Created attachment 1754631
issue log files

Description of problem:
-> $ hosted-engine --deploy
...
[ INFO ] TASK [ovirt.ovirt.hosted_engine_setup : Enforce FIPS mode]
[ ERROR ] fatal: [localhost -> rhevh-hostedengine-vm-05.lab.eng.pek2.redhat.com]: FAILED! => {"changed": false, "msg": "FIPS mode is not enabled as required"}
[ INFO ] TASK [ovirt.ovirt.hosted_engine_setup : Sync on engine machine]
...

Version-Release number of selected component (if applicable):
ovirt-hosted-engine-setup-2.5.0-0.0.master.20201216174101.git2a94b06.el8.noarch
ansible-2.9.17-1.el8.noarch

How reproducible:

Steps to Reproduce:
1. Install RHEL 8 server host
2. Enable ovirt repos
3. Install ovirt-engine-appliance
4. hosted engine -deploy

Actual results:
"FIPS mode is not enabled as required" error occurs in "Enforce FIPS mode" task when deploying hosted engine

Expected results:
Hosted engine deploy successful without error.

Additional info:

Created attachment 1759907
openscap-report

The issue is with the appliance, upstream only.
When trying to apply openscap I get "Result notapplicable".
Seems similar to https://bugs.centos.org/view.php?id=17996

"DISA STIG" profile is not supported on CentOS anymore. The only profiles we can use for CentOS are PCI-DSS and Standard:

# oscap info "openscap-us/scap-security-guide-0.1.54/ssg-centos8-ds.xml"
Document type: Source Data Stream
Imported: 2021-02-03T11:21:55

Stream: scap_org.open-scap_datastream_from_xccdf_ssg-rhel8-xccdf-1.2.xml
Generated: (null)
Version: 1.3
Checklists:
    Ref-Id: scap_org.open-scap_cref_ssg-rhel8-xccdf-1.2.xml
WARNING: Datastream component 'scap_org.open-scap_cref_security-data-oval-com.redhat.rhsa-RHEL8.xml' points out to the remote 'https://www.redhat.com/security/data/oval/com.redhat.rhsa-RHEL8.xml'. Use '--fetch-remote-resources' option to download it.
WARNING: Skipping 'https://www.redhat.com/security/data/oval/com.redhat.rhsa-RHEL8.xml' file which is referenced from datastream
        Status: draft
        Generated: 2021-02-03
        Resolved: true
        Profiles:
            Title: PCI-DSS v3.2.1 Control Baseline for Red Hat Enterprise Linux 8
                Id: xccdf_org.ssgproject.content_profile_pci-dss
            Title: Standard System Security Profile for Red Hat Enterprise Linux 8
                Id: xccdf_org.ssgproject.content_profile_standard
        Referenced check files:
            ssg-rhel8-oval.xml
                system: http://oval.mitre.org/XMLSchema/oval-definitions-5
            ssg-rhel8-ocil.xml
                system: http://scap.nist.gov/schema/ocil/2
            security-data-oval-com.redhat.rhsa-RHEL8.xml
                system: http://oval.mitre.org/XMLSchema/oval-definitions-5
Checks:
    Ref-Id: scap_org.open-scap_cref_ssg-rhel8-oval.xml
    Ref-Id: scap_org.open-scap_cref_ssg-rhel8-ocil.xml
    Ref-Id: scap_org.open-scap_cref_ssg-rhel8-cpe-oval.xml
    Ref-Id: scap_org.open-scap_cref_security-data-oval-com.redhat.rhsa-RHEL8.xml
Dictionaries:
    Ref-Id: scap_org.open-scap_cref_ssg-rhel8-cpe-dictionary.xml

Sandro, Martin,
Should we use another profile instead of "DISA STIG"?

On oVirt side we are not really trying to support DISA-STIG. This is targeting RHV on RHEL.
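
A pre-flight check for the profile question raised in this thread, as an added example that is not part of the bug report or of oVirt's own code: it parses `oscap info` output, lists the profiles the datastream actually ships, and reports when a requested profile is missing before any hardening task runs. The function names and the short name "stig" for the DISA STIG profile are assumptions; the sample text is trimmed from the output quoted above.

```python
# Constructed sample: trimmed from the `oscap info` output quoted in this thread.
SAMPLE_OSCAP_INFO = """\
Checklists:
    Ref-Id: scap_org.open-scap_cref_ssg-rhel8-xccdf-1.2.xml
        Status: draft
        Profiles:
            Title: PCI-DSS v3.2.1 Control Baseline for Red Hat Enterprise Linux 8
                Id: xccdf_org.ssgproject.content_profile_pci-dss
            Title: Standard System Security Profile for Red Hat Enterprise Linux 8
                Id: xccdf_org.ssgproject.content_profile_standard
        Referenced check files:
            ssg-rhel8-oval.xml
"""


def list_profiles(oscap_info_text):
    """Return {profile_id: title} for each profile in `oscap info` output."""
    profiles, title, in_profiles = {}, None, False
    for raw in oscap_info_text.splitlines():
        line = raw.strip()
        if line == "Profiles:":
            in_profiles = True
        elif not in_profiles:
            continue
        elif line.startswith("Title:"):
            title = line[len("Title:"):].strip()
        elif line.startswith("Id:") and title is not None:
            profiles[line[len("Id:"):].strip()] = title
            title = None
        elif line.endswith(":"):
            in_profiles = False  # next section, e.g. "Referenced check files:"
    return profiles


def resolve_profile(profiles, short_name):
    """Map a short name such as "pci-dss" to its full XCCDF id, or None."""
    suffix = "_profile_" + short_name
    return next((pid for pid in profiles if pid.endswith(suffix)), None)


def preflight(oscap_info_text, short_name):
    """Return (ok, message); ok is False when the datastream lacks the profile."""
    # Assumption: callers pass short names, e.g. "stig" for the DISA STIG profile.
    profiles = list_profiles(oscap_info_text)
    pid = resolve_profile(profiles, short_name)
    if pid is None:
        return False, "profile %r not in datastream; available: %s" % (
            short_name, ", ".join(sorted(profiles)))
    return True, pid
```

Against a real host, feed `preflight` the captured standard output of `oscap info <datastream>` instead of the sample string.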
Test with:
RHEL-8.4.0-20210309.1-x86_64-dvd1.iso
ovirt-engine-appliance-4.4-20210408133441.1.el8.x86_64
ovirt-hosted-engine-setup-2.4.9-1.el8.noarch

HE deploys successfully. Move it to "VERIFIED"

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Moderate: RHV Engine and Host Common Packages security update [ovirt-4.4.6]), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2021:2180