Bug 2166839
| Summary: | satellite does not work when crypto policy future is enabled | ||
|---|---|---|---|
| Product: | Red Hat Satellite | Reporter: | Benjamin Hackl-Blaimschein <benjamin.hackl-blaimschein> |
| Component: | Installation | Assignee: | satellite6-bugs <satellite6-bugs> |
| Status: | CLOSED COMPLETED | QA Contact: | Gaurav Talreja <gtalreja> |
| Severity: | low | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 6.12.1 | CC: | ehelms, ekohlvan |
| Target Milestone: | Unspecified | Flags: | benjamin.hackl-blaimschein: needinfo- |
| Target Release: | Unused | ||
| Hardware: | All | ||
| OS: | All | ||
| Last Closed: | 2023-02-27 08:12:38 UTC | Type: | Bug |
| Bug Depends On: | 2117265 | ||

(In reply to Benjamin Hackl-Blaimschein from comment #0)
> Installer does not warn if crypto policy is set to future. Installer runs,
> but some services silently fail - e.g.

This is all Candlepin, which has been fixed in https://github.com/theforeman/puppet-candlepin/commit/86bb0923677aa7586709ae4266f1c8bf9a1e97c4. https://bugzilla.redhat.com/show_bug.cgi?id=2117265#c2 contains some notes on overriding the ciphers in custom-hiera.yaml, though you should remove that once Satellite defaults to the more secure ciphers.

> Update documentation and/or implement an installer check.

This has been added to the documentation. I can't link exactly to the sentence, but https://access.redhat.com/documentation/en-us/red_hat_satellite/6.11/html/installing_satellite_server_in_a_connected_network_environment/preparing_your_environment_for_installation_satellite#system-requirements_satellite is the chapter that includes:

> Satellite supports DEFAULT and FIPS crypto-policies. The FUTURE crypto-policy is not supported for Satellite and Capsule installations.

An installer check has a problem. https://bugzilla.redhat.com/show_bug.cgi?id=2117265 is still open for real support, but currently it's blocked on CDN access which we don't control. If we implement a check, it requires Satellite to push an update to remove that check when the CDN does support it.

So in summary:

* It's already documented in the system requirements
* A future Satellite itself should work out of the box with FUTURE crypto-policy
* It's unknown when the Red Hat CDN becomes compatible with FUTURE crypto-policy
* An installer check for a non-local dependency can create issues down the line

Because of that I'm inclined to close this bug now. Do you agree your concern has been addressed?

Yes please close. Documentation already states that FUTURE crypto-policy is not supported. Somehow I missed this, sorry. Thank you.

Description of problem:
Installer does not warn if crypto policy is set to future. Installer runs, but some services silently fail - e.g.

Version-Release number of selected component (if applicable):
6.12.1 - but probably all versions > 6.11

How reproducible:
always.

Steps to Reproduce:
1. update-crypto-policies --set future
2. systemctl reboot
3. satellite-installer --scenario satellite
4. hammer ping

Actual results:

    # hammer ping
    database:
        Status: ok
        Server Response: Duration: 0ms
    candlepin:
        Status: FAIL
        Server Response: Message: Failed to open TCP connection to localhost:23443 (Connection refused - connect(2) for "localhost" port 23443)
    candlepin_auth:
        Status: FAIL
        Server Response: Message: A backend service [ Candlepin ] is unreachable
    candlepin_events:
        Status: ok
        message: 0 Processed, 0 Failed
        Server Response: Duration: 0ms
    katello_events:
        Status: ok
        message: 0 Processed, 0 Failed
        Server Response: Duration: 0ms
    pulp3:
        Status: ok
        Server Response: Duration: 240ms
    pulp3_content:
        Status: ok
        Server Response: Duration: 58ms
    foreman_tasks:
        Status: ok
        Server Response: Duration: 3ms

Expected results:

    hammer ping
    database:
        Status: ok
        Server Response: Duration: 0ms
    candlepin:
        Status: ok
        Server Response: Duration: 20ms
    candlepin_auth:
        Status: ok
        Server Response: Duration: 16ms
    candlepin_events:
        Status: ok
        message: 27 Processed, 0 Failed
        Server Response: Duration: 0ms
    katello_events:
        Status: ok
        message: 0 Processed, 0 Failed
        Server Response: Duration: 0ms
    pulp3:
        Status: ok
        Server Response: Duration: 268ms
    pulp3_content:
        Status: ok
        Server Response: Duration: 231ms
    foreman_tasks:
        Status: ok
        Server Response: Duration: 4ms

Additional info:
Update documentation and/or implement an installer check.
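
Added example (not part of the bug thread and not Satellite or installer code): an operator-side pre-flight check that can be run before satellite-installer, based on the documentation sentence quoted above that only DEFAULT and FIPS are supported. The function names are hypothetical; reading /etc/crypto-policies/state/current as a fallback and flagging subpolicy-modified policies (for example DEFAULT:SHA1) for manual review are assumptions of this example.

```shell
#!/bin/sh
# Added example: pre-flight check of the system-wide crypto policy.
# Supported list comes from the documentation sentence quoted in this bug.

# Classify a policy string as printed by `update-crypto-policies --show`.
# Prints one of: supported | review | unsupported | unknown
classify_crypto_policy() {
    policy=$(printf '%s' "$1" | tr -d '[:space:]' | tr '[:lower:]' '[:upper:]')
    case "$policy" in
        "")               echo unknown ;;
        DEFAULT|FIPS)     echo supported ;;
        # Assumption: a supported base with subpolicy modifiers needs a human look.
        DEFAULT:*|FIPS:*) echo review ;;
        # FUTURE and anything else the documentation does not list.
        *)                echo unsupported ;;
    esac
}

# Print the active policy. With no argument, ask update-crypto-policies and
# fall back to the state file; with an argument, read that file (for testing).
current_crypto_policy() {
    state_file=${1:-/etc/crypto-policies/state/current}
    if [ -z "$1" ] && command -v update-crypto-policies >/dev/null 2>&1; then
        update-crypto-policies --show
    elif [ -r "$state_file" ]; then
        cat "$state_file"
    fi
}

# Return 0 when installation can proceed, 1 otherwise; messages go to stderr.
preflight_crypto_policy() {
    current=$(current_crypto_policy "$@" | tr -d '[:space:]')
    verdict=$(classify_crypto_policy "$current")
    case "$verdict" in
        supported)
            return 0 ;;
        review)
            echo "WARNING: crypto policy '$current' has subpolicy modifiers; verify before installing" >&2
            return 0 ;;
        *)
            echo "ERROR: crypto policy '${current:-not detected}' is not DEFAULT or FIPS; Candlepin may fail to start (check 'hammer ping')" >&2
            return 1 ;;
    esac
}

# Usage: preflight_crypto_policy && satellite-installer --scenario satellite
```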