Bug 1804232 - Installation in FIPS mode fails on BareMetal IPI
Summary: Installation in FIPS mode fails on BareMetal IPI
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Installer
Version: 4.3.z
Hardware: Unspecified
OS: Unspecified
medium
medium
Target Milestone: ---
: 4.6.0
Assignee: Stephen Benjamin
QA Contact: Ori Michaeli
URL:
Whiteboard:
Depends On: 1812655 1853302
Blocks:
TreeView+ depends on / blocked
 
Reported: 2020-02-18 14:02 UTC by Yurii Prokulevych
Modified: 2020-10-27 15:56 UTC (History)
8 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Previously the baremetal IPI platform's provisioning services would not work when FIPS was enabled for a cluster. Now, the provisioning services support running while FIPS is enabled.
Clone Of:
: 1812655 (view as bug list)
Environment:
Last Closed: 2020-10-27 15:55:19 UTC
Target Upstream Version:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2020:4196 0 None None None 2020-10-27 15:56:00 UTC

Comment 1 Dmitry Tantsur 2020-02-18 14:08:17 UTC
The patch for the immediate issue is https://review.opendev.org/#/c/708388/, but it doesn't mean that ironic will easily run in FIPS mode. At the very least, we need to make sure MD5 is not used for checksums.

Comment 2 Steven Hardy 2020-02-18 14:19:20 UTC
I seems like a prerequisite for this will be OSP support for FIPS (or at least for standalone Ironic), then we would have to ensure Ironic in the context of IPI baremetal is configured appropriately.

Comment 5 Julia Kreger 2020-04-17 15:34:41 UTC
Moving to post as the fixes have been in the RPM and thus container builds.

Comment 6 Scott Dodson 2020-06-04 17:50:04 UTC
Moving to modified to trigger normal process follow through.

Comment 11 Raviv Bar-Tal 2020-07-02 11:52:42 UTC
Trying to verifying this BZ we found a new bug in an earlier stage which block us.
BZ1853302 - Installation in FIPS mode fails on BareMetal IPI with error: "disabled for FIPS"

Comment 17 Ori Michaeli 2020-08-27 06:59:54 UTC
Tested with 4.6.0-0.nightly-2020-08-26-064537:

Installation completed successfully and install-config was updated with fips: true

Comment 20 errata-xmlrpc 2020-10-27 15:55:19 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (OpenShift Container Platform 4.6 GA Images), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:4196


Note You need to log in before you can comment on or make changes to this bug.