The only thing vaguely interesting in the system log is an sshd error of the following nature.

Jul 6 14:45:36 sshd[14537]: error: Could not load host key: /etc/ssh/ssh_host_dsa_key

In condor MasterLog, here's what the stack dump log looks like

Stack dump for process 14412 at timestamp 1467830633 (17 frames)

Regarding the preliminary steps for FIPS and the prelink stuff you mentioned I have to ask the guy who installed it originally about what he did there.
There is no openssl-fips installed, only regular openssl.
Sure I plan to upgrade to 8.4 at some point, not sure that solves this immediate problem though. Also does one reap all the benefits of 8.4 if the condor central manager machine is also on 8.2?
Yes we test on various OS versions, this is RHEL6.6 because we have some customers using this, so need to test for their benefit also.
I will try your suggestion with fips mode off to see if logging gives me anything useful.

From: HTCondor-users <htcondor-users-bounces@xxxxxxxxxxx> on behalf of Michael V Pelletier <Michael.V.Pelletier@xxxxxxxxxxxx>
Sent: Wednesday, July 6, 2016 1:05 PM
To: HTCondor-Users Mail List
Subject: Re: [HTCondor-users] condor and FIPS issue

From: ade kc <kcbobo@xxxxxxxxxxx>
Date: 07/06/2016 01:33 PM

> My team is currently doing some "FIPS" testing. king group to ...
>
> This effectively requires installation of the "dracut-fips" package. I
> installed condor 8.2.8 on an execute node and the condor_master daemon
> would immediately do a crash dump.
>
> I removed the "dracut-fips" package and all is well again with the world.
>
> This is a redhat 6.6 machine, seems there's a conflict between this
> package and condor. Anyone aware of this? I can try another condor version
> to see what happens, but wanted to check in here first.

Does anything show up in the system log about the HTCondor startup regarding the FIPS status of the system? Perhaps the unprelink of the HTCondor binaries wasn't successful or something like that, and maybe that would be reflected in FIPS-related logging. For instance, perhaps the prelink -u -a you ran before installing dracut-fips overlooked the /usr/libexec/condor directory.

Also, do you have openssl-fips installed as well? That's going to be the FIPS nexus for HTCondor, rather than Dracut.

Maybe try running with the FIPS mode turned off (fips=0 in the kernel args) and see if there's any useful logging activity in "non-enforcing mode," as it were.

I'm surprised you've got RHEL 6.6 - the security standards I'm conversant with require regular operating system security patches, and there's been four moderate and two important kernel security errata since the release of 6.7 about a year ago, among about 128 in total over 6.6.

Also I highly recommend 8.4 over 8.2. The transition is easy as long as you're mindful of the new packaging divisions (i.e., if you need kbdd you have to install it separately, or install condor-all), and there's a lot of good improvements. And thanks to the virtues of the ClassAd system, 8.4 and 8.2 can coexist in the same pool, so an incremental upgrade is feasible.

-Michael Pelletier.