Issue upgrading on FIPS enabled system #1934
Comments
@DFolchA the flag

The workaround I found is:

```
sudo bash -c 'echo "%_pkgverify_level none" >/etc/rpm/macros.verify'
sudo yum -y --setopt=tsflags=nocrypto upgrade
```

Reference: https://bugzilla.redhat.com/show_bug.cgi?id=1830347 |
The error replicates on install:
As commented previously, this is the same error seen for the Wazuh Manager RPM package in #367. In summary, CentOS machines come with package Package differences
The solutions used in the Manager and Indexer could be used here:
|
After just changing the first line of the
gives some errors and warnings, as seen in the output: 1 -
and in the middle there are warnings similar to
and errors similar to:
This seems to have to do with the version of python used by the executable files present in the |
The first thing to prove has been why the new problems only arise when creating the Wazuh Dashboard Most errors come from directory
or
As seen in this article, that itself can bring problems to the A test in both CentOS 7 and Rocky Linux 8 proved it had something to do with it:
1- A first solution seemed to be creating
The following line was added to the Dockerfile, with the same result as in the previous builds:
A couple other tests changing the version of python gave the same result. 2- The next solution was to try and do what the error asks for and change the line to
The first few times it kept exiting with an error, as seen in the following log, even when no changes were made to the files, which seemed to be an error related to the file being local, or having been extracted and compressed. Finally, with the help of @c-bordon, it became clear that the error came from using revision
After solving that, the package was correctly created, although all the
The log of the build is:
The installation of the package on Rocky Linux 8 with FIPS enabled went correctly:
On seeing the properties of the package we can see it has the needed SHA256 digest but it is missing some headers:
The next steps are to automate the changing of the files if this solution is deemed appropriate, investigate the missing headers in the package properties, and try to remove the warnings. |
The process explained in the last comment has been automated. The base builder now changes, using It isn't the best solution, as we depend on all systems having some version of Python 3.x installed. The best solution would be to try to remove those files, as they seem to be tests, which may not be used; more research is necessary on that. The warnings come from incorrect executable permissions on files where they are not needed, and this also needs to be changed. |
As we can see here, The file |
A bug in OpenSearch Dashboards was found with a similar problem: opensearch-project/OpenSearch-Dashboards#988 The solution is similar to the manual changing of shebangs, but this time using a specialized tool recommended by the official documentation of Fedora. This tool is https://pypi.org/project/pathfix.py/ In the Fedora project documentation the recommended call is:
but even installing
In the Rocky Linux 8 version used by docker, Finally, with the solution implemented in branch
|
Testing a complete cluster, the same error as the one seen for the dashboard is seen for
|
Tests
🔴 CentOS 7: Error coming from the different
🟡 CentOS 8: This error comes from insufficient space on the virtual machine where the test was done; in a later test the installation finished correctly.
🔴 Red Hat 7:
🟢 Red Hat 8:
🟢 Red Hat 9:
Summary
The errors come from the difference of versions between the machine in which the package was created, with
On CentOS 7 and Red Hat 7, the output of the recommended command doesn't give any information:
|
On hold because of wazuh/wazuh#15526 |
This issue has been on hold after the closing of wazuh/wazuh#15526 because of issues #1965, #1969 and #1984 |
There is an error building the packages with the branch created for this PR(
|
On hold for #1984 and problems with the Jenkins checks |
After creating the package using the Jenkins pipeline, it has worked correctly on systems with
🟢 CentOS 7
🟢 CentOS 8
🟢 Red Hat Linux 7
🟢 Red Hat Linux 8
|
After a test in a Rocky Linux 8 with FIPS enabled the first error of the issue appeared, making it clear the package of the last comment must not have been created correctly, but just as a
When checking for digests, the output on Rocky Linux 8 is:
On CentOS 8(
On CentOS 7(
|
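An added example, not part of the original thread or of the Wazuh project's code: a shell function that classifies the digest lines printed by `rpm --checksig -v`, separating a package with verified SHA256 header and payload digests from one that carries only MD5/SHA1 digests. The package names, key ID and sample outputs are constructed, and the line format is assumed to be the one printed by rpm 4.14-style releases.

```shell
#!/bin/sh
# Added example: classify `rpm --checksig -v` output (rpm 4.14-style lines assumed).
# fips_digest_verdict reads that output on stdin and prints one verdict:
#   sha256-ok    header and payload SHA256 digests both verified
#   legacy-only  nothing failed, but only MD5/SHA1 digests are present
#   failed       at least one digest or signature line is not OK
fips_digest_verdict() {
    header256=0; payload256=0; bad=0
    while IFS= read -r line; do
        case "$line" in
            *"Header SHA256 digest: OK"*)        header256=1 ;;
            *"Payload SHA256 digest: OK"*)       payload256=1 ;;
            *"digest: OK"*|*Signature*": OK"*)   ;;        # verified legacy digest or signature
            *"digest:"*|*Signature*)             bad=1 ;;  # anything else is a failure
        esac
    done
    if [ "$bad" -eq 1 ]; then
        echo failed
    elif [ "$header256" -eq 1 ] && [ "$payload256" -eq 1 ]; then
        echo sha256-ok
    else
        echo legacy-only
    fi
}

# Constructed sample: build that carries SHA256 header and payload digests.
SAMPLE_MODERN='example-dashboard.rpm:
    Header V4 RSA/SHA256 Signature, key ID 00000000: OK
    Header SHA256 digest: OK
    Header SHA1 digest: OK
    Payload SHA256 digest: OK
    MD5 digest: OK'

# Constructed sample: build that carries only the legacy SHA1/MD5 digests.
SAMPLE_LEGACY='example-dashboard-legacy.rpm:
    Header SHA1 digest: OK
    MD5 digest: OK'

# Constructed sample: payload does not match its recorded digest.
SAMPLE_BAD='example-dashboard-bad.rpm:
    Header SHA256 digest: OK
    Payload SHA256 digest: BAD
    MD5 digest: BAD'

# Real use would be: rpm --checksig -v package.rpm | fips_digest_verdict
for sample in "$SAMPLE_MODERN" "$SAMPLE_LEGACY" "$SAMPLE_BAD"; do
    printf '%s\n' "$sample" | fips_digest_verdict
done
```

A `legacy-only` verdict on a build artifact is the case to catch in CI before the package reaches a FIPS-enabled host, so that verification does not have to be switched off at install time.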
When trying to build the package locally on CentOS 7 or 8 the build exits with error:
Jenkins pipelines also give an error.
|
After some searching a solution has been found to the installation error At the same time, the package was not being built because of different errors in all systems tried, among them the errors seen here and here.
Once
The installation was successful both in Rocky Linux 8 and CentOS 7: Rocky Linux 8
CentOS 7
The only problem with this package is that it doesn't use any compression and its size is too large:
As seen in this article and in file
The problem is it appears as default on both Rocky Linux 8 and CentOS 7 but the default value is what gave the problem in
Other changes done today include changing the base of the branch used to 4.4, changing the building machine to Rocky Linux 8.5 and making the |
Changing the
The package is also installed correctly on both CentOS 7 and Rocky Linux 8 with FIPS: Rocky Linux 8
CentOS 7
|
The issue has been rebased again to version |
A package has been built correctly on Jenkins using the changes and uploading the images as |
When upgrading via yum, I get the following error:
The unique thing about my system is that it is FIPS enabled. In RHEL8 this means that MD5 and SHA1 hashes are disabled.