[Bug 1719671] Re: [SRU][xenial] include recent version containing fips and livepatch
Andreas Hasenack
andreas at canonical.com
Thu Oct 19 20:47:57 UTC 2017
** Description changed:
+ ** description still being worked on, not done yet **
+
+
[IMPACT]
- Most recent version of ubuntu-advantage-tool on github includes fips and livepatch enablement. The fips enablement will allow customers to easily install and configure Canonical's FIPS certified modules on xenial, whereas livepatch allows customers to patch the kernel without a reboot.
+ Most recent version of ubuntu-advantage-tool on github includes fips and livepatch enablement. The fips enablement will allow customers to easily install and configure Canonical's FIPS certified modules on xenial, whereas livepatch allows xenial and trusty customers to patch the running kernel without a reboot.
This SRU will cover both new features.
- Note: FIPS certified modules and livepatch are only available for
- xenial. On other releases the tool will not install and configure fips
- or livepatch.
+ In addition to the new features themselves, a new "status" command was
+ added that will give a short summary about the available modules and
+ their status, at a glance.
+
+ Note: FIPS certified modules are only available for xenial. Livepatch is
+ supported on xenial and trusty. The tool will refuse to enable either
+ service on an unsupported ubuntu release.
+
+ Without this updated package, customers of those services have to enable
+ them manually by following a series of steps.
[FIPS DESCRIPTION]
- when "ubuntu-advantage enable-fips <token>" is issued from commandline,
+ When "ubuntu-advantage enable-fips <token>" is issued from commandline,
- configure the private PPA where the FIPS modules are located
- install the FIPS modules from this PPA to the local machine from where the script is run
- configure the bootloader to enable fips
Upon successful completion of these steps, the customer then gets a message stating to reboot
the machine to complete the fips enablement process.
Without the script, customers must perform the steps manually.
[LIVEPATCH DESCRIPTION]
- TBW
+ Livepatch allows customers to apply kernel patches to a running system without rebooting it.
+
+ The current instructions live in http://ubuntu.com/livepatch and boil down to:
+ - install snapd if it's not installed already. On trusty this means a new kernel as well.
+ - install the canonical-livepatch snap
+ - obtain a livepatch token from Canonical
+ - run the enable command with the given token
+
+ The ubuntu-advantage-tools package simplifies this process by just
+ requesting the token and performing all the other steps on behalf of the
+ user. It also conveniently checks the running kernel and instructs the
+ user to reboot into a newer kernel if needed to finish the installation
+ (this is the case when running trusty).
[FIX]
- Add enable-fips to advantage script. See debdiff below.
-
- [TEST]
- A test package is available: and it was tested by me on S390, PPC64EL and AMD64 architectures.
-
- [REGRESSION POTENTIAL]
- The patch adds a new features to ubuntu-advantage-tool in Xenial to enable fips and livepatch. Current functionality was not altered.
+ Add fips and livepatch support to the ubuntu-adadvantage-tools package.
+ See debdiff below.
[FIPS TESTCASES]
- These testcases assume you have installed ubuntu-advantage-tools with the proposed changes.
+ These testcases assume you have installed ubuntu-advantage-tools with the proposed changes. Prior to the upload they were performed on S390, PPC64EL and AMD64 architectures.
XENIAL
+ 0. Install the new package to add fips support.
1. Collect status before enabling fips
type on commandline,
ubuntu-advantage status
expect,
livepatch: disabled
esm: disabled (not available)
fips: disabled
2. Enable fips
Note: This will require a token or credentials to fips Private PPA, in
the form xxx:xxx
type on commandline,
sudo ubuntu-advantage enable-fips xxx:xxx
expect,
[sudo] password for ubuntu:
Running apt-get update... OK
Ubuntu FIPS PPA repository enabled.
Installing FIPS packages (this may take a while)... OK
Configuring FIPS...
Updating grub to enable fips... OK
- Successfully configured FIPS. PLEASE REBOOT to complete FIPS enablement.
+ Successfully configured FIPS. Please reboot into the FIPS kernel to enable it.
type on commandline,
sudo reboot
3. Log back into system after reboot
type on commandline,
ubuntu-advantage status
expect,
livepatch: disabled
esm: disabled (not available)
fips: enabled
4. verify fips kernel "4.4.0-1002-fips" has been installed
type on commandline,
uname -a
expect,
Linux xenialguest 4.4.0-1002-fips #2-Ubuntu SMP Thu Apr 27 19:37:46 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
ZESTY
(Note that FIPS is not supported on zesty.)
1. Collect status before enabling fips
type on commandline,
ubuntu-advantage status
expect,
livepatch: disabled (not available)
esm: disabled (not available)
fips: disabled (not available)
2. Ensure that fips cannot be enabled on Zesty.
- Note: This will require a token or credentials to fips Private PPA, in
- the form xxx:xxx
+ You can use a dummy set of credentials like user:secret as the token:
type on commandline,
- sudo ubuntu-advantage enable-fips xxx:xxx
+ sudo ubuntu-advantage enable-fips user:secret
expect,
Sorry, but Canonical FIPS 140-2 Modules is not supported on zesty
3. Check that kernel is not fips kernel (4.4.0-1002-fips)
type on commandline,
uname -a
expect:
Linux ubuntu-zesty 4.10.0-19-generic #21-Ubuntu SMP Thu Apr 6 17:04:57 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
+
+
+ [REGRESSION POTENTIAL]
+ The current ubuntu-advantage-tools package in trusty, xenial and zesty is basically a NOOP because the only service it supports is ESM, which is only available for precise.
+ This update adds two new features to the package: FIPS (xenial only) and Livepatch (trusty and xenial), essentially making the package useful in trusty and xenial. For zesty there is no change, as none of these products are available for non-LTS releases.
+
+
+ [OTHER INFO]
+ The way this package was made available in all the ubuntu releases where it is now was via a "pocket copy". That's why it has the exact same version in trusty, xenial and zesty. Currently artful has version 10 (a version 12 just missed the feature freeze), so in order for upgrades between releases to work, we adopted the backports versioning scheme, by appending the ubuntu release code with a tilda ("~") to the version.
+ Another point is that even though ubuntu-advantage-tools is "just" a shell script, it is unit tested with python3, and these tests (and lint runs) gate merges in the upstream github repository at github.com/CanonicalLtd/ubuntu-advantage-script/
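Review bot: the [FIX] paragraph misspells the package as "ubuntu-adadvantage-tools"; it should read "ubuntu-advantage-tools". The bigger gap is that the SRU now covers Livepatch on trusty and xenial, but the test plan only has a [FIPS TESTCASES] section: a matching Livepatch section with the expected "ubuntu-advantage status" output before and after enabling the service on both releases (and the reboot-into-newer-kernel path the [LIVEPATCH DESCRIPTION] mentions for trusty) would let a sponsor verify that feature as well. Minor: "tilda" under [OTHER INFO] should be "tilde".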
https://bugs.launchpad.net/bugs/1719671
Title:
[SRU][xenial] include recent version containing fips and livepatch
Status in ubuntu-advantage-tools package in Ubuntu:
Fix Released
Status in ubuntu-advantage-tools source package in Xenial:
New
Status in ubuntu-advantage-tools source package in Zesty:
New
Bug description:
** description still being worked on, not done yet **
[IMPACT]
Most recent version of ubuntu-advantage-tool on github includes fips and livepatch enablement. The fips enablement will allow customers to easily install and configure Canonical's FIPS certified modules on xenial, whereas livepatch allows xenial and trusty customers to patch the running kernel without a reboot.
This SRU will cover both new features.
In addition to the new features themselves, a new "status" command was
added that will give a short summary about the available modules and
their status, at a glance.
Note: FIPS certified modules are only available for xenial. Livepatch
is supported on xenial and trusty. The tool will refuse to enable
either service on an unsupported ubuntu release.
Without this updated package, customers of those services have to
enable them manually by following a series of steps.
[FIPS DESCRIPTION]
When "ubuntu-advantage enable-fips <token>" is issued from the command line, the script will:
- configure the private PPA where the FIPS modules are located
- install the FIPS modules from this PPA on the local machine where the script is run
- configure the bootloader to enable FIPS
Upon successful completion of these steps, the customer gets a message telling them to reboot the machine to complete the FIPS enablement process.
Without the script, customers must perform these steps manually.
[LIVEPATCH DESCRIPTION]
Livepatch allows customers to apply kernel patches to a running system without rebooting it.
The current instructions live in http://ubuntu.com/livepatch and boil down to:
- install snapd if it's not installed already. On trusty this means a new kernel as well.
- install the canonical-livepatch snap
- obtain a livepatch token from Canonical
- run the enable command with the given token
The ubuntu-advantage-tools package simplifies this process by just
requesting the token and performing all the other steps on behalf of
the user. It also conveniently checks the running kernel and instructs
the user to reboot into a newer kernel if needed to finish the
installation (this is the case when running trusty).
[FIX]
Add FIPS and Livepatch support to the ubuntu-advantage-tools package. See debdiff below.
[FIPS TESTCASES]
These test cases assume you have installed ubuntu-advantage-tools with the proposed changes. Prior to the upload they were performed on S390, PPC64EL and AMD64 architectures.
XENIAL
0. Install the new package to add FIPS support.
1. Collect status before enabling FIPS
type on the command line,
ubuntu-advantage status
expect,
livepatch: disabled
esm: disabled (not available)
fips: disabled
2. Enable FIPS
Note: This will require a token or credentials for the FIPS private PPA, in the form xxx:xxx
type on the command line,
sudo ubuntu-advantage enable-fips xxx:xxx
expect,
[sudo] password for ubuntu:
Running apt-get update... OK
Ubuntu FIPS PPA repository enabled.
Installing FIPS packages (this may take a while)... OK
Configuring FIPS...
Updating grub to enable fips... OK
Successfully configured FIPS. Please reboot into the FIPS kernel to enable it.
type on the command line,
sudo reboot
3. Log back into the system after the reboot
type on the command line,
ubuntu-advantage status
expect,
livepatch: disabled
esm: disabled (not available)
fips: enabled
4. Verify that the FIPS kernel "4.4.0-1002-fips" has been installed
type on the command line,
uname -a
expect,
Linux xenialguest 4.4.0-1002-fips #2-Ubuntu SMP Thu Apr 27 19:37:46 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
ZESTY
(Note that FIPS is not supported on zesty.)
1. Collect status before enabling FIPS
type on the command line,
ubuntu-advantage status
expect,
livepatch: disabled (not available)
esm: disabled (not available)
fips: disabled (not available)
2. Ensure that FIPS cannot be enabled on zesty.
You can use a dummy set of credentials like user:secret as the token:
type on the command line,
sudo ubuntu-advantage enable-fips user:secret
expect,
Sorry, but Canonical FIPS 140-2 Modules is not supported on zesty
3. Check that the running kernel is not the FIPS kernel (4.4.0-1002-fips)
type on the command line,
uname -a
expect,
Linux ubuntu-zesty 4.10.0-19-generic #21-Ubuntu SMP Thu Apr 6 17:04:57 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
[REGRESSION POTENTIAL]
The current ubuntu-advantage-tools package in trusty, xenial and zesty is effectively a no-op, because the only service it supports is ESM, which is only available for precise.
This update adds two new features to the package: FIPS (xenial only) and Livepatch (trusty and xenial), essentially making the package useful in trusty and xenial. For zesty there is no change, as none of these products are available for non-LTS releases.
[OTHER INFO]
The way this package was made available in all the Ubuntu releases where it is now was via a "pocket copy"; that's why it has exactly the same version in trusty, xenial and zesty. Currently artful has version 10 (a version 12 just missed the feature freeze), so in order for upgrades between releases to work, we adopted the backports versioning scheme, appending a tilde ("~") followed by the Ubuntu release code to the version.
Another point: even though ubuntu-advantage-tools is "just" a shell script, it is unit tested with python3, and these tests (and lint runs) gate merges in the upstream GitHub repository at github.com/CanonicalLtd/ubuntu-advantage-script/