Jira (PUP-8469) fqdn_rand should use md5 on non-fips enabled hosts

[Josh Cooper (JIRA)]

Josh Cooper created an issue

Puppet / PUP-8469 fqdn_rand should use md5 on non-fips enabled hosts Issue Type: Bug Assignee: Unassigned Created: 2018/02/16 11:51 AM Priority: Normal Reporter: Josh Cooper Puppet 5.4's fqdn_rand function produces a different value than earlier versions for the same set of inputs. $ bx puppet apply -e '$value = fqdn_rand(30); notice("$puppetversion: $value")' Notice: Scope(Class[main]): 5.4.0: 22 Notice: Compiled catalog for r1nc1m63jxi6u3e.delivery.puppetlabs.net in environment production in 0.04 seconds $ bx puppet apply -e '$value = fqdn_rand(30); notice("$puppetversion: $value")' Notice: Scope(Class[main]): 5.3.5: 5 Notice: Compiled catalog for r1nc1m63jxi6u3e.delivery.puppetlabs.net in environment production in 0.03 seconds This is a problem because the values are often written into service configuration files. When they change, services get notified and restart. We should restore the previous fqdn_rand behavior of calculating its seed value using MD5 when running on a non-FIPS enabled master. FIPS enabled masters should continue using SHA256. Add Comment

This message was sent by Atlassian JIRA (v7.5.1#75006-sha1:7df2574)

[Jayant Sane (JIRA)]

Jayant Sane assigned an issue to Jayant Sane

Puppet / PUP-8469 fqdn_rand should use md5 on non-fips enabled hosts

Change By: Jayant Sane Assignee: Jayant Sane

Add Comment

[Jayant Sane (JIRA)]

[Josh Cooper (JIRA)]

Josh Cooper updated an issue

Puppet / PUP-8469 fqdn_rand should use md5 on non-fips enabled hosts

Change By: Josh Cooper Fix Version/s: PUP 5.5.0

Add Comment

[Josh Cooper (JIRA)]

Josh Cooper updated an issue

Puppet / PUP-8469 fqdn_rand should use md5 on non-fips enabled hosts

Change By: Josh Cooper Sprint: Platform Core KANBAN

Add Comment

[Josh Cooper (JIRA)]

Josh Cooper updated an issue

Puppet / PUP-8469 fqdn_rand should use md5 on non-fips enabled hosts

Change By: Josh Cooper Sub-team: Coremunity

Add Comment

[Josh Cooper (JIRA)]

Josh Cooper updated an issue

Puppet / PUP-8469 fqdn_rand should use md5 on non-fips enabled hosts

Change By: Josh Cooper Team: Platform Core

Add Comment

[Josh Cooper (JIRA)]

Josh Cooper commented on PUP-8469

Re: fqdn_rand should use md5 on non-fips enabled hosts Merged to master in https://github.com/puppetlabs/puppet/commit/e89db4ef51d26c397885ae8faacf198731b1cff3

Add Comment

[Eric Delaney (JIRA)]

Eric Delaney commented on PUP-8469

Re: fqdn_rand should use md5 on non-fips enabled hosts

Jayant Sane Could you add release notes if needed?

Add Comment

This message was sent by Atlassian JIRA (v7.7.1#77002-sha1:e75ca93)

[Jayant Sane (JIRA)]

Jayant Sane updated an issue

Puppet / PUP-8469

fqdn_rand should use md5 on non-fips enabled hosts

It also restores the behavior of fqdn_rand to that in versions before 5.4.0 when running on non-fips enabled hosts. Change By: Jayant Sane Release Notes Summary: fqdn_rand uses SHA256 to compute seed/rand when running on FIPS enabled hosts which is a change from using MD5 on non-fips enabled hosts. So a given host will yield different fqdn_rand values when in fips mode and when not in fips mode. Release Notes: New Feature

Add Comment

[Eric Delaney (JIRA)]

Eric Delaney assigned an issue to Unassigned

Puppet / PUP-8469 fqdn_rand should use md5 on non-fips enabled hosts

Change By: Eric Delaney Assignee: Jayant Sane

Add Comment

[Kris Bosland (JIRA)]

Kris Bosland assigned an issue to Kris Bosland

Puppet / PUP-8469 fqdn_rand should use md5 on non-fips enabled hosts

Change By: Kris Bosland Assignee: Kris Bosland

Add Comment

[Kris Bosland (JIRA)]

Kris Bosland commented on PUP-8469

Re: fqdn_rand should use md5 on non-fips enabled hosts All current branches now give the same result (17 in my case): 4.10.x: % bx puppet apply -e '$value = fqdn_rand(30); notice("$puppetversion: $value")' /Users/kris.bosland/work/puppet/.bundle/ruby/2.4.0/gems/CFPropertyList-2.2.8/lib/cfpropertylist/rbCFTypes.rb:24: warning: constant ::Fixnum is deprecated Notice: Scope(Class[main]): 4.10.11: 17 Notice: Compiled catalog for x in environment production in 0.10 seconds Notice: Applied catalog in 0.01 seconds 5.3.x: % bx puppet apply -e '$value = fqdn_rand(30); notice("$puppetversion: $value")' Notice: Scope(Class[main]): 5.3.6: 17 Notice: Compiled catalog for kris.bosland-c02kf9eafft1 in environment production in 0.04 seconds Notice: Applied catalog in 0.01 seconds 5.5.x: % bx puppet apply -e '$value = fqdn_rand(30); notice("$puppetversion: $value")' Notice: Scope(Class[main]): 5.5.0: 17 Notice: Compiled catalog for x in environment production in 0.04 seconds Notice: Applied catalog in 0.01 seconds master: % bx puppet apply -e '$value = fqdn_rand(30); notice("$puppetversion: $value")' Notice: Scope(Class[main]): 6.0.0: 17 Notice: Compiled catalog for x in environment production in 0.04 seconds Notice: Applied catalog in 0.01 seconds

Add Comment

[John Duarte (JIRA)]

John Duarte updated an issue

Puppet / PUP-8469

fqdn_rand should use md5 on non-fips enabled hosts

Change By: John Duarte QA Risk Assessment: Needs Assessment No Action

Add Comment