabled   +Security compliance and audit tools
++            """
++
++        Examples: cis service
++           | release |
++           | focal  |
      @series.bionic
      @series.xenial
@@ -289,7 +433,6 @@ Feature: Enable command behaviour when attached to an UA subscription
          And I run `ua status` with sudo
          Then stdout matches regexp:
          """
--        cis          +yes      +disabled +Center for Internet Security Audit Tools
          esm-apps     +yes      +enabled  +UA Apps: Extended Security Maintenance \(ESM\)
          esm-infra    +yes      +enabled  +UA Infra: Extended Security Maintenance \(ESM\)
          fips         +yes      +disabled +NIST-certified core packages
@@ -306,7 +449,6 @@ Feature: Enable command behaviour when attached to an UA subscription
          When I run `ua status` with sudo
          Then stdout matches regexp:
          """
--        cis          +yes      +disabled +Center for Internet Security Audit Tools
          esm-apps     +yes      +enabled  +UA Apps: Extended Security Maintenance \(ESM\)
          esm-infra    +yes      +enabled  +UA Infra: Extended Security Maintenance \(ESM\)
          fips         +yes      +disabled +NIST-certified core packages
 diff --git a/features/attached_status.feature b/features/attached_status.feature
 index db826a7..78483ed 100644
 --- a/features/attached_status.feature
 +++ b/features/attached_status.feature
@@ -11,14 +11,14 @@ Feature: Attached status
              """
              _doc _schema_version account attached config config_path contract effective
              environment_vars execution_details execution_status expires machine_id notices
--            services version
++            services version simulated
              """
          When I run `ua status --format yaml` as non-root
          Then stdout is formatted as `yaml` and has keys:
              """
              _doc _schema_version account attached config config_path contract effective
              environment_vars execution_details execution_status expires machine_id notices
--            services version
++            services version simulated
              """
          Examples: ubuntu release
@@ -28,3 +28,4 @@ Feature: Attached status
             | xenial  |
             | hirsute |
             | impish  |
++           | jammy   |
 diff --git a/features/install_uninstall.feature b/features/install_uninstall.feature
 index 586f2ef..66426c8 100644
 --- a/features/install_uninstall.feature
 +++ b/features/install_uninstall.feature
@@ -14,6 +14,7 @@ Feature: UA Install and Uninstall related tests
             | focal   |
             | hirsute |
             | impish  |
++           | jammy   |
      @series.lts
      @uses.config.contract_token
 diff --git a/features/license_check.feature b/features/license_check.feature
 index 37c5bd0..4f41279 100644
 --- a/features/license_check.feature
 +++ b/features/license_check.feature
@@ -92,6 +92,7 @@ Feature: License check timer only runs in environments where necessary
              | focal   |
              | hirsute |
              | impish  |
++            | jammy   |
      @series.lts
      @uses.config.machine_type.aws.pro
 diff --git a/features/steps/steps.py b/features/steps/steps.py
 index e69595b..2c0d5bf 100644
 --- a/features/steps/steps.py
 +++ b/features/steps/steps.py
@@ -229,6 +229,20 @@ def when_i_run_command_with_stdin(
+     )
++@when("I do a preflight check for `{contract_token}` {user_spec}")
++def when_i_preflight(context, contract_token, user_spec):
++    token = getattr(context.config, contract_token)
++    command = "ua status --simulate-with-token {}".format(token)
++    if user_spec == "with the all flag":
++        command += " --all"
++    if "formatted as" in user_spec:
++        output_format = user_spec.split()[2]
++        command += " --format {}".format(output_format)
++    when_i_run_command(
++        context=context, command=command, user_spec="as non-root"
++    )
++
++
  @when("I run `{command}` {user_spec}")
  def when_i_run_command(
      context,
 diff --git a/features/ubuntu_pro.feature b/features/ubuntu_pro.feature
 index fca719a..cd95c86 100644
 --- a/features/ubuntu_pro.feature
 +++ b/features/ubuntu_pro.feature
@@ -27,13 +27,19 @@ Feature: Command behaviour when auto-attached in an ubuntu PRO image
              """
              SERVICE       ENTITLED  STATUS    DESCRIPTION
              cc-eal        +yes +<cc-eal-s>  +Common Criteria EAL2 Provisioning Packages
--            cis           +yes  +<cis-s>  +Center for Internet Security Audit Tools
++            """
++        Then stdout matches regexp:
++            """
              esm-apps      +yes +enabled +UA Apps: Extended Security Maintenance \(ESM\)
              esm-infra     +yes +enabled +UA Infra: Extended Security Maintenance \(ESM\)
              fips          +yes +<fips-s> +NIST-certified core packages
              fips-updates  +yes +<fips-s> +NIST-certified core packages with priority security updates
              livepatch     +yes +enabled  +Canonical Livepatch service
              """
++        Then stdout matches regexp:
++            """
++            <cis_or_usg>           +yes  +<cis-s>  +Security compliance and audit tools
++            """
          When I run `cat /var/log/squid/access.log` `with sudo` on the `proxy` machine
          Then stdout matches regexp:
          """
@@ -44,10 +50,10 @@ Feature: Command behaviour when auto-attached in an ubuntu PRO image
          .*CONNECT 169.254.169.254.*
          """
          Examples: ubuntu release
--           | release | fips-s   | cc-eal-s | cis-s    |
--           | xenial  | disabled | disabled | disabled |
--           | bionic  | disabled | n/a      | disabled |
--           | focal   | n/a      | n/a      | disabled |
++           | release | fips-s   | cc-eal-s | cis-s    | cis_or_usg |
++           | xenial  | disabled | disabled | disabled | cis        |
++           | bionic  | disabled | n/a      | disabled | cis        |
++           | focal   | n/a      | n/a      | disabled | usg        |
      @series.lts
      @uses.config.machine_type.azure.pro
@@ -76,13 +82,19 @@ Feature: Command behaviour when auto-attached in an ubuntu PRO image
              """
              SERVICE       ENTITLED  STATUS    DESCRIPTION
              cc-eal        +yes +<cc-eal-s>  +Common Criteria EAL2 Provisioning Packages
--            cis           +yes  +<cis-s>  +Center for Internet Security Audit Tools
++            """
++        Then stdout matches regexp:
++            """
              esm-apps      +yes +enabled +UA Apps: Extended Security Maintenance \(ESM\)
              esm-infra     +yes +enabled +UA Infra: Extended Security Maintenance \(ESM\)
              fips          +yes +<fips-s> +NIST-certified core packages
              fips-updates  +yes +<fips-s> +NIST-certified core packages with priority security updates
              livepatch     +yes +<livepatch-s>  +Canonical Livepatch service
              """
++        Then stdout matches regexp:
++            """
++            <cis_or_usg>           +yes  +<cis-s>  +Security compliance and audit tools
++            """
          When I run `cat /var/log/squid/access.log` `with sudo` on the `proxy` machine
          Then stdout matches regexp:
          """
@@ -93,10 +105,10 @@ Feature: Command behaviour when auto-attached in an ubuntu PRO image
          .*CONNECT 169.254.169.254.*
          """
          Examples: ubuntu release
--           | release | fips-s   | cc-eal-s | cis-s    | livepatch-s |
--           | xenial  | n/a      | disabled | disabled | enabled     |
--           | bionic  | disabled | n/a      | disabled | n/a         |
--           | focal   | n/a      | n/a      | disabled | enabled     |
++           | release | fips-s   | cc-eal-s | cis-s    | livepatch-s | cis_or_usg |
++           | xenial  | n/a      | disabled | disabled | enabled     | cis        |
++           | bionic  | disabled | n/a      | disabled | n/a         | cis        |
++           | focal   | n/a      | n/a      | disabled | enabled     | usg        |
      @series.lts
      @uses.config.machine_type.gcp.pro
@@ -125,13 +137,19 @@ Feature: Command behaviour when auto-attached in an ubuntu PRO image
              """
              SERVICE       ENTITLED  STATUS    DESCRIPTION
              cc-eal        +yes +<cc-eal-s>  +Common Criteria EAL2 Provisioning Packages
--            cis           +yes  +<cis-s>  +Center for Internet Security Audit Tools
++            """
++        Then stdout matches regexp:
++            """
              esm-apps      +yes +enabled +UA Apps: Extended Security Maintenance \(ESM\)
              esm-infra     +yes +enabled +UA Infra: Extended Security Maintenance \(ESM\)
              fips          +yes +<fips-s> +NIST-certified core packages
              fips-updates  +yes +<fips-s> +NIST-certified core packages with priority security updates
              livepatch     +yes +<livepatch-s> +Canonical Livepatch service
              """
++        Then stdout matches regexp:
++            """
++            <cis_or_usg>           +yes  +<cis-s>  +Security compliance and audit tools
++            """
          When I run `cat /var/log/squid/access.log` `with sudo` on the `proxy` machine
          Then stdout matches regexp:
          """
@@ -142,10 +160,10 @@ Feature: Command behaviour when auto-attached in an ubuntu PRO image
          .*CONNECT metadata.*
          """
          Examples: ubuntu release
--           | release | fips-s   | cc-eal-s | cis-s    | livepatch-s |
--           | xenial  | n/a      | disabled | disabled | n/a         |
--           | bionic  | disabled | n/a      | disabled | n/a         |
--           | focal   | n/a      | n/a      | disabled | enabled     |
++           | release | fips-s   | cc-eal-s | cis-s    | livepatch-s | cis_or_usg |
++           | xenial  | n/a      | disabled | disabled | n/a         | cis        |
++           | bionic  | disabled | n/a      | disabled | n/a         | cis        |
++           | focal   | n/a      | n/a      | disabled | enabled     | usg        |
      @series.lts
      @uses.config.machine_type.aws.pro
@@ -165,27 +183,52 @@ Feature: Command behaviour when auto-attached in an ubuntu PRO image
              """
              SERVICE       ENTITLED  STATUS    DESCRIPTION
              cc-eal        +yes +<cc-eal-s>  +Common Criteria EAL2 Provisioning Packages
--            cis           +yes  +<cis-s>  +Center for Internet Security Audit Tools
++            """
++        Then stdout matches regexp:
++            """
              esm-apps      +yes +enabled +UA Apps: Extended Security Maintenance \(ESM\)
              esm-infra     +yes +enabled +UA Infra: Extended Security Maintenance \(ESM\)
              fips          +yes +<fips-s> +NIST-certified core packages
              fips-updates  +yes +<fips-s> +NIST-certified core packages with priority security updates
              livepatch     +yes +enabled  +Canonical Livepatch service
              """
++        Then stdout matches regexp:
++            """
++            <cis_or_usg>           +yes  +<cis-s>  +Security compliance and audit tools
++            """
          When I run `ua status --all` as non-root
          Then stdout matches regexp:
              """
              SERVICE       ENTITLED  STATUS    DESCRIPTION
              cc-eal        +yes +<cc-eal-s>  +Common Criteria EAL2 Provisioning Packages
--            cis           +yes  +<cis-s>  +Center for Internet Security Audit Tools
++            """
++        Then stdout matches regexp:
++            """
              esm-apps      +yes +enabled +UA Apps: Extended Security Maintenance \(ESM\)
              esm-infra     +yes +enabled +UA Infra: Extended Security Maintenance \(ESM\)
              fips          +yes +<fips-s> +NIST-certified core packages
              fips-updates  +yes +<fips-s> +NIST-certified core packages with priority security updates
              livepatch     +yes +enabled  +Canonical Livepatch service
--            ros           +no  +(-|—) +Security Updates for the Robot Operating System
--            ros-updates   +no  +(-|—) +All Updates for the Robot Operating System
              """
++        Then stdout matches regexp:
++            """
++            <cis_or_usg>           +yes  +<cis-s>  +Security compliance and audit tools
++            """
++        When I run `systemctl start ua-auto-attach.service` with sudo
++        And I verify that running `systemctl status ua-auto-attach.service` `as non-root` exits `0,3`
++        Then stdout matches regexp:
++        """
++        .*status=0\/SUCCESS.*
++        """
++        And stdout matches regexp:
++        """
++        Skipping attach: Instance '[0-9a-z\-]+' is already attached.
++        """
++        When I run `ua auto-attach` with sudo
++        Then stderr matches regexp:
++        """
++        Skipping attach: Instance '[0-9a-z\-]+' is already attached.
++        """
          When I run `apt-cache policy` with sudo
          Then apt-cache policy for the following url has permission `500`
          """
@@ -235,10 +278,10 @@ Feature: Command behaviour when auto-attached in an ubuntu PRO image
              """
          Examples: ubuntu release
--           | release | fips-s   | cc-eal-s | cis-s    | infra-pkg | apps-pkg |
--           | xenial  | disabled | disabled | disabled | libkrad0  | jq       |
--           | bionic  | disabled | n/a      | disabled | libkrad0  | bundler  |
--           | focal   | n/a      | n/a      | disabled | hello     | ant      |
++           | release | fips-s   | cc-eal-s | cis-s    | infra-pkg | apps-pkg | cis_or_usg |
++           | xenial  | disabled | disabled | disabled | libkrad0  | jq       | cis        |
++           | bionic  | disabled | n/a      | disabled | libkrad0  | bundler  | cis        |
++           | focal   | n/a      | n/a      | disabled | hello     | ant      | usg        |
      @series.lts
      @uses.config.machine_type.azure.pro
@@ -258,27 +301,52 @@ Feature: Command behaviour when auto-attached in an ubuntu PRO image
              """
              SERVICE       ENTITLED  STATUS    DESCRIPTION
              cc-eal        +yes +<cc-eal-s>  +Common Criteria EAL2 Provisioning Packages
--            cis           +yes +<cis-s> +Center for Internet Security Audit Tools
++            """
++        Then stdout matches regexp:
++            """
              esm-apps      +yes +enabled +UA Apps: Extended Security Maintenance \(ESM\)
              esm-infra     +yes +enabled +UA Infra: Extended Security Maintenance \(ESM\)
              fips          +yes +<fips-s> +NIST-certified core packages
              fips-updates  +yes +<fips-s> +NIST-certified core packages with priority security updates
              livepatch     +yes +<livepatch>  +Canonical Livepatch service
              """
++        Then stdout matches regexp:
++            """
++            <cis_or_usg>           +yes +<cis-s> +Security compliance and audit tools
++            """
          When I run `ua status --all` as non-root
          Then stdout matches regexp:
              """
              SERVICE       ENTITLED  STATUS    DESCRIPTION
              cc-eal        +yes +<cc-eal-s>  +Common Criteria EAL2 Provisioning Packages
--            cis           +yes  +<cis-s>  +Center for Internet Security Audit Tools
++            """
++        Then stdout matches regexp:
++            """
              esm-apps      +yes +enabled +UA Apps: Extended Security Maintenance \(ESM\)
              esm-infra     +yes +enabled +UA Infra: Extended Security Maintenance \(ESM\)
              fips          +yes +<fips-s> +NIST-certified core packages
              fips-updates  +yes +<fips-s> +NIST-certified core packages with priority security updates
              livepatch     +yes +<livepatch>  +Canonical Livepatch service
--            ros           +no  +(-|—) +Security Updates for the Robot Operating System
--            ros-updates   +no  +(-|—) +All Updates for the Robot Operating System
              """
++        Then stdout matches regexp:
++            """
++            <cis_or_usg>           +yes  +<cis-s>  +Security compliance and audit tools
++            """
++        When I run `systemctl start ua-auto-attach.service` with sudo
++        And I verify that running `systemctl status ua-auto-attach.service` `as non-root` exits `0,3`
++        Then stdout matches regexp:
++        """
++        .*status=0\/SUCCESS.*
++        """
++        And stdout matches regexp:
++        """
++        Skipping attach: Instance '[0-9a-z\-]+' is already attached.
++        """
++        When I run `ua auto-attach` with sudo
++        Then stderr matches regexp:
++        """
++        Skipping attach: Instance '[0-9a-z\-]+' is already attached.
++        """
          When I run `apt-cache policy` with sudo
          Then apt-cache policy for the following url has permission `500`
          """
@@ -328,10 +396,10 @@ Feature: Command behaviour when auto-attached in an ubuntu PRO image
              """
          Examples: ubuntu release
--           | release | fips-s   | cc-eal-s | cis-s    | infra-pkg | apps-pkg | livepatch |
--           | xenial  | n/a      | disabled | disabled | libkrad0  | jq       | enabled   |
--           | bionic  | disabled | n/a      | disabled | libkrad0  | bundler  | n/a       |
--           | focal   | n/a      | n/a      | disabled | hello     | ant      | enabled   |
++           | release | fips-s   | cc-eal-s | cis-s    | infra-pkg | apps-pkg | livepatch | cis_or_usg |
++           | xenial  | n/a      | disabled | disabled | libkrad0  | jq       | enabled   | cis        |
++           | bionic  | disabled | n/a      | disabled | libkrad0  | bundler  | n/a       | cis        |
++           | focal   | n/a      | n/a      | disabled | hello     | ant      | enabled   | usg        |
      @series.lts
      @uses.config.machine_type.gcp.pro
@@ -351,27 +419,52 @@ Feature: Command behaviour when auto-attached in an ubuntu PRO image
              """
              SERVICE       ENTITLED  STATUS    DESCRIPTION
              cc-eal        +yes +<cc-eal-s>  +Common Criteria EAL2 Provisioning Packages
--            cis           +yes +<cis-s> +Center for Internet Security Audit Tools
++            """
++        Then stdout matches regexp:
++            """
              esm-apps      +yes +enabled +UA Apps: Extended Security Maintenance \(ESM\)
              esm-infra     +yes +enabled +UA Infra: Extended Security Maintenance \(ESM\)
              fips          +yes +<fips-s> +NIST-certified core packages
              fips-updates  +yes +<fips-s> +NIST-certified core packages with priority security updates
              livepatch     +yes +<livepatch>  +Canonical Livepatch service
              """
++        Then stdout matches regexp:
++            """
++            <cis_or_usg>           +yes +<cis-s> +Security compliance and audit tools
++            """
          When I run `ua status --all` as non-root
          Then stdout matches regexp:
              """
              SERVICE       ENTITLED  STATUS    DESCRIPTION
              cc-eal        +yes +<cc-eal-s>  +Common Criteria EAL2 Provisioning Packages
--            cis           +yes  +<cis-s>  +Center for Internet Security Audit Tools
++            """
++        Then stdout matches regexp:
++            """
              esm-apps      +yes +enabled +UA Apps: Extended Security Maintenance \(ESM\)
              esm-infra     +yes +enabled +UA Infra: Extended Security Maintenance \(ESM\)
              fips          +yes +<fips-s> +NIST-certified core packages
              fips-updates  +yes +<fips-s> +NIST-certified core packages with priority security updates
              livepatch     +yes +<livepatch>  +Canonical Livepatch service
--            ros           +no  +(-|—) +Security Updates for the Robot Operating System
--            ros-updates   +no  +(-|—) +All Updates for the Robot Operating System
              """
++        Then stdout matches regexp:
++            """
++            <cis_or_usg>           +yes  +<cis-s>  +Security compliance and audit tools
++            """
++        When I run `systemctl start ua-auto-attach.service` with sudo
++        And I verify that running `systemctl status ua-auto-attach.service` `as non-root` exits `0,3`
++        Then stdout matches regexp:
++        """
++        .*status=0\/SUCCESS.*
++        """
++        And stdout matches regexp:
++        """
++        Skipping attach: Instance '[0-9a-z\-]+' is already attached.
++        """
++        When I run `ua auto-attach` with sudo
++        Then stderr matches regexp:
++        """
++        Skipping attach: Instance '[0-9a-z\-]+' is already attached.
