diff --git a/features/attached_commands.feature b/features/attached_commands.feature index f529fccd00..8103795e32 100644 --- a/features/attached_commands.feature +++ b/features/attached_commands.feature @@ -958,6 +958,198 @@ Feature: Command behaviour when attached to an Ubuntu Pro subscription | focal | fips | FIPS | https://esm.ubuntu.com/fips/ubuntu focal/main | http://archive.ubuntu.com/ubuntu focal-updates/main | | focal | fips-updates | FIPS Updates | https://esm.ubuntu.com/fips-updates/ubuntu focal-updates/main | http://archive.ubuntu.com/ubuntu focal-updates/main | + @slow + @series.bionic + @series.focal + @uses.config.machine_type.gcp.generic + Scenario Outline: Disable and purge fips + Given a `` machine with ubuntu-advantage-tools installed + When I attach `contract_token` with sudo + And I run `apt update` with sudo + And I run `pro enable --assume-yes` with sudo + And I reboot the machine + And I run `pro status` with sudo + Then stdout matches regexp: + """ + +yes +enabled + """ + When I run `uname -r` as non-root + Then stdout matches regexp: + """ + fips + """ + And I verify that `openssh-server` is installed from apt source `` + And I verify that `linux-gcp-fips` is installed from apt source `` + When I run `pro disable --purge` `with sudo` and stdin `y\ny` + Then stdout matches regexp: + """ + \(The --purge flag is still experimental - use with caution\) + + Purging the packages would uninstall the following kernel\(s\): + .* + .* is the current running kernel\. + If you cannot guarantee that other kernels in this system are bootable and + working properly, \*do not proceed\*\. You may end up with an unbootable system\. + Do you want to proceed\? \(y/N\) + """ + And stdout matches regexp: + """ + The following package\(s\) will be REMOVED: + (.|\n)+ + + The following package\(s\) will be reinstalled from the archive: + (.|\n)+ + + Do you want to proceed\? \(y/N\) + """ + When I reboot the machine + And I run `pro status` with sudo + Then stdout matches regexp: + """ + +yes +disabled + """ + When I run `uname -r` as non-root + Then stdout does not match regexp: + """ + fips + """ + And I verify that `openssh-server` is installed from apt source `` + And I verify that `linux-gcp-fips` is not installed + Examples: ubuntu release + | release | fips-service | fips-name | fips-source | archive-source | + | bionic | fips | FIPS | https://esm.ubuntu.com/fips/ubuntu bionic/main | https://esm.ubuntu.com/infra/ubuntu bionic-infra-security/main | + | bionic | fips-updates | FIPS Updates | https://esm.ubuntu.com/fips-updates/ubuntu bionic-updates/main | https://esm.ubuntu.com/infra/ubuntu bionic-infra-security/main | + | focal | fips | FIPS | https://esm.ubuntu.com/fips/ubuntu focal/main | http://us-west2.gce.archive.ubuntu.com/ubuntu focal-updates/main | + | focal | fips-updates | FIPS Updates | https://esm.ubuntu.com/fips-updates/ubuntu focal-updates/main | http://us-west2.gce.archive.ubuntu.com/ubuntu focal-updates/main | + + @slow + @series.bionic + @series.focal + @uses.config.machine_type.aws.generic + Scenario Outline: Disable and purge fips + Given a `` machine with ubuntu-advantage-tools installed + When I attach `contract_token` with sudo + And I run `apt update` with sudo + And I run `pro enable --assume-yes` with sudo + And I reboot the machine + And I run `pro status` with sudo + Then stdout matches regexp: + """ + +yes +enabled + """ + When I run `uname -r` as non-root + Then stdout matches regexp: + """ + fips + """ + And I verify that `openssh-server` is installed from apt source `` + And I verify that `linux-aws-fips` is installed from apt source `` + When I run `pro disable --purge` `with sudo` and stdin `y\ny` + Then stdout matches regexp: + """ + \(The --purge flag is still experimental - use with caution\) + + Purging the packages would uninstall the following kernel\(s\): + .* + .* is the current running kernel\. + If you cannot guarantee that other kernels in this system are bootable and + working properly, \*do not proceed\*\. You may end up with an unbootable system\. + Do you want to proceed\? \(y/N\) + """ + And stdout matches regexp: + """ + The following package\(s\) will be REMOVED: + (.|\n)+ + + The following package\(s\) will be reinstalled from the archive: + (.