Ubuntu
ubuntu-advantage-tools package

Merge ~renanrodrigo/ubuntu/+source/ubuntu-advantage-tools:upload-27.11-kinetic into ubuntu/+source/ubuntu-advantage-tools:ubuntu/devel

Git
lp:~renanrodrigo/ubuntu/+source/ubuntu-advantage-tools
upload-27.11-kinetic
Merge into ubuntu/devel

Proposed by Renan Rodrigo on 2022-09-12

Status:

Merged

Merge reported by:

Renan Rodrigo

Merged at revision:

69ddad099a3f8a03070499406e4fd02dfcc2fb91

Proposed branch:

~renanrodrigo/ubuntu/+source/ubuntu-advantage-tools:upload-27.11-kinetic

Merge into:

ubuntu/+source/ubuntu-advantage-tools:ubuntu/devel

Diff against target:

34580 lines (+14190/-5940)

218 files modified

.github/workflows/ci-integration.yaml (+8/-3)
.github/workflows/cla-check.yaml (+12/-0)
.readthedocs.yaml (+14/-0)
CONTRIBUTING.md (+6/-0)
Makefile (+1/-0)
README.md (+33/-32)
apport/source_ubuntu-advantage-tools.py (+29/-0)
apt-hook/hook.cc (+2/-6)
apt-hook/json-hook.cc (+3/-12)
apt-hook/json-hook.test.cc (+22/-22)
debian/changelog (+60/-0)
debian/control (+2/-2)
debian/ubuntu-advantage-tools.links (+2/-0)
debian/ubuntu-advantage-tools.postinst (+26/-3)
dev-docs/explanations/how_auto_attach_works.md (+57/-0)
dev-docs/howtoguides/how_to_use_magic_attach_endpoints.md (+168/-0)
dev-docs/howtoguides/testing.md (+12/-4)
dev-docs/howtoguides/use_staging_environment.md (+13/-0)
dev-docs/references/directory_layout.md (+11/-0)
dev-docs/references/what_happens_during_attach.md (+2/-1)
dev/null (+0/-9)
docs-requirements.txt (+4/-0)
docs/README.md (+11/-0)
docs/conf.py (+52/-0)
docs/explanations/apt_messages.md (+19/-29)
docs/explanations/how_to_interpret_the_security_status_command.md (+7/-0)
docs/explanations/motd_messages.md (+15/-18)
docs/explanations/status_columns.md (+2/-3)
docs/explanations/what_are_the_timer_jobs.md (+1/-1)
docs/howtoguides/create_pro_golden_image.md (+7/-17)
docs/howtoguides/enable_cc.md (+28/-0)
docs/howtoguides/enable_realtime_kernel.md (+62/-0)
docs/howtoguides/enable_ua_in_dockerfile.md (+1/-1)
docs/howtoguides/get_token_and_attach.md (+1/-1)
docs/howtoguides/how_to_run_ua_fix_in_dry_run_mode.md (+1/-1)
docs/howtoguides/how_to_simulate_attach.md (+1/-1)
docs/index.rst (+58/-0)
docs/references/support_matrix.md (+3/-1)
docs/tutorials/basic_ua_commands.md (+6/-7)
docs/tutorials/create_a_fips_updates_pro_cloud_image.md (+65/-0)
docs/tutorials/ua_fix_scenarios.md (+9/-9)
features/_version.feature (+8/-8)
features/api.feature (+52/-0)
features/api_full_auto_attach.feature (+39/-0)
features/api_magic_attach.feature (+74/-0)
features/apt_messages.feature (+328/-0)
features/attach_invalidtoken.feature (+10/-10)
features/attach_validtoken.feature (+37/-170)
features/attached_commands.feature (+189/-240)
features/attached_enable.feature (+251/-183)
features/attached_status.feature (+168/-3)
features/cloud.py (+7/-15)
features/cloud_pro_clone.feature (+65/-0)
features/collect_logs.feature (+4/-14)
features/daemon.feature (+16/-16)
features/detached_auto_attach.feature (+7/-7)
features/docker.feature (+3/-3)
features/enable_fips_cloud.feature (+36/-36)
features/enable_fips_container.feature (+11/-11)
features/enable_fips_pro.feature (+15/-15)
features/enable_fips_vm.feature (+68/-66)
features/environment.py (+104/-77)
features/fix.feature (+58/-60)
features/install_uninstall.feature (+2/-2)
features/motd_messages.feature (+163/-0)
features/proxy_config.feature (+127/-127)
features/realtime_kernel.feature (+49/-12)
features/schemas/api_response.json (+64/-0)
features/schemas/magic_attach.json (+24/-0)
features/schemas/ua_security_status.json (+19/-0)
features/security_status.feature (+542/-0)
features/staging_commands.feature (+6/-53)
features/steps/steps.py (+216/-74)
features/ubuntu_pro.feature (+167/-59)
features/ubuntu_pro_fips.feature (+100/-113)
features/ubuntu_upgrade.feature (+25/-23)
features/ubuntu_upgrade_unattached.feature (+3/-5)
features/unattached_commands.feature (+135/-103)
features/unattached_status.feature (+467/-176)
features/util.py (+67/-42)
help_data.yaml (+10/-11)
integration-requirements.txt (+1/-1)
lib/auto_attach.py (+69/-0)
lib/daemon.py (+2/-2)
lib/patch_status_json.py (+4/-4)
lib/reboot_cmds.py (+10/-8)
lib/timer.py (+7/-2)
lib/upgrade_lts_contract.py (+16/-10)
setup.py (+5/-1)
systemd/ua-auto-attach.service (+2/-1)
tools/create-lp-release-branches.sh (+2/-3)
tools/refresh-aws-pro-ids (+3/-3)
tools/run-integration-tests.py (+37/-27)
tools/test-in-lxd.sh (+2/-2)
tools/ua.bash (+1/-1)
tox.ini (+4/-3)
uaclient-devel.conf (+1/-1)
uaclient.conf (+3/-3)
uaclient/actions.py (+170/-10)
uaclient/api/__init__.py (+0/-0)
uaclient/api/api.py (+144/-0)
uaclient/api/data_types.py (+69/-0)
uaclient/api/errors.py (+61/-0)
uaclient/api/exceptions.py (+40/-0)
uaclient/api/tests/__init__.py (+0/-0)
uaclient/api/tests/test_api.py (+310/-0)
uaclient/api/tests/test_api_u_pro_attach_auto_should_auto_attach.py (+49/-0)
uaclient/api/tests/test_api_u_pro_attach_magic_wait_v1.py (+147/-0)
uaclient/api/tests/test_api_u_pro_version.py (+26/-0)
uaclient/api/tests/test_u_pro_attach_auto_full_auto_attach_v1.py (+161/-0)
uaclient/api/u/__init__.py (+0/-0)
uaclient/api/u/pro/__init__.py (+0/-0)
uaclient/api/u/pro/attach/__init__.py (+0/-0)
uaclient/api/u/pro/attach/auto/__init__.py (+0/-0)
uaclient/api/u/pro/attach/auto/full_auto_attach/__init__.py (+0/-0)
uaclient/api/u/pro/attach/auto/full_auto_attach/v1.py (+149/-0)
uaclient/api/u/pro/attach/auto/should_auto_attach/__init__.py (+0/-0)
uaclient/api/u/pro/attach/auto/should_auto_attach/v1.py (+41/-0)
uaclient/api/u/pro/attach/magic/__init__.py (+0/-0)
uaclient/api/u/pro/attach/magic/initiate/__init__.py (+0/-0)
uaclient/api/u/pro/attach/magic/initiate/v1.py (+55/-0)
uaclient/api/u/pro/attach/magic/revoke/__init__.py (+0/-0)
uaclient/api/u/pro/attach/magic/revoke/v1.py (+39/-0)
uaclient/api/u/pro/attach/magic/wait/__init__.py (+0/-0)
uaclient/api/u/pro/attach/magic/wait/v1.py (+118/-0)
uaclient/api/u/pro/version/__init__.py (+0/-0)
uaclient/api/u/pro/version/v1.py (+39/-0)
uaclient/apt.py (+111/-43)
uaclient/cli.py (+244/-279)
uaclient/clouds/aws.py (+5/-5)
uaclient/clouds/azure.py (+4/-4)
uaclient/clouds/gcp.py (+9/-7)
uaclient/clouds/identity.py (+4/-4)
uaclient/clouds/tests/test_aws.py (+3/-3)
uaclient/clouds/tests/test_azure.py (+6/-6)
uaclient/clouds/tests/test_gcp.py (+9/-7)
uaclient/clouds/tests/test_identity.py (+9/-9)
uaclient/config.py (+56/-257)
uaclient/conftest.py (+30/-9)
uaclient/contract.py (+209/-34)
uaclient/contract_data_types.py (+312/-0)
uaclient/daemon.py (+8/-8)
uaclient/data_types.py (+63/-8)
uaclient/defaults.py (+11/-2)
uaclient/entitlements/__init__.py (+45/-0)
uaclient/entitlements/base.py (+58/-36)
uaclient/entitlements/cc.py (+15/-6)
uaclient/entitlements/cis.py (+3/-2)
uaclient/entitlements/entitlement_status.py (+4/-3)
uaclient/entitlements/esm.py (+36/-12)
uaclient/entitlements/fips.py (+37/-25)
uaclient/entitlements/livepatch.py (+33/-23)
uaclient/entitlements/realtime.py (+16/-8)
uaclient/entitlements/repo.py (+46/-23)
uaclient/entitlements/ros.py (+0/-1)
uaclient/entitlements/tests/conftest.py (+18/-6)
uaclient/entitlements/tests/test_base.py (+49/-14)
uaclient/entitlements/tests/test_cc.py (+30/-18)
uaclient/entitlements/tests/test_cis.py (+5/-4)
uaclient/entitlements/tests/test_esm.py (+32/-37)
uaclient/entitlements/tests/test_fips.py (+68/-48)
uaclient/entitlements/tests/test_livepatch.py (+243/-124)
uaclient/entitlements/tests/test_repo.py (+72/-32)
uaclient/event_logger.py (+8/-16)
uaclient/exceptions.py (+82/-29)
uaclient/files.py (+433/-0)
uaclient/jobs/eol_status.py (+13/-0)
uaclient/jobs/tests/__init__.py (+0/-0)
uaclient/jobs/tests/test_update_messaging.py (+111/-136)
uaclient/jobs/update_messaging.py (+102/-85)
uaclient/lock.py (+2/-2)
uaclient/messages.py (+234/-84)
uaclient/security.py (+66/-31)
uaclient/security_status.py (+498/-74)
uaclient/serviceclient.py (+16/-5)
uaclient/snap.py (+7/-7)
uaclient/status.py (+74/-41)
uaclient/system.py (+479/-0)
uaclient/tests/test_apt.py (+134/-70)
uaclient/tests/test_cli.py (+122/-28)
uaclient/tests/test_cli_api.py (+64/-0)
uaclient/tests/test_cli_attach.py (+30/-26)
uaclient/tests/test_cli_auto_attach.py (+26/-117)
uaclient/tests/test_cli_collect_logs.py (+39/-54)
uaclient/tests/test_cli_config_set.py (+20/-9)
uaclient/tests/test_cli_config_show.py (+24/-10)
uaclient/tests/test_cli_config_unset.py (+18/-7)
uaclient/tests/test_cli_detach.py (+7/-8)
uaclient/tests/test_cli_disable.py (+42/-26)
uaclient/tests/test_cli_enable.py (+38/-17)
uaclient/tests/test_cli_fix.py (+8/-4)
uaclient/tests/test_cli_refresh.py (+17/-14)
uaclient/tests/test_cli_security_status.py (+70/-33)
uaclient/tests/test_cli_status.py (+184/-98)
uaclient/tests/test_config.py (+201/-192)
uaclient/tests/test_contract.py (+457/-22)
uaclient/tests/test_daemon.py (+10/-10)
uaclient/tests/test_data_types.py (+296/-1)
uaclient/tests/test_eol_status.py (+83/-0)
uaclient/tests/test_event_logger.py (+20/-2)
uaclient/tests/test_files.py (+175/-0)
uaclient/tests/test_gpg.py (+5/-5)
uaclient/tests/test_lib_auto_attach.py (+98/-0)
uaclient/tests/test_lock.py (+2/-2)
uaclient/tests/test_patch_status_json.py (+8/-8)
uaclient/tests/test_reboot_cmds.py (+3/-3)
uaclient/tests/test_security.py (+109/-79)
uaclient/tests/test_security_status.py (+149/-53)
uaclient/tests/test_snap.py (+5/-5)
uaclient/tests/test_status.py (+117/-129)
uaclient/tests/test_system.py (+953/-0)
uaclient/tests/test_ua_timer.py (+3/-1)
uaclient/tests/test_upgrade_lts_contract.py (+6/-1)
uaclient/tests/test_util.py (+29/-795)
uaclient/tests/test_version.py (+70/-2)
uaclient/util.py (+67/-449)
uaclient/version.py (+53/-5)
ubuntu-advantage.1 (+41/-39)

Undecided

Fix Released

Link a bug report

Reviewer	Review Type	Date Requested	Status
Robie Basak	ubuntu-sru	2022-09-12	Approve on 2022-09-21
Paride Legovini (community)		2022-09-12	Approve on 2022-09-15
Review via email: mp+429778@code.launchpad.net

Description of the change

Release 27.11 of ubuntu-advantage-tools.

More information about the changes can be found in the SRU bug:
https://bugs.launchpad.net/ubuntu/+source/ubuntu-advantage-tools/+bug/1989279

Packages built from this branch can be found in the `staging` PPA:
https://launchpad.net/~ua-client/+archive/ubuntu/staging

Revision history for this message

Robie Basak (racb) wrote on 2022-09-14:

Has the namespace grab of /usr/bin/pro been approved by somebody considering the archive side - such as an AA? Notably /usr/bin/ua remains "grabbed". Are we OK to continue to grow a list of short names that will potentially collide with Debian essentially forever?

review: Needs Information

Revision history for this message

Robie Basak (racb) wrote on 2022-09-14:

Somebody also needs to search the archives for anything that might collide with "pro" in PATH please. And another risk that should be noted is that users may have installed "pro" into their PATH either via a local customisation or a third party software source, and this would then collide.

~renanrodrigo/ubuntu/+source/ubuntu-advantage-tools:upload-27.11-kinetic updated on 2022-09-14

9119019... by Grant Orndorff on 2022-09-14: messaging: correct num covered packages

Revision history for this message

Paride Legovini (paride) wrote on 2022-09-15:

Hi, this diff is quite big, I tried to do a commit by commit review to get a sense of the changes, paying more attention to packaging changes and changes in behavior and less attention to changes that do not affect how to package behaves for users (e.g. tests). The gist of it is:

- New features: they look safe to me from a SRU perspective. The code looks good, so I'm +1 for inclusion in the stable releases (provided that the tests pass).

- Bug fixes: LGTM.

- Renaming from ua to pro: it's a bit confusing in some places, for example the service files and "true" filenames of the cli tool and manpage are still `ubuntu-advantage`, but then users are expected to use "pro", and then `ua` still appears here and there. In any case, given that we had to stay backwards compatible, I think you did the best that was possible to do with the rename.

- File name clash: I share Robie's concern on taking the "pro" name. I searched the archive and I don't think we have conflicts at the moment, but this is a "forever" thing. We should at least think of a way to free the "ua" name at some point, not straightforward as we want to SRU the same package to all the supported releases, but doable.

- File name clash 2: if a stable release user is using "pro" for a locally installed script/package/alias, the new "pro" command may not work as expected, or their script may stop working. Given how PATH is ordered and that `ua` will still be available this risk should be low.

- Packaging changes: the only notable is handling PUBLIC_MACHINE_TOKEN_FILE in postinst. The logic looks good, I tested a couple of use cases and it worked fine.

Overall +1 from me, ready for the next review step!

review: Approve

~renanrodrigo/ubuntu/+source/ubuntu-advantage-tools:upload-27.11-kinetic updated on 2022-09-16

69ddad0... by Renan Rodrigo on 2022-09-16

jobs: don't run the EOL job

At least temporarily, until we find out if it is feasible or if there is
a better solution.

Signed-off-by: Renan Rodrigo <email address hidden>

e540ca0... by Grant Orndorff on 2022-09-16

status: set contract check timeout lower to let status finish

Revision history for this message

Renan Rodrigo (renanrodrigo) wrote on 2022-09-16:

Paride, thanks for your review! The renaming to `pro` is indeed the task with most changes, mainly in messaging, and further iterations may come in the future. About the file name, we have now the open discussion with AAs to make sure we are doing it without too much risk.

Revision history for this message

Renan Rodrigo (renanrodrigo) wrote on 2022-09-16:

Robie, thanks for the comments as well. As we have been discussing, AAs should sign off in the SRU bug that this change is feasible. Besides that, the SRU bug has also been updated ([Discussion] section) to bring the known risks about the new /usr/bin/pro symlink, and it includes a topic about the expectation to not add more names in the future.

Revision history for this message

Renan Rodrigo (renanrodrigo) wrote on 2022-09-16:

Robie, a new commit has been added disabling the EOL-Check job, as discussed earlier.

Revision history for this message

Robie Basak (racb) wrote on 2022-09-21:

+1 for SRU. I reviewed up to commit 69ddad0, tree 31ab7922fa25bcae9b4954131d592a12ae3261ff.

Review comments:

Łukasz has signed off on the use of /usr/bin/pro, and Steve has indicated his agreement that it's OK privately. Risk and mitigations have been discussed in the SRU information in the bug. So +1 to proceed on that.

> - "From Ubuntu 20.04 and onwards 'ua enable cis' has been",
> - "replaced by 'ua enable usg'. See more information at:",
> + "From Ubuntu 20.04 and onwards 'pro enable cis' has been",
> + "replaced by 'pro enable usg'. See more information at:",

[a passing comment; not within the scope of my SRU review] Isn't this going to be confusing for a user who invokes "ua enable cis"?

[Already addressed] Commit 8a5091e introduces an entry in sources.list even if a user has not opted-in. This will cause an automated "apt-get update" to start failing for users who operate production services isolated from direct access to our public apt sources. On further discussion, apparently running the postinst after Bionic reaches standard support will do this as well, on the version of ubuntu-advantage-tools already in the archive. I understand this functionality has been disabled, but the existing code that will activate this behaviour in the postinst when Bionic reaches ESM remains. With the functionality disabled, this SRU is not touching the bug, and there's no requirement to block this SRU to fix a bug introduced in a previous SRU, so this is OK for now. However it does need fixing in a future SRU so I filed bug 1990378 to track that.

[Continue if you think it's OK; no need for re-review] Commit 767dfdc: maybe overreaching a little with all timers rather than just ua-tools ones? Are all files being sent definitely bounded in size (via logrotate or equivalent?) Otherwise free disk space might become an issue. Maybe apport itself has that issue too, but no reason to double it.

[Not a blocker for SRU] Commit bd095d4: IMHO, it's preferable to guard all upgrade path code with a test against the version being upgraded from. By doing this from the beginning, it's less risky to remove it in the future. One can simply confirm that no supported users remain on the old version because the guard ensures that newer users are not relying on its behaviour. Easier future cleanup helps minimise complexity in upgrade path code.

+1 for SRU. I reviewed up to commit 69ddad0, tree 31ab7922fa25bcae9b4954131d592a12ae3261ff.

Review comments:

> -                "From Ubuntu 20.04 and onwards 'ua enable cis' has been",
> -                "replaced by 'ua enable usg'. See more information at:",
> +                "From Ubuntu 20.04 and onwards 'pro enable cis' has been",
> +                "replaced by 'pro enable usg'. See more information at:",

[a passing comment; not within the scope of my SRU review] Isn't this going to be confusing for a user who invokes "ua enable cis"?

review: Approve (ubuntu-sru)

Revision history for this message

Renan Rodrigo (renanrodrigo) wrote on 2022-09-21:

About the CIS comment, the same would happen to help or CLI hints. We discussed that with Lech and got response that it is fine to have `pro` in the text, as it is the preferred name, even if the user calls `ua`. `ua` should be there just for the backwards compatibility, so people don't need to rush changing scripts and such.

Thanks for filing the APT/ESM bug!

About the logs:
- we do logrotate our logs
- the timers list won't add that much to the tarball size
I'm adding a task to revisit this in the future, but so far we think this is ok.

For the postinst change, we added the integration test for the expected controlled situation where the file would not exist - showing the buggy output, then reconfiguring, and seeing the correct output - and we can't really expect people to not be in old versions... This code will, unfortunately, be there until Jammy goes EOL :/

Revision history for this message

Robie Basak (racb) wrote on 2022-09-26:

On Wed, Sep 21, 2022 at 01:41:04PM -0000, Renan Rodrigo wrote:
> About the CIS comment, the same would happen to help or CLI hints. We discussed that with Lech and got response that it is fine to have `pro` in the text, as it is the preferred name, even if the user calls `ua`. `ua` should be there just for the backwards compatibility, so people don't need to rush changing scripts and such.

Sure - entirely up to you and Lech as to what's acceptable to you.

> About the logs:
> - we do logrotate our logs
> - the timers list won't add that much to the tarball size
> I'm adding a task to revisit this in the future, but so far we think this is ok.

Some users might see this as outside the scope of debugging ua-tools
though, and therefore a privacy leak. It's a really minor thing but one
that erodes trust. I think the boundary of what is gathered should be
limited to what can be justified as actually needed.

> For the postinst change, we added the integration test for the expected controlled situation where the file would not exist - showing the buggy output, then reconfiguring, and seeing the correct output - and we can't really expect people to not be in old versions... This code will, unfortunately, be there until Jammy goes EOL :/

Sure, but my point is that by that time nobody will remember the
details; it's easier to remove legacy upgrade path code if the code
itself is very obviously gated on an upgrade from an (at the time)
obsolete version. That saves developers at that time from having the
spend the time to ensure that removal won't have any side effect.

Revision history for this message

Renan Rodrigo (renanrodrigo) wrote on 2022-09-26:

> Some users might see this as outside the scope of debugging ua-tools
> though, and therefore a privacy leak. It's a really minor thing but one
> that erodes trust. I think the boundary of what is gathered should be
> limited to what can be justified as actually needed.

We have a card there to revisit this in the future, and in further releases we can remove what is essentially not needed.

> Sure, but my point is that by that time nobody will remember the
> details; it's easier to remove legacy upgrade path code if the code
> itself is very obviously gated on an upgrade from an (at the time)
> obsolete version. That saves developers at that time from having the
> spend the time to ensure that removal won't have any side effect.

To best effort we can add a comment there stating in which version the change happened.

Revision history for this message

Renan Rodrigo (renanrodrigo) wrote on 2022-09-27:

This has been merged with a commit matching the same as HEAD from this changeset

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk

The diff has been truncated for viewing.

Subscribers

People subscribed via source and target branches

to all changes:

Renan Rodrigo

git-ubuntu developers

to status/vote changes:

