ua status incorrectly lists reboot required for pre-built FIPS cloud image
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| ubuntu-advantage-tools (Ubuntu) | Fix Released | Undecided | Unassigned | |
Bug Description
[Impact]
This bug causes users to see an inaccurate message saying that a reboot is required when that is not true. It doesn't affect the operation of FIPS mode, but it is confusing.
The bug occurs because of a case in our postinst that checks for a specific condition: certain FIPS-related packages having an apt hold. In that scenario we recommend a reboot, during which we remove the apt hold, using this method. This dates from the original implementation of Pro FIPS images. The bug was introduced during a refactor of how we organize all of our strings in the package.
The fix is to remove the notice once it is no longer applicable. The updated version removes it on the suggested reboot, and also on calls to `ua status`, whenever it no longer applies.
[Test Plan]
To Reproduce:
```
lxc launch ubuntu-daily:focal f-1972026 --vm
lxc exec f-1972026 -- ua attach $YOUR_TOKEN
lxc exec f-1972026 -- ua enable fips
lxc exec f-1972026 -- apt-mark hold openssl
lxc exec f-1972026 -- dpkg-reconfigure ubuntu-
lxc exec f-1972026 -- ua status
# see "Reboot to FIPS kernel required"
lxc exec f-1972026 -- reboot
lxc exec f-1972026 -- ua status
# still see "Reboot to FIPS kernel required"
lxc exec f-1972026 -- apt-mark unhold openssl
lxc exec f-1972026 -- ua status
# still see "Reboot to FIPS kernel required"
```
To see that release 27.9 of ubuntu-
Continuing in the same VM from reproducing the bug:
```
lxc exec f-1972026 -- add-apt-repository ppa:ua-
lxc exec f-1972026 -- apt install ubuntu-
lxc exec f-1972026 -- ua status
# no longer see "Reboot to FIPS kernel required"
```
[Where problems could occur]
The fix is to call a function that removes the notice in a few places.
If we are removing the wrong notice, this bug will continue to occur.
If we were overzealous in our calls to remove the notice, or missed a certain condition, we may now remove the notice when it is actually still pertinent.
By introducing new function calls in a couple of places that read/write files and parse JSON, we introduce the risk of failures during those calls. This could potentially cause an error during `ua status`.
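The reconciliation the [Impact] section describes (drop the persisted notice once no FIPS-related package is on hold) and the failure mode called out above (a file read or JSON parse failing inside `ua status`) can be shown together. This is an added example, not ubuntu-advantage-tools code: the notice file format (a JSON list of strings), the package list and the function names are assumptions.

```python
import json

# Notice text exactly as `ua status` prints it in this bug.
FIPS_REBOOT_NOTICE = "Reboot to FIPS kernel required"
# Assumed, not the project's real list: packages whose apt hold triggers the notice.
FIPS_HOLD_PACKAGES = frozenset({"openssl", "libssl1.1", "linux-fips"})


def parse_showhold(apt_mark_output: str) -> frozenset:
    """Parse `apt-mark showhold` output: one held package name per line."""
    return frozenset(l.strip() for l in apt_mark_output.splitlines() if l.strip())


def notice_still_applies(held: frozenset) -> bool:
    """The reboot notice only means something while a FIPS package is held."""
    return bool(held & FIPS_HOLD_PACKAGES)


def reconcile_notices(raw_notices: str, apt_mark_output: str):
    """Return (notices JSON text, removed?) after checking the live hold state.

    Unparsable input is returned unchanged: a corrupt notices file must never
    turn into an exception inside `ua status`.
    """
    try:
        notices = json.loads(raw_notices)
    except json.JSONDecodeError:
        return raw_notices, False
    if not isinstance(notices, list):
        return raw_notices, False
    if notice_still_applies(parse_showhold(apt_mark_output)):
        return raw_notices, False  # hold still present: keep the notice
    kept = [n for n in notices if n != FIPS_REBOOT_NOTICE]
    if len(kept) == len(notices):
        return raw_notices, False  # notice was not there; nothing to write
    return json.dumps(kept), True


def reconcile_notice_file(path: str, apt_mark_output: str) -> bool:
    """File-backed wrapper: rewrite the notices file only when it changed."""
    try:
        with open(path) as fh:
            raw = fh.read()
    except FileNotFoundError:
        return False  # no persisted notices, nothing to remove
    updated, removed = reconcile_notices(raw, apt_mark_output)
    if removed:
        with open(path, "w") as fh:
            fh.write(updated)
    return removed
```

Running `reconcile_notices` with a constructed notices list and an empty `apt-mark showhold` result reproduces the post-unhold case from the test plan: the notice is dropped, while a held `openssl` keeps it.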
[Other Info]
In the future, we should evaluate if this message is still needed in this scenario at all. It may no longer be necessary in the current implementations of Pro FIPS.
[Original Description]
Checking UA status on new Ubuntu 20.04 FIPS cloud image incorrectly lists "Reboot to FIPS kernel required"
Deploy a cloud FIPS image such as https:/
After VM creation and booting perform:
----
>lsb_release -rd
Description: Ubuntu 20.04.4 LTS
Release: 20.04
>ua status
SERVICE ENTITLED STATUS DESCRIPTION
esm-apps yes enabled UA Apps: Extended Security Maintenance (ESM)
esm-infra yes enabled UA Infra: Extended Security Maintenance (ESM)
fips yes enabled NIST-certified core packages
fips-updates yes disabled NIST-certified core packages with priority security updates
livepatch yes n/a Canonical Livepatch service
usg yes disabled Security compliance and audit tools
NOTICES
Reboot to FIPS kernel required
Enable services with: ua enable <service>
Valid until: 9999-12-31 00:00:00+00:00
Technical support level: essential
----
----
>ua version
u27.7~20.04.1
>cat /etc/cloud/
build_name: pro-fips-server
serial: 20220215.1
----
After reboot, perform the same "ua status" command and the same notice "Reboot to FIPS kernel required" is displayed. However, FIPS kernel is loaded and UA shows enabled.
-------
>uname -a
Linux temp-test-01 5.4.0-1022-
-------
Running apt shows no applicable updates available.
-------------
>apt-get update
Hit:1 http://
Hit:2 http://
Hit:3 http://
Hit:4 http://
Get:5 https:/
Get:6 https:/
Hit:7 https:/
Hit:8 https:/
Hit:9 https:/
Fetched 14.9 kB in 6s (2357 B/s)
Reading package lists... Done
root@temp-
Listing... Done
libgcrypt20-
libgcrypt20/focal 1.8.5-5ubuntu1.
snapd/focal-updates 2.54.3+
------------
Expected results:
1) ua status should properly report that a FIPS kernel is active.
Is this a check that is failing?
2) lsb_release -rd should show that it is not just 20.04.4 LTS but 20.04.4 LTS FIPS
Is this appropriate? FIPS is an enhancement of the mainstream LTS deployment. The clearer it is that this is a FIPS installation the better, no matter how you go about querying the system information.
Is #1 seeing the results of #2 and thus reporting that a reboot to FIPS kernel is required?
Hi Eric,
No, the problem here is that the FIPS message you are seeing:
Reboot to FIPS kernel required
is not being properly removed by our tool. We will fix this in a subsequent release of UA.
Note that this doesn't cause the lsb_release issue you mentioned at all. Additionally, the lsb_release command output is not related to ubuntu-advantage-tools at all.
Also, `lsb_release` sources the information from /etc/lsb-release, whose fields identify the OS distribution, and FIPS enablement is not a separate OS product. However, we can discuss this more if needed.