purge: change order of operations
Now the downgrades are performed first, and then the kernel is removed.
This way, initramfs runs the non-fips libraries and is able to generate
data for the next boot.

Fixes: #2805

Signed-off-by: Renan Rodrigo <[email protected]>
renanrodrigo committed Oct 26, 2023
1 parent 6f16cd6 commit 19efc5e
Showing 3 changed files with 201 additions and 4 deletions.
192 changes: 192 additions & 0 deletions features/attached_commands.feature
@@ -990,6 +990,198 @@ Feature: Command behaviour when attached to an Ubuntu Pro subscription
| focal | fips | FIPS | https://esm.ubuntu.com/fips/ubuntu focal/main | http://archive.ubuntu.com/ubuntu focal-updates/main |
| focal | fips-updates | FIPS Updates | https://esm.ubuntu.com/fips-updates/ubuntu focal-updates/main | http://archive.ubuntu.com/ubuntu focal-updates/main |

@slow
@series.bionic
@series.focal
@uses.config.machine_type.gcp.generic
Scenario Outline: Disable and purge fips
Given a `<release>` machine with ubuntu-advantage-tools installed
When I attach `contract_token` with sudo
And I run `apt update` with sudo
And I run `pro enable <fips-service> --assume-yes` with sudo
And I reboot the machine
And I run `pro status` with sudo
Then stdout matches regexp:
"""
<fips-service> +yes +enabled
"""
When I run `uname -r` as non-root
Then stdout matches regexp:
"""
fips
"""
And I verify that `openssh-server` is installed from apt source `<fips-source>`
And I verify that `linux-gcp-fips` is installed from apt source `<fips-source>`
When I run `pro disable <fips-service> --purge` `with sudo` and stdin `y\ny`
Then stdout matches regexp:
"""
\(The --purge flag is still experimental - use with caution\)
Purging the <fips-name> packages would uninstall the following kernel\(s\):
.*
.* is the current running kernel\.
If you cannot guarantee that other kernels in this system are bootable and
working properly, \*do not proceed\*\. You may end up with an unbootable system\.
Do you want to proceed\? \(y/N\)
"""
And stdout matches regexp:
"""
The following package\(s\) will be REMOVED:
(.|\n)+
The following package\(s\) will be reinstalled from the archive:
(.|\n)+
Do you want to proceed\? \(y/N\)
"""
When I reboot the machine
And I run `pro status` with sudo
Then stdout matches regexp:
"""
<fips-service> +yes +disabled
"""
When I run `uname -r` as non-root
Then stdout does not match regexp:
"""
fips
"""
And I verify that `openssh-server` is installed from apt source `<archive-source>`
And I verify that `linux-gcp-fips` is not installed
Examples: ubuntu release
| release | fips-service | fips-name | fips-source | archive-source |
| bionic | fips | FIPS | https://esm.ubuntu.com/fips/ubuntu bionic/main | https://esm.ubuntu.com/infra/ubuntu bionic-infra-security/main |
| bionic | fips-updates | FIPS Updates | https://esm.ubuntu.com/fips-updates/ubuntu bionic-updates/main | https://esm.ubuntu.com/infra/ubuntu bionic-infra-security/main |
| focal | fips | FIPS | https://esm.ubuntu.com/fips/ubuntu focal/main | http://us-west2.gce.archive.ubuntu.com/ubuntu focal-updates/main |
| focal | fips-updates | FIPS Updates | https://esm.ubuntu.com/fips-updates/ubuntu focal-updates/main | http://us-west2.gce.archive.ubuntu.com/ubuntu focal-updates/main |

@slow
@series.bionic
@series.focal
@uses.config.machine_type.aws.generic
Scenario Outline: Disable and purge fips
Given a `<release>` machine with ubuntu-advantage-tools installed
When I attach `contract_token` with sudo
And I run `apt update` with sudo
And I run `pro enable <fips-service> --assume-yes` with sudo
And I reboot the machine
And I run `pro status` with sudo
Then stdout matches regexp:
"""
<fips-service> +yes +enabled
"""
When I run `uname -r` as non-root
Then stdout matches regexp:
"""
fips
"""
And I verify that `openssh-server` is installed from apt source `<fips-source>`
And I verify that `linux-aws-fips` is installed from apt source `<fips-source>`
When I run `pro disable <fips-service> --purge` `with sudo` and stdin `y\ny`
Then stdout matches regexp:
"""
\(The --purge flag is still experimental - use with caution\)
Purging the <fips-name> packages would uninstall the following kernel\(s\):
.*
.* is the current running kernel\.
If you cannot guarantee that other kernels in this system are bootable and
working properly, \*do not proceed\*\. You may end up with an unbootable system\.
Do you want to proceed\? \(y/N\)
"""
And stdout matches regexp:
"""
The following package\(s\) will be REMOVED:
(.|\n)+
The following package\(s\) will be reinstalled from the archive:
(.|\n)+
Do you want to proceed\? \(y/N\)
"""
When I reboot the machine
And I run `pro status` with sudo
Then stdout matches regexp:
"""
<fips-service> +yes +disabled
"""
When I run `uname -r` as non-root
Then stdout does not match regexp:
"""
fips
"""
And I verify that `openssh-server` is installed from apt source `<archive-source>`
And I verify that `linux-aws-fips` is not installed
Examples: ubuntu release
| release | fips-service | fips-name | fips-source | archive-source |
| bionic | fips | FIPS | https://esm.ubuntu.com/fips/ubuntu bionic/main | https://esm.ubuntu.com/infra/ubuntu bionic-infra-security/main |
| bionic | fips-updates | FIPS Updates | https://esm.ubuntu.com/fips-updates/ubuntu bionic-updates/main | https://esm.ubuntu.com/infra/ubuntu bionic-infra-security/main |
| focal | fips | FIPS | https://esm.ubuntu.com/fips/ubuntu focal/main | http://us-east-2.ec2.archive.ubuntu.com/ubuntu focal-updates/main |
| focal | fips-updates | FIPS Updates | https://esm.ubuntu.com/fips-updates/ubuntu focal-updates/main | http://us-east-2.ec2.archive.ubuntu.com/ubuntu focal-updates/main |

@slow
@series.bionic
@series.focal
@uses.config.machine_type.azure.generic
Scenario Outline: Disable and purge fips
Given a `<release>` machine with ubuntu-advantage-tools installed
When I attach `contract_token` with sudo
And I run `apt update` with sudo
And I run `pro enable <fips-service> --assume-yes` with sudo
And I reboot the machine
And I run `pro status` with sudo
Then stdout matches regexp:
"""
<fips-service> +yes +enabled
"""
When I run `uname -r` as non-root
Then stdout matches regexp:
"""
fips
"""
And I verify that `openssh-server` is installed from apt source `<fips-source>`
And I verify that `linux-azure-fips` is installed from apt source `<fips-source>`
When I run `pro disable <fips-service> --purge` `with sudo` and stdin `y\ny`
Then stdout matches regexp:
"""
\(The --purge flag is still experimental - use with caution\)
Purging the <fips-name> packages would uninstall the following kernel\(s\):
.*
.* is the current running kernel\.
If you cannot guarantee that other kernels in this system are bootable and
working properly, \*do not proceed\*\. You may end up with an unbootable system\.
Do you want to proceed\? \(y/N\)
"""
And stdout matches regexp:
"""
The following package\(s\) will be REMOVED:
(.|\n)+
The following package\(s\) will be reinstalled from the archive:
(.|\n)+
Do you want to proceed\? \(y/N\)
"""
When I reboot the machine
And I run `pro status` with sudo
Then stdout matches regexp:
"""
<fips-service> +yes +disabled
"""
When I run `uname -r` as non-root
Then stdout does not match regexp:
"""
fips
"""
And I verify that `openssh-server` is installed from apt source `<archive-source>`
And I verify that `linux-azure-fips` is not installed
Examples: ubuntu release
| release | fips-service | fips-name | fips-source | archive-source |
| bionic | fips | FIPS | https://esm.ubuntu.com/fips/ubuntu bionic/main | https://esm.ubuntu.com/infra/ubuntu bionic-infra-security/main |
| bionic | fips-updates | FIPS Updates | https://esm.ubuntu.com/fips-updates/ubuntu bionic-updates/main | https://esm.ubuntu.com/infra/ubuntu bionic-infra-security/main |
| focal | fips | FIPS | https://esm.ubuntu.com/fips/ubuntu focal/main | http://azure.archive.ubuntu.com/ubuntu focal-updates/main |
| focal | fips-updates | FIPS Updates | https://esm.ubuntu.com/fips-updates/ubuntu focal-updates/main | http://azure.archive.ubuntu.com/ubuntu focal-updates/main |

@slow
@series.lts
@uses.config.machine_type.lxd-vm
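Review bot: the three new Scenario Outlines (gcp, aws, azure) are copies of one another that differ only in the kernel package name (`linux-gcp-fips`, `linux-aws-fips`, `linux-azure-fips`) and in the `archive-source` column, so the ~190 added lines could be one outline with an extra `<kernel-package>` column and the cloud-specific `@uses.config.machine_type.*` tag handled per example row; as written, any wording change to the `--purge` warning or the REMOVED/reinstalled prompt has to be repeated in every copy of the regexp. The post-reboot checks could also be tightened: `uname -r` not matching `fips` and `<kernel-package>` being gone prove the kernel was removed, but the bug this fixes (#2805) was about the initramfs generated for the next boot by the non-FIPS libraries the commit message mentions, and the scenarios only verify the source of `openssh-server`; adding a `I verify that ... is installed from apt source `<archive-source>`` step for the reinstalled library packages would catch a reinstall that silently skipped them.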
11 changes: 8 additions & 3 deletions features/steps/packages.py
@@ -62,9 +62,14 @@ def verify_package_not_installed(context, package):
when_i_run_command(
context, "apt-cache policy {}".format(package), "as non-root"
)
assert_that(
context.process.stdout.strip(), contains_string("Installed: (none)")
)
output = context.process.stdout.strip()
if "Installed" in output:
assert_that(
context.process.stdout.strip(),
contains_string("Installed: (none)"),
)
# If no output or it doesn't contain installation information,
# then the package is neither installed nor known


@then("I verify that `{package}` is installed from apt source `{apt_source}`")
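Review bot: the new `if "Installed" in output:` guard turns a hard assertion into a soft one: whenever `apt-cache policy` prints something that lacks the word `Installed` (an error, a warning, output for a differently named package) the step now passes without checking anything, which is exactly what a "not installed" step should flag. The comment in the hunk says the unknown-package case is "no output", so make that the only other accepted case, e.g. `else: assert_that(output, equal_to(""))`, and the step still distinguishes "unknown package" from "something unexpected happened". Minor: the body re-reads `context.process.stdout.strip()` inside `assert_that` although `output` already holds that value; use `output` there.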
2 changes: 1 addition & 1 deletion uaclient/entitlements/repo.py
@@ -164,8 +164,8 @@ def _perform_disable(self, silent=False):
self.remove_apt_config(silent=silent)

if self.purge and self.origin:
self.execute_removal(packages_to_remove)
self.execute_reinstall(packages_to_reinstall)
self.execute_removal(packages_to_remove)
return True

def purge_kernel_check(self, package_list):
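Review bot: the swap of `execute_reinstall` and `execute_removal` is the whole fix, but nothing in the code records why the order now matters, so a later tidy-up could restore the "remove then reinstall" order that the commit message says leaves the next boot without a usable initramfs. A one-line comment above the two calls, e.g. `# Reinstall the non-FIPS packages first so initramfs is regenerated before the FIPS kernel is removed (#2805)`, would pin that down. The new order also fails safer: if `execute_reinstall` raises, `execute_removal` never runs and the kernel packages are still present, whereas before a failed reinstall left the system with the kernel already removed.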