canonical / ubuntu-advantage-client Goto Github PK

Following https://code.launchpad.net/~ahasenack/ubuntu/+source/ubuntu-advantage-tools/+git/ubuntu-advantage-tools/+merge/337213/comments/884844, we want to remove "bash" and anything else that could cause delays from the login path. The best solution is to probably cache the output of the ubuntu-advantage status output, and maybe even update it out-of-band, so that the script run at login time at most prints existing text instead of running potentially costly code.

Brain storm:

a) Have the motd script itself manage the ua status cache.

• if the cache is too old, call the ua status command, use its output, and update the cache at the same time
• otherwise, use the cache value
  Script might still "hickup" when updating the cache

b) have the motd script always use the cached value of ua status

• another process, like a cron job, updates that cache
• the motd script could check if the cache is too old and warn about it
• alternatively, or in addition to the above, the cache timestamp could be shown in the motd output

c) something entirely different: cache the whole output of the motd script

• the motd script would check for a cached output and print that, instead of reading a cached ua status output and parsing it
• another process, like the cron job, would run what is today the motd script and cache its output, i.e., those lines about the livepatch status, instead of caching just the output of ua status

There is a concern that the ua status hourly cron job is too frequent. It should be switched to daily.

In #1719034 filed in Launchpad Steve Langasek says:

I like that there is now a 'status' subcommand. The current output looks like:

$ ubuntu-advantage status
livepatch: disabled (not available)

esm: disabled (not available)

fips: disabled (not available)
$

I think the output format could be improved in order to make it easier to scan.

• vertical whitespace: either omit all blank lines, or include an additional blank line before the first line of output

• horizontal whitespace: align on the start of the word 'disabled'?

• ordering: why are these services listed in the order they are? they're not alphabetical, they're not in the order in which they were added to the tool, and they don't match the ordering in the --help output.

We should set the PATH variable to include /snap/bin and not rely on the system to do it for us. The recent MOTD cache work highlighted this issue, because the cron jobs by default get a very specific PATH that does not include snaps. From /etc/crontab:

PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

# m h dom mon dow user	command
33 *	* * *	root    cd / && run-parts --report /etc/cron.hourly

Right now we are taking care of PATH in update-motd.d/99-livepatch only. Instead of also doing it in /etc/cron.hourly/ubuntu-advantage-tools, let's fix this once and for all in the main ubuntu-advantage script.

It's been requested that we make the script available as just "advantage". The simple way seems to be to add a symlink advantage -> ubuntu-advantage, and also for the manpage and other documentation.

I understand it's probably not worth to validate that the given token actually represents valid credentials, but we should at least check that it's of the right form:

$ sudo ./ubuntu-advantage enable-esm foo
Ubuntu ESM repository enabled.  Run "sudo apt-get update" to update lists.
$ cat /etc/apt/sources.list.d/ubuntu-esm-precise.list 
deb https://[email protected]/ubuntu precise main
# deb-src https://[email protected]/ubuntu precise main

dpb@helo:~[]$ sudo ubuntu-advantage enable-esm foobar:foobar
Running apt-get update... ERROR
...

(Testing on Xenial)

We should probably keep a known good whitelist of releases and check that up front.

root@helo:~# ubuntu-advantage enable-livepatch REDACTED
Livepatch already enabled.
You may use the "canonical-livepatch status" command
to verify your current patch status.
root@helo:~#

Second sentence:

Use "canonical-livepatch status" to verify current patch status.

Bionic is coming up, and it's best if we allow liveptaching there now ahead of time.

I get the following when running v10 tox testcases on trusty (14.04.5):

py34 create: /home/ubuntu/UA-10/ubuntu-advantage-script-v10/.tox/py34
py34 installdeps: flake8, fixtures
py34 runtests: commands[0] |
/home/ubuntu/UA-10/ubuntu-advantage-script-v10/.tox/py34/bin/python -m
unittest discover tests
EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE
"============================================================="
ERROR: test_disable_esm (test_esm.ESMTest)
The disable-esm option disables the ESM repository.
"----------------------------------------------------------------------"
Traceback (most recent call last):
  File
"/home/ubuntu/UA-10/ubuntu-advantage-script-v10/tests/testing.py", line
45, in setUp
    self.fstab.write_text('')
AttributeError: 'PosixPath' object has no attribute 'write_text'

Since trusty has python 3.4, I changed this in the tox.ini. But it seems 3.4 may not have included the write_text.

