[Bug 1939449] Re: Ubuntu Pro UA fails to enable fips-updates on 20.04
This bug was fixed in the package ubuntu-advantage-tools - 27.3~21.10.1 --- ubuntu-advantage-tools (27.3~21.10.1) impish; urgency=medium * d/tools.postinst: - consider cloud to be "none" on any cloud-id error - purge old ua-messaging.timer/service files - keep ua-timer.timer disabled if ua-messaging.timer was disabled by the user - properly configure both ubuntu-advantage-timer and ubuntu-advantage-licence-check logs * d/tools.postrm: - remove ubuntu-advantage-timer and ubuntu-advantage-license-check logs during purge * systemd: - remove ua-messaging.timer/service - add new ua-timer.timer that runs every 6 hours - add new ua-license_check.timer that runs every 5 minutes only if activated by ua-license-check.path * New upstream release 27.3 (LP: #1942929) - ros: + add beta support to enable ros and ros-updates + add support for "required services" so that esm-infra and esm-apps get auto-enabled when enabling ros or ros-updates + add support for "dependent services" so that user gets prompted to disable ros/ros-updates if they disable esm-infra/esm-apps - fips: + allow fips on GCP bionic now that optimized kernel is ready + disallow enabling fips on focal on clouds until cloud-optimized focal fips-certified kernel is ready (LP: #1939449, LP: #1939932) + print warning about generic fips kernel if cloud-id fails - cloud: + rely only on cloud-id to determine cloud type (LP: #1940131) + catch errors when determining cloud type (LP: #1938207, LP: #1944676) (GH: #1541) - azure: + bump IMDS API version to support Azure published images - cli: + collect-logs command that creates a tar file with debug-relevant logs and status info (GH: #463) + clean locks on exceptions more thoroughly to avoid false "Operation in progress" status messages + retain past service state after detach + shows better error message when a port value in a proxy is invalid - non-unicode locale support: + remove unicode-only characters from help file + don't print unicode-only characters in ua fix if non-utf8 locale (GH: #1463) - logrotate: + add logrotate functionality for ubuntu-advantage-timer.log. + Fix root:root logrotate permissions. - ua-timer.timer: + introduce a single systemd timer to handle ua recurring jobs + timer runs every 2 hours to support most frequent timer job + recurring job intervals are configurable in uaclient.conf + individual jobs are disabled if their interval is set to 0 - status job: + update ua status every 12 hours - messaging job: + update APT/MOTD ESM messaging every 6 hours - metering job: + disabled until infrastructure is ready + for attached machines only, periodically update contract server with status information for proper contract metering - ua-license-check.timer: + only runs on LTS GCP instances that are not attached + runs every 5 minutes to check if gcp instance has license required to auto-attach - logs: + fixes duplicate logging (GH: #553) - tests and support: + remove groovy integration tests + various improvements to integration tests -- Grant Orndorff Tue, 21 Sep 2021 09:02:06 -0400 ** Changed in: ubuntu-advantage-tools (Ubuntu) Status: Fix Committed => Fix Released -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1939449 Title: Ubuntu Pro UA fails to enable fips-updates on 20.04 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/ubuntu-advantage-tools/+bug/1939449/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1939449] Re: Ubuntu Pro UA fails to enable fips-updates on 20.04
This bug was fixed in the package ubuntu-advantage-tools - 27.3~16.04.1 --- ubuntu-advantage-tools (27.3~16.04.1) xenial; urgency=medium * Backport new upstream release: (LP: #1942929) to xenial ubuntu-advantage-tools (27.3~21.10.1) impish; urgency=medium * d/tools.postinst: - consider cloud to be "none" on any cloud-id error - purge old ua-messaging.timer/service files - keep ua-timer.timer disabled if ua-messaging.timer was disabled by the user - properly configure both ubuntu-advantage-timer and ubuntu-advantage-licence-check logs * d/tools.postrm: - remove ubuntu-advantage-timer and ubuntu-advantage-license-check logs during purge * systemd: - remove ua-messaging.timer/service - add new ua-timer.timer that runs every 6 hours - add new ua-license_check.timer that runs every 5 minutes only if activated by ua-license-check.path * New upstream release 27.3 (LP: #1942929) - ros: + add beta support to enable ros and ros-updates + add support for "required services" so that esm-infra and esm-apps get auto-enabled when enabling ros or ros-updates + add support for "dependent services" so that user gets prompted to disable ros/ros-updates if they disable esm-infra/esm-apps - fips: + allow fips on GCP bionic now that optimized kernel is ready + disallow enabling fips on focal on clouds until cloud-optimized focal fips-certified kernel is ready (LP: #1939449, LP: #1939932) + print warning about generic fips kernel if cloud-id fails - cloud: + rely only on cloud-id to determine cloud type (LP: #1940131) + catch errors when determining cloud type (LP: #1938207, LP: #1944676) (GH: #1541) - azure: + bump IMDS API version to support Azure published images - cli: + collect-logs command that creates a tar file with debug-relevant logs and status info (GH: #463) + clean locks on exceptions more thoroughly to avoid false "Operation in progress" status messages + retain past service state after detach + shows better error message when a port value in a proxy is invalid - non-unicode locale support: + remove unicode-only characters from help file + don't print unicode-only characters in ua fix if non-utf8 locale (GH: #1463) - logrotate: + add logrotate functionality for ubuntu-advantage-timer.log. + Fix root:root logrotate permissions. - ua-timer.timer: + introduce a single systemd timer to handle ua recurring jobs + timer