Terrence Bobryk-Ozaki

 diff --git a/.github/workflows/ci-integration.yaml b/.github/workflows/ci-integration.yaml
 index 972eeeb..fa698df 100644
 --- a/.github/workflows/ci-integration.yaml
 +++ b/.github/workflows/ci-integration.yaml
@@ -24,10 +24,10 @@ jobs:
      name: Packaging
      needs: check-secrets
      if: ${{ needs.check-secrets.outputs.has-secrets == 'true' }}
--    runs-on: ubuntu-20.04
++    runs-on: ubuntu-22.04
      strategy:
        matrix:
--        release: ['xenial', 'bionic', 'focal', 'jammy']
++        release: ['xenial', 'bionic', 'focal', 'jammy', 'kinetic']
      steps:
        - name: Prepare build tools
          env:
@@ -41,6 +41,9 @@ jobs:
        - name: Git checkout
          uses: actions/checkout@v2
        - name: Build package
++        env:
++          DEBFULLNAME: GitHub CI Auto Builder
++          DEBEMAIL: nobody@nowhere.invalid
          run: |
            gbp dch --ignore-branch --snapshot --distribution=${{ matrix.release }}
            dch --local=~${{ matrix.release }} ""
@@ -69,6 +72,8 @@ jobs:
              platform: awspro
            - release: bionic
              platform: gcppro
++          - release: bionic
++            platform: awspro-fips
      steps:
        - name: Prepare test tools
          run: |
@@ -99,7 +104,7 @@ jobs:
            UACLIENT_BEHAVE_DEBS_PATH: '${{ runner.temp }}'
            UACLIENT_BEHAVE_ARTIFACT_DIR: '${{ runner.temp }}/artifacts/behave-${{ matrix.platform }}-${{ matrix.release }}'
            UACLIENT_BEHAVE_SNAPSHOT_STRATEGY: '1'
--          UACLIENT_BEHAVE_BUILD_PR: '1'
++          UACLIENT_BEHAVE_INSTALL_FROM: 'local'
            UACLIENT_BEHAVE_CONTRACT_TOKEN: '${{ secrets.UACLIENT_BEHAVE_CONTRACT_TOKEN }}'
            UACLIENT_BEHAVE_CONTRACT_TOKEN_STAGING: '${{ secrets.UACLIENT_BEHAVE_CONTRACT_TOKEN_STAGING }}'
            UACLIENT_BEHAVE_CONTRACT_TOKEN_STAGING_EXPIRED: '${{ secrets.UACLIENT_BEHAVE_CONTRACT_TOKEN_STAGING_EXPIRED }}'
 diff --git a/.github/workflows/cla-check.yaml b/.github/workflows/cla-check.yaml
 new file mode 100644
 index 0000000..67923a7
 --- /dev/null
 +++ b/.github/workflows/cla-check.yaml
@@ -0,0 +1,12 @@
++---
++
++name: cla-check
++
++on: [pull_request_target]
++
++jobs:
++  cla-check:
++    runs-on: ubuntu-latest
++    steps:
++      - name: Check if CLA signed
++        uses: canonical/has-signed-canonical-cla@v1
 diff --git a/.readthedocs.yaml b/.readthedocs.yaml
 new file mode 100644
 index 0000000..5090ca0
 --- /dev/null
 +++ b/.readthedocs.yaml
@@ -0,0 +1,14 @@
++version: 2
++
++sphinx:
++   configuration: docs/conf.py
++
++build:
++  os: ubuntu-22.04
++  tools:
++    python: "3.10"
++
++python:
++   install:
++   - requirements: docs-requirements.txt
++   - requirements: requirements.txt
 diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
 index 229cf47..724e330 100644
 --- a/CONTRIBUTING.md
 +++ b/CONTRIBUTING.md
@@ -11,6 +11,8 @@ from the architecture of the project to how you should test any code changes.
  * [How to run the code formatting tools](./dev-docs/howtoguides/code_formatting.md)
  * [How to run the tests](./dev-docs/howtoguides/testing.md)
  * [How to release a new version of UA](./dev-docs/howtoguides/how_to_release_a_new_version_of_ua.md)
++* [How to use the contract staging environment](./dev-docs/howtoguides/use_staging_environment.md)
++* [How to use the magic attach endpoints](./dev-docs/howtoguides/how_to_use_magic_attach_endpoints.md)
  ### Reference
@@ -26,3 +28,7 @@ from the architecture of the project to how you should test any code changes.
  * [Directory layout](./dev-docs/references/directory_layout.md)
  * [Daily Builds](./dev-docs/references/daily_builds.md)
  * [Version String Formatting](./contributing-docs/references/version_string_formatting.md)
++
++### Explanation
++
++* [How auto-attach works](./dev-docs/explanations/how_auto_attach_works.md)
 diff --git a/Makefile b/Makefile
 index d5ca5c8..a08c890 100644
 --- a/Makefile
 +++ b/Makefile
@@ -8,6 +8,7 @@ clean:
  	rm -f *.build *.buildinfo *.changes .coverage *.deb *.dsc *.tar.gz *.tar.xz
  	rm -f azure-*-uaclient-ci-* ec2-uaclient-ci-* gcp-*-uaclient-ci-* lxd-container-*-uaclient-ci-* lxd-virtual-machine-*-uaclient-ci-*
  	rm -rf *.egg-info/ .tox/ .cache/ .mypy_cache/
++	rm -rf docs/build/
  	find . -type f -name '*.pyc' -delete
  	find . -type d -name '*__pycache__' -delete
  	$(MAKE) -C apt-hook clean
 diff --git a/README.md b/README.md
 index ca80474..866f7bd 100644
 --- a/README.md
 +++ b/README.md
@@ -15,7 +15,7 @@
  ![Released Focal Version](https://img.shields.io/ubuntu/v/ubuntu-advantage-tools/focal?label=Focal&logo=ubuntu&logoColor=white)
  ![Released Jammy Version](https://img.shields.io/ubuntu/v/ubuntu-advantage-tools/jammy?label=Jammy&logo=ubuntu&logoColor=white)
--The Ubuntu Advantage (UA) Client is the offical tool to enable Canonical offerings on your
++The Ubuntu Advantage (UA) Client is the official tool to enable Canonical offerings on your
  system.
  UA provides support to view, enable, and disable the following Canonical services:
@@ -23,8 +23,8 @@ UA provides support to view, enable, and disable the following Canonical service
  - [Common Criteria EAL2 Certification Tooling](https://ubuntu.com/security/cc)
  - [CIS Benchmark Audit Tooling](https://ubuntu.com/security/cis)
  - [Ubuntu Security Guide (USG) Tooling](https://ubuntu.com/security/certifications/docs/usg)
--- [Ubuntu Extended Security Maintenance (ESM)](https://ubuntu.com/security/esm)
--- [Robot Operating System (ROS) Extended Security Maintenance](https://ubuntu.com/robotics/ros-esm)
++- [Ubuntu Expanded Security Maintenance (ESM)](https://ubuntu.com/security/esm)
++- [Robot Operating System (ROS) Expanded Security Maintenance](https://ubuntu.com/robotics/ros-esm)
  - [FIPS 140-2 Certified Modules (and optional non-certified patches)](https://ubuntu.com/security/fips)
  - [Livepatch Service](https://ubuntu.com/security/livepatch)
@@ -36,44 +36,45 @@ Furthermore, UA is already installed on every Ubuntu system. Try it out by runni
  ### Tutorials
--* [Getting started with UA](./docs/tutorials/basic_ua_commands.md)
--* [Create a FIPS compliant Ubuntu Docker image](./docs/tutorials/create_a_fips_docker_image.md)
--* [Fixing vulnerabilities by CVE or USN using `ua fix`](./docs/tutorials/ua_fix_scenarios.md)
++* [Getting started with UA](./docs/source/tutorials/basic_ua_commands.md)
++* [Create a FIPS compliant Ubuntu Docker image](./docs/source/tutorials/create_a_fips_docker_image.md)
++* [Fixing vulnerabilities by CVE or USN using `ua fix`](./docs/source/tutorials/ua_fix_scenarios.md)
++* [Create a Custom Ubuntu Pro Cloud Image with FIPS Updates](./docs/source/tutorials/create_a_fips_updates_pro_cloud_image.md)
  ### How To Guides
--* [How to get an UA token and attach to a subscription](./docs/howtoguides/get_token_and_attach.md)
--* [How to Configure Proxies](./docs/howtoguides/configure_proxies.md)
--* [How to Enable Ubuntu Advantage Services in a Dockerfile](./docs/howtoguides/enable_ua_in_dockerfile.md)
--* [How to Create a custom Golden Image based on Ubuntu Pro](./docs/howtoguides/create_pro_golden_image.md)
--* [How to Manually update MOTD and APT messages](./docs/howtoguides/update_motd_messages.md)
--* [How to enable CIS](./docs/howtoguides/enable_cis.md)
--* [How to enable CC EAL](./docs/howtoguides/enable_cc.md)
--* [How to enable ESM Infra](./docs/howtoguides/enable_esm_infra.md)
--* [How to enable FIPS](./docs/howtoguides/enable_fips.md)
--* [How to enable Livepatch](./docs/howtoguides/enable_livepatch.md)
--* [How to configure a timer job](./docs/howtoguides/configuring_timer_jobs.md)
--* [How to attach with a configuration file](./docs/howtoguides/how_to_attach_with_config_file.md)
--* [How to collect UA logs](./docs/howtoguides/how_to_collect_ua_logs.md)
--* [How to Simulate attach operation](./docs/howtoguides/how_to_simulate_attach.md)
--* [How to run ua fix in dry-run mode](./docs/howtoguides/how_to_run_ua_fix_in_dry_run_mode.md)
++* [How to get an UA token and attach to a subscription](./docs/source/howtoguides/get_token_and_attach.md)
++* [How to Configure Proxies](./docs/howtoguides/source/configure_proxies.md)
++* [How to Enable Ubuntu Advantage Services in a Dockerfile](./docs/source/howtoguides/enable_ua_in_dockerfile.md)
++* [How to Create a custom Golden Image based on Ubuntu Pro](./docs/source/howtoguides/create_pro_golden_image.md)
++* [How to Manually update MOTD and APT messages](./docs/source/howtoguides/update_motd_messages.md)
++* [How to enable CIS](./docs/source/howtoguides/enable_cis.md)
++* [How to enable CC EAL](./docs/source/howtoguides/enable_cc.md)
++* [How to enable ESM Infra](./docs/source/howtoguides/enable_esm_infra.md)
++* [How to enable FIPS](./docs/source/howtoguides/enable_fips.md)
++* [How to enable Livepatch](./docs/source/howtoguides/enable_livepatch.md)
++* [How to configure a timer job](./docs/source/howtoguides/configuring_timer_jobs.md)
++* [How to attach with a configuration file](./docs/source/howtoguides/how_to_attach_with_config_file.md)
++* [How to collect UA logs](./docs/source/howtoguides/how_to_collect_ua_logs.md)
++* [How to Simulate attach operation](./docs/source/howtoguides/how_to_simulate_attach.md)
++* [How to run ua fix in dry-run mode](./docs/source/howtoguides/how_to_run_ua_fix_in_dry_run_mode.md)
  ### Reference
--* [Ubuntu Release and Architecture Support Matrix](./docs/references/support_matrix.md)
--* [UA Network Requirements](./docs/references/network_requirements.md)
--* [PPAs with different versions of `ua`](./docs/references/ppas.md)
++* [Ubuntu Release and Architecture Support Matrix](./docs/source/references/support_matrix.md)
++* [UA Network Requirements](./docs/source/references/network_requirements.md)
++* [PPAs with different versions of `ua`](./docs/source/references/ppas.md)
  ### Explanation
--* [What is the daemon for? (And how to disable it)](./docs/explanations/what_is_the_daemon.md)
--* [What is Ubuntu PRO?](./docs/explanations/what_is_ubuntu_pro.md)
--* [What is the ubuntu-advantage-pro package?](./docs/explanations/what_is_the_ubuntu_advantage_pro_package.md)
--* [What are the timer jobs?](./docs/explanations/what_are_the_timer_jobs.md)
--* [What are the UA related MOTD messages?](./docs/explanations/motd_messages.md)
--* [What are the UA related APT messages?](./docs/explanations/apt_messages.md)
--* [How to interpret the security-status command](./docs/explanations/how_to_interpret_the_security_status_command.md)
--* [Why Trusty (14.04) is no longer supported](./docs/explanations/why_trusty_is_no_longer_supported.md)
++* [What is the daemon for? (And how to disable it)](./docs/source/explanations/what_is_the_daemon.md)
++* [What is Ubuntu PRO?](./docs/source/explanations/what_is_ubuntu_pro.md)
++* [What is the ubuntu-advantage-pro package?](./docs/source/explanations/what_is_the_ubuntu_advantage_pro_package.md)
++* [What are the timer jobs?](./docs/source/explanations/what_are_the_timer_jobs.md)
++* [What are the UA related MOTD messages?](./docs/source/explanations/motd_messages.md)
++* [What are the UA related APT messages?](./docs/source/explanations/apt_messages.md)
++* [How to interpret the security-status command](./docs/source/explanations/how_to_interpret_the_security_status_command.md)
++* [Why Trusty (14.04) is no longer supported](./docs/source/explanations/why_trusty_is_no_longer_supported.md)
  ## Project and community
 diff --git a/apport/source_ubuntu-advantage-tools.py b/apport/source_ubuntu-advantage-tools.py
 new file mode 100644
 index 0000000..193d557
 --- /dev/null
 +++ b/apport/source_ubuntu-advantage-tools.py
@@ -0,0 +1,29 @@
++import os
++import tempfile
++
++from apport.hookutils import attach_file_if_exists
++from uaclient.actions import collect_logs
++from uaclient.config import UAConfig
++
++
++def add_info(report, ui=None):
++    report["LaunchpadPrivate"] = "1"
++    report["LaunchpadSubscribe"] = "ua-client"
++    cfg = UAConfig()
++    with tempfile.TemporaryDirectory() as output_dir:
++        collect_logs(cfg, output_dir)
++        auto_include_log_files = [
++            "cloud-id.txt",
++            "cloud-id.txt-error",
++            "ua-status.json",
++            "ua-status.json-error",
++            "livepatch-status.txt",
++            "livepatch-status.txt-error",
++            os.path.basename(cfg.cfg_path),
++            os.path.basename(cfg.log_file),
++            os.path.basename(cfg.timer_log_file),
++            os.path.basename(cfg.daemon_log_file),
++            os.path.basename(cfg.data_path("jobs-status")),
++        ]
++        for f in auto_include_log_files:
++            attach_file_if_exists(report, os.path.join(output_dir, f), key=f)
 diff --git a/apt-hook/hook.cc b/apt-hook/hook.cc
 index f0589d2..156e1c3 100644
 --- a/apt-hook/hook.cc
 +++ b/apt-hook/hook.cc
@@ -50,7 +50,6 @@
  #define APT_PRE_INVOKE_INFRA_PKGS_TEMPLATE_PATH          "/var/lib/ubuntu-advantage/messages/apt-pre-invoke-packages-infra.tmpl"
  #define APT_PRE_INVOKE_INFRA_PKGS_STATIC_PATH            "/var/lib/ubuntu-advantage/messages/apt-pre-invoke-packages-infra"
  #define APT_PRE_INVOKE_MESSAGE_STATIC_PATH               "/var/lib/ubuntu-advantage/messages/apt-pre-invoke-esm-service-status"
--#define UBUNTU_NO_WARRANTY_STATIC_PATH                   "/var/lib/ubuntu-advantage/messages/ubuntu-no-warranty"
  #define ESM_APPS_PKGS_COUNT_TEMPLATE_VAR "{ESM_APPS_PKG_COUNT}"
@@ -273,15 +272,13 @@ static void process_all_templates(
        APT_PRE_INVOKE_INFRA_PKGS_STATIC_PATH,
        MOTD_INFRA_PKGS_STATIC_PATH,
     };
--   std::array<std::string, 3> apt_static_files = {
++   std::array<std::string, 2> apt_static_files = {
        APT_PRE_INVOKE_APPS_PKGS_STATIC_PATH,
        APT_PRE_INVOKE_INFRA_PKGS_STATIC_PATH,
--      UBUNTU_NO_WARRANTY_STATIC_PATH
     };
--   std::array<std::string, 3> motd_static_files = {
++   std::array<std::string, 2> motd_static_files = {
        MOTD_APPS_PKGS_STATIC_PATH,
        MOTD_INFRA_PKGS_STATIC_PATH,
--      UBUNTU_NO_WARRANTY_STATIC_PATH
     };
     std::vector<std::string> template_file_names;
@@ -315,7 +312,6 @@ static void process_all_templates(
     for (uint i = 0; i < apt_static_files.size(); i++) {
         std::ifstream message_file(apt_static_files[i]);
         if (message_file.is_open()) {
--           apt_pre_invoke_msg << std::endl;
             apt_pre_invoke_msg << message_file.rdbuf();
             message_file.close();
         };
 diff --git a/apt-hook/json-hook.cc b/apt-hook/json-hook.cc
 index 20946e5..0efaa81 100644
 --- a/apt-hook/json-hook.cc
 +++ b/apt-hook/json-hook.cc
@@ -147,7 +147,6 @@ bool count_security_packages_from_apt_stats_json(json_object *stats, security_pa
  std::string create_count_message(security_package_counts &counts) {
      std::vector<std::string> count_msgs;
--    bool wrote_security = false;
      if (counts.standard + counts.esm_infra + counts.esm_apps == 0) {
          return "";
@@ -155,32 +154,24 @@ std::string create_count_message(security_package_counts &counts) {
      if (counts.standard > 0) {
          std::stringstream ss;
--        ss << counts.standard << " standard security update";
++        ss << counts.standard << " standard LTS security update";
          if (counts.standard != 1) {
              ss << "s";
+         }
          count_msgs.push_back(ss.str());
--        wrote_security = true;
+     }
      if (counts.esm_infra > 0) {
          std::stringstream ss;
--        ss << counts.esm_infra << " esm-infra ";
--        if (!wrote_security) {
--            ss << "security ";
--        }
++        ss << counts.esm_infra << " esm-infra security ";
          ss << "update";
          if (counts.esm_infra != 1) {
              ss << "s";
+         }
          count_msgs.push_back(ss.str());
--        wrote_security = true;
+     }
      if (counts.esm_apps > 0) {
          std::stringstream ss;
--        ss << counts.esm_apps << " esm-apps ";
--        if (!wrote_security) {
--            ss << "security ";
--        }
++        ss << counts.esm_apps << " esm-apps security ";
          ss << "update";
          if (counts.esm_apps != 1) {
              ss << "s";
 diff --git a/apt-hook/json-hook.test.cc b/apt-hook/json-hook.test.cc
 index 8df9738..eeeca37 100644
 --- a/apt-hook/json-hook.test.cc
 +++ b/apt-hook/json-hook.test.cc
@@ -21,29 +21,29 @@ BOOST_AUTO_TEST_CASE(Test1) { count_message_test(0, 0, 0, ""); }
  BOOST_AUTO_TEST_CASE(Test2) { count_message_test(0, 0, 1, "1 esm-apps security update"); }
  BOOST_AUTO_TEST_CASE(Test3) { count_message_test(0, 0, 2, "2 esm-apps security updates"); }
  BOOST_AUTO_TEST_CASE(Test4) { count_message_test(0, 1, 0, "1 esm-infra security update"); }
--BOOST_AUTO_TEST_CASE(Test5) { count_message_test(0, 1, 1, "1 esm-infra security update and 1 esm-apps update"); }
--BOOST_AUTO_TEST_CASE(Test6) { count_message_test(0, 1, 2, "1 esm-infra security update and 2 esm-apps updates"); }
++BOOST_AUTO_TEST_CASE(Test5) { count_message_test(0, 1, 1, "1 esm-infra security update and 1 esm-apps security update"); }
++BOOST_AUTO_TEST_CASE(Test6) { count_message_test(0, 1, 2, "1 esm-infra security update and 2 esm-apps security updates"); }
  BOOST_AUTO_TEST_CASE(Test7) { count_message_test(0, 2, 0, "2 esm-infra security updates"); }
--BOOST_AUTO_TEST_CASE(Test8) { count_message_test(0, 2, 1, "2 esm-infra security updates and 1 esm-apps update"); }
--BOOST_AUTO_TEST_CASE(Test9) { count_message_test(0, 2, 2, "2 esm-infra security updates and 2 esm-apps updates"); }
--BOOST_AUTO_TEST_CASE(Test10) { count_message_test(1, 0, 0, "1 standard security update"); }
--BOOST_AUTO_TEST_CASE(Test11) { count_message_test(1, 0, 1, "1 standard security update and 1 esm-apps update"); }
--BOOST_AUTO_TEST_CASE(Test12) { count_message_test(1, 0, 2, "1 standard security update and 2 esm-apps updates"); }
--BOOST_AUTO_TEST_CASE(Test13) { count_message_test(1, 1, 0, "1 standard security update and 1 esm-infra update"); }
--BOOST_AUTO_TEST_CASE(Test14) { count_message_test(1, 1, 1, "1 standard security update, 1 esm-infra update and 1 esm-apps update"); }
--BOOST_AUTO_TEST_CASE(Test15) { count_message_test(1, 1, 2, "1 standard security update, 1 esm-infra update and 2 esm-apps updates"); }
--BOOST_AUTO_TEST_CASE(Test16) { count_message_test(1, 2, 0, "1 standard security update and 2 esm-infra updates"); }
--BOOST_AUTO_TEST_CASE(Test17) { count_message_test(1, 2, 1, "1 standard security update, 2 esm-infra updates and 1 esm-apps update"); }
--BOOST_AUTO_TEST_CASE(Test18) { count_message_test(1, 2, 2, "1 standard security update, 2 esm-infra updates and 2 esm-apps updates"); }
--BOOST_AUTO_TEST_CASE(Test19) { count_message_test(2, 0, 0, "2 standard security updates"); }
--BOOST_AUTO_TEST_CASE(Test20) { count_message_test(2, 0, 1, "2 standard security updates and 1 esm-apps update"); }
--BOOST_AUTO_TEST_CASE(Test21) { count_message_test(2, 0, 2, "2 standard security updates and 2 esm-apps updates"); }
--BOOST_AUTO_TEST_CASE(Test22) { count_message_test(2, 1, 0, "2 standard security updates and 1 esm-infra update"); }
--BOOST_AUTO_TEST_CASE(Test23) { count_message_test(2, 1, 1, "2 standard security updates, 1 esm-infra update and 1 esm-apps update"); }
--BOOST_AUTO_TEST_CASE(Test24) { count_message_test(2, 1, 2, "2 standard security updates, 1 esm-infra update and 2 esm-apps updates"); }
--BOOST_AUTO_TEST_CASE(Test25) { count_message_test(2, 2, 0, "2 standard security updates and 2 esm-infra updates"); }
--BOOST_AUTO_TEST_CASE(Test26) { count_message_test(2, 2, 1, "2 standard security updates, 2 esm-infra updates and 1 esm-apps update"); }
--BOOST_AUTO_TEST_CASE(Test27) { count_message_test(2, 2, 2, "2 standard security updates, 2 esm-infra updates and 2 esm-apps updates"); }
++BOOST_AUTO_TEST_CASE(Test8) { count_message_test(0, 2, 1, "2 esm-infra security updates and 1 esm-apps security update"); }
++BOOST_AUTO_TEST_CASE(Test9) { count_message_test(0, 2, 2, "2 esm-infra security updates and 2 esm-apps security updates"); }
++BOOST_AUTO_TEST_CASE(Test10) { count_message_test(1, 0, 0, "1 standard LTS security update"); }
++BOOST_AUTO_TEST_CASE(Test11) { count_message_test(1, 0, 1, "1 standard LTS security update and 1 esm-apps security update"); }
++BOOST_AUTO_TEST_CASE(Test12) { count_message_test(1, 0, 2, "1 standard LTS security update and 2 esm-apps security updates"); }
++BOOST_AUTO_TEST_CASE(Test13) { count_message_test(1, 1, 0, "1 standard LTS security update and 1 esm-infra security update"); }
++BOOST_AUTO_TEST_CASE(Test14) { count_message_test(1, 1, 1, "1 standard LTS security update, 1 esm-infra security update and 1 esm-apps security update"); }
++BOOST_AUTO_TEST_CASE(Test15) { count_message_test(1, 1, 2, "1 standard LTS security update, 1 esm-infra security update and 2 esm-apps security updates"); }
++BOOST_AUTO_TEST_CASE(Test16) { count_message_test(1, 2, 0, "1 standard LTS security update and 2 esm-infra security updates"); }
++BOOST_AUTO_TEST_CASE(Test17) { count_message_test(1, 2, 1, "1 standard LTS security update, 2 esm-infra security updates and 1 esm-apps security update"); }
++BOOST_AUTO_TEST_CASE(Test18) { count_message_test(1, 2, 2, "1 standard LTS security update, 2 esm-infra security updates and 2 esm-apps security updates"); }
++BOOST_AUTO_TEST_CASE(Test19) { count_message_test(2, 0, 0, "2 standard LTS security updates"); }
++BOOST_AUTO_TEST_CASE(Test20) { count_message_test(2, 0, 1, "2 standard LTS security updates and 1 esm-apps security update"); }
++BOOST_AUTO_TEST_CASE(Test21) { count_message_test(2, 0, 2, "2 standard LTS security updates and 2 esm-apps security updates"); }
++BOOST_AUTO_TEST_CASE(Test22) { count_message_test(2, 1, 0, "2 standard LTS security updates and 1 esm-infra security update"); }
++BOOST_AUTO_TEST_CASE(Test23) { count_message_test(2, 1, 1, "2 standard LTS security updates, 1 esm-infra security update and 1 esm-apps security update"); }
++BOOST_AUTO_TEST_CASE(Test24) { count_message_test(2, 1, 2, "2 standard LTS security updates, 1 esm-infra security update and 2 esm-apps security updates"); }
++BOOST_AUTO_TEST_CASE(Test25) { count_message_test(2, 2, 0, "2 standard LTS security updates and 2 esm-infra security updates"); }
++BOOST_AUTO_TEST_CASE(Test26) { count_message_test(2, 2, 1, "2 standard LTS security updates, 2 esm-infra security updates and 1 esm-apps security update"); }
++BOOST_AUTO_TEST_CASE(Test27) { count_message_test(2, 2, 2, "2 standard LTS security updates, 2 esm-infra security updates and 2 esm-apps security updates"); }
  BOOST_AUTO_TEST_SUITE_END()
 diff --git a/debian/changelog b/debian/changelog
 index 99e1d33..0d85b03 100644
 --- a/debian/changelog
 +++ b/debian/changelog
@@ -1,3 +1,63 @@
++ubuntu-advantage-tools (27.11~22.10.1) kinetic; urgency=medium
++
++  * d/control:
++    - Update VCS references
++  * d/links:
++    - add usr/bin/pro as an alias to ubuntu-advantage
++  * d/postinst:
++    - include root_mode parameter when creating UAConfig instances
++    - change calls to add_notice to notice_file.add
++    - create public machine-token file if it does not exist
++  * New upstream release 27.11 (LP: #1989279)
++    - api:
++      + new `pro api` command to access the public client API
++      + 'version' endpoint returning version information
++      + 'should auto attach' endpoint informing if a system should run
++        auto-attach on startup
++      + 'full auto attach' endpoint performing auto-attach
++      + 'magic attach' endpoints for the Magic Attach flow
++    - auto-attach:
++      + better errors for invalid pro images (GH: #2180, #1833)
++      + don't detach on already auto-attached instances
++      + no-op when ubuntu-advantage information is present on cloud-init
++        userdata
++      + change systemd unit to run after cloud-config
++    - cli:
++      + cli: better error message on unrecognized flags (GH: #672)
++    - collect-logs:
++      + can now be executed as a non-root user
++      + is executed automatically and result is appended when using apport to
++        report a bug
++    - docs: now formatted to be built with sphinx, and published in readthedocs
++    - enable:
++      + new access-only flag for usecases where auto-install is undesired
++      + fix apt auth line replacement (LP: #1985863)
++    - esm-apps: generally available as non-beta as part of Ubuntu Pro
++    - fix: check if livepatch has already fixed a CVE before attempting a fix
++    - jobs: new timer job to check if the release reached end of support
++    - pro:
++      + Ubuntu Pro is released as a product
++      + make `pro` the recommended executable for the client
++      + client, apt and motd messages updated/rewritten to show Pro
++        information
++      + base URL changed from /advantage to /pro
++      + ESM services renamed as part of Pro
++    - ros: released as a non-beta entitlement
++    - security-status
++      + does not require the --format flag anymore
++      + human readable output added based on ubuntu-security-status
++      + machine readable output contains CVEs fixed by Livepatch
++      + package counts include all esm-infra and esm-apps repositories
++    - status:
++      + don't show unavailable services by default (GH: #2156, #2159)
++      + expiry date formatted based on timezone (GH: #695)
++      + non-root users get the current status instead of a cached version
++      + --wait flag now working for non-root users
++    - version: warn about new available versions of the client in CLI command
++      output and API calls
++
++ -- Renan Rodrigo <renanrodrigo@canonical.com>  Thu, 08 Sep 2022 18:02:55 -0300
++
  ubuntu-advantage-tools (27.10.1~22.10.1) kinetic; urgency=medium
    * apt-hook: Fix missing import warning when compiling
 diff --git a/debian/control b/debian/control
 index c754ed1..2572d32 100644
 --- a/debian/control
 +++ b/debian/control
@@ -26,8 +26,8 @@ Build-Depends: bash-completion,
                 python3-yaml
  Standards-Version: 4.5.1
  Homepage: https://ubuntu.com/advantage
--Vcs-Git: https://github.com/CanonicalLtd/ubuntu-advantage-script.git
--Vcs-Browser: https://github.com/CanonicalLtd/ubuntu-advantage-script
++Vcs-Git: https://github.com/canonical/ubuntu-advantage-client.git
++Vcs-Browser: https://github.com/canonical/ubuntu-advantage-client
  Rules-Requires-Root: no
  Package: ubuntu-advantage-tools
 diff --git a/debian/ubuntu-advantage-tools.links b/debian/ubuntu-advantage-tools.links
 index 7a4416e..dd31a08 100644
 --- a/debian/ubuntu-advantage-tools.links
 +++ b/debian/ubuntu-advantage-tools.links
@@ -1,2 +1,4 @@
  usr/bin/ubuntu-advantage usr/bin/ua
++usr/bin/ubuntu-advantage usr/bin/pro
  usr/share/man/man1/ubuntu-advantage.1 usr/share/man/man1/ua.1
++usr/share/man/man1/ubuntu-advantage.1 usr/share/man/man1/pro.1
 diff --git a/debian/ubuntu-advantage-tools.postinst b/debian/ubuntu-advantage-tools.postinst
 index 2f26afc..4330448 100644
 --- a/debian/ubuntu-advantage-tools.postinst
 +++ b/debian/ubuntu-advantage-tools.postinst
@@ -54,6 +54,9 @@ SYSTEMD_HELPER_ENABLED_WANTS_LINK="/var/lib/systemd/deb-systemd-helper-enabled/m
  REBOOT_CMD_MARKER_FILE="/var/lib/ubuntu-advantage/marker-reboot-cmds-required"
  OLD_LICENSE_CHECK_MARKER_FILE="/var/lib/ubuntu-advantage/marker-license-check"
++MACHINE_TOKEN_FILE="/var/lib/ubuntu-advantage/private/machine-token.json"
++PUBLIC_MACHINE_TOKEN_FILE="/var/lib/ubuntu-advantage/machine-token.json"
++
  # Rename apt config files for ua services removing ubuntu release names
  redact_ubuntu_release_from_ua_apt_filenames() {
@@ -118,7 +121,7 @@ check_service_is_beta() {
  from uaclient.config import UAConfig
  from uaclient.entitlements import entitlement_factory
  try:
--    cfg = UAConfig()
++    cfg = UAConfig(root_mode=True)
      ent_cls = entitlement_factory(cfg=cfg, name='${service_name}')
      allow_beta = cfg.features.get('allow_beta', False)
      print(all([ent_cls.is_beta, not allow_beta]))
@@ -245,8 +248,8 @@ add_notice() {
      /usr/bin/python3 -c "
  from uaclient.config import UAConfig
  from uaclient.messages import ${msg_name}
--cfg = UAConfig()
--cfg.add_notice(label='', description=${msg_name})
++cfg = UAConfig(root_mode=True)
++cfg.notice_file.add(label='', description=${msg_name})
+ "
+ }
@@ -368,6 +371,19 @@ remove_old_systemd_units() {
      fi
+ }
++create_public_machine_token_file() {
++    # When we perform the write operation through
++    # MachineTokenFile we already write the public
++    # version of the machine-token file with all the
++    # sensitive data removed.
++    /usr/bin/python3 -c "
++from uaclient.files import MachineTokenFile
++machine_token_file = MachineTokenFile()
++content = machine_token_file.read()
++machine_token_file.write(content=content)
++"
++}
++
  case "$1" in
      configure)
        PREVIOUS_PKG_VER=$2
@@ -439,6 +455,13 @@ case "$1" in
        disable_new_timer_if_old_timer_already_disabled $PREVIOUS_PKG_VER
        remove_old_systemd_units $PREVIOUS_PKG_VER
        /usr/lib/ubuntu-advantage/cloud-id-shim.sh || true
++
++      # On old version of ubuntu-advantange-tools, we don't have a public
++      # machine_token.json file on attached machines. Since the non-root
++      # status now needs that file, we need to create it during the upgrade
++      if [ -f $MACHINE_TOKEN_FILE ] && [ ! -f $PUBLIC_MACHINE_TOKEN_FILE ]; then
++          create_public_machine_token_file
++      fi
        ;;
  esac
 diff --git a/dev-docs/explanations/how_auto_attach_works.md b/dev-docs/explanations/how_auto_attach_works.md
 new file mode 100644
 index 0000000..3350c8d
 --- /dev/null
 +++ b/dev-docs/explanations/how_auto_attach_works.md
@@ -0,0 +1,57 @@
++# How auto-attach works
++
++The `pro auto-attach` command follows a specific flow on every **Ubuntu Pro** image:
++
++1. Identify which cloud the command is running on. This is achieved by running
++   the `cloud-id` command provided by the [cloud-init](https://cloudinit.readthedocs.io/en/latest/)
++   package. Currently, we only support the following clouds when
++   running the command: AWS, Azure and GCP. The command will fail if performed on other
++   cloud types.
++
++2. Fetch the cloud metadata. This metadata is a cryptographically signed json blob
++   that provides the necessary information for the contract server to validate
++   the machine and return a valid pro token. To fetch that metadata, every cloud
++   provide a different endpoint to reach it:
++
++   * **AWS**: http://169.254.169.254/latest/dynamic/instance-identity/pkcs7
++   * **Azure**: http://169.254.169.254/metadata/attested/document?api-version=2020-09-01
++   * **GCP**: http://metadata/computeMetadata/v1/instance/service-accounts/default/identity
++
++> **Note**
++> On some instances, like AWS, we can also use the IPv6 address to fetch the metadata
++
++3. Send this metadata json blob to the contract server at:
++
++   * https://contracts.canonical.com/v1/clouds/CLOUD-TYPE/token
++
++   Where CLOUD-TYPE is the cloud name we identified on step 1.
++
++   The contract server will verify if the metadata is signed correctly based on the cloud
++   it is stored. Additionally, some other checks are performed to see if the metadata is valid.
++   For example, the contract server checks the product id provided in the metadata is a
++   valid product. If any problems is found on the metadata, the contract server will produce
++   an error response.
++
++4. After the contract server validates the metadata, it returns a token that will be used
++   to attach the machine to a pro subscription. To attach the machine we will reach the
++   following contract server endpoint:
++
++   * https://contracts.canonical.com/v1/context/machines/token
++
++   We will pass the token provided on step 3 as header bearer token for this request
++
++5. The contract returns a json specification based on the provided token. This json
++   contains all the directives the pro client needs to setup the machine and enable
++   the necessary services the token is associated with.
++
++6. Disable the ubuntu-advantage [daemon](../explanations/what_is_the_daemon.md).
++   If the machine is detached, this daemon will be started again.
++
++Additionally, you can disable the `pro auto-attach` command by adding
++the following lines on your `uaclient.conf` configuration file, (by default located at
++`/etc/ubuntu-advantage/uaclient.conf`):
++
++```bash
++features:
++  disable_auto_attach: true
++```
 diff --git a/dev-docs/howtoguides/how_to_use_magic_attach_endpoints.md b/dev-docs/howtoguides/how_to_use_magic_attach_endpoints.md
 new file mode 100644
 index 0000000..9d30b28
 --- /dev/null
 +++ b/dev-docs/howtoguides/how_to_use_magic_attach_endpoints.md
@@ -0,0 +1,168 @@
++# How to use magic attach API endpoints
++
++> **Notice:**
++> Minimum version: 27.11
++
++Th UA Client provides three distinct endpoints to make it easier to perform
++the magic attach flow. They are:
++
++* u.pro.attach.magic.initiate.v1
++* u.pro.attach.magic.wait.v1
++* u.pro.attach.magic.revoke.v1
++
++We will explain how to use each endpoint and what is the expected output for each of them.
++
++## Initiate endpoint
++
++To start the magic attach flow, we need to create a token for it. The initiate endpoint
++will perform exactly that. When you run:
++
++```console
++$ ua api u.pro.attach.magic.initiate.v1
++```
++
++It is expected for you to see the following json response:
++
++```json
++{
++  "_schema_version": "v1",
++  "data": {
++    "meta": {
++       "environment_vars": []}
++    },
++    "attributes": {
++      "expires": "EXPIRE_DATE",
++      "expires_in": 10000,
++      "token": "MAGIC_ATTACH_TOKEN",
++      "user_code": "USER_CODE"
++    }
++    "type": "MagicAttachInitiate"
++  },
++  "errors": [],
++  "result": "success",
++  "version": "UA CLIENT VERSION",
++  "warnings": []
++}
++```
++
++It is noteworthy here that the `attributes` contain both the `user_code` and `token`. The `user_code`
++is the information that will be presented to the user, which it will make possible for the user
++to validate the magic attach on the advantage portal. Additionally, the `token` information is required
++for the other two API endpoints which will be described next.
++
++
++## Wait endpoint
++
++After we initiate the magic attach procedure, the user must go to the advantage portal and validate
++the `user_code` it received. Once that is done, a ua token will be generated for the user, allowing
++the attach procedure to begin. The wait endpoint will wait for the user to perform all of those
++steps on the advantage portal. To call it, use:
++
++```console
++$ ua api u.pro.attach.magic.wait.v1 --args magic_token=MAGIC_ATTACH_TOKEN
++```
++
++Note here that the command requires the `token` that was generated in the initiate step. This command
++will block and poll the server until there are any updates for that token. If the
++user successfully performed the necessary steps on the advantage portal, we should see the following
++response:
