Comment 16 for bug 2002841

John A Meinel (jameinel) wrote :

Because we determined that fips doesn't actually take effect until the machine is restarted, I switched up and wrote this config.yaml:

vpc-id: vpc-5aaf123f
cloudinit-userdata: |
  preruncmd:
    - pro refresh config
    - pro attach C14EW5D6fYetRNEKcSBztWHE8E1WWi
    - pro enable usg --assume-yes
    - pro enable fips-updates --assume-yes
    - if [ -e /var/lib/restarted ]; then echo already restarted; else touch /var/lib/restarted; echo restarting; reboot now; fi

It worked as expected, rebooting one time after installing fips, but otherwise moved forward and did the rest of the juju initialization steps. I bootstrapped with:

$ juju bootstrap aws jam-aws --config config.yaml --bootstrap-series focal --model-default config.yaml --agent-version 3.1.5

Which forced the controller to 3.1.5, but on the controller I could run:
$ curl -sSf --connect-timeout 20 --noproxy '*' --insecure --tls13-ciphers TLS_CHACHA20_POLY1305_SHA256 -o xxx.tgz https://localhost:17070/model/c75854bd-8875-45d1-819c-91b782b4d77d/tools/3.1.5-ubuntu-amd64 ; echo $?
curl: (35) error:0607B0C8:digital envelope routines:EVP_CipherInit_ex:disabled for FIPS
35
$ curl -sSf --connect-timeout 20 --noproxy '*' --insecure -o xxx.tgz https://localhost:17070/model/c75854bd-8875-45d1-819c-91b782b4d77d/tools/3.1.5-ubuntu-amd64 ; echo $?
0

So I could see that curl on the controller machine did, indeed, not like CHACHA, but was happy to do other ciphers. Using that same setup (reboot just after installing and enabling fips) I then added a new model:

$ juju add-model test
$ juju model-config cloudinit-userdata
preruncmd:
  - pro refresh config
  - pro attach MYSECRET
  - pro enable usg --assume-yes
  - pro enable fips-updates --assume-yes
  - if [ -e /var/lib/restarted ]; then echo already restarted; else touch /var/lib/restarted; echo restarting; reboot now; fi
$ juju deploy ubuntu-lite --base ubuntu@20.04

I then watched as it got set up. fips enablement is a bit slow (about 5 min to get through all the steps before we get to reboot).

I could see that it did get restarted as the new machine came up, before it downloaded the agent binaries:
Installing FIPS Updates packages
FIPS Updates enabled
A reboot is required to complete install.
restarting
+ install -D -m 644 /dev/null /var/lib/juju/nonce.txt
+ echo machine-0:168ea4a8-5886-4a81-84ed-f05966f9f49c

(and at that line 'restarting' I was connected in another terminal over ssh, and I got kicked out and had to wait a bit before I could reconnect.)

And post reboot (and finishing initialization) I can confirm that forcing the cipher fails as desired:
$ curl -sSf --connect-timeout 20 --noproxy '*' --insecure --tls13-ciphers TLS_CHACHA20_POLY1305_SHA256 -o xxx.tgz https://172.30.2.150:17070/model/db124619-d82d-4ca7-8777-b3998dc4252b/tools/3.1.5-ubuntu-amd64; echo $?
curl: (35) error:0607B0C8:digital envelope routines:EVP_CipherInit_ex:disabled for FIPS
35

I then went forward and added an LXD unit of the same application:
$ juju add-unit ubuntu-lite --to lxd:0

$ juju status
...
ubuntu-lite/1 waiting allocating 0/lxd/0 waiting for machine
...
0/lxd/0 pending pending ubuntu@20.04 Retrieving image: rootfs: 84% (20.57MB/s)

$ sudo lxc list
+---------------------+---------+----------------------+------+-----------+-----------+
| NAME | STATE | IPV4 | IPV6 | TYPE | SNAPSHOTS |
+---------------------+---------+----------------------+------+-----------+-----------+
| juju-c4252b-0-lxd-0 | RUNNING | 252.2.196.168 (eth0) | | CONTAINER | 0 |
+---------------------+---------+----------------------+------+-----------+-----------+

And from inside that container:
...
This machine is now attached to 'Ubuntu Pro (Apps-only) - Virtual'

SERVICE ENTITLED STATUS DESCRIPTION
anbox-cloud yes disabled Scalable Android in the cloud
esm-apps yes enabled Expanded Security Maintenance for Applications
esm-infra yes enabled Expanded Security Maintenance for Infrastructure
fips yes disabled NIST-certified core packages
fips-updates yes disabled NIST-certified core packages with priority security updates
ros yes disabled Security Updates for the Robot Operating System
usg yes disabled Security compliance and audit tools

NOTICES
...
$ lxc exec juju-c4252b-0-lxd-0 bash
tail -f /var/log/cloud-init-output.log
+ curl -sSf --connect-timeout 20 --noproxy * --insecure -o /var/lib/juju/tools/3.1.5-ubuntu-amd64/tools.tar.gz https://172.30.2.150:17070/model/db124619-d82d-4ca7-8777-b3998dc4252b/tools/3.1.5-ubuntu-amd64
Cloud-init v. 23.2.2-0ubuntu0~20.04.1 running 'modules:final' at Fri, 06 Oct 2023 22:23:26 +0000. Up 15.54 seconds.
+ echo Agent binaries downloaded successfully.
Agent binaries downloaded successfully.
+ break
+ sha256sum /var/lib/juju/tools/3.1.5-ubuntu-amd64/tools.tar.gz
...

And from within that container:
root@juju-c4252b-0-lxd-0:~# curl -sSf --connect-timeout 20 --noproxy '*' --insecure --tls13-ciphers TLS_CHACHA20_POLY1305_SHA256 -o xxx.tgz https://172.30.2.150:17070/model/db124619-d82d-4ca7-8777-b3998dc4252b/tools/3.1.5-ubuntu-amd64; echo $?
curl: (35) error:0607B0C8:digital envelope routines:EVP_CipherInit_ex:disabled for FIPS
35
root@juju-c4252b-0-lxd-0:~# curl -sSf --connect-timeout 20 --noproxy '*' --insecure -o xxx.tgz https://172.30.2.150:17070/model/db124619-d82d-4ca7-8777-b3998dc4252b/tools/3.1.5-ubuntu-amd64; echo $?
0

So if I force it, it fails, but as long as I don't (and juju doesn't) it successfully downloads. And the container had no problem starting up.
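The comment above combines two things a practitioner would want to reuse: the one-time reboot guard in `preruncmd` (so the machine reboots exactly once after `pro enable fips-updates`, and never loops), and the curl probe that confirms FIPS mode rejects `TLS_CHACHA20_POLY1305_SHA256` while the default cipher list still works. The following is an added example, not code from the bug comment or from Juju or Ubuntu Pro: it factors those steps into POSIX sh functions so they can be checked on a scratch path before being dropped into cloud-init. The marker path, the `reboot now` default, and the `classify_curl_rc` mapping are assumptions made here; the curl flags are the ones used in the comment.

```shell
#!/bin/sh
# Added example (not from the bug comment). Three helpers:
#   reboot_once        - the "reboot exactly once" guard from the preruncmd
#   fips_state         - read the kernel's FIPS flag after the reboot
#   probe_tls13_cipher - the curl check against the controller's tools URL

# reboot_once MARKER [REBOOT_CMD]
# First call: creates MARKER, prints "restarting", runs REBOOT_CMD, returns 0.
# Later calls: prints "already restarted" and returns 1, so a second boot
# after the reboot skips straight on to the rest of cloud-init.
# The marker is written *before* rebooting so an interrupted reboot cannot
# turn into a reboot loop. REBOOT_CMD is injectable for testing.
reboot_once() {
  marker="$1"
  reboot_cmd="${2:-reboot now}"   # assumed default, matches the comment's preruncmd
  if [ -e "$marker" ]; then
    echo "already restarted"
    return 1
  fi
  mkdir -p "$(dirname "$marker")"
  : > "$marker"
  echo "restarting"
  sh -c "$reboot_cmd"
  return 0
}

# fips_state [FLAG_FILE]
# Prints enabled/disabled/unknown from the kernel's fips_enabled flag.
# The path is a parameter only so a constructed file can stand in during tests.
fips_state() {
  flag="${1:-/proc/sys/crypto/fips_enabled}"
  if [ -r "$flag" ]; then
    case "$(cat "$flag")" in
      1) echo enabled ;;
      *) echo disabled ;;
    esac
  else
    echo unknown
  fi
}

# classify_curl_rc RC
# Maps curl's exit status to a verdict. 35 is curl's "SSL connect error",
# which is what the comment shows for "disabled for FIPS".
classify_curl_rc() {
  case "$1" in
    0)  echo accepted ;;
    35) echo rejected ;;
    *)  echo "error($1)" ;;
  esac
}

# probe_tls13_cipher URL CIPHER
# Same curl invocation as the comment (--insecure because the controller
# presents a self-signed certificate), with the download discarded.
# Prints "accepted" when the server negotiates CIPHER and "rejected" when
# the FIPS-restricted TLS stack refuses it.
probe_tls13_cipher() {
  url="$1"
  cipher="$2"
  rc=0
  curl -sSf --connect-timeout 20 --noproxy '*' --insecure \
       --tls13-ciphers "$cipher" -o /dev/null "$url" 2>/dev/null || rc=$?
  classify_curl_rc "$rc"
}
```

In a `preruncmd`, the guard is used as `reboot_once /var/lib/restarted`. After the machine comes back, `fips_state` should print `enabled`, `probe_tls13_cipher "$URL" TLS_CHACHA20_POLY1305_SHA256` should print `rejected`, and `probe_tls13_cipher "$URL" TLS_AES_256_GCM_SHA384` should print `accepted`, which is the same pair of outcomes the comment observes on the controller and inside the LXD container.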