** Description changed: [Impact] This bug impacts users on AWS, trying to enable FIPS/FIPS updates on Focal images. There is a missing package, 'ubuntu-aws-fips', which causes the installation to fail. This package is missing because, although Focal has a FIPS certified kernel, the AWS adapted kernel is not ready yet. There will be in the future a cloud-optimized version of the FIPS kernel, and then users will be able to install it. - Right now, UA will show a message saying that the kernel is not - available instead of showing an error. If the user really wants to + With the applied fix, UA will show a message saying that the kernel is + not available instead of showing an error. If the user really wants to install FIPS, there is a feature override ("allow_default_fips_metapackage_on_focal_cloud") which will install the default kernel. - [Test Case] To reproduce - Spin an AWS instance using the Ubuntu 20.04 image. - Attach a valid token - Run `$ sudo ua enable fips` (or `fips-updates`) To verify the fix: 1. Update to ubuntu-advantage-tools 27.3, and run the same procedure. Verify that a message is displayed saying that the kernel is not available for the Focal release. 2. Append the following to '/etc/ubuntu-advantage/uaclient.conf': """ features: - allow_default_fips_metapackage_on_focal_cloud: true + allow_default_fips_metapackage_on_focal_cloud: true """ and then run the command again. Verify that it installs a base FIPS kernel, without the -aws prefix. [Regression Potential] This change needs to make sure that we indeed prevent the installation of the non-existent package. If a corner case shows up, the user might end up with a wrong kernel. This is unlikely because we are using cloud-init tools, present in AWS, to detect the cloud instance and effective blocking the install. If this detection fails, it means cloud-init has some problem and then, on AWS, the instance will have more problems than this one. 
We need to make sure to keep track of the certification progress for the cloud adapted FIPS package, so we can enable it in the future, when it becomes available. [Original Description] Using AWS AMI: ami-0193aa0a9df84a08b Attempting to enable fips-updates with the ua command line tool fails with error that apt "Unable to locate package ubuntu-aws-fips." Canonical has told me directly 20.04 is now FIPS 140-2 Level 1 certified. Output: ubuntu@ip-xx-xx-xx-xx:~$ lsb_release -rd Description: Ubuntu 20.04.2 LTS Release: 20.04 ubuntu@ip-xx-xx-xx-xx:~$ ua version 27.2.2~20.04.1 ubuntu@ip-xx-xx-xx-xx:~$ sudo ua status --all SERVICE ENTITLED STATUS DESCRIPTION cc-eal yes n/a Common Criteria EAL2 Provisioning Packages cis yes disabled Center for Internet Security Audit Tools esm-apps yes disabled UA Apps: Extended Security Maintenance (ESM) esm-infra yes disabled UA Infra: Extended Security Maintenance (ESM) fips yes disabled NIST-certified core packages fips-updates yes disabled NIST-certified core packages with priority security updates livepatch yes disabled Canonical Livepatch service Enable services with: ua enable <service> - Account: xxxx - Subscription: xxxx - Valid until: 9999-12-31 00:00:00+00:00 + Account: xxxx + Subscription: xxxx + Valid until: 9999-12-31 00:00:00+00:00 Technical support level: essential ubuntu@ip-xx-xx-xx-xx:~$ sudo ua --debug enable fips-updates DEBUG: Executed with sys.argv: ['/usr/bin/ua', '--debug', 'enable', 'fips-updates'] This will install the FIPS core packages and will include priority updates with security fixes. Are you sure? 
(y/N) y DEBUG: Writing file: /var/lib/ubuntu-advantage/private/machine-access-fips-updates DEBUG: Writing file: /etc/apt/preferences.d/ubuntu-fips-updates DEBUG: Ran cmd: apt-cache policy, rc: 0 stderr: b'' DEBUG: Writing file: /etc/apt/sources.list.d/ubuntu-fips-updates.list DEBUG: Writing file: /etc/apt/auth.conf.d/90ubuntu-advantage DEBUG: Exporting GPG key /usr/share/keyrings/ubuntu-advantage-fips.gpg Updating package lists DEBUG: Ran cmd: apt-get update, rc: 0 stderr: b'' DEBUG: Reading file: /var/lib/ubuntu-advantage/private/machine-token.json Installing FIPS Updates packages DEBUG: Failed running command 'apt-get install --assume-yes --allow-downgrades -o Dpkg::Options::="--force-confdef" -o Dpkg::Options::="--force-confold" ubuntu-aws-fips' [exit(100)]. Message: E: Unable to locate package ubuntu-aws-fips DEBUG: Failed running command 'apt-get install --assume-yes --allow-downgrades -o Dpkg::Options::="--force-confdef" -o Dpkg::Options::="--force-confold" ubuntu-aws-fips' [exit(100)]. Message: E: Unable to locate package ubuntu-aws-fips - Retrying 3 more times. + Retrying 3 more times. DEBUG: Failed running command 'apt-get install --assume-yes --allow-downgrades -o Dpkg::Options::="--force-confdef" -o Dpkg::Options::="--force-confold" ubuntu-aws-fips' [exit(100)]. Message: E: Unable to locate package ubuntu-aws-fips DEBUG: Failed running command 'apt-get install --assume-yes --allow-downgrades -o Dpkg::Options::="--force-confdef" -o Dpkg::Options::="--force-confold" ubuntu-aws-fips' [exit(100)]. Message: E: Unable to locate package ubuntu-aws-fips - Retrying 2 more times. + Retrying 2 more times. DEBUG: Failed running command 'apt-get install --assume-yes --allow-downgrades -o Dpkg::Options::="--force-confdef" -o Dpkg::Options::="--force-confold" ubuntu-aws-fips' [exit(100)]. 
Message: E: Unable to locate package ubuntu-aws-fips DEBUG: Failed running command 'apt-get install --assume-yes --allow-downgrades -o Dpkg::Options::="--force-confdef" -o Dpkg::Options::="--force-confold" ubuntu-aws-fips' [exit(100)]. Message: E: Unable to locate package ubuntu-aws-fips - Retrying 1 more times. + Retrying 1 more times. DEBUG: Failed running command 'apt-get install --assume-yes --allow-downgrades -o Dpkg::Options::="--force-confdef" -o Dpkg::Options::="--force-confold" ubuntu-aws-fips' [exit(100)]. Message: E: Unable to locate package ubuntu-aws-fips DEBUG: Reading file: /etc/apt/auth.conf.d/90ubuntu-advantage Updating package lists DEBUG: Ran cmd: apt-get update, rc: 0 stderr: b'' Could not enable FIPS Updates. DEBUG: Reading file: /var/lib/ubuntu-advantage/notices.json DEBUG: Removing file: /var/lib/ubuntu-advantage/notices.json
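Review bot: the reworded Impact sentence ("With the applied fix, UA will show a message saying that the kernel is not available") does not name the release that carries the fix, although the Test Case names ubuntu-advantage-tools 27.3 and the original report was filed against 27.2.2. Stating the version in the Impact section as well would let a reader tell which of the two behaviours (apt error versus "not available" message) applies to their instance. The same sentence could also say plainly that the "allow_default_fips_metapackage_on_focal_cloud" override installs the default FIPS kernel rather than a cloud-optimized one, since that is the trade-off the user is accepting.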
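Review bot: in Test Case step 2, the removed and added "allow_default_fips_metapackage_on_focal_cloud: true" lines differ only in leading whitespace, so the substance of the change is how the key is indented under "features:". YAML nesting decides whether the key is read as an entry of "features", so the step should say in words that the key must be indented beneath "features:" rather than relying on whitespace that mail clients and the bug tracker may collapse. The Test Case also exercises only the AWS path; since Regression Potential rests on cloud-init correctly detecting the cloud, a check that `ua enable fips` still works on a non-cloud Focal machine would cover the case where the new block fires when it should not.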
--
https://bugs.launchpad.net/bugs/1939449

Title:
  Ubuntu Pro UA fails to enable fips-updates on 20.04