** Description changed:

  ** description still being worked on, not done yet **
+ 
+ This bug has some history that may be confusing if the comments are read
+ linearly. Basically it started out as a Feature Freeze Exception, that's
+ why we have build logs and unit test runs attached.
+ 
+ Also, the "rename" that is mentioned elsewhere did not happen with this
+ package: the ubuntu-advantage name was kept, no new aliases were added.
+ This will happen in a later SRU, with a later version of the package.
+ 
+ 
+ For the SRU, what we need is:
+  * new tarball
+  * new debdiff, but note that binary file changes won't be shown in the 
debdiff
  
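Review bot: the added SRU checklist says binary file changes won't be shown in the debdiff, but it does not say how a reviewer should check the part of the upload the debdiff hides. Suggest adding one line on how the new tarball is to be verified, for example a checksum or the upstream tag it was built from, so the binary content is still reviewable.
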
  [IMPACT]
  Most recent version of ubuntu-advantage-tool on github includes fips and 
livepatch enablement. The fips enablement will allow customers to easily 
install and configure Canonical's FIPS certified modules on xenial, whereas 
livepatch allows xenial and trusty customers to patch the running kernel 
without a reboot.
  
  This SRU will cover both new features.
  
  In addition to the new features themselves, a new "status" command was
  added that will give a short summary about the available modules and
  their status, at a glance.
  
  Note: FIPS certified modules are only available for xenial. Livepatch is
  supported on xenial and trusty. The tool will refuse to enable either
  service on an unsupported ubuntu release.
  
  Without this updated package, customers of those services have to enable
  them manually by following a series of steps.
  
  [FIPS DESCRIPTION]
  When "ubuntu-advantage enable-fips <token>" is issued from commandline,
  
   - configure the private PPA where the FIPS modules are located
   - install the FIPS modules from this PPA to the local machine from where the 
script is run
   - configure the bootloader to enable fips
  
  Upon successful completion of these steps, the customer then gets a message 
stating to reboot
  the machine to complete the fips enablement process.
  
  Without the script, customers must perform the steps manually.
  
  [LIVEPATCH DESCRIPTION]
  Livepatch allows customers to apply kernel patches to a running system 
without rebooting it.
  
  The current instructions live in http://ubuntu.com/livepatch and boil down to:
  - install snapd if it's not installed already. On trusty this means a new 
kernel as well.
  - install the canonical-livepatch snap
  - obtain a livepatch token from Canonical
  - run the enable command with the given token
  
  The ubuntu-advantage-tools package simplifies this process by just
  requesting the token and performing all the other steps on behalf of the
  user. It also conveniently checks the running kernel and instructs the
  user to reboot into a newer kernel if needed to finish the installation
  (this is the case when running trusty).
  
  [FIX]
  
  Add fips and livepatch support to the ubuntu-adadvantage-tools package.
  See debdiff below.
  
  [LIVEPATCH TESTCASES]
  
  TRUSTY
  0. Install the new ubuntu-advantage-tools package to add livepatch support.
  
  1. Collect status before enabling livepatch
  
  type on commandline:
-     ubuntu-advantage status
+     ubuntu-advantage status
  
  expect:
  livepatch: disabled
  
  esm: disabled (not available)
  
  fips: disabled (not available)
  
  2. Enable livepatch
  
  visit https://ubuntu.com/livepatch and obtain a token
  
  type on commandline,
      sudo ubuntu-advantage enable-livepatch <yourtoken>
  
  You may be required to install a newer kernel. In that case, expect the
  following output:
-       Installing missing dependency snapd... OK
-       Installing the canonical-livepatch snap.
-       This may take a few minutes depending on your bandwidth.
-       canonical-livepatch 7.24 from 'canonical' installed
- 
-       Your currently running kernel (3.13.0-133-generic) is too old to
-       support snaps. Version 4.4.0 or higher is needed.
- 
-       Please reboot your system into a supported kernel version
-       and run the following command one more time to complete the
-       installation:
- 
-         sudo ubuntu-advantage enable-livepatch <yourtoken>
+  Installing missing dependency snapd... OK
+  Installing the canonical-livepatch snap.
+  This may take a few minutes depending on your bandwidth.
+  canonical-livepatch 7.24 from 'canonical' installed
+ 
+  Your currently running kernel (3.13.0-133-generic) is too old to
+  support snaps. Version 4.4.0 or higher is needed.
+ 
+  Please reboot your system into a supported kernel version
+  and run the following command one more time to complete the
+  installation:
+ 
+  sudo ubuntu-advantage enable-livepatch <yourtoken>
  
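Review bot: in the re-indented expected output, the final `sudo ubuntu-advantage enable-livepatch <yourtoken>` line now sits at the same indent as the message text, while the removed lines had it two columns deeper. If this block is meant to mirror the tool's literal output, keep the command's relative indent so a tester comparing output does not see a spurious difference.
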
  Once you reboot and re-run the specified command, expect:
-       Enabling Livepatch with the given token, stand by...
-       Successfully enabled device. Using machine-token: <sometoken>
-       Use "canonical-livepatch status" to verify current patch status.
- 
+  Enabling Livepatch with the given token, stand by...
+  Successfully enabled device. Using machine-token: <sometoken>
+  Use "canonical-livepatch status" to verify current patch status.
  
  3. Verify livepatch status
  
  type on commandline,
      ubuntu-advantage status
  
  expect an output like the following,
-       livepatch: enabled
-         client-version: "7.23"
-         architecture: x86_64
-         cpu-model: Intel Core Processor (Skylake)
-         last-check: 2017-10-23T15:10:45.640938255Z
-         boot-time: 2017-10-23T15:10:13Z
-         uptime: 1m19s
-         status:
-         - kernel: 4.4.0-97.120~14.04.1-generic
-           running: true
-           livepatch:
-             checkState: checked
-             patchState: nothing-to-apply
-             version: ""
-             fixes: ""
- 
-         esm: disabled (not available)
- 
-         fips: disabled (not available)
- 
+  livepatch: enabled
+    client-version: "7.23"
+    architecture: x86_64
+    cpu-model: Intel Core Processor (Skylake)
+    last-check: 2017-10-23T15:10:45.640938255Z
+    boot-time: 2017-10-23T15:10:13Z
+    uptime: 1m19s
+    status:
+    - kernel: 4.4.0-97.120~14.04.1-generic
+      running: true
+      livepatch:
+        checkState: checked
+        patchState: nothing-to-apply
+        version: ""
+        fixes: ""
+ 
+  esm: disabled (not available)
+ 
+  fips: disabled (not available)
  
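Review bot: the sample status shows `client-version: "7.23"`, while the step 2 expected output above reports `canonical-livepatch 7.24 from 'canonical' installed`. Either align the two numbers or state that the version strings will differ, so the mismatch is not read as a test failure.
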
  XENIAL
  0. Install the new ubuntu-advantage-tools package to add livepatch support.
  
  1. Collect status before enabling livepatch
  
  type on commandline,
      ubuntu-advantage status
  
  expect,
      livepatch: disabled
  
      esm: disabled (not available)
  
      fips: disabled
  
  2. Enable livepatch
  
  visit https://ubuntu.com/livepatch and obtain a token
  
  type on commandline,
      sudo ubuntu-advantage enable-livepatch <yourtoken>
  
  expect,
      Installing the canonical-livepatch snap.
      This may take a few minutes depending on your bandwidth.
      2017-10-20T19:39:41Z INFO Waiting for restart...
      canonical-livepatch 7.24 from 'canonical' installed
      Enabling Livepatch with the given token, stand by...
      Successfully enabled device. Using machine-token: 
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
      Use "canonical-livepatch status" to verify current patch status.
  
  3. Verify livepatch status
  
  type on commandline,
      ubuntu-advantage status
  
  expect an output like the following,
  
      livepatch: enabled
        client-version: "7.23"
        architecture: x86_64
        cpu-model: Intel Core Processor (Skylake)
        last-check: 2017-10-20T19:39:54.451499227Z
        boot-time: 2017-10-20T19:28:09Z
        uptime: 15m30s
        status:
        - kernel: 4.4.0-97.120-generic
          running: true
          livepatch:
            checkState: checked
            patchState: nothing-to-apply
            version: ""
            fixes: ""
  
      esm: disabled (not available)
  
      fips: disabled
  
  ZESTY
  0. Install the new ubuntu-advantage-tools package to add livepatch support.
  
  1. Collect status before enabling livepatch
  
  type on commandline:
-     ubuntu-advantage status
+     ubuntu-advantage status
  
  expect the livepatch service to be unavailable:
  livepatch: disabled (not available)
  
  esm: disabled (not available)
  
  fips: disabled (not available)
  
  2. Ensure that livepatch cannot be enabled on Zesty.
  You can use a dummy set of credentials like "foobar" as the token:
  
  type on commandline,
      sudo ubuntu-advantage enable-livepatch foobar
  
  expect,
-     Sorry, but Canonical Livepatch is not supported on zesty
- 
+     Sorry, but Canonical Livepatch is not supported on zesty
  
  [FIPS TESTCASES]
  These testcases assume you have installed ubuntu-advantage-tools with the 
proposed changes. Prior to the upload they were performed on S390, PPC64EL and 
AMD64 architectures.
  
  TRUSTY
  (Note that FIPS is not supported on trusty.)
  
  1. Collect status before enabling fips
  
  type on commandline,
      ubuntu-advantage status
  
  expect,
-       livepatch: disabled
- 
-         esm: disabled (not available)
- 
-         fips: disabled (not available)
+  livepatch: disabled
+ 
+  esm: disabled (not available)
+ 
+  fips: disabled (not available)
  
  2. Ensure that fips cannot be enabled on trusty.
  You can use a dummy set of credentials like user:secret as the token:
  
  type on commandline,
      sudo ubuntu-advantage enable-fips user:secret
  
  expect,
      Sorry, but Canonical FIPS 140-2 Modules is not supported on trusty
- 
- 
  
  XENIAL
  0. Install the new ubuntu-advantage-tools package to add fips support.
  
  1. Collect status before enabling fips
  
  type on commandline,
      ubuntu-advantage status
  
  expect,
      livepatch: disabled
  
      esm: disabled (not available)
  
      fips: disabled
  
  2. Enable fips
  Note: This will require a token or credentials to fips Private PPA, in
  the form xxx:xxx
  
  type on commandline,
      sudo ubuntu-advantage enable-fips xxx:xxx
  
  expect,
      [sudo] password for ubuntu:
      Running apt-get update... OK
      Ubuntu FIPS PPA repository enabled.
      Installing FIPS packages (this may take a while)... OK
      Configuring FIPS...
      Updating grub to enable fips... OK
      Successfully configured FIPS. Please reboot into the FIPS kernel to 
enable it.
  
  type on commandline,
      sudo reboot
  
  3. Log back into system after reboot
  
  type on commandline,
      ubuntu-advantage status
  
  expect,
      livepatch: disabled
  
      esm: disabled (not available)
  
      fips: enabled
  
  4. verify fips kernel "4.4.0-1002-fips" has been installed
  
  type on commandline,
      uname -a
  
  expect,
      Linux xenialguest 4.4.0-1002-fips #2-Ubuntu SMP Thu Apr 27 19:37:46 UTC  
2017 x86_64 x86_64 x86_64 GNU/Linux
  
  ZESTY
  (Note that FIPS is not supported on zesty.)
  
  1. Collect status before enabling fips
  
  type on commandline,
      ubuntu-advantage status
  
  expect,
      livepatch: disabled (not available)
  
      esm: disabled (not available)
  
      fips: disabled (not available)
  
  2. Ensure that fips cannot be enabled on Zesty.
  You can use a dummy set of credentials like user:secret as the token:
  
  type on commandline,
      sudo ubuntu-advantage enable-fips user:secret
  
  expect,
      Sorry, but Canonical FIPS 140-2 Modules is not supported on zesty
  
  [REGRESSION POTENTIAL]
  The current ubuntu-advantage-tools package in trusty, xenial and zesty is 
basically a NOOP because the only service it supports is ESM, which is only 
available for precise.
  This update adds two new features to the package: FIPS (xenial only) and 
Livepatch (trusty and xenial), essentially making the package useful in trusty 
and xenial. For zesty there is no change, as none of these products are 
available for non-LTS releases.
  
  [OTHER INFO]
  The way this package was made available in all the ubuntu releases where it 
is now was via a "pocket copy". That's why it has the exact same version in 
trusty, xenial and zesty. Currently artful has version 10 (a version 12 just 
missed the feature freeze), so in order for upgrades between releases to work, 
we adopted the backports versioning scheme, by appending the ubuntu release 
code with a tilda ("~") to the version.
  Another point is that even though ubuntu-advantage-tools is "just" a shell 
script, it is unit tested with python3, and these tests (and lint runs) gate 
merges in the upstream github repository at 
github.com/CanonicalLtd/ubuntu-advantage-script/

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1719671

Title:
  [SRU] include recent version containing fips and livepatch