runs every 2 hours to support most frequent timer job + recurring job intervals are configurable in uaclient.conf + individual jobs are disabled if their interval is set to 0 - status job: + update ua status every 12 hours - messaging job: + update APT/MOTD ESM messaging every 6 hours - metering job: + disabled until infrastructure is ready + for attached machines only, periodically update contract server with status information for proper contract metering - ua-license-check.timer: + only runs on LTS GCP instances that are not attached + runs every 5 minutes to check if gcp instance has license required to auto-attach - logs: + fixes duplicate logging (GH: #553) - tests and support: + remove groovy integration tests + various improvements to integration tests -- Grant Orndorff Thu, 23 Sep 2021 16:41:51 -0400 -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1939449 Title: Ubuntu Pro UA fails to enable fips-updates on 20.04 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/ubuntu-advantage-tools/+bug/1939449/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1939449] Re: Ubuntu Pro UA fails to enable fips-updates on 20.04
This bug was fixed in the package ubuntu-advantage-tools - 27.3~20.04.1 --- ubuntu-advantage-tools (27.3~20.04.1) focal; urgency=medium * Backport new upstream release: (LP: #1942929) to focal ubuntu-advantage-tools (27.3~21.10.1) impish; urgency=medium * d/tools.postinst: - consider cloud to be "none" on any cloud-id error - purge old ua-messaging.timer/service files - keep ua-timer.timer disabled if ua-messaging.timer was disabled by the user - properly configure both ubuntu-advantage-timer and ubuntu-advantage-licence-check logs * d/tools.postrm: - remove ubuntu-advantage-timer and ubuntu-advantage-license-check logs during purge * systemd: - remove ua-messaging.timer/service - add new ua-timer.timer that runs every 6 hours - add new ua-license_check.timer that runs every 5 minutes only if activated by ua-license-check.path * New upstream release 27.3 (LP: #1942929) - ros: + add beta support to enable ros and ros-updates + add support for "required services" so that esm-infra and esm-apps get auto-enabled when enabling ros or ros-updates + add support for "dependent services" so that user gets prompted to disable ros/ros-updates if they disable esm-infra/esm-apps - fips: + allow fips on GCP bionic now that optimized kernel is ready + disallow enabling fips on focal on clouds until cloud-optimized focal fips-certified kernel is ready (LP: #1939449, LP: #1939932) + print warning about generic fips kernel if cloud-id fails - cloud: + rely only on cloud-id to determine cloud type (LP: #1940131) + catch errors when determining cloud type (LP: #1938207, LP: #1944676) (GH: #1541) - azure: + bump IMDS API version to support Azure published images - cli: + collect-logs command that creates a tar file with debug-relevant logs and status info (GH: #463) + clean locks on exceptions more thoroughly to avoid false "Operation in progress" status messages + retain past service state after detach + shows better error message when a port value in a proxy is invalid - non-unicode locale support: + remove unicode-only characters from help file + don't print unicode-only characters in ua fix if non-utf8 locale (GH: #1463) - logrotate: + add logrotate functionality for ubuntu-advantage-timer.log. + Fix root:root logrotate permissions. - ua-timer.timer: + introduce a single systemd timer to handle ua recurring jobs + timer runs every 2 hours to support most frequent timer job + recurring job intervals are configurable in uaclient.conf + individual jobs are disabled if their interval is set to 0 - status job: + update ua status every 12 hours - messaging job: + update APT/MOTD ESM messaging every 6 hours - metering job: + disabled until infrastructure is ready + for attached machines only, periodically update contract server with status information for proper contract metering - ua-license-check.timer: + only runs on LTS GCP instances that are not attached + runs every 5 minutes to check if gcp instance has license required to auto-attach - logs: + fixes duplicate logging (GH: #553) - tests and support: + remove groovy integration tests + various improvements to integration tests -- Grant Orndorff Thu, 23 Sep 2021 16:42:04 -0400 ** Changed in: ubuntu-advantage-tools (Ubuntu Bionic) Status: Fix Committed => Fix Released -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1939449 Title: Ubuntu Pro UA fails to enable fips-updates on 20.04 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/ubuntu-advantage-tools/+bug/1939449/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1939449] Re: Ubuntu Pro UA fails to enable fips-updates on 20.04
This bug was fixed in the package ubuntu-advantage-tools - 27.3~18.04.1 --- ubuntu-advantage-tools (27.3~18.04.1) bionic; urgency=medium * Backport new upstream release: (LP: #1942929) to bionic ubuntu-advantage-tools (27.3~21.10.1) impish; urgency=medium * d/tools.postinst: - consider cloud to be "none" on any cloud-id error - purge old ua-messaging.timer/service files - keep ua-timer.timer disabled if ua-messaging.timer was disabled by the user - properly configure both ubuntu-advantage-timer and ubuntu-advantage-licence-check logs * d/tools.postrm: - remove ubuntu-advantage-timer and ubuntu-advantage-license-check logs during purge * systemd: - remove ua-messaging.timer/service - add new ua-timer.timer that runs every 6 hours - add new ua-license_check.timer that runs every 5 minutes only if activated by ua-license-check.path * New upstream release 27.3 (LP: #1942929) - ros: + add beta support to enable ros and ros-updates + add support for "required services" so that esm-infra and esm-apps get auto-enabled when enabling ros or ros-updates + add support for "dependent services" so that user gets prompted to disable