
Issue #8095

Task #7960: FIPS and support for ALLOWED_CONTENT_CHECKSUMS

geerlingguy.postgresql role (pulp_installer) now errors under FIPS mode

Added by mdepaulo@redhat.com 8 months ago. Updated 7 months ago.

Status: MODIFIED
Priority: Normal
Assignee:
Category: Installer
Sprint/Milestone: -
Start date:
Due date:
Estimated time:
Severity: 2. Medium
Version:
Platform Release:
OS:
Triaged: Yes
Groomed: No
Sprint Candidate: No
Tags:
Sprint: Sprint 91
Quarter:

Description

This third-party Ansible role, a dependency of pulp_installer, has a recent regression.

It was introduced between 2.2.1 and its subsequent version, 3.0.0.

Revert commit (role) is here on my branch: https://github.com/mikedep333/ansible-role-postgresql/commit/6d83e1dcb6ff4b5146d6e7025bf100c0e7b09134

Upstream (role) bug report: https://github.com/geerlingguy/ansible-role-postgresql/issues/153

Upstream (module) bug report: https://github.com/ansible-collections/community.postgresql/issues/39


Related issues

Related to Pulp - Task #7884: Move the pulp_installer Vagrant tests off Travis (CLOSED - CURRENTRELEASE)

Related to Pulp - Story #8154: As an EL7 pulp_installer user, I use a newer version of postgres than 9.6 (CLOSED - CURRENTRELEASE)


History

#1 Updated by mdepaulo@redhat.com 8 months ago

  • Related to Task #7884: Move the pulp_installer Vagrant tests off Travis added

#2 Updated by mdepaulo@redhat.com 8 months ago

  • Subject changed from geerlingguy.postgresql role (pulp_installer) now errors under FIPS mode on CentOS 7 to geerlingguy.postgresql role (pulp_installer) now errors under FIPS mode on CentOS 8

#3 Updated by mdepaulo@redhat.com 8 months ago

  • Description updated (diff)

#4 Updated by mdepaulo@redhat.com 8 months ago

  • Assignee set to mdepaulo@redhat.com

I am developing a fix that I plan to submit to upstream. https://github.com/mikedep333/ansible-role-postgresql/commits/fips-and-qemu-fixes

It requires the latest community.postgresql module. It works by setting an environment variable PGOPTIONS (for SHA256) when postgresql 10.

I plan to make it controllable via a variable for that role.

Note that we cannot pass the env var to the role from our role (include_role with "apply:" "environment:") because the task has "become" on it; become overrides higher-level environment settings.

Also note that this will require either Ansible 2.10, or installing the latest community.postgresql collection onto Ansible 2.9 and actually having our installer use it on 2.9.

#5 Updated by mdepaulo@redhat.com 8 months ago

  • Description updated (diff)

#6 Updated by mdepaulo@redhat.com 8 months ago

  • Subject changed from geerlingguy.postgresql role (pulp_installer) now errors under FIPS mode on CentOS 8 to geerlingguy.postgresql role (pulp_installer) now errors under FIPS mode

#7 Updated by mdepaulo@redhat.com 8 months ago

I was mistaken about this only affecting CentOS 8, it affects CentOS 7 also.

More worryingly, CentOS 7's postgres 9.6 (from an SCL) only supports non-FIPS-compliant MD5 password hashes.

Therefore, my fix in development to use SHA256 will not suffice.

For the sake of #7884, I will continue to use the old version of the role, which I suspect uses plaintext passwords.

TASK [geerlingguy.postgresql : Ensure PostgreSQL users are configured correctly.] ***
An exception occurred during task execution. To see the full traceback, use -vvv. The error was: ValueError: error:060800A3:digital envelope routines:EVP_DigestInit_ex:disabled for fips
failed: [pulp3-sandbox-centos7-fips] (item={'name': 'pulp', 'password': 'pulp', 'role_attr_flags': 'CREATEDB'}) => {"ansible_loop_var": "item", "changed": false, "item": {"name": "pulp", "password": "pulp", "role_attr_flags": "CREATEDB"}, "module_stderr": "Traceback (most recent call last):
  File \"<stdin>\", line 102, in <module>
  File \"<stdin>\", line 94, in _ansiballz_main
  File \"<stdin>\", line 40, in invoke_module
  File \"/usr/lib64/python2.7/runpy.py\", line 176, in run_module
    fname, loader, pkg_name)
  File \"/usr/lib64/python2.7/runpy.py\", line 82, in _run_module_code
    mod_name, mod_fname, mod_loader, pkg_name)
  File \"/usr/lib64/python2.7/runpy.py\", line 72, in _run_code
    exec code in run_globals
  File \"/tmp/ansible_postgresql_user_payload_0hSOAq/ansible_postgresql_user_payload.zip/ansible/modules/database/postgresql/postgresql_user.py\", line 974, in <module>
  File \"/tmp/ansible_postgresql_user_payload_0hSOAq/ansible_postgresql_user_payload.zip/ansible/modules/database/postgresql/postgresql_user.py\", line 921, in main
  File \"/tmp/ansible_postgresql_user_payload_0hSOAq/ansible_postgresql_user_payload.zip/ansible/modules/database/postgresql/postgresql_user.py\", line 384, in user_alter
  File \"/tmp/ansible_postgresql_user_payload_0hSOAq/ansible_postgresql_user_payload.zip/ansible/modules/database/postgresql/postgresql_user.py\", line 350, in user_should_we_change_password
ValueError: error:060800A3:digital envelope routines:EVP_DigestInit_ex:disabled for fips
", "module_stdout": "", "msg": "MODULE FAILURE
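The traceback above and the discussion in #4 and #7 come down to two password verifier formats: the legacy "md5" role password, which the module builds client-side with hashlib.md5 and which OpenSSL refuses in FIPS mode, and the SCRAM-SHA-256 verifier that PostgreSQL 10+ stores when password_encryption is scram-sha-256 (on 9.6 there is no SCRAM, which is why the PGOPTIONS approach cannot help on CentOS 7's SCL postgres). The block below is an added illustration written for this page; it is not code from the geerlingguy.postgresql role, pulp_installer or the community.postgresql module. It builds both verifier formats exactly as PostgreSQL stores them in pg_authid.rolpassword, checks a candidate password against either form the way a "should we change the password" comparison would, and fails loudly instead of tracebacking when MD5 is unavailable. The salt, the "pulp" credentials and the fips_safe_pgoptions helper are constructed for the example; the PGOPTIONS value is an assumption about the fix described in #4, not the role's actual variable.

```python
"""PostgreSQL role password verifiers: MD5 (non-FIPS) vs SCRAM-SHA-256 (FIPS-usable).

Added example for this issue thread, not project code. Assumes only the
Python standard library (hashlib/hmac/base64).
"""
import base64
import hashlib
import hmac
import os
from typing import Optional

# PostgreSQL's default iteration count for password_encryption = scram-sha-256
SCRAM_ITERATIONS = 4096


def md5_available() -> bool:
    """True if the OpenSSL behind hashlib will run MD5 at all.

    In FIPS mode hashlib.md5() raises ValueError
    ('digital envelope routines:EVP_DigestInit_ex:disabled for fips'),
    which is the exception in the traceback above.
    """
    try:
        hashlib.md5(b"")
        return True
    except ValueError:
        return False


def md5_verifier(username: str, password: str) -> str:
    """Legacy PostgreSQL verifier: 'md5' + hex(md5(password || username))."""
    try:
        digest = hashlib.md5((password + username).encode("utf-8")).hexdigest()
    except ValueError as exc:  # FIPS: MD5 disabled, fail with a clear message
        raise RuntimeError(
            "MD5 is disabled by FIPS mode; use password_encryption=scram-sha-256 "
            "(PostgreSQL >= 10)"
        ) from exc
    return "md5" + digest


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


def scram_sha256_verifier(password: str, salt: Optional[bytes] = None,
                          iterations: int = SCRAM_ITERATIONS) -> str:
    """Verifier PostgreSQL 10+ stores for SCRAM-SHA-256 (RFC 5802 keys).

    Format: SCRAM-SHA-256$<iterations>:<salt b64>$<StoredKey b64>:<ServerKey b64>
    Caveat: the server runs SASLprep on the password first; for ASCII
    passwords (as here) that is the identity, so it is omitted.
    """
    if salt is None:
        salt = os.urandom(16)  # PostgreSQL also uses a 16-byte random salt
    salted = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    client_key = hmac.new(salted, b"Client Key", hashlib.sha256).digest()
    stored_key = hashlib.sha256(client_key).digest()
    server_key = hmac.new(salted, b"Server Key", hashlib.sha256).digest()
    return f"SCRAM-SHA-256${iterations}:{_b64(salt)}${_b64(stored_key)}:{_b64(server_key)}"


def password_matches(username: str, password: str, stored: str) -> bool:
    """Compare a candidate password to a stored verifier of either format.

    Only the SCRAM path can run under FIPS; the md5 path raises RuntimeError there.
    """
    if stored.startswith("SCRAM-SHA-256$"):
        _, head, keys = stored.split("$", 2)
        iterations, salt_b64 = head.split(":", 1)
        stored_key_b64 = keys.split(":", 1)[0]
        candidate = scram_sha256_verifier(password, base64.b64decode(salt_b64), int(iterations))
        cand_stored_key_b64 = candidate.split("$", 2)[2].split(":", 1)[0]
        return hmac.compare_digest(cand_stored_key_b64, stored_key_b64)
    if stored.startswith("md5"):
        return hmac.compare_digest(md5_verifier(username, password), stored)
    # Plaintext rolpassword (pre-8.x clusters / older role behaviour): compare directly.
    return hmac.compare_digest(password, stored)


def fips_safe_pgoptions(server_major_version: int) -> str:
    """Hypothetical helper: PGOPTIONS value that makes CREATE/ALTER ROLE store SCRAM.

    Mirrors the limitation in #7: PostgreSQL 9.6 has no SCRAM, so there is no
    FIPS-compliant hash to ask for.
    """
    if server_major_version < 10:
        raise RuntimeError("PostgreSQL < 10 supports only md5 password hashing")
    return "-c password_encryption=scram-sha-256"


if __name__ == "__main__":
    # Constructed sample credentials from the failing loop item above.
    v = scram_sha256_verifier("pulp", salt=b"0123456789abcdef")
    print(v)
    print("scram ok:", password_matches("pulp", "pulp", v))
    print("md5 available:", md5_available())
    print(fips_safe_pgoptions(10))
```

Running this on a FIPS-enabled host prints `md5 available: False`, and md5_verifier raises the RuntimeError instead of the bare ValueError the module surfaced; on a non-FIPS host both paths work. The fixed salt is only there for reproducibility; real deployments must let os.urandom pick it.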

#8 Updated by mdepaulo@redhat.com 8 months ago

  • Related to Story #8154: As an EL7 pulp_installer user, I use a newer version of postgres than 9.6 added

#9 Updated by mdepaulo@redhat.com 8 months ago

  • Triaged changed from No to Yes

#10 Updated by fao89 7 months ago

  • Status changed from NEW to ASSIGNED
  • Assignee changed from mdepaulo@redhat.com to fao89

#12 Updated by mdepaulo@redhat.com 7 months ago

I started working on a fix, in the role: https://github.com/mikedep333/ansible-role-postgresql/commits/fips-and-qemu-fixes

It requires the latest version of the ansible postgresql module, so I get it from the collection.

It works by setting environment variables rather than a proper module variable. That is the feature added to the module.

IIRC, it fails on CentOS 7 though. I forget exactly; I was surprised because I thought CentOS 7 worked previously. Note that we are using postgres 9.6 on CentOS 7, and 9.6 does not support SHA256, only MD5. That would be why.

#14 Updated by daviddavis 7 months ago

  • Sprint set to Sprint 90

#15 Updated by rchan 7 months ago

  • Sprint changed from Sprint 90 to Sprint 91

#17 Updated by fao89 7 months ago

  • Status changed from POST to MODIFIED
