ubuntu-advantage enable fips will fail due to missing --assume-yes

Bug #1954842 reported by John Chittum
This bug affects 2 people
Affects     Status        Importance  Assigned to  Milestone
cloud-init  Fix Released  Medium      Unassigned

Bug Description

cloud-provider: AWS
cloud-init configuration (relevant section):

ubuntu-advantage:
  token: <ua_contract_token>
  enable:
  - fips

(no reports attached, as bug is viewable in the code, however I can reproduce if you'd like)

ubuntu-advantage (ua) calls often have prompts. The ubuntu_advantage directive runs without the `--assume-yes` flag from ua:

    for service in enable:
        try:
            cmd = ['ua', 'enable', service]
            subp.subp(cmd, capture=True)
        except subp.ProcessExecutionError as e:
            enable_errors.append((service, e))

https://github.com/canonical/cloud-init/blob/bedac77e9348e7a54c0ec364fb61df90cd893972/cloudinit/config/cc_ubuntu_advantage.py#L124

This will not work with FIPS, as running `ua enable fips` without `--assume-yes` will result in prompts.

I propose having `ua enable --assume-yes $service` be the default call in cloud-init.

Chad Smith (chad.smith) wrote :

Confirmed on your suggested approach. Even services which don't have prompts will allow you to pass --assume-yes without error. It is ok to provide this param to all enable calls.

    $ ua enable cis --assume-yes
    One moment, checking your subscription first
    Updating package lists
    Installing CIS Audit packages
    CIS Audit enabled
    Visit https://security-certs.docs.ubuntu.com/en/cis to learn how to use CIS
    $ echo $?
    0
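
The failure in the bug description and the fix confirmed in the comment above, reproduced offline as an added example (not cloud-init's code). `FAKE_UA` is a constructed stand-in that prompts for `fips` unless `--assume-yes` is passed, not the real `ua` client; `enable_services`, `assume_yes` and `ua_cmd` are hypothetical names, and the example assumes a prompt with no terminal attached ends in a non-zero exit.

```python
import subprocess
import sys

# Constructed stand-in for a CLI that asks for confirmation before enabling
# "fips" unless --assume-yes is given. It is NOT the real `ua` client, and
# the prompt text is made up for this example.
FAKE_UA = r'''
import sys
args = sys.argv[1:]
service = [a for a in args[1:] if not a.startswith("--")][0]
if service == "fips" and "--assume-yes" not in args:
    try:
        answer = input("Proceed? (y/N) ")
    except EOFError:          # no terminal attached, as during first boot
        sys.exit("aborted: no answer to prompt")
    if answer.lower() != "y":
        sys.exit("aborted by user")
print(service + " enabled")
'''


def enable_services(services, assume_yes, ua_cmd=None):
    """Mirror the loop from the report; return [(service, stderr)] for failures."""
    ua_cmd = ua_cmd or [sys.executable, "-c", FAKE_UA]
    enable_errors = []
    for service in services:
        cmd = ua_cmd + ["enable"]
        if assume_yes:
            cmd.append("--assume-yes")
        cmd.append(service)
        # stdin=DEVNULL models a boot-time run: nobody can answer a prompt.
        proc = subprocess.run(cmd, stdin=subprocess.DEVNULL,
                              capture_output=True, text=True)
        if proc.returncode != 0:
            enable_errors.append((service, proc.stderr.strip()))
    return enable_errors


if __name__ == "__main__":
    print("without flag:", enable_services(["cis", "fips"], assume_yes=False))
    print("with flag:   ", enable_services(["cis", "fips"], assume_yes=True))
```

Because the errors are collected rather than raised per service, an instance can finish booting without FIPS enabled, so the returned list is what a provisioning check should inspect.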

Changed in cloud-init:
status: New → Triaged
importance: Undecided → Critical
importance: Critical → Medium
Brett Holman (holmanb) wrote : Fixed in cloud-init version 22.1.

This bug is believed to be fixed in cloud-init in version 22.1. If this is still a problem for you, please make a comment and set the state back to New.

Thank you.

Changed in cloud-init:
status: Triaged → Fix Released
James Falcon (falcojr) wrote :