%PDF- %PDF-
Direktori : /proc/self/root/var/lib/dpkg/info/ |
Current File : //proc/self/root/var/lib/dpkg/info/ubuntu-advantage-tools.postinst |
#!/bin/sh set -e . /etc/os-release # For VERSION_ID and UBUNTU_CODENAME # Needed even if this script doesn't call debconf, see: # https://lintian.debian.org/tags/postinst-does-not-load-confmodule.html # Note: this may re-exec the postinst script. . /usr/share/debconf/confmodule if [ -z "${VERSION_ID}" ]; then echo "Warning: missing VERSION_ID in /etc/os-release" >&2 VERSION_ID="NO-VERSION_ID" fi if [ -z "${UBUNTU_CODENAME}" ]; then echo "Warning: missing UBUNTU_CODENAME in /etc/os-release" >&2 UBUNTU_CODENAME="NO-UBUNTU_CODENAME-$VERSION_ID" fi APT_TRUSTED_KEY_DIR="/etc/apt/trusted.gpg.d" UA_KEYRING_DIR="/usr/share/keyrings/" ESM_INFRA_KEY_TRUSTY="ubuntu-advantage-esm-infra-trusty.gpg" ESM_APPS_KEY="ubuntu-advantage-esm-apps.gpg" APT_SRC_DIR="/etc/apt/sources.list.d" APT_PREFERENCES_DIR="/etc/apt/preferences.d" ESM_INFRA_OLD_APT_SOURCE_FILE_TRUSTY="$APT_SRC_DIR/ubuntu-esm-infra-trusty.list" ESM_INFRA_APT_SOURCE_FILE="$APT_SRC_DIR/ubuntu-esm-infra.list" ESM_APPS_APT_SOURCE_FILE="$APT_SRC_DIR/ubuntu-esm-apps.list" FIPS_APT_SOURCE_FILE="$APT_SRC_DIR/ubuntu-fips.list" OLD_CLIENT_FIPS_PPA="private-ppa.launchpad.net/ubuntu-advantage/fips/ubuntu" UA_TIMER_NAME="ua-timer.timer" OLD_MESSAGING_TIMER="ua-messaging.timer" OLD_MESSAGING_TIMER_MASKED_LOCATION="/etc/systemd/system/timers.target.wants/$OLD_MESSAGING_TIMER" OLD_LICENSE_CHECK_PATH="ua-license-check.path" OLD_LICENSE_CHECK_PATH_MASKED_LOCATION="/etc/systemd/system/multi-user.target.wants/$OLD_LICENSE_CHECK_PATH" XENIAL_CLOUD_ID_SHIM_UNIT_LOCATION="/etc/systemd/system/multi-user.target.wants/ubuntu-advantage-cloud-id-shim.service" ESM_APT_PREF_FILE_TRUSTY="$APT_PREFERENCES_DIR/ubuntu-esm-trusty" ESM_INFRA_OLD_APT_PREF_FILE_TRUSTY="$APT_PREFERENCES_DIR/ubuntu-esm-infra-trusty" ESM_INFRA_APT_PREF_FILE="$APT_PREFERENCES_DIR/ubuntu-esm-infra" ESM_APPS_APT_PREF_FILE="$APT_PREFERENCES_DIR/ubuntu-esm-apps" MYARCH="$(dpkg --print-architecture)" ESM_SUPPORTED_ARCHS="i386 amd64" SYSTEMD_WANTS_AUTO_ATTACH_LINK="/etc/systemd/system/multi-user.target.wants/ua-auto-attach.service" SYSTEMD_HELPER_ENABLED_AUTO_ATTACH_DSH="/var/lib/systemd/deb-systemd-helper-enabled/ua-auto-attach.service.dsh-also" SYSTEMD_HELPER_ENABLED_WANTS_LINK="/var/lib/systemd/deb-systemd-helper-enabled/multi-user.target.wants/ua-auto-attach.service" REBOOT_CMD_MARKER_FILE="/var/lib/ubuntu-advantage/marker-reboot-cmds-required" OLD_LICENSE_CHECK_MARKER_FILE="/var/lib/ubuntu-advantage/marker-license-check" MACHINE_TOKEN_FILE="/var/lib/ubuntu-advantage/private/machine-token.json" # Rename apt config files for ua services removing ubuntu release names redact_ubuntu_release_from_ua_apt_filenames() { DIR=$1 # It is okay if this list is outdated, because this function is only used for an old migration. # Any services that were introduced after this migration was added won't need to be migrated. UA_SERVICES="cc-eal cis esm-infra esm-apps fips fips-updates livepatch ros ros-updates" for file in "$DIR"/*; do release_name="" case "$file" in *-trusty*) release_name=trusty;; *-xenial*) release_name=xenial;; *-bionic*) release_name=bionic;; *-focal*) release_name=focal;; *-groovy*) release_name=groovy;; *) release_name="";; esac