Bug 1853302 - Installation in FIPS mode fails on BareMetal IPI with error: "disabled for FIPS"
Summary: Installation in FIPS mode fails on BareMetal IPI with error: "disabled for FIPS"
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Bare Metal Hardware Provisioning
Version: 4.5
Hardware: Unspecified
OS: Unspecified
medium
low
Target Milestone: ---
: 4.6.0
Assignee: Dmitry Tantsur
QA Contact: Ori Michaeli
URL:
Whiteboard:
Depends On: 1869183
Blocks: 1804232
TreeView+ depends on / blocked
 
Reported: 2020-07-02 11:47 UTC by Raviv Bar-Tal
Modified: 2020-10-27 16:12 UTC (History)
4 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Cause: ironic was using MD5 to build its hash ring. This hash function is not available in the FIPS 140-2 mode. Consequence: installation would fail because ironic would not be able to build a hash ring. Fix: the ironic image now defaults to SHA256 as a hash function for the hash ring.
Clone Of:
Environment:
Last Closed: 2020-10-27 16:11:47 UTC
Target Upstream Version:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Github metal3-io ironic-image pull 179 0 None closed Set the hash ring algorithm to SHA256 2021-01-01 16:10:49 UTC
Github openshift ironic-image pull 94 0 None closed Set the hash ring algorithm to SHA256 2021-01-01 16:10:47 UTC
OpenStack gerrit 739779 0 None MERGED Add an option to choose the hash ring algorithm 2021-01-01 16:10:49 UTC
Red Hat Product Errata RHBA-2020:4196 0 None None None 2020-10-27 16:12:07 UTC

Description Raviv Bar-Tal 2020-07-02 11:47:46 UTC
Description of problem:
Deployment of OCP-4.5 with fips on baremetal(vms simulating baremetal) fails:
openshift installer shows the below  error message:
time="2020-07-02T10:08:53Z" level=error msg="Error: Internal Server Error"
time="2020-07-02T10:08:53Z" level=error
time="2020-07-02T10:08:53Z" level=error msg="  on ../../tmp/openshift-install-923937140/masters/main.tf line 1, in resource \"ironic_node_v1\" \"openshift-master-host\":"  
time="2020-07-02T10:08:53Z" level=error msg="   1: resource \"ironic_node_v1\" \"openshift-master-host\" {"                                                                 
time="2020-07-02T10:08:53Z" level=error
time="2020-07-02T10:08:53Z" level=error
time="2020-07-02T10:08:53Z" level=error
time="2020-07-02T10:08:53Z" level=error msg="Error: Internal Server Error"
time="2020-07-02T10:08:53Z" level=error
time="2020-07-02T10:08:53Z" level=error msg="  on ../../tmp/openshift-install-923937140/masters/main.tf line 1, in resource \"ironic_node_v1\" \"openshift-master-host\":"  
time="2020-07-02T10:08:53Z" level=error msg="   1: resource \"ironic_node_v1\" \"openshift-master-host\" {"                                                                 
time="2020-07-02T10:08:53Z" level=error
time="2020-07-02T10:08:53Z" level=error
time="2020-07-02T10:08:53Z" level=error
time="2020-07-02T10:08:53Z" level=error msg="Error: Internal Server Error"
time="2020-07-02T10:08:53Z" level=error
time="2020-07-02T10:08:53Z" level=error msg="  on ../../tmp/openshift-install-923937140/masters/main.tf line 1, in resource \"ironic_node_v1\" \"openshift-master-host\":"  
time="2020-07-02T10:08:53Z" level=error msg="   1: resource \"ironic_node_v1\" \"openshift-master-host\" {"                                                                 
time="2020-07-02T10:08:53Z" level=error
time="2020-07-02T10:08:53Z" level=error
time="2020-07-02T10:08:53Z" level=fatal msg="failed to fetch Cluster: failed to generate asset \"Cluster\": failed to create cluster: failed to apply Terraform: failed to complete the change"

Ironic-api on bootstrap shows the below error message:

2020-07-02 10:08:52.637 27 ERROR wsme.api [req-8ae567e1-29fc-4e1b-b3e4-14dde5921def - - - - -] Server-side error: "[digital envelope routines: EVP_DigestInit_ex] disabled for FIPS". Detail:
Traceback (most recent call last):

  File "/usr/lib/python3.6/site-packages/wsmeext/pecan.py", line 85, in callfunction
    result = f(self, *args, **kwargs)

  File "/usr/lib/python3.6/site-packages/ironic/api/controllers/v1/node.py", line 2049, in post                                                                             
    topic = api.request.rpcapi.get_topic_for(node)

  File "/usr/lib/python3.6/site-packages/ironic/conductor/rpcapi.py", line 161, in get_topic_for                                                                            
    hostname = self.get_conductor_for(node)

  File "/usr/lib/python3.6/site-packages/ironic/conductor/rpcapi.py", line 144, in get_conductor_for                                                                        
    node.conductor_group)

  File "/usr/lib/python3.6/site-packages/ironic/common/hash_ring.py", line 84, in get_ring                                                                                  
    return self._get_ring(driver_name, conductor_group)

  File "/usr/lib/python3.6/site-packages/ironic/common/hash_ring.py", line 98, in _get_ring                                                                                 
    if not self.ring:

  File "/usr/lib/python3.6/site-packages/ironic/common/hash_ring.py", line 58, in ring                                                                                      
    rings = self._load_hash_rings()

  File "/usr/lib/python3.6/site-packages/ironic/common/hash_ring.py", line 72, in _load_hash_rings                                                                          
    hosts, partitions=2 ** CONF.hash_partition_exponent)

  File "/usr/lib/python3.6/site-packages/tooz/hashring.py", line 48, in __init__
    self.add_nodes(set(nodes))

  File "/usr/lib/python3.6/site-packages/tooz/hashring.py", line 73, in add_nodes
    key_hash = hashlib.md5(key)

ValueError: [digital envelope routines: EVP_DigestInit_ex] disabled for FIPS
ESC[00m

Version-Release number of selected component (if applicable):


How reproducible:
set the fips option to true:
In QE Jenkins -> check FIPS_MODE checkbox
Manual installation -> set "fips: true " in install_config.yaml

Steps to Reproduce:
1. Set FIPS to true 
2. Run the installation 
3.

Actual results:
Installation fails

Expected results:


Additional info:

Comment 2 Tomas Sedovic 2020-08-13 11:27:26 UTC
All the pull requests have been merged. Setting to POST, but we need to tag the RPMs at which point we'll move this to MODIFIED.

Comment 3 Dmitry Tantsur 2020-08-24 07:26:34 UTC
Ready for testing.

Comment 4 Ori Michaeli 2020-08-27 06:59:25 UTC
Tested with 4.6.0-0.nightly-2020-08-26-064537:

Installation completed successfully and install-config was updated with fips: true

Comment 7 errata-xmlrpc 2020-10-27 16:11:47 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (OpenShift Container Platform 4.6 GA Images), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:4196


Note You need to log in before you can comment on or make changes to this bug.