++
++```json
++{
++  "_schema_version": "v1",
++  "data": {
++    "attributes": {
++      "contract_id": "CONTRACT_ID",
++      "contract_token": "CONTRACT_TOKEN",
++      "expires": "EXPIRE_DATE",
++      "expires_in": 10000,
++      "token": "MAGIC_ATTACH_TOKEN",
++      "user_code": "USER_CODE"
++    }
++    "type": "MagicAttachInitiate"
++  },
++  "errors": [],
++  "result": "success",
++  "version": "UA CLIENT VERSION",
++  "warnings": []
++}
++```
++
++The `contract_token` is the token that can be used to perform an attach operation.
++
++If the provided token is invalid or has expired, we will see the following response:
++
++```json
++{
++  "_schema_version": "v1",
++  "data": {
++    "meta": {
++      "environment_vars": []
++    }
++  },
++  "errors": [
++    {
++      "code": "magic-attach-token-error",
++      "meta": {},
++      "title": "The magic attach token is invalid, has expired or never existed"
++    }
++  ],
++  "result": "failure",
++  "version": "UA CLIENT VERSION",
++  "warnings": []
++}
++```
++
++It is expected that the token will be valid for about 10 minutes. Therefore, we expect the wait
++command to keep polling for about that amount of time.
++
++
++## Revoke
++
++If we want to revoke the token created during the initiate call, we can use the revoke command:
++
++```console
++$ ua api u.pro.attach.magic.revoke.v1 --args magic_token=MAGIC_ATTACH_TOKEN
++```
++
++If the token is valid, we should see the following output:
++
++```json
++{
++  "_schema_version": "v1",
++  "data": {
++    "attributes": {},
++    "meta": {
++      "environment_vars": []
++    },
++    "type": "MagicAttachRevoke"
++  },
++  "errors": [],
++  "result": "success",
++  "version": "PRO CLIENT VERSION",
++  "warnings": []
++}
++```
++
++However, if the token is already expired or even invalid, we will see the following output:
++
++```json
++{
++  "_schema_version": "v1",
++  "data": {
++    "meta": {
++      "environment_vars": []
++    }
++  },
++  "errors": [
++    {
++      "code": "magic-attach-token-error",
++      "meta": {},
++      "title": "The magic attach token is invalid, has expired or never existed"
++    }
++  ],
++  "result": "failure",
++  "version": "PRO CLIENT VERSION",
++  "warnings": []
++}
++```
 diff --git a/dev-docs/howtoguides/testing.md b/dev-docs/howtoguides/testing.md
 index 78791e6..d7c3cf3 100644
 --- a/dev-docs/howtoguides/testing.md
 +++ b/dev-docs/howtoguides/testing.md
@@ -38,10 +38,18 @@ By default, integration tests will do the following on a given cloud platform:
   * Install the appropriate ubuntu-advantage-tools and ubuntu-advantage-pro deb
   * Run the integration tests on that instance.
--The testing can be overridden to run using a local copy of the ubuntu-advantage-client source code instead of the daily PPA by providing the following environment variable to the behave test runner:
--```UACLIENT_BEHAVE_BUILD_PR=1```
++The testing can be overridden to install ubuntu-advantage-tools from other sources instead of the daily PPA by providing `UACLIENT_BEHAVE_INSTALL_FROM` to the behave test runner. The default is `UACLIENT_BEHAVE_INSTALL_FROM=daily`, and the other available options are:
--> Note that, by default, we cache the source even when `UACLIENT_BEHAVE_BUILD_PR=1`. This means that if you change the python code locally and want to run the behave tests against your new version, you need to either delete the cache (`rm /tmp/uaclient_behave`) or also set `UACLIENT_BEHAVE_CACHE_SOURCE=0`.
++- `staging`: install from the [staging PPA](https://code.launchpad.net/~ua-client/+archive/ubuntu/staging)
++- `stable`: install from the [stable PPA](https://code.launchpad.net/~ua-client/+archive/ubuntu/stable)
++- `archive`: install the latest version available in the archive, not adding any PPA
++- `proposed`: install the package from the -proposed pocket - specially useful for SRU testing (see [the release guide](how_to_release_a_new_version_of_ua.md))
++- `custom`: install from a custom provided PPA. If set, then two other variables need to be set: `UACLIENT_BEHAVE_CUSTOM_PPA=<PPA URL>` and `UACLIENT_BEHAVE_CUSTOM_PPA_KEYID=<signing key for the PPA>`.
++- `local`: install from a local copy of the ubuntu-advantage-client source code
++
++`local` is particularly useful, as it runs the suite against the local code, thus including and validating the latest changes made. It is advised to run any related integration tests against local code changes before pushing them to be reviewed.
++
++> Note that we cache the source when running with `UACLIENT_BEHAVE_INSTALL_FROM=local` based on a hash, calculated from the repository state. If you change the python code locally and run the behave tests against your new version, there will be new debs in the cache source with the new repo state hash.
  To run the tests, you can use `tox`:
@@ -59,8 +67,8 @@ tox -e behave-lxd-20.04 features/unattached_commands.feature:55
  As can be seen, this will run behave tests only for release 20.04 (Focal Fossa). We are currently
  supporting 5 distinct releases:
++* 21.10 (Kinetic Kudu)
  * 22.04 (Jammy Jellyfish)
--* 21.10 (Impish Indri)
  * 20.04 (Focal Fossa)
  * 18.04 (Bionic Beaver)
  * 16.04 (Xenial Xerus)
 diff --git a/dev-docs/howtoguides/use_staging_environment.md b/dev-docs/howtoguides/use_staging_environment.md
 new file mode 100644
 index 0000000..b616fce
 --- /dev/null
 +++ b/dev-docs/howtoguides/use_staging_environment.md
@@ -0,0 +1,13 @@
++# Use the contracts staging environment
++
++You can change the contract server that the Pro Client will use by setting the
++following option in your `uaclient.conf` configuration file, (by default located at
++`/etc/ubuntu-advantage/uaclient.conf`).
++
++```yaml
++contract_url: https://contracts.staging.canonical.com
++```
++
++> **Note**
++> You might be using a local `uaclient.conf` file when running the pro client.
++> If that is the case, remember to change that file instead.
 diff --git a/dev-docs/references/directory_layout.md b/dev-docs/references/directory_layout.md
 index 4978673..69c9ee7 100644
 --- a/dev-docs/references/directory_layout.md
 +++ b/dev-docs/references/directory_layout.md
@@ -17,4 +17,15 @@ The following describes the intent of UA client related directories:
  | ./apt-conf.d/ | apt config files delivered to /etc/apt/apt-conf.d to automatically allow unattended upgrades of ESM security-related components. If apt proxy settings are configured, an additional apt config file will be placed here to configure the apt proxy. |
  | /etc/ubuntu-advantage/uaclient.conf | Configuration file for the UA client.|
  | /var/lib/ubuntu-advantage/private | `root` read-only directory containing Contract API responses, machine-tokens and service credentials |
++| /var/lib/ubuntu-advantage/machine-token.json | `world` readable file containing redacted Contract API responses, machine-tokens and service credentials |
  | /var/log/ubuntu-advantage.log | `root` read-only log of ubuntu-advantage operations |
++
++## Note
++
++We have two `machine-token.json` files, located at:
++- /var/lib/ubuntu-advantage/private/machine-token.json
++- /var/lib/ubuntu-advantage/machine-token.json
++
++The first file, located in the `private` directory, is root read-only. We have another world readable file in the `/var/lib/ubuntu-advantage` directory.
++
++The latter is currently being used when calling the `pro status` command as a non-root user. This file is redacted to remove any sensitive user data.
 diff --git a/dev-docs/references/what_happens_during_attach.md b/dev-docs/references/what_happens_during_attach.md
 index 232e033..ceb5221 100644
 --- a/dev-docs/references/what_happens_during_attach.md
 +++ b/dev-docs/references/what_happens_during_attach.md
@@ -9,6 +9,7 @@ After running the command `ua attach TOKEN`, UA will perform the following steps
    token, service credentials, affordances, directives and obligations to allow
    enabling and disabling Ubuntu Advantage services
  * UA client writes the machine token API response to the root-readonly
--  /var/lib/ubuntu-advantage/private/machine-token.json
++  /var/lib/ubuntu-advantage/private/machine-token.json and a version with secrets redacted to the world-readable
++  file /var/lib/ubuntu-advantage/machine-token.json.
  * UA client auto-enables any services defined with
    `obligations:{enableByDefault: true}`
 diff --git a/docs-requirements.txt b/docs-requirements.txt
 new file mode 100644
 index 0000000..b2a85a8
 --- /dev/null
 +++ b/docs-requirements.txt
@@ -0,0 +1,4 @@
++sphinx==5.1.1
++m2r2
++myst-parser
++sphinx_rtd_theme
 diff --git a/docs/README.md b/docs/README.md
 new file mode 100644
 index 0000000..ccdc9e2
 --- /dev/null
 +++ b/docs/README.md
@@ -0,0 +1,11 @@
++# How to generate Ubuntu Advantage user documentation
++
++To build the docs for Ubuntu Advantage, you can use a dedicated `tox` command for it.
++You can install `tox` on your machine by running the `make test` command. Once tox is
++installed just run the command:
++
++```console
++$ tox -e docs
++```
++
++The command will generate the html pages inside `docs/build`
 diff --git a/docs/conf.py b/docs/conf.py
 new file mode 100644
 index 0000000..d90095e
 --- /dev/null
 +++ b/docs/conf.py
@@ -0,0 +1,52 @@
++# Configuration file for the Sphinx documentation builder.
++#
++# This file only contains a selection of the most common options. For a full
++# list see the documentation:
++# https://www.sphinx-doc.org/en/master/usage/configuration.html
++
++# -- Path setup --------------------------------------------------------------
++
++# If extensions (or modules to document with autodoc) are in another directory,
++# add these directories to sys.path here. If the directory is relative to the
++# documentation root, use os.path.abspath to make it absolute, like shown here.
++#
++# import os
++# import sys
++# sys.path.insert(0, os.path.abspath('.'))
++
++
++# -- Project information -----------------------------------------------------
++
++project = "Ubuntu Advantage Client"
++copyright = "2022, Canonical Ltd."
++
++
++# -- General configuration ---------------------------------------------------
++
++# Add any Sphinx extension module names here, as strings. They can be
++# extensions coming with Sphinx (named 'sphinx.ext.*') or your custom
++# ones.
++extensions = [
++    "myst_parser",
++]
++
++# Add any paths that contain templates here, relative to this directory.
++templates_path = ["_templates"]
++
++# List of patterns, relative to source directory, that match files and
++# directories to ignore when looking for source files.
++# This pattern also affects html_static_path and html_extra_path.
++exclude_patterns = []
++
++
++# -- Options for HTML output -------------------------------------------------
++
++# The theme to use for HTML and HTML Help pages.  See the documentation for
++# a list of builtin themes.
++#
++html_theme = "sphinx_rtd_theme"
++
++# Add any paths that contain custom static files (such as style sheets) here,
++# relative to this directory. They are copied after the builtin static files,
++# so a file named "default.css" will overwrite the builtin "default.css".
++html_static_path = ["_static"]
 diff --git a/docs/explanations/apt_messages.md b/docs/explanations/apt_messages.md
 index 04ff1f1..dc9a0b8 100644
 --- a/docs/explanations/apt_messages.md
 +++ b/docs/explanations/apt_messages.md
@@ -17,22 +17,17 @@ where we deliver those messages are:
    The following package was automatically installed and is no longer required:
      libfreetype6
      Use 'apt autoremove' to remove it.
--
--     *The following packages could receive security updates with UA Infra: ESM service enabled:
--       libpam0g libpam-modules openssl ntfs-3g git-man libsystemd0 squashfs-tools git
--       openssh-sftp-server udev libpam-runtime isc-dhcp-common libx11-6 libudev1 apport
--       python3-apport systemd-sysv liblz4-1 libpam-systemd systemd libpam-modules-bin openssh-server
--       libx11-data openssh-client libxml2 curl isc-dhcp-client python3-problem-report
--       libcurl3-gnutls libssl1.0.0
--       Learn more about UA Infra: ESM service for Ubuntu 16.04 at https://ubuntu.com/16-04
++  The following security updates require Ubuntu Pro with 'esm-infra' enabled:
++    libpam0g libpam-modules openssl ntfs-3g git-man libsystemd0 squashfs-tools git openssh-sftp-server udev libpam-runtime isc-dhcp-common libx11-6 libudev1 apport python3-apport systemd-sysv liblz4-1 libpam-systemd systemd libpam-modules-bin openssh-server libx11-data openssh-client libxml2 curl isc-dhcp-client python3-problem-report libcurl3-gnutls libssl1.0.0
++  Learn more about Ubuntu Pro for 16.04 at https://ubuntu.com/16-04
    ```
    Note that the ESM message is located in the middle of the `apt-get` command output. Additionally,
    if there are no packages to upgrade at the moment, we would instead deliver:
    ```
--  Enable UA Infra: ESM to receive additional future security updates.
--  See https://ubuntu.com/16-04 or run: sudo ua status
++  Receive additional future security updates with Ubuntu Pro.
++  Learn more about Ubuntu Pro for 16.04 at https://ubuntu.com/16-04
    ```
    > **Note**
@@ -42,46 +37,41 @@ where we deliver those messages are:
    we deliver a package count related to each service near the end of the `apt-get` command:
    ```
--  1 standard security update, 29 esm-infra updates and 8 esm-apps updates
++  1 standard LTS security update, 29 esm-infra security updates and 8 esm-apps security updates
    ```
    We only deliver that message if the service is enabled and we did upgrade packages related
    to it. For example, if we had no `esm-infra` package upgrades, the message would be:
    ```
--  1 standard security updates and 8 esm-apps updates
++  1 standard LTS security update and 8 esm-apps security updates
    ```
  * **expired contract**: If we detect that your contract is expired, we will deliver the following
    message advertising `esm-infra` in the middle of the `apt` command:
    ```
--  *Your UA Infra: ESM subscription has EXPIRED*
--  Enabling UA Infra: ESM service would provide security updates for following packages:
--    libpam0g libpam-modules openssl ntfs-3g git-man libsystemd0 squashfs-tools git
--    openssh-sftp-server udev libpam-runtime isc-dhcp-common libx11-6 libudev1 apport python3-apport
--    systemd-sysv liblz4-1 libpam-systemd systemd libpam-modules-bin openssh-server libx11-data
--    openssh-client libxml2 curl isc-dhcp-client python3-problem-report libcurl3-gnutls libssl1.0.0
--    30 esm-infra security update(s) NOT APPLIED. Renew your UA services at
--    https://ubuntu.com/advantage
++  *Your Ubuntu Pro subscription has EXPIRED*
++  The following security updates require Ubuntu Pro with 'esm-infra' enabled:
++    libpam0g libpam-modules openssl ntfs-3g git-man libsystemd0 squashfs-tools git openssh-sftp-server udev libpam-runtime isc-dhcp-common libx11-6 libudev1 apport python3-apport systemd-sysv liblz4-1 libpam-systemd systemd libpam-modules-bin openssh-server libx11-data openssh-client libxml2 curl isc-dhcp-client python3-problem-report libcurl3-gnutls libssl1.0.0
++  Renew your service at https://ubuntu.com/pro
    ```
    Note that if we don't have any package to upgrade related to `esm-infra`, we would deliver instead
    the message:
    ```
--  *Your UA Infra: ESM subscription has EXPIRED*
--  Enable UA Infra: ESM to receive additional future security updates.
--  See https://ubuntu.com/advantage or run: sudo ua status
++  *Your Ubuntu Pro subscription has EXPIRED*
++  Renew your service at https://ubuntu.com/pro
    ```
  * **contract is about to expire**: Similarly, if we detect that your contract is about to expire,
    we deliver the following message in the middle of the `apt-get` command:
    ```
--  CAUTION: Your UA Infra: ESM service will expire in 14 days.
--  Renew UA subscription at https://ubuntu.com/advantage to ensure
--  continued security coverage for your applications.
++  CAUTION: Your Ubuntu Pro subscription will expire in 2 days.
++  Renew your subscription at https://ubuntu.com/pro to ensure continued security
++  coverage for your applications.
    ```
  * **contract expired, but in grace period**: Additionally, if we detect that the contract is
@@ -89,9 +79,9 @@ where we deliver those messages are:
    of the `apt-get` command:
    ```
--  CAUTION: Your UA Infra: ESM service expired on 10 Sep 2021.
--  Renew UA subscription at https://ubuntu.com/advantage to ensure
--  continued security coverage for your applications.
++  CAUTION: Your Ubuntu Pro subscription expired on 10 Sep 2021.
++  Renew your subscription at https://ubuntu.com/pro to ensure continued security
++  coverage for your applications.
    Your grace period will expire in 8 days.
    ```
 diff --git a/docs/explanations/how_to_interpret_the_security_status_command.md b/docs/explanations/how_to_interpret_the_security_status_command.md
 index 2237245..9fd282d 100644
 --- a/docs/explanations/how_to_interpret_the_security_status_command.md
 +++ b/docs/explanations/how_to_interpret_the_security_status_command.md
@@ -36,6 +36,10 @@ packages:
    status: upgrade_available
    version: 1:1.2.8.dfsg-2ubuntu4.3+esm1
    download_size: 123456
++livepatch:
++  fixed_cves:
++    - Name: cve-2013-1798
++      Patched: true
  ```
  Let's understand what each key mean on the output of the `ua security-status` command:
@@ -101,3 +105,6 @@ Let's understand what each key mean on the output of the `ua security-status` co
        the service which provides the upgrade.
    * **`version`**: The update version.
    * **`download_size`**: The number of bytes that would be downloaded in order to install the update.
++
++* **`livepatch`**: Livepatch related information. Currently, the only information
++presented is **`fixed_cves`** - a list of CVEs that were fixed by Livepatches applied to the kernel.
 diff --git a/docs/explanations/motd_messages.md b/docs/explanations/motd_messages.md
 index 56221bc..04a5f14 100644
 --- a/docs/explanations/motd_messages.md
 +++ b/docs/explanations/motd_messages.md
@@ -14,7 +14,7 @@ Those messages are generated directly by two different sources:
    those services are enabled:
    ```
--  UA Apps: Extended Security Maintenance (ESM) is enabled.
++  UA Apps: Expanded Security Maintenance (ESM) is enabled.
 updates can be applied immediately.
 of these updates are UA Apps: ESM security updates.
@@ -27,7 +27,7 @@ Those messages are generated directly by two different sources:
    advertised:
    ```
--  UA Infra: Extended Security Maintenance (ESM) is enabled.
++  UA Infra: Expanded Security Maintenance (ESM) is enabled.
 updates can be applied immediately.
 of these updates are UA Apps: ESM security updates.
@@ -40,7 +40,7 @@ Those messages are generated directly by two different sources:
    `esm-apps` was not enabled, the output will be:
    ```
--  UA Apps: Extended Security Maintenance (ESM) is not enabled.
++  UA Apps: Expanded Security Maintenance (ESM) is not enabled.
 updates can be applied immediately.
 of these updates is a UA Infra: ESM security update.
@@ -66,21 +66,18 @@ Those messages are generated directly by two different sources:
      message after the `update-notifier` message:
      ```
--    *Your UA Infra: ESM subscription has EXPIRED*
--
--    2 additional security updates could have been applied via UA Apps: ESM.
--    Renew your UA services at https://ubuntu.com/advantage
--
--    Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by applicable law.
++    *Your Ubuntu Pro subscription has EXPIRED*
++    2 additional security update(s) require Ubuntu Pro with 'esm-infra' enabled.
++    Renew your service at https://ubuntu.com/pro
      ```
    * **subscription about to expire**: When the UA subscription is about to expire, we deliver the
      following message after the `update-notifier` message:
      ```
--    CAUTION: Your UA Infra: ESM service will expire in 5 days.
--    Renew UA subscription at https://ubuntu.com/advantage to ensure
--    continued security coverage for your applications.
++    CAUTION: Your Ubuntu Pro subscription will expire in 2 days.
++    Renew your subscription at https://ubuntu.com/pro to ensure continued security
++    coverage for your applications.
      ```
    * **subscription expired but within grace period**: When the UA subscription is expired, but is
@@ -88,9 +85,9 @@ Those messages are generated directly by two different sources:
      script:
      ```
--    CAUTION: Your UA Infra: ESM service expired on 10 Sep 2021.
--    Renew UA subscription at https://ubuntu.com/advantage to ensure
--    continued security coverage for your applications.
++    CAUTION: Your Ubuntu Pro subscription expired on 10 Sep 2021.
++    Renew your subscription at https://ubuntu.com/pro to ensure continued security
++    coverage for your applications.
      Your grace period will expire in 9 days.
      ```
@@ -99,9 +96,9 @@ Those messages are generated directly by two different sources:
      `update-notifier` message:
      ```
--    * Introducing Extended Security Maintenance for Applications.
--      Receive updates to over 30,000 software packages with your
--      Ubuntu Advantage subscription. Free for personal use
++    * Introducing Expanded Security Maintenance for Applications.
++      Receive updates to over 25,000 software packages with your
++      Ubuntu Pro subscription. Free for personal use
          https://ubuntu.com/16-04
      ```
 diff --git a/docs/explanations/status_columns.md b/docs/explanations/status_columns.md
 index d6848fe..b09007f 100644
 --- a/docs/explanations/status_columns.md
 +++ b/docs/explanations/status_columns.md
@@ -7,7 +7,7 @@ When unattached, users will see the status table containing only three columns:
  SERVICE          AVAILABLE  DESCRIPTION
  cc-eal           no         Common Criteria EAL2 Provisioning Packages
  cis              no         Security compliance and audit tools
--esm-infra        yes        UA Infra: Extended Security Maintenance (ESM)
++esm-infra        yes        Expanded Security Maintenance for Infrastructure
  fips             no         NIST-certified core packages
  fips-updates     no         NIST-certified core packages with priority security updates
  livepatch        yes        Canonical Livepatch service
@@ -25,8 +25,7 @@ However, if we run the same command when attached, we have an output with 4 colu
  ```
  SERVICE       ENTITLED  STATUS    DESCRIPTION
  cis           yes       disabled  Center for Internet Security Audit Tools
--esm-apps      yes       enabled   UA Apps: Extended Security Maintenance (ESM)
--esm-infra     yes       enabled   UA Infra: Extended Security Maintenance (ESM)
++esm-infra     yes       enabled   Expanded Security Maintenance for Infrastructure
  fips          yes       n/a       NIST-certified core packages
  fips-updates  yes       n/a       NIST-certified core packages with priority security updates
  livepatch     yes       n/a       Canonical Livepatch service
 diff --git a/docs/explanations/what_are_the_timer_jobs.md b/docs/explanations/what_are_the_timer_jobs.md
 index 4a818c7..348920a 100644
 --- a/docs/explanations/what_are_the_timer_jobs.md
 +++ b/docs/explanations/what_are_the_timer_jobs.md
@@ -20,4 +20,4 @@ packages or security updates.
  - The `update_status` job makes sure the `ua status` command will have the latest
  information even when executed by a non-root user, updating the
  `/var/lib/ubuntu-advantage/status.json` file.
--- The `metering` will inform Canonical on which services are enable on the machine.
++- The `metering` will inform Canonical on which services are enabled on the machine.
 diff --git a/docs/howtoguides/create_pro_golden_image.md b/docs/howtoguides/create_pro_golden_image.md
 index a5d297a..dc6b835 100644
 --- a/docs/howtoguides/create_pro_golden_image.md
 +++ b/docs/howtoguides/create_pro_golden_image.md
@@ -1,19 +1,9 @@
--# Remastering custom golden images based on Ubuntu PRO
++# How to create a customized Cloud Ubuntu Pro image
--Vendors who wish to provide custom images based on Ubuntu PRO images can
--follow the procedure below:
--
--* Launch the Ubuntu PRO golden image
--* Customize your golden image as you see fit
--* If `ua status` shows attached, remove the UA artifacts to allow clean
--  auto-attach on subsequent cloned VM launches
--```bash
--sudo ua detach
--sudo rm -rf /var/log/ubuntu-advantage.log  # to remove credentials and tokens from logs
--```
--* Remove `cloud-init` first boot artifacts so the cloned VM boot is seen as a first boot
--```bash
--sudo cloud-init clean --logs
--sudo shutdown -h now
--```
++* Launch a Ubuntu Pro instance on your cloud of choice
++* Customize the instance as you see fit
++* `sudo rm /etc/machine-id`
  * Use your cloud platform to clone or snapshot this VM as a golden image
++
++> **Note**
++> Prior to version 27.11 - when launching instances based on this instance, you will need to re-enable any non-standard UA services that you enabled on the image. This will be faster on the new instance because it was already enabled on the image. You will not need to reboot for e.g. `fips` or `fips-updates`.
 diff --git a/docs/howtoguides/enable_cc.md b/docs/howtoguides/enable_cc.md
 index 02e46ff..23709f4 100644
 --- a/docs/howtoguides/enable_cc.md
 +++ b/docs/howtoguides/enable_cc.md
@@ -7,6 +7,8 @@ point releases.
  Common Criteria is supported only on 16.04 and 18.04. For more information on it,
  please see https://ubuntu.com/security/cc
++## Enable and auto-install
++
  To enable it through UA, please run:
  ```console
@@ -22,3 +24,29 @@ Installing CC EAL2 packages
  CC EAL2 enabled
  Please follow instructions in /usr/share/doc/ubuntu-commoncriteria/README to configure EAL2
  ```
++
++## Enable and manually install
++
++> **Note**
++> The --access-only flag is introduced in version 27.11
++
++If you would like to enable access to the CC EAL apt repository but not install the packages right away, use the `--access-only` flag while enabling.
++
++```console
++$ sudo ua enable cc-eal --access-only
++```
++
++With that extra flag you'll see output like the following:
++
++```
++One moment, checking your subscription first
++Updating package lists
++Skipping installing packages: ubuntu-commoncriteria
++CC EAL2 access enabled
++```
++
++To install the packages you can then run:
++
++```console
++$ sudo apt install ubuntu-commoncriteria
++```
 diff --git a/docs/howtoguides/enable_realtime_kernel.md b/docs/howtoguides/enable_realtime_kernel.md
 new file mode 100644
 index 0000000..626513e
 --- /dev/null
 +++ b/docs/howtoguides/enable_realtime_kernel.md
@@ -0,0 +1,62 @@
++# How to enable Real-Time Kernel
++
++> **Warning**:
++> Real-Time Kernel is currently in beta.
++
++Real-Time Kernel is supported only on 22.04. For more information on it,
++please see https://ubuntu.com/realtime-kernel
++
++## Enable and auto-install
++
++To enable it through UA, please run:
++
++```console
++$ sudo ua enable realtime-kernel --beta
++```
++
++You'll need to acknowledge a warning and then you should see output like the following, indicating that the Real-Time Kernel package has been installed.
++
++```
++One moment, checking your subscription first
++The real-time kernel is a beta version of the 22.04 Ubuntu kernel with the
++PREEMPT_RT patchset integrated for x86_64 and ARM64.
++
++This will change your kernel. You will need to manually configure grub to
++revert back to your original kernel after enabling real-time.
++
++Do you want to continue? [ default = Yes ]: (Y/n) yes
++Updating package lists
++Installing Real-Time Kernel packages
++Real-Time Kernel enabled
++A reboot is required to complete install.
++```
++
++After rebooting you'll be running the Real-Time Kernel!
++
++## Enable and manually install
++
++> **Note**
++> The --access-only flag is introduced in version 27.11
++
++If you would like to enable access to the Real-Time Kernel apt repository but not install the kernel right away, use the `--access-only` flag while enabling.
++
++```console
++$ sudo ua enable realtime-kernel --beta --access-only
++```
++
++With that extra flag you'll see output like the following:
++
++```
++One moment, checking your subscription first
++Updating package lists
++Skipping installing packages: ubuntu-realtime
++Real-Time Kernel access enabled
++```
++
++To install the kernel you can then run:
++
++```console
++$ sudo apt install ubuntu-realtime
++```
++
++You'll need to reboot after installing to boot into the Real-Time Kernel.
 diff --git a/docs/howtoguides/enable_ua_in_dockerfile.md b/docs/howtoguides/enable_ua_in_dockerfile.md
 index 9ca0302..e371337 100644
 --- a/docs/howtoguides/enable_ua_in_dockerfile.md
 +++ b/docs/howtoguides/enable_ua_in_dockerfile.md
@@ -2,7 +2,7 @@
  > Requires at least UA Client version 27.7
--Ubuntu Advantage (UA) comes with several services, some of which can be useful in docker. For example, Extended Security Maintenance of packages and FIPS certified packages may be desirable in a docker image. In this how-to-guide, we show how you can use the `ua` tool to take advantage of these services in your Dockerfile.
++Ubuntu Advantage (UA) comes with several services, some of which can be useful in docker. For example, Expanded Security Maintenance of packages and FIPS certified packages may be desirable in a docker image. In this how-to-guide, we show how you can use the `ua` tool to take advantage of these services in your Dockerfile.
  ## Step 1: Create a UA Attach Config file
 diff --git a/docs/howtoguides/get_token_and_attach.md b/docs/howtoguides/get_token_and_attach.md
 index eb1e3ce..4cb49eb 100644
 --- a/docs/howtoguides/get_token_and_attach.md
 +++ b/docs/howtoguides/get_token_and_attach.md
@@ -21,7 +21,7 @@ This machine is now attached to 'UA Infra - Essential (Virtual)'
  SERVICE       ENTITLED  STATUS    DESCRIPTION
  cis           yes       disabled  Center for Internet Security Audit Tools
--esm-infra     yes       enabled   UA Infra: Extended Security Maintenance (ESM)
++esm-infra     yes       enabled   Expanded Security Maintenance for Infrastructure
  fips          yes       n/a       NIST-certified FIPS modules
  fips-updates  yes       n/a       Uncertified security updates to FIPS modules
  livepatch     yes       n/a       Canonical Livepatch service
 diff --git a/docs/howtoguides/how_to_run_ua_fix_in_dry_run_mode.md b/docs/howtoguides/how_to_run_ua_fix_in_dry_run_mode.md
 index b792eeb..e53e4f9 100644
 --- a/docs/howtoguides/how_to_run_ua_fix_in_dry_run_mode.md
 +++ b/docs/howtoguides/how_to_run_ua_fix_in_dry_run_mode.md
@@ -13,7 +13,7 @@ https://ubuntu.com/security/CVE-2021-22946
  https://ubuntu.com/security/CVE-2021-22947
 affected source package is installed: curl
  (1/1) curl:
--A fix is available in UA Infra.
++A fix is available in Ubuntu Pro: ESM Infra.
  The machine is not attached to an Ubuntu Advantage (UA) subscription.
  To proceed with the fix, a prompt would ask for a valid UA token.
  { ua attach TOKEN }
 diff --git a/docs/howtoguides/how_to_simulate_attach.md b/docs/howtoguides/how_to_simulate_attach.md
 index 0a3aa14..2de4923 100644
 --- a/docs/howtoguides/how_to_simulate_attach.md
 +++ b/docs/howtoguides/how_to_simulate_attach.md
@@ -14,7 +14,7 @@ one:
  SERVICE          AVAILABLE  ENTITLED   AUTO_ENABLED  DESCRIPTION
  cc-eal           yes        yes        no            Common Criteria EAL2 Provisioning Packages
  cis              yes        yes        no            Security compliance and audit tools
--esm-infra        yes        yes        yes           UA Infra: Extended Security Maintenance (ESM)
++esm-infra        yes        yes        yes           Expanded Security Maintenance for Infrastructure
  fips             yes        yes        no            NIST-certified core packages
  fips-updates     yes        yes        no            NIST-certified core packages with priority security updates
  livepatch        yes        yes        yes           Canonical Livepatch service
 diff --git a/docs/index.rst b/docs/index.rst
 new file mode 100644
 index 0000000..06cf94e
 --- /dev/null
 +++ b/docs/index.rst
@@ -0,0 +1,58 @@
++Ubuntu Advantage Client
++===================================
++
++The Ubuntu Advantage (UA) Client is the offical tool to enable Canonical offerings on your
++system.
++
++UA provides support to view, enable, and disable the following Canonical services:
++
++- `Common Criteria EAL2 Certification Tooling <https://ubuntu.com/security/cc>`_
++- `CIS Benchmark Audit Tooling <https://ubuntu.com/security/cis>`_
++- `Ubuntu Security Guide (USG) Tooling <https://ubuntu.com/security/certifications/docs/usg>`_
++- `Ubuntu Expanded Security Maintenance (ESM) <https://ubuntu.com/security/esm>`_
++- `Robot Operating System (ROS) Expanded Security Maintenance <https://ubuntu.com/robotics/ros-esm>`_
++- `FIPS 140-2 Certified Modules (and optional non-certified patches <https://ubuntu.com/security/fips>`_
++- `Livepatch <https://ubuntu.com/security/livepatch>`_
++
++If you need any of those services for your machine, UA is the right tool for you.
++Furthermore, UA is already installed on every Ubuntu system. Try it out by running ``ua help``!
++
++Getting help
++************
++
++Having trouble? We would like to help!
++
++- Ask a question in the ``#ubuntu-server`` IRC channel on Libera
++- Find a bug? `Report bugs on Launchpad <https://bugs.launchpad.net/ubuntu-advantage-tools/+filebug>`_
++
++.. toctree::
++   :hidden:
++   :titlesonly:
++   :caption: Tutorials
++   :glob:
++
++   tutorials/*
++
++.. toctree::
++   :hidden:
++   :titlesonly:
++   :caption: How to guides
++   :glob:
++
++   howtoguides/*
++
++.. toctree::
++   :hidden:
++   :titlesonly:
++   :caption: Explanations
++   :glob:
++
++   explanations/*
++
++.. toctree::
++   :hidden:
++   :titlesonly:
++   :caption: References
++   :glob:
++
++   references/*
 diff --git a/docs/references/support_matrix.md b/docs/references/support_matrix.md
 index 9935665..cdf4e97 100644
 --- a/docs/references/support_matrix.md
 +++ b/docs/references/support_matrix.md
@@ -14,6 +14,8 @@ Below is a list of platforms and releases ubuntu-advantage-tools supports
  | Focal          | amd64, arm64, armhf, ppc64el, riscv64, s390x       | Active SRU of all features |
  | Groovy         | amd64, arm64, armhf, ppc64el, riscv64, s390x       | Last release 27.1          |
  | Hirsute        | amd64, arm64, armhf, ppc64el, riscv64, s390x       | Last release 27.5          |
--| Impish         | amd64, arm64, armhf, ppc64el, riscv64, s390x       | Active SRU of all features |
++| Impish         | amd64, arm64, armhf, ppc64el, riscv64, s390x       | Last release 27.9          |
++| Jammy          | amd64, arm64, armhf, ppc64el, riscv64, s390x       | Active SRU of all features |
++| Kinetic        | amd64, arm64, armhf, ppc64el, riscv64, s390x       | Active SRU of all features |