ros/ros-updates if they disable esm-infra/esm-apps - fips: + allow fips on GCP bionic now that optimized kernel is ready + disallow enabling fips on focal on clouds until cloud-optimized focal fips-certified kernel is ready (LP: #1939449, LP: #1939932) + print warning about generic fips kernel if cloud-id fails - cloud: + rely only on cloud-id to determine cloud type (LP: #1940131) + catch errors when determining cloud type (LP: #1938207, LP: #1944676) (GH: #1541) - azure: + bump IMDS API version to support Azure published images - cli: + collect-logs command that creates a tar file with debug-relevant logs and status info (GH: #463) + clean locks on exceptions more thoroughly to avoid false "Operation in progress" status messages + retain past service state after detach + shows better error message when a port value in a proxy is invalid - non-unicode locale support: + remove unicode-only characters from help file + don't print unicode-only characters in ua fix if non-utf8 locale (GH: #1463) - logrotate: + add logrotate functionality for ubuntu-advantage-timer.log. + Fix root:root logrotate permissions. - ua-timer.timer: + introduce a single systemd timer to handle ua recurring jobs + timer runs every 2 hours to support most frequent timer job + recurring job intervals are configurable in uaclient.conf + individual jobs are disabled if their interval is set to 0 - status job: + update ua status every 12 hours - messaging job: + update APT/MOTD ESM messaging every 6 hours - metering job: + disabled until infrastructure is ready + for attached machines only, periodically update contract server with status information for proper contract metering - ua-license-check.timer: + only runs on LTS GCP instances that are not attached + runs every 5 minutes to check if gcp instance has license required to auto-attach - logs: + fixes duplicate logging (GH: #553) - tests and support: + remove groovy integration tests + various improvements to integration tests -- Grant Orndorff Thu, 23 Sep 2021 16:41:57 -0400 ** Changed in: ubuntu-advantage-tools (Ubuntu Xenial) Status: Fix Committed => Fix Released -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1939449 Title: Ubuntu Pro UA fails to enable fips-updates on 20.04 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/ubuntu-advantage-tools/+bug/1939449/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1939449] Re: Ubuntu Pro UA fails to enable fips-updates on 20.04
This bug was fixed in the package ubuntu-advantage-tools - 27.3~21.04.1 --- ubuntu-advantage-tools (27.3~21.04.1) hirsute; urgency=medium * Backport new upstream release: (LP: #1942929) to hirsute ubuntu-advantage-tools (27.3~21.10.1) impish; urgency=medium * d/tools.postinst: - consider cloud to be "none" on any cloud-id error - purge old ua-messaging.timer/service files - keep ua-timer.timer disabled if ua-messaging.timer was disabled by the user - properly configure both ubuntu-advantage-timer and ubuntu-advantage-licence-check logs * d/tools.postrm: - remove ubuntu-advantage-timer and ubuntu-advantage-license-check logs during purge * systemd: - remove ua-messaging.timer/service - add new ua-timer.timer that runs every 6 hours - add new ua-license_check.timer that runs every 5 minutes only if activated by ua-license-check.path * New upstream release 27.3 (LP: #1942929) - ros: + add beta support to enable ros and ros-updates + add support for "required services" so that esm-infra and esm-apps get auto-enabled when enabling ros or ros-updates + add support for "dependent services" so that user gets prompted to disable ros/ros-updates if they disable esm-infra/esm-apps - fips: + allow fips on GCP bionic now that optimized kernel is ready + disallow enabling fips on focal on clouds until cloud-optimized focal fips-certified kernel is ready (LP: #1939449, LP: #1939932) + print warning about generic fips kernel if cloud-id fails - cloud: + rely only on cloud-id to determine cloud type (LP: #1940131) + catch errors when determining cloud type (LP: #1938207, LP: #1944676) (GH: #1541) - azure: + bump IMDS API version to support Azure published images - cli: + collect-logs command that creates a tar file with debug-relevant logs and status info (GH: #463) + clean locks on exceptions more thoroughly to avoid false "Operation in progress" status messages + retain past service state after detach + shows better error message when a port value in a proxy is invalid - non-unicode locale support: + remove unicode-only characters from help file + don't print unicode-only characters in ua fix if non-utf8 locale (GH: #1463) - logrotate: + add logrotate functionality for ubuntu-advantage-timer.log. + Fix root:root logrotate permissions. - ua-timer.timer: + introduce a single systemd timer to handle ua recurring jobs + timer runs every 2 hours to support most frequent timer job + recurring job intervals are configurable in uaclient.conf + individual jobs are disabled if their interval is set to 0 - status job: + update ua status every 12 hours - messaging job: + update APT/MOTD ESM messaging every 6 hours - metering job: + disabled until infrastructure is ready + for attached machines only, periodically update contract server with status information for proper contract metering - ua-license-check.timer: + only runs on LTS GCP instances that are not attached + runs every 5 minutes to check if gcp instance has license required to auto-attach - logs: + fixes duplicate logging (GH: #553) - tests and support: + remove groovy integration tests + various improvements to integration tests -- Grant Orndorff Thu, 23 Sep 2021 16:42:08 -0400 ** Changed in: ubuntu-advantage-tools (Ubuntu Hirsute) Status: Fix Committed => Fix Released ** Changed in: ubuntu-advantage-tools (Ubuntu Focal) Status: Fix Committed => Fix Released -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1939449 Title: Ubuntu Pro UA fails to enable fips-updates on 20.04 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/ubuntu-advantage-tools/+bug/1939449/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1939449] Re: Ubuntu Pro UA fails to enable fips-updates on 20.04
