Thanks Josh for the explanation! M

On Tuesday, June 25, 2019 at 11:46:11 AM UTC-4, Josh Cooper wrote:
>
> On Mon, Jun 24, 2019 at 10:04 AM '[email protected]' via Puppet Users <[email protected]> wrote:
>
>> Thanks Josh,
>>
>> I am not switching out the package. I am making a fips enabled server (with fips agent installed) into a fips disabled one. Basically updating the grub and rebooting. Thus now I have a non fips enabled machine with puppet fips agent installed. So the question is will it work properly or do I have to install the nonfips agent?
>>
>> Basically I am using an image with fips agent installed. However, when we install software, it may not work with fips, so we disable fips but leave the agent alone.
>>
>> My initial testing with a bare-bones master and puppet agent -t showed that the non fips agent will work with a fips enabled machine and vice versa. But I wanted to figure out what issues I may encounter, if any?
>
> Ah, makes sense. The fips agent should work when fips is disabled. The agent will fall back to allowing md5 for filebucketing and when retrieving file resource metadata, e.g. `source => "puppet:///modules/foo/bar.txt"`. However, if you run into issues you can always specify which digest to use explicitly. See the `digest_algorithm` puppet setting and the `checksum` file parameter.
>
> https://puppet.com/docs/puppet/latest/configuration.html#digestalgorithm
> https://puppet.com/docs/puppet/latest/type.html#file-attribute-checksum
>
> Thanks
>
>> M
>>
>> On Friday, June 21, 2019 at 1:29:38 PM UTC-4, Josh Cooper wrote:
>>>
>>> On Thu, Jun 20, 2019 at 9:05 AM '[email protected]' via Puppet Users <[email protected]> wrote:
>>> >
>>> > Hello,
>>> >
>>> > We are using some fips and some non-fips agents. The proper agent rpm (fips or non fips based on current configuration) has been installed; however, after agent installation, if we were to update an agent from fips to non-fips or vice versa, will the old agent rpm still function?
>>>
>>> The fips and non-fips packages have the same name, but different releases. So if you switch from one to the other, the old one will be removed. That said, we don't test switching, as we assume the matching package is installed from the start.
>>>
>>> $ rpm -qi puppet-agent
>>> Name : puppet-agent
>>> Version : 6.5.0
>>> Release : 1.redhatfips7
>>> ...
>>>
>>> $ rpm -qi puppet-agent
>>> Name : puppet-agent
>>> Version : 6.5.0
>>> Release : 1.el7
>>>
>>> > Just running puppet agent -t seems to be working, but in that case I am not sure what is different between the fips and non-fips agent?
>>>
>>> The fips agent is compiled against system openssl and does not contain a vendored openssl:
>>>
>>> $ ldd /opt/puppetlabs/puppet/lib/libfacter.so | grep libssl
>>> libssl.so.10 => /lib64/libssl.so.10 (0x00007fefbab83000)
>>>
>>> Whereas the non-fips agent is compiled against puppet's vendored openssl:
>>>
>>> $ ldd /opt/puppetlabs/puppet/lib/libfacter.so | grep libssl
>>> libssl.so.1.1 => /opt/puppetlabs/puppet/lib/libssl.so.1.1 (0x00007f705127f000)
>>>
>>> If you install a non-fips puppet-agent on a fips-enabled host, it will use the vendored openssl. While it will "work", I wouldn't recommend it, because it will subvert the system's openssl.
>>>
>>> If you install a fips puppet-agent on a non-fips-enabled host, then it should work provided the system openssl is compatible with our ruby.
>>>
>>> The puppet ruby code is the same for both fips and non-fips. At runtime, puppet detects if fips is enabled, and if so, removes md5 from its list of supported checksums. This affects filebucketing and retrieving file contents from "puppet:///" sources. Also some operations like `puppet module install` cannot be performed due to its reliance on md5. That will be changing in the near future though.
>>>
>>> Josh
>>>
>>> > Thanks
>>> >
>>> > M
>>> >
>>> > --
>>> > You received this message because you are subscribed to the Google Groups "Puppet Users" group.
>>> > To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
>>> > To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-users/59879625-fca7-4696-997a-ce4d598da63e%40googlegroups.com.
>>> > For more options, visit https://groups.google.com/d/optout.
>
> --
> Josh Cooper | Software Engineer
> [email protected] | @coopjn
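The `ldd` check Josh describes, turned into a small POSIX shell script, as an added example that is not part of this thread or of Puppet's own tooling: it classifies which libssl the agent's `libfacter.so` links against (system versus Puppet's vendored copy), reads the kernel's FIPS flag, and reports whether the pair is the one the packaging intends, the "vendored openssl on a FIPS host" combination Josh advises against, or the "fips agent on a non-FIPS host" case where the md5 fallback applies. The `/proc/sys/crypto/fips_enabled` path is the standard Linux kernel interface; the function names, the verdict labels and the sample strings (copied from the `ldd` lines quoted above) are this example's own.

```shell
#!/bin/sh
# Added example, not Puppet's code: check a puppet-agent's OpenSSL linkage
# against the host's FIPS state. Function names and verdict labels are assumed.

# Classify ldd output read from stdin: "vendored" when libssl resolves under
# /opt/puppetlabs, "system" when it resolves anywhere else, "none" if no
# libssl line is present at all.
classify_ssl() {
    awk '
        /libssl/ {
            if ($3 ~ /^\/opt\/puppetlabs\//) print "vendored"; else print "system"
            found = 1
            exit
        }
        END { if (!found) print "none" }
    '
}

# Read the kernel FIPS flag from a file (default: /proc/sys/crypto/fips_enabled).
# Prints "1" when enabled, "0" when disabled or when the file is not readable.
host_fips_state() {
    f="${1:-/proc/sys/crypto/fips_enabled}"
    if [ -r "$f" ]; then
        tr -d '[:space:]' < "$f"
    else
        echo 0
    fi
}

# Combine the FIPS flag and the linkage class into one verdict:
#   ok        - the pairing the packages are built for
#   mismatch  - non-fips agent (vendored openssl) on a FIPS host; the agent
#               bypasses the system openssl, which the thread advises against
#   fallback  - fips agent (system openssl) on a non-FIPS host; works, and
#               md5 is allowed again for filebucket / file metadata
#   unknown   - no libssl found, nothing to say
assess() {
    fips="$1"
    flavor="$2"
    case "$fips:$flavor" in
        1:system)   echo ok ;;
        0:vendored) echo ok ;;
        1:vendored) echo mismatch ;;
        0:system)   echo fallback ;;
        *)          echo unknown ;;
    esac
}

# Run the check against a real installation (only meaningful on a host that
# has puppet-agent installed); returns "unknown" when the library is absent.
live_check() {
    lib=/opt/puppetlabs/puppet/lib/libfacter.so
    [ -e "$lib" ] || { echo unknown; return 0; }
    flavor=$(ldd "$lib" | classify_ssl)
    assess "$(host_fips_state)" "$flavor"
}

# Constructed sample data: the two ldd lines quoted in the thread.
SAMPLE_FIPS_LDD='libssl.so.10 => /lib64/libssl.so.10 (0x00007fefbab83000)'
SAMPLE_NONFIPS_LDD='libssl.so.1.1 => /opt/puppetlabs/puppet/lib/libssl.so.1.1 (0x00007f705127f000)'

# Walk the four combinations on the sample data so the script shows its
# behaviour without needing a puppet-agent install.
for fips in 1 0; do
    for sample in "$SAMPLE_FIPS_LDD" "$SAMPLE_NONFIPS_LDD"; do
        flavor=$(printf '%s\n' "$sample" | classify_ssl)
        printf 'fips_enabled=%s agent_openssl=%-8s -> %s\n' \
            "$fips" "$flavor" "$(assess "$fips" "$flavor")"
    done
done
```

On a real host, `live_check` is the call to use; the loop at the bottom only exercises the sample strings. The classification keys on the directory libssl resolves to rather than on the soname, because the soname differs between distributions while the `/opt/puppetlabs` prefix is what distinguishes the vendored copy.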
