Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[CI] :modules:reindex task can't run on FIPS JVMs #40904

Closed
jkakavas opened this issue Apr 5, 2019 · 4 comments · Fixed by #41199
Closed

[CI] :modules:reindex task can't run on FIPS JVMs #40904

jkakavas opened this issue Apr 5, 2019 · 4 comments · Fixed by #41199
Assignees
@alpar-t
Labels
:Delivery/Build Build or test infrastructure Team:Delivery Meta label for Delivery team >test-failure Triaged test failures from CI

Comments

@jkakavas
Copy link
Member

jkakavas commented Apr 5, 2019

it looks like either #40564 or #40804 made it so some system properties (specifically javax.net.ssl.trustStorePassword and javax.net.ssl.keyStorePassword ) do not find their way to :modules:reindex:integTestCluster when running with a FIPS JVM. This causes the task to fail as the BCFKS keystore cannot be decrypted.

Example failures:
https://elasticsearch-ci.elastic.co/job/elastic+elasticsearch+7.x+matrix-java-periodic/ES_BUILD_JAVA=openjdk12,ES_RUNTIME_JAVA=java8fips,nodes=immutable&&linux&&docker/116/console
https://elasticsearch-ci.elastic.co/job/elastic+elasticsearch+master+matrix-java-periodic/ES_BUILD_JAVA=openjdk12,ES_RUNTIME_JAVA=java8fips,nodes=immutable&&linux&&docker/340/console

Manifests as

Caused by: java.security.KeyStoreException: problem accessing trust storejava.io.IOException: BCFKS KeyStore corrupted: MAC calculation failed.
  	at sun.security.ssl.TrustManagerFactoryImpl.engineInit(TrustManagerFactoryImpl.java:74) ~[?:?]
  	at javax.net.ssl.TrustManagerFactory.init(TrustManagerFactory.java:250) ~[?:1.8.0_202]
  	at org.elasticsearch.common.ssl.KeyStoreUtil.createTrustManager(KeyStoreUtil.java:151) ~[?:?]
  	at org.elasticsearch.common.ssl.DefaultJdkTrustConfig.createTrustManager(DefaultJdkTrustConfig.java:68) ~[?:?]
  	at org.elasticsearch.common.ssl.SslConfiguration.createSslContext(SslConfiguration.java:136) ~[?:?]
  	at org.elasticsearch.index.reindex.ReindexSslConfig.reload(ReindexSslConfig.java:145) ~[?:?]
  	at org.elasticsearch.index.reindex.ReindexSslConfig.<init>(ReindexSslConfig.java:115) ~[?:?]
  	at org.elasticsearch.index.reindex.ReindexPlugin.createComponents(ReindexPlugin.java:88) ~[?:?]
  	at org.elasticsearch.node.Node.lambda$new$9(Node.java:440) ~[elasticsearch-8.0.0-SNAPSHOT.jar:8.0.0-SNAPSHOT]
  	at java.util.stream.ReferencePipeline$7$1.accept(ReferencePipeline.java:267) ~[?:1.8.0_202]
  	at java.util.ArrayList$ArrayListSpliterator.forEachRemaining(ArrayList.java:1382) ~[?:1.8.0_202]
  	at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:481) ~[?:1.8.0_202]
  	at java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:471) ~[?:1.8.0_202]
  	at java.util.stream.ReduceOps$ReduceOp.evaluateSequential(ReduceOps.java:708) ~[?:1.8.0_202]
  	at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234) ~[?:1.8.0_202]
  	at java.util.stream.ReferencePipeline.collect(ReferencePipeline.java:499) ~[?:1.8.0_202]
  	at org.elasticsearch.node.Node.<init>(Node.java:443) ~[elasticsearch-8.0.0-SNAPSHOT.jar:8.0.0-SNAPSHOT]
  	at org.elasticsearch.node.Node.<init>(Node.java:253) ~[elasticsearch-8.0.0-SNAPSHOT.jar:8.0.0-SNAPSHOT]
  	at org.elasticsearch.bootstrap.Bootstrap$5.<init>(Bootstrap.java:211) ~[elasticsearch-8.0.0-SNAPSHOT.jar:8.0.0-SNAPSHOT]
  	at org.elasticsearch.bootstrap.Bootstrap.setup(Bootstrap.java:211) ~[elasticsearch-8.0.0-SNAPSHOT.jar:8.0.0-SNAPSHOT]
  	at org.elasticsearch.bootstrap.Bootstrap.init(Bootstrap.java:325) ~[elasticsearch-8.0.0-SNAPSHOT.jar:8.0.0-SNAPSHOT]
  	at org.elasticsearch.bootstrap.Elasticsearch.init(Elasticsearch.java:159) ~[elasticsearch-8.0.0-SNAPSHOT.jar:8.0.0-SNAPSHOT]
  	... 6 more
@jkakavas jkakavas added :Delivery/Build Build or test infrastructure >test-failure Triaged test failures from CI labels Apr 5, 2019
@elasticmachine
Copy link
Collaborator