This bug was fixed in the package ubuntu-advantage-tools - 27.3~21.10.1 --- ubuntu-advantage-tools (27.3~21.10.1) impish; urgency=medium * d/tools.postinst: - consider cloud to be "none" on any cloud-id error - purge old ua-messaging.timer/service files - keep ua-timer.timer disabled if ua-messaging.timer was disabled by the user - properly configure both ubuntu-advantage-timer and ubuntu-advantage-licence-check logs * d/tools.postrm: - remove ubuntu-advantage-timer and ubuntu-advantage-license-check logs during purge * systemd: - remove ua-messaging.timer/service - add new ua-timer.timer that runs every 6 hours - add new ua-license_check.timer that runs every 5 minutes only if activated by ua-license-check.path * New upstream release 27.3 (LP: #1942929) - ros: + add beta support to enable ros and ros-updates + add support for "required services" so that esm-infra and esm-apps get auto-enabled when enabling ros or ros-updates + add support for "dependent services" so that user gets prompted to disable ros/ros-updates if they disable esm-infra/esm-apps - fips: + allow fips on GCP bionic now that optimized kernel is ready + disallow enabling fips on focal on clouds until cloud-optimized focal fips-certified kernel is ready (LP: #1939449, LP: #1939932) + print warning about generic fips kernel if cloud-id fails - cloud: + rely only on cloud-id to determine cloud type (LP: #1940131) + catch errors when determining cloud type (LP: #1938207, LP: #1944676) (GH: #1541) - azure: + bump IMDS API version to support Azure published images - cli: + collect-logs command that creates a tar file with debug-relevant logs and status info (GH: #463) + clean locks on exceptions more thoroughly to avoid false "Operation in progress" status messages + retain past service state after detach + shows better error message when a port value in a proxy is invalid - non-unicode locale support: + remove unicode-only characters from help file + don't print unicode-only characters in ua fix if non-utf8 locale (GH: #1463) - logrotate: + add logrotate functionality for ubuntu-advantage-timer.log. + Fix root:root logrotate permissions. - ua-timer.timer: + introduce a single systemd timer to handle ua recurring jobs + timer runs every 2 hours to support most frequent timer job + recurring job intervals are configurable in uaclient.conf + individual jobs are disabled if their interval is set to 0 - status job: + update ua status every 12 hours - messaging job: + update APT/MOTD ESM messaging every 6 hours - metering job: + disabled until infrastructure is ready + for attached machines only, periodically update contract server with status information for proper contract metering - ua-license-check.timer: + only runs on LTS GCP instances that are not attached + runs every 5 minutes to check if gcp instance has license required to auto-attach - logs: + fixes duplicate logging (GH: #553) - tests and support: + remove groovy integration tests + various improvements to integration tests -- Grant Orndorff Tue, 21 Sep 2021 09:02:06 -0400 ** Changed in: ubuntu-advantage-tools (Ubuntu Impish) Status: Fix Committed => Fix Released -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1939449 Title: Ubuntu Pro UA fails to enable fips-updates on 20.04 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/ubuntu-advantage-tools/+bug/1939449/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1939449] Re: Ubuntu Pro UA fails to enable fips-updates on 20.04
Bug verified with the following script:
---
import logging
import os
from pycloudlib.ec2.cloud import EC2
api = EC2(
tag="test-ec2",
access_key_id=os.getenv("UACLIENT_BEHAVE_AWS_ACCESS_KEY_ID"),
secret_access_key=os.getenv("UACLIENT_BEHAVE_AWS_SECRET_ACCESS_KEY")
)
image_id = "ami-0193aa0a9df84a08b" # Focal pro image
private_key_path = "ec2-{}.pem".format("test-key")
key_name = "test-key"
if key_name in api.list_keys():
api.delete_key(key_name)
keypair = api.client.create_key_pair(KeyName=key_name)
with open(private_key_path, "w") as stream:
stream.write(keypair["KeyMaterial"])
os.chmod(private_key_path, 0o600)
api.use_key(private_key_path, private_key_path, key_name)
vpc = api.get_or_create_vpc(name="test-ec2-pro")
instance = api.launch(image_id, vpc=vpc)
print("--- Creating base instance")
print(instance.execute("lsb_release -a"))
instance.execute("sh -c 'sudo apt-get update > /dev/null'")
instance.execute("sh -c 'sudo apt-get install ubuntu-advantage-tools >
/dev/null'")
print(instance.execute("ua version"))
print(instance.execute("sudo ua enable fips --assume-yes"))
print("--")
print("--- Updating ua package")
cmd = "sudo sh -c \"echo 'deb http://archive.ubuntu.com/ubuntu/ {}-proposed
restricted main multiverse universe' >>
/etc/apt/sources.list.d/proposed-repositories.list\""
instance.execute(cmd.format("focal"))
instance.execute("sh -c 'sudo apt-get update > /dev/null'")
instance.execute("sh -c 'sudo apt-get install ubuntu-advantage-tools >
/dev/null'")
print(instance.execute("ua version"))
print(instance.execute("sudo ua enable fips --assume-yes"))
print("--")
instance.delete()
---
To run that script, you need the pycloudlib dependency, which can be found here:
https://github.com/canonical/pycloudlib/tree/main/pycloudlib
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1939449
Title:
Ubuntu Pro UA fails to enable fips-updates on 20.04
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ubuntu-advantage-tools/+bug/1939449/+subscriptions
--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1939449] Re: Ubuntu Pro UA fails to enable fips-updates on 20.04
