allow FIPS enabled systems to register successfully with puppet #236
Conversation
bootstrap.py
Outdated
| if fipsStatus == "1": | ||
| return True | ||
| else: | ||
| return False |
There was a problem hiding this comment.
Any reason not to do this?
return fipsStatus == "1"There was a problem hiding this comment.
It seemed more pythonic to return True/False in lieu of a value. But I can be convinced otherwise.
There was a problem hiding this comment.
return fipsStatus == "1" will return (True/False) just fine and is imho the pythonicst way to do it.
There was a problem hiding this comment.
And, for those interested, it's the Ruby way also (though I'm struggling to find a link to back myself up).
README.md
Outdated
|
|
||
| ## FIPS support | ||
|
|
||
| On systems with FIPS enabled (where `/proc/sys/crypto/fips_enabled` == `1`), algorithms such as MD5 are disallowed. |
There was a problem hiding this comment.
I think this should be '/proc/sys/crypto/fips_enabled == 1' (but using backticks, of course)
README.md
Outdated
| On systems with FIPS enabled (where `/proc/sys/crypto/fips_enabled` == `1`), algorithms such as MD5 are disallowed. | ||
| Bootstrap will configure `digest_algorithm = sha256` in puppet.conf to allow successful puppet runs. | ||
| However, the signing algorithm **must** match on the Puppet Master. It is expected that the Puppet Masters are configured with | ||
| the **same** algorithm. |
bootstrap.py
Outdated
| """ | ||
| Checks to see if the system is FIPS enabled. | ||
| """ | ||
| fipsfile = open("/proc/sys/crypto/fips_enabled", "r") |
bootstrap.py
Outdated
| Checks to see if the system is FIPS enabled. | ||
| """ | ||
| fipsfile = open("/proc/sys/crypto/fips_enabled", "r") | ||
| fipsStatus = fipsfile.read(1) |
There was a problem hiding this comment.
and this fips_status, we're in snake_land here ;)
sideangleside
force-pushed
the
puppet-fips-support
branch
from
5597841 to
97e1930
Compare
|
I've incorporated all of the above feedback into 97e1930 |
bootstrap.py
Outdated
| """ | ||
| fips_file = open("/proc/sys/crypto/fips_enabled", "r") | ||
| fips_status = fips_file.read(1) | ||
| if fips_status == "1": |
| """ | ||
| Checks to see if the system is FIPS enabled. | ||
| """ | ||
| fips_file = open("/proc/sys/crypto/fips_enabled", "r") |
There was a problem hiding this comment.
I wonder if we should handle systems where this file does not exist. (like a CentOS container running on Debian).
There was a problem hiding this comment.
Why wouldn't it exist? (though if we are going to pretend bootstrap works on non-RHEL, we'll need a whole nother 5 pull requests)
There was a problem hiding this comment.
I think an EL/Fedora container running on non-EL/Fedora is the only way this could happen.
There was a problem hiding this comment.
but the FIPS attribute is set at the kernel level. I suspect /proc/sys/crypto/fips_enabled exists on a Debian system. (Though I don't have one in front of me to confirm)
There was a problem hiding this comment.
Yeah, it's dependent on the docker host. Every single OS image (centos, rhel, debian, alpine) has that file when I run docker on Fedora, but none of the images has it when I run on non-EL/Fedora, such as on OS X, for instance. To clarify, running a RHEL container does not even have that file if the container is running on an OS that doesn't have that file.
There was a problem hiding this comment.
Yeah, exactly. It's a kernel thing, so a container running on a non-EL/Fedora kernel will not have this.
It's not like I like registering containers anyways...
sideangleside
force-pushed
the
puppet-fips-support
branch
from
97e1930 to
9ee74d4
Compare
* make bootstrap.py compatible with Puppet 4 (Katello#230) * add ansible example playbook (Katello#197) * remove SAMs CA consumer RPM in remove_obsolete_packages() (Katello#234) * allow FIPS enabled systems to register successfully with puppet (Katello#236) * allow configuring timeout for API calls and subscription-manager (Katello#237) * implement switching proxy / caps without destroying the host in Foreman (Katello#227)
Fixes #235