
sts-sponsors team mailing list archive

[Bug 1719671] [NEW] [SRU] include recent version containing fips and livepatch

 

You have been subscribed to a public bug by Eric Desrochers (slashd):

This bug has some history that may be confusing from the comments.
Basically it started out as a Feature Freeze Exception, that's why we
have build logs, git logs and unit test runs attached.

Also, the "rename" that is mentioned elsewhere did not happen with this
package: the ubuntu-advantage name was kept, no new aliases were added.
This will happen in a later SRU, with a later version of the package.

I uploaded new tarballs and a debdiff with these changes from what was here before, just in case you, the reader, have looked at the previous description:
* tarball with the correct directory entry. The previous one had "v10" instead of "10" as the base version
* updated the most recent changelog entry to just say this is a backport of version 10. No need to say it has fips support, which neglected to mention the livepatch support; all that is in the previous d/changelog entries

PPA with built packages for t, x and z:
https://launchpad.net/~ahasenack/+archive/ubuntu/ua-tools-sru-1719671
(ppa:ahasenack/ua-tools-sru-1719671 - no ~ppaN suffix, sorry)

[IMPACT]
The most recent version of ubuntu-advantage-tools on GitHub includes fips and livepatch enablement. The fips enablement will allow customers to easily install and configure Canonical's FIPS certified modules on xenial, whereas livepatch allows xenial and trusty customers to patch the running kernel without a reboot.

This SRU will cover both new features.

In addition to the new features themselves, a new "status" command was
added that will give a short summary about the available modules and
their status, at a glance.

Note: FIPS certified modules are only available for xenial. Livepatch is
supported on xenial and trusty. The tool will refuse to enable either
service on an unsupported ubuntu release.

Without this updated package, customers of those services have to enable
them manually by following a series of steps.

[FIPS DESCRIPTION]
When "ubuntu-advantage enable-fips <token>" is issued from the command line, the tool will:

 - configure the private PPA where the FIPS modules are located
 - install the FIPS modules from this PPA on the local machine from where the script is run
 - configure the bootloader to enable fips

Upon successful completion of these steps, the customer then gets a message stating to reboot the machine to complete the fips enablement process.

Without the script, customers must perform the steps manually.

[LIVEPATCH DESCRIPTION]
Livepatch allows customers to apply kernel patches to a running system without rebooting it.

The current instructions live at http://ubuntu.com/livepatch and boil down to:
- install snapd if it's not installed already. On trusty this means a new kernel as well.
- install the canonical-livepatch snap
- obtain a livepatch token from Canonical
- run the enable command with the given token

The ubuntu-advantage-tools package simplifies this process by just
requesting the token and performing all the other steps on behalf of the
user. It also conveniently checks the running kernel and instructs the
user to reboot into a newer kernel if needed to finish the installation
(this is the case when running trusty).

[FIX]

Add fips and livepatch support to the ubuntu-advantage-tools package.
See debdiff below.

[LIVEPATCH TESTCASES]

TRUSTY
0. Install the new ubuntu-advantage-tools package to add livepatch support.

1. Collect status before enabling livepatch

type on the command line:
    ubuntu-advantage status

expect:
    livepatch: disabled

    esm: disabled (not available)

    fips: disabled (not available)

2. Enable livepatch

visit https://ubuntu.com/livepatch and obtain a token

type on the command line:
    sudo ubuntu-advantage enable-livepatch <yourtoken>

You may be required to install a newer kernel. In that case, expect the
following output:
    Installing missing dependency snapd... OK
    Installing the canonical-livepatch snap.
    This may take a few minutes depending on your bandwidth.
    canonical-livepatch 7.24 from 'canonical' installed

    Your currently running kernel (3.13.0-133-generic) is too old to
    support snaps. Version 4.4.0 or higher is needed.

    Please reboot your system into a supported kernel version
    and run the following command one more time to complete the
    installation:

    sudo ubuntu-advantage enable-livepatch <yourtoken>

Once you reboot and re-run the specified command, expect:
    Enabling Livepatch with the given token, stand by...
    Successfully enabled device. Using machine-token: <sometoken>
    Use "canonical-livepatch status" to verify current patch status.

3. Verify livepatch status

type on the command line:
    ubuntu-advantage status

expect an output like the following:
    livepatch: enabled
      client-version: "7.23"
      architecture: x86_64
      cpu-model: Intel Core Processor (Skylake)
      last-check: 2017-10-23T15:10:45.640938255Z
      boot-time: 2017-10-23T15:10:13Z
      uptime: 1m19s
      status:
      - kernel: 4.4.0-97.120~14.04.1-generic
        running: true
        livepatch:
          checkState: checked
          patchState: nothing-to-apply
          version: ""
          fixes: ""

    esm: disabled (not available)

    fips: disabled (not available)

XENIAL
0. Install the new ubuntu-advantage-tools package to add livepatch support.

1. Collect status before enabling livepatch

type on the command line:
    ubuntu-advantage status

expect:
    livepatch: disabled

    esm: disabled (not available)

    fips: disabled

2. Enable livepatch

visit https://ubuntu.com/livepatch and obtain a token

type on the command line:
    sudo ubuntu-advantage enable-livepatch <yourtoken>

expect:
    Installing the canonical-livepatch snap.
    This may take a few minutes depending on your bandwidth.
    2017-10-20T19:39:41Z INFO Waiting for restart...
    canonical-livepatch 7.24 from 'canonical' installed
    Enabling Livepatch with the given token, stand by...
    Successfully enabled device. Using machine-token: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    Use "canonical-livepatch status" to verify current patch status.

3. Verify livepatch status

type on the command line:
    ubuntu-advantage status

expect an output like the following:

    livepatch: enabled
      client-version: "7.23"
      architecture: x86_64
      cpu-model: Intel Core Processor (Skylake)
      last-check: 2017-10-20T19:39:54.451499227Z
      boot-time: 2017-10-20T19:28:09Z
      uptime: 15m30s
      status:
      - kernel: 4.4.0-97.120-generic
        running: true
        livepatch:
          checkState: checked
          patchState: nothing-to-apply
          version: ""
          fixes: ""

    esm: disabled (not available)

    fips: disabled

ZESTY
0. Install the new ubuntu-advantage-tools package to add livepatch support.

1. Collect status before enabling livepatch

type on the command line:
    ubuntu-advantage status

expect the livepatch service to be unavailable:
    livepatch: disabled (not available)

    esm: disabled (not available)

    fips: disabled (not available)

2. Ensure that livepatch cannot be enabled on Zesty.
You can use a dummy set of credentials like "foobar" as the token:

type on the command line:
    sudo ubuntu-advantage enable-livepatch foobar

expect:
    Sorry, but Canonical Livepatch is not supported on zesty

[FIPS TESTCASES]
These test cases assume you have installed ubuntu-advantage-tools with the proposed changes. Prior to the upload they were performed on the S390, PPC64EL and AMD64 architectures.

TRUSTY
(Note that FIPS is not supported on trusty.)

1. Collect status before enabling fips

type on the command line:
    ubuntu-advantage status

expect:
    livepatch: disabled

    esm: disabled (not available)

    fips: disabled (not available)

2. Ensure that fips cannot be enabled on trusty.
You can use a dummy set of credentials like user:secret as the token:

type on the command line:
    sudo ubuntu-advantage enable-fips user:secret

expect:
    Sorry, but Canonical FIPS 140-2 Modules is not supported on trusty

XENIAL
0. Install the new ubuntu-advantage-tools package to add fips support.

1. Collect status before enabling fips

type on the command line:
    ubuntu-advantage status

expect:
    livepatch: disabled

    esm: disabled (not available)

    fips: disabled

2. Enable fips
Note: This will require a token or credentials for the fips private PPA, in
the form xxx:xxx

type on the command line:
    sudo ubuntu-advantage enable-fips xxx:xxx

expect:
    [sudo] password for ubuntu:
    Running apt-get update... OK
    Ubuntu FIPS PPA repository enabled.
    Installing FIPS packages (this may take a while)... OK
    Configuring FIPS...
    Updating grub to enable fips... OK
    Successfully configured FIPS. Please reboot into the FIPS kernel to enable it.

type on the command line:
    sudo reboot

3. Log back into system after reboot

type on the command line:
    ubuntu-advantage status

expect:
    livepatch: disabled

    esm: disabled (not available)

    fips: enabled

4. Verify that the fips kernel "4.4.0-1002-fips" has been installed

type on the command line:
    uname -a

expect:
    Linux xenialguest 4.4.0-1002-fips #2-Ubuntu SMP Thu Apr 27 19:37:46 UTC  2017 x86_64 x86_64 x86_64 GNU/Linux

ZESTY
(Note that FIPS is not supported on zesty.)

1. Collect status before enabling fips

type on the command line:
    ubuntu-advantage status

expect:
    livepatch: disabled (not available)

    esm: disabled (not available)

    fips: disabled (not available)

2. Ensure that fips cannot be enabled on Zesty.
You can use a dummy set of credentials like user:secret as the token:

type on the command line:
    sudo ubuntu-advantage enable-fips user:secret

expect:
    Sorry, but Canonical FIPS 140-2 Modules is not supported on zesty

[REGRESSION POTENTIAL]
The current ubuntu-advantage-tools package in trusty, xenial and zesty is basically a NOOP because the only service it supports is ESM, which is only available for precise.
This update adds two new features to the package: FIPS (xenial only) and Livepatch (trusty and xenial), essentially making the package useful in trusty and xenial. For zesty there is no change, as none of these products are available for non-LTS releases.

In case of broken core functionality or specific broken features, note
that the manual instructions are available as a workaround if needed.

[OTHER INFO]
The way this package was made available in all the ubuntu releases where it is now was via a "pocket copy". That's why it has the exact same version in trusty, xenial and zesty. Currently artful has version 10 (a version 12 just missed the feature freeze), so in order for upgrades between releases to work, we adopted the backports versioning scheme, by appending the ubuntu release code with a tilde ("~") to the version.
Another point is that even though ubuntu-advantage-tools is "just" a shell script, it is unit tested with python3, and these tests (and lint runs) gate merges in the upstream github repository at github.com/CanonicalLtd/ubuntu-advantage-script/. The tests do not necessarily run on each ubuntu release because of the version of python that is available in each. A clean run without any changes can be obtained in xenial and higher. Trusty needs a newer python3 (3.5 at a minimum).

** Affects: ubuntu-advantage-tools (Ubuntu)
     Importance: High
         Status: Fix Released

** Affects: ubuntu-advantage-tools (Ubuntu Trusty)
     Importance: Medium
     Assignee: Andreas Hasenack (ahasenack)
         Status: In Progress

** Affects: ubuntu-advantage-tools (Ubuntu Xenial)
     Importance: Medium
     Assignee: Andreas Hasenack (ahasenack)
         Status: In Progress

** Affects: ubuntu-advantage-tools (Ubuntu Zesty)
     Importance: Medium
     Assignee: Andreas Hasenack (ahasenack)
         Status: In Progress

** Affects: ubuntu-advantage-tools (Ubuntu Artful)
     Importance: Undecided
         Status: Fix Released


** Tags: fips livepatch patch sts sts-sponsor-slashd-done
-- 
[SRU] include recent version containing fips and livepatch
https://bugs.launchpad.net/bugs/1719671
You received this bug notification because you are a member of STS Sponsors, which is subscribed to the bug report.
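The following Python example is added here as an illustration and is not part of the bug report or of the ubuntu-advantage-tools package. It parses the `ubuntu-advantage status` output shown in the test cases above and checks it against the per-release availability the report describes (livepatch on trusty and xenial, FIPS on xenial only, ESM on none of the three), which is the check a verifier of this SRU would want to script. The sample status text is constructed from the shapes of the "expect" blocks above; `EXPECTED_AVAILABILITY`, `parse_status`, `check_availability` and `fips_kernel_active` are names chosen for this example, not anything the tool itself provides.

```python
import re
import textwrap

# Constructed sample modelled on the "expect" blocks in the test cases above
# (trusty, after livepatch has been enabled); not output captured for this edit.
SAMPLE_STATUS = """\
livepatch: enabled
  client-version: "7.23"
  architecture: x86_64
  cpu-model: Intel Core Processor (Skylake)
  last-check: 2017-10-23T15:10:45.640938255Z
  boot-time: 2017-10-23T15:10:13Z
  uptime: 1m19s
  status:
  - kernel: 4.4.0-97.120~14.04.1-generic
    running: true
    livepatch:
      checkState: checked
      patchState: nothing-to-apply
      version: ""
      fixes: ""

esm: disabled (not available)

fips: disabled (not available)
"""

# Availability per release as stated in the bug report: livepatch on trusty
# and xenial, FIPS on xenial only, ESM on none of the three.
EXPECTED_AVAILABILITY = {
    "trusty": {"livepatch": True, "esm": False, "fips": False},
    "xenial": {"livepatch": True, "esm": False, "fips": True},
    "zesty": {"livepatch": False, "esm": False, "fips": False},
}

# Top-level service line: "<name>: enabled|disabled [(reason)]"
SERVICE_RE = re.compile(
    r"^(?P<name>[a-z]+):\s+(?P<state>enabled|disabled)"
    r"(?:\s+\((?P<reason>[^)]*)\))?\s*$"
)
# Indented detail line under a service, optionally a YAML list item ("- kernel: ...")
DETAIL_RE = re.compile(r"^\s+(?:-\s*)?(?P<key>[A-Za-z-]+):\s*(?P<value>.*)$")


def parse_status(text):
    """Parse `ubuntu-advantage status` output into {service: {...}}.

    Each service maps to its state ("enabled"/"disabled"), whether it is
    available on this release (no "(not available)" suffix), and a flat
    dict of the indented detail keys printed below it.
    """
    services = {}
    current = None
    # dedent so text pasted with a uniform indent (as in the test cases) parses too
    for line in textwrap.dedent(text).splitlines():
        if not line.strip():
            continue
        m = SERVICE_RE.match(line)
        if m:
            current = m.group("name")
            services[current] = {
                "state": m.group("state"),
                "available": m.group("reason") != "not available",
                "details": {},
            }
            continue
        m = DETAIL_RE.match(line)
        if m and current is not None:
            services[current]["details"][m.group("key")] = m.group("value").strip('"')
    return services


def check_availability(services, release):
    """Return (service, expected_available, actual_available) mismatches for a release."""
    problems = []
    for name, expected in EXPECTED_AVAILABILITY[release].items():
        actual = services.get(name, {}).get("available")
        if actual != expected:
            problems.append((name, expected, actual))
    return problems


def fips_kernel_active(services, uname_release):
    """True only if status reports fips enabled AND the running kernel is a -fips build,
    mirroring steps 3 and 4 of the xenial FIPS test case (status, then uname)."""
    fips = services.get("fips", {})
    return fips.get("state") == "enabled" and uname_release.endswith("-fips")


if __name__ == "__main__":
    parsed = parse_status(SAMPLE_STATUS)
    for name, info in parsed.items():
        print(f"{name}: {info['state']} (available: {info['available']})")
    print("trusty mismatches:", check_availability(parsed, "trusty"))
    print("zesty mismatches:", check_availability(parsed, "zesty"))
    print("fips kernel active:", fips_kernel_active(parsed, "4.4.0-97.120~14.04.1-generic"))
```

On a real machine the text would come from `subprocess.run(["ubuntu-advantage", "status"], capture_output=True, text=True).stdout` and the kernel string from `os.uname().release`; an empty mismatch list for the machine's release is the pass condition for step 1 of each test case above.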