allow FIPS enabled systems to register successfully with puppet #236

Merged, 1 commit, Jan 18, 2018
6 changes: 6 additions & 0 deletions README.md
@@ -480,6 +480,12 @@ Options:
separated
~~~

# Additional Notes

## FIPS support

On systems with FIPS enabled (where `/proc/sys/crypto/fips_enabled == 1`), algorithms such as MD5 are disallowed. Bootstrap will configure `digest_algorithm = sha256` in puppet.conf to allow successful puppet runs. However, the signing algorithm **must** match on the Puppet Master. It is expected that the Puppet Masters are configured with the **same** algorithm.

# Ansible integration

The `bootstrap.yml` file contains a playbook for [Ansible](https://www.ansible.com/) which can be used to copy `bootstrap.py` to the target machine and execute it there with predefined parameters.
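Review bot: the FIPS note added in this hunk tells the reader that the Puppet Master's digest algorithm must match, but not how to check it or what a mismatch looks like, and it describes the check as `/proc/sys/crypto/fips_enabled == 1` without saying what bootstrap does when that file is absent (the container-on-a-non-EL-host case raised in the review comments on `is_fips()`); one sentence on each would pre-empt a support question, e.g. `Make sure the Puppet Master's puppet.conf also sets digest_algorithm = sha256, otherwise the agent's certificate request will be rejected.` Also, the rest of this README puts configuration values in `~~~` fenced blocks (see the block closed just above this hunk), so `digest_algorithm = sha256` would read more consistently in one.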
12 changes: 12 additions & 0 deletions bootstrap.py
@@ -247,6 +247,15 @@ def get_puppet_version():
return puppet_version


def is_fips():
"""
Checks to see if the system is FIPS enabled.
"""
fips_file = open("/proc/sys/crypto/fips_enabled", "r")

Member:
I wonder if we should handle systems where this file does not exist. (like a CentOS container running on Debian).

Member Author:
Why wouldn't it exist? (though if we are going to pretend bootstrap works on non-RHEL, we'll need a whole nother 5 pull requests)

Member:
I think an EL/Fedora container running on non-EL/Fedora is the only way this could happen.

Member Author:
but the FIPS attribute is set at the kernel level. I suspect /proc/sys/crypto/fips_enabled exists on a Debian system. (Though I don't have one in front of me to confirm)

Member:
Yeah, it's dependent on the docker host. Every single OS image (centos, rhel, debian, alpine) has that file when I run docker on Fedora, but none of the images has it when I run on non-EL/Fedora, such as on OS X, for instance. To clarify, running a RHEL container does not even have that file if the container is running on an OS that doesn't have that file.

Member:
Yeah, exactly. It's a kernel thing, so a container running on a non-EL/Fedora kernel will not have this.

It's not like I like registering containers anyways...

fips_status = fips_file.read(1)
return fips_status == "1"


def get_bootstrap_rpm():
"""
Retrieve Client CA Certificate RPMs from the Satellite 6 server.
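Review bot: `is_fips()` opens `/proc/sys/crypto/fips_enabled` unconditionally and never closes the handle, so on a kernel that does not export that sysctl (the container running on a non-EL/Fedora host discussed in the comments above) `open()` raises IOError and the whole bootstrap run dies with a traceback instead of simply skipping the FIPS branch. Suggest a guarded read that also releases the file, along the lines of `try:` / `    with open("/proc/sys/crypto/fips_enabled", "r") as fips_file:` / `        return fips_file.read(1) == "1"` followed by `except IOError: return False`, so a missing file means "not FIPS"; a docstring line stating that fallback would keep the code and the README note in agreement.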
@@ -434,6 +443,9 @@ def install_puppet_agent():
else:
print_error("Unsupported puppet version")
sys.exit(1)
if is_fips():
main_section += "digest_algorithm = sha256"
print_generic("System is in FIPS mode. Setting digest_algorithm to SHA256 in puppet.conf")
puppet_conf = open(puppet_conf_file, 'wb')
puppet_conf.write("""
%s
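Review bot: the string appended in the `if is_fips():` branch, `main_section += "digest_algorithm = sha256"`, carries neither a leading nor a trailing newline, so unless whatever was appended to `main_section` before it already ends in `\n` the setting is glued onto the previous key's line and puppet reads a malformed entry; appending `"\ndigest_algorithm = sha256\n"` (or collecting the section as a list of lines and joining once) makes the result independent of the earlier appends. Minor: the `print_generic` message says `SHA256` while the value written is `sha256`; using the same spelling in both makes the log line grep-able against the config.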
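The review thread above turns on one question: what `is_fips()` should do when `/proc/sys/crypto/fips_enabled` does not exist, which happens when a container runs on a host kernel that does not export the sysctl. The block below is an added example, not code from the katello bootstrap project, showing a check that treats a missing file as "not FIPS" while still surfacing any other error, together with a helper that puts `digest_algorithm` on its own line in a puppet.conf `[main]` section. The sysctl path is the real one; the `with_digest_algorithm` helper, the `path` parameter and the sample files written by `_demo()` are assumptions made for the example.

```python
"""Added example (not part of katello/bootstrap): FIPS detection that
tolerates a missing /proc/sys/crypto/fips_enabled, plus a puppet.conf
[main]-section helper. Runs on Python 2.7 and 3.x."""
import errno
import os
import tempfile

# Real kernel sysctl; absent on kernels that do not export it.
FIPS_SYSCTL = "/proc/sys/crypto/fips_enabled"


def is_fips(path=FIPS_SYSCTL):
    """Return True only when the kernel reports FIPS mode enabled.

    The file is provided by the kernel, so a container whose host kernel
    lacks it (or a non-Linux host) has no such file at all. A missing file
    is treated as "not FIPS" so bootstrap does not crash; any other error
    (e.g. EACCES) is re-raised rather than silently reported as non-FIPS.
    The 'path' parameter exists so the check can be exercised on sample
    files; production callers use the default.
    """
    try:
        with open(path, "r") as fips_file:
            return fips_file.read().strip() == "1"
    except (IOError, OSError) as exc:
        if exc.errno == errno.ENOENT:
            return False
        raise


def with_digest_algorithm(main_section, algorithm="sha256"):
    """Return main_section with digest_algorithm set on its own line.

    Any existing digest_algorithm line is dropped first so the setting is
    never duplicated, and the result always ends with a newline so later
    appends cannot be glued onto it. (Hypothetical helper for this example.)
    """
    lines = [line for line in main_section.splitlines()
             if not line.strip().startswith("digest_algorithm")]
    lines.append("digest_algorithm = %s" % algorithm)
    return "\n".join(lines) + "\n"


def _demo():
    """Exercise is_fips() on constructed sample files standing in for the
    real sysctl: enabled, disabled, and absent."""
    tmp = tempfile.mkdtemp()
    results = {}
    for name, content in (("enabled", "1\n"), ("disabled", "0\n")):
        sample = os.path.join(tmp, name)
        with open(sample, "w") as handle:
            handle.write(content)
        results[name] = is_fips(sample)
    results["missing"] = is_fips(os.path.join(tmp, "absent"))
    return results


if __name__ == "__main__":
    print(_demo())
    print(with_digest_algorithm("server = sat.example.com"))
```

Treating ENOENT as "not FIPS" matches what the kernel is telling you: no sysctl means this kernel was never booted with FIPS enforcement, so MD5 will not be refused and the default digest is safe to leave alone. Re-raising anything else keeps a permissions problem from being misread as a plain non-FIPS host.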