Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.

Bug 1145453

Summary: [IBM] "fips=1": Prompt "An exception during the transaction: Command '['service', 'sshd', 'restart']' returned non-zero exit status 1" when configuring ssh
Product: Red Hat Enterprise Virtualization Manager Reporter: cshao <cshao>
Component: ovirt-nodeAssignee: Fabian Deutsch <fdeutsch>
Status: CLOSED EOL QA Contact: cshao <cshao>
Severity: high Docs Contact:
Priority: high    
Version: 3.4.0CC: dfediuck, fdeutsch, gklein, gouyang, huiwa, leiwang, lsurette, rbarry, yaniwang, ycui, ykaul
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2016-03-23 12:21:55 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: Node RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
ovirt-node.log
none
ssh_status none

Description cshao 2014-09-23 06:29:36 UTC
Created attachment 940258 [details]
ovirt-node.log

Description of problem:
Auto install RHEV-H with fips=1, it will prompt "An exception during the 
transaction: Command '['service', 'sshd', 'restart']' returned non-zero 
exit status 1" when configuring  ssh.

Version-Release number of selected component (if applicable):
rhev-hypervisor6-6.5-20140915.0.iso
ovirt-node-3.0.1-18.el6_5.16.noarch
vdsm-4.14.13-2.el6ev.x86_64

How reproducible:
100%


Steps to Reproduce:
1. Auto install RHEV-H with below parameters:
BOOTIF=eth0 storage_init=/dev/sda adminpw=xxxxxx fips=1 firstboot
2. Login RHEV-H.
3. Configuring SSH.

Actual results:
Prompt "An exception during the transaction: Command '['service', 
'sshd', 'restart']' returned non-zero exit status 1" when configuring  ssh.

Expected results:
No such issue if without "fips=1"

Comment 1 Ying Cui 2014-09-23 06:56:53 UTC
effect of IBM build.
So move it to high.

Comment 2 cshao 2014-09-23 07:26:01 UTC
Created attachment 940299 [details]
ssh_status

Comment 3 Ying Cui 2014-10-09 03:10:13 UTC
This bug need to pay more attention, because it will affect the IBM. So I set it to Urgent priority.

Comment 4 Ryan Barry 2014-10-20 14:37:38 UTC
I'm not able to reproduce this in KVM. Does it require specific hardware?

Can you grab the output of "/usr/sbin/sshd -D", please?

Comment 5 cshao 2014-10-21 06:17:05 UTC
(In reply to Ryan Barry from comment #4)
> I'm not able to reproduce this in KVM. Does it require specific hardware?
> 
Just VM (with fips=1)is enough.

> Can you grab the output of "/usr/sbin/sshd -D", please?
#/usr/sbin/sshd -D
Could not load host key: /etc/ssh/ssh_host_rsa_key
Could not load host key: /etc/ssh/ssh_host_dsa_key

Comment 6 Ryan Barry 2014-10-22 23:29:34 UTC
Note: this doesn't seem to affect EL7.

Trying fips=1 on my workstation segfaults the VM (probably because FIPS isn't available on the host). I'm going to try setting up another machine tomorrow to look at this.

Comment 7 Ryan Barry 2014-10-23 19:18:23 UTC
I'm not able to get this working on any systems I have for a variety of reasons (LUKS, kernel panic on F20, FIPS won't load with binary drivers available). I'm going to try to work around this.

If there's test hardware you can make available wtih FIPS enabled, I would appreciate it.

Comment 12 Fabian Deutsch 2016-03-23 12:21:55 UTC
In future RHEV-H will be much closer to RHEL, RHEV-H will also inherit RHEL's FIPS behavior.