Project

Profile

Help

Issue #3156

pulp-manage-db fails to run on FIPS enabled system.

Added by pthomas@redhat.com almost 3 years ago. Updated 4 months ago.

Status:
CLOSED - WONTFIX
Priority:
Normal
Assignee:
-
Category:
-
Sprint/Milestone:
-
Start date:
Due date:
Estimated time:
Severity:
2. Medium
Version:
Platform Release:
OS:
Triaged:
Yes
Groomed:
No
Sprint Candidate:
No
Tags:
Pulp 2
Sprint:
Quarter:

Description

Installing pulp 2.14.3 on a FIPS enabled system fails on pulp-manage-db

 rpm -qa |grep pulp
python-isodate-0.5.0-4.pulp.el7.noarch
python-pulp-docker-common-3.0.2-1.el7.noarch
python-pulp-repoauth-2.14.3-1.el7.noarch
pulp-puppet-plugins-2.14.3-1.el7.noarch
python-pulp-bindings-2.14.3-1.el7.noarch
pulp-rpm-admin-extensions-2.14.3-1.el7.noarch
python-pulp-python-common-2.0.2-1.el7.noarch
pulp-python-plugins-2.0.2-1.el7.noarch
python-pulp-common-2.14.3-1.el7.noarch
python-kombu-3.0.33-8.pulp.el7.noarch
python-pulp-rpm-common-2.14.3-1.el7.noarch
python-pulp-puppet-common-2.14.3-1.el7.noarch
pulp-selinux-2.14.3-1.el7.noarch
python-pulp-oid_validation-2.14.3-1.el7.noarch
pulp-docker-plugins-3.0.2-1.el7.noarch
pulp-rpm-plugins-2.14.3-1.el7.noarch
pulp-admin-client-2.14.3-1.el7.noarch
pulp-docker-admin-extensions-3.0.2-1.el7.noarch
python-pulp-ostree-common-1.3.0-1.el7.noarch
pulp-ostree-admin-extensions-1.3.0-1.el7.noarch
pulp-python-admin-extensions-2.0.2-1.el7.noarch
pulp-server-2.14.3-1.el7.noarch
python-pulp-client-lib-2.14.3-1.el7.noarch
pulp-puppet-admin-extensions-2.14.3-1.el7.noarch
pulp-ostree-plugins-1.3.0-1.el7.noarch

Steps

1.  On a FIPS enabled system, Install pulp 2.14.3 (latest stable)
2. Follow the installation steps
3. Run sudo -u apache pulp-manage-db

Actual Result

sudo -u apache pulp-manage-db
Traceback (most recent call last):
  File "/bin/pulp-manage-db", line 9, in <module>
    load_entry_point('pulp-server==2.14.3', 'console_scripts', 'pulp-manage-db')()
  File "/usr/lib/python2.7/site-packages/pkg_resources.py", line 378, in load_entry_point
    return get_distribution(dist).load_entry_point(group, name)
  File "/usr/lib/python2.7/site-packages/pkg_resources.py", line 2566, in load_entry_point
    return ep.load()
  File "/usr/lib/python2.7/site-packages/pkg_resources.py", line 2260, in load
    entry = __import__(self.module_name, globals(),globals(), ['__name__'])
  File "/usr/lib/python2.7/site-packages/pulp/server/db/manage.py", line 14, in <module>
    from pulp.plugins.loader.api import load_content_types
  File "/usr/lib/python2.7/site-packages/pulp/plugins/loader/api.py", line 7, in <module>
    from pulp.plugins.loader.manager import PluginManager
  File "/usr/lib/python2.7/site-packages/pulp/plugins/loader/manager.py", line 9, in <module>
    from pulp.server.db.model import ContentUnit
  File "/usr/lib/python2.7/site-packages/pulp/server/db/model/__init__.py", line 12, in <module>
    from mongoengine import (BooleanField, DictField, Document, DynamicField, IntField,
  File "/usr/lib/python2.7/site-packages/mongoengine/__init__.py", line 1, in <module>
    import document
  File "/usr/lib/python2.7/site-packages/mongoengine/document.py", line 2, in <module>
    import pymongo
  File "/usr/lib64/python2.7/site-packages/pymongo/__init__.py", line 83, in <module>
    from pymongo.collection import ReturnDocument
  File "/usr/lib64/python2.7/site-packages/pymongo/collection.py", line 21, in <module>
    from bson.code import Code
  File "/usr/lib64/python2.7/site-packages/bson/__init__.py", line 43, in <module>
    from bson.objectid import ObjectId
  File "/usr/lib64/python2.7/site-packages/bson/objectid.py", line 55, in <module>
    class ObjectId(object):
  File "/usr/lib64/python2.7/site-packages/bson/objectid.py", line 62, in ObjectId
    _machine_bytes = _machine_bytes()
  File "/usr/lib64/python2.7/site-packages/bson/objectid.py", line 38, in _machine_bytes
    machine_hash = hashlib.md5()
ValueError: error:060800A3:digital envelope routines:EVP_DigestInit_ex:disabled for fips

History

#2 Updated by mhrivnak almost 3 years ago

The problem appears to be that pymongo cannot run on a FIPS-enabled machine. It hard fails just by importing it. There will need to be an investigation into whether there is some option for making pymongo work.

The MongoDB docs are not very promising either: "Only MongoDB Enterprise edition supports FIPS mode."

https://docs.mongodb.com/manual/tutorial/configure-fips/#prerequisites

Python 2.7.5 (default, May  3 2017, 07:55:04) 
[GCC 4.8.5 20150623 (Red Hat 4.8.5-14)] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> import pymongo
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/usr/lib64/python2.7/site-packages/pymongo/__init__.py", line 83, in <module>
    from pymongo.collection import ReturnDocument
  File "/usr/lib64/python2.7/site-packages/pymongo/collection.py", line 21, in <module>
    from bson.code import Code
  File "/usr/lib64/python2.7/site-packages/bson/__init__.py", line 43, in <module>
    from bson.objectid import ObjectId
  File "/usr/lib64/python2.7/site-packages/bson/objectid.py", line 55, in <module>
    class ObjectId(object):
  File "/usr/lib64/python2.7/site-packages/bson/objectid.py", line 62, in ObjectId
    _machine_bytes = _machine_bytes()
  File "/usr/lib64/python2.7/site-packages/bson/objectid.py", line 38, in _machine_bytes
    machine_hash = hashlib.md5()
ValueError: error:060800A3:digital envelope routines:EVP_DigestInit_ex:disabled for fips

#3 Updated by dalley almost 3 years ago

  • Status changed from NEW to CLOSED - WONTFIX
  • Triaged changed from No to Yes

#4 Updated by bmbouter over 1 year ago

  • Tags Pulp 2 added

Please register to edit this issue

Also available in: Atom PDF