From c04c147c80e7facdc4cf5063a229d7e6378f2b04 Mon Sep 17 00:00:00 2001 From: Grant Orndorff Date: Tue, 15 Aug 2023 16:19:51 -0400 Subject: [PATCH] refactor: move help text into code --- debian/ubuntu-advantage-tools.maintscript | 1 + features/attached_commands.feature | 58 ++++++------ features/unattached_commands.feature | 14 +-- help_data.yaml | 109 ---------------------- setup.py | 2 +- uaclient/defaults.py | 1 - uaclient/entitlements/anbox.py | 9 ++ uaclient/entitlements/base.py | 32 +++---- uaclient/entitlements/cc.py | 5 + uaclient/entitlements/cis.py | 5 + uaclient/entitlements/esm.py | 14 +++ uaclient/entitlements/fips.py | 13 ++- uaclient/entitlements/landscape.py | 7 ++ uaclient/entitlements/livepatch.py | 7 ++ uaclient/entitlements/realtime.py | 7 ++ uaclient/entitlements/ros.py | 13 +++ uaclient/tests/test_cli.py | 5 +- 17 files changed, 127 insertions(+), 175 deletions(-) delete mode 100644 help_data.yaml diff --git a/debian/ubuntu-advantage-tools.maintscript b/debian/ubuntu-advantage-tools.maintscript index f4c89c9d3d..69ec4eddc5 100644 --- a/debian/ubuntu-advantage-tools.maintscript +++ b/debian/ubuntu-advantage-tools.maintscript @@ -4,3 +4,4 @@ rm_conffile /etc/update-motd.d/80-livepatch 19.1~ ubuntu-advantage-tools rm_conffile /etc/cron.daily/ubuntu-advantage-tools 19.1~ ubuntu-advantage-tools rm_conffile /etc/init/ua-auto-attach.conf 20.2~ ubuntu-advantage-tools rm_conffile /etc/update-motd.d/88-esm-announce 27.14~ ubuntu-advantage-tools +rm_conffile /etc/ubuntu-advantage/help_data.yaml 30~ ubuntu-advantage-tools diff --git a/features/attached_commands.feature b/features/attached_commands.feature index 6f5c45f557..e070270d5f 100644 --- a/features/attached_commands.feature +++ b/features/attached_commands.feature 
@@ -455,17 +455,17 @@ Feature: Command behaviour when attached to an Ubuntu Pro subscription Help: - Expanded Security Maintenance for Infrastructure provides access - to a private ppa which includes available high and critical CVE fixes - for Ubuntu LTS packages in the Ubuntu Main repository between the end - of the standard Ubuntu LTS security maintenance and its end of life. - It is enabled by default with Ubuntu Pro. You can find out more about - the service at https://ubuntu.com/security/esm + Expanded Security Maintenance for Infrastructure provides access to a private + PPA which includes available high and critical CVE fixes for Ubuntu LTS + packages in the Ubuntu Main repository between the end of the standard Ubuntu + LTS security maintenance and its end of life. It is enabled by default with + Ubuntu Pro. You can find out more about the service at + https://ubuntu.com/security/esm """ When I run `pro help esm-infra --format json` with sudo Then I will see the following on stdout: """ - {"name": "esm-infra", "entitled": "yes", "status": "", "help": "Expanded Security Maintenance for Infrastructure provides access\nto a private ppa which includes available high and critical CVE fixes\nfor Ubuntu LTS packages in the Ubuntu Main repository between the end\nof the standard Ubuntu LTS security maintenance and its end of life.\nIt is enabled by default with Ubuntu Pro. You can find out more about\nthe service at https://ubuntu.com/security/esm\n"} + {"name": "esm-infra", "entitled": "yes", "status": "", "help": "Expanded Security Maintenance for Infrastructure provides access to a private\nPPA which includes available high and critical CVE fixes for Ubuntu LTS\npackages in the Ubuntu Main repository between the end of the standard Ubuntu\nLTS security maintenance and its end of life. It is enabled by default with\nUbuntu Pro. 
You can find out more about the service at\nhttps://ubuntu.com/security/esm"} """ And I verify that running `pro help invalid-service` `with sudo` exits `1` And I will see the following on stderr: @@ -486,9 +486,8 @@ Feature: Command behaviour when attached to an Ubuntu Pro subscription - esm-infra: Expanded Security Maintenance for Infrastructure \(https://ubuntu.com/security/esm\) - fips-updates: NIST-certified core packages with priority security updates - \(https://ubuntu.com/security/certifications#fips\) - - fips: NIST-certified core packages - \(https://ubuntu.com/security/certifications#fips\) + \(https://ubuntu.com/security/fips\) + - fips: NIST-certified core packages \(https://ubuntu.com/security/fips\) - landscape: Management and administration tool for Ubuntu \(https://ubuntu.com/landscape\) - livepatch: Canonical Livepatch service @@ -508,9 +507,8 @@ Feature: Command behaviour when attached to an Ubuntu Pro subscription - esm-infra: Expanded Security Maintenance for Infrastructure \(https://ubuntu.com/security/esm\) - fips-updates: NIST-certified core packages with priority security updates - \(https://ubuntu.com/security/certifications#fips\) - - fips: NIST-certified core packages - \(https://ubuntu.com/security/certifications#fips\) + \(https://ubuntu.com/security/fips\) + - fips: NIST-certified core packages \(https://ubuntu.com/security/fips\) - landscape: Management and administration tool for Ubuntu \(https://ubuntu.com/landscape\) - livepatch: Canonical Livepatch service 
@@ -530,9 +528,8 @@ Feature: Command behaviour when attached to an Ubuntu Pro subscription - esm-infra: Expanded Security Maintenance for Infrastructure \(https://ubuntu.com/security/esm\) - fips-updates: NIST-certified core packages with priority security updates - \(https://ubuntu.com/security/certifications#fips\) - - fips: NIST-certified core packages - \(https://ubuntu.com/security/certifications#fips\) + \(https://ubuntu.com/security/fips\) + - fips: NIST-certified core packages \(https://ubuntu.com/security/fips\) - landscape: Management and administration tool for Ubuntu \(https://ubuntu.com/landscape\) - livepatch: Canonical Livepatch service 
@@ -571,17 +568,17 @@ Feature: Command behaviour when attached to an Ubuntu Pro subscription enabled Help: - Expanded Security Maintenance for Infrastructure provides access - to a private ppa which includes available high and critical CVE fixes - for Ubuntu LTS packages in the Ubuntu Main repository between the end - of the standard Ubuntu LTS security maintenance and its end of life. - It is enabled by default with Ubuntu Pro. You can find out more about - the service at https://ubuntu.com/security/esm + Expanded Security Maintenance for Infrastructure provides access to a private + PPA which includes available high and critical CVE fixes for Ubuntu LTS + packages in the Ubuntu Main repository between the end of the standard Ubuntu + LTS security maintenance and its end of life. It is enabled by default with + Ubuntu Pro. You can find out more about the service at + https://ubuntu.com/security/esm """ When I run `pro help esm-infra --format json` with sudo Then I will see the following on stdout: """ - {"name": "esm-infra", "entitled": "yes", "status": "enabled", "help": "Expanded Security Maintenance for Infrastructure provides access\nto a private ppa which includes available high and critical CVE fixes\nfor Ubuntu LTS packages in the Ubuntu Main repository between the end\nof the standard Ubuntu LTS security maintenance and its end of life.\nIt is enabled by default with Ubuntu Pro. You can find out more about\nthe service at https://ubuntu.com/security/esm\n"} + {"name": "esm-infra", "entitled": "yes", "status": "enabled", "help": "Expanded Security Maintenance for Infrastructure provides access to a private\nPPA which includes available high and critical CVE fixes for Ubuntu LTS\npackages in the Ubuntu Main repository between the end of the standard Ubuntu\nLTS security maintenance and its end of life. It is enabled by default with\nUbuntu Pro. 
You can find out more about the service at\nhttps://ubuntu.com/security/esm"} """ And I verify that running `pro help invalid-service` `with sudo` exits `1` And I will see the following on stderr: @@ -600,9 +597,8 @@ Feature: Command behaviour when attached to an Ubuntu Pro subscription - esm-infra: Expanded Security Maintenance for Infrastructure \(https://ubuntu.com/security/esm\) - fips-updates: NIST-certified core packages with priority security updates - \(https://ubuntu.com/security/certifications#fips\) - - fips: NIST-certified core packages - \(https://ubuntu.com/security/certifications#fips\) + \(https://ubuntu.com/security/fips\) + - fips: NIST-certified core packages \(https://ubuntu.com/security/fips\) - landscape: Management and administration tool for Ubuntu \(https://ubuntu.com/landscape\) - livepatch: Canonical Livepatch service @@ -628,9 +624,8 @@ Feature: Command behaviour when attached to an Ubuntu Pro subscription - esm-infra: Expanded Security Maintenance for Infrastructure \(https://ubuntu.com/security/esm\) - fips-updates: NIST-certified core packages with priority security updates - \(https://ubuntu.com/security/certifications#fips\) - - fips: NIST-certified core packages - \(https://ubuntu.com/security/certifications#fips\) + \(https://ubuntu.com/security/fips\) + - fips: NIST-certified core packages \(https://ubuntu.com/security/fips\) - landscape: Management and administration tool for Ubuntu \(https://ubuntu.com/landscape\) - livepatch: Canonical Livepatch service 
@@ -656,9 +651,8 @@ Feature: Command behaviour when attached to an Ubuntu Pro subscription - esm-infra: Expanded Security Maintenance for Infrastructure \(https://ubuntu.com/security/esm\) - fips-updates: NIST-certified core packages with priority security updates - \(https://ubuntu.com/security/certifications#fips\) - - fips: NIST-certified core packages - \(https://ubuntu.com/security/certifications#fips\) + \(https://ubuntu.com/security/fips\) + - fips: NIST-certified core packages \(https://ubuntu.com/security/fips\) - landscape: Management and administration tool for Ubuntu \(https://ubuntu.com/landscape\) - livepatch: Canonical Livepatch service diff --git a/features/unattached_commands.feature b/features/unattached_commands.feature index d22c13719c..c06a8c4bc4 100644 --- a/features/unattached_commands.feature +++ b/features/unattached_commands.feature 
@@ -76,17 +76,17 @@ Feature: Command behaviour when unattached Help: - Expanded Security Maintenance for Infrastructure provides access - to a private ppa which includes available high and critical CVE fixes - for Ubuntu LTS packages in the Ubuntu Main repository between the end - of the standard Ubuntu LTS security maintenance and its end of life. - It is enabled by default with Ubuntu Pro. You can find out more about - the service at https://ubuntu.com/security/esm + Expanded Security Maintenance for Infrastructure provides access to a private + PPA which includes available high and critical CVE fixes for Ubuntu LTS + packages in the Ubuntu Main repository between the end of the standard Ubuntu + LTS security maintenance and its end of life. It is enabled by default with + Ubuntu Pro. You can find out more about the service at + https://ubuntu.com/security/esm """ When I run `pro help esm-infra --format json` with sudo Then I will see the following on stdout: """ - {"name": "esm-infra", "available": "", "help": "Expanded Security Maintenance for Infrastructure provides access\nto a private ppa which includes available high and critical CVE fixes\nfor Ubuntu LTS packages in the Ubuntu Main repository between the end\nof the standard Ubuntu LTS security maintenance and its end of life.\nIt is enabled by default with Ubuntu Pro. You can find out more about\nthe service at https://ubuntu.com/security/esm\n"} + {"name": "esm-infra", "available": "", "help": "Expanded Security Maintenance for Infrastructure provides access to a private\nPPA which includes available high and critical CVE fixes for Ubuntu LTS\npackages in the Ubuntu Main repository between the end of the standard Ubuntu\nLTS security maintenance and its end of life. It is enabled by default with\nUbuntu Pro. You can find out more about the service at\nhttps://ubuntu.com/security/esm"} """ When I verify that running `pro help invalid-service` `with sudo` exits `1` Then I will see the following on stderr: 
diff --git a/help_data.yaml b/help_data.yaml
deleted file mode 100644
index 61b81df466..0000000000
--- a/help_data.yaml
+++ /dev/null
@@ -1,109 +0,0 @@ -anbox-cloud: - help: | - Anbox Cloud lets you stream mobile apps securely, at any scale, to any - device, letting you focus on your apps. Run Android in system - containers on public or private clouds with ultra low streaming - latency. When the anbox-cloud service is enabled, by default, the - Appliance variant is enabled. Enabling this service allows - orchestration to provision a PPA with the Anbox Cloud resources. This - step also configures the Anbox Management Service (AMS) with the - necessary image server credentials. To learn more about Anbox Cloud, - see https://anbox-cloud.io - -cc-eal: - help: | - Common Criteria is an Information Technology Security Evaluation standard - (ISO/IEC IS 15408) for computer security certification. Ubuntu 16.04 has - been evaluated to assurance level EAL2 through CSEC. The evaluation was - performed on Intel x86_64, IBM Power8 and IBM Z hardware platforms. - -cis: - help: | - Ubuntu Security Guide is a tool for hardening and auditing and allows for - environment-specific customizations. It enables compliance with profiles - such as DISA-STIG and the CIS benchmarks. Find out more at - https://ubuntu.com/security/certifications/docs/usg - - -esm-apps: - help: | - Expanded Security Maintenance for Applications is enabled by default - on entitled workloads. It provides access to a private PPA which includes - available high and critical CVE fixes for Ubuntu LTS packages in the Ubuntu - Main and Ubuntu Universe repositories from the Ubuntu LTS release date until - its end of life. You can find out more about the esm service at - https://ubuntu.com/security/esm - -esm-infra: - help: | - Expanded Security Maintenance for Infrastructure provides access - to a private ppa which includes available high and critical CVE fixes - for Ubuntu LTS packages in the Ubuntu Main repository between the end - of the standard Ubuntu LTS security maintenance and its end of life. - It is enabled by default with Ubuntu Pro. 
You can find out more about - the service at https://ubuntu.com/security/esm - -fips: - help: | - FIPS 140-2 is a set of publicly announced cryptographic standards - developed by the National Institute of Standards and Technology - applicable for FedRAMP, HIPAA, PCI and ISO compliance use cases. - Note that "fips" does not provide security patching. For fips certified - modules with security patches please refer to fips-updates. The modules - are certified on Intel x86_64 and IBM Z hardware platforms for Ubuntu - 18.04 and Intel x86_64, IBM Power8 and IBM Z hardware platforms for - Ubuntu 16.04. Below is the list of fips certified components per an - Ubuntu Version. You can find out more at - https://ubuntu.com/security/certifications#fips - -fips-updates: - help: | - fips-updates installs fips modules including all security patches - for those modules that have been provided since their certification date. - You can find out more at https://ubuntu.com/security/certifications#fips. - -landscape: - help: | - Landscape Client can be installed on this machine and enrolled in - Canonical's Landscape SaaS: https://landscape.canonical.com - or a self-hosted Landscape: https://ubuntu.com/landscape/install - Landscape allows you to manage many machines as easily as one, - with an intuitive dashboard and API interface for automation, - hardening, auditing, and more. Find out more about Landscape at - https://ubuntu.com/landscape - -livepatch: - help: | - Livepatch provides selected high and critical kernel CVE fixes and other - non-security bug fixes as kernel livepatches. Livepatches are applied - without rebooting a machine which drastically limits the need for - unscheduled system reboots. Due to the nature of fips compliance, - livepatches cannot be enabled on fips-enabled systems. 
You can find out - more about Ubuntu Kernel Livepatch service at - https://ubuntu.com/security/livepatch - -realtime-kernel: - help: | - The Real-time kernel is an Ubuntu kernel with PREEMPT_RT patches integrated. - It services latency-dependent use cases by providing deterministic response times. - The Real-time kernel meets stringent preemption specifications and is suitable for - telco applications and dedicated devices in industrial automation and robotics. - The Real-time kernel is currently incompatible with FIPS and Livepatch. - -ros: - help: | - ros provides access to a private PPA which includes security-related - updates for available high and critical CVE fixes for Robot Operating - System (ROS) packages. For access to ROS ESM and security updates, both - esm-infra and esm-apps services will also be enabled. To get additional - non-security updates, enable ros-updates. You can find out more about the - ROS ESM service at https://ubuntu.com/robotics/ros-esm - -ros-updates: - help: | - ros-updates provides access to a private PPA which includes - non-security-related updates for Robot Operating System (ROS) packages. - For full access to ROS ESM, security and non-security updates, - the esm-infra, esm-apps, and ros services will also be enabled. You can - find out more about the ROS ESM service at - https://ubuntu.com/robotics/ros-esm diff --git a/setup.py b/setup.py index bccdfed9c2..2628f7b36a 100644 --- a/setup.py +++ b/setup.py @@ -32,7 +32,7 @@ def split_link_deps(reqs_filename): def _get_data_files(): return [ - ("/etc/ubuntu-advantage", ["uaclient.conf", "help_data.yaml"]), + ("/etc/ubuntu-advantage", ["uaclient.conf"]), ("/etc/update-motd.d", glob.glob("update-motd.d/*")), ("/usr/lib/ubuntu-advantage", glob.glob("lib/[!_]*")), ("/usr/share/keyrings", glob.glob("keyrings/*")), diff --git a/uaclient/defaults.py b/uaclient/defaults.py index 0dc0a26574..3263073253 100644 --- a/uaclient/defaults.py +++ b/uaclient/defaults.py 
@@ -18,7 +18,6 @@ MESSAGES_DIR = DEFAULT_DATA_DIR + MESSAGES_SUBDIR CANDIDATE_CACHE_PATH = UAC_RUN_PATH + "candidate-version" DEFAULT_CONFIG_FILE = UAC_ETC_PATH + "uaclient.conf" -DEFAULT_HELP_FILE = UAC_ETC_PATH + "help_data.yaml" DEFAULT_USER_CONFIG_JSON_FILE = DEFAULT_DATA_DIR + "/user-config.json" DEFAULT_UPGRADE_CONTRACT_FLAG_FILE = UAC_ETC_PATH + "request-update-contract" BASE_CONTRACT_URL = "https://contracts.canonical.com" diff --git a/uaclient/entitlements/anbox.py b/uaclient/entitlements/anbox.py index 33e94ab69a..c1bc043dda 100644 --- a/uaclient/entitlements/anbox.py +++ b/uaclient/entitlements/anbox.py @@ -16,6 +16,15 @@ class AnboxEntitlement(RepoEntitlement): title = "Anbox Cloud" description = "Scalable Android in the cloud" help_doc_url = "https://anbox-cloud.io" + help_text = """\ +Anbox Cloud lets you stream mobile apps securely, at any scale, to any device, +letting you focus on your apps. Run Android in system containers on public or +private clouds with ultra low streaming latency. When the anbox-cloud service +is enabled, by default, the Appliance variant is enabled. Enabling this service +allows orchestration to provision a PPA with the Anbox Cloud resources. This +step also configures the Anbox Management Service (AMS) with the necessary +image server credentials. To learn more about Anbox Cloud, see +https://anbox-cloud.io""" repo_key_file = "ubuntu-pro-anbox-cloud.gpg" repo_url_tmpl = "{}" affordance_check_series = True diff --git a/uaclient/entitlements/base.py b/uaclient/entitlements/base.py index 8d38c2636c..e972bde7f1 100644 --- a/uaclient/entitlements/base.py +++ b/uaclient/entitlements/base.py @@ -1,7 +1,6 @@ import abc import copy import logging -import os import sys from datetime import datetime from typing import Any, Dict, List, Optional, Set, Tuple, Type, Union 
@@ -19,7 +18,6 @@ util, ) from uaclient.api.u.pro.status.is_attached.v1 import _is_attached -from uaclient.defaults import DEFAULT_HELP_FILE from uaclient.entitlements.entitlement_status import ( ApplicabilityStatus, ApplicationStatus, @@ -32,7 +30,6 @@ ) from uaclient.types import MessagingOperationsDict, StaticAffordance from uaclient.util import is_config_value_true -from uaclient.yaml import safe_load event = event_logger.get_event_logger() LOG = logging.getLogger(util.replace_top_level_logger_name(__name__)) @@ -61,8 +58,8 @@ class UAEntitlement(metaclass=abc.ABCMeta): # Whether the entitlement supports the --access-only flag supports_access_only = False - # Help info message for the entitlement - _help_info = None # type: str + # Help text for the entitlement + help_text = "" # List of services that are incompatible with this service _incompatible_services = () # type: Tuple[IncompatibleService, ...] @@ -139,25 +136,18 @@ def verify_platform_checks( @property def help_info(self) -> str: """Help information for the entitlement""" - if self._help_info is None: - help_dict = {} + help_text = self.help_text - if os.path.exists(DEFAULT_HELP_FILE): - with open(DEFAULT_HELP_FILE, "r") as f: - help_dict = safe_load(f) + if self.variants: + variant_items = [ + " * {}: {}".format(variant_name, variant_cls.description) + for variant_name, variant_cls in self.variants.items() + ] - self._help_info = help_dict.get(self.name, {}).get("help", "") + variant_text = "\n".join(["\nVariants:\n"] + variant_items) + help_text += variant_text - if self.variants: - variant_items = [ - " * {}: {}".format(variant_name, variant_cls.description) - for variant_name, variant_cls in self.variants.items() - ] - - variant_text = "\n".join(["\nVariants:\n"] + variant_items) - self._help_info += variant_text - - return self._help_info + return help_text # A tuple of 3-tuples with (failure_message, functor, expected_results) # If any static_affordance does not match expected_results fail with 
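Review bot: In `help_info`, the "Variants:" heading now sits directly under the last line of the help text, because the `help_text` literals added in this patch have no trailing newline (the updated JSON expectations show the final `\n` is gone) while `variant_text` still begins with a single `\n`. The YAML block scalars read before ended in a newline, so the old output had a blank line at that point. Seeding the join with `["\n\nVariants:\n"]` restores the spacing. Which entitlements define `variants` is not visible in this patch, and none of the test expectations touched here exercise that branch, so a unit test asserting the rendered text for an entitlement with variants would pin it.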
diff --git a/uaclient/entitlements/cc.py b/uaclient/entitlements/cc.py index b8588574df..15d74c091a 100644 --- a/uaclient/entitlements/cc.py +++ b/uaclient/entitlements/cc.py @@ -15,6 +15,11 @@ class CommonCriteriaEntitlement(repo.RepoEntitlement): name = "cc-eal" title = "CC EAL2" description = "Common Criteria EAL2 Provisioning Packages" + help_text = """\ +Common Criteria is an Information Technology Security Evaluation standard +(ISO/IEC IS 15408) for computer security certification. Ubuntu 16.04 has been +evaluated to assurance level EAL2 through CSEC. The evaluation was performed +on Intel x86_64, IBM Power8 and IBM Z hardware platforms.""" repo_key_file = "ubuntu-pro-cc-eal.gpg" apt_noninteractive = True supports_access_only = True diff --git a/uaclient/entitlements/cis.py b/uaclient/entitlements/cis.py index c8fa618632..817b2f5414 100644 --- a/uaclient/entitlements/cis.py +++ b/uaclient/entitlements/cis.py @@ -12,6 +12,11 @@ class CISEntitlement(repo.RepoEntitlement): help_doc_url = USG_DOCS_URL name = "cis" description = "Security compliance and audit tools" + help_text = """\ +Ubuntu Security Guide is a tool for hardening and auditing and allows for +environment-specific customizations. It enables compliance with profiles such +as DISA-STIG and the CIS benchmarks. Find out more at +https://ubuntu.com/security/certifications/docs/usg""" repo_key_file = "ubuntu-pro-cis.gpg" apt_noninteractive = True supports_access_only = True diff --git a/uaclient/entitlements/esm.py b/uaclient/entitlements/esm.py index d4b0da9915..aacf4268ec 100644 --- a/uaclient/entitlements/esm.py +++ b/uaclient/entitlements/esm.py 
@@ -73,6 +73,13 @@ class ESMAppsEntitlement(ESMBaseEntitlement): name = "esm-apps" title = "Ubuntu Pro: ESM Apps" description = "Expanded Security Maintenance for Applications" + help_text = """\ +Expanded Security Maintenance for Applications is enabled by default on +entitled workloads. It provides access to a private PPA which includes +available high and critical CVE fixes for Ubuntu LTS packages in the Ubuntu +Main and Ubuntu Universe repositories from the Ubuntu LTS release date until +its end of life. You can find out more about the esm service at +https://ubuntu.com/security/esm""" repo_key_file = "ubuntu-pro-esm-apps.gpg" def disable( @@ -93,6 +100,13 @@ class ESMInfraEntitlement(ESMBaseEntitlement): origin = "UbuntuESM" title = "Ubuntu Pro: ESM Infra" description = "Expanded Security Maintenance for Infrastructure" + help_text = """\ +Expanded Security Maintenance for Infrastructure provides access to a private +PPA which includes available high and critical CVE fixes for Ubuntu LTS +packages in the Ubuntu Main repository between the end of the standard Ubuntu +LTS security maintenance and its end of life. It is enabled by default with +Ubuntu Pro. You can find out more about the service at +https://ubuntu.com/security/esm""" repo_key_file = "ubuntu-pro-esm-infra.gpg" def disable( diff --git a/uaclient/entitlements/fips.py b/uaclient/entitlements/fips.py index 1c8d2f711b..75b9c670a7 100644 --- a/uaclient/entitlements/fips.py +++ b/uaclient/entitlements/fips.py @@ -92,7 +92,7 @@ class FIPSCommonEntitlement(repo.RepoEntitlement): # services. And security/CPC signoff on expected conf behavior. apt_noninteractive = True - help_doc_url = "https://ubuntu.com/security/certifications#fips" + help_doc_url = "https://ubuntu.com/security/fips" fips_pro_package_holds = [ "fips-initramfs", 
@@ -362,6 +362,13 @@ class FIPSEntitlement(FIPSCommonEntitlement): name = "fips" title = "FIPS" description = "NIST-certified core packages" + help_text = """\ +FIPS 140-2 is a set of publicly announced cryptographic standards developed by +the National Institute of Standards and Technology applicable for FedRAMP, +HIPAA, PCI and ISO compliance use cases. Note that "fips" does not provide +security patching. For FIPS certified modules with security patches please +see "fips-updates". You can find out more at https://ubuntu.com/security/fips\ +""" origin = "UbuntuFIPS" @property @@ -470,6 +477,10 @@ class FIPSUpdatesEntitlement(FIPSCommonEntitlement): title = "FIPS Updates" origin = "UbuntuFIPSUpdates" description = "NIST-certified core packages with priority security updates" + help_text = """\ +fips-updates installs fips modules including all security patches for those +modules that have been provided since their certification date. You can find +out more at https://ubuntu.com/security/fips""" @property def incompatible_services(self) -> Tuple[IncompatibleService, ...]: diff --git a/uaclient/entitlements/landscape.py b/uaclient/entitlements/landscape.py index d225142952..5e1a9a7e1a 100644 --- a/uaclient/entitlements/landscape.py +++ b/uaclient/entitlements/landscape.py 
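Review bot: The `fips` `help_text` added in the `FIPSEntitlement` hunk is not a verbatim move of the `help_data.yaml` entry: the sentences naming the certified hardware platforms and Ubuntu releases are dropped, and `help_doc_url` on `FIPSCommonEntitlement` changes in the earlier hunk of this file, yet the commit subject says only "refactor". For a compliance-facing service this is the text operators read to judge certification scope, so the content change deserves its own line in the commit message or its own commit. If the omission is deliberate, a short comment above the literal such as `# Certified platforms/releases are documented at help_doc_url, not here` would keep the next editor from re-adding stale claims. As a style point, the closing `\` followed by `"""` on its own line differs from every other `help_text` literal in the patch; it is presumably there for line length, and re-wrapping the paragraph would make it consistent.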
@@ -21,6 +21,13 @@ class LandscapeEntitlement(UAEntitlement): title = "Landscape" description = "Management and administration tool for Ubuntu" help_doc_url = "https://ubuntu.com/landscape" + help_text = """\ +Landscape Client can be installed on this machine and enrolled in Canonical's +Landscape SaaS: https://landscape.canonical.com or a self-hosted Landscape: +https://ubuntu.com/landscape/install +Landscape allows you to manage many machines as easily as one, with an +intuitive dashboard and API interface for automation, hardening, auditing, and +more. Find out more about Landscape at https://ubuntu.com/landscape""" def _perform_enable(self, silent: bool = False) -> bool: cmd = ["landscape-config"] + self.extra_args diff --git a/uaclient/entitlements/livepatch.py b/uaclient/entitlements/livepatch.py index 879926ec6e..50dc5943b1 100644 --- a/uaclient/entitlements/livepatch.py +++ b/uaclient/entitlements/livepatch.py @@ -31,6 +31,13 @@ class LivepatchEntitlement(UAEntitlement): name = "livepatch" title = "Livepatch" description = "Canonical Livepatch service" + help_text = """\ +Livepatch provides selected high and critical kernel CVE fixes and other +non-security bug fixes as kernel livepatches. Livepatches are applied without +rebooting a machine which drastically limits the need for unscheduled system +reboots. Due to the nature of fips compliance, livepatches cannot be enabled +on fips-enabled systems. You can find out more about Ubuntu Kernel Livepatch +service at https://ubuntu.com/security/livepatch""" affordance_check_kernel_min_version = False affordance_check_kernel_flavor = False # we do want to check series because livepatch errors on non-lts releases diff --git a/uaclient/entitlements/realtime.py b/uaclient/entitlements/realtime.py index 0a2fe4d980..a3e8325d66 100644 --- a/uaclient/entitlements/realtime.py +++ b/uaclient/entitlements/realtime.py 
@@ -18,6 +18,13 @@ class RealtimeKernelEntitlement(repo.RepoEntitlement): name = "realtime-kernel" title = "Real-time kernel" description = "Ubuntu kernel with PREEMPT_RT patches integrated" + help_text = """\ +The Real-time kernel is an Ubuntu kernel with PREEMPT_RT patches integrated. It +services latency-dependent use cases by providing deterministic response times. +The Real-time kernel meets stringent preemption specifications and is suitable +for telco applications and dedicated devices in industrial automation and +robotics. The Real-time kernel is currently incompatible with FIPS and +Livepatch.""" help_doc_url = REALTIME_KERNEL_DOCS_URL repo_key_file = "ubuntu-pro-realtime-kernel.gpg" apt_noninteractive = True diff --git a/uaclient/entitlements/ros.py b/uaclient/entitlements/ros.py index ab7077a976..e71a34ef16 100644 --- a/uaclient/entitlements/ros.py +++ b/uaclient/entitlements/ros.py @@ -13,6 +13,13 @@ class ROSEntitlement(ROSCommonEntitlement): name = "ros" title = "ROS ESM Security Updates" description = "Security Updates for the Robot Operating System" + help_text = """\ +ros provides access to a private PPA which includes security-related updates +for available high and critical CVE fixes for Robot Operating System (ROS) +packages. For access to ROS ESM and security updates, both esm-infra and +esm-apps services will also be enabled. To get additional non-security updates, +enable ros-updates. You can find out more about the ROS ESM service at +https://ubuntu.com/robotics/ros-esm""" @property def required_services(self) -> Tuple[Type[UAEntitlement], ...]: 
@@ -35,6 +42,12 @@ class ROSUpdatesEntitlement(ROSCommonEntitlement): name = "ros-updates" title = "ROS ESM All Updates" description = "All Updates for the Robot Operating System" + help_text = """\ +ros-updates provides access to a private PPA that includes non-security-related +updates for Robot Operating System (ROS) packages. For full access to ROS ESM, +security and non-security updates, the esm-infra, esm-apps, and ros services +will also be enabled. You can find out more about the ROS ESM service at +https://ubuntu.com/robotics/ros-esm""" @property def required_services(self) -> Tuple[Type[UAEntitlement], ...]: diff --git a/uaclient/tests/test_cli.py b/uaclient/tests/test_cli.py index 4accb2dc46..f016bfbbb3 100644 --- a/uaclient/tests/test_cli.py +++ b/uaclient/tests/test_cli.py @@ -57,9 +57,8 @@ - esm-infra: Expanded Security Maintenance for Infrastructure (https://ubuntu.com/security/esm) - fips-updates: NIST-certified core packages with priority security updates - (https://ubuntu.com/security/certifications#fips) - - fips: NIST-certified core packages - (https://ubuntu.com/security/certifications#fips) + (https://ubuntu.com/security/fips) + - fips: NIST-certified core packages (https://ubuntu.com/security/fips) - livepatch: Canonical Livepatch service (https://ubuntu.com/security/livepatch) - ros-updates: All Updates for the Robot Operating System