2017-09-26 15:39:01 |
Joy Latten |
bug |
|
|
added bug |
2017-09-26 15:48:52 |
Manoj Iyer |
nominated for series |
|
Ubuntu Artful |
|
2017-09-26 15:48:52 |
Manoj Iyer |
nominated for series |
|
Ubuntu Xenial |
|
2017-09-26 15:49:01 |
Manoj Iyer |
ubuntu-advantage-tools (Ubuntu): importance |
Undecided |
High |
|
2017-09-30 01:28:15 |
Andreas Hasenack |
bug |
|
|
added subscriber Andreas Hasenack |
2017-09-30 01:28:37 |
Andreas Hasenack |
nominated for series |
|
Ubuntu Zesty |
|
2017-10-09 16:25:30 |
Joy Latten |
description |
[IMPACT]
when "ubuntu-advantage enable-fips <token>" is issued from commandline,
- configure the private PPA where the FIPS modules are located
- install the FIPS modules from this PPA to the local machine from where the script is run
- configure the bootloader to enable fips
Upon successful completion of these steps, the customer then gets a message stating to reboot
the machine to complete the fips enablement process.
Without the script, customers must perform the steps manually.
[FIX]
[TEST]
A test package is available in the following PPA: and it was tested by me on S390, PPC64EL and AMD64 architectures.
-- Test results before the patch --
-- Test results after the patch --
[REGRESSION POTENTIAL]
The patch adds a new features to ubuntu-advantage-tool in Xenial to enable fips. No regression risks. |
[IMPACT]
when "ubuntu-advantage enable-fips <token>" is issued from commandline,
- configure the private PPA where the FIPS modules are located
- install the FIPS modules from this PPA to the local machine from where the script is run
- configure the bootloader to enable fips
Upon successful completion of these steps, the customer then gets a message stating to reboot
the machine to complete the fips enablement process.
Without the script, customers must perform the steps manually.
[FIX]
Add enable-fips to advantage script. See debdiff below.
[TEST]
A test package is available: and it was tested by me on S390, PPC64EL and AMD64 architectures.
[REGRESSION POTENTIAL]
The patch adds a new features to ubuntu-advantage-tool in Xenial to enable fips. Current functionality was not altered. |
|
2017-10-09 16:28:44 |
Joy Latten |
attachment added |
|
git log diff between version v2-upload3 and v11 https://bugs.launchpad.net/ubuntu/+source/ubuntu-advantage-tools/+bug/1719671/+attachment/4966079/+files/git-log-v2-upload3..v11 |
|
2017-10-09 16:41:25 |
Joy Latten |
attachment added |
|
debdiff between v2 (curently in xenial) and v11 https://bugs.launchpad.net/ubuntu/+source/ubuntu-advantage-tools/+bug/1719671/+attachment/4966092/+files/v2v11.debdiff |
|
2017-10-09 16:44:10 |
Joy Latten |
attachment added |
|
Build log for amd64. https://bugs.launchpad.net/ubuntu/+source/ubuntu-advantage-tools/+bug/1719671/+attachment/4966093/+files/build.log.amd64 |
|
2017-10-09 16:47:46 |
Joy Latten |
attachment added |
|
tox results on xenial amd64 https://bugs.launchpad.net/ubuntu/+source/ubuntu-advantage-tools/+bug/1719671/+attachment/4966094/+files/tox.results.amd64 |
|
2017-10-09 16:55:52 |
Joy Latten |
attachment added |
|
ubuntu-advantage-tools_11.tar.xz https://bugs.launchpad.net/ubuntu/+source/ubuntu-advantage-tools/+bug/1719671/+attachment/4966095/+files/ubuntu-advantage-tools_11.tar.xz |
|
2017-10-09 20:24:19 |
Ubuntu Foundations Team Bug Bot |
tags |
fips |
fips patch |
|
2017-10-09 20:24:29 |
Ubuntu Foundations Team Bug Bot |
bug |
|
|
added subscriber Ubuntu Sponsors Team |
2017-10-10 14:25:55 |
Joy Latten |
attachment added |
|
install log: shows output of running ubuntu-advantage script before and after installing v11. https://bugs.launchpad.net/ubuntu/+source/ubuntu-advantage-tools/+bug/1719671/+attachment/4966733/+files/install.log.amd64 |
|
2017-10-12 19:10:20 |
Joy Latten |
attachment added |
|
tox test results on zesty https://bugs.launchpad.net/ubuntu/+source/ubuntu-advantage-tools/+bug/1719671/+attachment/4969139/+files/tox.results.amd64.zesty |
|
2017-10-12 19:13:00 |
Joy Latten |
attachment added |
|
Install log for zesty. Note FIPS is not supported on zesty. https://bugs.launchpad.net/ubuntu/+source/ubuntu-advantage-tools/+bug/1719671/+attachment/4969144/+files/install.log.amd64.zesty |
|
2017-10-12 19:14:21 |
Joy Latten |
attachment added |
|
build log for zesty https://bugs.launchpad.net/ubuntu/+source/ubuntu-advantage-tools/+bug/1719671/+attachment/4969155/+files/build.log.amd64.zesty |
|
2017-10-12 19:43:17 |
Nish Aravamudan |
bug |
|
|
added subscriber Nish Aravamudan |
2017-10-12 20:06:06 |
Nish Aravamudan |
ubuntu-advantage-tools (Ubuntu): status |
New |
Fix Released |
|
2017-10-12 20:10:09 |
Nish Aravamudan |
bug task added |
|
ubuntu-advantage-tools (Ubuntu Xenial) |
|
2017-10-12 20:10:17 |
Nish Aravamudan |
bug task added |
|
ubuntu-advantage-tools (Ubuntu Zesty) |
|
2017-10-12 20:26:39 |
Joy Latten |
summary |
[SRU][xenial] include fips enablement into ubuntu-advantage |
[SRU][xenial] include new version |
|
2017-10-12 20:27:35 |
Joy Latten |
summary |
[SRU][xenial] include new version |
[SRU][xenial] include recent version containing fips |
|
2017-10-12 20:33:24 |
Joy Latten |
description |
[IMPACT]
when "ubuntu-advantage enable-fips <token>" is issued from commandline,
- configure the private PPA where the FIPS modules are located
- install the FIPS modules from this PPA to the local machine from where the script is run
- configure the bootloader to enable fips
Upon successful completion of these steps, the customer then gets a message stating to reboot
the machine to complete the fips enablement process.
Without the script, customers must perform the steps manually.
[FIX]
Add enable-fips to advantage script. See debdiff below.
[TEST]
A test package is available: and it was tested by me on S390, PPC64EL and AMD64 architectures.
[REGRESSION POTENTIAL]
The patch adds a new features to ubuntu-advantage-tool in Xenial to enable fips. Current functionality was not altered. |
[IMPACT]
Most recent version of ubuntu-advantage-tool on github includes fips enablement. The fips enablement will allow customers to easily install and configure Canonical's FIPS certified modules on xenial
Note: FIPS certified modules are only available for xenial. On other releases the tool will not install and configure fips.
when "ubuntu-advantage enable-fips <token>" is issued from commandline,
- configure the private PPA where the FIPS modules are located
- install the FIPS modules from this PPA to the local machine from where the script is run
- configure the bootloader to enable fips
Upon successful completion of these steps, the customer then gets a message stating to reboot
the machine to complete the fips enablement process.
Without the script, customers must perform the steps manually.
[FIX]
Add enable-fips to advantage script. See debdiff below.
[TEST]
A test package is available: and it was tested by me on S390, PPC64EL and AMD64 architectures.
[REGRESSION POTENTIAL]
The patch adds a new features to ubuntu-advantage-tool in Xenial to enable fips. Current functionality was not altered. |
|
2017-10-13 13:21:27 |
Chris Johnston |
tags |
fips patch |
fips patch sts |
|
2017-10-17 15:43:11 |
Joy Latten |
attachment removed |
debdiff between v2 (curently in xenial) and v11 https://bugs.launchpad.net/ubuntu/+source/ubuntu-advantage-tools/+bug/1719671/+attachment/4966092/+files/v2v11.debdiff |
|
|
2017-10-17 15:43:30 |
Joy Latten |
attachment removed |
git log diff between version v2-upload3 and v11 https://bugs.launchpad.net/ubuntu/+source/ubuntu-advantage-tools/+bug/1719671/+attachment/4966079/+files/git-log-v2-upload3..v11 |
|
|
2017-10-17 15:44:27 |
Joy Latten |
attachment removed |
Build log for amd64. https://bugs.launchpad.net/ubuntu/+source/ubuntu-advantage-tools/+bug/1719671/+attachment/4966093/+files/build.log.amd64 |
|
|
2017-10-17 15:44:43 |
Joy Latten |
attachment removed |
tox results on xenial amd64 https://bugs.launchpad.net/ubuntu/+source/ubuntu-advantage-tools/+bug/1719671/+attachment/4966094/+files/tox.results.amd64 |
|
|
2017-10-17 15:44:57 |
Joy Latten |
attachment removed |
ubuntu-advantage-tools_11.tar.xz https://bugs.launchpad.net/ubuntu/+source/ubuntu-advantage-tools/+bug/1719671/+attachment/4966095/+files/ubuntu-advantage-tools_11.tar.xz |
|
|
2017-10-17 15:49:04 |
Joy Latten |
attachment added |
|
build log for xenial https://bugs.launchpad.net/ubuntu/+source/ubuntu-advantage-tools/+bug/1719671/+attachment/4973778/+files/build.log.xenial |
|
2017-10-17 15:49:27 |
Joy Latten |
attachment removed |
tox test results on zesty https://bugs.launchpad.net/ubuntu/+source/ubuntu-advantage-tools/+bug/1719671/+attachment/4969139/+files/tox.results.amd64.zesty |
|
|
2017-10-17 15:49:46 |
Joy Latten |
attachment removed |
Install log for zesty. Note FIPS is not supported on zesty. https://bugs.launchpad.net/ubuntu/+source/ubuntu-advantage-tools/+bug/1719671/+attachment/4969144/+files/install.log.amd64.zesty |
|
|
2017-10-17 15:49:59 |
Joy Latten |
attachment removed |
install log: shows output of running ubuntu-advantage script before and after installing v11. https://bugs.launchpad.net/ubuntu/+source/ubuntu-advantage-tools/+bug/1719671/+attachment/4966733/+files/install.log.amd64 |
|
|
2017-10-17 15:50:10 |
Joy Latten |
attachment removed |
build log for zesty https://bugs.launchpad.net/ubuntu/+source/ubuntu-advantage-tools/+bug/1719671/+attachment/4969155/+files/build.log.amd64.zesty |
|
|
2017-10-17 15:56:06 |
Joy Latten |
attachment added |
|
Install log shows before installing v10 on xenial, install steps, and afterwards https://bugs.launchpad.net/ubuntu/+source/ubuntu-advantage-tools/+bug/1719671/+attachment/4973797/+files/install.log.xenial |
|
2017-10-17 16:00:52 |
Joy Latten |
attachment added |
|
v2v10.xenial.debdiff https://bugs.launchpad.net/ubuntu/+source/ubuntu-advantage-tools/+bug/1719671/+attachment/4973809/+files/v2v10-xenial.debdiff |
|
2017-10-17 16:02:03 |
Joy Latten |
attachment added |
|
git-log-v2upload3..v10.xenial https://bugs.launchpad.net/ubuntu/+source/ubuntu-advantage-tools/+bug/1719671/+attachment/4973810/+files/git-log-v2upload3..v10.xenial |
|
2017-10-17 16:03:06 |
Joy Latten |
attachment added |
|
tox.results.xenial https://bugs.launchpad.net/ubuntu/+source/ubuntu-advantage-tools/+bug/1719671/+attachment/4973811/+files/tox.results.xenial |
|
2017-10-17 16:09:52 |
Joy Latten |
attachment added |
|
ubuntu-advantage-tools_10~ubuntu0.16.04.1.tar.xz https://bugs.launchpad.net/ubuntu/+source/ubuntu-advantage-tools/+bug/1719671/+attachment/4973827/+files/ubuntu-advantage-tools_10~ubuntu0.16.04.1.tar.xz |
|
2017-10-17 16:11:08 |
Joy Latten |
attachment added |
|
build.log.zesty https://bugs.launchpad.net/ubuntu/+source/ubuntu-advantage-tools/+bug/1719671/+attachment/4973828/+files/build.log.zesty |
|
2017-10-17 16:12:47 |
Joy Latten |
attachment added |
|
install.log.zesty shows before installing v10, install steps, and afterwards https://bugs.launchpad.net/ubuntu/+source/ubuntu-advantage-tools/+bug/1719671/+attachment/4973832/+files/install.log.zesty |
|
2017-10-17 16:13:33 |
Joy Latten |
attachment added |
|
v2v10-zesty.debdiff https://bugs.launchpad.net/ubuntu/+source/ubuntu-advantage-tools/+bug/1719671/+attachment/4973833/+files/v2v10-zesty.debdiff |
|
2017-10-17 16:15:16 |
Joy Latten |
attachment added |
|
git-log-v2upload3..v10.zesty https://bugs.launchpad.net/ubuntu/+source/ubuntu-advantage-tools/+bug/1719671/+attachment/4973835/+files/git-log-v2upload3..v10.zesty |
|
2017-10-17 16:16:23 |
Joy Latten |
attachment added |
|
tox.results.zesty https://bugs.launchpad.net/ubuntu/+source/ubuntu-advantage-tools/+bug/1719671/+attachment/4973836/+files/tox.results.zesty |
|
2017-10-17 16:19:26 |
Joy Latten |
attachment added |
|
ubuntu-advantage-tools_10~ubuntu0.17.04.1.tar.xz https://bugs.launchpad.net/ubuntu/+source/ubuntu-advantage-tools/+bug/1719671/+attachment/4973837/+files/ubuntu-advantage-tools_10~ubuntu0.17.04.1.tar.xz |
|
2017-10-17 18:06:18 |
Eric Desrochers |
bug |
|
|
added subscriber Eric Desrochers |
2017-10-17 20:38:23 |
Joy Latten |
description |
[IMPACT]
Most recent version of ubuntu-advantage-tool on github includes fips enablement. The fips enablement will allow customers to easily install and configure Canonical's FIPS certified modules on xenial
Note: FIPS certified modules are only available for xenial. On other releases the tool will not install and configure fips.
when "ubuntu-advantage enable-fips <token>" is issued from commandline,
- configure the private PPA where the FIPS modules are located
- install the FIPS modules from this PPA to the local machine from where the script is run
- configure the bootloader to enable fips
Upon successful completion of these steps, the customer then gets a message stating to reboot
the machine to complete the fips enablement process.
Without the script, customers must perform the steps manually.
[FIX]
Add enable-fips to advantage script. See debdiff below.
[TEST]
A test package is available: and it was tested by me on S390, PPC64EL and AMD64 architectures.
[REGRESSION POTENTIAL]
The patch adds a new features to ubuntu-advantage-tool in Xenial to enable fips. Current functionality was not altered. |
[IMPACT]
Most recent version of ubuntu-advantage-tool on github includes fips enablement. The fips enablement will allow customers to easily install and configure Canonical's FIPS certified modules on xenial
Note: FIPS certified modules are only available for xenial. On other releases the tool will not install and configure fips.
when "ubuntu-advantage enable-fips <token>" is issued from commandline,
- configure the private PPA where the FIPS modules are located
- install the FIPS modules from this PPA to the local machine from where the script is run
- configure the bootloader to enable fips
Upon successful completion of these steps, the customer then gets a message stating to reboot
the machine to complete the fips enablement process.
Without the script, customers must perform the steps manually.
[FIX]
Add enable-fips to advantage script. See debdiff below.
[TEST]
A test package is available: and it was tested by me on S390, PPC64EL and AMD64 architectures.
[REGRESSION POTENTIAL]
The patch adds a new features to ubuntu-advantage-tool in Xenial to enable fips. Current functionality was not altered.
[FIPS TESTCASES]
These testcases assume you have installed ubuntu-advantage-tools with the proposed changes.
XENIAL
1. Collect status before enabling fips
type on commandline,
ubuntu-advantage status
expect,
livepatch: disabled
esm: disabled (not available)
fips: disabled
2. Enable fips
Note: This will require a token or credentials to fips Private PPA, in
the form xxx:xxx
type on commandline,
sudo ubuntu-advantage enable-fips xxx:xxx
expect,
[sudo] password for ubuntu:
Running apt-get update... OK
Ubuntu FIPS PPA repository enabled.
Installing FIPS packages (this may take a while)... OK
Configuring FIPS...
Updating grub to enable fips... OK
Successfully configured FIPS. PLEASE REBOOT to complete FIPS enablement.
type on commandline,
sudo reboot
3. Log back into system after reboot
type on commandline,
ubuntu-advantage status
expect,
livepatch: disabled
esm: disabled (not available)
fips: enabled
4. verify fips kernel "4.4.0-1002-fips" has been installed
type on commandline,
uname -a
expect,
Linux xenialguest 4.4.0-1002-fips #2-Ubuntu SMP Thu Apr 27 19:37:46 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
ZESTY
(Note that FIPS is not supported on zesty.)
1. Collect status before enabling fips
type on commandline,
ubuntu-advantage status
expect,
livepatch: disabled (not available)
esm: disabled (not available)
fips: disabled (not available)
2. Ensure that fips cannot be enabled on Zesty.
Note: This will require a token or credentials to fips Private PPA, in
the form xxx:xxx
type on commandline,
sudo ubuntu-advantage enable-fips xxx:xxx
expect,
Sorry, but Canonical FIPS 140-2 Modules is not supported on zesty
3. Check that kernel is not fips kernel (4.4.0-1002-fips)
type on commandline,
uname -a
expect:
Linux ubuntu-zesty 4.10.0-19-generic #21-Ubuntu SMP Thu Apr 6 17:04:57 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux |
|
2017-10-18 20:11:08 |
Andreas Hasenack |
summary |
[SRU][xenial] include recent version containing fips |
[SRU][xenial] include recent version containing fips and livepatch |
|
2017-10-18 20:11:56 |
Andreas Hasenack |
description |
[IMPACT]
Most recent version of ubuntu-advantage-tool on github includes fips enablement. The fips enablement will allow customers to easily install and configure Canonical's FIPS certified modules on xenial
Note: FIPS certified modules are only available for xenial. On other releases the tool will not install and configure fips.
when "ubuntu-advantage enable-fips <token>" is issued from commandline,
- configure the private PPA where the FIPS modules are located
- install the FIPS modules from this PPA to the local machine from where the script is run
- configure the bootloader to enable fips
Upon successful completion of these steps, the customer then gets a message stating to reboot
the machine to complete the fips enablement process.
Without the script, customers must perform the steps manually.
[FIX]
Add enable-fips to advantage script. See debdiff below.
[TEST]
A test package is available: and it was tested by me on S390, PPC64EL and AMD64 architectures.
[REGRESSION POTENTIAL]
The patch adds a new features to ubuntu-advantage-tool in Xenial to enable fips. Current functionality was not altered.
[FIPS TESTCASES]
These testcases assume you have installed ubuntu-advantage-tools with the proposed changes.
XENIAL
1. Collect status before enabling fips
type on commandline,
ubuntu-advantage status
expect,
livepatch: disabled
esm: disabled (not available)
fips: disabled
2. Enable fips
Note: This will require a token or credentials to fips Private PPA, in
the form xxx:xxx
type on commandline,
sudo ubuntu-advantage enable-fips xxx:xxx
expect,
[sudo] password for ubuntu:
Running apt-get update... OK
Ubuntu FIPS PPA repository enabled.
Installing FIPS packages (this may take a while)... OK
Configuring FIPS...
Updating grub to enable fips... OK
Successfully configured FIPS. PLEASE REBOOT to complete FIPS enablement.
type on commandline,
sudo reboot
3. Log back into system after reboot
type on commandline,
ubuntu-advantage status
expect,
livepatch: disabled
esm: disabled (not available)
fips: enabled
4. verify fips kernel "4.4.0-1002-fips" has been installed
type on commandline,
uname -a
expect,
Linux xenialguest 4.4.0-1002-fips #2-Ubuntu SMP Thu Apr 27 19:37:46 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
ZESTY
(Note that FIPS is not supported on zesty.)
1. Collect status before enabling fips
type on commandline,
ubuntu-advantage status
expect,
livepatch: disabled (not available)
esm: disabled (not available)
fips: disabled (not available)
2. Ensure that fips cannot be enabled on Zesty.
Note: This will require a token or credentials to fips Private PPA, in
the form xxx:xxx
type on commandline,
sudo ubuntu-advantage enable-fips xxx:xxx
expect,
Sorry, but Canonical FIPS 140-2 Modules is not supported on zesty
3. Check that kernel is not fips kernel (4.4.0-1002-fips)
type on commandline,
uname -a
expect:
Linux ubuntu-zesty 4.10.0-19-generic #21-Ubuntu SMP Thu Apr 6 17:04:57 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux |
[IMPACT]
Most recent version of ubuntu-advantage-tool on github includes fips and livepatch enablement. The fips enablement will allow customers to easily install and configure Canonical's FIPS certified modules on xenial, whereas livepatch allows customers to patch the kernel without a reboot.
This SRU will cover both new features.
Note: FIPS certified modules are only available for xenial. On other releases the tool will not install and configure fips.
when "ubuntu-advantage enable-fips <token>" is issued from commandline,
- configure the private PPA where the FIPS modules are located
- install the FIPS modules from this PPA to the local machine from where the script is run
- configure the bootloader to enable fips
Upon successful completion of these steps, the customer then gets a message stating to reboot
the machine to complete the fips enablement process.
Without the script, customers must perform the steps manually.
[FIX]
Add enable-fips to advantage script. See debdiff below.
[TEST]
A test package is available: and it was tested by me on S390, PPC64EL and AMD64 architectures.
[REGRESSION POTENTIAL]
The patch adds a new features to ubuntu-advantage-tool in Xenial to enable fips. Current functionality was not altered.
[FIPS TESTCASES]
These testcases assume you have installed ubuntu-advantage-tools with the proposed changes.
XENIAL
1. Collect status before enabling fips
type on commandline,
ubuntu-advantage status
expect,
livepatch: disabled
esm: disabled (not available)
fips: disabled
2. Enable fips
Note: This will require a token or credentials to fips Private PPA, in
the form xxx:xxx
type on commandline,
sudo ubuntu-advantage enable-fips xxx:xxx
expect,
[sudo] password for ubuntu:
Running apt-get update... OK
Ubuntu FIPS PPA repository enabled.
Installing FIPS packages (this may take a while)... OK
Configuring FIPS...
Updating grub to enable fips... OK
Successfully configured FIPS. PLEASE REBOOT to complete FIPS enablement.
type on commandline,
sudo reboot
3. Log back into system after reboot
type on commandline,
ubuntu-advantage status
expect,
livepatch: disabled
esm: disabled (not available)
fips: enabled
4. verify fips kernel "4.4.0-1002-fips" has been installed
type on commandline,
uname -a
expect,
Linux xenialguest 4.4.0-1002-fips #2-Ubuntu SMP Thu Apr 27 19:37:46 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
ZESTY
(Note that FIPS is not supported on zesty.)
1. Collect status before enabling fips
type on commandline,
ubuntu-advantage status
expect,
livepatch: disabled (not available)
esm: disabled (not available)
fips: disabled (not available)
2. Ensure that fips cannot be enabled on Zesty.
Note: This will require a token or credentials to fips Private PPA, in
the form xxx:xxx
type on commandline,
sudo ubuntu-advantage enable-fips xxx:xxx
expect,
Sorry, but Canonical FIPS 140-2 Modules is not supported on zesty
3. Check that kernel is not fips kernel (4.4.0-1002-fips)
type on commandline,
uname -a
expect:
Linux ubuntu-zesty 4.10.0-19-generic #21-Ubuntu SMP Thu Apr 6 17:04:57 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux |
|
2017-10-18 20:12:27 |
Andreas Hasenack |
description |
[IMPACT]
Most recent version of ubuntu-advantage-tool on github includes fips and livepatch enablement. The fips enablement will allow customers to easily install and configure Canonical's FIPS certified modules on xenial, whereas livepatch allows customers to patch the kernel without a reboot.
This SRU will cover both new features.
Note: FIPS certified modules are only available for xenial. On other releases the tool will not install and configure fips.
when "ubuntu-advantage enable-fips <token>" is issued from commandline,
- configure the private PPA where the FIPS modules are located
- install the FIPS modules from this PPA to the local machine from where the script is run
- configure the bootloader to enable fips
Upon successful completion of these steps, the customer then gets a message stating to reboot
the machine to complete the fips enablement process.
Without the script, customers must perform the steps manually.
[FIX]
Add enable-fips to advantage script. See debdiff below.
[TEST]
A test package is available: and it was tested by me on S390, PPC64EL and AMD64 architectures.
[REGRESSION POTENTIAL]
The patch adds a new features to ubuntu-advantage-tool in Xenial to enable fips. Current functionality was not altered.
[FIPS TESTCASES]
These testcases assume you have installed ubuntu-advantage-tools with the proposed changes.
XENIAL
1. Collect status before enabling fips
type on commandline,
ubuntu-advantage status
expect,
livepatch: disabled
esm: disabled (not available)
fips: disabled
2. Enable fips
Note: This will require a token or credentials to fips Private PPA, in
the form xxx:xxx
type on commandline,
sudo ubuntu-advantage enable-fips xxx:xxx
expect,
[sudo] password for ubuntu:
Running apt-get update... OK
Ubuntu FIPS PPA repository enabled.
Installing FIPS packages (this may take a while)... OK
Configuring FIPS...
Updating grub to enable fips... OK
Successfully configured FIPS. PLEASE REBOOT to complete FIPS enablement.
type on commandline,
sudo reboot
3. Log back into system after reboot
type on commandline,
ubuntu-advantage status
expect,
livepatch: disabled
esm: disabled (not available)
fips: enabled
4. verify fips kernel "4.4.0-1002-fips" has been installed
type on commandline,
uname -a
expect,
Linux xenialguest 4.4.0-1002-fips #2-Ubuntu SMP Thu Apr 27 19:37:46 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
ZESTY
(Note that FIPS is not supported on zesty.)
1. Collect status before enabling fips
type on commandline,
ubuntu-advantage status
expect,
livepatch: disabled (not available)
esm: disabled (not available)
fips: disabled (not available)
2. Ensure that fips cannot be enabled on Zesty.
Note: This will require a token or credentials to fips Private PPA, in
the form xxx:xxx
type on commandline,
sudo ubuntu-advantage enable-fips xxx:xxx
expect,
Sorry, but Canonical FIPS 140-2 Modules is not supported on zesty
3. Check that kernel is not fips kernel (4.4.0-1002-fips)
type on commandline,
uname -a
expect:
Linux ubuntu-zesty 4.10.0-19-generic #21-Ubuntu SMP Thu Apr 6 17:04:57 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux |
[IMPACT]
Most recent version of ubuntu-advantage-tool on github includes fips and livepatch enablement. The fips enablement will allow customers to easily install and configure Canonical's FIPS certified modules on xenial, whereas livepatch allows customers to patch the kernel without a reboot.
This SRU will cover both new features.
Note: FIPS certified modules and livepatch are only available for xenial. On other releases the tool will not install and configure fips or livepatch.
when "ubuntu-advantage enable-fips <token>" is issued from commandline,
- configure the private PPA where the FIPS modules are located
- install the FIPS modules from this PPA to the local machine from where the script is run
- configure the bootloader to enable fips
Upon successful completion of these steps, the customer then gets a message stating to reboot
the machine to complete the fips enablement process.
Without the script, customers must perform the steps manually.
[FIX]
Add enable-fips to advantage script. See debdiff below.
[TEST]
A test package is available: and it was tested by me on S390, PPC64EL and AMD64 architectures.
[REGRESSION POTENTIAL]
The patch adds a new features to ubuntu-advantage-tool in Xenial to enable fips. Current functionality was not altered.
[FIPS TESTCASES]
These testcases assume you have installed ubuntu-advantage-tools with the proposed changes.
XENIAL
1. Collect status before enabling fips
type on commandline,
ubuntu-advantage status
expect,
livepatch: disabled
esm: disabled (not available)
fips: disabled
2. Enable fips
Note: This will require a token or credentials to fips Private PPA, in
the form xxx:xxx
type on commandline,
sudo ubuntu-advantage enable-fips xxx:xxx
expect,
[sudo] password for ubuntu:
Running apt-get update... OK
Ubuntu FIPS PPA repository enabled.
Installing FIPS packages (this may take a while)... OK
Configuring FIPS...
Updating grub to enable fips... OK
Successfully configured FIPS. PLEASE REBOOT to complete FIPS enablement.
type on commandline,
sudo reboot
3. Log back into system after reboot
type on commandline,
ubuntu-advantage status
expect,
livepatch: disabled
esm: disabled (not available)
fips: enabled
4. verify fips kernel "4.4.0-1002-fips" has been installed
type on commandline,
uname -a
expect,
Linux xenialguest 4.4.0-1002-fips #2-Ubuntu SMP Thu Apr 27 19:37:46 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
ZESTY
(Note that FIPS is not supported on zesty.)
1. Collect status before enabling fips
type on commandline,
ubuntu-advantage status
expect,
livepatch: disabled (not available)
esm: disabled (not available)
fips: disabled (not available)
2. Ensure that fips cannot be enabled on Zesty.
Note: This will require a token or credentials to fips Private PPA, in
the form xxx:xxx
type on commandline,
sudo ubuntu-advantage enable-fips xxx:xxx
expect,
Sorry, but Canonical FIPS 140-2 Modules is not supported on zesty
3. Check that kernel is not fips kernel (4.4.0-1002-fips)
type on commandline,
uname -a
expect:
Linux ubuntu-zesty 4.10.0-19-generic #21-Ubuntu SMP Thu Apr 6 17:04:57 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux |
|
2017-10-18 20:16:32 |
Andreas Hasenack |
description |
[IMPACT]
Most recent version of ubuntu-advantage-tool on github includes fips and livepatch enablement. The fips enablement will allow customers to easily install and configure Canonical's FIPS certified modules on xenial, whereas livepatch allows customers to patch the kernel without a reboot.
This SRU will cover both new features.
Note: FIPS certified modules and livepatch are only available for xenial. On other releases the tool will not install and configure fips or livepatch.
when "ubuntu-advantage enable-fips <token>" is issued from commandline,
- configure the private PPA where the FIPS modules are located
- install the FIPS modules from this PPA to the local machine from where the script is run
- configure the bootloader to enable fips
Upon successful completion of these steps, the customer then gets a message stating to reboot
the machine to complete the fips enablement process.
Without the script, customers must perform the steps manually.
[FIX]
Add enable-fips to advantage script. See debdiff below.
[TEST]
A test package is available: and it was tested by me on S390, PPC64EL and AMD64 architectures.
[REGRESSION POTENTIAL]
The patch adds a new features to ubuntu-advantage-tool in Xenial to enable fips. Current functionality was not altered.
[FIPS TESTCASES]
These testcases assume you have installed ubuntu-advantage-tools with the proposed changes.
XENIAL
1. Collect status before enabling fips
type on commandline,
ubuntu-advantage status
expect,
livepatch: disabled
esm: disabled (not available)
fips: disabled
2. Enable fips
Note: This will require a token or credentials to fips Private PPA, in
the form xxx:xxx
type on commandline,
sudo ubuntu-advantage enable-fips xxx:xxx
expect,
[sudo] password for ubuntu:
Running apt-get update... OK
Ubuntu FIPS PPA repository enabled.
Installing FIPS packages (this may take a while)... OK
Configuring FIPS...
Updating grub to enable fips... OK
Successfully configured FIPS. PLEASE REBOOT to complete FIPS enablement.
type on commandline,
sudo reboot
3. Log back into system after reboot
type on commandline,
ubuntu-advantage status
expect,
livepatch: disabled
esm: disabled (not available)
fips: enabled
4. verify fips kernel "4.4.0-1002-fips" has been installed
type on commandline,
uname -a
expect,
Linux xenialguest 4.4.0-1002-fips #2-Ubuntu SMP Thu Apr 27 19:37:46 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
ZESTY
(Note that FIPS is not supported on zesty.)
1. Collect status before enabling fips
type on commandline,
ubuntu-advantage status
expect,
livepatch: disabled (not available)
esm: disabled (not available)
fips: disabled (not available)
2. Ensure that fips cannot be enabled on Zesty.
Note: This will require a token or credentials to fips Private PPA, in
the form xxx:xxx
type on commandline,
sudo ubuntu-advantage enable-fips xxx:xxx
expect,
Sorry, but Canonical FIPS 140-2 Modules is not supported on zesty
3. Check that kernel is not fips kernel (4.4.0-1002-fips)
type on commandline,
uname -a
expect:
Linux ubuntu-zesty 4.10.0-19-generic #21-Ubuntu SMP Thu Apr 6 17:04:57 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux |
[IMPACT]
Most recent version of ubuntu-advantage-tool on github includes fips and livepatch enablement. The fips enablement will allow customers to easily install and configure Canonical's FIPS certified modules on xenial, whereas livepatch allows customers to patch the kernel without a reboot.
This SRU will cover both new features.
Note: FIPS certified modules and livepatch are only available for xenial. On other releases the tool will not install and configure fips or livepatch.
[FIPS DESCRIPTION]
when "ubuntu-advantage enable-fips <token>" is issued from commandline,
- configure the private PPA where the FIPS modules are located
- install the FIPS modules from this PPA to the local machine from where the script is run
- configure the bootloader to enable fips
Upon successful completion of these steps, the customer then gets a message stating to reboot
the machine to complete the fips enablement process.
Without the script, customers must perform the steps manually.
[LIVEPATCH DESCRIPTION]
TBW
[FIX]
Add enable-fips to advantage script. See debdiff below.
[TEST]
A test package is available: and it was tested by me on S390, PPC64EL and AMD64 architectures.
[REGRESSION POTENTIAL]
The patch adds a new features to ubuntu-advantage-tool in Xenial to enable fips and livepatch. Current functionality was not altered.
[FIPS TESTCASES]
These testcases assume you have installed ubuntu-advantage-tools with the proposed changes.
XENIAL
1. Collect status before enabling fips
type on commandline,
ubuntu-advantage status
expect,
livepatch: disabled
esm: disabled (not available)
fips: disabled
2. Enable fips
Note: This will require a token or credentials to fips Private PPA, in
the form xxx:xxx
type on commandline,
sudo ubuntu-advantage enable-fips xxx:xxx
expect,
[sudo] password for ubuntu:
Running apt-get update... OK
Ubuntu FIPS PPA repository enabled.
Installing FIPS packages (this may take a while)... OK
Configuring FIPS...
Updating grub to enable fips... OK
Successfully configured FIPS. PLEASE REBOOT to complete FIPS enablement.
type on commandline,
sudo reboot
3. Log back into system after reboot
type on commandline,
ubuntu-advantage status
expect,
livepatch: disabled
esm: disabled (not available)
fips: enabled
4. verify fips kernel "4.4.0-1002-fips" has been installed
type on commandline,
uname -a
expect,
Linux xenialguest 4.4.0-1002-fips #2-Ubuntu SMP Thu Apr 27 19:37:46 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
ZESTY
(Note that FIPS is not supported on zesty.)
1. Collect status before enabling fips
type on commandline,
ubuntu-advantage status
expect,
livepatch: disabled (not available)
esm: disabled (not available)
fips: disabled (not available)
2. Ensure that fips cannot be enabled on Zesty.
Note: This will require a token or credentials to fips Private PPA, in
the form xxx:xxx
type on commandline,
sudo ubuntu-advantage enable-fips xxx:xxx
expect,
Sorry, but Canonical FIPS 140-2 Modules is not supported on zesty
3. Check that kernel is not fips kernel (4.4.0-1002-fips)
type on commandline,
uname -a
expect:
Linux ubuntu-zesty 4.10.0-19-generic #21-Ubuntu SMP Thu Apr 6 17:04:57 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux |
|
2017-10-18 20:45:30 |
Eric Desrochers |
tags |
fips patch sts |
fips livepatch patch sts |
|
2017-10-19 20:47:57 |
Andreas Hasenack |
description |
[IMPACT]
Most recent version of ubuntu-advantage-tool on github includes fips and livepatch enablement. The fips enablement will allow customers to easily install and configure Canonical's FIPS certified modules on xenial, whereas livepatch allows customers to patch the kernel without a reboot.
This SRU will cover both new features.
Note: FIPS certified modules and livepatch are only available for xenial. On other releases the tool will not install and configure fips or livepatch.
[FIPS DESCRIPTION]
when "ubuntu-advantage enable-fips <token>" is issued from commandline,
- configure the private PPA where the FIPS modules are located
- install the FIPS modules from this PPA to the local machine from where the script is run
- configure the bootloader to enable fips
Upon successful completion of these steps, the customer then gets a message stating to reboot
the machine to complete the fips enablement process.
Without the script, customers must perform the steps manually.
[LIVEPATCH DESCRIPTION]
TBW
[FIX]
Add enable-fips to advantage script. See debdiff below.
[TEST]
A test package is available: and it was tested by me on S390, PPC64EL and AMD64 architectures.
[REGRESSION POTENTIAL]
The patch adds a new features to ubuntu-advantage-tool in Xenial to enable fips and livepatch. Current functionality was not altered.
[FIPS TESTCASES]
These testcases assume you have installed ubuntu-advantage-tools with the proposed changes.
XENIAL
1. Collect status before enabling fips
type on commandline,
ubuntu-advantage status
expect,
livepatch: disabled
esm: disabled (not available)
fips: disabled
2. Enable fips
Note: This will require a token or credentials to fips Private PPA, in
the form xxx:xxx
type on commandline,
sudo ubuntu-advantage enable-fips xxx:xxx
expect,
[sudo] password for ubuntu:
Running apt-get update... OK
Ubuntu FIPS PPA repository enabled.
Installing FIPS packages (this may take a while)... OK
Configuring FIPS...
Updating grub to enable fips... OK
Successfully configured FIPS. PLEASE REBOOT to complete FIPS enablement.
type on commandline,
sudo reboot
3. Log back into system after reboot
type on commandline,
ubuntu-advantage status
expect,
livepatch: disabled
esm: disabled (not available)
fips: enabled
4. verify fips kernel "4.4.0-1002-fips" has been installed
type on commandline,
uname -a
expect,
Linux xenialguest 4.4.0-1002-fips #2-Ubuntu SMP Thu Apr 27 19:37:46 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
ZESTY
(Note that FIPS is not supported on zesty.)
