Uploaded image for project: 'OpenShift Bugs'
  1. OpenShift Bugs
  2. OCPBUGS-23386

Unable to run oc commands on RHEL9 Host with FIPS enabled OCP cluster

    XMLWordPrintable

Details

    • Bug
    • Resolution: Unresolved
    • Major
    • 4.16.0
    • 4.15.0
    • oc
    • None
    • No
    • Rejected
    • False
    • Hide

      None

      Show
      None
    • If the oc compiled in RHEL8 is used in a FIPS enabled RHEL9 cluster, oc fails. Now, to mitigate the problem, we also generates RHEL9 compatible oc binary in addition to the default one that customer can use if they get an error.
    • Bug Fix

    Description

      Description of problem:

      Unable to run oc commands in FIPS enable OCP cluster on PowerVS

      Version-Release number of selected component (if applicable):

      4.15.0-ec2

      How reproducible:

      Deploy OCP cluster with FIPS enabled

      Steps to Reproduce:

      1. Enable the var in var.tfvars - fips_compliant      = true
2. Deploy the cluster
3. run oc commands

      Actual results:

      [root@rdr-swap-fips-syd05-bastion-0 ~]# oc version
FIPS mode is enabled, but the required OpenSSL library is not available

[root@rdr-swap-fips-syd05-bastion-0 ~]# oc debug node/syd05-master-0.rdr-swap-fips.ibm.com
FIPS mode is enabled, but the required OpenSSL library is not available

[root@rdr-swap-fips-syd05-bastion-0 ~]# fips-mode-setup --check
FIPS mode is enabled.

      Expected results:

      # oc debug node/syd05-master-0.rdr-swap-fips1.ibm.com
Temporary namespace openshift-debug-dns7d is created for debugging node...
Starting pod/syd05-master-0rdr-swap-fips1ibmcom-debug-hs4dr ...
To use host binaries, run `chroot /host`
Pod IP: 193.168.200.9

      Additional info:

      Not able to collect must gather logs due to the issue

links - https://access.redhat.com/solutions/7034387

      Attachments

        Issue Links

          causes

          Bug - A problem that impairs or prevents the functions of the product. RHOAIENG-4350 In workbench the oc CLI tool cannot be used on FIPS enabled cluster

          • Critical - To be worked on immediately following BLOCKER issues.
          • New
          is cloned by

          Bug - A problem that impairs or prevents the functions of the product. OCPBUGS-23549 Unable to run ccoctl commands on RHEL9 Host with FIPS enabled OCP cluster

          • Major - To be worked after higher priority work items are addressed. When the severity is high and the effort to change it is low to moderate, this term is chosen. Issues in this category likely have an existing workaround but implementation or execution may be non-trivial.
          • New

          Bug - A problem that impairs or prevents the functions of the product. OCPBUGS-23552 Unable to use openshift-install on RHEL9 Host with FIPS enabled OCP cluster on PowerVS (IBMCloud)

          • Blocker - To be worked above all other priorities. This term is chosen when the severity of the issue is very high, has no workaround, or the effort for the change is comparatively low. Issues that may be very publicly visible and could generate significant media attention may also drive a higher priority.
          • Closed

          Bug - A problem that impairs or prevents the functions of the product. OCPBUGS-23551 Unable to use opm on RHEL9 Host with FIPS enabled OCP cluster

          • Normal - To be worked after urgent and high priorities are resolved. This term is chosen when the severity of an issue is relatively close to the level of effort to fix it. The existence of an easily implemented workaround can also lead to this priority level instead of a higher priority.
          • Closed
          is related to

          Bug - A problem that impairs or prevents the functions of the product. OCPBUGS-25461 Implement multi-rhel artifact extraction

          • Major - To be worked after higher priority work items are addressed. When the severity is high and the effort to change it is low to moderate, this term is chosen. Issues in this category likely have an existing workaround but implementation or execution may be non-trivial.
          • Verified
          links to

          GitHub openshift-eng/ocp-build-data#4046: OCPBUGS-23386: add rhel-9-golang in cli artifacts stream

          GitHub openshift/oc#1632: OCPBUGS-23386: Generate FIPS compatible RHEL9 oc binary

          GitHub openshift/oc#1691: OCPBUGS-23386: Extract oc also for linux/ppc64le

          Web Link RHEA-2024:0041 OpenShift Container Platform 4.16.z bug fix update

          Activity

            People

              aguclu@redhat.com Arda Guclu
              sbobade Swapnil Bobade
              Julie Mathew Julie Mathew
              Votes:
              5 Vote for this issue
              Watchers:
              30 Start watching this issue

              Dates

                Created:
                Updated: