UA backend(s) unreachable during live filesystem builds

Asked by Gauthier Jolly

[context]

VM instances started from Ubuntu FIPS cloud offers need to boot with FIPS modules. This is why CPC needs to pre-install FIPS components (kernel + crypto libraries) on FIPS cloud images.

To do so, the CPC team is manually adding FIPS PPAs, installing and holding back packages, etc. By doing so, we are trying to mock what UA client is usually doing on running machines (with "ua enable fips"). Since the FIPS installation process is sometimes updated, keeping it up-to-date across different clouds requires maintenance work. Also, because these changes happen in UA client too, the work is duplicated.

To avoid this duplication and also prevent any potential "conflict" between what is done during image build and UA client, the CPC team would like to install FIPS using UA client in the images.

[request]

To do so, UA client running on LP needs to be able to access the following domains:

for staging:
contracts.staging.canonical.com
esm.staging.canonical.com

for production:
contracts.canonical.com
esm.canonical.com

[security considerations]

Since those domains are maintained by Canonical, my security concerns are limited. However, I also have a limited knowledge of LP and of its security considerations in general.

NB: I don't know for sure if these are the only endpoints we need to allow; I will check UA client's logs to confirm.
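The check mentioned in the NB above (confirming from the client's logs that the two listed domains are really the only endpoints contacted) can be done mechanically. The script below is an added example and is not part of the original question nor of the UA client or Launchpad code; the log lines it parses are constructed for illustration and the real ubuntu-advantage log format may differ, which is why the script keys only on URLs rather than on a fixed line layout. It extracts every host the client talked to and diffs that set against the proposed per-environment allowlist, so an unexpected host shows up as "missing_from_allowlist" before the egress rule is requested.

```python
import re
from urllib.parse import urlparse

# Constructed sample log lines (not real UA client output). The last line is a
# deliberately unexpected host so the diff below has something to report.
SAMPLE_LOG = """\
2021-05-10 10:00:01,123 - ua - DEBUG - URL [GET]: https://contracts.staging.canonical.com/v1/resources
2021-05-10 10:00:02,456 - ua - DEBUG - URL [POST]: https://contracts.staging.canonical.com/v1/context/machines/token
2021-05-10 10:00:03,789 - ua - DEBUG - URL [HEAD]: https://esm.staging.canonical.com/fips/ubuntu/dists/focal/InRelease
2021-05-10 10:00:04,000 - ua - DEBUG - URL [GET]: https://esm.staging.canonical.com/fips/ubuntu/dists/focal/Release.gpg
2021-05-10 10:00:05,000 - ua - DEBUG - URL [GET]: https://example.invalid/something-unexpected
"""

# The domains proposed in the request, per environment.
PROPOSED_ALLOWLIST = {
    "staging": {"contracts.staging.canonical.com", "esm.staging.canonical.com"},
    "production": {"contracts.canonical.com", "esm.canonical.com"},
}

# Match any http(s) URL regardless of the surrounding log line format.
URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def contacted_hosts(log_text):
    """Return the set of lower-cased hostnames found in URLs in the log text."""
    hosts = set()
    for match in URL_RE.finditer(log_text):
        host = urlparse(match.group(0)).hostname
        if host:
            hosts.add(host.lower())
    return hosts


def allowlist_gaps(log_text, allowlist):
    """Diff the hosts seen in the log against a proposed egress allowlist.

    'missing_from_allowlist' are hosts the client contacted that the request
    does not cover (the build would fail, or the allowlist is incomplete);
    'allowed_but_unused' are allowlisted hosts the log never shows, which is
    worth a second look before granting access to them.
    """
    seen = contacted_hosts(log_text)
    return {
        "missing_from_allowlist": sorted(seen - allowlist),
        "allowed_but_unused": sorted(allowlist - seen),
    }


if __name__ == "__main__":
    for env, hosts in PROPOSED_ALLOWLIST.items():
        print(env, allowlist_gaps(SAMPLE_LOG, hosts))
```

Run it against the real log (for example, the contents of /var/log/ubuntu-advantage.log after an "ua enable fips" in a staging build) instead of SAMPLE_LOG; an empty "missing_from_allowlist" for the environment in use is the confirmation the NB asks for.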

Question information

Language: English
Status: Expired
For: Launchpad itself
Assignee: No assignee
Colin Watson (cjwatson) said :
#1

Would it be acceptable to do this by granting the livefs builds in question temporary access to the relevant FIPS private PPAs instead? You may have seen email discussion of this recently, maybe in relation to ESM rather than FIPS. Although this does require some development work in LP, we'd generally prefer this approach over using the external mirrors.

Gauthier Jolly (gjolly) said :
#2

Not sure I understand your question. As I mentioned, we are already installing FIPS packages from private PPAs. We would like to move away from that and use UA client.

Colin Watson (cjwatson) said :
#3

We would prefer to avoid needing to grant access to the external servers used by the UA client, so I'm trying to work out whether that can be avoided. It would be good to work out whether any of the problems you have with using private PPAs can be mitigated; it should ideally be possible for it just to be a matter of dispatching the right set of archives and authentication tokens to the build, which is then a relatively routine business.

(I'll be on leave for most of the next week.)

Launchpad Janitor (janitor) said :
#4

This question was expired because it remained in the 'Needs information' state without activity for the last 15 days.

Éric St-Jean (esj) said :
#5

Reviving this topic: the reason it would be best to allow uaclient to do its thing is that it's not just about accessing the PPA(s); it's about the business logic to figure out _what_ to install, which is not trivial.

That logic is implemented in uaclient *and* the commercial systems contracts backend, and this logic is quite fluid and evolving regularly. We would have to duplicate this logic in our hooks and keep it in sync with changes both in uaclient and in the contracts backend, so it's not simply about upfront work; it's about continuous maintenance but, most critically, brittleness, as we might break paying cloud customers at some point if we fail to update the logic and it lags behind changes in the backend.

Colin Watson (cjwatson) said :
#6

How were you planning to authenticate the builder to these services, given that builders typically have more or less no credentials?

In any case, please convert this question into a bug report using the "Create bug report" button.

Gauthier Jolly (gjolly) said :
#7

Ideally we would like to use some kind of vault. But for now I presume we will have to put the secret (UA token) in our build hooks.