Re: [Cloud-init-dev] [Merge] ~daniel-thewatkins/cloud-init/+git/cloud-init:feature/cc-uaclient into cloud-init:master

2019-04-01 Thread Chad Smith
This looks good Dan, I have a couple of comments inline.

One thing I think this lacks for our ability to test is the ability to adapt 
ua client configuration to point to contracts.staging.canonical.com.

This could be resolved by making sure we provide a #cloud-config like the 
following, though I expect we'll need to base64 encode the "content" value.


write_files:
-   content: |
        # ua-contracts staging config
        sso_auth_url: 'https://login.ubuntu.com'
        contract_url: 'https://contracts.staging.canonical.com'
        data_dir: /var/lib/ubuntu-advantage
        log_level: info
        log_file: /var/log/ubuntu-advantage.log
    path: /etc/ubuntu-advantage/uaclient.conf

Diff comments:

> diff --git a/cloudinit/config/cc_ubuntu_advantage.py 
> b/cloudinit/config/cc_ubuntu_advantage.py
> index 5e082bd..9732ffa 100644
> --- a/cloudinit/config/cc_ubuntu_advantage.py
> +++ b/cloudinit/config/cc_ubuntu_advantage.py
> @@ -1,150 +1,125 @@
> -# Copyright (C) 2018 Canonical Ltd.
> -#
>  # This file is part of cloud-init. See LICENSE file for license information.
>  
> -"""Ubuntu advantage: manage ubuntu-advantage offerings from Canonical."""
> +"""ubuntu_advantage: Configure Ubuntu Advantage support entitlements"""
>  
> -import sys
>  from textwrap import dedent
>  
> -from cloudinit import log as logging
>  from cloudinit.config.schema import (
>  get_schema_doc, validate_cloudconfig_schema)
> +from cloudinit import log as logging
>  from cloudinit.settings import PER_INSTANCE
> -from cloudinit.subp import prepend_base_command
>  from cloudinit import util
>  
>  
> -distros = ['ubuntu']
> -frequency = PER_INSTANCE
> +UA_URL = 'https://ubuntu.com/advantage'
>  
> -LOG = logging.getLogger(__name__)
> +distros = ['ubuntu']
>  
>  schema = {
>  'id': 'cc_ubuntu_advantage',
>  'name': 'Ubuntu Advantage',
> -'title': 'Install, configure and manage ubuntu-advantage offerings',
> +'title': 'Configure Ubuntu Advantage support entitlements',
>  'description': dedent("""\
> -This module provides configuration options to setup ubuntu-advantage
> -subscriptions.
> -
> -.. note::
> -Both ``commands`` value can be either a dictionary or a list. If
> -the configuration provided is a dictionary, the keys are only 
> used
> -to order the execution of the commands and the dictionary is
> -merged with any vendor-data ubuntu-advantage configuration
> -provided. If a ``commands`` is provided as a list, any 
> vendor-data
> -ubuntu-advantage ``commands`` are ignored.
> -
> -Ubuntu-advantage ``commands`` is a dictionary or list of
> -ubuntu-advantage commands to run on the deployed machine.
> -These commands can be used to enable or disable subscriptions to
> -various ubuntu-advantage products. See 'man ubuntu-advantage' for 
> more
> -information on supported subcommands.
> -
> -.. note::
> -   Each command item can be a string or list. If the item is a list,
> -   'ubuntu-advantage' can be omitted and it will automatically be
> -   inserted as part of the command.
> +Attach machine to an existing Ubuntu Advantage support contract and
> +enable or disable support entitlements such as livepatch, ESM,

Livepatch is capitalized. I think we probably should mention Common Criteria 
(doc reference https://docs.ubuntu.com/security-certs/en/cc-16). As far as I 
know cis-audit may not make it in this release so might want to omit that.

> +FIPS, FIPS Updates and CIS Audit tools. When attaching a machine to
> +Ubuntu Advantage, one can also specify entitlements to
> +enable.  When the 'entitlements' list is present, any named 
> entitlement
> +will be enabled and all absent entitlements will remain disabled.
> +
> +Note that when enabling FIPS or FIPS updates you will need to 
> schedule
> +a reboot to ensure the machine is running the FIPS-compliant kernel.
> +See :ref:`Power State Change` for information on how to configure
> +cloud-init to perform this reboot.
>  """),
>  'distros': distros,
>  'examples': [dedent("""\
> -# Enable Extended Security Maintenance using your service auth token
> +# Attach the machine to a Ubuntu Advantage support contract with a
> +# UA user token obtained from %s.
> +ubuntu_advantage:
> +  token: 

It is officially called a UA contact token, and currently should be obtained 
from UA_URL = auth.contracts.canonical.com but I *think* ubuntu.com/advantage 
should redirect or reference that once the service is public. Anyway it's the 
text we point uaclient users at as well so it's probably good as is.

> +""" % UA_URL), dedent("""\
> +# Attach the machine to an Ubuntu Advantage support contract enabling
> +# only fips and esm entitlements. Entitlements 
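
Review bot: the new 'description' text says the module can "enable or disable support entitlements", but the only control it documents is the 'entitlements' list, which enables the named entitlements and leaves the absent ones disabled; nothing in the visible lines turns off an entitlement that is already on. Suggest rewording to "enable support entitlements" or documenting how a disable is expressed. The example comments also disagree on the article ("a Ubuntu Advantage" in the first, "an Ubuntu Advantage" in the second); pick one.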

Re: [Cloud-init-dev] [Merge] ~daniel-thewatkins/cloud-init/+git/cloud-init:feature/cc-uaclient into cloud-init:master

2019-04-01 Thread Server Team CI bot
Review: Needs Fixing continuous-integration

FAILED: Continuous integration, rev:bb88e481d9e3463a110a1a55d6e4980328d9dcb8
No commit message was specified in the merge proposal. Click on the following 
link and set the commit message (if you want a jenkins rebuild you need to 
trigger it yourself):
https://code.launchpad.net/~daniel-thewatkins/cloud-init/+git/cloud-init/+merge/365366/+edit-commit-message

https://jenkins.ubuntu.com/server/job/cloud-init-ci/658/
Executed test runs:
SUCCESS: Checkout
SUCCESS: Unit & Style Tests
SUCCESS: Ubuntu LTS: Build
SUCCESS: Ubuntu LTS: Integration
IN_PROGRESS: Declarative: Post Actions

Click here to trigger a rebuild:
https://jenkins.ubuntu.com/server/job/cloud-init-ci/658/rebuild

-- 
https://code.launchpad.net/~daniel-thewatkins/cloud-init/+git/cloud-init/+merge/365366
Your team cloud-init commiters is requested to review the proposed merge of 
~daniel-thewatkins/cloud-init/+git/cloud-init:feature/cc-uaclient into 
cloud-init:master.

___
Mailing list: https://launchpad.net/~cloud-init-dev
Post to : cloud-init-dev@lists.launchpad.net
Unsubscribe : https://launchpad.net/~cloud-init-dev
More help   : https://help.launchpad.net/ListHelp


Re: [Cloud-init-dev] [Merge] ~daniel-thewatkins/cloud-init/+git/cloud-init:feature/cc-uaclient into cloud-init:master

2019-04-01 Thread Dan Watkins
This is a re-submission of Chad's branch (which was previously reviewed at 
https://code.launchpad.net/~chad.smith/cloud-init/+git/cloud-init/+merge/362161). 
I've addressed much of the review feedback there (generally in separate 
commits, so review my new commits to understand the changes I've made); the 
remaining unaddressed item I have inserted inline here for discussion.

Diff comments:

> diff --git a/cloudinit/config/cc_ubuntu_advantage.py 
> b/cloudinit/config/cc_ubuntu_advantage.py
> index 5e082bd..9732ffa 100644
> --- a/cloudinit/config/cc_ubuntu_advantage.py
> +++ b/cloudinit/config/cc_ubuntu_advantage.py
> @@ -159,14 +134,26 @@ def maybe_install_ua_tools(cloud):
>  
>  
>  def handle(name, cfg, cloud, log, args):
> -cfgin = cfg.get('ubuntu-advantage')
> -if cfgin is None:
> +if 'ubuntu-advantage' in cfg:
> +msg = ('Deprecated configuration key "ubuntu-advantage" provided.'

Ryan said:
> do we really want to raise runtime error on deprecated config?
> I think logging a warning and doing the ua attach is a better outcome, right?

> +   ' Expected underscore delimited "ubuntu_advantage"')
> +LOG.error(msg)
> +raise RuntimeError(msg)
> +ua_section = cfg.get('ubuntu_advantage')
> +if ua_section is None:
>  LOG.debug(("Skipping module named %s,"
> -   " no 'ubuntu-advantage' key in configuration"), name)
> +   " no 'ubuntu_advantage' configuration found"), name)
>  return
> -
>  validate_cloudconfig_schema(cfg, schema)
> +if 'commands' in ua_section:
> +msg = (
> +'Deprecated configuration "ubuntu_advantage: commands" provided.'
> +' Expected "token"')
> +LOG.error(msg)
> +raise RuntimeError(msg)
> +
>  maybe_install_ua_tools(cloud)
> -run_commands(cfgin.get('commands', []))
> +configure_ua(token=ua_section.get('token'),
> + entitlements=ua_section.get('entitlements'))
>  
>  # vi: ts=4 expandtab
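
Review bot: in handle(), the check for the deprecated 'ubuntu-advantage' key runs before cfg.get('ubuntu_advantage'), so a merged config that carries both the old and the new key raises RuntimeError even though a usable ubuntu_advantage section is present. Consider raising only when the new key is absent and logging a warning when both are there. Further down, ua_section.get('token') is passed to configure_ua() with no presence check in this hunk; if schema validation does not stop the run on a missing token, fail here with a clear message instead of passing None along.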




[Cloud-init-dev] [Merge] ~daniel-thewatkins/cloud-init/+git/cloud-init:feature/cc-uaclient into cloud-init:master

2019-04-01 Thread Dan Watkins
Dan Watkins has proposed merging 
~daniel-thewatkins/cloud-init/+git/cloud-init:feature/cc-uaclient into 
cloud-init:master.

Requested reviews:
  cloud-init commiters (cloud-init-dev)

For more details, see:
https://code.launchpad.net/~daniel-thewatkins/cloud-init/+git/cloud-init/+merge/365366
diff --git a/cloudinit/config/cc_ubuntu_advantage.py b/cloudinit/config/cc_ubuntu_advantage.py
index 5e082bd..9732ffa 100644
--- a/cloudinit/config/cc_ubuntu_advantage.py
+++ b/cloudinit/config/cc_ubuntu_advantage.py
@@ -1,150 +1,125 @@
-# Copyright (C) 2018 Canonical Ltd.
-#
 # This file is part of cloud-init. See LICENSE file for license information.
 
-"""Ubuntu advantage: manage ubuntu-advantage offerings from Canonical."""
+"""ubuntu_advantage: Configure Ubuntu Advantage support entitlements"""
 
-import sys
 from textwrap import dedent
 
-from cloudinit import log as logging
 from cloudinit.config.schema import (
 get_schema_doc, validate_cloudconfig_schema)
+from cloudinit import log as logging
 from cloudinit.settings import PER_INSTANCE
-from cloudinit.subp import prepend_base_command
 from cloudinit import util
 
 
-distros = ['ubuntu']
-frequency = PER_INSTANCE
+UA_URL = 'https://ubuntu.com/advantage'
 
-LOG = logging.getLogger(__name__)
+distros = ['ubuntu']
 
 schema = {
 'id': 'cc_ubuntu_advantage',
 'name': 'Ubuntu Advantage',
-'title': 'Install, configure and manage ubuntu-advantage offerings',
+'title': 'Configure Ubuntu Advantage support entitlements',
 'description': dedent("""\
-This module provides configuration options to setup ubuntu-advantage
-subscriptions.
-
-.. note::
-Both ``commands`` value can be either a dictionary or a list. If
-the configuration provided is a dictionary, the keys are only used
-to order the execution of the commands and the dictionary is
-merged with any vendor-data ubuntu-advantage configuration
-provided. If a ``commands`` is provided as a list, any vendor-data
-ubuntu-advantage ``commands`` are ignored.
-
-Ubuntu-advantage ``commands`` is a dictionary or list of
-ubuntu-advantage commands to run on the deployed machine.
-These commands can be used to enable or disable subscriptions to
-various ubuntu-advantage products. See 'man ubuntu-advantage' for more
-information on supported subcommands.
-
-.. note::
-   Each command item can be a string or list. If the item is a list,
-   'ubuntu-advantage' can be omitted and it will automatically be
-   inserted as part of the command.
+Attach machine to an existing Ubuntu Advantage support contract and
+enable or disable support entitlements such as livepatch, ESM,
+FIPS, FIPS Updates and CIS Audit tools. When attaching a machine to
+Ubuntu Advantage, one can also specify entitlements to
+enable.  When the 'entitlements' list is present, any named entitlement
+will be enabled and all absent entitlements will remain disabled.
+
+Note that when enabling FIPS or FIPS updates you will need to schedule
+a reboot to ensure the machine is running the FIPS-compliant kernel.
+See :ref:`Power State Change` for information on how to configure
+cloud-init to perform this reboot.
 """),
 'distros': distros,
 'examples': [dedent("""\
-# Enable Extended Security Maintenance using your service auth token
+# Attach the machine to a Ubuntu Advantage support contract with a
+# UA user token obtained from %s.
+ubuntu_advantage:
+  token: 
+""" % UA_URL), dedent("""\
+# Attach the machine to an Ubuntu Advantage support contract enabling
+# only fips and esm entitlements. Entitlements will only be enabled if
+# the environment supports said entitlement. Otherwise warnings will
+# be logged for incompatible entitlements specified.
 ubuntu-advantage:
-commands:
-  00: ubuntu-advantage enable-esm 
+  token: 
+  entitlements:
+  - fips
+  - esm
 """), dedent("""\
-# Enable livepatch by providing your livepatch token
+# Attach the machine to an Ubuntu Advantage support contract and enable
+# the FIPS entitlement.  Perform a reboot once cloud-init has
+# completed.
+power_state:
+  mode: reboot
 ubuntu-advantage:
-commands:
-00: ubuntu-advantage enable-livepatch 
-
-"""), dedent("""\
-# Convenience: the ubuntu-advantage command can be omitted when
-# specifying commands as a list and 'ubuntu-advantage' will
-# automatically be prepended.
-
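
Review bot: the second and third entries in 'examples' still use the hyphenated top-level key: the unchanged context lines read "ubuntu-advantage:" directly above the new "token:" and "entitlements:" lines, while the first example uses "ubuntu_advantage:". The handle() change in this proposal logs an error and raises RuntimeError when 'ubuntu-advantage' is present in cfg, so anyone copying those two examples from the rendered docs gets a failed module run. Change both to "ubuntu_advantage:" so the documented examples pass the module's own check.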

Re: [Cloud-init-dev] [Merge] ~daniel-thewatkins/cloud-init/+git/cloud-init:feature/cc-uaclient into cloud-init:master

2019-04-01 Thread Dan Watkins
(Moving this to Needs Review, but please leave me to mark it Approved; it 
hasn't yet received any integration testing, and I would like to do some before 
it lands.)