[bionic] [FFe] ubuntu-advantage-tools version 17: FIPS updates

Bug #1759280 reported by Andreas Hasenack on 2018-03-27
Affects: ubuntu-advantage-tools (Ubuntu)
Importance: High
Assigned to: Andreas Hasenack

Bug Description

Please update ubuntu-advantage-tools to version 17. These are the changes:
  * Added enable-fips-updates command. This command enables the fips-updates repository to install updates to FIPS modules. The updated modules from fips-updates repository are non-certified.
  * Add repository pinning for FIPS packages
  * Check that all prerequisite packages are installed when enabling FIPS
  * Support returning the status for a single service

All but the last bit are about FIPS, which is not enabled for Bionic. Because of that I'm not sure a feature freeze exception is required (since the new features are not enabled for bionic), but I'd rather err on the side of caution. We would like to have it in bionic to allow us to SRU it to xenial, where fips is enabled and supported.

The last change (status for a single service) is mostly a cosmetic general feature:
$ ua status fips
esm: disabled (not available)
fips: disabled (not available)
livepatch: disabled

vs

$ ua status fips
fips: disabled (not available)

Build log: https://launchpad.net/~ahasenack/+archive/ubuntu/ua-tools-fips-updates-1759280/+build/14502245
Notice that tests are run at package build time

PPA for testing: https://launchpad.net/~ahasenack/+archive/ubuntu/ua-tools-fips-updates-1759280

Upgrade test
============
Starting from:
ubuntu-advantage-tools:
  Installed: 16
  Candidate: 16
  Version table:
 *** 16 500
        500 http://br.archive.ubuntu.com/ubuntu bionic/main amd64 Packages
        100 /var/lib/dpkg/status

ubuntu@bionic-ua:~$ ua status
esm: disabled (not available)
fips: disabled (not available)
livepatch: disabled

ubuntu@bionic-ua:~$ sudo ua enable-fips
Sorry, but Canonical FIPS 140-2 Modules is not supported on bionic
ubuntu@bionic-ua:~$

Adding PPA:
ubuntu@bionic-ua:~$ sudo add-apt-repository ppa:ahasenack/ua-tools-fips-updates-1759280 -y -u
(...)
ubuntu@bionic-ua:~$ sudo apt install ubuntu-advantage-tools
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following package was automatically installed and is no longer required:
  grub-pc-bin
Use 'sudo apt autoremove' to remove it.
The following packages will be upgraded:
  ubuntu-advantage-tools
1 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
Need to get 17.2 kB of archives.
After this operation, 6144 B of additional disk space will be used.
Get:1 http://ppa.launchpad.net/ahasenack/ua-tools-fips-updates-1759280/ubuntu bionic/main amd64 ubuntu-advantage-tools all 17~ppa1 [17.2 kB]
Fetched 17.2 kB in 1s (25.1 kB/s)
(Reading database ... 90710 files and directories currently installed.)
Preparing to unpack .../ubuntu-advantage-tools_17~ppa1_all.deb ...
Unpacking ubuntu-advantage-tools (17~ppa1) over (16) ...
Setting up ubuntu-advantage-tools (17~ppa1) ...
Processing triggers for man-db (2.8.2-1) ...

Post upgrade:
ubuntu@bionic-ua:~$ ua status
esm: disabled (not available)
fips: disabled (not available)
livepatch: disabled

ubuntu@bionic-ua:~$ ua status fips
fips: disabled (not available)

ubuntu@bionic-ua:~$ sudo ua enable-fips
Sorry, but Canonical FIPS 140-2 Modules is not supported on bionic

ubuntu@bionic-ua:~$ sudo ua enable-fips-updates
Sorry, but Canonical FIPS 140-2 Modules is not supported on bionic

Testing
=======
Merges are gated on a test run on GitHub. Example: https://travis-ci.org/CanonicalLtd/ubuntu-advantage-script/builds/358429122

Tests also run during package build.

Since fips is disabled in bionic, I tested this new code with a xenial build. This will have to be done again when the xenial sru time comes, and will be shown in more detail there.

description: updated
Andreas Hasenack (ahasenack) wrote :

debdiff, but note the binary file that was added isn't represented here. Better use the git branch for that.

Andreas Hasenack (ahasenack) wrote :

Also attaching the build log, because that ppa I linked to in the description will be gone after the upload is done.

description: updated
tags: added: patch
description: updated
summary: - [FFe] version 17: FIPS updates
+ [bionic] [FFe] ubuntu-advantage-tools version 17: FIPS updates
Steve Langasek (vorlon) wrote :

provided this is not bringing in any new package relationships: FFe approved.

Changed in ubuntu-advantage-tools (Ubuntu):
status: New → Triaged
Andreas Hasenack (ahasenack) wrote :

I removed the debdiff, since the git branch is much richer in detail.

tags: added: upgrade-software-version
Changed in ubuntu-advantage-tools (Ubuntu):
assignee: nobody → Andreas Hasenack (ahasenack)
importance: Undecided → High
status: Triaged → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package ubuntu-advantage-tools - 17

---------------
ubuntu-advantage-tools (17) bionic; urgency=medium

  * New upstream release (LP: #1759280):
    - Added enable-fips-updates command. This command enables the fips-updates
      repository to install updates to FIPS modules. The updated modules from
      fips-updates repository are non-certified.
    - Add repository pinning for FIPS packages
    - Check that all prerequisite packages are installed when enabling FIPS
    - Support returning the status for a single service

 -- Andreas Hasenack <email address hidden> Wed, 21 Mar 2018 14:20:04 -0300

Changed in ubuntu-advantage-tools (Ubuntu):
status: Fix Committed → Fix Released