++        """
          When I run `apt-cache policy` with sudo
          Then apt-cache policy for the following url has permission `500`
          """
@@ -421,7 +514,7 @@ Feature: Command behaviour when auto-attached in an ubuntu PRO image
              """
          Examples: ubuntu release
--           | release | fips-s   | cc-eal-s | cis-s    | infra-pkg | apps-pkg | livepatch |
--           | xenial  | n/a      | disabled | disabled | libkrad0  | jq       | n/a       |
--           | bionic  | disabled | n/a      | disabled | libkrad0  | bundler  | n/a       |
--           | focal   | n/a      | n/a      | disabled | hello     | ant      | enabled   |
++           | release | fips-s   | cc-eal-s | cis-s    | infra-pkg | apps-pkg | livepatch | cis_or_usg |
++           | xenial  | n/a      | disabled | disabled | libkrad0  | jq       | n/a       | cis        |
++           | bionic  | disabled | n/a      | disabled | libkrad0  | bundler  | n/a       | cis        |
++           | focal   | n/a      | n/a      | disabled | hello     | ant      | enabled   | usg        |
 diff --git a/features/ubuntu_upgrade.feature b/features/ubuntu_upgrade.feature
 index d565d77..d987975 100644
 --- a/features/ubuntu_upgrade.feature
 +++ b/features/ubuntu_upgrade.feature
@@ -162,3 +162,44 @@ Feature: Upgrade between releases when uaclient is attached
          | release | next_release | fips-service  | fips-name    | source-file         |
          | xenial  | bionic       | fips          | FIPS         | ubuntu-fips         |
          | xenial  | bionic       | fips-updates  | FIPS Updates | ubuntu-fips-updates |
++
++    @slow
++    @series.bionic
++    @uses.config.machine_type.lxd.container
++    @upgrade
++    Scenario Outline: Attached upgrade with cis enabled across LTS releases
++        Given a `<release>` machine with ubuntu-advantage-tools installed
++        When I attach `contract_token_staging` with sudo
++        And I run `ua enable cis` with sudo
++        # update-manager-core requires ua < 28. Our tests that build the package will
++        # generate ua with version 28. We are removing that package here to make sure
++        # do-release-upgrade will be able to run
++        And I run `apt remove update-manager-core -y` with sudo
++        And I run `apt-get dist-upgrade --assume-yes` with sudo
++        # Some packages upgrade may require a reboot
++        And I reboot the `<release>` machine
++        And I create the file `/etc/update-manager/release-upgrades.d/ua-test.cfg` with the following
++        """
++        [Sources]
++        AllowThirdParty=yes
++        """
++        Then I verify that running `do-release-upgrade --frontend DistUpgradeViewNonInteractive` `with sudo` exits `0`
++        When I reboot the `<release>` machine
++        And I run `lsb_release -cs` as non-root
++        Then I will see the following on stdout:
++        """
++        <next_release>
++        """
++        And I verify that running `egrep "<release>|disabled" /etc/apt/sources.list.d/*` `as non-root` exits `2`
++        And I will see the following on stdout:
++        """
++        """
++        When I run `ua status` with sudo
++        Then stdout matches regexp:
++        """
++        usg     +yes                +enabled
++        """
++
++        Examples: ubuntu release
++        | release | next_release |
++        | bionic  | focal        |
 diff --git a/features/ubuntu_upgrade_unattached.feature b/features/ubuntu_upgrade_unattached.feature
 index 9db750f..5195d2b 100644
 --- a/features/ubuntu_upgrade_unattached.feature
 +++ b/features/ubuntu_upgrade_unattached.feature
@@ -73,7 +73,7 @@ Feature: Upgrade between releases when uaclient is unattached
          When I run `ua status` with sudo
          Then stdout matches regexp:
          """
--        cis           yes      +Center for Internet Security Audit Tools
++        cis           yes      +Security compliance and audit tools
          esm-infra     yes      +UA Infra: Extended Security Maintenance \(ESM\)
          """
          When I attach `contract_token` with sudo
 diff --git a/features/unattached_commands.feature b/features/unattached_commands.feature
 index 77a90e0..bda7597 100644
 --- a/features/unattached_commands.feature
 +++ b/features/unattached_commands.feature
@@ -29,6 +29,7 @@ Feature: Command behaviour when unattached
             | xenial  |
             | hirsute |
             | impish  |
++           | jammy   |
      @series.xenial
      @uses.config.machine_type.lxd.container
@@ -134,6 +135,8 @@ Feature: Command behaviour when unattached
             | hirsute | refresh |
             | impish  | detach  |
             | impish  | refresh |
++           | jammy   | detach  |
++           | jammy   | refresh |
      @series.all
      @uses.config.machine_type.lxd.container
@@ -174,6 +177,10 @@ Feature: Command behaviour when unattached
             | impish  | disable  | livepatch |
             | impish  | enable   | unknown   |
             | impish  | disable  | unknown   |
++           | jammy  | enable   | livepatch |
++           | jammy  | disable  | livepatch |
++           | jammy  | enable   | unknown   |
++           | jammy  | disable  | unknown   |
      @series.all
      @uses.config.machine_type.lxd.container
@@ -215,6 +222,7 @@ Feature: Command behaviour when unattached
             | xenial   | yes          |
             | hirsute  | no           |
             | impish   | no           |
++           | jammy    | no           |
      @series.all
@@ -223,18 +231,18 @@ Feature: Command behaviour when unattached
          Given a `<release>` machine with ubuntu-advantage-tools installed
          When I run `apt remove ca-certificates -y` with sudo
          When I verify that running `ua fix CVE-1800-123456` `as non-root` exits `1`
--        Then I will see the following on stderr:
++        Then stderr matches regexp:
              """
--            Failed to access URL: https://ubuntu.com/security/cves/CVE-1800-123456.json
++            Failed to access URL: https://.*
              Cannot verify certificate of server
              Please install "ca-certificates" and try again.
              """
          When I run `apt install ca-certificates -y` with sudo
          When I run `mv /etc/ssl/certs /etc/ssl/wronglocation` with sudo
          When I verify that running `ua fix CVE-1800-123456` `as non-root` exits `1`
--        Then I will see the following on stderr:
++        Then stderr matches regexp:
              """
--            Failed to access URL: https://ubuntu.com/security/cves/CVE-1800-123456.json
++            Failed to access URL: https://.*
              Cannot verify certificate of server
              Please check your openssl configuration.
              """
@@ -245,6 +253,7 @@ Feature: Command behaviour when unattached
             | focal   |
             | hirsute |
             | impish  |
++           | jammy   |
      @series.focal
      @uses.config.machine_type.lxd.container
@@ -503,6 +512,7 @@ Feature: Command behaviour when unattached
          When I run `ls -1 logs/` as non-root
          Then stdout matches regexp:
          """
++        build.info
          cloud-id.txt
          jobs-status.json
          journalctl.txt
@@ -527,3 +537,4 @@ Feature: Command behaviour when unattached
            | focal   |
            | hirsute |
            | impish  |
++          | jammy   |
 diff --git a/features/unattached_status.feature b/features/unattached_status.feature
 index 5d26e27..7284afb 100644
 --- a/features/unattached_status.feature
 +++ b/features/unattached_status.feature
@@ -9,14 +9,14 @@ Feature: Unattached status
              """
              _doc _schema_version account attached config config_path contract effective
              environment_vars execution_details execution_status expires machine_id notices
--            services version
++            services version simulated
              """
          When I run `ua status --format yaml` as non-root
          Then stdout is formatted as `yaml` and has keys:
              """
              _doc _schema_version account attached config config_path contract effective
              environment_vars execution_details execution_status expires machine_id notices
--            services version
++            services version simulated
              """
          Examples: ubuntu release
@@ -26,21 +26,24 @@ Feature: Unattached status
             | xenial  |
             | hirsute |
             | impish  |
++           | jammy   |
      @series.all
      @uses.config.machine_type.lxd.container
      Scenario Outline: Unattached status in a ubuntu machine
          Given a `<release>` machine with ubuntu-advantage-tools installed
++        When I run `sed -i 's/contracts.can/contracts.staging.can/' /etc/ubuntu-advantage/uaclient.conf` with sudo
          When I run `ua status` as non-root
          Then stdout matches regexp:
              """
              SERVICE       AVAILABLE  DESCRIPTION
              cc-eal        <cc-eal>    +Common Criteria EAL2 Provisioning Packages
--            cis           <cis>       +Center for Internet Security Audit Tools
--            esm-infra     <infra>     +UA Infra: Extended Security Maintenance \(ESM\)
++            ?<cis>( +<cis-available> +Security compliance and audit tools)?
++            ?esm-infra     <esm-infra>     +UA Infra: Extended Security Maintenance \(ESM\)
              fips          <fips>      +NIST-certified core packages
              fips-updates  <fips>      +NIST-certified core packages with priority security updates
              livepatch     <livepatch> +Canonical Livepatch service
++            ?<usg>( +<cis-available> +Security compliance and audit tools)?
              This machine is not attached to a UA subscription.
              See https://ubuntu.com/advantage
@@ -50,14 +53,15 @@ Feature: Unattached status
              """
              SERVICE       AVAILABLE  DESCRIPTION
              cc-eal        <cc-eal>    +Common Criteria EAL2 Provisioning Packages
--            cis           <cis>       +Center for Internet Security Audit Tools
--            esm-apps      <esm-apps>  +UA Apps: Extended Security Maintenance \(ESM\)
--            esm-infra     <infra>     +UA Infra: Extended Security Maintenance \(ESM\)
++            ?<cis>( +<cis-available> +Security compliance and audit tools)?
++            ?esm-apps      <esm-apps>  +UA Apps: Extended Security Maintenance \(ESM\)
++            esm-infra     <esm-infra>     +UA Infra: Extended Security Maintenance \(ESM\)
              fips          <fips>      +NIST-certified core packages
              fips-updates  <fips>      +NIST-certified core packages with priority security updates
              livepatch     <livepatch> +Canonical Livepatch service
              ros           <ros>       +Security Updates for the Robot Operating System
              ros-updates   <ros>       +All Updates for the Robot Operating System
++            ?<usg>( +<cis-available> +Security compliance and audit tools)?
              This machine is not attached to a UA subscription.
              See https://ubuntu.com/advantage
@@ -67,11 +71,12 @@ Feature: Unattached status
              """
              SERVICE       AVAILABLE  DESCRIPTION
              cc-eal        <cc-eal>    +Common Criteria EAL2 Provisioning Packages
--            cis           <cis>       +Center for Internet Security Audit Tools
--            esm-infra     <infra>     +UA Infra: Extended Security Maintenance \(ESM\)
++            ?<cis>( +<cis-available> +Security compliance and audit tools)?
++            ?esm-infra     <esm-infra>     +UA Infra: Extended Security Maintenance \(ESM\)
              fips          <fips>      +NIST-certified core packages
              fips-updates  <fips>      +NIST-certified core packages with priority security updates
              livepatch     <livepatch> +Canonical Livepatch service
++            ?<usg>( +<cis-available> +Security compliance and audit tools)?
              This machine is not attached to a UA subscription.
              See https://ubuntu.com/advantage
@@ -81,14 +86,15 @@ Feature: Unattached status
              """
              SERVICE       AVAILABLE  DESCRIPTION
              cc-eal        <cc-eal>    +Common Criteria EAL2 Provisioning Packages
--            cis           <cis>       +Center for Internet Security Audit Tools
--            esm-apps      <esm-apps>  +UA Apps: Extended Security Maintenance \(ESM\)
--            esm-infra     <infra>     +UA Infra: Extended Security Maintenance \(ESM\)
++            ?<cis>( +<cis-available> +Security compliance and audit tools)?
++            ?esm-apps      <esm-apps>  +UA Apps: Extended Security Maintenance \(ESM\)
++            esm-infra     <esm-infra>     +UA Infra: Extended Security Maintenance \(ESM\)
              fips          <fips>      +NIST-certified core packages
              fips-updates  <fips>      +NIST-certified core packages with priority security updates
              livepatch     <livepatch> +Canonical Livepatch service
              ros           <ros>       +Security Updates for the Robot Operating System
              ros-updates   <ros>       +All Updates for the Robot Operating System
++            ?<usg>( +<cis-available> +Security compliance and audit tools)?
              This machine is not attached to a UA subscription.
              See https://ubuntu.com/advantage
@@ -103,23 +109,83 @@ Feature: Unattached status
              """
              SERVICE       AVAILABLE  DESCRIPTION
              cc-eal        <cc-eal>    +Common Criteria EAL2 Provisioning Packages
--            cis           <cis>       +Center for Internet Security Audit Tools
--            esm-apps      <esm-apps>  +UA Apps: Extended Security Maintenance \(ESM\)
--            esm-infra     <infra>     +UA Infra: Extended Security Maintenance \(ESM\)
++            ?<cis>( +<cis-available> +Security compliance and audit tools)?
++            ?esm-apps      <esm-apps>  +UA Apps: Extended Security Maintenance \(ESM\)
++            esm-infra     <esm-infra>     +UA Infra: Extended Security Maintenance \(ESM\)
              fips          <fips>      +NIST-certified core packages
              fips-updates  <fips>      +NIST-certified core packages with priority security updates
              livepatch     <livepatch> +Canonical Livepatch service
              ros           <ros>       +Security Updates for the Robot Operating System
              ros-updates   <ros>       +All Updates for the Robot Operating System
++            ?<usg>( +<cis-available> +Security compliance and audit tools)?
              This machine is not attached to a UA subscription.
              See https://ubuntu.com/advantage
              """
          Examples: ubuntu release
--           | release | esm-apps | cc-eal | cis | fips | fips-update | infra | ros | livepatch |
--           | xenial  | yes      | yes    | yes | yes  | yes         | yes   | yes | yes       |
--           | bionic  | yes      | no     | yes | yes  | yes         | yes   | yes  | yes       |
--           | focal   | yes      | no     | yes | yes  | yes         | yes   | no  | yes       |
--           | hirsute | no       | no     | no  | no   | no          | no    | no  | no        |
--           | impish  | no       | no     | no  | no   | no          | no    | no  | no        |
++           | release | esm-apps | cc-eal | cis | cis-available | fips | esm-infra | ros | livepatch | usg |
++           | xenial  | yes      | yes    | cis | yes           | yes  | yes       | yes | yes       |     |
++           | bionic  | yes      | no     | cis | yes           | yes  | yes       | yes | yes       |     |
++           | focal   | yes      | no     |     | yes           | yes  | yes       | no  | yes       | usg |
++           | hirsute | no       | no     | cis | yes           | no   | no        | no  | no        |     |
++           | impish  | no       | no     | cis | yes           | no   | no        | no  | no        |     |
++           | jammy   | no       | no     | cis | yes           | no   | no        | no  | no        |     |
++
++    @series.all
++    @uses.config.machine_type.lxd.container
++    @uses.config.contract_token
++    Scenario Outline: Simulate status in a ubuntu machine
++        Given a `<release>` machine with ubuntu-advantage-tools installed
++        When I run `sed -i 's/contracts.can/contracts.staging.can/' /etc/ubuntu-advantage/uaclient.conf` with sudo
++        When I do a preflight check for `contract_token_staging` without the all flag
++        Then stdout matches regexp:
++        """
++        SERVICE       AVAILABLE  ENTITLED   AUTO_ENABLED  DESCRIPTION
++        cc-eal        <cc-eal>    +yes  +no   +Common Criteria EAL2 Provisioning Packages
++        ?<cis>( +<cis-available> +yes +no +Security compliance and audit tools)?
++        ?esm-infra     <esm-infra> +yes  +yes  +UA Infra: Extended Security Maintenance \(ESM\)
++        fips          <fips>      +yes  +no   +NIST-certified core packages
++        fips-updates  <fips>      +yes  +no   +NIST-certified core packages with priority security updates
++        livepatch     <livepatch> +yes  +yes  +Canonical Livepatch service
++        ?<usg>( +<cis-available> +yes +no +Security compliance and audit tools)?
++        """
++        When I do a preflight check for `contract_token_staging` with the all flag
++        Then stdout matches regexp:
++        """
++        SERVICE       AVAILABLE  ENTITLED   AUTO_ENABLED  DESCRIPTION
++        cc-eal        <cc-eal>    +yes  +no   +Common Criteria EAL2 Provisioning Packages
++        ?<cis>( +<cis-available> +yes +no +Security compliance and audit tools)?
++        ?esm-apps      <esm-apps>  +yes  +yes  +UA Apps: Extended Security Maintenance \(ESM\)
++        esm-infra     <esm-infra> +yes  +yes  +UA Infra: Extended Security Maintenance \(ESM\)
++        fips          <fips>      +yes  +no   +NIST-certified core packages
++        fips-updates  <fips>      +yes  +no   +NIST-certified core packages with priority security updates
++        livepatch     <livepatch> +yes  +yes  +Canonical Livepatch service
++        ros           <ros>       +yes  +no   +Security Updates for the Robot Operating System
++        ros-updates   <ros>       +yes  +no   +All Updates for the Robot Operating System
++        ?<usg>( +<cis-available> +yes +no +Security compliance and audit tools)?
++        """
++        When I do a preflight check for `contract_token_staging` formatted as json
++        Then stdout is formatted as `json` and has keys:
++        """
++        _doc _schema_version account attached config config_path contract effective
++        environment_vars execution_details execution_status expires machine_id notices
++        services version simulated
++        """
++        When I do a preflight check for `contract_token_staging` formatted as yaml
++        Then stdout is formatted as `yaml` and has keys:
++        """
++        _doc _schema_version account attached config config_path contract effective
++        environment_vars execution_details execution_status expires machine_id notices
++        services version simulated
++        """
++
++
++        Examples: ubuntu release
++           | release | esm-apps | cc-eal | cis | cis-available | fips | esm-infra | ros | livepatch | usg |
++           | xenial  | yes      | yes    | cis | yes           | yes  | yes       | yes | yes       |     |
++           | bionic  | yes      | no     | cis | yes           | yes  | yes       | yes | yes       |     |
++           | focal   | yes      | no     |     | yes           | yes  | yes       | no  | yes       | usg |
++           | hirsute | no       | no     | cis | yes           | no   | no        | no  | no        |     |
++           | impish  | no       | no     | cis | yes           | no   | no        | no  | no        |     |
++           | jammy   | no       | no     | cis | yes           | no   | no        | no  | no        |     |
 diff --git a/help_data.yaml b/help_data.yaml
 index 3c93645..d5d6486 100644
 --- a/help_data.yaml
 +++ b/help_data.yaml
@@ -7,17 +7,11 @@ cc-eal:
  cis:
      help: |
--      CIS benchmarks locks down your systems by removing non-secure programs,
--      disabling unused filesystems, disabling unnecessary ports or services to
--      prevent cyber attacks and malware, auditing privileged operations and
--      restricting administrative privileges. The cis command installs
--      tooling needed to automate audit and hardening according to a desired
--      CIS profile - level 1 or level 2 for server or workstation on
--      Ubuntu 18.04 LTS or 16.04 LTS. The audit tooling uses OpenSCAP libraries
--      to do a scan of the system. The tool provides options to generate a
--      report in XML or a html format. The report shows compliance for all the
--      rules against the profile selected during the scan. You can find out
--      more at https://ubuntu.com/security/certifications#cis
++      Ubuntu Security Guide is a tool for hardening and auditing and allows for
++      environment-specific customizations. It enables compliance with profiles
++      such as DISA-STIG and the CIS benchmarks. Find out more at
++      https://ubuntu.com/security/certifications/docs/usg
++
  esm-apps:
      help: |
 diff --git a/lib/reboot_cmds.py b/lib/reboot_cmds.py
 index 7636f1b..569b46a 100644
 --- a/lib/reboot_cmds.py
 +++ b/lib/reboot_cmds.py
@@ -17,16 +17,17 @@ should run at next boot to process any pending/unresovled config operations.
  import logging
  import os
  import sys
--import time
--from uaclient import config, contract, entitlements, status
--from uaclient.cli import assert_lock_file, setup_logging
++from uaclient import config, contract, lock, status
++from uaclient.cli import setup_logging
++from uaclient.entitlements.fips import FIPSEntitlement
  from uaclient.exceptions import LockHeldError, UserFacingError
  from uaclient.util import ProcessExecutionError, UrlError, subp
  # Retry sleep backoff algorithm if lock is held.
  # Lock may be held by auto-attach on systems with ubuntu-advantage-pro.
--SLEEP_RETRIES_ON_LOCK_HELD = [1, 1, 5]
++SLEEP_ON_LOCK_HELD = 1
++MAX_RETRIES_ON_LOCK_HELD = 7
  def run_command(cmd, cfg):
@@ -57,9 +58,7 @@ def fix_pro_pkg_holds(cfg):
          if service.get("name") == "fips":
              service_status = service.get("status")
              if service_status == "enabled":
--                ent_cls = entitlements.ENTITLEMENT_CLASS_BY_NAME[
--                    service.get("name")
--                ]
++                ent_cls = FIPSEntitlement
                  logging.debug(
                      "Attempting to remove Ubuntu Pro FIPS package holds"
+                 )
@@ -102,7 +101,6 @@ def process_remaining_deltas(cfg):
      cfg.remove_notice("", status.MESSAGE_LIVEPATCH_LTS_REBOOT_REQUIRED)
--@assert_lock_file("ua-reboot-cmds")
  def process_reboot_operations(cfg):
      reboot_cmd_marker_file = cfg.data_path("marker-reboot-cmds")
@@ -139,21 +137,17 @@ def main(cfg):
      :raises: LockHeldError when lock still held by auto-attach after retries.
               UserFacingError for all other errors
      """
--    while True:
--        try:
++    try:
++        with lock.SpinLock(
++            cfg=cfg,
++            lock_holder="ua-reboot-cmds",
++            sleep_time=SLEEP_ON_LOCK_HELD,
++            max_retries=MAX_RETRIES_ON_LOCK_HELD,
++        ):
              process_reboot_operations(cfg=cfg)
--            break
--        except LockHeldError as e:
--            logging.debug(
--                "Retrying ua-reboot-cmds {} times on held lock".format(
--                    len(SLEEP_RETRIES_ON_LOCK_HELD)
--                )
--            )
--            if SLEEP_RETRIES_ON_LOCK_HELD:
--                time.sleep(SLEEP_RETRIES_ON_LOCK_HELD.pop(0))
--            else:
--                logging.warning("Lock not released. %s", str(e.msg))
--                sys.exit(1)
++    except LockHeldError as e:
++        logging.warning("Lock not released. %s", str(e.msg))
++        sys.exit(1)
  if __name__ == "__main__":
 diff --git a/sru/release-27.4.2/test-postinst-check-service-is-enabled-fix.sh b/sru/release-27.4.2/test-postinst-check-service-is-enabled-fix.sh
 new file mode 100755
 index 0000000..586ea2c
 --- /dev/null
 +++ b/sru/release-27.4.2/test-postinst-check-service-is-enabled-fix.sh
@@ -0,0 +1,34 @@
++series=$1
++name=test-$series
++set -x
++lxc launch ubuntu-daily:$series $name >/dev/null 2>&1
++sleep 3
++
++echo "Confirming we are runnign a ${series} machine"
++lxc exec $name -- lsb_release -a
++
++echo "Updating to the latest version of UA"
++lxc exec $name -- apt-get update >/dev/null
++lxc exec $name -- apt-get install -y ubuntu-advantage-tools >/dev/null
++lxc exec $name -- ua version
++echo "Running ua status to persist cache"
++lxc exec $name -- ua status
++echo "Modifying ESM_SUPPORTED_ARCHS to emulate the issue"
++lxc exec $name -- sed -i "s/ESM_SUPPORTED_ARCHS=\"i386 amd64\"/ESM_SUPPORTED_ARCHS=\"\"/" /var/lib/dpkg/info/ubuntu-advantage-tools.postinst
++echo "Re-running the postinst script. Confirming that KeyError is reported on stdout"
++lxc exec $name -- dpkg-reconfigure ubuntu-advantage-tools
++
++echo "Updating UA to the version with the fix"
++lxc exec $name -- sh -c "echo \"deb http://archive.ubuntu.com/ubuntu $series-proposed main\" | tee /etc/apt/sources.list.d/proposed.list"
++lxc exec $name -- apt-get update >/dev/null
++lxc exec $name -- apt-get install -y ubuntu-advantage-tools >/dev/null
++lxc exec $name -- ua version
++
++echo "Running ua status to persist cache"
++lxc exec $name -- ua status
++echo "Modifying ESM_SUPPORTED_ARCHS to emulate the issue"
++lxc exec $name -- sed -i "s/ESM_SUPPORTED_ARCHS=\"i386 amd64\"/ESM_SUPPORTED_ARCHS=\"\"/" /var/lib/dpkg/info/ubuntu-advantage-tools.postinst
++echo "Re-running the postinst script. Confirming that KeyError is no longer reported"
++lxc exec $name -- dpkg-reconfigure ubuntu-advantage-tools
++
++lxc delete --force $name
 diff --git a/sru/release-27.4/test-unattached-status-job.sh b/sru/release-27.4/test-unattached-status-job.sh
 new file mode 100755
 index 0000000..e8e3253
 --- /dev/null
 +++ b/sru/release-27.4/test-unattached-status-job.sh
@@ -0,0 +1,40 @@
++series=$1
++set -x
++lxc launch ubuntu-daily:$series test >/dev/null 2>&1
++sleep 10
++
++echo
++echo "showing the network call in current ua version 27.3"
++lxc exec test -- apt-get update >/dev/null
++lxc exec test -- apt-get install -y ubuntu-advantage-tools >/dev/null
++lxc exec test -- ua version
++echo "disable all jobs but the status job"
++lxc exec test -- ua config set metering_timer=0
++lxc exec test -- ua config set update_messaging_timer=0
++echo "run the status update timer job by removing current timer state and executing the timer script"
++echo "and run tcpdump while executing the script, filtering by the current IPs of contracts.canonical.com"
++lxc exec test -- rm -f /var/lib/ubuntu-advantage/jobs-status.json
++lxc exec test -- sh -c "tcpdump \"(host 91.189.92.68 or host 91.189.92.69)\" & pid=\$! && sleep 5 && python3 /usr/lib/ubuntu-advantage/timer.py && kill \$pid"
++echo "Verify that tcpdump saw packets in above output"
++echo "Verify that the job was actually processed by the timer: update_status should be there."
