cvuqdisk doesn't install on FIPS-enabled system
ThiloSolbrig opened this issue
cvuqdisk.rpm is missing a few digests and thus doesn't install on FIPS-enabled systems. Use rpm as a workaround.
# rpm --checksig --verbose /u01/app/19.0.0/grid_1/cv/rpm/cvuqdisk-1.0.10-1.rpm
/u01/app/19.0.0/grid_1/cv/rpm/cvuqdisk-1.0.10-1.rpm:
Header SHA1 digest: OK
Payload SHA256 digest: NOTFOUND
MD5 digest: NOTFOUND
# fips-mode-setup --check
FIPS mode is enabled.
# yum -y install /u01/app/19.0.0/grid_1/cv/rpm/cvuqdisk-1.0.10-1.rpm
Last metadata expiration check: 0:36:11 ago on Tue 16 Apr 2024 07:17:46 PM CEST.
Dependencies resolved.
=============================================================================================================================================================
Package Architecture Version Repository Size
=============================================================================================================================================================
Installing:
cvuqdisk x86_64 1.0.10-1 @commandline 11 k
Transaction Summary
=============================================================================================================================================================
Install 1 Package
Total size: 11 k
Installed size: 22 k
Downloading Packages:
Running transaction check
Transaction check succeeded.
Running transaction test
Error: Transaction test error:
package cvuqdisk-1.0.10-1.x86_64 does not verify: no digest
Going to provide a fix shortly.
Hi Thilo,
I tried to reproduce the issue but can't find the correct FIPS setup.
yum-config-manager --enable ol7_security_validation
yum install -y dracut-fips dracut-fips-aesni
dracut -f
Add fips=1 to grub /etc/default/grub
grub2-mkconfig -o /boot/grub2/grub.cfg
Reboot system.
cat /proc/sys/crypto/fips_enabled
1
ansible all -m setup | grep ansible_fips
"ansible_fips": true,
I can install the RPM with yum without any problem.
Do you know what I skipped in my test setup?
Hi Thorsten,
what does fips-mode-setup --check return for your test setup? If it's not "FIPS mode is enabled." there likely isn't a fully FIPS enabled system. In my opinion, FIPS mode should better be enabled by fips-mode-setup --enable. Also I'm not sure if the rpm fails on OEL7, too. I had this issue with OEL8 and OEL9.
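A pre-install check built from the two commands quoted in this thread, added here as an example and not part of the issue or the project's code: it parses `rpm --checksig --verbose` output for digests reported as NOTFOUND and compares that with the `fips-mode-setup --check` result. The function names and return codes are hypothetical, and treating every NOTFOUND digest as install-blocking under FIPS is an assumption generalised from the single package shown above.

```shell
# Constructed sample: the checksig output quoted in the issue above.
SAMPLE_CHECKSIG='/u01/app/19.0.0/grid_1/cv/rpm/cvuqdisk-1.0.10-1.rpm:
Header SHA1 digest: OK
Payload SHA256 digest: NOTFOUND
MD5 digest: NOTFOUND'

# missing_digests: read `rpm --checksig --verbose` output on stdin and print
# the name of every digest whose status is NOTFOUND, one per line.
# Exit status: 0 = no digest missing, 1 = at least one missing.
missing_digests() {
    awk -F': *' '
        /digest:/ && $NF ~ /NOTFOUND/ {
            name = $1
            sub(/^[ \t]+/, "", name)   # drop indentation
            sub(/ digest$/, "", name)  # keep only e.g. "Payload SHA256"
            print name
            missing = 1
        }
        END { exit missing + 0 }
    '
}

# fips_reported_enabled TEXT: true when TEXT (the output of
# `fips-mode-setup --check`) contains the line quoted in the issue.
fips_reported_enabled() {
    printf '%s\n' "$1" | grep -qx 'FIPS mode is enabled\.'
}

# preflight FIPS_TEXT CHECKSIG_TEXT
# Returns 0 when no digest is missing, 1 when digests are missing but FIPS
# is not reported enabled, 2 when digests are missing and FIPS is enabled
# (the combination that failed in the yum transaction test above).
preflight() {
    pf_missing=$(printf '%s\n' "$2" | missing_digests) && return 0
    pf_list=$(printf '%s' "$pf_missing" | tr '\n' ',')
    if fips_reported_enabled "$1"; then
        echo "BLOCK: FIPS enabled, digests not found: $pf_list" >&2
        return 2
    fi
    echo "WARN: digests not found: $pf_list" >&2
    return 1
}

# Typical use on a real host (pkg.rpm is a placeholder path):
#   preflight "$(fips-mode-setup --check)" "$(rpm --checksig --verbose pkg.rpm)"
```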
This issue is stale because it has been open for 30 days with no activity. Auto close in 30 days.