Test output: --- Creating base instance Distributor ID: Ubuntu Description:Ubuntu 20.04.2 LTS Release:20.04 Codename: focal 27.2.2~20.04.1 One moment, checking your subscription first Updating package lists Installing FIPS packages Updating package lists Could not enable FIPS. -- --- Updating ua package 27.3~20.04.1 One moment, checking your subscription first Ubuntu Focal does not provide an AWS optimized FIPS kernel For help see: https://ubuntu.com/advantage. -- PS: This bug only affects focal ** Tags removed: verification-needed verification-needed-bionic verification-needed-focal verification-needed-hirsute verification-needed-impish verification-needed-xenial ** Tags added: verification-done verification-done-bionic verification-done-focal verification-done-hirsute verification-done-impish verification-done-xenial -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1939449 Title: Ubuntu Pro UA fails to enable fips-updates on 20.04 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/ubuntu-advantage-tools/+bug/1939449/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1939449] Re: Ubuntu Pro UA fails to enable fips-updates on 20.04
Hello Brad, or anyone else affected, Accepted ubuntu-advantage-tools into xenial-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/ubuntu-advantage-tools/27.3~16.04.1 in a few hours, and then in the -proposed repository. Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users. If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed- xenial to verification-done-xenial. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification- failed-xenial. In either case, without details of your testing we will not be able to proceed. Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping! N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days. ** Changed in: ubuntu-advantage-tools (Ubuntu Xenial) Status: New => Fix Committed ** Tags added: verification-needed-xenial -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1939449 Title: Ubuntu Pro UA fails to enable fips-updates on 20.04 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/ubuntu-advantage-tools/+bug/1939449/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1939449] Re: Ubuntu Pro UA fails to enable fips-updates on 20.04
Hello Brad, or anyone else affected, Accepted ubuntu-advantage-tools into bionic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/ubuntu-advantage-tools/27.3~18.04.1 in a few hours, and then in the -proposed repository. Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users. If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed- bionic to verification-done-bionic. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification- failed-bionic. In either case, without details of your testing we will not be able to proceed. Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping! N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days. ** Changed in: ubuntu-advantage-tools (Ubuntu Bionic) Status: New => Fix Committed ** Tags added: verification-needed-bionic -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1939449 Title: Ubuntu Pro UA fails to enable fips-updates on 20.04 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/ubuntu-advantage-tools/+bug/1939449/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1939449] Re: Ubuntu Pro UA fails to enable fips-updates on 20.04
Hello Brad, or anyone else affected, Accepted ubuntu-advantage-tools into hirsute-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/ubuntu-advantage-tools/27.3~21.04.1 in a few hours, and then in the -proposed repository. Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users. If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed- hirsute to verification-done-hirsute. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-hirsute. In either case, without details of your testing we will not be able to proceed. Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping! N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days. ** Changed in: ubuntu-advantage-tools (Ubuntu Hirsute) Status: New => Fix Committed ** Tags added: verification-needed-hirsute ** Changed in: ubuntu-advantage-tools (Ubuntu Focal) Status: New => Fix Committed ** Tags added: verification-needed-focal -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1939449 Title: Ubuntu Pro UA fails to enable fips-updates on 20.04 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/ubuntu-advantage-tools/+bug/1939449/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1939449] Re: Ubuntu Pro UA fails to enable fips-updates on 20.04
Hello Brad, or anyone else affected, Accepted ubuntu-advantage-tools into impish-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/ubuntu-advantage-tools/27.3~21.10.1 in a few hours, and then in the -proposed repository. Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users. If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed- impish to verification-done-impish. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification- failed-impish. In either case, without details of your testing we will not be able to proceed. Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping! N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days. ** Changed in: ubuntu-advantage-tools (Ubuntu Impish) Status: New => Fix Committed ** Tags added: verification-needed verification-needed-impish -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1939449 Title: Ubuntu Pro UA fails to enable fips-updates on 20.04 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/ubuntu-advantage-tools/+bug/1939449/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1939449] Re: Ubuntu Pro UA fails to enable fips-updates on 20.04
** Description changed:
[Impact]
This bug impacts users on AWS, trying to enable FIPS/FIPS updates on
Focal images. There is a missing package, 'ubuntu-aws-fips', which
causes the installation to fail.
