Azure Update Manager installs non-FIPS openssh-server on FIPS-enabled Ubuntu 22.04

Describe the bug
Due to the filter in AptitudePackageManager, updates provided by the FIPS repo (https://esm.ubuntu.com/fips-updates/ubuntu jammy-updates) do not pass the filter and are dropped. If the Ubuntu Pro client is enabled, the problem is worse and ultimately leads to non-FIPS packages being installed, causing conflicts.
Root Cause
The LinuxPatchExtension (v1.6.64) has two independent mechanisms for discovering available updates:
- `apt-get -s dist-upgrade` (using a custom filtered source list)
- Ubuntu Pro Client API (via `uaclient.api.u.pro.packages.updates.v1`)
When building the security-classification source list, the extension filters each deb line with a simple substring check (AptitudePackageManager.py:186):

```python
if base_classification == Constants.PackageClassification.SECURITY and "security" not in line:
    continue
```
The FIPS updates repo uses suite name "jammy-updates", not "jammy-security":

```
deb https://esm.ubuntu.com/fips-updates/ubuntu jammy-updates main
```
So it gets excluded from the security source list. Other ESM repos survive because
they have "-security" suites (jammy-apps-security, jammy-infra-security).
During DISCOVERY, the Pro Client independently finds the FIPS openssh packages
(classified as "standard-security") and they get merged into the combined package
list. The log shows them as "Pro Client only updates."
During INSTALLATION, the Pro Client is not involved. The extension calls (AptitudePackageManager.py:486-490):

```
install_security_updates_azgps_coordinated() ->
    apt-get -y --only-upgrade true dist-upgrade
```
This rebuilds the same filtered security source list (without the FIPS repo).
apt resolves openssh-server from jammy-security instead, installing the non-FIPS
version.
Summary: discovery uses Pro Client (FIPS-aware), installation uses apt with a
filtered source list (not FIPS-aware). The two paths are not coordinated.
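To make the root cause concrete, the following added example (not code from the LinuxPatchExtension project) reproduces the substring check over a constructed sources list and contrasts it with a filter that parses each deb line's suite and origin; `FIPS_ORIGINS` and the parsing helper are assumptions, not anything the extension implements.

```python
# Added example, not code from the LinuxPatchExtension project: it reproduces
# the substring check described in the report over a constructed sources list
# and contrasts it with a filter that parses the deb line's suite and origin.

# Constructed sample sources.list; the FIPS line matches the one in the report.
SAMPLE_SOURCES = """\
deb http://archive.ubuntu.com/ubuntu jammy main restricted
deb http://archive.ubuntu.com/ubuntu jammy-updates main restricted
deb http://security.ubuntu.com/ubuntu jammy-security main restricted
deb https://esm.ubuntu.com/apps/ubuntu jammy-apps-security main
deb https://esm.ubuntu.com/infra/ubuntu jammy-infra-security main
deb https://esm.ubuntu.com/fips-updates/ubuntu jammy-updates main
"""

# Hypothetical list of repository origins whose updates are treated as
# security-relevant even though their suite name lacks "-security" (assumption).
FIPS_ORIGINS = ("esm.ubuntu.com/fips-updates",)


def parse_deb_line(line):
    """Split a one-line-style source entry into (uri, suite, components).

    Returns None for comments, blank lines and non-deb entries. An optional
    '[arch=amd64 ...]' options block after 'deb' is skipped.
    """
    parts = line.strip().split()
    if not parts or parts[0] not in ("deb", "deb-src"):
        return None
    idx = 1
    if parts[idx].startswith("["):
        while not parts[idx].endswith("]"):
            idx += 1
        idx += 1
    return parts[idx], parts[idx + 1], parts[idx + 2:]


def substring_filter(sources):
    """The check the report describes: keep a line only if it contains 'security'."""
    return [l for l in sources.splitlines() if l.startswith("deb") and "security" in l]


def suite_aware_filter(sources, security_origins=FIPS_ORIGINS):
    """Keep lines whose suite ends in '-security', plus known security origins."""
    kept = []
    for line in sources.splitlines():
        parsed = parse_deb_line(line)
        if parsed is None:
            continue
        uri, suite, _ = parsed
        if suite.endswith("-security") or any(o in uri for o in security_origins):
            kept.append(line.strip())
    return kept
```

With the constructed list, `substring_filter` keeps three lines and silently drops the FIPS repo, while `suite_aware_filter` keeps the FIPS line and still excludes the ordinary archive `jammy-updates` suite.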