1. Collect status before enabling fips
type on commandline,
ubuntu-advantage status
expect,
livepatch: disabled (not available)
esm: disabled (not available)
fips: disabled (not available)
2. Ensure that fips cannot be enabled on Zesty.
Note: This will require a token or credentials to fips Private PPA, in
the form xxx:xxx
type on commandline,
sudo ubuntu-advantage enable-fips xxx:xxx
expect,
Sorry, but Canonical FIPS 140-2 Modules is not supported on zesty
3. Check that kernel is not fips kernel (4.4.0-1002-fips)
type on commandline,
uname -a
expect:
Linux ubuntu-zesty 4.10.0-19-generic #21-Ubuntu SMP Thu Apr 6 17:04:57 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux |
** description still being worked on, not done yet **
[IMPACT]
Most recent version of ubuntu-advantage-tool on github includes fips and livepatch enablement. The fips enablement will allow customers to easily install and configure Canonical's FIPS certified modules on xenial, whereas livepatch allows xenial and trusty customers to patch the running kernel without a reboot.
This SRU will cover both new features.
In addition to the new features themselves, a new "status" command was added that will give a short summary about the available modules and their status, at a glance.
Note: FIPS certified modules are only available for xenial. Livepatch is supported on xenial and trusty. The tool will refuse to enable either service on an unsupported ubuntu release.
Without this updated package, customers of those services have to enable them manually by following a series of steps.
[FIPS DESCRIPTION]
When "ubuntu-advantage enable-fips <token>" is issued from commandline,
- configure the private PPA where the FIPS modules are located
- install the FIPS modules from this PPA to the local machine from where the script is run
- configure the bootloader to enable fips
Upon successful completion of these steps, the customer then gets a message stating to reboot
the machine to complete the fips enablement process.
Without the script, customers must perform the steps manually.
[LIVEPATCH DESCRIPTION]
Livepatch allows customers to apply kernel patches to a running system without rebooting it.
The current instructions live in http://ubuntu.com/livepatch and boil down to:
- install snapd if it's not installed already. On trusty this means a new kernel as well.
- install the canonical-livepatch snap
- obtain a livepatch token from Canonical
- run the enable command with the given token
The ubuntu-advantage-tools package simplifies this process by just requesting the token and performing all the other steps on behalf of the user. It also conveniently checks the running kernel and instructs the user to reboot into a newer kernel if needed to finish the installation (this is the case when running trusty).
[FIX]
Add fips and livepatch support to the ubuntu-adadvantage-tools package. See debdiff below.
[FIPS TESTCASES]
These testcases assume you have installed ubuntu-advantage-tools with the proposed changes. Prior to the upload they were performed on S390, PPC64EL and AMD64 architectures.
XENIAL
0. Install the new package to add fips support.
1. Collect status before enabling fips
type on commandline,
ubuntu-advantage status
expect,
livepatch: disabled
esm: disabled (not available)
fips: disabled
2. Enable fips
Note: This will require a token or credentials to fips Private PPA, in
the form xxx:xxx
type on commandline,
sudo ubuntu-advantage enable-fips xxx:xxx
expect,
[sudo] password for ubuntu:
Running apt-get update... OK
Ubuntu FIPS PPA repository enabled.
Installing FIPS packages (this may take a while)... OK
Configuring FIPS...
Updating grub to enable fips... OK
Successfully configured FIPS. Please reboot into the FIPS kernel to enable it.
type on commandline,
sudo reboot
3. Log back into system after reboot
type on commandline,
ubuntu-advantage status
expect,
livepatch: disabled
esm: disabled (not available)
fips: enabled
4. verify fips kernel "4.4.0-1002-fips" has been installed
type on commandline,
uname -a
expect,
Linux xenialguest 4.4.0-1002-fips #2-Ubuntu SMP Thu Apr 27 19:37:46 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
ZESTY
(Note that FIPS is not supported on zesty.)
1. Collect status before enabling fips
type on commandline,
ubuntu-advantage status
expect,
livepatch: disabled (not available)
esm: disabled (not available)
fips: disabled (not available)
2. Ensure that fips cannot be enabled on Zesty.
You can use a dummy set of credentials like user:secret as the token:
type on commandline,
sudo ubuntu-advantage enable-fips user:secret
expect,
Sorry, but Canonical FIPS 140-2 Modules is not supported on zesty
3. Check that kernel is not fips kernel (4.4.0-1002-fips)
type on commandline,
uname -a
expect:
Linux ubuntu-zesty 4.10.0-19-generic #21-Ubuntu SMP Thu Apr 6 17:04:57 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
[REGRESSION POTENTIAL]
The current ubuntu-advantage-tools package in trusty, xenial and zesty is basically a NOOP because the only service it supports is ESM, which is only available for precise.
This update adds two new features to the package: FIPS (xenial only) and Livepatch (trusty and xenial), essentially making the package useful in trusty and xenial. For zesty there is no change, as none of these products are available for non-LTS releases.
[OTHER INFO]
The way this package was made available in all the ubuntu releases where it is now was via a "pocket copy". That's why it has the exact same version in trusty, xenial and zesty. Currently artful has version 10 (a version 12 just missed the feature freeze), so in order for upgrades between releases to work, we adopted the backports versioning scheme, by appending the ubuntu release code with a tilda ("~") to the version.
Another point is that even though ubuntu-advantage-tools is "just" a shell script, it is unit tested with python3, and these tests (and lint runs) gate merges in the upstream github repository at github.com/CanonicalLtd/ubuntu-advantage-script/ |
|
2017-10-20 18:45:15 |
Andreas Hasenack |
summary |
[SRU][xenial] include recent version containing fips and livepatch |
[SRU] include recent version containing fips and livepatch |
|
2017-10-20 19:52:27 |
Andreas Hasenack |
description |
** description still being worked on, not done yet **
[IMPACT]
Most recent version of ubuntu-advantage-tool on github includes fips and livepatch enablement. The fips enablement will allow customers to easily install and configure Canonical's FIPS certified modules on xenial, whereas livepatch allows xenial and trusty customers to patch the running kernel without a reboot.
This SRU will cover both new features.
In addition to the new features themselves, a new "status" command was added that will give a short summary about the available modules and their status, at a glance.
Note: FIPS certified modules are only available for xenial. Livepatch is supported on xenial and trusty. The tool will refuse to enable either service on an unsupported ubuntu release.
Without this updated package, customers of those services have to enable them manually by following a series of steps.
[FIPS DESCRIPTION]
When "ubuntu-advantage enable-fips <token>" is issued from commandline,
- configure the private PPA where the FIPS modules are located
- install the FIPS modules from this PPA to the local machine from where the script is run
- configure the bootloader to enable fips
Upon successful completion of these steps, the customer then gets a message stating to reboot
the machine to complete the fips enablement process.
Without the script, customers must perform the steps manually.
[LIVEPATCH DESCRIPTION]
Livepatch allows customers to apply kernel patches to a running system without rebooting it.
The current instructions live in http://ubuntu.com/livepatch and boil down to:
- install snapd if it's not installed already. On trusty this means a new kernel as well.
- install the canonical-livepatch snap
- obtain a livepatch token from Canonical
- run the enable command with the given token
The ubuntu-advantage-tools package simplifies this process by just requesting the token and performing all the other steps on behalf of the user. It also conveniently checks the running kernel and instructs the user to reboot into a newer kernel if needed to finish the installation (this is the case when running trusty).
[FIX]
Add fips and livepatch support to the ubuntu-adadvantage-tools package. See debdiff below.
[FIPS TESTCASES]
These testcases assume you have installed ubuntu-advantage-tools with the proposed changes. Prior to the upload they were performed on S390, PPC64EL and AMD64 architectures.
XENIAL
0. Install the new package to add fips support.
1. Collect status before enabling fips
type on commandline,
ubuntu-advantage status
expect,
livepatch: disabled
esm: disabled (not available)
fips: disabled
2. Enable fips
Note: This will require a token or credentials to fips Private PPA, in
the form xxx:xxx
type on commandline,
sudo ubuntu-advantage enable-fips xxx:xxx
expect,
[sudo] password for ubuntu:
Running apt-get update... OK
Ubuntu FIPS PPA repository enabled.
Installing FIPS packages (this may take a while)... OK
Configuring FIPS...
Updating grub to enable fips... OK
Successfully configured FIPS. Please reboot into the FIPS kernel to enable it.
type on commandline,
sudo reboot
3. Log back into system after reboot
type on commandline,
ubuntu-advantage status
expect,
livepatch: disabled
esm: disabled (not available)
fips: enabled
4. verify fips kernel "4.4.0-1002-fips" has been installed
type on commandline,
uname -a
expect,
Linux xenialguest 4.4.0-1002-fips #2-Ubuntu SMP Thu Apr 27 19:37:46 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
ZESTY
(Note that FIPS is not supported on zesty.)
1. Collect status before enabling fips
type on commandline,
ubuntu-advantage status
expect,
livepatch: disabled (not available)
esm: disabled (not available)
fips: disabled (not available)
2. Ensure that fips cannot be enabled on Zesty.
You can use a dummy set of credentials like user:secret as the token:
type on commandline,
sudo ubuntu-advantage enable-fips user:secret
expect,
Sorry, but Canonical FIPS 140-2 Modules is not supported on zesty
3. Check that kernel is not fips kernel (4.4.0-1002-fips)
type on commandline,
uname -a
expect:
Linux ubuntu-zesty 4.10.0-19-generic #21-Ubuntu SMP Thu Apr 6 17:04:57 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
[REGRESSION POTENTIAL]
The current ubuntu-advantage-tools package in trusty, xenial and zesty is basically a NOOP because the only service it supports is ESM, which is only available for precise.
This update adds two new features to the package: FIPS (xenial only) and Livepatch (trusty and xenial), essentially making the package useful in trusty and xenial. For zesty there is no change, as none of these products are available for non-LTS releases.
[OTHER INFO]
The way this package was made available in all the ubuntu releases where it is now was via a "pocket copy". That's why it has the exact same version in trusty, xenial and zesty. Currently artful has version 10 (a version 12 just missed the feature freeze), so in order for upgrades between releases to work, we adopted the backports versioning scheme, by appending the ubuntu release code with a tilda ("~") to the version.
Another point is that even though ubuntu-advantage-tools is "just" a shell script, it is unit tested with python3, and these tests (and lint runs) gate merges in the upstream github repository at github.com/CanonicalLtd/ubuntu-advantage-script/ |
** description still being worked on, not done yet **
[IMPACT]
Most recent version of ubuntu-advantage-tool on github includes fips and livepatch enablement. The fips enablement will allow customers to easily install and configure Canonical's FIPS certified modules on xenial, whereas livepatch allows xenial and trusty customers to patch the running kernel without a reboot.
This SRU will cover both new features.
In addition to the new features themselves, a new "status" command was added that will give a short summary about the available modules and their status, at a glance.
Note: FIPS certified modules are only available for xenial. Livepatch is supported on xenial and trusty. The tool will refuse to enable either service on an unsupported ubuntu release.
Without this updated package, customers of those services have to enable them manually by following a series of steps.
[FIPS DESCRIPTION]
When "ubuntu-advantage enable-fips <token>" is issued from commandline,
- configure the private PPA where the FIPS modules are located
- install the FIPS modules from this PPA to the local machine from where the script is run
- configure the bootloader to enable fips
Upon successful completion of these steps, the customer then gets a message stating to reboot
the machine to complete the fips enablement process.
Without the script, customers must perform the steps manually.
[LIVEPATCH DESCRIPTION]
Livepatch allows customers to apply kernel patches to a running system without rebooting it.
The current instructions live in http://ubuntu.com/livepatch and boil down to:
- install snapd if it's not installed already. On trusty this means a new kernel as well.
- install the canonical-livepatch snap
- obtain a livepatch token from Canonical
- run the enable command with the given token
The ubuntu-advantage-tools package simplifies this process by just requesting the token and performing all the other steps on behalf of the user. It also conveniently checks the running kernel and instructs the user to reboot into a newer kernel if needed to finish the installation (this is the case when running trusty).
[FIX]
Add fips and livepatch support to the ubuntu-adadvantage-tools package. See debdiff below.
[LIVEPATCH TESTCASES]
XENIAL
0. Install the new ubuntu-advantage-tools package to add livepatch support.
1. Collect status before enabling livepatch
type on commandline,
ubuntu-advantage status
expect,
livepatch: disabled
esm: disabled (not available)
fips: disabled
2. Enable livepatch
visit https://ubuntu.com/livepatch and obtain a token
type on commandline,
sudo ubuntu-advantage enable-livepatch <yourtoken>
expect,
Installing the canonical-livepatch snap.
This may take a few minutes depending on your bandwidth.
2017-10-20T19:39:41Z INFO Waiting for restart...
canonical-livepatch 7.24 from 'canonical' installed
Enabling Livepatch with the given token, stand by...
Successfully enabled device. Using machine-token: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Use "canonical-livepatch status" to verify current patch status.
3. Verify livepatch status
type on commandline,
ubuntu-advantage status
expect an output like the following,
livepatch: enabled
client-version: "7.23"
architecture: x86_64
cpu-model: Intel Core Processor (Skylake)
last-check: 2017-10-20T19:39:54.451499227Z
boot-time: 2017-10-20T19:28:09Z
uptime: 15m30s
status:
- kernel: 4.4.0-97.120-generic
running: true
livepatch:
checkState: checked
patchState: nothing-to-apply
version: ""
fixes: ""
esm: disabled (not available)
fips: disabled
[FIPS TESTCASES]
These testcases assume you have installed ubuntu-advantage-tools with the proposed changes. Prior to the upload they were performed on S390, PPC64EL and AMD64 architectures.
XENIAL
0. Install the new ubuntu-advantage-tools package to add fips support.
1. Collect status before enabling fips
type on commandline,
ubuntu-advantage status
expect,
livepatch: disabled
esm: disabled (not available)
fips: disabled
2. Enable fips
Note: This will require a token or credentials to fips Private PPA, in
the form xxx:xxx
type on commandline,
sudo ubuntu-advantage enable-fips xxx:xxx
expect,
[sudo] password for ubuntu:
Running apt-get update... OK
Ubuntu FIPS PPA repository enabled.
Installing FIPS packages (this may take a while)... OK
Configuring FIPS...
Updating grub to enable fips... OK
Successfully configured FIPS. Please reboot into the FIPS kernel to enable it.
type on commandline,
sudo reboot
3. Log back into system after reboot
type on commandline,
ubuntu-advantage status
expect,
livepatch: disabled
esm: disabled (not available)
fips: enabled
4. verify fips kernel "4.4.0-1002-fips" has been installed
type on commandline,
uname -a
expect,
Linux xenialguest 4.4.0-1002-fips #2-Ubuntu SMP Thu Apr 27 19:37:46 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
ZESTY
(Note that FIPS is not supported on zesty.)
1. Collect status before enabling fips
type on commandline,
ubuntu-advantage status
expect,
livepatch: disabled (not available)
esm: disabled (not available)
fips: disabled (not available)
2. Ensure that fips cannot be enabled on Zesty.
You can use a dummy set of credentials like user:secret as the token:
type on commandline,
sudo ubuntu-advantage enable-fips user:secret
expect,
Sorry, but Canonical FIPS 140-2 Modules is not supported on zesty
[REGRESSION POTENTIAL]
The current ubuntu-advantage-tools package in trusty, xenial and zesty is basically a NOOP because the only service it supports is ESM, which is only available for precise.
This update adds two new features to the package: FIPS (xenial only) and Livepatch (trusty and xenial), essentially making the package useful in trusty and xenial. For zesty there is no change, as none of these products are available for non-LTS releases.
[OTHER INFO]
The way this package was made available in all the ubuntu releases where it is now was via a "pocket copy". That's why it has the exact same version in trusty, xenial and zesty. Currently artful has version 10 (a version 12 just missed the feature freeze), so in order for upgrades between releases to work, we adopted the backports versioning scheme, by appending the ubuntu release code with a tilda ("~") to the version.
Another point is that even though ubuntu-advantage-tools is "just" a shell script, it is unit tested with python3, and these tests (and lint runs) gate merges in the upstream github repository at github.com/CanonicalLtd/ubuntu-advantage-script/ |
|
2017-10-23 17:54:19 |
Andreas Hasenack |
description |
** description still being worked on, not done yet **
[IMPACT]
Most recent version of ubuntu-advantage-tool on github includes fips and livepatch enablement. The fips enablement will allow customers to easily install and configure Canonical's FIPS certified modules on xenial, whereas livepatch allows xenial and trusty customers to patch the running kernel without a reboot.
This SRU will cover both new features.
In addition to the new features themselves, a new "status" command was added that will give a short summary about the available modules and their status, at a glance.
Note: FIPS certified modules are only available for xenial. Livepatch is supported on xenial and trusty. The tool will refuse to enable either service on an unsupported ubuntu release.
Without this updated package, customers of those services have to enable them manually by following a series of steps.
[FIPS DESCRIPTION]
When "ubuntu-advantage enable-fips <token>" is issued from commandline,
- configure the private PPA where the FIPS modules are located
- install the FIPS modules from this PPA to the local machine from where the script is run
- configure the bootloader to enable fips
Upon successful completion of these steps, the customer then gets a message stating to reboot
the machine to complete the fips enablement process.
Without the script, customers must perform the steps manually.
[LIVEPATCH DESCRIPTION]
Livepatch allows customers to apply kernel patches to a running system without rebooting it.
The current instructions live in http://ubuntu.com/livepatch and boil down to:
- install snapd if it's not installed already. On trusty this means a new kernel as well.
- install the canonical-livepatch snap
- obtain a livepatch token from Canonical
- run the enable command with the given token
The ubuntu-advantage-tools package simplifies this process by just requesting the token and performing all the other steps on behalf of the user. It also conveniently checks the running kernel and instructs the user to reboot into a newer kernel if needed to finish the installation (this is the case when running trusty).
[FIX]
Add fips and livepatch support to the ubuntu-adadvantage-tools package. See debdiff below.
[LIVEPATCH TESTCASES]
XENIAL
0. Install the new ubuntu-advantage-tools package to add livepatch support.
1. Collect status before enabling livepatch
type on commandline,
ubuntu-advantage status
expect,
livepatch: disabled
esm: disabled (not available)
fips: disabled
2. Enable livepatch
visit https://ubuntu.com/livepatch and obtain a token
type on commandline,
sudo ubuntu-advantage enable-livepatch <yourtoken>
expect,
Installing the canonical-livepatch snap.
This may take a few minutes depending on your bandwidth.
2017-10-20T19:39:41Z INFO Waiting for restart...
canonical-livepatch 7.24 from 'canonical' installed
Enabling Livepatch with the given token, stand by...
Successfully enabled device. Using machine-token: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Use "canonical-livepatch status" to verify current patch status.
3. Verify livepatch status
type on commandline,
ubuntu-advantage status
expect an output like the following,
livepatch: enabled
client-version: "7.23"
architecture: x86_64
cpu-model: Intel Core Processor (Skylake)
last-check: 2017-10-20T19:39:54.451499227Z
boot-time: 2017-10-20T19:28:09Z
uptime: 15m30s
status:
- kernel: 4.4.0-97.120-generic
running: true
livepatch:
checkState: checked
patchState: nothing-to-apply
version: ""
fixes: ""
esm: disabled (not available)
fips: disabled
[FIPS TESTCASES]
These testcases assume you have installed ubuntu-advantage-tools with the proposed changes. Prior to the upload they were performed on S390, PPC64EL and AMD64 architectures.
XENIAL
0. Install the new ubuntu-advantage-tools package to add fips support.
1. Collect status before enabling fips
type on commandline,
ubuntu-advantage status
expect,
livepatch: disabled
esm: disabled (not available)
fips: disabled
2. Enable fips
Note: This will require a token or credentials to fips Private PPA, in
the form xxx:xxx
type on commandline,
sudo ubuntu-advantage enable-fips xxx:xxx
expect,
[sudo] password for ubuntu:
Running apt-get update... OK
Ubuntu FIPS PPA repository enabled.
Installing FIPS packages (this may take a while)... OK
Configuring FIPS...
Updating grub to enable fips... OK
Successfully configured FIPS. Please reboot into the FIPS kernel to enable it.
type on commandline,
sudo reboot
3. Log back into system after reboot
type on commandline,
ubuntu-advantage status
expect,
livepatch: disabled
esm: disabled (not available)
fips: enabled
4. verify fips kernel "4.4.0-1002-fips" has been installed
type on commandline,
uname -a
expect,
Linux xenialguest 4.4.0-1002-fips #2-Ubuntu SMP Thu Apr 27 19:37:46 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
ZESTY
(Note that FIPS is not supported on zesty.)
1. Collect status before enabling fips
type on commandline,
ubuntu-advantage status
expect,
livepatch: disabled (not available)
esm: disabled (not available)
fips: disabled (not available)
2. Ensure that fips cannot be enabled on Zesty.
You can use a dummy set of credentials like user:secret as the token:
type on commandline,
sudo ubuntu-advantage enable-fips user:secret
expect,
Sorry, but Canonical FIPS 140-2 Modules is not supported on zesty
[REGRESSION POTENTIAL]
The current ubuntu-advantage-tools package in trusty, xenial and zesty is basically a NOOP because the only service it supports is ESM, which is only available for precise.
This update adds two new features to the package: FIPS (xenial only) and Livepatch (trusty and xenial), essentially making the package useful in trusty and xenial. For zesty there is no change, as none of these products are available for non-LTS releases.
[OTHER INFO]
The way this package was made available in all the ubuntu releases where it is now was via a "pocket copy". That's why it has the exact same version in trusty, xenial and zesty. Currently artful has version 10 (a version 12 just missed the feature freeze), so in order for upgrades between releases to work, we adopted the backports versioning scheme, by appending the ubuntu release code with a tilda ("~") to the version.
Another point is that even though ubuntu-advantage-tools is "just" a shell script, it is unit tested with python3, and these tests (and lint runs) gate merges in the upstream github repository at github.com/CanonicalLtd/ubuntu-advantage-script/ |
** description still being worked on, not done yet **
[IMPACT]
Most recent version of ubuntu-advantage-tool on github includes fips and livepatch enablement. The fips enablement will allow customers to easily install and configure Canonical's FIPS certified modules on xenial, whereas livepatch allows xenial and trusty customers to patch the running kernel without a reboot.
This SRU will cover both new features.
In addition to the new features themselves, a new "status" command was added that will give a short summary about the available modules and their status, at a glance.
Note: FIPS certified modules are only available for xenial. Livepatch is supported on xenial and trusty. The tool will refuse to enable either service on an unsupported ubuntu release.
Without this updated package, customers of those services have to enable them manually by following a series of steps.
[FIPS DESCRIPTION]
When "ubuntu-advantage enable-fips <token>" is issued from commandline,
- configure the private PPA where the FIPS modules are located
- install the FIPS modules from this PPA to the local machine from where the script is run
- configure the bootloader to enable fips
Upon successful completion of these steps, the customer then gets a message stating to reboot
the machine to complete the fips enablement process.
Without the script, customers must perform the steps manually.
[LIVEPATCH DESCRIPTION]
Livepatch allows customers to apply kernel patches to a running system without rebooting it.
The current instructions live in http://ubuntu.com/livepatch and boil down to:
- install snapd if it's not installed already. On trusty this means a new kernel as well.
- install the canonical-livepatch snap
- obtain a livepatch token from Canonical
- run the enable command with the given token
The ubuntu-advantage-tools package simplifies this process by just requesting the token and performing all the other steps on behalf of the user. It also conveniently checks the running kernel and instructs the user to reboot into a newer kernel if needed to finish the installation (this is the case when running trusty).
[FIX]
Add fips and livepatch support to the ubuntu-adadvantage-tools package. See debdiff below.
[LIVEPATCH TESTCASES]
ZESTY
0. Install the new ubuntu-advantage-tools package to add livepatch support.
1. Collect status before enabling livepatch
type on commandline:
ubuntu-advantage status
expect the livepatch service to be unavailable:
livepatch: disabled (not available)
esm: disabled (not available)
fips: disabled (not available)
2. Ensure that livepatch cannot be enabled on Zesty.
You can use a dummy set of credentials like "foobar" as the token:
type on commandline,
sudo ubuntu-advantage enable-livepatch foobar
expect,
Sorry, but Canonical Livepatch is not supported on zesty
TRUSTY
0. Install the new ubuntu-advantage-tools package to add livepatch support.
1. Collect status before enabling livepatch
type on commandline:
ubuntu-advantage status
expect:
livepatch: disabled
esm: disabled (not available)
fips: disabled (not available)
2. Enable livepatch
visit https://ubuntu.com/livepatch and obtain a token
type on commandline,
sudo ubuntu-advantage enable-livepatch <yourtoken>
You may be required to install a newer kernel. In that case, expect the
following output:
Installing missing dependency snapd... OK
Installing the canonical-livepatch snap.
This may take a few minutes depending on your bandwidth.
canonical-livepatch 7.24 from 'canonical' installed
Your currently running kernel (3.13.0-133-generic) is too old to
support snaps. Version 4.4.0 or higher is needed.
Please reboot your system into a supported kernel version
and run the following command one more time to complete the
installation:
sudo ubuntu-advantage enable-livepatch <yourtoken>
Once you reboot and re-run the specified command, expect:
Enabling Livepatch with the given token, stand by...
Successfully enabled device. Using machine-token: <sometoken>
Use "canonical-livepatch status" to verify current patch status.
3. Verify livepatch status
type on commandline,
ubuntu-advantage status
expect an output like the following,
livepatch: enabled
client-version: "7.23"
architecture: x86_64
cpu-model: Intel Core Processor (Skylake)
last-check: 2017-10-23T15:10:45.640938255Z
boot-time: 2017-10-23T15:10:13Z
uptime: 1m19s
status:
- kernel: 4.4.0-97.120~14.04.1-generic
running: true
livepatch:
checkState: checked
patchState: nothing-to-apply
version: ""
fixes: ""
esm: disabled (not available)
fips: disabled (not available)
XENIAL
0. Install the new ubuntu-advantage-tools package to add livepatch support.
1. Collect status before enabling livepatch
type on commandline,
ubuntu-advantage status
expect,
livepatch: disabled
esm: disabled (not available)
fips: disabled
2. Enable livepatch
visit https://ubuntu.com/livepatch and obtain a token
type on commandline,
sudo ubuntu-advantage enable-livepatch <yourtoken>
expect,
Installing the canonical-livepatch snap.
This may take a few minutes depending on your bandwidth.
2017-10-20T19:39:41Z INFO Waiting for restart...
canonical-livepatch 7.24 from 'canonical' installed
Enabling Livepatch with the given token, stand by...
Successfully enabled device. Using machine-token: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Use "canonical-livepatch status" to verify current patch status.
3. Verify livepatch status
type on commandline,
ubuntu-advantage status
expect an output like the following,
livepatch: enabled
client-version: "7.23"
architecture: x86_64
cpu-model: Intel Core Processor (Skylake)
last-check: 2017-10-20T19:39:54.451499227Z
boot-time: 2017-10-20T19:28:09Z
uptime: 15m30s
status:
- kernel: 4.4.0-97.120-generic
running: true
livepatch:
checkState: checked
patchState: nothing-to-apply
version: ""
fixes: ""
esm: disabled (not available)
fips: disabled
[FIPS TESTCASES]
These testcases assume you have installed ubuntu-advantage-tools with the proposed changes. Prior to the upload they were performed on S390, PPC64EL and AMD64 architectures.
XENIAL
0. Install the new ubuntu-advantage-tools package to add fips support.
1. Collect status before enabling fips
type on commandline,
ubuntu-advantage status
expect,
livepatch: disabled
esm: disabled (not available)
fips: disabled
2. Enable fips
Note: This will require a token or credentials to fips Private PPA, in
the form xxx:xxx
type on commandline,
sudo ubuntu-advantage enable-fips xxx:xxx
expect,
[sudo] password for ubuntu:
Running apt-get update... OK
Ubuntu FIPS PPA repository enabled.
Installing FIPS packages (this may take a while)... OK
Configuring FIPS...
Updating grub to enable fips... OK
Successfully configured FIPS. Please reboot into the FIPS kernel to enable it.
type on commandline,
sudo reboot
3. Log back into system after reboot
type on commandline,
ubuntu-advantage status
expect,
livepatch: disabled
esm: disabled (not available)
fips: enabled
4. verify fips kernel "4.4.0-1002-fips" has been installed
type on commandline,
uname -a
expect,
Linux xenialguest 4.4.0-1002-fips #2-Ubuntu SMP Thu Apr 27 19:37:46 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
ZESTY
(Note that FIPS is not supported on zesty.)
1. Collect status before enabling fips
type on commandline,
ubuntu-advantage status
expect,
livepatch: disabled (not available)
esm: disabled (not available)
fips: disabled (not available)
2. Ensure that fips cannot be enabled on Zesty.
You can use a dummy set of credentials like user:secret as the token:
type on commandline,
sudo ubuntu-advantage enable-fips user:secret
expect,
Sorry, but Canonical FIPS 140-2 Modules is not supported on zesty
TRUSTY
(Note that FIPS is not supported on trusty.)
1. Collect status before enabling fips
type on commandline,
ubuntu-advantage status
expect,
livepatch: disabled
esm: disabled (not available)
fips: disabled (not available)
2. Ensure that fips cannot be enabled on trusty.
You can use a dummy set of credentials like user:secret as the token:
type on commandline,
sudo ubuntu-advantage enable-fips user:secret
expect,
Sorry, but Canonical FIPS 140-2 Modules is not supported on trusty
[REGRESSION POTENTIAL]
The current ubuntu-advantage-tools package in trusty, xenial and zesty is basically a NOOP because the only service it supports is ESM, which is only available for precise.
This update adds two new features to the package: FIPS (xenial only) and Livepatch (trusty and xenial), essentially making the package useful in trusty and xenial. For zesty there is no change, as none of these products are available for non-LTS releases.
[OTHER INFO]
The way this package was made available in all the ubuntu releases where it is now was via a "pocket copy". That's why it has the exact same version in trusty, xenial and zesty. Currently artful has version 10 (a version 12 just missed the feature freeze), so in order for upgrades between releases to work, we adopted the backports versioning scheme, by appending the ubuntu release code with a tilda ("~") to the version.
Another point is that even though ubuntu-advantage-tools is "just" a shell script, it is unit tested with python3, and these tests (and lint runs) gate merges in the upstream github repository at github.com/CanonicalLtd/ubuntu-advantage-script/ |
|
2017-10-23 17:54:34 |
Andreas Hasenack |
nominated for series |
|
Ubuntu Trusty |
|
2017-10-23 17:56:17 |
Andreas Hasenack |
description |
** description still being worked on, not done yet **
[IMPACT]
Most recent version of ubuntu-advantage-tool on github includes fips and livepatch enablement. The fips enablement will allow customers to easily install and configure Canonical's FIPS certified modules on xenial, whereas livepatch allows xenial and trusty customers to patch the running kernel without a reboot.
This SRU will cover both new features.
In addition to the new features themselves, a new "status" command was added that will give a short summary about the available modules and their status, at a glance.
Note: FIPS certified modules are only available for xenial. Livepatch is supported on xenial and trusty. The tool will refuse to enable either service on an unsupported ubuntu release.
Without this updated package, customers of those services have to enable them manually by following a series of steps.
[FIPS DESCRIPTION]
When "ubuntu-advantage enable-fips <token>" is issued from commandline,
- configure the private PPA where the FIPS modules are located
- install the FIPS modules from this PPA to the local machine from where the script is run
- configure the bootloader to enable fips
Upon successful completion of these steps, the customer then gets a message stating to reboot
the machine to complete the fips enablement process.
Without the script, customers must perform the steps manually.
[LIVEPATCH DESCRIPTION]
Livepatch allows customers to apply kernel patches to a running system without rebooting it.
The current instructions live in http://ubuntu.com/livepatch and boil down to:
- install snapd if it's not installed already. On trusty this means a new kernel as well.
- install the canonical-livepatch snap
- obtain a livepatch token from Canonical
- run the enable command with the given token
The ubuntu-advantage-tools package simplifies this process by just requesting the token and performing all the other steps on behalf of the user. It also conveniently checks the running kernel and instructs the user to reboot into a newer kernel if needed to finish the installation (this is the case when running trusty).
[FIX]
Add fips and livepatch support to the ubuntu-adadvantage-tools package. See debdiff below.
[LIVEPATCH TESTCASES]
ZESTY
0. Install the new ubuntu-advantage-tools package to add livepatch support.
1. Collect status before enabling livepatch
type on commandline:
ubuntu-advantage status
expect the livepatch service to be unavailable:
livepatch: disabled (not available)
esm: disabled (not available)
fips: disabled (not available)
2. Ensure that livepatch cannot be enabled on Zesty.
You can use a dummy set of credentials like "foobar" as the token:
type on commandline,
sudo ubuntu-advantage enable-livepatch foobar
expect,
Sorry, but Canonical Livepatch is not supported on zesty
TRUSTY
0. Install the new ubuntu-advantage-tools package to add livepatch support.
1. Collect status before enabling livepatch
type on commandline:
ubuntu-advantage status
expect:
livepatch: disabled
esm: disabled (not available)
fips: disabled (not available)
2. Enable livepatch
visit https://ubuntu.com/livepatch and obtain a token
type on commandline,
sudo ubuntu-advantage enable-livepatch <yourtoken>
You may be required to install a newer kernel. In that case, expect the
following output:
Installing missing dependency snapd... OK
Installing the canonical-livepatch snap.
This may take a few minutes depending on your bandwidth.
canonical-livepatch 7.24 from 'canonical' installed
Your currently running kernel (3.13.0-133-generic) is too old to
support snaps. Version 4.4.0 or higher is needed.
Please reboot your system into a supported kernel version
and run the following command one more time to complete the
installation:
sudo ubuntu-advantage enable-livepatch <yourtoken>
Once you reboot and re-run the specified command, expect:
Enabling Livepatch with the given token, stand by...
Successfully enabled device. Using machine-token: <sometoken>
Use "canonical-livepatch status" to verify current patch status.
3. Verify livepatch status
type on commandline,
ubuntu-advantage status
expect an output like the following,
livepatch: enabled
client-version: "7.23"
architecture: x86_64
cpu-model: Intel Core Processor (Skylake)
last-check: 2017-10-23T15:10:45.640938255Z
boot-time: 2017-10-23T15:10:13Z
uptime: 1m19s
status:
- kernel: 4.4.0-97.120~14.04.1-generic
running: true
livepatch:
checkState: checked
patchState: nothing-to-apply
version: ""
fixes: ""
esm: disabled (not available)
fips: disabled (not available)
XENIAL
0. Install the new ubuntu-advantage-tools package to add livepatch support.
1. Collect status before enabling livepatch
type on commandline,
ubuntu-advantage status
expect,
livepatch: disabled
esm: disabled (not available)
fips: disabled
2. Enable livepatch
visit https://ubuntu.com/livepatch and obtain a token
type on commandline,
sudo ubuntu-advantage enable-livepatch <yourtoken>
expect,
Installing the canonical-livepatch snap.
This may take a few minutes depending on your bandwidth.
2017-10-20T19:39:41Z INFO Waiting for restart...
canonical-livepatch 7.24 from 'canonical' installed
Enabling Livepatch with the given token, stand by...
Successfully enabled device. Using machine-token: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Use "canonical-livepatch status" to verify current patch status.
3. Verify livepatch status
type on commandline,
ubuntu-advantage status
expect an output like the following,
livepatch: enabled
client-version: "7.23"
architecture: x86_64
cpu-model: Intel Core Processor (Skylake)
last-check: 2017-10-20T19:39:54.451499227Z
boot-time: 2017-10-20T19:28:09Z
uptime: 15m30s
status:
- kernel: 4.4.0-97.120-generic
running: true
livepatch:
checkState: checked
patchState: nothing-to-apply
version: ""
fixes: ""
esm: disabled (not available)
fips: disabled
[FIPS TESTCASES]
These testcases assume you have installed ubuntu-advantage-tools with the proposed changes. Prior to the upload they were performed on S390, PPC64EL and AMD64 architectures.
XENIAL
0. Install the new ubuntu-advantage-tools package to add fips support.
1. Collect status before enabling fips
type on commandline,
ubuntu-advantage status
expect,
livepatch: disabled
esm: disabled (not available)
fips: disabled
2. Enable fips
Note: This will require a token or credentials to fips Private PPA, in
the form xxx:xxx
type on commandline,
sudo ubuntu-advantage enable-fips xxx:xxx
expect,
[sudo] password for ubuntu:
Running apt-get update... OK
Ubuntu FIPS PPA repository enabled.
Installing FIPS packages (this may take a while)... OK
Configuring FIPS...
Updating grub to enable fips... OK
Successfully configured FIPS. Please reboot into the FIPS kernel to enable it.
type on commandline,
sudo reboot
3. Log back into system after reboot
type on commandline,
ubuntu-advantage status
expect,
livepatch: disabled
esm: disabled (not available)
fips: enabled
4. verify fips kernel "4.4.0-1002-fips" has been installed
type on commandline,
uname -a
expect,
Linux xenialguest 4.4.0-1002-fips #2-Ubuntu SMP Thu Apr 27 19:37:46 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
ZESTY
(Note that FIPS is not supported on zesty.)
1. Collect status before enabling fips
type on commandline,
ubuntu-advantage status
expect,
livepatch: disabled (not available)
esm: disabled (not available)
fips: disabled (not available)
2. Ensure that fips cannot be enabled on Zesty.
You can use a dummy set of credentials like user:secret as the token:
type on commandline,
sudo ubuntu-advantage enable-fips user:secret
expect,
Sorry, but Canonical FIPS 140-2 Modules is not supported on zesty
TRUSTY
(Note that FIPS is not supported on trusty.)
1. Collect status before enabling fips
type on commandline,
ubuntu-advantage status
expect,
livepatch: disabled
esm: disabled (not available)
fips: disabled (not available)
2. Ensure that fips cannot be enabled on trusty.
You can use a dummy set of credentials like user:secret as the token:
type on commandline,
sudo ubuntu-advantage enable-fips user:secret
expect,
Sorry, but Canonical FIPS 140-2 Modules is not supported on trusty
[REGRESSION POTENTIAL]
The current ubuntu-advantage-tools package in trusty, xenial and zesty is basically a NOOP because the only service it supports is ESM, which is only available for precise.
This update adds two new features to the package: FIPS (xenial only) and Livepatch (trusty and xenial), essentially making the package useful in trusty and xenial. For zesty there is no change, as none of these products are available for non-LTS releases.
[OTHER INFO]
The way this package was made available in all the ubuntu releases where it is now was via a "pocket copy". That's why it has the exact same version in trusty, xenial and zesty. Currently artful has version 10 (a version 12 just missed the feature freeze), so in order for upgrades between releases to work, we adopted the backports versioning scheme, by appending the ubuntu release code with a tilda ("~") to the version.
