Bug 1967533

Summary: [RFE] allow enabling fips on the engine VM
Product: [oVirt] ovirt-hosted-engine-setup
Reporter: Yedidyah Bar David <didi>
Component: Plugins.General
Assignee: Asaf Rachmani <arachman>
Status: CLOSED CURRENTRELEASE
QA Contact: Qin Yuan <qiyuan>
Severity: unspecified
Docs Contact:
Priority: unspecified
Version: ---
CC: bugs, mperina
Target Milestone: ovirt-4.4.8
Keywords: FutureFeature, ZStream
Target Release: ---
Flags: sbonazzo: ovirt-4.4+, pm-rhel: planning_ack?, pm-rhel: devel_ack+, pm-rhel: testing_ack?
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version: ovirt-hosted-engine-setup-2.5.3-1.el8ev, ovirt-ansible-collection-1.5.4-1.el8ev
Doc Type: Enhancement
Doc Text:
Support enabling FIPS on the Self Hosted Engine VM via command line. `hosted-engine --deploy` now also asks 'Do you want to enable FIPS?'. The answer to this question is passed to the ansible code, which now supports enabling FIPS without requiring an OpenSCAP profile (bug #1967530).
Story Points: ---
Clone Of:
Environment:
Last Closed: 2021-08-19 06:23:01 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: Integration
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Yedidyah Bar David 2021-06-03 10:22:19 UTC
Description of problem:

Right now, we enable fips on the engine VM only if the user wants to apply an OpenSCAP profile. Add an independent question for this and pass as a new ansible var, to be added in bug 1967530.

Comment 1 Qin Yuan 2021-08-18 03:46:54 UTC
Verified with:
ovirt-hosted-engine-setup-2.5.3-1.el8ev.noarch
ovirt-ansible-collection-1.6.0-1.el8ev.noarch

Steps:
1. Run `hosted-engine --deploy`
2. Don't apply OpenSCAP security profile, check if there is an independent question asking for enabling FIPS mode on engine VM.
3. Choose to enable FIPS, check if hosted engine deployment could succeed.
4. Check if FIPS mode is enabled on engine VM after deployment finished.

Results:
1. There is an independent question asking for enabling FIPS mode on engine VM when OpenSCAP security profile is not applied.
  Do you want to apply a default OpenSCAP security profile? (Yes, No) [No]: 
  Do you want to enable FIPS? (Yes, No) [No]:

2. Hosted engine deployment succeeds when enabling FIPS mode but not applying OpenSCAP security profile.

3. FIPS mode is enabled on engine VM after deployment finished:
# fips-mode-setup --check
FIPS mode is enabled.
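
A stricter form of the step 4 check, as an added example that is not part of the comment above or of the oVirt code: it cross-checks the three places FIPS state appears on an EL8 guest, so a half-applied configuration is reported rather than passed. The function names `fips_state` and `fips_state_live` are hypothetical, the sample kernel command line is constructed, and it assumes `update-crypto-policies` is present on the engine VM.

```shell
#!/bin/sh
# Added example: classify FIPS state from three independent signals.
# Usage: fips_state "<kernel cmdline>" "<fips_enabled value>" "<crypto policy>"
# Prints: enabled | disabled | inconsistent boot_arg=.. kernel=.. policy=..
fips_state() (
    set -f                      # no globbing while splitting the cmdline
    cmdline=$1 flag=$2 policy=$3

    # 1. Boot argument: the last fips= on the command line wins.
    boot=0
    for arg in $cmdline; do
        case $arg in
            fips=1) boot=1 ;;
            fips=0) boot=0 ;;
        esac
    done

    # 2. Kernel flag as exposed in /proc/sys/crypto/fips_enabled.
    [ "$flag" = 1 ] && kern=1 || kern=0

    # 3. System-wide crypto policy; FIPS may carry subpolicies (FIPS:NAME).
    case $policy in
        FIPS|FIPS:*) pol=1 ;;
        *)           pol=0 ;;
    esac

    case "$boot$kern$pol" in
        111) echo enabled ;;
        000) echo disabled ;;
        *)   echo "inconsistent boot_arg=$boot kernel=$kern policy=$pol" ;;
    esac
)

# Read the same three signals from the running system (run on the engine VM).
fips_state_live() {
    fips_state "$(cat /proc/cmdline)" \
        "$(cat /proc/sys/crypto/fips_enabled 2>/dev/null || echo 0)" \
        "$(update-crypto-policies --show 2>/dev/null || echo unknown)"
}

# Constructed sample input, not captured from a real host.
fips_state "BOOT_IMAGE=/vmlinuz ro fips=1 boot=UUID=constructed" 1 FIPS
```

Calling `fips_state_live` on the deployed engine VM should print `enabled` when all three signals agree; an `inconsistent` line names the signal that disagrees.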

Comment 2 Sandro Bonazzola 2021-08-19 06:23:01 UTC
This bugzilla is included in oVirt 4.4.8 release, published on August 19th 2021.

Since the problem described in this bug report should be resolved in oVirt 4.4.8 release, it has been closed with a resolution of CURRENT RELEASE.

If the solution does not work for you, please open a new bug report.