Bug 1760434
| Field | Value |
|---|---|
| Summary | [fips] pcsd fails to start in fips mode due to OpenSSL::PKey::DHError |
| Product | Red Hat Enterprise Linux 7 |
| Component | pcs |
| Version | 7.8 |
| Status | CLOSED ERRATA |
| Severity | unspecified |
| Priority | high |
| Reporter | Patrik Hagara <phagara> |
| Assignee | Tomas Jelinek <tojeline> |
| QA Contact | cluster-qe <cluster-qe> |
| CC | cfeist, cluster-maint, idevat, mlisik, mmazoure, mpospisi, omular, tojeline |
| Target Milestone | rc |
| Keywords | Regression |
| Hardware | Unspecified |
| OS | Unspecified |
| Type | Bug |
| Fixed In Version | pcs-0.9.168-2.el7 |
| Doc Type | Bug Fix |
| Doc Text | Previously, pcsd always generated a custom Diffie-Hellman key at startup, with a default length of 1024 bits. That length is not accepted when FIPS mode is enabled, so the generation failed and pcsd did not start. After the fix, pcsd generates the DH key only when one is requested by setting a custom key length (PCSD_SSL_DH_KEX_BITS) in /etc/sysconfig/pcsd. This allows pcsd to start with its default configuration even when FIPS is enabled. |
| Last Closed | 2020-03-31 19:09:41 UTC |
Description of problem:
> Oct 10 12:00:59 virt-028 systemd[1]: Starting PCS GUI and remote configuration interface...
> Oct 10 12:01:01 virt-028 systemd[1]: Created slice User Slice of root.
> Oct 10 12:01:01 virt-028 systemd[1]: Started Session 2 of user root.
> Oct 10 12:01:01 virt-028 CROND[3621]: (root) CMD (run-parts /etc/cron.hourly)
> Oct 10 12:01:01 virt-028 run-parts(/etc/cron.hourly)[3624]: starting 0anacron
> Oct 10 12:01:01 virt-028 anacron[3631]: Anacron started on 2019-10-10
> Oct 10 12:01:01 virt-028 anacron[3631]: Will run job `cron.daily' in 8 min.
> Oct 10 12:01:01 virt-028 anacron[3631]: Will run job `cron.weekly' in 28 min.
> Oct 10 12:01:01 virt-028 anacron[3631]: Will run job `cron.monthly' in 48 min.
> Oct 10 12:01:01 virt-028 anacron[3631]: Jobs will be executed sequentially
> Oct 10 12:01:01 virt-028 run-parts(/etc/cron.hourly)[3633]: finished 0anacron
> Oct 10 12:01:01 virt-028 abrt[3597]: detected unhandled Ruby exception in '/usr/lib/pcsd/pcsd'
> Oct 10 12:01:07 virt-028 kernel: TECH PREVIEW: eBPF syscall may not be fully supported.
> Please review provided documentation for limitations.
> Oct 10 12:01:08 virt-028 crontab[4216]: (root) LIST (root)
> Oct 10 12:01:10 virt-028 systemd[1]: Starting Hostname Service...
> Oct 10 12:01:10 virt-028 dbus[701]: [system] Activating via systemd: service name='org.freedesktop.hostname1' unit='dbus-org.freedesktop.hostname1.service'
> Oct 10 12:01:10 virt-028 dbus[701]: [system] Successfully activated service 'org.freedesktop.hostname1'
> Oct 10 12:01:10 virt-028 systemd[1]: Started Hostname Service.
> Oct 10 12:01:14 virt-028 systemd[1]: Got automount request for /proc/sys/fs/binfmt_misc, triggered by 4555 (sysctl)
> Oct 10 12:01:14 virt-028 systemd[1]: Mounting Arbitrary Executable File Formats File System...
> Oct 10 12:01:14 virt-028 systemd[1]: Mounted Arbitrary Executable File Formats File System.
> Oct 10 12:01:14 virt-028 kernel: nr_pdflush_threads exported in /proc is scheduled for removal
> Oct 10 12:01:20 virt-028 kernel: warning: `turbostat' uses 32-bit capabilities (legacy support in use)
> Oct 10 12:01:32 virt-028 root[5362]: 2019-10-10 12:01:32 /usr/bin/rhts-test-runner.sh 25243 180 hearbeat...
> Oct 10 12:02:29 virt-028 systemd[1]: pcsd.service start operation timed out. Terminating.
> Oct 10 12:02:29 virt-028 pcsd[3597]: /usr/lib/pcsd/ssl.rb:162:in `generate': BN lib (OpenSSL::PKey::DHError)
> Oct 10 12:02:29 virt-028 pcsd[3597]: from /usr/lib/pcsd/ssl.rb:162:in `<top (required)>'
> Oct 10 12:02:29 virt-028 pcsd[3597]: from /usr/share/rubygems/rubygems/core_ext/kernel_require.rb:55:in `require'
> Oct 10 12:02:29 virt-028 pcsd[3597]: from /usr/share/rubygems/rubygems/core_ext/kernel_require.rb:55:in `require'
> Oct 10 12:02:29 virt-028 pcsd[3597]: from /usr/lib/pcsd/pcsd:14:in `<main>'
> Oct 10 12:02:29 virt-028 systemd[1]: Failed to start PCS GUI and remote configuration interface.
> Oct 10 12:02:29 virt-028 systemd[1]: Unit pcsd.service entered failed state.
> Oct 10 12:02:29 virt-028 systemd[1]: pcsd.service failed.

Version-Release number of selected component (if applicable):
pcs-0.9.168-1.el7
pacemaker-1.1.21-2.el7
corosync-2.4.5-4.el7

How reproducible: always

Steps to Reproduce:
1. enable fips
2. try creating a cluster

Actual results:

Expected results:

Additional info:

Workaround: set PCSD_SSL_DH_KEX_BITS=2048 in /etc/sysconfig/pcsd

Created attachment 1626766
proposed fix

After Fix
[mule76 ~] $ rpm -q pcs
pcs-0.9.168-2.el7.x86_64
[mule76 ~] $ cat /proc/sys/crypto/fips_enabled
1
[mule76 ~] $ systemctl stop pcsd
[mule76 ~] $ systemctl start pcsd
[mule76 ~] $ systemctl status pcsd
● pcsd.service - PCS GUI and remote configuration interface
   Loaded: loaded (/usr/lib/systemd/system/pcsd.service; enabled; vendor preset: disabled)
   Active: active (running) since Fri 2019-10-18 13:00:09 CEST; 4s ago
...
[mule76 ~] $ pcs status pcsd mule76
mule76: Online

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.
https://access.redhat.com/errata/RHBA-2020:0996
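The following Ruby script is an added example, not pcsd's own code, and is not taken from this bug's attachment. It models the decision pcsd makes at startup before and after the fix described in the Doc Text and the workaround comment: whether to call OpenSSL::PKey::DH.generate at all, and with how many bits. The facts it relies on come from the bug (the pre-fix 1024-bit default, the PCSD_SSL_DH_KEX_BITS setting in /etc/sysconfig/pcsd, that 1024 bits fails and 2048 bits works under FIPS, and /proc/sys/crypto/fips_enabled as the FIPS indicator). The function names, the FIPS_MIN_DH_BITS constant, the outcome symbols and the sample config text are assumptions made for the example.

```ruby
# Added example, not pcsd's own code: models the DH-parameter decision that
# /usr/lib/pcsd/ssl.rb makes at startup, before and after the fix in this bug.
# Facts taken from the bug: the pre-fix default of 1024 bits, the
# PCSD_SSL_DH_KEX_BITS setting, and that 2048 bits works under FIPS.
# Everything else (function names, the constant, the sample config) is assumed.
require 'openssl'

# Smallest DH modulus this example treats as acceptable under FIPS. The bug shows
# 1024 bits failing and 2048 bits working; the real cut-off is OpenSSL's FIPS policy.
FIPS_MIN_DH_BITS = 2048

# FIPS state as the kernel reports it (the same file the "After Fix" comment reads).
def fips_enabled?(proc_path = '/proc/sys/crypto/fips_enabled')
  File.exist?(proc_path) && File.read(proc_path).strip == '1'
end

# Parse PCSD_SSL_DH_KEX_BITS out of /etc/sysconfig/pcsd-style KEY=VALUE text.
# Returns nil when the variable is absent, commented out or empty.
def dh_kex_bits(sysconfig_text)
  sysconfig_text.each_line do |raw|
    line = raw.strip
    next if line.empty? || line.start_with?('#')
    key, value = line.split('=', 2)
    next unless key.strip == 'PCSD_SSL_DH_KEX_BITS'
    value = value.to_s.strip.delete('"\'')
    return value.empty? ? nil : Integer(value, 10)
  end
  nil
end

# pcs-0.9.168-1 behaviour: always generate, falling back to 1024 bits.
def dh_bits_before_fix(sysconfig_text)
  dh_kex_bits(sysconfig_text) || 1024
end

# pcs-0.9.168-2 behaviour: generate only when the admin asked for it.
def dh_bits_after_fix(sysconfig_text)
  dh_kex_bits(sysconfig_text)
end

# Predict whether pcsd would come up with this config and FIPS state.
#   :starts_without_custom_dh  no DH generation attempted (post-fix default)
#   :starts_with_custom_dh     generation attempted with an acceptable size
#   :fails_dh_generation       OpenSSL would raise OpenSSL::PKey::DHError
def startup_check(sysconfig_text, fips:, fixed:)
  bits = fixed ? dh_bits_after_fix(sysconfig_text) : dh_bits_before_fix(sysconfig_text)
  return :starts_without_custom_dh if bits.nil?
  return :fails_dh_generation if fips && bits < FIPS_MIN_DH_BITS
  :starts_with_custom_dh
end

# The call that raised at ssl.rb:162, wrapped so the failure names the remedy.
# Generating 2048-bit parameters takes seconds to minutes; run it deliberately.
def generate_dh_params(bits)
  OpenSSL::PKey::DH.generate(bits)
rescue OpenSSL::PKey::DHError => e
  raise "OpenSSL refused #{bits}-bit DH parameter generation (#{e.message}); " \
        "set PCSD_SSL_DH_KEX_BITS=#{FIPS_MIN_DH_BITS} or leave it unset"
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample of /etc/sysconfig/pcsd with the workaround applied.
  sample = "# constructed sample\nPCSD_SSL_DH_KEX_BITS=2048\n"
  puts "unfixed, default config, FIPS on: #{startup_check('', fips: true, fixed: false)}"
  puts "fixed,   default config, FIPS on: #{startup_check('', fips: true, fixed: true)}"
  puts "unfixed, workaround,     FIPS on: #{startup_check(sample, fips: true, fixed: false)}"
  puts "this host (FIPS=#{fips_enabled?}): #{startup_check(sample, fips: fips_enabled?, fixed: true)}"
end
```

The pre-fix path fails under FIPS with an empty /etc/sysconfig/pcsd because the 1024-bit fallback is applied unconditionally; the post-fix path returns nil for the same input and skips generation, which is exactly why the fixed package starts with its default configuration in the "After Fix" session above. Setting PCSD_SSL_DH_KEX_BITS=1024 explicitly on a FIPS host still fails after the fix, so the workaround value must stay at 2048 or higher.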