Another point is that even though ubuntu-advantage-tools is "just" a shell script, it is unit tested with python3, and these tests (and lint runs) gate merges in the upstream github repository at github.com/CanonicalLtd/ubuntu-advantage-script/ |
** description still being worked on, not done yet **
[IMPACT]
Most recent version of ubuntu-advantage-tool on github includes fips and livepatch enablement. The fips enablement will allow customers to easily install and configure Canonical's FIPS certified modules on xenial, whereas livepatch allows xenial and trusty customers to patch the running kernel without a reboot.
This SRU will cover both new features.
In addition to the new features themselves, a new "status" command was added that will give a short summary about the available modules and their status, at a glance.
Note: FIPS certified modules are only available for xenial. Livepatch is supported on xenial and trusty. The tool will refuse to enable either service on an unsupported ubuntu release.
Without this updated package, customers of those services have to enable them manually by following a series of steps.
[FIPS DESCRIPTION]
When "ubuntu-advantage enable-fips <token>" is issued from commandline,
- configure the private PPA where the FIPS modules are located
- install the FIPS modules from this PPA to the local machine from where the script is run
- configure the bootloader to enable fips
Upon successful completion of these steps, the customer then gets a message stating to reboot
the machine to complete the fips enablement process.
Without the script, customers must perform the steps manually.
[LIVEPATCH DESCRIPTION]
Livepatch allows customers to apply kernel patches to a running system without rebooting it.
The current instructions live in http://ubuntu.com/livepatch and boil down to:
- install snapd if it's not installed already. On trusty this means a new kernel as well.
- install the canonical-livepatch snap
- obtain a livepatch token from Canonical
- run the enable command with the given token
The ubuntu-advantage-tools package simplifies this process by just requesting the token and performing all the other steps on behalf of the user. It also conveniently checks the running kernel and instructs the user to reboot into a newer kernel if needed to finish the installation (this is the case when running trusty).
[FIX]
Add fips and livepatch support to the ubuntu-adadvantage-tools package. See debdiff below.
[LIVEPATCH TESTCASES]
TRUSTY
0. Install the new ubuntu-advantage-tools package to add livepatch support.
1. Collect status before enabling livepatch
type on commandline:
ubuntu-advantage status
expect:
livepatch: disabled
esm: disabled (not available)
fips: disabled (not available)
2. Enable livepatch
visit https://ubuntu.com/livepatch and obtain a token
type on commandline,
sudo ubuntu-advantage enable-livepatch <yourtoken>
You may be required to install a newer kernel. In that case, expect the
following output:
Installing missing dependency snapd... OK
Installing the canonical-livepatch snap.
This may take a few minutes depending on your bandwidth.
canonical-livepatch 7.24 from 'canonical' installed
Your currently running kernel (3.13.0-133-generic) is too old to
support snaps. Version 4.4.0 or higher is needed.
Please reboot your system into a supported kernel version
and run the following command one more time to complete the
installation:
sudo ubuntu-advantage enable-livepatch <yourtoken>
Once you reboot and re-run the specified command, expect:
Enabling Livepatch with the given token, stand by...
Successfully enabled device. Using machine-token: <sometoken>
Use "canonical-livepatch status" to verify current patch status.
3. Verify livepatch status
type on commandline,
ubuntu-advantage status
expect an output like the following,
livepatch: enabled
client-version: "7.23"
architecture: x86_64
cpu-model: Intel Core Processor (Skylake)
last-check: 2017-10-23T15:10:45.640938255Z
boot-time: 2017-10-23T15:10:13Z
uptime: 1m19s
status:
- kernel: 4.4.0-97.120~14.04.1-generic
running: true
livepatch:
checkState: checked
patchState: nothing-to-apply
version: ""
fixes: ""
esm: disabled (not available)
fips: disabled (not available)
XENIAL
0. Install the new ubuntu-advantage-tools package to add livepatch support.
1. Collect status before enabling livepatch
type on commandline,
ubuntu-advantage status
expect,
livepatch: disabled
esm: disabled (not available)
fips: disabled
2. Enable livepatch
visit https://ubuntu.com/livepatch and obtain a token
type on commandline,
sudo ubuntu-advantage enable-livepatch <yourtoken>
expect,
Installing the canonical-livepatch snap.
This may take a few minutes depending on your bandwidth.
2017-10-20T19:39:41Z INFO Waiting for restart...
canonical-livepatch 7.24 from 'canonical' installed
Enabling Livepatch with the given token, stand by...
Successfully enabled device. Using machine-token: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Use "canonical-livepatch status" to verify current patch status.
3. Verify livepatch status
type on commandline,
ubuntu-advantage status
expect an output like the following,
livepatch: enabled
client-version: "7.23"
architecture: x86_64
cpu-model: Intel Core Processor (Skylake)
last-check: 2017-10-20T19:39:54.451499227Z
boot-time: 2017-10-20T19:28:09Z
uptime: 15m30s
status:
- kernel: 4.4.0-97.120-generic
running: true
livepatch:
checkState: checked
patchState: nothing-to-apply
version: ""
fixes: ""
esm: disabled (not available)
fips: disabled
ZESTY
0. Install the new ubuntu-advantage-tools package to add livepatch support.
1. Collect status before enabling livepatch
type on commandline:
ubuntu-advantage status
expect the livepatch service to be unavailable:
livepatch: disabled (not available)
esm: disabled (not available)
fips: disabled (not available)
2. Ensure that livepatch cannot be enabled on Zesty.
You can use a dummy set of credentials like "foobar" as the token:
type on commandline,
sudo ubuntu-advantage enable-livepatch foobar
expect,
Sorry, but Canonical Livepatch is not supported on zesty
[FIPS TESTCASES]
These testcases assume you have installed ubuntu-advantage-tools with the proposed changes. Prior to the upload they were performed on S390, PPC64EL and AMD64 architectures.
TRUSTY
(Note that FIPS is not supported on trusty.)
1. Collect status before enabling fips
type on commandline,
ubuntu-advantage status
expect,
livepatch: disabled
esm: disabled (not available)
fips: disabled (not available)
2. Ensure that fips cannot be enabled on trusty.
You can use a dummy set of credentials like user:secret as the token:
type on commandline,
sudo ubuntu-advantage enable-fips user:secret
expect,
Sorry, but Canonical FIPS 140-2 Modules is not supported on trusty
XENIAL
0. Install the new ubuntu-advantage-tools package to add fips support.
1. Collect status before enabling fips
type on commandline,
ubuntu-advantage status
expect,
livepatch: disabled
esm: disabled (not available)
fips: disabled
2. Enable fips
Note: This will require a token or credentials to fips Private PPA, in
the form xxx:xxx
type on commandline,
sudo ubuntu-advantage enable-fips xxx:xxx
expect,
[sudo] password for ubuntu:
Running apt-get update... OK
Ubuntu FIPS PPA repository enabled.
Installing FIPS packages (this may take a while)... OK
Configuring FIPS...
Updating grub to enable fips... OK
Successfully configured FIPS. Please reboot into the FIPS kernel to enable it.
type on commandline,
sudo reboot
3. Log back into system after reboot
type on commandline,
ubuntu-advantage status
expect,
livepatch: disabled
esm: disabled (not available)
fips: enabled
4. verify fips kernel "4.4.0-1002-fips" has been installed
type on commandline,
uname -a
expect,
Linux xenialguest 4.4.0-1002-fips #2-Ubuntu SMP Thu Apr 27 19:37:46 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
ZESTY
(Note that FIPS is not supported on zesty.)
1. Collect status before enabling fips
type on commandline,
ubuntu-advantage status
expect,
livepatch: disabled (not available)
esm: disabled (not available)
fips: disabled (not available)
2. Ensure that fips cannot be enabled on Zesty.
You can use a dummy set of credentials like user:secret as the token:
type on commandline,
sudo ubuntu-advantage enable-fips user:secret
expect,
Sorry, but Canonical FIPS 140-2 Modules is not supported on zesty
[REGRESSION POTENTIAL]
The current ubuntu-advantage-tools package in trusty, xenial and zesty is basically a NOOP because the only service it supports is ESM, which is only available for precise.
This update adds two new features to the package: FIPS (xenial only) and Livepatch (trusty and xenial), essentially making the package useful in trusty and xenial. For zesty there is no change, as none of these products are available for non-LTS releases.
[OTHER INFO]
The way this package was made available in all the ubuntu releases where it is now was via a "pocket copy". That's why it has the exact same version in trusty, xenial and zesty. Currently artful has version 10 (a version 12 just missed the feature freeze), so in order for upgrades between releases to work, we adopted the backports versioning scheme, by appending the ubuntu release code with a tilda ("~") to the version.
Another point is that even though ubuntu-advantage-tools is "just" a shell script, it is unit tested with python3, and these tests (and lint runs) gate merges in the upstream github repository at github.com/CanonicalLtd/ubuntu-advantage-script/ |
|
2017-10-23 17:58:57 |
Seth Arnold |
bug task added |
|
ubuntu-advantage-tools (Ubuntu Trusty) |
|
2017-10-23 18:30:41 |
Andreas Hasenack |
ubuntu-advantage-tools (Ubuntu Trusty): status |
New |
In Progress |
|
2017-10-23 18:30:42 |
Andreas Hasenack |
ubuntu-advantage-tools (Ubuntu Xenial): status |
New |
In Progress |
|
2017-10-23 18:30:45 |
Andreas Hasenack |
ubuntu-advantage-tools (Ubuntu Zesty): status |
New |
In Progress |
|
2017-10-23 18:30:48 |
Andreas Hasenack |
ubuntu-advantage-tools (Ubuntu Trusty): assignee |
|
Andreas Hasenack (ahasenack) |
|
2017-10-23 18:30:51 |
Andreas Hasenack |
ubuntu-advantage-tools (Ubuntu Xenial): assignee |
|
Andreas Hasenack (ahasenack) |
|
2017-10-23 18:30:53 |
Andreas Hasenack |
ubuntu-advantage-tools (Ubuntu Zesty): assignee |
|
Andreas Hasenack (ahasenack) |
|
2017-10-23 18:41:08 |
Andreas Hasenack |
description |
** description still being worked on, not done yet **
[IMPACT]
Most recent version of ubuntu-advantage-tool on github includes fips and livepatch enablement. The fips enablement will allow customers to easily install and configure Canonical's FIPS certified modules on xenial, whereas livepatch allows xenial and trusty customers to patch the running kernel without a reboot.
This SRU will cover both new features.
In addition to the new features themselves, a new "status" command was added that will give a short summary about the available modules and their status, at a glance.
Note: FIPS certified modules are only available for xenial. Livepatch is supported on xenial and trusty. The tool will refuse to enable either service on an unsupported ubuntu release.
Without this updated package, customers of those services have to enable them manually by following a series of steps.
[FIPS DESCRIPTION]
When "ubuntu-advantage enable-fips <token>" is issued from commandline,
- configure the private PPA where the FIPS modules are located
- install the FIPS modules from this PPA to the local machine from where the script is run
- configure the bootloader to enable fips
Upon successful completion of these steps, the customer then gets a message stating to reboot
the machine to complete the fips enablement process.
Without the script, customers must perform the steps manually.
[LIVEPATCH DESCRIPTION]
Livepatch allows customers to apply kernel patches to a running system without rebooting it.
The current instructions live in http://ubuntu.com/livepatch and boil down to:
- install snapd if it's not installed already. On trusty this means a new kernel as well.
- install the canonical-livepatch snap
- obtain a livepatch token from Canonical
- run the enable command with the given token
The ubuntu-advantage-tools package simplifies this process by just requesting the token and performing all the other steps on behalf of the user. It also conveniently checks the running kernel and instructs the user to reboot into a newer kernel if needed to finish the installation (this is the case when running trusty).
[FIX]
Add fips and livepatch support to the ubuntu-adadvantage-tools package. See debdiff below.
[LIVEPATCH TESTCASES]
TRUSTY
0. Install the new ubuntu-advantage-tools package to add livepatch support.
1. Collect status before enabling livepatch
type on commandline:
ubuntu-advantage status
expect:
livepatch: disabled
esm: disabled (not available)
fips: disabled (not available)
2. Enable livepatch
visit https://ubuntu.com/livepatch and obtain a token
type on commandline,
sudo ubuntu-advantage enable-livepatch <yourtoken>
You may be required to install a newer kernel. In that case, expect the
following output:
Installing missing dependency snapd... OK
Installing the canonical-livepatch snap.
This may take a few minutes depending on your bandwidth.
canonical-livepatch 7.24 from 'canonical' installed
Your currently running kernel (3.13.0-133-generic) is too old to
support snaps. Version 4.4.0 or higher is needed.
Please reboot your system into a supported kernel version
and run the following command one more time to complete the
installation:
sudo ubuntu-advantage enable-livepatch <yourtoken>
Once you reboot and re-run the specified command, expect:
Enabling Livepatch with the given token, stand by...
Successfully enabled device. Using machine-token: <sometoken>
Use "canonical-livepatch status" to verify current patch status.
3. Verify livepatch status
type on commandline,
ubuntu-advantage status
expect an output like the following,
livepatch: enabled
client-version: "7.23"
architecture: x86_64
cpu-model: Intel Core Processor (Skylake)
last-check: 2017-10-23T15:10:45.640938255Z
boot-time: 2017-10-23T15:10:13Z
uptime: 1m19s
status:
- kernel: 4.4.0-97.120~14.04.1-generic
running: true
livepatch:
checkState: checked
patchState: nothing-to-apply
version: ""
fixes: ""
esm: disabled (not available)
fips: disabled (not available)
XENIAL
0. Install the new ubuntu-advantage-tools package to add livepatch support.
1. Collect status before enabling livepatch
type on commandline,
ubuntu-advantage status
expect,
livepatch: disabled
esm: disabled (not available)
fips: disabled
2. Enable livepatch
visit https://ubuntu.com/livepatch and obtain a token
type on commandline,
sudo ubuntu-advantage enable-livepatch <yourtoken>
expect,
Installing the canonical-livepatch snap.
This may take a few minutes depending on your bandwidth.
2017-10-20T19:39:41Z INFO Waiting for restart...
canonical-livepatch 7.24 from 'canonical' installed
Enabling Livepatch with the given token, stand by...
Successfully enabled device. Using machine-token: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Use "canonical-livepatch status" to verify current patch status.
3. Verify livepatch status
type on commandline,
ubuntu-advantage status
expect an output like the following,
livepatch: enabled
client-version: "7.23"
architecture: x86_64
cpu-model: Intel Core Processor (Skylake)
last-check: 2017-10-20T19:39:54.451499227Z
boot-time: 2017-10-20T19:28:09Z
uptime: 15m30s
status:
- kernel: 4.4.0-97.120-generic
running: true
livepatch:
checkState: checked
patchState: nothing-to-apply
version: ""
fixes: ""
esm: disabled (not available)
fips: disabled
ZESTY
0. Install the new ubuntu-advantage-tools package to add livepatch support.
1. Collect status before enabling livepatch
type on commandline:
ubuntu-advantage status
expect the livepatch service to be unavailable:
livepatch: disabled (not available)
esm: disabled (not available)
fips: disabled (not available)
2. Ensure that livepatch cannot be enabled on Zesty.
You can use a dummy set of credentials like "foobar" as the token:
type on commandline,
sudo ubuntu-advantage enable-livepatch foobar
expect,
Sorry, but Canonical Livepatch is not supported on zesty
[FIPS TESTCASES]
These testcases assume you have installed ubuntu-advantage-tools with the proposed changes. Prior to the upload they were performed on S390, PPC64EL and AMD64 architectures.
TRUSTY
(Note that FIPS is not supported on trusty.)
1. Collect status before enabling fips
type on commandline,
ubuntu-advantage status
expect,
livepatch: disabled
esm: disabled (not available)
fips: disabled (not available)
2. Ensure that fips cannot be enabled on trusty.
You can use a dummy set of credentials like user:secret as the token:
type on commandline,
sudo ubuntu-advantage enable-fips user:secret
expect,
Sorry, but Canonical FIPS 140-2 Modules is not supported on trusty
XENIAL
0. Install the new ubuntu-advantage-tools package to add fips support.
1. Collect status before enabling fips
type on commandline,
ubuntu-advantage status
expect,
livepatch: disabled
esm: disabled (not available)
fips: disabled
2. Enable fips
Note: This will require a token or credentials to fips Private PPA, in
the form xxx:xxx
type on commandline,
sudo ubuntu-advantage enable-fips xxx:xxx
expect,
[sudo] password for ubuntu:
Running apt-get update... OK
Ubuntu FIPS PPA repository enabled.
Installing FIPS packages (this may take a while)... OK
Configuring FIPS...
Updating grub to enable fips... OK
Successfully configured FIPS. Please reboot into the FIPS kernel to enable it.
type on commandline,
sudo reboot
3. Log back into system after reboot
type on commandline,
ubuntu-advantage status
expect,
livepatch: disabled
esm: disabled (not available)
fips: enabled
4. verify fips kernel "4.4.0-1002-fips" has been installed
type on commandline,
uname -a
expect,
Linux xenialguest 4.4.0-1002-fips #2-Ubuntu SMP Thu Apr 27 19:37:46 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
ZESTY
(Note that FIPS is not supported on zesty.)
1. Collect status before enabling fips
type on commandline,
ubuntu-advantage status
expect,
livepatch: disabled (not available)
esm: disabled (not available)
fips: disabled (not available)
2. Ensure that fips cannot be enabled on Zesty.
You can use a dummy set of credentials like user:secret as the token:
type on commandline,
sudo ubuntu-advantage enable-fips user:secret
expect,
Sorry, but Canonical FIPS 140-2 Modules is not supported on zesty
[REGRESSION POTENTIAL]
The current ubuntu-advantage-tools package in trusty, xenial and zesty is basically a NOOP because the only service it supports is ESM, which is only available for precise.
This update adds two new features to the package: FIPS (xenial only) and Livepatch (trusty and xenial), essentially making the package useful in trusty and xenial. For zesty there is no change, as none of these products are available for non-LTS releases.
[OTHER INFO]
The way this package was made available in all the ubuntu releases where it is now was via a "pocket copy". That's why it has the exact same version in trusty, xenial and zesty. Currently artful has version 10 (a version 12 just missed the feature freeze), so in order for upgrades between releases to work, we adopted the backports versioning scheme, by appending the ubuntu release code with a tilda ("~") to the version.
Another point is that even though ubuntu-advantage-tools is "just" a shell script, it is unit tested with python3, and these tests (and lint runs) gate merges in the upstream github repository at github.com/CanonicalLtd/ubuntu-advantage-script/ |
** description still being worked on, not done yet **
This bug has some history that may be confusing if the comments are read linearly. Basically it started out as a Feature Freeze Exception, that's why we have build logs and unit test runs attached.
Also, the "rename" that is mentioned elsewhere did not happen with this package: the ubuntu-advantage name was kept, no new aliases were added. This will happen in a later SRU, with a later version of the package.
For the SRU, what we need is:
* new tarball
* new debdiff, but note that binary file changes won't be shown in the debdiff
[IMPACT]
Most recent version of ubuntu-advantage-tool on github includes fips and livepatch enablement. The fips enablement will allow customers to easily install and configure Canonical's FIPS certified modules on xenial, whereas livepatch allows xenial and trusty customers to patch the running kernel without a reboot.
This SRU will cover both new features.
In addition to the new features themselves, a new "status" command was added that will give a short summary about the available modules and their status, at a glance.
Note: FIPS certified modules are only available for xenial. Livepatch is supported on xenial and trusty. The tool will refuse to enable either service on an unsupported ubuntu release.
Without this updated package, customers of those services have to enable them manually by following a series of steps.
[FIPS DESCRIPTION]
When "ubuntu-advantage enable-fips <token>" is issued from commandline,
- configure the private PPA where the FIPS modules are located
- install the FIPS modules from this PPA to the local machine from where the script is run
- configure the bootloader to enable fips
Upon successful completion of these steps, the customer then gets a message stating to reboot
the machine to complete the fips enablement process.
Without the script, customers must perform the steps manually.
[LIVEPATCH DESCRIPTION]
Livepatch allows customers to apply kernel patches to a running system without rebooting it.
The current instructions live in http://ubuntu.com/livepatch and boil down to:
- install snapd if it's not installed already. On trusty this means a new kernel as well.
- install the canonical-livepatch snap
- obtain a livepatch token from Canonical
- run the enable command with the given token
The ubuntu-advantage-tools package simplifies this process by just requesting the token and performing all the other steps on behalf of the user. It also conveniently checks the running kernel and instructs the user to reboot into a newer kernel if needed to finish the installation (this is the case when running trusty).
[FIX]
Add fips and livepatch support to the ubuntu-adadvantage-tools package. See debdiff below.
[LIVEPATCH TESTCASES]
TRUSTY
0. Install the new ubuntu-advantage-tools package to add livepatch support.
1. Collect status before enabling livepatch
type on commandline:
ubuntu-advantage status
expect:
livepatch: disabled
esm: disabled (not available)
fips: disabled (not available)
2. Enable livepatch
visit https://ubuntu.com/livepatch and obtain a token
type on commandline,
sudo ubuntu-advantage enable-livepatch <yourtoken>
You may be required to install a newer kernel. In that case, expect the
following output:
Installing missing dependency snapd... OK
Installing the canonical-livepatch snap.
This may take a few minutes depending on your bandwidth.
canonical-livepatch 7.24 from 'canonical' installed
Your currently running kernel (3.13.0-133-generic) is too old to
support snaps. Version 4.4.0 or higher is needed.
Please reboot your system into a supported kernel version
and run the following command one more time to complete the
installation:
sudo ubuntu-advantage enable-livepatch <yourtoken>
Once you reboot and re-run the specified command, expect:
Enabling Livepatch with the given token, stand by...
Successfully enabled device. Using machine-token: <sometoken>
Use "canonical-livepatch status" to verify current patch status.
3. Verify livepatch status
type on commandline,
ubuntu-advantage status
expect an output like the following,
livepatch: enabled
client-version: "7.23"
architecture: x86_64
cpu-model: Intel Core Processor (Skylake)
last-check: 2017-10-23T15:10:45.640938255Z
boot-time: 2017-10-23T15:10:13Z
uptime: 1m19s
status:
- kernel: 4.4.0-97.120~14.04.1-generic
running: true
livepatch:
checkState: checked
patchState: nothing-to-apply
version: ""
fixes: ""
esm: disabled (not available)
fips: disabled (not available)
XENIAL
0. Install the new ubuntu-advantage-tools package to add livepatch support.
1. Collect status before enabling livepatch
type on commandline,
ubuntu-advantage status
expect,
livepatch: disabled
esm: disabled (not available)
fips: disabled
2. Enable livepatch
visit https://ubuntu.com/livepatch and obtain a token
type on commandline,
sudo ubuntu-advantage enable-livepatch <yourtoken>
expect,
Installing the canonical-livepatch snap.
This may take a few minutes depending on your bandwidth.
2017-10-20T19:39:41Z INFO Waiting for restart...
canonical-livepatch 7.24 from 'canonical' installed
Enabling Livepatch with the given token, stand by...
Successfully enabled device. Using machine-token: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Use "canonical-livepatch status" to verify current patch status.
3. Verify livepatch status
type on commandline,
ubuntu-advantage status
expect an output like the following,
livepatch: enabled
client-version: "7.23"
architecture: x86_64
cpu-model: Intel Core Processor (Skylake)
last-check: 2017-10-20T19:39:54.451499227Z
boot-time: 2017-10-20T19:28:09Z
uptime: 15m30s
status:
- kernel: 4.4.0-97.120-generic
running: true
livepatch:
checkState: checked
patchState: nothing-to-apply
version: ""
fixes: ""
esm: disabled (not available)
fips: disabled
ZESTY
0. Install the new ubuntu-advantage-tools package to add livepatch support.
1. Collect status before enabling livepatch
type on commandline:
ubuntu-advantage status
expect the livepatch service to be unavailable:
livepatch: disabled (not available)
esm: disabled (not available)
fips: disabled (not available)
2. Ensure that livepatch cannot be enabled on Zesty.
You can use a dummy set of credentials like "foobar" as the token:
type on commandline,
sudo ubuntu-advantage enable-livepatch foobar
expect,
Sorry, but Canonical Livepatch is not supported on zesty
[FIPS TESTCASES]
These testcases assume you have installed ubuntu-advantage-tools with the proposed changes. Prior to the upload they were performed on S390, PPC64EL and AMD64 architectures.
TRUSTY
(Note that FIPS is not supported on trusty.)
1. Collect status before enabling fips
type on commandline,
ubuntu-advantage status
expect,
livepatch: disabled
esm: disabled (not available)
fips: disabled (not available)
2. Ensure that fips cannot be enabled on trusty.
You can use a dummy set of credentials like user:secret as the token:
type on commandline,
sudo ubuntu-advantage enable-fips user:secret
expect,
Sorry, but Canonical FIPS 140-2 Modules is not supported on trusty
XENIAL
0. Install the new ubuntu-advantage-tools package to add fips support.
1. Collect status before enabling fips
type on commandline,
ubuntu-advantage status
expect,
livepatch: disabled
esm: disabled (not available)
fips: disabled
2. Enable fips
Note: This will require a token or credentials to fips Private PPA, in
the form xxx:xxx
type on commandline,
sudo ubuntu-advantage enable-fips xxx:xxx
expect,
[sudo] password for ubuntu:
Running apt-get update... OK
Ubuntu FIPS PPA repository enabled.
Installing FIPS packages (this may take a while)... OK
Configuring FIPS...
Updating grub to enable fips... OK
Successfully configured FIPS. Please reboot into the FIPS kernel to enable it.
type on commandline,
sudo reboot
3. Log back into system after reboot
type on commandline,
ubuntu-advantage status
expect,
livepatch: disabled
esm: disabled (not available)
fips: enabled
4. verify fips kernel "4.4.0-1002-fips" has been installed
type on commandline,
uname -a
expect,
Linux xenialguest 4.4.0-1002-fips #2-Ubuntu SMP Thu Apr 27 19:37:46 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
ZESTY
(Note that FIPS is not supported on zesty.)
1. Collect status before enabling fips
type on commandline,
ubuntu-advantage status
expect,
livepatch: disabled (not available)
esm: disabled (not available)
fips: disabled (not available)
2. Ensure that fips cannot be enabled on Zesty.
You can use a dummy set of credentials like user:secret as the token:
type on commandline,
sudo ubuntu-advantage enable-fips user:secret
expect,
Sorry, but Canonical FIPS 140-2 Modules is not supported on zesty
[REGRESSION POTENTIAL]
The current ubuntu-advantage-tools package in trusty, xenial and zesty is basically a NOOP because the only service it supports is ESM, which is only available for precise.
This update adds two new features to the package: FIPS (xenial only) and Livepatch (trusty and xenial), essentially making the package useful in trusty and xenial. For zesty there is no change, as none of these products are available for non-LTS releases.
[OTHER INFO]
The way this package was made available in all the ubuntu releases where it is now was via a "pocket copy". That's why it has the exact same version in trusty, xenial and zesty. Currently artful has version 10 (a version 12 just missed the feature freeze), so in order for upgrades between releases to work, we adopted the backports versioning scheme, by appending the ubuntu release code with a tilda ("~") to the version.
Another point is that even though ubuntu-advantage-tools is "just" a shell script, it is unit tested with python3, and these tests (and lint runs) gate merges in the upstream github repository at github.com/CanonicalLtd/ubuntu-advantage-script/ |
|
2017-10-23 19:26:16 |
Andreas Hasenack |
attachment removed |
ubuntu-advantage-tools_10~ubuntu0.16.04.1.tar.xz https://bugs.launchpad.net/ubuntu/+source/ubuntu-advantage-tools/+bug/1719671/+attachment/4973827/+files/ubuntu-advantage-tools_10~ubuntu0.16.04.1.tar.xz |
|
|
2017-10-23 19:26:21 |
Andreas Hasenack |
attachment removed |
ubuntu-advantage-tools_10~ubuntu0.17.04.1.tar.xz https://bugs.launchpad.net/ubuntu/+source/ubuntu-advantage-tools/+bug/1719671/+attachment/4973837/+files/ubuntu-advantage-tools_10~ubuntu0.17.04.1.tar.xz |
|
|
2017-10-23 19:27:50 |
Andreas Hasenack |
attachment added |
|
ubuntu-advantage-tools_10~ubuntu0.14.04.1.tar.xz https://bugs.launchpad.net/ubuntu/+source/ubuntu-advantage-tools/+bug/1719671/+attachment/4989104/+files/ubuntu-advantage-tools_10~ubuntu0.14.04.1.tar.xz |
|
2017-10-23 19:28:09 |
Andreas Hasenack |
attachment added |
|
ubuntu-advantage-tools_10~ubuntu0.16.04.1.tar.xz https://bugs.launchpad.net/ubuntu/+source/ubuntu-advantage-tools/+bug/1719671/+attachment/4989105/+files/ubuntu-advantage-tools_10~ubuntu0.16.04.1.tar.xz |
|
2017-10-23 19:28:30 |
Andreas Hasenack |
attachment added |
|
ubuntu-advantage-tools_10~ubuntu0.17.04.1.tar.xz https://bugs.launchpad.net/ubuntu/+source/ubuntu-advantage-tools/+bug/1719671/+attachment/4989106/+files/ubuntu-advantage-tools_10~ubuntu0.17.04.1.tar.xz |
|
2017-10-23 19:29:00 |
Andreas Hasenack |
attachment removed |
v2v10-zesty.debdiff https://bugs.launchpad.net/ubuntu/+source/ubuntu-advantage-tools/+bug/1719671/+attachment/4973833/+files/v2v10-zesty.debdiff |
|
|
2017-10-23 19:29:04 |
Andreas Hasenack |
attachment removed |
v2v10.xenial.debdiff https://bugs.launchpad.net/ubuntu/+source/ubuntu-advantage-tools/+bug/1719671/+attachment/4973809/+files/v2v10-xenial.debdiff |
|
|
2017-10-23 19:31:22 |
Andreas Hasenack |
attachment added |
|
trusty-v2v10.debdiff https://bugs.launchpad.net/ubuntu/+source/ubuntu-advantage-tools/+bug/1719671/+attachment/4989120/+files/trusty-v2v10.debdiff |
|
2017-10-23 19:31:45 |
Andreas Hasenack |
attachment added |
|
xenial-v2v10.debdiff https://bugs.launchpad.net/ubuntu/+source/ubuntu-advantage-tools/+bug/1719671/+attachment/4989121/+files/xenial-v2v10.debdiff |
|
2017-10-23 19:32:17 |
Andreas Hasenack |
attachment added |
|
zesty-v2v10.debdiff https://bugs.launchpad.net/ubuntu/+source/ubuntu-advantage-tools/+bug/1719671/+attachment/4989122/+files/zesty-v2v10.debdiff |
|
2017-10-23 19:34:50 |
Andreas Hasenack |
description |
** description still being worked on, not done yet **
This bug has some history that may be confusing if the comments are read linearly. Basically it started out as a Feature Freeze Exception, that's why we have build logs and unit test runs attached.
Also, the "rename" that is mentioned elsewhere did not happen with this package: the ubuntu-advantage name was kept, no new aliases were added. This will happen in a later SRU, with a later version of the package.
For the SRU, what we need is:
* new tarball
* new debdiff, but note that binary file changes won't be shown in the debdiff
[IMPACT]
Most recent version of ubuntu-advantage-tool on github includes fips and livepatch enablement. The fips enablement will allow customers to easily install and configure Canonical's FIPS certified modules on xenial, whereas livepatch allows xenial and trusty customers to patch the running kernel without a reboot.
This SRU will cover both new features.
In addition to the new features themselves, a new "status" command was added that will give a short summary about the available modules and their status, at a glance.
Note: FIPS certified modules are only available for xenial. Livepatch is supported on xenial and trusty. The tool will refuse to enable either service on an unsupported ubuntu release.
Without this updated package, customers of those services have to enable them manually by following a series of steps.
[FIPS DESCRIPTION]
When "ubuntu-advantage enable-fips <token>" is issued from commandline,
- configure the private PPA where the FIPS modules are located
- install the FIPS modules from this PPA to the local machine from where the script is run
- configure the bootloader to enable fips
Upon successful completion of these steps, the customer then gets a message stating to reboot
the machine to complete the fips enablement process.
Without the script, customers must perform the steps manually.
[LIVEPATCH DESCRIPTION]
Livepatch allows customers to apply kernel patches to a running system without rebooting it.
The current instructions live in http://ubuntu.com/livepatch and boil down to:
- install snapd if it's not installed already. On trusty this means a new kernel as well.
- install the canonical-livepatch snap
- obtain a livepatch token from Canonical
- run the enable command with the given token
The ubuntu-advantage-tools package simplifies this process by just requesting the token and performing all the other steps on behalf of the user. It also conveniently checks the running kernel and instructs the user to reboot into a newer kernel if needed to finish the installation (this is the case when running trusty).
[FIX]
Add fips and livepatch support to the ubuntu-adadvantage-tools package. See debdiff below.
[LIVEPATCH TESTCASES]
TRUSTY
0. Install the new ubuntu-advantage-tools package to add livepatch support.
1. Collect status before enabling livepatch
type on commandline:
ubuntu-advantage status
expect:
livepatch: disabled
esm: disabled (not available)
fips: disabled (not available)
2. Enable livepatch
visit https://ubuntu.com/livepatch and obtain a token
type on commandline,
sudo ubuntu-advantage enable-livepatch <yourtoken>
You may be required to install a newer kernel. In that case, expect the
following output:
Installing missing dependency snapd... OK
Installing the canonical-livepatch snap.
This may take a few minutes depending on your bandwidth.
canonical-livepatch 7.24 from 'canonical' installed
Your currently running kernel (3.13.0-133-generic) is too old to
support snaps. Version 4.4.0 or higher is needed.
Please reboot your system into a supported kernel version
and run the following command one more time to complete the
installation:
sudo ubuntu-advantage enable-livepatch <yourtoken>
Once you reboot and re-run the specified command, expect:
Enabling Livepatch with the given token, stand by...
Successfully enabled device. Using machine-token: <sometoken>
Use "canonical-livepatch status" to verify current patch status.
3. Verify livepatch status
type on commandline,
ubuntu-advantage status
expect an output like the following,
livepatch: enabled
client-version: "7.23"
architecture: x86_64
cpu-model: Intel Core Processor (Skylake)
last-check: 2017-10-23T15:10:45.640938255Z
boot-time: 2017-10-23T15:10:13Z
uptime: 1m19s
status:
- kernel: 4.4.0-97.120~14.04.1-generic
running: true
livepatch:
checkState: checked
patchState: nothing-to-apply
version: ""
fixes: ""
esm: disabled (not available)
fips: disabled (not available)
XENIAL
0. Install the new ubuntu-advantage-tools package to add livepatch support.
1. Collect status before enabling livepatch
type on commandline,
ubuntu-advantage status
expect,
livepatch: disabled
esm: disabled (not available)
fips: disabled
2. Enable livepatch
visit https://ubuntu.com/livepatch and obtain a token
type on commandline,
sudo ubuntu-advantage enable-livepatch <yourtoken>
expect,
Installing the canonical-livepatch snap.
This may take a few minutes depending on your bandwidth.
2017-10-20T19:39:41Z INFO Waiting for restart...
canonical-livepatch 7.24 from 'canonical' installed
Enabling Livepatch with the given token, stand by...
Successfully enabled device. Using machine-token: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Use "canonical-livepatch status" to verify current patch status.
3. Verify livepatch status
type on commandline,
ubuntu-advantage status
expect an output like the following,
livepatch: enabled
client-version: "7.23"
architecture: x86_64
cpu-model: Intel Core Processor (Skylake)
last-check: 2017-10-20T19:39:54.451499227Z
boot-time: 2017-10-20T19:28:09Z
uptime: 15m30s
status:
- kernel: 4.4.0-97.120-generic
running: true
livepatch:
checkState: checked
patchState: nothing-to-apply
version: ""
fixes: ""
esm: disabled (not available)
fips: disabled
ZESTY
0. Install the new ubuntu-advantage-tools package to add livepatch support.
1. Collect status before enabling livepatch
type on commandline:
ubuntu-advantage status
expect the livepatch service to be unavailable:
livepatch: disabled (not available)
esm: disabled (not available)
fips: disabled (not available)
2. Ensure that livepatch cannot be enabled on Zesty.
You can use a dummy set of credentials like "foobar" as the token:
type on commandline,
sudo ubuntu-advantage enable-livepatch foobar
expect,
Sorry, but Canonical Livepatch is not supported on zesty
[FIPS TESTCASES]
These testcases assume you have installed ubuntu-advantage-tools with the proposed changes. Prior to the upload they were performed on S390, PPC64EL and AMD64 architectures.
TRUSTY
(Note that FIPS is not supported on trusty.)
1. Collect status before enabling fips
type on commandline,
ubuntu-advantage status
expect,
livepatch: disabled
esm: disabled (not available)
fips: disabled (not available)
2. Ensure that fips cannot be enabled on trusty.
You can use a dummy set of credentials like user:secret as the token:
type on commandline,
sudo ubuntu-advantage enable-fips user:secret
expect,
Sorry, but Canonical FIPS 140-2 Modules is not supported on trusty
XENIAL
0. Install the new ubuntu-advantage-tools package to add fips support.
1. Collect status before enabling fips
type on commandline,
ubuntu-advantage status
expect,
livepatch: disabled
esm: disabled (not available)
fips: disabled
2. Enable fips
Note: This will require a token or credentials to fips Private PPA, in
the form xxx:xxx
type on commandline,
sudo ubuntu-advantage enable-fips xxx:xxx
expect,
[sudo] password for ubuntu:
Running apt-get update... OK
Ubuntu FIPS PPA repository enabled.
Installing FIPS packages (this may take a while)... OK
Configuring FIPS...
Updating grub to enable fips... OK
Successfully configured FIPS. Please reboot into the FIPS kernel to enable it.
type on commandline,
sudo reboot
3. Log back into system after reboot
type on commandline,
ubuntu-advantage status
expect,
livepatch: disabled
esm: disabled (not available)
fips: enabled
4. verify fips kernel "4.4.0-1002-fips" has been installed
type on commandline,
uname -a
expect,
Linux xenialguest 4.4.0-1002-fips #2-Ubuntu SMP Thu Apr 27 19:37:46 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
ZESTY
(Note that FIPS is not supported on zesty.)
1. Collect status before enabling fips
type on commandline,
ubuntu-advantage status
expect,
livepatch: disabled (not available)
esm: disabled (not available)
fips: disabled (not available)
2. Ensure that fips cannot be enabled on Zesty.
You can use a dummy set of credentials like user:secret as the token:
type on commandline,
sudo ubuntu-advantage enable-fips user:secret
expect,
Sorry, but Canonical FIPS 140-2 Modules is not supported on zesty
[REGRESSION POTENTIAL]
The current ubuntu-advantage-tools package in trusty, xenial and zesty is basically a NOOP because the only service it supports is ESM, which is only available for precise.
