Project

Profile

Help

Task #6984

Story #3778: [Epic] As a user, I can run Pulp 3 in a FIPS-enabled environment

Ensure all pulpcore dependencies are FIPS compatible

Added by bmbouter 10 months ago. Updated 7 months ago.

Status:
CLOSED - CURRENTRELEASE
Priority:
Normal
Assignee:
Category:
-
Sprint/Milestone:
Start date:
Due date:
% Done:

0%

Estimated time:
Platform Release:
Groomed:
No
Sprint Candidate:
No
Tags:
Sprint:
Quarter:

Description

Background

Users need to install pulpcore in a FIPS compatible environments, therefore all dependencies need to be FIPS compatible. Django specifically we know is not FIPS compatible.

The Plan

Test pulpcore and it's dependencies in the CentOS 8 pulplift FIPS environment. Then for any dependencies that are not FIPS compatible, develop a patch and then contribute that patch in one of the following ways listed further down.

Developing the patch before contributing it

Use a fork of the dependency and apply your patch to a branch on top of the tag Pulp uses as it's dependency. So for example, for Django we use the latest 2.2 tag. So apply the patch onto a forked Django 2.2.16.

Adding these branches to the pulplift environment

We need the pulplift EL7 and EL8 environments to use these branches instead of the ones from PyPI. For example the CI job in pulp_installer for FIPS EL7 and EL8 fail due to Django not being patched.

Where to go with a patch once its finalized?

Two things should be done for each patch:

  1. Contribute the patch to upstream. This will cause both PyPI and RPM packaged versions to be FIPS compatible.
  2. Produce a .patch file to be included in anyone's RPM and store it in the pulp-packaging repo.

History

#1 Updated by bmbouter 10 months ago

  • Parent task set to #3778

#2 Updated by bmbouter 10 months ago

  • Tracker changed from Story to Task
  • Subject changed from As an installer user, I can install a FIPS compatible environment to Ensure all pulpcore dependencies are FIPS compatible
  • Description updated (diff)
  • Category deleted (Installer)

#3 Updated by mdellweg 7 months ago

  • Status changed from NEW to ASSIGNED
  • Assignee set to mdellweg

#4 Updated by bmbouter 7 months ago

Here's the patch that AWX was using to get their Django working: https://github.com/ansible/awx/blob/devel/awx/__init__.py#L37-L54

#5 Updated by bmbouter 7 months ago

  • Description updated (diff)

#7 Updated by bmbouter 7 months ago

  • Sprint/Milestone set to 3.7.0

#8 Updated by mdellweg 7 months ago

  • Status changed from ASSIGNED to MODIFIED

#9 Updated by bmbouter 7 months ago

  • Status changed from MODIFIED to CLOSED - CURRENTRELEASE

Please register to edit this issue

Also available in: Atom PDF