Bug 1636251
| Field | Value |
|---|---|
| Summary | ceph-keys fails if RHEL is configured in FIPS mode |
| Product | [Red Hat Storage] Red Hat Ceph Storage |
| Component | RADOS |
| Version | 3.2 |
| Status | CLOSED ERRATA |
| Severity | high |
| Priority | high |
| Reporter | subhash <vpoliset> |
| Assignee | Radoslaw Zarzynski <rzarzyns> |
| QA Contact | subhash <vpoliset> |
| Docs Contact | Erin Donnelly <edonnell> |
| CC | anharris, aschoen, bhubbard, bniver, ceph-eng-bugs, degts, dzafman, edonnell, flucifre, gmeno, hnallurv, jbiao, jbrier, jcall, jdurgin, kchai, mbenjamin, mmanjuna, mwatts, nmavrogi, nojha, nthomas, rrelyea, rzarzyns, sankarshan, shan, swells, tchandra, tserlin, vpoliset, vumrao, ykaul |
| Target Milestone | z2 |
| Target Release | 3.2 |
| Hardware | Unspecified |
| OS | Unspecified |
| Fixed In Version | RHEL: ceph-12.2.8-111.el7cp Ubuntu: ceph_12.2.8-86redhat1 |
| Doc Type | Bug Fix |
| Last Closed | 2019-04-30 15:56:43 UTC |
| Type | Bug |
| Bug Blocks | 1629656 |

Doc Text:

.Ceph installation no longer fails when FIPS mode is enabled
Previously, installing {product} using the `ceph-ansible` utility failed at `TASK [ceph-mon : create monitor initial keyring]` when FIPS mode was enabled. To resolve this bug, the symmetric cipher cryptographic key is now wrapped with a one-shot wrapping key before it is used to instantiate the cipher. This allows {product} to install normally when FIPS mode is enabled.
Comment 3
Sébastien Han
2018-10-10 16:01:47 UTC
It would be useful to see the output from the two tasks that run before the task whose output is in this ticket, just to rule out anything there. Those tasks would be:

- name: generate monitor initial keyring
- name: read monitor initial keyring if it already exists

Seb: In the end it looks like there is a silent error preventing the keyring from being created or from being placed into the correct location. That is handled by the `ceph_key.py` helper, but in the trace above there isn't any output that'd indicate an error or bad behavior. Is there a way to turn up logging level? I think if not, then it is going to require reproducing that locally to work through `ceph_key.py` to find the source of the issue. Does that sound plausible/reasonable?

This is probably not a ceph-ansible bug.

*** Bug 1636364 has been marked as a duplicate of this bug. ***

This is a priority for 3.2Z2. And the fix needs to merge into 4.x builds as well.

(In reply to Federico Lucifredi from comment #16)
> This is a priority for 3.2Z2. And the fix needs to merge into 4.x builds as
> well.

I have created this one for 4.0 - https://bugzilla.redhat.com/show_bug.cgi?id=1684272

Noticed the on_qa flag was set. Excellent! Would it be beneficial to Engineering for the customer to test this in their environment prior to release? May help ensure all issues are resolved. If yes, please set needinfo to me (swells) and I'll loop in the account team (Carolyn Heeley <cheeley>) to figure out procedurally how to do the pre-release testing. If not, no worries. Wanted to make the offer!

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2019:0911