
Re: [HTCondor-users] condor and FIPS issue



From: ade kc <kcbobo@xxxxxxxxxxx>
Date: 07/06/2016 01:33 PM

> My team is currently doing some "FIPS" testing. king group to ...
>
> This effectively requires installation of the "dracut-fips" package. I
> installed condor 8.2.8 on an execute node and the condor_master daemon
> would immediately do a crash dump.
>
> I removed the "dracut-fips" package and all is well again with the world.
>
> This is a redhat 6.6 machine, seems there's a conflict between this
> package and condor. Anyone aware of this? I can try another condor version
> to see what happens, but wanted to check in here first.


Does anything show up in the system log about the HTCondor startup regarding
the FIPS status of the system? Perhaps the unprelink of the HTCondor
binaries wasn't successful or something like that, and maybe that would
be reflected in FIPS-related logging.

For instance, perhaps the prelink -u -a you ran before installing
dracut-fips overlooked the /usr/libexec/condor directory.

Also, do you have openssl-fips installed as well? That's going to be the
FIPS nexus for HTCondor, rather than Dracut. Maybe try running with
the FIPS mode turned off (fips=0 in the kernel args) and see if there's
any useful logging activity in "non-enforcing mode," as it were.

I'm surprised you've got RHEL 6.6 - the security standards I'm
conversant with require regular operating system security patches,
and there have been four moderate and two important kernel security errata
since the release of 6.7 about a year ago, among about 128 in total
over 6.6.

Also I highly recommend 8.4 over 8.2. The transition is easy as
long as you're mindful of the new packaging divisions (i.e., if you need
kbdd you have to install it separately, or install condor-all), and
there are a lot of good improvements. And thanks to the virtues of the
ClassAd system, 8.4 and 8.2 can coexist in the same pool, so an
incremental upgrade is feasible.

        -Michael Pelletier.
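
The checks suggested in the reply above, gathered into one script as an added example (not part of the original message and not HTCondor's own tooling). It assumes the system log is /var/log/messages, and it detects prelinked files by a fixed-string match on the `.gnu.prelink_undo` section name that prelink adds, which is a heuristic.

```bash
#!/usr/bin/env bash
# Added example: gather the FIPS facts asked about above. File and directory
# arguments default to the live system paths but can point at copies.

# True when the kernel reports FIPS mode on (file contains 1).
fips_enabled() {
    local f="${1:-/proc/sys/crypto/fips_enabled}"
    [ -r "$f" ] && [ "$(tr -d '[:space:]' < "$f")" = "1" ]
}

# Print the value of fips= from the kernel command line, or "unset".
fips_cmdline_arg() {
    local val
    val=$(tr ' ' '\n' < "${1:-/proc/cmdline}" | sed -n 's/^fips=//p' | tail -n 1)
    printf '%s\n' "${val:-unset}"
}

# List files that still look prelinked. Heuristic: prelink adds a section
# named .gnu.prelink_undo, so match that name as a fixed string.
prelinked_files() {
    grep -rlF -- '.gnu.prelink_undo' "${1:-/usr/libexec/condor}" 2>/dev/null | sort
}

# Show system log lines mentioning FIPS, prelink or condor_master.
# /var/log/messages is an assumed location for the system log.
fips_log_lines() {
    grep -iE 'fips|prelink|condor_master' "${1:-/var/log/messages}" || true
}

# Print everything in one pass; optional argument is the directory to scan.
fips_report() {
    echo "fips_enabled: $(fips_enabled && echo 1 || echo 0)"
    echo "cmdline fips=: $(fips_cmdline_arg)"
    rpm -q dracut-fips openssl-fips 2>&1 || true
    echo "still prelinked under ${1:-/usr/libexec/condor}:"
    prelinked_files "$1"
    echo "matching system log lines:"
    fips_log_lines
}

if [ "${1:-}" = "--report" ]; then fips_report; fi
```

Run it with `--report` on the execute node, once in FIPS mode and once booted with fips=0, and compare the two outputs.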