Bug 2126483 - Setup on a separate machine fails in FIPS mode
Summary: Setup on a separate machine fails in FIPS mode
Keywords:
Status: CLOSED NEXTRELEASE
Alias: None
Product: ovirt-engine
Classification: oVirt
Component: Setup.EngineCommon
Version: 4.5.0.6
Hardware: Unspecified
OS: Unspecified
Target Milestone: ovirt-4.5.3
Assignee: Yedidyah Bar David
QA Contact: Qin Yuan
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2022-09-13 14:27 UTC by Yedidyah Bar David
Modified: 2022-10-03 19:00 UTC

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2022-10-03 19:00:49 UTC
oVirt Team: Integration
Embargoed:
mperina: ovirt-4.5+


Links
| System | ID | Private | Priority | Status | Summary | Last Updated |
|---|---|---|---|---|---|---|
| Github | oVirt ovirt-engine pull 652 | 0 | None | open | Fix remote engine fips mode | 2022-09-13 14:28:57 UTC |
| Red Hat Issue Tracker | RHV-47905 | 0 | None | None | None | 2022-09-13 14:45:37 UTC |

Description Yedidyah Bar David 2022-09-13 14:27:58 UTC
Description of problem:

Setup on a separate machine fails in FIPS mode, with:

  File "/usr/lib/python3.6/site-packages/otopi/context.py", line 132, in _executeMethod
    method['method']()
  File "/usr/share/ovirt-engine/setup/bin/../plugins/ovirt-engine-setup/ovirt-engine-dwh/core/remote_engine.py", line 83, in _remote_engine_customization
    oenginecons.ConfigEnv.ENGINE_FQDN
  File "/usr/share/ovirt-engine/setup/ovirt_engine_setup/remote_engine.py", line 146, in configure
    self._style.configure(fqdn=fqdn)
  File "/usr/share/ovirt-engine/setup/bin/../plugins/ovirt-engine-common/base/remote_engine/remote_engine_root_ssh.py", line 177, in configure
    self._ssh_connect()
  File "/usr/share/ovirt-engine/setup/bin/../plugins/ovirt-engine-common/base/remote_engine/remote_engine_root_ssh.py", line 153, in _ssh_connect
    osetupcons.ConfigEnv.REMOTE_ENGINE_HOST_CLIENT_KEY
  File "/usr/lib/python3.6/site-packages/paramiko/client.py", line 416, in connect
    self, server_hostkey_name, server_key
  File "/usr/lib/python3.6/site-packages/paramiko/client.py", line 837, in missing_host_key
    key.get_name(), hostname, hexlify(key.get_fingerprint())
  File "/usr/lib/python3.6/site-packages/paramiko/pkey.py", line 180, in get_fingerprint
    return md5(self.asbytes()).digest()

Version-Release number of selected component (if applicable):
current master, probably for a long time

How reproducible:
Always, I think

Steps to Reproduce:
1. Set up an engine on machine A
2. Install machine B in FIPS mode (or convert it to that)
3. Install e.g. dwh
4. Run engine-setup choosing to configure stuff with the engine on machine A

Actual results:
Fails as above

Expected results:
Succeeds

Additional info:
This is due to a bug in paramiko [1]. Fixing it in engine-setup code without fixing [1] might not be possible or easy in all cases.

[1] https://github.com/paramiko/paramiko/issues/396
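
The traceback above ends in paramiko's MD5-based `get_fingerprint()`, reached from `missing_host_key`. As an added illustration (not part of this bug report, not paramiko's or oVirt's code, and not the change in the linked pull request), the following Python reports an unknown host key with a SHA-256 fingerprint and treats the MD5 form as optional. All function names, the hostname and the key blob are constructed for the example.

```python
import base64
import hashlib
import struct


def ssh_string(data: bytes) -> bytes:
    """Encode data as an SSH wire-format string (uint32 length + bytes)."""
    return struct.pack(">I", len(data)) + data


def key_type(blob: bytes) -> str:
    """Read the algorithm name from the first string of a public key blob."""
    if len(blob) < 4:
        raise ValueError("key blob too short")
    (n,) = struct.unpack(">I", blob[:4])
    name = blob[4:4 + n]
    if len(name) != n:
        raise ValueError("truncated key blob")
    return name.decode("ascii")


def sha256_fingerprint(blob: bytes) -> str:
    """OpenSSH-style fingerprint; SHA-256 stays available in FIPS mode."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def md5_fingerprint(blob: bytes):
    """Legacy colon-hex MD5 fingerprint, or None where MD5 is refused."""
    try:
        digest = hashlib.md5(blob).digest()
    except ValueError:  # hashlib raises this when the backend blocks MD5
        return None
    return ":".join(f"{b:02x}" for b in digest)


def describe_unknown_host_key(hostname: str, blob: bytes) -> str:
    """Build an 'unknown host key' message that never depends on MD5."""
    msg = f"Unknown {key_type(blob)} host key for {hostname}: "
    msg += sha256_fingerprint(blob)
    legacy = md5_fingerprint(blob)
    if legacy is not None:  # shown only as a convenience on non-FIPS hosts
        msg += f" (MD5:{legacy})"
    return msg


# Constructed sample: an ssh-ed25519 blob carrying a dummy 32-byte key.
SAMPLE_BLOB = ssh_string(b"ssh-ed25519") + ssh_string(bytes(range(32)))

if __name__ == "__main__":
    print(describe_unknown_host_key("engine.example.com", SAMPLE_BLOB))
```
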

Comment 1 Casper (RHV QE bot) 2022-09-13 14:30:59 UTC
This bug has low overall severity and is not going to be further verified by QE. If you believe special care is required, feel free to properly align relevant severity, flags and keywords to raise PM_Score or use one of the Bumps ('PrioBumpField', 'PrioBumpGSS', 'PrioBumpPM', 'PrioBumpQA') in Keywords to raise its PM_Score above verification threshold (1000).

Comment 2 Yedidyah Bar David 2022-09-20 08:13:05 UTC
Moving to MODIFIED, despite not covering all possible cases. A complete fix is to fix paramiko, see comment 0.

Comment 3 Casper (RHV QE bot) 2022-10-03 19:00:49 UTC
This bug has low overall severity and passed an automated regression suite, and is not going to be further verified by QE. If you believe special care is required, feel free to re-open to ON_QA status.

