I see `cc_ubuntu_pro.py` enables FIPS mode for Ubuntu Pro as per the doc here. This is run on first boot since the frequency is `PER_INSTANCE`. For CentOS/Fedora/RHEL, we would want to implement something similar to enable FIPS mode for cloud instances. However, I have a question. How do you ensure that `cc_ubuntu_pro` is run before, say, SSH keys are generated by `cc_ssh.py` (which is also a per-instance module)? If the SSH keys are generated once the instance comes up on first boot but before FIPS is enabled (which would not be enabled until a reboot happens), the SSH keys that are generated might be non-FIPS compliant. Therefore, after reboot with FIPS mode ON, these keys might need to be deleted. Similarly, there might be other configurations that happen before the reboot that are non-FIPS compliant and need to be reverted after the reboot with FIPS enabled happens. How does Canonical handle this situation?