** Description changed:
[Impact]
This bug impacts users on AWS or Azure, trying to enable FIPS/FIPS
updates on Focal images. Trying to install a non-cloud-optimized FIPS
kernel may lead to unwanted behavior on those clouds, including
inability to boot to the systems.
Although Focal has a FIPS certified kernel, the AWS adapted kernel is
not ready yet. There will be in the future a cloud-optimized version of
the FIPS kernel, and then users will be able to install it.
With the applied fix, UA will show a message saying that the kernel is
not available instead of showing any error. If the user really wants to
install FIPS, there is a feature override
("allow_default_fips_metapackage_on_focal_cloud") which will install the
default kernel, but this is the user's choice, and not recommended.
[Test Case]
- The original description has steps to reproduce. To verify the fix, install
ubuntu-advantage-tools 27.3 and check for the expected behavior described.
+
+ To verify that this issue is fixed by version 27.3, please run the
+ following script:
+
+ ------------------------------
+ import os
+
+ from pycloudlib.ec2.cloud import EC2
+
+
+ api = EC2(
+ tag="test-ec2",
+ access_key_id=os.getenv("UACLIENT_BEHAVE_AWS_ACCESS_KEY_ID"),
+ secret_access_key=os.getenv("UACLIENT_BEHAVE_AWS_SECRET_ACCESS_KEY")
+ )
+
+ image_id = "ami-0193aa0a9df84a08b" # Focal pro image
+ private_key_path = "ec2-{}.pem".format("test-key")
+ key_name = "test-key"
+
+ if key_name in api.list_keys():
+ api.delete_key(key_name)
+
+ keypair = api.client.create_key_pair(KeyName=key_name)
+
+ with open(private_key_path, "w") as stream:
+ stream.write(keypair["KeyMaterial"])
+
+ os.chmod(private_key_path, 0o600)
+
+ api.use_key(private_key_path, private_key_path, key_name)
+ vpc = api.get_or_create_vpc(name="test-ec2-pro")
+ instance = api.launch(image_id, vpc=vpc)
+
+ print("--- Creating base instance")
+ print(instance.execute("lsb_release -a"))
+ print(instance.execute("ua version"))
+ print(instance.execute("sudo ua enable fips --assume-yes"))
+ print("------------------")
+
+ print("--- Updating ua package")
+ instance.execute("sudo add-apt-repository ppa:ua-client/staging -y")
+ instance.execute("sh -c 'sudo apt-get update > /dev/null'")
+ instance.execute("sh -c 'sudo apt-get install ubuntu-advantage-tools >
/dev/null'")
+ print(instance.execute("ua version"))
+ print(instance.execute("sudo ua enable fips --assume-yes"))
+ print("------------------")
+ instance.delete()
+ -------------------------------------------
+
+ This script depends on pycloudlib, which can be found here:
+ https://github.com/canonical/pycloudlib/tree/main/pycloudlib
+
[Regression Potential]
This change needs to make sure that we indeed prevent the installation of
non-cloud-optimized kernels. If a corner case shows up, the user might end up
with a wrong kernel. This is unlikely because we are using cloud-init tools,
present in AWS and Azure, to detect the cloud instance and effective blocking
the install. If this detection fails, it means cloud-init has some problem and
then, on AWS or Azure, the instance will have more problems than this one.
We need to make sure to keep track of the certification progress for the
cloud adapted FIPS package, so we can enable it in the future, when it
becomes available.
[Original Description]
For Ubuntu PRO on 20.04 (Focal) `ua enable fips` should only install a
cloud-optimized ubuntu-aws-fips or ubuntu-azure-fips metapackage. Installing a
non-cloud-optimized FIPS kernel on AWS and Azure could lead to inability to
boot on certain instance types. Expectation is that Focal AWS and Azure images
should disallow enabling either fips or fips-updates.
Expected behavior on Ubuntu PRO AWS and Azure Focal:
$ ua status | grep fips
fips no — NIST-certified FIPS modules
fips-updates no — Uncertified security updates to FIPS modules
$ sudo ua enable fips-updates
One moment, checking your subscription first
This system will NOT be considered FIPS certified, but will include security
and bug fixes to the FIPS packages.
Are you sure? (y/N) y
This subscription is not entitled to FIPS Updates.
For more information see: https://ubuntu.com/advantage
Actual behavior:
$ ua status | grep fips
fips yes disabled NIST-certified FIPS modules
fips-updates yes disabled Uncertified security updates to FIPS modules
$ sudo ua enable fips-updates
One moment, checking your subscription first
This system will NOT be considered FIPS certified, but will include security
and bug fixes to the FIPS packages.
Are you sure? (y/N) y
Updating package lists
Installing FIPS Updates packages
FIPS Updates enabled
A reboot is required to complete install
# see ubuntu-fips generic get installed which potentially degrades AWS and
Azure environments
$ sudo grep install /var/log/ubuntu-advantage.log
2021-08-13 22:19:07,344 - util.py:(506) [DEBUG]: Ran cmd: apt-get install
--assume-yes -o Dpkg::Options::="--force-confdef" -o
Dpkg::Options::="--force-confold" ubuntu-fips openssh-client
openssh-client-hmac openssh-server openssh-server-hmac openssh-client
openssh-client-hmac openssh-server openssh-server-hmac, rc: 0 stderr: b''
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1939932
Title:
Ubuntu PRO Focal on AWS and Azure should not install the generic FIPS
kernel via ubuntu-fips metapackage
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ubuntu-advantage-tools/+bug/1939932/+subscriptions
--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