Current code:

configure_fips() {
    local bootdev fips_params result

    # if /boot has its own partition, then get the bootdevice
    # Note: /boot/efi  does not count
    bootdev=$(awk '!/^\s*#/ && $2 ~ /^\/boot\/?$/ { print $1 }' "$FSTAB")
    fips_params="fips=1"
    if [ -n "$bootdev" ]; then
        fips_params="$fips_params bootdev=$bootdev"
    fi

It look if a separate /boot partition exist in FSTAB, if nothing is return (nonzero value) it skip the bootdev portion but what if the $bootdev is nonzero and doesn't contain a UUID ?

The first field of /boot line could be a device name in the form of (/dev/sda) or a label (LABEL=Boot).
I think iff UUID is needed, then we should add a validation mechanism.

# if /boot has its own partition, then get the bootdevice
    # Note: /boot/efi  does not count
    bootdev=$(awk '!/^\s*#/ && $2 ~ /^\/boot\/?$/ { print $1 }' "$FSTAB")
    fips_params="fips=1"
    if [[ -n "$bootdev" && "$bootdev" == "UUID"* ]]; then
        fips_params="$fips_params bootdev=$bootdev"

This came up as a review comment in https://code.launchpad.net/~ahasenack/ubuntu/+source/ubuntu-advantage-tools/+git/ubuntu-advantage-tools/+merge/342208

Umm, don't you want to push the FIPS version of any package being installed (or that will be later installed via the pins) instead of unconditionally installing them?
You force e.g. strongswan onto all the fips systems without any need. Most might just use kernel and libssl.
I personally think it is wrong to just install all of them.

The suggestion is to force install what is really needed for fips, but to just upgrade to the fips version in the case of other pcakages like strongswan. If the user doesn't have strongswan already installed, then we shouldn't install the fips one. Similarly for other packages.

Some awk code was written expecting gawk to be installed, but in reality we only have mawk:

FAIL: test_enable_disable_needs_root (test_script.UbuntuAdvantageScriptTest)
The script must be run as root for enable and disable actions.
----------------------------------------------------------------------
Traceback (most recent call last):
  File "/<<BUILDDIR>>/ubuntu-advantage-tools-13+82+git.291ae41~ubuntu18.04.1/tests/test_script.py", line 18, in test_enable_disable_needs_root
    self.assertIn('This command must be run as root', process.stderr)
AssertionError: 'This command must be run as root' not found in 'awk: line 3: syntax error at or near ,\nawk: line 7: syntax error at or near ,\n'

I can reproduce this in an lxd if I remove gawk and leave just mawk installed.

We should disable tests during package builds, because they use tox and python 3.5 and that is not available in precise.

From SRU comment #7, the ubuntu-advantage script should install the apt-transport-https package if it's not installed, so that apt can access the ESM archive which is behind https.

With the exception of ESM, all existing and future motd scripts should live in update-notifier and not in ubuntu-advantage-tools (see https://bugs.launchpad.net/ubuntu/+source/update-notifier/+bug/1710976)

When installing dependencies, we redirect stdout to /dev/null and only show stderr. This works fine for most packages, since they only write something to stderr when there is a problem. The kernel package, however, spits out a lot of noise to stderr that does not represent errors.

For example:

(...)
Installing missing dependency snapd
Done.
Running depmod.
update-initramfs: deferring update (hook will be called later)
Examining /etc/kernel/postinst.d.
run-parts: executing /etc/kernel/postinst.d/apt-auto-removal 4.4.0-89-generic /boot/vmlinuz-4.4.0-89-generic
run-parts: executing /etc/kernel/postinst.d/initramfs-tools 4.4.0-89-generic /boot/vmlinuz-4.4.0-89-generic
update-initramfs: Generating /boot/initrd.img-4.4.0-89-generic
run-parts: executing /etc/kernel/postinst.d/update-notifier 4.4.0-89-generic /boot/vmlinuz-4.4.0-89-generic
run-parts: executing /etc/kernel/postinst.d/x-grub-legacy-ec2 4.4.0-89-generic /boot/vmlinuz-4.4.0-89-generi
(...)

For this reason, we should probably redirect stderr to stdout and capture both, and then display them if $? wasn't zero.

Mockup:

$ ubuntu-advantage status
* livepatch: enabled
<< include `canonical-livepatch status` if enabled >>
* esm: disabled (not available)

The manpage should have a section describing the possible exit codes from the ubuntu-advantage script.

All enable-<service> commands should check first if the service is already enabled.