  Note: ppc64el will not have all APT messaging due to insufficient golang support
 diff --git a/docs/tutorials/basic_ua_commands.md b/docs/tutorials/basic_ua_commands.md
 index b856541..6304fdf 100644
 --- a/docs/tutorials/basic_ua_commands.md
 +++ b/docs/tutorials/basic_ua_commands.md
@@ -1,4 +1,4 @@
--# Tutorial: cover base UA commands
++# Getting Started with UA
  The Ubuntu Advantage (UA) Tools provides users with a simple mechanism to
  view, enable, and disable offerings from Canonical on their system. In this tutorial
@@ -59,7 +59,7 @@ It is expected for you to see an output similar to this one:
  ```
  SERVICE       AVAILABLE  DESCRIPTION
  cis           yes        Center for Internet Security Audit Tools
--esm-infra     yes        UA Infra: Extended Security Maintenance (ESM)
++esm-infra     yes        Expanded Security Maintenance for Infrastructure
  fips          yes        NIST-certified core packages
  fips-updates  yes        NIST-certified core packages with priority security updates
  livepatch     yes        Canonical Livepatch service
@@ -96,12 +96,12 @@ It is expected for you to see an output similar to this one:
  ```
  Enabling default service esm-infra
  Updating package lists
--UA Infra: ESM enabled
++Ubuntu Pro: ESM Infra enabled
  This machine is now attached to 'USER ACCOUNT'
  SERVICE       ENTITLED  STATUS    DESCRIPTION
  cis           yes       disabled  Center for Internet Security Audit Tools
--esm-infra     yes       enabled   UA Infra: Extended Security Maintenance (ESM)
++esm-infra     yes       enabled   Expanded Security Maintenance for Infrastructure
  fips          yes       n/a       NIST-certified core packages
  fips-updates  yes       n/a       NIST-certified core packages with priority security updates
  livepatch     yes       n/a       Canonical Livepatch service
@@ -194,7 +194,7 @@ And you should see:
  ```
  SERVICE       ENTITLED  STATUS    DESCRIPTION
  cis           yes       enabled   Center for Internet Security Audit Tools
--esm-infra     yes       enabled   UA Infra: Extended Security Maintenance (ESM)
++esm-infra     yes       enabled   Expanded Security Maintenance for Infrastructure
  fips          yes       n/a       NIST-certified core packages
  fips-updates  yes       n/a       NIST-certified core packages with priority security updates
  livepatch     yes       n/a       Canonical Livepatch service
@@ -217,8 +217,7 @@ After running that command, let's now run `ua status` to see what happened to `c
  ```
  SERVICE       ENTITLED  STATUS    DESCRIPTION
  cis           yes       disabled  Center for Internet Security Audit Tools
--esm-apps      yes       enabled   UA Apps: Extended Security Maintenance (ESM)
--esm-infra     yes       enabled   UA Infra: Extended Security Maintenance (ESM)
++esm-infra     yes       enabled   Expanded Security Maintenance for Infrastructure
  fips          yes       n/a       NIST-certified core packages
  fips-updates  yes       n/a       NIST-certified core packages with priority security updates
  livepatch     yes       n/a       Canonical Livepatch service
 diff --git a/docs/tutorials/create_a_fips_updates_pro_cloud_image.md b/docs/tutorials/create_a_fips_updates_pro_cloud_image.md
 new file mode 100644
 index 0000000..51a566a
 --- /dev/null
 +++ b/docs/tutorials/create_a_fips_updates_pro_cloud_image.md
@@ -0,0 +1,65 @@
++# Create a customized Cloud Ubuntu Pro image with FIPS Updates
++
++## Step 1: Launch an Ubuntu Pro instance on your cloud
++
++See the following links for up to date information for each supported cloud:
++* https://ubuntu.com/aws/pro
++* https://ubuntu.com/azure/pro
++* https://ubuntu.com/gcp/pro
++
++## Step 2: Enable FIPS Updates
++
++First wait for the standard Ubuntu Pro services to be set up.
++
++```bash
++sudo ua status --wait
++```
++
++Then use [the enable command](../howtoguides/enable_fips.md) to setup FIPS Updates.
++```bash
++sudo ua enable fips-updates --assume-yes
++```
++
++Now reboot the instance
++```bash
++sudo reboot
++```
++
++And verify that `fips-updates` is enabled in the output of `ua status`
++```bash
++sudo ua status
++```
++
++Also remove the machine-id so that it is regenerated for each instance launch from the snapshot.
++```bash
++sudo rm /etc/machine-id
++```
++
++## Step 3: Snapshot the instance as a cloud image
++
++Cloud-specific instructions are here:
++* [AWS](https://docs.aws.amazon.com/toolkit-for-visual-studio/latest/user-guide/tkv-create-ami-from-instance.html)
++* [Azure](https://docs.microsoft.com/en-us/azure/virtual-machines/windows/capture-image-resource)
++* [GCP](https://cloud.google.com/compute/docs/machine-images/create-machine-images)
++
++## Step 4: Launch your custom image!
++
++Use your specific cloud to launch a new instance from your custom image.
++
++> **Note**
++> For versions prior to 27.11, you will need to re-enable fips-updates on each instance that is launched from the custom image.
++>
++> This won't require a reboot and is only necessary to ensure the instance gets updates to fips packages when they become available.
++>
++> ```bash
++> sudo ua enable fips-updates --assume-yes
++> ```
++>
++> You can easily script this using [cloud-init user-data](https://cloudinit.readthedocs.io/en/latest/topics/modules.html#runcmd) at launch time
++> ```yaml
++> #cloud-config
++> # Enable fips-updates after pro auto-attach and reboot after cloud-init completes
++> runcmd:
++>   - 'ua status --wait'
++>   - 'ua enable fips-updates --assume-yes'
++> ```
 diff --git a/docs/tutorials/ua_fix_scenarios.md b/docs/tutorials/ua_fix_scenarios.md
 index d66e004..4be0eec 100644
 --- a/docs/tutorials/ua_fix_scenarios.md
 +++ b/docs/tutorials/ua_fix_scenarios.md
@@ -161,7 +161,7 @@ https://ubuntu.com/security/CVE-2021-22946
  https://ubuntu.com/security/CVE-2021-22947
 affected package is installed: curl
  (1/1) curl:
--A fix is available in UA Infra.
++A fix is available in Ubuntu Pro: ESM Infra.
  The update is not installed because this system is not attached to a
  subscription.
@@ -187,7 +187,7 @@ https://ubuntu.com/security/CVE-2021-22946
  https://ubuntu.com/security/CVE-2021-22947
 affected package is installed: curl
  (1/1) curl:
--A fix is available in UA Infra.
++A fix is available in Ubuntu Pro: ESM Infra.
  The update is not installed because this system is not attached to a
  subscription.
@@ -200,12 +200,12 @@ Enter your token (from https://ubuntu.com/advantage) to attach this system:
  { ua attach TOKEN }
  Enabling default service esm-infra
  Updating package lists
--UA Infra: ESM enabled
++Ubuntu Pro: ESM Infra enabled
  This machine is now attached to 'SUBSCRIPTION'
  SERVICE       ENTITLED  STATUS    DESCRIPTION
  cis           yes       disabled  Center for Internet Security Audit Tools
--esm-infra     yes       enabled   UA Infra: Extended Security Maintenance (ESM)
++esm-infra     yes       enabled   Expanded Security Maintenance for Infrastructure
  fips          yes       n/a       NIST-certified core packages
  fips-updates  yes       n/a       NIST-certified core packages with priority security updates
  livepatch     yes       n/a       Canonical Livepatch service
@@ -234,7 +234,7 @@ https://ubuntu.com/security/CVE-2021-22946
  https://ubuntu.com/security/CVE-2021-22947
 affected package is installed: curl
  (1/1) curl:
--A fix is available in UA Infra.
++A fix is available in Ubuntu Pro: ESM Infra.
  The update is already installed.
  ✔ USN-5079-2 is resolved.
  ```
@@ -268,7 +268,7 @@ CVE-2021-44731: snapd vulnerabilities
  https://ubuntu.com/security/CVE-2021-44731
 affected package is installed: snapd
  (1/1) snapd:
--A fix is available in UA Infra.
++A fix is available in Ubuntu Pro: ESM Infra.
  The update is not installed because this system does not have
  esm-infra enabled.
@@ -277,7 +277,7 @@ Choose: [E]nable esm-infra [C]ancel
  { ua enable esm-infra }
  One moment, checking your subscription first
  Updating package lists
--UA Infra: ESM enabled
++Ubuntu Pro: ESM Infra enabled
  { apt update && apt install --only-upgrade -y ubuntu-core-launcher snapd }
  ✔ CVE-2021-44731 is resolved.
  ```
@@ -304,7 +304,7 @@ VE-2022-0778: OpenSSL vulnerability
  https://ubuntu.com/security/CVE-2022-0778
 affected package is installed: openssl
  (1/1) openssl:
--A fix is available in UA Infra.
++A fix is available in Ubuntu Pro: ESM Infra.
  { apt update && apt install --only-upgrade -y libssl1.0.0 openssl }
  A reboot is required to complete fix operation.
  ✘ CVE-2022-0778 is not resolved.
@@ -317,7 +317,7 @@ CVE-2022-0778: OpenSSL vulnerability
  https://ubuntu.com/security/CVE-2022-0778
 affected package is installed: openssl
  (1/1) openssl:
--A fix is available in UA Infra.
++A fix is available in Ubuntu Pro: ESM Infra.
  The update is already installed.
  ✔ CVE-2022-0778 is resolved.
  ```
 diff --git a/features/_version.feature b/features/_version.feature
 index 42454c2..7a0633b 100644
 --- a/features/_version.feature
 +++ b/features/_version.feature
@@ -1,4 +1,4 @@
--Feature: UA is expected version
++Feature: Pro is expected version
      @series.all
      @uses.config.check_version
@@ -13,14 +13,14 @@ Feature: UA is expected version
      @uses.config.machine_type.gcp.generic
      @uses.config.machine_type.gcp.pro
      @uses.config.machine_type.gcp.pro.fips
--    Scenario Outline: Check ua version
++    Scenario Outline: Check pro version
          Given a `<release>` machine with ubuntu-advantage-tools installed
          When I run `dpkg-query --showformat='${Version}' --show ubuntu-advantage-tools` with sudo
          Then I will see the following on stdout
          """
          {UACLIENT_BEHAVE_CHECK_VERSION}
          """
--        When I run `ua version` with sudo
++        When I run `pro version` with sudo
          Then I will see the following on stdout
          """
          {UACLIENT_BEHAVE_CHECK_VERSION}
@@ -30,21 +30,21 @@ Feature: UA is expected version
              | xenial  |
              | bionic  |
              | focal   |
--            | impish  |
              | jammy   |
++            | kinetic |
      @series.all
      @uses.config.check_version
      @uses.config.machine_type.lxd.container
      @upgrade
--    Scenario Outline: Check ua version
++    Scenario Outline: Check pro version
          Given a `<release>` machine with ubuntu-advantage-tools installed
          When I run `dpkg-query --showformat='${Version}' --show ubuntu-advantage-tools` with sudo
          Then I will see the following on stdout
          """
          {UACLIENT_BEHAVE_CHECK_VERSION}
          """
--        When I run `ua version` with sudo
++        When I run `pro version` with sudo
          Then I will see the following on stdout
          """
          {UACLIENT_BEHAVE_CHECK_VERSION}
@@ -54,5 +54,5 @@ Feature: UA is expected version
              | xenial  |
              | bionic  |
              | focal   |
--            | impish  |
--            | jammy  |
++            | jammy   |
++            | kinetic |
 diff --git a/features/api.feature b/features/api.feature
 new file mode 100644
 index 0000000..ad4ee97
 --- /dev/null
 +++ b/features/api.feature
@@ -0,0 +1,52 @@
++Feature: Client behaviour for the API endpoints
++
++    @series.all
++    @uses.config.machine_type.lxd.container
++    Scenario Outline: API invalid endpoint or args
++    Given a `<release>` machine with ubuntu-advantage-tools installed
++    When I verify that running `pro api invalid.endpoint` `with sudo` exits `1`
++    Then stdout matches regexp:
++    """
++    {\"_schema_version\": \"v1\", \"data\": {\"meta\": {\"environment_vars\": \[]}}, \"errors\": \[{\"code\": \"api\-invalid\-endpoint", \"meta\": {}, \"title\": \"'invalid\.endpoint' is not a valid endpoint\"}], \"result\": \"failure\", \"version\": \".*\", \"warnings\": \[]}
++    """
++    When I verify that running `pro api u.pro.version.v1 --args extra=arg` `with sudo` exits `1`
++    Then stdout matches regexp:
++    """
++    {\"_schema_version\": \"v1\", \"data\": {\"meta\": {\"environment_vars\": \[]}}, \"errors\": \[{\"code\": \"api\-no\-argument\-for\-endpoint\", \"meta\": {}, \"title\": \"u\.pro\.version\.v1 accepts no arguments\"}], \"result\": \"failure\", \"version\": \".*\", \"warnings\": \[]}
++    """
++
++    Examples: ubuntu release
++           | release |
++           | bionic  |
++           | focal   |
++           | xenial  |
++           | jammy   |
++           | kinetic |
++
++    @series.all
++    @uses.config.machine_type.lxd.container
++    Scenario Outline: Basic endpoints
++    Given a `<release>` machine with ubuntu-advantage-tools installed
++    When I run `pro api u.pro.version.v1` with sudo
++    Then stdout matches regexp:
++    """
++    {\"_schema_version\": \"v1\", \"data\": {\"attributes\": {\"installed_version\": \".*\"}, \"meta\": {\"environment_vars\": \[]}, \"type\": \"Version\"}, \"errors\": \[], \"result\": \"success\", \"version\": \".*\", \"warnings\": \[]}
++    """
++    When I run `UA_LOG_FILE=/tmp/some_file OTHER_ENVVAR=not_there pro api u.pro.version.v1` with sudo
++    Then stdout matches regexp:
++    """
++    {\"_schema_version\": \"v1\", \"data\": {\"attributes\": {\"installed_version\": \".*\"}, \"meta\": {\"environment_vars\": \[{\"name\": \"UA_LOG_FILE\", \"value\": \"\/tmp\/some_file\"}]}, \"type\": \"Version\"}, \"errors\": \[], \"result\": \"success\", \"version\": \".*\", \"warnings\": \[]}
++    """
++    When I run `ua api u.pro.attach.auto.should_auto_attach.v1` with sudo
++    Then stdout matches regexp:
++    """
++    {"_schema_version": "v1", "data": {"attributes": {"should_auto_attach": false}, "meta": {"environment_vars": \[\]}, "type": "ShouldAutoAttach"}, "errors": \[\], "result": "success", "version": ".*", "warnings": \[\]}
++    """
++
++    Examples: ubuntu release
++           | release |
++           | bionic  |
++           | focal   |
++           | xenial  |
++           | jammy   |
++           | kinetic |
 diff --git a/features/api_full_auto_attach.feature b/features/api_full_auto_attach.feature
 new file mode 100644
 index 0000000..1aac22e
 --- /dev/null
 +++ b/features/api_full_auto_attach.feature
@@ -0,0 +1,39 @@
++Feature: Full Auto-Attach Endpoint
++
++    @series.lts
++    @uses.config.machine_type.aws.pro
++    @uses.config.machine_type.azure.pro
++    @uses.config.machine_type.gcp.pro
++    Scenario Outline: Run auto-attach on cloud instance.
++        Given a `<release>` machine with ubuntu-advantage-tools installed
++        When I create the file `/etc/ubuntu-advantage/uaclient.conf` with the following:
++        """
++        contract_url: 'https://contracts.canonical.com'
++        data_dir: /var/lib/ubuntu-advantage
++        log_level: debug
++        log_file: /var/log/ubuntu-advantage.log
++        """
++        When I create the file `/tmp/full_auto_attach.py` with the following:
++        """
++        from uaclient.api.u.pro.attach.auto.full_auto_attach.v1 import full_auto_attach, FullAutoAttachOptions
++
++        full_auto_attach(FullAutoAttachOptions(enable=["esm-infra", "esm-apps"]))
++        """
++        And I run `python3 /tmp/full_auto_attach.py` with sudo
++        And I run `pro status --all` with sudo
++        Then stdout matches regexp:
++        """
++        esm-apps      +yes +enabled +Expanded Security Maintenance for Applications
++        esm-infra     +yes +enabled +Expanded Security Maintenance for Infrastructure
++        """
++        Then stdout matches regexp:
++        """
++        livepatch     +yes +disabled  +Canonical Livepatch service
++        """
++        Examples:
++           | release |
++           | xenial  |
++           | bionic  |
++           | focal   |
++           | jammy   |
++
 diff --git a/features/api_magic_attach.feature b/features/api_magic_attach.feature
 new file mode 100644
 index 0000000..4ab6592
 --- /dev/null
 +++ b/features/api_magic_attach.feature
@@ -0,0 +1,74 @@
++Feature: Magic Attach endpoints
++
++    @series.lts
++    @uses.config.machine_type.lxd.container
++    Scenario Outline: Call magic attach endpoints
++        Given a `<release>` machine with ubuntu-advantage-tools installed
++        When I change contract to staging with sudo
++        And I verify that running `pro api u.pro.attach.magic.revoke.v1` `as non-root` exits `1`
++        Then stdout is a json matching the `api_response` schema
++        And stdout matches regexp:
++        """
++        {"_schema_version": "v1", "data": {"meta": {\"environment_vars\": \[]}}, "errors": \[{"code": "api-missing-argument", "meta": {}, "title": "Missing argument \'magic_token\' for endpoint u.pro.attach.magic.revoke.v1"}\], "result": "failure", "version": ".*", "warnings": \[\]}
++        """
++        When I verify that running `pro api u.pro.attach.magic.wait.v1 --args magic_token=INVALID` `as non-root` exits `1`
++        Then stdout is a json matching the `api_response` schema
++        And stdout matches regexp:
++        """
++        {"_schema_version": "v1", "data": {"meta": {"environment_vars": \[\]}}, "errors": \[{"code": "magic-attach-token-error", "meta": {}, "title": "The magic attach token is invalid, has expired or never existed"}\], "result": "failure", "version": ".*", "warnings": \[\]}
++        """
++        When I verify that running `pro api u.pro.attach.magic.revoke.v1 --args magic_token=INVALID` `as non-root` exits `1`
++        Then stdout is a json matching the `api_response` schema
++        And stdout matches regexp:
++        """
++        {"_schema_version": "v1", "data": {"meta": {"environment_vars": \[\]}}, "errors": \[{"code": "magic-attach-token-error", "meta": {}, "title": "The magic attach token is invalid, has expired or never existed"}\], "result": "failure", "version": ".*", "warnings": \[\]}
++        """
++        When I initiate the magic attach flow
++        Then stdout is a json matching the `api_response` schema
++        And the json API response data matches the `magic_attach` schema
++        And stdout matches regexp:
++        """
++        {"_schema_version": "v1", "data": {"attributes": {"expires": ".*", "expires_in": .*, "token": ".*", "user_code": ".*"}, "meta": {\"environment_vars\": \[]}, "type": "MagicAttachInitiate"}, "errors": \[\], "result": "success", "version": ".*", "warnings": \[\]}
++        """
++        When I create the file `/tmp/response-overlay.json` with the following:
++        """
++        {
++            "https://contracts.staging.canonical.com/v1/magic-attach": [
++            {
++              "code": 200,
++              "response": {
++                "userCode": "123",
++                "token": "testToken",
++                "expires": "expire-date",
++                "expiresIn": 2000,
++                "contractID": "test-contract-id",
++                "contractToken": "contract-token"
++              }
++            }]
++        }
++        """
++        And I append the following on uaclient config:
++        """
++        features:
++          serviceclient_url_responses: "/tmp/response-overlay.json"
++        """
++        And I wait for the magic attach token to be activated
++        Then stdout is a json matching the `api_response` schema
++        And the json API response data matches the `magic_attach` schema
++        And stdout matches regexp:
++        """
++        {"_schema_version": "v1", "data": {"attributes": {"contract_id": "test-contract-id", "contract_token": "contract-token", "expires": "expire-date", "expires_in": 2000, "token": "testToken", "user_code": "123"}, "meta": {\"environment_vars\": \[]}, "type": "MagicAttachWait"}, "errors": \[\], "result": "success", "version": ".*", "warnings": \[\]}
++        """
++        When I revoke the magic attach token
++        Then stdout is a json matching the `api_response` schema
++        And stdout matches regexp:
++        """
++        {"_schema_version": "v1", "data": {"attributes": {}, "meta": {\"environment_vars\": \[]}, "type": "MagicAttachRevoke"}, "errors": \[\], "result": "success", "version": ".*", "warnings": \[\]}
++        """
++
++        Examples: ubuntu release
++            | release |
++            | xenial  |
++            | bionic  |
++            | focal   |
++            | jammy   |
 diff --git a/features/apt_json_hook.feature b/features/apt_json_hook.feature
 deleted file mode 100644
 index 5a1317e..0000000
 --- a/features/apt_json_hook.feature
 +++ /dev/null
@@ -1,99 +0,0 @@
--Feature: APT JSON Hook
--
--    @series.xenial
--    @uses.config.machine_type.lxd.container
--    Scenario Outline: APT JSON Hook prints package counts correctly on xenial
--        Given a `<release>` machine with ubuntu-advantage-tools installed
--        When I attach `contract_token` with sudo
--        When I run `apt-get update` with sudo
--        When I run `apt-get upgrade -y` with sudo
--
--        When I run `apt-get install -y --allow-downgrades <standard-pkg>` with sudo
--        When I run `apt-get upgrade -y` with sudo
--        Then stdout matches regexp:
--        """
--        2 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
--        2 standard security updates
--
--        """
--
--        When I run `apt-get install -y --allow-downgrades <infra-pkg>` with sudo
--        When I run `apt-get upgrade -y` with sudo
--        Then stdout matches regexp:
--        """
--        2 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
--        2 esm-infra security updates
--
--        """
--
--        When I run `apt-get install -y --allow-downgrades <apps-pkg>` with sudo
--        When I run `apt-get upgrade -y` with sudo
--        Then stdout matches regexp:
--        """
--        1 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
--        1 esm-apps security update
--
--        """
--
--        When I run `apt-get install -y --allow-downgrades <standard-pkg>` with sudo
--        When I run `apt-get install -y --allow-downgrades <infra-pkg>` with sudo
--        When I run `apt-get upgrade -y` with sudo
--        Then stdout matches regexp:
--        """
--        4 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
--        2 standard security updates and 2 esm-infra updates
--
--        """
--
--        When I run `apt-get install -y --allow-downgrades <standard-pkg>` with sudo
--        When I run `apt-get install -y --allow-downgrades <apps-pkg>` with sudo
--        When I run `apt-get upgrade -y` with sudo
--        Then stdout matches regexp:
--        """
--        3 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
--        2 standard security updates and 1 esm-apps update
--
--        """
--
--        When I run `apt-get install -y --allow-downgrades <infra-pkg>` with sudo
--        When I run `apt-get install -y --allow-downgrades <apps-pkg>` with sudo
--        When I run `apt-get upgrade -y` with sudo
--        Then stdout matches regexp:
--        """
--        3 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
--        2 esm-infra security updates and 1 esm-apps update
--
--        """
--
--        When I run `apt-get install -y --allow-downgrades <standard-pkg>` with sudo
--        When I run `apt-get install -y --allow-downgrades <infra-pkg>` with sudo
--        When I run `apt-get install -y --allow-downgrades <apps-pkg>` with sudo
--        When I run `apt-get upgrade -y` with sudo
--        Then stdout matches regexp:
--        """
--        5 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
--        2 standard security updates, 2 esm-infra updates and 1 esm-apps update
--
--        """
--
--        When I run `apt-get upgrade -y` with sudo
--        Then stdout matches regexp:
--        """
--        0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
--        """
--        Then stdout does not match regexp:
--        """
--        standard security update
--        """
--        Then stdout does not match regexp:
--        """
--        esm-infra
--        """
--        Then stdout does not match regexp:
--        """
--        esm-apps
--        """
--
--        Examples: ubuntu release
--           | release | standard-pkg                                                          | infra-pkg                                            | apps-pkg |
--           | xenial  | accountsservice=0.6.40-2ubuntu10 libaccountsservice0=0.6.40-2ubuntu10 | curl=7.47.0-1ubuntu2 libcurl3-gnutls=7.47.0-1ubuntu2 | libzstd1=1.3.1+dfsg-1~ubuntu0.16.04.1 |
 diff --git a/features/apt_messages.feature b/features/apt_messages.feature
 new file mode 100644
 index 0000000..af9b17e
 --- /dev/null
 +++ b/features/apt_messages.feature
@@ -0,0 +1,328 @@
++Feature: APT Messages
++
++    @series.xenial
++    @uses.config.machine_type.lxd.container
++    Scenario Outline: APT JSON Hook prints package counts correctly on xenial
++        Given a `<release>` machine with ubuntu-advantage-tools installed
++        When I attach `contract_token` with sudo
++        When I run `apt-get update` with sudo
++        When I run `apt-get upgrade -y` with sudo
++
++        When I run `apt-get install -y --allow-downgrades <standard-pkg>` with sudo
++        When I run `apt-get upgrade -y` with sudo
++        Then stdout matches regexp:
++        """
++        2 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
++        2 standard LTS security updates
++
++        """
++
++        When I run `apt-get install -y --allow-downgrades <infra-pkg>` with sudo
++        When I run `apt-get upgrade -y` with sudo
++        Then stdout matches regexp:
++        """
++        2 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
++        2 esm-infra security updates
++
++        """
++
++        When I run `apt-get install -y --allow-downgrades <apps-pkg>` with sudo
++        When I run `apt-get upgrade -y` with sudo
++        Then stdout matches regexp:
++        """
++        1 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
++        1 esm-apps security update
++
++        """
++
++        When I run `apt-get install -y --allow-downgrades <standard-pkg>` with sudo
++        When I run `apt-get install -y --allow-downgrades <infra-pkg>` with sudo
++        When I run `apt-get upgrade -y` with sudo
++        Then stdout matches regexp:
++        """
++        4 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
++        2 standard LTS security updates and 2 esm-infra security updates
++
++        """
++
++        When I run `apt-get install -y --allow-downgrades <standard-pkg>` with sudo
++        When I run `apt-get install -y --allow-downgrades <apps-pkg>` with sudo
++        When I run `apt-get upgrade -y` with sudo
++        Then stdout matches regexp:
++        """
++        3 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
++        2 standard LTS security updates and 1 esm-apps security update
++
++        """
++
++        When I run `apt-get install -y --allow-downgrades <infra-pkg>` with sudo
++        When I run `apt-get install -y --allow-downgrades <apps-pkg>` with sudo
++        When I run `apt-get upgrade -y` with sudo
++        Then stdout matches regexp:
++        """
++        3 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
++        2 esm-infra security updates and 1 esm-apps security update
++
++        """
++
++        When I run `apt-get install -y --allow-downgrades <standard-pkg>` with sudo
++        When I run `apt-get install -y --allow-downgrades <infra-pkg>` with sudo
++        When I run `apt-get install -y --allow-downgrades <apps-pkg>` with sudo
++        When I run `apt-get upgrade -y` with sudo
++        Then stdout matches regexp:
++        """
++        5 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
++        2 standard LTS security updates, 2 esm-infra security updates and 1 esm-apps security update
++
++        """
++
++        When I run `apt-get upgrade -y` with sudo
++        Then stdout matches regexp:
++        """
++        0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
++        """
++        Then stdout does not match regexp:
++        """
++        standard LTS security update
++        """
++        Then stdout does not match regexp:
++        """
++        esm-infra
++        """
++        Then stdout does not match regexp:
++        """
++        esm-apps
++        """
++
++        Examples: ubuntu release
++           | release | standard-pkg                                                          | infra-pkg                                            | apps-pkg     |
++           | xenial  | accountsservice=0.6.40-2ubuntu10 libaccountsservice0=0.6.40-2ubuntu10 | curl=7.47.0-1ubuntu2 libcurl3-gnutls=7.47.0-1ubuntu2 | hello=2.10-1 |
++
++    @series.xenial
++    @uses.config.machine_type.lxd.container
++    Scenario Outline: APT Hook advertises esm-infra on upgrade
++        Given a `<release>` machine with ubuntu-advantage-tools installed
++        When I run `apt-get update` with sudo
++        When I run `apt-get -y upgrade` with sudo
++        When I run `apt-get -y autoremove` with sudo
++        When I run `pro refresh messages` with sudo
++        When I run `apt-get upgrade` with sudo
++        Then stdout matches regexp:
++        """
++        Reading package lists...
++        Building dependency tree...
++        Reading state information...
++        Calculating upgrade...
++        The following security updates require Ubuntu Pro with 'esm-infra' enabled:
++          .*
++        Learn more about Ubuntu Pro for 16\.04 at https:\/\/ubuntu\.com\/16-04
++        0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded\.
++        """
++        When I attach `contract_token` with sudo
++        When I run `apt-get upgrade --dry-run` with sudo
++        Then stdout matches regexp:
++        """
++        Reading package lists...
++        Building dependency tree...
++        Reading state information...
++        Calculating upgrade...
++        The following packages will be upgraded:
++        """
++        When I update contract to use `effectiveTo` as `days=+2`
++        When I run `pro refresh messages` with sudo
++        When I run `apt-get upgrade --dry-run` with sudo
++        Then stdout matches regexp:
++        """
++        Reading package lists...
++        Building dependency tree...
++        Reading state information...
++        Calculating upgrade...
++
++        CAUTION: Your Ubuntu Pro subscription will expire in 2 days.
++        Renew your subscription at https:\/\/ubuntu.com\/pro to ensure continued security
++        coverage for your applications.
++
++        The following packages will be upgraded:
++        """
++        When I update contract to use `effectiveTo` as `days=-3`
++        When I run `pro refresh messages` with sudo
++        When I run `apt-get upgrade --dry-run` with sudo
++        Then stdout matches regexp:
++        """
++        Reading package lists...
++        Building dependency tree...
++        Reading state information...
++        Calculating upgrade...
++
++        CAUTION: Your Ubuntu Pro subscription expired on \d+ \w+ \d+.
++        Renew your subscription at https:\/\/ubuntu.com\/pro to ensure continued security
++        coverage for your applications.
++        Your grace period will expire in 11 days.
++
++        The following packages will be upgraded:
++        """
++        When I update contract to use `effectiveTo` as `days=-20`
++        When I run `pro refresh messages` with sudo
++        When I run `apt-get upgrade --dry-run` with sudo
++        Then stdout matches regexp:
++        """
++        Reading package lists...
++        Building dependency tree...
++        Reading state information...
++        Calculating upgrade...
++
++        \*Your Ubuntu Pro subscription has EXPIRED\*
++        The following security updates require Ubuntu Pro with 'esm-infra' enabled:
++          .*
++        Renew your service at https:\/\/ubuntu.com\/pro
++
++        The following packages will be upgraded:
++        """
++        When I run `apt-get upgrade -y` with sudo
++        When I run `apt-get upgrade` with sudo
++        Then stdout matches regexp:
++        """
++        Reading package lists...
++        Building dependency tree...
++        Reading state information...
++        Calculating upgrade...
++
++        \*Your Ubuntu Pro subscription has EXPIRED\*
++        Renew your service at https:\/\/ubuntu.com\/pro
++
++        0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded\.
++        """
++        When I run `pro detach --assume-yes` with sudo
++        When I run `pro refresh messages` with sudo
++        When I run `apt-get upgrade` with sudo
++        Then stdout matches regexp:
++        """
++        Reading package lists...
++        Building dependency tree...
++        Reading state information...
++        Calculating upgrade...
++        Receive additional future security updates with Ubuntu Pro.
++        Learn more about Ubuntu Pro for 16\.04 at https:\/\/ubuntu\.com\/16-04
++        0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded\.
++        """
++        Examples: ubuntu release
++          | release |
++          | xenial  |
++
++    @series.focal
++    @uses.config.machine_type.lxd.container
++    Scenario Outline: APT Hook advertises esm-apps on upgrade
++        Given a `<release>` machine with ubuntu-advantage-tools installed
++        When I run `apt-get update` with sudo
++        When I run `apt-get -y upgrade` with sudo
++        When I run `apt-get -y autoremove` with sudo
++        When I run `apt-get install hello` with sudo
++        When I run `pro refresh messages` with sudo
++        When I run `apt-get upgrade` with sudo
++        Then I will see the following on stdout:
++        """
++        Reading package lists...
++        Building dependency tree...
++        Reading state information...
++        Calculating upgrade...
++        The following security updates require Ubuntu Pro with 'esm-apps' enabled:
++          hello
++        Learn more about Ubuntu Pro at https://ubuntu.com/pro
++        0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
++        """
++        When I attach `contract_token` with sudo
++        When I run `apt-get upgrade --dry-run` with sudo
++        Then stdout matches regexp:
++        """
++        Reading package lists...
++        Building dependency tree...
++        Reading state information...
++        Calculating upgrade...
++        The following packages will be upgraded:
++          hello
++        """
++        When I update contract to use `effectiveTo` as `days=-20`
++        When I run `pro refresh messages` with sudo
++        When I run `apt-get upgrade --dry-run` with sudo
++        Then stdout matches regexp:
++        """
++        Reading package lists...
++        Building dependency tree...
++        Reading state information...
++        Calculating upgrade...
++
++        \*Your Ubuntu Pro subscription has EXPIRED\*
++        The following security updates require Ubuntu Pro with 'esm-apps' enabled:
