
group.of.nepali.translators team mailing list archive

[Bug 1939449] Re: Ubuntu Pro UA fails to enable fips-updates on 20.04

 

This bug was fixed in the package ubuntu-advantage-tools - 27.3~20.04.1

---------------
ubuntu-advantage-tools (27.3~20.04.1) focal; urgency=medium

  * Backport new upstream release: (LP: #1942929) to focal

ubuntu-advantage-tools (27.3~21.10.1) impish; urgency=medium

  * d/tools.postinst:
    - consider cloud to be "none" on any cloud-id error
    - purge old ua-messaging.timer/service files
    - keep ua-timer.timer disabled if ua-messaging.timer was disabled by
      the user
    - properly configure both ubuntu-advantage-timer and
      ubuntu-advantage-licence-check logs
  * d/tools.postrm:
    - remove ubuntu-advantage-timer and ubuntu-advantage-license-check logs
      during purge
  * systemd:
    - remove ua-messaging.timer/service
    - add new ua-timer.timer that runs every 6 hours
    - add new ua-license_check.timer that runs every 5 minutes only if
      activated by ua-license-check.path
  * New upstream release 27.3 (LP: #1942929)
    - ros:
      + add beta support to enable ros and ros-updates
      + add support for "required services" so that esm-infra and esm-apps
        get auto-enabled when enabling ros or ros-updates
      + add support for "dependent services" so that user gets prompted to
        disable ros/ros-updates if they disable esm-infra/esm-apps
    - fips:
      + allow fips on GCP bionic now that optimized kernel is ready
      + disallow enabling fips on focal on clouds until cloud-optimized focal
        fips-certified kernel is ready (LP: #1939449, LP: #1939932)
      + print warning about generic fips kernel if cloud-id fails
    - cloud:
      + rely only on cloud-id to determine cloud type (LP: #1940131)
      + catch errors when determining cloud type
        (LP: #1938207, LP: #1944676) (GH: #1541)
    - azure:
      + bump IMDS API version to support Azure published images
    - cli:
      + collect-logs command that creates a tar file with debug-relevant logs
        and status info (GH: #463)
      + clean locks on exceptions more thoroughly to avoid false "Operation in
        progress" status messages
      + retain past service state after detach
      + shows better error message when a port value in a proxy is invalid
    - non-unicode locale support:
      + remove unicode-only characters from help file
      + don't print unicode-only characters in ua fix if non-utf8 locale
        (GH: #1463)
    - logrotate:
      + add logrotate functionality for ubuntu-advantage-timer.log.
      + Fix root:root logrotate permissions.
    - ua-timer.timer:
      + introduce a single systemd timer to handle ua recurring jobs
      + timer runs every 2 hours to support most frequent timer job
      + recurring job intervals are configurable in uaclient.conf
      + individual jobs are disabled if their interval is set to 0
      - status job:
        + update ua status every 12 hours
      - messaging job:
        + update APT/MOTD ESM messaging every 6 hours
      - metering job:
        + disabled until infrastructure is ready
        + for attached machines only, periodically update contract server with
          status information for proper contract metering
    - ua-license-check.timer:
      + only runs on LTS GCP instances that are not attached
      + runs every 5 minutes to check if gcp instance has license required to
        auto-attach
    - logs:
      + fixes duplicate logging (GH: #553)
    - tests and support:
      + remove groovy integration tests
      + various improvements to integration tests

 -- Grant Orndorff <grant.orndorff@xxxxxxxxxxxxx>  Thu, 23 Sep 2021 16:42:04 -0400

** Changed in: ubuntu-advantage-tools (Ubuntu Bionic)
       Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1939449

Title:
  Ubuntu Pro UA fails to enable fips-updates on 20.04

Status in ubuntu-advantage-tools package in Ubuntu:
  Fix Committed
Status in ubuntu-advantage-tools source package in Xenial:
  Fix Released
Status in ubuntu-advantage-tools source package in Bionic:
  Fix Released
Status in ubuntu-advantage-tools source package in Focal:
  Fix Released
Status in ubuntu-advantage-tools source package in Hirsute:
  Fix Released
Status in ubuntu-advantage-tools source package in Impish:
  Fix Released

Bug description:
  [Impact]

  This bug impacts users on AWS, trying to enable FIPS/FIPS updates on
  Focal images. There is a missing package, 'ubuntu-aws-fips', which
  causes the installation to fail.

  This package is missing because, although Focal has a FIPS certified
  kernel, the AWS adapted kernel is not ready yet. There will be in the
  future a cloud-optimized version of the FIPS kernel, and then users
  will be able to install it.

  With the applied fix, UA will show a message saying that the kernel is
  not available instead of showing an error. If the user really wants to
  install FIPS, there is a feature override
  ("allow_default_fips_metapackage_on_focal_cloud") which will install
  the default kernel.

  [Test Case]
  To reproduce
  - Spin an AWS instance using the Ubuntu 20.04 image.
  - Attach a valid token
  - Run `$ sudo ua enable fips` (or `fips-updates`)

  To verify the fix:
  1. Update to ubuntu-advantage-tools 27.3, and run the same procedure. Verify that a message is displayed saying that the kernel is not available for the Focal release.
  2. Append the following to '/etc/ubuntu-advantage/uaclient.conf':
  """
  features:
      allow_default_fips_metapackage_on_focal_cloud: true
  """
  and then run the command again. Verify that it installs a base FIPS kernel, without the -aws prefix.

  [Regression Potential]
  This change needs to make sure that we indeed prevent the installation of the non-existent package. If a corner case shows up, the user might end up with a wrong kernel. This is unlikely because we are using cloud-init tools, present in AWS, to detect the cloud instance and effectively blocking the install. If this detection fails, it means cloud-init has some problem and then, on AWS, the instance will have more problems than this one.

  We need to make sure to keep track of the certification progress for
  the cloud adapted FIPS package, so we can enable it in the future,
  when it becomes available.

  [Original Description]
  Using AWS AMI: ami-0193aa0a9df84a08b

  Attempting to enable fips-updates with the ua command line tool fails
  with error that apt "Unable to locate package ubuntu-aws-fips."

  Canonical has told me directly 20.04 is now FIPS 140-2 Level 1
  certified.

  Output:

  ubuntu@ip-xx-xx-xx-xx:~$ lsb_release -rd
  Description: Ubuntu 20.04.2 LTS
  Release: 20.04

  ubuntu@ip-xx-xx-xx-xx:~$ ua version
  27.2.2~20.04.1

  ubuntu@ip-xx-xx-xx-xx:~$ sudo ua status --all
  SERVICE       ENTITLED  STATUS    DESCRIPTION
  cc-eal        yes       n/a       Common Criteria EAL2 Provisioning Packages
  cis           yes       disabled  Center for Internet Security Audit Tools
  esm-apps      yes       disabled  UA Apps: Extended Security Maintenance (ESM)
  esm-infra     yes       disabled  UA Infra: Extended Security Maintenance (ESM)
  fips          yes       disabled  NIST-certified core packages
  fips-updates  yes       disabled  NIST-certified core packages with priority security updates
  livepatch     yes       disabled  Canonical Livepatch service

  Enable services with: ua enable <service>

                  Account: xxxx
             Subscription: xxxx
              Valid until: 9999-12-31 00:00:00+00:00
  Technical support level: essential

  ubuntu@ip-xx-xx-xx-xx:~$ sudo ua --debug enable fips-updates
  DEBUG: Executed with sys.argv: ['/usr/bin/ua', '--debug', 'enable', 'fips-updates']
  This will install the FIPS core packages and will include priority updates
  with security fixes.
  Are you sure? (y/N) y
  DEBUG: Writing file: /var/lib/ubuntu-advantage/private/machine-access-fips-updates
  DEBUG: Writing file: /etc/apt/preferences.d/ubuntu-fips-updates
  DEBUG: Ran cmd: apt-cache policy, rc: 0 stderr: b''
  DEBUG: Writing file: /etc/apt/sources.list.d/ubuntu-fips-updates.list
  DEBUG: Writing file: /etc/apt/auth.conf.d/90ubuntu-advantage
  DEBUG: Exporting GPG key /usr/share/keyrings/ubuntu-advantage-fips.gpg
  Updating package lists
  DEBUG: Ran cmd: apt-get update, rc: 0 stderr: b''
  DEBUG: Reading file: /var/lib/ubuntu-advantage/private/machine-token.json
  Installing FIPS Updates packages
  DEBUG: Failed running command 'apt-get install --assume-yes --allow-downgrades -o Dpkg::Options::="--force-confdef" -o Dpkg::Options::="--force-confold" ubuntu-aws-fips' [exit(100)]. Message: E: Unable to locate package ubuntu-aws-fips

  DEBUG: Failed running command 'apt-get install --assume-yes --allow-downgrades -o Dpkg::Options::="--force-confdef" -o Dpkg::Options::="--force-confold" ubuntu-aws-fips' [exit(100)]. Message: E: Unable to locate package ubuntu-aws-fips
   Retrying 3 more times.
  DEBUG: Failed running command 'apt-get install --assume-yes --allow-downgrades -o Dpkg::Options::="--force-confdef" -o Dpkg::Options::="--force-confold" ubuntu-aws-fips' [exit(100)]. Message: E: Unable to locate package ubuntu-aws-fips

  DEBUG: Failed running command 'apt-get install --assume-yes --allow-downgrades -o Dpkg::Options::="--force-confdef" -o Dpkg::Options::="--force-confold" ubuntu-aws-fips' [exit(100)]. Message: E: Unable to locate package ubuntu-aws-fips
   Retrying 2 more times.
  DEBUG: Failed running command 'apt-get install --assume-yes --allow-downgrades -o Dpkg::Options::="--force-confdef" -o Dpkg::Options::="--force-confold" ubuntu-aws-fips' [exit(100)]. Message: E: Unable to locate package ubuntu-aws-fips

  DEBUG: Failed running command 'apt-get install --assume-yes --allow-downgrades -o Dpkg::Options::="--force-confdef" -o Dpkg::Options::="--force-confold" ubuntu-aws-fips' [exit(100)]. Message: E: Unable to locate package ubuntu-aws-fips
   Retrying 1 more times.
  DEBUG: Failed running command 'apt-get install --assume-yes --allow-downgrades -o Dpkg::Options::="--force-confdef" -o Dpkg::Options::="--force-confold" ubuntu-aws-fips' [exit(100)]. Message: E: Unable to locate package ubuntu-aws-fips

  DEBUG: Reading file: /etc/apt/auth.conf.d/90ubuntu-advantage
  Updating package lists
  DEBUG: Ran cmd: apt-get update, rc: 0 stderr: b''
  Could not enable FIPS Updates.
  DEBUG: Reading file: /var/lib/ubuntu-advantage/notices.json
  DEBUG: Removing file: /var/lib/ubuntu-advantage/notices.json

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ubuntu-advantage-tools/+bug/1939449/+subscriptions
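
A compliance check for the feature override described in the bug description above, as an added example that is not part of the original message or of ubuntu-advantage-tools: it reads uaclient.conf text for the `features` flag and cross-checks it against the running kernel release and the contents of `/proc/sys/crypto/fips_enabled`. The `-fips` / `-aws-fips` kernel-release suffixes, the function names and the sample inputs are assumptions constructed for illustration.

```python
import re

OVERRIDE = "allow_default_fips_metapackage_on_focal_cloud"  # flag named in the bug report

def feature_overrides(conf_text):
    """Return {name: bool} for keys nested under a top-level 'features:' block."""
    flags, in_features = {}, False
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].rstrip()   # drop comments and trailing space
        if not line.strip():
            continue
        if not line[0].isspace():              # any top-level key opens or closes the block
            in_features = line.strip() == "features:"
            continue
        m = re.match(r"\s+([\w-]+):\s*(\S+)\s*$", line)
        if in_features and m:
            flags[m.group(1)] = m.group(2).strip("'\"").lower() in ("true", "yes", "on")
    return flags

def kernel_flavour(release):
    """Classify a `uname -r` string; the suffix convention is an assumption."""
    if release.endswith("-aws-fips"):
        return "aws-fips"
    return "generic-fips" if release.endswith("-fips") else "non-fips"

def audit(conf_text, release, fips_enabled):
    """Findings for a Focal cloud instance; fips_enabled is the text of /proc/sys/crypto/fips_enabled."""
    findings = []
    override = feature_overrides(conf_text).get(OVERRIDE, False)
    flavour = kernel_flavour(release)
    if override:
        findings.append("override set: ua may install the default FIPS metapackage")
    if flavour == "generic-fips":
        findings.append("generic FIPS kernel running on a cloud instance")
    if flavour != "non-fips" and fips_enabled.strip() != "1":
        findings.append("FIPS kernel booted but fips_enabled is not 1")
    return findings

# Constructed sample: the fragment from the test case appended to an existing setting.
SAMPLE_CONF = """\
log_level: debug
features:
    allow_default_fips_metapackage_on_focal_cloud: true
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONF, "5.4.0-1026-fips", "1\n"):
        print(finding)
```

On a real instance, pass the contents of `/etc/ubuntu-advantage/uaclient.conf`, the output of `uname -r` and the contents of `/proc/sys/crypto/fips_enabled` to `audit()`.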