If there is no cache file, the motd script will call ua status to create one and use it. It must not do that, ever. If there is no cache, bail.

Currently the _fips_prep_check function performs two very different checks:

• if the current CPU has the minimum flags
• if the packages are already installed

In both cases, it returns 1, which is interpreted as a failure. The whole script then, however, returns 6, which according to the man page means:

6 It was determined that FIPS has already been installed

That is incorrect if what failed was the cpu flags check. We should probably move the first check into the new check_service_support changed in PR #95 so that we can exit 7 (also introduced in that PR).

From https://bugs.launchpad.net/ubuntu/+source/ubuntu-advantage-tools/+bug/1730361:

Hi,
while testing for an SRU in ua I found this which I think is less of a nice experience than it should be.

If you try FIPS via ua you might have no credentials, but want to try.
What happens is:

sudo ubuntu-advantage enable-fips xxx:xxx
Running apt-get update... ERROR
[...]
W: The repository 'https://private-ppa.launchpad.net/ubuntu-advantage/fips/ubuntu xenial Release' does not have a Release file.
E: Failed to fetch https://private-ppa.launchpad.net/ubuntu-advantage/fips/ubuntu/dists/xenial/main/binary-amd64/Packages 401 Unauthorized
E: Some index files failed to download. They have been ignored, or old ones used instead.

Fine, I get why xxx:xxx isn't working.
But then it leaves my system in a bad state.

# apt update
[...]
Err:7 https://private-ppa.launchpad.net/ubuntu-advantage/fips/ubuntu xenial Release
  401 Unauthorized
Reading package lists... Done
E: The repository 'https://private-ppa.launchpad.net/ubuntu-advantage/fips/ubuntu xenial Release' does not have a Release file.

I'd ask you to check the credentials somehow and only add the repo IF those are good.
An alternative would be that if "on enablement" the fail is at the step "Running apt-get update... ERROR" then remove the repo you configured (the one in /etc/apt/sources.list.d/ubuntu-fips-xenial.list).

So it could look either like:

sudo ubuntu-advantage enable-fips xxx:xxx
Checking Credentials... ERROR

(no add repo happening)

or:

$ sudo ubuntu-advantage enable-fips xxx:xxx
Running apt-get update... ERROR
Rolling back repository... Ok

The script should check that it's run as root

For each of the enable-* / disable-* actions, please create a third action, check-*, which prints a message to stdout and exits 0 if enabled, 1 if disabled.

For example:
$ ubuntu-advantage check-fips
FIPS is enabled
$ echo $?
0

$ ubuntu-advantage check-landscape
Landscape is disabled
$ echo $?
1

This should provide a definitive mechanism for third party tools checking if a machine is running in FIPS-enabled mode, or if a machine has Livepatch enabled, or if a machine has a support contract, etc.

Thanks!
Dustin

On machines without the AES instruction set (tested on libvirt/KVM VM) the FIPS kernel fails to boot with fips=1 on the kernel cmdline. Changing the CPU profile to include the AES instruction set (with no other changes) allows the kernel to boot.

The AES instruction's availability can be checked by "grep -m1 -o aes /proc/cpuinfo" outputting nothing if AES is not available and "aes" if it is.

The ubuntu-advantage-tools should detect if AES instruction set is present and if not output an error instead of installing, and then the host failing to boot.

From SRU comment #7:

• the key should be shipped as a key fragment in /usr/share/keyrings/ubuntu-keyring-extended-security-maintainance.gpg
• the shell script should simply copy that key fragment into /etc/apt/trusted.gpg.d/ upon enablement of the ESM repository
• there should not be encoded binary in the shell script, and no need to call apt-key; just a cp.

Additionally, the key should be removed from /etc/apt/trusted.gpg.d/ when esm is disabled.

From https://bugs.launchpad.net/ubuntu/+source/ubuntu-advantage-tools/+bug/1707290:

Removing the ubuntu-advantage-tools package (not purging: removing) will leave the /etc/update-motd.d/99-esm script in place. Accordingly, it will run at login time, but since it calls out to the ubuntu-advantage script that no longer exists, it fails.

This is the sequence of events:

• ubuntu-advantage-tools is installed
• sudo ubuntu-advantage enable-esm with a valid token is run
• logout and login, confirming that the MOTD says something like "This Ubuntu 12.04 system is configured to receive extended security updates"
• remove (not purge) the ubuntu-advantage package. This will leave the sources.list.d/ file with the ESM repository in place and working, and the MOTD script, but remove the ubuntu-advantage script
• logout and login. The MOTD will now say "This Ubuntu 12.04 LTS system is past its End of Life", even though the ESM repository is still enabled and functioning.

