Description of problem: The overcloud deploy fails on the mysql setup when deploying FIPS and tls-everywhere. The default cipher in hieradata is AES128-SHA256 for mysql and this is not allowed in FIPS Version-Release number of selected component (if applicable): RHOS-17.0-RHEL-9-20220909.n.0 How reproducible: everytime Steps to Reproduce: 1. deploy OSP systems with FIPS enabled 2. overcloud deploy with fips and tls-e tht items openstack-tripleo-heat-templates/environments/fips.yaml openstack-tripleo-heat-templates/environments/ssl/tls-everywhere-endpoints-dns.yaml openstack-tripleo-heat-templates/environments/ssl/enable-internal-tls.yaml openstack-tripleo-heat-templates/environments/services/haproxy-public-tls-certmonger.yaml Actual results: deploy fails Expected results: deploy succeeds Additional info: we most likely will need to use a supported cipher hieradata config tripleo::profile::pacemaker::mysql_bundle::gcomm_cipher=ECDHE-RSA-AES256-GCM-SHA384
/usr/share/openstack-tripleo-heat-templates/environments/fips.yaml already contains: parameter_defaults: # Set ISCSI Chap algorithms to specifically disallow MD5 IscsidCHAPAlgorithms: 'SHA3-256,SHA256,SHA1' # Set SnmpdReadonlyUserAuthType to not be 'MD5' SnmpdReadonlyUserAuthType: 'SHA' # Add RabbitAdditionalErlArgs for FIPS RabbitFIPS: true maybe we should add the gcomm_cipher override to this template (or expose it as parameter in THT?).
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Release of components for Red Hat OpenStack Platform 17.1 (Wallaby)), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHEA-2023:4577