This package is missing because, although Focal has a FIPS certified
kernel, the AWS adapted kernel is not ready yet. There will be in the
future a cloud-optimized version of the FIPS kernel, and then users will
be able to install it.
- Right now, UA will show a message saying that the kernel is not
- available instead of showing an error. If the user really wants to
+ With the applied fix, UA will show a message saying that the kernel is
+ not available instead of showing an error. If the user really wants to
install FIPS, there is a feature override
("allow_default_fips_metapackage_on_focal_cloud") which will install the
default kernel.
-
[Test Case]
To reproduce
- Spin an AWS instance using the Ubuntu 20.04 image.
- Attach a valid token
- Run `$ sudo ua enable fips` (or `fips-updates`)
To verify the fix:
1. Update to ubuntu-advantage-tools 27.3, and run the same procedure. Verify
that a message is displayed saying that the kernel is not available for the
Focal release.
2. Append the following to '/etc/ubuntu-advantage/uaclient.conf':
"""
features:
- allow_default_fips_metapackage_on_focal_cloud: true
+ allow_default_fips_metapackage_on_focal_cloud: true
"""
and then run the command again. Verify that it installs a base FIPS kernel,
without the -aws prefix.
[Regression Potential]
This change needs to make sure that we indeed prevent the installation of the
non-existent package. If a corner case shows up, the user might end up with a
wrong kernel. This is unlikely because we are using cloud-init tools, present
in AWS, to detect the cloud instance and effective blocking the install. If
this detection fails, it means cloud-init has some problem and then, on AWS,
the instance will have more problems than this one.
We need to make sure to keep track of the certification progress for the
cloud adapted FIPS package, so we can enable it in the future, when it
becomes available.
[Original Description]
Using AWS AMI: ami-0193aa0a9df84a08b
Attempting to enable fips-updates with the ua command line tool fails
with error that apt "Unable to locate package ubuntu-aws-fips."
Canonical has told me directly 20.04 is now FIPS 140-2 Level 1
certified.
Output:
ubuntu@ip-xx-xx-xx-xx:~$ lsb_release -rd
Description: Ubuntu 20.04.2 LTS
Release: 20.04
ubuntu@ip-xx-xx-xx-xx:~$ ua version
27.2.2~20.04.1
ubuntu@ip-xx-xx-xx-xx:~$ sudo ua status --all
SERVICE ENTITLED STATUS DESCRIPTION
cc-eal yes n/a Common Criteria EAL2 Provisioning Packages
cis yes disabled Center for Internet Security Audit Tools
esm-apps yes disabled UA Apps: Extended Security Maintenance (ESM)
esm-infra yes disabled UA Infra: Extended Security Maintenance (ESM)
fips yes disabled NIST-certified core packages
fips-updates yes disabled NIST-certified core packages with priority security
updates
livepatch yes disabled Canonical Livepatch service
Enable services with: ua enable
- Account:
-Subscription:
- Valid until: -12-31 00:00:00+00:00
+ Account:
+ Subscription:
+ Valid until: -12-31 00:00:00+00:00
Technical support level: essential
ubuntu@ip-xx-xx-xx-xx:~$ sudo ua --debug enable fips-updates
DEBUG: Executed with sys.argv: ['/usr/bin/ua', '--debug', 'enable',
'fips-updates']
This will install the FIPS core packages and will include priority updates
with security fixes.
