Problem with wal-e on FIPS enabled linux


Hans Hrasna

Aug 7, 2020, 12:53:36 PM
to wa...@googlegroups.com

Hello wal-e devs,

I'm having an issue with wal-e archiving to S3 on a FIPS-enabled Linux server. Apparently FIPS does not support the MD5 hashing algorithm, so archiving with FIPS enabled fails:

      File "/opt/wal-e-venv/lib64/python3.6/site-packages/wal_e/worker/worker_util.py", line 40, in do_lzop_pu
        k = blobstore.uri_put_file(creds, url, tf)
      File "/opt/wal-e-venv/lib64/python3.6/site-packages/wal_e/blobstore/s3/s3_util.py", line 57, in uri_put_file
        k.set_contents_from_file(fp, encrypt_key=True)
      File "/opt/wal-e-venv/lib64/python3.6/site-packages/boto/s3/key.py", line 1285, in set_contents_from_file
        md5 = self.compute_md5(fp, size)
      File "/opt/wal-e-venv/lib64/python3.6/site-packages/boto/s3/key.py", line 1036, in compute_md5
        hex_digest, b64_digest, data_size = compute_md5(fp, size=size)
      File "/opt/wal-e-venv/lib64/python3.6/site-packages/boto/utils.py", line 1000, in compute_md5
        return compute_hash(fp, buf_size, size, hash_algorithm=md5)
      File "/opt/wal-e-venv/lib64/python3.6/site-packages/boto/utils.py", line 1004, in compute_hash
        hash_obj = hash_algorithm()
    ValueError: error:060800A3:digital envelope routines:EVP_DigestInit_ex:disabled for fips
    2020-07-07T20:26:20Z <Greenlet at 0x7f24a90cd148: <wal_e.worker.upload.WalUploader object at 0x7f24a9125cc0>(<wal_e.worker.pg.wal_transfer.WalSegment object at)> failed with ValueError

I've read that the S3 tags use MD5 and other software has worked around it by using the 'overwrite' option which disables the MD5 check (https://github.com/ansible/ansible/issues/52188).

Does anyone know if there is a workaround or option to disable the use of the S3 tags in wal-e?

Has wal-g solved this issue? Is wal-g FIPS compliant?

Thanks,
Hans
-- 
Hans Hrasna
Principal Architect
EnterpriseDB Corporation
The Enterprise PostgreSQL Company
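
A preflight check for the failure in the traceback above, added here as an example; it is not part of the original post and is not wal-e or boto code. It repeats the `hash_algorithm()` call and the (hex, base64, size) return shape shown in the traceback, so a host can be tested before archiving is enabled. The names `compute_digests`, `preflight`, `report` and `fips_blocked_md5` are hypothetical, and the sample bytes are constructed.

```python
import base64
import hashlib
import io

# Error text copied from the traceback in the post above.
FIPS_ERROR = ("error:060800A3:digital envelope routines:"
              "EVP_DigestInit_ex:disabled for fips")


def fips_blocked_md5():
    """Constructed stand-in for hashlib.md5 on a FIPS-enabled host."""
    raise ValueError(FIPS_ERROR)


def compute_digests(fp, hash_algorithm, buf_size=8192):
    """Stream fp through hash_algorithm and return (hex, base64, size),
    the three values the traceback shows compute_md5 handing back."""
    hash_obj = hash_algorithm()  # the call that raises when the digest is disabled
    size = 0
    for chunk in iter(lambda: fp.read(buf_size), b""):
        hash_obj.update(chunk)
        size += len(chunk)
    raw = hash_obj.digest()
    return raw.hex(), base64.b64encode(raw).decode("ascii"), size


def preflight(hash_algorithm, sample=b"constructed WAL segment bytes"):
    """Return ("ok", digests) or ("blocked", reason) without touching S3."""
    try:
        return "ok", compute_digests(io.BytesIO(sample), hash_algorithm)
    except ValueError as exc:
        return "blocked", str(exc)


def report():
    """Probe this host's digests plus the simulated FIPS failure."""
    candidates = {
        "md5": hashlib.md5,
        "sha256": hashlib.sha256,
        "md5 (simulated FIPS)": fips_blocked_md5,
    }
    return {name: preflight(ctor)[0] for name, ctor in candidates.items()}


if __name__ == "__main__":
    for name, status in report().items():
        print(f"{name:22s} {status}")
```

A "blocked" result on the `md5` row means an upload that goes through the call path in the traceback will fail on that host in the same way.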


