Update Ubuntu VM images #1909
Conversation
While we are doing this, we might as well update to a more recent release.
Updating to Gen 2 worked fine. Updating to Jammy is slightly trickier:
This seems like more incentive to move off omsagent, if anything.
There is a 24.04 image on marketplace. I'd imagine that it too wants to install snaps. Omsagent definitely doesn't support 24.04, but we don't really need it to. I'm not sure if Azure Update Manager or Monitor Agent can handle 24.04 yet either.
Hmm, yes I'd forgotten about that but probably should have brought it up before. It feels like Ubuntu is moving towards distributing more packages as snaps. Firefox is now a snap by default. That will be difficult to support.
My feeling is the drive towards snaps won't change.
Discussion of snap endpoints in #1220
Do we still need domains and IP addresses for the endpoints we want to reach (@jemrobinson)? Using the Snap Store Proxy like we proxy apt/pip/cran could be a good solution.
Looking at loosening network rules to allow snapcraft. However, DNS still not allowing snapcraft domain names to be resolved
Snapcraft is blacklisted by AdGuard
Permitted domains: data-safe-haven/data_safe_haven/types/enums.py, lines 81 to 90 in 5596a99
Having looked at Snap Store Proxy, it looks like it isn't possible to get this working without creating a Ubuntu SSO account (and there may be limits on how many clients can connect without having a Canonical support contract).
Ok, allowing the VMs to directly contact snapcraft now works. So finding a way to allow that allows us to use Jammy. Currently, it creates a new application rule to allow Snapcraft through the firewall. If Snap Store Proxy won't work, maybe we can use another proxy ourselves -
As I understand it, we are talking about different methods of proxying here. The Snap Store Proxy is much more like a snap store instance which has an upstream provider (quite like how we use Nexus). The snapd proxy configuration is a general purpose http/https proxy, like we route all internet traffic through
Ok, but we're just using a squid proxy for apt, so wouldn't something similar work for snapd?
Is Fedora supported on Azure? I have no problem with switching to another distro, but we want to avoid maintaining our own OS if possible. I remember you were interested in NixOS a few years ago @JimMadge - is that another possibility?
We're using squid-deb-proxy which can act as a proxy to any
I assumed there would be an official Fedora image, but it looks like there isn't. NixOS would be a much more complex change. Moving to an immutable distro would involve changing how we think about configuration. I think it would be a good long term goal. There is an argument that immutable provides better security and reproducibility. There is also no official image on the Marketplace so it would involve building that ourselves.
Yes. I think I wrote something like this in Slack and didn't comment here 🤦. The Snap Store Proxy is like a dedicated proxy for snapd. I don't think it would be a good solution for us though.
If this is working, let's get this in now for rc3 and open an issue to track the security question.
Latest update from testing with VM behind an Azure firewall. Started with a fully locked down VM with nothing allowed out, then progressively allowed more and more traffic. The list of required endpoints for snaps found on snapcraft.io is
Only You also need to allow Allowing
Blocking Blocking Ultimately, it seems
@craddm Is this ready for review?
Yes
Look good.
I think we might want to add a rule to explicitly disallow the endpoints dashboard.snapcraft.io and login.ubuntu.com with a high priority.
It would be good to have a summary of what you've found out about the endpoints and the consequences. I.e. we must block two endpoints, a user with an authorisation token (presumably?) can upload to dashboard.snapcraft.io.
@jemrobinson is there precedent for that? I can't see any disallow rules in a quick look through firewall.py.
@craddm Are you happy with this?
Yes, LGTM
Mostly LGTM. One question about forbidden domains.
network.AzureFirewallApplicationRuleCollectionArgs( | ||
action=network.AzureFirewallRCActionArgs( | ||
type=network.AzureFirewallRCActionType.DENY | ||
), | ||
name="workspaces-deny", | ||
priority=FirewallPriorities.SRE_WORKSPACES, | ||
rules=[ | ||
network.AzureFirewallApplicationRuleArgs( | ||
description="Deny external Ubuntu Snap Store upload and login access", | ||
name="DenyUbuntuSnapcraft", | ||
protocols=[ | ||
network.AzureFirewallApplicationRuleProtocolArgs( | ||
port=int(Ports.HTTP), | ||
protocol_type=network.AzureFirewallApplicationRuleProtocolType.HTTP, | ||
), | ||
network.AzureFirewallApplicationRuleProtocolArgs( | ||
port=int(Ports.HTTPS), | ||
protocol_type=network.AzureFirewallApplicationRuleProtocolType.HTTPS, | ||
), | ||
], | ||
source_addresses=props.subnet_workspaces_prefixes, | ||
target_fqdns=ForbiddenDomains.UBUNTU_SNAPCRAFT, | ||
), |
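Review bot: the deny collection takes `priority=FirewallPriorities.SRE_WORKSPACES`, and since the review asked for this deny to sit at a high priority, it is worth confirming that this value is evaluated ahead of every allow collection whose target FQDNs could match `dashboard.snapcraft.io` or `login.ubuntu.com` (for example a broad snapcraft allow rule); if an allow collection with the same or an earlier priority matches first, the explicit `DenyUbuntuSnapcraft` rule never fires. A one-line comment above the collection stating that it must outrank the workspace allow rules would also capture the intent discussed in the thread.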
Thinking further - I'm happy with this rule, but I think AzureFirewall behaviour defaults to DENY, so it might not be needed.
Yeah, I'm in two minds.
I know we block everything we don't explicitly allow. It feels like we should capture the fact that these domains in particular should always be blocked though. You might be tempted to allow them when debugging for example.
I tend to agree, feels like it's worth being explicit here
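To illustrate the point discussed above about an explicit deny needing to outrank any allow that could match the same hosts, here is an added example (not code from this PR or the data-safe-haven project) that models Azure Firewall's priority-ordered, first-match, default-deny evaluation over constructed rule collections; the class and function names are hypothetical.

```python
from dataclasses import dataclass

# Hypothetical model of Azure Firewall application rule collections, written
# to illustrate this PR's deny-before-allow question; not project code.
# Azure Firewall: a lower priority number is evaluated first, the first match
# wins, and traffic matching no rule is denied by default.

FORBIDDEN_SNAP_ENDPOINTS = ["dashboard.snapcraft.io", "login.ubuntu.com"]


@dataclass
class RuleCollection:
    name: str
    action: str             # "Allow" or "Deny"
    priority: int           # lower number = higher priority
    target_fqdns: list[str]


def fqdn_matches(pattern: str, fqdn: str) -> bool:
    """'*.example.com' matches subdomains only; otherwise exact match."""
    if pattern.startswith("*."):
        return fqdn.endswith(pattern[1:])
    return fqdn == pattern


def effective_action(collections: list[RuleCollection], fqdn: str) -> str:
    """The first collection (by priority) with a matching FQDN decides."""
    for coll in sorted(collections, key=lambda c: c.priority):
        if any(fqdn_matches(p, fqdn) for p in coll.target_fqdns):
            return coll.action
    return "Deny"  # implicit default deny


def reachable_forbidden(collections: list[RuleCollection]) -> list[str]:
    """Forbidden endpoints that a workspace could still reach."""
    return [f for f in FORBIDDEN_SNAP_ENDPOINTS
            if effective_action(collections, f) == "Allow"]


# Constructed rule sets: the explicit deny outranks a broad snapcraft allow ...
SAFE = [
    RuleCollection("workspaces-deny", "Deny", 1000, FORBIDDEN_SNAP_ENDPOINTS),
    RuleCollection("workspaces-allow", "Allow", 1100, ["*.snapcraft.io"]),
]
# ... but a debugging allow inserted at a higher priority silently reopens it.
DEBUG_LEAK = [RuleCollection("debug-allow", "Allow", 900, ["*.snapcraft.io"])] + SAFE

if __name__ == "__main__":
    print(reachable_forbidden(SAFE))        # []
    print(reachable_forbidden(DEBUG_LEAK))  # ['dashboard.snapcraft.io']
```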
✅ Checklist
🚦 Depends on
Updates the Linux VM to a Gen2 VM.
WIP: updates to release xx.04 LTS of Ubuntu
🌂 Related issues
Closes #1550
🔬 Tests
Unable to test if the deployed VMs are fully working, as cannot currently login with a user due to #1908