++lxc exec test -- grep "update_status" /var/lib/ubuntu-advantage/jobs-status.json
++
++
++echo
++echo
++echo "installing new version from proposed"
++lxc exec test -- sh -c "echo \"deb http://archive.ubuntu.com/ubuntu $series-proposed main\" | tee /etc/apt/sources.list.d/proposed.list"
++lxc exec test -- apt-get update >/dev/null
++lxc exec test -- sh -c "DEBIAN_FRONTEND=noninteractive apt-get install -o Dpkg::Options::=\"--force-confdef\" -o Dpkg::Options::=\"--force-confold\" -y ubuntu-advantage-tools" > /dev/null
++lxc exec test -- ua version
++
++
++echo "run the status update timer job by removing current timer state and executing the timer script"
++echo "and run tcpdump while executing the script, filtering by the current IPs of contracts.canonical.com"
++lxc exec test -- rm -f /var/lib/ubuntu-advantage/jobs-status.json
++lxc exec test -- sh -c "tcpdump \"(host 91.189.92.68 or host 91.189.92.69)\" & pid=\$! && sleep 5 && python3 /usr/lib/ubuntu-advantage/timer.py && kill \$pid"
++echo "Verify that tcpdump DID NOT see packets in above output"
++echo "Verify that the job was actually processed by the timer: update_status should be there."
++lxc exec test -- grep "update_status" /var/lib/ubuntu-advantage/jobs-status.json
++
++lxc delete test --force
 diff --git a/sru/release-27.5/test-aws-ipv6.sh b/sru/release-27.5/test-aws-ipv6.sh
 new file mode 100644
 index 0000000..31353da
 --- /dev/null
 +++ b/sru/release-27.5/test-aws-ipv6.sh
@@ -0,0 +1,66 @@
++#!/bin/sh
++
++set -e
++
++KEY_PATH=$1
++DEB_PATH=$2
++sshopts=( -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o LogLevel=ERROR )
++
++REGION=us-west-2
++INSTANCE_TYPE=t3.micro
++KEY_NAME=test-ipv6
++PRO_IMAGE_ID=ami-07e00b8a1a054fdbf  # bionic PRO image for us-west-2
++
++# You need to have a subnet that supports IPv6. The easiest path here is to launch an ec2
++# instance through pycloudlib, which will already create a VPC with a subnet that supports
++# IPv6. You can also use the security group created by pycloudlib
++SUBNET_ID=<SUBNET-ID>
++SECURITY_GROUP_ID=<SG-ID>
++
++# Make sure that the awscli being used has support for the --metadata-options params, otherwise the
++# IPv6 endpoint will not work as expected
++instance_info=$(aws --region $REGION ec2 run-instances --instance-type $INSTANCE_TYPE --image-id $PRO_IMAGE_ID --subnet-id $SUBNET_ID --key-name $KEY_NAME --associate-public-ip-address --ipv6-address-count 1 --metadata-options HttpEndpoint=enabled,HttpProtocolIpv6=enabled --security-group-ids $SECURITY_GROUP_ID)
++instance_id=$(echo $instance_info | jq -r ".Instances[0].InstanceId")
++instance_ip=$(aws ec2 describe-instances --region $REGION --instance-ids $instance_id --query 'Reservations[*].Instances[*].PublicIpAddress' --output text)
++
++echo "---------------------------------------------"
++echo "Checking instance info"
++ssh "${sshopts[@]}" -i $KEY_PATH ubuntu@$instance_ip -- lsb_release -a
++ssh "${sshopts[@]}" -i $KEY_PATH ubuntu@$instance_ip -- sudo ua status --wait
++echo "---------------------------------------------"
++echo -e "\n"
++
++echo "---------------------------------------------"
++echo "Detaching PRO instance"
++ssh "${sshopts[@]}" -i $KEY_PATH ubuntu@$instance_ip -- sudo ua detach --assume-yes
++echo "---------------------------------------------"
++echo -e "\n"
++
++echo "---------------------------------------------"
++echo "Installing package with IPv6 support"
++scp "${sshopts[@]}" -i $KEY_PATH $DEB_PATH ubuntu@$instance_ip:/home/ubuntu/ua.deb
++ssh "${sshopts[@]}" -i $KEY_PATH ubuntu@$instance_ip -- sudo dpkg -i ua.deb
++ssh "${sshopts[@]}" -i $KEY_PATH ubuntu@$instance_ip -- ua version
++ssh "${sshopts[@]}" -i $KEY_PATH ubuntu@$instance_ip -- sudo ua status --wait
++echo "---------------------------------------------"
++echo -e "\n"
++
++echo "---------------------------------------------"
++echo "Modifying IPv4 address to make it fail"
++ssh "${sshopts[@]}" -i $KEY_PATH ubuntu@$instance_ip -- sudo rm /var/log/ubuntu-advantage.log
++ssh "${sshopts[@]}" -i $KEY_PATH ubuntu@$instance_ip -- sudo sed -i "s/169.254.169.254/169.254.169.1/g" /usr/lib/python3/dist-packages/uaclient/clouds/aws.py
++echo "---------------------------------------------"
++echo -e "\n"
++
++echo "---------------------------------------------"
++echo "Verify that auto-attach still works and IPv6 route was used instead"
++ssh "${sshopts[@]}" -i $KEY_PATH ubuntu@$instance_ip -- sudo ua auto-attach
++ssh "${sshopts[@]}" -i $KEY_PATH ubuntu@$instance_ip -- sudo ua status
++ssh "${sshopts[@]}" -i $KEY_PATH ubuntu@$instance_ip -- sudo grep -F \"Could not reach AWS IMDS at http://169.254.169.1\" /var/log/ubuntu-advantage.log
++ssh "${sshopts[@]}" -i $KEY_PATH ubuntu@$instance_ip -- sudo grep -F \"URL [PUT]: http://169.254.169.1/latest/api/token\" /var/log/ubuntu-advantage.log
++ssh "${sshopts[@]}" -i $KEY_PATH ubuntu@$instance_ip -- sudo grep -F \"URL [PUT]: http://[fd00:ec2::254]/latest/api/token\" /var/log/ubuntu-advantage.log
++ssh "${sshopts[@]}" -i $KEY_PATH ubuntu@$instance_ip -- sudo grep -F \"URL [PUT] response: http://[fd00:ec2::254]/latest/api/token\" /var/log/ubuntu-advantage.log
++ssh "${sshopts[@]}" -i $KEY_PATH ubuntu@$instance_ip -- sudo grep -F \"URL [GET]: http://[fd00:ec2::254]/latest/dynamic/instance-identity/pkcs7\" /var/log/ubuntu-advantage.log
++ssh "${sshopts[@]}" -i $KEY_PATH ubuntu@$instance_ip -- sudo grep -F \"URL [GET] response: http://[fd00:ec2::254]/latest/dynamic/instance-identity/pkcs7\" /var/log/ubuntu-advantage.log
++echo "---------------------------------------------"
++echo -e "\n"
 diff --git a/tools/build.sh b/tools/build.sh
 index 1e50767..7660908 100755
 --- a/tools/build.sh
 +++ b/tools/build.sh
@@ -1,2 +1,3 @@
  #!/usr/bin/bash
  env PYTHONPATH=. python3 tools/build.py "$@"
++notify-send "Build finished!" || true
 diff --git a/tools/create-lp-release-branches.sh b/tools/create-lp-release-branches.sh
 index 436abdf..604df74 100755
 --- a/tools/create-lp-release-branches.sh
 +++ b/tools/create-lp-release-branches.sh
@@ -32,7 +32,7 @@ else
    set -e
  fi
--for release in xenial bionic focal hirsute
++for release in xenial bionic focal hirsute impish
  do
    echo
    echo $release
@@ -49,6 +49,7 @@ do
        bionic) version=${UA_VERSION}~18.04.1;;
        focal) version=${UA_VERSION}~20.04.1;;
        hirsute) version=${UA_VERSION}~21.04.1;;
++      impish) version=${UA_VERSION}~21.10.1;;
    esac
    dch_cmd=(dch -v ${version} -D ${release} -b  "Backport new upstream release: (LP: #${SRU_BUG}) to $release")
    if [ -z "$DO_IT" ]; then
 diff --git a/tools/run-integration-tests.py b/tools/run-integration-tests.py
 index 2ab8786..10b4a55 100644
 --- a/tools/run-integration-tests.py
 +++ b/tools/run-integration-tests.py
@@ -14,6 +14,7 @@ SERIES_TO_VERSION = {
      "focal": "20.04",
      "hirsute": "21.04",
      "impish": "21.10",
++    "jammy": "22.04",
+ }
  TOKEN_TO_ENVVAR = {
@@ -30,7 +31,7 @@ PLATFORM_SERIES_TESTS = {
      "gcpgeneric": ["xenial", "bionic", "focal", "hirsute"],
      "gcppro": ["xenial", "bionic", "focal"],
      "vm": ["xenial", "bionic", "focal"],
--    "lxd": ["xenial", "bionic", "focal", "hirsute", "impish"],
++    "lxd": ["xenial", "bionic", "focal", "hirsute", "impish", "jammy"],
      "upgrade": ["xenial", "bionic", "focal", "hirsute", "impish"],
+ }
 diff --git a/tools/test-in-lxd.sh b/tools/test-in-lxd.sh
 index 17d40cf..86ffdfe 100755
 --- a/tools/test-in-lxd.sh
 +++ b/tools/test-in-lxd.sh
@@ -12,5 +12,17 @@ lxc delete $name --force
  lxc launch ubuntu-daily:$series $name
  sleep 5
  lxc file push $deb $name/tmp/ua.deb
++
++if [ -n "$SHELL_BEFORE" ]; then
++    set +x
++    echo
++    echo
++    echo "New version of ua has not been installed yet."
++    echo "After you exit the shell we'll upgrade ua and bring you right back."
++    echo
++    set -x
++    lxc exec $name bash
++fi
++
  lxc exec $name -- dpkg -i /tmp/ua.deb
  lxc exec $name bash
 diff --git a/tox.ini b/tox.ini
 index 701eae3..9c98f03 100644
 --- a/tox.ini
 +++ b/tox.ini
@@ -54,6 +54,7 @@ commands =
      behave-lxd-20.04: behave -v {posargs} --tags="uses.config.machine_type.lxd.container" --tags="series.focal,series.lts,series.all" --tags="~upgrade"
      behave-lxd-21.04: behave -v {posargs} --tags="uses.config.machine_type.lxd.container" --tags="series.hirsute,series.all" --tags="~upgrade"
      behave-lxd-21.10: behave -v {posargs} --tags="uses.config.machine_type.lxd.container" --tags="series.impish,series.all" --tags="~upgrade"
++    behave-lxd-22.04: behave -v {posargs} --tags="uses.config.machine_type.lxd.container" --tags="series.jammy,series.all" --tags="~upgrade"
      behave-vm-16.04: behave -v {posargs} --tags="uses.config.machine_type.lxd.vm" --tags="series.xenial,series.all,series.lts" --tags="~upgrade"
      behave-vm-18.04: behave -v {posargs} --tags="uses.config.machine_type.lxd.vm" --tags="series.bionic,series.all,series.lts" --tags="~upgrade"
      behave-vm-20.04: behave -v {posargs} --tags="uses.config.machine_type.lxd.vm" --tags="series.focal,series.all,series.lts" --tags="~upgrade"
 diff --git a/uaclient/actions.py b/uaclient/actions.py
 new file mode 100644
 index 0000000..3f98c7f
 --- /dev/null
 +++ b/uaclient/actions.py
@@ -0,0 +1,66 @@
++import logging
++
++from uaclient import clouds, config, contract, exceptions, status, util
++from uaclient.clouds import identity
++
++LOG = logging.getLogger("ua.actions")
++
++
++def attach_with_token(
++    cfg: config.UAConfig, token: str, allow_enable: bool
++) -> None:
++    """
++    Common functionality to take a token and attach via contract backend
++    :raise UrlError: On unexpected connectivity issues to contract
++        server or inability to access identity doc from metadata service.
++    :raise ContractAPIError: On unexpected errors when talking to the contract
++        server.
++    """
++    try:
++        contract.request_updated_contract(
++            cfg, token, allow_enable=allow_enable
++        )
++    except util.UrlError as exc:
++        with util.disable_log_to_console():
++            LOG.exception(exc)
++        cfg.status()  # Persist updated status in the event of partial attach
++        config.update_ua_messages(cfg)
++        raise exc
++    except exceptions.UserFacingError as exc:
++        LOG.warning(exc.msg)
++        cfg.status()  # Persist updated status in the event of partial attach
++        config.update_ua_messages(cfg)
++        raise exc
++
++    config.update_ua_messages(cfg)
++
++
++def auto_attach(
++    cfg: config.UAConfig, cloud: clouds.AutoAttachCloudInstance
++) -> None:
++    """
++    :raise UrlError: On unexpected connectivity issues to contract
++        server or inability to access identity doc from metadata service.
++    :raise ContractAPIError: On unexpected errors when talking to the contract
++        server.
++    :raise NonAutoAttachImageError: If this cloud type does not have
++        auto-attach support.
++    """
++    contract_client = contract.UAContractClient(cfg)
++    try:
++        tokenResponse = contract_client.request_auto_attach_contract_token(
++            instance=cloud
++        )
++    except contract.ContractAPIError as e:
++        if e.code and 400 <= e.code < 500:
++            raise exceptions.NonAutoAttachImageError(
++                status.MESSAGE_UNSUPPORTED_AUTO_ATTACH
++            )
++        raise e
++    current_iid = identity.get_instance_id()
++    if current_iid:
++        cfg.write_cache("instance-id", current_iid)
++
++    token = tokenResponse["contractToken"]
++
++    attach_with_token(cfg, token=token, allow_enable=True)
 diff --git a/uaclient/cli.py b/uaclient/cli.py
 index 77af6f7..f76e570 100644
 --- a/uaclient/cli.py
 +++ b/uaclient/cli.py
@@ -15,23 +15,36 @@ import tempfile
  import textwrap
  import time
  from functools import wraps
++from typing import Optional  # noqa: F401
  from typing import List
  import yaml
  from uaclient import (
++    actions,
      config,
      contract,
      entitlements,
      exceptions,
      jobs,
++    lock,
      security,
      security_status,
+ )
  from uaclient import status as ua_status
  from uaclient import util, version
++from uaclient.clouds import AutoAttachCloudInstance  # noqa: F401
  from uaclient.clouds import identity
--from uaclient.defaults import CONFIG_FIELD_ENVVAR_ALLOWLIST
++from uaclient.defaults import (
++    CLOUD_BUILD_INFO,
++    CONFIG_FIELD_ENVVAR_ALLOWLIST,
++    DEFAULT_CONFIG_FILE,
++)
++
++# TODO: Better address service commands running on cli
++# It is not ideal for us to import an entitlement directly on the cli module.
++# We need to refactor this to avoid that type of coupling in the code.
++from uaclient.entitlements.livepatch import LIVEPATCH_CMD
  NAME = "ua"
@@ -67,11 +80,6 @@ UA_SERVICES = (
      "ua-license-check.timer",
+ )
--# Set a module-level callable here so we don't have to reinstantiate
--# UAConfig in order to determine dynamic data_path exception handling of
--# main_error_handler
--_CLEAR_LOCK_FILE = None
--
  class UAArgumentParser(argparse.ArgumentParser):
      def __init__(
@@ -114,41 +122,13 @@ class UAArgumentParser(argparse.ArgumentParser):
  def assert_lock_file(lock_holder=None):
--    """Decorator asserting exclusive access to lock file
--
--    Create a lock file if absent. The lock file will contain a pid of the
--        running process, and a customer-visible description of the lock holder.
--
--    :param lock_holder: String with the service name or command which is
--        holding the lock.
--
--        This lock_holder string will be customer visible in status.json.
--
--    :raises: LockHeldError if lock is held.
--    """
++    """Decorator asserting exclusive access to lock file"""
      def wrapper(f):
          @wraps(f)
          def new_f(*args, cfg, **kwargs):
--            global _CLEAR_LOCK_FILE
--            (lock_pid, cur_lock_holder) = cfg.check_lock_info()
--            if lock_pid > 0:
--                raise exceptions.LockHeldError(
--                    lock_request=lock_holder,
--                    lock_holder=cur_lock_holder,
--                    pid=lock_pid,
--                )
--            cfg.write_cache("lock", "{}:{}".format(os.getpid(), lock_holder))
--            notice_msg = "Operation in progress: {}".format(lock_holder)
--            cfg.add_notice("", notice_msg)
--            _CLEAR_LOCK_FILE = cfg.delete_cache_key
--
--            try:
++            with lock.SingleAttemptLock(cfg=cfg, lock_holder=lock_holder):
                  retval = f(*args, cfg=cfg, **kwargs)
--            finally:
--                cfg.delete_cache_key("lock")
--                _CLEAR_LOCK_FILE = None  # Unset due to successful lock delete
--
              return retval
          return new_f
@@ -584,6 +564,14 @@ def status_parser(parser):
          * AVAILABLE: whether this service would be available if this machine
            were attached. The possible values are yes or no.
++
++        If --simulate-with-token is used, then the output has five
++        columns. SERVICE, AVAILABLE, ENTITLED and DESCRIPTION are the same
++        as mentioned above, and AUTO_ENABLED shows whether the service is set
++        to be enabled when that token is attached.
++
++        If the --all flag is set, beta and unavailable services are also
++        listed in the output.
          """
+     )
@@ -605,6 +593,12 @@ def status_parser(parser):
          ),
+     )
      parser.add_argument(
++        "--simulate-with-token",
++        metavar="TOKEN",
++        action="store",
++        help=("simulate the output status using a provided token"),
++    )
++    parser.add_argument(
          "--all",
          action="store_true",
          help="Allow the visualization of beta services",
@@ -623,7 +617,7 @@ def _perform_disable(entitlement_name, cfg, *, assume_yes):
      @return: True on success, False otherwise
      """
--    ent_cls = entitlements.ENTITLEMENT_CLASS_BY_NAME[entitlement_name]
++    ent_cls = entitlements.entitlement_factory(entitlement_name)
      entitlement = ent_cls(cfg, assume_yes=assume_yes)
      ret = entitlement.disable()
      cfg.status()  # Update the status cache
@@ -639,7 +633,9 @@ def get_valid_entitlement_names(names: List[str]):
      entitlements_found = []
      for ent_name in names:
--        if ent_name in entitlements.ENTITLEMENT_CLASS_BY_NAME:
++        if ent_name in entitlements.valid_services(
++            allow_beta=True, all_names=True
++        ):
              entitlements_found.append(ent_name)
      entitlements_not_found = sorted(set(names) - set(entitlements_found))
@@ -878,12 +874,14 @@ def action_enable(args, *, cfg, **kwargs):
+     )
      valid_services_names = entitlements.valid_services(allow_beta=args.beta)
      ret = True
--
      for ent_name in entitlements_found:
          try:
--            ent_cls = entitlements.ENTITLEMENT_CLASS_BY_NAME[ent_name]
++            ent_cls = entitlements.entitlement_factory(ent_name)
              entitlement = ent_cls(
--                cfg, assume_yes=args.assume_yes, allow_beta=args.beta
++                cfg,
++                assume_yes=args.assume_yes,
++                allow_beta=args.beta,
++                called_name=ent_name,
+             )
              ent_ret, reason = entitlement.enable()
              cfg.status()  # Update the status cache
@@ -991,27 +989,7 @@ def _detach(cfg: config.UAConfig, assume_yes: bool) -> int:
      return 0
--def _attach_with_token(
--    cfg: config.UAConfig, token: str, allow_enable: bool
--) -> int:
--    """Common functionality to take a token and attach via contract backend"""
--    try:
--        contract.request_updated_contract(
--            cfg, token, allow_enable=allow_enable
--        )
--    except util.UrlError as exc:
--        with util.disable_log_to_console():
--            logging.exception(exc)
--        print(ua_status.MESSAGE_ATTACH_FAILURE)
--        cfg.status()  # Persist updated status in the event of partial attach
--        config.update_ua_messages(cfg)
--        return 1
--    except exceptions.UserFacingError as exc:
--        logging.warning(exc.msg)
--        cfg.status()  # Persist updated status in the event of partial attach
--        config.update_ua_messages(cfg)
--        return 1
--
++def _post_cli_attach(cfg: config.UAConfig) -> None:
      contract_name = cfg.machine_token["machineTokenInfo"]["contractInfo"][
          "name"
+     ]
@@ -1025,75 +1003,74 @@ def _attach_with_token(
      else:
          print(ua_status.MESSAGE_ATTACH_SUCCESS_NO_CONTRACT_NAME)
--    config.update_ua_messages(cfg)
--    jobs.disable_license_check_if_applicable(cfg)
      action_status(args=None, cfg=cfg)
--    return 0
--
--def _get_contract_token_from_cloud_identity(cfg: config.UAConfig) -> str:
--    """Detect cloud_type and request a contract token from identity info.
