Project

Profile

Help

Task #3638

closed

Pulp - Story #3637: As a user, I can run pulp in a FIPS-enabled environment

Get crane running in a FIPS enabled environment

Added by daviddavis almost 6 years ago. Updated almost 5 years ago.

Status:
CLOSED - COMPLETE
Priority:
Normal
Assignee:
Start date:
Due date:
% Done:

0%

Estimated time:
Platform Release:
Target Release - Crane:
Groomed:
No
Sprint Candidate:
No
Tags:
Pulp 2
Sprint:
Sprint 39
Quarter:

Description

This work might not be necessary. Check with @thomasmckay.


Related issues

Related to Docker Support - Task #3752: Confirm that pulp_docker works in FIPS modeCLOSED - COMPLETE

Actions
Actions #1

Updated by daviddavis almost 6 years ago

  • Project changed from Pulp to Docker Support
Actions #2

Updated by tomckay@redhat.com almost 6 years ago

Foreman will still need crane for smart-proxy. The addition of a docker v2 api to foreman server itself will make it possible to avoid using crane (with some additional work required in foreman) there.

Actions #3

Updated by daviddavis almost 6 years ago

  • Sprint set to Sprint 37
Actions #4

Updated by rchan almost 6 years ago

  • Sprint changed from Sprint 37 to Sprint 38
Actions #5

Updated by daviddavis almost 6 years ago

  • Project changed from Docker Support to Crane
Actions #6

Updated by daviddavis almost 6 years ago

  • Related to Task #3752: Confirm that pulp_docker works in FIPS mode added
Actions #7

Updated by rchan almost 6 years ago

  • Sprint changed from Sprint 38 to Sprint 39
Actions #8

Updated by dkliban@redhat.com almost 6 years ago

Test instructions:

This requires installing docker. I recommend installing it on a Fedora 27 VM (F27)

1. Install docker
2. Start docker daemon
3. run "docker pull registry" - this should pull down the registry image that you can run in step 4
4. Deploy registry on localhost by following example here: https://docs.docker.com/registry/deploying/
5. Copy the ubuntu image into the registry by continuing the example ^

Now on the same F27 machine install Pulp 2.16.2

6. pulp-admin docker repo create --feed http://127.0.0.1:5000 --upstream-name ubuntu --repo-id mydocker2
7. pulp-admin docker repo sync run --repo-id mydocker2
8. sudo docker pull localhost:5001/mydocker2

Now on a FIPS enabled RHEL install Pulp 2.16.2

9. pulp-admin docker repo create --feed http://<f27 ip>:5000 --upstream-name ubuntu --repo-id mydocker2
10. pulp-admin docker repo sync run --repo-id mydocker2

Now on a Fedora 27 machine

11. sudo docker pull <rhel7 ip>:5001/mydocker2

Actions #9

Updated by daviddavis over 5 years ago

  • Status changed from NEW to ASSIGNED
  • Assignee set to ragbalak
Actions #11

Updated by ragbalak over 5 years ago

Hi Team,

Have verified this fix on a RHEL Fips enabled VM. Had to make some modifications in order to get this working.
These are the steps that I followed

1. Had Pulp-2.16 stable installed in a RHEL Machine with FIPS enabled
2. Had Pulp-2.17 nightly installed in F27 machine
3. Both machines should have a hostname configured

4. Install docker on the fedora machine ( since this has to pull images from crane server on rhel machine)

dnf -y install docker

5. Once docker is installed, set it to accept images from untrusted registries (ie. the pulp repository)

# we can add  both pulp and docker registries of both f27 and rhel, so that the docker can pull from any of these registries with no issues 
echo  '{"insecure-registries" : ["<rhel_machine_host_name>:5000", '<rhel_machine_host_name>:5001', "<f27_machine_host_name>:5000", '<f27_machine_host_name>:5001'    ]}' >> /etc/docker/daemon.json

6. Once docker is installed, and configured to use insecure registries, start the docker daemon

systemctl start docker

7.create a local registry and start it on port 5001 ( since pulp by default runs on 5000)

# this adds private registry image 
docker pull registry
# start the registry image in local docker container on port 5001 and also the registry should be listening on port 5001
docker run  docker run -d  -e REGISTRY_HTTP_ADDR=0.0.0.0:5001  -p 5001:5001  --name registry2 registry
# Lets add another image that we will be using throughout this test
docker pull ubuntu # this pulls the image from the docker hub
# Let us then add this image to the local docker registry
docker tag ubuntu <f27_machine_host_name>:5001/my-ubuntu
docker push <f27_machine_host_name>:5001/my-ubuntu # this adds the image to the local registry
# now we can remove the images as it is added to the local registry
docker image remove *ubuntu

8. Once the image is added in the docker registry, we can check whether pulp can make use of this image from the f27 docker registry
9. For this, login to the Rhel7 machine
10. login to the pulp-admin
11.Create the feed of this pulp-admin to point to the fedora machine docker registry and sync the content to make it available in the local pulp repo

# creating a pulp repo with name mydocker2
pulp-admin docker repo create --feed http://<fedora_machine_host_name>:5001 --upstream-name my-ubuntu --repo-id mydocker2
# sync the repo for downloading the content from the docker registry
pulp-admin docker repo sync run --repo-id mydocker2

# Now the content should have been made available in pulp server. This can be checked using
pulp-admin docker repo list

12. Once the content is present in Rhel machine(FIPS) Pulp repo, we can check whether the fedora machine's docker is able to get this content (via crane - as this gives the docker content in the pulp ).
13 Login back to Fedora machine and do the following

docker pull <Rhel7-machine_host_name>:5000/mydocker2

14. This step should add content in the local docker , which can be checked by running

docker image list

15. This ensures that crane works properly in a FIPS enabled system , thereby allowing remote systems to get pulp docker content.
16. As a sanity check, the roles of rhel and fedora can be reversed and tested, with fedora having the pulp content and doing a docker pull from rhel machine.

Actions #12

Updated by ragbalak over 5 years ago

  • Status changed from ASSIGNED to CLOSED - COMPLETE
Actions #13

Updated by bmbouter almost 5 years ago

  • Tags Pulp 2 added

Also available in: Atom PDF