Bug 1743621 - rhel worker could not be enabled fips by MCO
Summary: rhel worker could not be enabled fips by MCO
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Machine Config Operator
Version: 4.2.0
Hardware: Unspecified
OS: Unspecified
unspecified
urgent
Target Milestone: ---
: 4.2.0
Assignee: Antonio Murdaca
QA Contact: Micah Abbott
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2019-08-20 10:43 UTC by Chuan Yu
Modified: 2019-08-20 18:11 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-08-20 14:31:39 UTC
Target Upstream Version:
Embargoed:




Links:
GitHub openshift/machine-config-operator pull 1068 (closed): "Bug 1743621: pkg/daemon: error early if updating FIPS on non-RHCOS", last updated 2020-08-04 14:34:11 UTC

Description Chuan Yu 2019-08-20 10:43:41 UTC
Description of problem:
The MachineConfig to enable FIPS could not be applied to a RHEL worker by MCO

Version-Release number of selected component (if applicable):
4.2.0-0.nightly-2019-08-19-201622
Red Hat Enterprise Linux Server 7.6 (Maipo)

How reproducible:
always

Steps to Reproduce:
1. Set up a UPI-on-AWS cluster and scale up a RHEL worker node
2. Create a MachineConfig to enable FIPS on workers:
$ oc create -f - <<EOF
apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
metadata:
  labels:
    machineconfiguration.openshift.io/role: worker
  name: 99-fips-worker
spec:
  fips: true
EOF

3.

Actual results:
FIPS could not be enabled on the RHEL worker by MCO:
$ oc describe node ip-10-0-49-29.us-east-2.compute.internal | grep -A6 Annotations
Annotations:        machineconfiguration.openshift.io/currentConfig: rendered-worker-6ef5ccd601e982a620b612d01ad4fa56
                    machineconfiguration.openshift.io/desiredConfig: rendered-worker-c09fee3aed63a40028076de64e4e0caa
                    machineconfiguration.openshift.io/reason: enable FIPS: : fork/exec /usr/libexec/rhcos-tools/coreos-fips: no such file or directory
                    machineconfiguration.openshift.io/ssh: accessed
                    machineconfiguration.openshift.io/state: Degraded
                    volumes.kubernetes.io/controller-managed-attach-detach: true
CreationTimestamp:  Tue, 20 Aug 2019 16:40:21 +0800


$ oc describe co machine-config | grep -A2 Extension
  Extension:
    Master:  all 3 nodes are at latest configuration rendered-master-6c0938b762a7a9936aebff2255d860a9
    Worker:  pool is degraded because nodes fail with "1 nodes are reporting degraded status on sync": "Node ip-10-0-49-29.us-east-2.compute.internal is reporting: \"enable FIPS: : fork/exec /usr/libexec/rhcos-tools/coreos-fips: no such file or directory\""

Expected results:
FIPS can be enabled on the RHEL worker by MCO

Additional info:

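The report above shows the two signals an operator needs when a FIPS MachineConfig lands on a mixed RHCOS/RHEL worker pool: the MCD annotations on the node (state "Degraded", the reason naming /usr/libexec/rhcos-tools/coreos-fips) and the node's osImage, which tells RHEL from RHCOS. The following audit script is an added example written for this page, not code from the bug, the MCO project or the commenters. It parses a constructed sample in the shape of `oc get nodes -o json` and `oc get machineconfigs -o json` (only the fields used here), lists nodes whose MCD state is Degraded together with their current/desired rendered configs, flags the case where a FIPS-related failure hits a non-RHCOS node, and lists the MachineConfigs that set spec.fips so the one to remove (per comment 2) can be found. The RHCOS osImage string and the function names are assumptions.

```python
import json

# Annotation keys written by the Machine Config Daemon (taken from the bug report).
MCO_STATE = "machineconfiguration.openshift.io/state"
MCO_REASON = "machineconfiguration.openshift.io/reason"
MCO_CURRENT = "machineconfiguration.openshift.io/currentConfig"
MCO_DESIRED = "machineconfiguration.openshift.io/desiredConfig"

# Constructed sample resembling `oc get nodes -o json`, trimmed to the fields used below.
# The RHEL node's annotations and osImage are copied from the report; the RHCOS
# node and its osImage string are constructed for illustration.
SAMPLE_NODE_LIST = json.dumps({"items": [
    {"metadata": {"name": "ip-10-0-49-29.us-east-2.compute.internal",
                  "annotations": {
                      MCO_CURRENT: "rendered-worker-6ef5ccd601e982a620b612d01ad4fa56",
                      MCO_DESIRED: "rendered-worker-c09fee3aed63a40028076de64e4e0caa",
                      MCO_REASON: "enable FIPS: : fork/exec /usr/libexec/rhcos-tools/coreos-fips: no such file or directory",
                      MCO_STATE: "Degraded"}},
     "status": {"nodeInfo": {"osImage": "Red Hat Enterprise Linux Server 7.6 (Maipo)"}}},
    {"metadata": {"name": "ip-10-0-1-1.us-east-2.compute.internal",  # constructed name
                  "annotations": {
                      MCO_CURRENT: "rendered-worker-c09fee3aed63a40028076de64e4e0caa",
                      MCO_DESIRED: "rendered-worker-c09fee3aed63a40028076de64e4e0caa",
                      MCO_STATE: "Done"}},
     "status": {"nodeInfo": {"osImage": "Red Hat Enterprise Linux CoreOS 42 (Ootpa)"}}},  # constructed
]})

# Constructed sample resembling `oc get machineconfigs -o json`, mirroring the
# 99-fips-worker object from the reproduction steps plus an unrelated config.
SAMPLE_MC_LIST = json.dumps({"items": [
    {"metadata": {"name": "99-fips-worker",
                  "labels": {"machineconfiguration.openshift.io/role": "worker"}},
     "spec": {"fips": True}},
    {"metadata": {"name": "00-worker",
                  "labels": {"machineconfiguration.openshift.io/role": "worker"}},
     "spec": {}},
]})


def is_rhcos(node):
    """True when the kubelet-reported OS image identifies RHCOS rather than plain RHEL."""
    os_image = node.get("status", {}).get("nodeInfo", {}).get("osImage", "")
    return "CoreOS" in os_image


def audit_mco_nodes(node_list_json):
    """Return one finding per node whose MCD state is Degraded.

    A finding carries the node name, the current/desired rendered configs (a
    mismatch means the update never completed), the MCD reason string, whether
    the node is RHCOS, and a hint when a FIPS failure hit a non-RHCOS node.
    """
    findings = []
    for node in json.loads(node_list_json)["items"]:
        ann = node["metadata"].get("annotations", {})
        if ann.get(MCO_STATE) != "Degraded":
            continue
        reason = ann.get(MCO_REASON, "")
        finding = {
            "node": node["metadata"]["name"],
            "current": ann.get(MCO_CURRENT),
            "desired": ann.get(MCO_DESIRED),
            "reason": reason,
            "rhcos": is_rhcos(node),
        }
        if "FIPS" in reason and not finding["rhcos"]:
            # MCO only drives FIPS through the RHCOS tooling; on RHEL the host owner
            # configures FIPS directly, so the MachineConfig should be removed.
            finding["hint"] = ("FIPS via MachineConfig is not supported on RHEL workers; "
                               "remove the FIPS MachineConfig and configure FIPS on the host")
        findings.append(finding)
    return findings


def find_fips_machineconfigs(mc_list_json):
    """Names and roles of MachineConfigs that set spec.fips to true."""
    out = []
    for mc in json.loads(mc_list_json)["items"]:
        if mc.get("spec", {}).get("fips") is True:
            role = mc["metadata"].get("labels", {}).get("machineconfiguration.openshift.io/role")
            out.append((mc["metadata"]["name"], role))
    return out


if __name__ == "__main__":
    for f in audit_mco_nodes(SAMPLE_NODE_LIST):
        print(f)
    print("FIPS MachineConfigs:", find_fips_machineconfigs(SAMPLE_MC_LIST))
```

Against a live cluster the two JSON strings would come from `oc get nodes -o json` and `oc get machineconfigs -o json`; the osImage check is a heuristic on the kubelet-reported string, so a pool that mixes RHEL and RHCOS should be cross-checked against the node labels or inventory the cluster actually uses.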
Comment 1 Antonio Murdaca 2019-08-20 12:55:23 UTC
FIPS mode isn't a target for rhel workers afaict, but we should play nicer in case we can't enable it I guess.

Comment 2 Antonio Murdaca 2019-08-20 13:39:19 UTC
Created a patch to make it clear that FIPS isn't supported on RHEL.
To reconcile the cluster, just delete the MachineConfig that you've created with FIPS enabled.

Comment 4 Ben Breard 2019-08-20 14:26:09 UTC
This is absolutely outside the scope of the MCO. RHEL customers are responsible for "managing" their servers, and configuring FIPS and other things like crypto policies definitely falls into the space that the end user should be setting on their RHEL nodes.