This update adds two new features to the package: FIPS (xenial only) and Livepatch (trusty and xenial), essentially making the package useful in trusty and xenial. For zesty there is no change, as none of these products are available for non-LTS releases.
[OTHER INFO]
The way this package was made available in all the ubuntu releases where it is now was via a "pocket copy". That's why it has the exact same version in trusty, xenial and zesty. Currently artful has version 10 (a version 12 just missed the feature freeze), so in order for upgrades between releases to work, we adopted the backports versioning scheme, by appending the ubuntu release code with a tilda ("~") to the version.
Another point is that even though ubuntu-advantage-tools is "just" a shell script, it is unit tested with python3, and these tests (and lint runs) gate merges in the upstream github repository at github.com/CanonicalLtd/ubuntu-advantage-script/ |
** description still being worked on, not done yet **
This bug has some history that may be confusing if the comments are read linearly. Basically it started out as a Feature Freeze Exception, that's why we have build logs and unit test runs attached.
Also, the "rename" that is mentioned elsewhere did not happen with this package: the ubuntu-advantage name was kept, no new aliases were added. This will happen in a later SRU, with a later version of the package.
I uploaded new tarballs and debdiff with these changes from what was here before, just in case you the reader have looked at this before:
* tarball with correct directory entry. The previous one had "v10" instead of "10" as the base version
* updated most recent changelog entry, just saying this is a backport of version 10. No need to say it has fips support, which neglected to mention the livepatch support. All that is in the previous d/changelog entries
[IMPACT]
Most recent version of ubuntu-advantage-tool on github includes fips and livepatch enablement. The fips enablement will allow customers to easily install and configure Canonical's FIPS certified modules on xenial, whereas livepatch allows xenial and trusty customers to patch the running kernel without a reboot.
This SRU will cover both new features.
In addition to the new features themselves, a new "status" command was added that will give a short summary about the available modules and their status, at a glance.
Note: FIPS certified modules are only available for xenial. Livepatch is supported on xenial and trusty. The tool will refuse to enable either service on an unsupported ubuntu release.
Without this updated package, customers of those services have to enable them manually by following a series of steps.
[FIPS DESCRIPTION]
When "ubuntu-advantage enable-fips <token>" is issued from commandline,
- configure the private PPA where the FIPS modules are located
- install the FIPS modules from this PPA to the local machine from where the script is run
- configure the bootloader to enable fips
Upon successful completion of these steps, the customer then gets a message stating to reboot
the machine to complete the fips enablement process.
Without the script, customers must perform the steps manually.
[LIVEPATCH DESCRIPTION]
Livepatch allows customers to apply kernel patches to a running system without rebooting it.
The current instructions live in http://ubuntu.com/livepatch and boil down to:
- install snapd if it's not installed already. On trusty this means a new kernel as well.
- install the canonical-livepatch snap
- obtain a livepatch token from Canonical
- run the enable command with the given token
The ubuntu-advantage-tools package simplifies this process by just requesting the token and performing all the other steps on behalf of the user. It also conveniently checks the running kernel and instructs the user to reboot into a newer kernel if needed to finish the installation (this is the case when running trusty).
[FIX]
Add fips and livepatch support to the ubuntu-adadvantage-tools package. See debdiff below.
[LIVEPATCH TESTCASES]
TRUSTY
0. Install the new ubuntu-advantage-tools package to add livepatch support.
1. Collect status before enabling livepatch
type on commandline:
ubuntu-advantage status
expect:
livepatch: disabled
esm: disabled (not available)
fips: disabled (not available)
2. Enable livepatch
visit https://ubuntu.com/livepatch and obtain a token
type on commandline,
sudo ubuntu-advantage enable-livepatch <yourtoken>
You may be required to install a newer kernel. In that case, expect the
following output:
Installing missing dependency snapd... OK
Installing the canonical-livepatch snap.
This may take a few minutes depending on your bandwidth.
canonical-livepatch 7.24 from 'canonical' installed
Your currently running kernel (3.13.0-133-generic) is too old to
support snaps. Version 4.4.0 or higher is needed.
Please reboot your system into a supported kernel version
and run the following command one more time to complete the
installation:
sudo ubuntu-advantage enable-livepatch <yourtoken>
Once you reboot and re-run the specified command, expect:
Enabling Livepatch with the given token, stand by...
Successfully enabled device. Using machine-token: <sometoken>
Use "canonical-livepatch status" to verify current patch status.
3. Verify livepatch status
type on commandline,
ubuntu-advantage status
expect an output like the following,
livepatch: enabled
client-version: "7.23"
architecture: x86_64
cpu-model: Intel Core Processor (Skylake)
last-check: 2017-10-23T15:10:45.640938255Z
boot-time: 2017-10-23T15:10:13Z
uptime: 1m19s
status:
- kernel: 4.4.0-97.120~14.04.1-generic
running: true
livepatch:
checkState: checked
patchState: nothing-to-apply
version: ""
fixes: ""
esm: disabled (not available)
fips: disabled (not available)
XENIAL
0. Install the new ubuntu-advantage-tools package to add livepatch support.
1. Collect status before enabling livepatch
type on commandline,
ubuntu-advantage status
expect,
livepatch: disabled
esm: disabled (not available)
fips: disabled
2. Enable livepatch
visit https://ubuntu.com/livepatch and obtain a token
type on commandline,
sudo ubuntu-advantage enable-livepatch <yourtoken>
expect,
Installing the canonical-livepatch snap.
This may take a few minutes depending on your bandwidth.
2017-10-20T19:39:41Z INFO Waiting for restart...
canonical-livepatch 7.24 from 'canonical' installed
Enabling Livepatch with the given token, stand by...
Successfully enabled device. Using machine-token: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Use "canonical-livepatch status" to verify current patch status.
3. Verify livepatch status
type on commandline,
ubuntu-advantage status
expect an output like the following,
livepatch: enabled
client-version: "7.23"
architecture: x86_64
cpu-model: Intel Core Processor (Skylake)
last-check: 2017-10-20T19:39:54.451499227Z
boot-time: 2017-10-20T19:28:09Z
uptime: 15m30s
status:
- kernel: 4.4.0-97.120-generic
running: true
livepatch:
checkState: checked
patchState: nothing-to-apply
version: ""
fixes: ""
esm: disabled (not available)
fips: disabled
ZESTY
0. Install the new ubuntu-advantage-tools package to add livepatch support.
1. Collect status before enabling livepatch
type on commandline:
ubuntu-advantage status
expect the livepatch service to be unavailable:
livepatch: disabled (not available)
esm: disabled (not available)
fips: disabled (not available)
2. Ensure that livepatch cannot be enabled on Zesty.
You can use a dummy set of credentials like "foobar" as the token:
type on commandline,
sudo ubuntu-advantage enable-livepatch foobar
expect,
Sorry, but Canonical Livepatch is not supported on zesty
[FIPS TESTCASES]
These testcases assume you have installed ubuntu-advantage-tools with the proposed changes. Prior to the upload they were performed on S390, PPC64EL and AMD64 architectures.
TRUSTY
(Note that FIPS is not supported on trusty.)
1. Collect status before enabling fips
type on commandline,
ubuntu-advantage status
expect,
livepatch: disabled
esm: disabled (not available)
fips: disabled (not available)
2. Ensure that fips cannot be enabled on trusty.
You can use a dummy set of credentials like user:secret as the token:
type on commandline,
sudo ubuntu-advantage enable-fips user:secret
expect,
Sorry, but Canonical FIPS 140-2 Modules is not supported on trusty
XENIAL
0. Install the new ubuntu-advantage-tools package to add fips support.
1. Collect status before enabling fips
type on commandline,
ubuntu-advantage status
expect,
livepatch: disabled
esm: disabled (not available)
fips: disabled
2. Enable fips
Note: This will require a token or credentials to fips Private PPA, in
the form xxx:xxx
type on commandline,
sudo ubuntu-advantage enable-fips xxx:xxx
expect,
[sudo] password for ubuntu:
Running apt-get update... OK
Ubuntu FIPS PPA repository enabled.
Installing FIPS packages (this may take a while)... OK
Configuring FIPS...
Updating grub to enable fips... OK
Successfully configured FIPS. Please reboot into the FIPS kernel to enable it.
type on commandline,
sudo reboot
3. Log back into system after reboot
type on commandline,
ubuntu-advantage status
expect,
livepatch: disabled
esm: disabled (not available)
fips: enabled
4. verify fips kernel "4.4.0-1002-fips" has been installed
type on commandline,
uname -a
expect,
Linux xenialguest 4.4.0-1002-fips #2-Ubuntu SMP Thu Apr 27 19:37:46 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
ZESTY
(Note that FIPS is not supported on zesty.)
1. Collect status before enabling fips
type on commandline,
ubuntu-advantage status
expect,
livepatch: disabled (not available)
esm: disabled (not available)
fips: disabled (not available)
2. Ensure that fips cannot be enabled on Zesty.
You can use a dummy set of credentials like user:secret as the token:
type on commandline,
sudo ubuntu-advantage enable-fips user:secret
expect,
Sorry, but Canonical FIPS 140-2 Modules is not supported on zesty
[REGRESSION POTENTIAL]
The current ubuntu-advantage-tools package in trusty, xenial and zesty is basically a NOOP because the only service it supports is ESM, which is only available for precise.
This update adds two new features to the package: FIPS (xenial only) and Livepatch (trusty and xenial), essentially making the package useful in trusty and xenial. For zesty there is no change, as none of these products are available for non-LTS releases.
[OTHER INFO]
The way this package was made available in all the ubuntu releases where it is now was via a "pocket copy". That's why it has the exact same version in trusty, xenial and zesty. Currently artful has version 10 (a version 12 just missed the feature freeze), so in order for upgrades between releases to work, we adopted the backports versioning scheme, by appending the ubuntu release code with a tilda ("~") to the version.
Another point is that even though ubuntu-advantage-tools is "just" a shell script, it is unit tested with python3, and these tests (and lint runs) gate merges in the upstream github repository at github.com/CanonicalLtd/ubuntu-advantage-script/ |
|
2017-10-23 20:10:13 |
Andreas Hasenack |
description |
** description still being worked on, not done yet **
This bug has some history that may be confusing if the comments are read linearly. Basically it started out as a Feature Freeze Exception, that's why we have build logs and unit test runs attached.
Also, the "rename" that is mentioned elsewhere did not happen with this package: the ubuntu-advantage name was kept, no new aliases were added. This will happen in a later SRU, with a later version of the package.
I uploaded new tarballs and debdiff with these changes from what was here before, just in case you the reader have looked at this before:
* tarball with correct directory entry. The previous one had "v10" instead of "10" as the base version
* updated most recent changelog entry, just saying this is a backport of version 10. No need to say it has fips support, which neglected to mention the livepatch support. All that is in the previous d/changelog entries
[IMPACT]
Most recent version of ubuntu-advantage-tool on github includes fips and livepatch enablement. The fips enablement will allow customers to easily install and configure Canonical's FIPS certified modules on xenial, whereas livepatch allows xenial and trusty customers to patch the running kernel without a reboot.
This SRU will cover both new features.
In addition to the new features themselves, a new "status" command was added that will give a short summary about the available modules and their status, at a glance.
Note: FIPS certified modules are only available for xenial. Livepatch is supported on xenial and trusty. The tool will refuse to enable either service on an unsupported ubuntu release.
Without this updated package, customers of those services have to enable them manually by following a series of steps.
[FIPS DESCRIPTION]
When "ubuntu-advantage enable-fips <token>" is issued from commandline,
- configure the private PPA where the FIPS modules are located
- install the FIPS modules from this PPA to the local machine from where the script is run
- configure the bootloader to enable fips
Upon successful completion of these steps, the customer then gets a message stating to reboot
the machine to complete the fips enablement process.
Without the script, customers must perform the steps manually.
[LIVEPATCH DESCRIPTION]
Livepatch allows customers to apply kernel patches to a running system without rebooting it.
The current instructions live in http://ubuntu.com/livepatch and boil down to:
- install snapd if it's not installed already. On trusty this means a new kernel as well.
- install the canonical-livepatch snap
- obtain a livepatch token from Canonical
- run the enable command with the given token
The ubuntu-advantage-tools package simplifies this process by just requesting the token and performing all the other steps on behalf of the user. It also conveniently checks the running kernel and instructs the user to reboot into a newer kernel if needed to finish the installation (this is the case when running trusty).
[FIX]
Add fips and livepatch support to the ubuntu-adadvantage-tools package. See debdiff below.
[LIVEPATCH TESTCASES]
TRUSTY
0. Install the new ubuntu-advantage-tools package to add livepatch support.
1. Collect status before enabling livepatch
type on commandline:
ubuntu-advantage status
expect:
livepatch: disabled
esm: disabled (not available)
fips: disabled (not available)
2. Enable livepatch
visit https://ubuntu.com/livepatch and obtain a token
type on commandline,
sudo ubuntu-advantage enable-livepatch <yourtoken>
You may be required to install a newer kernel. In that case, expect the
following output:
Installing missing dependency snapd... OK
Installing the canonical-livepatch snap.
This may take a few minutes depending on your bandwidth.
canonical-livepatch 7.24 from 'canonical' installed
Your currently running kernel (3.13.0-133-generic) is too old to
support snaps. Version 4.4.0 or higher is needed.
Please reboot your system into a supported kernel version
and run the following command one more time to complete the
installation:
sudo ubuntu-advantage enable-livepatch <yourtoken>
Once you reboot and re-run the specified command, expect:
Enabling Livepatch with the given token, stand by...
Successfully enabled device. Using machine-token: <sometoken>
Use "canonical-livepatch status" to verify current patch status.
3. Verify livepatch status
type on commandline,
ubuntu-advantage status
expect an output like the following,
livepatch: enabled
client-version: "7.23"
architecture: x86_64
cpu-model: Intel Core Processor (Skylake)
last-check: 2017-10-23T15:10:45.640938255Z
boot-time: 2017-10-23T15:10:13Z
uptime: 1m19s
status:
- kernel: 4.4.0-97.120~14.04.1-generic
running: true
livepatch:
checkState: checked
patchState: nothing-to-apply
version: ""
fixes: ""
esm: disabled (not available)
fips: disabled (not available)
XENIAL
0. Install the new ubuntu-advantage-tools package to add livepatch support.
1. Collect status before enabling livepatch
type on commandline,
ubuntu-advantage status
expect,
livepatch: disabled
esm: disabled (not available)
fips: disabled
2. Enable livepatch
visit https://ubuntu.com/livepatch and obtain a token
type on commandline,
sudo ubuntu-advantage enable-livepatch <yourtoken>
expect,
Installing the canonical-livepatch snap.
This may take a few minutes depending on your bandwidth.
2017-10-20T19:39:41Z INFO Waiting for restart...
canonical-livepatch 7.24 from 'canonical' installed
Enabling Livepatch with the given token, stand by...
Successfully enabled device. Using machine-token: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Use "canonical-livepatch status" to verify current patch status.
3. Verify livepatch status
type on commandline,
ubuntu-advantage status
expect an output like the following,
livepatch: enabled
client-version: "7.23"
architecture: x86_64
cpu-model: Intel Core Processor (Skylake)
last-check: 2017-10-20T19:39:54.451499227Z
boot-time: 2017-10-20T19:28:09Z
uptime: 15m30s
status:
- kernel: 4.4.0-97.120-generic
running: true
livepatch:
checkState: checked
patchState: nothing-to-apply
version: ""
fixes: ""
esm: disabled (not available)
fips: disabled
ZESTY
0. Install the new ubuntu-advantage-tools package to add livepatch support.
1. Collect status before enabling livepatch
type on commandline:
ubuntu-advantage status
expect the livepatch service to be unavailable:
livepatch: disabled (not available)
esm: disabled (not available)
fips: disabled (not available)
2. Ensure that livepatch cannot be enabled on Zesty.
You can use a dummy set of credentials like "foobar" as the token:
type on commandline,
sudo ubuntu-advantage enable-livepatch foobar
expect,
Sorry, but Canonical Livepatch is not supported on zesty
[FIPS TESTCASES]
These testcases assume you have installed ubuntu-advantage-tools with the proposed changes. Prior to the upload they were performed on S390, PPC64EL and AMD64 architectures.
TRUSTY
(Note that FIPS is not supported on trusty.)
1. Collect status before enabling fips
type on commandline,
ubuntu-advantage status
expect,
livepatch: disabled
esm: disabled (not available)
fips: disabled (not available)
2. Ensure that fips cannot be enabled on trusty.
You can use a dummy set of credentials like user:secret as the token:
type on commandline,
sudo ubuntu-advantage enable-fips user:secret
expect,
Sorry, but Canonical FIPS 140-2 Modules is not supported on trusty
XENIAL
0. Install the new ubuntu-advantage-tools package to add fips support.
1. Collect status before enabling fips
type on commandline,
ubuntu-advantage status
expect,
livepatch: disabled
esm: disabled (not available)
fips: disabled
2. Enable fips
Note: This will require a token or credentials to fips Private PPA, in
the form xxx:xxx
type on commandline,
sudo ubuntu-advantage enable-fips xxx:xxx
expect,
[sudo] password for ubuntu:
Running apt-get update... OK
Ubuntu FIPS PPA repository enabled.
Installing FIPS packages (this may take a while)... OK
Configuring FIPS...
Updating grub to enable fips... OK
Successfully configured FIPS. Please reboot into the FIPS kernel to enable it.
type on commandline,
sudo reboot
3. Log back into system after reboot
type on commandline,
ubuntu-advantage status
expect,
livepatch: disabled
esm: disabled (not available)
fips: enabled
4. verify fips kernel "4.4.0-1002-fips" has been installed
type on commandline,
uname -a
expect,
Linux xenialguest 4.4.0-1002-fips #2-Ubuntu SMP Thu Apr 27 19:37:46 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
ZESTY
(Note that FIPS is not supported on zesty.)
1. Collect status before enabling fips
type on commandline,
ubuntu-advantage status
expect,
livepatch: disabled (not available)
esm: disabled (not available)
fips: disabled (not available)
2. Ensure that fips cannot be enabled on Zesty.
You can use a dummy set of credentials like user:secret as the token:
type on commandline,
sudo ubuntu-advantage enable-fips user:secret
expect,
Sorry, but Canonical FIPS 140-2 Modules is not supported on zesty
[REGRESSION POTENTIAL]
The current ubuntu-advantage-tools package in trusty, xenial and zesty is basically a NOOP because the only service it supports is ESM, which is only available for precise.
This update adds two new features to the package: FIPS (xenial only) and Livepatch (trusty and xenial), essentially making the package useful in trusty and xenial. For zesty there is no change, as none of these products are available for non-LTS releases.
[OTHER INFO]
The way this package was made available in all the ubuntu releases where it is now was via a "pocket copy". That's why it has the exact same version in trusty, xenial and zesty. Currently artful has version 10 (a version 12 just missed the feature freeze), so in order for upgrades between releases to work, we adopted the backports versioning scheme, by appending the ubuntu release code with a tilda ("~") to the version.
Another point is that even though ubuntu-advantage-tools is "just" a shell script, it is unit tested with python3, and these tests (and lint runs) gate merges in the upstream github repository at github.com/CanonicalLtd/ubuntu-advantage-script/ |
** description still being worked on, not done yet **
This bug has some history that may be confusing from the comments. Basically it started out as a Feature Freeze Exception, that's why we have build logs, git logs and unit test runs attached.
Also, the "rename" that is mentioned elsewhere did not happen with this package: the ubuntu-advantage name was kept, no new aliases were added. This will happen in a later SRU, with a later version of the package.
I uploaded new tarballs and debdiff with these changes from what was here before, just in case you, the reader, have looked at the previous description:
* tarball with correct directory entry. The previous one had "v10" instead of "10" as the base version
* updated most recent changelog entry, just saying this is a backport of version 10. No need to say it has fips support, which neglected to mention the livepatch support. All that is in the previous d/changelog entries
[IMPACT]
Most recent version of ubuntu-advantage-tool on github includes fips and livepatch enablement. The fips enablement will allow customers to easily install and configure Canonical's FIPS certified modules on xenial, whereas livepatch allows xenial and trusty customers to patch the running kernel without a reboot.
This SRU will cover both new features.
In addition to the new features themselves, a new "status" command was added that will give a short summary about the available modules and their status, at a glance.
Note: FIPS certified modules are only available for xenial. Livepatch is supported on xenial and trusty. The tool will refuse to enable either service on an unsupported ubuntu release.
Without this updated package, customers of those services have to enable them manually by following a series of steps.
[FIPS DESCRIPTION]
When "ubuntu-advantage enable-fips <token>" is issued from commandline,
- configure the private PPA where the FIPS modules are located
- install the FIPS modules from this PPA to the local machine from where the script is run
- configure the bootloader to enable fips
Upon successful completion of these steps, the customer then gets a message stating to reboot
the machine to complete the fips enablement process.
Without the script, customers must perform the steps manually.
[LIVEPATCH DESCRIPTION]
Livepatch allows customers to apply kernel patches to a running system without rebooting it.
The current instructions live in http://ubuntu.com/livepatch and boil down to:
- install snapd if it's not installed already. On trusty this means a new kernel as well.
- install the canonical-livepatch snap
- obtain a livepatch token from Canonical
- run the enable command with the given token
The ubuntu-advantage-tools package simplifies this process by just requesting the token and performing all the other steps on behalf of the user. It also conveniently checks the running kernel and instructs the user to reboot into a newer kernel if needed to finish the installation (this is the case when running trusty).
[FIX]
Add fips and livepatch support to the ubuntu-adadvantage-tools package. See debdiff below.
[LIVEPATCH TESTCASES]
TRUSTY
0. Install the new ubuntu-advantage-tools package to add livepatch support.
1. Collect status before enabling livepatch
type on commandline:
ubuntu-advantage status
expect:
livepatch: disabled
esm: disabled (not available)
fips: disabled (not available)
2. Enable livepatch
visit https://ubuntu.com/livepatch and obtain a token
type on commandline,
sudo ubuntu-advantage enable-livepatch <yourtoken>
You may be required to install a newer kernel. In that case, expect the
following output:
Installing missing dependency snapd... OK
Installing the canonical-livepatch snap.
This may take a few minutes depending on your bandwidth.
canonical-livepatch 7.24 from 'canonical' installed
Your currently running kernel (3.13.0-133-generic) is too old to
support snaps. Version 4.4.0 or higher is needed.
Please reboot your system into a supported kernel version
and run the following command one more time to complete the
installation:
sudo ubuntu-advantage enable-livepatch <yourtoken>
Once you reboot and re-run the specified command, expect:
Enabling Livepatch with the given token, stand by...
Successfully enabled device. Using machine-token: <sometoken>
Use "canonical-livepatch status" to verify current patch status.
3. Verify livepatch status
type on commandline,
ubuntu-advantage status
expect an output like the following,
livepatch: enabled
client-version: "7.23"
architecture: x86_64
cpu-model: Intel Core Processor (Skylake)
last-check: 2017-10-23T15:10:45.640938255Z
boot-time: 2017-10-23T15:10:13Z
uptime: 1m19s
status:
- kernel: 4.4.0-97.120~14.04.1-generic
running: true
livepatch:
checkState: checked
patchState: nothing-to-apply
version: ""
fixes: ""
esm: disabled (not available)
fips: disabled (not available)
XENIAL
0. Install the new ubuntu-advantage-tools package to add livepatch support.
1. Collect status before enabling livepatch
type on commandline,
ubuntu-advantage status
expect,
livepatch: disabled
esm: disabled (not available)
fips: disabled
2. Enable livepatch
visit https://ubuntu.com/livepatch and obtain a token
type on commandline,
sudo ubuntu-advantage enable-livepatch <yourtoken>
expect,
Installing the canonical-livepatch snap.
This may take a few minutes depending on your bandwidth.
2017-10-20T19:39:41Z INFO Waiting for restart...
canonical-livepatch 7.24 from 'canonical' installed
Enabling Livepatch with the given token, stand by...
Successfully enabled device. Using machine-token: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Use "canonical-livepatch status" to verify current patch status.
3. Verify livepatch status
type on commandline,
ubuntu-advantage status
expect an output like the following,
livepatch: enabled
client-version: "7.23"
architecture: x86_64
cpu-model: Intel Core Processor (Skylake)
last-check: 2017-10-20T19:39:54.451499227Z
boot-time: 2017-10-20T19:28:09Z
uptime: 15m30s
status:
- kernel: 4.4.0-97.120-generic
running: true
livepatch:
checkState: checked
patchState: nothing-to-apply
version: ""
fixes: ""
esm: disabled (not available)
fips: disabled
ZESTY
0. Install the new ubuntu-advantage-tools package to add livepatch support.
1. Collect status before enabling livepatch
type on commandline:
ubuntu-advantage status
expect the livepatch service to be unavailable:
livepatch: disabled (not available)
esm: disabled (not available)
fips: disabled (not available)
2. Ensure that livepatch cannot be enabled on Zesty.
You can use a dummy set of credentials like "foobar" as the token:
type on commandline,
sudo ubuntu-advantage enable-livepatch foobar
expect,
Sorry, but Canonical Livepatch is not supported on zesty
[FIPS TESTCASES]
These testcases assume you have installed ubuntu-advantage-tools with the proposed changes. Prior to the upload they were performed on S390, PPC64EL and AMD64 architectures.
TRUSTY
(Note that FIPS is not supported on trusty.)
1. Collect status before enabling fips
type on commandline,
ubuntu-advantage status
expect,
livepatch: disabled
esm: disabled (not available)
fips: disabled (not available)
2. Ensure that fips cannot be enabled on trusty.
You can use a dummy set of credentials like user:secret as the token:
type on commandline,
sudo ubuntu-advantage enable-fips user:secret
expect,
Sorry, but Canonical FIPS 140-2 Modules is not supported on trusty
XENIAL
0. Install the new ubuntu-advantage-tools package to add fips support.
1. Collect status before enabling fips
type on commandline,
ubuntu-advantage status
expect,
livepatch: disabled
esm: disabled (not available)
fips: disabled
2. Enable fips
Note: This will require a token or credentials to fips Private PPA, in
the form xxx:xxx
type on commandline,
sudo ubuntu-advantage enable-fips xxx:xxx
expect,
[sudo] password for ubuntu:
Running apt-get update... OK
Ubuntu FIPS PPA repository enabled.
Installing FIPS packages (this may take a while)... OK
Configuring FIPS...
Updating grub to enable fips... OK
Successfully configured FIPS. Please reboot into the FIPS kernel to enable it.
type on commandline,
sudo reboot
3. Log back into system after reboot
type on commandline,
ubuntu-advantage status
expect,
livepatch: disabled
esm: disabled (not available)
fips: enabled
4. verify fips kernel "4.4.0-1002-fips" has been installed
type on commandline,
uname -a
expect,
Linux xenialguest 4.4.0-1002-fips #2-Ubuntu SMP Thu Apr 27 19:37:46 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
ZESTY
(Note that FIPS is not supported on zesty.)
1. Collect status before enabling fips
type on commandline,
ubuntu-advantage status
expect,
livepatch: disabled (not available)
esm: disabled (not available)
fips: disabled (not available)
2. Ensure that fips cannot be enabled on Zesty.
You can use a dummy set of credentials like user:secret as the token:
type on commandline,
sudo ubuntu-advantage enable-fips user:secret
expect,
Sorry, but Canonical FIPS 140-2 Modules is not supported on zesty
[REGRESSION POTENTIAL]
The current ubuntu-advantage-tools package in trusty, xenial and zesty is basically a NOOP because the only service it supports is ESM, which is only available for precise.
This update adds two new features to the package: FIPS (xenial only) and Livepatch (trusty and xenial), essentially making the package useful in trusty and xenial. For zesty there is no change, as none of these products are available for non-LTS releases.
[OTHER INFO]
The way this package was made available in all the ubuntu releases where it is now was via a "pocket copy". That's why it has the exact same version in trusty, xenial and zesty. Currently artful has version 10 (a version 12 just missed the feature freeze), so in order for upgrades between releases to work, we adopted the backports versioning scheme, by appending the ubuntu release code with a tilda ("~") to the version.
Another point is that even though ubuntu-advantage-tools is "just" a shell script, it is unit tested with python3, and these tests (and lint runs) gate merges in the upstream github repository at github.com/CanonicalLtd/ubuntu-advantage-script/ |
|
2017-10-23 20:12:20 |
Andreas Hasenack |
description |
** description still being worked on, not done yet **
This bug has some history that may be confusing from the comments. Basically it started out as a Feature Freeze Exception, that's why we have build logs, git logs and unit test runs attached.
Also, the "rename" that is mentioned elsewhere did not happen with this package: the ubuntu-advantage name was kept, no new aliases were added. This will happen in a later SRU, with a later version of the package.
I uploaded new tarballs and debdiff with these changes from what was here before, just in case you, the reader, have looked at the previous description:
* tarball with correct directory entry. The previous one had "v10" instead of "10" as the base version
* updated most recent changelog entry, just saying this is a backport of version 10. No need to say it has fips support, which neglected to mention the livepatch support. All that is in the previous d/changelog entries
[IMPACT]
Most recent version of ubuntu-advantage-tool on github includes fips and livepatch enablement. The fips enablement will allow customers to easily install and configure Canonical's FIPS certified modules on xenial, whereas livepatch allows xenial and trusty customers to patch the running kernel without a reboot.
This SRU will cover both new features.
In addition to the new features themselves, a new "status" command was added that will give a short summary about the available modules and their status, at a glance.
Note: FIPS certified modules are only available for xenial. Livepatch is supported on xenial and trusty. The tool will refuse to enable either service on an unsupported ubuntu release.
Without this updated package, customers of those services have to enable them manually by following a series of steps.
[FIPS DESCRIPTION]
When "ubuntu-advantage enable-fips <token>" is issued from commandline,
- configure the private PPA where the FIPS modules are located
- install the FIPS modules from this PPA to the local machine from where the script is run
- configure the bootloader to enable fips
Upon successful completion of these steps, the customer then gets a message stating to reboot
the machine to complete the fips enablement process.
Without the script, customers must perform the steps manually.
[LIVEPATCH DESCRIPTION]
Livepatch allows customers to apply kernel patches to a running system without rebooting it.
The current instructions live in http://ubuntu.com/livepatch and boil down to:
- install snapd if it's not installed already. On trusty this means a new kernel as well.
- install the canonical-livepatch snap
- obtain a livepatch token from Canonical
- run the enable command with the given token
The ubuntu-advantage-tools package simplifies this process by just requesting the token and performing all the other steps on behalf of the user. It also conveniently checks the running kernel and instructs the user to reboot into a newer kernel if needed to finish the installation (this is the case when running trusty).
[FIX]
Add fips and livepatch support to the ubuntu-adadvantage-tools package. See debdiff below.
[LIVEPATCH TESTCASES]
TRUSTY
0. Install the new ubuntu-advantage-tools package to add livepatch support.
1. Collect status before enabling livepatch
type on commandline:
ubuntu-advantage status
expect:
livepatch: disabled
esm: disabled (not available)
fips: disabled (not available)
2. Enable livepatch
visit https://ubuntu.com/livepatch and obtain a token
type on commandline,
sudo ubuntu-advantage enable-livepatch <yourtoken>
You may be required to install a newer kernel. In that case, expect the
following output:
Installing missing dependency snapd... OK
Installing the canonical-livepatch snap.
This may take a few minutes depending on your bandwidth.
canonical-livepatch 7.24 from 'canonical' installed
Your currently running kernel (3.13.0-133-generic) is too old to
support snaps. Version 4.4.0 or higher is needed.
Please reboot your system into a supported kernel version
and run the following command one more time to complete the
installation:
sudo ubuntu-advantage enable-livepatch <yourtoken>
Once you reboot and re-run the specified command, expect:
Enabling Livepatch with the given token, stand by...
Successfully enabled device. Using machine-token: <sometoken>
Use "canonical-livepatch status" to verify current patch status.
3. Verify livepatch status
type on commandline,
ubuntu-advantage status
expect an output like the following,
livepatch: enabled
client-version: "7.23"
architecture: x86_64
cpu-model: Intel Core Processor (Skylake)
last-check: 2017-10-23T15:10:45.640938255Z
boot-time: 2017-10-23T15:10:13Z
uptime: 1m19s
status:
- kernel: 4.4.0-97.120~14.04.1-generic
running: true
livepatch:
checkState: checked
patchState: nothing-to-apply
version: ""
fixes: ""
esm: disabled (not available)
fips: disabled (not available)
XENIAL
0. Install the new ubuntu-advantage-tools package to add livepatch support.
1. Collect status before enabling livepatch
type on commandline,
ubuntu-advantage status
expect,
livepatch: disabled
esm: disabled (not available)
fips: disabled
2. Enable livepatch
visit https://ubuntu.com/livepatch and obtain a token
type on commandline,
sudo ubuntu-advantage enable-livepatch <yourtoken>
expect,
Installing the canonical-livepatch snap.
This may take a few minutes depending on your bandwidth.
2017-10-20T19:39:41Z INFO Waiting for restart...
canonical-livepatch 7.24 from 'canonical' installed
Enabling Livepatch with the given token, stand by...
Successfully enabled device. Using machine-token: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Use "canonical-livepatch status" to verify current patch status.
3. Verify livepatch status
type on commandline,
ubuntu-advantage status
expect an output like the following,
livepatch: enabled
client-version: "7.23"
architecture: x86_64
cpu-model: Intel Core Processor (Skylake)
last-check: 2017-10-20T19:39:54.451499227Z
boot-time: 2017-10-20T19:28:09Z
uptime: 15m30s
status:
- kernel: 4.4.0-97.120-generic
running: true
livepatch:
checkState: checked
patchState: nothing-to-apply
version: ""
fixes: ""
esm: disabled (not available)
fips: disabled
ZESTY
0. Install the new ubuntu-advantage-tools package to add livepatch support.
1. Collect status before enabling livepatch
type on commandline:
ubuntu-advantage status
expect the livepatch service to be unavailable:
livepatch: disabled (not available)
esm: disabled (not available)
fips: disabled (not available)
2. Ensure that livepatch cannot be enabled on Zesty.
You can use a dummy set of credentials like "foobar" as the token:
type on commandline,
sudo ubuntu-advantage enable-livepatch foobar
expect,
Sorry, but Canonical Livepatch is not supported on zesty
[FIPS TESTCASES]
These testcases assume you have installed ubuntu-advantage-tools with the proposed changes. Prior to the upload they were performed on S390, PPC64EL and AMD64 architectures.
TRUSTY
(Note that FIPS is not supported on trusty.)
1. Collect status before enabling fips
type on commandline,
ubuntu-advantage status
expect,
livepatch: disabled
esm: disabled (not available)
fips: disabled (not available)
2. Ensure that fips cannot be enabled on trusty.
You can use a dummy set of credentials like user:secret as the token:
type on commandline,
sudo ubuntu-advantage enable-fips user:secret
expect,
Sorry, but Canonical FIPS 140-2 Modules is not supported on trusty
XENIAL
0. Install the new ubuntu-advantage-tools package to add fips support.
1. Collect status before enabling fips
type on commandline,
ubuntu-advantage status
expect,
livepatch: disabled
esm: disabled (not available)
fips: disabled
2. Enable fips
Note: This will require a token or credentials to fips Private PPA, in
the form xxx:xxx
type on commandline,
sudo ubuntu-advantage enable-fips xxx:xxx
expect,
[sudo] password for ubuntu:
Running apt-get update... OK
Ubuntu FIPS PPA repository enabled.
Installing FIPS packages (this may take a while)... OK
Configuring FIPS...
Updating grub to enable fips... OK
Successfully configured FIPS. Please reboot into the FIPS kernel to enable it.
type on commandline,
sudo reboot
3. Log back into system after reboot
type on commandline,
ubuntu-advantage status
expect,
livepatch: disabled
esm: disabled (not available)
fips: enabled
4. verify fips kernel "4.4.0-1002-fips" has been installed
type on commandline,
uname -a
expect,
Linux xenialguest 4.4.0-1002-fips #2-Ubuntu SMP Thu Apr 27 19:37:46 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
ZESTY
(Note that FIPS is not supported on zesty.)
1. Collect status before enabling fips
type on commandline,
ubuntu-advantage status
expect,
livepatch: disabled (not available)
esm: disabled (not available)
fips: disabled (not available)
2. Ensure that fips cannot be enabled on Zesty.
You can use a dummy set of credentials like user:secret as the token:
type on commandline,
sudo ubuntu-advantage enable-fips user:secret
expect,
Sorry, but Canonical FIPS 140-2 Modules is not supported on zesty
[REGRESSION POTENTIAL]
The current ubuntu-advantage-tools package in trusty, xenial and zesty is basically a NOOP because the only service it supports is ESM, which is only available for precise.
This update adds two new features to the package: FIPS (xenial only) and Livepatch (trusty and xenial), essentially making the package useful in trusty and xenial. For zesty there is no change, as none of these products are available for non-LTS releases.
[OTHER INFO]
The way this package was made available in all the ubuntu releases where it is now was via a "pocket copy". That's why it has the exact same version in trusty, xenial and zesty. Currently artful has version 10 (a version 12 just missed the feature freeze), so in order for upgrades between releases to work, we adopted the backports versioning scheme, by appending the ubuntu release code with a tilda ("~") to the version.
Another point is that even though ubuntu-advantage-tools is "just" a shell script, it is unit tested with python3, and these tests (and lint runs) gate merges in the upstream github repository at github.com/CanonicalLtd/ubuntu-advantage-script/ |
** description still being worked on, not done yet **
This bug has some history that may be confusing from the comments. Basically it started out as a Feature Freeze Exception, that's why we have build logs, git logs and unit test runs attached.
Also, the "rename" that is mentioned elsewhere did not happen with this package: the ubuntu-advantage name was kept, no new aliases were added. This will happen in a later SRU, with a later version of the package.
I uploaded new tarballs and debdiff with these changes from what was here before, just in case you, the reader, have looked at the previous description:
* tarball with correct directory entry. The previous one had "v10" instead of "10" as the base version
* updated most recent changelog entry, just saying this is a backport of version 10. No need to say it has fips support, which neglected to mention the livepatch support. All that is in the previous d/changelog entries
[IMPACT]
Most recent version of ubuntu-advantage-tool on github includes fips and livepatch enablement. The fips enablement will allow customers to easily install and configure Canonical's FIPS certified modules on xenial, whereas livepatch allows xenial and trusty customers to patch the running kernel without a reboot.
This SRU will cover both new features.
In addition to the new features themselves, a new "status" command was added that will give a short summary about the available modules and their status, at a glance.
