Azure · SathishMSFT · Jun 15, 2023 · Feb 6, 2023 · Feb 8, 2023 · Feb 8, 2023
@@ -206,6 +206,7 @@ class PackageClassification(EnumBackport):
         UNCLASSIFIED = 'Unclassified'
         CRITICAL = 'Critical'
         SECURITY = 'Security'
+        SECURITY_ESM = 'Security-ESM'
         OTHER = 'Other'
 
     PKG_MGR_SETTING_FILTER_CRITSEC_ONLY = 'FilterCritSecOnly'
@@ -264,6 +265,7 @@ class PatchOperationErrorCodes(EnumBackport):
         OPERATION_FAILED = "OPERATION_FAILED"
         PACKAGE_MANAGER_FAILURE = "PACKAGE_MANAGER_FAILURE"
         NEWER_OPERATION_SUPERSEDED = "NEWER_OPERATION_SUPERSEDED"
+        UA_ESM_REQUIRED = "UA_ESM_REQUIRED"
 
     ERROR_ADDED_TO_STATUS = "Error_added_to_status"
 
@@ -312,8 +314,9 @@ class EnvLayer(EnumBackport):
     PackageClassificationOrderInStatusReporting = {
         PackageClassification.CRITICAL: 1,
         PackageClassification.SECURITY: 2,
-        PackageClassification.OTHER: 3,
-        PackageClassification.UNCLASSIFIED: 4
+        PackageClassification.SECURITY_ESM: 3,
+        PackageClassification.OTHER: 4,
+        PackageClassification.UNCLASSIFIED: 5
     }
 
     PatchStateOrderInStatusReporting = {
@@ -330,4 +333,5 @@ class UbuntuProClientSettings(EnumBackport):
         FEATURE_ENABLED = True
         MINIMUM_PYTHON_VERSION_REQUIRED = (3, 5)  # using tuple as we can compare this with sys.version_info. The comparison will happen in the same order. Major version checked first. Followed by Minor version.
         MAX_OS_MAJOR_VERSION_SUPPORTED = 18
+        MINIMUM_CLIENT_VERSION = "27.14.4"
 
@@ -161,7 +161,7 @@ def is_msft_other_classification_only(self):
     def is_msft_all_classification_included(self):
         """Returns true if all classifications were individually selected *OR* (nothing was selected AND no inclusion list is present) -- business logic"""
         all_classifications = [key for key in Constants.PackageClassification.__dict__.keys() if not key.startswith('__')]
-        all_classifications_explicitly_selected = bool(len(self.installation_included_classifications) == (len(all_classifications) - 1))
+        all_classifications_explicitly_selected = bool(len(self.installation_included_classifications) == (len(all_classifications) - 2))  # all_classifications has "UNCLASSIFIED" and "SECURITY-ESM" that should be ignored. Hence -2
         no_classifications_selected = bool(len(self.installation_included_classifications) == 0)
         only_unclassified_selected = bool('Unclassified' in self.installation_included_classifications and len(self.installation_included_classifications) == 1)
         return all_classifications_explicitly_selected or ((no_classifications_selected or only_unclassified_selected) and not self.is_inclusion_list_present())

@@ -78,7 +78,10 @@ def start_assessment(self):
 
                 # Tag security updates
                 self.telemetry_writer.write_event("Security assessment: " + str(sec_packages), Constants.TelemetryEventLevel.Verbose)
-                self.status_handler.set_package_assessment_status(sec_packages, sec_package_versions, "Security")
+                self.status_handler.set_package_assessment_status(sec_packages, sec_package_versions, Constants.PackageClassification.SECURITY)
+
+                # Set the security-esm packages in status.
+                self.package_manager.set_security_esm_package_status(Constants.ASSESSMENT)
 
                 # ensure reboot status is set
                 reboot_pending = self.package_manager.is_reboot_pending()

@@ -46,6 +46,10 @@ def __init__(self, env_layer, execution_config, composite_logger, telemetry_writ
         self.attempted_parent_package_install_count = 0
         self.successful_parent_package_install_count = 0
         self.failed_parent_package_install_count = 0
+        self.skipped_esm_packages = []
+        self.skipped_esm_package_versions = []
+        self.esm_packages_found_without_attach = False  # Flag used to record if esm packages excluded as ubuntu vm not attached.
+
         self.stopwatch = Stopwatch(self.env_layer, self.telemetry_writer, self.composite_logger)
 
     def start_installation(self, simulate=False):
@@ -150,20 +154,31 @@ def install_updates(self, maintenance_window, package_manager, simulate=False):
         excluded_packages, excluded_package_versions = self.get_excluded_updates(package_manager, packages, package_versions)
         self.telemetry_writer.write_event("Excluded package list: " + str(excluded_packages), Constants.TelemetryEventLevel.Verbose)
 
-        packages, package_versions = self.filter_out_excluded_updates(packages, package_versions, excluded_packages)  # Final, honoring exclusions
+        packages, package_versions = self.filter_out_excluded_updates(packages, package_versions, excluded_packages)  # honoring exclusions
+
+        # For ubuntu VMs, filter out esm_packages, if the VM is not attached.
+        # These packages will already be marked with version as 'UA_ESM_REQUIRED'.
+        # Esm packages will not be dependent packages to non-esm packages. This is confirmed by Canonical. So, once these are removed from processing, we need not worry about handling it in our batch / sequential patch processing logic.
+        # Adding this after filtering excluded packages, so we don`t un-intentionally mark excluded esm-package status as failed.
+        packages, package_versions, self.skipped_esm_packages, self.skipped_esm_package_versions, self.esm_packages_found_without_attach = package_manager.filter_out_esm_packages(packages, package_versions)
+
         self.telemetry_writer.write_event("Final package list: " + str(packages), Constants.TelemetryEventLevel.Verbose)
 
