[Bug 1759280] Re: [FFe] version 17: FIPS updates
Andreas Hasenack
andreas at canonical.com
Tue Mar 27 17:57:09 UTC 2018
** Description changed:
Please update ubuntu-advantage-tools to version 17. These are the changes:
* Added enable-fips-updates command. This command enables the fips-updates repository to install updates to FIPS modules. The updated modules from fips-updates repository are non-certified.
* Add repository pinning for FIPS packages
* Check that all prerequisite packages are installed when enabling FIPS
* Support returning the status for a single service
All but the last bit are about FIPS, which is not enabled for Bionic. We
would like to have it in bionic to allow us to SRU it to xenial, where
fips is enabled and supported.
The last change (status for a single service) is mostly a cosmetic general feature:
$ ua status fips
esm: disabled (not available)
fips: disabled (not available)
livepatch: disabled
vs
$ ua status fips
fips: disabled (not available)
Build log: https://launchpad.net/~ahasenack/+archive/ubuntu/ua-tools-fips-updates-1759280/+build/14502245
Notice that tests are run at package build time
PPA for testing: https://launchpad.net/~ahasenack/+archive/ubuntu/ua-
tools-fips-updates-1759280
+
+
+ Upgrade test
+ ============
+ Starting from:
+ ubuntu-advantage-tools:
+ Installed: 16
+ Candidate: 16
+ Version table:
+ *** 16 500
+ 500 http://br.archive.ubuntu.com/ubuntu bionic/main amd64 Packages
+ 100 /var/lib/dpkg/status
+
+ ubuntu at bionic-ua:~$ ua status
+ esm: disabled (not available)
+ fips: disabled (not available)
+ livepatch: disabled
+
+ ubuntu at bionic-ua:~$ sudo ua enable-fips
+ Sorry, but Canonical FIPS 140-2 Modules is not supported on bionic
+ ubuntu at bionic-ua:~$
+
+
+ Adding PPA:
+ ubuntu at bionic-ua:~$ sudo add-apt-repository ppa:ahasenack/ua-tools-fips-updates-1759280 -y -u
+ (...)
+ ubuntu at bionic-ua:~$ sudo apt install ubuntu-advantage-tools
+ Reading package lists... Done
+ Building dependency tree
+ Reading state information... Done
+ The following package was automatically installed and is no longer required:
+ grub-pc-bin
+ Use 'sudo apt autoremove' to remove it.
+ The following packages will be upgraded:
+ ubuntu-advantage-tools
+ 1 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
+ Need to get 17.2 kB of archives.
+ After this operation, 6144 B of additional disk space will be used.
+ Get:1 http://ppa.launchpad.net/ahasenack/ua-tools-fips-updates-1759280/ubuntu bionic/main amd64 ubuntu-advantage-tools all 17~ppa1 [17.2 kB]
+ Fetched 17.2 kB in 1s (25.1 kB/s)
+ (Reading database ... 90710 files and directories currently installed.)
+ Preparing to unpack .../ubuntu-advantage-tools_17~ppa1_all.deb ...
+ Unpacking ubuntu-advantage-tools (17~ppa1) over (16) ...
+ Setting up ubuntu-advantage-tools (17~ppa1) ...
+ Processing triggers for man-db (2.8.2-1) ...
+
+ Post upgrade:
+ ubuntu at bionic-ua:~$ ua status
+ esm: disabled (not available)
+ fips: disabled (not available)
+ livepatch: disabled
+
+ ubuntu at bionic-ua:~$ ua status fips
+ fips: disabled (not available)
+
+ ubuntu at bionic-ua:~$ sudo ua enable-fips
+ Sorry, but Canonical FIPS 140-2 Modules is not supported on bionic
+
+ ubuntu at bionic-ua:~$ sudo ua enable-fips-updates
+ Sorry, but Canonical FIPS 140-2 Modules is not supported on bionic
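Review bot: In the post-upgrade part of the added transcript, `sudo ua enable-fips` and `sudo ua enable-fips-updates` both print "Sorry, but Canonical FIPS 140-2 Modules is not supported on bionic", but the exit status of neither call is shown. Adding `echo $?` after each would confirm that the refusal is reported as a failure, which is what a provisioning script has to rely on to know whether FIPS was actually enabled. The same applies to the `enable-fips` call in the "Starting from" part, so the version 16 and version 17 behaviour can be compared.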
** Description changed:
Please update ubuntu-advantage-tools to version 17. These are the changes:
* Added enable-fips-updates command. This command enables the fips-updates repository to install updates to FIPS modules. The updated modules from fips-updates repository are non-certified.
* Add repository pinning for FIPS packages
* Check that all prerequisite packages are installed when enabling FIPS
* Support returning the status for a single service
All but the last bit are about FIPS, which is not enabled for Bionic. We
would like to have it in bionic to allow us to SRU it to xenial, where
fips is enabled and supported.
The last change (status for a single service) is mostly a cosmetic general feature:
$ ua status fips
esm: disabled (not available)
fips: disabled (not available)
livepatch: disabled
vs
$ ua status fips
fips: disabled (not available)
Build log: https://launchpad.net/~ahasenack/+archive/ubuntu/ua-tools-fips-updates-1759280/+build/14502245
Notice that tests are run at package build time
PPA for testing: https://launchpad.net/~ahasenack/+archive/ubuntu/ua-
tools-fips-updates-1759280
-
Upgrade test
============
Starting from:
ubuntu-advantage-tools:
- Installed: 16
- Candidate: 16
- Version table:
- *** 16 500
- 500 http://br.archive.ubuntu.com/ubuntu bionic/main amd64 Packages
- 100 /var/lib/dpkg/status
+ Installed: 16
+ Candidate: 16
+ Version table:
+ *** 16 500
+ 500 http://br.archive.ubuntu.com/ubuntu bionic/main amd64 Packages
+ 100 /var/lib/dpkg/status
ubuntu at bionic-ua:~$ ua status
esm: disabled (not available)
fips: disabled (not available)
livepatch: disabled
ubuntu at bionic-ua:~$ sudo ua enable-fips
Sorry, but Canonical FIPS 140-2 Modules is not supported on bionic
- ubuntu at bionic-ua:~$
-
+ ubuntu at bionic-ua:~$
Adding PPA:
ubuntu at bionic-ua:~$ sudo add-apt-repository ppa:ahasenack/ua-tools-fips-updates-1759280 -y -u
(...)
ubuntu at bionic-ua:~$ sudo apt install ubuntu-advantage-tools
Reading package lists... Done
- Building dependency tree
+ Building dependency tree
Reading state information... Done
The following package was automatically installed and is no longer required:
- grub-pc-bin
+ grub-pc-bin
Use 'sudo apt autoremove' to remove it.
The following packages will be upgraded:
- ubuntu-advantage-tools
+ ubuntu-advantage-tools
1 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
Need to get 17.2 kB of archives.
After this operation, 6144 B of additional disk space will be used.
Get:1 http://ppa.launchpad.net/ahasenack/ua-tools-fips-updates-1759280/ubuntu bionic/main amd64 ubuntu-advantage-tools all 17~ppa1 [17.2 kB]
- Fetched 17.2 kB in 1s (25.1 kB/s)
+ Fetched 17.2 kB in 1s (25.1 kB/s)
(Reading database ... 90710 files and directories currently installed.)
Preparing to unpack .../ubuntu-advantage-tools_17~ppa1_all.deb ...
Unpacking ubuntu-advantage-tools (17~ppa1) over (16) ...
Setting up ubuntu-advantage-tools (17~ppa1) ...
Processing triggers for man-db (2.8.2-1) ...
Post upgrade:
ubuntu at bionic-ua:~$ ua status
esm: disabled (not available)
fips: disabled (not available)
livepatch: disabled
ubuntu at bionic-ua:~$ ua status fips
fips: disabled (not available)
ubuntu at bionic-ua:~$ sudo ua enable-fips
Sorry, but Canonical FIPS 140-2 Modules is not supported on bionic
ubuntu at bionic-ua:~$ sudo ua enable-fips-updates
Sorry, but Canonical FIPS 140-2 Modules is not supported on bionic
+
+
+ Testing
+ =======
+ Merges are gated on a test run on github. Example:https://travis-ci.org/CanonicalLtd/ubuntu-advantage-script/builds/358429122
+
+ Tests also run during package build.
+
+ Since fips is disabled in bionic, I tested this new code with a xenial
+ build. This will have to be done again when the xenial sru time comes,
+ and will be shown in more detail there.
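Review bot: The added Testing section says the new code was tested with a xenial build but shows none of that run, so the three FIPS changes listed at the top (enable-fips-updates, repository pinning, the prerequisite-package check) have no evidence in this description; the bionic transcript only exercises the "not supported" path. Since the description states that modules from fips-updates are non-certified, the xenial output deferred to SRU time should at least include the pin priorities as reported by `apt-cache policy`, so a reader can see which repository a FIPS package will be taken from once fips-updates is enabled.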
** Description changed:
Please update ubuntu-advantage-tools to version 17. These are the changes:
* Added enable-fips-updates command. This command enables the fips-updates repository to install updates to FIPS modules. The updated modules from fips-updates repository are non-certified.
* Add repository pinning for FIPS packages
* Check that all prerequisite packages are installed when enabling FIPS
* Support returning the status for a single service
- All but the last bit are about FIPS, which is not enabled for Bionic. We
- would like to have it in bionic to allow us to SRU it to xenial, where
- fips is enabled and supported.
+ All but the last bit are about FIPS, which is not enabled for Bionic.
+ Because of that I'm not sure a feature freeze exception is required
+ (since the new features are not enabled for bionic), but I rather error
+ on the side of caution. We would like to have it in bionic to allow us
+ to SRU it to xenial, where fips is enabled and supported.
The last change (status for a single service) is mostly a cosmetic general feature:
$ ua status fips
esm: disabled (not available)
fips: disabled (not available)
livepatch: disabled
vs
$ ua status fips
fips: disabled (not available)
Build log: https://launchpad.net/~ahasenack/+archive/ubuntu/ua-tools-fips-updates-1759280/+build/14502245
Notice that tests are run at package build time
PPA for testing: https://launchpad.net/~ahasenack/+archive/ubuntu/ua-
tools-fips-updates-1759280
Upgrade test
============
Starting from:
ubuntu-advantage-tools:
Installed: 16
Candidate: 16
Version table:
*** 16 500
500 http://br.archive.ubuntu.com/ubuntu bionic/main amd64 Packages
100 /var/lib/dpkg/status
ubuntu at bionic-ua:~$ ua status
esm: disabled (not available)
fips: disabled (not available)
livepatch: disabled
ubuntu at bionic-ua:~$ sudo ua enable-fips
Sorry, but Canonical FIPS 140-2 Modules is not supported on bionic
ubuntu at bionic-ua:~$
Adding PPA:
ubuntu at bionic-ua:~$ sudo add-apt-repository ppa:ahasenack/ua-tools-fips-updates-1759280 -y -u
(...)
ubuntu at bionic-ua:~$ sudo apt install ubuntu-advantage-tools
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following package was automatically installed and is no longer required:
grub-pc-bin
Use 'sudo apt autoremove' to remove it.
The following packages will be upgraded:
ubuntu-advantage-tools
1 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
Need to get 17.2 kB of archives.
After this operation, 6144 B of additional disk space will be used.
Get:1 http://ppa.launchpad.net/ahasenack/ua-tools-fips-updates-1759280/ubuntu bionic/main amd64 ubuntu-advantage-tools all 17~ppa1 [17.2 kB]
Fetched 17.2 kB in 1s (25.1 kB/s)
(Reading database ... 90710 files and directories currently installed.)
Preparing to unpack .../ubuntu-advantage-tools_17~ppa1_all.deb ...
Unpacking ubuntu-advantage-tools (17~ppa1) over (16) ...
Setting up ubuntu-advantage-tools (17~ppa1) ...
Processing triggers for man-db (2.8.2-1) ...
Post upgrade:
ubuntu at bionic-ua:~$ ua status
esm: disabled (not available)
fips: disabled (not available)
livepatch: disabled
ubuntu at bionic-ua:~$ ua status fips
fips: disabled (not available)
ubuntu at bionic-ua:~$ sudo ua enable-fips
Sorry, but Canonical FIPS 140-2 Modules is not supported on bionic
ubuntu at bionic-ua:~$ sudo ua enable-fips-updates
Sorry, but Canonical FIPS 140-2 Modules is not supported on bionic
-
Testing
=======
Merges are gated on a test run on github. Example:https://travis-ci.org/CanonicalLtd/ubuntu-advantage-script/builds/358429122
Tests also run during package build.
Since fips is disabled in bionic, I tested this new code with a xenial
build. This will have to be done again when the xenial sru time comes,
and will be shown in more detail there.
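Review bot: In the "cosmetic general feature" example kept in this revision, both commands are written as `$ ua status fips`, yet the first one prints all three services; going by the post-upgrade transcript further down, the first command should read `$ ua status`. In the rewritten paragraph, "I rather error on the side of caution" should read "I'd rather err on the side of caution".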
** Summary changed:
- [FFe] version 17: FIPS updates
+ [bionic] [FFe] ubuntu-advantage-tools version 17: FIPS updates
--
You received this bug notification because you are a member of Ubuntu
Server, which is subscribed to ubuntu-advantage-tools in Ubuntu.
https://bugs.launchpad.net/bugs/1759280
Title:
[bionic] [FFe] ubuntu-advantage-tools version 17: FIPS updates
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ubuntu-advantage-tools/+bug/1759280/+subscriptions