Note: FIPS certified modules are only available for xenial. Livepatch is supported on xenial and trusty. The tool will refuse to enable either service on an unsupported ubuntu release.
Without this updated package, customers of those services have to enable them manually by following a series of steps.
[FIPS DESCRIPTION]
When "ubuntu-advantage enable-fips <token>" is issued from commandline,
- configure the private PPA where the FIPS modules are located
- install the FIPS modules from this PPA to the local machine from where the script is run
- configure the bootloader to enable fips
Upon successful completion of these steps, the customer then gets a message stating to reboot
the machine to complete the fips enablement process.
Without the script, customers must perform the steps manually.
[LIVEPATCH DESCRIPTION]
Livepatch allows customers to apply kernel patches to a running system without rebooting it.
The current instructions live in http://ubuntu.com/livepatch and boil down to:
- install snapd if it's not installed already. On trusty this means a new kernel as well.
- install the canonical-livepatch snap
- obtain a livepatch token from Canonical
- run the enable command with the given token
The ubuntu-advantage-tools package simplifies this process by just requesting the token and performing all the other steps on behalf of the user. It also conveniently checks the running kernel and instructs the user to reboot into a newer kernel if needed to finish the installation (this is the case when running trusty).
[FIX]
Add fips and livepatch support to the ubuntu-adadvantage-tools package. See debdiff below.
[LIVEPATCH TESTCASES]
TRUSTY
0. Install the new ubuntu-advantage-tools package to add livepatch support.
1. Collect status before enabling livepatch
type on commandline:
ubuntu-advantage status
expect:
livepatch: disabled
esm: disabled (not available)
fips: disabled (not available)
2. Enable livepatch
visit https://ubuntu.com/livepatch and obtain a token
type on commandline,
sudo ubuntu-advantage enable-livepatch <yourtoken>
You may be required to install a newer kernel. In that case, expect the
following output:
Installing missing dependency snapd... OK
Installing the canonical-livepatch snap.
This may take a few minutes depending on your bandwidth.
canonical-livepatch 7.24 from 'canonical' installed
Your currently running kernel (3.13.0-133-generic) is too old to
support snaps. Version 4.4.0 or higher is needed.
Please reboot your system into a supported kernel version
and run the following command one more time to complete the
installation:
sudo ubuntu-advantage enable-livepatch <yourtoken>
Once you reboot and re-run the specified command, expect:
Enabling Livepatch with the given token, stand by...
Successfully enabled device. Using machine-token: <sometoken>
Use "canonical-livepatch status" to verify current patch status.
3. Verify livepatch status
type on commandline,
ubuntu-advantage status
expect an output like the following,
livepatch: enabled
client-version: "7.23"
architecture: x86_64
cpu-model: Intel Core Processor (Skylake)
last-check: 2017-10-23T15:10:45.640938255Z
boot-time: 2017-10-23T15:10:13Z
uptime: 1m19s
status:
- kernel: 4.4.0-97.120~14.04.1-generic
running: true
livepatch:
checkState: checked
patchState: nothing-to-apply
version: ""
fixes: ""
esm: disabled (not available)
fips: disabled (not available)
XENIAL
0. Install the new ubuntu-advantage-tools package to add livepatch support.
1. Collect status before enabling livepatch
type on commandline,
ubuntu-advantage status
expect,
livepatch: disabled
esm: disabled (not available)
fips: disabled
2. Enable livepatch
visit https://ubuntu.com/livepatch and obtain a token
type on commandline,
sudo ubuntu-advantage enable-livepatch <yourtoken>
expect,
Installing the canonical-livepatch snap.
This may take a few minutes depending on your bandwidth.
2017-10-20T19:39:41Z INFO Waiting for restart...
canonical-livepatch 7.24 from 'canonical' installed
Enabling Livepatch with the given token, stand by...
Successfully enabled device. Using machine-token: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Use "canonical-livepatch status" to verify current patch status.
3. Verify livepatch status
type on commandline,
ubuntu-advantage status
expect an output like the following,
livepatch: enabled
client-version: "7.23"
architecture: x86_64
cpu-model: Intel Core Processor (Skylake)
last-check: 2017-10-20T19:39:54.451499227Z
boot-time: 2017-10-20T19:28:09Z
uptime: 15m30s
status:
- kernel: 4.4.0-97.120-generic
running: true
livepatch:
checkState: checked
patchState: nothing-to-apply
version: ""
fixes: ""
esm: disabled (not available)
fips: disabled
ZESTY
0. Install the new ubuntu-advantage-tools package to add livepatch support.
1. Collect status before enabling livepatch
type on commandline:
ubuntu-advantage status
expect the livepatch service to be unavailable:
livepatch: disabled (not available)
esm: disabled (not available)
fips: disabled (not available)
2. Ensure that livepatch cannot be enabled on Zesty.
You can use a dummy set of credentials like "foobar" as the token:
type on commandline,
sudo ubuntu-advantage enable-livepatch foobar
expect,
Sorry, but Canonical Livepatch is not supported on zesty
[FIPS TESTCASES]
These testcases assume you have installed ubuntu-advantage-tools with the proposed changes. Prior to the upload they were performed on S390, PPC64EL and AMD64 architectures.
TRUSTY
(Note that FIPS is not supported on trusty.)
1. Collect status before enabling fips
type on commandline,
ubuntu-advantage status
expect,
livepatch: disabled
esm: disabled (not available)
fips: disabled (not available)
2. Ensure that fips cannot be enabled on trusty.
You can use a dummy set of credentials like user:secret as the token:
type on commandline,
sudo ubuntu-advantage enable-fips user:secret
expect,
Sorry, but Canonical FIPS 140-2 Modules is not supported on trusty
XENIAL
0. Install the new ubuntu-advantage-tools package to add fips support.
1. Collect status before enabling fips
type on commandline,
ubuntu-advantage status
expect,
livepatch: disabled
esm: disabled (not available)
fips: disabled
2. Enable fips
Note: This will require a token or credentials to fips Private PPA, in
the form xxx:xxx
type on commandline,
sudo ubuntu-advantage enable-fips xxx:xxx
expect,
[sudo] password for ubuntu:
Running apt-get update... OK
Ubuntu FIPS PPA repository enabled.
Installing FIPS packages (this may take a while)... OK
Configuring FIPS...
Updating grub to enable fips... OK
Successfully configured FIPS. Please reboot into the FIPS kernel to enable it.
type on commandline,
sudo reboot
3. Log back into system after reboot
type on commandline,
ubuntu-advantage status
expect,
livepatch: disabled
esm: disabled (not available)
fips: enabled
4. verify fips kernel "4.4.0-1002-fips" has been installed
type on commandline,
uname -a
expect,
Linux xenialguest 4.4.0-1002-fips #2-Ubuntu SMP Thu Apr 27 19:37:46 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
ZESTY
(Note that FIPS is not supported on zesty.)
1. Collect status before enabling fips
type on commandline,
ubuntu-advantage status
expect,
livepatch: disabled (not available)
esm: disabled (not available)
fips: disabled (not available)
2. Ensure that fips cannot be enabled on Zesty.
You can use a dummy set of credentials like user:secret as the token:
type on commandline,
sudo ubuntu-advantage enable-fips user:secret
expect,
Sorry, but Canonical FIPS 140-2 Modules is not supported on zesty
[REGRESSION POTENTIAL]
The current ubuntu-advantage-tools package in trusty, xenial and zesty is basically a NOOP because the only service it supports is ESM, which is only available for precise.
This update adds two new features to the package: FIPS (xenial only) and Livepatch (trusty and xenial), essentially making the package useful in trusty and xenial. For zesty there is no change, as none of these products are available for non-LTS releases.
[OTHER INFO]
The way this package was made available in all the ubuntu releases where it is now was via a "pocket copy". That's why it has the exact same version in trusty, xenial and zesty. Currently artful has version 10 (a version 12 just missed the feature freeze), so in order for upgrades between releases to work, we adopted the backports versioning scheme, by appending the ubuntu release code with a tilda ("~") to the version.
Another point is that even though ubuntu-advantage-tools is "just" a shell script, it is unit tested with python3, and these tests (and lint runs) gate merges in the upstream github repository at github.com/CanonicalLtd/ubuntu-advantage-script/. The tests do not necessarily run on each ubuntu release because of the version of python that is available in each. A clean run without any changes can be obtained in xenial and higher. Trusty needs a newer python3 (3.5 at a minimum). |
|
2017-10-23 20:12:55 |
Andreas Hasenack |
description |
** description still being worked on, not done yet **
This bug has some history that may be confusing from the comments. Basically it started out as a Feature Freeze Exception, that's why we have build logs, git logs and unit test runs attached.
Also, the "rename" that is mentioned elsewhere did not happen with this package: the ubuntu-advantage name was kept, no new aliases were added. This will happen in a later SRU, with a later version of the package.
I uploaded new tarballs and debdiff with these changes from what was here before, just in case you, the reader, have looked at the previous description:
* tarball with correct directory entry. The previous one had "v10" instead of "10" as the base version
* updated most recent changelog entry, just saying this is a backport of version 10. No need to say it has fips support, which neglected to mention the livepatch support. All that is in the previous d/changelog entries
[IMPACT]
Most recent version of ubuntu-advantage-tool on github includes fips and livepatch enablement. The fips enablement will allow customers to easily install and configure Canonical's FIPS certified modules on xenial, whereas livepatch allows xenial and trusty customers to patch the running kernel without a reboot.
This SRU will cover both new features.
In addition to the new features themselves, a new "status" command was added that will give a short summary about the available modules and their status, at a glance.
Note: FIPS certified modules are only available for xenial. Livepatch is supported on xenial and trusty. The tool will refuse to enable either service on an unsupported ubuntu release.
Without this updated package, customers of those services have to enable them manually by following a series of steps.
[FIPS DESCRIPTION]
When "ubuntu-advantage enable-fips <token>" is issued from commandline,
- configure the private PPA where the FIPS modules are located
- install the FIPS modules from this PPA to the local machine from where the script is run
- configure the bootloader to enable fips
Upon successful completion of these steps, the customer then gets a message stating to reboot
the machine to complete the fips enablement process.
Without the script, customers must perform the steps manually.
[LIVEPATCH DESCRIPTION]
Livepatch allows customers to apply kernel patches to a running system without rebooting it.
The current instructions live in http://ubuntu.com/livepatch and boil down to:
- install snapd if it's not installed already. On trusty this means a new kernel as well.
- install the canonical-livepatch snap
- obtain a livepatch token from Canonical
- run the enable command with the given token
The ubuntu-advantage-tools package simplifies this process by just requesting the token and performing all the other steps on behalf of the user. It also conveniently checks the running kernel and instructs the user to reboot into a newer kernel if needed to finish the installation (this is the case when running trusty).
[FIX]
Add fips and livepatch support to the ubuntu-adadvantage-tools package. See debdiff below.
[LIVEPATCH TESTCASES]
TRUSTY
0. Install the new ubuntu-advantage-tools package to add livepatch support.
1. Collect status before enabling livepatch
type on commandline:
ubuntu-advantage status
expect:
livepatch: disabled
esm: disabled (not available)
fips: disabled (not available)
2. Enable livepatch
visit https://ubuntu.com/livepatch and obtain a token
type on commandline,
sudo ubuntu-advantage enable-livepatch <yourtoken>
You may be required to install a newer kernel. In that case, expect the
following output:
Installing missing dependency snapd... OK
Installing the canonical-livepatch snap.
This may take a few minutes depending on your bandwidth.
canonical-livepatch 7.24 from 'canonical' installed
Your currently running kernel (3.13.0-133-generic) is too old to
support snaps. Version 4.4.0 or higher is needed.
Please reboot your system into a supported kernel version
and run the following command one more time to complete the
installation:
sudo ubuntu-advantage enable-livepatch <yourtoken>
Once you reboot and re-run the specified command, expect:
Enabling Livepatch with the given token, stand by...
Successfully enabled device. Using machine-token: <sometoken>
Use "canonical-livepatch status" to verify current patch status.
3. Verify livepatch status
type on commandline,
ubuntu-advantage status
expect an output like the following,
livepatch: enabled
client-version: "7.23"
architecture: x86_64
cpu-model: Intel Core Processor (Skylake)
last-check: 2017-10-23T15:10:45.640938255Z
boot-time: 2017-10-23T15:10:13Z
uptime: 1m19s
status:
- kernel: 4.4.0-97.120~14.04.1-generic
running: true
livepatch:
checkState: checked
patchState: nothing-to-apply
version: ""
fixes: ""
esm: disabled (not available)
fips: disabled (not available)
XENIAL
0. Install the new ubuntu-advantage-tools package to add livepatch support.
1. Collect status before enabling livepatch
type on commandline,
ubuntu-advantage status
expect,
livepatch: disabled
esm: disabled (not available)
fips: disabled
2. Enable livepatch
visit https://ubuntu.com/livepatch and obtain a token
type on commandline,
sudo ubuntu-advantage enable-livepatch <yourtoken>
expect,
Installing the canonical-livepatch snap.
This may take a few minutes depending on your bandwidth.
2017-10-20T19:39:41Z INFO Waiting for restart...
canonical-livepatch 7.24 from 'canonical' installed
Enabling Livepatch with the given token, stand by...
Successfully enabled device. Using machine-token: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Use "canonical-livepatch status" to verify current patch status.
3. Verify livepatch status
type on commandline,
ubuntu-advantage status
expect an output like the following,
livepatch: enabled
client-version: "7.23"
architecture: x86_64
cpu-model: Intel Core Processor (Skylake)
last-check: 2017-10-20T19:39:54.451499227Z
boot-time: 2017-10-20T19:28:09Z
uptime: 15m30s
status:
- kernel: 4.4.0-97.120-generic
running: true
livepatch:
checkState: checked
patchState: nothing-to-apply
version: ""
fixes: ""
esm: disabled (not available)
fips: disabled
ZESTY
0. Install the new ubuntu-advantage-tools package to add livepatch support.
1. Collect status before enabling livepatch
type on commandline:
ubuntu-advantage status
expect the livepatch service to be unavailable:
livepatch: disabled (not available)
esm: disabled (not available)
fips: disabled (not available)
2. Ensure that livepatch cannot be enabled on Zesty.
You can use a dummy set of credentials like "foobar" as the token:
type on commandline,
sudo ubuntu-advantage enable-livepatch foobar
expect,
Sorry, but Canonical Livepatch is not supported on zesty
[FIPS TESTCASES]
These testcases assume you have installed ubuntu-advantage-tools with the proposed changes. Prior to the upload they were performed on S390, PPC64EL and AMD64 architectures.
TRUSTY
(Note that FIPS is not supported on trusty.)
1. Collect status before enabling fips
type on commandline,
ubuntu-advantage status
expect,
livepatch: disabled
esm: disabled (not available)
fips: disabled (not available)
2. Ensure that fips cannot be enabled on trusty.
You can use a dummy set of credentials like user:secret as the token:
type on commandline,
sudo ubuntu-advantage enable-fips user:secret
expect,
Sorry, but Canonical FIPS 140-2 Modules is not supported on trusty
XENIAL
0. Install the new ubuntu-advantage-tools package to add fips support.
1. Collect status before enabling fips
type on commandline,
ubuntu-advantage status
expect,
livepatch: disabled
esm: disabled (not available)
fips: disabled
2. Enable fips
Note: This will require a token or credentials to fips Private PPA, in
the form xxx:xxx
type on commandline,
sudo ubuntu-advantage enable-fips xxx:xxx
expect,
[sudo] password for ubuntu:
Running apt-get update... OK
Ubuntu FIPS PPA repository enabled.
Installing FIPS packages (this may take a while)... OK
Configuring FIPS...
Updating grub to enable fips... OK
Successfully configured FIPS. Please reboot into the FIPS kernel to enable it.
type on commandline,
sudo reboot
3. Log back into system after reboot
type on commandline,
ubuntu-advantage status
expect,
livepatch: disabled
esm: disabled (not available)
fips: enabled
4. verify fips kernel "4.4.0-1002-fips" has been installed
type on commandline,
uname -a
expect,
Linux xenialguest 4.4.0-1002-fips #2-Ubuntu SMP Thu Apr 27 19:37:46 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
ZESTY
(Note that FIPS is not supported on zesty.)
1. Collect status before enabling fips
type on commandline,
ubuntu-advantage status
expect,
livepatch: disabled (not available)
esm: disabled (not available)
fips: disabled (not available)
2. Ensure that fips cannot be enabled on Zesty.
You can use a dummy set of credentials like user:secret as the token:
type on commandline,
sudo ubuntu-advantage enable-fips user:secret
expect,
Sorry, but Canonical FIPS 140-2 Modules is not supported on zesty
[REGRESSION POTENTIAL]
The current ubuntu-advantage-tools package in trusty, xenial and zesty is basically a NOOP because the only service it supports is ESM, which is only available for precise.
This update adds two new features to the package: FIPS (xenial only) and Livepatch (trusty and xenial), essentially making the package useful in trusty and xenial. For zesty there is no change, as none of these products are available for non-LTS releases.
[OTHER INFO]
The way this package was made available in all the ubuntu releases where it is now was via a "pocket copy". That's why it has the exact same version in trusty, xenial and zesty. Currently artful has version 10 (a version 12 just missed the feature freeze), so in order for upgrades between releases to work, we adopted the backports versioning scheme, by appending the ubuntu release code with a tilda ("~") to the version.
Another point is that even though ubuntu-advantage-tools is "just" a shell script, it is unit tested with python3, and these tests (and lint runs) gate merges in the upstream github repository at github.com/CanonicalLtd/ubuntu-advantage-script/. The tests do not necessarily run on each ubuntu release because of the version of python that is available in each. A clean run without any changes can be obtained in xenial and higher. Trusty needs a newer python3 (3.5 at a minimum). |
This bug has some history that may be confusing from the comments. Basically it started out as a Feature Freeze Exception, that's why we have build logs, git logs and unit test runs attached.
Also, the "rename" that is mentioned elsewhere did not happen with this package: the ubuntu-advantage name was kept, no new aliases were added. This will happen in a later SRU, with a later version of the package.
I uploaded new tarballs and debdiff with these changes from what was here before, just in case you, the reader, have looked at the previous description:
* tarball with correct directory entry. The previous one had "v10" instead of "10" as the base version
* updated most recent changelog entry, just saying this is a backport of version 10. No need to say it has fips support, which neglected to mention the livepatch support. All that is in the previous d/changelog entries
[IMPACT]
Most recent version of ubuntu-advantage-tool on github includes fips and livepatch enablement. The fips enablement will allow customers to easily install and configure Canonical's FIPS certified modules on xenial, whereas livepatch allows xenial and trusty customers to patch the running kernel without a reboot.
This SRU will cover both new features.
In addition to the new features themselves, a new "status" command was added that will give a short summary about the available modules and their status, at a glance.
Note: FIPS certified modules are only available for xenial. Livepatch is supported on xenial and trusty. The tool will refuse to enable either service on an unsupported ubuntu release.
Without this updated package, customers of those services have to enable them manually by following a series of steps.
[FIPS DESCRIPTION]
When "ubuntu-advantage enable-fips <token>" is issued from commandline,
- configure the private PPA where the FIPS modules are located
- install the FIPS modules from this PPA to the local machine from where the script is run
- configure the bootloader to enable fips
Upon successful completion of these steps, the customer then gets a message stating to reboot
the machine to complete the fips enablement process.
Without the script, customers must perform the steps manually.
[LIVEPATCH DESCRIPTION]
Livepatch allows customers to apply kernel patches to a running system without rebooting it.
The current instructions live in http://ubuntu.com/livepatch and boil down to:
- install snapd if it's not installed already. On trusty this means a new kernel as well.
- install the canonical-livepatch snap
- obtain a livepatch token from Canonical
- run the enable command with the given token
The ubuntu-advantage-tools package simplifies this process by just requesting the token and performing all the other steps on behalf of the user. It also conveniently checks the running kernel and instructs the user to reboot into a newer kernel if needed to finish the installation (this is the case when running trusty).
[FIX]
Add fips and livepatch support to the ubuntu-adadvantage-tools package. See debdiff below.
[LIVEPATCH TESTCASES]
TRUSTY
0. Install the new ubuntu-advantage-tools package to add livepatch support.
1. Collect status before enabling livepatch
type on commandline:
ubuntu-advantage status
expect:
livepatch: disabled
esm: disabled (not available)
fips: disabled (not available)
2. Enable livepatch
visit https://ubuntu.com/livepatch and obtain a token
type on commandline,
sudo ubuntu-advantage enable-livepatch <yourtoken>
You may be required to install a newer kernel. In that case, expect the
following output:
Installing missing dependency snapd... OK
Installing the canonical-livepatch snap.
This may take a few minutes depending on your bandwidth.
canonical-livepatch 7.24 from 'canonical' installed
Your currently running kernel (3.13.0-133-generic) is too old to
support snaps. Version 4.4.0 or higher is needed.
Please reboot your system into a supported kernel version
and run the following command one more time to complete the
installation:
sudo ubuntu-advantage enable-livepatch <yourtoken>
Once you reboot and re-run the specified command, expect:
Enabling Livepatch with the given token, stand by...
Successfully enabled device. Using machine-token: <sometoken>
Use "canonical-livepatch status" to verify current patch status.
3. Verify livepatch status
type on commandline,
ubuntu-advantage status
expect an output like the following,
livepatch: enabled
client-version: "7.23"
architecture: x86_64
cpu-model: Intel Core Processor (Skylake)
last-check: 2017-10-23T15:10:45.640938255Z
boot-time: 2017-10-23T15:10:13Z
uptime: 1m19s
status:
- kernel: 4.4.0-97.120~14.04.1-generic
running: true
livepatch:
checkState: checked
patchState: nothing-to-apply
version: ""
fixes: ""
esm: disabled (not available)
fips: disabled (not available)
XENIAL
0. Install the new ubuntu-advantage-tools package to add livepatch support.
1. Collect status before enabling livepatch
type on commandline,
ubuntu-advantage status
expect,
livepatch: disabled
esm: disabled (not available)
fips: disabled
2. Enable livepatch
visit https://ubuntu.com/livepatch and obtain a token
type on commandline,
sudo ubuntu-advantage enable-livepatch <yourtoken>
expect,
Installing the canonical-livepatch snap.
This may take a few minutes depending on your bandwidth.
2017-10-20T19:39:41Z INFO Waiting for restart...
canonical-livepatch 7.24 from 'canonical' installed
Enabling Livepatch with the given token, stand by...
Successfully enabled device. Using machine-token: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Use "canonical-livepatch status" to verify current patch status.
3. Verify livepatch status
type on commandline,
ubuntu-advantage status
expect an output like the following,
livepatch: enabled
client-version: "7.23"
architecture: x86_64
cpu-model: Intel Core Processor (Skylake)
last-check: 2017-10-20T19:39:54.451499227Z
boot-time: 2017-10-20T19:28:09Z
uptime: 15m30s
status:
- kernel: 4.4.0-97.120-generic
running: true
livepatch:
checkState: checked
patchState: nothing-to-apply
version: ""
fixes: ""
esm: disabled (not available)
fips: disabled
ZESTY
0. Install the new ubuntu-advantage-tools package to add livepatch support.
1. Collect status before enabling livepatch
type on commandline:
ubuntu-advantage status
expect the livepatch service to be unavailable:
livepatch: disabled (not available)
esm: disabled (not available)
fips: disabled (not available)
2. Ensure that livepatch cannot be enabled on Zesty.
You can use a dummy set of credentials like "foobar" as the token:
type on commandline,
sudo ubuntu-advantage enable-livepatch foobar
expect,
Sorry, but Canonical Livepatch is not supported on zesty
[FIPS TESTCASES]
These testcases assume you have installed ubuntu-advantage-tools with the proposed changes. Prior to the upload they were performed on S390, PPC64EL and AMD64 architectures.
TRUSTY
(Note that FIPS is not supported on trusty.)
1. Collect status before enabling fips
type on commandline,
ubuntu-advantage status
expect,
livepatch: disabled
esm: disabled (not available)
fips: disabled (not available)
2. Ensure that fips cannot be enabled on trusty.
You can use a dummy set of credentials like user:secret as the token:
type on commandline,
sudo ubuntu-advantage enable-fips user:secret
expect,
Sorry, but Canonical FIPS 140-2 Modules is not supported on trusty
XENIAL
0. Install the new ubuntu-advantage-tools package to add fips support.
1. Collect status before enabling fips
type on commandline,
ubuntu-advantage status
expect,
livepatch: disabled
esm: disabled (not available)
fips: disabled
2. Enable fips
Note: This will require a token or credentials to fips Private PPA, in
the form xxx:xxx
type on commandline,
sudo ubuntu-advantage enable-fips xxx:xxx
expect,
[sudo] password for ubuntu:
Running apt-get update... OK
Ubuntu FIPS PPA repository enabled.
Installing FIPS packages (this may take a while)... OK
Configuring FIPS...
Updating grub to enable fips... OK
Successfully configured FIPS. Please reboot into the FIPS kernel to enable it.
type on commandline,
sudo reboot
3. Log back into system after reboot
type on commandline,
ubuntu-advantage status
expect,
livepatch: disabled
esm: disabled (not available)
fips: enabled
4. verify fips kernel "4.4.0-1002-fips" has been installed
type on commandline,
uname -a
expect,
Linux xenialguest 4.4.0-1002-fips #2-Ubuntu SMP Thu Apr 27 19:37:46 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
ZESTY
(Note that FIPS is not supported on zesty.)
1. Collect status before enabling fips
type on commandline,
ubuntu-advantage status
expect,
livepatch: disabled (not available)
esm: disabled (not available)
fips: disabled (not available)
2. Ensure that fips cannot be enabled on Zesty.
You can use a dummy set of credentials like user:secret as the token:
type on commandline,
sudo ubuntu-advantage enable-fips user:secret
expect,
Sorry, but Canonical FIPS 140-2 Modules is not supported on zesty
[REGRESSION POTENTIAL]
The current ubuntu-advantage-tools package in trusty, xenial and zesty is basically a NOOP because the only service it supports is ESM, which is only available for precise.
This update adds two new features to the package: FIPS (xenial only) and Livepatch (trusty and xenial), essentially making the package useful in trusty and xenial. For zesty there is no change, as none of these products are available for non-LTS releases.
[OTHER INFO]
The way this package was made available in all the ubuntu releases where it is now was via a "pocket copy". That's why it has the exact same version in trusty, xenial and zesty. Currently artful has version 10 (a version 12 just missed the feature freeze), so in order for upgrades between releases to work, we adopted the backports versioning scheme, by appending the ubuntu release code with a tilda ("~") to the version.
Another point is that even though ubuntu-advantage-tools is "just" a shell script, it is unit tested with python3, and these tests (and lint runs) gate merges in the upstream github repository at github.com/CanonicalLtd/ubuntu-advantage-script/. The tests do not necessarily run on each ubuntu release because of the version of python that is available in each. A clean run without any changes can be obtained in xenial and higher. Trusty needs a newer python3 (3.5 at a minimum). |
|
2017-10-23 20:26:16 |
Andreas Hasenack |
description |
This bug has some history that may be confusing from the comments. Basically it started out as a Feature Freeze Exception, that's why we have build logs, git logs and unit test runs attached.
Also, the "rename" that is mentioned elsewhere did not happen with this package: the ubuntu-advantage name was kept, no new aliases were added. This will happen in a later SRU, with a later version of the package.
I uploaded new tarballs and debdiff with these changes from what was here before, just in case you, the reader, have looked at the previous description:
* tarball with correct directory entry. The previous one had "v10" instead of "10" as the base version
* updated most recent changelog entry, just saying this is a backport of version 10. No need to say it has fips support, which neglected to mention the livepatch support. All that is in the previous d/changelog entries
[IMPACT]
Most recent version of ubuntu-advantage-tool on github includes fips and livepatch enablement. The fips enablement will allow customers to easily install and configure Canonical's FIPS certified modules on xenial, whereas livepatch allows xenial and trusty customers to patch the running kernel without a reboot.
This SRU will cover both new features.
In addition to the new features themselves, a new "status" command was added that will give a short summary about the available modules and their status, at a glance.
Note: FIPS certified modules are only available for xenial. Livepatch is supported on xenial and trusty. The tool will refuse to enable either service on an unsupported ubuntu release.
Without this updated package, customers of those services have to enable them manually by following a series of steps.
[FIPS DESCRIPTION]
When "ubuntu-advantage enable-fips <token>" is issued from commandline,
- configure the private PPA where the FIPS modules are located
- install the FIPS modules from this PPA to the local machine from where the script is run
- configure the bootloader to enable fips
Upon successful completion of these steps, the customer then gets a message stating to reboot
the machine to complete the fips enablement process.
Without the script, customers must perform the steps manually.
[LIVEPATCH DESCRIPTION]
Livepatch allows customers to apply kernel patches to a running system without rebooting it.
The current instructions live in http://ubuntu.com/livepatch and boil down to:
- install snapd if it's not installed already. On trusty this means a new kernel as well.
- install the canonical-livepatch snap
- obtain a livepatch token from Canonical
- run the enable command with the given token
The ubuntu-advantage-tools package simplifies this process by just requesting the token and performing all the other steps on behalf of the user. It also conveniently checks the running kernel and instructs the user to reboot into a newer kernel if needed to finish the installation (this is the case when running trusty).
[FIX]
Add fips and livepatch support to the ubuntu-adadvantage-tools package. See debdiff below.
[LIVEPATCH TESTCASES]
TRUSTY
0. Install the new ubuntu-advantage-tools package to add livepatch support.
1. Collect status before enabling livepatch
type on commandline:
ubuntu-advantage status
expect:
livepatch: disabled
esm: disabled (not available)
fips: disabled (not available)
2. Enable livepatch
visit https://ubuntu.com/livepatch and obtain a token
type on commandline,
sudo ubuntu-advantage enable-livepatch <yourtoken>
You may be required to install a newer kernel. In that case, expect the
following output:
Installing missing dependency snapd... OK
Installing the canonical-livepatch snap.
This may take a few minutes depending on your bandwidth.
canonical-livepatch 7.24 from 'canonical' installed
Your currently running kernel (3.13.0-133-generic) is too old to
support snaps. Version 4.4.0 or higher is needed.
Please reboot your system into a supported kernel version
and run the following command one more time to complete the
installation:
sudo ubuntu-advantage enable-livepatch <yourtoken>
Once you reboot and re-run the specified command, expect:
Enabling Livepatch with the given token, stand by...
Successfully enabled device. Using machine-token: <sometoken>
Use "canonical-livepatch status" to verify current patch status.
3. Verify livepatch status
type on commandline,
ubuntu-advantage status
expect an output like the following,
livepatch: enabled
client-version: "7.23"
architecture: x86_64
cpu-model: Intel Core Processor (Skylake)
last-check: 2017-10-23T15:10:45.640938255Z
boot-time: 2017-10-23T15:10:13Z
uptime: 1m19s
status:
- kernel: 4.4.0-97.120~14.04.1-generic
running: true
livepatch:
checkState: checked
patchState: nothing-to-apply
version: ""
fixes: ""
esm: disabled (not available)
fips: disabled (not available)
XENIAL
0. Install the new ubuntu-advantage-tools package to add livepatch support.
1. Collect status before enabling livepatch
type on commandline,
ubuntu-advantage status
expect,
livepatch: disabled
esm: disabled (not available)
fips: disabled
2. Enable livepatch
visit https://ubuntu.com/livepatch and obtain a token
type on commandline,
sudo ubuntu-advantage enable-livepatch <yourtoken>
expect,
Installing the canonical-livepatch snap.
This may take a few minutes depending on your bandwidth.
2017-10-20T19:39:41Z INFO Waiting for restart...
canonical-livepatch 7.24 from 'canonical' installed
Enabling Livepatch with the given token, stand by...
Successfully enabled device. Using machine-token: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Use "canonical-livepatch status" to verify current patch status.
3. Verify livepatch status
type on commandline,
ubuntu-advantage status
expect an output like the following,
livepatch: enabled
client-version: "7.23"
architecture: x86_64
cpu-model: Intel Core Processor (Skylake)
last-check: 2017-10-20T19:39:54.451499227Z
boot-time: 2017-10-20T19:28:09Z
uptime: 15m30s
status:
- kernel: 4.4.0-97.120-generic
running: true
livepatch:
checkState: checked
patchState: nothing-to-apply
version: ""
fixes: ""
esm: disabled (not available)
fips: disabled
ZESTY
0. Install the new ubuntu-advantage-tools package to add livepatch support.
1. Collect status before enabling livepatch
type on commandline:
ubuntu-advantage status
expect the livepatch service to be unavailable:
livepatch: disabled (not available)
esm: disabled (not available)
fips: disabled (not available)
2. Ensure that livepatch cannot be enabled on Zesty.
You can use a dummy set of credentials like "foobar" as the token:
type on commandline,
sudo ubuntu-advantage enable-livepatch foobar
expect,
Sorry, but Canonical Livepatch is not supported on zesty
[FIPS TESTCASES]
These testcases assume you have installed ubuntu-advantage-tools with the proposed changes. Prior to the upload they were performed on S390, PPC64EL and AMD64 architectures.
TRUSTY
(Note that FIPS is not supported on trusty.)
1. Collect status before enabling fips
type on commandline,
ubuntu-advantage status
expect,
livepatch: disabled
esm: disabled (not available)
fips: disabled (not available)
2. Ensure that fips cannot be enabled on trusty.
You can use a dummy set of credentials like user:secret as the token:
type on commandline,
sudo ubuntu-advantage enable-fips user:secret
expect,
Sorry, but Canonical FIPS 140-2 Modules is not supported on trusty
XENIAL
0. Install the new ubuntu-advantage-tools package to add fips support.
1. Collect status before enabling fips
type on commandline,
ubuntu-advantage status
expect,
livepatch: disabled
esm: disabled (not available)
fips: disabled
2. Enable fips
Note: This will require a token or credentials to fips Private PPA, in
the form xxx:xxx
type on commandline,
sudo ubuntu-advantage enable-fips xxx:xxx
expect,
[sudo] password for ubuntu:
Running apt-get update... OK
Ubuntu FIPS PPA repository enabled.
Installing FIPS packages (this may take a while)... OK
Configuring FIPS...
Updating grub to enable fips... OK
Successfully configured FIPS. Please reboot into the FIPS kernel to enable it.
type on commandline,
sudo reboot
3. Log back into system after reboot
type on commandline,
ubuntu-advantage status
expect,
livepatch: disabled
esm: disabled (not available)
fips: enabled
4. verify fips kernel "4.4.0-1002-fips" has been installed
type on commandline,
uname -a
expect,
Linux xenialguest 4.4.0-1002-fips #2-Ubuntu SMP Thu Apr 27 19:37:46 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
ZESTY
(Note that FIPS is not supported on zesty.)
1. Collect status before enabling fips
type on commandline,
ubuntu-advantage status
expect,
livepatch: disabled (not available)
esm: disabled (not available)
fips: disabled (not available)
2. Ensure that fips cannot be enabled on Zesty.
You can use a dummy set of credentials like user:secret as the token:
type on commandline,
sudo ubuntu-advantage enable-fips user:secret
expect,
Sorry, but Canonical FIPS 140-2 Modules is not supported on zesty
[REGRESSION POTENTIAL]
The current ubuntu-advantage-tools package in trusty, xenial and zesty is basically a NOOP because the only service it supports is ESM, which is only available for precise.
This update adds two new features to the package: FIPS (xenial only) and Livepatch (trusty and xenial), essentially making the package useful in trusty and xenial. For zesty there is no change, as none of these products are available for non-LTS releases.
[OTHER INFO]
The way this package was made available in all the ubuntu releases where it is now was via a "pocket copy". That's why it has the exact same version in trusty, xenial and zesty. Currently artful has version 10 (a version 12 just missed the feature freeze), so in order for upgrades between releases to work, we adopted the backports versioning scheme, by appending the ubuntu release code with a tilda ("~") to the version.
Another point is that even though ubuntu-advantage-tools is "just" a shell script, it is unit tested with python3, and these tests (and lint runs) gate merges in the upstream github repository at github.com/CanonicalLtd/ubuntu-advantage-script/. The tests do not necessarily run on each ubuntu release because of the version of python that is available in each. A clean run without any changes can be obtained in xenial and higher. Trusty needs a newer python3 (3.5 at a minimum). |
This bug has some history that may be confusing from the comments. Basically it started out as a Feature Freeze Exception, that's why we have build logs, git logs and unit test runs attached.
Also, the "rename" that is mentioned elsewhere did not happen with this package: the ubuntu-advantage name was kept, no new aliases were added. This will happen in a later SRU, with a later version of the package.
I uploaded new tarballs and debdiff with these changes from what was here before, just in case you, the reader, have looked at the previous description:
* tarball with correct directory entry. The previous one had "v10" instead of "10" as the base version
* updated most recent changelog entry, just saying this is a backport of version 10. No need to say it has fips support, which neglected to mention the livepatch support. All that is in the previous d/changelog entries
PPA with built packages for t, x and z: https://launchpad.net/~ahasenack/+archive/ubuntu/ua-tools-sru-1719671 (ppa:ahasenack/ua-tools-sru-1719671 - no ~ppaN suffix, sorry)
[IMPACT]
Most recent version of ubuntu-advantage-tool on github includes fips and livepatch enablement. The fips enablement will allow customers to easily install and configure Canonical's FIPS certified modules on xenial, whereas livepatch allows xenial and trusty customers to patch the running kernel without a reboot.
This SRU will cover both new features.
In addition to the new features themselves, a new "status" command was added that will give a short summary about the available modules and their status, at a glance.
Note: FIPS certified modules are only available for xenial. Livepatch is supported on xenial and trusty. The tool will refuse to enable either service on an unsupported ubuntu release.
Without this updated package, customers of those services have to enable them manually by following a series of steps.
[FIPS DESCRIPTION]
When "ubuntu-advantage enable-fips <token>" is issued from commandline,
- configure the private PPA where the FIPS modules are located
- install the FIPS modules from this PPA to the local machine from where the script is run
- configure the bootloader to enable fips
Upon successful completion of these steps, the customer then gets a message stating to reboot
the machine to complete the fips enablement process.
Without the script, customers must perform the steps manually.
[LIVEPATCH DESCRIPTION]
Livepatch allows customers to apply kernel patches to a running system without rebooting it.
The current instructions live in http://ubuntu.com/livepatch and boil down to:
- install snapd if it's not installed already. On trusty this means a new kernel as well.
- install the canonical-livepatch snap
- obtain a livepatch token from Canonical
- run the enable command with the given token
The ubuntu-advantage-tools package simplifies this process by just requesting the token and performing all the other steps on behalf of the user. It also conveniently checks the running kernel and instructs the user to reboot into a newer kernel if needed to finish the installation (this is the case when running trusty).
