[SRU] include recent version containing fips and livepatch
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
ubuntu-advantage-tools (Ubuntu) | Fix Released | High | Unassigned |
Trusty | Fix Released | Medium | Andreas Hasenack |
Xenial | Fix Released | Medium | Andreas Hasenack |
Zesty | Fix Released | Medium | Andreas Hasenack |
Artful | Fix Released | Medium | Andreas Hasenack |
Bug Description
This bug has some history, so the comments may be confusing. It started out as a Feature Freeze Exception, which is why build logs, git logs and unit test runs are attached.
Also, the "rename" that is mentioned elsewhere did not happen with this package: the ubuntu-advantage name was kept, no new aliases were added. This will happen in a later SRU, with a later version of the package.
PPA with test packages: https:/
[IMPACT]
Most recent version of ubuntu-
This SRU will cover both new features.
In addition to the new features themselves, a new "status" command was added that will give a short summary about the available modules and their status, at a glance.
Note: FIPS certified modules are only available for xenial. Livepatch is supported on xenial and trusty. The tool will refuse to enable either service on an unsupported ubuntu release.
Without this updated package, customers of those services have to enable them manually by following a series of steps.
[FIPS DESCRIPTION]
When "ubuntu-advantage enable-fips <token>" is issued from the command line, the script will:
- configure the private PPA where the FIPS modules are located
- install the FIPS modules from this PPA on the local machine where the script is run
- configure the bootloader to enable FIPS
Upon successful completion of these steps, the customer gets a message stating to reboot the machine to complete the FIPS enablement process.
Without the script, customers must perform these steps manually.
[LIVEPATCH DESCRIPTION]
Livepatch allows customers to apply kernel patches to a running system without rebooting it.
The current instructions live in http://
- install snapd if it's not installed already. On trusty this means a new kernel as well.
- install the canonical-livepatch snap
- obtain a livepatch token from Canonical
- run the enable command with the given token
The ubuntu-
[FIX]
Add fips and livepatch support to the ubuntu-
[LIVEPATCH TESTCASES]
TRUSTY
0. Install the new ubuntu-
1. Collect status before enabling livepatch
type on commandline:
ubuntu-
expect:
livepatch: disabled
esm: disabled (not available)
fips: disabled (not available)
2. Enable livepatch
visit https:/
type on commandline,
sudo ubuntu-advantage enable-livepatch <yourtoken>
You may be required to install a newer kernel. In that case, expect the following output:
Installing missing dependency snapd... OK
Installing the canonical-livepatch snap.
This may take a few minutes depending on your bandwidth.
canonical-
Your currently running kernel (3.13.0-
support snaps. Version 4.4.0 or higher is needed.
Please reboot your system into a supported kernel version
and run the following command one more time to complete the
installation:
sudo ubuntu-advantage enable-livepatch <yourtoken>
Once you reboot and re-run the specified command, expect:
Enabling Livepatch with the given token, stand by...
Successfully enabled device. Using machine-token: <sometoken>
Use "canonical-
3. Verify livepatch status
type on commandline,
ubuntu-
expect an output like the following,
livepatch: enabled
client-version: "7.23"
architecture: x86_64
cpu-model: Intel Core Processor (Skylake)
last-check: 2017-10-
boot-time: 2017-10-
uptime: 1m19s
status:
- kernel: 4.4.0-97.
running: true
livepatch:
checkState: checked
patchState: nothing-to-apply
version: ""
fixes: ""
esm: disabled (not available)
fips: disabled (not available)
XENIAL
0. Install the new ubuntu-
1. Collect status before enabling livepatch
type on commandline,
ubuntu-
expect,
livepatch: disabled
esm: disabled (not available)
fips: disabled
2. Enable livepatch
visit https:/
type on commandline,
sudo ubuntu-advantage enable-livepatch <yourtoken>
expect,
Installing the canonical-livepatch snap.
This may take a few minutes depending on your bandwidth.
2017-
canonical-
Enabling Livepatch with the given token, stand by...
Successfully enabled device. Using machine-token: xxxxxxxxxxxxxxx
Use "canonical-
3. Verify livepatch status
type on commandline,
ubuntu-
expect an output like the following,
livepatch: enabled
client-
architecture: x86_64
cpu-model: Intel Core Processor (Skylake)
last-check: 2017-10-
boot-time: 2017-10-
uptime: 15m30s
status:
- kernel: 4.4.0-97.
running: true
livepatch:
version: ""
fixes: ""
esm: disabled (not available)
fips: disabled
ZESTY
0. Install the new ubuntu-
1. Collect status before enabling livepatch
type on commandline:
ubuntu-
expect the livepatch service to be unavailable:
livepatch: disabled (not available)
esm: disabled (not available)
fips: disabled (not available)
2. Ensure that livepatch cannot be enabled on Zesty.
You can use a dummy set of credentials like "foobar" as the token:
type on commandline,
sudo ubuntu-advantage enable-livepatch foobar
expect,
Sorry, but Canonical Livepatch is not supported on zesty
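The livepatch test cases above all end with reading the "ubuntu-advantage status" output by eye. The following helpers, an added example that is not part of the ubuntu-advantage package or of this bug's test plan, check a saved copy of that output for the state steps 1 and 3 expect: the top-level service line and the "running: true" kernel entry. The sample status text embedded at the bottom is constructed from the Trusty step 3 output in this bug (the kernel version is a placeholder), and the file-based interface is an assumption made so the checks can run offline.

```shell
#!/bin/sh
# Added example: checks over "ubuntu-advantage status" output for the
# post-enable livepatch state expected by the bug's test cases.
# Not part of the ubuntu-advantage package. Each function reads a file so a
# capture can be checked later:
#   ubuntu-advantage status > /tmp/ua-status.txt
#   livepatch_healthy /tmp/ua-status.txt

# service_state STATUS_FILE SERVICE
# Prints the value of the column-0 "SERVICE:" line, e.g. "enabled" or
# "disabled (not available)". Nested livepatch keys are indented, so only
# top-level lines are matched.
service_state() {
    awk -v svc="$2" '
        $0 ~ ("^" svc ":") { sub(("^" svc ":[ \t]*"), ""); print; exit }
    ' "$1"
}

# livepatch_kernel_running STATUS_FILE
# Returns 0 when a kernel entry under "status:" reports "running: true".
livepatch_kernel_running() {
    grep -q '^[[:space:]]*running:[[:space:]]*true[[:space:]]*$' "$1"
}

# livepatch_healthy STATUS_FILE
# Returns 0 only when livepatch is reported enabled and the client lists the
# running kernel; prints the reason otherwise.
livepatch_healthy() {
    state=$(service_state "$1" livepatch)
    if [ "$state" != "enabled" ]; then
        echo "livepatch is not enabled (status: ${state:-missing})"
        return 1
    fi
    if ! livepatch_kernel_running "$1"; then
        echo "livepatch enabled but no running kernel entry found"
        return 1
    fi
    echo "livepatch enabled and a running kernel entry is present"
    return 0
}

# Demo on a constructed sample (shape copied from the bug's Trusty step 3
# output; the kernel version is a placeholder, not a real release string).
sample=$(mktemp)
cat > "$sample" <<'EOF'
livepatch: enabled
  client-version: "7.23"
  architecture: x86_64
  status:
  - kernel: <kernel-version>-generic
    running: true
    livepatch:
      checkState: checked
      patchState: nothing-to-apply
esm: disabled (not available)
fips: disabled (not available)
EOF
livepatch_healthy "$sample"
rm -f "$sample"
```

The same service_state helper answers the negative test cases too: on Zesty it should print "disabled (not available)" for livepatch, and on Trusty "disabled (not available)" for fips, matching the outputs listed in the steps above.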
[FIPS TESTCASES]
These testcases assume you have installed ubuntu-
TRUSTY
(Note that FIPS is not supported on trusty.)
1. Collect status before enabling fips
type on commandline,
ubuntu-
expect,
livepatch: disabled
esm: disabled (not available)
fips: disabled (not available)
2. Ensure that fips cannot be enabled on trusty.
You can use a dummy set of credentials like user:secret as the token:
type on commandline,
sudo ubuntu-advantage enable-fips user:secret
expect,
Sorry, but Canonical FIPS 140-2 Modules is not supported on trusty
XENIAL
0. Install the new ubuntu-
1. Collect status before enabling fips
type on commandline,
ubuntu-
expect,
livepatch: disabled
esm: disabled (not available)
fips: disabled
2. Enable fips
Note: This will require a token or credentials for the FIPS private PPA, in the form xxx:xxx
type on commandline,
sudo ubuntu-advantage enable-fips xxx:xxx
expect,
[sudo] password for ubuntu:
Running apt-get update... OK
Ubuntu FIPS PPA repository enabled.
Installing FIPS packages (this may take a while)... OK
Configuring FIPS...
Updating grub to enable fips... OK
Successfully configured FIPS. Please reboot into the FIPS kernel to enable it.
type on commandline,
sudo reboot
3. Log back into system after reboot
type on commandline,
ubuntu-
expect,
livepatch: disabled
esm: disabled (not available)
fips: enabled
4. Verify that the FIPS kernel "4.4.0-1002-fips" has been installed and is running
type on commandline,
uname -a
expect,
Linux xenialguest 4.4.0-1002-fips #2-Ubuntu SMP Thu Apr 27 19:37:46 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
ZESTY
(Note that FIPS is not supported on zesty.)
1. Collect status before enabling fips
type on commandline,
ubuntu-
expect,
livepatch: disabled (not available)
esm: disabled (not available)
fips: disabled (not available)
2. Ensure that fips cannot be enabled on Zesty.
You can use a dummy set of credentials like user:secret as the token:
type on commandline,
sudo ubuntu-advantage enable-fips user:secret
expect,
Sorry, but Canonical FIPS 140-2 Modules is not supported on zesty
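Step 4 of the Xenial FIPS test case only confirms that the -fips kernel booted. The script below, an added example that is not part of the ubuntu-advantage package or of this bug's test plan, adds the two checks a practitioner would want after that reboot: that the boot command line carries fips=1 (the kernel parameter the "Updating grub to enable fips" step is assumed to add) and that the kernel itself reports FIPS mode on via /proc/sys/crypto/fips_enabled. The inputs are passed as arguments so the checks can run against captured files; the live-system invocation is shown at the end.

```shell
#!/bin/sh
# Added example (not from the ubuntu-advantage package or this bug): post-reboot
# verification of FIPS enablement. Functions take their inputs as arguments so
# the logic can be exercised on captured files as well as on the live system.

# fips_kernel_running KERNEL_RELEASE
# 0 when the release string has the "-fips" flavour suffix (e.g. 4.4.0-1002-fips).
fips_kernel_running() {
    case "$1" in
        *-fips) return 0 ;;
        *)      return 1 ;;
    esac
}

# cmdline_has_fips CMDLINE_FILE
# 0 when the boot command line (normally /proc/cmdline) carries fips=1.
# Assumption: this is the parameter the grub update step in the bug adds.
cmdline_has_fips() {
    [ -r "$1" ] || return 1
    grep -qw 'fips=1' "$1"
}

# fips_mode_active FIPS_ENABLED_FILE
# 0 when the kernel flag (normally /proc/sys/crypto/fips_enabled) reads "1".
# This is the authoritative check: a -fips kernel booted without fips=1
# runs with FIPS mode off even though uname shows the fips flavour.
fips_mode_active() {
    [ -r "$1" ] || return 1
    [ "$(cat "$1")" = "1" ]
}

# verify_fips KERNEL_RELEASE CMDLINE_FILE FIPS_ENABLED_FILE
# Runs all three checks, prints one line per check, returns 0 only if all pass.
verify_fips() {
    rc=0
    if fips_kernel_running "$1"; then
        echo "ok   running kernel is a -fips flavour: $1"
    else
        echo "FAIL running kernel is not a -fips flavour: $1"; rc=1
    fi
    if cmdline_has_fips "$2"; then
        echo "ok   fips=1 present on the boot command line"
    else
        echo "FAIL fips=1 missing from the boot command line"; rc=1
    fi
    if fips_mode_active "$3"; then
        echo "ok   kernel reports fips_enabled=1"
    else
        echo "FAIL kernel reports FIPS mode off"; rc=1
    fi
    return $rc
}

# Live-system use, meaningful only on the rebooted Xenial FIPS machine:
#   verify_fips "$(uname -r)" /proc/cmdline /proc/sys/crypto/fips_enabled
```

A non-zero exit from verify_fips after "ubuntu-advantage status" already reports "fips: enabled" is the case worth investigating: it means the packages and grub configuration are in place but the running kernel is not actually operating in FIPS mode.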
[REGRESSION POTENTIAL]
The current ubuntu-
This update adds two new features to the package: FIPS (xenial only) and Livepatch (trusty and xenial), essentially making the package useful in trusty and xenial. For zesty there is no change, as none of these products are available for non-LTS releases.
In case of broken core functionality or specific broken features, the manual instructions remain available as a workaround.
[OTHER INFO]
This package was made available in all the Ubuntu releases where it now exists via a "pocket copy". That's why it has the exact same version in trusty, xenial and zesty. Currently artful has version 10 (a version 12 just missed the feature freeze), so in order for upgrades between releases to work, we adopted the backports versioning scheme, appending a tilde ("~") followed by the Ubuntu release code to the version.
Another point is that even though ubuntu-
Changed in ubuntu-advantage-tools (Ubuntu): | |
importance: | Undecided → High |
description: | updated |
summary: | [SRU][xenial] include fips enablement into ubuntu-advantage → [SRU][xenial] include new version |
summary: | [SRU][xenial] include new version → [SRU][xenial] include recent version containing fips |
tags: | added: sts |
description: | updated |
summary: | [SRU][xenial] include recent version containing fips → [SRU][xenial] include recent version containing fips and livepatch |
description: | updated |
description: | updated |
description: | updated |
tags: | added: livepatch |
description: | updated |
summary: | [SRU][xenial] include recent version containing fips and livepatch → [SRU] include recent version containing fips and livepatch |
description: | updated |
description: | updated |
description: | updated |
Changed in ubuntu-advantage-tools (Ubuntu Trusty): | |
status: | New → In Progress |
Changed in ubuntu-advantage-tools (Ubuntu Xenial): | |
status: | New → In Progress |
Changed in ubuntu-advantage-tools (Ubuntu Zesty): | |
status: | New → In Progress |
Changed in ubuntu-advantage-tools (Ubuntu Trusty): | |
assignee: | nobody → Andreas Hasenack (ahasenack) |
Changed in ubuntu-advantage-tools (Ubuntu Xenial): | |
assignee: | nobody → Andreas Hasenack (ahasenack) |
Changed in ubuntu-advantage-tools (Ubuntu Zesty): | |
assignee: | nobody → Andreas Hasenack (ahasenack) |
description: | updated |
description: | updated |
description: | updated |
description: | updated |
description: | updated |
tags: | added: sts-sponsor-slashd |
description: | updated |
summary: | [SRU] include recent version containing fips and livepatch → [SRU] Microrelease : include recent version containing fips and livepatch |
description: | updated |
Changed in ubuntu-advantage-tools (Ubuntu Trusty): | |
importance: | Undecided → Medium |
Changed in ubuntu-advantage-tools (Ubuntu Xenial): | |
importance: | Undecided → Medium |
Changed in ubuntu-advantage-tools (Ubuntu Zesty): | |
importance: | Undecided → Medium |
description: | updated |
summary: | [SRU] Microrelease : include recent version containing fips and livepatch → [SRU] include recent version containing fips and livepatch |
Changed in ubuntu-advantage-tools (Ubuntu Artful): | |
status: | New → Fix Released |
Changed in ubuntu-advantage-tools (Ubuntu Artful): | |
assignee: | nobody → Andreas Hasenack (ahasenack) |
importance: | Undecided → Medium |
status: | Fix Released → In Progress |
description: | updated |
description: | updated |
tags: | added: verification-done-xenial removed: verification-needed-xenial |
Please note in the debdiff that the ubuntu-advantage script has been renamed to advantage. Links are created for backward compatibility.