UA backend(s) unreachable during live filesystem builds
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Launchpad itself | Confirmed | High | Unassigned |
Bug Description
[context]
VM instances started from Ubuntu FIPS cloud offers need to boot with FIPS modules. This is why CPC needs to pre-install FIPS components (kernel + crypto libraries) on FIPS cloud images.
To do so, the CPC team is manually adding FIPS PPAs, installing and holding back packages, etc. By doing so, we are trying to mock what the UA client is usually doing on running machines (with "ua enable fips"). Since the FIPS installation process is sometimes updated, keeping it up to date across different clouds requires maintenance work. Also, because these changes also happen in the UA client, the work is duplicated.
To avoid this duplication and also prevent any potential "conflict" between what is done during image build and UA client, the CPC team would like to install FIPS using UA client in the images.
[request]
To do so, UA client running on LP needs to be able to access the following domains:
for staging:
contracts.
esm.staging.
for production:
contracts.
esm.canonical.com
[security considerations]
Since those domains are maintained by Canonical, my security concerns are limited. However, I also have limited knowledge of LP and of its security considerations in general.
NB: I don't know for sure if these are the only endpoints we need to allow, I will check UA client's logs to confirm.
Changed in launchpad:
status: New → In Progress
importance: Undecided → High
assignee: nobody → Colin Watson (cjwatson)
> NB: I don't know for sure if these are the only endpoints we need to allow, I will check UA client's logs to confirm.
Requests to 'https://contracts.canonical.com' should be allowed as this is required to run "ua attach".