[FIX]
Add fips and livepatch support to the ubuntu-adadvantage-tools package. See debdiff below.
[LIVEPATCH TESTCASES]
TRUSTY
0. Install the new ubuntu-advantage-tools package to add livepatch support.
1. Collect status before enabling livepatch
type on commandline:
ubuntu-advantage status
expect:
livepatch: disabled
esm: disabled (not available)
fips: disabled (not available)
2. Enable livepatch
visit https://ubuntu.com/livepatch and obtain a token
type on commandline,
sudo ubuntu-advantage enable-livepatch <yourtoken>
You may be required to install a newer kernel. In that case, expect the
following output:
Installing missing dependency snapd... OK
Installing the canonical-livepatch snap.
This may take a few minutes depending on your bandwidth.
canonical-livepatch 7.24 from 'canonical' installed
Your currently running kernel (3.13.0-133-generic) is too old to
support snaps. Version 4.4.0 or higher is needed.
Please reboot your system into a supported kernel version
and run the following command one more time to complete the
installation:
sudo ubuntu-advantage enable-livepatch <yourtoken>
Once you reboot and re-run the specified command, expect:
Enabling Livepatch with the given token, stand by...
Successfully enabled device. Using machine-token: <sometoken>
Use "canonical-livepatch status" to verify current patch status.
3. Verify livepatch status
type on commandline,
ubuntu-advantage status
expect an output like the following,
livepatch: enabled
client-version: "7.23"
architecture: x86_64
cpu-model: Intel Core Processor (Skylake)
last-check: 2017-10-23T15:10:45.640938255Z
boot-time: 2017-10-23T15:10:13Z
uptime: 1m19s
status:
- kernel: 4.4.0-97.120~14.04.1-generic
running: true
livepatch:
checkState: checked
patchState: nothing-to-apply
version: ""
fixes: ""
esm: disabled (not available)
fips: disabled (not available)
XENIAL
0. Install the new ubuntu-advantage-tools package to add livepatch support.
1. Collect status before enabling livepatch
type on commandline,
ubuntu-advantage status
expect,
livepatch: disabled
esm: disabled (not available)
fips: disabled
2. Enable livepatch
visit https://ubuntu.com/livepatch and obtain a token
type on commandline,
sudo ubuntu-advantage enable-livepatch <yourtoken>
expect,
Installing the canonical-livepatch snap.
This may take a few minutes depending on your bandwidth.
2017-10-20T19:39:41Z INFO Waiting for restart...
canonical-livepatch 7.24 from 'canonical' installed
Enabling Livepatch with the given token, stand by...
Successfully enabled device. Using machine-token: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Use "canonical-livepatch status" to verify current patch status.
3. Verify livepatch status
type on commandline,
ubuntu-advantage status
expect an output like the following,
livepatch: enabled
client-version: "7.23"
architecture: x86_64
cpu-model: Intel Core Processor (Skylake)
last-check: 2017-10-20T19:39:54.451499227Z
boot-time: 2017-10-20T19:28:09Z
uptime: 15m30s
status:
- kernel: 4.4.0-97.120-generic
running: true
livepatch:
checkState: checked
patchState: nothing-to-apply
version: ""
fixes: ""
esm: disabled (not available)
fips: disabled
ZESTY
0. Install the new ubuntu-advantage-tools package to add livepatch support.
1. Collect status before enabling livepatch
type on commandline:
ubuntu-advantage status
expect the livepatch service to be unavailable:
livepatch: disabled (not available)
esm: disabled (not available)
fips: disabled (not available)
2. Ensure that livepatch cannot be enabled on Zesty.
You can use a dummy set of credentials like "foobar" as the token:
type on commandline,
sudo ubuntu-advantage enable-livepatch foobar
expect,
Sorry, but Canonical Livepatch is not supported on zesty
[FIPS TESTCASES]
These testcases assume you have installed ubuntu-advantage-tools with the proposed changes. Prior to the upload they were performed on S390, PPC64EL and AMD64 architectures.
TRUSTY
(Note that FIPS is not supported on trusty.)
1. Collect status before enabling fips
type on commandline,
ubuntu-advantage status
expect,
livepatch: disabled
esm: disabled (not available)
fips: disabled (not available)
2. Ensure that fips cannot be enabled on trusty.
You can use a dummy set of credentials like user:secret as the token:
type on commandline,
sudo ubuntu-advantage enable-fips user:secret
expect,
Sorry, but Canonical FIPS 140-2 Modules is not supported on trusty
XENIAL
0. Install the new ubuntu-advantage-tools package to add fips support.
1. Collect status before enabling fips
type on commandline,
ubuntu-advantage status
expect,
livepatch: disabled
esm: disabled (not available)
fips: disabled
2. Enable fips
Note: This will require a token or credentials to fips Private PPA, in
the form xxx:xxx
type on commandline,
sudo ubuntu-advantage enable-fips xxx:xxx
expect,
[sudo] password for ubuntu:
Running apt-get update... OK
Ubuntu FIPS PPA repository enabled.
Installing FIPS packages (this may take a while)... OK
Configuring FIPS...
Updating grub to enable fips... OK
Successfully configured FIPS. Please reboot into the FIPS kernel to enable it.
type on commandline,
sudo reboot
3. Log back into system after reboot
type on commandline,
ubuntu-advantage status
expect,
livepatch: disabled
esm: disabled (not available)
fips: enabled
4. verify fips kernel "4.4.0-1002-fips" has been installed
type on commandline,
uname -a
expect,
Linux xenialguest 4.4.0-1002-fips #2-Ubuntu SMP Thu Apr 27 19:37:46 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
ZESTY
(Note that FIPS is not supported on zesty.)
1. Collect status before enabling fips
type on commandline,
ubuntu-advantage status
expect,
livepatch: disabled (not available)
esm: disabled (not available)
fips: disabled (not available)
2. Ensure that fips cannot be enabled on Zesty.
You can use a dummy set of credentials like user:secret as the token:
type on commandline,
sudo ubuntu-advantage enable-fips user:secret
expect,
Sorry, but Canonical FIPS 140-2 Modules is not supported on zesty
[REGRESSION POTENTIAL]
The current ubuntu-advantage-tools package in trusty, xenial and zesty is basically a NOOP because the only service it supports is ESM, which is only available for precise.
This update adds two new features to the package: FIPS (xenial only) and Livepatch (trusty and xenial), essentially making the package useful in trusty and xenial. For zesty there is no change, as none of these products are available for non-LTS releases.
[OTHER INFO]
The way this package was made available in all the ubuntu releases where it is now was via a "pocket copy". That's why it has the exact same version in trusty, xenial and zesty. Currently artful has version 10 (a version 12 just missed the feature freeze), so in order for upgrades between releases to work, we adopted the backports versioning scheme, by appending the ubuntu release code with a tilda ("~") to the version.
Another point is that even though ubuntu-advantage-tools is "just" a shell script, it is unit tested with python3, and these tests (and lint runs) gate merges in the upstream github repository at github.com/CanonicalLtd/ubuntu-advantage-script/. The tests do not necessarily run on each ubuntu release because of the version of python that is available in each. A clean run without any changes can be obtained in xenial and higher. Trusty needs a newer python3 (3.5 at a minimum). |
|
2017-10-26 16:48:42 |
Eric Desrochers |
bug |
|
|
added subscriber STS Sponsors |
2017-10-26 16:53:13 |
Eric Desrochers |
tags |
fips livepatch patch sts |
fips livepatch patch sts sts-sponsor-slashd |
|
2017-10-26 17:12:38 |
Eric Desrochers |
description |
This bug has some history that may be confusing from the comments. Basically it started out as a Feature Freeze Exception, that's why we have build logs, git logs and unit test runs attached.
Also, the "rename" that is mentioned elsewhere did not happen with this package: the ubuntu-advantage name was kept, no new aliases were added. This will happen in a later SRU, with a later version of the package.
I uploaded new tarballs and debdiff with these changes from what was here before, just in case you, the reader, have looked at the previous description:
* tarball with correct directory entry. The previous one had "v10" instead of "10" as the base version
* updated most recent changelog entry, just saying this is a backport of version 10. No need to say it has fips support, which neglected to mention the livepatch support. All that is in the previous d/changelog entries
PPA with built packages for t, x and z: https://launchpad.net/~ahasenack/+archive/ubuntu/ua-tools-sru-1719671 (ppa:ahasenack/ua-tools-sru-1719671 - no ~ppaN suffix, sorry)
[IMPACT]
Most recent version of ubuntu-advantage-tool on github includes fips and livepatch enablement. The fips enablement will allow customers to easily install and configure Canonical's FIPS certified modules on xenial, whereas livepatch allows xenial and trusty customers to patch the running kernel without a reboot.
This SRU will cover both new features.
In addition to the new features themselves, a new "status" command was added that will give a short summary about the available modules and their status, at a glance.
Note: FIPS certified modules are only available for xenial. Livepatch is supported on xenial and trusty. The tool will refuse to enable either service on an unsupported ubuntu release.
Without this updated package, customers of those services have to enable them manually by following a series of steps.
[FIPS DESCRIPTION]
When "ubuntu-advantage enable-fips <token>" is issued from commandline,
- configure the private PPA where the FIPS modules are located
- install the FIPS modules from this PPA to the local machine from where the script is run
- configure the bootloader to enable fips
Upon successful completion of these steps, the customer then gets a message stating to reboot
the machine to complete the fips enablement process.
Without the script, customers must perform the steps manually.
[LIVEPATCH DESCRIPTION]
Livepatch allows customers to apply kernel patches to a running system without rebooting it.
The current instructions live in http://ubuntu.com/livepatch and boil down to:
- install snapd if it's not installed already. On trusty this means a new kernel as well.
- install the canonical-livepatch snap
- obtain a livepatch token from Canonical
- run the enable command with the given token
The ubuntu-advantage-tools package simplifies this process by just requesting the token and performing all the other steps on behalf of the user. It also conveniently checks the running kernel and instructs the user to reboot into a newer kernel if needed to finish the installation (this is the case when running trusty).
[FIX]
Add fips and livepatch support to the ubuntu-adadvantage-tools package. See debdiff below.
[LIVEPATCH TESTCASES]
TRUSTY
0. Install the new ubuntu-advantage-tools package to add livepatch support.
1. Collect status before enabling livepatch
type on commandline:
ubuntu-advantage status
expect:
livepatch: disabled
esm: disabled (not available)
fips: disabled (not available)
2. Enable livepatch
visit https://ubuntu.com/livepatch and obtain a token
type on commandline,
sudo ubuntu-advantage enable-livepatch <yourtoken>
You may be required to install a newer kernel. In that case, expect the
following output:
Installing missing dependency snapd... OK
Installing the canonical-livepatch snap.
This may take a few minutes depending on your bandwidth.
canonical-livepatch 7.24 from 'canonical' installed
Your currently running kernel (3.13.0-133-generic) is too old to
support snaps. Version 4.4.0 or higher is needed.
Please reboot your system into a supported kernel version
and run the following command one more time to complete the
installation:
sudo ubuntu-advantage enable-livepatch <yourtoken>
Once you reboot and re-run the specified command, expect:
Enabling Livepatch with the given token, stand by...
Successfully enabled device. Using machine-token: <sometoken>
Use "canonical-livepatch status" to verify current patch status.
3. Verify livepatch status
type on commandline,
ubuntu-advantage status
expect an output like the following,
livepatch: enabled
client-version: "7.23"
architecture: x86_64
cpu-model: Intel Core Processor (Skylake)
last-check: 2017-10-23T15:10:45.640938255Z
boot-time: 2017-10-23T15:10:13Z
uptime: 1m19s
status:
- kernel: 4.4.0-97.120~14.04.1-generic
running: true
livepatch:
checkState: checked
patchState: nothing-to-apply
version: ""
fixes: ""
esm: disabled (not available)
fips: disabled (not available)
XENIAL
0. Install the new ubuntu-advantage-tools package to add livepatch support.
1. Collect status before enabling livepatch
type on commandline,
ubuntu-advantage status
expect,
livepatch: disabled
esm: disabled (not available)
fips: disabled
2. Enable livepatch
visit https://ubuntu.com/livepatch and obtain a token
type on commandline,
sudo ubuntu-advantage enable-livepatch <yourtoken>
expect,
Installing the canonical-livepatch snap.
This may take a few minutes depending on your bandwidth.
2017-10-20T19:39:41Z INFO Waiting for restart...
canonical-livepatch 7.24 from 'canonical' installed
Enabling Livepatch with the given token, stand by...
Successfully enabled device. Using machine-token: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Use "canonical-livepatch status" to verify current patch status.
3. Verify livepatch status
type on commandline,
ubuntu-advantage status
expect an output like the following,
livepatch: enabled
client-version: "7.23"
architecture: x86_64
cpu-model: Intel Core Processor (Skylake)
last-check: 2017-10-20T19:39:54.451499227Z
boot-time: 2017-10-20T19:28:09Z
uptime: 15m30s
status:
- kernel: 4.4.0-97.120-generic
running: true
livepatch:
checkState: checked
patchState: nothing-to-apply
version: ""
fixes: ""
esm: disabled (not available)
fips: disabled
ZESTY
0. Install the new ubuntu-advantage-tools package to add livepatch support.
1. Collect status before enabling livepatch
type on commandline:
ubuntu-advantage status
expect the livepatch service to be unavailable:
livepatch: disabled (not available)
esm: disabled (not available)
fips: disabled (not available)
2. Ensure that livepatch cannot be enabled on Zesty.
You can use a dummy set of credentials like "foobar" as the token:
type on commandline,
sudo ubuntu-advantage enable-livepatch foobar
expect,
Sorry, but Canonical Livepatch is not supported on zesty
[FIPS TESTCASES]
These testcases assume you have installed ubuntu-advantage-tools with the proposed changes. Prior to the upload they were performed on S390, PPC64EL and AMD64 architectures.
TRUSTY
(Note that FIPS is not supported on trusty.)
1. Collect status before enabling fips
type on commandline,
ubuntu-advantage status
expect,
livepatch: disabled
esm: disabled (not available)
fips: disabled (not available)
2. Ensure that fips cannot be enabled on trusty.
You can use a dummy set of credentials like user:secret as the token:
type on commandline,
sudo ubuntu-advantage enable-fips user:secret
expect,
Sorry, but Canonical FIPS 140-2 Modules is not supported on trusty
XENIAL
0. Install the new ubuntu-advantage-tools package to add fips support.
1. Collect status before enabling fips
type on commandline,
ubuntu-advantage status
expect,
livepatch: disabled
esm: disabled (not available)
fips: disabled
2. Enable fips
Note: This will require a token or credentials to fips Private PPA, in
the form xxx:xxx
type on commandline,
sudo ubuntu-advantage enable-fips xxx:xxx
expect,
[sudo] password for ubuntu:
Running apt-get update... OK
Ubuntu FIPS PPA repository enabled.
Installing FIPS packages (this may take a while)... OK
Configuring FIPS...
Updating grub to enable fips... OK
Successfully configured FIPS. Please reboot into the FIPS kernel to enable it.
type on commandline,
sudo reboot
3. Log back into system after reboot
type on commandline,
ubuntu-advantage status
expect,
livepatch: disabled
esm: disabled (not available)
fips: enabled
4. verify fips kernel "4.4.0-1002-fips" has been installed
type on commandline,
uname -a
expect,
Linux xenialguest 4.4.0-1002-fips #2-Ubuntu SMP Thu Apr 27 19:37:46 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
ZESTY
(Note that FIPS is not supported on zesty.)
1. Collect status before enabling fips
type on commandline,
ubuntu-advantage status
expect,
livepatch: disabled (not available)
esm: disabled (not available)
fips: disabled (not available)
2. Ensure that fips cannot be enabled on Zesty.
You can use a dummy set of credentials like user:secret as the token:
type on commandline,
sudo ubuntu-advantage enable-fips user:secret
expect,
Sorry, but Canonical FIPS 140-2 Modules is not supported on zesty
[REGRESSION POTENTIAL]
The current ubuntu-advantage-tools package in trusty, xenial and zesty is basically a NOOP because the only service it supports is ESM, which is only available for precise.
This update adds two new features to the package: FIPS (xenial only) and Livepatch (trusty and xenial), essentially making the package useful in trusty and xenial. For zesty there is no change, as none of these products are available for non-LTS releases.
[OTHER INFO]
The way this package was made available in all the ubuntu releases where it is now was via a "pocket copy". That's why it has the exact same version in trusty, xenial and zesty. Currently artful has version 10 (a version 12 just missed the feature freeze), so in order for upgrades between releases to work, we adopted the backports versioning scheme, by appending the ubuntu release code with a tilda ("~") to the version.
Another point is that even though ubuntu-advantage-tools is "just" a shell script, it is unit tested with python3, and these tests (and lint runs) gate merges in the upstream github repository at github.com/CanonicalLtd/ubuntu-advantage-script/. The tests do not necessarily run on each ubuntu release because of the version of python that is available in each. A clean run without any changes can be obtained in xenial and higher. Trusty needs a newer python3 (3.5 at a minimum). |
[New upstream microreleases]
https://wiki.ubuntu.com/StableReleaseUpdates#New_upstream_microreleases
...
> a reliable and credible test suite for assuring the quality of every commit or release
YES, testsuite is in tox (python virtual test env)
> the tests are covering both functionality and API/ABI stability
YES
> the tests run during package build to cover all architectures
YES
> the package has an autopkgtest to run the tests in an Ubuntu environment against the actual binary packages
YES
**
This bug has some history that may be confusing from the comments. Basically it started out as a Feature Freeze Exception, that's why we have build logs, git logs and unit test runs attached.
Also, the "rename" that is mentioned elsewhere did not happen with this package: the ubuntu-advantage name was kept, no new aliases were added. This will happen in a later SRU, with a later version of the package.
I uploaded new tarballs and debdiff with these changes from what was here before, just in case you, the reader, have looked at the previous description:
* tarball with correct directory entry. The previous one had "v10" instead of "10" as the base version
* updated most recent changelog entry, just saying this is a backport of version 10. No need to say it has fips support, which neglected to mention the livepatch support. All that is in the previous d/changelog entries
PPA with built packages for t, x and z: https://launchpad.net/~ahasenack/+archive/ubuntu/ua-tools-sru-1719671 (ppa:ahasenack/ua-tools-sru-1719671 - no ~ppaN suffix, sorry)
[IMPACT]
Most recent version of ubuntu-advantage-tool on github includes fips and livepatch enablement. The fips enablement will allow customers to easily install and configure Canonical's FIPS certified modules on xenial, whereas livepatch allows xenial and trusty customers to patch the running kernel without a reboot.
This SRU will cover both new features.
In addition to the new features themselves, a new "status" command was added that will give a short summary about the available modules and their status, at a glance.
Note: FIPS certified modules are only available for xenial. Livepatch is supported on xenial and trusty. The tool will refuse to enable either service on an unsupported ubuntu release.
Without this updated package, customers of those services have to enable them manually by following a series of steps.
[FIPS DESCRIPTION]
When "ubuntu-advantage enable-fips <token>" is issued from commandline,
- configure the private PPA where the FIPS modules are located
- install the FIPS modules from this PPA to the local machine from where the script is run
- configure the bootloader to enable fips
Upon successful completion of these steps, the customer then gets a message stating to reboot
the machine to complete the fips enablement process.
Without the script, customers must perform the steps manually.
[LIVEPATCH DESCRIPTION]
Livepatch allows customers to apply kernel patches to a running system without rebooting it.
The current instructions live in http://ubuntu.com/livepatch and boil down to:
- install snapd if it's not installed already. On trusty this means a new kernel as well.
- install the canonical-livepatch snap
- obtain a livepatch token from Canonical
- run the enable command with the given token
The ubuntu-advantage-tools package simplifies this process by just requesting the token and performing all the other steps on behalf of the user. It also conveniently checks the running kernel and instructs the user to reboot into a newer kernel if needed to finish the installation (this is the case when running trusty).
[FIX]
Add fips and livepatch support to the ubuntu-adadvantage-tools package. See debdiff below.
[LIVEPATCH TESTCASES]
TRUSTY
0. Install the new ubuntu-advantage-tools package to add livepatch support.
1. Collect status before enabling livepatch
type on commandline:
ubuntu-advantage status
expect:
livepatch: disabled
esm: disabled (not available)
fips: disabled (not available)
2. Enable livepatch
visit https://ubuntu.com/livepatch and obtain a token
type on commandline,
sudo ubuntu-advantage enable-livepatch <yourtoken>
You may be required to install a newer kernel. In that case, expect the
following output:
Installing missing dependency snapd... OK
Installing the canonical-livepatch snap.
This may take a few minutes depending on your bandwidth.
canonical-livepatch 7.24 from 'canonical' installed
Your currently running kernel (3.13.0-133-generic) is too old to
support snaps. Version 4.4.0 or higher is needed.
Please reboot your system into a supported kernel version
and run the following command one more time to complete the
installation:
sudo ubuntu-advantage enable-livepatch <yourtoken>
Once you reboot and re-run the specified command, expect:
Enabling Livepatch with the given token, stand by...
Successfully enabled device. Using machine-token: <sometoken>
Use "canonical-livepatch status" to verify current patch status.
3. Verify livepatch status
type on commandline,
ubuntu-advantage status
expect an output like the following,
livepatch: enabled
client-version: "7.23"
architecture: x86_64
cpu-model: Intel Core Processor (Skylake)
last-check: 2017-10-23T15:10:45.640938255Z
boot-time: 2017-10-23T15:10:13Z
uptime: 1m19s
status:
- kernel: 4.4.0-97.120~14.04.1-generic
running: true
livepatch:
checkState: checked
patchState: nothing-to-apply
version: ""
fixes: ""
esm: disabled (not available)
fips: disabled (not available)
XENIAL
0. Install the new ubuntu-advantage-tools package to add livepatch support.
1. Collect status before enabling livepatch
type on commandline,
ubuntu-advantage status
expect,
livepatch: disabled
esm: disabled (not available)
fips: disabled
2. Enable livepatch
visit https://ubuntu.com/livepatch and obtain a token
type on commandline,
sudo ubuntu-advantage enable-livepatch <yourtoken>
expect,
Installing the canonical-livepatch snap.
This may take a few minutes depending on your bandwidth.
2017-10-20T19:39:41Z INFO Waiting for restart...
canonical-livepatch 7.24 from 'canonical' installed
Enabling Livepatch with the given token, stand by...
Successfully enabled device. Using machine-token: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Use "canonical-livepatch status" to verify current patch status.
3. Verify livepatch status
type on commandline,
ubuntu-advantage status
expect an output like the following,
livepatch: enabled
client-version: "7.23"
architecture: x86_64
cpu-model: Intel Core Processor (Skylake)
last-check: 2017-10-20T19:39:54.451499227Z
boot-time: 2017-10-20T19:28:09Z
uptime: 15m30s
status:
- kernel: 4.4.0-97.120-generic
running: true
livepatch:
checkState: checked
patchState: nothing-to-apply
version: ""
fixes: ""
esm: disabled (not available)
fips: disabled
ZESTY
0. Install the new ubuntu-advantage-tools package to add livepatch support.
1. Collect status before enabling livepatch
type on commandline:
ubuntu-advantage status
expect the livepatch service to be unavailable:
livepatch: disabled (not available)
esm: disabled (not available)
fips: disabled (not available)
2. Ensure that livepatch cannot be enabled on Zesty.
You can use a dummy set of credentials like "foobar" as the token:
type on commandline,
sudo ubuntu-advantage enable-livepatch foobar
expect,
Sorry, but Canonical Livepatch is not supported on zesty
[FIPS TESTCASES]
These testcases assume you have installed ubuntu-advantage-tools with the proposed changes. Prior to the upload they were performed on S390, PPC64EL and AMD64 architectures.
TRUSTY
(Note that FIPS is not supported on trusty.)
1. Collect status before enabling fips
type on commandline,
ubuntu-advantage status
expect,
livepatch: disabled
esm: disabled (not available)
fips: disabled (not available)
2. Ensure that fips cannot be enabled on trusty.
You can use a dummy set of credentials like user:secret as the token:
type on commandline,
sudo ubuntu-advantage enable-fips user:secret
expect,
Sorry, but Canonical FIPS 140-2 Modules is not supported on trusty
XENIAL
0. Install the new ubuntu-advantage-tools package to add fips support.
1. Collect status before enabling fips
type on commandline,
ubuntu-advantage status
expect,
livepatch: disabled
esm: disabled (not available)
fips: disabled
2. Enable fips
Note: This will require a token or credentials to fips Private PPA, in
the form xxx:xxx
type on commandline,
sudo ubuntu-advantage enable-fips xxx:xxx
expect,
[sudo] password for ubuntu:
Running apt-get update... OK
Ubuntu FIPS PPA repository enabled.
Installing FIPS packages (this may take a while)... OK
Configuring FIPS...
Updating grub to enable fips... OK
Successfully configured FIPS. Please reboot into the FIPS kernel to enable it.
type on commandline,
sudo reboot
3. Log back into system after reboot
type on commandline,
ubuntu-advantage status
expect,
livepatch: disabled
esm: disabled (not available)
fips: enabled
4. verify fips kernel "4.4.0-1002-fips" has been installed
type on commandline,
uname -a
expect,
Linux xenialguest 4.4.0-1002-fips #2-Ubuntu SMP Thu Apr 27 19:37:46 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
ZESTY
(Note that FIPS is not supported on zesty.)
1. Collect status before enabling fips
type on commandline,
ubuntu-advantage status
expect,
livepatch: disabled (not available)
esm: disabled (not available)
fips: disabled (not available)
2. Ensure that fips cannot be enabled on Zesty.
You can use a dummy set of credentials like user:secret as the token:
type on commandline,
sudo ubuntu-advantage enable-fips user:secret
expect,
Sorry, but Canonical FIPS 140-2 Modules is not supported on zesty
[REGRESSION POTENTIAL]
The current ubuntu-advantage-tools package in trusty, xenial and zesty is basically a NOOP because the only service it supports is ESM, which is only available for precise.
This update adds two new features to the package: FIPS (xenial only) and Livepatch (trusty and xenial), essentially making the package useful in trusty and xenial. For zesty there is no change, as none of these products are available for non-LTS releases.
[OTHER INFO]
The way this package was made available in all the ubuntu releases where it is now was via a "pocket copy". That's why it has the exact same version in trusty, xenial and zesty. Currently artful has version 10 (a version 12 just missed the feature freeze), so in order for upgrades between releases to work, we adopted the backports versioning scheme, by appending the ubuntu release code with a tilda ("~") to the version.
Another point is that even though ubuntu-advantage-tools is "just" a shell script, it is unit tested with python3, and these tests (and lint runs) gate merges in the upstream github repository at github.com/CanonicalLtd/ubuntu-advantage-script/. The tests do not necessarily run on each ubuntu release because of the version of python that is available in each. A clean run without any changes can be obtained in xenial and higher. Trusty needs a newer python3 (3.5 at a minimum). |
|
2017-10-26 17:12:40 |
Eric Desrochers |
summary |
[SRU] include recent version containing fips and livepatch |
[SRU] Microrelease : include recent version containing fips and livepatch |
|
2017-10-26 17:17:24 |
Eric Desrochers |
description |
[New upstream microreleases]
https://wiki.ubuntu.com/StableReleaseUpdates#New_upstream_microreleases
...
> a reliable and credible test suite for assuring the quality of every commit or release
YES, testsuite is in tox (python virtual test env)
> the tests are covering both functionality and API/ABI stability
YES
> the tests run during package build to cover all architectures
YES
> the package has an autopkgtest to run the tests in an Ubuntu environment against the actual binary packages
YES
**
This bug has some history that may be confusing from the comments. Basically it started out as a Feature Freeze Exception, that's why we have build logs, git logs and unit test runs attached.
Also, the "rename" that is mentioned elsewhere did not happen with this package: the ubuntu-advantage name was kept, no new aliases were added. This will happen in a later SRU, with a later version of the package.
I uploaded new tarballs and debdiff with these changes from what was here before, just in case you, the reader, have looked at the previous description:
* tarball with correct directory entry. The previous one had "v10" instead of "10" as the base version
* updated most recent changelog entry, just saying this is a backport of version 10. No need to say it has fips support, which neglected to mention the livepatch support. All that is in the previous d/changelog entries
PPA with built packages for t, x and z: https://launchpad.net/~ahasenack/+archive/ubuntu/ua-tools-sru-1719671 (ppa:ahasenack/ua-tools-sru-1719671 - no ~ppaN suffix, sorry)
[IMPACT]
Most recent version of ubuntu-advantage-tool on github includes fips and livepatch enablement. The fips enablement will allow customers to easily install and configure Canonical's FIPS certified modules on xenial, whereas livepatch allows xenial and trusty customers to patch the running kernel without a reboot.
This SRU will cover both new features.
In addition to the new features themselves, a new "status" command was added that will give a short summary about the available modules and their status, at a glance.
Note: FIPS certified modules are only available for xenial. Livepatch is supported on xenial and trusty. The tool will refuse to enable either service on an unsupported ubuntu release.
Without this updated package, customers of those services have to enable them manually by following a series of steps.
[FIPS DESCRIPTION]
When "ubuntu-advantage enable-fips <token>" is issued from commandline,
- configure the private PPA where the FIPS modules are located
- install the FIPS modules from this PPA to the local machine from where the script is run
- configure the bootloader to enable fips
Upon successful completion of these steps, the customer then gets a message stating to reboot
the machine to complete the fips enablement process.
Without the script, customers must perform the steps manually.
[LIVEPATCH DESCRIPTION]
Livepatch allows customers to apply kernel patches to a running system without rebooting it.
The current instructions live in http://ubuntu.com/livepatch and boil down to:
- install snapd if it's not installed already. On trusty this means a new kernel as well.
- install the canonical-livepatch snap
- obtain a livepatch token from Canonical
- run the enable command with the given token
The ubuntu-advantage-tools package simplifies this process by just requesting the token and performing all the other steps on behalf of the user. It also conveniently checks the running kernel and instructs the user to reboot into a newer kernel if needed to finish the installation (this is the case when running trusty).
[FIX]
Add fips and livepatch support to the ubuntu-adadvantage-tools package. See debdiff below.
[LIVEPATCH TESTCASES]
TRUSTY
0. Install the new ubuntu-advantage-tools package to add livepatch support.
1. Collect status before enabling livepatch
type on commandline:
ubuntu-advantage status
expect:
livepatch: disabled
esm: disabled (not available)
fips: disabled (not available)
2. Enable livepatch
visit https://ubuntu.com/livepatch and obtain a token
type on commandline,
sudo ubuntu-advantage enable-livepatch <yourtoken>
You may be required to install a newer kernel. In that case, expect the
following output:
Installing missing dependency snapd... OK
Installing the canonical-livepatch snap.
This may take a few minutes depending on your bandwidth.
canonical-livepatch 7.24 from 'canonical' installed
Your currently running kernel (3.13.0-133-generic) is too old to
support snaps. Version 4.4.0 or higher is needed.
Please reboot your system into a supported kernel version
and run the following command one more time to complete the
installation:
sudo ubuntu-advantage enable-livepatch <yourtoken>
Once you reboot and re-run the specified command, expect:
Enabling Livepatch with the given token, stand by...
Successfully enabled device. Using machine-token: <sometoken>
Use "canonical-livepatch status" to verify current patch status.
3. Verify livepatch status
type on commandline,
ubuntu-advantage status
expect an output like the following,
livepatch: enabled
client-version: "7.23"
architecture: x86_64
cpu-model: Intel Core Processor (Skylake)
last-check: 2017-10-23T15:10:45.640938255Z
boot-time: 2017-10-23T15:10:13Z
uptime: 1m19s
status:
- kernel: 4.4.0-97.120~14.04.1-generic
running: true
livepatch:
checkState: checked
patchState: nothing-to-apply
version: ""
fixes: ""
esm: disabled (not available)
fips: disabled (not available)
XENIAL
0. Install the new ubuntu-advantage-tools package to add livepatch support.
1. Collect status before enabling livepatch
type on commandline,
ubuntu-advantage status
expect,
livepatch: disabled
esm: disabled (not available)
fips: disabled
2. Enable livepatch
visit https://ubuntu.com/livepatch and obtain a token
type on commandline,
sudo ubuntu-advantage enable-livepatch <yourtoken>
expect,
Installing the canonical-livepatch snap.
This may take a few minutes depending on your bandwidth.
2017-10-20T19:39:41Z INFO Waiting for restart...
canonical-livepatch 7.24 from 'canonical' installed
Enabling Livepatch with the given token, stand by...
Successfully enabled device. Using machine-token: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Use "canonical-livepatch status" to verify current patch status.
3. Verify livepatch status
type on commandline,
ubuntu-advantage status
expect an output like the following,
livepatch: enabled
client-version: "7.23"
architecture: x86_64
cpu-model: Intel Core Processor (Skylake)
last-check: 2017-10-20T19:39:54.451499227Z
boot-time: 2017-10-20T19:28:09Z
uptime: 15m30s
status:
- kernel: 4.4.0-97.120-generic
running: true
livepatch:
checkState: checked
patchState: nothing-to-apply
version: ""
fixes: ""
esm: disabled (not available)
fips: disabled
ZESTY
0. Install the new ubuntu-advantage-tools package to add livepatch support.
1. Collect status before enabling livepatch
type on commandline:
ubuntu-advantage status
expect the livepatch service to be unavailable:
livepatch: disabled (not available)
esm: disabled (not available)
fips: disabled (not available)
2. Ensure that livepatch cannot be enabled on Zesty.
You can use a dummy set of credentials like "foobar" as the token:
type on commandline,
sudo ubuntu-advantage enable-livepatch foobar
expect,
Sorry, but Canonical Livepatch is not supported on zesty
[FIPS TESTCASES]
These testcases assume you have installed ubuntu-advantage-tools with the proposed changes. Prior to the upload they were performed on S390, PPC64EL and AMD64 architectures.
TRUSTY
(Note that FIPS is not supported on trusty.)
1. Collect status before enabling fips
type on commandline,
ubuntu-advantage status
expect,
livepatch: disabled
esm: disabled (not available)
fips: disabled (not available)
2. Ensure that fips cannot be enabled on trusty.
You can use a dummy set of credentials like user:secret as the token:
type on commandline,
sudo ubuntu-advantage enable-fips user:secret
expect,
Sorry, but Canonical FIPS 140-2 Modules is not supported on trusty
XENIAL
0. Install the new ubuntu-advantage-tools package to add fips support.
1. Collect status before enabling fips
type on commandline,
ubuntu-advantage status
expect,
livepatch: disabled
esm: disabled (not available)
fips: disabled
2. Enable fips
Note: This will require a token or credentials to fips Private PPA, in
the form xxx:xxx
type on commandline,
sudo ubuntu-advantage enable-fips xxx:xxx
expect,
[sudo] password for ubuntu:
Running apt-get update... OK
Ubuntu FIPS PPA repository enabled.
Installing FIPS packages (this may take a while)... OK
Configuring FIPS...
Updating grub to enable fips... OK
Successfully configured FIPS. Please reboot into the FIPS kernel to enable it.
type on commandline,
sudo reboot
3. Log back into system after reboot
type on commandline,
ubuntu-advantage status
expect,
livepatch: disabled
esm: disabled (not available)
fips: enabled
4. verify fips kernel "4.4.0-1002-fips" has been installed
type on commandline,
uname -a
expect,
Linux xenialguest 4.4.0-1002-fips #2-Ubuntu SMP Thu Apr 27 19:37:46 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
ZESTY
(Note that FIPS is not supported on zesty.)
1. Collect status before enabling fips
type on commandline,
ubuntu-advantage status
expect,
livepatch: disabled (not available)
esm: disabled (not available)
fips: disabled (not available)
2. Ensure that fips cannot be enabled on Zesty.
You can use a dummy set of credentials like user:secret as the token:
type on commandline,
sudo ubuntu-advantage enable-fips user:secret
expect,
Sorry, but Canonical FIPS 140-2 Modules is not supported on zesty
[REGRESSION POTENTIAL]
The current ubuntu-advantage-tools package in trusty, xenial and zesty is basically a NOOP because the only service it supports is ESM, which is only available for precise.
This update adds two new features to the package: FIPS (xenial only) and Livepatch (trusty and xenial), essentially making the package useful in trusty and xenial. For zesty there is no change, as none of these products are available for non-LTS releases.
[OTHER INFO]
The way this package was made available in all the ubuntu releases where it is now was via a "pocket copy". That's why it has the exact same version in trusty, xenial and zesty. Currently artful has version 10 (a version 12 just missed the feature freeze), so in order for upgrades between releases to work, we adopted the backports versioning scheme, by appending the ubuntu release code with a tilda ("~") to the version.
Another point is that even though ubuntu-advantage-tools is "just" a shell script, it is unit tested with python3, and these tests (and lint runs) gate merges in the upstream github repository at github.com/CanonicalLtd/ubuntu-advantage-script/. The tests do not necessarily run on each ubuntu release because of the version of python that is available in each. A clean run without any changes can be obtained in xenial and higher. Trusty needs a newer python3 (3.5 at a minimum). |
[New upstream microreleases]
https://wiki.ubuntu.com/StableReleaseUpdates#New_upstream_microreleases
...
> a reliable and credible test suite for assuring the quality of every commit or release
YES, testsuite is in tox (python virtual test env)
> the tests are covering both functionality and API/ABI stability
YES
> the tests run during package build to cover all architectures
YES
> the package has an autopkgtest to run the tests in an Ubuntu environment against the actual binary packages
YES
**
This bug has some history that may be confusing from the comments. Basically it started out as a Feature Freeze Exception, that's why we have build logs, git logs and unit test runs attached.
Also, the "rename" that is mentioned elsewhere did not happen with this package: the ubuntu-advantage name was kept, no new aliases were added. This will happen in a later SRU, with a later version of the package.
I uploaded new tarballs and debdiff with these changes from what was here before, just in case you, the reader, have looked at the previous description:
* tarball with correct directory entry. The previous one had "v10" instead of "10" as the base version
* updated most recent changelog entry, just saying this is a backport of version 10. No need to say it has fips support, which neglected to mention the livepatch support. All that is in the previous d/changelog entries
PPA with built packages for t, x and z: https://launchpad.net/~ahasenack/+archive/ubuntu/ua-tools-sru-1719671 (ppa:ahasenack/ua-tools-sru-1719671 - no ~ppaN suffix, sorry)
[IMPACT]
Most recent version of ubuntu-advantage-tool on github includes fips and livepatch enablement. The fips enablement will allow customers to easily install and configure Canonical's FIPS certified modules on xenial, whereas livepatch allows xenial and trusty customers to patch the running kernel without a reboot.
This SRU will cover both new features.
In addition to the new features themselves, a new "status" command was added that will give a short summary about the available modules and their status, at a glance.
