
Run your Ubuntu in US Government Clouds

In August 2016, the United States government announced a new federal source-code policy, which mandates that at least 20% of custom source code developed by or for any agency of the federal government must be released as open-source software (OSS). The memo of this policy also states that the Federal Government spends more than $6 billion each year on software through more than 42,000 transactions. Obviously, this is a huge business for all open-source developers. The question is “how can you get the business from the Federal Government?” The answer is FIPS.


Federal Information Processing Standards (FIPS) are standards and guidelines for federal computer systems that are developed by the National Institute of Standards and Technology (NIST). Certain federal-related applications are required to be FIPS compliant, and many non-government organizations also follow FIPS standards.

Ubuntu Pro provides you with cryptographic packages that are tested and attested by atsec Information Security, a NIST-accredited laboratory. And Google automatically encrypts traffic between VMs that travels between Google data centers using FIPS 140-2 validated encryption. Your workloads can easily be FIPS compliant if you properly deploy them on Ubuntu Pro in Google Cloud.

Ubuntu 18.04 Pro offers you two FIPS options: FIPS and FIPS-updates. Let’s SSH into your Ubuntu Pro virtual machine. If you haven’t yet upgraded your Ubuntu LTS to Ubuntu Pro, please follow this tutorial. In less than one minute, you will be able to get your Ubuntu Pro machine without losing any of your mission-critical workloads. Once you SSH into your Ubuntu Pro machine, input:

ua status

You will see:

SERVICE       ENTITLED  STATUS    DESCRIPTION
[…]
fips          yes       disabled  NIST-certified core packages
fips-updates  yes       disabled  NIST-certified core packages with priority security updates

The FIPS-updates option includes security patches against CVEs, while the FIPS option makes sure your system stays strictly compliant with the FIPS certification. That said, once you install a security patch to fight a new critical CVE, your system is no longer FIPS compliant because you modified it. To “update”, or “not update”, that is the question!

Let’s enable FIPS now:

sudo ua enable fips
One moment, checking your subscription first
This will install the FIPS core packages.
Are you sure? (y/N) y
Updating package lists
Installing FIPS packages
FIPS enabled
A reboot is required to complete install.

At the time of writing, FIPS is only available on Ubuntu 18.04 Pro. We will need to wait longer for FIPS components in Ubuntu 16.04 Pro and Ubuntu 20.04 Pro.
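An added example (not from the original post and not Canonical's tooling) of a check to run after the required reboot: it reads the STATUS column from `ua status` output in the layout shown above and compares it with the kernel flag in /proc/sys/crypto/fips_enabled. The function names, verdict strings and sample status text are constructed for illustration.

```shell
#!/bin/sh
# Added example: post-reboot FIPS verification. Names here are illustrative.

# Constructed sample mirroring the `ua status` layout shown on this page.
SAMPLE_STATUS='SERVICE ENTITLED STATUS DESCRIPTION
fips yes enabled NIST-certified core packages
fips-updates yes disabled NIST-certified core packages with priority security updates
livepatch yes n/a Canonical Livepatch service'

# Print the STATUS column for one service from `ua status` text on stdin.
# Exact match on column 1, so "fips" never matches "fips-updates".
ua_service_status() {
    awk -v svc="$1" '$1 == svc { print $3; found = 1 }
                     END { if (!found) print "missing" }'
}

# Read the kernel FIPS flag; the file holds 1 when the kernel runs in FIPS mode.
# The path is a parameter so the check can be exercised against a fixture file.
kernel_fips_flag() {
    flag_file="${1:-/proc/sys/crypto/fips_enabled}"
    if [ -r "$flag_file" ]; then
        tr -d '[:space:]' < "$flag_file"
    else
        echo "absent"
    fi
}

# Combine both signals into one verdict:
#   fips-active     service enabled and kernel flag is 1
#   reboot-pending  service enabled but kernel not (yet) in FIPS mode
#   not-enabled     neither fips nor fips-updates is enabled
fips_verdict() {
    status_text="$1"; flag="$2"
    s1=$(printf '%s\n' "$status_text" | ua_service_status fips)
    s2=$(printf '%s\n' "$status_text" | ua_service_status fips-updates)
    if [ "$s1" != "enabled" ] && [ "$s2" != "enabled" ]; then
        echo "not-enabled"
    elif [ "$flag" = "1" ]; then
        echo "fips-active"
    else
        echo "reboot-pending"
    fi
}

# On a real machine: fips_verdict "$(ua status)" "$(kernel_fips_flag)"
fips_verdict "$SAMPLE_STATUS" 1
```

A "reboot-pending" verdict means the packages are installed but the running kernel is not in FIPS mode, which is the state the machine is in between `sudo ua enable fips` and the reboot.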

Maintenance: Livepatch

SERVICE       ENTITLED  STATUS    DESCRIPTION
[…]
livepatch     yes       n/a       Canonical Livepatch service

Livepatch eliminates the need for unplanned maintenance windows for high and critical severity kernel vulnerabilities by patching the Linux kernel while the system runs. This reduces fire drills while keeping uninterrupted service.

Let’s enable Livepatch in Ubuntu 20.04 Pro and let the machine safely go for 10 years:

sudo ua enable livepatch
One moment, checking your subscription first
Canonical livepatch enabled.

Check it:

ua status
SERVICE       ENTITLED  STATUS    DESCRIPTION
cis           yes       disabled  Center for Internet Security Audit Tools
esm-apps      yes       enabled   UA Apps: Extended Security Maintenance (ESM)
esm-infra     yes       enabled   UA Infra: Extended Security Maintenance (ESM)
fips          yes       n/a       NIST-certified core packages
fips-updates  yes       n/a       NIST-certified core packages with priority security updates
livepatch     yes       enabled   Canonical Livepatch service

At the time of writing, Livepatch is only available on Ubuntu 20.04 Pro. Livepatch for Ubuntu 16.04 Pro and Ubuntu 18.04 Pro will be available soon.

A spell to rule them all

In this blog series, we navigated through the great features of Ubuntu Pro: CIS, ESM, FIPS, Livepatch. Now, if you just want them all at once, here is the single magic spell you need to remember:

gcloud beta compute disks update BOOT_DISK_NAME \
  --zone=ZONE \
  --update-user-licenses="LICENSE_URI"

Replace the following:

  • BOOT_DISK_NAME: the name of the boot disk to append the license to
  • ZONE: the zone containing the boot disk to append the license to
  • LICENSE_URI: the license URI for the version of Ubuntu Pro you are upgrading to. The following table shows the license URI for the supported versions of Ubuntu Pro:

Ubuntu Pro version      License URI
Ubuntu Pro 16.04 LTS    https://www.googleapis.com/compute/v1/projects/ubuntu-os-pro-cloud/global/licenses/ubuntu-pro-1604-lts
Ubuntu Pro 18.04 LTS    https://www.googleapis.com/compute/v1/projects/ubuntu-os-pro-cloud/global/licenses/ubuntu-pro-1804-lts
Ubuntu Pro 20.04 LTS    https://www.googleapis.com/compute/v1/projects/ubuntu-os-pro-cloud/global/licenses/ubuntu-pro-2004-lts

For comprehensive instruction, please refer to official Google Cloud documentation: Upgrade from Ubuntu to Ubuntu Pro.

Ubuntu Server Admin