++          hello
++        Renew your service at https:\/\/ubuntu.com\/pro
++
++        The following packages will be upgraded:
++        """
++        When I run `apt-get upgrade -y` with sudo
++        When I run `pro detach --assume-yes` with sudo
++        When I run `pro refresh messages` with sudo
++        When I run `apt-get upgrade` with sudo
++        Then stdout matches regexp:
++        """
++        Reading package lists...
++        Building dependency tree...
++        Reading state information...
++        Calculating upgrade...
++        Receive additional future security updates with Ubuntu Pro.
++        Learn more about Ubuntu Pro at https:\/\/ubuntu\.com\/pro
++        0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded\.
++        """
++        Examples: ubuntu release
++          | release |
++          | focal   |
++
++    @series.xenial
++    @series.bionic
++    @uses.config.machine_type.aws.generic
++    Scenario Outline: AWS URLs
++        Given a `<release>` machine with ubuntu-advantage-tools installed
++        When I run `apt-get update` with sudo
++        When I run `pro refresh messages` with sudo
++        When I run `apt-get upgrade --dry-run` with sudo
++        Then stdout matches regexp:
++        """
++        <msg>
++        """
++        Examples: ubuntu release
++          | release | msg                                                                    |
++          | xenial  | Learn more about Ubuntu Pro for 16\.04 at https:\/\/ubuntu\.com\/16-04 |
++          | bionic  | Learn more about Ubuntu Pro on AWS at https:\/\/ubuntu\.com\/aws\/pro  |
++
++    @series.xenial
++    @series.bionic
++    @uses.config.machine_type.azure.generic
++    Scenario Outline: Azure URLs
++        Given a `<release>` machine with ubuntu-advantage-tools installed
++        When I run `apt-get update` with sudo
++        When I run `pro refresh messages` with sudo
++        When I run `apt-get upgrade --dry-run` with sudo
++        Then stdout matches regexp:
++        """
++        <msg>
++        """
++        Examples: ubuntu release
++          | release | msg                                                                                    |
++          | xenial  | Learn more about Ubuntu Pro for 16\.04 on Azure at https:\/\/ubuntu\.com\/16-04\/azure |
++          | bionic  | Learn more about Ubuntu Pro on Azure at https:\/\/ubuntu\.com\/azure\/pro              |
++
++    @series.xenial
++    @series.bionic
++    @uses.config.machine_type.gcp.generic
++    Scenario Outline: GCP URLs
++        Given a `<release>` machine with ubuntu-advantage-tools installed
++        When I run `apt-get update` with sudo
++        When I run `pro refresh messages` with sudo
++        When I run `apt-get upgrade --dry-run` with sudo
++        Then stdout matches regexp:
++        """
++        <msg>
++        """
++        Examples: ubuntu release
++          | release | msg                                                                    |
++          | xenial  | Learn more about Ubuntu Pro for 16\.04 at https:\/\/ubuntu\.com\/16-04 |
++          | bionic  | Learn more about Ubuntu Pro on GCP at https:\/\/ubuntu\.com\/gcp\/pro  |
 diff --git a/features/attach_invalidtoken.feature b/features/attach_invalidtoken.feature
 index 5c552fc..95cc47d 100644
 --- a/features/attach_invalidtoken.feature
 +++ b/features/attach_invalidtoken.feature
@@ -1,25 +1,25 @@
  Feature: Command behaviour when trying to attach a machine to an Ubuntu
--         Advantage subscription using an invalid token
++         Pro subscription using an invalid token
      @series.all
      @uses.config.machine_type.lxd.container
      Scenario Outline: Attach command failure on invalid token
          Given a `<release>` machine with ubuntu-advantage-tools installed
--        When I verify that running `ua attach INVALID_TOKEN` `with sudo` exits `1`
++        When I verify that running `pro attach INVALID_TOKEN` `with sudo` exits `1`
          Then stderr matches regexp:
              """
--            Invalid token. See https://ubuntu.com/advantage
++            Invalid token. See https://ubuntu.com/pro
              """
--        When I verify that running `ua attach INVALID_TOKEN` `as non-root` exits `1`
++        When I verify that running `pro attach INVALID_TOKEN` `as non-root` exits `1`
          Then I will see the following on stderr:
               """
               This command must be run as root (try using sudo).
               """
--        When I verify that running `ua attach invalid-token --format json` `with sudo` exits `1`
++        When I verify that running `pro attach invalid-token --format json` `with sudo` exits `1`
          Then stdout is a json matching the `ua_operation` schema
          And I will see the following on stdout:
              """
--            {"_schema_version": "0.1", "errors": [{"message": "Invalid token. See https://ubuntu.com/advantage", "message_code": "attach-invalid-token", "service": null, "type": "system"}], "failed_services": [], "needs_reboot": false, "processed_services": [], "result": "failure", "warnings": []}
++            {"_schema_version": "0.1", "errors": [{"message": "Invalid token. See https://ubuntu.com/pro", "message_code": "attach-invalid-token", "service": null, "type": "system"}], "failed_services": [], "needs_reboot": false, "processed_services": [], "result": "failure", "warnings": []}
              """
          Examples: ubuntu release
@@ -27,8 +27,8 @@ Feature: Command behaviour when trying to attach a machine to an Ubuntu
             | xenial  |
             | bionic  |
             | focal   |
--           | impish  |
             | jammy   |
++           | kinetic |
      @series.all
      @uses.config.machine_type.lxd.container
@@ -40,13 +40,13 @@ Feature: Command behaviour when trying to attach a machine to an Ubuntu
               """
               Attach denied:
               Contract ".*" .*
--             Visit https://ubuntu.com/advantage to manage contract tokens.
++             Visit https://ubuntu.com/pro to manage contract tokens.
               """
          When I verify that running attach `with sudo` using expired token with json response fails
          Then stdout is a json matching the `ua_operation` schema
          And I will see the following on stdout:
              """
--            {"_schema_version": "0.1", "errors": [{"additional_info": {"contract_expiry_date": "12-31-2019", "contract_id": "cAJ4NHcl2qAld2CbJt5cufzZNHgVZ0YTPIH96Ihsy4bU"}, "message": "Attach denied:\nContract \"cAJ4NHcl2qAld2CbJt5cufzZNHgVZ0YTPIH96Ihsy4bU\" expired on December 31, 2019\nVisit https://ubuntu.com/advantage to manage contract tokens.", "message_code": "attach-forbidden-expired", "service": null, "type": "system"}], "failed_services": [], "needs_reboot": false, "processed_services": [], "result": "failure", "warnings": []}
++            {"_schema_version": "0.1", "errors": [{"additional_info": {"contract_expiry_date": "12-31-2019", "contract_id": "cAJ4NHcl2qAld2CbJt5cufzZNHgVZ0YTPIH96Ihsy4bU"}, "message": "Attach denied:\nContract \"cAJ4NHcl2qAld2CbJt5cufzZNHgVZ0YTPIH96Ihsy4bU\" expired on December 31, 2019\nVisit https://ubuntu.com/pro to manage contract tokens.", "message_code": "attach-forbidden-expired", "service": null, "type": "system"}], "failed_services": [], "needs_reboot": false, "processed_services": [], "result": "failure", "warnings": []}
              """
          Examples: ubuntu release
@@ -54,5 +54,5 @@ Feature: Command behaviour when trying to attach a machine to an Ubuntu
             | xenial  |
             | bionic  |
             | focal   |
--           | impish  |
             | jammy   |
++           | kinetic |
 diff --git a/features/attach_validtoken.feature b/features/attach_validtoken.feature
 index 1223f25..ea0d05b 100644
 --- a/features/attach_validtoken.feature
 +++ b/features/attach_validtoken.feature
@@ -1,20 +1,20 @@
  @uses.config.contract_token
--Feature: Command behaviour when attaching a machine to an Ubuntu Advantage
++Feature: Command behaviour when attaching a machine to an Ubuntu Pro
          subscription using a valid token
--    @series.impish
++    @series.kinetic
      @uses.config.machine_type.lxd.container
      Scenario Outline: Attached command in a non-lts ubuntu machine
          Given a `<release>` machine with ubuntu-advantage-tools installed
          When I attach `contract_token` with sudo
--        And I run `ua status --all` as non-root
++        And I run `pro status --all` as non-root
          Then stdout matches regexp:
              """
              SERVICE       +ENTITLED  STATUS    DESCRIPTION
              cc-eal        +yes      +n/a      +Common Criteria EAL2 Provisioning Packages
              cis           +yes      +n/a      +Security compliance and audit tools
--            esm-apps      +yes      +n/a      +UA Apps: Extended Security Maintenance \(ESM\)
--            esm-infra     +yes      +n/a      +UA Infra: Extended Security Maintenance \(ESM\)
++            esm-apps      +yes      +n/a      +Expanded Security Maintenance for Applications
++            esm-infra     +yes      +n/a      +Expanded Security Maintenance for Infrastructure
              fips          +yes      +n/a      +NIST-certified core packages
              fips-updates  +yes      +n/a      +NIST-certified core packages with priority security updates
              livepatch     +yes      +n/a      +Canonical Livepatch service
@@ -22,7 +22,7 @@ Feature: Command behaviour when attaching a machine to an Ubuntu Advantage
          Examples: ubuntu release
              | release |
--            | impish  |
++            | kinetic |
      @series.lts
      @uses.config.machine_type.lxd.container
@@ -31,10 +31,10 @@ Feature: Command behaviour when attaching a machine to an Ubuntu Advantage
          When I run `apt-get update` with sudo, retrying exit [100]
          And I run `apt install update-motd` with sudo, retrying exit [100]
          And I run `DEBIAN_FRONTEND=noninteractive apt-get install -o Dpkg::Options::="--force-confdef" -o Dpkg::Options::="--force-confold" -y <downrev_pkg>` with sudo, retrying exit [100]
--        And I run `ua refresh messages` with sudo
++        And I run `pro refresh messages` with sudo
          Then stdout matches regexp:
          """
--        Successfully updated UA related APT and MOTD messages.
++        Successfully updated Ubuntu Pro related APT and MOTD messages.
          """
          When I run `update-motd` with sudo
          Then if `<release>` in `xenial` and stdout matches regexp:
@@ -54,7 +54,7 @@ Feature: Command behaviour when attaching a machine to an Ubuntu Advantage
          When I attach `contract_token` with sudo
          Then stdout matches regexp:
          """
--        UA Infra: ESM enabled
++        Ubuntu Pro: ESM Infra enabled
          """
          And stdout matches regexp:
          """
@@ -62,110 +62,18 @@ Feature: Command behaviour when attaching a machine to an Ubuntu Advantage
          """
          And stdout matches regexp:
          """
--        SERVICE      +ENTITLED  STATUS    DESCRIPTION
--        cc-eal       +yes      +<cc_status>     +Common Criteria EAL2 Provisioning Packages
--        """
--        And stdout matches regexp:
--        """
--        esm-apps     +yes      +enabled  +UA Apps: Extended Security Maintenance \(ESM\)
--        esm-infra    +yes      +enabled  +UA Infra: Extended Security Maintenance \(ESM\)
--        fips         +yes      +<fips> +NIST-certified core packages
--        fips-updates +yes      +<fips> +NIST-certified core packages with priority security updates
--        livepatch    +yes      +n/a      +<livepatch_desc>
--        """
--        And stdout matches regexp:
--        """
--        <cis_or_usg> +yes      +<cis>        +Security compliance and audit tools
++        esm-apps     +yes      +enabled  +Expanded Security Maintenance for Applications
++        esm-infra    +yes      +enabled  +Expanded Security Maintenance for Infrastructure
          """
          And stderr matches regexp:
          """
          Enabling default service esm-infra
          """
--        When I verify that running `ua attach contract_token` `with sudo` exits `2`
++        When I verify that running `pro attach contract_token` `with sudo` exits `2`
          Then stderr matches regexp:
          """
          This machine is already attached to '.+'
--        To use a different subscription first run: sudo ua detach.
--        """
--        When I run `ua disable esm-apps --assume-yes` with sudo
--        When I append the following on uaclient config:
--            """
--            features:
--              allow_beta: true
--            """
--        And I run `apt update` with sudo
--        And I run `ua refresh messages` with sudo
--        And I run `update-motd` with sudo
--        Then if `<release>` in `focal` and stdout matches regexp:
--        """
--        \* Introducing Extended Security Maintenance for Applications.
--          +Receive updates to over 30,000 software packages with your
--          +Ubuntu Advantage subscription. Free for personal use.
--
--            +https:\/\/ubuntu.com\/esm
--
--        \d+ update(s)? can be applied immediately.
--        \d+ of these updates (is|are) (a|an)? UA Infra: ESM security update(s)?.
--        (\d+ of these updates (is a|are) standard security update(s)?.)?
--        ?To see these additional updates run: apt list --upgradable
--        """
--        Then if `<release>` in `bionic` and stdout matches regexp:
--        """
--        \* Introducing Extended Security Maintenance for Applications.
--          +Receive updates to over 30,000 software packages with your
--          +Ubuntu Advantage subscription. Free for personal use.
--
--            +https:\/\/ubuntu.com\/esm
--
--        \d+ update(s)? can be applied immediately.
--        \d+ of these updates (is a|are) standard security update(s)?.
--        To see these additional updates run: apt list --upgradable
--        """
--        Then if `<release>` in `xenial` and stdout matches regexp:
--        """
--        \* Introducing Extended Security Maintenance for Applications.
--          +Receive updates to over 30,000 software packages with your
--          +Ubuntu Advantage subscription. Free for personal use.
--
--            +https:\/\/ubuntu.com\/16-04
--
--        UA Infra: Extended Security Maintenance \(ESM\) is enabled.
--
--        \d+ update(s)? can be applied immediately.
--        \d+ of these updates (is|are) UA Infra: ESM security update(s)?.
--        \d+ of these updates (is a|are) standard security update(s)?.
--        To see these additional updates run: apt list --upgradable
--        """
--        When I update contract to use `effectiveTo` as `days=-20`
--        And I delete the file `/var/lib/ubuntu-advantage/jobs-status.json`
--        And I run `python3 /usr/lib/ubuntu-advantage/timer.py` with sudo
--        And I run `update-motd` with sudo
--        Then if `<release>` in `xenial` and stdout matches regexp:
--        """
--
--        \*Your UA Infra: ESM subscription has EXPIRED\*
--
--        \d+ additional security update\(s\) could have been applied via UA Infra: ESM.
--
--        Renew your UA services at https:\/\/ubuntu.com\/advantage
--
--        """
--        Then if `<release>` in `xenial` and stdout matches regexp:
--        """
--
--        Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
--        applicable law.
--
--        """
--        When I run `apt upgrade --dry-run` with sudo
--        Then if `<release>` in `xenial` and stdout matches regexp:
--        """
--        \*Your UA Infra: ESM subscription has EXPIRED\*
--        Enabling UA Infra: ESM service would provide security updates for following packages:
--          .*
--        \d+ esm-infra security update\(s\) NOT APPLIED. Renew your UA services at
--        https:\/\/ubuntu.com\/advantage
--
++        To use a different subscription first run: sudo pro detach.
          """
          Examples: ubuntu release packages
@@ -185,7 +93,7 @@ Feature: Command behaviour when attaching a machine to an Ubuntu Advantage
          token: <contract_token>
          """
          When I replace `<contract_token>` in `/tmp/attach.yaml` with token `contract_token`
--        When I run `ua attach --attach-config /tmp/attach.yaml` with sudo
++        When I run `pro attach --attach-config /tmp/attach.yaml` with sudo
          Then stdout matches regexp:
          """
          esm-apps +yes +enabled
@@ -198,9 +106,9 @@ Feature: Command behaviour when attaching a machine to an Ubuntu Advantage
          """
          <cis_or_usg> +yes +disabled
          """
--        When I run `ua detach --assume-yes` with sudo
++        When I run `pro detach --assume-yes` with sudo
          # don't allow both token on cli and config
--        Then I verify that running `ua attach TOKEN --attach-config /tmp/attach.yaml` `with sudo` exits `1`
++        Then I verify that running `pro attach TOKEN --attach-config /tmp/attach.yaml` `with sudo` exits `1`
          Then stderr matches regexp:
          """
          Do not pass the TOKEN arg if you are using --attach-config.
@@ -215,7 +123,7 @@ Feature: Command behaviour when attaching a machine to an Ubuntu Advantage
            - <cis_or_usg>
          """
          When I replace `<contract_token>` in `/tmp/attach.yaml` with token `contract_token`
--        When I run `ua attach --attach-config /tmp/attach.yaml` with sudo
++        When I run `pro attach --attach-config /tmp/attach.yaml` with sudo
          Then stdout matches regexp:
          """
          esm-apps +yes +enabled
@@ -228,7 +136,7 @@ Feature: Command behaviour when attaching a machine to an Ubuntu Advantage
          """
          <cis_or_usg> +yes +enabled
          """
--        When I run `ua detach --assume-yes` with sudo
++        When I run `pro detach --assume-yes` with sudo
          # missing token
          When I create the file `/tmp/attach.yaml` with the following
          """
@@ -236,7 +144,7 @@ Feature: Command behaviour when attaching a machine to an Ubuntu Advantage
            - esm-apps
            - <cis_or_usg>
          """
--        Then I verify that running `ua attach --attach-config /tmp/attach.yaml` `with sudo` exits `1`
++        Then I verify that running `pro attach --attach-config /tmp/attach.yaml` `with sudo` exits `1`
          Then stderr matches regexp:
          """
          Error while reading /tmp/attach.yaml: Got value with incorrect type for field
@@ -249,7 +157,7 @@ Feature: Command behaviour when attaching a machine to an Ubuntu Advantage
          enable_services: {cis: true}
          """
          When I replace `<contract_token>` in `/tmp/attach.yaml` with token `contract_token`
--        Then I verify that running `ua attach --attach-config /tmp/attach.yaml` `with sudo` exits `1`
++        Then I verify that running `pro attach --attach-config /tmp/attach.yaml` `with sudo` exits `1`
          Then stderr matches regexp:
          """
          Error while reading /tmp/attach.yaml: Got value with incorrect type for field
@@ -265,7 +173,7 @@ Feature: Command behaviour when attaching a machine to an Ubuntu Advantage
            - nonexistent2
          """
          When I replace `<contract_token>` in `/tmp/attach.yaml` with token `contract_token`
--        Then I verify that running `ua attach --attach-config /tmp/attach.yaml` `with sudo` exits `1`
++        Then I verify that running `pro attach --attach-config /tmp/attach.yaml` `with sudo` exits `1`
          Then stdout matches regexp:
          """
          esm-apps +yes +enabled
@@ -311,7 +219,7 @@ Feature: Command behaviour when attaching a machine to an Ubuntu Advantage
          And I attach `contract_token` with sudo
          Then stdout matches regexp:
          """
--        UA Infra: ESM enabled
++        Ubuntu Pro: ESM Infra enabled
          """
          And stdout matches regexp:
          """
@@ -319,19 +227,7 @@ Feature: Command behaviour when attaching a machine to an Ubuntu Advantage
          """
          And stdout matches regexp:
          """
--        SERVICE      +ENTITLED  STATUS    DESCRIPTION
--        cc-eal       +yes      +<cc_status>     +Common Criteria EAL2 Provisioning Packages
--        """
--        And stdout matches regexp:
--        """
--        esm-infra    +yes      +enabled  +UA Infra: Extended Security Maintenance \(ESM\)
--        fips         +yes      +<fips_status>      +NIST-certified core packages
--        fips-updates +yes      +<fips_status>      +NIST-certified core packages with priority security updates
--        livepatch    +yes      +<lp_status>  +<lp_desc>
--        """
--        And stdout matches regexp:
--        """
--        <cis_or_usg>          +yes      +<cis_status> +Security compliance and audit tools
++        esm-infra    +yes      +enabled  +Expanded Security Maintenance for Infrastructure
          """
          And stderr matches regexp:
          """
@@ -372,7 +268,7 @@ Feature: Command behaviour when attaching a machine to an Ubuntu Advantage
          And I attach `contract_token` with sudo
          Then stdout matches regexp:
          """
--        UA Infra: ESM enabled
++        Ubuntu Pro: ESM Infra enabled
          """
          And stdout matches regexp:
          """
@@ -380,19 +276,7 @@ Feature: Command behaviour when attaching a machine to an Ubuntu Advantage
          """
          And stdout matches regexp:
          """
--        SERVICE      +ENTITLED  STATUS    DESCRIPTION
--        cc-eal       +yes      +<cc_status>     +Common Criteria EAL2 Provisioning Packages
--        """
--        And stdout matches regexp:
--        """
--        esm-infra    +yes      +enabled  +UA Infra: Extended Security Maintenance \(ESM\)
--        fips         +yes      +<fips_status> +NIST-certified core packages
--        fips-updates +yes      +<fips_status> +NIST-certified core packages with priority security updates
--        livepatch    +yes      +<lp_status>  +Canonical Livepatch service
--        """
--        And stdout matches regexp:
--        """
--        <cis_or_usg>          +yes      +<cis_status> +Security compliance and audit tools
++        esm-infra    +yes      +enabled  +Expanded Security Maintenance for Infrastructure
          """
          And stderr matches regexp:
          """
@@ -433,7 +317,7 @@ Feature: Command behaviour when attaching a machine to an Ubuntu Advantage
          And I attach `contract_token` with sudo
          Then stdout matches regexp:
          """
--        UA Infra: ESM enabled
++        Ubuntu Pro: ESM Infra enabled
          """
          And stdout matches regexp:
          """
@@ -441,19 +325,7 @@ Feature: Command behaviour when attaching a machine to an Ubuntu Advantage
          """
          And stdout matches regexp:
          """
--        SERVICE      +ENTITLED  STATUS    DESCRIPTION
--        cc-eal       +yes      +<cc_status>     +Common Criteria EAL2 Provisioning Packages
--        """
--        And stdout matches regexp:
--        """
--        esm-infra    +yes      +enabled  +UA Infra: Extended Security Maintenance \(ESM\)
--        fips         +yes      +<fips_status> +NIST-certified core packages
--        fips-updates +yes      +<fips_status> +NIST-certified core packages with priority security updates
--        livepatch    +yes      +<lp_status>  +Canonical Livepatch service
--        """
--        And stdout matches regexp:
--        """
--        <cis_or_usg>          +yes      +<cis_status> +Security compliance and audit tools
++        esm-infra    +yes      +enabled  +Expanded Security Maintenance for Infrastructure
          """
          And stderr matches regexp:
          """
@@ -481,16 +353,11 @@ Feature: Command behaviour when attaching a machine to an Ubuntu Advantage
              """
              {"_schema_version": "0.1", "errors": [], "failed_services": [], "needs_reboot": false, "processed_services": ["esm-apps", "esm-infra"], "result": "success", "warnings": []}
              """
--        When I run `ua status` with sudo
++        When I run `pro status` with sudo
          Then stdout matches regexp:
          """
--        SERVICE      +ENTITLED  STATUS    DESCRIPTION
--        cc-eal        +yes +<cc-eal>  +Common Criteria EAL2 Provisioning Packages
--        """
--        And stdout matches regexp:
--        """
--        esm-apps      +yes +enabled +UA Apps: Extended Security Maintenance \(ESM\)
--        esm-infra     +yes +enabled +UA Infra: Extended Security Maintenance \(ESM\)
++        esm-apps      +yes +enabled +Expanded Security Maintenance for Applications
++        esm-infra     +yes +enabled +Expanded Security Maintenance for Infrastructure
          """
          Examples: ubuntu release
@@ -507,7 +374,7 @@ Feature: Command behaviour when attaching a machine to an Ubuntu Advantage
         When I attach `contract_token` with sudo
         Then stdout matches regexp:
         """
--       UA Infra: ESM enabled
++       Ubuntu Pro: ESM Infra enabled
         """
         And stdout matches regexp:
         """
@@ -515,7 +382,7 @@ Feature: Command behaviour when attaching a machine to an Ubuntu Advantage
         """
         And stdout matches regexp:
         """
--       esm-infra    +yes      +enabled  +UA Infra: Extended Security Maintenance \(ESM\)
++       esm-infra    +yes      +enabled  +Expanded Security Maintenance for Infrastructure
         """
         When I create the file `/tmp/machine-token-overlay.json` with the following:
         """
@@ -532,23 +399,23 @@ Feature: Command behaviour when attaching a machine to an Ubuntu Advantage
         features:
           machine_token_overlay: "/tmp/machine-token-overlay.json"
         """
--       When I run `ua status` with sudo
++       When I run `pro status` with sudo
         Then stdout matches regexp:
         """
         A change has been detected in your contract.
--       Please run `sudo ua refresh`.
++       Please run `sudo pro refresh`.
         """
--       When I run `ua refresh contract` with sudo
++       When I run `pro refresh contract` with sudo
         Then stdout matches regexp:
         """
         Successfully refreshed your subscription.
         """
         When I run `sed -i '/^.*machine_token_overlay:/d' /etc/ubuntu-advantage/uaclient.conf` with sudo
--       And I run `ua status` with sudo
++       And I run `pro status` with sudo
         Then stdout does not match regexp:
         """
         A change has been detected in your contract.
--       Please run `sudo ua refresh`.
++       Please run `sudo pro refresh`.
         """
          Examples: ubuntu release livepatch status
 diff --git a/features/attached_commands.feature b/features/attached_commands.feature
 index 2707f5c..faa8d52 100644
 --- a/features/attached_commands.feature
 +++ b/features/attached_commands.feature
@@ -1,37 +1,37 @@
  @uses.config.contract_token
--Feature: Command behaviour when attached to an UA subscription
++Feature: Command behaviour when attached to an Ubuntu Pro subscription
      @series.all
      @uses.config.machine_type.lxd.container
      Scenario Outline: Attached refresh in a ubuntu machine
          Given a `<release>` machine with ubuntu-advantage-tools installed
          When I attach `contract_token` with sudo
--        Then I verify that running `ua refresh` `as non-root` exits `1`
++        Then I verify that running `pro refresh` `as non-root` exits `1`
          And stderr matches regexp:
              """
              This command must be run as root \(try using sudo\).
              """
--        When I run `ua refresh` with sudo
++        When I run `pro refresh` with sudo
          Then I will see the following on stdout:
              """
--            Successfully processed your ua configuration.
++            Successfully processed your pro configuration.
              Successfully refreshed your subscription.
--            Successfully updated UA related APT and MOTD messages.
++            Successfully updated Ubuntu Pro related APT and MOTD messages.
              """
--        When I run `ua refresh config` with sudo
++        When I run `pro refresh config` with sudo
          Then I will see the following on stdout:
              """
--            Successfully processed your ua configuration.
++            Successfully processed your pro configuration.
              """
--        When I run `ua refresh contract` with sudo
++        When I run `pro refresh contract` with sudo
          Then I will see the following on stdout:
              """
              Successfully refreshed your subscription.
              """
--        When I run `ua refresh messages` with sudo
++        When I run `pro refresh messages` with sudo
          Then I will see the following on stdout:
              """
--            Successfully updated UA related APT and MOTD messages.
++            Successfully updated Ubuntu Pro related APT and MOTD messages.
              """
          When I run `python3 /usr/lib/ubuntu-advantage/timer.py` with sudo
          And I run `sh -c "ls /var/log/ubuntu-advantage* | sort -d"` as non-root
@@ -55,25 +55,24 @@ Feature: Command behaviour when attached to an UA subscription
             | bionic  |
             | focal   |
             | xenial  |
--           | impish  |
             | jammy   |
--
++           | kinetic |
      @series.all
      @uses.config.machine_type.lxd.container
      Scenario Outline: Attached disable of an already disabled service in a ubuntu machine
          Given a `<release>` machine with ubuntu-advantage-tools installed
          When I attach `contract_token` with sudo
--        Then I verify that running `ua disable livepatch` `as non-root` exits `1`
++        Then I verify that running `pro disable livepatch` `as non-root` exits `1`
          And stderr matches regexp:
              """
              This command must be run as root \(try using sudo\).
              """
--        And I verify that running `ua disable livepatch` `with sudo` exits `1`
++        And I verify that running `pro disable livepatch` `with sudo` exits `1`
          And I will see the following on stdout:
              """
              Livepatch is not currently enabled
--            See: sudo ua status
++            See: sudo pro status
              """
          Examples: ubuntu release
@@ -81,52 +80,52 @@ Feature: Command behaviour when attached to an UA subscription
             | bionic  |
             | focal   |
             | xenial  |
--           | impish  |
             | jammy   |
++           | kinetic |
      @series.lts
      @uses.config.machine_type.lxd.container
      Scenario Outline: Attached disable with json format
          Given a `<release>` machine with ubuntu-advantage-tools installed
          When I attach `contract_token` with sudo
--        Then I verify that running `ua disable foobar --format json` `as non-root` exits `1`
++        Then I verify that running `pro disable foobar --format json` `as non-root` exits `1`
          And stdout is a json matching the `ua_operation` schema
          And I will see the following on stdout:
              """
              {"_schema_version": "0.1", "errors": [{"message": "json formatted response requires --assume-yes flag.", "message_code": "json-format-require-assume-yes", "service": null, "type": "system"}], "failed_services": [], "needs_reboot": false, "processed_services": [], "result": "failure", "warnings": []}
              """
--        Then I verify that running `ua disable foobar --format json` `with sudo` exits `1`
++        Then I verify that running `pro disable foobar --format json` `with sudo` exits `1`
          And stdout is a json matching the `ua_operation` schema
          And I will see the following on stdout:
              """
              {"_schema_version": "0.1", "errors": [{"message": "json formatted response requires --assume-yes flag.", "message_code": "json-format-require-assume-yes", "service": null, "type": "system"}], "failed_services": [], "needs_reboot": false, "processed_services": [], "result": "failure", "warnings": []}
              """
--        Then I verify that running `ua disable foobar --format json --assume-yes` `as non-root` exits `1`
++        Then I verify that running `pro disable foobar --format json --assume-yes` `as non-root` exits `1`
          And stdout is a json matching the `ua_operation` schema
          And I will see the following on stdout:
              """
              {"_schema_version": "0.1", "errors": [{"message": "This command must be run as root (try using sudo).", "message_code": "nonroot-user", "service": null, "type": "system"}], "failed_services": [], "needs_reboot": false, "processed_services": [], "result": "failure", "warnings": []}
              """
--        And I verify that running `ua disable foobar --format json --assume-yes` `with sudo` exits `1`
++        And I verify that running `pro disable foobar --format json --assume-yes` `with sudo` exits `1`
          And stdout is a json matching the `ua_operation` schema
          And I will see the following on stdout:
              """
              {"_schema_version": "0.1", "errors": [{"message": "Cannot disable unknown service 'foobar'.\nTry <valid_services>", "message_code": "invalid-service-or-failure", "service": null, "type": "system"}], "failed_services": [], "needs_reboot": false, "processed_services": [], "result": "failure", "warnings": []}
              """
--        And I verify that running `ua disable livepatch --format json --assume-yes` `with sudo` exits `1`
++        And I verify that running `pro disable livepatch --format json --assume-yes` `with sudo` exits `1`
          And stdout is a json matching the `ua_operation` schema
          And I will see the following on stdout:
          """
--        {"_schema_version": "0.1", "errors": [{"message": "Livepatch is not currently enabled\nSee: sudo ua status", "message_code": "service-already-disabled", "service": "livepatch", "type": "service"}], "failed_services": ["livepatch"], "needs_reboot": false, "processed_services": [], "result": "failure", "warnings": []}
++        {"_schema_version": "0.1", "errors": [{"message": "Livepatch is not currently enabled\nSee: sudo pro status", "message_code": "service-already-disabled", "service": "livepatch", "type": "service"}], "failed_services": ["livepatch"], "needs_reboot": false, "processed_services": [], "result": "failure", "warnings": []}
          """
--        And I verify that running `ua disable esm-infra esm-apps --format json --assume-yes` `with sudo` exits `0`
++        And I verify that running `pro disable esm-infra esm-apps --format json --assume-yes` `with sudo` exits `0`
