Disable FIPS support within JVM for Puppet #828
Conversation
There was a problem hiding this comment.
I think we discussed this should be limited to EL8. I'd still prefer a class parameter:
Boolean $disable_fips = $facts['os']['family'] == 'RedHat' && $facts['os']['release']['major'] == '8',That way it can at least be modified via Hiera.
I also expect that the tests will fail on this.
|
Does the JVM on EL7 even know about that parameter, or would it ignore it? No need to make it conditional then ;) |
|
I think I'd still limit it to the RH OS family. No need to set it on others, which just causes changes that result in a server restart there. |
ehelms
force-pushed
the
disable-fips-support
branch
from
9a35889
to
88cfd33
Compare
|
Tests passing now, let me know what you think of the revamped design. |
ehelms
force-pushed
the
disable-fips-support
branch
from
88cfd33
to
12ad389
Compare
|
@ekohl could you have another look? |
|
Why didn't CI run on this (anymore)? |
|
Ubuntu failure looks unrelated. |
Oh, and to add to that: in a VM it does work. So it's somehow the interaction between docker and systemd. Note that on Focal we only test puppetserver on 7 so that it passes on 6 is just because the agent works on 6. Perhaps it's the same thing that we see PostgreSQL fail on puppet-foreman with Focal. |
Puppet does not currently support FIPS on EL8 and needs to be disabled in order to run on a FIPS enabled EL8+ machine within the Java stack. This solution includes the disable flag out right as it does not break on environments where the flag is not present.
A couple questions to consider:
a) should this be a configurable parameter?
b) should this only be included conditionally? (complicates the code a little bit)