1804232 – Installation in FIPS mode fails on BareMetal IPI

Bug 1804232 - Installation in FIPS mode fails on BareMetal IPI

Summary: Installation in FIPS mode fails on BareMetal IPI

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	OpenShift Container Platform
Classification:	Red Hat
Component:	Installer
Sub Component:
Version:	4.3.z
Hardware:	Unspecified
OS:	Unspecified
Priority:	medium
Severity:	medium
Target Milestone:	---
Target Release:	4.6.0
Assignee:	Stephen Benjamin
QA Contact:	Ori Michaeli
Docs Contact:
URL:
Whiteboard:
Depends On:	1812655 1853302
Blocks:
TreeView+	depends on / blocked

Reported:	2020-02-18 14:02 UTC by Yurii Prokulevych
Modified:	2020-10-27 15:56 UTC (History)
CC List:	8 users (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:	Previously the baremetal IPI platform's provisioning services would not work when FIPS was enabled for a cluster. Now, the provisioning services support running while FIPS is enabled.
Clone Of:
Clones:	1812655 (view as bug list)
Environment:
Last Closed:	2020-10-27 15:55:19 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHBA-2020:4196	0	None	None	None	2020-10-27 15:56:00 UTC

Comment 1 Dmitry Tantsur 2020-02-18 14:08:17 UTC

The patch for the immediate issue is https://review.opendev.org/#/c/708388/, but it doesn't mean that ironic will easily run in FIPS mode. At the very least, we need to make sure MD5 is not used for checksums.

Comment 2 Steven Hardy 2020-02-18 14:19:20 UTC

I seems like a prerequisite for this will be OSP support for FIPS (or at least for standalone Ironic), then we would have to ensure Ironic in the context of IPI baremetal is configured appropriately.

Comment 5 Julia Kreger 2020-04-17 15:34:41 UTC

Moving to post as the fixes have been in the RPM and thus container builds.

Comment 6 Scott Dodson 2020-06-04 17:50:04 UTC

Moving to modified to trigger normal process follow through.

Comment 11 Raviv Bar-Tal 2020-07-02 11:52:42 UTC

Trying to verifying this BZ we found a new bug in an earlier stage which block us.
BZ1853302 - Installation in FIPS mode fails on BareMetal IPI with error: "disabled for FIPS"

Comment 17 Ori Michaeli 2020-08-27 06:59:54 UTC

Tested with 4.6.0-0.nightly-2020-08-26-064537:

Installation completed successfully and install-config was updated with fips: true

Comment 20 errata-xmlrpc 2020-10-27 15:55:19 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (OpenShift Container Platform 4.6 GA Images), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:4196

Note You need to log in before you can comment on or make changes to this bug.