          And stdout is a json matching the `ua_operation` schema
          And I will see the following on stdout:
          """
          {"_schema_version": "0.1", "errors": [], "failed_services": [], "needs_reboot": false, "processed_services": ["esm-apps", "esm-infra"], "result": "success", "warnings": []}
          """
--        When I run `ua enable esm-infra` with sudo
--        Then I verify that running `ua disable esm-infra foobar --format json --assume-yes` `with sudo` exits `1`
++        When I run `pro enable esm-infra` with sudo
++        Then I verify that running `pro disable esm-infra foobar --format json --assume-yes` `with sudo` exits `1`
          And stdout is a json matching the `ua_operation` schema
          And I will see the following on stdout:
          """
@@ -147,31 +146,31 @@ Feature: Command behaviour when attached to an UA subscription
      Scenario Outline: Attached disable of a service in a ubuntu machine
          Given a `<release>` machine with ubuntu-advantage-tools installed
          When I attach `contract_token` with sudo
--        Then I verify that running `ua disable foobar` `as non-root` exits `1`
++        Then I verify that running `pro disable foobar` `as non-root` exits `1`
          And stderr matches regexp:
              """
              This command must be run as root \(try using sudo\).
              """
--        And I verify that running `ua disable foobar` `with sudo` exits `1`
++        And I verify that running `pro disable foobar` `with sudo` exits `1`
          And stderr matches regexp:
              """
              Cannot disable unknown service 'foobar'.
              <msg>
              """
--        And I verify that running `ua disable esm-infra` `as non-root` exits `1`
++        And I verify that running `pro disable esm-infra` `as non-root` exits `1`
          And stderr matches regexp:
              """
              This command must be run as root \(try using sudo\).
              """
--        When I run `ua disable esm-infra` with sudo
++        When I run `pro disable esm-infra` with sudo
          Then I will see the following on stdout:
              """
              Updating package lists
              """
--        When I run `ua status` with sudo
++        When I run `pro status` with sudo
          Then stdout matches regexp:
              """
--            esm-infra    +yes      +disabled +UA Infra: Extended Security Maintenance \(ESM\)
++            esm-infra    +yes      +disabled +Expanded Security Maintenance for Infrastructure
              """
          And I verify that running `apt update` `with sudo` exits `0`
@@ -186,32 +185,32 @@ Feature: Command behaviour when attached to an UA subscription
      Scenario: Attached disable of a service in a ubuntu machine
          Given a `focal` machine with ubuntu-advantage-tools installed
          When I attach `contract_token` with sudo
--        Then I verify that running `ua disable foobar` `as non-root` exits `1`
++        Then I verify that running `pro disable foobar` `as non-root` exits `1`
          And stderr matches regexp:
              """
              This command must be run as root \(try using sudo\).
              """
--        And I verify that running `ua disable foobar` `with sudo` exits `1`
++        And I verify that running `pro disable foobar` `with sudo` exits `1`
          And stderr matches regexp:
              """
              Cannot disable unknown service 'foobar'.
              Try cc-eal, esm-apps, esm-infra, fips, fips-updates, livepatch, realtime-kernel,
              ros, ros-updates, usg.
              """
--        And I verify that running `ua disable esm-infra` `as non-root` exits `1`
++        And I verify that running `pro disable esm-infra` `as non-root` exits `1`
          And stderr matches regexp:
              """
              This command must be run as root \(try using sudo\).
              """
--        When I run `ua disable esm-infra` with sudo
++        When I run `pro disable esm-infra` with sudo
          Then I will see the following on stdout:
              """
              Updating package lists
              """
--        When I run `ua status` with sudo
++        When I run `pro status` with sudo
          Then stdout matches regexp:
              """
--            esm-infra    +yes      +disabled +UA Infra: Extended Security Maintenance \(ESM\)
++            esm-infra    +yes      +disabled +Expanded Security Maintenance for Infrastructure
              """
          And I verify that running `apt update` `with sudo` exits `0`
@@ -221,12 +220,12 @@ Feature: Command behaviour when attached to an UA subscription
      Scenario Outline: Attached detach in an ubuntu machine
          Given a `<release>` machine with ubuntu-advantage-tools installed
          When I attach `contract_token` with sudo
--        Then I verify that running `ua detach` `as non-root` exits `1`
++        Then I verify that running `pro detach` `as non-root` exits `1`
          And stderr matches regexp:
              """
              This command must be run as root \(try using sudo\).
              """
--        When I run `ua detach --assume-yes` with sudo
++        When I run `pro detach --assume-yes` with sudo
          Then I will see the following on stdout:
              """
              Detach will disable the following services:
@@ -236,7 +235,7 @@ Feature: Command behaviour when attached to an UA subscription
              Updating package lists
              This machine is now detached.
              """
--       When I run `ua status --all` as non-root
++       When I run `pro status --all` as non-root
         Then stdout matches regexp:
            """
            SERVICE       +AVAILABLE  DESCRIPTION
@@ -244,8 +243,8 @@ Feature: Command behaviour when attached to an UA subscription
            """
         Then stdout matches regexp:
            """
--          esm-apps      +<esm-apps> +UA Apps: Extended Security Maintenance \(ESM\)
--          esm-infra     +yes        +UA Infra: Extended Security Maintenance \(ESM\)
++          esm-apps      +<esm-apps> +Expanded Security Maintenance for Applications
++          esm-infra     +yes        +Expanded Security Maintenance for Infrastructure
            fips          +<fips>     +NIST-certified core packages
            fips-updates  +<fips>     +NIST-certified core packages with priority security updates
            livepatch     +(yes|no)   +Canonical Livepatch service
@@ -259,29 +258,29 @@ Feature: Command behaviour when attached to an UA subscription
            """
         And stdout matches regexp:
            """
--          This machine is not attached to a UA subscription.
++          This machine is not attached to an Ubuntu Pro subscription.
            """
         And I verify that running `apt update` `with sudo` exits `0`
         When I attach `contract_token` with sudo
--       Then I verify that running `ua enable foobar --format json` `as non-root` exits `1`
++       Then I verify that running `pro enable foobar --format json` `as non-root` exits `1`
         And stdout is a json matching the `ua_operation` schema
         And I will see the following on stdout:
             """
             {"_schema_version": "0.1", "errors": [{"message": "json formatted response requires --assume-yes flag.", "message_code": "json-format-require-assume-yes", "service": null, "type": "system"}], "failed_services": [], "needs_reboot": false, "processed_services": [], "result": "failure", "warnings": []}
              """
--       Then I verify that running `ua enable foobar --format json` `with sudo` exits `1`
++       Then I verify that running `pro enable foobar --format json` `with sudo` exits `1`
         And stdout is a json matching the `ua_operation` schema
         And I will see the following on stdout:
             """
             {"_schema_version": "0.1", "errors": [{"message": "json formatted response requires --assume-yes flag.", "message_code": "json-format-require-assume-yes", "service": null, "type": "system"}], "failed_services": [], "needs_reboot": false, "processed_services": [], "result": "failure", "warnings": []}
             """
--       Then I verify that running `ua detach --format json --assume-yes` `as non-root` exits `1`
++       Then I verify that running `pro detach --format json --assume-yes` `as non-root` exits `1`
         And stdout is a json matching the `ua_operation` schema
         And I will see the following on stdout:
             """
             {"_schema_version": "0.1", "errors": [{"message": "This command must be run as root (try using sudo).", "message_code": "nonroot-user", "service": null, "type": "system"}], "failed_services": [], "needs_reboot": false, "processed_services": [], "result": "failure", "warnings": []}
             """
--       When I run `ua detach --format json --assume-yes` with sudo
++       When I run `pro detach --format json --assume-yes` with sudo
         Then stdout is a json matching the `ua_operation` schema
         And I will see the following on stdout:
             """
@@ -300,15 +299,15 @@ Feature: Command behaviour when attached to an UA subscription
      Scenario Outline: Attached auto-attach in a ubuntu machine
          Given a `<release>` machine with ubuntu-advantage-tools installed
          When I attach `contract_token` with sudo
--        Then I verify that running `ua auto-attach` `as non-root` exits `1`
++        Then I verify that running `pro auto-attach` `as non-root` exits `1`
          And stderr matches regexp:
              """
              This command must be run as root \(try using sudo\).
              """
--        When I verify that running `ua auto-attach` `with sudo` exits `2`
++        When I verify that running `pro auto-attach` `with sudo` exits `0`
          Then stderr matches regexp:
              """
--            This machine is already attached
++            Skipping auto-attach: Instance is already attached.
              """
          Examples: ubuntu release
@@ -316,21 +315,21 @@ Feature: Command behaviour when attached to an UA subscription
             | bionic  |
             | focal   |
             | xenial  |
--           | impish  |
             | jammy   |
++           | kinetic |
      @series.all
      @uses.config.machine_type.lxd.container
      Scenario Outline: Attached show version in a ubuntu machine
          Given a `<release>` machine with ubuntu-advantage-tools installed
          When I attach `contract_token` with sudo
--        And I run `ua version` as non-root
++        And I run `pro version` as non-root
          Then I will see the uaclient version on stdout
--        When I run `ua version` with sudo
++        When I run `pro version` with sudo
          Then I will see the uaclient version on stdout
--        When I run `ua --version` as non-root
++        When I run `pro --version` as non-root
          Then I will see the uaclient version on stdout
--        When I run `ua --version` with sudo
++        When I run `pro --version` with sudo
          Then I will see the uaclient version on stdout
          Examples: ubuntu release
@@ -338,8 +337,8 @@ Feature: Command behaviour when attached to an UA subscription
             | bionic  |
             | focal   |
             | xenial  |
--           | impish  |
             | jammy   |
++           | kinetic |
      @series.all
      @uses.config.machine_type.lxd.container
@@ -368,7 +367,7 @@ Feature: Command behaviour when attached to an UA subscription
            other: false
          """
          And I attach `contract_token` with sudo
--        And I run `ua status --all` with sudo
++        And I run `pro status --all` with sudo
          Then stdout matches regexp:
          """
          SERVICE       +ENTITLED  STATUS    DESCRIPTION
@@ -381,7 +380,7 @@ Feature: Command behaviour when attached to an UA subscription
          machine_token_overlay: /tmp/machine-token-overlay.json
          other: False
          """
--        When I run `ua status --all` as non-root
++        When I run `pro status --all` as non-root
          Then stdout matches regexp:
          """
          SERVICE       +ENTITLED  STATUS    DESCRIPTION
@@ -394,7 +393,8 @@ Feature: Command behaviour when attached to an UA subscription
          machine_token_overlay: /tmp/machine-token-overlay.json
          other: False
          """
--        When I run `ua auto-attach` with sudo
++        When I run `pro detach --assume-yes` with sudo
++        When I run `pro auto-attach` with sudo
          Then stdout matches regexp:
          """
          Skipping auto-attach. Config disable_auto_attach is set.
@@ -405,8 +405,8 @@ Feature: Command behaviour when attached to an UA subscription
             | bionic  |
             | focal   |
             | xenial  |
--           | impish  |
             | jammy   |
++           | kinetic |
      @series.xenial
      @series.bionic
@@ -414,17 +414,17 @@ Feature: Command behaviour when attached to an UA subscription
      Scenario Outline: Attached disable of different services in a ubuntu machine
          Given a `<release>` machine with ubuntu-advantage-tools installed
          When I attach `contract_token` with sudo
--        Then I verify that running `ua disable esm-infra livepatch foobar` `as non-root` exits `1`
++        Then I verify that running `pro disable esm-infra livepatch foobar` `as non-root` exits `1`
          And stderr matches regexp:
              """
              This command must be run as root \(try using sudo\)
              """
--        And I verify that running `ua disable esm-infra livepatch foobar` `with sudo` exits `1`
++        And I verify that running `pro disable esm-infra livepatch foobar` `with sudo` exits `1`
          And I will see the following on stdout:
              """
              Updating package lists
              Livepatch is not currently enabled
--            See: sudo ua status
++            See: sudo pro status
              """
          And stderr matches regexp:
              """
@@ -432,18 +432,18 @@ Feature: Command behaviour when attached to an UA subscription
              Try cc-eal, cis, esm-apps, esm-infra, fips, fips-updates, livepatch,
              realtime-kernel, ros, ros-updates.
              """
--        When I run `ua status` with sudo
++        When I run `pro status` with sudo
          Then stdout matches regexp:
              """
--            esm-infra    +yes      +disabled +UA Infra: Extended Security Maintenance \(ESM\)
++            esm-infra    +yes      +disabled +Expanded Security Maintenance for Infrastructure
              """
          When I run `touch /var/run/reboot-required` with sudo
          And I run `touch /var/run/reboot-required.pkgs` with sudo
--        And I run `ua enable esm-infra` with sudo
++        And I run `pro enable esm-infra` with sudo
          Then stdout matches regexp:
              """
              Updating package lists
--            UA Infra: ESM enabled
++            Ubuntu Pro: ESM Infra enabled
              """
          And stdout does not match regexp:
              """
@@ -461,17 +461,17 @@ Feature: Command behaviour when attached to an UA subscription
      Scenario: Attached disable of different services in a ubuntu machine
          Given a `focal` machine with ubuntu-advantage-tools installed
          When I attach `contract_token` with sudo
--        Then I verify that running `ua disable esm-infra livepatch foobar` `as non-root` exits `1`
++        Then I verify that running `pro disable esm-infra livepatch foobar` `as non-root` exits `1`
          And stderr matches regexp:
              """
              This command must be run as root \(try using sudo\)
              """
--        And I verify that running `ua disable esm-infra livepatch foobar` `with sudo` exits `1`
++        And I verify that running `pro disable esm-infra livepatch foobar` `with sudo` exits `1`
          And I will see the following on stdout:
              """
              Updating package lists
              Livepatch is not currently enabled
--            See: sudo ua status
++            See: sudo pro status
              """
          And stderr matches regexp:
              """
@@ -479,18 +479,18 @@ Feature: Command behaviour when attached to an UA subscription
              Try cc-eal, esm-apps, esm-infra, fips, fips-updates, livepatch, realtime-kernel,
              ros, ros-updates, usg.
              """
--        When I run `ua status` with sudo
++        When I run `pro status` with sudo
          Then stdout matches regexp:
              """
--            esm-infra    +yes      +disabled +UA Infra: Extended Security Maintenance \(ESM\)
++            esm-infra    +yes      +disabled +Expanded Security Maintenance for Infrastructure
              """
          When I run `touch /var/run/reboot-required` with sudo
          And I run `touch /var/run/reboot-required.pkgs` with sudo
--        And I run `ua enable esm-infra` with sudo
++        And I run `pro enable esm-infra` with sudo
          Then stdout matches regexp:
              """
              Updating package lists
--            UA Infra: ESM enabled
++            Ubuntu Pro: ESM Infra enabled
              """
          And stdout does not match regexp:
              """
@@ -502,46 +502,47 @@ Feature: Command behaviour when attached to an UA subscription
      Scenario Outline: Help command on an attached machine
          Given a `<release>` machine with ubuntu-advantage-tools installed
          When I attach `contract_token` with sudo
--        And I run `ua help esm-infra` with sudo
++        And I run `pro help esm-infra` with sudo
          Then I will see the following on stdout:
--            """
--            Name:
--            esm-infra
++        """
++        Name:
++        esm-infra
--            Entitled:
--            yes
++        Entitled:
++        yes
--            Status:
--            <infra-status>
++        Status:
++        <infra-status>
--            Help:
--            esm-infra provides access to a private ppa which includes available high
--            and critical CVE fixes for Ubuntu LTS packages in the Ubuntu Main
--            repository between the end of the standard Ubuntu LTS security
--            maintenance and its end of life. It is enabled by default with
--            Extended Security Maintenance (ESM) for UA Apps and UA Infra.
--            You can find our more about the esm service at
--            https://ubuntu.com/security/esm
--            """
--        When I run `ua help esm-infra --format json` with sudo
++        Help:
++        Expanded Security Maintenance for Infrastructure provides access
++        to a private ppa which includes available high and critical CVE fixes
++        for Ubuntu LTS packages in the Ubuntu Main repository between the end
++        of the standard Ubuntu LTS security maintenance and its end of life.
++        It is enabled by default with Ubuntu Pro. You can find out more about
++        the service at https://ubuntu.com/security/esm
++        """
++        When I run `pro help esm-infra --format json` with sudo
          Then I will see the following on stdout:
--            """
--            {"name": "esm-infra", "entitled": "yes", "status": "<infra-status>", "help": "esm-infra provides access to a private ppa which includes available high\nand critical CVE fixes for Ubuntu LTS packages in the Ubuntu Main\nrepository between the end of the standard Ubuntu LTS security\nmaintenance and its end of life. It is enabled by default with\nExtended Security Maintenance (ESM) for UA Apps and UA Infra.\nYou can find our more about the esm service at\nhttps://ubuntu.com/security/esm\n"}
--            """
--        And I verify that running `ua help invalid-service` `with sudo` exits `1`
++        """
++        {"name": "esm-infra", "entitled": "yes", "status": "<infra-status>", "help": "Expanded Security Maintenance for Infrastructure provides access\nto a private ppa which includes available high and critical CVE fixes\nfor Ubuntu LTS packages in the Ubuntu Main repository between the end\nof the standard Ubuntu LTS security maintenance and its end of life.\nIt is enabled by default with Ubuntu Pro. You can find out more about\nthe service at https://ubuntu.com/security/esm\n"}
++        """
++        And I verify that running `pro help invalid-service` `with sudo` exits `1`
          And I will see the following on stderr:
--            """
--            No help available for 'invalid-service'
--            """
--        When I run `ua --help` as non-root
++        """
++        No help available for 'invalid-service'
++        """
++        When I run `pro --help` as non-root
          Then stdout matches regexp:
          """
--        Client to manage Ubuntu Advantage services on a machine.
++        Client to manage Ubuntu Pro services on a machine.
           - cc-eal: Common Criteria EAL2 Provisioning Packages
             \(https://ubuntu.com/cc-eal\)
           - cis: Security compliance and audit tools
             \(https://ubuntu.com/security/certifications/docs/usg\)
--         - esm-infra: UA Infra: Extended Security Maintenance \(ESM\)
++         - esm-apps: Expanded Security Maintenance for Applications
++           \(https://ubuntu.com/security/esm\)
++         - esm-infra: Expanded Security Maintenance for Infrastructure
             \(https://ubuntu.com/security/esm\)
           - fips-updates: NIST-certified core packages with priority security updates
             \(https://ubuntu.com/security/certifications#fips\)
@@ -549,16 +550,22 @@ Feature: Command behaviour when attached to an UA subscription
             \(https://ubuntu.com/security/certifications#fips\)
           - livepatch: Canonical Livepatch service
             \(https://ubuntu.com/security/livepatch\)
++         - ros-updates: All Updates for the Robot Operating System
++           \(https://ubuntu.com/robotics/ros-esm\)
++         - ros: Security Updates for the Robot Operating System
++           \(https://ubuntu.com/robotics/ros-esm\)
          """
--        When I run `ua help` with sudo
++        When I run `pro help` with sudo
          Then stdout matches regexp:
          """
--        Client to manage Ubuntu Advantage services on a machine.
++        Client to manage Ubuntu Pro services on a machine.
           - cc-eal: Common Criteria EAL2 Provisioning Packages
             \(https://ubuntu.com/cc-eal\)
           - cis: Security compliance and audit tools
             \(https://ubuntu.com/security/certifications/docs/usg\)
--         - esm-infra: UA Infra: Extended Security Maintenance \(ESM\)
++         - esm-apps: Expanded Security Maintenance for Applications
++           \(https://ubuntu.com/security/esm\)
++         - esm-infra: Expanded Security Maintenance for Infrastructure
             \(https://ubuntu.com/security/esm\)
           - fips-updates: NIST-certified core packages with priority security updates
             \(https://ubuntu.com/security/certifications#fips\)
@@ -566,18 +573,22 @@ Feature: Command behaviour when attached to an UA subscription
             \(https://ubuntu.com/security/certifications#fips\)
           - livepatch: Canonical Livepatch service
             \(https://ubuntu.com/security/livepatch\)
++         - ros-updates: All Updates for the Robot Operating System
++           \(https://ubuntu.com/robotics/ros-esm\)
++         - ros: Security Updates for the Robot Operating System
++           \(https://ubuntu.com/robotics/ros-esm\)
          """
--        When I run `ua help --all` as non-root
++        When I run `pro help --all` as non-root
          Then stdout matches regexp:
          """
--        Client to manage Ubuntu Advantage services on a machine.
++        Client to manage Ubuntu Pro services on a machine.
           - cc-eal: Common Criteria EAL2 Provisioning Packages
             \(https://ubuntu.com/cc-eal\)
           - cis: Security compliance and audit tools
             \(https://ubuntu.com/security/certifications/docs/usg\)
--         - esm-apps: UA Apps: Extended Security Maintenance \(ESM\)
++         - esm-apps: Expanded Security Maintenance for Applications
             \(https://ubuntu.com/security/esm\)
--         - esm-infra: UA Infra: Extended Security Maintenance \(ESM\)
++         - esm-infra: Expanded Security Maintenance for Infrastructure
             \(https://ubuntu.com/security/esm\)
           - fips-updates: NIST-certified core packages with priority security updates
             \(https://ubuntu.com/security/certifications#fips\)
@@ -597,7 +608,7 @@ Feature: Command behaviour when attached to an UA subscription
             | release | infra-status |
             | bionic  | enabled      |
             | xenial  | enabled      |
--           | impish  | n/a          |
++           | kinetic | n/a          |
      @series.jammy
      @series.focal
@@ -605,44 +616,45 @@ Feature: Command behaviour when attached to an UA subscription
      Scenario Outline: Help command on an attached machine
          Given a `<release>` machine with ubuntu-advantage-tools installed
          When I attach `contract_token` with sudo
--        And I run `ua help esm-infra` with sudo
++        And I run `pro help esm-infra` with sudo
          Then I will see the following on stdout:
--            """
--            Name:
--            esm-infra
++        """
++        Name:
++        esm-infra
--            Entitled:
--            yes
++        Entitled:
++        yes
--            Status:
--            enabled
++        Status:
++        enabled
--            Help:
--            esm-infra provides access to a private ppa which includes available high
--            and critical CVE fixes for Ubuntu LTS packages in the Ubuntu Main
--            repository between the end of the standard Ubuntu LTS security
--            maintenance and its end of life. It is enabled by default with
--            Extended Security Maintenance (ESM) for UA Apps and UA Infra.
--            You can find our more about the esm service at
--            https://ubuntu.com/security/esm
--            """
--        When I run `ua help esm-infra --format json` with sudo
++        Help:
++        Expanded Security Maintenance for Infrastructure provides access
++        to a private ppa which includes available high and critical CVE fixes
++        for Ubuntu LTS packages in the Ubuntu Main repository between the end
++        of the standard Ubuntu LTS security maintenance and its end of life.
++        It is enabled by default with Ubuntu Pro. You can find out more about
++        the service at https://ubuntu.com/security/esm
++        """
++        When I run `pro help esm-infra --format json` with sudo
          Then I will see the following on stdout:
--            """
--            {"name": "esm-infra", "entitled": "yes", "status": "enabled", "help": "esm-infra provides access to a private ppa which includes available high\nand critical CVE fixes for Ubuntu LTS packages in the Ubuntu Main\nrepository between the end of the standard Ubuntu LTS security\nmaintenance and its end of life. It is enabled by default with\nExtended Security Maintenance (ESM) for UA Apps and UA Infra.\nYou can find our more about the esm service at\nhttps://ubuntu.com/security/esm\n"}
--            """
--        And I verify that running `ua help invalid-service` `with sudo` exits `1`
++        """
++        {"name": "esm-infra", "entitled": "yes", "status": "enabled", "help": "Expanded Security Maintenance for Infrastructure provides access\nto a private ppa which includes available high and critical CVE fixes\nfor Ubuntu LTS packages in the Ubuntu Main repository between the end\nof the standard Ubuntu LTS security maintenance and its end of life.\nIt is enabled by default with Ubuntu Pro. You can find out more about\nthe service at https://ubuntu.com/security/esm\n"}
++        """
++        And I verify that running `pro help invalid-service` `with sudo` exits `1`
          And I will see the following on stderr:
--            """
--            No help available for 'invalid-service'
--            """
--        When I run `ua --help` as non-root
++        """
++        No help available for 'invalid-service'
++        """
++        When I run `pro --help` as non-root
          Then stdout matches regexp:
          """
--        Client to manage Ubuntu Advantage services on a machine.
++        Client to manage Ubuntu Pro services on a machine.
           - cc-eal: Common Criteria EAL2 Provisioning Packages
             \(https://ubuntu.com/cc-eal\)
--         - esm-infra: UA Infra: Extended Security Maintenance \(ESM\)
++         - esm-apps: Expanded Security Maintenance for Applications
++           \(https://ubuntu.com/security/esm\)
++         - esm-infra: Expanded Security Maintenance for Infrastructure
             \(https://ubuntu.com/security/esm\)
           - fips-updates: NIST-certified core packages with priority security updates
             \(https://ubuntu.com/security/certifications#fips\)
@@ -650,16 +662,22 @@ Feature: Command behaviour when attached to an UA subscription
             \(https://ubuntu.com/security/certifications#fips\)
           - livepatch: Canonical Livepatch service
             \(https://ubuntu.com/security/livepatch\)
++         - ros-updates: All Updates for the Robot Operating System
++           \(https://ubuntu.com/robotics/ros-esm\)
++         - ros: Security Updates for the Robot Operating System
++           \(https://ubuntu.com/robotics/ros-esm\)
           - usg: Security compliance and audit tools
             \(https://ubuntu.com/security/certifications/docs/usg\)
          """
--        When I run `ua help` with sudo
++        When I run `pro help` with sudo
          Then stdout matches regexp:
          """
--        Client to manage Ubuntu Advantage services on a machine.
++        Client to manage Ubuntu Pro services on a machine.
           - cc-eal: Common Criteria EAL2 Provisioning Packages
             \(https://ubuntu.com/cc-eal\)
--         - esm-infra: UA Infra: Extended Security Maintenance \(ESM\)
++         - esm-apps: Expanded Security Maintenance for Applications
++           \(https://ubuntu.com/security/esm\)
++         - esm-infra: Expanded Security Maintenance for Infrastructure
             \(https://ubuntu.com/security/esm\)
           - fips-updates: NIST-certified core packages with priority security updates
             \(https://ubuntu.com/security/certifications#fips\)
@@ -667,18 +685,22 @@ Feature: Command behaviour when attached to an UA subscription
             \(https://ubuntu.com/security/certifications#fips\)
           - livepatch: Canonical Livepatch service
             \(https://ubuntu.com/security/livepatch\)
++         - ros-updates: All Updates for the Robot Operating System
++           \(https://ubuntu.com/robotics/ros-esm\)
++         - ros: Security Updates for the Robot Operating System
++           \(https://ubuntu.com/robotics/ros-esm\)
           - usg: Security compliance and audit tools
             \(https://ubuntu.com/security/certifications/docs/usg\)
          """
--        When I run `ua help --all` as non-root
++        When I run `pro help --all` as non-root
          Then stdout matches regexp:
          """
--        Client to manage Ubuntu Advantage services on a machine.
++        Client to manage Ubuntu Pro services on a machine.
           - cc-eal: Common Criteria EAL2 Provisioning Packages
             \(https://ubuntu.com/cc-eal\)
--         - esm-apps: UA Apps: Extended Security Maintenance \(ESM\)
++         - esm-apps: Expanded Security Maintenance for Applications
             \(https://ubuntu.com/security/esm\)
--         - esm-infra: UA Infra: Extended Security Maintenance \(ESM\)
++         - esm-infra: Expanded Security Maintenance for Infrastructure
             \(https://ubuntu.com/security/esm\)
           - fips-updates: NIST-certified core packages with priority security updates
             \(https://ubuntu.com/security/certifications#fips\)
@@ -706,11 +728,11 @@ Feature: Command behaviour when attached to an UA subscription
      Scenario Outline: Enable command with invalid repositories in user machine
          Given a `<release>` machine with ubuntu-advantage-tools installed
          When I attach `contract_token` with sudo
--        And I run `ua disable esm-infra` with sudo
++        And I run `pro disable esm-infra` with sudo
          And I run `add-apt-repository ppa:cloud-init-dev/daily -y` with sudo, retrying exit [1]
          And I run `apt update` with sudo
          And I run `sed -i 's/ubuntu/ubun/' /etc/apt/sources.list.d/<ppa_file>.list` with sudo
--        And I verify that running `ua enable esm-infra` `with sudo` exits `1`
++        And I verify that running `pro enable esm-infra` `with sudo` exits `1`
          Then stdout matches regexp:
          """
          One moment, checking your subscription first
@@ -733,7 +755,7 @@ Feature: Command behaviour when attached to an UA subscription
          Given a `<release>` machine with ubuntu-advantage-tools installed
          When I run `systemctl stop ua-timer.timer` with sudo
          And I attach `contract_token` with sudo
--        Then I verify that running `ua config set update_messaging_timer=-2` `with sudo` exits `1`
++        Then I verify that running `pro config set update_messaging_timer=-2` `with sudo` exits `1`
          And stderr matches regexp:
          """
          Cannot set update_messaging_timer to -2: <value> for interval must be a positive integer.
@@ -748,14 +770,14 @@ Feature: Command behaviour when attached to an UA subscription
          """"
          "update_status":
          """
--        When I run `ua config show` with sudo
++        When I run `pro config show` with sudo
          Then stdout matches regexp:
          """
          update_messaging_timer  +21600
          update_status_timer     +43200
          """
          When I delete the file `/var/lib/ubuntu-advantage/jobs-status.json`
--        And I run `ua config set update_messaging_timer=0` with sudo
++        And I run `pro config set update_messaging_timer=0` with sudo
          And I run `python3 /usr/lib/ubuntu-advantage/timer.py` with sudo
          And I run `cat /var/lib/ubuntu-advantage/jobs-status.json` with sudo
          Then stdout does not match regexp:
@@ -821,8 +843,8 @@ Feature: Command behaviour when attached to an UA subscription
             | xenial  |
             | bionic  |
             | focal   |
--           | impish  |
             | jammy   |
++           | kinetic |
      @series.lts
      @uses.config.machine_type.lxd.container
