Clarify FIPS-compliant Landscape deployment details#82
Clarify FIPS-compliant Landscape deployment details#82rajannpatel wants to merge 7 commits intocanonical:mainfrom
Conversation
|
@YanisaHS; non-scalable Landscape installations in FIPS-mode only manage several hundred Ubuntu instances due to inefficiencies in the FIPS compliant openssl package. Customers interested in the convenience of non-scalable installations need to be adequately warned of this shortcoming, to avoid surprises. |
YanisaHS
left a comment
YanisaHS
left a comment
There was a problem hiding this comment.
I've suggested some changes - mostly minor, although one major thing is that this change pushes users to install with Juju for FIPS, but our existing guide originally pushed towards a deb install? I'm not sure which is correct. Presumably Juju though, so this would require an edit in that section too.
docs/how-to-guides/landscape-installation-and-set-up/install-on-fips-compliant-machines.md
Outdated
Show resolved
Hide resolved
docs/how-to-guides/landscape-installation-and-set-up/install-on-fips-compliant-machines.md
Show resolved
Hide resolved
There was a problem hiding this comment.
Also, later the guide we push people to using Quickstart or Manual installations - is this not supposed to be the case for FIPS-compliance?
There was a problem hiding this comment.
Manual installations are for reference, Quickstart is only suitable for users who acknowledge it's for small estates due to the inefficiency introduced by enabling FIPS.
There was a problem hiding this comment.
@rajannpatel that makes sense, but what I'm getting at is that in the "Install and configure Landscape for FIPS-compliant deployments" section, we explicitly tell users to use Quickstart or Manual, but the introduction you added tells users to use the charm.
So that section needs to be edited as well if this is the case (that users should be using Juju for FIPS)
…n-fips-compliant-machines.md Accepting Yanisa's suggestion Co-authored-by: Yanisa Haley Scherber <yhscherber@gmail.com>
* feat: add documentation for searching by profile type * feat: update GET /child-instance-profiles parameters * add `only_landscape_created` to responses/post req * feat: add wsl limits endpoint * update url, re-sort endpoints * feat: add docs for with_profiles flag * remove whitespace * feat: add API reference for `POST `/child-instance-profiles/make-hosts-compliant`` * fix illegal json for syntax highlighting * fix: update profile payload (#17) * feat: feature flag wsl endpoints (#19) * fix url.... * feat: update `/GET computers` to include `with_wsl_profiles` * fix: update wsl feature limit doc (#21) * feat: add `registered_at` key to GET `/computers/<int:computer_id>` and add annotations to example * feat: add docs for child instance profiles (#20) * fix: update GET /computers/<int:computer_id>/children response payload (#24) * feat: add additional paramters to the GET /computers docs * fix: update compliance for WSL ghosts (#26) * fix: broken link for tests (#27) * add script_tempdir docs to client configuration setup guide * fix grammar * include client version note; use placeholder for tempdir; light cleanup of formatting * api for wsl profiles * wsl guide * add rootfs to spelling * fix some UI references * changes * wording changes * looks good * feat: create table of all possible immutable settings (#30) * refactor: move api doc (#31) * feat: add ENV only table (#32) * sort em * add LANDSCAPE_CONFIG_FILE and ENV only table * feat!: remove `[grpc]` instructions (#33) * add line about allowed_interfaces * spelling * add example * feat: start service.conf docs; add system settings section (#35) * feat: add async frontend settings (#37) * refactor: separate `VAULT_TOKEN` from `LANDSCAPE_SECRETS__SERVICE_URL`, add default for `vault_url` (#38) * feat: add job handler settings section (#39) * feat: broker settings documentation (#36) * feat: add message server settings (#40) * feat: add `[stores]` section docs (#42) * feat: `[secrets]` section docs (#43) * feat: add `[scripts]` section docs (#45) * maintenance settings * fix: add missing message server setting. (#49) * feat: add `[appserver]` docs (#48) * add a few back to the maintenance section * schema settings * api settings * cors spellcheck * fix: move `enable_query_debug` to `[system]`, correct env var name, add moved fields (#41) * fix link * fix: change `features` -> `system` in immutable conf settings table to reflect the real settings (#53) * feat: add missing `enable-tag-script-execution` to sys settings (#54) * add oidc-provider to standalone OIDC setup * add wip docs for provisioning and setup * fill out ubuntu installer doc * add administrator doc * add index to top-level how-to index * enforce my opinions on the custom wordlist * remove references to Google OAuth 2.0 and non-delivered functionality for 25.08 * add service install instructions * add note about default file * fix note * feat: `[oops]` section docs (#47) * feat: add `[load_shaper]` section docs (#46) * feat: `[package_upload]` section docs, add sections for generic store/services settings (#44) * add step to create and validate autoinstall file * bump required server version to 25.10~beta.3 * feat: add apt source delete handler docs (#57) * feat: add apt source list endpoint doc (#59) * separate configuration and administration documents * remove oidc-provider configuration * add X-FQDN to configuration * fix ubuntu installer index * rename ubuntu-installer-provisioning ubuntu-installer * Ubuntu installer (24.04+) -> recent release of the Ubuntu installer (24.04 and later) * add background info to intros * add cross-link to Subiquity in intros * add note about beta PPA in example * clean up HAProxy configuration section * multitenant -> multi-tenant * fix X-FQDN instructions to show that user should do something * enable featre -> set configuration * fix verify section * SaaS Landscape -> Landscape SaaS * oidc client -> oidc provider * use Ubuntu's... when referencing autoinstall docs * administer -> set up * fix setup guide - create/test/upload sections * fix provision a workstation guide * improve h1 names - more verbose * add note about setup in the workstation provisioning guide * enable-employee-management -> employee_management * add note about SaaS feature availability * move 'see subiquity docs' into background info * use paragraph styling * add self-hosted/SaaS disclaimers * fix background info - use paragraph instead of callout * feat: document self-service account creation endpoint (#62) * feat: reference for accept invitation rest endpoint (#63) * add documentation for licensing management * include optional params for licenses * feat: replace tables with more readable sections (#69) * refactor: update api config settings (#70) * touch up some doc stuff * refactor: update broker config settings (#72) * refactor: update load shaper config settings (#73) * refactor: update appserver config settings (#71) * refactor: update message server config settings (#74) * refactor: update package upload settings (#76) * document licensing * include snap/core mention * spelling error * refactor: update oops settings (#75) * refactor: update secrets settings (#77) refactor: fix secrets settings * refactor: update stores settings (#78) * refactor: update system settings (#79) * address feedback for the most part * fix ref and hyperlink * fix docs * Final draft review (#87) * language changes * Update immutable-settings.md Here's a sample for the ENV page * move table to list format * alphabetize and restructure config that can only be set in environment variables * addressed wck0 comments * added notes for read/write access for `landscape` user * removed dev-only configs and added note to `deployment_mode` that users shouldn't edit it * changes to ssl-related cert names in service section, moved schema section and added config * note on landscape system user * added ubuntu_pro_contract_server_url * removed dev-only configs * changed [broker] ssl config names and added a env value for store_superuser --------- Co-authored-by: Bill Kronholm <actual@billkronholm.com> * feat: add hostagent-* settings sections (#81) * fix: typo in header (#91) * feat: add package search settings section (#80) * feat: add pingserver settings (#82) * feat: docs for generic tls client settings (rabbit/vault) (#92) * feat: document how to use mTLS with RabbitMQ/broker, secrets-service, async-frontend (#85) * Update docs/explanation/landscape/licenses.md Co-authored-by: Yanisa Haley Scherber <yhscherber@gmail.com> * Update docs/how-to-guides/ubuntu-pro/attach-ubuntu-pro.md Co-authored-by: Yanisa Haley Scherber <yhscherber@gmail.com> * Update docs/explanation/landscape/licenses.md Co-authored-by: Yanisa Haley Scherber <yhscherber@gmail.com> * Update docs/how-to-guides/ubuntu-pro/attach-ubuntu-pro.md Co-authored-by: Yanisa Haley Scherber <yhscherber@gmail.com> * reword some stuff * minor wording changes * feat: add standalone account creation doc (#89) * feat: add reject invitation doc (#93) * Update docs/how-to-guides/ubuntu-pro/attach-ubuntu-pro.md Co-authored-by: Yanisa Haley Scherber <yhscherber@gmail.com> * Update docs/how-to-guides/ubuntu-pro/attach-ubuntu-pro.md Co-authored-by: Yanisa Haley Scherber <yhscherber@gmail.com> * Update docs/how-to-guides/ubuntu-pro/attach-ubuntu-pro.md Co-authored-by: Yanisa Haley Scherber <yhscherber@gmail.com> * feat: add GET standalone-account REST API endpoint (#94) * update web portal docs * update links * wording changes to the automated attachment intro section (not web portal) * fix wording and feature flag mentions * moved API note * feat: add disa stig deployment guide (#96) Co-authored-by: Bill Kronholm <bill.kronholm@canonical.com> Co-authored-by: Yanisa Haley Scherber <yanisa.scherber@canonical.com> * feat: add port setting to stores section (#97) * only run gh workflow on staging docs * add gh workflow back --------- Co-authored-by: Bill Kronholm <bill.kronholm@canonical.com> Co-authored-by: Bill Kronholm <actual@billkronholm.com> Co-authored-by: landscape-github-actions[bot] <landscape-github-actions[bot]@users.noreply.github.com> Co-authored-by: jansdhillon <jan.dhillon@canonical.com> Co-authored-by: Jan <77344313+jansdhillon@users.noreply.github.com> Co-authored-by: Justin Kim <justin.kim@canonical.com> Co-authored-by: Spencer Runde <spencer.runde@canonical.com> Co-authored-by: david-mclain <david.mclain@canonical.com> Co-authored-by: David <davidmclain98@gmail.com>
YanisaHS
left a comment
YanisaHS
left a comment
There was a problem hiding this comment.