--    :param cfg: a ``config.UAConfig`` instance
--
--    :raise NonAutoAttachImageError: When not on an auto-attach image type.
--    :raise UrlError: On unexpected connectivity issues to contract
--        server or inability to access identity doc from metadata service.
--    :raise ContractAPIError: On unexpected errors when talking to the contract
--        server.
--    :raise NonAutoAttachImageError: If this cloud type does not have
--        auto-attach support.
++@assert_root
++@assert_lock_file("ua auto-attach")
++def action_auto_attach(args, *, cfg):
++    disable_auto_attach = util.is_config_value_true(
++        config=cfg.cfg, path_to_value="features.disable_auto_attach"
++    )
++    if disable_auto_attach:
++        msg = "Skipping auto-attach. Config disable_auto_attach is set."
++        logging.debug(msg)
++        print(msg)
++        return 0
--    :return: contract token obtained from identity doc
--    """
++    instance = None  # type: Optional[AutoAttachCloudInstance]
      try:
          instance = identity.cloud_instance_factory()
--    except exceptions.UserFacingError as e:
++    except exceptions.CloudFactoryError as e:
          if cfg.is_attached:
              # We are attached on non-Pro Image, just report already attached
              raise exceptions.AlreadyAttachedError(cfg)
--        # Unattached on non-Pro return UserFacing error msg details
--        raise e
++        if isinstance(e, exceptions.CloudFactoryNoCloudError):
++            raise exceptions.UserFacingError(
++                ua_status.MESSAGE_UNABLE_TO_DETERMINE_CLOUD_TYPE
++            )
++        if isinstance(e, exceptions.CloudFactoryNonViableCloudError):
++            raise exceptions.UserFacingError(
++                ua_status.MESSAGE_UNSUPPORTED_AUTO_ATTACH
++            )
++        if isinstance(e, exceptions.CloudFactoryUnsupportedCloudError):
++            raise exceptions.NonAutoAttachImageError(
++                ua_status.MESSAGE_UNSUPPORTED_AUTO_ATTACH_CLOUD_TYPE.format(
++                    cloud_type=e.cloud_type
++                )
++            )
++        # we shouldn't get here, but this is a reasonable default just in case
++        raise exceptions.UserFacingError(
++            ua_status.MESSAGE_UNABLE_TO_DETERMINE_CLOUD_TYPE
++        )
++
++    if not instance:
++        # we shouldn't get here, but this is a reasonable default just in case
++        raise exceptions.UserFacingError(
++            ua_status.MESSAGE_UNABLE_TO_DETERMINE_CLOUD_TYPE
++        )
++
      current_iid = identity.get_instance_id()
      if cfg.is_attached:
          prev_iid = cfg.read_cache("instance-id")
          if str(current_iid) == str(prev_iid):
--            raise exceptions.AlreadyAttachedError(cfg)
++            raise exceptions.AlreadyAttachedOnPROError(str(current_iid))
          print("Re-attaching Ubuntu Advantage subscription on new instance")
          if _detach(cfg, assume_yes=True) != 0:
              raise exceptions.UserFacingError(
                  ua_status.MESSAGE_DETACH_AUTOMATION_FAILURE
+             )
--    contract_client = contract.UAContractClient(cfg)
--    try:
--        tokenResponse = contract_client.request_auto_attach_contract_token(
--            instance=instance
--        )
--    except contract.ContractAPIError as e:
--        if e.code and 400 <= e.code < 500:
--            raise exceptions.NonAutoAttachImageError(
--                ua_status.MESSAGE_UNSUPPORTED_AUTO_ATTACH
--            )
--        raise e
--    if current_iid:
--        cfg.write_cache("instance-id", current_iid)
--
--    return tokenResponse["contractToken"]
--
--@assert_root
--@assert_lock_file("ua auto-attach")
--def action_auto_attach(args, *, cfg):
--    disable_auto_attach = util.is_config_value_true(
--        config=cfg.cfg, path_to_value="features.disable_auto_attach"
--    )
--    if disable_auto_attach:
--        msg = "Skipping auto-attach. Config disable_auto_attach is set."
--        logging.debug(msg)
--        print(msg)
++    try:
++        actions.auto_attach(cfg, instance)
++    except util.UrlError:
++        print(ua_status.MESSAGE_ATTACH_FAILURE)
++        return 1
++    except exceptions.UserFacingError:
++        return 1
++    else:
++        _post_cli_attach(cfg)
          return 0
--    token = _get_contract_token_from_cloud_identity(cfg)
--    return _attach_with_token(cfg, token=token, allow_enable=True)
  @assert_not_attached
@@ -1104,9 +1081,18 @@ def action_attach(args, *, cfg):
          raise exceptions.UserFacingError(
              ua_status.MESSAGE_ATTACH_REQUIRES_TOKEN
+         )
--    return _attach_with_token(
--        cfg, token=args.token, allow_enable=args.auto_enable
--    )
++    try:
++        actions.attach_with_token(
++            cfg, token=args.token, allow_enable=args.auto_enable
++        )
++    except util.UrlError:
++        print(ua_status.MESSAGE_ATTACH_FAILURE)
++        return 1
++    except exceptions.UserFacingError:
++        return 1
++    else:
++        _post_cli_attach(cfg)
++        return 0
  def _write_command_output_to_file(
@@ -1135,7 +1121,7 @@ def action_collect_logs(args, *, cfg: config.UAConfig):
              "ua status --format json", "{}/ua-status.json".format(output_dir)
+         )
          _write_command_output_to_file(
--            "canonical-livepatch status",
++            "{} status".format(LIVEPATCH_CMD),
              "{}/livepatch-status.txt".format(output_dir),
+         )
          _write_command_output_to_file(
@@ -1164,11 +1150,12 @@ def action_collect_logs(args, *, cfg: config.UAConfig):
+             )
          ua_logs = (
--            cfg.cfg_path or "/etc/ubuntu-advantage/uaclient.conf",
++            cfg.cfg_path or DEFAULT_CONFIG_FILE,
              cfg.log_file,
              cfg.timer_log_file,
              cfg.license_check_log_file,
              cfg.data_path("jobs-status"),
++            CLOUD_BUILD_INFO,
              *(
                  entitlement.repo_list_file_tmpl.format(name=entitlement.name)
                  for entitlement in entitlements.ENTITLEMENT_CLASSES
@@ -1178,6 +1165,9 @@ def action_collect_logs(args, *, cfg: config.UAConfig):
          for log in ua_logs:
              if os.path.isfile(log):
++                log_content = util.load_file(log)
++                log_content = util.redact_sensitive_logs(log_content)
++                util.write_file(log, log_content)
                  shutil.copy(log, output_dir)
          with tarfile.open(output_file, "w:gz") as results:
@@ -1189,29 +1179,36 @@ def get_parser():
      base_desc = __doc__
      non_beta_services_desc = []
      beta_services_desc = []
--    sorted_classes = sorted(entitlements.ENTITLEMENT_CLASS_BY_NAME.items())
--    for name, ent_cls in sorted_classes:
--        if ent_cls.help_doc_url:
--            url = " ({})".format(ent_cls.help_doc_url)
--        else:
--            url = ""
--        service_line = service_line_tmpl.format(
--            name=name, description=ent_cls.description, url=url
--        )
--        if len(service_line) <= 80:
--            service_info = [service_line]
--        else:
--            wrapped_words = []
--            line = service_line
--            while len(line) > 80:
--                [line, wrapped_word] = line.rsplit(" ", 1)
--                wrapped_words.insert(0, wrapped_word)
--            service_info = [line + "\n   " + " ".join(wrapped_words)]
--
--        if ent_cls.is_beta:
--            beta_services_desc.extend(service_info)
--        else:
--            non_beta_services_desc.extend(service_info)
++
++    resources = contract.get_available_resources(config.UAConfig())
++    for resource in resources:
++        ent_cls = entitlements.entitlement_factory(resource["name"])
++        if ent_cls:
++            # Because we are not sure of the presentation name if unattached
++            presentation_name = resource.get("presentedAs", resource["name"])
++            if ent_cls.help_doc_url:
++                url = " ({})".format(ent_cls.help_doc_url)
++            else:
++                url = ""
++            service_line = service_line_tmpl.format(
++                name=presentation_name,
++                description=ent_cls.description,
++                url=url,
++            )
++            if len(service_line) <= 80:
++                service_info = [service_line]
++            else:
++                wrapped_words = []
++                line = service_line
++                while len(line) > 80:
++                    [line, wrapped_word] = line.rsplit(" ", 1)
++                    wrapped_words.insert(0, wrapped_word)
++                service_info = [line + "\n   " + " ".join(wrapped_words)]
++
++            if ent_cls.is_beta:
++                beta_services_desc.extend(service_info)
++            else:
++                non_beta_services_desc.extend(service_info)
      parser = UAArgumentParser(
          prog=NAME,
@@ -1327,7 +1324,11 @@ def action_status(args, *, cfg):
      if not cfg:
          cfg = config.UAConfig()
      show_beta = args.all if args else False
--    status = cfg.status(show_beta=show_beta)
++    token = args.simulate_with_token if args else None
++    if token:
++        status = cfg.simulate_status(token=token, show_beta=show_beta)
++    else:
++        status = cfg.status(show_beta=show_beta)
      active_value = ua_status.UserFacingConfigStatus.ACTIVE.value
      config_active = bool(status["execution_status"] == active_value)
      if args and args.wait and config_active:
@@ -1460,8 +1461,7 @@ def main_error_handler(func):
              with util.disable_log_to_console():
                  logging.error("KeyboardInterrupt")
              print("Interrupt received; exiting.", file=sys.stderr)
--            if _CLEAR_LOCK_FILE:
--                _CLEAR_LOCK_FILE("lock")
++            lock.clear_lock_file_if_present()
              sys.exit(1)
          except util.UrlError as exc:
              if "CERTIFICATE_VERIFY_FAILED" in str(exc):
@@ -1482,23 +1482,20 @@ def main_error_handler(func):
                          msg_tmpl = ua_status.LOG_CONNECTIVITY_ERROR_TMPL
                      logging.exception(msg_tmpl.format(**msg_args))
                  print(ua_status.MESSAGE_CONNECTIVITY_ERROR, file=sys.stderr)
--            if _CLEAR_LOCK_FILE:
--                _CLEAR_LOCK_FILE("lock")
++            lock.clear_lock_file_if_present()
              sys.exit(1)
          except exceptions.UserFacingError as exc:
              with util.disable_log_to_console():
                  logging.error(exc.msg)
              print("{}".format(exc.msg), file=sys.stderr)
--            if _CLEAR_LOCK_FILE:
--                if not isinstance(exc, exceptions.LockHeldError):
--                    # Only clear the lock if it is ours.
--                    _CLEAR_LOCK_FILE("lock")
++            if not isinstance(exc, exceptions.LockHeldError):
++                # Only clear the lock if it is ours.
++                lock.clear_lock_file_if_present()
              sys.exit(exc.exit_code)
          except Exception:
              with util.disable_log_to_console():
                  logging.exception("Unhandled exception, please file a bug")
--            if _CLEAR_LOCK_FILE:
--                _CLEAR_LOCK_FILE("lock")
++            lock.clear_lock_file_if_present()
              print(ua_status.MESSAGE_UNEXPECTED_ERROR, file=sys.stderr)
              sys.exit(1)
 diff --git a/uaclient/clouds/aws.py b/uaclient/clouds/aws.py
 index 120ded6..e8a1c07 100644
 --- a/uaclient/clouds/aws.py
 +++ b/uaclient/clouds/aws.py
@@ -1,11 +1,17 @@
++import logging
  from typing import Any, Dict
  from urllib.error import HTTPError
--from uaclient import util
++from uaclient import exceptions, util
  from uaclient.clouds import AutoAttachCloudInstance
--IMDS_V2_TOKEN_URL = "http://169.254.169.254/latest/api/token"
--IMDS_URL = "http://169.254.169.254/latest/dynamic/instance-identity/pkcs7"
++IMDS_IPV4_ADDRESS = "169.254.169.254"
++IMDS_IPV6_ADDRESS = "[fd00:ec2::254]"
++
++IMDS_IP_ADDRESS = (IMDS_IPV4_ADDRESS, IMDS_IPV6_ADDRESS)
++IMDS_V2_TOKEN_URL = "http://{}/latest/api/token"
++IMDS_URL = "http://{}/latest/dynamic/instance-identity/pkcs7"
++
  SYS_HYPERVISOR_PRODUCT_UUID = "/sys/hypervisor/uuid"
  DMI_PRODUCT_SERIAL = "/sys/class/dmi/id/product_serial"
  DMI_PRODUCT_UUID = "/sys/class/dmi/id/product_uuid"
@@ -18,27 +24,58 @@ AWS_TOKEN_REQ_HEADER = AWS_TOKEN_PUT_HEADER + "-ttl-seconds"
  class UAAutoAttachAWSInstance(AutoAttachCloudInstance):
      _api_token = None
++    _ip_address = None
++
++    def _get_imds_url_response(self):
++        headers = self._request_imds_v2_token_headers()
++        return util.readurl(
++            IMDS_URL.format(self._ip_address), headers=headers, timeout=1
++        )
      # mypy does not handle @property around inner decorators
      # https://github.com/python/mypy/issues/1362
      @property  # type: ignore
      @util.retry(HTTPError, retry_sleeps=[1, 2, 5])
      def identity_doc(self) -> Dict[str, Any]:
--        headers = self._get_imds_v2_token_headers()
--        response, _headers = util.readurl(IMDS_URL, headers=headers)
++        response, _headers = self._get_imds_url_response()
          return {"pkcs7": response}
++    def _request_imds_v2_token_headers(self):
++        for address in IMDS_IP_ADDRESS:
++            try:
++                headers = self._get_imds_v2_token_headers(ip_address=address)
++            except HTTPError as e:
++                raise e
++            except Exception as e:
++                msg = (
++                    "Could not reach AWS IMDS at http://{endpoint}:"
++                    " {reason}\n".format(
++                        endpoint=address, reason=getattr(e, "reason", "")
++                    )
++                )
++                logging.debug(msg)
++            else:
++                self._ip_address = address
++                break
++        if self._ip_address is None:
++            raise exceptions.UserFacingError(
++                "No valid AWS IMDS endpoint discovered at addresses: %s"
++                % ", ".join(IMDS_IP_ADDRESS)
++            )
++        return headers
++
      @util.retry(HTTPError, retry_sleeps=[1, 2, 5])
--    def _get_imds_v2_token_headers(self):
++    def _get_imds_v2_token_headers(self, ip_address):
          if self._api_token == "IMDSv1":
              return None
          elif self._api_token:
              return {AWS_TOKEN_PUT_HEADER: self._api_token}
          try:
              response, _headers = util.readurl(
--                IMDS_V2_TOKEN_URL,
++                IMDS_V2_TOKEN_URL.format(ip_address),
                  method="PUT",
                  headers={AWS_TOKEN_REQ_HEADER: AWS_TOKEN_TTL_SECONDS},
++                timeout=1,
+             )
          except HTTPError as e:
              if e.code == 404:
@@ -46,6 +83,7 @@ class UAAutoAttachAWSInstance(AutoAttachCloudInstance):
                  return None
              else:
                  raise
++
          self._api_token = response
          return {AWS_TOKEN_PUT_HEADER: self._api_token}
 diff --git a/uaclient/clouds/identity.py b/uaclient/clouds/identity.py
 index dee23f6..cd8f7b4 100644
 --- a/uaclient/clouds/identity.py
 +++ b/uaclient/clouds/identity.py
@@ -2,7 +2,7 @@ import logging
  from enum import Enum
  from typing import Dict, Optional, Tuple, Type  # noqa: F401
--from uaclient import clouds, exceptions, status, util
++from uaclient import clouds, exceptions, util
  from uaclient.config import apply_config_settings_override
  # Mapping of datasource names to cloud-id responses. Trusty compat with Xenial+
@@ -50,6 +50,15 @@ def get_cloud_type() -> Tuple[Optional[str], Optional[NoCloudTypeReason]]:
  def cloud_instance_factory() -> clouds.AutoAttachCloudInstance:
++    """
++    :raises CloudFactoryError: if no cloud instance object can be constructed
++    :raises CloudFactoryNoCloudError: if no cloud instance object can be
++        constructed because we are not on a cloud
++    :raises CloudFactoryUnsupportedCloudError: if no cloud instance object can
++        be constructed because we don't have a class for the cloud we're on
++    :raises CloudFactoryNonViableCloudError: if no cloud instance object can be
++        constructed because we explicitly do not support the cloud we're on
++    """
      from uaclient.clouds import aws, azure, gcp
      cloud_instance_map = {
@@ -62,19 +71,11 @@ def cloud_instance_factory() -> clouds.AutoAttachCloudInstance:
      cloud_type, _ = get_cloud_type()
      if not cloud_type:
--        raise exceptions.UserFacingError(
--            status.MESSAGE_UNABLE_TO_DETERMINE_CLOUD_TYPE
--        )
++        raise exceptions.CloudFactoryNoCloudError(cloud_type)
      cls = cloud_instance_map.get(cloud_type)
      if not cls:
--        raise exceptions.NonAutoAttachImageError(
--            status.MESSAGE_UNSUPPORTED_AUTO_ATTACH_CLOUD_TYPE.format(
--                cloud_type=cloud_type
--            )
--        )
++        raise exceptions.CloudFactoryUnsupportedCloudError(cloud_type)
      instance = cls()
      if not instance.is_viable:
--        raise exceptions.UserFacingError(
--            status.MESSAGE_UNSUPPORTED_AUTO_ATTACH
--        )
++        raise exceptions.CloudFactoryNonViableCloudError(cloud_type)
      return instance
 diff --git a/uaclient/clouds/tests/test_aws.py b/uaclient/clouds/tests/test_aws.py
 index 68aa555..d319427 100644
 --- a/uaclient/clouds/tests/test_aws.py
 +++ b/uaclient/clouds/tests/test_aws.py
@@ -1,4 +1,5 @@
  import logging
++import re
  from io import BytesIO
  from urllib.error import HTTPError
@@ -9,8 +10,13 @@ from uaclient.clouds.aws import (
      AWS_TOKEN_PUT_HEADER,
      AWS_TOKEN_REQ_HEADER,
      AWS_TOKEN_TTL_SECONDS,
++    IMDS_IPV4_ADDRESS,
++    IMDS_IPV6_ADDRESS,
++    IMDS_URL,
++    IMDS_V2_TOKEN_URL,
      UAAutoAttachAWSInstance,
+ )
++from uaclient.exceptions import UserFacingError
  M_PATH = "uaclient.clouds.aws."
@@ -27,10 +33,12 @@ class TestUAAutoAttachAWSInstance:
              "http://me", 404, "No IMDSv2 support", None, BytesIO()
+         )
          instance = UAAutoAttachAWSInstance()
--        assert None is instance._get_imds_v2_token_headers()
++        assert None is instance._get_imds_v2_token_headers(
++            ip_address=IMDS_IPV4_ADDRESS
++        )
          assert "IMDSv1" == instance._api_token
          # No retries on 404. It is a permanent indication of no IMDSv2 support.
--        instance._get_imds_v2_token_headers()
++        instance._get_imds_v2_token_headers(ip_address=IMDS_IPV4_ADDRESS)
          assert 1 == readurl.call_count
      @mock.patch(M_PATH + "util.readurl")
@@ -41,14 +49,15 @@ class TestUAAutoAttachAWSInstance:
          readurl.return_value = "somebase64token==", {"header": "stuff"}
          assert {
              AWS_TOKEN_PUT_HEADER: "somebase64token=="
--        } == instance._get_imds_v2_token_headers()
--        instance._get_imds_v2_token_headers()
++        } == instance._get_imds_v2_token_headers(ip_address=IMDS_IPV4_ADDRESS)
++        instance._get_imds_v2_token_headers(ip_address=IMDS_IPV4_ADDRESS)
          assert "somebase64token==" == instance._api_token
          assert [
              mock.call(
                  url,
                  method="PUT",
                  headers={AWS_TOKEN_REQ_HEADER: AWS_TOKEN_TTL_SECONDS},
++                timeout=1,
+             )
          ] == readurl.call_args_list
@@ -61,7 +70,7 @@ class TestUAAutoAttachAWSInstance:
      ):
          """Retry backoff before failing _get_imds_v2_token_headers."""
