On Thu, Jun 20, 2019 at 9:05 AM 'slig...@verizon.net' via Puppet Users
<puppet-users@googlegroups.com> wrote:
>
> Hello,
>
> We are using some fips and some non-fips agents. The proper agent rpm (fips or non
> fips based on current configuration) has been installed, however, after agent
> installation, if we were to update an agent from fips to non-fips or
> vice versa, will the old agent rpm still function?

The fips and non-fips packages have the same name, but different
releases. So if you switch from one to the other, the old one will be
removed. That said, we don't test switching, as we assume the matching
package is installed from the start.

$ rpm -qi puppet-agent
Name        : puppet-agent
Version     : 6.5.0
Release     : 1.redhatfips7
...

$ rpm -qi puppet-agent
Name        : puppet-agent
Version     : 6.5.0
Release     : 1.el7

> Just running puppet agent -t seems to be working, but in that case I'm not sure
> what is different between the fips and non-fips agent?

The fips agent is compiled against system openssl and does not contain
a vendored openssl:

$ ldd /opt/puppetlabs/puppet/lib/libfacter.so | grep libssl
    libssl.so.10 => /lib64/libssl.so.10 (0x00007fefbab83000)

Whereas the non-fips agent is compiled against puppet's vendored openssl:

$ ldd /opt/puppetlabs/puppet/lib/libfacter.so | grep libssl
    libssl.so.1.1 => /opt/puppetlabs/puppet/lib/libssl.so.1.1 (0x00007f705127f000)

If you install a non-fips puppet-agent on a fips-enabled host, it will
use the vendored openssl. While it will "work", I wouldn't recommend
it, because it will subvert the system's openssl.

If you install a fips puppet-agent on a non-fips-enabled host, then it
should work provided the system openssl is compatible with our ruby.

The puppet ruby code is the same for both fips and non-fips. At
runtime, puppet detects if fips is enabled, and if so, removes md5
from its list of supported checksums. This affects filebucketing and
retrieving file contents from "puppet:///" sources. Also some
operations like `puppet module install` cannot be performed due to its
reliance on md5. That will be changing in the near future though.

Josh

>
> Thanks
>
> M
>
> --
> You received this message because you are subscribed to the Google Groups 
> "Puppet Users" group.
> To unsubscribe from this group and stop receiving emails from it, send an 
> email to puppet-users+unsubscr...@googlegroups.com.
> To view this discussion on the web visit 
> https://groups.google.com/d/msgid/puppet-users/59879625-fca7-4696-997a-ce4d598da63e%40googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.

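As an added check that is not part of the thread: a small POSIX shell script that classifies the installed puppet-agent build from its RPM release tag, reads the host's FIPS state, inspects which libssl libfacter.so resolves to, and flags a build/host mismatch. It assumes the release-tag convention and ldd paths shown in Josh's examples (fips builds carry "fips" in the release, the vendored libssl lives under /opt/puppetlabs); the parsing functions take their input as arguments or stdin so they can be exercised on a host without puppet.

```shell
#!/bin/sh
# Added example, not code from the thread or from Puppet. Compares the
# installed puppet-agent build with the host's FIPS mode so a mismatched
# install is caught before the agent is relied on.

# Classify an RPM release string: the fips build carries "fips" in its
# release tag (e.g. 1.redhatfips7), the non-fips build does not (1.el7).
agent_variant() {
    case "$1" in
        *fips*) echo fips ;;
        *)      echo non-fips ;;
    esac
}

# Host FIPS state as read from /proc/sys/crypto/fips_enabled ("1" = on).
host_variant() {
    case "$1" in
        1) echo fips ;;
        *) echo non-fips ;;
    esac
}

# Return 0 when the agent build and the host mode agree, 1 otherwise.
fips_match() {
    agent=$(agent_variant "$1")
    host=$(host_variant "$2")
    [ "$agent" = "$host" ]
}

# Read ldd output on stdin and report which libssl libfacter.so links
# against: "vendored" when it lives under /opt/puppetlabs, else "system".
ssl_source() {
    if grep libssl | grep -q '/opt/puppetlabs/'; then
        echo vendored
    else
        echo system
    fi
}

# Live check when invoked with --live (needs rpm and the agent installed).
if [ "${1:-}" = "--live" ]; then
    rel=$(rpm -q --qf '%{RELEASE}' puppet-agent)
    fe=$(cat /proc/sys/crypto/fips_enabled 2>/dev/null || echo 0)
    src=$(ldd /opt/puppetlabs/puppet/lib/libfacter.so | ssl_source)
    printf 'agent=%s host=%s libssl=%s\n' \
        "$(agent_variant "$rel")" "$(host_variant "$fe")" "$src"
    fips_match "$rel" "$fe" || {
        echo "MISMATCH: reinstall the puppet-agent build matching host FIPS mode" >&2
        exit 2
    }
fi
```

Run it as `sh check-agent-fips.sh --live` on the agent host; a non-zero exit means the installed build does not match the host's FIPS mode.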