FIPS 140-3
This release includes fixes to support FIPS 140-3 in WALinuxAgent.
Support for FIPS 140-3 requires updates to other components on top of WALinuxAgent; the "FIPS 140-3" column in the tables below shows "Enabled" when all those components have been deployed to the corresponding stage.
These are the VM extensions that currently support FIPS 140-3. We will add to this list as more extensions become available. Using those extensions with FIPS 140-3 requires an explicit opt-in; we will post details about the opt-in process within a few days.
- Microsoft.Azure.Extensions.CustomScript
- Microsoft.CPlat.Core.RunCommandLinux
- Microsoft.CPlat.ProxyAgentLinux
- Microsoft.CPlat.ProxyAgentLinuxArm64
- Microsoft.GuestConfiguration.ConfigurationForLinux
- Microsoft.ManagedServices.ApplicationHealthLinux
- Microsoft.OSTCExtensions.VMAccessForLinux
Agent and Extension Policy:
- #3259 Block extensions disallowed by policy
- #3321 Report ext policy errors in heartbeat
- #3331 Implement signature validation helper functions
Provisioning:
- #3309 Apply patch to prevent ssh public key override
- #3158 Use proper filesystem creation flag for btrfs
Resource Governance Improvements and Bug Fixes:
- #3316 Enable resource monitoring in cgroup v2 machines
- #3341 Update agent cgroup cleanup
- #3349 Add cgroupv2 distros to supported list
- #3361 Clean old agent cgroup setup
Security improvements:
Misc.:
- #3339 Add conf option to use hardcoded wireserver ip instead of dhcp request to discover wireserver ip
- #3337 Support for python 3.12
- #3345 Update telemetry message for agent updates and send new telemetry for ext resource governance
- #3346 Disable rsm downgrade
- #3338 #3353 Add community support for Chainguard OS
- #3141 Swap out legacycrypt for crypt-r for Python 3.13+
- #3358 Pin setuptools version
- #3384 #3385 Set the agent config file path for FreeBSD
- #3386 Handle errors importing crypt module
E2E Tests:
- #3285 Update offer name for AlmaLinux
- #3289 Suppress error messages from GuestConfiguration
- #3292 Suppress systemd errors in e2e tests
- #3291 Skip AlmaLinux on scale set tests
- #3295 Remove reference to uninitialized variable
- #3302 Suppress message for expected error in e2e test
- #3304 Mark AMA ext as not supported on suse
- #3308 Refresh certs
- #3311 Add retry logic for ExtPolicy "ResourceNotFound" test failure
- #3312 Improve ext dependencies scenarios to share scaleset
- #3314 Add Python 2 unicode strings to regex check [CheckAgentLog]
- #3315 Evaluate distro remotely [no outbound connections test suite]
- #3319 add support for alma 8
- #3320 Wait for timeout for ExtPolicy disallowed delete test case
- #3326 suppress agent cgroup warning for v2
- #3327 Skip ext policy test case on flatcar
- #3328 suppress cgroup warn
- #3330 ignore systemctl error
- #3329 disable default outbound access
- #3332 rollback testing in agent publish scenario
- #3336 ignore systemd failure in e2e tests
- #3348 Do not install Python for end-to-end tests
- #3351 Update RHEL versions in end-to-end tests
- #3352 Mark images not available on all clouds
- #3354 Ext sequencing scenario should get utc timestamp for test case start
- #3357 ignore cgroup systemd errors
- #3350 Add e2e agent removal scenario
- #3359 Skip publish hostname test on RHEL 8.10
- #3362 ubuntu_2404_arm64 is not available in nat clouds
- #3360 Add fix for ExtPolicyWithDependencies e2e test
- #3375 Use HHTPS on requests to ifconfig.io
- #3377 Add sleep test
- #3379 Update SUSE versions on end-to-end tests
- #3382 Skip sles-12-sp5 on China Cloud
Unit Tests:
- #3284 Create Azure Pipeline for Python 2.6 & 3.4 Unit Tests
- #3296 Enable unit tests for Python 2.6 & 3.4 on Github Actions
- #3299 fix random time pick
- #3300 Cleanup Github Actions workflow for Unit Tests
- #3303 Do not skip tests on Python 2.6 & 3.4
- #3305 Fix unit test failures when run on containers
- #3333 Add time.sleep mock to fix slow UT
- #3340 Fix signature validation UT failure
- #3343 Use Ubuntu 24 for the Unit Tests workflow
Deployment schedule - Public
| Stage | Regions | Deployment Start | FIPS 140-3 |
|---|---|---|---|
| Canary | Central US EUAP, East US 2 EUAP | 05/29/2025 14:32:55 UTC | Enabled |
| Pilot | West Central US, East Asia | 06/05/2025 15:47:09 UTC | |
| Medium | UK South | 06/09/2025 21:17:01 UTC | |
| Large | North Europe | 06/11/2025 21:36:55 UTC | |
| Batch 1A-i | Australia East, Brazil South, France Central, Germany West Central | 06/16/2025 17:02:43 UTC | |
| Batch 1A-ii | Korea Central, North Central US, Norway East, Sweden Central, Switzerland North, West India | 06/17/2025 18:19:56 UTC | |
| Batch 1A-iii | Australia Central, Canada Central, Japan East, Jio India West | 06/19/2025 18:36:49 UTC | |
| Batch 1A-iv | Central India, South Africa North, UAE North, UK West | 06/23/2025 17:03:55 UTC | |
| Batch 1A-v | Australia Central 2, Brazil Southeast, Canada East, France South, Germany North, Japan West, Southeast Asia, West US 3 | 06/25/2025 16:39:52 UTC | |
| Batch 1B-i | Central US | 06/30/2025 17:57:01 UTC | |
| Batch 1B-ii | West Europe | 07/02/2025 17:18:48 UTC | |
| Batch 1B-iii | East US | 07/08/2025 14:59:17 UTC | |
| Batch 2A-i | Australia Southeast, Jio India Central, Korea South, Norway West, South Africa West, South Central US, South India, Sweden South, Switzerland West, UAE Central | 07/14/2025 17:00:36 UTC | |
| Batch 2A-ii | West US 2 | 07/15/2025 18:20:23 UTC | |
| Batch 2B-i | West US | 07/17/2025 18:23:21 UTC | |
| Batch 2B-ii | East US 2 | 07/23/2025 15:10:24 UTC | |
| All | Rest of the Public regions | 2025-07-29 16:04:38 UTC |
Deployment schedule - USGov
| Stage | Regions | Deployment Start |
|---|---|---|
| Stage 1 | USDoD Central | 2025-07-30 16:38:49 UTC |
| Stage 2 | USDoD East | |
| Stage 3 | USGov Texas | |
| Stage 4 | USGov Virginia, USGov Arizona | |
| All | Rest of the USGov regions |
Deployment schedule - China
| Stage | Regions | Deployment Start |
|---|---|---|
| Stage 1 | China North | |
| Stage 2 | China North, China North 2 | |
| Stage 3 | China East | |
| Stage 4 | China East 2 | |
| All | Rest of the China regions |