feat: warn/confirm with user if enabling fips downgrades the kernel #2890
Conversation
|
🌎 This PR changes translatable messages. 🌏 Please select which scenarios apply. For further explanation, please read our policy on message changes.
|
|
Jira: This PR is not related to a Jira item. (The PR title does not include a SC-#### reference) GitHub Issues: No GitHub issues are fixed by this PR. (No commits have Fixes: #### references) Launchpad Bugs: No Launchpad bugs are fixed by this PR. (No commits have LP: #### references) Documentation: The changes in this PR do not require documentation changes. 👍 this comment to confirm that this is correct. |
catmsred
force-pushed
the
feature/fips_downgrade_warn
branch
5 times, most recently
from
6fa3681
to
4ff8838
Compare
catmsred
force-pushed
the
feature/fips_downgrade_warn
branch
2 times, most recently
from
cdfc0fb
to
33e8ae7
Compare
catmsred
force-pushed
the
feature/fips_downgrade_warn
branch
7 times, most recently
from
28d6489
to
e70b077
Compare
catmsred
force-pushed
the
feature/fips_downgrade_warn
branch
from
e70b077
to
06827a5
Compare
|
Integration test failures are just proxy tests which I don't think have anything to do with this code |
| @@ -195,8 +247,14 @@ def install_packages( | |||
|
|
|||
| for pkg in desired_packages: | |||
| try: | |||
| super().install_packages( | |||
| package_list=[pkg], cleanup_on_failure=False, verbose=False | |||
| apt.run_apt_install_command( | |||
There was a problem hiding this comment.
Just double checking, why are we changing this ?
There was a problem hiding this comment.
Every time super().install_packages is called, the kernel downgrade warning is sent. In my testing, we generally saw it three times. Grant suggested that this call should properly be run_apt_install_command instead.
There was a problem hiding this comment.
ohh fair enough, that makes total sense. Thanks for the context here
| """ | ||
| Updating <fips-name> package lists | ||
| Installing <fips-name> packages | ||
| Updating standard Ubuntu package lists | ||
| This will downgrade the kernel from .+ to .+\. |
There was a problem hiding this comment.
Is this test supposed to pass on all releases specified in this Scenario Outline ? I have tested the bionic aws.pro and the test didn't work
There was a problem hiding this comment.
Where is this failing for you? It worked for all the iterations I ran of it and is currently passing in CI -- the aws.pro bionic failure is only for an unrelated proxy test.
There was a problem hiding this comment.
That's weird. I am getting the following error on bionic:
Assertion Failed: Expected to match regexp:
Updating FIPS package lists
Installing FIPS packages
This will downgrade the kernel from .+ to .+\.
Warning: Downgrading the kernel may cause hardware failures. Please ensure the
hardware is compatible with the new kernel version before proceeding.
Updating standard Ubuntu package lists(\n.*)?
FIPS enabled
A reboot is required to complete install
But got:
One moment, checking your subscription first
Disabling incompatible service: Livepatch
Updating FIPS package lists
Installing FIPS packages
Updating standard Ubuntu package lists
FIPS enabled
A reboot is required to complete install.
But I haven't checked the other releases yet
There was a problem hiding this comment.
Hi, thanks for the check! I have since fixed the downgrade conditional -- let me know if you're still seeing unexpected failures?
catmsred
force-pushed
the
feature/fips_downgrade_warn
branch
3 times, most recently
from
255894a
to
3708517
Compare
There was a problem hiding this comment.
@catmsred I can confirm the tests are now passing for me. Just one more addition to this PR and I will approve it
| @@ -154,6 +155,56 @@ def conditional_packages(self): | |||
|
|
|||
| return FIPS_CONDITIONAL_PACKAGES.get(series, []) | |||
|
|
|||
| def prompt_if_kernel_downgrade( | |||
There was a problem hiding this comment.
I think we just need some unittests for this method now
catmsred
force-pushed
the
feature/fips_downgrade_warn
branch
from
3708517
to
46ec689
Compare
There was a problem hiding this comment.
Thanks for all the work on this issue @catmsred. I have just one tiny nit here, but let me know if I am missing something
| entitlement, | ||
| ): | ||
| """Test kernel downgrades block install if user denies prompt""" | ||
| m_prompt_for_confirmation = util.prompt_for_confirmation |
There was a problem hiding this comment.
I think I am missing something. Why do we need this line here ?
There was a problem hiding this comment.
We do not! Good catch, that was left over from my experiments for the best way to handle this mock. I will clean it up and then we should be good to merge.
This change adds a new message prompting the user to confirm if enabling fips downgrades the kernel.
catmsred
force-pushed
the
feature/fips_downgrade_warn
branch
from
46ec689
to
71fd8e6
Compare
|
CI fails are flakes + two approvals = merging |
This change adds a new message prompting the user to confirm if enabling fips downgrades the kernel.
Why is this needed?
There have been reports of people enabling FIPS (not realizing it will downgrade their kernel), and having their hardware fail as it needed the new kernel. This change adds an additional warning/prompt if a FIPS enablement is determined to downgrade the kernel.
Jira card: SC-1534
Test Steps
On a pro (but not FIPS) VM, enable FIPS and you should see the new messages.
Checklist
Does this PR require extra reviews?