if [ "$release_name" ]; then # We have a ubuntu release name in the apt config. # Remove $release_name from original $file. new_file=${file%-${release_name}*}${file#*${release_name}} for service in ${UA_SERVICES}; do if [ "${file#*$service}" != "$file" ]; then # Valid apt cfg file for an ubuntu-advantage service mv "$file" "$new_file" fi done fi done } # Ubuntu LTS release all support-esm check_is_lts() { release_name=$1 ubuntu-distro-info --supported-esm | grep -q "${release_name}" } # Check whether this series is under active ESM check_is_active_esm() { release_name=$1 _DAYS_UNTIL_ESM=$(ubuntu-distro-info --series "${release_name}" -yeol) if [ "${_DAYS_UNTIL_ESM}" -lt "1" ]; then return 0 fi return 1 } # Check whether a given service is beta check_service_is_beta() { service_name=$1 _IS_BETA_SVC=$(/usr/bin/python3 -c " from uaclient.config import UAConfig from uaclient.entitlements import entitlement_factory try: cfg = UAConfig() ent_cls = entitlement_factory(cfg=cfg, name='${service_name}') allow_beta = cfg.features.get('allow_beta', False) print(all([ent_cls.is_beta, not allow_beta])) except Exception: print(True) ") if [ "${_IS_BETA_SVC}" = "True" ]; then return 0 else return 1 fi } # Check cached service status from status.json and return 0 if enabled else 1 check_service_is_enabled() { service_name=$1 _RET=$(/usr/bin/python3 -c " import os import json from uaclient.config import UAConfig cfg = UAConfig() status = cfg.read_cache('status-cache') if status: for service in status.get('services', []): if service.get('name', '') == '${service_name}': print(service.get('status', '')) ") if [ "${_RET}" = "enabled" ]; then return 0 else return 1 fi } unconfigure_esm() { if ! check_service_is_enabled esm-infra; then rm -f "$APT_TRUSTED_KEY_DIR/ubuntu-esm*gpg" # Remove previous esm keys rm -f "$APT_TRUSTED_KEY_DIR/$ESM_INFRA_KEY_TRUSTY" rm -f "$ESM_INFRA_APT_SOURCE_FILE" rm -f "$ESM_INFRA_OLD_APT_SOURCE_FILE_TRUSTY" rm -f "$ESM_APT_PREF_FILE_TRUSTY" "$ESM_INFRA_OLD_APT_PREF_FILE_TRUSTY" rm -f "$ESM_INFRA_APT_PREF_FILE" fi if ! check_service_is_enabled esm-apps; then rm -f "$APT_TRUSTED_KEY_DIR/$ESM_APPS_KEY" rm -f "$ESM_APPS_APT_SOURCE_FILE" rm -f "$ESM_APPS_APT_PREF_FILE" fi } # Add visibility to a disabled ESM APT source by installing a GPG key and # preferences file to Pin never so packages won't get installed by apt update. install_esm_apt_key_and_source() { service=$1 release=$2 apt_suite="${release}-${service}"; case "${service}" in apps) apt_origin="UbuntuESMApps" apt_pref_file=${ESM_APPS_APT_PREF_FILE}; apt_source_file=${ESM_APPS_APT_SOURCE_FILE}; apt_key=${ESM_APPS_KEY}; ;; infra) apt_origin="UbuntuESM" apt_pref_file=${ESM_INFRA_APT_PREF_FILE}; apt_source_file=${ESM_INFRA_APT_SOURCE_FILE}; apt_key=${ESM_INFRA_KEY_TRUSTY}; ;; esac # GPG key setup to avoid apt gpg key warnings if [ ! -f "$APT_TRUSTED_KEY_DIR/$apt_key" ]; then cp $UA_KEYRING_DIR/$apt_key $APT_TRUSTED_KEY_DIR fi # If preference file doesn't already exist, we aren't attached. # Setup unauthenticated apt source list file and never-pin preference if [ ! -e "${apt_source_file}" ]; then # Unconfigured repo, so set it up as never-pinned cat > ${apt_source_file} <<EOF # Written by ubuntu-advantage-tools deb https://esm.ubuntu.com/${service}/ubuntu ${apt_suite}-security main # deb-src https://esm.ubuntu.com/${service}/ubuntu ${apt_suite}-security main deb https://esm.ubuntu.com/${service}/ubuntu ${apt_suite}-updates main # deb-src https://esm.ubuntu.com/${service}/ubuntu ${apt_suite}-updates main EOF # Automatically disable esm sources via apt preferences until enabled cat > "${apt_pref_file}" <<EOF # Written by ubuntu-advantage-tools Package: * Pin: release o=${apt_origin}, n=${release} Pin-Priority: never EOF fi } configure_esm() { rm -f $APT_TRUSTED_KEY_DIR/ubuntu-esm*gpg # Remove legacy esm keys if check_is_active_esm "${UBUNTU_CODENAME}"; then install_esm_apt_key_and_source "infra" "$UBUNTU_CODENAME" fi if ! check_service_is_beta esm-apps; then install_esm_apt_key_and_source "apps" "$UBUNTU_CODENAME" fi } # If held fips packages exist, we are on a FIPS PRO machine with FIPS enabled mark_reboot_for_fips_pro() { FIPS_HOLDS=$(apt-mark showholds | grep -E 'fips|libssl1|openssh-client|openssh-server|linux-fips|openssl|strongswan' || exit 0) if [ "$FIPS_HOLDS" ]; then mark_reboot_cmds_as_needed FIPS_REBOOT_REQUIRED_MSG fi } add_notice() { msg_name=$1 /usr/bin/python3 -c " from uaclient.config import UAConfig from uaclient.messages import ${msg_name} cfg = UAConfig() cfg.add_notice(label='', description=${msg_name}) " } mark_reboot_cmds_as_needed() { msg_name=$1 if [ ! -f "$REBOOT_CMD_MARKER_FILE" ]; then touch $REBOOT_CMD_MARKER_FILE fi add_notice "$msg_name" } patch_status_json_0_1_for_non_root() { # UA client 27.2 broke status.json schema backward-compatibility for # non-root users. Apply a patch to allow non-root user to run `ua status` # without Tracebacks if dpkg --compare-versions "$PREVIOUS_PKG_VER" gt-nl "27.2"; then return fi if [ ! -e "/var/lib/ubuntu-advantage/status.json" ]; then return fi /usr/lib/ubuntu-advantage/patch_status_json.py || true } notify_wrong_fips_metapackage_on_cloud() { # On xenial, we don't have FIPS optimized kernels on the clouds. # Because of that, we block enabling FIPS on xenial clouds. However, # we do have a config override that allows users to install the generic # FIPS packages into the cloud instance. We don't want to notify those users if [ "$VERSION_ID" = "16.04" ]; then return fi fips_metapkg="ubuntu-fips" cloud_id=$(cloud-id 2>/dev/null) || cloud_id="" # If the package is not installed, we don't want the postinst script to fail fips_installed=$(dpkg-query -W --showformat='${db:Status-Status}\n' $fips_metapkg 2>/dev/null || true) if echo "$cloud_id" | grep -E -q "^(azure|aws)"; then if echo "$fips_installed" | grep -E -q "installed"; then add_notice NOTICE_WRONG_FIPS_METAPACKAGE_ON_CLOUD fi fi } rm_old_license_check_marker() { rm -f $OLD_LICENSE_CHECK_MARKER_FILE } disable_new_timer_if_old_timer_already_disabled() { # If the user has disabled the ua-messaging # then we will assume that the user would want the # ua-timer to be disabled as well. In that case, we will # disable the ua-timer here. PREVIOUS_PKG_VER=$1 # We should only perform this check on UA version that have the # ua-messaging.timer: 27.0 until 27.2. This will also guarantee # that on 27.3 and forward, we will not run