Description of problem: python-oslo-db supports using auth_ed25519 for password authentication with MySQL. This is not the default and is not known to be utilized by any customers at this time. Furthermore, the RPM requirements pull in pynacl, which pulls in libsodium, which is an encryption library that is otherwise unused in OSP17. As it happens, the requirement isn't direct from python-oslo-db - PyMySQL will do a check-import of pynacl, and automatically disable auth_ed25519 if pynacl isn't available, so it's safe to drop this support without adversely affecting other code paths. How reproducible: 100% Steps to Reproduce: 1. dnf install -y python3-oslo-db Actual results: python3-pynacl and libsodium are installed Expected results: No more python3-pynacl or libsodium Additional info: To my knowledge, no version of pynacl is FIPS certified.
There is an RFE which intended to add support for ed25519. I'm not following the latest status of that work but that RFE should be considered before we determine whether we go ahead removing support. https://bugzilla.redhat.com/show_bug.cgi?id=1687309 https://bugs.launchpad.net/tripleo/+bug/1866093
Per https://bugzilla.redhat.com/show_bug.cgi?id=1687309#c21 I have closed the RFE as CANTFIX since there is no way for us to implement ed25519 support in MariaDB in a FIPS compliant way.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Release of components for Red Hat OpenStack Platform 17.0 (Wallaby)), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHEA-2022:6543