OpenShift Bugs / OCPBUGS-32973

When fileintegritynodestatus is Failed, applying an AIDE config with a disallowed algorithm makes the fileintegritynodestatus differ between nodes


    • Type: Bug
    • Resolution: Unresolved
    • Priority: Major
    • Affects versions: 4.13.z, 4.12.z, 4.14.z, 4.15.z, 4.16.0
    • Severity: Moderate

      Description of problem:

      On a FIPS-enabled cluster, when fileintegritynodestatus is Failed and an AIDE config with a disallowed algorithm is applied, the fileintegritynodestatus differs between nodes: some show "Failed", the others show "Errored".
      % oc get fileintegritynodestatus
      NAME                                                              NODE                                        STATUS
      example-fileintegrity-ip-10-0-11-7.us-east-2.compute.internal     ip-10-0-11-7.us-east-2.compute.internal     Errored
      example-fileintegrity-ip-10-0-5-4.us-east-2.compute.internal      ip-10-0-5-4.us-east-2.compute.internal      Errored
      example-fileintegrity-ip-10-0-52-138.us-east-2.compute.internal   ip-10-0-52-138.us-east-2.compute.internal   Errored
      example-fileintegrity-ip-10-0-54-206.us-east-2.compute.internal   ip-10-0-54-206.us-east-2.compute.internal   Failed
      example-fileintegrity-ip-10-0-64-198.us-east-2.compute.internal   ip-10-0-64-198.us-east-2.compute.internal   Failed
      example-fileintegrity-ip-10-0-76-239.us-east-2.compute.internal   ip-10-0-76-239.us-east-2.compute.internal   Errored    

      Version-Release number of selected component (if applicable):

      4.16.0-0.nightly-2024-04-23-032717 + file-integrity-operator.v1.3.3    

      How reproducible:

      Always    

      Steps to Reproduce:

       

      1. Install file-integrity-operator.v1.3.3 
      2. Create a fileintegrity with the default config 
      3. Trigger fileintegrity failures on each node
      $ for node in $(oc get node --no-headers | awk '{print $1}'); do oc debug node/"$node" -- chroot /host mkdir /etc/test; done
       
      4. Create a new configmap from an AIDE config with the md5 algorithm configured:
      $ oc create configmap myconf --from-file=aide-conf=./testmd5
      $ oc apply -f - <<EOF
         apiVersion: fileintegrity.openshift.io/v1alpha1
         kind: FileIntegrity
         metadata:
           name: example-fileintegrity
           namespace: openshift-file-integrity
         spec:
           config:
             name: myconf
             namespace: openshift-file-integrity
             key: aide-conf
             gracePeriod: 15
             debug: true
      EOF
      5. Check the fileintegritynodestatus
      

      Actual results:

       

      The fileintegritynodestatus is different on different nodes. Some AIDE pods restarted, so there is no "Use of FIPS disallowed algorithm under FIPS mode exit status 255" error message on those nodes.
      % oc get fileintegritynodestatus
      NAME                                                              NODE                                        STATUS
      example-fileintegrity-ip-10-0-11-7.us-east-2.compute.internal     ip-10-0-11-7.us-east-2.compute.internal     Errored
      example-fileintegrity-ip-10-0-5-4.us-east-2.compute.internal      ip-10-0-5-4.us-east-2.compute.internal      Errored
      example-fileintegrity-ip-10-0-52-138.us-east-2.compute.internal   ip-10-0-52-138.us-east-2.compute.internal   Errored
      example-fileintegrity-ip-10-0-54-206.us-east-2.compute.internal   ip-10-0-54-206.us-east-2.compute.internal   Failed
      example-fileintegrity-ip-10-0-64-198.us-east-2.compute.internal   ip-10-0-64-198.us-east-2.compute.internal   Failed
      example-fileintegrity-ip-10-0-76-239.us-east-2.compute.internal   ip-10-0-76-239.us-east-2.compute.internal   Errored
      % oc get pod
      NAME                                       READY   STATUS    RESTARTS        AGE
      aide-example-fileintegrity-lqqsc           1/1     Running   1 (26m ago)     26m
      aide-example-fileintegrity-n6t5v           1/1     Running   0               26m
      aide-example-fileintegrity-nn7mb           1/1     Running   0               26m
      aide-example-fileintegrity-sng25           1/1     Running   1 (26m ago)     26m
      aide-example-fileintegrity-z55sw           1/1     Running   0               26m
      aide-example-fileintegrity-zthdn           1/1     Running   0               26m
      file-integrity-operator-7894fbc8dd-7s8bg   1/1     Running   1 (3h23m ago)   3h23m
      % oc logs pod/aide-example-fileintegrity-n6t5v | head
      2024-04-25T08:33:30Z: Starting the AIDE runner daemon
      W0425 08:33:30.428351       1 client_config.go:618] Neither --kubeconfig nor --master was specified.  Using the inClusterConfig.  This might not work.
      2024-04-25T08:33:30Z: running aide check
      2024-04-25T08:33:30Z: aide check returned status 20
      2024-04-25T08:33:30Z: force-initializing AIDE db
      2024-04-25T08:33:30Z: Error initializing the AIDE DB: Use of FIPS disallowed algorithm under FIPS mode exit status 255
      2024-04-25T08:33:30Z: warning: couldn't report the daemon failure (the server could not find the requested resource)
      E0425 08:33:31.509779       1 retrywatcher.go:129] "Watch failed" err="context canceled"
      E0425 08:33:32.510725       1 retrywatcher.go:129] "Watch failed" err="context canceled"
      E0425 08:33:33.510782       1 retrywatcher.go:129] "Watch failed" err="context canceled"
      % oc logs pod/aide-example-fileintegrity-lqqsc | grep -i err
      % oc logs pod/aide-example-fileintegrity-lqqsc | head       
      2024-04-25T08:33:45Z: Starting the AIDE runner daemon
      W0425 08:33:45.999374       1 client_config.go:618] Neither --kubeconfig nor --master was specified.  Using the inClusterConfig.  This might not work.
      2024-04-25T08:33:46Z: running aide check
      2024-04-25T08:33:46Z: aide check returned status 20
      2024-04-25T08:34:01Z: running aide check
      2024-04-25T08:34:01Z: aide check returned status 20
      2024-04-25T08:34:16Z: running aide check
      2024-04-25T08:34:16Z: aide check returned status 20
      2024-04-25T08:34:31Z: running aide check
      2024-04-25T08:34:31Z: aide check returned status 20
      ## For the node that shows Failed, there is no entry info in the result configmap:
      % oc extract cm/aide-example-fileintegrity-ip-10-0-64-198.us-east-2.compute.internal-failed --confirm
      integritylog
      % cat integritylog 
      Algo MD5 is not available
      
      ## For the node that shows Errored, there is previous failure info in the configmap:
      % oc extract cm/aide-example-fileintegrity-ip-10-0-52-138.us-east-2.compute.internal-failed --confirm
      integritylog
      % cat integritylog 
      Start timestamp: 2024-04-25 08:32:24 +0000 (AIDE 0.16)
      AIDE found differences between database and filesystem!!
      Summary:
        Total number of entries: 35119
        Added entries:  1
        Removed entries:  0
        Changed entries:  0
      ---------------------------------------------------
      Added entries:
      ---------------------------------------------------
      d++++++++++++++++: /hostroot/etc/test
      ---------------------------------------------------
      The attributes of the (uncompressed) database(s):
      ---------------------------------------------------
      /hostroot/etc/kubernetes/aide.db.gz
        SHA1     : 0A4L6p4Bmef3qkPnlRg/zEuxvtE=
        SHA256   : JxAcDYKI58auMUyIPXOUEKn5ARSFivgi
                   42GPZiISCHs=
        SHA512   : QD678rghHLwhhGknv+9cwlbfeo3c+dyW
                   4UQacZyeHzBv7n7XB44TZmfjoquYDcB/
                   5XHwaeRYXT6yiJzbezBhxw==
      End timestamp: 2024-04-25 08:32:53 +0000 (run time: 0m 29s)    
      

      Expected results:

      The fileintegritynodestatus on all nodes should be the same; they should all be Errored.

      Additional info:

      The logs are available at: https://drive.google.com/drive/folders/12g5610Mn9kl_iONVgp77FixrLbXK-jRV
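The checks below are an added example for this report, not code from the bug report or from the file-integrity-operator. They encode the expected result (one status across all nodes), list the aide-* pods whose RESTARTS count is non-zero (the pods suspected of losing the Errored state), and scan an AIDE config for hash attributes that FIPS mode rejects before the config is applied. The sample tables are constructed from the output pasted in the report; the AIDE config fragment and its rule names are hypothetical, and the list of non-FIPS hash names is this example's assumption about the hashes AIDE can be built with.

```shell
#!/bin/sh
# Added example (not from the bug report or the file-integrity-operator):
# offline checks over `oc get` output. Sample text is constructed from the
# report; on a live cluster pipe the real command output into the functions.

SAMPLE_NODESTATUS='NAME                                                              NODE                                        STATUS
example-fileintegrity-ip-10-0-11-7.us-east-2.compute.internal     ip-10-0-11-7.us-east-2.compute.internal     Errored
example-fileintegrity-ip-10-0-5-4.us-east-2.compute.internal      ip-10-0-5-4.us-east-2.compute.internal      Errored
example-fileintegrity-ip-10-0-52-138.us-east-2.compute.internal   ip-10-0-52-138.us-east-2.compute.internal   Errored
example-fileintegrity-ip-10-0-54-206.us-east-2.compute.internal   ip-10-0-54-206.us-east-2.compute.internal   Failed
example-fileintegrity-ip-10-0-64-198.us-east-2.compute.internal   ip-10-0-64-198.us-east-2.compute.internal   Failed
example-fileintegrity-ip-10-0-76-239.us-east-2.compute.internal   ip-10-0-76-239.us-east-2.compute.internal   Errored'

SAMPLE_PODS='NAME                                       READY   STATUS    RESTARTS        AGE
aide-example-fileintegrity-lqqsc           1/1     Running   1 (26m ago)     26m
aide-example-fileintegrity-n6t5v           1/1     Running   0               26m
aide-example-fileintegrity-nn7mb           1/1     Running   0               26m
aide-example-fileintegrity-sng25           1/1     Running   1 (26m ago)     26m
aide-example-fileintegrity-z55sw           1/1     Running   0               26m
aide-example-fileintegrity-zthdn           1/1     Running   0               26m
file-integrity-operator-7894fbc8dd-7s8bg   1/1     Running   1 (3h23m ago)   3h23m'

# Constructed AIDE config fragment with hypothetical rule names: one rule
# group hashes with sha512, the other with md5, which FIPS mode rejects.
SAMPLE_AIDE_CONF='# constructed aide.conf fragment
CONTENT_FIPS = sha512+ftype+p+u+g+n+acl+selinux+xattrs
CONTENT_MD5 = md5+p+u+g+n
/hostroot/etc/    CONTENT_MD5'

# Read `oc get fileintegritynodestatus` output on stdin, print the distinct
# STATUS values (sorted, one per line); return 0 only if there is exactly one.
node_status_uniform() {
  distinct=$(awk 'NR > 1 && NF >= 3 { print $3 }' | sort -u)
  printf '%s\n' "$distinct"
  [ "$(printf '%s\n' "$distinct" | awk 'END { print NR }')" -eq 1 ]
}

# Read `oc get pod` output on stdin and print aide-* pods whose RESTARTS
# column is non-zero. RESTARTS renders as "N (age ago)" or "0", so $4 is N.
restarted_aide_pods() {
  awk 'NR > 1 && $1 ~ /^aide-/ && $4 + 0 > 0 { print $1 }'
}

# Read an AIDE config on stdin and print hash attributes used in rule
# definitions ("NAME = attr+attr+...") that are not FIPS-approved hashes.
# The name list is this example's assumption; md5 is the one the report hits.
non_fips_hashes() {
  awk -F'=' '
    /^[[:space:]]*#/ || !/=/ { next }
    {
      n = split($2, attrs, /[+[:space:]]+/)
      for (i = 1; i <= n; i++)
        if (attrs[i] ~ /^(md5|rmd160|tiger|haval|whirlpool|crc32|gost)$/)
          print attrs[i]
    }' | sort -u
}

# Demo on the constructed samples. Live equivalents:
#   oc get fileintegritynodestatus | node_status_uniform
#   oc get pod -n openshift-file-integrity | restarted_aide_pods
#   oc extract cm/myconf --to=- | non_fips_hashes
printf '%s\n' "$SAMPLE_NODESTATUS" | node_status_uniform >/dev/null \
  || echo "node statuses differ across nodes (bug reproduced)"
echo "aide pods with restarts:"
printf '%s\n' "$SAMPLE_PODS" | restarted_aide_pods
echo "non-FIPS hashes in config:"
printf '%s\n' "$SAMPLE_AIDE_CONF" | non_fips_hashes
```

Run the config scan before creating the configmap on a FIPS cluster; if it prints anything, the AIDE DB re-initialization is expected to fail the way the report shows, and the status check afterwards tells you whether every node recorded that failure the same way.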

            wenshen@redhat.com Vincent Shen
            xiyuan@redhat.com Xiaojie Yuan