OpenShift Logging / LOG-2460

[Vector] Collector pods fail to start on a FIPS enabled cluster.


    • NEW
    • OBSDA-111 - Provide GA Support for Vector Collector with OpenShift Logging
    • Impediment
    • VERIFIED
    • Logging (Core) - Sprint 218, Logging (Core) - Sprint 219, Logging (Core) - Sprint 220, Log Collection - Sprint 221

      Version of components:

      Cluster Logging 5.4

      Server Version: 4.9.0-0.nightly-2022-04-07-205533

      Kubernetes Version: v1.22.5+a36406b

       

      Description of the problem:

      On a FIPS enabled cluster Vector collector pods fail to start with the below error:

      Apr 08 05:06:05.059 ERROR vector::topology: Configuration error. error=Sink "default": Could not build PKCS#12 archive for identity: error:0607B0C8:digital envelope routines:EVP_CipherInit_ex:disabled for FIPS:crypto/evp/evp_enc.c:227:, error:06074078:digital envelope routines:EVP_PBE_CipherInit:keygen failure:crypto/evp/evp_pbe.c:131:, error:23077073:PKCS12 routines:PKCS12_pbe_crypt:pkcs12 algor cipherinit error:crypto/pkcs12/p12_decr.c:41:, error:2306C067:PKCS12 routines:PKCS12_item_i2d_encrypt:encrypt error:crypto/pkcs12/p12_decr.c:144:, error:23073067:PKCS12 routines:PKCS12_pack_p7encdata:encrypt error:crypto/pkcs12/p12_add.c:119: 

      Steps to reproduce the issue:

      1 Deploy a FIPS enabled OCP cluster.

      2 Install the 5.4 ClusterLogging and Elasticsearch operators.

      3 Create a ClusterLogging instance.

      apiVersion: "logging.openshift.io/v1"
      kind: "ClusterLogging"
      metadata:
        name: "instance" 
        namespace: "openshift-logging"
        annotations:
          logging.openshift.io/preview-vector-collector: enabled
      spec:
        managementState: "Managed"  
        logStore:
          type: "elasticsearch"  
          retentionPolicy: 
            application:
              maxAge: 10h
            infra:
              maxAge: 10h
            audit:
              maxAge: 10h
          elasticsearch:
            nodeCount: 3 
            storage: {} 
            resources: 
                limits:
                  memory: "4Gi"
                requests:
                  memory: "1Gi"
            proxy: 
              resources:
                limits:
                  memory: 256Mi
                requests:
                  memory: 256Mi
            redundancyPolicy: "SingleRedundancy"
        visualization:
          type: "kibana"  
          kibana:
            replicas: 1
        collection:
          logs:
            type: "vector"  
            vector: {} 

      4 Check that the collector pods are in CrashLoopBackOff with the following error in the logs.

      $ oc get pods
      NAME                                               READY   STATUS             RESTARTS         AGE
      cluster-logging-operator-6c884f55f6-2t2xc          1/1     Running            0                31m
      collector-68jdr                                    1/2     CrashLoopBackOff   10 (4m33s ago)   30m
      collector-cpb8q                                    1/2     CrashLoopBackOff   10 (4m35s ago)   30m
      collector-kmzvb                                    1/2     CrashLoopBackOff   10 (4m10s ago)   30m
      collector-nkfp8                                    1/2     CrashLoopBackOff   10 (4m38s ago)   30m
      collector-nlc9p                                    1/2     CrashLoopBackOff   10 (4m15s ago)   30m
      collector-sw4zx                                    1/2     CrashLoopBackOff   10 (4m36s ago)   30m
      collector-wbxxl                                    1/2     CrashLoopBackOff   10 (4m26s ago)   30m
      elasticsearch-cdm-gd7smnhe-1-574db95c8d-r86k5      2/2     Running            0                30m
      elasticsearch-cdm-gd7smnhe-2-6bbf478ccd-hmnzx      2/2     Running            0                30m
      elasticsearch-cdm-gd7smnhe-3-754d56c65b-n49v8      2/2     Running            0                30m
      elasticsearch-im-app-27489930--1-wl65c             0/1     Completed          0                12m
      elasticsearch-im-audit-27489930--1-vtx9h           0/1     Completed          0                12m
      elasticsearch-im-infra-27489930--1-r2d6s           0/1     Completed          0                12m
      kibana-797c59589c-kfvlg                            2/2     Running            0                30m
      loki-operator-controller-manager-5789bb7b8-lt6vd   2/2     Running            0                31m
      
      $ oc logs collector-nlc9p -c collector 
      Apr 08 05:37:57.381  INFO vector::app: Log level is enabled. level="info"
      Apr 08 05:37:57.381  INFO vector::app: Loading configs. path=[("/etc/vector/vector.toml", Some(Toml))]
      Apr 08 05:37:57.384  INFO vector::sources::kubernetes_logs: Obtained Kubernetes Node name to collect logs for (self). self_node_name="ip-10-0-178-157.us-east-2.compute.internal"
      Apr 08 05:37:57.393 ERROR vector::topology: Configuration error. error=Sink "default": Could not build PKCS#12 archive for identity: error:0607B0C8:digital envelope routines:EVP_CipherInit_ex:disabled for FIPS:crypto/evp/evp_enc.c:227:, error:06074078:digital envelope routines:EVP_PBE_CipherInit:keygen failure:crypto/evp/evp_pbe.c:131:, error:23077073:PKCS12 routines:PKCS12_pbe_crypt:pkcs12 algor cipherinit error:crypto/pkcs12/p12_decr.c:41:, error:2306C067:PKCS12 routines:PKCS12_item_i2d_encrypt:encrypt error:crypto/pkcs12/p12_decr.c:144:, error:23073067:PKCS12 routines:PKCS12_pack_p7encdata:encrypt error:crypto/pkcs12/p12_add.c:119:
       

              syedriko_sub@redhat.com Sergey Yedrikov
              rhn-support-ikanse Ishwar Kanse
              Ishwar Kanse Ishwar Kanse
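
A triage helper for the collector error shown in this report, as an added example that is not part of the original issue or of the Vector or OpenShift Logging code. It splits the OpenSSL error queue embedded in a Vector log line into its fields and flags sinks blocked by FIPS mode; the `triage` function and both regular expressions are assumptions based on the log layout visible above.

```python
import re

# OpenSSL 1.1.x error-queue entry: error:<code>:<library>:<function>:<reason>:<file>:<line>:
OSSL_ENTRY = re.compile(
    r"error:(?P<code>[0-9A-Fa-f]{8}):(?P<lib>[^:]+):(?P<func>[^:]+):"
    r"(?P<reason>[^:]+):(?P<file>[^:]+):(?P<line>\d+):")
# Vector log line: "<Mon DD HH:MM:SS.mmm> <LEVEL> <module>: <message>"
VECTOR_LINE = re.compile(
    r"^(?P<ts>\w{3} \d{2} [\d:.]+)\s+(?P<level>[A-Z]+) (?P<module>[\w:]+): (?P<msg>.*)$")

def triage(log_text):
    """Return one finding per ERROR line that carries an OpenSSL error queue."""
    findings = []
    for raw in log_text.splitlines():
        m = VECTOR_LINE.match(raw.strip())
        if not m or m["level"] != "ERROR":
            continue
        stack = [e.groupdict() for e in OSSL_ENTRY.finditer(m["msg"])]
        if not stack:
            continue
        sink = re.search(r'Sink "([^"]+)"', m["msg"])
        findings.append({
            "timestamp": m["ts"],
            "sink": sink.group(1) if sink else None,
            # Entries appear oldest first, so stack[0] is the innermost failing call.
            "root_cause": stack[0],
            "call_chain": [e["func"] for e in stack],
            "fips_blocked": any(e["reason"] == "disabled for FIPS" for e in stack),
        })
    return findings

# Sample input: two lines copied from the collector log in this report.
SAMPLE_LOG = (
    'Apr 08 05:37:57.381  INFO vector::app: Log level is enabled. level="info"\n'
    'Apr 08 05:37:57.393 ERROR vector::topology: Configuration error. error=Sink "default": '
    'Could not build PKCS#12 archive for identity: '
    'error:0607B0C8:digital envelope routines:EVP_CipherInit_ex:disabled for FIPS:crypto/evp/evp_enc.c:227:, '
    'error:06074078:digital envelope routines:EVP_PBE_CipherInit:keygen failure:crypto/evp/evp_pbe.c:131:, '
    'error:23077073:PKCS12 routines:PKCS12_pbe_crypt:pkcs12 algor cipherinit error:crypto/pkcs12/p12_decr.c:41:, '
    'error:2306C067:PKCS12 routines:PKCS12_item_i2d_encrypt:encrypt error:crypto/pkcs12/p12_decr.c:144:, '
    'error:23073067:PKCS12 routines:PKCS12_pack_p7encdata:encrypt error:crypto/pkcs12/p12_add.c:119:\n'
)

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f["timestamp"], f["sink"], f["fips_blocked"], " <- ".join(f["call_chain"]))
```

Feeding it the output of `oc logs <pod> -c collector` gives one finding per failing sink, which makes it easy to tell a FIPS policy rejection apart from other TLS configuration errors.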