UA backend(s) unreachable during live filesystem builds

Asked by Gauthier Jolly on 2021-04-27

[context]

VM instances started, from Ubuntu FIPS cloud offers, need to boot with FIPS modules. This is why CPC needs to pre-install FIPS components (kernel + crypto libraries) on FIPS cloud images.

To do so, the CPC team is manually adding FIPS PPAs, installing and holding back packages, etc... By doing so, we are trying to mock what UA client is usually doing on running machines (with "ua enable fips"). Since FIPS installation process is sometimes updated, keeping it up-to-date across different clouds requires maintenance work. Also, because these changes also happen in UA client, the work is duplicated.

To avoid this duplication and also prevent any potential "conflict" between what is done during image build and UA client, the CPC team would like to install FIPS using UA client in the images.

[request]

To do so, UA client running on LP needs to be able to access the following domains:

for staging:
contracts.staging.canonical.com
esm.staging.canonical.com

for production:
contracts.canonical.com
esm.canonical.com

[security considerations]

Since those domains are maintained by Canonical, my security concerns are limited. However, I also have a limited knowledge of LP and of its security considerations in general.

NB: I don't know for sure if this is the only endpoints we need to allow, I will check UA client's logs to confirm.

Question information

Language:
English Edit question
Status:
Needs information
For:
Launchpad itself Edit question
Assignee:
No assignee Edit question
Last query:
Last reply:
Colin Watson (cjwatson) said : #1

Would it be acceptable to do this by granting the livefs builds in question temporary access to the relevant FIPS private PPAs instead? You may have seen email discussion of this recently, maybe in relation to ESM rather than FIPS. Although this does require some development work in LP, we'd generally prefer this approach over using the external mirrors.

Gauthier Jolly (gjolly) said : #2

Not sure I understand your question. As I mentioned, we are already installing FIPS packages from private PPAs. We would like to move away from that and use UA client.

Colin Watson (cjwatson) said : #3

We would prefer to avoid needing to grant access to the external servers used by the UA client, so I'm trying to work out whether that can be avoided. It would be good to work out whether any of the problems you have with using private PPAs can be mitigated; it should ideally be possible for it just to be a matter of dispatching the right set of archives and authentication tokens to the build, which is then a relatively routine business.

(I'll be on leave for most of the next week.)

Can you help with this problem?

Provide an answer of your own, or ask Gauthier Jolly for more information if necessary.

To post a message you must log in.