fips and non fips agent rpms


sli...@verizon.net

Jun 20, 2019, 12:05:19 PM6/20/19
to Puppet Users
Hello,

We are using some fips and some non-fips agents. The proper agent rpm (fips or non-fips, based on the current configuration) has been installed; however, after agent installation, if we were to update an agent from fips to non-fips or vice versa, will the old agent rpm still function? Just running puppet agent -t seems to be working, but in that case I'm not sure what is different between the fips and non-fips agents?

Thanks

M

Josh Cooper

Jun 21, 2019, 1:29:38 PM6/21/19
to puppet...@googlegroups.com
On Thu, Jun 20, 2019 at 9:05 AM 'sli...@verizon.net' via Puppet Users
<puppet...@googlegroups.com> wrote:
>
> Hello,
>
> We are using some fips and some non-fips agents. The proper agent rpm (fips or non-fips, based on the current configuration) has been installed; however, after agent installation, if we were to update an agent from fips to non-fips or vice versa, will the old agent rpm still function?

The fips and non-fips packages have the same name, but different
releases. So if you switch from one to the other, the old one will be
removed. That said, we don't test switching, as we assume the matching
package is installed from the start.

$ rpm -qi puppet-agent
Name : puppet-agent
Version : 6.5.0
Release : 1.redhatfips7
...

$ rpm -qi puppet-agent
Name : puppet-agent
Version : 6.5.0
Release : 1.el7

> Just running puppet agent -t seems to be working, but in that case I'm not sure what is different between the fips and non-fips agents?

The fips agent is compiled against system openssl and does not contain
a vendored openssl:

$ ldd /opt/puppetlabs/puppet/lib/libfacter.so | grep libssl
libssl.so.10 => /lib64/libssl.so.10 (0x00007fefbab83000)

Whereas the non-fips agent is compiled against puppet's vendored openssl:

$ ldd /opt/puppetlabs/puppet/lib/libfacter.so | grep libssl
libssl.so.1.1 => /opt/puppetlabs/puppet/lib/libssl.so.1.1 (0x00007f705127f000)

If you install a non-fips puppet-agent on a fips-enabled host, it will
use the vendored openssl. While it will "work", I wouldn't recommend
it, because it will subvert the system's openssl.

If you install a fips puppet-agent on a non-fips-enabled host, then it
should work provided the system openssl is compatible with our ruby.

The puppet ruby code is the same for both fips and non-fips. At
runtime, puppet detects if fips is enabled, and if so, removes md5
from its list of supported checksums. This affects filebucketing and
retrieving file contents from "puppet:///" sources. Also some
operations like `puppet module install` cannot be performed due to its
reliance on md5. That will be changing in the near future though.

Josh

>
> Thanks
>
> M
>
> --
> You received this message because you are subscribed to the Google Groups "Puppet Users" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to puppet-users...@googlegroups.com.
> To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-users/59879625-fca7-4696-997a-ce4d598da63e%40googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.
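An added check script, not from the thread or from Puppet itself, that turns the three observations Josh lists (the kernel fips_enabled flag, the rpm Release suffix and the libssl line from ldd) into a mismatch classification; the function and token names are my own, and the sample run uses the values quoted above:

```shell
# Classify whether the installed puppet-agent build matches the host's FIPS mode.
# Inputs are arguments so it runs on constructed values; collect_live() reads a real host.

# "fips" if the rpm Release field carries the fips suffix (1.redhatfips7), else "nonfips" (1.el7)
agent_flavor() {
    case "$1" in
        *fips*) echo fips ;;
        *)      echo nonfips ;;
    esac
}

# "fips" if /proc/sys/crypto/fips_enabled reads 1, else "nonfips"
host_mode() {
    if [ "$1" = "1" ]; then echo fips; else echo nonfips; fi
}

# "vendored" if libssl resolves under /opt/puppetlabs (puppet's own openssl), else "system"
ssl_linkage() {
    case "$1" in
        */opt/puppetlabs/*) echo vendored ;;
        *)                  echo system ;;
    esac
}

# Combine the observations into one token: ok, vendored-ssl-on-fips-host, fips-agent-on-nonfips-host
classify() {
    host=$(host_mode "$1"); agent=$(agent_flavor "$2"); ssl=$(ssl_linkage "$3")
    if [ "$host" = fips ] && [ "$ssl" = vendored ]; then
        # non-fips build on a FIPS host: its vendored openssl bypasses the system's FIPS openssl
        echo vendored-ssl-on-fips-host
    elif [ "$host" = nonfips ] && [ "$agent" = fips ]; then
        # works as long as the system openssl stays compatible with puppet's ruby; md5 is allowed again
        echo fips-agent-on-nonfips-host
    else
        echo ok
    fi
}

# Read the live values on a real RHEL/CentOS host (not invoked by the sample run below)
collect_live() {
    flag=$(cat /proc/sys/crypto/fips_enabled 2>/dev/null || echo 0)
    rel=$(rpm -q --qf '%{RELEASE}' puppet-agent 2>/dev/null || echo unknown)
    line=$(ldd /opt/puppetlabs/puppet/lib/libfacter.so 2>/dev/null | grep libssl || true)
    classify "$flag" "$rel" "$line"
}

# Constructed sample run with the values quoted in the thread: prints "ok" then "vendored-ssl-on-fips-host"
classify 1 1.redhatfips7 "libssl.so.10 => /lib64/libssl.so.10 (0x00007fefbab83000)"
classify 1 1.el7 "libssl.so.1.1 => /opt/puppetlabs/puppet/lib/libssl.so.1.1 (0x00007f705127f000)"
```

Running collect_live on a host gives the same token for the live agent, which makes the "fips agent on a host where fips was later disabled" case from this thread visible at a glance.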

sli...@verizon.net

Jun 24, 2019, 1:04:13 PM6/24/19
to Puppet Users
Thanks Josh,

I am not switching out the package. I am making a fips-enabled server (with the fips agent installed) into a fips-disabled one, basically updating grub and rebooting. Thus now I have a non-fips-enabled machine with the puppet fips agent installed. So the question is: will it work properly, or do I have to install the non-fips agent?

Basically I am using an image with the fips agent installed. However, when we install software, it may not work with fips, so we disable fips but leave the agent alone.

My initial testing with a bare-bones master and puppet agent -t showed that the non-fips agent will work with a fips-enabled machine and vice versa. But I wanted to figure out what issues I may encounter, if any?

Thanks

M

Lindsey Smith

Jun 24, 2019, 1:34:51 PM6/24/19
to puppet...@googlegroups.com
On Mon, Jun 24, 2019 at 10:04 AM 'sli...@verizon.net' via Puppet Users <puppet...@googlegroups.com> wrote:
> Thanks Josh,
>
> I am not switching out the package. I am making a fips-enabled server (with the fips agent installed) into a fips-disabled one, basically updating grub and rebooting. Thus now I have a non-fips-enabled machine with the puppet fips agent installed. So the question is: will it work properly, or do I have to install the non-fips agent?
>
> Basically I am using an image with the fips agent installed. However, when we install software, it may not work with fips, so we disable fips but leave the agent alone.
>
> My initial testing with a bare-bones master and puppet agent -t showed that the non-fips agent will work with a fips-enabled machine and vice versa. But I wanted to figure out what issues I may encounter, if any?

I'm working on FIPS mode improvements to Puppet and would like to learn more about your environment and usage of FIPS. Could you contact me at l.s...@puppet.com?

thanks,
Lindsey

Josh Cooper

Jun 25, 2019, 11:46:11 AM6/25/19
to puppet...@googlegroups.com
On Mon, Jun 24, 2019 at 10:04 AM 'sli...@verizon.net' via Puppet Users <puppet...@googlegroups.com> wrote:
> Thanks Josh,
>
> I am not switching out the package. I am making a fips-enabled server (with the fips agent installed) into a fips-disabled one, basically updating grub and rebooting. Thus now I have a non-fips-enabled machine with the puppet fips agent installed. So the question is: will it work properly, or do I have to install the non-fips agent?
>
> Basically I am using an image with the fips agent installed. However, when we install software, it may not work with fips, so we disable fips but leave the agent alone.
>
> My initial testing with a bare-bones master and puppet agent -t showed that the non-fips agent will work with a fips-enabled machine and vice versa. But I wanted to figure out what issues I may encounter, if any?

Ah, makes sense. The fips agent should work when fips is disabled. The agent will fall back to allowing md5 for filebucketing and when retrieving file resource metadata, e.g. `source => "puppet:///modules/foo/bar.txt"`. However, if you run into issues you can always specify which digest to use explicitly. See the `digest_algorithm` puppet setting and the `checksum` file parameter.


--
Josh Cooper | Software Engineer

sli...@verizon.net

Jun 25, 2019, 1:18:31 PM6/25/19
to Puppet Users
Thanks Josh for explanation!

M