|\n)+ + + Do you want to proceed\? \(y/N\) + """ + When I reboot the machine + And I run `pro status` with sudo + Then stdout matches regexp: + """ + +yes +disabled + """ + When I run `uname -r` as non-root + Then stdout does not match regexp: + """ + fips + """ + And I verify that `openssh-server` is installed from apt source `` + And I verify that `linux-aws-fips` is not installed + Examples: ubuntu release + | release | fips-service | fips-name | fips-source | archive-source | + | bionic | fips | FIPS | https://esm.ubuntu.com/fips/ubuntu bionic/main | https://esm.ubuntu.com/infra/ubuntu bionic-infra-security/main | + | bionic | fips-updates | FIPS Updates | https://esm.ubuntu.com/fips-updates/ubuntu bionic-updates/main | https://esm.ubuntu.com/infra/ubuntu bionic-infra-security/main | + | focal | fips | FIPS | https://esm.ubuntu.com/fips/ubuntu focal/main | http://us-east-2.ec2.archive.ubuntu.com/ubuntu focal-updates/main | + | focal | fips-updates | FIPS Updates | https://esm.ubuntu.com/fips-updates/ubuntu focal-updates/main | http://us-east-2.ec2.archive.ubuntu.com/ubuntu focal-updates/main | + + @slow + @series.bionic + @series.focal + @uses.config.machine_type.azure.generic + Scenario Outline: Disable and purge fips + Given a `` machine with ubuntu-advantage-tools installed + When I attach `contract_token` with sudo + And I run `apt update` with sudo + And I run `pro enable --assume-yes` with sudo + And I reboot the machine + And I run `pro status` with sudo + Then stdout matches regexp: + """ + +yes +enabled + """ + When I run `uname -r` as non-root + Then stdout matches regexp: + """ + fips + """ + And I verify that `openssh-server` is installed from apt source `` + And I verify that `linux-azure-fips` is installed from apt source `` + When I run `pro disable --purge` `with sudo` and stdin `y\ny` + Then stdout matches regexp: + """ + \(The --purge flag is still experimental - use with caution\) + + Purging the packages would uninstall the following kernel\(s\): + .* + .* is the current running kernel\. + If you cannot guarantee that other kernels in this system are bootable and + working properly, \*do not proceed\*\. You may end up with an unbootable system\. + Do you want to proceed\? \(y/N\) + """ + And stdout matches regexp: + """ + The following package\(s\) will be REMOVED: + (.|\n)+ + + The following package\(s\) will be reinstalled from the archive: + (.|\n)+ + + Do you want to proceed\? \(y/N\) + """ + When I reboot the machine + And I run `pro status` with sudo + Then stdout matches regexp: + """ + +yes +disabled + """ + When I run `uname -r` as non-root + Then stdout does not match regexp: + """ + fips + """ + And I verify that `openssh-server` is installed from apt source `` + And I verify that `linux-azure-fips` is not installed + Examples: ubuntu release + | release | fips-service | fips-name | fips-source | archive-source | + | bionic | fips | FIPS | https://esm.ubuntu.com/fips/ubuntu bionic/main | https://esm.ubuntu.com/infra/ubuntu bionic-infra-security/main | + | bionic | fips-updates | FIPS Updates | https://esm.ubuntu.com/fips-updates/ubuntu bionic-updates/main | https://esm.ubuntu.com/infra/ubuntu bionic-infra-security/main | + | focal | fips | FIPS | https://esm.ubuntu.com/fips/ubuntu focal/main | http://azure.archive.ubuntu.com/ubuntu focal-updates/main | + | focal | fips-updates | FIPS Updates | https://esm.ubuntu.com/fips-updates/ubuntu focal-updates/main | http://azure.archive.ubuntu.com/ubuntu focal-updates/main | + @slow @series.lts @uses.config.machine_type.lxd-vm diff --git a/features/steps/packages.py b/features/steps/packages.py index 16a1e4d7c0..dd954b9524 100644 --- a/features/steps/packages.py +++ b/features/steps/packages.py @@ -62,9 +62,14 @@ def verify_package_not_installed(context, package): when_i_run_command( context, "apt-cache policy {}".format(package), "as non-root" ) - assert_that( - context.process.stdout.strip(), contains_string("Installed: (none)") - ) + output = context.process.stdout.strip() + if "Installed" in output: + assert_that( + context.process.stdout.strip(), + contains_string("Installed: (none)"), + ) + # If no output or it doesn't contain installation information, + # then the package is neither installed nor known @then("I verify that `{package}` is installed from apt source `{apt_source}`") diff --git a/uaclient/entitlements/repo.py b/uaclient/entitlements/repo.py index 65633cec0b..7c72c9b3c7 100644 --- a/uaclient/entitlements/repo.py +++ b/uaclient/entitlements/repo.py @@ -164,8 +164,8 @@ def _perform_disable(self, silent=False): self.remove_apt_config(silent=silent) if self.purge and self.origin: - self.execute_removal(packages_to_remove) self.execute_reinstall(packages_to_reinstall) + self.execute_removal(packages_to_remove) return True def purge_kernel_check(self, package_list):