Pinging @elastic/es-core-infra

@jkakavas jkakavas mentioned this issue Apr 8, 2019
Merged
jkakavas added a commit that referenced this issue Apr 8, 2019
@jkakavas
Mute reindex integTest in FIPS (#40941)
a4cdfc0 
Relates: #40904
jkakavas added a commit that referenced this issue Apr 8, 2019
@jkakavas
Mute reindex integTest in FIPS (#40941)
c9ff630 
Relates: #40904
@original-brownbear original-brownbear mentioned this issue Apr 11, 2019
Merged
@alpar-t
Copy link
Contributor

alpar-t commented Apr 11, 2019

@jkakavas is this something you plan to address yourself? Maybe the security label would be more appropriate than build here ?

@jkakavas
Copy link
Member Author

jkakavas commented Apr 11, 2019
edited
Loading

@jkakavas is this something you plan to address yourself?

@atorok It wasn't in my to-do list but I have nothing against picking it up. It feels the build label was appropriate since this was running fine before #40564 or #40804 which makes me think something in there changed how system properties are passed ? I could be wrong though, I'll know more once I look into it.

I would appreciate it though if you have any quick ideas on what in these aforementioned PRs have changed the way system properties are picked up

@alpar-t alpar-t self-assigned this Apr 12, 2019
@alpar-t
Copy link
Contributor

alpar-t commented Apr 12, 2019

Thanks for pointing that out it wasn't obvious to me this is a regression.
I probably missed something fips specific in test-clusters I will take a look

alpar-t added a commit to alpar-t/elasticsearch that referenced this issue Apr 15, 2019
@alpar-t
Add FIPS specific testclusters configuration
2e1463a 
ClusterFormationTasks auto configured these properties for clusters.
This PR adds FIPS specific configuration across all test clusters from
the main build script to prevent coupling betwwen testclusters and the
build plugin.

Closes elastic#40904
@alpar-t alpar-t mentioned this issue Apr 15, 2019
Merged
alpar-t added a commit that referenced this issue Apr 19, 2019
@alpar-t
Add FIPS specific testclusters configuration (#41199)
92483d4 
ClusterFormationTasks auto configured these properties for clusters.
This PR adds FIPS specific configuration across all test clusters from
the main build script to prevent coupling betwwen testclusters and the
build plugin.

Closes #40904
alpar-t added a commit that referenced this issue Apr 19, 2019
@alpar-t
Add FIPS specific testclusters configuration (#41199)
e1e2568 
ClusterFormationTasks auto configured these properties for clusters.
This PR adds FIPS specific configuration across all test clusters from
the main build script to prevent coupling betwwen testclusters and the
build plugin.

Closes #40904
gurkankaymak pushed a commit to gurkankaymak/elasticsearch that referenced this issue May 27, 2019
@jkakavas
Mute reindex integTest in FIPS (elastic#40941)
0c651d1 
Relates: elastic#40904
gurkankaymak pushed a commit to gurkankaymak/elasticsearch that referenced this issue May 27, 2019
@alpar-t
Add FIPS specific testclusters configuration (elastic#41199)
7d27feb 
ClusterFormationTasks auto configured these properties for clusters.
This PR adds FIPS specific configuration across all test clusters from
the main build script to prevent coupling betwwen testclusters and the
build plugin.

Closes elastic#40904
@mark-vieira mark-vieira added the Team:Delivery Meta label for Delivery team label Nov 11, 2020
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@alpar-t alpar-t

Labels
:Delivery/Build Build or test infrastructure Team:Delivery Meta label for Delivery team >test-failure Triaged test failures from CI
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Add FIPS specific testclusters configuration alpar-t/elasticsearch
4 participants
@alpar-t @mark-vieira @jkakavas @elasticmachine