Bug 2166839

Summary: satellite does not work when crypto policy future is enabled
Product: Red Hat Satellite
Reporter: Benjamin Hackl-Blaimschein <benjamin.hackl-blaimschein>
Component: Installation
Assignee: satellite6-bugs <satellite6-bugs>
Status: CLOSED COMPLETED
QA Contact: Gaurav Talreja <gtalreja>
Severity: low
Priority: unspecified
Version: 6.12.1
CC: ehelms, ekohlvan
Target Milestone: Unspecified
Flags: benjamin.hackl-blaimschein: needinfo-
Target Release: Unused
Hardware: All
OS: All
Last Closed: 2023-02-27 08:12:38 UTC
Type: Bug
Bug Depends On: 2117265    

Description Benjamin Hackl-Blaimschein 2023-02-03 06:46:44 UTC
Description of problem:

Installer does not warn if crypto policy is set to future. Installer runs, but some services silently fail - e.g. 


Version-Release number of selected component (if applicable):

6.12.1 - but probably all versions > 6.11


How reproducible:

always.


Steps to Reproduce:
1. update-crypto-policies --set future
2. systemctl reboot
3. satellite-installer --scenario satellite
4. hammer ping

Actual results:

# hammer ping
database:         
    Status:          ok
    Server Response: Duration: 0ms
candlepin:        
    Status:          FAIL
    Server Response: Message: Failed to open TCP connection to localhost:23443 (Connection refused - connect(2) for "localhost" port 23443)
candlepin_auth:   
    Status:          FAIL
    Server Response: Message: A backend service [ Candlepin ] is unreachable
candlepin_events: 
    Status:          ok
    message:         0 Processed, 0 Failed
    Server Response: Duration: 0ms
katello_events:   
    Status:          ok
    message:         0 Processed, 0 Failed
    Server Response: Duration: 0ms
pulp3:            
    Status:          ok
    Server Response: Duration: 240ms
pulp3_content:    
    Status:          ok
    Server Response: Duration: 58ms
foreman_tasks:    
    Status:          ok
    Server Response: Duration: 3ms




Expected results:

hammer ping
database:         
    Status:          ok
    Server Response: Duration: 0ms
candlepin:        
    Status:          ok
    Server Response: Duration: 20ms
candlepin_auth:   
    Status:          ok
    Server Response: Duration: 16ms
candlepin_events: 
    Status:          ok
    message:         27 Processed, 0 Failed
    Server Response: Duration: 0ms
katello_events:   
    Status:          ok
    message:         0 Processed, 0 Failed
    Server Response: Duration: 0ms
pulp3:            
    Status:          ok
    Server Response: Duration: 268ms
pulp3_content:    
    Status:          ok
    Server Response: Duration: 231ms
foreman_tasks:    
    Status:          ok
    Server Response: Duration: 4ms


Additional info:

Update documentation and/or implement an installer check.

Comment 1 Ewoud Kohl van Wijngaarden 2023-02-23 15:17:15 UTC
(In reply to Benjamin Hackl-Blaimschein from comment #0)
> Installer does not warn if crypto policy is set to future. Installer runs,
> but some services silently fail - e.g. 

This is all Candlepin, which has been fixed in https://github.com/theforeman/puppet-candlepin/commit/86bb0923677aa7586709ae4266f1c8bf9a1e97c4. https://bugzilla.redhat.com/show_bug.cgi?id=2117265#c2 contains some notes on overriding the ciphers in custom-hiera.yaml, though you should remove that once Satellite defaults to the more secure ciphers.

> Update documentation and/or implement an installer check.

This has been added to the documentation. I can't link exactly to the sentence, but https://access.redhat.com/documentation/en-us/red_hat_satellite/6.11/html/installing_satellite_server_in_a_connected_network_environment/preparing_your_environment_for_installation_satellite#system-requirements_satellite is the chapter that includes:

> Satellite supports DEFAULT and FIPS crypto-policies. The FUTURE crypto-policy is not supported for Satellite and Capsule installations. 

An installer check has a problem. https://bugzilla.redhat.com/show_bug.cgi?id=2117265 is still open for real support, but currently it's blocked on CDN access which we don't control. If we implement a check, it requires Satellite to push an update to remove that check when the CDN does support it.

So in summary:

* It's already documented in the system requirements
* A future Satellite itself should work out of the box with FUTURE crypto-policy
* It's unknown when the Red Hat CDN becomes compatible with FUTURE crypto-policy
* An installer check for a non-local dependency can create issues down the line

Because of that I'm inclined to close this bug now. Do you agree your concern has been addressed?

Comment 2 Benjamin Hackl-Blaimschein 2023-02-27 08:12:38 UTC
Yes please close. Documentation already states that FUTURE crypto-policy is not supported. Somehow I missed this, sorry. Thank you.
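
An operator-side pre-flight check for the situation discussed in this bug, added here as an example; it is not part of satellite-installer or of this thread. It classifies the active system-wide crypto policy against the documentation sentence quoted in comment 1 (DEFAULT and FIPS supported, FUTURE not supported). The function names and return codes are assumptions of this example.

```shell
#!/bin/sh
# Added example: local pre-flight check to run before satellite-installer.
# Function names and exit codes are this example's own, not Satellite's.

# classify_policy POLICY
# 0 = base policy is DEFAULT or FIPS (listed as supported in the quoted docs)
# 1 = base policy is FUTURE (listed as not supported)
# 2 = anything else, including an empty value
classify_policy() {
    # Drop whitespace and subpolicy modifiers ("FIPS:OSPP" -> "FIPS"), then
    # normalise case, because the reproducer on this page uses "--set future".
    base=$(printf '%s' "$1" | tr -d '[:space:]' | cut -d: -f1 |
           tr '[:lower:]' '[:upper:]')
    case "$base" in
        DEFAULT|FIPS) return 0 ;;
        FUTURE)       return 1 ;;
        *)            return 2 ;;
    esac
}

# current_policy: print the policy currently applied on this host.
current_policy() {
    if command -v update-crypto-policies >/dev/null 2>&1; then
        update-crypto-policies --show
    elif [ -r /etc/crypto-policies/state/current ]; then
        cat /etc/crypto-policies/state/current
    else
        return 1
    fi
}

# preflight: report the result and return the classification code (3 = unknown).
preflight() {
    policy=$(current_policy) || { echo "cannot determine crypto policy" >&2; return 3; }
    rc=0
    classify_policy "$policy" || rc=$?
    case "$rc" in
        0) echo "crypto policy '$policy': supported" ;;
        1) echo "crypto policy '$policy': FUTURE is not supported for Satellite and Capsule installations" >&2 ;;
        2) echo "crypto policy '$policy': not listed as supported (DEFAULT, FIPS)" >&2 ;;
    esac
    return "$rc"
}

# Only act when asked to, so the file can also be sourced by a wrapper.
if [ "${1:-}" = "--run" ]; then
    preflight
fi
```

Because the check lives in the operator's own wrapper rather than in the installer, it can be dropped without a product update once FUTURE is supported, which was the concern raised in comment 1.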