@@ -895,101 +917,28 @@ Feature: Command behaviour when attached to an UA subscription
             | focal   |
             | jammy   |
--    @series.xenial
--    @series.bionic
++    @series.lts
      @uses.config.machine_type.lxd.container
--    Scenario Outline: Run security-status on an Ubuntu machine
++    Scenario Outline: Run timer script to valid machine activity endpoint
          Given a `<release>` machine with ubuntu-advantage-tools installed
--        When I append the following on uaclient config:
--            """
--            features:
--              allow_beta: true
--            """
--        And I run `dpkg-reconfigure ubuntu-advantage-tools` with sudo
--        And I run `apt-get update` with sudo
--        When I run `ua security-status --format json` as non-root
--        Then stdout is a json matching the `ua_security_status` schema
--        And stdout matches regexp:
--        """
--        "_schema_version": "0.1"
--        """
--        And stdout matches regexp:
--        """
--        "attached": false
--        """
--        And stdout matches regexp:
--        """
--        "enabled_services": \[\]
--        """
--        And stdout matches regexp:
--        """
--        "entitled_services": \[\]
--        """
--        And stdout matches regexp:
--        """
--        "package": "<package>"
--        """
--        And stdout matches regexp:
--        """
--        "service_name": "<service>"
--        """
--        And stdout matches regexp:
--        """
--        "origin": "esm.ubuntu.com"
--        """
--        And stdout matches regexp:
--        """
--        "status": "pending_attach"
--        """
--        And stdout matches regexp:
--        """
--        "download_size": \d+
--        """
          When I attach `contract_token` with sudo
--        And I run `ua security-status --format json` as non-root
++        And I run `rm /var/lib/ubuntu-advantage/machine-token.json` with sudo
++        And I run `ua status` as non-root
          Then stdout matches regexp:
          """
--        "_schema_version": "0.1"
--        """
--        And stdout matches regexp:
--        """
--        "attached": true
--        """
--        And stdout matches regexp:
--        """
--        "enabled_services": \["esm-apps", "esm-infra"\]
--        """
--        And stdout matches regexp:
--        """
--        "entitled_services": \["esm-apps", "esm-infra"\]
--        """
--        And stdout matches regexp:
--        """
--        "status": "upgrade_available"
--        """
--        And stdout matches regexp:
++        SERVICE +AVAILABLE +DESCRIPTION
          """
--        "download_size": \d+
--        """
--        When I run `ua security-status --format yaml` as non-root
--        Then stdout is a yaml matching the `ua_security_status` schema
--        And stdout matches regexp:
--        """
--        _schema_version: '0.1'
--        """
--        When I verify that running `ua security-status --format unsupported` `as non-root` exits `2`
--        Then I will see the following on stderr:
--        """
--        usage: security-status [-h] --format {json,yaml}
--        argument --format: invalid choice: 'unsupported' (choose from 'json', 'yaml')
--        """
--        When I verify that running `ua security-status` `as non-root` exits `2`
--        Then I will see the following on stderr:
++        When I run `dpkg-reconfigure ubuntu-advantage-tools` with sudo
++        Then I verify that files exist matching `/var/lib/ubuntu-advantage/machine-token.json`
++        When I run `ua status` as non-root
++        Then stdout matches regexp:
          """
--        usage: security-status [-h] --format {json,yaml}
--        the following arguments are required: --format
++        SERVICE +ENTITLED +STATUS +DESCRIPTION
          """
++
          Examples: ubuntu release
--           | release | package   | service   |
--           | xenial  | apport    | esm-infra |
--           | bionic  | libkrb5-3 | esm-apps  |
++           | release |
++           | xenial  |
++           | bionic  |
++           | focal   |
++           | jammy   |
 diff --git a/features/attached_enable.feature b/features/attached_enable.feature
 index 03c18bf..b68f8c0 100644
 --- a/features/attached_enable.feature
 +++ b/features/attached_enable.feature
@@ -1,5 +1,5 @@
  @uses.config.contract_token
--Feature: Enable command behaviour when attached to an UA subscription
++Feature: Enable command behaviour when attached to an Ubuntu Pro subscription
      @slow
      @series.xenial
@@ -8,12 +8,12 @@ Feature: Enable command behaviour when attached to an UA subscription
      Scenario Outline: Attached enable Common Criteria service in an ubuntu lxd container
          Given a `<release>` machine with ubuntu-advantage-tools installed
          When I attach `contract_token` with sudo
--        Then I verify that running `ua enable cc-eal` `as non-root` exits `1`
++        Then I verify that running `pro enable cc-eal` `as non-root` exits `1`
          And I will see the following on stderr:
              """
              This command must be run as root (try using sudo).
              """
--        When I run `ua enable cc-eal` with sudo
++        When I run `pro enable cc-eal` with sudo
          Then I will see the following on stdout:
              """
              One moment, checking your subscription first
@@ -28,18 +28,39 @@ Feature: Enable command behaviour when attached to an UA subscription
              | xenial  |
              | bionic  |
++    @series.xenial
++    @series.bionic
++    @uses.config.machine_type.lxd.container
++    Scenario Outline: Enable cc-eal with --access-only
++        Given a `<release>` machine with ubuntu-advantage-tools installed
++        When I attach `contract_token` with sudo
++        When I run `pro enable cc-eal --access-only` with sudo
++        Then I will see the following on stdout:
++        """
++        One moment, checking your subscription first
++        Updating package lists
++        Skipping installing packages: ubuntu-commoncriteria
++        CC EAL2 access enabled
++        """
++        Then I verify that running `apt-get install ubuntu-commoncriteria` `with sudo` exits `0`
++        Examples: ubuntu release
++            | release |
++            | xenial  |
++            | bionic  |
++
      @series.focal
--    @series.impish
++    @series.jammy
++    @series.kinetic
      @uses.config.machine_type.lxd.container
      Scenario Outline: Attached enable Common Criteria service in an ubuntu lxd container
          Given a `<release>` machine with ubuntu-advantage-tools installed
          When I attach `contract_token` with sudo
--        Then I verify that running `ua enable cc-eal` `as non-root` exits `1`
++        Then I verify that running `pro enable cc-eal` `as non-root` exits `1`
          And I will see the following on stderr:
              """
              This command must be run as root (try using sudo).
              """
--        When I verify that running `ua enable cc-eal` `with sudo` exits `1`
++        When I verify that running `pro enable cc-eal` `with sudo` exits `1`
          Then I will see the following on stdout:
              """
              One moment, checking your subscription first
@@ -48,8 +69,8 @@ Feature: Enable command behaviour when attached to an UA subscription
          Examples: ubuntu release
              | release | version    | full_name        |
              | focal   | 20.04 LTS  | Focal Fossa      |
--            | impish  | 21.10      | Impish Indri     |
--            | jammy   | 22.04      | Jammy Jellyfish  |
++            | jammy   | 22.04 LTS  | Jammy Jellyfish  |
++            | kinetic | 22.10      | Kinetic Kudu     |
      @series.lts
      @uses.config.machine_type.lxd.container
@@ -78,11 +99,11 @@ Feature: Enable command behaviour when attached to an UA subscription
          features:
            machine_token_overlay: "/tmp/machine-token-overlay.json"
          """
--        When I verify that running `ua enable esm-infra` `with sudo` exits `1`
++        When I verify that running `pro enable esm-infra` `with sudo` exits `1`
          Then stdout matches regexp:
          """
          One moment, checking your subscription first
--        UA Infra: ESM is not available for Ubuntu .*
++        Ubuntu Pro: ESM Infra is not available for Ubuntu .*
          """
          When I create the file `/tmp/machine-token-overlay.json` with the following:
          """
@@ -101,12 +122,12 @@ Feature: Enable command behaviour when attached to an UA subscription
+             }
+         }
          """
--        When I verify that running `ua enable esm-infra` `with sudo` exits `0`
++        When I verify that running `pro enable esm-infra` `with sudo` exits `0`
          Then stdout matches regexp:
          """
          One moment, checking your subscription first
          Updating package lists
--        UA Infra: ESM enabled
++        Ubuntu Pro: ESM Infra enabled
          """
          Examples: ubuntu release
              | release |
@@ -120,58 +141,58 @@ Feature: Enable command behaviour when attached to an UA subscription
      Scenario Outline: Attached enable of different services using json format
          Given a `<release>` machine with ubuntu-advantage-tools installed
          When I attach `contract_token` with sudo
--        Then I verify that running `ua enable foobar --format json` `as non-root` exits `1`
++        Then I verify that running `pro enable foobar --format json` `as non-root` exits `1`
          And stdout is a json matching the `ua_operation` schema
          And I will see the following on stdout:
              """
              {"_schema_version": "0.1", "errors": [{"message": "json formatted response requires --assume-yes flag.", "message_code": "json-format-require-assume-yes", "service": null, "type": "system"}], "failed_services": [], "needs_reboot": false, "processed_services": [], "result": "failure", "warnings": []}
              """
--        Then I verify that running `ua enable foobar --format json` `with sudo` exits `1`
++        Then I verify that running `pro enable foobar --format json` `with sudo` exits `1`
          And stdout is a json matching the `ua_operation` schema
          And I will see the following on stdout:
              """
              {"_schema_version": "0.1", "errors": [{"message": "json formatted response requires --assume-yes flag.", "message_code": "json-format-require-assume-yes", "service": null, "type": "system"}], "failed_services": [], "needs_reboot": false, "processed_services": [], "result": "failure", "warnings": []}
              """
--        Then I verify that running `ua enable foobar --format json --assume-yes` `as non-root` exits `1`
++        Then I verify that running `pro enable foobar --format json --assume-yes` `as non-root` exits `1`
          And stdout is a json matching the `ua_operation` schema
          And I will see the following on stdout:
              """
              {"_schema_version": "0.1", "errors": [{"message": "This command must be run as root (try using sudo).", "message_code": "nonroot-user", "service": null, "type": "system"}], "failed_services": [], "needs_reboot": false, "processed_services": [], "result": "failure", "warnings": []}
              """
--        And I verify that running `ua enable foobar --format json --assume-yes` `with sudo` exits `1`
++        And I verify that running `pro enable foobar --format json --assume-yes` `with sudo` exits `1`
          And stdout is a json matching the `ua_operation` schema
          And I will see the following on stdout:
              """
              {"_schema_version": "0.1", "errors": [{"message": "Cannot enable unknown service 'foobar'.\nTry <valid_services>", "message_code": "invalid-service-or-failure", "service": null, "type": "system"}], "failed_services": ["foobar"], "needs_reboot": false, "processed_services": [], "result": "failure", "warnings": []}
              """
--        And I verify that running `ua enable ros foobar --format json --assume-yes` `with sudo` exits `1`
++        And I verify that running `pro enable realtime-kernel foobar --format json --assume-yes` `with sudo` exits `1`
          And stdout is a json matching the `ua_operation` schema
          And I will see the following on stdout:
          """
--        {"_schema_version": "0.1", "errors": [{"message": "Cannot enable unknown service 'foobar, ros'.\nTry <valid_services>", "message_code": "invalid-service-or-failure", "service": null, "type": "system"}], "failed_services": ["foobar", "ros"], "needs_reboot": false, "processed_services": [], "result": "failure", "warnings": []}
++        {"_schema_version": "0.1", "errors": [{"message": "Cannot enable unknown service 'foobar, realtime-kernel'.\nTry <valid_services>", "message_code": "invalid-service-or-failure", "service": null, "type": "system"}], "failed_services": ["foobar", "realtime-kernel"], "needs_reboot": false, "processed_services": [], "result": "failure", "warnings": []}
          """
--        And I verify that running `ua enable esm-infra --format json --assume-yes` `with sudo` exits `1`
++        And I verify that running `pro enable esm-infra --format json --assume-yes` `with sudo` exits `1`
          And stdout is a json matching the `ua_operation` schema
          Then I will see the following on stdout:
--            """
--            {"_schema_version": "0.1", "errors": [{"message": "UA Infra: ESM is already enabled.\nSee: sudo ua status", "message_code": "service-already-enabled", "service": "esm-infra", "type": "service"}], "failed_services": ["esm-infra"], "needs_reboot": false, "processed_services": [], "result": "failure", "warnings": []}
--            """
--        When I run `ua disable esm-infra` with sudo
--        And I run `ua enable esm-infra --format json --assume-yes` with sudo
++        """
++        {"_schema_version": "0.1", "errors": [{"message": "Ubuntu Pro: ESM Infra is already enabled.\nSee: sudo pro status", "message_code": "service-already-enabled", "service": "esm-infra", "type": "service"}], "failed_services": ["esm-infra"], "needs_reboot": false, "processed_services": [], "result": "failure", "warnings": []}
++        """
++        When I run `pro disable esm-infra` with sudo
++        And I run `pro enable esm-infra --format json --assume-yes` with sudo
          Then stdout is a json matching the `ua_operation` schema
          And I will see the following on stdout:
          """
          {"_schema_version": "0.1", "errors": [], "failed_services": [], "needs_reboot": false, "processed_services": ["esm-infra"], "result": "success", "warnings": []}
          """
--        When I run `ua disable esm-infra` with sudo
--        And I verify that running `ua enable esm-infra foobar --format json --assume-yes` `with sudo` exits `1`
++        When I run `pro disable esm-infra` with sudo
++        And I verify that running `pro enable esm-infra foobar --format json --assume-yes` `with sudo` exits `1`
          Then stdout is a json matching the `ua_operation` schema
          And I will see the following on stdout:
          """
          {"_schema_version": "0.1", "errors": [{"message": "Cannot enable unknown service 'foobar'.\nTry <valid_services>", "message_code": "invalid-service-or-failure", "service": null, "type": "system"}], "failed_services": ["foobar"], "needs_reboot": false, "processed_services": ["esm-infra"], "result": "failure", "warnings": []}
          """
--        When I run `ua disable esm-infra esm-apps` with sudo
--        And I run `ua enable esm-infra esm-apps --beta --format json --assume-yes` with sudo
++        When I run `pro disable esm-infra esm-apps` with sudo
++        And I run `pro enable esm-infra esm-apps --beta --format json --assume-yes` with sudo
          Then stdout is a json matching the `ua_operation` schema
          And I will see the following on stdout:
          """
@@ -179,49 +200,49 @@ Feature: Enable command behaviour when attached to an UA subscription
          """
          Examples: ubuntu release
--           | release | valid_services                                         |
--           | xenial  | cc-eal, cis, esm-infra, fips, fips-updates, livepatch. |
--           | bionic  | cc-eal, cis, esm-infra, fips, fips-updates, livepatch. |
--           | focal   | cc-eal, esm-infra, fips, fips-updates, livepatch, usg. |
--           | jammy   | cc-eal, esm-infra, fips, fips-updates, livepatch, usg. |
++           | release | valid_services                                                                       |
++           | xenial  | cc-eal, cis, esm-apps, esm-infra, fips, fips-updates, livepatch, ros,\nros-updates. |
++           | bionic  | cc-eal, cis, esm-apps, esm-infra, fips, fips-updates, livepatch, ros,\nros-updates. |
++           | focal   | cc-eal, esm-apps, esm-infra, fips, fips-updates, livepatch, ros,\nros-updates, usg. |
++           | jammy   | cc-eal, esm-apps, esm-infra, fips, fips-updates, livepatch, ros,\nros-updates, usg. |
      @series.lts
      @uses.config.machine_type.lxd.container
      Scenario Outline: Attached enable of a service in a ubuntu machine
          Given a `<release>` machine with ubuntu-advantage-tools installed
          When I attach `contract_token` with sudo
--        Then I verify that running `ua enable foobar` `as non-root` exits `1`
++        Then I verify that running `pro enable foobar` `as non-root` exits `1`
          And I will see the following on stderr:
--            """
--            This command must be run as root (try using sudo).
--            """
--        And I verify that running `ua enable foobar` `with sudo` exits `1`
++        """
++        This command must be run as root (try using sudo).
++        """
++        And I verify that running `pro enable foobar` `with sudo` exits `1`
          And I will see the following on stdout:
--            """
--            One moment, checking your subscription first
--            """
++        """
++        One moment, checking your subscription first
++        """
          And stderr matches regexp:
--            """
--            Cannot enable unknown service 'foobar'.
--            Try cc-eal, cis, esm-infra, fips, fips-updates, livepatch.
--            """
--        And I verify that running `ua enable ros foobar` `with sudo` exits `1`
++        """
++        Cannot enable unknown service 'foobar'.
++        Try cc-eal, cis, esm-apps, esm-infra, fips, fips-updates, livepatch, ros,\nros-updates.
++        """
++        And I verify that running `pro enable realtime-kernel foobar` `with sudo` exits `1`
          And I will see the following on stdout:
--            """
--            One moment, checking your subscription first
--            """
++        """
++        One moment, checking your subscription first
++        """
          And stderr matches regexp:
--            """
--            Cannot enable unknown service 'foobar, ros'.
--            Try cc-eal, cis, esm-infra, fips, fips-updates, livepatch.
--            """
--        And I verify that running `ua enable esm-infra` `with sudo` exits `1`
++        """
++        Cannot enable unknown service 'foobar, realtime-kernel'.
++        Try cc-eal, cis, esm-apps, esm-infra, fips, fips-updates, livepatch, ros,\nros-updates.
++        """
++        And I verify that running `pro enable esm-infra` `with sudo` exits `1`
          And I will see the following on stdout:
--            """
--            One moment, checking your subscription first
--            UA Infra: ESM is already enabled.
--            See: sudo ua status
--            """
++        """
++        One moment, checking your subscription first
++        Ubuntu Pro: ESM Infra is already enabled.
++        See: sudo pro status
++        """
          When I run `apt-cache policy` with sudo
          Then apt-cache policy for the following url has permission `500`
          """
@@ -246,38 +267,38 @@ Feature: Enable command behaviour when attached to an UA subscription
      Scenario: Attached enable of a service in a ubuntu machine
          Given a `focal` machine with ubuntu-advantage-tools installed
          When I attach `contract_token` with sudo
--        Then I verify that running `ua enable foobar` `as non-root` exits `1`
++        Then I verify that running `pro enable foobar` `as non-root` exits `1`
          And I will see the following on stderr:
--            """
--            This command must be run as root (try using sudo).
--            """
--        And I verify that running `ua enable foobar` `with sudo` exits `1`
++        """
++        This command must be run as root (try using sudo).
++        """
++        And I verify that running `pro enable foobar` `with sudo` exits `1`
          And I will see the following on stdout:
--            """
--            One moment, checking your subscription first
--            """
++        """
++        One moment, checking your subscription first
++        """
          And stderr matches regexp:
--            """
--            Cannot enable unknown service 'foobar'.
--            Try cc-eal, esm-infra, fips, fips-updates, livepatch, usg.
--            """
--        And I verify that running `ua enable ros foobar` `with sudo` exits `1`
++        """
++        Cannot enable unknown service 'foobar'.
++        Try cc-eal, esm-apps, esm-infra, fips, fips-updates, livepatch, ros,\nros-updates, usg.
++        """
++        And I verify that running `pro enable realtime-kernel foobar` `with sudo` exits `1`
          And I will see the following on stdout:
--            """
--            One moment, checking your subscription first
--            """
++        """
++        One moment, checking your subscription first
++        """
          And stderr matches regexp:
--            """
--            Cannot enable unknown service 'foobar, ros'.
--            Try cc-eal, esm-infra, fips, fips-updates, livepatch, usg.
--            """
--        And I verify that running `ua enable esm-infra` `with sudo` exits `1`
++        """
++        Cannot enable unknown service 'foobar, realtime-kernel'.
++        Try cc-eal, esm-apps, esm-infra, fips, fips-updates, livepatch, ros,\nros-updates, usg.
++        """
++        And I verify that running `pro enable esm-infra` `with sudo` exits `1`
          Then I will see the following on stdout:
--            """
--            One moment, checking your subscription first
--            UA Infra: ESM is already enabled.
--            See: sudo ua status
--            """
++        """
++        One moment, checking your subscription first
++        Ubuntu Pro: ESM Infra is already enabled.
++        See: sudo pro status
++        """
          When I run `apt-cache policy` with sudo
          Then apt-cache policy for the following url has permission `500`
          """
@@ -297,12 +318,12 @@ Feature: Enable command behaviour when attached to an UA subscription
      Scenario Outline:  Attached enable of non-container services in a ubuntu lxd container
          Given a `<release>` machine with ubuntu-advantage-tools installed
          When I attach `contract_token` with sudo
--        Then I verify that running `ua enable livepatch` `as non-root` exits `1`
++        Then I verify that running `pro enable livepatch` `as non-root` exits `1`
          And I will see the following on stderr:
              """
              This command must be run as root (try using sudo).
              """
--        And I verify that running `ua enable livepatch` `with sudo` exits `1`
++        And I verify that running `pro enable livepatch` `with sudo` exits `1`
          And I will see the following on stdout:
              """
              One moment, checking your subscription first
@@ -314,8 +335,8 @@ Feature: Enable command behaviour when attached to an UA subscription
             | bionic  |
             | focal   |
             | xenial  |
--           | impish  |
             | jammy   |
++           | kinetic |
      @series.lts
      @uses.config.machine_type.lxd.container
@@ -342,17 +363,17 @@ Feature: Enable command behaviour when attached to an UA subscription
            machine_token_overlay: "/tmp/machine-token-overlay.json"
          """
          When I attach `contract_token` with sudo
--        Then I verify that running `ua enable esm-apps` `as non-root` exits `1`
++        Then I verify that running `pro enable esm-apps` `as non-root` exits `1`
          And I will see the following on stderr:
              """
              This command must be run as root (try using sudo).
              """
--        And I verify that running `ua enable esm-apps --beta` `with sudo` exits `1`
++        And I verify that running `pro enable esm-apps --beta` `with sudo` exits `1`
          And I will see the following on stdout:
              """
              One moment, checking your subscription first
--            This subscription is not entitled to UA Apps: ESM
--            For more information see: https://ubuntu.com/advantage.
++            This subscription is not entitled to Ubuntu Pro: ESM Apps
++            For more information see: https://ubuntu.com/pro.
              """
          Examples: not entitled services
@@ -368,15 +389,25 @@ Feature: Enable command behaviour when attached to an UA subscription
      Scenario Outline: Attached enable of cis service in a ubuntu machine
          Given a `<release>` machine with ubuntu-advantage-tools installed
          When I attach `contract_token` with sudo
--        And I verify that running `ua enable cis` `with sudo` exits `0`
++        And I verify that running `pro enable cis --access-only` `with sudo` exits `0`
          Then I will see the following on stdout:
--            """
--            One moment, checking your subscription first
--            Updating package lists
--            Installing CIS Audit packages
--            CIS Audit enabled
--            Visit https://ubuntu.com/security/cis to learn how to use CIS
--            """
++        """
++        One moment, checking your subscription first
++        Updating package lists
++        Skipping installing packages: usg-cisbenchmark usg-common
++        CIS Audit access enabled
++        Visit https://ubuntu.com/security/cis to learn how to use CIS
++        """
++        When I run `pro disable cis` with sudo
++        And I verify that running `pro enable cis` `with sudo` exits `0`
++        Then I will see the following on stdout:
++        """
++        One moment, checking your subscription first
++        Updating package lists
++        Installing CIS Audit packages
++        CIS Audit enabled
++        Visit https://ubuntu.com/security/cis to learn how to use CIS
++        """
          When I run `apt-cache policy usg-cisbenchmark` as non-root
          Then stdout does not match regexp:
          """
@@ -395,12 +426,12 @@ Feature: Enable command behaviour when attached to an UA subscription
          """
          \s* 500 https://esm.ubuntu.com/cis/ubuntu <release>/main amd64 Packages
          """
--        When I verify that running `ua enable cis` `with sudo` exits `1`
++        When I verify that running `pro enable cis` `with sudo` exits `1`
          Then stdout matches regexp
          """
          One moment, checking your subscription first
          CIS Audit is already enabled.
--        See: sudo ua status
++        See: sudo pro status
          """
          When I run `cis-audit level1_server` with sudo
          Then stdout matches regexp
@@ -442,12 +473,12 @@ Feature: Enable command behaviour when attached to an UA subscription
      Scenario Outline: Attached enable of cis service in a ubuntu machine
          Given a `<release>` machine with ubuntu-advantage-tools installed
          When I attach `contract_token` with sudo
--        And I verify that running `ua enable cis` `with sudo` exits `0`
++        And I verify that running `pro enable cis` `with sudo` exits `0`
          Then I will see the following on stdout:
              """
              One moment, checking your subscription first
--            From Ubuntu 20.04 and onwards 'ua enable cis' has been
--            replaced by 'ua enable usg'. See more information at:
++            From Ubuntu 20.04 and onwards 'pro enable cis' has been
++            replaced by 'pro enable usg'. See more information at:
              https://ubuntu.com/security/certifications/docs/usg
              Updating package lists
              Installing CIS Audit packages
@@ -472,15 +503,15 @@ Feature: Enable command behaviour when attached to an UA subscription
          """
          \s* 500 https://esm.ubuntu.com/cis/ubuntu <release>/main amd64 Packages
          """
--        When I verify that running `ua enable cis` `with sudo` exits `1`
++        When I verify that running `pro enable cis` `with sudo` exits `1`
          Then stdout matches regexp
          """
          One moment, checking your subscription first
--        From Ubuntu 20.04 and onwards 'ua enable cis' has been
--        replaced by 'ua enable usg'. See more information at:
++        From Ubuntu 20.04 and onwards 'pro enable cis' has been
++        replaced by 'pro enable usg'. See more information at:
          https://ubuntu.com/security/certifications/docs/usg
          CIS Audit is already enabled.
--        See: sudo ua status
++        See: sudo pro status
          """
          When I run `cis-audit level1_server` with sudo
          Then stdout matches regexp
@@ -522,15 +553,15 @@ Feature: Enable command behaviour when attached to an UA subscription
      Scenario Outline: Attached enable of usg service in a ubuntu machine
          Given a `<release>` machine with ubuntu-advantage-tools installed
          When I attach `contract_token` with sudo
--        And I verify that running `ua enable usg` `with sudo` exits `1`
++        And I verify that running `pro enable usg` `with sudo` exits `1`
          Then I will see the following on stdout:
              """
              One moment, checking your subscription first
              """
--        Then I will see the following on stderr:
++        And stderr matches regexp:
              """
              Cannot enable unknown service 'usg'.
--            Try cc-eal, cis, esm-infra, fips, fips-updates, livepatch.
++            Try cc-eal, cis, esm-apps, esm-infra, fips, fips-updates, livepatch, ros,\nros-updates.
              """
          Examples: cis service
@@ -543,7 +574,7 @@ Feature: Enable command behaviour when attached to an UA subscription
      Scenario Outline: Attached enable of usg service in a focal machine
          Given a `<release>` machine with ubuntu-advantage-tools installed
          When I attach `contract_token` with sudo
--        And I run `ua enable usg` with sudo
++        And I run `pro enable usg` with sudo
          Then I will see the following on stdout:
              """
              One moment, checking your subscription first
@@ -551,44 +582,44 @@ Feature: Enable command behaviour when attached to an UA subscription
              Ubuntu Security Guide enabled
              Visit https://ubuntu.com/security/certifications/docs/usg for the next steps
              """
--        When I run `ua status` with sudo
++        When I run `pro status` with sudo
          Then stdout matches regexp:
              """
              usg         +yes    +enabled   +Security compliance and audit tools
              """
--        When I run `ua disable usg` with sudo
++        When I run `pro disable usg` with sudo
          Then stdout matches regexp:
              """
              Updating package lists
              """
--        When I run `ua status` with sudo
++        When I run `pro status` with sudo
          Then stdout matches regexp:
              """
              usg         +yes    +disabled   +Security compliance and audit tools
              """
--        When I run `ua enable cis` with sudo
++        When I run `pro enable cis` with sudo
          Then I will see the following on stdout:
              """
              One moment, checking your subscription first
--            From Ubuntu 20.04 and onwards 'ua enable cis' has been
--            replaced by 'ua enable usg'. See more information at:
++            From Ubuntu 20.04 and onwards 'pro enable cis' has been
++            replaced by 'pro enable usg'. See more information at:
              https://ubuntu.com/security/certifications/docs/usg
              Updating package lists
              Installing CIS Audit packages
              CIS Audit enabled
              Visit https://ubuntu.com/security/cis to learn how to use CIS
              """
--        When I run `ua status` with sudo
++        When I run `pro status` with sudo
          Then stdout matches regexp:
              """
              usg         +yes    +enabled   +Security compliance and audit tools
              """
--        When I run `ua disable usg` with sudo
++        When I run `pro disable usg` with sudo
          Then stdout matches regexp:
              """
              Updating package lists
              """
--        When I run `ua status` with sudo
++        When I run `pro status` with sudo
          Then stdout matches regexp:
              """
              usg         +yes    +disabled   +Security compliance and audit tools
@@ -604,31 +635,37 @@ Feature: Enable command behaviour when attached to an UA subscription
      Scenario Outline: Attached disable of livepatch in a lxd vm
          Given a `<release>` machine with ubuntu-advantage-tools installed
          When I attach `contract_token` with sudo
--        And I run `ua status` with sudo
++        And I run `pro status` with sudo
          Then stdout matches regexp:
          """
--        esm-apps     +yes      +enabled  +UA Apps: Extended Security Maintenance \(ESM\)
--        esm-infra    +yes      +enabled  +UA Infra: Extended Security Maintenance \(ESM\)
++        esm-apps     +yes      +enabled  +Expanded Security Maintenance for Applications
++        esm-infra    +yes      +enabled  +Expanded Security Maintenance for Infrastructure
          fips         +yes      +disabled +NIST-certified core packages
          fips-updates +yes      +disabled +NIST-certified core packages with priority security updates
          livepatch    +yes      +enabled  +Canonical Livepatch service
          """
--        When I run `ua disable livepatch` with sudo
++        When I run `pro disable livepatch` with sudo
          Then I verify that running `canonical-livepatch status` `with sudo` exits `1`
          And stderr matches regexp:
          """
          Machine is not enabled. Please run 'sudo canonical-livepatch enable' with the
          token obtained from https://ubuntu.com/livepatch.
