Re: [Cloud-init-dev] [Merge] ~daniel-thewatkins/cloud-init/+git/cloud-init:feature/cc-uaclient into cloud-init:master
This looks good Dan, I have a couple of comments inline.

One thing I think this lacks for our ability to test is the ability to adapt ua client configuration to point to contracts.staging.canonical.com. This could be resolved by making sure we provide a #cloud-config like the following, though I expect we'll need to base64 encode the "content" value.

write_files:
  - content: |
      # ua-contracts staging config
      sso_auth_url: 'https://login.ubuntu.com'
      contract_url: 'https://contracts.staging.canonical.com'
      data_dir: /var/lib/ubuntu-advantage
      log_level: info
      log_file: /var/log/ubuntu-advantage.log
    path: /etc/ubuntu-advantage/uaclient.conf

Diff comments: > diff --git a/cloudinit/config/cc_ubuntu_advantage.py > b/cloudinit/config/cc_ubuntu_advantage.py > index 5e082bd..9732ffa 100644 > --- a/cloudinit/config/cc_ubuntu_advantage.py > +++ b/cloudinit/config/cc_ubuntu_advantage.py 
> @@ -1,150 +1,125 @@ > -# Copyright (C) 2018 Canonical Ltd. > -# > # This file is part of cloud-init. See LICENSE file for license information. > > -"""Ubuntu advantage: manage ubuntu-advantage offerings from Canonical.""" > +"""ubuntu_advantage: Configure Ubuntu Advantage support entitlements""" > > -import sys > from textwrap import dedent > > -from cloudinit import log as logging > from cloudinit.config.schema import ( > get_schema_doc, validate_cloudconfig_schema) > +from cloudinit import log as logging > from cloudinit.settings import PER_INSTANCE > -from cloudinit.subp import prepend_base_command > from cloudinit import util > > > -distros = ['ubuntu'] > -frequency = PER_INSTANCE > +UA_URL = 'https://ubuntu.com/advantage' > > -LOG = logging.getLogger(__name__) > +distros = ['ubuntu'] > > schema = { > 'id': 'cc_ubuntu_advantage', > 'name': 'Ubuntu Advantage', > -'title': 'Install, configure and manage ubuntu-advantage offerings', > +'title': 'Configure Ubuntu Advantage support entitlements', > 'description': dedent("""\ > -This module provides configuration options to setup ubuntu-advantage > -subscriptions. > - > -.. note:: > -Both ``commands`` value can be either a dictionary or a list. If > -the configuration provided is a dictionary, the keys are only > used > -to order the execution of the commands and the dictionary is > -merged with any vendor-data ubuntu-advantage configuration > -provided. If a ``commands`` is provided as a list, any > vendor-data > -ubuntu-advantage ``commands`` are ignored. > - > -Ubuntu-advantage ``commands`` is a dictionary or list of > -ubuntu-advantage commands to run on the deployed machine. > -These commands can be used to enable or disable subscriptions to > -various ubuntu-advantage products. See 'man ubuntu-advantage' for > more > -information on supported subcommands. > - > -.. note:: > - Each command item can be a string or list. 
If the item is a list, > - 'ubuntu-advantage' can be omitted and it will automatically be > - inserted as part of the command. > +Attach machine to an existing Ubuntu Advantage support contract and > +enable or disable support entitlements such as livepatch, ESM, Livepatch is capitalized. I think we probably should mention Common Criteria (doc reference https://docs.ubuntu.com/security-certs/en/cc-16). As far as I know cis-audit may not make it in this release so might want to omit that. > +FIPS, FIPS Updates and CIS Audit tools. When attaching a machine to > +Ubuntu Advantage, one can also specify entitlements to > +enable. When the 'entitlements' list is present, any named > entitlement > +will be enabled and all absent entitlements will remain disabled. > + > +Note that when enabling FIPS or FIPS updates you will need to > schedule > +a reboot to ensure the machine is running the FIPS-compliant kernel. > +See :ref:`Power State Change` for information on how to configure > +cloud-init to perform this reboot. > """), > 'distros': distros, > 'examples': [dedent("""\ > -# Enable Extended Security Maintenance using your service auth token > +# Attach the machine to a Ubuntu Advantage support contract with a > +# UA user token obtained from %s. > +ubuntu_advantage: > + token: It is officially called a UA contact token, and currently should be obtained from UA_URL = auth.contracts.canonical.com but I *think* ubuntu.com/advantage should redirect or reference that once the service is public. Anyway it's the text we point uaclient users at as well so it's probably good as is > +""" % UA_URL), dedent("""\ > +# Attach the machine to an Ubuntu Advantage support contract enabling > +# only fips and esm entitlements. Entitlements
Re: [Cloud-init-dev] [Merge] ~daniel-thewatkins/cloud-init/+git/cloud-init:feature/cc-uaclient into cloud-init:master
Review: Needs Fixing continuous-integration

FAILED: Continuous integration, rev:bb88e481d9e3463a110a1a55d6e4980328d9dcb8

No commit message was specified in the merge proposal. Click on the following link and set the commit message (if you want a jenkins rebuild you need to trigger it yourself):
https://code.launchpad.net/~daniel-thewatkins/cloud-init/+git/cloud-init/+merge/365366/+edit-commit-message

https://jenkins.ubuntu.com/server/job/cloud-init-ci/658/
Executed test runs:
    SUCCESS: Checkout
    SUCCESS: Unit & Style Tests
    SUCCESS: Ubuntu LTS: Build
    SUCCESS: Ubuntu LTS: Integration
    IN_PROGRESS: Declarative: Post Actions

Click here to trigger a rebuild:
https://jenkins.ubuntu.com/server/job/cloud-init-ci/658/rebuild

--
https://code.launchpad.net/~daniel-thewatkins/cloud-init/+git/cloud-init/+merge/365366
Your team cloud-init commiters is requested to review the proposed merge of ~daniel-thewatkins/cloud-init/+git/cloud-init:feature/cc-uaclient into cloud-init:master.

___
Mailing list: https://launchpad.net/~cloud-init-dev
Post to : cloud-init-dev@lists.launchpad.net
Unsubscribe : https://launchpad.net/~cloud-init-dev
More help : https://help.launchpad.net/ListHelp
Re: [Cloud-init-dev] [Merge] ~daniel-thewatkins/cloud-init/+git/cloud-init:feature/cc-uaclient into cloud-init:master
This is a re-submission of Chad's branch (which was previously reviewed at https://code.launchpad.net/~chad.smith/cloud-init/+git/cloud-init/+merge/362161). I've addressed much of the review feedback there (generally in separate commits, so review my new commits to understand the changes I've made); the remaining unaddressed item I have inserted inline here for discussion. Diff comments: > diff --git a/cloudinit/config/cc_ubuntu_advantage.py > b/cloudinit/config/cc_ubuntu_advantage.py > index 5e082bd..9732ffa 100644 > --- a/cloudinit/config/cc_ubuntu_advantage.py > +++ b/cloudinit/config/cc_ubuntu_advantage.py 
> @@ -159,14 +134,26 @@ def maybe_install_ua_tools(cloud): > > > def handle(name, cfg, cloud, log, args): > -cfgin = cfg.get('ubuntu-advantage') > -if cfgin is None: > +if 'ubuntu-advantage' in cfg: > +msg = ('Deprecated configuration key "ubuntu-advantage" provided.' Ryan said: > do we really want to raise runtime error on deprecated config? > I think logging a warning and doing the ua attach is a better outcome, right? > + ' Expected underscore delimited "ubuntu_advantage"') > +LOG.error(msg) > +raise RuntimeError(msg) > +ua_section = cfg.get('ubuntu_advantage') > +if ua_section is None: > LOG.debug(("Skipping module named %s," > - " no 'ubuntu-advantage' key in configuration"), name) > + " no 'ubuntu_advantage' configuration found"), name) > return > - > validate_cloudconfig_schema(cfg, schema) > +if 'commands' in ua_section: > +msg = ( > +'Deprecated configuration "ubuntu_advantage: commands" provided.' > +' Expected "token"') > +LOG.error(msg) > +raise RuntimeError(msg) > + > maybe_install_ua_tools(cloud) > -run_commands(cfgin.get('commands', [])) > +configure_ua(token=ua_section.get('token'), > + entitlements=ua_section.get('entitlements')) > > # vi: ts=4 expandtab -- https://code.launchpad.net/~daniel-thewatkins/cloud-init/+git/cloud-init/+merge/365366 Your team cloud-init commiters is requested to review the proposed merge of ~daniel-thewatkins/cloud-init/+git/cloud-init:feature/cc-uaclient into cloud-init:master. ___ Mailing list: https://launchpad.net/~cloud-init-dev Post to : cloud-init-dev@lists.launchpad.net Unsubscribe : https://launchpad.net/~cloud-init-dev More help : https://help.launchpad.net/ListHelp
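Review bot: In handle(), the `'commands' in ua_section` test and the later `ua_section.get('token')` assume `ua_section` is a mapping, but the only guard ahead of them is `validate_cloudconfig_schema(cfg, schema)` called without `strict=True`, so by default a schema violation is logged as a warning rather than raised. With a scalar value under `ubuntu_advantage:` the `in` test becomes a substring check and `.get` fails with AttributeError instead of a clear message. Consider an explicit type check that raises the same style of RuntimeError as the deprecated-key branches, or strict validation for this module. Also note that `token=ua_section.get('token')` passes None when the key is absent, so configure_ua needs to reject an empty token before calling the client.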
[Cloud-init-dev] [Merge] ~daniel-thewatkins/cloud-init/+git/cloud-init:feature/cc-uaclient into cloud-init:master
Dan Watkins has proposed merging ~daniel-thewatkins/cloud-init/+git/cloud-init:feature/cc-uaclient into cloud-init:master.

Requested reviews:
  cloud-init commiters (cloud-init-dev)

For more details, see:
https://code.launchpad.net/~daniel-thewatkins/cloud-init/+git/cloud-init/+merge/365366
--
Your team cloud-init commiters is requested to review the proposed merge of ~daniel-thewatkins/cloud-init/+git/cloud-init:feature/cc-uaclient into cloud-init:master.

diff --git a/cloudinit/config/cc_ubuntu_advantage.py b/cloudinit/config/cc_ubuntu_advantage.py index 5e082bd..9732ffa 100644 --- a/cloudinit/config/cc_ubuntu_advantage.py +++ b/cloudinit/config/cc_ubuntu_advantage.py 
@@ -1,150 +1,125 @@ -# Copyright (C) 2018 Canonical Ltd. -# # This file is part of cloud-init. See LICENSE file for license information. -"""Ubuntu advantage: manage ubuntu-advantage offerings from Canonical.""" +"""ubuntu_advantage: Configure Ubuntu Advantage support entitlements""" -import sys from textwrap import dedent -from cloudinit import log as logging from cloudinit.config.schema import ( get_schema_doc, validate_cloudconfig_schema) +from cloudinit import log as logging from cloudinit.settings import PER_INSTANCE -from cloudinit.subp import prepend_base_command from cloudinit import util -distros = ['ubuntu'] -frequency = PER_INSTANCE +UA_URL = 'https://ubuntu.com/advantage' -LOG = logging.getLogger(__name__) +distros = ['ubuntu'] schema = { 'id': 'cc_ubuntu_advantage', 'name': 'Ubuntu Advantage', -'title': 'Install, configure and manage ubuntu-advantage offerings', +'title': 'Configure Ubuntu Advantage support entitlements', 'description': dedent("""\ -This module provides configuration options to setup ubuntu-advantage -subscriptions. - -.. note:: -Both ``commands`` value can be either a dictionary or a list. If -the configuration provided is a dictionary, the keys are only used -to order the execution of the commands and the dictionary is -merged with any vendor-data ubuntu-advantage configuration -provided. If a ``commands`` is provided as a list, any vendor-data -ubuntu-advantage ``commands`` are ignored. - -Ubuntu-advantage ``commands`` is a dictionary or list of -ubuntu-advantage commands to run on the deployed machine. -These commands can be used to enable or disable subscriptions to -various ubuntu-advantage products. See 'man ubuntu-advantage' for more -information on supported subcommands. - -.. note:: - Each command item can be a string or list. If the item is a list, - 'ubuntu-advantage' can be omitted and it will automatically be - inserted as part of the command. 
+Attach machine to an existing Ubuntu Advantage support contract and +enable or disable support entitlements such as livepatch, ESM, +FIPS, FIPS Updates and CIS Audit tools. When attaching a machine to +Ubuntu Advantage, one can also specify entitlements to +enable. When the 'entitlements' list is present, any named entitlement +will be enabled and all absent entitlements will remain disabled. + +Note that when enabling FIPS or FIPS updates you will need to schedule +a reboot to ensure the machine is running the FIPS-compliant kernel. +See :ref:`Power State Change` for information on how to configure +cloud-init to perform this reboot. """), 'distros': distros, 'examples': [dedent("""\ -# Enable Extended Security Maintenance using your service auth token +# Attach the machine to a Ubuntu Advantage support contract with a +# UA user token obtained from %s. +ubuntu_advantage: + token: +""" % UA_URL), dedent("""\ +# Attach the machine to an Ubuntu Advantage support contract enabling +# only fips and esm entitlements. Entitlements will only be enabled if +# the environment supports said entitlement. Otherwise warnings will +# be logged for incompatible entitlements specified. ubuntu-advantage: -commands: - 00: ubuntu-advantage enable-esm + token: + entitlements: + - fips + - esm """), dedent("""\ -# Enable livepatch by providing your livepatch token +# Attach the machine to an Ubuntu Advantage support contract and enable +# the FIPS entitlement. Perform a reboot once cloud-init has +# completed. +power_state: + mode: reboot ubuntu-advantage: -commands: -00: ubuntu-advantage enable-livepatch - -"""), dedent("""\ -# Convenience: the ubuntu-advantage command can be omitted when -# specifying commands as a list and 'ubuntu-advantage' will -# automatically be prepended. -
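Review bot: The second and third schema examples still carry the hyphenated `ubuntu-advantage:` key, left as an unchanged context line above the new `token:` and `entitlements:` additions, while the first example uses `ubuntu_advantage:`. The handle() hunk of this same proposal, quoted elsewhere in this thread, raises RuntimeError when `ubuntu-advantage` is present, so those two documented examples would fail as written; change both context lines to `ubuntu_advantage:`. A smaller style point in the same examples: the first comment reads "a Ubuntu Advantage support contract" and the other two read "an Ubuntu Advantage support contract", so pick one.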
Re: [Cloud-init-dev] [Merge] ~daniel-thewatkins/cloud-init/+git/cloud-init:feature/cc-uaclient into cloud-init:master
(Moving this to Needs Review, but please leave me to mark it Approved; it hasn't yet received any integration testing, and I would like to do some before it lands.)