--        def fake_someurlerrors(url, method=None, headers=None):
++        def fake_someurlerrors(url, method=None, headers=None, timeout=1):
              if readurl.call_count <= fail_count:
                  raise HTTPError(
                      "http://me",
@@ -76,12 +85,16 @@ class TestUAAutoAttachAWSInstance:
          instance = UAAutoAttachAWSInstance()
          if exception:
              with pytest.raises(HTTPError) as excinfo:
--                instance._get_imds_v2_token_headers()
++                instance._get_imds_v2_token_headers(
++                    ip_address=IMDS_IPV4_ADDRESS
++                )
              assert 704 == excinfo.value.code
          else:
              assert {
                  AWS_TOKEN_PUT_HEADER: "base64token=="
--            } == instance._get_imds_v2_token_headers()
++            } == instance._get_imds_v2_token_headers(
++                ip_address=IMDS_IPV4_ADDRESS
++            )
          expected_sleep_calls = [mock.call(1), mock.call(2), mock.call(5)]
          assert expected_sleep_calls == sleep.call_args_list
@@ -107,12 +120,15 @@ class TestUAAutoAttachAWSInstance:
                  token_url,
                  method="PUT",
                  headers={AWS_TOKEN_REQ_HEADER: AWS_TOKEN_TTL_SECONDS},
++                timeout=1,
++            ),
++            mock.call(
++                url, headers={AWS_TOKEN_PUT_HEADER: "pkcs7WOOT!=="}, timeout=1
              ),
--            mock.call(url, headers={AWS_TOKEN_PUT_HEADER: "pkcs7WOOT!=="}),
          ] == readurl.call_args_list
      @pytest.mark.parametrize("caplog_text", [logging.DEBUG], indirect=True)
--    @pytest.mark.parametrize("fail_count,exception", ((3, False), (4, True)))
++    @pytest.mark.parametrize("fail_count,exception", ((3, False),))
      @mock.patch(M_PATH + "util.time.sleep")
      @mock.patch(M_PATH + "util.readurl")
      def test_retry_backoff_on_failed_identity_doc(
@@ -120,7 +136,7 @@ class TestUAAutoAttachAWSInstance:
      ):
          """Retry backoff is attempted before failing to get AWS.identity_doc"""
--        def fake_someurlerrors(url, method=None, headers=None):
++        def fake_someurlerrors(url, method=None, headers=None, timeout=1):
              # due to _get_imds_v2_token_headers
              if "latest/api/token" in url:
                  return "base64token==", {"header": "stuff"}
@@ -195,3 +211,92 @@ class TestUAAutoAttachAWSInstance:
          load_file.side_effect = fake_load_file
          instance = UAAutoAttachAWSInstance()
          assert viable is instance.is_viable
++
++    @pytest.mark.parametrize("caplog_text", [logging.DEBUG], indirect=True)
++    @mock.patch(M_PATH + "util.readurl")
++    def test_identity_doc_default_to_ipv6_if_ipv4_fail(
++        self, readurl, caplog_text
++    ):
++        instance = UAAutoAttachAWSInstance()
++        ipv4_address = IMDS_IPV4_ADDRESS
++        ipv6_address = IMDS_IPV6_ADDRESS
++
++        def fake_someurlerrors(url, method=None, headers=None, timeout=1):
++            if ipv4_address in url:
++                raise Exception("IPv4 exception")
++
++            if url == IMDS_V2_TOKEN_URL.format(ipv6_address):
++                return "base64token==", {"header": "stuff"}
++
++            if url == IMDS_URL.format(ipv6_address):
++                return "pkcs7WOOT!==", {"header": "stuff"}
++
++        readurl.side_effect = fake_someurlerrors
++        assert {"pkcs7": "pkcs7WOOT!=="} == instance.identity_doc
++        expected = [
++            mock.call(
++                IMDS_V2_TOKEN_URL.format(ipv4_address),
++                method="PUT",
++                headers={AWS_TOKEN_REQ_HEADER: AWS_TOKEN_TTL_SECONDS},
++                timeout=1,
++            ),
++            mock.call(
++                IMDS_V2_TOKEN_URL.format(ipv6_address),
++                method="PUT",
++                headers={AWS_TOKEN_REQ_HEADER: AWS_TOKEN_TTL_SECONDS},
++                timeout=1,
++            ),
++            mock.call(
++                IMDS_URL.format(ipv6_address),
++                headers={AWS_TOKEN_PUT_HEADER: "base64token=="},
++                timeout=1,
++            ),
++        ]
++
++        assert expected == readurl.call_args_list
++
++        expected_log = "Could not reach AWS IMDS at http://169.254.169.254:"
++        assert expected_log in caplog_text()
++
++    @pytest.mark.parametrize("caplog_text", [logging.DEBUG], indirect=True)
++    @mock.patch(M_PATH + "util.readurl")
++    def test_identity_doc_logs_error_if_both_ipv4_and_ipv6_fails(
++        self, readurl, caplog_text
++    ):
++
++        instance = UAAutoAttachAWSInstance()
++        ipv4_address = IMDS_IPV4_ADDRESS
++        ipv6_address = IMDS_IPV6_ADDRESS
++
++        readurl.side_effect = Exception("Exception")
++
++        expected_error = (
++            "No valid AWS IMDS endpoint discovered at "
++            "addresses: {}, {}".format(IMDS_IPV4_ADDRESS, IMDS_IPV6_ADDRESS)
++        )
++        with pytest.raises(UserFacingError, match=re.escape(expected_error)):
++            instance.identity_doc
++
++        expected = [
++            mock.call(
++                IMDS_V2_TOKEN_URL.format(ipv4_address),
++                method="PUT",
++                headers={AWS_TOKEN_REQ_HEADER: AWS_TOKEN_TTL_SECONDS},
++                timeout=1,
++            ),
++            mock.call(
++                IMDS_V2_TOKEN_URL.format(ipv6_address),
++                method="PUT",
++                headers={AWS_TOKEN_REQ_HEADER: AWS_TOKEN_TTL_SECONDS},
++                timeout=1,
++            ),
++        ]
++        assert expected == readurl.call_args_list
++
++        expected_logs = [
++            "Could not reach AWS IMDS at http://169.254.169.254:",
++            "Could not reach AWS IMDS at http://[fd00:ec2::254]:",
++        ]
++
++        for expected_log in expected_logs:
++            assert expected_log in caplog_text()
 diff --git a/uaclient/clouds/tests/test_identity.py b/uaclient/clouds/tests/test_identity.py
 index 79faf0d..f223f80 100644
 --- a/uaclient/clouds/tests/test_identity.py
 +++ b/uaclient/clouds/tests/test_identity.py
@@ -1,13 +1,17 @@
  import mock
  import pytest
--from uaclient import exceptions, status
  from uaclient.clouds.identity import (
      NoCloudTypeReason,
      cloud_instance_factory,
      get_cloud_type,
      get_instance_id,
+ )
++from uaclient.exceptions import (
++    CloudFactoryNoCloudError,
++    CloudFactoryNonViableCloudError,
++    CloudFactoryUnsupportedCloudError,
++)
  from uaclient.util import ProcessExecutionError
  M_PATH = "uaclient.clouds.identity."
@@ -89,22 +93,15 @@ class TestCloudInstanceFactory:
              None,
              NoCloudTypeReason.NO_CLOUD_DETECTED,
+         )
--        with pytest.raises(exceptions.UserFacingError) as excinfo:
++        with pytest.raises(CloudFactoryNoCloudError):
              cloud_instance_factory()
          assert 1 == m_get_cloud_type.call_count
--        assert status.MESSAGE_UNABLE_TO_DETERMINE_CLOUD_TYPE == str(
--            excinfo.value
--        )
--    def test_raise_error_when_not_aws_or_azure(self, m_get_cloud_type):
++    def test_raise_error_when_not_supported(self, m_get_cloud_type):
          """Raise appropriate error when unable to determine cloud_type."""
          m_get_cloud_type.return_value = ("unsupported-cloud", None)
--        with pytest.raises(exceptions.UserFacingError) as excinfo:
++        with pytest.raises(CloudFactoryUnsupportedCloudError):
              cloud_instance_factory()
--        error_msg = status.MESSAGE_UNSUPPORTED_AUTO_ATTACH_CLOUD_TYPE.format(
--            cloud_type="unsupported-cloud"
--        )
--        assert error_msg == str(excinfo.value)
      @pytest.mark.parametrize("cloud_type", ("aws", "azure"))
      def test_raise_error_when_not_viable_for_ubuntu_pro(
@@ -125,10 +122,8 @@ class TestCloudInstanceFactory:
          with mock.patch(M_INSTANCE_PATH) as m_instance:
              m_instance.side_effect = fake_invalid_instance
--            with pytest.raises(exceptions.UserFacingError) as excinfo:
++            with pytest.raises(CloudFactoryNonViableCloudError):
                  cloud_instance_factory()
--        error_msg = status.MESSAGE_UNSUPPORTED_AUTO_ATTACH
--        assert error_msg == str(excinfo.value)
      @pytest.mark.parametrize(
          "cloud_type", ("aws", "aws-gov", "aws-china", "azure")
 diff --git a/uaclient/config.py b/uaclient/config.py
 index 6275839..f66322e 100644
 --- a/uaclient/config.py
 +++ b/uaclient/config.py
@@ -7,7 +7,7 @@ import sys
  from collections import OrderedDict, namedtuple
  from datetime import datetime
  from functools import wraps
--from typing import Any, Dict, Optional, Tuple, cast
++from typing import Any, Dict, List, Optional, Tuple, cast
  import yaml
@@ -47,6 +47,7 @@ DEFAULT_STATUS = {
          "created_at": "",
          "external_account_ids": [],
      },
++    "simulated": False,
  }  # type: Dict[str, Any]
  LOG = logging.getLogger(__name__)
@@ -326,13 +327,19 @@ class UAConfig:
              return {}
          self._entitlements = {}
--        contractInfo = machine_token["machineTokenInfo"]["contractInfo"]
++        contractInfo = machine_token.get("machineTokenInfo", {}).get(
++            "contractInfo"
++        )
++        if not contractInfo:
++            return {}
++
          tokens_by_name = dict(
--            (e["type"], e["token"])
++            (e.get("type"), e.get("token"))
              for e in machine_token.get("resourceTokens", [])
+         )
          ent_by_name = dict(
--            (e["type"], e) for e in contractInfo["resourceEntitlements"]
++            (e.get("type"), e)
++            for e in contractInfo.get("resourceEntitlements", [])
+         )
          for entitlement_name, ent_value in ent_by_name.items():
              entitlement_cfg = {"entitlement": ent_value}
@@ -551,16 +558,23 @@ class UAConfig:
                  mode = 0o644
          util.write_file(filepath, content, mode=mode)
--    def _remove_beta_resources(self, response) -> Dict[str, Any]:
--        """Remove beta services from response dict"""
--        from uaclient.entitlements import ENTITLEMENT_CLASS_BY_NAME
++    def _handle_beta_resources(self, show_beta, response) -> Dict[str, Any]:
++        """Remove beta services from response dict if needed"""
++        from uaclient.entitlements import entitlement_factory
++
++        config_allow_beta = util.is_config_value_true(
++            config=self.cfg, path_to_value="features.allow_beta"
++        )
++        show_beta |= config_allow_beta
++        if show_beta:
++            return response
          new_response = copy.deepcopy(response)
          released_resources = []
          for resource in new_response.get("services", {}):
              resource_name = resource["name"]
--            ent_cls = ENTITLEMENT_CLASS_BY_NAME.get(resource_name)
++            ent_cls = entitlement_factory(resource_name)
              if ent_cls is None:
                  """
@@ -624,34 +638,36 @@ class UAConfig:
      def _unattached_status(self) -> Dict[str, Any]:
          """Return unattached status as a dict."""
          from uaclient.contract import get_available_resources
--        from uaclient.entitlements import ENTITLEMENT_CLASS_BY_NAME
++        from uaclient.entitlements import entitlement_factory
          response = copy.deepcopy(DEFAULT_STATUS)
          response["version"] = version.get_version(features=self.features)
          resources = get_available_resources(self)
--        for resource in sorted(resources, key=lambda x: x["name"]):
--            if resource["available"]:
++        for resource in resources:
++            if resource.get("available"):
                  available = status.UserFacingAvailability.AVAILABLE.value
              else:
                  available = status.UserFacingAvailability.UNAVAILABLE.value
--            ent_cls = ENTITLEMENT_CLASS_BY_NAME.get(resource["name"])
++            ent_cls = entitlement_factory(resource.get("name", ""))
              if not ent_cls:
                  LOG.debug(
                      "Ignoring availability of unknown service %s"
                      " from contract server",
--                    resource["name"],
++                    resource.get("name", "without a 'name' key"),
+                 )
                  continue
              response["services"].append(
+                 {
--                    "name": resource["name"],
++                    "name": resource.get("presentedAs", resource["name"]),
                      "description": ent_cls.description,
                      "available": available,
+                 }
+             )
++        response["services"].sort(key=lambda x: x.get("name", ""))
++
          return response
      def _attached_service_status(
@@ -670,7 +686,7 @@ class UAConfig:
                  ent_status, details = ent.user_facing_status()
          return {
--            "name": ent.name,
++            "name": ent.presentation_name,
              "description": ent.description,
              "entitled": contract_status.value,
              "status": ent_status.value,
@@ -684,7 +700,7 @@ class UAConfig:
      def _attached_status(self) -> Dict[str, Any]:
          """Return configuration of attached status as a dictionary."""
          from uaclient.contract import get_available_resources
--        from uaclient.entitlements import ENTITLEMENT_CLASSES
++        from uaclient.entitlements import entitlement_factory
          response = copy.deepcopy(DEFAULT_STATUS)
          machineTokenInfo = self.machine_token["machineTokenInfo"]
@@ -725,15 +741,18 @@ class UAConfig:
          inapplicable_resources = {
              resource["name"]: resource.get("description")
--            for resource in sorted(resources, key=lambda x: x["name"])
--            if not resource["available"]
++            for resource in sorted(resources, key=lambda x: x.get("name", ""))
++            if not resource.get("available")
+         }
--        for ent_cls in ENTITLEMENT_CLASSES:
--            ent = ent_cls(self)
--            response["services"].append(
--                self._attached_service_status(ent, inapplicable_resources)
--            )
++        for resource in resources:
++            ent_cls = entitlement_factory(resource.get("name", ""))
++            if ent_cls:
++                ent = ent_cls(self)
++                response["services"].append(
++                    self._attached_service_status(ent, inapplicable_resources)
++                )
++        response["services"].sort(key=lambda x: x.get("name", ""))
          support = self.entitlements.get("support", {}).get("entitlement")
          if support:
@@ -742,7 +761,115 @@ class UAConfig:
                  response["contract"]["tech_support_level"] = supportLevel
          return response
--    def status(self, show_beta=False) -> Dict[str, Any]:
++    def _get_entitlement_information(
++        self, entitlements: List[Dict[str, Any]], entitlement_name: str
++    ) -> Dict[str, Any]:
++        """Extract information from the entitlements array."""
++        for entitlement in entitlements:
++            if entitlement.get("type") == entitlement_name:
++                return {
++                    "entitled": "yes" if entitlement.get("entitled") else "no",
++                    "auto_enabled": "yes"
++                    if entitlement.get("obligations", {}).get(
++                        "enableByDefault"
++                    )
++                    else "no",
++                    "affordances": entitlement.get("affordances", {}),
++                }
++        return {"entitled": "no", "auto_enabled": "no", "affordances": {}}
++
++    def simulate_status(
++        self, token: str, show_beta: bool = False
++    ) -> Dict[str, Any]:
++        """Return a status dictionary based on a token."""
++        from uaclient.contract import (
++            get_available_resources,
++            get_contract_information,
++        )
++        from uaclient.entitlements import entitlement_factory
++
++        response = copy.deepcopy(DEFAULT_STATUS)
++
++        contract_information = get_contract_information(self, token)
++
++        contract_info = contract_information.get("contractInfo", {})
++        account_info = contract_information.get("accountInfo", {})
++
++        response.update(
++            {
++                "version": version.get_version(features=self.features),
++                "contract": {
++                    "id": contract_info.get("id", ""),
++                    "name": contract_info.get("name", ""),
++                    "created_at": contract_info.get("createdAt", ""),
++                    "products": contract_info.get("products", []),
++                },
++                "account": {
++                    "name": account_info.get("name", ""),
++                    "id": account_info.get("id"),
++                    "created_at": account_info.get("createdAt", ""),
++                    "external_account_ids": account_info.get(
++                        "externalAccountIDs", []
++                    ),
++                },
++                "simulated": True,
++            }
++        )
++
++        if contract_info.get("effectiveTo"):
++            response["expires"] = contract_info.get("effectiveTo")
++        if contract_info.get("effectiveFrom"):
++            response["effective"] = contract_info.get("effectiveFrom")
++
++        status_cache = self.read_cache("status-cache")
++        if status_cache:
++            resources = status_cache.get("services")
++        else:
++            resources = get_available_resources(self)
++
++        entitlements = contract_info.get("resourceEntitlements", [])
++
++        inapplicable_resources = [
++            resource["name"]
++            for resource in sorted(resources, key=lambda x: x["name"])
++            if not resource["available"]
++        ]
++
++        for resource in resources:
++            entitlement_name = resource.get("name", "")
++            ent_cls = entitlement_factory(entitlement_name)
++            if ent_cls:
++                ent = ent_cls(self)
++                entitlement_information = self._get_entitlement_information(
++                    entitlements, entitlement_name
++                )
++                response["services"].append(
++                    {
++                        "name": resource.get("presentedAs", ent.name),
++                        "description": ent.description,
++                        "entitled": entitlement_information["entitled"],
++                        "auto_enabled": entitlement_information[
++                            "auto_enabled"
++                        ],
++                        "available": "yes"
++                        if ent.name not in inapplicable_resources
++                        else "no",
++                    }
++                )
++        response["services"].sort(key=lambda x: x.get("name", ""))
++
++        support = self._get_entitlement_information(entitlements, "support")
++        if support["entitled"]:
++            supportLevel = support["affordances"].get("supportLevel")
++            if supportLevel:
++                response["contract"]["tech_support_level"] = supportLevel
++
++        response.update(self._get_config_status())
++        response = self._handle_beta_resources(show_beta, response)
++
++        return response
++
++    def status(self, show_beta: bool = False) -> Dict[str, Any]:
          """Return status as a dict, using a cache for non-root users
          When unattached, get available resources from the contract service
@@ -751,7 +878,6 @@ class UAConfig:
          Write the status-cache when called by root.
          """
--
          if os.getuid() != 0:
              response = cast("Dict[str, Any]", self.read_cache("status-cache"))
              if not response:
@@ -760,7 +886,9 @@ class UAConfig:
              response = self._unattached_status()
          else:
              response = self._attached_status()
++
          response.update(self._get_config_status())
++
          if os.getuid() == 0:
              self.write_cache("status-cache", response)
@@ -773,12 +901,7 @@ class UAConfig:
                      ),
+                 )
--        config_allow_beta = util.is_config_value_true(
--            config=self.cfg, path_to_value="features.allow_beta"
--        )
--        show_beta |= config_allow_beta
--        if not show_beta:
--            response = self._remove_beta_resources(response)
++        response = self._handle_beta_resources(show_beta, response)
          return response
@@ -790,7 +913,7 @@ class UAConfig:
          :raises: UserFacingError when no help is available.
          """
          from uaclient.contract import get_available_resources
--        from uaclient.entitlements import ENTITLEMENT_CLASS_BY_NAME
++        from uaclient.entitlements import entitlement_factory
          resources = get_available_resources(self)
          help_resource = None
@@ -802,11 +925,12 @@ class UAConfig:
          response_dict["name"] = name
          for resource in resources:
--            if resource["name"] == name and name in ENTITLEMENT_CLASS_BY_NAME:
--                help_resource = resource
--                help_ent_cls = ENTITLEMENT_CLASS_BY_NAME.get(name)
--                help_ent = help_ent_cls(self)
--                break
++            if resource["name"] == name or resource.get("presentedAs") == name:
++                help_ent_cls = entitlement_factory(resource["name"])
++                if help_ent_cls:
++                    help_resource = resource
++                    help_ent = help_ent_cls(self)
++                    break
          if help_resource is None:
              raise exceptions.UserFacingError(
 diff --git a/uaclient/contract.py b/uaclient/contract.py
 index 0390bf4..f29c5d4 100644
 --- a/uaclient/contract.py
 +++ b/uaclient/contract.py
@@ -2,6 +2,7 @@ import logging
  from typing import Any, Dict, List, Optional
  from uaclient import clouds, exceptions, serviceclient, status, util
++from uaclient.config import UAConfig
  API_V1_CONTEXT_MACHINE_TOKEN = "/v1/context/machines/token"
  API_V1_TMPL_CONTEXT_MACHINE_TOKEN_RESOURCE = (
@@ -13,6 +14,7 @@ API_V1_TMPL_RESOURCE_MACHINE_ACCESS = (
+ )
  API_V1_AUTO_ATTACH_CLOUD_TOKEN = "/v1/clouds/{cloud_type}/token"
  API_V1_MACHINE_ACTIVITY = "/v1/contracts/{contract}/machine-activity/{machine}"
++API_V1_CONTRACT_INFORMATION = "/v1/contract"
  ATTACH_FAIL_DATE_FORMAT = "%B %d, %Y"
@@ -100,6 +102,16 @@ class UAContractClient(serviceclient.UAServiceClient):
+         )
          return resource_response
++    def request_contract_information(
++        self, contract_token: str
++    ) -> Dict[str, Any]:
++        headers = self.headers()
++        headers.update({"Authorization": "Bearer {}".format(contract_token)})
++        response_data, _response_headers = self.request_url(
++            API_V1_CONTRACT_INFORMATION, headers=headers
++        )
++        return response_data
++
      def request_auto_attach_contract_token(
          self, *, instance: clouds.AutoAttachCloudInstance
      ):
@@ -355,7 +367,7 @@ def process_entitlement_delta(
      :raise UserFacingError: on failure to process deltas.
