pkg/daemon: support FIPS #889
Conversation
openshift-ci-robot
added
the
size/L
openshift-ci-robot
added
the
approved
| @@ -369,6 +400,7 @@ func Reconcilable(oldConfig, newConfig *mcfgv1.MachineConfig) (*MachineConfigDif | |||
| return &MachineConfigDiff{ | |||
| osUpdate: oldConfig.Spec.OSImageURL != newConfig.Spec.OSImageURL, | |||
| kargs: !reflect.DeepEqual(oldConfig.Spec.KernelArguments, newConfig.Spec.KernelArguments), | |||
| fips: oldConfig.Spec.Fips != newConfig.Spec.Fips, | |||
There was a problem hiding this comment.
This will force the reboot so that the change takes effect, correct?
There was a problem hiding this comment.
nope, the sync itself does the reboot the node (and it can't be avoided today as we know). This is just to log what we're changing during a sync.
There was a problem hiding this comment.
WFM. Just wanted to ensure a reboot does happen when FIPS changes 👍
There was a problem hiding this comment.
👍 the e2e added here also takes care of validating fips has been enabled on nodes so it will fail if we skip a reboot after enabling fips (iiuic)
| @@ -37,6 +37,8 @@ const ( | |||
| coreUserName = "core" | |||
| // SSH Keys for user "core" will only be written at /home/core/.ssh | |||
| coreUserSSHPath = "/home/core/.ssh/" | |||
| // fipsCommand is the command to use when enabling or disabling FIPS | |||
| fipsCommand = "/usr/libexec/rhcos-tools/coreos-fips" | |||
There was a problem hiding this comment.
Sort of a side comment but I recently was thinking that we probably should have taken the path of replacing /usr/bin/fips-mode-setup; we can totally do that now via override layers.
| @@ -51,6 +51,7 @@ type MachineConfigSpec struct { | |||
| // Config is a Ignition Config object. | |||
| Config ign.Config `json:"config"` | |||
| KernelArguments []string `json:"kernelArguments"` | |||
| Fips bool `json:"fips"` | |||
There was a problem hiding this comment.
What about Erica's comment here?
| outIgn := configs[0].Spec.Config | ||
| for idx := 1; idx < len(configs); idx++ { | ||
| // if any of the config has FIPS enabled, it'll be set |
There was a problem hiding this comment.
Ah OK I see we went with the last approach. I think that's sane for this indeed.
|
LGTM, giving to |
docs/MachineConfiguration.md
Outdated
| @@ -94,6 +95,10 @@ Ignition config keys as well. | |||
|
|
|||
| This extends the host's kernel arguments. Use this for e.g. [nosmt](https://access.redhat.com/solutions/rhel-smt). | |||
|
|
|||
| ### FIPS | |||
|
|
|||
| This allows to enable/disable [FIPS mode](https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/security_guide/chap-federal_standards_and_regulations). | |||
There was a problem hiding this comment.
Can you add a comment here about if any of the config has FIPS enabled, it'll be set as well?
pkg/daemon/update.go
Outdated
| cmd := exec.Command(fipsCommand, arg) | ||
| dn.logSystem("Running %s %s", fipsCommand, arg) | ||
| if out, err := cmd.CombinedOutput(); err != nil { | ||
| return errors.Wrapf(err, "enabling FIPS: %s", string(out)) |
There was a problem hiding this comment.
Can you include arg in the error to distinguish between errors from enabling and disabling FIPS?
There was a problem hiding this comment.
oh good catch this is completely wrong indeed
| @@ -546,3 +546,91 @@ func TestDontDeleteRPMFiles(t *testing.T) { | |||
| } | |||
| } | |||
| } | |||
|
|
|||
| func TestFIPS(t *testing.T) { | |||
There was a problem hiding this comment.
non-blocking suggestion: it might be nice to have this test structured as a table test with a couple variations of machineconfig sets.
There was a problem hiding this comment.
yeah, that would be amazing but test timeout is 75m today and going through various reboots for applying the MC + other tests would exceed that
| return dn.updateOSAndReboot(newConfig) | ||
| } | ||
|
|
||
| func (dn *Daemon) updateFIPS(current, desired *mcfgv1.MachineConfig) error { | ||
| if current.Spec.Fips == desired.Spec.Fips { |
There was a problem hiding this comment.
Does the current get written to Status anywhere?
Co-authored-by: Colin Walters <[email protected]> Co-authored-by: Antonio Murdaca <[email protected]> Signed-off-by: Antonio Murdaca <[email protected]>
runcom
force-pushed
the
fips-all-the-things
branch
from
3037ec7 to
eb9186b
Compare
|
Took care of @ericavonb comments |
|
/retest |
|
/lgtm |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: ashcrow, ericavonb, runcom The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
|
/retest Please review the full test history for this PR and help us cut down flakes. |
1 similar comment
|
/retest Please review the full test history for this PR and help us cut down flakes. |
|
Gah. This is hitting AWS/ECS errors now: |
Part of: openshift/enhancements#15 We added FIPS to the MCO a while ago: openshift/machine-config-operator#889 However, during some discussion it became clear that the main use case for FIPS is "day 1" - it doesn't make sense to turn it on "day 2" because the standard requires that e.g. long-term key material was created with FIPS enabled. Further, it's unlikely that admins will want to turn it *off* if they ever had it on. This is a good candidate for an install config.
Part of: openshift/enhancements#15 We added FIPS to the MCO a while ago: openshift/machine-config-operator#889 However, during some discussion it became clear that the main use case for FIPS is "day 1" - it doesn't make sense to turn it on "day 2" because the standard requires that e.g. long-term key material was created with FIPS enabled. Further, it's unlikely that admins will want to turn it *off* if they ever had it on. This is a good candidate for an install config.
Part of: openshift/enhancements#15 We added FIPS to the MCO a while ago: openshift/machine-config-operator#889 However, during some discussion it became clear that the main use case for FIPS is "day 1" - it doesn't make sense to turn it on "day 2" because the standard requires that e.g. long-term key material was created with FIPS enabled. Further, it's unlikely that admins will want to turn it *off* if they ever had it on. This is a good candidate for an install config.
Signed-off-by: Antonio Murdaca [email protected]
- What I did
resurrected from #826
close #800
Added a new FIPS field to MachineConfig to enable/disable FIPS on rhcos (disabled by default). This is, at this point, only intended as a day-2 operation.
FIPS would also greatly benefit a dedicated CRD (oc edit fips?) - I'm experimenting with that but it will ofc require a new controller.
- How to verify it
added an e2e and manually verified
- Description for the changelog
Added FIPS support