@rajannpatel see my earlier comment and one in the previous thread - there are some larger issues here with how we tell users to install Landscape for FIPS-compliant deployments. The content you've added pushes users with large deployments to the charm, which contradicts the content in the next section. I'm not sure why we specified that it should be Quickstart or Manual before as I'm not familiar with what actually goes in a FIPS-compliant deployment. But it's important that our guidance is cohesive
If it is correct that users can use any deployment mode of Landscape, you could change that line to be "Depending on your deployment, use the Quickstart, Manual, or Juju installation guides..."
|
It is correct that users can use any deployment mode of Landscape, for estates smaller than several hundred machines, it is conceivable that Landscape Quickstart can be used when FIPS is enabled. For larger estates, for scalability reasons, a Juju installation is strongly recommended. |
add juju checklist
clean mangled titles
| @@ -1,9 +1,11 @@ | |||
| (how-to-install-fips-compliant)= | |||
| # How to install on FIPS-compliant machines | |||
| # How to install a FIPS-compliant Landscape Server | |||
There was a problem hiding this comment.
I don't think this is precise though - (AFAIK) it's not Landscape that's actually FIPS-certified.
If you prefer it to be more clear that it's for Landscape Server in the title, how about "How to install Landscape Server on FIPS-compliant machines"? Would that solve what you're getting at?
| ## Install and configure Landscape for FIPS-compliant deployments | ||
| Note that for FIPS-compliant deployments, Landscape Quickstart isn't suitable for large estates (over a few hundred machines). This is due to some performance configuration introduced by the `openssl` 3.0 package which incorporates delays. To manage a large, FIPS-compliant estate, use the Juju deployment method, which allows for horizontal scaling to overcome this limitation. | ||
|
|
||
| ## The FIPS-compliant Landscape Quickstart deployment checklist |
There was a problem hiding this comment.
The heading would ideally be more action-oriented for a how-to guide, like what it was previously ("Install and configure Landscape for FIPS-compliant deployments").
Why did you suggest changing it? I'm open to changing the title if you have a concern about the old one, I'm just not sure what issue you're addressing with your new title, so I don't have a recommendation for a new one
But also - you specify Quickstart in this one, when this section applies to Quickstart and Manual.
There was a problem hiding this comment.
Note: This concern isn't relevant anymore if we switch to my sample structure provided in a later comment
|
|
||
| By default, Postfix uses MD5 hashes with the TLS for backward compatibility. In FIPS mode, the MD5 hashing function is not available. SHA-256 is a secure cryptographic hash function that can be used with FIPS. | ||
|
|
||
| ## The FIPS-compliant Landscape Juju deployment checklist |
There was a problem hiding this comment.
Is cloud-init how users should be installing charmed Landscape for FIPS-compliant deployments? Asking because I'm not sure, and if yes, it introduces some new, notable information to the doc
I'd rather not fully separate the two sections (deb vs charm) because there's shared information between the two. How you have it now, a user could jump to the juju section, and they'd miss the postfix part
If we should keep the cloud-init part and include juju installs more prominently, a better structure for the doc could be:
- Enable FIPS-mode in Ubuntu Pro
- For manual and quickstart deployments
- XYZ
- For juju installs
- XYZ
- For manual and quickstart deployments
- Install Landscape Server
- For manual and quickstart deployments
- XYZ
- For juju installs
- XYZ
- For manual and quickstart deployments
- Additional FIPS-specific configurations
- Postfix stuff
If you're happy with that structure, I can push in changes to your PR to restructure the existing information in this format, and we could go from there. Just let me know
There was a problem hiding this comment.
I need an engineer to sanity check this cloud-init stuff, because I'm going off what the Support Knowbot told me.
There was a problem hiding this comment.
@rajannpatel ok, please tag me or re-request my review when you're ready for me to move forward on it. (to review again or to change the structure based on my previous comment)
2 participants
No description provided.