this logic. if dpkg --compare-versions "$PREVIOUS_PKG_VER" lt "27.0~" \ || dpkg --compare-versions "$PREVIOUS_PKG_VER" ge "27.3~"; then return fi if ! deb-systemd-helper --quiet was-enabled $OLD_MESSAGING_TIMER; then # We have the following entry on our rules file: # dh_systemd_enable -pubuntu-advantage-tools ua-timer.timer # This rule will append some code at the end of the postinst script # that checks if the ua-timer.timer was already enabled on the system. # This means that if we manually disable the service here, that logic will # still enable it in the end of the postinst script. # Because of this logic we are now manually enabling ua-timer.timer here # and then we manually disable it. This will guarantee that the was-enabled # logic introduced by the rules file will not be triggered and we will not # re-enable the ua-timer.timer service after calling this function. echo "$OLD_MESSAGING_TIMER was disabled. Disabling $UA_TIMER_NAME." >&2 deb-systemd-helper enable $UA_TIMER_NAME > /dev/null 2>&1 || true deb-systemd-helper disable $UA_TIMER_NAME > /dev/null 2>&1 || true fi } remove_old_systemd_units() { PREVIOUS_PKG_VER=$1 # These are the commands that are run when the package is purged. # Since we actually want to remove this service from now on # we have replicated that behavior here if [ -L $OLD_MESSAGING_TIMER_MASKED_LOCATION ]; then deb-systemd-helper purge ua-messaging.timer > /dev/null || true deb-systemd-helper unmask ua-messaging.timer > /dev/null || true fi if [ -L $OLD_LICENSE_CHECK_PATH_MASKED_LOCATION ]; then if [ -d /run/systemd/system ]; then # If the old ua-license-check.timer was running during upgrade # then it will be in a failed state because the files were removed # The failed state is ephemeral and only needs to be cleared if # it is there so that the system doesn't say it is degraded. # If the old timer was not running, then this is a noop. systemctl --system daemon-reload > /dev/null || true systemctl reset-failed ua-license-check.timer > /dev/null 2>&1 || true # In rare race-condition scenarios, the service can also get into # the same failed state. systemctl reset-failed ua-license-check.service > /dev/null 2>&1 || true fi deb-systemd-helper purge ua-license-check.path > /dev/null || true deb-systemd-helper unmask ua-license-check.path > /dev/null || true fi # If we're do-release-upgrad-ing to bionic, then clean up the xenial-only # cloud-id-shim unit if [ "$VERSION_ID" = "18.04" ]; then if echo "$PREVIOUS_PKG_VER" | grep -q "16.04"; then if [ -L $XENIAL_CLOUD_ID_SHIM_UNIT_LOCATION ]; then deb-systemd-helper purge ubuntu-advantage-cloud-id-shim.service > /dev/null || true deb-systemd-helper unmask ubuntu-advantage-cloud-id-shim.service > /dev/null || true fi fi fi } case "$1" in configure) PREVIOUS_PKG_VER=$2 # We changed the way we store public files in 19.5 if dpkg --compare-versions "$PREVIOUS_PKG_VER" lt-nl "19.5~"; then # Remove all publicly-readable files find /var/lib/ubuntu-advantage/ -maxdepth 1 -type f -delete fi # Are we upgrading from a previously release Ubuntu Advantage Pro pkg? # We broke package compatibility in 20.2 for any image with 19.7 if dpkg --compare-versions "$PREVIOUS_PKG_VER" lt-nl "20.2~"; then if dpkg --compare-versions "$PREVIOUS_PKG_VER" ge-nl "19.7~"; then # Drop stale symlinks for migrated auto-attach-service rm -f $SYSTEMD_WANTS_AUTO_ATTACH_LINK rm -f $SYSTEMD_HELPER_ENABLED_AUTO_ATTACH_DSH rm -f $SYSTEMD_HELPER_ENABLED_WANTS_LINK fi fi patch_status_json_0_1_for_non_root # UA service PPAs support all ubuntu releases, no need to # specialize apt config filenames per ubuntu release. redact_ubuntu_release_from_ua_apt_filenames $APT_SRC_DIR redact_ubuntu_release_from_ua_apt_filenames $APT_PREFERENCES_DIR # Repo for FIPS packages changed from old client if [ -f $FIPS_APT_SOURCE_FILE ]; then if grep -q $OLD_CLIENT_FIPS_PPA $FIPS_APT_SOURCE_FILE; then add_notice FIPS_INSTALL_OUT_OF_DATE fi fi notify_wrong_fips_metapackage_on_cloud # CACHE_DIR is no longer present or used since 19.1 rm -rf /var/cache/ubuntu-advantage-tools # machine-access cache files no longer present or used since 20.1 rm -f /var/lib/ubuntu-advantage/private/machine-access-*.json if check_is_lts "${UBUNTU_CODENAME}"; then if echo "$ESM_SUPPORTED_ARCHS" | grep -qw "$MYARCH"; then configure_esm else # ESM supported release but unsupported arch unconfigure_esm fi fi # log files need to be world-readable if [ ! -f /var/log/ubuntu-advantage.log ]; then touch /var/log/ubuntu-advantage.log # We are only making new log files world readable chmod 0644 /var/log/ubuntu-advantage.log fi chown root:root /var/log/ubuntu-advantage.log private_dir="/var/lib/ubuntu-advantage/private" if [ -d "$private_dir" ]; then chmod 0700 "$private_dir" fi if [ "$VERSION_ID" = "16.04" ]; then if echo "$PREVIOUS_PKG_VER" | grep -q "14.04"; then mark_reboot_cmds_as_needed LIVEPATCH_LTS_REBOOT_REQUIRED fi fi mark_reboot_for_fips_pro rm_old_license_check_marker disable_new_timer_if_old_timer_already_disabled $PREVIOUS_PKG_VER remove_old_systemd_units $PREVIOUS_PKG_VER /usr/lib/ubuntu-advantage/cloud-id-shim.sh || true ;; esac # Automatically added by dh_python3 if command -v py3compile >/dev/null 2>&1; then py3compile -p ubuntu-advantage-tools:amd64 fi if command -v pypy3compile >/dev/null 2>&1; then pypy3compile -p ubuntu-advantage-tools:amd64 || true fi # End automatically added section # Automatically added by dh_systemd_enable/13.6ubuntu1 if [ "$1" = "configure" ] || [ "$1" = "abort-upgrade" ] || [ "$1" = "abort-deconfigure" ] || [ "$1" = "abort-remove" ] ; then # This will only remove masks created by d-s-h on package removal. deb-systemd-helper unmask 'ua-reboot-cmds.service' >/dev/null || true # was-enabled defaults to true, so new installations run enable. if deb-systemd-helper --quiet was-enabled 'ua-reboot-cmds.service'; then # Enables the unit on first installation, creates new # symlinks on upgrades if the unit file has changed. deb-systemd-helper enable 'ua-reboot-cmds.service' >/dev/null || true else # Update the statefile to add new symlinks (if any), which need to be # cleaned up on purge. Also remove old symlinks. deb-systemd-helper update-state 'ua-reboot-cmds.service' >/dev/null || true fi fi # End automatically added section # Automatically added by dh_systemd_enable/13.6ubuntu1 if [ "$1" = "configure" ] || [ "$1" = "abort-upgrade" ] || [ "$1" = "abort-deconfigure" ] || [ "$1" = "abort-remove" ] ; then # This will only remove masks created by d-s-h on