Following the review comment from https://code.launchpad.net/~ahasenack/ubuntu/+source/ubuntu-advantage-tools/+git/ubuntu-advantage-tools/+merge/337213/comments/884844, we should adapt the livepatch motd script to dash, and return the esm one to dash as well.

Right now, if you run enable-fips twice, the second time will tell you that fips is already enabled, even though that's not yet true because the machine is still running the old kernel:

root@15-89:~# ubuntu-advantage enable-fips <redacted>
Running apt-get update... OK
Ubuntu FIPS PPA repository enabled.
Installing FIPS packages (this may take a while)...OK
Configuring FIPS...
Updating grub to enable fips ...OK
Successfully configured FIPS. PLEASE REBOOT to complete FIPS enablement.

root@15-89:~# ubuntu-advantage enable-fips <redacted>
ERROR: Looks like FIPS already installed.
root@15-89:~# echo $?
6

It could check the running kernel, and if it's not the fips kernel, repeat the reboot message.

$ uname -r
4.4.0-1002-fips

This came up in the review of https://code.launchpad.net/~ahasenack/ubuntu/+source/ubuntu-advantage-tools/+git/ubuntu-advantage-tools/+merge/342208.

+    # add the fips-updates repo if the system is undergoing updates the first time
--
172 | +    if [ ! -f "$FIPS_UPDATES_REPO_LIST" ]; then
ChristianEhrhardt (paelzer) wrote 5 hours ago:
Do we want/need to care about other files like that. So if e.g. someone sets a new var for
FIPS_UPDATES_REPO_LIST in an export (it is initialized accepting external input) Then
I agree that we need to populate this new file, but do we have to care about the old
one?  In a similar way, if the file exists but does not have the content we expect. Do we
then want to refresh it? (A do not modify line in the file would be great) Then just
compare intended with current content, if not the same we might have to handle that.

I suggest to add a header like this:

# DO NOT MODIFY OR CHANGE THE NAME OF THIS FILE
# This file is managed by the ubuntu-advantage-tools package

After enable, please run apt-get update, and report if that fails.

Running apt-get update to refresh lists...
Ubuntu ESM Repository was enabled

Running apt-get update to refresh lists...
Warning: apt-get update failed, please investigate
Ubuntu ESM Repository was enabled

Or something similar and more user friendly.

Filed in launchpad as https://bugs.launchpad.net/ubuntu/+source/ubuntu-advantage-tools/+bug/1700611

The sources.list.d entry for esm is created with the default umask, which means that all local users on the system have access to the token. Being able to read globally-readable files on the filesystem does not necessarily mean you are an ESM subscriber who should have access to this token and be able to access the ESM archive.

We should probably create this file mode 0600. (Though it is too late to fix this for precise.)

On a fresh trusty install, livepatch does not work:

(...)
canonical-livepatch 7 from 'canonical' installed
Enabling Livepatch with the given token, stand by...
cannot perform readlinkat() on the mount namespace file descriptor of the init process: Permission denied

It only works with a 4.4.0 or newer kernel. In fact, looks like any snap you try to run won't work, even though it installs fine:

ubuntu@22-96:~$ snap list
Name                 Version     Rev   Developer  Notes
canonical-livepatch  7           22    canonical  -
core                 16-2.26.14  2462  canonical  -
hello-world          6.3         27    canonical  -
ubuntu@22-96:~$ hello-world
cannot perform readlinkat() on the mount namespace file descriptor of the init process: Permission denied

When you install snapd, it pulls in a 4.4.0 kernel (if on trusty), but it doesn't tell you to reboot into it, nor does it complain when you start installing snaps, which works. It's only when running them that a cryptic error message is shown. I filed a bug in snapd about this: https://forum.snapcraft.io/t/experience-with-an-unsupported-kernel/1588

Until that is sorted, it would make sense for ubuntu-advantage to detect this situation and tell the user that a more recent running kernel is needed.

The current ordering is weird and should be altered.

