** Description changed:
+ [Impact]
+
+ This bug impacts users on AWS, trying to enable FIPS/FIPS updates on
+ Focal images. There is a missing package, 'ubuntu-aws-fips', which
+ causes the installation to fail.
+
+ This package is missing because, although Focal has a FIPS certified
+ kernel, the AWS adapted kernel is not ready yet. There will be in the
+ future a cloud-optimized version of the FIPS kernel, and then users will
+ be able to install it.
+
+ Right now, UA will show a message saying that the kernel is not
+ available instead of showing an error. If the user really wants to
+ install FIPS, there is a feature override
+ ("allow_default_fips_metapackage_on_focal_cloud") which will install the
+ default kernel.
+
+
+ [Test Case]
+ To reproduce
+ - Spin an AWS instance using the Ubuntu 20.04 image.
+ - Attach a valid token
+ - Run `$ sudo ua enable fips` (or `fips-updates`)
+
+ To verify the fix:
+ 1. Update to ubuntu-advantage-tools 27.3, and run the same procedure. Verify
that a message is displayed saying that the kernel is not available for the
Focal release.
+ 2. Append the following to '/etc/ubuntu-advantage/uaclient.conf':
+ """
+ features:
+ allow_default_fips_metapackage_on_focal_cloud: true
+ """
+ and then run the command again. Verify that it installs a base FIPS kernel,
without the -aws prefix.
+
+ [Regression Potential]
+ This change needs to make sure that we indeed prevent the installation of the
non-existent package. If a corner case shows up, the user might end up with a
wrong kernel. This is unlikely because we are using cloud-init tools, present
in AWS, to detect the cloud instance and effective blocking the install. If
this detection fails, it means cloud-init has some problem and then, on AWS,
the instance will have more problems than this one.
+
+ We need to make sure to keep track of the certification progress for the
+ cloud adapted FIPS package, so we can enable it in the future, when it
+ becomes available.
+
+ [Original Description]
Using AWS AMI: ami-0193aa0a9df84a08b
Attempting to enable fips-updates with the ua command line tool fails
with error that apt "Unable to locate package ubuntu-aws-fips."
Canonical has told me directly 20.04 is now FIPS 140-2 Level 1
certified.
Output:
ubuntu@ip-xx-xx-xx-xx:~$ lsb_release -rd
- Description: Ubuntu 20.04.2 LTS
- Release: 20.04
+ Description: Ubuntu 20.04.2 LTS
+ Release: 20.04
ubuntu@ip-xx-xx-xx-xx:~$ ua version
27.2.2~20.04.1
ubuntu@ip-xx-xx-xx-xx:~$ sudo ua status --all
- SERVICE ENTITLED STATUS DESCRIPTION
- cc-eal yes n/a Common Criteria EAL2 Provisioning Packages
- cis yes disabled Center for Internet Security Audit Tools
- esm-apps yes disabled UA Apps: Extended Security Maintenance (ESM)
- esm-infra yes disabled UA Infra: Extended Security Maintenance
(ESM)
- fips yes disabled NIST-certified core packages
- fips-updates yes disabled NIST-certified core packages with priority
security updates
- livepatch yes disabled Canonical Livepatch service
+ SERVICE ENTITLED STATUS DESCRIPTION
+ cc-eal yes n/a Common Criteria EAL2 Provisioning Packages
+ cis yes disabled Center for Internet Security Audit Tools
+ esm-apps yes disabled UA Apps: Extended Security Maintenance (ESM)
+ esm-infra yes disabled UA Infra: Extended Security Maintenance (ESM)
+ fips yes disabled NIST-certified core packages
+ fips-updates yes disabled NIST-certified core packages with priority security
updates
+ livepatch yes disabled Canonical Livepatch service
Enable services with: ua enable <service>
Account: xxxx
Subscription: xxxx
Valid until: 9999-12-31 00:00:00+00:00
Technical support level: essential
ubuntu@ip-xx-xx-xx-xx:~$ sudo ua --debug enable fips-updates
DEBUG: Executed with sys.argv: ['/usr/bin/ua', '--debug', 'enable',
'fips-updates']
This will install the FIPS core packages and will include priority updates
with security fixes.
Are you sure? (y/N) y
DEBUG: Writing file:
/var/lib/ubuntu-advantage/private/machine-access-fips-updates
DEBUG: Writing file: /etc/apt/preferences.d/ubuntu-fips-updates
DEBUG: Ran cmd: apt-cache policy, rc: 0 stderr: b''
DEBUG: Writing file: /etc/apt/sources.list.d/ubuntu-fips-updates.list
DEBUG: Writing file: /etc/apt/auth.conf.d/90ubuntu-advantage
DEBUG: Exporting GPG key /usr/share/keyrings/ubuntu-advantage-fips.gpg
Updating package lists
DEBUG: Ran cmd: apt-get update, rc: 0 stderr: b''
DEBUG: Reading file: /var/lib/ubuntu-advantage/private/machine-token.json
Installing FIPS Updates packages
DEBUG: Failed running command 'apt-get install --assume-yes
--allow-downgrades -o Dpkg::Options::="--force-confdef" -o
Dpkg::Options::="--force-confold" ubuntu-aws-fips' [exit(100)]. Message: E:
Unable to locate package ubuntu-aws-fips
DEBUG: Failed running command 'apt-get install --assume-yes
--allow-downgrades -o Dpkg::Options::="--force-confdef" -o
Dpkg::Options::="--force-confold" ubuntu-aws-fips' [exit(100)]. Message: E:
Unable to locate package ubuntu-aws-fips
Retrying 3 more times.
DEBUG: Failed running command 'apt-get install --assume-yes
--allow-downgrades -o Dpkg::Options::="--force-confdef" -o
Dpkg::Options::="--force-confold" ubuntu-aws-fips' [exit(100)]. Message: E:
Unable to locate package ubuntu-aws-fips
DEBUG: Failed running command 'apt-get install --assume-yes
--allow-downgrades -o Dpkg::Options::="--force-confdef" -o
Dpkg::Options::="--force-confold" ubuntu-aws-fips' [exit(100)]. Message: E:
Unable to locate package ubuntu-aws-fips
Retrying 2 more times.
DEBUG: Failed running command 'apt-get install --assume-yes
--allow-downgrades -o Dpkg::Options::="--force-confdef" -o
Dpkg::Options::="--force-confold" ubuntu-aws-fips' [exit(100)]. Message: E:
Unable to locate package ubuntu-aws-fips
DEBUG: Failed running command 'apt-get install --assume-yes
--allow-downgrades -o Dpkg::Options::="--force-confdef" -o
Dpkg::Options::="--force-confold" ubuntu-aws-fips' [exit(100)]. Message: E:
Unable to locate package ubuntu-aws-fips
Retrying 1 more times.
DEBUG: Failed running command 'apt-get install --assume-yes
--allow-downgrades -o Dpkg::Options::="--force-confdef" -o
Dpkg::Options::="--force-confold" ubuntu-aws-fips' [exit(100)]. Message: E:
Unable to locate package ubuntu-aws-fips
DEBUG: Reading file: /etc/apt/auth.conf.d/90ubuntu-advantage
Updating package lists
DEBUG: Ran cmd: apt-get update, rc: 0 stderr: b''
Could not enable FIPS Updates.
DEBUG: Reading file: /var/lib/ubuntu-advantage/notices.json
DEBUG: Removing file: /var/lib/ubuntu-advantage/notices.json
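Review bot: In [Test Case], verification step 2 says the override installs "a base FIPS kernel, without the -aws prefix" but gives no way to confirm it. Name the metapackage that is expected to be installed and add a concrete check, for example the output of `uname -r` and confirmation that the `ua --debug enable` log no longer contains an `apt-get install ... ubuntu-aws-fips` attempt. The override is named `allow_default_fips_metapackage_on_focal_cloud`, yet the reproduction and verification steps cover only AWS; either state that AWS is the only cloud in scope for this fix or repeat both verification steps on the other clouds the flag applies to. In the `uaclient.conf` snippet, say explicitly that the flag is nested under `features:`, because the indentation is not visible in the text as quoted. [Regression Potential] relies on cloud-init detection to block the install, so a test step that shows what UA does when the cloud type cannot be determined would cover the corner case that section describes.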
https://bugs.launchpad.net/bugs/1939449
Title:
Ubuntu Pro UA fails to enable fips-updates on 20.04