
Bug 1924590

Summary: "FIPS mode is not enabled as required" error occurs in "Enforce FIPS mode" task when deploying hosted engine
Product: Red Hat Enterprise Virtualization Manager
Reporter: Wei Wang <weiwang>
Component: ovirt-ansible-collection
Assignee: Asaf Rachmani <arachman>
Status: CLOSED ERRATA
QA Contact: Wei Wang <weiwang>
Severity: high
Docs Contact:
Priority: unspecified
Version: 4.4.6
CC: arachman, bugs, cshao, lsvaty, mavital, mtessun, peyu, sbonazzo, shlei, weiwang, yaniwang
Target Milestone: ovirt-4.4.6
Keywords: ZStream
Target Release: 4.4.6
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2021-06-01 13:23:43 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: Integration
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Attachments:
  issue log files (flags: none)
  openscap-report (flags: none)

Description Wei Wang 2021-02-03 09:26:10 UTC
Created attachment 1754631 [details]
issue log files

Description of problem:
-> $ hosted-engine --deploy
...
[ INFO  ] TASK [ovirt.ovirt.hosted_engine_setup : Enforce FIPS mode]
[ ERROR ] fatal: [localhost -> rhevh-hostedengine-vm-05.lab.eng.pek2.redhat.com]: FAILED! => {"changed": false, "msg": "FIPS mode is not enabled as required"}
[ INFO  ] TASK [ovirt.ovirt.hosted_engine_setup : Sync on engine machine]
...


Version-Release number of selected component (if applicable):
ovirt-hosted-engine-setup-2.5.0-0.0.master.20201216174101.git2a94b06.el8.noarch
ansible-2.9.17-1.el8.noarch

How reproducible:


Steps to Reproduce:
1. Install RHEL 8 server host
2. Enable ovirt repos
3. Install ovirt-engine-appliance
4. hosted-engine --deploy

Actual results:
"FIPS mode is not enabled as required" error occurs in "Enforce FIPS mode" task when deploying hosted engine

Expected results:
Hosted engine deploy successful without error.

Additional info:

Comment 1 Asaf Rachmani 2021-03-01 09:31:19 UTC
Created attachment 1759907 [details]
openscap-report

The issue is with the appliance, upstream only.
When trying to apply openscap I get "Result notapplicable".
Seems similar to https://bugs.centos.org/view.php?id=17996

Comment 2 Asaf Rachmani 2021-03-04 11:46:49 UTC
"DISA STIG" profile is not supported on CentOS anymore.
The only profiles we can use for CentOS are PCI-DSS and Standard:

# oscap info  "openscap-us/scap-security-guide-0.1.54/ssg-centos8-ds.xml"
Document type: Source Data Stream
Imported: 2021-02-03T11:21:55

Stream: scap_org.open-scap_datastream_from_xccdf_ssg-rhel8-xccdf-1.2.xml
Generated: (null)
Version: 1.3
Checklists:
	Ref-Id: scap_org.open-scap_cref_ssg-rhel8-xccdf-1.2.xml
WARNING: Datastream component 'scap_org.open-scap_cref_security-data-oval-com.redhat.rhsa-RHEL8.xml' points out to the remote 'https://www.redhat.com/security/data/oval/com.redhat.rhsa-RHEL8.xml'. Use '--fetch-remote-resources' option to download it.
WARNING: Skipping 'https://www.redhat.com/security/data/oval/com.redhat.rhsa-RHEL8.xml' file which is referenced from datastream
		Status: draft
		Generated: 2021-02-03
		Resolved: true
		Profiles:
			Title: PCI-DSS v3.2.1 Control Baseline for Red Hat Enterprise Linux 8
				Id: xccdf_org.ssgproject.content_profile_pci-dss
			Title: Standard System Security Profile for Red Hat Enterprise Linux 8
				Id: xccdf_org.ssgproject.content_profile_standard
		Referenced check files:
			ssg-rhel8-oval.xml
				system: http://oval.mitre.org/XMLSchema/oval-definitions-5
			ssg-rhel8-ocil.xml
				system: http://scap.nist.gov/schema/ocil/2
			security-data-oval-com.redhat.rhsa-RHEL8.xml
				system: http://oval.mitre.org/XMLSchema/oval-definitions-5
Checks:
	Ref-Id: scap_org.open-scap_cref_ssg-rhel8-oval.xml
	Ref-Id: scap_org.open-scap_cref_ssg-rhel8-ocil.xml
	Ref-Id: scap_org.open-scap_cref_ssg-rhel8-cpe-oval.xml
	Ref-Id: scap_org.open-scap_cref_security-data-oval-com.redhat.rhsa-RHEL8.xml
Dictionaries:
	Ref-Id: scap_org.open-scap_cref_ssg-rhel8-cpe-dictionary.xml


Sandro, Martin, 
Should we use another profile instead of "DISA STIG"?
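
The failing "Enforce FIPS mode" task in the description and the profile listing above point to two pre-flight checks a deployer can run on the appliance before the deploy reaches that task: whether the kernel really is in FIPS mode, and whether the SCAP datastream on the appliance contains the profile the deployment intends to apply. The script below is an added example written for this page, not code from ovirt-ansible-collection or ovirt-hosted-engine-setup. It reads the kernel's FIPS flag from /proc/sys/crypto/fips_enabled (the same signal `fips-mode-setup --check` reports on RHEL 8) and parses `oscap info` output for profile ids, using the output quoted in this comment as a constructed sample. The `stig` profile id is assumed to be the one scap-security-guide uses for DISA STIG on RHEL 8; it does not appear in the page's output, which is exactly the condition the check is meant to catch.

```shell
#!/bin/sh
# Added example, not code from ovirt-ansible-collection or hosted-engine-setup.
# Two pre-flight checks for the failure modes discussed in this bug:
#   (1) is FIPS mode actually enabled in the running kernel, and
#   (2) does the SCAP datastream contain the profile we intend to apply,
#       falling back to profiles that do exist.

# 1. FIPS status as the kernel reports it. The path is a parameter so the
#    function can be exercised against a constructed file; the default is
#    the real sysctl node on RHEL 8.
fips_enabled() {
    f="${1:-/proc/sys/crypto/fips_enabled}"
    [ -r "$f" ] || return 2          # no FIPS-capable kernel, or no access
    [ "$(cat "$f")" = "1" ]
}

# 2. Profile ids present in captured `oscap info <datastream>` output ($1),
#    printed one per line.
profile_ids() {
    printf '%s\n' "$1" | sed -n 's/^[[:space:]]*Id:[[:space:]]*//p'
}

# True when profile $2 is listed in the oscap info output $1.
has_profile() {
    profile_ids "$1" | grep -qxF -- "$2"
}

# Print the first profile from the preference list ($2 ...) that the
# datastream output ($1) provides; fail if none of them is present.
pick_profile() {
    info="$1"; shift
    for id in "$@"; do
        if has_profile "$info" "$id"; then
            printf '%s\n' "$id"
            return 0
        fi
    done
    return 1
}

# Constructed sample: the profile section of the `oscap info` output quoted
# in comment 2 (CentOS 8 datastream offering only pci-dss and standard).
SAMPLE_OSCAP_INFO=$(cat <<'EOF'
Document type: Source Data Stream
Stream: scap_org.open-scap_datastream_from_xccdf_ssg-rhel8-xccdf-1.2.xml
Checklists:
	Ref-Id: scap_org.open-scap_cref_ssg-rhel8-xccdf-1.2.xml
		Profiles:
			Title: PCI-DSS v3.2.1 Control Baseline for Red Hat Enterprise Linux 8
				Id: xccdf_org.ssgproject.content_profile_pci-dss
			Title: Standard System Security Profile for Red Hat Enterprise Linux 8
				Id: xccdf_org.ssgproject.content_profile_standard
EOF
)

# Assumed id of the DISA STIG profile in scap-security-guide for RHEL 8
# (the profile this bug's deployment tried to apply; not in the sample).
STIG_PROFILE=xccdf_org.ssgproject.content_profile_stig

# Stand-alone run: report this host's FIPS state and which profile the
# sample datastream would let us apply.
if fips_enabled; then
    echo "FIPS mode: enabled"
else
    echo "FIPS mode: NOT enabled (the Enforce FIPS mode task would fail here)"
fi
if chosen=$(pick_profile "$SAMPLE_OSCAP_INFO" "$STIG_PROFILE" \
        xccdf_org.ssgproject.content_profile_pci-dss \
        xccdf_org.ssgproject.content_profile_standard); then
    echo "Profile to apply: $chosen"
else
    echo "None of the requested profiles exist in the datastream"
fi
```

On a real appliance, replace the constructed sample with `oscap info "$DATASTREAM"` captured into a variable; the parser only looks at `Id:` lines, so the remote-OVAL warnings in the output above do not disturb it. Reading the sysctl flag rather than trusting a kernel command line or a package state is deliberate: the error in this bug comes from the running system, and that is the value the deploy task is effectively asserting on.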

Comment 4 Sandro Bonazzola 2021-04-20 15:31:59 UTC
On oVirt side we are not really trying to support DISA-STIG.
This is targeting RHV on RHEL.

Comment 7 Wei Wang 2021-04-27 01:21:00 UTC
Test with:
RHEL-8.4.0-20210309.1-x86_64-dvd1.iso
ovirt-engine-appliance-4.4-20210408133441.1.el8.x86_64
ovirt-hosted-engine-setup-2.4.9-1.el8.noarch

HE deploys successfully. Move it to "VERIFIED"

Comment 11 errata-xmlrpc 2021-06-01 13:23:43 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: RHV Engine and Host Common Packages security update [ovirt-4.4.6]), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2021:2180