Project

Profile

Help

Task #6984

closed

Story #3778: [Epic] As a user, I can run Pulp 3 in a FIPS-enabled environment

Ensure all pulpcore dependencies are FIPS compatible

Added by bmbouter over 4 years ago. Updated about 4 years ago.

Status:
CLOSED - CURRENTRELEASE
Priority:
Normal
Assignee:
Category:
-
Sprint/Milestone:
Start date:
Due date:
% Done:

0%

Estimated time:
Platform Release:
Groomed:
No
Sprint Candidate:
No
Tags:
Sprint:
Quarter:

Description

Background

Users need to install pulpcore in a FIPS compatible environments, therefore all dependencies need to be FIPS compatible. Django specifically we know is not FIPS compatible.

The Plan

Test pulpcore and it's dependencies in the CentOS 8 pulplift FIPS environment. Then for any dependencies that are not FIPS compatible, develop a patch and then contribute that patch in one of the following ways listed further down.

Developing the patch before contributing it

Use a fork of the dependency and apply your patch to a branch on top of the tag Pulp uses as it's dependency. So for example, for Django we use the latest 2.2 tag. So apply the patch onto a forked Django 2.2.16.

Adding these branches to the pulplift environment

We need the pulplift EL7 and EL8 environments to use these branches instead of the ones from PyPI. For example the CI job in pulp_installer for FIPS EL7 and EL8 fail due to Django not being patched.

Where to go with a patch once its finalized?

Two things should be done for each patch:

  1. Contribute the patch to upstream. This will cause both PyPI and RPM packaged versions to be FIPS compatible.
  2. Produce a .patch file to be included in anyone's RPM and store it in the pulp-packaging repo.
Actions #1

Updated by bmbouter over 4 years ago

  • Parent issue set to #3778
Actions #2

Updated by bmbouter over 4 years ago

  • Tracker changed from Story to Task
  • Subject changed from As an installer user, I can install a FIPS compatible environment to Ensure all pulpcore dependencies are FIPS compatible
  • Description updated (diff)
  • Category deleted (Installer - Moved to GitHub issues)
Actions #3

Updated by mdellweg over 4 years ago

  • Status changed from NEW to ASSIGNED
  • Assignee set to mdellweg
Actions #4

Updated by bmbouter over 4 years ago

Here's the patch that AWX was using to get their Django working: https://github.com/ansible/awx/blob/devel/awx/__init__.py#L37-L54

Actions #5

Updated by bmbouter over 4 years ago

  • Description updated (diff)
Actions #7

Updated by bmbouter over 4 years ago

  • Sprint/Milestone set to 3.7.0
Actions #8

Updated by mdellweg over 4 years ago

  • Status changed from ASSIGNED to MODIFIED
Actions #9

Updated by bmbouter about 4 years ago

  • Status changed from MODIFIED to CLOSED - CURRENTRELEASE

Also available in: Atom PDF