Bug 1967533 - [RFE] allow enabling fips on the engine VM
Summary: [RFE] allow enabling fips on the engine VM
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: ovirt-hosted-engine-setup
Classification: oVirt
Component: Plugins.General
Version: ---
Hardware: Unspecified
OS: Unspecified
Target Milestone: ovirt-4.4.8
Assignee: Asaf Rachmani
QA Contact: Qin Yuan
Reported: 2021-06-03 10:22 UTC by Yedidyah Bar David
Modified: 2021-08-19 06:23 UTC (History)

Fixed In Version: ovirt-hosted-engine-setup-2.5.3-1.el8ev, ovirt-ansible-collection-1.5.4-1.el8ev
Clone Of:
Environment:
Last Closed: 2021-08-19 06:23:01 UTC
oVirt Team: Integration
Embargoed:
sbonazzo: ovirt-4.4+
pm-rhel: planning_ack?
pm-rhel: devel_ack+
pm-rhel: testing_ack?


Links
System ID Private Priority Status Summary Last Updated
oVirt gerrit 115701 0 master MERGED fips: Allow enabling fips on the engine VM 2021-07-19 07:54:21 UTC

Description Yedidyah Bar David 2021-06-03 10:22:19 UTC
Description of problem:

Right now, we enable fips on the engine VM only if the user wants to apply an OpenSCAP profile. Add an independent question for this and pass as a new ansible var, to be added in bug 1967530.

Comment 1 Qin Yuan 2021-08-18 03:46:54 UTC
Verified with:
ovirt-hosted-engine-setup-2.5.3-1.el8ev.noarch
ovirt-ansible-collection-1.6.0-1.el8ev.noarch

Steps:
1. Run `hosted-engine --deploy`
2. Don't apply OpenSCAP security profile, check if there is an independent question asking for enabling FIPS mode on engine VM.
3. Choose to enable FIPS, check if hosted engine deployment could succeed.
4. Check if FIPS mode is enabled on engine VM after deployment finished.

Results:
1. There is an independent question asking for enabling FIPS mode on engine VM when OpenSCAP security profile is not applied.
  Do you want to apply a default OpenSCAP security profile? (Yes, No) [No]: 
  Do you want to enable FIPS? (Yes, No) [No]:

2. Hosted engine deployment succeeds when enabling FIPS mode but not applying OpenSCAP security profile.

3. FIPS mode is enabled on engine VM after deployment finished:
# fips-mode-setup --check
FIPS mode is enabled.
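
A more detailed version of the step 4 check, as an added example that is not part of the original comment or of the oVirt project's code: it cross-checks the kernel flag, the boot command line and the active crypto policy, so that a kernel in FIPS mode with a non-FIPS policy is reported as a failure. The function name `check_fips` and its optional root-directory argument are hypothetical; the file paths are the usual EL8 locations and are assumed to apply to the engine VM.

```shell
#!/bin/sh
# Added example: cross-check FIPS state on an EL8 system such as the engine VM.
# Usage: check_fips [ROOT]
#   ROOT is a hypothetical optional prefix (default: the live system) so the
#   same checks can be run against a mounted image or a constructed test tree.
# Prints one line per check and returns 0 only if every check passes.
check_fips() {
    root="${1:-}"
    rc=0

    # 1. The kernel reports FIPS mode through this sysctl file (1 = enabled).
    flag=$(cat "$root/proc/sys/crypto/fips_enabled" 2>/dev/null || echo missing)
    if [ "$flag" = "1" ]; then
        echo "kernel:  fips_enabled=1"
    else
        echo "kernel:  fips_enabled=$flag (expected 1)"
        rc=1
    fi

    # 2. FIPS mode is switched on at boot with fips=1 on the kernel command line.
    cmdline=$(cat "$root/proc/cmdline" 2>/dev/null || true)
    case " $cmdline " in
        *" fips=1 "*) echo "cmdline: fips=1 present" ;;
        *)            echo "cmdline: fips=1 missing"; rc=1 ;;
    esac

    # 3. The system-wide crypto policy must also be FIPS (or FIPS:<subpolicy>);
    #    a FIPS kernel with another policy is an inconsistent state.
    policy=$(cat "$root/etc/crypto-policies/state/current" 2>/dev/null || echo missing)
    case "$policy" in
        FIPS|FIPS:*) echo "policy:  $policy" ;;
        *)           echo "policy:  $policy (expected FIPS)"; rc=1 ;;
    esac

    return "$rc"
}
```

Calling `check_fips` with no argument on the engine VM inspects the running system; a non-zero return means at least one of the three checks disagreed.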

Comment 2 Sandro Bonazzola 2021-08-19 06:23:01 UTC
This bugzilla is included in oVirt 4.4.8 release, published on August 19th 2021.

Since the problem described in this bug report should be resolved in oVirt 4.4.8 release, it has been closed with a resolution of CURRENT RELEASE.

If the solution does not work for you, please open a new bug report.

