OpenShift Bugs / OCPBUGS-55093

Unable to use openshift-install/openshift-install-fips on RHEL9.5 for FIPS enabled installation


      Description of problem:

      OpenShift 4.16.36 cluster installation fails in FIPS mode with error "FIPS mode is enabled, but the required OpenSSL backend is unavailable" despite proper FIPS configuration on the host system. The same configuration works successfully with OpenShift 4.14.38.
      
      # ./openshift-install version
      ./openshift-install 4.16.36
      built from commit ed196179749c9370de6906453fb78f16b37a6e42
      release image quay.io/openshift-release-dev/ocp-release@sha256:efab0026a48c418ff01754238aea813e24097f65ff75962147cef78d785f06f4
      release architecture amd64

      # ./oc version
      Client Version: 4.16.36
      Kustomize Version: v5.0.4-0.20230601165947-6ce0bf390ce3
      
      # oc adm release extract --command=openshift-install-fips --to /tmp docker-gcs-infra-local.artifactrepository.xyz.net/redhat/openshift4:4.16.36-x86_64@sha256:efab0026a48c418ff01754238aea813e24097f65ff75962147cef78d785f06f4
      error: command "openshift-install-fips" does not support the operating system "linux"

      ref: https://docs.redhat.com/en/documentation/openshift_container_platform/4.16/html/installation_overview/installing-fips#installation-obtaining-fips-installer-mirror_installing-fips

       

      Version-Release number of selected component (if applicable):

      OpenShift Version: 4.16.36 
      Installation Method: Agent-based installer 
      Host OS: RHEL 9.5 (Plow) 
      Host Kernel: 5.14.0-503.19.1.el9_5.x86_64 
      OpenSSL Version: 3.2.2 (June 4, 2024) 
      OpenSSL Package: openssl-libs-3.2.2-6.el9_5.x86_64 
      Deployment Type: Disconnected environment    

      How reproducible:

          

      Steps to Reproduce:

      1. Enable FIPS mode on RHEL 9.5 host: sudo fips-mode-setup --enable
      2. Reboot system and verify FIPS mode is enabled: fips-mode-setup --check
      3. Set `fips: true` in the install-config.yaml
      4. Attempt to create PXE files: ./openshift-install agent create pxe-files --dir clusterconfigs     

      Actual results:

      The installation fails with error:
      
      level=error msg=FIPS mode is enabled, but the required OpenSSL backend is unavailable
      level=fatal msg=failed to fetch Agent Installer PXE Files: failed to fetch dependency of "Agent Installer PXE Files": failed to fetch dependency of "Agent Installer Artifacts": failed to generate asset "BaseIso Image": failed to get base ISO image 

      Expected results:

      Installation should proceed successfully.

      Additional info:

      FIPS Status Check:
      # fips-mode-setup --check
      FIPS mode is enabled.
      
      OS Version:
      # cat /etc/os-release
      NAME="Red Hat Enterprise Linux"
      VERSION="9.5 (Plow)"
      ID="rhel"
      VERSION_ID="9.5"
      
      OpenSSL Library and Version:
      # rpm -qf /lib64/libcrypto.so.3
      openssl-libs-3.2.2-6.el9_5.x86_64
      
      # openssl version
      OpenSSL 3.2.2 4 Jun 2024 (Library: OpenSSL 3.2.2 4 Jun 2024)
      
      FIPS Validation Test:
      # openssl md5 /etc/hostname
      Error setting digest
      002E141A147F0000:error:0308010C:digital envelope routines:inner_evp_generic_fetch:unsupported:crypto/evp/evp_fetch.c:355:Global default library context, Algorithm (MD5 : 95), Properties ()
      002E141A147F0000:error:03000086:digital envelope routines:evp_md_init_internal:initialization error:crypto/evp/digest.c:272:

              rhn-support-pamoedom Pedro Jose Amoedo Martinez
              abdullahsikder Abdullah Sikder
              Abdullah Sikder
              None
              Gaoyun Pei Gaoyun Pei
              None
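The host-side checks from the report (kernel FIPS flag, `fips: true` in install-config.yaml, the MD5 probe) collected into one preflight script. This is an added example, not part of the original report or of the installer; the function names and the script name are hypothetical, and /proc/sys/crypto/fips_enabled is the kernel's standard FIPS flag file.

```shell
#!/usr/bin/env bash
# Added example: host-side FIPS preflight before running openshift-install.
# File paths are parameters so the checks also run against constructed files.

# Kernel FIPS flag: prints 1 when enabled, 0 otherwise (an unreadable file counts as 0).
host_fips_state() {
    local flag_file="${1:-/proc/sys/crypto/fips_enabled}"
    if [ -r "$flag_file" ] && [ "$(tr -d '[:space:]' < "$flag_file")" = "1" ]; then
        echo 1
    else
        echo 0
    fi
}

# Top-level `fips:` key of install-config.yaml: prints true or false (absent means false).
config_fips_state() {
    local value
    value=$(sed -n 's/^fips:[[:space:]]*\([A-Za-z]*\).*$/\1/p' "$1" 2>/dev/null | head -n 1)
    case "$value" in
        true) echo true ;;
        *)    echo false ;;
    esac
}

# MD5 is not FIPS-approved, so a FIPS-mode OpenSSL refuses it (the report's validation test).
openssl_md5_probe() {
    command -v openssl >/dev/null 2>&1 || { echo unavailable; return 0; }
    if printf 'probe' | openssl md5 >/dev/null 2>&1; then echo accepted; else echo rejected; fi
}

# Compare host state with the install-config setting and print one verdict line.
# $1 = install-config.yaml, $2 = optional flag file (defaults to the kernel's).
fips_preflight() {
    local host cfg
    host=$(host_fips_state "$2")
    cfg=$(config_fips_state "$1")
    case "$host:$cfg" in
        1:true)  echo "consistent: host and install-config are both FIPS" ;;
        0:false) echo "consistent: FIPS is not requested" ;;
        1:false) echo "mismatch: host is in FIPS mode, install-config does not set fips: true" ;;
        0:true)  echo "mismatch: install-config sets fips: true, host is not in FIPS mode" ;;
    esac
}

# Run only when called with arguments, e.g.: ./fips-preflight.sh clusterconfigs/install-config.yaml
if [ "$#" -ge 1 ]; then
    fips_preflight "$@"
    echo "openssl md5 probe: $(openssl_md5_probe)"
fi
```

A "consistent" verdict together with a rejected MD5 probe matches the host state shown in this report.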