Replace fips-mode-setup #349

Merged
merged 5 commits into from
Feb 24, 2025

duzda
Contributor

@duzda duzda commented Feb 17, 2025

RHEL10 doesn't support fips-mode-setup; therefore this call has been replaced with a simple read of a proc file. The tests have been edited accordingly: inconsistent has been removed and replaced by a test supplying an arbitrary value that should never occur.

Fixes: #350

@duzda duzda force-pushed the replace-fips-mode-setup branch from 8611c42 to 3d6b7e7 Compare February 17, 2025 14:33
if not os.path.exists(paths.PROC_FIPS_ENABLED):
fips = "missing {}".format(paths.PROC_FIPS_ENABLED)
logger.debug("Can't find %s, skipping" %
paths.PROC_FIPS_ENABLED)
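
Review bot: In the `not os.path.exists(paths.PROC_FIPS_ENABLED)` branch, the only signal in these lines is a `logger.debug` message, so a host whose kernel exposes no FIPS flag is skipped without anything an operator would normally see. Consider giving this branch a non-success result that carries the `"missing {}"` string. As a style point, pass the path as a logger argument, `logger.debug("Can't find %s, skipping", paths.PROC_FIPS_ENABLED)`, instead of formatting it eagerly with `%`.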
Collaborator

I'm a bit torn on this related to other distributions, whether enforcing that the file exists would break them.
When I originally wrote this I didn't want to hold it against a user that they didn't have a tool installed. But the file in /proc should be created by the kernel so if that's missing it points to a larger issue.
I think we should set rval to WARNING in this case. This file is created by the kernel so if FIPS is disabled in the KERNEL that seems odd. A user can suppress the warning if indeed they have this use-case.

Contributor Author

I think we can make the assumption that this file exists; otherwise, the user is using a custom kernel and is probably not thinking about FIPS at all. Nevertheless, the return value is a warning now.
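
The check discussed in this thread, as an added example that is not the project's code: read the kernel's FIPS flag file and separate the disabled, enabled, missing and unexpected-value cases. The path `/proc/sys/crypto/fips_enabled` is assumed to be what `paths.PROC_FIPS_ENABLED` points to, and `check_fips`, `demo` and the severity labels are hypothetical names for this sketch.

```python
import os
import tempfile

# Kernel flag file; assumed to be what the PR calls paths.PROC_FIPS_ENABLED.
PROC_FIPS_ENABLED = "/proc/sys/crypto/fips_enabled"

# Hypothetical severity labels for this sketch, not the project's constants.
SUCCESS, WARNING, ERROR = "SUCCESS", "WARNING", "ERROR"


def check_fips(path=PROC_FIPS_ENABLED):
    """Return (severity, fips_state) from the kernel's FIPS flag file."""
    try:
        with open(path) as f:
            raw = f.read().strip()
    except FileNotFoundError:
        # Kernel exposes no FIPS flag: report it instead of skipping quietly.
        return WARNING, "missing {}".format(path)
    except OSError as e:
        return ERROR, "unreadable {}: {}".format(path, e.strerror)
    if raw == "0":
        return SUCCESS, "disabled"
    if raw == "1":
        return SUCCESS, "enabled"
    # Any other content should never occur; keep the raw value for triage.
    return ERROR, "unexpected value {!r}".format(raw)


def demo():
    """Run the check over constructed sample files instead of the real /proc."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        for name, content in (("off", "0\n"), ("on", "1\n"), ("odd", "2\n")):
            p = os.path.join(d, name)
            with open(p, "w") as f:
                f.write(content)
            results[name] = check_fips(p)
        results["missing"] = check_fips(os.path.join(d, "absent"))
    return results


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```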

RHEL10 doesn't support fips-mode-setup, therefore this call
has been replaced with simple reading of a proc file.
The tests have been edited accordingly, inconsistent has been removed
and instead replaced by a test supplying an arbitrary value, that
should never occur.

Fixes: freeipa#350
Signed-off-by: David Hanina <dhanina@redhat.com>

Also renamed test_fips_no_fips_enabled to test_fips_no_fips_available
as this name is more fitting, meaning the kernel is missing fips.

Signed-off-by: David Hanina <dhanina@redhat.com>

The missing PROC_FIPS_ENABLED should be considered a bug
in the base package, therefore no need to check here.

Signed-off-by: David Hanina <dhanina@redhat.com>
@duzda duzda force-pushed the replace-fips-mode-setup branch from 70b4ec8 to ad2620d Compare February 24, 2025 09:17
@rcritten
Collaborator

thanks, looks good.

@rcritten rcritten merged commit f42dc7b into freeipa:master Feb 24, 2025
7 checks passed
Successfully merging this pull request may close these issues.

Remove fips-mode-setup