On Mon, Jun 24, 2019 at 10:04 AM '[email protected]' via Puppet Users <[email protected]> wrote:
> Thanks Josh,
>
> I am not switching out the package. I am making a fips-enabled server (with the fips agent installed) into a fips-disabled one. Basically updating the grub and rebooting. Thus now I have a non-fips-enabled machine with the puppet fips agent installed. So the question is: will it work properly or do I have to install the non-fips agent?
>
> Basically I am using an image with the fips agent installed. However, when we install software, it may not work with fips, so we disable fips but leave the agent alone.
>
> My initial testing with a bare-bones master and puppet agent -t showed that the non-fips agent will work with a fips-enabled machine and vice versa. But I wanted to figure out what issues I may encounter, if any?
>

Ah, makes sense. The fips agent should work when fips is disabled. The agent will fall back to allowing md5 for filebucketing and when retrieving file resource metadata, e.g. `source => "puppet:///modules/foo/bar.txt"`. However, if you run into issues you can always specify which digest to use explicitly. See the `digest_algorithm` puppet setting and the `checksum` file parameter.

https://puppet.com/docs/puppet/latest/configuration.html#digestalgorithm
https://puppet.com/docs/puppet/latest/type.html#file-attribute-checksum

Thanks

>
> M
>
> On Friday, June 21, 2019 at 1:29:38 PM UTC-4, Josh Cooper wrote:
>>
>> On Thu, Jun 20, 2019 at 9:05 AM '[email protected]' via Puppet Users <[email protected]> wrote:
>> >
>> > Hello,
>> >
>> > We are using some fips and some non-fips agents. The proper agent rpm (fips or non-fips based on the current configuration) has been installed; however, after agent installation, if we were to update an agent from fips to non-fips or vice versa, will the old agent rpm still function?
>>
>> The fips and non-fips packages have the same name, but different releases. So if you switch from one to the other, the old one will be removed. That said, we don't test switching, as we assume the matching package is installed from the start.
>>
>> $ rpm -qi puppet-agent
>> Name        : puppet-agent
>> Version     : 6.5.0
>> Release     : 1.redhatfips7
>> ...
>>
>> $ rpm -qi puppet-agent
>> Name        : puppet-agent
>> Version     : 6.5.0
>> Release     : 1.el7
>>
>> > Just running puppet agent -t seems to be working, but in that case I'm not sure what is different between the fips and non-fips agent?
>>
>> The fips agent is compiled against the system openssl and does not contain a vendored openssl:
>>
>> $ ldd /opt/puppetlabs/puppet/lib/libfacter.so | grep libssl
>>         libssl.so.10 => /lib64/libssl.so.10 (0x00007fefbab83000)
>>
>> Whereas the non-fips agent is compiled against puppet's vendored openssl:
>>
>> $ ldd /opt/puppetlabs/puppet/lib/libfacter.so | grep libssl
>>         libssl.so.1.1 => /opt/puppetlabs/puppet/lib/libssl.so.1.1 (0x00007f705127f000)
>>
>> If you install a non-fips puppet-agent on a fips-enabled host, it will use the vendored openssl. While it will "work", I wouldn't recommend it, because it will subvert the system's openssl.
>>
>> If you install a fips puppet-agent on a non-fips-enabled host, then it should work provided the system openssl is compatible with our ruby.
>>
>> The puppet ruby code is the same for both fips and non-fips. At runtime, puppet detects if fips is enabled, and if so, removes md5 from its list of supported checksums. This affects filebucketing and retrieving file contents from "puppet:///" sources. Also some operations like `puppet module install` cannot be performed due to its reliance on md5. That will be changing in the near future though.
>>
>> Josh
>>
>> >
>> > Thanks
>> >
>> > M
>> >

-- 
Josh Cooper | Software Engineer
[email protected] | @coopjn

-- 
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-users/CA%2Bu97umwQms1hugVwa%3Dw0dh3O8RwEr2ZY-OKq6JLesW1z7UNAA%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.
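An added check, not part of the thread: a small POSIX shell script that classifies a puppet-agent build from the `ldd` line Josh shows (system libssl versus the vendored one under /opt/puppetlabs) and compares it with the host's FIPS mode, naming the pairing he describes. It assumes the paths from the thread and the Linux `/proc/sys/crypto/fips_enabled` flag, which the thread itself does not mention.

```shell
#!/bin/sh
# Added example, not code from the Puppet Users thread. Inputs are fed in
# as strings so the functions can be exercised with constructed samples.

# agent_build LDD_LINE
#   LDD_LINE is the libssl line from:
#     ldd /opt/puppetlabs/puppet/lib/libfacter.so | grep libssl
#   Prints "fips" when libssl resolves to the system library (fips build),
#   "nonfips" when it resolves into /opt/puppetlabs (vendored openssl),
#   "unknown" otherwise.
agent_build() {
  case "$1" in
    *'=> /opt/puppetlabs/'*)                                   echo nonfips ;;
    *'=> /lib64/'*|*'=> /usr/lib64/'*|*'=> /lib/'*|*'=> /usr/lib/'*) echo fips ;;
    *)                                                         echo unknown ;;
  esac
}

# host_mode VALUE
#   VALUE is the contents of /proc/sys/crypto/fips_enabled ("1" or "0";
#   assumption: a missing file is treated as "0"). Prints "fips"/"nonfips".
host_mode() {
  if [ "$1" = "1" ]; then echo fips; else echo nonfips; fi
}

# check_pairing AGENT HOST
#   Names the four combinations from the thread.
check_pairing() {
  agent=$1; host=$2
  if [ "$agent" = "$host" ]; then
    echo match                          # supported, tested configuration
  elif [ "$agent" = nonfips ] && [ "$host" = fips ]; then
    echo vendored-openssl-on-fips-host  # "works" but bypasses system openssl
  elif [ "$agent" = fips ] && [ "$host" = nonfips ]; then
    echo system-openssl-md5-allowed     # fips agent falls back to allowing md5
  else
    echo unknown
  fi
}

# Live use on a host (commented out so the file can be sourced safely):
#   line=$(ldd /opt/puppetlabs/puppet/lib/libfacter.so | grep libssl)
#   val=$(cat /proc/sys/crypto/fips_enabled 2>/dev/null || echo 0)
#   check_pairing "$(agent_build "$line")" "$(host_mode "$val")"
```

If the result is anything but `match`, pinning `digest_algorithm` in puppet.conf (or `checksum` on the affected file resources) as Josh suggests removes the dependence on the runtime md5 decision.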
