Updates for SaaS, Essential Support authentication and new FIPS kernel
Includes i686 caveat
Showing 1 changed file with 86 additions and 22 deletions.
@@ -22,9 +22,9 @@ Extended Security Updates (ESU) for AlmaLinux extend the lifecycle of specific A | |
|
||
### ESU lifecycle | ||
|
||
AlmaLinux provides a 10-year lifecycle with a new minor release arriving every 6 months, bringing new features until the fifth year. Each of the minor releases is supported for 6 months. Customers who want to remain with the specific AlmaLinux minor release for longer can opt for Extended Security Updates (ESU). | ||
AlmaLinux provides a 10-year lifecycle with a new minor release arriving every 6 months, bringing new features until the fifth year. Each of the minor releases is supported for 6 months. Customers who want to remain with the specific AlmaLinux minor release for longer can opt for Extended Security Updates (ESU). | ||
|
||
ESU delivers an extended period of security fixes for critical and high-risk vulnerabilities for select AlmaLinux minor versions, as well as the full suite of five FIPS-validated modules (kernel, openssl, libcrypt, nss and gnutls) and FIPS-compliant security patches for FIPS-certified AlmaLinux deployments. The product also unlocks commercial use of the FIPS-validated packages. | ||
ESU delivers an extended period of security fixes for critical and high-risk vulnerabilities for select AlmaLinux minor versions, as well as the full suite of five FIPS-validated modules (kernel, openssl, libcrypt, nss and gnutls) and FIPS-compliant security patches for FIPS-certified AlmaLinux deployments. The product also unlocks commercial use of the FIPS-validated packages. | ||
|
||
Extended Security Updates are currently available for AlmaLinux 9.2 and have planned support for AlmaLinux 9.6 and 9.10. This provision ensures that a given minor release continues to receive essential updates, allowing customers to avoid upgrading every six months and test/certify their applications against the next minor version at their own pace. | ||
|
||
|
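Review bot: the module list in the ESU paragraph names "libcrypt", but the package the FIPS install step later pulls in is `libgcrypt`; `libcrypt` is glibc's password-hashing library, a different component, so the list should read "libgcrypt" to match what is actually validated and installed. The before/after lines in this hunk render identically, which suggests a whitespace-only change; if so, consider dropping it from the commit so the diff shows only substantive edits.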
@@ -96,7 +96,7 @@ The TuxCare ESU/FIPS packages and repositories are cryptographically signed with | |
`tuxctl` is the setup tool for TuxCare's Enterprise Support for AlmaLinux, which will configure your system to receive patches from the TuxCare repositories. To install `tuxctl` you need to install the `tuxcare-release` package first. This package contains the TuxCare repo definitions, TuxCare GPG key and the `tuxctl` setup tool. Run the following as root: | ||
|
||
```text | ||
# dnf install -y https://repo.tuxcare.com/tuxcare/tuxcare-release-latest-$(rpm --eval %almalinux.%_arch).rpm | ||
# dnf -y install https://repo.tuxcare.com/tuxcare/tuxcare-release-latest-9.2.$(uname -i).rpm | ||
``` | ||
|
||
The second step is to activate your license on the system. You should run the `tuxctl` tool as root with your ESU license key provided as a command line argument like so: | ||
|
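Review bot: the replacement `dnf install` URL hard-codes the release as `9.2`, while the ESU section on this page also announces 9.6 and 9.10, so readers on a later minor will fetch the wrong `tuxcare-release` package; either parameterise the version or point to the "find your exact OS version" step used in the Essential Support section. The removed form used `$(rpm --eval %_arch)`, which is the packaging architecture dnf keys on; `uname -i` is a non-portable option that prints `unknown` on some systems (it does give `x86_64`/`aarch64` on AlmaLinux), so the old expression was the safer one. Since this bootstrap RPM carries the TuxCare GPG key that every later package is verified against, publishing the key fingerprint here would let readers confirm the imported key before enabling the repositories.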
@@ -139,6 +139,44 @@ Then you will have to run `tuxctl` like this: | |
|
||
::: | ||
|
||
### SaaS usage | ||
|
||
If you are using ESU with our SaaS license in AWS, then the instructions are slightly different. You should login to your instance and run the following as root (use of `--fips` is optional depending on your needs): | ||
|
||
```text | ||
# dnf -y install https://repo.tuxcare.com/tuxcare/tuxcare-release-latest-9.2.$(uname -i).rpm | ||
# tuxctl --saas --fips | ||
``` | ||
|
||
If you want to reclaim a license when you terminate an instance, you should first run: | ||
|
||
```text | ||
# tuxctl --delete | ||
De-registration successful | ||
``` | ||
|
||
Then you can use that license to register another instance. | ||
|
||
If you want to check if you've already registered an instance, you can run the following to display your token: | ||
|
||
```text | ||
# tuxctl --validate | ||
Server is registered with token EXTENDED_SECURITY_UPDATES-SERVER-xxxxx | ||
``` | ||
|
||
If the instance has no license installed, it will return: | ||
|
||
```text | ||
Server is not registered | ||
``` | ||
|
||
:::warning | ||
We can provide a systemd unit file and instructions, should you want to incorporate installing tuxcare-release and registering using tuxctl into your AMI, so that when you spin-up an instance its ready to receive patches, simply email [[email protected]]([email protected]) | ||
::: | ||
|
||
### Enabling FIPS 140-3 mode | ||
|
||
First please ensure you have installed the `tuxcare-release` package as described above. If you haven't already registered your ESU license using `tuxctl` the next step will also do that for you. | ||
|
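Review bot: the `tuxctl --validate` example prints the registration token, and the uninstall section's sed shows that token forms part of the repository baseurl, so it is effectively a credential; add a sentence asking readers not to paste it into tickets or logs, and mask more of it in the sample output. The AMI paragraph in the warning should also say that a license key baked into an image is readable by anyone who can launch or export that image. Minor: "its ready" should be "it's ready", and the `--delete` paragraph could state what happens to the seat when an instance is terminated without de-registering.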
@@ -147,15 +185,17 @@ To enable the FIPS repo, install the FIPS 140-3 validated packages, enable FIPS | |
|
||
```text | ||
# tuxctl --fips -l ESU-XXXXXXXXXXXXXXXXXXXXXXXX | ||
# dnf -y install openssl-3.0.7-20.el9_2.tuxcare.1 kernel-5.14.0-284.11.1.el9_2.tuxcare.5 | ||
# dnf -y install openssl-3.0.7-20.el9_2.tuxcare.1 kernel-5.14.0-284.11.1.el9_2.tuxcare.6 | ||
# dnf -y install gnutls-3.7.6-23.el9_2.tuxcare.3 nettle-3.8-3.el9_2.tuxcare.1 libgcrypt-1.10.0-10.el9_2.tuxcare.3 nss-3.90.0-6.el9_2.tuxcare.1 | ||
# grubby --set-default=/boot/vmlinuz-5.14.0-284.11.1.el9_2.tuxcare.5.$(uname -i) | ||
# grubby --set-default=/boot/vmlinuz-5.14.0-284.11.1.el9_2.tuxcare.6.$(uname -i) | ||
# fips-mode-setup --enable | ||
# reboot | ||
``` | ||
|
||
:::warning | ||
Note the aarch64 platform doesn't currently have FIPS-validated gnutls/libgcrypt/nss packages, so ARM users should only run the first `dnf` command to install the openssl and kernel packages. | ||
|
||
We also provide multilib i686 packages of the userspace modules in the x86_64 repo for backwards compatibility, note that these are not FIPS-validated but are built from the same source. | ||
::: | ||
|
||
Once you've logged in after the reboot, run these commands and check the output matches to confirm it worked: | ||
|
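Review bot: the kernel NVR bump to `.6` is applied consistently on the `dnf install` and `grubby` lines, but the block still does not say what a later `dnf update` does to these pinned packages; if the ESU repository can ship a newer kernel or openssl outside the validated set, the system silently leaves the validated configuration, so either state that the FIPS repo only carries validated builds or document a `dnf versionlock` for these NVRs. In the new i686 paragraph, "built from the same source" reads as reassurance; say explicitly that any 32-bit application using the multilib libraries is outside the FIPS validation boundary.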
@@ -165,7 +205,7 @@ $ fips-mode-setup --check | |
FIPS mode is enabled. | ||
$ uname -r | ||
5.14.0-284.11.1.el9_2.tuxcare.5.x86_64 | ||
5.14.0-284.11.1.el9_2.tuxcare.6.x86_64 | ||
$ openssl list -providers | grep -A3 fips | ||
fips | ||
|
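Review bot: the expected `uname -r` output now matches the `.6` kernel installed in the FIPS section. As a kernel-side confirmation independent of the userspace tool, consider adding `cat /proc/sys/crypto/fips_enabled` with expected output `1` next to `fips-mode-setup --check`.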
@@ -187,15 +227,17 @@ To uninstall tuxctl, disable the ESU/FIPS functionality and revert to AlmaLinux | |
-e 's|https://repo.tuxcare.com/almalinux/|https://repo.almalinux.org/almalinux/|' \ | ||
-e 's|^# mirrorlist|mirrorlist|' \ | ||
-e 's|^baseurl|# baseurl|' \ | ||
-e 's|$tuxcare_releasever/$tuxcare_token|$releasever|g' \ | ||
-e 's|almacare|tuxcare|g' \ | ||
-e 's|$tuxcare_releasever|$releasever|g' \ | ||
-e 's|$almacare_releasever|$releasever|g' \ | ||
-e '/^exclude/d' \ | ||
/etc/yum.repos.d/almalinux*.repo | ||
# reboot | ||
``` | ||
|
||
:::warning | ||
Note that by disabling ESU, you will revert to tracking major version releases instead of sticking to a specific minor version, so you may be upgraded from 9.2 to 9.3 for example - a process you cannot undo. | ||
Note that by disabling ESU, you will revert to tracking major version releases instead of sticking to a specific minor version, so you may be upgraded from 9.2 to 9.4 for example - a process you cannot undo. | ||
::: | ||
|
||
To completely remove the TuxCare packages, after following the above steps, run the following as root: | ||
|
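Review bot: the dropped expression `-e 's|$tuxcare_releasever/$tuxcare_token|$releasever|g'` removed the `/$tuxcare_token` path segment from the baseurl, but none of the three expressions replacing it does, so on a repo file that still carries that segment the reverted URL becomes `.../$releasever/$tuxcare_token`; please confirm the token is no longer part of the path, or keep a substitution for it. The `$almacare_releasever` expression can never match: the preceding `almacare` to `tuxcare` substitution already turns it into `$tuxcare_releasever`, which the next expression rewrites, so that line can go. The single quotes correctly keep `$releasever` literal; a backup suffix (`sed -i.bak`) would make recovering from a partial rewrite easier. The 9.2 to 9.4 correction in the warning is consistent with the rest of the page.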
@@ -286,6 +328,28 @@ TuxCare Technical Support is designed for enterprise clients with trained IT sta | |
|
||
* New tickets may be created by simply emailing the support desk: [[email protected]]([email protected]) | ||
|
||
:::warning | ||
If you are a user of our SaaS product on AWS Marketplace, before you contact support, you should have your AWS accountId to hand, there are various ways to find it. | ||
|
||
If you have the aws cli tool installed on your computer, you can run: | ||
|
||
```text | ||
$ aws sts get-caller-identity --query Account --output text | ||
123456789012 | ||
``` | ||
|
||
Alternatively you can make a request to the AWS API from within a running instance, as described [here](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instance-identity-documents.html#retrieve-iid), for example using IMDSv1: | ||
|
||
```text | ||
$ curl -s http://169.254.169.254/latest/dynamic/instance-identity/document | grep accountId | ||
"accountId" : "123456789012", | ||
``` | ||
|
||
Or if you have access to the [ec2 console](https://console.aws.amazon.com/console/home) you can simply click your username at the top right of the page. Your Account ID is the 12 digits in the dropdown. | ||
::: | ||
|
||
All customers are entitled to access the Support knowledgebase, FAQs, and other self-service tools as may be offered by Enterprise Support for AlmaLinux. | ||
|
||
#### Response Time | ||
|
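Review bot: the IMDS example at the end of the block uses IMDSv1, which returns HTTP 401 on instances launched with `HttpTokens=required` (IMDSv2 only), a setting hardened baselines commonly enforce; show the token-based form instead, e.g. `TOKEN=$(curl -s -X PUT http://169.254.169.254/latest/api/token -H 'X-aws-ec2-metadata-token-ttl-seconds: 300')` followed by `curl -s -H "X-aws-ec2-metadata-token: $TOKEN" http://169.254.169.254/latest/dynamic/instance-identity/document | grep accountId`. The `aws sts get-caller-identity` option only gives the right answer when the workstation credentials belong to the same account as the instance, which is worth stating. Style: "to hand, there are various ways" is a comma splice.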
@@ -351,28 +415,28 @@ Technical support covered by any of the TuxCare Support Programs shall not be pr | |
* Incidents for which the Customer cannot provide accurate information, as reasonably requested by TuxCare, in order to reproduce, investigate, and resolve the incident | ||
* Incidents which arise as a result of neglect or incorrect use of TuxCare instructions, which, if properly used, would have prevented the Incident | ||
|
||
### Switching repositories | ||
### Installing tuxctl (Essential Support) | ||
|
||
For Essential Support customers wishing to use our vetted TuxCare repos instead of the community AlmaLinux ones, all you have to do is run the following as root: | ||
Similarly to the ESU instructions [above](/enterprise-support-for-almalinux/#installing-tuxctl), Essential Support customers should install tuxcare-release and register their server using tuxctl. The main difference is the choice of OS version - you must install the RPM specifically for your AlmaLinux version. | ||
|
||
If you are unsure, run this to find your exact OS version: | ||
|
||
```text | ||
# sed -i \ | ||
-e 's|https://repo.almalinux.org/almalinux/|https://repo.tuxcare.com/almalinux/|' \ | ||
-e 's|^mirrorlist|# mirrorlist|' \ | ||
-e 's|^# baseurl|baseurl|' \ | ||
/etc/yum.repos.d/almalinux*.repo | ||
$ cat /etc/almalinux-release | ||
AlmaLinux release 8.10 (Cerulean Leopard) | ||
``` | ||
|
||
This method will work for any version of AlmaLinux 8.x or 9.x, we currently don't mirror the vault (debuginfo/source) repo's. | ||
You can browse [https://repo.tuxcare.com/tuxcare/](https://repo.tuxcare.com/tuxcare/) and find the correct RPM, or you can figure it out by substituting the version number (e.g. 8.10, 9.2, 9.4...) then install it as root, for example: | ||
|
||
```text | ||
# dnf -y install https://repo.tuxcare.com/tuxcare/tuxcare-release-latest-8.10.$(uname -i).rpm | ||
``` | ||
|
||
To revert back to the community mirrors you can run the following as root: | ||
The second step is to activate your license on the system. You should run the `tuxctl` tool as root with your Essential Support license key provided as a command line argument like so: | ||
|
||
```text | ||
# sed -i \ | ||
-e 's|https://repo.tuxcare.com/almalinux/|https://repo.almalinux.org/almalinux/|' \ | ||
-e 's|^# mirrorlist|mirrorlist|' \ | ||
-e 's|^baseurl|# baseurl|' \ | ||
/etc/yum.repos.d/almalinux*.repo | ||
# tuxctl --license-key ESA-XXXXXXXXXXXXXXXXXXXXXXXX | ||
``` | ||
|
||
:::warning | ||
|
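Review bot: renaming `### Switching repositories` to `### Installing tuxctl (Essential Support)` changes the heading's anchor, so any existing link to `#switching-repositories` breaks, and the new `[above](/enterprise-support-for-almalinux/#installing-tuxctl)` link will resolve to whichever heading the generator slugs as `installing-tuxctl` first; check the generated ids. On the `tuxctl --license-key ESA-...` line the key is passed as a command-line argument, so it lands in shell history and is visible in the process list while the command runs; if tuxctl can read the key from a file or a prompt, document that, otherwise add a note on clearing the history entry. The removed sed-based switch came with a revert procedure; the replacement section has none, so readers cannot return to the community mirrors without the ESU uninstall steps elsewhere on the page.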