         # Set initial statuses
         if not package_manager.get_package_manager_setting(Constants.PACKAGE_MGR_SETTING_REPEAT_PATCH_OPERATION, False):  # 'Not included' list is not accurate when a repeat is required
             self.status_handler.set_package_install_status(not_included_packages, not_included_package_versions, Constants.NOT_SELECTED)
         self.status_handler.set_package_install_status(excluded_packages, excluded_package_versions, Constants.EXCLUDED)
         self.status_handler.set_package_install_status(packages, package_versions, Constants.PENDING)
+        self.status_handler.set_package_install_status(self.skipped_esm_packages, self.skipped_esm_package_versions, Constants.FAILED)
         self.composite_logger.log("\nList of packages to be updated: \n" + str(packages))
 
         sec_packages, sec_package_versions = self.package_manager.get_security_updates()
         self.telemetry_writer.write_event("Security packages out of the final package list: " + str(sec_packages), Constants.TelemetryEventLevel.Verbose)
         self.status_handler.set_package_install_status_classification(sec_packages, sec_package_versions, classification="Security")
 
+        # Set the security-esm package status.
+        package_manager.set_security_esm_package_status(Constants.INSTALLATION)
+
         self.composite_logger.log("\nNote: Packages that are neither included nor excluded may still be installed if an included package has a dependency on it.")
         # We will see this as packages going from NotSelected --> Installed. We could remove them preemptively from not_included_packages, but we're explicitly choosing not to.
 
@@ -237,15 +252,11 @@ def install_updates(self, maintenance_window, package_manager, simulate=False):
             # point in time status
             progress_status = self.progress_template.format(str(datetime.timedelta(minutes=remaining_time)), str(self.attempted_parent_package_install_count), str(self.successful_parent_package_install_count), str(self.failed_parent_package_install_count), str(installed_update_count - self.successful_parent_package_install_count),
                                                             "Processing package: " + str(package) + " (" + str(version) + ")")
-            if version == Constants.UA_ESM_REQUIRED:
-                progress_status += "[Skipping - requires Ubuntu Advantage for Infrastructure with Extended Security Maintenance]"
-                self.composite_logger.log(progress_status)
-                self.status_handler.set_package_install_status(package_manager.get_product_name(package), str(version), Constants.NOT_SELECTED)     # may be changed to Failed in the future
-                continue
+
             self.composite_logger.log(progress_status)
 
             # include all dependencies (with specified versions) explicitly
-            # package_and_dependencies initially conains only one package. The dependencies are added in the list by method include_dependencies
+            # package_and_dependencies initially contains only one package. The dependencies are added in the list by method include_dependencies
             package_and_dependencies = [package]
             package_and_dependency_versions = [version]
 
@@ -435,14 +446,10 @@ def install_packages_in_batches(self, all_packages, all_package_versions, packag
 
             packages_in_batch = []
             package_versions_in_batch = []
-            skip_packages = []
             already_installed_packages = []
 
             for index in range(begin_index, end_index + 1):
-                if package_versions[index] == Constants.UA_ESM_REQUIRED:
-                    skip_packages.append(packages[index])
-                    self.status_handler.set_package_install_status(package_manager.get_product_name(packages[index]), str(package_versions[index]), Constants.NOT_SELECTED)
-                elif packages[index] not in self.last_still_needed_packages:
+                if packages[index] not in self.last_still_needed_packages:
                     # Could have got installed as dependent package of some other package. Package installation status could also have been set.
                     already_installed_packages.append(packages[index])
                     self.attempted_parent_package_install_count += 1
@@ -454,9 +461,6 @@ def install_packages_in_batches(self, all_packages, all_package_versions, packag
             if len(already_installed_packages) > 0:
                 self.composite_logger.log("Following packages are already installed. Could have got installed as dependent package of some other package " + str(already_installed_packages))
 
-            if len(skip_packages) > 0:
-                self.composite_logger.log("[Skipping packages " + str(skip_packages) + " - requires Ubuntu Advantage for Infrastructure with Extended Security Maintenance]")
-
             if len(packages_in_batch) == 0:
                 continue
 
@@ -553,10 +557,16 @@ def mark_installation_completed(self):
 
         # RebootNever is selected and pending, set status warning else success
         if self.reboot_manager.reboot_setting == Constants.REBOOT_NEVER and self.reboot_manager.is_reboot_pending():
+            # Set error details inline with windows extension when setting warning status. This message will be shown in portal.
+            self.status_handler.add_error_to_status("Machine is Required to reboot. However, the customer-specified reboot setting doesn't allow reboots.", Constants.PatchOperationErrorCodes.DEFAULT_ERROR)
             self.status_handler.set_installation_substatus_json(status=Constants.STATUS_WARNING)
         else:
             self.status_handler.set_installation_substatus_json(status=Constants.STATUS_SUCCESS)
 
+        # If esm packages are found, set the status as warning. This will show up in portal along with the error message we already set.
+        if self.esm_packages_found_without_attach:
+            self.status_handler.set_installation_substatus_json(status=Constants.STATUS_WARNING)
+
         # Update patch metadata in status for auto patching request, to be reported to healthStore
         # When available, HealthStoreId always takes precedence over the 'overriden' Maintenance Run Id that is being re-purposed for other reasons
         # In the future, maintenance run id will be completely deprecated for health store reporting.