Description of problem:
Many users of Satellite 6 run systems that are FIPS enabled. Puppet's default digest_algorithm is md5, which will not work on FIPS enabled systems.
This RFE requests updating the provisioning snippet for puppet.conf to add the 'digest_algorithm = sha256' directive in the [main] section of puppet.conf.
The installation programs (capsule|katello)-installer might need to be updated to ensure that the Capsule/Satellite servers also have this change.
Version-Release number of selected component (if applicable):
This is detailed in (https://tickets.puppetlabs.com/browse/PUP-1840)
Since this issue was entered in Red Hat Bugzilla, the release flag has been
set to ? to ensure that it is properly evaluated for this release.
Discussed this with firstname.lastname@example.org, another way to implement this could be via an installer option to (katello|foreman)-installer, such as --puppet-digest=sha256. This would allow the end-user to 'opt-in' to the change. As in current versions of Puppet, the client and server MUST be configured to use the same digest algorithm, this would be a fair way to implement this request.
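An audit of the requirement discussed above, as an added example that is not part of the original report or of Satellite/Puppet code: it computes the effective digest_algorithm for a client and a server puppet.conf and reports a mismatch, or md5 in use while FIPS is enabled. Assumptions: the sample configs and hostname are constructed, a run-mode section ([agent], [master] or [server]) overrides [main], and all function names are hypothetical.

```python
# Added example, not Satellite or Puppet project code. Sample configs are constructed.
PUPPET_DEFAULT = "md5"  # default digest_algorithm, as stated in the report
FIPS_FLAG = "/proc/sys/crypto/fips_enabled"  # Linux kernel FIPS indicator

def fips_enabled(path=FIPS_FLAG):
    # True when the kernel reports FIPS mode; False if the flag file is absent.
    try:
        with open(path) as fh:
            return fh.read().strip() == "1"
    except OSError:
        return False

def parse_puppet_conf(text):
    """Parse INI-style puppet.conf text into {section: {setting: value}}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].strip(), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return sections

def effective_digest(text, run_sections):
    """A run-mode section overrides [main]; with neither set, the default applies."""
    conf = parse_puppet_conf(text)
    for section in (*run_sections, "main"):
        value = conf.get(section, {}).get("digest_algorithm")
        if value:
            return value.lower()
    return PUPPET_DEFAULT

def audit(agent_conf, server_conf, fips):
    """Return findings for a client/server pair of puppet.conf contents."""
    agent = effective_digest(agent_conf, ("agent",))
    server = effective_digest(server_conf, ("master", "server"))
    findings = []
    if agent != server:
        findings.append(f"mismatch: agent={agent} server={server}")
    if fips:
        findings += [f"{role} uses md5, which will not work with FIPS enabled"
                     for role, algo in (("agent", agent), ("server", server))
                     if algo == "md5"]
    return findings

UNPATCHED = "[main]\nserver = satellite.example.com\n"  # constructed, no directive
PATCHED = "[main]\nserver = satellite.example.com\ndigest_algorithm = sha256\n"
if __name__ == "__main__":
    print("\n".join(audit(UNPATCHED, PATCHED, fips_enabled())))
```
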
Per 6.3 planning, moving out non acked bugs to the backlog
It appears fixed with some error handling issues upstream in Puppet ... is the lack of an ack here meaning this will not be in 6.3?
The Satellite Team is attempting to provide an accurate backlog of bugzilla requests which we feel will be resolved in the next few releases. We do not believe this bugzilla will meet those criteria, and have plans to close it out in 1 month. This is not a reflection on the validity of the request, but a reflection of the many priorities for the product. If you have any concerns about this, feel free to contact Red Hat Technical Support or your account team. If we do not hear from you, we will close this bug out. Thank you.
Upstream bug assigned to email@example.com
Moving this bug to POST for triage into Satellite 6 since the upstream issue https://projects.theforeman.org/issues/26203 has been resolved.
Based on comment 14, not going to close this :)
Verified on Satellite 6.6 snap 13. The provisioning templates have been updated to have the fips condition. The host provisioned from hostgroup with the fips_enabled parameter on has fips mode enabled as expected.
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.
For information on the advisory, and where to find the updated
files, follow the link below.
If the solution does not work for you, open a new bug report.