Task #3650
closed
Story #3637: As a user, I can run pulp in a FIPS-enabled environment
Create a FIPS-enabled devel environment
0%
Updated by daviddavis over 6 years ago
I found some FIPS-enabled boxes for Vagrant[0] but they only support VirtualBox. I think we'll have to roll our own libvirt FIPS boxes.
[0] https://app.vagrantup.com/boxes/search?utf8=%E2%9C%93&sort=downloads&provider=&q=fips
Updated by daviddavis over 6 years ago
Instructions to enable FIPS are here:
It basically requires setting a kernel parameter.
Updated by daviddavis over 6 years ago
dalley, good find. I pinged ehelms because Katello supports multiple OSes for the dev environment. He recommended either using the generic Ansible package module[0] or add checks to see what family of OS you're on.
[0] I think it's this http://docs.ansible.com/ansible/latest/modules/package_module.html
Updated by dalley over 6 years ago
- Status changed from NEW to ASSIGNED
- Assignee set to dalley
I got it working (the development environment, not Pulp)
Use this branch: https://github.com/pulp/devel/tree/fips
I grafted the FIPS enablement steps from katello/forklift. During the FIPS enablement process the VM restarts, and when it comes back up Vagrant doesn't re-mount the shared folders (which, the ansible scripts need in order to create the editable installs.
So, the one little pinprick when using this environment is that you need to keep an eye on the ansible progress, and once it finishes rebooting for FIPS enablement and begins the normal Pulp provisioning steps, in another terminal you need to run the command "vagrant sshfs --mount".
That will re-mount the shared folders if you are using SSHFS. I don't use NFS anymore so I don't know the process, there.
Near the end of provisioning, it does throw some FIPS related errors, but that is where our real work will need to begin and not part of this task
pulp2_dev: creating link: /etc/yum/pluginconf.d/pulp-profile-update.conf pointing to /home/vagrant/devel/pulp_rpm/handlers/etc/yum/pluginconf.d/pulp-profile-update.conf
pulp2_dev: creating link: /usr/share/pulp-rpm pointing to /home/vagrant/devel/pulp_rpm/plugins/usr/share/pulp-rpm
pulp2_dev: creating link: /usr/lib/yum-plugins/pulp-profile-update.py pointing to /home/vagrant/devel/pulp_rpm/handlers/usr/lib/yum-plugins/pulp-profile-update.py
pulp2_dev: ~/devel ~
pulp2_dev: Adjusting facls for apache
pulp2_dev: Starting more services
pulp2_dev: Created symlink from /etc/systemd/system/multi-user.target.wants/goferd.service to /usr/lib/systemd/system/goferd.service.
pulp2_dev: Created symlink from /etc/systemd/system/multi-user.target.wants/httpd.service to /usr/lib/systemd/system/httpd.service.
pulp2_dev: Failed to execute operation: Too many levels of symbolic links
pulp2_dev: Failed to execute operation: Too many levels of symbolic links
pulp2_dev: Failed to execute operation: Too many levels of symbolic links
pulp2_dev: Traceback (most recent call last):
pulp2_dev: File "/bin/pulp-manage-db", line 9, in <module>
pulp2_dev: load_entry_point('pulp-server==2.17a1', 'console_scripts', 'pulp-manage-db')()
pulp2_dev: File "/usr/lib/python2.7/site-packages/pkg_resources.py", line 378, in load_entry_point
pulp2_dev: return get_distribution(dist).load_entry_point(group, name)
pulp2_dev: File "/usr/lib/python2.7/site-packages/pkg_resources.py", line 2566, in load_entry_point
pulp2_dev: return ep.load()
pulp2_dev: File "/usr/lib/python2.7/site-packages/pkg_resources.py", line 2260, in load
pulp2_dev: entry = __import__(self.module_name, globals(),globals(), ['__name__'])
pulp2_dev: File "/home/vagrant/devel/pulp/server/pulp/server/db/manage.py", line 14, in <module>
pulp2_dev: from pulp.plugins.loader.api import load_content_types
pulp2_dev: File "/home/vagrant/devel/pulp/server/pulp/plugins/loader/api.py", line 7, in <module>
pulp2_dev: from pulp.plugins.loader.manager import PluginManager
pulp2_dev: File "/home/vagrant/devel/pulp/server/pulp/plugins/loader/manager.py", line 9, in <module>
pulp2_dev: from pulp.server.db.model import ContentUnit
pulp2_dev: File "/home/vagrant/devel/pulp/server/pulp/server/db/model/__init__.py", line 13, in <module>
pulp2_dev: from mongoengine import (BooleanField, DictField, Document, DynamicField, IntField,
pulp2_dev: File "/usr/lib/python2.7/site-packages/mongoengine/__init__.py", line 1, in <module>
pulp2_dev: import document
pulp2_dev: File "/usr/lib/python2.7/site-packages/mongoengine/document.py", line 2, in <module>
pulp2_dev: import pymongo
pulp2_dev: File "/usr/lib64/python2.7/site-packages/pymongo/__init__.py", line 83, in <module>
pulp2_dev: from pymongo.collection import ReturnDocument
pulp2_dev: File "/usr/lib64/python2.7/site-packages/pymongo/collection.py", line 21, in <module>
pulp2_dev: from bson.code import Code
pulp2_dev: File "/usr/lib64/python2.7/site-packages/bson/__init__.py", line 43, in <module>
pulp2_dev: from bson.objectid import ObjectId
pulp2_dev: File "/usr/lib64/python2.7/site-packages/bson/objectid.py", line 55, in <module>
pulp2_dev: class ObjectId(object):
pulp2_dev: File "/usr/lib64/python2.7/site-packages/bson/objectid.py", line 62, in ObjectId
pulp2_dev: _machine_bytes = _machine_bytes()
pulp2_dev: File "/usr/lib64/python2.7/site-packages/bson/objectid.py", line 38, in _machine_bytes
pulp2_dev: machine_hash = hashlib.md5()
pulp2_dev: ValueError: error:060800A3:digital envelope routines:EVP_DigestInit_ex:disabled for fips
pulp2_dev: There was an internal server error while trying to access the Pulp application.
pulp2_dev: One possible cause is that the database needs to be migrated to the latest
pulp2_dev: version. If this is the case, run pulp-manage-db and restart the services. More
pulp2_dev: information may be found in Apache's log.
Updated by dalley over 6 years ago
- Status changed from ASSIGNED to CLOSED - COMPLETE
Updated by rchan over 6 years ago
- Sprint changed from Sprint 37 to Sprint 36
Moving back to Sprint 36 since this got finished.
.