Are you sure? (y/N) y
DEBUG: Writing file:
/var/lib/ubuntu-advantage/private/machine-access-fips-updates
DEBUG: Writing file: /etc/apt/preferences.d/ubuntu-fips-updates
DEBUG: Ran cmd: apt-cache policy, rc: 0 stderr: b''
DEBUG: Writing file: /etc/apt/sources.list.d/ubuntu-fips-updates.list
DEBUG: Writing file: /etc/apt/auth.conf.d/90ubuntu-advantage
DEBUG: Exporting GPG key /usr/share/keyrings/ubuntu-advantage-fips.gpg
Updating package lists
DEBUG: Ran cmd: apt-get update, rc: 0 stderr: b''
DEBUG: Reading file: /var/lib/ubuntu-advantage/private/machine-token.json
Installing FIPS Updates packages
DEBUG: Failed running command 'apt-get install --assume-yes
--allow-downgrades -o Dpkg::Options::="--force-confdef" -o
Dpkg::Options::="--force-confold" ubuntu-aws-fips' [exit(100)]. Message: E:
Unable to locate package ubuntu-aws-fips
DEBUG: Failed running command 'apt-get install --assume-yes
--allow-downgrades -o Dpkg::Options::="--force-confdef" -o
Dpkg::Options::="--force-confold" ubuntu-aws-fips' [exit(100)]. Message: E:
Unable to locate package ubuntu-aws-fips
- Retrying 3 more times.
+ Retrying 3 more times.
DEBUG: Failed running command 'apt-get install --assume-yes
--allow-d
[Bug 1939449] Re: Ubuntu Pro UA fails to enable fips-updates on 20.04
** Description changed:
+ [Impact]
+
+ This bug impacts users on AWS, trying to enable FIPS/FIPS updates on
+ Focal images. There is a missing package, 'ubuntu-aws-fips', which
+ causes the installation to fail.
+
+ This package is missing because, although Focal has a FIPS certified
+ kernel, the AWS adapted kernel is not ready yet. There will be in the
+ future a cloud-optimized version of the FIPS kernel, and then users will
+ be able to install it.
+
+ Right now, UA will show a message saying that the kernel is not
+ available instead of showing an error. If the user really wants to
+ install FIPS, there is a feature override
+ ("allow_default_fips_metapackage_on_focal_cloud") which will install the
+ default kernel.
+
+
+ [Test Case]
+ To reproduce
+ - Spin an AWS instance using the Ubuntu 20.04 image.
+ - Attach a valid token
+ - Run `$ sudo ua enable fips` (or `fips-updates`)
+
+ To verify the fix:
+ 1. Update to ubuntu-advantage-tools 27.3, and run the same procedure. Verify
that a message is displayed saying that the kernel is not available for the
Focal release.
+ 2. Append the following to '/etc/ubuntu-advantage/uaclient.conf':
+ """
+ features:
+ allow_default_fips_metapackage_on_focal_cloud: true
+ """
+ and then run the command again. Verify that it installs a base FIPS kernel,
without the -aws prefix.
+
+ [Regression Potential]
+ This change needs to make sure that we indeed prevent the installation of the
non-existent package. If a corner case shows up, the user might end up with a
wrong kernel. This is unlikely because we are using cloud-init tools, present
in AWS, to detect the cloud instance and effective blocking the install. If
this detection fails, it means cloud-init has some problem and then, on AWS,
the instance will have more problems than this one.
+
+ We need to make sure to keep track of the certification progress for the
+ cloud adapted FIPS package, so we can enable it in the future, when it
+ becomes available.
+
+ [Original Description]
Using AWS AMI: ami-0193aa0a9df84a08b
Attempting to enable fips-updates with the ua command line tool fails
with error that apt "Unable to locate package ubuntu-aws-fips."
Canonical has told me directly 20.04 is now FIPS 140-2 Level 1
certified.
Output:
ubuntu@ip-xx-xx-xx-xx:~$ lsb_release -rd
- Description: Ubuntu 20.04.2 LTS
- Release: 20.04
+ Description: Ubuntu 20.04.2 LTS
+ Release: 20.04
ubuntu@ip-xx-xx-xx-xx:~$ ua version
27.2.2~20.04.1
ubuntu@ip-xx-xx-xx-xx:~$ sudo ua status --all
- SERVICE ENTITLED STATUSDESCRIPTION
- cc-ealyes n/a Common Criteria EAL2 Provisioning Packages
- cis yes disabled Center for Internet Security Audit Tools
- esm-apps yes disabled UA Apps: Extended Security Maintenance (ESM)
- esm-infra yes disabled UA Infra: Extended Security Maintenance
(ESM)
- fips yes disabled NIST-certified core packages
- fips-updates yes disabled NIST-certified core packages with priority
security updates
- livepatch yes disabled Canonical Livepatch service
+ SERVICE ENTITLED STATUS DESCRIPTION
+ cc-eal yes n/a Common Criteria EAL2 Provisioning Packages
+ cis yes disabled Center for Internet Security Audit Tools
+ esm-apps yes disabled UA Apps: Extended Security Maintenance (ESM)
+ esm-infra yes disabled UA Infra: Extended Security Maintenance (ESM)
+ fips yes disabled NIST-certified core packages
+ fips-updates yes disabled NIST-certified core packages with priority security
updates
+ livepatch yes disabled Canonical Livepatch service
Enable services with: ua enable
Account:
Subscription:
Valid until: -12-31 00:00:00+00:00
Technical support level: essential
ubuntu@ip-xx-xx-xx-xx:~$ sudo ua --debug enable fips-updates
DEBUG: Executed with sys.argv: ['/usr/bin/ua', '--debug', 'enable',
'fips-updates']
This will install the FIPS core packages and will include priority updates
with security fixes.