          """
--        When I run `ua status` with sudo
++        When I run `pro status` with sudo
          Then stdout matches regexp:
          """
--        esm-apps     +yes      +enabled  +UA Apps: Extended Security Maintenance \(ESM\)
--        esm-infra    +yes      +enabled  +UA Infra: Extended Security Maintenance \(ESM\)
++        esm-apps     +yes      +enabled  +Expanded Security Maintenance for Applications
++        esm-infra    +yes      +enabled  +Expanded Security Maintenance for Infrastructure
          fips         +yes      +disabled +NIST-certified core packages
          fips-updates +yes      +disabled +NIST-certified core packages with priority security updates
          livepatch    +yes      +disabled +Canonical Livepatch service
          """
++        When I verify that running `pro enable livepatch --access-only` `with sudo` exits `1`
++        Then I will see the following on stdout:
++        """
++        One moment, checking your subscription first
++        Livepatch does not support being enabled with --access-only
++        """
          Examples: ubuntu release
             | release |
@@ -651,7 +688,7 @@ Feature: Enable command behaviour when attached to an UA subscription
              Installing canonical-livepatch snap
              Canonical livepatch enabled
              """
--        When I run `ua status` with sudo
++        When I run `pro status` with sudo
          Then stdout matches regexp:
              """
              livepatch +yes +enabled
@@ -678,12 +715,12 @@ Feature: Enable command behaviour when attached to an UA subscription
          Then stdout matches regexp:
              """
              Updating package lists
--            UA Infra: ESM enabled
++            Ubuntu Pro: ESM Infra enabled
              Installing canonical-livepatch snap
              Canonical livepatch enabled
              """
--        When I run `ua disable livepatch` with sudo
--        And I run `ua enable fips --assume-yes` with sudo
++        When I run `pro disable livepatch` with sudo
++        And I run `pro enable fips --assume-yes` with sudo
          Then I will see the following on stdout:
              """
              One moment, checking your subscription first
@@ -697,13 +734,13 @@ Feature: Enable command behaviour when attached to an UA subscription
              features:
                block_disable_on_enable: true
              """
--        Then I verify that running `ua enable livepatch` `with sudo` exits `1`
++        Then I verify that running `pro enable livepatch` `with sudo` exits `1`
          And I will see the following on stdout
              """
              One moment, checking your subscription first
              Cannot enable Livepatch when FIPS is enabled.
              """
--        Then I verify that running `ua enable livepatch --format json --assume-yes` `with sudo` exits `1`
++        Then I verify that running `pro enable livepatch --format json --assume-yes` `with sudo` exits `1`
          And I will see the following on stdout
              """
              {"_schema_version": "0.1", "errors": [{"message": "Cannot enable Livepatch when FIPS is enabled.", "message_code": "livepatch-error-when-fips-enabled", "service": "livepatch", "type": "service"}], "failed_services": ["livepatch"], "needs_reboot": false, "processed_services": [], "result": "failure", "warnings": []}
@@ -717,7 +754,7 @@ Feature: Enable command behaviour when attached to an UA subscription
          Then stdout matches regexp:
              """
              Updating package lists
--            UA Infra: ESM enabled
++            Ubuntu Pro: ESM Infra enabled
              Installing canonical-livepatch snap
              Canonical livepatch enabled
              """
@@ -726,13 +763,13 @@ Feature: Enable command behaviour when attached to an UA subscription
          features:
            block_disable_on_enable: true
          """
--        Then I verify that running `ua enable fips --assume-yes` `with sudo` exits `1`
++        Then I verify that running `pro enable fips --assume-yes` `with sudo` exits `1`
          And I will see the following on stdout
              """
              One moment, checking your subscription first
              Cannot enable FIPS when Livepatch is enabled.
              """
--        Then I verify that running `ua enable fips --assume-yes --format json` `with sudo` exits `1`
++        Then I verify that running `pro enable fips --assume-yes --format json` `with sudo` exits `1`
          And stdout is a json matching the `ua_operation` schema
          And I will see the following on stdout:
          """
@@ -749,14 +786,14 @@ Feature: Enable command behaviour when attached to an UA subscription
          Then stdout matches regexp:
              """
              Updating package lists
--            UA Infra: ESM enabled
++            Ubuntu Pro: ESM Infra enabled
              """
          And stdout matches regexp:
              """
              Installing canonical-livepatch snap
              Canonical livepatch enabled
              """
--        When I run `ua enable fips --assume-yes` with sudo
++        When I run `pro enable fips --assume-yes` with sudo
          Then I will see the following on stdout
              """
              One moment, checking your subscription first
@@ -766,7 +803,7 @@ Feature: Enable command behaviour when attached to an UA subscription
              FIPS enabled
              A reboot is required to complete install.
              """
--        When I run `ua status` with sudo
++        When I run `pro status` with sudo
          Then stdout matches regexp:
              """
              fips +yes +enabled
@@ -790,15 +827,15 @@ Feature: Enable command behaviour when attached to an UA subscription
          When I attach `contract_token` with sudo
          Then stdout matches regexp:
              """
--            UA Infra: ESM enabled
++            Ubuntu Pro: ESM Infra enabled
              """
          And stdout matches regexp:
              """
              Installing canonical-livepatch snap
              Canonical livepatch enabled
              """
--        When I run `ua disable livepatch` with sudo
--        And I run `ua enable fips-updates --assume-yes` with sudo
++        When I run `pro disable livepatch` with sudo
++        And I run `pro enable fips-updates --assume-yes` with sudo
          Then I will see the following on stdout:
              """
              One moment, checking your subscription first
@@ -807,7 +844,7 @@ Feature: Enable command behaviour when attached to an UA subscription
              FIPS Updates enabled
              A reboot is required to complete install.
              """
--        When I verify that running `ua enable fips --assume-yes` `with sudo` exits `1`
++        When I verify that running `pro enable fips --assume-yes` `with sudo` exits `1`
          Then I will see the following on stdout
              """
              One moment, checking your subscription first
@@ -826,75 +863,75 @@ Feature: Enable command behaviour when attached to an UA subscription
      Scenario Outline: Attached enable ros on a machine
          Given a `<release>` machine with ubuntu-advantage-tools installed
          When I attach `contract_token` with sudo
--        And I run `ua status --all` as non-root
++        And I run `pro status --all` as non-root
          Then stdout matches regexp
          """
          ros           +yes                disabled           Security Updates for the Robot Operating System
          """
--        When I run `ua enable ros --assume-yes --beta` with sudo
--        And I run `ua status --all` as non-root
++        When I run `pro enable ros --assume-yes` with sudo
++        And I run `pro status --all` as non-root
          Then stdout matches regexp
          """
          ros           +yes                enabled            Security Updates for the Robot Operating System
          """
          And stdout matches regexp
          """
--        esm-apps      +yes                enabled            UA Apps: Extended Security Maintenance \(ESM\)
++        esm-apps      +yes                enabled            Expanded Security Maintenance for Applications
          """
          And stdout matches regexp
          """
--        esm-infra     +yes                enabled            UA Infra: Extended Security Maintenance \(ESM\)
++        esm-infra     +yes                enabled            Expanded Security Maintenance for Infrastructure
          """
--        When I verify that running `ua disable esm-apps` `with sudo` and stdin `N` exits `1`
++        When I verify that running `pro disable esm-apps` `with sudo` and stdin `N` exits `1`
          Then stdout matches regexp
          """
--        ROS ESM Security Updates depends on UA Apps: ESM.
--        Disable ROS ESM Security Updates and proceed to disable UA Apps: ESM\? \(y\/N\) Cannot disable UA Apps: ESM when ROS ESM Security Updates is enabled.
++        ROS ESM Security Updates depends on Ubuntu Pro: ESM Apps.
++        Disable ROS ESM Security Updates and proceed to disable Ubuntu Pro: ESM Apps\? \(y\/N\) Cannot disable Ubuntu Pro: ESM Apps when ROS ESM Security Updates is enabled.
          """
--        When I run `ua disable esm-apps` `with sudo` and stdin `y`
++        When I run `pro disable esm-apps` `with sudo` and stdin `y`
          Then stdout matches regexp
          """
--        ROS ESM Security Updates depends on UA Apps: ESM.
--        Disable ROS ESM Security Updates and proceed to disable UA Apps: ESM\? \(y\/N\) Disabling dependent service: ROS ESM Security Updates
++        ROS ESM Security Updates depends on Ubuntu Pro: ESM Apps.
++        Disable ROS ESM Security Updates and proceed to disable Ubuntu Pro: ESM Apps\? \(y\/N\) Disabling dependent service: ROS ESM Security Updates
          Updating package lists
          """
--        When I run `ua status --all` as non-root
++        When I run `pro status --all` as non-root
          Then stdout matches regexp
          """
          ros           +yes                disabled           Security Updates for the Robot Operating System
          """
          And stdout matches regexp
          """
--        esm-apps      +yes                disabled           UA Apps: Extended Security Maintenance \(ESM\)
++        esm-apps      +yes                disabled           Expanded Security Maintenance for Applications
          """
--        When I verify that running `ua enable ros --beta` `with sudo` and stdin `N` exits `1`
++        When I verify that running `pro enable ros` `with sudo` and stdin `N` exits `1`
          Then stdout matches regexp
          """
--        ROS ESM Security Updates cannot be enabled with UA Apps: ESM disabled.
--        Enable UA Apps: ESM and proceed to enable ROS ESM Security Updates\? \(y\/N\) Cannot enable ROS ESM Security Updates when UA Apps: ESM is disabled.
++        ROS ESM Security Updates cannot be enabled with Ubuntu Pro: ESM Apps disabled.
++        Enable Ubuntu Pro: ESM Apps and proceed to enable ROS ESM Security Updates\? \(y\/N\) Cannot enable ROS ESM Security Updates when Ubuntu Pro: ESM Apps is disabled.
          """
--        When I run `ua enable ros --beta` `with sudo` and stdin `y`
++        When I run `pro enable ros` `with sudo` and stdin `y`
          Then stdout matches regexp
          """
          One moment, checking your subscription first
--        ROS ESM Security Updates cannot be enabled with UA Apps: ESM disabled.
--        Enable UA Apps: ESM and proceed to enable ROS ESM Security Updates\? \(y\/N\) Enabling required service: UA Apps: ESM
--        UA Apps: ESM enabled
++        ROS ESM Security Updates cannot be enabled with Ubuntu Pro: ESM Apps disabled.
++        Enable Ubuntu Pro: ESM Apps and proceed to enable ROS ESM Security Updates\? \(y\/N\) Enabling required service: Ubuntu Pro: ESM Apps
++        Ubuntu Pro: ESM Apps enabled
          Updating package lists
          ROS ESM Security Updates enabled
          """
--        When I run `ua status --all` as non-root
++        When I run `pro status --all` as non-root
          Then stdout matches regexp
          """
          ros           +yes                enabled            Security Updates for the Robot Operating System
          """
          And stdout matches regexp
          """
--        esm-apps      +yes                enabled            UA Apps: Extended Security Maintenance \(ESM\)
++        esm-apps      +yes                enabled            Expanded Security Maintenance for Applications
          """
          And stdout matches regexp
          """
--        esm-infra     +yes                enabled            UA Infra: Extended Security Maintenance \(ESM\)
++        esm-infra     +yes                enabled            Expanded Security Maintenance for Infrastructure
          """
          When I run `apt-cache policy` as non-root
          Then apt-cache policy for the following url has permission `500`
@@ -904,8 +941,8 @@ Feature: Enable command behaviour when attached to an UA subscription
          When I run `apt install python3-catkin-pkg -y` with sudo
          Then I verify that `python3-catkin-pkg` is installed from apt source `<ros-security-source>`
--        When I run `ua enable ros-updates --assume-yes --beta` with sudo
--        And I run `ua status --all` as non-root
++        When I run `pro enable ros-updates --assume-yes` with sudo
++        And I run `pro status --all` as non-root
          Then stdout matches regexp
          """
          ros-updates   +yes                enabled            All Updates for the Robot Operating System
@@ -917,14 +954,14 @@ Feature: Enable command behaviour when attached to an UA subscription
          """
          When I run `apt install python3-catkin-pkg -y` with sudo
          Then I verify that `python3-catkin-pkg` is installed from apt source `<ros-updates-source>`
--        When I run `ua disable ros` `with sudo` and stdin `y`
++        When I run `pro disable ros` `with sudo` and stdin `y`
          Then stdout matches regexp
          """
          ROS ESM All Updates depends on ROS ESM Security Updates.
          Disable ROS ESM All Updates and proceed to disable ROS ESM Security Updates\? \(y\/N\) Disabling dependent service: ROS ESM All Updates
          Updating package lists
          """
--        When I run `ua enable ros-updates --beta` `with sudo` and stdin `y`
++        When I run `pro enable ros-updates` `with sudo` and stdin `y`
          Then stdout matches regexp
          """
          One moment, checking your subscription first
@@ -934,7 +971,7 @@ Feature: Enable command behaviour when attached to an UA subscription
          Updating package lists
          ROS ESM All Updates enabled
          """
--        When I run `ua status --all` as non-root
++        When I run `pro status --all` as non-root
          Then stdout matches regexp
          """
          ros-updates   +yes                enabled            All Updates for the Robot Operating System
@@ -943,12 +980,12 @@ Feature: Enable command behaviour when attached to an UA subscription
          """
          ros           +yes                enabled            Security Updates for the Robot Operating System
          """
--        When I run `ua disable ros-updates --assume-yes` with sudo
--        When I run `ua disable ros --assume-yes` with sudo
--        When I run `ua disable esm-apps --assume-yes` with sudo
--        When I run `ua disable esm-infra --assume-yes` with sudo
--        When I run `ua enable ros-updates --assume-yes --beta` with sudo
--        When I run `ua status --all` as non-root
++        When I run `pro disable ros-updates --assume-yes` with sudo
++        When I run `pro disable ros --assume-yes` with sudo
++        When I run `pro disable esm-apps --assume-yes` with sudo
++        When I run `pro disable esm-infra --assume-yes` with sudo
++        When I run `pro enable ros-updates --assume-yes` with sudo
++        When I run `pro status --all` as non-root
          Then stdout matches regexp
          """
          ros-updates   +yes                enabled            All Updates for the Robot Operating System
@@ -959,13 +996,13 @@ Feature: Enable command behaviour when attached to an UA subscription
          """
          And stdout matches regexp
          """
--        esm-apps      +yes                enabled            UA Apps: Extended Security Maintenance \(ESM\)
++        esm-apps      +yes                enabled            Expanded Security Maintenance for Applications
          """
          And stdout matches regexp
          """
--        esm-infra     +yes                enabled            UA Infra: Extended Security Maintenance \(ESM\)
++        esm-infra     +yes                enabled            Expanded Security Maintenance for Infrastructure
          """
--        When I run `ua detach` `with sudo` and stdin `y`
++        When I run `pro detach` `with sudo` and stdin `y`
          Then stdout matches regexp:
          """
          Updating package lists
@@ -1059,8 +1096,39 @@ Feature: Enable command behaviour when attached to an UA subscription
            machine_token_overlay: "/tmp/machine-token-overlay.json"
          """
          And I attach `contract_token` with sudo
--        And I verify that running `ua enable fips --assume-yes` `with sudo` exits `1`
++        And I verify that running `pro enable fips --assume-yes` `with sudo` exits `1`
          Then stderr matches regexp:
          """
          Stderr: E: Unable to locate package some-package-aws
          """
++
++    @series.xenial
++    @uses.config.contract_token
++    @uses.config.machine_type.lxd.container
++    Scenario Outline: APT auth file is edited correctly on enable
++        Given a `<release>` machine with ubuntu-advantage-tools installed
++        When I attach `contract_token` with sudo
++        When I run `wc -l /etc/apt/auth.conf.d/90ubuntu-advantage` with sudo
++        Then I will see the following on stdout:
++        """
++        2 /etc/apt/auth.conf.d/90ubuntu-advantage
++        """
++        # simulate a scenario where the line should get replaced
++        When I run `cp /etc/apt/auth.conf.d/90ubuntu-advantage /etc/apt/auth.conf.d/90ubuntu-advantage.backup` with sudo
++        When I run `pro disable esm-infra` with sudo
++        When I run `cp /etc/apt/auth.conf.d/90ubuntu-advantage.backup /etc/apt/auth.conf.d/90ubuntu-advantage` with sudo
++        When I run `pro enable esm-infra` with sudo
++        When I run `wc -l /etc/apt/auth.conf.d/90ubuntu-advantage` with sudo
++        Then I will see the following on stdout:
++        """
++        2 /etc/apt/auth.conf.d/90ubuntu-advantage
++        """
++        When I run `pro enable cis` with sudo
++        When I run `wc -l /etc/apt/auth.conf.d/90ubuntu-advantage` with sudo
++        Then I will see the following on stdout:
++        """
++        3 /etc/apt/auth.conf.d/90ubuntu-advantage
++        """
++        Examples: ubuntu release
++           | release |
++           | xenial  |
 diff --git a/features/attached_status.feature b/features/attached_status.feature
 index 59406e7..b6cf42d 100644
 --- a/features/attached_status.feature
 +++ b/features/attached_status.feature
@@ -6,9 +6,9 @@ Feature: Attached status
      Scenario Outline: Attached status in a ubuntu machine - formatted
          Given a `<release>` machine with ubuntu-advantage-tools installed
          When I attach `contract_token` with sudo
--        And I run `ua status --format json` as non-root
++        And I run `pro status --format json` as non-root
          Then stdout is a json matching the `ua_status` schema
--        When I run `ua status --format yaml` as non-root
++        When I run `pro status --format yaml` as non-root
          Then stdout is a yaml matching the `ua_status` schema
          Examples: ubuntu release
@@ -16,5 +16,170 @@ Feature: Attached status
             | bionic  |
             | focal   |
             | xenial  |
--           | impish  |
++           | jammy   |
++           | kinetic |
++
++    @series.xenial
++    @uses.config.machine_type.lxd.container
++    Scenario Outline: Non-root status can see in-progress operations
++        Given a `<release>` machine with ubuntu-advantage-tools installed
++        When I attach `contract_token` with sudo
++        When I run shell command `sudo pro enable cis >/dev/null & pro status` as non-root
++        Then stdout matches regexp:
++        """
++        NOTICES
++        Operation in progress: pro enable
++        """
++        When I run `pro status --wait` as non-root
++        When I run `pro disable cis --assume-yes` with sudo
++        When I run shell command `sudo pro enable cis & pro status --wait` as non-root
++        Then stdout matches regexp:
++        """
++        One moment, checking your subscription first
++        Updating package lists
++        Installing CIS Audit packages
++        CIS Audit enabled
++        Visit https://ubuntu.com/security/cis to learn how to use CIS
++        \.+
++        SERVICE +ENTITLED +STATUS +DESCRIPTION
++        """
++        Then stdout does not match regexp:
++        """
++        NOTICES
++        Operation in progress: pro enable
++        """
++        When I run `pro disable cis --assume-yes` with sudo
++        When I run `apt-get install jq -y` with sudo
++        When I run shell command `sudo pro enable cis >/dev/null & pro status --format json | jq -r .execution_status` as non-root
++        Then I will see the following on stdout:
++        """
++        active
++        """
++        Examples: ubuntu release
++           | release |
++           | xenial  |
++
++    @series.xenial
++    @series.bionic
++    @uses.config.machine_type.lxd.container
++    Scenario Outline: Attached status in a ubuntu machine
++        Given a `<release>` machine with ubuntu-advantage-tools installed
++        When I attach `contract_token` with sudo
++        And I verify root and non-root `pro status` calls have the same output
++        And I run `pro status` as non-root
++        Then stdout matches regexp:
++        """
++        SERVICE         +ENTITLED +STATUS   +DESCRIPTION
++        cc-eal          +yes      +disabled +Common Criteria EAL2 Provisioning Packages
++        cis             +yes      +disabled +Security compliance and audit tools
++        esm-apps        +yes      +enabled  +Expanded Security Maintenance for Applications
++        esm-infra       +yes      +enabled  +Expanded Security Maintenance for Infrastructure
++        fips            +yes      +disabled +NIST-certified core packages
++        fips-updates    +yes      +disabled +NIST-certified core packages with priority security updates
++        ros             +yes      +disabled +Security Updates for the Robot Operating System
++        ros-updates     +yes      +disabled +All Updates for the Robot Operating System
++
++        Enable services with: pro enable <service>
++        """
++        When I verify root and non-root `pro status --all` calls have the same output
++        And I run `pro status --all` as non-root
++        Then stdout matches regexp:
++        """
++        SERVICE         +ENTITLED +STATUS   +DESCRIPTION
++        cc-eal          +yes      +disabled +Common Criteria EAL2 Provisioning Packages
++        cis             +yes      +disabled +Security compliance and audit tools
++        esm-apps        +yes      +enabled  +Expanded Security Maintenance for Applications
++        esm-infra       +yes      +enabled  +Expanded Security Maintenance for Infrastructure
++        fips            +yes      +disabled +NIST-certified core packages
++        fips-updates    +yes      +disabled +NIST-certified core packages with priority security updates
++        livepatch       +yes      +n/a      +Canonical Livepatch service
++        realtime-kernel +yes      +n/a      +Beta-version Ubuntu Kernel with PREEMPT_RT patches
++        ros             +yes      +disabled +Security Updates for the Robot Operating System
++        ros-updates     +yes      +disabled +All Updates for the Robot Operating System
++
++        Enable services with: pro enable <service>
++        """
++
++        Examples: ubuntu release
++           | release |
++           | xenial  |
++           | bionic  |
++
++    @series.focal
++    @uses.config.machine_type.lxd.container
++    Scenario Outline: Attached status in a ubuntu machine
++        Given a `<release>` machine with ubuntu-advantage-tools installed
++        When I attach `contract_token` with sudo
++        And I verify root and non-root `pro status` calls have the same output
++        And I run `pro status` as non-root
++        Then stdout matches regexp:
++        """
++        SERVICE         +ENTITLED +STATUS   +DESCRIPTION
++        esm-apps        +yes      +enabled  +Expanded Security Maintenance for Applications
++        esm-infra       +yes      +enabled  +Expanded Security Maintenance for Infrastructure
++        fips            +yes      +disabled +NIST-certified core packages
++        fips-updates    +yes      +disabled +NIST-certified core packages with priority security updates
++        usg             +yes      +disabled +Security compliance and audit tools
++
++        Enable services with: pro enable <service>
++        """
++        When I verify root and non-root `pro status --all` calls have the same output
++        And I run `pro status --all` as non-root
++        Then stdout matches regexp:
++        """
++        SERVICE         +ENTITLED +STATUS   +DESCRIPTION
++        cc-eal          +yes      +n/a      +Common Criteria EAL2 Provisioning Packages
++        esm-apps        +yes      +enabled  +Expanded Security Maintenance for Applications
++        esm-infra       +yes      +enabled  +Expanded Security Maintenance for Infrastructure
++        fips            +yes      +disabled +NIST-certified core packages
++        fips-updates    +yes      +disabled +NIST-certified core packages with priority security updates
++        livepatch       +yes      +n/a      +Canonical Livepatch service
++        realtime-kernel +yes      +n/a      +Beta-version Ubuntu Kernel with PREEMPT_RT patches
++        ros             +yes      +n/a      +Security Updates for the Robot Operating System
++        ros-updates     +yes      +n/a      +All Updates for the Robot Operating System
++        usg             +yes      +disabled +Security compliance and audit tools
++
++        Enable services with: pro enable <service>
++        """
++
++        Examples: ubuntu release
++           | release |
++           | focal   |
++
++    @series.jammy
++    @uses.config.machine_type.lxd.container
++    Scenario Outline: Attached status in the latest LTS ubuntu machine
++        Given a `<release>` machine with ubuntu-advantage-tools installed
++        When I attach `contract_token` with sudo
++        And I verify root and non-root `pro status` calls have the same output
++        And I run `pro status` as non-root
++        Then stdout matches regexp:
++        """
++        SERVICE         +ENTITLED +STATUS   +DESCRIPTION
++        esm-apps        +yes      +enabled  +Expanded Security Maintenance for Applications
++        esm-infra       +yes      +enabled  +Expanded Security Maintenance for Infrastructure
++
++        Enable services with: pro enable <service>
++        """
++        When I verify root and non-root `pro status --all` calls have the same output
++        And I run `pro status --all` as non-root
++        Then stdout matches regexp:
++        """
++        SERVICE         +ENTITLED +STATUS   +DESCRIPTION
++        cc-eal          +yes      +n/a      +Common Criteria EAL2 Provisioning Packages
++        esm-apps        +yes      +enabled  +Expanded Security Maintenance for Applications
++        esm-infra       +yes      +enabled  +Expanded Security Maintenance for Infrastructure
++        fips            +yes      +n/a      +NIST-certified core packages
++        fips-updates    +yes      +n/a      +NIST-certified core packages with priority security updates
++        livepatch       +yes      +n/a      +Canonical Livepatch service
++        realtime-kernel +yes      +n/a      +Beta-version Ubuntu Kernel with PREEMPT_RT patches
++        ros             +yes      +n/a      +Security Updates for the Robot Operating System
++        ros-updates     +yes      +n/a      +All Updates for the Robot Operating System
++        usg             +yes      +n/a      +Security compliance and audit tools
++
++        Enable services with: pro enable <service>
++        """
++
++        Examples: ubuntu release
++           | release |
             | jammy   |
 diff --git a/features/aws-ids.yaml b/features/aws-ids.yaml
 deleted file mode 100644
 index 803f9ef..0000000
 --- a/features/aws-ids.yaml
 +++ /dev/null
@@ -1,7 +0,0 @@
--bionic: ami-0ab76d42180343ad1
--bionic-fips: ami-03b75f613f80bcff1
--focal: ami-098bbb131bcc971d9
--focal-fips: ami-02782bf2569bf457c
--jammy: ami-0e6235eb0fe67fd3c
--xenial: ami-011bcfe2bea365b6a
--xenial-fips: ami-077e4c339a098fc9f
 diff --git a/features/azure-ids.yaml b/features/azure-ids.yaml
 deleted file mode 100644
 index 5443e05..0000000
 --- a/features/azure-ids.yaml
 +++ /dev/null
@@ -1,7 +0,0 @@
--bionic: "Canonical:0001-com-ubuntu-pro-bionic:pro-18_04-lts"
--focal: "Canonical:0001-com-ubuntu-pro-focal:pro-20_04-lts"
--jammy: "Canonical:0001-com-ubuntu-pro-jammy:pro-22_04-lts"
--xenial: "Canonical:0001-com-ubuntu-pro-xenial:pro-16_04-lts"
--bionic-fips: "Canonical:0001-com-ubuntu-pro-bionic-fips:pro-fips-18_04"
--xenial-fips: "Canonical:0001-com-ubuntu-pro-xenial-fips:pro-fips-16_04-private"
--focal-fips: "Canonical:0001-com-ubuntu-pro-focal-fips:pro-fips-20_04"
 diff --git a/features/cloud.py b/features/cloud.py
 index 29d8924..ea030b6 100644
 --- a/features/cloud.py
 +++ b/features/cloud.py
@@ -6,7 +6,7 @@ from typing import List, Optional
  import pycloudlib  # type: ignore
  import toml
--import yaml
++from pycloudlib.cloud import ImageType  # type: ignore
  DEFAULT_CONFIG_PATH = "~/.config/pycloudlib.toml"
@@ -28,7 +28,6 @@ class Cloud:
      """
      name = ""
--    pro_ids_path = ""
      def __init__(
          self,
@@ -195,17 +194,13 @@ class Cloud:
                  "Must provide either series or image_name to launch azure"
+             )
--        if "pro" in self.machine_type:
--            with open(self.pro_ids_path, "r") as stream:
--                pro_ids = yaml.safe_load(stream.read())
--            if "fips" in self.machine_type:
--                image_name = pro_ids[series + "-fips"]
--            else:
--                image_name = pro_ids[series]
--        else:
--            image_name = self.api.daily_image(release=series)
++        image_type = ImageType.GENERIC
++        if "pro.fips" in self.machine_type:
++            image_type = ImageType.PRO_FIPS
++        elif "pro" in self.machine_type:
++            image_type = ImageType.PRO
--        return image_name
++        return self.api.daily_image(release=series, image_type=image_type)
      def manage_ssh_key(
          self,
@@ -243,7 +238,6 @@ class EC2(Cloud):
      """Class that represents the EC2 cloud provider."""
      name = "aws"
--    pro_ids_path = "features/aws-ids.yaml"
      @property
      def pycloudlib_cls(self):
@@ -334,7 +328,6 @@ class Azure(Cloud):
      """Class that represents the Azure cloud provider."""
      name = "Azure"
--    pro_ids_path = "features/azure-ids.yaml"
      @property
      def pycloudlib_cls(self):
@@ -439,7 +432,6 @@ class GCP(Cloud):
      """Class that represents the Google Cloud Platform cloud provider."""
      name = "gcp"
--    pro_ids_path = "features/gcp-ids.yaml"
      cls_type = pycloudlib.GCE
      @property
 diff --git a/features/cloud_pro_clone.feature b/features/cloud_pro_clone.feature
 new file mode 100644
 index 0000000..f08bff0
 --- /dev/null
 +++ b/features/cloud_pro_clone.feature
@@ -0,0 +1,65 @@
++Feature: Creating golden images based on Cloud Ubuntu Pro instances
++
++    @series.lts
++    @uses.config.machine_type.aws.pro
++    @uses.config.machine_type.azure.pro
++    @uses.config.machine_type.gcp.pro
++    Scenario Outline: Create a Pro fips-updates image and launch
++        Given a `<release>` machine with ubuntu-advantage-tools installed
++        When I create the file `/etc/ubuntu-advantage/uaclient.conf` with the following:
++        """
++        contract_url: 'https://contracts.canonical.com'
++        data_dir: /var/lib/ubuntu-advantage
++        log_level: debug
++        log_file: /var/log/ubuntu-advantage.log
++        """
++        When I run `pro auto-attach` with sudo
++        And I run `pro status --format yaml` with sudo
++        Then stdout matches regexp:
++        """
++        attached: true
++        """
++        When I run `apt install -y jq` with sudo
++        When I save the `activityInfo.activityToken` value from the contract
++        When I save the `activityInfo.activityID` value from the contract
++        When I run `pro enable fips-updates --assume-yes` with sudo
++        And I run `pro status --format yaml` with sudo
++        Then stdout matches regexp:
++        """
++          name: fips-updates
++          status: enabled
++        """
++        When I reboot the machine
++        When I take a snapshot of the machine
++        When I reboot the machine
++        When I run `python3 /usr/lib/ubuntu-advantage/timer.py` with sudo
++        Then I verify that `activityInfo.activityToken` value has been updated on the contract
++        Then I verify that `activityInfo.activityID` value has not been updated on the contract
++        When I launch a `clone` machine from the snapshot
++        # The clone will run auto-attach on boot
++        When I run `pro status --wait` `with sudo` on the `clone` machine
++        When I run `pro status --format yaml` `with sudo` on the `clone` machine
++        Then stdout matches regexp:
++        """
++        attached: true
++        """
++        When I run `python3 /usr/lib/ubuntu-advantage/timer.py` `with sudo` on the `clone` machine
++        Then I verify that `activityInfo.activityToken` value has been updated on the contract on the `clone` machine
++        Then I verify that `activityInfo.activityID` value has been updated on the contract on the `clone` machine
++        When I run `pro status --format yaml` `with sudo` on the `clone` machine

Ubuntuubuntu-advantage-tools package

Merge ~renanrodrigo/ubuntu/+source/ubuntu-advantage-tools:upload-27.11-kinetic into ubuntu/+source/ubuntu-advantage-tools:ubuntu/devel

Commit message

Description of the change

Preview Diff

Subscribers

Ubuntu
ubuntu-advantage-tools package