      :return: Dict of processed deltas
      """
--    from uaclient.entitlements import ENTITLEMENT_CLASS_BY_NAME
++    from uaclient.entitlements import entitlement_factory
      if series_overrides:
          util.apply_series_overrides(new_access)
@@ -371,9 +383,8 @@ def process_entitlement_delta(
                      orig_access, new_access
+                 )
+             )
--        try:
--            ent_cls = ENTITLEMENT_CLASS_BY_NAME[name]
--        except KeyError:
++        ent_cls = entitlement_factory(name)
++        if not ent_cls:
              logging.debug(
                  'Skipping entitlement deltas for "%s". No such class', name
+             )
@@ -469,8 +480,14 @@ def request_updated_contract(
+     )
--def get_available_resources(cfg) -> List[Dict]:
--    """Query available resources from the contrct server for this machine."""
++def get_available_resources(cfg: UAConfig) -> List[Dict]:
++    """Query available resources from the contract server for this machine."""
      client = UAContractClient(cfg)
      resources = client.request_resources()
      return resources.get("resources", [])
++
++
++def get_contract_information(cfg: UAConfig, token: str) -> Dict[str, Any]:
++    """Query contract information for a specific token"""
++    client = UAContractClient(cfg)
++    return client.request_contract_information(token)
 diff --git a/uaclient/defaults.py b/uaclient/defaults.py
 index ee218de..e556abc 100644
 --- a/uaclient/defaults.py
 +++ b/uaclient/defaults.py
@@ -16,6 +16,7 @@ BASE_SECURITY_URL = "https://ubuntu.com/security"
  BASE_UA_URL = "https://ubuntu.com/advantage"
  EOL_UA_URL_TMPL = "https://ubuntu.com/{hyphenatedrelease}"
  BASE_ESM_URL = "https://ubuntu.com/esm"
++CLOUD_BUILD_INFO = "/etc/cloud/build.info"
  DOCUMENTATION_URL = (
      "https://discourse.ubuntu.com/t/ubuntu-advantage-client/21788"
+ )
 diff --git a/uaclient/entitlements/__init__.py b/uaclient/entitlements/__init__.py
 index d8cc495..18b0b3d 100644
 --- a/uaclient/entitlements/__init__.py
 +++ b/uaclient/entitlements/__init__.py
@@ -1,4 +1,4 @@
--from typing import Dict, List, Type, cast  # noqa: F401
++from typing import List, Type  # noqa: F401
  from uaclient.config import UAConfig
  from uaclient.entitlements import fips
@@ -23,27 +23,46 @@ ENTITLEMENT_CLASSES = [
  ]  # type: List[Type[UAEntitlement]]
--ENTITLEMENT_CLASS_BY_NAME = dict(
--    (cast(str, cls.name), cls) for cls in ENTITLEMENT_CLASSES
--)  # type: Dict[str, Type[UAEntitlement]]
++def entitlement_factory(name: str):
++    """Returns a UAEntitlement class based on the provided name.
++
++    The return type is Optional[Type[UAEntitlement]].
++    It cannot be explicit because of the Python version on Xenial (3.5.2).
++    """
++    for entitlement in ENTITLEMENT_CLASSES:
++        if name in entitlement().valid_names:
++            return entitlement
++    return None
--def valid_services(allow_beta: bool = False) -> List[str]:
++def valid_services(
++    allow_beta: bool = False, all_names: bool = False
++) -> List[str]:
      """Return a list of valid (non-beta) services.
      @param allow_beta: if we should allow beta services to be marked as valid
++    @param all_names: if we should return all the names for a service instead
++        of just the presentation_name
      """
      cfg = UAConfig()
      allow_beta_cfg = is_config_value_true(cfg.cfg, "features.allow_beta")
      allow_beta |= allow_beta_cfg
--    if allow_beta:
--        return sorted(ENTITLEMENT_CLASS_BY_NAME.keys())
++    entitlements = ENTITLEMENT_CLASSES
++    if not allow_beta:
++        entitlements = [
++            entitlement
++            for entitlement in entitlements
++            if not entitlement.is_beta
++        ]
++
++    if all_names:
++        names = []
++        for entitlement in entitlements:
++            names.extend(entitlement().valid_names)
++
++        return sorted(names)
      return sorted(
--        [
--            ent_name
--            for ent_name, ent_cls in ENTITLEMENT_CLASS_BY_NAME.items()
--            if not ent_cls.is_beta
--        ]
++        [entitlement().presentation_name for entitlement in entitlements]
+     )
 diff --git a/uaclient/entitlements/base.py b/uaclient/entitlements/base.py
 index 4bbe943..42376d4 100644
 --- a/uaclient/entitlements/base.py
 +++ b/uaclient/entitlements/base.py
@@ -58,6 +58,14 @@ class UAEntitlement(metaclass=abc.ABCMeta):
          pass
      @property
++    def valid_names(self) -> List[str]:
++        """The list of names this entitlement may be called."""
++        valid_names = [self.name]
++        if self.presentation_name != self.name:
++            valid_names.append(self.presentation_name)
++        return valid_names
++
++    @property
      @abc.abstractmethod
      def title(self) -> str:
          """The human readable title of this entitlement"""
@@ -70,6 +78,16 @@ class UAEntitlement(metaclass=abc.ABCMeta):
          pass
      @property
++    def presentation_name(self) -> str:
++        """The user-facing name shown for this entitlement"""
++        return (
++            self.cfg.entitlements.get(self.name, {})
++            .get("entitlement", {})
++            .get("affordances", {})
++            .get("presentedAs", self.name)
++        )
++
++    @property
      def help_info(self) -> str:
          """Help information for the entitlement"""
          if self._help_info is None:
@@ -132,6 +150,7 @@ class UAEntitlement(metaclass=abc.ABCMeta):
          cfg: Optional[config.UAConfig] = None,
          assume_yes: bool = False,
          allow_beta: bool = False,
++        called_name: str = "",
      ) -> None:
          """Setup UAEntitlement instance
@@ -142,6 +161,7 @@ class UAEntitlement(metaclass=abc.ABCMeta):
          self.cfg = cfg
          self.assume_yes = assume_yes
          self.allow_beta = allow_beta
++        self._called_name = called_name
          self._valid_service = None
      @property
@@ -310,10 +330,10 @@ class UAEntitlement(metaclass=abc.ABCMeta):
              True if all required services are active
              False is at least one of the required services is disabled
          """
--        from uaclient.entitlements import ENTITLEMENT_CLASS_BY_NAME
++        from uaclient.entitlements import entitlement_factory
          for required_service in self.required_services:
--            ent_cls = ENTITLEMENT_CLASS_BY_NAME.get(required_service)
++            ent_cls = entitlement_factory(required_service)
              if ent_cls:
                  ent_status, _ = ent_cls(self.cfg).application_status()
                  if ent_status != status.ApplicationStatus.ENABLED:
@@ -329,10 +349,10 @@ class UAEntitlement(metaclass=abc.ABCMeta):
              True if there are incompatible services enabled
              False if there are no incompatible services enabled
          """
--        from uaclient.entitlements import ENTITLEMENT_CLASS_BY_NAME
++        from uaclient.entitlements import entitlement_factory
          for incompatible_service in self.incompatible_services:
--            ent_cls = ENTITLEMENT_CLASS_BY_NAME.get(incompatible_service)
++            ent_cls = entitlement_factory(incompatible_service)
              if ent_cls:
                  ent_status, _ = ent_cls(self.cfg).application_status()
                  if ent_status == status.ApplicationStatus.ENABLED:
@@ -355,14 +375,14 @@ class UAEntitlement(metaclass=abc.ABCMeta):
          features:
            block_disable_on_enable: true
          """
--        from uaclient.entitlements import ENTITLEMENT_CLASS_BY_NAME
++        from uaclient.entitlements import entitlement_factory
          cfg_block_disable_on_enable = util.is_config_value_true(
              config=self.cfg.cfg,
              path_to_value="features.block_disable_on_enable",
+         )
          for incompatible_service in self.incompatible_services:
--            ent_cls = ENTITLEMENT_CLASS_BY_NAME.get(incompatible_service)
++            ent_cls = entitlement_factory(incompatible_service)
              if ent_cls:
                  ent = ent_cls(self.cfg)
@@ -412,10 +432,15 @@ class UAEntitlement(metaclass=abc.ABCMeta):
          that must be enabled first. In that situation, we can ask the user
          if the required service should be enabled before proceeding.
          """
--        from uaclient.entitlements import ENTITLEMENT_CLASS_BY_NAME
++        from uaclient.entitlements import entitlement_factory
          for required_service in self.required_services:
--            ent_cls = ENTITLEMENT_CLASS_BY_NAME[required_service]
++            ent_cls = entitlement_factory(required_service)
++            if not ent_cls:
++                msg = "Required service {} not found.".format(required_service)
++                logging.error(msg)
++                return False
++
              ent = ent_cls(self.cfg, allow_beta=True)
              is_service_disabled = (
@@ -555,10 +580,10 @@ class UAEntitlement(metaclass=abc.ABCMeta):
          and prompt for confirmation to disable these services
          as well.
          """
--        from uaclient.entitlements import ENTITLEMENT_CLASS_BY_NAME
++        from uaclient.entitlements import entitlement_factory
          for dependent_service in self.dependent_services:
--            ent_cls = ENTITLEMENT_CLASS_BY_NAME[dependent_service]
++            ent_cls = entitlement_factory(dependent_service)
              ent = ent_cls(self.cfg)
              is_service_enabled = (
 diff --git a/uaclient/entitlements/cis.py b/uaclient/entitlements/cis.py
 index 90d06b8..384bfd3 100644
 --- a/uaclient/entitlements/cis.py
 +++ b/uaclient/entitlements/cis.py
@@ -2,22 +2,47 @@ from typing import Callable, Dict, List, Tuple, Union
  from uaclient.entitlements import repo
--CIS_DOCS_URL = "https://security-certs.docs.ubuntu.com/en/cis"
++CIS_DOCS_URL = "https://ubuntu.com/security/cis"
++USG_DOCS_URL = "https://ubuntu.com/security/certifications/docs/usg"
  class CISEntitlement(repo.RepoEntitlement):
--    help_doc_url = "https://ubuntu.com/security/certifications#cis"
++    help_doc_url = USG_DOCS_URL
      name = "cis"
--    title = "CIS Audit"
--    description = "Center for Internet Security Audit Tools"
++    description = "Security compliance and audit tools"
      repo_key_file = "ubuntu-advantage-cis.gpg"
      apt_noninteractive = True
      @property
      def messaging(self,) -> Dict[str, List[Union[str, Tuple[Callable, Dict]]]]:
--        return {
++        if self._called_name == "usg":
++            return {
++                "post_enable": [
++                    "Visit {} for the next steps".format(USG_DOCS_URL)
++                ]
++            }
++        messages = {
              "post_enable": [
                  "Visit {} to learn how to use CIS".format(CIS_DOCS_URL)
+             ]
--        }
++        }  # type: Dict[str, List[Union[str, Tuple[Callable, Dict]]]]
++        if "usg" in self.valid_names:
++            messages["pre_enable"] = [
++                "From Ubuntu 20.04 and onwards 'ua enable cis' has been",
++                "replaced by 'ua enable usg'. See more information at:",
++                USG_DOCS_URL,
++            ]
++        return messages
++
++    @property
++    def packages(self) -> List[str]:
++        if self._called_name == "usg":
++            return []
++        return super().packages
++
++    @property
++    def title(self) -> str:
++        if self._called_name == "cis":
++            return "CIS Audit"
++        return "Ubuntu Security Guide"
 diff --git a/uaclient/entitlements/livepatch.py b/uaclient/entitlements/livepatch.py
 index aec4ae0..f422f32 100644
 --- a/uaclient/entitlements/livepatch.py
 +++ b/uaclient/entitlements/livepatch.py
@@ -16,6 +16,8 @@ ERROR_MSG_MAP = {
      "unsupported kernel": "Your running kernel is not supported by Livepatch.",
+ }
++LIVEPATCH_CMD = "/snap/bin/canonical-livepatch"
++
  def unconfigure_livepatch_proxy(
      protocol_type: str, retry_sleeps: Optional[List[float]] = None
@@ -29,10 +31,10 @@ def unconfigure_livepatch_proxy(
          on failure; sleeping half a second before the first retry and 1 second
          before the second retry.
      """
--    if not util.which("/snap/bin/canonical-livepatch"):
++    if not util.which(LIVEPATCH_CMD):
          return
      util.subp(
--        ["canonical-livepatch", "config", "{}-proxy=".format(protocol_type)],
++        [LIVEPATCH_CMD, "config", "{}-proxy=".format(protocol_type)],
          retry_sleeps=retry_sleeps,
+     )
@@ -61,21 +63,13 @@ def configure_livepatch_proxy(
      if http_proxy:
          util.subp(
--            [
--                "canonical-livepatch",
--                "config",
--                "http-proxy={}".format(http_proxy),
--            ],
++            [LIVEPATCH_CMD, "config", "http-proxy={}".format(http_proxy)],
              retry_sleeps=retry_sleeps,
+         )
      if https_proxy:
          util.subp(
--            [
--                "canonical-livepatch",
--                "config",
--                "https-proxy={}".format(https_proxy),
--            ],
++            [LIVEPATCH_CMD, "config", "https-proxy={}".format(https_proxy)],
              retry_sleeps=retry_sleeps,
+         )
@@ -86,7 +80,7 @@ def get_config_option_value(key: str) -> Optional[str]:
      :param protocol: can be any valid livepatch config option
      :return: the value of the livepatch config option, or None if not set
      """
--    out, _ = util.subp(["canonical-livepatch", "config"])
++    out, _ = util.subp([LIVEPATCH_CMD, "config"])
      match = re.search("^{}: (.*)$".format(key), out, re.MULTILINE)
      value = match.group(1) if match else None
      if value:
@@ -151,8 +145,8 @@ class LivepatchEntitlement(base.UAEntitlement):
+             )
          elif "snapd" not in apt.get_installed_packages():
              raise exceptions.UserFacingError(
--                "/usr/bin/snap is present but snapd is not installed;"
--                " cannot enable {}".format(self.title)
++                "{} is present but snapd is not installed;"
++                " cannot enable {}".format(snap.SNAP_CMD, self.title)
+             )
          try:
@@ -177,7 +171,7 @@ class LivepatchEntitlement(base.UAEntitlement):
              retry_sleeps=snap.SNAP_INSTALL_RETRIES,
+         )
--        if not util.which("/snap/bin/canonical-livepatch"):
++        if not util.which(LIVEPATCH_CMD):
              print("Installing canonical-livepatch snap")
              try:
                  util.subp(
@@ -230,18 +224,13 @@ class LivepatchEntitlement(base.UAEntitlement):
                      self.title,
+                 )
                  try:
--                    util.subp(["/snap/bin/canonical-livepatch", "disable"])
++                    util.subp([LIVEPATCH_CMD, "disable"])
                  except util.ProcessExecutionError as e:
                      logging.error(str(e))
                      return False
              try:
                  util.subp(
--                    [
--                        "/snap/bin/canonical-livepatch",
--                        "enable",
--                        livepatch_token,
--                    ],
--                    capture=True,
++                    [LIVEPATCH_CMD, "enable", livepatch_token], capture=True
+                 )
              except util.ProcessExecutionError as e:
                  msg = "Unable to enable Livepatch: "
@@ -261,15 +250,15 @@ class LivepatchEntitlement(base.UAEntitlement):
          @return: True on success, False otherwise.
          """
--        if not util.which("/snap/bin/canonical-livepatch"):
++        if not util.which(LIVEPATCH_CMD):
              return True
--        util.subp(["/snap/bin/canonical-livepatch", "disable"], capture=True)
++        util.subp([LIVEPATCH_CMD, "disable"], capture=True)
          return True
      def application_status(self) -> Tuple[ApplicationStatus, str]:
          status = (ApplicationStatus.ENABLED, "")
--        if not util.which("/snap/bin/canonical-livepatch"):
++        if not util.which(LIVEPATCH_CMD):
              return (
                  ApplicationStatus.DISABLED,
                  "canonical-livepatch snap is not installed.",
@@ -277,8 +266,7 @@ class LivepatchEntitlement(base.UAEntitlement):
          try:
              util.subp(
--                ["/snap/bin/canonical-livepatch", "status"],
--                retry_sleeps=LIVEPATCH_RETRIES,
++                [LIVEPATCH_CMD, "status"], retry_sleeps=LIVEPATCH_RETRIES
+             )
          except util.ProcessExecutionError as e:
              # TODO(May want to parse INACTIVE/failure assessment)
@@ -350,11 +338,7 @@ def process_config_directives(cfg):
      ca_certs = directives.get("caCerts")
      if ca_certs:
          util.subp(
--            [
--                "/snap/bin/canonical-livepatch",
--                "config",
--                "ca-certs={}".format(ca_certs),
--            ],
++            [LIVEPATCH_CMD, "config", "ca-certs={}".format(ca_certs)],
              capture=True,
+         )
      remote_server = directives.get("remoteServer", "")
@@ -363,7 +347,7 @@ def process_config_directives(cfg):
      if remote_server:
          util.subp(
+             [
--                "/snap/bin/canonical-livepatch",
++                LIVEPATCH_CMD,
                  "config",
                  "remote-server={}".format(remote_server),
              ],
 diff --git a/uaclient/entitlements/repo.py b/uaclient/entitlements/repo.py
 index 8c2e4d1..153ea09 100644
 --- a/uaclient/entitlements/repo.py
 +++ b/uaclient/entitlements/repo.py
@@ -120,10 +120,22 @@ class RepoEntitlement(base.UAEntitlement):
          :return: False if apt url is already found on the source file.
                   True otherwise.
          """
++        apt_file = self.repo_list_file_tmpl.format(name=self.name)
++        # If the apt file is commented out, we will assume that we need
++        # to regenerate the apt file, regardless of the apt url delta
++        if all(
++            line.startswith("#")
++            for line in util.load_file(apt_file).strip().split("\n")
++        ):
++            return False
++
++        # If the file is not commented out and we don't have delta,
++        # we will not do anything
          if not apt_url:
              return True
--        apt_file = self.repo_list_file_tmpl.format(name=self.name)
++        # If the delta is already in the file, we won't reconfigure it
++        # again
          return bool(apt_url in util.load_file(apt_file))
      def process_contract_deltas(
 diff --git a/uaclient/entitlements/tests/conftest.py b/uaclient/entitlements/tests/conftest.py
 index 054bc2b..03f56af 100644
 --- a/uaclient/entitlements/tests/conftest.py
 +++ b/uaclient/entitlements/tests/conftest.py
@@ -94,6 +94,7 @@ def entitlement_factory(tmpdir):
          obligations: Dict[str, Any] = None,
          entitled: bool = True,
          allow_beta: bool = False,
++        called_name: str = "",
          assume_yes: Optional[bool] = None,
          suites: List[str] = None,
          additional_packages: List[str] = None,
@@ -122,7 +123,7 @@ def entitlement_factory(tmpdir):
          if services_once_enabled:
              cfg.write_cache("services-once-enabled", services_once_enabled)
--        args = {"allow_beta": allow_beta}
++        args = {"allow_beta": allow_beta, "called_name": called_name}
          if assume_yes is not None:
              args["assume_yes"] = assume_yes
          return cls(cfg, **args)
 diff --git a/uaclient/entitlements/tests/test_base.py b/uaclient/entitlements/tests/test_base.py
 index f78f29a..76834d5 100644
 --- a/uaclient/entitlements/tests/test_base.py
 +++ b/uaclient/entitlements/tests/test_base.py
@@ -286,8 +286,6 @@ class TestUaEntitlement:
      def test_can_enable_when_incompatible_service_found(
          self, concrete_entitlement_factory
      ):
--        import uaclient.entitlements as ent
--
          base_ent = concrete_entitlement_factory(
              entitled=True,
              applicability_status=(status.ApplicabilityStatus.APPLICABLE, ""),
@@ -306,8 +304,9 @@ class TestUaEntitlement:
          with mock.patch.object(
              base_ent, "is_access_expired", return_value=False
          ):
--            with mock.patch.object(
--                ent, "ENTITLEMENT_CLASS_BY_NAME", {"test": m_entitlement_cls}
++            with mock.patch(
++                "uaclient.entitlements.entitlement_factory",
++                return_value=m_entitlement_cls,
              ):
                  ret, reason = base_ent.can_enable()
@@ -320,8 +319,6 @@ class TestUaEntitlement:
      def test_can_enable_when_required_service_found(
          self, concrete_entitlement_factory
      ):
--        import uaclient.entitlements as ent
--
          base_ent = concrete_entitlement_factory(
              entitled=True,
              applicability_status=(status.ApplicabilityStatus.APPLICABLE, ""),
@@ -337,8 +334,9 @@ class TestUaEntitlement:
+         ]
          type(m_entitlement_obj).title = mock.PropertyMock(return_value="test")
--        with mock.patch.object(
--            ent, "ENTITLEMENT_CLASS_BY_NAME", {"test": m_entitlement_cls}
++        with mock.patch(
++            "uaclient.entitlements.entitlement_factory",
++            return_value=m_entitlement_cls,
          ):
              ret, reason = base_ent.can_enable()
@@ -363,8 +361,6 @@ class TestUaEntitlement:
          assume_yes,
          concrete_entitlement_factory,
      ):
--        import uaclient.entitlements as ent
--
          m_prompt.return_value = assume_yes
          m_is_config_value_true.return_value = block_disable_on_enable
          base_ent = concrete_entitlement_factory(
@@ -386,8 +382,9 @@ class TestUaEntitlement:
          with mock.patch.object(
              base_ent, "is_access_expired", return_value=False
          ):
--            with mock.patch.object(
--                ent, "ENTITLEMENT_CLASS_BY_NAME", {"test": m_entitlement_cls}
++            with mock.patch(
++                "uaclient.entitlements.entitlement_factory",
++                return_value=m_entitlement_cls,
              ):
                  ret, reason = base_ent.enable()
@@ -416,8 +413,6 @@ class TestUaEntitlement:
      def test_enable_when_required_service_found(
          self, m_prompt, assume_yes, concrete_entitlement_factory
      ):
--        import uaclient.entitlements as ent
--
          m_prompt.return_value = assume_yes
          base_ent = concrete_entitlement_factory(
              entitled=True,
@@ -436,8 +431,9 @@ class TestUaEntitlement:
          m_entitlement_obj.enable.return_value = (True, "")
          type(m_entitlement_obj).title = mock.PropertyMock(return_value="test")
--        with mock.patch.object(
--            ent, "ENTITLEMENT_CLASS_BY_NAME", {"test": m_entitlement_cls}
++        with mock.patch(
++            "uaclient.entitlements.entitlement_factory",
++            return_value=m_entitlement_cls,
          ):
              ret, reason = base_ent.enable()
@@ -678,8 +674,6 @@ class TestUaEntitlement:
      def test_disable_when_dependent_service_found(
          self, m_prompt, concrete_entitlement_factory
      ):
--        import uaclient.entitlements as ent
--
          m_prompt.return_value = True
          base_ent = concrete_entitlement_factory(
              entitled=True,
@@ -697,8 +691,9 @@ class TestUaEntitlement:
          m_entitlement_obj.disable.return_value = True
          type(m_entitlement_obj).title = mock.PropertyMock(return_value="test")
--        with mock.patch.object(
--            ent, "ENTITLEMENT_CLASS_BY_NAME", {"test": m_entitlement_cls}
++        with mock.patch(
++            "uaclient.entitlements.entitlement_factory",
++            return_value=m_entitlement_cls,
          ):
              ret = base_ent.disable()
@@ -710,6 +705,39 @@ class TestUaEntitlement:
          assert m_prompt.call_count == expected_prompt_call
          assert m_entitlement_obj.disable.call_count == expected_disable_call
++    @pytest.mark.parametrize(
++        "p_name,expected",
++        (
++            ("pretty_name", ["testconcreteentitlement", "pretty_name"]),
++            ("testconcreteentitlement", ["testconcreteentitlement"]),
++        ),
++    )
++    @mock.patch(
++        "uaclient.entitlements.base.UAEntitlement.presentation_name",
++        new_callable=mock.PropertyMock,
++    )
++    def test_valid_names(
++        self, m_p_name, p_name, expected, concrete_entitlement_factory
++    ):
++        m_p_name.return_value = p_name
++        entitlement = concrete_entitlement_factory(entitled=True)
++        assert expected == entitlement.valid_names
++
++    def test_presentation_name(self, concrete_entitlement_factory):
++        entitlement = concrete_entitlement_factory(entitled=True)
++        assert "testconcreteentitlement" == entitlement.presentation_name
++        m_entitlements = {
++            "testconcreteentitlement": {
++                "entitlement": {
++                    "affordances": {"presentedAs": "something_else"}
++                }
++            }
++        }
++        with mock.patch(
++            "uaclient.config.UAConfig.entitlements", m_entitlements
++        ):
++            assert "something_else" == entitlement.presentation_name
++
  class TestUaEntitlementUserFacingStatus:
      def test_inapplicable_when_not_applicable(
 diff --git a/uaclient/entitlements/tests/test_cis.py b/uaclient/entitlements/tests/test_cis.py
 index 838c784..d6f1611 100644
 --- a/uaclient/entitlements/tests/test_cis.py
 +++ b/uaclient/entitlements/tests/test_cis.py
@@ -12,7 +12,10 @@ M_REPOPATH = "uaclient.entitlements.repo."
