Anbox support on containers

debian/changelog

@@ -1,3 +1,9 @@
+ubuntu-advantage-tools (29.1) mantic; urgency=medium
+
+  * anbox: allow enabling service on container using the --access-only flag
+
+ -- Lucas Moura <[email protected]>  Thu, 10 Aug 2023 11:08:46 -0300
+
 ubuntu-advantage-tools (29) mantic; urgency=medium
 
   * d/control:

features/anbox.feature

@@ -6,16 +6,46 @@ Feature: Enable anbox on Ubuntu
     Scenario Outline: Enable Anbox cloud service in a container
         Given a `<release>` machine with ubuntu-advantage-tools installed
         When I attach `contract_token` with sudo and options `--no-auto-enable`
+        When I run `pro status` as non-root
+        Then stdout matches regexp:
+        """
+        anbox-cloud +yes +disabled
+        """
         Then I verify that running `pro enable anbox-cloud` `as non-root` exits `1`
         And I will see the following on stderr:
         """
         This command must be run as root (try using sudo).
         """
-        Then I verify that running `pro enable anbox-cloud` `with sudo` exits `1`
+        When I verify that running `pro enable anbox-cloud` `with sudo` exits `1`
+        Then I will see the following on stdout:
+        """
+        One moment, checking your subscription first
+        It is only possible to enable Anbox Cloud on a container using
+        the --access-only flag.
+        """
+        When I run `pro enable anbox-cloud --access-only` with sudo
         Then I will see the following on stdout:
         """
         One moment, checking your subscription first
-        Cannot install Anbox Cloud on a container.
+        Updating package lists
+        Skipping installing packages
+        Anbox Cloud access enabled
+        """
+        When I run `pro status` as non-root
+        Then stdout matches regexp:
+        """
+        anbox-cloud +yes +enabled
+        """
+        When I run `apt-cache policy` with sudo
+        Then apt-cache policy for the following url has permission `500`
+        """
+        https://archive.anbox-cloud.io/stable <release>/main amd64 Packages
+        """
+        When I run `pro disable anbox-cloud` with sudo
+        And I run `pro status` as non-root
+        Then stdout matches regexp:
+        """
+        anbox-cloud +yes +disabled
         """
 
         Examples: ubuntu release

features/attached_status.feature

@@ -182,6 +182,7 @@ Feature: Attached status
         Then stdout matches regexp:
         """
         SERVICE         +ENTITLED +STATUS   +DESCRIPTION
+        anbox-cloud     +yes      +disabled +.*
         esm-apps        +yes      +enabled  +Expanded Security Maintenance for Applications
         esm-infra       +yes      +enabled  +Expanded Security Maintenance for Infrastructure
         usg             +yes      +disabled +Security compliance and audit tools
@@ -194,7 +195,7 @@ Feature: Attached status
         Then stdout matches regexp:
         """
         SERVICE         +ENTITLED +STATUS   +DESCRIPTION
-        anbox-cloud     +yes      +n/a      +.*
+        anbox-cloud     +yes      +disabled +.*
         cc-eal          +yes      +n/a      +Common Criteria EAL2 Provisioning Packages
         esm-apps        +yes      +enabled  +Expanded Security Maintenance for Applications
         esm-infra       +yes      +enabled  +Expanded Security Maintenance for Infrastructure

uaclient/entitlements/anbox.py

@@ -1,12 +1,16 @@
 from typing import Any, Dict, Optional, Tuple
 
 from uaclient import contract, event_logger, messages, system
+from uaclient.entitlements.entitlement_status import (
+    CanEnableFailure,
+    CanEnableFailureReason,
+)
 from uaclient.entitlements.repo import RepoEntitlement
 from uaclient.files.state_files import (
     AnboxCloudData,
     anbox_cloud_credentials_file,
 )
-from uaclient.types import MessagingOperationsDict, StaticAffordance
+from uaclient.types import MessagingOperationsDict
 
 event = event_logger.get_event_logger()
 
@@ -21,25 +25,30 @@ class AnboxEntitlement(RepoEntitlement):
     affordance_check_series = True
     supports_access_only = True
 
-    @property
-    def static_affordances(self) -> Tuple[StaticAffordance, ...]:
-        return (
-            (
-                messages.SERVICE_ERROR_INSTALL_ON_CONTAINER.format(
-                    title=self.title
-                ),
-                lambda: system.is_container(),
-                False,
-            ),
-        )
-
     @property
     def messaging(self) -> MessagingOperationsDict:
         if not self.access_only:
             return {"post_enable": [messages.ANBOX_RUN_INIT_CMD.msg]}
         else:
             return {}
 
+    def can_enable(self) -> Tuple[bool, Optional[CanEnableFailure]]:
+        ret, reason = super().can_enable()
+
+        if not ret:
+            return ret, reason
+
+        if system.is_container() and not self.access_only:
+            return (
+                False,
+                CanEnableFailure(
+                    CanEnableFailureReason.ONLY_ACCESS_ONLY_SUPPORTED,
+                    messages.ANBOX_FAIL_TO_ENABLE_ON_CONTAINER,
+                ),
+            )
+
+        return True, None
+
     def _perform_enable(self, silent: bool = False) -> bool:
         ret = super()._perform_enable(silent=silent)
 

uaclient/entitlements/entitlement_status.py

@@ -96,6 +96,7 @@ class CanEnableFailureReason(enum.Enum):
     INCOMPATIBLE_SERVICE = object()
     INACTIVE_REQUIRED_SERVICES = object()
     ACCESS_ONLY_NOT_SUPPORTED = object()
+    ONLY_ACCESS_ONLY_SUPPORTED = object()
 
 
 class CanEnableFailure:

uaclient/messages.py

@@ -1384,6 +1384,13 @@ class TxtColor:
 """,
 )
 
+ANBOX_FAIL_TO_ENABLE_ON_CONTAINER = NamedMessage(
+    "anbox-fail-to-enable-on-container",
+    """\
+It is only possible to enable Anbox Cloud on a container using
+the --access-only flag.""",
+)
+
 INSTALLING_PACKAGES = "Installing {}"
 UNINSTALLING_PACKAGES = "Uninstalling {}"
 UNINSTALLING_PACKAGES_FAILED = "Failure when uninstalling {}"

uaclient/version.py

@@ -15,7 +15,7 @@
 from uaclient.exceptions import ProcessExecutionError
 from uaclient.system import subp
 
-__VERSION__ = "29"
+__VERSION__ = "29.1"
 PACKAGED_VERSION = "@@PACKAGED_VERSION@@"
 
 CANDIDATE_REGEX = r"Candidate: (?P<candidate>.*?)\n"