Loading...

XML

Word

Printable

Details

Type: Bug
Resolution: Done
Priority: Critical
Fix Version/s: Logging 5.3.4
Affects Version/s: Logging 5.3.0
Component/s: Log Storage
Labels:

Blocked:
False
Ready:
False
Docs QE Status:
NEW
QE Status:
NEW
Release Note Text:
Before this update, Elasticsearch pods failed to start after updating with FIPS enabled. With this update, Elasticsearch pods start successfully.

Sprint:
Logging (LogExp) - Sprint 211, Logging (LogExp) - Sprint 212, Logging (LogExp) - Sprint 213

SFDC Cases Links:
SFDC Cases Counter:

Description

Description of problem:
On a FIPS enabled cluster, the elasticsearch pods are failing with error:

[2021-11-18 03:36:29,968][INFO ][container.run            ] Building required p12 files and truststore
keytool error: java.io.IOException: parseAlgParameters failed: PBE AlgorithmParameters not available

Version-Release number of selected component (if applicable):

Client Version: 4.9.0-202109210853.p0.git.96e95ce.assembly.stream-96e95ce
Server Version: 4.9.7
Kubernetes Version: v1.22.2+5e38c72
elasticsearch-operator.5.3.0-67

Enable FIPS on the Cluster

How reproducible:
Always

Steps to Reproduce:

*Deploy a FIPS enabled cluster.
*Install the cluster logging, elasticsearch operation and create a cluster logging instance.
*Check the elasticsearch pods, the pods are in CrashLoopBackOff with below error in the pod.

oc logs -f elasticsearch-cdm-8hv2dgdn-2-b8488b954-f4k7r -c elasticsearch
[2021-11-18 03:36:29,943][INFO ][container.run            ] Begin Elasticsearch startup script
[2021-11-18 03:36:29,948][INFO ][container.run            ] Comparing the specified RAM to the maximum recommended for Elasticsearch...
[2021-11-18 03:36:29,951][INFO ][container.run            ] Inspecting cgroup version...
[2021-11-18 03:36:29,954][INFO ][container.run            ] Detected cgroup v1
[2021-11-18 03:36:29,956][INFO ][container.run            ] Inspecting the maximum RAM available...
[2021-11-18 03:36:29,960][INFO ][container.run            ] ES_JAVA_OPTS: ' -Xms512m -Xmx512m'
[2021-11-18 03:36:29,962][INFO ][container.run            ] Copying certs from /etc/openshift/elasticsearch/secret to /etc/elasticsearch//secret
[2021-11-18 03:36:29,968][INFO ][container.run            ] Building required p12 files and truststore
keytool error: java.io.IOException: parseAlgParameters failed: PBE AlgorithmParameters not available

    Image:          "https://access.redhat.com/containers/#/registry.access.redhat.com/openshift-logging/elasticsearch6-rhel8/images/v6.8.1-42" 
    Image ID:      registry.redhat.io/openshift-logging/elasticsearch6-rhel8@sha256:73472de60c6e962c44b1e57f424d133a25822828e6daa2bfa5854467c8f9c2e9

Attachments

Issue Links

is cloned by

LOG-2000 Elasticsearch pods fails to start with ‘keytool error: java.io.IOException: parseAlgParameters failed: PBE AlgorithmParameters not available’ error on a FIPS enabled cluster

Closed

LOG-2001 Elasticsearch pods fails to start with ‘keytool error: java.io.IOException: parseAlgParameters failed: PBE AlgorithmParameters not available’ error on a FIPS enabled cluster