Story #3778: [Epic] As a user, I can run Pulp 3 in a FIPS-enabled environment
Ensure all pulpcore dependencies are FIPS compatible
Users need to install pulpcore in a FIPS compatible environments, therefore all dependencies need to be FIPS compatible. Django specifically we know is not FIPS compatible.
Test pulpcore and it's dependencies in the CentOS 8 pulplift FIPS environment. Then for any dependencies that are not FIPS compatible, develop a patch and then contribute that patch in one of the following ways listed further down.
Developing the patch before contributing it¶
Use a fork of the dependency and apply your patch to a branch on top of the tag Pulp uses as it's dependency. So for example, for Django we use the latest 2.2 tag. So apply the patch onto a forked Django 2.2.16.
Adding these branches to the pulplift environment¶
We need the pulplift EL7 and EL8 environments to use these branches instead of the ones from PyPI. For example the CI job in pulp_installer for FIPS EL7 and EL8 fail due to Django not being patched.
Where to go with a patch once its finalized?¶
Two things should be done for each patch:
- Contribute the patch to upstream. This will cause both PyPI and RPM packaged versions to be FIPS compatible.
- Produce a .patch file to be included in anyone's RPM and store it in the pulp-packaging repo.
Updated by bmbouter over 3 years ago
- Tracker changed from Story to Task
- Subject changed from As an installer user, I can install a FIPS compatible environment to Ensure all pulpcore dependencies are FIPS compatible
- Description updated (diff)
- Category deleted (
Installer - Moved to GitHub issues)
Updated by bmbouter about 3 years ago
Here's the patch that AWX was using to get their Django working: https://github.com/ansible/awx/blob/devel/awx/__init__.py#L37-L54