Note: FIPS certified modules are only available for xenial. Livepatch is supported on xenial and trusty. The tool will refuse to enable either service on an unsupported ubuntu release.
Without this updated package, customers of those services have to enable them manually by following a series of steps.
[FIPS DESCRIPTION]
When "ubuntu-advantage enable-fips <token>" is issued from commandline,
- configure the private PPA where the FIPS modules are located
- install the FIPS modules from this PPA to the local machine from where the script is run
- configure the bootloader to enable fips
Upon successful completion of these steps, the customer then gets a message stating to reboot
the machine to complete the fips enablement process.
Without the script, customers must perform the steps manually.
[LIVEPATCH DESCRIPTION]
Livepatch allows customers to apply kernel patches to a running system without rebooting it.
The current instructions live in http://ubuntu.com/livepatch and boil down to:
- install snapd if it's not installed already. On trusty this means a new kernel as well.
- install the canonical-livepatch snap
- obtain a livepatch token from Canonical
- run the enable command with the given token
The ubuntu-advantage-tools package simplifies this process by just requesting the token and performing all the other steps on behalf of the user. It also conveniently checks the running kernel and instructs the user to reboot into a newer kernel if needed to finish the installation (this is the case when running trusty).
[FIX]
Add fips and livepatch support to the ubuntu-adadvantage-tools package. See debdiff below.
[LIVEPATCH TESTCASES]
TRUSTY
0. Install the new ubuntu-advantage-tools package to add livepatch support.
1. Collect status before enabling livepatch
type on commandline:
ubuntu-advantage status
expect:
livepatch: disabled
esm: disabled (not available)
fips: disabled (not available)
2. Enable livepatch
visit https://ubuntu.com/livepatch and obtain a token
type on commandline,
sudo ubuntu-advantage enable-livepatch <yourtoken>
You may be required to install a newer kernel. In that case, expect the
following output:
Installing missing dependency snapd... OK
Installing the canonical-livepatch snap.
This may take a few minutes depending on your bandwidth.
canonical-livepatch 7.24 from 'canonical' installed
Your currently running kernel (3.13.0-133-generic) is too old to
support snaps. Version 4.4.0 or higher is needed.
Please reboot your system into a supported kernel version
and run the following command one more time to complete the
installation:
sudo ubuntu-advantage enable-livepatch <yourtoken>
Once you reboot and re-run the specified command, expect:
Enabling Livepatch with the given token, stand by...
Successfully enabled device. Using machine-token: <sometoken>
Use "canonical-livepatch status" to verify current patch status.
3. Verify livepatch status
type on commandline,
ubuntu-advantage status
expect an output like the following,
livepatch: enabled
client-version: "7.23"
architecture: x86_64
cpu-model: Intel Core Processor (Skylake)
last-check: 2017-10-23T15:10:45.640938255Z
boot-time: 2017-10-23T15:10:13Z
uptime: 1m19s
status:
- kernel: 4.4.0-97.120~14.04.1-generic
running: true
livepatch:
checkState: checked
patchState: nothing-to-apply
version: ""
fixes: ""
esm: disabled (not available)
fips: disabled (not available)
XENIAL
0. Install the new ubuntu-advantage-tools package to add livepatch support.
1. Collect status before enabling livepatch
type on commandline,
ubuntu-advantage status
expect,
livepatch: disabled
esm: disabled (not available)
fips: disabled
2. Enable livepatch
visit https://ubuntu.com/livepatch and obtain a token
type on commandline,
sudo ubuntu-advantage enable-livepatch <yourtoken>
expect,
Installing the canonical-livepatch snap.
This may take a few minutes depending on your bandwidth.
2017-10-20T19:39:41Z INFO Waiting for restart...
canonical-livepatch 7.24 from 'canonical' installed
Enabling Livepatch with the given token, stand by...
Successfully enabled device. Using machine-token: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Use "canonical-livepatch status" to verify current patch status.
3. Verify livepatch status
type on commandline,
ubuntu-advantage status
expect an output like the following,
livepatch: enabled
client-version: "7.23"
architecture: x86_64
cpu-model: Intel Core Processor (Skylake)
last-check: 2017-10-20T19:39:54.451499227Z
boot-time: 2017-10-20T19:28:09Z
uptime: 15m30s
status:
- kernel: 4.4.0-97.120-generic
running: true
livepatch:
checkState: checked
patchState: nothing-to-apply
version: ""
fixes: ""
esm: disabled (not available)
fips: disabled
ZESTY
0. Install the new ubuntu-advantage-tools package to add livepatch support.
1. Collect status before enabling livepatch
type on commandline:
ubuntu-advantage status
expect the livepatch service to be unavailable:
livepatch: disabled (not available)
esm: disabled (not available)
fips: disabled (not available)
2. Ensure that livepatch cannot be enabled on Zesty.
You can use a dummy set of credentials like "foobar" as the token:
type on commandline,
sudo ubuntu-advantage enable-livepatch foobar
expect,
Sorry, but Canonical Livepatch is not supported on zesty
[FIPS TESTCASES]
These testcases assume you have installed ubuntu-advantage-tools with the proposed changes. Prior to the upload they were performed on S390, PPC64EL and AMD64 architectures.
TRUSTY
(Note that FIPS is not supported on trusty.)
1. Collect status before enabling fips
type on commandline,
ubuntu-advantage status
expect,
livepatch: disabled
esm: disabled (not available)
fips: disabled (not available)
2. Ensure that fips cannot be enabled on trusty.
You can use a dummy set of credentials like user:secret as the token:
type on commandline,
sudo ubuntu-advantage enable-fips user:secret
expect,
Sorry, but Canonical FIPS 140-2 Modules is not supported on trusty
XENIAL
0. Install the new ubuntu-advantage-tools package to add fips support.
1. Collect status before enabling fips
type on commandline,
ubuntu-advantage status
expect,
livepatch: disabled
esm: disabled (not available)
fips: disabled
2. Enable fips
Note: This will require a token or credentials to fips Private PPA, in
the form xxx:xxx
type on commandline,
sudo ubuntu-advantage enable-fips xxx:xxx
expect,
[sudo] password for ubuntu:
Running apt-get update... OK
Ubuntu FIPS PPA repository enabled.
Installing FIPS packages (this may take a while)... OK
Configuring FIPS...
Updating grub to enable fips... OK
Successfully configured FIPS. Please reboot into the FIPS kernel to enable it.
type on commandline,
sudo reboot
3. Log back into system after reboot
type on commandline,
ubuntu-advantage status
expect,
livepatch: disabled
esm: disabled (not available)
fips: enabled
4. verify fips kernel "4.4.0-1002-fips" has been installed
type on commandline,
uname -a
expect,
Linux xenialguest 4.4.0-1002-fips #2-Ubuntu SMP Thu Apr 27 19:37:46 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
ZESTY
(Note that FIPS is not supported on zesty.)
1. Collect status before enabling fips
type on commandline,
ubuntu-advantage status
expect,
livepatch: disabled (not available)
esm: disabled (not available)
fips: disabled (not available)
2. Ensure that fips cannot be enabled on Zesty.
You can use a dummy set of credentials like user:secret as the token:
type on commandline,
sudo ubuntu-advantage enable-fips user:secret
expect,
Sorry, but Canonical FIPS 140-2 Modules is not supported on zesty
[REGRESSION POTENTIAL]
The current ubuntu-advantage-tools package in trusty, xenial and zesty is basically a NOOP because the only service it supports is ESM, which is only available for precise.
This update adds two new features to the package: FIPS (xenial only) and Livepatch (trusty and xenial), essentially making the package useful in trusty and xenial. For zesty there is no change, as none of these products are available for non-LTS releases.
In case of broken core functionality or specific broken features, note that there is a manual instructions workaround if needed.
[OTHER INFO]
The way this package was made available in all the ubuntu releases where it is now was via a "pocket copy". That's why it has the exact same version in trusty, xenial and zesty. Currently artful has version 10 (a version 12 just missed the feature freeze), so in order for upgrades between releases to work, we adopted the backports versioning scheme, by appending the ubuntu release code with a tilda ("~") to the version.
Another point is that even though ubuntu-advantage-tools is "just" a shell script, it is unit tested with python3, and these tests (and lint runs) gate merges in the upstream github repository at github.com/CanonicalLtd/ubuntu-advantage-script/. The tests do not necessarily run on each ubuntu release because of the version of python that is available in each. A clean run without any changes can be obtained in xenial and higher. Trusty needs a newer python3 (3.5 at a minimum). |
|
2017-10-26 17:17:29 |
Eric Desrochers |
ubuntu-advantage-tools (Ubuntu Trusty): importance |
Undecided |
Medium |
|
2017-10-26 17:17:31 |
Eric Desrochers |
ubuntu-advantage-tools (Ubuntu Xenial): importance |
Undecided |
Medium |
|
2017-10-26 17:17:33 |
Eric Desrochers |
ubuntu-advantage-tools (Ubuntu Zesty): importance |
Undecided |
Medium |
|
2017-10-26 17:44:55 |
Eric Desrochers |
description |
[New upstream microreleases]
https://wiki.ubuntu.com/StableReleaseUpdates#New_upstream_microreleases
...
> a reliable and credible test suite for assuring the quality of every commit or release
YES, testsuite is in tox (python virtual test env)
> the tests are covering both functionality and API/ABI stability
YES
> the tests run during package build to cover all architectures
YES
> the package has an autopkgtest to run the tests in an Ubuntu environment against the actual binary packages
YES
**
This bug has some history that may be confusing from the comments. Basically it started out as a Feature Freeze Exception, that's why we have build logs, git logs and unit test runs attached.
Also, the "rename" that is mentioned elsewhere did not happen with this package: the ubuntu-advantage name was kept, no new aliases were added. This will happen in a later SRU, with a later version of the package.
I uploaded new tarballs and debdiff with these changes from what was here before, just in case you, the reader, have looked at the previous description:
* tarball with correct directory entry. The previous one had "v10" instead of "10" as the base version
* updated most recent changelog entry, just saying this is a backport of version 10. No need to say it has fips support, which neglected to mention the livepatch support. All that is in the previous d/changelog entries
PPA with built packages for t, x and z: https://launchpad.net/~ahasenack/+archive/ubuntu/ua-tools-sru-1719671 (ppa:ahasenack/ua-tools-sru-1719671 - no ~ppaN suffix, sorry)
[IMPACT]
Most recent version of ubuntu-advantage-tool on github includes fips and livepatch enablement. The fips enablement will allow customers to easily install and configure Canonical's FIPS certified modules on xenial, whereas livepatch allows xenial and trusty customers to patch the running kernel without a reboot.
This SRU will cover both new features.
In addition to the new features themselves, a new "status" command was added that will give a short summary about the available modules and their status, at a glance.
Note: FIPS certified modules are only available for xenial. Livepatch is supported on xenial and trusty. The tool will refuse to enable either service on an unsupported ubuntu release.
Without this updated package, customers of those services have to enable them manually by following a series of steps.
[FIPS DESCRIPTION]
When "ubuntu-advantage enable-fips <token>" is issued from commandline,
- configure the private PPA where the FIPS modules are located
- install the FIPS modules from this PPA to the local machine from where the script is run
- configure the bootloader to enable fips
Upon successful completion of these steps, the customer then gets a message stating to reboot
the machine to complete the fips enablement process.
Without the script, customers must perform the steps manually.
[LIVEPATCH DESCRIPTION]
Livepatch allows customers to apply kernel patches to a running system without rebooting it.
The current instructions live in http://ubuntu.com/livepatch and boil down to:
- install snapd if it's not installed already. On trusty this means a new kernel as well.
- install the canonical-livepatch snap
- obtain a livepatch token from Canonical
- run the enable command with the given token
The ubuntu-advantage-tools package simplifies this process by just requesting the token and performing all the other steps on behalf of the user. It also conveniently checks the running kernel and instructs the user to reboot into a newer kernel if needed to finish the installation (this is the case when running trusty).
[FIX]
Add fips and livepatch support to the ubuntu-adadvantage-tools package. See debdiff below.
[LIVEPATCH TESTCASES]
TRUSTY
0. Install the new ubuntu-advantage-tools package to add livepatch support.
1. Collect status before enabling livepatch
type on commandline:
ubuntu-advantage status
expect:
livepatch: disabled
esm: disabled (not available)
fips: disabled (not available)
2. Enable livepatch
visit https://ubuntu.com/livepatch and obtain a token
type on commandline,
sudo ubuntu-advantage enable-livepatch <yourtoken>
You may be required to install a newer kernel. In that case, expect the
following output:
Installing missing dependency snapd... OK
Installing the canonical-livepatch snap.
This may take a few minutes depending on your bandwidth.
canonical-livepatch 7.24 from 'canonical' installed
Your currently running kernel (3.13.0-133-generic) is too old to
support snaps. Version 4.4.0 or higher is needed.
Please reboot your system into a supported kernel version
and run the following command one more time to complete the
installation:
sudo ubuntu-advantage enable-livepatch <yourtoken>
Once you reboot and re-run the specified command, expect:
Enabling Livepatch with the given token, stand by...
Successfully enabled device. Using machine-token: <sometoken>
Use "canonical-livepatch status" to verify current patch status.
3. Verify livepatch status
type on commandline,
ubuntu-advantage status
expect an output like the following,
livepatch: enabled
client-version: "7.23"
architecture: x86_64
cpu-model: Intel Core Processor (Skylake)
last-check: 2017-10-23T15:10:45.640938255Z
boot-time: 2017-10-23T15:10:13Z
uptime: 1m19s
status:
- kernel: 4.4.0-97.120~14.04.1-generic
running: true
livepatch:
checkState: checked
patchState: nothing-to-apply
version: ""
fixes: ""
esm: disabled (not available)
fips: disabled (not available)
XENIAL
0. Install the new ubuntu-advantage-tools package to add livepatch support.
1. Collect status before enabling livepatch
type on commandline,
ubuntu-advantage status
expect,
livepatch: disabled
esm: disabled (not available)
fips: disabled
2. Enable livepatch
visit https://ubuntu.com/livepatch and obtain a token
type on commandline,
sudo ubuntu-advantage enable-livepatch <yourtoken>
expect,
Installing the canonical-livepatch snap.
This may take a few minutes depending on your bandwidth.
2017-10-20T19:39:41Z INFO Waiting for restart...
canonical-livepatch 7.24 from 'canonical' installed
Enabling Livepatch with the given token, stand by...
Successfully enabled device. Using machine-token: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Use "canonical-livepatch status" to verify current patch status.
3. Verify livepatch status
type on commandline,
ubuntu-advantage status
expect an output like the following,
livepatch: enabled
client-version: "7.23"
architecture: x86_64
cpu-model: Intel Core Processor (Skylake)
last-check: 2017-10-20T19:39:54.451499227Z
boot-time: 2017-10-20T19:28:09Z
uptime: 15m30s
status:
- kernel: 4.4.0-97.120-generic
running: true
livepatch:
checkState: checked
patchState: nothing-to-apply
version: ""
fixes: ""
esm: disabled (not available)
fips: disabled
ZESTY
0. Install the new ubuntu-advantage-tools package to add livepatch support.
1. Collect status before enabling livepatch
type on commandline:
ubuntu-advantage status
expect the livepatch service to be unavailable:
livepatch: disabled (not available)
esm: disabled (not available)
fips: disabled (not available)
2. Ensure that livepatch cannot be enabled on Zesty.
You can use a dummy set of credentials like "foobar" as the token:
type on commandline,
sudo ubuntu-advantage enable-livepatch foobar
expect,
Sorry, but Canonical Livepatch is not supported on zesty
[FIPS TESTCASES]
These testcases assume you have installed ubuntu-advantage-tools with the proposed changes. Prior to the upload they were performed on S390, PPC64EL and AMD64 architectures.
TRUSTY
(Note that FIPS is not supported on trusty.)
1. Collect status before enabling fips
type on commandline,
ubuntu-advantage status
expect,
livepatch: disabled
esm: disabled (not available)
fips: disabled (not available)
2. Ensure that fips cannot be enabled on trusty.
You can use a dummy set of credentials like user:secret as the token:
type on commandline,
sudo ubuntu-advantage enable-fips user:secret
expect,
Sorry, but Canonical FIPS 140-2 Modules is not supported on trusty
XENIAL
0. Install the new ubuntu-advantage-tools package to add fips support.
1. Collect status before enabling fips
type on commandline,
ubuntu-advantage status
expect,
livepatch: disabled
esm: disabled (not available)
fips: disabled
2. Enable fips
Note: This will require a token or credentials to fips Private PPA, in
the form xxx:xxx
type on commandline,
sudo ubuntu-advantage enable-fips xxx:xxx
expect,
[sudo] password for ubuntu:
Running apt-get update... OK
Ubuntu FIPS PPA repository enabled.
Installing FIPS packages (this may take a while)... OK
Configuring FIPS...
Updating grub to enable fips... OK
Successfully configured FIPS. Please reboot into the FIPS kernel to enable it.
type on commandline,
sudo reboot
3. Log back into system after reboot
type on commandline,
ubuntu-advantage status
expect,
livepatch: disabled
esm: disabled (not available)
fips: enabled
4. verify fips kernel "4.4.0-1002-fips" has been installed
type on commandline,
uname -a
expect,
Linux xenialguest 4.4.0-1002-fips #2-Ubuntu SMP Thu Apr 27 19:37:46 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
ZESTY
(Note that FIPS is not supported on zesty.)
1. Collect status before enabling fips
type on commandline,
ubuntu-advantage status
expect,
livepatch: disabled (not available)
esm: disabled (not available)
fips: disabled (not available)
2. Ensure that fips cannot be enabled on Zesty.
You can use a dummy set of credentials like user:secret as the token:
type on commandline,
sudo ubuntu-advantage enable-fips user:secret
expect,
Sorry, but Canonical FIPS 140-2 Modules is not supported on zesty
[REGRESSION POTENTIAL]
The current ubuntu-advantage-tools package in trusty, xenial and zesty is basically a NOOP because the only service it supports is ESM, which is only available for precise.
This update adds two new features to the package: FIPS (xenial only) and Livepatch (trusty and xenial), essentially making the package useful in trusty and xenial. For zesty there is no change, as none of these products are available for non-LTS releases.
In case of broken core functionality or specific broken features, note that there is a manual instructions workaround if needed.
[OTHER INFO]
The way this package was made available in all the ubuntu releases where it is now was via a "pocket copy". That's why it has the exact same version in trusty, xenial and zesty. Currently artful has version 10 (a version 12 just missed the feature freeze), so in order for upgrades between releases to work, we adopted the backports versioning scheme, by appending the ubuntu release code with a tilda ("~") to the version.
Another point is that even though ubuntu-advantage-tools is "just" a shell script, it is unit tested with python3, and these tests (and lint runs) gate merges in the upstream github repository at github.com/CanonicalLtd/ubuntu-advantage-script/. The tests do not necessarily run on each ubuntu release because of the version of python that is available in each. A clean run without any changes can be obtained in xenial and higher. Trusty needs a newer python3 (3.5 at a minimum). |
This bug has some history that may be confusing from the comments. Basically it started out as a Feature Freeze Exception, that's why we have build logs, git logs and unit test runs attached.
Also, the "rename" that is mentioned elsewhere did not happen with this package: the ubuntu-advantage name was kept, no new aliases were added. This will happen in a later SRU, with a later version of the package.
I uploaded new tarballs and debdiff with these changes from what was here before, just in case you, the reader, have looked at the previous description:
* tarball with correct directory entry. The previous one had "v10" instead of "10" as the base version
* updated most recent changelog entry, just saying this is a backport of version 10. No need to say it has fips support, which neglected to mention the livepatch support. All that is in the previous d/changelog entries
PPA with built packages for t, x and z: https://launchpad.net/~ahasenack/+archive/ubuntu/ua-tools-sru-1719671 (ppa:ahasenack/ua-tools-sru-1719671 - no ~ppaN suffix, sorry)
[IMPACT]
Most recent version of ubuntu-advantage-tool on github includes fips and livepatch enablement. The fips enablement will allow customers to easily install and configure Canonical's FIPS certified modules on xenial, whereas livepatch allows xenial and trusty customers to patch the running kernel without a reboot.
This SRU will cover both new features.
In addition to the new features themselves, a new "status" command was added that will give a short summary about the available modules and their status, at a glance.
Note: FIPS certified modules are only available for xenial. Livepatch is supported on xenial and trusty. The tool will refuse to enable either service on an unsupported ubuntu release.
Without this updated package, customers of those services have to enable them manually by following a series of steps.
[FIPS DESCRIPTION]
When "ubuntu-advantage enable-fips <token>" is issued from commandline,
- configure the private PPA where the FIPS modules are located
- install the FIPS modules from this PPA to the local machine from where the script is run
- configure the bootloader to enable fips
Upon successful completion of these steps, the customer then gets a message stating to reboot
the machine to complete the fips enablement process.
Without the script, customers must perform the steps manually.
[LIVEPATCH DESCRIPTION]
Livepatch allows customers to apply kernel patches to a running system without rebooting it.
The current instructions live in http://ubuntu.com/livepatch and boil down to:
- install snapd if it's not installed already. On trusty this means a new kernel as well.
- install the canonical-livepatch snap
- obtain a livepatch token from Canonical
- run the enable command with the given token
The ubuntu-advantage-tools package simplifies this process by just requesting the token and performing all the other steps on behalf of the user. It also conveniently checks the running kernel and instructs the user to reboot into a newer kernel if needed to finish the installation (this is the case when running trusty).
[FIX]
Add fips and livepatch support to the ubuntu-adadvantage-tools package. See debdiff below.
[LIVEPATCH TESTCASES]
TRUSTY
0. Install the new ubuntu-advantage-tools package to add livepatch support.
1. Collect status before enabling livepatch
type on commandline:
ubuntu-advantage status
expect:
livepatch: disabled
esm: disabled (not available)
fips: disabled (not available)
2. Enable livepatch
visit https://ubuntu.com/livepatch and obtain a token
type on commandline,
sudo ubuntu-advantage enable-livepatch <yourtoken>
You may be required to install a newer kernel. In that case, expect the
following output:
Installing missing dependency snapd... OK
Installing the canonical-livepatch snap.
This may take a few minutes depending on your bandwidth.
canonical-livepatch 7.24 from 'canonical' installed
Your currently running kernel (3.13.0-133-generic) is too old to
support snaps. Version 4.4.0 or higher is needed.
Please reboot your system into a supported kernel version
and run the following command one more time to complete the
installation:
sudo ubuntu-advantage enable-livepatch <yourtoken>
Once you reboot and re-run the specified command, expect:
Enabling Livepatch with the given token, stand by...
Successfully enabled device. Using machine-token: <sometoken>
Use "canonical-livepatch status" to verify current patch status.
3. Verify livepatch status
type on commandline,
ubuntu-advantage status
expect an output like the following,
livepatch: enabled
client-version: "7.23"
architecture: x86_64
cpu-model: Intel Core Processor (Skylake)
last-check: 2017-10-23T15:10:45.640938255Z
boot-time: 2017-10-23T15:10:13Z
uptime: 1m19s
status:
- kernel: 4.4.0-97.120~14.04.1-generic
running: true
livepatch:
checkState: checked
patchState: nothing-to-apply
version: ""
fixes: ""
esm: disabled (not available)
fips: disabled (not available)
XENIAL
0. Install the new ubuntu-advantage-tools package to add livepatch support.
1. Collect status before enabling livepatch
type on commandline,
ubuntu-advantage status
expect,
livepatch: disabled
esm: disabled (not available)
fips: disabled
2. Enable livepatch
visit https://ubuntu.com/livepatch and obtain a token
type on commandline,
sudo ubuntu-advantage enable-livepatch <yourtoken>
expect,
Installing the canonical-livepatch snap.
This may take a few minutes depending on your bandwidth.
2017-10-20T19:39:41Z INFO Waiting for restart...
canonical-livepatch 7.24 from 'canonical' installed
Enabling Livepatch with the given token, stand by...
Successfully enabled device. Using machine-token: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Use "canonical-livepatch status" to verify current patch status.
3. Verify livepatch status
type on commandline,
ubuntu-advantage status
expect an output like the following,
livepatch: enabled
client-version: "7.23"
architecture: x86_64
cpu-model: Intel Core Processor (Skylake)
last-check: 2017-10-20T19:39:54.451499227Z
boot-time: 2017-10-20T19:28:09Z
uptime: 15m30s
status:
- kernel: 4.4.0-97.120-generic
running: true
livepatch:
checkState: checked
patchState: nothing-to-apply
version: ""
fixes: ""
esm: disabled (not available)
fips: disabled
ZESTY
0. Install the new ubuntu-advantage-tools package to add livepatch support.
1. Collect status before enabling livepatch
type on commandline:
ubuntu-advantage status
expect the livepatch service to be unavailable:
livepatch: disabled (not available)
esm: disabled (not available)
fips: disabled (not available)
2. Ensure that livepatch cannot be enabled on Zesty.
You can use a dummy set of credentials like "foobar" as the token:
type on commandline,
sudo ubuntu-advantage enable-livepatch foobar
expect,
Sorry, but Canonical Livepatch is not supported on zesty
[FIPS TESTCASES]
These testcases assume you have installed ubuntu-advantage-tools with the proposed changes. Prior to the upload they were performed on S390, PPC64EL and AMD64 architectures.
TRUSTY
(Note that FIPS is not supported on trusty.)
1. Collect status before enabling fips
type on commandline,
ubuntu-advantage status
expect,
livepatch: disabled
esm: disabled (not available)
fips: disabled (not available)
2. Ensure that fips cannot be enabled on trusty.
You can use a dummy set of credentials like user:secret as the token:
type on commandline,
sudo ubuntu-advantage enable-fips user:secret
expect,
Sorry, but Canonical FIPS 140-2 Modules is not supported on trusty
XENIAL
0. Install the new ubuntu-advantage-tools package to add fips support.
1. Collect status before enabling fips
type on commandline,
ubuntu-advantage status
expect,
livepatch: disabled
esm: disabled (not available)
fips: disabled
2. Enable fips
Note: This will require a token or credentials to fips Private PPA, in
the form xxx:xxx
type on commandline,
sudo ubuntu-advantage enable-fips xxx:xxx
expect,
[sudo] password for ubuntu:
Running apt-get update... OK
Ubuntu FIPS PPA repository enabled.
Installing FIPS packages (this may take a while)... OK
Configuring FIPS...
Updating grub to enable fips... OK
Successfully configured FIPS. Please reboot into the FIPS kernel to enable it.
type on commandline,
sudo reboot
3. Log back into system after reboot
type on commandline,
ubuntu-advantage status
expect,
livepatch: disabled
esm: disabled (not available)
fips: enabled
4. verify fips kernel "4.4.0-1002-fips" has been installed
type on commandline,
uname -a
expect,
Linux xenialguest 4.4.0-1002-fips #2-Ubuntu SMP Thu Apr 27 19:37:46 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
ZESTY
(Note that FIPS is not supported on zesty.)
1. Collect status before enabling fips
type on commandline,
ubuntu-advantage status
expect,
livepatch: disabled (not available)
esm: disabled (not available)
fips: disabled (not available)
2. Ensure that fips cannot be enabled on Zesty.
You can use a dummy set of credentials like user:secret as the token:
type on commandline,
sudo ubuntu-advantage enable-fips user:secret
expect,
Sorry, but Canonical FIPS 140-2 Modules is not supported on zesty
[REGRESSION POTENTIAL]
The current ubuntu-advantage-tools package in trusty, xenial and zesty is basically a NOOP because the only service it supports is ESM, which is only available for precise.
This update adds two new features to the package: FIPS (xenial only) and Livepatch (trusty and xenial), essentially making the package useful in trusty and xenial. For zesty there is no change, as none of these products are available for non-LTS releases.
In case of broken core functionality or specific broken features, note that there is a manual instructions workaround if needed.
[OTHER INFO]
The way this package was made available in all the ubuntu releases where it is now was via a "pocket copy". That's why it has the exact same version in trusty, xenial and zesty. Currently artful has version 10 (a version 12 just missed the feature freeze), so in order for upgrades between releases to work, we adopted the backports versioning scheme, by appending the ubuntu release code with a tilda ("~") to the version.
Another point is that even though ubuntu-advantage-tools is "just" a shell script, it is unit tested with python3, and these tests (and lint runs) gate merges in the upstream github repository at github.com/CanonicalLtd/ubuntu-advantage-script/. The tests do not necessarily run on each ubuntu release because of the version of python that is available in each. A clean run without any changes can be obtained in xenial and higher. Trusty needs a newer python3 (3.5 at a minimum). |
|
2017-10-26 17:45:02 |
Eric Desrochers |
summary |
[SRU] Microrelease : include recent version containing fips and livepatch |
[SRU] include recent version containing fips and livepatch |
|
2017-10-26 20:17:28 |
Eric Desrochers |
bug task added |
|
ubuntu-advantage-tools (Ubuntu Artful) |
|
2017-10-26 20:17:39 |
Eric Desrochers |
ubuntu-advantage-tools (Ubuntu Artful): status |
New |
Fix Released |
|
2017-10-26 23:28:09 |
Eric Desrochers |
tags |
fips livepatch patch sts sts-sponsor-slashd |
fips livepatch patch sts sts-sponsor-slashd-done |
|
2017-10-26 23:30:06 |
Eric Desrochers |
bug |
|
|
added subscriber SRU Verification |
2017-10-26 23:52:49 |
Eric Desrochers |
removed subscriber SRU Verification |
|
|
|
2017-10-26 23:52:53 |
Eric Desrochers |
removed subscriber STS Sponsors |
|
|
|
2017-10-26 23:52:59 |
Eric Desrochers |
bug |
|
|
added subscriber SRU Verification |
2017-11-03 14:16:07 |
Eric Desrochers |
bug |
|
|
added subscriber STS Sponsors |
2017-11-03 18:24:07 |
Eric Desrochers |
ubuntu-advantage-tools (Ubuntu Artful): assignee |
|
Andreas Hasenack (ahasenack) |
|
2017-11-03 18:24:10 |
Eric Desrochers |
ubuntu-advantage-tools (Ubuntu Artful): importance |
Undecided |
Medium |
|
2017-11-03 18:24:12 |
Eric Desrochers |
ubuntu-advantage-tools (Ubuntu Artful): status |
Fix Released |
In Progress |
|
2017-11-05 21:04:53 |
Launchpad Janitor |
merge proposal linked |
|
https://code.launchpad.net/~ahasenack/ubuntu/+source/ubuntu-advantage-tools/+git/ubuntu-advantage-tools/+merge/333235 |
|
2017-11-05 21:05:44 |
Launchpad Janitor |
merge proposal linked |
|
https://code.launchpad.net/~ahasenack/ubuntu/+source/ubuntu-advantage-tools/+git/ubuntu-advantage-tools/+merge/333236 |
|
2017-11-05 21:06:09 |
Launchpad Janitor |
merge proposal linked |
|
https://code.launchpad.net/~ahasenack/ubuntu/+source/ubuntu-advantage-tools/+git/ubuntu-advantage-tools/+merge/333237 |
|
2017-11-05 21:06:27 |
Launchpad Janitor |
merge proposal linked |
|
https://code.launchpad.net/~ahasenack/ubuntu/+source/ubuntu-advantage-tools/+git/ubuntu-advantage-tools/+merge/333238 |
|
2017-11-05 21:08:55 |
Andreas Hasenack |
attachment removed |
ubuntu-advantage-tools_10~ubuntu0.17.04.1.tar.xz https://bugs.launchpad.net/ubuntu/+source/ubuntu-advantage-tools/+bug/1719671/+attachment/4989106/+files/ubuntu-advantage-tools_10~ubuntu0.17.04.1.tar.xz |
|
|
2017-11-05 21:08:58 |
Andreas Hasenack |
attachment removed |
ubuntu-advantage-tools_10~ubuntu0.16.04.1.tar.xz https://bugs.launchpad.net/ubuntu/+source/ubuntu-advantage-tools/+bug/1719671/+attachment/4989105/+files/ubuntu-advantage-tools_10~ubuntu0.16.04.1.tar.xz |
|
|
2017-11-05 21:09:00 |
Andreas Hasenack |
attachment removed |
ubuntu-advantage-tools_10~ubuntu0.14.04.1.tar.xz https://bugs.launchpad.net/ubuntu/+source/ubuntu-advantage-tools/+bug/1719671/+attachment/4989104/+files/ubuntu-advantage-tools_10~ubuntu0.14.04.1.tar.xz |
|
|
2017-11-05 21:09:02 |
Andreas Hasenack |
attachment removed |
tox.results.zesty https://bugs.launchpad.net/ubuntu/+source/ubuntu-advantage-tools/+bug/1719671/+attachment/4973836/+files/tox.results.zesty |
|
|
2017-11-05 21:09:06 |
Andreas Hasenack |
attachment removed |
git-log-v2upload3..v10.zesty https://bugs.launchpad.net/ubuntu/+source/ubuntu-advantage-tools/+bug/1719671/+attachment/4973835/+files/git-log-v2upload3..v10.zesty |
|
|
2017-11-05 21:09:09 |
Andreas Hasenack |
attachment removed |
install.log.zesty shows before installing v10, install steps, and afterwards https://bugs.launchpad.net/ubuntu/+source/ubuntu-advantage-tools/+bug/1719671/+attachment/4973832/+files/install.log.zesty |
|
|
2017-11-05 21:09:11 |
Andreas Hasenack |
attachment removed |
build.log.zesty https://bugs.launchpad.net/ubuntu/+source/ubuntu-advantage-tools/+bug/1719671/+attachment/4973828/+files/build.log.zesty |
|
|
2017-11-05 21:09:14 |
Andreas Hasenack |
attachment removed |
tox.results.xenial https://bugs.launchpad.net/ubuntu/+source/ubuntu-advantage-tools/+bug/1719671/+attachment/4973811/+files/tox.results.xenial |
|
|
2017-11-05 21:09:16 |
Andreas Hasenack |
attachment removed |
git-log-v2upload3..v10.xenial https://bugs.launchpad.net/ubuntu/+source/ubuntu-advantage-tools/+bug/1719671/+attachment/4973810/+files/git-log-v2upload3..v10.xenial |
|
|
2017-11-05 21:09:18 |
Andreas Hasenack |
attachment removed |
Install log shows before installing v10 on xenial, install steps, and afterwards https://bugs.launchpad.net/ubuntu/+source/ubuntu-advantage-tools/+bug/1719671/+attachment/4973797/+files/install.log.xenial |
|
|
2017-11-05 21:09:21 |
Andreas Hasenack |
attachment removed |
build log for xenial https://bugs.launchpad.net/ubuntu/+source/ubuntu-advantage-tools/+bug/1719671/+attachment/4973778/+files/build.log.xenial |
|
|
2017-11-05 21:10:14 |
Andreas Hasenack |
description |
This bug has some history that may be confusing from the comments. Basically it started out as a Feature Freeze Exception, that's why we have build logs, git logs and unit test runs attached.
Also, the "rename" that is mentioned elsewhere did not happen with this package: the ubuntu-advantage name was kept, no new aliases were added. This will happen in a later SRU, with a later version of the package.
I uploaded new tarballs and debdiff with these changes from what was here before, just in case you, the reader, have looked at the previous description:
* tarball with correct directory entry. The previous one had "v10" instead of "10" as the base version
* updated most recent changelog entry, just saying this is a backport of version 10. No need to say it has fips support, which neglected to mention the livepatch support. All that is in the previous d/changelog entries
PPA with built packages for t, x and z: https://launchpad.net/~ahasenack/+archive/ubuntu/ua-tools-sru-1719671 (ppa:ahasenack/ua-tools-sru-1719671 - no ~ppaN suffix, sorry)
[IMPACT]
Most recent version of ubuntu-advantage-tool on github includes fips and livepatch enablement. The fips enablement will allow customers to easily install and configure Canonical's FIPS certified modules on xenial, whereas livepatch allows xenial and trusty customers to patch the running kernel without a reboot.
This SRU will cover both new features.
In addition to the new features themselves, a new "status" command was added that will give a short summary about the available modules and their status, at a glance.
Note: FIPS certified modules are only available for xenial. Livepatch is supported on xenial and trusty. The tool will refuse to enable either service on an unsupported ubuntu release.
Without this updated package, customers of those services have to enable them manually by following a series of steps.
[FIPS DESCRIPTION]
When "ubuntu-advantage enable-fips <token>" is issued from commandline,
- configure the private PPA where the FIPS modules are located
- install the FIPS modules from this PPA to the local machine from where the script is run
- configure the bootloader to enable fips
Upon successful completion of these steps, the customer then gets a message stating to reboot
the machine to complete the fips enablement process.
Without the script, customers must perform the steps manually.
[LIVEPATCH DESCRIPTION]
Livepatch allows customers to apply kernel patches to a running system without rebooting it.
The current instructions live in http://ubuntu.com/livepatch and boil down to:
- install snapd if it's not installed already. On trusty this means a new kernel as well.
- install the canonical-livepatch snap
- obtain a livepatch token from Canonical
- run the enable command with the given token
The ubuntu-advantage-tools package simplifies this process by just requesting the token and performing all the other steps on behalf of the user. It also conveniently checks the running kernel and instructs the user to reboot into a newer kernel if needed to finish the installation (this is the case when running trusty).
[FIX]
Add fips and livepatch support to the ubuntu-adadvantage-tools package. See debdiff below.
[LIVEPATCH TESTCASES]
TRUSTY
0. Install the new ubuntu-advantage-tools package to add livepatch support.
1. Collect status before enabling livepatch
type on commandline:
ubuntu-advantage status
expect:
livepatch: disabled
esm: disabled (not available)
fips: disabled (not available)
2. Enable livepatch
visit https://ubuntu.com/livepatch and obtain a token
type on commandline,
sudo ubuntu-advantage enable-livepatch <yourtoken>
You may be required to install a newer kernel. In that case, expect the
following output:
Installing missing dependency snapd... OK
Installing the canonical-livepatch snap.
This may take a few minutes depending on your bandwidth.
canonical-livepatch 7.24 from 'canonical' installed
Your currently running kernel (3.13.0-133-generic) is too old to
support snaps. Version 4.4.0 or higher is needed.
Please reboot your system into a supported kernel version
and run the following command one more time to complete the
installation:
sudo ubuntu-advantage enable-livepatch <yourtoken>
Once you reboot and re-run the specified command, expect:
Enabling Livepatch with the given token, stand by...
Successfully enabled device. Using machine-token: <sometoken>
Use "canonical-livepatch status" to verify current patch status.
