Clarify FIPS-compliant Landscape deployment details #82
Collaborator
Also, later in the guide we push people to using Quickstart or Manual installations - is this not supposed to be the case for FIPS-compliance?
Contributor
Author
Manual installations are for reference; Quickstart is only suitable for users who acknowledge it's for small estates due to the inefficiency introduced by enabling FIPS.
Collaborator
@rajannpatel that makes sense, but what I'm getting at is that in the "Install and configure Landscape for FIPS-compliant deployments" section, we explicitly tell users to use Quickstart or Manual, but the introduction you added tells users to use the charm. So that section needs to be edited as well if this is the case (that users should be using Juju for FIPS).
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,9 +1,11 @@ | ||
| (how-to-install-fips-compliant)= | ||
| # How to install on FIPS-compliant machines | ||
| # How to install a FIPS-compliant Landscape Server | ||
Collaborator
I don't think this is precise though - (AFAIK) it's not Landscape that's actually FIPS-certified. If you prefer it to be more clear that it's for Landscape Server in the title, how about "How to install Landscape Server on FIPS-compliant machines"? Would that solve what you're getting at?
| This document provides the Landscape-specific steps needed for a FIPS-compliant Landscape deployment. The FIPS-compliant process is quite similar to the standard installation process. | ||
| This document provides the Landscape-specific steps needed for a FIPS-compliant Landscape deployment. The FIPS-compliant process is quite similar to the standard installation process. | ||
| ## Install and configure Landscape for FIPS-compliant deployments | ||
| Note that for FIPS-compliant deployments, Landscape Quickstart isn't suitable for large estates (over a few hundred machines). This is due to some performance configuration introduced by the `openssl` 3.0 package which incorporates delays. To manage a large, FIPS-compliant estate, use the Juju deployment method, which allows for horizontal scaling to overcome this limitation. | ||
| ## The FIPS-compliant Landscape Quickstart deployment checklist | ||
Collaborator
The heading would ideally be more action-oriented for a how-to guide, like what it was previously ("Install and configure Landscape for FIPS-compliant deployments"). Why did you suggest changing it? I'm open to changing the title if you have a concern about the old one, I'm just not sure what issue you're addressing with your new title, so I don't have a recommendation for a new one.

But also - you specify Quickstart in this one, when this section applies to Quickstart and Manual.
Collaborator
Note: This concern isn't relevant anymore if we switch to my sample structure provided in a later comment.
| Use the {ref}`Quickstart <how-to-quickstart-installation>` or {ref}`Manual <how-to-manual-installation>` installation guides, with the following changes: | ||
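Review bot: the note added under the Quickstart section explains the size limit as "some performance configuration introduced by the `openssl` 3.0 package which incorporates delays", which is too vague for a reader choosing between Quickstart and Juju; name the specific behaviour (or link the reference it comes from) and say what the "a few hundred machines" threshold is based on. The section heading was also changed from "## Install and configure Landscape for FIPS-compliant deployments" to "## The FIPS-compliant Landscape Quickstart deployment checklist" while the first instruction under it still reads "Use the Quickstart or Manual installation guides", so either the heading should cover Manual as well or the Manual reference should move. The intro sentence appears as both a removed and an added line with no visible difference, which suggests a whitespace-only edit; check that it is intentional.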
@@ -23,6 +25,26 @@ If you're {ref}`configuring Postfix for emails <how-to-configure-postfix>`, add | |
| By default, Postfix uses MD5 hashes with the TLS for backward compatibility. In FIPS mode, the MD5 hashing function is not available. SHA-256 is a secure cryptographic hash function that can be used with FIPS. | ||
| ## The FIPS-compliant Landscape Juju deployment checklist | ||
Collaborator
Is cloud-init how users should be installing charmed Landscape for FIPS-compliant deployments? Asking because I'm not sure, and if yes, it introduces some new, notable information to the doc.

I'd rather not fully separate the two sections (deb vs charm) because there's shared information between the two. How you have it now, a user could jump to the juju section, and they'd miss the postfix part.

If we should keep the cloud-init part and include juju installs more prominently, a better structure for the doc could be:
If you're happy with that structure, I can push in changes to your PR to restructure the existing information in this format, and we could go from there. Just let me know
Contributor
Author
I need an engineer to sanity-check this cloud-init stuff, because I'm going off what the Support Knowbot told me.
Collaborator
@rajannpatel ok, please tag me or re-request my review when you're ready for me to move forward on it (to review again or to change the structure based on my previous comment).
| - Specify that FIPS should be enabled within a cloud-init.yaml file | ||
| ```yaml | ||
| #cloud-config | ||
| ubuntu_pro: | ||
| token: <ubuntu_pro_token> | ||
| enable: | ||
| - fips-updates | ||
| ``` | ||
| - Ensure that every new machine Juju provisions in this model will have FIPS enabled at first boot, by using this cloud-init.yaml file as the model config in Juju: | ||
| ```bash | ||
| juju model-config --file cloudinit-userdata.yaml | ||
| ``` | ||
| - Follow the [Juju installation steps](../juju-installation/). | ||
| ## Related topics | ||
| Outside of Landscape, there are additional steps you may need when setting up your full FIPS-compliant deployment. See the following related topics: | ||
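Review bot: the new Juju checklist names the file inconsistently: the first bullet tells the reader to enable FIPS in a `cloud-init.yaml` file, but the command that follows is `juju model-config --file cloudinit-userdata.yaml`; use one name throughout. More importantly, a file passed to `juju model-config --file` is read as a map of model-config keys, so the raw `#cloud-config` document shown will not set the `cloudinit-userdata` key on its own; the file needs the user data nested under that key as a string, i.e. `cloudinit-userdata: |` followed by the indented cloud-config block. The `<ubuntu_pro_token>` placeholder should be stated as the reader's own Ubuntu Pro token, and the last bullet links to `../juju-installation/` as a relative path while the rest of the page uses `{ref}` targets (see the Quickstart and Manual links above), so it should use the same cross-reference style.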