  @pytest.fixture
  def entitlement(entitlement_factory):
      return entitlement_factory(
--        CISEntitlement, allow_beta=True, additional_packages=["pkg1"]
++        CISEntitlement,
++        allow_beta=True,
++        called_name="cis",
++        additional_packages=["pkg1"],
+     )
 diff --git a/uaclient/entitlements/tests/test_entitlements.py b/uaclient/entitlements/tests/test_entitlements.py
 index a7210fe..06e0939 100644
 --- a/uaclient/entitlements/tests/test_entitlements.py
 +++ b/uaclient/entitlements/tests/test_entitlements.py
@@ -6,23 +6,54 @@ from uaclient import entitlements
  class TestValidServices:
++    @pytest.mark.parametrize("show_all_names", ((True), (False)))
      @pytest.mark.parametrize("allow_beta", ((True), (False)))
      @pytest.mark.parametrize("is_beta", ((True), (False)))
      @mock.patch("uaclient.entitlements.is_config_value_true")
--    def test_valid_services(self, m_is_config_value, is_beta, allow_beta):
++    def test_valid_services(
++        self, m_is_config_value, show_all_names, allow_beta, is_beta
++    ):
          m_is_config_value.return_value = allow_beta
++
          m_cls_1 = mock.MagicMock()
--        type(m_cls_1).is_beta = mock.PropertyMock(return_value=False)
++        m_inst_1 = mock.MagicMock()
++        m_cls_1.is_beta = False
++        m_inst_1.presentation_name = "ent1"
++        m_inst_1.valid_names = ["ent1", "othername"]
++        m_cls_1.return_value = m_inst_1
          m_cls_2 = mock.MagicMock()
--        type(m_cls_2).is_beta = mock.PropertyMock(return_value=is_beta)
--        ents_dict = {"ent1": m_cls_1, "ent2": m_cls_2}
++        m_inst_2 = mock.MagicMock()
++        m_cls_2.is_beta = is_beta
++        m_inst_2.presentation_name = "ent2"
++        m_inst_2.valid_names = ["ent2"]
++        m_cls_2.return_value = m_inst_2
++
++        ents = {m_cls_1, m_cls_2}
--        with mock.patch.object(
--            entitlements, "ENTITLEMENT_CLASS_BY_NAME", ents_dict
--        ):
++        with mock.patch.object(entitlements, "ENTITLEMENT_CLASSES", ents):
              expected_services = ["ent1"]
              if allow_beta or not is_beta:
                  expected_services.append("ent2")
++            if show_all_names:
++                expected_services.append("othername")
++
++            assert expected_services == entitlements.valid_services(
++                all_names=show_all_names
++            )
++
++
++class TestEntitlementFactory:
++    def test_entitlement_factory(self):
++        m_cls_1 = mock.MagicMock()
++        m_cls_1.return_value.valid_names = ["ent1", "othername"]
++
++        m_cls_2 = mock.MagicMock()
++        m_cls_2.return_value.valid_names = ["ent2"]
++
++        ents = {m_cls_1, m_cls_2}
--            assert expected_services == entitlements.valid_services()
++        with mock.patch.object(entitlements, "ENTITLEMENT_CLASSES", ents):
++            assert m_cls_1 == entitlements.entitlement_factory("othername")
++            assert m_cls_2 == entitlements.entitlement_factory("ent2")
++            assert None is entitlements.entitlement_factory("nonexistent")
 diff --git a/uaclient/entitlements/tests/test_fips.py b/uaclient/entitlements/tests/test_fips.py
 index 1a040bc..4d28026 100644
 --- a/uaclient/entitlements/tests/test_fips.py
 +++ b/uaclient/entitlements/tests/test_fips.py
@@ -145,7 +145,12 @@ class TestFIPSEntitlementCanEnable:
                  "application_status",
                  return_value=(status.ApplicationStatus.DISABLED, ""),
              ):
--                assert (True, None) == entitlement.can_enable()
++                with mock.patch.object(
++                    entitlement,
++                    "detect_incompatible_services",
++                    return_value=False,
++                ):
++                    assert (True, None) == entitlement.can_enable()
          assert ("", "") == capsys.readouterr()
@@ -931,8 +936,9 @@ class TestFipsEntitlementInstallPackages:
          self, m_run_apt, entitlement
      ):
          m_run_apt.side_effect = exceptions.UserFacingError("error")
--        with pytest.raises(exceptions.UserFacingError):
--            entitlement.install_packages()
++        with mock.patch.object(entitlement, "_cleanup"):
++            with pytest.raises(exceptions.UserFacingError):
++                entitlement.install_packages()
      @mock.patch(M_PATH + "apt.get_installed_packages")
      @mock.patch(M_PATH + "apt.run_apt_command")
 diff --git a/uaclient/entitlements/tests/test_livepatch.py b/uaclient/entitlements/tests/test_livepatch.py
 index 5d6dc3a..579aa70 100644
 --- a/uaclient/entitlements/tests/test_livepatch.py
 +++ b/uaclient/entitlements/tests/test_livepatch.py
@@ -12,6 +12,7 @@ import pytest
  from uaclient import apt, exceptions, status
  from uaclient.entitlements.livepatch import (
++    LIVEPATCH_CMD,
      LivepatchEntitlement,
      configure_livepatch_proxy,
      get_config_option_value,
@@ -84,7 +85,7 @@ class TestConfigureLivepatchProxy:
              expected_calls.append(
                  mock.call(
+                     [
--                        "canonical-livepatch",
++                        LIVEPATCH_CMD,
                          "config",
                          "http-proxy={}".format(http_proxy),
                      ],
@@ -96,7 +97,7 @@ class TestConfigureLivepatchProxy:
              expected_calls.append(
                  mock.call(
+                     [
--                        "canonical-livepatch",
++                        LIVEPATCH_CMD,
                          "config",
                          "https-proxy={}".format(https_proxy),
                      ],
@@ -183,7 +184,7 @@ check-interval: 60  # minutes""",
          ret = get_config_option_value(key)
          assert ret == expected_ret
          assert [
--            mock.call(["canonical-livepatch", "config"])
++            mock.call([LIVEPATCH_CMD, "config"])
          ] == m_util_subp.call_args_list
@@ -203,7 +204,7 @@ class TestUnconfigureLivepatchProxy:
          self, subp, which, livepatch_installed, protocol_type, retry_sleeps
      ):
          if livepatch_installed:
--            which.return_value = "/snap/bin/canonical-livepatch"
++            which.return_value = LIVEPATCH_CMD
          else:
              which.return_value = None
          kwargs = {"protocol_type": protocol_type}
@@ -213,11 +214,7 @@ class TestUnconfigureLivepatchProxy:
          if livepatch_installed:
              expected_calls = [
                  mock.call(
--                    [
--                        "canonical-livepatch",
--                        "config",
--                        protocol_type + "-proxy=",
--                    ],
++                    [LIVEPATCH_CMD, "config", protocol_type + "-proxy="],
                      retry_sleeps=retry_sleeps,
+                 )
+             ]
@@ -291,7 +288,7 @@ class TestLivepatchProcessConfigDirectives:
              process_config_directives(cfg)
          expected_subp = mock.call(
+             [
--                "/snap/bin/canonical-livepatch",
++                LIVEPATCH_CMD,
                  "config",
                  livepatch_param_tmpl.format(directive_value),
              ],
@@ -314,16 +311,10 @@ class TestLivepatchProcessConfigDirectives:
              process_config_directives(cfg)
          expected_calls = [
              mock.call(
--                ["/snap/bin/canonical-livepatch", "config", "ca-certs=value2"],
--                capture=True,
++                [LIVEPATCH_CMD, "config", "ca-certs=value2"], capture=True
              ),
              mock.call(
--                [
--                    "/snap/bin/canonical-livepatch",
--                    "config",
--                    "remote-server=value1",
--                ],
--                capture=True,
++                [LIVEPATCH_CMD, "config", "remote-server=value1"], capture=True
              ),
+         ]
          assert expected_calls == m_subp.call_args_list
@@ -609,17 +600,14 @@ class TestLivepatchEntitlementEnable:
      mocks_config = [
          mock.call(
+             [
--                "/snap/bin/canonical-livepatch",
++                LIVEPATCH_CMD,
                  "config",
                  "remote-server=https://alt.livepatch.com",
              ],
              capture=True,
          ),
--        mock.call(["/snap/bin/canonical-livepatch", "disable"]),
--        mock.call(
--            ["/snap/bin/canonical-livepatch", "enable", "livepatch-token"],
--            capture=True,
--        ),
++        mock.call([LIVEPATCH_CMD, "disable"]),
++        mock.call([LIVEPATCH_CMD, "enable", "livepatch-token"], capture=True),
+     ]
      @pytest.mark.parametrize("caplog_text", [logging.DEBUG], indirect=True)
@@ -677,10 +665,7 @@ class TestLivepatchEntitlementEnable:
              assert expected_log not in caplog_text()
          else:
              assert expected_log in caplog_text()
--        expected_calls = [
--            mock.call("/usr/bin/snap"),
--            mock.call("/snap/bin/canonical-livepatch"),
--        ]
++        expected_calls = [mock.call("/usr/bin/snap"), mock.call(LIVEPATCH_CMD)]
          assert expected_calls == m_which.call_args_list
          assert m_validate_proxy.call_count == 2
          assert m_snap_proxy.call_count == 1
@@ -723,10 +708,7 @@ class TestLivepatchEntitlementEnable:
              "Canonical livepatch enabled.\n"
+         )
          assert (msg, "") == capsys.readouterr()
--        expected_calls = [
--            mock.call("/usr/bin/snap"),
--            mock.call("/snap/bin/canonical-livepatch"),
--        ]
++        expected_calls = [mock.call("/usr/bin/snap"), mock.call(LIVEPATCH_CMD)]
          assert expected_calls == m_which.call_args_list
          assert m_validate_proxy.call_count == 2
          assert m_snap_proxy.call_count == 1
@@ -801,16 +783,15 @@ class TestLivepatchEntitlementEnable:
              ),
              mock.call(
+                 [
--                    "/snap/bin/canonical-livepatch",
++                    LIVEPATCH_CMD,
                      "config",
                      "remote-server=https://alt.livepatch.com",
                  ],
                  capture=True,
              ),
--            mock.call(["/snap/bin/canonical-livepatch", "disable"]),
++            mock.call([LIVEPATCH_CMD, "disable"]),
              mock.call(
--                ["/snap/bin/canonical-livepatch", "enable", "livepatch-token"],
--                capture=True,
++                [LIVEPATCH_CMD, "enable", "livepatch-token"], capture=True
              ),
+         ]
          assert subp_calls == m_subp.call_args_list
@@ -851,15 +832,14 @@ class TestLivepatchEntitlementEnable:
              ),
              mock.call(
+                 [
--                    "/snap/bin/canonical-livepatch",
++                    LIVEPATCH_CMD,
                      "config",
                      "remote-server=https://alt.livepatch.com",
                  ],
                  capture=True,
              ),
              mock.call(
--                ["/snap/bin/canonical-livepatch", "enable", "livepatch-token"],
--                capture=True,
++                [LIVEPATCH_CMD, "enable", "livepatch-token"], capture=True
              ),
+         ]
          assert subp_no_livepatch_disable == m_subp.call_args_list
 diff --git a/uaclient/entitlements/tests/test_repo.py b/uaclient/entitlements/tests/test_repo.py
 index 34aa979..233e3d2 100644
 --- a/uaclient/entitlements/tests/test_repo.py
 +++ b/uaclient/entitlements/tests/test_repo.py
@@ -980,6 +980,33 @@ class TestSetupAptConfig:
          ] == m_run_apt_command.call_args_list
++class TestCheckAptURLIsApplied:
++    @pytest.mark.parametrize("apt_url", (("test"), (None)))
++    @mock.patch("uaclient.util.load_file")
++    def test_check_apt_url_for_commented_apt_source_file(
++        self, m_load_file, apt_url, entitlement
++    ):
++        m_load_file.return_value = "#test1\n#test2\n"
++        assert not entitlement._check_apt_url_is_applied(apt_url)
++
++    @mock.patch("uaclient.util.load_file")
++    def test_check_apt_url_when_delta_apt_url_is_none(
++        self, m_load_file, entitlement
++    ):
++        m_load_file.return_value = "test1\n#test2\n"
++        assert entitlement._check_apt_url_is_applied(apt_url=None)
++
++    @pytest.mark.parametrize(
++        "apt_url,expected", (("test", True), ("blah", False))
++    )
++    @mock.patch("uaclient.util.load_file")
++    def test_check_apt_url_inspects_apt_source_file(
++        self, m_load_file, apt_url, expected, entitlement
++    ):
++        m_load_file.return_value = "test\n#test2\n"
++        assert expected == entitlement._check_apt_url_is_applied(apt_url)
++
++
  class TestApplicationStatus:
      # TODO: Write tests for all functionality
 diff --git a/uaclient/exceptions.py b/uaclient/exceptions.py
 index 2599561..daf2b5e 100644
 --- a/uaclient/exceptions.py
 +++ b/uaclient/exceptions.py
@@ -1,3 +1,5 @@
++from typing import Optional
++
  from uaclient import status
@@ -35,10 +37,23 @@ class NonAutoAttachImageError(UserFacingError):
      exit_code = 0
++class AlreadyAttachedOnPROError(UserFacingError):
++    """Raised when a PRO machine retries attaching with the same instance-id"""
++
++    exit_code = 0
++
++    def __init__(self, instance_id: str):
++        super().__init__(
++            status.MESSAGE_ALREADY_ATTACHED_ON_PRO.format(
++                instance_id=instance_id
++            )
++        )
++
++
  class AlreadyAttachedError(UserFacingError):
      """An exception to be raised when a command needs an unattached system."""
--    exit_code = 0
++    exit_code = 2
      def __init__(self, cfg):
          super().__init__(
@@ -102,3 +117,20 @@ class SecurityAPIMetadataError(UserFacingError):
              + "\n"
              + status.MESSAGE_SECURITY_ISSUE_NOT_RESOLVED.format(issue=issue_id)
+         )
++
++
++class CloudFactoryError(Exception):
++    def __init__(self, cloud_type: Optional[str]) -> None:
++        self.cloud_type = cloud_type
++
++
++class CloudFactoryNoCloudError(CloudFactoryError):
++    pass
++
++
++class CloudFactoryUnsupportedCloudError(CloudFactoryError):
++    pass
++
++
++class CloudFactoryNonViableCloudError(CloudFactoryError):
++    pass
 diff --git a/uaclient/jobs/update_messaging.py b/uaclient/jobs/update_messaging.py
 index bfc185c..b63fa20 100644
 --- a/uaclient/jobs/update_messaging.py
 +++ b/uaclient/jobs/update_messaging.py
@@ -206,13 +206,13 @@ def write_apt_and_motd_templates(cfg: config.UAConfig, series: str) -> None:
      no_warranty_file = ExternalMessage.UBUNTU_NO_WARRANTY.value
      msg_dir = os.path.join(cfg.data_dir, "messages")
--    apps_cls = entitlements.ENTITLEMENT_CLASS_BY_NAME["esm-apps"]
++    apps_cls = entitlements.entitlement_factory("esm-apps")
      apps_inst = apps_cls(cfg)
      config_allow_beta = util.is_config_value_true(
          config=cfg.cfg, path_to_value="features.allow_beta"
+     )
      apps_valid = bool(config_allow_beta or not apps_cls.is_beta)
--    infra_cls = entitlements.ENTITLEMENT_CLASS_BY_NAME["esm-infra"]
++    infra_cls = entitlements.entitlement_factory("esm-infra")
      infra_inst = infra_cls(cfg)
      expiry_status, remaining_days = get_contract_expiry_status(cfg)
@@ -292,7 +292,7 @@ def write_esm_announcement_message(cfg: config.UAConfig, series: str) -> None:
      :param cfg: UAConfig instance for this environment.
      :param series: string of Ubuntu release series: 'xenial'.
      """
--    apps_cls = entitlements.ENTITLEMENT_CLASS_BY_NAME["esm-apps"]
++    apps_cls = entitlements.entitlement_factory("esm-apps")
      apps_inst = apps_cls(cfg)
      enabled_status = ApplicationStatus.ENABLED
      apps_not_enabled = apps_inst.application_status()[0] != enabled_status
 diff --git a/uaclient/lock.py b/uaclient/lock.py
 new file mode 100644
 index 0000000..77ef76f
 --- /dev/null
 +++ b/uaclient/lock.py
@@ -0,0 +1,106 @@
++import functools
++import logging
++import os
++import time
++
++from uaclient import config, exceptions
++
++LOG = logging.getLogger("ua.lock")
++
++# Set a module-level callable here so we don't have to reinstantiate
++# UAConfig in order to determine dynamic data_path exception handling of
++# main_error_handler
++clear_lock_file = None
++
++
++def clear_lock_file_if_present():
++    global clear_lock_file
++    if clear_lock_file:
++        clear_lock_file()
++
++
++class SingleAttemptLock:
++    """
++    Context manager for gaining exclusive access to the lock file.
++    Create a lock file if absent. The lock file will contain a pid of the
++    running process, and a customer-visible description of the lock holder.
++
++    :param lock_holder: String with the service name or command which is
++        holding the lock. This lock_holder string will be customer visible in
++        status.json.
++    :raises: LockHeldError if lock is held.
++    """
++
++    def __init__(self, *_args, cfg: config.UAConfig, lock_holder: str):
++        self.cfg = cfg
++        self.lock_holder = lock_holder
++
++    def __enter__(self):
++        global clear_lock_file
++        (lock_pid, cur_lock_holder) = self.cfg.check_lock_info()
++        if lock_pid > 0:
++            raise exceptions.LockHeldError(
++                lock_request=self.lock_holder,
++                lock_holder=cur_lock_holder,
++                pid=lock_pid,
++            )
++        self.cfg.write_cache(
++            "lock", "{}:{}".format(os.getpid(), self.lock_holder)
++        )
++        notice_msg = "Operation in progress: {}".format(self.lock_holder)
++        self.cfg.add_notice("", notice_msg)
++        clear_lock_file = functools.partial(self.cfg.delete_cache_key, "lock")
++
++    def __exit__(self, _exc_type, _exc_value, _traceback):
++        global clear_lock_file
++        self.cfg.delete_cache_key("lock")
++        clear_lock_file = None  # Unset due to successful lock delete
++
++
++class SpinLock(SingleAttemptLock):
++    """
++    Context manager for gaining exclusive access to the lock file. In contrast
++    to the SingleAttemptLock, the SpinLock will try several times to acquire
++    the lock before giving up. The number of times to try and how long to sleep
++    in between tries is configurable.