3. Verify livepatch status
type on commandline,
ubuntu-advantage status
expect an output like the following,
livepatch: enabled
client-version: "7.23"
architecture: x86_64
cpu-model: Intel Core Processor (Skylake)
last-check: 2017-10-23T15:10:45.640938255Z
boot-time: 2017-10-23T15:10:13Z
uptime: 1m19s
status:
- kernel: 4.4.0-97.120~14.04.1-generic
running: true
livepatch:
checkState: checked
patchState: nothing-to-apply
version: ""
fixes: ""
esm: disabled (not available)
fips: disabled (not available)
XENIAL
0. Install the new ubuntu-advantage-tools package to add livepatch support.
1. Collect status before enabling livepatch
type on commandline,
ubuntu-advantage status
expect,
livepatch: disabled
esm: disabled (not available)
fips: disabled
2. Enable livepatch
visit https://ubuntu.com/livepatch and obtain a token
type on commandline,
sudo ubuntu-advantage enable-livepatch <yourtoken>
expect,
Installing the canonical-livepatch snap.
This may take a few minutes depending on your bandwidth.
2017-10-20T19:39:41Z INFO Waiting for restart...
canonical-livepatch 7.24 from 'canonical' installed
Enabling Livepatch with the given token, stand by...
Successfully enabled device. Using machine-token: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Use "canonical-livepatch status" to verify current patch status.
3. Verify livepatch status
type on commandline,
ubuntu-advantage status
expect an output like the following,
livepatch: enabled
client-version: "7.23"
architecture: x86_64
cpu-model: Intel Core Processor (Skylake)
last-check: 2017-10-20T19:39:54.451499227Z
boot-time: 2017-10-20T19:28:09Z
uptime: 15m30s
status:
- kernel: 4.4.0-97.120-generic
running: true
livepatch:
checkState: checked
patchState: nothing-to-apply
version: ""
fixes: ""
esm: disabled (not available)
fips: disabled
ZESTY
0. Install the new ubuntu-advantage-tools package to add livepatch support.
1. Collect status before enabling livepatch
type on commandline:
ubuntu-advantage status
expect the livepatch service to be unavailable:
livepatch: disabled (not available)
esm: disabled (not available)
fips: disabled (not available)
2. Ensure that livepatch cannot be enabled on Zesty.
You can use a dummy set of credentials like "foobar" as the token:
type on commandline,
sudo ubuntu-advantage enable-livepatch foobar
expect,
Sorry, but Canonical Livepatch is not supported on zesty
[FIPS TESTCASES]
These testcases assume you have installed ubuntu-advantage-tools with the proposed changes. Prior to the upload they were performed on S390, PPC64EL and AMD64 architectures.
TRUSTY
(Note that FIPS is not supported on trusty.)
1. Collect status before enabling fips
type on commandline,
ubuntu-advantage status
expect,
livepatch: disabled
esm: disabled (not available)
fips: disabled (not available)
2. Ensure that fips cannot be enabled on trusty.
You can use a dummy set of credentials like user:secret as the token:
type on commandline,
sudo ubuntu-advantage enable-fips user:secret
expect,
Sorry, but Canonical FIPS 140-2 Modules is not supported on trusty
XENIAL
0. Install the new ubuntu-advantage-tools package to add fips support.
1. Collect status before enabling fips
type on commandline,
ubuntu-advantage status
expect,
livepatch: disabled
esm: disabled (not available)
fips: disabled
2. Enable fips
Note: This will require a token or credentials to fips Private PPA, in
the form xxx:xxx
type on commandline,
sudo ubuntu-advantage enable-fips xxx:xxx
expect,
[sudo] password for ubuntu:
Running apt-get update... OK
Ubuntu FIPS PPA repository enabled.
Installing FIPS packages (this may take a while)... OK
Configuring FIPS...
Updating grub to enable fips... OK
Successfully configured FIPS. Please reboot into the FIPS kernel to enable it.
type on commandline,
sudo reboot
3. Log back into system after reboot
type on commandline,
ubuntu-advantage status
expect,
livepatch: disabled
esm: disabled (not available)
fips: enabled
4. verify fips kernel "4.4.0-1002-fips" has been installed
type on commandline,
uname -a
expect,
Linux xenialguest 4.4.0-1002-fips #2-Ubuntu SMP Thu Apr 27 19:37:46 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
ZESTY
(Note that FIPS is not supported on zesty.)
1. Collect status before enabling fips
type on commandline,
ubuntu-advantage status
expect,
livepatch: disabled (not available)
esm: disabled (not available)
fips: disabled (not available)
2. Ensure that fips cannot be enabled on Zesty.
You can use a dummy set of credentials like user:secret as the token:
type on commandline,
sudo ubuntu-advantage enable-fips user:secret
expect,
Sorry, but Canonical FIPS 140-2 Modules is not supported on zesty
[REGRESSION POTENTIAL]
The current ubuntu-advantage-tools package in trusty, xenial and zesty is basically a NOOP because the only service it supports is ESM, which is only available for precise.
This update adds two new features to the package: FIPS (xenial only) and Livepatch (trusty and xenial), essentially making the package useful in trusty and xenial. For zesty there is no change, as none of these products are available for non-LTS releases.
In case of broken core functionality or specific broken features, note that there is a manual instructions workaround if needed.
[OTHER INFO]
The way this package was made available in all the ubuntu releases where it is now was via a "pocket copy". That's why it has the exact same version in trusty, xenial and zesty. Currently artful has version 10 (a version 12 just missed the feature freeze), so in order for upgrades between releases to work, we adopted the backports versioning scheme, by appending the ubuntu release code with a tilda ("~") to the version.
Another point is that even though ubuntu-advantage-tools is "just" a shell script, it is unit tested with python3, and these tests (and lint runs) gate merges in the upstream github repository at github.com/CanonicalLtd/ubuntu-advantage-script/. The tests do not necessarily run on each ubuntu release because of the version of python that is available in each. A clean run without any changes can be obtained in xenial and higher. Trusty needs a newer python3 (3.5 at a minimum). |
This bug has some history that may be confusing from the comments. Basically it started out as a Feature Freeze Exception, that's why we had build logs, git logs and unit test runs attached.
Also, the "rename" that is mentioned elsewhere did not happen with this package: the ubuntu-advantage name was kept, no new aliases were added. This will happen in a later SRU, with a later version of the package.
I uploaded new tarballs and debdiff with these changes from what was here before, just in case you, the reader, have looked at the previous description:
* tarball with correct directory entry. The previous one had "v10" instead of "10" as the base version
* updated most recent changelog entry, just saying this is a backport of version 10. No need to say it has fips support, which neglected to mention the livepatch support. All that is in the previous d/changelog entries
PPA with built packages for t, x and z: https://launchpad.net/~ahasenack/+archive/ubuntu/ua-tools-sru-1719671 (ppa:ahasenack/ua-tools-sru-1719671 - no ~ppaN suffix, sorry)
[IMPACT]
Most recent version of ubuntu-advantage-tool on github includes fips and livepatch enablement. The fips enablement will allow customers to easily install and configure Canonical's FIPS certified modules on xenial, whereas livepatch allows xenial and trusty customers to patch the running kernel without a reboot.
This SRU will cover both new features.
In addition to the new features themselves, a new "status" command was added that will give a short summary about the available modules and their status, at a glance.
Note: FIPS certified modules are only available for xenial. Livepatch is supported on xenial and trusty. The tool will refuse to enable either service on an unsupported ubuntu release.
Without this updated package, customers of those services have to enable them manually by following a series of steps.
[FIPS DESCRIPTION]
When "ubuntu-advantage enable-fips <token>" is issued from commandline,
- configure the private PPA where the FIPS modules are located
- install the FIPS modules from this PPA to the local machine from where the script is run
- configure the bootloader to enable fips
Upon successful completion of these steps, the customer then gets a message stating to reboot
the machine to complete the fips enablement process.
Without the script, customers must perform the steps manually.
[LIVEPATCH DESCRIPTION]
Livepatch allows customers to apply kernel patches to a running system without rebooting it.
The current instructions live in http://ubuntu.com/livepatch and boil down to:
- install snapd if it's not installed already. On trusty this means a new kernel as well.
- install the canonical-livepatch snap
- obtain a livepatch token from Canonical
- run the enable command with the given token
The ubuntu-advantage-tools package simplifies this process by just requesting the token and performing all the other steps on behalf of the user. It also conveniently checks the running kernel and instructs the user to reboot into a newer kernel if needed to finish the installation (this is the case when running trusty).
[FIX]
Add fips and livepatch support to the ubuntu-adadvantage-tools package. See debdiff below.
[LIVEPATCH TESTCASES]
TRUSTY
0. Install the new ubuntu-advantage-tools package to add livepatch support.
1. Collect status before enabling livepatch
type on commandline:
ubuntu-advantage status
expect:
livepatch: disabled
esm: disabled (not available)
fips: disabled (not available)
2. Enable livepatch
visit https://ubuntu.com/livepatch and obtain a token
type on commandline,
sudo ubuntu-advantage enable-livepatch <yourtoken>
You may be required to install a newer kernel. In that case, expect the
following output:
Installing missing dependency snapd... OK
Installing the canonical-livepatch snap.
This may take a few minutes depending on your bandwidth.
canonical-livepatch 7.24 from 'canonical' installed
Your currently running kernel (3.13.0-133-generic) is too old to
support snaps. Version 4.4.0 or higher is needed.
Please reboot your system into a supported kernel version
and run the following command one more time to complete the
installation:
sudo ubuntu-advantage enable-livepatch <yourtoken>
Once you reboot and re-run the specified command, expect:
Enabling Livepatch with the given token, stand by...
Successfully enabled device. Using machine-token: <sometoken>
Use "canonical-livepatch status" to verify current patch status.
3. Verify livepatch status
type on commandline,
ubuntu-advantage status
expect an output like the following,
livepatch: enabled
client-version: "7.23"
architecture: x86_64
cpu-model: Intel Core Processor (Skylake)
last-check: 2017-10-23T15:10:45.640938255Z
boot-time: 2017-10-23T15:10:13Z
uptime: 1m19s
status:
- kernel: 4.4.0-97.120~14.04.1-generic
running: true
livepatch:
checkState: checked
patchState: nothing-to-apply
version: ""
fixes: ""
esm: disabled (not available)
fips: disabled (not available)
XENIAL
0. Install the new ubuntu-advantage-tools package to add livepatch support.
1. Collect status before enabling livepatch
type on commandline,
ubuntu-advantage status
expect,
livepatch: disabled
esm: disabled (not available)
fips: disabled
2. Enable livepatch
visit https://ubuntu.com/livepatch and obtain a token
type on commandline,
sudo ubuntu-advantage enable-livepatch <yourtoken>
expect,
Installing the canonical-livepatch snap.
This may take a few minutes depending on your bandwidth.
2017-10-20T19:39:41Z INFO Waiting for restart...
canonical-livepatch 7.24 from 'canonical' installed
Enabling Livepatch with the given token, stand by...
Successfully enabled device. Using machine-token: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Use "canonical-livepatch status" to verify current patch status.
3. Verify livepatch status
type on commandline,
ubuntu-advantage status
expect an output like the following,
livepatch: enabled
client-version: "7.23"
architecture: x86_64
cpu-model: Intel Core Processor (Skylake)
last-check: 2017-10-20T19:39:54.451499227Z
boot-time: 2017-10-20T19:28:09Z
uptime: 15m30s
status:
- kernel: 4.4.0-97.120-generic
running: true
livepatch:
checkState: checked
patchState: nothing-to-apply
version: ""
fixes: ""
esm: disabled (not available)
fips: disabled
ZESTY
0. Install the new ubuntu-advantage-tools package to add livepatch support.
1. Collect status before enabling livepatch
type on commandline:
ubuntu-advantage status
expect the livepatch service to be unavailable:
livepatch: disabled (not available)
esm: disabled (not available)
fips: disabled (not available)
2. Ensure that livepatch cannot be enabled on Zesty.
You can use a dummy set of credentials like "foobar" as the token:
type on commandline,
sudo ubuntu-advantage enable-livepatch foobar
expect,
Sorry, but Canonical Livepatch is not supported on zesty
[FIPS TESTCASES]
These testcases assume you have installed ubuntu-advantage-tools with the proposed changes. Prior to the upload they were performed on S390, PPC64EL and AMD64 architectures.
TRUSTY
(Note that FIPS is not supported on trusty.)
1. Collect status before enabling fips
type on commandline,
ubuntu-advantage status
expect,
livepatch: disabled
esm: disabled (not available)
fips: disabled (not available)
2. Ensure that fips cannot be enabled on trusty.
You can use a dummy set of credentials like user:secret as the token:
type on commandline,
sudo ubuntu-advantage enable-fips user:secret
expect,
Sorry, but Canonical FIPS 140-2 Modules is not supported on trusty
XENIAL
0. Install the new ubuntu-advantage-tools package to add fips support.
1. Collect status before enabling fips
type on commandline,
ubuntu-advantage status
expect,
livepatch: disabled
esm: disabled (not available)
fips: disabled
2. Enable fips
Note: This will require a token or credentials to fips Private PPA, in
the form xxx:xxx
type on commandline,
sudo ubuntu-advantage enable-fips xxx:xxx
expect,
[sudo] password for ubuntu:
Running apt-get update... OK
Ubuntu FIPS PPA repository enabled.
Installing FIPS packages (this may take a while)... OK
Configuring FIPS...
Updating grub to enable fips... OK
Successfully configured FIPS. Please reboot into the FIPS kernel to enable it.
type on commandline,
sudo reboot
3. Log back into system after reboot
type on commandline,
ubuntu-advantage status
expect,
livepatch: disabled
esm: disabled (not available)
fips: enabled
4. verify fips kernel "4.4.0-1002-fips" has been installed
type on commandline,
uname -a
expect,
Linux xenialguest 4.4.0-1002-fips #2-Ubuntu SMP Thu Apr 27 19:37:46 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
ZESTY
(Note that FIPS is not supported on zesty.)
1. Collect status before enabling fips
type on commandline,
ubuntu-advantage status
expect,
livepatch: disabled (not available)
esm: disabled (not available)
fips: disabled (not available)
2. Ensure that fips cannot be enabled on Zesty.
You can use a dummy set of credentials like user:secret as the token:
type on commandline,
sudo ubuntu-advantage enable-fips user:secret
expect,
Sorry, but Canonical FIPS 140-2 Modules is not supported on zesty
[REGRESSION POTENTIAL]
The current ubuntu-advantage-tools package in trusty, xenial and zesty is basically a NOOP because the only service it supports is ESM, which is only available for precise.
This update adds two new features to the package: FIPS (xenial only) and Livepatch (trusty and xenial), essentially making the package useful in trusty and xenial. For zesty there is no change, as none of these products are available for non-LTS releases.
In case of broken core functionality or specific broken features, note that there is a manual instructions workaround if needed.
[OTHER INFO]
The way this package was made available in all the ubuntu releases where it is now was via a "pocket copy". That's why it has the exact same version in trusty, xenial and zesty. Currently artful has version 10 (a version 12 just missed the feature freeze), so in order for upgrades between releases to work, we adopted the backports versioning scheme, by appending the ubuntu release code with a tilda ("~") to the version.
Another point is that even though ubuntu-advantage-tools is "just" a shell script, it is unit tested with python3, and these tests (and lint runs) gate merges in the upstream github repository at github.com/CanonicalLtd/ubuntu-advantage-script/. The tests do not necessarily run on each ubuntu release because of the version of python that is available in each. A clean run without any changes can be obtained in xenial and higher. Trusty needs a newer python3 (3.5 at a minimum). |
|
2017-11-05 21:11:15 |
Andreas Hasenack |
description |
This bug has some history that may be confusing from the comments. Basically it started out as a Feature Freeze Exception, that's why we had build logs, git logs and unit test runs attached.
Also, the "rename" that is mentioned elsewhere did not happen with this package: the ubuntu-advantage name was kept, no new aliases were added. This will happen in a later SRU, with a later version of the package.
I uploaded new tarballs and debdiff with these changes from what was here before, just in case you, the reader, have looked at the previous description:
* tarball with correct directory entry. The previous one had "v10" instead of "10" as the base version
* updated most recent changelog entry, just saying this is a backport of version 10. No need to say it has fips support, which neglected to mention the livepatch support. All that is in the previous d/changelog entries
PPA with built packages for t, x and z: https://launchpad.net/~ahasenack/+archive/ubuntu/ua-tools-sru-1719671 (ppa:ahasenack/ua-tools-sru-1719671 - no ~ppaN suffix, sorry)
[IMPACT]
Most recent version of ubuntu-advantage-tool on github includes fips and livepatch enablement. The fips enablement will allow customers to easily install and configure Canonical's FIPS certified modules on xenial, whereas livepatch allows xenial and trusty customers to patch the running kernel without a reboot.
This SRU will cover both new features.
In addition to the new features themselves, a new "status" command was added that will give a short summary about the available modules and their status, at a glance.
Note: FIPS certified modules are only available for xenial. Livepatch is supported on xenial and trusty. The tool will refuse to enable either service on an unsupported ubuntu release.
Without this updated package, customers of those services have to enable them manually by following a series of steps.
[FIPS DESCRIPTION]
When "ubuntu-advantage enable-fips <token>" is issued from commandline,
- configure the private PPA where the FIPS modules are located
- install the FIPS modules from this PPA to the local machine from where the script is run
- configure the bootloader to enable fips
Upon successful completion of these steps, the customer then gets a message stating to reboot
the machine to complete the fips enablement process.
Without the script, customers must perform the steps manually.
[LIVEPATCH DESCRIPTION]
Livepatch allows customers to apply kernel patches to a running system without rebooting it.
The current instructions live in http://ubuntu.com/livepatch and boil down to:
- install snapd if it's not installed already. On trusty this means a new kernel as well.
- install the canonical-livepatch snap
- obtain a livepatch token from Canonical
- run the enable command with the given token
The ubuntu-advantage-tools package simplifies this process by just requesting the token and performing all the other steps on behalf of the user. It also conveniently checks the running kernel and instructs the user to reboot into a newer kernel if needed to finish the installation (this is the case when running trusty).
[FIX]
Add fips and livepatch support to the ubuntu-adadvantage-tools package. See debdiff below.
[LIVEPATCH TESTCASES]
TRUSTY
0. Install the new ubuntu-advantage-tools package to add livepatch support.
1. Collect status before enabling livepatch
type on commandline:
ubuntu-advantage status
expect:
livepatch: disabled
esm: disabled (not available)
fips: disabled (not available)
2. Enable livepatch
visit https://ubuntu.com/livepatch and obtain a token
type on commandline,
sudo ubuntu-advantage enable-livepatch <yourtoken>
You may be required to install a newer kernel. In that case, expect the
following output:
Installing missing dependency snapd... OK
Installing the canonical-livepatch snap.
This may take a few minutes depending on your bandwidth.
canonical-livepatch 7.24 from 'canonical' installed
Your currently running kernel (3.13.0-133-generic) is too old to
support snaps. Version 4.4.0 or higher is needed.
Please reboot your system into a supported kernel version
and run the following command one more time to complete the
installation:
sudo ubuntu-advantage enable-livepatch <yourtoken>
Once you reboot and re-run the specified command, expect:
Enabling Livepatch with the given token, stand by...
Successfully enabled device. Using machine-token: <sometoken>
Use "canonical-livepatch status" to verify current patch status.
3. Verify livepatch status
type on commandline,
ubuntu-advantage status
expect an output like the following,
livepatch: enabled
client-version: "7.23"
architecture: x86_64
cpu-model: Intel Core Processor (Skylake)
last-check: 2017-10-23T15:10:45.640938255Z
boot-time: 2017-10-23T15:10:13Z
uptime: 1m19s
status:
- kernel: 4.4.0-97.120~14.04.1-generic
running: true
livepatch:
checkState: checked
patchState: nothing-to-apply
version: ""
fixes: ""
esm: disabled (not available)
fips: disabled (not available)
XENIAL
0. Install the new ubuntu-advantage-tools package to add livepatch support.
1. Collect status before enabling livepatch
type on commandline,
ubuntu-advantage status
expect,
livepatch: disabled
esm: disabled (not available)
fips: disabled
2. Enable livepatch
visit https://ubuntu.com/livepatch and obtain a token
type on commandline,
sudo ubuntu-advantage enable-livepatch <yourtoken>
expect,
Installing the canonical-livepatch snap.
This may take a few minutes depending on your bandwidth.
2017-10-20T19:39:41Z INFO Waiting for restart...
canonical-livepatch 7.24 from 'canonical' installed
Enabling Livepatch with the given token, stand by...
Successfully enabled device. Using machine-token: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Use "canonical-livepatch status" to verify current patch status.
3. Verify livepatch status
type on commandline,
ubuntu-advantage status
expect an output like the following,
livepatch: enabled
client-version: "7.23"
architecture: x86_64
cpu-model: Intel Core Processor (Skylake)
last-check: 2017-10-20T19:39:54.451499227Z
boot-time: 2017-10-20T19:28:09Z
uptime: 15m30s
status:
- kernel: 4.4.0-97.120-generic
running: true
livepatch:
checkState: checked
patchState: nothing-to-apply
version: ""
fixes: ""
esm: disabled (not available)
fips: disabled
ZESTY
0. Install the new ubuntu-advantage-tools package to add livepatch support.
1. Collect status before enabling livepatch
type on commandline:
ubuntu-advantage status
expect the livepatch service to be unavailable:
livepatch: disabled (not available)
esm: disabled (not available)
fips: disabled (not available)
2. Ensure that livepatch cannot be enabled on Zesty.
You can use a dummy set of credentials like "foobar" as the token:
type on commandline,
sudo ubuntu-advantage enable-livepatch foobar
expect,
Sorry, but Canonical Livepatch is not supported on zesty
[FIPS TESTCASES]
These testcases assume you have installed ubuntu-advantage-tools with the proposed changes. Prior to the upload they were performed on S390, PPC64EL and AMD64 architectures.
TRUSTY
(Note that FIPS is not supported on trusty.)
1. Collect status before enabling fips
type on commandline,
ubuntu-advantage status
expect,
livepatch: disabled
esm: disabled (not available)
fips: disabled (not available)
2. Ensure that fips cannot be enabled on trusty.
You can use a dummy set of credentials like user:secret as the token:
type on commandline,
sudo ubuntu-advantage enable-fips user:secret
expect,
Sorry, but Canonical FIPS 140-2 Modules is not supported on trusty
XENIAL
0. Install the new ubuntu-advantage-tools package to add fips support.
1. Collect status before enabling fips
type on commandline,
ubuntu-advantage status
expect,
livepatch: disabled
esm: disabled (not available)
fips: disabled
2. Enable fips
Note: This will require a token or credentials to fips Private PPA, in
the form xxx:xxx
type on commandline,
sudo ubuntu-advantage enable-fips xxx:xxx
expect,
[sudo] password for ubuntu:
Running apt-get update... OK
Ubuntu FIPS PPA repository enabled.
Installing FIPS packages (this may take a while)... OK
Configuring FIPS...
Updating grub to enable fips... OK
Successfully configured FIPS. Please reboot into the FIPS kernel to enable it.
type on commandline,
sudo reboot
3. Log back into system after reboot
type on commandline,
ubuntu-advantage status
expect,
livepatch: disabled
esm: disabled (not available)
fips: enabled
4. verify fips kernel "4.4.0-1002-fips" has been installed
type on commandline,
uname -a
expect,
Linux xenialguest 4.4.0-1002-fips #2-Ubuntu SMP Thu Apr 27 19:37:46 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
ZESTY
(Note that FIPS is not supported on zesty.)
1. Collect status before enabling fips
type on commandline,
ubuntu-advantage status
expect,
livepatch: disabled (not available)
esm: disabled (not available)
fips: disabled (not available)
2. Ensure that fips cannot be enabled on Zesty.
You can use a dummy set of credentials like user:secret as the token:
type on commandline,
sudo ubuntu-advantage enable-fips user:secret
expect,
Sorry, but Canonical FIPS 140-2 Modules is not supported on zesty
[REGRESSION POTENTIAL]
The current ubuntu-advantage-tools package in trusty, xenial and zesty is basically a NOOP because the only service it supports is ESM, which is only available for precise.
This update adds two new features to the package: FIPS (xenial only) and Livepatch (trusty and xenial), essentially making the package useful in trusty and xenial. For zesty there is no change, as none of these products are available for non-LTS releases.
In case of broken core functionality or specific broken features, note that there is a manual instructions workaround if needed.
[OTHER INFO]
The way this package was made available in all the ubuntu releases where it is now was via a "pocket copy". That's why it has the exact same version in trusty, xenial and zesty. Currently artful has version 10 (a version 12 just missed the feature freeze), so in order for upgrades between releases to work, we adopted the backports versioning scheme, by appending the ubuntu release code with a tilda ("~") to the version.
Another point is that even though ubuntu-advantage-tools is "just" a shell script, it is unit tested with python3, and these tests (and lint runs) gate merges in the upstream github repository at github.com/CanonicalLtd/ubuntu-advantage-script/. The tests do not necessarily run on each ubuntu release because of the version of python that is available in each. A clean run without any changes can be obtained in xenial and higher. Trusty needs a newer python3 (3.5 at a minimum). |
This bug has some history that may be confusing from the comments. Basically it started out as a Feature Freeze Exception, that's why we had build logs, git logs and unit test runs attached.
Also, the "rename" that is mentioned elsewhere did not happen with this package: the ubuntu-advantage name was kept, no new aliases were added. This will happen in a later SRU, with a later version of the package.
PPA with test packages: https://launchpad.net/~ahasenack/+archive/ubuntu/ua-tools-1719671-take1
[IMPACT]
Most recent version of ubuntu-advantage-tool on github includes fips and livepatch enablement. The fips enablement will allow customers to easily install and configure Canonical's FIPS certified modules on xenial, whereas livepatch allows xenial and trusty customers to patch the running kernel without a reboot.
This SRU will cover both new features.
In addition to the new features themselves, a new "status" command was added that will give a short summary about the available modules and their status, at a glance.
Note: FIPS certified modules are only available for xenial. Livepatch is supported on xenial and trusty. The tool will refuse to enable either service on an unsupported ubuntu release.
Without this updated package, customers of those services have to enable them manually by following a series of steps.
[FIPS DESCRIPTION]
When "ubuntu-advantage enable-fips <token>" is issued from commandline,
- configure the private PPA where the FIPS modules are located
- install the FIPS modules from this PPA to the local machine from where the script is run
- configure the bootloader to enable fips
Upon successful completion of these steps, the customer then gets a message stating to reboot
the machine to complete the fips enablement process.
Without the script, customers must perform the steps manually.
[LIVEPATCH DESCRIPTION]
Livepatch allows customers to apply kernel patches to a running system without rebooting it.
The current instructions live in http://ubuntu.com/livepatch and boil down to:
- install snapd if it's not installed already. On trusty this means a new kernel as well.
- install the canonical-livepatch snap
- obtain a livepatch token from Canonical
- run the enable command with the given token
The ubuntu-advantage-tools package simplifies this process by just requesting the token and performing all the other steps on behalf of the user. It also conveniently checks the running kernel and instructs the user to reboot into a newer kernel if needed to finish the installation (this is the case when running trusty).
[FIX]
Add fips and livepatch support to the ubuntu-adadvantage-tools package. See debdiff below.
[LIVEPATCH TESTCASES]
TRUSTY
0. Install the new ubuntu-advantage-tools package to add livepatch support.
1. Collect status before enabling livepatch
type on commandline:
ubuntu-advantage status
expect:
livepatch: disabled
esm: disabled (not available)
fips: disabled (not available)
2. Enable livepatch
visit https://ubuntu.com/livepatch and obtain a token
type on commandline,
sudo ubuntu-advantage enable-livepatch <yourtoken>
You may be required to install a newer kernel. In that case, expect the
following output:
Installing missing dependency snapd... OK
Installing the canonical-livepatch snap.
This may take a few minutes depending on your bandwidth.
canonical-livepatch 7.24 from 'canonical' installed
Your currently running kernel (3.13.0-133-generic) is too old to
support snaps. Version 4.4.0 or higher is needed.
Please reboot your system into a supported kernel version
and run the following command one more time to complete the
installation:
sudo ubuntu-advantage enable-livepatch <yourtoken>
Once you reboot and re-run the specified command, expect:
Enabling Livepatch with the given token, stand by...
Successfully enabled device. Using machine-token: <sometoken>
Use "canonical-livepatch status" to verify current patch status.
3. Verify livepatch status
type on commandline,
ubuntu-advantage status
expect an output like the following,
livepatch: enabled
client-version: "7.23"
architecture: x86_64
cpu-model: Intel Core Processor (Skylake)
last-check: 2017-10-23T15:10:45.640938255Z
boot-time: 2017-10-23T15:10:13Z
uptime: 1m19s
status:
- kernel: 4.4.0-97.120~14.04.1-generic
running: true
livepatch:
checkState: checked
patchState: nothing-to-apply
version: ""
fixes: ""
esm: disabled (not available)
fips: disabled (not available)
XENIAL
0. Install the new ubuntu-advantage-tools package to add livepatch support.
1. Collect status before enabling livepatch
type on commandline,
ubuntu-advantage status
expect,
livepatch: disabled
esm: disabled (not available)
fips: disabled
2. Enable livepatch
visit https://ubuntu.com/livepatch and obtain a token
type on commandline,
sudo ubuntu-advantage enable-livepatch <yourtoken>
expect,
Installing the canonical-livepatch snap.
This may take a few minutes depending on your bandwidth.
2017-10-20T19:39:41Z INFO Waiting for restart...
canonical-livepatch 7.24 from 'canonical' installed
Enabling Livepatch with the given token, stand by...
Successfully enabled device. Using machine-token: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Use "canonical-livepatch status" to verify current patch status.
3. Verify livepatch status
type on commandline,
ubuntu-advantage status
expect an output like the following,
livepatch: enabled
client-version: "7.23"
architecture: x86_64
cpu-model: Intel Core Processor (Skylake)
last-check: 2017-10-20T19:39:54.451499227Z
boot-time: 2017-10-20T19:28:09Z
uptime: 15m30s
status:
- kernel: 4.4.0-97.120-generic
running: true
livepatch:
checkState: checked
patchState: nothing-to-apply
version: ""
fixes: ""
esm: disabled (not available)
fips: disabled
ZESTY
0. Install the new ubuntu-advantage-tools package to add livepatch support.
1. Collect status before enabling livepatch
type on commandline:
ubuntu-advantage status
expect the livepatch service to be unavailable:
livepatch: disabled (not available)
esm: disabled (not available)
fips: disabled (not available)
2. Ensure that livepatch cannot be enabled on Zesty.
You can use a dummy set of credentials like "foobar" as the token:
type on commandline,
sudo ubuntu-advantage enable-livepatch foobar
expect,
Sorry, but Canonical Livepatch is not supported on zesty
[FIPS TESTCASES]
These testcases assume you have installed ubuntu-advantage-tools with the proposed changes. Prior to the upload they were performed on S390, PPC64EL and AMD64 architectures.
TRUSTY
(Note that FIPS is not supported on trusty.)
1. Collect status before enabling fips
type on commandline,
ubuntu-advantage status
expect,
livepatch: disabled
esm: disabled (not available)
fips: disabled (not available)
2. Ensure that fips cannot be enabled on trusty.
You can use a dummy set of credentials like user:secret as the token:
type on commandline,
sudo ubuntu-advantage enable-fips user:secret
expect,
Sorry, but Canonical FIPS 140-2 Modules is not supported on trusty
XENIAL
0. Install the new ubuntu-advantage-tools package to add fips support.
1. Collect status before enabling fips
type on commandline,
ubuntu-advantage status
expect,
livepatch: disabled
esm: disabled (not available)
fips: disabled
2. Enable fips
Note: This will require a token or credentials to fips Private PPA, in
the form xxx:xxx
type on commandline,
sudo ubuntu-advantage enable-fips xxx:xxx
expect,
[sudo] password for ubuntu:
Running apt-get update... OK
Ubuntu FIPS PPA repository enabled.
Installing FIPS packages (this may take a while)... OK
Configuring FIPS...
Updating grub to enable fips... OK
Successfully configured FIPS. Please reboot into the FIPS kernel to enable it.
type on commandline,
sudo reboot
3. Log back into system after reboot
type on commandline,
ubuntu-advantage status
expect,
livepatch: disabled
esm: disabled (not available)
fips: enabled
4. verify fips kernel "4.4.0-1002-fips" has been installed
type on commandline,
uname -a
expect,
Linux xenialguest 4.4.0-1002-fips #2-Ubuntu SMP Thu Apr 27 19:37:46 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
ZESTY
(Note that FIPS is not supported on zesty.)
1. Collect status before enabling fips
type on commandline,
ubuntu-advantage status
expect,
livepatch: disabled (not available)
esm: disabled (not available)
fips: disabled (not available)
2. Ensure that fips cannot be enabled on Zesty.
You can use a dummy set of credentials like user:secret as the token:
type on commandline,
sudo ubuntu-advantage enable-fips user:secret
expect,
Sorry, but Canonical FIPS 140-2 Modules is not supported on zesty
[REGRESSION POTENTIAL]
The current ubuntu-advantage-tools package in trusty, xenial and zesty is basically a NOOP because the only service it supports is ESM, which is only available for precise.
This update adds two new features to the package: FIPS (xenial only) and Livepatch (trusty and xenial), essentially making the package useful in trusty and xenial. For zesty there is no change, as none of these products are available for non-LTS releases.
In case of broken core functionality or specific broken features, note that there is a manual instructions workaround if needed.
[OTHER INFO]
The way this package was made available in all the ubuntu releases where it is now was via a "pocket copy". That's why it has the exact same version in trusty, xenial and zesty. Currently artful has version 10 (a version 12 just missed the feature freeze), so in order for upgrades between releases to work, we adopted the backports versioning scheme, by appending the ubuntu release code with a tilda ("~") to the version.
Another point is that even though ubuntu-advantage-tools is "just" a shell script, it is unit tested with python3, and these tests (and lint runs) gate merges in the upstream github repository at github.com/CanonicalLtd/ubuntu-advantage-script/. The tests do not necessarily run on each ubuntu release because of the version of python that is available in each. A clean run without any changes can be obtained in xenial and higher. Trusty needs a newer python3 (3.5 at a minimum). |
|
2017-11-06 18:51:46 |
Łukasz Zemczak |
ubuntu-advantage-tools (Ubuntu Artful): status |
In Progress |
Fix Committed |
|
2017-11-06 18:51:48 |
Łukasz Zemczak |
bug |
|
|
added subscriber Ubuntu Stable Release Updates Team |
2017-11-06 18:51:53 |
Łukasz Zemczak |
tags |
fips livepatch patch sts sts-sponsor-slashd-done |
fips livepatch patch sts sts-sponsor-slashd-done verification-needed verification-needed-artful |
|
2017-11-06 19:31:33 |
Łukasz Zemczak |
ubuntu-advantage-tools (Ubuntu Zesty): status |
In Progress |
Fix Committed |
|
2017-11-06 19:31:40 |
Łukasz Zemczak |
tags |
fips livepatch patch sts sts-sponsor-slashd-done verification-needed verification-needed-artful |
fips livepatch patch sts sts-sponsor-slashd-done verification-needed verification-needed-artful verification-needed-zesty |
|
2017-11-06 21:06:42 |
Łukasz Zemczak |
ubuntu-advantage-tools (Ubuntu Xenial): status |
In Progress |
Fix Committed |
|
2017-11-06 21:06:49 |
Łukasz Zemczak |
tags |
fips livepatch patch sts sts-sponsor-slashd-done verification-needed verification-needed-artful verification-needed-zesty |
fips livepatch patch sts sts-sponsor-slashd-done verification-needed verification-needed-artful verification-needed-xenial verification-needed-zesty |
|
2017-11-06 21:08:14 |
Łukasz Zemczak |
ubuntu-advantage-tools (Ubuntu Trusty): status |
In Progress |
Fix Committed |
|
2017-11-06 21:08:20 |
Łukasz Zemczak |
tags |
fips livepatch patch sts sts-sponsor-slashd-done verification-needed verification-needed-artful verification-needed-xenial verification-needed-zesty |
fips livepatch patch sts sts-sponsor-slashd-done verification-needed verification-needed-artful verification-needed-trusty verification-needed-xenial verification-needed-zesty |
|
2017-11-06 21:08:56 |
Łukasz Zemczak |
removed subscriber Ubuntu Sponsors Team |
|
|
|
2017-11-07 13:00:36 |
Andreas Hasenack |
tags |
fips livepatch patch sts sts-sponsor-slashd-done verification-needed verification-needed-artful verification-needed-trusty verification-needed-xenial verification-needed-zesty |
fips livepatch patch sts sts-sponsor-slashd-done verification-done-zesty verification-needed verification-needed-artful verification-needed-trusty verification-needed-xenial |
|
2017-11-07 13:13:14 |
Andreas Hasenack |
tags |
fips livepatch patch sts sts-sponsor-slashd-done verification-done-zesty verification-needed verification-needed-artful verification-needed-trusty verification-needed-xenial |
fips livepatch patch sts sts-sponsor-slashd-done verification-done-artful verification-done-zesty verification-needed verification-needed-trusty verification-needed-xenial |
|
2017-11-07 16:26:21 |
Andreas Hasenack |
tags |
fips livepatch patch sts sts-sponsor-slashd-done verification-done-artful verification-done-zesty verification-needed verification-needed-trusty verification-needed-xenial |
fips livepatch patch sts sts-sponsor-slashd-done verification-done-artful verification-done-xenial verification-done-zesty verification-needed verification-needed-trusty |
|
2017-11-07 18:20:36 |
Andreas Hasenack |
tags |
fips livepatch patch sts sts-sponsor-slashd-done verification-done-artful verification-done-xenial verification-done-zesty verification-needed verification-needed-trusty |
fips livepatch patch sts sts-sponsor-slashd-done verification-done-artful verification-done-trusty verification-done-xenial verification-done-zesty verification-needed |
|
2017-11-08 14:50:25 |
Launchpad Janitor |
ubuntu-advantage-tools (Ubuntu Artful): status |
Fix Committed |
Fix Released |
|
2017-11-08 14:50:28 |
Łukasz Zemczak |
removed subscriber Ubuntu Stable Release Updates Team |
|
|
|
2017-11-08 14:50:40 |
Launchpad Janitor |
ubuntu-advantage-tools (Ubuntu Zesty): status |
Fix Committed |
Fix Released |
|
2017-11-08 14:50:50 |
Launchpad Janitor |
ubuntu-advantage-tools (Ubuntu Xenial): status |
Fix Committed |
Fix Released |
|
2017-11-08 14:51:01 |
Launchpad Janitor |
ubuntu-advantage-tools (Ubuntu Trusty): status |
Fix Committed |
Fix Released |
|
2017-11-08 15:39:42 |
Eric Desrochers |
removed subscriber STS Sponsors |
|
|
|