Are you sure? (y/N) y
DEBUG: Writing file:
/var/lib/ubuntu-advantage/private/machine-access-fips-updates
DEBUG: Writing file: /etc/apt/preferences.d/ubuntu-fips-updates
DEBUG: Ran cmd: apt-cache policy, rc: 0 stderr: b''
DEBUG: Writing file: /etc/apt/sources.list.d/ubuntu-fips-updates.list
DEBUG: Writing file: /etc/apt/auth.conf.d/90ubuntu-advantage
DEBUG: Exporting GPG key /usr/share/keyrings/ubuntu-advantage-fips.gpg
Updating package lists
DEBUG: Ran cmd: apt-get update, rc: 0 stderr: b''
DEBUG: Reading file: /var/lib/ubuntu-advantage/private/machine-token.json
Installing FIPS Updates packages
DEBUG: Failed running command 'apt-get install --assume-yes
--allow-downgrades -o Dpkg::Options::="--force-confdef" -o
Dpkg::Options::="--force-confold" ubuntu-aws-fips' [exit(100)]. Message: E:
Unable to locate package ubuntu-aws-fips
DEBUG: Failed running command 'ap
[Bug 1939449] Re: Ubuntu Pro UA fails to enable fips-updates on 20.04
Note upstream change has landed related to this request/bug[1] which will prevent people from enabling FIPS on AWS and/or Azure on Focal until the cloud-optimized version of FIPS kernel clears certification for AWS and Azure. This "fix" will be present in ubuntu-advantage-tools version 27.3 expected to start release verification next week. [1] https://github.com/canonical/ubuntu-advantage-client/commit/5a670a1de409c8daeafd35ac8437c78779157fb1 ** Changed in: ubuntu-advantage-tools (Ubuntu) Status: Triaged => Fix Committed ** Changed in: ubuntu-advantage-tools (Ubuntu) Assignee: (unassigned) => Lucas Albuquerque Medeiros de Moura (lamoura) -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1939449 Title: Ubuntu Pro UA fails to enable fips-updates on 20.04 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/ubuntu-advantage-tools/+bug/1939449/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1939449] Re: Ubuntu Pro UA fails to enable fips-updates on 20.04
Thanks sincerely for the detailed response. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1939449 Title: Ubuntu Pro UA fails to enable fips-updates on 20.04 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/ubuntu-advantage-tools/+bug/1939449/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1939449] Re: Ubuntu Pro UA fails to enable fips-updates on 20.04
The reasoning is that FIPS is only for customers who need that specific requirement. It requires using a kernel and other modules that are certified and are therefore often slightly older than the latest versions available in the release. The lack of 20.04 versions is that Ubuntu images in the AWS cloud use a slightly tweaked kernel that you can see the UA client is attempting to install. This kernel includes performance and other changes to help it run best on AWS as a platform. 20.04's base kernel has been FIPS certified and gone through the process, however, the -aws tweaked one is still going to take some time as it needs additional certification as a derivative of the base kernel. We typically don't suggest using the base kernel on AWS as there could be specific performance impacts or other issues that the -aws customized kernel is intended to help with. The short answer to your question is you're attempting to use FIPS in between the gap of getting the base kernel certified but before the -aws specific one has completed certification. All that said, you should not get the error and the team is looking into how best to proceed given that if a user REALLY wants to use the base FIPS kernel on -aws they should be able to. ** Changed in: ubuntu-advantage-tools (Ubuntu) Status: New => Triaged ** Changed in: ubuntu-advantage-tools (Ubuntu) Importance: Undecided => High -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1939449 Title: Ubuntu Pro UA fails to enable fips-updates on 20.04 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/ubuntu-advantage-tools/+bug/1939449/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1939449] Re: Ubuntu Pro UA fails to enable fips-updates on 20.04
Searching AWS marketplace I see that for Ubuntu 18, there are: - Ubuntu Pro FIPS 18.04 LTS (offered by Canonical Group Ltd) - Ubuntu Pro 18.04 LTS (offered by Amazon Web Services) But for Ubuntu 20.04, a "Pro FIPS" variety does not exist, only Ubuntu Pro 20.04 LTS. This is confusing from a user perspective. - Why are there two separate AMIs if Ubuntu Pro is supposed to include the fips modules enabled through UA in the first place? - Why can `fips` or `fips-updates` not be enabled using the Ubuntu Pro 20.04 LTS image? - Why is an Ubuntu Pro FIPS 20.04 LTS missing entirely? -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1939449 Title: Ubuntu Pro UA fails to enable fips-updates on 20.04 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/ubuntu-advantage-tools/+bug/1939449/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