++
++    :param lock_holder: String with the service name or command which is
++        holding the lock. This lock_holder string will be customer visible in
++        status.json.
++    :param sleep_time: Number of seconds to sleep before retrying if the lock
++        is already held.
++    :param max_retries: Maximum number of times to try to grab the lock before
++        giving up and raising a LockHeldError.
++    :raises: LockHeldError if lock is held after (sleep_time * max_retries)
++    """
++
++    def __init__(
++        self,
++        *_args,
++        cfg: config.UAConfig,
++        lock_holder: str,
++        sleep_time: int = 10,
++        max_retries: int = 12
++    ):
++        super().__init__(cfg=cfg, lock_holder=lock_holder)
++        self.sleep_time = sleep_time
++        self.max_retries = max_retries
++
++    def __enter__(self):
++        LOG.debug("spin lock starting for {}".format(self.lock_holder))
++        tries = 0
++        while True:
++            try:
++                super().__enter__()
++                break
++            except exceptions.LockHeldError as e:
++                LOG.debug(
++                    "SpinLock Attempt {}. {}. Spinning...".format(
++                        tries + 1, e.msg
++                    )
++                )
++                tries += 1
++                if tries >= self.max_retries:
++                    raise e
++                else:
++                    time.sleep(self.sleep_time)
 diff --git a/uaclient/security.py b/uaclient/security.py
 index 818f472..94c0e3a 100644
 --- a/uaclient/security.py
 +++ b/uaclient/security.py
@@ -16,7 +16,7 @@ from uaclient.clouds.identity import (
+ )
  from uaclient.config import UAConfig
  from uaclient.defaults import BASE_UA_URL, PRINT_WRAP_WIDTH
--from uaclient.entitlements import ENTITLEMENT_CLASS_BY_NAME
++from uaclient.entitlements import entitlement_factory
  CVE_OR_USN_REGEX = (
      r"((CVE|cve)-\d{4}-\d{4,7}$|(USN|usn|LSN|lsn)-\d{1,5}-\d{1,2}$)"
@@ -763,7 +763,7 @@ def _get_service_for_pocket(pocket: str, cfg: UAConfig):
      elif pocket == UA_APPS_POCKET:
          service_to_check = "esm-apps"
--    ent_cls = ENTITLEMENT_CLASS_BY_NAME.get(service_to_check)
++    ent_cls = entitlement_factory(service_to_check)
      return ent_cls(cfg) if ent_cls else None
 diff --git a/uaclient/security_status.py b/uaclient/security_status.py
 index 0f42704..d1e9484 100644
 --- a/uaclient/security_status.py
 +++ b/uaclient/security_status.py
@@ -73,13 +73,11 @@ def filter_security_updates(
+     ]
      return [
--        package
++        version
          for package in packages
--        if max(package.versions) > package.installed
--        and any(
--            origin.archive in security_repos
--            for origin in max(package.versions).origins
--        )
++        for version in package.versions
++        if version > package.installed
++        and any(origin.archive in security_repos for origin in version.origins)
+     ]
@@ -122,20 +120,18 @@ def security_status(cfg: UAConfig) -> Dict[str, Any]:
      installed_packages = [package for package in cache if package.is_installed]
      summary["num_installed_packages"] = len(installed_packages)
--    security_upgradable_packages = filter_security_updates(installed_packages)
++    security_upgradable_versions = filter_security_updates(installed_packages)
      package_count = {"esm-infra": 0, "esm-apps": 0, "standard-security": 0}
--    for package in security_upgradable_packages:
--        candidate = max(package.versions)
--        version = candidate.version
++    for candidate in security_upgradable_versions:
          service_name = get_service_name(candidate.origins)
          status = get_update_status(service_name, ua_info)
          package_count[service_name] += 1
          packages.append(
+             {
--                "package": package.name,
--                "version": version,
++                "package": candidate.package.name,
++                "version": candidate.version,
                  "service_name": service_name,
                  "status": status,
+             }
 diff --git a/uaclient/serviceclient.py b/uaclient/serviceclient.py
 index 48a1273..09703fe 100644
 --- a/uaclient/serviceclient.py
 +++ b/uaclient/serviceclient.py
@@ -68,11 +68,15 @@ class UAServiceClient(metaclass=abc.ABCMeta):
                  timeout=self.url_timeout,
+             )
          except error.URLError as e:
--            if hasattr(e, "read"):
++            body = None
++            if hasattr(e, "body"):
++                body = e.body
++            elif hasattr(e, "read"):
++                body = e.read().decode("utf-8")
++            if body:
                  try:
                      error_details = json.loads(
--                        e.read().decode("utf-8"),
--                        cls=util.DatetimeAwareJSONDecoder,
++                        body, cls=util.DatetimeAwareJSONDecoder
+                     )
                  except ValueError:
                      error_details = None
 diff --git a/uaclient/status.py b/uaclient/status.py
 index 5dbf65e..e537150 100644
 --- a/uaclient/status.py
 +++ b/uaclient/status.py
@@ -227,6 +227,8 @@ MESSAGE_ENABLED_TMPL = "{title} enabled"
  MESSAGE_ALREADY_ATTACHED = """\
  This machine is already attached to '{account_name}'
  To use a different subscription first run: sudo ua detach."""
++MESSAGE_ALREADY_ATTACHED_ON_PRO = """\
++Skipping attach: Instance '{instance_id}' is already attached."""
  MESSAGE_ALREADY_ENABLED_TMPL = """\
  {title} is already enabled.\nSee: sudo ua status"""
  MESSAGE_INAPPLICABLE_ARCH_TMPL = """\
@@ -346,6 +348,9 @@ Open a browser to: {}/subscribe""".format(
  STATUS_UNATTACHED_TMPL = "{name: <14}{available: <11}{description}"
++STATUS_SIMULATED_TMPL = """\
++{name: <14}{available: <11}{entitled: <11}{auto_enabled: <14}{description}"""
++
  STATUS_HEADER = "SERVICE       ENTITLED  STATUS    DESCRIPTION"
  # The widths listed below for entitled and status are actually 9 characters
  # less than reality because we colorize the values in entitled and status
@@ -631,7 +636,21 @@ def get_section_column_content(
  def format_tabular(status: Dict[str, Any]) -> str:
      """Format status dict for tabular output."""
--    if not status["attached"]:
++    if not status.get("attached"):
++        if status.get("simulated"):
++            content = [
++                STATUS_SIMULATED_TMPL.format(
++                    name="SERVICE",
++                    available="AVAILABLE",
++                    entitled="ENTITLED",
++                    auto_enabled="AUTO_ENABLED",
++                    description="DESCRIPTION",
++                )
++            ]
++            for service in status["services"]:
++                content.append(STATUS_SIMULATED_TMPL.format(**service))
++            return "\n".join(content)
++
          content = [
              STATUS_UNATTACHED_TMPL.format(
                  name="SERVICE",
@@ -696,12 +715,13 @@ def _format_status_output(status: Dict[str, Any]) -> Dict[str, Any]:
          or name == "UA_CONFIG_FILE"
+     ]
--    available_services = [
--        service
--        for service in status.get("services", [])
--        if service.get("available", "yes") == "yes"
--    ]
--    status["services"] = available_services
++    if not status.get("simulated"):
++        available_services = [
++            service
++            for service in status.get("services", [])
++            if service.get("available", "yes") == "yes"
++        ]
++        status["services"] = available_services
      # We don't need the origin info in the json output
      status.pop("origin", "")
 diff --git a/uaclient/tests/test_actions.py b/uaclient/tests/test_actions.py
 new file mode 100644
 index 0000000..cc9a25f
 --- /dev/null
 +++ b/uaclient/tests/test_actions.py
@@ -0,0 +1,145 @@
++import mock
++import pytest
++
++from uaclient import exceptions, status, util
++from uaclient.actions import attach_with_token, auto_attach
++from uaclient.contract import ContractAPIError
++from uaclient.exceptions import NonAutoAttachImageError
++from uaclient.tests.test_cli_auto_attach import fake_instance_factory
++
++M_PATH = "uaclient.actions."
++
++
++class TestAttachWithToken:
++    @pytest.mark.parametrize(
++        "request_updated_contract_side_effect, expected_error_class,"
++        " expect_status_call",
++        [
++            (None, None, False),
++            (util.UrlError("cause"), util.UrlError, True),
++            (
++                exceptions.UserFacingError("test"),
++                exceptions.UserFacingError,
++                True,
++            ),
++        ],
++    )
++    @mock.patch(M_PATH + "config.update_ua_messages")
++    @mock.patch(M_PATH + "config.UAConfig.status")
++    @mock.patch(M_PATH + "contract.request_updated_contract")
++    def test_attach_with_token(
++        self,
++        m_request_updated_contract,
++        m_status,
++        m_update_ua_messages,
++        request_updated_contract_side_effect,
++        expected_error_class,
++        expect_status_call,
++        FakeConfig,
++    ):
++        cfg = FakeConfig()
++        m_request_updated_contract.side_effect = (
++            request_updated_contract_side_effect
++        )
++        if expected_error_class:
++            with pytest.raises(expected_error_class):
++                attach_with_token(cfg, "token", False)
++        else:
++            attach_with_token(cfg, "token", False)
++        if expect_status_call:
++            assert [mock.call()] == m_status.call_args_list
++        assert [mock.call(cfg)] == m_update_ua_messages.call_args_list
++
++
++class TestAutoAttach:
++    @mock.patch(M_PATH + "attach_with_token")
++    @mock.patch(M_PATH + "identity.get_instance_id", return_value="my-iid")
++    @mock.patch(
++        M_PATH
++        + "contract.UAContractClient.request_auto_attach_contract_token",
++        return_value={"contractToken": "token"},
++    )
++    @mock.patch(M_PATH + "config.update_ua_messages")
++    @mock.patch(M_PATH + "config.UAConfig.write_cache")
++    def test_happy_path_on_auto_attach(
++        self,
++        m_write_cache,
++        m_update_ua_messages,
++        m_request_auto_attach_contract_token,
++        m_get_instance_id,
++        m_attach_with_token,
++        FakeConfig,
++    ):
++        cfg = FakeConfig()
++
++        auto_attach(cfg, fake_instance_factory())
++
++        assert [
++            mock.call(cfg, token="token", allow_enable=True)
++        ] == m_attach_with_token.call_args_list
++
++        assert [
++            mock.call("instance-id", "my-iid")
++        ] == m_write_cache.call_args_list
++
++    @pytest.mark.parametrize(
++        "http_msg,http_code,http_response",
++        (
++            ("Not found", 404, {"message": "missing instance information"}),
++            (
++                "Forbidden",
++                403,
++                {"message": "forbidden: cannot verify signing certificate"},
++            ),
++        ),
++    )
++    @mock.patch(
++        M_PATH + "contract.UAContractClient.request_auto_attach_contract_token"
++    )
++    @mock.patch(M_PATH + "identity.get_instance_id", return_value="old-iid")
++    def test_handles_4XX_contract_errors(
++        self,
++        _m_get_instance_id,
++        m_request_auto_attach_contract_token,
++        http_msg,
++        http_code,
++        http_response,
++        FakeConfig,
++    ):
++        """VMs running on non-auto-attach images do not return a token."""
++        cfg = FakeConfig()
++        m_request_auto_attach_contract_token.side_effect = ContractAPIError(
++            util.UrlError(
++                http_msg, code=http_code, url="http://me", headers={}
++            ),
++            error_response=http_response,
++        )
++        with pytest.raises(NonAutoAttachImageError) as excinfo:
++            auto_attach(cfg, fake_instance_factory())
++        assert status.MESSAGE_UNSUPPORTED_AUTO_ATTACH == str(excinfo.value)
++
++    @mock.patch(
++        M_PATH + "contract.UAContractClient.request_auto_attach_contract_token"
++    )
++    @mock.patch(M_PATH + "identity.get_instance_id", return_value="my-iid")
++    def test_raise_unexpected_errors(
++        self,
++        _m_get_instance_id,
++        m_request_auto_attach_contract_token,
++        FakeConfig,
++    ):
++        """Any unexpected errors will be raised."""
++        cfg = FakeConfig()
++
++        unexpected_error = ContractAPIError(
++            util.UrlError(
++                "Server error", code=500, url="http://me", headers={}
++            ),
++            error_response={"message": "something unexpected"},
++        )
++        m_request_auto_attach_contract_token.side_effect = unexpected_error
++
++        with pytest.raises(ContractAPIError) as excinfo:
++            auto_attach(cfg, fake_instance_factory())
++
++        assert unexpected_error == excinfo.value
 diff --git a/uaclient/tests/test_apt.py b/uaclient/tests/test_apt.py
 index b440b6e..2810d7e 100644
 --- a/uaclient/tests/test_apt.py
 +++ b/uaclient/tests/test_apt.py
@@ -559,7 +559,7 @@ class TestCleanAptFiles:
          repo_tmpl = tmpdir.join("source-{name}").strpath
          pref_tmpl = tmpdir.join("pref-{name}").strpath
--        class DummyRepo(request.param):
++        class TestRepo(request.param):
              name = entitlement_name
              repo_list_file_tmpl = repo_tmpl
              repo_pref_file_tmpl = pref_tmpl
@@ -575,7 +575,7 @@ class TestCleanAptFiles:
              with open(pref_name, "w") as f:
                  f.write("")
--        return DummyRepo
++        return TestRepo
      @mock.patch("uaclient.apt.os.unlink")
      def test_no_removals_for_no_repo_entitlements(self, m_os_unlink):
 diff --git a/uaclient/tests/test_cli.py b/uaclient/tests/test_cli.py
 index 3208603..a02d2fe 100644
 --- a/uaclient/tests/test_cli.py
 +++ b/uaclient/tests/test_cli.py
@@ -34,14 +34,25 @@ from uaclient.exceptions import (
  BIG_DESC = "123456789 " * 7 + "next line"
  BIG_URL = "http://" + "adsf" * 10
++AVAILABLE_RESOURCES = [
++    {"name": "cc-eal"},
++    {"name": "cis"},
++    {"name": "esm-apps"},
++    {"name": "esm-infra"},
++    {"name": "fips-updates"},
++    {"name": "fips"},
++    {"name": "livepatch"},
++    {"name": "ros-updates"},
++    {"name": "ros"},
++]
  ALL_SERVICES_WRAPPED_HELP = textwrap.dedent(
      """
  Client to manage Ubuntu Advantage services on a machine.
   - cc-eal: Common Criteria EAL2 Provisioning Packages
     (https://ubuntu.com/cc-eal)
-- - cis: Center for Internet Security Audit Tools
--   (https://ubuntu.com/security/certifications#cis)
++ - cis: Security compliance and audit tools
++   (https://ubuntu.com/security/certifications/docs/usg)
   - esm-apps: UA Apps: Extended Security Maintenance (ESM)
     (https://ubuntu.com/security/esm)
   - esm-infra: UA Infra: Extended Security Maintenance (ESM)
@@ -64,8 +75,8 @@ SERVICES_WRAPPED_HELP = textwrap.dedent(
  Client to manage Ubuntu Advantage services on a machine.
   - cc-eal: Common Criteria EAL2 Provisioning Packages
     (https://ubuntu.com/cc-eal)
-- - cis: Center for Internet Security Audit Tools
--   (https://ubuntu.com/security/certifications#cis)
++ - cis: Security compliance and audit tools
++   (https://ubuntu.com/security/certifications/docs/usg)
   - esm-infra: UA Infra: Extended Security Maintenance (ESM)
     (https://ubuntu.com/security/esm)
   - fips-updates: NIST-certified core packages with priority security updates
@@ -119,17 +130,21 @@ class TestCLIParser:
      maxDiff = None
      @mock.patch("uaclient.cli.entitlements")
++    @mock.patch("uaclient.cli.contract")
      def test_help_descr_and_url_is_wrapped_at_eighty_chars(
--        self, m_entitlements, get_help
++        self, m_contract, m_entitlements, get_help
      ):
          """Help lines are wrapped at 80 chars"""
--        def cls_mock_factory(desc, url):
--            return mock.Mock(description=desc, help_doc_url=url, is_beta=False)
++        mocked_ent = mock.MagicMock(
++            presentation_name="test",
++            description=BIG_DESC,
++            help_doc_url=BIG_URL,
++            is_beta=False,
++        )
--        m_entitlements.ENTITLEMENT_CLASS_BY_NAME = {
--            "test": cls_mock_factory(BIG_DESC, BIG_URL)
--        }
++        m_entitlements.entitlement_factory.return_value = mocked_ent
++        m_contract.get_available_resources.return_value = [{"name": "test"}]
          lines = [
              " - test: " + " ".join(["123456789"] * 7),
@@ -138,10 +153,13 @@ class TestCLIParser:
          out, _ = get_help()
          assert "\n".join(lines) in out
--    def test_help_sourced_dynamically_from_each_entitlement(self, get_help):
++    @mock.patch("uaclient.cli.contract")
++    def test_help_sourced_dynamically_from_each_entitlement(
++        self, m_contract, get_help
++    ):
          """Help output is sourced from entitlement name and description."""
++        m_contract.get_available_resources.return_value = AVAILABLE_RESOURCES
          out, type_request = get_help()
--
          if type_request == "base":
              assert SERVICES_WRAPPED_HELP in out
          else:
@@ -167,8 +185,6 @@ class TestCLIParser:
          self, m_attached, m_available_resources, out_format, expected_return
      ):
          """Test help command for a valid service in an unnatached ua client."""
--        import uaclient.entitlements as ent
--
          m_args = mock.MagicMock()
          m_service_name = mock.PropertyMock(return_value="test")
          type(m_args).service = m_service_name
@@ -189,8 +205,9 @@ class TestCLIParser:
+         ]
          fake_stdout = io.StringIO()
--        with mock.patch.object(
--            ent, "ENTITLEMENT_CLASS_BY_NAME", {"test": m_entitlement_cls}
++        with mock.patch(
++            "uaclient.entitlements.entitlement_factory",
++            return_value=m_entitlement_cls,
          ):
              with contextlib.redirect_stdout(fake_stdout):
                  action_help(m_args, cfg=None)
@@ -222,8 +239,6 @@ class TestCLIParser:
          self, m_attached, m_available_resources, ent_status, ent_msg, is_beta
      ):
          """Test help command for a valid service in an attached ua client."""
--        import uaclient.entitlements as ent
--
          m_args = mock.MagicMock()
          m_service_name = mock.PropertyMock(return_value="test")
          type(m_args).service = m_service_name
@@ -256,7 +271,7 @@ class TestCLIParser:
          status_msg = "enabled" if ent_msg == "yes" else "—"
          ufs_call_count = 1 if ent_msg == "yes" else 0
--        ent_name_call_count = 3 if ent_msg == "yes" else 2
++        ent_name_call_count = 2 if ent_msg == "yes" else 1
          is_beta_call_count = 1 if status_msg == "enabled" else 0
          expected_msgs = [
@@ -275,8 +290,9 @@ class TestCLIParser:
          expected_msg = "\n\n".join(expected_msgs)
          fake_stdout = io.StringIO()
--        with mock.patch.object(
--            ent, "ENTITLEMENT_CLASS_BY_NAME", {"test": m_entitlement_cls}
++        with mock.patch(
++            "uaclient.entitlements.entitlement_factory",
++            return_value=m_entitlement_cls,
          ):
              with contextlib.redirect_stdout(fake_stdout):
                  action_help(m_args, cfg=None)
@@ -527,7 +543,7 @@ class TestMain:
          "exception,expected_exit_code",
+         [
              (UserFacingError("You need to know about this."), 1),
--            (AlreadyAttachedError(mock.MagicMock()), 0),
++            (AlreadyAttachedError(mock.MagicMock()), 2),
+             (
                  LockHeldError(
                      pid="123",
@@ -653,7 +669,8 @@ class TestMain:
          assert "UA_FEATURES_WOW=XYZ" in log
          assert "NOT_UA_ENV=YES" not in log
--    def test_argparse_errors_well_formatted(self, capsys):
++    @mock.patch("uaclient.cli.contract.get_available_resources")
++    def test_argparse_errors_well_formatted(self, _m_resources, capsys):
          parser = get_parser()
          with mock.patch("sys.argv", ["ua", "enable"]):
              with pytest.raises(SystemExit) as excinfo:
@@ -834,14 +851,11 @@ class TestSetupLogging:
  class TestGetValidEntitlementNames:
--    @mock.patch("uaclient.cli.entitlements")
--    def test_get_valid_entitlements(self, m_entitlements):
--        m_entitlements.ENTITLEMENT_CLASS_BY_NAME = {
--            "ent1": True,
--            "ent2": True,
--            "ent3": True,
--        }
--
++    @mock.patch(
++        "uaclient.cli.entitlements.valid_services",
++        return_value=["ent1", "ent2", "ent3"],
++    )
++    def test_get_valid_entitlements(self, _m_valid_services):
          service = ["ent1", "ent3", "ent4"]
          expected_ents_found = ["ent1", "ent3"]
          expected_ents_not_found = ["ent4"]
 diff --git a/uaclient/tests/test_cli_attach.py b/uaclient/tests/test_cli_attach.py
 index 0be920d..49f7282 100644
 --- a/uaclient/tests/test_cli_attach.py
 +++ b/uaclient/tests/test_cli_attach.py
@@ -237,26 +237,27 @@ class TestActionAttach:
          assert [mock.call(cfg)] == update_ua_messages.call_args_list
++@mock.patch(M_PATH + "contract.get_available_resources")
  class TestParser:
--    def test_attach_parser_usage(self):
++    def test_attach_parser_usage(self, _m_resources):
          parser = attach_parser(mock.Mock())

Ubuntuubuntu-advantage-tools package

Merge ~renanrodrigo/ubuntu/+source/ubuntu-advantage-tools:upload-27.5-jammy into ubuntu/+source/ubuntu-advantage-tools:ubuntu/devel

Commit message

Description of the change

Preview Diff

Subscribers

Ubuntu
ubuntu-advantage-tools package