package removal. deb-systemd-helper unmask 'ua-timer.timer' >/dev/null || true # was-enabled defaults to true, so new installations run enable. if deb-systemd-helper --quiet was-enabled 'ua-timer.timer'; then # Enables the unit on first installation, creates new # symlinks on upgrades if the unit file has changed. deb-systemd-helper enable 'ua-timer.timer' >/dev/null || true else # Update the statefile to add new symlinks (if any), which need to be # cleaned up on purge. Also remove old symlinks. deb-systemd-helper update-state 'ua-timer.timer' >/dev/null || true fi fi # End automatically added section # Automatically added by dh_systemd_enable/13.6ubuntu1 if [ "$1" = "configure" ] || [ "$1" = "abort-upgrade" ] || [ "$1" = "abort-deconfigure" ] || [ "$1" = "abort-remove" ] ; then # This will only remove masks created by d-s-h on package removal. deb-systemd-helper unmask 'ubuntu-advantage.service' >/dev/null || true # was-enabled defaults to true, so new installations run enable. if deb-systemd-helper --quiet was-enabled 'ubuntu-advantage.service'; then # Enables the unit on first installation, creates new # symlinks on upgrades if the unit file has changed. deb-systemd-helper enable 'ubuntu-advantage.service' >/dev/null || true else # Update the statefile to add new symlinks (if any), which need to be # cleaned up on purge. Also remove old symlinks. deb-systemd-helper update-state 'ubuntu-advantage.service' >/dev/null || true fi fi # End automatically added section # Automatically added by dh_systemd_start/13.6ubuntu1 if [ "$1" = "configure" ] || [ "$1" = "abort-upgrade" ] || [ "$1" = "abort-deconfigure" ] || [ "$1" = "abort-remove" ] ; then if [ -z "${DPKG_ROOT:-}" ] && [ -d /run/systemd/system ]; then systemctl --system daemon-reload >/dev/null || true deb-systemd-invoke start 'ua-timer.timer' >/dev/null || true fi fi # End automatically added section # Automatically added by dh_systemd_start/13.6ubuntu1 if [ "$1" = "configure" ] || [ "$1" = "abort-upgrade" ] || [ "$1" = "abort-deconfigure" ] || [ "$1" = "abort-remove" ] ; then if [ -z "${DPKG_ROOT:-}" ] && [ -d /run/systemd/system ]; then systemctl --system daemon-reload >/dev/null || true deb-systemd-invoke start 'ubuntu-advantage.service' >/dev/null || true fi fi # End automatically added section # Automatically added by dh_installdeb/13.6ubuntu1 dpkg-maintscript-helper rm_conffile /etc/update-motd.d/99-esm 19.1~ ubuntu-advantage-tools -- "$@" # End automatically added section # Automatically added by dh_installdeb/13.6ubuntu1 dpkg-maintscript-helper rm_conffile /etc/update-motd.d/80-esm 19.1~ ubuntu-advantage-tools -- "$@" # End automatically added section # Automatically added by dh_installdeb/13.6ubuntu1 dpkg-maintscript-helper rm_conffile /etc/update-motd.d/80-livepatch 19.1~ ubuntu-advantage-tools -- "$@" # End automatically added section # Automatically added by dh_installdeb/13.6ubuntu1 dpkg-maintscript-helper rm_conffile /etc/cron.daily/ubuntu-advantage-tools 19.1~ ubuntu-advantage-tools -- "$@" # End automatically added section # Automatically added by dh_installdeb/13.6ubuntu1 dpkg-maintscript-helper rm_conffile /etc/init/ua-auto-attach.conf 20.2~ ubuntu-advantage-tools -- "$@" # End automatically added section exit 0