Project

Profile

Help

Issue #8095

closed

Task #7960: FIPS and support for ALLOWED_CONTENT_CHECKSUMS

geerlingguy.postgresql role (pulp_installer) now errors under FIPS mode

Added by mdepaulo@redhat.com over 1 year ago. Updated over 1 year ago.

Status:
MODIFIED
Priority:
Normal
Assignee:
Category:
Installer - Moved to GitHub issues
Sprint/Milestone:
-
Start date:
Due date:
Estimated time:
Severity:
2. Medium
Version:
Platform Release:
OS:
Triaged:
Yes
Groomed:
No
Sprint Candidate:
No
Tags:
Sprint:
Sprint 91
Quarter:

Description

This 3rd party ansible role, a dependency of by pulp_installer, has a recent regression.

It was introduced between 2.2.1 and its subsequent version, 3.0.0.

Revert commit (role) is here on my branch: https://github.com/mikedep333/ansible-role-postgresql/commit/6d83e1dcb6ff4b5146d6e7025bf100c0e7b09134

Upstream (role) bug report: https://github.com/geerlingguy/ansible-role-postgresql/issues/153

Upstream (module) bug report: https://github.com/ansible-collections/community.postgresql/issues/39


Related issues

Related to Pulp - Task #7884: Move the pulp_installer Vagrant tests off TravisCLOSED - CURRENTRELEASEmdepaulo@redhat.com

Actions
Related to Pulp - Story #8154: As an EL7 pulp_installer user, I use a newer version of postgres than 9.6CLOSED - CURRENTRELEASEfao89

Actions
Actions #1

Updated by mdepaulo@redhat.com over 1 year ago

  • Related to Task #7884: Move the pulp_installer Vagrant tests off Travis added
Actions #2

Updated by mdepaulo@redhat.com over 1 year ago

  • Subject changed from geerlingguy.postgresql role (pulp_installer) now errors under FIPS mode on CentOS 7 to geerlingguy.postgresql role (pulp_installer) now errors under FIPS mode on CentOS 8
Actions #3

Updated by mdepaulo@redhat.com over 1 year ago

  • Description updated (diff)
Actions #4

Updated by mdepaulo@redhat.com over 1 year ago

  • Assignee set to mdepaulo@redhat.com

I am developing a fix that I plan to submit to upstream. https://github.com/mikedep333/ansible-role-postgresql/commits/fips-and-qemu-fixes

It requires the latest community.postgresql module. It works by setting an environment variable PGOPTIONS (for SHA256) when postgresql 10.

I plan to make it controllable via a variable for that role.

Note that we cannot pass the env var to the role from our role (include role with "apply:" "environment:") because the task has become on it. become overrides higher level environment settings.

Also note that this will require either Ansible 2.10, or installing the latest community.postgresql collection onto Ansible 2.9, and actually have our installer use it on 2.9.

Actions #5

Updated by mdepaulo@redhat.com over 1 year ago

  • Description updated (diff)
Actions #6

Updated by mdepaulo@redhat.com over 1 year ago

  • Subject changed from geerlingguy.postgresql role (pulp_installer) now errors under FIPS mode on CentOS 8 to geerlingguy.postgresql role (pulp_installer) now errors under FIPS mode
Actions #7

Updated by mdepaulo@redhat.com over 1 year ago

I was mistaken about this only affecting CentOS 8, it affects CentOS 7 also.

More worryingly, CentOS 7's postgres 9.6 (from an SCL) only supports non-FIPS-compliant MD5 password hashes.

Therefore, my fix in development to use SHA256 will not suffice.

For the sake of #7884, I will continue to use the old version of the role. Which I suspect uses plaintext passwords.

ASK [geerlingguy.postgresql : Ensure PostgreSQL users are configured correctly.] ***
An exception occurred during task execution. To see the full traceback, use -vvv. The error was: ValueError: error:060800A3:digital envelope routines:EVP_DigestInit_ex:disabled for fips
failed: [pulp3-sandbox-centos7-fips] (item={'name': 'pulp', 'password': 'pulp', 'role_attr_flags': 'CREATEDB'}) => {"ansible_loop_var": "item", "changed": false, "item": {"name": "pulp", "password": "pulp", "role_attr_flags": "CREATEDB"}, "module_stderr": "Traceback (most recent call last):
  File \"<stdin>\", line 102, in <module>
  File \"<stdin>\", line 94, in _ansiballz_main
  File \"<stdin>\", line 40, in invoke_module
  File \"/usr/lib64/python2.7/runpy.py\", line 176, in run_module
    fname, loader, pkg_name)
  File \"/usr/lib64/python2.7/runpy.py\", line 82, in _run_module_code
    mod_name, mod_fname, mod_loader, pkg_name)
  File \"/usr/lib64/python2.7/runpy.py\", line 72, in _run_code
    exec code in run_globals
  File \"/tmp/ansible_postgresql_user_payload_0hSOAq/ansible_postgresql_user_payload.zip/ansible/modules/database/postgresql/postgresql_user.py\", line 974, in <module>
  File \"/tmp/ansible_postgresql_user_payload_0hSOAq/ansible_postgresql_user_payload.zip/ansible/modules/database/postgresql/postgresql_user.py\", line 921, in main
  File \"/tmp/ansible_postgresql_user_payload_0hSOAq/ansible_postgresql_user_payload.zip/ansible/modules/database/postgresql/postgresql_user.py\", line 384, in user_alter
  File \"/tmp/ansible_postgresql_user_payload_0hSOAq/ansible_postgresql_user_payload.zip/ansible/modules/database/postgresql/postgresql_user.py\", line 350, in user_should_we_change_password
ValueError: error:060800A3:digital envelope routines:EVP_DigestInit_ex:disabled for fips
", "module_stdout": "", "msg": "MODULE FAILURE

Actions #8

Updated by mdepaulo@redhat.com over 1 year ago

  • Related to Story #8154: As an EL7 pulp_installer user, I use a newer version of postgres than 9.6 added
Actions #9

Updated by mdepaulo@redhat.com over 1 year ago

  • Triaged changed from No to Yes
Actions #10

Updated by fao89 over 1 year ago

  • Status changed from NEW to ASSIGNED
  • Assignee changed from mdepaulo@redhat.com to fao89
Actions #12

Updated by mdepaulo@redhat.com over 1 year ago

I started working on a fix, in the role: https://github.com/mikedep333/ansible-role-postgresql/commits/fips-and-qemu-fixes

It requires the latest version of the ansible postgresql module, so I get it from the collection.

It works by setting environment variables rather than a proper module variable. That is the feature added to the module.

IIRC, it fails on CentOS 7 though. I forget exactly, I was surprised because I thought CentOS 7 worked previously. Note that we are using postgres 9.6 on CentOS 7, and 9.6 does not support SHA256, only MD5. That would be why.

Actions #14

Updated by daviddavis over 1 year ago

  • Sprint set to Sprint 90
Actions #15

Updated by rchan over 1 year ago

  • Sprint changed from Sprint 90 to Sprint 91
Actions #17

Updated by fao89 over 1 year ago

  • Status changed from POST to MODIFIED

Also available in: Atom PDF