Task #3638

Pulp - Story #3637: As a user, I can run pulp in a FIPS-enabled environment

Get crane running in a FIPS enabled environment

Added by daviddavis over 2 years ago. Updated almost 2 years ago.

Tags: Pulp 2
Sprint: Sprint 39


This work might not be necessary. Check with @thomasmckay.

Related issues

Related to Docker Support - Task #3752: Confirm that pulp_docker works in FIPS mode (CLOSED - COMPLETE)


#1 Updated by daviddavis over 2 years ago

  • Project changed from Pulp to Docker Support

#2 Updated by over 2 years ago

Foreman will still need crane for smart-proxy. The addition of a docker v2 api to foreman server itself will make it possible to avoid using crane (with some additional work required in foreman) there.

#3 Updated by daviddavis over 2 years ago

  • Sprint set to Sprint 37

#4 Updated by rchan over 2 years ago

  • Sprint changed from Sprint 37 to Sprint 38

#5 Updated by daviddavis over 2 years ago

  • Project changed from Docker Support to Crane

#6 Updated by daviddavis over 2 years ago

  • Related to Task #3752: Confirm that pulp_docker works in FIPS mode added

#7 Updated by rchan over 2 years ago

  • Sprint changed from Sprint 38 to Sprint 39

#8 Updated by over 2 years ago

Test instructions:

This requires installing docker. I recommend installing it on a Fedora 27 VM (F27)

1. Install docker
2. Start docker daemon
3. Run "docker pull registry" - this should pull down the registry image that you can run in step 4
4. Deploy registry on localhost by following example here:
5. Copy the ubuntu image into the registry by continuing the example ^

Now on the same F27 machine install Pulp 2.16.2

6. pulp-admin docker repo create --feed --upstream-name ubuntu --repo-id mydocker2
7. pulp-admin docker repo sync run --repo-id mydocker2
8. sudo docker pull localhost:5001/mydocker2

Now on a FIPS enabled RHEL install Pulp 2.16.2

9. pulp-admin docker repo create --feed http://<f27 ip>:5000 --upstream-name ubuntu --repo-id mydocker2
10. pulp-admin docker repo sync run --repo-id mydocker2

Now on a Fedora 27 machine

11. sudo docker pull <rhel7 ip>:5001/mydocker2

#9 Updated by daviddavis over 2 years ago

  • Status changed from NEW to ASSIGNED
  • Assignee set to ragbalak

#11 Updated by ragbalak over 2 years ago

Hi Team,

Have verified this fix on a FIPS-enabled RHEL VM. Had to make some modifications in order to get this working.
These are the steps that I followed:

1. Had Pulp-2.16 stable installed on a RHEL machine with FIPS enabled
2. Had Pulp-2.17 nightly installed on an F27 machine
3. Both machines should have a hostname configured

4. Install docker on the Fedora machine (since this has to pull images from the crane server on the RHEL machine)

dnf -y install docker

5. Once docker is installed, set it to accept images from untrusted registries (i.e. the pulp repository)

# we can add both the pulp and docker registries of both f27 and rhel, so that docker can pull from any of these registries with no issues
# the whole JSON document is single-quoted for the shell, so every string inside it must use double quotes;
# the file is written (not appended to), because appending to an existing daemon.json leaves invalid JSON and docker will not start
echo '{"insecure-registries": ["<rhel_machine_host_name>:5000", "<rhel_machine_host_name>:5001", "<f27_machine_host_name>:5000", "<f27_machine_host_name>:5001"]}' > /etc/docker/daemon.json

6. Once docker is installed, and configured to use insecure registries, start the docker daemon

systemctl start docker

7. Create a local registry and start it on port 5001 (since pulp by default runs on 5000)

# this pulls the private registry image
docker pull registry
# start the registry in a local docker container on port 5001; the registry itself must also listen on 5001
# (the REGISTRY_HTTP_ADDR value was missing from the posted command and is filled in from that listening-port requirement)
docker run -d -e REGISTRY_HTTP_ADDR=0.0.0.0:5001 -p 5001:5001 --name registry2 registry
# Let's add another image that we will be using throughout this test
docker pull ubuntu # this pulls the image from the docker hub
# Let us then add this image to the local docker registry
docker tag ubuntu <f27_machine_host_name>:5001/my-ubuntu
docker push <f27_machine_host_name>:5001/my-ubuntu # this adds the image to the local registry
# now we can remove the local copies, as the image has been added to the local registry
# (docker does not expand globs such as *ubuntu, so both tags are named explicitly)
docker image remove ubuntu <f27_machine_host_name>:5001/my-ubuntu

8. Once the image is added to the docker registry, we can check whether pulp can make use of this image from the f27 docker registry
9. For this, log in to the RHEL7 machine
10. Log in to pulp-admin
11. Create the feed of this pulp repo to point to the Fedora machine's docker registry and sync the content to make it available in the local pulp repo

# creating a pulp repo with name mydocker2
pulp-admin docker repo create --feed http://<fedora_machine_host_name>:5001 --upstream-name my-ubuntu --repo-id mydocker2
# sync the repo for downloading the content from the docker registry
pulp-admin docker repo sync run --repo-id mydocker2

# Now the content should have been made available in pulp server. This can be checked using
pulp-admin docker repo list

12. Once the content is present in the RHEL (FIPS) machine's pulp repo, we can check whether the Fedora machine's docker is able to get this content (via crane, as this serves the docker content in pulp).
13. Log back in to the Fedora machine and do the following

docker pull <Rhel7-machine_host_name>:5000/mydocker2

14. This step should add content to the local docker, which can be checked by running

docker image list

15. This ensures that crane works properly in a FIPS-enabled system, thereby allowing remote systems to get pulp docker content.
16. As a sanity check, the roles of rhel and fedora can be reversed and tested, with fedora having the pulp content and doing a docker pull from rhel machine.
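
A small helper script, added here as an example and not part of the ticket or the Pulp project, for two points in the procedure above: it writes the insecure-registries daemon.json without the quoting and append problems of a hand-typed echo, and it checks that the host really reports FIPS mode before the test is run. The function names and the optional path argument to fips_enabled are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not the ticket's own code): build the Docker daemon.json for the
# insecure-registries step and check the kernel FIPS flag on the RHEL host.

# Print a valid daemon.json body listing every host:port passed as an argument,
# e.g. insecure_registries_json rhel.example:5000 f27.example:5001
insecure_registries_json() {
    out='{"insecure-registries": ['
    sep=''
    for reg in "$@"; do
        out="$out$sep\"$reg\""
        sep=', '
    done
    printf '%s]}\n' "$out"
}

# Write (never append) the config file: appending to an existing daemon.json
# produces invalid JSON and the docker daemon refuses to start.
write_daemon_json() {
    file="$1"
    shift
    insecure_registries_json "$@" > "$file"
}

# Return 0 when the kernel reports FIPS mode on. The optional path argument is
# only for testing; the real file is /proc/sys/crypto/fips_enabled.
fips_enabled() {
    f="${1:-/proc/sys/crypto/fips_enabled}"
    [ -r "$f" ] && [ "$(cat "$f")" = "1" ]
}

# Usage on the Fedora machine (hostnames are placeholders):
#   write_daemon_json /etc/docker/daemon.json rhel.example:5000 rhel.example:5001 f27.example:5001
# Usage on the RHEL machine before starting the sync:
#   fips_enabled && echo "FIPS mode on" || echo "FIPS mode off: test is not meaningful"
```

Restart docker after writing daemon.json so the daemon picks up the new registry list.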

#12 Updated by ragbalak over 2 years ago

  • Status changed from ASSIGNED to CLOSED - COMPLETE

#13 Updated by bmbouter almost 2 years ago

  • Tags Pulp 2 added
