Issue #8095
closed
Task #7960: FIPS and support for ALLOWED_CONTENT_CHECKSUMS
geerlingguy.postgresql role (pulp_installer) now errors under FIPS mode
Description
This 3rd party ansible role, a dependency of by pulp_installer, has a recent regression.
It was introduced between 2.2.1 and its subsequent version, 3.0.0.
Revert commit (role) is here on my branch: https://github.com/mikedep333/ansible-role-postgresql/commit/6d83e1dcb6ff4b5146d6e7025bf100c0e7b09134
Upstream (role) bug report: https://github.com/geerlingguy/ansible-role-postgresql/issues/153
Upstream (module) bug report: https://github.com/ansible-collections/community.postgresql/issues/39
Related issues
Updated by mdepaulo@redhat.com over 3 years ago
- Related to Task #7884: Move the pulp_installer Vagrant tests off Travis added
Updated by mdepaulo@redhat.com about 3 years ago
- Subject changed from geerlingguy.postgresql role (pulp_installer) now errors under FIPS mode on CentOS 7 to geerlingguy.postgresql role (pulp_installer) now errors under FIPS mode on CentOS 8
Updated by mdepaulo@redhat.com about 3 years ago
- Assignee set to mdepaulo@redhat.com
I am developing a fix that I plan to submit to upstream. https://github.com/mikedep333/ansible-role-postgresql/commits/fips-and-qemu-fixes
It requires the latest community.postgresql module. It works by setting an environment variable PGOPTIONS (for SHA256) when postgresql 10.
I plan to make it controllable via a variable for that role.
Note that we cannot pass the env var to the role from our role (include role with "apply:" "environment:") because the task has become on it. become overrides higher level environment settings.
Also note that this will require either Ansible 2.10, or installing the latest community.postgresql collection onto Ansible 2.9, and actually have our installer use it on 2.9.
Updated by mdepaulo@redhat.com about 3 years ago
- Subject changed from geerlingguy.postgresql role (pulp_installer) now errors under FIPS mode on CentOS 8 to geerlingguy.postgresql role (pulp_installer) now errors under FIPS mode
Updated by mdepaulo@redhat.com about 3 years ago
I was mistaken about this only affecting CentOS 8, it affects CentOS 7 also.
More worryingly, CentOS 7's postgres 9.6 (from an SCL) only supports non-FIPS-compliant MD5 password hashes.
Therefore, my fix in development to use SHA256 will not suffice.
For the sake of #7884, I will continue to use the old version of the role. Which I suspect uses plaintext passwords.
ASK [geerlingguy.postgresql : Ensure PostgreSQL users are configured correctly.] ***
An exception occurred during task execution. To see the full traceback, use -vvv. The error was: ValueError: error:060800A3:digital envelope routines:EVP_DigestInit_ex:disabled for fips
failed: [pulp3-sandbox-centos7-fips] (item={'name': 'pulp', 'password': 'pulp', 'role_attr_flags': 'CREATEDB'}) => {"ansible_loop_var": "item", "changed": false, "item": {"name": "pulp", "password": "pulp", "role_attr_flags": "CREATEDB"}, "module_stderr": "Traceback (most recent call last):
File \"<stdin>\", line 102, in <module>
File \"<stdin>\", line 94, in _ansiballz_main
File \"<stdin>\", line 40, in invoke_module
File \"/usr/lib64/python2.7/runpy.py\", line 176, in run_module
fname, loader, pkg_name)
File \"/usr/lib64/python2.7/runpy.py\", line 82, in _run_module_code
mod_name, mod_fname, mod_loader, pkg_name)
File \"/usr/lib64/python2.7/runpy.py\", line 72, in _run_code
exec code in run_globals
File \"/tmp/ansible_postgresql_user_payload_0hSOAq/ansible_postgresql_user_payload.zip/ansible/modules/database/postgresql/postgresql_user.py\", line 974, in <module>
File \"/tmp/ansible_postgresql_user_payload_0hSOAq/ansible_postgresql_user_payload.zip/ansible/modules/database/postgresql/postgresql_user.py\", line 921, in main
File \"/tmp/ansible_postgresql_user_payload_0hSOAq/ansible_postgresql_user_payload.zip/ansible/modules/database/postgresql/postgresql_user.py\", line 384, in user_alter
File \"/tmp/ansible_postgresql_user_payload_0hSOAq/ansible_postgresql_user_payload.zip/ansible/modules/database/postgresql/postgresql_user.py\", line 350, in user_should_we_change_password
ValueError: error:060800A3:digital envelope routines:EVP_DigestInit_ex:disabled for fips
", "module_stdout": "", "msg": "MODULE FAILURE
Updated by mdepaulo@redhat.com about 3 years ago
- Related to Story #8154: As an EL7 pulp_installer user, I use a newer version of postgres than 9.6 added
Updated by fao89 about 3 years ago
- Status changed from NEW to ASSIGNED
- Assignee changed from mdepaulo@redhat.com to fao89
Updated by fao89 about 3 years ago
it seems it goes beyond the collection: https://stackoverflow.com/questions/12056994/enable-fips-on-postgresql-database
Updated by mdepaulo@redhat.com about 3 years ago
I started working on a fix, in the role: https://github.com/mikedep333/ansible-role-postgresql/commits/fips-and-qemu-fixes
It requires the latest version of the ansible postgresql module, so I get it from the collection.
It works by setting environment variables rather than a proper module variable. That is the feature added to the module.
IIRC, it fails on CentOS 7 though. I forget exactly, I was surprised because I thought CentOS 7 worked previously. Note that we are using postgres 9.6 on CentOS 7, and 9.6 does not support SHA256, only MD5. That would be why.
Updated by fao89 about 3 years ago
Updated by fao89 about 3 years ago
- Status changed from ASSIGNED to POST
.