Bug 1804232

Summary: Installation in FIPS mode fails on BareMetal IPI
Product: OpenShift Container Platform Reporter: Yurii Prokulevych <yprokule>
Component: InstallerAssignee: Stephen Benjamin <stbenjam>
Installer sub component: OpenShift on Bare Metal IPI QA Contact: Ori Michaeli <omichael>
Status: CLOSED ERRATA Docs Contact:
Severity: medium    
Priority: medium CC: augol, jkreger, omichael, rbartal, shardy, stbenjam, tsedovic, xiuwang
Version: 4.3.zKeywords: Triaged
Target Milestone: ---   
Target Release: 4.6.0   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Previously the baremetal IPI platform's provisioning services would not work when FIPS was enabled for a cluster. Now, the provisioning services support running while FIPS is enabled.
 Story Points: ---
Clone Of:
: 1812655 (view as bug list) Environment:
Last Closed: 2020-10-27 15:55:19 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1812655, 1853302    
Bug Blocks:    

Comment 1 Dmitry Tantsur 2020-02-18 14:08:17 UTC 
The patch for the immediate issue is https://review.opendev.org/#/c/708388/, but it doesn't mean that ironic will easily run in FIPS mode. At the very least, we need to make sure MD5 is not used for checksums.
Comment 2 Steven Hardy 2020-02-18 14:19:20 UTC 
I seems like a prerequisite for this will be OSP support for FIPS (or at least for standalone Ironic), then we would have to ensure Ironic in the context of IPI baremetal is configured appropriately.
Comment 5 Julia Kreger 2020-04-17 15:34:41 UTC 
Moving to post as the fixes have been in the RPM and thus container builds.
Comment 6 Scott Dodson 2020-06-04 17:50:04 UTC 
Moving to modified to trigger normal process follow through.
Comment 11 Raviv Bar-Tal 2020-07-02 11:52:42 UTC 
Trying to verifying this BZ we found a new bug in an earlier stage which block us.
BZ1853302 - Installation in FIPS mode fails on BareMetal IPI with error: "disabled for FIPS"
Comment 17 Ori Michaeli 2020-08-27 06:59:54 UTC 
Tested with 4.6.0-0.nightly-2020-08-26-064537:

Installation completed successfully and install-config was updated with fips: true
Comment 20 errata-xmlrpc 2020-10-27 15:55:19 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (OpenShift Container Platform 4.6 GA Images), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:4196