-rwxr-xr-x 1 root root 1220 Oct 22  2015 00-header*
-rwxr-xr-x 1 root root 1157 Jun 14  2016 10-help-text*
lrwxrwxrwx 1 root root   46 Mar 11 10:16 50-landscape-sysinfo -> /usr/share/landscape/landscape-sysinfo.wrapper*
-rwxr-xr-x 1 root root 4251 Jun 29  2017 50-motd-news*
-rwxr-xr-x 1 root root   97 Mar 24  2016 90-updates-available*
-rwxr-xr-x 1 root root  299 Feb  5 04:00 91-release-upgrade*
-rwxr-xr-x 1 root root  129 Nov 12 21:53 95-hwe-eol*
-rwxr-xr-x 1 root root  142 Mar 19  2012 98-fsck-at-reboot*
-rwxr-xr-x 1 root root  144 Mar 19  2012 98-reboot-required*
-rwxr-xr-x 1 root root  604 Oct 30 12:37 99-esm*
-rwxr-xr-x 1 root root 3200 Feb 14 12:21 99-livepatch*

Sample:

Welcome to Ubuntu Bionic Beaver (development branch) (GNU/Linux 4.15.0-10-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Mon Mar 19 15:47:17 MDT 2018

  System load:  0.99               Users logged in:        1
  Usage of /:   53.7% of 92.69GB   IP address for enp0s25: 10.10.1.35
  Memory usage: 54%                IP address for virbr0:  192.168.122.1
  Swap usage:   0%                 IP address for virbr1:  192.168.100.1
  Processes:    415                IP address for lxdbr0:  10.113.42.1

 * Meltdown, Spectre and Ubuntu: What are the attack vectors,
   how the fixes work, and everything else you need to know
   - https://ubu.one/u2Know

56 packages can be updated.
0 updates are security updates.

*** System restart required ***
 * Canonical Livepatch is available for installation.
   - Reduce system reboots and improve kernel security. Activate at:
     https://ubuntu.com/livepatch

99-esm and 99-livepatch should move to 80 to be sorted before the updates 95 and above should be reserved for more time-critical messages that will not always be present -- since they will show up closer to the user's terminal.

According to https://bugs.launchpad.net/ubuntu/+source/ubuntu-advantage-tools/+bug/1721272/comments/4 we should use "ua" for the short name, and keep "ubuntu-advantage" as the main script.

https://bugs.launchpad.net/ubuntu/+source/ubuntu-advantage-tools/+bug/1690270

Just as apt-transport-https is not in the minimal seed and must be installed by ubuntu-advantage enable-esm to ensure its availability, ca-certificates is not part of minimal, only standard. Without ca-certificates, apt-transport-https does not have SSL CAs to verify the esm.ubuntu.com site against.

While this is non-fatal in precise, later versions of apt-transport-https (rightly!) enforce SSL certificate verification, so we should fix this to be future-proof.

For now, there is no way to disable FIPS support once it has been enabled. This should be documented in the manpage, and perhaps in the README file.

Since livepatch is only available for x86_64/amd64 (64 bits, therefore), the ua-tools script could detect that and prevent the user from trying to enable it on an unsupported architecture.

For example, on s390x it's listed as available:

ubuntu@xenial-andreas:~$ ua status
esm: disabled (not available)
livepatch: disabled
fips: disabled

But won't install:

ubuntu@xenial-andreas:~$ sudo ua enable-livepatch <redacted>
Installing the canonical-livepatch snap.
This may take a few minutes depending on your bandwidth.
error: snap "canonical-livepatch" not found

uname:

ubuntu@xenial-andreas:~$ uname -a
Linux xenial-andreas 4.4.0-103-generic #126-Ubuntu SMP Mon Dec 4 16:22:13 UTC 2017 s390x s390x s390x GNU/Linux

With the reordering of the MOTD scripts, a DEP8 test needs fixing because it's still using the old motd path:

autopkgtest [15:45:41]: test update-motd-run: [-----------------------
+++ lsb_release -cs
++ codename=bionic
+++ lsb_release -ds
++ description='Ubuntu Bionic Beaver (development branch)'
+++ /bin/sh /etc/update-motd.d/99-esm
/bin/sh: 0: Can't open /etc/update-motd.d/99-esm
++ motd_text=
autopkgtest [15:45:42]: test update-motd-run: -----------------------]
update-motd-run      FAIL non-zero exit status 127

https://bugs.launchpad.net/ubuntu/+source/ubuntu-advantage-tools/+bug/1757490

After enabling FIPS, several packages are replaced by their FIPS counterparts. These come from a special FIPS PPA provided by Canonical.

Normal system upgrades, however, could replace these FIPS packages with the non-FIPS ones, thus rendering the installation uncertified.

