[bionic] [FFe] ubuntu-advantage-tools version 17: FIPS updates
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
ubuntu-advantage-tools (Ubuntu) | Fix Released | High | Andreas Hasenack | |
Bug Description
Please update ubuntu-
* Added enable-fips-updates command. This command enables the fips-updates repository to install updates to FIPS modules. The updated modules from fips-updates repository are non-certified.
* Add repository pinning for FIPS packages
* Check that all prerequisite packages are installed when enabling FIPS
* Support returning the status for a single service
All but the last bit are about FIPS, which is not enabled for Bionic. Because of that I'm not sure a feature freeze exception is required (since the new features are not enabled for bionic), but I'd rather err on the side of caution. We would like to have it in bionic to allow us to SRU it to xenial, where fips is enabled and supported.
The last change (status for a single service) is mostly a cosmetic general feature:
$ ua status fips
esm: disabled (not available)
fips: disabled (not available)
livepatch: disabled
vs
$ ua status fips
fips: disabled (not available)
Build log: https:/
Notice that tests are run at package build time
PPA for testing: https:/
Upgrade test
============
Starting from:
ubuntu-
Installed: 16
Candidate: 16
Version table:
*** 16 500
500 http://
100 /var/lib/
ubuntu@bionic-ua:~$ ua status
esm: disabled (not available)
fips: disabled (not available)
livepatch: disabled
ubuntu@bionic-ua:~$ sudo ua enable-fips
Sorry, but Canonical FIPS 140-2 Modules is not supported on bionic
ubuntu@bionic-ua:~$
Adding PPA:
ubuntu@bionic-ua:~$ sudo add-apt-repository ppa:ahasenack/
(...)
ubuntu@bionic-ua:~$ sudo apt install ubuntu-
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following package was automatically installed and is no longer required:
grub-pc-bin
Use 'sudo apt autoremove' to remove it.
The following packages will be upgraded:
ubuntu-
1 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
Need to get 17.2 kB of archives.
After this operation, 6144 B of additional disk space will be used.
Get:1 http://
Fetched 17.2 kB in 1s (25.1 kB/s)
(Reading database ... 90710 files and directories currently installed.)
Preparing to unpack .../ubuntu-
Unpacking ubuntu-
Setting up ubuntu-
Processing triggers for man-db (2.8.2-1) ...
Post upgrade:
ubuntu@bionic-ua:~$ ua status
esm: disabled (not available)
fips: disabled (not available)
livepatch: disabled
ubuntu@bionic-ua:~$ ua status fips
fips: disabled (not available)
ubuntu@bionic-ua:~$ sudo ua enable-fips
Sorry, but Canonical FIPS 140-2 Modules is not supported on bionic
ubuntu@bionic-ua:~$ sudo ua enable-fips-updates
Sorry, but Canonical FIPS 140-2 Modules is not supported on bionic
Testing
=======
Merges are gated on a test run on github. Example: https:/
Tests also run during package build.
Since fips is disabled in bionic, I tested this new code with a xenial build. This will have to be done again when the xenial sru time comes, and will be shown in more detail there.
Related branches
- Christian Ehrhardt (community): Approve
- Steve Langasek (community): Approve
- Canonical Server Core Reviewers: Pending requested
- Canonical Server: Pending requested
Diff: 779 lines (+437/-49)
14 files modified
.gitignore (+4/-0)
debian/changelog (+12/-0)
modules/apt.sh (+14/-2)
modules/service-esm.sh (+2/-2)
modules/service-fips.sh (+110/-17)
modules/service-livepatch.sh (+1/-1)
modules/service.sh (+6/-6)
modules/utils.sh (+20/-0)
tests/test_esm.py (+2/-2)
tests/test_fips.py (+172/-1)
tests/test_script.py (+12/-0)
tests/testing.py (+16/-3)
ubuntu-advantage (+47/-15)
ubuntu-advantage.1 (+19/-0)
description: | updated |
tags: | added: patch |
summary: |
- [FFe] version 17: FIPS updates
+ [bionic] [FFe] ubuntu-advantage-tools version 17: FIPS updates |
tags: | added: upgrade-software-version |
Changed in ubuntu-advantage-tools (Ubuntu): | |
assignee: | nobody → Andreas Hasenack (ahasenack) |
importance: | Undecided → High |
status: | Triaged → Fix Committed |
debdiff, but note the binary file that was added isn't represented here. Better use the git branch for that.