On Mon, Jun 24, 2019 at 10:04 AM 'slig...@verizon.net' via Puppet Users <
puppet-users@googlegroups.com> wrote:

> Thanks Josh,
>
> I am not switching out package. I am making a fips enabled server (with
> fips agent installed) into a fips disabled one. Basically updating the grub
> and rebooting. Thus now I have a non fips enabled machine with puppet fips
> agent installed. So the question is will it work properly or do I have to
> install nonfips agent?
>
> Basically I am using an image with fips agent installed. However, when we
> install software, it may not work with fips, so we disable fips but leaving
> the agent alone.
>
> My initial testing with bare bone master and puppet agent -t, showed that
> non fips agent will work with fips enabled machine and vice versa. But
> wanted to figure out what issues I may encounter, if any?
>

Ah, makes sense. The fips agent should work when fips is disabled. The
agent will fall back to allowing md5 for filebucketing and when retrieving
file resource metadata, e.g. `source => "puppet:///modules/foo/bar.txt"`.
However, if you run into issues you can always specify which digest to use
explicitly. See the `digest_algorithm` puppet setting and the `checksum`
file parameter.

https://puppet.com/docs/puppet/latest/configuration.html#digestalgorithm
https://puppet.com/docs/puppet/latest/type.html#file-attribute-checksum

Thanks
>
> M
>
> On Friday, June 21, 2019 at 1:29:38 PM UTC-4, Josh Cooper wrote:
>>
>> On Thu, Jun 20, 2019 at 9:05 AM 'sli...@verizon.net' via Puppet Users
>> <puppet...@googlegroups.com> wrote:
>> >
>> > Hello,
>> >
>> > We are using some fips and some non-fips agent. Proper agent rpm (fips
>> or non fips based on current configuration) has been installed, however,
>> after agent installation, if we were to update an agent from fips to
>> non-fips or vice versa, will the old agent rpm still function?
>>
>> The fips and non-fips packages have the same name, but different
>> releases. So if you switch from one to the other, the old one will be
>> removed. That said, we don't test switching, as we assume the matching
>> package is installed from the start.
>>
>> $ rpm -qi puppet-agent
>> Name        : puppet-agent
>> Version     : 6.5.0
>> Release     : 1.redhatfips7
>> ...
>>
>> $ rpm -qi puppet-agent
>> Name        : puppet-agent
>> Version     : 6.5.0
>> Release     : 1.el7
>>
>> > Just running puppet agent -t seems to be working, but in that case not
>> sure what is different between fips and non-fips agent?
>>
>> The fips agent is compiled against system openssl and does not contain
>> a vendored openssl:
>>
>> $ ldd /opt/puppetlabs/puppet/lib/libfacter.so | grep libssl
>>     libssl.so.10 => /lib64/libssl.so.10 (0x00007fefbab83000)
>>
>> Whereas the non-fips agent is compiled against puppet's vendored openssl:
>>
>> $  ldd /opt/puppetlabs/puppet/lib/libfacter.so | grep libssl
>>     libssl.so.1.1 => /opt/puppetlabs/puppet/lib/libssl.so.1.1
>> (0x00007f705127f000)
>>
>> If you install a non-fips puppet-agent on a fips-enabled host, it will
>> use the vendored openssl. While it will "work", I wouldn't recommend
>> it, because it will subvert the system's openssl.
>>
>> If you install a fips puppet-agent on a non-fips-enabled host, then it
>> should work provided the system openssl is compatible with our ruby.
>>
>> The puppet ruby code is the same for both fips and non-fips. At
>> runtime, puppet detects if fips is enabled, and if so, removes md5
>> from its list of supported checksums. This affects filebucketing and
>> retrieving file contents from "puppet:///" sources. Also some
>> operations like `puppet module install` cannot be performed due to its
>> reliance on md5. That will be changing in the near future though.
>>
>> Josh
>>
>> >
>> > Thanks
>> >
>> > M
>> >
-- 
Josh Cooper | Software Engineer
j...@puppet.com | @coopjn
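As an added example (not code from the thread or from Puppet), the following POSIX shell check tells an operator whether the installed puppet-agent build matches the host's FIPS mode, using the release-string convention Josh shows above (`1.redhatfips7` vs `1.el7`). It assumes a Linux host exposing `/proc/sys/crypto/fips_enabled` and an `rpm -qi puppet-agent` output in the format quoted in the thread.

```shell
#!/bin/sh
# Added example: compare host FIPS mode with the installed puppet-agent flavor.
# Assumes /proc/sys/crypto/fips_enabled (Linux) and the rpm Release convention
# from the thread: a "fips" substring marks the FIPS build (e.g. 1.redhatfips7).

# Print "on" or "off" for the host's FIPS mode; $1 overrides the sysctl path.
host_fips_mode() {
  f="${1:-/proc/sys/crypto/fips_enabled}"
  if [ -r "$f" ] && [ "$(cat "$f" 2>/dev/null)" = "1" ]; then
    echo on
  else
    echo off
  fi
}

# Extract the Release field from `rpm -qi puppet-agent` text read on stdin.
rpm_release() {
  sed -n 's/^Release[[:space:]]*:[[:space:]]*//p' | head -n 1
}

# Classify a Release string as "fips" or "nonfips".
agent_flavor() {
  case "$1" in
    *fips*) echo fips ;;
    *)      echo nonfips ;;
  esac
}

# Combine host mode ($1: on/off) and agent flavor ($2: fips/nonfips) into the
# verdict Josh gives above: a nonfips agent on a fips host silently uses its
# vendored openssl; a fips agent on a nonfips host works with the md5 fallback.
verdict() {
  case "$1/$2" in
    on/fips)     echo "match: fips agent on fips host" ;;
    off/nonfips) echo "match: nonfips agent on nonfips host" ;;
    on/nonfips)  echo "mismatch: nonfips agent bypasses system openssl on a fips host; install the fips build" ;;
    off/fips)    echo "mismatch: fips agent on nonfips host; md5 falls back, set digest_algorithm/checksum if needed" ;;
    *)           echo "unknown: $1/$2" ;;
  esac
}

# Run the check against the live system (call this by hand; it is not invoked
# automatically so the helper functions can be sourced and tested offline).
check_host() {
  rel=$(rpm -qi puppet-agent 2>/dev/null | rpm_release)
  [ -n "$rel" ] || { echo "puppet-agent not installed"; return 1; }
  verdict "$(host_fips_mode)" "$(agent_flavor "$rel")"
}
```

Source the file and run `check_host` on the agent node to get the verdict for that host.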