It sounds reasonable that the ubuntu-advantage script, after having enabled fips and installed these extra needed packages, should somehow mark these as having a higher priority than the normal ubuntu repositories. This could be achieved either via "holds", or by pinning the fips PPA at a higher priority.

The PPA pinning sounds more attractive at first glance because it would rank any package that comes from that PPA as having a higher priority, so it's future proof.

If installting apt-transport-https fails, currently the script will abort.

Instead the error should be cought, and it should be non critical warning. something like this:

"Warning: Attempt to install apt-transprot-https failed, but is required to access ESM repository. Please investiage" - or something more friendly.

Replace exit calls in functions with return, since the script is executed with -e anyway.

From the SRU comment #6, we should update the GPG key with a more descriptive email address.

RT #101190 was filed requesting this change, and as soon as we have the new key contents the copy in the ubuntu-advantage script should be updated.

root@helo:~# ubuntu-advantage enable-livepatch foobar
Invalid or missing Livepatch token
Please visit https://ubuntu.com/livepatch to obtain a
Livepatch token.

"Livepatch token" should not be wrapped.

I tried to enable livepatch on a trusty machine, but it got stuck:

ubuntu@61-b1:~$ sudo ubuntu-advantage enable-livepatch <redacted>
Installing missing dependency snapd... 

Behind the scenes, what happened is that dpkg issued a prompt:

2228 pts/0    S+     0:00  |           \_ sudo ubuntu-advantage enable-livepatch redacted
2229 pts/0    S+     0:00  |               \_ /bin/sh -e /usr/bin/ubuntu-advantage enable-livepatch redacted
2236 pts/0    S+     0:01  |                   \_ apt-get install -y snapd
3269 pts/0    S+     0:00  |                       \_ /usr/bin/dpkg --status-fd 43 --configure liblzo2-2:amd64 libsystemd-journal0:amd64 linux-image-4.4.0-92-generic:amd64 linux-image-extra-4.4.0-92-generic:amd64 linux-image-generic-lts-xenial:amd64 linux-headers-4.4.0-92:all linux-headers-4.4.0-92-generic:amd64 linux-headers-generic-lts-xenial:amd64 linux-generic-lts-xenial:amd64 cgroup-lite:all squashfs-tools:amd64 systemd:amd64 snapd:amd64 thermald:amd64
3278 pts/0    S+     0:00  |                           \_ /usr/bin/perl /var/lib/dpkg/info/linux-image-4.4.0-92-generic.postinst configure 
3304 pts/0    S+     0:00  |                               \_ run-parts --verbose --exit-on-error --arg=4.4.0-92-generic --arg=/boot/vmlinuz-4.4.0-92-generic /etc/kernel/postinst.d
11905 pts/0    S+     0:00  |                                   \_ /usr/bin/perl -w /usr/share/debconf/frontend /usr/sbin/update-grub-legacy-ec2
11911 pts/0    S+     0:00  |                                       \_ /bin/bash /usr/sbin/update-grub-legacy-ec2
12312 pts/0    S+     0:00  |                                       |   \_ /bin/bash /usr/bin/ucf --debconf-ok --debconf-template grub/update_grub_changeprompt_threeway --three-way /tmp/filez4NBAU /var/run/grub/menu.lst
12362 pts/0    S+     0:00  |                                       \_ whiptail --backtitle Package configuration --title  --output-fd 11 --nocancel --default-item keep the local version currently installed --menu A new version of /boot/grub/menu.lst is available, but the version installed currently has been locally modified.  What would you like to do about menu.lst? 17 118 7 -- install the package maintainer's version  keep the local version currently installed  show the differences between the versions  show a side-by-side difference between the versions  show a 3-way difference between available versions  do a 3-way merge between available versions (experimental)  start a new shell to examine the situation 

Hitting ENTER at the stuck screen accepted whatever was the default choice and moved on.

Note that this can happen in any Ubuntu release, not just trusty.

This project needs a LICENSE and/or COPYRIGHT file.

13:51 ahasenack: in apt.sh, if you're using --force-confold you should probably also use the matching ucf flag

I think. I haven't checked but am making a note in case it bites later.

The check for installed fips packages in _fips_prep_check(), later changed to _fips_check_packages_installed() in PR #101, should iterate over all packages before proceeding. It should check that all packages are installed before moving on to fips_is_enabled, because if there is a missing package, we will want to fix it by installing it. And we definitely shouldn't tell the user to reboot if we find out just one package is installed and not the rest.