Uploaded image for project: 'OpenShift Bugs'
  1. OpenShift Bugs
  2. OCPBUGS-23386

Unable to run oc commands on RHEL9 Host with FIPS enabled OCP cluster

XMLWordPrintable

    • Icon: Bug Bug
    • Resolution: Done-Errata
    • Icon: Major Major
    • 4.16.0
    • 4.15.0
    • oc
    • None
    • No
    • Rejected
    • False
    • Hide

      None

      Show
      None
    • Hide
      --- update ---
      Added by PR #77748

      If the oc compiled in RHEL8 is used in a FIPS enabled RHEL9 cluster, oc fails. Now, to mitigate the problem, we also generates RHEL9 compatible oc binary in addition to the default one that customer can use if they get an error.
      Show
      --- update --- Added by PR #77748 If the oc compiled in RHEL8 is used in a FIPS enabled RHEL9 cluster, oc fails. Now, to mitigate the problem, we also generates RHEL9 compatible oc binary in addition to the default one that customer can use if they get an error.
    • Bug Fix
    • Done

      Description of problem:

      Unable to run oc commands in FIPS enable OCP cluster on PowerVS

      Version-Release number of selected component (if applicable):

      4.15.0-ec2

      How reproducible:

      Deploy OCP cluster with FIPS enabled

      Steps to Reproduce:

      1. Enable the var in var.tfvars - fips_compliant      = true
      2. Deploy the cluster
      3. run oc commands
      

      Actual results:

      [root@rdr-swap-fips-syd05-bastion-0 ~]# oc version
      FIPS mode is enabled, but the required OpenSSL library is not available
      
      [root@rdr-swap-fips-syd05-bastion-0 ~]# oc debug node/syd05-master-0.rdr-swap-fips.ibm.com
      FIPS mode is enabled, but the required OpenSSL library is not available
      
      [root@rdr-swap-fips-syd05-bastion-0 ~]# fips-mode-setup --check
      FIPS mode is enabled.

      Expected results:

      # oc debug node/syd05-master-0.rdr-swap-fips1.ibm.com
      Temporary namespace openshift-debug-dns7d is created for debugging node...
      Starting pod/syd05-master-0rdr-swap-fips1ibmcom-debug-hs4dr ...
      To use host binaries, run `chroot /host`
      Pod IP: 193.168.200.9

      Additional info:

      Not able to collect must gather logs due to the issue
      
      links - https://access.redhat.com/solutions/7034387

            aguclu@redhat.com Arda Guclu
            sbobade Swapnil Bobade
            Julie Mathew Julie Mathew
            Votes:
            5 Vote for this issue
            Watchers:
            32 Start watching this issue

              Created:
              Updated:
              Resolved: